mirror of
https://github.com/chatmail/relay.git
synced 2026-05-11 00:14:36 +00:00
Compare commits
4 Commits
http-accou
...
hpk/fix_ac
| Author | SHA1 | Date | |
|---|---|---|---|
|
9061cbbb4a | ||
|
|
e27ec22465 | ||
|
|
073f567292 | ||
|
|
d74f3dfeda |
@@ -6,14 +6,11 @@ build-backend = "setuptools.build_meta"
|
||||
name = "chatmaild"
|
||||
version = "0.1"
|
||||
dependencies = [
|
||||
"aiosmtpd",
|
||||
"flask",
|
||||
"gunicorn",
|
||||
"aiosmtpd"
|
||||
]
|
||||
|
||||
[project.scripts]
|
||||
doveauth = "chatmaild.doveauth:main"
|
||||
doveauth-http = "chatmaild.web:main"
|
||||
filtermail = "chatmaild.filtermail:main"
|
||||
|
||||
[tool.pytest.ini_options]
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
[Unit]
|
||||
Description=HTTP endpoint for creating chatmail accounts
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/bin/gunicorn --timeout 60 -b :3691 -w 1 chatmaild.web:main
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -3,6 +3,7 @@ import os
|
||||
import time
|
||||
import sys
|
||||
import json
|
||||
import crypt
|
||||
from socketserver import (
|
||||
UnixStreamServer,
|
||||
StreamRequestHandler,
|
||||
@@ -11,7 +12,39 @@ from socketserver import (
|
||||
import pwd
|
||||
|
||||
from .database import Database
|
||||
from .util import is_allowed_to_create, encrypt_password, get_mail_domain
|
||||
|
||||
NOCREATE_FILE = "/etc/chatmail-nocreate"
|
||||
|
||||
|
||||
def encrypt_password(password: str):
|
||||
# https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
|
||||
passhash = crypt.crypt(password, crypt.METHOD_SHA512)
|
||||
return "{SHA512-CRYPT}" + passhash
|
||||
|
||||
|
||||
def is_allowed_to_create(user, cleartext_password) -> bool:
|
||||
"""Return True if user and password are admissable."""
|
||||
if os.path.exists(NOCREATE_FILE):
|
||||
logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
|
||||
return False
|
||||
|
||||
if len(cleartext_password) < 10:
|
||||
logging.warning("Password needs to be at least 10 characters long")
|
||||
return False
|
||||
|
||||
parts = user.split("@")
|
||||
if len(parts) != 2:
|
||||
logging.warning(f"user {user!r} is not a proper e-mail address")
|
||||
return False
|
||||
localpart, domain = parts
|
||||
|
||||
if domain == "nine.testrun.org":
|
||||
# nine.testrun.org policy, username has to be exactly nine chars
|
||||
if len(localpart) != 9:
|
||||
logging.warning(f"localpart {localpart!r} has not exactly nine chars")
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def get_user_data(db, user):
|
||||
@@ -90,7 +123,8 @@ def main():
|
||||
socket = sys.argv[1]
|
||||
passwd_entry = pwd.getpwnam(sys.argv[2])
|
||||
db = Database(sys.argv[3])
|
||||
mail_domain = get_mail_domain()
|
||||
with open("/etc/mailname", "r") as fp:
|
||||
mail_domain = fp.read().strip()
|
||||
|
||||
class Handler(StreamRequestHandler):
|
||||
def handle(self):
|
||||
|
||||
@@ -1,56 +0,0 @@
|
||||
import base64
|
||||
import random
|
||||
import logging
|
||||
import os
|
||||
import crypt
|
||||
|
||||
|
||||
NOCREATE_FILE = "/etc/chatmail-nocreate"
|
||||
|
||||
|
||||
def is_allowed_to_create(user, cleartext_password) -> bool:
|
||||
"""Return True if user and password are admissable."""
