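#!/bin/bash
#
# Fix for Mantis bug 10979 — DKIM/ARC and MTA-STS on firefly (host-side parts).
#
# Does the two things that can be fixed without DNS access:
#   1. Enable ARC signing in rspamd (reusing the existing DKIM keys/selector).
#   2. Repair the malformed MTA-STS policy served for mta-sts.taler.net
#      (the served bytes currently have leading whitespace -> invalid per RFC 8461).
#
# DNS-side work (publishing the DKIM selector, _mta-sts/ TXT records, DMARC, and
# MTA-STS for other domains) is NOT done here — see analysis.md.
#
# Idempotent; validates nginx and rspamd before reloading. Run as root on firefly.
#
# Pre-change copies of every file touched go to a per-run directory under
# /root (printed at start), deliberately NOT next to the originals:
# /etc/nginx/sites-enabled/ is normally pulled in with a "*" glob, so a
# ".bak" copy left there would itself be loaded as a second, conflicting vhost.
#
set -euo pipefail

readonly DKIM_CONF="/etc/rspamd/local.d/dkim_signing.conf"
readonly ARC_CONF="/etc/rspamd/local.d/arc.conf"
readonly MTASTS_VHOST="/etc/nginx/sites-enabled/mta-sts.site"

# Set once in main(): run timestamp and the directory holding pre-change copies.
ts=""
backup_dir=""

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
log() { printf '==> %s\n' "$*"; }

#######################################
# Copy a file into backup_dir before it is modified.
# Globals:   backup_dir (read)
# Arguments: $1 - existing file to back up
#######################################
backup_file() {
  local src=$1
  cp -a -- "$src" "${backup_dir}/${src##*/}"
}

#######################################
# Put back the copy made by backup_file for the same path.
# Globals:   backup_dir (read)
# Arguments: $1 - file to restore
#######################################
restore_file() {
  local dst=$1
  cp -a -- "${backup_dir}/${dst##*/}" "$dst"
}

#######################################
# Read a quoted `key = "value";` setting from an rspamd config file.
# Arguments: $1 - key name (a literal identifier from this script, never user
#                 input: it is interpolated into the sed pattern)
#            $2 - file to read
# Outputs:   first matching value on stdout; empty if the key is absent
#######################################
conf_value() {
  local key=$1 file=$2
  sed -nE "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"([^\"]+)\".*/\\1/p" "$file" \
    | head -n1
}

#######################################
# 1) ARC signing in rspamd, mirroring DKIM signing's key path + selector.
# Globals:   DKIM_CONF, ARC_CONF (read); writes ARC_CONF
# Returns:   0 on success; exits via die() on a missing DKIM config or a
#            failed configtest (ARC_CONF restored/removed first)
#######################################
enable_arc_signing() {
  [[ -r "$DKIM_CONF" ]] || die "$DKIM_CONF not found; cannot mirror DKIM settings for ARC."

  # Reuse the same path/selector that DKIM signing uses so ARC signs with the
  # same already-deployed keys.
  local dkim_path dkim_selector
  dkim_path="$(conf_value path "$DKIM_CONF")"
  dkim_selector="$(conf_value selector "$DKIM_CONF")"
  # Fallbacks for a dkim_signing.conf that does not spell these out; the \$
  # keeps rspamd's own $domain/$selector placeholders literal.
  dkim_path="${dkim_path:-/etc/rspamd/dkim/\$domain/\$domain-\$selector.key}"
  dkim_selector="${dkim_selector:-mail-2026-3}"

  log "Writing ${ARC_CONF} (selector=${dkim_selector})"
  local had_arc=0
  if [[ -f "$ARC_CONF" ]]; then
    had_arc=1
    backup_file "$ARC_CONF"
  fi
  # NOTE(review): the arc.conf body in the reviewed copy of this script was
  # unrecoverable; path/selector are the two settings the header says ARC
  # mirrors from dkim_signing.conf — confirm against the deployed file.
  # printf writes the values verbatim, so the $domain/$selector placeholders
  # in the key path reach rspamd unexpanded.
  printf 'path = "%s";\nselector = "%s";\n' "$dkim_path" "$dkim_selector" > "$ARC_CONF"

  log "Validating rspamd configuration"
  if ! command -v rspamadm >/dev/null 2>&1; then
    printf 'WARNING: rspamadm not found; rspamd config is NOT validated before reload.\n' >&2
    return 0
  fi
  if ! rspamadm configtest; then
    # A broken arc.conf left behind would make the next rspamd restart fail
    # for whoever triggers it, so undo the write before bailing out.
    if (( had_arc )); then
      restore_file "$ARC_CONF"
    else
      rm -f -- "$ARC_CONF"
    fi
    die "rspamadm configtest failed; ${ARC_CONF} put back to its previous state."
  fi
}

#######################################
# 2) Repair the MTA-STS policy (no leading whitespace on served lines).
# Globals:   MTASTS_VHOST (read); rewrites it
# Returns:   0 on success or when the vhost is absent; exits via die() when
#            nginx -t rejects the new vhost (previous vhost restored first)
#######################################
repair_mta_sts_policy() {
  if [[ ! -f "$MTASTS_VHOST" ]]; then
    printf 'NOTE: %s not found; skipping MTA-STS repair.\n' "$MTASTS_VHOST"
    return 0
  fi

  log "Rewriting ${MTASTS_VHOST} with a valid (flush-left) policy"
  backup_file "$MTASTS_VHOST"
  # The policy body uses \n escapes (honoured by nginx inside a quoted string)
  # instead of literal line breaks, so re-indenting this file later can never
  # reintroduce the leading whitespace that made the policy invalid.
  cat > "$MTASTS_VHOST" <<'EOF'
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name mta-sts.taler.net;

  ssl_certificate /etc/letsencrypt/live/mail/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mail/privkey.pem;
  include conf.d/gnunet-org-tls-defaults.conf;

  error_log off;
  access_log off;
  root /dev/null;

  # RFC 8461: every line must be "key: value" with NO leading whitespace.
  # The \n escapes keep the served bytes independent of this file's indentation.
  location /.well-known/mta-sts.txt {
    default_type text/plain;
    return 200 "version: STSv1\nmode: testing\nmax_age: 86400\nmx: gv.taler.net\nmx: *.taler.net\n";
  }
}
EOF

  log "Validating nginx configuration"
  if nginx -t; then
    systemctl reload nginx
  else
    restore_file "$MTASTS_VHOST"
    die "nginx -t failed; previous vhost restored."
  fi
}

main() {
  [[ "$(id -u)" -eq 0 ]] || die "must be run as root."

  ts="$(date +%Y%m%d%H%M%S)"
  backup_dir="/root/bug10979-backup-${ts}"
  # Root-only: the copies are config files, but keep them out of reach anyway.
  mkdir -p -m 0700 -- "$backup_dir"
  log "Pre-change copies of every file touched go to ${backup_dir}"

  enable_arc_signing
  # If this step dies, arc.conf has already been written and validated but
  # rspamd has not been reloaded yet; re-running the script is safe.
  repair_mta_sts_policy

  # Reload rspamd last, after both configtest and nginx -t have passed.
  log "Reloading rspamd"
  systemctl reload rspamd 2>/dev/null || systemctl restart rspamd

  echo
  echo "Done (host-side). ARC signing enabled; MTA-STS policy now RFC-valid."
  echo "Remember the DNS-side records — see analysis.md (DKIM selector publish,"
  echo "_mta-sts TXT, DMARC). Validate, then consider MTA-STS mode: enforce."
}

main "$@"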