diff --git a/.env.template b/.env.template index 0189cc7a96..7417d0ba85 100644 --- a/.env.template +++ b/.env.template @@ -525,6 +525,13 @@ ## Only use this as a last resort if you are not able to use a valid certificate. # SMTP_ACCEPT_INVALID_HOSTNAMES=false +## Accept additional root certs +## Paths to PEM files, separated by semicolons +# SMTP_ADDITIONAL_ROOT_CERTS= + +## Use system root certificate store for TLS host verification +# SMTP_USE_SYSTEM_ROOT_CERTS=true + ########################## ### Rocket settings ### ########################## diff --git a/src/config.rs b/src/config.rs index 489a229d6a..ebdb56e590 100644 --- a/src/config.rs +++ b/src/config.rs @@ -3,6 +3,7 @@ use std::process::exit; use std::sync::RwLock; use job_scheduler_ng::Schedule; +use lettre::transport::smtp::client::Certificate; use once_cell::sync::Lazy; use reqwest::Url; @@ -674,6 +675,10 @@ make_config! { smtp_accept_invalid_certs: bool, true, def, false; /// Accept Invalid Hostnames (Know the risks!) |> DANGEROUS: Allow invalid hostnames. This option introduces significant vulnerabilities to man-in-the-middle attacks! smtp_accept_invalid_hostnames: bool, true, def, false; + /// Accept additional root certs |> Paths to PEM files, separated by semicolons + smtp_additional_root_certs: String, true, option; + /// Use system root certificate store for TLS host verification + smtp_use_system_root_certs: bool, true, def, true; }, /// Email 2FA Settings @@ -886,6 +891,11 @@ fn validate_config(cfg: &ConfigItems) -> Result<(), Error> { if cfg._enable_email_2fa && cfg.email_token_size < 6 { err!("`EMAIL_TOKEN_SIZE` has a minimum size of 6") } + + if let Some(additional_root_cert_paths) = &cfg.smtp_additional_root_certs { + let certificates = load_certificates(additional_root_cert_paths.as_str())?; + *SMTP_ADDITIONAL_ROOT_CERTS.write().unwrap() = certificates; + } } if cfg._enable_email_2fa && !(cfg.smtp_host.is_some() || cfg.use_sendmail) { @@ -1018,6 +1028,24 @@ fn generate_smtp_img_src(embed_images: bool, domain: &str) -> String { } } +pub static SMTP_ADDITIONAL_ROOT_CERTS: RwLock> = RwLock::new(Vec::new()); + +fn load_certificates(smtp_additional_root_certs: &str) -> Result, Error> { + smtp_additional_root_certs + .split(';') + .filter(|path| !path.is_empty()) + .map(|path| { + let cert = match std::fs::read(path) { + Ok(cert) => cert, + Err(e) => { + err!(format!("Error loading additional SMTP root certificate file {path}.\n{e}")) + } + }; + Certificate::from_pem(&cert).or_else(|e| err!(format!("Error decoding certificate file {path}.\n{e}"))) + }) + .collect() +} + /// Generate the correct URL for the icon service. /// This will be used within icons.rs to call the external icon service. fn generate_icon_service_url(icon_service: &str) -> String { diff --git a/src/mail.rs b/src/mail.rs index 151554a1fd..7d960c1ad4 100644 --- a/src/mail.rs +++ b/src/mail.rs @@ -6,7 +6,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC}; use lettre::{ message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart}, transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism}, - transport::smtp::client::{Tls, TlsParameters}, + transport::smtp::client::{CertificateStore, Tls, TlsParameters}, transport::smtp::extension::ClientId, Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor, }; @@ -17,6 +17,7 @@ use crate::{ encode_jwt, generate_delete_claims, generate_emergency_access_invite_claims, generate_invite_claims, generate_verify_email_claims, }, + config::SMTP_ADDITIONAL_ROOT_CERTS, error::Error, CONFIG, }; @@ -46,6 +47,12 @@ fn smtp_transport() -> AsyncSmtpTransport { if CONFIG.smtp_accept_invalid_certs() { tls_parameters = tls_parameters.dangerous_accept_invalid_certs(true); } + for cert in &*SMTP_ADDITIONAL_ROOT_CERTS.read().unwrap() { + tls_parameters = tls_parameters.add_root_certificate(cert.clone()); + } + if !CONFIG.smtp_use_system_root_certs() { + tls_parameters = tls_parameters.certificate_store(CertificateStore::None); + } let tls_parameters = tls_parameters.build().unwrap(); if CONFIG.smtp_security() == *"force_tls" {