feat: add support for MTA-STS for outgoing mails

2023-10-21 02:40:35 +02:00 · 2023-10-21 02:40:35 +02:00 · 09b9a535d9
parent 811a769845
commit 09b9a535d9
8 changed files with 66 additions and 1 deletions
--- a/docs/content/config/advanced/mail-mta-sts.md
+++ b/docs/content/config/advanced/mail-mta-sts.md
@ -0,0 +1,27 @@
+---
+title: 'Advanced | MTA-STS'
+---
+
+MTA-STS is an optional mechanism for a domain to signal support for
+STARTTLS. It can be used to prevent man-in-the-middle-attacks hiding the
+feature to force mail servers to send outgoing emails as plain text.
+MTA-STS is an alternative to DANE without the need of DNSSEC.
+
+MTA-STS is supported by some of the biggest mail providers like Google Mail
+and Outlook.
+
+## Supporting MTA-STS for outgoing mails
+
+This is enabled by setting `ENABLE_MTA_STS=1` [](../environment.md#enable_mta_sts)
+in the environment.
+
+!!! warning
+
+    MTA-STS will by default override DANE if both are in used by a domain.
+    This can be partially addressed by configuring a dane-only policy resolver
+    before the MTA-STS entry in smtp_tls_policy_maps. See [the postfix-mta-sts-resolver documentation](https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication)
+    for further details.
+
+## Supporting MTA-STS for incoming mails
+
+A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@ -108,6 +108,15 @@ This enables DNS block lists in _Postscreen_. If you want to know which lists we
 - **0** => DNS block lists are disabled
 - 1     => DNS block lists are enabled

+##### ENABLE_MTA_STS
+
+Enables MTA-STS for outgoing mails.
+
+- **0** => Disabled
+- 1 => Enabled
+
+See [MTA-STS](advanced/mail-mta-sts.md) for further explanation.
+
 ##### ENABLE_OPENDKIM

 Enables the OpenDKIM service.
--- a/mailserver.env
+++ b/mailserver.env
@ -346,6 +346,13 @@ POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all

+# If enabled, STARTTLS support is enforced for outgoing mails to domains
+# with MTA-STS records like Google Mail.
+# This can prevent man-in-the-middle that hide the STARTTLS feature.
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
 # Choose TCP/IP protocols for dovecot to use
 # **all** => Listen on all interfaces
 # ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@ -68,7 +68,7 @@ function _install_packages() {
  )

  POSTFIX_PACKAGES=(
-    pflogsumm postgrey postfix-ldap
+    pflogsumm postgrey postfix-ldap postfix-mta-sts-resolver
    postfix-pcre postfix-policyd-spf-python postsrsd
  )

--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@ -113,6 +113,11 @@ function _register_functions() {
  _register_setup_function '_setup_apply_fixes_after_configuration'
  _register_setup_function '_environment_variables_export'

+  if [[ ${ENABLE_MTA_STS} -eq 1 ]]; then
+    _register_setup_function '_setup_mta_sts'
+    _register_start_daemon '_start_daemon_mta_sts_daemon'
+  fi
+
  # ? >> Daemons

  _register_start_daemon '_start_daemon_cron'
--- a/target/scripts/startup/daemons-stack.sh
+++ b/target/scripts/startup/daemons-stack.sh
@ -38,6 +38,7 @@ function _start_daemon_opendkim       { _default_start_daemon 'opendkim'       ;
 function _start_daemon_opendmarc      { _default_start_daemon 'opendmarc'      ; }
 function _start_daemon_postgrey       { _default_start_daemon 'postgrey'       ; }
 function _start_daemon_postsrsd       { _default_start_daemon 'postsrsd'       ; }
+function _start_daemon_mta_sts_daemon { _default_start_daemon 'mta-sts-daemon' ; }
 function _start_daemon_rspamd         { _default_start_daemon 'rspamd'         ; }
 function _start_daemon_rspamd_redis   { _default_start_daemon 'rspamd-redis'   ; }
 function _start_daemon_rsyslog        { _default_start_daemon 'rsyslog'        ; }
--- a/target/scripts/startup/setup.d/mta_sts.sh
+++ b/target/scripts/startup/setup.d/mta_sts.sh
@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Set up MTA-STS
+
+function _setup_mta_sts() {
+  _log 'trace' 'Adding MTA-STS lookup to the Postfix TLS policy map'
+  postconf 'smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix'
+}
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
@ -157,3 +157,11 @@ autostart=false
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/bin/bash -l -c /usr/local/bin/update-check.sh
+
+[program:mta-sts-daemon]
+startsecs=0
+stopwaitsecs=55
+autostart=false
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/bin/python3 /usr/bin/mta-sts-daemon --config /etc/mta-sts-daemon.yml