X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/32bcb602b77fbf4a7a746f448663688694677adc..0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6:/doc/doc-docbook/spec.xfpt

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index abd235bae..e3684ba30 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -29242,8 +29242,14 @@ certificate verification to the listed servers.  Verification either must
 or need not succeed respectively.
 
 The &%tls_verify_cert_hostnames%& option lists hosts for which additional
-checks are made: that the host name (the one in the DNS A record)
-is valid for the certificate.
+name checks are made on the server certificate.
+.new
+The match against this list is, as per other Exim usage, the
+IP for the host.  That is most closely associated with the
+name on the DNS A (or AAAA) record for the host.
+However, the name that needs to be in the certificate
+is the one at the head of any CNAME chain leading to the A record.
+.wen
 The option defaults to always checking.
 
 The &(smtp)& transport has two OCSP-related options: