From d0404b4ed36e373b85fd27b033634b896a73354c Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Tue, 28 Jan 2020 17:40:02 +0000 Subject: [PATCH] Publish MTA-STS policy for mail domains --- cookbooks/exim/recipes/default.rb | 29 ++++++++++++++++++ .../exim/templates/default/apache-mta-sts.erb | 30 +++++++++++++++++++ cookbooks/exim/templates/default/mta-sts.erb | 4 +++ roles/mail.rb | 5 ---- 4 files changed, 63 insertions(+), 5 deletions(-) create mode 100644 cookbooks/exim/templates/default/apache-mta-sts.erb create mode 100644 cookbooks/exim/templates/default/mta-sts.erb diff --git a/cookbooks/exim/recipes/default.rb b/cookbooks/exim/recipes/default.rb index 94133183a..b250045d2 100644 --- a/cookbooks/exim/recipes/default.rb +++ b/cookbooks/exim/recipes/default.rb @@ -76,6 +76,35 @@ if node[:exim][:smarthost_name] search(:node, "exim_smarthost_via:#{node[:exim][:smarthost_name]}\\:*").each do |host| relay_from_hosts |= host.ipaddresses(:role => :external) end + + domains = node[:exim][:local_domains].reject { |d| ["localhost", "@", "noreply.openstreetmap.org"].any?(d) } + primary_domain = domains.first + + directory "/srv/mta-sts.#{primary_domain}" do + owner "root" + group "root" + mode 0o755 + end + + domains.each do |domain| + template "/srv/mta-sts.#{primary_domain}/#{domain}.txt" do + source "mta-sts.erb" + owner "root" + group "root" + mode 0o644 + variables :domain => domain + end + end + + ssl_certificate "mta-sts.#{primary_domain}" do + domains domains.collect { |d| "mta-sts.#{d}" } + notifies :reload, "service[apache2]" + end + + apache_site "mta-sts.#{primary_domain}" do + template "apache-mta-sts.erb" + variables :domains => domains + end end file "/etc/exim4/blocked-senders" do diff --git a/cookbooks/exim/templates/default/apache-mta-sts.erb b/cookbooks/exim/templates/default/apache-mta-sts.erb new file mode 100644 index 000000000..794a52aab --- /dev/null +++ b/cookbooks/exim/templates/default/apache-mta-sts.erb @@ -0,0 +1,30 @@ +# DO NOT EDIT - This file is being maintained by Chef + + + ServerName <%= @name %> +<% @domains.drop(1).each do |domain| -%> + ServerAlias mta-sts.<%= domain %> +<% end -%> + ServerAdmin webmaster@openstreetmap.org + + CustomLog /var/log/apache2/<%= @name %>-access.log combined + ErrorLog /var/log/apache2/<%= @name %>-error.log + + RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + +<% @domains.each do |domain| -%> + + + ServerName mta-sts.<%= domain %> + ServerAdmin webmaster@openstreetmap.org + + SSLEngine on + SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem + SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key + + CustomLog /var/log/apache2/<%= @name %>-access.log combined + ErrorLog /var/log/apache2/<%= @name %>-error.log + + Alias /.well-known/mta-sts.txt <%= @directory %>/<%= domain %>.txt + +<% end -%> diff --git a/cookbooks/exim/templates/default/mta-sts.erb b/cookbooks/exim/templates/default/mta-sts.erb new file mode 100644 index 000000000..cd365519a --- /dev/null +++ b/cookbooks/exim/templates/default/mta-sts.erb @@ -0,0 +1,4 @@ +version: STSv1 +mode: testing +mx: *.mx.<%= @domain %> +max_age: 31536000 diff --git a/roles/mail.rb b/roles/mail.rb index 288eb22d3..8df80ee50 100644 --- a/roles/mail.rb +++ b/roles/mail.rb @@ -34,11 +34,6 @@ default_attributes( :domains => ["otrs.openstreetmap.org"], :host => "ridley.ucl.openstreetmap.org" }, - :tickets => { - :comment => "tickets.openstreetmap.org", - :domains => ["tickets.openstreetmap.org"], - :host => "ridley.ucl.openstreetmap.org" - }, :join => { :comment => "join.osmfoundation.org", :domains => ["join.osmfoundation.org"], -- 2.39.5