Revert "Revert "Aggressive LMTP header cleanup (#816)""

This reverts commit 6def189d16.

.github/workflows/ci.yaml

@@ -29,7 +29,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
       - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
       - name: run chatmaild tests 
         working-directory: chatmaild
         run: pipx run tox

README.md

@@ -8,7 +8,7 @@ Chatmail relay servers are interoperable Mail Transport Agents (MTAs) designed f
 -  **Instant/Realtime:** sub-second message delivery, realtime P2P
    streaming, privacy-preserving Push Notifications for Apple, Google, and Huawei;
 
--  **Security Enforcement**: only connections with strict TLS are accepted; all messages must be corrently signed with DKIM and OpenPGP-encrypted with minimized metadata
+-  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
 
 -  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
    depends on established IETF standards and protocols.

chatmaild/pyproject.toml

@@ -9,7 +9,7 @@ dependencies = [
   "iniconfig",
   "filelock",
   "requests",
-  "crypt-r >= 3.13.1 ; python_version >= '3.13'",
+  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
 ]
 
 [tool.setuptools]

cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2

@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true

cmdeploy/src/cmdeploy/basedeploy.py

@@ -166,7 +166,7 @@ class Deployer:
             return self.put_template(src, dest, **kwargs)
         return self.put_file(src, dest)
 
-    def put_file(self, src, dest, mode="644", **kwargs):
+    def put_file(self, src, dest, mode="644"):
         if isinstance(src, str):
             src = get_resource(src)
         res = files.put(
@@ -176,7 +176,6 @@ class Deployer:
             user="root",
             group="root",
             mode=mode,
-            **kwargs,
         )
 
         return self._update_restart_signals(dest, res)

cmdeploy/src/cmdeploy/deployers.py

@@ -164,7 +164,6 @@ class UnboundDeployer(Deployer):
         self.put_file(
             src=BytesIO(b"nameserver 127.0.0.1\nnameserver 9.9.9.9\n"),
             dest="/etc/resolv.conf",
-            force=True,
         )
         server.shell(
             name="Generate root keys for validating DNSSEC",

cmdeploy/src/cmdeploy/filtermail/deployer.py

@@ -20,10 +20,10 @@ class FiltermailDeployer(Deployer):
             return
 
         arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-{arch}"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-{arch}"
         sha256sum = {
-            "x86_64": "fc2d8141166f8561b9711fb68c5327fc9421f814c46dc69671a4605a95b175c0",
+            "x86_64": "451f295a85b3b12dbb0f89e18ec319f742ee46dec218f20f7923bfb017a248bd",
-            "aarch64": "37e52c5ddb373ef29b5ead89658407c53f48d10ce055a2dbd9c606fa1ebd5f7f",
+            "aarch64": "6833061b2a2028264fdeb32f0a6123e1ff73de57dace125364016300b748452e",
         }[arch]
         self.download_executable(url, self.bin_path, sha256sum)
 

cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup

@@ -1,3 +1,23 @@
-/^DKIM-Signature:/            IGNORE
+# List of headers for incoming messages 
-/^Authentication-Results:/            IGNORE
+# that must be retained for functionality and compatibility reasons 
-/^Received:/            IGNORE
+/^From:/            DUNNO
+/^Message-Id:/      DUNNO
+/^Chat-/            DUNNO
+/^Content-Type:/    DUNNO
+
+# For receiving clear-text messages (still supported in May 2026)
+/^Subject:/         DUNNO
+/^Date:/            DUNNO
+/^To:/              DUNNO
+/^CC:/              DUNNO
+/^References:/      DUNNO
+/^In-Reply-To:/     DUNNO
+
+# Senders might support Autocrypt 1 but not RFC9788 (Header Protection) 
+/^Autocrypt:/       DUNNO
+
+# SecureJoin V2 protocol headers (for backward compatibility) 
+/^Secure-Join/      DUNNO
+
+# Ignore all other headers
+/.*/                IGNORE

doc/source/overview.rst

@@ -225,6 +225,21 @@ Accepting and delivering mail
         nginx -.SMTP inet:465.-> smtpd-smtps
         mta2[Remote relay] -.SMTP inet:25.-> smtpd-smtp
         mta2 -.HTTPS /mxdeliv.-> nginx
+        style postfix fill:#363
+        style qmgr fill:#252
+        style authclean fill:#252
+        style cleanup fill:#252
+        style lmtp-filtermail fill:#252
+        style lmtp fill:#252
+        style bounce fill:#252
+        style smtpd-submission fill:#252
+        style smtpd-smtps fill:#252
+        style smtpd-reinject-outgoing fill:#252
+        style smtpd-reinject-incoming fill:#252
+        style smtpd-smtp fill:#252
+        style filtermail-outgoing fill:#225
+        style filtermail-incoming fill:#225
+        style filtermail-transport fill:#225
 
 Operational details of a chatmail relay
 ----------------------------------------