From 8399c5470dd4bacf00a946154359eca22aedbc4a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20Sch=C3=B6nberger?= <josef.schoenberger@tum.de>
Date: Tue, 27 Feb 2024 15:42:13 +0100
Subject: [PATCH] Add config to disable system root cert store

---
 .env.template | 3 +++
 src/config.rs | 2 ++
 src/mail.rs   | 5 ++++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/.env.template b/.env.template
index 9bbe0fa3..7417d0ba 100644
--- a/.env.template
+++ b/.env.template
@@ -529,6 +529,9 @@
 ## Paths to PEM files, separated by semicolons
 # SMTP_ADDITIONAL_ROOT_CERTS=
 
+## Use system root certificate store for TLS host verification
+# SMTP_USE_SYSTEM_ROOT_CERTS=true
+
 ##########################
 ### Rocket settings ###
 ##########################
diff --git a/src/config.rs b/src/config.rs
index c99e05a2..ebdb56e5 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -677,6 +677,8 @@ make_config! {
         smtp_accept_invalid_hostnames: bool,   true,   def,     false;
         /// Accept additional root certs |> Paths to PEM files, separated by semicolons
         smtp_additional_root_certs:    String, true,   option;
+        /// Use system root certificate store for TLS host verification
+        smtp_use_system_root_certs:    bool,   true,   def,     true;
     },
 
     /// Email 2FA Settings
diff --git a/src/mail.rs b/src/mail.rs
index 17c50969..7d960c1a 100644
--- a/src/mail.rs
+++ b/src/mail.rs
@@ -6,7 +6,7 @@ use percent_encoding::{percent_encode, NON_ALPHANUMERIC};
 use lettre::{
     message::{Attachment, Body, Mailbox, Message, MultiPart, SinglePart},
     transport::smtp::authentication::{Credentials, Mechanism as SmtpAuthMechanism},
-    transport::smtp::client::{Tls, TlsParameters},
+    transport::smtp::client::{CertificateStore, Tls, TlsParameters},
     transport::smtp::extension::ClientId,
     Address, AsyncSendmailTransport, AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 };
@@ -50,6 +50,9 @@ fn smtp_transport() -> AsyncSmtpTransport<Tokio1Executor> {
         for cert in &*SMTP_ADDITIONAL_ROOT_CERTS.read().unwrap() {
             tls_parameters = tls_parameters.add_root_certificate(cert.clone());
         }
+        if !CONFIG.smtp_use_system_root_certs() {
+            tls_parameters = tls_parameters.certificate_store(CertificateStore::None);
+        }
         let tls_parameters = tls_parameters.build().unwrap();
 
         if CONFIG.smtp_security() == *"force_tls" {