When are the acl_smtp_* expanded?

on use

jgh_: if a server sends a certificate+intermediates and I try to connect to it with tls_verify_certificates = ... with exactly the same PEM container missing only the root CA cert ... verification fails on exim but not with openssl s_client or gnutls-cli?

I think tls_verify_certificates has to be root certs

ok... using root CA works, yes
is there a way to verify without chain giving the cert itself?

verify what?

the exactly same certificate. one host uses it as server, the other should verify it as client

you're asking for the client to verify it without the server sending anything to be verified?

no, the server sends the certificate and i want the client to verify it at depth=0 instead of depth=2
by giving him the cert at depth=0 as well

let's step back a way. What are you trying to do?

I have a server certificate/key pair signed by a public CA with one intermediate inbetween. my LMTP server uses this.
exim 4.86 complained about not being able to verify it connecting as LMTP client... this has a second topic as well, but let's queue that for now...
so I set tls_verify_certificates = ... to the same certificate file the server uses on the smtp(lmtp mode) transport.
using this file as --x509cafile with gnutls-cli works and verification succeeds. but exim complains about the missing root-CA
setting the CA-bundle on exim in the transport works.
and the second topic... exim 4.86 seems to ignore the global tls_verify_certificates =
I've set a global one for very long time and it worked up to 4.85. only the single host running 4.86 complains until I set it locally in the transport

the main-configuration option is not a global, but applies to exim-as-server connections

ah, i see the change in the changelog.... try_verify_hosts is default...

Can I set a new local_part in rcpt acl .. for example when expanding prvs

no

so not possible to use local_parts here..

I am trying to whitelist only mailchimp's servers with /etc/exim4/local_sender_blacklist. I know it is effective because I am using it also to whitelist a few domains, here is what I have: https://pastee.org/9vvxq, but mail is still being rejected by exim with the message: https://pastee.org/e7uk8 (redactions mine).
Any idea what could be wrong?
The IP given in the log is within the range in the config
I got the ranges from here: http://mailchimp.com/about/ips/

since you use the term "exim4" this may be a Debian-specific issue. We don't know, eg, how that blacklist file is used by your config

What is the enhanced status code for "domain is not local" or whatever
X.1.8 Bad sender's system address 451, 501
no..