Add /etc/mailname

dictproxy: make NOCREATE_FILE a constant; log warning if creating account fails
tests: pass CLI arguments to pytest, don't run chatmails tests in weird subdir
2026-05-11 08:24:37 +00:00 · 2023-10-17 19:26:39 +00:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00
18 changed files with 135 additions and 160 deletions
--- a/README.md
+++ b/README.md
@@ -1,61 +1,40 @@
 # Chat Mail server configuration
-This package deploys Postfix and Dovecot servers, including OpenDKIM for DKIM signing.
+This repository setups a ready-to-go chatmail instance
-
+comprised of a minimal setup of the battle-tested 
-Postfix uses Dovecot for authentication as described in <https://www.postfix.org/SASL_README.html#server_dovecot>
+[postfix smtp server](https://www.postfix.org) and [dovecot imap server](https://www.dovecot.org).
 ## Getting started 
-prepare:
+1. prepare your local system:
-    pip install -e chatmail-infra
+    scripts/init.sh 
 2. set environment variable to the chatmail domain you want to setup:
    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
 3. run the deploy of the chat mail instance: 
    scripts/deploy.sh 
-then run with pyinfra command line tool: 
+## Running tests and benchmarks (offline and online) 
-    CHATMAIL_DOMAIN=c1.testrun.org pyinfra --ssh-user root c1.testrun.org deploy.py
+1. Set `CHATMAIL_SSH` so that `ssh root@$CHATMAIL_SSH` allows 
   to login to the chatmail instance server. 
 2. To run local and online tests: 
-## Structure (wip)
+    scripts/test.sh 
 ```
-# package doveauth tool and deploy chatmail server to a envvar-specified ssh-reachable host 
+3. To run benchmarks against your chatmail instance: 
 deploy.py 
-# chatmail pyinfra deploy package 
+    scripts/bench.sh 
 chatmail-pyinfra 
    pyproject.toml
    chatmail/__init__ ...
-# doveauth tool used by dovecot's auth mechanism on the host system 
+## Running tests (offline and online) 
 doveauth
    README.md
    pyproject.toml
    doveauth.py
    test_doveauth.py
 # lmtp server to block (outgoing) unencrypted messages 
 filtermail 
    README.md
    pyproject.toml
    .... 
 # online tests (after deploy)
 online-tests  # runnable via pytest 
 # scripts for setup/development/deployment 
 scripts/
    init.sh  # create venv/other perequires
    deploy.sh  # run pyinfra based deploy of everything
    test.sh # run all local and online tests 
    bench.sh # run performance benchmark tests
 ```
 ## Dovecot/Postfix configuration
 ### Ports
@@ -65,4 +44,16 @@ Dovecot listens on ports 143(imap) and 993 (imaps).
 ## DNS
-For DKIM you must add a DNS entry as in /etc/opendkim/selector.txt (where selector is the opendkim_selector configured in the chatmail inventory).
+For DKIM you must add a DNS entry as found in /etc/opendkim/selector.txt on your chatmail instance.
 The above `scripts/deploy.sh` prints out the DKIM selector and DNS entry you
 need to setup with your DNS provider. 
 ## Emergency Commands
 If you need to stop account creation,
 e.g. because some script is wildly creating accounts,
 just run `touch /tmp/nocreate`.
 You can remove the file
 as soon as the attacker was banned
 by different means.
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -10,7 +10,6 @@ dependencies = [
 ]
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 doveauth-dictproxy = "chatmaild.dictproxy:main"
 filtermail = "chatmaild.filtermail:main"
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -1,3 +1,4 @@
 import logging
 import os
 import sys
 import json
@@ -11,6 +12,8 @@ import subprocess
 from .database import Database
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 def encrypt_password(password: str):
    password = password.encode("ascii")
@@ -27,6 +30,9 @@ def encrypt_password(password: str):
 def create_user(db, user, password):
    if os.path.exists(NOCREATE_FILE):
        logging.warning(f"Didn't create account: {NOCREATE_FILE} exists. Delete the file to enable account creation.")
