ACME Integration for Effortless TLS Certificates | Stalwart Labs
stalw.art
ACME (Automatic Certificate Management Environment) represents a breakthrough in managing TLS (Transport Layer Security) certificates. This protocol automates the process of obtaining, installing, and renewing TLS/SSL certificates, which are crucial for securing network communications. TLS certificates provide authentication and encryption, ensuring that data transferred between users and servers remains private and secure.

We are thrilled to announce the release of Stalwart Mail Server 0.5.2, which brings two significant advancements: the integration of the ACME protocol for automatic TLS certificate deployment and support for the HAProxy Protocol. These features mark a substantial step forward in our commitment to enhancing the security and efficiency of Stalwart Mail Server.
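What "automates the process of obtaining" a certificate actually involves, as an added example that is not Stalwart's code or part of the announcement: the ACME client has to prove to the CA that it controls the mail domain. It does this by publishing a key authorization derived from a CA-issued token and its own account key (RFC 8555), and the CA recomputes that value from the account key it has on file. The account key below is a constructed sample JWK with made-up coordinates, the token is made up, and nothing is sent over the network.

```python
"""
ACME (RFC 8555) domain-control proof, computed offline.

Added example, not Stalwart's code. The JWK coordinates and the token
are constructed sample values, not a real key or a real CA challenge.
"""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require (RFC 4648 s.5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members of the key type,
    lexicographically ordered, no whitespace. Extra members such as 'alg'
    or 'kid' are deliberately left out."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)) -- identifies the ACME account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 s.8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict) -> tuple[str, str]:
    """Path and body the client must serve over plain HTTP on port 80
    for the http-01 challenge."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record(token: str, account_jwk: dict) -> str:
    """TXT value for _acme-challenge.<domain> in the dns-01 challenge:
    base64url(SHA-256(key authorization))."""
    keyauth = key_authorization(token, account_jwk)
    return b64url(hashlib.sha256(keyauth.encode("ascii")).digest())


def ca_verify_http01(token: str, served_body: str, account_jwk: dict) -> bool:
    """CA side: after fetching the challenge URL, recompute the expected
    key authorization from the account key registered for this order and
    compare. A body built with any other key fails, so being able to put
    a file on the web root is not enough to finish someone else's order."""
    expected = key_authorization(token, account_jwk)
    return secrets.compare_digest(served_body.encode("ascii"),
                                  expected.encode("ascii"))


# Constructed sample account key: P-256 JWK with made-up coordinates.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "alg": "ES256",  # present in the key object, excluded from the thumbprint
}
# Constructed token; a real CA issues a fresh random one per challenge.
TOKEN = b64url(b"sample-acme-challenge-token-0001")


if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("serve on port 80:", path, "->", body)
    print("or publish TXT _acme-challenge:", dns01_record(TOKEN, ACCOUNT_JWK))
    # An attacker holding a different account key cannot satisfy the CA's check.
    other_key = dict(ACCOUNT_JWK, x=b64url(bytes(32)))
    print("CA accepts own key:", ca_verify_http01(TOKEN, body, ACCOUNT_JWK))
    print("CA accepts other key:",
          ca_verify_http01(TOKEN, key_authorization(TOKEN, other_key), ACCOUNT_JWK))
```

The practical consequence for a mail host: http-01 requires the CA to reach port 80 on the name in the certificate, while dns-01 only requires the client to update a TXT record, so the choice of challenge decides what has to be exposed. In both cases the ACME account private key is the secret that binds orders to the operator and should be protected like the TLS key itself.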

@ikidd@lemmy.world (2 points, edited, 10 months ago)

Your SMTP should relay to the IMAP server but not be part of the same system, so only new mail in and out is compromised, not the old. Or the spam filter. Or the other relays.

The webmail is the least of it, but even that should be separated from the services, since that can compromise the user’s browser. And vice versa: if the user’s browser is owned and can infect the webserver, then the infection spreads all the way across the mail server instead of staying isolated to the nginx server.

Do one thing, and do it well. Then put them together, securely.

Ok, I can understand your concern now, but I feel like you’re basically saying that mail and self-hosting in general shouldn’t be streamlined at all and should be super complex. Because your recommendation puts a lot of the security burden on the end user building their setup out of various best-of-breed solutions. You would then yourself have to ensure all inter-solution communication is secure, as well as deploy every solution securely. Whereas with an all-in-one it’s generally on the developers and the larger FOSS community to ensure the package is secure internally, and the end user is only responsible for the deployment (i.e. that they follow the instructions and have reasonable security on the server they deploy to). Theoretically, if an end user is very bad at security then your recommendation doesn’t end up with a more secure solution overall; it would be just as easy to compromise as the all-in-one, if not easier.

@ikidd@lemmy.world (2 points, 10 months ago)

Not even saying that. Mailcow-dockerized is as simple to set up but separates the functions by container, and lets you specify secrets for database access, etc. outside the docker compose. Unfortunately, the other easy-to-set-up one, docker-mailserver, is a monolithic container as well.

I would also point out that people who don’t understand server security practices should probably stay way the hell away from self-hosting mail. When I did this professionally, I would compartmentalize the mail infra physically, then eventually by individual VMs. I now use unprivileged docker on its own docker host separate from the rest of my infra, in fact on another virtualized DMZ, because mail is the #2 point of contact for penetration.
