pf/php: add mta-sts support (outbound) (#6686)

* added mta-sts-resolver into postfix config + daemon

* [Web] Add MTA-STS support

* [Web] Fix mta-sts server_name

* updated .gitignore

* [ACME] fetch cert for mta-sts subdomain

* [Web] change MTA-STS id to human-readable timestamp

* [Web] Remove MTA-STS version STSv2

* [Web] Fix MTA-STS DNS check

* [Web] add max_age limit for MTA-STS policy

* Added tooltips and info texts to mta-sts webui page

* postfix: replace mta-sts-resolver with postfix-tlspol

---------

Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
DerLinkman
2025-08-26 09:57:05 +02:00
committed by GitHub
parent af871fdacb
commit c39712af67
18 changed files with 488 additions and 19 deletions
+15
@@ -483,10 +483,13 @@
"mailboxes_in_use": "Max. mailboxes must be greater or equal to %d",
"malformed_username": "Malformed username",
"map_content_empty": "Map content cannot be empty",
"max_age_invalid": "Max age %s is invalid",
"max_alias_exceeded": "Max. aliases exceeded",
"max_mailbox_exceeded": "Max. mailboxes exceeded (%d of %d)",
"max_quota_in_use": "Mailbox quota must be greater or equal to %d MiB",
"maxquota_empty": "Max. quota per mailbox must not be 0.",
"mode_invalid": "Mode %s is invalid",
"mx_invalid": "MX record %s is invalid",
"mysql_error": "MySQL error: %s",
"network_host_invalid": "Invalid network or host: %s",
"next_hop_interferes": "%s interferes with nexthop %s",
@@ -550,6 +553,7 @@
"username_invalid": "Username %s cannot be used",
"validity_missing": "Please assign a period of validity",
"value_missing": "Please provide all values",
"version_invalid": "Version %s is invalid",
"yotp_verification_failed": "Yubico OTP verification failed: %s"
},
"datatables": {
@@ -704,6 +708,17 @@
"maxbytespersecond": "Max. bytes per second <br><small>(0 = unlimited)</small>",
"mbox_rl_info": "This rate limit is applied on the SASL login name, it matches any \"from\" address used by the logged-in user. A mailbox rate limit overrides a domain-wide rate limit.",
"mins_interval": "Interval (min)",
"mta_sts": "MTA-STS",
"mta_sts_info": "<a href='https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol#SMTP_MTA_Strict_Transport_Security' target='_blank'>MTA-STS</a> is a standard that enforces email delivery between mail servers to use TLS with valid certificates. <br>It is used when <a target='_blank' href='https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities'>DANE</a> is not possible due to missing or unsupported DNSSEC.<br><b>Note</b>: If the receiving domain supports DANE with DNSSEC, DANE is <b>always</b> preferred MTA-STS only acts as a fallback.",
"mta_sts_version": "Version",
"mta_sts_version_info": "Defines the version of the MTA-STS standard currently only <code>STSv1</code> is valid." ,
"mta_sts_mode": "Mode",
"mta_sts_mode_info": "There are three modes to choose from:<ul><li><em>testing</em> policy is only monitored, violations have no impact.</li><li><em>enforce</em> policy is strictly enforced, connections without valid TLS are rejected.</li><li><em>none</em> policy is published but not applied.</li></ul>",
"mta_sts_max_age": "Max age",
"mta_sts_max_age_info": "Time in seconds that receiving mail servers may cache this policy until refetching.",
"mta_sts_mx": "MX server",
"mta_sts_mx_info": "Allows sending only to explicitly listed mail server hostnames; the sending MTA checks if the DNS MX hostname matches the policy list, and only allows delivery with a valid TLS certificate (guards against MITM).",
"mta_sts_mx_notice": "Multiple MX servers can be specified (separated by commas).",
"multiple_bookings": "Multiple bookings",
"none_inherit": "None / Inherit",
"nexthop": "Next hop",
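Review bot: The `mta_sts_max_age_info` string names the wrong party: an MTA-STS policy is fetched and cached by the sending MTAs that deliver to this domain, not by receiving mail servers, and `mta_sts_mx_info` two entries later already says "the sending MTA checks". I would change it to `"mta_sts_max_age_info": "Time in seconds that sending mail servers may cache this policy before refetching it.",` so an admin choosing a value understands that a short max age shortens the time a cached policy keeps protecting senders. In `mta_sts_info` the final sentence runs two clauses together; `DANE is <b>always</b> preferred; MTA-STS only acts as a fallback.` reads correctly, and `mta_sts_version_info` needs the same break before "currently" (it also has a stray space before its trailing comma). The two `target='_blank'` links in `mta_sts_info` carry no `rel` attribute; adding `rel='noopener noreferrer'` costs nothing and covers browsers that do not imply it.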