mirror of https://github.com/dani-garcia/vaultwarden synced 2024-11-13 21:41:43 +01:00

Add config for additional SMTP TLS root certs

Josef Schönberger 2024-02-27 15:33:32 +01:00 committed by Mathijs van Veluw
parent 2ad33ec97f
commit ad4d962fa6
3 changed files with 28 additions and 1 deletions


@ -525,6 +525,10 @@
## Only use this as a last resort if you are not able to use a valid certificate.
# SMTP_ACCEPT_INVALID_HOSTNAMES=false
## Accept additional root certs
## Paths to PEM files, separated by semicolons
# SMTP_ADDITIONAL_ROOT_CERTS=
##########################
### Rocket settings ###
##########################


@ -674,6 +674,8 @@ make_config! {
smtp_accept_invalid_certs: bool, true, def, false;
/// Accept Invalid Hostnames (Know the risks!) |> DANGEROUS: Allow invalid hostnames. This option introduces significant vulnerabilities to man-in-the-middle attacks!
smtp_accept_invalid_hostnames: bool, true, def, false;
/// Accept additional root certs |> Paths to PEM files, separated by semicolons
smtp_additional_root_certs: String, true, option;
},
/// Email 2FA Settings
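Review bot: The help text for `smtp_additional_root_certs` does not say what listing a file means for trust, while the neighbouring options spell out their risk. Each certificate listed is handed to `add_root_certificate` in the mail transport, so it becomes a trust anchor for the SMTP TLS connection. I would state that in the description, e.g. `/// Accept additional root certs |> Paths to PEM files, separated by semicolons. Each certificate is trusted as a root CA for SMTP TLS; only list files you control`. The enclosing `make_config!` block starts and ends outside this section.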


@ -1,12 +1,13 @@
use std::str::FromStr;
use chrono::NaiveDateTime;
use once_cell::sync::Lazy;
use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
use lettre::{
message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
transport::smtp::client::{Tls, TlsParameters},
transport::smtp::client::{Certificate, Tls, TlsParameters},
transport::smtp::extension::ClientId,
Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
};
@ -29,6 +30,21 @@ fn sendmail_transport() -> AsyncSendmailTransport<Tokio1Executor> {
}
}
static SMTP_ADDITIONAL_ROOT_CERTS: Lazy<Option<Vec<Certificate>>> = Lazy::new(|| {
Some(
CONFIG
.smtp_additional_root_certs()?
.split(';')
.filter(|path| !path.is_empty())
.map(|path| {
let cert = std::fs::read(path)
.unwrap_or_else(|e| panic!("Error loading additional SMTP root certificate file {path}.\n{e}"));
Certificate::from_pem(&cert).unwrap_or_else(|e| panic!("Error decoding certificate file {path}.\n{e}"))
})
.collect(),
)
});
fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
use std::time::Duration;
let host = CONFIG.smtp_host().unwrap();
@ -46,6 +62,11 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
if CONFIG.smtp_accept_invalid_certs() {
tls_parameters = tls_parameters.dangerous_accept_invalid_certs(true);
}
if let Some(ref certs) = *SMTP_ADDITIONAL_ROOT_CERTS {
for cert in certs {
tls_parameters = tls_parameters.add_root_certificate(cert.clone());
}
}
let tls_parameters = tls_parameters.build().unwrap();
if CONFIG.smtp_security() == *"force_tls" {
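Review bot: The `SMTP_ADDITIONAL_ROOT_CERTS` initializer panics on an unreadable or undecodable file, and because it is a `Lazy` dereferenced only inside `smtp_transport()`, a bad path surfaces when the transport is first built rather than when the configuration is loaded (assuming nothing outside this diff touches the static earlier). A `once_cell` `Lazy` whose initializer panicked stays poisoned, so every later access would panic as well. Consider checking the files during config validation, or forcing the static at startup, so a misconfigured trust anchor fails fast and visibly. Separately, the split entries are not trimmed, so `a.pem; b.pem` yields a path with a leading space; adding `.map(str::trim)` before the `.filter(|path| !path.is_empty())` would handle that. `smtp_transport`'s body continues outside the hunk.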