fix: set default smtp_tls_security_level to "verify" unconditionally #902
Merged
This change was accidentally added in cf96be2. A relay should not stop validating TLS certificates of other relays just because it has a self-signed or externally managed certificate. An externally managed certificate is likely to even be valid.
link2xt referenced this pull request Mar 23, 2026
feat: support self-signed TLS via underscore domain convention

Domains starting with "_" (e.g. _chat.example.org) automatically use self-signed TLS certificates instead of ACME/Let's Encrypt. The TLS mode is derived from the domain name — no separate config option needed.

Internally, when config.tls_cert_mode is "self" (underscore domain):
- Generate self-signed certificates via openssl
- Set Postfix smtp_tls_security_level to "encrypt" (opportunistic TLS)
- Add smtp_tls_policy_map entry for underscore domains
- Skip ACME, MTA-STS and www CNAME checks in `cmdeploy dns`
- Serve /new via GET (not redirect to dcaccount:) with rate-limiting (nginx limit_req, 2r/s burst=5)
- Return dclogin: URLs with ic=3 (AcceptInvalidCertificates) from /new
- Render QR codes client-side via JavaScript and qrcode-svg
- Use config.tls_cert_path/tls_key_path in Postfix, Dovecot and nginx templates instead of hardcoded ACME paths
missytake approved these changes Mar 23, 2026

missytake (Contributor) left a comment:
Exceptions for smtp_tls_security_level=verify, e.g. for IP-only relays, can be added with smtp_tls_policy_maps.
Contributor
Author
This is already done. I think it is just an accident that this was not reverted after adding exception for |
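The following is an added example, not code from this pull request or the project: a simplified Python model of how a per-destination policy map overrides the default `smtp_tls_security_level`, used to list which next hops are delivered without certificate authentication under each default. The map entries, the `encrypt` level chosen for the exceptions, the next hops and all function names are assumptions made for illustration.

```python
# Added example: simplified model of Postfix per-destination TLS policy lookup (constructed data).

# Levels at which the peer certificate must authenticate.
AUTHENTICATING = {"fingerprint", "dane-only", "verify", "secure"}


def parse_policy_map(text):
    """Parse 'destination level [attributes]' lines into {destination: level}."""
    policy = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            policy[fields[0].lower()] = fields[1].lower()
    return policy


def effective_level(next_hop, default_level, policy):
    """Return the TLS level applied to next_hop (exact match, then parent domains)."""
    key = next_hop.lower()
    if key in policy:
        return policy[key]
    # Bracketed or port-qualified next hops get the exact lookup only.
    if not key.startswith("[") and ":" not in key:
        dot = key.find(".", 1)
        while dot != -1:
            if key[dot:] in policy:  # e.g. ".example.net" covers mx.example.net
                return policy[key[dot:]]
            dot = key.find(".", dot + 1)
    return default_level


def unauthenticated_destinations(next_hops, default_level, policy):
    """List (next_hop, level) pairs delivered without certificate authentication."""
    levels = ((hop, effective_level(hop, default_level, policy)) for hop in next_hops)
    return [(hop, level) for hop, level in levels if level not in AUTHENTICATING]


# Constructed exceptions: an underscore domain and an IP-only relay.
SAMPLE_MAP = """
# destination        level
_chat.example.org    encrypt
[192.0.2.10]         encrypt
"""
SAMPLE_HOPS = ["example.com", "_chat.example.org", "[192.0.2.10]", "mail.example.net"]

if __name__ == "__main__":
    policy = parse_policy_map(SAMPLE_MAP)
    for default in ("encrypt", "verify"):
        print(default, unauthenticated_destinations(SAMPLE_HOPS, default, policy))
```

With the default at `encrypt`, every sample destination is reported; with the default at `verify`, only the two explicit map entries remain.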