https://bugs.exim.org/show_bug.cgi?id=2594
Phil Pennock <p...@exim.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |p...@exim.org

--- Comment #5 from Phil Pennock <p...@exim.org> ---
If DNS is DNSSEC-signed and validated, then the DANE specs for email say to
chase CNAMEs to get the validated name, IIRC.

If DNS is not provably signed, then the only input for verification is the
hostname as entered into configs, or into the mail; DNS is then an _untrusted_
resolution mechanism and intermediate results are not appropriate for use as
identities to be validated as present in certificates.

In TLS, the cert hostname to validate should always, barring exceptional
override, be the same as the hostname sent in SNI.

In the original bug-report here:

"""
Cert hostname to check: "mail.edesix.local"
Setting TLS SNI "mail.dev.edesix.com"
"""

That is clearly an unfortunate combination. The first should use the same
value as the second.
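The rule in the comment above, as an added example that is not Exim code and not part of the original message: one function picks a single name for both SNI and certificate checking, and a second scans debug output for the two line formats quoted in the report and flags pairs that disagree. The function names, the `example` hostnames and the pairing of lines by order are assumptions made for illustration.

```python
import re

def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()

def tls_reference_name(configured, cname_chain, dnssec_validated):
    """Return the one name to use for BOTH SNI and certificate checking.

    configured       -- hostname as entered in the config or the mail
    cname_chain      -- names reached by following CNAMEs, in order
    dnssec_validated -- True only if every answer was DNSSEC-validated
    """
    if dnssec_validated and cname_chain:
        return _norm(cname_chain[-1])   # validated, CNAME-chased name
    return _norm(configured)            # untrusted DNS: keep operator input

# Line formats as quoted in the bug report.
CERT_RE = re.compile(r'Cert hostname to check: "([^"]+)"')
SNI_RE = re.compile(r'Setting TLS SNI "([^"]+)"')

def audit_debug(lines):
    """Return (cert_name, sni_name) pairs where the two names differ."""
    mismatches, cert = [], None
    for line in lines:
        m = CERT_RE.search(line)
        if m:
            cert = m.group(1)
            continue
        m = SNI_RE.search(line)
        if m and cert is not None:
            if _norm(cert) != _norm(m.group(1)):
                mismatches.append((cert, m.group(1)))
            cert = None
    return mismatches

# First pair is from the report; second pair is constructed sample input.
SAMPLE = [
    'Cert hostname to check: "mail.edesix.local"',
    'Setting TLS SNI "mail.dev.edesix.com"',
    'Cert hostname to check: "mail.example.com"',
    'Setting TLS SNI "mail.example.com"',
]

if __name__ == "__main__":
    for cert, sni in audit_debug(SAMPLE):
        print(f"MISMATCH: verifying {cert!r} but sent SNI {sni!r}")
```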