+The &%message_size_limit%& usage is a hack to avoid sending on messages
+with over-long lines. The built-in macro _HAVE_DANE guards configuration
+to try to use DNSSEC for all queries and to use DANE for delivery;
+see section &<<SECDANE>>& for more details.
+
+The other remote transport is used when delivering to a specific smarthost
+with whom there must be some kind of existing relationship, instead of the
+usual federated system.
+
+.code
+smarthost_smtp:
+ driver = smtp
+ message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+ multi_domain
+ #
+.ifdef _HAVE_TLS
+ # Comment out any of these which you have to, then file a Support
+ # request with your smarthost provider to get things fixed:
+ hosts_require_tls = *
+ tls_verify_hosts = *
+ # As long as tls_verify_hosts is enabled, this won't matter, but if you
+ # have to comment it out then this will at least log whether you succeed
+ # or not:
+ tls_try_verify_hosts = *
+ #
+ # The SNI name should match the name which we'll expect to verify;
+ # many mail systems don't use SNI and this doesn't matter, but if it does,
+ # we need to send a name which the remote site will recognize.
+ # This _should_ be the name which the smarthost operators specified as
+ # the hostname for sending your mail to.
+ tls_sni = ROUTER_SMARTHOST
+ #
+.ifdef _HAVE_OPENSSL
+ tls_require_ciphers = HIGH:!aNULL:@STRENGTH
+.endif
+.ifdef _HAVE_GNUTLS
+ tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
+.endif
+.endif
+.endd
+After the same &%message_size_limit%& hack, we then specify that this Transport
+can handle messages to multiple domains in one run. The assumption here is
+that you're routing all non-local mail to the same place and that place is
+happy to take all messages from you as quickly as possible.
+All other options depend upon built-in macros; if Exim was built without TLS support
+then no other options are defined.
+If TLS is available, then we configure "stronger than default" TLS ciphersuites
+and versions using the &%tls_require_ciphers%& option, where the value to be
+used depends upon the library providing TLS.
+Beyond that, the options adopt the stance that you should have TLS support available
+from your smarthost on today's Internet, so we turn on requiring TLS for the
+mail to be delivered, and requiring that the certificate be valid, and match
+the expected hostname. The &%tls_sni%& option can be used by service providers
+to select an appropriate certificate to present to you and here we re-use the
+ROUTER_SMARTHOST macro, because that is unaffected by CNAMEs present in DNS.
+You want to specify the hostname which you'll expect to validate for, and that
+should not be subject to insecure tampering via DNS results.
+