Introduce DEFER_ON_TLS_ERROR

This will default to True and defer emails that fail even "loose"
validation of DANE or MTA-STS

It should work most of the time but if it doesn't and you would rather
see your emails delivered, you can turn it off.

core/postfix/conf/main.cf

@@ -58,13 +58,17 @@ tls_ssl_options = NO_COMPRESSION, NO_TICKET
 # 2. not all will have and up-to-date TLS stack.
 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtp_tls_protocols =!SSLv2,!SSLv3
-smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('may') }}
+smtp_tls_security_level = {{ OUTBOUND_TLS_LEVEL|default('dane') }}
+smtp_tls_dane_insecure_mx_policy = dane
 smtp_tls_policy_maps=hash:/etc/postfix/tls_policy.map, socketmap:unix:/tmp/mta-sts.socket:postfix
 smtp_tls_CApath = /etc/ssl/certs
 smtp_tls_session_cache_database = lmdb:/dev/shm/postfix/smtp_scache
 smtpd_tls_session_cache_database = lmdb:/dev/shm/postfix/smtpd_scache
 smtp_host_lookup = dns
 smtp_dns_support_level = dnssec
+delay_warning_time = 5m
+smtp_tls_loglevel = 1
+notify_classes = resource, software, delay
 
 ###############
 # Virtual

core/postfix/mta-sts-daemon.yml

@@ -6,5 +6,5 @@ cache:
   options:
     cache_size: 10000
 default_zone:
-  strict_testing: false
+  strict_testing: {{ DEFER_ON_TLS_ERROR |default('true') }}
   timeout: 4

core/postfix/start.py

@@ -76,6 +76,7 @@ for map_file in glob.glob("/overrides/*.map"):
 
 if os.path.exists("/overrides/mta-sts-daemon.yml"):
     shutil.copyfile("/overrides/mta-sts-daemon.yml", "/etc/mta-sts-daemon.yml")
+conf.jinja("/etc/mta-sts-daemon.yml", os.environ, "/etc/mta-sts-daemon.yml")
 
 if not os.path.exists("/etc/postfix/tls_policy.map.db"):
     with open("/etc/postfix/tls_policy.map", "w") as f: