fix: use Rustls NoCertificateVerification for underscore domains instead of AcceptInvalidCertificates

Remove AcceptInvalidCertificates overrides in configure.rs and qr.rs that
caused a fallback to OpenSSL/native-tls. The upstream Rustls TLS layer now
handles underscore-prefixed domains via NoCertificateVerification directly.
Also fix clippy lint in peer_channels.rs (map_or -> is_some_and).

src/configure.rs

@@ -581,13 +581,7 @@ async fn get_configured_param(
         smtp_password,
         provider,
         certificate_checks: match param.certificate_checks {
-            EnteredCertificateChecks::Automatic => {
-                if param_domain.starts_with('_') {
-                    ConfiguredCertificateChecks::AcceptInvalidCertificates
-                } else {
-                    ConfiguredCertificateChecks::Automatic
-                }
-            }
+            EnteredCertificateChecks::Automatic => ConfiguredCertificateChecks::Automatic,
             EnteredCertificateChecks::Strict => ConfiguredCertificateChecks::Strict,
             EnteredCertificateChecks::AcceptInvalidCertificates
             | EnteredCertificateChecks::AcceptInvalidCertificates2 => {

src/peer_channels.rs

@@ -247,7 +247,7 @@ impl Context {
         {
             // Underscore-prefixed domains use self-signed TLS certificates,
             // so we need to skip relay certificate verification for them.
-            let skip = relay_url.host_str().map_or(false, |h| h.starts_with('_'));
+            let skip = relay_url.host_str().is_some_and(|h| h.starts_with('_'));
             (RelayMode::Custom(RelayUrl::from(relay_url).into()), skip)
         } else {
             // FIXME: this should be RelayMode::Disabled instead.

src/qr.rs

@@ -817,11 +817,6 @@ pub(crate) async fn login_param_from_account_qr(
         .context("Invalid DCACCOUNT scheme")?;
 
     if !payload.starts_with(HTTPS_SCHEME) {
-        let certificate_checks = if payload.starts_with('_') {
-            EnteredCertificateChecks::AcceptInvalidCertificates
-        } else {
-            EnteredCertificateChecks::Strict
-        };
         let rng = &mut rand::rngs::OsRng.unwrap_err();
         let username = Alphanumeric.sample_string(rng, 9);
         let addr = username + "@" + payload;
@@ -834,7 +829,7 @@ pub(crate) async fn login_param_from_account_qr(
                 ..Default::default()
             },
             smtp: Default::default(),
-            certificate_checks,
+            certificate_checks: EnteredCertificateChecks::Automatic,
             oauth2: false,
         };
         return Ok(param);

src/qr/qr_tests.rs

@@ -767,18 +767,22 @@ async fn test_decode_account_underscore_domain() -> Result<()> {
         }
     );
 
-    // Verify login params use AcceptInvalidCertificates for underscore domain.
+    // Verify login params use Automatic for underscore domain.
+    // The TLS layer handles underscore domains via NoCertificateVerification in Rustls.
     let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:_example.org").await?;
     assert!(param.addr.ends_with("@_example.org"));
     assert_eq!(
         param.certificate_checks,
-        EnteredCertificateChecks::AcceptInvalidCertificates
+        EnteredCertificateChecks::Automatic
     );
 
-    // Regular domain still uses Strict.
+    // Regular domain also uses Automatic.
     let param = login_param_from_account_qr(&ctx.ctx, "dcaccount:example.org").await?;
     assert!(param.addr.ends_with("@example.org"));
-    assert_eq!(param.certificate_checks, EnteredCertificateChecks::Strict);
+    assert_eq!(
+        param.certificate_checks,
+        EnteredCertificateChecks::Automatic
+    );
 
     Ok(())
 }