diff --git a/deploy-chatmail/src/deploy_chatmail/__init__.py b/deploy-chatmail/src/deploy_chatmail/__init__.py
index 05507e2a..ff7b756f 100644
--- a/deploy-chatmail/src/deploy_chatmail/__init__.py
+++ b/deploy-chatmail/src/deploy_chatmail/__init__.py
@@ -133,6 +133,38 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
     return need_restart
 
 
+def _install_mta_sts_daemon() -> bool:
+    need_restart = False
+
+    config = files.put(
+        name="upload postfix-mta-sts-resolver config",
+        src=importlib.resources.files(__package__).joinpath("postfix/mta-sts-daemon.yml"),
+        dest="/etc/mta-sts-daemon.yml",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= config.changed
+
+    server.shell(
+        name="install postfix-mta-sts-resolver with pip",
+        commands=["python3 -m venv /var/lib/postfix-mta-sts-resolver",
+                  "/var/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver"],
+    )
+
+    systemd_unit = files.put(
+        name="upload mta-sts-daemon systemd unit",
+        src=importlib.resources.files(__package__).joinpath("postfix/mta-sts-daemon.service"),
+        dest="/etc/systemd/system/mta-sts-daemon.service",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= systemd_unit.changed
+
+    return need_restart
+
+
 def _configure_postfix(domain: str, debug: bool = False) -> bool:
     """Configures Postfix SMTP server."""
     need_restart = False
@@ -296,6 +328,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
     opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
     nginx_need_restart = _configure_nginx(mail_domain, mail_server)
+    mta_sts_need_restart = _install_mta_sts_daemon()
 
     # deploy web pages and info if we have them
     pkg_root = importlib.resources.files(__package__)
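Review bot: In `_install_mta_sts_daemon` the `server.shell` step runs `pip install postfix-mta-sts-resolver` with no version pin and no hash check, so every deploy fetches whatever PyPI currently serves for the component that decides outbound TLS policy, and its outcome is not folded into `need_restart`, so a freshly installed version keeps the old code running until a config or unit change happens to restart the daemon. Pin it, e.g. `"/var/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver==<PINNED_VERSION>"` (a requirements file installed with `--require-hashes` is better still), and consider pyinfra's `pip.packages` operation with its `virtualenv=` argument so the install is idempotent and reports a `changed` flag that can be ORed into `need_restart` — `server.shell` runs every time, which is presumably why it is left untracked. Whether `python3 -m venv` succeeds also depends on the `python3-venv` package being present, which this diff does not show being installed. The function lacks a docstring where its sibling `_configure_postfix` has one; `"""Install postfix-mta-sts-resolver into a venv and deploy its config and systemd unit."""` would match the file's style.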
@@ -311,6 +344,15 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
         restarted=opendkim_need_restart,
     )
 
+    systemd.service(
+        name="Start and enable MTA-STS daemon",
+        service="mta-sts-daemon.service",
+        daemon_reload=True,
+        running=True,
+        enabled=True,
+        restarted=mta_sts_need_restart,
+    )
+
     systemd.service(
         name="Start and enable Postfix",
         service="postfix.service",
diff --git a/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2 b/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
index 303aed13..b9f2496f 100644
--- a/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
@@ -23,6 +23,7 @@ smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 
 myhostname = {{ config.domain_name }}
diff --git a/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service
new file mode 100644
index 00000000..fc310d7e
--- /dev/null
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Postfix MTA-STS resolver daemon
+
+[Service]
+ExecStart=/var/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml
new file mode 100644
index 00000000..efcbce0c
--- /dev/null
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml
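Review bot: The added `smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix` in `main.cf.j2` makes every outbound delivery depend on the resolver being reachable, and nothing in the template records where that endpoint comes from or what happens when it is not answering. As far as I know Postfix treats a socketmap lookup error as a temporary failure and defers the message rather than falling back to plain `smtp_tls_security_level=may`, so the daemon being down stalls outbound mail until `Restart=always` brings it back. A comment above the line would make both facts visible: `# MTA-STS policy lookups served by mta-sts-daemon.service (config: postfix/mta-sts-daemon.yml); lookup errors defer delivery`. The address and port are duplicated literally in that yml and must be kept in step by hand.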
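Review bot: The new `mta-sts-daemon.service` has no `User=` or sandboxing, so a daemon that fetches remote HTTPS policies and answers Postfix on 127.0.0.1:8461 runs as root; it needs nothing beyond reading the venv under /var/lib/postfix-mta-sts-resolver and binding an unprivileged port, so it should drop privileges. The accompanying yml uses `cache: type: internal`, so it writes nothing to disk and `DynamicUser=yes` with `ProtectSystem=strict` should suffice, assuming the files pip installed as root are world-readable — worth confirming on a host. The unit also has no `After=network-online.target` ordering, so proactive policy fetching at boot may start before the network is up; `Restart=always` recovers from that, but the ordering is cheap.
```ini
[Unit]
Description=Postfix MTA-STS resolver daemon
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/var/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
DynamicUser=yes
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# … unchanged: Restart=, RestartSec=, [Install] section …
```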
@@ -0,0 +1,13 @@
+host: 127.0.0.1
+port: 8461
+reuse_port: true
+shutdown_timeout: 20
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+proactive_policy_fetching:
+  enabled: true
+default_zone:
+  strict_testing: false
+  timeout: 4
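Review bot: `host` and `port` in `mta-sts-daemon.yml` repeat the literal `127.0.0.1:8461` that `main.cf.j2` now points `smtp_tls_policy_maps` at, with nothing tying the two files together; a header comment, `# host/port must match smtp_tls_policy_maps in postfix/main.cf.j2`, would make the coupling visible, or the yml could be rendered from the same template variable. `default_zone.strict_testing: false` also deserves a one-line comment, since as I read the resolver's documentation it means a remote domain's `mode: testing` policy is reported to Postfix as no policy (the RFC 8461 behaviour) rather than enforced. `timeout: 4` and `cache_size: 10000` are plausible defaults, but a note on why these values were chosen would help the next reader.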