@ArnaudFra
Contributor

@ArnaudFra ArnaudFra commented Nov 22, 2025

Summary

Add support for bypassing TLS certificate verification when connecting to SMTP servers with self-signed certificates.

Problem

Current behavior fails with self-signed certificates:

level=ERROR msg="Magic Link request failed" error="tls: failed to verify certificate: x509: certificate signed by unknown authority"

Use Cases

  • Internal corporate mail servers on private networks (intranets)
  • Air-gapped/isolated infrastructure (military, finance, healthcare)
  • Development & testing (MailHog, local Postfix, CI/CD pipelines)
  • Legacy systems awaiting migration

Changes

Backend

  1. Configuration (config.go): Add InsecureSkipVerify field, load ACKIFY_MAIL_INSECURE_SKIP_VERIFY env var (default: false)
  2. Email Sender (sender.go): Configure tls.Config with InsecureSkipVerify for both SSL (465) and STARTTLS (587)

Documentation

  1. Environment files: Add ACKIFY_MAIL_INSECURE_SKIP_VERIFY with security warnings
  2. Configuration guides (EN/FR): Add variable, usage examples, and troubleshooting section

Security

/!\ Use ONLY for:

  • Internal networks with self-signed certificates
  • Air-gapped environments
  • Development/testing
  • Temporary migrations

NEVER use with internet-facing SMTP servers!

Safety:

  • Secure by default (false)
  • Explicit opt-in required
  • Documented warnings

Checklist

  • Code tested and compiles
  • Documentation updated (EN + FR)
  • Security warnings included
  • Backward compatible

Backward Compatibility

Fully compatible - no breaking changes


Pull Request: feat(mail): add the ACKIFY_MAIL_INSECURE_SKIP_VERIFY option

Summary

Add the ability to bypass TLS certificate verification when connecting to SMTP servers with self-signed certificates.

Problem

The current behavior fails with self-signed certificates:

level=ERROR msg="Magic Link request failed" error="tls: failed to verify certificate: x509: certificate signed by unknown authority"

Use cases

  • Internal corporate mail servers on private networks (intranets)
  • Isolated infrastructure (military, finance, healthcare)
  • Development and testing (MailHog, local Postfix, CI/CD pipelines)
  • Legacy systems awaiting migration

Changes

Backend

  1. Configuration (config.go): Add the InsecureSkipVerify field, load ACKIFY_MAIL_INSECURE_SKIP_VERIFY (default: false)
  2. Email sending (sender.go): Configure tls.Config with InsecureSkipVerify for SSL (465) and STARTTLS (587)

Documentation

  1. Environment files: Add ACKIFY_MAIL_INSECURE_SKIP_VERIFY with security warnings
  2. Configuration guides (EN/FR): Add the variable, usage examples, and a troubleshooting section

Security

/!\ Use ONLY for:

  • Internal networks with self-signed certificates
  • Isolated environments
  • Development/testing
  • Temporary migrations

NEVER with SMTP servers exposed to the Internet!

Guarantees:

  • Secure by default (false)
  • Explicit activation required
  • Documented warnings

Checklist

  • Code tested and compiles
  • Documentation updated (EN + FR)
  • Security warnings included
  • Backward compatible

Backward compatibility

Fully compatible - no breaking changes
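
The effect of the `InsecureSkipVerify` setting described above, shown next to a client that keeps verification on and trusts only the server's own self-signed certificate through `RootCAs`. This is an added example, not code from this pull request or the project: Go's `httptest` TLS server stands in for the SMTP endpoint, and `standIn`, `clientConfig`, `handshake` and the name `other.test` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http/httptest"
)

// standIn starts a loopback TLS listener in place of the SMTP server. It serves Go's
// built-in httptest certificate, which no system CA signs and which covers 127.0.0.1.
func standIn() (addr string, cert *x509.Certificate, stop func()) {
	srv := httptest.NewUnstartedServer(nil)
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // hide server-side handshake errors
	srv.StartTLS()
	return srv.Listener.Addr().String(), srv.Certificate(), srv.Close
}

// clientConfig is a hypothetical helper. skip mirrors ACKIFY_MAIL_INSECURE_SKIP_VERIFY=true;
// trusted, when set, keeps verification on and trusts exactly that one certificate.
func clientConfig(serverName string, skip bool, trusted *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12, InsecureSkipVerify: skip}
	if trusted != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(trusted)
	}
	return cfg
}

// handshake dials addr and returns the TLS handshake error, or nil if the server was accepted.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	addr, cert, stop := standIn()
	defer stop()
	fmt.Println("default verification:  ", handshake(addr, clientConfig("127.0.0.1", false, nil)))
	fmt.Println("skip verify:           ", handshake(addr, clientConfig("127.0.0.1", true, nil)))
	fmt.Println("skip, unrelated name:  ", handshake(addr, clientConfig("other.test", true, nil)))
	fmt.Println("pinned certificate:    ", handshake(addr, clientConfig("127.0.0.1", false, cert)))
	fmt.Println("pinned, unrelated name:", handshake(addr, clientConfig("other.test", false, cert)))
}
```

With `skip` set the handshake succeeds even for a name the certificate does not cover, while the pinned configuration accepts the same self-signed server and still rejects the mismatched name.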

Add ACKIFY_MAIL_INSECURE_SKIP_VERIFY environment variable to allow
bypassing TLS certificate verification for self-signed certificates.

This is useful for development/testing environments with self-signed
SMTP certificates while maintaining secure defaults (false by default).
@btouchard
Owner

Hello Arnaud,

Thank you for your contribution, the first one to the project, and it's a great job, clear with everything needed 👍
It's nice to see people getting involved.

@btouchard btouchard merged commit ec947af into btouchard:main Nov 22, 2025
4 checks passed