If built with EXPERIMENTAL_CERTNAMES defined, code is
included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostname" supported which takes a list of
-names for which the checks must be made. The host must
-also be in "tls_verify_hosts".
+"tls_verify_cert_hostnames" supported which takes a hostlist
+which must match the target host for the additional checks must be made.
+The option currently defaults to empty, but this may change in
+the future. "*" is probably a suitable value.
+Whether certificate verification is done at all, and the result of
+it failing, is stll under the control of "tls_verify_hosts" nad
+"tls_try_verify_hosts".
+
+The name being checked is that for the host, generally
+the result of an MX lookup.
Both Subject and Subject-Alternate-Name certificate fields
are supported, as are wildcard certificates (limited to
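Review bot: the added description has two typos and a grammar slip that should be fixed before merging: "for the additional checks must be made" should read "for the additional checks to be made", and "is stll under the control of "tls_verify_hosts" nad" should read "is still under the control of "tls_verify_hosts" and". The sentence ""*" is probably a suitable value" is hedged for documentation; if the intent is to recommend enabling the name check for every verified host, say so directly. Since the name checked is "generally the result of an MX lookup", it is worth adding that a plain (non-DNSSEC) MX lookup is unauthenticated, so the hostname check ties the certificate only to the MX target that DNS returned, not to the recipient domain itself.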
The equivalent check on the server for client certificates is not
implemented. At least one major email provider is using a client
certificate which fails this check. They do not retry either without
-hte client certificate or in clear.
+the client certificate or in clear.
It is possible to duplicate the effect of this checking by
creative use of Events.
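Review bot: only the "hte" to "the" typo is corrected here, which is fine; while touching this sentence, "retry either without the client certificate or in clear" reads better as "retry, either without the client certificate or in the clear".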