chore(update): use dovecot 2.3 built for Debian 13

2026-06-17 17:11:09 +00:00 · 2026-06-05 13:14:16 +02:00
14 changed files with 70 additions and 29 deletions
@@ -29,7 +29,7 @@ jobs:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
@@ -9,7 +9,8 @@ dependencies = [
  "iniconfig",
  "filelock",
  "requests",
-  "crypt-r >= 3.13.1 ; python_version >= '3.13'",
+  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
  "domain-validator",
 ]
 [tool.setuptools]
@@ -2,6 +2,7 @@ import ipaddress
 from pathlib import Path
 import iniconfig
 from domain_validator import DomainValidator
 from chatmaild.user import User
@@ -24,6 +25,7 @@ class Config:
            self.mail_domain = f"[{raw_domain}]"
            self.postfix_myhostname = ipaddress.IPv4Address(raw_domain).reverse_pointer
        else:
            DomainValidator().validate_domain_re(raw_domain)
            self.ipv4_relay = None
            self.mail_domain = raw_domain
            self.postfix_myhostname = raw_domain
@@ -71,7 +73,7 @@ class Config:
            self.iroh_relay = iroh_relay.strip()
            self.enable_iroh_relay = False
        self.privacy_postal = params.pop("privacy_postal", None)
-        self.privacy_mail = params.pop("admin_contact", params.pop("privacy_mail", None))
+        self.privacy_mail = params.pop("privacy_mail", None)
        self.privacy_pdo = params.pop("privacy_pdo", None)
        self.privacy_supervisor = params.pop("privacy_supervisor", None)
@@ -109,8 +109,8 @@ mail_domain = {mail_domain}
 # postal address of privacy contact
 privacy_postal =
-# email address or invite link of admin contact
+# email address of privacy contact
-admin_contact =
+privacy_mail =
 # postal address of the privacy data officer
 privacy_pdo =
@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true
@@ -166,7 +166,7 @@ class Deployer:
            return self.put_template(src, dest, **kwargs)
        return self.put_file(src, dest)
-    def put_file(self, src, dest, mode="644", **kwargs):
+    def put_file(self, src, dest, mode="644"):
        if isinstance(src, str):
            src = get_resource(src)
        res = files.put(
@@ -176,7 +176,6 @@ class Deployer:
            user="root",
            group="root",
            mode=mode,
            **kwargs,
        )
        return self._update_restart_signals(dest, res)
@@ -164,7 +164,6 @@ class UnboundDeployer(Deployer):
        self.put_file(
            src=BytesIO(b"nameserver 127.0.0.1\nnameserver 9.9.9.9\n"),
            dest="/etc/resolv.conf",
            force=True,
        )
        server.shell(
            name="Generate root keys for validating DNSSEC",
@@ -19,12 +19,12 @@ DOVECOT_ARCHIVE_VERSION = "2.3.21+dfsg1-3"
 DOVECOT_PACKAGE_VERSION = f"1:{DOVECOT_ARCHIVE_VERSION}"
 DOVECOT_SHA256 = {
-    ("core", "amd64"): "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d",
+    ("core", "amd64"): "b24dcb26eee8fe2f769290fe4cdb665df3a017811eae972840c54dbc74936aad",
-    ("core", "arm64"): "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9",
+    ("core", "arm64"): "42afe5e00e136c8f8513a2c321a29566811a0c8805aeca4302252604f00e3433",
-    ("imapd", "amd64"): "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86",
+    ("imapd", "amd64"): "d13c486e7e19c68f316bae4836d9e94db54892a6eb56260d0d2914aa4babe1b6",
-    ("imapd", "arm64"): "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f",
+    ("imapd", "arm64"): "537840c4a3d7cdd529ce611481dd38c7ee41246fb8a678d9abeb4fd843f0f88d",
-    ("lmtpd", "amd64"): "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab",
+    ("lmtpd", "amd64"): "2dd43f8860ee2152b0dffe5e29104add8d6134d9bccf10a21ab1b369b8aa0490",
-    ("lmtpd", "arm64"): "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f",
+    ("lmtpd", "arm64"): "ed26f31fe52eb8cb2104aa877c919443670a0ae42aa832eccc3f70bc497291ba",
 }
@@ -119,7 +119,7 @@ def _download_dovecot_package(package: str, arch: str) -> tuple[str | None, bool
    url_version = DOVECOT_ARCHIVE_VERSION.replace("+", "%2B")
    deb_base = f"{pkg_name}_{url_version}_{arch}.deb"
-    primary_url = f"https://download.delta.chat/dovecot/{deb_base}"
+    primary_url = f"https://download.delta.chat/dovecot/staging-matrix-trixie-trixie/{deb_base}"
    fallback_url = f"https://github.com/chatmail/dovecot/releases/download/upstream%2F{url_version}/{deb_base}"
