regression

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.44.1 to 1.44.2.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.44.1...tokio-1.44.2)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.44.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/test.yml

@@ -57,12 +57,12 @@ jobs:
 
       - name: Setup cache
         uses: Swatinem/rust-cache@v2
-      
+
       - name: Install cargo hack
         run: cargo install cargo-hack --debug
 
       - name: Check with cargo hack
-        run: cargo hack check --feature-powerset --depth 3
+        run: cargo hack check --feature-powerset --depth 3 --at-least-one-of aws-lc-rs,ring --at-least-one-of rustls-native-certs,webpki-roots
 
   test:
     name: test / ${{ matrix.name }}
@@ -75,8 +75,8 @@ jobs:
             rust: stable
           - name: beta
             rust: beta
-          - name: '1.71'
+          - name: '1.74'
-            rust: '1.71'
+            rust: '1.74'
 
     steps:
       - name: Checkout
@@ -90,7 +90,7 @@ jobs:
       - name: Setup cache
         uses: Swatinem/rust-cache@v2
 
-      - name: Install postfix  
+      - name: Install postfix
         run: |
           DEBIAN_FRONTEND=noninteractive sudo apt-get update
           DEBIAN_FRONTEND=noninteractive sudo apt-get -y install postfix
@@ -119,10 +119,10 @@ jobs:
         run: cargo test
 
       - name: Test with all features (-native-tls)
-        run: cargo test --no-default-features --features async-std1,async-std1-rustls-tls,boring-tls,builder,dkim,file-transport,file-transport-envelope,hostname,mime03,pool,rustls-native-certs,rustls-tls,sendmail-transport,smtp-transport,tokio1,tokio1-boring-tls,tokio1-rustls-tls,tracing
+        run: cargo test --no-default-features --features async-std1,async-std1-rustls,aws-lc-rs,rustls-native-certs,boring-tls,builder,dkim,file-transport,file-transport-envelope,hostname,mime03,pool,rustls-native-certs,rustls,sendmail-transport,smtp-transport,tokio1,tokio1-boring-tls,tokio1-rustls,tracing
-  
+
       - name: Test with all features (-boring-tls)
-        run: cargo test --no-default-features --features async-std1,async-std1-rustls-tls,builder,dkim,file-transport,file-transport-envelope,hostname,mime03,native-tls,pool,rustls-native-certs,rustls-tls,sendmail-transport,smtp-transport,tokio1,tokio1-native-tls,tokio1-rustls-tls,tracing
+        run: cargo test --no-default-features --features async-std1,async-std1-rustls,aws-lc-rs,rustls-native-certs,builder,dkim,file-transport,file-transport-envelope,hostname,mime03,native-tls,pool,rustls-native-certs,rustls,sendmail-transport,smtp-transport,tokio1,tokio1-native-tls,tokio1-rustls,tracing
 
 #  coverage:
 #    name: Coverage

CHANGELOG.md

@@ -1,3 +1,133 @@
+<a name="v0.11.16"></a>
+### v0.11.16 (2025-05-12)
+
+#### Features
+
+* Always implement `Clone` for `AsyncFileTransport` ([#1075])
+
+#### Changes
+
+* `Tls`, `CertificateStore`, `TlsParameters`, `TlsParametersBuilder`, `Certificate` and `Identity`
+  are now marked as deprecated when no TLS backend is enabled. They will be properly feature gated
+  in lettre v0.12 ([#1084])
+
+#### Misc
+
+* Gate `web-time` behind `cfg(target_arch = "wasm32")]` ([#1086])
+* Add missing `#[doc(cfg(...))]` attributes ([#1086])
+* Upgrade `webpki-roots` to v1 ([#1088])
+* Cleanup internal `TlsParameters` and `(Async)NetworkStream` structures ([#1082])
+* Feature gate internal `TransportBuilder::tls` to avoid recursive call site warnings ([#1083])
+* Fix workaround for embedding cargo script in rustdoc output ([#1077])
+* Fix `clippy::io_other_error` warnings ([#1078])
+* Upgrade semver compatible dependencies ([#1076], [#1079], [#1080])
+
+[#1075]: https://github.com/lettre/lettre/pull/1075
+[#1076]: https://github.com/lettre/lettre/pull/1076
+[#1077]: https://github.com/lettre/lettre/pull/1077
+[#1078]: https://github.com/lettre/lettre/pull/1078
+[#1079]: https://github.com/lettre/lettre/pull/1079
+[#1080]: https://github.com/lettre/lettre/pull/1080
+[#1082]: https://github.com/lettre/lettre/pull/1082
+[#1083]: https://github.com/lettre/lettre/pull/1083
+[#1084]: https://github.com/lettre/lettre/pull/1084
+[#1086]: https://github.com/lettre/lettre/pull/1086
+[#1088]: https://github.com/lettre/lettre/pull/1088
+
+<a name="v0.11.15"></a>
+### v0.11.15 (2025-03-10)
+
+#### Upgrade notes
+
+* MSRV is now 1.74 ([#1060])
+
+#### Features
+
+* Add controlled shutdown methods ([#1045], [#1068])
+
+#### Misc
+
+* Deny `unreachable_pub` lint ([#1058])
+* Bump minimum supported `rustls` ([#1063])
+* Bump minimum supported `serde` ([#1064])
+* Upgrade semver compatible dependencies ([#1067])
+* Upgrade `email-encoding` to v0.4 ([#1069])
+
+[#1045]: https://github.com/lettre/lettre/pull/1045
+[#1058]: https://github.com/lettre/lettre/pull/1058
+[#1060]: https://github.com/lettre/lettre/pull/1060
+[#1063]: https://github.com/lettre/lettre/pull/1063
+[#1064]: https://github.com/lettre/lettre/pull/1064
+[#1067]: https://github.com/lettre/lettre/pull/1067
+[#1068]: https://github.com/lettre/lettre/pull/1068
+[#1069]: https://github.com/lettre/lettre/pull/1069
+
+<a name="v0.11.14"></a>
+### v0.11.14 (2025-02-23)
+
+This release deprecates the `rustls-tls`, `tokio1-rustls-tls` and `async-std1-rustls-tls`
+features, which will be removed in lettre v0.12.
+
+rustls users should start migrating to the `rustls`, `tokio1-rustls` and
+`async-std1-rustls` features. Unlike the deprecated _*rustls-tls_ features,
+which automatically enabled the `ring` and `webpki-roots` backends, the new
+features do not. To complete the migration, users must either enable the
+`aws-lc-rs` or the `ring` feature. Additionally, those who rely on `webpki-roots`
+for TLS certificate verification must now explicitly enable its feature.
+Users of `rustls-native-certs` do not need to enable `webpki-roots`.
+
+Find out more about the new features via the [lettre rustls docs].
+
+#### Features
+
+* Make it possible to use different `rustls` crypto providers and TLS verifiers ([#1054])
+
+#### Bug fixes
+
+* Use the same `rustls` crypto provider everywhere ([#1055])
+
+#### Misc
+
+* Deprecate `AsyncNetworkStream` being public ([#1059])
+* Upgrade `nom` to v8 ([#1048])
+* Drop `rustls-pemfile` in favor of `rustls-pki-types` APIs ([#1050])
+* Ban direct use of `std::time::SystemTime::now` via clippy ([#1043])
+* Drop direct dependency on `rustls-pki-types` ([#1051])
+* Remove artifact from `web-time` refactor ([#1049])
+* Fix warnings with `rustls-native-certs` when `tracing` is disabled ([#1053])
+* Bump license year ([#1057])
+* Cleanup `Cargo.toml` style ([#1047])
+
+[lettre rustls docs]: https://docs.rs/lettre/0.11.14/lettre/index.html#smtp-over-tls-via-the-rustls-crate
+[#1043]: https://github.com/lettre/lettre/pull/1043
+[#1047]: https://github.com/lettre/lettre/pull/1047
+[#1048]: https://github.com/lettre/lettre/pull/1048
+[#1049]: https://github.com/lettre/lettre/pull/1049
+[#1050]: https://github.com/lettre/lettre/pull/1050
+[#1051]: https://github.com/lettre/lettre/pull/1051
+[#1053]: https://github.com/lettre/lettre/pull/1053
+[#1054]: https://github.com/lettre/lettre/pull/1054
+[#1055]: https://github.com/lettre/lettre/pull/1055
+[#1057]: https://github.com/lettre/lettre/pull/1057
+[#1059]: https://github.com/lettre/lettre/pull/1059
+
+<a name="v0.11.13"></a>
+### v0.11.13 (2025-02-17)
+
+#### Features
+
+* Add WASM support ([#1037], [#1042])
+* Add method to get the TLS verify result with BoringSSL ([#1039])
+
+#### Bug fixes
+
+* Synchronous pool shutdowns being arbitrarily delayed ([#1041])
+
+[#1037]: https://github.com/lettre/lettre/pull/1037
+[#1039]: https://github.com/lettre/lettre/pull/1039
+[#1041]: https://github.com/lettre/lettre/pull/1041
+[#1042]: https://github.com/lettre/lettre/pull/1042
+
 <a name="v0.11.12"></a>
 ### v0.11.12 (2025-02-02)
 

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "lettre"
 # remember to update html_root_url and README.md (Cargo.toml example and deps.rs badge)
-version = "0.11.12"
+version = "0.11.16"
 description = "Email client"
 readme = "README.md"
 homepage = "https://lettre.rs"
@@ -11,7 +11,7 @@ authors = ["Alexis Mousset <contact@amousset.me>", "Paolo Barbolini <paolo@paolo
 categories = ["email", "network-programming"]
 keywords = ["email", "smtp", "mailer", "message", "sendmail"]
 edition = "2021"
-rust-version = "1.71"
+rust-version = "1.74"
 
 [badges]
 is-it-maintained-issue-resolution = { repository = "lettre/lettre" }
@@ -19,9 +19,12 @@ is-it-maintained-open-issues = { repository = "lettre/lettre" }
 maintenance = { status = "actively-developed" }
 
 [dependencies]
+email_address = { version = "0.2.1", default-features = false }
 chumsky = "0.9"
 idna = "1"
-tracing = { version = "0.1.16", default-features = false, features = ["std"], optional = true } # feature
+
+## tracing support
+tracing = { version = "0.1.16", default-features = false, features = ["std"], optional = true }
 
 # builder
 httpdate = { version = "1", optional = true }
@@ -29,15 +32,15 @@ mime = { version = "0.3.4", optional = true }
 fastrand = { version = "2.0", optional = true }
 quoted_printable = { version = "0.5", optional = true }
 base64 = { version = "0.22", optional = true }
-email-encoding = { version = "0.3", optional = true }
+email-encoding = { version = "0.4", optional = true }
 
 # file transport
 uuid = { version = "1", features = ["v4"], optional = true }
-serde = { version = "1", optional = true, features = ["derive"] }
+serde = { version = "1.0.110", features = ["derive"], optional = true }
 serde_json = { version = "1", optional = true }
 
 # smtp-transport
-nom = { version = "7", optional = true }
+nom = { version = "8", optional = true }
 hostname = { version = "0.4", optional = true } # feature
 socket2 = { version = "0.5.1", optional = true }
 url = { version = "2.4", optional = true }
@@ -45,11 +48,10 @@ percent-encoding = { version = "2.3", optional = true }
 
 ## tls
 native-tls = { version = "0.2.9", optional = true } # feature
-rustls = { version = "0.23.5", default-features = false, features = ["ring", "logging", "std", "tls12"], optional = true }
+rustls = { version = "0.23.18", default-features = false, features = ["logging", "std", "tls12"], optional = true }
-rustls-pemfile = { version = "2", optional = true }
+rustls-platform-verifier = { version = "0.6.0", optional = true }
 rustls-native-certs = { version = "0.8", optional = true }
-rustls-pki-types = { version = "1.7", optional = true }
+webpki-roots = { version = "1.0.0", optional = true }
-webpki-roots = { version = "0.26", optional = true }
 boring = { version = "4", optional = true }
 
 # async
@@ -59,21 +61,22 @@ async-trait = { version = "0.1", optional = true }
 
 ## async-std
 async-std = { version = "1.8", optional = true }
-futures-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
+futures-rustls = { version = "0.26", default-features = false, features = ["logging", "tls12"], optional = true }
 
 ## tokio
 tokio1_crate = { package = "tokio", version = "1", optional = true }
 tokio1_native_tls_crate = { package = "tokio-native-tls", version = "0.3", optional = true }
-tokio1_rustls = { package = "tokio-rustls", version = "0.26", default-features = false, features = ["logging", "tls12", "ring"], optional = true }
+tokio1_rustls = { package = "tokio-rustls", version = "0.26", default-features = false, features = ["logging", "tls12"], optional = true }
 tokio1_boring = { package = "tokio-boring", version = "4", optional = true }
 
 ## dkim
-sha2 = { version = "0.10", optional = true, features = ["oid"] }
+sha2 = { version = "0.10", features = ["oid"], optional = true }
 rsa = { version = "0.9", optional = true }
 ed25519-dalek = { version = "2", optional = true }
 
-# email formats
+[target.'cfg(target_arch = "wasm32")'.dependencies]
-email_address = { version = "0.2.1", default-features = false }
+## web-time for wasm support
+web-time = { version = "1.1.0", optional = true }
 
 [dev-dependencies]
 pretty_assertions = "1"
@@ -108,20 +111,33 @@ smtp-transport = ["dep:base64", "dep:nom", "dep:socket2", "dep:url", "dep:percen
 
 pool = ["dep:futures-util"]
 
-rustls-tls = ["dep:webpki-roots", "dep:rustls", "dep:rustls-pemfile", "dep:rustls-pki-types"]
+rustls = ["dep:rustls"]
+aws-lc-rs = ["rustls?/aws-lc-rs"]
+fips = ["aws-lc-rs", "rustls?/fips"]
+ring = ["rustls?/ring"]
+webpki-roots = ["dep:webpki-roots"]
+# deprecated
+rustls-tls = ["webpki-roots", "rustls", "ring"]
 
 boring-tls = ["dep:boring"]
 
 # async
 async-std1 = ["dep:async-std", "dep:async-trait", "dep:futures-io", "dep:futures-util"]
-async-std1-rustls-tls = ["async-std1", "rustls-tls", "dep:futures-rustls"]
+async-std1-rustls = ["async-std1", "rustls", "dep:futures-rustls"]
+# deprecated
+async-std1-rustls-tls = ["async-std1-rustls", "rustls-tls"]
 tokio1 = ["dep:tokio1_crate", "dep:async-trait", "dep:futures-io", "dep:futures-util"]
 tokio1-native-tls = ["tokio1", "native-tls", "dep:tokio1_native_tls_crate"]
-tokio1-rustls-tls = ["tokio1", "rustls-tls", "dep:tokio1_rustls"]
+tokio1-rustls = ["tokio1", "rustls", "dep:tokio1_rustls"]
+# deprecated
+tokio1-rustls-tls = ["tokio1-rustls", "rustls-tls"]
 tokio1-boring-tls = ["tokio1", "boring-tls", "dep:tokio1_boring"]
 
 dkim = ["dep:base64", "dep:sha2", "dep:rsa", "dep:ed25519-dalek"]
 
+# wasm support
+web = ["dep:web-time"]
+
 [lints.rust]
 unexpected_cfgs = { level = "warn", check-cfg = ['cfg(lettre_ignore_tls_mismatch)'] }
 

LICENSE

@@ -1,5 +1,5 @@
 Copyright (c) 2014-2024 Alexis Mousset <contact@amousset.me>
-Copyright (c) 2019-2024 Paolo Barbolini <paolo@paolo565.org>
+Copyright (c) 2019-2025 Paolo Barbolini <paolo@paolo565.org>
 Copyright (c) 2018 K. <kayo@illumium.org>
 
 Permission is hereby granted, free of charge, to any

README.md

@@ -28,8 +28,8 @@
 </div>
 
 <div align="center">
-  <a href="https://deps.rs/crate/lettre/0.11.12">
+  <a href="https://deps.rs/crate/lettre/0.11.16">
-    <img src="https://deps.rs/crate/lettre/0.11.12/status.svg"
+    <img src="https://deps.rs/crate/lettre/0.11.16/status.svg"
       alt="dependency status" />
   </a>
 </div>
@@ -53,12 +53,12 @@ Lettre does not provide (for now):
 ## Supported Rust Versions
 
 Lettre supports all Rust versions released in the last 6 months. At the time of writing
-the minimum supported Rust version is 1.71, but this could change at any time either from
+the minimum supported Rust version is 1.74, but this could change at any time either from
 one of our dependencies bumping their MSRV or by a new patch release of lettre.
 
