From 976a6f650d983faa3dd36165b10d1a030be33b6d Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Sun, 26 Jan 2020 19:17:13 +0100
Subject: [PATCH 1/4] postfix: enable outgoing tls deliveries

---
 postfix/templates/main.cf.j2 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 6afd5c3..e0185e3 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -47,6 +47,8 @@ smtpd_relay_restrictions =
 	defer_unauth_destination
 
 smtpd_use_tls = yes
+smtp_tls_security_level = may
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = {{ postfix_tls_cert }}
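Review bot: `smtp_tls_CAfile` is hard-coded to the Debian bundle path on the second added line, while the neighbouring `smtpd_tls_cert_file = {{ postfix_tls_cert }}` takes its value from a role variable; `smtp_tls_CAfile = {{ postfix_tls_cafile }}` with a default of `/etc/ssl/certs/ca-certificates.crt` in postfix/defaults/main.yml would keep the two consistent and let non-Debian hosts override the path. With `smtp_tls_security_level = may` the CA bundle only decides whether a peer certificate is logged as Trusted or Untrusted, not whether delivery proceeds, so a one-line comment such as `# opportunistic: unverified TLS is still preferred over cleartext` would stop a reader from assuming outbound verification. As far as I recall a CAfile (unlike a CApath) is read before the smtp client enters its chroot, so this is the right parameter for Debian's chrooted smtp service. `smtp_tls_loglevel = 1` would additionally make the encrypted-or-cleartext outcome of each delivery visible in the logs.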
-- 
GitLab


From 7921b99306cd5545df72e16c856a57e20e6a006e Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Sun, 26 Jan 2020 19:17:45 +0100
Subject: [PATCH 2/4] postfix: sort postscreen access entries

---
 postfix/templates/postscreen_access.cidr.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/postfix/templates/postscreen_access.cidr.j2 b/postfix/templates/postscreen_access.cidr.j2
index fda2bec..e0b48ca 100644
--- a/postfix/templates/postscreen_access.cidr.j2
+++ b/postfix/templates/postscreen_access.cidr.j2
@@ -20,11 +20,11 @@
 {% endif %}
 {% if 'mx' in net %}
 {{ net.mx|comment('plain', prefix='', postfix='') }}
-{% for mx in q('dig', net.mx, 'qtype=MX') %}
-{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=A') %}
+{% for mx in q('dig', net.mx, 'qtype=MX')|sort %}
+{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=A')|sort %}
 {{ addr }}	{{ net.action|default('dunno') }}
 {% endfor %}
-{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=AAAA') %}
+{% for addr in q('dig', mx.split(' ', maxsplit=1)[-1], 'qtype=AAAA')|sort %}
 {{ addr }}	{{ net.action|default('dunno') }}
 {% endfor %}
 {% endfor %}
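Review bot: The `|sort` added to the MX lookup on the first changed line is a plain string sort over `"<prio> <host>"` entries, so `10 mx2` orders before `5 mx1` — the output is now stable, but not in MX-priority order, and nothing states that the ordering is purely cosmetic. Since every emitted line carries the same `{{ net.action|default('dunno') }}` and a CIDR table is first-match, the order has no effect on postscreen's decision; a Jinja comment such as `{# sorted only for deterministic output and clean diffs; order is irrelevant to postscreen here #}` above the outer loop would document that intent. The `{% if 'mx' in net %}` block that contains these loops closes outside the hunk.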
-- 
GitLab


From f936e1d1e005fd24e5814f32ac943068a8fe709e Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Sun, 26 Jan 2020 19:43:04 +0100
Subject: [PATCH 3/4] postfix/dovecot: disable tls-level compression

---
 dovecot/templates/conf.d/10-ssl.conf.j2 | 2 +-
 postfix/templates/main.cf.j2            | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/dovecot/templates/conf.d/10-ssl.conf.j2 b/dovecot/templates/conf.d/10-ssl.conf.j2
index a461620..baa1b40 100644
--- a/dovecot/templates/conf.d/10-ssl.conf.j2
+++ b/dovecot/templates/conf.d/10-ssl.conf.j2
@@ -81,4 +81,4 @@ ssl_prefer_server_ciphers = {{ 'yes' if dovecot_tls_prefer_server_ciphers else '
 
 # SSL extra options. Currently supported options are:
 #   no_compression - Disable compression.
-#ssl_options =
+ssl_options = no_compression
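Review bot: `ssl_options = no_compression` on the changed line carries no rationale, and on OpenSSL builds where TLS compression is compiled out (the case for most current distribution packages) it is a no-op, which invites a future maintainer to drop it as redundant. A comment directly above it, e.g. `# TLS compression leaks plaintext length (CRIME-class attacks); keep disabled regardless of the OpenSSL build.`, records why it should stay. The existing header comment listing `no_compression` as the only supported option suggests an older Dovecot; if the role targets newer releases the list may be out of date and is worth re-checking.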
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index e0185e3..76028f2 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -76,6 +76,7 @@ tls_medium_cipherlist = {{ postfix_tls_medium_cipherlist }}
 {% if postfix_tls_dh_file %}
 smtpd_tls_dh1024_param_file = /etc/postfix/dh.pem
 {% endif %}
+tls_ssl_options = NO_COMPRESSION
 {% endif %}
 
 alias_maps = cdb:/etc/aliases
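Review bot: The new `tls_ssl_options = NO_COMPRESSION` sits inside a Jinja block whose `{% endif %}` is the line right after it and whose opening `{% if %}` is before the hunk; judging from the context shown in the following patch (`{% if not postfix_satellite_only %}` guarding `smtpd_tls_protocols`), this is most likely the satellite-only guard, so satellite hosts — which still deliver outbound mail over TLS after patch 1 — would keep compression enabled. `tls_ssl_options` applies to the smtp client as well as smtpd, so moving the line below the `{% endif %}` makes it unconditional, which appears to be the intent of the commit title. The parameter exists from Postfix 2.11 onward; on older hosts it would only produce an unused-parameter warning.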
-- 
GitLab


From bb2f681a87d7cca620becb832589c7cd0a88168e Mon Sep 17 00:00:00 2001
From: Lars Beckers <lars.beckers@rwth-aachen.de>
Date: Wed, 29 Jan 2020 16:44:58 +0100
Subject: [PATCH 4/4] postfix: add integration of a MTA-STS resolver daemon

---
 postfix/defaults/main.yml           |  3 ++
 postfix/files/mta-sts-daemon.yml    | 20 ++++++++
 postfix/files/mta-sts-override.conf |  2 +
 postfix/files/mta-sts-tmpfiles.conf |  1 +
 postfix/handlers/main.yml           |  9 ++++
 postfix/tasks/main.yml              |  2 +
 postfix/tasks/mta-sts.yml           | 74 +++++++++++++++++++++++++++++
 postfix/templates/main.cf.j2        |  3 ++
 8 files changed, 114 insertions(+)
 create mode 100644 postfix/files/mta-sts-daemon.yml
 create mode 100644 postfix/files/mta-sts-override.conf
 create mode 100644 postfix/files/mta-sts-tmpfiles.conf
 create mode 100644 postfix/tasks/mta-sts.yml

diff --git a/postfix/defaults/main.yml b/postfix/defaults/main.yml
index 7d3cd45..1b8e12d 100644
--- a/postfix/defaults/main.yml
+++ b/postfix/defaults/main.yml
@@ -43,6 +43,9 @@ postfix_transport_maps: []
 #    protocol: smtp
 #    use_mx: true
 
+# Note: This requires at least buster-backports or newer.
+postfix_enable_mta_sts: false
+
 postfix_my_networks: []
 postfix_notify_classes: []
 postfix_satellite_only: false
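Review bot: The comment above `postfix_enable_mta_sts` says backports are required but not for what, which leaves the operator to guess at the package; `# Requires the postfix-mta-sts-resolver package (buster-backports or newer); see tasks/mta-sts.yml.` makes it actionable. It would also be worth stating in the same comment that enabling this makes outbound delivery depend on the resolver socket being available, since that is a new runtime dependency for the mail flow rather than just an extra package.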
diff --git a/postfix/files/mta-sts-daemon.yml b/postfix/files/mta-sts-daemon.yml
new file mode 100644
index 0000000..1e79d6b
--- /dev/null
+++ b/postfix/files/mta-sts-daemon.yml
@@ -0,0 +1,20 @@
+---
+path: "/var/spool/postfix/mta-sts/mta-sts.sock"
+# yamllint disable-line rule:octal-values
+mode: 0666
+# host: 127.0.0.1
+# port: 8461
+reuse_port: true
+cache_grace: 60
+shutdown_timeout: 5
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
+default_zone:
+  strict_testing: false
+  timeout: 4
+# zones:
+#   myzone:
+#     strict_testing: false
+#     timeout: 4
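Review bot: `mode: 0666` makes the socket world-accessible, and the only thing limiting who can reach the resolver is the parent directory created by mta-sts-tmpfiles.conf (`0770 postfix _mta-sts`); that coupling is not recorded in either file, so a comment such as `# world-accessible on purpose: the chrooted Postfix smtp client connects as user postfix; access is gated by the 0770 postfix:_mta-sts directory from tmpfiles` would keep a later change to one file from silently opening the socket to every local user. The exposure is low because the socket only answers read-only policy lookups, but the dependency should be explicit. The existing yamllint disable-line comment could also say that the value is left unquoted deliberately because the daemon presumably expects an integer mode — TODO confirm against the daemon's config loader. Nothing in this series creates `/var/lib/mta-sts` for `cache.db`; if the packaged unit does not provide it (for example via StateDirectory), the daemon will fail to open its cache — worth a note or a task.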
diff --git a/postfix/files/mta-sts-override.conf b/postfix/files/mta-sts-override.conf
new file mode 100644
index 0000000..80ca794
--- /dev/null
+++ b/postfix/files/mta-sts-override.conf
@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/var/spool/postfix/mta-sts
diff --git a/postfix/files/mta-sts-tmpfiles.conf b/postfix/files/mta-sts-tmpfiles.conf
new file mode 100644
index 0000000..919c414
--- /dev/null
+++ b/postfix/files/mta-sts-tmpfiles.conf
@@ -0,0 +1 @@
+d /var/spool/postfix/mta-sts 0770 postfix _mta-sts - -
diff --git a/postfix/handlers/main.yml b/postfix/handlers/main.yml
index 5421edf..3e156d7 100644
--- a/postfix/handlers/main.yml
+++ b/postfix/handlers/main.yml
@@ -1,11 +1,20 @@
 ---
 
+- name: create tmpfiles
+  command: systemd-tmpfiles --create
+
+- name: reload systemd service files
+  systemd: daemon_reload=true
+
 - name: restart postfix
   service: name=postfix state=restarted
 
 - name: restart memcached
   service: name=memcached state=restarted
 
+- name: restart mta-sts resolver
+  service: name=postfix-mta-sts-resolver state=restarted
+
 - name: postmap system
   command: postalias cdb:/etc/aliases
 
diff --git a/postfix/tasks/main.yml b/postfix/tasks/main.yml
index e9a0386..fb14d19 100644
--- a/postfix/tasks/main.yml
+++ b/postfix/tasks/main.yml
@@ -78,6 +78,8 @@
     - postfix
     - mail
 
+- import_tasks: mta-sts.yml
+
 - name: install rt-mailgate if needed
   apt:
     name: rt4-clients
diff --git a/postfix/tasks/mta-sts.yml b/postfix/tasks/mta-sts.yml
new file mode 100644
index 0000000..7f87546
--- /dev/null
+++ b/postfix/tasks/mta-sts.yml
@@ -0,0 +1,74 @@
+---
+
+- name: ensure we got the MTA-STS resolver software installed
+  apt:
+    state: "{{ 'present' if postfix_enable_mta_sts else 'absent' }}"
+    name: postfix-mta-sts-resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (tmpfiles)
+  copy:
+    src: mta-sts-tmpfiles.conf
+    dest: /etc/tmpfiles.d/mta-sts.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - create tmpfiles
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (overrideable)
+  file:
+    state: directory
+    path: /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    owner: root
+    group: root
+    mode: '0755'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+# yamllint disable-line rule:line-length
+- name: ensure the MTA-STS resolver can put its socket somewhere reachable (service)
+  copy:
+    src: mta-sts-override.conf
+    dest: /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+    - restart mta-sts resolver
+
+- name: ensure MTA-STS resolver overrides are deconfigured when disabled
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/rw-paths.conf
+    - /etc/systemd/system/postfix-mta-sts-resolver.service.d/
+    - /etc/tmpfiles.d/mta-sts.conf
+  when: not postfix_enable_mta_sts
+  notify:
+    - reload systemd service files
+
+- name: ensure the MTA-STS resolver is configured
+  copy:
+    src: mta-sts-daemon.yml
+    dest: /etc/mta-sts-daemon.yml
+    owner: root
+    group: root
+    mode: '0644'
+  when: postfix_enable_mta_sts
+  notify:
+    - restart mta-sts resolver
+
+- name: ensure the MTA-STS resolver is up and running
+  service:
+    name: postfix-mta-sts-resolver
+    enabled: "{{ postfix_enable_mta_sts|string }}"
+    state: "{{ 'started' if postfix_enable_mta_sts else 'stopped' }}"
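Review bot: The last task (`ensure the MTA-STS resolver is up and running`) runs unconditionally, but when `postfix_enable_mta_sts` is false the first task has already removed the package and, with it, the unit file, so `service` with `state: stopped` and `enabled: False` will most likely fail with a unit-not-found error instead of leaving the host clean; guard it with `when: postfix_enable_mta_sts` (dpkg stops and disables the unit on removal anyway) or run the stop/disable before the apt removal. The apt task passes no `default_release`, so on a buster host where backports are merely enabled the package will not be selected despite the comment in defaults/main.yml; `default_release: "{{ ansible_distribution_release }}-backports"` on buster, or a note that the operator must pin it, closes that gap. A short header comment in this file naming the runtime coupling would also help: main.cf (patched in this same commit) points `smtp_tls_policy_maps` at the socket these tasks create, so the resolver must be running whenever the flag is on.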
diff --git a/postfix/templates/main.cf.j2 b/postfix/templates/main.cf.j2
index 76028f2..784102c 100644
--- a/postfix/templates/main.cf.j2
+++ b/postfix/templates/main.cf.j2
@@ -55,6 +55,9 @@ smtpd_tls_cert_file = {{ postfix_tls_cert }}
 smtpd_tls_key_file = {{ postfix_tls_key }}
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+{% if postfix_enable_mta_sts %}
+smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix
+{% endif %}
 {% if not postfix_satellite_only %}
 smtpd_tls_protocols = {{ postfix_tls_protocols }}
 smtpd_tls_mandatory_protocols = {{ postfix_tls_protocols }}
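Review bot: `smtp_tls_policy_maps = socketmap:unix:mta-sts/mta-sts.sock:postfix` has no comment explaining that the path is relative to `queue_directory` because Debian's smtp client runs chrooted, nor that a failed lookup (socket missing, resolver down) makes Postfix defer the delivery rather than fall back to the `may` level from patch 1; a comment such as `# path is relative to queue_directory (chrooted smtp client); lookup errors defer mail, so the resolver must stay up` would help an operator reading a backlog of deferred deliveries. The `secure` results the resolver returns for enforced policies are only verifiable because `smtp_tls_CAfile` was added in patch 1, which is worth naming in the same comment. Placing the block before `{% if not postfix_satellite_only %}` is right, since satellites also send outbound mail.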
-- 
GitLab