Most people just use a $tls_trust_file, either a system-wide one with many certs, or a specific one for the CA of the server. However, since this compares the domain name of $host with that in the certificate, this requires using a correct FQDN in the msmtp config. Sometimes it's desirable to use different forms of $host, like an IP address (IPs of mailservers rarely change, so there is no point in checking for a new one every few minutes via an unencrypted and unsigned protocol like DNS) - or a .onion address as a Tor Hidden Service.

It would be awesome to combine the "best of two worlds." In order to use an IP or onion as $host combined with $tls_trust_file, I would propose to add something like a $tls_hostname setting which will be verified against the hostname in the certificate.
This isn't completely new, e.g. unbound does something like this for DNS-over-TLS:

    forward-addr: 1.1.1.1#cloudflare-dns.com

https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c10

What do you think about this?

Thanks, and keep up the good work!

-- 
ilf

If you upload your address book to "the cloud", I don't want to be in it.
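To illustrate what the proposed setting would change, here is an added example (not msmtp code, and not from the poster) that separates the address a client connects to from the name it verifies the certificate against; the SAN list, the `verify_name`/`cert_matches` helpers and the `tls_hostname` parameter are constructed for this illustration.

```python
import ipaddress
import socket
import ssl
from typing import Optional, Sequence, Tuple

# Constructed sample: SubjectAltNames a mailserver certificate might carry.
# A certificate like this names no IP literal and no .onion address, so
# verifying it against $host set to either of those must fail.
SAMPLE_SANS = (("DNS", "mail.example.org"), ("DNS", "*.example.org"))


def _dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, at most one wildcard,
    and only as the whole left-most label (never matching a bare TLD)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*":
        return len(n_labels) > 2 and p_labels[1:] == n_labels[1:]
    return p_labels == n_labels


def verify_name(host: str, tls_hostname: Optional[str] = None) -> str:
    """Name to check the certificate against: the proposed tls_hostname
    when configured, otherwise host itself (today's behaviour)."""
    return tls_hostname or host


def cert_matches(sans: Sequence[Tuple[str, str]], host: str,
                 tls_hostname: Optional[str] = None) -> bool:
    """True if some SAN covers the name chosen by verify_name()."""
    name = verify_name(host, tls_hostname)
    try:
        ip = ipaddress.ip_address(name)   # IP literals match only IP SANs
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP Address":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS" and _dns_name_matches(value, name):
            return True
    return False


def connect(host: str, port: int, tls_trust_file: str,
            tls_hostname: Optional[str] = None) -> ssl.SSLSocket:
    """Connect to host (IP, FQDN or .onion) but let the TLS stack verify the
    chain from tls_trust_file against verify_name(), the hostname check is
    decoupled from the address via server_hostname."""
    ctx = ssl.create_default_context(cafile=tls_trust_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    sock = socket.create_connection((host, port))
    return ctx.wrap_socket(sock, server_hostname=verify_name(host, tls_hostname))
```

`connect()` needs a reachable server and a real trust file; the matching helpers run offline and show why an IP or .onion `$host` alone fails against a DNS-only certificate.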