Open moeffju opened 6 months ago
Alternatively, make it easier to add each newly configured mail domain to the ACME domain list.
I'm not familiar with Caddy, but how does it prevent abuse and attacks when this feature is enabled? A bad actor could send thousands/millions of TLS handshakes with different SNI hostnames, which would generate an equivalent number of certificate requests to the ACME provider.
Caddy does it for configured domains including wildcard domains. See https://caddyserver.com/docs/automatic-https#hostname-requirements for requirements, quote
All hostnames (domain names) qualify for fully-managed certificates if they:
- are non-empty
- consist only of alphanumerics, hyphens, dots, and wildcard (*)
- do not start or end with a dot (RFC 1034)
In addition, hostnames qualify for publicly-trusted certificates if they:
- are not localhost (including .localhost, .local and .home.arpa TLDs)
- are not an IP address
- have only a single wildcard * as the left-most label
Translated to Stalwart I would expect it to automatically create certificates for all hostname aliases it outputs in the DNS Records overview.
For example, when I configure the domain `example.com`, Stalwart would tell me to set a CNAME RR for `mail.example.com` that points to Stalwart's configured FQDN. However, if I configure a client to use `mail.example.com` as the mail server, or when the client does auto-discovery and tries that subdomain (as Thunderbird does), I would get an error message that the certificate doesn't match, because the client is expecting the cert for `mail.example.com` and getting the cert for Stalwart's FQDN.
I would like Stalwart to automatically create the cert for `mail.example.com` in this case and send it if the client supports SNI and indicates that target hostname.
(And one could argue that MUAs should first resolve CNAMEs, or try STARTTLS first, etc., but ... yeah, email has been around forever and MUAs haven't always done a great job of keeping up to date.)
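The two points raised above (the abuse concern about unbounded SNI-driven certificate requests, and the Caddy hostname rules quoted from the docs) can be combined into a single issuance decision. The following Python is an added example and not code from Stalwart or Caddy: it implements the quoted Caddy qualification rules as `qualifies_for_managed_cert` / `qualifies_for_public_cert`, derives an allowlist from the configured domains (the assumption being that each domain produces a `mail.<domain>` alias, as the DNS Records overview in the comment describes), and gates issuance behind that allowlist plus a sliding-window budget. The function `should_issue_on_demand`, the allowlist derivation and `IssuanceBudget` are all hypothetical names; the design mirrors Caddy's on-demand TLS `ask` endpoint, where the server consults a policy before asking the CA for anything.

```python
import collections
import ipaddress
import re
import time

# A DNS label: ASCII alphanumerics and hyphens. Empty labels (consecutive dots)
# are rejected here, which is stricter than the quoted rule list.
_LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")
_MANAGED_RE = re.compile(r"^[A-Za-z0-9.*-]+$")


def qualifies_for_managed_cert(name: str) -> bool:
    """Caddy's general rules: non-empty, only alphanumerics/hyphens/dots/'*',
    and no leading or trailing dot (RFC 1034)."""
    if not name or name.startswith(".") or name.endswith("."):
        return False
    return _MANAGED_RE.match(name) is not None


def _is_ip_address(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def qualifies_for_public_cert(name: str) -> bool:
    """Caddy's additional rules for publicly-trusted certificates: not localhost
    (or the .localhost/.local/.home.arpa TLDs), not an IP address, and at most
    one wildcard, which must be the left-most label."""
    if not qualifies_for_managed_cert(name) or _is_ip_address(name):
        return False
    lower = name.lower()
    if lower == "localhost" or lower.endswith((".localhost", ".local", ".home.arpa")):
        return False
    for index, label in enumerate(lower.split(".")):
        if label == "*":
            if index != 0:
                return False  # wildcard allowed only as the left-most label
        elif "*" in label or not _LABEL_RE.match(label):
            return False  # partial wildcard (e.g. "ma*l") or malformed label
    return True


def allowed_sni_names(configured_domains, server_fqdn: str) -> set:
    """Allowlist derived from configuration (assumption): the server's own FQDN,
    every configured domain, and the mail.<domain> alias for each domain."""
    names = {server_fqdn.lower()}
    for domain in configured_domains:
        names.add(domain.lower())
        names.add(f"mail.{domain.lower()}")
    return names


class IssuanceBudget:
    """Sliding-window cap on new certificate requests, so a flood of handshakes
    with novel SNI names cannot translate into an unbounded number of ACME orders.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_per_window: int, window_seconds: float, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.clock = clock
        self._stamps = collections.deque()

    def allow(self) -> bool:
        now = self.clock()
        while self._stamps and now - self._stamps[0] >= self.window_seconds:
            self._stamps.popleft()
        if len(self._stamps) >= self.max_per_window:
            return False
        self._stamps.append(now)
        return True


def should_issue_on_demand(sni: str, configured_domains, server_fqdn: str,
                           budget: IssuanceBudget = None) -> bool:
    """Policy hook in the spirit of Caddy's on-demand 'ask' endpoint: issue only
    if the SNI name qualifies for a public certificate, is on the allowlist,
    and the issuance budget (if any) has room. Unknown names never reach the CA."""
    if not sni:
        return False
    candidate = sni.lower()
    if not qualifies_for_public_cert(candidate):
        return False
    if candidate not in allowed_sni_names(configured_domains, server_fqdn):
        return False
    return budget.allow() if budget is not None else True


if __name__ == "__main__":
    # Constructed sample configuration, not real deployment data.
    domains = ["example.com"]
    fqdn = "mx1.example.net"
    print(should_issue_on_demand("mail.example.com", domains, fqdn))   # True
    print(should_issue_on_demand("victim.example.org", domains, fqdn)) # False
```

Order matters in `should_issue_on_demand`: the cheap syntactic and allowlist checks run before the budget is consumed, so a flood of bogus SNI names is rejected without touching the budget, and the budget only limits how quickly legitimate new aliases are ordered.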
I understand, this is an interesting feature indeed. However, we cannot force this feature on everyone, as some people will want to have control of how and when certificates are issued. What we could do instead is add a checkbox to the "Create Domain" screen so administrators can decide whether to enable auto-ACME or not.
It can also be a global or group setting instead of a per-domain setting.
Which feature or improvement would you like to request?
I'd like to see this feature:
If Stalwart has access to the TLS connection establishment and SNI, it would be great to have the option for Stalwart to automatically try to get ACME certificates for new hostnames, similar to how Caddy does ACME-on-demand.
Is your feature request related to a problem?
I'm having a problem with...