On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
> On Mon, Jun 08, 2020 at 12:48:22PM +0000, admin--- via Exim-dev wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2594
>>
>> --- Comment #1 from Jeremy Harris <jgh146exb@???> ---
>> Can you locate a standards document specifying the name that should be checked
>> against the certificate?
>
> Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4
>
> The original reported is right.
No, it's worse. If you take that RFC 3207 wording strictly:
- A SMTP client would probably only want to authenticate an SMTP
server whose server certificate has a domain name that is the
domain name that the client thought it was connecting to.
it could mean the domain part of the recipient email address,
pre-MX-lookup. Thanks to the word "domain".
Or it could mean that, again, but only when there is no MX record
and an A / AAAA is being used... but pre-CNAME.
Or it could mean post-CNAME, because that "client" SMTP agent surely
thought it was connecting to a name that A/AAAA resolved to the IP for
the connect() syscall.
It really is not well specified.
--
Cheers,
Jeremy