make 'experimental' more outstanding

use a class for the banner, make sure it is always width of page
add domain right of the menu, standardize menu help-code
2026-05-10 16:04:37 +00:00 · 2023-12-12 19:46:26 +01:00 · 2023-12-12 19:39:30 +01:00 · 2023-12-12 19:27:39 +01:00 · 2023-12-12 18:48:24 +01:00 · 2023-12-11 18:26:50 +01:00
88 changed files with 3669 additions and 573 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -6,26 +6,35 @@ on:
 jobs:
  tox:
-    name: chatmail tests
+    name: isolated chatmaild tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
      - name: run deploy-chatmail offline tests 
        working-directory: deploy-chatmail
        run: pipx run tox
      - name: run deploy-chatmail offline tests 
        working-directory: deploy-chatmail
        run: pipx run tox
  scripts:
-    name: chatmail script invocations 
+    name: deploy-chatmail tests 
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - name: run init.sh 
+
-        run: ./scripts/init.sh 
+      - name: initenv 
-      - name: run test.sh 
+        run: scripts/initenv.sh
-        run: ./scripts/test.sh 
+
      - name: append venv/bin to PATH
        run: echo venv/bin >>$GITHUB_PATH
      - name: run formatting checks 
        run: cmdeploy fmt -v 
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 
      - name: initialize with chatmail domain
        run: cmdeploy init chat.example.org  
      # all other cmdeploy commands require a staging server 
      # see https://github.com/deltachat/chatmail/issues/100
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,9 @@ __pycache__/
 *.py[cod]
 *$py.class
 *.swp
 *qr-*.png
 chatmail.ini
 # C extensions
 *.so
--- a/README.md
+++ b/README.md
@@ -1,6 +1,9 @@
 # Chatmail instances optimized for Delta Chat apps 
-This repository helps to setup a ready-to-use chatmail instance
+<img width="800px" src="www/src/collage-top.png"/>
 # Chatmail services optimized for Delta Chat apps 
 This repository helps to setup a ready-to-use chatmail server
 comprised of a minimal setup of the battle-tested 
 [postfix smtp](https://www.postfix.org) and [dovecot imap](https://www.dovecot.org) services. 
@@ -10,32 +13,93 @@ for use by [Delta Chat apps](https://delta.chat).
 Chatmail accounts are automatically created by a first login, 
 after which the initially specified password is required for using them. 
-## Getting Started deploying your own chatmail instance
+## Deploying your own chatmail server 
-1. Prepare your local (presumably Linux) system:
+We subsequently use `CHATMAIL_DOMAIN` as a placeholder for your fully qualified 
 DNS domain name (FQDN), for example `chat.example.org`.
-    scripts/init.sh 
+1. Setup DNS `A` and `AAAA` records for your `CHATMAIL_DOMAIN`. 
   Verify that DNS is set and SSH root login works:
-2. Setup a domain with `A` and `AAAA` records for your chatmail server.
+   ```
        ssh root@CHATMAIL_DOMAIN 
   ```
-3. Set environment variable to the chatmail domain you want to setup:
+2. Install the `cmdeploy` command in a virtualenv 
-    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
+   ```
    source scripts/initenv.sh
   ```
 3. Create chatmail configuration file `chatmail.ini`:
-4. Deploy the chat mail instance to your chatmail server: 
+   ```
    cmdeploy init CHATMAIL_DOMAIN
   ```
-    scripts/deploy.sh 
+4. Deploy to the remote chatmail server:
-   This script uses `pyinfra` and `ssh` to setup packages and configure
+   ```
-   the chatmail instance on your remote server. 
+    cmdeploy run 
   ```
-5. Run `scripts/generate-dns-zone.sh` and 
+5. To output a DNS zone file from which you can transfer DNS records 
-   transfer the generated DNS records at your DNS provider
+   to your DNS provider:
-6. Start a Delta Chat app and create a new account 
+   ```
-   by typing an e-mail address with an arbitrary username 
+    cmdeploy dns
-   and `@<your-chatmail-domain>` appended. 
+   ```
-   Use an at least 10-character random password. 
+
 6. To check status of your remotely running chatmail service: 
   ```
    cmdeploy status
   ```
 7. To test your chatmail service: 
   ```
    cmdeploy test
   ```
 8. To benchmark your chatmail service: 
   ```
    cmdeploy bench
   ```
 ### Refining the web pages 
 ``` 
    cmdeploy webdev 
 ```
 This starts a local live development cycle for chatmail Web pages: 
 - uses the `www/src/page-layout.html` file for producing static 
  HTML pages from `www/src/*.md` files
 - continously builds the web presence reading files from `www/src` directory
  and generating html files and copying assets to the `www/build` directory. 
 - Starts a browser window automatically where you can "refresh" as needed. 
 ### Home page and getting started for users 
 `cmdeploy run` sets up mail services,
 and also creates default static Web pages and deploys them: 
 - a default `index.html` along with a QR code that users can click to 
  create accounts on your chatmail provider,
 - a default `info.html` that is linked from the home page,
 - a default `policy.html` that is linked from the home page. 
 All `.html` files are generated 
 by the according markdown `.md` file in the `www/src` directory.
 ### Ports
--- a/chatmaild/MANIFEST.in
+++ b/chatmaild/MANIFEST.in
@@ -0,0 +1,4 @@
 include src/chatmaild/*.f 
 include src/chatmaild/ini/*.ini.f
 include src/chatmaild/ini/*.ini
 include src/chatmaild/tests/mail-data/*
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -1,20 +1,33 @@
 [build-system]
-requires = ["setuptools>=45"]
+requires = ["setuptools>=61"]
 build-backend = "setuptools.build_meta"
 [project]
 name = "chatmaild"
-version = "0.1"
+version = "0.2"
 dependencies = [
-  "aiosmtpd"
+  "aiosmtpd",
  "iniconfig",
 ]
 [tool.setuptools]
 include-package-data = true
 [tool.setuptools.packages.find]
 where = ['src']
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 filtermail = "chatmaild.filtermail:main"
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"
 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
 log_format = "%(asctime)s %(levelname)s %(message)s"
 log_date_format = "%Y-%m-%d %H:%M:%S"
 log_level = "INFO"
 [tool.tox]
 legacy_tox_ini = """
@@ -33,8 +46,7 @@ commands =
  ruff src/
 [testenv]
 passenv = CHATMAIL_DOMAIN
 deps = pytest 
       pdbpp 
-commands = pytest -v -rsXx {posargs: ../tests/chatmaild}
+commands = pytest -v -rsXx {posargs}
 """
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -0,0 +1,53 @@
 import iniconfig
 def read_config(inipath):
    cfg = iniconfig.IniConfig(inipath)
    return Config(inipath, params=cfg.sections["params"])
 class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
        self.mail_domain = params["mail_domain"]
        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
        self.postfix_reinject_port = int(params["postfix_reinject_port"])
        self.passthrough_recipients = params["passthrough_recipients"].split()
        self.privacy_postal = params.get("privacy_postal")
        self.privacy_mail = params.get("privacy_mail")
        self.privacy_pdo = params.get("privacy_pdo")
        self.privacy_supervisor = params.get("privacy_supervisor")
    def _getbytefile(self):
        return open(self._inipath, "rb")
 def write_initial_config(inipath, mail_domain):
    from importlib.resources import files
    inidir = files(__package__).joinpath("ini")
    content = (
        inidir.joinpath("chatmail.ini.f").read_text().format(mail_domain=mail_domain)
    )
    if mail_domain.endswith(".testrun.org"):
        override_inipath = inidir.joinpath("override-testrun.ini")
        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
        lines = []
        for line in content.split("\n"):
            for key, value in privacy.items():
                value_lines = value.strip().split("\n")
                if not line.startswith(f"{key} =") or not value_lines:
                    continue
                if len(value_lines) == 1:
                    lines.append(f"{key} = {value}")
                else:
                    lines.append(f"{key} =")
                    for vl in value_lines:
                        lines.append(f"    {vl}")
                break
            else:
                lines.append(line)
        content = "\n".join(lines)
    inipath.write_text(content)
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -28,8 +28,8 @@ def is_allowed_to_create(user, cleartext_password) -> bool:
        logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
        return False
-    if len(cleartext_password) < 10:
+    if len(cleartext_password) < 9:
-        logging.warning("Password needs to be at least 10 characters long")
+        logging.warning("Password needs to be at least 9 characters long")
        return False
    parts = user.split("@")
@@ -116,7 +116,7 @@ def handle_dovecot_request(msg, db, mail_domain):
 class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
-    pass
+    request_queue_size = 100
 def main():
@@ -128,14 +128,20 @@ def main():
    class Handler(StreamRequestHandler):
        def handle(self):
-            while True:
+            try:
-                msg = self.rfile.readline().strip().decode()
+                while True:
-                if not msg:
+                    msg = self.rfile.readline().strip().decode()
-                    break
+                    if not msg:
-                res = handle_dovecot_request(msg, db, mail_domain)
+                        break
-                if res:
+                    res = handle_dovecot_request(msg, db, mail_domain)
-                    self.wfile.write(res.encode("ascii"))
+                    if res:
-                    self.wfile.flush()
+                        self.wfile.write(res.encode("ascii"))
                        self.wfile.flush()
                    else:
                        logging.warn("request had no answer: %r", msg)
            except Exception:
                logging.exception("Exception in the handler")
                raise
    try:
        os.unlink(socket)
--- a/chatmaild/src/chatmaild/doveauth.service
+++ b/chatmaild/src/chatmaild/doveauth.service
@@ -1,10 +0,0 @@
 [Unit]
 Description=Dict authentication proxy for dovecot
 [Service]
 ExecStart=/usr/local/bin/doveauth /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/doveauth.service.f
+++ b/chatmaild/src/chatmaild/doveauth.service.f
@@ -0,0 +1,10 @@
 [Unit]
 Description=Chatmail dict authentication proxy for dovecot
 [Service]
 ExecStart={execpath} /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -7,10 +7,11 @@ from email.parser import BytesParser
 from email import policy
 from email.utils import parseaddr
 from aiosmtpd.smtp import SMTP
 from aiosmtpd.controller import Controller
 from smtplib import SMTP as SMTPClient
 from .config import read_config
 def check_encrypted(message):
    """Check that the message is an OpenPGP-encrypted message."""
@@ -62,19 +63,21 @@ def check_mdn(message, envelope):
    return True
-class SMTPController(Controller):
+async def asyncmain_beforequeue(config):
-    def factory(self):
+    port = config.filtermail_smtp_port
-        return SMTP(self.handler, **self.SMTP_kwargs)
+    Controller(BeforeQueueHandler(config), hostname="127.0.0.1", port=port).start()
 class BeforeQueueHandler:
-    def __init__(self):
+    def __init__(self, config):
        self.config = config
        self.send_rate_limiter = SendRateLimiter()
    async def handle_MAIL(self, server, session, envelope, address, mail_options):
        logging.info(f"handle_MAIL from {address}")
        envelope.mail_from = address
-        if not self.send_rate_limiter.is_sending_allowed(address):
+        max_sent = self.config.max_user_send_per_minute
        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
            return f"450 4.7.1: Too much mail from {address}"
        parts = envelope.mail_from.split("@")
@@ -85,62 +88,61 @@ class BeforeQueueHandler:
    async def handle_DATA(self, server, session, envelope):
        logging.info("handle_DATA before-queue")
-        error = check_DATA(envelope)
+        error = self.check_DATA(envelope)
        if error:
            return error
        logging.info("re-injecting the mail that passed checks")
-        client = SMTPClient("localhost", "10025")
+        client = SMTPClient("localhost", self.config.postfix_reinject_port)
        client.sendmail(envelope.mail_from, envelope.rcpt_tos, envelope.content)
        return "250 OK"
    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
        logging.info(f"Processing DATA message from {envelope.mail_from}")
-async def asyncmain_beforequeue(port):
+        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
-    Controller(BeforeQueueHandler(), hostname="127.0.0.1", port=port).start()
+        mail_encrypted = check_encrypted(message)
        _, from_addr = parseaddr(message.get("from").strip())
        logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
        if envelope.mail_from.lower() != from_addr.lower():
            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
-def check_DATA(envelope):
+        if not mail_encrypted and check_mdn(message, envelope):
-    """the central filtering function for e-mails."""
