()
| 352 | } |
| 353 | |
| 354 | func (s *SMTPHandler) tlsConfig() (*tls.Config, error) { |
| 355 | host, _, err := s.smarthost() |
| 356 | if err != nil { |
| 357 | return nil, err |
| 358 | } |
| 359 | |
| 360 | srvName := s.cfg.TLS.ServerName.String() |
| 361 | if srvName == "" { |
| 362 | srvName = host |
| 363 | } |
| 364 | |
| 365 | ca, err := s.loadCAFile() |
| 366 | if err != nil { |
| 367 | return nil, xerrors.Errorf("load CA: %w", err) |
| 368 | } |
| 369 | |
| 370 | var certs []tls.Certificate |
| 371 | cert, err := s.loadCertificate() |
| 372 | if err != nil { |
| 373 | return nil, xerrors.Errorf("load cert: %w", err) |
| 374 | } |
| 375 | |
| 376 | if cert != nil { |
| 377 | certs = append(certs, *cert) |
| 378 | } |
| 379 | |
| 380 | return &tls.Config{ |
| 381 | ServerName: srvName, |
| 382 | // nolint:gosec // Users may choose to enable this. |
| 383 | InsecureSkipVerify: s.cfg.TLS.InsecureSkipVerify.Value(), |
| 384 | |
| 385 | RootCAs: ca, |
| 386 | Certificates: certs, |
| 387 | ClientAuth: tls.RequireAndVerifyClientCert, |
| 388 | }, nil |
| 389 | } |
| 390 | |
| 391 | func (s *SMTPHandler) loadCAFile() (*x509.CertPool, error) { |
| 392 | if s.cfg.TLS.CAFile == "" { |
no test coverage detected