Re: [dane] CNAMES and Wildcards

Martin Rex <mrex@sap.com> Thu, 04 August 2011 17:54 UTC

To: ondrej.sury@nic.cz
Cc: paul.hoffman@vpnc.org, dane@ietf.org
In-Reply-To: <85A5D402-0935-4793-97CD-5DC211B360F8@nic.cz> from "Ondřej Surý" at Aug 4, 11 06:05:44 pm

O. wrote:
> 
> For MX see RFC 3207 Section 4.1:
> 
>    The decision of whether or not to believe the authenticity of the
>    other party in a TLS negotiation is a local matter.  However, some
>    general rules for the decisions are:
> 
>    -  A SMTP client would probably only want to authenticate an SMTP
>       server whose server certificate has a domain name that is the
>       domain name that the client thought it was connecting to.
> 
> It's a bit vague, but I would assume that the SMTP client connects to
> the domain name of the SMTP server and not to the domain part of the
> email address.

Looking at the info in DNS for "@gmail.com", it appears that google
expects SMTP clients to _not_ perform any kind of matching
... which does not feel right.

gmail.com has the following MX records:

  gmail.com.  3600  IN  MX   5  gmail-smtp-in.l.google.com.
  gmail.com.  3600  IN  MX  10  alt1.gmail-smtp-in.l.google.com.
  gmail.com.  3600  IN  MX  20  alt2.gmail-smtp-in.l.google.com.
  gmail.com.  3600  IN  MX  30  alt3.gmail-smtp-in.l.google.com.
  gmail.com.  3600  IN  MX  40  alt4.gmail-smtp-in.l.google.com.

Talking SMTP & STARTTLS to alt4.gmail-smtp-in.l.google.com. (with TLS SNI)
yields the following TLS Server cert (no subjectAltNames) below:

Subject:  CN=mx.google.com,O=Google Inc,L=Mountain View,S=California,C=US

There would be some security value in tail-matching the target domain
"gmail.com" to the Server certificate, but that is a clear mismatch here.

Tail-matching an MX result with the server certificate looks bogus
to me (without that MX-record being protected by DNSSEC and the result
verified by the SMTP client) and is susceptible to simple DNS spoofing
of MX records for gmail.com.


-Martin
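As an added example (not part of this thread or any project's code), here are the two certificate-matching policies the message contrasts, evaluated in Python against the MX records and certificate subject quoted above. The policy names and helper functions are my own; the certificate is assumed to carry only the CN shown and no subjectAltName.

```python
# Data quoted in the mail above (MX targets and the certificate subject CN).
EMAIL_DOMAIN = "gmail.com"
MX_TARGETS = [
    (5, "gmail-smtp-in.l.google.com."),
    (10, "alt1.gmail-smtp-in.l.google.com."),
    (20, "alt2.gmail-smtp-in.l.google.com."),
    (30, "alt3.gmail-smtp-in.l.google.com."),
    (40, "alt4.gmail-smtp-in.l.google.com."),
]
CERT_NAMES = ["mx.google.com"]  # CN only; the cert carried no subjectAltName

def normalize(name: str) -> str:
    """Drop a trailing root dot and fold case; DNS names are case-insensitive."""
    return name.rstrip(".").lower()

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading '*.' that covers exactly one left-most label."""
    pattern, host = normalize(pattern), normalize(host)
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def matches_mx_host(cert_names: list[str], mx_host: str) -> bool:
    """Policy A: the certificate must name the MX target the client connected to."""
    return any(name_matches(n, mx_host) for n in cert_names)

def tail_matches_domain(cert_names: list[str], domain: str) -> bool:
    """Policy B: a certificate name must be the mail domain itself or lie beneath it."""
    d = normalize(domain)
    for n in map(normalize, cert_names):
        if n.startswith("*."):
            n = n[2:]
        if n == d or n.endswith("." + d):
            return True
    return False

def evaluate(cert_names: list[str], domain: str, mx_targets) -> dict[str, bool]:
    """Outcome of each policy per MX target; neither holds for the gmail.com data."""
    result = {"tail-match:" + domain: tail_matches_domain(cert_names, domain)}
    for _pref, host in mx_targets:
        result["mx-host:" + normalize(host)] = matches_mx_host(cert_names, host)
    return result

if __name__ == "__main__":
    for policy, ok in evaluate(CERT_NAMES, EMAIL_DOMAIN, MX_TARGETS).items():
        print(f"{policy:50s} {'match' if ok else 'MISMATCH'}")
```

A match under the MX-host policy only ties the certificate to whatever host an unauthenticated MX lookup returned, which is exactly the spoofing concern the message raises; without DNSSEC on the MX record it says nothing about gmail.com itself.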