emailll
46f5ce8 · gmorell · 2026-05-15 03:26
Files changed
modified
config/runtime.exs
+19
−7
@@ -231,23 +231,35 @@ if config_env() == :prod do
| 231 | 231 | # itself). Matches Mobilizon's working pattern. |
| 232 | 232 | tls_versions = [:"tlsv1.2", :"tlsv1.3"] |
| 233 | 233 | |
| 234 | + # gen_smtp 1.2 has two distinct connection paths with different | |
| 235 | + # option keys: | |
| 236 | + # | |
| 237 | + # * `ssl: true` (port 465 implicit TLS) reads its TLS opts | |
| 238 | + # from `sockopts` — see gen_smtp_client.erl:848. `tls_options` | |
| 239 | + # is ignored on this path. | |
| 240 | + # * `tls: :always|:if_available` (STARTTLS upgrade) reads from | |
| 241 | + # `tls_options` — only used during do_STARTTLS. | |
| 242 | + # | |
| 243 | + # Without sockopts on the implicit-TLS path, OTP 28's `:ssl` | |
| 244 | + # falls through to its own defaults (verify_peer + | |
| 245 | + # `public_key.cacerts_get()` which returns `:undefined`) and | |
| 246 | + # bails with `{options, incompatible, [verify: verify_peer, | |
| 247 | + # cacerts: undefined]}`. Putting the same opts on both keys | |
| 248 | + # covers both relay setups. | |
| 249 | + ssl_opts = [{:versions, tls_versions} | tls_options] | |
| 250 | + | |
| 234 | 251 | [ |
| 235 | 252 | adapter: Swoosh.Adapters.SMTP, |
| 236 | 253 | relay: relay, |
| 237 | 254 | port: String.to_integer(System.get_env("SMTP_PORT", "587")), |
| 238 | 255 | username: System.get_env("SMTP_USERNAME"), |
| 239 | 256 | password: System.get_env("SMTP_PASSWORD"), |
| 240 | − # `tls` controls the STARTTLS upgrade after EHLO. On port 465 | |
| 241 | − # (`ssl: true`) the socket is already TLS — `:always` forces a | |
| 242 | − # second :ssl.connect with gen_smtp's bare defaults, which has | |
| 243 | − # `cacerts: :undefined` baked in and fails options validation. | |
| 244 | − # `:never` (with ssl: true) or `:if_available` (with port 587 | |
| 245 | − # STARTTLS) are both safe. | |
| 246 | 257 | tls: smtp_tri.("SMTP_TLS", "if_available"), |
| 247 | 258 | ssl: System.get_env("SMTP_SSL", "false") == "true", |
| 248 | 259 | auth: smtp_tri.("SMTP_AUTH", "if_available"), |
| 249 | 260 | allowed_tls_versions: tls_versions, |
| 250 | − tls_options: [{:versions, tls_versions} | tls_options], | |
| 261 | + sockopts: ssl_opts, | |
| 262 | + tls_options: ssl_opts, | |
| 251 | 263 | retries: 1, |
| 252 | 264 | no_mx_lookups: false |
| 253 | 265 | ] |
Parents: 79ed606