Status: Open. foxcpp opened this issue 3 years ago.
Use-cases to evaluate:
TLS terminator needs to be protocol-aware for server-server SMTP: it needs to proxy SMTP capabilities and inject STARTTLS support, implement it, and pass through all necessary metadata (EHLO hostname). maddy needs to be aware of TLS being used for security policy evaluation.
For client-server SMTP and IMAP, no special support in the TLS terminator is needed as long as implicit TLS is used, which is recommended by the IETF over STARTTLS anyway.
In addition, it might be useful to support TLS between proxy and maddy. We can probably limit this to implicit TLS to keep things simple.
Simplest configuration to be supported:

```
smtp tcp://127.0.0.1:2525 {
    proxy_protocol {
        assume_tls # should be turned on by default?
    }
    # if TLS is configured - it is for TLS between proxy and maddy. Not considered in policy evaluation.
    #tls ...
    ...
}

submission tcp://127.0.0.1:565 {
    proxy_protocol
    # insecure_auth assumed if proxy_protocol is used
}

imap tcp://127.0.0.1:1447 {
    proxy_protocol
    # insecure_auth assumed if proxy_protocol is used
}
```
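As an added example (not maddy's code, and not part of this thread), here is how a mail daemon behind a terminator can learn the TLS state from the PROXY protocol v2 header itself instead of relying on a blanket `assume_tls` switch: the PP2_TYPE_SSL TLV carries a PP2_CLIENT_SSL flag, and policy evaluation should treat the hop as plaintext whenever that flag is absent. The parser below covers TCP over IPv4 only; `SampleHeader` builds a constructed header for a made-up client address.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"net"
)

var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed PROXY v2 prefix

// ParseProxyV2 reads a PROXY v2 header (TCP over IPv4, command PROXY) and
// returns the real client IP plus whether the client hop used TLS. TLS is never
// assumed: it is true only if a PP2_TYPE_SSL TLV reports PP2_CLIENT_SSL.
func ParseProxyV2(buf []byte) (src net.IP, tls bool, err error) {
	if len(buf) < 16 || !bytes.Equal(buf[:12], v2Signature) {
		return nil, false, errors.New("no PROXY v2 signature")
	}
	if buf[12] != 0x21 || buf[13] != 0x11 { // v2+PROXY, AF_INET+STREAM
		return nil, false, errors.New("unsupported PROXY v2 command or family")
	}
	n := int(binary.BigEndian.Uint16(buf[14:16])) // bytes after this field
	if n < 12 || len(buf) < 16+n {
		return nil, false, errors.New("truncated PROXY v2 header")
	}
	body := buf[16 : 16+n] // src/dst addr (4+4), src/dst port (2+2), TLVs
	src = net.IPv4(body[0], body[1], body[2], body[3])
	for tlv := body[12:]; len(tlv) >= 3; {
		typ, l := tlv[0], int(binary.BigEndian.Uint16(tlv[1:3]))
		if len(tlv) < 3+l {
			return nil, false, errors.New("truncated TLV")
		}
		// PP2_TYPE_SSL (0x20) value: client flags, 4-byte verify, sub-TLVs; flag bit 0 = PP2_CLIENT_SSL.
		if typ == 0x20 && l >= 5 && tlv[3]&0x01 != 0 {
			tls = true
		}
		tlv = tlv[3+l:]
	}
	return src, tls, nil
}

// SampleHeader is a constructed header (203.0.113.7:51234 -> 192.0.2.1:25), optionally with a PP2_TYPE_SSL TLV.
func SampleHeader(withTLS bool) []byte {
	body := []byte{203, 0, 113, 7, 192, 0, 2, 1, 0xC8, 0x22, 0, 25}
	if withTLS {
		body = append(body, 0x20, 0, 5, 0x01, 0, 0, 0, 0)
	}
	hdr := append(append([]byte{}, v2Signature...), 0x21, 0x11, 0, byte(len(body)))
	return append(hdr, body...)
}
```

The same header would also tell the daemon the real client IP for SPF and rate-limiting decisions, which is the other piece of "necessary information" a terminator has to forward.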
This block seems to be resolved in https://github.com/emersion/go-smtp/pull/148
It looks like Caddy 2 currently supports the PROXY protocol via the caddy-l4 app (see linked discussion). So Caddy is in good company with other proxies that will support this mail reverse-proxy configuration.
From OP:

> Putting maddy behind a reverse proxy/load balancer/TLS terminator while still providing necessary information for any policy validation.

From README.md:

> In addition to that it implements auxiliary protocols that are mandatory to keep email reasonably secure (DKIM, SPF, DMARC, DANE, MTA-STS).

Will a plain PROXY-based reverse proxy still allow maddy to serve all of these auxiliary protocols?
Of these, only MTA-STS seems like it would need to be handled directly by the upstream proxy/Caddy. The rest come down to DNS configuration. Maybe there's an opportunity for a Caddy app that autoconfigures the necessary DNS (and either sets up DKIM manually, or pushes it out to be handled by Caddy directly; see also dkim-milter, maddy/internal/modify/dkim/keys.go, and "/dkim.go).
See also maddy's initial configuration docs.
Use case
Putting maddy behind a reverse proxy/load balancer/TLS terminator while still providing necessary information for any policy validation.
Implementation
See #296 for relevant discussion.
Exact configuration syntax and semantics are up for discussion.
Task list