* dovecot: enable login names with square brackets
* config: make IPv4-only relays use self-signed TLS certs
* postfix: make delivery for IP-only relays work
* cmdeploy: skip DNS checks for IPv4 only relays
* www: generate dclogin codes for IPv4-only relays
* opendkim: disable DKIM signing on ipv4-only relays
* get delivery working
* get tests working on IPv4 only machine
* doc: document IPv4-only relays
* dns: warn if mail_domain is an IP, instead of checking DNS
* config: validate domains when formatting them
* ci: add cmlxc testing for no-DNS relays
* ci: run no-dns and normal CI in parallel
* retain "config.mail_domain" as the domain part of @ email addresses, so for ipv4 relays "[1.2.3.4]" and introduce config.ipv4_relay and config.mail_domain_bare helpers.
* ci: migrate from --no-dns to --type ipv4 for cmlxc compatibility
* cleanup dead code, fix docs, fixate cmlxc version
---------
Co-authored-by: missytake <missytake@systemli.org>
Both dovecot-quota-threshold triggers and the daily expiry routine
will now expunge oldest messages from mailboxes automatically
when the mailbox reaches 75% of max_mailbox_size.
Delta Chat users should not see any warnings (at 80/95 percent) or bounce messages,
and existing over-quota mailboxes should start receiving mails again.
This is aimed at reducing SSD wear level.
SSDs wear out because of writes
according to <https://superuser.com/a/440219/1777696>,
so anything reducing the writes should be helpful.
For online users Maildir format that we use
results in first storing the message in new/
and then moving to cur/ and then maybe even deleting
it immediately for users with a single device
or bots. Syncing all these changes to disk
is unnecessary and wears SSDs.
feat: support self-signed TLS via underscore domain convention
Domains starting with "_" (e.g. _chat.example.org) automatically use
self-signed TLS certificates instead of ACME/Let's Encrypt. The TLS
mode is derived from the domain name — no separate config option needed.
Internally, when config.tls_cert_mode is "self" (underscore domain):
- Generate self-signed certificates via openssl
- Set Postfix smtp_tls_security_level to "encrypt" (opportunistic TLS)
- Add smtp_tls_policy_map entry for underscore domains
- Skip ACME, MTA-STS and www CNAME checks in `cmdeploy dns`
- Serve /new via GET (not redirect to dcaccount:) with rate-limiting
(nginx limit_req, 2r/s burst=5)
- Return dclogin: URLs with ic=3 (AcceptInvalidCertificates) from /new
- Render QR codes client-side via JavaScript and qrcode-svg
- Use config.tls_cert_path/tls_key_path in Postfix, Dovecot and nginx
templates instead of hardcoded ACME paths
The ! character in != is an invalid token in Dovecot's unified filter
language (2.3.12+). The parser expected a comparison operator (=, >, <)
and choked on !.
This adds exporting of some dovecot event metrics to help debugging slow IMAP login and hibernation. For now, re-using mtail_address config flag and configure the port of the dovecot exporter to be 3904.
High-security mode could be configured
to handle more connections by increasing process_limit,
but has problems logging in many users at once after
each Dovecot restart or config reload.
I tested with -tls1_2 option
of openssl s_client
that TLS 1.2 connections
are no longer possible
on any ports except port 25.
Port 25 requires at least TLS 1.2
for encrypted connections.
I wanted to add `COMPRESS=DEFLATE`,
but it should be added only for sessions
that are logged in because `COMPRESS`
command does not work before logging in.
Dovecot already does it correctly
if we don't overwrite the capability string.
* add allow_ipv6 config option
* add ipv6 config changes to cmdeploy
* fix name of config option for ipv6 in config.py
* move configure ipv6 before service start
* Use templates for disabling ipv6
* lint
* fix parameters in _configure_dovecot
* dont pass domain to _configure_nginx
* make disable_ipv6 boolean
Co-authored-by: missytake <missytake@systemli.org>
* implement namis suggestions reg boolean for ipv6
* Update chatmaild/src/chatmaild/config.py
Co-authored-by: missytake <missytake@systemli.org>
* ruff
* ruff again :)
* fix merge conflict
* CI: add CI machine with IPv6 disabled
* CI: fix sed statement
* CI: fix ubuntu reset
* CI: separate cert storage for staging2 and staging-ipv4
* add DNS records to proper zone
* CI: ignore if folders are missing
* CI: renames are not needed like this
* CI: fix default DNS zone for ipv4
* CI: use debian 12 instead of ubuntu, tired of trying to guess the correct image
* remove duplicared listen on 8443
* use jinja templates for disable_ipv6
* remove unused variable
* add missing % sign in jinja tempalte
* more fun with jinja syntax
* CI: proper rsync paths for acme & DKIM caching
* Changelog: add disable_ipv6 config option
---------
Co-authored-by: missytake <missytake@systemli.org>
Co-authored-by: holger krekel <holger@merlinux.eu>
LMTP does not deduplicate messages
if sieve plugin is used.
We don't check for Auto-Submitted header anymore
as iOS application has a notification service
and should not display "You have a new message".
This change adds XDELTAPUSH capability.
Delta Chat clients detecting this capability
can set /private/devicetoken IMAP metadata
on the inbox to subscribe for Apple (APNS)
notifications.
Notifications are implemented in a new
`chatmail-metadata` service
which handles requests to set /private/devicetoken
IMAP metadata from Delta Chat clients
and /private/messagenew requests from
push_notification_lua script.
To avoid sending notifications for
MDNs, webxdc updates and Delta Chat sync messages,
messages with Auto-Submitted header are ignored
by setting $Auto keyword (flag) on them in Sieve script
and skipping such messages in push_notification_lua script.
Outgoing messages are also ignored.
There is no dictionary to set additional attributes,
but admin email can already be retrieved:
? GETMETADATA "" (/shared/admin)
* METADATA "" (/shared/admin {27}
mailto:root@c20.testrun.org)
? OK Getmetadata completed (0.001 + 0.000 secs).
