From e3331b0f44b1d9c1c513389ad5b6f3b09e51dc16 Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@bec.de>
Date: Sat, 13 Jan 2024 09:37:20 +0100
Subject: [PATCH] feat: Add MTA-STS support for outbound mail (#3592)

* feat: add support for MTA-STS for outgoing mails

* Hook-up mta-sts-daemon into basic process handling test

* fix: Call python script directly

The python3 shebang will run it, which will now meet the expectations of the process testing via pgrep. fail2ban has the same approach.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
---
 CHANGELOG.md                                  |  8 +++--
 Dockerfile                                    |  9 ++++++
 docs/content/config/best-practices/mta-sts.md | 30 +++++++++++++++++++
 docs/content/config/environment.md            |  9 ++++++
 docs/mkdocs.yml                               |  3 +-
 mailserver.env                                |  6 ++++
 target/mta-sts-daemon/mta-sts-daemon.yml      |  7 +++++
 target/scripts/build/packages.sh              |  2 +-
 target/scripts/start-mailserver.sh            |  5 ++++
 target/scripts/startup/daemons-stack.sh       |  1 +
 target/scripts/startup/setup.d/mail_state.sh  |  2 ++
 target/scripts/startup/setup.d/mta-sts.sh     |  7 +++++
 target/supervisor/conf.d/supervisor-app.conf  | 12 ++++++++
 .../process_check_restart.bats                |  4 +++
 14 files changed, 101 insertions(+), 4 deletions(-)
 create mode 100644 docs/content/config/best-practices/mta-sts.md
 create mode 100644 target/mta-sts-daemon/mta-sts-daemon.yml
 create mode 100644 target/scripts/startup/setup.d/mta-sts.sh

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e3881941..df9c6987 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,10 +8,14 @@ All notable changes to this project will be documented in this file. The format
 
 ### Features
 
-  - **Authentication with OIDC / OAuth 2.0** 🎉
-    - DMS now supports authentication via OAuth2 (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_) from capable services (_like Roundcube_).
+- **Authentication with OIDC / OAuth 2.0** 🎉
+  - DMS now supports authentication via OAuth2 (_via `XOAUTH2` or `OAUTHBEARER` SASL mechanisms_) from capable services (_like Roundcube_).
     - This does not replace the need for an `ACCOUNT_PROVISIONER` (`FILE` / `LDAP`), which is required for an account to receive or send mail.
     - Successful authentication (_via Dovecot PassDB_) still requires an existing account (_lookup via Dovecot UserDB_).
+- **MTA-STS** (_Optional support for mandatory outgoing TLS encryption_)
+  - If enabled and the outbound recipient has an MTA-STS policy set, TLS is mandatory for delivering to that recipient.
+    - Enable via the ENV `ENABLE_MTA_STS=1`
+    - Supported by major email service providers like Gmail, Yahoo and Outlook.
 
 ### Updates
 
diff --git a/Dockerfile b/Dockerfile
index 2118622d..e822632a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -199,6 +199,15 @@ COPY target/opendmarc/opendmarc.conf /etc/opendmarc.conf
 COPY target/opendmarc/default-opendmarc /etc/default/opendmarc
 COPY target/opendmarc/ignore.hosts /etc/opendmarc/ignore.hosts
 
