Set customize_hostname_check for Swoosh.Adapters.SMTP #861

Merged
floatingghost merged 1 commit from norm/akkoma:smtp-defaults-fix into develop 2025-01-05 15:43:16 +00:00
Contributor

This should hopefully fix issues with connecting to SMTP servers
with wildcard TLS certificates.

Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Fixes #660

norm added 1 commit 2024-12-17 23:35:26 +00:00
Set customize_hostname_check for Swoosh.Adapters.SMTP
615c52cdde
This should hopefully fix issues with connecting to SMTP servers
with wildcard TLS certificates.

Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Fixes #660

hm, i wonder, does this break non-ssl'd smtp connections? i doubt it but worth testing if we can

Member

It cannot ever break non-SSL connections since `common_tls_opts`, to which the new argument is added, are never applied to the final socket options if `ssl` is set to false *(a few lines below the shown context)*. Otherwise it would already break with the existing defaults.

However, when i added the defaults, comments in relevant threads suggested setting `server_name_indication` would already fix wildcard certificates; evidently this isn't the case here at least and tbh i was never sure why it should fix wildcard certs. Might be good to drop the wildcard comment from `server_name_indication` and just add it to the new setting here instead *(but keep the SNI setting; can't hurt to explicitly request the right domain)*

norm force-pushed smtp-defaults-fix from 615c52cdde to f19d5d1380 2024-12-18 19:37:35 +00:00 Compare
Oneric approved these changes 2024-12-18 19:57:16 +00:00
floatingghost merged commit 39cef8b8d2 into develop 2025-01-05 15:43:16 +00:00
floatingghost deleted branch smtp-defaults-fix 2025-01-05 15:43:17 +00:00
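
Added example, not part of this PR or Akkoma's code: the TLS client options discussed in this thread, plus a direct call to the match function that `customize_hostname_check` installs, showing which names a wildcard `dNSName` covers. Without a `match_fun`, Erlang's hostname check compares `dNSName` entries literally, so `*.example.com` never equals `smtp.example.com`. The module name, function names and hostnames are hypothetical.

```elixir
# Added illustration; SmtpTlsExample and its functions are hypothetical names.
defmodule SmtpTlsExample do
  # TLS client options for a certificate-verified connection to `relay`.
  def tls_opts(relay) when is_binary(relay) do
    [
      verify: :verify_peer,
      # Assumption: trust the OS certificate store (requires OTP 25 or newer).
      cacerts: :public_key.cacerts_get(),
      # SNI only tells the server which certificate to present.
      server_name_indication: String.to_charlist(relay),
      # This is what lets a wildcard dNSName pass the hostname check.
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  end

  # Asks the same match fun whether `presented` (a dNSName taken from a
  # certificate) covers `host`. The fun returns true, false or :default;
  # anything other than true is treated as "not covered" here.
  def wildcard_covers?(host, presented) do
    match_fun = :public_key.pkix_verify_hostname_match_fun(:https)

    match_fun.(
      {:dns_id, String.to_charlist(host)},
      {:dNSName, String.to_charlist(presented)}
    ) == true
  end
end

# Constructed hostnames. The wildcard stands for the leftmost label only,
# so a host one level deeper is not covered by the same certificate name.
for host <- ["smtp.example.com", "a.smtp.example.com"] do
  covered = SmtpTlsExample.wildcard_covers?(host, "*.example.com")
  IO.puts("#{host} covered by *.example.com: #{covered}")
end
```

Keeping `verify: :verify_peer` alongside the match function matters: the wildcard match only relaxes name comparison, while chain validation against the trust store stays in force.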