feat: allow anonymous smtp authentication (#1204)

Introduces the ability to use anonymous SMTP authentication where no username or password is provided.

Also introduces a new flag to disable TLS avoiding cases also where STARTTLS is used despite `secure` being
set to `false`

.env.example

@@ -78,6 +78,8 @@ NEXT_PRIVATE_SMTP_APIKEY_USER=
 NEXT_PRIVATE_SMTP_APIKEY=
 # OPTIONAL: Defines whether to force the use of TLS.
 NEXT_PRIVATE_SMTP_SECURE=
+# OPTIONAL: if this is true and NEXT_PRIVATE_SMTP_SECURE is false then TLS is not used even if the server supports STARTTLS extension
+NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS=
 # REQUIRED: Defines the sender name to use for the from address.
 NEXT_PRIVATE_SMTP_FROM_NAME="Documenso"
 # REQUIRED: Defines the email address to use as the from address.

docker/README.md

@@ -128,6 +128,7 @@ Here's a markdown table documenting all the provided environment variables:
 | `NEXT_PRIVATE_SMTP_APIKEY_USER`              | The API key user for the SMTP server for the `smtp-api` transport.                                  |
 | `NEXT_PRIVATE_SMTP_APIKEY`                   | The API key for the SMTP server for the `smtp-api` transport.                                       |
 | `NEXT_PRIVATE_SMTP_SECURE`                   | Whether to force the use of TLS for the SMTP server for SMTP transports.                            |
+| `NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS`        | If true, then no TLS will be used (even if STARTTLS is supported)                                   |
 | `NEXT_PRIVATE_SMTP_FROM_ADDRESS`             | The email address for the "from" address.                                                           |
 | `NEXT_PRIVATE_SMTP_FROM_NAME`                | The sender name for the "from" address.                                                             |
 | `NEXT_PRIVATE_RESEND_API_KEY`                | The API key for Resend.com for the `resend` transport.                                              |

packages/email/mailer.ts

@@ -46,10 +46,13 @@ const getTransport = () => {
     host: process.env.NEXT_PRIVATE_SMTP_HOST ?? 'localhost:2500',
     port: Number(process.env.NEXT_PRIVATE_SMTP_PORT) || 587,
     secure: process.env.NEXT_PRIVATE_SMTP_SECURE === 'true',
-    auth: {
+    ignoreTLS: process.env.NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS === 'true',
-      user: process.env.NEXT_PRIVATE_SMTP_USERNAME ?? '',
+    auth: process.env.NEXT_PRIVATE_SMTP_USERNAME
-      pass: process.env.NEXT_PRIVATE_SMTP_PASSWORD ?? '',
+      ? {
-    },
+          user: process.env.NEXT_PRIVATE_SMTP_USERNAME,
+          pass: process.env.NEXT_PRIVATE_SMTP_PASSWORD ?? '',
+        }
+      : undefined,
   });
 };
 

packages/lib/server-only/auth/send-confirmation-email.ts

@@ -38,7 +38,7 @@ export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailPro
   const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
   const confirmationLink = `${assetBaseUrl}/verify-email/${verificationToken.token}`;
   const senderName = NEXT_PRIVATE_SMTP_FROM_NAME || 'Documenso';
-  const senderAdress = NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com';
+  const senderAddress = NEXT_PRIVATE_SMTP_FROM_ADDRESS || 'noreply@documenso.com';
 
   const confirmationTemplate = createElement(ConfirmEmailTemplate, {
     assetBaseUrl,
@@ -52,7 +52,7 @@ export const sendConfirmationEmail = async ({ userId }: SendConfirmationEmailPro
     },
     from: {
       name: senderName,
-      address: senderAdress,
+      address: senderAddress,
     },
     subject: 'Please confirm your email',
     html: render(confirmationTemplate),

packages/tsconfig/process-env.d.ts

@@ -59,6 +59,7 @@ declare namespace NodeJS {
     NEXT_PRIVATE_SMTP_APIKEY?: string;
 
     NEXT_PRIVATE_SMTP_SECURE?: string;
+    NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS?: string;
 
     NEXT_PRIVATE_SMTP_FROM_NAME?: string;
     NEXT_PRIVATE_SMTP_FROM_ADDRESS?: string;

turbo.json

@@ -12,9 +12,12 @@
       ]
     },
     "prebuild": {
-      "cache": false,
       "dependsOn": [
         "^prebuild"
+      ],
+      "outputs": [
+        ".next/**",
+        "!.next/cache/**"
       ]
     },
     "lint": {
@@ -109,6 +112,7 @@
     "NEXT_PRIVATE_SMTP_APIKEY_USER",
     "NEXT_PRIVATE_SMTP_APIKEY",
     "NEXT_PRIVATE_SMTP_SECURE",
+    "NEXT_PRIVATE_SMTP_UNSAFE_IGNORE_TLS",
     "NEXT_PRIVATE_SMTP_FROM_NAME",
     "NEXT_PRIVATE_SMTP_FROM_ADDRESS",
     "NEXT_PRIVATE_STRIPE_API_KEY",
@@ -137,4 +141,4 @@
     "E2E_TEST_AUTHENTICATE_USER_EMAIL",
     "E2E_TEST_AUTHENTICATE_USER_PASSWORD"
   ]
-}
+}