mirror of
https://github.com/chatmail/relay.git
synced 2026-05-14 18:04:38 +00:00
Compare commits
23 Commits
hpk/fix_ac
...
support-se
| Author | SHA1 | Date | |
|---|---|---|---|
|
3a32817de8 | ||
|
|
c6dd4f9b21 | ||
|
|
a420e37612 | ||
|
|
5429f3e379 | ||
|
|
d2c98e9afc | ||
|
|
658d6923ae | ||
|
|
776bd87888 | ||
|
d7683ed3f7 | ||
|
|
0cc9f18468 | ||
|
|
889e18f803 | ||
|
|
773b8d1e00 | ||
|
|
dca6d35a6f | ||
|
|
d29d2d147b | ||
|
|
347dae1f84 | ||
|
|
63cbb83344 | ||
|
|
27d135fee7 | ||
|
|
ccd7c789f0 | ||
|
|
c7625fad81 | ||
|
|
5305dfab12 | ||
|
4478270fc9 | ||
|
|
e7c9992fdc | ||
|
|
a9d43c42f4 | ||
|
|
bbf2f0dd36 |
@@ -25,8 +25,8 @@ def _install_chatmaild() -> None:
|
|||||||
)
|
)
|
||||||
|
|
||||||
apt.packages(
|
apt.packages(
|
||||||
name="apt install python3-aiosmtpd",
|
name="apt install python3-aiosmtpd python3-pip python3-venv",
|
||||||
packages=["python3-aiosmtpd", "python3-pip"],
|
packages=["python3-aiosmtpd", "python3-pip", "python3-venv"],
|
||||||
)
|
)
|
||||||
|
|
||||||
# --no-deps because aiosmtplib is installed with `apt`.
|
# --no-deps because aiosmtplib is installed with `apt`.
|
||||||
@@ -133,6 +133,44 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
|
|||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
|
def _install_mta_sts_daemon() -> bool:
|
||||||
|
need_restart = False
|
||||||
|
|
||||||
|
config = files.put(
|
||||||
|
name="upload postfix-mta-sts-resolver config",
|
||||||
|
src=importlib.resources.files(__package__).joinpath(
|
||||||
|
"postfix/mta-sts-daemon.yml"
|
||||||
|
),
|
||||||
|
dest="/etc/mta-sts-daemon.yml",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
)
|
||||||
|
need_restart |= config.changed
|
||||||
|
|
||||||
|
server.shell(
|
||||||
|
name="install postfix-mta-sts-resolver with pip",
|
||||||
|
commands=[
|
||||||
|
"python3 -m venv /usr/local/lib/postfix-mta-sts-resolver",
|
||||||
|
"/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
systemd_unit = files.put(
|
||||||
|
name="upload mta-sts-daemon systemd unit",
|
||||||
|
src=importlib.resources.files(__package__).joinpath(
|
||||||
|
"postfix/mta-sts-daemon.service"
|
||||||
|
),
|
||||||
|
dest="/etc/systemd/system/mta-sts-daemon.service",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
)
|
||||||
|
need_restart |= systemd_unit.changed
|
||||||
|
|
||||||
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
def _configure_postfix(domain: str, debug: bool = False) -> bool:
|
def _configure_postfix(domain: str, debug: bool = False) -> bool:
|
||||||
"""Configures Postfix SMTP server."""
|
"""Configures Postfix SMTP server."""
|
||||||
need_restart = False
|
need_restart = False
|
||||||
@@ -207,7 +245,7 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
|
|||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
def _configure_nginx(domain: str, debug: bool = False) -> bool:
|
def _configure_nginx(domain: str, mail_server: str) -> bool:
|
||||||
"""Configures nginx HTTP server."""
|
"""Configures nginx HTTP server."""
