The SMTP server's certificate and hostname must be verified if
encryption is enabled with SSL verification in the host settings
(sendemail.smtpEncryption and sendemail.sslVerify).
SMTPSClient from Apache Commons Net used for SSL processing.
It has the following downside: if encryption is not required,
SMTPSClient is used in 'explicit' mode with the upgrade to TLS
never called. Thus, the client is somewhat misused.
However, this helps to avoid code duplication and we could use
AuthenticatingSMTPClient instead of custom auth.
Tested by running a local gerrit host with different [sendemail]
configuration for smtpServer/smtpServerPort/smtpEncryption/sslVerify
Traced the email notification to the point where SMTP server
fails/passes certificate/hostname verification.
Malicious server:
pass wrong-mail-host.sectests.net/465/SSL/false
fail wrong-mail-host.sectests.net/465/SSL/true
Valid SSL server:
pass smtp.laposte.net/465/SSL/true|false
Valid TLS server:
pass smtp.gmail.com/587/TLS/true|false
Bug: Issue 12629
Change-Id: I1755749da5006c3b56de010f953a79e25a5b7539
d0d5fe6566