+# --------------------------------------------------
+# --- postfix-mta-sts-daemon -----------------------
+# --------------------------------------------------
+COPY target/mta-sts-daemon/mta-sts-daemon.yml /etc/mta-sts-daemon.yml
+RUN <<EOF
+  mkdir /var/run/mta-sts
+  chown -R _mta-sts:root /var/run/mta-sts
+EOF
+
 # --------------------------------------------------
 # --- Fetchmail, Getmail, Postfix & Let'sEncrypt ---
 # --------------------------------------------------
diff --git a/docs/content/config/best-practices/mta-sts.md b/docs/content/config/best-practices/mta-sts.md
new file mode 100644
index 00000000..1aebbdc5
--- /dev/null
+++ b/docs/content/config/best-practices/mta-sts.md
@@ -0,0 +1,30 @@
+---
+title: 'Best practices | MTA-STS'
+hide:
+  - toc # Hide Table of Contents for this page
+---
+
+MTA-STS is an optional mechanism for a domain to signal support for STARTTLS.
+
+- It can be used to prevent man-in-the-middle-attacks from hiding STARTTLS support that would force DMS to send outbound mail through an insecure connection.
+- MTA-STS is an alternative to DANE without the need of DNSSEC.
+- MTA-STS is supported by some of the biggest mail providers like Google Mail and Outlook.
+
+## Supporting MTA-STS for outbound mail
+
+Enable this feature via the ENV setting [`ENABLE_MTA_STS=1`](../environment.md#enable_mta_sts).
+
+!!! warning "If you have configured DANE"
+
+    Enabling MTA-STS will by default override DANE if both are configured for a domain.
+
+    This can be partially addressed by configuring a dane-only policy resolver before the MTA-STS entry in `smtp_tls_policy_maps`. See the [`postfix-mta-sts-resolver` documentation][postfix-mta-sts-resolver::dane] for further details.
+
+[postfix-mta-sts-resolver::dane]: https://github.com/Snawoot/postfix-mta-sts-resolver#warning-mta-sts-policy-overrides-dane-tls-authentication
+
+## Supporting MTA-STS for inbound mail
+
+While this feature in DMS supports ensuring STARTTLS is used when mail is sent to another mail server, you may setup similar for mail servers sending mail to DMS.
+
+This requires configuring your DNS and hosting the MTA-STS policy file via a webserver. A good introduction can be found on [dmarcian.com](https://dmarcian.com/mta-sts/).
+
diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 61e604aa..7ae96fcd 100644
--- a/docs/content/config/environment.md
+++ b/docs/content/config/environment.md
@@ -116,6 +116,15 @@ This enables DNS block lists in _Postscreen_. If you want to know which lists we
 - **0** => DNS block lists are disabled
 - 1     => DNS block lists are enabled
 
+##### ENABLE_MTA_STS
+
+Enables MTA-STS support for outbound mail.
+
+- **0** => Disabled
+- 1 => Enabled
+
+See [MTA-STS](best-practices/mta-sts.md) for further explanation.
+
 ##### ENABLE_OPENDKIM
 
 Enables the OpenDKIM service.
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index 7df1acbe..aaaaf51b 100644
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -122,8 +122,9 @@ nav:
     - 'Environment Variables': config/environment.md
     - 'User Management': config/user-management.md
     - 'Best Practices':
-      - 'DKIM, DMARC & SPF': config/best-practices/dkim_dmarc_spf.md
       - 'Auto-discovery': config/best-practices/autodiscover.md
+      - 'DKIM, DMARC & SPF': config/best-practices/dkim_dmarc_spf.md
+      - 'MTA-STS': config/best-practices/mta-sts.md
     - 'Security':
       - 'Understanding the Ports': config/security/understanding-the-ports.md
       - 'SSL/TLS': config/security/ssl.md
diff --git a/mailserver.env b/mailserver.env
index c9793a99..49bc2cca 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -354,6 +354,12 @@ POSTFIX_REJECT_UNKNOWN_CLIENT_HOSTNAME=0
 # Note: More details at http://www.postfix.org/postconf.5.html#inet_protocols
 POSTFIX_INET_PROTOCOLS=all
 
+# Enables MTA-STS support for outbound mail.
+# More details: https://docker-mailserver.github.io/docker-mailserver/latest/config/advanced/mail-mta-sts/
+# - **0** ==> MTA-STS disabled
+# - 1 => MTA-STS enabled
+ENABLE_MTA_STS=0
+
 # Choose TCP/IP protocols for dovecot to use
 # **all** => Listen on all interfaces
 # ipv4 => Listen only on IPv4 interfaces. Most likely you want this behind Docker.
diff --git a/target/mta-sts-daemon/mta-sts-daemon.yml b/target/mta-sts-daemon/mta-sts-daemon.yml
new file mode 100644
index 00000000..4d5d5e55
--- /dev/null
+++ b/target/mta-sts-daemon/mta-sts-daemon.yml
@@ -0,0 +1,7 @@
+# Docs: https://github.com/Snawoot/postfix-mta-sts-resolver/blob/master/man/mta-sts-daemon.yml.5.adoc
+path: /var/run/mta-sts/daemon.sock
+mode: 0666
+cache:
+  type: sqlite
+  options:
+    filename: "/var/lib/mta-sts/cache.db"
diff --git a/target/scripts/build/packages.sh b/target/scripts/build/packages.sh
index e3607f48..e57cfe07 100644
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
@@ -68,7 +68,7 @@ function _install_packages() {
   )
 
