postfix: add integration of a MTA-STS resolver daemon

bb2f681a · Lars Beckers · f936e1d1 · bb2f681a · bb2f681a · bb2f681a
Commit bb2f681a authored 5 years ago by Lars Beckers
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -43,6 +43,9 @@ postfix_transport_maps: []
 #    protocol: smtp
 #    use_mx: true
+# Note: This requires at least buster-backports or newer.
+postfix_enable_mta_sts: false
 postfix_my_networks: []
 postfix_notify_classes: []
 postfix_satellite_only: false

--- a/postfix/files/mta-sts-daemon.yml
+++ b/postfix/files/mta-sts-daemon.yml
+---
+path: "/var/spool/postfix/mta-sts/mta-sts.sock"
+# yamllint disable-line rule:octal-values
+mode: 0666
+# host: 127.0.0.1
+# port: 8461
+reuse_port: true
+cache_grace: 60
+shutdown_timeout: 5
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+# zones:
+#   myzone:
+#     strict_testing: false
+#     timeout: 4
--- a/postfix/files/mta-sts-override.conf
+++ b/postfix/files/mta-sts-override.conf
+[Service]
+ReadWritePaths=/var/spool/postfix/mta-sts
--- a/postfix/files/mta-sts-tmpfiles.conf
+++ b/postfix/files/mta-sts-tmpfiles.conf
+d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -
--- a/postfix/handlers/main.yml
+++ b/postfix/handlers/main.yml
 ---
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+- name: reload systemd service files
+  systemd: daemon_reload=true
 - name: restart postfix
  service: name=postfix state=restarted
 - name: restart memcached
  service: name=memcached state=restarted
+- name: restart mta-sts resolver
+  service: name=postfix-mta-sts-resolver state=restarted
 - name: postmap system
  command: postalias cdb:/etc/aliases

--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -78,6 +78,8 @@
    - postfix
    - mail
+- import_tasks: mta-sts.yml
 - name: install rt-mailgate if needed
  apt:
    name: rt4-clients

--- a/postfix/tasks/mta-sts.yml
+++ b/postfix/tasks/mta-sts.yml
+---
+- name: ensure we got the MTA-STS resolver software installed
+  apt:
+    state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
+    name: postfix-mta-sts-resolver
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
+  copy:
+    src: mta-sts-tmpfiles.conf
+    dest: /etc/tmpfiles.d/mta-sts.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - create tmpfiles
+    - restart mta-sts resolver
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
+  file:
+    state: directory
+    path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    owner: root
+    group: root
+    mode: '0755'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
+  copy:
+    src: mta-sts-override.conf
+    dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+- name: ensure MTA-STS resolver overrides are deconfigured when disabled
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    - /etc/tmpfiles.d/mta-sts.conf
+  when: not postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+- name: ensure the MTA-STS resolver is configured
+  copy:
+    src: mta-sts-daemon.yml
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - restart mta-sts resolver
+- name: ensure the MTA-STS resolver is up and running
+  service:
+    name: postfix-mta-sts-resolver
+    enabled: "{{ postfix_enable_mta_sts|string }}"
+    state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -55,6 +55,9 @@ smtpd_tls_cert_file = {{ postfix_tls_cert }}
 smtpd_tls_key_file = {{ postfix_tls_key }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+{% if postfix_enable_mta_sts %}
+smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
+{% endif %}
 {% if not postfix_satellite_only %}
 smtpd_tls_protocols = {{ postfix_tls_protocols }}
 smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}