From 667a987dfcb61531d9c805cc71e1feae35acefa1 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Sun, 16 Feb 2025 15:43:17 +0000
Subject: [PATCH] Remove MTA-STS daemon
---
 cmdeploy/src/cmdeploy/__init__.py | 58 ++++++------------------
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 4 +-
 2 files changed, 16 insertions(+), 46 deletions(-)
diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index f50e5636..f89f169f 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -224,42 +224,21 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
     return need_restart
 
 
-def _install_mta_sts_daemon() -> bool:
-    need_restart = False
+def _uninstall_mta_sts_daemon() -> None:
+    # Remove configuration.
+    files.file("/etc/mta-sts-daemon.yml", present=False)
 
-    config = files.put(
-        name="upload postfix-mta-sts-resolver config",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.yml"
-        ),
-        dest="/etc/mta-sts-daemon.yml",
-        user="root",
-        group="root",
-        mode="644",
+    files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
+
+    files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
+
+    systemd.service(
+        name="Stop MTA-STS daemon",
+        service="mta-sts-daemon.service",
+        daemon_reload=True,
+        running=False,
+        enabled=False,
     )
-    need_restart |= config.changed
-
-    server.shell(
-        name="install postfix-mta-sts-resolver with pip",
-        commands=[
-            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
-            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
-        ],
-    )
-
-    systemd_unit = files.put(
-        name="upload mta-sts-daemon systemd unit",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.service"
-        ),
-        dest="/etc/systemd/system/mta-sts-daemon.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= systemd_unit.changed
-
-    return need_restart
 
 
 def _configure_postfix(config: Config, debug: bool = False) -> bool:
@@ -663,8 +642,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     debug = False
     dovecot_need_restart = _configure_dovecot(config, debug=debug)
     postfix_need_restart = _configure_postfix(config, debug=debug)
-    mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(config)
+    _uninstall_mta_sts_daemon()
     _remove_rspamd()
     opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
 
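Review bot: `_uninstall_mta_sts_daemon` deletes `/etc/systemd/system/mta-sts-daemon.service` (and the virtualenv the daemon runs from) before the `systemd.service(... running=False, enabled=False)` call that stops and disables it, so by the time `daemon_reload=True` runs the unit file is already gone; on a host that still has the old daemon, systemd then has nothing to disable and the enablement symlink, and possibly the running process, can be left behind (pyinfra's enabled/running facts may also be evaluated against the missing unit and skip the step — worth verifying). Move the `systemd.service(...)` call to the top of the function, ahead of the three `files.*` removals, so the service is stopped and disabled while its unit file still exists, and only then remove the unit, the virtualenv and the config. A short docstring in place of `# Remove configuration.` would also help, e.g. `"""Stop, disable and remove the MTA-STS resolver installed by earlier deploys."""`. If `server` and `importlib.resources` are not used elsewhere in the module, their imports are now unused.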
@@ -677,15 +656,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         restarted=opendkim_need_restart,
     )
 
-    systemd.service(
-        name="Start and enable MTA-STS daemon",
-        service="mta-sts-daemon.service",
-        daemon_reload=True,
-        running=True,
-        enabled=True,
-        restarted=mta_sts_need_restart,
-    )
-
     # Dovecot should be started before Postfix
     # because it creates authentication socket
     # required by Postfix.
diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index 973ca713..33ab5719 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -20,9 +20,9 @@ smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
+smtp_tls_security_level=verify
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+smtp_tls_policy_maps = inline:{nauta.cu=may}
 smtpd_tls_protocols = >=TLSv1.2
 # Disable anonymous cipher suites
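Review bot: `smtp_tls_security_level=verify` makes certificate verification mandatory for every outbound destination not listed in `smtp_tls_policy_maps`, so mail to an MX that presents a self-signed, expired or name-mismatched certificate is now deferred instead of being delivered over opportunistic TLS as before, and the single hardcoded exception `nauta.cu=may` has to be maintained by hand now that the MTA-STS lookup is gone. At the `verify` level Postfix still takes the name it matches from the MX record of an unauthenticated DNS lookup (the Postfix TLS_README notes this level is not an appropriate default for Internet delivery), so the gain against an active DNS attacker is limited while the deliverability impact is real; `dane` with DNSSEC-validating resolution is the usual way to get both. The template should record why these two lines were chosen, e.g. `# Outbound TLS: require a verifiable MX certificate; domains in smtp_tls_policy_maps fall back to opportunistic TLS.` above `smtp_tls_security_level=verify`, and it may be worth sourcing the exception list from the deploy config rather than hardcoding it in the template.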