emails

4ac908f · gmorell · 2026-05-15 02:35

2 files +39 -6

Files changed

modified config/runtime.exs
+29 −6
@@ -167,8 +167,36 @@ if config_env() == :prod do
167 167 end
168 168 end
169 169
170 + # CA bundle for TLS verification. `:public_key.cacerts_get/0`
171 + # returns `:undefined` on some OTP/OS combos that haven't been pre-
172 + # loaded; pointing `ssl` at the file directly via `cacertfile` is
173 + # robust across debian-slim, alpine, etc. Override with
174 + # `SMTP_CACERTFILE` if your image puts the bundle elsewhere; set
175 + # `SMTP_TLS_VERIFY=verify_none` for self-signed / private relays
176 + # where you'd rather skip cert validation.
177 + smtp_cacertfile =
178 + System.get_env("SMTP_CACERTFILE", "/etc/ssl/certs/ca-certificates.crt")
179 +
180 + smtp_verify =
181 + case System.get_env("SMTP_TLS_VERIFY", "verify_peer") do
182 + v when v in ~w(verify_peer verify_none) -> String.to_existing_atom(v)
183 + other -> raise "SMTP_TLS_VERIFY must be verify_peer or verify_none, got: #{inspect(other)}"
184 + end
185 +
170 186 mailer_opts =
171 187 if relay = System.get_env("SMTP_RELAY") do
188 + tls_options =
189 + [
190 + verify: smtp_verify,
191 + server_name_indication: String.to_charlist(relay),
192 + depth: 99
193 + ] ++
194 + if smtp_verify == :verify_peer do
195 + [cacertfile: smtp_cacertfile]
196 + else
197 + []
198 + end
199 +
172 200 [
173 201 adapter: Swoosh.Adapters.SMTP,
174 202 relay: relay,
@@ -178,12 +206,7 @@ if config_env() == :prod do
178 206 tls: smtp_tri.("SMTP_TLS", "if_available"),
179 207 ssl: System.get_env("SMTP_SSL", "false") == "true",
180 208 auth: smtp_tri.("SMTP_AUTH", "if_available"),
181 tls_options: [
182 verify: :verify_peer,
183 cacerts: :public_key.cacerts_get(),
184 server_name_indication: String.to_charlist(relay),
185 depth: 99
186 ],
209 + tls_options: tls_options,
187 210 retries: 1,
188 211 no_mx_lookups: false
189 212 ]
modified smtp-secret.example.yml
+10 −0
@@ -55,6 +55,16 @@ data:
55 55 # AUTH; `if_available` is the safe default for mixed setups.
56 56 SMTP_AUTH: "always"
57 57
58 + # TLS cert verification:
59 + # * `verify_peer` (default) validates the relay's cert chain.
60 + # `SMTP_CACERTFILE` points at the system CA bundle; defaults to
61 + # `/etc/ssl/certs/ca-certificates.crt` (debian-slim). Override
62 + # if you ship the image on a different distro.
63 + # * `verify_none` skips validation entirely — only for self-signed
64 + # / private relays where you can't get the CA into the bundle.
65 + SMTP_TLS_VERIFY: "verify_peer"
66 + # SMTP_CACERTFILE: "/etc/ssl/certs/ca-certificates.crt"
67 +
58 68 # Optional From overrides. If unset the mailer defaults to
59 69 # "GitGud" <noreply@<PHX_HOST>>.
60 70 MAIL_FROM_NAME: "GitGud"

Parents: c87387d