test: add error-path tests for all bug fixes

- test_doveauth: invalid localpart chars rejected, concurrent same-account creation - test_expire: --mdir filtering uses msg.path correctly - test_metadata: TURN exception returns N\n, success returns credentials - test_turnserver: socket timeout, connection refused, happy path - test_dns: get_dkim_entry returns (None, None) on CalledProcessError - test_rshell: dovecot_recalc_quota handles empty/malformed output
fix: handle turn_credentials exceptions in metadata proxy
2026-05-11 00:14:36 +00:00 · 2026-02-07 21:45:22 +03:00 · 2026-02-07 16:51:30 +03:00 · 2026-02-07 16:51:19 +03:00 · 2026-02-07 16:51:01 +03:00 · 2026-02-07 16:50:43 +03:00
41 changed files with 669 additions and 259 deletions
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -80,7 +80,7 @@ jobs:

      - name: set DNS entries
        run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
          cmdeploy dns --zonefile staging-generated.zone
          cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
          cat .github/workflows/staging-ipv4.testrun.org-default.zone
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -82,7 +82,7 @@ jobs:

      - name: set DNS entries
        run: |
-          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
          cmdeploy dns --zonefile staging-generated.zone --verbose
          cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
          cat .github/workflows/staging.testrun.org-default.zone
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -1,8 +1,11 @@
 import json
 import logging
 import os
+import re
 import sys

+import filelock
+
 try:
    import crypt_r
 except ImportError:
@@ -13,6 +16,7 @@ from .dictproxy import DictProxy
 from .migrate_db import migrate_from_db_to_maildir

 NOCREATE_FILE = "/etc/chatmail-nocreate"
+VALID_LOCALPART_RE = re.compile(r"^[a-z0-9._-]+$")


 def encrypt_password(password: str):
@@ -52,6 +56,10 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
        )
        return False

+    if not VALID_LOCALPART_RE.match(localpart):
+        logging.warning("localpart %r contains invalid characters", localpart)
+        return False
+
    return True


@@ -140,8 +148,13 @@ class AuthDictProxy(DictProxy):
        if not is_allowed_to_create(self.config, addr, cleartext_password):
            return

-        user.set_password(encrypt_password(cleartext_password))
-        print(f"Created address: {addr}", file=sys.stderr)
+        lock = filelock.FileLock(str(user.password_path) + ".lock", timeout=5)
+        with lock:
+            userdata = user.get_userdb_dict()
+            if userdata:
+                return userdata
+            user.set_password(encrypt_password(cleartext_password))
+            print(f"Created address: {addr}", file=sys.stderr)
        return user.get_userdb_dict()


--- a/chatmaild/src/chatmaild/fsreport.py
+++ b/chatmaild/src/chatmaild/fsreport.py
@@ -68,7 +68,7 @@ class Report:
            for size in self.message_buckets:
                for msg in mailbox.messages:
                    if msg.size >= size:
-                        if self.mdir and not msg.relpath.startswith(self.mdir):
+                        if self.mdir and f"/{self.mdir}/" not in msg.path:
                            continue
                        self.message_buckets[size] += msg.size

--- a/chatmaild/src/chatmaild/metadata.py
+++ b/chatmaild/src/chatmaild/metadata.py
@@ -101,7 +101,11 @@ class MetadataDictProxy(DictProxy):
                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
                return f"O{self.iroh_relay}\n"
            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
-                res = turn_credentials()
+                try:
+                    res = turn_credentials()
+                except Exception:
+                    logging.exception("failed to get TURN credentials")
+                    return "N\n"
                port = 3478
                return f"O{self.turn_hostname}:{port}:{res}\n"

--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -3,7 +3,6 @@
 """CGI script for creating new accounts."""

 import json
-import random
 import secrets
 import string

@@ -15,7 +14,9 @@ ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation


 def create_newemail_dict(config: Config):
-    user = "".join(random.choices(ALPHANUMERIC, k=config.username_max_length))
+    user = "".join(
+        secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
+    )
    password = "".join(
        secrets.choice(ALPHANUMERIC_PUNCT)
        for _ in range(config.password_min_length + 3)
--- a/chatmaild/src/chatmaild/tests/test_doveauth.py
+++ b/chatmaild/src/chatmaild/tests/test_doveauth.py
@@ -120,6 +120,60 @@ def test_handle_dovecot_protocol_iterate(gencreds, example_config):
    assert not lines[2]


