properly call logging.exception

it's unclear what this limit really means -- with ipv6 one can easily create lots of IP addresses anyway
- tune down logging for filtermail
2026-05-16 23:28:57 +00:00 · 2023-11-20 22:52:31 +01:00 · 2023-11-20 16:27:12 +01:00 · 2023-11-20 16:01:38 +01:00 · 2023-11-20 15:48:38 +01:00
14 changed files with 47 additions and 223 deletions
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -6,14 +6,11 @@ build-backend = "setuptools.build_meta"
 name = "chatmaild"
 version = "0.1"
 dependencies = [
-  "aiosmtpd",
+  "aiosmtpd"
  "flask",
  "gunicorn",
 ]
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 doveauth-http = "chatmaild.web:main"
 filtermail = "chatmaild.filtermail:main"
 [tool.pytest.ini_options]
--- a/chatmaild/src/chatmaild/doveauth-http.service
+++ b/chatmaild/src/chatmaild/doveauth-http.service
@@ -1,10 +0,0 @@
 [Unit]
 Description=HTTP endpoint for creating chatmail accounts
 [Service]
 ExecStart=/usr/local/bin/gunicorn --timeout 60 -b :3691 -w 1 chatmaild.web:main
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -3,6 +3,7 @@ import os
 import time
 import sys
 import json
 import crypt
 from socketserver import (
    UnixStreamServer,
    StreamRequestHandler,
@@ -11,7 +12,39 @@ from socketserver import (
 import pwd
 from .database import Database
-from .util import is_allowed_to_create, encrypt_password, get_mail_domain
+
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 def encrypt_password(password: str):
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash
 def is_allowed_to_create(user, cleartext_password) -> bool:
    """Return True if user and password are admissable."""
    if os.path.exists(NOCREATE_FILE):
        logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
        return False
    if len(cleartext_password) < 10:
        logging.warning("Password needs to be at least 10 characters long")
        return False
    parts = user.split("@")
    if len(parts) != 2:
        logging.warning(f"user {user!r} is not a proper e-mail address")
        return False
    localpart, domain = parts
    if domain == "nine.testrun.org":
        # nine.testrun.org policy, username has to be exactly nine chars
        if len(localpart) != 9:
            logging.warning(f"localpart {localpart!r} has not exactly nine chars")
            return False
    return True
 def get_user_data(db, user):
@@ -90,7 +123,8 @@ def main():
    socket = sys.argv[1]
    passwd_entry = pwd.getpwnam(sys.argv[2])
    db = Database(sys.argv[3])
-    mail_domain = get_mail_domain()
+    with open("/etc/mailname", "r") as fp:
        mail_domain = fp.read().strip()
    class Handler(StreamRequestHandler):
        def handle(self):
--- a/chatmaild/src/chatmaild/util.py
+++ b/chatmaild/src/chatmaild/util.py
@@ -1,56 +0,0 @@
 import base64
 import random
 import logging
 import os
 import crypt
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 def is_allowed_to_create(user, cleartext_password) -> bool:
    """Return True if user and password are admissable."""
    if os.path.exists(NOCREATE_FILE):
        logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
        return False
    if len(cleartext_password) < 10:
        logging.warning("Password needs to be at least 10 characters long")
        return False
    parts = user.split("@")
    if len(parts) != 2:
        logging.warning(f"user {user!r} is not a proper e-mail address")
        return False
    localpart, domain = parts
    if domain == "nine.testrun.org":
        # nine.testrun.org policy, username has to be exactly nine chars
        if len(localpart) != 9:
            logging.warning(f"localpart {localpart!r} has not exactly nine chars")
            return False
    return True
 def gen_password():
    with open("/dev/urandom", "rb") as f:
        s = f.read(21)
    return base64.b64encode(s).decode("ascii")[:12]
 def encrypt_password(password: str):
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash
 def get_mail_domain():
    with open("/etc/mailname", "r") as fp:
        return fp.read().strip()
 def get_valid_email_addr(length=9, chars="2345789acdefghjkmnpqrstuvwxyz"):
    localpart = "".join(random.choice(chars) for i in range(length))
    mail_domain = get_mail_domain()
    return f"{localpart}@{mail_domain}"
--- a/chatmaild/src/chatmaild/web.py
+++ b/chatmaild/src/chatmaild/web.py
@@ -1,48 +0,0 @@
 from flask import Flask, jsonify, request
 import time
 import os
 from database import Database
 from util import gen_password, get_valid_email_addr, encrypt_password
 from doveauth import get_user_data
 def create_app_from_db_path(db_path=None):
    db = Database(db_path)
    return create_app_from_db(db)
 def create_app_from_db(db):
    app = Flask("chatmaild-http")
    app.db = db
    @app.route("/", methods=["POST"])
    def new_email():
        for i in range(10):
            addr = get_valid_email_addr()
            if not get_user_data(db, addr):
                cleartext_password = gen_password()
                encrypted_password = encrypt_password(cleartext_password)
                q = """INSERT INTO users (addr, password, last_login)
                       VALUES (?, ?, ?)"""
