On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
> On Mon, Jun 08, 2020 at 12:48:22PM +0000, admin--- via Exim-dev wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2594
>>
>> --- Comment #1 from Jeremy Harris <jgh146...@wizmail.org> ---
>> Can you locate a standards document specifying the name that should be
>> checked against the certificate?
>
> Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4
>
> The original reporter is right.
No, it's worse. If you take that RFC 3207 wording strictly:

- A SMTP client would probably only want to authenticate an SMTP server
  whose server certificate has a domain name that is the domain name that
  the client thought it was connecting to.

it could mean the domain part of the recipient email address, pre-MX-lookup.
Thanks to the word "domain".

Or it could mean that, again, but only when there is no MX record and an
A / AAAA is being used... but pre-CNAME.

Or it could mean post-CNAME, because that "client" SMTP agent surely thought
it was connecting to a name that A/AAAA resolved to the IP for the connect()
syscall.

It really is not well specified.
--
Cheers,
  Jeremy

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
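The three readings of the RFC 3207 sentence that Jeremy lists (recipient domain before the MX lookup, the MX host name before CNAME resolution, and the name left after following the CNAME) can be made concrete. The following script is an added example and is not code from the thread or from Exim: it uses a constructed DNS snapshot for the reserved names example.org and example.net, derives the name each reading would check, and reports which readings a given certificate SAN list would satisfy. Name comparison follows the RFC 6125 rules (case-insensitive exact match, or a wildcard that replaces only the whole left-most label); the function names are my own.

```python
"""Which name does an SMTP client match against the server certificate?

Added example, not part of the exim-dev thread. It models the three readings
of the RFC 3207 wording discussed there, using a constructed DNS snapshot and
constructed SAN lists, and shows which reading would accept a certificate.
"""
from typing import Dict, List

# Constructed DNS snapshot (hypothetical zone data, not real records).
DNS = {
    "MX": {"example.org": ["mx.example.org"]},
    "CNAME": {"mx.example.org": "smtp-pool.example.net"},
    "A": {"smtp-pool.example.net": "192.0.2.25"},
}


def candidate_names(recipient_domain: str, dns: dict = DNS) -> Dict[str, str]:
    """Return the name each reading of RFC 3207 would check against the cert.

    recipient_domain : the domain part of the address, before any MX lookup
    mx_host          : the MX target (or the domain itself when no MX exists,
                       per the RFC 5321 implicit-MX rule), before CNAME
    post_cname       : the name the A/AAAA lookup was finally made for
    """
    mx_hosts = dns["MX"].get(recipient_domain)
    mx_name = mx_hosts[0] if mx_hosts else recipient_domain

    # Follow the CNAME chain; the 'seen' set guards against a loop.
    target, seen = mx_name, set()
    while target in dns["CNAME"] and target not in seen:
        seen.add(target)
        target = dns["CNAME"][target]

    return {
        "recipient_domain": recipient_domain,
        "mx_host": mx_name,
        "post_cname": target,
    }


def name_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison of one SAN dNSName against a reference name.

    Matching is case-insensitive; a wildcard is honoured only when it is the
    entire left-most label and matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        p_labels, n_labels = pattern.split("."), name.split(".")
        return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]
    return False


def acceptable_readings(recipient_domain: str, san_names: List[str],
                        dns: dict = DNS) -> Dict[str, bool]:
    """For each reading, True if any SAN entry matches that reading's name."""
    cands = candidate_names(recipient_domain, dns)
    return {reading: any(name_matches(san, ref) for san in san_names)
            for reading, ref in cands.items()}


if __name__ == "__main__":
    # Constructed SAN lists for a server reached via example.org's MX.
    for sans in (["smtp-pool.example.net"], ["*.example.org"], ["example.org"]):
        print(sans, "->", acceptable_readings("example.org", sans))
```

Running it shows that a certificate naming only the post-CNAME host satisfies just the third reading, one naming only the MX host satisfies just the second, and one naming the bare domain satisfies just the first, which is the ambiguity the thread is about. Which reading is safe to rely on also depends on how the MX and CNAME answers were obtained: when those lookups are not authenticated, only the recipient-domain reading is independent of what the resolver returned.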