added full path to tox

2026-05-12 17:14:36 +00:00 · 2023-10-24 21:53:23 +02:00
15 changed files with 52 additions and 173 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -159,5 +159,3 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
 chatmail.zone
--- a/README.md
+++ b/README.md
@@ -10,17 +10,14 @@ comprised of a minimal setup of the battle-tested
    scripts/init.sh 
-2. setup a domain with `A` and `AAAA` records for your chatmail server
+2. set environment variable to the chatmail domain you want to setup:
 3. set environment variable to the chatmail domain you want to setup:
    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
-4. run the deploy of the chat mail instance: 
+3. run the deploy of the chat mail instance: 
    scripts/deploy.sh 
 5. run `scripts/generate-dns-zone.sh` and create the generated DNS records at your DNS provider
 ## Running tests and benchmarks (offline and online) 
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -21,40 +21,15 @@ def encrypt_password(password: str):
    return "{SHA512-CRYPT}" + passhash
-def is_allowed_to_create(user, cleartext_password) -> bool:
+def create_user(db, user, password):
    """Return True if user and password are admissable."""
    if os.path.exists(NOCREATE_FILE):
-        logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
+        logging.warning(
-        return False
+            f"Didn't create account: {NOCREATE_FILE} exists. Delete the file to enable account creation."
-
+        )
-    if len(cleartext_password) < 10:
+        return
        logging.warning("Password needs to be at least 10 characters long")
        return False
    parts = user.split("@")
    if len(parts) != 2:
        logging.warning(f"user {user!r} is not a proper e-mail address")
        return False
    localpart, domain = parts
    if domain == "nine.testrun.org":
        # nine.testrun.org policy, username has to be exactly nine chars
        if len(localpart) != 9:
            logging.warning(f"localpart {localpart!r} has not exactly nine chars")
            return False
    return True
 def create_user(db, user, encrypted_password):
    with db.write_transaction() as conn:
-        conn.create_user(user, encrypted_password)
+        conn.create_user(user, password)
-    return dict(
+    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
        home=f"/home/vmail/{user}",
        uid="vmail",
        gid="vmail",
        password=encrypted_password,
    )
 def get_user_data(db, user):
@@ -70,13 +45,10 @@ def lookup_userdb(db, user):
    return get_user_data(db, user)
-def lookup_passdb(db, user, cleartext_password):
+def lookup_passdb(db, user, password):
    userdata = get_user_data(db, user)
    if not userdata:
-        if not is_allowed_to_create(user, cleartext_password):
+        return create_user(db, user, encrypt_password(password))
            return
        encrypted_password = encrypt_password(cleartext_password)
        userdata = create_user(db=db, user=user, encrypted_password=encrypted_password)
    userdata["password"] = userdata["password"].strip()
    return userdata
@@ -100,7 +72,7 @@ def handle_dovecot_request(msg, db, mail_domain):
                    reply_command = "N"
            elif type == "passdb":
                if user.endswith(f"@{mail_domain}"):
-                    res = lookup_passdb(db, user, cleartext_password=args[0])
+                    res = lookup_passdb(db, user, password=args[0])
                if res:
                    reply_command = "O"
                else:
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -4,8 +4,8 @@ Chat Mail pyinfra deploy.
 import importlib.resources
 from pathlib import Path
-from pyinfra import host
+from pyinfra import host, logger
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, files, server, systemd, python
 from pyinfra.facts.files import File
 from .acmetool import deploy_acmetool
@@ -70,36 +70,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= main_config.changed
    files.directory(
        name="Add opendkim directory to /etc",
        path="/etc/opendkim",
        user="opendkim",
        group="opendkim",
        mode="750",
        present=True,
    )
    keytable = files.template(
        src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"),
        dest="/etc/dkimkeys/KeyTable",
        user="opendkim",
        group="opendkim",
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= keytable.changed
    signing_table = files.template(
        src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"),
        dest="/etc/dkimkeys/SigningTable",
        user="opendkim",
        group="opendkim",
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
    need_restart |= signing_table.changed
    files.directory(
        name="Add opendkim socket directory to /var/spool/postfix",
@@ -120,6 +90,8 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
            _sudo_user="opendkim",
        )
    need_restart |= main_config.changed
    return need_restart
@@ -183,17 +155,6 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
        mode="644",
    )
    # as per https://doc.dovecot.org/configuration_manual/os/
    # it is recommended to set the following inotify limits
    for name in ("max_user_instances", "max_user_watches"):
        key = f"fs.inotify.{name}"
        server.sysctl(
            name=f"Change {key}",
            key=key,
            value=65535,
            persist=True,
        )
    return need_restart
@@ -331,3 +292,14 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        enabled=True,
        restarted=journald_conf,
    )
    def callback():
        result = server.shell(
            commands=[
                f"""sed 's/\tIN/ 600 IN/;s/\t(//;s/\"$//;s/^\t  \"//g; s/ ).*//' """
                f"""/etc/dkimkeys/{dkim_selector}.txt | tr --delete '\n'"""
            ]
        )
        logger.info(f"Add this TXT entry into DNS zone: {result.stdout}")
    python.call(name="Print TXT entry for DKIM", function=callback)
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
@@ -6,7 +6,7 @@ from deploy_chatmail import deploy_chatmail
 def main():
    mail_domain = os.getenv("CHATMAIL_DOMAIN")
    mail_server = os.getenv("CHATMAIL_SERVER", mail_domain)
-    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "dkim")
+    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "2023")
    assert mail_domain
    assert mail_server
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -118,24 +118,6 @@ service auth-worker {
  user = vmail
 }
 service imap-login {
    # High-security mode.
    # Each process serves a single connection and exits afterwards.
    # This is the default, but we set it explicitly to be sure.
    # See <https://doc.dovecot.org/admin_manual/login_processes/#high-security-mode> for details.
    service_count = 1
    # Inrease the number of simultaneous connections.
    #
    # As of Dovecot 2.3.19.1 the default is 100 processes.
    # Combined with `service_count = 1` it means only 100 connections
    # can be handled simultaneously.
    process_limit = 10000
    # Avoid startup latency for new connections.
    process_min_avail = 10
 }
 ssl = required
 ssl_cert = </var/lib/acme/live/{{ config.hostname }}/fullchain
 ssl_key = </var/lib/acme/live/{{ config.hostname }}/privkey
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
@@ -1 +0,0 @@
 dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
@@ -1 +0,0 @@
 *@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
@@ -1,4 +1,7 @@
-# OpenDKIM configuration.
+# This is a basic configuration for signing and verifying. It can easily be
 # adapted to suit a basic installation. See opendkim.conf(5) and
 # /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
 # documentation of available configuration parameters.
 Syslog			yes
 SyslogSuccess		yes
@@ -18,9 +21,7 @@ OversignHeaders		From
 # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
 Domain			{{ config.domain_name }}
 Selector		{{ config.opendkim_selector }}
-KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
+KeyFile		/etc/dkimkeys/{{ config.opendkim_selector }}.private
 KeyTable          /etc/dkimkeys/KeyTable
 SigningTable      /etc/dkimkeys/SigningTable
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
--- a/scripts/bench.sh
+++ b/scripts/bench.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 set -e
-venv/bin/pytest online-tests/benchmark.py -vrx 
+online-tests/venv/bin/pytest online-tests/benchmark.py -vrx 
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1,15 +1,10 @@
 #!/usr/bin/env bash
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 export CHATMAIL_DOMAIN
-echo -----------------------------------------
+chatmaild/venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
 echo deploying to $CHATMAIL_DOMAIN 
 echo -----------------------------------------
-echo WARNING: in five seconds deploy to $CHATMAIL_DOMAIN starts
+deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
 sleep 5
 venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
 venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
    deploy-chatmail/src/deploy_chatmail/deploy.py
 rm -r dist/
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
@@ -1,20 +0,0 @@
 #!/bin/sh
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 : ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
 set -e
 SSH="ssh root@$CHATMAIL_SSH"
 EMAIL="root@$CHATMAIL_DOMAIN"
 ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
 cat <<EOF
 $CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
 $CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
 _dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
 _submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
 _submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
 _imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
 _imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
 $CHATMAIL_DOMAIN. IN CAA 0 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
 EOF
 $SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
--- a/tests/chatmaild/test_dictproxy.py
+++ b/tests/chatmaild/test_dictproxy.py
@@ -1,10 +1,9 @@
 import os
 import json
 import pytest
 import chatmaild.dictproxy
-from chatmaild.dictproxy import get_user_data, lookup_passdb, handle_dovecot_request
+from chatmaild.dictproxy import get_user_data, lookup_passdb
 from chatmaild.database import Database, DBError
@@ -15,13 +14,13 @@ def db(tmpdir):
    return Database(db_path)
 def test_basic(db):
-    lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
+    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
    if os.path.exists(chatmaild.dictproxy.NOCREATE_FILE):
        os.remove(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "link2xt@c1.testrun.org", "asdf")
    data = get_user_data(db, "link2xt@c1.testrun.org")
    assert data
    data2 = lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
    assert data == data2
 def test_dont_overwrite_password_on_wrong_login(db):
@@ -33,12 +32,14 @@ def test_dont_overwrite_password_on_wrong_login(db):
    assert res["password"] == res2["password"]
-def test_nocreate_file(db, monkeypatch, tmpdir):
+def test_nocreate_file(db):
-    p = tmpdir.join("nocreate")
+    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
-    p.write("")
+    with open(chatmaild.dictproxy.NOCREATE_FILE, "w+") as f:
-    monkeypatch.setattr(chatmaild.dictproxy, "NOCREATE_FILE", str(p))
+        f.write("")
-    lookup_passdb(db, "newuser1@something.org", "zequ0Aimuchoodaechik")
+    assert os.path.exists(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
    assert not get_user_data(db, "newuser1@something.org")
    os.remove(chatmaild.dictproxy.NOCREATE_FILE)
 def test_db_version(db):
@@ -50,15 +51,3 @@ def test_too_high_db_version(db):
        conn.execute("PRAGMA user_version=%s;" % (999,))
    with pytest.raises(DBError):
        db.ensure_tables()
 def test_handle_dovecot_request(db):
    msg = ('Lshared/passdb/laksjdlaksjdlaksjdlk12j3l1k2j3123/'
           'some42@c3.testrun.org\tsome42@c3.testrun.org')
    res = handle_dovecot_request(msg, db, "c3.testrun.org")
    assert res
    assert res[0] == "O" and res.endswith("\n")
    userdata = json.loads(res[1:].strip())
    assert userdata["home"] == "/home/vmail/some42@c3.testrun.org"
    assert userdata["uid"] == userdata["gid"] == "vmail"
    assert userdata["password"].startswith("{SHA512-CRYPT}")
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -195,8 +195,8 @@ def gencreds(maildomain):
            num = next(count)
            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
            user = "".join(random.choices(alphanumeric, k=10))
-            user = f"ac{num}_{user}"[:9]
+            user = f"ac{num}_{user}"
-            password = "".join(random.choices(alphanumeric, k=12))
+            password = "".join(random.choices(alphanumeric, k=10))
            yield f"{user}@{domain}", f"{password}"
    return lambda domain=None: next(gen(domain))
--- a/tests/online/test_0_login.py
+++ b/tests/online/test_0_login.py
@@ -23,11 +23,6 @@ def test_login_basic_functioning(imap_or_smtp, gencreds, lp):
    with pytest.raises(imap_or_smtp.AuthError):
        imap_or_smtp.login(user, password + "wrong")
    lp.sec(f"creating users with a short password is not allowed")
    user, _password = gencreds()
    with pytest.raises(imap_or_smtp.AuthError):
        imap_or_smtp.login(user, "admin")
 def test_login_same_password(imap_or_smtp, gencreds):
    """Test two different users logging in with the same password
		`@@ -1 +0,0 @@`
			`dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private`
		`@@ -1 +0,0 @@`
			`*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}`