        return
    with db.write_transaction() as conn:
        conn.create_user(user, password)
    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
@@ -53,7 +59,7 @@ def lookup_passdb(db, user, password):
    return userdata
-def handle_dovecot_request(msg, db):
+def handle_dovecot_request(msg, db, mail_domain):
    print(f"received msg: {msg!r}", file=sys.stderr)
    short_command = msg[0]
    if short_command == "L":  # LOOKUP
@@ -64,13 +70,15 @@ def handle_dovecot_request(msg, db):
        res = ""
        if namespace == "shared":
            if type == "userdb":
-                res = lookup_userdb(db, user)
+                if user.endswith(f"@{mail_domain}"):
                    res = lookup_userdb(db, user)
                if res:
                    reply_command = "O"
                else:
                    reply_command = "N"
            elif type == "passdb":
-                res = lookup_passdb(db, user, password=args[0])
+                if user.endswith(f"@{mail_domain}"):
                    res = lookup_passdb(db, user, password=args[0])
                if res:
                    reply_command = "O"
                else:
@@ -89,6 +97,8 @@ def main():
    socket = sys.argv[1]
    passwd_entry = pwd.getpwnam(sys.argv[2])
    db = Database(sys.argv[3])
    with open("/etc/mailname", "r") as fp:
        mail_domain = fp.read().strip()
    class Handler(StreamRequestHandler):
        def handle(self):
@@ -96,7 +106,7 @@ def main():
                msg = self.rfile.readline().strip().decode()
                if not msg:
                    break
-                res = handle_dovecot_request(msg, db)
+                res = handle_dovecot_request(msg, db, mail_domain)
                if res:
                    print(f"sending result: {res!r}", file=sys.stderr)
                    self.wfile.write(res.encode("ascii"))
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -1,65 +0,0 @@
 #!/usr/bin/env python3
 import base64
 import sys
 from .database import Database
 def get_user_data(db, user):
    with db.read_connection() as conn:
        result = conn.get_user(user)
    if result:
        result["uid"] = "vmail"
        result["gid"] = "vmail"
    return result
 def create_user(db, user, password):
    with db.write_transaction() as conn:
        conn.create_user(user, password)
    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
 def verify_user(db, user, password):
    userdata = get_user_data(db, user)
    if userdata:
        if userdata.get("password") == password:
            userdata["status"] = "ok"
        else:
            userdata["status"] = "fail"
    else:
        userdata = create_user(db, user, password)
        userdata["status"] = "ok"
    return userdata
 def lookup_user(db, user):
    userdata = get_user_data(db, user)
    if userdata:
        userdata["status"] = "ok"
    else:
        userdata["status"] = "fail"
    return userdata
 def dump_result(res):
    for key, value in res.items():
        print(f"{key}={value}")
 def main():
    db = Database("/home/vmail/passdb.sqlite")
    if sys.argv[1] == "hexauth":
        login = base64.b16decode(sys.argv[2]).decode()
        password = base64.b16decode(sys.argv[3]).decode()
        res = verify_user(db, login, password)
        dump_result(res)
    elif sys.argv[1] == "hexlookup":
        login = base64.b16decode(sys.argv[2]).decode()
        res = lookup_user(db, login)
        dump_result(res)
 if __name__ == "__main__":
    main()
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -9,9 +9,8 @@ from aiosmtpd.controller import UnixSocketController
 from smtplib import SMTP as SMTPClient
-def check_encrypted(content):
+def check_encrypted(message):
    """Check that the message is an OpenPGP-encrypted message."""
