in webdev mode make page auto-refresh every 3 seconds

.github/CODE_OF_CONDUCT.md

@@ -1,4 +0,0 @@
-
-Please refer to 
-[Delta Chat community standards and practices](https://delta.chat/en/community-standards)
-which also apply for all chatmail developments. 

.github/workflows/ci.yaml

@@ -6,32 +6,26 @@ on:
 
 jobs:
   tox:
-    name: isolated chatmaild tests
+    name: chatmail tests
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-
       - name: run chatmaild tests 
         working-directory: chatmaild
         run: pipx run tox
+      - name: run deploy-chatmail offline tests 
+        working-directory: deploy-chatmail
+        run: pipx run tox
+      - name: run deploy-chatmail offline tests 
+        working-directory: deploy-chatmail
+        run: pipx run tox
 
   scripts:
-    name: deploy-chatmail tests 
+    name: chatmail script invocations 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-
-      - name: initenv 
-        run: scripts/initenv.sh
-
-      - name: append venv/bin to PATH
-        run: echo venv/bin >>$GITHUB_PATH
-
-      - name: run formatting checks 
-        run: cmdeploy fmt -v 
-
-      - name: run deploy-chatmail offline tests 
-        run: pytest --pyargs cmdeploy 
-
-      # all other cmdeploy commands require a staging server 
-      # see https://github.com/deltachat/chatmail/issues/100
+      - name: run init.sh 
+        run: ./scripts/init.sh 
+      - name: run test.sh 
+        run: ./scripts/test.sh 

.github/workflows/staging.testrun.org-default.zone

@@ -1,20 +0,0 @@
-;; Zone file for staging.testrun.org
-
-$ORIGIN staging.testrun.org.
-$TTL 300
-
-@  IN  SOA     ns.testrun.org. root.nine.testrun.org (
-  2023010101 ; Serial
-  7200       ; Refresh
-  3600       ; Retry
-  1209600    ; Expire
-  3600       ; Negative response caching TTL
-)
-
-;; Nameservers.
-@  IN NS ns.testrun.org.
-
-;; DNS records.
-@       IN      A       37.27.37.98
-mta-sts.staging.testrun.org.    CNAME   staging.testrun.org.
-www.staging.testrun.org.        CNAME   staging.testrun.org.

.github/workflows/test-and-deploy.yaml

@@ -1,72 +0,0 @@
-name: deploy on staging.testrun.org, and run tests
-
-on:
-  push:
-    branches:
-      - main
-      - staging-ci
-
-jobs:
-  deploy:
-    name: deploy on staging.testrun.org, and run tests
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: prepare SSH
-        run: |
-          mkdir ~/.ssh
-          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan staging.testrun.org > ~/.ssh/known_hosts
-     #    rsync -avz root@staging.testrun.org:/var/lib/acme . || true
-     #    rsync -avz root@staging.testrun.org:/var/lib/rspamd/dkim . || true
-
-     #- name: rebuild staging.testrun.org to have a clean VPS
-     #  run: |
-     #      curl -X POST \
-     #      -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
-     #      -H "Content-Type: application/json" \
-     #      -d '{"image":"debian-12"}' \
-     #      "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
-
-      - run: scripts/initenv.sh
-
-      - name: append venv/bin to PATH
-        run: echo venv/bin >>$GITHUB_PATH
-
-      - name: run formatting checks 
-        run: cmdeploy fmt -v 
-
-      - name: run deploy-chatmail offline tests 
-        run: pytest --pyargs cmdeploy 
-
-     #- name: upload TLS cert after rebuilding
-     #  run: |
-     #    echo " --- wait until staging.testrun.org VPS is rebuilt --- "
-     #    rm ~/.ssh/known_hosts
-     #    while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done
-     #    ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u
-     #    rsync -avz acme root@staging.testrun.org:/var/lib/ || true
-     #    rsync -avz dkim root@staging.testrun.org:/var/lib/rspamd/ || true
-
-      - run: cmdeploy init staging.testrun.org
-
-      - run: cmdeploy run
-
-      - name: set DNS entries
-        run: |
-          #ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown _rspamd:_rspamd -R /var/lib/rspamd/dkim
-          cmdeploy dns --zonefile staging-generated.zone
-          cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
-          cat .github/workflows/staging.testrun.org-default.zone
-          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging.testrun.org.zone
-          ssh root@ns.testrun.org nsd-checkzone staging.testrun.org /etc/nsd/staging.testrun.org.zone
-          ssh root@ns.testrun.org systemctl reload nsd
-
-      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow
-
-      - name: cmdeploy dns (try 3 times)
-        run: cmdeploy dns || cmdeploy dns || cmdeploy dns
-

.gitignore

@@ -3,8 +3,10 @@ __pycache__/
 *.py[cod]
 *$py.class
 *.swp
+www/privacy.html*
+www/index.html*
+www/info.html*
 *qr-*.png
-chatmail.ini
 
 
 # C extensions

CHANGELOG.md

@@ -1,22 +0,0 @@
-# Changelog for chatmail deployment 
-
-## unreleased
-
-### Changes since March 15th, 2024
-
-- Fix various tests to pass again with "cmdeploy test". 
-  ([#245](https://github.com/deltachat/chatmail/pull/245),
-  [#242](https://github.com/deltachat/chatmail/pull/242)
-
-- Ensure lets-encrypt certificates are reloaded after renewal 
-  ([#244]) https://github.com/deltachat/chatmail/pull/244
-
-- Persist tokens to avoid iOS users loosing push-notifications when the
-  chatmail metadata service is restarted (happens regularly during deploys)
-  ([#238](https://github.com/deltachat/chatmail/pull/239)
-
-- Fix failing sieve-script compile errors on incoming messages
-  ([#237](https://github.com/deltachat/chatmail/pull/239)
-
-- Fix quota reporting after expunging of old mails
-  ([#233](https://github.com/deltachat/chatmail/pull/239)

LICENSE

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2023, chatmail and delta chat teams
-
-Permission is hereby granted, free of charge, to any person obtaining a copy of
-this software and associated documentation files (the "Software"), to deal in
-the Software without restriction, including without limitation the rights to
-use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
-of the Software, and to permit persons to whom the Software is furnished to do
-so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

README.md

@@ -1,9 +1,9 @@
 
-<img width="800px" src="www/src/collage-top.png"/>
+<img width="800px" src="www/collage-top.png"/>
 
-# Chatmail services optimized for Delta Chat apps 
+# Chatmail instances optimized for Delta Chat apps 
 
-This repository helps to setup a ready-to-use chatmail server
+This repository helps to setup a ready-to-use chatmail instance
 comprised of a minimal setup of the battle-tested 
 [postfix smtp](https://www.postfix.org) and [dovecot imap](https://www.dovecot.org) services. 
 
@@ -13,150 +13,119 @@ for use by [Delta Chat apps](https://delta.chat).
 Chatmail accounts are automatically created by a first login, 
 after which the initially specified password is required for using them. 
 
-## Deploying your own chatmail server 
+## Getting Started deploying your own chatmail instance
 
-We use `chat.example.org` as the chatmail domain in the following steps. 
-Please substitute it with your own domain. 
+1. Prepare your local (presumably Linux) system:
 
-1. Install the `cmdeploy` command in a virtualenv
+    scripts/init.sh 
 
-   ```
-    git clone https://github.com/deltachat/chatmail
-    cd chatmail
-    scripts/initenv.sh
-   ```
+2. Setup a domain with `A` and `AAAA` records for your chatmail server.
 
-2. Create chatmail configuration file `chatmail.ini`:
+3. Set environment variable to the chatmail domain you want to setup:
 
-   ```
-    scripts/cmdeploy init chat.example.org  # <-- use your domain 
-   ```
+    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
 
-3. Setup first DNS records for your chatmail domain, 
-   according to the hints provided by `cmdeploy init`.
-   Verify that SSH root login works:
+4. Fill in privacy contact data into the `chatmail.ini` file
 
-   ```
-    ssh root@chat.example.org   # <-- use your domain 
-   ```
+5. Deploy the chat mail instance to your chatmail server: 
 
-4. Deploy to the remote chatmail server:
+    scripts/deploy.sh 
 
-   ```
-    scripts/cmdeploy run
-   ```
-   This script will also show you additional DNS records
-   which you should configure at your DNS provider
-   (it can take some time until they are public).
+   This script remotely sets up packages and configures the chatmail provider. 
 
-### Other helpful commands:
+6. Run `scripts/generate-dns-zone.sh` and 
+   transfer the generated DNS records at your DNS provider
 
-To check the status of your remotely running chatmail service:
 
-```
-scripts/cmdeploy status
+### Home page and getting started for users 
+
+The `deploy.sh` script deploys 
+
+- a default `index.html` along with a QR code that users can click to 
+  create accounts on your chatmail provider,
+
+- a default `info.html` that is linked from the home page,
+
+- a default `policy.html` that is linked from the home page. 
+
+All files are generated by the according markdown `.md` file in the `www` directory.
+
+
+### Refining the web pages 
+
+The `scripts/webdev.sh` script supports live development of the chatmail web presence:
+
+``` 
+    scripts/init.sh  # to locally initialize python virtual environments etc. 
+    scripts/webdev.sh
 ```
 
-To check whether your DNS records are correct:
+- uses the `www/src/page-layout.html` file for producing html documents
+  from `www/src/*.md` files. 
 
-```
-scripts/cmdeploy dns
-```
+- continously builds the web presence reading files from `www/src` directory
+  and generating html files and copying assets to the `www/build` directory. 
 
-To test whether your chatmail service is working correctly:
+- Starts a browser window automatically where you can "refresh" as needed. 
 
-```
-scripts/cmdeploy test
-```
+Note that this script is not needed for running `scripts/deploy.sh" 
+which deploys the whole chatmail setup remotely. 
+The code that generates the web pages is identical
+which means that `webdev.sh` gives a pretty good preview. 
 
-To measure the performance of your chatmail service:
+### Ports
 
-```
-scripts/cmdeploy bench
-```
+Postfix listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
+Dovecot listens on ports 143(imap) and 993 (imaps).
 
-## Overview of this repository
+Delta Chat will, however, discover all ports and configurations 
+automatically by reading the `autoconfig.xml` file from the chatmail instance. 
 
-This repository drives the development of chatmail services, 
-comprised of minimal setups of
 
-- [postfix smtp server](https://www.postfix.org)
-- [dovecot imap server](https://www.dovecot.org)
+## Emergency Commands to disable automatic account creation 
 
-as well as custom services that are integrated with these two:
+If you need to stop account creation,
+e.g. because some script is wildly creating accounts, run:
+
+    touch /etc/chatmail-nocreate
+
+While this file is present, account creation will be blocked. 
+
+
+## Running tests and benchmarks (offline and online) 
+
+1. Set `CHATMAIL_SSH` so that `ssh root@$CHATMAIL_SSH` allows 
+   to login to the chatmail instance server. 
+
+2. To run local and online tests: 
+
+    scripts/test.sh 
+
+3. To run benchmarks against your chatmail instance: 
+
+    scripts/bench.sh 
+
+
+## Development Background for chatmail instances 
+
+This repository drives the development of "chatmail instances", 
+comprised of minimal setups of 
+
+- [postfix smtp server](https://www.postfix.org) 
+- [dovecot imap server](https://www.dovecot.org) 
+
+as well as two custom services that are integrated with these two: 
 
 - `chatmaild/src/chatmaild/doveauth.py` implements
   create-on-login account creation semantics and is used
   by Dovecot during login authentication and by Postfix
   which in turn uses [Dovecot SASL](https://doc.dovecot.org/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket)
   to authenticate users
-  to send mails for them.
+  to send mails for them. 
 
-- `chatmaild/src/chatmaild/filtermail.py` prevents
-  unencrypted e-mail from leaving the chatmail service
-  and is integrated into postfix's outbound mail pipelines.
-
-There is also the `cmdeploy/src/cmdeploy/cmdeploy.py` command line tool
-which helps with setting up and managing the chatmail service.
-`cmdeploy run` uses [pyinfra-based scripting](https://pyinfra.com/)
-in `cmdeploy/src/cmdeploy/__init__.py`
-to automatically install all chatmail components on a server.
+- `chatmaild/src/chatmaild/filtermail.py` prevents 
+  unencrypted e-mail from leaving the chatmail instance
+  and is integrated into postfix's outbound mail pipelines. 
 
 
-### Home page and getting started for users
-
-`cmdeploy run` also creates default static Web pages and deploys them
-to a nginx web server with: 
-
-- a default `index.html` along with a QR code that users can click to
-  create accounts on your chatmail provider,
-
-- a default `info.html` that is linked from the home page,
-
-- a default `policy.html` that is linked from the home page.
-
-All `.html` files are generated
-by the according markdown `.md` file in the `www/src` directory.
-
-
-### Refining the web pages
-
-
-```
-scripts/cmdeploy webdev
-```
-
-This starts a local live development cycle for chatmail Web pages:
-
-- uses the `www/src/page-layout.html` file for producing static
-  HTML pages from `www/src/*.md` files
-
-- continously builds the web presence reading files from `www/src` directory
-  and generating html files and copying assets to the `www/build` directory.
-
-- Starts a browser window automatically where you can "refresh" as needed.
-
-
-## Emergency Commands to disable automatic account creation
-
-If you need to stop account creation,
-e.g. because some script is wildly creating accounts,
-login to the server with ssh and run:
-
-```
-    touch /etc/chatmail-nocreate
-```
-
-While this file is present, account creation will be blocked.
-
-### Ports
-
-[Postfix](http://www.postfix.org/) listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
-[Dovecot](https://www.dovecot.org/) listens on ports 143 (imap) and 993 (imaps).
-[nginx](https://www.nginx.com/) listens on port 443 (https).
-[acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (http).
-
-Delta Chat apps will, however, discover all ports and configurations
-automatically by reading the [autoconfig XML file](https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html) from the chatmail service.
-
 

chatmail.ini

@@ -1,16 +1,15 @@
-
-[privacy]
-
-passthrough_recipients = privacy@testrun.org xstore@testrun.org groupsbot@hispanilandia.net
+[config]
 
 privacy_postal =
     Merlinux GmbH, Represented by the managing director H. Krekel,
     Reichgrafen Str. 20, 79102 Freiburg, Germany
 
-privacy_mail = privacy@testrun.org
+privacy_mail = delta-privacy@merlinux.eu
+
 privacy_pdo =
     Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
     You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
+
 privacy_supervisor =
     State Commissioner for Data Protection and Freedom of Information of
     Baden-Württemberg in 70173 Stuttgart, Germany.

chatmaild/MANIFEST.in

@@ -1,4 +0,0 @@
-include src/chatmaild/*.f 
-include src/chatmaild/ini/*.ini.f
-include src/chatmaild/ini/*.ini
-include src/chatmaild/tests/mail-data/*

chatmaild/pyproject.toml

@@ -1,33 +1,17 @@
 [build-system]
-requires = ["setuptools>=61"]
+requires = ["setuptools>=45"]
 build-backend = "setuptools.build_meta"
 
 [project]
 name = "chatmaild"
-version = "0.2"
+version = "0.1"
 dependencies = [
   "aiosmtpd",
-  "iniconfig",
-  "deltachat-rpc-server",
-  "deltachat-rpc-client",
-  "requests",
 ]
 
-[tool.setuptools]
-include-package-data = true
-
-[tool.setuptools.packages.find]
-where = ['src']
-
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
-chatmail-metadata = "chatmaild.metadata:main"
 filtermail = "chatmaild.filtermail:main"
-echobot = "chatmaild.echo:main"
-chatmail-metrics = "chatmaild.metrics:main"
-
-[project.entry-points.pytest11]
-"chatmaild.testplugin" = "chatmaild.tests.plugin"
 
 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
@@ -52,7 +36,8 @@ commands =
   ruff src/
 
 [testenv]
+passenv = CHATMAIL_DOMAIN
 deps = pytest 
        pdbpp 
-commands = pytest -v -rsXx {posargs}
+commands = pytest -v -rsXx {posargs: ../tests/chatmaild}
 """

chatmaild/src/chatmaild/chatmail-metadata.service.f

@@ -1,10 +0,0 @@
-[Unit]
-Description=Chatmail dict proxy for IMAP METADATA
-
-[Service]
-ExecStart={execpath} /run/dovecot/metadata.socket vmail {config_path} /home/vmail/metadata
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target

chatmaild/src/chatmaild/config.py

@@ -1,59 +0,0 @@
-import iniconfig
-
-
-def read_config(inipath):
-    cfg = iniconfig.IniConfig(inipath)
-    return Config(inipath, params=cfg.sections["params"])
-
-
-class Config:
-    def __init__(self, inipath, params):
-        self._inipath = inipath
-        self.mail_domain = params["mail_domain"]
-        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
-        self.max_mailbox_size = params["max_mailbox_size"]
-        self.delete_mails_after = params["delete_mails_after"]
-        self.username_min_length = int(params["username_min_length"])
-        self.username_max_length = int(params["username_max_length"])
-        self.password_min_length = int(params["password_min_length"])
-        self.passthrough_senders = params["passthrough_senders"].split()
-        self.passthrough_recipients = params["passthrough_recipients"].split()
-        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
-        self.postfix_reinject_port = int(params["postfix_reinject_port"])
-        self.privacy_postal = params.get("privacy_postal")
-        self.privacy_mail = params.get("privacy_mail")
-        self.privacy_pdo = params.get("privacy_pdo")
-        self.privacy_supervisor = params.get("privacy_supervisor")
-
-    def _getbytefile(self):
-        return open(self._inipath, "rb")
-
-
-def write_initial_config(inipath, mail_domain):
-    from importlib.resources import files
-
-    inidir = files(__package__).joinpath("ini")
-    content = (
-        inidir.joinpath("chatmail.ini.f").read_text().format(mail_domain=mail_domain)
-    )
-    if mail_domain.endswith(".testrun.org"):
-        override_inipath = inidir.joinpath("override-testrun.ini")
-        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
-        lines = []
-        for line in content.split("\n"):
-            for key, value in privacy.items():
-                value_lines = value.strip().split("\n")
-                if not line.startswith(f"{key} =") or not value_lines:
-                    continue
-                if len(value_lines) == 1:
-                    lines.append(f"{key} = {value}")
-                else:
-                    lines.append(f"{key} =")
-                    for vl in value_lines:
-                        lines.append(f"    {vl}")
-                break
-            else:
-                lines.append(line)
-        content = "\n".join(lines)
-
-    inipath.write_text(content)

chatmaild/src/chatmaild/doveauth.py

@@ -12,32 +12,24 @@ from socketserver import (
 import pwd
 
 from .database import Database
-from .config import read_config, Config
 
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 
 
-class UnknownCommand(ValueError):
-    """dictproxy handler received an unkown command"""
-
-
 def encrypt_password(password: str):
     # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
     passhash = crypt.crypt(password, crypt.METHOD_SHA512)
     return "{SHA512-CRYPT}" + passhash
 
 
-def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
+def is_allowed_to_create(user, cleartext_password) -> bool:
     """Return True if user and password are admissable."""
     if os.path.exists(NOCREATE_FILE):
         logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
         return False
 
-    if len(cleartext_password) < config.password_min_length:
-        logging.warning(
-            "Password needs to be at least %s characters long",
-            config.password_min_length,
-        )
+    if len(cleartext_password) < 9:
+        logging.warning("Password needs to be at least 9 characters long")
         return False
 
     parts = user.split("@")
@@ -46,37 +38,29 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
         return False
     localpart, domain = parts
 
-    if (
-        len(localpart) > config.username_max_length
-        or len(localpart) < config.username_min_length
-    ):
-        if localpart != "echo":
-            logging.warning(
-                "localpart %s has to be between %s and %s chars long",
-                localpart,
-                config.username_min_length,
-                config.username_max_length,
-            )
+    if domain == "nine.testrun.org":
+        # nine.testrun.org policy, username has to be exactly nine chars
+        if len(localpart) != 9:
+            logging.warning(f"localpart {localpart!r} has not exactly nine chars")
             return False
 
     return True
 
 
-def get_user_data(db, config: Config, user):
+def get_user_data(db, user):
     with db.read_connection() as conn:
         result = conn.get_user(user)
     if result:
-        result["home"] = f"/home/vmail/mail/{config.mail_domain}/{user}"
         result["uid"] = "vmail"
         result["gid"] = "vmail"
     return result
 
 
-def lookup_userdb(db, config: Config, user):
-    return get_user_data(db, config, user)
+def lookup_userdb(db, user):
+    return get_user_data(db, user)
 
 
-def lookup_passdb(db, config: Config, user, cleartext_password):
+def lookup_passdb(db, user, cleartext_password):
     with db.write_transaction() as conn:
         userdata = conn.get_user(user)
         if userdata:
@@ -85,11 +69,10 @@ def lookup_passdb(db, config: Config, user, cleartext_password):
                 "UPDATE users SET last_login=? WHERE addr=?", (int(time.time()), user)
             )
 
-            userdata["home"] = f"/home/vmail/mail/{config.mail_domain}/{user}"
             userdata["uid"] = "vmail"
             userdata["gid"] = "vmail"
             return userdata
-        if not is_allowed_to_create(config, user, cleartext_password):
+        if not is_allowed_to_create(user, cleartext_password):
             return
 
         encrypted_password = encrypt_password(cleartext_password)
@@ -97,92 +80,39 @@ def lookup_passdb(db, config: Config, user, cleartext_password):
                VALUES (?, ?, ?)"""
         conn.execute(q, (user, encrypted_password, int(time.time())))
         return dict(
-            home=f"/home/vmail/mail/{config.mail_domain}/{user}",
+            home=f"/home/vmail/{user}",
             uid="vmail",
             gid="vmail",
             password=encrypted_password,
         )
 
 
-def split_and_unescape(s):
-    """Split strings using double quote as a separator and backslash as escape character
-    into parts."""
-
-    out = ""
-    i = 0
-    while i < len(s):
-        c = s[i]
-        if c == "\\":
-            # Skip escape character.
-            i += 1
-
-            # This will raise IndexError if there is no character
-            # after escape character. This is expected
-            # as this is an invalid input.
-            out += s[i]
-        elif c == '"':
-            # Separator
-            yield out
-            out = ""
-        else:
-            out += c
-        i += 1
-    yield out
-
-
-def handle_dovecot_request(msg, db, config: Config):
-    # see https://doc.dovecot.org/3.0/developer_manual/design/dict_protocol/
+def handle_dovecot_request(msg, db, mail_domain):
     short_command = msg[0]
-    if short_command == "H":  # HELLO
-        # we don't do any checking on versions and just return
-        return
-    elif short_command == "L":  # LOOKUP
+    if short_command == "L":  # LOOKUP
         parts = msg[1:].split("\t")
-
-        # Dovecot <2.3.17 has only one part,
-        # do not attempt to read any other parts for compatibility.
-        keyname = parts[0]
-
-        namespace, type, args = keyname.split("/", 2)
-        args = list(split_and_unescape(args))
-
+        keyname, user = parts[:2]
+        namespace, type, *args = keyname.split("/")
         reply_command = "F"
         res = ""
         if namespace == "shared":
             if type == "userdb":
-                user = args[0]
-                if user.endswith(f"@{config.mail_domain}"):
-                    res = lookup_userdb(db, config, user)
+                if user.endswith(f"@{mail_domain}"):
+                    res = lookup_userdb(db, user)
                 if res:
                     reply_command = "O"
                 else:
                     reply_command = "N"
             elif type == "passdb":
-                user = args[1]
-                if user.endswith(f"@{config.mail_domain}"):
-                    res = lookup_passdb(db, config, user, cleartext_password=args[0])
+                if user.endswith(f"@{mail_domain}"):
+                    res = lookup_passdb(db, user, cleartext_password=args[0])
                 if res:
                     reply_command = "O"
                 else:
                     reply_command = "N"
         json_res = json.dumps(res) if res else ""
         return f"{reply_command}{json_res}\n"
-    raise UnknownCommand(msg)
-
-
-def handle_dovecot_protocol(rfile, wfile, db: Database, config: Config):
-    while True:
-        msg = rfile.readline().strip().decode()
-        if not msg:
-            break
-        try:
-            res = handle_dovecot_request(msg, db, config)
-        except UnknownCommand:
-            logging.warning("unknown command: %r", msg)
-        else:
-            if res:
-                wfile.write(res.encode("ascii"))
-                wfile.flush()
+    return None
 
 
 class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
@@ -193,12 +123,22 @@ def main():
     socket = sys.argv[1]
     passwd_entry = pwd.getpwnam(sys.argv[2])
     db = Database(sys.argv[3])
-    config = read_config(sys.argv[4])
+    with open("/etc/mailname", "r") as fp:
+        mail_domain = fp.read().strip()
 
     class Handler(StreamRequestHandler):
         def handle(self):
             try:
-                handle_dovecot_protocol(self.rfile, self.wfile, db, config)
+                while True:
+                    msg = self.rfile.readline().strip().decode()
+                    if not msg:
+                        break
+                    res = handle_dovecot_request(msg, db, mail_domain)
+                    if res:
+                        self.wfile.write(res.encode("ascii"))
+                        self.wfile.flush()
+                    else:
+                        logging.warn("request had no answer: %r", msg)
             except Exception:
                 logging.exception("Exception in the handler")
                 raise

chatmaild/src/chatmaild/doveauth.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Dict authentication proxy for dovecot
+
+[Service]
+ExecStart=/usr/local/bin/doveauth /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

chatmaild/src/chatmaild/doveauth.service.f

@@ -1,10 +0,0 @@
-[Unit]
-Description=Chatmail dict authentication proxy for dovecot
-
-[Service]
-ExecStart={execpath} /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite {config_path}
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target

chatmaild/src/chatmaild/echo.py

@@ -1,87 +0,0 @@
-#!/usr/bin/env python3
-"""Advanced echo bot example.
-
-it will echo back any message that has non-empty text and also supports the /help command.
-"""
-import logging
-import os
-import sys
-
-from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
-
-from chatmaild.newemail import create_newemail_dict
-from chatmaild.config import read_config
-
-hooks = events.HookCollection()
-
-
-@hooks.on(events.RawEvent)
-def log_event(event):
-    if event.kind == EventType.INFO:
-        logging.info("%s", event.msg)
-    elif event.kind == EventType.WARNING:
-        logging.warning("%s", event.msg)
-
-
