From bd0de692664cd608bedac7dc2bd7b113df82989c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 10 Jul 2022 12:19:09 +0200
Subject: surtr: mta-sts & dane

---
 hosts/surtr/dns/zones/email.bouncy.soa | 11 +++++++---
 hosts/surtr/email/default.nix | 37 ++++++++++++++++++++++++++--------
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/hosts/surtr/dns/zones/email.bouncy.soa b/hosts/surtr/dns/zones/email.bouncy.soa
index 271a061e..e69c4eb4 100644
--- a/hosts/surtr/dns/zones/email.bouncy.soa
+++ b/hosts/surtr/dns/zones/email.bouncy.soa
@@ -1,7 +1,7 @@
 $ORIGIN bouncy.email.
 $TTL 3600
 @ IN SOA ns.yggdrasil.li. root.yggdrasil.li. (
- 2022071000 ; serial
+ 2022071001 ; serial
 10800 ; refresh
 3600 ; retry
 604800 ; expire
@@ -13,7 +13,7 @@ $TTL 3600
 IN NS ns3.inwx.eu.
 @ IN CAA 128 issue "letsencrypt.org; validationmethods=dns-01"
-@ IN CAA 128 iodef "mailto:caa@yggdrasil.li"
+@ IN CAA 128 iodef "mailto:hostmaster@bouncy.email"
 @ IN A 202.61.241.61
 @ IN AAAA 2a03:4000:52:ada::
@@ -21,7 +21,7 @@ $TTL 3600
 @ IN TXT "v=spf1 a:mailout.bouncy.email -all"
 surtr._domainkey IN CNAME surtr._domainkey.yggdrasil.li.
-_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@yggdrasil.li;ruf=mailto:postmaster@yggdrasil.li"
+_dmarc IN TXT "v=DMARC1;p=reject;sp=reject;pct=100;adkim=s;aspf=s;rua=mailto:postmaster@bouncy.email;ruf=mailto:postmaster@bouncy.email"
 _acme-challenge IN NS ns.yggdrasil.li.
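Review bot: The iodef contact on the CAA record now lives inside the domain it reports on, so a CA's notice about a bouncy.email certificate problem is delivered through bouncy.email's own MX (mailin, whose DANE records this same commit publishes); the `_dmarc` rua/ruf change in the -21 hunk has the same dependency. That is fine if hostmaster@ and postmaster@ are real, monitored mailboxes, but nothing in the zone records the trade-off, and an outage of mailin would silently drop exactly the reports that would explain it. A zone comment such as `; iodef and _dmarc rua/ruf are in-domain: if mailin stops accepting mail, CA and DMARC reports are lost too` next to the CAA record would make that explicit for the next editor.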
@@ -41,6 +41,11 @@ mailin IN MX 0 mailin.bouncy.email.
 mailin IN TXT "v=spf1 redirect=bouncy.email"
 _acme-challenge.mailin IN NS ns.yggdrasil.li.
+_25._tcp.mailin IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
+_25._tcp.mailin IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
+_25._tcp.mailin IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
+_25._tcp.mailin IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
+
 mailsub IN A 202.61.241.61
 mailsub IN AAAA 2a03:4000:52:ada::
 mailsub IN MX 0 mailin.bouncy.email.
diff --git a/hosts/surtr/email/default.nix b/hosts/surtr/email/default.nix
index e3437a6b..357ee668 100644
--- a/hosts/surtr/email/default.nix
+++ b/hosts/surtr/email/default.nix
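Review bot: The four TLSA records carry bare digests with no indication of which key each one is, so nobody reading the zone later can tell which record is stale or when a rotation makes one obsolete; with usage 2, selector 1, matching 1 these are SHA-256 hashes of a trust-anchor SubjectPublicKeyInfo, presumably the issuer's intermediate keys given the CAA record in this zone limits issuance to letsencrypt.org. DANE-TA also only works if the zone is DNSSEC-signed and if the MTA on mailin presents the matching intermediate in its TLS chain on 25/tcp, and neither of those is visible in this commit. Annotating each record, e.g. `; DANE-TA (2 1 1): SHA-256 of the SPKI of <issuer intermediate name>; rotate when the issuer rotates intermediates`, and one comment above the group stating the chain requirement, would make the maintenance contract explicit.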
@@ -640,15 +640,35 @@ in {
 };
 }) spmDomains) // {
 "mta-sts.bouncy.email" = {
- locations."/".root = pkgs.runCommand "mta-sts" {} ''
- mkdir -p $out/.well-known
- cp ${pkgs.writeText "mta-sts.txt" ''
- version: STSv1
- mode: testing
- mx: mailin.bouncy.email
- max_age: 604800
- ''} $out/.well-known/mta-sts.txt
+ forceSSL = true;
+ sslCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/mta-sts.bouncy.email.key.pem";
+ sslTrustedCertificate = "/run/credentials/nginx.service/mta-sts.bouncy.email.chain.pem";
+
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ add_header Access-Control-Allow-Origin '*';
+ add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+ add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
+ add_header Access-Control-Max-Age 7200;
 '';
+
+ locations."/" = {
+ extraConfig = ''
+ charset utf-8;
+ source_charset utf-8;
+ '';
+ root = pkgs.runCommand "mta-sts" {} ''
+ mkdir -p $out/.well-known
+ cp ${pkgs.writeText "mta-sts.txt" ''
+ version: STSv1
+ mode: testing
+ mx: mailin.bouncy.email
+ max_age: 604800
+ ''} $out/.well-known/mta-sts.txt
+ '';
+ };
 };
 };
 };
@@ -659,6 +679,7 @@ in {
 ]) spmDomains ++ [
 "mta-sts.bouncy.email.key.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/key.pem"
 "mta-sts.bouncy.email.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/fullchain.pem"
+ "mta-sts.bouncy.email.chain.pem:${config.security.acme.certs."mta-sts.bouncy.email".directory}/chain.pem"
 ];
 systemd.services.spm = {
-- 
cgit v1.2.3
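Review bot: The CORS block added to the server-level extraConfig is unnecessary on an MTA-STS policy host and over-broad for a static file: MTA-STS clients fetch `/.well-known/mta-sts.txt` with a plain HTTPS GET and do not honour CORS, while the new lines advertise POST, PUT, DELETE and an Authorization header that nothing on this vhost handles. Drop the four `Access-Control-*` lines, or if a browser-based policy checker is meant to read the file, keep only `add_header Access-Control-Allow-Origin '*';`. Separately, nginx `add_header` is not additive across scopes: the new `locations."/"` block inherits the HSTS header only because it defines no add_header of its own, so a comment there such as `# nginx: any add_header in this location replaces the server-level HSTS header; re-add it here if one is ever needed` would prevent a silent HSTS loss later. The enclosing attribute set begins before this hunk.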