docker: add traefik support

- https://github.com/chatmail/relay/pull/614#discussion_r2297828830

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -77,7 +77,7 @@ jobs:
           cmdeploy init staging-ipv4.testrun.org
           sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini
 
-      - run: cmdeploy run --verbose --skip-dns-check
+      - run: cmdeploy run
 
       - name: set DNS entries
         run: |

.github/workflows/test-and-deploy.yaml

@@ -75,7 +75,7 @@ jobs:
 
       - run: cmdeploy init staging2.testrun.org
 
-      - run: cmdeploy run --verbose --skip-dns-check
+      - run: cmdeploy run --verbose
 
       - name: set DNS entries
         run: |

.gitignore

@@ -170,3 +170,4 @@ chatmail.zone
 /custom/
 docker-compose.yaml
 .env
+/traefik/data/

CHANGELOG.md

@@ -2,47 +2,30 @@
 
 ## untagged
 
-- Setup TURN server
-  ([#621](https://github.com/chatmail/relay/pull/621))
-
 - cmdeploy: make --ssh-host work with localhost
   ([#659](https://github.com/chatmail/relay/pull/659))
 
 - Update iroh-relay to 0.35.0
   ([#650](https://github.com/chatmail/relay/pull/650))
 
-- filtermail: accept mails from Protonmail
-  ([#616](https://github.com/chatmail/relay/pull/655))
-
 - Ignore all RCPT TO: parameters
   ([#651](https://github.com/chatmail/relay/pull/651))
 
-- Add config parameter for Let's Encrypt ACME email
-  ([#663](https://github.com/chatmail/relay/pull/663))
-
 - Use max username length in newemail.py, not min
   ([#648](https://github.com/chatmail/relay/pull/648))
 
-- Add startup for `fcgiwrap.service` because sometimes it did not start automatically.
-  ([#657](https://github.com/chatmail/relay/pull/657))
-
-- Add `cmdeploy init --force` command for recreating chatmail.ini
-  ([#656](https://github.com/chatmail/relay/pull/656))
-
 - Increase maxproc for reinjecting ports from 10 to 100
   ([#646](https://github.com/chatmail/relay/pull/646))
 
 - Allow ports 143 and 993 to be used by `dovecot` process
   ([#639](https://github.com/chatmail/relay/pull/639))
 
-- Add `--skip-dns-check` argument to `cmdeploy run` command, which disables DNS record checking before installation.
-  ([#661](https://github.com/chatmail/relay/pull/661))
-
 - Add installation via docker compose (MVP 1). The instructions, known issues and limitations are located in `/docs` 
   ([#614](https://github.com/chatmail/relay/pull/614))
 
 - Add configuration parameters
   ([#614](https://github.com/chatmail/relay/pull/614)):
+  - `use_foreign_cert_manager` - Use a third-party certificate manager instead of acmetool (default: `False`)
   - `change_kernel_settings` - Whether to change kernel parameters during installation (default: `True`)
   - `fs_inotify_max_user_instances_and_watchers` - Value for kernel parameters `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches` (default: `65535`)
 

README.md

@@ -101,10 +101,7 @@ Please substitute it with your own domain.
    (it can take some time until they are public).
 
 ### Docker installation
-
+Installation using docker compose is presented [here](./docs/DOCKER_INSTALLATION_EN.md)
-We have experimental support for [docker compose](./docs/DOCKER_INSTALLATION_EN.md),
-but it is not covered by automated tests yet,
-so don't expect everything to work.
 
 ### Other helpful commands
 

chatmaild/pyproject.toml

@@ -29,7 +29,6 @@ echobot = "chatmaild.echo:main"
 chatmail-metrics = "chatmaild.metrics:main"
 delete_inactive_users = "chatmaild.delete_inactive_users:main"
 lastlogin = "chatmaild.lastlogin:main"
-turnserver = "chatmaild.turnserver:main"
 
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"

chatmaild/src/chatmaild/config.py

@@ -44,7 +44,9 @@ class Config:
         )
         self.mtail_address = params.get("mtail_address")
         self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
-        self.acme_email = params.get("acme_email", "")
+        self.use_foreign_cert_manager = (
+            params.get("use_foreign_cert_manager", "false").lower() == "true"
+        )
         self.change_kernel_settings = (
             params.get("change_kernel_settings", "true").lower() == "true"
         )

chatmaild/src/chatmaild/filtermail.py

@@ -83,14 +83,8 @@ def check_openpgp_payload(payload: bytes):
     return False
 
 
-def check_armored_payload(payload: str, outgoing: bool):
+def check_armored_payload(payload: str):
-    """Check the armored PGP message for invalid content.
+    prefix = "-----BEGIN PGP MESSAGE-----\r\n\r\n"
-
-    :param payload: the armored PGP message
-    :param outgoing: whether the message is outgoing or incoming
-    :return: whether the message is a valid PGP message
-    """
-    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
     if not payload.startswith(prefix):
         return False
     payload = payload.removeprefix(prefix)
@@ -102,17 +96,6 @@ def check_armored_payload(payload: str, outgoing: bool):
         return False
     payload = payload.removesuffix(suffix)
 
-    # Disallow comments in outgoing messages
-    version_comment = "Version: "
-    if payload.startswith(version_comment):
-        version_line = payload.splitlines()[0]
-        payload = payload.removeprefix(version_line)
-        if outgoing:
-            return False
-
-    while payload.startswith("\r\n"):
-        payload = payload.removeprefix("\r\n")
-
     # Remove CRC24.
     payload = payload.rpartition("=")[0]
 
@@ -148,7 +131,7 @@ def is_securejoin(message):
     return True
 
 
-def check_encrypted(message, outgoing=True):
+def check_encrypted(message):
     """Check that the message is an OpenPGP-encrypted message.
 
     MIME structure of the message must correspond to <https://www.rfc-editor.org/rfc/rfc3156>.
@@ -175,7 +158,7 @@ def check_encrypted(message, outgoing=True):
             if part.get_content_type() != "application/octet-stream":
                 return False
 
-            if not check_armored_payload(part.get_payload(), outgoing=outgoing):
+            if not check_armored_payload(part.get_payload()):
                 return False
         else:
             return False
@@ -258,7 +241,7 @@ class OutgoingBeforeQueueHandler:
         logging.info(f"Processing DATA message from {envelope.mail_from}")
 
         message = BytesParser(policy=policy.default).parsebytes(envelope.content)
-        mail_encrypted = check_encrypted(message, outgoing=True)
+        mail_encrypted = check_encrypted(message)
 
         _, from_addr = parseaddr(message.get("from").strip())
 
@@ -318,7 +301,7 @@ class IncomingBeforeQueueHandler:
         logging.info(f"Processing DATA message from {envelope.mail_from}")
 
         message = BytesParser(policy=policy.default).parsebytes(envelope.content)
-        mail_encrypted = check_encrypted(message, outgoing=False)
+        mail_encrypted = check_encrypted(message)
 
         if mail_encrypted or is_securejoin(message):
             print("Incoming: Filtering encrypted mail.", file=sys.stderr)

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -45,14 +45,11 @@ passthrough_senders =
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
 passthrough_recipients = xstore@testrun.org echo@{mail_domain}
 
-# path to www directory - documented here: https://github.com/chatmail/relay/#custom-web-pages
-#www_folder = www
-
 #
 # Deployment Details
 #
 
-# SMTP outgoing filtermail and reinjection 
+# SMTP outgoing filtermail and reinjection
 filtermail_smtp_port = 10080
 postfix_reinject_port = 10025
 
@@ -63,8 +60,8 @@ postfix_reinject_port_incoming = 10026
 # if set to "True" IPv6 is disabled
 disable_ipv6 = False
 
-# Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
+# if you set "True", acmetool will not be installed and you will have to manage certificates yourself.
-acme_email = 
+use_foreign_cert_manager = False
 
 #
 # Kernel settings

chatmaild/src/chatmaild/metadata.py

@@ -7,7 +7,6 @@ from .config import read_config
 from .dictproxy import DictProxy
 from .filedict import FileDict
 from .notifier import Notifier
-from .turnserver import turn_credentials
 
 
 def _is_valid_token_timestamp(timestamp, now):
@@ -76,12 +75,11 @@ class Metadata:
 
 
 class MetadataDictProxy(DictProxy):
-    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None):
+    def __init__(self, notifier, metadata, iroh_relay=None):
         super().__init__()
         self.notifier = notifier
         self.metadata = metadata
         self.iroh_relay = iroh_relay
-        self.turn_hostname = turn_hostname
 
     def handle_lookup(self, parts):
         # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
@@ -100,11 +98,6 @@ class MetadataDictProxy(DictProxy):
             ):
                 # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
                 return f"O{self.iroh_relay}\n"
-            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
-                res = turn_credentials()
-                port = 3478
-                return f"O{self.turn_hostname}:{port}:{res}\n"
-
         logging.warning(f"lookup ignored: {parts!r}")
         return "N\n"
 
@@ -128,7 +121,6 @@ def main():
 
     config = read_config(config_path)
     iroh_relay = config.iroh_relay
-    mail_domain = config.mail_domain
 
     vmail_dir = config.mailboxes_dir
     if not vmail_dir.exists():
@@ -142,10 +134,7 @@ def main():
     notifier.start_notification_threads(metadata.remove_token_from_addr)
 
     dictproxy = MetadataDictProxy(
-        notifier=notifier,
+        notifier=notifier, metadata=metadata, iroh_relay=iroh_relay
-        metadata=metadata,
-        iroh_relay=iroh_relay,
-        turn_hostname=mail_domain,
     )
 
     dictproxy.serve_forever_from_socket(socket)

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -241,9 +241,8 @@ def test_cleartext_passthrough_senders(gencreds, handler, maildata):
 
 
 def test_check_armored_payload():
-    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
+    payload = """-----BEGIN PGP MESSAGE-----\r
-    comment = "Version: ProtonMail\r\n"
+\r
-    payload = """\r
 wU4DSqFx0d1yqAoSAQdAYkX/ZN/Az4B0k7X47zKyWrXxlDEdS3WOy0Yf2+GJTFgg\r
 Zk5ql0mLG8Ze+ZifCS0XMO4otlemSyJ0K1ZPdFMGzUDBTgNqzkFabxXoXRIBB0AM\r
 755wlX41X6Ay3KhnwBq7yEqSykVH6F3x11iHPKraLCAGZoaS8bKKNy/zg5slda1X\r
@@ -279,25 +278,16 @@ UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 \r
 """
 
-    commented_payload = prefix + comment + payload
+    assert check_armored_payload(payload) == True
-    assert check_armored_payload(commented_payload, outgoing=False) == True
-    assert check_armored_payload(commented_payload, outgoing=True) == False
-
-    payload = prefix + payload
-    assert check_armored_payload(payload, outgoing=False) == True
-    assert check_armored_payload(payload, outgoing=True) == True
 
     payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload) == True
-    assert check_armored_payload(payload, outgoing=True) == True
 
     payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload) == True
-    assert check_armored_payload(payload, outgoing=True) == True
 
     payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload) == True
-    assert check_armored_payload(payload, outgoing=True) == True
 
     payload = """-----BEGIN PGP MESSAGE-----\r
 \r
@@ -305,8 +295,7 @@ HELLOWORLD
 -----END PGP MESSAGE-----\r
 \r
 """
-    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload) == False
-    assert check_armored_payload(payload, outgoing=True) == False
 
     payload = """-----BEGIN PGP MESSAGE-----\r
 \r
@@ -314,8 +303,7 @@ HELLOWORLD
 -----END PGP MESSAGE-----\r
 \r
 """
-    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload) == False
-    assert check_armored_payload(payload, outgoing=True) == False
 
     # Test payload using partial body length
     # as generated by GopenPGP.
@@ -357,5 +345,4 @@ myLbG7cJB787QjplEyVe2P/JBO6xYvbkJLf9Q+HaviTO25rugRSrYsoKMDfO8VlQ\r
 =6iHb\r
 -----END PGP MESSAGE-----\r
 """
-    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload) == True
-    assert check_armored_payload(payload, outgoing=True) == True

chatmaild/src/chatmaild/turnserver.py

@@ -1,9 +0,0 @@
-#!/usr/bin/env python3
-import socket
-
-
-def turn_credentials() -> str:
-    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
-        client_socket.connect("/run/chatmail-turn/turn.socket")
-        with client_socket.makefile("rb") as file:
-            return file.readline().decode("utf-8")

cmdeploy/src/cmdeploy/__init__.py

@@ -128,7 +128,6 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         "echobot",
         "chatmail-metadata",
         "lastlogin",
-        "turnserver",
     ):
         execpath = fn if fn != "filtermail-incoming" else "filtermail"
         params = dict(
@@ -499,56 +498,6 @@ def check_config(config):
     return config
 
 
-def deploy_turn_server(config):
-    (url, sha256sum) = {
-        "x86_64": (
-            "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-x86_64-linux",
-            "841e527c15fdc2940b0469e206188ea8f0af48533be12ecb8098520f813d41e4",
-        ),
-        "aarch64": (
-            "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-aarch64-linux",
-            "a5fc2d06d937b56a34e098d2cd72a82d3e89967518d159bf246dc69b65e81b42",
-        ),
-    }[host.get_fact(facts.server.Arch)]
-
-    need_restart = False
-
-    existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/chatmail-turn")
-    if existing_sha256sum != sha256sum:
-        server.shell(
-            name="Download chatmail-turn",
-            commands=[
-                f"(curl -L {url} >/usr/local/bin/chatmail-turn.new && (echo '{sha256sum} /usr/local/bin/chatmail-turn.new' | sha256sum -c) && mv /usr/local/bin/chatmail-turn.new /usr/local/bin/chatmail-turn)",
-                "chmod 755 /usr/local/bin/chatmail-turn",
-            ],
-        )
-        need_restart = True
-
-    source_path = importlib.resources.files(__package__).joinpath(
-        "service", "turnserver.service.f"
-    )
-    content = source_path.read_text().format(mail_domain=config.mail_domain).encode()
-
-    systemd_unit = files.put(
-        name="Upload turnserver.service",
-        src=io.BytesIO(content),
-        dest="/etc/systemd/system/turnserver.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= systemd_unit.changed
-
-    systemd.service(
-        name="Setup turnserver service",
-        service="turnserver.service",
-        running=True,
-        enabled=True,
-        restarted=need_restart,
-        daemon_reload=systemd_unit.changed,
-    )
-
-
 def deploy_mtail(config):
     # Uninstall mtail package, we are going to install a static binary.
     apt.packages(name="Uninstall mtail", packages=["mtail"], present=False)
@@ -725,8 +674,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         packages=["rsync"],
     )
 
-    deploy_turn_server(config)
-
     # Run local DNS resolver `unbound`.
     # `resolvconf` takes care of setting up /etc/resolv.conf
     # to use 127.0.0.1 as the resolver.
@@ -779,11 +726,11 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     deploy_iroh_relay(config)
 
     # Deploy acmetool to have TLS certificates.
-    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
+    if not config.use_foreign_cert_manager:
-    deploy_acmetool(
+        tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
-        email=config.acme_email,
+        deploy_acmetool(
-        domains=tls_domains,
+            domains=tls_domains,
-    )
+        )
 
     apt.packages(
         # required for setfacl for echobot
@@ -820,7 +767,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         if build_dir:
             www_path = build_webpages(src_dir, build_dir, config)
         # if it is not a hugo page, upload it as is
-        files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"])
+        files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz"])
 
     _install_remote_venv_with_chatmaild(config)
     debug = False
@@ -868,13 +815,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         restarted=nginx_need_restart,
     )
 
-    systemd.service(
-        name="Start and enable fcgiwrap",
-        service="fcgiwrap.service",
-        running=True,
-        enabled=True,
-    )
-
     systemd.service(
         name="Restart echobot if postfix and dovecot were just started",
         service="echobot.service",

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -19,7 +19,7 @@ from packaging import version
 from termcolor import colored
 
 from . import dns, remote
-from .sshexec import SSHExec, LocalExec
+from .sshexec import SSHExec
 
 #
 # cmdeploy sub commands and options
@@ -32,30 +32,17 @@ def init_cmd_options(parser):
         action="store",
         help="fully qualified DNS domain name for your chatmail instance",
     )
-    parser.add_argument(
-        "--force",
-        dest="recreate_ini",
-        action="store_true",
-        help="force reacreate ini file",
-    )
 
 
 def init_cmd(args, out):
     """Initialize chatmail config file."""
     mail_domain = args.chatmail_domain
-    inipath = args.inipath
     if args.inipath.exists():
-        if not args.recreate_ini:
+        print(f"Path exists, not modifying: {args.inipath}")
-            print(f"[WARNING] Path exists, not modifying: {inipath}")
+        return 1
-            return 1
+    else:
-        else:
+        write_initial_config(args.inipath, mail_domain, overrides={})
-            print(
+        out.green(f"created config file for {mail_domain} in {args.inipath}")
-                f"[WARNING] Force argument was provided, deleting config file: {inipath}"
-            )
-            inipath.unlink()
-
-    write_initial_config(inipath, mail_domain, overrides={})
-    out.green(f"created config file for {mail_domain} in {inipath}")
 
 
 def run_cmd_options(parser):
@@ -72,12 +59,10 @@ def run_cmd_options(parser):
         help="install/upgrade the server, but disable postfix & dovecot for now",
     )
     parser.add_argument(
-        "--skip-dns-check",
+        "--ssh-host",
-        dest="dns_check_disabled",
+        dest="ssh_host",
-        action="store_true",
+        help="Deploy to 'localhost', via 'docker', or to a specific SSH host",
-        help="disable checks nslookup for dns",
     )
-    add_ssh_host_option(parser)
 
 
 def run_cmd(args, out):
@@ -86,10 +71,9 @@ def run_cmd(args, out):
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
     sshexec = get_sshexec(ssh_host)
     require_iroh = args.config.enable_iroh_relay
-    if not args.dns_check_disabled:
+    remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
+    if not dns.check_initial_remote_data(remote_data, print=out.red):
-        if not dns.check_initial_remote_data(remote_data, print=out.red):
+        return 1
-            return 1
 
     env = os.environ.copy()
     env["CHATMAIL_INI"] = args.inipath
@@ -99,7 +83,7 @@ def run_cmd(args, out):
     pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
 
     cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
-    if ssh_host in ["localhost", "@docker"]:
+    if ssh_host in ["localhost", "docker"]:
         cmd = f"{pyinf} @local {deploy_path} -y"
 
     if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -109,15 +93,14 @@ def run_cmd(args, out):
     try:
         retcode = out.check_call(cmd, env=env)
         if retcode == 0:
-            if not args.disable_mail:
+            print("\nYou can try out the relay by talking to this echo bot: ")
-                print("\nYou can try out the relay by talking to this echo bot: ")
+            sshexec = SSHExec(args.config.mail_domain, verbose=args.verbose)
-                sshexec = SSHExec(args.config.mail_domain, verbose=args.verbose)
+            print(
-                print(
+                sshexec(
-                    sshexec(
+                    call=remote.rshell.shell,
-                        call=remote.rshell.shell,
+                    kwargs=dict(command="cat /var/lib/echobot/invite-link.txt"),
-                        kwargs=dict(command="cat /var/lib/echobot/invite-link.txt"),
-                    )
                 )
+            )
             server_deployed_message = f"Chatmail server started: https://{args.config.mail_domain}/"
             delimiter_line = "=" * len(server_deployed_message)
             out.green(f"{delimiter_line}\n{server_deployed_message}\n{delimiter_line}")
@@ -142,7 +125,11 @@ def dns_cmd_options(parser):
         default=None,
         help="write out a zonefile",
     )
-    add_ssh_host_option(parser)
+    parser.add_argument(
+        "--ssh-host",
+        dest="ssh_host",
+        help="Run the DNS queries on 'localhost', in the chatmail 'docker' container, or on a specific SSH host",
+    )
 
 
 def dns_cmd(args, out):
@@ -302,15 +289,6 @@ class Out:
         return proc.returncode
 
 
-def add_ssh_host_option(parser):
-    parser.add_argument(
-        "--ssh-host",
-        dest="ssh_host",
-        help="Run commands on 'localhost', via '@docker', or on a specific SSH host "
-             "instead of chatmail.ini's mail_domain.",
-    )
-
-
 def add_config_option(parser):
     parser.add_argument(
         "--config",
@@ -368,9 +346,9 @@ def get_parser():
 
 def get_sshexec(ssh_host: str, verbose=True):
     if ssh_host in ["localhost", "@local"]:
-        return LocalExec(verbose, docker=False)
+        return "localhost"
-    elif ssh_host == "@docker":
+    elif ssh_host == "docker":
-        return LocalExec(verbose, docker=True)
+        return "docker"
     if verbose:
         print(f"[ssh] login to {ssh_host}")
     return SSHExec(ssh_host, verbose=verbose)

cmdeploy/src/cmdeploy/dns.py

@@ -7,9 +7,15 @@ from . import remote
 
 
 def get_initial_remote_data(sshexec, mail_domain):
-    return sshexec.logged(
+    if sshexec == "localhost":
-        call=remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
+        result = remote.rdns.perform_initial_checks(mail_domain)
-    )
+    elif sshexec == "docker":
+        result = remote.rdns.perform_initial_checks(mail_domain, pre_command="docker exec chatmail ")
+    else:
+        result = sshexec.logged(
+            call=remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
+        )
+    return result
 
 
 def check_initial_remote_data(remote_data, *, print=print):
@@ -44,9 +50,14 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
     """Check existing DNS records, optionally write them to zone file
     and return (exitcode, remote_data) tuple."""
 
-    required_diff, recommended_diff = sshexec.logged(
+    if sshexec in ["localhost", "docker"]:
-        remote.rdns.check_zonefile, kwargs=dict(zonefile=zonefile, verbose=False),
+        required_diff, recommended_diff = remote.rdns.check_zonefile(
-    )
+            zonefile=zonefile, verbose=False
+        )
+    else:
+        required_diff, recommended_diff = sshexec.logged(
+            remote.rdns.check_zonefile, kwargs=dict(zonefile=zonefile, verbose=False),
+        )
 
     returncode = 0
     if required_diff:

cmdeploy/src/cmdeploy/iroh-relay.toml

@@ -1,11 +1,5 @@
 enable_relay = true
 http_bind_addr = "[::]:3340"
-
+enable_stun = true
-# Disable built-in STUN server in iroh-relay 0.35
-# as we deploy our own TURN server instead.
-# STUN server is going to be removed in iroh-relay 1.0
-# and this line can be removed after upgrade.
-enable_stun = false
-
 enable_metrics = false
 metrics_bind_addr = "127.0.0.1:9092"

cmdeploy/src/cmdeploy/service/turnserver.service.f

@@ -1,16 +0,0 @@
-[Unit]
-Description=A wrapper for the TURN server
-After=network.target
-
-[Service]
-Type=simple
-Restart=always
-ExecStart=/usr/local/bin/chatmail-turn --realm {mail_domain} --socket /run/chatmail-turn/turn.socket
-
-# Create /run/chatmail-turn
-RuntimeDirectory=chatmail-turn
-User=vmail
-Group=vmail
-
-[Install]
-WantedBy=multi-user.target

cmdeploy/src/cmdeploy/sshexec.py

@@ -82,19 +82,3 @@ class SSHExec:
             res = self(call, kwargs, log_callback=remote.rshell.log_progress)
             print_stderr()
             return res
-
-
-class LocalExec:
-    def __init__(self, verbose=False, docker=False):
-        self.verbose = verbose
-        self.docker = docker
-
-    def logged(self, call, kwargs: dict):
-        where = "locally"
-        if self.docker:
-            if call == remote.rdns.perform_initial_checks:
-                kwargs['pre_command'] = "docker exec chatmail "
-                where = "in docker"
-        if self.verbose:
-            print(f"Running {where}: {call.__name__}(**{kwargs})")
-        return call(**kwargs)

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -2,7 +2,6 @@ import datetime
 import smtplib
 import socket
 import subprocess
-import time
 
 import pytest
 
@@ -10,37 +9,10 @@ from cmdeploy import remote
 from cmdeploy.sshexec import SSHExec
 
 
-class FuncError(Exception):
-    pass
-
-
-class DockerExec:
-    FuncError = FuncError
-
-    def __init__(self, pre_command):
-        self.pre_command = pre_command
-
-    def __call__(self, call, kwargs=None):
-        if kwargs is None:
-            kwargs = {}
-        return call(**kwargs)
-
-    def logged(self, call, kwargs):
-        title = call.__doc__
-        if not title:
-            title = call.__name__
-        print("[ssh] " + title)
-        return self(call, kwargs)
-
-
 class TestSSHExecutor:
     @pytest.fixture(scope="class")
     def sshexec(self, sshdomain):
-        try:
+        return SSHExec(sshdomain)
-            sshexec = SSHExec(sshdomain)
-        except FileNotFoundError:
-            sshexec = DockerExec("docker exec chatmail ")
-        return sshexec
 
     def test_ls(self, sshexec):
         out = sshexec(call=remote.rdns.shell, kwargs=dict(command="ls"))
@@ -54,14 +26,11 @@ class TestSSHExecutor:
         assert res["A"] or res["AAAA"]
 
     def test_logged(self, sshexec, maildomain, capsys):
-        if isinstance(sshexec, DockerExec):
-            pytest.skip("This test only works via SSH")
         sshexec.logged(
             remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
         )
         out, err = capsys.readouterr()
         assert err.startswith("Collecting")
-        # XXX could not figure out how capturing can be made to work properly
         #assert err.endswith("....\n")
         assert err.count("\n") == 1
 
@@ -71,7 +40,6 @@ class TestSSHExecutor:
         )
         out, err = capsys.readouterr()
         lines = err.split("\n")
-        # XXX could not figure out how capturing can be made to work properly
         #assert len(lines) > 4
         assert remote.rdns.perform_initial_checks.__doc__ in lines[0]
 
@@ -84,8 +52,6 @@ class TestSSHExecutor:
         except sshexec.FuncError as e:
             assert "rdns.py" in str(e)
             assert "AssertionError" in str(e)
-        except AssertionError:
-            assert isinstance(sshexec, DockerExec)
         else:
             pytest.fail("didn't raise exception")
 
@@ -103,7 +69,7 @@ def test_timezone_env(remote):
     for line in remote.iter_output("env"):
         print(line)
         if line == "tz=:/etc/localtime":
-            return
+            return True
     pytest.fail("TZ is not set")
 
 
@@ -180,16 +146,6 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 
-def try_n_times(n, f):
-    for _ in range(n - 1):
-        try:
-            return f()
-        except Exception:
-            time.sleep(1)
-
-    return f()
-
-
 def test_rewrite_subject(cmsetup, maildata):
     """Test that subject gets replaced with [...]."""
     user1, user2 = cmsetup.gen_users(2)
@@ -202,8 +158,7 @@ def test_rewrite_subject(cmsetup, maildata):
     ).as_string()
     user1.smtp.sendmail(from_addr=user1.addr, to_addrs=[user2.addr], msg=sent_msg)
 
-    # The message may need some time to get delivered by postfix.
+    messages = user2.imap.fetch_all_messages()
-    messages = try_n_times(5, user2.imap.fetch_all_messages)
     assert len(messages) == 1
     rcvd_msg = messages[0]
     assert "Subject: [...]" not in sent_msg

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -337,14 +337,10 @@ class Remote:
 
     def iter_output(self, logcmd=""):
         getjournal = "journalctl -f" if not logcmd else logcmd
-        try:
+        self.popen = subprocess.Popen(
-            self.popen = subprocess.Popen(
+            ["ssh", f"root@{self.sshdomain}", getjournal],
-                ["ssh", f"root@{self.sshdomain}", getjournal],
+            stdout=subprocess.PIPE,
-                stdout=subprocess.PIPE,
+        )
-            )
-        except FileNotFoundError:
-            # inside docker container, run locally
-            self.popen = subprocess.Popen([getjournal], stdout=subprocess.PIPE)
         while 1:
             line = self.popen.stdout.readline()
             res = line.decode().strip().lower()

cmdeploy/src/cmdeploy/tests/test_cmdeploy.py

@@ -26,15 +26,10 @@ class TestCmdline:
     def test_init_not_overwrite(self, capsys):
         assert main(["init", "chat.example.org"]) == 0
         capsys.readouterr()
-
         assert main(["init", "chat.example.org"]) == 1
         out, err = capsys.readouterr()
         assert "path exists" in out.lower()
 
-        assert main(["init", "chat.example.org", "--force"]) == 0
-        out, err = capsys.readouterr()
-        assert "deleting config file" in out.lower()
-
 
 def test_www_folder(example_config, tmp_path):
     reporoot = importlib.resources.files(__package__).joinpath("../../../../").resolve()

docker/docker-compose-traefik.yaml

@@ -0,0 +1,136 @@
+services:
+  chatmail:
+    build:
+      context: ./docker
+      dockerfile: chatmail_relay.dockerfile
+      tags:
+        - chatmail-relay:latest
+    image: chatmail-relay:latest
+    restart: unless-stopped
+    container_name: chatmail
+    depends_on:
+      - traefik-certs-dumper
+    cgroup: host # required for systemd
+    tty: true # required for logs
+    tmpfs: # required for systemd
+      - /tmp
+      - /run
+      - /run/lock
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    environment: #all possible variables you can check inside README and /chatmaild/src/chatmaild/ini/chatmail.ini.f
+      MAIL_DOMAIN: $MAIL_DOMAIN
+      # MAX_MESSAGE_SIZE: "50M"
+      # DEBUG_COMMANDS_ENABLED: "true"
+      # FORCE_REINIT_INI_FILE: "true"
+      # RECREATE_VENV: "false"
+      USE_FOREIGN_CERT_MANAGER: "true"
+      CHANGE_KERNEL_SETTINGS: "false"
+      PATH_TO_SSL: "${CERTS_ROOT_DIR_CONTAINER}/${MAIL_DOMAIN}"
+      ENABLE_CERTS_MONITORING: "true"
+      # CERTS_MONITORING_TIMEOUT: 60
+      # IS_DEVELOPMENT_INSTANCE: "true"
+    ports:
+      - "25:25"
+      - "587:587"
+      - "143:143"
+      - "465:465"
+      - "993:993"
+    volumes:
+      ## system
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw # required for systemd
+      - ./:/opt/chatmail
+      - ${CERTS_ROOT_DIR_HOST}:${CERTS_ROOT_DIR_CONTAINER}:ro
+
+      ## data
+      - ./data/chatmail:/home
+      # - ./data/chatmail-dkimkeys:/etc/dkimkeys
+      # - ./data/chatmail-echobot:/run/echobot
+      # - ./data/chatmail-acme:/var/lib/acme
+
+      ## custom resources
+      # - ./custom/www/src/index.md:/opt/chatmail/www/src/index.md
+
+      ## debug
+      # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
+      # - ./docker/files/entrypoint.sh:/entrypoint.sh
+      # - ./docker/files/update_ini.sh:/update_ini.sh
+
+    labels:
+      - traefik.enable=true
+      - traefik.http.services.chatmail-relay.loadbalancer.server.scheme=https
+      - traefik.http.services.chatmail-relay.loadbalancer.server.port=443
+      - traefik.http.services.chatmail-relay.loadbalancer.serverstransport=insecure@file
+      - traefik.http.routers.chatmail-relay.rule=Host(`${MAIL_DOMAIN}`) || Host(`mta-sts.${MAIL_DOMAIN}`) || Host(`www.${MAIL_DOMAIN}`)
+      - traefik.http.routers.chatmail-relay.service=chatmail-relay
+      - traefik.http.routers.chatmail-relay.tls=true
+      - traefik.http.routers.chatmail-relay.tls.certresolver=letsEncrypt
+
+  traefik_init:
+    image: alpine:latest
+    restart: on-failure
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    working_dir: /app
+    entrypoint: sh -c '
+      touch acme.json &&
+      chown 0:0 ./acme.json &&
+      chmod 600 ./acme.json'
+    volumes:
+      - ./traefik/data:/app
+
+  traefik:
+    image: traefik:v3.3
+    container_name: traefik
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    command:
+      - "--configFile=/config.yaml"
+      - "--certificatesresolvers.letsEncrypt.acme.email=${ACME_EMAIL}"
+    # ports:
+    #   - "80:80"
+    #   - "443:443"
+    network_mode: host
+    depends_on:
+      traefik_init:
+        condition: service_completed_successfully
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ./traefik/config.yaml:/config.yaml
+      - ./traefik/data/acme.json:/acme.json
+      - ./traefik/dynamic-configs:/dynamic/conf
+
+  traefik-certs-dumper:
+    image: ldez/traefik-certs-dumper:v2.10.0
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+    depends_on:
+      - traefik
+    entrypoint: sh -c '
+      apk add openssl &&
+      while ! [ -e /data/acme.json ]
+      || ! [ `jq ".[] | .Certificates | length" /data/acme.json | jq -s "add" ` != 0 ]; do
+      sleep 1
+      ; done
+      && traefik-certs-dumper file --version v3 --watch --domain-subdir=true
+      --source /data/acme.json --dest /data/letsencrypt/certs --post-hook "sh /post-hook.sh"'
+    environment:
+      CERTS_DIR: /data/letsencrypt/certs
+    volumes:
+      - ./traefik/data/letsencrypt:/data/letsencrypt
+      - ./traefik/data/acme.json:/data/acme.json
+      - ./traefik/post-hook.sh:/post-hook.sh

docker/example.env

@@ -1 +1,5 @@
 MAIL_DOMAIN="chat.example.com"
+ACME_EMAIL="my.email@gmail.com"
+
+CERTS_ROOT_DIR_HOST="./traefik/data/letsencrypt/certs"
+CERTS_ROOT_DIR_CONTAINER="/var/lib/acme/live"

docker/files/entrypoint.sh

@@ -3,6 +3,19 @@ set -eo pipefail
 
 unlink /etc/nginx/sites-enabled/default || true
 
+if [ "${USE_FOREIGN_CERT_MANAGER,,}" == "true" ]; then
+    if [ ! -f "$PATH_TO_SSL/fullchain" ]; then
+        echo "Error: file '$PATH_TO_SSL/fullchain' does not exist. Exiting..." > /dev/stderr
+        sleep 2
+        exit 1
+    fi
+    if [ ! -f "$PATH_TO_SSL/privkey" ]; then
+        echo "Error: file '$PATH_TO_SSL/privkey' does not exist. Exiting..." > /dev/stderr
+        sleep 2
+        exit 1
+    fi
+fi
+
 SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/setup_chatmail.service}"
 
 env_vars=$(printenv | cut -d= -f1 | xargs)

docs/DOCKER_INSTALLATION_EN.md

@@ -32,11 +32,25 @@ Please substitute it with your own domain.
    ```
 
 ## Installation
+When installing via Docker, there are several options:
 
-1. Copy the file `./docker/docker-compose-default.yaml` to `docker-compose.yaml`. This is necessary because `docker-compose.yaml` is in `.gitignore` and won’t cause conflicts when updating the git repository.
+- Use the built-in nginx and acmetool in Chatmail container to host the chat and manage certificates.
+- Use third-party tools for certificate management.
+
+For the third-party certificate manager example, traefik will be used, but you can use whatever is more convenient for you.
+
+1. Copy the file `./docker/docker-compose-default.yaml` or `./docker/docker-compose-traefik.yaml` and rename it to `docker-compose.yaml`. This is necessary because `docker-compose.yaml` is in `.gitignore` and won’t cause conflicts when updating the git repository.
 
 ```shell
 cp ./docker/docker-compose-default.yaml docker-compose.yaml
+## or
+# cp ./docker/docker-compose-traefik.yaml docker-compose.yaml
+```
+
+2. Copy `./docker/example.env` and rename it to `.env`. This file stores variables used in `docker-compose.yaml`.
+
+```shell
+cp ./docker/example.env .env
 ```
 
 3. Configure environment variables in the `.env` file. These variables are used in the `docker-compose.yaml` file to pass repeated values.
@@ -82,6 +96,11 @@ docker compose logs -f chatmail # view container logs, press CTRL+C to exit
 
 8. After installation is complete, you can open `https://<your_domain_name>` in your browser.
 
+9. To send messages to other chatmail relays,
+   you need to set additional DNS records.
+   Run `docker exec chatmail scripts/cmdeploy.sh dns --ssh-host localhost`
+   to see recommended DNS records and check whether they are correct.
+
 ## Using custom files
 
 When using Docker, you can apply modified configuration files to make the installation more personalized. This is usually needed for the `www/src` section so that the Chatmail landing page is customized to your taste, but it can be used for any other cases as well.

docs/DOCKER_INSTALLATION_RU.md

@@ -29,10 +29,22 @@ Please substitute it with your own domain.
    ```
 
 ## Installation
+При установке через docker есть несколько вариантов:
+- использовать встроенный в chatmail контейнер nginx и acmetool для хостинга чата и управления сертификатами.
+- использовать сторонние инструменты для менеджмента сертификатов
 
-1. Скопировать файл `./docker/docker-compose-default.yaml` в `docker-compose.yaml`. Это нужно потому что `docker-compose.yaml` находится в `.gitignore` и не будет создавать конфликты при обновлении гит репозитория.
+В качестве примера для стороннего менеджера сертификатов будет использоваться traefik, но вы можете использовать то что удобнее вам.
+
+1. Скопировать файл `./docker/docker-compose-default.yaml` или `./docker/docker-compose-traefik.yaml` и переименовать в `docker-compose.yaml`. Это нужно потому что `docker-compose.yaml` находится в `.gitignore` и не будет создавать конфликты при обновлении гит репозитория.
 ```shell
 cp ./docker/docker-compose-default.yaml docker-compose.yaml
+## or
+# cp ./docker/docker-compose-traefik.yaml docker-compose.yaml
+```
+
+2. Скопировать `./docker/example.env` и переименовать в `.env`. Здесь хранятся переменные, которые используятся в `docker-compose.yaml`.
+```shell
+cp ./docker/example.env .env
 ```
 
 3. Настроить переменные окружения в `.env` файле. Эти переменные используются в `docker-compose.yaml` файле, чтобы передавать повторяющиеся значения.

traefik/config.yaml

@@ -0,0 +1,33 @@
+log:
+  level: TRACE
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          permanent: true
+  websecure:
+    address: ":443"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    directory: /dynamic/conf
+    watch: true
+
+serverstransport:
+  insecureskipverify: true
+
+certificatesResolvers:
+  letsEncrypt:
+    acme:
+      storage: /acme.json
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      tlschallenge: true
+      httpChallenge:
+        entryPoint: web

traefik/dynamic-configs/insecure.yaml

@@ -0,0 +1,4 @@
+http:
+  serversTransports:
+    insecure:
+      insecureSkipVerify: true

traefik/post-hook.sh

@@ -0,0 +1,15 @@
+CERTS_DIR=${CERTS_DIR:-"/data/letsencrypt/certs"}
+
+echo "CERTS_DIR: $CERTS_DIR"
+
+for dir in "$CERTS_DIR"/*/; do
+    echo "Processing: $dir"
+    cd "$dir"
+    if [ -f "certificate.crt" ]; then
+        ln -sf certificate.crt fullchain
+    fi
+    if [ -f "privatekey.key" ]; then
+        ln -sf privatekey.key privkey
+    fi
+    cd -
+done