-@hooks.on(events.RawEvent(EventType.ERROR))
-def log_error(event):
-    logging.error("%s", event.msg)
-
-
-@hooks.on(events.MemberListChanged)
-def on_memberlist_changed(event):
-    logging.info(
-        "member %s was %s", event.member, "added" if event.member_added else "removed"
-    )
-
-
-@hooks.on(events.GroupImageChanged)
-def on_group_image_changed(event):
-    logging.info("group image %s", "deleted" if event.image_deleted else "changed")
-
-
-@hooks.on(events.GroupNameChanged)
-def on_group_name_changed(event):
-    logging.info("group name changed, old name: %s", event.old_name)
-
-
-@hooks.on(events.NewMessage(func=lambda e: not e.command))
-def echo(event):
-    snapshot = event.message_snapshot
-    if snapshot.is_info:
-        # Ignore info messages
-        return
-    if snapshot.text or snapshot.file:
-        snapshot.chat.send_message(text=snapshot.text, file=snapshot.file)
-
-
-@hooks.on(events.NewMessage(command="/help"))
-def help_command(event):
-    snapshot = event.message_snapshot
-    snapshot.chat.send_text("Send me any message and I will echo it back")
-
-
-def main():
-    logging.basicConfig(level=logging.INFO)
-    path = os.environ.get("PATH")
-    venv_path = sys.argv[0].strip("echobot")
-    os.environ["PATH"] = path + ":" + venv_path
-    with Rpc() as rpc:
-        deltachat = DeltaChat(rpc)
-        system_info = deltachat.get_system_info()
-        logging.info("Running deltachat core %s", system_info.deltachat_core_version)
-
-        accounts = deltachat.get_all_accounts()
-        account = accounts[0] if accounts else deltachat.add_account()
-
-        bot = Bot(account, hooks)
-        if not bot.is_configured():
-            config = read_config(sys.argv[1])
-            password = create_newemail_dict(config).get("password")
-            email = "echo@" + config.mail_domain
-            bot.configure(email, password)
-        bot.run_forever()
-
-
-if __name__ == "__main__":
-    main()

chatmaild/src/chatmaild/echobot.service.f

@@ -1,11 +0,0 @@
-[Unit]
-Description=Chatmail echo bot for testing it works
-
-[Service]
-ExecStart={execpath} {config_path}
-Environment="PATH={remote_venv_dir}:$PATH"
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target

chatmaild/src/chatmaild/filtermail.py

@@ -7,11 +7,10 @@ from email.parser import BytesParser
 from email import policy
 from email.utils import parseaddr
 
+from aiosmtpd.smtp import SMTP
 from aiosmtpd.controller import Controller
 from smtplib import SMTP as SMTPClient
 
-from .config import read_config
-
 
 def check_encrypted(message):
     """Check that the message is an OpenPGP-encrypted message."""
@@ -63,21 +62,19 @@ def check_mdn(message, envelope):
     return True
 
 
-async def asyncmain_beforequeue(config):
-    port = config.filtermail_smtp_port
-    Controller(BeforeQueueHandler(config), hostname="127.0.0.1", port=port).start()
+class SMTPController(Controller):
+    def factory(self):
+        return SMTP(self.handler, **self.SMTP_kwargs)
 
 
 class BeforeQueueHandler:
-    def __init__(self, config):
-        self.config = config
+    def __init__(self):
         self.send_rate_limiter = SendRateLimiter()
 
     async def handle_MAIL(self, server, session, envelope, address, mail_options):
         logging.info(f"handle_MAIL from {address}")
         envelope.mail_from = address
-        max_sent = self.config.max_user_send_per_minute
-        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
+        if not self.send_rate_limiter.is_sending_allowed(address):
             return f"450 4.7.1: Too much mail from {address}"
 
         parts = envelope.mail_from.split("@")
@@ -88,64 +85,62 @@ class BeforeQueueHandler:
 
     async def handle_DATA(self, server, session, envelope):
         logging.info("handle_DATA before-queue")
-        error = self.check_DATA(envelope)
+        error = check_DATA(envelope)
         if error:
             return error
         logging.info("re-injecting the mail that passed checks")
-        client = SMTPClient("localhost", self.config.postfix_reinject_port)
+        client = SMTPClient("localhost", "10025")
         client.sendmail(envelope.mail_from, envelope.rcpt_tos, envelope.content)
         return "250 OK"
 
-    def check_DATA(self, envelope):
-        """the central filtering function for e-mails."""
-        logging.info(f"Processing DATA message from {envelope.mail_from}")
 
-        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
-        mail_encrypted = check_encrypted(message)
+async def asyncmain_beforequeue(port):
+    Controller(BeforeQueueHandler(), hostname="127.0.0.1", port=port).start()
 
-        _, from_addr = parseaddr(message.get("from").strip())
-        logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
-        if envelope.mail_from.lower() != from_addr.lower():
-            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
 
-        if not mail_encrypted and check_mdn(message, envelope):
-            return
+def check_DATA(envelope):
+    """the central filtering function for e-mails."""
+    logging.info(f"Processing DATA message from {envelope.mail_from}")
 
-        if envelope.mail_from in self.config.passthrough_senders:
-            return
+    message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+    mail_encrypted = check_encrypted(message)
 
-        passthrough_recipients = self.config.passthrough_recipients
-        envelope_from_domain = from_addr.split("@").pop()
-        for recipient in envelope.rcpt_tos:
-            if envelope.mail_from == recipient:
-                # Always allow sending emails to self.
-                continue
-            if recipient in passthrough_recipients:
-                continue
-            res = recipient.split("@")
-            if len(res) != 2:
-                return f"500 Invalid address <{recipient}>"
-            _recipient_addr, recipient_domain = res
+    _, from_addr = parseaddr(message.get("from").strip())
+    logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
+    if envelope.mail_from.lower() != from_addr.lower():
+        return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
 
-            is_outgoing = recipient_domain != envelope_from_domain
-            if is_outgoing and not mail_encrypted:
-                is_securejoin = message.get("secure-join") in [
-                    "vc-request",
-                    "vg-request",
-                ]
-                if not is_securejoin:
-                    return f"500 Invalid unencrypted mail to <{recipient}>"
+    if not mail_encrypted and check_mdn(message, envelope):
+        return
+
+    envelope_from_domain = from_addr.split("@").pop()
+    for recipient in envelope.rcpt_tos:
+        if envelope.mail_from == recipient:
+            # Always allow sending emails to self.
+            continue
+        res = recipient.split("@")
+        if len(res) != 2:
+            return f"500 Invalid address <{recipient}>"
+        _recipient_addr, recipient_domain = res
+
+        is_outgoing = recipient_domain != envelope_from_domain
+        if is_outgoing and not mail_encrypted:
+            is_securejoin = message.get("secure-join") in ["vc-request", "vg-request"]
+            if not is_securejoin:
+                return f"500 Invalid unencrypted mail to <{recipient}>"
 
 
 class SendRateLimiter:
+    MAX_USER_SEND_PER_MINUTE = 80
+
     def __init__(self):
         self.addr2timestamps = {}
 
-    def is_sending_allowed(self, mail_from, max_send_per_minute):
+    def is_sending_allowed(self, mail_from):
         last = self.addr2timestamps.setdefault(mail_from, [])
         now = time.time()
         last[:] = [ts for ts in last if ts >= (now - 60)]
-        if len(last) <= max_send_per_minute:
+        if len(last) <= self.MAX_USER_SEND_PER_MINUTE:
             last.append(now)
             return True
         return False
@@ -154,10 +149,9 @@ class SendRateLimiter:
 def main():
     args = sys.argv[1:]
     assert len(args) == 1
-    config = read_config(args[0])
     logging.basicConfig(level=logging.WARN)
     loop = asyncio.new_event_loop()
     asyncio.set_event_loop(loop)
-    task = asyncmain_beforequeue(config)
+    task = asyncmain_beforequeue(port=int(args[0]))
     loop.create_task(task)
     loop.run_forever()

chatmaild/src/chatmaild/filtermail.service

@@ -2,7 +2,7 @@
 Description=Chatmail Postfix BeforeQeue filter 
 
 [Service]
-ExecStart={execpath} {config_path}
+ExecStart=/usr/local/bin/filtermail 10080
 Restart=always
 RestartSec=30
 

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -1,63 +0,0 @@
-[params]
-
-# mail domain (MUST be set to fully qualified chat mail domain)
-mail_domain = {mail_domain}
-
-#
-# If you only do private test deploys, you don't need to modify any settings below
-#
-
-#
-# Account Restrictions
-#
-
-# how many mails a user can send out per minute
-max_user_send_per_minute = 60
-
-# maximum mailbox size of a chatmail account
-max_mailbox_size = 100M
-
-# days after which mails are unconditionally deleted
-delete_mails_after = 40
-
-# minimum length a username must have
-username_min_length = 9
-
-# maximum length a username can have
-username_max_length = 9
-
-# minimum length a password must have
-password_min_length = 9
-
-# list of chatmail accounts which can send outbound un-encrypted mail
-passthrough_senders =
-
-# list of e-mail recipients for which to accept outbound un-encrypted mails
-passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
-
-#
-# Deployment Details
-#
-
-# where the filtermail SMTP service listens
-filtermail_smtp_port = 10080
-
-# postfix accepts on the localhost reinject SMTP port
-postfix_reinject_port = 10025
-
-#
-# Privacy Policy
-#
-
-# postal address of privacy contact
-privacy_postal =
-
-# email address of privacy contact
-privacy_mail =
-
-# postal address of the privacy data officer
-privacy_pdo =
-
-# postal address of the privacy supervisor
-privacy_supervisor =
-

chatmaild/src/chatmaild/metadata.py

@@ -1,184 +0,0 @@
-import pwd
-
-import pathlib
-from queue import Queue
-from threading import Thread
-from socketserver import (
-    UnixStreamServer,
-    StreamRequestHandler,
-    ThreadingMixIn,
-)
-from .config import read_config
-import sys
-import logging
-import os
-import requests
-import marshal
-
-
-DICTPROXY_LOOKUP_CHAR = "L"
-DICTPROXY_ITERATE_CHAR = "I"
-DICTPROXY_SET_CHAR = "S"
-DICTPROXY_BEGIN_TRANSACTION_CHAR = "B"
-DICTPROXY_COMMIT_TRANSACTION_CHAR = "C"
-DICTPROXY_TRANSACTION_CHARS = "SBC"
-
-
-class Notifier:
-    def __init__(self, metadata_dir):
-        self.metadata_dir = metadata_dir
-        self.to_notify_queue = Queue()
-
-    def get_metadata(self, guid):
-        guid_path = self.metadata_dir.joinpath(guid)
-        if guid_path.exists():
-            with guid_path.open("rb") as f:
-                return marshal.load(f)
-        return {}
-
-    def set_metadata(self, guid, guid_data):
-        guid_path = self.metadata_dir.joinpath(guid)
-        write_path = guid_path.with_suffix(".tmp")
-        with write_path.open("wb") as f:
-            marshal.dump(guid_data, f)
-        os.rename(write_path, guid_path)
-
-    def set_token(self, guid, token):
-        guid_data = self.get_metadata(guid)
-        guid_data["token"] = token
-        self.set_metadata(guid, guid_data)
-
-    def del_token(self, guid):
-        guid_data = self.get_metadata(guid)
-        if "token" in guid_data:
-            del guid_data["token"]
-            self.set_metadata(guid, guid_data)
-
-    def get_token(self, guid):
-        return self.get_metadata(guid).get("token")
-
-    def new_message_for_guid(self, guid):
-        self.to_notify_queue.put(guid)
-
-    def thread_run_loop(self):
-        requests_session = requests.Session()
-        while 1:
-            self.thread_run_one(requests_session)
-
-    def thread_run_one(self, requests_session):
-        guid = self.to_notify_queue.get()
-        token = self.get_token(guid)
-        if token:
-            response = requests_session.post(
-                "https://notifications.delta.chat/notify",
-                data=token,
-                timeout=60,
-            )
-            if response.status_code == 410:
-                # 410 Gone status code
-                # means the token is no longer valid.
-                self.del_token(guid)
-
-
-def handle_dovecot_protocol(rfile, wfile, notifier):
-    # HELLO message, ignored.
-    msg = rfile.readline().strip().decode()
-
-    transactions = {}
-    while True:
-        msg = rfile.readline().strip().decode()
-        if not msg:
-            break
-
-        res = handle_dovecot_request(msg, transactions, notifier)
-        if res:
-            wfile.write(res.encode("ascii"))
-            wfile.flush()
-
-
-def handle_dovecot_request(msg, transactions, notifier):
-    # see https://doc.dovecot.org/3.0/developer_manual/design/dict_protocol/
-    short_command = msg[0]
-    parts = msg[1:].split("\t")
-    if short_command == DICTPROXY_LOOKUP_CHAR:
-        return "N\n"
-    elif short_command == DICTPROXY_ITERATE_CHAR:
-        # Empty line means ITER_FINISHED.
-        # If we don't return empty line Dovecot will timeout.
-        return "\n"
-
-    if short_command not in (DICTPROXY_TRANSACTION_CHARS):
-        return
-
-    transaction_id = parts[0]
-
-    if short_command == DICTPROXY_BEGIN_TRANSACTION_CHAR:
-        transactions[transaction_id] = "O\n"
-    elif short_command == DICTPROXY_COMMIT_TRANSACTION_CHAR:
-        # returns whether it failed or succeeded.
-        return transactions.pop(transaction_id, "N\n")
-    elif short_command == DICTPROXY_SET_CHAR:
-        # See header of
-        # <https://github.com/dovecot/core/blob/5e7965632395793d9355eb906b173bf28d2a10ca/src/lib-storage/mailbox-attribute.h>
-        # for the documentation on the structure of the key.
-
-        # Request GETMETADATA "INBOX" /private/chatmail
-        # results in a query for
-        # priv/dd72550f05eadc65542a1200cac67ad7/chatmail
-        #
-        # Request GETMETADATA "" /private/chatmail
-        # results in
-        # priv/dd72550f05eadc65542a1200cac67ad7/vendor/vendor.dovecot/pvt/server/chatmail
-
-        keyname = parts[1].split("/")
-        value = parts[2] if len(parts) > 2 else ""
-        if keyname[0] == "priv" and keyname[2] == "devicetoken":
-            notifier.set_token(keyname[1], value)
-        elif keyname[0] == "priv" and keyname[2] == "messagenew":
-            notifier.new_message_for_guid(keyname[1])
-        else:
-            # Transaction failed.
-            transactions[transaction_id] = "F\n"
-
-
-class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
-    request_queue_size = 100
-
-
-def main():
-    socket, username, config, metadata_dir = sys.argv[1:]
-    passwd_entry = pwd.getpwnam(username)
-
-    # XXX config is not currently used
-    config = read_config(config)
-    metadata_dir = pathlib.Path(metadata_dir)
-    if not metadata_dir.exists():
-        metadata_dir.mkdir()
-    notifier = Notifier(metadata_dir)
-
-    class Handler(StreamRequestHandler):
-        def handle(self):
-            try:
-                handle_dovecot_protocol(self.rfile, self.wfile, notifier)
-            except Exception:
-                logging.exception("Exception in the handler")
-                raise
-
-    try:
-        os.unlink(socket)
-    except FileNotFoundError:
-        pass
-
-    # start notifier thread for signalling new messages to
-    # Delta Chat notification server
-
-    t = Thread(target=notifier.thread_run_loop)
-    t.setDaemon(True)
-    t.start()
-
-    with ThreadedUnixStreamServer(socket, Handler) as server:
-        os.chown(socket, uid=passwd_entry.pw_uid, gid=passwd_entry.pw_gid)
-        try:
-            server.serve_forever()
-        except KeyboardInterrupt:
-            pass

chatmaild/src/chatmaild/metrics.py

@@ -1,25 +0,0 @@
-#!/usr/bin/env python3
-from pathlib import Path
-import time
-import sys
-
-
-def main(vmail_dir=None):
-    if vmail_dir is None:
-        vmail_dir = sys.argv[1]
-
-    accounts = 0
-    ci_accounts = 0
-
-    for path in Path(vmail_dir).iterdir():
-        accounts += 1
-        if path.name[:3] in ("ci-", "ac_"):
-            ci_accounts += 1
-
-    timestamp = int(time.time() * 1000)
-    print(f"accounts {accounts} {timestamp}")
-    print(f"ci_accounts {ci_accounts} {timestamp}")
-
-
-if __name__ == "__main__":
-    main()

chatmaild/src/chatmaild/newemail.py

@@ -1,31 +1,23 @@
-#!/usr/local/lib/chatmaild/venv/bin/python3
+#!/usr/bin/python3
 
 """ CGI script for creating new accounts. """
 
 import json
 import random
-import secrets
-import string
 
-from chatmaild.config import read_config, Config
-
-CONFIG_PATH = "/usr/local/lib/chatmaild/chatmail.ini"
-ALPHANUMERIC = string.ascii_lowercase + string.digits
-ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
+mailname_path = "/etc/mailname"
 
 
-def create_newemail_dict(config: Config):
-    user = "".join(random.choices(ALPHANUMERIC, k=config.username_min_length))
-    password = "".join(
-        secrets.choice(ALPHANUMERIC_PUNCT)
-        for _ in range(config.password_min_length + 3)
-    )
-    return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
+def create_newemail_dict(domain):
+    alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
+    user = "".join(random.choices(alphanumeric, k=9))
+    password = "".join(random.choices(alphanumeric, k=12))
+    return dict(email=f"{user}@{domain}", password=f"{password}")
 
 
 def print_new_account():
-    config = read_config(CONFIG_PATH)
-    creds = create_newemail_dict(config)
+    domain = open(mailname_path).read().strip()
+    creds = create_newemail_dict(domain=domain)
 
     print("Content-Type: application/json")
     print("")

chatmaild/src/chatmaild/tests/plugin.py

@@ -1,75 +0,0 @@
-import random
-from pathlib import Path
-import os
-import importlib.resources
-import itertools
-from email.parser import BytesParser
-from email import policy
-import pytest
-
-from chatmaild.database import Database
-from chatmaild.config import read_config, write_initial_config
-
-
-@pytest.fixture
-def make_config(tmp_path):
-    inipath = tmp_path.joinpath("chatmail.ini")
-
-    def make_conf(mail_domain):
-        write_initial_config(inipath, mail_domain=mail_domain)
-        return read_config(inipath)
-
-    return make_conf
-
-
-@pytest.fixture
-def example_config(make_config):
-    return make_config("chat.example.org")
-
-
-@pytest.fixture
-def maildomain(example_config):
-    return example_config.mail_domain
-
-
-@pytest.fixture
-def gencreds(maildomain):
-    count = itertools.count()
-    next(count)
-
-    def gen(domain=None):
-        domain = domain if domain else maildomain
-        while 1:
-            num = next(count)
-            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
-            user = "".join(random.choices(alphanumeric, k=10))
-            user = f"ac{num}_{user}"[:9]
-            password = "".join(random.choices(alphanumeric, k=12))
-            yield f"{user}@{domain}", f"{password}"
-
-    return lambda domain=None: next(gen(domain))
-
-
-@pytest.fixture()
-def db(tmpdir):
-    db_path = tmpdir / "passdb.sqlite"
-    print("database path:", db_path)
-    return Database(db_path)
-
-
-@pytest.fixture
-def maildata(request):
-    try:
-        datadir = importlib.resources.files(__package__).joinpath("mail-data")
-    except TypeError:
-        # in python3.9 or lower, the above doesn't work, so we get datadir this way:
-        datadir = Path(os.getcwd()).joinpath("chatmaild/src/chatmaild/tests/mail-data")
-
-    assert datadir.exists(), datadir
-
-    def maildata(name, from_addr, to_addr):
-        data = datadir.joinpath(name).read_text()
-        text = data.format(from_addr=from_addr, to_addr=to_addr)
-        return BytesParser(policy=policy.default).parsebytes(text.encode())
-
-    return maildata

chatmaild/src/chatmaild/tests/test_config.py

@@ -1,32 +0,0 @@
-from chatmaild.config import read_config
-
-
-def test_read_config_basic(example_config):
-    assert example_config.mail_domain == "chat.example.org"
-    assert not example_config.privacy_supervisor and not example_config.privacy_mail
-    assert not example_config.privacy_pdo and not example_config.privacy_postal
-
-    inipath = example_config._inipath
-    inipath.write_text(inipath.read_text().replace("60", "37"))
-    example_config = read_config(inipath)
-    assert example_config.max_user_send_per_minute == 37
-    assert example_config.mail_domain == "chat.example.org"
-
-
-def test_read_config_testrun(make_config):
-    config = make_config("something.testrun.org")
-    assert config.mail_domain == "something.testrun.org"
-    assert len(config.privacy_postal.split("\n")) > 1
-    assert len(config.privacy_supervisor.split("\n")) > 1
-    assert len(config.privacy_pdo.split("\n")) > 1
-    assert config.privacy_mail == "privacy@testrun.org"
-    assert config.filtermail_smtp_port == 10080
-    assert config.postfix_reinject_port == 10025
-    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "100M"
-    assert config.delete_mails_after == "40"
-    assert config.username_min_length == 9
-    assert config.username_max_length == 9
-    assert config.password_min_length == 9
-    assert "privacy@testrun.org" in config.passthrough_recipients
-    assert config.passthrough_senders == []

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -1,122 +0,0 @@
-import io
-import json
-import pytest
-import queue
-import threading
-import traceback
-
-import chatmaild.doveauth
-from chatmaild.doveauth import (
-    get_user_data,
-    lookup_passdb,
-    handle_dovecot_request,
-    handle_dovecot_protocol,
-)
-from chatmaild.database import DBError
-
-
-def test_basic(db, example_config):
-    lookup_passdb(db, example_config, "asdf12345@chat.example.org", "q9mr3faue")
-    data = get_user_data(db, example_config, "asdf12345@chat.example.org")
-    assert data
-    data2 = lookup_passdb(
-        db, example_config, "asdf12345@chat.example.org", "q9mr3jewvadsfaue"
-    )
-    assert data == data2
-
-
-def test_dont_overwrite_password_on_wrong_login(db, example_config):
-    """Test that logging in with a different password doesn't create a new user"""
-    res = lookup_passdb(
-        db, example_config, "newuser12@chat.example.org", "kajdlkajsldk12l3kj1983"
-    )
-    assert res["password"]
-    res2 = lookup_passdb(db, example_config, "newuser12@chat.example.org", "kajdslqwe")
-    # this function always returns a password hash, which is actually compared by dovecot.
-    assert res["password"] == res2["password"]
-
-
-def test_nocreate_file(db, monkeypatch, tmpdir, example_config):
-    p = tmpdir.join("nocreate")
-    p.write("")
-    monkeypatch.setattr(chatmaild.doveauth, "NOCREATE_FILE", str(p))
-    lookup_passdb(
-        db, example_config, "newuser12@chat.example.org", "zequ0Aimuchoodaechik"
-    )
-    assert not get_user_data(db, example_config, "newuser12@chat.example.org")
-
-
-def test_db_version(db):
-    assert db.get_schema_version() == 1
-
-
-def test_too_high_db_version(db):
-    with db.write_transaction() as conn:
-        conn.execute("PRAGMA user_version=%s;" % (999,))
-    with pytest.raises(DBError):
-        db.ensure_tables()
-
-
-def test_handle_dovecot_request(db, example_config):
-    # Test that password can contain ", ', \ and /
-    msg = (
-        'Lshared/passdb/laksjdlaksjdlak\\\\sjdlk\\"12j\\\'3l1/k2j3123"'
-        "some42123@chat.example.org\tsome42123@chat.example.org"
-    )
-    res = handle_dovecot_request(msg, db, example_config)
-    assert res
-    assert res[0] == "O" and res.endswith("\n")
-    userdata = json.loads(res[1:].strip())
-    assert (
-        userdata["home"]
-        == "/home/vmail/mail/chat.example.org/some42123@chat.example.org"
-    )
-    assert userdata["uid"] == userdata["gid"] == "vmail"
-    assert userdata["password"].startswith("{SHA512-CRYPT}")
-
-
-def test_handle_dovecot_protocol_hello_is_skipped(db, example_config, caplog):
-    rfile = io.BytesIO(b"H3\t2\t0\t\tauth\n")
-    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, db, example_config)
-    assert wfile.getvalue() == b""
-    assert not caplog.messages
-
-
-def test_handle_dovecot_protocol(db, example_config):
-    rfile = io.BytesIO(
-        b"H3\t2\t0\t\tauth\nLshared/userdb/foobar@chat.example.org\tfoobar@chat.example.org\n"
-    )
-    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, db, example_config)
-    assert wfile.getvalue() == b"N\n"
-
-
-def test_50_concurrent_lookups_different_accounts(db, gencreds, example_config):
-    num_threads = 50
-    req_per_thread = 5
-    results = queue.Queue()
-
-    def lookup(db):
-        for i in range(req_per_thread):
-            addr, password = gencreds()
-            try:
-                lookup_passdb(db, example_config, addr, password)
-            except Exception:
-                results.put(traceback.format_exc())
-            else:
-                results.put(None)
-
-    threads = []
-    for i in range(num_threads):
-        thread = threading.Thread(target=lookup, args=(db,), daemon=True)
-        threads.append(thread)
-
-    print(f"created {num_threads} threads, starting them and waiting for results")
-    for thread in threads:
-        thread.start()
-
-    for i in range(num_threads * req_per_thread):
-        res = results.get()
-        if res is not None:
-            pytest.fail(f"concurrent lookup failed\n{res}")

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -1,145 +0,0 @@
-from chatmaild.filtermail import (
-    check_encrypted,
-    BeforeQueueHandler,
-    SendRateLimiter,
-    check_mdn,
-)
-
-import pytest
-
-
-@pytest.fixture
-def maildomain():
-    # let's not depend on a real chatmail instance for the offline tests below
-    return "chatmail.example.org"
-
-
-@pytest.fixture
-def handler(make_config, maildomain):
-    config = make_config(maildomain)
-    return BeforeQueueHandler(config)
-
-
-def test_reject_forged_from(maildata, gencreds, handler):
-    class env:
-        mail_from = gencreds()[0]
-        rcpt_tos = [gencreds()[0]]
-
-    # test that the filter lets good mail through
-    to_addr = gencreds()[0]
-    env.content = maildata(
-        "plain.eml", from_addr=env.mail_from, to_addr=to_addr
-    ).as_bytes()
-
-    assert not handler.check_DATA(envelope=env)
-
-    # test that the filter rejects forged mail
-    env.content = maildata(
-        "plain.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
-    ).as_bytes()
-    error = handler.check_DATA(envelope=env)
-    assert "500" in error
-
-
-def test_filtermail_no_encryption_detection(maildata):
-    msg = maildata(
-        "plain.eml", from_addr="some@example.org", to_addr="other@example.org"
-    )
-    assert not check_encrypted(msg)
-
-    # https://xkcd.com/1181/
-    msg = maildata(
-        "fake-encrypted.eml", from_addr="some@example.org", to_addr="other@example.org"
-    )
-    assert not check_encrypted(msg)
-
-
-def test_filtermail_encryption_detection(maildata):
-    msg = maildata("encrypted.eml", from_addr="1@example.org", to_addr="2@example.org")
-    assert check_encrypted(msg)
-
-    # if the subject is not "..." it is not considered ac-encrypted
-    msg.replace_header("Subject", "Click this link")
-    assert not check_encrypted(msg)
-
-
-def test_filtermail_is_mdn(maildata, gencreds, handler):
-    from_addr = gencreds()[0]
-    to_addr = gencreds()[0] + ".other"
-    msg = maildata("mdn.eml", from_addr, to_addr)
-
-    class env:
-        mail_from = from_addr
-        rcpt_tos = [to_addr]
-        content = msg.as_bytes()
-
-    assert check_mdn(msg, env)
-    print(msg.as_string())
-
-    assert not handler.check_DATA(env)
-
-
-def test_filtermail_to_multiple_recipients_no_mdn(maildata, gencreds):
-    from_addr = gencreds()[0]
-    to_addr = gencreds()[0] + ".other"
-    thirdaddr = gencreds()[0]
-    msg = maildata("mdn.eml", from_addr, to_addr)
-
-    class env:
-        mail_from = from_addr
-        rcpt_tos = [to_addr, thirdaddr]
-        content = msg.as_bytes()
-
-    assert not check_mdn(msg, env)
-
-
-def test_send_rate_limiter():
-    limiter = SendRateLimiter()
-    for i in range(100):
-        if limiter.is_sending_allowed("some@example.org", 10):
-            if i <= 10:
-                continue
-            pytest.fail("limiter didn't work")
-        else:
-            assert i == 11
-            break
-
-
-def test_excempt_privacy(maildata, gencreds, handler):
-    from_addr = gencreds()[0]
-    to_addr = "privacy@testrun.org"
-    handler.config.passthrough_recipients = [to_addr]
-    false_to = "privacy@something.org"
-
-    msg = maildata("plain.eml", from_addr, to_addr)
-
-    class env:
-        mail_from = from_addr
-        rcpt_tos = [to_addr]
-        content = msg.as_bytes()
-
-    # assert that None/no error is returned
-    assert not handler.check_DATA(envelope=env)
-
-    class env2:
-        mail_from = from_addr
-        rcpt_tos = [to_addr, false_to]
-        content = msg.as_bytes()
-
-    assert "500" in handler.check_DATA(envelope=env2)
-
-
-def test_passthrough_senders(gencreds, handler, maildata):
-    acc1 = gencreds()[0]
-    to_addr = "recipient@something.org"
-    handler.config.passthrough_senders = [acc1]
-
-    msg = maildata("plain.eml", acc1, to_addr)
-
-    class env:
-        mail_from = acc1
-        rcpt_tos = to_addr
-        content = msg.as_bytes()
-
-    # assert that None/no error is returned
-    assert not handler.check_DATA(envelope=env)

chatmaild/src/chatmaild/tests/test_metadata.py

@@ -1,163 +0,0 @@
-import io
-import pytest
-
-from chatmaild.metadata import (
-    handle_dovecot_request,
-    handle_dovecot_protocol,
-    Notifier,
-)
-
-
-@pytest.fixture
-def notifier(tmp_path):
-    metadata_dir = tmp_path.joinpath("metadata")
-    metadata_dir.mkdir()
-    return Notifier(metadata_dir)
-
-
-def test_notifier_persistence(tmp_path):
-    metadata_dir = tmp_path.joinpath("metadata")
-    metadata_dir.mkdir()
-    notifier1 = Notifier(metadata_dir)
-    notifier2 = Notifier(metadata_dir)
-    assert notifier1.get_token(guid="guid00") is None
-    assert notifier2.get_token(guid="guid00") is None
-
-    notifier1.set_token("guid00", "01234")
-    notifier1.set_token("guid03", "456")
-    assert notifier2.get_token("guid00") == "01234"
-    assert notifier2.get_token("guid03") == "456"
-    notifier2.del_token("guid00")
-    assert notifier1.get_token("guid00") is None
-
-
-def test_handle_dovecot_request_lookup_fails(notifier):
-    res = handle_dovecot_request("Lpriv/123/chatmail", {}, notifier)
-    assert res == "N\n"
-
-
-def test_handle_dovecot_request_happy_path(notifier):
-    transactions = {}
-
-    # lookups return the same NOTFOUND result
-    res = handle_dovecot_request("Lpriv/123/chatmail", transactions, notifier)
-    assert res == "N\n"
-    assert notifier.get_token("guid00") is None and not transactions
-
-    # set device token in a transaction
-    tx = "1111"
-    msg = f"B{tx}\tuser"
-    res = handle_dovecot_request(msg, transactions, notifier)
-    assert not res and notifier.get_token("guid00") is None
-    assert transactions == {tx: "O\n"}
-
-    msg = f"S{tx}\tpriv/guid00/devicetoken\t01234"
-    res = handle_dovecot_request(msg, transactions, notifier)
-    assert not res
-    assert len(transactions) == 1
-    assert notifier.get_token("guid00") == "01234"
-
-    msg = f"C{tx}"
-    res = handle_dovecot_request(msg, transactions, notifier)
-    assert res == "O\n"
-    assert len(transactions) == 0
-    assert notifier.get_token("guid00") == "01234"
-
-    # trigger notification for incoming message
-    assert handle_dovecot_request(f"B{tx}\tuser", transactions, notifier) is None
-    msg = f"S{tx}\tpriv/guid00/messagenew"
-    assert handle_dovecot_request(msg, transactions, notifier) is None
-    assert notifier.to_notify_queue.get() == "guid00"
-    assert notifier.to_notify_queue.qsize() == 0
-    assert handle_dovecot_request(f"C{tx}\tuser", transactions, notifier) == "O\n"
-    assert not transactions
-
-
-def test_handle_dovecot_protocol_set_devicetoken(notifier):
-    rfile = io.BytesIO(
-        b"\n".join(
-            [
-                b"HELLO",
-                b"Btx00\tuser",
-                b"Stx00\tpriv/guid00/devicetoken\t01234",
-                b"Ctx00",
-            ]
-        )
-    )
-    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier)
-    assert notifier.get_token("guid00") == "01234"
-    assert wfile.getvalue() == b"O\n"
-
-
-def test_handle_dovecot_protocol_iterate(notifier):
-    rfile = io.BytesIO(
-        b"\n".join(
-            [
-                b"H",
-                b"I9\t0\tpriv/5cbe730f146fea6535be0d003dd4fc98/\tci-2dzsrs@nine.testrun.org",
-            ]
-        )
-    )
-    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier)
-    assert wfile.getvalue() == b"\n"
-
-
-def test_handle_dovecot_protocol_messagenew(notifier):
-    rfile = io.BytesIO(
-        b"\n".join(
-            [
-                b"HELLO",
-                b"Btx01\tuser",
-                b"Stx01\tpriv/guid00/messagenew",
-                b"Ctx01",
-            ]
-        )
-    )
-    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier)
-    assert wfile.getvalue() == b"O\n"
-    assert notifier.to_notify_queue.get() == "guid00"
-    assert notifier.to_notify_queue.qsize() == 0
-
-
-def test_notifier_thread_run(notifier):
-    requests = []
-
-    class ReqMock:
-        def post(self, url, data, timeout):
-            requests.append((url, data, timeout))
-
-            class Result:
-                status_code = 200
-
-            return Result()
-
-    notifier.set_token("guid00", "01234")
-    notifier.new_message_for_guid("guid00")
-    notifier.thread_run_one(ReqMock())
-    url, data, timeout = requests[0]
-    assert data == "01234"
-    assert notifier.get_token("guid00") == "01234"
-
-
-def test_notifier_thread_run_gone_removes_token(notifier):
-    requests = []
-
-    class ReqMock:
-        def post(self, url, data, timeout):
-            requests.append((url, data, timeout))
-
-            class Result:
-                status_code = 410
-
-            return Result()
-
-    notifier.set_token("guid00", "01234")
-    notifier.new_message_for_guid("guid00")
-    assert notifier.get_token("guid00") == "01234"
-    notifier.thread_run_one(ReqMock())
-    url, data, timeout = requests[0]
-    assert data == "01234"
-    assert notifier.get_token("guid00") is None

chatmaild/src/chatmaild/tests/test_metrics.py

@@ -1,16 +0,0 @@
-from chatmaild.metrics import main
-
-
-def test_main(tmp_path, capsys):
-    for x in ("ci-asllkj", "ac_12l3kj", "qweqwe", "ci-l1k2j31l2k3"):
-        tmp_path.joinpath(x).mkdir()
-    main(tmp_path)
-    out, _ = capsys.readouterr()
-    d = {}
-    for line in out.split("\n"):
-        if line.strip():
-            name, num, _ = line.split()
-            d[name] = int(num)
-
-    assert d["accounts"] == 4
-    assert d["ci_accounts"] == 3

cmdeploy/pyproject.toml

@@ -1,32 +0,0 @@
-[build-system]
-requires = ["setuptools>=68"]
-build-backend = "setuptools.build_meta"
-
-[project]
-name = "cmdeploy"
-version = "0.2"
-dependencies = [
-  "pyinfra",
-  "pillow",
-  "qrcode",
-  "markdown",
-  "pytest",
-  "setuptools>=68",
-  "termcolor",
-  "build",
-  "tox",
-  "ruff",
-  "black",
-  "pytest",
-  "pytest-xdist", 
-]
-
-[project.scripts]
-cmdeploy = "cmdeploy.cmdeploy:main"
-
-[project.entry-points.pytest11]
-"chatmaild.testplugin" = "chatmaild.tests.plugin"
-"cmdeploy.testplugin" = "cmdeploy.tests.plugin"
-
-[tool.pytest.ini_options]
-addopts = "-v -ra --strict-markers"

cmdeploy/src/cmdeploy/acmetool/acmetool-redirector.service

@@ -1,11 +0,0 @@
-[Unit]
-Description=acmetool HTTP redirector
-
-[Service]
-Type=notify
-ExecStart=/usr/bin/acmetool redirector --service.uid=daemon
-Restart=always
-RestartSec=30
-
-[Install]
-WantedBy=multi-user.target

cmdeploy/src/cmdeploy/acmetool/acmetool.cron

@@ -1,4 +0,0 @@
-SHELL=/bin/sh
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-MAILTO=root
-20 16 * * * root /usr/bin/acmetool --batch reconcile && systemctl reload dovecot && systemctl reload postfix

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -1,15 +0,0 @@
-{chatmail_domain}.                   A     {ipv4}
-{chatmail_domain}.                   AAAA  {ipv6}
-{chatmail_domain}.                   MX 10 {chatmail_domain}.
-_submission._tcp.{chatmail_domain}.  SRV 0 1 587 {chatmail_domain}.
-_submissions._tcp.{chatmail_domain}. SRV 0 1 465 {chatmail_domain}.
-_imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
-_imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
-{chatmail_domain}.                   CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
-{chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} ~all"
-_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
-_mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
-mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
-www.{chatmail_domain}.               CNAME {chatmail_domain}.
-{dkim_entry}
-_adsp._domainkey.{chatmail_domain}.  TXT "dkim=discardable"

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -1,316 +0,0 @@
-"""
-Provides the `cmdeploy` entry point function,
-along with command line option and subcommand parsing.
-"""
-
-import argparse
-import shutil
-import subprocess
-import importlib.resources
-import importlib.util
-import os
-import sys
-from pathlib import Path
-
-
-from termcolor import colored
-from chatmaild.config import read_config, write_initial_config
-from cmdeploy.dns import show_dns, check_necessary_dns
-
-
-#
-# cmdeploy sub commands and options
-#
-
-
-def init_cmd_options(parser):
-    parser.add_argument(
-        "chatmail_domain",
-        action="store",
-        help="fully qualified DNS domain name for your chatmail instance",
-    )
-
-
-def init_cmd(args, out):
-    """Initialize chatmail config file."""
-    mail_domain = args.chatmail_domain
-    if args.inipath.exists():
-        print(f"Path exists, not modifying: {args.inipath}")
-    else:
-        write_initial_config(args.inipath, mail_domain)
-        out.green(f"created config file for {mail_domain} in {args.inipath}")
-    check_necessary_dns(
-        out,
-        mail_domain,
-    )
-
-
-def run_cmd_options(parser):
-    parser.add_argument(
-        "--dry-run",
-        dest="dry_run",
-        action="store_true",
-        help="don't actually modify the server",
-    )
-
-
-def run_cmd(args, out):
-    """Deploy chatmail services on the remote server."""
-    mail_domain = args.config.mail_domain
-    if not check_necessary_dns(
-        out,
-        mail_domain,
-    ):
-        sys.exit(1)
-
-    env = os.environ.copy()
-    env["CHATMAIL_INI"] = args.inipath
-    deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve()
-    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
-    cmd = f"{pyinf} --ssh-user root {args.config.mail_domain} {deploy_path}"
-
-    out.check_call(cmd, env=env)
-    print("Deploy completed, call `cmdeploy dns` next.")
-
-
-def dns_cmd_options(parser):
-    parser.add_argument(
-        "--zonefile",
-        dest="zonefile",
-        help="print the whole zonefile for deploying directly",
-    )
-
-
-def dns_cmd(args, out):
-    """Generate dns zone file."""
-    exit_code = show_dns(args, out)
-    exit(exit_code)
-
-
-def status_cmd(args, out):
-    """Display status for online chatmail instance."""
-
-    ssh = f"ssh root@{args.config.mail_domain}"
-
-    out.green(f"chatmail domain: {args.config.mail_domain}")
-    if args.config.privacy_mail:
-        out.green("privacy settings: present")
-    else:
-        out.red("no privacy settings")
-
-    s1 = "systemctl --type=service --state=running"
-    for line in out.shell_output(f"{ssh} -- {s1}").split("\n"):
-        if line.startswith("  "):
-            print(line)
-
-
-def test_cmd_options(parser):
-    parser.add_argument(
-        "--slow",
-        dest="slow",
-        action="store_true",
-        help="also run slow tests",
-    )
-
-
-def test_cmd(args, out):
-    """Run local and online tests for chatmail deployment.
-
-    This will automatically pip-install 'deltachat' if it's not available.
-    """
-
-    x = importlib.util.find_spec("deltachat")
-    if x is None:
-        out.check_call(f"{sys.executable} -m pip install deltachat")
-
-    pytest_path = shutil.which("pytest")
-    pytest_args = [
-        pytest_path,
-        "cmdeploy/src/",
-        "-n4",
-        "-rs",
-        "-x",
-        "-vrx",
-        "--durations=5",
-    ]
-    if args.slow:
-        pytest_args.append("--slow")
-    ret = out.run_ret(pytest_args)
-    return ret
-
-
-def fmt_cmd_options(parser):
-    parser.add_argument(
-        "--verbose",
-        "-v",
-        dest="verbose",
-        action="store_true",
-        help="provide information on invocations",
-    )
-
-    parser.add_argument(
-        "--check",
-        "-c",
-        action="store_true",
-        help="only check but don't fix problems",
-    )
-
-
-def fmt_cmd(args, out):
-    """Run formattting fixes (ruff and black) on all chatmail source code."""
-
-    sources = [str(importlib.resources.files(x)) for x in ("chatmaild", "cmdeploy")]
-    black_args = [shutil.which("black")]
-    ruff_args = [shutil.which("ruff")]
-
-    if args.check:
-        black_args.append("--check")
-    else:
-        ruff_args.append("--fix")
-
-    if not args.verbose:
-        black_args.append("-q")
-        ruff_args.append("-q")
-
-    black_args.extend(sources)
-    ruff_args.extend(sources)
-
-    out.check_call(" ".join(black_args), quiet=not args.verbose)
-    out.check_call(" ".join(ruff_args), quiet=not args.verbose)
-    return 0
-
-
-def bench_cmd(args, out):
-    """Run benchmarks against an online chatmail instance."""
-    args = ["pytest", "--pyargs", "cmdeploy.tests.online.benchmark", "-vrx"]
-    cmdstring = " ".join(args)
-    out.green(f"[$ {cmdstring}]")
-    subprocess.check_call(args)
-
-
-def webdev_cmd(args, out):
-    """Run local web development loop for static web pages."""
-    from .www import main
-
-    main()
-
-
-#
-# Parsing command line options and starting commands
-#
-
-
-class Out:
-    """Convenience output printer providing coloring."""
-
-    def red(self, msg, file=sys.stderr):
-        print(colored(msg, "red"), file=file)
-
-    def green(self, msg, file=sys.stderr):
-        print(colored(msg, "green"), file=file)
-
-    def __call__(self, msg, red=False, green=False, file=sys.stdout):
-        color = "red" if red else ("green" if green else None)
-        print(colored(msg, color), file=file)
-
-    def shell_output(self, arg, no_print=False, timeout=10):
-        if not no_print:
-            self(f"[$ {arg}]", file=sys.stderr)
-            output = subprocess.STDOUT
-        else:
-            output = subprocess.DEVNULL
-        return subprocess.check_output(
-            arg, shell=True, timeout=timeout, stderr=output
-        ).decode()
-
-    def check_call(self, arg, env=None, quiet=False):
-        if not quiet:
-            self(f"[$ {arg}]", file=sys.stderr)
-        return subprocess.check_call(arg, shell=True, env=env)
-
-    def run_ret(self, args, env=None, quiet=False):
-        if not quiet:
-            cmdstring = " ".join(args)
-            self(f"[$ {cmdstring}]", file=sys.stderr)
-        proc = subprocess.run(args, env=env)
-        return proc.returncode
-
-
-def add_config_option(parser):
-    parser.add_argument(
-        "--config",
-        dest="inipath",
-        action="store",
-        default=Path("chatmail.ini"),
-        type=Path,
-        help="path to the chatmail.ini file",
-    )
-
-
-def add_subcommand(subparsers, func):
-    name = func.__name__
-    assert name.endswith("_cmd")
-    name = name[:-4]
-    doc = func.__doc__.strip()
-    help = doc.split("\n")[0].strip(".")
-    p = subparsers.add_parser(name, description=doc, help=help)
-    p.set_defaults(func=func)
-    add_config_option(p)
-    return p
-
-
-description = """
-Setup your chatmail server configuration and
-deploy it via SSH to your remote location.
-"""
-
-
-def get_parser():
-    """Return an ArgumentParser for the 'cmdeploy' CLI"""
-
-    parser = argparse.ArgumentParser(description=description.strip())
-    subparsers = parser.add_subparsers(title="subcommands")
-
-    # find all subcommands in the module namespace
-    glob = globals()
-    for name, func in glob.items():
-        if name.endswith("_cmd"):
-            subparser = add_subcommand(subparsers, func)
-            addopts = glob.get(name + "_options")
-            if addopts is not None:
-                addopts(subparser)
-
-    return parser
-
-
-def main(args=None):
-    """Provide main entry point for 'xdcget' CLI invocation."""
-    parser = get_parser()
-    args = parser.parse_args(args=args)
-    if not hasattr(args, "func"):
-        return parser.parse_args(["-h"])
-    out = Out()
-    kwargs = {}
-    if args.func.__name__ not in ("init_cmd", "fmt_cmd"):
-        if not args.inipath.exists():
-            out.red(f"expecting {args.inipath} to exist, run init first?")
-            raise SystemExit(1)
-        try:
-            args.config = read_config(args.inipath)
-        except Exception as ex:
-            out.red(ex)
-            raise SystemExit(1)
-
-    try:
-        res = args.func(args, out, **kwargs)
-        if res is None:
-            res = 0
-        return res
-
-    except KeyboardInterrupt:
-        out.red("KeyboardInterrupt")
-        sys.exit(130)
-
-
-if __name__ == "__main__":
-    main()

cmdeploy/src/cmdeploy/deploy.py

@@ -1,17 +0,0 @@
-import os
-import importlib.resources
-import pyinfra
-from cmdeploy import deploy_chatmail
-
-
-def main():
-    config_path = os.getenv(
-        "CHATMAIL_INI",
-        importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
-    )
-
-    deploy_chatmail(config_path)
-
-
-if pyinfra.is_cli:
-    main()

cmdeploy/src/cmdeploy/dns.py

@@ -1,203 +0,0 @@
-import sys
-
-import requests
-import importlib
-import subprocess
-import datetime
-
-
-class DNS:
-    def __init__(self, out, mail_domain):
-        self.session = requests.Session()
-        self.out = out
-        self.ssh = f"ssh root@{mail_domain} -- "
-        try:
-            self.shell(f"unbound-control flush_zone {mail_domain}")
-        except subprocess.CalledProcessError:
-            pass
-
-    def shell(self, cmd):
-        try:
-            return self.out.shell_output(f"{self.ssh}{cmd}", no_print=True)
-        except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as e:
-            if "exit status 255" in str(e) or "timed out" in str(e):
-                self.out.red(f"Error: can't reach the server with: {self.ssh[:-4]}")
-                sys.exit(1)
-            else:
-                raise
-
-    def get_ipv4(self):
-        cmd = "ip a | grep 'inet ' | grep 'scope global' | grep -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | head -1"
-        return self.shell(cmd).strip()
-
-    def get_ipv6(self):
-        cmd = "ip a | grep inet6 | grep 'scope global' | sed -e 's#/64 scope global##' | sed -e 's#inet6##'"
-        return self.shell(cmd).strip()
-
-    def get(self, typ: str, domain: str) -> str:
-        """Get a DNS entry or empty string if there is none."""
-        dig_result = self.shell(f"dig -r -q {domain} -t {typ} +short")
-        line = dig_result.partition("\n")[0]
-        return line
-
-    def check_ptr_record(self, ip: str, mail_domain) -> bool:
-        """Check the PTR record for an IPv4 or IPv6 address."""
-        result = self.shell(f"dig -r -x {ip} +short").rstrip()
-        return result == f"{mail_domain}."
-
-
-def show_dns(args, out) -> int:
-    """Check existing DNS records, optionally write them to zone file, return exit code 0 or 1."""
-    template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
-    mail_domain = args.config.mail_domain
-    ssh = f"ssh root@{mail_domain}"
-    dns = DNS(out, mail_domain)
-
-    print("Checking your DKIM keys and DNS entries...")
-    try:
-        acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
-    except subprocess.CalledProcessError:
-        print("Please run `cmdeploy run` first.")
-        return 1
-
-    dkim_selector = "opendkim"
-    dkim_pubkey = out.shell_output(
-        ssh + f" -- openssl rsa -in /etc/dkimkeys/{dkim_selector}.private"
-        " -pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'"
-    )
-    dkim_entry_value = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
-    dkim_entry_str = ""
-    while len(dkim_entry_value) >= 255:
-        dkim_entry_str += '"' + dkim_entry_value[:255] + '" '
-        dkim_entry_value = dkim_entry_value[255:]
-    dkim_entry_str += '"' + dkim_entry_value + '"'
-    dkim_entry = f"{dkim_selector}._domainkey.{mail_domain}. TXT {dkim_entry_str}"
-
-    ipv6 = dns.get_ipv6()
-    reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
-    ipv4 = dns.get_ipv4()
-    reverse_ipv4 = dns.check_ptr_record(ipv4, mail_domain)
-    to_print = []
-
-    with open(template, "r") as f:
-        zonefile = (
-            f.read()
-            .format(
-                acme_account_url=acme_account_url,
-                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
-                chatmail_domain=args.config.mail_domain,
-                dkim_entry=dkim_entry,
-                ipv6=ipv6,
-                ipv4=ipv4,
-            )
-            .strip()
-        )
-        try:
-            with open(args.zonefile, "w+") as zf:
-                zf.write(zonefile)
-                print(f"DNS records successfully written to: {args.zonefile}")
-            return 0
-        except TypeError:
-            pass
-        for line in zonefile.splitlines():
-            line = line.format(
-                acme_account_url=acme_account_url,
-                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
-                chatmail_domain=args.config.mail_domain,
-                dkim_entry=dkim_entry,
-                ipv6=ipv6,
-            ).strip()
-            for typ in ["A", "AAAA", "CNAME", "CAA"]:
-                if f" {typ} " in line:
-                    domain, value = line.split(f" {typ} ")
-                    current = dns.get(typ, domain.strip()[:-1])
-                    if current != value.strip():
-                        to_print.append(line)
-            if " MX " in line:
-                domain, typ, prio, value = line.split()
-                current = dns.get(typ, domain[:-1])
-                if not current:
-                    to_print.append(line)
-                elif current.split()[1] != value:
-                    print(line.replace(prio, str(int(current[0]) + 1)))
-            if " SRV " in line:
-                domain, typ, prio, weight, port, value = line.split()
-                current = dns.get("SRV", domain[:-1])
-                if current != f"{prio} {weight} {port} {value}":
-                    to_print.append(line)
-            if " TXT " in line:
-                domain, value = line.split(" TXT ")
-                current = dns.get("TXT", domain.strip()[:-1])
-                if domain.startswith("_mta-sts."):
-                    if current:
-                        if current.split("id=")[0] == value.split("id=")[0]:
-                            continue
-
-                # TXT records longer than 255 bytes
-                # are split into multiple <character-string>s.
-                # This typically happens with DKIM record
-                # which contains long RSA key.
-                #
-                # Removing `" "` before comparison
-                # to get back a single string.
-                if current.replace('" "', "") != value.replace('" "', ""):
-                    to_print.append(line)
-
-    exit_code = 0
-    if to_print:
-        to_print.insert(
-            0, "You should configure the following DNS entries at your provider:\n"
-        )
-        to_print.append(
-            "\nIf you already configured the DNS entries, wait a bit until the DNS entries propagate to the Internet."
-        )
-        print("\n".join(to_print))
-        exit_code = 1
-    else:
-        out.green("Great! All your DNS entries are correct.")
-
-    to_print = []
-    if not reverse_ipv4:
-        to_print.append(f"\tIPv4:\t{ipv4}\t{args.config.mail_domain}")
-    if not reverse_ipv6:
-        to_print.append(f"\tIPv6:\t{ipv6}\t{args.config.mail_domain}")
-    if len(to_print) > 0:
-        if len(to_print) == 1:
-            warning = "You should add the following PTR/reverse DNS entry:"
-        else:
-            warning = "You should add the following PTR/reverse DNS entries:"
-        out.red(warning)
-        for entry in to_print:
-            print(entry)
-        print(
-            "You can do so at your hosting provider (maybe this isn't your DNS provider)."
-        )
-        exit_code = 1
-    return exit_code
-
-
-def check_necessary_dns(out, mail_domain):
-    """Check whether $mail_domain and mta-sts.$mail_domain resolve."""
-    dns = DNS(out, mail_domain)
-    ipv4 = dns.get("A", mail_domain)
-    ipv6 = dns.get("AAAA", mail_domain)
-    mta_entry = dns.get("CNAME", "mta-sts." + mail_domain)
-    www_entry = dns.get("CNAME", "www." + mail_domain)
-    to_print = []
-    if not (ipv4 or ipv6):
-        to_print.append(f"\t{mail_domain}.\t\t\tA<your server's IPv4 address>")
-    if mta_entry != mail_domain + ".":
-        to_print.append(f"\tmta-sts.{mail_domain}.\tCNAME\t{mail_domain}.")
-    if www_entry != mail_domain + ".":
-        to_print.append(f"\twww.{mail_domain}.\tCNAME\t{mail_domain}.")
-    if to_print:
-        to_print.insert(
-            0,
-            "\nFor chatmail to work, you need to configure this at your DNS provider:\n",
-        )
-        for line in to_print:
-            print(line)
-        print()
-    else:
-        dns.out.green("\nAll necessary DNS entries seem to be set.")
-        return True

cmdeploy/src/cmdeploy/dovecot/auth.conf

@@ -1,10 +0,0 @@
-uri = proxy:/run/dovecot/doveauth.socket:auth
-iterate_disable = yes
-default_pass_scheme = plain
-# %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
-# See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
-# for documentation.
-#
-# We escape user-provided input and use double quote as a separator.
-password_key = passdb/%Ew"%Eu
-user_key = userdb/%Eu

cmdeploy/src/cmdeploy/dovecot/default.sieve

@@ -1,7 +0,0 @@
-require ["imap4flags"];
-
-# flag the message so it doesn't cause a push notification
-
-if header :is ["Auto-Submitted"] ["auto-replied", "auto-generated"] {
-	addflag "$Auto";
-}

cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2

@@ -1,11 +0,0 @@
-# delete all mails after {{ config.delete_mails_after }} days, in the Inbox
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# or in any IMAP subfolder
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# even if they are unseen
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# or only temporary (but then they shouldn't be around after {{ config.delete_mails_after }} days anyway).
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-3 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -name 'maildirsize' -type f -delete

cmdeploy/src/cmdeploy/dovecot/push_notification.lua

@@ -1,32 +0,0 @@
-function dovecot_lua_notify_begin_txn(user)
-  return user
-end
-
-function contains(v, needle)
-  for _, keyword in ipairs(v) do
-    if keyword == needle then
-      return true
-    end
-  end
-  return false
-end
-
-function dovecot_lua_notify_event_message_new(user, event)
-  local mbox = user:mailbox(event.mailbox)
-  mbox:sync()
-
-  if user.username ~= event.from_address then
-    -- Incoming message
-    if not contains(event.keywords, "$Auto") then
-      -- Not an Auto-Submitted message, notifying.
-
-      -- Notify METADATA server about new message.
-      mbox:metadata_set("/private/messagenew", "")
-    end
-  end
-
-  mbox:free()
-end
-
-function dovecot_lua_notify_end_txn(ctx, success)
-end

cmdeploy/src/cmdeploy/metrics.cron.j2

@@ -1 +0,0 @@
-*/5 * * * * root {{ config.execpath }} /home/vmail/mail/{{ config.mail_domain }} >/var/www/html/metrics

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -1,84 +0,0 @@
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-error_log /var/log/nginx/error.log;
-
-events {
-	worker_connections 768;
-	# multi_accept on;
-}
-
-http {
-	sendfile on;
-	tcp_nopush on;
-
-	# Do not emit nginx version on error pages.
-	server_tokens off;
-
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
-	ssl_prefer_server_ciphers on;
-	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
-	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
-
-	gzip on;
-
-	server {
-		listen 443 ssl default_server;
-		listen [::]:443 ssl default_server;
-
-		root /var/www/html;
-
-		index index.html index.htm;
-
-		server_name _;
-
-		location / {
-			# First attempt to serve request as file, then
-			# as directory, then fall back to displaying a 404.
-			try_files $uri $uri/ =404;
-		}
-
-		location /metrics {
-			default_type text/plain;
-		}
-
-		location /new {
-			if ($request_method = GET) {
-				# Redirect to Delta Chat,
-				# which will in turn do a POST request.
-				return 301 dcaccount:https://{{ config.domain_name }}/new;
-			}
-
-			fastcgi_pass unix:/run/fcgiwrap.socket;
-			include /etc/nginx/fastcgi_params;
-			fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
-		}
-
-		# Old URL for compatibility with e.g. printed QR codes.
-		#
-		# Copy-paste instead of redirect to /new
-		# because Delta Chat core does not follow redirects.
-		#
-		# Redirects are only for browsers.
-		location /cgi-bin/newemail.py {
-			if ($request_method = GET) {
-				return 301 dcaccount:https://{{ config.domain_name }}/new;
-			}
-
-			fastcgi_pass unix:/run/fcgiwrap.socket;
-			include /etc/nginx/fastcgi_params;
-			fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
-		}
-	}
-
-	# Redirect www. to non-www
-	server {
-		listen 443 ssl;
-		listen [::]:443 ssl;
-		server_name www.{{ config.domain_name }};
-		return 301 $scheme://{{ config.domain_name }}$request_uri;
-	}
-}

cmdeploy/src/cmdeploy/opendkim/KeyTable

@@ -1 +0,0 @@
-{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -1,28 +0,0 @@
-if odkim.internal_ip(ctx) == 1 then
-	-- Outgoing message will be signed,
-	-- no need to look for signatures.
-	return nil
-end
-
-nsigs = odkim.get_sigcount(ctx)
-if nsigs == nil then
-	return nil
-end
-
-for i = 1, nsigs do
-        sig = odkim.get_sighandle(ctx, i - 1)
-        sigres = odkim.sig_result(sig)
-
-	-- All signatures that do not correspond to From: 
-	-- were ignored in screen.lua and return sigres -1.
-	-- 
-	-- Any valid signature that was not ignored like this
-	-- means the message is acceptable.
-	if sigres == 0 then
-		return nil
-	end	
-end
-
-odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
-odkim.set_result(ctx, SMFIS_REJECT)
-return nil

cmdeploy/src/cmdeploy/opendkim/screen.lua

@@ -1,21 +0,0 @@
--- Ignore signatures that do not correspond to the From: domain.
-
-from_domain = odkim.get_fromdomain(ctx)
-if from_domain == nil then
-	return nil
-end
-
-n = odkim.get_sigcount(ctx)
-if n == nil then
-	return nil
-end
-
-for i = 1, n do
-	sig = odkim.get_sighandle(ctx, i - 1)
-	sig_domain = odkim.sig_getdomain(sig)
-	if from_domain ~= sig_domain then
-		odkim.sig_ignore(sig)
-	end
-end
-
-return nil

cmdeploy/src/cmdeploy/postfix/login_map

@@ -1 +0,0 @@
-/^(.*)$/	${1}

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -1,79 +0,0 @@
-myorigin = {{ config.mail_domain }}
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html
-compatibility_level = 3.6
-
-# TLS parameters
-smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
-smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
-smtpd_tls_security_level=may
-
-smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
-smtpd_tls_protocols = >=TLSv1.2
-
-# Disable anonymous cipher suites
-# and known insecure algorithms.
-#
-# Disabling anonymous ciphers
-# does not generally improve security
-# because clients that want to verify certificate
-# will not select them anyway,
-# but makes cipher suite list shorter and security scanners happy.
-# See <https://www.postfix.org/TLS_README.html> for discussion.
-#
-# Only ancient insecure ciphers should be disabled here
-# as MTA clients that do not support more secure cipher
-# likely do not support MTA-STS either and will
-# otherwise fall back to using plaintext connection.
-smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
-
-# Override client's preference order.
-# <https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist>
-#
-# This is mostly to ensure cipher suites with forward secrecy
-# are preferred over non cipher suites without forward secrecy.
-# See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
-tls_preempt_cipherlist = yes
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ config.mail_domain }}
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-
-# Postfix does not deliver mail for any domain by itself.
-# Primary domain is listed in `virtual_mailbox_domains` instead
-# and handed over to Dovecot.
-mydestination =
-
-relayhost = 
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-# maximum 30MB sized messages
-message_size_limit = 31457280
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-
-virtual_transport = lmtp:unix:private/dovecot-lmtp
-virtual_mailbox_domains = {{ config.mail_domain }}
-
-mua_client_restrictions = permit_sasl_authenticated, reject
-mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
-mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
-
-# 1:1 map MAIL FROM to SASL login name.
-smtpd_sender_login_maps = regexp:/etc/postfix/login_map

cmdeploy/src/cmdeploy/postfix/submission_header_cleanup

@@ -1,4 +0,0 @@
-/^Received:/            IGNORE
-/^X-Originating-IP:/    IGNORE
-/^X-Mailer:/            IGNORE
-/^User-Agent:/          IGNORE

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -1,25 +0,0 @@
-import requests
-
-from cmdeploy.genqr import gen_qr_png_data
-
-
-def test_gen_qr_png_data(maildomain):
-    data = gen_qr_png_data(maildomain)
-    assert data
-
-
-def test_fastcgi_working(maildomain, chatmail_config):
-    url = f"https://{maildomain}/new"
-    print(url)
-    res = requests.post(url)
-    assert maildomain in res.json().get("email")
-    assert len(res.json().get("password")) > chatmail_config.password_min_length
-
-
-def test_newemail_configure(maildomain, rpc):
-    """Test configuring accounts by scanning a QR code works."""
-    url = f"DCACCOUNT:https://{maildomain}/new"
-    for i in range(3):
-        account_id = rpc.add_account()
-        rpc.set_config_from_qr(account_id, url)
-        rpc.configure(account_id)

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,100 +0,0 @@
-import smtplib
-import pytest
-
-
-def test_remote(remote, imap_or_smtp):
-    lineproducer = remote.iter_output(imap_or_smtp.logcmd)
-    imap_or_smtp.connect()
-    assert imap_or_smtp.name in next(lineproducer)
-
-
-def test_use_two_chatmailservers(cmfactory, maildomain2):
-    ac1 = cmfactory.new_online_configuring_account(cache=False)
-    cmfactory.switch_maildomain(maildomain2)
-    ac2 = cmfactory.new_online_configuring_account(cache=False)
-    cmfactory.bring_accounts_online()
-    cmfactory.get_accepted_chat(ac1, ac2)
-    domain1 = ac1.get_config("addr").split("@")[1]
-    domain2 = ac2.get_config("addr").split("@")[1]
-    assert domain1 != domain2
-
-
-@pytest.mark.parametrize("forgeaddr", ["internal", "someone@example.org"])
-def test_reject_forged_from(cmsetup, maildata, gencreds, lp, forgeaddr):
-    user1, user3 = cmsetup.gen_users(2)
-
-    lp.sec("send encrypted message with forged from")
-    print("envelope_from", user1.addr)
-    if forgeaddr == "internal":
-        addr_to_forge = cmsetup.gen_users(1)[0].addr
-    else:
-        addr_to_forge = "someone@example.org"
-
-    print("message to inject:")
-    msg = maildata("encrypted.eml", from_addr=addr_to_forge, to_addr=user3.addr)
-    msg = msg.as_string()
-    for line in msg.split("\n")[:4]:
-        print(f"   {line}")
-
-    lp.sec("Send forged mail and check remote postfix lmtp processing result")
-    with pytest.raises(smtplib.SMTPException) as e:
-        user1.smtp.sendmail(from_addr=user1.addr, to_addrs=[user3.addr], msg=msg)
-    assert "500" in str(e.value)
-
-
-def test_authenticated_from(cmsetup, maildata):
-    """Test that envelope FROM must be the same as login."""
-    user1, user2, user3 = cmsetup.gen_users(3)
-
-    msg = maildata("encrypted.eml", from_addr=user2.addr, to_addr=user3.addr)
-    with pytest.raises(smtplib.SMTPException) as e:
-        user1.smtp.sendmail(
-            from_addr=user2.addr, to_addrs=[user3.addr], msg=msg.as_string()
-        )
-    assert e.value.recipients[user3.addr][0] == 553
-
-
-@pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"])
-def test_reject_missing_dkim(cmsetup, maildata, from_addr):
-    """Test that emails with missing or wrong DMARC, DKIM, and SPF entries are rejected."""
-    recipient = cmsetup.gen_users(1)[0]
-    msg = maildata("plain.eml", from_addr=from_addr, to_addr=recipient.addr).as_string()
-    with smtplib.SMTP(cmsetup.maildomain, 25) as s:
-        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
-            s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
-
-
-@pytest.mark.slow
-def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
-    """Test that the per-account send-mail limit is exceeded."""
-    user1, user2 = cmsetup.gen_users(2)
-    mail = maildata(
-        "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
-    ).as_string()
-    for i in range(chatmail_config.max_user_send_per_minute + 5):
-        print("Sending mail", str(i))
-        try:
-            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
-        except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_per_minute:
-                pytest.fail(f"rate limit was exceeded too early with msg {i}")
-            outcome = e.recipients[user2.addr]
-            assert outcome[0] == 450
-            assert b"4.7.1: Too much mail from" in outcome[1]
-            return
-    pytest.fail("Rate limit was not exceeded")
-
-
-def test_expunged(remote, chatmail_config):
-    outdated_days = int(chatmail_config.delete_mails_after) + 1
-    find_cmds = [
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/cur/*' -mtime +{outdated_days} -type f",
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/cur/*' -mtime +{outdated_days} -type f",
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/new/*' -mtime +{outdated_days} -type f",
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/new/*' -mtime +{outdated_days} -type f",
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/tmp/*' -mtime +{outdated_days} -type f",
-        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/tmp/*' -mtime +{outdated_days} -type f",
-    ]
-    for cmd in find_cmds:
-        for line in remote.iter_output(cmd):
-            assert not line

cmdeploy/src/cmdeploy/tests/test_cmdeploy.py

@@ -1,27 +0,0 @@
-import os
-
-import pytest
-from cmdeploy.cmdeploy import get_parser, main
-
-
-@pytest.fixture(autouse=True)
-def _chdir(tmp_path):
-    old = os.getcwd()
-    os.chdir(tmp_path)
-    yield
-    os.chdir(old)
-
-
-class TestCmdline:
-    def test_parser(self, capsys):
-        parser = get_parser()
-        parser.parse_args([])
-        init = parser.parse_args(["init", "chat.example.org"])
-        run = parser.parse_args(["run"])
-        assert init and run
-
-    @pytest.mark.xfail(reason="init doesn't exit anymore, check for CLI output instead")
-    def test_init_not_overwrite(self):
-        main(["init", "chat.example.org"])
-        with pytest.raises(SystemExit):
-            main(["init", "chat.example.org"])

cmdeploy/src/cmdeploy/tests/test_helpers.py

@@ -1,13 +0,0 @@
-import importlib.resources
-
-from cmdeploy.www import build_webpages
-
-
-def test_build_webpages(tmp_path, make_config):
-    pkgroot = importlib.resources.files("cmdeploy")
-    src_dir = pkgroot.joinpath("../../../www/src").resolve()
-    assert src_dir.exists(), src_dir
-    config = make_config("chat.example.org")
-    build_dir = tmp_path.joinpath("build")
-    build_webpages(src_dir, build_dir, config)
-    assert len([x for x in build_dir.iterdir() if x.suffix == ".html"]) >= 3

deploy-chatmail/pyproject.toml

@@ -0,0 +1,33 @@
+[build-system]
+requires = ["setuptools>=45"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "deploy-chatmail"
+version = "0.1"
+dependencies = [
+  "pyinfra",
+  "pillow",
+  "qrcode",
+  "markdown",
+]
+
+[tool.pytest.ini_options]
+addopts = "-v -ra --strict-markers"
+
+[tool.tox]
+legacy_tox_ini = """
+[tox]
+isolated_build = true
+envlist = lint
+
+[testenv:lint]
+skipdist = True
+skip_install = True
+deps =
+  ruff
+  black
+commands =
+  black --quiet --check --diff src/
+  ruff src/
+"""

deploy-chatmail/src/deploy_chatmail/__init__.py

@@ -1,151 +1,80 @@
 """
 Chat Mail pyinfra deploy.
 """
-
-import sys
 import importlib.resources
-import subprocess
-import shutil
-import io
+import configparser
 from pathlib import Path
 
 from pyinfra import host
-from pyinfra.operations import apt, files, server, systemd, pip
+from pyinfra.operations import apt, files, server, systemd
 from pyinfra.facts.files import File
 from pyinfra.facts.systemd import SystemdEnabled
 from .acmetool import deploy_acmetool
 
-from chatmaild.config import read_config, Config
 
-
-def _build_chatmaild(dist_dir) -> None:
-    dist_dir = Path(dist_dir).resolve()
-    if dist_dir.exists():
-        shutil.rmtree(dist_dir)
-    dist_dir.mkdir()
-    subprocess.check_output(
-        [sys.executable, "-m", "build", "-n"]
-        + ["--sdist", "chatmaild", "--outdir", str(dist_dir)]
+def _install_chatmaild() -> None:
+    chatmaild_filename = "chatmaild-0.1.tar.gz"
+    chatmaild_path = importlib.resources.files(__package__).joinpath(
+        f"../../../dist/{chatmaild_filename}"
     )
-    entries = list(dist_dir.iterdir())
-    assert len(entries) == 1
-    return entries[0]
-
-
-def remove_legacy_artifacts():
-    # disable legacy doveauth-dictproxy.service
-    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
-        systemd.service(
-            name="Disable legacy doveauth-dictproxy.service",
-            service="doveauth-dictproxy.service",
-            running=False,
-            enabled=False,
-        )
-
-
-def _install_remote_venv_with_chatmaild(config) -> None:
-    remove_legacy_artifacts()
-    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
-    remote_base_dir = "/usr/local/lib/chatmaild"
-    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
-    remote_venv_dir = f"{remote_base_dir}/venv"
-    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
-    root_owned = dict(user="root", group="root", mode="644")
-
-    apt.packages(
-        name="apt install python3-virtualenv",
-        packages=["python3-virtualenv"],
-    )
-
-    files.put(
-        name="Upload chatmaild source package",
-        src=dist_file.open("rb"),
-        dest=remote_dist_file,
-        create_remote_dir=True,
-        **root_owned,
-    )
-
-    files.put(
-        name=f"Upload {remote_chatmail_inipath}",
-        src=config._getbytefile(),
-        dest=remote_chatmail_inipath,
-        **root_owned,
-    )
-
-    pip.virtualenv(
-        name=f"chatmaild virtualenv {remote_venv_dir}",
-        path=remote_venv_dir,
-        always_copy=True,
-    )
-
-    server.shell(
-        name=f"forced pip-install {dist_file.name}",
-        commands=[
-            f"{remote_venv_dir}/bin/pip install --force-reinstall {remote_dist_file}"
-        ],
-    )
-
-    files.template(
-        src=importlib.resources.files(__package__).joinpath("metrics.cron.j2"),
-        dest="/etc/cron.d/chatmail-metrics",
-        user="root",
-        group="root",
-        mode="644",
-        config={
-            "mail_domain": config.mail_domain,
-            "execpath": f"{remote_venv_dir}/bin/chatmail-metrics",
-        },
-    )
-
-    # install systemd units
-    for fn in (
-        "doveauth",
-        "filtermail",
-        "echobot",
-        "chatmail-metadata",
-    ):
-        params = dict(
-            execpath=f"{remote_venv_dir}/bin/{fn}",
-            config_path=remote_chatmail_inipath,
-            remote_venv_dir=remote_venv_dir,
-        )
-        source_path = importlib.resources.files("chatmaild").joinpath(f"{fn}.service.f")
-        content = source_path.read_text().format(**params).encode()
-
+    remote_path = f"/tmp/{chatmaild_filename}"
+    if Path(str(chatmaild_path)).exists():
         files.put(
-            name=f"Upload {fn}.service",
-            src=io.BytesIO(content),
-            dest=f"/etc/systemd/system/{fn}.service",
-            **root_owned,
-        )
-        systemd.service(
-            name=f"Setup {fn} service",
-            service=f"{fn}.service",
-            running=True,
-            enabled=True,
-            restarted=True,
-            daemon_reload=True,
+            name="Upload chatmaild source package",
+            src=chatmaild_path.open("rb"),
+            dest=remote_path,
         )
 
+        apt.packages(
+            name="apt install python3-aiosmtpd python3-pip python3-venv",
+            packages=["python3-aiosmtpd", "python3-pip", "python3-venv"],
+        )
 
-def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
+        # --no-deps because aiosmtplib is installed with `apt`.
+        server.shell(
+            name="install chatmaild with pip",
+            commands=[f"pip install --break-system-packages {remote_path}"],
+        )
+
+        # disable legacy doveauth-dictproxy.service
+        if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
+            systemd.service(
+                name="Disable legacy doveauth-dictproxy.service",
+                service="doveauth-dictproxy.service",
+                running=False,
+                enabled=False,
+            )
+
+        # install systemd units
+
+        for fn in (
+            "doveauth",
+            "filtermail",
+        ):
+            files.put(
+                name=f"Upload {fn}.service",
+                src=importlib.resources.files("chatmaild")
+                .joinpath(f"{fn}.service")
+                .open("rb"),
+                dest=f"/etc/systemd/system/{fn}.service",
+                user="root",
+                group="root",
+                mode="644",
+            )
+            systemd.service(
+                name=f"Setup {fn} service",
+                service=f"{fn}.service",
+                running=True,
+                enabled=True,
+                restarted=True,
+                daemon_reload=True,
+            )
+
+
+def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
     """Configures OpenDKIM"""
     need_restart = False
 
-    server.group(name="Create opendkim group", group="opendkim", system=True)
-    server.user(
-        name="Create opendkim user",
-        user="opendkim",
-        groups=["opendkim"],
-        system=True,
-    )
-    server.user(
-        name="Add postfix user to opendkim group for socket access",
-        user="postfix",
-        groups=["opendkim"],
-        system=True,
-    )
-
     main_config = files.template(
         src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
         dest="/etc/opendkim.conf",
@@ -156,24 +85,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
     )
     need_restart |= main_config.changed
 
-    screen_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("opendkim/screen.lua"),
-        dest="/etc/opendkim/screen.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= screen_script.changed
-
-    final_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("opendkim/final.lua"),
-        dest="/etc/opendkim/final.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= final_script.changed
-
     files.directory(
         name="Add opendkim directory to /etc",
         path="/etc/opendkim",
@@ -202,6 +113,7 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
         config={"domain_name": domain, "opendkim_selector": dkim_selector},
     )
     need_restart |= signing_table.changed
+
     files.directory(
         name="Add opendkim socket directory to /var/spool/postfix",
         path="/var/spool/postfix/opendkim",
@@ -211,11 +123,6 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
         present=True,
     )
 
-    apt.packages(
-        name="apt install opendkim opendkim-tools",
-        packages=["opendkim", "opendkim-tools"],
-    )
-
     if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
         server.shell(
             name="Generate OpenDKIM domain keys",
@@ -247,7 +154,7 @@ def _install_mta_sts_daemon() -> bool:
     server.shell(
         name="install postfix-mta-sts-resolver with pip",
         commands=[
-            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
+            "python3 -m venv /usr/local/lib/postfix-mta-sts-resolver",
             "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
         ],
     )
@@ -267,7 +174,7 @@ def _install_mta_sts_daemon() -> bool:
     return need_restart
 
 
-def _configure_postfix(config: Config, debug: bool = False) -> bool:
+def _configure_postfix(domain: str, debug: bool = False) -> bool:
     """Configures Postfix SMTP server."""
     need_restart = False
 
@@ -277,7 +184,7 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
         user="root",
         group="root",
         mode="644",
-        config=config,
+        config={"domain_name": domain},
     )
     need_restart |= main_config.changed
 
@@ -288,35 +195,13 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
         group="root",
         mode="644",
         debug=debug,
-        config=config,
     )
     need_restart |= master_config.changed
 
-    header_cleanup = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/submission_header_cleanup"
-        ),
-        dest="/etc/postfix/submission_header_cleanup",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= header_cleanup.changed
-
-    # Login map that 1:1 maps email address to login.
-    login_map = files.put(
-        src=importlib.resources.files(__package__).joinpath("postfix/login_map"),
-        dest="/etc/postfix/login_map",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= login_map.changed
-
     return need_restart
 
 
-def _configure_dovecot(config: Config, debug: bool = False) -> bool:
+def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
     """Configures Dovecot IMAP server."""
     need_restart = False
 
@@ -326,7 +211,7 @@ def _configure_dovecot(config: Config, debug: bool = False) -> bool:
         user="root",
         group="root",
         mode="644",
-        config=config,
+        config={"hostname": mail_server},
         debug=debug,
     )
     need_restart |= main_config.changed
@@ -338,38 +223,15 @@ def _configure_dovecot(config: Config, debug: bool = False) -> bool:
         mode="644",
     )
     need_restart |= auth_config.changed
-    lua_push_notification_script = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "dovecot/push_notification.lua"
-        ),
-        dest="/etc/dovecot/push_notification.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= lua_push_notification_script.changed
 
-    sieve_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("dovecot/default.sieve"),
-        dest="/etc/dovecot/default.sieve",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= sieve_script.changed
-    if sieve_script.changed:
-        server.shell(
-            name="compile sieve script",
-            commands=["/usr/bin/sievec /etc/dovecot/default.sieve"],
-        )
-
-    files.template(
-        src=importlib.resources.files(__package__).joinpath("dovecot/expunge.cron.j2"),
+    files.put(
+        src=importlib.resources.files(__package__)
+        .joinpath("dovecot/expunge.cron")
+        .open("rb"),
         dest="/etc/cron.d/expunge",
         user="root",
         group="root",
         mode="644",
-        config=config,
     )
 
     # as per https://doc.dovecot.org/configuration_manual/os/
@@ -442,71 +304,44 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
     return need_restart
 
 
-def _remove_rspamd() -> None:
-    """Remove rspamd"""
-    apt.packages(name="Remove rspamd", packages="rspamd", present=False)
-
-
-def check_config(config):
-    mail_domain = config.mail_domain
+def get_ini_settings(mail_domain, inipath):
+    parser = configparser.ConfigParser()
+    parser.read(inipath)
+    settings = {key: value.strip() for (key, value) in parser["config"].items()}
     if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
-        blocked_words = "merlinux schmieder testrun.org".split()
-        for key in config.__dict__:
-            value = config.__dict__[key]
-            if key.startswith("privacy") and any(
-                x in str(value) for x in blocked_words
-            ):
+        for value in settings.values():
+            value = value.lower()
+            if "merlinux" in value or "schmieder" in value or "@testrun.org" in value:
                 raise ValueError(
-                    f"please set your own privacy contacts/addresses in {config._inipath}"
+                    f"please set your own privacy contacts/addresses in {inipath}"
                 )
-    return config
+    settings["mail_domain"] = mail_domain
+    return settings
 
 
-def deploy_chatmail(config_path: Path) -> None:
+def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None:
     """Deploy a chat-mail instance.
 
-    :param config_path: path to chatmail.ini
+    :param mail_domain: domain part of your future email addresses
+    :param mail_server: the DNS name under which your mail server is reachable
+    :param dkim_selector:
     """
-    config = read_config(config_path)
-    check_config(config)
-    mail_domain = config.mail_domain
-
     from .www import build_webpages
 
     apt.update(name="apt update", cache_time=24 * 3600)
     server.group(name="Create vmail group", group="vmail", system=True)
     server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
-    apt.packages(
-        name="Install rsync",
-        packages=["rsync"],
-    )
 
-    # Run local DNS resolver `unbound`.
-    # `resolvconf` takes care of setting up /etc/resolv.conf
-    # to use 127.0.0.1 as the resolver.
-    apt.packages(
-        name="Install unbound",
-        packages=["unbound", "unbound-anchor", "dnsutils"],
-    )
-    server.shell(
-        name="Generate root keys for validating DNSSEC",
-        commands=[
-            "unbound-anchor -a /var/lib/unbound/root.key || true",
-            "systemctl reset-failed unbound.service",
-        ],
-    )
-    systemd.service(
-        name="Start and enable unbound",
-        service="unbound.service",
-        running=True,
-        enabled=True,
+    server.group(name="Create opendkim group", group="opendkim", system=True)
+    server.user(
+        name="Add postfix user to opendkim group for socket access",
+        user="postfix",
+        groups=["opendkim"],
+        system=True,
     )
 
     # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(
-        nginx_hook=True,
-        domains=[mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"],
-    )
+    deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
 
     apt.packages(
         name="Install Postfix",
@@ -515,7 +350,15 @@ def deploy_chatmail(config_path: Path) -> None:
 
     apt.packages(
         name="Install Dovecot",
-        packages=["dovecot-imapd", "dovecot-lmtpd", "dovecot-sieve"],
+        packages=["dovecot-imapd", "dovecot-lmtpd"],
+    )
+
+    apt.packages(
+        name="Install OpenDKIM",
+        packages=[
+            "opendkim",
+            "opendkim-tools",
+        ],
     )
 
     apt.packages(
@@ -528,23 +371,24 @@ def deploy_chatmail(config_path: Path) -> None:
         packages=["fcgiwrap"],
     )
 
-    www_path = importlib.resources.files(__package__).joinpath("../../../www").resolve()
+    pkg_root = importlib.resources.files(__package__)
+    chatmail_ini = pkg_root.joinpath("../../../chatmail.ini").resolve()
+    config = get_ini_settings(mail_domain, chatmail_ini)
+    www_path = pkg_root.joinpath("../../../www").resolve()
 
     build_dir = www_path.joinpath("build")
     src_dir = www_path.joinpath("src")
     build_webpages(src_dir, build_dir, config)
     files.rsync(f"{build_dir}/", "/var/www/html", flags=["-avz"])
 
-    _install_remote_venv_with_chatmaild(config)
+    _install_chatmaild()
     debug = False
-    dovecot_need_restart = _configure_dovecot(config, debug=debug)
-    postfix_need_restart = _configure_postfix(config, debug=debug)
+    dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
+    postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
+    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
     mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(mail_domain)
 
-    _remove_rspamd()
-    opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
-
     systemd.service(
         name="Start and enable OpenDKIM",
         service="opendkim.service",

deploy-chatmail/src/deploy_chatmail/acmetool/__init__.py

@@ -1,8 +1,6 @@
 import importlib.resources
 
-from pyinfra.operations import apt, files, systemd, server
-from pyinfra import host
-from pyinfra.facts.systemd import SystemdStatus
+from pyinfra.operations import apt, files, server
 
 
 def deploy_acmetool(nginx_hook=False, email="", domains=[]):
@@ -48,30 +46,6 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
         mode="644",
     )
 
-    service_file = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "acmetool-redirector.service"
-        ),
-        dest="/etc/systemd/system/acmetool-redirector.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    if host.get_fact(SystemdStatus).get("nginx.service"):
-        systemd.service(
-            name="Stop nginx service to free port 80",
-            service="nginx",
-            running=False,
-        )
-
-    systemd.service(
-        name="Setup acmetool-redirector service",
-        service="acmetool-redirector.service",
-        running=True,
-        enabled=True,
-        restarted=service_file.changed,
-    )
-
     server.shell(
         name=f"Request certificate for: { ', '.join(domains) }",
         commands=[f"acmetool want { ' '.join(domains)}"],

deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.cron

@@ -0,0 +1,4 @@
+SHELL=/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
+MAILTO=root
+20 16 * * * root /usr/bin/acmetool --batch reconcile

deploy-chatmail/src/deploy_chatmail/deploy.py

@@ -0,0 +1,19 @@
+import os
+import pyinfra
+from deploy_chatmail import deploy_chatmail
+
+
+def main():
+    mail_domain = os.getenv("CHATMAIL_DOMAIN")
+    mail_server = os.getenv("CHATMAIL_SERVER", mail_domain)
+    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "dkim")
+
+    assert mail_domain
+    assert mail_server
+    assert dkim_selector
+
+    deploy_chatmail(mail_domain, mail_server, dkim_selector)
+
+
+if pyinfra.is_cli:
+    main()

deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf

@@ -0,0 +1,5 @@
+uri = proxy:/run/dovecot/doveauth.socket:auth
+iterate_disable = yes
+default_pass_scheme = plain
+password_key = passdb/%w/%u
+user_key = userdb/%u

deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2

@@ -13,21 +13,13 @@ auth_cache_size = 100M
 mail_debug = yes
 {% endif %}
 
-# Prevent warnings similar to:
-#   config: Warning: service auth { client_limit=1000 } is lower than required under max. load (10200). Counted for protocol services with service_count != 1: service lmtp { process_limit=100 } + service imap-urlauth-login { process_limit=100 } + service imap-login { process_limit=10000 }
-#   config: Warning: service anvil { client_limit=1000 } is lower than required under max. load (10103). Counted with: service imap-urlauth-login { process_limit=100 } + service imap-login { process_limit=10000 } + service auth { process_limit=1 }
-#   master: Warning: service(stats): client_limit (1000) reached, client connections are being dropped
-default_client_limit = 20000
-
-mail_server_admin = mailto:root@{{ config.mail_domain }}
-mail_server_comment = Chatmail server
 
 mail_plugins = quota
 
 # these are the capabilities Delta Chat cares about actually 
 # so let's keep the network overhead per login small
 # https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
-imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE NOTIFY METADATA XDELTAPUSH
+imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE NOTIFY
 
 
 # Authentication for system users.
@@ -77,32 +69,14 @@ mail_privileged_group = vmail
 ## Mail processes
 ##
 
-# Pass all IMAP METADATA requests to the server implementing Dovecot's dict protocol.
-mail_attribute_dict = proxy:/run/dovecot/metadata.socket:metadata
-
 # Enable IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
   mail_plugins = $mail_plugins imap_zlib imap_quota
-  imap_metadata = yes
 }
 
 protocol lmtp {
-  # quota plugin documentation:
-  # <https://doc.dovecot.org/configuration_manual/quota_plugin/>
-  #
-  # notify plugin is a dependency of push_notification plugin:
-  # <https://doc.dovecot.org/settings/plugin/notify-plugin/>
-  #
-  # push_notification plugin documentation:
-  # <https://doc.dovecot.org/configuration_manual/push_notification/>
-  #
-  # mail_lua and push_notification_lua are needed for Lua push notification handler.
-  # <https://doc.dovecot.org/configuration_manual/push_notification/#configuration>
-  #
-  # Sieve to mark messages that should not be notified as \Seen
-  # <https://doc.dovecot.org/configuration_manual/sieve/configuration/>
-  mail_plugins = $mail_plugins quota mail_lua notify push_notification push_notification_lua sieve
+  mail_plugins = $mail_plugins quota
 }
 
 plugin {
@@ -112,21 +86,13 @@ plugin {
 plugin {
   # for now we define static quota-rules for all users 
   quota = maildir:User quota
-  quota_rule = *:storage={{ config.max_mailbox_size }}
+  quota_rule = *:storage=100M
   quota_max_mail_size=30M
   quota_grace = 0
   # quota_over_flag_value = TRUE
 }
 
-# push_notification configuration
-plugin {
-  # <https://doc.dovecot.org/configuration_manual/push_notification/#lua-lua>
-  push_notification_driver = lua:file=/etc/dovecot/push_notification.lua
-}
 
-plugin {
-  sieve_default = file:/etc/dovecot/default.sieve
-}
 
 service lmtp {
   user=vmail
@@ -171,8 +137,8 @@ service imap-login {
 }
 
 ssl = required
-ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
-ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
+ssl_cert = </var/lib/acme/live/{{ config.hostname }}/fullchain
+ssl_key = </var/lib/acme/live/{{ config.hostname }}/privkey
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes

deploy-chatmail/src/deploy_chatmail/dovecot/expunge.cron

@@ -0,0 +1,4 @@
+2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d INBOX
+2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d Deltachat
+2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d Trash
+2 30 * * * dovecot doveadm purge -A

deploy-chatmail/src/deploy_chatmail/genqr.py

@@ -6,7 +6,7 @@ import io
 
 
 def gen_qr_png_data(maildomain):
-    url = f"DCACCOUNT:https://{maildomain}/new"
+    url = f"DCACCOUNT:https://{maildomain}/cgi-bin/newemail.py"
     image = gen_qr(maildomain, url)
     temp = io.BytesIO()
     image.save(temp, format="png")
@@ -52,7 +52,7 @@ def gen_qr(maildomain, url):
     height = size + text_height
 
     image = Image.new("RGBA", (width, height), "white")
-    qr_final_size = width - (qr_padding * 2)
+    qr_final_size = width
 
     if num_lines:
         draw = ImageDraw.Draw(image)

deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2

@@ -0,0 +1,55 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	sendfile on;
+	tcp_nopush on;
+
+	# Do not emit nginx version on error pages.
+	server_tokens off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
+
+	gzip on;
+
+	server {
+		listen 443 ssl default_server;
+		listen [::]:443 ssl default_server;
+
+		root /var/www/html;
+
+		index index.html index.htm;
+
+		server_name _;
+
+		location / {
+			# First attempt to serve request as file, then
+			# as directory, then fall back to displaying a 404.
+			try_files $uri $uri/ =404;
+		}
+
+        # add cgi-bin support
+        include /usr/share/doc/fcgiwrap/examples/nginx.conf;
+	}
+    server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        server_name _;
+
+        return 301 https://$host$request_uri;
+    }
+}
+

deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable

@@ -0,0 +1 @@
+dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private

deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf

@@ -8,12 +8,10 @@ SyslogSuccess		yes
 # oversigned, because it is often the identity key used by reputation systems
 # and thus somewhat security sensitive.
 Canonicalization	relaxed/simple
+#Mode			sv
+#SubDomains		no
 OversignHeaders		From
 
-On-BadSignature         reject
-On-KeyNotFound          reject
-On-NoSignature          reject
-
 # Signing domain, selector, and key (required). For example, perform signing
 # for domain "example.com" with selector "2020" (2020._domainkey.example.com),
 # using the private key stored in /etc/dkimkeys/example.private. More granular
@@ -24,15 +22,6 @@ KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
 KeyTable          /etc/dkimkeys/KeyTable
 SigningTable      refile:/etc/dkimkeys/SigningTable
 
-# Sign Autocrypt header in addition to the default specified in RFC 6376.
-SignHeaders *,+autocrypt
-
-# Script to ignore signatures that do not correspond to the From: domain.
-ScreenPolicyScript /etc/opendkim/screen.lua
-
-# Script to reject mails without a valid DKIM signature.
-FinalPolicyScript /etc/opendkim/final.lua
-
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
 # user (for example, Postfix). You may need to add user "postfix" to group
@@ -40,10 +29,22 @@ FinalPolicyScript /etc/opendkim/final.lua
 UserID			opendkim
 UMask			007
 
+# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
+# it must be ensured that the socket is accessible. In Debian, Postfix runs in
+# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
+# configured as shown on the last line below.
+#Socket			local:/run/opendkim/opendkim.sock
+#Socket			inet:8891@localhost
+#Socket			inet:8891
 Socket			local:/var/spool/postfix/opendkim/opendkim.sock
 
 PidFile			/run/opendkim/opendkim.pid
 
+# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
+# OPERATION section of opendkim(8) for more information.
+#InternalHosts		192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
+
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile		/usr/share/dns/root.key
+#Nameservers		127.0.0.1

deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2

@@ -0,0 +1,51 @@
+myorigin = {{ config.domain_name }}
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters
+smtpd_tls_cert_file=/var/lib/acme/live/{{ config.domain_name }}/fullchain
+smtpd_tls_key_file=/var/lib/acme/live/{{ config.domain_name }}/privkey
+smtpd_tls_security_level=may
+
+smtp_tls_CApath=/etc/ssl/certs
+smtp_tls_security_level=may
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ config.domain_name }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+
+# Postfix does not deliver mail for any domain by itself.
+# Primary domain is listed in `virtual_mailbox_domains` instead
+# and handed over to Dovecot.
+mydestination =
+
+relayhost = 
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+# maximum 30MB sized messages
+message_size_limit = 31457280
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = {{ config.domain_name }}
+
+smtpd_milters = unix:opendkim/opendkim.sock
+non_smtpd_milters = $smtpd_milters

deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2

@@ -11,10 +11,13 @@
 # ==========================================================================
 {% if debug == true %}
 smtp      inet  n       -       y       -       -       smtpd -v
-{%- else %}
+{% else %}
 smtp      inet  n       -       y       -       -       smtpd 
-{%- endif %}
-  -o smtpd_milters=unix:opendkim/opendkim.sock
+{% endif %}
+#smtp      inet  n       -       y       -       1       postscreen
+#smtpd     pass  -       -       y       -       -       smtpd
+#dnsblog   unix  -       -       y       -       0       dnsblog
+#tlsproxy  unix  -       -       y       -       0       tlsproxy
 submission inet n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
@@ -30,8 +33,7 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
   -o smtpd_client_connection_count_limit=1000
-  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
-  -o cleanup_service_name=authclean
+  -o smtpd_proxy_filter=127.0.0.1:10080
 smtps     inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
@@ -47,8 +49,7 @@ smtps     inet  n       -       y       -       -       smtpd
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o smtpd_client_connection_count_limit=1000
   -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
-  -o cleanup_service_name=authclean
+  -o smtpd_proxy_filter=127.0.0.1:10080
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
@@ -77,16 +78,5 @@ scache    unix  -       -       y       -       1       scache
 postlog   unix-dgram n  -       n       -       1       postlogd
 filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting filered mail.
-localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
+localhost:10025 inet  n       -       n       -       10      smtpd
   -o syslog_name=postfix/reinject
-  -o smtpd_milters=unix:opendkim/opendkim.sock
-  -o cleanup_service_name=authclean
-
-# Cleanup `Received` headers for authenticated mail
-# to avoid leaking client IP.
-#
-# We do not do this for received mails
-# as this will break DKIM signatures
-# if `Received` header is signed.
-authclean unix  n       -       -       -       0       cleanup
-  -o header_checks=regexp:/etc/postfix/submission_header_cleanup

deploy-chatmail/src/deploy_chatmail/www.py

@@ -7,7 +7,7 @@ import traceback
 import markdown
 from jinja2 import Template
 from .genqr import gen_qr_png_data
-from chatmaild.config import read_config
+from deploy_chatmail import get_ini_settings
 
 
 def snapshot_dir_stats(somedir):
@@ -36,32 +36,8 @@ def build_webpages(src_dir, build_dir, config):
         print(traceback.format_exc())
 
 
-def int_to_english(number):
-    if number >= 0 and number <= 12:
-        a = [
-            "zero",
-            "one",
-            "two",
-            "three",
-            "four",
-            "five",
-            "six",
-            "seven",
-            "eight",
-            "nine",
-            "ten",
-            "eleven",
-            "twelve",
-        ]
-        return a[number]
-    elif number <= 50:
-        return str(number)
-    if number > 50:
-        return "more"
-
-
 def _build_webpages(src_dir, build_dir, config):
-    mail_domain = config.mail_domain
+    mail_domain = config["mail_domain"]
     assert src_dir.exists(), src_dir
     if not build_dir.exists():
         build_dir.mkdir()
@@ -72,15 +48,6 @@ def _build_webpages(src_dir, build_dir, config):
     for path in src_dir.iterdir():
         if path.suffix == ".md":
             render_vars, content = prepare_template(path)
-            render_vars["username_min_length"] = int_to_english(
-                config.username_min_length
-            )
-            render_vars["username_max_length"] = int_to_english(
-                config.username_max_length
-            )
-            render_vars["password_min_length"] = int_to_english(
-                config.password_min_length
-            )
             target = build_dir.joinpath(path.stem + ".html")
 
             # recursive jinja2 rendering
@@ -99,12 +66,12 @@ def _build_webpages(src_dir, build_dir, config):
 
 
 def main():
+    chatmail_domain = "example.testrun.org"
     path = importlib.resources.files(__package__)
     reporoot = path.joinpath("../../../").resolve()
     inipath = reporoot.joinpath("chatmail.ini")
-    config = read_config(inipath)
-    config.webdev = True
-    assert config.mail_domain
+    config = get_ini_settings(chatmail_domain, inipath)
+    config["webdev"] = True
     www_path = reporoot.joinpath("www")
     src_path = www_path.joinpath("src")
     stats = None

plan.txt

@@ -0,0 +1,65 @@
+# Chat-mail server development (up until Oct 18th)
+
+## Dovecot goals/steps
+
+- automatic expiry of messages older than M days
+   - also expunge unread messages
+
+- limit: configure max-connections per account
+
+
+## nami: send out rate limit / rspamd
+
+- basic outgoing send rate/limits (depending on "account-rating")
+  use rspamd in a minimal way, check support dkim-signing
+  (including an online test exceeding rate limit)
+
+
+## doveauth questions/futures
+
+- bcrypt-password scheme is slow: require long passwords, use faster hashing
+
+- define user-name and password policies, and implement them
+  (be very restrictive at the beginning, we can relax later)
+
+- password is part of the dictproxy-lookup key, is it safe to use auth-caching?
+
+
+## How to limit creation of accounts?
+
+attack: a 3-line bash script to fill the chatmail db with millions of unused accouts
+
+- make it computationally expensive (somehow try to except our tests from it)
+  1st pass instant onboarding: create userid + cheap password -- if it fails then
+  2nd pass instant onboarding: create userdid + comput. expensive password
+
+- probably also do firewall: limit number of new tcp-connections per IP address per duration
+
+
+## Open/deferred questions
+
+- automatic expiry of users that haven't logged in for N days
+  Is it neccessary?  If all messages are gone, does the existence of
+  an e-mail address bother anybody?
+
+
+## web page for chat-mail servers?
+
+- documentation for users, privacy policy etc.
+  (probably also with provider-messages ...)
+
+
+## online tests (first with plain python/pytest)
+
+- write tests for dovecot login (exists)
+- write tests for postfix logins (exists)
+- write A<>B send/receive tests (exists)
+
+
+## Delta Chat
+
+1. qr code that defines access to a chatmail instance (like mailadm but without http etc.)
+
+2. support for creating username/password and verifying login works
+
+

scripts/bench.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+venv/bin/pytest tests/online/benchmark.py -vrx

scripts/cmdeploy

@@ -1,6 +0,0 @@
-#!/usr/bin/env bash
-#
-# Wrapper for cmdelpoy to run it in activated virtualenv.
-set -e
-. venv/bin/activate
-cmdeploy "$@"

scripts/deploy.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+echo -----------------------------------------
+echo deploying to $CHATMAIL_DOMAIN 
+echo -----------------------------------------
+
+echo WARNING: in five seconds deploy to $CHATMAIL_DOMAIN starts
+sleep 5
+
+venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
+
+venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
+    deploy-chatmail/src/deploy_chatmail/deploy.py
+
+rm -r dist/

scripts/generate-dns-zone.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+: ${CHATMAIL_DOMAIN:=c1.testrun.org}
+: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
+
+set -e
+SSH="ssh root@$CHATMAIL_SSH"
+EMAIL="root@$CHATMAIL_DOMAIN"
+ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
+
+cat <<EOF
+$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
+$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
+_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
+_submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
+_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
+_imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
+_imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
+$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
+_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
+mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.
+_smtp._tls.$CHATMAIL_DOMAIN. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
+EOF
+$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'

scripts/get_imap_capabilities.py

@@ -0,0 +1,14 @@
+import os
+import time
+import imaplib
+
+domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
+
+print("connecting")
+conn = imaplib.IMAP4_SSL(domain)
+print("logging in")
+conn.login(f"imapcapa", "pass")
+status, res = conn.capability()
+for capa in sorted(res[0].decode().split()):
+    print(capa)
+

scripts/init.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+python3 -m venv venv
+pip=venv/bin/pip
+
+$pip install pyinfra pytest build 'setuptools>=68' tox 
+$pip install -e deploy-chatmail 
+$pip install -e chatmaild 

scripts/initenv.sh

@@ -1,6 +0,0 @@
-#!/bin/bash
-set -e
-python3 -m venv --upgrade-deps venv
-
-venv/bin/pip install -e chatmaild 
-venv/bin/pip install -e cmdeploy

scripts/measure_tls_and_logins.py

@@ -0,0 +1,28 @@
+#!/usr/bin/env python3
+import os
+import time
+import imaplib
+
+domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
+
+NUM_CONNECTIONS=10
+
+conns = []
+
+start = time.time()
+for i in range(NUM_CONNECTIONS):
+    print(f"opening connection {i} to {domain}")
+    conn = imaplib.IMAP4_SSL(domain)
+    conns.append(conn)
+
+tlsdone = time.time()
+duration = tlsdone-start
+print(f"{duration}: TLS connections opening TLS connections")
+
+for i, conn in enumerate(conns):
+    print(f"logging into connection {i}")
+    conn.login(f"measure{i}", "pass")
+
+logindone = time.time()
+duration = logindone - tlsdone
+print(f"{duration}: LOGINS done")

scripts/remote-deploy.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+: ${CHATMAIL_DOMAIN:=c1.testrun.org}
+: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
+
+rsync -avz . "root@$CHATMAIL_SSH:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
+ssh "root@$CHATMAIL_SSH" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"

scripts/test.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+venv/bin/tox -c chatmaild
+venv/bin/tox -c deploy-chatmail
+venv/bin/pytest tests/online -rs -vrx --durations=5 $@

scripts/webdev.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+echo -----------------------------------------
+echo starting local webdev 
+echo -----------------------------------------
+
+venv/bin/python3 -m deploy_chatmail.www 
+
+

tests/chatmaild/test_doveauth.py

@@ -0,0 +1,90 @@
+import json
+import sys
+import pytest
+import threading
+import queue
+import traceback
+
+import chatmaild.doveauth
+from chatmaild.doveauth import get_user_data, lookup_passdb, handle_dovecot_request
+from chatmaild.database import Database, DBError
+
+
+def test_basic(db):
+    lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
+    data = get_user_data(db, "link2xt@c1.testrun.org")
+    assert data
+    data2 = lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
+    assert data == data2
+
+
+def test_dont_overwrite_password_on_wrong_login(db):
+    """Test that logging in with a different password doesn't create a new user"""
+    res = lookup_passdb(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
+    assert res["password"]
+    res2 = lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
+    # this function always returns a password hash, which is actually compared by dovecot.
+    assert res["password"] == res2["password"]
+
+
+def test_nocreate_file(db, monkeypatch, tmpdir):
+    p = tmpdir.join("nocreate")
+    p.write("")
+    monkeypatch.setattr(chatmaild.doveauth, "NOCREATE_FILE", str(p))
+    lookup_passdb(db, "newuser1@something.org", "zequ0Aimuchoodaechik")
+    assert not get_user_data(db, "newuser1@something.org")
+
+
+def test_db_version(db):
+    assert db.get_schema_version() == 1
+
+
+def test_too_high_db_version(db):
+    with db.write_transaction() as conn:
+        conn.execute("PRAGMA user_version=%s;" % (999,))
+    with pytest.raises(DBError):
+        db.ensure_tables()
+
+
+def test_handle_dovecot_request(db):
+    msg = (
+        "Lshared/passdb/laksjdlaksjdlaksjdlk12j3l1k2j3123/"
+        "some42@c3.testrun.org\tsome42@c3.testrun.org"
+    )
+    res = handle_dovecot_request(msg, db, "c3.testrun.org")
+    assert res
+    assert res[0] == "O" and res.endswith("\n")
+    userdata = json.loads(res[1:].strip())
+    assert userdata["home"] == "/home/vmail/some42@c3.testrun.org"
+    assert userdata["uid"] == userdata["gid"] == "vmail"
+    assert userdata["password"].startswith("{SHA512-CRYPT}")
+
+
+def test_100_concurrent_lookups_different_accounts(db, gencreds):
+    num_threads = 100
+    req_per_thread = 5
+    results = queue.Queue()
+
+    def lookup(db):
+        for i in range(req_per_thread):
+            addr, password = gencreds()
+            try:
+                lookup_passdb(db, addr, password)
+            except Exception:
+                results.put(traceback.format_exc())
+            else:
+                results.put(None)
+
+    threads = []
+    for i in range(num_threads):
+        thread = threading.Thread(target=lookup, args=(db,), daemon=True)
+        threads.append(thread)
+
+    print(f"created {num_threads} threads, starting them and waiting for results")
+    for thread in threads:
+        thread.start()
+
+    for i in range(num_threads * req_per_thread):
+        res = results.get()
+        if res is not None:
+            pytest.fail(f"concurrent lookup failed\n{res}")

tests/chatmaild/test_filtermail.py

@@ -0,0 +1,82 @@
+from chatmaild.filtermail import check_encrypted, check_DATA, SendRateLimiter, check_mdn
+import pytest
+
+
+@pytest.fixture
+def maildomain():
+    # let's not depend on a real chatmail instance for the offline tests below
+    return "chatmail.example.org"
+
+
+def test_reject_forged_from(maildata, gencreds):
+    class env:
+        mail_from = gencreds()[0]
+        rcpt_tos = [gencreds()[0]]
+
+    # test that the filter lets good mail through
+    env.content = maildata("plain.eml", from_addr=env.mail_from).as_bytes()
+    assert not check_DATA(envelope=env)
+
+    # test that the filter rejects forged mail
+    env.content = maildata("plain.eml", from_addr="forged@c3.testrun.org").as_bytes()
+    error = check_DATA(envelope=env)
+    assert "500" in error
+
+
+def test_filtermail_no_encryption_detection(maildata):
+    msg = maildata("plain.eml")
+    assert not check_encrypted(msg)
+
+    # https://xkcd.com/1181/
+    msg = maildata("fake-encrypted.eml")
+    assert not check_encrypted(msg)
+
+
+def test_filtermail_encryption_detection(maildata):
+    msg = maildata("encrypted.eml")
+    assert check_encrypted(msg)
+
+    # if the subject is not "..." it is not considered ac-encrypted
+    msg.replace_header("Subject", "Click this link")
+    assert not check_encrypted(msg)
+
+
+def test_filtermail_is_mdn(maildata, gencreds):
+    from_addr = gencreds()[0]
+    to_addr = gencreds()[0] + ".other"
+    msg = maildata("mdn.eml", from_addr, to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    assert check_mdn(msg, env)
+    print(msg.as_string())
+    assert not check_DATA(env)
+
+
+def test_filtermail_to_multiple_recipients_no_mdn(maildata, gencreds):
+    from_addr = gencreds()[0]
+    to_addr = gencreds()[0] + ".other"
+    thirdaddr = gencreds()[0]
+    msg = maildata("mdn.eml", from_addr, to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr, thirdaddr]
+        content = msg.as_bytes()
+
+    assert not check_mdn(msg, env)
+
+
+def test_send_rate_limiter():
+    limiter = SendRateLimiter()
+    for i in range(100):
+        if limiter.is_sending_allowed("some@example.org"):
+            if i <= SendRateLimiter.MAX_USER_SEND_PER_MINUTE:
+                continue
+            pytest.fail("limiter didn't work")
+        else:
+            assert i == SendRateLimiter.MAX_USER_SEND_PER_MINUTE + 1
+            break

tests/chatmaild/test_newmail.py

@@ -4,24 +4,26 @@ import chatmaild
 from chatmaild.newemail import create_newemail_dict, print_new_account
 
 
-def test_create_newemail_dict(example_config):
-    ac1 = create_newemail_dict(example_config)
+def test_create_newemail_dict():
+    ac1 = create_newemail_dict(domain="example.org")
     assert "@" in ac1["email"]
     assert len(ac1["password"]) >= 10
 
-    ac2 = create_newemail_dict(example_config)
+    ac2 = create_newemail_dict(domain="example.org")
 
     assert ac1["email"] != ac2["email"]
     assert ac1["password"] != ac2["password"]
 
 
-def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_config):
-    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(example_config._inipath))
+def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir):
+    p = tmpdir.join("mailname")
+    p.write(maildomain)
+    monkeypatch.setattr(chatmaild.newemail, "mailname_path", str(p))
     print_new_account()
     out, err = capsys.readouterr()
     lines = out.split("\n")
     assert lines[0] == "Content-Type: application/json"
     assert not lines[1]
     dic = json.loads(lines[2])
-    assert dic["email"].endswith(f"@{example_config.mail_domain}")
+    assert dic["email"].endswith(f"@{maildomain}")
     assert len(dic["password"]) >= 10

tests/conftest.py

@@ -6,11 +6,12 @@ import subprocess
 import imaplib
 import smtplib
 import itertools
+from email.parser import BytesParser
+from email import policy
 from pathlib import Path
 import pytest
 
 from chatmaild.database import Database
-from chatmaild.config import read_config
 
 
 conftestdir = Path(__file__).parent
@@ -37,22 +38,11 @@ def pytest_runtest_setup(item):
 
 
 @pytest.fixture
-def chatmail_config(pytestconfig):
-    current = basedir = Path().resolve()
-    while 1:
-        path = current.joinpath("chatmail.ini").resolve()
-        if path.exists():
-            return read_config(path)
-        if current == current.parent:
-            break
-        current = current.parent
-
-    pytest.skip(f"no chatmail.ini file found in {basedir} or parent dirs")
-
-
-@pytest.fixture
-def maildomain(chatmail_config):
-    return chatmail_config.mail_domain
+def maildomain():
+    domain = os.environ.get("CHATMAIL_DOMAIN")
+    if not domain:
+        pytest.skip("set CHATMAIL_DOMAIN to a ssh-reachable chatmail instance")
+    return domain
 
 
 @pytest.fixture
@@ -228,25 +218,18 @@ def imap_or_smtp(request):
 
 
 @pytest.fixture
-def gencreds(chatmail_config):
+def gencreds(maildomain):
     count = itertools.count()
     next(count)
 
     def gen(domain=None):
-        domain = domain if domain else chatmail_config.mail_domain
+        domain = domain if domain else maildomain
         while 1:
             num = next(count)
             alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
-            user = "".join(
-                random.choices(alphanumeric, k=chatmail_config.username_max_length)
-            )
-            if domain == "nine.testrun.org":
-                user = f"ac{num}_{user}"[:9]
-            else:
-                user = f"ac{num}_{user}"[: chatmail_config.username_max_length]
-            password = "".join(
-                random.choices(alphanumeric, k=chatmail_config.password_min_length)
-            )
+            user = "".join(random.choices(alphanumeric, k=10))
+            user = f"ac{num}_{user}"[:9]
+            password = "".join(random.choices(alphanumeric, k=12))
             yield f"{user}@{domain}", f"{password}"
 
     return lambda domain=None: next(gen(domain))
@@ -300,10 +283,8 @@ def cmfactory(request, gencreds, tmpdir, maildomain):
     pytest.importorskip("deltachat")
     from deltachat.testplugin import ACFactory
 
-    data = request.getfixturevalue("data")
-
     testproc = ChatmailTestProcess(request.config, maildomain, gencreds)
-    am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=data)
+    am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=None)
 
     # nb. a bit hacky
     # would probably be better if deltachat's test machinery grows native support
@@ -357,6 +338,22 @@ def lp(request):
     return LP()
 
 
+@pytest.fixture
+def maildata(request, gencreds):
+    datadir = conftestdir.joinpath("mail-data")
+
+    def maildata(name, from_addr=None, to_addr=None):
+        if from_addr is None:
+            from_addr = gencreds()[0]
+        if to_addr is None:
+            to_addr = gencreds()[0]
+        data = datadir.joinpath(name).read_text()
+        text = data.format(from_addr=from_addr, to_addr=to_addr)
+        return BytesParser(policy=policy.default).parsebytes(text.encode())
+
+    return maildata
+
+
 @pytest.fixture
 def cmsetup(maildomain, gencreds):
     return CMSetup(maildomain, gencreds)