docs: webdev needs to be exposed via nginx if run on the relay

docs: use ssh_host = localhost in getting started docs
remove mentions of the build machine / deployment server separation
2026-05-13 09:24:43 +00:00 · 2026-05-12 22:45:28 +02:00 · 2026-05-12 22:45:28 +02:00 · 2026-05-12 22:45:28 +02:00 · 2026-05-12 22:45:28 +02:00 · 2026-05-12 22:44:06 +02:00
37 changed files with 774 additions and 954 deletions
--- a/.github/workflows/ci-no-dns.yaml
+++ b/.github/workflows/ci-no-dns.yaml
@@ -9,6 +9,8 @@ on:
  pull_request:
    branches: [ "main" ]
 permissions: {}
 # Newest push wins: Prevents multiple runs from clashing and wasting runner efforts
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -18,18 +20,21 @@ concurrency:
 jobs:
  no-dns:
    name: LXC deploy and test
-    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@d39fe34c39cee6d760c3479325e8dc82b66a8928
+    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@v0.14.6
    with:
      cmlxc_version: v0.14.6
      cmlxc_commands: |
        cmlxc init 
        # single cmdeploy relay test
-        cmlxc -v deploy-cmdeploy --source ./repo --ipv4-only --no-dns cm0
+        cmlxc -v deploy-cmdeploy --source ./repo --type ipv4 cm0
-        cmlxc -v test-cmdeploy --no-dns cm0
+        cmlxc -v test-cmdeploy cm0
-        # cross cmdeploy relay test
+        # cross cmdeploy relay test (two ipv4 relays)
-        cmlxc -v deploy-cmdeploy --source ./repo cm1
+        cmlxc -v deploy-cmdeploy --source ./repo --ipv4-only --type ipv4 cm1
-        cmlxc -v test-cmdeploy --no-dns cm0 cm1
+        cmlxc -v test-cmdeploy cm0 cm1
        # cross cmdeploy/madmail relay tests
        cmlxc -v deploy-madmail mad0
-        cmlxc -v test-cmdeploy --no-dns cm0 mad0
+        cmlxc -v test-cmdeploy cm0 mad0
        cmlxc -v test-mini mad0 cm0
        cmlxc -v test-mini cm0 mad0
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -29,7 +29,7 @@ jobs:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.6.4/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.6.6/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
@@ -57,8 +57,9 @@ jobs:
  lxc-test:
    name: LXC deploy and test
-    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@d39fe34c39cee6d760c3479325e8dc82b66a8928
+    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@v0.14.6
    with:
      cmlxc_version: v0.14.6
      cmlxc_commands: |
        cmlxc init 
        # single cmdeploy relay test
@@ -75,3 +76,4 @@ jobs:
        cmlxc -v test-cmdeploy cm0 mad0
        cmlxc -v test-mini cm0 mad0
        cmlxc -v test-mini mad0 cm0
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -10,12 +10,7 @@ from chatmaild.user import User
 def read_config(inipath):
    assert Path(inipath).exists(), inipath
    cfg = iniconfig.IniConfig(inipath)
-    params = cfg.sections["params"]
+    return Config(inipath, params=cfg.sections["params"])
    default_config_content = get_default_config_content(params["mail_domain"])
    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
    new_params = dict(df_params.items())
    new_params.update(params)
    return Config(inipath, params=new_params)
 class Config:
@@ -23,6 +18,7 @@ class Config:
        self._inipath = inipath
        raw_domain = params["mail_domain"]
        self.mail_domain_bare = raw_domain
        self.ssh_host = params.get("ssh_host", raw_domain)
        if is_valid_ipv4(raw_domain):
            self.ipv4_relay = raw_domain
@@ -36,16 +32,18 @@ class Config:
        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_mailbox_size = params.get("max_mailbox_size", "500M")
-        self.max_message_size = int(params.get("max_message_size", "31457280"))
+        self.max_message_size = int(params.get("max_message_size", 31457280))
-        self.delete_mails_after = params["delete_mails_after"]
+        self.delete_mails_after = params.get("delete_mails_after", "20")
-        self.delete_large_after = params["delete_large_after"]
+        self.delete_large_after = params.get("delete_large_after", "7")
-        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
+        self.delete_inactive_users_after = int(
-        self.username_min_length = int(params["username_min_length"])
+            params.get("delete_inactive_users_after", 90)
-        self.username_max_length = int(params["username_max_length"])
+        )
-        self.password_min_length = int(params["password_min_length"])
+        self.username_min_length = int(params.get("username_min_length", 9))
-        self.passthrough_senders = params["passthrough_senders"].split()
+        self.username_max_length = int(params.get("username_max_length", 9))
-        self.passthrough_recipients = params["passthrough_recipients"].split()
+        self.password_min_length = int(params.get("password_min_length", 9))
        self.passthrough_senders = params.get("passthrough_senders", "").split()
        self.passthrough_recipients = params.get("passthrough_recipients", "").split()
        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
        self.filtermail_smtp_port_incoming = int(
@@ -164,31 +162,7 @@ def get_default_config_content(mail_domain, **overrides):
    for name, value in extra.items():
        new_line = f"{name} = {value}"
        new_lines.append(new_line)
-
+    return "\n".join(new_lines)
    content = "\n".join(new_lines)
    # apply testrun privacy overrides
    if mail_domain.endswith(".testrun.org"):
        override_inipath = inidir.joinpath("override-testrun.ini")
        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
        lines = []
        for line in content.split("\n"):
            for key, value in privacy.items():
                value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
                if not line.startswith(f"{key} =") or not value_lines:
                    continue
                if len(value_lines) == 1:
                    lines.append(f"{key} = {value}")
                else:
                    lines.append(f"{key} =")
                    for vl in value_lines:
                        lines.append(f"    {vl}")
                break
            else:
                lines.append(line)
        content = "\n".join(lines)
    return content
 def is_valid_ipv4(address: str) -> bool:
@@ -198,18 +172,3 @@ def is_valid_ipv4(address: str) -> bool:
        return True
    except ValueError:
        return False
 def format_arpa_address(address: str) -> str:
    if is_valid_ipv4(address):
        return ipaddress.IPv4Address(address).reverse_pointer
    DomainValidator().validate_domain_re(address)
    return address
 def format_mail_domain(raw_domain: str) -> str:
    if is_valid_ipv4(raw_domain):
        return f"[{raw_domain}]"
    DomainValidator().validate_domain_re(raw_domain)
    return raw_domain
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -3,6 +3,9 @@
 # mail domain (MUST be set to fully qualified chat mail domain)
 mail_domain = {mail_domain}
 # Where to deploy the relay - if unspecified, mail_domain will be used.
 ssh_host = localhost
 #
 # If you only do private test deploys, you don't need to modify any settings below
 #
@@ -12,42 +15,42 @@ mail_domain = {mail_domain}
 #
 # email sending rate per user and minute
-max_user_send_per_minute = 60
+#max_user_send_per_minute = 60
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
-max_user_send_burst_size = 10
+#max_user_send_burst_size = 10
 # maximum mailbox size of a chatmail address
-# Oldest messages will be removed automatically, so mailboxes never run full.
+# (Oldest messages will be removed automatically, so mailboxes never run full)
-max_mailbox_size = 500M
+#max_mailbox_size = 500M
 # maximum message size for an e-mail in bytes
-max_message_size = 31457280
+#max_message_size = 31457280
 # days after which mails are unconditionally deleted
-delete_mails_after = 20
+#delete_mails_after = 20
 # days after which large messages (>200k) are unconditionally deleted
-delete_large_after = 7
+#delete_large_after = 7
 # days after which users without a successful login are deleted (database and mails)
-delete_inactive_users_after = 90
+#delete_inactive_users_after = 90
 # minimum length a username must have
-username_min_length = 9
+#username_min_length = 9
 # maximum length a username can have
-username_max_length = 9
+#username_max_length = 9
 # minimum length a password must have
-password_min_length = 9
+#password_min_length = 9
 # list of chatmail addresses which can send outbound un-encrypted mail
-passthrough_senders =
+#passthrough_senders =
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients =
+#passthrough_recipients =
 # Use externally managed TLS certificates instead of built-in acmetool.
 # Paths refer to files on the deployment server (not the build machine).
@@ -63,19 +66,11 @@ passthrough_recipients =
 # Deployment Details
 #
 # SMTP outgoing filtermail and reinjection 
 filtermail_smtp_port = 10080
 postfix_reinject_port = 10025
 # SMTP incoming filtermail and reinjection 
 filtermail_smtp_port_incoming = 10081
 postfix_reinject_port_incoming = 10026
 # if set to "True" IPv6 is disabled
-disable_ipv6 = False
+#disable_ipv6 = False
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
-acme_email = 
+#acme_email =
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
@@ -108,13 +103,13 @@ acme_email =
 # in per-maildir ".in/.out" files. 
 # Note that you need to manually cleanup these files
 # so use this option with caution on production servers. 
-imap_rawlog = false 
+#imap_rawlog = false
 # set to true if you want to enable the IMAP COMPRESS Extension,
 # which allows IMAP connections to be efficiently compressed.
 # WARNING: Enabling this makes it impossible to hibernate IMAP
 # processes which will result in much higher memory/RAM usage.
-imap_compress = false
+#imap_compress = false
 #
--- a/chatmaild/src/chatmaild/ini/override-testrun.ini
+++ b/chatmaild/src/chatmaild/ini/override-testrun.ini
@@ -1,16 +0,0 @@
 [privacy]
 passthrough_recipients = privacy@testrun.org echo@{mail_domain}
 privacy_postal =
    Merlinux GmbH, Represented by the managing director H. Krekel,
    Reichgrafen Str. 20, 79102 Freiburg, Germany
 privacy_mail = privacy@testrun.org
 privacy_pdo =
    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
 privacy_supervisor =
    State Commissioner for Data Protection and Freedom of Information of
    Baden-Württemberg in 70173 Stuttgart, Germany.
--- a/chatmaild/src/chatmaild/metadata.py
+++ b/chatmaild/src/chatmaild/metadata.py
@@ -70,6 +70,9 @@ class Metadata:
                # Some tokens have expired, remove them.
                with self._modify_tokens(addr) as _tokens:
                    pass
        elif isinstance(tokens, list):
            with self._modify_tokens(addr) as tokens:
                token_list = list(tokens.keys())
        else:
            token_list = []
        return token_list
@@ -85,29 +88,27 @@ class MetadataDictProxy(DictProxy):
    def handle_lookup(self, parts):
        # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
-        keyparts = parts[0].split("/", 2)
+        match parts[0].split("/", 2):
-        if keyparts[0] == "priv":
+            case ["priv", _, keyname] if keyname == self.metadata.DEVICETOKEN_KEY:
-            keyname = keyparts[2]
+                addr = parts[1]
            addr = parts[1]
            if keyname == self.metadata.DEVICETOKEN_KEY:
                res = " ".join(self.metadata.get_tokens_for_addr(addr))
                return f"O{res}\n"
-        elif keyparts[0] == "shared":
+            case ["shared", _, keyname]:
-            keyname = keyparts[2]
+                prefix = "vendor/vendor.dovecot/pvt/server/vendor/deltachat/"
-            if (
+                if keyname.startswith(prefix):
-                keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay"
+                    match keyname[len(prefix) :]:
-                and self.iroh_relay
+                        case "irohrelay" if self.iroh_relay:
-            ):
+                            return f"O{self.iroh_relay}\n"
-                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
+                        case "turn":
-                return f"O{self.iroh_relay}\n"
+                            try:
-            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
+                                res = turn_credentials()
-                try:
+                            except Exception:
-                    res = turn_credentials()
+                                logging.exception("failed to get TURN credentials")
-                except Exception:
+                                return "N\n"
-                    logging.exception("failed to get TURN credentials")
+                            return f"O{self.turn_hostname}:3478:{res}\n"
-                    return "N\n"
+                        case "maxsmtprecipients":
-                port = 3478
+                            # postfix default  (see "postconf smtpd_recipient_limit")
-                return f"O{self.turn_hostname}:{port}:{res}\n"
+                            return "O1000\n"
        logging.warning(f"lookup ignored: {parts!r}")
        return "N\n"
@@ -117,12 +118,13 @@ class MetadataDictProxy(DictProxy):
        # https://github.com/dovecot/core/blob/main/src/lib-storage/mailbox-attribute.h
        keyname = parts[1].split("/")
        value = parts[2] if len(parts) > 2 else ""
-        if keyname[0] == "priv" and keyname[2] == self.metadata.DEVICETOKEN_KEY:
+        match keyname:
-            self.metadata.add_token_to_addr(addr, value)
+            case ["priv", _, key] if key == self.metadata.DEVICETOKEN_KEY:
-            return True
+                self.metadata.add_token_to_addr(addr, value)
-        elif keyname[0] == "priv" and keyname[2] == "messagenew":
+                return True
-            self.notifier.new_message_for_addr(addr, self.metadata)
+            case ["priv", _, "messagenew"]:
-            return True
+                self.notifier.new_message_for_addr(addr, self.metadata)
                return True
        return False
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -1,10 +1,6 @@
 from contextlib import nullcontext as does_not_raise
 import pytest
 from chatmaild.config import (
    format_arpa_address,
    format_mail_domain,
    is_valid_ipv4,
    parse_size_mb,
    read_config,
@@ -17,7 +13,12 @@ def test_read_config_basic(example_config):
    assert not example_config.privacy_pdo and not example_config.privacy_postal
    inipath = example_config._inipath
-    inipath.write_text(inipath.read_text().replace("60", "37"))
+    inipath.write_text(
        inipath.read_text().replace(
            "#max_user_send_per_minute = 60",
            "max_user_send_per_minute = 37",
        )
    )
    example_config = read_config(inipath)
    assert example_config.max_user_send_per_minute == 37
    assert example_config.mail_domain == "chat.example.org"
@@ -35,26 +36,17 @@ def test_read_config_basic_using_defaults(tmp_path, maildomain):
    example_config = read_config(inipath)
    assert example_config.max_user_send_per_minute == 60
    assert example_config.filtermail_smtp_port_incoming == 10081
-
+    assert example_config.filtermail_smtp_port == 10080
-
+    assert example_config.postfix_reinject_port == 10025
-def test_read_config_testrun(make_config):
+    assert example_config.max_user_send_per_minute == 60
-    config = make_config("something.testrun.org")
+    assert example_config.max_mailbox_size == "500M"
-    assert config.mail_domain == "something.testrun.org"
+    assert example_config.delete_mails_after == "20"
-    assert len(config.privacy_postal.split("\n")) > 1
+    assert example_config.delete_large_after == "7"
-    assert len(config.privacy_supervisor.split("\n")) > 1
+    assert example_config.username_min_length == 9
-    assert len(config.privacy_pdo.split("\n")) > 1
+    assert example_config.username_max_length == 9
-    assert config.privacy_mail == "privacy@testrun.org"
+    assert example_config.password_min_length == 9
-    assert config.filtermail_smtp_port == 10080
+    assert example_config.passthrough_recipients == []
-    assert config.postfix_reinject_port == 10025
+    assert example_config.passthrough_senders == []
    assert config.max_user_send_per_minute == 60
    assert config.max_mailbox_size == "500M"
    assert config.delete_mails_after == "20"
    assert config.delete_large_after == "7"
    assert config.username_min_length == 9
    assert config.username_max_length == 9
    assert config.password_min_length == 9
    assert "privacy@testrun.org" in config.passthrough_recipients
    assert config.passthrough_senders == []
 def test_config_userstate_paths(make_config, tmp_path):
@@ -163,31 +155,3 @@ def test_max_mailbox_size_mb(make_config):
 )
 def test_is_valid_ipv4(input, result):
    assert result == is_valid_ipv4(input)
@pytest.mark.parametrize(
    ["input", "result", "exception"],
    [
        ("example.org", "example.org", does_not_raise()),
        ("1.3.3.7", "7.3.3.1.in-addr.arpa", does_not_raise()),
        ("fe::1", None, pytest.raises(ValueError)),
        ("12394142", None, pytest.raises(ValueError)),
    ],
 )
 def test_format_arpa_address(input, result, exception):
    with exception:
        assert result == format_arpa_address(input)
@pytest.mark.parametrize(
    ["input", "result", "exception"],
    [
        ("example.org", "example.org", does_not_raise()),
        ("1.3.3.7", "[1.3.3.7]", does_not_raise()),
        ("fe::1", None, pytest.raises(ValueError)),
        ("12394142", None, pytest.raises(ValueError)),
    ],
 )
 def test_format_mail_domain(input, result, exception):
    with exception:
        assert result == format_mail_domain(input)
--- a/chatmaild/src/chatmaild/tests/test_metadata.py
+++ b/chatmaild/src/chatmaild/tests/test_metadata.py
@@ -360,15 +360,39 @@ def test_turn_credentials_success(notifier, metadata, monkeypatch):
 def test_iroh_relay(dictproxy):
-    rfile = io.BytesIO(
+    key = b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org"
-        b"\n".join(
+    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
            [
                b"H",
                b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org",
            ]
        )
    )
    wfile = io.BytesIO()
    dictproxy.iroh_relay = "https://example.org/"
    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"Ohttps://example.org/\n"
 def test_legacy_token_migration(metadata, testaddr):
    with metadata.get_metadata_dict(testaddr).modify() as data:
        data[metadata.DEVICETOKEN_KEY] = ["oldtoken1", "oldtoken2"]
    assert metadata.get_tokens_for_addr(testaddr) == ["oldtoken1", "oldtoken2"]
    mdict = metadata.get_metadata_dict(testaddr).read()
    tokens = mdict[metadata.DEVICETOKEN_KEY]
    assert isinstance(tokens, dict)
    assert "oldtoken1" in tokens and "oldtoken2" in tokens
@pytest.mark.parametrize(
    "suffix, expected",
    [
        (b"vendor/deltachat/maxsmtprecipients", b"O1000\n"),
        (b"wrong/prefix/key", b"N\n"),
        (b"vendor/deltachat/unknown", b"N\n"),
    ],
    ids=["maxsmtprecipients", "prefix_mismatch", "unknown_name"],
 )
 def test_shared_lookup(dictproxy, suffix, expected):
    key = (
        b"Lshared/0123/vendor/vendor.dovecot/pvt/server/"
        + suffix
        + b"\tuser@example.org"
    )
    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == expected
--- a/chatmaild/src/chatmaild/tests/test_migrate_db.py
+++ b/chatmaild/src/chatmaild/tests/test_migrate_db.py
@@ -48,6 +48,8 @@ def test_migration(tmp_path, example_config, caplog):
    assert passdb_path.stat().st_size > 10000
    example_config.passdb_path = passdb_path
    # ensure logging.info records are captured regardless of global configuration
    caplog.set_level("INFO")
    assert not caplog.records
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -1,6 +1,4 @@
-import importlib.resources
+from pyinfra.operations import apt, server
 from pyinfra.operations import apt, files, server, systemd
 from ..basedeploy import Deployer
@@ -9,9 +7,6 @@ class AcmetoolDeployer(Deployer):
    def __init__(self, email, domains):
        self.domains = domains
        self.email = email
        self.need_restart_redirector = False
        self.need_restart_reconcile_service = False
        self.need_restart_reconcile_timer = False
    def install(self):
        apt.packages(
@@ -19,121 +14,41 @@ class AcmetoolDeployer(Deployer):
            packages=["acmetool"],
        )
-        files.file(
+        self.remove_file("/etc/cron.d/acmetool")
            name="Remove old acmetool cronjob, it is replaced with systemd timer.",
            path="/etc/cron.d/acmetool",
            present=False,
        )
-        files.put(
+        self.put_executable("acmetool/acmetool.hook", "/etc/acme/hooks/nginx")
-            name="Install acmetool hook.",
+        self.remove_file("/usr/lib/acme/hooks/nginx")
            src=importlib.resources.files(__package__)
            .joinpath("acmetool.hook")
            .open("rb"),
            dest="/etc/acme/hooks/nginx",
            user="root",
            group="root",
            mode="755",
        )
        files.file(
            name="Remove acmetool hook from the wrong location where it was previously installed.",
            path="/usr/lib/acme/hooks/nginx",
            present=False,
        )
    def configure(self):
-        files.template(
+        self.put_template(
-            src=importlib.resources.files(__package__).joinpath(
+            "acmetool/response-file.yaml.j2",
-                "response-file.yaml.j2"
+            "/var/lib/acme/conf/responses",
            ),
            dest="/var/lib/acme/conf/responses",
            user="root",
            group="root",
            mode="644",
            email=self.email,
        )
-        files.template(
+        self.put_template(
-            src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
+            "acmetool/target.yaml.j2",
-            dest="/var/lib/acme/conf/target",
+            "/var/lib/acme/conf/target",
            user="root",
            group="root",
            mode="644",
        )
        server.shell(
            name=f"Remove old acmetool desired files for {self.domains[0]}",
            commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
        )
-        files.template(
+        self.put_template(
-            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
+            "acmetool/desired.yaml.j2",
-            dest=f"/var/lib/acme/desired/{self.domains[0]}",  # 0 is mailhost TLD
+            f"/var/lib/acme/desired/{self.domains[0]}",
            user="root",
            group="root",
            mode="644",
            domains=self.domains,
        )
-        service_file = files.put(
+        self.ensure_systemd_unit("acmetool/acmetool-redirector.service")
-            src=importlib.resources.files(__package__).joinpath(
+        self.ensure_systemd_unit("acmetool/acmetool-reconcile.service")
-                "acmetool-redirector.service"
+        self.ensure_systemd_unit("acmetool/acmetool-reconcile.timer")
            ),
            dest="/etc/systemd/system/acmetool-redirector.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_redirector = service_file.changed
        reconcile_service_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-reconcile.service"
            ),
            dest="/etc/systemd/system/acmetool-reconcile.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_reconcile_service = reconcile_service_file.changed
        reconcile_timer_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-reconcile.timer"
            ),
            dest="/etc/systemd/system/acmetool-reconcile.timer",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_reconcile_timer = reconcile_timer_file.changed
    def activate(self):
-        systemd.service(
+        self.ensure_service("acmetool-redirector.service")
-            name="Setup acmetool-redirector service",
+        self.ensure_service("acmetool-reconcile.service", running=False, enabled=False)
-            service="acmetool-redirector.service",
+        self.ensure_service("acmetool-reconcile.timer")
            running=True,
            enabled=True,
            restarted=self.need_restart_redirector,
        )
        self.need_restart_redirector = False
        systemd.service(
            name="Setup acmetool-reconcile service",
            service="acmetool-reconcile.service",
            running=False,
            enabled=False,
            daemon_reload=self.need_restart_reconcile_service,
        )
        self.need_restart_reconcile_service = False
        systemd.service(
            name="Setup acmetool-reconcile timer",
            service="acmetool-reconcile.timer",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart_reconcile_timer,
        )
        self.need_restart_reconcile_timer = False
        server.shell(
            name=f"Reconcile certificates for: {', '.join(self.domains)}",
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -4,6 +4,7 @@ import os
 from contextlib import contextmanager
 from pyinfra import host
 from pyinfra.facts.files import Sha256File
 from pyinfra.facts.server import Command
 from pyinfra.operations import files, server, systemd
@@ -50,11 +51,10 @@ def get_resource(arg, pkg=__package__):
    return importlib.resources.files(pkg).joinpath(arg)
-def configure_remote_units(mail_domain, units) -> None:
+def configure_remote_units(deployer, mail_domain, units) -> None:
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_venv_dir = f"{remote_base_dir}/venv"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
    # install systemd units
    for fn in units:
@@ -70,15 +70,13 @@ def configure_remote_units(mail_domain, units) -> None:
        source_path = get_resource(f"service/{basename}.f")
        content = source_path.read_text().format(**params).encode()
-        files.put(
+        deployer.put_file(
            name=f"Upload {basename}",
            src=io.BytesIO(content),
            dest=f"/etc/systemd/system/{basename}",
            **root_owned,
        )
-def activate_remote_units(units) -> None:
+def activate_remote_units(deployer, units) -> None:
    # activate systemd units
    for fn in units:
        basename = fn if "." in fn else f"{fn}.service"
@@ -88,14 +86,8 @@ def activate_remote_units(units) -> None:
            enabled = False
        else:
            enabled = True
-        systemd.service(
+
-            name=f"Setup {basename}",
+        deployer.ensure_service(basename, running=enabled, enabled=enabled)
            service=basename,
            running=enabled,
            enabled=enabled,
            restarted=enabled,
            daemon_reload=True,
        )
 class Deployment:
@@ -141,6 +133,7 @@ class Deployment:
 class Deployer:
    need_restart = False
    daemon_reload = False
    def install(self):
        pass
@@ -150,3 +143,113 @@ class Deployer:
    def activate(self):
        pass
    def ensure_service(self, service, running=True, enabled=True):
        if running:
            verb = "Start and enable"
        else:
            verb = "Stop"
        systemd.service(
            name=f"{verb} {service}",
            service=service,
            running=running,
            enabled=enabled,
            restarted=self.need_restart if running else False,
            daemon_reload=self.daemon_reload,
        )
        self.daemon_reload = False
    def ensure_systemd_unit(self, src, **kwargs):
        dest_name = src.split("/")[-1].replace(".j2", "")
        dest = f"/etc/systemd/system/{dest_name}"
        if src.endswith(".j2"):
            return self.put_template(src, dest, **kwargs)
        return self.put_file(src, dest)
    def put_file(self, src, dest, mode="644"):
        if isinstance(src, str):
            src = get_resource(src)
        res = files.put(
            name=f"Upload {dest}",
            src=src,
            dest=dest,
            user="root",
            group="root",
            mode=mode,
        )
        return self._update_restart_signals(dest, res)
    def put_executable(self, src, dest):
        return self.put_file(src, dest, mode="755")
    def put_template(self, src, dest, owner="root", **kwargs):
        if isinstance(src, str):
            src = get_resource(src)
        res = files.template(
            name=f"Upload {dest}",
            src=src,
            dest=dest,
            user=owner,
            group=owner,
            mode="644",
            **kwargs,
        )
        return self._update_restart_signals(dest, res)
    def remove_file(self, dest):
        res = files.file(name=f"Remove {dest}", path=dest, present=False)
        return self._update_restart_signals(dest, res)
    def ensure_line(self, path, line, **kwargs):
        name = kwargs.pop("name", f"Ensure line in {path}")
        res = files.line(name=name, path=path, line=line, **kwargs)
        return self._update_restart_signals(path, res)
    def ensure_directory(self, path, owner="root", mode="755", **kwargs):
        name = kwargs.pop("name", f"Ensure directory {path}")
        res = files.directory(
            name=name,
            path=path,
            user=owner,
            group=owner,
            mode=mode,
            present=True,
            **kwargs,
        )
        return self._update_restart_signals(path, res)
    def remove_directory(self, path, **kwargs):
        name = kwargs.pop("name", f"Remove directory {path}")
        res = files.directory(name=name, path=path, present=False, **kwargs)
        return self._update_restart_signals(path, res)
    def download_executable(self, url, dest, sha256sum, extract=None):
        existing = host.get_fact(Sha256File, dest)
        if existing == sha256sum:
            return
        tmp = f"{dest}.new"
        if extract:
            dl_cmd = f"curl -fSL {url} | {extract} >{tmp}"
        else:
            dl_cmd = f"curl -fSL {url} -o {tmp}"
        server.shell(
            name=f"Download {dest}",
            commands=[
                f"({dl_cmd}"
                f" && echo '{sha256sum}  {tmp}' | sha256sum -c"
                f" && mv {tmp} {dest})",
                f"chmod 755 {dest}",
            ],
        )
        self.need_restart = True
    def _update_restart_signals(self, path, res):
        if res.changed:
            self.need_restart = True
            if str(path).startswith("/etc/systemd/system/"):
                self.daemon_reload = True
        return res
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -87,7 +87,7 @@ def run_cmd_options(parser):
 def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain_bare
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
    sshexec = get_sshexec(ssh_host)
    require_iroh = args.config.enable_iroh_relay
    strict_tls = args.config.tls_cert_mode == "acme"
@@ -107,7 +107,7 @@ def run_cmd(args, out):
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
    cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
-    if ssh_host == "localhost":
+    if ssh_host in ["localhost", "@local"]:
        cmd = f"{pyinf} @local {deploy_path} -y"
    if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -148,7 +148,7 @@ def dns_cmd(args, out):
        ipv4 = args.config.ipv4_relay
        print(f"[WARNING] {ipv4} is not a domain, skipping DNS checks.")
        return 0
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    tls_cert_mode = args.config.tls_cert_mode
    strict_tls = tls_cert_mode == "acme"
@@ -185,7 +185,7 @@ def status_cmd_options(parser):
 def status_cmd(args, out):
    """Display status for online chatmail instance."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain_bare
+    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    out.green(f"chatmail domain: {args.config.mail_domain}")
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -12,7 +12,6 @@ from chatmaild.config import read_config
 from pyinfra import facts, host, logger
 from pyinfra.api import FactBase
 from pyinfra.facts import hardware
 from pyinfra.facts.files import Sha256File
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
@@ -25,7 +24,6 @@ from .basedeploy import (
    activate_remote_units,
    blocked_service_startup,
    configure_remote_units,
    get_resource,
    has_systemd,
    is_in_container,
 )
@@ -82,25 +80,22 @@ def remove_legacy_artifacts():
        )
-def _install_remote_venv_with_chatmaild() -> None:
+def _install_remote_venv_with_chatmaild(deployer) -> None:
    remove_legacy_artifacts()
    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
    remote_venv_dir = f"{remote_base_dir}/venv"
    root_owned = dict(user="root", group="root", mode="644")
    apt.packages(
        name="apt install python3-virtualenv",
        packages=["python3-virtualenv"],
    )
-    files.put(
+    deployer.ensure_directory(f"{remote_base_dir}/dist")
-        name="Upload chatmaild source package",
+    deployer.put_file(
        src=dist_file.open("rb"),
        dest=remote_dist_file,
        create_remote_dir=True,
        **root_owned,
    )
    pip.virtualenv(
@@ -122,32 +117,22 @@ def _install_remote_venv_with_chatmaild() -> None:
    )
-def _configure_remote_venv_with_chatmaild(config) -> None:
+def _configure_remote_venv_with_chatmaild(deployer, config) -> None:
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
-    files.put(
+    deployer.put_file(
        name=f"Upload {remote_chatmail_inipath}",
        src=config._getbytefile(),
        dest=remote_chatmail_inipath,
        **root_owned,
    )
-    files.file(
+    deployer.remove_file("/etc/cron.d/chatmail-metrics")
-        path="/etc/cron.d/chatmail-metrics",
+    deployer.remove_file("/var/www/html/metrics")
        present=False,
    )
    files.file(
        path="/var/www/html/metrics",
        present=False,
    )
 class UnboundDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.need_restart = False
    def install(self):
        # On an IPv4-only system, if unbound is started but not configured,
@@ -176,13 +161,9 @@ class UnboundDeployer(Deployer):
        )
        # Configure unbound resolver with Quad9 fallback and a trailing newline
        # (SolusVM bug).
-        files.put(
+        self.put_file(
            name="Write static resolv.conf",
            src=BytesIO(b"nameserver 127.0.0.1\nnameserver 9.9.9.9\n"),
            dest="/etc/resolv.conf",
            user="root",
            group="root",
            mode="644",
        )
        server.shell(
            name="Generate root keys for validating DNSSEC",
@@ -191,26 +172,15 @@ class UnboundDeployer(Deployer):
            ],
        )
        if self.config.disable_ipv6:
-            files.directory(
+            self.ensure_directory(
                path="/etc/unbound/unbound.conf.d",
                present=True,
                user="root",
                group="root",
                mode="755",
            )
-            conf = files.put(
+            self.put_template(
-                src=get_resource("unbound/unbound.conf.j2"),
+                "unbound/unbound.conf.j2",
-                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
+                "/etc/unbound/unbound.conf.d/chatmail.conf",
                user="root",
                group="root",
                mode="644",
            )
        else:
-            conf = files.file(
+            self.remove_file("/etc/unbound/unbound.conf.d/chatmail.conf")
                path="/etc/unbound/unbound.conf.d/chatmail.conf",
                present=False,
            )
        self.need_restart |= conf.changed
    def activate(self):
        server.shell(
@@ -220,27 +190,25 @@ class UnboundDeployer(Deployer):
            ],
        )
-        systemd.service(
+        self.ensure_service("unbound.service")
-            name="Start and enable unbound",
+
-            service="unbound.service",
+        self.ensure_service(
-            running=True,
+            "unbound-resolvconf.service",
-            enabled=True,
+            running=False,
-            restarted=self.need_restart,
+            enabled=False,
        )
 class MtastsDeployer(Deployer):
    def configure(self):
        # Remove configuration.
-        files.file("/etc/mta-sts-daemon.yml", present=False)
+        self.remove_file("/etc/mta-sts-daemon.yml")
-        files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
+        self.remove_directory("/usr/local/lib/postfix-mta-sts-resolver")
-        files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
+        self.remove_file("/etc/systemd/system/mta-sts-daemon.service")
    def activate(self):
-        systemd.service(
+        self.ensure_service(
-            name="Stop MTA-STS daemon",
+            "mta-sts-daemon.service",
            service="mta-sts-daemon.service",
            daemon_reload=True,
            running=False,
            enabled=False,
        )
@@ -251,14 +219,7 @@ class WebsiteDeployer(Deployer):
        self.config = config
    def install(self):
-        files.directory(
+        self.ensure_directory("/var/www")
            name="Ensure /var/www exists",
            path="/var/www",
            user="root",
            group="root",
            mode="755",
            present=True,
        )
    def configure(self):
        www_path, src_dir, build_dir = get_paths(self.config)
@@ -288,15 +249,11 @@ class LegacyRemoveDeployer(Deployer):
        # remove historic expunge script
        # which is now implemented through a systemd timer (chatmail-expire)
-        files.file(
+        self.remove_file("/etc/cron.d/expunge")
            path="/etc/cron.d/expunge",
            present=False,
        )
        # Remove OBS repository key that is no longer used.
-        files.file("/etc/apt/keyrings/obs-home-deltachat.gpg", present=False)
+        self.remove_file("/etc/apt/keyrings/obs-home-deltachat.gpg")
-        files.line(
+        self.ensure_line(
            name="Remove DeltaChat OBS home repository from sources.list",
            path="/etc/apt/sources.list",
            line="deb [signed-by=/etc/apt/keyrings/obs-home-deltachat.gpg] https://download.opensuse.org/repositories/home:/deltachat/Debian_12/ ./",
            escape_regex_characters=True,
@@ -304,11 +261,7 @@ class LegacyRemoveDeployer(Deployer):
        )
        # prior relay versions used filelogging
-        files.directory(
+        self.remove_directory("/var/log/journal/")
            name="Ensure old logs on disk are deleted",
            path="/var/log/journal/",
            present=False,
        )
        # remove echobot if it is still running
        if has_systemd() and host.get_fact(SystemdEnabled).get("echobot.service"):
            systemd.service(
@@ -350,22 +303,13 @@ class TurnDeployer(Deployer):
                "0fb3e792419494e21ecad536464929dba706bb2c88884ed8f1788141d26fc756",
            ),
        }[host.get_fact(facts.server.Arch)]
-
+        self.download_executable(url, "/usr/local/bin/chatmail-turn", sha256sum)
        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/chatmail-turn")
        if existing_sha256sum != sha256sum:
            server.shell(
                name="Download chatmail-turn",
                commands=[
                    f"(curl -L {url} >/usr/local/bin/chatmail-turn.new && (echo '{sha256sum} /usr/local/bin/chatmail-turn.new' | sha256sum -c) && mv /usr/local/bin/chatmail-turn.new /usr/local/bin/chatmail-turn)",
                    "chmod 755 /usr/local/bin/chatmail-turn",
                ],
            )
    def configure(self):
-        configure_remote_units(self.mail_domain, self.units)
+        configure_remote_units(self, self.mail_domain, self.units)
    def activate(self):
-        activate_remote_units(self.units)
+        activate_remote_units(self, self.units)
 class IrohDeployer(Deployer):
@@ -383,72 +327,30 @@ class IrohDeployer(Deployer):
                "f8ef27631fac213b3ef668d02acd5b3e215292746a3fc71d90c63115446008b1",
            ),
        }[host.get_fact(facts.server.Arch)]
-
+        self.download_executable(
-        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/iroh-relay")
+            url,
-        if existing_sha256sum != sha256sum:
+            "/usr/local/bin/iroh-relay",
-            server.shell(
+            sha256sum,
-                name="Download iroh-relay",
+            extract="gunzip | tar -xf - ./iroh-relay -O",
-                commands=[
+        )
                    f"(curl -L {url} | gunzip | tar -x -f - ./iroh-relay -O >/usr/local/bin/iroh-relay.new && (echo '{sha256sum} /usr/local/bin/iroh-relay.new' | sha256sum -c) && mv /usr/local/bin/iroh-relay.new /usr/local/bin/iroh-relay)",
                    "chmod 755 /usr/local/bin/iroh-relay",
                ],
            )
            self.need_restart = True
    def configure(self):
-        systemd_unit = files.put(
+        self.ensure_systemd_unit("iroh-relay.service")
-            name="Upload iroh-relay systemd unit",
+        self.put_file("iroh-relay.toml", "/etc/iroh-relay.toml")
            src=get_resource("iroh-relay.service"),
            dest="/etc/systemd/system/iroh-relay.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart |= systemd_unit.changed
        iroh_config = files.put(
            name="Upload iroh-relay config",
            src=get_resource("iroh-relay.toml"),
            dest="/etc/iroh-relay.toml",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart |= iroh_config.changed
    def activate(self):
-        systemd.service(
+        self.ensure_service(
-            name="Start and enable iroh-relay",
+            "iroh-relay.service",
            service="iroh-relay.service",
            running=True,
            enabled=self.enable_iroh_relay,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class JournaldDeployer(Deployer):
    def configure(self):
-        journald_conf = files.put(
+        self.put_file("journald.conf", "/etc/systemd/journald.conf")
            name="Configure journald",
            src=get_resource("journald.conf"),
            dest="/etc/systemd/journald.conf",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = journald_conf.changed
    def activate(self):
-        systemd.service(
+        self.ensure_service("systemd-journald.service")
            name="Start and enable journald",
            service="systemd-journald.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class ChatmailVenvDeployer(Deployer):
@@ -464,14 +366,14 @@ class ChatmailVenvDeployer(Deployer):
        )
    def install(self):
-        _install_remote_venv_with_chatmaild()
+        _install_remote_venv_with_chatmaild(self)
    def configure(self):
-        _configure_remote_venv_with_chatmaild(self.config)
+        _configure_remote_venv_with_chatmaild(self, self.config)
-        configure_remote_units(self.config.mail_domain_bare, self.units)
+        configure_remote_units(self, self.config.mail_domain_bare, self.units)
    def activate(self):
-        activate_remote_units(self.units)
+        activate_remote_units(self, self.units)
 class ChatmailDeployer(Deployer):
@@ -485,13 +387,9 @@ class ChatmailDeployer(Deployer):
        self.mail_domain = config.mail_domain
    def install(self):
-        files.put(
+        self.put_file(
            name="Disable installing recommended packages globally",
            src=BytesIO(b'APT::Install-Recommends "false";\n'),
            dest="/etc/apt/apt.conf.d/00InstallRecommends",
            user="root",
            group="root",
            mode="644",
        )
        apt.update(name="apt update", cache_time=24 * 3600)
        apt.upgrade(name="upgrade apt packages", auto_remove=True)
@@ -508,13 +406,10 @@ class ChatmailDeployer(Deployer):
    def configure(self):
        # metadata crashes if the mailboxes dir does not exist
-        files.directory(
+        self.ensure_directory(
-            name="Ensure vmail mailbox directory exists",
+            str(self.config.mailboxes_dir),
-            path=str(self.config.mailboxes_dir),
+            owner="vmail",
            user="vmail",
            group="vmail",
            mode="700",
            present=True,
        )
        # This file is used by auth proxy.
@@ -535,12 +430,7 @@ class FcgiwrapDeployer(Deployer):
        )
    def activate(self):
-        systemd.service(
+        self.ensure_service("fcgiwrap.service")
            name="Start and enable fcgiwrap",
            service="fcgiwrap.service",
            running=True,
            enabled=True,
        )
 class GithashDeployer(Deployer):
@@ -553,12 +443,7 @@ class GithashDeployer(Deployer):
            git_diff = subprocess.check_output(["git", "diff"]).decode()
        except Exception:
            git_diff = ""
-        files.put(
+        self.put_file(src=StringIO(git_hash + git_diff), dest="/etc/chatmail-version")
            name="Upload chatmail relay git commit hash",
            src=StringIO(git_hash + git_diff),
            dest="/etc/chatmail-version",
            mode="700",
        )
 def get_tls_deployer(config, mail_domain):
@@ -591,11 +476,17 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        return
    # Check if mtail_address interface is available (if configured)
-    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
+    if config.mtail_address and config.mtail_address not in (
        "127.0.0.1",
        "::1",
        "localhost",
    ):
        ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
        all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
        if config.mtail_address not in all_addresses:
-            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
+            Out().red(
                f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n"
            )
            exit(1)
    if not is_in_container():
@@ -649,7 +540,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
-        OpendkimDeployer(config.mail_domain),
+        *([] if config.ipv4_relay else [OpendkimDeployer(bare_host)]),
        # Dovecot should be started before Postfix
        # because it creates authentication socket
        # required by Postfix.
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -5,14 +5,13 @@ from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.deb import DebPackages
 from pyinfra.facts.server import Arch, Command, Sysctl
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, files, server
 from cmdeploy.basedeploy import (
    Deployer,
    activate_remote_units,
    blocked_service_startup,
    configure_remote_units,
    get_resource,
    is_in_container,
 )
@@ -59,26 +58,21 @@ class DovecotDeployer(Deployer):
                    ],
                )
                self.need_restart = True
-        files.put(
+        self.put_file(
            name="Pin dovecot packages to block Debian dist-upgrades",
            src=io.StringIO(
                "Package: dovecot-*\n"
                "Pin: version *\n"
                "Pin-Priority: -1\n"
            ),
            dest="/etc/apt/preferences.d/pin-dovecot",
            user="root",
            group="root",
            mode="644",
        )
    def configure(self):
-        configure_remote_units(self.config.mail_domain_bare, self.units)
+        configure_remote_units(self, self.config.mail_domain_bare, self.units)
-        config_restart, self.daemon_reload = _configure_dovecot(self.config)
+        _configure_dovecot(self, self.config)
        self.need_restart |= config_restart
    def activate(self):
-        activate_remote_units(self.units)
+        activate_remote_units(self, self.units)
        # Detect stale binary: package installed but service still runs old (deleted) binary.
        if not self.disable_mail and not self.need_restart:
@@ -91,19 +85,12 @@ class DovecotDeployer(Deployer):
            if stale == "STALE":
                self.need_restart = True
-        restart = False if self.disable_mail else self.need_restart
+        active = not self.disable_mail
-
+        self.ensure_service(
-        systemd.service(
+            "dovecot.service",
-            name="Disable dovecot for now"
+            running=active,
-            if self.disable_mail
+            enabled=active,
            else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
 def _pick_url(primary, fallback):
@@ -147,39 +134,19 @@ def _download_dovecot_package(package: str, arch: str) -> tuple[str | None, bool
    return deb_filename, True
-
+def _configure_dovecot(deployer, config: Config, debug: bool = False):
 def _configure_dovecot(config: Config, debug: bool = False) -> tuple[bool, bool]:
    """Configures Dovecot IMAP server."""
-    need_restart = False
+    deployer.put_template(
-    daemon_reload = False
+        "dovecot/dovecot.conf.j2",
-
+        "/etc/dovecot/dovecot.conf",
    main_config = files.template(
        src=get_resource("dovecot/dovecot.conf.j2"),
        dest="/etc/dovecot/dovecot.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        debug=debug,
        disable_ipv6=config.disable_ipv6,
    )
-    need_restart |= main_config.changed
+    deployer.put_file("dovecot/auth.conf", "/etc/dovecot/auth.conf")
-    auth_config = files.put(
+    deployer.put_file(
-        src=get_resource("dovecot/auth.conf"),
+        "dovecot/push_notification.lua", "/etc/dovecot/push_notification.lua"
        dest="/etc/dovecot/auth.conf",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= auth_config.changed
    lua_push_notification_script = files.put(
        src=get_resource("dovecot/push_notification.lua"),
        dest="/etc/dovecot/push_notification.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= lua_push_notification_script.changed
    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
    # it is recommended to set the following inotify limits
@@ -203,25 +170,20 @@ def _configure_dovecot(config: Config, debug: bool = False) -> tuple[bool, bool]
            persist=True,
        )
-    timezone_env = files.line(
+    deployer.ensure_line(
        name="Set TZ environment variable",
        path="/etc/environment",
        line="TZ=:/etc/localtime",
    )
    need_restart |= timezone_env.changed
-    restart_conf = files.put(
+    deployer.put_file(
-        name="dovecot: restart automatically on failure",
+        "service/10_restart_on_failure.conf",
-        src=get_resource("service/10_restart.conf"),
+        "/etc/systemd/system/dovecot.service.d/10_restart.conf",
        dest="/etc/systemd/system/dovecot.service.d/10_restart.conf",
    )
    daemon_reload |= restart_conf.changed
    # Validate dovecot configuration before restart
-    if need_restart:
+    if deployer.need_restart:
        server.shell(
            name="Validate dovecot configuration",
            commands=["doveconf -n >/dev/null"],
        )
    return need_restart, daemon_reload
--- a/cmdeploy/src/cmdeploy/external/deployer.py
+++ b/cmdeploy/src/cmdeploy/external/deployer.py
@@ -1,10 +1,7 @@
 import io
 from pyinfra import host
 from pyinfra.facts.files import File
 from pyinfra.operations import files, systemd
-from cmdeploy.basedeploy import Deployer, get_resource
+from ..basedeploy import Deployer
 class ExternalTlsDeployer(Deployer):
@@ -23,45 +20,22 @@ class ExternalTlsDeployer(Deployer):
    def configure(self):
        # Verify cert and key exist on the remote host using pyinfra facts.
        for path in (self.cert_path, self.key_path):
-            info = host.get_fact(File, path=path)
+            if host.get_fact(File, path=path) is None:
            if info is None:
                raise Exception(f"External TLS file not found on server: {path}")
-        # Deploy the .path unit (templated with the cert path).
+        self.ensure_systemd_unit(
-        # pkg=__package__ is required here because the resource files
+            "external/tls-cert-reload.path.j2",
-        # live in cmdeploy.external, not the default cmdeploy package.
+            cert_path=self.cert_path,
        source = get_resource("tls-cert-reload.path.f", pkg=__package__)
        content = source.read_text().format(cert_path=self.cert_path).encode()
        path_unit = files.put(
            name="Upload tls-cert-reload.path",
            src=io.BytesIO(content),
            dest="/etc/systemd/system/tls-cert-reload.path",
            user="root",
            group="root",
            mode="644",
        )
-
+        self.ensure_systemd_unit(
-        service_unit = files.put(
+            "external/tls-cert-reload.service",
            name="Upload tls-cert-reload.service",
            src=get_resource("tls-cert-reload.service", pkg=__package__),
            dest="/etc/systemd/system/tls-cert-reload.service",
            user="root",
            group="root",
            mode="644",
        )
        if path_unit.changed or service_unit.changed:
            self.need_restart = True
    def activate(self):
        systemd.service(
            name="Enable tls-cert-reload path watcher",
            service="tls-cert-reload.path",
            running=True,
            enabled=True,
            restarted=self.need_restart,
            daemon_reload=self.need_restart,
        )
        # No explicit reload needed here: dovecot/nginx read the cert
        # on startup, and the .path watcher handles live changes.
        self.ensure_service(
            "tls-cert-reload.path",
            running=True,
            enabled=True,
        )
--- a/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.j2
+++ b/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.j2
@@ -9,7 +9,7 @@
 Description=Watch TLS certificate for changes
 [Path]
-PathChanged={cert_path}
+PathChanged={{ cert_path }}
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -1,9 +1,8 @@
 import os
 from pyinfra import facts, host
 from pyinfra.operations import files, systemd
-from cmdeploy.basedeploy import Deployer, get_resource
+from cmdeploy.basedeploy import Deployer
 class FiltermailDeployer(Deployer):
@@ -11,54 +10,31 @@ class FiltermailDeployer(Deployer):
    bin_path = "/usr/local/bin/filtermail"
    config_path = "/usr/local/lib/chatmaild/chatmail.ini"
    def __init__(self):
        self.need_restart = False
    def install(self):
        local_bin = os.environ.get("CHATMAIL_FILTERMAIL_BINARY")
        if local_bin:
-            self.need_restart |= files.put(
+            self.put_executable(
                name="Upload locally built filtermail",
                src=local_bin,
                dest=self.bin_path,
-                mode="755",
+            )
            ).changed
            return
        arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.6.4/filtermail-{arch}"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.6.6/filtermail-{arch}"
        sha256sum = {
-            "x86_64": "5295115952c72e4c4ec3c85546e094b4155a4c702c82bd71fcdcb744dc73adf6",
+            "x86_64": "05c7e7ac244606c2eeb275f2d282ffdbc2403e0169f1cdd3110ffcebdb994a92",
-            "aarch64": "6892244f17b8f26ccb465766e96028e7222b3c8adefca9fc6bfe9ff332ca8dff",
+            "aarch64": "8cf8bbda4d907beca547b365cc7e6753532a74b1712492d0d2f3d2d8a553fb3d",
        }[arch]
-        self.need_restart |= files.download(
+        self.download_executable(url, self.bin_path, sha256sum)
            name="Download filtermail",
            src=url,
            sha256sum=sha256sum,
            dest=self.bin_path,
            mode="755",
        ).changed
    def configure(self):
        for service in self.services:
-            self.need_restart |= files.template(
+            self.ensure_systemd_unit(
-                src=get_resource(f"filtermail/{service}.service.j2"),
+                f"filtermail/{service}.service.j2",
                dest=f"/etc/systemd/system/{service}.service",
                user="root",
                group="root",
                mode="644",
                bin_path=self.bin_path,
                config_path=self.config_path,
-            ).changed
+            )
    def activate(self):
        for service in self.services:
-            systemd.service(
+            self.ensure_service(f"{service}.service")
                name=f"Start and enable {service}",
                service=f"{service}.service",
                running=True,
                enabled=True,
                restarted=self.need_restart,
                daemon_reload=True,
            )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/mtail/deployer.py
+++ b/cmdeploy/src/cmdeploy/mtail/deployer.py
@@ -1,10 +1,7 @@
 from pyinfra import facts, host
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt
-from cmdeploy.basedeploy import (
+from cmdeploy.basedeploy import Deployer
    Deployer,
    get_resource,
 )
 class MtailDeployer(Deployer):
@@ -18,51 +15,30 @@ class MtailDeployer(Deployer):
        (url, sha256sum) = {
            "x86_64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
-                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
+                "d55cb601049c5e61eabab29998dbbcea95d480e5448544f9470337ba2eea882e",
            ),
            "aarch64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
-                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
+                "f748db8ad2a1e0b63684d4c8868cf6a373a20f7e6922e5ece601fff0ee00eb1a",
            ),
        }[host.get_fact(facts.server.Arch)]
-
+        self.download_executable(
-        server.shell(
+            url,
-            name="Download mtail",
+            "/usr/local/bin/mtail",
-            commands=[
+            sha256sum,
-                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
+            extract="gunzip | tar -xf - mtail -O",
                "chmod 755 /usr/local/bin/mtail",
            ],
        )
    def configure(self):
        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
        # This allows to read from journalctl instead of log files.
-        files.template(
+        self.ensure_systemd_unit(
-            src=get_resource("mtail/mtail.service.j2"),
+            "mtail/mtail.service.j2",
            dest="/etc/systemd/system/mtail.service",
            user="root",
            group="root",
            mode="644",
            address=self.mtail_address or "127.0.0.1",
            port=3903,
        )
-
+        self.put_file("mtail/delivered_mail.mtail", "/etc/mtail/delivered_mail.mtail")
        mtail_conf = files.put(
            name="Mtail configuration",
            src=get_resource("mtail/delivered_mail.mtail"),
            dest="/etc/mtail/delivered_mail.mtail",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = mtail_conf.changed
    def activate(self):
-        systemd.service(
+        active = bool(self.mtail_address)
-            name="Start and enable mtail",
+        self.ensure_service("mtail.service", running=active, enabled=active)
            service="mtail.service",
            running=bool(self.mtail_address),
            enabled=bool(self.mtail_address),
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
+++ b/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
@@ -1,11 +1,13 @@
 [Unit]
 Description=mtail
-After=multi-user.target
+After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/local/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs -"
 Restart=on-failure
 RestartSec=2s
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/nginx/deployer.py
+++ b/cmdeploy/src/cmdeploy/nginx/deployer.py
@@ -1,5 +1,5 @@
 from chatmaild.config import Config
-from pyinfra.operations import apt, files, systemd
+from pyinfra.operations import apt
 from cmdeploy.basedeploy import (
    Deployer,
@@ -31,87 +31,50 @@ class NginxDeployer(Deployer):
        # For documentation about policy-rc.d, see:
        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
        #
-        files.put(
+        self.put_executable(src="policy-rc.d", dest="/usr/sbin/policy-rc.d")
            src=get_resource("policy-rc.d"),
            dest="/usr/sbin/policy-rc.d",
            user="root",
            group="root",
            mode="755",
        )
        apt.packages(
            name="Install nginx",
            packages=["nginx", "libnginx-mod-stream"],
        )
-        files.file("/usr/sbin/policy-rc.d", present=False)
+        self.remove_file("/usr/sbin/policy-rc.d")
    def configure(self):
-        self.need_restart = _configure_nginx(self.config)
+        _configure_nginx(self, self.config)
    def activate(self):
-        systemd.service(
+        self.ensure_service("nginx.service")
            name="Start and enable nginx",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
-def _configure_nginx(config: Config, debug: bool = False) -> bool:
+def _configure_nginx(deployer, config: Config, debug: bool = False):
    """Configures nginx HTTP server."""
    need_restart = False
-    main_config = files.template(
+    deployer.put_template(
-        src=get_resource("nginx/nginx.conf.j2"),
+        "nginx/nginx.conf.j2",
-        dest="/etc/nginx/nginx.conf",
+        "/etc/nginx/nginx.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
-    autoconfig = files.template(
+    deployer.put_template(
-        src=get_resource("nginx/autoconfig.xml.j2"),
+        "nginx/autoconfig.xml.j2",
-        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
+        "/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= autoconfig.changed
-    mta_sts_config = files.template(
+    deployer.put_template(
-        src=get_resource("nginx/mta-sts.txt.j2"),
+        "nginx/mta-sts.txt.j2",
-        dest="/var/www/html/.well-known/mta-sts.txt",
+        "/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= mta_sts_config.changed
    # install CGI newemail script
    #
    cgi_dir = "/usr/lib/cgi-bin"
-    files.directory(
+    deployer.ensure_directory(cgi_dir)
        name=f"Ensure {cgi_dir} exists",
        path=cgi_dir,
        user="root",
        group="root",
    )
-    files.put(
+    deployer.put_executable(
        name="Upload cgi newemail.py script",
        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
        dest=f"{cgi_dir}/newemail.py",
        user="root",
        group="root",
        mode="755",
    )
    return need_restart
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -42,6 +42,9 @@ stream {
 }
 http {
 	# access_log setting is inherited by all server sections
 	access_log syslog:server=unix:/dev/log,facility=local7;
 {% if config.tls_cert_mode == "self" %}
 	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
 {% endif %}
@@ -69,9 +72,7 @@ http {
 		index index.html index.htm;
-		server_name {{ config.mail_domain }} www.{{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
+		server_name {{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
 		access_log syslog:server=unix:/dev/log,facility=local7;
 		location /mxdeliv {
 		    proxy_pass http://127.0.0.1:{{ config.filtermail_http_port_incoming }};
@@ -143,7 +144,6 @@ http {
 		listen 127.0.0.1:8443 ssl;
 		server_name www.{{ config.mail_domain }};
 		return 301 $scheme://{{ config.mail_domain }}$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 	server {
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -4,9 +4,9 @@ Installs OpenDKIM
 from pyinfra import host
 from pyinfra.facts.files import File
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, files, server
-from cmdeploy.basedeploy import Deployer, get_resource
+from cmdeploy.basedeploy import Deployer
 class OpendkimDeployer(Deployer):
@@ -25,65 +25,39 @@ class OpendkimDeployer(Deployer):
        domain = self.mail_domain
        dkim_selector = "opendkim"
        """Configures OpenDKIM"""
        need_restart = False
-        main_config = files.template(
+        self.put_template(
-            src=get_resource("opendkim/opendkim.conf"),
+            "opendkim/opendkim.conf",
-            dest="/etc/opendkim.conf",
+            "/etc/opendkim.conf",
            user="root",
            group="root",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= main_config.changed
-        screen_script = files.file(
+        self.remove_file("/etc/opendkim/screen.lua")
-            path="/etc/opendkim/screen.lua",
+        self.remove_file("/etc/opendkim/final.lua")
            present=False,
        )
        need_restart |= screen_script.changed
-        final_script = files.file(
+        self.ensure_directory(
-            path="/etc/opendkim/final.lua",
+            "/etc/opendkim",
-            present=False,
+            owner="opendkim",
        )
        need_restart |= final_script.changed
        files.directory(
            name="Add opendkim directory to /etc",
            path="/etc/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
-        keytable = files.template(
+        self.put_template(
-            src=get_resource("opendkim/KeyTable"),
+            "opendkim/KeyTable",
-            dest="/etc/dkimkeys/KeyTable",
+            "/etc/dkimkeys/KeyTable",
-            user="opendkim",
+            owner="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= keytable.changed
-        signing_table = files.template(
+        self.put_template(
-            src=get_resource("opendkim/SigningTable"),
+            "opendkim/SigningTable",
-            dest="/etc/dkimkeys/SigningTable",
+            "/etc/dkimkeys/SigningTable",
-            user="opendkim",
+            owner="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
-        need_restart |= signing_table.changed
+        self.ensure_directory(
-        files.directory(
+            "/var/spool/postfix/opendkim",
-            name="Add opendkim socket directory to /var/spool/postfix",
+            owner="opendkim",
            path="/var/spool/postfix/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
@@ -96,12 +70,10 @@ class OpendkimDeployer(Deployer):
                _su_user="opendkim",
            )
-        service_file = files.put(
+        self.put_file(
-            name="Configure opendkim to restart once a day",
+            "opendkim/systemd.conf",
-            src=get_resource("opendkim/systemd.conf"),
+            "/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
        )
        need_restart |= service_file.changed
        files.file(
            name="chown opendkim: /etc/dkimkeys/opendkim.private",
@@ -110,15 +82,5 @@ class OpendkimDeployer(Deployer):
            group="opendkim",
        )
        self.need_restart = need_restart
    def activate(self):
-        systemd.service(
+        self.ensure_service("opendkim.service")
            name="Start and enable OpenDKIM",
            service="opendkim.service",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart,
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -1,11 +1,10 @@
-from pyinfra.operations import apt, files, server, systemd
+from pyinfra.operations import apt, server
-from cmdeploy.basedeploy import Deployer, get_resource
+from cmdeploy.basedeploy import Deployer
 class PostfixDeployer(Deployer):
    required_users = [("postfix", None, ["opendkim"])]
    daemon_reload = False
    def __init__(self, config, disable_mail):
        self.config = config
@@ -19,81 +18,46 @@ class PostfixDeployer(Deployer):
    def configure(self):
        config = self.config
        need_restart = False
-        main_config = files.template(
+        self.put_template(
-            src=get_resource("postfix/main.cf.j2"),
+            "postfix/main.cf.j2",
-            dest="/etc/postfix/main.cf",
+            "/etc/postfix/main.cf",
            user="root",
            group="root",
            mode="644",
            config=config,
            disable_ipv6=config.disable_ipv6,
        )
        need_restart |= main_config.changed
-        master_config = files.template(
+        self.put_template(
-            src=get_resource("postfix/master.cf.j2"),
+            "postfix/master.cf.j2",
-            dest="/etc/postfix/master.cf",
+            "/etc/postfix/master.cf",
            user="root",
            group="root",
            mode="644",
            debug=False,
            config=config,
        )
        need_restart |= master_config.changed
-        header_cleanup = files.put(
+        self.put_file(
-            src=get_resource("postfix/submission_header_cleanup"),
+            "postfix/submission_header_cleanup",
-            dest="/etc/postfix/submission_header_cleanup",
+            "/etc/postfix/submission_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
-        need_restart |= header_cleanup.changed
+        self.put_file("postfix/lmtp_header_cleanup", "/etc/postfix/lmtp_header_cleanup")
-        lmtp_header_cleanup = files.put(
+        res = self.put_file(
-            src=get_resource("postfix/lmtp_header_cleanup"),
+            "postfix/smtp_tls_policy_map", "/etc/postfix/smtp_tls_policy_map"
            dest="/etc/postfix/lmtp_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
-        need_restart |= lmtp_header_cleanup.changed
+        tls_policy_changed = res.changed
-
+        if tls_policy_changed:
        tls_policy_map = files.put(
            name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
            src=get_resource("postfix/smtp_tls_policy_map"),
            dest="/etc/postfix/smtp_tls_policy_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= tls_policy_map.changed
        if tls_policy_map.changed:
            server.shell(
                commands=["postmap /etc/postfix/smtp_tls_policy_map"],
            )
        # Login map that 1:1 maps email address to login.
-        login_map = files.put(
+        self.put_file("postfix/login_map", "/etc/postfix/login_map")
            src=get_resource("postfix/login_map"),
            dest="/etc/postfix/login_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= login_map.changed
-        restart_conf = files.put(
+        self.put_file(
-            name="postfix: restart automatically on failure",
+            "service/10_restart_on_failure.conf",
-            src=get_resource("service/10_restart.conf"),
+            "/etc/systemd/system/postfix@.service.d/10_restart.conf",
            dest="/etc/systemd/system/postfix@.service.d/10_restart.conf",
        )
        self.daemon_reload = restart_conf.changed
        # Validate postfix configuration before restart
-        if need_restart:
+        if self.need_restart:
            server.shell(
                name="Validate postfix configuration",
                # Extract stderr and quit with error if non-zero
@@ -101,19 +65,11 @@ class PostfixDeployer(Deployer):
                    """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
                ],
            )
        self.need_restart = need_restart
    def activate(self):
-        restart = False if self.disable_mail else self.need_restart
+        active = not self.disable_mail
-
+        self.ensure_service(
-        systemd.service(
+            "postfix.service",
-            name="disable postfix for now"
+            running=active,
-            if self.disable_mail
+            enabled=active,
            else "Start and enable Postfix",
            service="postfix.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -60,6 +60,7 @@ alias_database = hash:/etc/aliases
 # When postfix receives mail for $mydestination,
 # it hands it over to dovecot via $local_transport.
 # Note: IP literals must be handled via local delivery / mydestination.
 mydestination = {{ config.mail_domain }}
 local_transport = lmtp:unix:private/dovecot-lmtp
 # postfix doesn't check whether local users exist or not:
@@ -102,3 +103,11 @@ smtpd_peername_lookup = no
 default_transport = lmtp-filtermail:inet:[127.0.0.1]:{{ config.filtermail_lmtp_port_transport }}
 lmtp-filtermail_initial_destination_concurrency=10000
 lmtp-filtermail_destination_concurrency_limit=10000
 {% if not config.ipv4_relay %}
 # DKIM-sign locally generated mail (bounces, DSNs).
 # These bypass smtpd, so they need explicit milter configuration.
 non_smtpd_milters = unix:opendkim/opendkim.sock
 internal_mail_filter_classes = bounce
 milter_macro_daemon_name = ORIGINATING
 {% endif %}
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -64,21 +64,25 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
    )
-def query_dns(typ, domain):
+def get_authoritative_ns(domain):
-    # Get autoritative nameserver from the SOA record.
+    ns_replies = [
    soa_answers = [
        x.split()
        for x in shell(
-            f"dig -r -q {domain} -t SOA +noall +authority +answer", print=log_progress
+            f"dig -r -q {domain} -t NS +noall +authority +answer", print=log_progress
        ).split("\n")
    ]
-    soa = [a for a in soa_answers if len(a) >= 3 and a[3] == "SOA"]
+    filtered_replies = [a for a in ns_replies if len(a) >= 5 and a[3] == "NS"]
-    if not soa:
+    if not filtered_replies:
        return
-    ns = soa[0][4]
+    return filtered_replies[0][4]
 def query_dns(typ, domain):
    ns = get_authoritative_ns(domain)
    # Query authoritative nameserver directly to bypass DNS cache.
-    res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short", print=log_progress)
+    direct_ns = f"@{ns}" if ns else ""
    res = shell(f"dig {direct_ns} -r -q {domain} -t {typ} +short", print=log_progress)
    return next((line for line in res.split("\n") if not line.startswith(";")), "")
--- a/cmdeploy/src/cmdeploy/selfsigned/deployer.py
+++ b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
@@ -1,8 +1,8 @@
 import shlex
-from pyinfra.operations import apt, server
+from pyinfra.operations import server
-from cmdeploy.basedeploy import Deployer
+from ..basedeploy import Deployer
 def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
@@ -34,11 +34,7 @@ class SelfSignedTlsDeployer(Deployer):
        self.cert_path = "/etc/ssl/certs/mailserver.pem"
        self.key_path = "/etc/ssl/private/mailserver.key"
-    def install(self):
+
        apt.packages(
            name="Install openssl",
            packages=["openssl"],
        )
    def configure(self):
        args = openssl_selfsigned_args(
@@ -52,3 +48,5 @@ class SelfSignedTlsDeployer(Deployer):
    def activate(self):
        pass
--- a/cmdeploy/src/cmdeploy/service/10_restart_on_failure.conf
+++ b/cmdeploy/src/cmdeploy/service/10_restart_on_failure.conf
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
@@ -12,7 +12,7 @@ def test_init(tmp_path, maildomain):
    inipath = tmp_path.joinpath("chatmail.ini")
    main(["init", "--config", str(inipath), maildomain])
    config = read_config(inipath)
-    assert config.mail_domain == maildomain
+    assert config.mail_domain_bare == maildomain
 def test_capabilities(imap):
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -5,10 +5,10 @@ import subprocess
 import time
 import pytest
 from chatmaild.config import is_valid_ipv4
 from cmdeploy import remote
 from cmdeploy.cmdeploy import get_sshexec
 from chatmaild.config import is_valid_ipv4
 class TestSSHExecutor:
@@ -64,8 +64,10 @@ class TestSSHExecutor:
        else:
            pytest.fail("didn't raise exception")
-    def test_opendkim_restarted(self, sshexec):
+    def test_opendkim_restarted(self, sshexec, maildomain):
        """check that opendkim is not running for longer than a day."""
