postfix: do lmtp via local instead of virtual transport

cmdeploy: deploy with IP address only
postfix: hardcode IP addresses of relays without DNS, drop messages to nine
2026-05-14 09:54:38 +00:00 · 2026-01-27 12:14:48 +01:00 · 2026-01-25 13:30:26 +01:00 · 2026-01-25 13:30:26 +01:00 · 2026-01-25 13:30:26 +01:00 · 2026-01-25 13:30:26 +01:00
31 changed files with 97 additions and 429 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,7 +15,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.2.0/filtermail-x86_64-musl -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.1.2/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
--- a/README.md
+++ b/README.md
@@ -1,20 +1,25 @@
-# Chatmail relays for end-to-end encrypted email
+# No-DNS Chatmail relay
-Chatmail relay servers are interoperable Mail Transport Agents (MTAs) designed for: 
+With this branch, you don't need DNS at all,
 just a VPS with an IPv4 address,
 let's take `77.42.80.106` as an example.
 First, choose a random domain name (it doesn't need working DNS)
 and create a chatmail.ini config file:
-  **Zero State:** no private data or metadata collected, messages are auto-deleted, low disk usage
+```
 cmdeploy init [77.42.80.106]
 ```
-  **Instant/Realtime:** sub-second message delivery, realtime P2P
+Then, in `cmdeploy/src/cmdeploy/postfix/transport`,
-   streaming, privacy-preserving Push Notifications for Apple, Google, and Huawei;
+remove the line corresponding to your relay,
 and add other for relays you know.
 Now you can deploy the relay to your IP address:
-  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
+```
 cmdeploy run --skip-dns-check --ssh-host 77.42.80.106
 ```
-  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
+Finally, you can login with a `dclogin://` code like this, with the correct "domain name" and IP address:
   depends on established IETF standards and protocols.
 This repository contains everything needed to setup a ready-to-use chatmail relay on an ssh-reachable host. 
 For getting started and more information please refer to the web version of this repositories' documentation at
 [https://chatmail.at/doc/relay](https://chatmail.at/doc/relay)
 `dclogin:s0mer4nd0@[77.42.80.106]?p=w7i8da7h8uads92ycc2rufyl&v=1&ih=77.42.80.106&sh=77.42.80.106&sp=443&ip=443&ic=3&sc=3`
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -20,8 +20,7 @@ class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
        self.mail_domain = params["mail_domain"]
-        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
+        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
        self.max_mailbox_size = params["max_mailbox_size"]
        self.max_message_size = int(params.get("max_message_size", "31457280"))
        self.delete_mails_after = params["delete_mails_after"]
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -1,11 +1,8 @@
 import json
 import logging
 import os
 import re
 import sys
 import filelock
 try:
    import crypt_r
 except ImportError:
@@ -16,7 +13,6 @@ from .dictproxy import DictProxy
 from .migrate_db import migrate_from_db_to_maildir
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 VALID_LOCALPART_RE = re.compile(r"^[a-z0-9._-]+$")
 def encrypt_password(password: str):
@@ -56,10 +52,6 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
        )
        return False
    if not VALID_LOCALPART_RE.match(localpart):
        logging.warning("localpart %r contains invalid characters", localpart)
        return False
    return True
@@ -148,13 +140,8 @@ class AuthDictProxy(DictProxy):
        if not is_allowed_to_create(self.config, addr, cleartext_password):
            return
-        lock = filelock.FileLock(str(user.password_path) + ".lock", timeout=5)
+        user.set_password(encrypt_password(cleartext_password))
-        with lock:
+        print(f"Created address: {addr}", file=sys.stderr)
            userdata = user.get_userdb_dict()
            if userdata:
                return userdata
            user.set_password(encrypt_password(cleartext_password))
            print(f"Created address: {addr}", file=sys.stderr)
        return user.get_userdb_dict()
--- a/chatmaild/src/chatmaild/fsreport.py
+++ b/chatmaild/src/chatmaild/fsreport.py
@@ -68,7 +68,7 @@ class Report:
            for size in self.message_buckets:
                for msg in mailbox.messages:
                    if msg.size >= size:
-                        if self.mdir and f"/{self.mdir}/" not in msg.path:
+                        if self.mdir and not msg.relpath.startswith(self.mdir):
                            continue
                        self.message_buckets[size] += msg.size
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -11,12 +11,9 @@ mail_domain = {mail_domain}
 # Restrictions on user addresses
 #
-# email sending rate per user and minute
+# how many mails a user can send out per minute
 max_user_send_per_minute = 60
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
 max_user_send_burst_size = 10
 # maximum mailbox size of a chatmail address
 max_mailbox_size = 500M
--- a/chatmaild/src/chatmaild/metadata.py
+++ b/chatmaild/src/chatmaild/metadata.py
@@ -101,11 +101,7 @@ class MetadataDictProxy(DictProxy):
                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
                return f"O{self.iroh_relay}\n"
            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
-                try:
+                res = turn_credentials()
                    res = turn_credentials()
                except Exception:
                    logging.exception("failed to get TURN credentials")
                    return "N\n"
                port = 3478
                return f"O{self.turn_hostname}:{port}:{res}\n"
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -3,6 +3,7 @@
 """CGI script for creating new accounts."""
 import json
 import random
 import secrets
 import string
@@ -14,9 +15,7 @@ ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
 def create_newemail_dict(config: Config):
-    user = "".join(
+    user = "".join(random.choices(ALPHANUMERIC, k=config.username_max_length))
        secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
    )
    password = "".join(
        secrets.choice(ALPHANUMERIC_PUNCT)
        for _ in range(config.password_min_length + 3)
--- a/chatmaild/src/chatmaild/tests/test_doveauth.py
+++ b/chatmaild/src/chatmaild/tests/test_doveauth.py
@@ -120,60 +120,6 @@ def test_handle_dovecot_protocol_iterate(gencreds, example_config):
    assert not lines[2]
 def test_invalid_localpart_characters(make_config):
    """Test that is_allowed_to_create rejects localparts with invalid characters."""
    config = make_config("chat.example.org", {"username_min_length": "3"})
    password = "zequ0Aimuchoodaechik"
    domain = config.mail_domain
    # valid localparts
    assert is_allowed_to_create(config, f"abc123@{domain}", password)
    assert is_allowed_to_create(config, f"a.b-c_d@{domain}", password)
    # uppercase rejected
    assert not is_allowed_to_create(config, f"Abc123@{domain}", password)
    assert not is_allowed_to_create(config, f"ABCDEFG@{domain}", password)
    # spaces and special chars rejected
    assert not is_allowed_to_create(config, f"a b cde@{domain}", password)
    assert not is_allowed_to_create(config, f"abc+def@{domain}", password)
    assert not is_allowed_to_create(config, f"abc!def@{domain}", password)
    assert not is_allowed_to_create(config, f"ab@cdef@{domain}", password)
    assert not is_allowed_to_create(config, f"abc/def@{domain}", password)
    assert not is_allowed_to_create(config, f"abc\\def@{domain}", password)
 def test_concurrent_creation_same_account(dictproxy):
    """Test that concurrent creation of the same account doesn't corrupt password."""
    addr = "racetest1@chat.example.org"
    password = "zequ0Aimuchoodaechik"
    num_threads = 10
    results = queue.Queue()
    def create():
        try:
            res = dictproxy.lookup_passdb(addr, password)
            results.put(("ok", res))
        except Exception:
            results.put(("err", traceback.format_exc()))
    threads = [threading.Thread(target=create, daemon=True) for _ in range(num_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join(timeout=10)
    passwords_seen = set()
    for _ in range(num_threads):
        status, res = results.get()
        if status == "err":
            pytest.fail(f"concurrent creation failed\n{res}")
        passwords_seen.add(res["password"])
    # all threads must see the same password hash
    assert len(passwords_seen) == 1
 def test_50_concurrent_lookups_different_accounts(gencreds, dictproxy):
    num_threads = 50
    req_per_thread = 5
--- a/chatmaild/src/chatmaild/tests/test_expire.py
+++ b/chatmaild/src/chatmaild/tests/test_expire.py
@@ -112,43 +112,6 @@ def test_report(mbox1, example_config):
    report_main(args)
 def test_report_mdir_filters_by_path(mbox1, example_config):
    """Test that Report with mdir='cur' only counts messages in cur/ subdirectory."""
    from chatmaild.fsreport import Report
    now = datetime.utcnow().timestamp()
    # Set password mtime to old enough so min_login_age check passes
    password = Path(mbox1.basedir).joinpath("password")
    old_time = now - 86400 * 10  # 10 days ago
    os.utime(password, (old_time, old_time))
    # Reload mailbox with updated mtime
    from chatmaild.expire import MailboxStat
    mbox = MailboxStat(mbox1.basedir)
    # Report without mdir — should count all messages
    rep_all = Report(now=now, min_login_age=1, mdir=None)
    rep_all.process_mailbox_stat(mbox)
    total_all = rep_all.message_buckets[0]
    # Report with mdir='cur' — should only count cur/ messages
    rep_cur = Report(now=now, min_login_age=1, mdir="cur")
    rep_cur.process_mailbox_stat(mbox)
    total_cur = rep_cur.message_buckets[0]
    # Report with mdir='new' — should only count new/ messages
    rep_new = Report(now=now, min_login_age=1, mdir="new")
    rep_new.process_mailbox_stat(mbox)
    total_new = rep_new.message_buckets[0]
    # cur has 500-byte msg, new has 600-byte msg (from fill_mbox)
    assert total_cur == 500
    assert total_new == 600
    assert total_all == 500 + 600
 def test_expiry_cli_basic(example_config, mbox1):
    args = (str(example_config._inipath),)
    expiry_main(args)
--- a/chatmaild/src/chatmaild/tests/test_metadata.py
+++ b/chatmaild/src/chatmaild/tests/test_metadata.py
@@ -314,51 +314,6 @@ def test_persistent_queue_items(tmp_path, testaddr, token):
    assert not queue_item < item2 and not item2 < queue_item
 def test_turn_credentials_exception_returns_N(notifier, metadata, monkeypatch):
    """Test that turn_credentials() failure returns N\\n instead of crashing."""
    import chatmaild.metadata
    dictproxy = MetadataDictProxy(
        notifier=notifier,
        metadata=metadata,
        turn_hostname="turn.example.org",
    )
    def mock_turn_credentials():
        raise ConnectionRefusedError("socket not available")
    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", mock_turn_credentials)
    transactions = {}
    res = dictproxy.handle_dovecot_request(
        "Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
        "\tuser@example.org",
        transactions,
    )
    assert res == "N\n"
 def test_turn_credentials_success(notifier, metadata, monkeypatch):
    """Test that valid turn_credentials() returns TURN URI."""
    import chatmaild.metadata
    dictproxy = MetadataDictProxy(
        notifier=notifier,
        metadata=metadata,
        turn_hostname="turn.example.org",
    )
    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", lambda: "user:pass")
    transactions = {}
    res = dictproxy.handle_dovecot_request(
        "Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
        "\tuser@example.org",
        transactions,
    )
    assert res == "Oturn.example.org:3478:user:pass\n"
 def test_iroh_relay(dictproxy):
    rfile = io.BytesIO(
        b"\n".join(
--- a/chatmaild/src/chatmaild/tests/test_turnserver.py
+++ b/chatmaild/src/chatmaild/tests/test_turnserver.py
@@ -1,73 +0,0 @@
 import socket
 import threading
 import time
 from unittest.mock import patch
 import pytest
 from chatmaild.turnserver import turn_credentials
 SOCKET_PATH = "/run/chatmail-turn/turn.socket"
@pytest.fixture
 def turn_socket(tmp_path):
    """Create a real Unix socket server at a temp path."""
    sock_path = str(tmp_path / "turn.socket")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(sock_path)
    server.listen(1)
    yield sock_path, server
    server.close()
 def _call_turn_credentials(sock_path):
    """Call turn_credentials but connect to sock_path instead of hardcoded path."""
    original_connect = socket.socket.connect
    def patched_connect(self, address):
        if address == SOCKET_PATH:
            address = sock_path
        return original_connect(self, address)
    with patch.object(socket.socket, "connect", patched_connect):
        return turn_credentials()
 def test_turn_credentials_timeout(turn_socket):
    """Server accepts but never responds — must raise socket.timeout."""
    sock_path, server = turn_socket
    def accept_and_hang():
        conn, _ = server.accept()
        time.sleep(30)
        conn.close()
    t = threading.Thread(target=accept_and_hang, daemon=True)
    t.start()
    with pytest.raises(socket.timeout):
        _call_turn_credentials(sock_path)
 def test_turn_credentials_connection_refused(tmp_path):
    """Socket file doesn't exist — must raise ConnectionRefusedError or FileNotFoundError."""
    missing = str(tmp_path / "nonexistent.socket")
    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
        _call_turn_credentials(missing)
 def test_turn_credentials_success(turn_socket):
    """Server responds with credentials — must return stripped string."""
    sock_path, server = turn_socket
    def respond():
        conn, _ = server.accept()
        conn.sendall(b"testuser:testpass\n")
        conn.close()
    t = threading.Thread(target=respond, daemon=True)
    t.start()
    result = _call_turn_credentials(sock_path)
    assert result == "testuser:testpass"
--- a/chatmaild/src/chatmaild/turnserver.py
+++ b/chatmaild/src/chatmaild/turnserver.py
@@ -4,7 +4,6 @@ import socket
 def turn_credentials() -> str:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
        client_socket.settimeout(5)
        client_socket.connect("/run/chatmail-turn/turn.socket")
        with client_socket.makefile("rb") as file:
            return file.readline().decode("utf-8").strip()
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -67,7 +67,7 @@ class AcmetoolDeployer(Deployer):
        )
        files.template(
            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            dest=f"/var/lib/acme/desired/{self.domains[0]}",  # 0 is mailhost TLD
+            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
            user="root",
            group="root",
            mode="644",
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -89,6 +89,7 @@ def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""
    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    ssh_host = ssh_host.strip("[").strip("]")
    sshexec = get_sshexec(ssh_host)
    require_iroh = args.config.enable_iroh_relay
    if not args.dns_check_disabled:
@@ -113,15 +114,24 @@ def run_cmd(args, out):
        return 1
    try:
-        out.check_call(cmd, env=env)
+        retcode = out.check_call(cmd, env=env)
        if args.website_only:
-            out.green("Website deployment completed.")
+            if retcode == 0:
-        else:
+                out.green("Website deployment completed.")
            else:
                out.red("Website deployment failed.")
        elif retcode == 0:
            out.green("Deploy completed, call `cmdeploy dns` next.")
-        return 0
+        elif not remote_data["acme_account_url"]:
            out.red("Deploy completed but letsencrypt not configured")
            out.red("Run 'cmdeploy run' again")
            retcode = 0
        else:
            out.red("Deploy failed")
    except subprocess.CalledProcessError:
        out.red("Deploy failed")
-        return 1
+        retcode = 1
    return retcode
 def dns_cmd_options(parser):
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -17,7 +17,6 @@ from pyinfra.operations import apt, files, pip, server, systemd
 from cmdeploy.cmdeploy import Out
 from .acmetool import AcmetoolDeployer
 from .basedeploy import (
    Deployer,
    Deployment,
@@ -141,10 +140,6 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
 class UnboundDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.need_restart = False
    def install(self):
        # Run local DNS resolver `unbound`.
        # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -181,27 +176,6 @@ class UnboundDeployer(Deployer):
                "unbound-anchor -a /var/lib/unbound/root.key || true",
            ],
        )
        if self.config.disable_ipv6:
            files.directory(
                path="/etc/unbound/unbound.conf.d",
                present=True,
                user="root",
                group="root",
                mode="755",
            )
            conf = files.put(
                src=get_resource("unbound/unbound.conf.j2"),
                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
                user="root",
                group="root",
                mode="644",
            )
        else:
            conf = files.file(
                path="/etc/unbound/unbound.conf.d/chatmail.conf",
                present=False,
            )
        self.need_restart |= conf.changed
    def activate(self):
        server.shell(
@@ -216,7 +190,6 @@ class UnboundDeployer(Deployer):
            service="unbound.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
@@ -264,9 +237,6 @@ class WebsiteDeployer(Deployer):
            # if www_folder is a hugo page, build it
            if build_dir:
                www_path = build_webpages(src_dir, build_dir, self.config)
                if www_path is None:
                    logger.warning("Web page build failed, skipping website deployment")
                    return
            # if it is not a hugo page, upload it as is
            files.rsync(
                f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
@@ -556,14 +526,12 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        files.line(
            name="Add 9.9.9.9 to resolv.conf",
            path="/etc/resolv.conf",
-            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
+            line="nameserver 9.9.9.9",
            line="\nnameserver 9.9.9.9",
        )
    port_services = [
        (["master", "smtpd"], 25),
        ("unbound", 53),
        ("acmetool", 80),
        (["imap-login", "dovecot"], 143),
        ("nginx", 443),
        (["master", "smtpd"], 465),
@@ -595,10 +563,9 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        LegacyRemoveDeployer(),
        FiltermailDeployer(),
        JournaldDeployer(),
-        UnboundDeployer(config),
+        UnboundDeployer(),
        TurnDeployer(mail_domain),
        IrohDeployer(config.enable_iroh_relay),
        AcmetoolDeployer(config.acme_email, tls_domains),
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -37,9 +37,7 @@ class DovecotDeployer(Deployer):
        restart = False if self.disable_mail else self.need_restart
        systemd.service(
-            name="Disable dovecot for now"
+            name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
            if self.disable_mail
            else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,12 +1,13 @@
 ## Dovecot configuration file
 {% if disable_ipv6 %}
-listen = 0.0.0.0
+listen = *
 {% endif %}
 protocols = imap lmtp
 auth_mechanisms = plain
 auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@[]
 {% if debug == true %}
 auth_verbose = yes
@@ -228,8 +229,8 @@ service anvil {
 }
 ssl = required
-ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
+ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
-ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
+ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = yes
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -14,10 +14,10 @@ class FiltermailDeployer(Deployer):
    def install(self):
        arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.2.0/filtermail-{arch}-musl"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.1.2/filtermail-{arch}"
        sha256sum = {
-            "x86_64": "1e5bbb646582cb16740c6dfbbca39edba492b78cc96ec9fa2528c612bb504edd",
+            "x86_64": "de7de6e011ffc06881d3a05fc9788e327ba2389219e77280ace38b429e11a5ce",
-            "aarch64": "3564fba8605f8f9adfeefff3f4580533205da043f47c5968d0d10db17e50f44e",
+            "aarch64": "a78fcdfb81eb3d9c8a8b6f84f6c0a75519b8be01aa25bd4617d72aae543992b4",
        }[arch]
        self.need_restart |= files.download(
            name="Download filtermail",
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -51,10 +51,10 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
-	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
-	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 	gzip on;
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -60,7 +60,19 @@ class PostfixDeployer(Deployer):
            mode="644",
        )
        need_restart |= lmtp_header_cleanup.changed
-
+        # Transport map that discards messages to nine.testrun.org
        transport_map = files.put(
            src=get_resource("postfix/transport"),
            dest="/etc/postfix/transport",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= transport_map.changed
        if transport_map.changed:
            server.shell(
                commands=["postmap /etc/postfix/transport"],
            )
        # Login map that 1:1 maps email address to login.
        login_map = files.put(
            src=get_resource("postfix/login_map"),
@@ -83,9 +95,7 @@ class PostfixDeployer(Deployer):
            server.shell(
                name="Validate postfix configuration",
                # Extract stderr and quit with error if non-zero
-                commands=[
+                commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
                    """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
                ],
            )
        self.need_restart = need_restart
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -15,12 +15,12 @@ readme_directory = no
 compatibility_level = 3.6
 # TLS parameters
-smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=verify
+smtp_tls_security_level=encrypt
 # Send SNI extension when connecting to other servers.
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
@@ -54,21 +54,18 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 tls_preempt_cipherlist = yes
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 # Postfix does not deliver mail for any domain by itself.
