stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: Automatically get ACME certs on requests to new hostnames #333

Open moeffju opened 6 months ago

moeffju commented 6 months ago

Which feature or improvement would you like to request?

I'd like to see this feature:

If Stalwart has access to the TLS connection establishment and SNI, it would be great to have the option for Stalwart to automatically try to get ACME certificates for new hostnames, similar to how Caddy does ACME-on-demand.

moeffju commented 5 months ago

Alternatively, make it easier to add each newly configured mail domain to the ACME domain list.

mdecimus commented 5 months ago

I'm not familiar with Caddy, but how does it prevent abuse and attacks when this feature is enabled? A bad actor could send thousands/millions of TLS handshakes with different SNI hostnames, which would generate an equivalent number of certificate requests to the ACME provider.

moeffju commented 5 months ago

Caddy does it for configured domains, including wildcard domains. See https://caddyserver.com/docs/automatic-https#hostname-requirements for the requirements; quoting:

All hostnames (domain names) qualify for fully-managed certificates if they:

  • are non-empty
  • consist only of alphanumerics, hyphens, dots, and wildcard (*)
  • do not start or end with a dot (RFC 1034)

In addition, hostnames qualify for publicly-trusted certificates if they:

  • are not localhost (including .localhost, .local and .home.arpa TLDs)
  • are not an IP address
  • have only a single wildcard * as the left-most label

Translated to Stalwart I would expect it to automatically create certificates for all hostname aliases it outputs in the DNS Records overview.

For example, when I configure the domain example.com, Stalwart would tell me to set a CNAME RR for mail.example.com that points to Stalwart's configured FQDN. However, if I configure a client to use mail.example.com as the mail server, or when the client does auto-discovery and tries that subdomain (as Thunderbird does), I would get an error message that the certificate doesn't match, because the client is expecting the cert for mail.example.com and getting the cert for Stalwart's FQDN.

I would like Stalwart to automatically create the cert for mail.example.com in this case and send it if the client supports SNI and indicates that target hostname.
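As an added illustration (example code, not Stalwart's or Caddy's own), the check below applies the Caddy hostname rules quoted above and then restricts on-demand issuance to names derived from the administrator's configured domains, which addresses the arbitrary-SNI abuse concern raised in this thread. The alias labels `mail.` and `autoconfig.` are assumptions standing in for whatever the DNS Records overview lists.

```rust
use std::net::IpAddr;

/// Syntactic rules for a fully managed certificate (Caddy's first list).
fn is_valid_hostname(host: &str) -> bool {
    !host.is_empty()
        && host
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.' || c == '*')
        && !host.starts_with('.')
        && !host.ends_with('.')
}

/// Additional rules for a publicly trusted certificate (Caddy's second list).
fn is_publicly_trustable(host: &str) -> bool {
    let lower = host.to_ascii_lowercase();
    let local = lower == "localhost"
        || [".localhost", ".local", ".home.arpa"]
            .iter()
            .any(|s| lower.ends_with(*s));
    let is_ip = host.parse::<IpAddr>().is_ok();
    // A wildcard is allowed only as the entire left-most label.
    let wildcard_ok =
        !host.contains('*') || (host.matches('*').count() == 1 && host.starts_with("*."));
    !local && !is_ip && wildcard_ok
}

/// Decide whether an SNI value may trigger on-demand ACME issuance.
/// `domains` is the list of configured mail domains with auto-ACME enabled.
/// Alias labels are an assumption for this example.
fn allow_on_demand(sni: &str, domains: &[&str]) -> bool {
    // Reject wildcards outright: a client never legitimately sends one in SNI.
    if !is_valid_hostname(sni) || !is_publicly_trustable(sni) || sni.contains('*') {
        return false;
    }
    let sni = sni.to_ascii_lowercase();
    domains.iter().any(|d| {
        let d = d.to_ascii_lowercase();
        sni == d || sni == format!("mail.{d}") || sni == format!("autoconfig.{d}")
    })
}

fn main() {
    // Constructed sample inputs: one configured domain, several SNI values.
    let domains = ["example.com"];
    for sni in ["mail.example.com", "mail.example.org", "127.0.0.1", "*.example.com"] {
        println!("{sni}: {}", allow_on_demand(sni, &domains));
    }
}
```

Only `mail.example.com` passes; the other three are refused before any ACME request would be made.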

moeffju commented 5 months ago

(And one could argue that MUAs should first resolve CNAMEs, or try STARTTLS first, etc., but ... yeah, email has been around forever and MUAs haven't always done a great job of keeping up to date.)

mdecimus commented 5 months ago

I understand, this is an interesting feature indeed. However, we cannot force this feature on everyone, as some people will want to have control of how and when certificates are issued. What we could do instead is add a checkbox to the "Create Domain" screen so administrators can decide whether to enable auto-ACME or not.

nomadturk commented 4 months ago

It can also be a global or group setting instead of a per-domain setting.