        if is_valid_ipv4(maildomain):
            pytest.skip(f"{maildomain} is an IPv4 relay, opendkim is not installed")
        cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
        out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
        datestring = out.split("=")[1]
@@ -192,6 +194,34 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
            s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 def test_bounces_are_dkim_signed(cmsetup, cmsetup2, maildata, maildomain):
    # we send a message to non-existant user and expect a bounce message
    # which will only get through if the bounce message was DKIM-signed
    if is_valid_ipv4(maildomain):
        pytest.skip("DKIM is not configured on IPv4-only relays")
    sender = cmsetup2.gen_users(1)[0]
    nonexistent = f"nosuchuser_test42@{cmsetup.maildomain}"
    msg = maildata(
        "encrypted.eml",
        from_addr=sender.addr,
        to_addr=nonexistent,
    ).as_string()
    sender.smtp.sendmail(sender.addr, [nonexistent], msg)
    def bounce_in_inbox():
        messages = sender.imap.fetch_all_messages()
        for m in messages:
            if "mail delivery" in m.lower() or "undelivered" in m.lower():
                return m
        raise ValueError("bounce not yet in inbox")
    bounce = try_n_times(30, bounce_in_inbox)
    assert "nosuchuser_test42" in bounce
 def try_n_times(n, f):
    for _ in range(n - 1):
        try:
@@ -284,3 +314,15 @@ def test_deployed_state(remote):
    # assert len(git_status) == len(remote_version)  # for some reason, we only get 11 lines from remote.iter_output()
    for i in range(len(remote_version)):
        assert git_status[i] == remote_version[i], "You have undeployed changes."
 def test_nginx_access_log_only_defined_once(sshdomain):
    sshexec = get_sshexec(sshdomain)
    conf = sshexec(
        call=remote.rshell.shell,
        kwargs=dict(command="nginx -T 2>/dev/null"),
    )
    access_logs = [l for l in conf.splitlines() if l.strip().startswith("access_log")]
    assert len(access_logs) == 1, (
        f"expected 1 access_log, found {len(access_logs)}: {access_logs}"
    )
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -1,5 +1,4 @@
 import imaplib
 import ipaddress
 import itertools
 import os
 import random
@@ -10,20 +9,20 @@ import time
 from pathlib import Path
 import pytest
-from chatmaild.config import read_config, format_mail_domain, is_valid_ipv4
+from chatmaild.config import is_valid_ipv4, read_config
 from domain_validator import DomainValidator
 def format_mail_domain(raw_domain: str) -> str:
    if is_valid_ipv4(raw_domain):
        return f"[{raw_domain}]"
    DomainValidator().validate_domain_re(raw_domain)
    return raw_domain
 conftestdir = Path(__file__).parent
 def _is_ip(domain):
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False
 def pytest_configure(config):
    config._benchresults = {}
    config.addinivalue_line(
@@ -63,13 +62,8 @@ def maildomain(chatmail_config):
@pytest.fixture(scope="session")
-def maildomain_deliverable(maildomain):
+def sshdomain(chatmail_config):
-    return format_mail_domain(maildomain)
+    return os.environ.get("CHATMAIL_SSH", chatmail_config.ssh_host)
@pytest.fixture(scope="session")
 def sshdomain(maildomain):
    return os.environ.get("CHATMAIL_SSH", maildomain)
@pytest.fixture
@@ -349,7 +343,7 @@ class ChatmailACFactory:
            account = self.dc.add_account()
            domain_deliverable = format_mail_domain(domain)
            addr, password = self.gencreds(domain_deliverable)
-            if _is_ip(domain):
+            if is_valid_ipv4(domain):
                # Use DCLOGIN scheme with explicit server hosts,
                # matching how madmail presents its addresses to users.
                qr = (
@@ -423,10 +417,10 @@ class Remote:
    def iter_output(self, logcmd="", ready=None):
        getjournal = "journalctl -f" if not logcmd else logcmd
        print(self.sshdomain)
-        match self.sshdomain:
+        if self.sshdomain in ("@local", "localhost"):
-            case "@local": command = []
+            command = []
-            case "localhost": command = []
+        else:
-            case _: command = ["ssh", f"root@{self.sshdomain}"]
+            command = ["ssh", f"root@{self.sshdomain}"]
        [command.append(arg) for arg in getjournal.split()]
        popen = subprocess.Popen(
            command,
@@ -473,6 +467,11 @@ def cmsetup(maildomain, gencreds, ssl_context):
    return CMSetup(maildomain, gencreds, ssl_context)
@pytest.fixture
 def cmsetup2(maildomain2, gencreds, ssl_context):
    return CMSetup(maildomain2, gencreds, ssl_context)
 class CMSetup:
    def __init__(self, maildomain, gencreds, ssl_context):
        self.maildomain = maildomain
@@ -483,7 +482,7 @@ class CMSetup:
        print(f"Creating {num} online users")
        users = []
        for i in range(num):
-            addr, password = self.gencreds()
+            addr, password = self.gencreds(format_mail_domain(self.maildomain))
            user = CMUser(self.maildomain, addr, password, self.ssl_context)
            assert user.smtp
            users.append(user)
--- a/cmdeploy/src/cmdeploy/tests/test_basedeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_basedeploy.py
@@ -0,0 +1,118 @@
 from unittest.mock import MagicMock, patch
 from cmdeploy.basedeploy import Deployer
 def test_put_file_restart_and_reload():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res):
        deployer.put_file("foo.conf", "/etc/foo.conf")
        assert deployer.need_restart is True
        assert deployer.daemon_reload is False
        deployer = Deployer()
        deployer.put_file("test.service", "/etc/systemd/system/test.service")
        assert deployer.need_restart is True
        assert deployer.daemon_reload is True
 def test_remove_file():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    with patch("cmdeploy.basedeploy.files.file", return_value=mock_res) as mock_file:
        deployer.remove_file("/etc/foo.conf")
        mock_file.assert_called_once_with(
            name="Remove /etc/foo.conf", path="/etc/foo.conf", present=False
        )
        assert deployer.need_restart is True
 def test_ensure_systemd_unit():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    # Plain service file
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res) as mock_put:
        deployer.ensure_systemd_unit("iroh-relay.service")
        assert (
            mock_put.call_args.kwargs["dest"]
            == "/etc/systemd/system/iroh-relay.service"
        )
        assert deployer.need_restart is True
        assert deployer.daemon_reload is True
    deployer = Deployer()
    # Template (.j2) dispatches to put_template and strips .j2 suffix
    with patch("cmdeploy.basedeploy.files.template", return_value=mock_res) as mock_tpl:
        deployer.ensure_systemd_unit(
            "filtermail/chatmaild.service.j2",
            bin_path="/usr/local/bin/filtermail",
        )
        assert (
            mock_tpl.call_args.kwargs["dest"] == "/etc/systemd/system/chatmaild.service"
        )
    deployer = Deployer()
    # Explicit dest_name override
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res) as mock_put:
        deployer.ensure_systemd_unit(
            "acmetool/acmetool-reconcile.timer",
            dest_name="acmetool-reconcile.timer",
        )
        assert (
            mock_put.call_args.kwargs["dest"]
            == "/etc/systemd/system/acmetool-reconcile.timer"
        )
 def test_ensure_service():
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service("nginx.service")
        mock_svc.assert_called_once_with(
            name="Start and enable nginx.service",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=True,
            daemon_reload=True,
        )
        # daemon_reload is cleared to avoid multiple systemctl daemon-reload calls
        # need_restart is kept to ensure all subsequent services also restart
        assert deployer.need_restart is True
        assert deployer.daemon_reload is False
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        # Stopping suppresses restarted even when need_restart is True
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service(
            "mta-sts-daemon.service",
            running=False,
            enabled=False,
        )
        assert mock_svc.call_args.kwargs["restarted"] is False
        assert deployer.need_restart is True
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        # Multiple calls: daemon_reload resets after first, need_restart persists
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service("chatmaild.service")
        deployer.ensure_service("chatmaild-metadata.service")
        second_call = mock_svc.call_args_list[1]
        assert second_call.kwargs["restarted"] is True
        assert second_call.kwargs["daemon_reload"] is False
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -4,6 +4,7 @@ import pytest
 from cmdeploy import remote
 from cmdeploy.dns import check_full_zone, check_initial_remote_data, parse_zone_records
 from cmdeploy.remote.rdns import get_authoritative_ns
@pytest.fixture
@@ -14,11 +15,15 @@ def mockdns_base(monkeypatch):
        if command.startswith("dig"):
            if command == "dig":
                return "."
-            if "SOA" in command:
+            if "with.public.soa" in command and "NS" in command:
                return "domain.with.public.soa. 2419 IN NS ns1.first-ns.de."
            if "with.hidden.soa" in command and "NS" in command:
                return (
-                    "delta.chat. 21600 IN SOA ns1.first-ns.de. dns.hetzner.com."
+                    "domain.with.hidden.soa. 2137 IN NS ns1.desec.io.\n"
-                    " 2025102800 14400 1800 604800 3600"
+                    "domain.with.hidden.soa. 2137 IN NS ns2.desec.org."
                )
            if "NS" in command:
                return "delta.chat. 21600 IN NS ns1.first-ns.de."
            command_chunks = command.split()
            domain, typ = command_chunks[4], command_chunks[6]
            try:
@@ -125,6 +130,17 @@ class TestPerformInitialChecks:
        assert not l
@pytest.mark.parametrize(
    ("domain", "ns"),
    [
        ("domain.with.public.soa", "ns1.first-ns.de."),
        ("domain.with.hidden.soa", "ns1.desec.io."),
    ],
 )
 def test_get_authoritative_ns(domain, ns, mockdns):
    assert get_authoritative_ns(domain) == ns
 def test_parse_zone_records():
    text = """
    ; This is a comment
--- a/cmdeploy/src/cmdeploy/tests/test_dovecot_deployer.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dovecot_deployer.py
@@ -23,8 +23,7 @@ def make_host(*fact_pairs):
        if cls not in facts:
            registered = ", ".join(c.__name__ for c in facts)
            raise LookupError(
-                f"unexpected get_fact({cls.__name__}); "
+                f"unexpected get_fact({cls.__name__}); only registered: {registered}"
                f"only registered: {registered}"
            )
        return facts[cls]
--- a/doc/source/faq.rst
+++ b/doc/source/faq.rst
@@ -15,6 +15,7 @@ goes beyond what classic email servers offer:
   streaming, privacy-preserving Push Notifications for Apple, Google, and `Ubuntu Touch <https://docs.ubports.com/en/latest/appdev/guides/pushnotifications.html>`_;
 -  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
   (DKIM is not enforced on :ref:`IP-only relays <iponly>`)
 -  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
   depends on established IETF standards and protocols.
@@ -47,6 +48,28 @@ Dovecot, and are configured to run unattended without much maintenance
 effort. Chatmail relays happily run on low-end hardware like a Raspberry
 Pi.
 .. _upgrade:
 How can I upgrade my chatmail relay?
 ------------------------------------
 To upgrade to the latest ``main`` branch,
 ``cd`` into your local checkout of `https://github.com/chatmail/relay/`_
 and run the following commands:
   ::
       git pull origin main --rebase --autostash
       scripts/cmdeploy run
 If you don't want the latest development version,
 but a specific tagged release like `1.10.0 <https://github.com/chatmail/relay/releases/tag/1.10.0>`_,
 run ``git pull origin 1.10.0`` instead.