|
||||||
need_restart = False
|
need_restart = False
|
||||||
|
|
||||||
@@ -231,6 +269,16 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
|
|||||||
)
|
)
|
||||||
need_restart |= autoconfig.changed
|
need_restart |= autoconfig.changed
|
||||||
|
|
||||||
|
mta_sts_config = files.template(
|
||||||
|
src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
|
||||||
|
dest="/var/www/html/.well-known/mta-sts.txt",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
config={"mail_server": mail_server},
|
||||||
|
)
|
||||||
|
need_restart |= mta_sts_config.changed
|
||||||
|
|
||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
@@ -255,7 +303,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
)
|
)
|
||||||
|
|
||||||
# Deploy acmetool to have TLS certificates.
|
# Deploy acmetool to have TLS certificates.
|
||||||
deploy_acmetool(nginx_hook=True, domains=[mail_server])
|
deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
|
||||||
|
|
||||||
apt.packages(
|
apt.packages(
|
||||||
name="Install Postfix",
|
name="Install Postfix",
|
||||||
@@ -285,7 +333,8 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
|
dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
|
||||||
postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
|
postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
|
||||||
opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
|
opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
|
||||||
nginx_need_restart = _configure_nginx(mail_domain)
|
nginx_need_restart = _configure_nginx(mail_domain, mail_server)
|
||||||
|
mta_sts_need_restart = _install_mta_sts_daemon()
|
||||||
|
|
||||||
# deploy web pages and info if we have them
|
# deploy web pages and info if we have them
|
||||||
pkg_root = importlib.resources.files(__package__)
|
pkg_root = importlib.resources.files(__package__)
|
||||||
@@ -301,6 +350,15 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
restarted=opendkim_need_restart,
|
restarted=opendkim_need_restart,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
systemd.service(
|
||||||
|
name="Start and enable MTA-STS daemon",
|
||||||
|
service="mta-sts-daemon.service",
|
||||||
|
daemon_reload=True,
|
||||||
|
running=True,
|
||||||
|
enabled=True,
|
||||||
|
restarted=mta_sts_need_restart,
|
||||||
|
)
|
||||||
|
|
||||||
systemd.service(
|
systemd.service(
|
||||||
name="Start and enable Postfix",
|
name="Start and enable Postfix",
|
||||||
service="postfix.service",
|
service="postfix.service",
|
||||||
|
|||||||
@@ -46,8 +46,7 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
|
|||||||
mode="644",
|
mode="644",
|
||||||
)
|
)
|
||||||
|
|
||||||
for domain in domains:
|
server.shell(
|
||||||
server.shell(
|
name=f"Request certificate for: { ', '.join(domains) }",
|
||||||
name=f"Request certificate for {domain}",
|
commands=[f"acmetool want { ' '.join(domains)}"],
|
||||||
commands=[f"acmetool want {domain}"],
|
)
|
||||||
)
|
|
||||||
|
|||||||
4
deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
Normal file
4
deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
version: STSv1
|
||||||
|
mode: enforce
|
||||||
|
mx: {{ config.mail_server }}
|
||||||
|
max_age: 2419200
|
||||||
@@ -20,8 +20,6 @@ http {
|
|||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
|
||||||
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
|
|
||||||
@@ -30,6 +28,8 @@ http {
|
|||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
listen 443 ssl default_server;
|
listen 443 ssl default_server;
|
||||||
listen [::]:443 ssl default_server;
|
listen [::]:443 ssl default_server;
