mirror of
https://github.com/chatmail/relay.git
synced 2026-05-15 10:24:40 +00:00
Compare commits
4 Commits
support-se
...
hpk/fix_ac
| Author | SHA1 | Date | |
|---|---|---|---|
|
9061cbbb4a | ||
|
|
e27ec22465 | ||
|
|
073f567292 | ||
|
|
d74f3dfeda |
@@ -25,8 +25,8 @@ def _install_chatmaild() -> None:
|
|||||||
)
|
)
|
||||||
|
|
||||||
apt.packages(
|
apt.packages(
|
||||||
name="apt install python3-aiosmtpd python3-pip python3-venv",
|
name="apt install python3-aiosmtpd",
|
||||||
packages=["python3-aiosmtpd", "python3-pip", "python3-venv"],
|
packages=["python3-aiosmtpd", "python3-pip"],
|
||||||
)
|
)
|
||||||
|
|
||||||
# --no-deps because aiosmtplib is installed with `apt`.
|
# --no-deps because aiosmtplib is installed with `apt`.
|
||||||
@@ -133,44 +133,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
|
|||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
def _install_mta_sts_daemon() -> bool:
|
|
||||||
need_restart = False
|
|
||||||
|
|
||||||
config = files.put(
|
|
||||||
name="upload postfix-mta-sts-resolver config",
|
|
||||||
src=importlib.resources.files(__package__).joinpath(
|
|
||||||
"postfix/mta-sts-daemon.yml"
|
|
||||||
),
|
|
||||||
dest="/etc/mta-sts-daemon.yml",
|
|
||||||
user="root",
|
|
||||||
group="root",
|
|
||||||
mode="644",
|
|
||||||
)
|
|
||||||
need_restart |= config.changed
|
|
||||||
|
|
||||||
server.shell(
|
|
||||||
name="install postfix-mta-sts-resolver with pip",
|
|
||||||
commands=[
|
|
||||||
"python3 -m venv /usr/local/lib/postfix-mta-sts-resolver",
|
|
||||||
"/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
|
|
||||||
],
|
|
||||||
)
|
|
||||||
|
|
||||||
systemd_unit = files.put(
|
|
||||||
name="upload mta-sts-daemon systemd unit",
|
|
||||||
src=importlib.resources.files(__package__).joinpath(
|
|
||||||
"postfix/mta-sts-daemon.service"
|
|
||||||
),
|
|
||||||
dest="/etc/systemd/system/mta-sts-daemon.service",
|
|
||||||
user="root",
|
|
||||||
group="root",
|
|
||||||
mode="644",
|
|
||||||
)
|
|
||||||
need_restart |= systemd_unit.changed
|
|
||||||
|
|
||||||
return need_restart
|
|
||||||
|
|
||||||
|
|
||||||
def _configure_postfix(domain: str, debug: bool = False) -> bool:
|
def _configure_postfix(domain: str, debug: bool = False) -> bool:
|
||||||
"""Configures Postfix SMTP server."""
|
"""Configures Postfix SMTP server."""
|
||||||
need_restart = False
|
need_restart = False
|
||||||
@@ -245,7 +207,7 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
|
|||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
def _configure_nginx(domain: str, mail_server: str) -> bool:
|
def _configure_nginx(domain: str, debug: bool = False) -> bool:
|
||||||
"""Configures nginx HTTP server."""
|
"""Configures nginx HTTP server."""
