Can caddy-l4 do automated TLS renewal?

I have an app which accepts plaintext SMTP connections, and it does support TLS certificates but renewals are a bit flaky, so I’d like to use caddy-l4 to that end.

Effectively, what I’m looking for is to replicate the configuration for SMTP on port 465 where there’s a TLS wrapping layer before the SMTP session starts.

However, the example of “TCP reverse proxy that terminates TLS on 993” does not seem to mention any domain names associated with the TLS configuration, although I do see a way to override the domain name for the TLS directive using dns_challenge_override_domain.

Does this mean, for the example above, where I want to terminate TLS for SMTP, I’d have to do this:

{
    layer4 {
        0.0.0.0:465 {
            route {
                tls my@email.com {
                    dns cloudflare ...
                    dns_challenge_override_domain my.example.com
                }
                proxy {
                    upstream localhost:3465
                }
            }
        }
    }
}

Thanks in advance.

I imagine it works like this; it will automatically match the certificate from the site block when `tls sni` is used.

# Global Options
{
	layer4 {
		tcp/:465 {
			@3f0824af-b877-40d5-8e60-b54df442599d tls sni mail.example.com
			route @3f0824af-b877-40d5-8e60-b54df442599d {
				tls
				proxy tcp/localhost:3465 {
				}
			}
		}
	}
}

# Site Block
mail.example.com {
	tls {
		issuer acme {
			dns cloudflare randomapikey
			resolvers 1.1.1.1
		}
	}
}
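What the `tls sni mail.example.com` matcher in the reply keys on is the Server Name Indication carried in the client's very first TLS record, which on port 465 (implicit TLS) arrives before a single SMTP byte is exchanged. The Python script below is an added illustration, not code from this thread or from caddy-l4 itself: it builds a genuine ClientHello offline with Python's in-memory BIOs, pulls the SNI out of it the way a layer4 matcher would, and applies the same match-or-drop decision. The upstream `localhost:3465` is taken from the thread; the function names and the routing strings are my own.

```python
import ssl
import struct


def client_hello_bytes(server_name: str) -> bytes:
    """Produce a real TLS ClientHello for server_name without any network I/O,
    using Python's in-memory BIO pair. It stands in for the first bytes a mail
    client sends to port 465, where TLS wraps the SMTP session from the start."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, the client now waits for the server
    return outgoing.read()


def extract_sni(data: bytes):
    """Parse the SNI host name from a TLS record holding a ClientHello.
    Returns None if the bytes are not a ClientHello or carry no SNI extension."""
    # TLS record header: content type (1, 0x16 = handshake), version (2), length (2)
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg type (1, 0x01 = ClientHello), length (3)
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32  # skip client_version and random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]  # session_id (1-byte length prefix)
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]  # compression_methods
    if len(hello) < pos + 2:
        return None
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:  # server_name extension
            # ServerNameList: list length (2), then name_type (1), name length (2), name
            if len(ext) < 5:
                return None
            name_type = ext[2]
            name_len = struct.unpack("!H", ext[3:5])[0]
            if name_type == 0:  # host_name
                return ext[5:5 + name_len].decode("ascii", "replace")
    return None


def route_for(data: bytes, expected: str) -> str:
    """Mimic the reply's layer4 route: only a connection whose announced SNI
    equals the configured name reaches the TLS-terminating proxy; anything
    else matches no route and is not proxied (hypothetical labels, not caddy's)."""
    if extract_sni(data) == expected:
        return "terminate TLS, proxy to localhost:3465"
    return "no route matched"
```

The matcher only sees what the client announces, so a client presenting no SNI or a different name is not handed the mail certificate at all; the certificate itself is managed by the `mail.example.com` site block, which is what keeps its issuance and renewal on Caddy's normal automated path.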