-mistaken as a certificate name for www.good.example. The CA however
-would usually sign example.com and not care about the subdomain.
+mistaken as a certificate name for www.good.example. fetchmail also had
+this design and implementation flaw.
+
+Note that fetchmail should always be forced to use strict certificate
+validation through either of these option combinations:
+
+ --sslcertck --ssl --sslproto ssl3 (for service on SSL-wrapped ports)
+or
+ --sslcertck --sslproto tls1 (for STARTTLS-based services)
+
+(These are for the command line, in the rcfile, you will need to omit
+the respective leading --).
+
+The default is relaxed checking for compatibility with historic versions.