feat: support setup without domain, with only an IPv4 address (#963)

* dovecot: enable login names with square brackets * config: make IPv4-only relays use self-signed TLS certs * postfix: make delivery for IP-only relays work * cmdeploy: skip DNS checks for IPv4 only relays * www: generate dclogin codes for IPv4-only relays * opendkim: disable DKIM signing on ipv4-only relays * get delivery working * get tests working on IPv4 only machine * doc: document IPv4-only relays * dns: warn if mail_domain is an IP, instead of checking DNS * config: validate domains when formatting them * ci: add cmlxc testing for no-DNS relays * ci: run no-dns and normal CI in parallel * retain "config.mail_domain" as the domain part of @ email addresses, so for ipv4 relays "[1.2.3.4]" and introduce config.ipv4_relay and config.mail_domain_bare helpers. * ci: migrate from --no-dns to --type ipv4 for cmlxc compatibility * cleanup dead code, fix docs, fixate cmlxc version --------- Co-authored-by: missytake <missytake@systemli.org>
2026-05-15 19:14:44 +00:00 · 2026-05-11 21:52:33 +02:00
parent 6a7e6ce9e7
commit 4ebde2825d
26 changed files with 256 additions and 87 deletions
--- a/doc/source/faq.rst
+++ b/doc/source/faq.rst
@@ -15,6 +15,7 @@ goes beyond what classic email servers offer:
   streaming, privacy-preserving Push Notifications for Apple, Google, and `Ubuntu Touch <https://docs.ubports.com/en/latest/appdev/guides/pushnotifications.html>`_;

 -  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
+   (DKIM is not enforced on :ref:`IP-only relays <iponly>`)

 -  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
   depends on established IETF standards and protocols.
--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -14,8 +14,6 @@ Minimal requirements and prerequisites

 You will need the following:

-  Control over a domain through a DNS provider of your choice.
-
 -  A Debian 12 **deployment server** with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
   IPv6 is encouraged if available. Chatmail relay servers only require
   1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
@@ -28,6 +26,11 @@ You will need the following:
   (An ed25519 private key is required due to an `upstream bug in
   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)

+-  Control over a domain through a DNS provider of your choice
+   (there is experimental support for :ref:`IP-only relays <iponly>`).
+
+
+.. _setup:

 Setup with ``scripts/cmdeploy``
 -------------------------------------
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -19,3 +19,4 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
    reverse_dns
    related
    faq
+    iponly
--- a/doc/source/iponly.rst
+++ b/doc/source/iponly.rst
@@ -0,0 +1,40 @@
+.. _iponly:
+
+Hosting without DNS records
+===========================
+
+.. note::
+
+   This option is experimental and might change without notice.
+
+In case you don't have a domain,
+for example in a local network,
+you can run a chatmail relay with only an IPv4 address as well.
+
+To deploy a relay without a domain,
+run ``cmdeploy init`` with only the IPv4 address
+during the :ref:`installation steps <setup>`,
+for example ``cmdeploy init 13.12.23.42``.
+
+Drawbacks
+---------
+
+- your transport encryption will only use self-signed TLS certificates,
+  which are vulnerable against MITM attacks.
+  the chatmail core's end-to-end encryption should suffice in most scenarios though.
+
+- your messages will not be DKIM-signed;
+  experimentally, most chatmail relays accept non-DKIM-signed messages from IP-only relays,
+  but some relays might not accept messages from yours.
+
+
+Email addresses
+---------------
+
+When running without a domain,
+your chatmail addresses will use the IPv4 address
+in brackets as the domain part,
+for example ``user@[13.12.23.42]``.
+This is a valid email address format
+according to :rfc:`5321`.
+
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -265,7 +265,8 @@ from the chatmail relay server.
 Email domain authentication (DKIM)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
+Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails
+(except for :ref:`IP-only relays <iponly>`).
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked