
[enhancement]: TLS support for FoundationDB store #794

Open
1 task done
tkpte opened this issue Sep 23, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@tkpte

tkpte commented Sep 23, 2024

Which feature or improvement would you like to request?

I'd like to see this feature:

Optional directives to specify the paths to the certificate, ca, and key files used by the Rust FoundationDB client to authenticate and establish a secure connection with the coordinator nodes from the fdb.cluster file.

Example config.toml:

[store."foundationdb"]
type = "foundationdb"
cluster-file = "/path/to/fdb.cluster"
tls_certificate_file = "/path/to/fdb.pem"
tls_key_file = "/path/to/private.key"
tls_ca_file = "/path/to/cert.crt"
tls_verify_peers = "Check.Valid=0"

Example with fdbcli:

fdbcli --tls_certificate_file="/path/to/fdb.pem" --tls_key_file="/path/to/private.key" --tls_ca_file="/path/to/cert.crt" --tls_verify_peers="Check.Valid=0" --exec "status"

Example with Rust FoundationDB client:

???

I spent a few hours trying to understand how the foundationdb and foundationdb-sys libraries work, but it is not easy without any prior experience in Rust and very little in C. The client supports TLS though, as we can see in the foundationdb-sys options file with enums like FDB_NET_OPTION_TLS_CERT_PATH, FDB_NET_OPTION_TLS_KEY_PATH, FDB_NET_OPTION_TLS_CA_PATH, and FDB_NET_OPTION_TLS_VERIFY_PEERS.


I'd like to see this other feature too:

Support for FoundationDB v7.3.x.

Stalwart /crates/store/Cargo.toml:

foundationdb = { version = "0.9.0", features = ["embedded-fdb-include", "fdb-7_1"], optional = true }

but the latest version of the foundationdb crate already supports the fdb-7_3 feature (See).

Is your feature request related to a problem?

This is necessary because FoundationDB only supports a single authentication method, which is mutual TLS.

Code of Conduct

  • I agree to follow this project's Code of Conduct
@tkpte tkpte added the enhancement New feature or request label Sep 23, 2024
@CybersShell

CybersShell commented Sep 27, 2024

I do agree that native support for FoundationDB TLS in Stalwart is best.

I have solved this issue for now in the following way:

I have added an EnvironmentFile directive to the [Service] section of the Systemd service file:

[Service]
...
first set of options
...
EnvironmentFile=/path/to/stalwart/systemd/env/file
ExecStart=/opt/stalwart-mail/bin/stalwart-mail --config=/opt/stalwart-mail/etc/config.toml
...
last set of options
...

The EnvironmentFile uses the environment variables specified in the official FoundationDB TLS Documentation.

One note: you must make sure you allow the stalwart-mail user access to the certificate files. I used setfacl:

setfacl -Rm stalwart-mail:rx /path/to/certs
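
The workaround above in runnable form, as an added example that is not code from the issue, from Stalwart or from FoundationDB: a small POSIX shell script that writes the systemd EnvironmentFile and lints it before the service is started. The FDB_TLS_CERTIFICATE_FILE, FDB_TLS_KEY_FILE, FDB_TLS_CA_FILE and FDB_TLS_VERIFY_PEERS names are the variables documented for the FoundationDB client library, which reads them itself, so they also answer the first comment's open question of how to hand the paths to a client process whose Rust wrapper does not expose the options. Every file path and the temporary directory are constructed placeholders; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the issue or from Stalwart. It generates the systemd
# EnvironmentFile used in the workaround and lints it before the service starts.
# Variable names are the ones documented for the FoundationDB client (FDB_TLS_*);
# every path used below is a constructed placeholder.

# write_fdb_tls_env OUTFILE CERT_PATH KEY_PATH CA_PATH [VERIFY_PEERS]
# VERIFY_PEERS defaults to Check.Valid=1, i.e. the client validates the server chain.
write_fdb_tls_env() {
    umask 077
    cat > "$1" <<EOF
FDB_TLS_CERTIFICATE_FILE=$2
FDB_TLS_KEY_FILE=$3
FDB_TLS_CA_FILE=$4
FDB_TLS_VERIFY_PEERS=${5:-Check.Valid=1}
EOF
}

# env_value ENVFILE VAR: last assignment of VAR in ENVFILE, surrounding quotes removed.
env_value() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    v=${v#\"}; v=${v%\"}
    printf '%s\n' "$v"
}

# check_fdb_tls_env ENVFILE
# Returns 0 when every referenced file is set and readable by the calling user
# and peer verification has not been switched off; otherwise reports and returns 1.
# Run it as the service account (e.g. sudo -u stalwart-mail sh this.sh) to test the ACLs.
check_fdb_tls_env() {
    envfile=$1
    rc=0
    for var in FDB_TLS_CERTIFICATE_FILE FDB_TLS_KEY_FILE FDB_TLS_CA_FILE; do
        path=$(env_value "$envfile" "$var")
        if [ -z "$path" ]; then
            echo "$var: not set in $envfile"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$var: $path is missing or not readable by $(id -un)"; rc=1
        fi
    done
    case "$(env_value "$envfile" FDB_TLS_VERIFY_PEERS)" in
        *Check.Valid=0*)
            echo "FDB_TLS_VERIFY_PEERS disables certificate validation (Check.Valid=0)"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
for f in fdb.pem private.key cert.crt; do : > "$demo_dir/$f"; done
write_fdb_tls_env "$demo_dir/fdb-tls.env" "$demo_dir/fdb.pem" "$demo_dir/private.key" "$demo_dir/cert.crt"
if check_fdb_tls_env "$demo_dir/fdb-tls.env"; then
    echo "ok: $demo_dir/fdb-tls.env"
fi
rm -rf "$demo_dir"
```

The lint treats Check.Valid=0 as a failure on purpose: that setting switches off validation of the coordinators' certificate chain, so a client will accept any certificate the peer presents, and the default Check.Valid=1 is what mutual TLS is meant to enforce. Running the check under the service account is the quickest way to confirm that a setfacl grant like the one above actually reaches every file in the chain.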

@tkpte

tkpte commented Sep 30, 2024

Thanks so much, this works! I agree it would be good to have the directives in config.toml, but if this works, it's fine to me.
