mail-api
Hostname validation for certificates should be enabled by default
The JavaMail 1.0 specification has hostname validation of certificates disabled by default [1]. This is a very insecure default configuration, and opposite to what would be expected as a default.
As part of Jakarta Mail 2.0 this should be changed to be secure by default.
[1] mail.smtp.ssl.checkserveridentity defaults to false
Absolutely! checkserveridentity should be set to true by default for all Java Mail supported protocols (SMTP, POP3, IMAP, ...).
Hostname verification is very important for a working TLS implementation.
The goal of Jakarta Mail 2.0.0 is to be identical to Jakarta Mail 1.6.5, except for the package name change. This is a good thing to consider for Jakarta Mail 2.0.1.
@IntegralProgrammer reported a security issue at Apache Sling for module Commons Messaging Mail. Server identity checks are now enabled by default to protect our users: Support server identity check
@lukasj, Should we create a PR to get it into the next release?
@oliverlietz yes, please. Note that if this is an issue in the implementation code, then the PR belongs to https://github.com/eclipse-ee4j/angus-mail/, this repo hosts jakarta.mail.* packages only now
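Until the default changes, applications have to opt in to the check discussed in this thread themselves. The following is an added example, not code from the issue or from the Jakarta Mail or Angus Mail projects: it audits a session `Properties` object for protocols where `checkserveridentity` is unset or false and returns a hardened copy. The class and method names are hypothetical, the sample configuration is constructed, and the per-protocol keys follow the same pattern as the `mail.smtp.ssl.checkserveridentity` key cited in the issue.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class ServerIdentityAudit {
    // Protocol names used as property prefixes (plain and implicit-TLS variants).
    static final String[] PROTOCOLS = {"smtp", "smtps", "imap", "imaps", "pop3", "pop3s"};

    static String key(String protocol) {
        return "mail." + protocol + ".ssl.checkserveridentity";
    }

    /** Returns the keys that are unset or not "true", i.e. where the insecure default applies. */
    static List<String> findUnchecked(Properties props) {
        List<String> weak = new ArrayList<>();
        for (String p : PROTOCOLS) {
            // getProperty returns null for a missing key; parseBoolean(null) is false.
            if (!Boolean.parseBoolean(props.getProperty(key(p)))) {
                weak.add(key(p));
            }
        }
        return weak;
    }

    /** Returns a copy with hostname verification switched on for every protocol. */
    static Properties harden(Properties props) {
        Properties out = new Properties();
        out.putAll(props);
        for (String p : PROTOCOLS) {
            out.setProperty(key(p), "true");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample configuration, not taken from any real deployment.
        Properties props = new Properties();
        props.setProperty("mail.smtp.host", "mail.example.com");
        props.setProperty("mail.smtp.starttls.enable", "true");
        props.setProperty("mail.imaps.ssl.checkserveridentity", "false");

        System.out.println("Before: " + findUnchecked(props));
        Properties hardened = harden(props);
        System.out.println("After:  " + findUnchecked(hardened));
        // Pass 'hardened' to Session.getInstance(...) when creating the mail session.
    }
}
```

The audit is deliberately conservative: it treats an unset key as unchecked, which matches the default described in the issue.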