+            return
    logging.info(f"Processing DATA message from {envelope.mail_from}")
-    message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+        passthrough_recipients = self.config.passthrough_recipients
-    mail_encrypted = check_encrypted(message)
+        envelope_from_domain = from_addr.split("@").pop()
        for recipient in envelope.rcpt_tos:
            if envelope.mail_from == recipient:
                # Always allow sending emails to self.
                continue
            if recipient in passthrough_recipients:
                continue
            res = recipient.split("@")
            if len(res) != 2:
                return f"500 Invalid address <{recipient}>"
            _recipient_addr, recipient_domain = res
-    _, from_addr = parseaddr(message.get("from").strip())
+            is_outgoing = recipient_domain != envelope_from_domain
-    logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
+            if is_outgoing and not mail_encrypted:
-    if envelope.mail_from.lower() != from_addr.lower():
+                is_securejoin = message.get("secure-join") in [
-        return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
+                    "vc-request",
-
+                    "vg-request",
-    if not mail_encrypted and check_mdn(message, envelope):
+                ]
-        return
+                if not is_securejoin:
-
+                    return f"500 Invalid unencrypted mail to <{recipient}>"
    envelope_from_domain = from_addr.split("@").pop()
    for recipient in envelope.rcpt_tos:
        if envelope.mail_from == recipient:
            # Always allow sending emails to self.
            continue
        res = recipient.split("@")
        if len(res) != 2:
            return f"500 Invalid address <{recipient}>"
        _recipient_addr, recipient_domain = res
        is_outgoing = recipient_domain != envelope_from_domain
        if is_outgoing and not mail_encrypted:
            is_securejoin = message.get("secure-join") in ["vc-request", "vg-request"]
            if not is_securejoin:
                return f"500 Invalid unencrypted mail to <{recipient}>"
 class SendRateLimiter:
    MAX_USER_SEND_PER_MINUTE = 80
    def __init__(self):
        self.addr2timestamps = {}
-    def is_sending_allowed(self, mail_from):
+    def is_sending_allowed(self, mail_from, max_send_per_minute):
        last = self.addr2timestamps.setdefault(mail_from, [])
        now = time.time()
        last[:] = [ts for ts in last if ts >= (now - 60)]
-        if len(last) <= self.MAX_USER_SEND_PER_MINUTE:
+        if len(last) <= max_send_per_minute:
            last.append(now)
            return True
        return False
@@ -149,9 +151,10 @@ class SendRateLimiter:
 def main():
    args = sys.argv[1:]
    assert len(args) == 1
-    logging.basicConfig(level=logging.INFO)
+    config = read_config(args[0])
    logging.basicConfig(level=logging.WARN)
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
-    task = asyncmain_beforequeue(port=int(args[0]))
+    task = asyncmain_beforequeue(config)
    loop.create_task(task)
    loop.run_forever()
--- a/chatmaild/src/chatmaild/filtermail.service.f
+++ b/chatmaild/src/chatmaild/filtermail.service.f
@@ -2,7 +2,7 @@
 Description=Chatmail Postfix BeforeQeue filter 
 [Service]
-ExecStart=/usr/local/bin/filtermail 10080
+ExecStart={execpath} {config_path}
 Restart=always
 RestartSec=30
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -0,0 +1,33 @@
 [params]
 # mail domain (MUST be set to fully qualified chat mail domain)
 mail_domain = {mail_domain}
 #
 # If you only do private test deploys, you don't need to modify any settings below
 #
 # how many mails a user can send out per minute
 max_user_send_per_minute = 60
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 passthrough_recipients =
 # where the filtermail SMTP service listens
 filtermail_smtp_port = 10080
 # postfix accepts on the localhost reinject SMTP port
 postfix_reinject_port = 10025
 # postal address of privacy contact
 privacy_postal =
 # email address of privacy contact
 privacy_mail =
 # postal address of the privacy data officer
 privacy_pdo =
 # postal address of the privacy supervisor
 privacy_supervisor =
--- a/chatmaild/src/chatmaild/ini/override-testrun.ini
+++ b/chatmaild/src/chatmaild/ini/override-testrun.ini
@@ -0,0 +1,16 @@
 [privacy]
 passthrough_recipients = privacy@testrun.org
 privacy_postal =
    Merlinux GmbH, Represented by the managing director H. Krekel,
    Reichgrafen Str. 20, 79102 Freiburg, Germany
 privacy_mail = privacy@testrun.org
 privacy_pdo =
    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
 privacy_supervisor =
    State Commissioner for Data Protection and Freedom of Information of
    Baden-Württemberg in 70173 Stuttgart, Germany.
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -0,0 +1,28 @@
 #!/usr/bin/python3
 """ CGI script for creating new accounts. """
 import json
 import random
 mail_domain_path = "/etc/mailname"
 def create_newemail_dict(domain):
    alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
    user = "".join(random.choices(alphanumeric, k=9))
    password = "".join(random.choices(alphanumeric, k=12))
    return dict(email=f"{user}@{domain}", password=f"{password}")
 def print_new_account():
    domain = open(mail_domain_path).read().strip()
    creds = create_newemail_dict(domain=domain)
    print("Content-Type: application/json")
    print("")
    print(json.dumps(creds))
 if __name__ == "__main__":
    print_new_account()
--- a/chatmaild/src/chatmaild/tests/mail-data/encrypted.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/encrypted.eml
--- a/chatmaild/src/chatmaild/tests/mail-data/fake-encrypted.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/fake-encrypted.eml
--- a/chatmaild/src/chatmaild/tests/mail-data/mdn.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/mdn.eml
--- a/chatmaild/src/chatmaild/tests/mail-data/plain.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/plain.eml
--- a/chatmaild/src/chatmaild/tests/plugin.py
+++ b/chatmaild/src/chatmaild/tests/plugin.py
@@ -0,0 +1,68 @@
 import random
 import importlib.resources
 import itertools
 from email.parser import BytesParser
 from email import policy
 import pytest
 from chatmaild.database import Database
 from chatmaild.config import read_config, write_initial_config
@pytest.fixture
 def make_config(tmp_path):
    inipath = tmp_path.joinpath("chatmail.ini")
    def make_conf(mail_domain):
        write_initial_config(inipath, mail_domain=mail_domain)
        return read_config(inipath)
    return make_conf
@pytest.fixture
 def example_config(make_config):
    return make_config("chat.example.org")
@pytest.fixture
 def maildomain(example_config):
    return example_config.mail_domain
@pytest.fixture
 def gencreds(maildomain):
    count = itertools.count()
    next(count)
    def gen(domain=None):
        domain = domain if domain else maildomain
        while 1:
            num = next(count)
            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
            user = "".join(random.choices(alphanumeric, k=10))
            user = f"ac{num}_{user}"[:9]
            password = "".join(random.choices(alphanumeric, k=12))
            yield f"{user}@{domain}", f"{password}"
    return lambda domain=None: next(gen(domain))
@pytest.fixture()
 def db(tmpdir):
    db_path = tmpdir / "passdb.sqlite"
    print("database path:", db_path)
    return Database(db_path)
@pytest.fixture
 def maildata(request):
    datadir = importlib.resources.files(__package__).joinpath("mail-data")
    assert datadir.exists(), datadir
    def maildata(name, from_addr, to_addr):
        data = datadir.joinpath(name).read_text()
        text = data.format(from_addr=from_addr, to_addr=to_addr)
        return BytesParser(policy=policy.default).parsebytes(text.encode())
    return maildata
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -0,0 +1,27 @@
 from chatmaild.config import read_config
 def test_read_config_basic(make_config):
    config = make_config("chat.example.org")
    assert config.mail_domain == "chat.example.org"
    assert not config.privacy_supervisor and not config.privacy_mail
    assert not config.privacy_pdo and not config.privacy_postal
    inipath = config._inipath
    inipath.write_text(inipath.read_text().replace("60", "37"))
    config = read_config(inipath)
    assert config.max_user_send_per_minute == 37
    assert config.mail_domain == "chat.example.org"
 def test_read_config_testrun(make_config):
    config = make_config("something.testrun.org")
    assert config.mail_domain == "something.testrun.org"
    assert len(config.privacy_postal.split("\n")) > 1
    assert len(config.privacy_supervisor.split("\n")) > 1
    assert len(config.privacy_pdo.split("\n")) > 1
    assert config.privacy_mail == "privacy@testrun.org"
    assert config.filtermail_smtp_port == 10080
    assert config.postfix_reinject_port == 10025
    assert config.max_user_send_per_minute == 60
    assert config.passthrough_recipients
--- a/chatmaild/src/chatmaild/tests/test_doveauth.py
+++ b/chatmaild/src/chatmaild/tests/test_doveauth.py
@@ -1,5 +1,4 @@
 import json
 import pytest
 import threading
 import queue
@@ -7,7 +6,7 @@ import traceback
 import chatmaild.doveauth
 from chatmaild.doveauth import get_user_data, lookup_passdb, handle_dovecot_request
-from chatmaild.database import Database, DBError
+from chatmaild.database import DBError
 def test_basic(db):
@@ -60,27 +59,31 @@ def test_handle_dovecot_request(db):
    assert userdata["password"].startswith("{SHA512-CRYPT}")
-def test_100_concurrent_lookups(db):
+def test_50_concurrent_lookups_different_accounts(db, gencreds):
-    num = 100
+    num_threads = 50
-    dbs = [Database(db.path) for i in range(num)]
+    req_per_thread = 5
    print(f"created {num} databases")
    results = queue.Queue()
    def lookup(db):
-        try:
+        for i in range(req_per_thread):
-            lookup_passdb(db, "something@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
+            addr, password = gencreds()
-        except Exception:
+            try:
-            results.put(traceback.format_exc())
+                lookup_passdb(db, addr, password)
-        else:
+            except Exception:
-            results.put(None)
+                results.put(traceback.format_exc())
            else:
                results.put(None)
-    threads = [threading.Thread(target=lookup, args=(db,), daemon=True) for db in dbs]
+    threads = []
    for i in range(num_threads):
        thread = threading.Thread(target=lookup, args=(db,), daemon=True)
        threads.append(thread)
-    print(f"created {num} threads, starting them and waiting for results")
+    print(f"created {num_threads} threads, starting them and waiting for results")
    for thread in threads:
        thread.start()
-    for _ in dbs:
+    for i in range(num_threads * req_per_thread):
        res = results.get()
        if res is not None:
            pytest.fail(f"concurrent lookup failed\n{res}")
--- a/chatmaild/src/chatmaild/tests/test_filtermail.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail.py
@@ -0,0 +1,129 @@
 from chatmaild.filtermail import (
    check_encrypted,
    BeforeQueueHandler,
    SendRateLimiter,
    check_mdn,
 )
 import pytest
@pytest.fixture
 def maildomain():
    # let's not depend on a real chatmail instance for the offline tests below
    return "chatmail.example.org"
@pytest.fixture
 def handler(make_config, maildomain):
    config = make_config(maildomain)
    return BeforeQueueHandler(config)
 def test_reject_forged_from(maildata, gencreds, handler):
    class env:
        mail_from = gencreds()[0]
        rcpt_tos = [gencreds()[0]]
    # test that the filter lets good mail through
    to_addr = gencreds()[0]
    env.content = maildata(
        "plain.eml", from_addr=env.mail_from, to_addr=to_addr
    ).as_bytes()
    assert not handler.check_DATA(envelope=env)
    # test that the filter rejects forged mail
    env.content = maildata(
        "plain.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
    ).as_bytes()
    error = handler.check_DATA(envelope=env)
    assert "500" in error
 def test_filtermail_no_encryption_detection(maildata):
    msg = maildata(
        "plain.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
    # https://xkcd.com/1181/
    msg = maildata(
        "fake-encrypted.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
 def test_filtermail_encryption_detection(maildata):
    msg = maildata("encrypted.eml", from_addr="1@example.org", to_addr="2@example.org")
    assert check_encrypted(msg)
    # if the subject is not "..." it is not considered ac-encrypted
    msg.replace_header("Subject", "Click this link")
    assert not check_encrypted(msg)
 def test_filtermail_is_mdn(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    msg = maildata("mdn.eml", from_addr, to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert check_mdn(msg, env)
    print(msg.as_string())
    assert not handler.check_DATA(env)
 def test_filtermail_to_multiple_recipients_no_mdn(maildata, gencreds):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    thirdaddr = gencreds()[0]
    msg = maildata("mdn.eml", from_addr, to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr, thirdaddr]
        content = msg.as_bytes()
    assert not check_mdn(msg, env)
 def test_send_rate_limiter():
    limiter = SendRateLimiter()
    for i in range(100):
        if limiter.is_sending_allowed("some@example.org", 10):
            if i <= 10:
                continue
            pytest.fail("limiter didn't work")
        else:
            assert i == 11
            break
 def test_excempt_privacy(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@testrun.org"
    handler.config.passthrough_recipients = [to_addr]
    false_to = "privacy@something.org"
    msg = maildata("plain.eml", from_addr, to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
    class env2:
        mail_from = from_addr
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()
    assert "500" in handler.check_DATA(envelope=env2)
--- a/chatmaild/src/chatmaild/tests/test_newmail.py
+++ b/chatmaild/src/chatmaild/tests/test_newmail.py
@@ -0,0 +1,29 @@
 import json
 import chatmaild
 from chatmaild.newemail import create_newemail_dict, print_new_account
 def test_create_newemail_dict():
    ac1 = create_newemail_dict(domain="example.org")
    assert "@" in ac1["email"]
    assert len(ac1["password"]) >= 10
    ac2 = create_newemail_dict(domain="example.org")
    assert ac1["email"] != ac2["email"]
    assert ac1["password"] != ac2["password"]
 def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir):
    p = tmpdir.join("mailname")
    p.write(maildomain)
    monkeypatch.setattr(chatmaild.newemail, "mail_domain_path", str(p))
    print_new_account()
    out, err = capsys.readouterr()
    lines = out.split("\n")
    assert lines[0] == "Content-Type: application/json"
    assert not lines[1]
    dic = json.loads(lines[2])
    assert dic["email"].endswith(f"@{maildomain}")
    assert len(dic["password"]) >= 10
--- a/cmdeploy/pyproject.toml
+++ b/cmdeploy/pyproject.toml
@@ -0,0 +1,32 @@
 [build-system]
 requires = ["setuptools>=68"]
 build-backend = "setuptools.build_meta"
 [project]
 name = "cmdeploy"
 version = "0.2"
 dependencies = [
  "pyinfra",
  "pillow",
  "qrcode",
  "markdown",
  "pytest",
  "setuptools>=68",
  "termcolor",
  "build",
  "tox",
  "ruff",
  "black",
  "pytest",
  "pytest-xdist", 
 ]
 [project.scripts]
 cmdeploy = "cmdeploy.cmdeploy:main"
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"
 "cmdeploy.testplugin" = "cmdeploy.tests.plugin"
 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -1,72 +1,116 @@
 """
 Chat Mail pyinfra deploy.