+def test_invalid_localpart_characters(make_config):
+    """Test that is_allowed_to_create rejects localparts with invalid characters."""
+    config = make_config("chat.example.org", {"username_min_length": "3"})
+    password = "zequ0Aimuchoodaechik"
+    domain = config.mail_domain
+
+    # valid localparts
+    assert is_allowed_to_create(config, f"abc123@{domain}", password)
+    assert is_allowed_to_create(config, f"a.b-c_d@{domain}", password)
+
+    # uppercase rejected
+    assert not is_allowed_to_create(config, f"Abc123@{domain}", password)
+    assert not is_allowed_to_create(config, f"ABCDEFG@{domain}", password)
+
+    # spaces and special chars rejected
+    assert not is_allowed_to_create(config, f"a b cde@{domain}", password)
+    assert not is_allowed_to_create(config, f"abc+def@{domain}", password)
+    assert not is_allowed_to_create(config, f"abc!def@{domain}", password)
+    assert not is_allowed_to_create(config, f"ab@cdef@{domain}", password)
+    assert not is_allowed_to_create(config, f"abc/def@{domain}", password)
+    assert not is_allowed_to_create(config, f"abc\\def@{domain}", password)
+
+
+def test_concurrent_creation_same_account(dictproxy):
+    """Test that concurrent creation of the same account doesn't corrupt password."""
+    addr = "racetest1@chat.example.org"
+    password = "zequ0Aimuchoodaechik"
+    num_threads = 10
+    results = queue.Queue()
+
+    def create():
+        try:
+            res = dictproxy.lookup_passdb(addr, password)
+            results.put(("ok", res))
+        except Exception:
+            results.put(("err", traceback.format_exc()))
+
+    threads = [threading.Thread(target=create, daemon=True) for _ in range(num_threads)]
+    for t in threads:
+        t.start()
+    for t in threads:
+        t.join(timeout=10)
+
+    passwords_seen = set()
+    for _ in range(num_threads):
+        status, res = results.get()
+        if status == "err":
+            pytest.fail(f"concurrent creation failed\n{res}")
+        passwords_seen.add(res["password"])
+
+    # all threads must see the same password hash
+    assert len(passwords_seen) == 1
+
+
 def test_50_concurrent_lookups_different_accounts(gencreds, dictproxy):
    num_threads = 50
    req_per_thread = 5
--- a/chatmaild/src/chatmaild/tests/test_expire.py
+++ b/chatmaild/src/chatmaild/tests/test_expire.py
@@ -112,6 +112,43 @@ def test_report(mbox1, example_config):
    report_main(args)


+def test_report_mdir_filters_by_path(mbox1, example_config):
+    """Test that Report with mdir='cur' only counts messages in cur/ subdirectory."""
+    from chatmaild.fsreport import Report
+
+    now = datetime.utcnow().timestamp()
+
+    # Set password mtime to old enough so min_login_age check passes
+    password = Path(mbox1.basedir).joinpath("password")
+    old_time = now - 86400 * 10  # 10 days ago
+    os.utime(password, (old_time, old_time))
+
+    # Reload mailbox with updated mtime
+    from chatmaild.expire import MailboxStat
+
+    mbox = MailboxStat(mbox1.basedir)
+
+    # Report without mdir — should count all messages
+    rep_all = Report(now=now, min_login_age=1, mdir=None)
+    rep_all.process_mailbox_stat(mbox)
+    total_all = rep_all.message_buckets[0]
+
+    # Report with mdir='cur' — should only count cur/ messages
+    rep_cur = Report(now=now, min_login_age=1, mdir="cur")
+    rep_cur.process_mailbox_stat(mbox)
+    total_cur = rep_cur.message_buckets[0]
+
+    # Report with mdir='new' — should only count new/ messages
+    rep_new = Report(now=now, min_login_age=1, mdir="new")
+    rep_new.process_mailbox_stat(mbox)
+    total_new = rep_new.message_buckets[0]
+
+    # cur has 500-byte msg, new has 600-byte msg (from fill_mbox)
+    assert total_cur == 500
+    assert total_new == 600
+    assert total_all == 500 + 600
+
+
 def test_expiry_cli_basic(example_config, mbox1):
    args = (str(example_config._inipath),)
    expiry_main(args)
--- a/chatmaild/src/chatmaild/tests/test_metadata.py
+++ b/chatmaild/src/chatmaild/tests/test_metadata.py
@@ -314,6 +314,51 @@ def test_persistent_queue_items(tmp_path, testaddr, token):
    assert not queue_item < item2 and not item2 < queue_item


+def test_turn_credentials_exception_returns_N(notifier, metadata, monkeypatch):
+    """Test that turn_credentials() failure returns N\\n instead of crashing."""
+    import chatmaild.metadata
+
+    dictproxy = MetadataDictProxy(
+        notifier=notifier,
+        metadata=metadata,
+        turn_hostname="turn.example.org",
+    )
+
+    def mock_turn_credentials():
+        raise ConnectionRefusedError("socket not available")
+
+    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", mock_turn_credentials)
+
+    transactions = {}
+    res = dictproxy.handle_dovecot_request(
+        "Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
+        "\tuser@example.org",
+        transactions,
+    )
+    assert res == "N\n"
+
+
+def test_turn_credentials_success(notifier, metadata, monkeypatch):
+    """Test that valid turn_credentials() returns TURN URI."""
+    import chatmaild.metadata
+
+    dictproxy = MetadataDictProxy(
+        notifier=notifier,
+        metadata=metadata,
+        turn_hostname="turn.example.org",
+    )
+
+    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", lambda: "user:pass")
+
+    transactions = {}
+    res = dictproxy.handle_dovecot_request(
+        "Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
+        "\tuser@example.org",
+        transactions,
+    )
+    assert res == "Oturn.example.org:3478:user:pass\n"
+
+
 def test_iroh_relay(dictproxy):
    rfile = io.BytesIO(
        b"\n".join(
--- a/chatmaild/src/chatmaild/tests/test_turnserver.py
+++ b/chatmaild/src/chatmaild/tests/test_turnserver.py
@@ -0,0 +1,73 @@
+import socket
+import threading
+import time
+from unittest.mock import patch
+
+import pytest
+
+from chatmaild.turnserver import turn_credentials
+
+SOCKET_PATH = "/run/chatmail-turn/turn.socket"
+
+
+@pytest.fixture
+def turn_socket(tmp_path):
+    """Create a real Unix socket server at a temp path."""
+    sock_path = str(tmp_path / "turn.socket")
+    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+    server.bind(sock_path)
+    server.listen(1)
+    yield sock_path, server
+    server.close()
+
+
+def _call_turn_credentials(sock_path):
+    """Call turn_credentials but connect to sock_path instead of hardcoded path."""
+    original_connect = socket.socket.connect
+
+    def patched_connect(self, address):
+        if address == SOCKET_PATH:
+            address = sock_path
+        return original_connect(self, address)
+
+    with patch.object(socket.socket, "connect", patched_connect):
+        return turn_credentials()
+
+
+def test_turn_credentials_timeout(turn_socket):
+    """Server accepts but never responds — must raise socket.timeout."""
+    sock_path, server = turn_socket
+
+    def accept_and_hang():
+        conn, _ = server.accept()
+        time.sleep(30)
+        conn.close()
+
+    t = threading.Thread(target=accept_and_hang, daemon=True)
+    t.start()
+
+    with pytest.raises(socket.timeout):
+        _call_turn_credentials(sock_path)
+
+
+def test_turn_credentials_connection_refused(tmp_path):
+    """Socket file doesn't exist — must raise ConnectionRefusedError or FileNotFoundError."""
+    missing = str(tmp_path / "nonexistent.socket")
+    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
+        _call_turn_credentials(missing)
+
+
+def test_turn_credentials_success(turn_socket):
+    """Server responds with credentials — must return stripped string."""
+    sock_path, server = turn_socket
+
+    def respond():
+        conn, _ = server.accept()
+        conn.sendall(b"testuser:testpass\n")
+        conn.close()
+
+    t = threading.Thread(target=respond, daemon=True)
+    t.start()
+
+    result = _call_turn_credentials(sock_path)
+    assert result == "testuser:testpass"
--- a/chatmaild/src/chatmaild/turnserver.py
+++ b/chatmaild/src/chatmaild/turnserver.py
@@ -4,6 +4,7 @@ import socket

 def turn_credentials() -> str:
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
+        client_socket.settimeout(5)
        client_socket.connect("/run/chatmail-turn/turn.socket")
        with client_socket.makefile("rb") as file:
            return file.readline().decode("utf-8").strip()
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -67,7 +67,7 @@ class AcmetoolDeployer(Deployer):
        )
        files.template(
            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
+            dest=f"/var/lib/acme/desired/{self.domains[0]}",  # 0 is mailhost TLD
            user="root",
            group="root",
            mode="644",
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -113,24 +113,15 @@ def run_cmd(args, out):
        return 1

    try:
-        retcode = out.check_call(cmd, env=env)
+        out.check_call(cmd, env=env)
        if args.website_only:
-            if retcode == 0:
-                out.green("Website deployment completed.")
-            else:
-                out.red("Website deployment failed.")
-        elif retcode == 0:
-            out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not remote_data["acme_account_url"]:
-            out.red("Deploy completed but letsencrypt not configured")
-            out.red("Run 'cmdeploy run' again")
-            retcode = 0
+            out.green("Website deployment completed.")
        else:
-            out.red("Deploy failed")
+            out.green("Deploy completed, call `cmdeploy dns` next.")
+        return 0
    except subprocess.CalledProcessError:
        out.red("Deploy failed")
-        retcode = 1
-    return retcode
+        return 1


 def dns_cmd_options(parser):
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -25,11 +25,11 @@ from .basedeploy import (
    configure_remote_units,
    get_resource,
 )
-from .dkim_milter.deployer import DkimMilterDeployer
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
+from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .www import build_webpages, find_merge_conflict, get_paths

@@ -141,6 +141,10 @@ def _configure_remote_venv_with_chatmaild(config) -> None:


 class UnboundDeployer(Deployer):
+    def __init__(self, config):
+        self.config = config
+        self.need_restart = False
+
    def install(self):
        # Run local DNS resolver `unbound`.
        # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -177,6 +181,27 @@ class UnboundDeployer(Deployer):
                "unbound-anchor -a /var/lib/unbound/root.key || true",
            ],
        )
+        if self.config.disable_ipv6:
+            files.directory(
+                path="/etc/unbound/unbound.conf.d",
+                present=True,
+                user="root",
+                group="root",
+                mode="755",
+            )
+            conf = files.put(
+                src=get_resource("unbound/unbound.conf.j2"),
+                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
+                user="root",
+                group="root",
+                mode="644",
+            )
+        else:
+            conf = files.file(
+                path="/etc/unbound/unbound.conf.d/chatmail.conf",
+                present=False,
+            )
+        self.need_restart |= conf.changed

    def activate(self):
        server.shell(
@@ -191,6 +216,7 @@ class UnboundDeployer(Deployer):
            service="unbound.service",
            running=True,
            enabled=True,
+            restarted=self.need_restart,
        )


@@ -238,6 +264,9 @@ class WebsiteDeployer(Deployer):
            # if www_folder is a hugo page, build it
            if build_dir:
                www_path = build_webpages(src_dir, build_dir, self.config)
+                if www_path is None:
+                    logger.warning("Web page build failed, skipping website deployment")
+                    return
            # if it is not a hugo page, upload it as is
            files.rsync(
                f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
@@ -527,7 +556,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        files.line(
            name="Add 9.9.9.9 to resolv.conf",
            path="/etc/resolv.conf",
-            line="nameserver 9.9.9.9",
+            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
+            line="\nnameserver 9.9.9.9",
        )

