emailll
79ed606 · gmorell · 2026-05-15 03:07
Files changed
modified
config/runtime.exs
+13
−1
@@ -226,16 +226,28 @@ if config_env() == :prod do
| 226 | 226 | [cacertfile: smtp_cacertfile] |
| 227 | 227 | end |
| 228 | 228 | |
| 229 | + # Pin modern TLS at both the top level (read by gen_smtp before | |
| 230 | + # it calls :ssl.connect) and inside tls_options (read by :ssl | |
| 231 | + # itself). Matches Mobilizon's working pattern. | |
| 232 | + tls_versions = [:"tlsv1.2", :"tlsv1.3"] | |
| 233 | + | |
| 229 | 234 | [ |
| 230 | 235 | adapter: Swoosh.Adapters.SMTP, |
| 231 | 236 | relay: relay, |
| 232 | 237 | port: String.to_integer(System.get_env("SMTP_PORT", "587")), |
| 233 | 238 | username: System.get_env("SMTP_USERNAME"), |
| 234 | 239 | password: System.get_env("SMTP_PASSWORD"), |
| 240 | + # `tls` controls the STARTTLS upgrade after EHLO. On port 465 | |
| 241 | + # (`ssl: true`) the socket is already TLS — `:always` forces a | |
| 242 | + # second :ssl.connect with gen_smtp's bare defaults, which has | |
| 243 | + # `cacerts: :undefined` baked in and fails options validation. | |
| 244 | + # `:never` (with ssl: true) or `:if_available` (with port 587 | |
| 245 | + # STARTTLS) are both safe. | |
| 235 | 246 | tls: smtp_tri.("SMTP_TLS", "if_available"), |
| 236 | 247 | ssl: System.get_env("SMTP_SSL", "false") == "true", |
| 237 | 248 | auth: smtp_tri.("SMTP_AUTH", "if_available"), |
| 238 | − tls_options: tls_options, | |
| 249 | + allowed_tls_versions: tls_versions, | |
| 250 | + tls_options: [{:versions, tls_versions} | tls_options], | |
| 239 | 251 | retries: 1, |
| 240 | 252 | no_mx_lookups: false |
| 241 | 253 | ] |
modified
smtp-secret.example.yml
+20
−11
@@ -38,18 +38,27 @@ metadata:
| 38 | 38 | name: smtp-config |
| 39 | 39 | namespace: git-gud |
| 40 | 40 | data: |
| 41 | − # Host + port for the submission endpoint. 587 is the conventional | |
| 42 | − # STARTTLS-submission port; 465 is implicit TLS (set SMTP_SSL=true | |
| 43 | − # below if you use 465). 25 is plaintext and almost always blocked. | |
| 41 | + # Host + port for the submission endpoint. Two common combos: | |
| 42 | + # | |
| 43 | + # Port 465 (implicit TLS — modern default for most managed relays): | |
| 44 | + # SMTP_PORT: "465" | |
| 45 | + # SMTP_SSL: "true" | |
| 46 | + # SMTP_TLS: "never" | |
| 47 | + # | |
| 48 | + # Port 587 (STARTTLS submission): | |
| 49 | + # SMTP_PORT: "587" | |
| 50 | + # SMTP_SSL: "false" | |
| 51 | + # SMTP_TLS: "if_available" # or :always to require STARTTLS | |
| 52 | + # | |
| 53 | + # Important: with `SMTP_SSL: "true"` (port 465) you MUST set | |
| 54 | + # `SMTP_TLS: "never"` — `always` triggers a second :ssl.connect | |
| 55 | + # over an already-TLS socket with gen_smtp's bare defaults, which | |
| 56 | + # fails options validation. 25 is plaintext and almost always | |
| 57 | + # blocked on the egress side. | |
| 44 | 58 | SMTP_RELAY: "smtp.example.com" |
| 45 | − SMTP_PORT: "587" | |
| 46 | − | |
| 47 | − # TLS / SSL knobs. `tls` does STARTTLS upgrade; `ssl` is implicit | |
| 48 | − # TLS from connect (port 465 style). One of: always | if_available | | |
| 49 | − # never. `if_available` is a sensible default for submission-port | |
| 50 | − # relays that may or may not advertise STARTTLS. | |
| 51 | − SMTP_TLS: "always" | |
| 52 | − SMTP_SSL: "false" | |
| 59 | + SMTP_PORT: "465" | |
| 60 | + SMTP_SSL: "true" | |
| 61 | + SMTP_TLS: "never" | |
| 53 | 62 | |
| 54 | 63 | # SMTP AUTH knob. `always` will fail if the server doesn't advertise |
| 55 | 64 | # AUTH; `if_available` is the safe default for mixed setups. |
Parents: 0d14c0d