SMTP SSL Connection Error: Hostname Mismatch and Config Persistence in Docker

ilSaul

Environment:

Flarum Image: crazymax/flarum:latest
Mail Server: Mailcow (Postfix container)
Infrastructure: Docker Compose, containers sharing a dedicated bridge network.

Description of the Problem: I am experiencing a persistent SMTP connection failure caused by a hostname mismatch during the SSL handshake.

In my Docker environment, Flarum is configured to connect to the mail server using the internal Docker service name (e.g., mailcow-postfix-container). However, the mail server presents an SSL certificate issued for the actual public FQDN (e.g., mail.example.com).

Because the hostname used for the connection (mailcow-postfix-container) does not match the Common Name (CN) or Subject Alternative Name (SAN) on the certificate (mail.example.com), the Symfony Mailer component in Flarum rejects the connection with a certificate validation error.

Key Challenges:

Verification Bypass: I need to disable verify_peer_name or verify_peer to allow this mismatch, as the connection is happening over a secure internal Docker network.
Config Persistence: The crazymax/flarum image regenerates the config.php file from environment variables at every startup. Any manual edits to the config.php file to add stream options are overwritten upon container restart.
Port Restrictions: We are using port 587 (STARTTLS). Port 25 is blocked by the ISP, so we cannot fallback to an unencrypted internal connection.

Tests Performed:

Confirmed that SMTP credentials are correct.
Verified that the mail server is reachable via the internal Docker network.
Confirmed that the failure is specifically due to the SSL handshake failing the hostname identity check.

Requested Assistance: Is there a supported environment variable for this image to inject custom stream or ssl context options into the Flarum mail configuration?

I need a way to persistently set the following (or equivalent) so it survives container recreation: 'ssl' => ['verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true]

KBExit

ilSaul that docker image is not maintained or endorsed by Flarum. You'd need to put in the request to Crazymax's GitHub. This is an unofficial way of running Flarum, and you have every right to run it the way you want to. Just my 2 cents.
Support here is pertaining to Flarum and it's extensions. Another avenue of support would also be contacting Mailcow Support, but they will probably have the same argument that you're running Mailcow outside of the official scope and suggest you contact Crazymax.

ilSaul

Thank you for your feedback. I understand that the Docker image is not officially maintained by the Flarum team and I will certainly reach out to the maintainer.

However, my question pertains to the core functionality of Flarum's mail system itself. Regardless of the deployment method (Docker or bare-metal), I need to understand if Flarum provides a native way to configure the SMTP transport to accept certificates without validation (e.g., disabling verify_peer and verify_peer_name).

In a standard, non-Docker installation, where and how would one officially inject custom stream options into the Symfony Mailer / SwiftMailer configuration in Flarum? Is there a hidden setting in the database or a specific extension point in extend.php to handle such SMTP transport requirements?

KBExit

ilSaul I need to understand if Flarum provides a native way to configure the SMTP transport to accept certificates without validation (e.g., disabling verify_peer and verify_peer_name).

These are not options in Flarum.

ilSaul In a standard, non-Docker installation, where and how would one officially inject custom stream options into the Symfony Mailer / SwiftMailer configuration in Flarum? Is there a hidden

If it's not in the admin dashboard of Flarum, it's not standard Flarum. As mentioned, please reach out to the docker maintainer since none of which what you're talking about is standard Flarum.

GreXXL

ilSaul there have been similar discussions on this previously - see: Add the ability to configure allow self signed for tls smtp mail - Flarum Community

KBExit

GreXXL if he were to write changes to extend.php, wouldn't a docker image update overwrite what's in the extend.php file every time?
So they would have to remember to update the file every time, adding an extra step?

Ghost_chu

I also have same issue, the Mailcow use self-signed certifcate. I've tried add something in extend.php but actually all of them didn't work because they never passthrough to inside instance since Flarum built them self instance.

The only way is hack the flarum/core SMTP driver file both on v1.x and v2.x, here is example on v1.x:

# cat patches/flarum/core/src/Mail/SmtpDriver.php 
<?php

/*
 * This file is part of Flarum.
 *
 * For detailed copyright and license information, please view the
 * LICENSE file that was distributed with this source code.
 */

namespace Flarum\Mail;

use Flarum\Settings\SettingsRepositoryInterface;
use Illuminate\Contracts\Validation\Factory;
use Illuminate\Support\MessageBag;
use Swift_SmtpTransport;
use Swift_Transport;

class SmtpDriver implements DriverInterface
{
    use ValidatesMailSettings;

    public function availableSettings(): array
    {
        return [
            'mail_host' => '', // a hostname, IPv4 address or IPv6 wrapped in []
            'mail_port' => '', // a number, defaults to 25
            'mail_encryption' => '', // "tls" or "ssl"
            'mail_username' => '',
            'mail_password' => '',
        ];
    }

    public function validate(SettingsRepositoryInterface $settings, Factory $validator): MessageBag
    {
        return $validator->make($settings->all(), [
            'mail_host' => ['required', $this->noWhitespace()],
            'mail_port' => ['nullable', 'integer', $this->noWhitespace()],
            'mail_encryption' => 'nullable|in:tls,ssl,TLS,SSL',
            'mail_username' => ['nullable', 'string', $this->noWhitespace()],
            'mail_password' => ['nullable', 'string', $this->noWhitespace()],
        ])->errors();
    }

    public function canSend(): bool
    {
        return true;
    }

    public function buildTransport(SettingsRepositoryInterface $settings): Swift_Transport
    {
        $transport = new Swift_SmtpTransport(
            $settings->get('mail_host'),
            $settings->get('mail_port'),
            $settings->get('mail_encryption') // <-- This actually DIDN'T WORK if you want disable encryption, it ALWAYS use STARTTLS or something like that when available (even encryption is null)! 
        );

        $transport->setUsername($settings->get('mail_username'));
        $transport->setPassword($settings->get('mail_password'));
        $transport->setStreamOptions([ // Hack start
            'ssl' => [
                'allow_self_signed' => true,
                'verify_peer' => false,
                'verify_peer_name' => false,
            ],
        ]); // Hack end

        return $transport;
    }
}

@GreXXL The Flarum team really should address this issue, at the very least by providing a switch in config.php so I don't have to modify core files every single time.

GreXXL

Ghost_chu please open up aProposals so it does not get missed. If there is a high enough demand we will consider adding this.

Ghost_chu

GreXXL
I‘ve open a proposal at https://discuss.flarum.org/d/38897 , Thank you for your suggestions and response ♥️

For those who come across this post later, please consider voting for this proposal and ultimately bringing it to Flarum 🙂