|
||||
if os.path.exists(NOCREATE_FILE):
|
||||
logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
|
||||
return False
|
||||
|
||||
if len(cleartext_password) < 10:
|
||||
logging.warning("Password needs to be at least 10 characters long")
|
||||
return False
|
||||
|
||||
parts = user.split("@")
|
||||
if len(parts) != 2:
|
||||
logging.warning(f"user {user!r} is not a proper e-mail address")
|
||||
return False
|
||||
localpart, domain = parts
|
||||
|
||||
if domain == "nine.testrun.org":
|
||||
# nine.testrun.org policy, username has to be exactly nine chars
|
||||
if len(localpart) != 9:
|
||||
logging.warning(f"localpart {localpart!r} has not exactly nine chars")
|
||||
return False
|
||||
|
||||
return True
|
||||
|
||||
|
||||
def gen_password():
|
||||
with open("/dev/urandom", "rb") as f:
|
||||
s = f.read(21)
|
||||
return base64.b64encode(s).decode("ascii")[:12]
|
||||
|
||||
|
||||
def encrypt_password(password: str):
|
||||
# https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
|
||||
passhash = crypt.crypt(password, crypt.METHOD_SHA512)
|
||||
return "{SHA512-CRYPT}" + passhash
|
||||
|
||||
|
||||
def get_mail_domain():
|
||||
with open("/etc/mailname", "r") as fp:
|
||||
return fp.read().strip()
|
||||
|
||||
|
||||
def get_valid_email_addr(length=9, chars="2345789acdefghjkmnpqrstuvwxyz"):
|
||||
localpart = "".join(random.choice(chars) for i in range(length))
|
||||
mail_domain = get_mail_domain()
|
||||
return f"{localpart}@{mail_domain}"
|
||||
@@ -1,48 +0,0 @@
|
||||
from flask import Flask, jsonify, request
|
||||
import time
|
||||
import os
|
||||
|
||||
from database import Database
|
||||
from util import gen_password, get_valid_email_addr, encrypt_password
|
||||
from doveauth import get_user_data
|
||||
|
||||
|
||||
def create_app_from_db_path(db_path=None):
|
||||
db = Database(db_path)
|
||||
return create_app_from_db(db)
|
||||
|
||||
|
||||
def create_app_from_db(db):
|
||||
app = Flask("chatmaild-http")
|
||||
app.db = db
|
||||
|
||||
@app.route("/", methods=["POST"])
|
||||
def new_email():
|
||||
for i in range(10):
|
||||
addr = get_valid_email_addr()
|
||||
if not get_user_data(db, addr):
|
||||
cleartext_password = gen_password()
|
||||
encrypted_password = encrypt_password(cleartext_password)
|
||||
q = """INSERT INTO users (addr, password, last_login)
|
||||
VALUES (?, ?, ?)"""
|
||||
with db.write_transaction() as conn:
|
||||
conn.execute(q, (addr, encrypted_password, int(time.time())))
|
||||
return jsonify(
|
||||
email=addr,
|
||||
password=cleartext_password,
|
||||
)
|
||||
return jsonify(
|
||||
type="error",
|
||||
status_code=409,
|
||||
reason="all 10 email addresses we tried are taken"
|
||||
)
|
||||
|
||||
return app
|
||||
|
||||
|
||||
def main():
|
||||
"""(debugging-only!) serve http account creation Web API on localhost"""
|
||||
db_path = os.getenv("CHATMAIL_DATABASE", "/home/vmail/passdb.sqlite")
|
||||
app = create_app_from_db_path(db_path)
|
||||
if __name__ == "__main__":
|
||||
app.run(debug=True, host="localhost", port=3691)
|
||||
@@ -25,8 +25,8 @@ def _install_chatmaild() -> None:
|
||||
)
|
||||
|
||||
apt.packages(
|
||||
name="apt install python3-aiosmtpd python3-pip python3-venv",
|
||||
packages=["python3-aiosmtpd", "python3-pip", "python3-venv"],
|
||||
name="apt install python3-aiosmtpd",
|
||||
packages=["python3-aiosmtpd", "python3-pip"],
|
||||
)
|
||||
|
||||
# --no-deps because aiosmtplib is installed with `apt`.
|
||||
@@ -46,7 +46,6 @@ def _install_chatmaild() -> None:
|
||||
|
||||
for fn in (
|
||||
"doveauth",
|
||||
"doveauth-http",
|
||||
"filtermail",
|
||||
):
|
||||
files.put(
|
||||
@@ -134,44 +133,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
|
||||
return need_restart
|
||||
|
||||
|
||||
def _install_mta_sts_daemon() -> bool:
|
||||
need_restart = False
|
||||
|
||||
config = files.put(
|
||||
name="upload postfix-mta-sts-resolver config",
|
||||
src=importlib.resources.files(__package__).joinpath(
|
||||
"postfix/mta-sts-daemon.yml"
|
||||
),
|
||||
dest="/etc/mta-sts-daemon.yml",
|
||||
user="root",
|
||||
group="root",
|
||||
mode="644",
|
||||
)
|
||||
need_restart |= config.changed
|
||||
|
||||
server.shell(
|
||||
name="install postfix-mta-sts-resolver with pip",
|
||||
commands=[
|
||||
"python3 -m venv /usr/local/lib/postfix-mta-sts-resolver",
|
||||
"/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
|
||||
],
|
||||
)
|
||||
|
||||
systemd_unit = files.put(
|
||||
name="upload mta-sts-daemon systemd unit",
|
||||
src=importlib.resources.files(__package__).joinpath(
|
||||
"postfix/mta-sts-daemon.service"
|
||||
),
|
||||
dest="/etc/systemd/system/mta-sts-daemon.service",
|
||||
user="root",
|
||||
group="root",
|
||||
mode="644",
|
||||
)
|
||||
need_restart |= systemd_unit.changed
|
||||
|
||||
return need_restart
|
||||
|
||||
|
||||
def _configure_postfix(domain: str, debug: bool = False) -> bool:
|
||||
"""Configures Postfix SMTP server."""
|
||||
need_restart = False
|
||||
@@ -270,16 +231,6 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
|
||||
)
|
||||
need_restart |= autoconfig.changed
|
||||
|
||||
mta_sts_config = files.template(
|
||||
src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
|
||||
dest="/var/www/html/.well-known/mta-sts.txt",
|
||||
user="root",
|
||||
group="root",
|
||||
mode="644",
|
||||
config={"domain_name": domain},
|
||||
)
|
||||
need_restart |= mta_sts_config.changed
|
||||
|
||||
return need_restart
|
||||
|
||||
|
||||
@@ -304,7 +255,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
||||
)
|
||||
|
||||
# Deploy acmetool to have TLS certificates.
|
||||
deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
|
||||
deploy_acmetool(nginx_hook=True, domains=[mail_server])
|
||||
|
||||
apt.packages(
|
||||
name="Install Postfix",
|
||||
@@ -335,7 +286,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
||||
postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
|
||||
opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
|
||||
nginx_need_restart = _configure_nginx(mail_domain)
|
||||
mta_sts_need_restart = _install_mta_sts_daemon()
|
||||
|
||||
# deploy web pages and info if we have them
|
||||
pkg_root = importlib.resources.files(__package__)
|
||||
@@ -351,15 +301,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
|
||||
restarted=opendkim_need_restart,
|
||||
)
|
||||
|
||||
systemd.service(
|
||||
name="Start and enable MTA-STS daemon",
|
||||
service="mta-sts-daemon.service",
|
||||
daemon_reload=True,
|
||||
running=True,
|
||||
enabled=True,
|
||||
restarted=mta_sts_need_restart,
|
||||
)
|
||||
|
||||
systemd.service(
|
||||
name="Start and enable Postfix",
|
||||
service="postfix.service",
|
||||
|
||||
@@ -46,7 +46,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
|
||||
mode="644",
|
||||
)
|
||||
|
||||
server.shell(
|
||||
name=f"Request certificate for: { ', '.join(domains) }",
|
||||
commands=[f"acmetool want { ' '.join(domains)}"],
|
||||
)
|
||||
for domain in domains:
|
||||
server.shell(
|
||||
name=f"Request certificate for {domain}",
|
||||
commands=[f"acmetool want {domain}"],
|
||||
)
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
version: STSv1
|
||||
mode: enforce
|
||||
mx: {{ config.domain_name }}
|
||||
max_age: 2419200
|
||||
@@ -42,10 +42,6 @@ http {
|
||||
# as directory, then fall back to displaying a 404.
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location /new_email {
|
||||
proxy_pass http://localhost:3691/;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -20,7 +20,7 @@ Domain {{ config.domain_name }}
|
||||
Selector {{ config.opendkim_selector }}
|
||||
KeyFile /etc/dkimkeys/{{ config.opendkim_selector }}.private
|
||||
KeyTable /etc/dkimkeys/KeyTable
|
||||
SigningTable refile:/etc/dkimkeys/SigningTable
|
||||
SigningTable /etc/dkimkeys/SigningTable
|
||||
|
||||
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
|
||||
# using a local socket with MTAs that access the socket as a non-privileged
|
||||
|
||||
@@ -23,7 +23,6 @@ smtpd_tls_security_level=may
|
||||
smtp_tls_CApath=/etc/ssl/certs
|
||||
smtp_tls_security_level=may
|
||||
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
|
||||
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
myhostname = {{ config.domain_name }}
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
[Unit]
|
||||
Description=Postfix MTA-STS resolver daemon
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/local/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
|
||||
Restart=always
|
||||
RestartSec=30
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,13 +0,0 @@
|
||||
host: 127.0.0.1
|
||||
port: 8461
|
||||
reuse_port: true
|
||||
shutdown_timeout: 20
|
||||
cache:
|
||||
type: internal
|
||||
options:
|
||||
cache_size: 10000
|
||||
proactive_policy_fetching:
|
||||
enabled: true
|
||||
default_zone:
|
||||
strict_testing: false
|
||||
timeout: 4
|
||||
@@ -15,9 +15,6 @@ _submission._tcp.$CHATMAIL_DOMAIN. SRV 0 1 587 $CHATMAIL_DOMAIN.
|
||||
_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
|
||||
_imap._tcp.$CHATMAIL_DOMAIN. SRV 0 1 143 $CHATMAIL_DOMAIN.
|
||||
_imaps._tcp.$CHATMAIL_DOMAIN. SRV 0 1 993 $CHATMAIL_DOMAIN.
|
||||
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
|
||||
_mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
|
||||
mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.
|
||||
_smtp._tls.$CHATMAIL_DOMAIN. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
|
||||
$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
|
||||
EOF
|
||||
$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
|
||||
|
||||
Reference in New Issue
Block a user