 ## Example
 
-This library requires Rust 1.71 or newer.
+This library requires Rust 1.74 or newer.
 To use this library, add the following to your `Cargo.toml`:
 
 ```toml
@@ -73,9 +73,9 @@ use lettre::{Message, SmtpTransport, Transport};
 
 fn main() {
     let email = Message::builder()
-        .from("NoBody <nobody@domain.tld>".parse().unwrap())
+        .from(Mailbox::new("NoBody".to_owned(), "nobody@domain.tld".parse().unwrap()))
-        .reply_to("Yuin <yuin@domain.tld>".parse().unwrap())
+        .reply_to(Mailbox::new("Yuin".to_owned(), "yuin@domain.tld".parse().unwrap()))
-        .to("Hei <hei@domain.tld>".parse().unwrap())
+        .to(Mailbox::new("Hei".to_owned(), "hei@domain.tld".parse().unwrap()))
         .subject("Happy new year")
         .header(ContentType::TEXT_PLAIN)
         .body(String::from("Be happy!"))

clippy.toml

@@ -0,0 +1,3 @@
+disallowed-methods = [
+    { "path" = "std::time::SystemTime::now", reason = "does not work on WASM environments", replacement = "crate::time::now" }
+]

src/address/envelope.rs

@@ -53,7 +53,7 @@ mod serde_forward_path {
             }
         }
     }
-    pub fn deserialize<'de, D>(deserializer: D) -> Result<Vec<Address>, D::Error>
+    pub(super) fn deserialize<'de, D>(deserializer: D) -> Result<Vec<Address>, D::Error>
     where
         D: serde::Deserializer<'de>,
     {
@@ -163,6 +163,7 @@ impl Envelope {
 }
 
 #[cfg(feature = "builder")]
+#[cfg_attr(docsrs, doc(cfg(feature = "builder")))]
 impl TryFrom<&Headers> for Envelope {
     type Error = Error;
 

src/executor.rs

@@ -45,6 +45,7 @@ use crate::transport::smtp::Error;
 #[async_trait]
 pub trait Executor: Debug + Send + Sync + 'static + private::Sealed {
     #[cfg(feature = "smtp-transport")]
+    #[allow(private_bounds)]
     type Handle: SpawnHandle;
     #[cfg(feature = "smtp-transport")]
     type Sleep: Future<Output = ()> + Send + 'static;
@@ -82,8 +83,8 @@ pub trait Executor: Debug + Send + Sync + 'static + private::Sealed {
 #[doc(hidden)]
 #[cfg(feature = "smtp-transport")]
 #[async_trait]
-pub trait SpawnHandle: Debug + Send + Sync + 'static + private::Sealed {
+pub(crate) trait SpawnHandle: Debug + Send + Sync + 'static + private::Sealed {
-    async fn shutdown(self);
+    async fn shutdown(&self);
 }
 
 /// Async [`Executor`] using `tokio` `1.x`
@@ -133,7 +134,7 @@ impl Executor for Tokio1Executor {
     ) -> Result<AsyncSmtpConnection, Error> {
         #[allow(clippy::match_single_binding)]
         let tls_parameters = match tls {
-            #[cfg(any(feature = "tokio1-native-tls", feature = "tokio1-rustls-tls"))]
+            #[cfg(any(feature = "tokio1-native-tls", feature = "tokio1-rustls"))]
             Tls::Wrapper(tls_parameters) => Some(tls_parameters.clone()),
             _ => None,
         };
@@ -147,7 +148,7 @@ impl Executor for Tokio1Executor {
         )
         .await?;
 
-        #[cfg(any(feature = "tokio1-native-tls", feature = "tokio1-rustls-tls"))]
+        #[cfg(any(feature = "tokio1-native-tls", feature = "tokio1-rustls"))]
         match tls {
             Tls::Opportunistic(tls_parameters) => {
                 if conn.can_starttls() {
@@ -177,7 +178,7 @@ impl Executor for Tokio1Executor {
 #[cfg(all(feature = "smtp-transport", feature = "tokio1"))]
 #[async_trait]
 impl SpawnHandle for tokio1_crate::task::JoinHandle<()> {
-    async fn shutdown(self) {
+    async fn shutdown(&self) {
         self.abort();
     }
 }
@@ -201,7 +202,7 @@ pub struct AsyncStd1Executor;
 #[cfg(feature = "async-std1")]
 impl Executor for AsyncStd1Executor {
     #[cfg(feature = "smtp-transport")]
-    type Handle = async_std::task::JoinHandle<()>;
+    type Handle = futures_util::future::AbortHandle;
     #[cfg(feature = "smtp-transport")]
     type Sleep = BoxFuture<'static, ()>;
 
@@ -211,7 +212,9 @@ impl Executor for AsyncStd1Executor {
         F: Future<Output = ()> + Send + 'static,
         F::Output: Send + 'static,
     {
-        async_std::task::spawn(fut)
+        let (handle, registration) = futures_util::future::AbortHandle::new_pair();
+        async_std::task::spawn(futures_util::future::Abortable::new(fut, registration));
+        handle
     }
 
     #[cfg(feature = "smtp-transport")]
@@ -230,7 +233,7 @@ impl Executor for AsyncStd1Executor {
     ) -> Result<AsyncSmtpConnection, Error> {
         #[allow(clippy::match_single_binding)]
         let tls_parameters = match tls {
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
             Tls::Wrapper(tls_parameters) => Some(tls_parameters.clone()),
             _ => None,
         };
@@ -243,7 +246,7 @@ impl Executor for AsyncStd1Executor {
         )
         .await?;
 
-        #[cfg(feature = "async-std1-rustls-tls")]
+        #[cfg(feature = "async-std1-rustls")]
         match tls {
             Tls::Opportunistic(tls_parameters) => {
                 if conn.can_starttls() {
@@ -272,9 +275,9 @@ impl Executor for AsyncStd1Executor {
 
 #[cfg(all(feature = "smtp-transport", feature = "async-std1"))]
 #[async_trait]
-impl SpawnHandle for async_std::task::JoinHandle<()> {
+impl SpawnHandle for futures_util::future::AbortHandle {
-    async fn shutdown(self) {
+    async fn shutdown(&self) {
-        self.cancel().await;
+        self.abort();
     }
 }
 
@@ -291,5 +294,5 @@ mod private {
     impl Sealed for tokio1_crate::task::JoinHandle<()> {}
 
     #[cfg(all(feature = "smtp-transport", feature = "async-std1"))]
-    impl Sealed for async_std::task::JoinHandle<()> {}
+    impl Sealed for futures_util::future::AbortHandle {}
 }

src/lib.rs

@@ -6,7 +6,7 @@
 //! * Secure defaults
 //! * Async support
 //!
-//! Lettre requires Rust 1.71 or newer.
+//! Lettre requires Rust 1.74 or newer.
 //!
 //! ## Features
 //!
@@ -64,13 +64,49 @@
 //!
 //! #### SMTP over TLS via the rustls crate
 //!
-//! _Secure SMTP connections using TLS from the `rustls-tls` crate_
+//! _Secure SMTP connections using TLS from the `rustls` crate_
 //!
-//! Rustls uses [ring] as the cryptography implementation. As a result, [not all Rust's targets are supported][ring-support].
+//! * **rustls**: TLS support for the synchronous version of the API
+//! * **tokio1-rustls**: TLS support for the `tokio1` async version of the API
+//! * **async-std1-rustls**: TLS support for the `async-std1` async version of the API
 //!
-//! * **rustls-tls**: TLS support for the synchronous version of the API
+//! ##### rustls crypto backends
-//! * **tokio1-rustls-tls**: TLS support for the `tokio1` async version of the API
+//!
-//! * **async-std1-rustls-tls**: TLS support for the `async-std1` async version of the API
+//! _The crypto implementation to use with rustls_
+//!
+//! When the `rustls` feature is enabled, one of the following crypto backends MUST also
+//! be enabled.
+//!
+//! * **aws-lc-rs**: use [AWS-LC] (via [`aws-lc-rs`]) as the `rustls` crypto backend
+//! * **ring**: use [`ring`] as the `rustls` crypto backend
+//!
+//! When enabling `aws-lc-rs`, the `fips` feature can also be enabled to have
+//! rustls use the FIPS certified module of AWS-LC.
+//!
+//! `aws-lc-rs` may require cmake on some platforms to compile.
+//! `fips` always requires cmake and the Go compiler to compile.
+//!
+//! ##### rustls certificate verification backend
+//!
+//! _The TLS certificate verification backend to use with rustls_
+//!
+//! When the `rustls` feature is enabled, one of the following verification backends
+//! MUST also be enabled.
+//!
+//! * **rustls-platform-verifier**: verify TLS certificate using the OS's native certificate store (see [`rustls-platform-verifier`])
+//! * **rustls-native-certs**: verify TLS certificates using the platform's native certificate store (see [`rustls-native-certs`]) - when in doubt use `rustls-platform-verifier`
+//! * **webpki-roots**: verify TLS certificates against Mozilla's root certificates (see [`webpki-roots`])
+//!
+//! The following packages will need to be installed in order for the build
+//! stage and the compiled program to run properly.
+//!
+//! | Verification backend       | Distro       | Build-time packages        | Runtime packages             |
+//! | ---------------------      | ------------ | -------------------------- | ---------------------------- |
+//! | `rustls-platform-verifier` | Debian       | none                       | `ca-certificates`            |
+//! | `rustls-platform-verifier` | Alpine Linux | none                       | `ca-certificates`            |
+//! | `rustls-native-certs`      | Debian       | none                       | `ca-certificates`            |
+//! | `rustls-native-certs`      | Alpine Linux | none                       | `ca-certificates`            |
+//! | `webpki-roots`             | any          | none                       | none                         |
 //!
 //! ### Sendmail transport
 //!
@@ -107,6 +143,7 @@
 //! * **tracing**: Logging using the `tracing` crate
 //! * **mime03**: Allow creating a [`ContentType`] from an existing [mime 0.3] `Mime` struct
 //! * **dkim**: Add support for signing email with DKIM
+//! * **web**: WebAssembly support using the `web-time` crate for time operations
 //!
 //! [`SMTP`]: crate::transport::smtp
 //! [`sendmail`]: crate::transport::sendmail
@@ -114,18 +151,23 @@
 //! [`ContentType`]: crate::message::header::ContentType
 //! [tokio]: https://docs.rs/tokio/1
 //! [async-std]: https://docs.rs/async-std/1
-//! [ring]: https://github.com/briansmith/ring#ring
+//! [AWS-LC]: https://github.com/aws/aws-lc
-//! [ring-support]: https://github.com/briansmith/ring#online-automated-testing
+//! [`aws-lc-rs`]: https://crates.io/crates/aws-lc-rs
+//! [`ring`]: https://crates.io/crates/ring
+//! [`rustls-platform-verifier`]: https://crates.io/crates/rustls-platform-verifier
+//! [`rustls-native-certs`]: https://crates.io/crates/rustls-native-certs
+//! [`webpki-roots`]: https://crates.io/crates/webpki-roots
 //! [Tokio 1.x]: https://docs.rs/tokio/1
 //! [async-std 1.x]: https://docs.rs/async-std/1
 //! [mime 0.3]: https://docs.rs/mime/0.3
 //! [DKIM]: https://datatracker.ietf.org/doc/html/rfc6376
 
-#![doc(html_root_url = "https://docs.rs/crate/lettre/0.11.12")]
+#![doc(html_root_url = "https://docs.rs/crate/lettre/0.11.16")]
 #![doc(html_favicon_url = "https://lettre.rs/favicon.ico")]
 #![doc(html_logo_url = "https://avatars0.githubusercontent.com/u/15113230?v=4")]
 #![forbid(unsafe_code)]
 #![deny(
+    unreachable_pub,
     missing_copy_implementations,
     trivial_casts,
     trivial_numeric_casts,
@@ -162,6 +204,23 @@
 
 #[cfg(not(lettre_ignore_tls_mismatch))]
 mod compiletime_checks {
+    #[cfg(all(feature = "rustls", not(feature = "aws-lc-rs"), not(feature = "ring")))]
+    compile_error!(
+        "feature `rustls` also requires either the `aws-lc-rs` or the `ring` feature to
+    be enabled"
+    );
+
+    #[cfg(all(
+        feature = "rustls",
+        not(feature = "rustls-platform-verifier"),
+        not(feature = "rustls-native-certs"),
+        not(feature = "webpki-roots")
+    ))]
+    compile_error!(
+        "feature `rustls` also requires either the `rustls-platform-verifier`, the `rustls-native-certs`
+    or the `webpki-roots` feature to be enabled"
+    );
+
     #[cfg(all(feature = "native-tls", feature = "boring-tls"))]
     compile_error!("feature \"native-tls\" and feature \"boring-tls\" cannot be enabled at the same time, otherwise
     the executable will fail to link.");
@@ -172,16 +231,12 @@ mod compiletime_checks {
         not(feature = "tokio1-native-tls")
     ))]
     compile_error!("Lettre is being built with the `tokio1` and the `native-tls` features, but the `tokio1-native-tls` feature hasn't been turned on.
-    If you were trying to opt into `rustls-tls` and did not activate `native-tls`, disable the default-features of lettre in `Cargo.toml` and manually add the required features.
+    If you were trying to opt into `rustls` and did not activate `native-tls`, disable the default-features of lettre in `Cargo.toml` and manually add the required features.
     Make sure to apply the same to any of your crate dependencies that use the `lettre` crate.");
 
-    #[cfg(all(
+    #[cfg(all(feature = "tokio1", feature = "rustls", not(feature = "tokio1-rustls")))]
-        feature = "tokio1",
+    compile_error!("Lettre is being built with the `tokio1` and the `rustls` features, but the `tokio1-rustls` feature hasn't been turned on.
-        feature = "rustls-tls",
+    If you'd like to use `native-tls` make sure that the `rustls` feature hasn't been enabled by mistake.
-        not(feature = "tokio1-rustls-tls")
-    ))]
-    compile_error!("Lettre is being built with the `tokio1` and the `rustls-tls` features, but the `tokio1-rustls-tls` feature hasn't been turned on.
-    If you'd like to use `native-tls` make sure that the `rustls-tls` feature hasn't been enabled by mistake.
     Make sure to apply the same to any of your crate dependencies that use the `lettre` crate.");
 
     #[cfg(all(
@@ -190,22 +245,22 @@ mod compiletime_checks {
         not(feature = "tokio1-boring-tls")
     ))]
     compile_error!("Lettre is being built with the `tokio1` and the `boring-tls` features, but the `tokio1-boring-tls` feature hasn't been turned on.
-    If you'd like to use `boring-tls` make sure that the `rustls-tls` feature hasn't been enabled by mistake.
+    If you'd like to use `boring-tls` make sure that the `rustls` feature hasn't been enabled by mistake.
     Make sure to apply the same to any of your crate dependencies that use the `lettre` crate.");
 
-    #[cfg(all(feature = "async-std1", feature = "native-tls",))]
+    #[cfg(all(feature = "async-std1", feature = "native-tls"))]
     compile_error!("Lettre is being built with the `async-std1` and the `native-tls` features, but the async-std integration doesn't support native-tls yet.
 If you'd like to work on the issue please take a look at https://github.com/lettre/lettre/issues/576.
-If you were trying to opt into `rustls-tls` and did not activate `native-tls`, disable the default-features of lettre in `Cargo.toml` and manually add the required features.
+If you were trying to opt into `rustls` and did not activate `native-tls`, disable the default-features of lettre in `Cargo.toml` and manually add the required features.
 Make sure to apply the same to any of your crate dependencies that use the `lettre` crate.");
 
     #[cfg(all(
         feature = "async-std1",
-        feature = "rustls-tls",
+        feature = "rustls",
-        not(feature = "async-std1-rustls-tls")
+        not(feature = "async-std1-rustls")
     ))]
-    compile_error!("Lettre is being built with the `async-std1` and the `rustls-tls` features, but the `async-std1-rustls-tls` feature hasn't been turned on.
+    compile_error!("Lettre is being built with the `async-std1` and the `rustls` features, but the `async-std1-rustls` feature hasn't been turned on.
-If you'd like to use `native-tls` make sure that the `rustls-tls` hasn't been enabled by mistake.
+If you'd like to use `native-tls` make sure that the `rustls` hasn't been enabled by mistake.
 Make sure to apply the same to any of your crate dependencies that use the `lettre` crate.");
 }
 
@@ -218,6 +273,9 @@ mod executor;
 #[cfg(feature = "builder")]
 #[cfg_attr(docsrs, doc(cfg(feature = "builder")))]
 pub mod message;
+#[cfg(feature = "rustls")]
+mod rustls_crypto;
+mod time;
 pub mod transport;
 
 use std::error::Error as StdError;

src/message/dkim.rs

@@ -346,7 +346,7 @@ fn dkim_canonicalize_headers<'a>(
 /// Sign with Dkim a message by adding Dkim-Signature header created with configuration expressed by
 /// `dkim_config`
 pub fn dkim_sign(message: &mut Message, dkim_config: &DkimConfig) {
-    dkim_sign_fixed_time(message, dkim_config, SystemTime::now());
+    dkim_sign_fixed_time(message, dkim_config, crate::time::now());
 }
 
 fn dkim_sign_fixed_time(message: &mut Message, dkim_config: &DkimConfig, timestamp: SystemTime) {

src/message/header/date.rs

@@ -21,7 +21,7 @@ impl Date {
     ///
     /// Shortcut for `Date::new(SystemTime::now())`
     pub fn now() -> Self {
-        Self::new(SystemTime::now())
+        Self::new(crate::time::now())
     }
 }
 

src/message/mailbox/parsers/rfc2822.rs

@@ -41,14 +41,14 @@ fn quoted_pair() -> impl Parser<char, char, Error = Cheap<char>> {
 
 // FWS             =       ([*WSP CRLF] 1*WSP) /   ; Folding white space
 //                         obs-FWS
-pub fn fws() -> impl Parser<char, Option<char>, Error = Cheap<char>> {
+pub(super) fn fws() -> impl Parser<char, Option<char>, Error = Cheap<char>> {
     rfc2234::wsp()
         .or_not()
         .then_ignore(rfc2234::wsp().ignored().repeated())
 }
 
 // CFWS            =       *([FWS] comment) (([FWS] comment) / FWS)
-pub fn cfws() -> impl Parser<char, Option<char>, Error = Cheap<char>> {
+pub(super) fn cfws() -> impl Parser<char, Option<char>, Error = Cheap<char>> {
     // TODO: comment are not currently supported, so for now a cfws is
     // the same as a fws.
     fws()
@@ -106,12 +106,12 @@ pub(super) fn atom() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
 }
 
 // dot-atom        =       [CFWS] dot-atom-text [CFWS]
-pub fn dot_atom() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn dot_atom() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     cfws().chain(dot_atom_text())
 }
 
 // dot-atom-text   =       1*atext *("." 1*atext)
-pub fn dot_atom_text() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn dot_atom_text() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     atext().repeated().at_least(1).chain(
         just('.')
             .chain(atext().repeated().at_least(1))
@@ -204,7 +204,7 @@ pub(crate) fn mailbox_list(
 // https://datatracker.ietf.org/doc/html/rfc2822#section-3.4.1
 
 // addr-spec       =       local-part "@" domain
-pub fn addr_spec() -> impl Parser<char, (String, String), Error = Cheap<char>> {
+pub(super) fn addr_spec() -> impl Parser<char, (String, String), Error = Cheap<char>> {
     local_part()
         .collect()
         .then_ignore(just('@'))
@@ -212,12 +212,12 @@ pub fn addr_spec() -> impl Parser<char, (String, String), Error = Cheap<char>> {
 }
 
 // local-part      =       dot-atom / quoted-string / obs-local-part
-pub fn local_part() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn local_part() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     choice((dot_atom(), quoted_string(), obs_local_part()))
 }
 
 // domain          =       dot-atom / domain-literal / obs-domain
-pub fn domain() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn domain() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     // NOTE: omitting domain-literal since it may never be used
     choice((dot_atom(), obs_domain()))
 }
@@ -240,11 +240,11 @@ fn obs_phrase() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
 // https://datatracker.ietf.org/doc/html/rfc2822#section-4.4
 
 // obs-local-part  =       word *("." word)
-pub fn obs_local_part() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn obs_local_part() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     word().chain(just('.').chain(word()).repeated().flatten())
 }
 
 // obs-domain      =       atom *("." atom)
-pub fn obs_domain() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
+pub(super) fn obs_domain() -> impl Parser<char, Vec<char>, Error = Cheap<char>> {
     atom().chain(just('.').chain(atom()).repeated().flatten())
 }

src/message/mod.rs

@@ -277,7 +277,7 @@ impl MessageBuilder {
     /// Shortcut for `self.date(SystemTime::now())`, it is automatically inserted
     /// if no date has been provided.
     pub fn date_now(self) -> Self {
-        self.date(SystemTime::now())
+        self.date(crate::time::now())
     }
 
     /// Set or add mailbox to `ReplyTo` header

src/rustls_crypto.rs

@@ -0,0 +1,14 @@
+use std::sync::Arc;
+
+use rustls::crypto::CryptoProvider;
+
+pub(crate) fn crypto_provider() -> Arc<CryptoProvider> {
+    CryptoProvider::get_default().cloned().unwrap_or_else(|| {
+        #[cfg(feature = "aws-lc-rs")]
+        let provider = rustls::crypto::aws_lc_rs::default_provider();
+        #[cfg(not(feature = "aws-lc-rs"))]
+        let provider = rustls::crypto::ring::default_provider();
+
+        Arc::new(provider)
+    })
+}

src/time.rs

@@ -0,0 +1,26 @@
+use std::time::SystemTime;
+
+#[cfg(all(feature = "web", target_arch = "wasm32"))]
+pub(crate) fn now() -> SystemTime {
+    fn to_std_systemtime(time: web_time::SystemTime) -> std::time::SystemTime {
+        let duration = time
+            .duration_since(web_time::SystemTime::UNIX_EPOCH)
+            .unwrap();
+        SystemTime::UNIX_EPOCH + duration
+    }
+
+    // FIXME: change to:
+    // #[allow(
+    //     clippy::disallowed_methods,
+    //     reason = "`web-time` aliases `std::time::SystemTime::now` on non-WASM platforms"
+    // )]
+    #[allow(clippy::disallowed_methods)]
+    to_std_systemtime(web_time::SystemTime::now())
+}
+
+#[cfg(not(all(feature = "web", target_arch = "wasm32")))]
+pub(crate) fn now() -> SystemTime {
+    // FIXME: change to #[expect(clippy::disallowed_methods, reason = "the `web` feature is disabled")]
+    #[allow(clippy::disallowed_methods)]
+    SystemTime::now()
+}

src/transport/file/error.rs

@@ -34,6 +34,7 @@ impl Error {
 
     /// Returns true if the error is an envelope serialization or deserialization error
     #[cfg(feature = "file-transport-envelope")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "file-transport-envelope")))]
     pub fn is_envelope(&self) -> bool {
         matches!(self.inner.kind, Kind::Envelope)
     }

src/transport/file/mod.rs

@@ -173,7 +173,7 @@ pub struct FileTransport {
 }
 
 /// Asynchronously writes the content and the envelope information to a file
-#[derive(Debug, Clone)]
+#[derive(Debug)]
 #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
 #[cfg_attr(docsrs, doc(cfg(any(feature = "tokio1", feature = "async-std1"))))]
 #[cfg(any(feature = "async-std1", feature = "tokio1"))]
@@ -199,6 +199,7 @@ impl FileTransport {
     /// Writes the email content in eml format and the envelope
     /// in json format.
     #[cfg(feature = "file-transport-envelope")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "file-transport-envelope")))]
     pub fn with_envelope<P: AsRef<Path>>(path: P) -> FileTransport {
         FileTransport {
             path: PathBuf::from(path.as_ref()),
@@ -211,6 +212,7 @@ impl FileTransport {
     ///
     /// Reads the envelope and the raw message content.
     #[cfg(feature = "file-transport-envelope")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "file-transport-envelope")))]
     pub fn read(&self, email_id: &str) -> Result<(Envelope, Vec<u8>), Error> {
         use std::fs;
 
@@ -249,6 +251,7 @@ where
     /// Writes the email content in eml format and the envelope
     /// in json format.
     #[cfg(feature = "file-transport-envelope")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "file-transport-envelope")))]
     pub fn with_envelope<P: AsRef<Path>>(path: P) -> Self {
         Self {
             inner: FileTransport::with_envelope(path),
@@ -260,6 +263,7 @@ where
     ///
     /// Reads the envelope and the raw message content.
     #[cfg(feature = "file-transport-envelope")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "file-transport-envelope")))]
     pub async fn read(&self, email_id: &str) -> Result<(Envelope, Vec<u8>), Error> {
         let eml_file = self.inner.path.join(format!("{email_id}.eml"));
         let eml = E::fs_read(&eml_file).await.map_err(error::io)?;
@@ -272,6 +276,16 @@ where
     }
 }
 
+#[cfg(any(feature = "async-std1", feature = "tokio1"))]
+impl<E: Executor> Clone for AsyncFileTransport<E> {
+    fn clone(&self) -> Self {
+        Self {
+            inner: self.inner.clone(),
+            marker_: PhantomData,
+        }
+    }
+}
+
 impl Transport for FileTransport {
     type Ok = Id;
     type Error = Error;

src/transport/mod.rs

@@ -140,6 +140,10 @@ pub trait Transport {
     }
 
     fn send_raw(&self, envelope: &Envelope, email: &[u8]) -> Result<Self::Ok, Self::Error>;
+
+    /// Shuts down the transport. Future calls to [`Self::send`] and
+    /// [`Self::send_raw`] might fail.
+    fn shutdown(&self) {}
 }
 
 /// Async Transport method for emails
@@ -166,4 +170,8 @@ pub trait AsyncTransport {
     }
 
     async fn send_raw(&self, envelope: &Envelope, email: &[u8]) -> Result<Self::Ok, Self::Error>;
+
+    /// Shuts down the transport. Future calls to [`Self::send`] and
+    /// [`Self::send_raw`] might fail.
+    async fn shutdown(&self) {}
 }

src/transport/smtp/async_transport.rs

@@ -14,8 +14,8 @@ use super::pool::async_impl::Pool;
 use super::PoolConfig;
 #[cfg(any(
     feature = "tokio1-native-tls",
-    feature = "tokio1-rustls-tls",
+    feature = "tokio1-rustls",
-    feature = "async-std1-rustls-tls"
+    feature = "async-std1-rustls"
 ))]
 use super::Tls;
 use super::{
@@ -79,6 +79,11 @@ impl AsyncTransport for AsyncSmtpTransport<Tokio1Executor> {
 
         Ok(result)
     }
+
+    async fn shutdown(&self) {
+        #[cfg(feature = "pool")]
+        self.inner.shutdown().await;
+    }
 }
 
 #[cfg(feature = "async-std1")]
@@ -97,6 +102,11 @@ impl AsyncTransport for AsyncSmtpTransport<AsyncStd1Executor> {
 
         Ok(result)
     }
+
+    async fn shutdown(&self) {
+        #[cfg(feature = "pool")]
+        self.inner.shutdown().await;
+    }
 }
 
 impl<E> AsyncSmtpTransport<E>
@@ -111,15 +121,15 @@ where
     /// to validate TLS certificates.
     #[cfg(any(
         feature = "tokio1-native-tls",
-        feature = "tokio1-rustls-tls",
+        feature = "tokio1-rustls",
-        feature = "async-std1-rustls-tls"
+        feature = "async-std1-rustls"
     ))]
     #[cfg_attr(
         docsrs,
         doc(cfg(any(
             feature = "tokio1-native-tls",
-            feature = "tokio1-rustls-tls",
+            feature = "tokio1-rustls",
-            feature = "async-std1-rustls-tls"
+            feature = "async-std1-rustls"
         )))
     )]
     pub fn relay(relay: &str) -> Result<AsyncSmtpTransportBuilder, Error> {
@@ -145,15 +155,15 @@ where
     /// or emails will be sent to the server, protecting from downgrade attacks.
     #[cfg(any(
         feature = "tokio1-native-tls",
-        feature = "tokio1-rustls-tls",
+        feature = "tokio1-rustls",
-        feature = "async-std1-rustls-tls"
+        feature = "async-std1-rustls"
     ))]
     #[cfg_attr(
         docsrs,
         doc(cfg(any(
             feature = "tokio1-native-tls",
-            feature = "tokio1-rustls-tls",
+            feature = "tokio1-rustls",
-            feature = "async-std1-rustls-tls"
+            feature = "async-std1-rustls"
         )))
     )]
     pub fn starttls_relay(relay: &str) -> Result<AsyncSmtpTransportBuilder, Error> {
@@ -224,7 +234,7 @@ where
     /// a proper URL encoder, like the following cargo script:
     ///
     /// ```rust
-    /// # let _ = r#"
+    /// # const TOML: &str = r#"
     /// #!/usr/bin/env cargo
     ///
     /// //! ```cargo
@@ -288,10 +298,10 @@ where
     /// # Ok(())
     /// # }
     /// ```
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn from_url(connection_url: &str) -> Result<AsyncSmtpTransportBuilder, Error> {
         super::connection_url::from_connection_url(connection_url)
@@ -416,15 +426,15 @@ impl AsyncSmtpTransportBuilder {
     /// lead to hard to debug IO errors coming from the TLS library.
     #[cfg(any(
         feature = "tokio1-native-tls",
-        feature = "tokio1-rustls-tls",
+        feature = "tokio1-rustls",
-        feature = "async-std1-rustls-tls"
+        feature = "async-std1-rustls"
     ))]
     #[cfg_attr(
         docsrs,
         doc(cfg(any(
             feature = "tokio1-native-tls",
-            feature = "tokio1-rustls-tls",
+            feature = "tokio1-rustls",
-            feature = "async-std1-rustls-tls"
+            feature = "async-std1-rustls"
         )))
     )]
     pub fn tls(mut self, tls: Tls) -> Self {
@@ -460,7 +470,7 @@ impl AsyncSmtpTransportBuilder {
 }
 
 /// Build client
-pub struct AsyncSmtpClient<E> {
+pub(super) struct AsyncSmtpClient<E> {
     info: SmtpInfo,
     marker_: PhantomData<E>,
 }
@@ -472,7 +482,7 @@ where
     /// Creates a new connection directly usable to send emails
     ///
     /// Handles encryption and authentication
-    pub async fn connection(&self) -> Result<AsyncSmtpConnection, Error> {
+    pub(super) async fn connection(&self) -> Result<AsyncSmtpConnection, Error> {
         let mut conn = E::connect(
             &self.info.server,
             self.info.port,

src/transport/smtp/client/async_connection.rs

@@ -6,7 +6,8 @@ use futures_util::io::{AsyncBufReadExt, AsyncWriteExt, BufReader};
 use super::async_net::AsyncTokioStream;
 #[cfg(feature = "tracing")]
 use super::escape_crlf;
-use super::{AsyncNetworkStream, ClientCodec, TlsParameters};
+#[allow(deprecated)]
+use super::{async_net::AsyncNetworkStream, ClientCodec, TlsParameters};
 use crate::{
     transport::smtp::{
         authentication::{Credentials, Mechanism},
@@ -35,6 +36,7 @@ macro_rules! try_smtp (
 pub struct AsyncSmtpConnection {
     /// TCP stream between client and server
     /// Value is None before connection
+    #[allow(deprecated)]
     stream: BufReader<AsyncNetworkStream>,
     /// Panic state
     panic: bool,
@@ -52,10 +54,12 @@ impl AsyncSmtpConnection {
     ///
     /// Sends EHLO and parses server information
     #[cfg(feature = "tokio1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "tokio1")))]
     pub async fn connect_with_transport(
         stream: Box<dyn AsyncTokioStream>,
         hello_name: &ClientId,
     ) -> Result<AsyncSmtpConnection, Error> {
+        #[allow(deprecated)]
         let stream = AsyncNetworkStream::use_existing_tokio1(stream);
         Self::connect_impl(stream, hello_name).await
     }
@@ -91,6 +95,7 @@ impl AsyncSmtpConnection {
     /// # }
     /// ```
     #[cfg(feature = "tokio1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "tokio1")))]
     pub async fn connect_tokio1<T: tokio1_crate::net::ToSocketAddrs>(
         server: T,
         timeout: Option<Duration>,
@@ -98,6 +103,7 @@ impl AsyncSmtpConnection {
         tls_parameters: Option<TlsParameters>,
         local_address: Option<IpAddr>,
     ) -> Result<AsyncSmtpConnection, Error> {
+        #[allow(deprecated)]
         let stream =
             AsyncNetworkStream::connect_tokio1(server, timeout, tls_parameters, local_address)
                 .await?;
@@ -108,16 +114,19 @@ impl AsyncSmtpConnection {
     ///
     /// Sends EHLO and parses server information
     #[cfg(feature = "async-std1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "async-std1")))]
     pub async fn connect_asyncstd1<T: async_std::net::ToSocketAddrs>(
         server: T,
         timeout: Option<Duration>,
         hello_name: &ClientId,
         tls_parameters: Option<TlsParameters>,
     ) -> Result<AsyncSmtpConnection, Error> {
+        #[allow(deprecated)]
         let stream = AsyncNetworkStream::connect_asyncstd1(server, timeout, tls_parameters).await?;
         Self::connect_impl(stream, hello_name).await
     }
 
+    #[allow(deprecated)]
     async fn connect_impl(
         stream: AsyncNetworkStream,
         hello_name: &ClientId,
@@ -245,6 +254,7 @@ impl AsyncSmtpConnection {
     }
 
     /// Sets the underlying stream
+    #[allow(deprecated)]
     pub fn set_stream(&mut self, stream: AsyncNetworkStream) {
         self.stream = BufReader::new(stream);
     }
@@ -368,13 +378,35 @@ impl AsyncSmtpConnection {
     }
 
     /// The X509 certificate of the server (DER encoded)
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
     pub fn peer_certificate(&self) -> Result<Vec<u8>, Error> {
         self.stream.get_ref().peer_certificate()
     }
 
+    /// Currently this is only avaialable when using Boring TLS and
+    /// returns the result of the verification of the TLS certificate
+    /// presented by the peer, if any. Only the last error encountered
+    /// during verification is presented.
+    /// It can be useful when you don't want to fail outright the TLS
+    /// negotiation, for example when a self-signed certificate is
+    /// encountered, but still want to record metrics or log the fact.
+    /// When using DANE verification, the PKI root of trust moves from
+    /// the CAs to DNS, so self-signed certificates are permitted as long
+    /// as the TLSA records match the leaf or issuer certificates.
+    /// It cannot be called on non Boring TLS streams.
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn tls_verify_result(&self) -> Result<(), Error> {
+        self.stream.get_ref().tls_verify_result()
+    }
+
     /// All the X509 certificates of the chain (DER encoded)
-    #[cfg(any(feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "rustls", feature = "boring-tls"))))]
     pub fn certificate_chain(&self) -> Result<Vec<Vec<u8>>, Error> {
         self.stream.get_ref().certificate_chain()
     }

src/transport/smtp/client/async_net.rs

@@ -9,13 +9,11 @@ use std::{
 #[cfg(feature = "async-std1")]
 use async_std::net::{TcpStream as AsyncStd1TcpStream, ToSocketAddrs as AsyncStd1ToSocketAddrs};
 use futures_io::{
-    AsyncRead as FuturesAsyncRead, AsyncWrite as FuturesAsyncWrite, Error as IoError, ErrorKind,
+    AsyncRead as FuturesAsyncRead, AsyncWrite as FuturesAsyncWrite, Error as IoError,
     Result as IoResult,
 };
-#[cfg(feature = "async-std1-rustls-tls")]
+#[cfg(feature = "async-std1-rustls")]
-use futures_rustls::client::TlsStream as AsyncStd1RustlsTlsStream;
+use futures_rustls::client::TlsStream as AsyncStd1RustlsStream;
-#[cfg(any(feature = "tokio1-rustls-tls", feature = "async-std1-rustls-tls"))]
-use rustls::pki_types::ServerName;
 #[cfg(feature = "tokio1-boring-tls")]
 use tokio1_boring::SslStream as Tokio1SslStream;
 #[cfg(feature = "tokio1")]
@@ -27,14 +25,14 @@ use tokio1_crate::net::{
 };
 #[cfg(feature = "tokio1-native-tls")]
 use tokio1_native_tls_crate::TlsStream as Tokio1TlsStream;
-#[cfg(feature = "tokio1-rustls-tls")]
+#[cfg(feature = "tokio1-rustls")]
-use tokio1_rustls::client::TlsStream as Tokio1RustlsTlsStream;
+use tokio1_rustls::client::TlsStream as Tokio1RustlsStream;
 
 #[cfg(any(
     feature = "tokio1-native-tls",
-    feature = "tokio1-rustls-tls",
+    feature = "tokio1-rustls",
     feature = "tokio1-boring-tls",
-    feature = "async-std1-rustls-tls"
+    feature = "async-std1-rustls"
 ))]
 use super::InnerTlsParameters;
 use super::TlsParameters;
@@ -44,6 +42,10 @@ use crate::transport::smtp::{error, Error};
 
 /// A network stream
 #[derive(Debug)]
+#[deprecated(
+    since = "0.11.14",
+    note = "This struct was not meant to be made public"
+)]
 pub struct AsyncNetworkStream {
     inner: InnerAsyncNetworkStream,
 }
@@ -74,8 +76,8 @@ enum InnerAsyncNetworkStream {
     #[cfg(feature = "tokio1-native-tls")]
     Tokio1NativeTls(Tokio1TlsStream<Box<dyn AsyncTokioStream>>),
     /// Encrypted Tokio 1.x TCP stream
-    #[cfg(feature = "tokio1-rustls-tls")]
+    #[cfg(feature = "tokio1-rustls")]
-    Tokio1RustlsTls(Tokio1RustlsTlsStream<Box<dyn AsyncTokioStream>>),
+    Tokio1Rustls(Tokio1RustlsStream<Box<dyn AsyncTokioStream>>),
     /// Encrypted Tokio 1.x TCP stream
     #[cfg(feature = "tokio1-boring-tls")]
     Tokio1BoringTls(Tokio1SslStream<Box<dyn AsyncTokioStream>>),
@@ -83,12 +85,13 @@ enum InnerAsyncNetworkStream {
     #[cfg(feature = "async-std1")]
     AsyncStd1Tcp(AsyncStd1TcpStream),
     /// Encrypted Tokio 1.x TCP stream
-    #[cfg(feature = "async-std1-rustls-tls")]
+    #[cfg(feature = "async-std1-rustls")]
-    AsyncStd1RustlsTls(AsyncStd1RustlsTlsStream<AsyncStd1TcpStream>),
+    AsyncStd1Rustls(AsyncStd1RustlsStream<AsyncStd1TcpStream>),
     /// Can't be built
     None,
 }
 
+#[allow(deprecated)]
 impl AsyncNetworkStream {
     fn new(inner: InnerAsyncNetworkStream) -> Self {
         if let InnerAsyncNetworkStream::None = inner {
@@ -107,18 +110,17 @@ impl AsyncNetworkStream {
             InnerAsyncNetworkStream::Tokio1NativeTls(s) => {
                 s.get_ref().get_ref().get_ref().peer_addr()
             }
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(s) => s.get_ref().0.peer_addr(),
+            InnerAsyncNetworkStream::Tokio1Rustls(s) => s.get_ref().0.peer_addr(),
             #[cfg(feature = "tokio1-boring-tls")]
             InnerAsyncNetworkStream::Tokio1BoringTls(s) => s.get_ref().peer_addr(),
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(s) => s.peer_addr(),
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(s) => s.get_ref().0.peer_addr(),
+            InnerAsyncNetworkStream::AsyncStd1Rustls(s) => s.get_ref().0.peer_addr(),
             InnerAsyncNetworkStream::None => {
                 debug_assert!(false, "InnerAsyncNetworkStream::None must never be built");
-                Err(IoError::new(
+                Err(IoError::other(
-                    ErrorKind::Other,
                     "InnerAsyncNetworkStream::None must never be built",
                 ))
             }
@@ -126,11 +128,13 @@ impl AsyncNetworkStream {
     }
 
     #[cfg(feature = "tokio1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "tokio1")))]
     pub fn use_existing_tokio1(stream: Box<dyn AsyncTokioStream>) -> AsyncNetworkStream {
         AsyncNetworkStream::new(InnerAsyncNetworkStream::Tokio1Tcp(stream))
     }
 
     #[cfg(feature = "tokio1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "tokio1")))]
     pub async fn connect_tokio1<T: Tokio1ToSocketAddrs>(
         server: T,
         timeout: Option<Duration>,
@@ -197,6 +201,7 @@ impl AsyncNetworkStream {
     }
 
     #[cfg(feature = "async-std1")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "async-std1")))]
     pub async fn connect_asyncstd1<T: AsyncStd1ToSocketAddrs>(
         server: T,
         timeout: Option<Duration>,
@@ -253,18 +258,18 @@ impl AsyncNetworkStream {
                 feature = "tokio1",
                 not(any(
                     feature = "tokio1-native-tls",
-                    feature = "tokio1-rustls-tls",
+                    feature = "tokio1-rustls",
                     feature = "tokio1-boring-tls"
                 ))
             ))]
             InnerAsyncNetworkStream::Tokio1Tcp(_) => {
                 let _ = tls_parameters;
-                panic!("Trying to upgrade an AsyncNetworkStream without having enabled either the tokio1-native-tls or the tokio1-rustls-tls feature");
+                panic!("Trying to upgrade an AsyncNetworkStream without having enabled either the tokio1-native-tls or the tokio1-rustls feature");
             }
 
             #[cfg(any(
                 feature = "tokio1-native-tls",
-                feature = "tokio1-rustls-tls",
+                feature = "tokio1-rustls",
                 feature = "tokio1-boring-tls"
             ))]
             InnerAsyncNetworkStream::Tokio1Tcp(_) => {
@@ -279,13 +284,13 @@ impl AsyncNetworkStream {
                     .map_err(error::connection)?;
                 Ok(())
             }
-            #[cfg(all(feature = "async-std1", not(feature = "async-std1-rustls-tls")))]
+            #[cfg(all(feature = "async-std1", not(feature = "async-std1-rustls")))]
             InnerAsyncNetworkStream::AsyncStd1Tcp(_) => {
                 let _ = tls_parameters;
-                panic!("Trying to upgrade an AsyncNetworkStream without having enabled the async-std1-rustls-tls feature");
+                panic!("Trying to upgrade an AsyncNetworkStream without having enabled the async-std1-rustls feature");
             }
 
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(_) => {
                 // get owned TcpStream
                 let tcp_stream = mem::replace(&mut self.inner, InnerAsyncNetworkStream::None);
@@ -305,18 +310,16 @@ impl AsyncNetworkStream {
     #[allow(unused_variables)]
     #[cfg(any(
         feature = "tokio1-native-tls",
-        feature = "tokio1-rustls-tls",
+        feature = "tokio1-rustls",
         feature = "tokio1-boring-tls"
     ))]
     async fn upgrade_tokio1_tls(
         tcp_stream: Box<dyn AsyncTokioStream>,
         tls_parameters: TlsParameters,
     ) -> Result<InnerAsyncNetworkStream, Error> {
-        let domain = tls_parameters.domain().to_owned();
+        match tls_parameters.inner {
-
-        match tls_parameters.connector {
             #[cfg(feature = "native-tls")]
-            InnerTlsParameters::NativeTls(connector) => {
+            InnerTlsParameters::NativeTls(inner) => {
                 #[cfg(not(feature = "tokio1-native-tls"))]
                 panic!("built without the tokio1-native-tls feature");
 
@@ -324,45 +327,42 @@ impl AsyncNetworkStream {
                 return {
                     use tokio1_native_tls_crate::TlsConnector;
 
-                    let connector = TlsConnector::from(connector);
+                    let connector = TlsConnector::from(inner.connector);
                     let stream = connector
-                        .connect(&domain, tcp_stream)
+                        .connect(&inner.server_name, tcp_stream)
                         .await
                         .map_err(error::connection)?;
                     Ok(InnerAsyncNetworkStream::Tokio1NativeTls(stream))
                 };
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerTlsParameters::RustlsTls(config) => {
+            InnerTlsParameters::Rustls(inner) => {
-                #[cfg(not(feature = "tokio1-rustls-tls"))]
+                #[cfg(not(feature = "tokio1-rustls"))]
-                panic!("built without the tokio1-rustls-tls feature");
+                panic!("built without the tokio1-rustls feature");
 
-                #[cfg(feature = "tokio1-rustls-tls")]
+                #[cfg(feature = "tokio1-rustls")]
                 return {
                     use tokio1_rustls::TlsConnector;
 
-                    let domain = ServerName::try_from(domain.as_str())
+                    let connector = TlsConnector::from(inner.connector);
-                        .map_err(|_| error::connection("domain isn't a valid DNS name"))?;
-
-                    let connector = TlsConnector::from(config);
                     let stream = connector
-                        .connect(domain.to_owned(), tcp_stream)
+                        .connect(inner.server_name.inner(), tcp_stream)
                         .await
                         .map_err(error::connection)?;
-                    Ok(InnerAsyncNetworkStream::Tokio1RustlsTls(stream))
+                    Ok(InnerAsyncNetworkStream::Tokio1Rustls(stream))
                 };
             }
             #[cfg(feature = "boring-tls")]
-            InnerTlsParameters::BoringTls(connector) => {
+            InnerTlsParameters::BoringTls(inner) => {
                 #[cfg(not(feature = "tokio1-boring-tls"))]
                 panic!("built without the tokio1-boring-tls feature");
 
                 #[cfg(feature = "tokio1-boring-tls")]
                 return {
-                    let mut config = connector.configure().map_err(error::connection)?;
+                    let mut config = inner.connector.configure().map_err(error::connection)?;
-                    config.set_verify_hostname(tls_parameters.accept_invalid_hostnames);
+                    config.set_verify_hostname(inner.extra_info.accept_invalid_hostnames);
 
-                    let stream = tokio1_boring::connect(config, &domain, tcp_stream)
+                    let stream = tokio1_boring::connect(config, &inner.server_name, tcp_stream)
                         .await
                         .map_err(error::connection)?;
                     Ok(InnerAsyncNetworkStream::Tokio1BoringTls(stream))
@@ -372,40 +372,35 @@ impl AsyncNetworkStream {
     }
 
     #[allow(unused_variables)]
-    #[cfg(feature = "async-std1-rustls-tls")]
+    #[cfg(feature = "async-std1-rustls")]
     async fn upgrade_asyncstd1_tls(
         tcp_stream: AsyncStd1TcpStream,
-        mut tls_parameters: TlsParameters,
+        tls_parameters: TlsParameters,
     ) -> Result<InnerAsyncNetworkStream, Error> {
-        let domain = mem::take(&mut tls_parameters.domain);
+        match tls_parameters.inner {
-
-        match tls_parameters.connector {
             #[cfg(feature = "native-tls")]
-            InnerTlsParameters::NativeTls(connector) => {
+            InnerTlsParameters::NativeTls(_) => {
                 panic!("native-tls isn't supported with async-std yet. See https://github.com/lettre/lettre/pull/531#issuecomment-757893531");
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerTlsParameters::RustlsTls(config) => {
+            InnerTlsParameters::Rustls(inner) => {
-                #[cfg(not(feature = "async-std1-rustls-tls"))]
+                #[cfg(not(feature = "async-std1-rustls"))]
-                panic!("built without the async-std1-rustls-tls feature");
+                panic!("built without the async-std1-rustls feature");
 
-                #[cfg(feature = "async-std1-rustls-tls")]
+                #[cfg(feature = "async-std1-rustls")]
                 return {
                     use futures_rustls::TlsConnector;
 
-                    let domain = ServerName::try_from(domain.as_str())
+                    let connector = TlsConnector::from(inner.connector);
-                        .map_err(|_| error::connection("domain isn't a valid DNS name"))?;
-
-                    let connector = TlsConnector::from(config);
                     let stream = connector
-                        .connect(domain.to_owned(), tcp_stream)
+                        .connect(inner.server_name.inner(), tcp_stream)
                         .await
                         .map_err(error::connection)?;
-                    Ok(InnerAsyncNetworkStream::AsyncStd1RustlsTls(stream))
+                    Ok(InnerAsyncNetworkStream::AsyncStd1Rustls(stream))
                 };
             }
             #[cfg(feature = "boring-tls")]
-            InnerTlsParameters::BoringTls(connector) => {
+            InnerTlsParameters::BoringTls(_inner) => {
                 panic!("boring-tls isn't supported with async-std yet.");
             }
         }
@@ -417,18 +412,44 @@ impl AsyncNetworkStream {
             InnerAsyncNetworkStream::Tokio1Tcp(_) => false,
             #[cfg(feature = "tokio1-native-tls")]
             InnerAsyncNetworkStream::Tokio1NativeTls(_) => true,
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(_) => true,
+            InnerAsyncNetworkStream::Tokio1Rustls(_) => true,
             #[cfg(feature = "tokio1-boring-tls")]
             InnerAsyncNetworkStream::Tokio1BoringTls(_) => true,
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(_) => false,
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(_) => true,
+            InnerAsyncNetworkStream::AsyncStd1Rustls(_) => true,
             InnerAsyncNetworkStream::None => false,
         }
     }
 
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn tls_verify_result(&self) -> Result<(), Error> {
+        match &self.inner {
+            #[cfg(feature = "tokio1")]
+            InnerAsyncNetworkStream::Tokio1Tcp(_) => {
+                Err(error::client("Connection is not encrypted"))
+            }
+            #[cfg(feature = "tokio1-native-tls")]
+            InnerAsyncNetworkStream::Tokio1NativeTls(_) => panic!("Unsupported"),
+            #[cfg(feature = "tokio1-rustls")]
+            InnerAsyncNetworkStream::Tokio1Rustls(_) => panic!("Unsupported"),
+            #[cfg(feature = "tokio1-boring-tls")]
+            InnerAsyncNetworkStream::Tokio1BoringTls(stream) => {
+                stream.ssl().verify_result().map_err(error::tls)
+            }
+            #[cfg(feature = "async-std1")]
+            InnerAsyncNetworkStream::AsyncStd1Tcp(_) => {
+                Err(error::client("Connection is not encrypted"))
+            }
+            #[cfg(feature = "async-std1-rustls")]
+            InnerAsyncNetworkStream::AsyncStd1Rustls(_) => panic!("Unsupported"),
+            InnerAsyncNetworkStream::None => panic!("InnerNetworkStream::None must never be built"),
+        }
+    }
+
     pub fn certificate_chain(&self) -> Result<Vec<Vec<u8>>, Error> {
         match &self.inner {
