tsmethurst
commented
3 weeks ago Oh strange I thought we had this already but I see now indeed it only works if the mail server seems to be on localhost, which doesn't work with containers. After 0.16.0 is out we can add an option for this :)
Is your feature request related to a problem ?
In an environment where internal container-to-container networking is used to connect to the SMTP server, the certificate being presented will be for external use, not within-Docker-network use. So you'll get an error such as
Code 422 Unprocessable Entity: tls: failed to verify certificate: x509: cannot validate certificate for 172.30.42.6 because it doesn't contain any IP SANsOr if you use the named Docker network DNS you'll get
Code 422 Unprocessable Entity: tls: failed to verify certificate: x509: certificate is valid for <domains>, not <smtp_host>The point of using internal networking is specifically to allow trusted relay on the SMTP server side, but a verified cert can't have the internal IP in its SANs for the obvious reason that the IP can't be verified by external entities.
Describe the solution you'd like.
Need an option to turn off TLS cert validation for SMTP when using a trusted host.
Alternatively, if the smtp_host is an IP in the trusted_proxies network, that could be another way to declare the trusted nature without another option. (But this feels like overloading an option too much with hidden behavior.)
Describe alternatives you've considered.
Hairpinning through the host's networking using socat proxy sort-of works but it's really a nasty hack.
Additional context.
No response