docker: make compose work with cgroups (v2), conversion scripts/docs

opendkim-genkey was running unconditionally on every startup,
check if file exists and skip.

.dockerignore

@@ -1,18 +1,7 @@
+.git
 data/
 venv/
 __pycache__
 *.pyc
 *.orig
-*.ini
 .pytest_cache
-.env
-
-# Slim build context — .git/ alone can be 100s of MB
-.git
-.github/
-docs/
-tests/
-
-# Exclude markdown files but keep www/src/*.md (used by WebsiteDeployer)
-*.md
-!www/**/*.md

.github/workflows/docker-build.yaml

@@ -1,76 +0,0 @@
-name: Docker Build
-
-on:
-  pull_request:
-    paths:
-      - 'docker/**'
-      - 'docker-compose.yaml'
-      - '.dockerignore'
-      - 'chatmaild/**'
-      - 'cmdeploy/**'
-      - '.github/workflows/docker-build.yaml'
-  push:
-    branches:
-      - main
-      - j4n/docker
-    paths:
-      - 'docker/**'
-      - 'docker-compose.yaml'
-      - '.dockerignore'
-      - 'chatmaild/**'
-      - 'cmdeploy/**'
-      - '.github/workflows/docker-build.yaml'
-    tags:
-      - 'v*'
-
-env:
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
-
-jobs:
-  build:
-    name: Build Docker image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to GHCR
-        if: github.event_name == 'push'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract metadata (tags, labels)
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            # Tagged releases: v1.2.3 → :1.2.3, :1.2, :latest
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            # Branch pushes: j4n/docker → :j4n-docker
-            type=ref,event=branch
-            # Always: :sha-<hash>
-            type=sha
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/chatmail_relay.dockerfile
-          push: ${{ github.event_name == 'push' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
-          build-args: |
-            GIT_HASH=${{ github.sha }}

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -75,7 +75,8 @@ jobs:
           cmdeploy init staging-ipv4.testrun.org
           sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini
           sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
-          cmdeploy run --verbose --skip-dns-check
+
+      - run: cmdeploy run --verbose --skip-dns-check
 
       - name: set DNS entries
         run: |

.github/workflows/test-tls-external.yaml

@@ -1,37 +0,0 @@
-name: test tls_external_cert_and_key on staging2.testrun.org
-
-on:
-  workflow_run:
-    workflows:
-      - "deploy on staging2.testrun.org, and run tests"
-    types:
-      - completed
-
-jobs:
-  test-tls-external:
-    name: test tls_external_cert_and_key
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    concurrency: staging2.testrun.org
-    environment:
-      name: staging2.testrun.org
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: prepare SSH
-        run: |
-          mkdir -p ~/.ssh
-          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
-          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan staging2.testrun.org >> ~/.ssh/known_hosts 2>/dev/null
-
-      - run: scripts/initenv.sh
-
-      - name: append venv/bin to PATH
-        run: echo venv/bin >>$GITHUB_PATH
-
-      - name: run tls_external e2e test
-        run: |
-          python -m cmdeploy.tests.setup_tls_external \
-            staging2.testrun.org

.gitignore

@@ -168,5 +168,4 @@ chatmail.zone
 # docker
 /data/
 /custom/
-docker-compose.override.yaml
 .env

CHANGELOG.md

@@ -121,6 +121,13 @@
   Provide an "fsreport" CLI for more fine grained analysis of message files. 
   ([#637](https://github.com/chatmail/relay/pull/637))
 
+- Add installation via docker compose (MVP 1). The instructions, known issues and limitations are located in `/docs` 
+  ([#614](https://github.com/chatmail/relay/pull/614))
+
+- Add configuration parameters
+  ([#614](https://github.com/chatmail/relay/pull/614)):
+  - `change_kernel_settings` - Whether to change kernel parameters during installation (default: `True`)
+  - `fs_inotify_max_user_instances_and_watchers` - Value for kernel parameters `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches` (default: `65535`)
 
 ## 1.7.0 2025-09-11
 

chatmaild/src/chatmaild/config.py

@@ -47,6 +47,12 @@ class Config:
         self.addr_v4 = os.environ.get("CHATMAIL_ADDR_V4", "")
         self.addr_v6 = os.environ.get("CHATMAIL_ADDR_V6", "")
         self.acme_email = params.get("acme_email", "")
+        self.change_kernel_settings = (
+            params.get("change_kernel_settings", "true").lower() == "true"
+        )
+        self.fs_inotify_max_user_instances_and_watchers = int(
+            params["fs_inotify_max_user_instances_and_watchers"]
+        )
         self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
         self.imap_compress = params.get("imap_compress", "false").lower() == "true"
         if "iroh_relay" not in params:
@@ -60,32 +66,6 @@ class Config:
         self.privacy_pdo = params.get("privacy_pdo")
         self.privacy_supervisor = params.get("privacy_supervisor")
 
-        # TLS certificate management.
-        # If tls_external_cert_and_key is set, use externally managed certs.
-        # Otherwise derived from the domain name:
-        # - Domains starting with "_" use self-signed certificates
-        # - All other domains use ACME.
-        external = params.get("tls_external_cert_and_key", "").strip()
-
-        if external:
-            parts = external.split()
-            if len(parts) != 2:
-                raise ValueError(
-                    "tls_external_cert_and_key must have two space-separated"
-                    " paths: CERT_PATH KEY_PATH"
-                )
-            self.tls_cert_mode = "external"
-            self.tls_cert_path = parts[0]
-            self.tls_key_path = parts[1]
-        elif self.mail_domain.startswith("_"):
-            self.tls_cert_mode = "self"
-            self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
-            self.tls_key_path = "/etc/ssl/private/mailserver.key"
-        else:
-            self.tls_cert_mode = "acme"
-            self.tls_cert_path = f"/var/lib/acme/live/{self.mail_domain}/fullchain"
-            self.tls_key_path = f"/var/lib/acme/live/{self.mail_domain}/privkey"
-
         # deprecated option
         mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
         self.mailboxes_dir = Path(mbdir.strip())

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -48,13 +48,6 @@ passthrough_senders =
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
 passthrough_recipients =
 
-# Use externally managed TLS certificates instead of built-in acmetool.
-# Paths refer to files on the deployment server (not the build machine).
-# Both files must already exist before running cmdeploy.
-# Certificate renewal is your responsibility; changed files are
-# picked up automatically by all relay services.
-# tls_external_cert_and_key = /path/to/fullchain.pem /path/to/privkey.pem
-
 # path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
 #www_folder = www
 
@@ -76,6 +69,16 @@ disable_ipv6 = False
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
 acme_email = 
 
+#
+# Kernel settings
+#
+
+# if you set "True", the kernel settings will be configured according to the values below
+change_kernel_settings  = True
+
+# change fs.inotify.max_user_instances and fs.inotify.max_user_watches kernel settings
+fs_inotify_max_user_instances_and_watchers = 65535
+
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
 # If you set it to anything else, the service will be disabled

chatmaild/src/chatmaild/newemail.py

@@ -6,7 +6,6 @@ import json
 import random
 import secrets
 import string
-from urllib.parse import quote
 
 from chatmaild.config import Config, read_config
 
@@ -24,26 +23,13 @@ def create_newemail_dict(config: Config):
     return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
 