    port_services = [
@@ -565,14 +595,14 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        LegacyRemoveDeployer(),
        FiltermailDeployer(),
        JournaldDeployer(),
-        UnboundDeployer(),
+        UnboundDeployer(config),
        TurnDeployer(mail_domain),
        IrohDeployer(config.enable_iroh_relay),
        AcmetoolDeployer(config.acme_email, tls_domains),
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
-        DkimMilterDeployer(mail_domain),
+        OpendkimDeployer(mail_domain),
        # Dovecot should be started before Postfix
        # because it creates authentication socket
        # required by Postfix.
--- a/cmdeploy/src/cmdeploy/dkim_milter/deployer.py
+++ b/cmdeploy/src/cmdeploy/dkim_milter/deployer.py
@@ -1,169 +0,0 @@
-"""
-Installs DKIM Milter.
-"""
-
-from pyinfra import facts, host
-from pyinfra.facts.files import File, Sha256File
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class DkimMilterDeployer(Deployer):
-    required_users = [("dkim-milter", None, ["dkim-milter"])]
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-        self.need_restart = False
-
-    def install(self):
-        """Builds and installs dkim-milter"""
-
-        # openssl is required to generate the signing key
-        apt.packages(
-            name="Install openssl required by DKIM Milter",
-            packages=["openssl"],
-        )
-
-        (url, sha256sum) = {
-            "x86_64": (
-                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-x86_64",
-                "e676837b362ebef461881079e3e1151ed2db2d942d98b7103974921ac69ce5de",
-            ),
-            "aarch64": (
-                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-aarch64",
-                "b853ab85a535b7e7e548ae0e4d85a61d4c0fd44f2912c3439662c56ca8a369e6",
-            ),
-        }[host.get_fact(facts.server.Arch)]
-
-        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/sbin/dkim-milter")
-        if existing_sha256sum != sha256sum:
-            server.shell(
-                name="Download DKIM Milter",
-                commands=[
-                    f"(curl -L {url} >/usr/local/sbin/dkim-milter.new && (echo '{sha256sum} /usr/local/sbin/dkim-milter.new' | sha256sum -c) && mv /usr/local/sbin/dkim-milter.new /usr/local/sbin/dkim-milter)",
-                    "chmod 755 /usr/local/sbin/dkim-milter",
-                ],
-            )
-            self.need_restart = True
-
-    def configure(self):
-        """Configures dkim-milter"""
-
-        domain = self.mail_domain
-        # note - we are using "opendkim" for backward compatibility
-        # for relays that were set up before we migrated from OpenDKIM
-        # to DKIM Milter.
-        selector = "opendkim"
-        signing_key_name = selector
-        # for backward compatibility with opendkim-genkey
-        signing_key_filename = f"{signing_key_name}.private"
-        config_common = {
-            "domain": domain,
-            "selector": selector,
-            "signing_key_name": signing_key_name,
-            "signing_key_filename": signing_key_filename,
-        }
-        config_verify = {
-            **config_common,
-            "mode": "verify",
-            "config_file": "/etc/dkim-milter/dkim-milter-verify.conf",
-            "socket_name": "dkim-milter-verify.sock",
-        }
-        config_sign = {
-            **config_common,
-            "mode": "sign",
-            "config_file": "/etc/dkim-milter/dkim-milter-sign.conf",
-            "socket_name": "dkim-milter-sign.sock",
-        }
-
-        self.need_restart |= files.directory(
-            name="Create a directory for DKIM Milter configs",
-            path="/etc/dkim-milter",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="750",
-            present=True,
-        ).changed
-
-        for config in [config_verify, config_sign]:
-            self.need_restart |= files.template(
-                src=get_resource("dkim_milter/dkim-milter.conf.j2"),
-                dest=config["config_file"],
-                user="dkim-milter",
-                group="dkim-milter",
-                mode="644",
-                config=config,
-            ).changed
-
-        self.need_restart |= files.directory(
-            name="Create dkimkeys directory",
-            path="/etc/dkimkeys",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="750",
-            present=True,
-        ).changed
-
-        self.need_restart |= files.template(
-            src=get_resource("dkim_milter/signing-keys"),
-            dest="/etc/dkim-milter/signing-keys",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="644",
-            config=config_common,
-        ).changed
-
-        self.need_restart |= files.template(
-            src=get_resource("dkim_milter/signing-senders"),
-            dest="/etc/dkim-milter/signing-senders",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="644",
-            config=config_common,
-        ).changed
-
-        self.need_restart |= files.directory(
-            name="Create DKIM Milter unix sockets directory",
-            path="/var/spool/postfix/dkim-milter",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="770",
-        ).changed
-
-        if not host.get_fact(File, f"/etc/dkimkeys/{signing_key_filename}"):
-            server.shell(
-                name=f"Generate DKIM Milter signing key '{signing_key_name}'",
-                commands=[
-                    f"openssl genpkey -algorithm RSA -out /etc/dkimkeys/{signing_key_filename}"
-                ],
-            )
-            self.need_restart = True
-
-        # enforce restrictive permissions for the signing key
-        self.need_restart |= files.file(
-            path=f"/etc/dkimkeys/{signing_key_filename}",
-            present=True,
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="0400",
-        ).changed
-
-        self.need_restart |= files.put(
-            name="Create dkim-milter service",
-            src=get_resource("dkim_milter/dkim-milter@.service"),
-            dest=f"/etc/systemd/system/dkim-milter@.service",
-        ).changed
-
-    def activate(self):
-        """Start and enable DKIM Milter"""
-        for mode in ["sign", "verify"]:
-            systemd.service(
-                name=f"Start and enable DKIM Milter in {mode} mode",
-                service=f"dkim-milter@{mode}",
-                running=True,
-                enabled=True,
-                daemon_reload=self.need_restart,
-                restarted=self.need_restart,
-            )
-            self.need_restart = False
--- a/cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.conf.j2
+++ b/cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.conf.j2
@@ -1,30 +0,0 @@
-mode = {{ config.mode }}
-
-{% if config.mode == "verify" %}
-# DKIM milter will skip verification for trusted sources,
-# which in our case is everything, since we run DKIM milter on a reinjection port,
-# and all connections are local.
-# We force verification for local connections by not trusting anyone.
-trusted_networks =
-{% endif %}
-
-log_destination = syslog
-log_level = info
-
-canonicalization = relaxed/simple
-
-lookup_timeout = 60s
-
-signing_keys = /etc/dkim-milter/signing-keys
-signing_senders = /etc/dkim-milter/signing-senders
-
-# Signing
-sign_headers = default; autocrypt:content-type
-oversign_headers = signed-extended
-
-# Verification
-required_signed_headers = From*
-forbid_unsigned_content = yes
-reject_failures = missing, no-pass, author-mismatch
-
-socket = unix:/var/spool/postfix/dkim-milter/{{ config.socket_name }}
--- a/cmdeploy/src/cmdeploy/dkim_milter/dkim-milter@.service
+++ b/cmdeploy/src/cmdeploy/dkim_milter/dkim-milter@.service
@@ -1,15 +0,0 @@
-[Unit]
-Description=DKIM Milter %i
-Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
-After=network-online.target nss-lookup.target
-Wants=network-online.target
-
-[Service]
-User=dkim-milter
-UMask=007
-ExecStart=/usr/local/sbin/dkim-milter -c /etc/dkim-milter/dkim-milter-%i.conf
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/dkim_milter/signing-keys
+++ b/cmdeploy/src/cmdeploy/dkim_milter/signing-keys
@@ -1,2 +0,0 @@
-# Key name                       Signing key
-{{ config.signing_key_name }}    </etc/dkimkeys/{{ config.signing_key_filename }}
--- a/cmdeploy/src/cmdeploy/dkim_milter/signing-senders
+++ b/cmdeploy/src/cmdeploy/dkim_milter/signing-senders
@@ -1,2 +0,0 @@
-# Sender expression    Domain                 Selector                 Key name
-.{{ config.domain }}   {{ config.domain }}    {{ config.selector }}    {{ config.signing_key_name }}
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -37,7 +37,9 @@ class DovecotDeployer(Deployer):
        restart = False if self.disable_mail else self.need_restart

        systemd.service(
-            name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
+            name="Disable dovecot for now"
+            if self.disable_mail
+            else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,7 +1,7 @@
 ## Dovecot configuration file

 {% if disable_ipv6 %}
-listen = *
+listen = 0.0.0.0
 {% endif %}

 protocols = imap lmtp
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -51,7 +51,7 @@ http {
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
 	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
 	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
--- a/cmdeploy/src/cmdeploy/opendkim/KeyTable
+++ b/cmdeploy/src/cmdeploy/opendkim/KeyTable
@@ -0,0 +1 @@
+{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private
--- a/cmdeploy/src/cmdeploy/opendkim/SigningTable
+++ b/cmdeploy/src/cmdeploy/opendkim/SigningTable
@@ -0,0 +1 @@
+*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -0,0 +1,123 @@
+"""
+Installs OpenDKIM
+"""
+
+from pyinfra import host
+from pyinfra.facts.files import File
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class OpendkimDeployer(Deployer):
+    required_users = [("opendkim", None, ["opendkim"])]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+
+    def install(self):
+        apt.packages(
+            name="apt install opendkim opendkim-tools",
+            packages=["opendkim", "opendkim-tools"],
+        )
+
+    def configure(self):
+        domain = self.mail_domain
+        dkim_selector = "opendkim"
+        """Configures OpenDKIM"""
+        need_restart = False
+
+        main_config = files.template(
+            src=get_resource("opendkim/opendkim.conf"),
+            dest="/etc/opendkim.conf",
+            user="root",
+            group="root",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= main_config.changed
+
+        screen_script = files.put(
+            src=get_resource("opendkim/screen.lua"),
+            dest="/etc/opendkim/screen.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= screen_script.changed
+
+        final_script = files.put(
+            src=get_resource("opendkim/final.lua"),
+            dest="/etc/opendkim/final.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= final_script.changed
+
+        files.directory(
+            name="Add opendkim directory to /etc",
+            path="/etc/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        keytable = files.template(
+            src=get_resource("opendkim/KeyTable"),
+            dest="/etc/dkimkeys/KeyTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= keytable.changed
+
+        signing_table = files.template(
+            src=get_resource("opendkim/SigningTable"),
+            dest="/etc/dkimkeys/SigningTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= signing_table.changed
+        files.directory(
+            name="Add opendkim socket directory to /var/spool/postfix",
+            path="/var/spool/postfix/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
+            server.shell(
+                name="Generate OpenDKIM domain keys",
+                commands=[
+                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
+                ],
+                _use_su_login=True,
+                _su_user="opendkim",
+            )
+
+        service_file = files.put(
+            name="Configure opendkim to restart once a day",
+            src=get_resource("opendkim/systemd.conf"),
+            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
+        )
+        need_restart |= service_file.changed
+
+        self.need_restart = need_restart
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable OpenDKIM",
+            service="opendkim.service",
+            running=True,
+            enabled=True,
+            daemon_reload=self.need_restart,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -0,0 +1,42 @@
+mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
+if mtaname == "ORIGINATING" then
+	-- Outgoing message will be signed,
+	-- no need to look for signatures.
+	return nil
+end
+
+nsigs = odkim.get_sigcount(ctx)
+if nsigs == nil then
+	return nil
+end
+
+local valid = false
+local error_msg = "No valid DKIM signature found."
+for i = 1, nsigs do
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sigres = odkim.sig_result(sig)
+
+	-- All signatures that do not correspond to From: 
+	-- were ignored in screen.lua and return sigres -1.
+	-- 
+	-- Any valid signature that was not ignored like this
+	-- means the message is acceptable.
+	if sigres == 0 then
+		valid = true
+    else
+        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
+	end
+end
+
+if valid then
+	-- Strip all DKIM-Signature headers after successful validation
+	-- Delete in reverse order to avoid index shifting.
+	for i = nsigs, 1, -1 do
+		odkim.del_header(ctx, "DKIM-Signature", i)
+	end
+else
+	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
+	odkim.set_result(ctx, SMFIS_REJECT)
+end
+
+return nil
--- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
@@ -0,0 +1,73 @@
+# OpenDKIM configuration.
+
+Syslog			yes
+SyslogSuccess		yes
+#LogWhy			no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization	relaxed/simple
+OversignHeaders		From
+
+On-BadSignature         reject
+On-KeyNotFound          reject
+On-NoSignature          reject
+DNSTimeout          60
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain			{{ config.domain_name }}
+Selector		{{ config.opendkim_selector }}
+KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
+KeyTable          /etc/dkimkeys/KeyTable
+SigningTable      refile:/etc/dkimkeys/SigningTable
+
+# Sign Autocrypt header in addition to the default specified in RFC 6376.
+#
+# Default list is here:
+# <https://github.com/trusteddomainproject/OpenDKIM/blob/5c539587561785a66c1f67f720f2fb741f320785/libopendkim/dkim.c#L221-L245>
+SignHeaders *,+autocrypt,+content-type
+
+# Prevent addition of second Content-Type header
+# and other important headers that should not be added
+# after signing the message.
+# See
+# <https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/>
+# and RFC 6376 (page 41) for reference.
+#
+# We don't use "l=" body length so the problem described in RFC 6376
+# is not applicable, but adding e.g. a second "From" header
+# or second "Autocrypt" header is better prevented in any case.
+#
+# Default is empty.
+OversignHeaders from,reply-to,subject,date,to,cc,resent-date,resent-from,resent-sender,resent-to,resent-cc,in-reply-to,references,list-id,list-help,list-unsubscribe,list-subscribe,list-post,list-owner,list-archive,autocrypt
+
+# Script to ignore signatures that do not correspond to the From: domain.
+ScreenPolicyScript /etc/opendkim/screen.lua
+
+# Script to reject mails without a valid DKIM signature.
+FinalPolicyScript /etc/opendkim/final.lua
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID			opendkim
+UMask			007
+
+Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile			/run/opendkim/opendkim.pid
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile		/usr/share/dns/root.key
+
+# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
+MTA ORIGINATING
+
+# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
+InternalHosts -
--- a/cmdeploy/src/cmdeploy/opendkim/screen.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/screen.lua
@@ -0,0 +1,21 @@
+-- Ignore signatures that do not correspond to the From: domain.
+
+from_domain = odkim.get_fromdomain(ctx)
+if from_domain == nil then
+	return nil
+end
+
+n = odkim.get_sigcount(ctx)
+if n == nil then
+	return nil
+end
+
+for i = 1, n do
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sig_domain = odkim.sig_getdomain(sig)
+	if from_domain ~= sig_domain then
+		odkim.sig_ignore(sig)
+	end
+end
+
+return nil
--- a/cmdeploy/src/cmdeploy/opendkim/systemd.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/systemd.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RuntimeMaxSec=1d
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -4,7 +4,7 @@ from cmdeploy.basedeploy import Deployer, get_resource


 class PostfixDeployer(Deployer):
-    required_users = [("postfix", None, ["dkim-milter"])]
+    required_users = [("postfix", None, ["opendkim"])]
    daemon_reload = False

    def __init__(self, config, disable_mail):
@@ -83,7 +83,9 @@ class PostfixDeployer(Deployer):
            server.shell(
                name="Validate postfix configuration",
                # Extract stderr and quit with error if non-zero
-                commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
+                commands=[
+                    """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
+                ],
            )
        self.need_restart = need_restart

--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -64,7 +64,11 @@ alias_database = hash:/etc/aliases
 mydestination =

 relayhost = 
+{% if disable_ipv6 %}
+mynetworks = 127.0.0.0/8
+{% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+{% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -80,13 +80,13 @@ filter    unix -        n       n       -       -       lmtp
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject
  -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_milters=unix:dkim-milter/dkim-milter-sign.sock
+  -o smtpd_milters=unix:opendkim/opendkim.sock
  -o cleanup_service_name=authclean

 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject_incoming
-  -o smtpd_milters=unix:dkim-milter/dkim-milter-verify.sock
+  -o smtpd_milters=unix:opendkim/opendkim.sock

