Hello Viktor

The problem is the CNAME being resolved. The client should be checking the certificate for the original hostname that it was asked to connect to, which in this case would match.

Otherwise, if you wanted to connect securely to smtp.mandrillapp.com, I could perform a MITM injecting a DNS reply saying that it's a CNAME to evilserver.com, provide a legitimate certificate for evilserver.com and receive your email intended for smtp.mandrillapp.com.

(you might get away with the security aspect if you were verifying the CNAME with DNSSEC, but as you found out, that breaks other expectations, too)

Best regards

------------------------------------------------------------------------------
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
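
The check described in the message above, as an added example that is not part of the original post or of Courier's code: the same certificate name matcher is run against two reference identities, the hostname the client was asked to connect to and the CNAME target returned by unauthenticated DNS. The function names, the alias `smtp-lb.hosting.example` and the certificate name lists are constructed for illustration; only `smtp.mandrillapp.com` and `evilserver.com` come from the message.

```python
# Added example: constructed DNS views and certificate names, not data from the thread.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a host (RFC 6125 style:
    case-insensitive, '*' only as the whole left-most label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two more labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def resolve_cname(host: str, dns: dict) -> str:
    """Follow CNAME records in an unauthenticated DNS view, with a loop guard."""
    seen = set()
    while host in dns and host not in seen:
        seen.add(host)
        host = dns[host]
    return host

def accepts(requested: str, dns: dict, cert_names: list, follow_cname: bool) -> bool:
    """Decide whether the TLS peer is accepted.
    follow_cname=False: reference identity is the name the client was asked for.
    follow_cname=True:  reference identity is whatever DNS says that name aliases to."""
    reference = resolve_cname(requested, dns) if follow_cname else requested
    return any(name_matches(n, reference) for n in cert_names)

REQUESTED = "smtp.mandrillapp.com"
# Constructed: genuine alias to a hosting name, certificate issued for the service name.
HONEST_DNS = {REQUESTED: "smtp-lb.hosting.example"}
HONEST_CERT = ["*.mandrillapp.com"]
# Constructed: forged reply as in the message, with a valid certificate
# for the other party's own name.
FORGED_DNS = {REQUESTED: "evilserver.com"}
FORGED_CERT = ["evilserver.com"]

if __name__ == "__main__":
    for label, dns, cert in (("honest", HONEST_DNS, HONEST_CERT),
                             ("forged", FORGED_DNS, FORGED_CERT)):
        for follow in (False, True):
            verdict = "accept" if accepts(REQUESTED, dns, cert, follow) else "reject"
            print(f"{label:6} follow_cname={follow!s:5} -> {verdict}")
```

Matching against the requested name accepts the honest server and rejects the forged alias; matching against the CNAME target does the reverse on both counts.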
