diff --git a/config_examples/mta-sts-daemon.yml.internal b/config_examples/mta-sts-daemon.yml.internal
index 4e1996dd6c4dcf3471b0d7b46be2bd77a96bc3d0..e4770de155a6bff1d53b580db2af6a9d2ac28c96 100644
--- a/config_examples/mta-sts-daemon.yml.internal
+++ b/config_examples/mta-sts-daemon.yml.internal
@@ -2,7 +2,6 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: internal
   options:
@@ -10,6 +9,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/config_examples/mta-sts-daemon.yml.postgres b/config_examples/mta-sts-daemon.yml.postgres
index 345efa0bdf249534061b5d41cd9ac097bfd382c2..300853f90aa7e3831f72801c4b3095d7d2db4ca7 100644
--- a/config_examples/mta-sts-daemon.yml.postgres
+++ b/config_examples/mta-sts-daemon.yml.postgres
@@ -2,7 +2,6 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: postgres
   options:
@@ -10,6 +9,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/config_examples/mta-sts-daemon.yml.redis b/config_examples/mta-sts-daemon.yml.redis
index 133811c17273cbc4b235e8da7da3adf7efffc097..1a0db8c4d78c3b53a72907ebf698df79a023e161 100644
--- a/config_examples/mta-sts-daemon.yml.redis
+++ b/config_examples/mta-sts-daemon.yml.redis
@@ -2,7 +2,6 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: redis
   options:
@@ -13,6 +12,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/config_examples/mta-sts-daemon.yml.redis_sentinel b/config_examples/mta-sts-daemon.yml.redis_sentinel
index 885ae2ce5050a646f74cafb4b4fb7947f93d057e..c05dc95996f9277f6481766e794c24e705d91c35 100644
--- a/config_examples/mta-sts-daemon.yml.redis_sentinel
+++ b/config_examples/mta-sts-daemon.yml.redis_sentinel
@@ -2,7 +2,6 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: redis_sentinel
   options:
@@ -18,6 +17,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/config_examples/mta-sts-daemon.yml.sqlite b/config_examples/mta-sts-daemon.yml.sqlite
index 3cac32d9aa12ba21e70daafd5a7837f4c93fb694..7d787281db23000b877ee7969c24e7f52ba4dfd5 100644
--- a/config_examples/mta-sts-daemon.yml.sqlite
+++ b/config_examples/mta-sts-daemon.yml.sqlite
@@ -2,7 +2,6 @@ host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: sqlite
   options:
@@ -10,6 +9,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/config_examples/mta-sts-daemon.yml.sqlite_unixsock b/config_examples/mta-sts-daemon.yml.sqlite_unixsock
index 9c60392a267f955364d2341fce72f72b9af32860..51a318826a5e02b9e118722a2260be1622d1fb21 100644
--- a/config_examples/mta-sts-daemon.yml.sqlite_unixsock
+++ b/config_examples/mta-sts-daemon.yml.sqlite_unixsock
@@ -1,7 +1,6 @@
 path: "/var/run/mta-sts.sock"
 mode: 0666
 shutdown_timeout: 20
-# tlsrpt: true
 cache:
   type: sqlite
   options:
@@ -9,6 +8,7 @@ cache:
 default_zone:
   strict_testing: false
   timeout: 4
+  #tlsrpt: true
 zones:
   myzone:
     strict_testing: false
diff --git a/man/mta-sts-daemon.yml.5.adoc b/man/mta-sts-daemon.yml.5.adoc
index c25caba4979ab5a6889daedd0e8598e112c9df9e..7bdcef73b29eec06c843e1419683e1efac0466f9 100644
--- a/man/mta-sts-daemon.yml.5.adoc
+++ b/man/mta-sts-daemon.yml.5.adoc
@@ -30,8 +30,6 @@ The file is in YAML syntax with the following elements:
 
 *shutdown_timeout*: (_float_) time limit granted to existing client sessions for finishing when server stops. Default: 20
 
-*tlsrpt*: (_bool_) include response attributes for TLSRPT support (Postfix 3.10 and later). Default: false
-
 *cache*::
 
 * *type*: (_str_: _internal_|_sqlite_|_redis_|_redis_sentinel_|postgres) cache backend type. Default: internal
@@ -64,6 +62,7 @@ It is unaffected by `cache_grace` and vice versa. Default: 86400
 * *strict_testing*: (_bool_) enforce policy for testing domains. Default: false
 * *timeout*: (_int_) network operations timeout for resolver in that zone. Default: 4
 * *require_sni*: (_bool_) add option `servername=hostname` to policy responses to make Postfix send SNI in TLS handshake as required by RFC 8461. Requires Postfix version 3.4+. Default: true
+* *tlsrpt*: (_bool_) include response attributes for TLSRPT support (Postfix 3.10 and later). Default: false
 
 *zones*::
 
diff --git a/postfix_mta_sts_resolver/responder.py b/postfix_mta_sts_resolver/responder.py
index b2fc865e88b3940604994b3a3591b26ae704f346..c67cefe6173d8ff17a37d6b3566ff606ac3ec51a 100644
--- a/postfix_mta_sts_resolver/responder.py
+++ b/postfix_mta_sts_resolver/responder.py
@@ -15,7 +15,7 @@ from . import netstring
 
 REQUEST_ENCODING = 'utf-8'
 
-ZoneEntry = collections.namedtuple('ZoneEntry', ('strict', 'resolver', 'require_sni'))
+ZoneEntry = collections.namedtuple('ZoneEntry', ('strict', 'resolver', 'require_sni', 'tlsrpt'))
 
 
 # pylint: disable=too-many-instance-attributes
@@ -33,19 +33,20 @@ class STSSocketmapResponder:
             self._port = cfg['port']
         self._reuse_port = cfg['reuse_port']
         self._shutdown_timeout = cfg['shutdown_timeout']
-        self._tlsrpt = cfg['tlsrpt']
         self._grace = cfg['cache_grace']
 
         # Construct configurations and resolvers for every socketmap name
         self._default_zone = ZoneEntry(cfg["default_zone"]["strict_testing"],
                                        STSResolver(loop=loop,
                                                    timeout=cfg["default_zone"]["timeout"]),
-                                       cfg["default_zone"]["require_sni"])
+                                       cfg["default_zone"]["require_sni"],
+                                       cfg["default_zone"]["tlsrpt"])
 
         self._zones = dict((k, ZoneEntry(zone["strict_testing"],
                                          STSResolver(loop=loop,
                                                      timeout=zone["timeout"]),
-                                         zone["require_sni"]))
+                                         zone["require_sni"],
+                                         zone["tlsrpt"]))
                            for k, zone in cfg["zones"].items())
 
         self._cache = cache
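Review bot: `ZoneEntry` is built positionally in both the `_default_zone` assignment and the `_zones` comprehension, and it now ends in two adjacent booleans, so a swapped `require_sni` and `tlsrpt` would go unnoticed while changing what is sent to Postfix. Passing the fields by keyword, e.g. `require_sni=zone["require_sni"], tlsrpt=zone["tlsrpt"]`, makes the mapping explicit at each construction site. `__init__` begins and continues outside the hunk.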
@@ -226,8 +227,13 @@ class STSSocketmapResponder:
                 resp = "OK secure match=" + ":".join(mxlist)
                 if zone_cfg.require_sni:
                     resp += " servername=hostname"
-                if self._tlsrpt:
+                if zone_cfg.tlsrpt:
                     resp += " policy_type=sts policy_domain=" + domain
+                    resp += " " + " ".join("mx_host_pattern=" + mx for mx in cached.pol_body['mx'])
+                    resp += " " + " ".join(
+                            "{ policy_string = %s: %s }" % (k, v) if k != "mx" else
+                            " ".join("{ policy_string = mx: %s }" % (mx,) for mx in v)
+                            for k, v in cached.pol_body.items())
                 return netstring.encode(resp.encode('utf-8'))
         else:
             return netstring.encode(b'NOTFOUND ')
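Review bot: The new `policy_string` attributes in the `if zone_cfg.tlsrpt:` branch copy every key and value of `cached.pol_body` into the socketmap reply without escaping, and that body originates from the recipient domain's fetched policy file. If the policy parser (not visible in this hunk) keeps extension fields or permits `{`, `}` or control characters in values, a remote policy could close the brace group early and add attributes of its own to the TLS policy result that Postfix acts on. Filtering each item before it is wrapped, as sketched below, keeps the reply well-formed; omitting the TLSRPT attributes altogether for such a policy would be an equally valid choice. The enclosing method starts outside the hunk.

```python
                if zone_cfg.tlsrpt:
                    # … unchanged: policy_type, policy_domain and mx_host_pattern attributes …
                    fields = []
                    for k, v in cached.pol_body.items():
                        for item in (v if k == "mx" else (v,)):
                            text = "%s: %s" % (k, item)
                            # Skip anything that could close the brace group or split the reply.
                            if any(c in "{}" or ord(c) < 0x20 for c in text):
                                continue
                            fields.append("{ policy_string = %s }" % (text,))
                    if fields:
                        resp += " " + " ".join(fields)
```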
diff --git a/postfix_mta_sts_resolver/utils.py b/postfix_mta_sts_resolver/utils.py
index ce0863308f23f591f88a8ed8ac410bf0707b0567..245bc709bcbcac0d1ebeca2e7b39c6a685f9c2e0 100644
--- a/postfix_mta_sts_resolver/utils.py
+++ b/postfix_mta_sts_resolver/utils.py
@@ -87,7 +87,6 @@ def populate_cfg_defaults(cfg):
     cfg['reuse_port'] = cfg.get('reuse_port', defaults.REUSE_PORT)
     cfg['shutdown_timeout'] = cfg.get('shutdown_timeout',
                                       defaults.SHUTDOWN_TIMEOUT)
-    cfg['tlsrpt'] = cfg.get('tlsrpt', defaults.TLSRPT)
     cfg['cache_grace'] = cfg.get('cache_grace', defaults.CACHE_GRACE)
 
     if 'proactive_policy_fetching' not in cfg:
@@ -117,6 +116,7 @@ def populate_cfg_defaults(cfg):
         zone['timeout'] = zone.get('timeout', defaults.TIMEOUT)
         zone['strict_testing'] = zone.get('strict_testing', defaults.STRICT_TESTING)
         zone['require_sni'] = zone.get('require_sni', defaults.REQUIRE_SNI)
+        zone['tlsrpt'] = zone.get('tlsrpt', defaults.TLSRPT)
         return zone
 
     if 'default_zone' not in cfg:
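Review bot: An existing configuration with `tlsrpt: true` at the top level is now ignored without any message, because the per-zone default added here falls back only to `defaults.TLSRPT` and the top-level default was removed in the previous hunk. Operators who upgrade would stop emitting TLSRPT attributes and silently lose TLS failure reporting. Assuming this helper is nested inside `populate_cfg_defaults` so that `cfg` is in scope (its `def` line is outside the hunk), `zone['tlsrpt'] = zone.get('tlsrpt', cfg.get('tlsrpt', defaults.TLSRPT))` keeps old files working. Otherwise, log a warning when the legacy top-level key is present.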