On 12/15/2015 07:40 AM, Michael Storz wrote:
> Sorry for not writing it explicitly. In the case I described, you use the domain of the recipient address, because this is the only information you can trust (and this domain must be included in the SAN). Since you have more than one recipient domain in the described case, you must use more than one TLS connection to use the recipient domain for SNI. You cannot use the MX record because you cannot trust it (I wrote: it is not secured by DNSSEC).
>
> Michael
If you can't trust the MX record, then you can't trust the IP address returned either.

If you can't trust the IP address returned, then you are only secure if a certificate authority is used, and then you have to trust the certificate authority.
My understanding is that there is no agreement upon which certificate authorities can be trusted.
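To make the connection-planning point in Michael's message concrete, here is an added example that is not part of the thread and not code from any MTA: it groups recipients by domain and, when the MX answer was not DNSSEC-validated, opens one TLS session per recipient domain with that domain as SNI and as the name required in the certificate's SAN; when the MX answer was validated, recipients sharing an MX host can be coalesced onto one session addressed to that host. The recipient list, the MX mapping and the peer certificate are constructed stand-ins (no DNS or network is used), and the names example.com, example.org and mx.example.com are placeholders.

```python
# Added example (not from the thread): plan SMTP TLS connections per recipient
# domain, using the recipient domain as SNI and expected SAN name when the MX
# record is not DNSSEC-secured. Recipients, MX mapping and the certificate
# below are constructed sample data; nothing here touches the network.
from collections import defaultdict


def recipient_domain(address):
    """Return the lowercased domain part of an e-mail address."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    return domain.lower()


def plan_connections(recipients, mx_lookup, mx_dnssec_secured):
    """Map each TLS connection's SNI/expected name to the recipients it carries.

    mx_lookup stands in for a DNS MX query (domain -> MX hostname). If that
    answer was not DNSSEC-validated, the MX name cannot be trusted, so every
    recipient domain gets its own connection with the domain itself as SNI
    and as the name that must appear in the SAN. If it was validated, the
    MX hostname is trustworthy and domains sharing an MX host are coalesced.
    """
    by_name = defaultdict(list)
    for addr in recipients:
        domain = recipient_domain(addr)
        name = mx_lookup[domain].lower() if mx_dnssec_secured else domain
        by_name[name].append(addr)
    return dict(by_name)


def san_dns_names(cert):
    """DNS names from a cert in the dict form ssl.SSLSocket.getpeercert() uses."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, name):
    """Match a SAN entry against a name: exact, or one wildcard as the leftmost label."""
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        head, _, tail = name.partition(".")
        return bool(head) and tail == pattern[2:]
    return False


def peer_name_ok(cert, expected_name):
    """True if expected_name is covered by one of the certificate's dNSName SANs."""
    expected = expected_name.lower()
    return any(name_matches(p, expected) for p in san_dns_names(cert))


# Constructed sample data (hypothetical names).
RECIPIENTS = ["alice@example.com", "bob@Example.com", "carol@example.org"]
MX_OF = {"example.com": "mx.example.com", "example.org": "mx.example.com"}
PEER_CERT = {"subjectAltName": (("DNS", "mx.example.com"), ("DNS", "example.com"))}

if __name__ == "__main__":
    for secured in (False, True):
        print("MX DNSSEC-secured:", secured)
        for name, rcpts in sorted(plan_connections(RECIPIENTS, MX_OF, secured).items()):
            ok = peer_name_ok(PEER_CERT, name)
            print("  SNI=%-16s SAN ok=%-5s recipients=%s" % (name, ok, rcpts))
```

With the MX record untrusted, the sample yields two connections (SNI example.com and SNI example.org); the constructed certificate covers example.com but not example.org, so delivery for carol@example.org must be treated as a verification failure rather than delivered over that session. With a DNSSEC-validated MX, all three recipients share one connection to mx.example.com, which the same certificate does cover.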