Allow TLS name mismatch as per RFC7671 Section 5.1

mdecimus · mdecimus · commit a8bdf3949b06 · 2025-03-21T20:05:02.000+01:00
diff --git a/crates/smtp/src/outbound/delivery.rs b/crates/smtp/src/outbound/delivery.rs
@@ -967,7 +967,10 @@ impl QueuedMessage {
                         || (message.flags & MAIL_REQUIRETLS) != 0
                         || mta_sts_policy.is_some()
                         || dane_policy.is_some();
-                    let tls_connector = if allow_invalid_certs || remote_host.allow_invalid_certs()
+                    // As per RFC7671 Section 5.1, DANE-EE(3) allows name mismatch
+                    let tls_connector = if allow_invalid_certs
+                        || remote_host.allow_invalid_certs()
+                        || dane_policy.as_ref().is_some_and(|t| t.has_end_entities)
                     {
                         &server.inner.data.smtp_connectors.dummy_verify
                     } else {
