Security fixes in SMTP_SSL and SMTP_TLS strategies

[cbarcenas]

• The SMTP_SSL and SMTP_TLS transport strategies now validate certificates
  by setting JavaMail's mail.<protocol>.ssl.checkserveridentity property
  to true.

  Previously, no identity validation was performed, leaving SMTPS and
  STARTTLS connections vulnerable to man-in-the-middle attacks. Without
  identity validation, JavaMail accepts any certificate issued by a
  JVM-trusted CA, regardless of the identity encoded in the certificate.

• The SMTP_TLS transport strategy now requires STARTTLS support by setting
  JavaMail's mail.smtp.starttls.required property to true.

  Previously, STARTTLS support was not required, enabling a man-in-the-middle
  attack whereby an attacker could strip the STARTTLS request from an SMTP
  connection, causing JavaMail to fall back to plaintext SMTP for
  authentication and email transport.

[cbarcenas]

It's worth noting that while having a certificate identity validation mechanism is required the STARTTLS/SMTPS RFCs, it's only "strongly recommended" by Oracle, who left it off "for compatibility with earlier releases of JavaMail". 🤦‍♂️ This is very dangerous default behavior - and it's no surprise that developers might miss this while building software on top of JavaMail.

RFC 2595 specifies addition checks that must be performed on the
server's certificate to ensure that the server you connected to is
the server you intended to connect to. This reduces the risk of
"man in the middle" attacks. For compatibility with earlier releases
of JavaMail, these additional checks are disabled by default. We
strongly recommend that you enable these checks when using SSL. To
enable these checks, set the "mail.<protocol>.ssl.checkserveridentity"
property to "true".

- "Server Identity Check", SSLNOTES.txt