Add MTA-STS verification

conf/nginx-alldomains.conf

@@ -19,6 +19,10 @@
 		alias /var/lib/mailinabox/mozilla-autoconfig.xml;
 	}
 
+	location = /.well-known/mta-sts.txt {
+		alias /var/lib/mailinabox/mta-sts.txt;
+	}
+
 	# Roundcube Webmail configuration.
 	rewrite ^/mail$ /mail/ redirect;
 	rewrite ^/mail/$ /mail/index.php;

management/dns_update.py

@@ -228,6 +228,10 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 	defaults = [
 		(None,  "A",    env["PUBLIC_IP"],       "Required. May have a different value. Sets the IP address that %s resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery." % domain),
 		(None,  "AAAA", env.get('PUBLIC_IPV6'), "Optional. Sets the IPv6 address that %s resolves to, e.g. for web hosting. (It is not necessary for receiving mail on this domain.)" % domain),
+		("mta-sts",  "A", env["PUBLIC_IP"], "Required. For MTA-STS verification."),
+		("mta-sts",  "AAAA", env.get('PUBLIC_IPV6'), "Required. For MTA-STS verification."),
+		("_smtp._tls", "TXT", "v=TLSRPTv1; rua=mailto:postmaster@%s" % domain, "Required. For MTA-STS verification."),
+		("_mta-sts", "TXT", "v=STSv1;id=%sZ;" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Required. For MTA-STS verification.")
 	]
 	if "www." + domain in www_redirect_domains:
 		defaults += [

management/web_update.py

@@ -24,6 +24,9 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
 
+	# add the required subdomains for MTA-STS
+	domains |= set('mta-sts.' + zone for zone, zonefile in get_dns_zones(env))
+
 	if exclude_dns_elsewhere:
 		# ...Unless the domain has an A/AAAA record that maps it to a different
 		# IP address than this box. Remove those domains from our list.

setup/web.sh

@@ -83,6 +83,80 @@ cat conf/mozilla-autoconfig.xml \
 	 > /var/lib/mailinabox/mozilla-autoconfig.xml
 chmod a+r /var/lib/mailinabox/mozilla-autoconfig.xml
 
+# create the MTA-STS policy
+cat << EOF | tee /var/lib/mailinabox/mta-sts.txt
+version: STSv1
+mode: enforce
+mx: \$PRIMARY_HOSTNAME
+max_age: 86400
+EOF
+chmod a+r /var/lib/mailinabox/mta-sts.txt
+
+# install the postfix MTA-STS resolver
+/usr/bin/pip3 install postfix-mta-sts-resolver
+# add a user to use solely for MTA-STS resolution
+useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /sbin/nologin
+# create systemd services for MTA-STS
+cat > /etc/systemd/system/postfix-mta-sts-daemon@.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon instance
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=mta-sts
+Group=mta-sts
+ExecStart=/usr/local/bin/mta-sts-daemon
+Restart=always
+KillMode=process
+TimeoutStartSec=10
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/postfix-mta-sts.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/systemctl start postfix-mta-sts-daemon@main.service
+ExecReload=/bin/systemctl start postfix-mta-sts-daemon@backup.service ; /bin/systemctl restart postfix-mta-sts-daemon@main.service ; /bin/systemctl stop postfix-mta-sts-daemon@backup.service
+ExecStop=/bin/systemctl stop postfix-mta-sts-daemon@main.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# configure the MTA-STS daemon for postfix
+cat > /etc/postfix/mta-sts-daemon.yml << EOF
+host: 127.0.0.1
+port: 8461
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+default_zone:
+  strict_testing: true
+  timeout: 4
+zones:
+  myzone:
+    strict_testing: false
+    timeout: 4
+EOF
+
+# add postfix configuration
+tools/editconf.py /etc/postfix/main.cf -s \
+	smtp_tls_policy_maps=socketmap:inet:127.0.0.1:8461:postfix
+
+# enable and start the MTA-STS service
+/bin/systemctl enable postfix-mta-sts.service
+/bin/systemctl start postfix-mta-sts.service
+
 # make a default homepage
 if [ -d $STORAGE_ROOT/www/static ]; then mv $STORAGE_ROOT/www/static $STORAGE_ROOT/www/default; fi # migration #NODOC
 mkdir -p $STORAGE_ROOT/www/default