 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -53,7 +53,7 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
            print=log_progress,
        )
    except CalledProcessError:
-        return
+        return None, None
    dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
    dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
    web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
--- a/cmdeploy/src/cmdeploy/remote/rshell.py
+++ b/cmdeploy/src/cmdeploy/remote/rshell.py
@@ -40,5 +40,5 @@ def dovecot_recalc_quota(user):
    #
    for line in output.split("\n"):
        parts = line.split()
-        if parts[2] == "STORAGE":
+        if len(parts) >= 6 and parts[2] == "STORAGE":
            return dict(value=int(parts[3]), limit=int(parts[4]), percent=int(parts[5]))
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -1,3 +1,4 @@
+import datetime
 import smtplib
 import socket
 import subprocess
@@ -57,6 +58,15 @@ class TestSSHExecutor:
        else:
            pytest.fail("didn't raise exception")

+    def test_opendkim_restarted(self, sshexec):
+        """check that opendkim is not running for longer than a day."""
+        cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
+        out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
+        datestring = out.split("=")[1]
+        since_date = datetime.datetime.strptime(datestring, "%a %Y-%m-%d %H:%M:%S %Z")
+        now = datetime.datetime.now(since_date.tzinfo)
+        assert (now - since_date).total_seconds() < 60 * 60 * 51
+

 def test_timezone_env(remote):
    for line in remote.iter_output("env"):
@@ -136,7 +146,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
    conn.starttls()

    with conn as s:
-        with pytest.raises(smtplib.SMTPDataError, match="No DKIM signature found"):
+        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
            s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)


--- a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
@@ -24,7 +24,7 @@ def test_status_cmd(chatmail_config, capsys, request):
        "filtermail",
        "lastlogin",
        "nginx",
-        "dkim-milter",
+        "opendkim",
        "postfix@-",
        "systemd-journald",
        "turnserver",
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -60,6 +60,29 @@ def mockdns(request, mockdns_base, mockdns_expected):
    return mockdns_base


+class TestGetDkimEntry:
+    def test_dkim_entry_returns_tuple_on_success(self, mockdns):
+        entry, web_entry = remote.rdns.get_dkim_entry(
+            "some.domain", "", dkim_selector="opendkim"
+        )
+        # May return None,None if openssl not available, but should never crash
+        if entry is not None:
+            assert "opendkim._domainkey.some.domain" in entry
+            assert "opendkim._domainkey.some.domain" in web_entry
+
+    def test_dkim_entry_returns_none_tuple_on_error(self, monkeypatch):
+        """CalledProcessError must return (None, None), not bare None."""
+        from subprocess import CalledProcessError
+
+        def failing_shell(command, fail_ok=False, print=print):
+            raise CalledProcessError(1, command)
+
+        monkeypatch.setattr(remote.rdns, "shell", failing_shell)
+        result = remote.rdns.get_dkim_entry("some.domain", "", dkim_selector="opendkim")
+        assert result == (None, None)
+        assert result[0] is None and result[1] is None
+
+
 class TestPerformInitialChecks:
    def test_perform_initial_checks_ok1(self, mockdns, mockdns_expected):
        remote_data = remote.rdns.perform_initial_checks("some.domain")
--- a/cmdeploy/src/cmdeploy/tests/test_rshell.py
+++ b/cmdeploy/src/cmdeploy/tests/test_rshell.py
@@ -0,0 +1,68 @@
+from unittest.mock import patch
+
+from cmdeploy.remote.rshell import dovecot_recalc_quota
+
+
+def test_dovecot_recalc_quota_normal_output():
+    """Normal doveadm output returns parsed dict."""
+    normal_output = (
+        "Quota name Type    Value  Limit  %\n"
+        "User quota STORAGE     5 102400  0\n"
+        "User quota MESSAGE     2      -  0\n"
+    )
+
+    with patch("cmdeploy.remote.rshell.shell", return_value=normal_output):
+        result = dovecot_recalc_quota("user@example.org")
+
+    # shell is called twice (recalc + get), patch returns same for both
+    assert result == {"value": 5, "limit": 102400, "percent": 0}
+
+
+def test_dovecot_recalc_quota_empty_output():
+    """Empty doveadm output (trailing newline) must not IndexError."""
+    call_count = [0]
+
+    def mock_shell(cmd):
+        call_count[0] += 1
+        if "recalc" in cmd:
+            return ""
+        # quota get returns only empty lines
+        return "\n\n"
+
+    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
+        result = dovecot_recalc_quota("user@example.org")
+
+    assert result is None
+
+
+def test_dovecot_recalc_quota_malformed_output():
+    """Malformed output with too few columns must not crash."""
+    call_count = [0]
+
+    def mock_shell(cmd):
+        call_count[0] += 1
+        if "recalc" in cmd:
+            return ""
+        # partial line, fewer than 6 parts
+        return "Quota name\nUser quota STORAGE\n"
+
+    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
+        result = dovecot_recalc_quota("user@example.org")
+
+    assert result is None
+
+
+def test_dovecot_recalc_quota_header_only():
+    """Only header line, no data rows."""
+    call_count = [0]
+
+    def mock_shell(cmd):
+        call_count[0] += 1
+        if "recalc" in cmd:
+            return ""
+        return "Quota name Type    Value  Limit  %\n"
+
+    with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
+        result = dovecot_recalc_quota("user@example.org")
+
+    assert result is None
--- a/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
+++ b/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
@@ -0,0 +1,4 @@
+# Managed by cmdeploy: disable IPv6 in unbound.
+server:
+  interface: 127.0.0.1
+  do-ip6: no
--- a/doc/source/migrate.rst
+++ b/doc/source/migrate.rst
@@ -72,7 +72,7 @@ in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.

       ssh root@$NEW_IP4
       chown root: -R /var/lib/acme
-       chown dkim-milter: -R /etc/dkimkeys
+       chown opendkim: -R /etc/dkimkeys
       chown vmail: -R /home/vmail/mail


--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -52,7 +52,7 @@ The deployed system components of a chatmail relay are:
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
   certificates for Dovecot, Postfix, and Nginx

-  `DKIM Milter <https://github.com/chatmail/dkim-milter>`_ for signing messages with
+-  `OpenDKIM <http://www.opendkim.org/>`_ for signing messages with
   DKIM and rejecting inbound messages without DKIM

 -  `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
@@ -268,10 +268,12 @@ Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
-by dkim-milter ``reject_failures = author-mismatch `` policy. This
+by OpenDKIM screen policy script before validating the signatures. This
 corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
+After validating the DKIM signature,
+the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.

