ddavness / power-mailinabox

A Mail-in-a-Box with extra capabilities and more customizability. Not just for power users!
Creative Commons Zero v1.0 Universal

Add Cloudflare API support #60

Open UltraHKR opened 2 years ago

UltraHKR commented 2 years ago

Hi, ddavness

First of all I'm extremely grateful for the rework of MiAB, it looks and feels awesome!

I have this "simple" request, I use Cloudflare as my NS and that poses 2 problems:

What I would try to do is: add a question before the installer starts requesting ACME certs, saying "Are you using Cloudflare CDN?"

Will you accept a PR that allows this? (And help me out somewhat with certain file locations and logic)

ddavness commented 2 years ago

It's an okay feature to implement - as far as I understand some folks just prefer to use CF, however IIRC they don't provide a DNS-native protocol for this. (Well, they do, but it's for Enterprise customers only - and I guess that if you're paying upwards of 10.000+$/year for that then you're using something else to host your mail - source: https://developers.cloudflare.com/dns/zone-setups/zone-transfers/)

However, I feel that there's a better way to approach this from a User Experience perspective - ideally, you'd have a section on either the Custom DNS or External DNS page that would allow you to link the box to your CF account. From that point on the box would automatically and transparently synchronize the records with the CF account. That's it, no more setup needed.

UltraHKR commented 2 years ago

My gripe is that MiAB wants to do everything........ I like certain things separated (FW & DNS for example)

So for example if we go the cloudflare route: The certs are easy https://www.keyvanfatehi.com/2021/09/11/using-acme-sh-in-cloudflare-dns-mode-to-easily-maintain-wildcard-ssl-certificate-for-apache-server-on-ubuntu-20-04/ https://mangolassi.it/topic/18355/setup-letsencrypt-certbot-with-cloudflare-dns-authentication-ubuntu

Updating DNS with cloudflare API: https://api.cloudflare.com/#getting-started-endpoints

ddavness commented 2 years ago

I'm thinking about the feature working both ways - whatever record you add/delete on the box or whatever key is regenerated the box is able to post that in the CF DNS right away; and if you add or delete a record directly on CF the box is to take note of that too.

The only issue I find with that is what if you delete/change a record that is managed by the box and that it isn't supposed to be able to be overridden - should the box respect that or should the box just put the record back in as it is supposed to be right away?

UltraHKR commented 2 years ago

Yeah, I was thinking about that........

My line of thinking is [External DNS] > List of records > Toggle - NS Records (The "toggle", a checkbox really allows/denies updating the NS records)

UltraHKR commented 2 years ago

ddavness, so to move forward:

which files create the DNS request on install? https://github.com/ddavness/power-mailinabox/blob/main/setup/start.sh https://github.com/ddavness/power-mailinabox/blob/main/setup/ssl.sh https://github.com/ddavness/power-mailinabox/blob/main/setup/management.sh

which files update the DNS records? https://github.com/ddavness/power-mailinabox/blob/main/management/ssl_certificates.py

I suppose those are the minimum files to be edited..... Without touching the WebUI

nameduser0 commented 2 years ago

This isn't just a CloudFlare issue. There are hundreds of DNS providers each with their own non-standard API, CF is just one. I also like to keep my DNS external, are you also going to support my DNS provider API or allow a provider plugin?

It might be worth evaluating if you can reuse the acme.sh interface which was only meant to support acme validation TXT records...
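The two-way sync ddavness describes, the per-type "toggle" UltraHKR sketches, and the provider-plugin idea above can be prototyped without touching any real DNS API. The following is an added illustration, not power-mailinabox code: `MemoryProvider` is a constructed stand-in for whatever provider backend (Cloudflare or another) a plugin would wrap, and `reconcile` decides, per record type, whether the box's view wins or a user edit at the provider is kept.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "box.example.com"
    rtype: str   # "A", "MX", "NS", "TLSA", ...
    value: str

class MemoryProvider:
    """Constructed stand-in for a provider API; a real plugin would
    implement the same three methods against the provider's endpoints."""
    def __init__(self, records):
        self.records = set(records)
    def list_records(self):
        return set(self.records)
    def create(self, rec):
        self.records.add(rec)
    def delete(self, rec):
        self.records.discard(rec)

def _by_key(records):
    groups = defaultdict(set)
    for r in records:
        groups[(r.name, r.rtype)].add(r)
    return groups

def reconcile(provider, box_records, enforced_types):
    """Push the box's records to the provider.

    For each (name, type) the box manages: if the type is in
    `enforced_types` (the per-type toggle), the box's view wins and edits
    made at the provider are reverted; otherwise an existing user edit at
    the provider is kept and reported, and only missing records are added.
    Records the box does not manage (e.g. www) are never touched.
    """
    want, have = _by_key(box_records), _by_key(provider.list_records())
    created, deleted, kept = [], [], []
    for key, desired in want.items():
        remote = have.get(key, set())
        if remote == desired:
            continue
        if remote and key[1] not in enforced_types:
            kept.append(key)          # user override respected, reported
            continue
        for r in sorted(remote - desired, key=lambda x: x.value):
            provider.delete(r); deleted.append(r)
        for r in sorted(desired - remote, key=lambda x: x.value):
            provider.create(r); created.append(r)
    return {"created": created, "deleted": deleted, "kept": kept}
```

Run with an NS record left out of `enforced_types` and an A record kept in it to see one edit respected and the other reverted.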

nameduser0 commented 2 years ago

You also might be interested in this found in ssl_certificates.py:

  # The DANE TLSA record will remain valid so long as the private key
  # hasn't changed. We don't ever change the private key automatically.
  # If the user does it, they must manually update DNS.

Meaning your first issue, "If I create TLSA records they will not be updated, when refreshed.", isn't an issue
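Why the quoted comment holds: a `3 1 1` TLSA record hashes only the certificate's SubjectPublicKeyInfo, so a renewed certificate with the same key matches the published record, and only a key rotation invalidates it. This is an added example, not power-mailinabox code; the SPKI blobs are constructed placeholders, and `tlsa_rdata`, `tlsa_owner` and `record_still_valid` are hypothetical helper names.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real
# box would read them from the certificate (e.g. `openssl x509 -pubkey`).
SPKI_KEY_A = b"\x30\x82\x01\x22" + b"\x01" * 290   # original key
SPKI_KEY_B = b"\x30\x82\x01\x22" + b"\x02" * 290   # rotated key

def tlsa_rdata(spki_der, usage=3, selector=1, mtype=1):
    """TLSA presentation data. Defaults are DANE-EE / SPKI / SHA-256
    ('3 1 1'): the form that depends only on the public key, not on the
    certificate's serial, validity dates or issuer."""
    if selector != 1:
        raise ValueError("only the SPKI selector (1) is modelled here")
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](spki_der).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name the record is published under, e.g. _25._tcp.box.example.com."""
    return f"_{port}._{proto}.{host}"

def record_still_valid(published_rdata, new_spki_der):
    """True if a published record still matches the SPKI of a freshly
    issued certificate, i.e. the private key was reused on renewal.
    False means the user must update DNS by hand, as the comment says."""
    usage, selector, mtype, digest = published_rdata.split()
    expected = tlsa_rdata(new_spki_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == digest
```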

ddavness commented 2 years ago

> There are hundreds of DNS providers each with their own non-standard API, CF is just one. I also like to keep my DNS external, are you also going to support my DNS provider API or allow a provider plugin?

I see - this issue would probably circle back all the way to #46 that way. If there are a ton of DNS providers that use their own API without supporting AXFR, then we should focus on giving a solid base for individual providers to be built on instead of trying to hardcode them all.

UltraHKR commented 2 years ago

About the TLSA records, let's say tomorrow I change them to Cloudflare for HTTP/S; then the TLSA records need to be updated properly

UltraHKR commented 2 years ago

About the rest of DNS API providers, it's open source you could extend my PR (when done or even faster than me) so XYZ API is usable

nameduser0 commented 2 years ago

> About the TLSA records, let's say tomorrow I change them to Cloudflare for HTTP/S; then the TLSA records need to be updated properly

So if you're changing your certificate and frontend HTTPS concentrator:

  1. Wouldn't you expect to have to update your TLSA record manually because MIAB doesn't know your public or private key?
  2. Why would you want MIAB to even know about it? If you're issuing certificates externally, it's not unreasonable to expect your website to be on another server and your DNS to also be external.

This is a mail-in-a-box, not a webserver in a box. It just so happens it can also host static files.

nameduser0 commented 2 years ago

It seems to me you might be unaware you can have multiple certificates issued for the same domain and even subdomain on different servers?

  1. Let MIAB issue its own certificate for itself (SMTP, IMAP, POP3, Webmail): miab.domain.com
  2. Issue another certificate for your website on Blogger: www.domain.com
  3. Figure out which of the DNS records you need to use from the MIAB admin page, and which will be needed for your website and put them all in CF.