fix: pin chatmail core to 2.49.0

2.50.0 has delete_server_after config removed, but it is still used in the tests.
feat: reduce maximal_queue_lifetime from 5d to 2d
2026-06-10 05:31:08 +00:00 · 2026-05-28 16:17:11 +02:00 · 2026-05-20 19:27:58 +00:00 · 2026-05-20 15:39:11 +00:00 · 2026-05-19 22:17:04 +00:00 · 2026-05-19 15:54:15 +00:00
6 changed files with 76 additions and 5 deletions
@@ -9,6 +9,7 @@ name: Trigger Docker build
 on:
  push:
    branches: [main]
    tags: ['[0-9]+.[0-9]+.[0-9]+']
  workflow_dispatch:
 permissions: {}
@@ -1,5 +1,47 @@
 # Changelog for chatmail deployment
 ## [1.11.0] - 2026-05-15
 ### Breaking Changes
 - [**breaking**] Drop passthrough_sender and passthrough_recipients chatmail.ini options to eliminate one more source of unencrypted messages
 ### Features
 - Use filtermail for delivery to remote MTAs
 - Expose metadata "maxsmtprecipients" value
 - Support setup without domain, with only an IPv4 address (#963)
 - *(doc/docker)* Introduce docker images in documentation
 - DKIM-sign bounce messages (mainly "user does not exist")
 - *(config)* Load default values from Config(), not chatmail.ini.f (#853)
 - Make turn_socket_path configurable, and cleanup tests and turnserver code.
 - Warn about any unused chatmail.ini parameter at the end of "cmdeploy run"
 ### Bug Fixes
 - Make www tests work with editable instead of just plain installs
 - Use path with no leading slash for mxdeliv
 - Increase filtermail-transport concurrency limit
 - Fix #972 by increasing file descriptors for filtermail
 - *(mtail)* Correct boot ordering and deploy restart logic
 - *(cmdeploy)* Stop and disable unbound-resolvconf
 - *(nginx)* Properly redirect www to mail_domain
 - *(dns)* Query correct NS if MNAME server is hidden (#954)
 - Legacy token metadata storage used list type, but if no new setmetadata happened, the user would not be notified at all.
 - *(logging)* Log all http requests to syslog
 ### Documentation
 - Document how to upgrade to new version (#965)
 ### Other
 - *(deps)* Upgrade to filtermail v0.6.4
 ### Refactor
 - Introduce automated change-tracking across deployers
 ## 1.10.0 2026-04-30
 * start mtail after networking is fully up <https://github.com/chatmail/relay/pull/942>
@@ -19,8 +19,8 @@ dependencies = [
  "pytest-xdist", 
  "execnet",
  "imap_tools",
-  "deltachat-rpc-client",
+  "deltachat-rpc-client==2.49.0",
-  "deltachat-rpc-server",
+  "deltachat-rpc-server==2.49.0",
 ]
 [project.scripts]
@@ -53,7 +53,8 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 # See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
 tls_preempt_cipherlist = yes
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# Reject by default, override per smtpd in master.cf
 smtpd_relay_restrictions = reject
 myhostname = {{ config.postfix_myhostname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -101,9 +102,24 @@ smtpd_peername_lookup = no
 # so instead this is handled in filtermail.
 # We use LMTP instead SMTP so we can communicate per-recipient errors back to postfix.
 default_transport = lmtp-filtermail:inet:[127.0.0.1]:{{ config.filtermail_lmtp_port_transport }}
