From f19d5d13809f044580018d1ff65fa41e0335fa31 Mon Sep 17 00:00:00 2001
From: Norm <normandy@biribiri.dev>
Date: Tue, 17 Dec 2024 18:30:01 -0500
Subject: [PATCH] Set customize_hostname_check for Swoosh.Adapters.SMTP

This should hopefully fix issues with connecting to SMTP servers
with wildcard TLS certificates.

Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Fixes https://akkoma.dev/AkkomaGang/akkoma/issues/660
---
 lib/pleroma/emails/mailer.ex | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/pleroma/emails/mailer.ex b/lib/pleroma/emails/mailer.ex
index 6a79a7694..af513f1f1 100644
--- a/lib/pleroma/emails/mailer.ex
+++ b/lib/pleroma/emails/mailer.ex
@@ -84,8 +84,14 @@ defmodule Pleroma.Emails.Mailer do
       cacerts: os_cacerts,
       versions: [:"tlsv1.2", :"tlsv1.3"],
       verify: :verify_peer,
-      # some versions have supposedly issues verifying wildcard certs without this
       server_name_indication: relay,
+      # This allows wildcard ceritifcates to be verified properly.
+      # The :https parameter simply means to use the HTTPS wildcard format
+      # (as opposed to say LDAP). SMTP servers tend to use the same type of
+      # certs as HTTPS ones so this should work for most.
+      customize_hostname_check: [
+        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+      ],
       # the default of 10 is too restrictive
       depth: 32
     ]