infra: MTA-STS policy + vhost + README (cert pending DNS propagation)

infra/mta-sts/README.md

@@ -0,0 +1,15 @@
+# MTA-STS for performancewest.net
+
+DNS TXT `_mta-sts.performancewest.net` = `v=STSv1; id=20260505` (already published).
+TLS-RPT TXT `_smtp._tls.performancewest.net` published.
+Added A record `mta-sts.performancewest.net -> 207.174.124.71` (Hestia).
+
+Policy served at `https://mta-sts.performancewest.net/.well-known/mta-sts.txt`
+from `/var/www/mta-sts/.well-known/mta-sts.txt` (content = mta-sts.txt here).
+
+PENDING: Let's Encrypt cert for mta-sts.performancewest.net (waiting on HE.net
+secondary DNS propagation). Once `dig +short mta-sts.performancewest.net @8.8.8.8`
+resolves, run:
+  sudo certbot certonly --webroot -w /var/www/certbot -d mta-sts.performancewest.net --non-interactive --agree-tos -m admin@performancewest.net
+then upgrade pw-mta-sts.conf to an HTTPS (443) server block (see pw-listmonk-hc.conf
+pattern) and reload nginx. MTA-STS requires the policy be served over valid HTTPS.

infra/mta-sts/mta-sts.txt

@@ -0,0 +1,4 @@
+version: STSv1
+mode: enforce
+mx: co.carrierone.com
+max_age: 604800

infra/mta-sts/pw-mta-sts.conf

@@ -0,0 +1,7 @@
+server {
+    listen 80;
+    server_name mta-sts.performancewest.net;
+    location /.well-known/acme-challenge/ { root /var/www/certbot; }
+    location /.well-known/mta-sts.txt { root /var/www/mta-sts; default_type text/plain; }
+    location / { return 404; }
+}