 """
 import sys
 import importlib.resources
 import subprocess
 import shutil
 import io
 from pathlib import Path
 from pyinfra import host
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, files, server, systemd, pip
 from pyinfra.facts.files import File
 from pyinfra.facts.systemd import SystemdEnabled
 from .acmetool import deploy_acmetool
 from chatmaild.config import read_config, Config
-def _install_chatmaild() -> None:
+
-    chatmaild_filename = "chatmaild-0.1.tar.gz"
+def _build_chatmaild(dist_dir) -> None:
-    chatmaild_path = importlib.resources.files(__package__).joinpath(
+    dist_dir = Path(dist_dir).resolve()
-        f"../../../dist/{chatmaild_filename}"
+    if dist_dir.exists():
        shutil.rmtree(dist_dir)
    dist_dir.mkdir()
    subprocess.check_output(
        [sys.executable, "-m", "build", "-n"]
        + ["--sdist", "chatmaild", "--outdir", str(dist_dir)]
    )
-    remote_path = f"/tmp/{chatmaild_filename}"
+    entries = list(dist_dir.iterdir())
-    if Path(str(chatmaild_path)).exists():
+    assert len(entries) == 1
    return entries[0]
 def remove_legacy_artifacts():
    # disable legacy doveauth-dictproxy.service
    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
        systemd.service(
            name="Disable legacy doveauth-dictproxy.service",
            service="doveauth-dictproxy.service",
            running=False,
            enabled=False,
        )
 def _install_remote_venv_with_chatmaild(config) -> None:
    remove_legacy_artifacts()
    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
    remote_venv_dir = f"{remote_base_dir}/venv"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
    apt.packages(
        name="apt install python3-virtualenv",
        packages=["python3-virtualenv"],
    )
    files.put(
        name="Upload chatmaild source package",
        src=dist_file.open("rb"),
        dest=remote_dist_file,
        create_remote_dir=True,
        **root_owned,
    )
    files.put(
        name=f"Upload {remote_chatmail_inipath}",
        src=config._getbytefile(),
        dest=remote_chatmail_inipath,
        **root_owned,
    )
    pip.virtualenv(
        name=f"chatmaild virtualenv {remote_venv_dir}",
        path=remote_venv_dir,
        always_copy=True,
    )
    server.shell(
        name=f"forced pip-install {dist_file.name}",
        commands=[
            f"{remote_venv_dir}/bin/pip install --force-reinstall {remote_dist_file}"
        ],
    )
    # install systemd units
    for fn in (
        "doveauth",
        "filtermail",
    ):
        params = dict(
            execpath=f"{remote_venv_dir}/bin/{fn}",
            config_path=remote_chatmail_inipath,
        )
        source_path = importlib.resources.files("chatmaild").joinpath(f"{fn}.service.f")
        content = source_path.read_text().format(**params).encode()
        files.put(
-            name="Upload chatmaild source package",
+            name=f"Upload {fn}.service",
-            src=chatmaild_path.open("rb"),
+            src=io.BytesIO(content),
-            dest=remote_path,
+            dest=f"/etc/systemd/system/{fn}.service",
            **root_owned,
        )
-
+        systemd.service(
-        apt.packages(
+            name=f"Setup {fn} service",
-            name="apt install python3-aiosmtpd",
+            service=f"{fn}.service",
-            packages=["python3-aiosmtpd", "python3-pip"],
+            running=True,
            enabled=True,
            restarted=True,
            daemon_reload=True,
        )
        # --no-deps because aiosmtplib is installed with `apt`.
        server.shell(
            name="install chatmaild with pip",
            commands=[f"pip install --break-system-packages {remote_path}"],
        )
        # disable legacy doveauth-dictproxy.service
        if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
            systemd.service(
                name="Disable legacy doveauth-dictproxy.service",
                service="doveauth-dictproxy.service",
                running=False,
                enabled=False,
            )
        for fn in (
            "doveauth",
            "filtermail",
        ):
            files.put(
                name=f"Upload {fn}.service",
                src=importlib.resources.files("chatmaild")
                .joinpath(f"{fn}.service")
                .open("rb"),
                dest=f"/etc/systemd/system/{fn}.service",
                user="root",
                group="root",
                mode="644",
            )
            systemd.service(
                name=f"Setup {fn} service",
                service=f"{fn}.service",
                running=True,
                enabled=True,
                restarted=True,
                daemon_reload=True,
            )
 def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
    """Configures OpenDKIM"""
@@ -133,7 +177,45 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
    return need_restart
-def _configure_postfix(domain: str, debug: bool = False) -> bool:
+def _install_mta_sts_daemon() -> bool:
    need_restart = False
    config = files.put(
        name="upload postfix-mta-sts-resolver config",
        src=importlib.resources.files(__package__).joinpath(
            "postfix/mta-sts-daemon.yml"
        ),
        dest="/etc/mta-sts-daemon.yml",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= config.changed
    server.shell(
        name="install postfix-mta-sts-resolver with pip",
        commands=[
            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
        ],
    )
    systemd_unit = files.put(
        name="upload mta-sts-daemon systemd unit",
        src=importlib.resources.files(__package__).joinpath(
            "postfix/mta-sts-daemon.service"
        ),
        dest="/etc/systemd/system/mta-sts-daemon.service",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= systemd_unit.changed
    return need_restart
 def _configure_postfix(config: Config, debug: bool = False) -> bool:
    """Configures Postfix SMTP server."""
    need_restart = False
@@ -143,7 +225,7 @@ def _configure_postfix(domain: str, debug: bool = False) -> bool:
        user="root",
        group="root",
        mode="644",
-        config={"domain_name": domain},
+        config=config,
    )
    need_restart |= main_config.changed
@@ -154,6 +236,7 @@ def _configure_postfix(domain: str, debug: bool = False) -> bool:
        group="root",
        mode="644",
        debug=debug,
        config=config,
    )
    need_restart |= master_config.changed
@@ -231,9 +314,50 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
    )
    need_restart |= autoconfig.changed
    mta_sts_config = files.template(
        src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
        dest="/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": domain},
    )
    need_restart |= mta_sts_config.changed
    # install CGI newemail script
    #
    cgi_dir = "/usr/lib/cgi-bin"
    files.directory(
        name=f"Ensure {cgi_dir} exists",
        path=cgi_dir,
        user="root",
        group="root",
    )
    files.put(
        name="Upload cgi newemail.py script",
        src=importlib.resources.files("chatmaild").joinpath("newemail.py").open("rb"),
        dest=f"{cgi_dir}/newemail.py",
        user="root",
        group="root",
        mode="755",
    )
    return need_restart
 def check_config(config):
    mail_domain = config.mail_domain
    if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
        blocked_words = "merlinux schmieder testrun.org".split()
        for value in config.__dict__.values():
            if any(x in value for x in blocked_words):
                raise ValueError(
                    f"please set your own privacy contacts/addresses in {config._inipath}"
                )
    return config
 def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None:
    """Deploy a chat-mail instance.
@@ -241,6 +365,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    :param mail_server: the DNS name under which your mail server is reachable
    :param dkim_selector:
    """
    from .www import build_webpages
    apt.update(name="apt update", cache_time=24 * 3600)
    server.group(name="Create vmail group", group="vmail", system=True)
@@ -255,7 +380,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    )
    # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_server])
+    deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
    apt.packages(
        name="Install Postfix",
@@ -280,19 +405,30 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        packages=["nginx"],
    )
-    _install_chatmaild()
+    apt.packages(
        name="Install fcgiwrap",
        packages=["fcgiwrap"],
    )
    pkg_root = importlib.resources.files(__package__)
    chatmail_ini = pkg_root.joinpath("../../../chatmail.ini").resolve()
    config = read_config(chatmail_ini)
    check_config(config)
    www_path = pkg_root.joinpath("../../../www").resolve()
    build_dir = www_path.joinpath("build")
    src_dir = www_path.joinpath("src")
    build_webpages(src_dir, build_dir, config)
    files.rsync(f"{build_dir}/", "/var/www/html", flags=["-avz"])
    _install_remote_venv_with_chatmaild(config)
    debug = False
    dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
-    postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
+    postfix_need_restart = _configure_postfix(config, debug=debug)
    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
    mta_sts_need_restart = _install_mta_sts_daemon()
    nginx_need_restart = _configure_nginx(mail_domain)
    # deploy web pages and info if we have them
    pkg_root = importlib.resources.files(__package__)
    www_path = pkg_root.joinpath(f"../../../www/{mail_domain}").resolve()
    if www_path.is_dir():
        files.rsync(f"{www_path}/", "/var/www/html", flags=["-avz"])
    systemd.service(
        name="Start and enable OpenDKIM",
        service="opendkim.service",
@@ -301,6 +437,15 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        restarted=opendkim_need_restart,
    )
    systemd.service(
        name="Start and enable MTA-STS daemon",
        service="mta-sts-daemon.service",
        daemon_reload=True,
        running=True,
        enabled=True,
        restarted=mta_sts_need_restart,
    )
    systemd.service(
        name="Start and enable Postfix",
        service="postfix.service",
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -46,8 +46,7 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
        mode="644",
    )
-    for domain in domains:
+    server.shell(
-        server.shell(
+        name=f"Request certificate for: { ', '.join(domains) }",
-            name=f"Request certificate for {domain}",
+        commands=[f"acmetool want { ' '.join(domains)}"],
-            commands=[f"acmetool want {domain}"],
+    )
        )
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.cron
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.cron
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.hook
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.hook
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/response-file.yaml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/response-file.yaml.j2
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2
--- a/cmdeploy/src/cmdeploy/chatmail.zone.f
+++ b/cmdeploy/src/cmdeploy/chatmail.zone.f
@@ -0,0 +1,12 @@
 {chatmail_domain}.                   MX 10 {chatmail_domain}.
 _submission._tcp.{chatmail_domain}.  SRV 0 1 587 {chatmail_domain}.
 _submissions._tcp.{chatmail_domain}. SRV 0 1 465 {chatmail_domain}.
 _imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
 _imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
 {chatmail_domain}.                IN CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
 {chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} -all"
 _dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
 _mta-sts.{chatmail_domain}.       IN TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}.        IN CNAME {chatmail_domain}.
 _smtp._tls.{chatmail_domain}.     IN TXT "v=TLSRPTv1;rua=mailto:{email}"
 {dkim_entry}
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -0,0 +1,298 @@
 """
 Provides the `cmdeploy` entry point function,
 along with command line option and subcommand parsing.
 """
 import argparse
 import datetime
 import shutil
 import subprocess
 import importlib.resources
 import importlib.util
 import os
 import sys
 from pathlib import Path
 from termcolor import colored
 from chatmaild.config import read_config, write_initial_config
 #
 # cmdeploy sub commands and options
 #
 def init_cmd_options(parser):
    parser.add_argument(
        "chatmail_domain",
        action="store",
        help="fully qualified DNS domain name for your chatmail instance",
    )
 def init_cmd(args, out):
    """Initialize chatmail config file."""
    if args.inipath.exists():
        out.red(f"Path exists, not modifying: {args.inipath}")
        raise SystemExit(1)
    write_initial_config(args.inipath, args.chatmail_domain)
    out.green(f"created config file for {args.chatmail_domain} in {args.inipath}")
 def run_cmd_options(parser):
    parser.add_argument(
        "--dry-run",
        dest="dry_run",
        action="store_true",
        help="don't actually modify the server",
    )
 def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""
    env = os.environ.copy()
    env["CHATMAIL_DOMAIN"] = args.config.mail_domain
    deploy_path = "cmdeploy/src/cmdeploy/deploy.py"
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
    cmd = f"{pyinf} --ssh-user root {args.config.mail_domain} {deploy_path}"
    out.check_call(cmd, env=env)
 def dns_cmd(args, out):
    """Generate dns zone file."""
    template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
    ssh = f"ssh root@{args.config.mail_domain}"
    def read_dkim_entries(entry):
        lines = []
        for line in entry.split("\n"):
            if line.startswith(";") or not line.strip():
                continue
            line = line.replace("\t", " ")
            lines.append(line)
        return "\n".join(lines)
    acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
    out(
        f"[writing {args.config.mail_domain} zone data (using space as separator) to stdout output]",
        green=True,
    )
    print(
        template.read_text()
        .format(
            acme_account_url=acme_account_url,
            email=f"root@{args.config.mail_domain}",
            sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
            chatmail_domain=args.config.mail_domain,
            dkim_entry=dkim_entry,
        )
        .strip()
    )
 def status_cmd(args, out):
    """Display status for online chatmail instance."""
    ssh = f"ssh root@{args.config.mail_domain}"
    out.green(f"chatmail domain: {args.config.mail_domain}")
    if args.config.privacy_mail:
        out.green("privacy settings: present")
    else:
        out.red("no privacy settings")
    s1 = "systemctl --type=service --state=running"
    for line in out.shell_output(f"{ssh} -- {s1}").split("\n"):
        if line.startswith("  "):
            print(line)
 def test_cmd(args, out):
    """Run local and online tests for chatmail deployment.
    This will automatically pip-install 'deltachat' if it's not available.
    """
    x = importlib.util.find_spec("deltachat")
    if x is None:
        out.check_call(f"{sys.executable} -m pip install deltachat")
    pytest_path = shutil.which("pytest")
    ret = out.run_ret(
        [pytest_path, "cmdeploy/src/", "-n4", "-rs", "-x", "-vrx", "--durations=5"]
    )
    return ret
 def fmt_cmd_options(parser):
    parser.add_argument(
        "--verbose",
        "-v",
        dest="verbose",
        action="store_true",
        help="provide information on invocations",
    )
    parser.add_argument(
        "--check",
        "-c",
        action="store_true",
        help="only check but don't fix problems",
    )
 def fmt_cmd(args, out):
    """Run formattting fixes (fuff and black) on all chatmail source code."""
    sources = [str(importlib.resources.files(x)) for x in ("chatmaild", "cmdeploy")]
    black_args = [shutil.which("black")]
    ruff_args = [shutil.which("ruff")]
    if args.check:
        black_args.append("--check")
    else:
        ruff_args.append("--fix")
    if not args.verbose:
        black_args.append("-q")
        ruff_args.append("-q")
    black_args.extend(sources)
    ruff_args.extend(sources)
    out.check_call(" ".join(black_args), quiet=not args.verbose)
    out.check_call(" ".join(ruff_args), quiet=not args.verbose)
    return 0
 def bench_cmd(args, out):
    """Run benchmarks against an online chatmail instance."""
    args = ["pytest", "--pyargs", "cmdeploy.tests.online.benchmark", "-vrx"]
    cmdstring = " ".join(args)
    out.green(f"[$ {cmdstring}]")
    subprocess.check_call(args)
 def webdev_cmd(args, out):
    """Run local web development loop for static web pages."""
    from .www import main
    main()
 #
 # Parsing command line options and starting commands
 #
 class Out:
    """Convenience output printer providing coloring."""
    def red(self, msg, file=sys.stderr):
        print(colored(msg, "red"), file=file)
    def green(self, msg, file=sys.stderr):
        print(colored(msg, "green"), file=file)
    def __call__(self, msg, red=False, green=False, file=sys.stdout):
        color = "red" if red else ("green" if green else None)
        print(colored(msg, color), file=file)
    def shell_output(self, arg):
        self(f"[$ {arg}]", file=sys.stderr)
        return subprocess.check_output(arg, shell=True).decode()
    def check_call(self, arg, env=None, quiet=False):
        if not quiet:
            self(f"[$ {arg}]", file=sys.stderr)
        return subprocess.check_call(arg, shell=True, env=env)
    def run_ret(self, args, env=None, quiet=False):
        if not quiet:
            cmdstring = " ".join(args)
            self(f"[$ {cmdstring}]", file=sys.stderr)
        proc = subprocess.run(args, env=env)
        return proc.returncode
 def add_config_option(parser):
    parser.add_argument(
        "--config",
        dest="inipath",
        action="store",
        default=Path("chatmail.ini"),
        type=Path,
        help="path to the chatmail.ini file",
    )
 def add_subcommand(subparsers, func):
    name = func.__name__
    assert name.endswith("_cmd")
    name = name[:-4]
    doc = func.__doc__.strip()
    help = doc.split("\n")[0].strip(".")
    p = subparsers.add_parser(name, description=doc, help=help)
    p.set_defaults(func=func)
    add_config_option(p)
    return p
 description = """
 Setup your chatmail server configuration and
 deploy it via SSH to your remote location.
 """
 def get_parser():
    """Return an ArgumentParser for the 'cmdeploy' CLI"""
    parser = argparse.ArgumentParser(description=description.strip())
    subparsers = parser.add_subparsers(title="subcommands")
    # find all subcommands in the module namespace
    glob = globals()
    for name, func in glob.items():
        if name.endswith("_cmd"):
            subparser = add_subcommand(subparsers, func)
            addopts = glob.get(name + "_options")
            if addopts is not None:
                addopts(subparser)
    return parser
 def main(args=None):
    """Provide main entry point for 'xdcget' CLI invocation."""
    parser = get_parser()
    args = parser.parse_args(args=args)
    if not hasattr(args, "func"):
        return parser.parse_args(["-h"])
    out = Out()
    kwargs = {}
    if args.func.__name__ not in ("init_cmd", "fmt_cmd"):
        if not args.inipath.exists():
            out.red(f"expecting {args.inipath} to exist, run init first?")
            raise SystemExit(1)
        try:
            args.config = read_config(args.inipath)
        except Exception as ex:
            out.red(ex)
            raise SystemExit(1)
    try:
        res = args.func(args, out, **kwargs)
        if res is None:
            res = 0
        return res
    except KeyboardInterrupt:
        out.red("KeyboardInterrupt")
        sys.exit(130)
 if __name__ == "__main__":
    main()
--- a/cmdeploy/src/cmdeploy/data/delta-chat-bw.png
+++ b/cmdeploy/src/cmdeploy/data/delta-chat-bw.png
--- a/cmdeploy/src/cmdeploy/data/opensans-regular.ttf
+++ b/cmdeploy/src/cmdeploy/data/opensans-regular.ttf
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
@@ -1,6 +1,6 @@
 import os
 import pyinfra
-from deploy_chatmail import deploy_chatmail
+from cmdeploy import deploy_chatmail
 def main():
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/expunge.cron
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/expunge.cron
--- a/cmdeploy/src/cmdeploy/genqr.py
+++ b/cmdeploy/src/cmdeploy/genqr.py
@@ -0,0 +1,87 @@
 import importlib
 import qrcode
 import os
 from PIL import ImageFont, ImageDraw, Image
 import io
 def gen_qr_png_data(maildomain):
    url = f"DCACCOUNT:https://{maildomain}/cgi-bin/newemail.py"
    image = gen_qr(maildomain, url)
    temp = io.BytesIO()
    image.save(temp, format="png")
    temp.seek(0)
    return temp
 def gen_qr(maildomain, url):
    # taken and modified from
    # https://github.com/deltachat/mailadm/blob/master/src/mailadm/gen_qr.py
    # info = f"{maildomain} invite code"
    info = ""
    # load QR code
    qr = qrcode.QRCode(
        version=1,
        error_correction=qrcode.constants.ERROR_CORRECT_H,
        box_size=1,
        border=1,
    )
    qr.add_data(url)
    qr.make(fit=True)
    qr_img = qr.make_image(fill_color="black", back_color="white")
    # paint all elements
    ttf_path = str(
        importlib.resources.files(__package__).joinpath("data/opensans-regular.ttf")
    )
    logo_red_path = str(
        importlib.resources.files(__package__).joinpath("data/delta-chat-bw.png")
    )
    assert os.path.exists(ttf_path), ttf_path
    font_size = 16
    font = ImageFont.truetype(font=ttf_path, size=font_size)
    num_lines = ((info).count("\n") + 1) if info else 0
    size = width = 384
    qr_padding = 6
    text_height = font_size * num_lines
    height = size + text_height
    image = Image.new("RGBA", (width, height), "white")
    qr_final_size = width - (qr_padding * 2)
    if num_lines:
        draw = ImageDraw.Draw(image)
        # draw text
        if hasattr(font, "getsize"):
            info_pos = (width - font.getsize(info.strip())[0]) // 2
        else:
            info_pos = (width - font.getbbox(info.strip())[3]) // 2
        draw.multiline_text(
            (info_pos, size - qr_padding // 2),
            info,
            font=font,
            fill="black",
            align="right",
        )
    # paste QR code
    image.paste(
        qr_img.resize((qr_final_size, qr_final_size), resample=Image.NEAREST),
        (qr_padding, qr_padding),
    )
    # background delta logo
    logo2_img = Image.open(logo_red_path)
    logo2_width = int(size / 6)
    logo2 = logo2_img.resize((logo2_width, logo2_width), resample=Image.NEAREST)
    pos = int((size / 2) - (logo2_width / 2))
    image.paste(logo2, (pos, pos), mask=logo2)
    return image
--- a/deploy-chatmail/src/deploy_chatmail/journald.conf
+++ b/deploy-chatmail/src/deploy_chatmail/journald.conf
--- a/deploy-chatmail/src/deploy_chatmail/nginx/autoconfig.xml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/autoconfig.xml.j2
--- a/cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2
+++ b/cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2
@@ -0,0 +1,4 @@
 version: STSv1
 mode: enforce
 mx: {{ config.domain_name }}
 max_age: 2419200
--- a/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
@@ -26,8 +26,6 @@ http {
 	gzip on;
 	server {
 		listen 80 default_server;
 		listen [::]:80 default_server;
 		listen 443 ssl default_server;
 		listen [::]:443 ssl default_server;
@@ -42,6 +40,16 @@ http {
 			# as directory, then fall back to displaying a 404.
 			try_files $uri $uri/ =404;
 		}
        # add cgi-bin support
        include /usr/share/doc/fcgiwrap/examples/nginx.conf;
 	}
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
 }
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
@@ -20,7 +20,7 @@ Domain			{{ config.domain_name }}
 Selector		{{ config.opendkim_selector }}
 KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
 KeyTable          /etc/dkimkeys/KeyTable
-SigningTable      /etc/dkimkeys/SigningTable
+SigningTable      refile:/etc/dkimkeys/SigningTable
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
--- a/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
@@ -1,4 +1,4 @@
-myorigin = {{ config.domain_name }}
+myorigin = {{ config.mail_domain }}
 smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
 biff = no
@@ -16,16 +16,17 @@ readme_directory = no
 compatibility_level = 2
 # TLS parameters
-smtpd_tls_cert_file=/var/lib/acme/live/{{ config.domain_name }}/fullchain
+smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
-smtpd_tls_key_file=/var/lib/acme/live/{{ config.domain_name }}/privkey
+smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ config.domain_name }}
+myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -44,7 +45,7 @@ inet_interfaces = all
 inet_protocols = all
 virtual_transport = lmtp:unix:private/dovecot-lmtp
-virtual_mailbox_domains = {{ config.domain_name }}
+virtual_mailbox_domains = {{ config.mail_domain }}
 smtpd_milters = unix:opendkim/opendkim.sock
 non_smtpd_milters = $smtpd_milters
--- a/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
@@ -32,7 +32,8 @@ submission inet n       -       y       -       -       smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_proxy_filter=127.0.0.1:10080
+  -o smtpd_client_connection_count_limit=1000
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
@@ -46,8 +47,9 @@ smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=1000
  -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_proxy_filter=127.0.0.1:10080
+  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
@@ -76,5 +78,5 @@ scache    unix  -       -       y       -       1       scache
 postlog   unix-dgram n  -       n       -       1       postlogd
 filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting filered mail.
-localhost:10025 inet  n       -       n       -       10      smtpd
+localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
  -o syslog_name=postfix/reinject
--- a/cmdeploy/src/cmdeploy/postfix/mta-sts-daemon.service
+++ b/cmdeploy/src/cmdeploy/postfix/mta-sts-daemon.service
@@ -0,0 +1,10 @@
 [Unit]
 Description=Postfix MTA-STS resolver daemon
 [Service]
 ExecStart=/usr/local/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/postfix/mta-sts-daemon.yml
+++ b/cmdeploy/src/cmdeploy/postfix/mta-sts-daemon.yml
@@ -0,0 +1,13 @@
 host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
 cache:
  type: internal
  options:
    cache_size: 10000
 proactive_policy_fetching:
  enabled: true
 default_zone:
  strict_testing: false
  timeout: 4
--- a/cmdeploy/src/cmdeploy/tests/init.py
+++ b/cmdeploy/src/cmdeploy/tests/init.py
--- a/cmdeploy/src/cmdeploy/tests/online/init.py
+++ b/cmdeploy/src/cmdeploy/tests/online/init.py
--- a/cmdeploy/src/cmdeploy/tests/online/benchmark.py
+++ b/cmdeploy/src/cmdeploy/tests/online/benchmark.py
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
@@ -0,0 +1,6 @@
 from cmdeploy.genqr import gen_qr_png_data
 def test_gen_qr_png_data(maildomain):
    data = gen_qr_png_data(maildomain)
    assert data
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -20,7 +20,7 @@ def test_use_two_chatmailservers(cmfactory, maildomain2):
@pytest.mark.parametrize("forgeaddr", ["internal", "someone@example.org"])
-def test_reject_forged_from(cmsetup, maildata, lp, forgeaddr):
+def test_reject_forged_from(cmsetup, maildata, gencreds, lp, forgeaddr):
    user1, user3 = cmsetup.gen_users(2)
    lp.sec("send encrypted message with forged from")
@@ -54,7 +54,7 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata):
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
        except smtplib.SMTPException as e:
-            if i < 80:
+            if i < 60:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -91,9 +91,9 @@ class TestEndToEndDeltaChat:
        lp.sec("setup encrypted comms between ac1 and ac2 on different instances")
        qr = ac1.get_setup_contact_qr()
-        ac2.qr_setup_contact(qr)
+        ch = ac2.qr_setup_contact(qr)
-        msg = ac2.wait_next_incoming_message()
+        assert ch.id >= 10
-        assert "verified" in msg.text
+        ac1._evtracker.wait_securejoin_inviter_progress(1000)
        lp.sec("ac1 sends a message and ac2 marks it as seen")
        chat = ac1.create_chat(ac2)
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -6,12 +6,11 @@ import subprocess
 import imaplib
 import smtplib
 import itertools
 from email.parser import BytesParser
 from email import policy
 from pathlib import Path
 import pytest
 from chatmaild.database import Database
 from chatmaild.config import read_config
 conftestdir = Path(__file__).parent
@@ -38,11 +37,22 @@ def pytest_runtest_setup(item):
@pytest.fixture
-def maildomain():
+def chatmail_config(pytestconfig):
-    domain = os.environ.get("CHATMAIL_DOMAIN")
+    current = basedir = Path().resolve()
-    if not domain:
+    while 1:
-        pytest.skip("set CHATMAIL_DOMAIN to a ssh-reachable chatmail instance")
+        path = current.joinpath("chatmail.ini").resolve()
-    return domain
+        if path.exists():
            return read_config(path)
        if current == current.parent:
            break
        current = current.parent
    pytest.skip(f"no chatmail.ini file found in {basedir} or parent dirs")
@pytest.fixture
 def maildomain(chatmail_config):
    return chatmail_config.mail_domain
@pytest.fixture
@@ -278,11 +288,13 @@ class ChatmailTestProcess:
@pytest.fixture
-def cmfactory(request, gencreds, tmpdir, data, maildomain):
+def cmfactory(request, gencreds, tmpdir, maildomain):
    # cloned from deltachat.testplugin.amfactory
    pytest.importorskip("deltachat")
    from deltachat.testplugin import ACFactory
    data = request.getfixturevalue("data")
    testproc = ChatmailTestProcess(request.config, maildomain, gencreds)
    am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=data)
@@ -327,19 +339,15 @@ class Remote:
@pytest.fixture
-def maildata(request, gencreds):
+def lp(request):
-    datadir = conftestdir.joinpath("mail-data")
+    class LP:
        def sec(self, msg):
            print(f"---- {msg} ----")
-    def maildata(name, from_addr=None, to_addr=None):
+        def indent(self, msg):
-        if from_addr is None:
+            print(f"     {msg}")
            from_addr = gencreds()[0]
        if to_addr is None:
            to_addr = gencreds()[0]
        data = datadir.joinpath(name).read_text()
        text = data.format(from_addr=from_addr, to_addr=to_addr)
        return BytesParser(policy=policy.default).parsebytes(text.encode())
-    return maildata
+    return LP()
@pytest.fixture
--- a/cmdeploy/src/cmdeploy/tests/pytest.ini
+++ b/cmdeploy/src/cmdeploy/tests/pytest.ini
--- a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
@@ -0,0 +1,33 @@
 import os
 import pytest
 from cmdeploy.cmdeploy import get_parser, main
 from chatmaild.config import read_config
@pytest.fixture(autouse=True)
 def _chdir(tmp_path):
    old = os.getcwd()
    os.chdir(tmp_path)
    yield
    os.chdir(old)
 class TestCmdline:
    def test_parser(self, capsys):
        parser = get_parser()
        parser.parse_args([])
        init = parser.parse_args(["init", "chat.example.org"])
        run = parser.parse_args(["run"])
        assert init and run
    def test_init(self, tmp_path):
        main(["init", "chat.example.org"])
        inipath = tmp_path.joinpath("chatmail.ini")
        config = read_config(inipath)
        assert config.mail_domain == "chat.example.org"
    def test_init_not_overwrite(self):
        main(["init", "chat.example.org"])
        with pytest.raises(SystemExit):
            main(["init", "chat.example.org"])
--- a/cmdeploy/src/cmdeploy/tests/test_helpers.py
+++ b/cmdeploy/src/cmdeploy/tests/test_helpers.py
@@ -0,0 +1,13 @@
 import importlib.resources
 from cmdeploy.www import build_webpages
 def test_build_webpages(tmp_path, make_config):
    pkgroot = importlib.resources.files("cmdeploy")
    src_dir = pkgroot.joinpath("../../../www/src").resolve()
    assert src_dir.exists(), src_dir
    config = make_config("chat.example.org")
    build_dir = tmp_path.joinpath("build")
    build_webpages(src_dir, build_dir, config)
    assert len([x for x in build_dir.iterdir() if x.suffix == ".html"]) >= 3
--- a/cmdeploy/src/cmdeploy/www.py
+++ b/cmdeploy/src/cmdeploy/www.py
@@ -0,0 +1,110 @@
 import importlib.resources
 import webbrowser
 import hashlib
 import time
 import traceback
 import markdown
 from jinja2 import Template
 from .genqr import gen_qr_png_data
 from chatmaild.config import read_config
 def snapshot_dir_stats(somedir):
    d = {}
    for path in somedir.iterdir():
        if path.is_file() and path.name[0] != "." and path.suffix != ".swp":
            mtime = path.stat().st_mtime
            hash = hashlib.md5(path.read_bytes()).hexdigest()
            d[path] = (mtime, hash)
    return d
 def prepare_template(source):
    assert source.exists(), source
    render_vars = {}
    render_vars["pagename"] = "home" if source.stem == "index" else source.stem
    render_vars["markdown_html"] = markdown.markdown(source.read_text())
    page_layout = source.with_name("page-layout.html").read_text()
    return render_vars, page_layout
 def build_webpages(src_dir, build_dir, config):
    try:
        _build_webpages(src_dir, build_dir, config)
    except Exception:
        print(traceback.format_exc())
 def _build_webpages(src_dir, build_dir, config):
    mail_domain = config.mail_domain
    assert src_dir.exists(), src_dir
    if not build_dir.exists():
        build_dir.mkdir()
    qr_path = build_dir.joinpath(f"qr-chatmail-invite-{mail_domain}.png")
    qr_path.write_bytes(gen_qr_png_data(mail_domain).read())
    for path in src_dir.iterdir():
        if path.suffix == ".md":
            render_vars, content = prepare_template(path)
            target = build_dir.joinpath(path.stem + ".html")
            # recursive jinja2 rendering
            while 1:
                new = Template(content).render(config=config, **render_vars)
                if new == content:
                    break
                content = new
            with target.open("w") as f:
                f.write(content)
        elif path.name != "page-layout.html":
            target = build_dir.joinpath(path.name)
            target.write_bytes(path.read_bytes())
    return build_dir
 def main():
    path = importlib.resources.files(__package__)
    reporoot = path.joinpath("../../../").resolve()
    inipath = reporoot.joinpath("chatmail.ini")
    config = read_config(inipath)
    config.webdev = True
    assert config.mail_domain
    www_path = reporoot.joinpath("www")
    src_path = www_path.joinpath("src")
    stats = None
    build_dir = www_path.joinpath("build")
    src_dir = www_path.joinpath("src")
    index_path = build_dir.joinpath("index.html")
    # start web page generation, open a browser and wait for changes
    build_webpages(src_dir, build_dir, config)
    webbrowser.open(str(index_path))
    stats = snapshot_dir_stats(src_path)
    print(f"\nOpened URL: file://{index_path.resolve()}\n")
    print(f"watching {src_path} directory for changes")
    changenum = 0
    for count in range(0, 1000000):
        newstats = snapshot_dir_stats(src_path)
        if newstats == stats and count % 60 != 0:
            count += 1
            time.sleep(1.0)
            continue
        for key in newstats:
            if stats[key] != newstats[key]:
                print(f"*** CHANGED: {key}")
                changenum += 1
        stats = newstats
        build_webpages(src_dir, build_dir, config)
        print(f"[{changenum}] regenerated web pages at: {index_path}")
        print(f"URL: file://{index_path.resolve()}\n\n")
        count = 0
 if __name__ == "__main__":
    main()
--- a/deploy-chatmail/pyproject.toml
+++ b/deploy-chatmail/pyproject.toml
@@ -1,30 +0,0 @@
 [build-system]
 requires = ["setuptools>=45"]
 build-backend = "setuptools.build_meta"
 [project]
 name = "deploy-chatmail"
 version = "0.1"
 dependencies = [
  "pyinfra",
 ]
 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
 [tool.tox]
 legacy_tox_ini = """
 [tox]
 isolated_build = true
 envlist = lint
 [testenv:lint]
 skipdist = True
 skip_install = True
 deps =
  ruff
  black
 commands =
  black --quiet --check --diff src/
  ruff src/
 """
--- a/plan.txt
+++ b/plan.txt
@@ -1,65 +0,0 @@
 # Chat-mail server development (up until Oct 18th)
 ## Dovecot goals/steps
 - automatic expiry of messages older than M days
   - also expunge unread messages
 - limit: configure max-connections per account
 ## nami: send out rate limit / rspamd
 - basic outgoing send rate/limits (depending on "account-rating")
  use rspamd in a minimal way, check support dkim-signing
  (including an online test exceeding rate limit)
 ## doveauth questions/futures
 - bcrypt-password scheme is slow: require long passwords, use faster hashing
 - define user-name and password policies, and implement them
  (be very restrictive at the beginning, we can relax later)
 - password is part of the dictproxy-lookup key, is it safe to use auth-caching?
 ## How to limit creation of accounts?
 attack: a 3-line bash script to fill the chatmail db with millions of unused accouts
 - make it computationally expensive (somehow try to except our tests from it)
  1st pass instant onboarding: create userid + cheap password -- if it fails then
  2nd pass instant onboarding: create userdid + comput. expensive password
 - probably also do firewall: limit number of new tcp-connections per IP address per duration
 ## Open/deferred questions
 - automatic expiry of users that haven't logged in for N days
  Is it neccessary?  If all messages are gone, does the existence of
  an e-mail address bother anybody?
 ## web page for chat-mail servers?
 - documentation for users, privacy policy etc.
  (probably also with provider-messages ...)
 ## online tests (first with plain python/pytest)
 - write tests for dovecot login (exists)
 - write tests for postfix logins (exists)
 - write A<>B send/receive tests (exists)
 ## Delta Chat
 1. qr code that defines access to a chatmail instance (like mailadm but without http etc.)
 2. support for creating username/password and verifying login works
--- a/scripts/bench.sh
+++ b/scripts/bench.sh
@@ -1,4 +0,0 @@
 #!/bin/bash
 set -e
 venv/bin/pytest tests/online/benchmark.py -vrx
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1,15 +0,0 @@
 #!/usr/bin/env bash
 echo -----------------------------------------
 echo deploying to $CHATMAIL_DOMAIN 
 echo -----------------------------------------
 echo WARNING: in five seconds deploy to $CHATMAIL_DOMAIN starts
 sleep 5
 venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
 venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
    deploy-chatmail/src/deploy_chatmail/deploy.py
 rm -r dist/
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
@@ -1,20 +0,0 @@
 #!/bin/sh
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 : ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
 set -e
 SSH="ssh root@$CHATMAIL_SSH"
 EMAIL="root@$CHATMAIL_DOMAIN"
 ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
 cat <<EOF
 $CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
 $CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
 _dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
 _submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
 _submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
 _imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
 _imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
 $CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
 EOF
 $SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
--- a/scripts/get_imap_capabilities.py
+++ b/scripts/get_imap_capabilities.py
@@ -1,14 +0,0 @@
 import os
 import time
 import imaplib
 domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
 print("connecting")
 conn = imaplib.IMAP4_SSL(domain)
 print("logging in")
 conn.login(f"imapcapa", "pass")
 status, res = conn.capability()
 for capa in sorted(res[0].decode().split()):
    print(capa)
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -1,8 +0,0 @@
 #!/bin/sh
 set -e
 python3 -m venv venv
 pip=venv/bin/pip
 $pip install pyinfra pytest build 'setuptools>=68' tox deltachat
 $pip install -e deploy-chatmail 
 $pip install -e chatmaild 
--- a/scripts/initenv.sh
+++ b/scripts/initenv.sh
@@ -0,0 +1,9 @@
 #!/bin/bash
 set -e
 python3 -m venv venv
 venv/bin/pip install -e chatmaild 
 venv/bin/pip install -e cmdeploy
 source venv/bin/activate
 echo activated 'venv' python virtualenv environment containing "cmdeploy" tool
--- a/scripts/measure_tls_and_logins.py
+++ b/scripts/measure_tls_and_logins.py
@@ -1,28 +0,0 @@
 #!/usr/bin/env python3
 import os
 import time
 import imaplib
 domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
 NUM_CONNECTIONS=10
 conns = []
 start = time.time()
 for i in range(NUM_CONNECTIONS):
    print(f"opening connection {i} to {domain}")
    conn = imaplib.IMAP4_SSL(domain)
    conns.append(conn)
 tlsdone = time.time()
 duration = tlsdone-start
 print(f"{duration}: TLS connections opening TLS connections")
 for i, conn in enumerate(conns):
    print(f"logging into connection {i}")
    conn.login(f"measure{i}", "pass")
 logindone = time.time()
 duration = logindone - tlsdone
 print(f"{duration}: LOGINS done")
--- a/scripts/remote-deploy.sh
+++ b/scripts/remote-deploy.sh
@@ -1,8 +0,0 @@
 #!/bin/sh
 set -e
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 : ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
 rsync -avz . "root@$CHATMAIL_SSH:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
 ssh "root@$CHATMAIL_SSH" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -1,4 +0,0 @@
 #!/bin/bash
 venv/bin/tox -c chatmaild
 venv/bin/tox -c deploy-chatmail
 venv/bin/pytest tests/online -rs -vrx --durations=5 $@
--- a/tests/chatmaild/test_filtermail.py
+++ b/tests/chatmaild/test_filtermail.py
@@ -1,82 +0,0 @@
 from chatmaild.filtermail import check_encrypted, check_DATA, SendRateLimiter, check_mdn
 import pytest
@pytest.fixture
 def maildomain():
    # let's not depend on a real chatmail instance for the offline tests below
    return "chatmail.example.org"
 def test_reject_forged_from(maildata, gencreds):
    class env:
        mail_from = gencreds()[0]
        rcpt_tos = [gencreds()[0]]
    # test that the filter lets good mail through
    env.content = maildata("plain.eml", from_addr=env.mail_from).as_bytes()
    assert not check_DATA(envelope=env)
    # test that the filter rejects forged mail
    env.content = maildata("plain.eml", from_addr="forged@c3.testrun.org").as_bytes()
    error = check_DATA(envelope=env)
    assert "500" in error
 def test_filtermail_no_encryption_detection(maildata):
    msg = maildata("plain.eml")
    assert not check_encrypted(msg)
    # https://xkcd.com/1181/
    msg = maildata("fake-encrypted.eml")
    assert not check_encrypted(msg)
 def test_filtermail_encryption_detection(maildata):
    msg = maildata("encrypted.eml")
    assert check_encrypted(msg)
    # if the subject is not "..." it is not considered ac-encrypted
    msg.replace_header("Subject", "Click this link")
    assert not check_encrypted(msg)
 def test_filtermail_is_mdn(maildata, gencreds):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    msg = maildata("mdn.eml", from_addr, to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert check_mdn(msg, env)
    print(msg.as_string())
    assert not check_DATA(env)
 def test_filtermail_to_multiple_recipients_no_mdn(maildata, gencreds):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    thirdaddr = gencreds()[0]
    msg = maildata("mdn.eml", from_addr, to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr, thirdaddr]
        content = msg.as_bytes()
    assert not check_mdn(msg, env)
 def test_send_rate_limiter():
    limiter = SendRateLimiter()
    for i in range(100):
        if limiter.is_sending_allowed("some@example.org"):
            if i <= SendRateLimiter.MAX_USER_SEND_PER_MINUTE:
                continue
            pytest.fail("limiter didn't work")
        else:
            assert i == SendRateLimiter.MAX_USER_SEND_PER_MINUTE + 1
            break
--- a/www/nine.testrun.org/collage-bg.png
+++ b/www/nine.testrun.org/collage-bg.png
--- a/www/nine.testrun.org/collage-down.png
+++ b/www/nine.testrun.org/collage-down.png
--- a/www/nine.testrun.org/collage-top.png
+++ b/www/nine.testrun.org/collage-top.png
--- a/www/nine.testrun.org/index.html
+++ b/www/nine.testrun.org/index.html
@@ -1,75 +0,0 @@
 <!DOCTYPE html>
 <html>
 <head>
    <meta charset="utf-8" />
    <title>nine.testrun.org - Experimenting with the Future of Email</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <style>
        .wrapper {
            width: 100%;
            max-width: 596px;
            margin: 0 auto;
        }
        .section {
            width: 100%;
            max-width: 596px;
        }
        .text {
            box-sizing: border-box;
            padding: 9px;
            font-size: 18px;
            font-family: "Swansea", "Helvetica", sans-serif;
            color: black;
        }
        a {
            color: black;
        }
        h1, h2, h3 {
            font-size: 18px;
            font-weight: bold;
        }
    </style>
 </head>
 <body>
    <div class="wrapper">
        <img class="section" src="collage-top.png" />
        <div class="section text">
            <h1>Dear Delta Chat users and newcomers,</h1>
            <p>
                welcome to the first public "chat-mail instance",
                a small and lean e-mail provider for smooth chatting.
                Install Delta Chat or add an account:
            <ul>
                <li>Tap "LOG INTO YOUR E-MAIL ACCOUNT".</li>
                <li>Address: invent a word with <i>exactly</i> nine characters
                and append @nine.testrun.org to it.</li>
                <li>Password: invent at least 10 characters. The first login sets your password.</li>
            </ul>
                If the e-mail address is not yet taken, you'll get that account.
            </p>
            <p>
            <img class="section" src="collage-down.png" />
            <h2>What's behind it, how does it operate?</h2>
            <p>nine.testrun.org is run
                by a small group of devs and sysadmins, reachable via root@.
                They want to keep this instance running at least until end 2024.
                Current limits:
            <ul>
            <li>Un-encrypted mails can not leave the chat-mail instance.</li>
            <li>Use <a href="https://delta.chat/en/help#howtoe2ee">
                guaranteed end-to-end encryption via QR code scans</a>
                to setup contact with users outside of the chat-mail instance.
            </li>
            <li>You may send up to 60 messages per minute.</li>
            <li>Messages are unconditionally removed 40 days after arrival.</li>
            <li>Max storage per user is 100MB.</li>
            </ul>
            <h2>Why are other email providers 1000 times more complicated?</h2>
            <p>¯\_(ツ)_/¯</p>
        </div>
    </div>
 </body>
 </html>
--- a/www/src/collage-info.png
+++ b/www/src/collage-info.png
--- a/www/src/collage-privacy.png
+++ b/www/src/collage-privacy.png
--- a/www/src/collage-top.png
+++ b/www/src/collage-top.png
--- a/www/src/index.md
+++ b/www/src/index.md
@@ -0,0 +1,20 @@
 <img class="banner" src="collage-top.png"/>
 ## Dear [Delta Chat](https://get.delta.chat) users and newcomers, 
 Welcome to instant, interoperable and [privacy-preserving](privacy.html) messaging :) 
 👉 **Tap** or scan this QR code to get a random `@{{config.mail_domain}}` e-mail address
 <a href="DCACCOUNT:https://{{ config.mail_domain }}/cgi-bin/newemail.py">
    <img width=300 style="float: none;" src="qr-chatmail-invite-{{config.mail_domain}}.png" /></a>
 🐣 **Choose** your Avatar and Name
 💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
 <div class="experimental">Note: this is an experimental service</div>
--- a/www/src/info.md
+++ b/www/src/info.md
@@ -0,0 +1,39 @@
 <img class="banner" src="collage-info.png"/>
 ## More information 
 ### Choosing a chatmail address instead of using a random one
 In the Delta Chat account setup 
 you may tap `LOG INTO YOUR E-MAIL ACCOUNT` 
 and fill the two fields like this: 
 - `Address`: invent a word with *exactly* nine characters 
   and append `@{{config.mail_domain}}` to it. 
 - `Password`: invent at least 9 characters. 
 If the e-mail address is not yet taken, you'll get that account. 
 The first login sets your password. 
 ### Rate and storage limits 
 - Un-encrypted messages are blocked to recipients outside
  {{config.mail_domain}} but setting up contact via [QR invite codes](https://delta.chat/en/help#howtoe2ee) 
  allows your messages to pass freely to any outside recipients.
 - You may send up to 60 messages per minute
 - Messages are unconditionally removed 40 days after arriving on the server
 - You can store up to [100MB messages on the server](https://delta.chat/en/help#what-happens-if-i-turn-on-delete-old-messages-from-server)
 ### Who are the operators? Which software is running? 
 This chatmail provider is run by a small voluntary group of devs and sysadmins,
 who [publically develop chatmail provider setups](https://github.com/deltachat/chatmail).
 Chatmail setups aim to be very low-maintenance, resource efficient and 
 interoperable with any other standards-compliant e-mail service. 
--- a/www/src/logo.svg
+++ b/www/src/logo.svg
@@ -0,0 +1,44 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg
   width="145"
   height="145"
   version="1.1"
   id="svg4"
   sodipodi:docname="At_sign.svg"
   inkscape:version="1.2.2 (b0a84865, 2022-12-01)"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:svg="http://www.w3.org/2000/svg">
  <defs
     id="defs8" />
  <sodipodi:namedview
     id="namedview6"
     pagecolor="#ffffff"
     bordercolor="#000000"
     borderopacity="0.25"
     inkscape:showpageshadow="2"
     inkscape:pageopacity="0.0"
     inkscape:pagecheckerboard="0"
     inkscape:deskcolor="#d1d1d1"
     showgrid="false"
     inkscape:zoom="3.0241379"
     inkscape:cx="67.622577"
     inkscape:cy="72.913341"
     inkscape:window-width="1390"
     inkscape:window-height="1027"
     inkscape:window-x="55"
     inkscape:window-y="25"
     inkscape:window-maximized="0"
     inkscape:current-layer="svg4" />
  <g
     aria-label="@"
     id="text2"
     style="font-size:144px;font-family:Arial">
    <path
       d="m 79.927878,94.422406 c -2.704286,3.120332 -5.741407,5.637394 -9.111364,7.551194 -3.328352,1.87221 -6.677506,2.80831 -10.047463,2.80831 -3.702792,0 -7.301573,-1.08172 -10.796342,-3.24515 -3.49477,-2.163426 -6.344671,-5.491779 -8.549704,-9.985058 -2.163429,-4.493275 -3.245144,-9.423397 -3.245144,-14.790365 0,-6.615099 1.684978,-13.230199 5.054935,-19.845299 3.411561,-6.656705 7.634407,-11.649233 12.66854,-14.977585 5.034133,-3.328352 9.92265,-4.992528 14.665552,-4.992528 3.619583,0 7.072748,0.956901 10.359496,2.870704 3.286748,1.872198 6.115847,4.742902 8.487297,8.612111 l 2.121825,-9.673023 h 11.170784 l -8.986557,41.87483 c -1.248129,5.824616 -1.872194,9.048957 -1.872194,9.673023 0,1.123319 0.416044,2.101022 1.248132,2.93311 0.873692,0.790484 1.913802,1.185726 3.120332,1.185726 2.20503,0 5.096537,-1.268934 8.674517,-3.806803 4.7429,-3.328352 8.4873,-7.780023 11.23319,-13.355013 2.78749,-5.616594 4.18124,-11.399606 4.18124,-17.349035 0,-6.947935 -1.78899,-13.438222 -5.36697,-19.47086 -3.53637,-6.032638 -8.84094,-10.858749 -15.913687,-14.478332 -7.03114,-3.619583 -14.811161,-5.429374 -23.340064,-5.429374 -9.73543,0 -18.638772,2.288242 -26.710026,6.864726 -8.029649,4.534879 -14.27031,11.06677 -18.721981,19.595673 -4.410066,8.487298 -6.615099,17.598662 -6.615099,27.334092 0,10.193078 2.205033,18.971607 6.615099,26.33559 2.290454,3.78888 -7.136335,18.96983 -3.810585,21.73443 3.138096,2.60861 18.971963,-7.14297 23.031819,-5.44631 8.404089,3.53637 17.702673,5.30456 27.895752,5.30456 10.90035,0 20.032515,-1.83059 27.396492,-5.49178 7.36399,-3.66119 12.87657,-8.11286 16.53776,-13.35501 l 9.29559,4 c -2.12183,4.36846 -3.76221,4.82013 -8.92116,9.35501 -5.15895,4.53488 -11.2956,8.11286 -18.40995,10.73393 -7.114346,2.66268 -15.684851,3.99402 -25.711512,3.99402 -9.236177,0 -17.76508,-1.18572 -25.586707,-3.55717 -7.780023,-2.37145 -29.296198,9.26152 -34.78798,4.47701 -5.49178,-4.7429 5.248856,-25.42482 2.461361,-31.62388 -3.49477,-7.863231 -5.242155,-16.350531 -5.242155,-25.461894 0,-10.151474 2.08022,-19.824498 6.240661,-29.019071 5.075736,-11.274793 12.273297,-19.907706 21.592683,-25.898739 9.360991,-5.991034 20.69819,-8.986551 34.011599,-8.986551 10.317891,0 19.574873,2.121824 27.77093,6.365473 8.23767,4.202045 14.72796,10.484309 19.47086,18.846794 4.03563,7.197561 6.05344,15.019189 6.05344,23.464883 0,12.065277 -4.24365,22.77841 -12.73094,32.1394 -7.572,8.404095 -15.85128,12.606135 -24.837827,12.606135 -2.870704,0 -5.200551,-0.43684 -6.98954,-1.31053 -1.747385,-0.8737 -3.037121,-2.12183 -3.869209,-3.744402 -0.540857,-1.040114 -0.936099,-2.829105 -1.185726,-5.366972 z M 49.723082,77.510217 c 0,5.699803 1.352143,10.130671 4.05643,13.292606 2.704286,3.161935 5.803814,4.742902 9.298583,4.742902 2.329847,0 4.784506,-0.686473 7.363979,-2.059418 2.579473,-1.41455 5.034133,-3.49477 7.363979,-6.240661 2.371451,-2.74589 4.306056,-6.219857 5.803815,-10.421902 1.497759,-4.243649 2.246638,-8.487298 2.246638,-12.730947 0,-5.658198 -1.41455,-10.047462 -4.243649,-13.167793 -2.787495,-3.12033 -6.199056,-4.680495 -10.234683,-4.680495 -2.662682,0 -5.179749,0.686473 -7.5512,2.059418 -2.329846,1.331341 -4.597286,3.494769 -6.802319,6.490286 -2.205033,2.995517 -3.97322,6.635903 -5.304561,10.921156 -1.331341,4.285253 -1.997012,8.216869 -1.997012,11.794848 z"
       id="path347"
       style="stroke-width:0.887561"
       sodipodi:nodetypes="ccsscscsscccccscsccsccsccscscssccscscccsccsccscscccssscccscscsss" />
  </g>
 </svg>
--- a/www/src/main.css
+++ b/www/src/main.css
@@ -0,0 +1,31 @@
 #menu {
  display: flex;
  flex-wrap: wrap;
  padding: 0;
 }
 #menu li {
  display: inline-block;
  padding-right: 0.5em;
 }
 #domain {
  margin-left: auto;
 }
 #domain a {
  color: #888;
 }
 .banner {
  width: 100%;
 }
 .experimental {
  margin: 3em 0;
  padding: 1em;
  border: 4px dashed red;
  color: red;
  font-weight: bold;
 }
--- a/www/src/page-layout.html
+++ b/www/src/page-layout.html
@@ -0,0 +1,27 @@
 <!DOCTYPE html>
 <html>
 <head>
    <meta charset="utf-8" />
    {% if config.webdev %}
    <meta http-equiv="refresh" content="3">
    {% endif %}
    <title>{{ config.mail_domain }} {{ pagename }}</title>
    <link rel="stylesheet" href="./water.css">
    <link rel="stylesheet" href="./main.css">
    <link rel="icon" href="/logo.svg">
    <link rel=”mask-icon” href=”/logo.svg” color=”#000000">
 </head>
 <body>
 <ul id="menu">
    <li><a href="index.html">home</a></li>
    <li><a href="info.html">info</a></li>
    <li><a href="privacy.html">privacy</a></li>
    <li><a href="https://github.com/deltachat/chatmail">public code ↗</a></li>
    <li id="domain"><a href="index.html">{{ config.mail_domain }}</a></li>
 </ul>
 {{ markdown_html }}
 </body>
 </html>
--- a/www/src/privacy.md
+++ b/www/src/privacy.md
@@ -0,0 +1,321 @@
 <img class="banner" src="collage-privacy.png"/>
 # Privacy Policy for {{ config.mail_domain }} 
 We want to show you in a fair and transparent way
 what personal data is processed by us.
 We follow a strict privacy-by-design approach
 and try to avoid processing your data in the first place,
 but as you may know,
 the internet, 
 and in particular sending e-mail messages,
 does not work without data.
 Still,
 it's only fair that you know at all times
 what personal data is processed
 when you use our service.
 If you have any remaining questions about data protection, please contact us. 
 ## 1. Name and contact information 
 Responsible for the processing of your personal data is:
 ```
 {{ config.privacy_postal }}
 ```
 E-mail: {{ config.privacy_mail }}
 We have appointed a data protection officer:
 ```
 {{ config.privacy_pdo }}
 ```
 ## 2. Processing when using chat e-mail services
 We provide e-mail services optimized for the use from [Delta Chat](https://delta.chat) apps 
 and process only the data necessary
 for the setup and technical execution of the e-mail dispatch.
 The purpose of the processing is to
 read, write, manage, delete, send, and receive emails.
 For this purpose,
 we operate server-side software
 that enables us to send and receive e-mail messages.
 Allowing the use of the e-mail service,
 we process the following data and details:
 - Outgoing and incoming messages (SMTP) are stored for transit 
  on behalf of their users until the message can be delivered.
 - E-Mail-Messages are stored for the recipient and made accessible via IMAP protocols,
  until explicitly deleted by the user or until a fixed time period is exceeded,
  (*usually 4-8 weeks*).
 - IMAP and SMTP protocols are password protected with unique credentials for each account.
 - Users can retrieve or delete all stored messages 
  without intervention from the operators using standard IMAP client tools.
 ### 3.1 Account setup
 Creating an account happens in one of two ways on our mail servers: 
 - with a QR invitation token 
  which is scanned using the DeltaChat app
  and then the account is created.
 - by letting Delta Chat otherwise create an account 
  and register it with a {{ config.mail_domain }} mail server. 
 In either case, we process the newly created email address.
 No phone numbers,
 other email addresses,
 or other identifiable data
 is currently required.
 The legal basis for the processing is
 Art. 6 (1) lit. b GDPR,
 as you have a usage contract with us
 by using our services.
 ## 3.2 Processing of E-Mail-Messages
 In addition,
 we will process data
 to keep the server infrastructure operational
 for purposes of e-mail dispatch
 and abuse prevention.
 - Therefore,
  it is necessary to process the content and/or metadata
  (e.g., headers of the email as well as smtp chatter)
  of E-Mail-Messages in transit. 
 - We will keep logs of messages in transit for a limited time.
  These logs are used to debug delivery problems and software bugs.
 In addition,
 we process data to protect the systems from excessive use.
 Therefore, limits are enforced:
 - rate limits
 - storage limits
 - message size limits
 - any other limit neccessary for the whole server to function in a healthy way
  and to prevent abuse.
 The processing and use of the above permissions
 are performed to provide the service.
 The data processing is necessary for the use of our services,
 therefore the legal basis of the processing is
 Art. 6 (1) lit. b GDPR,
 as you have a usage contract with us
 by using our services.
 The legal basis for the data processing
 for the purposes of security and abuse prevention is
 Art. 6 (1) lit. f GDPR.
 Our legitimate interest results
 from the aforementioned purposes.
 We will not use the collected data
 for the purpose of drawing conclusions
 about your person.
 ## 3. Processing when using our Website
 When you visit our website,
 the browser used on your end device
 automatically sends information to the server of our website.
 This information is temporarily stored in a so-called log file.
 The following information is collected and stored
 until it is automatically deleted
 (*usually 7 days*):
 - used type of browser,
 - used operating system, 
 - access date and time as well as
 - country of origin and IP address, 
 - the requested file name or HTTP resource,
 - the amount of data transferred,
 - the access status (file transferred, file not found, etc.) and
 - the page from which the file was requested.
 This website is hosted by an external service provider (hoster).
 The personal data collected on this website is stored
 on the hoster's servers.
 Our hoster will process your data
 only to the extent necessary to fulfill its obligations
 to perform under our instructions.
 In order to ensure data protection-compliant processing,
 we have concluded a data processing agreement with our hoster.
 The aforementioned data is processed by us for the following purposes:  
 - Ensuring a reliable connection setup of the website,
 - ensuring a convenient use of our website,
 - checking and ensuring system security and stability, and
 - for other administrative purposes.
 The legal basis for the data processing is
 Art. 6 (1) lit. f GDPR.
 Our legitimate interest results
 from the aforementioned purposes of data collection.
 We will not use the collected data
 for the purpose of drawing conclusions about your person.
 ## 4. Transfer of Data
 Your personal data
 will not be transferred to third parties
 for purposes other than those listed below:
 a) you have given your express consent
 in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR,  
 b) the disclosure is necessary for the assertion, exercise or defence of legal claims
 pursuant to Art. 6 (1) sentence 1 lit. f GDPR
 and there is no reason to assume that you have
 an overriding interest worthy of protection
 in the non-disclosure of your data,  
 c) in the event that there is a legal obligation to disclose your data
 pursuant to Art. 6 para. 1 sentence 1 lit. c GDPR,
 as well as  
 d) this is legally permissible and necessary
 in accordance with Art. 6 Para. 1 S. 1 lit. b GDPR
 for the processing of contractual relationships with you,  
 e) this is carried out by a service provider
 acting on our behalf and on our exclusive instructions,
 whom we have carefully selected (Art. 28 (1) GDPR)
 and with whom we have concluded a corresponding contract on commissioned processing (Art. 28 (3) GDPR),
 which obliges our contractor,
 among other things,
 to implement appropriate security measures
 and grants us comprehensive control powers.
 ## 5. Rights of the data subject
 The rights arise from Articles 12 to 23 GDPR.
 Since no personal data is stored on our servers,
 even in encrypted form,
 there is no need to provide information
 on these or possible objections.
 A deletion can be made
 directly in the Delta Chat email messenger.
 a) request information about your personal data processed by us
 in accordance with Art. 15 GDPR.
 In particular,
 you can request information about the processing purposes,
 the category of personal data,
 the categories of recipients to whom your data have been or will be disclosed,
 the planned storage period,
 the existence of a right to rectification, erasure, restriction of processing or objection,
 the existence of a right of complaint,
 the origin of your data if it has not been collected by us,
 as well as the existence of automated decision-making including profiling
 and, if applicable,
 meaningful information about its details;  
 b) in accordance with Art. 16 of the GDPR,
 immediately request the correction
 of inaccurate or incomplete personal data stored by us;  
 c) pursuant to Article 17 of the GDPR,
 to request the erasure of your personal data stored by us,
 unless the processing is necessary
 for the exercise of the right to freedom of expression and information,
 for compliance with a legal obligation,
 for reasons of public interest,
 or for the establishment, exercise or defence of legal claims;  
 d) pursuant to Art. 18 GDPR,
 to request the restriction of the processing of your personal data,
 insofar as the accuracy of the data is disputed by you,
 the processing is unlawful,
 but you object to its erasure
 and we no longer require the data,
 but you need it for the assertion, exercise or defence of legal claims
 or you have objected to the processing pursuant to Art. 21 GDPR;  
 e) pursuant to Art. 20 GDPR,
 to receive your personal data that you have provided to us
 in a structured, common and machine-readable format
 or to request that it be transferred to another controller;  
 f) in accordance with Art. 7 (3) of the GDPR,
 to revoke your consent given to us at any time.
 This has the consequence that we may no longer continue the data processing
 based on this consent in the future; and  
 g) complain to a supervisory authority
 in accordance with Article 77 of the GDPR.
 As a rule,
 you can contact the supervisory authority of your usual place of residence
 or workplace
 or our registered office for this purpose.
 The supervisory authority responsible for our place of business
 is the `{{ config.privacy_supervisor }}`.
 If you have any questions or complaints, please feel free to contact us by email:  
 {{ config.privacy_mail }}
 ### 5.1 Right to object
 If your personal data is processed on the basis of our legitimate interests
 in accordance with Art. 6 (1) lit. f GDPR,
 you have the right to object to the processing of your personal data
 in accordance with Art. 21 GDPR,
 provided that there are grounds for this based on your particular situation
 or the objection is directed against direct advertising.
 In the latter case,
 you have a general right of objection,
 which will be implemented by us
 without specifying a particular situation.
 If you wish to exercise your right of objection,
 simply send an e-mail to: {{ config.privacy_mail }}
 ### 5.2 Right to withdraw
 If your personal data is processed on the basis of your consent
 in accordance with Art. 6 (1) lit. a GDPR
 (e.g. via the mailing list),
 you can withdraw your consent at any time
 and without any disadvantages.
 As a result,
 we may no longer continue the data processing
 that was based on this consent for the future.
 However,
 the withdrawal of your consent
 does not affect the lawfulness of the processing
 carried out on the basis of the consent until the withdrawal.
 If you wish to make use of your right of withdrawal,
 simply send an e-mail to: {{ config.privacy_mail }}
 ## 6. Validity of this privacy policy 
 This data protection declaration is valid
 as of *December 2023*.
 Due to the further development of our service and offers
 or due to changed legal or official requirements,
 it may become necessary to revise this data protection declaration from time to time.
--- a/www/src/water.css
+++ b/www/src/water.css
Author	SHA1	Message	Date
B. Petersen	9667fe661c	make 'experimental' more outstanding	2023-12-12 19:46:26 +01:00
B. Petersen	3141431ee3	use a class for the banner, make sure it is always width of page	2023-12-12 19:39:30 +01:00
B. Petersen	ac2517df4b	add domain right of the menu, standardize menu help-code	2023-12-12 19:27:39 +01:00
B. Petersen	f467d7bcd1	move menu up	2023-12-12 18:48:24 +01:00
missytake	3cd4265c94	www: add favicon	2023-12-11 18:26:50 +01:00
holger krekel	8e6869d8e3	move tests into cmdeploy	2023-12-11 18:12:23 +01:00
holger krekel	d6df0f0604	rename deploy_chatmail to cmdeploy	2023-12-11 18:12:23 +01:00
missytake	cad1d32682	mta-sts-resolver: fix virtualenv deployment	2023-12-11 17:54:22 +01:00
holger krekel	fd10652f48	fix event waiting in a test	2023-12-11 17:07:07 +01:00
holger krekel	02918de6c1	rename mailname to mail_domain everywhere	2023-12-11 17:07:07 +01:00
holger krekel	e27dd84501	show PATH env	2023-12-11 15:52:12 +01:00
holger krekel	cdbda291c5	fix cmdeploy test command	2023-12-11 15:52:12 +01:00
holger krekel	d70eb78a76	remove tox run from deploy-chatmail and use 'cmdeploy fmt' and 'pytest' directly	2023-12-11 15:52:12 +01:00
holger krekel	a5e4562505	move tests/chatmaild to chatmaild package, streamline tests and fixtures accordingly	2023-12-11 15:52:12 +01:00
holger krekel	3f2eb84323	fix tests and run all tests on "cmdeploy test"	2023-12-11 15:52:12 +01:00
holger krekel	613d3e14ea	discover chatmail.ini in tests from CWD and all parent dirs (tox runs change dirs)	2023-12-11 15:52:12 +01:00
holger krekel	453c401ac6	"cmdeploy test" now installs deltachat if it's not there	2023-12-11 15:52:12 +01:00
holger krekel	8b756f2e0c	consistently use shell helper	2023-12-11 15:52:12 +01:00
holger krekel	9e9d5b7698	consistently show ssh/shell output	2023-12-11 15:52:12 +01:00
holger krekel	02adb758ff	add "build" dependency	2023-12-11 15:52:12 +01:00
holger krekel	ffade66d97	always show which ssh-commands execute	2023-12-11 15:52:12 +01:00
holger krekel	988333d5fd	some more shifting around	2023-12-11 15:52:12 +01:00
holger krekel	db41e952e3	shift functions around, discover sub commands automatically	2023-12-11 15:52:12 +01:00
holger krekel	bb1b11df15	make tests depend on chatmail.ini, not env var	2023-12-11 15:52:12 +01:00
holger krekel	b3fdebf8df	tweak for making CI happy	2023-12-11 15:52:12 +01:00
holger krekel	4615df2e3b	try to fix workflow	2023-12-11 15:52:12 +01:00
holger krekel	73d8e01452	don't print a traceback but do a proper return code for "cmdeploy test"	2023-12-11 15:52:12 +01:00
holger krekel	bf8a99d844	add chatmail.ini to ignore	2023-12-11 15:52:12 +01:00
holger krekel	cb19ac34e3	add manifest so that ini files get included	2023-12-11 15:52:12 +01:00
holger krekel	15e5573ab4	address nami comment	2023-12-11 15:52:12 +01:00
holger krekel	74f5b2847f	fix readme	2023-12-11 15:52:12 +01:00
holger krekel	e417e43c54	add test command	2023-12-11 15:52:12 +01:00
holger krekel	158ebe1089	fix README	2023-12-11 15:52:12 +01:00
holger krekel	5fb7833677	add status command and delete last script	2023-12-11 15:52:12 +01:00
holger krekel	587d8142d2	some more housekeeping	2023-12-11 15:52:12 +01:00
holger krekel	a6d24b3af7	introduce "cmdeploy bench"	2023-12-11 15:52:12 +01:00
holger krekel	d730af2e69	cleanup	2023-12-11 15:52:12 +01:00
holger krekel	99b1e18b0a	generate dns zone file via cmdeploy	2023-12-11 15:52:12 +01:00
holger krekel	6012039c56	add dns command beginning	2023-12-11 15:52:12 +01:00
holger krekel	f388e86287	make cmdeploy test work	2023-12-11 15:52:12 +01:00
holger krekel	d3ca037ebf	snap	2023-12-11 15:52:12 +01:00
holger krekel	00a203c9aa	fix various test setups	2023-12-11 15:52:12 +01:00
holger krekel	6bffb5470d	add webdev sub command	2023-12-11 15:52:12 +01:00
holger krekel	81c4a6170f	making it work	2023-12-11 15:52:12 +01:00
holger krekel	6285283b02	rework UI for chatmail setup	2023-12-11 15:52:12 +01:00
holger krekel	b71e24d6a1	draft init flow	2023-12-11 15:52:12 +01:00
holger krekel	a4e48c9919	document some attributes in chatmail.ini	2023-12-11 15:52:12 +01:00
holger krekel	bc27eb58bf	get passthrough_recipients list from config	2023-12-11 15:52:12 +01:00
holger krekel	1b1f9365c9	various fixes	2023-12-11 15:52:12 +01:00
holger krekel	d8c8040f07	introduce basic config file	2023-12-11 15:52:12 +01:00
holger krekel	652b9688d3	deploy chatmaild in a virtualenv to make it easier to add dependencies	2023-12-08 21:55:18 +01:00
holger krekel	59c3730d84	fix data fixture access	2023-12-08 20:47:49 +01:00
holger krekel	84db074686	fix README link	2023-12-08 14:59:17 +01:00
holger krekel	7eec0ab301	tweak QR code generation	2023-12-08 14:56:48 +01:00
holger krekel	7cb8f90340	create a wwwdev.sh entry point for helping live web design/development (#92 ) * create a wwwdev.sh entry point for developing the web part * rename script * fix README * add a note * don't depend on deltachat python package * avoid bailing out on jinja2 errors, and provide file-url for instant clickability * in webdev mode make page auto-refresh every 3 seconds	2023-12-08 14:32:40 +01:00
missytake	32360061b4	filtermail: address hpk's comments	2023-12-08 12:23:10 +01:00
missytake	2055e9f5b8	filtermail: always allow privacy@testrun.org	2023-12-08 12:23:10 +01:00
holger krekel	8cb77d3b98	be fine with 9 chars for password already	2023-12-07 17:34:19 +01:00
holger krekel	c67fb69af2	Parametrized privacy policy, unified and refined nine/non-nine landing pages (#89 ) - move web sources to markdown - integrate privacy policy template - create and use chatmail.ini file to driving web-page generation Co-authored-by: missytake <missytake@systemli.org> --------- Co-authored-by: missytake <missytake@systemli.org>	2023-12-07 13:52:00 +01:00
holger krekel	960bc1599b	add missing simple test file for generating a qr code	2023-12-06 11:00:07 +01:00
holger krekel	0f05216ea0	mention QRcode in readme and modify nine.testrun.org index page to include it	2023-12-05 14:22:42 +01:00
holger krekel	75551224b3	revert unneccessary reformatting and unused file	2023-12-05 14:22:42 +01:00
holger krekel	0b8de41da2	put index.html into www/ dir, as it's not config	2023-12-05 14:22:42 +01:00
holger krekel	f9b5783296	streamline text to be less redundant	2023-12-05 14:22:42 +01:00
holger krekel	d3281cc746	Update deploy-chatmail/src/deploy_chatmail/nginx/index.html.j2 Co-authored-by: missytake <missytake@systemli.org> use example config as recommended by fcgiwrap/README.debian	2023-12-05 14:22:42 +01:00
holger krekel	4c7e39c10c	add origin of genqr code	2023-12-05 14:22:42 +01:00
holger krekel	7b3c1d5ab9	streamline index.html	2023-12-05 14:22:42 +01:00
holger krekel	2d5eb86776	make QR code clickable, verified it works on android and desktop	2023-12-05 14:22:42 +01:00
holger krekel	5c9d9a98b3	works	2023-12-05 14:22:42 +01:00
missytake	5eb5c09052	redirect HTTPS traffic to HTTPS. fix #81	2023-11-28 16:40:19 +01:00
missytake	a86e135967	opendkim: correctly specify SigningTable in opendkim.conf	2023-11-26 07:40:25 +01:00
missytake	776bd87888	moved mta-sts-resolver to /usr/local/lib	2023-11-25 00:39:27 +01:00
link2xt	d7683ed3f7	Move ssl_certificate back to http and fix indentation	2023-11-25 00:39:27 +01:00
missytake	0cc9f18468	acmetool: request one TLS cert for all domains	2023-11-25 00:39:27 +01:00
missytake	889e18f803	generate-dns-zone.sh doesn't need to support CHATMAIL_SERVER env var for now, let's assume A/AAAA point to the chatmail server, too	2023-11-25 00:39:27 +01:00
missytake	773b8d1e00	MTA-STS: fixing lint issues	2023-11-25 00:39:27 +01:00
missytake	dca6d35a6f	MTA-STS: adding correct line breaks to config	2023-11-25 00:39:27 +01:00
missytake	d29d2d147b	MTA-STS: the HTTPS route needs to be mta-sts.@ not _mta-sts	2023-11-25 00:39:27 +01:00
missytake	347dae1f84	MTA-STS: CNAME doesn't work, it needs to be A and AAAA	2023-11-25 00:39:27 +01:00
missytake	63cbb83344	fix: hetzner doesn't accept whitespace in TXT and CAA records apparently	2023-11-25 00:39:27 +01:00
missytake	27d135fee7	python3-venv was missing	2023-11-25 00:39:27 +01:00
missytake	ccd7c789f0	postfix: install MTA-STS resolver daemon	2023-11-25 00:39:27 +01:00
missytake	c7625fad81	DNS: distinguish between mail_server and mail_domain	2023-11-25 00:39:27 +01:00
missytake	5305dfab12	Added MTA-STS records and .well-known file	2023-11-25 00:39:27 +01:00
holger krekel	4478270fc9	properly call logging.exception	2023-11-20 22:54:15 +01:00
holger krekel	e7c9992fdc	it's unclear what this limit really means -- with ipv6 one can easily create lots of IP addresses anyway	2023-11-20 22:54:15 +01:00
holger krekel	a9d43c42f4	- tune down logging for filtermail - allow higher smtp connection limit	2023-11-20 22:54:15 +01:00
holger krekel	bbf2f0dd36	with help/side-comments from alex i fixed the concurrent account creation problem	2023-11-20 22:54:15 +01:00