DuckCorp » DuckCorp Infrastructure

Added MTA-STS policy which can be setup via Ansible.

Now we need to check the status for incoming mails.

I had no reply and that's going to take time anyway so I created a role to install postfix-mta-sts-resolver using pip in a virtualenv.

All is in place now and manual tests were ok; I'm monitoring the logs to see how it goes.

despite my tests (I guess due to delay to be taken into account) the enforcing policy caused problems because of our custom CA; switched to testing until solved.

SMTP certs are now using Let's Encrypt certs using DNS challenge. I was able to enforce the MTA-STS policy again.

As we do not generate the cert ourselves I was forced to disable TLSA. I saw some projects around this and need to look at it.

I also need to replace the DH generation.

All MX types are now using Let's Encrypt.

I cleaned-up the obsolete certs from our custom CA and reenabled TLSA for the remaining services.

The DH is now generated.

I created #675 for the TLSA part as using Let's Encrypt for website also had the same effect, so it's not directly related to MTA-STS.

Continuing to monitor, no problems so far.

The hook was created and works fine.

There was no problem during the week, thus closing.