Per-domain TLS certificates #58
Comments
Or perhaps we can take a step forward and also extend the TLS directive in general.
Another way: allow specifying multiple cert/key pairs and do the matching using CN/SAN.
Why wouldn't you specify it in a
My friend asked me to help him with maddy configuration for multiple domains. I totally forgot how MX records work and that the domain in the MX record is the one being used for verification. E.g. even if you are working with multiple domains, you can add MX records such that they will point to the same server domain and it will be used for certification verification.
Reopening, as there is probably a use case for the initially proposed idea.
Given that MTA-STS is a thing it would be nice to have support for multi-tenant systems for those cases as well. Originally posted by @Avamander in #72 (comment).
@Avamander, so what you want here is that a single maddy instance should be able to serve multiple different domains and provide them with separate storage, etc., right? auth_perdomain and storage_perdomain introduced in #74 enable this for authentication and storage. With a configuration like that:
foxcpp@example.org and foxcpp@example.com will be different accounts.
One possible reason for supporting SNI here is that an email client should be able to autodiscover configuration by trying to connect to (imap.)example.org:imaps or (imap.)example.com:imaps. I think for these cases more sophisticated auto-discovery protocols should be used (see #67).
I think supporting per-domain TLS would be quite beneficial. I host a few websites for different users and right now they have to put up with having to log in using @kitteh.pw and manually changing their address to @example.com.
Preferably also do MTA-STS with matching domain certificates, if possible.
@NamedKitten Consider this: This issue basically boils down to autodiscovery protocol support in clients. Research is needed. I think we can merge a PR to support it anyway, I'm not sure about config syntax though. Are there better options than the one I described (and implemented but removed before merging in #59)? Somebody can just send a patch to revert the commit that removed it.
Use letsencrypt to request a multi-cert for all configured domains... use SNI for per-host web (theming/domain on address) .. other protocols just answer on appropriate port(s)
Webmail is out of scope though. The problem is that clients will try to probe for standard continuations, like imap.domain. So it makes sense to be able to accept connections and provide the TLS certificate valid for that domain.
Added "good first issue" label, it should be easy to implement if somebody thinks it is needed.
Implemented in cee8bbd.
Awesome, thanks!
Rationale and possible alternative: #58 (comment)
Guidance for contributors
Make it possible to specify multiple cert-key pairs in the tls directive: load them all, then call tls.Config.BuildNameToCertificate. The relevant code is in internal/config/tls_server.go in the readTLSBlock function.
Documentation to update: docs/man/maddy-imap.5.scd, docs/man/maddy-smtp.5.scd and probably docs/man/maddy-tls.5.scd.
Original post
Perhaps something like that:
Possible using GetCertificate or GetConfigForClient callbacks in tls.Config.
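The following is an added example, not code from the maddy project or the issue author: a small Go selector that loads several cert/key pairs, matches the SNI name against each certificate's SAN list (falling back to the CN only when a legacy certificate has no SANs, with single-label wildcards), and hands the result to `tls.Config` through the `GetCertificate` callback mentioned in the original post. The domain names, the `CertSelector` type, and the `selfSigned` helper are all hypothetical; `selfSigned` only exists so the example runs offline, and a deployment would load the pairs named in the tls directive with `tls.LoadX509KeyPair` instead. One caveat for anyone following the contributor guidance: `tls.Config.BuildNameToCertificate` has been deprecated since Go 1.14, because the standard library now picks a compatible entry from `Certificates` by SNI on its own; a callback-based selector like this one is only worth writing when you need your own matching rules or an explicit fallback policy for clients that send no SNI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertSelector holds every loaded cert/key pair; certs[0] is the fallback for absent or unknown SNI.
type CertSelector struct{ certs []tls.Certificate }

// NewCertSelector parses each leaf once (tls.LoadX509KeyPair leaves Leaf nil before Go 1.23).
func NewCertSelector(certs []tls.Certificate) (*CertSelector, error) {
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificates loaded")
	}
	for i := range certs {
		if certs[i].Leaf != nil {
			continue
		}
		leaf, err := x509.ParseCertificate(certs[i].Certificate[0])
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", i, err)
		}
		certs[i].Leaf = leaf
	}
	return &CertSelector{certs: certs}, nil
}

// matches uses the SAN DNS names, or the CN only when there are no SANs; "*." covers one label (RFC 6125).
func matches(leaf *x509.Certificate, name string) bool {
	candidates := leaf.DNSNames
	if len(candidates) == 0 {
		candidates = []string{leaf.Subject.CommonName}
	}
	dot := strings.IndexByte(name, '.')
	for _, c := range candidates {
		c = strings.ToLower(c)
		if c == name || (dot > 0 && c == "*."+name[dot+1:]) {
			return true
		}
	}
	return false
}

// Pick returns the pair covering sni (case-insensitive, trailing dot ignored) or the fallback.
func (s *CertSelector) Pick(sni string) *tls.Certificate {
	name := strings.TrimSuffix(strings.ToLower(sni), ".")
	for i := range s.certs {
		if name != "" && matches(s.certs[i].Leaf, name) {
			return &s.certs[i]
		}
	}
	return &s.certs[0]
}

// Config returns a server tls.Config whose GetCertificate callback consults the selector per handshake.
func (s *CertSelector) Config() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return s.Pick(h.ServerName), nil
		},
	}
}

// selfSigned builds a constructed self-signed test certificate so the example runs offline.
func selfSigned(cn string, sans ...string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv} // Leaf deliberately nil
}

func main() {
	sel, err := NewCertSelector([]tls.Certificate{ // hypothetical domains
		selfSigned("mail.example.org", "mail.example.org", "imap.example.org"),
		selfSigned("example.com", "example.com", "*.example.com"),
	})
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"imap.example.org", "smtp.example.com", "", "unknown.test"} {
		cert, _ := sel.Config().GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("SNI %q -> %s\n", sni, cert.Leaf.Subject.CommonName)
	}
}
```

The fallback in `Pick` is the deliberate design choice: an SNI-less client (older MUAs, some monitoring probes) still completes the handshake with the first configured pair rather than being rejected, and a wildcard entry is honoured for exactly one label so `a.b.example.com` does not silently inherit `*.example.com`.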