From db26e7e045a51972722e24b94063a1979e2351cf Mon Sep 17 00:00:00 2001
From: Dmitry Mironov <dmi@novorado.com>
Date: Sun, 2 Nov 2025 01:36:56 -0700
Subject: [PATCH 1/2] smtp: honor STARTTLS setting instead of forcing implicit
 TLS

---
 modules/smtp/hm-smtp.php | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/modules/smtp/hm-smtp.php b/modules/smtp/hm-smtp.php
index 7a3342faf..a621397ef 100644
--- a/modules/smtp/hm-smtp.php
+++ b/modules/smtp/hm-smtp.php
@@ -111,13 +111,33 @@ function __construct($conf) {
         else {
             $this->port = 25;
         }
-        if (isset($conf['tls']) && $conf['tls']) {
-            $this->tls = true;
-        }
-        else {
-            $this->tls = false;
+        $this->tls = false;
+        $this->starttls = false;
+        if (isset($conf['tls'])) {
+            $tls_val = $conf['tls'];
+            if (is_string($tls_val)) {
+                $normalized = mb_strtolower(trim($tls_val));
+                if ($normalized === 'starttls') {
+                    $this->starttls = true;
+                }
+                elseif ($normalized === 'tls' || $normalized === 'ssl' || $normalized === 'true' || $normalized === '1') {
+                    $this->tls = true;
+                }
+                elseif ($normalized === 'false' || $normalized === '0' || $normalized === '') {
+                    // leave both false
+                }
+                elseif ($tls_val) {
+                    $this->tls = true;
+                }
+            }
+            elseif ($tls_val === true || $tls_val === 1) {
+                $this->tls = true;
+            }
+            elseif ($tls_val) {
+                $this->tls = true;
+            }
         }
-        if (!$this->tls) {
+        if (!$this->tls && !$this->starttls) {
             $this->starttls = true;
         }
         $this->request_auths = array(

From 30d10b4ed5d2fcf88fc7df4f3dd42b37395428af Mon Sep 17 00:00:00 2001
From: Dmitry Mironov <dmi@novorado.com>
Date: Sun, 2 Nov 2025 02:10:03 -0800
Subject: [PATCH 2/2] fix(module/config): read postgres bytea streams before
 decryption

---
 lib/config.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/config.php b/lib/config.php
index 11441d7b0..7c9a33bdf 100644
--- a/lib/config.php
+++ b/lib/config.php
@@ -357,7 +357,15 @@ private function new_settings($username) {
      */
     private function decrypt_settings($data, $key) {
         if (!$this->crypt) {
-            $data = $this->decode($data['settings']);
+            $settings = $data['settings'];
+            if (is_resource($settings)) {
+                $settings = stream_get_contents($settings);
+            }
+            if ($settings === false) {
+                $this->decrypt_failed = true;
+                return false;
+            }
+            $data = $this->decode($settings);
         } else {
             $data = $this->decode(Hm_Crypt::plaintext($data['settings'], $key));
         }