feat: support setup without domain, with only an IPv4 address (#963)

* dovecot: enable login names with square brackets * config: make IPv4-only relays use self-signed TLS certs * postfix: make delivery for IP-only relays work * cmdeploy: skip DNS checks for IPv4 only relays * www: generate dclogin codes for IPv4-only relays * opendkim: disable DKIM signing on ipv4-only relays * get delivery working * get tests working on IPv4 only machine * doc: document IPv4-only relays * dns: warn if mail_domain is an IP, instead of checking DNS * config: validate domains when formatting them * ci: add cmlxc testing for no-DNS relays * ci: run no-dns and normal CI in parallel * retain "config.mail_domain" as the domain part of @ email addresses, so for ipv4 relays "[1.2.3.4]" and introduce config.ipv4_relay and config.mail_domain_bare helpers. * ci: migrate from --no-dns to --type ipv4 for cmlxc compatibility * cleanup dead code, fix docs, fixate cmlxc version --------- Co-authored-by: missytake <missytake@systemli.org>
2026-05-21 05:18:04 +00:00 · 2026-05-11 21:52:33 +02:00
parent 6a7e6ce9e7
commit 4ebde2825d
26 changed files with 256 additions and 87 deletions
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -10,6 +10,7 @@ dependencies = [
  "filelock",
  "requests",
  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
+  "domain-validator",
 ]

 [tool.setuptools]
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,6 +1,8 @@
+import ipaddress
 from pathlib import Path

 import iniconfig
+from domain_validator import DomainValidator

 from chatmaild.user import User

@@ -19,7 +21,19 @@ def read_config(inipath):
 class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
-        self.mail_domain = params["mail_domain"]
+        raw_domain = params["mail_domain"]
+        self.mail_domain_bare = raw_domain
+
+        if is_valid_ipv4(raw_domain):
+            self.ipv4_relay = raw_domain
+            self.mail_domain = f"[{raw_domain}]"
+            self.postfix_myhostname = ipaddress.IPv4Address(raw_domain).reverse_pointer
+        else:
+            DomainValidator().validate_domain_re(raw_domain)
+            self.ipv4_relay = None
+            self.mail_domain = raw_domain
+            self.postfix_myhostname = raw_domain
+
        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
        self.max_mailbox_size = params["max_mailbox_size"]
@@ -53,7 +67,7 @@ class Config:
        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
        if "iroh_relay" not in params:
-            self.iroh_relay = "https://" + params["mail_domain"]
+            self.iroh_relay = "https://" + raw_domain
            self.enable_iroh_relay = True
        else:
            self.iroh_relay = params["iroh_relay"].strip()
@@ -79,17 +93,17 @@ class Config:
                )
            self.tls_cert_mode = "external"
            self.tls_cert_path, self.tls_key_path = parts
-        elif self.mail_domain.startswith("_"):
+        elif raw_domain.startswith("_") or self.ipv4_relay:
            self.tls_cert_mode = "self"
            self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
            self.tls_key_path = "/etc/ssl/private/mailserver.key"
        else:
            self.tls_cert_mode = "acme"
-            self.tls_cert_path = f"/var/lib/acme/live/{self.mail_domain}/fullchain"
-            self.tls_key_path = f"/var/lib/acme/live/{self.mail_domain}/privkey"
+            self.tls_cert_path = f"/var/lib/acme/live/{raw_domain}/fullchain"
+            self.tls_key_path = f"/var/lib/acme/live/{raw_domain}/privkey"

        # deprecated option
-        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
+        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
        self.mailboxes_dir = Path(mbdir.strip())

        # old unused option (except for first migration from sqlite to maildir store)
@@ -175,3 +189,12 @@ def get_default_config_content(mail_domain, **overrides):
                lines.append(line)
        content = "\n".join(lines)
    return content
+
+
+def is_valid_ipv4(address: str) -> bool:
+    """Check if a mail_domain is an IPv4 address."""
+    try:
+        ipaddress.IPv4Address(address)
+        return True
+    except ValueError:
+        return False
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -2,7 +2,6 @@

 """CGI script for creating new accounts."""

-import ipaddress
 import json
 import secrets
 import string
@@ -15,16 +14,6 @@ ALPHANUMERIC = string.ascii_lowercase + string.digits
 ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation


-def wrap_ip(host):
-    if host.startswith("[") and host.endswith("]"):
-        return host
-    try:
-        ipaddress.ip_address(host)
-        return f"[{host}]"
-    except ValueError:
-        return host
-
-
 def create_newemail_dict(config: Config):
    user = "".join(
        secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
@@ -33,16 +22,22 @@ def create_newemail_dict(config: Config):
        secrets.choice(ALPHANUMERIC_PUNCT)
        for _ in range(config.password_min_length + 3)
    )
-    return dict(email=f"{user}@{wrap_ip(config.mail_domain)}", password=f"{password}")
+    return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")


-def create_dclogin_url(email, password):
+def create_dclogin_url(config, email, password):
    """Build a dclogin: URL with credentials and self-signed cert acceptance.

    Uses ic=3 (AcceptInvalidCertificates) so chatmail clients
    can connect to servers with self-signed TLS certificates.
    """
-    return f"dclogin:{quote(email, safe='@')}?p={quote(password, safe='')}&v=1&ic=3"
+    if config.ipv4_relay:
+        imap_host = "&ih=" + config.ipv4_relay
+        smtp_host = "&sh=" + config.ipv4_relay
+    else:
+        imap_host = ""
+        smtp_host = ""
+    return f"dclogin:{quote(email, safe='@[]')}?p={quote(password, safe='')}&v=1{imap_host}{smtp_host}&ic=3"


 def print_new_account():
@@ -51,7 +46,9 @@ def print_new_account():

    result = dict(email=creds["email"], password=creds["password"])
    if config.tls_cert_mode == "self":
-        result["dclogin_url"] = create_dclogin_url(creds["email"], creds["password"])
+        result["dclogin_url"] = create_dclogin_url(
+            config, creds["email"], creds["password"]
+        )

    print("Content-Type: application/json")
    print("")
--- a/chatmaild/src/chatmaild/tests/plugin.py
+++ b/chatmaild/src/chatmaild/tests/plugin.py
@@ -31,6 +31,11 @@ def example_config(make_config):
    return make_config("chat.example.org")


+@pytest.fixture
+def ipv4_config(make_config):
+    return make_config("1.3.3.7")
+
+
@pytest.fixture
 def maildomain(example_config):
    return example_config.mail_domain
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -1,6 +1,10 @@
 import pytest

-from chatmaild.config import parse_size_mb, read_config
+from chatmaild.config import (
+    is_valid_ipv4,
+    parse_size_mb,
+    read_config,
+)


 def test_read_config_basic(example_config):
@@ -13,6 +17,12 @@ def test_read_config_basic(example_config):
    example_config = read_config(inipath)
    assert example_config.max_user_send_per_minute == 37
    assert example_config.mail_domain == "chat.example.org"
+    assert example_config.ipv4_relay is None
+
+
+def test_read_config_ipv4(ipv4_config):
+    assert ipv4_config.ipv4_relay == "1.3.3.7"
+    assert ipv4_config.mail_domain == "[1.3.3.7]"


 def test_read_config_basic_using_defaults(tmp_path, maildomain):
@@ -135,3 +145,17 @@ def test_max_mailbox_size_mb(make_config):
    config = make_config("chat.example.org")
    assert config.max_mailbox_size == "500M"
    assert config.max_mailbox_size_mb == 500
+
+
+@pytest.mark.parametrize(
+    ["input", "result"],
+    [
+        ("example.org", False),
+        ("1.3.3.7", True),
+        ("fe::1", False),
+        ("ad.1e.dag.adf", False),
+        ("12394142", False),
+    ],
+)
+def test_is_valid_ipv4(input, result):
+    assert result == is_valid_ipv4(input)
--- a/chatmaild/src/chatmaild/tests/test_newmail.py
+++ b/chatmaild/src/chatmaild/tests/test_newmail.py
@@ -19,24 +19,35 @@ def test_create_newemail_dict(example_config):
    assert ac1["password"] != ac2["password"]


-def test_create_newemail_dict_ip(make_config):
-    config = make_config("1.2.3.4")
-    ac = create_newemail_dict(config)
-    assert ac["email"].endswith("@[1.2.3.4]")
+def test_create_newemail_dict_ip(ipv4_config):
+    ac = create_newemail_dict(ipv4_config)
+    assert ac["email"].endswith("@[1.3.3.7]")


-def test_create_dclogin_url():
-    url = create_dclogin_url("user@example.org", "p@ss w+rd")
+def test_create_dclogin_url(example_config):
+    addr = "user@example.org"
+    password = "p@ss w+rd"
+    url = create_dclogin_url(example_config, addr, password)
    assert url.startswith("dclogin:")
    assert "v=1" in url
    assert "ic=3" in url

-    assert "user@example.org" in url
+    assert addr in url
    # password special chars must be encoded
    assert "p%40ss" in url
    assert "w%2Brd" in url


+def test_create_dclogin_url_ipv4(ipv4_config):
+    addr = "user@[1.3.3.7]"
+    password = "p@ss w+rd"
+    url = create_dclogin_url(ipv4_config, addr, password)
+    assert url.startswith("dclogin:")
+    assert "v=1" in url
+    assert "ic=3" in url
+    assert addr in url
+
+
 def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_config):
    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(example_config._inipath))
    print_new_account()