 # All deliveries over lmtp-filtermail are treated
 # as having the same destination [127.0.0.1],
 # so it is not possible to limit per-destination concurrency here,
 # it is a job for filtermail-transport.
 # Total number of parallel deliveries is limited
 # by "maxproc" column in /etc/postfix/master.cf for lmtp-filtermail.
 # Settings below are to prevent Postfix queue manager
 # from limiting the number of LMTP connections to filtermail-transport.
 # Read <https://www.postfix.org/TUNING_README.html#rope> and
 # <https://www.postfix.org/SCHEDULER_README.html> for the details
 # of the Postfix algorithm that we effectively disable here.
 lmtp-filtermail_initial_destination_concurrency=10000
 lmtp-filtermail_destination_concurrency_limit=10000
 # Do not try to deliver messages for more than 2 days.
 maximal_queue_lifetime = 2d
 {% if not config.ipv4_relay %}
 # DKIM-sign locally generated mail (bounces, DSNs).
 # These bypass smtpd, so they need explicit milter configuration.
@@ -17,6 +17,7 @@ smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=>=TLSv1.2
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
  -o smtpd_relay_restrictions=reject_unauth_destination
 submission inet n       -       y       -       5000    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
@@ -81,12 +82,14 @@ filter    unix -        n       n       -       -       lmtp
  -o syslog_name=postfix/reinject
  -o milter_macro_daemon_name=ORIGINATING
  -o cleanup_service_name=authclean
  -o smtpd_relay_restrictions=permit_mynetworks,reject
 {% if not config.ipv4_relay %}  -o smtpd_milters=unix:opendkim/opendkim.sock
 {% endif %}
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject_incoming
  -o smtpd_relay_restrictions=reject_unauth_destination
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
@@ -102,7 +105,15 @@ filter    unix -        n       n       -       -       lmtp
 authclean unix  n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_cleanup
-lmtp-filtermail unix  -       -       y       -       10000       lmtp
+# Reducing `maxproc` here may result in a head of line blocking
 # when there are many messages sent to unreachable destinations
 # at the same time.
 # LMTP clients here talk to filtermail-transport.
 # LMTP has no pipelining,
 # so while filtermail-transport tries to deliver the message,
 # possibly waiting for a long connection timeout
 # or talking to a slow server, LMTP client cannot be reused.
 lmtp-filtermail unix  -       -       y       -       500       lmtp
  -o syslog_name=postfix/lmtp-filtermail
  -o lmtp_header_checks=
  -o lmtp_tls_security_level=none
@@ -60,6 +60,7 @@ and run the following commands:
   ::
       git pull origin main --rebase --autostash
       scripts/initenv.sh
       scripts/cmdeploy run
 If you don't want the latest development version,
Author	SHA1	Message	Date
link2xt	221f5ed10e	fix: pin chatmail core to 2.49.0 2.50.0 has delete_server_after config removed, but it is still used in the tests.	2026-05-28 16:17:11 +02:00
link2xt	4b04aae83b	feat: reduce maximal_queue_lifetime from 5d to 2d If the message is not delivered within 2 days, it is unlikely to be delivered in 5 days either.	2026-05-20 19:27:58 +00:00
link2xt	0eed92171c	fix: reduce maxproc for filtermail-transport LMTP client to 500 This further reduces it from 1000. For small servers this may be needed if they have low memory. For large servers may be increased manually for now.	2026-05-20 15:39:11 +00:00
link2xt	a5b9a98baa	fix: limit the number of LMTP clients for filtermail-transport to 1000 Postfix does not have jitter for deferred mails and scans the queue periodically every queue_run_delay (<https://www.postfix.org/postconf.5.html#queue_run_delay>). As a result it is likely to try delivering many deferred messages at the same time. Normally the number of outgoing connections should be low even with unreachable destinations, but after the server downtime or if admin flushes the queue manually it is possible that a lot of messages to the same unreachable destination expire at once and are moved from "deferred" into the "active" queue. Trying to deliver them all at once may make the server run out of memory by starting many LMTP clients. Limiting the number of LMTP processes turns OOM problem into head of line blocking problem. Messages sent to reachable destinations will be delayed as well, but at least deferred messages will get distributed over time. In this case "active" queue may grow (up to qmgr_message_active_limit defaulting to 20000), but then admin may notice the problem and solve it e.g. by making the destinations reachable or setting up a transport map to route messages for known dead servers into discard transport. Eventually the problem should be solved by filtermail-transport quickly returning temporary errors for destinations which already have many messages queued, then we can reduce "maxproc" further.	2026-05-19 22:17:04 +00:00
link2xt	ab2d807084	fix: set relay restrictions per smtpd service with default reject We never want to defer email with a tepporary error when it has destination that we cannot deliver locally and don't want to relay. To avoid doing this accidentally, set default action to "reject" and then override it with the minimal restrictions per smtpd. Submission ports already had smtpd_relay_restrictions=permit_sasl_authenticated,reject override. Each smtpd port must have at least one of reject, reject_unauth_destination, defer, defer_if_permit, defer_unauth_destination according to <https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions>. I have set smtpd_relay_restrictions=reject_unauth_destination for port 25 and incoming reinject port, and smtpd_relay_restrictions=permit_mynetworks,reject for outgoing reinject port.	2026-05-19 15:54:15 +00:00
j4n	ce05b26c77	ci: auto-trigger docker build on release tag push docker-dispatch.yaml previously only fired on push to main and manual workflow_dispatch, so tagging 1.11.0 did not build the release image. This change adds matching of X.Y.Z tag.	2026-05-19 14:58:05 +02:00
missytake	77ed93fb7a	docs: add scripts/initenv.sh to upgrade instructions	2026-05-18 10:35:25 +02:00
missytake	39d1ecaa03	chore(release): prepare for 1.11.0	2026-05-15 17:13:58 +02:00