mirror of
https://github.com/chatmail/relay.git
synced 2026-05-15 19:14:44 +00:00
Compare commits
20 Commits
j-g00da/dk
...
fix/multip
| Author | SHA1 | Date | |
|---|---|---|---|
|
1d8e44a948 | ||
|
|
447c0ee33d | ||
|
|
47c9586b67 | ||
|
|
e32816b477 | ||
|
|
0d3cde9850 | ||
|
|
c48a7d80dc | ||
|
|
93eb996a42 | ||
|
|
0148ecde8e | ||
|
|
3ad8e5a6ee | ||
|
|
a5dc1d886d | ||
|
|
0443965f63 | ||
|
|
ea52fde2d9 | ||
|
dfcaf415b1 | ||
|
|
c0718325ef | ||
|
|
7d72b0e592 | ||
|
|
8f1e23d98e | ||
|
|
56aaf2649b | ||
|
|
2660b4d24c | ||
|
|
ea60ecfb57 | ||
|
|
2a3a224cc2 |
@@ -80,7 +80,7 @@ jobs:
|
|||||||
|
|
||||||
- name: set DNS entries
|
- name: set DNS entries
|
||||||
run: |
|
run: |
|
||||||
ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
|
ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
|
||||||
cmdeploy dns --zonefile staging-generated.zone
|
cmdeploy dns --zonefile staging-generated.zone
|
||||||
cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
|
cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
|
||||||
cat .github/workflows/staging-ipv4.testrun.org-default.zone
|
cat .github/workflows/staging-ipv4.testrun.org-default.zone
|
||||||
|
|||||||
2
.github/workflows/test-and-deploy.yaml
vendored
2
.github/workflows/test-and-deploy.yaml
vendored
@@ -82,7 +82,7 @@ jobs:
|
|||||||
|
|
||||||
- name: set DNS entries
|
- name: set DNS entries
|
||||||
run: |
|
run: |
|
||||||
ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
|
ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
|
||||||
cmdeploy dns --zonefile staging-generated.zone --verbose
|
cmdeploy dns --zonefile staging-generated.zone --verbose
|
||||||
cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
|
cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
|
||||||
cat .github/workflows/staging.testrun.org-default.zone
|
cat .github/workflows/staging.testrun.org-default.zone
|
||||||
|
|||||||
@@ -1,8 +1,11 @@
|
|||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
|
import re
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
import filelock
|
||||||
|
|
||||||
try:
|
try:
|
||||||
import crypt_r
|
import crypt_r
|
||||||
except ImportError:
|
except ImportError:
|
||||||
@@ -13,6 +16,7 @@ from .dictproxy import DictProxy
|
|||||||
from .migrate_db import migrate_from_db_to_maildir
|
from .migrate_db import migrate_from_db_to_maildir
|
||||||
|
|
||||||
NOCREATE_FILE = "/etc/chatmail-nocreate"
|
NOCREATE_FILE = "/etc/chatmail-nocreate"
|
||||||
|
VALID_LOCALPART_RE = re.compile(r"^[a-z0-9._-]+$")
|
||||||
|
|
||||||
|
|
||||||
def encrypt_password(password: str):
|
def encrypt_password(password: str):
|
||||||
@@ -52,6 +56,10 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
|
|||||||
)
|
)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
if not VALID_LOCALPART_RE.match(localpart):
|
||||||
|
logging.warning("localpart %r contains invalid characters", localpart)
|
||||||
|
return False
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
|
|
||||||
@@ -140,8 +148,13 @@ class AuthDictProxy(DictProxy):
|
|||||||
if not is_allowed_to_create(self.config, addr, cleartext_password):
|
if not is_allowed_to_create(self.config, addr, cleartext_password):
|
||||||
return
|
return
|
||||||
|
|
||||||
user.set_password(encrypt_password(cleartext_password))
|
lock = filelock.FileLock(str(user.password_path) + ".lock", timeout=5)
|
||||||
print(f"Created address: {addr}", file=sys.stderr)
|
with lock:
|
||||||
|
userdata = user.get_userdb_dict()
|
||||||
|
if userdata:
|
||||||
|
return userdata
|
||||||
|
user.set_password(encrypt_password(cleartext_password))
|
||||||
|
print(f"Created address: {addr}", file=sys.stderr)
|
||||||
return user.get_userdb_dict()
|
return user.get_userdb_dict()
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -68,7 +68,7 @@ class Report:
|
|||||||
for size in self.message_buckets:
|
for size in self.message_buckets:
|
||||||
for msg in mailbox.messages:
|
for msg in mailbox.messages:
|
||||||
if msg.size >= size:
|
if msg.size >= size:
|
||||||
if self.mdir and not msg.relpath.startswith(self.mdir):
|
if self.mdir and f"/{self.mdir}/" not in msg.path:
|
||||||
continue
|
continue
|
||||||
self.message_buckets[size] += msg.size
|
self.message_buckets[size] += msg.size
|
||||||
|
|
||||||
|
|||||||
@@ -101,7 +101,11 @@ class MetadataDictProxy(DictProxy):
|
|||||||
# Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
|
# Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
|
||||||
return f"O{self.iroh_relay}\n"
|
return f"O{self.iroh_relay}\n"
|
||||||
elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
|
elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
|
||||||
res = turn_credentials()
|
try:
|
||||||
|
res = turn_credentials()
|
||||||
|
except Exception:
|
||||||
|
logging.exception("failed to get TURN credentials")
|
||||||
|
return "N\n"
|
||||||
port = 3478
|
port = 3478
|
||||||
return f"O{self.turn_hostname}:{port}:{res}\n"
|
return f"O{self.turn_hostname}:{port}:{res}\n"
|
||||||
|
|
||||||
|
|||||||
@@ -3,7 +3,6 @@
|
|||||||
"""CGI script for creating new accounts."""
|
"""CGI script for creating new accounts."""
|
||||||
|
|
||||||
import json
|
import json
|
||||||
import random
|
|
||||||
import secrets
|
import secrets
|
||||||
import string
|
import string
|
||||||
|
|
||||||
@@ -15,7 +14,9 @@ ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
|
|||||||
|
|
||||||
|
|
||||||
def create_newemail_dict(config: Config):
|
def create_newemail_dict(config: Config):
|
||||||
user = "".join(random.choices(ALPHANUMERIC, k=config.username_max_length))
|
user = "".join(
|
||||||
|
secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
|
||||||
|
)
|
||||||
password = "".join(
|
password = "".join(
|
||||||
secrets.choice(ALPHANUMERIC_PUNCT)
|
secrets.choice(ALPHANUMERIC_PUNCT)
|
||||||
for _ in range(config.password_min_length + 3)
|
for _ in range(config.password_min_length + 3)
|
||||||
|
|||||||
@@ -120,6 +120,60 @@ def test_handle_dovecot_protocol_iterate(gencreds, example_config):
|
|||||||
assert not lines[2]
|
assert not lines[2]
|
||||||
|
|
||||||
|
|
||||||
|
def test_invalid_localpart_characters(make_config):
|
||||||
|
"""Test that is_allowed_to_create rejects localparts with invalid characters."""
|
||||||
|
config = make_config("chat.example.org", {"username_min_length": "3"})
|
||||||
|
password = "zequ0Aimuchoodaechik"
|
||||||
|
domain = config.mail_domain
|
||||||
|
|
||||||
|
# valid localparts
|
||||||
|
assert is_allowed_to_create(config, f"abc123@{domain}", password)
|
||||||
|
assert is_allowed_to_create(config, f"a.b-c_d@{domain}", password)
|
||||||
|
|
||||||
|
# uppercase rejected
|
||||||
|
assert not is_allowed_to_create(config, f"Abc123@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"ABCDEFG@{domain}", password)
|
||||||
|
|
||||||
|
# spaces and special chars rejected
|
||||||
|
assert not is_allowed_to_create(config, f"a b cde@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"abc+def@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"abc!def@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"ab@cdef@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"abc/def@{domain}", password)
|
||||||
|
assert not is_allowed_to_create(config, f"abc\\def@{domain}", password)
|
||||||
|
|
||||||
|
|
||||||
|
def test_concurrent_creation_same_account(dictproxy):
|
||||||
|
"""Test that concurrent creation of the same account doesn't corrupt password."""
|
||||||
|
addr = "racetest1@chat.example.org"
|
||||||
|
password = "zequ0Aimuchoodaechik"
|
||||||
|
num_threads = 10
|
||||||
|
results = queue.Queue()
|
||||||
|
|
||||||
|
def create():
|
||||||
|
try:
|
||||||
|
res = dictproxy.lookup_passdb(addr, password)
|
||||||
|
results.put(("ok", res))
|
||||||
|
except Exception:
|
||||||
|
results.put(("err", traceback.format_exc()))
|
||||||
|
|
||||||
|
threads = [threading.Thread(target=create, daemon=True) for _ in range(num_threads)]
|
||||||
|
for t in threads:
|
||||||
|
t.start()
|
||||||
|
for t in threads:
|
||||||
|
t.join(timeout=10)
|
||||||
|
|
||||||
|
passwords_seen = set()
|
||||||
|
for _ in range(num_threads):
|
||||||
|
status, res = results.get()
|
||||||
|
if status == "err":
|
||||||
|
pytest.fail(f"concurrent creation failed\n{res}")
|
||||||
|
passwords_seen.add(res["password"])
|
||||||
|
|
||||||
|
# all threads must see the same password hash
|
||||||
|
assert len(passwords_seen) == 1
|
||||||
|
|
||||||
|
|
||||||
def test_50_concurrent_lookups_different_accounts(gencreds, dictproxy):
|
def test_50_concurrent_lookups_different_accounts(gencreds, dictproxy):
|
||||||
num_threads = 50
|
num_threads = 50
|
||||||
req_per_thread = 5
|
req_per_thread = 5
|
||||||
|
|||||||
@@ -112,6 +112,43 @@ def test_report(mbox1, example_config):
|
|||||||
report_main(args)
|
report_main(args)
|
||||||
|
|
||||||
|
|
||||||
|
def test_report_mdir_filters_by_path(mbox1, example_config):
|
||||||
|
"""Test that Report with mdir='cur' only counts messages in cur/ subdirectory."""
|
||||||
|
from chatmaild.fsreport import Report
|
||||||
|
|
||||||
|
now = datetime.utcnow().timestamp()
|
||||||
|
|
||||||
|
# Set password mtime to old enough so min_login_age check passes
|
||||||
|
password = Path(mbox1.basedir).joinpath("password")
|
||||||
|
old_time = now - 86400 * 10 # 10 days ago
|
||||||
|
os.utime(password, (old_time, old_time))
|
||||||
|
|
||||||
|
# Reload mailbox with updated mtime
|
||||||
|
from chatmaild.expire import MailboxStat
|
||||||
|
|
||||||
|
mbox = MailboxStat(mbox1.basedir)
|
||||||
|
|
||||||
|
# Report without mdir — should count all messages
|
||||||
|
rep_all = Report(now=now, min_login_age=1, mdir=None)
|
||||||
|
rep_all.process_mailbox_stat(mbox)
|
||||||
|
total_all = rep_all.message_buckets[0]
|
||||||
|
|
||||||
|
# Report with mdir='cur' — should only count cur/ messages
|
||||||
|
rep_cur = Report(now=now, min_login_age=1, mdir="cur")
|
||||||
|
rep_cur.process_mailbox_stat(mbox)
|
||||||
|
total_cur = rep_cur.message_buckets[0]
|
||||||
|
|
||||||
|
# Report with mdir='new' — should only count new/ messages
|
||||||
|
rep_new = Report(now=now, min_login_age=1, mdir="new")
|
||||||
|
rep_new.process_mailbox_stat(mbox)
|
||||||
|
total_new = rep_new.message_buckets[0]
|
||||||
|
|
||||||
|
# cur has 500-byte msg, new has 600-byte msg (from fill_mbox)
|
||||||
|
assert total_cur == 500
|
||||||
|
assert total_new == 600
|
||||||
|
assert total_all == 500 + 600
|
||||||
|
|
||||||
|
|
||||||
def test_expiry_cli_basic(example_config, mbox1):
|
def test_expiry_cli_basic(example_config, mbox1):
|
||||||
args = (str(example_config._inipath),)
|
args = (str(example_config._inipath),)
|
||||||
expiry_main(args)
|
expiry_main(args)
|
||||||
|
|||||||
@@ -314,6 +314,51 @@ def test_persistent_queue_items(tmp_path, testaddr, token):
|
|||||||
assert not queue_item < item2 and not item2 < queue_item
|
assert not queue_item < item2 and not item2 < queue_item
|
||||||
|
|
||||||
|
|
||||||
|
def test_turn_credentials_exception_returns_N(notifier, metadata, monkeypatch):
|
||||||
|
"""Test that turn_credentials() failure returns N\\n instead of crashing."""
|
||||||
|
import chatmaild.metadata
|
||||||
|
|
||||||
|
dictproxy = MetadataDictProxy(
|
||||||
|
notifier=notifier,
|
||||||
|
metadata=metadata,
|
||||||
|
turn_hostname="turn.example.org",
|
||||||
|
)
|
||||||
|
|
||||||
|
def mock_turn_credentials():
|
||||||
|
raise ConnectionRefusedError("socket not available")
|
||||||
|
|
||||||
|
monkeypatch.setattr(chatmaild.metadata, "turn_credentials", mock_turn_credentials)
|
||||||
|
|
||||||
|
transactions = {}
|
||||||
|
res = dictproxy.handle_dovecot_request(
|
||||||
|
"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
|
||||||
|
"\tuser@example.org",
|
||||||
|
transactions,
|
||||||
|
)
|
||||||
|
assert res == "N\n"
|
||||||
|
|
||||||
|
|
||||||
|
def test_turn_credentials_success(notifier, metadata, monkeypatch):
|
||||||
|
"""Test that valid turn_credentials() returns TURN URI."""
|
||||||
|
import chatmaild.metadata
|
||||||
|
|
||||||
|
dictproxy = MetadataDictProxy(
|
||||||
|
notifier=notifier,
|
||||||
|
metadata=metadata,
|
||||||
|
turn_hostname="turn.example.org",
|
||||||
|
)
|
||||||
|
|
||||||
|
monkeypatch.setattr(chatmaild.metadata, "turn_credentials", lambda: "user:pass")
|
||||||
|
|
||||||
|
transactions = {}
|
||||||
|
res = dictproxy.handle_dovecot_request(
|
||||||
|
"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn"
|
||||||
|
"\tuser@example.org",
|
||||||
|
transactions,
|
||||||
|
)
|
||||||
|
assert res == "Oturn.example.org:3478:user:pass\n"
|
||||||
|
|
||||||
|
|
||||||
def test_iroh_relay(dictproxy):
|
def test_iroh_relay(dictproxy):
|
||||||
rfile = io.BytesIO(
|
rfile = io.BytesIO(
|
||||||
b"\n".join(
|
b"\n".join(
|
||||||
|
|||||||
73
chatmaild/src/chatmaild/tests/test_turnserver.py
Normal file
73
chatmaild/src/chatmaild/tests/test_turnserver.py
Normal file
@@ -0,0 +1,73 @@
|
|||||||
|
import socket
|
||||||
|
import threading
|
||||||
|
import time
|
||||||
|
from unittest.mock import patch
|
||||||
|
|
||||||
|
import pytest
|
||||||
|
|
||||||
|
from chatmaild.turnserver import turn_credentials
|
||||||
|
|
||||||
|
SOCKET_PATH = "/run/chatmail-turn/turn.socket"
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.fixture
|
||||||
|
def turn_socket(tmp_path):
|
||||||
|
"""Create a real Unix socket server at a temp path."""
|
||||||
|
sock_path = str(tmp_path / "turn.socket")
|
||||||
|
server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||||
|
server.bind(sock_path)
|
||||||
|
server.listen(1)
|
||||||
|
yield sock_path, server
|
||||||
|
server.close()
|
||||||
|
|
||||||
|
|
||||||
|
def _call_turn_credentials(sock_path):
|
||||||
|
"""Call turn_credentials but connect to sock_path instead of hardcoded path."""
|
||||||
|
original_connect = socket.socket.connect
|
||||||
|
|
||||||
|
def patched_connect(self, address):
|
||||||
|
if address == SOCKET_PATH:
|
||||||
|
address = sock_path
|
||||||
|
return original_connect(self, address)
|
||||||
|
|
||||||
|
with patch.object(socket.socket, "connect", patched_connect):
|
||||||
|
return turn_credentials()
|
||||||
|
|
||||||
|
|
||||||
|
def test_turn_credentials_timeout(turn_socket):
|
||||||
|
"""Server accepts but never responds — must raise socket.timeout."""
|
||||||
|
sock_path, server = turn_socket
|
||||||
|
|
||||||
|
def accept_and_hang():
|
||||||
|
conn, _ = server.accept()
|
||||||
|
time.sleep(30)
|
||||||
|
conn.close()
|
||||||
|
|
||||||
|
t = threading.Thread(target=accept_and_hang, daemon=True)
|
||||||
|
t.start()
|
||||||
|
|
||||||
|
with pytest.raises(socket.timeout):
|
||||||
|
_call_turn_credentials(sock_path)
|
||||||
|
|
||||||
|
|
||||||
|
def test_turn_credentials_connection_refused(tmp_path):
|
||||||
|
"""Socket file doesn't exist — must raise ConnectionRefusedError or FileNotFoundError."""
|
||||||
|
missing = str(tmp_path / "nonexistent.socket")
|
||||||
|
with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
|
||||||
|
_call_turn_credentials(missing)
|
||||||
|
|
||||||
|
|
||||||
|
def test_turn_credentials_success(turn_socket):
|
||||||
|
"""Server responds with credentials — must return stripped string."""
|
||||||
|
sock_path, server = turn_socket
|
||||||
|
|
||||||
|
def respond():
|
||||||
|
conn, _ = server.accept()
|
||||||
|
conn.sendall(b"testuser:testpass\n")
|
||||||
|
conn.close()
|
||||||
|
|
||||||
|
t = threading.Thread(target=respond, daemon=True)
|
||||||
|
t.start()
|
||||||
|
|
||||||
|
result = _call_turn_credentials(sock_path)
|
||||||
|
assert result == "testuser:testpass"
|
||||||
@@ -4,6 +4,7 @@ import socket
|
|||||||
|
|
||||||
def turn_credentials() -> str:
|
def turn_credentials() -> str:
|
||||||
with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
|
with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
|
||||||
|
client_socket.settimeout(5)
|
||||||
client_socket.connect("/run/chatmail-turn/turn.socket")
|
client_socket.connect("/run/chatmail-turn/turn.socket")
|
||||||
with client_socket.makefile("rb") as file:
|
with client_socket.makefile("rb") as file:
|
||||||
return file.readline().decode("utf-8").strip()
|
return file.readline().decode("utf-8").strip()
|
||||||
|
|||||||
@@ -67,7 +67,7 @@ class AcmetoolDeployer(Deployer):
|
|||||||
)
|
)
|
||||||
files.template(
|
files.template(
|
||||||
src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
|
src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
|
||||||
dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
|
dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
|
||||||
user="root",
|
user="root",
|
||||||
group="root",
|
group="root",
|
||||||
mode="644",
|
mode="644",
|
||||||
|
|||||||
@@ -113,24 +113,15 @@ def run_cmd(args, out):
|
|||||||
return 1
|
return 1
|
||||||
|
|
||||||
try:
|
try:
|
||||||
retcode = out.check_call(cmd, env=env)
|
out.check_call(cmd, env=env)
|
||||||
if args.website_only:
|
if args.website_only:
|
||||||
if retcode == 0:
|
out.green("Website deployment completed.")
|
||||||
out.green("Website deployment completed.")
|
|
||||||
else:
|
|
||||||
out.red("Website deployment failed.")
|
|
||||||
elif retcode == 0:
|
|
||||||
out.green("Deploy completed, call `cmdeploy dns` next.")
|
|
||||||
elif not remote_data["acme_account_url"]:
|
|
||||||
out.red("Deploy completed but letsencrypt not configured")
|
|
||||||
out.red("Run 'cmdeploy run' again")
|
|
||||||
retcode = 0
|
|
||||||
else:
|
else:
|
||||||
out.red("Deploy failed")
|
out.green("Deploy completed, call `cmdeploy dns` next.")
|
||||||
|
return 0
|
||||||
except subprocess.CalledProcessError:
|
except subprocess.CalledProcessError:
|
||||||
out.red("Deploy failed")
|
out.red("Deploy failed")
|
||||||
retcode = 1
|
return 1
|
||||||
return retcode
|
|
||||||
|
|
||||||
|
|
||||||
def dns_cmd_options(parser):
|
def dns_cmd_options(parser):
|
||||||
|
|||||||
@@ -25,11 +25,11 @@ from .basedeploy import (
|
|||||||
configure_remote_units,
|
configure_remote_units,
|
||||||
get_resource,
|
get_resource,
|
||||||
)
|
)
|
||||||
from .dkim_milter.deployer import DkimMilterDeployer
|
|
||||||
from .dovecot.deployer import DovecotDeployer
|
from .dovecot.deployer import DovecotDeployer
|
||||||
from .filtermail.deployer import FiltermailDeployer
|
from .filtermail.deployer import FiltermailDeployer
|
||||||
from .mtail.deployer import MtailDeployer
|
from .mtail.deployer import MtailDeployer
|
||||||
from .nginx.deployer import NginxDeployer
|
from .nginx.deployer import NginxDeployer
|
||||||
|
from .opendkim.deployer import OpendkimDeployer
|
||||||
from .postfix.deployer import PostfixDeployer
|
from .postfix.deployer import PostfixDeployer
|
||||||
from .www import build_webpages, find_merge_conflict, get_paths
|
from .www import build_webpages, find_merge_conflict, get_paths
|
||||||
|
|
||||||
@@ -141,6 +141,10 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
|
|||||||
|
|
||||||
|
|
||||||
class UnboundDeployer(Deployer):
|
class UnboundDeployer(Deployer):
|
||||||
|
def __init__(self, config):
|
||||||
|
self.config = config
|
||||||
|
self.need_restart = False
|
||||||
|
|
||||||
def install(self):
|
def install(self):
|
||||||
# Run local DNS resolver `unbound`.
|
# Run local DNS resolver `unbound`.
|
||||||
# `resolvconf` takes care of setting up /etc/resolv.conf
|
# `resolvconf` takes care of setting up /etc/resolv.conf
|
||||||
@@ -177,6 +181,27 @@ class UnboundDeployer(Deployer):
|
|||||||
"unbound-anchor -a /var/lib/unbound/root.key || true",
|
"unbound-anchor -a /var/lib/unbound/root.key || true",
|
||||||
],
|
],
|
||||||
)
|
)
|
||||||
|
if self.config.disable_ipv6:
|
||||||
|
files.directory(
|
||||||
|
path="/etc/unbound/unbound.conf.d",
|
||||||
|
present=True,
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="755",
|
||||||
|
)
|
||||||
|
conf = files.put(
|
||||||
|
src=get_resource("unbound/unbound.conf.j2"),
|
||||||
|
dest="/etc/unbound/unbound.conf.d/chatmail.conf",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
conf = files.file(
|
||||||
|
path="/etc/unbound/unbound.conf.d/chatmail.conf",
|
||||||
|
present=False,
|
||||||
|
)
|
||||||
|
self.need_restart |= conf.changed
|
||||||
|
|
||||||
def activate(self):
|
def activate(self):
|
||||||
server.shell(
|
server.shell(
|
||||||
@@ -191,6 +216,7 @@ class UnboundDeployer(Deployer):
|
|||||||
service="unbound.service",
|
service="unbound.service",
|
||||||
running=True,
|
running=True,
|
||||||
enabled=True,
|
enabled=True,
|
||||||
|
restarted=self.need_restart,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@@ -238,6 +264,9 @@ class WebsiteDeployer(Deployer):
|
|||||||
# if www_folder is a hugo page, build it
|
# if www_folder is a hugo page, build it
|
||||||
if build_dir:
|
if build_dir:
|
||||||
www_path = build_webpages(src_dir, build_dir, self.config)
|
www_path = build_webpages(src_dir, build_dir, self.config)
|
||||||
|
if www_path is None:
|
||||||
|
logger.warning("Web page build failed, skipping website deployment")
|
||||||
|
return
|
||||||
# if it is not a hugo page, upload it as is
|
# if it is not a hugo page, upload it as is
|
||||||
files.rsync(
|
files.rsync(
|
||||||
f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
|
f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
|
||||||
@@ -527,7 +556,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
|
|||||||
files.line(
|
files.line(
|
||||||
name="Add 9.9.9.9 to resolv.conf",
|
name="Add 9.9.9.9 to resolv.conf",
|
||||||
path="/etc/resolv.conf",
|
path="/etc/resolv.conf",
|
||||||
line="nameserver 9.9.9.9",
|
# Guard against resolv.conf missing a trailing newline (SolusVM bug).
|
||||||
|
line="\nnameserver 9.9.9.9",
|
||||||
)
|
)
|
||||||
|
|
||||||
port_services = [
|
port_services = [
|
||||||
@@ -565,14 +595,14 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
|
|||||||
LegacyRemoveDeployer(),
|
LegacyRemoveDeployer(),
|
||||||
FiltermailDeployer(),
|
FiltermailDeployer(),
|
||||||
JournaldDeployer(),
|
JournaldDeployer(),
|
||||||
UnboundDeployer(),
|
UnboundDeployer(config),
|
||||||
TurnDeployer(mail_domain),
|
TurnDeployer(mail_domain),
|
||||||
IrohDeployer(config.enable_iroh_relay),
|
IrohDeployer(config.enable_iroh_relay),
|
||||||
AcmetoolDeployer(config.acme_email, tls_domains),
|
AcmetoolDeployer(config.acme_email, tls_domains),
|
||||||
WebsiteDeployer(config),
|
WebsiteDeployer(config),
|
||||||
ChatmailVenvDeployer(config),
|
ChatmailVenvDeployer(config),
|
||||||
MtastsDeployer(),
|
MtastsDeployer(),
|
||||||
DkimMilterDeployer(mail_domain),
|
OpendkimDeployer(mail_domain),
|
||||||
# Dovecot should be started before Postfix
|
# Dovecot should be started before Postfix
|
||||||
# because it creates authentication socket
|
# because it creates authentication socket
|
||||||
# required by Postfix.
|
# required by Postfix.
|
||||||
|
|||||||
@@ -1,169 +0,0 @@
|
|||||||
"""
|
|
||||||
Installs DKIM Milter.
|
|
||||||
"""
|
|
||||||
|
|
||||||
from pyinfra import facts, host
|
|
||||||
from pyinfra.facts.files import File, Sha256File
|
|
||||||
from pyinfra.operations import apt, files, server, systemd
|
|
||||||
|
|
||||||
from cmdeploy.basedeploy import Deployer, get_resource
|
|
||||||
|
|
||||||
|
|
||||||
class DkimMilterDeployer(Deployer):
|
|
||||||
required_users = [("dkim-milter", None, ["dkim-milter"])]
|
|
||||||
|
|
||||||
def __init__(self, mail_domain):
|
|
||||||
self.mail_domain = mail_domain
|
|
||||||
self.need_restart = False
|
|
||||||
|
|
||||||
def install(self):
|
|
||||||
"""Builds and installs dkim-milter"""
|
|
||||||
|
|
||||||
# openssl is required to generate the signing key
|
|
||||||
apt.packages(
|
|
||||||
name="Install openssl required by DKIM Milter",
|
|
||||||
packages=["openssl"],
|
|
||||||
)
|
|
||||||
|
|
||||||
(url, sha256sum) = {
|
|
||||||
"x86_64": (
|
|
||||||
"https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-x86_64",
|
|
||||||
"e676837b362ebef461881079e3e1151ed2db2d942d98b7103974921ac69ce5de",
|
|
||||||
),
|
|
||||||
"aarch64": (
|
|
||||||
"https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-aarch64",
|
|
||||||
"b853ab85a535b7e7e548ae0e4d85a61d4c0fd44f2912c3439662c56ca8a369e6",
|
|
||||||
),
|
|
||||||
}[host.get_fact(facts.server.Arch)]
|
|
||||||
|
|
||||||
existing_sha256sum = host.get_fact(Sha256File, "/usr/local/sbin/dkim-milter")
|
|
||||||
if existing_sha256sum != sha256sum:
|
|
||||||
server.shell(
|
|
||||||
name="Download DKIM Milter",
|
|
||||||
commands=[
|
|
||||||
f"(curl -L {url} >/usr/local/sbin/dkim-milter.new && (echo '{sha256sum} /usr/local/sbin/dkim-milter.new' | sha256sum -c) && mv /usr/local/sbin/dkim-milter.new /usr/local/sbin/dkim-milter)",
|
|
||||||
"chmod 755 /usr/local/sbin/dkim-milter",
|
|
||||||
],
|
|
||||||
)
|
|
||||||
self.need_restart = True
|
|
||||||
|
|
||||||
def configure(self):
|
|
||||||
"""Configures dkim-milter"""
|
|
||||||
|
|
||||||
domain = self.mail_domain
|
|
||||||
# note - we are using "opendkim" for backward compatibility
|
|
||||||
# for relays that were set up before we migrated from OpenDKIM
|
|
||||||
# to DKIM Milter.
|
|
||||||
selector = "opendkim"
|
|
||||||
signing_key_name = selector
|
|
||||||
# for backward compatibility with opendkim-genkey
|
|
||||||
signing_key_filename = f"{signing_key_name}.private"
|
|
||||||
config_common = {
|
|
||||||
"domain": domain,
|
|
||||||
"selector": selector,
|
|
||||||
"signing_key_name": signing_key_name,
|
|
||||||
"signing_key_filename": signing_key_filename,
|
|
||||||
}
|
|
||||||
config_verify = {
|
|
||||||
**config_common,
|
|
||||||
"mode": "verify",
|
|
||||||
"config_file": "/etc/dkim-milter/dkim-milter-verify.conf",
|
|
||||||
"socket_name": "dkim-milter-verify.sock",
|
|
||||||
}
|
|
||||||
config_sign = {
|
|
||||||
**config_common,
|
|
||||||
"mode": "sign",
|
|
||||||
"config_file": "/etc/dkim-milter/dkim-milter-sign.conf",
|
|
||||||
"socket_name": "dkim-milter-sign.sock",
|
|
||||||
}
|
|
||||||
|
|
||||||
self.need_restart |= files.directory(
|
|
||||||
name="Create a directory for DKIM Milter configs",
|
|
||||||
path="/etc/dkim-milter",
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="750",
|
|
||||||
present=True,
|
|
||||||
).changed
|
|
||||||
|
|
||||||
for config in [config_verify, config_sign]:
|
|
||||||
self.need_restart |= files.template(
|
|
||||||
src=get_resource("dkim_milter/dkim-milter.conf.j2"),
|
|
||||||
dest=config["config_file"],
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="644",
|
|
||||||
config=config,
|
|
||||||
).changed
|
|
||||||
|
|
||||||
self.need_restart |= files.directory(
|
|
||||||
name="Create dkimkeys directory",
|
|
||||||
path="/etc/dkimkeys",
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="750",
|
|
||||||
present=True,
|
|
||||||
).changed
|
|
||||||
|
|
||||||
self.need_restart |= files.template(
|
|
||||||
src=get_resource("dkim_milter/signing-keys"),
|
|
||||||
dest="/etc/dkim-milter/signing-keys",
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="644",
|
|
||||||
config=config_common,
|
|
||||||
).changed
|
|
||||||
|
|
||||||
self.need_restart |= files.template(
|
|
||||||
src=get_resource("dkim_milter/signing-senders"),
|
|
||||||
dest="/etc/dkim-milter/signing-senders",
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="644",
|
|
||||||
config=config_common,
|
|
||||||
).changed
|
|
||||||
|
|
||||||
self.need_restart |= files.directory(
|
|
||||||
name="Create DKIM Milter unix sockets directory",
|
|
||||||
path="/var/spool/postfix/dkim-milter",
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="770",
|
|
||||||
).changed
|
|
||||||
|
|
||||||
if not host.get_fact(File, f"/etc/dkimkeys/{signing_key_filename}"):
|
|
||||||
server.shell(
|
|
||||||
name=f"Generate DKIM Milter signing key '{signing_key_name}'",
|
|
||||||
commands=[
|
|
||||||
f"openssl genpkey -algorithm RSA -out /etc/dkimkeys/{signing_key_filename}"
|
|
||||||
],
|
|
||||||
)
|
|
||||||
self.need_restart = True
|
|
||||||
|
|
||||||
# enforce restrictive permissions for the signing key
|
|
||||||
self.need_restart |= files.file(
|
|
||||||
path=f"/etc/dkimkeys/{signing_key_filename}",
|
|
||||||
present=True,
|
|
||||||
user="dkim-milter",
|
|
||||||
group="dkim-milter",
|
|
||||||
mode="0400",
|
|
||||||
).changed
|
|
||||||
|
|
||||||
self.need_restart |= files.put(
|
|
||||||
name="Create dkim-milter service",
|
|
||||||
src=get_resource("dkim_milter/dkim-milter@.service"),
|
|
||||||
dest=f"/etc/systemd/system/dkim-milter@.service",
|
|
||||||
).changed
|
|
||||||
|
|
||||||
def activate(self):
|
|
||||||
"""Start and enable DKIM Milter"""
|
|
||||||
for mode in ["sign", "verify"]:
|
|
||||||
systemd.service(
|
|
||||||
name=f"Start and enable DKIM Milter in {mode} mode",
|
|
||||||
service=f"dkim-milter@{mode}",
|
|
||||||
running=True,
|
|
||||||
enabled=True,
|
|
||||||
daemon_reload=self.need_restart,
|
|
||||||
restarted=self.need_restart,
|
|
||||||
)
|
|
||||||
self.need_restart = False
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
mode = {{ config.mode }}
|
|
||||||
|
|
||||||
{% if config.mode == "verify" %}
|
|
||||||
# DKIM milter will skip verification for trusted sources,
|
|
||||||
# which in our case is everything, since we run DKIM milter on a reinjection port,
|
|
||||||
# and all connections are local.
|
|
||||||
# We force verification for local connections by not trusting anyone.
|
|
||||||
trusted_networks =
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
log_destination = syslog
|
|
||||||
log_level = info
|
|
||||||
|
|
||||||
canonicalization = relaxed/simple
|
|
||||||
|
|
||||||
lookup_timeout = 60s
|
|
||||||
|
|
||||||
signing_keys = /etc/dkim-milter/signing-keys
|
|
||||||
signing_senders = /etc/dkim-milter/signing-senders
|
|
||||||
|
|
||||||
# Signing
|
|
||||||
sign_headers = default; autocrypt:content-type
|
|
||||||
oversign_headers = signed-extended
|
|
||||||
|
|
||||||
# Verification
|
|
||||||
required_signed_headers = From*
|
|
||||||
forbid_unsigned_content = yes
|
|
||||||
reject_failures = missing, no-pass, author-mismatch
|
|
||||||
|
|
||||||
socket = unix:/var/spool/postfix/dkim-milter/{{ config.socket_name }}
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
[Unit]
|
|
||||||
Description=DKIM Milter %i
|
|
||||||
Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
|
|
||||||
After=network-online.target nss-lookup.target
|
|
||||||
Wants=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User=dkim-milter
|
|
||||||
UMask=007
|
|
||||||
ExecStart=/usr/local/sbin/dkim-milter -c /etc/dkim-milter/dkim-milter-%i.conf
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
Restart=on-failure
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
# Key name Signing key
|
|
||||||
{{ config.signing_key_name }} </etc/dkimkeys/{{ config.signing_key_filename }}
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
# Sender expression Domain Selector Key name
|
|
||||||
.{{ config.domain }} {{ config.domain }} {{ config.selector }} {{ config.signing_key_name }}
|
|
||||||
@@ -37,7 +37,9 @@ class DovecotDeployer(Deployer):
|
|||||||
restart = False if self.disable_mail else self.need_restart
|
restart = False if self.disable_mail else self.need_restart
|
||||||
|
|
||||||
systemd.service(
|
systemd.service(
|
||||||
name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
|
name="Disable dovecot for now"
|
||||||
|
if self.disable_mail
|
||||||
|
else "Start and enable Dovecot",
|
||||||
service="dovecot.service",
|
service="dovecot.service",
|
||||||
running=False if self.disable_mail else True,
|
running=False if self.disable_mail else True,
|
||||||
enabled=False if self.disable_mail else True,
|
enabled=False if self.disable_mail else True,
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
## Dovecot configuration file
|
## Dovecot configuration file
|
||||||
|
|
||||||
{% if disable_ipv6 %}
|
{% if disable_ipv6 %}
|
||||||
listen = *
|
listen = 0.0.0.0
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
protocols = imap lmtp
|
protocols = imap lmtp
|
||||||
|
|||||||
@@ -51,7 +51,7 @@ http {
|
|||||||
include /etc/nginx/mime.types;
|
include /etc/nginx/mime.types;
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
|
||||||
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
|
||||||
|
|||||||
1
cmdeploy/src/cmdeploy/opendkim/KeyTable
Normal file
1
cmdeploy/src/cmdeploy/opendkim/KeyTable
Normal file
@@ -0,0 +1 @@
|
|||||||
|
{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private
|
||||||
1
cmdeploy/src/cmdeploy/opendkim/SigningTable
Normal file
1
cmdeploy/src/cmdeploy/opendkim/SigningTable
Normal file
@@ -0,0 +1 @@
|
|||||||
|
*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}
|
||||||
123
cmdeploy/src/cmdeploy/opendkim/deployer.py
Normal file
123
cmdeploy/src/cmdeploy/opendkim/deployer.py
Normal file
@@ -0,0 +1,123 @@
|
|||||||
|
"""
|
||||||
|
Installs OpenDKIM
|
||||||
|
"""
|
||||||
|
|
||||||
|
from pyinfra import host
|
||||||
|
from pyinfra.facts.files import File
|
||||||
|
from pyinfra.operations import apt, files, server, systemd
|
||||||
|
|
||||||
|
from cmdeploy.basedeploy import Deployer, get_resource
|
||||||
|
|
||||||
|
|
||||||
|
class OpendkimDeployer(Deployer):
|
||||||
|
required_users = [("opendkim", None, ["opendkim"])]
|
||||||
|
|
||||||
|
def __init__(self, mail_domain):
|
||||||
|
self.mail_domain = mail_domain
|
||||||
|
|
||||||
|
def install(self):
|
||||||
|
apt.packages(
|
||||||
|
name="apt install opendkim opendkim-tools",
|
||||||
|
packages=["opendkim", "opendkim-tools"],
|
||||||
|
)
|
||||||
|
|
||||||
|
def configure(self):
|
||||||
|
domain = self.mail_domain
|
||||||
|
dkim_selector = "opendkim"
|
||||||
|
"""Configures OpenDKIM"""
|
||||||
|
need_restart = False
|
||||||
|
|
||||||
|
main_config = files.template(
|
||||||
|
src=get_resource("opendkim/opendkim.conf"),
|
||||||
|
dest="/etc/opendkim.conf",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
config={"domain_name": domain, "opendkim_selector": dkim_selector},
|
||||||
|
)
|
||||||
|
need_restart |= main_config.changed
|
||||||
|
|
||||||
|
screen_script = files.put(
|
||||||
|
src=get_resource("opendkim/screen.lua"),
|
||||||
|
dest="/etc/opendkim/screen.lua",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
)
|
||||||
|
need_restart |= screen_script.changed
|
||||||
|
|
||||||
|
final_script = files.put(
|
||||||
|
src=get_resource("opendkim/final.lua"),
|
||||||
|
dest="/etc/opendkim/final.lua",
|
||||||
|
user="root",
|
||||||
|
group="root",
|
||||||
|
mode="644",
|
||||||
|
)
|
||||||
|
need_restart |= final_script.changed
|
||||||
|
|
||||||
|
files.directory(
|
||||||
|
name="Add opendkim directory to /etc",
|
||||||
|
path="/etc/opendkim",
|
||||||
|
user="opendkim",
|
||||||
|
group="opendkim",
|
||||||
|
mode="750",
|
||||||
|
present=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
keytable = files.template(
|
||||||
|
src=get_resource("opendkim/KeyTable"),
|
||||||
|
dest="/etc/dkimkeys/KeyTable",
|
||||||
|
user="opendkim",
|
||||||
|
group="opendkim",
|
||||||
|
mode="644",
|
||||||
|
config={"domain_name": domain, "opendkim_selector": dkim_selector},
|
||||||
|
)
|
||||||
|
need_restart |= keytable.changed
|
||||||
|
|
||||||
|
signing_table = files.template(
|
||||||
|
src=get_resource("opendkim/SigningTable"),
|
||||||
|
dest="/etc/dkimkeys/SigningTable",
|
||||||
|
user="opendkim",
|
||||||
|
group="opendkim",
|
||||||
|
mode="644",
|
||||||
|
config={"domain_name": domain, "opendkim_selector": dkim_selector},
|
||||||
|
)
|
||||||
|
need_restart |= signing_table.changed
|
||||||
|
files.directory(
|
||||||
|
name="Add opendkim socket directory to /var/spool/postfix",
|
||||||
|
path="/var/spool/postfix/opendkim",
|
||||||
|
user="opendkim",
|
||||||
|
group="opendkim",
|
||||||
|
mode="750",
|
||||||
|
present=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
|
||||||
|
server.shell(
|
||||||
|
name="Generate OpenDKIM domain keys",
|
||||||
|
commands=[
|
||||||
|
f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
|
||||||
|
],
|
||||||
|
_use_su_login=True,
|
||||||
|
_su_user="opendkim",
|
||||||
|
)
|
||||||
|
|
||||||
|
service_file = files.put(
|
||||||
|
name="Configure opendkim to restart once a day",
|
||||||
|
src=get_resource("opendkim/systemd.conf"),
|
||||||
|
dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
|
||||||
|
)
|
||||||
|
need_restart |= service_file.changed
|
||||||
|
|
||||||
|
self.need_restart = need_restart
|
||||||
|
|
||||||
|
def activate(self):
|
||||||
|
systemd.service(
|
||||||
|
name="Start and enable OpenDKIM",
|
||||||
|
service="opendkim.service",
|
||||||
|
running=True,
|
||||||
|
enabled=True,
|
||||||
|
daemon_reload=self.need_restart,
|
||||||
|
restarted=self.need_restart,
|
||||||
|
)
|
||||||
|
self.need_restart = False
|
||||||
42
cmdeploy/src/cmdeploy/opendkim/final.lua
Normal file
42
cmdeploy/src/cmdeploy/opendkim/final.lua
Normal file
@@ -0,0 +1,42 @@
|
|||||||
|
mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
|
||||||
|
if mtaname == "ORIGINATING" then
|
||||||
|
-- Outgoing message will be signed,
|
||||||
|
-- no need to look for signatures.
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
nsigs = odkim.get_sigcount(ctx)
|
||||||
|
if nsigs == nil then
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
local valid = false
|
||||||
|
local error_msg = "No valid DKIM signature found."
|
||||||
|
for i = 1, nsigs do
|
||||||
|
sig = odkim.get_sighandle(ctx, i - 1)
|
||||||
|
sigres = odkim.sig_result(sig)
|
||||||
|
|
||||||
|
-- All signatures that do not correspond to From:
|
||||||
|
-- were ignored in screen.lua and return sigres -1.
|
||||||
|
--
|
||||||
|
-- Any valid signature that was not ignored like this
|
||||||
|
-- means the message is acceptable.
|
||||||
|
if sigres == 0 then
|
||||||
|
valid = true
|
||||||
|
else
|
||||||
|
error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if valid then
|
||||||
|
-- Strip all DKIM-Signature headers after successful validation
|
||||||
|
-- Delete in reverse order to avoid index shifting.
|
||||||
|
for i = nsigs, 1, -1 do
|
||||||
|
odkim.del_header(ctx, "DKIM-Signature", i)
|
||||||
|
end
|
||||||
|
else
|
||||||
|
odkim.set_reply(ctx, "554", "5.7.1", error_msg)
|
||||||
|
odkim.set_result(ctx, SMFIS_REJECT)
|
||||||
|
end
|
||||||
|
|
||||||
|
return nil
|
||||||
73
cmdeploy/src/cmdeploy/opendkim/opendkim.conf
Normal file
73
cmdeploy/src/cmdeploy/opendkim/opendkim.conf
Normal file
@@ -0,0 +1,73 @@
|
|||||||
|
# OpenDKIM configuration.
|
||||||
|
|
||||||
|
Syslog yes
|
||||||
|
SyslogSuccess yes
|
||||||
|
#LogWhy no
|
||||||
|
|
||||||
|
# Common signing and verification parameters. In Debian, the "From" header is
|
||||||
|
# oversigned, because it is often the identity key used by reputation systems
|
||||||
|
# and thus somewhat security sensitive.
|
||||||
|
Canonicalization relaxed/simple
|
||||||
|
OversignHeaders From
|
||||||
|
|
||||||
|
On-BadSignature reject
|
||||||
|
On-KeyNotFound reject
|
||||||
|
On-NoSignature reject
|
||||||
|
DNSTimeout 60
|
||||||
|
|
||||||
|
# Signing domain, selector, and key (required). For example, perform signing
|
||||||
|
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
|
||||||
|
# using the private key stored in /etc/dkimkeys/example.private. More granular
|
||||||
|
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
|
||||||
|
Domain {{ config.domain_name }}
|
||||||
|
Selector {{ config.opendkim_selector }}
|
||||||
|
KeyFile /etc/dkimkeys/{{ config.opendkim_selector }}.private
|
||||||
|
KeyTable /etc/dkimkeys/KeyTable
|
||||||
|
SigningTable refile:/etc/dkimkeys/SigningTable
|
||||||
|
|
||||||
|
# Sign Autocrypt header in addition to the default specified in RFC 6376.
|
||||||
|
#
|
||||||
|
# Default list is here:
|
||||||
|
# <https://github.com/trusteddomainproject/OpenDKIM/blob/5c539587561785a66c1f67f720f2fb741f320785/libopendkim/dkim.c#L221-L245>
|
||||||
|
SignHeaders *,+autocrypt,+content-type
|
||||||
|
|
||||||
|
# Prevent addition of second Content-Type header
|
||||||
|
# and other important headers that should not be added
|
||||||
|
# after signing the message.
|
||||||
|
# See
|
||||||
|
# <https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/>
|
||||||
|
# and RFC 6376 (page 41) for reference.
|
||||||
|
#
|
||||||
|
# We don't use "l=" body length so the problem described in RFC 6376
|
||||||
|
# is not applicable, but adding e.g. a second "From" header
|
||||||
|
# or second "Autocrypt" header is better prevented in any case.
|
||||||
|
#
|
||||||
|
# Default is empty.
|
||||||
|
OversignHeaders from,reply-to,subject,date,to,cc,resent-date,resent-from,resent-sender,resent-to,resent-cc,in-reply-to,references,list-id,list-help,list-unsubscribe,list-subscribe,list-post,list-owner,list-archive,autocrypt
|
||||||
|
|
||||||
|
# Script to ignore signatures that do not correspond to the From: domain.
|
||||||
|
ScreenPolicyScript /etc/opendkim/screen.lua
|
||||||
|
|
||||||
|
# Script to reject mails without a valid DKIM signature.
|
||||||
|
FinalPolicyScript /etc/opendkim/final.lua
|
||||||
|
|
||||||
|
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
|
||||||
|
# using a local socket with MTAs that access the socket as a non-privileged
|
||||||
|
# user (for example, Postfix). You may need to add user "postfix" to group
|
||||||
|
# "opendkim" in that case.
|
||||||
|
UserID opendkim
|
||||||
|
UMask 007
|
||||||
|
|
||||||
|
Socket local:/var/spool/postfix/opendkim/opendkim.sock
|
||||||
|
|
||||||
|
PidFile /run/opendkim/opendkim.pid
|
||||||
|
|
||||||
|
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
|
||||||
|
# by the package dns-root-data.
|
||||||
|
TrustAnchorFile /usr/share/dns/root.key
|
||||||
|
|
||||||
|
# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
|
||||||
|
MTA ORIGINATING
|
||||||
|
|
||||||
|
# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
|
||||||
|
InternalHosts -
|
||||||
21
cmdeploy/src/cmdeploy/opendkim/screen.lua
Normal file
21
cmdeploy/src/cmdeploy/opendkim/screen.lua
Normal file
@@ -0,0 +1,21 @@
|
|||||||
|
-- Ignore signatures that do not correspond to the From: domain.
|
||||||
|
|
||||||
|
from_domain = odkim.get_fromdomain(ctx)
|
||||||
|
if from_domain == nil then
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
n = odkim.get_sigcount(ctx)
|
||||||
|
if n == nil then
|
||||||
|
return nil
|
||||||
|
end
|
||||||
|
|
||||||
|
for i = 1, n do
|
||||||
|
sig = odkim.get_sighandle(ctx, i - 1)
|
||||||
|
sig_domain = odkim.sig_getdomain(sig)
|
||||||
|
if from_domain ~= sig_domain then
|
||||||
|
odkim.sig_ignore(sig)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
return nil
|
||||||
3
cmdeploy/src/cmdeploy/opendkim/systemd.conf
Normal file
3
cmdeploy/src/cmdeploy/opendkim/systemd.conf
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
[Service]
|
||||||
|
Restart=always
|
||||||
|
RuntimeMaxSec=1d
|
||||||
@@ -4,7 +4,7 @@ from cmdeploy.basedeploy import Deployer, get_resource
|
|||||||
|
|
||||||
|
|
||||||
class PostfixDeployer(Deployer):
|
class PostfixDeployer(Deployer):
|
||||||
required_users = [("postfix", None, ["dkim-milter"])]
|
required_users = [("postfix", None, ["opendkim"])]
|
||||||
daemon_reload = False
|
daemon_reload = False
|
||||||
|
|
||||||
def __init__(self, config, disable_mail):
|
def __init__(self, config, disable_mail):
|
||||||
@@ -83,7 +83,9 @@ class PostfixDeployer(Deployer):
|
|||||||
server.shell(
|
server.shell(
|
||||||
name="Validate postfix configuration",
|
name="Validate postfix configuration",
|
||||||
# Extract stderr and quit with error if non-zero
|
# Extract stderr and quit with error if non-zero
|
||||||
commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
|
commands=[
|
||||||
|
"""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
|
||||||
|
],
|
||||||
)
|
)
|
||||||
self.need_restart = need_restart
|
self.need_restart = need_restart
|
||||||
|
|
||||||
|
|||||||
@@ -64,7 +64,11 @@ alias_database = hash:/etc/aliases
|
|||||||
mydestination =
|
mydestination =
|
||||||
|
|
||||||
relayhost =
|
relayhost =
|
||||||
|
{% if disable_ipv6 %}
|
||||||
|
mynetworks = 127.0.0.0/8
|
||||||
|
{% else %}
|
||||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||||
|
{% endif %}
|
||||||
mailbox_size_limit = 0
|
mailbox_size_limit = 0
|
||||||
message_size_limit = {{config.max_message_size}}
|
message_size_limit = {{config.max_message_size}}
|
||||||
recipient_delimiter = +
|
recipient_delimiter = +
|
||||||
|
|||||||
@@ -80,13 +80,13 @@ filter unix - n n - - lmtp
|
|||||||
127.0.0.1:{{ config.postfix_reinject_port }} inet n - n - 100 smtpd
|
127.0.0.1:{{ config.postfix_reinject_port }} inet n - n - 100 smtpd
|
||||||
-o syslog_name=postfix/reinject
|
-o syslog_name=postfix/reinject
|
||||||
-o milter_macro_daemon_name=ORIGINATING
|
-o milter_macro_daemon_name=ORIGINATING
|
||||||
-o smtpd_milters=unix:dkim-milter/dkim-milter-sign.sock
|
-o smtpd_milters=unix:opendkim/opendkim.sock
|
||||||
-o cleanup_service_name=authclean
|
-o cleanup_service_name=authclean
|
||||||
|
|
||||||
# Local SMTP server for reinjecting incoming filtered mail
|
# Local SMTP server for reinjecting incoming filtered mail
|
||||||
127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet n - n - 100 smtpd
|
127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet n - n - 100 smtpd
|
||||||
-o syslog_name=postfix/reinject_incoming
|
-o syslog_name=postfix/reinject_incoming
|
||||||
-o smtpd_milters=unix:dkim-milter/dkim-milter-verify.sock
|
-o smtpd_milters=unix:opendkim/opendkim.sock
|
||||||
|
|
||||||
# Cleanup `Received` headers for authenticated mail
|
# Cleanup `Received` headers for authenticated mail
|
||||||
# to avoid leaking client IP.
|
# to avoid leaking client IP.
|
||||||
|
|||||||
@@ -53,7 +53,7 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
|
|||||||
print=log_progress,
|
print=log_progress,
|
||||||
)
|
)
|
||||||
except CalledProcessError:
|
except CalledProcessError:
|
||||||
return
|
return None, None
|
||||||
dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
|
dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
|
||||||
dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
|
dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
|
||||||
web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
|
web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
|
||||||
|
|||||||
@@ -40,5 +40,5 @@ def dovecot_recalc_quota(user):
|
|||||||
#
|
#
|
||||||
for line in output.split("\n"):
|
for line in output.split("\n"):
|
||||||
parts = line.split()
|
parts = line.split()
|
||||||
if parts[2] == "STORAGE":
|
if len(parts) >= 6 and parts[2] == "STORAGE":
|
||||||
return dict(value=int(parts[3]), limit=int(parts[4]), percent=int(parts[5]))
|
return dict(value=int(parts[3]), limit=int(parts[4]), percent=int(parts[5]))
|
||||||
|
|||||||
@@ -1,3 +1,4 @@
|
|||||||
|
import datetime
|
||||||
import smtplib
|
import smtplib
|
||||||
import socket
|
import socket
|
||||||
import subprocess
|
import subprocess
|
||||||
@@ -57,6 +58,15 @@ class TestSSHExecutor:
|
|||||||
else:
|
else:
|
||||||
pytest.fail("didn't raise exception")
|
pytest.fail("didn't raise exception")
|
||||||
|
|
||||||
|
def test_opendkim_restarted(self, sshexec):
|
||||||
|
"""check that opendkim is not running for longer than a day."""
|
||||||
|
cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
|
||||||
|
out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
|
||||||
|
datestring = out.split("=")[1]
|
||||||
|
since_date = datetime.datetime.strptime(datestring, "%a %Y-%m-%d %H:%M:%S %Z")
|
||||||
|
now = datetime.datetime.now(since_date.tzinfo)
|
||||||
|
assert (now - since_date).total_seconds() < 60 * 60 * 51
|
||||||
|
|
||||||
|
|
||||||
def test_timezone_env(remote):
|
def test_timezone_env(remote):
|
||||||
for line in remote.iter_output("env"):
|
for line in remote.iter_output("env"):
|
||||||
@@ -136,7 +146,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
|
|||||||
conn.starttls()
|
conn.starttls()
|
||||||
|
|
||||||
with conn as s:
|
with conn as s:
|
||||||
with pytest.raises(smtplib.SMTPDataError, match="No DKIM signature found"):
|
with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
|
||||||
s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
|
s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ def test_status_cmd(chatmail_config, capsys, request):
|
|||||||
"filtermail",
|
"filtermail",
|
||||||
"lastlogin",
|
"lastlogin",
|
||||||
"nginx",
|
"nginx",
|
||||||
"dkim-milter",
|
"opendkim",
|
||||||
"postfix@-",
|
"postfix@-",
|
||||||
"systemd-journald",
|
"systemd-journald",
|
||||||
"turnserver",
|
"turnserver",
|
||||||
|
|||||||
@@ -60,6 +60,29 @@ def mockdns(request, mockdns_base, mockdns_expected):
|
|||||||
return mockdns_base
|
return mockdns_base
|
||||||
|
|
||||||
|
|
||||||
|
class TestGetDkimEntry:
|
||||||
|
def test_dkim_entry_returns_tuple_on_success(self, mockdns):
|
||||||
|
entry, web_entry = remote.rdns.get_dkim_entry(
|
||||||
|
"some.domain", "", dkim_selector="opendkim"
|
||||||
|
)
|
||||||
|
# May return None,None if openssl not available, but should never crash
|
||||||
|
if entry is not None:
|
||||||
|
assert "opendkim._domainkey.some.domain" in entry
|
||||||
|
assert "opendkim._domainkey.some.domain" in web_entry
|
||||||
|
|
||||||
|
def test_dkim_entry_returns_none_tuple_on_error(self, monkeypatch):
|
||||||
|
"""CalledProcessError must return (None, None), not bare None."""
|
||||||
|
from subprocess import CalledProcessError
|
||||||
|
|
||||||
|
def failing_shell(command, fail_ok=False, print=print):
|
||||||
|
raise CalledProcessError(1, command)
|
||||||
|
|
||||||
|
monkeypatch.setattr(remote.rdns, "shell", failing_shell)
|
||||||
|
result = remote.rdns.get_dkim_entry("some.domain", "", dkim_selector="opendkim")
|
||||||
|
assert result == (None, None)
|
||||||
|
assert result[0] is None and result[1] is None
|
||||||
|
|
||||||
|
|
||||||
class TestPerformInitialChecks:
|
class TestPerformInitialChecks:
|
||||||
def test_perform_initial_checks_ok1(self, mockdns, mockdns_expected):
|
def test_perform_initial_checks_ok1(self, mockdns, mockdns_expected):
|
||||||
remote_data = remote.rdns.perform_initial_checks("some.domain")
|
remote_data = remote.rdns.perform_initial_checks("some.domain")
|
||||||
|
|||||||
68
cmdeploy/src/cmdeploy/tests/test_rshell.py
Normal file
68
cmdeploy/src/cmdeploy/tests/test_rshell.py
Normal file
@@ -0,0 +1,68 @@
|
|||||||
|
from unittest.mock import patch
|
||||||
|
|
||||||
|
from cmdeploy.remote.rshell import dovecot_recalc_quota
|
||||||
|
|
||||||
|
|
||||||
|
def test_dovecot_recalc_quota_normal_output():
|
||||||
|
"""Normal doveadm output returns parsed dict."""
|
||||||
|
normal_output = (
|
||||||
|
"Quota name Type Value Limit %\n"
|
||||||
|
"User quota STORAGE 5 102400 0\n"
|
||||||
|
"User quota MESSAGE 2 - 0\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
with patch("cmdeploy.remote.rshell.shell", return_value=normal_output):
|
||||||
|
result = dovecot_recalc_quota("user@example.org")
|
||||||
|
|
||||||
|
# shell is called twice (recalc + get), patch returns same for both
|
||||||
|
assert result == {"value": 5, "limit": 102400, "percent": 0}
|
||||||
|
|
||||||
|
|
||||||
|
def test_dovecot_recalc_quota_empty_output():
|
||||||
|
"""Empty doveadm output (trailing newline) must not IndexError."""
|
||||||
|
call_count = [0]
|
||||||
|
|
||||||
|
def mock_shell(cmd):
|
||||||
|
call_count[0] += 1
|
||||||
|
if "recalc" in cmd:
|
||||||
|
return ""
|
||||||
|
# quota get returns only empty lines
|
||||||
|
return "\n\n"
|
||||||
|
|
||||||
|
with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
|
||||||
|
result = dovecot_recalc_quota("user@example.org")
|
||||||
|
|
||||||
|
assert result is None
|
||||||
|
|
||||||
|
|
||||||
|
def test_dovecot_recalc_quota_malformed_output():
|
||||||
|
"""Malformed output with too few columns must not crash."""
|
||||||
|
call_count = [0]
|
||||||
|
|
||||||
|
def mock_shell(cmd):
|
||||||
|
call_count[0] += 1
|
||||||
|
if "recalc" in cmd:
|
||||||
|
return ""
|
||||||
|
# partial line, fewer than 6 parts
|
||||||
|
return "Quota name\nUser quota STORAGE\n"
|
||||||
|
|
||||||
|
with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
|
||||||
|
result = dovecot_recalc_quota("user@example.org")
|
||||||
|
|
||||||
|
assert result is None
|
||||||
|
|
||||||
|
|
||||||
|
def test_dovecot_recalc_quota_header_only():
|
||||||
|
"""Only header line, no data rows."""
|
||||||
|
call_count = [0]
|
||||||
|
|
||||||
|
def mock_shell(cmd):
|
||||||
|
call_count[0] += 1
|
||||||
|
if "recalc" in cmd:
|
||||||
|
return ""
|
||||||
|
return "Quota name Type Value Limit %\n"
|
||||||
|
|
||||||
|
with patch("cmdeploy.remote.rshell.shell", side_effect=mock_shell):
|
||||||
|
result = dovecot_recalc_quota("user@example.org")
|
||||||
|
|
||||||
|
assert result is None
|
||||||
4
cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
Normal file
4
cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
Normal file
@@ -0,0 +1,4 @@
|
|||||||
|
# Managed by cmdeploy: disable IPv6 in unbound.
|
||||||
|
server:
|
||||||
|
interface: 127.0.0.1
|
||||||
|
do-ip6: no
|
||||||
@@ -72,7 +72,7 @@ in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
|
|||||||
|
|
||||||
ssh root@$NEW_IP4
|
ssh root@$NEW_IP4
|
||||||
chown root: -R /var/lib/acme
|
chown root: -R /var/lib/acme
|
||||||
chown dkim-milter: -R /etc/dkimkeys
|
chown opendkim: -R /etc/dkimkeys
|
||||||
chown vmail: -R /home/vmail/mail
|
chown vmail: -R /home/vmail/mail
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -52,7 +52,7 @@ The deployed system components of a chatmail relay are:
|
|||||||
- `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
|
- `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
|
||||||
certificates for Dovecot, Postfix, and Nginx
|
certificates for Dovecot, Postfix, and Nginx
|
||||||
|
|
||||||
- `DKIM Milter <https://github.com/chatmail/dkim-milter>`_ for signing messages with
|
- `OpenDKIM <http://www.opendkim.org/>`_ for signing messages with
|
||||||
DKIM and rejecting inbound messages without DKIM
|
DKIM and rejecting inbound messages without DKIM
|
||||||
|
|
||||||
- `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
|
- `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
|
||||||
@@ -268,10 +268,12 @@ Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
|
|||||||
Incoming emails must have a valid DKIM signature with
|
Incoming emails must have a valid DKIM signature with
|
||||||
Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
|
Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
|
||||||
header) equal to the ``From:`` header domain. This property is checked
|
header) equal to the ``From:`` header domain. This property is checked
|
||||||
by dkim-milter ``reject_failures = author-mismatch `` policy. This
|
by OpenDKIM screen policy script before validating the signatures. This
|
||||||
corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
|
corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
|
||||||
If there is no valid DKIM signature on the incoming email, the
|
If there is no valid DKIM signature on the incoming email, the
|
||||||
sender receives a “5.7.1 No valid DKIM signature found” error.
|
sender receives a “5.7.1 No valid DKIM signature found” error.
|
||||||
|
After validating the DKIM signature,
|
||||||
|
the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.
|
||||||
|
|
||||||
Note that chatmail relays
|
Note that chatmail relays
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user