From 982c32991827315fe00d79344a3fbc0807ea427b Mon Sep 17 00:00:00 2001
From: Lakhan Samani
Date: Sat, 4 Apr 2026 11:06:25 +0530
Subject: [PATCH] fix(email): set explicit TLS ServerName for SMTP verification

When SMTP TLS verification is enabled (default), the TLS config now explicitly sets ServerName to match the SMTP host, ensuring proper certificate hostname verification.

Fixes: M10 (Medium)
---
 internal/email/email.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/email/email.go b/internal/email/email.go
index ac215be6..de170e0c 100644
--- a/internal/email/email.go
+++ b/internal/email/email.go
@@ -46,7 +46,9 @@ func New(
 mailer.LocalName = config.SMTPLocalName
 }
 if config.SMTPSkipTLSVerification {
- mailer.TLSConfig = &tls.Config{InsecureSkipVerify: true}
+ mailer.TLSConfig = &tls.Config{InsecureSkipVerify: true} //nolint:gosec // explicit opt-in for dev/testing
+ } else {
+ mailer.TLSConfig = &tls.Config{ServerName: config.SMTPHost}
 }
 return &provider{
 config: config,
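Review bot: The new `else` branch builds its `tls.Config` with only `ServerName`, so the minimum protocol version is left to the Go runtime default and gosec's G402 check is likely to flag this line as well; pinning the floor makes the intent explicit: `mailer.TLSConfig = &tls.Config{ServerName: config.SMTPHost, MinVersion: tls.VersionTLS12}`. `ServerName` has to be a bare host name or IP address, so if `config.SMTPHost` can ever hold a `host:port` value (its validation is not visible here) certificate verification will fail and mail delivery will stop; a one-line comment stating the expected format would help. Hostname verification also protects the session only when TLS is actually negotiated, and whether the mailer requires STARTTLS or can fall back to plaintext is configured outside this hunk and worth confirming. The body of `New` starts and ends outside the hunk.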