|
||||||
need_restart = False
|
need_restart = False
|
||||||
|
|
||||||
@@ -269,16 +231,6 @@ def _configure_nginx(domain: str, mail_server: str) -> bool:
|
|||||||
)
|
)
|
||||||
need_restart |= autoconfig.changed
|
need_restart |= autoconfig.changed
|
||||||
|
|
||||||
mta_sts_config = files.template(
|
|
||||||
src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
|
|
||||||
dest="/var/www/html/.well-known/mta-sts.txt",
|
|
||||||
user="root",
|
|
||||||
group="root",
|
|
||||||
mode="644",
|
|
||||||
config={"mail_server": mail_server},
|
|
||||||
)
|
|
||||||
need_restart |= mta_sts_config.changed
|
|
||||||
|
|
||||||
return need_restart
|
return need_restart
|
||||||
|
|
||||||
|
|
||||||
@@ -303,7 +255,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
)
|
)
|
||||||
|
|
||||||
# Deploy acmetool to have TLS certificates.
|
# Deploy acmetool to have TLS certificates.
|
||||||
deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
|
deploy_acmetool(nginx_hook=True, domains=[mail_server])
|
||||||
|
|
||||||
apt.packages(
|
apt.packages(
|
||||||
name="Install Postfix",
|
name="Install Postfix",
|
||||||
@@ -333,8 +285,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
|
dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
|
||||||
postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
|
postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
|
||||||
opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
|
opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
|
||||||
nginx_need_restart = _configure_nginx(mail_domain, mail_server)
|
nginx_need_restart = _configure_nginx(mail_domain)
|
||||||
mta_sts_need_restart = _install_mta_sts_daemon()
|
|
||||||
|
|
||||||
# deploy web pages and info if we have them
|
# deploy web pages and info if we have them
|
||||||
pkg_root = importlib.resources.files(__package__)
|
pkg_root = importlib.resources.files(__package__)
|
||||||
@@ -350,15 +301,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
|||||||
restarted=opendkim_need_restart,
|
restarted=opendkim_need_restart,
|
||||||
)
|
)
|
||||||
|
|
||||||
systemd.service(
|
|
||||||
name="Start and enable MTA-STS daemon",
|
|
||||||
service="mta-sts-daemon.service",
|
|
||||||
daemon_reload=True,
|
|
||||||
running=True,
|
|
||||||
enabled=True,
|
|
||||||
restarted=mta_sts_need_restart,
|
|
||||||
)
|
|
||||||
|
|
||||||
systemd.service(
|
systemd.service(
|
||||||
name="Start and enable Postfix",
|
name="Start and enable Postfix",
|
||||||
service="postfix.service",
|
service="postfix.service",
|
||||||
|
|||||||
@@ -46,7 +46,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
|
|||||||
mode="644",
|
mode="644",
|
||||||
)
|
)
|
||||||
|
|
||||||
server.shell(
|
for domain in domains:
|
||||||
name=f"Request certificate for: { ', '.join(domains) }",
|
server.shell(
|
||||||
commands=[f"acmetool want { ' '.join(domains)}"],
|
name=f"Request certificate for {domain}",
|
||||||
)
|
commands=[f"acmetool want {domain}"],
|
||||||
|
)
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
version: STSv1
|
|
||||||
mode: enforce
|
|
||||||
mx: {{ config.mail_server }}
|
|
||||||
max_age: 2419200
|
|
||||||
@@ -20,6 +20,8 @@ http {
|
|||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
||||||
|
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
||||||
|
|
||||||
gzip on;
|
gzip on;
|
||||||
|
|
||||||
@@ -28,8 +30,6 @@ http {
|
|||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
listen 443 ssl default_server;
|
listen 443 ssl default_server;
|
||||||
listen [::]:443 ssl default_server;
|
listen [::]:443 ssl default_server;
|
||||||
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
|
||||||
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
|
||||||
|
|
||||||
root /var/www/html;
|
root /var/www/html;
|
||||||
|
|
||||||
@@ -37,28 +37,6 @@ http {
|
|||||||
|
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
location / {
|
|
||||||
# First attempt to serve request as file, then
|
|
||||||
# as directory, then fall back to displaying a 404.
|
|
||||||
try_files $uri $uri/ =404;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
|
|
||||||
root /var/www/html;
|
|
||||||
|
|
||||||
index index.html index.htm;
|
|
||||||
|
|
||||||
server_name mta-sts.{{ config.domain_name }};
|
|
||||||
|
|
||||||
ssl_certificate /var/lib/acme/live/mta-sts.{{ config.domain_name }}/fullchain;
|
|
||||||
ssl_certificate_key /var/lib/acme/live/mta-sts.{{ config.domain_name }}/privkey;
|
|
||||||
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# First attempt to serve request as file, then
