foxcpp / maddy

✉️ Composable all-in-one mail server.
https://maddy.email
GNU General Public License v3.0
4.95k stars, 239 forks

Add support for delegating DNS-01 challenge to a different domain #588

Closed cuu508 closed 1 year ago

cuu508 commented 1 year ago

Use case

DNS-01 challenge requires storing DNS API key in maddy.conf. DNS providers do not typically offer API keys that can be restricted to setting and removing `_acme-challenge` TXT records and nothing else. Storing an API key that controls DNS for the whole domain in maddy.conf is not great for security.

One workaround is to delegate DNS-01 challenges to a separate domain using a CNAME record: https://www.eff.org/deeplinks/2018/02/technical-deep-dive-securing-automation-acme-dns-challenge-validation (see the "Use a 'Throwaway' Validation Domain" section)

Your idea for a solution

DNS01Solver in the certmagic package has an OverrideDomain field:

```go
// Override the domain to set the TXT record on. This is
// to delegate the challenge to a different domain. Note
// that the solver doesn't follow CNAME/NS record.
OverrideDomain string
```

Allow it to be specified in maddy.conf, and pass it to DNS01Solver. Configuration mockup:

```
tls {
    loader acme {
        hostname example.com
        email hello@example.com
        agreed
        challenge dns-01
        override_domain example-acme-challenge.com
        dns cloudflare {
            api_token "..."
        }
    }
}
```
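Added example (not maddy's or certmagic's own code): a small pre-flight check an operator can run before relying on a delegated DNS-01 setup like the one mocked up above. It models the two halves that must line up: the CA's validator follows the CNAME from `_acme-challenge.<hostname>`, while the solver (per the certmagic comment quoted above) does not follow CNAMEs and, as assumed here, writes the TXT record exactly at the override name. It also shows the security point of the issue: the DNS API token in maddy.conf only needs to control the zone that contains the override name, not the mail domain itself. The DNS table and zone lists are constructed sample data; the function names (`check_delegation`, `txt_record_name`, `zone_for`) are hypothetical.

```python
"""Pre-flight consistency check for a delegated ACME DNS-01 challenge.

Added illustration, not maddy or certmagic code. The CNAME table below is a
constructed sample of what the public DNS view is expected to look like after
the EFF "throwaway validation domain" setup; no live lookups are made.
"""
from __future__ import annotations

# Constructed sample: name -> CNAME target, as published in public DNS.
CONSTRUCTED_CNAMES = {
    "_acme-challenge.example.com": "example-acme-challenge.com",
}


def _norm(name: str) -> str:
    """Normalize a DNS name: strip trailing dot, lowercase."""
    return name.rstrip(".").lower()


def validation_name(hostname: str) -> str:
    """Name the CA's validator queries for the TXT record (it follows CNAMEs)."""
    return f"_acme-challenge.{_norm(hostname)}"


def txt_record_name(hostname: str, override_domain: str | None = None) -> str:
    """Name the solver writes the TXT record at.

    Assumption: with an override the record is placed exactly at the override
    name (the solver does not follow CNAME/NS, as the quoted comment says).
    """
    if override_domain:
        return _norm(override_domain)
    return validation_name(hostname)


def follow_cnames(name: str, cnames: dict[str, str], max_hops: int = 8) -> str | None:
    """Follow CNAMEs like a validator would; None on a loop or too many hops."""
    current = _norm(name)
    seen: set[str] = set()
    for _ in range(max_hops):
        if current not in cnames:
            return current
        if current in seen:
            return None
        seen.add(current)
        current = _norm(cnames[current])
    return None


def zone_for(name: str, zones: list[str]) -> str | None:
    """Longest zone among `zones` that contains `name`, or None."""
    name = _norm(name)
    best = None
    for zone in (_norm(z) for z in zones):
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def check_delegation(
    hostname: str,
    override_domain: str | None,
    cnames: dict[str, str],
    token_zones: list[str],
) -> list[str]:
    """Return a list of problems (empty means the delegation is consistent).

    `token_zones` lists the zones the DNS API token in maddy.conf can edit.
    """
    problems: list[str] = []
    start = validation_name(hostname)
    target = txt_record_name(hostname, override_domain)

    final = follow_cnames(start, cnames)
    if final is None:
        problems.append(f"CNAME chain from {start} loops or exceeds the hop limit")
    elif final != target:
        problems.append(
            f"validator will read TXT at {final}, but the solver writes it at {target}"
        )

    if zone_for(target, token_zones) is None:
        problems.append(f"DNS API token cannot edit any zone containing {target}")
    return problems


if __name__ == "__main__":
    # Delegated setup: the token only controls the throwaway zone.
    print(check_delegation("example.com", "example-acme-challenge.com",
                           CONSTRUCTED_CNAMES, ["example-acme-challenge.com"]))
    # Same config but the CNAME was never published: issuance would fail.
    print(check_delegation("example.com", "example-acme-challenge.com",
                           {}, ["example-acme-challenge.com"]))
```

With the delegated configuration and the expected CNAME in place the check returns no problems even though the token has no rights over `example.com` at all, which is exactly the reduction in blast radius the issue asks for. A missing or mis-pointed CNAME is reported before any certificate request is attempted.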
cuu508 commented 1 year ago

I've been using the override_domain option for a couple of months now and it works great. Thanks @foxcpp !