postfix: do lmtp via local instead of virtual transport

.github/workflows/ci.yaml

@@ -15,7 +15,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.2.0/filtermail-x86_64-musl -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.1.2/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
       - name: run chatmaild tests 
         working-directory: chatmaild
         run: pipx run tox

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -80,7 +80,7 @@ jobs:
 
       - name: set DNS entries
         run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
           cmdeploy dns --zonefile staging-generated.zone
           cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
           cat .github/workflows/staging-ipv4.testrun.org-default.zone

.github/workflows/test-and-deploy.yaml

@@ -82,7 +82,7 @@ jobs:
 
       - name: set DNS entries
         run: |
-          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown dkim-milter:dkim-milter -R /etc/dkimkeys
+          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
           cmdeploy dns --zonefile staging-generated.zone --verbose
           cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
           cat .github/workflows/staging.testrun.org-default.zone

README.md

@@ -1,20 +1,25 @@
 
-# Chatmail relays for end-to-end encrypted email
+# No-DNS Chatmail relay
 
-Chatmail relay servers are interoperable Mail Transport Agents (MTAs) designed for: 
+With this branch, you don't need DNS at all,
+just a VPS with an IPv4 address,
+let's take `77.42.80.106` as an example.
+First, choose a random domain name (it doesn't need working DNS)
+and create a chatmail.ini config file:
 
--  **Zero State:** no private data or metadata collected, messages are auto-deleted, low disk usage
+```
+cmdeploy init [77.42.80.106]
+```
 
--  **Instant/Realtime:** sub-second message delivery, realtime P2P
-   streaming, privacy-preserving Push Notifications for Apple, Google, and Huawei;
+Then, in `cmdeploy/src/cmdeploy/postfix/transport`,
+remove the line corresponding to your relay,
+and add other for relays you know.
+Now you can deploy the relay to your IP address:
 
--  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
+```
+cmdeploy run --skip-dns-check --ssh-host 77.42.80.106
+```
 
--  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
-   depends on established IETF standards and protocols.
-
-This repository contains everything needed to setup a ready-to-use chatmail relay on an ssh-reachable host. 
-For getting started and more information please refer to the web version of this repositories' documentation at
-
-[https://chatmail.at/doc/relay](https://chatmail.at/doc/relay)
+Finally, you can login with a `dclogin://` code like this, with the correct "domain name" and IP address:
 
+`dclogin:s0mer4nd0@[77.42.80.106]?p=w7i8da7h8uads92ycc2rufyl&v=1&ih=77.42.80.106&sh=77.42.80.106&sp=443&ip=443&ic=3&sc=3`

chatmaild/src/chatmaild/config.py

@@ -20,8 +20,7 @@ class Config:
     def __init__(self, inipath, params):
         self._inipath = inipath
         self.mail_domain = params["mail_domain"]
-        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
-        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
+        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
         self.max_mailbox_size = params["max_mailbox_size"]
         self.max_message_size = int(params.get("max_message_size", "31457280"))
         self.delete_mails_after = params["delete_mails_after"]

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -11,12 +11,9 @@ mail_domain = {mail_domain}
 # Restrictions on user addresses
 #
 
-# email sending rate per user and minute
+# how many mails a user can send out per minute
 max_user_send_per_minute = 60
 
-# per-user max burst size for sending rate limiting (GCRA bucket capacity)
-max_user_send_burst_size = 10
-
 # maximum mailbox size of a chatmail address
 max_mailbox_size = 500M
 

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -89,6 +89,7 @@ def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    ssh_host = ssh_host.strip("[").strip("]")
     sshexec = get_sshexec(ssh_host)
     require_iroh = args.config.enable_iroh_relay
     if not args.dns_check_disabled:

cmdeploy/src/cmdeploy/deployers.py

@@ -17,7 +17,6 @@ from pyinfra.operations import apt, files, pip, server, systemd
 
 from cmdeploy.cmdeploy import Out
 
-from .acmetool import AcmetoolDeployer
 from .basedeploy import (
     Deployer,
     Deployment,
@@ -25,11 +24,11 @@ from .basedeploy import (
     configure_remote_units,
     get_resource,
 )
-from .dkim_milter.deployer import DkimMilterDeployer
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
+from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
 from .www import build_webpages, find_merge_conflict, get_paths
 
@@ -533,7 +532,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
     port_services = [
         (["master", "smtpd"], 25),
         ("unbound", 53),
-        ("acmetool", 80),
         (["imap-login", "dovecot"], 143),
         ("nginx", 443),
         (["master", "smtpd"], 465),
@@ -568,11 +566,10 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         UnboundDeployer(),
         TurnDeployer(mail_domain),
         IrohDeployer(config.enable_iroh_relay),
-        AcmetoolDeployer(config.acme_email, tls_domains),
         WebsiteDeployer(config),
         ChatmailVenvDeployer(config),
         MtastsDeployer(),
-        DkimMilterDeployer(mail_domain),
+        OpendkimDeployer(mail_domain),
         # Dovecot should be started before Postfix
         # because it creates authentication socket
         # required by Postfix.

cmdeploy/src/cmdeploy/dkim_milter/deployer.py

@@ -1,169 +0,0 @@
-"""
-Installs DKIM Milter.
-"""
-
-from pyinfra import facts, host
-from pyinfra.facts.files import File, Sha256File
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class DkimMilterDeployer(Deployer):
-    required_users = [("dkim-milter", None, ["dkim-milter"])]
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-        self.need_restart = False
-
-    def install(self):
-        """Builds and installs dkim-milter"""
-
-        # openssl is required to generate the signing key
-        apt.packages(
-            name="Install openssl required by DKIM Milter",
-            packages=["openssl"],
-        )
-
-        (url, sha256sum) = {
-            "x86_64": (
-                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-x86_64",
-                "e676837b362ebef461881079e3e1151ed2db2d942d98b7103974921ac69ce5de",
-            ),
-            "aarch64": (
-                "https://github.com/chatmail/dkim-milter/releases/download/0.1.0/dkim-milter-aarch64",
-                "b853ab85a535b7e7e548ae0e4d85a61d4c0fd44f2912c3439662c56ca8a369e6",
-            ),
-        }[host.get_fact(facts.server.Arch)]
-
-        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/sbin/dkim-milter")
-        if existing_sha256sum != sha256sum:
-            server.shell(
-                name="Download DKIM Milter",
-                commands=[
-                    f"(curl -L {url} >/usr/local/sbin/dkim-milter.new && (echo '{sha256sum} /usr/local/sbin/dkim-milter.new' | sha256sum -c) && mv /usr/local/sbin/dkim-milter.new /usr/local/sbin/dkim-milter)",
-                    "chmod 755 /usr/local/sbin/dkim-milter",
-                ],
-            )
-            self.need_restart = True
-
-    def configure(self):
-        """Configures dkim-milter"""
-
-        domain = self.mail_domain
-        # note - we are using "opendkim" for backward compatibility
-        # for relays that were set up before we migrated from OpenDKIM
-        # to DKIM Milter.
-        selector = "opendkim"
-        signing_key_name = selector
-        # for backward compatibility with opendkim-genkey
-        signing_key_filename = f"{signing_key_name}.private"
-        config_common = {
-            "domain": domain,
-            "selector": selector,
-            "signing_key_name": signing_key_name,
-            "signing_key_filename": signing_key_filename,
-        }
-        config_verify = {
-            **config_common,
-            "mode": "verify",
-            "config_file": "/etc/dkim-milter/dkim-milter-verify.conf",
-            "socket_name": "dkim-milter-verify.sock",
-        }
-        config_sign = {
-            **config_common,
-            "mode": "sign",
-            "config_file": "/etc/dkim-milter/dkim-milter-sign.conf",
-            "socket_name": "dkim-milter-sign.sock",
-        }
-
-        self.need_restart |= files.directory(
-            name="Create a directory for DKIM Milter configs",
-            path="/etc/dkim-milter",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="750",
-            present=True,
-        ).changed
-
-        for config in [config_verify, config_sign]:
-            self.need_restart |= files.template(
-                src=get_resource("dkim_milter/dkim-milter.conf.j2"),
-                dest=config["config_file"],
-                user="dkim-milter",
-                group="dkim-milter",
-                mode="644",
-                config=config,
-            ).changed
-
-        self.need_restart |= files.directory(
-            name="Create dkimkeys directory",
-            path="/etc/dkimkeys",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="750",
-            present=True,
-        ).changed
-
-        self.need_restart |= files.template(
-            src=get_resource("dkim_milter/signing-keys"),
-            dest="/etc/dkim-milter/signing-keys",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="644",
-            config=config_common,
-        ).changed
-
-        self.need_restart |= files.template(
-            src=get_resource("dkim_milter/signing-senders"),
-            dest="/etc/dkim-milter/signing-senders",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="644",
-            config=config_common,
-        ).changed
-
-        self.need_restart |= files.directory(
-            name="Create DKIM Milter unix sockets directory",
-            path="/var/spool/postfix/dkim-milter",
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="770",
-        ).changed
-
-        if not host.get_fact(File, f"/etc/dkimkeys/{signing_key_filename}"):
-            server.shell(
-                name=f"Generate DKIM Milter signing key '{signing_key_name}'",
-                commands=[
-                    f"openssl genpkey -algorithm RSA -out /etc/dkimkeys/{signing_key_filename}"
-                ],
-            )
-            self.need_restart = True
-
-        # enforce restrictive permissions for the signing key
-        self.need_restart |= files.file(
-            path=f"/etc/dkimkeys/{signing_key_filename}",
-            present=True,
-            user="dkim-milter",
-            group="dkim-milter",
-            mode="0400",
-        ).changed
-
-        self.need_restart |= files.put(
-            name="Create dkim-milter service",
-            src=get_resource("dkim_milter/dkim-milter@.service"),
-            dest=f"/etc/systemd/system/dkim-milter@.service",
-        ).changed
-
-    def activate(self):
-        """Start and enable DKIM Milter"""
-        for mode in ["sign", "verify"]:
-            systemd.service(
-                name=f"Start and enable DKIM Milter in {mode} mode",
-                service=f"dkim-milter@{mode}",
-                running=True,
-                enabled=True,
-                daemon_reload=self.need_restart,
-                restarted=self.need_restart,
-            )
-            self.need_restart = False

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter.conf.j2

@@ -1,30 +0,0 @@
-mode = {{ config.mode }}
-
-{% if config.mode == "verify" %}
-# DKIM milter will skip verification for trusted sources,
-# which in our case is everything, since we run DKIM milter on a reinjection port,
-# and all connections are local.
-# We force verification for local connections by not trusting anyone.
-trusted_networks =
-{% endif %}
-
-log_destination = syslog
-log_level = info
-
-canonicalization = relaxed/simple
-
-lookup_timeout = 60s
-
-signing_keys = /etc/dkim-milter/signing-keys
-signing_senders = /etc/dkim-milter/signing-senders
-
-# Signing
-sign_headers = default; autocrypt:content-type
-oversign_headers = signed-extended
-
-# Verification
-required_signed_headers = From*
-forbid_unsigned_content = yes
-reject_failures = missing, no-pass, author-mismatch
-
-socket = unix:/var/spool/postfix/dkim-milter/{{ config.socket_name }}

cmdeploy/src/cmdeploy/dkim_milter/dkim-milter@.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=DKIM Milter %i
-Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
-After=network-online.target nss-lookup.target
-Wants=network-online.target
-
-[Service]
-User=dkim-milter
-UMask=007
-ExecStart=/usr/local/sbin/dkim-milter -c /etc/dkim-milter/dkim-milter-%i.conf
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target

cmdeploy/src/cmdeploy/dkim_milter/signing-keys

@@ -1,2 +0,0 @@
-# Key name                       Signing key
-{{ config.signing_key_name }}    </etc/dkimkeys/{{ config.signing_key_filename }}

cmdeploy/src/cmdeploy/dkim_milter/signing-senders

@@ -1,2 +0,0 @@
-# Sender expression    Domain                 Selector                 Key name
-.{{ config.domain }}   {{ config.domain }}    {{ config.selector }}    {{ config.signing_key_name }}

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -7,6 +7,7 @@ listen = *
 protocols = imap lmtp
 
 auth_mechanisms = plain
+auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@[]
 
 {% if debug == true %}
 auth_verbose = yes
@@ -228,8 +229,8 @@ service anvil {
 }
 
 ssl = required
-ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
-ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
+ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
+ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = yes

cmdeploy/src/cmdeploy/filtermail/deployer.py

@@ -14,10 +14,10 @@ class FiltermailDeployer(Deployer):
 
     def install(self):
         arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.2.0/filtermail-{arch}-musl"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.1.2/filtermail-{arch}"
         sha256sum = {
-            "x86_64": "1e5bbb646582cb16740c6dfbbca39edba492b78cc96ec9fa2528c612bb504edd",
-            "aarch64": "3564fba8605f8f9adfeefff3f4580533205da043f47c5968d0d10db17e50f44e",
+            "x86_64": "de7de6e011ffc06881d3a05fc9788e327ba2389219e77280ace38b429e11a5ce",
+            "aarch64": "a78fcdfb81eb3d9c8a8b6f84f6c0a75519b8be01aa25bd4617d72aae543992b4",
         }[arch]
         self.need_restart |= files.download(
             name="Download filtermail",

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -53,8 +53,8 @@ http {
 
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
-	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
-	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
+	ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+	ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
 
 	gzip on;
 

cmdeploy/src/cmdeploy/opendkim/KeyTable

@@ -0,0 +1 @@
+{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private

cmdeploy/src/cmdeploy/opendkim/SigningTable

@@ -0,0 +1 @@
+*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}

cmdeploy/src/cmdeploy/opendkim/deployer.py

@@ -0,0 +1,123 @@
+"""
+Installs OpenDKIM
+"""
+
+from pyinfra import host
+from pyinfra.facts.files import File
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class OpendkimDeployer(Deployer):
+    required_users = [("opendkim", None, ["opendkim"])]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+
+    def install(self):
+        apt.packages(
+            name="apt install opendkim opendkim-tools",
+            packages=["opendkim", "opendkim-tools"],
+        )
+
+    def configure(self):
+        domain = self.mail_domain
+        dkim_selector = "opendkim"
+        """Configures OpenDKIM"""
+        need_restart = False
+
+        main_config = files.template(
+            src=get_resource("opendkim/opendkim.conf"),
+            dest="/etc/opendkim.conf",
+            user="root",
+            group="root",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= main_config.changed
+
+        screen_script = files.put(
+            src=get_resource("opendkim/screen.lua"),
+            dest="/etc/opendkim/screen.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= screen_script.changed
+
+        final_script = files.put(
+            src=get_resource("opendkim/final.lua"),
+            dest="/etc/opendkim/final.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= final_script.changed
+
+        files.directory(
+            name="Add opendkim directory to /etc",
+            path="/etc/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        keytable = files.template(
+            src=get_resource("opendkim/KeyTable"),
+            dest="/etc/dkimkeys/KeyTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= keytable.changed
+
+        signing_table = files.template(
+            src=get_resource("opendkim/SigningTable"),
+            dest="/etc/dkimkeys/SigningTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= signing_table.changed
+        files.directory(
+            name="Add opendkim socket directory to /var/spool/postfix",
+            path="/var/spool/postfix/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
+            server.shell(
+                name="Generate OpenDKIM domain keys",
+                commands=[
+                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
+                ],
+                _use_su_login=True,
+                _su_user="opendkim",
+            )
+
+        service_file = files.put(
+            name="Configure opendkim to restart once a day",
+            src=get_resource("opendkim/systemd.conf"),
+            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
+        )
+        need_restart |= service_file.changed
+
+        self.need_restart = need_restart
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable OpenDKIM",
+            service="opendkim.service",
+            running=True,
+            enabled=True,
+            daemon_reload=self.need_restart,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -0,0 +1,42 @@
+mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
+if mtaname == "ORIGINATING" then
+	-- Outgoing message will be signed,
+	-- no need to look for signatures.
+	return nil
+end
+
+nsigs = odkim.get_sigcount(ctx)
+if nsigs == nil then
+	return nil
+end
+
+local valid = false
+local error_msg = "No valid DKIM signature found."
+for i = 1, nsigs do
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sigres = odkim.sig_result(sig)
+
+	-- All signatures that do not correspond to From: 
+	-- were ignored in screen.lua and return sigres -1.
+	-- 
+	-- Any valid signature that was not ignored like this
+	-- means the message is acceptable.
+	if sigres == 0 then
+		valid = true
+    else
+        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
+	end
+end
+
+if valid then
+	-- Strip all DKIM-Signature headers after successful validation
+	-- Delete in reverse order to avoid index shifting.
+	for i = nsigs, 1, -1 do
+		odkim.del_header(ctx, "DKIM-Signature", i)
+	end
+else
+	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
+	odkim.set_result(ctx, SMFIS_REJECT)
+end
+
+return nil

cmdeploy/src/cmdeploy/opendkim/opendkim.conf

@@ -0,0 +1,73 @@
+# OpenDKIM configuration.
+
+Syslog			yes
+SyslogSuccess		yes
+#LogWhy			no
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization	relaxed/simple
+OversignHeaders		From
+
+On-BadSignature         reject
+On-KeyNotFound          reject
+On-NoSignature          reject
+DNSTimeout          60
+
+# Signing domain, selector, and key (required). For example, perform signing
+# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
+# using the private key stored in /etc/dkimkeys/example.private. More granular
+# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
+Domain			{{ config.domain_name }}
+Selector		{{ config.opendkim_selector }}
+KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
+KeyTable          /etc/dkimkeys/KeyTable
+SigningTable      refile:/etc/dkimkeys/SigningTable
+
+# Sign Autocrypt header in addition to the default specified in RFC 6376.
+#
+# Default list is here:
+# <https://github.com/trusteddomainproject/OpenDKIM/blob/5c539587561785a66c1f67f720f2fb741f320785/libopendkim/dkim.c#L221-L245>
+SignHeaders *,+autocrypt,+content-type
+
+# Prevent addition of second Content-Type header
+# and other important headers that should not be added
+# after signing the message.
+# See
+# <https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/>
+# and RFC 6376 (page 41) for reference.
+#
+# We don't use "l=" body length so the problem described in RFC 6376
+# is not applicable, but adding e.g. a second "From" header
+# or second "Autocrypt" header is better prevented in any case.
+#
+# Default is empty.
+OversignHeaders from,reply-to,subject,date,to,cc,resent-date,resent-from,resent-sender,resent-to,resent-cc,in-reply-to,references,list-id,list-help,list-unsubscribe,list-subscribe,list-post,list-owner,list-archive,autocrypt
+
+# Script to ignore signatures that do not correspond to the From: domain.
+ScreenPolicyScript /etc/opendkim/screen.lua
+
+# Script to reject mails without a valid DKIM signature.
+FinalPolicyScript /etc/opendkim/final.lua
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID			opendkim
+UMask			007
+
+Socket			local:/var/spool/postfix/opendkim/opendkim.sock
+
+PidFile			/run/opendkim/opendkim.pid
+
+# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
+# by the package dns-root-data.
+TrustAnchorFile		/usr/share/dns/root.key
+
+# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
+MTA ORIGINATING
+
+# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
+InternalHosts -

cmdeploy/src/cmdeploy/opendkim/screen.lua

@@ -0,0 +1,21 @@
+-- Ignore signatures that do not correspond to the From: domain.
+
+from_domain = odkim.get_fromdomain(ctx)
+if from_domain == nil then
+	return nil
+end
+
+n = odkim.get_sigcount(ctx)
+if n == nil then
+	return nil
+end
+
+for i = 1, n do
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sig_domain = odkim.sig_getdomain(sig)
+	if from_domain ~= sig_domain then
+		odkim.sig_ignore(sig)
+	end
+end
+
+return nil

cmdeploy/src/cmdeploy/opendkim/systemd.conf

@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RuntimeMaxSec=1d

cmdeploy/src/cmdeploy/postfix/deployer.py

@@ -4,7 +4,7 @@ from cmdeploy.basedeploy import Deployer, get_resource
 
 
 class PostfixDeployer(Deployer):
-    required_users = [("postfix", None, ["dkim-milter"])]
+    required_users = [("postfix", None, ["opendkim"])]
     daemon_reload = False
 
     def __init__(self, config, disable_mail):
@@ -60,7 +60,19 @@ class PostfixDeployer(Deployer):
             mode="644",
         )
         need_restart |= lmtp_header_cleanup.changed
-
+        # Transport map that discards messages to nine.testrun.org
+        transport_map = files.put(
+            src=get_resource("postfix/transport"),
+            dest="/etc/postfix/transport",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= transport_map.changed
+        if transport_map.changed:
+            server.shell(
+                commands=["postmap /etc/postfix/transport"],
+            )
         # Login map that 1:1 maps email address to login.
         login_map = files.put(
             src=get_resource("postfix/login_map"),

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -15,12 +15,12 @@ readme_directory = no
 compatibility_level = 3.6
 
 # TLS parameters
-smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
-smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=verify
+smtp_tls_security_level=encrypt
 # Send SNI extension when connecting to other servers.
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
@@ -54,14 +54,15 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 tls_preempt_cipherlist = yes
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 
 # Postfix does not deliver mail for any domain by itself.
 # Primary domain is listed in `virtual_mailbox_domains` instead
 # and handed over to Dovecot.
-mydestination =
+mydestination = {{ config.mail_domain }}
+local_transport = lmtp:unix:private/dovecot-lmtp
+local_recipient_maps =
 
 relayhost = 
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
@@ -75,14 +76,15 @@ inet_protocols = ipv4
 inet_protocols = all
 {% endif %}
 
-virtual_transport = lmtp:unix:private/dovecot-lmtp
-virtual_mailbox_domains = {{ config.mail_domain }}
 lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 
 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
 mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
 
+# Discard messages to nine.testrun.org
+transport_maps = hash:/etc/postfix/transport
+
 # 1:1 map MAIL FROM to SASL login name.
 smtpd_sender_login_maps = regexp:/etc/postfix/login_map
 

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -80,13 +80,13 @@ filter    unix -        n       n       -       -       lmtp
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject
   -o milter_macro_daemon_name=ORIGINATING
-  -o smtpd_milters=unix:dkim-milter/dkim-milter-sign.sock
+  -o smtpd_milters=unix:opendkim/opendkim.sock
   -o cleanup_service_name=authclean
 
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject_incoming
-  -o smtpd_milters=unix:dkim-milter/dkim-milter-verify.sock
+#  -o smtpd_milters=unix:opendkim/opendkim.sock
 
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.

cmdeploy/src/cmdeploy/postfix/transport

@@ -0,0 +1,2 @@
+nine.testrun.org discard:
+* :

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,3 +1,4 @@
+import datetime
 import smtplib
 import socket
 import subprocess
@@ -57,6 +58,15 @@ class TestSSHExecutor:
         else:
             pytest.fail("didn't raise exception")
 
+    def test_opendkim_restarted(self, sshexec):
+        """check that opendkim is not running for longer than a day."""
+        cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
+        out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
+        datestring = out.split("=")[1]
+        since_date = datetime.datetime.strptime(datestring, "%a %Y-%m-%d %H:%M:%S %Z")
+        now = datetime.datetime.now(since_date.tzinfo)
+        assert (now - since_date).total_seconds() < 60 * 60 * 51
+
 
 def test_timezone_env(remote):
     for line in remote.iter_output("env"):
@@ -136,7 +146,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
     conn.starttls()
 
     with conn as s:
-        with pytest.raises(smtplib.SMTPDataError, match="No DKIM signature found"):
+        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 
@@ -180,18 +190,22 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
         "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
     ).as_string()
 
-    start = time.time()
-    for i in range(chatmail_config.max_user_send_per_minute * 3):
-        print("Sending mail", str(i + 1), "at", time.time() - start, "s.")
+    timestamps = []
+    i = 0
+    while len(timestamps) <= chatmail_config.max_user_send_per_minute * 1.7:
+        print("Sending mail", str(i))
+        i += 1
         try:
             user1.smtp.sendmail(user1.addr, [user2.addr], mail)
+            timestamps.append(time.time())
         except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_burst_size:
+            if len(timestamps) < chatmail_config.max_user_send_per_minute:
                 pytest.fail(f"rate limit was exceeded too early with msg {i}")
             outcome = e.recipients[user2.addr]
             assert outcome[0] == 450
             assert b"4.7.1: Too much mail from" in outcome[1]
             return
+        timestamps[:] = [ts for ts in timestamps if ts >= (time.time() - 60)]
     pytest.fail("Rate limit was not exceeded")
 
 

cmdeploy/src/cmdeploy/tests/online/test_3_status.py

@@ -24,7 +24,7 @@ def test_status_cmd(chatmail_config, capsys, request):
         "filtermail",
         "lastlogin",
         "nginx",
-        "dkim-milter",
+        "opendkim",
         "postfix@-",
         "systemd-journald",
         "turnserver",

doc/source/migrate.rst

@@ -72,7 +72,7 @@ in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
 
        ssh root@$NEW_IP4
        chown root: -R /var/lib/acme
-       chown dkim-milter: -R /etc/dkimkeys
+       chown opendkim: -R /etc/dkimkeys
        chown vmail: -R /home/vmail/mail
 
 

doc/source/overview.rst

@@ -42,17 +42,12 @@ The deployed system components of a chatmail relay are:
 -  Dovecot_ is the Mail Delivery Agent (MDA) and
    stores messages for users until they download them
 
--  `filtermail <https://github.com/chatmail/filtermail>`_
-   prevents unencrypted email from leaving or entering the chatmail
-   service and is integrated into Postfix’s outbound and inbound mail
-   pipelines.
-
 -  Nginx_ shows the web page with privacy policy and additional information
 
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
    certificates for Dovecot, Postfix, and Nginx
 
--  `DKIM Milter <https://github.com/chatmail/dkim-milter>`_ for signing messages with
+-  `OpenDKIM <http://www.opendkim.org/>`_ for signing messages with
    DKIM and rejecting inbound messages without DKIM
 
 -  `mtail <https://google.github.io/mtail/>`_ for collecting anonymized
@@ -90,6 +85,11 @@ short overview of ``chatmaild`` services:
    <https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
    to authenticate logins.
 
+-  `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
+   prevents unencrypted email from leaving or entering the chatmail
+   service and is integrated into Postfix’s outbound and inbound mail
+   pipelines.
+
 -  `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
    is contacted by a `Dovecot lua
    script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
@@ -268,10 +268,12 @@ Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
-by dkim-milter ``reject_failures = author-mismatch `` policy. This
+by OpenDKIM screen policy script before validating the signatures. This
 corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
+After validating the DKIM signature,
+the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.
 
 Note that chatmail relays