emailll

79ed606 · gmorell · 2026-05-15 03:07

2 files +33 -12

Files changed

modified config/runtime.exs
+13 −1
@@ -226,16 +226,28 @@ if config_env() == :prod do
226 226 [cacertfile: smtp_cacertfile]
227 227 end
228 228
229 + # Pin modern TLS at both the top level (read by gen_smtp before
230 + # it calls :ssl.connect) and inside tls_options (read by :ssl
231 + # itself). Matches Mobilizon's working pattern.
232 + tls_versions = [:"tlsv1.2", :"tlsv1.3"]
233 +
229 234 [
230 235 adapter: Swoosh.Adapters.SMTP,
231 236 relay: relay,
232 237 port: String.to_integer(System.get_env("SMTP_PORT", "587")),
233 238 username: System.get_env("SMTP_USERNAME"),
234 239 password: System.get_env("SMTP_PASSWORD"),
240 + # `tls` controls the STARTTLS upgrade after EHLO. On port 465
241 + # (`ssl: true`) the socket is already TLS — `:always` forces a
242 + # second :ssl.connect with gen_smtp's bare defaults, which has
243 + # `cacerts: :undefined` baked in and fails options validation.
244 + # `:never` (with ssl: true) or `:if_available` (with port 587
245 + # STARTTLS) are both safe.
235 246 tls: smtp_tri.("SMTP_TLS", "if_available"),
236 247 ssl: System.get_env("SMTP_SSL", "false") == "true",
237 248 auth: smtp_tri.("SMTP_AUTH", "if_available"),
238 tls_options: tls_options,
249 + allowed_tls_versions: tls_versions,
250 + tls_options: [{:versions, tls_versions} | tls_options],
239 251 retries: 1,
240 252 no_mx_lookups: false
241 253 ]
modified smtp-secret.example.yml
+20 −11
@@ -38,18 +38,27 @@ metadata:
38 38 name: smtp-config
39 39 namespace: git-gud
40 40 data:
41 # Host + port for the submission endpoint. 587 is the conventional
42 # STARTTLS-submission port; 465 is implicit TLS (set SMTP_SSL=true
43 # below if you use 465). 25 is plaintext and almost always blocked.
41 + # Host + port for the submission endpoint. Two common combos:
42 + #
43 + # Port 465 (implicit TLS — modern default for most managed relays):
44 + # SMTP_PORT: "465"
45 + # SMTP_SSL: "true"
46 + # SMTP_TLS: "never"
47 + #
48 + # Port 587 (STARTTLS submission):
49 + # SMTP_PORT: "587"
50 + # SMTP_SSL: "false"
51 + # SMTP_TLS: "if_available" # or :always to require STARTTLS
52 + #
53 + # Important: with `SMTP_SSL: "true"` (port 465) you MUST set
54 + # `SMTP_TLS: "never"` — `always` triggers a second :ssl.connect
55 + # over an already-TLS socket with gen_smtp's bare defaults, which
56 + # fails options validation. 25 is plaintext and almost always
57 + # blocked on the egress side.
44 58 SMTP_RELAY: "smtp.example.com"
45 SMTP_PORT: "587"
46
47 # TLS / SSL knobs. `tls` does STARTTLS upgrade; `ssl` is implicit
48 # TLS from connect (port 465 style). One of: always | if_available |
49 # never. `if_available` is a sensible default for submission-port
50 # relays that may or may not advertise STARTTLS.
51 SMTP_TLS: "always"
52 SMTP_SSL: "false"
59 + SMTP_PORT: "465"
60 + SMTP_SSL: "true"
61 + SMTP_TLS: "never"
53 62
54 63 # SMTP AUTH knob. `always` will fail if the server doesn't advertise
55 64 # AUTH; `if_available` is the safe default for mixed setups.

Parents: 0d14c0d