jakartaee / mail-api

Jakarta Mail Specification project
https://jakartaee.github.io/mail-api

Hostname validation for certificates should be enabled by default #429

Open stianst opened 4 years ago

stianst commented 4 years ago

The JavaMail 1.0 specification has hostname validation of certificates disabled by default [1]. This is a very insecure default configuration, and the opposite of what would be expected as a default.

As part of Jakarta Mail 2.0 this should be changed to be secure by default.

[1] mail.smtp.ssl.checkserveridentity defaults to false

p- commented 4 years ago

Absolutely! checkserveridentity should be set to true by default for all Java Mail supported protocols (SMTP, POP3, IMAP, ...). Hostname verification is very important for a working TLS implementation.

bshannon commented 4 years ago

The goal of Jakarta Mail 2.0.0 is to be identical to Jakarta Mail 1.6.5, except for the package name change. This is a good thing to consider for Jakarta Mail 2.0.1.

oliverlietz commented 2 years ago

@IntegralProgrammer reported a security issue at Apache Sling for module Commons Messaging Mail. Server identity checks are now enabled by default to protect our users: Support server identity check

@lukasj, should we create a PR to get it into the next release?

lukasj commented 2 years ago

@oliverlietz yes, please. Note that if this is an issue in the implementation code, then the PR belongs to https://github.com/eclipse-ee4j/angus-mail/; this repo hosts jakarta.mail.* packages only now.
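
Added example, not part of the thread or the project's code: a small helper that sets the `checkserveridentity` property explicitly for each protocol prefix instead of relying on the default discussed above, and reports which keys were unset or false. The class name `MailTlsIdentityCheck`, the `enforce` method and the sample host are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class MailTlsIdentityCheck {
    // Protocol prefixes used in mail session property names (plain and implicit-TLS variants).
    private static final String[] PROTOCOLS = {"smtp", "smtps", "imap", "imaps", "pop3", "pop3s"};

    /**
     * Forces mail.<protocol>.ssl.checkserveridentity to "true" for every protocol
     * and returns a description of each key that was unset or not "true" before.
     */
    static List<String> enforce(Properties props) {
        List<String> changed = new ArrayList<>();
        for (String protocol : PROTOCOLS) {
            String key = "mail." + protocol + ".ssl.checkserveridentity";
            String value = props.getProperty(key);
            if (!"true".equalsIgnoreCase(value)) {
                changed.add(key + " (was " + (value == null ? "unset" : value) + ")");
                props.setProperty(key, "true");
            }
        }
        return changed;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: TLS is enabled, but the identity check
        // is left unset for SMTP and explicitly disabled for IMAP.
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", "smtp.example.com");
        props.setProperty("mail.smtp.port", "587");
        props.setProperty("mail.smtp.starttls.enable", "true");
        props.setProperty("mail.smtp.starttls.required", "true");
        props.setProperty("mail.imap.ssl.enable", "true");
        props.setProperty("mail.imap.ssl.checkserveridentity", "false");

        for (String entry : enforce(props)) {
            System.out.println("hardened: " + entry);
        }
        // After this point, pass props to Session.getInstance(props) as usual.
    }
}
```

Running `enforce` just before the session is created also makes an explicit `false` in inherited configuration visible in the returned list, which is useful when auditing existing deployments.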