diff --git a/.env.template b/.env.template
index 9bbe0fa33c..7417d0ba85 100644
--- a/.env.template
+++ b/.env.template
@@ -529,6 +529,9 @@
## Paths to PEM files, separated by semicolons
# SMTP_ADDITIONAL_ROOT_CERTS=
+## Use system root certificate store for TLS host verification
+# SMTP_USE_SYSTEM_ROOT_CERTS=true
+
##########################
### Rocket settings ###
##########################
diff --git a/src/config.rs b/src/config.rs
index 49d64bc192..a4470aeafd 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -676,6 +676,8 @@ make_config! {
smtp_accept_invalid_hostnames: bool, true, def, false;
/// Accept additional root certs |> Paths to PEM files, separated by semicolons
smtp_additional_root_certs: String, true, option;
+ /// Use system root certificate store for TLS host verification
+ smtp_use_system_root_certs: bool, true, def, true;
},
/// Email 2FA Settings
diff --git a/src/mail.rs b/src/mail.rs
index 1fa92e1ee6..a481df081f 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -7,7 +7,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
use lettre::{
message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
- transport::smtp::client::{Certificate, Tls, TlsParameters},
+ transport::smtp::client::{Certificate, CertificateStore, Tls, TlsParameters},
transport::smtp::extension::ClientId,
Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
};
@@ -67,6 +67,9 @@ fn smtp_transport() -> AsyncSmtpTransport {
tls_parameters = tls_parameters.add_root_certificate(cert.clone());
}
}
+ if !CONFIG.smtp_use_system_root_certs() {
+ tls_parameters = tls_parameters.certificate_store(CertificateStore::None);
+ }
let tls_parameters = tls_parameters.build().unwrap();
if CONFIG.smtp_security() == *"force_tls" {
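Review bot: The doc comment on the new `smtp_use_system_root_certs` entry in the `make_config!` block says the option controls "TLS host verification", but what it actually toggles (see the mail.rs hunk) is which root store is used to validate the SMTP server's certificate chain; hostname checking is governed separately by `smtp_accept_invalid_hostnames` on the line just above, so the current wording will lead operators to confuse the two. I would reword it to `/// Use the system root certificate store to validate the SMTP server certificate chain; set to false to trust only the certs listed in SMTP_ADDITIONAL_ROOT_CERTS` and mirror the same wording in the .env.template hunk, which currently repeats the imprecise phrase. It would also help to state the fail-closed consequence in the comment: with this false and no additional roots configured, every TLS connection to the SMTP server is rejected. The `make_config!` invocation starts and ends outside the hunk.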
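Review bot: In the second mail.rs hunk, `CertificateStore::None` leaves the transport with no trust anchors at all unless the preceding `add_root_certificate` loop actually added something, so an operator who sets SMTP_USE_SYSTEM_ROOT_CERTS=false without SMTP_ADDITIONAL_ROOT_CERTS only finds out at first send, via a TLS error, and the tempting workaround at that point is `smtp_accept_invalid_certs=true`, which disables validation entirely. Fail-closed is the right default, but the misconfiguration should be surfaced at startup: reject or warn on the combination wherever the project validates config (outside this hunk, if it exists), or at minimum guard it here as sketched below (assuming the `log` macros are in scope as elsewhere in the crate and that `smtp_additional_root_certs()` returns an `Option`, as the `option` kind in config.rs suggests). Whether `CertificateStore::None` is honored by the native-tls backend as well as rustls depends on the lettre version pinned in Cargo.toml, which I cannot see, and is worth confirming. `smtp_transport` starts and ends outside the hunk, and the pre-existing `.build().unwrap()` on the following context line means any builder failure panics rather than surfacing as an error.
```rust
    // … unchanged: loading of SMTP_ADDITIONAL_ROOT_CERTS …
    if !CONFIG.smtp_use_system_root_certs() {
        // With the system store disabled the trust anchors are exactly the
        // configured additional roots; none configured means nothing can validate.
        if CONFIG.smtp_additional_root_certs().is_none() {
            warn!("SMTP_USE_SYSTEM_ROOT_CERTS is false and no SMTP_ADDITIONAL_ROOT_CERTS are configured; SMTP TLS connections will fail certificate validation");
        }
        tls_parameters = tls_parameters.certificate_store(CertificateStore::None);
    }
```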