From 885129d6508eefcb18255444d550e491c3d97694 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Thu, 23 Apr 2026 09:16:33 +0200 Subject: [PATCH 1/4] contrib/telegram: add note for dhcpv6-client-lease --- contrib/telegram.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/contrib/telegram.md b/contrib/telegram.md index f84d6dc3..192fd6cb 100644 --- a/contrib/telegram.md +++ b/contrib/telegram.md @@ -95,6 +95,10 @@ Notes /save dhcpv4-server-lease Run other scripts on IPv4 DHCP server lease with [dhcpv4-server-lease](https://rsc.eworm.de/doc/dhcpv4-server-lease.md). +#### dhcpv6-client-lease + + /save dhcpv6-client-lease Run other scripts on IPv6 DHCP client lease with [dhcpv6-client-lease](https://rsc.eworm.de/doc/dhcpv6-client-lease.md). + #### firmware-upgrade-reboot /save firmware-upgrade-reboot Automatically upgrade firmware and reboot with [firmware-upgrade-reboot](https://rsc.eworm.de/doc/firmware-upgrade-reboot.md). From f69925e5372bfc01d9cd5964e4b756dee989dfa6 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 22 Apr 2026 10:03:45 +0200 Subject: [PATCH 2/4] global-functions: $CertificateAvailable: warn on undefined intended use --- global-functions.rsc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/global-functions.rsc b/global-functions.rsc index dab203d0..de991817 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -111,11 +111,13 @@ :local UseFor [ :tostr $2 ]; :global CertificateDownload; - :global EitherOr; :global LogPrint; :global ParseKeyValueStore; - :set UseFor [ $EitherOr $UseFor "undefined" ]; + :if ([ :len $UseFor ] = 0) do={ + $LogPrint warning $0 ("The intended use is undefined!"); + :set UseFor "undefined"; + } :if ([ /system/resource/get free-hdd-space ] < 8388608 && \ [ /certificate/settings/get crl-download ] = true && \ From f5dbc27a01f5068e30403333a44c9ac8c9418dc8 Mon Sep 17 00:00:00 2001 
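Review bot: The new warning in `$CertificateAvailable` (global-functions.rsc, hunk at line 111) does not say which certificate was requested, so the log entry "The intended use is undefined!" does not identify the caller that omitted the second argument. If the function keeps the requested common name in a local (its declaration is outside the hunk, so this is an assumption), include it: `$LogPrint warning $0 ("The intended use for certificate '" . $CommonName . "' is undefined!");`. The hunk also drops `:global EitherOr;`, and the function body continues past the hunk, so confirm that no `$EitherOr` call remains there, since the name would then be undeclared in this scope.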
From: Christian Hesse Date: Wed, 22 Apr 2026 09:36:45 +0200 Subject: [PATCH 3/4] global-functions: $CertificateDownload: extend the check for builtin certificates --- global-functions.rsc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/global-functions.rsc b/global-functions.rsc index de991817..81f49f7d 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -191,7 +191,12 @@ $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . \ "' from repository! Trying fallback to mkcert.org..."); :do { - :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0) do={ + :local CertSettings [ /certificate/settings/get ]; + :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0 && \ + !((($CertSettings->"builtin-trust-anchors") = "trusted" || \ + ($CertSettings->"builtin-trust-store") ~ "fetch" || \ + ($CertSettings->"builtin-trust-store") = "all") && \ + [ :len [ /certificate/builtin/find where common-name="ISRG Root X1" ] ] > 0)) do={ $LogPrint error $0 ("Required certificate is not available."); :return false; } From 1f460b5bae90a3bab69a83a408782b7b46df0bc5 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 22 Apr 2026 11:04:57 +0200 Subject: [PATCH 4/4] mod/notification-email: add setting for certificate verification --- doc/mod/notification-email.md | 4 +++- global-config.rsc | 2 ++ global-functions.rsc | 2 +- mod/notification-email.rsc | 10 ++++++++++ news-and-changes.rsc | 1 + 5 files changed, 17 insertions(+), 2 deletions(-) diff --git a/doc/mod/notification-email.md b/doc/mod/notification-email.md index c45e917c..cae7c94b 100644 --- a/doc/mod/notification-email.md +++ b/doc/mod/notification-email.md 
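Review bot: The extended condition in the mkcert.org fallback of `$CertificateDownload` (global-functions.rsc, hunk at line 191) packs the store lookup, three settings comparisons and the builtin lookup into one negated expression, with no comment on what it guards. A comment above the `:if` would help, for example `# fallback needs ISRG Root X1: imported into the store, or present as builtin with the builtin trust settings enabled`. The settings test would also read more easily if it were first assigned to a named local such as `BuiltinTrusted`. Note that `~ "fetch"` is an unanchored match, so any `builtin-trust-store` value containing that substring passes; if only specific values are meant, the comment should list them. The enclosing `:do` block and the download it protects are outside the hunk.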
@@ -37,7 +37,9 @@ Also make sure the device has correct time configured, best is to set up the ntp client. Then edit `global-config-overlay`, add `EmailGeneralTo` with a valid -recipient address. Finally reload the configuration. +recipient address. Optionally add `EmailServerCertificate` and add the CA +certificate name if you have certificate verification enabled. Finally +reload the configuration. > ℹ️ **Info**: Copy relevant configuration from > [`global-config`](../../global-config.rsc) (the one without `-overlay`) to diff --git a/global-config.rsc b/global-config.rsc index 1425764c..12c85916 100644 --- a/global-config.rsc +++ b/global-config.rsc @@ -31,6 +31,8 @@ :global EmailGeneralCc ""; #:global EmailGeneralTo "mail@example.com"; #:global EmailGeneralCc "another@example.com,third@example.com"; +# Add the CA certificate name here for verification. +:global EmailServerCertificate ""; # You can send Telegram notifications. Register a bot # and add the token and chat ids here, then install the module: diff --git a/global-functions.rsc b/global-functions.rsc index 81f49f7d..413517f3 100644 --- a/global-functions.rsc +++ b/global-functions.rsc @@ -15,7 +15,7 @@ # Git commit id & info, expected configuration version :global CommitId "unknown"; :global CommitInfo "unknown"; -:global ExpectedConfigVersion 141; +:global ExpectedConfigVersion 142; # global variables not to be changed by user :global GlobalFunctionsReady false; diff --git a/mod/notification-email.rsc b/mod/notification-email.rsc index b0ac77ac..b6288821 100644 --- a/mod/notification-email.rsc +++ b/mod/notification-email.rsc @@ -37,7 +37,9 @@ # flush e-mail queue :set FlushEmailQueue do={ :onerror Err { :global EmailQueue; + :global EmailServerCertificate; + :global CertificateAvailable; :global EitherOr; :global EMailGenerateFrom; :global FileExists; 
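Review bot: In the global-config.rsc hunk, the comment `# Add the CA certificate name here for verification.` leaves open which name is meant and reads as if filling it in turns verification on. In the mod/notification-email.rsc hunk the value is passed to `$CertificateAvailable`, and only when `certificate-verification` in `/tool/e-mail` starts with `yes`; an empty value skips the check. A wording such as `# Name of the CA certificate to make available before sending; used only if certificate verification is enabled in /tool/e-mail.` would state that. Whether the name is the certificate's common name is not visible here and should be spelled out by the author.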
@@ -90,6 +92,14 @@ :return false; } + :if (([ /tool/e-mail/get ]->"certificate-verification") ~ "^yes" && \ + [ :len $EmailServerCertificate ] > 0) do={ + :if ([ $CertificateAvailable $EmailServerCertificate "email" ] = false) do={ + $LogPrint warning $0 ("Downloading required certificate failed."); + :return false; + } + } + /system/scheduler/set interval=($QueueLen . "m") comment="Sending..." \ [ find where name="_FlushEmailQueue" ]; diff --git a/news-and-changes.rsc b/news-and-changes.rsc index 109244ea..2c1a0272 100644 --- a/news-and-changes.rsc +++ b/news-and-changes.rsc @@ -66,6 +66,7 @@ 139="Certificate Authorities will reduce the leaf certificate validity times soon. Thus the defaults for renewal and warning in 'check-certificates' were decreased."; 140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically."; 141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease."; + 142="Added a setting for 'mod/notification-email' to check availability of certificate chain."; }; # Migration steps to be applied on script updates
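Review bot: In the `FlushEmailQueue` hunk of mod/notification-email.rsc, a non-empty `EmailServerCertificate` combined with `certificate-verification` switched off skips the new block without a trace. Mail is then sent with the server certificate unverified, while the configuration looks as if the CA were being checked. A warning for that combination makes the gap visible: `:if ([ :len $EmailServerCertificate ] > 0 && !(([ /tool/e-mail/get ]->"certificate-verification") ~ "^yes")) do={ $LogPrint warning $0 ("EmailServerCertificate is set, but certificate verification is disabled."); }`. The failure message could also name the certificate: `("Downloading required certificate '" . $EmailServerCertificate . "' failed.")`. The body of `FlushEmailQueue` starts and ends outside the hunk.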