1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-12-24 07:37:04 +00:00

Initial outgoing MTA-STS support

This commit is contained in:
Michael Kroes 2020-05-30 16:17:11 +02:00
parent bc1be9d70a
commit c585192dd7

View File

@ -260,6 +260,81 @@ chmod +x /etc/cron.daily/mailinabox-postgrey-whitelist
tools/editconf.py /etc/postfix/main.cf \
message_size_limit=134217728
# install the postfix MTA-STS resolver. the MTA-STS resolver service is
# used by Postfix to ensure outgoing mail uses TLS when the recipient
# announces MTA-STS.
hide_output /usr/bin/pip3 install --upgrade postfix-mta-sts-resolver aiosqlite
# add a user to use solely for MTA-STS resolution
id -u mta-sts &>/dev/null || useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /usr/sbin/nologin
# create systemd services for MTA-STS
cat > /etc/systemd/system/postfix-mta-sts-daemon@.service << EOF
[Unit]
Description=Postfix MTA STS daemon instance
After=syslog.target network.target
[Service]
Type=notify
User=mta-sts
Group=mta-sts
ExecStart=/usr/local/bin/mta-sts-daemon
Restart=always
KillMode=process
TimeoutStartSec=10
TimeoutStopSec=30
[Install]
WantedBy=multi-user.target
EOF
cat > /etc/systemd/system/postfix-mta-sts.service << EOF
[Unit]
Description=Postfix MTA STS daemon
After=syslog.target network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/systemctl start postfix-mta-sts-daemon@main.service
ExecReload=/bin/systemctl start postfix-mta-sts-daemon@backup.service ; /bin/systemctl restart postfix-mta-sts-daemon@main.service ; /bin/systemctl stop postfix-mta-sts-daemon@backup.service
ExecStop=/bin/systemctl stop postfix-mta-sts-daemon@main.service
[Install]
WantedBy=multi-user.target
EOF
# create the cache directory for the MTA-STS daemon
mkdir -p $STORAGE_ROOT/mta-sts
chown -R mta-sts:mta-sts $STORAGE_ROOT/mta-sts
# configure the MTA-STS daemon for postfix
cat > /etc/mta-sts-daemon.yml << EOF
host: 127.0.0.1
port: 8461
reuse_port: true
shutdown_timeout: 20
cache:
type: sqlite
options:
filename: "$STORAGE_ROOT/mta-sts/mta-sts-cache.db"
default_zone:
strict_testing: false
timeout: 4
zones:
myzone:
strict_testing: false
timeout: 4
EOF
# add postfix configuration
tools/editconf.py /etc/postfix/main.cf \
smtp_tls_policy_maps=socketmap:inet:127.0.0.1:8461:postfix
# enable and start the MTA-STS service
hide_output /bin/systemctl enable postfix-mta-sts.service
restart_service postfix-mta-sts
# Allow the two SMTP ports in the firewall.
ufw_allow smtp