From 808eb3e53e0c41f7dde6d499663914029b7b7105 Mon Sep 17 00:00:00 2001
From: missytake
Date: Thu, 12 Mar 2026 17:36:08 +0100
Subject: [PATCH] config: make IPv4-only relays use self-signed TLS certs
---
 chatmaild/src/chatmaild/config.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/chatmaild/src/chatmaild/config.py b/chatmaild/src/chatmaild/config.py
index bdd71a1b..e0da5559 100644
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,3 +1,4 @@
+import ipaddress
 import os
 from pathlib import Path
@@ -76,7 +77,7 @@ class Config:
 )
 self.tls_cert_mode = "external"
 self.tls_cert_path, self.tls_key_path = parts
- elif self.mail_domain.startswith("_"):
+ elif self.mail_domain.startswith("_") or is_valid_ipv4(self.mail_domain):
 self.tls_cert_mode = "self"
 self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
 self.tls_key_path = "/etc/ssl/private/mailserver.key"
@@ -157,3 +158,12 @@ def get_default_config_content(mail_domain, **overrides):
 lines.append(line)
 content = "\n".join(lines)
 return content
+
+
+def is_valid_ipv4(address: str) -> bool:
+ """Check if a mail_domain is an IPv4 address."""
+ try:
+ ipaddress.IPv4Address(address)
+ return True
+ except ValueError:
+ return False
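Review bot: Choosing `tls_cert_mode = "self"` from the shape of `mail_domain` is a silent trust downgrade, and the changed `elif` in the `class Config` hunk carries no comment saying so. With a self-signed certificate, clients and peer relays cannot validate the server against a CA, so an operator who enters an address should be able to read that consequence at the decision point. I would add a comment above the branch such as `# bare IPv4 mail_domain: use a self-signed cert; peers cannot verify it against a CA, so trust has to come from elsewhere`. The check matches only a plain dotted quad, so an IPv6 literal or a bracketed form like `[203.0.113.5]` (constructed example) falls through to whatever branch follows, which is outside this hunk. Whether the generated certificate names the address in an IP subjectAltName is also not visible here and is worth confirming.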
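Review bot: `is_valid_ipv4` now decides which TLS mode a relay gets, but the diffstat lists only `config.py`, so this patch adds no test pinning which inputs select self-signed mode. A small test covering a dotted quad, a hostname, an IPv6 literal and an underscore domain would keep later edits from widening or narrowing that set unnoticed. The docstring could also state the negative cases, for example `"""Return True if address parses as a dotted-quad IPv4 address; hostnames and IPv6 literals return False."""`. As a style point, moving `return True` into an `else:` clause would leave only the `ipaddress.IPv4Address(address)` call inside the `try`.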