* dovecot: enable login names with square brackets
* config: make IPv4-only relays use self-signed TLS certs
* postfix: make delivery for IP-only relays work
* cmdeploy: skip DNS checks for IPv4 only relays
* www: generate dclogin codes for IPv4-only relays
* opendkim: disable DKIM signing on ipv4-only relays
* get delivery working
* get tests working on IPv4 only machine
* doc: document IPv4-only relays
* dns: warn if mail_domain is an IP, instead of checking DNS
* config: validate domains when formatting them
* ci: add cmlxc testing for no-DNS relays
* ci: run no-dns and normal CI in parallel
* retain "config.mail_domain" as the domain part of @ email addresses, so for ipv4 relays "[1.2.3.4]" and introduce config.ipv4_relay and config.mail_domain_bare helpers.
* ci: migrate from --no-dns to --type ipv4 for cmlxc compatibility
* cleanup dead code, fix docs, fixate cmlxc version
---------
Co-authored-by: missytake <missytake@systemli.org>
Adds a new tls_external_cert_and_key config option for chatmail servers
that manage their own TLS certificates (e.g. via an external ACME client
or a load balancer).
A systemd path unit (tls-cert-reload.path) watches the certificate file
via inotify and automatically reloads dovecot and nginx when it changes.
Postfix reads certs per TLS handshake so needs no reload.
Also extracts openssl_selfsigned_args() so cert generation parameters
are shared between SelfSignedTlsDeployer and the e2e test.
feat: support self-signed TLS via underscore domain convention
Domains starting with "_" (e.g. _chat.example.org) automatically use
self-signed TLS certificates instead of ACME/Let's Encrypt. The TLS
mode is derived from the domain name — no separate config option needed.
Internally, when config.tls_cert_mode is "self" (underscore domain):
- Generate self-signed certificates via openssl
- Set Postfix smtp_tls_security_level to "encrypt" (opportunistic TLS)
- Add smtp_tls_policy_map entry for underscore domains
- Skip ACME, MTA-STS and www CNAME checks in `cmdeploy dns`
- Serve /new via GET (not redirect to dcaccount:) with rate-limiting
(nginx limit_req, 2r/s burst=5)
- Return dclogin: URLs with ic=3 (AcceptInvalidCertificates) from /new
- Render QR codes client-side via JavaScript and qrcode-svg
- Use config.tls_cert_path/tls_key_path in Postfix, Dovecot and nginx
templates instead of hardcoded ACME paths
* docs: update index reference
* docs: adds control machine migration instructions
* docs: rename index ref
* docs: remove maddy-chatmail (404)
* docs: consistent underlining in header text
* docs: remove dedicated page reference
* docs: remove dedicated page for control machine migration
* docs: condense deployment machine migration into getting started per feedback
* docs: correct link to madmail
* docs: update verbiage based on feedback
refactor README.rst and architecture file into sphinx doc project, automatically deploying on main merges and PRs.
* add FAQs from https://chatmail.at/relays landing page
* fix links, and streamline postfix/dovecot mentioning
* add linkcheck to CI, fix several links and streamlihne DKIM section while at it
* some streamlining, rename to "overview"
* ci: upload documentation to chatmail.at/doc/relay
* ci: main should be uploaded when docs.yaml changes
* ci: fix typo
* Update .github/workflows/docs-preview.yaml
Co-authored-by: missytake <missytake@systemli.org>
