* enforce encryption for in-server mails
* make tests work with chatmail server only support e2ee internally
* fix echobot test
* simplify quota-exceeded test
* work around rpc-server fixture changes
Otherwise email providers which allow to bring your own domain
and use the same IP addresses for all customers
send wildcard certificate instead of the correct one
and Postfix refuses to connect with an error
server certificate verification failed for example.org[A.B.C.D]:25: num=62:hostname mismatch
It does not work because of `smtpd_proxy_filter`
forwarding the message to filtermail
and we cleanup the message once
filtermail reinjects it on port 10025.
I tested with -tls1_2 option
of openssl s_client
that TLS 1.2 connections
are no longer possible
on any ports except port 25.
Port 25 requires at least TLS 1.2
for encrypted connections.
`authclean` cleanup server is used by
reinjecting smtpd running on localhost:10025 by default.
It runs after filtermail
and currently removes `Received` header
to avoid leaking IP address.
Can as well be used to replace `Subject` lines
with `Subject: [...]`.
If there are multiple `Subject` lines,
all of them should be replaced.
This allows us to avoid dealing with
localized subjects, including SecureJoin
messages `vc-request` and `vg-request`
which can have Subject lines like
Subject: =?utf-8?q?Nachricht_von_nrn178fi4=40nine=2Etestrun=2Eorg?=
unbound-control is not installed out of the box
and even once installed `flush_zone` does not seem
to work reliably.
Instead of trying to flush the cache from unbound,
we now query authoritative nameserver directly using `dig`.
perform_initial_checks may exit early
and not add `acme_account_url` if required DNS
records are not found.
In this case other `cmdeploy run` fails
with KeyError.
To avoid this, `acme_account_url` should always be set.
Unlike DNS checks, running acmetool
may not fail due to network errors,
so it is more reliable and should be checked first.
I wanted to add `COMPRESS=DEFLATE`,
but it should be added only for sessions
that are logged in because `COMPRESS`
command does not work before logging in.
Dovecot already does it correctly
if we don't overwrite the capability string.
* Improve README for first setup
* DNS: fix flushing DNS when requesting records
* DNS: actually check whether mta-sts record is set correctly
* DNS: add changelog
* DNS: also check for www CNAME record
* DNS: fix tests
* lint: update ruff to 0.6.5 locally
