cannot specify tls_client directive
Describe the bug
Given the documentation found here, I assumed I could specify a global tls_client directive, but instead I get this error:
/etc/maddy/maddy.conf:21: unknown module or global directive: tls_client
Steps to reproduce
Add a tls_client directive in the global scope.
Configuration file
Default configuration file, with just the added tls_client block, as below.
...
# Base variables
$(hostname) = example.com
$(primary_domain) = example.com
$(local_domains) = $(primary_domain)
tls file /etc/maddy/cert.pem /etc/maddy/key.pem {
    protocols tls1.2 tls1.3
    curves X25519
}

tls_client {
    protocols tls1.2 tls1.3
    curves X25519
    root_ca /etc/maddy/ca.pem
}
# ----------------------------------------------------------------------------
# Local storage & authentication
...
Environment information
- maddy version: 0.7.1
Thanks in advance for your answer and for making email deployment a simple task.
Oops, fixed in dd06ffe.
You can build maddy from source from the master branch or just move tls_client into the target.remote block:
target.remote outbound_delivery {
    tls_client {
        protocols tls1.2 tls1.3
        curves X25519
        root_ca /etc/maddy/ca.pem
    }
}
Building from source gets rid of the error. But I cannot get maddy to enable TLS client authentication. Probably I should have mentioned before that I wanted to achieve that.
I expected cert to be the certificate presented by the server to any connecting client and key to be its private key (and that seems to be the case); but then I also expected root_ca to be the certificate authority that needs to be used to sign client certificates, but it seems that, even though I specified all three properties, maddy allows the connection from any client.
Docs mention that.
The three PEM files I used work as expected for connecting to a Redis server.
What do I need to do to achieve it? Would you prefer that I open a separate issue for that?
Docs probably should be clarified: tls_client configures maddy's TLS client, that is, the settings used when maddy connects to other SMTP servers. While maddy can be configured to use TLS authentication while talking to other servers, currently it does not support it server-side.
What is your use-case? It is very easy to add functionality to validate client certificates, but full authentication support definitely will take more work.
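The distinction above can be shown with Go's own crypto/tls, which maddy builds on. The following is an added example, not maddy's code: the client's RootCAs (what root_ca in tls_client fills) only decides which servers the client trusts, while only a server-side ClientAuth setting makes the server demand and verify client certificates. The CA, the server name `mail.example.test` and the client `alice` are constructed test values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// newCert issues a throwaway cert: a self-signed CA when parent is nil, else a leaf signed by parent.
func newCert(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	issuer, signer := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ClientAccepted mirrors the report: RootCAs (what root_ca in tls_client fills) is client-side trust
// in servers; only the server's ClientAuth setting makes it demand and verify client certificates.
func ClientAccepted(serverVerifiesClients, clientPresentsCert bool) bool {
	ca := newCert("Test CA", nil) // constructed test CA, stands in for ca.pem
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	// Tickets off, so the server writes nothing after the handshake on the synchronous pipe.
	server := &tls.Config{Certificates: []tls.Certificate{newCert("mail.example.test", &ca)}, SessionTicketsDisabled: true}
	if serverVerifiesClients {
		server.ClientAuth, server.ClientCAs = tls.RequireAndVerifyClientCert, pool
	}
	client := &tls.Config{RootCAs: pool, ServerName: "mail.example.test"}
	if clientPresentsCert {
		client.Certificates = []tls.Certificate{newCert("alice", &ca)}
	}
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake(); srvConn.Close() }()
	cliErr := tls.Client(cliConn, client).Handshake()
	cliConn.Close() // raw close: no close_notify that could block on the pipe
	return cliErr == nil && <-srvErr == nil
}
```

With ClientAuth left at its default the server completes the handshake whether or not the client offers a certificate, which is exactly the "maddy allows the connection from any client" observation; setting RequireAndVerifyClientCert is what rejects certificate-less clients.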
Ah, that now makes more sense! Thanks for the clarification. My use case is basically using a more secure authentication method for IMAP and submission.