Revert "expanding ~ doesn't work with -i"

This reverts commit 4c62714fbb.

.github/workflows/test-and-deploy.yaml

@@ -1,4 +1,4 @@
-name: deploy on staging2.testrun.org, and run tests
+name: deploy on allocated VPS and run tests
 
 on:
   push:
@@ -12,86 +12,27 @@ on:
       - 'LICENSE'
 
 jobs:
-  deploy:
-    name: deploy on staging2.testrun.org, and run tests
+  deploy-and-test:
+    name: deploy on allocated VPS, and run tests
     runs-on: ubuntu-latest
-    timeout-minutes: 30
-    environment:
-      name: staging2.testrun.org
-      url: https://staging2.testrun.org/
-    concurrency: staging2.testrun.org
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@v4
+        with:
+          repository: chatmail/hetzner-relay
+          path: hetzner-relay
+
+      - uses: actions/checkout@v4
+        with:
+          path: relay
 
       - name: prepare SSH
         run: |
           mkdir ~/.ssh
-          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts
-          # save previous acme & dkim state
-          rsync -avz root@staging2.testrun.org:/var/lib/acme . || true
-          rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true
-          # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
-          if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi
-          if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
-          # make sure CAA record isn't set
-          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
-          ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone
-          ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone
-          ssh root@ns.testrun.org systemctl reload nsd
+          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/staging.testrun.org
+          chmod 600 ~/.ssh/staging.testrun.org
 
-      - name: rebuild staging2.testrun.org to have a clean VPS
-        run: |
-            curl -X POST \
-            -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            -d '{"image":"debian-12"}' \
-            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
+      - run: pip install hetzner-relay/
 
-      - run: scripts/initenv.sh
-
-      - name: append venv/bin to PATH
-        run: echo venv/bin >>$GITHUB_PATH
-
-      - name: upload TLS cert after rebuilding
-        run: |
-          echo " --- wait until staging2.testrun.org VPS is rebuilt --- "
-          rm ~/.ssh/known_hosts
-          while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u ; do sleep 1 ; done
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u
-          # download acme & dkim state from ns.testrun.org
-          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme acme-restore || true
-          rsync -avz root@ns.testrun.org:/tmp/dkimkeys dkimkeys-restore || true
-          # restore acme & dkim state to staging2.testrun.org
-          rsync -avz acme-restore/acme root@staging2.testrun.org:/var/lib/ || true
-          rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true
-
-      - name: add hpk42 key to staging server
-        run: ssh root@staging2.testrun.org 'curl -s https://github.com/hpk42.keys >> .ssh/authorized_keys'
-
-      - name: run deploy-chatmail offline tests 
-        run: pytest --pyargs cmdeploy 
-
-      - run: |
-          cmdeploy init staging2.testrun.org
-          sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
-
-      - run: cmdeploy run --verbose --skip-dns-check
-
-      - name: set DNS entries
-        run: |
-          cmdeploy dns --zonefile staging-generated.zone --verbose
-          cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
-          cat .github/workflows/staging.testrun.org-default.zone
-          scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
-          ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone
-          ssh root@ns.testrun.org systemctl reload nsd
-
-      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow
-
-      - name: cmdeploy dns
-        run: cmdeploy dns -v
+      - run: python3 hetzner-relay/main.py -i ~/.ssh/staging.testrun.org --dns --test --rebuild --run-id $GITHUB_RUN_ID --domain2 ci-chatmail.testrun.org --hetzner-api-token ${{ secrets.HETZNER_API_TOKEN }} relay/
 

chatmaild/src/chatmaild/config.py

@@ -1,4 +1,3 @@
-import ipaddress
 import os
 from pathlib import Path
 
@@ -21,10 +20,7 @@ def read_config(inipath):
 class Config:
     def __init__(self, inipath, params):
         self._inipath = inipath
-        if is_valid_ipv4(params["mail_domain"]):
-            self.mail_domain = f"[{params.get('mail_domain')}]"
-        else:
-            self.mail_domain = params["mail_domain"]
+        self.mail_domain = params["mail_domain"]
         self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
         self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
         self.max_mailbox_size = params["max_mailbox_size"]
@@ -80,7 +76,7 @@ class Config:
                 )
             self.tls_cert_mode = "external"
             self.tls_cert_path, self.tls_key_path = parts
-        elif self.mail_domain.startswith("_") or is_valid_ipv4(params["mail_domain"]):
+        elif self.mail_domain.startswith("_"):
             self.tls_cert_mode = "self"
             self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
             self.tls_key_path = "/etc/ssl/private/mailserver.key"
@@ -161,12 +157,3 @@ def get_default_config_content(mail_domain, **overrides):
                 lines.append(line)
         content = "\n".join(lines)
     return content
-
-
-def is_valid_ipv4(address: str) -> bool:
-    """Check if a mail_domain is an IPv4 address."""
-    try:
-        ipaddress.IPv4Address(address)
-        return True
-    except ValueError:
-        return False

chatmaild/src/chatmaild/newemail.py

@@ -7,7 +7,7 @@ import secrets
 import string
 from urllib.parse import quote
 
-from chatmaild.config import Config, is_valid_ipv4, read_config
+from chatmaild.config import Config, read_config
 
 CONFIG_PATH = "/usr/local/lib/chatmaild/chatmail.ini"
 ALPHANUMERIC = string.ascii_lowercase + string.digits
@@ -31,15 +31,7 @@ def create_dclogin_url(email, password):
     Uses ic=3 (AcceptInvalidCertificates) so chatmail clients
     can connect to servers with self-signed TLS certificates.
     """
-    domain = email.split("@")[-1]
-    domain_without_brackets = domain.strip("[").strip("]")
-    if is_valid_ipv4(domain_without_brackets):
-        imap_host = "&ih=" + domain_without_brackets
-        smtp_host = "&sh=" + domain_without_brackets
-    else:
-        imap_host = ""
-        smtp_host = ""
-    return f"dclogin:{quote(email, safe='@[]')}?p={quote(password, safe='')}&v=1{imap_host}{smtp_host}&ic=3"
+    return f"dclogin:{quote(email, safe='@')}?p={quote(password, safe='')}&v=1&ic=3"
 
 
 def print_new_account():

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -13,7 +13,7 @@ import sys
 from pathlib import Path
 
 import pyinfra
-from chatmaild.config import read_config, write_initial_config, is_valid_ipv4
+from chatmaild.config import read_config, write_initial_config
 from packaging import version
 from termcolor import colored
 
@@ -87,11 +87,11 @@ def run_cmd_options(parser):
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain.strip("[").strip("]")
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
     sshexec = get_sshexec(ssh_host)
     require_iroh = args.config.enable_iroh_relay
     strict_tls = args.config.tls_cert_mode == "acme"
-    if not args.dns_check_disabled and not is_valid_ipv4(args.config.mail_domain.strip("[").strip("]")):
+    if not args.dns_check_disabled:
         remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
         if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
             return 1
@@ -101,7 +101,7 @@ def run_cmd(args, out):
     env["CHATMAIL_WEBSITE_ONLY"] = "True" if args.website_only else ""
     env["CHATMAIL_DISABLE_MAIL"] = "True" if args.disable_mail else ""
     env["CHATMAIL_REQUIRE_IROH"] = "True" if require_iroh else ""
-    if not args.dns_check_disabled and not is_valid_ipv4(args.config.mail_domain.strip("[").strip("]")):
+    if not args.dns_check_disabled:
         env["CHATMAIL_ADDR_V4"] = remote_data.get("A") or ""
         env["CHATMAIL_ADDR_V6"] = remote_data.get("AAAA") or ""
     deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -7,7 +7,6 @@ listen = 0.0.0.0
 protocols = imap lmtp
 
 auth_mechanisms = plain
-auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@[]
 
 {% if debug == true %}
 auth_verbose = yes

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -54,15 +54,14 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 tls_preempt_cipherlist = yes
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 
 # Postfix does not deliver mail for any domain by itself.
 # Primary domain is listed in `virtual_mailbox_domains` instead
 # and handed over to Dovecot.
-mydestination = {{ config.mail_domain }}
-local_transport = lmtp:unix:private/dovecot-lmtp
-local_recipient_maps =
+mydestination =
 
 relayhost = 
 {% if disable_ipv6 %}
@@ -89,6 +88,8 @@ inet_protocols = ipv4
 inet_protocols = all
 {% endif %}
 