             #[cfg(feature = "tokio1")]
@@ -437,8 +458,8 @@ impl AsyncNetworkStream {
             }
             #[cfg(feature = "tokio1-native-tls")]
             InnerAsyncNetworkStream::Tokio1NativeTls(_) => panic!("Unsupported"),
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(stream) => Ok(stream
+            InnerAsyncNetworkStream::Tokio1Rustls(stream) => Ok(stream
                 .get_ref()
                 .1
                 .peer_certificates()
@@ -458,8 +479,8 @@ impl AsyncNetworkStream {
             InnerAsyncNetworkStream::AsyncStd1Tcp(_) => {
                 Err(error::client("Connection is not encrypted"))
             }
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(stream) => Ok(stream
+            InnerAsyncNetworkStream::AsyncStd1Rustls(stream) => Ok(stream
                 .get_ref()
                 .1
                 .peer_certificates()
@@ -485,8 +506,8 @@ impl AsyncNetworkStream {
                 .unwrap()
                 .to_der()
                 .map_err(error::tls)?),
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(stream) => Ok(stream
+            InnerAsyncNetworkStream::Tokio1Rustls(stream) => Ok(stream
                 .get_ref()
                 .1
                 .peer_certificates()
@@ -505,8 +526,8 @@ impl AsyncNetworkStream {
             InnerAsyncNetworkStream::AsyncStd1Tcp(_) => {
                 Err(error::client("Connection is not encrypted"))
             }
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(stream) => Ok(stream
+            InnerAsyncNetworkStream::AsyncStd1Rustls(stream) => Ok(stream
                 .get_ref()
                 .1
                 .peer_certificates()
@@ -519,6 +540,7 @@ impl AsyncNetworkStream {
     }
 }
 
+#[allow(deprecated)]
 impl FuturesAsyncRead for AsyncNetworkStream {
     fn poll_read(
         mut self: Pin<&mut Self>,
@@ -544,8 +566,8 @@ impl FuturesAsyncRead for AsyncNetworkStream {
                     Poll::Pending => Poll::Pending,
                 }
             }
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(s) => {
+            InnerAsyncNetworkStream::Tokio1Rustls(s) => {
                 let mut b = Tokio1ReadBuf::new(buf);
                 match Pin::new(s).poll_read(cx, &mut b) {
                     Poll::Ready(Ok(())) => Poll::Ready(Ok(b.filled().len())),
@@ -564,8 +586,8 @@ impl FuturesAsyncRead for AsyncNetworkStream {
             }
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(s) => Pin::new(s).poll_read(cx, buf),
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(s) => Pin::new(s).poll_read(cx, buf),
+            InnerAsyncNetworkStream::AsyncStd1Rustls(s) => Pin::new(s).poll_read(cx, buf),
             InnerAsyncNetworkStream::None => {
                 debug_assert!(false, "InnerAsyncNetworkStream::None must never be built");
                 Poll::Ready(Ok(0))
@@ -574,6 +596,7 @@ impl FuturesAsyncRead for AsyncNetworkStream {
     }
 }
 
+#[allow(deprecated)]
 impl FuturesAsyncWrite for AsyncNetworkStream {
     fn poll_write(
         mut self: Pin<&mut Self>,
@@ -585,14 +608,14 @@ impl FuturesAsyncWrite for AsyncNetworkStream {
             InnerAsyncNetworkStream::Tokio1Tcp(s) => Pin::new(s).poll_write(cx, buf),
             #[cfg(feature = "tokio1-native-tls")]
             InnerAsyncNetworkStream::Tokio1NativeTls(s) => Pin::new(s).poll_write(cx, buf),
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(s) => Pin::new(s).poll_write(cx, buf),
+            InnerAsyncNetworkStream::Tokio1Rustls(s) => Pin::new(s).poll_write(cx, buf),
             #[cfg(feature = "tokio1-boring-tls")]
             InnerAsyncNetworkStream::Tokio1BoringTls(s) => Pin::new(s).poll_write(cx, buf),
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(s) => Pin::new(s).poll_write(cx, buf),
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(s) => Pin::new(s).poll_write(cx, buf),
+            InnerAsyncNetworkStream::AsyncStd1Rustls(s) => Pin::new(s).poll_write(cx, buf),
             InnerAsyncNetworkStream::None => {
                 debug_assert!(false, "InnerAsyncNetworkStream::None must never be built");
                 Poll::Ready(Ok(0))
@@ -606,14 +629,14 @@ impl FuturesAsyncWrite for AsyncNetworkStream {
             InnerAsyncNetworkStream::Tokio1Tcp(s) => Pin::new(s).poll_flush(cx),
             #[cfg(feature = "tokio1-native-tls")]
             InnerAsyncNetworkStream::Tokio1NativeTls(s) => Pin::new(s).poll_flush(cx),
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(s) => Pin::new(s).poll_flush(cx),
+            InnerAsyncNetworkStream::Tokio1Rustls(s) => Pin::new(s).poll_flush(cx),
             #[cfg(feature = "tokio1-boring-tls")]
             InnerAsyncNetworkStream::Tokio1BoringTls(s) => Pin::new(s).poll_flush(cx),
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(s) => Pin::new(s).poll_flush(cx),
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(s) => Pin::new(s).poll_flush(cx),
+            InnerAsyncNetworkStream::AsyncStd1Rustls(s) => Pin::new(s).poll_flush(cx),
             InnerAsyncNetworkStream::None => {
                 debug_assert!(false, "InnerAsyncNetworkStream::None must never be built");
                 Poll::Ready(Ok(()))
@@ -627,14 +650,14 @@ impl FuturesAsyncWrite for AsyncNetworkStream {
             InnerAsyncNetworkStream::Tokio1Tcp(s) => Pin::new(s).poll_shutdown(cx),
             #[cfg(feature = "tokio1-native-tls")]
             InnerAsyncNetworkStream::Tokio1NativeTls(s) => Pin::new(s).poll_shutdown(cx),
-            #[cfg(feature = "tokio1-rustls-tls")]
+            #[cfg(feature = "tokio1-rustls")]
-            InnerAsyncNetworkStream::Tokio1RustlsTls(s) => Pin::new(s).poll_shutdown(cx),
+            InnerAsyncNetworkStream::Tokio1Rustls(s) => Pin::new(s).poll_shutdown(cx),
             #[cfg(feature = "tokio1-boring-tls")]
             InnerAsyncNetworkStream::Tokio1BoringTls(s) => Pin::new(s).poll_shutdown(cx),
             #[cfg(feature = "async-std1")]
             InnerAsyncNetworkStream::AsyncStd1Tcp(s) => Pin::new(s).poll_close(cx),
-            #[cfg(feature = "async-std1-rustls-tls")]
+            #[cfg(feature = "async-std1-rustls")]
-            InnerAsyncNetworkStream::AsyncStd1RustlsTls(s) => Pin::new(s).poll_close(cx),
+            InnerAsyncNetworkStream::AsyncStd1Rustls(s) => Pin::new(s).poll_close(cx),
             InnerAsyncNetworkStream::None => {
                 debug_assert!(false, "InnerAsyncNetworkStream::None must never be built");
                 Poll::Ready(Ok(()))

src/transport/smtp/client/connection.rs

@@ -143,7 +143,7 @@ impl SmtpConnection {
         hello_name: &ClientId,
     ) -> Result<(), Error> {
         if self.server_info.supports_feature(Extension::StartTls) {
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
             {
                 try_smtp!(self.command(Starttls), self);
                 self.stream.get_mut().upgrade_tls(tls_parameters)?;
@@ -153,11 +153,7 @@ impl SmtpConnection {
                 try_smtp!(self.ehlo(hello_name), self);
                 Ok(())
             }
-            #[cfg(not(any(
+            #[cfg(not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))]
-                feature = "native-tls",
-                feature = "rustls-tls",
-                feature = "boring-tls"
-            )))]
             // This should never happen as `Tls` can only be created
             // when a TLS library is enabled
             unreachable!("TLS support required but not supported");
@@ -303,13 +299,35 @@ impl SmtpConnection {
     }
 
     /// The X509 certificate of the server (DER encoded)
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
     pub fn peer_certificate(&self) -> Result<Vec<u8>, Error> {
         self.stream.get_ref().peer_certificate()
     }
 
+    /// Currently this is only avaialable when using Boring TLS and
+    /// returns the result of the verification of the TLS certificate
+    /// presented by the peer, if any. Only the last error encountered
+    /// during verification is presented.
+    /// It can be useful when you don't want to fail outright the TLS
+    /// negotiation, for example when a self-signed certificate is
+    /// encountered, but still want to record metrics or log the fact.
+    /// When using DANE verification, the PKI root of trust moves from
+    /// the CAs to DNS, so self-signed certificates are permitted as long
+    /// as the TLSA records match the leaf or issuer certificates.
+    /// It cannot be called on non Boring TLS streams.
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn tls_verify_result(&self) -> Result<(), Error> {
+        self.stream.get_ref().tls_verify_result()
+    }
+
     /// All the X509 certificates of the chain (DER encoded)
-    #[cfg(any(feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "rustls", feature = "boring-tls"))))]
     pub fn certificate_chain(&self) -> Result<Vec<Vec<u8>>, Error> {
         self.stream.get_ref().certificate_chain()
     }

src/transport/smtp/client/mod.rs

@@ -28,17 +28,20 @@ use std::fmt::Debug;
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
 pub use self::async_connection::AsyncSmtpConnection;
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
+#[allow(deprecated)]
 pub use self::async_net::AsyncNetworkStream;
 #[cfg(feature = "tokio1")]
 pub use self::async_net::AsyncTokioStream;
 use self::net::NetworkStream;
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
-pub(super) use self::tls::InnerTlsParameters;
+pub(super) use self::tls::current::InnerTlsParameters;
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
-pub use self::tls::TlsVersion;
+pub use self::tls::current::TlsVersion;
 pub use self::{
     connection::SmtpConnection,
-    tls::{Certificate, CertificateStore, Identity, Tls, TlsParameters, TlsParametersBuilder},
+    tls::current::{
+        Certificate, CertificateStore, Identity, Tls, TlsParameters, TlsParametersBuilder,
+    },
 };
 
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
@@ -57,7 +60,7 @@ struct ClientCodec {
 
 impl ClientCodec {
     /// Creates a new client codec
-    pub fn new() -> Self {
+    pub(crate) fn new() -> Self {
         Self {
             status: CodecStatus::StartOfNewLine,
         }

src/transport/smtp/client/net.rs

@@ -1,4 +1,4 @@
-#[cfg(feature = "rustls-tls")]
+#[cfg(feature = "rustls")]
 use std::sync::Arc;
 use std::{
     io::{self, Read, Write},
@@ -11,11 +11,11 @@ use std::{
 use boring::ssl::SslStream;
 #[cfg(feature = "native-tls")]
 use native_tls::TlsStream;
-#[cfg(feature = "rustls-tls")]
+#[cfg(feature = "rustls")]
-use rustls::{pki_types::ServerName, ClientConnection, StreamOwned};
+use rustls::{ClientConnection, StreamOwned};
 use socket2::{Domain, Protocol, Type};
 
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
 use super::InnerTlsParameters;
 use super::TlsParameters;
 use crate::transport::smtp::{error, Error};
@@ -36,8 +36,8 @@ enum InnerNetworkStream {
     #[cfg(feature = "native-tls")]
     NativeTls(TlsStream<TcpStream>),
     /// Encrypted TCP stream
-    #[cfg(feature = "rustls-tls")]
+    #[cfg(feature = "rustls")]
-    RustlsTls(StreamOwned<ClientConnection, TcpStream>),
+    Rustls(StreamOwned<ClientConnection, TcpStream>),
     #[cfg(feature = "boring-tls")]
     BoringTls(SslStream<TcpStream>),
     /// Can't be built
@@ -59,8 +59,8 @@ impl NetworkStream {
             InnerNetworkStream::Tcp(s) => s.peer_addr(),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(s) => s.get_ref().peer_addr(),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(s) => s.get_ref().peer_addr(),
+            InnerNetworkStream::Rustls(s) => s.get_ref().peer_addr(),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(s) => s.get_ref().peer_addr(),
             InnerNetworkStream::None => {
@@ -79,8 +79,8 @@ impl NetworkStream {
             InnerNetworkStream::Tcp(s) => s.shutdown(how),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(s) => s.get_ref().shutdown(how),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(s) => s.get_ref().shutdown(how),
+            InnerNetworkStream::Rustls(s) => s.get_ref().shutdown(how),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(s) => s.get_ref().shutdown(how),
             InnerNetworkStream::None => {
@@ -146,17 +146,13 @@ impl NetworkStream {
 
     pub fn upgrade_tls(&mut self, tls_parameters: &TlsParameters) -> Result<(), Error> {
         match &self.inner {
-            #[cfg(not(any(
+            #[cfg(not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))]
-                feature = "native-tls",
-                feature = "rustls-tls",
-                feature = "boring-tls"
-            )))]
             InnerNetworkStream::Tcp(_) => {
                 let _ = tls_parameters;
-                panic!("Trying to upgrade an NetworkStream without having enabled either the native-tls or the rustls-tls feature");
+                panic!("Trying to upgrade an NetworkStream without having enabled either the `native-tls` or the `rustls` feature");
             }
 
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
             InnerNetworkStream::Tcp(_) => {
                 // get owned TcpStream
                 let tcp_stream = mem::replace(&mut self.inner, InnerNetworkStream::None);
@@ -171,35 +167,38 @@ impl NetworkStream {
         }
     }
 
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     fn upgrade_tls_impl(
         tcp_stream: TcpStream,
         tls_parameters: &TlsParameters,
     ) -> Result<InnerNetworkStream, Error> {
-        Ok(match &tls_parameters.connector {
+        Ok(match &tls_parameters.inner {
             #[cfg(feature = "native-tls")]
-            InnerTlsParameters::NativeTls(connector) => {
+            InnerTlsParameters::NativeTls(inner) => {
-                let stream = connector
+                let stream = inner
-                    .connect(tls_parameters.domain(), tcp_stream)
+                    .connector
+                    .connect(&inner.server_name, tcp_stream)
                     .map_err(error::connection)?;
                 InnerNetworkStream::NativeTls(stream)
             }
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerTlsParameters::RustlsTls(connector) => {
+            InnerTlsParameters::Rustls(inner) => {
-                let domain = ServerName::try_from(tls_parameters.domain())
+                let connection = ClientConnection::new(
-                    .map_err(|_| error::connection("domain isn't a valid DNS name"))?;
+                    Arc::clone(&inner.connector),
-                let connection = ClientConnection::new(Arc::clone(connector), domain.to_owned())
+                    inner.server_name.inner_ref().clone(),
-                    .map_err(error::connection)?;
+                )
+                .map_err(error::connection)?;
                 let stream = StreamOwned::new(connection, tcp_stream);
-                InnerNetworkStream::RustlsTls(stream)
+                InnerNetworkStream::Rustls(stream)
             }
             #[cfg(feature = "boring-tls")]
-            InnerTlsParameters::BoringTls(connector) => {
+            InnerTlsParameters::BoringTls(inner) => {
-                let stream = connector
+                let stream = inner
+                    .connector
                     .configure()
                     .map_err(error::connection)?
-                    .verify_hostname(tls_parameters.accept_invalid_hostnames)
+                    .verify_hostname(inner.extra_info.accept_invalid_hostnames)
-                    .connect(tls_parameters.domain(), tcp_stream)
+                    .connect(&inner.server_name, tcp_stream)
                     .map_err(error::connection)?;
                 InnerNetworkStream::BoringTls(stream)
             }
@@ -211,8 +210,8 @@ impl NetworkStream {
             InnerNetworkStream::Tcp(_) => false,
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(_) => true,
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(_) => true,
+            InnerNetworkStream::Rustls(_) => true,
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(_) => true,
             InnerNetworkStream::None => {
@@ -222,14 +221,32 @@ impl NetworkStream {
         }
     }
 
-    #[cfg(any(feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn tls_verify_result(&self) -> Result<(), Error> {
+        match &self.inner {
+            InnerNetworkStream::Tcp(_) => Err(error::client("Connection is not encrypted")),
+            #[cfg(feature = "native-tls")]
+            InnerNetworkStream::NativeTls(_) => panic!("Unsupported"),
+            #[cfg(feature = "rustls")]
+            InnerNetworkStream::Rustls(_) => panic!("Unsupported"),
+            #[cfg(feature = "boring-tls")]
+            InnerNetworkStream::BoringTls(stream) => {
+                stream.ssl().verify_result().map_err(error::tls)
+            }
+            InnerNetworkStream::None => panic!("InnerNetworkStream::None must never be built"),
+        }
+    }
+
+    #[cfg(any(feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(docsrs, doc(cfg(any(feature = "rustls", feature = "boring-tls"))))]
     pub fn certificate_chain(&self) -> Result<Vec<Vec<u8>>, Error> {
         match &self.inner {
             InnerNetworkStream::Tcp(_) => Err(error::client("Connection is not encrypted")),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(_) => panic!("Unsupported"),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(stream) => Ok(stream
+            InnerNetworkStream::Rustls(stream) => Ok(stream
                 .conn
                 .peer_certificates()
                 .unwrap()
@@ -248,7 +265,11 @@ impl NetworkStream {
         }
     }
 
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
     pub fn peer_certificate(&self) -> Result<Vec<u8>, Error> {
         match &self.inner {
             InnerNetworkStream::Tcp(_) => Err(error::client("Connection is not encrypted")),
@@ -259,8 +280,8 @@ impl NetworkStream {
                 .unwrap()
                 .to_der()
                 .map_err(error::tls)?),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(stream) => Ok(stream
+            InnerNetworkStream::Rustls(stream) => Ok(stream
                 .conn
                 .peer_certificates()
                 .unwrap()
@@ -283,8 +304,8 @@ impl NetworkStream {
             InnerNetworkStream::Tcp(stream) => stream.set_read_timeout(duration),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(stream) => stream.get_ref().set_read_timeout(duration),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(stream) => stream.get_ref().set_read_timeout(duration),
+            InnerNetworkStream::Rustls(stream) => stream.get_ref().set_read_timeout(duration),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(stream) => stream.get_ref().set_read_timeout(duration),
             InnerNetworkStream::None => {
@@ -301,8 +322,8 @@ impl NetworkStream {
 
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(stream) => stream.get_ref().set_write_timeout(duration),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(stream) => stream.get_ref().set_write_timeout(duration),
+            InnerNetworkStream::Rustls(stream) => stream.get_ref().set_write_timeout(duration),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(stream) => stream.get_ref().set_write_timeout(duration),
             InnerNetworkStream::None => {
@@ -319,8 +340,8 @@ impl Read for NetworkStream {
             InnerNetworkStream::Tcp(s) => s.read(buf),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(s) => s.read(buf),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(s) => s.read(buf),
+            InnerNetworkStream::Rustls(s) => s.read(buf),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(s) => s.read(buf),
             InnerNetworkStream::None => {
@@ -337,8 +358,8 @@ impl Write for NetworkStream {
             InnerNetworkStream::Tcp(s) => s.write(buf),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(s) => s.write(buf),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(s) => s.write(buf),
+            InnerNetworkStream::Rustls(s) => s.write(buf),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(s) => s.write(buf),
             InnerNetworkStream::None => {
@@ -353,8 +374,8 @@ impl Write for NetworkStream {
             InnerNetworkStream::Tcp(s) => s.flush(),
             #[cfg(feature = "native-tls")]
             InnerNetworkStream::NativeTls(s) => s.flush(),
-            #[cfg(feature = "rustls-tls")]
+            #[cfg(feature = "rustls")]
-            InnerNetworkStream::RustlsTls(s) => s.flush(),
+            InnerNetworkStream::Rustls(s) => s.flush(),
             #[cfg(feature = "boring-tls")]
             InnerNetworkStream::BoringTls(s) => s.flush(),
             InnerNetworkStream::None => {

src/transport/smtp/client/tls.rs

@@ -1,753 +0,0 @@
-use std::fmt::{self, Debug};
-#[cfg(feature = "rustls-tls")]
-use std::{io, sync::Arc};
-
-#[cfg(feature = "boring-tls")]
-use boring::{
-    pkey::PKey,
-    ssl::{SslConnector, SslVersion},
-    x509::store::X509StoreBuilder,
-};
-#[cfg(feature = "native-tls")]
-use native_tls::{Protocol, TlsConnector};
-#[cfg(feature = "rustls-tls")]
-use rustls::{
-    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
-    crypto::WebPkiSupportedAlgorithms,
-    crypto::{verify_tls12_signature, verify_tls13_signature},
-    pki_types::{CertificateDer, PrivateKeyDer, ServerName, UnixTime},
-    server::ParsedCertificate,
-    ClientConfig, DigitallySignedStruct, Error as TlsError, RootCertStore, SignatureScheme,
-};
-
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-use crate::transport::smtp::{error, Error};
-
-/// TLS protocol versions.
-#[derive(Debug, Copy, Clone)]
-#[non_exhaustive]
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-pub enum TlsVersion {
-    /// TLS 1.0
-    ///
-    /// Should only be used when trying to support legacy
-    /// SMTP servers that haven't updated to
-    /// at least TLS 1.2 yet.
-    ///
-    /// Supported by `native-tls` and `boring-tls`.
-    Tlsv10,
-    /// TLS 1.1
-    ///
-    /// Should only be used when trying to support legacy
-    /// SMTP servers that haven't updated to
-    /// at least TLS 1.2 yet.
-    ///
-    /// Supported by `native-tls` and `boring-tls`.
-    Tlsv11,
-    /// TLS 1.2
-    ///
-    /// A good option for most SMTP servers.
-    ///
-    /// Supported by all TLS backends.
-    Tlsv12,
-    /// TLS 1.3
-    ///
-    /// The most secure option, although not supported by all SMTP servers.
-    ///
-    /// Although it is technically supported by all TLS backends,
-    /// trying to set it for `native-tls` will give a runtime error.
-    Tlsv13,
-}
-
-/// Specifies how to establish a TLS connection
-///
-/// TLDR: Use [`Tls::Wrapper`] or [`Tls::Required`] when
-/// connecting to a remote server, [`Tls::None`] when
-/// connecting to a local server.
-#[derive(Clone)]
-#[allow(missing_copy_implementations)]
-pub enum Tls {
-    /// Insecure (plaintext) connection only.
-    ///
-    /// This option **always** uses a plaintext connection and should only
-    /// be used for trusted local relays. It is **highly discouraged**
-    /// for remote servers, as it exposes credentials and emails to potential
-    /// interception.
-    ///
-    /// Note: Servers requiring credentials or emails to be sent over TLS
-    /// may reject connections when this option is used.
-    None,
-    /// Begin with a plaintext connection and attempt to use `STARTTLS` if available.
-    ///
-    /// lettre will try to upgrade to a TLS-secured connection but will fall back
-    /// to plaintext if the server does not support TLS. This option is provided for
-    /// compatibility but is **strongly discouraged**, as it exposes connections to
-    /// potential MITM (man-in-the-middle) attacks.
-    ///
-    /// Warning: A malicious intermediary could intercept the `STARTTLS` flag,
-    /// causing lettre to believe the server only supports plaintext connections.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    Opportunistic(TlsParameters),
-    /// Begin with a plaintext connection and require `STARTTLS` for security.
-    ///
-    /// lettre will upgrade plaintext TCP connections to TLS before transmitting
-    /// any sensitive data. If the server does not support TLS, the connection
-    /// attempt will fail, ensuring no credentials or emails are sent in plaintext.
-    ///
-    /// Unlike [`Tls::Opportunistic`], this option is secure against MITM attacks.
-    /// For optimal security and performance, consider using [`Tls::Wrapper`] instead,
-    /// as it requires fewer roundtrips to establish a secure connection.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    Required(TlsParameters),
-    /// Establish a connection wrapped in TLS from the start.
-    ///
-    /// lettre connects to the server and immediately performs a TLS handshake.
-    /// If the handshake fails, the connection attempt is aborted without
-    /// transmitting any sensitive data.
-    ///
-    /// This is the fastest and most secure option for establishing a connection.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    Wrapper(TlsParameters),
-}
-
-impl Debug for Tls {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match &self {
-            Self::None => f.pad("None"),
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-            Self::Opportunistic(_) => f.pad("Opportunistic"),
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-            Self::Required(_) => f.pad("Required"),
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-            Self::Wrapper(_) => f.pad("Wrapper"),
-        }
-    }
-}
-
-/// Source for the base set of root certificates to trust.
-#[allow(missing_copy_implementations)]
-#[derive(Clone, Debug, Default)]
-pub enum CertificateStore {
-    /// Use the default for the TLS backend.
-    ///
-    /// For native-tls, this will use the system certificate store on Windows, the keychain on
-    /// macOS, and OpenSSL directories on Linux (usually `/etc/ssl`).
-    ///
-    /// For rustls, this will also use the system store if the `rustls-native-certs` feature is
-    /// enabled, or will fall back to `webpki-roots`.
-    ///
-    /// The boring-tls backend uses the same logic as OpenSSL on all platforms.
-    #[default]
-    Default,
-    /// Use a hardcoded set of Mozilla roots via the `webpki-roots` crate.
-    ///
-    /// This option is only available in the rustls backend.
-    #[cfg(feature = "rustls-tls")]
-    WebpkiRoots,
-    /// Don't use any system certificates.
-    None,
-}
-
-/// Parameters to use for secure clients
-#[derive(Clone)]
-pub struct TlsParameters {
-    pub(crate) connector: InnerTlsParameters,
-    /// The domain name which is expected in the TLS certificate from the server
-    pub(super) domain: String,
-    #[cfg(feature = "boring-tls")]
-    pub(super) accept_invalid_hostnames: bool,
-}
-
-/// Builder for `TlsParameters`
-#[derive(Debug, Clone)]
-pub struct TlsParametersBuilder {
-    domain: String,
-    cert_store: CertificateStore,
-    root_certs: Vec<Certificate>,
-    identity: Option<Identity>,
-    accept_invalid_hostnames: bool,
-    accept_invalid_certs: bool,
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    min_tls_version: TlsVersion,
-}
-
-impl TlsParametersBuilder {
-    /// Creates a new builder for `TlsParameters`
-    pub fn new(domain: String) -> Self {
-        Self {
-            domain,
-            cert_store: CertificateStore::Default,
-            root_certs: Vec::new(),
-            identity: None,
-            accept_invalid_hostnames: false,
-            accept_invalid_certs: false,
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-            min_tls_version: TlsVersion::Tlsv12,
-        }
-    }
-
-    /// Set the source for the base set of root certificates to trust.
-    pub fn certificate_store(mut self, cert_store: CertificateStore) -> Self {
-        self.cert_store = cert_store;
-        self
-    }
-
-    /// Add a custom root certificate
-    ///
-    /// Can be used to safely connect to a server using a self-signed certificate, for example.
-    pub fn add_root_certificate(mut self, cert: Certificate) -> Self {
-        self.root_certs.push(cert);
-        self
-    }
-
-    /// Add a client certificate
-    ///
-    /// Can be used to configure a client certificate to present to the server.
-    pub fn identify_with(mut self, identity: Identity) -> Self {
-        self.identity = Some(identity);
-        self
-    }
-
-    /// Controls whether certificates with an invalid hostname are accepted
-    ///
-    /// Defaults to `false`.
-    ///
-    /// # Warning
-    ///
-    /// You should think very carefully before using this method.
-    /// If hostname verification is disabled *any* valid certificate,
-    /// including those from other sites, are trusted.
-    ///
-    /// This method introduces significant vulnerabilities to man-in-the-middle attacks.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    pub fn dangerous_accept_invalid_hostnames(mut self, accept_invalid_hostnames: bool) -> Self {
-        self.accept_invalid_hostnames = accept_invalid_hostnames;
-        self
-    }
-
-    /// Controls which minimum TLS version is allowed
-    ///
-    /// Defaults to [`Tlsv12`][TlsVersion::Tlsv12].
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    pub fn set_min_tls_version(mut self, min_tls_version: TlsVersion) -> Self {
-        self.min_tls_version = min_tls_version;
-        self
-    }
-
-    /// Controls whether invalid certificates are accepted
-    ///
-    /// Defaults to `false`.
-    ///
-    /// # Warning
-    ///
-    /// You should think very carefully before using this method.
-    /// If certificate verification is disabled, *any* certificate
-    /// is trusted for use, including:
-    ///
-    /// * Self signed certificates
-    /// * Certificates from different hostnames
-    /// * Expired certificates
-    ///
-    /// This method should only be used as a last resort, as it introduces
-    /// significant vulnerabilities to man-in-the-middle attacks.
-    pub fn dangerous_accept_invalid_certs(mut self, accept_invalid_certs: bool) -> Self {
-        self.accept_invalid_certs = accept_invalid_certs;
-        self
-    }
-
-    /// Creates a new `TlsParameters` using native-tls, boring-tls or rustls
-    /// depending on which one is available
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    pub fn build(self) -> Result<TlsParameters, Error> {
-        #[cfg(feature = "rustls-tls")]
-        return self.build_rustls();
-        #[cfg(all(not(feature = "rustls-tls"), feature = "native-tls"))]
-        return self.build_native();
-        #[cfg(all(not(feature = "rustls-tls"), feature = "boring-tls"))]
-        return self.build_boring();
-    }
-
-    /// Creates a new `TlsParameters` using native-tls with the provided configuration
-    #[cfg(feature = "native-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
-    pub fn build_native(self) -> Result<TlsParameters, Error> {
-        let mut tls_builder = TlsConnector::builder();
-
-        match self.cert_store {
-            CertificateStore::Default => {}
-            CertificateStore::None => {
-                tls_builder.disable_built_in_roots(true);
-            }
-            #[allow(unreachable_patterns)]
-            other => {
-                return Err(error::tls(format!(
-                    "{other:?} is not supported in native tls"
-                )))
-            }
-        }
-        for cert in self.root_certs {
-            tls_builder.add_root_certificate(cert.native_tls);
-        }
-        tls_builder.danger_accept_invalid_hostnames(self.accept_invalid_hostnames);
-        tls_builder.danger_accept_invalid_certs(self.accept_invalid_certs);
-
-        let min_tls_version = match self.min_tls_version {
-            TlsVersion::Tlsv10 => Protocol::Tlsv10,
-            TlsVersion::Tlsv11 => Protocol::Tlsv11,
-            TlsVersion::Tlsv12 => Protocol::Tlsv12,
-            TlsVersion::Tlsv13 => {
-                return Err(error::tls(
-                    "min tls version Tlsv13 not supported in native tls",
-                ))
-            }
-        };
-
-        tls_builder.min_protocol_version(Some(min_tls_version));
-        if let Some(identity) = self.identity {
-            tls_builder.identity(identity.native_tls);
-        }
-
-        let connector = tls_builder.build().map_err(error::tls)?;
-        Ok(TlsParameters {
-            connector: InnerTlsParameters::NativeTls(connector),
-            domain: self.domain,
-            #[cfg(feature = "boring-tls")]
-            accept_invalid_hostnames: self.accept_invalid_hostnames,
-        })
-    }
-
-    /// Creates a new `TlsParameters` using boring-tls with the provided configuration
-    #[cfg(feature = "boring-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
-    pub fn build_boring(self) -> Result<TlsParameters, Error> {
-        use boring::ssl::{SslMethod, SslVerifyMode};
-
-        let mut tls_builder = SslConnector::builder(SslMethod::tls_client()).map_err(error::tls)?;
-
-        if self.accept_invalid_certs {
-            tls_builder.set_verify(SslVerifyMode::NONE);
-        } else {
-            match self.cert_store {
-                CertificateStore::Default => {}
-                CertificateStore::None => {
-                    // Replace the default store with an empty store.
-                    tls_builder
-                        .set_cert_store(X509StoreBuilder::new().map_err(error::tls)?.build());
-                }
-                #[allow(unreachable_patterns)]
-                other => {
-                    return Err(error::tls(format!(
-                        "{other:?} is not supported in boring tls"
-                    )))
-                }
-            }
-
-            let cert_store = tls_builder.cert_store_mut();
-
-            for cert in self.root_certs {
-                cert_store.add_cert(cert.boring_tls).map_err(error::tls)?;
-            }
-        }
-
-        if let Some(identity) = self.identity {
-            tls_builder
-                .set_certificate(identity.boring_tls.0.as_ref())
-                .map_err(error::tls)?;
-            tls_builder
-                .set_private_key(identity.boring_tls.1.as_ref())
-                .map_err(error::tls)?;
-        }
-
-        let min_tls_version = match self.min_tls_version {
-            TlsVersion::Tlsv10 => SslVersion::TLS1,
-            TlsVersion::Tlsv11 => SslVersion::TLS1_1,
-            TlsVersion::Tlsv12 => SslVersion::TLS1_2,
-            TlsVersion::Tlsv13 => SslVersion::TLS1_3,
-        };
-
-        tls_builder
-            .set_min_proto_version(Some(min_tls_version))
-            .map_err(error::tls)?;
-        let connector = tls_builder.build();
-        Ok(TlsParameters {
-            connector: InnerTlsParameters::BoringTls(connector),
-            domain: self.domain,
-            accept_invalid_hostnames: self.accept_invalid_hostnames,
-        })
-    }
-
-    /// Creates a new `TlsParameters` using rustls with the provided configuration
-    #[cfg(feature = "rustls-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
-    pub fn build_rustls(self) -> Result<TlsParameters, Error> {
-        let just_version3 = &[&rustls::version::TLS13];
-        let supported_versions = match self.min_tls_version {
-            TlsVersion::Tlsv10 => {
-                return Err(error::tls("min tls version Tlsv10 not supported in rustls"))
-            }
-            TlsVersion::Tlsv11 => {
-                return Err(error::tls("min tls version Tlsv11 not supported in rustls"))
-            }
-            TlsVersion::Tlsv12 => rustls::ALL_VERSIONS,
-            TlsVersion::Tlsv13 => just_version3,
-        };
-
-        let tls = ClientConfig::builder_with_protocol_versions(supported_versions);
-        let provider = rustls::crypto::CryptoProvider::get_default()
-            .cloned()
-            .unwrap_or_else(|| Arc::new(rustls::crypto::ring::default_provider()));
-
-        // Build TLS config
-        let signature_algorithms = provider.signature_verification_algorithms;
-
-        let mut root_cert_store = RootCertStore::empty();
-
-        #[cfg(feature = "rustls-native-certs")]
-        fn load_native_roots(store: &mut RootCertStore) {
-            let rustls_native_certs::CertificateResult { certs, errors, .. } =
-                rustls_native_certs::load_native_certs();
-            let errors_len = errors.len();
-
-            let (added, ignored) = store.add_parsable_certificates(certs);
-            #[cfg(feature = "tracing")]
-            tracing::debug!(
-                "loaded platform certs with {errors_len} failing to load, {added} valid and {ignored} ignored (invalid) certs"
-            );
-        }
-
-        #[cfg(feature = "rustls-tls")]
-        fn load_webpki_roots(store: &mut RootCertStore) {
-            store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
-        }
-
-        match self.cert_store {
-            CertificateStore::Default => {
-                #[cfg(feature = "rustls-native-certs")]
-                load_native_roots(&mut root_cert_store);
-                #[cfg(not(feature = "rustls-native-certs"))]
-                load_webpki_roots(&mut root_cert_store);
-            }
-            #[cfg(feature = "rustls-tls")]
-            CertificateStore::WebpkiRoots => {
-                load_webpki_roots(&mut root_cert_store);
-            }
-            CertificateStore::None => {}
-        }
-        for cert in self.root_certs {
-            for rustls_cert in cert.rustls {
-                root_cert_store.add(rustls_cert).map_err(error::tls)?;
-            }
-        }
-
-        let tls = if self.accept_invalid_certs || self.accept_invalid_hostnames {
-            let verifier = InvalidCertsVerifier {
-                ignore_invalid_hostnames: self.accept_invalid_hostnames,
-                ignore_invalid_certs: self.accept_invalid_certs,
-                roots: root_cert_store,
-                signature_algorithms,
-            };
-            tls.dangerous()
-                .with_custom_certificate_verifier(Arc::new(verifier))
-        } else {
-            tls.with_root_certificates(root_cert_store)
-        };
-
-        let tls = if let Some(identity) = self.identity {
-            let (client_certificates, private_key) = identity.rustls_tls;
-            tls.with_client_auth_cert(client_certificates, private_key)
-                .map_err(error::tls)?
-        } else {
-            tls.with_no_client_auth()
-        };
-
-        Ok(TlsParameters {
-            connector: InnerTlsParameters::RustlsTls(Arc::new(tls)),
-            domain: self.domain,
-            #[cfg(feature = "boring-tls")]
-            accept_invalid_hostnames: self.accept_invalid_hostnames,
-        })
-    }
-}
-
-#[derive(Clone)]
-#[allow(clippy::enum_variant_names)]
-pub enum InnerTlsParameters {
-    #[cfg(feature = "native-tls")]
-    NativeTls(TlsConnector),
-    #[cfg(feature = "rustls-tls")]
-    RustlsTls(Arc<ClientConfig>),
-    #[cfg(feature = "boring-tls")]
-    BoringTls(SslConnector),
-}
-
-impl TlsParameters {
-    /// Creates a new `TlsParameters` using native-tls or rustls
-    /// depending on which one is available
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-    #[cfg_attr(
-        docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
-    )]
-    pub fn new(domain: String) -> Result<Self, Error> {
-        TlsParametersBuilder::new(domain).build()
-    }
-
-    /// Creates a new `TlsParameters` builder
-    pub fn builder(domain: String) -> TlsParametersBuilder {
-        TlsParametersBuilder::new(domain)
-    }
-
-    /// Creates a new `TlsParameters` using native-tls
-    #[cfg(feature = "native-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
-    pub fn new_native(domain: String) -> Result<Self, Error> {
-        TlsParametersBuilder::new(domain).build_native()
-    }
-
-    /// Creates a new `TlsParameters` using rustls
-    #[cfg(feature = "rustls-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-tls")))]
-    pub fn new_rustls(domain: String) -> Result<Self, Error> {
-        TlsParametersBuilder::new(domain).build_rustls()
-    }
-
-    /// Creates a new `TlsParameters` using boring
-    #[cfg(feature = "boring-tls")]
-    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
-    pub fn new_boring(domain: String) -> Result<Self, Error> {
-        TlsParametersBuilder::new(domain).build_boring()
-    }
-
-    pub fn domain(&self) -> &str {
-        &self.domain
-    }
-}
-
-/// A certificate that can be used with [`TlsParametersBuilder::add_root_certificate`]
-#[derive(Clone)]
-#[allow(missing_copy_implementations)]
-pub struct Certificate {
-    #[cfg(feature = "native-tls")]
-    native_tls: native_tls::Certificate,
-    #[cfg(feature = "rustls-tls")]
-    rustls: Vec<CertificateDer<'static>>,
-    #[cfg(feature = "boring-tls")]
-    boring_tls: boring::x509::X509,
-}
-
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-impl Certificate {
-    /// Create a `Certificate` from a DER encoded certificate
-    pub fn from_der(der: Vec<u8>) -> Result<Self, Error> {
-        #[cfg(feature = "native-tls")]
-        let native_tls_cert = native_tls::Certificate::from_der(&der).map_err(error::tls)?;
-
-        #[cfg(feature = "boring-tls")]
-        let boring_tls_cert = boring::x509::X509::from_der(&der).map_err(error::tls)?;
-
-        Ok(Self {
-            #[cfg(feature = "native-tls")]
-            native_tls: native_tls_cert,
-            #[cfg(feature = "rustls-tls")]
-            rustls: vec![der.into()],
-            #[cfg(feature = "boring-tls")]
-            boring_tls: boring_tls_cert,
-        })
-    }
-
-    /// Create a `Certificate` from a PEM encoded certificate
-    pub fn from_pem(pem: &[u8]) -> Result<Self, Error> {
-        #[cfg(feature = "native-tls")]
-        let native_tls_cert = native_tls::Certificate::from_pem(pem).map_err(error::tls)?;
-
-        #[cfg(feature = "boring-tls")]
-        let boring_tls_cert = boring::x509::X509::from_pem(pem).map_err(error::tls)?;
-
-        #[cfg(feature = "rustls-tls")]
-        let rustls_cert = {
-            use std::io::Cursor;
-
-            let mut pem = Cursor::new(pem);
-            rustls_pemfile::certs(&mut pem)
-                .collect::<io::Result<Vec<_>>>()
-                .map_err(|_| error::tls("invalid certificates"))?
-        };
-
-        Ok(Self {
-            #[cfg(feature = "native-tls")]
-            native_tls: native_tls_cert,
-            #[cfg(feature = "rustls-tls")]
-            rustls: rustls_cert,
-            #[cfg(feature = "boring-tls")]
-            boring_tls: boring_tls_cert,
-        })
-    }
-}
-
-impl Debug for Certificate {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        f.debug_struct("Certificate").finish()
-    }
-}
-
-/// An identity that can be used with [`TlsParametersBuilder::identify_with`]
-#[allow(missing_copy_implementations)]
-pub struct Identity {
-    #[cfg(feature = "native-tls")]
-    native_tls: native_tls::Identity,
-    #[cfg(feature = "rustls-tls")]
-    rustls_tls: (Vec<CertificateDer<'static>>, PrivateKeyDer<'static>),
-    #[cfg(feature = "boring-tls")]
-    boring_tls: (boring::x509::X509, PKey<boring::pkey::Private>),
-}
-
-impl Debug for Identity {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        f.debug_struct("Identity").finish()
-    }
-}
-
-impl Clone for Identity {
-    fn clone(&self) -> Self {
-        Identity {
-            #[cfg(feature = "native-tls")]
-            native_tls: self.native_tls.clone(),
-            #[cfg(feature = "rustls-tls")]
-            rustls_tls: (self.rustls_tls.0.clone(), self.rustls_tls.1.clone_key()),
-            #[cfg(feature = "boring-tls")]
-            boring_tls: (self.boring_tls.0.clone(), self.boring_tls.1.clone()),
-        }
-    }
-}
-
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
-impl Identity {
-    pub fn from_pem(pem: &[u8], key: &[u8]) -> Result<Self, Error> {
-        Ok(Self {
-            #[cfg(feature = "native-tls")]
-            native_tls: Identity::from_pem_native_tls(pem, key)?,
-            #[cfg(feature = "rustls-tls")]
-            rustls_tls: Identity::from_pem_rustls_tls(pem, key)?,
-            #[cfg(feature = "boring-tls")]
-            boring_tls: Identity::from_pem_boring_tls(pem, key)?,
-        })
-    }
-
-    #[cfg(feature = "native-tls")]
-    fn from_pem_native_tls(pem: &[u8], key: &[u8]) -> Result<native_tls::Identity, Error> {
-        native_tls::Identity::from_pkcs8(pem, key).map_err(error::tls)
-    }
-
-    #[cfg(feature = "rustls-tls")]
-    fn from_pem_rustls_tls(
-        pem: &[u8],
-        mut key: &[u8],
-    ) -> Result<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>), Error> {
-        let key = rustls_pemfile::private_key(&mut key)
-            .map_err(error::tls)?
-            .ok_or_else(|| error::tls("no private key found"))?;
-        Ok((vec![pem.to_owned().into()], key))
-    }
-
-    #[cfg(feature = "boring-tls")]
-    fn from_pem_boring_tls(
-        pem: &[u8],
-        key: &[u8],
-    ) -> Result<(boring::x509::X509, PKey<boring::pkey::Private>), Error> {
-        let cert = boring::x509::X509::from_pem(pem).map_err(error::tls)?;
-        let key = boring::pkey::PKey::private_key_from_pem(key).map_err(error::tls)?;
-        Ok((cert, key))
-    }
-}
-
-#[cfg(feature = "rustls-tls")]
-#[derive(Debug)]
-struct InvalidCertsVerifier {
-    ignore_invalid_hostnames: bool,
-    ignore_invalid_certs: bool,
-    roots: RootCertStore,
-    signature_algorithms: WebPkiSupportedAlgorithms,
-}
-
-#[cfg(feature = "rustls-tls")]
-impl ServerCertVerifier for InvalidCertsVerifier {
-    fn verify_server_cert(
-        &self,
-        end_entity: &CertificateDer<'_>,
-        intermediates: &[CertificateDer<'_>],
-        server_name: &ServerName<'_>,
-        _ocsp_response: &[u8],
-        now: UnixTime,
-    ) -> Result<ServerCertVerified, TlsError> {
-        let cert = ParsedCertificate::try_from(end_entity)?;
-
-        if !self.ignore_invalid_certs {
-            rustls::client::verify_server_cert_signed_by_trust_anchor(
-                &cert,
-                &self.roots,
-                intermediates,
-                now,
-                self.signature_algorithms.all,
-            )?;
-        }
-
-        if !self.ignore_invalid_hostnames {
-            rustls::client::verify_server_name(&cert, server_name)?;
-        }
-        Ok(ServerCertVerified::assertion())
-    }
-
-    fn verify_tls12_signature(
-        &self,
-        message: &[u8],
-        cert: &CertificateDer<'_>,
-        dss: &DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, TlsError> {
-        verify_tls12_signature(
-            message,
-            cert,
-            dss,
-            &rustls::crypto::ring::default_provider().signature_verification_algorithms,
-        )
-    }
-
-    fn verify_tls13_signature(
-        &self,
-        message: &[u8],
-        cert: &CertificateDer<'_>,
-        dss: &DigitallySignedStruct,
-    ) -> Result<HandshakeSignatureValid, TlsError> {
-        verify_tls13_signature(
-            message,
-            cert,
-            dss,
-            &rustls::crypto::ring::default_provider().signature_verification_algorithms,
-        )
-    }
-
-    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
-        rustls::crypto::ring::default_provider()
-            .signature_verification_algorithms
-            .supported_schemes()
-    }
-}

src/transport/smtp/client/tls/boring_tls.rs

@@ -0,0 +1,111 @@
+use std::fmt::{self, Debug};
+
+use boring::{
+    ssl::{SslConnector, SslMethod, SslVerifyMode, SslVersion},
+    x509::store::X509StoreBuilder,
+};
+
+use crate::transport::smtp::error::{self, Error};
+
+pub(super) fn build_connector(
+    builder: super::TlsParametersBuilder<super::BoringTls>,
+) -> Result<(Box<str>, SslConnector), Error> {
+    let mut tls_builder = SslConnector::builder(SslMethod::tls_client()).map_err(error::tls)?;
+
+    if builder.accept_invalid_certs {
+        tls_builder.set_verify(SslVerifyMode::NONE);
+    } else {
