Messages are already cleaned once on the submission port
to avoid leaking the user IP address.
There is no need to clean them again
and remove the `Received` header
which records reception from filtermail.
I tested with -tls1_2 option
of openssl s_client
that TLS 1.2 connections
are no longer possible
on any ports except port 25.
Port 25 requires at least TLS 1.2
for encrypted connections.
`authclean` cleanup server is used by
reinjecting smtpd running on localhost:10025 by default.
It runs after filtermail
and currently removes `Received` header
to avoid leaking IP address.
Can as well be used to replace `Subject` lines
with `Subject: [...]`.
If there are multiple `Subject` lines,
all of them should be replaced.
This allows us to avoid dealing with
localized subjects, including SecureJoin
messages `vc-request` and `vg-request`
which can have Subject lines like
Subject: =?utf-8?q?Nachricht_von_nrn178fi4=40nine=2Etestrun=2Eorg?=
unbound-control is not installed out of the box
and even once installed `flush_zone` does not seem
to work reliably.
Instead of trying to flush the cache from unbound,
we now query authoritative nameserver directly using `dig`.
perform_initial_checks may exit early
and not add `acme_account_url` if required DNS
records are not found.
In this case other `cmdeploy run` fails
with KeyError.
To avoid this, `acme_account_url` should always be set.
Unlike DNS checks, running acmetool
may not fail due to network errors,
so it is more reliable and should be checked first.
I wanted to add `COMPRESS=DEFLATE`,
but it should be added only for sessions
that are logged in because `COMPRESS`
command does not work before logging in.
Dovecot already does it correctly
if we don't overwrite the capability string.
* Improve README for first setup
* DNS: fix flushing DNS when requesting records
* DNS: actually check whether mta-sts record is set correctly
* DNS: add changelog
* DNS: also check for www CNAME record
* DNS: fix tests
* lint: update ruff to 0.6.5 locally
* add allow_ipv6 config option
* add ipv6 config changes to cmdeploy
* fix name of config option for ipv6 in config.py
* move configure ipv6 before service start
* Use templates for disabling ipv6
* lint
* fix parameters in _configure_dovecot
* dont pass domain to _configure_nginx
* make disable_ipv6 boolean
Co-authored-by: missytake <missytake@systemli.org>
* implement namis suggestions reg boolean for ipv6
* Update chatmaild/src/chatmaild/config.py
Co-authored-by: missytake <missytake@systemli.org>
* ruff
* ruff again :)
* fix merge conflict
* CI: add CI machine with IPv6 disabled
* CI: fix sed statement
* CI: fix ubuntu reset
* CI: separate cert storage for staging2 and staging-ipv4
* add DNS records to proper zone
* CI: ignore if folders are missing
* CI: renames are not needed like this
* CI: fix default DNS zone for ipv4
* CI: use debian 12 instead of ubuntu, tired of trying to guess the correct image
* remove duplicared listen on 8443
* use jinja templates for disable_ipv6
* remove unused variable
* add missing % sign in jinja tempalte
* more fun with jinja syntax
* CI: proper rsync paths for acme & DKIM caching
* Changelog: add disable_ipv6 config option
---------
Co-authored-by: missytake <missytake@systemli.org>
Co-authored-by: holger krekel <holger@merlinux.eu>