   POSTFIX_PACKAGES=(
-    pflogsumm postgrey postfix-ldap
+    pflogsumm postgrey postfix-ldap postfix-mta-sts-resolver
     postfix-pcre postfix-policyd-spf-python postsrsd
   )
 
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index 1f352229..56dfa1fb 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -120,6 +120,11 @@ function _register_functions() {
   _register_setup_function '_setup_apply_fixes_after_configuration'
   _register_setup_function '_environment_variables_export'
 
+  if [[ ${ENABLE_MTA_STS} -eq 1 ]]; then
+    _register_setup_function '_setup_mta_sts'
+    _register_start_daemon '_start_daemon_mta_sts_daemon'
+  fi
+
   # ? >> Daemons
 
   _register_start_daemon '_start_daemon_cron'
diff --git a/target/scripts/startup/daemons-stack.sh b/target/scripts/startup/daemons-stack.sh
index 5476fc9f..a4cecf67 100644
--- a/target/scripts/startup/daemons-stack.sh
+++ b/target/scripts/startup/daemons-stack.sh
@@ -38,6 +38,7 @@ function _start_daemon_opendkim       { _default_start_daemon 'opendkim'       ;
 function _start_daemon_opendmarc      { _default_start_daemon 'opendmarc'      ; }
 function _start_daemon_postgrey       { _default_start_daemon 'postgrey'       ; }
 function _start_daemon_postsrsd       { _default_start_daemon 'postsrsd'       ; }
+function _start_daemon_mta_sts_daemon { _default_start_daemon 'mta-sts-daemon' ; }
 function _start_daemon_rspamd         { _default_start_daemon 'rspamd'         ; }
 function _start_daemon_rspamd_redis   { _default_start_daemon 'rspamd-redis'   ; }
 function _start_daemon_rsyslog        { _default_start_daemon 'rsyslog'        ; }
diff --git a/target/scripts/startup/setup.d/mail_state.sh b/target/scripts/startup/setup.d/mail_state.sh
index 73c2515b..9963bbcc 100644
--- a/target/scripts/startup/setup.d/mail_state.sh
+++ b/target/scripts/startup/setup.d/mail_state.sh
@@ -24,6 +24,7 @@ function _setup_save_states() {
     [[ ${ENABLE_FAIL2BAN}     -eq 1 ]] && SERVICEDIRS+=('lib/fail2ban')
     [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && SERVICEDIRS+=('lib/fetchmail')
     [[ ${ENABLE_GETMAIL}      -eq 1 ]] && SERVICEDIRS+=('lib/getmail')
+    [[ ${ENABLE_MTA_STS}      -eq 1 ]] && SERVICEDIRS+=('lib/mta-sts')
     [[ ${ENABLE_POSTGREY}     -eq 1 ]] && SERVICEDIRS+=('lib/postgrey')
     [[ ${ENABLE_RSPAMD}       -eq 1 ]] && SERVICEDIRS+=('lib/rspamd')
     [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && SERVICEDIRS+=('lib/redis')
@@ -84,6 +85,7 @@ function _setup_save_states() {
     [[ ${ENABLE_AMAVIS}       -eq 1 ]] && chown -R amavis:amavis             "${STATEDIR}/lib-amavis"
     [[ ${ENABLE_CLAMAV}       -eq 1 ]] && chown -R clamav:clamav             "${STATEDIR}/lib-clamav"
     [[ ${ENABLE_FETCHMAIL}    -eq 1 ]] && chown -R fetchmail:nogroup         "${STATEDIR}/lib-fetchmail"
+    [[ ${ENABLE_MTA_STS}      -eq 1 ]] && chown -R _mta-sts:_mta-sts         "${STATEDIR}/lib-mta-sts"
     [[ ${ENABLE_POSTGREY}     -eq 1 ]] && chown -R postgrey:postgrey         "${STATEDIR}/lib-postgrey"
