postfix: install MTA-STS resolver daemon

deploy-chatmail/src/deploy_chatmail/__init__.py

@@ -133,6 +133,38 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
     return need_restart
 
 
+def _install_mta_sts_daemon() -> bool:
+    need_restart = False
+
+    config = files.put(
+        name="upload postfix-mta-sts-resolver config",
+        src=importlib.resources.files(__package__).joinpath("postfix/mta-sts-daemon.yml"),
+        dest="/etc/mta-sts-daemon.yml",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= config.changed
+
+    server.shell(
+        name="install postfix-mta-sts-resolver with pip",
+        commands=["python3 -m venv /var/lib/postfix-mta-sts-resolver",
+                  "/var/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver"],
+    )
+
+    systemd_unit = files.put(
+        name="upload mta-sts-daemon systemd unit",
+        src=importlib.resources.files(__package__).joinpath("postfix/mta-sts-daemon.service"),
+        dest="/etc/systemd/system/mta-sts-daemon.service",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= systemd_unit.changed
+
+    return need_restart
+
+
 def _configure_postfix(domain: str, debug: bool = False) -> bool:
     """Configures Postfix SMTP server."""
     need_restart = False
@@ -296,6 +328,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
     opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
     nginx_need_restart = _configure_nginx(mail_domain, mail_server)
+    mta_sts_need_restart = _install_mta_sts_daemon()
 
     # deploy web pages and info if we have them
     pkg_root = importlib.resources.files(__package__)
@@ -311,6 +344,15 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
         restarted=opendkim_need_restart,
     )
 
+    systemd.service(
+        name="Start and enable MTA-STS daemon",
+        service="mta-sts-daemon.service",
+        daemon_reload=True,
+        running=True,
+        enabled=True,
+        restarted=mta_sts_need_restart,
+    )
+
     systemd.service(
         name="Start and enable Postfix",
         service="postfix.service",

deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2

@@ -23,6 +23,7 @@ smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.domain_name }}

deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Postfix MTA-STS resolver daemon
+
+[Service]
+ExecStart=/var/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml

@@ -0,0 +1,13 @@
+host: 127.0.0.1
+port: 8461
+reuse_port: true
+shutdown_timeout: 20
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+proactive_policy_fetching:
+  enabled: true
+default_zone:
+  strict_testing: false
+  timeout: 4