Can disable cert check for email server (#3908)

BTCPayServer.Client/Models/EmailSettingsData.cs

@@ -25,4 +25,5 @@ public class EmailSettingsData
     {
         get; set;
     }
+    public bool DisableCertificateCheck { get; set; }
 }

BTCPayServer/Hosting/MigrationStartupTask.cs

@@ -82,7 +82,19 @@ namespace BTCPayServer.Hosting
             try
             {
                 await Migrate(cancellationToken);
-                var settings = (await _Settings.GetSettingAsync<MigrationSettings>()) ?? new MigrationSettings() { MigratedInvoiceTextSearchPages = int.MaxValue };
+                var settings = (await _Settings.GetSettingAsync<MigrationSettings>());
+                if (settings is null)
+                {
+                    // If it is null, then it's the first run: let's skip all the migrations by migration flags to true
+                    settings = new MigrationSettings() { MigratedInvoiceTextSearchPages = int.MaxValue };
+                    foreach (var prop in settings.GetType().GetProperties().Where(p => p.CanWrite && p.PropertyType == typeof(bool)))
+                    {
+                        prop.SetValue(settings, true);
+                    }
+                    settings.CheckedFirstRun = false;
+                    await _Settings.UpdateSetting(settings);
+                }
+
                 if (!settings.PaymentMethodCriteria)
                 {
                     await MigratePaymentMethodCriteria();
@@ -196,6 +208,12 @@ namespace BTCPayServer.Hosting
                     settings.AddStoreToPayout = true;
                     await _Settings.UpdateSetting(settings);
                 }
+                if (!settings.MigrateEmailServerDisableTLSCerts)
+                {
+                    await MigrateEmailServerDisableTLSCerts();
+                    settings.MigrateEmailServerDisableTLSCerts = true;
+                    await _Settings.UpdateSetting(settings);
+                }
             }
             catch (Exception ex)
             {
@@ -204,6 +222,33 @@ namespace BTCPayServer.Hosting
             }
         }
 
+        // In the past, if a server was considered local network, then we would disable TLS checks.
+        // Now we don't do it anymore, as we have an explicit flag (DisableCertificateCheck) to control the behavior.
+        // But we need to migrate old users that relied on the behavior before.
+        private async Task MigrateEmailServerDisableTLSCerts()
+        {
+            await using var ctx = _DBContextFactory.CreateContext();
+            var serverEmailSettings = await _Settings.GetSettingAsync<Services.Mails.EmailSettings>();
+            if (serverEmailSettings?.Server is String server)
+            {
+                serverEmailSettings.DisableCertificateCheck = Extensions.IsLocalNetwork(server);
+                if (serverEmailSettings.DisableCertificateCheck)
+                    await _Settings.UpdateSetting(serverEmailSettings);
+            }
+            var stores = await ctx.Stores.ToArrayAsync();
+            foreach (var store in stores)
+            {
+                var storeBlob = store.GetStoreBlob();
+                if (storeBlob.EmailSettings?.Server is String storeServer)
+                {
+                    storeBlob.EmailSettings.DisableCertificateCheck = Extensions.IsLocalNetwork(storeServer);
+                    if (storeBlob.EmailSettings.DisableCertificateCheck)
+                        store.SetStoreBlob(storeBlob);
+                }
+            }
+            await ctx.SaveChangesAsync();
+        }
+
         private async Task MigrateLighingAddressDatabaseMigration()
         {
             await using var ctx = _DBContextFactory.CreateContext();

BTCPayServer/Services/Mails/EmailSettings.cs

@@ -68,7 +68,7 @@ namespace BTCPayServer.Services.Mails
             using var connectCancel = new CancellationTokenSource(10000);
             try
             {
-                if (Extensions.IsLocalNetwork(Server))
+                if (DisableCertificateCheck)
                 {
                     client.CheckCertificateRevocation = false;
 #pragma warning disable CA5359 // Do Not Disable Certificate Validation

BTCPayServer/Services/MigrationSettings.cs

@@ -31,5 +31,6 @@ namespace BTCPayServer.Services
         public bool LighingAddressSettingRename { get; set; }
         public bool LighingAddressDatabaseMigration { get; set; }
         public bool AddStoreToPayout { get; set; }
+        public bool MigrateEmailServerDisableTLSCerts { get; set; }
     }
 }

BTCPayServer/Views/Shared/EmailsBody.cshtml

@@ -70,6 +70,21 @@
                 }
             </div>
             <input asp-for="PasswordSet" type="hidden"/>
+			<div class="my-4">
+                <button class="btn btn-link text-primary p-0" type="button" id="AdvancedSettingsButton" data-bs-toggle="collapse" data-bs-target="#AdvancedSettings" aria-expanded="false" aria-controls="AdvancedSettings">
+                    Advanced settings
+                </button>
+                <div id="AdvancedSettings" class="collapse">
+                    <div class="pt-3 pb-1">
+                        <div class="form-group">
+                            <div class="form-check">
+                                <input asp-for="Settings.DisableCertificateCheck" class="form-check-input" />
+                                <label asp-for="Settings.DisableCertificateCheck" class="form-check-label">Disable TLS certificate security checks</label>
+                            </div>
+                        </div>
+                    </div>
+                </div>
+            </div>
             <button type="submit" class="btn btn-primary mt-2" name="command" value="Save" id="Save">Save</button>
         </div>
     </div>