+virtual_transport = lmtp:unix:private/dovecot-lmtp
+virtual_mailbox_domains = {{ config.mail_domain }}
 lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 
 mua_client_restrictions = permit_sasl_authenticated, reject

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -80,9 +80,7 @@ filter    unix -        n       n       -       -       lmtp
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject
   -o milter_macro_daemon_name=ORIGINATING
-{% if "[" not in config.mail_domain %}
   -o smtpd_milters=unix:opendkim/opendkim.sock
-{% endif %}
   -o cleanup_service_name=authclean
 
 # Local SMTP server for reinjecting incoming filtered mail 

cmdeploy/src/cmdeploy/tests/online/test_0_login.py

@@ -8,11 +8,11 @@ from chatmaild.config import read_config
 from cmdeploy.cmdeploy import main
 
 
-def test_init(tmp_path, maildomain_sanitized):
+def test_init(tmp_path, maildomain):
     inipath = tmp_path.joinpath("chatmail.ini")
-    main(["init", "--config", str(inipath), maildomain_sanitized])
+    main(["init", "--config", str(inipath), maildomain])
     config = read_config(inipath)
-    assert config.mail_domain.strip("[").strip("]") == maildomain_sanitized
+    assert config.mail_domain == maildomain
 
 
 def test_capabilities(imap):
@@ -92,7 +92,7 @@ def test_concurrent_logins_same_account(
 def test_no_vrfy(chatmail_config):
     domain = chatmail_config.mail_domain
 
-    s = smtplib.SMTP(domain.strip("[").strip("]"))
+    s = smtplib.SMTP(domain)
     s.starttls()
 
     s.putcmd("vrfy", f"wrongaddress@{chatmail_config.mail_domain}")

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -10,31 +10,31 @@ def test_gen_qr_png_data(maildomain):
 
 
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
-def test_fastcgi_working(maildomain_sanitized, chatmail_config):
-    url = f"https://{maildomain_sanitized}/new"
+def test_fastcgi_working(maildomain, chatmail_config):
+    url = f"https://{maildomain}/new"
     print(url)
     verify = chatmail_config.tls_cert_mode == "acme"
     res = requests.post(url, verify=verify)
-    assert maildomain_sanitized in res.json().get("email")
+    assert maildomain in res.json().get("email")
     assert len(res.json().get("password")) > chatmail_config.password_min_length
 
 
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
-def test_newemail_configure(maildomain_sanitized, rpc, chatmail_config):
+def test_newemail_configure(maildomain, rpc, chatmail_config):
     """Test configuring accounts by scanning a QR code works."""
-    url = f"DCACCOUNT:https://{maildomain_sanitized}/new"
+    url = f"DCACCOUNT:https://{maildomain}/new"
     for i in range(3):
         account_id = rpc.add_account()
         if chatmail_config.tls_cert_mode == "self":
             # deltachat core's rustls rejects self-signed HTTPS certs during
             # set_config_from_qr, so fetch credentials via requests instead
-            res = requests.post(f"https://{maildomain_sanitized}/new", verify=False)
+            res = requests.post(f"https://{maildomain}/new", verify=False)
             data = res.json()
             rpc.add_or_update_transport(account_id, {
                 "addr": data["email"],
                 "password": data["password"],
-                "imapServer": maildomain_sanitized,
-                "smtpServer": maildomain_sanitized,
+                "imapServer": maildomain,
+                "smtpServer": maildomain,
                 "certificateChecks": "acceptInvalidCertificates",
             })
         else:

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -21,8 +21,6 @@ class TestSSHExecutor:
         assert out == out2
 
     def test_perform_initial(self, sshexec, maildomain):
-        if "[" in maildomain:
-            pytest.skip("Relay doesn't have a domain")
         res = sshexec(
             remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
         )
@@ -133,7 +131,7 @@ def test_authenticated_from(cmsetup, maildata):
 
 @pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"])
 def test_reject_missing_dkim(cmsetup, maildata, from_addr):
-    domain = cmsetup.maildomain.strip("[").strip("]")
+    domain = cmsetup.maildomain
     sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
     sock.settimeout(10)
     try:
@@ -145,7 +143,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
     msg = maildata(
         "encrypted.eml", from_addr=from_addr, to_addr=recipient.addr
     ).as_string()
-    conn = smtplib.SMTP(cmsetup.maildomain.strip("[").strip("]"), 25, timeout=10)
+    conn = smtplib.SMTP(cmsetup.maildomain, 25, timeout=10)
     conn.starttls()
 
     with conn as s:

