From be6b4f87350ae44de04947356a5f9f9836c152b0 Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Thu, 17 Dec 2020 14:33:04 +0100
Subject: [PATCH] Setup MTA-STS in testing mode

https://tools.ietf.org/html/rfc8461
---
 playbooks/mail.archlinux.org.yml        |  2 ++
 roles/mta_sts/defaults/main.yml         |  1 +
 roles/mta_sts/tasks/main.yml            | 11 +++++++
 roles/mta_sts/templates/nginx.d.conf.j2 | 38 +++++++++++++++++++++++++
 tf-stage1/archlinux.tf                  | 16 +++++++++++
 5 files changed, 68 insertions(+)
 create mode 100644 roles/mta_sts/defaults/main.yml
 create mode 100644 roles/mta_sts/tasks/main.yml
 create mode 100644 roles/mta_sts/templates/nginx.d.conf.j2

diff --git a/playbooks/mail.archlinux.org.yml b/playbooks/mail.archlinux.org.yml
index f06f7ab0f..70272765d 100644
--- a/playbooks/mail.archlinux.org.yml
+++ b/playbooks/mail.archlinux.org.yml
@@ -8,6 +8,8 @@
     - { role: root_ssh }
     - { role: borg_client, tags: ['borg'] }
     - { role: certbot }
+    - { role: nginx }
+    - { role: mta_sts }
     - { role: postfix, postfix_server: true, postfix_smtpd_public: true, tags: ['mail'] }
     - { role: dovecot }
     - { role: rspamd, tags: ["mail"] }
diff --git a/roles/mta_sts/defaults/main.yml b/roles/mta_sts/defaults/main.yml
new file mode 100644
index 000000000..4ec5575a8
--- /dev/null
+++ b/roles/mta_sts/defaults/main.yml
@@ -0,0 +1 @@
+mta_sts_domain: mta-sts.archlinux.org
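Review bot: The new defaults file starts directly with `mta_sts_domain:` and has no `---` document-start marker, whereas `roles/mta_sts/tasks/main.yml` in this same patch begins with one; add `---` as the first line so the two files of the role follow the same convention. The variable also carries no explanation of what it controls, even though the tasks and the nginx template hang the certificate path, log directory and `server_name` off it. A comment such as `# Hostname that serves the MTA-STS policy over HTTPS (RFC 8461); it needs its own valid certificate` would make the role's contract clear to whoever reuses it.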
diff --git a/roles/mta_sts/tasks/main.yml b/roles/mta_sts/tasks/main.yml
new file mode 100644
index 000000000..26dca3eac
--- /dev/null
+++ b/roles/mta_sts/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
+
+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
+
+- name: set up nginx
+  template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
+  notify: reload nginx
+  tags: ['nginx']
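Review bot: The `set up nginx` task writes the config with `mode=644` while the `make nginx log dir` task two lines above uses `mode=0755`; in the inline `key=value` form the value arrives as a string and Ansible still parses it as octal, but the missing leading zero is exactly what ansible-lint's risky-octal check flags and it would silently become decimal 644 if someone converts the task to block YAML. Write `mode=0644` for consistency with the other task. All three tasks use the free-form `key=value` argument style; the repository's convention is not visible here, but native block YAML arguments (`template:` with `src:`, `dest:`, `owner:`, `group:`, `mode: "0644"` keys) would avoid the quoting questions the certbot `command:` line already runs into with `'{{ mta_sts_domain }}'` and `creates=`.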
diff --git a/roles/mta_sts/templates/nginx.d.conf.j2 b/roles/mta_sts/templates/nginx.d.conf.j2
new file mode 100644
index 000000000..894a56f53
--- /dev/null
+++ b/roles/mta_sts/templates/nginx.d.conf.j2
@@ -0,0 +1,38 @@
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ mta_sts_domain }};
+
+    access_log   /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ mta_sts_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ mta_sts_domain }};
+
+    access_log   /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ mta_sts_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
+
+    location /.well-known/mta-sts.txt {
+        default_type text/plain;
+        return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
+    }
+
+    location / {
+        access_log off;
+        return 404;
+    }
+}
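Review bot: `location /.well-known/mta-sts.txt` is a prefix match, so any path that merely starts with that string (for example `/.well-known/mta-sts.txt.bak`) is also answered with the policy and a 200 instead of falling through to the 404 catch-all below it; use an exact match, `location = /.well-known/mta-sts.txt {`. The policy body on the `return 200` line hard-codes `mode: testing`, `max_age: 604800` and `mx: mail.archlinux.org`, and RFC 8461 requires the `id` in the `_mta-sts` TXT record to change whenever that body changes, which is easy to forget because the record lives in `tf-stage1/archlinux.tf` rather than in this template. A Jinja comment at the top of the `location` block, `{# Any edit to the policy below requires a new id in the _mta-sts TXT record (tf-stage1/archlinux.tf) #}`, would tie the two together. The `ssl_trusted_certificate` directive suggests OCSP stapling is intended but no `ssl_stapling` is visible here; presumably it is set globally, worth confirming.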
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index e8cfc7536..b3ebb51ec 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -613,6 +613,22 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
   type    = "AAAA"
 }
 
+resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "mta-sts"
+  value   = "mail"
+  type    = "CNAME"
+}
+
+resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = "_mta-sts"
+  ttl     = 600
+  # date +%s
+  value = "\"v=STSv1; id=1608210175\""
+  type  = "TXT"
+}
+
 resource "hetznerdns_record" "archlinux_org_origin_mx" {
   for_each = toset(["@", "aur", "master-key"])
 
-- 
GitLab