A few changes here:

1) Don't recurse up the DNS tree. That's just wrong.

2) Also, don't assume that a subdomain is handled by a parent domain's server.
Still wrong.

3) Check certificates post-connect using our new logic, and drop the session
if they don't match and we're not meant to be doing dialback.

4) Do use EXTERNAL if offered, even if we're using a self-signed certificate.
There's no value in not doing so, it's a bizarre behaviour.

5) Disable S2S Compression; it's currently not working. XPP reset seems to fail,
so doing replacement of the input stream instead.

6) Protect against a null features after TLS. Seems unlikely to happen, but
still.