+        match builder.cert_store {
+            CertificateStore::System => {}
+            CertificateStore::None => {
+                // Replace the default store with an empty store.
+                tls_builder.set_cert_store(X509StoreBuilder::new().map_err(error::tls)?.build());
+            }
+        }
+
+        let cert_store = tls_builder.cert_store_mut();
+
+        for cert in builder.root_certs {
+            cert_store.add_cert(cert.0).map_err(error::tls)?;
+        }
+    }
+
+    if let Some(identity) = builder.identity {
+        tls_builder
+            .set_certificate(identity.chain.as_ref())
+            .map_err(error::tls)?;
+        tls_builder
+            .set_private_key(identity.key.as_ref())
+            .map_err(error::tls)?;
+    }
+
+    let min_tls_version = match builder.min_tls_version {
+        MinTlsVersion::Tlsv10 => SslVersion::TLS1,
+        MinTlsVersion::Tlsv11 => SslVersion::TLS1_1,
+        MinTlsVersion::Tlsv12 => SslVersion::TLS1_2,
+        MinTlsVersion::Tlsv13 => SslVersion::TLS1_3,
+    };
+
+    tls_builder
+        .set_min_proto_version(Some(min_tls_version))
+        .map_err(error::tls)?;
+    Ok((builder.server_name.into_boxed_str(), tls_builder.build()))
+}
+
+#[derive(Debug, Clone, Default)]
+#[allow(missing_copy_implementations)]
+#[non_exhaustive]
+pub(super) enum CertificateStore {
+    #[default]
+    System,
+    None,
+}
+
+#[derive(Clone)]
+pub(super) struct Certificate(pub(super) boring::x509::X509);
+
+impl Certificate {
+    pub(super) fn from_pem(pem: &[u8]) -> Result<Self, Error> {
+        Ok(Self(boring::x509::X509::from_pem(pem).map_err(error::tls)?))
+    }
+
+    pub(super) fn from_der(der: &[u8]) -> Result<Self, Error> {
+        Ok(Self(boring::x509::X509::from_der(der).map_err(error::tls)?))
+    }
+}
+
+impl Debug for Certificate {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Certificate").finish_non_exhaustive()
+    }
+}
+
+#[derive(Clone)]
+pub(super) struct Identity {
+    pub(super) chain: boring::x509::X509,
+    pub(super) key: boring::pkey::PKey<boring::pkey::Private>,
+}
+
+impl Identity {
+    pub(super) fn from_pem(pem: &[u8], key: &[u8]) -> Result<Self, Error> {
+        let chain = boring::x509::X509::from_pem(pem).map_err(error::tls)?;
+        let key = boring::pkey::PKey::private_key_from_pem(key).map_err(error::tls)?;
+        Ok(Self { chain, key })
+    }
+}
+
+impl Debug for Identity {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Identity").finish_non_exhaustive()
+    }
+}
+
+#[derive(Debug, Copy, Clone, Default)]
+#[non_exhaustive]
+pub(super) enum MinTlsVersion {
+    Tlsv10,
+    Tlsv11,
+    #[default]
+    Tlsv12,
+    Tlsv13,
+}

src/transport/smtp/client/tls/current.rs

@@ -0,0 +1,601 @@
+use std::fmt::{self, Debug};
+
+use super::TlsBackend;
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+use crate::transport::smtp::error;
+use crate::transport::smtp::Error;
+
+/// TLS protocol versions.
+#[derive(Debug, Copy, Clone)]
+#[non_exhaustive]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+pub enum TlsVersion {
+    /// TLS 1.0
+    ///
+    /// Should only be used when trying to support legacy
+    /// SMTP servers that haven't updated to
+    /// at least TLS 1.2 yet.
+    ///
+    /// Supported by `native-tls` and `boring-tls`.
+    Tlsv10,
+    /// TLS 1.1
+    ///
+    /// Should only be used when trying to support legacy
+    /// SMTP servers that haven't updated to
+    /// at least TLS 1.2 yet.
+    ///
+    /// Supported by `native-tls` and `boring-tls`.
+    Tlsv11,
+    /// TLS 1.2
+    ///
+    /// A good option for most SMTP servers.
+    ///
+    /// Supported by all TLS backends.
+    Tlsv12,
+    /// TLS 1.3
+    ///
+    /// The most secure option, although not supported by all SMTP servers.
+    ///
+    /// Although it is technically supported by all TLS backends,
+    /// trying to set it for `native-tls` will give a runtime error.
+    Tlsv13,
+}
+
+/// Specifies how to establish a TLS connection
+///
+/// TLDR: Use [`Tls::Wrapper`] or [`Tls::Required`] when
+/// connecting to a remote server, [`Tls::None`] when
+/// connecting to a local server.
+#[derive(Clone)]
+#[allow(missing_copy_implementations)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `Tls` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub enum Tls {
+    /// Insecure (plaintext) connection only.
+    ///
+    /// This option **always** uses a plaintext connection and should only
+    /// be used for trusted local relays. It is **highly discouraged**
+    /// for remote servers, as it exposes credentials and emails to potential
+    /// interception.
+    ///
+    /// Note: Servers requiring credentials or emails to be sent over TLS
+    /// may reject connections when this option is used.
+    None,
+    /// Begin with a plaintext connection and attempt to use `STARTTLS` if available.
+    ///
+    /// lettre will try to upgrade to a TLS-secured connection but will fall back
+    /// to plaintext if the server does not support TLS. This option is provided for
+    /// compatibility but is **strongly discouraged**, as it exposes connections to
+    /// potential MITM (man-in-the-middle) attacks.
+    ///
+    /// Warning: A malicious intermediary could intercept the `STARTTLS` flag,
+    /// causing lettre to believe the server only supports plaintext connections.
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    Opportunistic(TlsParameters),
+    /// Begin with a plaintext connection and require `STARTTLS` for security.
+    ///
+    /// lettre will upgrade plaintext TCP connections to TLS before transmitting
+    /// any sensitive data. If the server does not support TLS, the connection
+    /// attempt will fail, ensuring no credentials or emails are sent in plaintext.
+    ///
+    /// Unlike [`Tls::Opportunistic`], this option is secure against MITM attacks.
+    /// For optimal security and performance, consider using [`Tls::Wrapper`] instead,
+    /// as it requires fewer roundtrips to establish a secure connection.
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    Required(TlsParameters),
+    /// Establish a connection wrapped in TLS from the start.
+    ///
+    /// lettre connects to the server and immediately performs a TLS handshake.
+    /// If the handshake fails, the connection attempt is aborted without
+    /// transmitting any sensitive data.
+    ///
+    /// This is the fastest and most secure option for establishing a connection.
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    Wrapper(TlsParameters),
+}
+
+impl Debug for Tls {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match &self {
+            Self::None => f.pad("None"),
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+            Self::Opportunistic(_) => f.pad("Opportunistic"),
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+            Self::Required(_) => f.pad("Required"),
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+            Self::Wrapper(_) => f.pad("Wrapper"),
+        }
+    }
+}
+
+/// Source for the base set of root certificates to trust.
+#[allow(missing_copy_implementations)]
+#[derive(Clone, Debug, Default)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `CertificateStore` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub enum CertificateStore {
+    /// Use the default for the TLS backend.
+    ///
+    /// For native-tls, this will use the system certificate store on Windows, the keychain on
+    /// macOS, and OpenSSL directories on Linux (usually `/etc/ssl`).
+    ///
+    /// For rustls, this will use the system certificate verifier if the `rustls-platform-verifier`
+    /// feature is enabled. If the `rustls-native-certs` feature is enabled, system certificate
+    /// store will be used. Otherwise, it will fall back to `webpki-roots`.
+    ///
+    /// The boring-tls backend uses the same logic as OpenSSL on all platforms.
+    #[default]
+    Default,
+    /// Use a hardcoded set of Mozilla roots via the `webpki-roots` crate.
+    ///
+    /// This option is only available in the rustls backend.
+    #[cfg(all(feature = "rustls", feature = "webpki-roots"))]
+    WebpkiRoots,
+    /// Don't use any system certificates.
+    None,
+}
+
+/// Parameters to use for secure clients
+#[derive(Clone)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `TlsParameters` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub struct TlsParameters {
+    pub(in crate::transport::smtp) inner: InnerTlsParameters,
+}
+
+/// Builder for `TlsParameters`
+#[derive(Debug, Clone)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `TlsParametersBuilder` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub struct TlsParametersBuilder {
+    domain: String,
+    cert_store: CertificateStore,
+    root_certs: Vec<Certificate>,
+    identity: Option<Identity>,
+    accept_invalid_hostnames: bool,
+    accept_invalid_certs: bool,
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    min_tls_version: TlsVersion,
+}
+
+impl TlsParametersBuilder {
+    /// Creates a new builder for `TlsParameters`
+    pub fn new(domain: String) -> Self {
+        Self {
+            domain,
+            cert_store: CertificateStore::Default,
+            root_certs: Vec::new(),
+            identity: None,
+            accept_invalid_hostnames: false,
+            accept_invalid_certs: false,
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+            min_tls_version: TlsVersion::Tlsv12,
+        }
+    }
+
+    /// Set the source for the base set of root certificates to trust.
+    pub fn certificate_store(mut self, cert_store: CertificateStore) -> Self {
+        self.cert_store = cert_store;
+        self
+    }
+
+    /// Add a custom root certificate
+    ///
+    /// Can be used to safely connect to a server using a self-signed certificate, for example.
+    pub fn add_root_certificate(mut self, cert: Certificate) -> Self {
+        self.root_certs.push(cert);
+        self
+    }
+
+    /// Add a client certificate
+    ///
+    /// Can be used to configure a client certificate to present to the server.
+    pub fn identify_with(mut self, identity: Identity) -> Self {
+        self.identity = Some(identity);
+        self
+    }
+
+    /// Controls whether certificates with an invalid hostname are accepted
+    ///
+    /// This option is silently disabled when using `rustls-platform-verifier`.
+    ///
+    /// Defaults to `false`.
+    ///
+    /// # Warning
+    ///
+    /// You should think very carefully before using this method.
+    /// If hostname verification is disabled *any* valid certificate,
+    /// including those from other sites, are trusted.
+    ///
+    /// This method introduces significant vulnerabilities to man-in-the-middle attacks.
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    pub fn dangerous_accept_invalid_hostnames(mut self, accept_invalid_hostnames: bool) -> Self {
+        self.accept_invalid_hostnames = accept_invalid_hostnames;
+        self
+    }
+
+    /// Controls which minimum TLS version is allowed
+    ///
+    /// Defaults to [`Tlsv12`][TlsVersion::Tlsv12].
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    pub fn set_min_tls_version(mut self, min_tls_version: TlsVersion) -> Self {
+        self.min_tls_version = min_tls_version;
+        self
+    }
+
+    /// Controls whether invalid certificates are accepted
+    ///
+    /// Defaults to `false`.
+    ///
+    /// # Warning
+    ///
+    /// You should think very carefully before using this method.
+    /// If certificate verification is disabled, *any* certificate
+    /// is trusted for use, including:
+    ///
+    /// * Self signed certificates
+    /// * Certificates from different hostnames
+    /// * Expired certificates
+    ///
+    /// This method should only be used as a last resort, as it introduces
+    /// significant vulnerabilities to man-in-the-middle attacks.
+    pub fn dangerous_accept_invalid_certs(mut self, accept_invalid_certs: bool) -> Self {
+        self.accept_invalid_certs = accept_invalid_certs;
+        self
+    }
+
+    /// Creates a new `TlsParameters` using native-tls, boring-tls or rustls
+    /// depending on which one is available
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    pub fn build(self) -> Result<TlsParameters, Error> {
+        #[cfg(feature = "rustls")]
+        return self.build_rustls();
+        #[cfg(all(not(feature = "rustls"), feature = "native-tls"))]
+        return self.build_native();
+        #[cfg(all(not(feature = "rustls"), feature = "boring-tls"))]
+        return self.build_boring();
+    }
+
+    /// Creates a new `TlsParameters` using native-tls with the provided configuration
+    #[cfg(feature = "native-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
+    pub fn build_native(self) -> Result<TlsParameters, Error> {
+        let cert_store = match self.cert_store {
+            CertificateStore::Default => super::native_tls::CertificateStore::System,
+            CertificateStore::None => super::native_tls::CertificateStore::None,
+            #[allow(unreachable_patterns)]
+            other => {
+                return Err(error::tls(format!(
+                    "{other:?} is not supported in native tls"
+                )))
+            }
+        };
+        let min_tls_version = match self.min_tls_version {
+            TlsVersion::Tlsv10 => super::native_tls::MinTlsVersion::Tlsv10,
+            TlsVersion::Tlsv11 => super::native_tls::MinTlsVersion::Tlsv11,
+            TlsVersion::Tlsv12 => super::native_tls::MinTlsVersion::Tlsv12,
+            TlsVersion::Tlsv13 => {
+                return Err(error::tls(
+                    "min tls version Tlsv13 not supported in native tls",
+                ))
+            }
+        };
+
+        let mut builder = super::TlsParametersBuilder::<super::NativeTls>::new(self.domain)
+            .certificate_store(cert_store)
+            .dangerous_accept_invalid_certs(self.accept_invalid_certs)
+            .dangerous_accept_invalid_hostnames(self.accept_invalid_hostnames)
+            .min_tls_version(min_tls_version);
+        for cert in self.root_certs {
+            builder = builder.add_root_certificate(cert.native_tls);
+        }
+        if let Some(identity) = self.identity {
+            builder = builder.identify_with(identity.native_tls);
+        }
+
+        builder
+            .build()
+            .map(super::NativeTls::__build_current_tls_parameters)
+    }
+
+    /// Creates a new `TlsParameters` using boring-tls with the provided configuration
+    ///
+    /// Warning: this uses the certificate store passed via `certificate_store`
+    /// instead of the one configured in [`TlsParametersBuilder::certificate_store`].
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn build_boring(self) -> Result<TlsParameters, Error> {
+        let cert_store = match self.cert_store {
+            CertificateStore::Default => super::boring_tls::CertificateStore::System,
+            CertificateStore::None => super::boring_tls::CertificateStore::None,
+            #[allow(unreachable_patterns)]
+            other => {
+                return Err(error::tls(format!(
+                    "{other:?} is not supported in native tls"
+                )))
+            }
+        };
+        let min_tls_version = match self.min_tls_version {
+            TlsVersion::Tlsv10 => super::boring_tls::MinTlsVersion::Tlsv10,
+            TlsVersion::Tlsv11 => super::boring_tls::MinTlsVersion::Tlsv11,
+            TlsVersion::Tlsv12 => super::boring_tls::MinTlsVersion::Tlsv12,
+            TlsVersion::Tlsv13 => super::boring_tls::MinTlsVersion::Tlsv13,
+        };
+
+        let mut builder = super::TlsParametersBuilder::<super::BoringTls>::new(self.domain)
+            .certificate_store(cert_store)
+            .dangerous_accept_invalid_certs(self.accept_invalid_certs)
+            .dangerous_accept_invalid_hostnames(self.accept_invalid_hostnames)
+            .min_tls_version(min_tls_version);
+        for cert in self.root_certs {
+            builder = builder.add_root_certificate(cert.boring_tls);
+        }
+        if let Some(identity) = self.identity {
+            builder = builder.identify_with(identity.boring_tls);
+        }
+
+        builder
+            .build()
+            .map(super::BoringTls::__build_current_tls_parameters)
+    }
+
+    /// Creates a new `TlsParameters` using rustls with the provided configuration
+    #[cfg(feature = "rustls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+    pub fn build_rustls(self) -> Result<TlsParameters, Error> {
+        let cert_store = match self.cert_store {
+            CertificateStore::Default => super::rustls::CertificateStore::default(),
+            #[cfg(feature = "webpki-roots")]
+            CertificateStore::WebpkiRoots => super::rustls::CertificateStore::WebpkiRoots,
+            CertificateStore::None => super::rustls::CertificateStore::None,
+        };
+        let min_tls_version = match self.min_tls_version {
+            TlsVersion::Tlsv10 => {
+                return Err(error::tls("min tls version Tlsv10 not supported in rustls"))
+            }
+            TlsVersion::Tlsv11 => {
+                return Err(error::tls("min tls version Tlsv11 not supported in rustls"))
+            }
+            TlsVersion::Tlsv12 => super::rustls::MinTlsVersion::Tlsv12,
+            TlsVersion::Tlsv13 => super::rustls::MinTlsVersion::Tlsv13,
+        };
+
+        let mut builder = super::TlsParametersBuilder::<super::Rustls>::new(self.domain)
+            .certificate_store(cert_store)
+            .dangerous_accept_invalid_certs(self.accept_invalid_certs)
+            .dangerous_accept_invalid_hostnames(self.accept_invalid_hostnames)
+            .min_tls_version(min_tls_version);
+        for cert in self.root_certs {
+            for cert in cert.rustls {
+                builder = builder.add_root_certificate(cert);
+            }
+        }
+        if let Some(identity) = self.identity {
+            builder = builder.identify_with(identity.rustls_tls);
+        }
+
+        builder
+            .build()
+            .map(super::Rustls::__build_current_tls_parameters)
+    }
+}
+
+#[derive(Clone)]
+#[allow(clippy::enum_variant_names)]
+pub(in crate::transport::smtp) enum InnerTlsParameters {
+    #[cfg(feature = "native-tls")]
+    NativeTls(super::TlsParameters<super::NativeTls>),
+    #[cfg(feature = "rustls")]
+    Rustls(super::TlsParameters<super::Rustls>),
+    #[cfg(feature = "boring-tls")]
+    BoringTls(super::TlsParameters<super::BoringTls>),
+}
+
+impl TlsParameters {
+    /// Creates a new `TlsParameters` using native-tls or rustls
+    /// depending on which one is available
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+    #[cfg_attr(
+        docsrs,
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+    )]
+    pub fn new(domain: String) -> Result<Self, Error> {
+        Self::new_with::<super::DefaultTlsBackend>(domain)
+    }
+
+    /// Creates a new `TlsParameters` builder
+    pub fn builder(domain: String) -> TlsParametersBuilder {
+        TlsParametersBuilder::new(domain)
+    }
+
+    /// Creates a new `TlsParameters` using native-tls
+    #[cfg(feature = "native-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
+    pub fn new_native(domain: String) -> Result<Self, Error> {
+        Self::new_with::<super::NativeTls>(domain)
+    }
+
+    /// Creates a new `TlsParameters` using rustls
+    #[cfg(feature = "rustls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+    pub fn new_rustls(domain: String) -> Result<Self, Error> {
+        Self::new_with::<super::Rustls>(domain)
+    }
+
+    /// Creates a new `TlsParameters` using boring
+    #[cfg(feature = "boring-tls")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+    pub fn new_boring(domain: String) -> Result<Self, Error> {
+        Self::new_with::<super::BoringTls>(domain)
+    }
+
+    fn new_with<B: TlsBackend>(domain: String) -> Result<Self, Error> {
+        super::TlsParametersBuilder::<B>::new(domain)
+            .build()
+            .map(B::__build_current_tls_parameters)
+    }
+
+    pub fn domain(&self) -> &str {
+        match self.inner {
+            #[cfg(feature = "native-tls")]
+            InnerTlsParameters::NativeTls(ref inner) => &inner.server_name,
+            #[cfg(feature = "rustls")]
+            InnerTlsParameters::Rustls(ref inner) => inner.server_name.as_ref(),
+            #[cfg(feature = "boring-tls")]
+            InnerTlsParameters::BoringTls(ref inner) => &inner.server_name,
+        }
+    }
+}
+
+/// A certificate that can be used with [`TlsParametersBuilder::add_root_certificate`]
+#[derive(Clone)]
+#[allow(missing_copy_implementations)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `Certificate` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub struct Certificate {
+    #[cfg(feature = "native-tls")]
+    native_tls: super::native_tls::Certificate,
+    #[cfg(feature = "rustls")]
+    rustls: Vec<super::rustls::Certificate>,
+    #[cfg(feature = "boring-tls")]
+    boring_tls: super::boring_tls::Certificate,
+}
+
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+impl Certificate {
+    /// Create a `Certificate` from a DER encoded certificate
+    pub fn from_der(der: Vec<u8>) -> Result<Self, Error> {
+        Ok(Self {
+            #[cfg(feature = "native-tls")]
+            native_tls: super::native_tls::Certificate::from_der(&der)?,
+            #[cfg(feature = "boring-tls")]
+            boring_tls: super::boring_tls::Certificate::from_der(&der)?,
+            #[cfg(feature = "rustls")]
+            rustls: vec![super::rustls::Certificate::from_der(der)],
+        })
+    }
+
+    /// Create a `Certificate` from a PEM encoded certificate
+    pub fn from_pem(pem: &[u8]) -> Result<Self, Error> {
+        Ok(Self {
+            #[cfg(feature = "native-tls")]
+            native_tls: super::native_tls::Certificate::from_pem(pem)?,
+            #[cfg(feature = "rustls")]
+            rustls: super::rustls::Certificate::from_pem_bundle(pem)?,
+            #[cfg(feature = "boring-tls")]
+            boring_tls: super::boring_tls::Certificate::from_pem(pem)?,
+        })
+    }
+}
+
+impl Debug for Certificate {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Certificate").finish()
+    }
+}
+
+/// An identity that can be used with [`TlsParametersBuilder::identify_with`]
+#[derive(Clone)]
+#[allow(missing_copy_implementations)]
+#[cfg_attr(
+    not(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")),
+    deprecated(
+        note = "starting from lettre v0.12 `Identity` won't be available when none of the TLS backends are enabled"
+    )
+)]
+#[cfg_attr(
+    docsrs,
+    doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
+)]
+pub struct Identity {
+    #[cfg(feature = "native-tls")]
+    native_tls: super::native_tls::Identity,
+    #[cfg(feature = "rustls")]
+    rustls_tls: super::rustls::Identity,
+    #[cfg(feature = "boring-tls")]
+    boring_tls: super::boring_tls::Identity,
+}
+
+impl Debug for Identity {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Identity").finish()
+    }
+}
+
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
+impl Identity {
+    pub fn from_pem(pem: &[u8], key: &[u8]) -> Result<Self, Error> {
+        Ok(Self {
+            #[cfg(feature = "native-tls")]
+            native_tls: super::native_tls::Identity::from_pem(pem, key)?,
+            #[cfg(feature = "rustls")]
+            rustls_tls: super::rustls::Identity::from_pem(pem, key)?,
+            #[cfg(feature = "boring-tls")]
+            boring_tls: super::boring_tls::Identity::from_pem(pem, key)?,
+        })
+    }
+}

src/transport/smtp/client/tls/mod.rs

@@ -0,0 +1,253 @@
+use crate::transport::smtp::Error;
+
+#[cfg(feature = "boring-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+pub(super) mod boring_tls;
+pub(super) mod current;
+#[cfg(feature = "native-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
+pub(super) mod native_tls;