    url = _pick_url(primary_url, fallback_url)
    deb_filename = f"/root/{deb_base}"
@@ -20,10 +20,10 @@ class FiltermailDeployer(Deployer):
            return
        arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-{arch}"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-{arch}"
        sha256sum = {
-            "x86_64": "fc2d8141166f8561b9711fb68c5327fc9421f814c46dc69671a4605a95b175c0",
+            "x86_64": "451f295a85b3b12dbb0f89e18ec319f742ee46dec218f20f7923bfb017a248bd",
-            "aarch64": "37e52c5ddb373ef29b5ead89658407c53f48d10ce055a2dbd9c606fa1ebd5f7f",
+            "aarch64": "6833061b2a2028264fdeb32f0a6123e1ff73de57dace125364016300b748452e",
        }[arch]
        self.download_executable(url, self.bin_path, sha256sum)
@@ -1,3 +1,23 @@
-/^DKIM-Signature:/            IGNORE
+# List of headers for incoming messages 
-/^Authentication-Results:/            IGNORE
+# that must be retained for functionality and compatibility reasons 
-/^Received:/            IGNORE
+/^From:/            DUNNO
 /^Message-Id:/      DUNNO
 /^Chat-/            DUNNO
 /^Content-Type:/    DUNNO
 # For receiving clear-text messages (still supported in May 2026)
 /^Subject:/         DUNNO
 /^Date:/            DUNNO
 /^To:/              DUNNO
 /^CC:/              DUNNO
 /^References:/      DUNNO
 /^In-Reply-To:/     DUNNO
 # Senders might support Autocrypt 1 but not RFC9788 (Header Protection) 
 /^Autocrypt:/       DUNNO
 # SecureJoin V2 protocol headers (for backward compatibility) 
 /^Secure-Join/      DUNNO
 # Ignore all other headers
 /.*/                IGNORE
@@ -10,11 +10,13 @@ from pathlib import Path
 import pytest
 from chatmaild.config import is_valid_ipv4, read_config
 from domain_validator import DomainValidator
 def format_mail_domain(raw_domain: str) -> str:
    if is_valid_ipv4(raw_domain):
        return f"[{raw_domain}]"
    DomainValidator().validate_domain_re(raw_domain)
    return raw_domain
@@ -94,12 +94,15 @@ def _build_webpages(src_dir, build_dir, config):
    for path in src_dir.iterdir():
        if path.suffix == ".md":
            render_vars, content = prepare_template(path)
-            if config.privacy_mail.startswith("https://"):
+            render_vars["username_min_length"] = int_to_english(
-                render_vars["admin_contact"] = f"<a href='{config.privacy_mail}'>{config.privacy_mail}</a>"
+                config.username_min_length
-            elif "@" in config.privacy_mail:
+            )
-                render_vars["admin_contact"] = f"<a href='mailto:{config.privacy_mail}'>{config.privacy_mail}</a>"
+            render_vars["username_max_length"] = int_to_english(
-            else:
+                config.username_max_length
-                render_vars["admin_contact"] = config.privacy_mail
+            )
            render_vars["password_min_length"] = int_to_english(
                config.password_min_length
            )
            target = build_dir.joinpath(path.stem + ".html")
            # recursive jinja2 rendering
@@ -225,6 +225,21 @@ Accepting and delivering mail
        nginx -.SMTP inet:465.-> smtpd-smtps
        mta2[Remote relay] -.SMTP inet:25.-> smtpd-smtp
        mta2 -.HTTPS /mxdeliv.-> nginx
        style postfix fill:#363
        style qmgr fill:#252
        style authclean fill:#252
        style cleanup fill:#252
        style lmtp-filtermail fill:#252
        style lmtp fill:#252
        style bounce fill:#252
        style smtpd-submission fill:#252
        style smtpd-smtps fill:#252
        style smtpd-reinject-outgoing fill:#252
        style smtpd-reinject-incoming fill:#252
        style smtpd-smtp fill:#252
        style filtermail-outgoing fill:#225
        style filtermail-incoming fill:#225
        style filtermail-transport fill:#225
 Operational details of a chatmail relay
 ----------------------------------------
@@ -48,7 +48,7 @@ Responsible for the processing of your personal data is:
 {{ config.privacy_postal }}
 ```
-E-mail: {{ admin_contact }}
+E-mail: {{ config.privacy_mail }}
 We have appointed a data protection officer:
`@@ -1,2 +1,2 @@`
	`"acme-enter-email": "{{ email }}"`	`"acme-enter-email": "{{ email }}"`
	`"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf": true`	`"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true`