
Figure out how to interact with DNS and HTTPS #8


Closed
emersion opened this issue Jan 9, 2019 · 9 comments

@emersion
Collaborator

emersion commented Jan 9, 2019

Things like DKIM, MTA-STS are tightly coupled with DNS and HTTPS.

Should we become tiny DNS/HTTPS servers too?

@foxcpp
Owner

foxcpp commented Mar 16, 2019

I don't like the idea of having an embedded DNS server. That's too much for maddy IMO; DNS is hard to get right.
For DKIM, we can generate a keypair and a zone file with the public key (somewhere in /var/maddy/, perhaps) so it can be included from the user's main zone file.
RFC 1035 does have a $INCLUDE directive for this.
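
As an added illustration of the zone-file approach above (example code, not maddy's own; the selector name `maddy` and the relative-owner layout are assumptions), this Go program generates the DKIM keypair and emits a fragment suitable for $INCLUDE, splitting the public key into 255-byte TXT strings as RFC 1035 requires:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// splitTXT cuts a TXT value into pieces of at most 255 bytes: RFC 1035 limits
// each <character-string> in TXT RDATA to 255 octets, and an RSA key does not fit.
func splitTXT(value string) []string {
	var parts []string
	for len(value) > 255 {
		parts = append(parts, value[:255])
		value = value[255:]
	}
	return append(parts, value)
}

// DKIMZoneFragment renders a zone-file fragment for <selector>._domainkey
// holding the DKIM key record ("v=DKIM1; k=rsa; p=<base64 SPKI>"). The owner
// name is relative, so the fragment relies on $ORIGIN from the including zone.
func DKIMZoneFragment(selector string, pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	record := "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	var quoted []string
	for _, p := range splitTXT(record) {
		quoted = append(quoted, `"`+p+`"`)
	}
	return fmt.Sprintf("%s._domainkey IN TXT ( %s )\n", selector, strings.Join(quoted, " ")), nil
}

func main() {
	// Only the public half is published; the private key stays with the signer.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	frag, err := DKIMZoneFragment("maddy", &key.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Print(frag)
}
```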

@emersion
Collaborator Author

Yeah, that's probably a better idea.

@emersion
Collaborator Author

emersion commented Mar 16, 2019

That still leaves the question of TLS: where do we get certs from?

It would be nice to be able to have automatic TLS. Maybe we can use https://github.com/mholt/certmagic (maybe it requires having an HTTP server)

MTA-STS involves serving an HTTPS document btw.

@foxcpp
Owner

foxcpp commented Mar 16, 2019

Well, I guess we can then start a net/http server and bind on 127.0.0.1:some_probably_unused_port to serve just this file. Note that it is important to be able to change the port or fully disable this feature.

@emersion
Collaborator Author

MTA-STS requires port 443. And I think it's the same for ACME challenges…

@foxcpp
Owner

foxcpp commented Mar 16, 2019

Leave the job of HTTPS to a reverse proxy then? I never liked this automagic with TLS; right now it just increases complexity by restricting use-cases (separate domain for mail) and requiring more actions to be taken to work in existing environments (clashes with caddy and manual TLS configuration).

@foxcpp
Owner

foxcpp commented May 25, 2019

Issue #67 had some discussion related to the HTTP endpoint module, starting at #67 (comment). I guess we are going with the approach outlined in #67 (comment).

@MFAshby
Contributor

MFAshby commented Feb 22, 2020

Just FYI, caddy server has some code for interacting with a variety of DNS providers' APIs, so that it can automatically create DNS entries: https://github.com/caddyserver/dnsproviders

@foxcpp foxcpp removed this from the 0.3 - "Third-party integrations" milestone May 11, 2020
@foxcpp
Owner

foxcpp commented Jul 27, 2020

Closing as too broad a ticket. ACME TLS autoconfiguration is discussed in #3, considerations for a static webserver for autoconfiguration and other purposes are mentioned in #67, and the idea of a builtin DNS server is discarded as not useful enough for its complexity.

@foxcpp foxcpp closed this as completed Jul 27, 2020