+#[cfg(feature = "rustls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+pub(super) mod rustls;
+
+#[derive(Debug)]
+#[allow(private_bounds)]
+pub(in crate::transport::smtp) struct TlsParameters<B: TlsBackend> {
+    pub(in crate::transport::smtp) server_name: B::ServerName,
+    pub(in crate::transport::smtp) connector: B::Connector,
+    pub(in crate::transport::smtp) extra_info: B::ExtraInfo,
+}
+
+impl<B: TlsBackend> Clone for TlsParameters<B> {
+    fn clone(&self) -> Self {
+        Self {
+            server_name: self.server_name.clone(),
+            connector: self.connector.clone(),
+            extra_info: self.extra_info.clone(),
+        }
+    }
+}
+
+#[derive(Debug)]
+struct TlsParametersBuilder<B: TlsBackend> {
+    server_name: String,
+    cert_store: B::CertificateStore,
+    root_certs: Vec<B::Certificate>,
+    identity: Option<B::Identity>,
+    accept_invalid_certs: bool,
+    accept_invalid_hostnames: bool,
+    min_tls_version: B::MinTlsVersion,
+}
+
+impl<B: TlsBackend> TlsParametersBuilder<B> {
+    fn new(server_name: String) -> Self {
+        Self {
+            server_name,
+            cert_store: Default::default(),
+            root_certs: Vec::new(),
+            identity: None,
+            accept_invalid_certs: false,
+            accept_invalid_hostnames: false,
+            min_tls_version: Default::default(),
+        }
+    }
+
+    fn certificate_store(mut self, cert_store: B::CertificateStore) -> Self {
+        self.cert_store = cert_store;
+        self
+    }
+
+    fn add_root_certificate(mut self, cert: B::Certificate) -> Self {
+        self.root_certs.push(cert);
+        self
+    }
+
+    fn identify_with(mut self, identity: B::Identity) -> Self {
+        self.identity = Some(identity);
+        self
+    }
+
+    fn min_tls_version(mut self, min_tls_version: B::MinTlsVersion) -> Self {
+        self.min_tls_version = min_tls_version;
+        self
+    }
+
+    fn dangerous_accept_invalid_certs(mut self, accept_invalid_certs: bool) -> Self {
+        self.accept_invalid_certs = accept_invalid_certs;
+        self
+    }
+
+    fn dangerous_accept_invalid_hostnames(mut self, accept_invalid_hostnames: bool) -> Self {
+        self.accept_invalid_hostnames = accept_invalid_hostnames;
+        self
+    }
+
+    fn build(self) -> Result<TlsParameters<B>, Error> {
+        B::__build_connector(self)
+    }
+}
+
+#[allow(private_bounds)]
+trait TlsBackend: private::SealedTlsBackend {
+    type CertificateStore: Default;
+    type Certificate;
+    type Identity;
+    type MinTlsVersion: Default;
+
+    #[doc(hidden)]
+    fn __build_connector(builder: TlsParametersBuilder<Self>)
+        -> Result<TlsParameters<Self>, Error>;
+
+    #[doc(hidden)]
+    fn __build_current_tls_parameters(inner: TlsParameters<Self>) -> self::current::TlsParameters;
+}
+
+#[cfg(feature = "native-tls")]
+type DefaultTlsBackend = NativeTls;
+
+#[cfg(all(feature = "rustls", not(feature = "native-tls")))]
+type DefaultTlsBackend = Rustls;
+
+#[cfg(all(
+    feature = "boring-tls",
+    not(feature = "native-tls"),
+    not(feature = "rustls")
+))]
+type DefaultTlsBackend = BoringTls;
+
+#[cfg(feature = "native-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
+#[derive(Debug)]
+#[allow(missing_copy_implementations)]
+#[non_exhaustive]
+pub(in crate::transport::smtp) struct NativeTls;
+
+#[cfg(feature = "native-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "native-tls")))]
+impl TlsBackend for NativeTls {
+    type CertificateStore = self::native_tls::CertificateStore;
+    type Certificate = self::native_tls::Certificate;
+    type Identity = self::native_tls::Identity;
+    type MinTlsVersion = self::native_tls::MinTlsVersion;
+
+    fn __build_connector(
+        builder: TlsParametersBuilder<Self>,
+    ) -> Result<TlsParameters<Self>, Error> {
+        self::native_tls::build_connector(builder).map(|(server_name, connector)| TlsParameters {
+            server_name,
+            connector,
+            extra_info: (),
+        })
+    }
+
+    fn __build_current_tls_parameters(inner: TlsParameters<Self>) -> self::current::TlsParameters {
+        self::current::TlsParameters {
+            inner: self::current::InnerTlsParameters::NativeTls(inner),
+        }
+    }
+}
+
+#[cfg(feature = "rustls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+#[derive(Debug)]
+#[allow(missing_copy_implementations)]
+#[non_exhaustive]
+pub(in crate::transport::smtp) struct Rustls;
+
+#[cfg(feature = "rustls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "rustls")))]
+impl TlsBackend for Rustls {
+    type CertificateStore = self::rustls::CertificateStore;
+    type Certificate = self::rustls::Certificate;
+    type Identity = self::rustls::Identity;
+    type MinTlsVersion = self::rustls::MinTlsVersion;
+
+    fn __build_connector(
+        builder: TlsParametersBuilder<Self>,
+    ) -> Result<TlsParameters<Self>, Error> {
+        self::rustls::build_connector(builder).map(|(server_name, connector)| TlsParameters {
+            server_name,
+            connector,
+            extra_info: (),
+        })
+    }
+
+    fn __build_current_tls_parameters(inner: TlsParameters<Self>) -> self::current::TlsParameters {
+        self::current::TlsParameters {
+            inner: self::current::InnerTlsParameters::Rustls(inner),
+        }
+    }
+}
+
+#[cfg(feature = "boring-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+#[derive(Debug)]
+#[allow(missing_copy_implementations)]
+#[non_exhaustive]
+pub(in crate::transport::smtp) struct BoringTls;
+
+#[cfg(feature = "boring-tls")]
+#[cfg_attr(docsrs, doc(cfg(feature = "boring-tls")))]
+impl TlsBackend for BoringTls {
+    type CertificateStore = self::boring_tls::CertificateStore;
+    type Certificate = self::boring_tls::Certificate;
+    type Identity = self::boring_tls::Identity;
+    type MinTlsVersion = self::boring_tls::MinTlsVersion;
+
+    fn __build_connector(
+        builder: TlsParametersBuilder<Self>,
+    ) -> Result<TlsParameters<Self>, Error> {
+        let accept_invalid_hostnames = builder.accept_invalid_hostnames;
+        self::boring_tls::build_connector(builder).map(|(server_name, connector)| TlsParameters {
+            server_name,
+            connector,
+            extra_info: BoringTlsExtraInfo {
+                accept_invalid_hostnames,
+            },
+        })
+    }
+
+    fn __build_current_tls_parameters(inner: TlsParameters<Self>) -> self::current::TlsParameters {
+        self::current::TlsParameters {
+            inner: self::current::InnerTlsParameters::BoringTls(inner),
+        }
+    }
+}
+
+#[cfg(feature = "boring-tls")]
+#[derive(Debug, Clone)]
+pub(in crate::transport::smtp) struct BoringTlsExtraInfo {
+    pub(super) accept_invalid_hostnames: bool,
+}
+
+mod private {
+    pub(in crate::transport::smtp) trait SealedTlsBackend:
+        Sized
+    {
+        type ServerName: Clone + AsRef<str>;
+        type Connector: Clone;
+        type ExtraInfo: Clone;
+    }
+
+    #[cfg(feature = "native-tls")]
+    impl SealedTlsBackend for super::NativeTls {
+        type ServerName = Box<str>;
+        type Connector = native_tls::TlsConnector;
+        type ExtraInfo = ();
+    }
+
+    #[cfg(feature = "rustls")]
+    impl SealedTlsBackend for super::Rustls {
+        type ServerName = super::rustls::ServerName;
+        type Connector = std::sync::Arc<rustls::client::ClientConfig>;
+        type ExtraInfo = ();
+    }
+
+    #[cfg(feature = "boring-tls")]
+    impl SealedTlsBackend for super::BoringTls {
+        type ServerName = Box<str>;
+        type Connector = boring::ssl::SslConnector;
+        type ExtraInfo = super::BoringTlsExtraInfo;
+    }
+}

src/transport/smtp/client/tls/native_tls.rs

@@ -0,0 +1,95 @@
+use std::fmt::{self, Debug};
+
+use native_tls::TlsConnector;
+
+use crate::transport::smtp::error::{self, Error};
+
+pub(super) fn build_connector(
+    builder: super::TlsParametersBuilder<super::NativeTls>,
+) -> Result<(Box<str>, TlsConnector), Error> {
+    let mut tls_builder = TlsConnector::builder();
+
+    match builder.cert_store {
+        CertificateStore::System => {}
+        CertificateStore::None => {
+            tls_builder.disable_built_in_roots(true);
+        }
+    }
+    for cert in builder.root_certs {
+        tls_builder.add_root_certificate(cert.0);
+    }
+    tls_builder.danger_accept_invalid_hostnames(builder.accept_invalid_hostnames);
+    tls_builder.danger_accept_invalid_certs(builder.accept_invalid_certs);
+
+    let min_tls_version = match builder.min_tls_version {
+        MinTlsVersion::Tlsv10 => native_tls::Protocol::Tlsv10,
+        MinTlsVersion::Tlsv11 => native_tls::Protocol::Tlsv11,
+        MinTlsVersion::Tlsv12 => native_tls::Protocol::Tlsv12,
+    };
+
+    tls_builder.min_protocol_version(Some(min_tls_version));
+    if let Some(identity) = builder.identity {
+        tls_builder.identity(identity.0);
+    }
+
+    let connector = tls_builder.build().map_err(error::tls)?;
+    Ok((builder.server_name.into_boxed_str(), connector))
+}
+
+#[derive(Debug, Clone, Default)]
+#[allow(missing_copy_implementations)]
+#[non_exhaustive]
+pub(super) enum CertificateStore {
+    #[default]
+    System,
+    None,
+}
+
+#[derive(Clone)]
+pub(super) struct Certificate(pub(super) native_tls::Certificate);
+
+impl Certificate {
+    pub(super) fn from_pem(pem: &[u8]) -> Result<Self, Error> {
+        Ok(Self(
+            native_tls::Certificate::from_pem(pem).map_err(error::tls)?,
+        ))
+    }
+
+    pub(super) fn from_der(der: &[u8]) -> Result<Self, Error> {
+        Ok(Self(
+            native_tls::Certificate::from_der(der).map_err(error::tls)?,
+        ))
+    }
+}
+
+impl Debug for Certificate {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Certificate").finish_non_exhaustive()
+    }
+}
+
+#[derive(Clone)]
+pub(super) struct Identity(pub(super) native_tls::Identity);
+
+impl Identity {
+    pub(super) fn from_pem(pem: &[u8], key: &[u8]) -> Result<Self, Error> {
+        Ok(Self(
+            native_tls::Identity::from_pkcs8(pem, key).map_err(error::tls)?,
+        ))
+    }
+}
+
+impl Debug for Identity {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Identity").finish_non_exhaustive()
+    }
+}
+
+#[derive(Debug, Copy, Clone, Default)]
+#[non_exhaustive]
+pub(super) enum MinTlsVersion {
+    Tlsv10,
+    Tlsv11,
+    #[default]
+    Tlsv12,
+}

src/transport/smtp/client/tls/rustls.rs

@@ -0,0 +1,329 @@
+use std::{
+    fmt::{self, Debug},
+    sync::Arc,
+};
+
+use rustls::{
+    client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier},
+    crypto::{verify_tls12_signature, verify_tls13_signature, CryptoProvider},
+    pki_types::{self, UnixTime},
+    server::ParsedCertificate,
+    ClientConfig, DigitallySignedStruct, RootCertStore, SignatureScheme,
+};
+
+use crate::transport::smtp::error::{self, Error};
+
+pub(super) fn build_connector(
+    builder: super::TlsParametersBuilder<super::Rustls>,
+) -> Result<(ServerName, Arc<ClientConfig>), Error> {
+    let just_version3 = &[&rustls::version::TLS13];
+    let supported_versions = match builder.min_tls_version {
+        MinTlsVersion::Tlsv12 => rustls::ALL_VERSIONS,
+        MinTlsVersion::Tlsv13 => just_version3,
+    };
+
+    let crypto_provider = crate::rustls_crypto::crypto_provider();
+    let tls = ClientConfig::builder_with_provider(Arc::clone(&crypto_provider))
+        .with_protocol_versions(supported_versions)
+        .map_err(error::tls)?;
+
+    // Build TLS config
+    let mut root_cert_store = RootCertStore::empty();
+    #[cfg(feature = "rustls-platform-verifier")]
+    let mut extra_roots = Vec::new();
+
+    match builder.cert_store {
+        #[cfg(feature = "rustls-platform-verifier")]
+        CertificateStore::PlatformVerifier => {
+            extra_roots = builder
+                .root_certs
+                .iter()
+                .map(|cert| cert.0.clone())
+                .collect();
+        }
+        #[cfg(feature = "rustls-native-certs")]
+        CertificateStore::NativeCerts => {
+            let rustls_native_certs::CertificateResult { certs, errors, .. } =
+                rustls_native_certs::load_native_certs();
+            let errors_len = errors.len();
+
+            let (added, ignored) = root_cert_store.add_parsable_certificates(certs);
+            #[cfg(feature = "tracing")]
+            tracing::debug!(
+                "loaded platform certs with {errors_len} failing to load, {added} valid and {ignored} ignored (invalid) certs"
+            );
+            #[cfg(not(feature = "tracing"))]
+            let _ = (errors_len, added, ignored);
+        }
+        #[cfg(feature = "webpki-roots")]
+        CertificateStore::WebpkiRoots => {
+            root_cert_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
+        }
+        CertificateStore::None => {}
+    }
+    for cert in builder.root_certs {
+        root_cert_store.add(cert.0).map_err(error::tls)?;
+    }
+
+    let tls = match (
+        builder.cert_store,
+        builder.accept_invalid_certs,
+        builder.accept_invalid_hostnames,
+    ) {
+        #[cfg(feature = "rustls-platform-verifier")]
+        (CertificateStore::PlatformVerifier, false, _) => {
+            tls.dangerous().with_custom_certificate_verifier(Arc::new(
+                rustls_platform_verifier::Verifier::new_with_extra_roots(
+                    extra_roots,
+                    crypto_provider,
+                )
+                .map_err(error::tls)?,
+            ))
+        }
+        (_, true, _) | (_, _, true) => {
+            let verifier = InvalidCertsVerifier {
+                ignore_invalid_hostnames: builder.accept_invalid_hostnames,
+                ignore_invalid_certs: builder.accept_invalid_certs,
+                roots: root_cert_store,
+                crypto_provider,
+            };
+            tls.dangerous()
+                .with_custom_certificate_verifier(Arc::new(verifier))
+        }
+        _ => tls.with_root_certificates(root_cert_store),
+    };
+
+    let tls = if let Some(identity) = builder.identity {
+        tls.with_client_auth_cert(identity.chain, identity.key)
+            .map_err(error::tls)?
+    } else {
+        tls.with_no_client_auth()
+    };
+    let server_name = ServerName::try_from(builder.server_name)?;
+    Ok((server_name, Arc::new(tls)))
+}
+
+#[derive(Clone)]
+pub(in crate::transport::smtp) struct ServerName {
+    val: pki_types::ServerName<'static>,
+    str_val: Box<str>,
+}
+
+impl ServerName {
+    #[allow(dead_code)]
+    pub(in crate::transport::smtp) fn inner(self) -> pki_types::ServerName<'static> {
+        self.val
+    }
+
+    pub(in crate::transport::smtp) fn inner_ref(&self) -> &pki_types::ServerName<'static> {
+        &self.val
+    }
+
+    fn try_from(value: String) -> Result<Self, crate::transport::smtp::Error> {
+        let val: pki_types::ServerName<'_> = value
+            .as_str()
+            .try_into()
+            .map_err(crate::transport::smtp::error::tls)?;
+        Ok(Self {
+            val: val.to_owned(),
+            str_val: value.into_boxed_str(),
+        })
+    }
+}
+
+impl AsRef<str> for ServerName {
+    fn as_ref(&self) -> &str {
+        &self.str_val
+    }
+}
+
+#[derive(Debug, Clone, Default)]
+#[allow(dead_code, missing_copy_implementations)]
+#[non_exhaustive]
+pub(super) enum CertificateStore {
+    #[cfg(feature = "rustls-platform-verifier")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-platform-verifier")))]
+    #[cfg_attr(feature = "rustls-platform-verifier", default)]
+    PlatformVerifier,
+    #[cfg(feature = "rustls-native-certs")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "rustls-native-certs")))]
+    #[cfg_attr(
+        all(
+            not(feature = "rustls-platform-verifier"),
+            feature = "rustls-native-certs",
+        ),
+        default
+    )]
+    NativeCerts,
+    #[cfg(feature = "webpki-roots")]
+    #[cfg_attr(docsrs, doc(cfg(feature = "webpki-roots")))]
+    #[cfg_attr(
+        all(
+            not(feature = "rustls-platform-verifier"),
+            not(feature = "rustls-native-certs"),
+            feature = "webpki-roots",
+        ),
+        default
+    )]
+    WebpkiRoots,
+    #[cfg_attr(
+        all(
+            not(feature = "webpki-roots"),
+            not(feature = "rustls-platform-verifier"),
+            not(feature = "rustls-native-certs")
+        ),
+        default
+    )]
+    None,
+}
+
+#[derive(Clone)]
+pub(super) struct Certificate(pub(super) pki_types::CertificateDer<'static>);
+
+impl Certificate {
+    #[allow(dead_code)]
+    pub(super) fn from_pem(pem: &[u8]) -> Result<Self, Error> {
+        use rustls::pki_types::pem::PemObject as _;
+
+        Ok(Self(
+            pki_types::CertificateDer::from_pem_slice(pem)
+                .map_err(|_| error::tls("invalid certificate"))?,
+        ))
+    }
+
+    pub(super) fn from_pem_bundle(pem: &[u8]) -> Result<Vec<Self>, Error> {
+        use rustls::pki_types::pem::PemObject as _;
+
+        pki_types::CertificateDer::pem_slice_iter(pem)
+            .map(|cert| Ok(Self(cert?)))
+            .collect::<Result<Vec<_>, pki_types::pem::Error>>()
+            .map_err(|_| error::tls("invalid certificate"))
+    }
+
+    pub(super) fn from_der(der: Vec<u8>) -> Self {
+        Self(der.into())
+    }
+}
+
+impl Debug for Certificate {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Certificate").finish_non_exhaustive()
+    }
+}
+
+pub(super) struct Identity {
+    pub(super) chain: Vec<pki_types::CertificateDer<'static>>,
+    pub(super) key: pki_types::PrivateKeyDer<'static>,
+}
+
+impl Identity {
+    pub(super) fn from_pem(pem: &[u8], key: &[u8]) -> Result<Self, Error> {
+        use rustls::pki_types::pem::PemObject as _;
+
+        let key = match pki_types::PrivateKeyDer::from_pem_slice(key) {
+            Ok(key) => key,
+            Err(pki_types::pem::Error::NoItemsFound) => {
+                return Err(error::tls("no private key found"))
+            }
+            Err(err) => return Err(error::tls(err)),
+        };
+
+        Ok(Self {
+            chain: vec![pem.to_owned().into()],
+            key,
+        })
+    }
+}
+
+impl Clone for Identity {
+    fn clone(&self) -> Self {
+        Self {
+            chain: self.chain.clone(),
+            key: self.key.clone_key(),
+        }
+    }
+}
+
+impl Debug for Identity {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.debug_struct("Identity").finish_non_exhaustive()
+    }
+}
+
+#[derive(Debug, Copy, Clone, Default)]
+#[non_exhaustive]
+pub(super) enum MinTlsVersion {
+    #[default]
+    Tlsv12,
+    Tlsv13,
+}
+
+#[derive(Debug)]
+struct InvalidCertsVerifier {
+    ignore_invalid_hostnames: bool,
+    ignore_invalid_certs: bool,
+    roots: RootCertStore,
+    crypto_provider: Arc<CryptoProvider>,
+}
+
+impl ServerCertVerifier for InvalidCertsVerifier {
+    fn verify_server_cert(
+        &self,
+        end_entity: &pki_types::CertificateDer<'_>,
+        intermediates: &[pki_types::CertificateDer<'_>],
+        server_name: &pki_types::ServerName<'_>,
+        _ocsp_response: &[u8],
+        now: UnixTime,
+    ) -> Result<ServerCertVerified, rustls::Error> {
+        let cert = ParsedCertificate::try_from(end_entity)?;
+
+        if !self.ignore_invalid_certs {
+            rustls::client::verify_server_cert_signed_by_trust_anchor(
+                &cert,
+                &self.roots,
+                intermediates,
+                now,
+                self.crypto_provider.signature_verification_algorithms.all,
+            )?;
+        }
+
+        if !self.ignore_invalid_hostnames {
+            rustls::client::verify_server_name(&cert, server_name)?;
+        }
+        Ok(ServerCertVerified::assertion())
+    }
+
+    fn verify_tls12_signature(
+        &self,
+        message: &[u8],
+        cert: &pki_types::CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        verify_tls12_signature(
+            message,
+            cert,
+            dss,
+            &self.crypto_provider.signature_verification_algorithms,
+        )
+    }
+
+    fn verify_tls13_signature(
+        &self,
+        message: &[u8],
+        cert: &pki_types::CertificateDer<'_>,
+        dss: &DigitallySignedStruct,
+    ) -> Result<HandshakeSignatureValid, rustls::Error> {
+        verify_tls13_signature(
+            message,
+            cert,
+            dss,
+            &self.crypto_provider.signature_verification_algorithms,
+        )
+    }
+
+    fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
+        self.crypto_provider
+            .signature_verification_algorithms
+            .supported_schemes()
+    }
+}

src/transport/smtp/connection_url.rs

@@ -2,7 +2,7 @@ use std::borrow::Cow;
 
 use url::Url;
 
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
 use super::client::{Tls, TlsParameters};
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
 use super::AsyncSmtpTransportBuilder;
@@ -13,6 +13,7 @@ use super::{
 
 pub(crate) trait TransportBuilder {
     fn new<T: Into<String>>(server: T) -> Self;
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     fn tls(self, tls: super::Tls) -> Self;
     fn port(self, port: u16) -> Self;
     fn credentials(self, credentials: Credentials) -> Self;
@@ -24,6 +25,7 @@ impl TransportBuilder for SmtpTransportBuilder {
         Self::new(server)
     }
 
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     fn tls(self, tls: super::Tls) -> Self {
         self.tls(tls)
     }
@@ -47,6 +49,7 @@ impl TransportBuilder for AsyncSmtpTransportBuilder {
         Self::new(server)
     }
 
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     fn tls(self, tls: super::Tls) -> Self {
         self.tls(tls)
     }
@@ -82,19 +85,19 @@ pub(crate) fn from_connection_url<B: TransportBuilder>(connection_url: &str) ->
         ("smtp", None) => {
             builder = builder.port(connection_url.port().unwrap_or(SMTP_PORT));
         }
-        #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+        #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
         ("smtp", Some("required")) => {
             builder = builder
                 .port(connection_url.port().unwrap_or(SUBMISSION_PORT))
                 .tls(Tls::Required(TlsParameters::new(host.into())?));
         }
-        #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+        #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
         ("smtp", Some("opportunistic")) => {
             builder = builder
                 .port(connection_url.port().unwrap_or(SUBMISSION_PORT))
                 .tls(Tls::Opportunistic(TlsParameters::new(host.into())?));
         }
-        #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+        #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
         ("smtps", _) => {
             builder = builder
                 .port(connection_url.port().unwrap_or(SUBMISSIONS_PORT))

src/transport/smtp/error.rs

@@ -68,15 +68,20 @@ impl Error {
     }
 
     /// Returns true if the error is from TLS
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn is_tls(&self) -> bool {
         matches!(self.inner.kind, Kind::Tls)
     }
 
+    /// Returns true if the error is because the transport was shut down
+    pub fn is_transport_shutdown(&self) -> bool {
+        matches!(self.inner.kind, Kind::TransportShutdown)
+    }
+
     /// Returns the status code, if the error was generated from a response.
     pub fn status(&self) -> Option<Code> {
         match self.inner.kind {
@@ -107,10 +112,12 @@ pub(crate) enum Kind {
     /// TLS error
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     Tls,
+    /// Transport shutdown error
+    TransportShutdown,
 }
 
 impl fmt::Debug for Error {
@@ -134,8 +141,9 @@ impl fmt::Display for Error {
             Kind::Client => f.write_str("internal client error")?,
             Kind::Network => f.write_str("network error")?,
             Kind::Connection => f.write_str("Connection error")?,
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
             Kind::Tls => f.write_str("tls error")?,
