Re: [exim] Wildcard CN verify error

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] Wildcard CN verify error
On 2023-04-20, Jeremy Harris via Exim-users <exim-users@???> wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
>> On 2023-04-18, Lance Lovette via Exim-users <exim-users@???> wrote:
>>>> This is a name mismatch: mailgun.org != mailgun.com.
>>>
>>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>>> go sit in the corner. But shame on Mailgun for responding to .com with a
>>> .org certificate!
>>>
>>> Lance
>>
>> Their .com is a cname pointing to the .org, so the same host is both
>> .com and .org, but their host isn't using SNI.
>
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial? Both?
> I've not hunted through standards yet.


Web browsers just use the initial domain name given by the user: the resolver is treated
as a black box.


--
Jasen.
🇺🇦 Glory to Ukraine
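
Added example, not part of the original thread and not Exim's code: a minimal RFC 6125-style name check in Python that takes only the name the client started with as the reference identity, which is the browser behaviour described in the reply above. The host names are constructed placeholders, and `label_match` and `verify_peer_name` are hypothetical helper names.

```python
# Added illustration: certificate name matching against the initial name only.
# All host names used with these helpers are constructed placeholders.

def label_match(pattern: str, name: str) -> bool:
    """Match one certificate dNSName pattern against one host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False  # "*" stands for exactly one label, never several or none
    if p_labels[0] == "*":
        # Accept a wildcard only as the complete left-most label, and never
        # directly above a single-label suffix such as "*.org".
        if len(p_labels) < 3 or not n_labels[0]:
            return False
        return p_labels[1:] == n_labels[1:]
    # Partial wildcards ("f*.example.org") are treated as literals and so
    # never match a real host name.
    return p_labels == n_labels


def verify_peer_name(initial_name, cert_names, cname_chain=()):
    """Return the certificate name that matches initial_name, or None.

    cname_chain is accepted only to make the design choice explicit: it is
    learned from plain DNS, which is normally unauthenticated, so it is
    deliberately not used as a reference identity.
    """
    for pattern in cert_names:
        if label_match(pattern, initial_name):
            return pattern
    return None


if __name__ == "__main__":
    cert = ["*.example.org", "example.org"]  # names in the presented cert
    # Client asked for a .com name that is a CNAME to the .org host.
    print(verify_peer_name("mx.example.com", cert,
                           cname_chain=["mx.example.org"]))  # mismatch
    # Client asked for the .org name directly.
    print(verify_peer_name("mx.example.org", cert))
```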