                with db.write_transaction() as conn:
                    conn.execute(q, (addr, encrypted_password, int(time.time())))
                return jsonify(
                    email=addr,
                    password=cleartext_password,
                )
        return jsonify(
            type="error",
            status_code=409,
            reason="all 10 email addresses we tried are taken"
        )
    return app
 def main():
    """(debugging-only!) serve http account creation Web API on localhost"""
    db_path = os.getenv("CHATMAIL_DATABASE", "/home/vmail/passdb.sqlite")
    app = create_app_from_db_path(db_path)
    if __name__ == "__main__":
        app.run(debug=True, host="localhost", port=3691)
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -25,8 +25,8 @@ def _install_chatmaild() -> None:
        )
        apt.packages(
-            name="apt install python3-aiosmtpd python3-pip python3-venv",
+            name="apt install python3-aiosmtpd",
-            packages=["python3-aiosmtpd", "python3-pip", "python3-venv"],
+            packages=["python3-aiosmtpd", "python3-pip"],
        )
        # --no-deps because aiosmtplib is installed with `apt`.
@@ -46,7 +46,6 @@ def _install_chatmaild() -> None:
        for fn in (
            "doveauth",
            "doveauth-http",
            "filtermail",
        ):
            files.put(
@@ -134,44 +133,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
    return need_restart
 def _install_mta_sts_daemon() -> bool:
    need_restart = False
    config = files.put(
        name="upload postfix-mta-sts-resolver config",
        src=importlib.resources.files(__package__).joinpath(
            "postfix/mta-sts-daemon.yml"
        ),
        dest="/etc/mta-sts-daemon.yml",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= config.changed
    server.shell(
        name="install postfix-mta-sts-resolver with pip",
        commands=[
            "python3 -m venv /usr/local/lib/postfix-mta-sts-resolver",
            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
        ],
    )
    systemd_unit = files.put(
        name="upload mta-sts-daemon systemd unit",
        src=importlib.resources.files(__package__).joinpath(
            "postfix/mta-sts-daemon.service"
        ),
        dest="/etc/systemd/system/mta-sts-daemon.service",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= systemd_unit.changed
    return need_restart
 def _configure_postfix(domain: str, debug: bool = False) -> bool:
    """Configures Postfix SMTP server."""
    need_restart = False
@@ -270,16 +231,6 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
    )
    need_restart |= autoconfig.changed
    mta_sts_config = files.template(
        src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
        dest="/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": domain},
    )
    need_restart |= mta_sts_config.changed
    return need_restart
@@ -304,7 +255,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    )
    # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
+    deploy_acmetool(nginx_hook=True, domains=[mail_server])
    apt.packages(
        name="Install Postfix",
@@ -335,7 +286,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
    nginx_need_restart = _configure_nginx(mail_domain)
    mta_sts_need_restart = _install_mta_sts_daemon()
    # deploy web pages and info if we have them
    pkg_root = importlib.resources.files(__package__)
@@ -351,15 +301,6 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        restarted=opendkim_need_restart,
    )
    systemd.service(
        name="Start and enable MTA-STS daemon",
        service="mta-sts-daemon.service",
        daemon_reload=True,
        running=True,
        enabled=True,
        restarted=mta_sts_need_restart,
    )
    systemd.service(
        name="Start and enable Postfix",
        service="postfix.service",
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -46,7 +46,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
        mode="644",
    )
-    server.shell(
+    for domain in domains:
-        name=f"Request certificate for: { ', '.join(domains) }",
+        server.shell(
-        commands=[f"acmetool want { ' '.join(domains)}"],
+            name=f"Request certificate for {domain}",
-    )
+            commands=[f"acmetool want {domain}"],
        )
--- a/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/mta-sts.txt.j2
@@ -1,4 +0,0 @@
 version: STSv1
 mode: enforce
 mx: {{ config.domain_name }}
 max_age: 2419200
--- a/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx/nginx.conf.j2
@@ -42,10 +42,6 @@ http {
 			# as directory, then fall back to displaying a 404.
 			try_files $uri $uri/ =404;
 		}
        location /new_email {
            proxy_pass http://localhost:3691/;
        }
 	}
 }
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
@@ -20,7 +20,7 @@ Domain			{{ config.domain_name }}
 Selector		{{ config.opendkim_selector }}
 KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
 KeyTable          /etc/dkimkeys/KeyTable
-SigningTable      refile:/etc/dkimkeys/SigningTable
+SigningTable      /etc/dkimkeys/SigningTable
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
--- a/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
@@ -23,7 +23,6 @@ smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.domain_name }}
--- a/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.service
@@ -1,10 +0,0 @@
 [Unit]
 Description=Postfix MTA-STS resolver daemon
 [Service]
 ExecStart=/usr/local/lib/postfix-mta-sts-resolver/bin/mta-sts-daemon
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/mta-sts-daemon.yml
@@ -1,13 +0,0 @@
 host: 127.0.0.1
 port: 8461
 reuse_port: true
 shutdown_timeout: 20
 cache:
  type: internal
  options:
    cache_size: 10000
 proactive_policy_fetching:
  enabled: true
 default_zone:
  strict_testing: false
  timeout: 4
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
@@ -15,9 +15,6 @@ _submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
 _submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
 _imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
 _imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
-$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org;accounturi=$ACME_ACCOUNT_URL"
+$CHATMAIL_DOMAIN. IN CAA 128 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
 _mta-sts.$CHATMAIL_DOMAIN. IN TXT "v=STSv1; id=$(date -u '+%Y%m%d%H%M')"
 mta-sts.$CHATMAIL_DOMAIN. IN CNAME $CHATMAIL_DOMAIN.
 _smtp._tls.$CHATMAIL_DOMAIN. IN TXT "v=TLSRPTv1;rua=mailto:$EMAIL"
 EOF
 $SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
Author	SHA1	Message	Date
holger krekel	9061cbbb4a	properly call logging.exception	2023-11-20 22:52:31 +01:00
holger krekel	e27ec22465	it's unclear what this limit really means -- with ipv6 one can easily create lots of IP addresses anyway	2023-11-20 16:27:12 +01:00
holger krekel	073f567292	- tune down logging for filtermail - allow higher smtp connection limit	2023-11-20 16:01:38 +01:00
holger krekel	d74f3dfeda	with help/side-comments from alex i fixed the concurrent account creation problem	2023-11-20 15:48:38 +01:00