Revert "Revert "Aggressive LMTP header cleanup (#816)""

This reverts commit 6def189d16.

.github/workflows/ci.yaml

@@ -29,7 +29,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           persist-credentials: false
       - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
       - name: run chatmaild tests 
         working-directory: chatmaild
         run: pipx run tox

chatmaild/pyproject.toml

@@ -9,7 +9,7 @@ dependencies = [
   "iniconfig",
   "filelock",
   "requests",
-  "crypt-r >= 3.13.1 ; python_version >= '3.13'",
+  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/config.py

@@ -71,7 +71,7 @@ class Config:
             self.iroh_relay = iroh_relay.strip()
             self.enable_iroh_relay = False
         self.privacy_postal = params.pop("privacy_postal", None)
-        self.privacy_mail = params.pop("admin_contact", params.pop("privacy_mail", None))
+        self.privacy_mail = params.pop("privacy_mail", None)
         self.privacy_pdo = params.pop("privacy_pdo", None)
         self.privacy_supervisor = params.pop("privacy_supervisor", None)
 

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -109,8 +109,8 @@ mail_domain = {mail_domain}
 # postal address of privacy contact
 privacy_postal =
 
-# email address or invite link of admin contact
-admin_contact =
+# email address of privacy contact
+privacy_mail =
 
 # postal address of the privacy data officer
 privacy_pdo =

cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2

@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true

cmdeploy/src/cmdeploy/basedeploy.py

@@ -166,7 +166,7 @@ class Deployer:
             return self.put_template(src, dest, **kwargs)
         return self.put_file(src, dest)
 
-    def put_file(self, src, dest, mode="644", **kwargs):
+    def put_file(self, src, dest, mode="644"):
         if isinstance(src, str):
             src = get_resource(src)
         res = files.put(
@@ -176,7 +176,6 @@ class Deployer:
             user="root",
             group="root",
             mode=mode,
-            **kwargs,
         )
 
         return self._update_restart_signals(dest, res)

cmdeploy/src/cmdeploy/deployers.py

@@ -164,7 +164,6 @@ class UnboundDeployer(Deployer):
         self.put_file(
             src=BytesIO(b"nameserver 127.0.0.1\nnameserver 9.9.9.9\n"),
             dest="/etc/resolv.conf",
-            force=True,
         )
         server.shell(
             name="Generate root keys for validating DNSSEC",

cmdeploy/src/cmdeploy/filtermail/deployer.py

@@ -20,10 +20,10 @@ class FiltermailDeployer(Deployer):
             return
 
         arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.1/filtermail-{arch}"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.7.0/filtermail-{arch}"
         sha256sum = {
-            "x86_64": "fc2d8141166f8561b9711fb68c5327fc9421f814c46dc69671a4605a95b175c0",
-            "aarch64": "37e52c5ddb373ef29b5ead89658407c53f48d10ce055a2dbd9c606fa1ebd5f7f",
+            "x86_64": "451f295a85b3b12dbb0f89e18ec319f742ee46dec218f20f7923bfb017a248bd",
+            "aarch64": "6833061b2a2028264fdeb32f0a6123e1ff73de57dace125364016300b748452e",
         }[arch]
         self.download_executable(url, self.bin_path, sha256sum)
 

cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup

@@ -1,3 +1,23 @@
-/^DKIM-Signature:/            IGNORE
-/^Authentication-Results:/            IGNORE
-/^Received:/            IGNORE
+# List of headers for incoming messages 
+# that must be retained for functionality and compatibility reasons 
+/^From:/            DUNNO
+/^Message-Id:/      DUNNO
+/^Chat-/            DUNNO
+/^Content-Type:/    DUNNO
+
+# For receiving clear-text messages (still supported in May 2026)
+/^Subject:/         DUNNO
+/^Date:/            DUNNO
+/^To:/              DUNNO
+/^CC:/              DUNNO
+/^References:/      DUNNO
+/^In-Reply-To:/     DUNNO
+
+# Senders might support Autocrypt 1 but not RFC9788 (Header Protection) 
+/^Autocrypt:/       DUNNO
+
+# SecureJoin V2 protocol headers (for backward compatibility) 
+/^Secure-Join/      DUNNO
+
+# Ignore all other headers
+/.*/                IGNORE

cmdeploy/src/cmdeploy/www.py

@@ -94,12 +94,15 @@ def _build_webpages(src_dir, build_dir, config):
     for path in src_dir.iterdir():
         if path.suffix == ".md":
             render_vars, content = prepare_template(path)
-            if config.privacy_mail.startswith("https://"):
-                render_vars["admin_contact"] = f"<a href='{config.privacy_mail}'>{config.privacy_mail}</a>"
-            elif "@" in config.privacy_mail:
-                render_vars["admin_contact"] = f"<a href='mailto:{config.privacy_mail}'>{config.privacy_mail}</a>"
-            else:
-                render_vars["admin_contact"] = config.privacy_mail
+            render_vars["username_min_length"] = int_to_english(
+                config.username_min_length
+            )
+            render_vars["username_max_length"] = int_to_english(
+                config.username_max_length
+            )
+            render_vars["password_min_length"] = int_to_english(
+                config.password_min_length
+            )
             target = build_dir.joinpath(path.stem + ".html")
 
             # recursive jinja2 rendering

doc/source/overview.rst

@@ -225,6 +225,21 @@ Accepting and delivering mail
         nginx -.SMTP inet:465.-> smtpd-smtps
         mta2[Remote relay] -.SMTP inet:25.-> smtpd-smtp
         mta2 -.HTTPS /mxdeliv.-> nginx
+        style postfix fill:#363
+        style qmgr fill:#252
+        style authclean fill:#252
+        style cleanup fill:#252
+        style lmtp-filtermail fill:#252
+        style lmtp fill:#252
+        style bounce fill:#252
+        style smtpd-submission fill:#252
+        style smtpd-smtps fill:#252
+        style smtpd-reinject-outgoing fill:#252
+        style smtpd-reinject-incoming fill:#252
+        style smtpd-smtp fill:#252
+        style filtermail-outgoing fill:#225
+        style filtermail-incoming fill:#225
+        style filtermail-transport fill:#225
 
 Operational details of a chatmail relay
 ----------------------------------------

www/src/privacy.md

@@ -48,7 +48,7 @@ Responsible for the processing of your personal data is:
 {{ config.privacy_postal }}
 ```
 
-E-mail: {{ admin_contact }}
+E-mail: {{ config.privacy_mail }}
 
 We have appointed a data protection officer: