DNS: added www subdomain to zonefile

It is currently unused, but better have it correct
in case of enabling debugging options such as rawlogs.

README.md

@@ -157,6 +157,6 @@ While this file is present, account creation will be blocked.
 [acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (http).
 
 Delta Chat apps will, however, discover all ports and configurations
-automatically by reading the [autoconfig XML file](https://web.archive.org/web/20210624004729/https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration) from the chatmail service.
+automatically by reading the [autoconfig XML file](https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html) from the chatmail service.
 
 

chatmaild/src/chatmaild/doveauth.py

@@ -91,7 +91,7 @@ def lookup_passdb(db, config: Config, user, cleartext_password):
                VALUES (?, ?, ?)"""
         conn.execute(q, (user, encrypted_password, int(time.time())))
         return dict(
-            home=f"/home/vmail/{user}",
+            home=f"/home/vmail/mail/{config.mail_domain}/{user}",
             uid="vmail",
             gid="vmail",
             password=encrypted_password,

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -33,7 +33,7 @@ password_min_length = 9
 passthrough_senders =
 
 # list of e-mail recipients for which to accept outbound un-encrypted mails
-passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
+passthrough_recipients =
 
 #
 # Deployment Details

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,7 +1,7 @@
 
 [privacy]
 
-passthrough_recipients = privacy@testrun.org xstore@testrun.org groupsbot@hispanilandia.net
+passthrough_recipients = privacy@testrun.org
 
 privacy_postal =
     Merlinux GmbH, Represented by the managing director H. Krekel,

chatmaild/src/chatmaild/tests/test_config.py

@@ -28,5 +28,5 @@ def test_read_config_testrun(make_config):
     assert config.username_min_length == 9
     assert config.username_max_length == 9
     assert config.password_min_length == 9
-    assert "privacy@testrun.org" in config.passthrough_recipients
+    assert config.passthrough_recipients == ["privacy@testrun.org"]
     assert config.passthrough_senders == []

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -61,7 +61,10 @@ def test_handle_dovecot_request(db, example_config):
     assert res
     assert res[0] == "O" and res.endswith("\n")
     userdata = json.loads(res[1:].strip())
-    assert userdata["home"] == "/home/vmail/some42123@chat.example.org"
+    assert (
+        userdata["home"]
+        == "/home/vmail/mail/chat.example.org/some42123@chat.example.org"
+    )
     assert userdata["uid"] == userdata["gid"] == "vmail"
     assert userdata["password"].startswith("{SHA512-CRYPT}")
 

cmdeploy/src/cmdeploy/__init__.py

@@ -254,6 +254,17 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
     )
     need_restart |= master_config.changed
 
+    header_cleanup = files.put(
+        src=importlib.resources.files(__package__).joinpath(
+            "postfix/submission_header_cleanup"
+        ),
+        dest="/etc/postfix/submission_header_cleanup",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= header_cleanup.changed
+
     return need_restart
 
 
@@ -413,7 +424,10 @@ def deploy_chatmail(config_path: Path) -> None:
     )
 
     # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_domain, f"mta-sts.{mail_domain}"])
+    deploy_acmetool(
+        nginx_hook=True,
+        domains=[mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"],
+    )
 
     apt.packages(
         name="Install Postfix",

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -10,5 +10,6 @@ _imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
 _dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
 _mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
+www.{chatmail_domain}.               CNAME {chatmail_domain}.
 _smtp._tls.{chatmail_domain}.        TXT "v=TLSRPTv1;rua=mailto:{email}"
 {dkim_entry}

cmdeploy/src/cmdeploy/dns.py

@@ -4,7 +4,6 @@ import requests
 import importlib
 import subprocess
 import datetime
-from ipaddress import ip_address
 
 
 class DNS:
@@ -184,14 +183,14 @@ def check_necessary_dns(out, mail_domain):
     ipv4 = dns.get("A", mail_domain)
     ipv6 = dns.get("AAAA", mail_domain)
     mta_entry = dns.get("CNAME", "mta-sts." + mail_domain)
-    mta_ip = dns.get("A", mta_entry)
-    if not mta_ip:
-        mta_ip = dns.get("AAAA", mta_entry)
+    www_entry = dns.get("CNAME", "www." + mail_domain)
     to_print = []
     if not (ipv4 or ipv6):
         to_print.append(f"\t{mail_domain}.\t\t\tA<your server's IPv4 address>")
-    if not mta_ip or not (mta_ip == ipv4 or mta_ip == ipv6):
+    if mta_entry != mail_domain + ".":
         to_print.append(f"\tmta-sts.{mail_domain}.\tCNAME\t{mail_domain}.")
+    if www_entry != mail_domain + ".":
+        to_print.append(f"\twww.{mail_domain}.\tCNAME\t{mail_domain}.")
     if to_print:
         to_print.insert(
             0,

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -41,11 +41,19 @@ http {
 			try_files $uri $uri/ =404;
 		}
 
-                location /metrics {
-                        default_type text/plain;
-                }
+		location /metrics {
+			default_type text/plain;
+		}
 
-        # add cgi-bin support
-        include /usr/share/doc/fcgiwrap/examples/nginx.conf;
+		# add cgi-bin support
+		include /usr/share/doc/fcgiwrap/examples/nginx.conf;
+	}
+
+	# Redirect www. to non-www
+	server {
+		listen 443 ssl;
+		listen [::]:443 ssl;
+		server_name www.{{ config.domain_name }};
+		return 301 $scheme://{{ config.domain_name }}$request_uri;
 	}
 }

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -48,3 +48,5 @@ virtual_mailbox_domains = {{ config.mail_domain }}
 
 smtpd_milters = unix:opendkim/opendkim.sock
 non_smtpd_milters = $smtpd_milters
+
+header_checks = regexp:/etc/postfix/submission_header_cleanup

cmdeploy/src/cmdeploy/postfix/submission_header_cleanup

@@ -0,0 +1,4 @@
+/^Received:/            IGNORE
+/^X-Originating-IP:/    IGNORE
+/^X-Mailer:/            IGNORE
+/^User-Agent:/          IGNORE

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -1,7 +1,10 @@
 import time
 import re
 import random
+
 import pytest
+import requests
+import ipaddress
 
 
 class TestEndToEndDeltaChat:
@@ -119,3 +122,17 @@ class TestEndToEndDeltaChat:
             for msg in msgs:
                 assert "error" not in m.get_message_info()
             time.sleep(1)
+
+
+def test_hide_senders_ip_address(cmfactory):
+    public_ip = requests.get("http://icanhazip.com").content.decode().strip()
+    assert ipaddress.ip_address(public_ip)
+
+    user1, user2 = cmfactory.get_online_accounts(2)
+    chat = cmfactory.get_accepted_chat(user1, user2)
+
+    chat.send_text("testing submission header cleanup")
+    user2.wait_next_incoming_message()
+    user2.direct_imap.select_folder("Inbox")
+    msg = user2.direct_imap.get_all_messages()[0]
+    assert public_ip not in msg.obj.as_string()

www/src/info.md

@@ -3,7 +3,7 @@
 
 ## More information 
 
-`nine.testrun.org` provides a low-maintenance, resource efficient and 
+{{ config.mail_domain }} provides a low-maintenance, resource efficient and 
 interoperable e-mail service for everyone. What's behind a `chatmail` is 
 effectively a normal e-mail address just like any other but optimized 
 for the usage in chats, especially DeltaChat.