diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf
index 1db7606c..edde36ad 100644
--- a/conf/nginx-alldomains.conf
+++ b/conf/nginx-alldomains.conf
@@ -19,6 +19,10 @@
 alias /var/lib/mailinabox/mozilla-autoconfig.xml;
 }
 
+ location = /.well-known/mta-sts.txt {
+ alias /var/lib/mailinabox/mta-sts.txt;
+ }
+
 # Roundcube Webmail configuration.
 rewrite ^/mail$ /mail/ redirect;
 rewrite ^/mail/$ /mail/index.php;
diff --git a/management/dns_update.py b/management/dns_update.py
index 5c1969d7..9dbad6b2 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -228,6 +228,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 defaults = [
 (None, "A", env["PUBLIC_IP"], "Required. May have a different value. Sets the IP address that %s resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery." % domain),
 (None, "AAAA", env.get('PUBLIC_IPV6'), "Optional. Sets the IPv6 address that %s resolves to, e.g. for web hosting. (It is not necessary for receiving mail on this domain.)" % domain),
+ ("mta-sts", "A", env["PUBLIC_IP"], "Required. For MTA-STS verification."),
+ ("mta-sts", "AAAA", env.get('PUBLIC_IPV6'), "Required. For MTA-STS verification."),
+ ("_smtp._tls", "TXT", "v=TLSRPTv1; rua=mailto:postmaster@%s" % domain, "Required. For MTA-STS verification."),
+ ("_mta-sts", "TXT", "v=STSv1;id=%sZ;" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Required. For MTA-STS verification.")
 ]
 if "www." + domain in www_redirect_domains:
 defaults += [
diff --git a/management/web_update.py b/management/web_update.py
index 61b38a7b..43e9c3bf 100644
--- a/management/web_update.py
+++ b/management/web_update.py
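Review bot: The new `location = /.well-known/mta-sts.txt` block lives in nginx-alldomains.conf, so the policy is answered on every hostname the box serves, whereas RFC 8461 has senders fetch it only from `https://mta-sts.<domain>/.well-known/mta-sts.txt` and requires the response to carry a `text/plain` media type. The alias of a `.txt` file gets `text/plain` only through the standard `mime.types` mapping, which I cannot confirm is included from this hunk; adding `default_type text/plain;` inside the location makes that independent of the include. Serving the file on the other hostnames is harmless, but it could be scoped to the `mta-sts.` server names if those ever get their own server block.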
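Review bot: The `_mta-sts` TXT record's `id` is taken from `datetime.datetime.now()` at zone-build time, so every rebuild of the zone publishes a new id even when /var/lib/mailinabox/mta-sts.txt has not changed, while a policy change that happens without a zone rebuild publishes no new id at all; senders only refetch a cached policy when the id changes, so the id should be derived from the policy itself, e.g. a truncated digest of the policy file's contents (RFC 8461 allows 1–32 alphanumeric characters). Because the value differs on every run, the zone text also changes on every run, which will register as a change in whatever comparison the rest of dns_update.py does before rewriting or re-signing zone files (build_zone's body continues outside the hunk, so I cannot confirm that path here). Unless `datetime` is already imported at the top of dns_update.py, this line raises NameError the first time a zone is built. Separately, the `_smtp._tls` record is TLSRPT (RFC 8460), an optional reporting companion rather than part of MTA-STS verification, so its description `"Required. For MTA-STS verification."` is misleading in the admin UI; `"Optional. Requests TLS failure reports (TLSRPT) for this domain."` would be accurate.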
@@ -23,7 +23,10 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 # to the main domain for. We'll add 'www.' to any DNS zones, i.e.
 # the topmost of each domain we serve.
 domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
-
+
+ # add the required subdomains for MTA-STS
+ domains |= set('mta-sts.' + zone for zone, zonefile in get_dns_zones(env))
+
 if exclude_dns_elsewhere:
 # ...Unless the domain has an A/AAAA record that maps it to a different
 # IP address than this box. Remove those domains from our list.
diff --git a/setup/web.sh b/setup/web.sh
index ed37e5e3..b94b9e4e 100755
--- a/setup/web.sh
+++ b/setup/web.sh
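Review bot: The added line calls `get_dns_zones(env)` a second time only to walk the same zones already iterated for the `www.` names two lines above; binding the zone list once and building both sets from it reads better and avoids repeating whatever work get_dns_zones does: `zones = [zone for zone, _ in get_dns_zones(env)]`, `domains |= {'www.' + z for z in zones}`, `domains |= {'mta-sts.' + z for z in zones}`. The set-comprehension form also replaces the `set(... for ...)` wrapper. Note that an `mta-sts.<zone>` name is only useful once the box holds a certificate valid for it, since senders fetch the policy over HTTPS and validate that exact name; the `exclude_dns_elsewhere` branch below presumably drops zones hosted elsewhere, but get_web_domains starts and ends outside this hunk so I cannot confirm the certificate side from here.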
@@ -83,6 +83,80 @@ cat conf/mozilla-autoconfig.xml \
 > /var/lib/mailinabox/mozilla-autoconfig.xml
 chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
 
+# create the MTA-STS policy
+cat << EOF | tee /var/lib/mailinabox/mta-sts.txt
+version: STSv1
+mode: enforce
+mx: \$PRIMARY_HOSTNAME
+max_age: 86400
+EOF
+chmod a+r /var/lib/mailinabox/mta-sts.txt
+
+# install the postfix MTA-STS resolver
+/usr/bin/pip3 install postfix-mta-sts-resolver
+# add a user to use solely for MTA-STS resolution
+useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /sbin/nologin
+# create systemd services for MTA-STS
+cat > /etc/systemd/system/postfix-mta-sts-daemon@.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon instance
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=mta-sts
+Group=mta-sts
+ExecStart=/usr/local/bin/mta-sts-daemon
+Restart=always
+KillMode=process
+TimeoutStartSec=10
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/postfix-mta-sts.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/systemctl start postfix-mta-sts-daemon@main.service
+ExecReload=/bin/systemctl start postfix-mta-sts-daemon@backup.service ; /bin/systemctl restart postfix-mta-sts-daemon@main.service ; /bin/systemctl stop postfix-mta-sts-daemon@backup.service
+ExecStop=/bin/systemctl stop postfix-mta-sts-daemon@main.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# configure the MTA-STS daemon for postfix
+cat > /etc/postfix/mta-sts-daemon.yml << EOF
+host: 127.0.0.1
+port: 8461
+cache:
+ type: internal
+ options:
+ cache_size: 10000
+default_zone:
+ strict_testing: true
+ timeout: 4
+zones:
+ myzone:
+ strict_testing: false
+ timeout: 4
+EOF
+
+# add postfix configuration
+tools/editconf.py /etc/postfix/main.cf -s \
+ smtp_tls_policy_maps=socketmap:inet:127.0.0.1:8461:postfix
+
+# enable and start the MTA-STS service
+/bin/systemctl enable postfix-mta-sts.service
+/bin/systemctl start postfix-mta-sts.service
+
 # make a default homepage
 if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC
 mkdir -p $STORAGE_ROOT/www/default
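Review bot: The policy heredoc writes `mx: \$PRIMARY_HOSTNAME`, and in an unquoted heredoc the backslash keeps the literal text `$PRIMARY_HOSTNAME` in /var/lib/mailinabox/mta-sts.txt instead of the hostname; since the same file sets `mode: enforce`, a sender that honours the policy finds no MX matching that pattern and refuses to deliver to the box, so unless something I cannot see substitutes it later this is a mail-delivery outage and the line should read `mx: $PRIMARY_HOSTNAME`. Even with the variable fixed, RFC 8461 recommends publishing `mode: testing` first and moving to enforce only after TLSRPT reports show clean results, because any mismatch between the MX certificate and the published pattern is a hard failure in enforce mode. `useradd ... mta-sts` is not idempotent: on a re-run of setup it exits non-zero because the user exists, which aborts the script if web.sh runs under `set -e` (the script header is outside the hunk); `id mta-sts >/dev/null 2>&1 || useradd -r -c "Daemon for MTA-STS policy checks" -s /usr/sbin/nologin mta-sts` guards it, makes it a system account, and uses the path where nologin lives on Ubuntu. `/usr/bin/pip3 install postfix-mta-sts-resolver` installs whatever PyPI serves at setup time, as root and with no version pin, so the component that decides the box's outbound TLS policy is an unverified download; pin the version (and ideally hashes) the way the rest of setup pins its sources. In /etc/postfix/mta-sts-daemon.yml, `strict_testing: true` under `default_zone` makes the resolver, as I read that option, treat every remote domain's `testing` policy as enforced, which is stricter than the spec and can bounce outbound mail to domains still in testing; `false` is the spec-conformant setting there.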