 
-def create_dclogin_url(email, password):
-    """Build a dclogin: URL with credentials and self-signed cert acceptance.
-
-    Uses ic=3 (AcceptInvalidCertificates) so chatmail clients
-    can connect to servers with self-signed TLS certificates.
-    """
-    return f"dclogin:{quote(email, safe='@')}?p={quote(password, safe='')}&v=1&ic=3"
-
-
 def print_new_account():
     config = read_config(CONFIG_PATH)
     creds = create_newemail_dict(config)
 
-    result = dict(email=creds["email"], password=creds["password"])
-    if config.tls_cert_mode == "self":
-        result["dclogin_url"] = create_dclogin_url(creds["email"], creds["password"])
-
     print("Content-Type: application/json")
     print("")
-    print(json.dumps(result))
+    print(json.dumps(creds))
 
 
 if __name__ == "__main__":

chatmaild/src/chatmaild/tests/test_config.py

@@ -73,50 +73,3 @@ def test_config_userstate_paths(make_config, tmp_path):
 def test_config_max_message_size(make_config, tmp_path):
     config = make_config("something.testrun.org", dict(max_message_size="10000"))
     assert config.max_message_size == 10000
-
-
-def test_config_tls_default_acme(make_config):
-    config = make_config("chat.example.org")
-    assert config.tls_cert_mode == "acme"
-    assert config.tls_cert_path == "/var/lib/acme/live/chat.example.org/fullchain"
-    assert config.tls_key_path == "/var/lib/acme/live/chat.example.org/privkey"
-
-
-def test_config_tls_self(make_config):
-    config = make_config("_test.example.org")
-    assert config.tls_cert_mode == "self"
-    assert config.tls_cert_path == "/etc/ssl/certs/mailserver.pem"
-    assert config.tls_key_path == "/etc/ssl/private/mailserver.key"
-
-
-def test_config_tls_external(make_config):
-    config = make_config(
-        "chat.example.org",
-        {
-            "tls_external_cert_and_key": "/custom/fullchain.pem /custom/privkey.pem",
-        },
-    )
-    assert config.tls_cert_mode == "external"
-    assert config.tls_cert_path == "/custom/fullchain.pem"
-    assert config.tls_key_path == "/custom/privkey.pem"
-
-
-def test_config_tls_external_overrides_underscore(make_config):
-    config = make_config(
-        "_test.example.org",
-        {
-            "tls_external_cert_and_key": "/certs/fullchain.pem /certs/privkey.pem",
-        },
-    )
-    assert config.tls_cert_mode == "external"
-    assert config.tls_cert_path == "/certs/fullchain.pem"
-
-
-def test_config_tls_external_bad_format(make_config):
-    with pytest.raises(ValueError, match="two space-separated"):
-        make_config(
-            "chat.example.org",
-            {
-                "tls_external_cert_and_key": "/only/one/path.pem",
-            },
-        )

chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py

@@ -1,15 +1,9 @@
-import shutil
 import smtplib
 import subprocess
 import sys
 
 import pytest
 
-pytestmark = pytest.mark.skipif(
-    shutil.which("filtermail") is None,
-    reason="filtermail binary not found",
-)
-
 
 @pytest.fixture
 def smtpserver():

chatmaild/src/chatmaild/tests/test_newmail.py

@@ -1,11 +1,7 @@
 import json
 
 import chatmaild
-from chatmaild.newemail import (
-    create_dclogin_url,
-    create_newemail_dict,
-    print_new_account,
-)
+from chatmaild.newemail import create_newemail_dict, print_new_account
 
 
 def test_create_newemail_dict(example_config):
@@ -19,18 +15,6 @@ def test_create_newemail_dict(example_config):
     assert ac1["password"] != ac2["password"]
 
 
-def test_create_dclogin_url():
-    url = create_dclogin_url("user@example.org", "p@ss w+rd")
-    assert url.startswith("dclogin:")
-    assert "v=1" in url
-    assert "ic=3" in url
-
-    assert "user@example.org" in url
-    # password special chars must be encoded
-    assert "p%40ss" in url
-    assert "w%2Brd" in url
-
-
 def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_config):
     monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(example_config._inipath))
     print_new_account()
@@ -41,20 +25,3 @@ def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_conf
     dic = json.loads(lines[2])
     assert dic["email"].endswith(f"@{example_config.mail_domain}")
     assert len(dic["password"]) >= 10
-    # default tls_cert=acme should not include dclogin_url
-    assert "dclogin_url" not in dic
-
-
-def test_print_new_account_self_signed(capsys, monkeypatch, make_config):
-    config = make_config("_test.example.org")
-    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(config._inipath))
-    print_new_account()
-    out, err = capsys.readouterr()
-    lines = out.split("\n")
-    dic = json.loads(lines[2])
-    assert "dclogin_url" in dic
-    url = dic["dclogin_url"]
-    assert url.startswith("dclogin:")
-    assert "ic=3" in url
-
-    assert dic["email"].split("@")[0] in url

cmdeploy/src/cmdeploy/chatmail.zone.j2

@@ -8,10 +8,8 @@
 {{ mail_domain }}.                   AAAA  {{ AAAA }}
 {% endif %}
 {{ mail_domain }}.                   MX 10 {{ mail_domain }}.
-{% if strict_tls %}
 _mta-sts.{{ mail_domain }}.          TXT "v=STSv1; id={{ sts_id }}"
 mta-sts.{{ mail_domain }}.           CNAME {{ mail_domain }}.
-{% endif %}
 www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
 {{ dkim_entry }}
 

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -91,10 +91,9 @@ def run_cmd(args, out):
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
     sshexec = get_sshexec(ssh_host)
     require_iroh = args.config.enable_iroh_relay
-    strict_tls = args.config.tls_cert_mode == "acme"
     if not args.dns_check_disabled:
         remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
+        if not dns.check_initial_remote_data(remote_data, print=out.red):
             return 1
 
     env = os.environ.copy()
@@ -111,8 +110,7 @@ def run_cmd(args, out):
     cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
     if ssh_host in ["localhost", "@docker"]:
         if ssh_host == "@docker":
-            env["CHATMAIL_NOPORTCHECK"] = "True"
-            env["CHATMAIL_NOSYSCTL"] = "True"
+            env["CHATMAIL_DOCKER"] = "True"
         cmd = f"{pyinf} @local {deploy_path} -y"
 
     if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -128,7 +126,7 @@ def run_cmd(args, out):
                 out.red("Website deployment failed.")
         elif retcode == 0:
             out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
+        elif not args.dns_check_disabled and not remote_data["acme_account_url"]:
             out.red("Deploy completed but letsencrypt not configured")
             out.red("Run 'cmdeploy run' again")
             retcode = 0
@@ -155,13 +153,11 @@ def dns_cmd(args, out):
     """Check DNS entries and optionally generate dns zone file."""
     ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
     sshexec = get_sshexec(ssh_host, verbose=args.verbose)
-    tls_cert_mode = args.config.tls_cert_mode
-    strict_tls = tls_cert_mode == "acme"
     remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-    if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls):
+    if not remote_data:
         return 1
 
-    if strict_tls and not remote_data["acme_account_url"]:
+    if not remote_data["acme_account_url"]:
         out.red("could not get letsencrypt account url, please run 'cmdeploy run'")
         return 1
 
@@ -169,7 +165,6 @@ def dns_cmd(args, out):
         out.red("could not determine dkim_entry, please run 'cmdeploy run'")
         return 1
 
-    remote_data["strict_tls"] = strict_tls
     zonefile = dns.get_filled_zone_file(remote_data)
 
     if args.zonefile:
@@ -335,7 +330,7 @@ def add_config_option(parser):
         "--config",
         dest="inipath",
         action="store",
-        default=Path(os.environ.get("CHATMAIL_INI", "chatmail.ini")),
+        default=Path("chatmail.ini"),
         type=Path,
         help="path to the chatmail.ini file",
     )

cmdeploy/src/cmdeploy/deployers.py

@@ -2,7 +2,6 @@
 Chat Mail pyinfra deploy.
 """
 
-import os
 import shutil
 import subprocess
 import sys
@@ -20,7 +19,6 @@ from pyinfra.operations import apt, files, pip, server, systemd
 from cmdeploy.cmdeploy import Out
 
 from .acmetool import AcmetoolDeployer
-from .external.deployer import ExternalTlsDeployer
 from .basedeploy import (
     Deployer,
     Deployment,
@@ -35,7 +33,6 @@ from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
 from .opendkim.deployer import OpendkimDeployer
 from .postfix.deployer import PostfixDeployer
-from .selfsigned.deployer import SelfSignedTlsDeployer
 from .www import build_webpages, find_merge_conflict, get_paths
 
 
@@ -541,26 +538,13 @@ class GithashDeployer(Deployer):
         )
 
 
-def get_tls_deployer(config, mail_domain):
-    """Select the appropriate TLS deployer based on config."""
-    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
-
-    if config.tls_cert_mode == "acme":
-        return AcmetoolDeployer(config.acme_email, tls_domains)
-    elif config.tls_cert_mode == "self":
-        return SelfSignedTlsDeployer(mail_domain)
-    elif config.tls_cert_mode == "external":
-        return ExternalTlsDeployer(config.tls_cert_path, config.tls_key_path)
-    else:
-        raise ValueError(f"Unknown tls_cert_mode: {config.tls_cert_mode}")
-
-
-def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -> None:
+def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool, docker: bool) -> None:
     """Deploy a chat-mail instance.
 
     :param config_path: path to chatmail.ini
     :param disable_mail: whether to disable postfix & dovecot
     :param website_only: if True, only deploy the website
+    :param docker: whether it is running in a docker container
     """
     config = read_config(config_path)
     check_config(config)
@@ -586,14 +570,11 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
             Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
             exit(1)
 
-    if not os.environ.get("CHATMAIL_NOPORTCHECK"):
+    if not docker:
         port_services = [
             (["master", "smtpd"], 25),
             ("unbound", 53),
-        ]
-        if config.tls_cert_mode == "acme":
-            port_services.append(("acmetool", 80))
-        port_services += [
+            ("acmetool", 80),
             (["imap-login", "dovecot"], 143),
             ("nginx", 443),
             (["master", "smtpd"], 465),
@@ -619,7 +600,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
                     )
                     exit(1)
 
-    tls_deployer = get_tls_deployer(config, mail_domain)
+    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
 
     all_deployers = [
         ChatmailDeployer(mail_domain),
@@ -629,7 +610,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
         UnboundDeployer(config),
         TurnDeployer(mail_domain),
         IrohDeployer(config.enable_iroh_relay),
-        tls_deployer,
+        AcmetoolDeployer(config.acme_email, tls_domains),
         WebsiteDeployer(config),
         ChatmailVenvDeployer(config),
         MtastsDeployer(),

cmdeploy/src/cmdeploy/dns.py

@@ -12,14 +12,14 @@ def get_initial_remote_data(sshexec, mail_domain):
     )
 
 
-def check_initial_remote_data(remote_data, *, strict_tls=True, print=print):
+def check_initial_remote_data(remote_data, *, print=print):
     mail_domain = remote_data["mail_domain"]
     if not remote_data["A"] and not remote_data["AAAA"]:
         print(f"Missing A and/or AAAA DNS records for {mail_domain}!")
-    elif strict_tls and remote_data["MTA_STS"] != f"{mail_domain}.":
+    elif remote_data["MTA_STS"] != f"{mail_domain}.":
         print("Missing MTA-STS CNAME record:")
         print(f"mta-sts.{mail_domain}.   CNAME  {mail_domain}.")
-    elif strict_tls and remote_data["WWW"] != f"{mail_domain}.":
+    elif remote_data["WWW"] != f"{mail_domain}.":
         print("Missing www CNAME record:")
         print(f"www.{mail_domain}.   CNAME  {mail_domain}.")
     else:

cmdeploy/src/cmdeploy/dovecot/deployer.py

@@ -1,5 +1,3 @@
-import os
-
 from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.server import Arch, Sysctl
@@ -120,7 +118,7 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
 
     # as per https://doc.dovecot.org/2.3/configuration_manual/os/
     # it is recommended to set the following inotify limits
-    if not os.environ.get("CHATMAIL_NOSYSCTL"):
+    if config.change_kernel_settings:
         for name in ("max_user_instances", "max_user_watches"):
             key = f"fs.inotify.{name}"
             if host.get_fact(Sysctl)[key] > 65535:

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -228,8 +228,8 @@ service anvil {
 }
 
 ssl = required
-ssl_cert = <{{ config.tls_cert_path }}
-ssl_key = <{{ config.tls_key_path }}
+ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
+ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = yes

cmdeploy/src/cmdeploy/external/deployer.py

@@ -1,69 +0,0 @@
-from pyinfra.operations import files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class ExternalTlsDeployer(Deployer):
-    """Expects TLS certificates to be managed on the server.
-
-    Validates that the configured certificate and key files
-    exist on the remote host.  Installs a systemd path unit
-    that watches the certificate file and automatically
-    restarts/reloads affected services when it changes.
-    """
-
-    def __init__(self, cert_path, key_path):
-        self.cert_path = cert_path
-        self.key_path = key_path
-
-    def configure(self):
-        server.shell(
-            name="Verify external TLS certificate and key exist",
-            commands=[
-                f"test -f {self.cert_path} && test -f {self.key_path}",
-            ],
-        )
-
-        # Deploy the .path unit (templated with the cert path).
-        source = get_resource("tls-cert-reload.path.f", pkg=__package__)
-        content = source.read_text().format(cert_path=self.cert_path).encode()
-
-        import io
-
-        path_unit = files.put(
-            name="Upload tls-cert-reload.path",
-            src=io.BytesIO(content),
-            dest="/etc/systemd/system/tls-cert-reload.path",
-            user="root",
-            group="root",
-            mode="644",
-        )
-
-        service_unit = files.put(
-            name="Upload tls-cert-reload.service",
-            src=get_resource("tls-cert-reload.service", pkg=__package__),
-            dest="/etc/systemd/system/tls-cert-reload.service",
-            user="root",
-            group="root",
-            mode="644",
-        )
-
-        if path_unit.changed or service_unit.changed:
-            self.need_restart = True
-
-    def activate(self):
-        systemd.service(
-            name="Enable tls-cert-reload path watcher",
-            service="tls-cert-reload.path",
-            running=True,
-            enabled=True,
-            restarted=self.need_restart,
-            daemon_reload=self.need_restart,
-        )
-        # Always trigger a reload so services pick up the current cert.
-        # The path unit handles future changes via inotify.
-        server.shell(
-            name="Reload TLS services for current certificate",
-            commands=["systemctl start tls-cert-reload.service"],
-        )
-

cmdeploy/src/cmdeploy/external/tls-cert-reload.path.f

@@ -1,11 +0,0 @@
-# Watch the TLS certificate file for changes.
-# When the cert is updated (e.g. renewed by an external process),
-# this triggers tls-cert-reload.service to restart the affected services.
-[Unit]
-Description=Watch TLS certificate for changes
-
-[Path]
-PathChanged={cert_path}
-
-[Install]
-WantedBy=multi-user.target

cmdeploy/src/cmdeploy/external/tls-cert-reload.service

@@ -1,15 +0,0 @@
-# Reload services that cache the TLS certificate.
-#
-# dovecot: caches the cert at startup; reload re-reads SSL certs
-#          without dropping existing connections.
-# nginx:   caches the cert at startup; reload gracefully picks up
-#          the new cert for new connections.
-# postfix: reads the cert fresh on each TLS handshake,
-#          does NOT need a reload/restart.
-[Unit]
-Description=Reload TLS services after certificate change
-
-[Service]
-Type=oneshot
-ExecStart=/bin/systemctl reload dovecot
-ExecStart=/bin/systemctl reload nginx

cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2

@@ -1,47 +1,47 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
 <clientConfig version="1.1">
-  <emailProvider id="{{ config.mail_domain }}">
-    <domain>{{ config.mail_domain }}</domain>
-    <displayName>{{ config.mail_domain }} chatmail</displayName>
-    <displayShortName>{{ config.mail_domain }}</displayShortName>
+  <emailProvider id="{{ config.domain_name }}">
+    <domain>{{ config.domain_name }}</domain>
+    <displayName>{{ config.domain_name }} chatmail</displayName>
+    <displayShortName>{{ config.domain_name }}</displayShortName>
     <incomingServer type="imap">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>993</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </incomingServer>
     <incomingServer type="imap">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>143</port>
       <socketType>STARTTLS</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </incomingServer>
     <incomingServer type="imap">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>443</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </incomingServer>
     <outgoingServer type="smtp">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>465</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </outgoingServer>
     <outgoingServer type="smtp">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>587</port>
       <socketType>STARTTLS</socketType>
       <authentication>password-cleartext</authentication>
       <username>%EMAILADDRESS%</username>
     </outgoingServer>
     <outgoingServer type="smtp">
-      <hostname>{{ config.mail_domain }}</hostname>
+      <hostname>{{ config.domain_name }}</hostname>
       <port>443</port>
       <socketType>SSL</socketType>
       <authentication>password-cleartext</authentication>

cmdeploy/src/cmdeploy/nginx/deployer.py

@@ -70,7 +70,7 @@ def _configure_nginx(config: Config, debug: bool = False) -> bool:
         user="root",
         group="root",
         mode="644",
-        config=config,
+        config={"domain_name": config.mail_domain},
         disable_ipv6=config.disable_ipv6,
     )
     need_restart |= main_config.changed
@@ -81,7 +81,7 @@ def _configure_nginx(config: Config, debug: bool = False) -> bool:
         user="root",
         group="root",
         mode="644",
-        config=config,
+        config={"domain_name": config.mail_domain},
     )
     need_restart |= autoconfig.changed
 
@@ -91,7 +91,7 @@ def _configure_nginx(config: Config, debug: bool = False) -> bool:
         user="root",
         group="root",
         mode="644",
-        config=config,
+        config={"domain_name": config.mail_domain},
     )
     need_restart |= mta_sts_config.changed
 

cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2

@@ -1,4 +1,4 @@
 version: STSv1
 mode: enforce
-mx: {{ config.mail_domain }}
+mx: {{ config.domain_name }}
 max_age: 2419200

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -42,9 +42,6 @@ stream {
 }
 
 http {
-{% if config.tls_cert_mode == "self" %}
-	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
-{% endif %}
 	sendfile on;
 	tcp_nopush on;
 
@@ -56,8 +53,8 @@ http {
 
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
-	ssl_certificate {{ config.tls_cert_path }};
-	ssl_certificate_key {{ config.tls_key_path }};
+	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
+	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
 
 	gzip on;
 
@@ -69,7 +66,7 @@ http {
 
 		index index.html index.htm;
 
-		server_name {{ config.mail_domain }} www.{{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
+		server_name {{ config.domain_name }} www.{{ config.domain_name }} mta-sts.{{ config.domain_name }};
 
 		access_log syslog:server=unix:/dev/log,facility=local7;
 
@@ -84,15 +81,11 @@ http {
 		}
 
 		location /new {
-{% if config.tls_cert_mode != "self" %}
 			if ($request_method = GET) {
 				# Redirect to Delta Chat,
 				# which will in turn do a POST request.
-				return 301 dcaccount:https://{{ config.mail_domain }}/new;
+				return 301 dcaccount:https://{{ config.domain_name }}/new;
 			}
-{% else %}
-			limit_req zone=newaccount burst=5 nodelay;
-{% endif %}
 
 			fastcgi_pass unix:/run/fcgiwrap.socket;
 			include /etc/nginx/fastcgi_params;
@@ -106,11 +99,9 @@ http {
 		#
 		# Redirects are only for browsers.
 		location /cgi-bin/newemail.py {
-{% if config.tls_cert_mode != "self" %}
 			if ($request_method = GET) {
-				return 301 dcaccount:https://{{ config.mail_domain }}/new;
+				return 301 dcaccount:https://{{ config.domain_name }}/new;
 			}
-{% endif %}
 
 			fastcgi_pass unix:/run/fcgiwrap.socket;
 			include /etc/nginx/fastcgi_params;
@@ -141,8 +132,8 @@ http {
 	# Redirect www. to non-www
 	server {
 		listen 127.0.0.1:8443 ssl;
-		server_name www.{{ config.mail_domain }};
-		return 301 $scheme://{{ config.mail_domain }}$request_uri;
+		server_name www.{{ config.domain_name }};
+		return 301 $scheme://{{ config.domain_name }}$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 }

cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup

@@ -1,3 +1,2 @@
 /^DKIM-Signature:/            IGNORE
 /^Authentication-Results:/            IGNORE
-/^Received:/            IGNORE

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -15,12 +15,12 @@ readme_directory = no
 compatibility_level = 3.6
 
 # TLS parameters
-smtpd_tls_cert_file={{ config.tls_cert_path }}
-smtpd_tls_key_file={{ config.tls_key_path }}
+smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
+smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level={{ "verify" if config.tls_cert_mode == "acme" else "encrypt" }}
+smtp_tls_security_level=verify
 # Send SNI extension when connecting to other servers.
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname

cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map

@@ -1,3 +1,2 @@
 /^\[[^]]+\]$/ encrypt
-/^_/          encrypt
 /^nauta\.cu$/    may

cmdeploy/src/cmdeploy/run.py

@@ -15,8 +15,9 @@ def main():
     )
     disable_mail = bool(os.environ.get("CHATMAIL_DISABLE_MAIL"))
     website_only = bool(os.environ.get("CHATMAIL_WEBSITE_ONLY"))
+    docker = bool(os.environ.get("CHATMAIL_DOCKER"))
 
-    deploy_chatmail(config_path, disable_mail, website_only)
+    deploy_chatmail(config_path, disable_mail, website_only, docker)
 
 
 if pyinfra.is_cli:

cmdeploy/src/cmdeploy/selfsigned/deployer.py

@@ -1,52 +0,0 @@
-import shlex
-
-from pyinfra.operations import apt, server
-
-from cmdeploy.basedeploy import Deployer
-
-
-def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
-    """Return the openssl argument list for a self-signed certificate.
-
-    The certificate uses an EC P-256 key with SAN entries for *domain*,
-    ``www.<domain>`` and ``mta-sts.<domain>``.
-    """
-    return [
-        "openssl", "req", "-x509",
-        "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256",
-        "-noenc", "-days", str(days),
-        "-keyout", str(key_path),
-        "-out", str(cert_path),
-        "-subj", f"/CN={domain}",
-        "-addext", "extendedKeyUsage=serverAuth,clientAuth",
-        "-addext",
-        f"subjectAltName=DNS:{domain},DNS:www.{domain},DNS:mta-sts.{domain}",
-    ]
-
-
-class SelfSignedTlsDeployer(Deployer):
-    """Generates a self-signed TLS certificate for all chatmail endpoints."""
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-        self.cert_path = "/etc/ssl/certs/mailserver.pem"
-        self.key_path = "/etc/ssl/private/mailserver.key"
-
-    def install(self):
-        apt.packages(
-            name="Install openssl",
-            packages=["openssl"],
-        )
-
-    def configure(self):
-        args = openssl_selfsigned_args(
-            self.mail_domain, self.cert_path, self.key_path,
-        )
-        cmd = shlex.join(args)
-        server.shell(
-            name="Generate self-signed TLS certificate if not present",
-            commands=[f"[ -f {self.cert_path} ] || {cmd}"],
-        )
-
-    def activate(self):
-        pass

cmdeploy/src/cmdeploy/sshexec.py

@@ -89,11 +89,6 @@ class LocalExec:
         self.verbose = verbose
         self.docker = docker
 
-    def __call__(self, call, kwargs=None, log_callback=None):
-        if kwargs is None:
-            kwargs = {}
-        return call(**kwargs)
-
     def logged(self, call, kwargs: dict):
         where = "locally"
         if self.docker:

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -1,4 +1,3 @@
-import pytest
 import requests
 
 from cmdeploy.genqr import gen_qr_png_data
@@ -9,33 +8,18 @@ def test_gen_qr_png_data(maildomain):
     assert data
 
 
-@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 def test_fastcgi_working(maildomain, chatmail_config):
     url = f"https://{maildomain}/new"
     print(url)
-    verify = chatmail_config.tls_cert_mode == "acme"
-    res = requests.post(url, verify=verify)
+    res = requests.post(url)
     assert maildomain in res.json().get("email")
     assert len(res.json().get("password")) > chatmail_config.password_min_length
 
 
-@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
-def test_newemail_configure(maildomain, rpc, chatmail_config):
+def test_newemail_configure(maildomain, rpc):
     """Test configuring accounts by scanning a QR code works."""
     url = f"DCACCOUNT:https://{maildomain}/new"
     for i in range(3):
         account_id = rpc.add_account()
-        if chatmail_config.tls_cert_mode == "self":
-            # deltachat core's rustls rejects self-signed HTTPS certs during
-            # set_config_from_qr, so fetch credentials via requests instead
-            res = requests.post(f"https://{maildomain}/new", verify=False)
-            data = res.json()
-            rpc.add_or_update_transport(account_id, {
-                "addr": data["email"],
-                "password": data["password"],
-                "imapServer": maildomain,
-                "smtpServer": maildomain,
-                "certificateChecks": "acceptInvalidCertificates",
-            })
-        else:
-            rpc.add_transport_from_qr(account_id, url)
+        rpc.set_config_from_qr(account_id, url)
+        rpc.configure(account_id)

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -11,12 +11,11 @@ from cmdeploy.sshexec import SSHExec
 
 
 @pytest.fixture
-def imap_mailbox(cmfactory, ssl_context):
+def imap_mailbox(cmfactory):
     (ac1,) = cmfactory.get_online_accounts(1)
     user = ac1.get_config("addr")
     password = ac1.get_config("mail_pw")
-    host = user.split("@")[1]
-    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
+    mailbox = imap_tools.MailBox(user.split("@")[1])
     mailbox.login(user, password)
     mailbox.dc_ac = ac1
     return mailbox
@@ -172,7 +171,7 @@ class TestEndToEndDeltaChat:
             time.sleep(1)
 
 
-def test_hide_senders_ip_address(cmfactory, ssl_context):
+def test_hide_senders_ip_address(cmfactory):
     public_ip = requests.get("http://icanhazip.com").content.decode().strip()
     assert ipaddress.ip_address(public_ip)
 
@@ -181,11 +180,6 @@ def test_hide_senders_ip_address(cmfactory, ssl_context):
 
     chat.send_text("testing submission header cleanup")
     user2._evtracker.wait_next_incoming_message()
-    addr = user2.get_config("addr")
-    host = addr.split("@")[1]
-    pw = user2.get_config("mail_pw")
-    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
-    mailbox.login(addr, pw)
-    msgs = list(mailbox.fetch(mark_seen=False))
-    assert msgs, "expected at least one message"
-    assert public_ip not in msgs[0].obj.as_string()
+    user2.direct_imap.select_folder("Inbox")
+    msg = user2.direct_imap.get_all_messages()[0]
+    assert public_ip not in msg.obj.as_string()

cmdeploy/src/cmdeploy/tests/plugin.py

@@ -4,7 +4,6 @@ import itertools
 import os
 import random
 import smtplib
-import ssl
 import subprocess
 import time
 from pathlib import Path
@@ -145,25 +144,15 @@ def pytest_terminal_summary(terminalreporter):
             tr.write_line(line)
 
 
-@pytest.fixture(scope="session")
-def ssl_context(chatmail_config):
-    if chatmail_config.tls_cert_mode == "self":
-        ctx = ssl.create_default_context()
-        ctx.check_hostname = False
-        ctx.verify_mode = ssl.CERT_NONE
-        return ctx
-    return None
+@pytest.fixture
+def imap(maildomain):
+    return ImapConn(maildomain)
 
 
 @pytest.fixture
-def imap(maildomain, ssl_context):
-    return ImapConn(maildomain, ssl_context=ssl_context)
-
-
-@pytest.fixture
-def make_imap_connection(maildomain, ssl_context):
+def make_imap_connection(maildomain):
     def make_imap_connection():
-        conn = ImapConn(maildomain, ssl_context=ssl_context)
+        conn = ImapConn(maildomain)
         conn.connect()
         return conn
 
@@ -175,13 +164,12 @@ class ImapConn:
     logcmd = "journalctl -f -u dovecot"
     name = "dovecot"
 
-    def __init__(self, host, ssl_context=None):
+    def __init__(self, host):
         self.host = host
-        self.ssl_context = ssl_context
 
     def connect(self):
         print(f"imap-connect {self.host}")
-        self.conn = imaplib.IMAP4_SSL(self.host, ssl_context=self.ssl_context)
+        self.conn = imaplib.IMAP4_SSL(self.host)
 
     def login(self, user, password):
         print(f"imap-login {user!r} {password!r}")
@@ -207,14 +195,14 @@ class ImapConn:
 
 
 @pytest.fixture
-def smtp(maildomain, ssl_context):
-    return SmtpConn(maildomain, ssl_context=ssl_context)
+def smtp(maildomain):
+    return SmtpConn(maildomain)
 
 
 @pytest.fixture
-def make_smtp_connection(maildomain, ssl_context):
+def make_smtp_connection(maildomain):
     def make_smtp_connection():
-        conn = SmtpConn(maildomain, ssl_context=ssl_context)
+        conn = SmtpConn(maildomain)
         conn.connect()
         return conn
 
@@ -226,14 +214,12 @@ class SmtpConn:
     logcmd = "journalctl -f -t postfix/smtpd -t postfix/smtp -t postfix/lmtp"
     name = "postfix"
 
-    def __init__(self, host, ssl_context=None):
+    def __init__(self, host):
         self.host = host
-        self.ssl_context = ssl_context
 
     def connect(self):
         print(f"smtp-connect {self.host}")
-        context = self.ssl_context or ssl.create_default_context()
-        self.conn = smtplib.SMTP_SSL(self.host, context=context)
+        self.conn = smtplib.SMTP_SSL(self.host)
 
     def login(self, user, password):
         print(f"smtp-login {user!r} {password!r}")
@@ -284,12 +270,11 @@ def gencreds(chatmail_config):
 class ChatmailTestProcess:
     """Provider for chatmail instance accounts as used by deltachat.testplugin.acfactory"""
 
-    def __init__(self, pytestconfig, maildomain, gencreds, chatmail_config):
+    def __init__(self, pytestconfig, maildomain, gencreds):
         self.pytestconfig = pytestconfig
         self.maildomain = maildomain
         assert "." in self.maildomain, maildomain
         self.gencreds = gencreds
-        self.chatmail_config = chatmail_config
         self._addr2files = {}
 
     def get_liveconfig_producer(self):
@@ -302,9 +287,6 @@ class ChatmailTestProcess:
             # speed up account configuration
             config["mail_server"] = self.maildomain
             config["send_server"] = self.maildomain
-            if self.chatmail_config.tls_cert_mode == "self":
-                # Accept self-signed TLS certificates
-                config["imap_certificate_checks"] = "3"
             yield config
 
     def cache_maybe_retrieve_configured_db_files(self, cache_addr, db_target_path):
@@ -315,14 +297,12 @@ class ChatmailTestProcess:
 
 
 @pytest.fixture
-def cmfactory(request, gencreds, tmpdir, maildomain, chatmail_config):
+def cmfactory(request, gencreds, tmpdir, maildomain):
     # cloned from deltachat.testplugin.amfactory
     pytest.importorskip("deltachat")
     from deltachat.testplugin import ACFactory
 
-    testproc = ChatmailTestProcess(
-        request.config, maildomain, gencreds, chatmail_config
-    )
+    testproc = ChatmailTestProcess(request.config, maildomain, gencreds)
 
     class Data:
         def read_path(self, path):
@@ -330,10 +310,6 @@ def cmfactory(request, gencreds, tmpdir, maildomain, chatmail_config):
 
     am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=Data())
 
-    # Skip upstream's init_imap to prevent extra imap connections not
-    # needed for relay testing
-    am._acsetup.init_imap = lambda acc: None
-
     # nb. a bit hacky
     # would probably be better if deltachat's test machinery grows native support
     def switch_maildomain(maildomain2):
@@ -387,40 +363,38 @@ def lp(request):
 
 
 @pytest.fixture
-def cmsetup(maildomain, gencreds, ssl_context):
-    return CMSetup(maildomain, gencreds, ssl_context)
+def cmsetup(maildomain, gencreds):
+    return CMSetup(maildomain, gencreds)
 
 
 class CMSetup:
-    def __init__(self, maildomain, gencreds, ssl_context):
+    def __init__(self, maildomain, gencreds):
         self.maildomain = maildomain
         self.gencreds = gencreds
-        self.ssl_context = ssl_context
 
     def gen_users(self, num):
         print(f"Creating {num} online users")
         users = []
         for i in range(num):
             addr, password = self.gencreds()
-            user = CMUser(self.maildomain, addr, password, self.ssl_context)
+            user = CMUser(self.maildomain, addr, password)
             assert user.smtp
             users.append(user)
         return users
 
 
 class CMUser:
-    def __init__(self, maildomain, addr, password, ssl_context=None):
+    def __init__(self, maildomain, addr, password):
         self.maildomain = maildomain
         self.addr = addr
         self.password = password
-        self.ssl_context = ssl_context
         self._smtp = None
         self._imap = None
 
     @property
     def smtp(self):
         if not self._smtp:
-            handle = SmtpConn(self.maildomain, ssl_context=self.ssl_context)
+            handle = SmtpConn(self.maildomain)
             handle.connect()
             handle.login(self.addr, self.password)
             self._smtp = handle
@@ -429,7 +403,7 @@ class CMUser:
     @property
     def imap(self):
         if not self._imap:
-            imap = ImapConn(self.maildomain, ssl_context=self.ssl_context)
+            imap = ImapConn(self.maildomain)
             imap.connect()
             imap.login(self.addr, self.password)
             self._imap = imap