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -15,7 +15,7 @@ def imap_mailbox(cmfactory, ssl_context):
     (ac1,) = cmfactory.get_online_accounts(1)
     user = ac1.get_config("addr")
     password = ac1.get_config("mail_pw")
-    host = user.split("@")[1].strip("[").strip("]")
+    host = user.split("@")[1]
     mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
     mailbox.login(user, password)
     mailbox.dc_ac = ac1
@@ -178,7 +178,7 @@ def test_hide_senders_ip_address(cmfactory, ssl_context):
     chat.send_text("testing submission header cleanup")
     user2.wait_for_incoming_msg()
     addr = user2.get_config("addr")
-    host = addr.split("@")[1].strip("[").strip("]")
+    host = addr.split("@")[1]
     pw = user2.get_config("mail_pw")
     mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
     mailbox.login(addr, pw)

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -61,13 +61,8 @@ def maildomain(chatmail_config):
 
 
 @pytest.fixture(scope="session")
-def maildomain_sanitized(maildomain):
-    return maildomain.strip("[").strip("]")
-
-
-@pytest.fixture(scope="session")
-def sshdomain(maildomain_sanitized):
-    return os.environ.get("CHATMAIL_SSH", maildomain_sanitized)
+def sshdomain(maildomain):
+    return os.environ.get("CHATMAIL_SSH", maildomain)
 
 
 @pytest.fixture
@@ -80,7 +75,7 @@ def maildomain2():
 
 @pytest.fixture
 def sshdomain2(maildomain2):
-    return os.environ.get("CHATMAIL_SSH2", maildomain2.strip("[").strip("]"))
+    return os.environ.get("CHATMAIL_SSH2", maildomain2)
 
 
 def pytest_report_header():
@@ -181,14 +176,14 @@ def ssl_context(chatmail_config):
 
 
 @pytest.fixture
-def imap(maildomain_sanitized, ssl_context):
-    return ImapConn(maildomain_sanitized, ssl_context=ssl_context)
+def imap(maildomain, ssl_context):
+    return ImapConn(maildomain, ssl_context=ssl_context)
 
 
 @pytest.fixture
-def make_imap_connection(maildomain_sanitized, ssl_context):
+def make_imap_connection(maildomain, ssl_context):
     def make_imap_connection():
-        conn = ImapConn(maildomain_sanitized, ssl_context=ssl_context)
+        conn = ImapConn(maildomain, ssl_context=ssl_context)
         conn.connect()
         return conn
 
@@ -232,14 +227,14 @@ class ImapConn:
 
 
 @pytest.fixture
-def smtp(maildomain_sanitized, ssl_context):
-    return SmtpConn(maildomain_sanitized, ssl_context=ssl_context)
+def smtp(maildomain, ssl_context):
+    return SmtpConn(maildomain, ssl_context=ssl_context)
 
 
 @pytest.fixture
-def make_smtp_connection(maildomain_sanitized, ssl_context):
+def make_smtp_connection(maildomain, ssl_context):
     def make_smtp_connection():
-        conn = SmtpConn(maildomain_sanitized, ssl_context=ssl_context)
+        conn = SmtpConn(maildomain, ssl_context=ssl_context)
         conn.connect()
         return conn
 
@@ -326,8 +321,8 @@ class ChatmailACFactory:
             "password": password,
             # Setting server explicitly skips requesting autoconfig XML,
             # see https://datatracker.ietf.org/doc/draft-ietf-mailmaint-autoconfig/
-            "imapServer": domain.strip("[").strip("]"),
-            "smtpServer": domain.strip("[").strip("]"),
+            "imapServer": domain,
+            "smtpServer": domain,
         }
         if self.chatmail_config.tls_cert_mode == "self":
             transport["certificateChecks"] = "acceptInvalidCertificates"
@@ -459,7 +454,7 @@ class CMSetup:
 
 class CMUser:
     def __init__(self, maildomain, addr, password, ssl_context=None):
-        self.maildomain = maildomain.strip("[").strip("]")
+        self.maildomain = maildomain
         self.addr = addr
         self.password = password
         self.ssl_context = ssl_context