 # Primary domain is listed in `virtual_mailbox_domains` instead
 # and handed over to Dovecot.
-mydestination =
+mydestination = {{ config.mail_domain }}
 local_transport = lmtp:unix:private/dovecot-lmtp
 local_recipient_maps =
 relayhost = 
 {% if disable_ipv6 %}
 mynetworks = 127.0.0.0/8
 {% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 {% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
@@ -79,14 +76,15 @@ inet_protocols = ipv4
 inet_protocols = all
 {% endif %}
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
 lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
 mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
 # Discard messages to nine.testrun.org
 transport_maps = hash:/etc/postfix/transport
 # 1:1 map MAIL FROM to SASL login name.
 smtpd_sender_login_maps = regexp:/etc/postfix/login_map
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -86,7 +86,7 @@ filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject_incoming
-  -o smtpd_milters=unix:opendkim/opendkim.sock
+#  -o smtpd_milters=unix:opendkim/opendkim.sock
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
--- a/cmdeploy/src/cmdeploy/postfix/transport
+++ b/cmdeploy/src/cmdeploy/postfix/transport
@@ -0,0 +1,2 @@
 nine.testrun.org discard:
 * :
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -53,7 +53,7 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
            print=log_progress,
        )
    except CalledProcessError:
-        return None, None
+        return
    dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
    dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
    web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
--- a/cmdeploy/src/cmdeploy/remote/rshell.py
+++ b/cmdeploy/src/cmdeploy/remote/rshell.py
@@ -40,5 +40,5 @@ def dovecot_recalc_quota(user):
    #
    for line in output.split("\n"):
        parts = line.split()
-        if len(parts) >= 6 and parts[2] == "STORAGE":
+        if parts[2] == "STORAGE":
            return dict(value=int(parts[3]), limit=int(parts[4]), percent=int(parts[5]))
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -190,18 +190,22 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
        "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
    ).as_string()
-    start = time.time()
+    timestamps = []
-    for i in range(chatmail_config.max_user_send_per_minute * 3):
+    i = 0
-        print("Sending mail", str(i + 1), "at", time.time() - start, "s.")
+    while len(timestamps) <= chatmail_config.max_user_send_per_minute * 1.7:
        print("Sending mail", str(i))
        i += 1
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
            timestamps.append(time.time())
        except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_burst_size:
+            if len(timestamps) < chatmail_config.max_user_send_per_minute:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
            assert b"4.7.1: Too much mail from" in outcome[1]
            return
        timestamps[:] = [ts for ts in timestamps if ts >= (time.time() - 60)]
    pytest.fail("Rate limit was not exceeded")
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -60,29 +60,6 @@ def mockdns(request, mockdns_base, mockdns_expected):
    return mockdns_base
 class TestGetDkimEntry:
    def test_dkim_entry_returns_tuple_on_success(self, mockdns):
        entry, web_entry = remote.rdns.get_dkim_entry(
            "some.domain", "", dkim_selector="opendkim"
        )
        # May return None,None if openssl not available, but should never crash
        if entry is not None:
            assert "opendkim._domainkey.some.domain" in entry
            assert "opendkim._domainkey.some.domain" in web_entry
    def test_dkim_entry_returns_none_tuple_on_error(self, monkeypatch):
        """CalledProcessError must return (None, None), not bare None."""
