symfony
diff --git a/‎src/Symfony/Component/Mailer/CHANGELOG.md
Lines changed: 1 addition & 0 deletions b/‎src/Symfony/Component/Mailer/CHANGELOG.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/Symfony/Component/Mailer/Tests/Transport/Smtp/EsmtpTransportFactoryTest.php
Lines changed: 12 additions & 0 deletions b/‎src/Symfony/Component/Mailer/Tests/Transport/Smtp/EsmtpTransportFactoryTest.php
Lines changed: 12 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Mailer/Tests/Transport/Smtp/EsmtpTransportTest.php
Lines changed: 19 additions & 0 deletions b/‎src/Symfony/Component/Mailer/Tests/Transport/Smtp/EsmtpTransportTest.php
Lines changed: 19 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php
Lin 8000 es changed: 22 additions & 0 deletions b/‎src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php
Lin 8000 es changed: 22 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransportFactory.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransportFactory.php
Lines changed: 4 additions & 0 deletions
@@ -7,6 +7,7 @@ CHANGELOG
  * Add DSN param `retry_period` to override default email transport retry period
  * Add `Dsn::getBooleanOption()`
  * Add DSN param `source_ip` to allow binding to a (specific) IPv4 or IPv6 address.
+ * Add DSN param `require_tls` to enforce use of TLS/STARTTLS
 
 7.2
 ---
@@ -194,6 +194,18 @@ public static function createProvider(): iterable
             Dsn::fromString('smtps://:@example.com:465?source_ip=[2606:4700:20::681a:5fb]'),
             $transport,
         ];
+
+        $transport = new EsmtpTransport('example.com', 465, true, null, $logger);
+        $transport->setRequireTls(true);
+
+        yield [
+            new Dsn('smtps', 'example.com', '', '', 465, ['require_tls' => true]),
+            $transport,
+        ];
+        yield [
+            Dsn::fromString('smtps://:@example.com?require_tls=true'),
+            $transport,
+        ];
     }
 
     public static function unsupportedSchemeProvider(): iterable
 
@@ -297,6 +297,25 @@ public function testSocketTimeout()
             $stream->getCommands()
         );
     }
+
+    public function testRequireTls()
+    {
+        $stream = new DummyStream();
+        $transport = new EsmtpTransport(stream: $stream);
+        $transport->setRequireTls(true);
+
+        $message = new Email();
+        $message->from('sender@example.org');
+        $message->addTo('recipient@example.org');
+        $message->text('.');
+
+        try {
+            $transport->send($message);
+            $this->fail('Symfony\Component\Mailer\Exception\TransportException to be thrown');
+        } catch (TransportException $e) {
+            $this->assertStringStartsWith('TLS required but neither TLS or STARTTLS are in use.', $e->getMessage());
+        }
+    }
 }
 
 class CustomEsmtpTransport extends EsmtpTransport
 
@@ -33,6 +33,7 @@ class EsmtpTransport extends SmtpTransport
     private string $password = '';
     private array $capabilities;
     private bool $autoTls = true;
+    private bool $requireTls = false;
 
     public function __construct(string $host = 'localhost', int $port = 0, ?bool $tls = null, ?EventDispatcherInterface $dispatcher = null, ?LoggerInterface $logger = null, ?AbstractStream $stream = null, ?array $authenticators = null)
     {
@@ -116,6 +117,21 @@ public function isAutoTls(): bool
         return $this->autoTls;
     }
 
+    /**
+     * @return $this
+     */
+    public function setRequireTls(bool $requireTls): static
+    {
+        $this->requireTls = $requireTls;
+
+        return $this;
+    }
+
+    public function isTlsRequired(): bool
+    {
+        return $this->requireTls;
+    }
+
     public function setAuthenticators(array $authenticators): void
     {
         $this->authenticators = [];
@@ -159,6 +175,7 @@ private function doEhloCommand(): string
 
         /** @var SocketStream $stream */
         $stream = $this->getStream();
+        $tlsStarted = $stream->isTls();
         // WARNING: !$stream->isTLS() is right, 100% sure :)
         // if you think that the ! should be removed, read the code again
         // if doing so "fixes" your issue then it probably means your SMTP server behaves incorrectly or is wrongly configured
@@ -169,10 +186,15 @@ private function doEhloCommand(): string
                 throw new TransportException('Unable to connect with STARTTLS.');
             }
 
+            $tlsStarted = true;
             $response = $this->executeCommand(\sprintf("EHLO %s\r\n", $this->getLocalDomain()), [250]);
             $this->capabilities = $this->parseCapabilities($response);
         }
 
+        if (!$tlsStarted && $this->isTlsRequired()) {
+            throw new TransportException('TLS required but neither TLS or STARTTLS are in use.');
+        }
+
         if (\array_key_exists('AUTH', $this->capabilities)) {
             $this->handleAuth($this->capabilities['AUTH']);
         }
 
@@ -78,6 +78,10 @@ public function create(Dsn $dsn): TransportInterface
             $transport->setPingThreshold((int) $pingThreshold);
         }
 
+        if (null !== ($tlsRequired = $dsn->getOption('require_tls'))) {
+            $transport->setRequireTls((bool) $tlsRequired);
+        }
+
         return $transport;
     }
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,10 @@ public function create(Dsn $dsn): TransportInterface`
`78`	`78`	`$transport->setPingThreshold((int) $pingThreshold);`
`79`	`79`	`}`
`80`	`80`
	`81`	`+ if (null !== ($tlsRequired = $dsn->getOption('require_tls'))) {`
	`82`	`+ $transport->setRequireTls((bool) $tlsRequired);`
	`83`	`+ }`
	`84`	`+`
`81`	`85`	`return $transport;`
`82`	`86`	`}`
`83`	`87`