Add an MTA-STS entry for email policy

https://www.mailhardener.com/kb/mta-sts
gip-inclusion · Oct 16, 2024 · ad7f176 · ad7f176
1 parent 71f6878
commit ad7f176
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 2 deletions.
diff --git a/static/.well-known/mta-sts.inclusion.beta.gouv.fr.txt b/static/.well-known/mta-sts.inclusion.beta.gouv.fr.txt
@@ -0,0 +1,5 @@
+version: STSv1
+mode: enforce
+mx: mx1.alwaysdata.com.
+mx: mx2.alwaysdata.com.
+max_age: 604800
diff --git a/static/.well-known/mta-sts.inclusion.gouv.fr.txt b/static/.well-known/mta-sts.inclusion.gouv.fr.txt
@@ -0,0 +1,8 @@
+version: STSv1
+mode: enforce
+mx: aspmx.l.google.com
+mx: alt1.aspmx.l.google.com
+mx: alt2.aspmx.l.google.com
+mx: alt3.aspmx.l.google.com
+mx: alt4.aspmx.l.google.com
+max_age: 604800
diff --git a/well_known/tests.py b/well_known/tests.py
@@ -0,0 +1,41 @@
+import pathlib
+
+from django.conf import settings
+from django.test import TestCase, override_settings
+from django.urls import reverse
+
+
+class TestMTASTS(TestCase):
+    def test_access_from_tests(self):
+        response = self.client.get(reverse("mta-sts"))
+        self.assertEqual(response.status_code, 404)
+
+    def test_access_from_localhost(self):
+        response = self.client.get(
+            reverse("mta-sts"),
+            HTTP_HOST="localhost",
+            SERVER_NAME="localhost",
+        )
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(
+            response.content,
+            b"Content depends on the domain, because MX servers are per domain.",
+        )
+
+    @override_settings(ALLOWED_HOSTS=["inclusion.beta.gouv.fr", "inclusion.gouv.fr"])
+    def test_access_from_domain(self):
+        for domain in settings.ALLOWED_HOSTS:
+            with self.subTest(domain):
+                response = self.client.get(
+                    reverse("mta-sts"),
+                    HTTP_HOST=domain,
+                    SERVER_NAME=domain,
+                )
+                self.assertEqual(response.status_code, 200)
+                policy_path = (
+                    pathlib.Path(settings.BASE_DIR)
+                    / "static"
+                    / ".well-known"
+                    / f"mta-sts.{domain}.txt"
+                )
+                self.assertEqual(response.content, policy_path.read_bytes())
diff --git a/well_known/urls.py b/well_known/urls.py
@@ -1,10 +1,11 @@
 from django.urls import path
 
-from .views import serve_text_file
+from .views import mta_sts, serve_text_file
 
 
 urlpatterns = [
     path("pdi-pgp.asc", serve_text_file, {"file_name": "pdi-pgp.asc"}, name="pdi-pgp"),
     path("security-policy.txt", serve_text_file, {"file_name": "security-policy.txt"}, name="security-policy"),
     path("security.txt", serve_text_file, {"file_name": "security.txt"}, name="security"),
+    path("mta-sts.txt", mta_sts, name="mta-sts"),
 ]
diff --git a/well_known/views.py b/well_known/views.py
@@ -1,6 +1,6 @@
 import os
 
-from django.http import HttpResponse
+from django.http import Http404, HttpResponse
 
 
 def serve_text_file(request, file_name):
@@ -11,3 +11,16 @@ def serve_text_file(request, file_name):
         return HttpResponse(content, content_type="text/plain; charset=utf-8")
     except FileNotFoundError:
         return HttpResponse(b"File not found.", status=404)
+
+
+def mta_sts(request):
+    match request.META["SERVER_NAME"]:
+        case "inclusion.beta.gouv.fr" | "inclusion.gouv.fr" as domain:
+            return serve_text_file(request, f"mta-sts.{domain}.txt")
+        case "localhost":
+            return HttpResponse(
+                "Content depends on the domain, because MX servers are per domain.".encode(),
+                content_type="text/plain; charset=utf-8",
+            )
+        case _:
+            raise Http404