mirror of
https://github.com/dani-garcia/vaultwarden
Add config for additional SMTP TLS root certs
parent
2ad33ec97f
commit
ad4d962fa6
3 changed files with 28 additions and 1 deletions
|
@ -525,6 +525,10 @@
|
|||
## Only use this as a last resort if you are not able to use a valid certificate.
|
||||
# SMTP_ACCEPT_INVALID_HOSTNAMES=false
|
||||
|
||||
## Accept additional root certs
|
||||
## Paths to PEM files, separated by semicolons
|
||||
# SMTP_ADDITIONAL_ROOT_CERTS=
|
||||
|
||||
##########################
|
||||
### Rocket settings ###
|
||||
##########################
|
||||
|
|
|
@ -674,6 +674,8 @@ make_config! {
|
|||
smtp_accept_invalid_certs: bool, true, def, false;
|
||||
/// Accept Invalid Hostnames (Know the risks!) |> DANGEROUS: Allow invalid hostnames. This option introduces significant vulnerabilities to man-in-the-middle attacks!
|
||||
smtp_accept_invalid_hostnames: bool, true, def, false;
|
||||
/// Accept additional root certs |> Paths to PEM files, separated by semicolons
|
||||
smtp_additional_root_certs: String, true, option;
|
||||
},
|
||||
|
||||
/// Email 2FA Settings
|
||||
|
|
23
src/mail.rs
|
@ -1,12 +1,13 @@
|
|||
use std::str::FromStr;
|
||||
|
||||
use chrono::NaiveDateTime;
|
||||
use once_cell::sync::Lazy;
|
||||
use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
|
||||
|
||||
use lettre::{
|
||||
message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
|
||||
transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
|
||||
transport::smtp::client::{Tls, TlsParameters},
|
||||
transport::smtp::client::{Certificate, Tls, TlsParameters},
|
||||
transport::smtp::extension::ClientId,
|
||||
Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
|
||||
};
|
||||
|
@ -29,6 +30,21 @@ fn sendmail_transport() -> AsyncSendmailTransport<Tokio1Executor> {
|
|||
}
|
||||
}
|
||||
|
||||
static SMTP_ADDITIONAL_ROOT_CERTS: Lazy<Option<Vec<Certificate>>> = Lazy::new(|| {
|
||||
Some(
|
||||
CONFIG
|
||||
.smtp_additional_root_certs()?
|
||||
.split(';')
|
||||
.filter(|path| !path.is_empty())
|
||||
.map(|path| {
|
||||
let cert = std::fs::read(path)
|
||||
.unwrap_or_else(|e| panic!("Error loading additional SMTP root certificate file {path}.\n{e}"));
|
||||
Certificate::from_pem(&cert).unwrap_or_else(|e| panic!("Error decoding certificate file {path}.\n{e}"))
|
||||
})
|
||||
.collect(),
|
||||
)
|
||||
});
|
||||
|
||||
fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
|
||||
use std::time::Duration;
|
||||
let host = CONFIG.smtp_host().unwrap();
|
||||
|
@ -46,6 +62,11 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
|
|||
if CONFIG.smtp_accept_invalid_certs() {
|
||||
tls_parameters = tls_parameters.dangerous_accept_invalid_certs(true);
|
||||
}
|
||||
if let Some(ref certs) = *SMTP_ADDITIONAL_ROOT_CERTS {
|
||||
for cert in certs {
|
||||
tls_parameters = tls_parameters.add_root_certificate(cert.clone());
|
||||
}
|
||||
}
|
||||
let tls_parameters = tls_parameters.build().unwrap();
|
||||
|
||||
if CONFIG.smtp_security() == *"force_tls" {
|
||||
|
|
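Review bot: The panics in the `SMTP_ADDITIONAL_ROOT_CERTS` initializer fire on first dereference, which in the visible code is inside `smtp_transport()`, so an unreadable or malformed PEM path is only discovered when mail is first sent, and a `Lazy` whose initializer panicked stays poisoned, so later sends panic as well. Forcing the value during startup, e.g. `Lazy::force(&SMTP_ADDITIONAL_ROOT_CERTS);` next to the other configuration checks (not visible on this page), would turn a bad path into a clear boot-time failure instead. The split on `;` keeps surrounding whitespace, so a value like `a.pem; b.pem` fails on the second entry; adding `.map(str::trim)` before `.filter(|path| !path.is_empty())` would tolerate that. Every certificate loaded here becomes a trust anchor for the SMTP TLS connection, so I would add a comment on the static such as `// Extra trust anchors for SMTP TLS; the listed files must be writable only by the service administrator.` The body of `smtp_transport()` starts and ends outside the hunks shown.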