diff --git a/deploy-chatmail/src/deploy_chatmail/__init__.py b/deploy-chatmail/src/deploy_chatmail/__init__.py
index 82794854..0dd152bb 100644
--- a/deploy-chatmail/src/deploy_chatmail/__init__.py
+++ b/deploy-chatmail/src/deploy_chatmail/__init__.py
@@ -207,7 +207,7 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
     return need_restart
-def _configure_nginx(domain: str, debug: bool = False) -> bool:
+def _configure_nginx(domain: str, mail_server: str) -> bool:
     """Configures nginx HTTP server."""
     need_restart = False
@@ -231,6 +231,16 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
     )
     need_restart |= autoconfig.changed
+    mta_sts_config = files.template(
+        src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
+        dest="/var/www/html/.well-known/mta-sts.txt",
+        user="root",
+        group="root",
+        mode="644",
+        config={"mail_server": mail_server},
+    )
+    need_restart |= mta_sts_config.changed
     return need_restart
diff --git a/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2 b/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
new file mode 100644
index 00000000..a74f64d0
--- /dev/null
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
@@ -0,0 +1,4 @@
+version: STSv1
+mode: enforce
+max_age: 2419200 # 28 days
+mx: {{ config.mail_server }}
diff --git a/scripts/generate-dns-zone.sh b/scripts/generate-dns-zone.sh
index 3f01d70d..0480ca3e 100755
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
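Review bot: The new signature drops the `debug` keyword and adds `mail_server` as a required positional, so any caller still passing `debug=` or only `domain` now fails with a TypeError; the call site is outside this hunk, so confirm it was updated in the same change. The sibling `_configure_dovecot(mail_server: str, debug: bool = False)` visible in the hunk header keeps the old shape, so the two helpers are now inconsistent; if `debug` is genuinely unused here, keeping it as a trailing `debug: bool = False` costs nothing and preserves compatibility. The docstring should also say what the new argument is for, e.g. `"""Configures nginx HTTP server; ``mail_server`` is published as the MTA-STS ``mx`` host."""`. `_configure_nginx`'s body continues past the hunk.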
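Review bot: The policy is written under `/var/www/html/.well-known/`, but RFC 8461 §3.3 has senders fetch it only from `https://mta-sts.<domain>/.well-known/mta-sts.txt`, so nginx must answer for the `mta-sts.` subdomain with a certificate valid for that name; nothing in this hunk shows such a server block or SAN, so confirm it exists (the `autoconfig` template above shares the same docroot, which suggests a single catch-all server, but that is inferred). Because the template is enforce-mode, a fetchable policy whose `mx` does not equal the MX target or the CN/SAN of the certificate served on port 25 makes honoring senders refuse delivery, so `mail_server` deserves a guard or at least a comment before it is written: `# mail_server must match the zone's MX target and the port-25 TLS certificate; enforce-mode policy bounces mail otherwise`. A static file under the docroot also needs no nginx restart, so `need_restart |= mta_sts_config.changed` can be dropped. `_configure_nginx` starts before this hunk.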
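Review bot: `max_age: 2419200 # 28 days` is served verbatim, because Jinja2 strips only `{# … #}` comments, and the RFC 8461 §3.2 grammar permits nothing but digits and trailing whitespace after `max_age:`, so a strict sending MTA treats the whole policy as malformed. Change the line to `max_age: 2419200` and, if the note should stay, `{# 28 days #}`. Publishing `mode: enforce` on first deployment also means the first misconfiguration shows up as bounced mail rather than a report; RFC 8461 recommends starting with `mode: testing` and watching the TLSRPT reports this same change enables before switching to enforce.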
@@ -16,5 +16,8 @@ _submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
 _imap._tcp.$CHATMAIL_DOMAIN. SRV 0 1 143 $CHATMAIL_DOMAIN.
 _imaps._tcp.$CHATMAIL_DOMAIN. SRV 0 1 993 $CHATMAIL_DOMAIN.
 $CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
+_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
+_mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.
+_smtp._tls.$CHATMAIL_DOMAIN. IN TXT "v=TLSRPTv1; rua=mailto:$EMAIL"
 EOF
 $SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
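Review bot: `_mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.` sits at the same owner name as the `_mta-sts` TXT record added on the line above, and a CNAME may not coexist with any other record at a name (RFC 1034 §3.6.2), so the zone either fails to load or the TXT record is unusable. The policy host per RFC 8461 §3.3 is `mta-sts.<domain>` with no underscore; the line should read `mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.`, and the web server then needs a certificate covering that name, which the pinned-account CAA record above permits. The `id=$(date -u '+%Y%m%d%H%M')` value is a fresh minute stamp on every zone generation, which is fine as long as the zone is regenerated whenever the policy file changes; otherwise senders keep the cached policy for up to `max_age`.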