Set customize_hostname_check for Swoosh.Adapters.SMTP

This should hopefully fix issues with connecting to SMTP servers with wildcard TLS certificates. Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl Fixes AkkomaGang/akkoma#660
2024-12-17 18:30:01 -05:00 · 2024-12-17 18:30:01 -05:00 · f19d5d1380
commit f19d5d1380
parent c0a99df06a
1 changed files with 7 additions and 1 deletions
--- a/lib/pleroma/emails/mailer.ex
+++ b/lib/pleroma/emails/mailer.ex
@ -84,8 +84,14 @@ defp default_config(Swoosh.Adapters.SMTP, conf, _) do
      cacerts: os_cacerts,
      versions: [:"tlsv1.2", :"tlsv1.3"],
      verify: :verify_peer,
-      # some versions have supposedly issues verifying wildcard certs without this
      server_name_indication: relay,
+      # This allows wildcard ceritifcates to be verified properly.
+      # The :https parameter simply means to use the HTTPS wildcard format
+      # (as opposed to say LDAP). SMTP servers tend to use the same type of
+      # certs as HTTPS ones so this should work for most.
+      customize_hostname_check: [
+        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+      ],
      # the default of 10 is too restrictive
      depth: 32
    ]