Regarding your NixOS module, I'm happy to accept a PR with a new "Community links" section in the main README which links to it.

Thanks for this @ntninja !

I'm not interested in adding this deprecation and change, unless there's some very specific need/request for it. Could you elaborate on what it is?

Ideally and eventually, I'd like to move away from nodemailer, because SMTP is not that complicated and these emails are very simple, so binding the config to that dependency is something I'm not very willing to do.

In my case I needed the ignoreTLS flag to have it not attempt to do TLS certificate verification on the self-signed DANE certificate (something that neither nodemailer, nor your imagined custom solution is likely to support) when connecting to the localhost MTA. Users connecting to an MSA on a different host will always want to enable either secure OR requireTLS instead. Some will need to disable TLS certificate verification or set an external hostname. I’ll likely need different options once I’m able to make it instead connect to the MSA (there’s a limitation in the Dovecot 2.3.x Submission agent, that’s only fixed in the upcoming 2.4.x).

I think your underestimating the complexity of real-world mail deployments, SMTP being “simple” just means that all the complexity ends up in the configuration/deployment options of client (hence why setting up mail clients is often a pain) and getting anything to work particularily with custom mail clients is always a huge pain in the a** – for instance ntfy built-in “simple” email client based on the one shipped in the go standard library (which intentionally states its “simplistic”), I simply could get to work since it insists on validating a DANE certificate using the system CA store…

Had I had the fully nodemailer options available from the get-go, rather than trying to figure out how to make it work with what is current exposed in the code (turned out impossible), I would have wasted a lot less time in getting it to work since I would have been able immediately tried the ignoreTLS option after it gave me a highly nondescript “Write error: EUNKNOWN” – turned out it have actually failed on attempting authentication, but what do I know with that error, right?

Additionally, before I'd accept a utility function like that, it would have to be in misc utils, have explicit types, and tests.

Thought so, wanted to wait for review and feature agreement before I throw time at time though.

Thanks for all the details! Given all of the above, I'd accept a new configuration option tlsMode: 'enable' | 'enforce' | 'ignore' defaulting to enable (which would basically be the current logic if I'm understanding correctly) which sends the appropriate option to nodemailer's transport. I know it's not what you wanted, but hopefully it'll help.

I see, I might end up pestering you for more options then. Will make a new PR once I implemented that!