silverwind closed 1 year ago
It's difficult either way, is skip_verify not good enough for you?
Yeah, I do work around using PLUGIN_SKIP_VERIFY and it's sufficient for my case, but it's also not ideal from a security perspective. It's more of a "nice to have" feature.
Actually, golang does load certs from the OS (https://stackoverflow.com/a/40051432/808699), so it should be possible to just add the CAs to the OS store to solve.
When the SMTP server's certificate (STARTTLS or SMTPS) is on a private CA, TLS verification will fail. I think an option could be added to specify one or more PEM certificates in plain text form in a EMAIL_ADDITIONAL_CA_CERTS which would extend the list of OS certificates in use, e.g.

Another option could be to load from a file, but I see it challenging to even transfer a file into the docker environment for this purpose.
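The approach proposed in the issue, sketched in Go as an added example (not code from this thread or from the plugin): PEM certificates from the proposed EMAIL_ADDITIONAL_CA_CERTS variable are appended to a copy of the OS trust store while certificate verification stays enabled. The function names, the host name and the throwaway CA are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// tlsConfigWithExtraCAs (hypothetical helper) adds extraPEM CAs to the OS trust store.
func tlsConfigWithExtraCAs(serverName, extraPEM string) (*tls.Config, error) {
	pool, err := x509.SystemCertPool() // returns a copy; the OS store is not modified
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable OS store: trust only the extra CAs
	}
	if extraPEM != "" && !pool.AppendCertsFromPEM([]byte(extraPEM)) {
		return nil, fmt.Errorf("EMAIL_ADDITIONAL_CA_CERTS holds no valid PEM certificate")
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName}, nil // verification stays on
}

// constructedCA builds a throwaway self-signed CA as constructed sample input.
func constructedCA() (string, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject:   pkix.Name{CommonName: "constructed private CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), cert
}

// trusts reports whether cert chains to a root in cfg.RootCAs.
func trusts(cfg *tls.Config, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs})
	return err == nil
}

func main() {
	cfg, err := tlsConfigWithExtraCAs("smtp.example.internal", os.Getenv("EMAIL_ADDITIONAL_CA_CERTS"))
	fmt.Println(cfg != nil, err)
}
```

Rejecting a non-empty value that contains no parsable certificate makes a mangled multi-line variable fail loudly instead of silently falling back to the OS store alone.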