    message = BytesParser(policy=policy.default).parsebytes(content)
    if not message.is_multipart():
        return False
    if message.get("subject") != "...":
@@ -47,7 +46,8 @@ class ExampleHandler:
        valid_recipients = []
-        mail_encrypted = check_encrypted(envelope.content)
+        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
        mail_encrypted = check_encrypted(message)
        res = []
        for recipient in envelope.rcpt_tos:
@@ -68,7 +68,13 @@ class ExampleHandler:
                continue
            is_outgoing = recipient_local_domain[1] != my_local_domain[1]
-            if is_outgoing and not mail_encrypted:
+
            if (
                is_outgoing
                and not mail_encrypted
                and message.get("secure-join") != "vc-request"
                and message.get("secure-join") != "vg-request"
            ):
                res += ["500 Outgoing mail must be encrypted"]
                continue
--- a/chatmaild/src/chatmaild/test_doveauth.py
+++ b/chatmaild/src/chatmaild/test_doveauth.py
@@ -1,7 +1,9 @@
 import os
 import pytest
-from .dictproxy import get_user_data
+import chatmaild.dictproxy
-from .doveauth import verify_user
+from .dictproxy import get_user_data, lookup_passdb
 from .database import Database, DBError
@@ -13,16 +15,31 @@ def db(tmpdir):
 def test_basic(db):
-    verify_user(db, "link2xt@c1.testrun.org", "asdf")
+    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
    if os.path.exists(chatmaild.dictproxy.NOCREATE_FILE):
        os.remove(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "link2xt@c1.testrun.org", "asdf")
    data = get_user_data(db, "link2xt@c1.testrun.org")
    assert data
-def test_verify_or_create(db):
+def test_dont_overwrite_password_on_wrong_login(db):
-    res = verify_user(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
+    """Test that logging in with a different password doesn't create a new user"""
-    assert res["status"] == "ok"
+    res = lookup_passdb(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
-    res = verify_user(db, "newuser1@something.org", "kajdlqweqwe")
+    assert res["password"]
-    assert res["status"] == "fail"
+    res2 = lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
    # this function always returns a password hash, which is actually compared by dovecot.
    assert res["password"] == res2["password"]
 def test_nocreate_file(db):
    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
    with open(chatmaild.dictproxy.NOCREATE_FILE, "w+") as f:
        f.write("")
    assert os.path.exists(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
    assert not get_user_data(db, "newuser1@something.org")
    os.remove(chatmaild.dictproxy.NOCREATE_FILE)
 def test_db_version(db):
--- a/chatmaild/src/chatmaild/test_filtermail.py
+++ b/chatmaild/src/chatmaild/test_filtermail.py
@@ -1,12 +1,16 @@
 import pytest
 from .filtermail import check_encrypted
 from email.parser import BytesParser
 from email import policy
 def test_filtermail():
-    assert not check_encrypted(b"foo")
+    def check_encrypted_bstr(content):
        message = BytesParser(policy=policy.default).parsebytes(content)
        return check_encrypted(message)
-    assert not check_encrypted(
+    assert not check_encrypted_bstr(b"foo")
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -36,7 +40,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted(
+    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -67,7 +71,7 @@ def test_filtermail():
    )
    # https://xkcd.com/1181/
-    assert not check_encrypted(
+    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -99,7 +103,7 @@ def test_filtermail():
        ).encode()
    )
-    assert check_encrypted(
+    assert check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: ...",
@@ -172,7 +176,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted(
+    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: Buy Penis Enlargement at www.malicious-domain.com",
@@ -245,7 +249,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted(
+    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: Message opened",
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -244,6 +244,13 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        restarted=dovecot_need_restart,
    )
    # This file is used by auth proxy.
    # https://wiki.debian.org/EtcMailName
    server.shell(
        name="Setup /etc/mailname",
        commands=[f"echo {mail_domain} >/etc/mailname; chmod 644 /etc/mailname"],
    )
    def callback():
        result = server.shell(
            commands=[
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -50,8 +50,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
    systemd.service(
        name="Setup acmetool-redirector service",
        service="acmetool-redirector.service",
-        running=True,
+        running=False,
-        enabled=True,
+        enabled=False,
        restarted=service_file.changed,
    )
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -16,6 +16,12 @@ mail_debug = yes
 mail_plugins = quota
 # these are the capabilities Delta Chat cares about actually 
 # so let's keep the network overhead per login small
 # https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
 imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE
 # Authentication for system users.
 passdb {
  driver = dict
--- a/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
@@ -70,8 +70,6 @@ showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error
 discard   unix  -       -       y       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
--- a/online-tests/test_1_deltachat.py
+++ b/online-tests/test_1_deltachat.py
@@ -67,3 +67,17 @@ class TestEndToEndDeltaChat:
                    break
        pytest.fail("sending succeeded although messages should exceed quota")
    def test_securejoin(self, cmfactory, lp, maildomain2):
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
        ac2 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.bring_accounts_online()
        lp.sec("ac1: create QR code and let ac2 scan it, starting the securejoin")
        qr = ac1.get_setup_contact_qr()
        lp.sec("ac2: start QR-code based setup contact protocol")
        ch = ac2.qr_setup_contact(qr)
        assert ch.id >= 10
        ac1._evtracker.wait_securejoin_inviter_progress(1000)
--- a/plan.txt
+++ b/plan.txt
@@ -8,12 +8,6 @@
 - limit: configure max-connections per account
 ## Filtermail
 - (alex, Only allow (outgoing) mails if secure-join or autocrypt-pgp-encrypted format.
