diff --git a/app-feature-preview/src/main/java/app/k9mail/feature/preview/auth/DefaultTrustedSocketFactory.java b/app-feature-preview/src/main/java/app/k9mail/feature/preview/auth/DefaultTrustedSocketFactory.java
index d4781e899..b5d5b82e3 100644
--- a/app-feature-preview/src/main/java/app/k9mail/feature/preview/auth/DefaultTrustedSocketFactory.java
+++ b/app-feature-preview/src/main/java/app/k9mail/feature/preview/auth/DefaultTrustedSocketFactory.java
@@ -14,6 +14,7 @@ import android.net.SSLCertificateSocketFactory;
 import android.os.Build;
 import android.text.TextUtils;
 
+import app.k9mail.core.common.net.HostNameUtils;
 import com.fsck.k9.mail.MessagingException;
 import com.fsck.k9.mail.ssl.TrustManagerFactory;
 import com.fsck.k9.mail.ssl.TrustedSocketFactory;
@@ -129,7 +130,10 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 
         hardenSocket(sslSocket);
 
-        setSniHost(socketFactory, sslSocket, host);
+        // RFC 6066 does not permit the use of literal IPv4 or IPv6 addresses as SNI hostnames.
+        if (HostNameUtils.INSTANCE.isLegalIPAddress(host) == null) {
+            setSniHost(socketFactory, sslSocket, host);
+        }
 
         return trustedSocket;
     }
diff --git a/app/core/src/main/java/com/fsck/k9/helper/DefaultTrustedSocketFactory.java b/app/core/src/main/java/com/fsck/k9/helper/DefaultTrustedSocketFactory.java
index 7ab0b258c..e83552af4 100644
--- a/app/core/src/main/java/com/fsck/k9/helper/DefaultTrustedSocketFactory.java
+++ b/app/core/src/main/java/com/fsck/k9/helper/DefaultTrustedSocketFactory.java
@@ -14,6 +14,7 @@ import android.net.SSLCertificateSocketFactory;
 import android.os.Build;
 import android.text.TextUtils;
 
+import app.k9mail.core.common.net.HostNameUtils;
 import com.fsck.k9.mail.MessagingException;
 import com.fsck.k9.mail.ssl.TrustManagerFactory;
 import com.fsck.k9.mail.ssl.TrustedSocketFactory;
@@ -129,7 +130,10 @@ public class DefaultTrustedSocketFactory implements TrustedSocketFactory {
 
         hardenSocket(sslSocket);
 
-        setSniHost(socketFactory, sslSocket, host);
+        // RFC 6066 does not permit the use of literal IPv4 or IPv6 addresses as SNI hostnames.
+        if (HostNameUtils.INSTANCE.isLegalIPAddress(host) == null) {
+            setSniHost(socketFactory, sslSocket, host);
+        }
 
         return trustedSocket;
     }