From 63effc3887983a4e00754bdcfddbadeb5f4cfbe2 Mon Sep 17 00:00:00 2001
From: Lisa Marie Maginnis <me@lisamarie.pro>
Date: Fri, 13 Mar 2026 16:14:04 +0100
Subject: [PATCH] Added two new configuration options for SMTP: "starttls" and
 "allowInsecure".

smtp.starttls will enable or disable STARTTLS
when "secure" is set to false (otherwise it does nothing).

smtp.allowInsecure will allow self-signed certificates if
set to true for both smtp.secure and smtp.starttls options.
---
 .../types/subconfigurations/email/SMTP.ts     |  2 +
 .../util/email/clients/SMTPEmailClient.ts     | 41 ++++++++++---------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/src/util/config/types/subconfigurations/email/SMTP.ts b/src/util/config/types/subconfigurations/email/SMTP.ts
index 85c286a37..cf81aec92 100644
--- a/src/util/config/types/subconfigurations/email/SMTP.ts
+++ b/src/util/config/types/subconfigurations/email/SMTP.ts
@@ -20,6 +20,8 @@ export class SMTPConfiguration {
     host: string | null = null;
     port: number | null = null;
     secure: boolean | null = null;
+    starttls: boolean = false;
+    allowInsecure: boolean = false;
     username: string | null = null;
     password: string | null = null;
 }
diff --git a/src/util/util/email/clients/SMTPEmailClient.ts b/src/util/util/email/clients/SMTPEmailClient.ts
index 5c469e0fe..278a41980 100644
--- a/src/util/util/email/clients/SMTPEmailClient.ts
+++ b/src/util/util/email/clients/SMTPEmailClient.ts
@@ -34,7 +34,7 @@ export class SMTPEmailClient extends BaseEmailClient {
             return;
         }
         // get configuration
-        const { host, port, secure, username, password } = Config.get().email.smtp;
+        const { host, port, secure, starttls, allowInsecure, username, password } = Config.get().email.smtp;
 
         // ensure all required configuration values are set
         if (!host || !port || secure === null) return console.error("[Email] SMTP has not been configured correctly.");
@@ -45,24 +45,27 @@ export class SMTPEmailClient extends BaseEmailClient {
             );
 
         /* Allow for SMTP relays with and without username/passwords (IE: Smarthosts/Local Relays, etc) */
-        let nodemailer_opts: unknown;
-        if(!username || !password) {
-            nodemailer_opts = {
-                host,
-                port,
-                secure,
-            };
-        } else {
-            nodemailer_opts = {
-                host,
-                port,
-                secure,
-                auth: {
-                    user: username,
-                    pass: password,
-                },
-            };
-        }
+        const nodemailer_opts = {
+            host: host,
+            port: port,
+            secure: secure,
+            ...(starttls ? { requireTLS: true } : { ignoreTLS: true }),
+            ...(allowInsecure
+                ? {
+                      tls: {
+                          rejectUnauthorized: false,
+                      },
+                  }
+                : {}),
+            ...(username && password
+                ? {
+                      auth: {
+                          user: username,
+                          pass: password,
+                      },
+                  }
+                : {}),
+        };
 
         // construct the transporter
         // eslint-disable-next-line @typescript-eslint/ban-ts-comment