Add MTA-STS verification

management/dns_update.py

@@ -228,6 +228,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 	defaults = [
 		(None,  "A",    env["PUBLIC_IP"],       "Required. May have a different value. Sets the IP address that %s resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery." % domain),
 		(None,  "AAAA", env.get('PUBLIC_IPV6'), "Optional. Sets the IPv6 address that %s resolves to, e.g. for web hosting. (It is not necessary for receiving mail on this domain.)" % domain),
+		("mta-sts",  "A", env["PUBLIC_IP"], "Required. For MTA-STS verification."),
+		("mta-sts",  "AAAA", env.get('PUBLIC_IPV6'), "Required. For MTA-STS verification."),
+		("_smtp._tls", "TXT", "v=TLSRPTv1; rua=mailto:postmaster@%s" % domain, "Required. For MTA-STS verification."),
+		("_mta-sts", "TXT", "v=STSv1;id=%sZ;" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Required. For MTA-STS verification.")
 	]
 	if "www." + domain in www_redirect_domains:
 		defaults += [

management/web_update.py

@@ -23,7 +23,10 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 		# to the main domain for. We'll add 'www.' to any DNS zones, i.e.
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
-	 
+
+	# add the required subdomains for MTA-STS
+	domains |= set('mta-sts.' + zone for zone, zonefile in get_dns_zones(env))
+
 	if exclude_dns_elsewhere:
 		# ...Unless the domain has an A/AAAA record that maps it to a different
 		# IP address than this box. Remove those domains from our list.