feat: randomize SMTP + IMAP ports

This reverts commit 921080125f.

chatmaild/pyproject.toml

@@ -10,7 +10,6 @@ dependencies = [
   "filelock",
   "requests",
   "crypt-r >= 3.13.1 ; python_version >= '3.11'",
-  "domain-validator",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/config.py

@@ -1,8 +1,8 @@
 import ipaddress
 from pathlib import Path
+from random import randint
 
 import iniconfig
-from domain_validator import DomainValidator
 
 from chatmaild.user import User
 
@@ -25,7 +25,6 @@ class Config:
             self.mail_domain = f"[{raw_domain}]"
             self.postfix_myhostname = ipaddress.IPv4Address(raw_domain).reverse_pointer
         else:
-            DomainValidator().validate_domain_re(raw_domain)
             self.ipv4_relay = None
             self.mail_domain = raw_domain
             self.postfix_myhostname = raw_domain
@@ -43,6 +42,11 @@ class Config:
         self.username_max_length = int(params.pop("username_max_length", 9))
         self.password_min_length = int(params.pop("password_min_length", 9))
         self.www_folder = params.pop("www_folder", "")
+
+        self.imap_port = int(params.pop("imap_port", 143))
+        self.imaps_port = int(params.pop("imaps_port", 993))
+        self.smtp_port = int(params.pop("smtp_port", 587))
+        self.smtps_port = int(params.pop("smtps_port", 465))
         self.filtermail_smtp_port = int(params.pop("filtermail_smtp_port", "10080"))
         self.filtermail_smtp_port_incoming = int(
             params.pop("filtermail_smtp_port_incoming", "10081")
@@ -140,8 +144,15 @@ def parse_size_mb(limit):
 
 def write_initial_config(inipath, mail_domain, overrides):
     """Write out default config file, using the specified config value overrides."""
-    content = get_default_config_content(mail_domain, **overrides)
-    inipath.write_text(content)
+    content = get_default_config_content(mail_domain, **overrides).splitlines()
+    used_ports = [25, 53, 80, 143, 402, 443, 465, 587, 993, 3340, 3903, 3904, 8443, 10080, 10081, 10082, 10083, 10025, 10026]
+    for config_key in ["smtp_port", "imap_port", "smtps_port", "imaps_port"]:
+        value = randint(1, 65536)
+        while value in used_ports:
+            value = randint(65535)
+        used_ports.append(value)
+        content.append(f"{config_key} = {value}")
+    inipath.write_text("\n".join(content))
 
 
 def get_default_config_content(mail_domain, **overrides):

cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2

@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.7-June-04-2026.pdf": true

cmdeploy/src/cmdeploy/deployers.py

@@ -495,15 +495,15 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         if config.tls_cert_mode == "acme":
             port_services.append(("acmetool", 402))
         port_services += [
-            (["imap-login", "dovecot"], 143),
+            (["imap-login", "dovecot"], config.imap_port),
             # acmetool previously listened on port 80,
             # so don't complain during upgrade that moved it to port 402
             # and gave the port to nginx.
             (["acmetool", "nginx"], 80),
             ("nginx", 443),
-            (["master", "smtpd"], 465),
-            (["master", "smtpd"], 587),
-            (["imap-login", "dovecot"], 993),
+            (["master", "smtpd"], config.smtp_port),
+            (["master", "smtpd"], config.smtps_port),
+            (["imap-login", "dovecot"], config.imaps_port),
             ("iroh-relay", 3340),
             ("mtail", 3903),
             ("stats", 3904),

cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2

@@ -7,14 +7,14 @@
     <displayShortName>{{ config.mail_domain }}</displayShortName>
     <incomingServer type="imap">
       <hostname>{{ config.mail_domain }}</hostname>
-      <port>993</port>
+      <port>{{ config.imaps_port }}</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </incomingServer>
     <incomingServer type="imap">
       <hostname>{{ config.mail_domain }}</hostname>
-      <port>143</port>
+      <port>{{ config.imap_port }}</port>
       <socketType>STARTTLS</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
@@ -28,14 +28,14 @@
     </incomingServer>
     <outgoingServer type="smtp">
       <hostname>{{ config.mail_domain }}</hostname>
-      <port>465</port>
+      <port>{{ config.smtps_port }}</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </outgoingServer>
     <outgoingServer type="smtp">
       <hostname>{{ config.mail_domain }}</hostname>
-      <port>587</port>
+      <port>{{ config.smtp_port }}</port>
       <socketType>STARTTLS</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -31,6 +31,26 @@ stream {
             ~\bimap\b 127.0.0.1:993;
         }
 
+        server {
+                listen {{ config.smtp_port }};
+                proxy_pass 127.0.0.1:587;
+        }
+
+        server {
+                listen {{ config.imap_port }};
+                proxy_pass 127.0.0.1:143;
+        }
+
+        server {
+                listen {{ config.smtps_port }};
+                proxy_pass 127.0.0.1:465;
+        }
+
+        server {
+                listen {{ config.imaps_port }};
+                proxy_pass 127.0.0.1:993;
+        }
+
         server {
                 listen 443;
                 {% if not disable_ipv6 %}

cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup

@@ -1,23 +1,3 @@
-# List of headers for incoming messages 
-# that must be retained for functionality and compatibility reasons 
-/^From:/            DUNNO
-/^Message-Id:/      DUNNO
-/^Chat-/            DUNNO
-/^Content-Type:/    DUNNO
-
-# For receiving clear-text messages (still supported in May 2026)
-/^Subject:/         DUNNO
-/^Date:/            DUNNO
-/^To:/              DUNNO
-/^CC:/              DUNNO
-/^References:/      DUNNO
-/^In-Reply-To:/     DUNNO
-
-# Senders might support Autocrypt 1 but not RFC9788 (Header Protection) 
-/^Autocrypt:/       DUNNO
-
-# SecureJoin V2 protocol headers (for backward compatibility) 
-/^Secure-Join/      DUNNO
-
-# Ignore all other headers
-/.*/                IGNORE
+/^DKIM-Signature:/            IGNORE
+/^Authentication-Results:/            IGNORE
+/^Received:/            IGNORE

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -10,13 +10,11 @@ from pathlib import Path
 
 import pytest
 from chatmaild.config import is_valid_ipv4, read_config
-from domain_validator import DomainValidator
 
 
 def format_mail_domain(raw_domain: str) -> str:
     if is_valid_ipv4(raw_domain):
         return f"[{raw_domain}]"
-    DomainValidator().validate_domain_re(raw_domain)
     return raw_domain