feat(mail): add SMTP encryption support

gemmadlou · gemmadlou · commit c16c513da01d · 2026-03-22T01:27:16.000+01:00
diff --git a/.env.example b/.env.example
@@ -12,4 +12,7 @@ MAIL_FROM=noreply@yourdomain.com
 # SMTP_HOST=
 # SMTP_PORT=587
 # SMTP_USER=
-# SMTP_PASS=
+# SMTP_PASS=
+# SMTP_ENCRYPTION: unset = auto (port 465 &rarr; tls/SMTPS, other ports &rarr; starttls).
+#   starttls | tls | none &mdash; use none only for local mail sinks (e.g. Mailpit), not production.
+# SMTP_ENCRYPTION=
diff --git a/src/app/config.rs b/src/app/config.rs
@@ -29,6 +29,9 @@ pub struct Config {
 
     /// SMTP password. Optional for some servers.
     pub smtp_pass: Option<String>,
+
+    /// SMTP encryption: `starttls`, `tls`, or `none`. Unset uses auto (465 &rarr; tls, else starttls).
+    pub smtp_encryption: Option<String>,
 }
 
 impl Config {
@@ -54,6 +57,7 @@ impl Config {
             .map_err(|_| "SMTP_PORT must be a valid port number")?;
         let smtp_user = std::env::var("SMTP_USER").ok();
         let smtp_pass = std::env::var("SMTP_PASS").ok();
+        let smtp_encryption = std::env::var("SMTP_ENCRYPTION").ok();
 
         Ok(Self {
             database_url,
@@ -64,6 +68,7 @@ impl Config {
             smtp_port,
             smtp_user,
             smtp_pass,
+            smtp_encryption,
         })
     }
 
@@ -83,6 +88,7 @@ impl Config {
             smtp_port: 587,
             smtp_user: None,
             smtp_pass: None,
+            smtp_encryption: None,
         }
     }
 }
diff --git a/src/app/mail/mod.rs b/src/app/mail/mod.rs
@@ -50,7 +50,7 @@ pub enum EmailError {
 
 // Re-export implementations
 pub use console::ConsoleMailer;
-pub use smtp::SmtpMailer;
+pub use smtp::{SmtpEncryption, SmtpMailer};
 
 mod console;
 mod smtp;
@@ -65,12 +65,15 @@ pub fn from_config(config: &crate::app::config::Config) -> Result<Arc<dyn EmailS
                 .clone()
                 .ok_or_else(|| EmailError::Config("SMTP_HOST is required for SMTP adapter".to_string()))?;
 
+            let encryption = SmtpEncryption::resolve(config.smtp_encryption.as_deref(), config.smtp_port)?;
+
             Ok(Arc::new(SmtpMailer::new(
                 host,
                 config.smtp_port,
                 config.smtp_user.clone(),
                 config.smtp_pass.clone(),
                 config.mail_from.clone(),
+                encryption,
             )?))
         }
         _ => Err(EmailError::Config(format!(
diff --git a/src/app/mail/smtp.rs b/src/app/mail/smtp.rs
@@ -7,6 +7,64 @@ use lettre::{
 
 use super::{EmailError, EmailMessage, EmailSender};
 
