On Mon, Jun 08, 2020 at 12:48:22PM +0000, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2594
>
> --- Comment #1 from Jeremy Harris <[email protected]> ---
> Can you locate a standards document specifying the name that should be checked
> against the certificate?
Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4

The original reporter is right. Aside from DANE, the correct name to check in the certificate is the original name, not the (generally insecure) CNAME expansion.

With DANE SMTP (RFC7672) CNAMEs can *augment* the set of valid names to check in the certificate, to include the name associated with the TLSA base domain, which might be a fully-expanded CNAME, provided the expansion never strayed into a DNSSEC-unsigned zone.

https://tools.ietf.org/html/rfc7672#section-3.2.2

-- 
	Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
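The rule in the reply above, as an added worked example that is not part of the thread and not Exim's own code: it computes which reference identifiers an SMTP client may compare against the server certificate. Without DANE only the original (pre-CNAME) name is used, per RFC 6125 appendix B.4; with DANE the fully expanded CNAME (the TLSA base domain) is added only when every hop of the expansion was DNSSEC-secure, per RFC 7672 section 3.2.2. The `CnameHop` record, the hostnames and the SAN list are constructed for illustration; real code would take the `secure` flag from a validating resolver.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CnameHop:
    """One CNAME answer as a resolver would return it (constructed data)."""
    owner: str    # name that holds the CNAME record
    target: str   # canonical name it points to
    secure: bool  # True only if the answer was DNSSEC-validated


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def expand_cname(name: str, chain, max_hops: int = 10):
    """Follow CNAME records starting at `name`.

    Returns (final_name, all_secure): the fully expanded name and whether
    every hop was DNSSEC-secure. A single insecure hop taints the whole
    expansion, since an attacker could have forged that answer.
    """
    by_owner = {_norm(h.owner): h for h in chain}
    current = _norm(name)
    all_secure = True
    for _ in range(max_hops):
        hop = by_owner.get(current)
        if hop is None:
            break
        all_secure = all_secure and hop.secure
        current = _norm(hop.target)
    else:
        raise ValueError("CNAME chain too long or looped")
    return current, all_secure


def reference_identifiers(original: str, chain, dane: bool) -> set:
    """Names the client may match against the server certificate.

    Without DANE (RFC 6125 B.4): only the original, pre-CNAME name.
    With DANE (RFC 7672 3.2.2): the TLSA base domain, i.e. the fully
    expanded CNAME, is added only when every hop was secure.
    """
    refs = {_norm(original)}
    if not dane:
        return refs
    final, secure = expand_cname(original, chain)
    if secure:
        refs.add(final)
    return refs


def name_matches(reference: str, presented: str) -> bool:
    """RFC 6125-style dNSName match: exact, or one left-most wildcard label."""
    ref, pres = _norm(reference), _norm(presented)
    if ref == pres:
        return True
    if pres.startswith("*."):
        ref_labels, pres_labels = ref.split("."), pres.split(".")
        return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]
    return False


def certificate_acceptable(original: str, chain, dane: bool, san_dnsnames) -> bool:
    """True if any SAN dNSName in the certificate matches an allowed reference name."""
    refs = reference_identifiers(original, chain, dane)
    return any(name_matches(r, s) for r in refs for s in san_dnsnames)


if __name__ == "__main__":
    # Constructed scenario: mail.example.com is a CNAME for smtp.hosting.example,
    # and the server presents a certificate only for smtp.hosting.example.
    secure_chain = [CnameHop("mail.example.com", "smtp.hosting.example", True)]
    insecure_chain = [CnameHop("mail.example.com", "smtp.hosting.example", False)]
    san = ["smtp.hosting.example"]
    print("no DANE:", certificate_acceptable("mail.example.com", secure_chain, False, san))
    print("DANE, secure CNAME:", certificate_acceptable("mail.example.com", secure_chain, True, san))
    print("DANE, insecure CNAME:", certificate_acceptable("mail.example.com", insecure_chain, True, san))
```

Run as a script it prints `False`, `True`, `False` for the three cases: the CNAME target is never acceptable on its own without DANE, it becomes acceptable under DANE when the expansion was validated end to end, and an unsigned hop drops the client back to the original name only.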