     [[ ${ENABLE_RSPAMD}       -eq 1 ]] && chown -R _rspamd:_rspamd           "${STATEDIR}/lib-rspamd"
     [[ ${ENABLE_RSPAMD_REDIS} -eq 1 ]] && chown -R redis:redis               "${STATEDIR}/lib-redis"
diff --git a/target/scripts/startup/setup.d/mta-sts.sh b/target/scripts/startup/setup.d/mta-sts.sh
new file mode 100644
index 00000000..7d1f88ea
--- /dev/null
+++ b/target/scripts/startup/setup.d/mta-sts.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+
+function _setup_mta_sts() {
+  _log 'trace' 'Adding MTA-STS lookup to the Postfix TLS policy map'
+  _add_to_or_update_postfix_main smtp_tls_policy_maps 'socketmap:unix:/var/run/mta-sts/daemon.sock:postfix'
+}
diff --git a/target/supervisor/conf.d/supervisor-app.conf b/target/supervisor/conf.d/supervisor-app.conf
index 431357d8..d64d3d72 100644
--- a/target/supervisor/conf.d/supervisor-app.conf
+++ b/target/supervisor/conf.d/supervisor-app.conf
@@ -157,3 +157,15 @@ autostart=false
 stdout_logfile=/var/log/supervisor/%(program_name)s.log
 stderr_logfile=/var/log/supervisor/%(program_name)s.log
 command=/bin/bash -l -c /usr/local/bin/update-check.sh
+
+# Docs: https://github.com/Snawoot/postfix-mta-sts-resolver/blob/master/man/mta-sts-daemon.1.adoc
+[program:mta-sts-daemon]
+startsecs=0
+stopwaitsecs=55
+autostart=false
+autorestart=true
+stdout_logfile=/var/log/supervisor/%(program_name)s.log
+stderr_logfile=/var/log/supervisor/%(program_name)s.log
+command=/usr/bin/mta-sts-daemon --config /etc/mta-sts-daemon.yml
+user=_mta-sts
+environment=HOME=/var/lib/mta-sts
diff --git a/test/tests/parallel/set3/container_configuration/process_check_restart.bats b/test/tests/parallel/set3/container_configuration/process_check_restart.bats
index b559d21d..4b01454e 100644
--- a/test/tests/parallel/set3/container_configuration/process_check_restart.bats
+++ b/test/tests/parallel/set3/container_configuration/process_check_restart.bats
@@ -21,6 +21,7 @@ function teardown() { _default_teardown ; }
 # dovecot (/usr/sbin/dovecot)
 # fetchmail (/usr/bin/fetchmail)
 # fail2ban-server (/usr/bin/python3 /usr/bin/fail2ban-server) - Started by fail2ban-wrapper.sh
+# mta-sts-daemon (/usr/bin/bin/python3 /usr/bin/mta-sts-daemon)
 # postgrey (postgrey) - NOTE: This process lacks path information to match with `--full` in pgrep / pkill
 # postsrsd (/usr/sbin/postsrsd) - NOTE: Also matches the wrapper: `/bin/bash /usr/local/bin/postsrsd-wrapper.sh`
 # saslauthd (/usr/sbin/saslauthd) - x5 of the same process are found running (1 is a parent of 4)
@@ -44,6 +45,7 @@ ENV_PROCESS_LIST=(
   dovecot
   fail2ban-server
   fetchmail
+  mta-sts-daemon
   opendkim
   opendmarc
   postgrey
@@ -58,6 +60,7 @@ ENV_PROCESS_LIST=(
     --env ENABLE_CLAMAV=0
     --env ENABLE_FAIL2BAN=0
     --env ENABLE_FETCHMAIL=0
+    --env ENABLE_MTA_STS=0
     --env ENABLE_OPENDKIM=0
     --env ENABLE_OPENDMARC=0
     --env ENABLE_POSTGREY=0
@@ -93,6 +96,7 @@ ENV_PROCESS_LIST=(
     --env ENABLE_AMAVIS=1
     --env ENABLE_FAIL2BAN=1
     --env ENABLE_FETCHMAIL=1
+    --env ENABLE_MTA_STS=1
     --env ENABLE_OPENDKIM=1
     --env ENABLE_OPENDMARC=1
     --env FETCHMAIL_PARALLEL=1