Comment 4 for bug 1384232

I just looked into this, prompted by Chuck Peters on the ubuntu-server list.

It seems to me that this is a security-related feature made upstream in a newer release of exim4. To use it, every individual sysadmin would need to manually configure the tls_verify_cert_hostnames setting to a list of hostnames to use for stricter certificate checking when connecting to those particular hosts. Is this understanding accurate?

Chuck requested a backport to Trusty on the list. I think feature would have limited value in an update automatically recommended to all users (such as an SRU or security update), since most users would not be aware of the feature in order to enable it. And the feature is of limited use on the wider Internet anyway. We'd only be enabling the feature for a very small proportion of "opt-in" users because of the configuration requirement, for whom I suggest that the backports repository or moving to a newer (yet to be released) Ubuntu release would be more suitable. So I'm in favour of merging 4.86 into the development release when it is available, but am not convinced that this is suitable in an update that would be automatically recommended to all users such as through trusty-updates.

I welcome discussion on this though. I'm particularly interested in the security team's opinion.