        from subprocess import CalledProcessError
        def failing_shell(command, fail_ok=False, print=print):
            raise CalledProcessError(1, command)
        monkeypatch.setattr(remote.rdns, "shell", failing_shell)
        result = remote.rdns.get_dkim_entry("some.domain", "", dkim_selector="opendkim")
        assert result == (None, None)
        assert result[0] is None and result[1] is None
 class TestPerformInitialChecks:
    def test_perform_initial_checks_ok1(self, mockdns, mockdns_expected):
        remote_data = remote.rdns.perform_initial_checks("some.domain")
--- a/cmdeploy/src/cmdeploy/tests/test_rshell.py
+++ b/cmdeploy/src/cmdeploy/tests/test_rshell.py
@@ -1,68 +0,0 @@
 from unittest.mock import patch
 from cmdeploy.remote.rshell import dovecot_recalc_quota
 def test_dovecot_recalc_quota_normal_output():
    """Normal doveadm output returns parsed dict."""
    normal_output = (
        "Quota name Type    Value  Limit  %\n"
        "User quota STORAGE     5 102400  0\n"
        "User quota MESSAGE     2      -  0\n"
    )
    with patch("cmdeploy.remote.rshell.shell", return_value=normal_output):
        result = dovecot_recalc_quota("user@example.org")
    # shell is called twice (recalc + get), patch returns same for both
    assert result == {"value": 5, "limit": 102400, "percent": 0}
 def test_dovecot_recalc_quota_empty_output():
    """Empty doveadm output (trailing newline) must not IndexError."""
    call_count = [0]
    def mock_shell(cmd):
        call_count[0] += 1
        if "recalc" in cmd:
            return ""
        # quota get returns only empty lines
        return "\n\n"
    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
        result = dovecot_recalc_quota("user@example.org")
    assert result is None
 def test_dovecot_recalc_quota_malformed_output():
    """Malformed output with too few columns must not crash."""
    call_count = [0]
    def mock_shell(cmd):
        call_count[0] += 1
        if "recalc" in cmd:
            return ""
        # partial line, fewer than 6 parts
        return "Quota name\nUser quota STORAGE\n"
    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
        result = dovecot_recalc_quota("user@example.org")
    assert result is None
 def test_dovecot_recalc_quota_header_only():
    """Only header line, no data rows."""
    call_count = [0]
    def mock_shell(cmd):
        call_count[0] += 1
        if "recalc" in cmd:
            return ""
        return "Quota name Type    Value  Limit  %\n"
    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
        result = dovecot_recalc_quota("user@example.org")
    assert result is None
--- a/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
+++ b/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
@@ -1,4 +0,0 @@
 # Managed by cmdeploy: disable IPv6 in unbound.
 server:
  interface: 127.0.0.1
  do-ip6: no
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -42,11 +42,6 @@ The deployed system components of a chatmail relay are:
 -  Dovecot_ is the Mail Delivery Agent (MDA) and
   stores messages for users until they download them
 -  `filtermail <https://github.com/chatmail/filtermail>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  Nginx_ shows the web page with privacy policy and additional information
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
@@ -90,6 +85,11 @@ short overview of ``chatmaild`` services:
   <https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
   to authenticate logins.
 -  `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
   is contacted by a `Dovecot lua
   script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
Author	SHA1	Message	Date
missytake	df756db8ab	postfix: do lmtp via local instead of virtual transport	2026-01-27 12:14:48 +01:00
missytake	09e95cbfb6	cmdeploy: deploy with IP address only	2026-01-25 13:30:26 +01:00
missytake	ee2b858661	postfix: hardcode IP addresses of relays without DNS, drop messages to nine	2026-01-25 13:30:26 +01:00
missytake	2a07626f82	postfix: don't verify TLS certs of receiving SMTP servers	2026-01-25 13:30:26 +01:00
missytake	7a43984ab1	doc: document setup without DNS	2026-01-25 13:30:26 +01:00
missytake	fae5568873	acmetool: disable acmetool, use dovecot's self-signed certs	2026-01-25 13:30:26 +01:00
missytake	6f8d7cbdec	postfix: stop rejecting messages without DKIM	2026-01-25 13:30:26 +01:00