+            Kind::TransportShutdown => f.write_str("transport has been shut down")?,
             Kind::Transient(code) => {
                 write!(f, "transient error ({code})")?;
             }
@@ -185,7 +193,11 @@ pub(crate) fn connection<E: Into<BoxError>>(e: E) -> Error {
     Error::new(Kind::Connection, Some(e))
 }
 
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
 pub(crate) fn tls<E: Into<BoxError>>(e: E) -> Error {
     Error::new(Kind::Tls, Some(e))
 }
+
+pub(crate) fn transport_shutdown() -> Error {
+    Error::new::<BoxError>(Kind::TransportShutdown, None)
+}

src/transport/smtp/mod.rs

@@ -32,7 +32,7 @@
 //! do the following:
 //!
 //! ```rust,no_run
-//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls-tls")))]
+//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls")))]
 //! # fn test() -> Result<(), Box<dyn std::error::Error>> {
 //! use lettre::{
 //!     message::header::ContentType,
@@ -73,7 +73,7 @@
 //! For more information take a look at [`SmtpTransport::from_url`] or [`AsyncSmtpTransport::from_url`].
 //!
 //! ```rust,no_run
-//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls-tls")))]
+//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls")))]
 //! # fn test() -> Result<(), Box<dyn std::error::Error>> {
 //! use lettre::{
 //!     message::header::ContentType,
@@ -101,7 +101,7 @@
 //! #### Advanced configuration with custom TLS settings
 //!
 //! ```rust,no_run
-//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls-tls")))]
+//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls")))]
 //! # fn test() -> Result<(), Box<dyn std::error::Error>> {
 //! use std::fs;
 //!
@@ -146,7 +146,7 @@
 //! In a webserver context it may go about this:
 //!
 //! ```rust,no_run
-//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls-tls")))]
+//! # #[cfg(all(feature = "builder", any(feature = "native-tls", feature = "rustls")))]
 //! # fn test() {
 //! use lettre::{
 //!     message::header::ContentType,
@@ -199,7 +199,7 @@ pub use self::{
     error::Error,
     transport::{SmtpTransport, SmtpTransportBuilder},
 };
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
 use crate::transport::smtp::client::TlsParameters;
 use crate::transport::smtp::{
     authentication::{Credentials, Mechanism, DEFAULT_MECHANISMS},

src/transport/smtp/pool/async_impl.rs

@@ -1,6 +1,5 @@
 use std::{
     fmt::{self, Debug},
-    mem,
     ops::{Deref, DerefMut},
     sync::{Arc, OnceLock},
     time::{Duration, Instant},
@@ -15,11 +14,15 @@ use super::{
     super::{client::AsyncSmtpConnection, Error},
     PoolConfig,
 };
-use crate::{executor::SpawnHandle, transport::smtp::async_transport::AsyncSmtpClient, Executor};
+use crate::{
+    executor::SpawnHandle,
+    transport::smtp::{async_transport::AsyncSmtpClient, error},
+    Executor,
+};
 
-pub struct Pool<E: Executor> {
+pub(crate) struct Pool<E: Executor> {
     config: PoolConfig,
-    connections: Mutex<Vec<ParkedConnection>>,
+    connections: Mutex<Option<Vec<ParkedConnection>>>,
     client: AsyncSmtpClient<E>,
     handle: OnceLock<E::Handle>,
 }
@@ -29,16 +32,16 @@ struct ParkedConnection {
     since: Instant,
 }
 
-pub struct PooledConnection<E: Executor> {
+pub(crate) struct PooledConnection<E: Executor> {
     conn: Option<AsyncSmtpConnection>,
     pool: Arc<Pool<E>>,
 }
 
 impl<E: Executor> Pool<E> {
-    pub fn new(config: PoolConfig, client: AsyncSmtpClient<E>) -> Arc<Self> {
+    pub(crate) fn new(config: PoolConfig, client: AsyncSmtpClient<E>) -> Arc<Self> {
         let pool = Arc::new(Self {
             config,
-            connections: Mutex::new(Vec::new()),
+            connections: Mutex::new(Some(Vec::new())),
             client,
             handle: OnceLock::new(),
         });
@@ -60,6 +63,10 @@ impl<E: Executor> Pool<E> {
                             #[allow(clippy::needless_collect)]
                             let (count, dropped) = {
                                 let mut connections = pool.connections.lock().await;
+                                let Some(connections) = connections.as_mut() else {
+                                    // The transport was shut down
+                                    return;
+                                };
 
                                 let to_drop = connections
                                     .iter()
@@ -92,6 +99,11 @@ impl<E: Executor> Pool<E> {
                                 };
 
                                 let mut connections = pool.connections.lock().await;
+                                let Some(connections) = connections.as_mut() else {
+                                    // The transport was shut down
+                                    return;
+                                };
+
                                 connections.push(ParkedConnection::park(conn));
 
                                 #[cfg(feature = "tracing")]
@@ -134,10 +146,25 @@ impl<E: Executor> Pool<E> {
         pool
     }
 
-    pub async fn connection(self: &Arc<Self>) -> Result<PooledConnection<E>, Error> {
+    pub(crate) async fn shutdown(&self) {
+        let connections = { self.connections.lock().await.take() };
+        if let Some(connections) = connections {
+            abort_concurrent(connections.into_iter().map(ParkedConnection::unpark)).await;
+        }
+
+        if let Some(handle) = self.handle.get() {
+            handle.shutdown().await;
+        }
+    }
+
+    pub(crate) async fn connection(self: &Arc<Self>) -> Result<PooledConnection<E>, Error> {
         loop {
             let conn = {
                 let mut connections = self.connections.lock().await;
+                let Some(connections) = connections.as_mut() else {
+                    // The transport was shut down
+                    return Err(error::transport_shutdown());
+                };
                 connections.pop()
             };
 
@@ -181,13 +208,20 @@ impl<E: Executor> Pool<E> {
             #[cfg(feature = "tracing")]
             tracing::debug!("recycling connection");
 
-            let mut connections = self.connections.lock().await;
+            let mut connections_guard = self.connections.lock().await;
-            if connections.len() >= self.config.max_size as usize {
+
-                drop(connections);
+            if let Some(connections) = connections_guard.as_mut() {
-                conn.abort().await;
+                if connections.len() >= self.config.max_size as usize {
+                    drop(connections_guard);
+                    conn.abort().await;
+                } else {
+                    let conn = ParkedConnection::park(conn);
+                    connections.push(conn);
+                }
             } else {
-                let conn = ParkedConnection::park(conn);
+                // The pool has already been shut down
-                connections.push(conn);
+                drop(connections_guard);
+                conn.abort().await;
             }
         }
     }
@@ -200,7 +234,13 @@ impl<E: Executor> Debug for Pool<E> {
             .field(
                 "connections",
                 &match self.connections.try_lock() {
-                    Some(connections) => format!("{} connections", connections.len()),
+                    Some(connections) => {
+                        if let Some(connections) = connections.as_ref() {
+                            format!("{} connections", connections.len())
+                        } else {
+                            "SHUT DOWN".to_owned()
+                        }
+                    }
 
                     None => "LOCKED".to_owned(),
                 },
@@ -222,14 +262,16 @@ impl<E: Executor> Drop for Pool<E> {
         #[cfg(feature = "tracing")]
         tracing::debug!("dropping Pool");
 
-        let connections = mem::take(self.connections.get_mut());
+        let connections = self.connections.get_mut().take();
         let handle = self.handle.take();
         E::spawn(async move {
             if let Some(handle) = handle {
                 handle.shutdown().await;
             }
 
-            abort_concurrent(connections.into_iter().map(ParkedConnection::unpark)).await;
+            if let Some(connections) = connections {
+                abort_concurrent(connections.into_iter().map(ParkedConnection::unpark)).await;
+            }
         });
     }
 }

src/transport/smtp/pool/mod.rs

@@ -1,8 +1,8 @@
 use std::time::Duration;
 
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
-pub mod async_impl;
+pub(super) mod async_impl;
-pub mod sync_impl;
+pub(super) mod sync_impl;
 
 /// Configuration for a connection pool
 #[derive(Debug, Clone)]

src/transport/smtp/pool/sync_impl.rs

@@ -1,8 +1,7 @@
 use std::{
     fmt::{self, Debug},
-    mem,
     ops::{Deref, DerefMut},
-    sync::{Arc, Mutex, TryLockError},
+    sync::{mpsc, Arc, Mutex, TryLockError},
     thread,
     time::{Duration, Instant},
 };
@@ -11,11 +10,12 @@ use super::{
     super::{client::SmtpConnection, Error},
     PoolConfig,
 };
-use crate::transport::smtp::transport::SmtpClient;
+use crate::transport::smtp::{error, transport::SmtpClient};
 
-pub struct Pool {
+pub(crate) struct Pool {
     config: PoolConfig,
-    connections: Mutex<Vec<ParkedConnection>>,
+    connections: Mutex<Option<Vec<ParkedConnection>>>,
+    thread_terminator: mpsc::SyncSender<()>,
     client: SmtpClient,
 }
 
@@ -24,16 +24,19 @@ struct ParkedConnection {
     since: Instant,
 }
 
-pub struct PooledConnection {
+pub(crate) struct PooledConnection {
     conn: Option<SmtpConnection>,
     pool: Arc<Pool>,
 }
 
 impl Pool {
-    pub fn new(config: PoolConfig, client: SmtpClient) -> Arc<Self> {
+    pub(crate) fn new(config: PoolConfig, client: SmtpClient) -> Arc<Self> {
+        let (thread_tx, thread_rx) = mpsc::sync_channel(1);
+
         let pool = Arc::new(Self {
             config,
-            connections: Mutex::new(Vec::new()),
+            connections: Mutex::new(Some(Vec::new())),
+            thread_terminator: thread_tx,
             client,
         });
 
@@ -54,6 +57,10 @@ impl Pool {
                         #[allow(clippy::needless_collect)]
                         let (count, dropped) = {
                             let mut connections = pool.connections.lock().unwrap();
+                            let Some(connections) = connections.as_mut() else {
+                                // The transport was shut down
+                                return;
+                            };
 
                             let to_drop = connections
                                 .iter()
@@ -86,6 +93,11 @@ impl Pool {
                             };
 
                             let mut connections = pool.connections.lock().unwrap();
+                            let Some(connections) = connections.as_mut() else {
+                                // The transport was shut down
+                                return;
+                            };
+
                             connections.push(ParkedConnection::park(conn));
 
                             #[cfg(feature = "tracing")]
@@ -109,7 +121,15 @@ impl Pool {
                             }
                         }
 
-                        thread::sleep(idle_timeout);
+                        drop(pool);
+
+                        match thread_rx.recv_timeout(idle_timeout) {
+                            Ok(()) | Err(mpsc::RecvTimeoutError::Disconnected) => {
+                                // The transport was shut down
+                                return;
+                            }
+                            Err(mpsc::RecvTimeoutError::Timeout) => {}
+                        }
                     }
                 })
                 .expect("couldn't spawn the Pool thread");
@@ -118,10 +138,25 @@ impl Pool {
         pool
     }
 
-    pub fn connection(self: &Arc<Self>) -> Result<PooledConnection, Error> {
+    pub(crate) fn shutdown(&self) {
+        let connections = { self.connections.lock().unwrap().take() };
+        if let Some(connections) = connections {
+            for conn in connections {
+                conn.unpark().abort();
+            }
+        }
+
+        _ = self.thread_terminator.try_send(());
+    }
+
+    pub(crate) fn connection(self: &Arc<Self>) -> Result<PooledConnection, Error> {
         loop {
             let conn = {
                 let mut connections = self.connections.lock().unwrap();
+                let Some(connections) = connections.as_mut() else {
+                    // The transport was shut down
+                    return Err(error::transport_shutdown());
+                };
                 connections.pop()
             };
 
@@ -165,13 +200,20 @@ impl Pool {
             #[cfg(feature = "tracing")]
             tracing::debug!("recycling connection");
 
-            let mut connections = self.connections.lock().unwrap();
+            let mut connections_guard = self.connections.lock().unwrap();
-            if connections.len() >= self.config.max_size as usize {
+
-                drop(connections);
+            if let Some(connections) = connections_guard.as_mut() {
-                conn.abort();
+                if connections.len() >= self.config.max_size as usize {
+                    drop(connections_guard);
+                    conn.abort();
+                } else {
+                    let conn = ParkedConnection::park(conn);
+                    connections.push(conn);
+                }
             } else {
-                let conn = ParkedConnection::park(conn);
+                // The pool has already been shut down
-                connections.push(conn);
+                drop(connections_guard);
+                conn.abort();
             }
         }
     }
@@ -184,7 +226,13 @@ impl Debug for Pool {
             .field(
                 "connections",
                 &match self.connections.try_lock() {
-                    Ok(connections) => format!("{} connections", connections.len()),
+                    Ok(connections) => {
+                        if let Some(connections) = connections.as_ref() {
+                            format!("{} connections", connections.len())
+                        } else {
+                            "SHUT DOWN".to_owned()
+                        }
+                    }
 
                     Err(TryLockError::WouldBlock) => "LOCKED".to_owned(),
                     Err(TryLockError::Poisoned(_)) => "POISONED".to_owned(),
@@ -200,10 +248,11 @@ impl Drop for Pool {
         #[cfg(feature = "tracing")]
         tracing::debug!("dropping Pool");
 
-        let connections = mem::take(&mut *self.connections.get_mut().unwrap());
+        if let Some(connections) = self.connections.get_mut().unwrap().take() {
-        for conn in connections {
+            for conn in connections {
-            let mut conn = conn.unpark();
+                let mut conn = conn.unpark();
-            conn.abort();
+                conn.abort();
+            }
         }
     }
 }

src/transport/smtp/response.rs

@@ -12,8 +12,8 @@ use nom::{
     bytes::streaming::{tag, take_until},
     combinator::{complete, map},
     multi::many0,
-    sequence::{preceded, tuple},
+    sequence::preceded,
-    IResult,
+    IResult, Parser,
 };
 
 use crate::transport::smtp::{error, Error};
@@ -221,7 +221,8 @@ fn parse_severity(i: &str) -> IResult<&str, Severity> {
         map(tag("3"), |_| Severity::PositiveIntermediate),
         map(tag("4"), |_| Severity::TransientNegativeCompletion),
         map(tag("5"), |_| Severity::PermanentNegativeCompletion),
-    ))(i)
+    ))
+    .parse(i)
 }
 
 fn parse_category(i: &str) -> IResult<&str, Category> {
@@ -232,7 +233,8 @@ fn parse_category(i: &str) -> IResult<&str, Category> {
         map(tag("3"), |_| Category::Unspecified3),
         map(tag("4"), |_| Category::Unspecified4),
         map(tag("5"), |_| Category::MailSystem),
-    ))(i)
+    ))
+    .parse(i)
 }
 
 fn parse_detail(i: &str) -> IResult<&str, Detail> {
@@ -247,18 +249,20 @@ fn parse_detail(i: &str) -> IResult<&str, Detail> {
         map(tag("7"), |_| Detail::Seven),
         map(tag("8"), |_| Detail::Eight),
         map(tag("9"), |_| Detail::Nine),
-    ))(i)
+    ))
+    .parse(i)
 }
 
 pub(crate) fn parse_response(i: &str) -> IResult<&str, Response> {
-    let (i, lines) = many0(tuple((
+    let (i, lines) = many0((
         parse_code,
         preceded(tag("-"), take_until("\r\n")),
         tag("\r\n"),
-    )))(i)?;
+    ))
+    .parse(i)?;
     let (i, (last_code, last_line)) =
-        tuple((parse_code, preceded(tag(" "), take_until("\r\n"))))(i)?;
+        (parse_code, preceded(tag(" "), take_until("\r\n"))).parse(i)?;
-    let (i, _) = complete(tag("\r\n"))(i)?;
+    let (i, _) = complete(tag("\r\n")).parse(i)?;
 
     // Check that all codes are equal.
     if !lines.iter().all(|&(code, _, _)| code == last_code) {

src/transport/smtp/transport.rs

@@ -7,7 +7,7 @@ use super::pool::sync_impl::Pool;
 #[cfg(feature = "pool")]
 use super::PoolConfig;
 use super::{ClientId, Credentials, Error, Mechanism, Response, SmtpConnection, SmtpInfo};
-#[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+#[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
 use super::{Tls, TlsParameters, SUBMISSIONS_PORT, SUBMISSION_PORT};
 use crate::{address::Envelope, Transport};
 
@@ -60,6 +60,11 @@ impl Transport for SmtpTransport {
 
         Ok(result)
     }
+
+    fn shutdown(&self) {
+        #[cfg(feature = "pool")]
+        self.inner.shutdown();
+    }
 }
 
 impl Debug for SmtpTransport {
@@ -77,10 +82,10 @@ impl SmtpTransport {
     ///
     /// Creates an encrypted transport over submissions port, using the provided domain
     /// to validate TLS certificates.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn relay(relay: &str) -> Result<SmtpTransportBuilder, Error> {
         let tls_parameters = TlsParameters::new(relay.into())?;
@@ -101,10 +106,10 @@ impl SmtpTransport {
     ///
     /// An error is returned if the connection can't be upgraded. No credentials
     /// or emails will be sent to the server, protecting from downgrade attacks.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn starttls_relay(relay: &str) -> Result<SmtpTransportBuilder, Error> {
         let tls_parameters = TlsParameters::new(relay.into())?;
@@ -172,7 +177,7 @@ impl SmtpTransport {
     /// a proper URL encoder, like the following cargo script:
     ///
     /// ```rust
-    /// # let _ = r#"
+    /// # const TOML: &str = r#"
     /// #!/usr/bin/env cargo
     ///
     /// //! ```cargo
@@ -230,10 +235,10 @@ impl SmtpTransport {
     /// # Ok(())
     /// # }
     /// ```
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn from_url(connection_url: &str) -> Result<SmtpTransportBuilder, Error> {
         super::connection_url::from_connection_url(connection_url)
@@ -333,10 +338,10 @@ impl SmtpTransportBuilder {
     ///
     /// Using the wrong [`Tls`] and [`Self::port`] combination may
     /// lead to hard to debug IO errors coming from the TLS library.
-    #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+    #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
     #[cfg_attr(
         docsrs,
-        doc(cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls")))
+        doc(cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls")))
     )]
     pub fn tls(mut self, tls: Tls) -> Self {
         self.info.tls = tls;
@@ -369,7 +374,7 @@ impl SmtpTransportBuilder {
 
 /// Build client
 #[derive(Debug, Clone)]
-pub struct SmtpClient {
+pub(super) struct SmtpClient {
     info: SmtpInfo,
 }
 
@@ -377,10 +382,10 @@ impl SmtpClient {
     /// Creates a new connection directly usable to send emails
     ///
     /// Handles encryption and authentication
-    pub fn connection(&self) -> Result<SmtpConnection, Error> {
+    pub(super) fn connection(&self) -> Result<SmtpConnection, Error> {
         #[allow(clippy::match_single_binding)]
         let tls_parameters = match &self.info.tls {
-            #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+            #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
             Tls::Wrapper(tls_parameters) => Some(tls_parameters),
             _ => None,
         };
@@ -394,7 +399,7 @@ impl SmtpClient {
             None,
         )?;
 
-        #[cfg(any(feature = "native-tls", feature = "rustls-tls", feature = "boring-tls"))]
+        #[cfg(any(feature = "native-tls", feature = "rustls", feature = "boring-tls"))]
         match &self.info.tls {
             Tls::Opportunistic(tls_parameters) => {
                 if conn.can_starttls() {

src/transport/smtp/util.rs

@@ -4,7 +4,7 @@ use std::fmt::{Display, Formatter, Result as FmtResult};
 
 /// Encode a string as xtext
 #[derive(Debug)]
-pub struct XText<'a>(pub &'a str);
+pub(crate) struct XText<'a>(pub(crate) &'a str);
 
 impl Display for XText<'_> {
     fn fmt(&self, f: &mut Formatter<'_>) -> FmtResult {

src/transport/stub/mod.rs

@@ -43,13 +43,11 @@
 use std::{
     error::Error as StdError,
     fmt,
-    sync::{Arc, Mutex as StdMutex},
+    sync::{Arc, Mutex},
 };
 
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
 use async_trait::async_trait;
-#[cfg(any(feature = "tokio1", feature = "async-std1"))]
-use futures_util::lock::Mutex as FuturesMutex;
 
 #[cfg(any(feature = "tokio1", feature = "async-std1"))]
 use crate::AsyncTransport;
@@ -72,7 +70,7 @@ impl StdError for Error {}
 #[derive(Debug, Clone)]
 pub struct StubTransport {
     response: Result<(), Error>,
-    message_log: Arc<StdMutex<Vec<(Envelope, String)>>>,
+    message_log: Arc<Mutex<Vec<(Envelope, String)>>>,
 }
 
 /// This transport logs messages and always returns the given response
@@ -81,7 +79,7 @@ pub struct StubTransport {
 #[cfg_attr(docsrs, doc(cfg(any(feature = "tokio1", feature = "async-std1"))))]
 pub struct AsyncStubTransport {
     response: Result<(), Error>,
-    message_log: Arc<FuturesMutex<Vec<(Envelope, String)>>>,
+    message_log: Arc<Mutex<Vec<(Envelope, String)>>>,
 }
 
 impl StubTransport {
@@ -89,7 +87,7 @@ impl StubTransport {
     pub fn new(response: Result<(), Error>) -> Self {
         Self {
             response,
-            message_log: Arc::new(StdMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
@@ -97,7 +95,7 @@ impl StubTransport {
     pub fn new_ok() -> Self {
         Self {
             response: Ok(()),
-            message_log: Arc::new(StdMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
@@ -105,7 +103,7 @@ impl StubTransport {
     pub fn new_error() -> Self {
         Self {
             response: Err(Error),
-            message_log: Arc::new(StdMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
@@ -124,7 +122,7 @@ impl AsyncStubTransport {
     pub fn new(response: Result<(), Error>) -> Self {
         Self {
             response,
-            message_log: Arc::new(FuturesMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
@@ -132,7 +130,7 @@ impl AsyncStubTransport {
     pub fn new_ok() -> Self {
         Self {
             response: Ok(()),
-            message_log: Arc::new(FuturesMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
@@ -140,14 +138,14 @@ impl AsyncStubTransport {
     pub fn new_error() -> Self {
         Self {
             response: Err(Error),
-            message_log: Arc::new(FuturesMutex::new(vec![])),
+            message_log: Arc::new(Mutex::new(vec![])),
         }
     }
 
     /// Return all logged messages sent using [`AsyncTransport::send_raw`]
     #[cfg(any(feature = "tokio1", feature = "async-std1"))]
     pub async fn messages(&self) -> Vec<(Envelope, String)> {
-        self.message_log.lock().await.clone()
+        self.message_log.lock().unwrap().clone()
     }
 }
 
@@ -173,7 +171,7 @@ impl AsyncTransport for AsyncStubTransport {
     async fn send_raw(&self, envelope: &Envelope, email: &[u8]) -> Result<Self::Ok, Self::Error> {
         self.message_log
             .lock()
-            .await
+            .unwrap()
             .push((envelope.clone(), String::from_utf8_lossy(email).into()));
         self.response
     }