+/// How to encrypt the connection to the SMTP server.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SmtpEncryption {
+    /// STARTTLS after plain connect (typical port 587).
+    StartTls,
+    /// Implicit TLS / SMTPS (typical port 465).
+    Tls,
+    /// Cleartext only &mdash; for local tools (e.g. Mailpit). Not for production.
+    None,
+}
+
+impl SmtpEncryption {
+    /// Resolve from optional `SMTP_ENCRYPTION` value and port.
+    /// When `override_` is `None` or empty: port 465 &rarr; `Tls`, otherwise `StartTls`.
+    pub fn resolve(override_: Option<&str>, port: u16) -> Result<Self, EmailError> {
+        match override_.map(str::trim).filter(|s| !s.is_empty()) {
+            None => Ok(if port == 465 { Self::Tls } else { Self::StartTls }),
+            Some("starttls") => Ok(Self::StartTls),
+            Some("tls") => Ok(Self::Tls),
+            Some("none") => Ok(Self::None),
+            Some(other) => Err(EmailError::Config(format!(
+                "Invalid SMTP_ENCRYPTION: expected starttls, tls, or none, got {:?}",
+                other
+            ))),
+        }
+    }
+}
+
+fn build_transport(
+    host: &str,
+    port: u16,
+    user: Option<String>,
+    pass: Option<String>,
+    encryption: SmtpEncryption,
+) -> Result<AsyncSmtpTransport<Tokio1Executor>, EmailError> {
+    let mut builder = match encryption {
+        SmtpEncryption::StartTls => AsyncSmtpTransport::<Tokio1Executor>::starttls_relay(host)
+            .map_err(|e| EmailError::Config(format!("SMTP STARTTLS relay: {}", e)))?,
+        SmtpEncryption::Tls => AsyncSmtpTransport::<Tokio1Executor>::relay(host)
+            .map_err(|e| EmailError::Config(format!("SMTP TLS relay: {}", e)))?,
+        SmtpEncryption::None => {
+            tracing::warn!(
+                "SMTP_ENCRYPTION=none: using cleartext SMTP without TLS (not for production)"
+            );
+            AsyncSmtpTransport::<Tokio1Executor>::builder_dangerous(host)
+        }
+    };
+
+    builder = builder.port(port);
+
+    if let (Some(user), Some(pass)) = (user, pass) {
+        let creds = Credentials::new(user, pass);
+        builder = builder.credentials(creds);
+    }
+
+    Ok(builder.build())
+}
+
 /// SMTP email sender for production use.
 #[derive(Debug)]
 pub struct SmtpMailer {
@@ -23,23 +81,16 @@ impl SmtpMailer {
     /// * `user` - SMTP username (optional for some servers)
     /// * `pass` - SMTP password (optional for some servers)
     /// * `from` - Default from address
+    /// * `encryption` - TLS mode (see [`SmtpEncryption::resolve`])
     pub fn new(
         host: String,
         port: u16,
         user: Option<String>,
         pass: Option<String>,
         from: String,
+        encryption: SmtpEncryption,
     ) -> Result<Self, EmailError> {
-        let mut transport = AsyncSmtpTransport::<Tokio1Executor>::builder_dangerous(&host)
-            .port(port);
-
-        // Add authentication if provided
-        if let (Some(user), Some(pass)) = (user, pass) {
-            let creds = Credentials::new(user, pass);
-            transport = transport.credentials(creds);
-        }
-
-        let transport = transport.build();
+        let transport = build_transport(&host, port, user, pass, encryption)?;
 
         Ok(Self { transport, from })
     }
@@ -68,4 +119,62 @@ impl EmailSender for SmtpMailer {
 
         Ok(())
     }
-}
+}
+
+#[cfg(test)]
+mod tests {
+    use super::SmtpEncryption;
+
+    #[test]
+    fn resolve_auto_465_is_tls() {
+        assert_eq!(
+            SmtpEncryption::resolve(None, 465).unwrap(),
+            SmtpEncryption::Tls
+        );
+    }
+
+    #[test]
+    fn resolve_auto_587_is_starttls() {
+        assert_eq!(
+            SmtpEncryption::resolve(None, 587).unwrap(),
+            SmtpEncryption::StartTls
+        );
+    }
+
+    #[test]
+    fn resolve_explicit_starttls_on_465() {
+        assert_eq!(
+            SmtpEncryption::resolve(Some("starttls"), 465).unwrap(),
+            SmtpEncryption::StartTls
+        );
+    }
+
+    #[test]
+    fn resolve_explicit_tls_on_587() {
+        assert_eq!(
+            SmtpEncryption::resolve(Some("tls"), 587).unwrap(),
+            SmtpEncryption::Tls
+        );
+    }
+
+    #[test]
+    fn resolve_explicit_none() {
+        assert_eq!(
+            SmtpEncryption::resolve(Some("none"), 1025).unwrap(),
+            SmtpEncryption::None
+        );
+    }
+
+    #[test]
+    fn resolve_empty_string_uses_auto() {
+        assert_eq!(
+            SmtpEncryption::resolve(Some(""), 2525).unwrap(),
+            SmtpEncryption::StartTls
+        );
+    }
+
+    #[test]
+    fn resolve_invalid_returns_err() {
+        assert!(SmtpEncryption::resolve(Some("wss"), 587).is_err());
+    }
+}
diff --git a/src/lib.rs b/src/lib.rs
@@ -7,10 +7,21 @@ use std::path::PathBuf;
 use axum::Router;
 use tower_http::services::ServeDir;
 