 Note that chatmail relays
Author	SHA1	Message	Date
Alex V.	1d8e44a948	test: add error-path tests for all bug fixes - test_doveauth: invalid localpart chars rejected, concurrent same-account creation - test_expire: --mdir filtering uses msg.path correctly - test_metadata: TURN exception returns N\n, success returns credentials - test_turnserver: socket timeout, connection refused, happy path - test_dns: get_dkim_entry returns (None, None) on CalledProcessError - test_rshell: dovecot_recalc_quota handles empty/malformed output	2026-02-07 21:45:22 +03:00
Alex V.	447c0ee33d	fix: handle turn_credentials exceptions in metadata proxy ConnectionRefusedError/FileNotFoundError/TimeoutError from turn_credentials() would kill the dict proxy connection. Return N (not found) response instead and log the error.	2026-02-07 16:51:30 +03:00
Alex V.	47c9586b67	fix: add 5s timeout to TURN credential socket Hung TURN daemon would block dict proxy handler thread indefinitely. Per Python docs, settimeout() raises TimeoutError on expiry.	2026-02-07 16:51:19 +03:00
Alex V.	e32816b477	fix(security): validate localpart chars and fix account creation race - Reject localparts with chars outside [a-z0-9._-] to prevent filesystem issues from crafted usernames via IMAP/SMTP auth - Use filelock to serialize concurrent account creation for same address, preventing TOCTOU race where two threads both create an account and last writer wins	2026-02-07 16:51:01 +03:00
Alex V.	0d3cde9850	fix(security): remove deprecated TLS 1.0/1.1 from nginx config TLS 1.0/1.1 deprecated by RFC 8996. Nginx default is TLSv1.2 TLSv1.3. Aligns with postfix (>=TLSv1.2) and dovecot (TLSv1.3) in the same stack.	2026-02-07 16:50:43 +03:00
Alex V.	c48a7d80dc	fix(security): use secrets.choice instead of random.choices for username Per Python docs, secrets module should be used for security-sensitive data. random.choices uses Mersenne Twister PRNG which is predictable. secrets.choice was already used for password generation in the same file.	2026-02-07 16:50:24 +03:00
Alex V.	93eb996a42	fix: guard against IndexError in dovecot_recalc_quota doveadm output ends with empty line, parts=[] causes parts[2] crash.	2026-02-07 16:30:04 +03:00
Alex V.	0148ecde8e	fix: remove dead code and potential NameError in run_cmd check_call always returns 0 or raises, making retcode!=0 branches unreachable. Also remote_data was undefined with --skip-dns-check.	2026-02-07 16:29:38 +03:00
Alex V.	3ad8e5a6ee	fix: handle build_webpages returning None in WebsiteDeployer Exception in _build_webpages was silently caught, returning None. rsync then received "None/" as source path, silently breaking deploy.	2026-02-07 16:29:14 +03:00
Alex V.	a5dc1d886d	fix: return tuple from get_dkim_entry on CalledProcessError Bare return yielded None, causing TypeError on tuple unpacking in perform_initial_checks on fresh servers without DKIM keys.	2026-02-07 16:28:53 +03:00
Alex V.	0443965f63	fix: use msg.path instead of nonexistent msg.relpath in fsreport FileEntry namedtuple has (path, mtime, size), not relpath. Crashes with AttributeError when --mdir flag is used.	2026-02-07 16:28:42 +03:00
Alex V.	ea52fde2d9	chore: fix ruff formatting in acmetool, dovecot, postfix deployers	2026-02-07 16:27:46 +03:00
373[Ø]™	dfcaf415b1	Merge pull request #834 from chatmail/373/fix-dns-resolver-injection fix: remediates issue with improper concat on resolver injection	2026-01-30 23:36:46 +00:00
ccclxxiii	c0718325ef	fix: simplify resolver fix	2026-01-30 22:17:53 +00:00
ccclxxiii	7d72b0e592	fix:[wip] fix concact issue which causes dns failure	2026-01-30 21:10:19 +00:00
373[Ø]™	8f1e23d98e	Merge pull request #832 from chatmail/373/respect-ipv4-ipv6-boolean-config remediates ipv6 boolean not being respected during operations	2026-01-30 17:53:36 +00:00
ccclxxiii	56aaf2649b	chore: fixes bug in dovecot template	2026-01-30 15:52:32 +00:00
ccclxxiii	2660b4d24c	feat: updates postfix for ipv4/v6	2026-01-30 15:27:02 +00:00
ccclxxiii	ea60ecfb57	feat: updates deployers for ipv4/v6 bool	2026-01-30 15:26:45 +00:00
ccclxxiii	2a3a224cc2	feat: adds template for unbound v4/v6	2026-01-30 15:24:26 +00:00
				`@@ -0,0 +1 @@`
				`{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private`
				`@@ -0,0 +1 @@`
				`*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}`