emails
4ac908f · gmorell · 2026-05-15 02:35
Files changed
modified
config/runtime.exs
+29
−6
@@ -167,8 +167,36 @@ if config_env() == :prod do
| 167 | 167 | end |
| 168 | 168 | end |
| 169 | 169 | |
| 170 | + # CA bundle for TLS verification. `:public_key.cacerts_get/0` | |
| 171 | + # returns `:undefined` on some OTP/OS combos that haven't been pre- | |
| 172 | + # loaded; pointing `ssl` at the file directly via `cacertfile` is | |
| 173 | + # robust across debian-slim, alpine, etc. Override with | |
| 174 | + # `SMTP_CACERTFILE` if your image puts the bundle elsewhere; set | |
| 175 | + # `SMTP_TLS_VERIFY=verify_none` for self-signed / private relays | |
| 176 | + # where you'd rather skip cert validation. | |
| 177 | + smtp_cacertfile = | |
| 178 | + System.get_env("SMTP_CACERTFILE", "/etc/ssl/certs/ca-certificates.crt") | |
| 179 | + | |
| 180 | + smtp_verify = | |
| 181 | + case System.get_env("SMTP_TLS_VERIFY", "verify_peer") do | |
| 182 | + v when v in ~w(verify_peer verify_none) -> String.to_existing_atom(v) | |
| 183 | + other -> raise "SMTP_TLS_VERIFY must be verify_peer or verify_none, got: #{inspect(other)}" | |
| 184 | + end | |
| 185 | + | |
| 170 | 186 | mailer_opts = |
| 171 | 187 | if relay = System.get_env("SMTP_RELAY") do |
| 188 | + tls_options = | |
| 189 | + [ | |
| 190 | + verify: smtp_verify, | |
| 191 | + server_name_indication: String.to_charlist(relay), | |
| 192 | + depth: 99 | |
| 193 | + ] ++ | |
| 194 | + if smtp_verify == :verify_peer do | |
| 195 | + [cacertfile: smtp_cacertfile] | |
| 196 | + else | |
| 197 | + [] | |
| 198 | + end | |
| 199 | + | |
| 172 | 200 | [ |
| 173 | 201 | adapter: Swoosh.Adapters.SMTP, |
| 174 | 202 | relay: relay, |
@@ -178,12 +206,7 @@ if config_env() == :prod do
| 178 | 206 | tls: smtp_tri.("SMTP_TLS", "if_available"), |
| 179 | 207 | ssl: System.get_env("SMTP_SSL", "false") == "true", |
| 180 | 208 | auth: smtp_tri.("SMTP_AUTH", "if_available"), |
| 181 | − tls_options: [ | |
| 182 | − verify: :verify_peer, | |
| 183 | − cacerts: :public_key.cacerts_get(), | |
| 184 | − server_name_indication: String.to_charlist(relay), | |
| 185 | − depth: 99 | |
| 186 | − ], | |
| 209 | + tls_options: tls_options, | |
| 187 | 210 | retries: 1, |
| 188 | 211 | no_mx_lookups: false |
| 189 | 212 | ] |
modified
smtp-secret.example.yml
+10
−0
@@ -55,6 +55,16 @@ data:
| 55 | 55 | # AUTH; `if_available` is the safe default for mixed setups. |
| 56 | 56 | SMTP_AUTH: "always" |
| 57 | 57 | |
| 58 | + # TLS cert verification: | |
| 59 | + # * `verify_peer` (default) validates the relay's cert chain. | |
| 60 | + # `SMTP_CACERTFILE` points at the system CA bundle; defaults to | |
| 61 | + # `/etc/ssl/certs/ca-certificates.crt` (debian-slim). Override | |
| 62 | + # if you ship the image on a different distro. | |
| 63 | + # * `verify_none` skips validation entirely — only for self-signed | |
| 64 | + # / private relays where you can't get the CA into the bundle. | |
| 65 | + SMTP_TLS_VERIFY: "verify_peer" | |
| 66 | + # SMTP_CACERTFILE: "/etc/ssl/certs/ca-certificates.crt" | |
| 67 | + | |
| 58 | 68 | # Optional From overrides. If unset the mailer defaults to |
| 59 | 69 | # "GitGud" <noreply@<PHX_HOST>>. |
| 60 | 70 | MAIL_FROM_NAME: "GitGud" |
Parents: c87387d