cqrenet/relay
4
0
Fork 0
mirror of https://github.com/chatmail/relay.git synced 2026-05-19 12:28:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

MTA-STS: the HTTPS route needs to be mta-sts.@ not _mta-sts

Browse Source
This commit is contained in:
missytake
2023-11-13 19:05:38 +01:00
parent 347dae1f84
commit d29d2d147b
3 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
deploy-chatmail/src/deploy_chatmail/__init__.py
View File

@@ -297,7 +297,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
) )
# Deploy acmetool to have TLS certificates. # Deploy acmetool to have TLS certificates.
deploy_acmetool(nginx_hook=True, domains=[mail_server]) deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
apt.packages( apt.packages(
name="Install Postfix", name="Install Postfix",

26
deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
View File

@@ -20,8 +20,6 @@ http {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
gzip on; gzip on;
@@ -30,6 +28,8 @@ http {
listen [::]:80 default_server; listen [::]:80 default_server;
listen 443 ssl default_server; listen 443 ssl default_server;
listen [::]:443 ssl default_server; listen [::]:443 ssl default_server;
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
root /var/www/html; root /var/www/html;
@@ -37,6 +37,28 @@ http {
server_name _; server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
}
server {
listen 80;
listen [::]:80;
listen 443 ssl;
listen [::]:443 ssl;
root /var/www/html;
index index.html index.htm;
server_name mta-sts.{{ config.domain_name }};
ssl_certificate /var/lib/acme/live/mta-sts.{{ config.domain_name }}/fullchain;
ssl_certificate_key /var/lib/acme/live/mta-sts.{{ config.domain_name }}/privkey;
location / { location / {
# First attempt to serve request as file, then # First attempt to serve request as file, then
# as directory, then fall back to displaying a 404. # as directory, then fall back to displaying a 404.

5
scripts/generate-dns-zone.sh
View File

@@ -18,13 +18,12 @@ _imap._tcp.$CHATMAIL_SERVER. SRV 0 1 143 $CHATMAIL_SERVER.
_imaps._tcp.$CHATMAIL_SERVER. SRV 0 1 993 $CHATMAIL_SERVER. _imaps._tcp.$CHATMAIL_SERVER. SRV 0 1 993 $CHATMAIL_SERVER.
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL" $CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')" _mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
_mta-sts.$CHATMAIL_SERVER. IN A $(dig +short $CHATMAIL_SERVER) mta-sts.$CHATMAIL_SERVER. IN CNAME $CHATMAIL_SERVER.
_mta-sts.$CHATMAIL_SERVER. IN AAAA $(dig AAAA +short $CHATMAIL_SERVER)
_smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL" _smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
EOF EOF
if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then
cat <<EOF cat <<EOF
_mta-sts.$CHATMAIL_DOMAIN. IN CNAME _mta-sts.$CHATMAIL_SERVER. mta-sts.$CHATMAIL_DOMAIN. IN CNAME mta-sts.$CHATMAIL_SERVER.
_smtp._tls.$CHATMAIL_DOMAIN. IN CNAME _smtp._tls.$CHATMAIL_SERVER. _smtp._tls.$CHATMAIL_DOMAIN. IN CNAME _smtp._tls.$CHATMAIL_SERVER.
EOF EOF
fi fi