Update Swoosh TLS configuration for OTP26+

rorymckinley · stuartc · commit 4634d08aef7c · 2026-04-10T07:46:28.000+02:00
- swoosh/swoosh#785
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,6 +28,12 @@ and this project adheres to
 
 ### Fixed
 
+- Since OTP26, if `SMTP_PROVIDER` is set to `smtp` and `SMTP_TLS` is set to
+  `true` or `if_available` this would result in TLS-related failures when trying
+  to send emails. This is now fixed for a limited number of use cases (see
+  (DEPLOYMENT.md)[https://github.com/OpenFn/lightning/blob/main/DEPLOYMENT.md#mail]
+  for details). [#4602](https://github.com/OpenFn/lightning/issues/4602)
+
 ## [2.16.1] - 2026-04-07
 
 ## [2.16.1-pre1] - 2026-04-04
diff --git a/DEPLOYMENT.md b/DEPLOYMENT.md
@@ -142,6 +142,16 @@ variable to one of the following:
 You will also want to set the `EMAIL_ADMIN` environment variable to the email
 address that will be used as the sender for system emails.
 
+If you are planning on using the `smtp` provider, with `TLS` enabled, the
+current implementation has the following contraints:
+
+- Only TLS 1.3 is supported.
+- For the purposes of Server Name Indication (SNI), the hostname provided as the
+  `SMTP_RELAY` is used. This means that the `SMTP_RELAY` value must be present
+  in a SAN `dNSName` on the cert. Practically, this means that TLS is unlikely
+  to work if an IP address, or an internal-only hostname is provided as the
+  `SMTP_RELAY` value.
+
 #### Mailgun
 
 For mailgun, the following environment variables are required:
diff --git a/lib/lightning/config/bootstrap.ex b/lib/lightning/config/bootstrap.ex
@@ -389,6 +389,16 @@ defmodule Lightning.Config.Bootstrap do
               end,
               :always
             ),
+          tls_options: [
+            versions: [:"tlsv1.3"],
+            verify: :verify_peer,
+            cacerts: :public_key.cacerts_get(),
+            server_name_indication: env!("SMTP_RELAY", :string) |> to_charlist(),
+            depth: 5,
+            customize_hostname_check: [
+              match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+            ]
+          ],
           port: env!("SMTP_PORT", :integer, 587)
 
       unknown ->
diff --git a/test/lightning/config/bootstrap_test.exs b/test/lightning/config/bootstrap_test.exs
@@ -411,6 +411,16 @@ defmodule Lightning.Config.BootstrapTest do
                password: "bar",
                relay: "baz",
                tls: :always,
+               tls_options: [
+                 versions: [:"tlsv1.3"],
+                 verify: :verify_peer,
+                 cacerts: :public_key.cacerts_get(),
+                 server_name_indication: to_charlist("baz"),
+                 depth: 5,
+                 customize_hostname_check: [
+                   match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
+                 ]
+               ],
                port: 587
              ]
     end
