Publish MTA-STS policy for mail domains

diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb
index 94133183a5ee06760e2632e278e5cbcc419118db..b250045d2d8fa9ee9a901baf912f08779da76aae 100644 (file)
--- a/cookbooks/exim/recipes/default.rb
+++ b/cookbooks/exim/recipes/default.rb
@@ -76,6 +76,35 @@ if node[:exim][:smarthost_name]
   search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host|
     relay_from_hosts |= host.ipaddresses(:role => :external)
   end
+
+  domains = node[:exim][:local_domains].reject { |d| ["localhost", "@", "noreply.openstreetmap.org"].any?(d) }
+  primary_domain = domains.first
+
+  directory "/srv/mta-sts.#{primary_domain}" do
+    owner "root"
+    group "root"
+    mode 0o755
+  end
+
+  domains.each do |domain|
+    template "/srv/mta-sts.#{primary_domain}/#{domain}.txt" do
+      source "mta-sts.erb"
+      owner "root"
+      group "root"
+      mode 0o644
+      variables :domain => domain
+    end
+  end
+
+  ssl_certificate "mta-sts.#{primary_domain}" do
+    domains domains.collect { |d| "mta-sts.#{d}" }
+    notifies :reload, "service[apache2]"
+  end
+
+  apache_site "mta-sts.#{primary_domain}" do
+    template "apache-mta-sts.erb"
+    variables :domains => domains
+  end
 end
 
 file "/etc/exim4/blocked-senders" do

diff --git a/cookbooks/exim/templates/default/apache-mta-sts.erb b/cookbooks/exim/templates/default/apache-mta-sts.erb
new file mode 100644 (file)
index 0000000..794a52a
--- /dev/null
+++ b/cookbooks/exim/templates/default/apache-mta-sts.erb
@@ -0,0 +1,30 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:80>
+  ServerName <%= @name %>
+<% @domains.drop(1).each do |domain| -%>
+  ServerAlias mta-sts.<%= domain %>
+<% end -%>
+  ServerAdmin webmaster@openstreetmap.org
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+</VirtualHost>
+<% @domains.each do |domain| -%>
+
+<VirtualHost *:443>
+  ServerName mta-sts.<%= domain %>
+  ServerAdmin webmaster@openstreetmap.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  Alias /.well-known/mta-sts.txt <%= @directory %>/<%= domain %>.txt
+</VirtualHost>
+<% end -%>

diff --git a/cookbooks/exim/templates/default/mta-sts.erb b/cookbooks/exim/templates/default/mta-sts.erb
new file mode 100644 (file)
index 0000000..cd36551
--- /dev/null
+++ b/cookbooks/exim/templates/default/mta-sts.erb
@@ -0,0 +1,4 @@
+version: STSv1
+mode: testing
+mx: *.mx.<%= @domain %>
+max_age: 31536000

diff --git a/roles/mail.rb b/roles/mail.rb
index 288eb22d39d86bc7f628852b9ad790de442f441e..8df80ee50a0b38b086fd63d206751a6faff812c9 100644 (file)
--- a/roles/mail.rb
+++ b/roles/mail.rb
@@ -34,11 +34,6 @@ default_attributes(
         :domains => ["otrs.openstreetmap.org"],
         :host => "ridley.ucl.openstreetmap.org"
       },
-      :tickets => {
-        :comment => "tickets.openstreetmap.org",
-        :domains => ["tickets.openstreetmap.org"],
-        :host => "ridley.ucl.openstreetmap.org"
-      },
       :join => {
         :comment => "join.osmfoundation.org",
         :domains => ["join.osmfoundation.org"],