|
# First attempt to serve request as file, then
|
||||||
# as directory, then fall back to displaying a 404.
|
# as directory, then fall back to displaying a 404.
|
||||||
|
|||||||
@@ -23,7 +23,6 @@ smtpd_tls_security_level=may
|
|||||||
smtp_tls_CApath=/etc/ssl/certs
|
smtp_tls_CApath=/etc/ssl/certs
|
||||||
smtp_tls_security_level=may
|
smtp_tls_security_level=may
|
||||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||||
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
|
|
||||||
|
|
||||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||||
myhostname = {{ config.domain_name }}
|
myhostname = {{ config.domain_name }}
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=Postfix MTA-STS resolver daemon
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/local/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
|
|
||||||
Restart=always
|
|
||||||
RestartSec=30
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
host: 127.0.0.1
|
|
||||||
port: 8461
|
|
||||||
reuse_port: true
|
|
||||||
shutdown_timeout: 20
|
|
||||||
cache:
|
|
||||||
type: internal
|
|
||||||
options:
|
|
||||||
cache_size: 10000
|
|
||||||
proactive_policy_fetching:
|
|
||||||
enabled: true
|
|
||||||
default_zone:
|
|
||||||
strict_testing: false
|
|
||||||
timeout: 4
|
|
||||||
@@ -1,6 +1,5 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
: ${CHATMAIL_DOMAIN:=c1.testrun.org}
|
: ${CHATMAIL_DOMAIN:=c1.testrun.org}
|
||||||
: ${CHATMAIL_SERVER:=$CHATMAIL_DOMAIN}
|
|
||||||
: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
|
: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
@@ -9,22 +8,13 @@ EMAIL="root@$CHATMAIL_DOMAIN"
|
|||||||
ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
|
ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
|
||||||
|
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_SERVER.
|
$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
|
||||||
$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_SERVER -all"
|
$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
|
||||||
_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
|
_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
|
||||||
_submission._tcp.$CHATMAIL_SERVER. SRV 0 1 587 $CHATMAIL_SERVER.
|
_submission._tcp.$CHATMAIL_DOMAIN. SRV 0 1 587 $CHATMAIL_DOMAIN.
|
||||||
_submissions._tcp.$CHATMAIL_SERVER. SRV 0 1 465 $CHATMAIL_SERVER.
|
_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
|
||||||
_imap._tcp.$CHATMAIL_SERVER. SRV 0 1 143 $CHATMAIL_SERVER.
|
_imap._tcp.$CHATMAIL_DOMAIN. SRV 0 1 143 $CHATMAIL_DOMAIN.
|
||||||
_imaps._tcp.$CHATMAIL_SERVER. SRV 0 1 993 $CHATMAIL_SERVER.
|
_imaps._tcp.$CHATMAIL_DOMAIN. SRV 0 1 993 $CHATMAIL_DOMAIN.
|
||||||
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
|
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
|
||||||
_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
|
|
||||||
mta-sts.$CHATMAIL_SERVER. IN CNAME $CHATMAIL_SERVER.
|
|
||||||
_smtp._tls.$CHATMAIL_SERVER. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
|
|
||||||
EOF
|
EOF
|
||||||
if [ "$CHATMAIL_DOMAIN" != "$CHATMAIL_SERVER" ]; then
|
|
||||||
cat <<EOF
|
|
||||||
mta-sts.$CHATMAIL_DOMAIN. IN CNAME mta-sts.$CHATMAIL_SERVER.
|
|
||||||
_smtp._tls.$CHATMAIL_DOMAIN. IN CNAME _smtp._tls.$CHATMAIL_SERVER.
|
|
||||||
EOF
|
|
||||||
fi
|
|
||||||
$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
|
$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
|
||||||
|
|||||||
Reference in New Issue
Block a user