Merge pull request #111 from wietse-postfix/tlsrpt

Snawoot · web-flow · commit 097319fe6fab · 2025-02-03T23:17:58.000+02:00
Minimal support for TLSRPT in Postfix 3.10 and later
diff --git a/config_examples/mta-sts-daemon.yml.internal b/config_examples/mta-sts-daemon.yml.internal
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: internal
   options:
diff --git a/config_examples/mta-sts-daemon.yml.postgres b/config_examples/mta-sts-daemon.yml.postgres
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: postgres
   options:
diff --git a/config_examples/mta-sts-daemon.yml.redis b/config_examples/mta-sts-daemon.yml.redis
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: redis
   options:
diff --git a/config_examples/mta-sts-daemon.yml.redis_sentinel b/config_examples/mta-sts-daemon.yml.redis_sentinel
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: redis_sentinel
   options:
diff --git a/config_examples/mta-sts-daemon.yml.sqlite b/config_examples/mta-sts-daemon.yml.sqlite
@@ -2,6 +2,7 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: sqlite
   options:
diff --git a/config_examples/mta-sts-daemon.yml.sqlite_unixsock b/config_examples/mta-sts-daemon.yml.sqlite_unixsock
@@ -1,6 +1,7 @@
 path: "/var/run/mta-sts.sock"
 mode: 0666
 shutdown_timeout: 20
+# tlsrpt: true
 cache:
   type: sqlite
   options:
diff --git a/man/mta-sts-daemon.yml.5.adoc b/man/mta-sts-daemon.yml.5.adoc
@@ -30,6 +30,8 @@ The file is in YAML syntax with the following elements:
 
 *shutdown_timeout*: (_float_) time limit granted to existing client sessions for finishing when server stops. Default: 20
 
+*tlsrpt*: (_bool_) include response attributes for TLSRPT support (Postfix 3.10 and later). Default: false
+
 *cache*::
 
 * *type*: (_str_: _internal_|_sqlite_|_redis_|_redis_sentinel_|postgres) cache backend type. Default: internal
diff --git a/postfix_mta_sts_resolver/defaults.py b/postfix_mta_sts_resolver/defaults.py
@@ -4,6 +4,7 @@
 PORT = 8461
 REUSE_PORT = True
 TIMEOUT = 4
+TLSRPT = False
 SHUTDOWN_TIMEOUT = 20
 STRICT_TESTING = False
 CONFIG_LOCATION = "/etc/mta-sts-daemon.yml"
diff --git a/postfix_mta_sts_resolver/responder.py b/postfix_mta_sts_resolver/responder.py
@@ -33,6 +33,7 @@ def __init__(self, cfg, loop, cache):
             self._port = cfg['port']
         self._reuse_port = cfg['reuse_port']
         self._shutdown_timeout = cfg['shutdown_timeout']
+        self._tlsrpt = cfg['tlsrpt']
         self._grace = cfg['cache_grace']
 
         # Construct configurations and resolvers for every socketmap name
@@ -225,6 +226,8 @@ async def process_request(self, raw_req):
                 resp = "OK secure match=" + ":".join(mxlist)
                 if zone_cfg.require_sni:
                     resp += " servername=hostname"
+                if self._tlsrpt:
+                    resp += " policy_type=sts policy_domain=" + domain
                 return netstring.encode(resp.encode('utf-8'))
         else:
             return netstring.encode(b'NOTFOUND ')
diff --git a/postfix_mta_sts_resolver/utils.py b/postfix_mta_sts_resolver/utils.py
@@ -87,6 +87,7 @@ def populate_cfg_defaults(cfg):
     cfg['reuse_port'] = cfg.get('reuse_port', defaults.REUSE_PORT)
     cfg['shutdown_timeout'] = cfg.get('shutdown_timeout',
                                       defaults.SHUTDOWN_TIMEOUT)
+    cfg['tlsrpt'] = cfg.get('tlsrpt', defaults.TLSRPT)
     cfg['cache_grace'] = cfg.get('cache_grace', defaults.CACHE_GRACE)
 
     if 'proactive_policy_fetching' not in cfg:
