added mta-sts-resolver into postfix config + daemon

data/Dockerfiles/postfix/Dockerfile

@@ -34,11 +34,15 @@ RUN groupadd -g 102 postfix \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
   	tzdata \
+	python3-pip \
 	&& rm -rf /var/lib/apt/lists/* \
 	&& touch /etc/default/locale \
   && printf '#!/bin/bash\n/usr/sbin/postconf -c /opt/postfix/conf "$@"' > /usr/local/sbin/postconf \
   && chmod +x /usr/local/sbin/postconf
 
+# New for MTA-STS Resolver Daemon
+RUN python3 -m pip install postfix-mta-sts-resolver[redis] uvloop --break-system-packages
+
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
 COPY syslog-ng-redis_slave.conf /etc/syslog-ng/syslog-ng-redis_slave.conf

data/Dockerfiles/postfix/postfix.sh

@@ -3,6 +3,7 @@
 trap "postfix stop" EXIT
 
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
+[[ ! -d /opt/postfix/conf/mta-sts-resolver/ ]] && mkdir -p /opt/postfix/conf/mta-sts-resolver/
 
 # Wait for MySQL to warm-up
 while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
@@ -503,6 +504,33 @@ if [[ ! -f /opt/postfix/conf/custom_postscreen_whitelist.cidr ]]; then
 EOF
 fi
 
+cat <<EOF > /opt/postfix/conf/mta-sts-resolver/daemon.yml
+# Autogenerated by mailcow | DO NOT TOUCH!
+host: 127.0.0.1
+port: 8461
+reuse_port: true
+shutdown_timeout: 20
+cache:
+  type: redis
+  options:
+    url: "redis://redis/1" # Use seperate Redis Database for mta-sts keys
+    max_connections: 25
+    socket_timeout: 1.0
+    socket_connect_timeout: 1.0
+    password: ${REDISPASS}
+proactive_policy_fetching:
+  enabled: true
+  interval: 86400
+default_zone:
+  strict_testing: false
+  timeout: 4
+  tlsrpt: false # TODO for Postfix Deb 13
+zones:
+  myzone:
+    strict_testing: false
+    timeout: 4
+EOF
+
 # Fix Postfix permissions
 chown -R root:postfix /opt/postfix/conf/sql/ /opt/postfix/conf/custom_transport.pcre
 chmod 640 /opt/postfix/conf/sql/*.cf /opt/postfix/conf/custom_transport.pcre
@@ -524,4 +552,4 @@ if [[ $? != 0 ]]; then
 else
   postfix -c /opt/postfix/conf start
   sleep 126144000
-fi
+fi

data/Dockerfiles/postfix/supervisord.conf

@@ -11,6 +11,15 @@ stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 autostart=true
 
+[program:postfix-mta-sts-resolver]
+startsecs=10
+autorestart=true
+command=/usr/local/bin/mta-sts-daemon -c /opt/postfix/conf/mta-sts-resolver/daemon.yml
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
 [program:postfix]
 command=/opt/postfix.sh
 stdout_logfile=/dev/stdout

data/conf/postfix/main.cf

@@ -152,7 +152,7 @@ smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
 smtp_sasl_security_options =
 smtp_sasl_mechanism_filter = plain, login
-smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
+smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf socketmap:inet:127.0.0.1:8461:postfix
 smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre
 mail_name = Postcow
 # local_transport map catches local destinations and prevents routing local dests when the next map would route "*"

docker-compose.yml

@@ -338,7 +338,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: ghcr.io/mailcow/postfix:1.80
+      image: ghcr.io/mailcow/postfix:1.81
       depends_on:
         mysql-mailcow:
           condition: service_started