cmdeploy/src/cmdeploy/tests/setup_tls_external.py

@@ -1,362 +0,0 @@
-"""Setup and verify external TLS certificates for a chatmail server.
-
-Generates a self-signed TLS certificate, uploads it to the chatmail
-server via SCP, runs ``cmdeploy run``, and then probes all TLS-enabled
-ports (nginx, postfix, dovecot) to verify the certificate is actually
-served.  After probing, checks remote service logs for errors.
-
-Prerequisites
-~~~~~~~~~~~~~
-- SSH root access to the target server (same as ``cmdeploy run``)
-- ``cmdeploy`` in PATH (activate the venv first)
-
-How to run
-~~~~~~~~~~
-From the repository root::
-
-    # Full run: generate cert, deploy, probe ports, check services
-    python -m cmdeploy.tests.setup_tls_external DOMAIN
-
-    # Re-probe only (after a previous deploy)
-    python -m cmdeploy.tests.setup_tls_external DOMAIN \\
-        --skip-deploy --skip-certgen
-
-    # Override SSH host (e.g. when domain doesn't resolve to the server)
-    python -m cmdeploy.tests.setup_tls_external DOMAIN \\
-        --ssh-host staging-ipv4.testrun.org
-
-Arguments
-~~~~~~~~~
-DOMAIN            mail domain for the chatmail server (SSH root login must work)
-
-Options
-~~~~~~~
---skip-deploy     skip ``cmdeploy run``, only probe ports
---skip-certgen    skip cert generation/upload, use certs already on server
---ssh-host HOST   SSH host override (defaults to DOMAIN)
-"""
-
-import argparse
-import shutil
-import smtplib
-import socket
-import ssl
-import subprocess
-import sys
-import tempfile
-import time
-from pathlib import Path
-
-# Cert paths on the remote server
-REMOTE_CERT = "/etc/ssl/certs/tmp_fullchain.pem"
-REMOTE_KEY = "/etc/ssl/private/tmp_privkey.pem"
-
-
-# ---------------------------------------------------------------------------
-# Config generation
-# ---------------------------------------------------------------------------
-
-
-def generate_config(domain: str, config_dir: Path) -> Path:
-    """Generate a chatmail.ini with tls_external_cert_and_key for *domain*."""
-    from chatmaild.config import write_initial_config
-
-    ini_path = config_dir / "chatmail.ini"
-    write_initial_config(
-        ini_path,
-        domain,
-        overrides={
-            "tls_external_cert_and_key": f"{REMOTE_CERT} {REMOTE_KEY}",
-        },
-    )
-    print(f"[+] Generated chatmail.ini for {domain} in {config_dir}")
-    return ini_path
-
-
-# ---------------------------------------------------------------------------
-# Certificate generation
-# ---------------------------------------------------------------------------
-
-
-def generate_cert(domain: str, cert_dir: Path) -> tuple:
-    """Generate a self-signed TLS cert+key for *domain* with proper SANs."""
-    from cmdeploy.selfsigned.deployer import openssl_selfsigned_args
-
-    cert_path = cert_dir / "fullchain.pem"
-    key_path = cert_dir / "privkey.pem"
-    subprocess.check_call(openssl_selfsigned_args(domain, cert_path, key_path, days=30))
-    print(f"[+] Generated cert for {domain} in {cert_dir}")
-    return cert_path, key_path
-
-
-# ---------------------------------------------------------------------------
-# Upload certs to remote server
-# ---------------------------------------------------------------------------
-
-
-def upload_certs(
-    ssh_host: str,
-    cert_path: Path,
-    key_path: Path,
-) -> None:
-    """SCP cert and key to the remote server."""
-    subprocess.check_call([
-        "scp", str(cert_path), f"root@{ssh_host}:{REMOTE_CERT}",
-    ])
-    subprocess.check_call([
-        "scp", str(key_path), f"root@{ssh_host}:{REMOTE_KEY}",
-    ])
-    # Ensure cert is world-readable and key is readable by ssl-cert group
-    # (dovecot/postfix/nginx need to read these files)
-    subprocess.check_call([
-        "ssh", f"root@{ssh_host}",
-        f"chmod 644 {REMOTE_CERT} && chmod 640 {REMOTE_KEY}"
-        f" && chgrp ssl-cert {REMOTE_KEY}",
-    ])
-    print(f"[+] Uploaded cert/key to {ssh_host}")
-
-
-# ---------------------------------------------------------------------------
-# Deploy
-# ---------------------------------------------------------------------------
-
-
-def run_deploy(ini_path: str) -> None:
-    """Run ``cmdeploy run --skip-dns-check --config <ini>``."""
-    cmd = ["cmdeploy", "run", "--config", str(ini_path), "--skip-dns-check"]
-    print(f"[+] Running: {' '.join(cmd)}")
-    subprocess.check_call(cmd)
-    print("[+] Deploy completed successfully")
-
-
-# ---------------------------------------------------------------------------
-# TLS port probing
-# ---------------------------------------------------------------------------
-
-
-def get_peer_cert_binary(host: str, port: int) -> bytes:
-    """Connect to host:port with TLS and return the DER-encoded peer cert."""
-    ctx = ssl.create_default_context()
-    ctx.check_hostname = False
-    ctx.verify_mode = ssl.CERT_NONE
-    with socket.create_connection((host, port), timeout=15) as sock:
-        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
-            return ssock.getpeercert(binary_form=True)
-
-
-def get_smtp_starttls_cert_binary(host: str, port: int = 587) -> bytes:
-    """Connect via SMTP STARTTLS and return the DER cert."""
-    ctx = ssl.create_default_context()
-    ctx.check_hostname = False
-    ctx.verify_mode = ssl.CERT_NONE
-    with smtplib.SMTP(host, port, timeout=15) as smtp:
-        smtp.starttls(context=ctx)
-        return smtp.sock.getpeercert(binary_form=True)
-
-
-def check_cert_matches(
-    label: str, served_der: bytes, expected_der: bytes,
-) -> bool:
-    """Compare served DER cert against the expected cert."""
-    if served_der == expected_der:
-        print(f"  [OK]   {label}: certificate matches")
-        return True
-    else:
-        print(f"  [FAIL] {label}: certificate does NOT match")
-        return False
-
-
-def load_cert_der(cert_pem_path: Path) -> bytes:
-    """Load a PEM cert file and return its DER encoding."""
-    pem_text = cert_pem_path.read_text()
-    start = pem_text.index("-----BEGIN CERTIFICATE-----")
-    end = pem_text.index("-----END CERTIFICATE-----") + len(
-        "-----END CERTIFICATE-----"
-    )
-    return ssl.PEM_cert_to_DER_cert(pem_text[start:end])
-
-
-def probe_all_ports(host: str, expected_cert_der: bytes) -> bool:
-    """Probe TLS ports and verify the served certificate matches.
-
-    Checks ports 993 (IMAP), 465 (SMTPS), 587 (STARTTLS), and 443
-    (nginx stream).  Port 8443 is skipped as nginx binds it to
-    localhost behind the stream proxy on 443.
-    """
-    print(f"\n[+] Probing TLS ports on {host}...")
-    all_ok = True
-
-    for label, port in [
-        ("IMAP/TLS (993)", 993),
-        ("SMTP/TLS (465)", 465),
-    ]:
-        try:
-            served = get_peer_cert_binary(host, port)
-            if not check_cert_matches(label, served, expected_cert_der):
-                all_ok = False
-        except Exception as e:
-            print(f"  [FAIL] {label}: connection failed: {e}")
-            all_ok = False
-
-    # STARTTLS on port 587
-    try:
-        served = get_smtp_starttls_cert_binary(host, 587)
-        if not check_cert_matches("SMTP/STARTTLS (587)", served, expected_cert_der):
-            all_ok = False
-    except Exception as e:
-        print(f"  [FAIL] SMTP/STARTTLS (587): connection failed: {e}")
-        all_ok = False
-
-    # Port 443 (nginx stream proxy with ALPN routing)
-    try:
-        served = get_peer_cert_binary(host, 443)
-        if not check_cert_matches("nginx/443 (stream)", served, expected_cert_der):
-            all_ok = False
-    except Exception as e:
-        print(f"  [FAIL] nginx/443 (stream): connection failed: {e}")
-        all_ok = False
-
-    return all_ok
-
-
-# ---------------------------------------------------------------------------
-# Post-deploy service health checks
-# ---------------------------------------------------------------------------
-
-SERVICES = ["dovecot", "postfix", "nginx"]
-
-
-def check_remote_services(ssh_host: str, since: str = "") -> bool:
-    """SSH to the server and check for service failures or errors.
-
-    *since* is a ``journalctl --since`` timestamp (e.g. ``"5 min ago"``).
-    If empty, checks the entire boot journal.
-    """
-    print(f"\n[+] Checking remote service health on {ssh_host}...")
-    all_ok = True
-
-    for svc in SERVICES:
-        try:
-            result = subprocess.run(
-                ["ssh", f"root@{ssh_host}",
-                 f"systemctl is-active {svc}.service"],
-                capture_output=True, text=True, timeout=15, check=False,
-            )
-            status = result.stdout.strip()
-            if status == "active":
-                print(f"  [OK]   {svc}: active")
-            else:
-                print(f"  [FAIL] {svc}: {status}")
-                all_ok = False
-        except Exception as e:
-            print(f"  [FAIL] {svc}: check failed: {e}")
-            all_ok = False
-
-    since_arg = f'--since="{since}"' if since else ""
-    print(f"\n[+] Checking journal for errors on {ssh_host}...")
-    for svc in SERVICES:
-        try:
-            result = subprocess.run(
-                ["ssh", f"root@{ssh_host}",
-                 f"journalctl -u {svc}.service {since_arg}"
-                 f" --no-pager -p err -q"],
-                capture_output=True, text=True, timeout=15, check=False,
-            )
-            errors = result.stdout.strip()
-            if errors:
-                print(f"  [WARN] {svc} errors in journal:")
-                for line in errors.splitlines()[:10]:
-                    print(f"         {line}")
-                all_ok = False
-            else:
-                print(f"  [OK]   {svc}: no errors in journal")
-        except Exception as e:
-            print(f"  [FAIL] {svc}: journal check failed: {e}")
-            all_ok = False
-
-    return all_ok
-
-
-# ---------------------------------------------------------------------------
-# Main
-# ---------------------------------------------------------------------------
-
-
-def main():
-    parser = argparse.ArgumentParser(
-        description=__doc__,
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-    )
-    parser.add_argument(
-        "domain",
-        help="mail domain (SSH root login must work to this host)",
-    )
-    parser.add_argument(
-        "--skip-deploy",
-        action="store_true",
-        help="skip cmdeploy run, only probe ports",
-    )
-    parser.add_argument(
-        "--skip-certgen",
-        action="store_true",
-        help="skip cert generation and upload (use existing)",
-    )
-    parser.add_argument(
-        "--ssh-host",
-        help="SSH host override (defaults to DOMAIN)",
-    )
-    args = parser.parse_args()
-
-    domain = args.domain
-    ssh_host = args.ssh_host or domain
-    print(f"[+] Domain: {domain}")
-    print(f"[+] SSH host: {ssh_host}")
-    print(f"[+] Remote cert: {REMOTE_CERT}")
-    print(f"[+] Remote key:  {REMOTE_KEY}")
-
-    work_dir = Path(tempfile.mkdtemp(prefix="tls-external-test-"))
-    try:
-        # Generate chatmail.ini
-        ini_path = generate_config(domain, work_dir)
-
-        if not args.skip_certgen:
-            local_cert, local_key = generate_cert(domain, work_dir)
-            upload_certs(ssh_host, local_cert, local_key)
-        else:
-            local_cert = work_dir / "fullchain.pem"
-            subprocess.check_call([
-                "scp", f"root@{ssh_host}:{REMOTE_CERT}", str(local_cert),
-            ])
-
-        # Record timestamp before deploy for journal filtering
-        deploy_start = time.strftime("%Y-%m-%d %H:%M:%S")
-
-        if not args.skip_deploy:
-            run_deploy(ini_path)
-
-        # Probe TLS ports
-        expected_der = load_cert_der(local_cert)
-        ports_ok = probe_all_ports(domain, expected_der)
-
-        # Check service health (only errors since deploy started)
-        services_ok = check_remote_services(ssh_host, since=deploy_start)
-
-        if ports_ok and services_ok:
-            print(
-                "\n[SUCCESS] All TLS port probes passed and services are healthy"
-            )
-            return 0
-        else:
-            if not ports_ok:
-                print("\n[FAILURE] Some TLS port probes failed", file=sys.stderr)
-            if not services_ok:
-                print(
-                    "\n[FAILURE] Some services have errors", file=sys.stderr
-                )
-            return 1
-    finally:
-        shutil.rmtree(work_dir, ignore_errors=True)
-
-
-if __name__ == "__main__":
-    sys.exit(main())