+/// Root directory containing `js/` and `css/` (same layout as repo `public/`).
+/// Set `BOARDTASK_PUBLIC_DIR` when the binary runs without the compile-time crate path
+/// (e.g. container with only `public/` deployed beside the binary).
+fn static_public_root() -> PathBuf {
+    std::env::var_os("BOARDTASK_PUBLIC_DIR")
+        .map(PathBuf::from)
+        .filter(|p| !p.as_os_str().is_empty())
+        .unwrap_or_else(|| PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("public"))
+}
+
 /// Build the full application router. Used by main and by integration tests.
 pub fn create_router(state: app::AppState) -> Router {
-    let public_js = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("public/js");
-    let public_css = PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("public/css");
+    let root = static_public_root();
+    let public_js = root.join("js");
+    let public_css = root.join("css");
 
     Router::new()
         .nest_service("/js", ServeDir::new(public_js))
diff --git a/tests/static_assets.rs b/tests/static_assets.rs
@@ -35,6 +35,11 @@ async fn get_js_app_js_returns_javascript_not_html_404() {
         "Expected JavaScript body, got: {:?}",
         prefix.chars().take(120).collect::<String>()
     );
+    let s = String::from_utf8_lossy(&body);
+    assert!(
+        s.contains("Alpine.data('projectKanban'"),
+        "Served app.js must register projectKanban (Kanban x-data); missing registration causes Alpine ReferenceError"
+    );
 }
 
 #[tokio::test]

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,9 @@ pub struct Config {`
`29`	`29`
`30`	`30`	`/// SMTP password. Optional for some servers.`
`31`	`31`	`pub smtp_pass: Option<String>,`
	`32`	`+`
	`33`	+ /// SMTP encryption: `starttls`, `tls`, or `none`. Unset uses auto (465 → tls, else starttls).
	`34`	`+ pub smtp_encryption: Option<String>,`
`32`	`35`	`}`
`33`	`36`
`34`	`37`	`impl Config {`
`@@ -54,6 +57,7 @@ impl Config {`
`54`	`57`	`.map_err(\|_\| "SMTP_PORT must be a valid port number")?;`
`55`	`58`	`let smtp_user = std::env::var("SMTP_USER").ok();`
`56`	`59`	`let smtp_pass = std::env::var("SMTP_PASS").ok();`
	`60`	`+ let smtp_encryption = std::env::var("SMTP_ENCRYPTION").ok();`
`57`	`61`
`58`	`62`	`Ok(Self {`
`59`	`63`	`database_url,`
`@@ -64,6 +68,7 @@ impl Config {`
`64`	`68`	`smtp_port,`
`65`	`69`	`smtp_user,`
`66`	`70`	`smtp_pass,`
	`71`	`+ smtp_encryption,`
`67`	`72`	`})`
`68`	`73`	`}`
`69`	`74`
`@@ -83,6 +88,7 @@ impl Config {`
`83`	`88`	`smtp_port: 587,`
`84`	`89`	`smtp_user: None,`
`85`	`90`	`smtp_pass: None,`
	`91`	`+ smtp_encryption: None,`
`86`	`92`	`}`
`87`	`93`	`}`
`88`	`94`	`}`