 If you made local changes for your setup,
 they will be reapplied as long as they don't conflict with the upgrade.
 If a conflict arises, ``git status`` will tell you how to resolve it.
 How trustable are chatmail relays?
 ----------------------------------
--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -14,21 +14,14 @@ Minimal requirements and prerequisites
 You will need the following:
-  A Debian 12 **deployment server** with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
+-  Control over a domain through a DNS provider of your choice.
   (there is experimental support for :ref:`IP-only relays <iponly>`).
 -  A Debian 12 server with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
   IPv6 is encouraged if available. Chatmail relay servers only require
   1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
   chatmail addresses.
 -  A Linux or Unix **build machine** with key-based SSH access to the root
   user of the deployment server.
   You must add a passphrase-protected private key to your local ssh-agent because you
   can’t type in your passphrase during deployment.
   (An ed25519 private key is required due to an `upstream bug in
   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)
 -  Control over a domain through a DNS provider of your choice
   (there is experimental support for :ref:`DNS-less relays <iponly>`).
 .. _setup:
@@ -38,7 +31,7 @@ Setup with ``scripts/cmdeploy``
 We use ``chat.example.org`` as the chatmail domain in the following
 steps. Please substitute it with your own domain.
-1. Setup the initial DNS records for your deployment server.
+1. Setup the initial DNS records for your relay.
   The following is an example in the
   familiar BIND zone file format with a TTL of 1 hour (3600 seconds).
   Please substitute your domain and IP addresses.
@@ -58,22 +51,25 @@ steps. Please substitute it with your own domain.
      The ``mta-sts`` CNAME and ``_mta-sts`` TXT records
      are not needed for such domains.
-2. On your local PC, clone the repository and bootstrap the Python
+2. Login to the server with SSH, clone the repository and bootstrap the Python
   virtualenv.
   ::
       ssh root@chat.example.org
       git clone https://github.com/chatmail/relay
       cd relay
       scripts/initenv.sh
-3. On your local build machine (PC), create a chatmail configuration file
+3. Then, create a chatmail configuration file
   ``chatmail.ini``:
   ::
       scripts/cmdeploy init chat.example.org  # <-- use your domain
   .. note::
   To use self-signed TLS certificates
   instead of Let's Encrypt,
   use a domain name starting with ``_``
@@ -84,13 +80,7 @@ steps. Please substitute it with your own domain.
   See the :doc:`overview`
   for details on certificate provisioning.
-4. Verify that SSH root login to the deployment server server works:
+4. Now run the deployment script to install the relay to the server:
   ::
       ssh root@chat.example.org  # <-- use your domain
 5. From your local build machine, setup and configure the remote deployment server:
   ::
@@ -101,27 +91,41 @@ steps. Please substitute it with your own domain.
   configure at your DNS provider (it can take some time until they are
   public).
 Other helpful commands
 ----------------------
-To check the status of your deployment server running the chatmail service:
+Docker installation
 -------------------
-::
+There is experimental support for running chatmail via Docker.
 A monolithic image based on the above cmdeploy method is available `through a separate repository <https://github.com/chatmail/docker/pkgs/container/docker>`_.
 See the `chatmail/docker README <https://github.com/chatmail/docker>`_ for full setup instructions.
   scripts/cmdeploy status
-To display and check all recommended DNS records:
+Next Steps
 ----------
 Now you should display and check all recommended DNS records
 to enable federation with other relays:
 ::
   scripts/cmdeploy dns
-To test whether your chatmail service is working correctly:
+You should also test whether your chatmail service is working correctly:
 ::
   scripts/cmdeploy test
 Other Helpful Commands
 ----------------------
 To check the status of your chatmail relay:
 ::
   scripts/cmdeploy status
 To measure the performance of your chatmail service:
 ::
@@ -162,8 +166,9 @@ This starts a local live development cycle for chatmail web pages:
   directory and generating HTML files and copying assets to the
   ``www/build`` directory.
-  Starts a browser window automatically where you can “refresh” as
+-  if you are running scripts/cmdeploy webdev on the relay itself,
-   needed.
+   you need to configure a route in /etc/nginx/nginx.conf
   to expose the build directory.
 Custom web pages
 ----------------
@@ -181,7 +186,7 @@ Disable automatic address creation
 --------------------------------------------------------
 If you need to stop address creation, e.g. because some script is wildly
-creating addresses, login with ssh to the deployment machine and run:
+creating addresses, login with ssh to the relay and run:
 ::
@@ -237,25 +242,3 @@ The deploy will verify that both files exist on the server.
   If you use such a setup, you must trigger the reload explicitly after renewal::
      systemctl start tls-cert-reload.service
 Migrating to a new build machine
 ----------------------------------
 To move or add a build machine,
 clone the relay repository on the new build machine, and copy the ``chatmail.ini`` file from the old build machine.
 Make sure ``rsync`` is installed, then initialize the environment:
 ::
   ./scripts/initenv.sh
 Run safety checks before a new deployment:
 ::
   ./scripts/cmdeploy dns
   ./scripts/cmdeploy status
 If you keep multiple build machines (ie laptop and desktop), keep ``chatmail.ini`` in sync between
 them.
--- a/doc/source/iponly.rst
+++ b/doc/source/iponly.rst
@@ -24,6 +24,17 @@ Drawbacks
  the chatmail core's end-to-end encryption should suffice in most scenarios though.
 - your messages will not be DKIM-signed;
-  experimentally, most chatmail relays accept non-DKIM-signed messages from IPv4-only relays,
+  experimentally, most chatmail relays accept non-DKIM-signed messages from IP-only relays,
  but some relays might not accept messages from yours.
 Email addresses
 ---------------
 When running without a domain,
 your chatmail addresses will use the IPv4 address
 in brackets as the domain part,
 for example ``user@[13.12.23.42]``.
 This is a valid email address format
 according to :rfc:`5321`.
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -265,7 +265,8 @@ from the chatmail relay server.
 Email domain authentication (DKIM)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
+Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails
 (except for :ref:`IP-only relays <iponly>`).
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
Author	SHA1	Message	Date
missytake	c9c1f226b4	docs: webdev needs to be exposed via nginx if run on the relay	2026-05-12 22:45:28 +02:00
missytake	85eddb671e	docs: use ssh_host = localhost in getting started docs remove mentions of the build machine / deployment server separation	2026-05-12 22:45:28 +02:00
missytake	cf215f971d	docs: cmdeploy dns + test are kind of necessary	2026-05-12 22:45:28 +02:00
missytake	ab3b9d156a	cmdeploy: add ssh_host chatmail.ini option to deploy remotely	2026-05-12 22:45:28 +02:00
missytake	ed664cd9cd	feat(config): load default values from Config(), not chatmail.ini.f (#853 ) * config: comment out values in chatmail.ini.f, so defaults take precedence * config: remove testrun-specific overrides * config: remove filtermail ports from default ini	2026-05-12 22:44:06 +02:00
holger krekel	26a13fbc26	feat: DKIM-sign bounce messages (mainly "user does not exist") This was originally based on Jagoda's https://github.com/chatmail/relay/pull/874 but then the postfix config was simplified, and it comes with a simpler and more robust test.	2026-05-12 14:19:11 +02:00
missytake	d054fbb5aa	docs: document how to upgrade to new version (#965 ) Co-authored-by: Jagoda Estera Ślązak <128227338+j-g00da@users.noreply.github.com>	2026-05-12 14:13:28 +02:00
j4n	def08c52f4	feat(doc/docker): Introduce docker images in documentation	2026-05-12 13:45:21 +02:00
Jagoda Estera Ślązak	32cfa9c76c	chore(deps): Upgrade filtermail to v0.6.6 (#967 ) ## 0.6.6 - 2026-05-12 ### Bug Fixes - Return HTTP 200 because madmail expects it, and make sure https is immediately retried when SMTP fails ### Features - Improved SMTP error responses ### Miscellaneous Tasks - Remove mac and windows from matrix tests - Run cmlxc tests in all classic/classic-ipv4/madmail combinations Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-05-12 13:24:23 +02:00
Jagoda Estera Ślązak	c0b207c320	chore(deps): Upgrade filtermail to v0.6.5 (#966 )	2026-05-12 10:37:28 +02:00
holger krekel	4ebde2825d	feat: support setup without domain, with only an IPv4 address (#963 ) * dovecot: enable login names with square brackets * config: make IPv4-only relays use self-signed TLS certs * postfix: make delivery for IP-only relays work * cmdeploy: skip DNS checks for IPv4 only relays * www: generate dclogin codes for IPv4-only relays * opendkim: disable DKIM signing on ipv4-only relays * get delivery working * get tests working on IPv4 only machine * doc: document IPv4-only relays * dns: warn if mail_domain is an IP, instead of checking DNS * config: validate domains when formatting them * ci: add cmlxc testing for no-DNS relays * ci: run no-dns and normal CI in parallel * retain "config.mail_domain" as the domain part of @ email addresses, so for ipv4 relays "[1.2.3.4]" and introduce config.ipv4_relay and config.mail_domain_bare helpers. * ci: migrate from --no-dns to --type ipv4 for cmlxc compatibility * cleanup dead code, fix docs, fixate cmlxc version --------- Co-authored-by: missytake <missytake@systemli.org>	2026-05-11 21:52:33 +02:00
holger krekel	6a7e6ce9e7	feat: expose metadata "maxsmtprecipients" value also add metadata tests and make metadata lookup method more readable by using structural match/case syntax	2026-05-11 20:08:38 +02:00
holger krekel	8db668c037	fix(logging): log all http requests to syslog	2026-05-10 23:32:42 +02:00
holger krekel	45fafa10a9	fix: legacy token metadata storage used list type, but if no new setmetadata happened, the user would not be notified at all.	2026-05-08 21:39:40 +02:00
missytake	ee435a7ef7	fix(dns): query correct NS if MNAME server is hidden (#954 ) replaces #870 fix #851 * fix(dns): address possible IndexError * fix(dns): remove redundant docstring * fix(dns): don't make NS explicit if None * bump cmlxc to 0.13.5 which fixes a powerdns config issue * remove the unneccessary SOA mocks, simplify mock tests, and run ruff format Co-authored-by: holger krekel <holger@merlinux.eu>	2026-05-08 19:34:42 +02:00
missytake	8fafd4e79f	fix(nginx): properly redirect www to mail_domain	2026-05-07 23:00:02 +02:00
punkero-org	129b8a20bc	fix(cmdeploy): stop and disable unbound-resolvconf Commit `825831e` purges resolvconf, however the unbound service activates a 'wants' unit for async resolvconf updates. This results in errors in systemd startup as the unit will now always fail. Stop and disable the unbound-resolvconf unit activation	2026-05-07 13:40:19 +02:00
holger krekel	a1f64ebd96	refactor: introduce automated change-tracking across deployers	2026-05-06 20:02:13 +02:00
j4n	fb64be97b5	fix(mtail): correct boot ordering and deploy restart logic Correct the systemd unit modifications in 98bc1503 that lead to startup failures in some instances. Switch to After+Wants = network-online.target and add RestartSec=2s to give late-binding more interfaces time to appear. In the deployer, capture the files.template() return value and appropriately set need_restart and daemon_reload.	2026-05-06 14:04:32 +02:00