|
||||||
|
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
||||||
|
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
||||||
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
|
|
||||||
@@ -37,6 +37,28 @@ http {
|
|||||||
|
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
# First attempt to serve request as file, then
|
||||||
|
# as directory, then fall back to displaying a 404.
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
root /var/www/html;
|
||||||
|
|
||||||
|
index index.html index.htm;
|
||||||
|
|
||||||
|
server_name mta-sts.{{ config.domain_name }};
|
||||||
|
|
||||||
|
ssl_certificate /var/lib/acme/live/mta-sts.{{ config.domain_name }}/fullchain;
|
||||||
|
ssl_certificate_key /var/lib/acme/live/mta-sts.{{ config.domain_name }}/privkey;
|
||||||
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# First attempt to serve request as file, then
|
# First attempt to serve request as file, then
|
||||||
# as directory, then fall back to displaying a 404.
|
# as directory, then fall back to displaying a 404.
|
||||||
|
|||||||
@@ -23,6 +23,7 @@ smtpd_tls_security_level=may
|
|||||||
smtp_tls_CApath=/etc/ssl/certs
|
smtp_tls_CApath=/etc/ssl/certs
|
||||||
smtp_tls_security_level=may
|
smtp_tls_security_level=may
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
|
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
|
||||||
|
|
||||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||||
myhostname = {{ config.domain_name }}
|
myhostname = {{ config.domain_name }}
|
||||||
|
|||||||
@@ -0,0 +1,10 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Postfix MTA-STS resolver daemon
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart=/usr/local/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
|
||||||
|
Restart=always
|
||||||
|
RestartSec=30
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
@@ -0,0 +1,13 @@
|
|||||||
|
host: 127.0.0.1
|
||||||
|
port: 8461
|
||||||
|
reuse_port: true
|
||||||
|
shutdown_timeout: 20
|
||||||
|
cache:
|
||||||
|
type: internal
|
||||||
|
options:
|
||||||
|
cache_size: 10000
|
||||||
|
proactive_policy_fetching:
|
||||||
|
enabled: true
|
||||||
|
default_zone:
|
||||||
|
strict_testing: false
|
||||||
|
timeout: 4
|
||||||
@@ -1,5 +1,6 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
: ${CHATMAIL_DOMAIN:=c1.testrun.org}
|
: ${CHATMAIL_DOMAIN:=c1.testrun.org}
|
||||||
|
: ${CHATMAIL_SERVER:=$CHATMAIL_DOMAIN}
|
||||||
: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
|
: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
@@ -8,13 +9,22 @@ EMAIL="root@$CHATMAIL_DOMAIN"
|
|||||||
ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
|
ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
|
$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_SERVER.
|
||||||
$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
|
$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_SERVER -all"
|
||||||
_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
|
_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
|
||||||
_submission._tcp.$CHATMAIL_DOMAIN. SRV 0 1 587 $CHATMAIL_DOMAIN.
|
_submission._tcp.$CHATMAIL_SERVER. SRV 0 1 587 $CHATMAIL_SERVER.
|
||||||
_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
|
_submissions._tcp.$CHATMAIL_SERVER. SRV 0 1 465 $CHATMAIL_SERVER.
|
||||||
_imap._tcp.$CHATMAIL_DOMAIN. SRV 0 1 143 $CHATMAIL_DOMAIN.
|
_imap._tcp.$CHATMAIL_SERVER. SRV 0 1 143 $CHATMAIL_SERVER.
|
||||||
_imaps._tcp.$CHATMAIL_DOMAIN. SRV 0 1 993 $CHATMAIL_DOMAIN.
|
_imaps._tcp.$CHATMAIL_SERVER. SRV 0 1 993 $CHATMAIL_SERVER.
|
||||||
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
|
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
|
||||||
|
_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
|
||||||
|
mta-sts.$CHATMAIL_SERVER. IN CNAME $CHATMAIL_SERVER.
|
||||||
|
_smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
|
||||||
EOF
|
EOF
|
||||||
|
if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then
|
||||||
|
cat <<EOF
|
||||||
|
mta-sts.$CHATMAIL_DOMAIN. IN CNAME mta-sts.$CHATMAIL_SERVER.
|
||||||
|
_smtp._tls.$CHATMAIL_DOMAIN. IN CNAME _smtp._tls.$CHATMAIL_SERVER.
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
|
$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
|
||||||
|
|||||||
Reference in New Issue
Block a user