
Allow disabling TLS hostname verification #4

Open · wants to merge 1 commit into base: master
Conversation

@kiall kiall commented Mar 10, 2018

This adds a new configuration option to disable TLS hostname verification. This allows TLS to be configured on but pointed at localhost, even though the IMAP server's TLS cert doesn't contain localhost as a SAN or CN.


kousu commented Apr 24, 2022

I thought about writing this too, but concluded that I would never need this.

If connecting to localhost I don't really need encryption anyway, and in any case most servers have their name in /etc/hosts like mail.yourdomain.com 127.0.0.1, so I can just talk to its public address and TLS will work correctly; if my server doesn't have the right line there, it's just as easy to add that line as this extra config line.

And if connecting to a remote server with a self-signed cert, it's about equal effort to install it in /etc/ssl/certs the conventional way, rather than opening yourself up to MITM; either:

# STARTTLS on port 143 (stdin redirected so s_client exits once the handshake is done instead of waiting for input)
openssl s_client -connect mail.example.org:143 -starttls imap -showcerts </dev/null | openssl x509 | sudo tee /etc/ssl/certs/mail.example.org.pem && sudo c_rehash

# or implicit TLS on port 993
openssl s_client -connect mail.example.org:993 -showcerts </dev/null | openssl x509 | sudo tee /etc/ssl/certs/mail.example.org.pem && sudo c_rehash


kousu commented Apr 24, 2022

Funny, looks like the author wanted this feature at some point? #1 (comment)

But in the 2022 version there is now no way to disable the hostname check, because every path uses ssl.create_default_context(), which implies cert verification:

import imaplib
import ssl

# (quoted from the project's connection setup; security, host and port
# come from the caller's configuration)
if security == "tls":
    port = 993 if port is None else port
    connection = imaplib.IMAP4_SSL(
        host=host, port=port,
        ssl_context=ssl.create_default_context())  # CERT_REQUIRED and check_hostname=True
else:
    port = 143 if port is None else port
    connection = imaplib.IMAP4(host=host, port=port)
    if security == "starttls":
        connection.starttls(ssl.create_default_context())  # same default context
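As an added example (not the project's code and not either commenter's), here is how the option kiall proposes would look on top of the three connection paths kousu quotes above. It relaxes only `check_hostname` and leaves `verify_mode` at `CERT_REQUIRED`, so the server must still present a certificate chaining to a trusted CA; it is just no longer required to name the host that was dialled. The names `build_context`, `connect`, `is_loopback` and `verify_hostname`, and the decision to refuse the downgrade for anything but loopback hosts, are this example's own assumptions and appear nowhere in the PR.

```python
import imaplib
import ipaddress
import socket
import ssl

# Hypothetical option (not from the project): verify_hostname=False keeps
# certificate verification on and only drops the hostname binding.


def build_context(verify_hostname=True):
    """Return a client TLS context for IMAP.

    ssl.create_default_context() gives verify_mode=CERT_REQUIRED and
    check_hostname=True. Relaxing only check_hostname means the peer must
    still present a certificate that chains to a trusted CA; an attacker
    without such a certificate still cannot MITM the session.
    """
    ctx = ssl.create_default_context()
    if not verify_hostname:
        ctx.check_hostname = False
    # Guard against the "TLS on, verification off" configuration the
    # option must never produce.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("certificate verification must stay enabled")
    return ctx


def context_summary(ctx):
    """Expose the two settings that matter, for inspection and tests."""
    return {"check_hostname": ctx.check_hostname,
            "verify_mode": ctx.verify_mode.name}


def cert_none_is_rejected():
    """The ssl module itself refuses CERT_NONE while check_hostname is on:
    a hostname check cannot run without a verified certificate."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def is_loopback(host):
    """True if host is 'localhost', a loopback IP literal, or resolves only
    to loopback addresses. Used here (a design choice of this example) to
    confine the hostname downgrade to the local case the PR describes."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass  # not an IP literal, resolve it below
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return False
    addrs = []
    for info in infos:
        try:
            addrs.append(ipaddress.ip_address(info[4][0]))
        except ValueError:
            return False
    return bool(addrs) and all(a.is_loopback for a in addrs)


def connect(host, port=None, security="tls", verify_hostname=True):
    """Same three paths as the project's quoted code, plus the new option.
    The loopback check runs before any socket is opened."""
    if not verify_hostname and not is_loopback(host):
        raise ValueError(
            "verify_hostname=False is only allowed for loopback hosts")
    if security == "tls":
        port = 993 if port is None else port
        return imaplib.IMAP4_SSL(host=host, port=port,
                                 ssl_context=build_context(verify_hostname))
    port = 143 if port is None else port
    connection = imaplib.IMAP4(host=host, port=port)
    if security == "starttls":
        connection.starttls(build_context(verify_hostname))
    return connection


def downgrade_refused(host):
    """True if connect() rejects verify_hostname=False for this host
    before touching the network."""
    try:
        connect(host, verify_hostname=False)
    except ValueError:
        return True
    return False
```

Usage: `connect("localhost", security="starttls", verify_hostname=False)` accepts a server certificate issued for mail.example.org by a trusted CA while still rejecting an untrusted one; `connect("192.0.2.10", verify_hostname=False)` is refused before connecting, because that host is not loopback.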
