SMTP/TLS (RFC 2487) server authentication question
Hi!
While working on an RFC 2487 extension to the Postfix MTA I stumbled over
the following question:
How should the client verify the server's identity?
Unlike other protocols (e.g. RFC 2595), where an explicit statement is made
(Section 2.4, Server Identity Check) that the name presented in the certificate
MUST be checked against the hostname the client used to connect, there is
no information in RFC 2487. (I also checked the ietf-apps-tls archive and
found no discussion about it.)
The problem arises since the mail client software must look up the MX
record using DNS. As of now, I use the name returned from the MX lookup
to check.
1. Is there some SHOULD or MAY policy I just missed?
2. Is this left out because the data returned from DNS lookups is considered
"unreliable" as of today?
Best regards,
Lutz Jaenicke
PS. The Postfix/TLS homepage is at
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/
--
Lutz Jaenicke Lutz.Jaenicke@xxxxxxxxxxxxxxxxx
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
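The two candidate checks the message discusses, against the host name returned by the MX lookup versus against the mail domain the user addressed, can be compared side by side. The following is an added example, not Postfix/TLS code; it assumes the certificate's names have already been extracted into a list (dNSName SANs, with the CN as fallback) and uses constructed sample names for a legitimate server and for a server reached through a forged MX record.

```python
"""
Server identity check for an SMTP client that found the server via an MX
lookup.  Added illustration, not Postfix code.  The certificate names, the
mail domain and the MX host below are all constructed sample data.
"""
from dataclasses import dataclass
from typing import List


def _match_one(pattern: str, hostname: str) -> bool:
    """Case-insensitively match one certificate name against a host name.

    A single leading "*." wildcard matches exactly one left-most label.  The
    wildcard must leave at least two labels to its right (so "*.org" is
    refused) and must not match an empty label or more than one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]              # "*.example.org" -> ".example.org"
    if suffix.count(".") < 2:
        return False                  # refuse over-broad "*.org"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]   # the part the wildcard has to cover
    return bool(left) and "." not in left


def cert_matches_host(cert_names: List[str], hostname: str) -> bool:
    """True if any name in the certificate matches the given host name."""
    return any(_match_one(n, hostname) for n in cert_names)


@dataclass
class MxResolution:
    mail_domain: str   # domain of the recipient address, chosen by the user
    mx_host: str       # host name returned by the MX lookup (comes from DNS)


def verify_server(cert_names: List[str], res: MxResolution, policy: str) -> bool:
    """policy 'mx': compare with the MX host actually connected to.
    policy 'domain': compare with the mail domain the user addressed."""
    if policy == "mx":
        target = res.mx_host
    elif policy == "domain":
        target = res.mail_domain
    else:
        raise ValueError("policy must be 'mx' or 'domain'")
    return cert_matches_host(cert_names, target)


# Constructed scenario 1: an honest MX record pointing at the domain's real host.
HONEST = MxResolution(mail_domain="example.org", mx_host="mx1.example.org")
HONEST_CERT = ["mx1.example.org"]

# Constructed scenario 2: a forged MX answer sends the client to a host that
# holds a perfectly valid certificate for its own name.
FORGED = MxResolution(mail_domain="example.org", mx_host="mx.attacker.test")
FORGED_CERT = ["mx.attacker.test"]


def compare_policies():
    """Return the outcome of both policies for both scenarios."""
    return {
        "honest/mx": verify_server(HONEST_CERT, HONEST, "mx"),
        "honest/domain": verify_server(HONEST_CERT, HONEST, "domain"),
        "forged/mx": verify_server(FORGED_CERT, FORGED, "mx"),
        "forged/domain": verify_server(FORGED_CERT, FORGED, "domain"),
    }


if __name__ == "__main__":
    for k, v in compare_policies().items():
        print(f"{k:15s} {'accept' if v else 'reject'}")
```

Checking against the MX host name accepts the honest server but also accepts the forged one, because the name being checked came from the same DNS answer the attacker controlled; checking against the mail domain rejects the forged server but also rejects the honest one whenever the MX host is not named after the domain, which is the usual case. That is the trade-off behind question 2 in the message.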