Commit d11c92cc authored by Kristian Klausen's avatar Kristian Klausen 🎉

Setup MTA-STS for remaining mail domains

https://tools.ietf.org/html/rfc8461
parent 0fdd8a6e
mta_sts_domain: mta-sts.archlinux.org
mta_sts:
- mx:
- mail.archlinux.org
domains:
- archlinux.org
- aur.archlinux.org
- master-key.archlinux.org
- mx:
- luna.archlinux.org
domains:
- lists.archlinux.org
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mta_sts_domain }}' creates='/etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem'
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
loop: "{{ mta_sts }}"
- name: make nginx log dir
file: path=/var/log/nginx/{{ mta_sts_domain }} state=directory owner=root group=root mode=0755
file: path=/var/log/nginx/{{ "mta-sts." + item.domains | first }} state=directory owner=root group=root mode=0755
loop: "{{ mta_sts }}"
- name: set up nginx
template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/mta-sts.conf" owner=root group=root mode=644
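Review bot: The `creates=` guard on the new certbot task keys the whole certificate on the first domain of each `mta_sts` entry, so appending a domain to an existing `domains` list later will never re-run certbot and nginx keeps serving a certificate that lacks the new `mta-sts.<domain>` SAN; RFC 8461 policy fetches over HTTPS then fail certificate validation for that host. Either drop `creates=` in favour of certbot's own idempotency (`--cert-name '{{ "mta-sts." + item.domains | first }}' --expand`), or document the limitation above the task: `# creates= is keyed on the first domain only; re-run certbot manually after adding a domain to an existing entry`. The same first-domain naming convention is repeated in the nginx log-dir task and the template's `domain` variable, so a comment on the vars file explaining that the first entry of `domains` names the cert and log directory would help the next maintainer. The task list continues past the hunk (the nginx template task's remaining lines are not visible).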
{% for config in mta_sts %}
{% set domain = "mta-sts." + config.domains | first %}
server {
listen 80;
listen [::]:80;
server_name {{ mta_sts_domain }};
server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
access_log /var/log/nginx/{{ domain }}/access.log reduced;
error_log /var/log/nginx/{{ domain }}/error.log;
include snippets/letsencrypt.conf;
......@@ -17,18 +19,18 @@ server {
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ mta_sts_domain }};
server_name mta-sts.{{ config.domains | join(' mta-sts.') }};
access_log /var/log/nginx/{{ mta_sts_domain }}/access.log reduced;
error_log /var/log/nginx/{{ mta_sts_domain }}/error.log;
access_log /var/log/nginx/{{ domain }}/access.log reduced;
error_log /var/log/nginx/{{ domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ mta_sts_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ mta_sts_domain }}/chain.pem;
ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domain }}/chain.pem;
location /.well-known/mta-sts.txt {
default_type text/plain;
return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: mail.archlinux.org\n';
return 200 'version: STSv1\nmode: testing\nmax_age: 604800\nmx: {{ config.mx | join('\\nmx: ')}}\n';
}
location / {
......@@ -36,3 +38,4 @@ server {
return 404;
}
}
{% endfor %}
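Review bot: The policy body on the new `return 200` line still hardcodes `mode: testing` and `max_age: 604800` for every domain, so the loop cannot move one domain to `enforce` without editing the template for all of them. Making them per-entry with defaults keeps today's output identical: `mode: {{ config.mode | default('testing') }}` and `max_age: {{ config.max_age | default(604800) }}`. A comment above the `location /.well-known/mta-sts.txt` block should also state that any change to this text requires bumping the `id=` in the `_mta-sts` DNS TXT record, since RFC 8461 clients only refetch the policy when that id changes; the record lives in the Terraform file, not here. The `server` blocks start and end outside the visible hunks.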
......@@ -614,15 +614,19 @@ resource "hetznerdns_record" "archlinux_org_mail_aaaa" {
}
resource "hetznerdns_record" "archlinux_org_mtasts_cname" {
for_each = toset(["", ".aur", ".master-key", ".lists"])
zone_id = hetznerdns_zone.archlinux.id
name = "mta-sts"
name = "mta-sts${each.value}"
value = "mail"
type = "CNAME"
}
resource "hetznerdns_record" "archlinux_org__mtasts_txt" {
for_each = toset(["", ".aur", ".master-key", ".lists"])
zone_id = hetznerdns_zone.archlinux.id
name = "_mta-sts"
name = "_mta-sts${each.value}"
ttl = 600
# date +%s
value = "\"v=STSv1; id=1608210175\""
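Review bot: The `toset(["", ".aur", ".master-key", ".lists"])` literal is written twice (CNAME and TXT `for_each`) and independently duplicates the domain list kept in the Ansible `mta_sts` vars, so a domain added in one place but not the other gets either a served policy with no `_mta-sts` TXT record (never discovered by senders) or a TXT record pointing at a host with no certificate. Hoist the set once, `locals { mta_sts_subdomains = toset(["", ".aur", ".master-key", ".lists"]) }`, and use `for_each = local.mta_sts_subdomains` in both resources, with a comment naming the Ansible vars file this must stay in sync with. The `id=` value is now shared by four domains; the existing `# date +%s` comment could say explicitly that it must be regenerated whenever the nginx policy text changes.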