Found while debugging for T212709: discourse-mediawiki.wmflabs.org and discourse.wmflabs.org send emails only to @wikimedia.org addresses:
$ ssh mx-out01.wmflabs.org
$ grep tls_certificate /etc/exim4/exim4.conf
tls_certificate = /etc/acme/cert/mx-out01.cloudinfra.wmflabs.org.chained.crt
$ openssl x509 -in /etc/acme/cert/mx-out01.cloudinfra.wmflabs.org.chained.crt -text -noout
x509: Cannot open input file /etc/acme/cert/mx-out01.cloudinfra.wmflabs.org.chained.crt, No such file or directory
x509: Use -help for summary.
$ ls /etc/acme/cert
mx_out01.chain.crt mx_out01.chained.crt mx_out01_cloudinfra_wmflabs_org.chain.crt mx_out01_cloudinfra_wmflabs_org.chained.crt mx_out01_cloudinfra_wmflabs_org.crt mx_out01.crt

$ ssh mx-out02.wmflabs.org
$ grep tls_certificate /etc/exim4/exim4.conf
tls_certificate = /etc/acme/cert/mx-out02.wmflabs.org.chained.crt
$ openssl x509 -in /etc/acme/cert/mx-out02.wmflabs.org.chained.crt -text -noout
x509: Cannot open input file /etc/acme/cert/mx-out02.wmflabs.org.chained.crt, No such file or directory
x509: Use -help for summary.
$ ls /etc/acme/cert
mx_out02_cloudinfra_wmflabs_org.chain.crt mx_out02_wmflabs_org.chain.crt mx_out02_cloudinfra_wmflabs_org.chained.crt mx_out02_wmflabs_org.chained.crt mx_out02_cloudinfra_wmflabs_org.crt mx_out02_wmflabs_org.crt
I'm not sure if the fix is just adjusting the profile::mail::smarthost::cert_subjects and profile::mail::smarthost::cert_name values for each server or something deeper.
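
A check for the mismatch shown in the sessions above, as an added example (not part of the original report and not code from the Wikimedia puppet repository): it reads the TLS file options from an Exim config, reports any that point at a nonexistent file, and lists files in the same directory whose names differ only in punctuation. The function names `norm`, `check_exim_tls_paths` and `demo` are hypothetical; the `demo` fixture is constructed and reuses file names from the mx-out01 listing inside a temporary directory.

```shell
#!/bin/sh
# Added example: flag Exim TLS file options whose path does not exist on disk.

# Reduce a file name to letters, digits and "_" so that
# "mx-out01.wmflabs.org" and "mx_out01_wmflabs_org" compare equal.
norm() { basename "$1" | sed 's/[^A-Za-z0-9]/_/g'; }

# check_exim_tls_paths CONF
# Prints "ok|missing OPTION PATH" per option, plus "candidate FILE" for files
# in the same directory whose name differs only in punctuation.
# Returns 1 if any configured file is missing.
check_exim_tls_paths() {
    conf=$1
    status=0
    for opt in tls_certificate tls_privatekey; do
        path=$(sed -n "s/^[[:space:]]*${opt}[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
        [ -n "$path" ] || continue
        case $path in
            *\$*) echo "skipped $opt $path"; continue ;;  # Exim expansion string
        esac
        if [ -e "$path" ]; then
            echo "ok $opt $path"
            continue
        fi
        status=1
        echo "missing $opt $path"
        want=$(norm "$path")
        for f in "$(dirname "$path")"/*; do
            [ -e "$f" ] || continue
            if [ "$(norm "$f")" = "$want" ]; then echo "candidate $f"; fi
        done
    done
    return $status
}

# Constructed fixture: file names from the mx-out01 listing, in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/cert"
    : > "$d/cert/mx_out01.chained.crt"
    : > "$d/cert/mx_out01_cloudinfra_wmflabs_org.chained.crt"
    printf 'tls_certificate = %s\n' \
        "$d/cert/mx-out01.cloudinfra.wmflabs.org.chained.crt" > "$d/exim4.conf"
    rc=0
    check_exim_tls_paths "$d/exim4.conf" || rc=$?
    rm -rf "$d"
    return $rc
}
```

On a real host the call would be `check_exim_tls_paths /etc/exim4/exim4.conf`; a non-zero exit makes it usable as a post-deploy check.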