mail-in-a-box · ctrl-i · Apr 11, 2019 · Apr 11, 2019 · Apr 12, 2019 · Apr 12, 2019
diff --git a/conf/nginx-alldomains.conf b/conf/nginx-alldomains.conf
@@ -19,6 +19,10 @@
 		alias /var/lib/mailinabox/mozilla-autoconfig.xml;
 	}
 
+	location = /.well-known/mta-sts.txt {
+		alias /var/lib/mailinabox/mta-sts.txt;
+	}
+
 	# Roundcube Webmail configuration.
 	rewrite ^/mail$ /mail/ redirect;
 	rewrite ^/mail/$ /mail/index.php;

diff --git a/management/dns_update.py b/management/dns_update.py
@@ -228,6 +228,10 @@ def has_rec(qname, rtype, prefix=None):
 	defaults = [
 		(None,  "A",    env["PUBLIC_IP"],       "Required. May have a different value. Sets the IP address that %s resolves to for web hosting and other services besides mail. The A record must be present but its value does not affect mail delivery." % domain),
 		(None,  "AAAA", env.get('PUBLIC_IPV6'), "Optional. Sets the IPv6 address that %s resolves to, e.g. for web hosting. (It is not necessary for receiving mail on this domain.)" % domain),
+		("mta-sts",  "A", env["PUBLIC_IP"], "Optional. For MTA-STS verification."),
+		("mta-sts",  "AAAA", env.get('PUBLIC_IPV6'), "Optional. For MTA-STS verification."),
+		("_mta-sts", "TXT", "v=STSv1;id=%sZ;" % datetime.datetime.now().strftime("%Y%m%d%H%M%S"), "Optional. This is used for MTA-STS verification and is only necessary if the MTA-STS A and AAAA records are set.  For MTA-STS to function correctly this record must be set with the A and AAAA records."),
+		("_smtp._tls", "TXT", "v=TLSRPTv1; rua=mailto:postmaster@%s" % domain, "Optional. This is used for MTA-STS verification and is only necessary if the MTA-STS A and AAAA records are set.  Furthermore this is not compulsory for MTA-STS to function, enabling this record will result in receiving an emailed report from each mail server that has interacted with your mail server.")
 	]
 	if "www." + domain in www_redirect_domains:
 		defaults += [

diff --git a/management/status_checks.py b/management/status_checks.py
@@ -29,6 +29,7 @@ def get_services():
 		{ "name": "OpenDKIM", "port": 8891, "public": False, },
 		{ "name": "OpenDMARC", "port": 8893, "public": False, },
 		{ "name": "Mail-in-a-Box Management Daemon", "port": 10222, "public": False, },
+		{ "name": "MTA-STS (SMTP Mail Transfer Agent Strict Transport Security)", "port": 8461, "public": False, },
 		{ "name": "SSH Login (ssh)", "port": get_ssh_port(), "public": True, },
 		{ "name": "Public DNS (nsd4)", "port": 53, "public": True, },
 		{ "name": "Incoming Mail (SMTP/postfix)", "port": 25, "public": True, },

diff --git a/management/web_update.py b/management/web_update.py
@@ -23,7 +23,10 @@ def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True)
 		# to the main domain for. We'll add 'www.' to any DNS zones, i.e.
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
-
+
+	# add the required subdomains for MTA-STS
+	domains |= set('mta-sts.' + zone for zone in get_mail_domains(env))
+
 	if exclude_dns_elsewhere:
 		# ...Unless the domain has an A/AAAA record that maps it to a different
 		# IP address than this box. Remove those domains from our list.

diff --git a/setup/mail-postfix.sh b/setup/mail-postfix.sh
@@ -102,7 +102,7 @@ tools/editconf.py /etc/postfix/master.cf -s -w \
 # Install the `outgoing_mail_header_filters` file required by the new 'authclean' service.
 cp conf/postfix_outgoing_mail_header_filters /etc/postfix/outgoing_mail_header_filters
 
-# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip 
+# Modify the `outgoing_mail_header_filters` file to use the local machine name and ip
 # on the first received header line.  This may help reduce the spam score of email by
 # removing the 127.0.0.1 reference.
 sed -i "s/PRIMARY_HOSTNAME/$PRIMARY_HOSTNAME/" /etc/postfix/outgoing_mail_header_filters
@@ -215,6 +215,88 @@ tools/editconf.py /etc/default/postgrey \
 tools/editconf.py /etc/postfix/main.cf \
 	message_size_limit=134217728
 
+# ### MTA-STS - SMTP Mail Transfer Agent Strict Transport Security - SETUP
+# See: https://github.com/mail-in-a-box/mailinabox/pull/1556
+#
+# create the MTA-STS policy; this is used to announce the local MTA-STS
+# policy to senders and the file is served by nginx on mta-sts subdomains at
+# https://example.com/.well-known/mta-sts.txt
+mkdir -p /var/lib/mailinabox/
+cat > /var/lib/mailinabox/mta-sts.txt << EOF
+version: STSv1
+mode: enforce
+mx: $PRIMARY_HOSTNAME
+max_age: 10368000
+EOF
+chmod a+r /var/lib/mailinabox/mta-sts.txt
+
+# install the postfix MTA-STS resolver.  the MTA-STS resolver service is
+# used by Postfix to ensure outgoing mail uses TLS when the recipient
+# announces MTA-STS.
+hide_output /usr/bin/pip3 install postfix-mta-sts-resolver
+# add a user to use solely for MTA-STS resolution
+id -u mta-sts &>/dev/null || useradd -c "Daemon for MTA-STS policy checks" mta-sts -s /usr/sbin/nologin
+# create systemd services for MTA-STS
+cat > /etc/systemd/system/[email protected] << EOF
+[Unit]
+Description=Postfix MTA STS daemon instance
+After=syslog.target network.target
+
+[Service]
+Type=notify
+User=mta-sts
+Group=mta-sts
+ExecStart=/usr/local/bin/mta-sts-daemon
+Restart=always
+KillMode=process
+TimeoutStartSec=10
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/postfix-mta-sts.service << EOF
+[Unit]
+Description=Postfix MTA STS daemon
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/systemctl start [email protected]
+ExecReload=/bin/systemctl start [email protected] ; /bin/systemctl restart [email protected] ; /bin/systemctl stop [email protected]
+ExecStop=/bin/systemctl stop [email protected]
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# configure the MTA-STS daemon for postfix
+cat > /etc/postfix/mta-sts-daemon.yml << EOF
+host: 127.0.0.1
+port: 8461
+cache:
+  type: internal
+  options:
+    cache_size: 10000
+default_zone:
+  strict_testing: true
+  timeout: 4
+zones:
+  myzone:
+    strict_testing: false
+    timeout: 4
+EOF
+
+# add postfix configuration
+tools/editconf.py /etc/postfix/main.cf \
+	smtp_tls_policy_maps=socketmap:inet:127.0.0.1:8461:postfix
+
+# enable and start the MTA-STS service
+hide_output /bin/systemctl enable postfix-mta-sts.service
+hide_output /bin/systemctl start postfix-mta-sts.service
+
 # Allow the two SMTP ports in the firewall.
 
 ufw_allow smtp