  TODO: mime-parse mails and check/add tests
 ## nami: send out rate limit / rspamd
 - basic outgoing send rate/limits (depending on "account-rating")
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -2,8 +2,9 @@
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 export CHATMAIL_DOMAIN
-venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
+chatmaild/venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
-deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" deploy.py
+deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
    deploy-chatmail/src/deploy_chatmail/deploy.py
 rm -r dist/
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -6,12 +6,9 @@ deploy-chatmail/venv/bin/pip install -e deploy-chatmail
 deploy-chatmail/venv/bin/pip install -e chatmaild
 python3 -m venv chatmaild/venv
-chatmaild/venv/bin/pip install pytest
+sudo apt install -y dovecot-core && sudo systemctl disable --now dovecot
 chatmaild/venv/bin/pip install --upgrade pytest build 'setuptools>=68'
 chatmaild/venv/bin/pip install -e chatmaild
 python3 -m venv online-tests/venv
 online-tests/venv/bin/pip install pytest pytest-timeout pdbpp deltachat pytest-benchmark
 python3 -m venv venv
 venv/bin/pip install build
 venv/bin/pip install 'setuptools>=68'
--- a/scripts/remote-deploy.sh
+++ b/scripts/remote-deploy.sh
@@ -2,7 +2,7 @@
 set -e
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
-: ${CHATMAIL_SSH_HOST:=$CHATMAIL_DOMAIN}
+: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
-rsync -avz . "root@$CHATMAIL_SSH_HOST:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
+rsync -avz . "root@$CHATMAIL_SSH:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
-ssh "root@$CHATMAIL_SSH_HOST" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
+ssh "root@$CHATMAIL_SSH" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -1,7 +1,3 @@
 #!/bin/bash
-set -e
+chatmaild/venv/bin/pytest chatmaild/ $@
-pushd chatmaild/src/chatmaild
+online-tests/venv/bin/pytest online-tests/ -vrx --durations=5 $@
 ../../venv/bin/pytest
 popd
 online-tests/venv/bin/pytest online-tests/ -vrx --durations=5 --slow
Author	SHA1	Message	Date
link2xt	a6a94944e0	Add /etc/mailname	2023-10-17 19:26:39 +00:00
missytake	f333226abe	dictproxy: make NOCREATE_FILE a constant; log warning if creating account fails	2023-10-17 20:03:18 +02:00
missytake	45fe8a668b	tests: pass CLI arguments to pytest, don't run chatmails tests in weird subdir	2023-10-17 20:03:18 +02:00
missytake	beac91159d	tests: install doveadm for being able to run dictproxy tests	2023-10-17 20:03:18 +02:00
missytake	75e7c85e61	tests: adjust to dictproxy, test /tmp/nocreate	2023-10-17 20:03:18 +02:00
missytake	040b7a74a6	doveauth: don't create users if /tmp/nocreate exists	2023-10-17 20:03:18 +02:00
missytake	0138e59355	doveauth: removed doveauth.py from the project	2023-10-17 20:03:18 +02:00
holger krekel	fffbdc10c3	minimize capabilities	2023-10-17 01:22:19 +02:00
holger krekel	3419e359c8	create build venv in chatmaild/venv	2023-10-17 00:35:07 +02:00
holger krekel	0b051f8154	move deploy.py file and revamp README	2023-10-17 00:35:07 +02:00
link2xt	5936f7a3be	postfix: disable `virtual` and `local` MDAs We do not need them, all mails are delivered to Dovecot over LMTP.	2023-10-16 22:21:39 +00:00
link2xt	983ffa6236	Disable acmetool redirector	2023-10-16 22:12:45 +00:00
holger krekel	b74fde2a9f	add postfix instrumented debugging	2023-10-16 23:38:02 +02:00
holger krekel	e176595f1f	add global debug flag and instrument dovecot with it	2023-10-16 23:38:02 +02:00
link2xt	179c79a052	Allow to send securejoin	2023-10-16 21:15:56 +00:00
link2xt	408da296f1	test.sh: do not run slow tests by default	2023-10-16 20:13:41 +00:00