From b736086ab67f9a4d0b99f5288f9134764e5fb1b1 Mon Sep 17 00:00:00 2001
From: Norm
Date: Tue, 17 Dec 2024 18:30:01 -0500
Subject: [PATCH] Set customize_hostname_check for Swoosh.Adapters.SMTP

This should hopefully fix issues with connecting to SMTP servers with wildcard TLS certificates. Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl Fixes https://akkoma.dev/AkkomaGang/akkoma/issues/660
---
 lib/pleroma/emails/mailer.ex | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/pleroma/emails/mailer.ex b/lib/pleroma/emails/mailer.ex
index 6a79a7694..e4f53f715 100644
--- a/lib/pleroma/emails/mailer.ex
+++ b/lib/pleroma/emails/mailer.ex
@@ -86,6 +86,9 @@ defp default_config(Swoosh.Adapters.SMTP, conf, _) do
       verify: :verify_peer,
       # some versions have supposedly issues verifying wildcard certs without this
       server_name_indication: relay,
+      customize_hostname_check: [
+        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+      ],
       # the default of 10 is too restrictive
       depth: 32
     ]
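Review bot: The three added `customize_hostname_check` lines carry no comment, while the existing comment about wildcard certs still sits above `server_name_indication`, which is not the option that makes wildcard matching work; move or rewrite it next to the new option, e.g. `# OTP's default hostname check rejects wildcard certs; the :https match fun applies RFC 6125 matching (see erlef secure coding guide)`. The match fun only relaxes the hostname comparison — chain validation still rests on `verify: :verify_peer` (first context line) together with a trusted CA store, which if configured is outside this hunk and worth confirming. The reference name the match fun compares against is taken from `server_name_indication: relay`, so `relay` must be a DNS hostname rather than an IP literal for the check to be meaningful; that looks like a config-schema question rather than something this hunk can enforce. `default_config/3` begins and ends outside the hunk.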