On 2018-04-16 at 11:45 -0700, Ned Freed wrote:
> AFAIK this does not happen in MTA-STS, that is, at no time is the MX hostname
> obtained from the DNS checked against the "mx" list from the MTA-STS policy.
> Rather, the DNS-ID of the certificate returned by the server is checked against
> the "m
> In MX delivery without DNSSEC, if Eve injects an MX record:
> gmail.com. IN MX 1 my-spy-agency.example.org.
> then using the hostname from DNS means that the client will happily go
> talk to my-spy-agency.example.org, using that as the SNI, and validating
> against that same domain, then pres