when suggesting CAA records for a domain, suggest variants that bind to the account id and with validation methods used by mox

should prevent potential mitm attacks. especially when done close to the machine itself (where a http/tls challenge is intercepted to get a valid certificate), as seen on the internet last month.
2025-07-14 17:34:37 +03:00 · 2023-12-21 15:16:30 +01:00
parent ca97293cb2
commit db3fef4981
11 changed files with 123 additions and 28 deletions
--- a/config/config.go
+++ b/config/config.go
@ -116,10 +116,11 @@ type Dynamic struct {
 }

 type ACME struct {
-	DirectoryURL string        `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
-	RenewBefore  time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
-	ContactEmail string        `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
-	Port         int           `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
+	DirectoryURL     string        `sconf-doc:"For letsencrypt, use https://acme-v02.api.letsencrypt.org/directory."`
+	RenewBefore      time.Duration `sconf:"optional" sconf-doc:"How long before expiration to renew the certificate. Default is 30 days."`
+	ContactEmail     string        `sconf-doc:"Email address to register at ACME provider. The provider can email you when certificates are about to expire. If you configure an address for which email is delivered by this server, keep in mind that TLS misconfigurations could result in such notification emails not arriving."`
+	Port             int           `sconf:"optional" sconf-doc:"TLS port for ACME validation, 443 by default. You should only override this if you cannot listen on port 443 directly. ACME will make requests to port 443, so you'll have to add an external mechanism to get the connection here, e.g. by configuring port forwarding."`
+	IssuerDomainName string        `sconf:"optional" sconf-doc:"If set, used for suggested CAA DNS records, for restricting TLS certificate issuance to a Certificate Authority. If empty and DirectyURL is for Let's Encrypt, this value is set automatically to letsencrypt.org."`

 	Manager *autotls.Manager `sconf:"-" json:"-"`
 }
--- a/config/doc.go
+++ b/config/doc.go
@ -96,6 +96,11 @@ describe-static" and "mox config describe-domains":
 			# configuring port forwarding. (optional)
 			Port: 0

+			# If set, used for suggested CAA DNS records, for restricting TLS certificate
+			# issuance to a Certificate Authority. If empty and DirectyURL is for Let's
+			# Encrypt, this value is set automatically to letsencrypt.org. (optional)
+			IssuerDomainName:
+
 	# File containing hash of admin password, for authentication in the web admin
 	# pages (if enabled). (optional)
 	AdminPasswordFile: