config: comment out values in chatmail.ini.f, so defaults take precedence

config: default delete_inactive_users_after is 90, actually
config: load default values from Config(), not chatmail.ini.f
2026-05-11 16:34:39 +00:00 · 2026-02-24 14:44:46 +01:00 · 2026-02-24 14:43:58 +01:00 · 2026-02-19 21:41:17 +01:00 · 2026-02-19 21:34:39 +01:00 · 2026-02-19 19:41:14 +00:00
79 changed files with 2066 additions and 2033 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,7 +14,8 @@ jobs:
        # Otherwise `test_deployed_state` will be unhappy.
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-
+      - name: download filtermail
        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -11,6 +11,9 @@ jobs:
  scripts:
    name: build 
    runs-on: ubuntu-latest
    environment:
      name: 'staging.chatmail.at/doc/relay/'
      url: https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}
    steps:
      - uses: actions/checkout@v4
@@ -44,36 +47,6 @@ jobs:
          chmod 600 "$HOME/.ssh/key"
          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
      - name: "Post links to details"
        id: details
        if: steps.prepare.outputs.uploadtoserver
        run: |
          # URLs for API connection and uploads
          export GITHUB_API_URL="https://api.github.com/repos/chatmail/relay/statuses/${{ github.event.after }}"
          export PREVIEW_LINK="https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
          export STATUS_DATA="{\"state\": \"success\", \
                               \"description\": \"Preview the changed documentation here:\", \
                               \"context\": \"Documentation Preview\", \
                               \"target_url\": \"${PREVIEW_LINK}\"}"
          curl -X POST --header "Accept: application/vnd.github+json" --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" --url "$GITHUB_API_URL" --header "content-type: application/json" --data "$STATUS_DATA"
          #check if comment already exists, if not post it
          export GITHUB_API_URL="https://api.github.com/repos/chatmail/relay/issues/${{ steps.prepare.outputs.prid }}/comments"
          export RESPONSE=$(curl -L --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" --url "$GITHUB_API_URL" --header "content-type: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28")
          echo $RESPONSE > response
          grep -v '"Check out the page preview at https://staging.chatmail.at/doc/relay' response && echo "comment=true" >> $GITHUB_OUTPUT || true
      - name: "Post link to comments"
        if: steps.details.outputs.comment
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: "Check out the page preview at https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
            })
      - name: check links 
        working-directory: doc
        run: sphinx-build --builder linkcheck source build
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -14,6 +14,9 @@ jobs:
  scripts:
    name: build 
    runs-on: ubuntu-latest
    environment: 
      name: 'chatmail.at/doc/relay/'
      url: https://chatmail.at/doc/relay/
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -16,13 +16,11 @@ jobs:
    name: deploy on staging-ipv4.testrun.org, and run tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    concurrency:
+    environment:
-      group: ci-ipv4-${{ github.workflow }}-${{ github.ref }}
+      name: staging-ipv4.testrun.org
-      cancel-in-progress: ${{ !contains(github.ref, '$GITHUB_REF') }}
+      url: https://staging-ipv4.testrun.org/
    concurrency: staging-ipv4.testrun.org
    steps:
      - uses: jsok/serialize-workflow-action@515cd04c46d7ea7435c4a22a3b4419127afdefe9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4
      - name: prepare SSH
@@ -73,25 +71,35 @@ jobs:
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 
-      - run: |
+      - name: setup dependencies
-          cmdeploy init staging-ipv4.testrun.org
+        run: |
-          sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini
+          ssh root@staging-ipv4.testrun.org apt update
          ssh root@staging-ipv4.testrun.org apt install -y git python3.11-venv python3-dev gcc
          ssh root@staging-ipv4.testrun.org git clone https://github.com/chatmail/relay
          ssh root@staging-ipv4.testrun.org "cd relay && git checkout " ${{ github.head_ref }}
          ssh root@staging-ipv4.testrun.org "cd relay && scripts/initenv.sh"
-      - run: cmdeploy run --verbose --skip-dns-check
+      - name: initialize config
        run: |
          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy init staging-ipv4.testrun.org"
          ssh root@staging-ipv4.testrun.org "sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' relay/chatmail.ini"
          ssh root@staging-ipv4.testrun.org "sed -i 's/#\s*mtail_address/mtail_address/' relay/chatmail.ini"
      - run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy run --verbose --skip-dns-check --ssh-host localhost"
      - name: set DNS entries
        run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          ssh root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
-          cmdeploy dns --zonefile staging-generated.zone
+          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns --zonefile staging-generated.zone --ssh-host localhost"
-          cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
+          ssh root@staging-ipv4.testrun.org cat relay/staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
          cat .github/workflows/staging-ipv4.testrun.org-default.zone
          scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
          ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
          ssh root@ns.testrun.org systemctl reload nsd
      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow
+        run: ssh root@staging-ipv4.testrun.org "cd relay && CHATMAIL_DOMAIN2=ci-chatmail.testrun.org scripts/cmdeploy test --slow --ssh-host localhost"
      - name: cmdeploy dns
-        run: cmdeploy dns -v
+        run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v --ssh-host localhost"
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -16,13 +16,11 @@ jobs:
    name: deploy on staging2.testrun.org, and run tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    concurrency:
+    environment:
-      group: ci-${{ github.workflow }}-${{ github.ref }}
+      name: staging2.testrun.org
-      cancel-in-progress: ${{ !contains(github.ref, '$GITHUB_REF') }}
+      url: https://staging2.testrun.org/
    concurrency: staging2.testrun.org
    steps:
      - uses: jsok/serialize-workflow-action@515cd04c46d7ea7435c4a22a3b4419127afdefe9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4
      - name: prepare SSH
@@ -70,10 +68,15 @@ jobs:
          rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true
          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true
      - name: add hpk42 key to staging server
        run: ssh root@staging2.testrun.org 'curl -s https://github.com/hpk42.keys >> .ssh/authorized_keys'
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 
-      - run: cmdeploy init staging2.testrun.org
+      - run: |
          cmdeploy init staging2.testrun.org
          sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
      - run: cmdeploy run --verbose --skip-dns-check
@@ -88,7 +91,7 @@ jobs:
          ssh root@ns.testrun.org systemctl reload nsd
      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow
+        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow
      - name: cmdeploy dns
        run: cmdeploy dns -v
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,47 @@
 # Changelog for chatmail deployment 
-## untagged
+## 1.9.0 2025-12-18
 ### Documentation
 - Add RELEASE.md and CONTRIBUTING.md
 - README update, mention Chatmail Cookbook project
 ### Bug Fixes
 - Expire messages also from IMAP subfolders
 - Use absolute path instead of relative path in message expiration script
 - Restart Postfix and Dovecot automatically on failure
 - acmetool: Use a fixed name and `reconcile` instead of `want`
 ### Features
 - Report DKIM error code in SMTP response
 - Remove development notice from the web pages
 ### Miscellaneous Tasks
 - Update the heading in the CHANGELOG.md
 - Setup git-cliff
 - Run tests against ci-chatmail.testrun.org instead of nine.testrun.org
 - Cleanup remaining echobot code, remove echobot user from deployment and passthrough recipients
 ## 1.8.0 2025-12-12
 - Add imap_compress option to chatmail.ini
  ([#760](https://github.com/chatmail/relay/pull/760))
 - Remove echobot from relays 
  ([#753](https://github.com/chatmail/relay/pull/753))
 - Fix `cmdeploy webdev`
  ([#743](https://github.com/chatmail/relay/pull/743))
 - Add robots.txt to exclude all web crawlers
  ([#732](https://github.com/chatmail/relay/pull/732))
 - acmetool: accept new Let's Encrypt ToS: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf
  ([#729](https://github.com/chatmail/relay/pull/729))
 - Organized cmdeploy into install, configure, and activate stages
  ([#695](https://github.com/chatmail/relay/pull/695))
@@ -21,10 +62,10 @@
  ([#689](https://github.com/chatmail/relay/pull/689))
 - Require TLS 1.2 for outgoing SMTP connections
-  ([#685](https://github.com/chatmail/relay/pull/685))
+  ([#685](https://github.com/chatmail/relay/pull/685), [#730](https://github.com/chatmail/relay/pull/730))
 - require STARTTLS for incoming port 25 connections
-  ([#684](https://github.com/chatmail/relay/pull/684))
+  ([#684](https://github.com/chatmail/relay/pull/684), [#730](https://github.com/chatmail/relay/pull/730))
 - filtermail: run CPU-intensive handle_DATA in a thread pool executor
  ([#676](https://github.com/chatmail/relay/pull/676))
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,7 @@
 # Contributing to the chatmail relay
 Commit messages follow the [Conventional Commits] notation.
 We use [git-cliff] to generate the changelog from commit messages before the release.
 [Conventional Commits]: https://www.conventionalcommits.org/
 [git-cliff]: https://git-cliff.org/
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -0,0 +1,15 @@
 # Releasing a new version of chatmail relay
 For example, to release version 1.9.0 of chatmail relay, do the following steps.
 1. Update the changelog: `git cliff --unreleased --tag 1.9.0 --prepend CHANGELOG.md` or `git cliff -u -t 1.9.0 -p CHANGELOG.md`.
 2. Open the changelog in the editor, edit it if required.
 3. Commit the changes to the changelog with a commit message `chore(release): prepare for 1.9.0`.
 3. Tag the release: `git tag --annotate 1.9.0`.
 4. Push the release tag: `git push origin 1.9.0`.
 5. Create a GitHub release: `gh release create 1.9.0`.
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "chatmaild"
-version = "0.2"
+version = "0.3"
 dependencies = [
  "aiosmtpd",
  "iniconfig",
@@ -24,8 +24,6 @@ where = ['src']
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 chatmail-metadata = "chatmaild.metadata:main"
 filtermail = "chatmaild.filtermail:main"
 echobot = "chatmaild.echo:main"
 chatmail-metrics = "chatmaild.metrics:main"
 chatmail-expire = "chatmaild.expire:main"
 chatmail-fsreport = "chatmaild.fsreport:main"
@@ -73,5 +71,6 @@ commands =
 deps = pytest 
       pdbpp 
       pytest-localserver
       execnet
 commands = pytest -v -rsXx {posargs}
 """
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,51 +1,51 @@
 import os
 from pathlib import Path
 import iniconfig
 from chatmaild.user import User
 echobot_password_path = Path("/run/echobot/password")
 def read_config(inipath):
    assert Path(inipath).exists(), inipath
    cfg = iniconfig.IniConfig(inipath)
-    params = cfg.sections["params"]
+    return Config(inipath, params=cfg.sections["params"])
    default_config_content = get_default_config_content(params["mail_domain"])
    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
    new_params = dict(df_params.items())
    new_params.update(params)
    return Config(inipath, params=new_params)
 class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
        self.mail_domain = params["mail_domain"]
-        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
+        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
-        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_message_size = int(params.get("max_message_size", "31457280"))
+        self.max_mailbox_size = params.get("max_mailbox_size", "500M")
-        self.delete_mails_after = params["delete_mails_after"]
+        self.max_message_size = int(params.get("max_message_size", 31457280))
-        self.delete_large_after = params["delete_large_after"]
+        self.delete_mails_after = params.get("delete_mails_after", "20")
-        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
+        self.delete_large_after = params.get("delete_large_after", "7")
-        self.username_min_length = int(params["username_min_length"])
+        self.delete_inactive_users_after = int(
-        self.username_max_length = int(params["username_max_length"])
+            params.get("delete_inactive_users_after", 90)
        self.password_min_length = int(params["password_min_length"])
        self.passthrough_senders = params["passthrough_senders"].split()
        self.passthrough_recipients = params["passthrough_recipients"].split()
        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
        self.filtermail_smtp_port_incoming = int(
            params["filtermail_smtp_port_incoming"]
        )
-        self.postfix_reinject_port = int(params["postfix_reinject_port"])
+        self.username_min_length = int(params.get("username_min_length", 9))
        self.username_max_length = int(params.get("username_max_length", 9))
        self.password_min_length = int(params.get("password_min_length", 9))
        self.passthrough_senders = params.get("passthrough_senders", "").split()
        self.passthrough_recipients = params.get("passthrough_recipients", "").split()
        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
        self.filtermail_smtp_port_incoming = int(
            params.get("filtermail_smtp_port_incoming", "10081")
        )
        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
        self.postfix_reinject_port_incoming = int(
-            params["postfix_reinject_port_incoming"]
+            params.get("postfix_reinject_port_incoming", "10026")
        )
        self.mtail_address = params.get("mtail_address")
        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
        self.addr_v4 = os.environ.get("CHATMAIL_ADDR_V4", "")
        self.addr_v6 = os.environ.get("CHATMAIL_ADDR_V6", "")
        self.acme_email = params.get("acme_email", "")
        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
        if "iroh_relay" not in params:
            self.iroh_relay = "https://" + params["mail_domain"]
            self.enable_iroh_relay = True
@@ -57,6 +57,18 @@ class Config:
        self.privacy_pdo = params.get("privacy_pdo")
        self.privacy_supervisor = params.get("privacy_supervisor")
        # TLS certificate management: derived from the domain name.
        # Domains starting with "_" use self-signed certificates
        # All other domains use ACME.
        if self.mail_domain.startswith("_"):
            self.tls_cert_mode = "self"
            self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
            self.tls_key_path = "/etc/ssl/private/mailserver.key"
        else:
            self.tls_cert_mode = "acme"
            self.tls_cert_path = f"/var/lib/acme/live/{self.mail_domain}/fullchain"
            self.tls_key_path = f"/var/lib/acme/live/{self.mail_domain}/privkey"
        # deprecated option
        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
        self.mailboxes_dir = Path(mbdir.strip())
@@ -72,9 +84,6 @@ class Config:
            raise ValueError(f"invalid address {addr!r}")
        maildir = self.mailboxes_dir.joinpath(addr)
        if addr.startswith("echo@"):
            password_path = echobot_password_path
        else:
        password_path = maildir.joinpath("password")
        return User(maildir, addr, password_path, uid="vmail", gid="vmail")
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -22,7 +22,7 @@ class DictProxy:
                wfile.flush()
    def handle_dovecot_request(self, msg, transactions):
-        # see https://doc.dovecot.org/developer_manual/design/dict_protocol/#dovecot-dict-protocol
+        # see https://doc.dovecot.org/2.3/developer_manual/design/dict_protocol/#dovecot-dict-protocol
        short_command = msg[0]
        parts = msg[1:].split("\t")
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -16,7 +16,7 @@ NOCREATE_FILE = "/etc/chatmail-nocreate"
 def encrypt_password(password: str):
-    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
+    # https://doc.dovecot.org/2.3/configuration_manual/authentication/password_schemes/
    passhash = crypt_r.crypt(password, crypt_r.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash
@@ -40,10 +40,6 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
        return False
    localpart, domain = parts
    if localpart == "echo":
        # echobot account should not be created in the database
        return False
    if (
        len(localpart) > config.username_max_length
        or len(localpart) < config.username_min_length
--- a/chatmaild/src/chatmaild/echo.py
+++ b/chatmaild/src/chatmaild/echo.py
@@ -1,109 +0,0 @@
 #!/usr/bin/env python3
 """Advanced echo bot example.
 it will echo back any message that has non-empty text and also supports the /help command.
 """
 import logging
 import os
 import subprocess
 import sys
 from pathlib import Path
 from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
 from chatmaild.config import echobot_password_path, read_config
 from chatmaild.doveauth import encrypt_password
 from chatmaild.newemail import create_newemail_dict
 hooks = events.HookCollection()
@hooks.on(events.RawEvent)
 def log_event(event):
    if event.kind == EventType.INFO:
        logging.info(event.msg)
    elif event.kind == EventType.WARNING:
        logging.warning(event.msg)
@hooks.on(events.RawEvent(EventType.ERROR))
 def log_error(event):
    logging.error("%s", event.msg)
@hooks.on(events.MemberListChanged)
 def on_memberlist_changed(event):
    logging.info(
        "member %s was %s", event.member, "added" if event.member_added else "removed"
    )
@hooks.on(events.GroupImageChanged)
 def on_group_image_changed(event):
    logging.info("group image %s", "deleted" if event.image_deleted else "changed")
@hooks.on(events.GroupNameChanged)
 def on_group_name_changed(event):
    logging.info(f"group name changed, old name: {event.old_name}")
@hooks.on(events.NewMessage(func=lambda e: not e.command))
 def echo(event):
    snapshot = event.message_snapshot
    if snapshot.is_info:
        # Ignore info messages
        return
    if snapshot.text or snapshot.file:
        snapshot.chat.send_message(text=snapshot.text, file=snapshot.file)
@hooks.on(events.NewMessage(command="/help"))
 def help_command(event):
    snapshot = event.message_snapshot
    snapshot.chat.send_text("Send me any message and I will echo it back")
 def main():
    logging.basicConfig(level=logging.INFO)
    path = os.environ.get("PATH")
    venv_path = sys.argv[0].strip("echobot")
    os.environ["PATH"] = path + ":" + venv_path
    with Rpc() as rpc:
        deltachat = DeltaChat(rpc)
        system_info = deltachat.get_system_info()
        logging.info(f"Running deltachat core {system_info.deltachat_core_version}")
        accounts = deltachat.get_all_accounts()
        account = accounts[0] if accounts else deltachat.add_account()
        bot = Bot(account, hooks)
        config = read_config(sys.argv[1])
        addr = "echo@" + config.mail_domain
        # Create password file
        if bot.is_configured():
            password = bot.account.get_config("mail_pw")
        else:
            password = create_newemail_dict(config)["password"]
        echobot_password_path.write_text(encrypt_password(password))
        # Give the user which doveauth runs as access to the password file.
        subprocess.check_call(
            ["/usr/bin/setfacl", "-m", "user:vmail:r", echobot_password_path],
        )
        if not bot.is_configured():
            bot.configure(addr, password)
        # write invite link to working directory
        invitelink = bot.account.get_qr_code()
        Path("invite-link.txt").write_text(invitelink)
        bot.run_forever()
 if __name__ == "__main__":
    main()
--- a/chatmaild/src/chatmaild/expire.py
+++ b/chatmaild/src/chatmaild/expire.py
@@ -14,7 +14,7 @@ from stat import S_ISREG
 from chatmaild.config import read_config
-FileEntry = namedtuple("FileEntry", ("relpath", "mtime", "size"))
+FileEntry = namedtuple("FileEntry", ("path", "mtime", "size"))
 def iter_mailboxes(basedir, maxnum):
@@ -51,33 +51,27 @@ class MailboxStat:
    def __init__(self, basedir):
        self.basedir = str(basedir)
        # all detected messages in cur/new/tmp folders
        self.messages = []
        # all detected files in mailbox top dir
        self.extrafiles = []
        self.scandir(self.basedir)
-        # scan all relevant files (without recursion)
+    def scandir(self, folderdir):
-        old_cwd = os.getcwd()
+        for name in os_listdir_if_exists(folderdir):
-        try:
+            path = f"{folderdir}/{name}"
            os.chdir(self.basedir)
        except FileNotFoundError:
            return
        for name in os_listdir_if_exists("."):
            if name in ("cur", "new", "tmp"):
-                for msg_name in os_listdir_if_exists(name):
+                for msg_name in os_listdir_if_exists(path):
-                    entry = get_file_entry(f"{name}/{msg_name}")
+                    entry = get_file_entry(f"{path}/{msg_name}")
                    if entry is not None:
                        self.messages.append(entry)
-
+            elif os.path.isdir(path):
                self.scandir(path)
            else:
-                entry = get_file_entry(name)
+                entry = get_file_entry(path)
                if entry is not None:
                    self.extrafiles.append(entry)
                    if name == "password":
                        self.last_login = entry.mtime
        self.extrafiles.sort(key=lambda x: -x.size)
        os.chdir(old_cwd)
 def print_info(msg):
@@ -130,13 +124,6 @@ class Expiry:
            self.remove_mailbox(mbox.basedir)
            return
        # all to-be-removed files are relative to the mailbox basedir
        try:
            os.chdir(mbox.basedir)
        except FileNotFoundError:
            print_info(f"mailbox not found/vanished {mbox.basedir}")
            return
        mboxname = os.path.basename(mbox.basedir)
        if self.verbose:
            date = datetime.fromtimestamp(mbox.last_login) if mbox.last_login else None
@@ -147,16 +134,17 @@ class Expiry:
        self.all_files += len(mbox.messages)
        for message in mbox.messages:
            if message.mtime < cutoff_mails:
-                self.remove_file(message.relpath, mtime=message.mtime)
+                self.remove_file(message.path, mtime=message.mtime)
            elif message.size > 200000 and message.mtime < cutoff_large_mails:
                # we only remove noticed large files (not unnoticed ones in new/)
-                if message.relpath.startswith("cur/"):
+                parts = message.path.split("/")
-                    self.remove_file(message.relpath, mtime=message.mtime)
+                if len(parts) >= 2 and parts[-2] == "cur":
                    self.remove_file(message.path, mtime=message.mtime)
            else:
                continue
            changed = True
        if changed:
-            self.remove_file("maildirsize")
+            self.remove_file(f"{mbox.basedir}/maildirsize")
    def get_summary(self):
        return (
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -1,381 +0,0 @@
 #!/usr/bin/env python3
 import asyncio
 import base64
 import binascii
 import sys
 import time
 from email import policy
 from email.parser import BytesParser
 from email.utils import parseaddr
 from smtplib import SMTP as SMTPClient
 from aiosmtpd.controller import Controller
 from aiosmtpd.smtp import SMTP
 from .config import read_config
 ENCRYPTION_NEEDED_523 = "523 Encryption Needed: Invalid Unencrypted Mail"
 def check_openpgp_payload(payload: bytes):
    """Checks the OpenPGP payload.
    OpenPGP payload must consist only of PKESK and SKESK packets
    terminated by a single SEIPD packet.
    Returns True if OpenPGP payload is correct,
    False otherwise.
    May raise IndexError while trying to read OpenPGP packet header
    if it is truncated.
    """
    i = 0
    while i < len(payload):
        # Only OpenPGP format is allowed.
        if payload[i] & 0xC0 != 0xC0:
            return False
        packet_type_id = payload[i] & 0x3F
        i += 1
        while payload[i] >= 224 and payload[i] < 255:
            # Partial body length.
            partial_length = 1 << (payload[i] & 0x1F)
            i += 1 + partial_length
        if payload[i] < 192:
            # One-octet length.
            body_len = payload[i]
            i += 1
        elif payload[i] < 224:
            # Two-octet length.
            body_len = ((payload[i] - 192) << 8) + payload[i + 1] + 192
            i += 2
        elif payload[i] == 255:
            # Five-octet length.
            body_len = (
                (payload[i + 1] << 24)
                | (payload[i + 2] << 16)
                | (payload[i + 3] << 8)
                | payload[i + 4]
            )
            i += 5
        else:
            # Impossible, partial body length was processed above.
            return False
        i += body_len
        if i == len(payload):
            # Last packet should be
            # Symmetrically Encrypted and Integrity Protected Data Packet (SEIPD)
            #
            # This is the only place where this function may return `True`.
            return packet_type_id == 18
        elif packet_type_id not in [1, 3]:
            # All packets except the last one must be either
            # Public-Key Encrypted Session Key Packet (PKESK)
            # or
            # Symmetric-Key Encrypted Session Key Packet (SKESK)
            return False
    return False
 def check_armored_payload(payload: str, outgoing: bool):
    """Check the armored PGP message for invalid content.
    :param payload: the armored PGP message
    :param outgoing: whether the message is outgoing or incoming
    :return: whether the message is a valid PGP message
    """
    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
    if not payload.startswith(prefix):
        return False
    payload = payload.removeprefix(prefix)
    while payload.endswith("\r\n"):
        payload = payload.removesuffix("\r\n")
    suffix = "-----END PGP MESSAGE-----"
    if not payload.endswith(suffix):
        return False
    payload = payload.removesuffix(suffix)
    version_comment = "Version: "
    if payload.startswith(version_comment):
        if outgoing:  # Disallow comments in outgoing messages
            return False
        # Remove comments from incoming messages
        payload = payload.partition("\r\n")[2]
    while payload.startswith("\r\n"):
        payload = payload.removeprefix("\r\n")
    # Remove CRC24.
    payload = payload.rpartition("=")[0]
    try:
        payload = base64.b64decode(payload)
    except binascii.Error:
        return False
    try:
        return check_openpgp_payload(payload)
    except IndexError:
        return False
 def is_securejoin(message):
    if message.get("secure-join") not in ["vc-request", "vg-request"]:
        return False
    if not message.is_multipart():
        return False
    parts_count = 0
    for part in message.iter_parts():
        parts_count += 1
        if parts_count > 1:
            return False
        if part.is_multipart():
            return False
        if part.get_content_type() != "text/plain":
            return False
        payload = part.get_payload().strip().lower()
        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
            return False
    return True
 def check_encrypted(message, outgoing=True):
    """Check that the message is an OpenPGP-encrypted message.
    MIME structure of the message must correspond to <https://www.rfc-editor.org/rfc/rfc3156>.
    """
    if not message.is_multipart():
        return False
    if message.get_content_type() != "multipart/encrypted":
        return False
    parts_count = 0
    for part in message.iter_parts():
        # We explicitly check Content-Type of each part later,
        # but this is to be absolutely sure `get_payload()` returns string and not list.
        if part.is_multipart():
            return False
        if parts_count == 0:
            if part.get_content_type() != "application/pgp-encrypted":
                return False
            payload = part.get_payload()
            if payload.strip() != "Version: 1":
                return False
        elif parts_count == 1:
            if part.get_content_type() != "application/octet-stream":
                return False
            if not check_armored_payload(part.get_payload(), outgoing=outgoing):
                return False
        else:
            return False
        parts_count += 1
    return True
 async def asyncmain_beforequeue(config, mode):
    if mode == "outgoing":
        port = config.filtermail_smtp_port
        handler = OutgoingBeforeQueueHandler(config)
    else:
        port = config.filtermail_smtp_port_incoming
        handler = IncomingBeforeQueueHandler(config)
    HackedController(
        handler,
        hostname="127.0.0.1",
        port=port,
        data_size_limit=config.max_message_size,
    ).start()
 def recipient_matches_passthrough(recipient, passthrough_recipients):
    for addr in passthrough_recipients:
        if recipient == addr:
            return True
        if addr[0] == "@" and recipient.endswith(addr):
            return True
    return False
 class HackedController(Controller):
    def factory(self):
        return SMTPDiscardRCPTO_options(self.handler, **self.SMTP_kwargs)
 class SMTPDiscardRCPTO_options(SMTP):
    def _getparams(self, params):
        # Ignore RCPT TO parameters.
        #
        # Otherwise parameters such as `ORCPT=...`
        # or `NOTIFY=DELAY,FAILURE` (generated by Stalwart)
        # make aiosmtpd reject the message here:
        # <https://github.com/aio-libs/aiosmtpd/blob/98f578389ae86e5345cc343fa4e5a17b21d9c96d/aiosmtpd/smtp.py#L1379-L1384>
        return {}
 class OutgoingBeforeQueueHandler:
    def __init__(self, config):
        self.config = config
        self.send_rate_limiter = SendRateLimiter()
    async def handle_MAIL(self, server, session, envelope, address, mail_options):
        log_info(f"handle_MAIL from {address}")
        envelope.mail_from = address
        max_sent = self.config.max_user_send_per_minute
        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
            return f"450 4.7.1: Too much mail from {address}"
        parts = envelope.mail_from.split("@")
        if len(parts) != 2:
            return f"500 Invalid from address <{envelope.mail_from!r}>"
        return "250 OK"
    async def handle_DATA(self, server, session, envelope):
        loop = asyncio.get_running_loop()
        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
    def sync_handle_DATA(self, envelope):
        log_info("handle_DATA before-queue")
        error = self.check_DATA(envelope)
        if error:
            return error
        log_info("re-injecting the mail that passed checks")
        client = SMTPClient("localhost", self.config.postfix_reinject_port)
        client.sendmail(
            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
        )
        return "250 OK"
    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
        log_info(f"Processing DATA message from {envelope.mail_from}")
        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
        mail_encrypted = check_encrypted(message, outgoing=True)
        _, from_addr = parseaddr(message.get("from").strip())
        if envelope.mail_from.lower() != from_addr.lower():
            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
        if mail_encrypted or is_securejoin(message):
            print("Outgoing: Filtering encrypted mail.", file=sys.stderr)
            return
        print("Outgoing: Filtering unencrypted mail.", file=sys.stderr)
        if envelope.mail_from in self.config.passthrough_senders:
            return
        # allow self-sent Autocrypt Setup Message
        if envelope.rcpt_tos == [from_addr]:
            if message.get("subject") == "Autocrypt Setup Message":
                if message.get_content_type() == "multipart/mixed":
                    return
        passthrough_recipients = self.config.passthrough_recipients
        for recipient in envelope.rcpt_tos:
            if recipient_matches_passthrough(recipient, passthrough_recipients):
                continue
            print("Rejected unencrypted mail.", file=sys.stderr)
            return ENCRYPTION_NEEDED_523
 class IncomingBeforeQueueHandler:
    def __init__(self, config):
        self.config = config
    async def handle_DATA(self, server, session, envelope):
        loop = asyncio.get_running_loop()
        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
    def sync_handle_DATA(self, envelope):
        log_info("handle_DATA before-queue")
        error = self.check_DATA(envelope)
        if error:
            return error
        log_info("re-injecting the mail that passed checks")
        # the smtp daemon on reinject_port_incoming gives it to dkim milter
        # which looks at source address to determine whether to verify or sign
        client = SMTPClient(
            "localhost",
            self.config.postfix_reinject_port_incoming,
            source_address=("127.0.0.2", 0),
        )
        client.sendmail(
            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
        )
        return "250 OK"
    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
        log_info(f"Processing DATA message from {envelope.mail_from}")
        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
        mail_encrypted = check_encrypted(message, outgoing=False)
        if mail_encrypted or is_securejoin(message):
            print("Incoming: Filtering encrypted mail.", file=sys.stderr)
            return
        print("Incoming: Filtering unencrypted mail.", file=sys.stderr)
        # we want cleartext mailer-daemon messages to pass through
        # chatmail core will typically not display them as normal messages
        if message.get("auto-submitted"):
            _, from_addr = parseaddr(message.get("from").strip())
            if from_addr.lower().startswith("mailer-daemon@"):
                if message.get_content_type() == "multipart/report":
                    return
        for recipient in envelope.rcpt_tos:
            user = self.config.get_user(recipient)
            if user is None or user.is_incoming_cleartext_ok():
                continue
            print("Rejected unencrypted mail.", file=sys.stderr)
            return ENCRYPTION_NEEDED_523
 class SendRateLimiter:
    def __init__(self):
        self.addr2timestamps = {}
    def is_sending_allowed(self, mail_from, max_send_per_minute):
        last = self.addr2timestamps.setdefault(mail_from, [])
        now = time.time()
        last[:] = [ts for ts in last if ts >= (now - 60)]
        if len(last) <= max_send_per_minute:
            last.append(now)
            return True
        return False
 def log_info(msg):
    print(msg, file=sys.stderr)
 def main():
    args = sys.argv[1:]
    assert len(args) == 2
    config = read_config(args[0])
    mode = args[1]
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
    assert mode in ["incoming", "outgoing"]
    task = asyncmain_beforequeue(config, mode)
    loop.create_task(task)
    log_info("entering serving loop")
    loop.run_forever()
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -11,41 +11,44 @@ mail_domain = {mail_domain}
 # Restrictions on user addresses
 #
-# how many mails a user can send out per minute
+# email sending rate per user and minute
-max_user_send_per_minute = 60
+#max_user_send_per_minute = 60
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
 #max_user_send_burst_size = 10
 # maximum mailbox size of a chatmail address
-max_mailbox_size = 100M
+#max_mailbox_size = 500M
 # maximum message size for an e-mail in bytes
-max_message_size = 31457280
+#max_message_size = 31457280
 # days after which mails are unconditionally deleted
-delete_mails_after = 20
+#delete_mails_after = 20
 # days after which large messages (>200k) are unconditionally deleted
-delete_large_after = 7
+#delete_large_after = 7
 # days after which users without a successful login are deleted (database and mails)
-delete_inactive_users_after = 90
+#delete_inactive_users_after = 90
 # minimum length a username must have
-username_min_length = 9
+#username_min_length = 9
 # maximum length a username can have
-username_max_length = 9
+#username_max_length = 9
 # minimum length a password must have
-password_min_length = 9
+#password_min_length = 9
 # list of chatmail addresses which can send outbound un-encrypted mail
-passthrough_senders =
+#passthrough_senders =
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients = echo@{mail_domain}
+#passthrough_recipients =
-# path to www directory - documented here: https://github.com/chatmail/relay/#custom-web-pages
+# path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
 #www_folder = www
 #
@@ -53,18 +56,18 @@ passthrough_recipients = echo@{mail_domain}
 #
 # SMTP outgoing filtermail and reinjection 
-filtermail_smtp_port = 10080
+#filtermail_smtp_port = 10080
-postfix_reinject_port = 10025
+#postfix_reinject_port = 10025
 # SMTP incoming filtermail and reinjection 
-filtermail_smtp_port_incoming = 10081
+#filtermail_smtp_port_incoming = 10081
-postfix_reinject_port_incoming = 10026
+#postfix_reinject_port_incoming = 10026
 # if set to "True" IPv6 is disabled
-disable_ipv6 = False
+#disable_ipv6 = False
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
-acme_email = 
+#acme_email =
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
@@ -97,7 +100,13 @@ acme_email =
 # in per-maildir ".in/.out" files. 
 # Note that you need to manually cleanup these files
 # so use this option with caution on production servers. 
-imap_rawlog = false 
+#imap_rawlog = false
 # set to true if you want to enable the IMAP COMPRESS Extension,
 # which allows IMAP connections to be efficiently compressed.
 # WARNING: Enabling this makes it impossible to hibernate IMAP
 # processes which will result in much higher memory/RAM usage.
 #imap_compress = false
 #
--- a/chatmaild/src/chatmaild/lastlogin.py
+++ b/chatmaild/src/chatmaild/lastlogin.py
@@ -13,8 +13,6 @@ class LastLoginDictProxy(DictProxy):
        keyname = parts[1].split("/")
        value = parts[2] if len(parts) > 2 else ""
        if keyname[0] == "shared" and keyname[1] == "last-login":
            if addr.startswith("echo@"):
                return True
            addr = keyname[2]
            timestamp = int(value)
            user = self.config.get_user(addr)
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -6,6 +6,7 @@ import json
 import random
 import secrets
 import string
 from urllib.parse import quote
 from chatmaild.config import Config, read_config
@@ -23,13 +24,26 @@ def create_newemail_dict(config: Config):
    return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
 def create_dclogin_url(email, password):
    """Build a dclogin: URL with credentials and self-signed cert acceptance.
    Uses ic=3 (AcceptInvalidCertificates) so chatmail clients
    can connect to servers with self-signed TLS certificates.
    """
    return f"dclogin:{quote(email, safe='@')}?p={quote(password, safe='')}&v=1&ic=3"
 def print_new_account():
    config = read_config(CONFIG_PATH)
    creds = create_newemail_dict(config)
    result = dict(email=creds["email"], password=creds["password"])
    if config.tls_cert_mode == "self":
        result["dclogin_url"] = create_dclogin_url(creds["email"], creds["password"])
    print("Content-Type: application/json")
    print("")
-    print(json.dumps(creds))
+    print(json.dumps(result))
 if __name__ == "__main__":
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -33,7 +33,7 @@ def test_read_config_testrun(make_config):
    assert config.filtermail_smtp_port == 10080
    assert config.postfix_reinject_port == 10025
    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "100M"
+    assert config.max_mailbox_size == "500M"
    assert config.delete_mails_after == "20"
    assert config.delete_large_after == "7"
    assert config.username_min_length == 9
@@ -73,3 +73,17 @@ def test_config_userstate_paths(make_config, tmp_path):
 def test_config_max_message_size(make_config, tmp_path):
    config = make_config("something.testrun.org", dict(max_message_size="10000"))
    assert config.max_message_size == 10000
 def test_config_tls_default_acme(make_config):
    config = make_config("chat.example.org")
    assert config.tls_cert_mode == "acme"
    assert config.tls_cert_path == "/var/lib/acme/live/chat.example.org/fullchain"
    assert config.tls_key_path == "/var/lib/acme/live/chat.example.org/privkey"
 def test_config_tls_self(make_config):
    config = make_config("_test.example.org")
    assert config.tls_cert_mode == "self"
    assert config.tls_cert_path == "/etc/ssl/certs/mailserver.pem"
    assert config.tls_key_path == "/etc/ssl/private/mailserver.key"
--- a/chatmaild/src/chatmaild/tests/test_expire.py
+++ b/chatmaild/src/chatmaild/tests/test_expire.py
@@ -17,19 +17,17 @@ from chatmaild.expire import main as expiry_main
 from chatmaild.fsreport import main as report_main
-def fill_mbox(basedir):
+def fill_mbox(folderdir):
-    basedir1 = basedir.joinpath("mailbox1@example.org")
+    password = folderdir.joinpath("password")
    basedir1.mkdir()
    password = basedir1.joinpath("password")
    password.write_text("xxx")
-    basedir1.joinpath("maildirsize").write_text("xxx")
+    folderdir.joinpath("maildirsize").write_text("xxx")
-    garbagedir = basedir1.joinpath("garbagedir")
+    garbagedir = folderdir.joinpath("garbagedir")
    garbagedir.mkdir()
    garbagedir.joinpath("bimbum").write_text("hello")
-    create_new_messages(basedir1, ["cur/msg1"], size=500)
+    create_new_messages(folderdir, ["cur/msg1"], size=500)
-    create_new_messages(basedir1, ["new/msg2"], size=600)
+    create_new_messages(folderdir, ["new/msg2"], size=600)
    return basedir1
 def create_new_messages(basedir, relpaths, size=1000, days=0):
@@ -45,8 +43,21 @@ def create_new_messages(basedir, relpaths, size=1000, days=0):
@pytest.fixture
 def mbox1(example_config):
-    basedir1 = fill_mbox(example_config.mailboxes_dir)
+    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
-    return MailboxStat(basedir1)
+    mboxdir.mkdir()
    fill_mbox(mboxdir)
    return MailboxStat(mboxdir)
 def test_deltachat_folder(example_config):
    """Test old setups that might have a .DeltaChat folder where messages also need to get removed."""
    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
    mboxdir.mkdir()
    mbox2dir = mboxdir.joinpath(".DeltaChat")
    mbox2dir.mkdir()
    fill_mbox(mbox2dir)
    mb = MailboxStat(mboxdir)
    assert len(mb.messages) == 2
 def test_filentry_ordering(tmp_path):
@@ -76,7 +87,7 @@ def test_stats_mailbox(mbox1):
    create_new_messages(mbox1.basedir, ["large-extra"], size=1000)
    create_new_messages(mbox1.basedir, ["index-something"], size=3)
    mbox2 = MailboxStat(mbox1.basedir)
-    assert len(mbox2.extrafiles) == 4
+    assert len(mbox2.extrafiles) == 5
    assert mbox2.extrafiles[0].size == 1000
    # cope well with mailbox dirs that have no password (for whatever reason)
--- a/chatmaild/src/chatmaild/tests/test_filtermail.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail.py
@@ -1,361 +0,0 @@
 import pytest
 from chatmaild.filtermail import (
    IncomingBeforeQueueHandler,
    OutgoingBeforeQueueHandler,
    SendRateLimiter,
    check_armored_payload,
    check_encrypted,
    is_securejoin,
 )
@pytest.fixture
 def maildomain():
    # let's not depend on a real chatmail instance for the offline tests below
    return "chatmail.example.org"
@pytest.fixture
 def handler(make_config, maildomain):
    config = make_config(maildomain)
    return OutgoingBeforeQueueHandler(config)
@pytest.fixture
 def inhandler(make_config, maildomain):
    config = make_config(maildomain)
    return IncomingBeforeQueueHandler(config)
 def test_reject_forged_from(maildata, gencreds, handler):
    class env:
        mail_from = gencreds()[0]
        rcpt_tos = [gencreds()[0]]
    # test that the filter lets good mail through
    to_addr = gencreds()[0]
    env.content = maildata(
        "encrypted.eml", from_addr=env.mail_from, to_addr=to_addr
    ).as_bytes()
    assert not handler.check_DATA(envelope=env)
    # test that the filter rejects forged mail
    env.content = maildata(
        "encrypted.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
    ).as_bytes()
    error = handler.check_DATA(envelope=env)
    assert "500" in error
 def test_filtermail_no_encryption_detection(maildata):
    msg = maildata(
        "plain.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
    # https://xkcd.com/1181/
    msg = maildata(
        "fake-encrypted.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
 def test_filtermail_securejoin_detection(maildata):
    msg = maildata(
        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert is_securejoin(msg)
    msg = maildata(
        "securejoin-vc-fake.eml",
        from_addr="some@example.org",
        to_addr="other@example.org",
    )
    assert not is_securejoin(msg)
 def test_filtermail_encryption_detection(maildata):
    msg = maildata(
        "encrypted.eml",
        from_addr="1@example.org",
        to_addr="2@example.org",
        subject="Subject does not matter, will be replaced anyway",
    )
    assert check_encrypted(msg)
 def test_filtermail_no_literal_packets(maildata):
    """Test that literal OpenPGP packet is not considered an encrypted mail."""
    msg = maildata("literal.eml", from_addr="1@example.org", to_addr="2@example.org")
    assert not check_encrypted(msg)
 def test_filtermail_unencrypted_mdn(maildata, gencreds):
    """Unencrypted MDNs should not pass."""
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    msg = maildata("mdn.eml", from_addr=from_addr, to_addr=to_addr)
    assert not check_encrypted(msg)
 def test_send_rate_limiter():
    limiter = SendRateLimiter()
    for i in range(100):
        if limiter.is_sending_allowed("some@example.org", 10):
            if i <= 10:
                continue
            pytest.fail("limiter didn't work")
        else:
            assert i == 11
            break
 def test_cleartext_excempt_privacy(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@testrun.org"
    handler.config.passthrough_recipients = [to_addr]
    false_to = "privacy@something.org"
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
    class env2:
        mail_from = from_addr
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()
    assert "523" in handler.check_DATA(envelope=env2)
 def test_cleartext_self_send_autocrypt_setup_message(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = from_addr
    msg = maildata("asm.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert not handler.check_DATA(envelope=env)
 def test_cleartext_send_fails(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0]
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    res = handler.check_DATA(envelope=env)
    assert "523 Encryption Needed" in res
 def test_cleartext_incoming_fails(maildata, gencreds, inhandler):
    from_addr = gencreds()[0]
    to_addr, password = gencreds()
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    user = inhandler.config.get_user(to_addr)
    user.set_password(password)
    res = inhandler.check_DATA(envelope=env)
    assert "523 Encryption Needed" in res
    user.allow_incoming_cleartext()
    assert not inhandler.check_DATA(envelope=env)
 def test_cleartext_incoming_mailer_daemon(maildata, gencreds, inhandler):
    from_addr = "mailer-daemon@example.org"
    to_addr = gencreds()[0]
    msg = maildata("mailer-daemon.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert not inhandler.check_DATA(envelope=env)
 def test_cleartext_passthrough_domains(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@x.y.z"
    handler.config.passthrough_recipients = ["@x.y.z"]
    false_to = "something@x.y"
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
    class env2:
        mail_from = from_addr
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()
    assert "523" in handler.check_DATA(envelope=env2)
 def test_cleartext_passthrough_senders(gencreds, handler, maildata):
    acc1 = gencreds()[0]
    to_addr = "recipient@something.org"
    handler.config.passthrough_senders = [acc1]
    msg = maildata("plain.eml", from_addr=acc1, to_addr=to_addr)
    class env:
        mail_from = acc1
        rcpt_tos = to_addr
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
 def test_check_armored_payload():
    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
    comment = "Version: ProtonMail\r\n"
    payload = """\r
 wU4DSqFx0d1yqAoSAQdAYkX/ZN/Az4B0k7X47zKyWrXxlDEdS3WOy0Yf2+GJTFgg\r
 Zk5ql0mLG8Ze+ZifCS0XMO4otlemSyJ0K1ZPdFMGzUDBTgNqzkFabxXoXRIBB0AM\r
 755wlX41X6Ay3KhnwBq7yEqSykVH6F3x11iHPKraLCAGZoaS8bKKNy/zg5slda1X\r
 pt14b4aC1VwtSnYhcRRELNLD/wE2TFif+g7poMmFY50VyMPLYjVP96Z5QCT4+z4H\r
 Ikh/pRRN8S3JNMrRJHc6prooSJmLcx47Y5un7VFy390MsJ+LiUJuQMDdYWRAinfs\r
 Ebm89Ezjm7F03qbFPXE0X4ZNzVXS/eKO0uhJQdiov/vmbn41rNtHmNpqjaO0vi5+\r
 sS9tR7yDUrIXiCUCN78eBLVioxtktsPZm5cDORbQWzv+7nmCEz9/JowCUcBVdCGn\r
 1ofOaH82JCAX/cRx08pLaDNj6iolVBsi56Dd+2bGxJOZOG2AMcEyz0pXY0dOAJCD\r
 iUThcQeGIdRnU3j8UBcnIEsjLu2+C+rrwMZQESMWKnJ0rnqTk0pK5kXScr6F/L0L\r
 UE49ccIexNm3xZvYr5drszr6wz3Tv5fdue87P4etBt90gF/Vzknck+g1LLlkzZkp\r
 d8dI0k2tOSPjUbDPnSy1x+X73WGpPZmj0kWT+RGvq0nH6UkJj3AQTG2qf1T8jK+3\r
 rTp3LR9vDkMwDjX4R8SA9c0wdnUzzr79OYQC9lTnzcx+fM6BBmgQ2GrS33jaFLp7\r
 L6/DFpCl5zhnPjM/2dKvMkw/Kd6XS/vjwsO405FQdjSDiQEEAZA+ZvAfcjdccbbU\r
 yCO+x0QNdeBsufDVnh3xvzuWy4CICdTQT4s1AWRPCzjOj+SGmx5WqCLWfsd8Ma0+\r
 w/C7SfTYu1FDQILLM+llpq1M/9GPley4QZ8JQjo262AyPXsPF/OW48uuZz0Db1xT\r
 Yh4iHBztj4VSdy7l2+IyaIf7cnL4EEBFxv/MwmVDXvDlxyvfAfIsd3D9SvJESzKZ\r
 VWDYwaocgeCN+ojKu1p885lu1EfRbX3fr3YO02K5/c2JYDkc0Py0W3wUP/J1XUax\r
 pbKpzwlkxEgtmzsGqsOfMJqBV3TNDrOA2uBsa+uBqP5MGYLZ49S/4v/bW9I01Cr1\r
 D2ZkV510Y1Vgo66WlP8mRqOTyt/5WRhPD+MxXdk67BNN/PmO6tMlVoJDuk+XwWPR\r
 t2TvNaND/yabT9eYI55Og4fzKD6RIjouUX8DvKLkm+7aXxVs2uuLQ3Jco3O82z55\r
 dbShU1jYsrw9oouXUz06MHPbkdhNbF/2hfhZ2qA31sNeovJw65iUv7sDKX3LVWgJ\r
 10jlywcDwqlU8CO7WC9lGixYTbnOkYZpXCGEl8e6Jbs79l42YFo4ogYpFK1NXFhV\r
 kOXRmDf/wmfj+c/ld3L2PkvwlgofhCudOQknZbo3ub1gjiTn7L+lMGHIj/3suMIl\r
 ID4EUxAXScIM1ZEz2fjtW5jATlqYcLjLTbf/olw6HFyPNH+9IssqXeZNKnGwPUB9\r
 3lTXsg0tpzl+x7F/2WjEw1DSNhjC0KnHt1vEYNMkUGDGFdN9y3ERLqX/FIgiASUb\r
 bTvAVupnAK3raBezGmhrs6LsQtLS9P0VvQiLU3uDhMqw8Z4SISLpcD+NnVBHzQqm\r
 6W5Qn/8xsCL6av18yUVTi2G3igt3QCNoYx9evt2ZcIkNoyyagUVjfZe5GHXh8Dnz\r
 GaBXW/hg3HlXLRGaQu4RYCzBMJILcO25OhZOg6jbkCLiEexQlm2e9krB5cXR49Al\r
 UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 =b5Kp\r
 -----END PGP MESSAGE-----\r
 \r
 \r
 """
    commented_payload = prefix + comment + payload
    assert check_armored_payload(commented_payload, outgoing=False) == True
    assert check_armored_payload(commented_payload, outgoing=True) == False
    payload = prefix + payload
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 HELLOWORLD
 -----END PGP MESSAGE-----\r
 \r
 """
    assert check_armored_payload(payload, outgoing=False) == False
    assert check_armored_payload(payload, outgoing=True) == False
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 =njUN
 -----END PGP MESSAGE-----\r
 \r
 """
    assert check_armored_payload(payload, outgoing=False) == False
    assert check_armored_payload(payload, outgoing=True) == False
    # Test payload using partial body length
    # as generated by GopenPGP.
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 wV4DdCVjRfOT3TQSAQdAY5+pjT6mlCxPGdR3be4w7oJJRUGIPI/Vnh+mJxGSm34w\r
 LNlVc89S1g22uQYFif2sUJsQWbpoHpNkuWpkSgOaHmNvrZiY/YU5iv+cZ3LbmtUG\r
 0uoBisSHh9O1c+5sYZSbrvYZ1NOwlD7Fv/U5/Mw4E5+CjxfdgNGp5o3DDddzPK78\r
 jseDhdSXxnaiIJC93hxNX6R1RPt3G2gukyzx69wciPQShcF8zf3W3o75Ed7B8etV\r
 QEeB16xzdFhKa9JxdjTu3osgCs21IO7wpcFkjc7nZzlW6jPnELJJaNmv4yOOCjMp\r
 6YAkaN/BkL+jHTznHDuDsT5ilnTXpwHDU1Cm9PIx/KFcNCQnIB+2DcdIHPHUH1ci\r
 jvqoeXAVWjKXEjS7PqPFuP/xGbrWG2ugs+toXJOKbgRkExvKs1dwPFKrgghvCVbW\r
 AcKejQKAPArLwpkA7aD875TZQShvGt74fNs45XBlGOYOnNOAJ1KAmzrXLIDViyyB\r
 kDsmTBk785xofuCkjBpXSe6vsMprPzCteDfaUibh8FHeJjucxPerwuOPEmnogNaf\r
 YyL4+iy8H8I9/p7pmUqILprxTG0jTOtlk0bTVzeiF56W1xbtSEMuOo4oFbQTyOM2\r
 bKXaYo774Jm+rRtKAnnI2dtf9RpK19cog6YNzfYjesLKbXDsPZbN5rmwyFiCvvxC\r
 kQ6JLob+B2fPdY2gzy7LypxktS8Zi1HJcWDHJGVmQodaDLqKUObb4M26bXDe6oxI\r
 NS8PJz5exVbM3KhZnUOEn6PJRBBf5a/ZqxlhZPcQo/oBuhKpBRpO5kSDwPIUByu3\r
 UlXLSkpMqe9pUarAOEuQjfl2RVY7U+RrQYp4YP5keMO+i8NCefAFbowTTufO1JIq\r
 2nVgCi/QVnxZyEc9OYt/8AE3g4cdojE+vsSDifZLSWYIetpfrohHv3dT3StD1QRG\r
 0QE6qq6oKpg/IL0cjvuX4c7a7bslv2fXp8t75y37RU6253qdIebhxc/cRhPbc/yu\r
 p0YLyD4SrvKTLP2ZV95jT4IPEpqm4AN3QmiOzdtqR2gLyb62L8QfqI/FdwsIiRiM\r
 hqydwoqt/lfSqG1WKPh+6EkMkH+TDiCC1BQdbN1MNcyUtcjb35PR2c8Ld2TF3guA\r
 jLIqMt/Vb7hBoMb2FcsOYY25ka9oV62OwgKWLXnFzk+modMR5fzb4kxVVAYEqP+D\r
 T5KO1Vs76v1fyPGOq6BbBCvLwTqe/e6IZInJles4v5jrhnLcGKmNGivCUDe6X6NY\r
 UKNt5RsZllwDQpaAb5dMNhyrk8SgIE7TBI7rvqIdUCE52Vy+0JDxFg5olRpFUfO6\r
 /MyTW3Yo/ekk/npHr7iYYqJTCc21bDGLWQcIo/XO7WPxrKNWGBNPFnkRdw0MaKr4\r
 +cEM3V8NFnSEpC12xA+RX/CezuJtwXZK5MpG76eYqMO6qyC+c25YcFecEufDZDxx\r
 ZLqRszVRyxyWPtk/oIeQK2v9wOqY6N9/ff01gHz69vqYqN5bUw/QKZsmx1zW+gPw\r
 6x2tDK2BHeYl182gCbhlKISRFwCtbjqZSkiKWao/VtygHkw0fK34avJuyQ/X9YaN\r
 BRy+7Lf3VA53pnB5WJ1xwRXN8VDvmZeXzv2krHveCMemj0OjnRoCLu117xN0A5m9\r
 Fm/RoDix5PolDHtWTtr2m1n2hp2LHnj8at9lFEd0SKhAYHVL9KjzycwWODZRXt+x\r
 zGDDuooEeTvdY5NLyKcl4gETz1ZP4Ez5jGGjhPSwSpq1mU7UaJ9ZXXdr4KHyifW6\r
 ggNzNsGhXTap7IWZpTtqXABydfiBshmH2NjqtNDwBweJVSgP10+r0WhMWlaZs6xl\r
 V3o5yskJt6GlkwpJxZrTvN6Tiww/eW7HFV6NGf7IRSWY5tJc/iA7/92tOmkdvJ1q\r
 myLbG7cJB787QjplEyVe2P/JBO6xYvbkJLf9Q+HaviTO25rugRSrYsoKMDfO8VlQ\r
 1CcnTPVtApPZJEQzAWJEgVAM8uIlkqWJJMgyWT34sTkdBeCUFGloXQFs9Yxd0AGf\r
 /zHEkYZSTKpVSvAIGu4=\r
 =6iHb\r
 -----END PGP MESSAGE-----\r
 """
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
--- a/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
@@ -1,9 +1,15 @@
 import shutil
 import smtplib
 import subprocess
 import sys
 import pytest
 pytestmark = pytest.mark.skipif(
    shutil.which("filtermail") is None,
    reason="filtermail binary not found",
 )
@pytest.fixture
 def smtpserver():
--- a/chatmaild/src/chatmaild/tests/test_lastlogin.py
+++ b/chatmaild/src/chatmaild/tests/test_lastlogin.py
@@ -36,29 +36,3 @@ def test_handle_dovecot_request_last_login(testaddr, example_config):
    res = dictproxy.handle_dovecot_request(msg, dictproxy_transactions)
    assert res == "O\n"
    assert len(dictproxy_transactions) == 0
 def test_handle_dovecot_request_last_login_echobot(example_config):
    dictproxy = LastLoginDictProxy(config=example_config)
    authproxy = AuthDictProxy(config=example_config)
    testaddr = f"echo@{example_config.mail_domain}"
    authproxy.lookup_passdb(testaddr, "ignore")
    user = dictproxy.config.get_user(testaddr)
    transactions = {}
    # set last-login info for user
    tx = "1111"
    msg = f"B{tx}\t{testaddr}"
    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert not res
    assert transactions == {tx: dict(addr=testaddr, res="O\n")}
    timestamp = int(time.time())
    msg = f"S{tx}\tshared/last-login/{testaddr}\t{timestamp}"
    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert not res
    assert len(transactions) == 1
    read_timestamp = user.get_last_login_timestamp()
    assert read_timestamp is None
--- a/chatmaild/src/chatmaild/tests/test_newmail.py
+++ b/chatmaild/src/chatmaild/tests/test_newmail.py
@@ -1,7 +1,11 @@
 import json
 import chatmaild
-from chatmaild.newemail import create_newemail_dict, print_new_account
+from chatmaild.newemail import (
    create_dclogin_url,
    create_newemail_dict,
    print_new_account,
 )
 def test_create_newemail_dict(example_config):
@@ -15,6 +19,18 @@ def test_create_newemail_dict(example_config):
    assert ac1["password"] != ac2["password"]
 def test_create_dclogin_url():
    url = create_dclogin_url("user@example.org", "p@ss w+rd")
    assert url.startswith("dclogin:")
    assert "v=1" in url
    assert "ic=3" in url
    assert "user@example.org" in url
    # password special chars must be encoded
    assert "p%40ss" in url
    assert "w%2Brd" in url
 def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_config):
    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(example_config._inipath))
    print_new_account()
@@ -25,3 +41,20 @@ def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_conf
    dic = json.loads(lines[2])
    assert dic["email"].endswith(f"@{example_config.mail_domain}")
    assert len(dic["password"]) >= 10
    # default tls_cert=acme should not include dclogin_url
    assert "dclogin_url" not in dic
 def test_print_new_account_self_signed(capsys, monkeypatch, make_config):
    config = make_config("_test.example.org")
    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(config._inipath))
    print_new_account()
    out, err = capsys.readouterr()
    lines = out.split("\n")
    dic = json.loads(lines[2])
    assert "dclogin_url" in dic
    url = dic["dclogin_url"]
    assert url.startswith("dclogin:")
    assert "ic=3" in url
    assert dic["email"].split("@")[0] in url
--- a/chatmaild/src/chatmaild/user.py
+++ b/chatmaild/src/chatmaild/user.py
@@ -19,7 +19,7 @@ class User:
    @property
    def can_track(self):
-        return "@" in self.addr and not self.addr.startswith("echo@")
+        return "@" in self.addr
    def get_userdb_dict(self):
        """Return a non-empty dovecot 'userdb' style dict
@@ -55,10 +55,8 @@ class User:
        try:
            write_bytes_atomic(self.password_path, password)
        except PermissionError:
            if not self.addr.startswith("echo@"):
            logging.error(f"could not write password for: {self.addr}")
            raise
        if not self.addr.startswith("echo@"):
        self.enforce_E2EE_path.touch()
    def set_last_login_timestamp(self, timestamp):
--- a/cliff.toml
+++ b/cliff.toml
@@ -0,0 +1,94 @@
 # git-cliff ~ configuration file
 # https://git-cliff.org/docs/configuration
 [changelog]
 # A Tera template to be rendered for each release in the changelog.
 # See https://keats.github.io/tera/docs/#introduction
 body = """
 {% if version %}\
    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
 {% else %}\
    ## [unreleased]
 {% endif %}\
 {% for group, commits in commits | group_by(attribute="group") %}
    ### {{ group | striptags | trim | upper_first }}
    {% for commit in commits %}
        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
            {% if commit.breaking %}[**breaking**] {% endif %}\
            {{ commit.message | upper_first }}\
    {% endfor %}
 {% endfor %}
 """
 # Remove leading and trailing whitespaces from the changelog's body.
 trim = true
 # Render body even when there are no releases to process.
 render_always = true
 # An array of regex based postprocessors to modify the changelog.
 postprocessors = [
    # Replace the placeholder <REPO> with a URL.
    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
 ]
 # render body even when there are no releases to process
 # render_always = true
 # output file path
 # output = "test.md"
 [git]
 # Parse commits according to the conventional commits specification.
 # See https://www.conventionalcommits.org
 conventional_commits = true
 # Exclude commits that do not match the conventional commits specification.
 filter_unconventional = true
 # Require all commits to be conventional.
 # Takes precedence over filter_unconventional.
 require_conventional = false
 # Split commits on newlines, treating each line as an individual commit.
 split_commits = false
 # An array of regex based parsers to modify commit messages prior to further processing.
 commit_preprocessors = [
    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
    # Check spelling of the commit message using https://github.com/crate-ci/typos.
    # If the spelling is incorrect, it will be fixed automatically.
    #{ pattern = '.*', replace_command = 'typos --write-changes -' },
 ]
 # Prevent commits that are breaking from being excluded by commit parsers.
 protect_breaking_commits = false
 # An array of regex based parsers for extracting data from the commit message.
 # Assigns commits to groups.
 # Optionally sets the commit's scope and can decide to exclude commits from further processing.
 commit_parsers = [
    { message = "^feat", group = "Features" },
    { message = "^fix", group = "Bug Fixes" },
    { message = "^docs", group = "Documentation" },
    { message = "^perf", group = "Performance" },
    { message = "^refactor", group = "Refactor" },
    { message = "^style", group = "Styling" },
    { message = "^test", group = "Testing" },
    { message = "^chore\\(release\\): prepare for", skip = true },
    { message = "^chore\\(deps.*\\)", skip = true },
    { message = "^chore\\(pr\\)", skip = true },
    { message = "^chore\\(pull\\)", skip = true },
    { message = "^chore|^ci", group = "Miscellaneous Tasks" },
    { body = ".*security", group = "Security" },
    { message = "^revert", group = "Revert" },
    { message = ".*", group = "Other" },
 ]
 # Exclude commits that are not matched by any commit parser.
 filter_commits = false
 # Fail on a commit that is not matched by any commit parser.
 fail_on_unmatched_commit = false
 # An array of link parsers for extracting external references, and turning them into URLs, using regex.
 link_parsers = []
 # Include only the tags that belong to the current branch.
 use_branch_tags = false
 # Order releases topologically instead of chronologically.
 topo_order = false
 # Order commits topologically instead of chronologically.
 topo_order_commits = true
 # Order of commits in each group/release within the changelog.
 # Allowed values: newest, oldest
 sort_commits = "oldest"
 # Process submodules commits
 recurse_submodules = false
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -61,6 +61,19 @@ class AcmetoolDeployer(Deployer):
            mode="644",
        )
        server.shell(
            name=f"Remove old acmetool desired files for {self.domains[0]}",
            commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
        )
        files.template(
            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
            user="root",
            group="root",
            mode="644",
            domains=self.domains,
        )
        service_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-redirector.service"
@@ -123,6 +136,6 @@ class AcmetoolDeployer(Deployer):
        self.need_restart_reconcile_timer = False
        server.shell(
-            name=f"Request certificate for: {', '.join(self.domains)}",
+            name=f"Reconcile certificates for: {', '.join(self.domains)}",
-            commands=[f"acmetool want --xlog.severity=debug {' '.join(self.domains)}"],
+            commands=["acmetool --batch --xlog.severity=debug reconcile"],
        )
--- a/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
@@ -0,0 +1,6 @@
 satisfy:
  names:
 {%- for domain in domains %}
  - {{ domain }}
 {%- endfor %}
--- a/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -1,6 +1,60 @@
 import importlib.resources
 import io
 import os
-from pyinfra.operations import server
+from pyinfra.operations import files, server, systemd
 def get_resource(arg, pkg=__package__):
    return importlib.resources.files(pkg).joinpath(arg)
 def configure_remote_units(mail_domain, units) -> None:
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_venv_dir = f"{remote_base_dir}/venv"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
    # install systemd units
    for fn in units:
        params = dict(
            execpath=f"{remote_venv_dir}/bin/{fn}",
            config_path=remote_chatmail_inipath,
            remote_venv_dir=remote_venv_dir,
            mail_domain=mail_domain,
        )
        basename = fn if "." in fn else f"{fn}.service"
        source_path = get_resource(f"service/{basename}.f")
        content = source_path.read_text().format(**params).encode()
        files.put(
            name=f"Upload {basename}",
            src=io.BytesIO(content),
            dest=f"/etc/systemd/system/{basename}",
            **root_owned,
        )
 def activate_remote_units(units) -> None:
    # activate systemd units
    for fn in units:
        basename = fn if "." in fn else f"{fn}.service"
        if fn == "chatmail-expire" or fn == "chatmail-fsreport":
            # don't auto-start but let the corresponding timer trigger execution
            enabled = False
        else:
            enabled = True
        systemd.service(
            name=f"Setup {basename}",
            service=basename,
            running=enabled,
            enabled=enabled,
            restarted=enabled,
            daemon_reload=True,
        )
 class Deployment:
--- a/cmdeploy/src/cmdeploy/chatmail.zone.j2
+++ b/cmdeploy/src/cmdeploy/chatmail.zone.j2
@@ -8,8 +8,10 @@
 {{ mail_domain }}.                   AAAA  {{ AAAA }}
 {% endif %}
 {{ mail_domain }}.                   MX 10 {{ mail_domain }}.
 {% if strict_tls %}
 _mta-sts.{{ mail_domain }}.          TXT "v=STSv1; id={{ sts_id }}"
 mta-sts.{{ mail_domain }}.           CNAME {{ mail_domain }}.
 {% endif %}
 www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
 {{ dkim_entry }}
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -71,6 +71,11 @@ def run_cmd_options(parser):
        action="store_true",
        help="install/upgrade the server, but disable postfix & dovecot for now",
    )
    parser.add_argument(
        "--website-only",
        action="store_true",
        help="only update/deploy the website, skipping full server upgrade/deployment, useful when you only changed/updated the web pages and don't need to re-run a full server upgrade",
    )
    parser.add_argument(
        "--skip-dns-check",
        dest="dns_check_disabled",
@@ -86,15 +91,20 @@ def run_cmd(args, out):
    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host)
    require_iroh = args.config.enable_iroh_relay
    strict_tls = args.config.tls_cert_mode == "acme"
    if not args.dns_check_disabled:
        remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        if not dns.check_initial_remote_data(remote_data, print=out.red):
+        if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
            return 1
    env = os.environ.copy()
    env["CHATMAIL_INI"] = args.inipath
    env["CHATMAIL_WEBSITE_ONLY"] = "True" if args.website_only else ""
    env["CHATMAIL_DISABLE_MAIL"] = "True" if args.disable_mail else ""
    env["CHATMAIL_REQUIRE_IROH"] = "True" if require_iroh else ""
    if not args.dns_check_disabled:
        env["CHATMAIL_ADDR_V4"] = remote_data.get("A") or ""
        env["CHATMAIL_ADDR_V6"] = remote_data.get("AAAA") or ""
    deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
@@ -108,18 +118,14 @@ def run_cmd(args, out):
    try:
        retcode = out.check_call(cmd, env=env)
        if args.website_only:
            if retcode == 0:
-            if not args.disable_mail:
+                out.green("Website deployment completed.")
-                print("\nYou can try out the relay by talking to this echo bot: ")
+            else:
-                sshexec = SSHExec(args.config.mail_domain, verbose=args.verbose)
+                out.red("Website deployment failed.")
-                print(
+        elif retcode == 0:
                    sshexec(
                        call=remote.rshell.shell,
                        kwargs=dict(command="cat /var/lib/echobot/invite-link.txt"),
                    )
                )
            out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not remote_data["acme_account_url"]:
+        elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
            out.red("Deploy completed but letsencrypt not configured")
            out.red("Run 'cmdeploy run' again")
            retcode = 0
@@ -146,11 +152,13 @@ def dns_cmd(args, out):
    """Check DNS entries and optionally generate dns zone file."""
    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    tls_cert_mode = args.config.tls_cert_mode
    strict_tls = tls_cert_mode == "acme"
    remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-    if not remote_data:
+    if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls):
        return 1
-    if not remote_data["acme_account_url"]:
+    if strict_tls and not remote_data["acme_account_url"]:
        out.red("could not get letsencrypt account url, please run 'cmdeploy run'")
        return 1
@@ -158,6 +166,7 @@ def dns_cmd(args, out):
        out.red("could not determine dkim_entry, please run 'cmdeploy run'")
        return 1
    remote_data["strict_tls"] = strict_tls
    zonefile = dns.get_filled_zone_file(remote_data)
    if args.zonefile:
@@ -198,6 +207,7 @@ def test_cmd_options(parser):
        action="store_true",
        help="also run slow tests",
    )
    add_ssh_host_option(parser)
 def test_cmd(args, out):
@@ -209,6 +219,9 @@ def test_cmd(args, out):
    x = importlib.util.find_spec("deltachat")
    if x is None:
        out.check_call(f"{sys.executable} -m pip install deltachat")
    env = os.environ.copy()
    if args.ssh_host:
        env["CHATMAIL_SSH"] = args.ssh_host
    pytest_path = shutil.which("pytest")
    pytest_args = [
@@ -222,7 +235,7 @@ def test_cmd(args, out):
    ]
    if args.slow:
        pytest_args.append("--slow")
-    ret = out.run_ret(pytest_args)
+    ret = out.run_ret(pytest_args, env=env)
    return ret
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -2,32 +2,43 @@
 Chat Mail pyinfra deploy.
 """
 import importlib.resources
 import io
 import shutil
 import subprocess
 import sys
 from io import StringIO
 from pathlib import Path
-from chatmaild.config import Config, read_config
+from chatmaild.config import read_config
 from pyinfra import facts, host, logger
 from pyinfra.facts import hardware
 from pyinfra.api import FactBase
-from pyinfra.facts.files import File, Sha256File
+from pyinfra.facts.files import Sha256File
 from pyinfra.facts.server import Sysctl
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
 from cmdeploy.cmdeploy import Out
 from .acmetool import AcmetoolDeployer
-from .basedeploy import Deployer, Deployment
+from .selfsigned.deployer import SelfSignedTlsDeployer
 from .basedeploy import (
    Deployer,
    Deployment,
    activate_remote_units,
    configure_remote_units,
    get_resource,
 )
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
 from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .www import build_webpages, find_merge_conflict, get_paths
 class Port(FactBase):
    """
-    Returns the process occuping a port.
+    Returns the process occupying a port.
    """
    def command(self, port: int) -> str:
@@ -40,10 +51,6 @@ class Port(FactBase):
        return output[0]
 def get_resource(arg, pkg=__package__):
    return importlib.resources.files(pkg).joinpath(arg)
 def _build_chatmaild(dist_dir) -> None:
    dist_dir = Path(dist_dir).resolve()
    if dist_dir.exists():
@@ -135,172 +142,11 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
    )
-def _configure_remote_units(mail_domain, units) -> None:
+class UnboundDeployer(Deployer):
-    remote_base_dir = "/usr/local/lib/chatmaild"
+    def __init__(self, config):
-    remote_venv_dir = f"{remote_base_dir}/venv"
+        self.config = config
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
    # install systemd units
    for fn in units:
        execpath = fn if fn != "filtermail-incoming" else "filtermail"
        params = dict(
            execpath=f"{remote_venv_dir}/bin/{execpath}",
            config_path=remote_chatmail_inipath,
            remote_venv_dir=remote_venv_dir,
            mail_domain=mail_domain,
        )
        basename = fn if "." in fn else f"{fn}.service"
        source_path = get_resource(f"service/{basename}.f")
        content = source_path.read_text().format(**params).encode()
        files.put(
            name=f"Upload {basename}",
            src=io.BytesIO(content),
            dest=f"/etc/systemd/system/{basename}",
            **root_owned,
        )
 def _activate_remote_units(units) -> None:
    # activate systemd units
    for fn in units:
        basename = fn if "." in fn else f"{fn}.service"
        if fn == "chatmail-expire" or fn == "chatmail-fsreport":
            # don't auto-start but let the corresponding timer trigger execution
            enabled = False
        else:
            enabled = True
        systemd.service(
            name=f"Setup {basename}",
            service=basename,
            running=enabled,
            enabled=enabled,
            restarted=enabled,
            daemon_reload=True,
        )
 def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
    """Configures OpenDKIM"""
    need_restart = False
    main_config = files.template(
        src=get_resource("opendkim/opendkim.conf"),
        dest="/etc/opendkim.conf",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= main_config.changed
    screen_script = files.put(
        src=get_resource("opendkim/screen.lua"),
        dest="/etc/opendkim/screen.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= screen_script.changed
    final_script = files.put(
        src=get_resource("opendkim/final.lua"),
        dest="/etc/opendkim/final.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= final_script.changed
    files.directory(
        name="Add opendkim directory to /etc",
        path="/etc/opendkim",
        user="opendkim",
        group="opendkim",
        mode="750",
        present=True,
    )
    keytable = files.template(
        src=get_resource("opendkim/KeyTable"),
        dest="/etc/dkimkeys/KeyTable",
        user="opendkim",
        group="opendkim",
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= keytable.changed
    signing_table = files.template(
        src=get_resource("opendkim/SigningTable"),
        dest="/etc/dkimkeys/SigningTable",
        user="opendkim",
        group="opendkim",
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= signing_table.changed
    files.directory(
        name="Add opendkim socket directory to /var/spool/postfix",
        path="/var/spool/postfix/opendkim",
        user="opendkim",
        group="opendkim",
        mode="750",
        present=True,
    )
    if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
        server.shell(
            name="Generate OpenDKIM domain keys",
            commands=[
                f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
            ],
            _use_su_login=True,
            _su_user="opendkim",
        )
    service_file = files.put(
        name="Configure opendkim to restart once a day",
        src=get_resource("opendkim/systemd.conf"),
        dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
    )
    need_restart |= service_file.changed
    return need_restart
 class OpendkimDeployer(Deployer):
    required_users = [("opendkim", None, ["opendkim"])]
    def __init__(self, mail_domain):
        self.mail_domain = mail_domain
    def install(self):
        apt.packages(
            name="apt install opendkim opendkim-tools",
            packages=["opendkim", "opendkim-tools"],
        )
    def configure(self):
        self.need_restart = _configure_opendkim(self.mail_domain, "opendkim")
    def activate(self):
        systemd.service(
            name="Start and enable OpenDKIM",
            service="opendkim.service",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class UnboundDeployer(Deployer):
    def install(self):
        # Run local DNS resolver `unbound`.
        # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -337,6 +183,27 @@ class UnboundDeployer(Deployer):
                "unbound-anchor -a /var/lib/unbound/root.key || true",
            ],
        )
        if self.config.disable_ipv6:
            files.directory(
                path="/etc/unbound/unbound.conf.d",
                present=True,
                user="root",
                group="root",
                mode="755",
            )
            conf = files.put(
                src=get_resource("unbound/unbound.conf.j2"),
                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
                user="root",
                group="root",
                mode="644",
            )
        else:
            conf = files.file(
                path="/etc/unbound/unbound.conf.d/chatmail.conf",
                present=False,
            )
        self.need_restart |= conf.changed
    def activate(self):
        server.shell(
@@ -351,6 +218,7 @@ class UnboundDeployer(Deployer):
            service="unbound.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
@@ -371,320 +239,6 @@ class MtastsDeployer(Deployer):
        )
 def _configure_postfix(config: Config, debug: bool = False) -> bool:
    """Configures Postfix SMTP server."""
    need_restart = False
    main_config = files.template(
        src=get_resource("postfix/main.cf.j2"),
        dest="/etc/postfix/main.cf",
        user="root",
        group="root",
        mode="644",
        config=config,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
    master_config = files.template(
        src=get_resource("postfix/master.cf.j2"),
        dest="/etc/postfix/master.cf",
        user="root",
        group="root",
        mode="644",
        debug=debug,
        config=config,
    )
    need_restart |= master_config.changed
    header_cleanup = files.put(
        src=get_resource("postfix/submission_header_cleanup"),
        dest="/etc/postfix/submission_header_cleanup",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= header_cleanup.changed
    # Login map that 1:1 maps email address to login.
    login_map = files.put(
        src=get_resource("postfix/login_map"),
        dest="/etc/postfix/login_map",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= login_map.changed
    return need_restart
 class PostfixDeployer(Deployer):
    required_users = [("postfix", None, ["opendkim"])]
    def __init__(self, config, disable_mail):
        self.config = config
        self.disable_mail = disable_mail
    def install(self):
        apt.packages(
            name="Install Postfix",
            packages="postfix",
        )
    def configure(self):
        self.need_restart = _configure_postfix(self.config)
    def activate(self):
        restart = False if self.disable_mail else self.need_restart
        systemd.service(
            name="disable postfix for now"
            if self.disable_mail
            else "Start and enable Postfix",
            service="postfix.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
        )
        self.need_restart = False
 def _install_dovecot_package(package: str, arch: str):
    arch = "amd64" if arch == "x86_64" else arch
    arch = "arm64" if arch == "aarch64" else arch
    url = f"https://download.delta.chat/dovecot/dovecot-{package}_2.3.21%2Bdfsg1-3_{arch}.deb"
    deb_filename = "/root/" + url.split("/")[-1]
    match (package, arch):
        case ("core", "amd64"):
            sha256 = "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d"
        case ("core", "arm64"):
            sha256 = "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9"
        case ("imapd", "amd64"):
            sha256 = "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86"
        case ("imapd", "arm64"):
            sha256 = "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f"
        case ("lmtpd", "amd64"):
            sha256 = "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab"
        case ("lmtpd", "arm64"):
            sha256 = "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f"
        case _:
            apt.packages(packages=[f"dovecot-{package}"])
            return
    files.download(
        name=f"Download dovecot-{package}",
        src=url,
        dest=deb_filename,
        sha256sum=sha256,
        cache_time=60 * 60 * 24 * 365 * 10,  # never redownload the package
    )
    apt.deb(name=f"Install dovecot-{package}", src=deb_filename)
 def _configure_dovecot(config: Config, debug: bool = False) -> bool:
    """Configures Dovecot IMAP server."""
    need_restart = False
    main_config = files.template(
        src=get_resource("dovecot/dovecot.conf.j2"),
        dest="/etc/dovecot/dovecot.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        debug=debug,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
    auth_config = files.put(
        src=get_resource("dovecot/auth.conf"),
        dest="/etc/dovecot/auth.conf",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= auth_config.changed
    lua_push_notification_script = files.put(
        src=get_resource("dovecot/push_notification.lua"),
        dest="/etc/dovecot/push_notification.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= lua_push_notification_script.changed
    # as per https://doc.dovecot.org/configuration_manual/os/
    # it is recommended to set the following inotify limits
    for name in ("max_user_instances", "max_user_watches"):
        key = f"fs.inotify.{name}"
        if host.get_fact(Sysctl)[key] > 65535:
            # Skip updating limits if already sufficient
            # (enables running in incus containers where sysctl readonly)
            continue
        server.sysctl(
            name=f"Change {key}",
            key=key,
            value=65535,
            persist=True,
        )
    timezone_env = files.line(
        name="Set TZ environment variable",
        path="/etc/environment",
        line="TZ=:/etc/localtime",
    )
    need_restart |= timezone_env.changed
    return need_restart
 class DovecotDeployer(Deployer):
    def __init__(self, config, disable_mail):
        self.config = config
        self.disable_mail = disable_mail
        self.units = ["doveauth"]
    def install(self):
        arch = host.get_fact(facts.server.Arch)
        if not "dovecot.service" in host.get_fact(SystemdEnabled):
            _install_dovecot_package("core", arch)
            _install_dovecot_package("imapd", arch)
            _install_dovecot_package("lmtpd", arch)
    def configure(self):
        _configure_remote_units(self.config.mail_domain, self.units)
        self.need_restart = _configure_dovecot(self.config)
    def activate(self):
        _activate_remote_units(self.units)
        restart = False if self.disable_mail else self.need_restart
        systemd.service(
            name="disable dovecot for now"
            if self.disable_mail
            else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
        )
        self.need_restart = False
 def _configure_nginx(config: Config, debug: bool = False) -> bool:
    """Configures nginx HTTP server."""
    need_restart = False
    main_config = files.template(
        src=get_resource("nginx/nginx.conf.j2"),
        dest="/etc/nginx/nginx.conf",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": config.mail_domain},
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
    autoconfig = files.template(
        src=get_resource("nginx/autoconfig.xml.j2"),
        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": config.mail_domain},
    )
    need_restart |= autoconfig.changed
    mta_sts_config = files.template(
        src=get_resource("nginx/mta-sts.txt.j2"),
        dest="/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": config.mail_domain},
    )
    need_restart |= mta_sts_config.changed
    # install CGI newemail script
    #
    cgi_dir = "/usr/lib/cgi-bin"
    files.directory(
        name=f"Ensure {cgi_dir} exists",
        path=cgi_dir,
        user="root",
        group="root",
    )
    files.put(
        name="Upload cgi newemail.py script",
        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
        dest=f"{cgi_dir}/newemail.py",
        user="root",
        group="root",
        mode="755",
    )
    return need_restart
 class NginxDeployer(Deployer):
    def __init__(self, config):
        self.config = config
    def install(self):
        #
        # If we allow nginx to start up on install, it will grab port
        # 80, which then will block acmetool from listening on the port.
        # That in turn prevents getting certificates, which then causes
        # an error when we try to start nginx on the custom config
        # that leaves port 80 open but also requires certificates to
        # be present.  To avoid getting into that interlocking mess,
        # we use policy-rc.d to prevent nginx from starting up when it
        # is installed.
        #
        # This approach allows us to avoid performing any explicit
        # systemd operations during the install stage (as opposed to
        # allowing it to start and then forcing it to stop), which allows
        # the install stage to run in non-systemd environments like a
        # container image build.
        #
        # For documentation about policy-rc.d, see:
        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
        #
        files.put(
            src=get_resource("policy-rc.d"),
            dest="/usr/sbin/policy-rc.d",
            user="root",
            group="root",
            mode="755",
        )
        apt.packages(
            name="Install nginx",
            packages=["nginx", "libnginx-mod-stream"],
        )
        files.file("/usr/sbin/policy-rc.d", present=False)
    def configure(self):
        self.need_restart = _configure_nginx(self.config)
    def activate(self):
        systemd.service(
            name="Start and enable nginx",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class WebsiteDeployer(Deployer):
    def __init__(self, config):
        self.config = config
@@ -745,6 +299,14 @@ class LegacyRemoveDeployer(Deployer):
            path="/var/log/journal/",
            present=False,
        )
        # remove echobot if it is still running
        if host.get_fact(SystemdEnabled).get("echobot.service"):
            systemd.service(
                name="Disable echobot.service",
                service="echobot.service",
                running=False,
                enabled=False,
            )
 def check_config(config):
@@ -790,71 +352,10 @@ class TurnDeployer(Deployer):
            )
    def configure(self):
-        _configure_remote_units(self.mail_domain, self.units)
+        configure_remote_units(self.mail_domain, self.units)
    def activate(self):
-        _activate_remote_units(self.units)
+        activate_remote_units(self.units)
 class MtailDeployer(Deployer):
    def __init__(self, mtail_address):
        self.mtail_address = mtail_address
    def install(self):
        # Uninstall mtail package to install a static binary.
        apt.packages(name="Uninstall mtail", packages=["mtail"], present=False)
        (url, sha256sum) = {
            "x86_64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
            ),
            "aarch64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
            ),
        }[host.get_fact(facts.server.Arch)]
        server.shell(
            name="Download mtail",
            commands=[
                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
                "chmod 755 /usr/local/bin/mtail",
            ],
        )
    def configure(self):
        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
        # This allows to read from journalctl instead of log files.
        files.template(
            src=get_resource("mtail/mtail.service.j2"),
            dest="/etc/systemd/system/mtail.service",
            user="root",
            group="root",
            mode="644",
            address=self.mtail_address or "127.0.0.1",
            port=3903,
        )
        mtail_conf = files.put(
            name="Mtail configuration",
            src=get_resource("mtail/delivered_mail.mtail"),
            dest="/etc/mtail/delivered_mail.mtail",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = mtail_conf.changed
    def activate(self):
        systemd.service(
            name="Start and enable mtail",
            service="mtail.service",
            running=bool(self.mtail_address),
            enabled=bool(self.mtail_address),
            restarted=self.need_restart,
        )
        self.need_restart = False
 class IrohDeployer(Deployer):
@@ -940,36 +441,10 @@ class JournaldDeployer(Deployer):
        self.need_restart = False
 class EchobotDeployer(Deployer):
    #
    # This deployer depends on the dovecot and postfix deployers because
    # it needs to base its decision of whether to restart the service on
    # whether those two services were restarted.
    #
    def __init__(self, mail_domain):
        self.mail_domain = mail_domain
        self.units = ["echobot"]
    def install(self):
        apt.packages(
            # required for setfacl for echobot
            name="Install acl",
            packages="acl",
        )
    def configure(self):
        _configure_remote_units(self.mail_domain, self.units)
    def activate(self):
        _activate_remote_units(self.units)
 class ChatmailVenvDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.units = (
            "filtermail",
            "filtermail-incoming",
            "chatmail-metadata",
            "lastlogin",
            "chatmail-expire",
@@ -983,16 +458,15 @@ class ChatmailVenvDeployer(Deployer):
    def configure(self):
        _configure_remote_venv_with_chatmaild(self.config)
-        _configure_remote_units(self.config.mail_domain, self.units)
+        configure_remote_units(self.config.mail_domain, self.units)
    def activate(self):
-        _activate_remote_units(self.units)
+        activate_remote_units(self.units)
 class ChatmailDeployer(Deployer):
    required_users = [
        ("vmail", "vmail", None),
        ("echobot", None, None),
        ("iroh", None, None),
    ]
@@ -1055,40 +529,59 @@ class GithashDeployer(Deployer):
        except Exception:
            git_diff = ""
        files.put(
-            name="Upload chatmail relay git commiit hash",
+            name="Upload chatmail relay git commit hash",
            src=StringIO(git_hash + git_diff),
            dest="/etc/chatmail-version",
            mode="700",
        )
-def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
+def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -> None:
    """Deploy a chat-mail instance.
    :param config_path: path to chatmail.ini
    :param disable_mail: whether to disable postfix & dovecot
    :param website_only: if True, only deploy the website
    """
    config = read_config(config_path)
    check_config(config)
    mail_domain = config.mail_domain
    if website_only:
        Deployment().perform_stages([WebsiteDeployer(config)])
        return
    if host.get_fact(Port, port=53) != "unbound":
        files.line(
            name="Add 9.9.9.9 to resolv.conf",
            path="/etc/resolv.conf",
-            line="nameserver 9.9.9.9",
+            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
            line="\nnameserver 9.9.9.9",
        )
    # Check if mtail_address interface is available (if configured)
    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
        ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
        all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
        if config.mtail_address not in all_addresses:
            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
            exit(1)
    port_services = [
        (["master", "smtpd"], 25),
        ("unbound", 53),
-        ("acmetool", 80),
+    ]
    if config.tls_cert_mode == "acme":
        port_services.append(("acmetool", 80))
    port_services += [
        (["imap-login", "dovecot"], 143),
        ("nginx", 443),
        (["master", "smtpd"], 465),
        (["master", "smtpd"], 587),
        (["imap-login", "dovecot"], 993),
        ("iroh-relay", 3340),
        ("mtail", 3903),
        ("stats", 3904),
        ("nginx", 8443),
        (["master", "smtpd"], config.postfix_reinject_port),
        (["master", "smtpd"], config.postfix_reinject_port_incoming),
@@ -1098,8 +591,9 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
    for service, port in port_services:
        print(f"Checking if port {port} is available for {service}...")
        running_service = host.get_fact(Port, port=port)
        services = [service] if isinstance(service, str) else service
        if running_service:
-            if running_service not in service:
+            if running_service not in services:
                Out().red(
                    f"Deploy failed: port {port} is occupied by: {running_service}"
                )
@@ -1107,14 +601,20 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
    if config.tls_cert_mode == "acme":
        tls_deployer = AcmetoolDeployer(config.acme_email, tls_domains)
    else:
        tls_deployer = SelfSignedTlsDeployer(mail_domain)
    all_deployers = [
        ChatmailDeployer(mail_domain),
        LegacyRemoveDeployer(),
        FiltermailDeployer(),
        JournaldDeployer(),
-        UnboundDeployer(),
+        UnboundDeployer(config),
        TurnDeployer(mail_domain),
        IrohDeployer(config.enable_iroh_relay),
-        AcmetoolDeployer(config.acme_email, tls_domains),
+        tls_deployer,
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
@@ -1126,10 +626,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
        PostfixDeployer(config, disable_mail),
        FcgiwrapDeployer(),
        NginxDeployer(config),
        EchobotDeployer(mail_domain),
        MtailDeployer(config.mtail_address),
        GithashDeployer(),
    ]
    Deployment().perform_stages(all_deployers)
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -12,14 +12,14 @@ def get_initial_remote_data(sshexec, mail_domain):
    )
-def check_initial_remote_data(remote_data, *, print=print):
+def check_initial_remote_data(remote_data, *, strict_tls=True, print=print):
    mail_domain = remote_data["mail_domain"]
    if not remote_data["A"] and not remote_data["AAAA"]:
        print(f"Missing A and/or AAAA DNS records for {mail_domain}!")
-    elif remote_data["MTA_STS"] != f"{mail_domain}.":
+    elif strict_tls and remote_data["MTA_STS"] != f"{mail_domain}.":
        print("Missing MTA-STS CNAME record:")
        print(f"mta-sts.{mail_domain}.   CNAME  {mail_domain}.")
-    elif remote_data["WWW"] != f"{mail_domain}.":
+    elif strict_tls and remote_data["WWW"] != f"{mail_domain}.":
        print("Missing www CNAME record:")
        print(f"www.{mail_domain}.   CNAME  {mail_domain}.")
    else:
--- a/cmdeploy/src/cmdeploy/dovecot/auth.conf
+++ b/cmdeploy/src/cmdeploy/dovecot/auth.conf
@@ -4,7 +4,7 @@ iterate_prefix = userdb/
 default_pass_scheme = plain
 # %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
-# See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
+# See <https://doc.dovecot.org/2.3/configuration_manual/config_file/config_variables/#modifiers>
 # for documentation.
 #
 # We escape user-provided input and use double quote as a separator.
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -0,0 +1,153 @@
 from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.server import Arch, Sysctl
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, server, systemd
 from cmdeploy.basedeploy import (
    Deployer,
    activate_remote_units,
    configure_remote_units,
    get_resource,
 )
 class DovecotDeployer(Deployer):
    daemon_reload = False
    def __init__(self, config, disable_mail):
        self.config = config
        self.disable_mail = disable_mail
        self.units = ["doveauth"]
    def install(self):
        arch = host.get_fact(Arch)
        if not host.get_fact(SystemdEnabled).get("dovecot.service"):
            _install_dovecot_package("core", arch)
            _install_dovecot_package("imapd", arch)
            _install_dovecot_package("lmtpd", arch)
    def configure(self):
        configure_remote_units(self.config.mail_domain, self.units)
        self.need_restart, self.daemon_reload = _configure_dovecot(self.config)
    def activate(self):
        activate_remote_units(self.units)
        restart = False if self.disable_mail else self.need_restart
        systemd.service(
            name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
 def _install_dovecot_package(package: str, arch: str):
    arch = "amd64" if arch == "x86_64" else arch
    arch = "arm64" if arch == "aarch64" else arch
    url = f"https://download.delta.chat/dovecot/dovecot-{package}_2.3.21%2Bdfsg1-3_{arch}.deb"
    deb_filename = "/root/" + url.split("/")[-1]
    match (package, arch):
        case ("core", "amd64"):
            sha256 = "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d"
        case ("core", "arm64"):
            sha256 = "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9"
        case ("imapd", "amd64"):
            sha256 = "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86"
        case ("imapd", "arm64"):
            sha256 = "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f"
        case ("lmtpd", "amd64"):
            sha256 = "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab"
        case ("lmtpd", "arm64"):
            sha256 = "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f"
        case _:
            apt.packages(packages=[f"dovecot-{package}"])
            return
    files.download(
        name=f"Download dovecot-{package}",
        src=url,
        dest=deb_filename,
        sha256sum=sha256,
        cache_time=60 * 60 * 24 * 365 * 10,  # never redownload the package
    )
    apt.deb(name=f"Install dovecot-{package}", src=deb_filename)
 def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
    """Configures Dovecot IMAP server."""
    need_restart = False
    daemon_reload = False
    main_config = files.template(
        src=get_resource("dovecot/dovecot.conf.j2"),
        dest="/etc/dovecot/dovecot.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        debug=debug,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
    auth_config = files.put(
        src=get_resource("dovecot/auth.conf"),
        dest="/etc/dovecot/auth.conf",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= auth_config.changed
    lua_push_notification_script = files.put(
        src=get_resource("dovecot/push_notification.lua"),
        dest="/etc/dovecot/push_notification.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= lua_push_notification_script.changed
    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
    # it is recommended to set the following inotify limits
    for name in ("max_user_instances", "max_user_watches"):
        key = f"fs.inotify.{name}"
        if host.get_fact(Sysctl)[key] > 65535:
            # Skip updating limits if already sufficient
            # (enables running in incus containers where sysctl readonly)
            continue
        server.sysctl(
            name=f"Change {key}",
            key=key,
            value=65535,
            persist=True,
        )
    timezone_env = files.line(
        name="Set TZ environment variable",
        path="/etc/environment",
        line="TZ=:/etc/localtime",
    )
    need_restart |= timezone_env.changed
    restart_conf = files.put(
        name="dovecot: restart automatically on failure",
        src=get_resource("service/10_restart.conf"),
        dest="/etc/systemd/system/dovecot.service.d/10_restart.conf",
    )
    daemon_reload |= restart_conf.changed
    # Validate dovecot configuration before restart
    if need_restart:
        server.shell(
            name="Validate dovecot configuration",
            commands=["doveconf -n >/dev/null"],
        )
    return need_restart, daemon_reload
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,7 +1,7 @@
 ## Dovecot configuration file
 {% if disable_ipv6 %}
-listen = *
+listen = 0.0.0.0
 {% endif %}
 protocols = imap lmtp
@@ -26,7 +26,7 @@ default_client_limit = 20000
 # Increase number of logged in IMAP connections.
 # Each connection is handled by a separate `imap` process.
 # `imap` process should have `client_limit=1` as described in
-# <https://doc.dovecot.org/configuration_manual/service_configuration/#service-limits>
+# <https://doc.dovecot.org/2.3/configuration_manual/service_configuration/#service-limits>
 # so each logged in IMAP session will need its own `imap` process.
 #
 # If this limit is reached,
@@ -44,11 +44,11 @@ mail_server_comment = Chatmail server
 # `zlib` enables compressing messages stored in the maildir.
 # See
-# <https://doc.dovecot.org/configuration_manual/zlib_plugin/>
+# <https://doc.dovecot.org/2.3/configuration_manual/zlib_plugin/>
 # for documentation.
 #
 # quota plugin documentation:
-# <https://doc.dovecot.org/configuration_manual/quota_plugin/>
+# <https://doc.dovecot.org/2.3/configuration_manual/quota_plugin/>
 mail_plugins = zlib quota
 imap_capability = +XDELTAPUSH XCHATMAIL
@@ -113,7 +113,7 @@ mail_attribute_dict = proxy:/run/chatmail-metadata/metadata.socket:metadata
 # `imap_zlib` enables IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
-  mail_plugins = $mail_plugins imap_zlib imap_quota last_login
+  mail_plugins = $mail_plugins imap_quota last_login {% if config.imap_compress %}imap_zlib{% endif %}
  imap_metadata = yes
 }
@@ -125,13 +125,13 @@ plugin {
 protocol lmtp {
  # notify plugin is a dependency of push_notification plugin:
-  # <https://doc.dovecot.org/settings/plugin/notify-plugin/>
+  # <https://doc.dovecot.org/2.3/settings/plugin/notify-plugin/>
  #
  # push_notification plugin documentation:
-  # <https://doc.dovecot.org/configuration_manual/push_notification/>
+  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/>
  #
  # mail_lua and push_notification_lua are needed for Lua push notification handler.
-  # <https://doc.dovecot.org/configuration_manual/push_notification/#configuration>
+  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/#configuration>
  mail_plugins = $mail_plugins mail_lua notify push_notification push_notification_lua
 }
@@ -154,7 +154,7 @@ plugin {
 # push_notification configuration
 plugin {
-  # <https://doc.dovecot.org/configuration_manual/push_notification/#lua-lua>
+  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/#lua-lua>
  push_notification_driver = lua:file=/etc/dovecot/push_notification.lua
 }
@@ -168,6 +168,8 @@ service lmtp {
  }
 }
 lmtp_add_received_header = no
 service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
@@ -226,8 +228,8 @@ service anvil {
 }
 ssl = required
-ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
+ssl_cert = <{{ config.tls_cert_path }}
-ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
+ssl_key = <{{ config.tls_key_path }}
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = yes
@@ -252,3 +254,181 @@ protocol imap {
  rawlog_dir = %h 
 } 
 {% endif %}
 {% if not config.imap_compress %}
 # Hibernate IDLE users to save memory and CPU resources
 # NOTE: this will have no effect if imap_zlib plugin is used
 imap_hibernate_timeout = 30s
 service imap {
  # Note that this change will allow any process running as
  # $default_internal_user (dovecot) to access mails as any other user.
  # This may be insecure in some installations, which is why this isn't
  # done by default.
  unix_listener imap-master {
    user = $default_internal_user
  }
 }
 # The following is the default already in v2.3.1+:
 service imap {
  extra_groups = $default_internal_group
 }
 service imap-hibernate {
  unix_listener imap-hibernate {
    mode = 0660
    group = $default_internal_group
  }
 }
 {% endif %}
 {% if config.mtail_address %}
 #
 # Dovecot Statistics
 #
 # OpenMetrics endpoint at http://{{- config.mtail_address}}:3904/metrics
 service stats {
  inet_listener http {
    port = 3904
    address = {{- config.mtail_address}}
  }
 }
 # IMAP Command Metrics
 # - Bytes in/out for compression efficiency analysis
 # - Lock wait time for contention debugging
 # - Grouped by command name and reply state
 metric imap_command {
  filter = event=imap_command_finished
  fields = bytes_in bytes_out lock_wait_usecs running_usecs
  group_by = cmd_name tagged_reply_state
 }
 # Duration buckets for latency histograms (base 10: 10us, 100us, 1ms, 10ms, 100ms, 1s, 10s, 100s)
 metric imap_command_duration {
  filter = event=imap_command_finished
  group_by = cmd_name duration:exponential:1:8:10
 }
 # Slow command outliers (>1 second = 1000000 usecs)
 # Useful for alerting without high cardinality
 metric imap_command_slow {
  filter = event=imap_command_finished AND duration>1000000 AND NOT cmd_name=IDLE
  group_by = cmd_name
 }
 # IDLE-specific Metrics
 metric imap_idle {
  filter = event=imap_command_finished AND cmd_name=IDLE
  fields = bytes_in bytes_out running_usecs
  group_by = tagged_reply_state
 }
 metric imap_idle_duration {
  filter = event=imap_command_finished AND cmd_name=IDLE
  # Base 10: 100ms to 27h (covers short wakeups to long idle sessions)
  group_by = duration:exponential:5:11:10
 }
 metric imap_idle_commands {
  filter = event=imap_command_finished AND cmd_name=IDLE
  group_by = tagged_reply_state
 }
 metric imap_idle_failed {
  filter = event=imap_command_finished AND cmd_name=IDLE AND NOT tagged_reply_state=OK
 }
 # Hibernation Metrics (requires imap_hibernate_timeout)
 metric imap_hibernated {
  filter = event=imap_client_hibernated
 }
 metric imap_hibernated_failed {
  filter = event=imap_client_hibernated AND error=*
 }
 metric imap_unhibernated {
  filter = event=imap_client_unhibernated
  fields = hibernation_usecs
 }
 metric imap_unhibernated_reason {
  filter = event=imap_client_unhibernated
  group_by = reason
  fields = hibernation_usecs
 }
 metric imap_unhibernated_reason_sleep {
  filter = event=imap_client_unhibernated
  group_by = reason hibernation_usecs:exponential:4:8:10
 }
 metric imap_unhibernated_failed {
  filter = event=imap_client_unhibernated AND error=*
 }
 # Hibernation duration buckets (how long clients stayed hibernated)
 # Base 10: 100ms to 27h
 metric imap_hibernation_duration {
  filter = event=imap_client_unhibernated
  group_by = reason duration:exponential:5:11:10
 }
 # Authentication / Login Metrics
 metric auth_request {
  filter = event=auth_request_finished
  group_by = success
 }
 metric auth_request_duration {
  filter = event=auth_request_finished
  group_by = success duration:exponential:2:6:10
 }
 metric auth_failed {
  filter = event=auth_request_finished AND success=no
 }
 # Passdb cache effectiveness
 metric auth_passdb {
  filter = event=auth_passdb_request_finished
  group_by = result cache
 }
 # Master login (post-auth userdb lookup)
 metric auth_master_login {
  filter = event=auth_master_client_login_finished
 }
 metric auth_master_login_failed {
  filter = event=auth_master_client_login_finished AND error=*
 }
 # Mail Delivery (LMTP) - affects IDLE wakeup latency
 metric mail_delivery {
  filter = event=mail_delivery_finished
 }
 metric mail_delivery_duration {
  filter = event=mail_delivery_finished
  group_by = duration:exponential:3:7:10
 }
 metric mail_delivery_failed {
  filter = event=mail_delivery_finished AND error=*
 }
 # Connection Events
 metric client_connected {
  filter = event=client_connection_connected AND category="service:imap"
 }
 metric client_disconnected {
  filter = event=client_connection_disconnected AND category="service:imap"
  fields = bytes_in bytes_out
 }
 {% endif %}
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -0,0 +1,52 @@
 from pyinfra import facts, host
 from pyinfra.operations import files, systemd
 from cmdeploy.basedeploy import Deployer, get_resource
 class FiltermailDeployer(Deployer):
    services = ["filtermail", "filtermail-incoming"]
    bin_path = "/usr/local/bin/filtermail"
    config_path = "/usr/local/lib/chatmaild/chatmail.ini"
    def __init__(self):
        self.need_restart = False
    def install(self):
        arch = host.get_fact(facts.server.Arch)
        url = f"https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-{arch}"
        sha256sum = {
            "x86_64": "f14a31323ae2dad3b59d3fdafcde507521da2f951a9478cd1f2fe2b4463df71d",
            "aarch64": "933770d75046c4fd7084ce8d43f905f8748333426ad839154f0fc654755ef09f",
        }[arch]
        self.need_restart |= files.download(
            name="Download filtermail",
            src=url,
            sha256sum=sha256sum,
            dest=self.bin_path,
            mode="755",
        ).changed
    def configure(self):
        for service in self.services:
            self.need_restart |= files.template(
                src=get_resource(f"filtermail/{service}.service.j2"),
                dest=f"/etc/systemd/system/{service}.service",
                user="root",
                group="root",
                mode="644",
                bin_path=self.bin_path,
                config_path=self.config_path,
            ).changed
    def activate(self):
        for service in self.services:
            systemd.service(
                name=f"Start and enable {service}",
                service=f"{service}.service",
                running=True,
                enabled=True,
                restarted=self.need_restart,
                daemon_reload=True,
            )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
@@ -2,11 +2,10 @@
 Description=Incoming Chatmail Postfix before queue filter 
 [Service]
-ExecStart={execpath} {config_path} incoming
+ExecStart={{ bin_path }} {{ config_path }} incoming
 Restart=always
 RestartSec=30
 User=vmail
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
@@ -2,7 +2,7 @@
 Description=Outgoing Chatmail Postfix before queue filter
 [Service]
-ExecStart={execpath} {config_path} outgoing
+ExecStart={{ bin_path }} {{ config_path }} outgoing
 Restart=always
 RestartSec=30
 User=vmail
--- a/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
+++ b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
@@ -44,21 +44,37 @@ counter warning_count
 }
-counter filtered_mail_count
+counter filtered_outgoing_mail_count
-counter encrypted_mail_count
+counter outgoing_encrypted_mail_count
-/Filtering encrypted mail\./ {
+/Outgoing: Filtering encrypted mail\./ {
-  encrypted_mail_count++
+  outgoing_encrypted_mail_count++
-  filtered_mail_count++
+  filtered_outgoing_mail_count++
 }
-counter unencrypted_mail_count
+counter outgoing_unencrypted_mail_count
-/Filtering unencrypted mail\./ {
+/Outgoing: Filtering unencrypted mail\./ {
-  unencrypted_mail_count++
+  outgoing_unencrypted_mail_count++
-  filtered_mail_count++
+  filtered_outgoing_mail_count++
 }
 counter filtered_incoming_mail_count
 counter incoming_encrypted_mail_count
 /Incoming: Filtering encrypted mail\./ {
  incoming_encrypted_mail_count++
  filtered_incoming_mail_count++
 }
 counter incoming_unencrypted_mail_count
 /Incoming: Filtering unencrypted mail\./ {
  incoming_unencrypted_mail_count++
  filtered_incoming_mail_count++
 }
 counter rejected_unencrypted_mail_count
-/Rejected unencrypted mail\./ {
+/Rejected unencrypted mail/ {
  rejected_unencrypted_mail_count++
 }
--- a/cmdeploy/src/cmdeploy/mtail/deployer.py
+++ b/cmdeploy/src/cmdeploy/mtail/deployer.py
@@ -0,0 +1,68 @@
 from pyinfra import facts, host
 from pyinfra.operations import apt, files, server, systemd
 from cmdeploy.basedeploy import (
    Deployer,
    get_resource,
 )
 class MtailDeployer(Deployer):
    def __init__(self, mtail_address):
        self.mtail_address = mtail_address
    def install(self):
        # Uninstall mtail package to install a static binary.
        apt.packages(name="Uninstall mtail", packages=["mtail"], present=False)
        (url, sha256sum) = {
            "x86_64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
            ),
            "aarch64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
            ),
        }[host.get_fact(facts.server.Arch)]
        server.shell(
            name="Download mtail",
            commands=[
                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
                "chmod 755 /usr/local/bin/mtail",
            ],
        )
    def configure(self):
        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
        # This allows to read from journalctl instead of log files.
        files.template(
            src=get_resource("mtail/mtail.service.j2"),
            dest="/etc/systemd/system/mtail.service",
            user="root",
            group="root",
            mode="644",
            address=self.mtail_address or "127.0.0.1",
            port=3903,
        )
        mtail_conf = files.put(
            name="Mtail configuration",
            src=get_resource("mtail/delivered_mail.mtail"),
            dest="/etc/mtail/delivered_mail.mtail",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = mtail_conf.changed
    def activate(self):
        systemd.service(
            name="Start and enable mtail",
            service="mtail.service",
            running=bool(self.mtail_address),
            enabled=bool(self.mtail_address),
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2
+++ b/cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2
@@ -1,47 +1,47 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <clientConfig version="1.1">
-  <emailProvider id="{{ config.domain_name }}">
+  <emailProvider id="{{ config.mail_domain }}">
-    <domain>{{ config.domain_name }}</domain>
+    <domain>{{ config.mail_domain }}</domain>
-    <displayName>{{ config.domain_name }} chatmail</displayName>
+    <displayName>{{ config.mail_domain }} chatmail</displayName>
-    <displayShortName>{{ config.domain_name }}</displayShortName>
+    <displayShortName>{{ config.mail_domain }}</displayShortName>
    <incomingServer type="imap">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="imap">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="imap">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>443</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
    <outgoingServer type="smtp">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
    <outgoingServer type="smtp">
-      <hostname>{{ config.domain_name }}</hostname>
+      <hostname>{{ config.mail_domain }}</hostname>
      <port>443</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
--- a/cmdeploy/src/cmdeploy/nginx/deployer.py
+++ b/cmdeploy/src/cmdeploy/nginx/deployer.py
@@ -0,0 +1,117 @@
 from chatmaild.config import Config
 from pyinfra.operations import apt, files, systemd
 from cmdeploy.basedeploy import (
    Deployer,
    get_resource,
 )
 class NginxDeployer(Deployer):
    def __init__(self, config):
        self.config = config
    def install(self):
        #
        # If we allow nginx to start up on install, it will grab port
        # 80, which then will block acmetool from listening on the port.
        # That in turn prevents getting certificates, which then causes
        # an error when we try to start nginx on the custom config
        # that leaves port 80 open but also requires certificates to
        # be present.  To avoid getting into that interlocking mess,
        # we use policy-rc.d to prevent nginx from starting up when it
        # is installed.
        #
        # This approach allows us to avoid performing any explicit
        # systemd operations during the install stage (as opposed to
        # allowing it to start and then forcing it to stop), which allows
        # the install stage to run in non-systemd environments like a
        # container image build.
        #
        # For documentation about policy-rc.d, see:
        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
        #
        files.put(
            src=get_resource("policy-rc.d"),
            dest="/usr/sbin/policy-rc.d",
            user="root",
            group="root",
            mode="755",
        )
        apt.packages(
            name="Install nginx",
            packages=["nginx", "libnginx-mod-stream"],
        )
        files.file("/usr/sbin/policy-rc.d", present=False)
    def configure(self):
        self.need_restart = _configure_nginx(self.config)
    def activate(self):
        systemd.service(
            name="Start and enable nginx",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
 def _configure_nginx(config: Config, debug: bool = False) -> bool:
    """Configures nginx HTTP server."""
    need_restart = False
    main_config = files.template(
        src=get_resource("nginx/nginx.conf.j2"),
        dest="/etc/nginx/nginx.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
    autoconfig = files.template(
        src=get_resource("nginx/autoconfig.xml.j2"),
        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= autoconfig.changed
    mta_sts_config = files.template(
        src=get_resource("nginx/mta-sts.txt.j2"),
        dest="/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= mta_sts_config.changed
    # install CGI newemail script
    #
    cgi_dir = "/usr/lib/cgi-bin"
    files.directory(
        name=f"Ensure {cgi_dir} exists",
        path=cgi_dir,
        user="root",
        group="root",
    )
    files.put(
        name="Upload cgi newemail.py script",
        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
        dest=f"{cgi_dir}/newemail.py",
        user="root",
        group="root",
        mode="755",
    )
    return need_restart
--- a/cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2
+++ b/cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2
@@ -1,4 +1,4 @@
 version: STSv1
 mode: enforce
-mx: {{ config.domain_name }}
+mx: {{ config.mail_domain }}
 max_age: 2419200
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -42,6 +42,9 @@ stream {
 }
 http {
 {% if config.tls_cert_mode == "self" %}
 	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
 {% endif %}
 	sendfile on;
 	tcp_nopush on;
@@ -53,8 +56,8 @@ http {
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
-	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+	ssl_certificate {{ config.tls_cert_path }};
-	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
+	ssl_certificate_key {{ config.tls_key_path }};
 	gzip on;
@@ -66,7 +69,7 @@ http {
 		index index.html index.htm;
-		server_name {{ config.domain_name }} www.{{ config.domain_name }} mta-sts.{{ config.domain_name }};
+		server_name {{ config.mail_domain }} www.{{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
 		access_log syslog:server=unix:/dev/log,facility=local7;
@@ -81,11 +84,15 @@ http {
 		}
 		location /new {
 {% if config.tls_cert_mode == "acme" %}
 			if ($request_method = GET) {
 				# Redirect to Delta Chat,
 				# which will in turn do a POST request.
-				return 301 dcaccount:https://{{ config.domain_name }}/new;
+				return 301 dcaccount:https://{{ config.mail_domain }}/new;
 			}
 {% else %}
 			limit_req zone=newaccount burst=5 nodelay;
 {% endif %}
 			fastcgi_pass unix:/run/fcgiwrap.socket;
 			include /etc/nginx/fastcgi_params;
@@ -99,9 +106,11 @@ http {
 		#
 		# Redirects are only for browsers.
 		location /cgi-bin/newemail.py {
 {% if config.tls_cert_mode == "acme" %}
 			if ($request_method = GET) {
-				return 301 dcaccount:https://{{ config.domain_name }}/new;
+				return 301 dcaccount:https://{{ config.mail_domain }}/new;
 			}
 {% endif %}
 			fastcgi_pass unix:/run/fcgiwrap.socket;
 			include /etc/nginx/fastcgi_params;
@@ -132,8 +141,8 @@ http {
 	# Redirect www. to non-www
 	server {
 		listen 127.0.0.1:8443 ssl;
-		server_name www.{{ config.domain_name }};
+		server_name www.{{ config.mail_domain }};
-		return 301 $scheme://{{ config.domain_name }}$request_uri;
+		return 301 $scheme://{{ config.mail_domain }}$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 }
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -0,0 +1,123 @@
 """
 Installs OpenDKIM
 """
 from pyinfra import host
 from pyinfra.facts.files import File
 from pyinfra.operations import apt, files, server, systemd
 from cmdeploy.basedeploy import Deployer, get_resource
 class OpendkimDeployer(Deployer):
    required_users = [("opendkim", None, ["opendkim"])]
    def __init__(self, mail_domain):
        self.mail_domain = mail_domain
    def install(self):
        apt.packages(
            name="apt install opendkim opendkim-tools",
            packages=["opendkim", "opendkim-tools"],
        )
    def configure(self):
        domain = self.mail_domain
        dkim_selector = "opendkim"
        """Configures OpenDKIM"""
        need_restart = False
        main_config = files.template(
            src=get_resource("opendkim/opendkim.conf"),
            dest="/etc/opendkim.conf",
            user="root",
            group="root",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= main_config.changed
        screen_script = files.put(
            src=get_resource("opendkim/screen.lua"),
            dest="/etc/opendkim/screen.lua",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= screen_script.changed
        final_script = files.put(
            src=get_resource("opendkim/final.lua"),
            dest="/etc/opendkim/final.lua",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= final_script.changed
        files.directory(
            name="Add opendkim directory to /etc",
            path="/etc/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
        keytable = files.template(
            src=get_resource("opendkim/KeyTable"),
            dest="/etc/dkimkeys/KeyTable",
            user="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= keytable.changed
        signing_table = files.template(
            src=get_resource("opendkim/SigningTable"),
            dest="/etc/dkimkeys/SigningTable",
            user="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= signing_table.changed
        files.directory(
            name="Add opendkim socket directory to /var/spool/postfix",
            path="/var/spool/postfix/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
            server.shell(
                name="Generate OpenDKIM domain keys",
                commands=[
                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
                ],
                _use_su_login=True,
                _su_user="opendkim",
            )
        service_file = files.put(
            name="Configure opendkim to restart once a day",
            src=get_resource("opendkim/systemd.conf"),
            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
        )
        need_restart |= service_file.changed
        self.need_restart = need_restart
    def activate(self):
        systemd.service(
            name="Start and enable OpenDKIM",
            service="opendkim.service",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart,
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -1,4 +1,5 @@
-if odkim.internal_ip(ctx) == 1 then
+mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
 if mtaname == "ORIGINATING" then
 	-- Outgoing message will be signed,
 	-- no need to look for signatures.
 	return nil
@@ -9,6 +10,8 @@ if nsigs == nil then
 	return nil
 end
 local valid = false
 local error_msg = "No valid DKIM signature found."
 for i = 1, nsigs do
 	sig = odkim.get_sighandle(ctx, i - 1)
 	sigres = odkim.sig_result(sig)
@@ -19,10 +22,21 @@ for i = 1, nsigs do
 	-- Any valid signature that was not ignored like this
 	-- means the message is acceptable.
 	if sigres == 0 then
-		return nil
+		valid = true
    else
        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
 	end
 end
-odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
+if valid then
 	-- Strip all DKIM-Signature headers after successful validation
 	-- Delete in reverse order to avoid index shifting.
 	for i = nsigs, 1, -1 do
 		odkim.del_header(ctx, "DKIM-Signature", i)
 	end
 else
 	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
 	odkim.set_result(ctx, SMFIS_REJECT)
 end
 return nil
--- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
@@ -65,3 +65,9 @@ PidFile			/run/opendkim/opendkim.pid
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile		/usr/share/dns/root.key
 # Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
 MTA ORIGINATING
 # No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
 InternalHosts -
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -0,0 +1,117 @@
 from pyinfra.operations import apt, files, server, systemd
 from cmdeploy.basedeploy import Deployer, get_resource
 class PostfixDeployer(Deployer):
    required_users = [("postfix", None, ["opendkim"])]
    daemon_reload = False
    def __init__(self, config, disable_mail):
        self.config = config
        self.disable_mail = disable_mail
    def install(self):
        apt.packages(
            name="Install Postfix",
            packages="postfix",
        )
    def configure(self):
        config = self.config
        need_restart = False
        main_config = files.template(
            src=get_resource("postfix/main.cf.j2"),
            dest="/etc/postfix/main.cf",
            user="root",
            group="root",
            mode="644",
            config=config,
            disable_ipv6=config.disable_ipv6,
        )
        need_restart |= main_config.changed
        master_config = files.template(
            src=get_resource("postfix/master.cf.j2"),
            dest="/etc/postfix/master.cf",
            user="root",
            group="root",
            mode="644",
            debug=False,
            config=config,
        )
        need_restart |= master_config.changed
        header_cleanup = files.put(
            src=get_resource("postfix/submission_header_cleanup"),
            dest="/etc/postfix/submission_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= header_cleanup.changed
        lmtp_header_cleanup = files.put(
            src=get_resource("postfix/lmtp_header_cleanup"),
            dest="/etc/postfix/lmtp_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= lmtp_header_cleanup.changed
        tls_policy_map = files.put(
            name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
            src=get_resource("postfix/smtp_tls_policy_map"),
            dest="/etc/postfix/smtp_tls_policy_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= tls_policy_map.changed
        if tls_policy_map.changed:
            server.shell(
                commands=["postmap /etc/postfix/smtp_tls_policy_map"],
            )
        # Login map that 1:1 maps email address to login.
        login_map = files.put(
            src=get_resource("postfix/login_map"),
            dest="/etc/postfix/login_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= login_map.changed
        restart_conf = files.put(
            name="postfix: restart automatically on failure",
            src=get_resource("service/10_restart.conf"),
            dest="/etc/systemd/system/postfix@.service.d/10_restart.conf",
        )
        self.daemon_reload = restart_conf.changed
        # Validate postfix configuration before restart
        if need_restart:
            server.shell(
                name="Validate postfix configuration",
                # Extract stderr and quit with error if non-zero
                commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
            )
        self.need_restart = need_restart
    def activate(self):
        restart = False if self.disable_mail else self.need_restart
        systemd.service(
            name="disable postfix for now"
            if self.disable_mail
            else "Start and enable Postfix",
            service="postfix.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
+++ b/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
@@ -0,0 +1,3 @@
 /^DKIM-Signature:/            IGNORE
 /^Authentication-Results:/            IGNORE
 /^Received:/            IGNORE
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -15,19 +15,19 @@ readme_directory = no
 compatibility_level = 3.6
 # TLS parameters
-smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
+smtpd_tls_cert_file={{ config.tls_cert_path }}
-smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
+smtpd_tls_key_file={{ config.tls_key_path }}
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=verify
+smtp_tls_security_level={{ "verify" if config.tls_cert_mode == "acme" else "encrypt" }}
 # Send SNI extension when connecting to other servers.
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = inline:{nauta.cu=may}
+smtp_tls_policy_maps = regexp:/etc/postfix/smtp_tls_policy_map
 smtp_tls_protocols = >=TLSv1.2
-smtpd_tls_protocols = >=TLSv1.2
+smtp_tls_mandatory_protocols = >=TLSv1.2
 # Disable anonymous cipher suites
 # and known insecure algorithms.
@@ -64,7 +64,20 @@ alias_database = hash:/etc/aliases
 mydestination =
 relayhost = 
 {% if disable_ipv6 %}
 mynetworks = 127.0.0.0/8
 {% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 {% endif %}
 {% if config.addr_v4 %}
 smtp_bind_address = {{ config.addr_v4 }}
 {% endif %}
 {% if config.addr_v6 %}
 smtp_bind_address6 = {{ config.addr_v6 }}
 {% endif %}
 {% if config.addr_v4 or config.addr_v6 %}
 smtp_bind_address_enforce = yes
 {% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
@@ -77,6 +90,7 @@ inet_protocols = all
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
 lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -15,6 +15,7 @@ smtp      inet  n       -       y       -       -       smtpd -v
 smtp      inet  n       -       y       -       -       smtpd 
 {%- endif %}
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=>=TLSv1.2
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
 submission inet n       -       y       -       5000    smtpd
  -o syslog_name=postfix/submission
@@ -30,7 +31,6 @@ submission inet n       -       y       -       5000    smtpd
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_connection_count_limit=1000
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 smtps     inet  n       -       y       -       5000    smtpd
@@ -48,7 +48,6 @@ smtps     inet  n       -       y       -       5000    smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=1000
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
@@ -80,6 +79,7 @@ filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting outgoing filtered mail.
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=unix:opendkim/opendkim.sock
  -o cleanup_service_name=authclean
--- a/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
+++ b/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
@@ -0,0 +1,3 @@
 /^\[[^]]+\]$/ encrypt
 /^_/          encrypt
 /^nauta\.cu$/    may
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -37,7 +37,10 @@ def perform_initial_checks(mail_domain, pre_command=""):
        return res
    # parse out sts-id if exists, example: "v=STSv1; id=2090123"
-    parts = query_dns("TXT", f"_mta-sts.{mail_domain}").split("id=")
+    mta_sts_txt = query_dns("TXT", f"_mta-sts.{mail_domain}")
    if not mta_sts_txt:
        return res
    parts = mta_sts_txt.split("id=")
    res["sts_id"] = parts[1].rstrip('"') if len(parts) == 2 else ""
    return res
--- a/cmdeploy/src/cmdeploy/run.py
+++ b/cmdeploy/src/cmdeploy/run.py
@@ -14,8 +14,9 @@ def main():
        importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
    )
    disable_mail = bool(os.environ.get("CHATMAIL_DISABLE_MAIL"))
    website_only = bool(os.environ.get("CHATMAIL_WEBSITE_ONLY"))
-    deploy_chatmail(config_path, disable_mail)
+    deploy_chatmail(config_path, disable_mail, website_only)
 if pyinfra.is_cli:
--- a/cmdeploy/src/cmdeploy/selfsigned/deployer.py
+++ b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
@@ -0,0 +1,36 @@
 from pyinfra.operations import apt, files, server
 from cmdeploy.basedeploy import Deployer
 class SelfSignedTlsDeployer(Deployer):
    """Generates a self-signed TLS certificate for all chatmail endpoints."""
    def __init__(self, mail_domain):
        self.mail_domain = mail_domain
        self.cert_path = "/etc/ssl/certs/mailserver.pem"
        self.key_path = "/etc/ssl/private/mailserver.key"
    def install(self):
        apt.packages(
            name="Install openssl",
            packages=["openssl"],
        )
    def configure(self):
        server.shell(
            name="Generate self-signed TLS certificate if not present",
            commands=[
                f"[ -f {self.cert_path} ] || openssl req -x509"
                f" -newkey ec -pkeyopt ec_paramgen_curve:P-256"
                f" -noenc -days 36500"
                f" -keyout {self.key_path}"
                f" -out {self.cert_path}"
                f' -subj "/CN={self.mail_domain}"'
                f' -addext "extendedKeyUsage=serverAuth,clientAuth"'
                f' -addext "subjectAltName=DNS:{self.mail_domain},DNS:www.{self.mail_domain},DNS:mta-sts.{self.mail_domain}"',
            ],
        )
    def activate(self):
        pass
--- a/cmdeploy/src/cmdeploy/service/10_restart.conf
+++ b/cmdeploy/src/cmdeploy/service/10_restart.conf
@@ -0,0 +1,3 @@
 [Service]
 Restart=always
 RestartSec=30
--- a/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
+++ b/cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f
@@ -4,7 +4,7 @@ Description=Chatmail dict proxy for IMAP METADATA
 [Service]
 ExecStart={execpath} /run/chatmail-metadata/metadata.socket {config_path}
 Restart=always
-RestartSec=30
+RestartSec=5
 User=vmail
 RuntimeDirectory=chatmail-metadata
 UMask=0077
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@@ -1,67 +0,0 @@
 [Unit]
 Description=Chatmail echo bot for testing it works
 [Service]
 ExecStart={execpath} {config_path}
 Environment="PATH={remote_venv_dir}:$PATH"
 Restart=always
 RestartSec=30
 User=echobot
 Group=echobot
 # Create /var/lib/echobot
 StateDirectory=echobot
 # Create /run/echobot
 #
 # echobot stores /run/echobot/password
 # with a password there, which doveauth then reads.
 RuntimeDirectory=echobot
 WorkingDirectory=/var/lib/echobot
 # Apply security restrictions suggested by
 #   systemd-analyze security echobot.service
 CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
 PrivateMounts=true
 PrivateTmp=true
 # We need to know about doveauth user to give it access to /run/echobot/password
 PrivateUsers=false
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=noaccess
 # Should be "strict", but we currently write /accounts folder in a protected path
 ProtectSystem=full
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=~@clock
 SystemCallFilter=~@cpu-emulation
 SystemCallFilter=~@debug
 SystemCallFilter=~@module
 SystemCallFilter=~@mount
 SystemCallFilter=~@obsolete
 SystemCallFilter=~@raw-io
 SystemCallFilter=~@reboot
 SystemCallFilter=~@resources
 SystemCallFilter=~@swap
 UMask=0077
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/sshexec.py
+++ b/cmdeploy/src/cmdeploy/sshexec.py
@@ -85,16 +85,31 @@ class SSHExec:
 class LocalExec:
    FuncError = FuncError
    def __init__(self, verbose=False, docker=False):
        self.verbose = verbose
        self.docker = docker
    def __call__(self, call, kwargs=None, log_callback=None):
        if kwargs is None:
            kwargs = {}
        return call(**kwargs)
    def logged(self, call, kwargs: dict):
        title = call.__doc__
        if not title:
            title = call.__name__
        where = "locally"
        if self.docker:
            if call == remote.rdns.perform_initial_checks:
                kwargs["pre_command"] = "docker exec chatmail "
                where = "in docker"
        if self.verbose:
-            print(f"Running {where}: {call.__name__}(**{kwargs})")
+            print_stderr(f"Running {where}: {title}(**{kwargs})")
-        return call(**kwargs)
+            return self(call, kwargs, log_callback=print_stderr)
        else:
            print_stderr(title, end="")
            res = self(call, kwargs, log_callback=remote.rshell.log_progress)
            print_stderr()
            return res
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
@@ -1,3 +1,4 @@
 import pytest
 import requests
 from cmdeploy.genqr import gen_qr_png_data
@@ -8,18 +9,33 @@ def test_gen_qr_png_data(maildomain):
    assert data
@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 def test_fastcgi_working(maildomain, chatmail_config):
    url = f"https://{maildomain}/new"
    print(url)
-    res = requests.post(url)
+    verify = chatmail_config.tls_cert_mode == "acme"
    res = requests.post(url, verify=verify)
    assert maildomain in res.json().get("email")
    assert len(res.json().get("password")) > chatmail_config.password_min_length
-def test_newemail_configure(maildomain, rpc):
+@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 def test_newemail_configure(maildomain, rpc, chatmail_config):
    """Test configuring accounts by scanning a QR code works."""
    url = f"DCACCOUNT:https://{maildomain}/new"
    for i in range(3):
        account_id = rpc.add_account()
-        rpc.set_config_from_qr(account_id, url)
+        if chatmail_config.tls_cert_mode == "self":
-        rpc.configure(account_id)
+            # deltachat core's rustls rejects self-signed HTTPS certs during
            # set_config_from_qr, so fetch credentials via requests instead
            res = requests.post(f"https://{maildomain}/new", verify=False)
            data = res.json()
            rpc.add_or_update_transport(account_id, {
                "addr": data["email"],
                "password": data["password"],
                "imapServer": maildomain,
                "smtpServer": maildomain,
                "certificateChecks": "acceptInvalidCertificates",
            })
        else:
            rpc.add_transport_from_qr(account_id, url)
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -1,5 +1,4 @@
 import datetime
 import os
 import smtplib
 import socket
 import subprocess
@@ -8,14 +7,13 @@ import time
 import pytest
 from cmdeploy import remote
-from cmdeploy.cmdeploy import main
+from cmdeploy.cmdeploy import get_sshexec
 from cmdeploy.sshexec import SSHExec
 class TestSSHExecutor:
    @pytest.fixture(scope="class")
    def sshexec(self, sshdomain):
-        return SSHExec(sshdomain)
+        return get_sshexec(sshdomain)
    def test_ls(self, sshexec):
        out = sshexec(call=remote.rdns.shell, kwargs=dict(command="ls"))
@@ -29,6 +27,7 @@ class TestSSHExecutor:
        assert res["A"] or res["AAAA"]
    def test_logged(self, sshexec, maildomain, capsys):
        sshexec.verbose = False
        sshexec.logged(
            remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
        )
@@ -54,6 +53,8 @@ class TestSSHExecutor:
                remote.rdns.perform_initial_checks,
                kwargs=dict(mail_domain=None),
            )
        except AssertionError:
            pass
        except sshexec.FuncError as e:
            assert "rdns.py" in str(e)
            assert "AssertionError" in str(e)
@@ -70,47 +71,6 @@ class TestSSHExecutor:
        assert (now - since_date).total_seconds() < 60 * 60 * 51
 def test_status_cmd(chatmail_config, capsys, request):
    os.chdir(request.config.invocation_params.dir)
    assert main(["status"]) == 0
    status_out = capsys.readouterr()
    print(status_out.out)
    services = [
        "acmetool-redirector",
        "chatmail-metadata",
        "doveauth",
        "dovecot",
        "echobot",
        "fcgiwrap",
        "filtermail-incoming",
        "filtermail",
        "lastlogin",
        "nginx",
        "opendkim",
        "postfix@-",
        "systemd-journald",
        "turnserver",
        "unbound",
    ]
    not_running = []
    for service in services:
        active = False
        for line in status_out:
            if service in line:
                active = True
                if not "loaded" in line:
                    active = False
                if not "active" in line:
                    active = False
                if not "running" in line:
                    active = False
                break
        if not active:
            not_running.append(service)
    assert not_running == []
 def test_timezone_env(remote):
    for line in remote.iter_output("env"):
        print(line)
@@ -232,12 +192,14 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
    mail = maildata(
        "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
    ).as_string()
-    for i in range(chatmail_config.max_user_send_per_minute + 5):
+
-        print("Sending mail", str(i))
+    start = time.time()
    for i in range(chatmail_config.max_user_send_per_minute * 3):
        print("Sending mail", str(i + 1), "at", time.time() - start, "s.")
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
        except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_per_minute:
+            if i < chatmail_config.max_user_send_burst_size:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
@@ -259,7 +221,7 @@ def test_expunged(remote, chatmail_config):
    ]
    outdated_days = int(chatmail_config.delete_large_after) + 1
    find_cmds.append(
-        "find {chatmail_config.mailboxes_dir} -path '*/cur/*' -mtime +{outdated_days} -size +200k -type f"
+        f"find {chatmail_config.mailboxes_dir} -path '*/cur/*' -mtime +{outdated_days} -size +200k -type f"
    )
    for cmd in find_cmds:
        for line in remote.iter_output(cmd):
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -7,16 +7,18 @@ import pytest
 import requests
 from cmdeploy.remote import rshell
-from cmdeploy.sshexec import SSHExec
+from cmdeploy.cmdeploy import get_sshexec
@pytest.fixture
-def imap_mailbox(cmfactory):
+def imap_mailbox(cmfactory, ssl_context):
    (ac1,) = cmfactory.get_online_accounts(1)
    user = ac1.get_config("addr")
    password = ac1.get_config("mail_pw")
-    mailbox = imap_tools.MailBox(user.split("@")[1])
+    host = user.split("@")[1]
    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
    mailbox.login(user, password)
    mailbox.dc_ac = ac1
    return mailbox
@@ -89,7 +91,7 @@ class TestEndToEndDeltaChat:
        lp.sec(f"filling remote inbox for {user}")
        fn = f"7743102289.M843172P2484002.c20,S={quota},W=2398:2,"
        path = chatmail_config.mailboxes_dir.joinpath(user, "cur", fn)
-        sshexec = SSHExec(sshdomain)
+        sshexec = get_sshexec(sshdomain)
        sshexec(call=rshell.write_numbytes, kwargs=dict(path=str(path), num=120))
        res = sshexec(call=rshell.dovecot_recalc_quota, kwargs=dict(user=user))
        assert res["percent"] >= 100
@@ -121,6 +123,28 @@ class TestEndToEndDeltaChat:
        assert ch.id >= 10
        ac1._evtracker.wait_securejoin_inviter_progress(1000)
    def test_dkim_header_stripped(self, cmfactory, maildomain2, lp, imap_mailbox):
        """Test that if a DC address receives a message, it has no
        DKIM-Signature and Authentication-Results headers."""
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
        ac2 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.bring_accounts_online()
        chat = cmfactory.get_accepted_chat(ac1, imap_mailbox.dc_ac)
        chat.send_text("message0")
        chat2 = cmfactory.get_accepted_chat(ac2, imap_mailbox.dc_ac)
        chat2.send_text("message1")
        lp.sec("receive message with ac1...")
        received = 0
        while received < 2:
            msgs = imap_mailbox.fetch()
            for msg in msgs:
                lp.sec(f"ac1 received msg from {msg.from_}")
                received += 1
                assert "authentication-results" not in msg.headers
                assert "dkim-signature" not in msg.headers
    def test_read_receipts_between_instances(self, cmfactory, lp, maildomain2):
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
@@ -148,7 +172,7 @@ class TestEndToEndDeltaChat:
            time.sleep(1)
-def test_hide_senders_ip_address(cmfactory):
+def test_hide_senders_ip_address(cmfactory, ssl_context):
    public_ip = requests.get("http://icanhazip.com").content.decode().strip()
    assert ipaddress.ip_address(public_ip)
@@ -157,25 +181,11 @@ def test_hide_senders_ip_address(cmfactory):
    chat.send_text("testing submission header cleanup")
    user2._evtracker.wait_next_incoming_message()
-    user2.direct_imap.select_folder("Inbox")
+    addr = user2.get_config("addr")
-    msg = user2.direct_imap.get_all_messages()[0]
+    host = addr.split("@")[1]
-    assert public_ip not in msg.obj.as_string()
+    pw = user2.get_config("mail_pw")
-
+    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
-
+    mailbox.login(addr, pw)
-def test_echobot(cmfactory, chatmail_config, lp, sshdomain):
+    msgs = list(mailbox.fetch(mark_seen=False))
-    ac = cmfactory.get_online_accounts(1)[0]
+    assert msgs, "expected at least one message"
-
+    assert public_ip not in msgs[0].obj.as_string()
    # establish contact with echobot
    sshexec = SSHExec(sshdomain)
    command = "cat /var/lib/echobot/invite-link.txt"
    echo_invite_link = sshexec(call=rshell.shell, kwargs=dict(command=command))
    chat = ac.qr_setup_contact(echo_invite_link)
    ac._evtracker.wait_securejoin_joiner_progress(1000)
    # send message and check it gets replied back
    lp.sec("Send message to echobot")
    text = "hi, I hope you text me back"
    chat.send_text(text)
    lp.sec("Wait for reply from echobot")
    reply = ac._evtracker.wait_next_incoming_message()
    assert reply.text == text
--- a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
@@ -0,0 +1,53 @@
 import os
 from cmdeploy.cmdeploy import main
 def test_status_cmd(chatmail_config, capsys, request):
    os.chdir(request.config.invocation_params.dir)
    command = ["status"]
    if os.getenv("CHATMAIL_SSH"):
        command.append("--ssh-host")
        command.append(os.getenv("CHATMAIL_SSH"))
    assert main(command) == 0
    status_out = capsys.readouterr()
    print(status_out.out)
    assert len(status_out.out.splitlines()) > 5
    """
    don't test actual server state:
    services = [
        "acmetool-redirector",
        "chatmail-metadata",
        "doveauth",
        "dovecot",
        "fcgiwrap",
        "filtermail-incoming",
        "filtermail",
        "lastlogin",
        "nginx",
        "opendkim",
        "postfix@-",
        "systemd-journald",
        "turnserver",
        "unbound",
    ]
    not_running = []
    for service in services:
        active = False
        for line in status_out:
            if service in line:
                active = True
                if not "loaded" in line:
                    active = False
                if not "active" in line:
                    active = False
                if not "running" in line:
                    active = False
                break
        if not active:
            not_running.append(service)
    assert not_running == []
    """
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -4,6 +4,7 @@ import itertools
 import os
 import random
 import smtplib
 import ssl
 import subprocess
 import time
 from pathlib import Path
@@ -144,15 +145,25 @@ def pytest_terminal_summary(terminalreporter):
            tr.write_line(line)
-@pytest.fixture
+@pytest.fixture(scope="session")
-def imap(maildomain):
+def ssl_context(chatmail_config):
-    return ImapConn(maildomain)
+    if chatmail_config.tls_cert_mode == "self":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    return None
@pytest.fixture
-def make_imap_connection(maildomain):
+def imap(maildomain, ssl_context):
    return ImapConn(maildomain, ssl_context=ssl_context)
@pytest.fixture
 def make_imap_connection(maildomain, ssl_context):
    def make_imap_connection():
-        conn = ImapConn(maildomain)
+        conn = ImapConn(maildomain, ssl_context=ssl_context)
        conn.connect()
        return conn
@@ -164,12 +175,13 @@ class ImapConn:
    logcmd = "journalctl -f -u dovecot"
    name = "dovecot"
-    def __init__(self, host):
+    def __init__(self, host, ssl_context=None):
        self.host = host
        self.ssl_context = ssl_context
    def connect(self):
        print(f"imap-connect {self.host}")
-        self.conn = imaplib.IMAP4_SSL(self.host)
+        self.conn = imaplib.IMAP4_SSL(self.host, ssl_context=self.ssl_context)
    def login(self, user, password):
        print(f"imap-login {user!r} {password!r}")
@@ -195,14 +207,14 @@ class ImapConn:
@pytest.fixture
-def smtp(maildomain):
+def smtp(maildomain, ssl_context):
-    return SmtpConn(maildomain)
+    return SmtpConn(maildomain, ssl_context=ssl_context)
@pytest.fixture
-def make_smtp_connection(maildomain):
+def make_smtp_connection(maildomain, ssl_context):
    def make_smtp_connection():
-        conn = SmtpConn(maildomain)
+        conn = SmtpConn(maildomain, ssl_context=ssl_context)
        conn.connect()
        return conn
@@ -214,12 +226,14 @@ class SmtpConn:
    logcmd = "journalctl -f -t postfix/smtpd -t postfix/smtp -t postfix/lmtp"
    name = "postfix"
-    def __init__(self, host):
+    def __init__(self, host, ssl_context=None):
        self.host = host
        self.ssl_context = ssl_context
    def connect(self):
        print(f"smtp-connect {self.host}")
-        self.conn = smtplib.SMTP_SSL(self.host)
+        context = self.ssl_context or ssl.create_default_context()
        self.conn = smtplib.SMTP_SSL(self.host, context=context)
    def login(self, user, password):
        print(f"smtp-login {user!r} {password!r}")
@@ -270,11 +284,12 @@ def gencreds(chatmail_config):
 class ChatmailTestProcess:
    """Provider for chatmail instance accounts as used by deltachat.testplugin.acfactory"""
-    def __init__(self, pytestconfig, maildomain, gencreds):
+    def __init__(self, pytestconfig, maildomain, gencreds, chatmail_config):
        self.pytestconfig = pytestconfig
        self.maildomain = maildomain
        assert "." in self.maildomain, maildomain
        self.gencreds = gencreds
        self.chatmail_config = chatmail_config
        self._addr2files = {}
    def get_liveconfig_producer(self):
@@ -287,6 +302,9 @@ class ChatmailTestProcess:
            # speed up account configuration
            config["mail_server"] = self.maildomain
            config["send_server"] = self.maildomain
            if self.chatmail_config.tls_cert_mode == "self":
                # Accept self-signed TLS certificates
                config["imap_certificate_checks"] = "3"
            yield config
    def cache_maybe_retrieve_configured_db_files(self, cache_addr, db_target_path):
@@ -297,12 +315,14 @@ class ChatmailTestProcess:
@pytest.fixture
-def cmfactory(request, gencreds, tmpdir, maildomain):
+def cmfactory(request, gencreds, tmpdir, maildomain, chatmail_config):
    # cloned from deltachat.testplugin.amfactory
    pytest.importorskip("deltachat")
    from deltachat.testplugin import ACFactory
-    testproc = ChatmailTestProcess(request.config, maildomain, gencreds)
+    testproc = ChatmailTestProcess(
        request.config, maildomain, gencreds, chatmail_config
    )
    class Data:
        def read_path(self, path):
@@ -310,6 +330,10 @@ def cmfactory(request, gencreds, tmpdir, maildomain):
    am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=Data())
    # Skip upstream's init_imap to prevent extra imap connections not
    # needed for relay testing
    am._acsetup.init_imap = lambda acc: None
    # nb. a bit hacky
    # would probably be better if deltachat's test machinery grows native support
    def switch_maildomain(maildomain2):
@@ -337,8 +361,14 @@ class Remote:
    def iter_output(self, logcmd=""):
        getjournal = "journalctl -f" if not logcmd else logcmd
        print(self.sshdomain)
        match self.sshdomain:
            case "@local": command = []
            case "localhost": command = []
            case _: command = ["ssh", f"root@{self.sshdomain}"]
        [command.append(arg) for arg in getjournal.split()]
        self.popen = subprocess.Popen(
-            ["ssh", f"root@{self.sshdomain}", getjournal],
+            command,
            stdout=subprocess.PIPE,
        )
        while 1:
@@ -363,38 +393,40 @@ def lp(request):
@pytest.fixture
-def cmsetup(maildomain, gencreds):
+def cmsetup(maildomain, gencreds, ssl_context):
-    return CMSetup(maildomain, gencreds)
+    return CMSetup(maildomain, gencreds, ssl_context)
 class CMSetup:
-    def __init__(self, maildomain, gencreds):
+    def __init__(self, maildomain, gencreds, ssl_context):
        self.maildomain = maildomain
        self.gencreds = gencreds
        self.ssl_context = ssl_context
    def gen_users(self, num):
        print(f"Creating {num} online users")
        users = []
        for i in range(num):
            addr, password = self.gencreds()
-            user = CMUser(self.maildomain, addr, password)
+            user = CMUser(self.maildomain, addr, password, self.ssl_context)
            assert user.smtp
            users.append(user)
        return users
 class CMUser:
-    def __init__(self, maildomain, addr, password):
+    def __init__(self, maildomain, addr, password, ssl_context=None):
        self.maildomain = maildomain
        self.addr = addr
        self.password = password
        self.ssl_context = ssl_context
        self._smtp = None
        self._imap = None
    @property
    def smtp(self):
        if not self._smtp:
-            handle = SmtpConn(self.maildomain)
+            handle = SmtpConn(self.maildomain, ssl_context=self.ssl_context)
            handle.connect()
            handle.login(self.addr, self.password)
            self._smtp = handle
@@ -403,7 +435,7 @@ class CMUser:
    @property
    def imap(self):
        if not self._imap:
-            imap = ImapConn(self.maildomain)
+            imap = ImapConn(self.maildomain, ssl_context=self.ssl_context)
            imap.connect()
            imap.login(self.addr, self.password)
            self._imap = imap
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -91,6 +91,16 @@ class TestPerformInitialChecks:
        assert not res
        assert len(l) == 2
    def test_perform_initial_checks_no_mta_sts_self_signed(self, mockdns):
        del mockdns["CNAME"]["mta-sts.some.domain"]
        remote_data = remote.rdns.perform_initial_checks("some.domain")
        assert not remote_data["MTA_STS"]
        l = []
        res = check_initial_remote_data(remote_data, strict_tls=False, print=l.append)
        assert res
        assert not l
 def parse_zonefile_into_dict(zonefile, mockdns_base, only_required=False):
    for zf_line in zonefile.split("\n"):
--- a/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
+++ b/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
@@ -0,0 +1,4 @@
 # Managed by cmdeploy: disable IPv6 in unbound.
 server:
  interface: 127.0.0.1
  do-ip6: no
--- a/cmdeploy/src/cmdeploy/www.py
+++ b/cmdeploy/src/cmdeploy/www.py
@@ -140,34 +140,34 @@ def main():
    config.webdev = True
    assert config.mail_domain
    # start web page generation, open a browser and wait for changes
    www_path, src_path, build_dir = get_paths(config)
    build_dir = build_webpages(src_path, build_dir, config)
    index_path = build_dir.joinpath("index.html")
    webbrowser.open(str(index_path))
-    stats = snapshot_dir_stats(src_path)
+
    print(f"\nOpened URL: file://{index_path.resolve()}\n")
-    print(f"watching {src_path} directory for changes")
+    print(f"Watching {src_path} directory for changes...")
    stats = snapshot_dir_stats(src_path)
    changenum = 0
-    count = 0
+    debounce_time = 0.5  # wait 0.5s after detecting a change
    while True:
        newstats = snapshot_dir_stats(src_path)
        if newstats == stats and count % 60 != 0:
            count += 1
            time.sleep(1.0)
            continue
-        for key in newstats:
+    while True:
-            if stats[key] != newstats[key]:
+        time.sleep(1)
-                print(f"*** CHANGED: {key}")
+        newstats = snapshot_dir_stats(src_path)
-                changenum += 1
+
        if newstats != stats:
            changed_files = [f for f in newstats if stats.get(f) != newstats[f]]
            for f in changed_files:
                print(f"*** CHANGED: {f}")
            stats = newstats
            changenum += 1
            build_webpages(src_path, build_dir, config)
            print(f"[{changenum}] regenerated web pages at: {index_path}")
            print(f"URL: file://{index_path.resolve()}\n\n")
-        count = 0
+
            time.sleep(debounce_time)  # simple debounce
 if __name__ == "__main__":
--- a/doc/README.md
+++ b/doc/README.md
@@ -6,7 +6,7 @@ You can use the `make` command and `make html` to build web pages.
 You need a Python environment where the following install was excuted: 
-    pip install sphinx-build furo sphinx-autobuild 
+    pip install furo sphinx-autobuild
 To develop/change documentation, you can then do: 
--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -16,15 +16,16 @@ You will need the following:
 -  Control over a domain through a DNS provider of your choice.
-  A Debian 12 server with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
+-  A Debian 12 **deployment server** with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
   IPv6 is encouraged if available. Chatmail relay servers only require
   1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
   chatmail addresses.
-  Key-based SSH authentication to the root user. You must add a
+-  A Linux or Unix **build machine** with key-based SSH access to the root
-   passphrase-protected private key to your local ssh-agent because you
+   user of the deployment server.
-   can’t type in your passphrase during deployment. (An ed25519 private
+   You must add a passphrase-protected private key to your local ssh-agent because you
-   key is required due to an `upstream bug in
+   can’t type in your passphrase during deployment.
   (An ed25519 private key is required due to an `upstream bug in
   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)
@@ -34,16 +35,25 @@ Setup with ``scripts/cmdeploy``
 We use ``chat.example.org`` as the chatmail domain in the following
 steps. Please substitute it with your own domain.
-1. Setup the initial DNS records. The following is an example in the
+1. Setup the initial DNS records for your deployment server.
   The following is an example in the
   familiar BIND zone file format with a TTL of 1 hour (3600 seconds).
   Please substitute your domain and IP addresses.
   ::
-       chat.example.com. 3600 IN A 198.51.100.5
+       chat.example.org. 3600 IN A 198.51.100.5
-       chat.example.com. 3600 IN AAAA 2001:db8::5
+       chat.example.org. 3600 IN AAAA 2001:db8::5
-       www.chat.example.com. 3600 IN CNAME chat.example.com.
+       www.chat.example.org. 3600 IN CNAME chat.example.org.
-       mta-sts.chat.example.com. 3600 IN CNAME chat.example.com.
+       mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
   .. note::
      For experimental deployments using self-signed certificates,
      use a domain name starting with ``_``
      (e.g. ``_chat.example.org``).
      The ``mta-sts`` CNAME and ``_mta-sts`` TXT records
      are not needed for such domains.
 2. On your local PC, clone the repository and bootstrap the Python
   virtualenv.
@@ -54,20 +64,30 @@ steps. Please substitute it with your own domain.
       cd relay
       scripts/initenv.sh
-3. On your local PC, create chatmail configuration file
+3. On your local build machine (PC), create a chatmail configuration file
   ``chatmail.ini``:
   ::
       scripts/cmdeploy init chat.example.org  # <-- use your domain
-4. Verify that SSH root login to your remote server works:
+   To use self-signed TLS certificates
   instead of Let's Encrypt,
   use a domain name starting with ``_``
   (e.g. ``scripts/cmdeploy init _chat.example.org``).
   Domains starting with ``_`` cannot obtain WebPKI certificates,
   so self-signed mode is derived automatically.
   This is useful for private or test deployments.
   See the :doc:`overview`
   for details on certificate provisioning.
 4. Verify that SSH root login to the deployment server server works:
   ::
       ssh root@chat.example.org  # <-- use your domain
-5. From your local PC, deploy the remote chatmail relay server:
+5. From your local build machine, setup and configure the remote deployment server:
   ::
@@ -81,7 +101,7 @@ steps. Please substitute it with your own domain.
 Other helpful commands
 ----------------------
-To check the status of your remotely running chatmail service:
+To check the status of your deployment server running the chatmail service:
 ::
@@ -158,7 +178,7 @@ Disable automatic address creation
 --------------------------------------------------------
 If you need to stop address creation, e.g. because some script is wildly
-creating addresses, login with ssh and run:
+creating addresses, login with ssh to the deployment machine and run:
 ::
@@ -167,3 +187,34 @@ creating addresses, login with ssh and run:
 Chatmail address creation will be denied while this file is present.
 Running a relay with self-signed certificates
 ----------------------------------------------
 Use a domain name starting with ``_`` (e.g. ``_chat.example.org``)
 to run a relay with self-signed certificates.
 Domains starting with ``_`` cannot obtain WebPKI certificates
 so the relay automatically uses self-signed certificates
 and all other relays will accept connections from it
 without requiring certificate verification.
 This is useful for experimental setups and testing.
 Migrating to a new build machine
 ----------------------------------
 To move or add a build machine,
 clone the relay repository on the new build machine, and copy the ``chatmail.ini`` file from the old build machine.
 Make sure ``rsync`` is installed, then initialize the environment:
 ::
   ./scripts/initenv.sh
 Run safety checks before a new deployment:
 ::
   ./scripts/cmdeploy dns
   ./scripts/cmdeploy status
 If you keep multiple build machines (ie laptop and desktop), keep ``chatmail.ini`` in sync between
 them.
--- a/doc/source/migrate.rst
+++ b/doc/source/migrate.rst
@@ -1,73 +1,98 @@
-Migrating to a new host
+Migrating to a new machine
-----------------------
+===========================
-If you want to migrate chatmail relay from an old machine to a new
+This migration tutorial provides a step-wise approach
-machine, you can use these steps. They were tested with a Linux laptop;
+to safely migrate a chatmail relay from one remote machine to another.
 you might need to adjust some of the steps to your environment.
-Let’s assume that your ``mail_domain`` is ``mail.example.org``, all
+Preliminary notes and assumptions
-involved machines run Debian 12, your old site’s IP address is
+---------------------------------
 ``13.37.13.37``, and your new site’s IP address is ``13.12.23.42``.
-Note, you should lower the TTLs of your DNS records to a value such as
+- If the migration is a planned move,
-300 (5 minutes) so the migration happens as smoothly as possible.
+  it's recommended to lower the Time To Live (TTL) of your DNS records to a value such as 300 (5 minutes),
  at best much earlier than the actual planned migration.
  This speeds up propagation of DNS changes in the Internet after the migration is complete.
-During the guide you might get a warning about changed SSH Host keys; in
+- The migration steps were tested with a Linux laptop; you might need to adjust some of the steps to your local environment.
 this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
-1. First, disable mail services on the old site.
+- Your ``mail_domain`` is ``mail.example.org``.
 - All remote machines run Debian 12.
 - The old site’s IP version 4 address is ``$OLD_IP4``.
 - The new site’s IP addresses are ``$NEW_IP4`` and ``$NEW_IPV6``.
 The six steps to migrate
 ------------------------
 Note that during some of the following steps you might get a warning about changed SSH Host keys;
 in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
 1. **Initially transfer mailboxes from old to new site.**
   Login to old site, forwarding your ssh-agent with ``ssh -A``
   to allow using ssh to directly copy files from old to new site.
   ::
       ssh -A root@$OLD_IP4
       tar c /home/vmail/mail | ssh root@$NEW_IP4 "tar x -C /"
 2. **Pre-configure the new site but keep it inactive until step 6**
   ::
       CMDEPLOY_STAGES=install,configure scripts/cmdeploy run --ssh-host $NEW_IP4
 3. **It's getting serious: disable mail services on the old site.**
   Users will not be able to send or receive messages until all steps are completed.
   Other relays and mail servers will retry delivering messages from time to time,
   so nothing is lost for users.
   ::
-       cmdeploy run --disable-mail --ssh-host 13.37.13.37
+       scripts/cmdeploy run --disable-mail --ssh-host $OLD_IP4
   Now your users will notice the migration and will not be able to send
   or receive messages until the migration is completed.
-2. Now we want to copy ``/home/vmail``, ``/var/lib/acme``,
+4. **Final synchronization of TLS/DKIM secrets, mail queues and mailboxes.**
-   ``/etc/dkimkeys``, ``/run/echobot``, and ``/var/spool/postfix`` to
+   Again we use ssh-agent forwarding (``-A``) to allow transfering all important data directly
-   the new site. Login to the old site while forwarding your SSH agent
+   from the old to the new site.
-   so you can copy directly from the old to the new site with your SSH
+   ::
-   key:
+
-
+       ssh -A root@$OLD_IP4
-   ::
+       tar c /var/lib/acme /etc/dkimkeys /var/spool/postfix | ssh root@$NEW_IP4 "tar x -C /"
-
+       rsync -azH /home/vmail/mail root@$NEW_IP4:/home/vmail/
-       ssh -A root@13.37.13.37
+
-       tar c - /home/vmail/mail /var/lib/acme /etc/dkimkeys /run/echobot /var/spool/postfix | ssh root@13.12.23.42 "tar x -C /"
+   Login to the new site and ensure file ownerships are correctly set:
   This transfers all addresses, the TLS certificate, DKIM keys (so DKIM
   DNS record remains valid), and the echobot’s password so it continues
   to function. It also preserves the Postfix mail spool so any messages
   pending delivery will still be delivered.
 3. Install chatmail on the new machine:
   ::
       cmdeploy run --disable-mail --ssh-host 13.12.23.42
   Postfix and Dovecot are disabled for now; we will enable them later.
   We first need to make the new site fully operational.
 4. On the new site, run the following to ensure the ownership is correct
   in case UIDs/GIDs changed:
   ::
       ssh root@$NEW_IP4
       chown root: -R /var/lib/acme
       chown opendkim: -R /etc/dkimkeys
       chown vmail: -R /home/vmail/mail
       chown echobot: -R /run/echobot
 5. Now, update DNS entries.
-   If other MTAs try to deliver messages to your chatmail domain they
+5. **Update the DNS entries to point to the new site.**
-   may fail intermittently, as DNS catches up with the new site settings
+   You only need to change the ``A`` and ``AAAA`` records, for example:
   but normally will retry delivering messages for at least a week, so
   messages will not be lost.
-6. Finally, you can execute ``cmdeploy run --ssh-host 13.12.23.42`` to
+   ::
-   turn on chatmail on the new relay. Your users will be able to use the
+
-   chatmail relay as soon as the DNS changes have propagated. Voilà!
+       mail.example.org.    IN A    $NEW_IP4
       mail.example.org.    IN AAAA $NEW_IP6
 6. **Activate chatmail relay on new site.**
   ::
        CMDEPLOY_STAGES=activate scripts/cmdeploy run --ssh-host $NEW_IP4
   Voilà!
   Users will be able to use the relay as soon as the DNS changes have propagated.
   If you have lowered the Time-to-Live for DNS records in step 1,
   better use a higher value again (between 14400 and 86400 seconds) once you are sure everything works.
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -42,6 +42,11 @@ The deployed system components of a chatmail relay are:
 -  Dovecot_ is the Mail Delivery Agent (MDA) and
   stores messages for users until they download them
 -  `filtermail <https://github.com/chatmail/filtermail>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  Nginx_ shows the web page with privacy policy and additional information
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
@@ -85,11 +90,6 @@ short overview of ``chatmaild`` services:
   <https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
   to authenticate logins.
 -  `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
   is contacted by a `Dovecot lua
   script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
@@ -109,10 +109,6 @@ short overview of ``chatmaild`` services:
   is contacted by Dovecot when a user logs in and stores the date of
   the login.
 -  `echobot <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/echo.py>`_
   is a small bot for test purposes. It simply echoes back messages from
   users.
 -  `metrics <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metrics.py>`_
   collects some metrics and displays them at
   ``https://example.org/metrics``.
@@ -203,44 +199,6 @@ Message between users on the same relay
        dovecot --> recipient;
        dovecot --> sender's_other_devices;
 Message to an external address
 ------------------------------
 .. mermaid::
    :caption: This diagram shows the path a federated message takes.
    graph LR;
        sender --> |465|smtps/smtpd;
        sender --> |587|submission/smtpd;
        smtps/smtpd --> |10080|filtermail;
        submission/smtpd --> |10080|filtermail;
        filtermail --> |10025|smtpd_reinject;
        smtpd_reinject --> opendkim;
        opendkim --> smtpd_reinject;
        smtpd_reinject --> cleanup;
        cleanup --> qmgr;
        qmgr --> external_smtp_server;
        qmgr --> |lmtp|dovecot;
        external_smtp_server --> recipient;
        dovecot --> senders_other_devices;
 Message from an external address
 --------------------------------
 .. mermaid::
    :caption: This diagram shows the path a federated message takes.
    graph LR;
        external_smtp_server --> |25|smtpd;
        smtps/smtpd --> |10081|filtermail-incoming;
        filtermail-incoming --> |10026|smtpd_reinject_incoming;
        smtpd_reinject_incoming --> opendkim;
        opendkim --> smtpd_reinject_incoming;
        smtpd_reinject_incoming --> cleanup;
        cleanup --> qmgr;
        qmgr --> |lmtp|dovecot;
        dovecot --> recipient;
 Operational details of a chatmail relay
 ----------------------------------------
@@ -311,9 +269,11 @@ Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
 by OpenDKIM screen policy script before validating the signatures. This
-correpsonds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
+corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
 After validating the DKIM signature,
 the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.
 Note that chatmail relays
@@ -337,8 +297,7 @@ TLS requirements
 Postfix is configured to require valid TLS by setting
 `smtp_tls_security_level <https://www.postfix.org/postconf.5.html#smtp_tls_security_level>`_
-to ``verify``. If emails don’t arrive at your chatmail relay server, the
+to ``verify``.
 problem is likely that your relay does not have a valid TLS certificate.
 You can test it by resolving ``MX`` records of your relay domain and
 then connecting to MX relays (e.g ``mx.example.org``) with
@@ -357,6 +316,14 @@ default Exim does not log sessions that are closed before sending the
 by Postfix, so you might think that connection is not established while
 actually it is a problem with your TLS certificate.
 If emails don’t arrive at your chatmail relay server, the
 problem is likely that your relay does not have a valid TLS certificate.
 Note that connections to relays with underscore-prefixed test domains
 (e.g. ``_chat.example.org``) use ``encrypt`` tls security level,
 because such domains cannot obtain valid Let's Encrypt certificates
 and run with self-signed certificates.
 .. _dovecot: https://dovecot.org
 .. _postfix: https://www.postfix.org
--- a/doc/source/proxy.rst
+++ b/doc/source/proxy.rst
@@ -22,7 +22,12 @@ Note that your chatmail relay still needs to be able to make outgoing
 connections on port 25 to send messages outside.
 To setup a reverse proxy (or rather Destination NAT, DNAT) for your
-chatmail relay, put the following configuration in
+chatmail relay, follow these instructions:
 Linux
 ^^^^^
 Put the following configuration in
 ``/etc/nftables.conf``:
 ::
@@ -110,5 +115,61 @@ Uncomment in ``/etc/sysctl.conf`` the following two lines:
 Then reboot the relay or do ``sysctl -p`` and
 ``nft -f /etc/nftables.conf``.
-Once proxy relay is set up, you can add its IP address to the DNS.
+FreeBSD / pf
 ^^^^^^^^^^^^
 Put the following configuration in
 ``/etc/pf.conf``:
 ::
    ext_if = "em0"
    forward_ports = "{ 25, 80, 143, 443, 465, 587, 993 }"
    chatmail_ipv4 = "AAA.BBB.CCC.DDD"
    icmp_types = "{ echoreq, echorep, unreach, timex }"
    chatmail_ipv6 = "XXX::1"
    icmp6_types = "{ echorep, echoreq, neighbradv, neighbrsol, routeradv, routersol, unreach, toobig, timex }"
    set skip on lo0
    nat on $ext_if inet from any to any -> ($ext_if:0)
    nat on $ext_if inet6 from any to any -> ($ext_if:0)
    # Define the redirect rules
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port $forward_ports -> $chatmail_ipv4
    rdr on $ext_if inet6 proto tcp from any to ($ext_if:0) port $forward_ports -> $chatmail_ipv6
    # Accept the incoming traffic to the specified ports we will NAT redirect
    pass in quick on $ext_if inet proto tcp from any to any port $forward_ports flags S/SA modulate state
    pass in quick on $ext_if inet6 proto tcp from any to any port $forward_ports flags S/SA modulate state
    # Allow incoming SSH for host mgmt
    pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA modulate state
    # Allow ICMP
    pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
    pass in quick on $ext_if inet6 proto ipv6-icmp all icmp6-type $icmp6_types keep state
    # Allow traffic from anyone to go through the NAT
    pass on $ext_if inet proto tcp from any to $chatmail_ipv4 flags S/SA modulate state
    pass on $ext_if inet6 proto tcp from any to $chatmail_ipv6 flags S/SA modulate state
    # Default allow out
    pass out quick on $ext_if from any to any
    # Default block
    block drop in log all
 Insert into ``/etc/sysctl.conf.local`` the following two lines:
 ::
    net.inet.ip.forwarding=1
    net.inet6.ip6.forwarding=1
 Activate the sysctls with ``service sysctl onestart``.
 Enable the pf firewall with ``service pf enable``.
 Apply the firewall rules with ``service pf start`` or ``pfctl -f /etc/pf.conf``.
 Note, enabling the firewall may interrupt your SSH session, but you can reconnect.
 Once proxy relay is set up, you can add its IP address to the DNS.
--- a/doc/source/related.rst
+++ b/doc/source/related.rst
@@ -7,14 +7,21 @@ Active development takes place in the `chatmail/relay github repository <https:/
 You can check out the `'chatmail' tag in the support.delta.chat forum <https://support.delta.chat/tag/chatmail>`_
 and ask to get added to a non-public support chat for debugging issues.
-We know of two work-in-progress alternative implementation efforts:
+We know of three work-in-progress alternative implementation efforts:
 -  `Mox <https://github.com/mjl-/mox>`_: A Golang email server. `Work
   is in progress <https://github.com/mjl-/mox/issues/251>`_ to modify
   it to support all of the features and configuration settings required
   to operate as a chatmail relay.
-  `Maddy-Chatmail <https://github.com/sadraiiali/maddy_chatmail>`_: a
+-  `Madmail <https://github.com/themadorg/madmail>`_: an
-   plugin for the `Maddy email server <https://maddy.email/>`_ which
+   experimental fork of `Maddy Mail Server <https://maddy.email/>`_, modified
-   aims to implement the chatmail relay features and configuration
+   for chatmail deployments.  It provides a single binary solution
-   options.
+   for running a chatmail relay.
 -  `Chatmail Cookbook <https://github.com/feld/chatmail-cookbook>`_:
   A Chef Cookbook implementing a relay server. The project follows the
   official relay server software and configurations converted to a Chef
   Cookbook with only minor differences. The cookbook uses DNS-01 for
   certificate validation and additionally supports FreeBSD. It does not
   require a Chef server to use.
--- a/www/src/dclogin.js
+++ b/www/src/dclogin.js
@@ -0,0 +1,21 @@
 /* dclogin profile generator for self-signed chatmail relays.
 * Fetches credentials from /new and generates a dclogin: QR code.
 * Requires qrcode-svg.min.js to be loaded first.
 */
 (function () {
    function generateProfile() {
        fetch('/new')
            .then(function (r) { return r.json(); })
            .then(function (data) {
                var url = data.dclogin_url;
                var link = document.getElementById('dclogin-link');
                link.href = url;
                var qrLink = document.getElementById('qr-link');
                qrLink.href = url;
                var qrCode = document.getElementById('qr-code');
                var qr = new QRCode({ content: url, width: 300, height: 300, padding: 1, join: true });
                qrCode.innerHTML = qr.svg();
            });
    }
    generateProfile();
 })();
--- a/www/src/index.md
+++ b/www/src/index.md
@@ -11,6 +11,18 @@ for Delta Chat users.  For details how it avoids storing personal information
 please see our [privacy policy](privacy.html). 
 {% endif %}
 {% if config.tls_cert_mode == "self" %}
 <a class="cta-button" id="dclogin-link" href="#">Get a {{config.mail_domain}} chat profile</a>
 If you are viewing this page on a different device
 without a Delta Chat app,
 you can also **scan this QR code** with Delta Chat:
 <a id="qr-link" href="#"><div id="qr-code"></div></a>
 <script src="qrcode-svg.min.js"></script>
 <script src="dclogin.js"></script>
 {% else %}
 <a class="cta-button" href="DCACCOUNT:https://{{ config.mail_domain }}/new">Get a {{config.mail_domain}} chat profile</a>
 If you are viewing this page on a different device
@@ -19,11 +31,8 @@ you can also **scan this QR code** with Delta Chat:
 <a href="DCACCOUNT:https://{{ config.mail_domain }}/new">
    <img width=300 style="float: none;" src="qr-chatmail-invite-{{config.mail_domain}}.png" /></a>
 {% endif %}
 🐣 **Choose** your Avatar and Name
 💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
 {% if config.mail_domain != "nine.testrun.org" %}
 <div class="experimental">Note: this is only a temporary development chatmail service</div>
 {% endif %}
--- a/www/src/qrcode-svg.min.js
+++ b/www/src/qrcode-svg.min.js
--- a/www/src/robots.txt
+++ b/www/src/robots.txt
@@ -0,0 +1,2 @@
 User-agent: *
 Disallow: /
Author	SHA1	Message	Date
missytake	4f8b958a57	config: comment out values in chatmail.ini.f, so defaults take precedence	2026-02-24 14:44:46 +01:00
missytake	ca2103a4d3	config: default delete_inactive_users_after is 90, actually	2026-02-24 14:43:58 +01:00
missytake	13dd64798a	config: load default values from Config(), not chatmail.ini.f	2026-02-19 21:41:17 +01:00
missytake	38cc1c7cd6	fix(cmdeploy): make tests work with `--ssh-host localhost` (#856 ) * tests: fix test_remote[imap] * cmdeploy: call LocalExec directly, not .logged() * tests: fix TestSSHExecutor.test_logged * tests: fix test_status_cmd with --ssh-host @local * tests: fix test_logged with --ssh-host localhost * tests: fix TestSSHExecutor::test_exception with --ssh-host localhost * ci: deploy with --ssh-host localhost on staging-ipv4 * metadata: lower RestartSec	2026-02-19 21:34:39 +01:00
link2xt	7a6ed8340e	test: mark f-string with f prefix in test_expunged This one was not marked accidentally.	2026-02-19 19:41:14 +00:00
missytake	2ce9e5fe78	dovecot: install also if dovecot.service=False in SystemdEnabled Fact	2026-02-19 16:00:25 +01:00
holger krekel	cf96be2cbb	feat: support self-signed chatmail relays (#855 ) feat: support self-signed TLS via underscore domain convention Domains starting with "_" (e.g. _chat.example.org) automatically use self-signed TLS certificates instead of ACME/Let's Encrypt. The TLS mode is derived from the domain name — no separate config option needed. Internally, when config.tls_cert_mode is "self" (underscore domain): - Generate self-signed certificates via openssl - Set Postfix smtp_tls_security_level to "encrypt" (opportunistic TLS) - Add smtp_tls_policy_map entry for underscore domains - Skip ACME, MTA-STS and www CNAME checks in `cmdeploy dns` - Serve /new via GET (not redirect to dcaccount:) with rate-limiting (nginx limit_req, 2r/s burst=5) - Return dclogin: URLs with ic=3 (AcceptInvalidCertificates) from /new - Render QR codes client-side via JavaScript and qrcode-svg - Use config.tls_cert_path/tls_key_path in Postfix, Dovecot and nginx templates instead of hardcoded ACME paths	2026-02-19 10:27:41 +01:00
Mark Felder	36eb63faa1	feat: Strip Received headers before delivery	2026-02-17 21:16:11 +01:00
Jagoda Estera Ślązak	91df11015e	chore(deps): upgrade to filtermail v0.3 (#850 ) ## 0.3.0 - 2026-02-14 ### Features - Support legacy, pre-OpenPGP packet format ### Miscellaneous Tasks - (dist) Switch to musl targets ### Refactor - Remove unnecessary Arc - Use a custom, minimal SMTP client instead of lettre Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-02-14 18:02:05 +01:00
link2xt	d4f8a29243	docs: fix link to Maddy and update madmail URL	2026-02-13 09:49:29 +00:00
missytake	0144fc3ea8	postfix: only look for square brackets, they are only allowed for address literals	2026-02-12 10:45:15 +01:00
missytake	e7ce6679b9	postfix: IPv6 literals have a prefix	2026-02-12 10:45:15 +01:00
missytake	d1adf52f89	postfix: also accept self-signed for IPv6-only	2026-02-12 10:45:15 +01:00
missytake	56d0e2ca27	postfix: be more exact with nauta.cu	2026-02-12 10:45:15 +01:00
missytake	2613558db6	postfix uses POSIX EREs, not PCRE, so some stuff doesn't work	2026-02-12 10:45:15 +01:00
missytake	6843fcb1a0	postfix: fix tls policy regexp map	2026-02-12 10:45:15 +01:00
missytake	ff54ad88d8	postfix: use regexp to match IPv4 addresses	2026-02-12 10:45:15 +01:00
missytake	cce2b27ae7	postfix: accept self-signed certificates for IP-only relays	2026-02-12 10:45:15 +01:00
j4n	87022e3681	fix(cmdeploy): check if dns_check_disabled before trying to warn about LE If --skip-dns-check is used and retcode != 0, remote_data is undefined.	2026-02-11 12:13:24 +01:00
j4n	06560dd071	feat(postfix): bind to mail_domain's A/AAAA addresses for outbound mail Carry forward A/AAAA address from the DNS check to the postfix deploy stage and set accordingly in main.cf.	2026-02-11 12:13:24 +01:00
j4n	1b0337a5f7	fix(cmdeploy): port check: check addresses, fix single services Ensure that the interface for mtail_address is available and fix a bug in port checking where single services were always passing regardless of the specified service name.	2026-02-11 09:36:04 +01:00
373[Ø]™	dfcaf415b1	Merge pull request #834 from chatmail/373/fix-dns-resolver-injection fix: remediates issue with improper concat on resolver injection	2026-01-30 23:36:46 +00:00
ccclxxiii	c0718325ef	fix: simplify resolver fix	2026-01-30 22:17:53 +00:00
ccclxxiii	7d72b0e592	fix:[wip] fix concact issue which causes dns failure	2026-01-30 21:10:19 +00:00
373[Ø]™	8f1e23d98e	Merge pull request #832 from chatmail/373/respect-ipv4-ipv6-boolean-config remediates ipv6 boolean not being respected during operations	2026-01-30 17:53:36 +00:00
ccclxxiii	56aaf2649b	chore: fixes bug in dovecot template	2026-01-30 15:52:32 +00:00
ccclxxiii	2660b4d24c	feat: updates postfix for ipv4/v6	2026-01-30 15:27:02 +00:00
ccclxxiii	ea60ecfb57	feat: updates deployers for ipv4/v6 bool	2026-01-30 15:26:45 +00:00
ccclxxiii	2a3a224cc2	feat: adds template for unbound v4/v6	2026-01-30 15:24:26 +00:00
Jagoda Ślązak	e42139e97b	chore(deps): upgrade to filtermail v0.2 Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-28 20:46:02 +00:00
Jagoda Estera Ślązak	65b660c413	docs: update information about filtermail (#824 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-27 13:20:09 +01:00
link2xt	dd2beb226a	test(test_exceed_rate_limit): print timestamps when sending messages	2026-01-26 14:25:06 +00:00
link2xt	9c7508cc33	test: fix flaky test_exceed_rate_limit filtermail rate limiter is using leaky bucket algorithm (GCRA). Exceeting the limit requires sending at least max_user_send_per_minute messages to exhaust allowed burst, and then sending messages faster than the leak rate. As we don't know how fast is the network between the server and test runner, try to send 3 times max_user_send_per_minute messages to ensure the test does not fail randomly.	2026-01-26 12:07:10 +00:00
Jagoda Estera Ślązak	ab3492d9a1	feat(filtermail): Replace filtermail with rust reimplementation (#808 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-23 16:31:45 +01:00
Jagoda Estera Ślązak	032faf0a94	feat(config): Set default internal SMTP ports in Config (#819 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-23 09:34:16 +01:00
link2xt	c45fe03652	fix(mtail): separate metrics for incoming and outgoing messages	2026-01-22 14:45:33 +00:00
feld	08bf4c234b	Merge pull request #815 from chatmail/dovecot_lmtp_header Dovecot: disable appending the Received header	2026-01-21 12:18:54 -08:00
j4n	2d0ccdb4a3	cmdeploy/{postfix,dovecot}/deployer.py: check config before restarting postfix: also fail on warnings	2026-01-21 16:33:38 +01:00
j4n	3abba6f2fa	dovecot.conf: fix the stats syntax The ! character in != is an invalid token in Dovecot's unified filter language (2.3.12+). The parser expected a comparison operator (=, >, <) and choked on !.	2026-01-21 16:33:38 +01:00
missytake	f9aaeb0f42	ci: enable mtail for CI github deployments: be lenient on the whitespace in sed replace of mtail_address	2026-01-21 16:33:38 +01:00
missytake	e0c44bf04f	Reapply "cmdeploy/dovecot/dovecot.conf.j2: tweak idle/hibernate metrics" This reverts commit `0aa0324c81`.	2026-01-21 16:33:38 +01:00
Mark Felder	8ff53d12cb	Dovecot: disable appending the Received header This suppresses a Received header only applied during LMTP processing and includes a timestamp.	2026-01-20 15:16:33 -08:00
missytake	0aa0324c81	Revert "cmdeploy/dovecot/dovecot.conf.j2: tweak idle/hibernate metrics" This reverts commit `bfcfc9b090`.	2026-01-20 19:11:24 +01:00
j4n	bfcfc9b090	cmdeploy/dovecot/dovecot.conf.j2: tweak idle/hibernate metrics Tune stats collection in tandem with the dashboard.	2026-01-20 17:38:04 +01:00
j4n	e101c36ab4	fix(cmdeploy): comiit typo	2026-01-20 17:38:04 +01:00
j4n	be7aa21039	feat(dovecot): add config flag to export statistics (#806 ) This adds exporting of some dovecot event metrics to help debugging slow IMAP login and hibernation. For now, re-using mtail_address config flag and configure the port of the dovecot exporter to be 3904.	2026-01-16 11:35:19 +01:00
adbenitez	4906b82e44	add --website-only option to run subcommand	2026-01-15 16:58:06 +01:00
missytake	5d49b4c0fd	postfix: also strip Authentication-Results header	2026-01-15 15:41:21 +01:00
missytake	56c8f9faae	tests: add test for stripping DKIM + Authentication-Results headers	2026-01-15 15:41:21 +01:00
Mark Felder	203a7da3f4	Strip DKIM-Signature header before LMTP Currently we strip the DKIM-Signature header in the OpenDKIM final.lua script after validation of the signature. We sign all messages upon submission, but we do not verify messages which are from a local account and delivered to another local account. This corrects the problem and ensures that the plaintext headers of a local to local delivery are sanitized the same as a message received from another server. The functionality in final.lua to strip the DKIM-Signature header can now be retired.	2026-01-15 15:41:21 +01:00
missytake	a1667ca54d	Update cmdeploy/src/cmdeploy/postfix/deployer.py	2026-01-15 12:51:29 +01:00
holger krekel	6401bbb32c	fix: properly make sure that postfix gets restarted on failure	2026-01-15 12:51:29 +01:00
Mark Felder	325cc7a7b4	expire.py: use absolute path to maildirsize	2026-01-15 12:50:38 +01:00
link2xt	c2acbad802	docs: pin Dovecot documentation URLs to version 2.3 At least some old URLs are 404 already.	2026-01-07 20:08:45 +00:00
holger krekel	0e7ab96dc8	docs: use "build machine" and "deployment server" consistently in getting-started (#797 )	2026-01-04 15:05:09 +01:00
３７３	d1f9523836	docs: adds instructions for migrating control machines (#795 ) * docs: update index reference * docs: adds control machine migration instructions * docs: rename index ref * docs: remove maddy-chatmail (404) * docs: consistent underlining in header text * docs: remove dedicated page reference * docs: remove dedicated page for control machine migration * docs: condense deployment machine migration into getting started per feedback * docs: correct link to madmail * docs: update verbiage based on feedback	2026-01-04 14:21:12 +01:00
３７３	bcf2fdb5d0	docs: consistent naming schema in documentation	2025-12-28 23:57:39 +01:00
link2xt	77a6f49c9b	ci: remove jsok/serialize-workflow-action dependency Deployments to test servers will not be cancelled anymore, but it is not clear if we even want it. This setup is much simpler because it only depends on GitHub Actions features and does not allocate a runner just to sleep there and wait in the queue.	2025-12-27 14:36:39 +00:00
holger krekel	99630e4d1b	docs: streamline migration guide wording, provide titled steps (#789 ) * docs: update migration guide after nine migration * use $OLD_IP4 and $NEW_IP4 to make docs more readable. Also streamline "set TTL to 5 minute" phrasing a bit. * fix tar commands * refactor: streamline and refactor the migration guide to provide more clarity and focus * recommend a "higher TTL" concrete value Co-authored-by: missytake <missytake@systemli.org> * scriptify another location --------- Co-authored-by: missytake <missytake@systemli.org>	2025-12-27 13:10:56 +01:00
３７３	2f8199a7c6	test: update config test for proper assertion	2025-12-26 20:46:03 +01:00
３７３	4eeead2826	feat: increases default max mailbox size this changeset increases the default max mailbox or quota size per a conversation in our development channel	2025-12-26 20:46:03 +01:00
link2xt	0d890274fd	feat: use daemon_name for OpenDKIM sign-verify decision instead of IP On FreeBSD 127.0.0.2 is not assigned to any interface by default, so 127.0.0.2 source address hack cannot be used to make OpenDKIM verify the signature instead of signing. This change sets InternalHosts to `-` so no IP addresses make OpenDKIM sign the message. Instead of IP address, OpenDKIM in the outgoing pipeline is explicitly told to sign messages by setting `{daemon_name}` macro to `ORIGINATING`.	2025-12-19 17:09:33 +00:00
link2xt	7191329a9f	chore(release): prepare for 1.9.0	2025-12-18 23:49:48 +00:00
link2xt	1ae4c8451a	ci: run tests against ci-chatmail.testrun.org instead of nine.testrun.org	2025-12-18 23:06:05 +00:00
holger krekel	f04a624e19	fix: use absolute path instead of relative path, and streamline some code parts according to comments at https://github.com/chatmail/relay/pull/785	2025-12-18 23:31:39 +01:00
holger krekel	24e3f33acd	fix: expire messages also from DeltaChat IMAP subfolders	2025-12-18 23:04:50 +01:00
link2xt	610843a44a	docs: add RELEASE.md and CONTRIBUTING.md	2025-12-18 09:21:19 +01:00
link2xt	966754a346	chore: setup git-cliff I am running git-cliff 2.11.0. Ran `git-cliff --init` to generate `cliff.toml`. Removed emojis, replaced `doc` with `docs` to match chatmail core convention.	2025-12-18 09:21:19 +01:00
link2xt	87153667ed	chore: update the heading in the CHANGELOG.md I have checked that nobody added any entries since 1.8.0 was released.	2025-12-17 21:18:02 +00:00
holger krekel	abe0cb5d08	address cliff's comments about dovecot/postfix	2025-12-17 16:21:40 +01:00
missytake	8c8c37c822	postfix: restart automatically on failure	2025-12-17 16:21:40 +01:00
missytake	e7bed4d2a1	dovecot: restart automatically on failure	2025-12-17 16:21:40 +01:00
j4n	df21076e9b	acmetool: use a fixed name and reconcile instead of want	2025-12-17 11:57:41 +01:00
missytake	70da217442	opendkim: only display last sigerror	2025-12-17 10:39:50 +01:00
missytake	40fd62c562	opendkim: report DKIM error code in SMTP response	2025-12-17 10:39:50 +01:00
cliffmccarthy	d76b33def1	feat: Remove echo from passthrough recipients	2025-12-17 10:35:47 +01:00
cliffmccarthy	bab3de9768	feat: Remove echobot user from deployment	2025-12-17 10:35:47 +01:00
cliffmccarthy	49c66116bf	feat: Remove echobot special cases	2025-12-17 10:35:47 +01:00
３７３	9bf99cc8a9	removes development notice	2025-12-16 15:06:45 +01:00
Mark Felder	1188aed061	Related: Add the Chatmail Cookbook project	2025-12-14 20:32:08 +01:00
Mark Felder	e15b8ebf11	docs README update There is no sphinx-build to pip install	2025-12-14 20:31:19 +01:00
missytake	c84ddf69e8	add missing changelog entries	2025-12-12 14:18:42 +01:00
missytake	96fc3d9ff6	tests: don't let test_status_cmd test server state	2025-12-12 14:00:53 +01:00
missytake	4b5e8feb96	ci: run test_status_cmd at the end to avoid flakiness	2025-12-12 14:00:53 +01:00
Rodrigo Camacho	c98853570b	updated location of the documentation for custom webpage location	2025-12-11 22:50:02 +01:00
Simon Laux	bad356503e	Merge pull request #745 from chatmail/simon/i744 fix: Handle case where user followed the tutorial and set the CNAME reccord for mta-sts, but no TXT record for it yet.	2025-12-11 22:41:14 +01:00
adb	dba48e88d1	Merge pull request #760 from chatmail/adb/issue-734 add imap_compress option to chatmail.ini	2025-12-11 08:33:41 +01:00
adbenitez	3ae8834cbe	update changelog	2025-12-11 08:33:24 +01:00
adb	81391f4066	Update cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2 Co-authored-by: missytake <missytake@systemli.org>	2025-12-10 20:43:03 +01:00
adbenitez	55cfd00505	add imap_compress option to chatmail.ini	2025-12-09 09:32:53 +01:00
holger krekel	b000213c68	remove echobot from relay deployment and make sure it's un-installed during "cmdeploy run"	2025-12-07 20:14:35 +01:00
link2xt	51d16b6bb8	Add hpk42 SSH key to staging server for debugging	2025-12-07 20:13:38 +01:00
link2xt	2beba8c455	ci: add deployment environments for all deployment workflows Code posting the link to comments is removed as deployment URLs are directly visible in the UI.	2025-12-07 15:21:44 +01:00
link2xt	33c67d22fa	Add execnet dependency	2025-12-07 15:21:44 +01:00
j4n	166bf68915	Remove DKIM-Signature from incoming mail after checking (#747 ) The original https://github.com/chatmail/relay/pull/533 attempted to remove the header through postfix, but that is too early. Instead, remove the headers in the OpenDKIM `final.lua` script after the validation.	2025-12-04 12:23:27 +01:00
Treefit	abb70a6b14	Handle case where user followed the tutorial and set the CNAME reccord for mta-sts, but no TXT record for it yet.	2025-11-28 09:34:44 +01:00
Maikel Frias Mosquea	96108bbaba	fix: cmdeploy webdev now works as intended Before: cmdeploy webdev just kept running non-stop regeneration of the files with this it truly stop unless there's an actual change.	2025-11-25 22:26:47 +01:00
Mark Felder	8f68672e31	FreeBSD/pf example: fix small inconsistency harmless, but better to be consistent	2025-11-21 10:02:44 +01:00
Mark Felder	9e6e3af534	Proxy example for FreeBSD/pf	2025-11-20 17:03:31 +01:00
missytake	fa5a6a64b3	opendkim: use opendkim as selector as before	2025-11-16 19:53:54 +01:00
holger krekel	6b7c002e24	use non-underscore naming for basedeploy helpers	2025-11-16 19:53:54 +01:00
holger krekel	4b2f98788d	remove unneeded __init__ files	2025-11-16 19:53:54 +01:00
holger krekel	13faa42abd	shift mtail deployer to subdir	2025-11-16 19:53:54 +01:00
holger krekel	7c12136991	move out nginx deployer	2025-11-16 19:53:54 +01:00
holger krekel	3637bba5dc	move dovecot deployer out to dovecot/ directory	2025-11-16 19:53:54 +01:00
holger krekel	e2b157bd96	move postfix deployer to postfix directory	2025-11-16 19:53:54 +01:00
holger krekel	83abb3a3e1	factor out opendkim deployer	2025-11-16 19:53:54 +01:00
link2xt	2e3e3101b6	Add robots.txt to exclude all web crawlers	2025-11-16 10:31:14 +00:00
missytake	213d68ed02	acmetool: accept new Let's Encrypt Terms of Services (#729 )	2025-11-16 09:51:39 +01:00
link2xt	68cc6676ef	Update changelog	2025-11-15 10:51:04 +00:00
link2xt	14ca95d25a	fix(postfix): set smtpd_tls_mandatory_protocols for port 25 smtp_tls_mandatory_protocols does not affect port 25 because we require STARTTLS on port 25 since commit `8d7e1dad0e` We don't have any smtpd ports with opportunistic TLS. Submission ports require TLSv1.3 and starting with this commit MX port will require TLSv1.2 instead of TLSv1. I have not managed to connect using TLSv1.1 even without this fix to reproduce the problem, but I have checked that setting `-o smtpd_tls_mandatory_protocols=>=TLSv1.3` does not allow to connect using TLSv1.2 anymore using `openssl s_client -connect example.org:25 -starttls smtp -tls1_2`. `smtpd_tls_protocols` setting is removed because it does not affect anything except the internal ports and its `git blame` points to the wrong commit.	2025-11-15 10:51:04 +00:00
link2xt	3524b055db	fix(postfix): set smtp_tls_mandatory_protocols to require TLSv1.2 for outgoing connections According to <https://www.postfix.org/postconf.5.html#smtp_tls_security_level> for outgoing connections with smtp_tls_security_level `encrypt` and higher (such as `verify` that we currently use) the setting `smtp_tls_mandatory_protocols` is used instead of `smtp_tls_protocols`. According to `postconf -d` (and `postconf` because the default is not changed) current setting value is `smtp_tls_mandatory_protocols = >=TLSv1`. But we only want to connect outside with TLS 1.2 and TLS 1.3. `smtp_tls_protocols` which was already set to `>= TLSv1.2` in commit `0155f32df6` only affected outgoing connections with the `may` level exception set for nauta.cu domain via `smtp_tls_policy_maps` which does not support STARTTLS at all.	2025-11-15 10:51:04 +00:00
`@@ -1,2 +1,2 @@`
	`"acme-enter-email": "{{ email }}"`	`"acme-enter-email": "{{ email }}"`
	`"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf": true`	`"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true`