external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2025-04-20 02:52:11 +00:00
Code Issues Releases Wiki Activity

first start of some changes; not yet completed.

Browse Source
This commit is contained in:
A. Schippers 2020-03-22 21:13:52 +01:00
parent 3f09c88097
commit 671350c80f
2 changed files with 22 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
management/dns_update.py
View File

@ -304,9 +304,18 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
if not has_rec(qname, rtype): if not has_rec(qname, rtype):
records.append((qname, rtype, value, explanation)) records.append((qname, rtype, value, explanation))
# Adds autoconfiguration A records for all domains. # If this is a domain name that there are email addresses configured for, i.e. "something@"
# mta-sts.* - required A record for mta-sts (serving the policy) # this domain name, then the domain name is a MTA-STS (https://tools.ietf.org/html/rfc8461)
# Policy Domain.
#
# A "_mta-sts" TXT record signals the presence of a MTA-STS policy, and an effectively random policy
# ID is used to signal that a new policy may (or may not) be deployed any time the DNS is
# updated.
#
# The policy itself is served at the "mta-sts" (no underscore) subdomain over HTTPS. The
# TLS certificate used by Postfix for STARTTLS must be a valid certificate for the MX
# name (PRIMARY_HOSTNAME), so we do not set an MTA-STS policy if the certificate is not
# valid (e.g. because it is self-signed and a valid certificate has not yet been provisioned).
get_prim_cert = get_ssl_certificates(env)[env['PRIMARY_HOSTNAME']] get_prim_cert = get_ssl_certificates(env)[env['PRIMARY_HOSTNAME']]
response = check_certificate(env['PRIMARY_HOSTNAME'], get_prim_cert['certificate'],get_prim_cert['private-key']) response = check_certificate(env['PRIMARY_HOSTNAME'], get_prim_cert['certificate'],get_prim_cert['private-key'])
# we don't want those records on the primary hostname # we don't want those records on the primary hostname
@ -317,8 +326,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Provides MTA-STS support"), ("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Provides MTA-STS support"),
("_mta-sts", "TXT", "v=STSv1; id=%sZ" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Enables MTA-STS support") ("_mta-sts", "TXT", "v=STSv1; id=%sZ" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Enables MTA-STS support")
] ]
# Skip if the user has set a custom _smtp._tls record. # Rules can be custom configured accoring to https://tools.ietf.org/html/rfc8460.
# Skip if the rules below if the user has set a custom _smtp._tls record.
if not has_rec("_smtp._tls", "TXT", prefix="v=TLSRPTv1;"): if not has_rec("_smtp._tls", "TXT", prefix="v=TLSRPTv1;"):
# if the alias 'tlsrpt@PRIMARY_HOSTNAME' is configured, automaticly, reporting will be enabled to this email address
tls_rpt_email = "tlsrpt@%s" % env['PRIMARY_HOSTNAME'] tls_rpt_email = "tlsrpt@%s" % env['PRIMARY_HOSTNAME']
tls_rpt_string = "" tls_rpt_string = ""
for alias in get_mail_aliases(env): for alias in get_mail_aliases(env):

12
security.md
View File

@ -98,11 +98,7 @@ While domain policy records prevent other servers from sending mail with a "From
The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.) The box restricts the envelope sender address (also called the return path or MAIL FROM address --- this is different from the "From:" header) that users may put into outbound mail. The envelope sender address must be either their own email address (their SMTP login username) or any alias that they are listed as a permitted sender of. (There is currently no restriction on the contents of the "From:" header.)
### MTA-STS Incoming Mail
SMTP MTA Strict Transport Security ([SMTP MTA-STS for short](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security)).
MTA-STS is a mechanism that instructs an SMTP server that the communication with the other SMTP server MUST be encrypted and that the domain name on the certificate should match the domain in the policy. It uses a combination of DNS and HTTPS to publish a policy that tells the sending party what to do when an encrypted channel can not be negotiated.
------------- -------------
@ -114,6 +110,12 @@ As discussed above, there is no way to require on-the-wire encryption of mail. W
When DNSSEC is enabled at the box's domain name's registrar, [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records are automatically published in DNS. Senders supporting DANE will enforce encryption on-the-wire between them and the box --- see the section on DANE for outgoing mail above. ([source](management/dns_update.py)) When DNSSEC is enabled at the box's domain name's registrar, [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) records are automatically published in DNS. Senders supporting DANE will enforce encryption on-the-wire between them and the box --- see the section on DANE for outgoing mail above. ([source](management/dns_update.py))
### MTA-STS
SMTP MTA Strict Transport Security ([SMTP MTA-STS for short](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security)).
MTA-STS is a mechanism that instructs an SMTP server that the communication with the other SMTP server MUST be encrypted and that the domain name on the certificate should match the domain in the policy. It uses a combination of DNS and HTTPS to publish a policy that tells the sending party what to do when an encrypted channel can not be negotiated.
### Filters ### Filters
Incoming mail is run through several filters. Email is bounced if the sender's IP address is listed in the [Spamhaus Zen blacklist](http://www.spamhaus.org/zen/) or if the sender's domain is listed in the [Spamhaus Domain Block List](http://www.spamhaus.org/dbl/). Greylisting (with [postgrey](http://postgrey.schweikert.ch/)) is also used to cut down on spam. ([source](setup/mail-postfix.sh)) Incoming mail is run through several filters. Email is bounced if the sender's IP address is listed in the [Spamhaus Zen blacklist](http://www.spamhaus.org/zen/) or if the sender's domain is listed in the [Spamhaus Domain Block List](http://www.spamhaus.org/dbl/). Greylisting (with [postgrey](http://postgrey.schweikert.ch/)) is also used to cut down on spam. ([source](setup/mail-postfix.sh))