mod/notification-email: add setting for certificate verification

global-functions: $CertificateDownload: extend the check for builtin certificates
global-functions: $CertificateAvailable: warn on undefined intended use
2026-06-28 21:42:49 +00:00 · 2026-04-23 09:17:42 +02:00 · 2026-04-23 09:17:42 +02:00 · 2026-04-23 09:17:42 +02:00 · 2026-04-23 09:17:42 +02:00
6 changed files with 31 additions and 5 deletions
--- a/contrib/telegram.md
+++ b/contrib/telegram.md
@ -95,6 +95,10 @@ Notes

    /save dhcpv4-server-lease Run other scripts on IPv4 DHCP server lease with [dhcpv4-server-lease](https://rsc.eworm.de/doc/dhcpv4-server-lease.md).

+#### dhcpv6-client-lease
+
+    /save dhcpv6-client-lease Run other scripts on IPv6 DHCP client lease with [dhcpv6-client-lease](https://rsc.eworm.de/doc/dhcpv6-client-lease.md).
+
 #### firmware-upgrade-reboot

    /save firmware-upgrade-reboot Automatically upgrade firmware and reboot with [firmware-upgrade-reboot](https://rsc.eworm.de/doc/firmware-upgrade-reboot.md).
--- a/doc/mod/notification-email.md
+++ b/doc/mod/notification-email.md
@ -37,7 +37,9 @@ Also make sure the device has correct time configured, best is to set up
 the ntp client.

 Then edit `global-config-overlay`, add `EmailGeneralTo` with a valid
-recipient address. Finally reload the configuration.
+recipient address. Optionally add `EmailServerCertificate` and add the CA
+certificate name if you have certificate verification enabled. Finally
+reload the configuration.

 > ℹ️ **Info**: Copy relevant configuration from
 > [`global-config`](../../global-config.rsc) (the one without `-overlay`) to
--- a/global-config.rsc
+++ b/global-config.rsc
@ -31,6 +31,8 @@
 :global EmailGeneralCc "";
 #:global EmailGeneralTo "mail@example.com";
 #:global EmailGeneralCc "another@example.com,third@example.com";
+# Add the CA certificate name here for verification.
+:global EmailServerCertificate "";

 # You can send Telegram notifications. Register a bot
 # and add the token and chat ids here, then install the module:
--- a/global-functions.rsc
+++ b/global-functions.rsc
@ -15,7 +15,7 @@
 # Git commit id & info, expected configuration version
 :global CommitId "unknown";
 :global CommitInfo "unknown";
-:global ExpectedConfigVersion 141;
+:global ExpectedConfigVersion 142;

 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
@ -111,11 +111,13 @@
  :local UseFor     [ :tostr $2 ];

  :global CertificateDownload;
-  :global EitherOr;
  :global LogPrint;
  :global ParseKeyValueStore;

-  :set UseFor [ $EitherOr $UseFor "undefined" ];
+  :if ([ :len $UseFor ] = 0) do={
+    $LogPrint warning $0 ("The intended use is undefined!");
+    :set UseFor "undefined";
+  }

  :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
       [ /certificate/settings/get crl-download ] = true && \
@ -189,7 +191,12 @@
    $LogPrint warning $0 ("Failed downloading certificate with CommonName '" . $CommonName . \
      "' from repository! Trying fallback to mkcert.org...");
    :do {
-      :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0) do={
+      :local CertSettings [ /certificate/settings/get ];
+      :if ([ :len [ /certificate/find where common-name="ISRG Root X1" ] ] = 0 && \
+           !((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+              ($CertSettings->"builtin-trust-store") ~ "fetch" || \
+              ($CertSettings->"builtin-trust-store") = "all") && \
+             [ :len [ /certificate/builtin/find where common-name="ISRG Root X1" ] ] > 0)) do={
        $LogPrint error $0 ("Required certificate is not available.");
        :return false;
      }
--- a/mod/notification-email.rsc
+++ b/mod/notification-email.rsc
@ -37,7 +37,9 @@
 # flush e-mail queue
 :set FlushEmailQueue do={ :onerror Err {
  :global EmailQueue;
+  :global EmailServerCertificate;

+  :global CertificateAvailable;
  :global EitherOr;
  :global EMailGenerateFrom;
  :global FileExists;
@ -90,6 +92,14 @@
    :return false;
  }

+  :if (([ /tool/e-mail/get ]->"certificate-verification") ~ "^yes" && \
+       [ :len $EmailServerCertificate ] > 0) do={
+    :if ([ $CertificateAvailable $EmailServerCertificate "email" ] = false) do={
+      $LogPrint warning $0 ("Downloading required certificate failed.");
+      :return false;
+    }
+  }
+
  /system/scheduler/set interval=($QueueLen . "m") comment="Sending..." \
    [ find where name="_FlushEmailQueue" ];

--- a/news-and-changes.rsc
+++ b/news-and-changes.rsc
@ -66,6 +66,7 @@
  139="Certificate Authorities will reduce the leaf certificate validity times soon. Thus the defaults for renewal and warning in 'check-certificates' were decreased.";
  140="The scripts 'lease-script' was renamed to 'dhcpv4-server-lease', configuration was updated automatically.";
  141="Introduced script 'dhcpv6-client-lease' to run several scripts on IPv6 DHCP client lease.";
+  142="Added a setting for 'mod/notification-email' to check availability of certificate chain.";
 };

 # Migration steps to be applied on script updates
Author	SHA1	Message	Date
Christian Hesse	1f460b5bae	mod/notification-email: add setting for certificate verification	2026-04-23 09:17:42 +02:00
Christian Hesse	f5dbc27a01	global-functions: $CertificateDownload: extend the check for builtin certificates	2026-04-23 09:17:42 +02:00
Christian Hesse	f69925e537	global-functions: $CertificateAvailable: warn on undefined intended use	2026-04-23 09:17:42 +02:00
Christian Hesse	885129d650	contrib/telegram: add note for dhcpv6-client-lease	2026-04-23 09:17:42 +02:00