stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art

[enhancement]: TLS support for FoundationDB store #794

Open tkpte opened 1 month ago

tkpte commented 1 month ago

Which feature or improvement would you like to request?

I'd like to see this feature:

Optional directives to specify the paths to the certificate, ca, and key files used by the Rust FoundationDB client to authenticate and establish a secure connection with the coordinator nodes from the fdb.cluster file.

Example config.toml:

[store."foundationdb"]
type = "foundationdb"
cluster-file = "/path/to/fdb.cluster"
tls_certificate_file = "/path/to/fdb.pem"
tls_key_file = "/path/to/private.key"
tls_ca_file = "/path/to/cert.crt"
tls_verify_peers = "Check.Valid=0"

Example with fdbcli:

fdbcli --tls_certificate_file="/path/to/fdb.pem" --tls_key_file="/path/to/private.key" --tls_ca_file="/path/to/cert.crt" --tls_verify_peers="Check.Valid=0" --exec "status"

Example with Rust FoundationDB client:

???

I spent a few hours trying to understand how the libraries foundationdb and foundationdb-sys work, but it's not easy without any prior experience in Rust and very little in C. The client supports TLS though, as we can see in the foundationdb-sys options file with enums like FDB_NET_OPTION_TLS_CERT_PATH, FDB_NET_OPTION_TLS_KEY_PATH, FDB_NET_OPTION_TLS_CA_PATH, and FDB_NET_OPTION_TLS_VERIFY_PEERS.
I'd like to see this other feature too:

Support for FoundationDB v7.3.x.

Stalwart /crates/store/Cargo.toml:

foundationdb = { version = "0.9.0", features = ["embedded-fdb-include", "fdb-7_1"], optional = true }

but the latest version of the foundationdb crate already supports the fdb-7_3 feature (See).

Is your feature request related to a problem?

This is necessary because FoundationDB only supports a single authentication method which is mutual TLS.


CybersShell commented 1 month ago

I do agree that native support for FoundationDB TLS in Stalwart is best.

I have solved this issue for now in the following way:

I have added an EnvironmentFile directive to the [Service] section of the Systemd service file:

[Service]
...
first set of options
...
EnvironmentFile=/path/to/stalwart/systemd/env/file
ExecStart=/opt/stalwart-mail/bin/stalwart-mail --config=/opt/stalwart-mail/etc/config.toml
...
last set of options
...

The EnvironmentFile uses the environment variables specified in the official FoundationDB TLS Documentation.

One note: you must make sure you allow the stalwart-mail user access to the certificate files. I used setfacl:

setfacl -Rm stalwart-mail:rx /path/to/certs
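Because the EnvironmentFile route keeps the FDB_TLS_* settings outside Stalwart's own config validation, a mistake there (a path that the service user cannot read, a private key left world-readable, or a verify-peers string that switches certificate checks off) only shows up as a failed database connection at start-up. The POSIX sh script below is an added example, not part of this thread or of the Stalwart project: it reads an EnvironmentFile, confirms that each of FDB_TLS_CERTIFICATE_FILE, FDB_TLS_KEY_FILE and FDB_TLS_CA_FILE is set and points at a readable file, flags a key file that is readable by others, and flags an FDB_TLS_VERIFY_PEERS value containing Check.Valid=0, which disables peer certificate validation. The function names check_env_file, get_var and make_demo, and the demo directory with empty placeholder certificate files, are constructed for this example.

```shell
#!/bin/sh
# Preflight check for a systemd EnvironmentFile that carries the FoundationDB
# client's FDB_TLS_* variables. Added example; not part of the issue thread or
# of the Stalwart project. Run it as the same user the service runs as, so the
# readability checks reflect what stalwart-mail will actually see.
set -eu

# get_var FILE NAME -> value of NAME=value in FILE, surrounding quotes removed
get_var() {
    sed -n "s/^$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# check_env_file FILE -> prints each finding; return code is the number of problems
check_env_file() {
    envfile=$1
    problems=0
    [ -r "$envfile" ] || { echo "cannot read $envfile"; return 1; }

    # every TLS material path must be set and readable by this user
    for name in FDB_TLS_CERTIFICATE_FILE FDB_TLS_KEY_FILE FDB_TLS_CA_FILE; do
        path=$(get_var "$envfile" "$name")
        if [ -z "$path" ]; then
            echo "$name is not set"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "$name=$path is missing or not readable"
            problems=$((problems + 1))
        fi
    done

    # the private key should not be world-readable; grant the service user
    # access with setfacl (as in the comment above) rather than loosening mode
    key=$(get_var "$envfile" FDB_TLS_KEY_FILE)
    if [ -n "$key" ] && [ -e "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
        echo "private key $key is world-readable"
        problems=$((problems + 1))
    fi

    # Check.Valid=0 tells the FDB client to accept any peer certificate
    verify=$(get_var "$envfile" FDB_TLS_VERIFY_PEERS)
    case "$verify" in
        *Check.Valid=0*)
            echo "FDB_TLS_VERIFY_PEERS disables certificate validation (Check.Valid=0)"
            problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# make_demo DIR -> builds a good and a bad EnvironmentFile with constructed,
# empty placeholder certificate files under DIR; prints DIR
make_demo() {
    dir=$1
    mkdir -p "$dir/certs"
    : > "$dir/certs/fdb.pem"
    : > "$dir/certs/cert.crt"
    : > "$dir/certs/private.key"
    chmod 600 "$dir/certs/private.key"
    cat > "$dir/good.env" <<EOF
FDB_TLS_CERTIFICATE_FILE="$dir/certs/fdb.pem"
FDB_TLS_KEY_FILE="$dir/certs/private.key"
FDB_TLS_CA_FILE="$dir/certs/cert.crt"
FDB_TLS_VERIFY_PEERS="Check.Valid=1"
EOF
    # bad: certificate path does not exist, key is world-readable, validation off
    : > "$dir/certs/leaky.key"
    chmod 644 "$dir/certs/leaky.key"
    cat > "$dir/bad.env" <<EOF
FDB_TLS_CERTIFICATE_FILE="$dir/certs/does-not-exist.pem"
FDB_TLS_KEY_FILE="$dir/certs/leaky.key"
FDB_TLS_CA_FILE="$dir/certs/cert.crt"
FDB_TLS_VERIFY_PEERS="Check.Valid=0"
EOF
    printf '%s\n' "$dir"
}

# demo run against the constructed files; replace with the real path, e.g.
#   check_env_file /path/to/stalwart/systemd/env/file
demo=$(make_demo "$(mktemp -d)")
check_env_file "$demo/good.env" && echo "good.env: no problems found"
check_env_file "$demo/bad.env" || echo "bad.env: $? problem(s) found"
rm -rf "$demo"
```

The return code of check_env_file is the number of findings, so it can gate a deployment step (for example an ExecStartPre= in the unit, run as the service user) and refuse to start the mail server when the TLS material is not in order.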

tkpte commented 1 month ago

Thanks so much, this works! I agree it would be good to have the directives in config.toml, but if this works, it's fine to me.