cmdeploy/src/cmdeploy/tests/test_dns.py

@@ -91,16 +91,6 @@ class TestPerformInitialChecks:
         assert not res
         assert len(l) == 2
 
-    def test_perform_initial_checks_no_mta_sts_self_signed(self, mockdns):
-        del mockdns["CNAME"]["mta-sts.some.domain"]
-        remote_data = remote.rdns.perform_initial_checks("some.domain")
-        assert not remote_data["MTA_STS"]
-
-        l = []
-        res = check_initial_remote_data(remote_data, strict_tls=False, print=l.append)
-        assert res
-        assert not l
-
 
 def parse_zonefile_into_dict(zonefile, mockdns_base, only_required=False):
     for zf_line in zonefile.split("\n"):

cmdeploy/src/cmdeploy/tests/test_external_tls.py

@@ -1,78 +0,0 @@
-"""Functional tests for tls_external_cert_and_key option."""
-
-import json
-
-import chatmaild.newemail
-import pytest
-from chatmaild.config import read_config, write_initial_config
-
-
-def make_external_config(tmp_path, cert_key=None):
-    inipath = tmp_path / "chatmail.ini"
-    overrides = {}
-    if cert_key is not None:
-        overrides["tls_external_cert_and_key"] = cert_key
-    write_initial_config(inipath, "chat.example.org", overrides=overrides)
-    return inipath
-
-
-def test_external_tls_config_reads_paths(tmp_path):
-    inipath = make_external_config(
-        tmp_path,
-        cert_key=(
-            "/etc/letsencrypt/live/chat.example.org/fullchain.pem"
-            " /etc/letsencrypt/live/chat.example.org/privkey.pem"
-        ),
-    )
-    config = read_config(inipath)
-    assert config.tls_cert_mode == "external"
-    assert (
-        config.tls_cert_path == "/etc/letsencrypt/live/chat.example.org/fullchain.pem"
-    )
-    assert config.tls_key_path == "/etc/letsencrypt/live/chat.example.org/privkey.pem"
-
-
-def test_external_tls_missing_option_uses_acme(tmp_path):
-    config = read_config(make_external_config(tmp_path))
-    assert config.tls_cert_mode == "acme"
-
-
-def test_external_tls_bad_format_raises(tmp_path):
-    inipath = make_external_config(tmp_path, cert_key="/only/one/path.pem")
-    with pytest.raises(ValueError, match="two space-separated"):
-        read_config(inipath)
-
-
-def test_external_tls_three_paths_raises(tmp_path):
-    inipath = make_external_config(tmp_path, cert_key="/a /b /c")
-    with pytest.raises(ValueError, match="two space-separated"):
-        read_config(inipath)
-
-
-def test_external_tls_no_dclogin_url(tmp_path, capsys, monkeypatch):
-    inipath = make_external_config(
-        tmp_path, cert_key="/certs/fullchain.pem /certs/privkey.pem"
-    )
-    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(inipath))
-    chatmaild.newemail.print_new_account()
-    out, _ = capsys.readouterr()
-    lines = out.split("\n")
-    dic = json.loads(lines[2])
-    assert "dclogin_url" not in dic
-
-
-def test_external_tls_selects_correct_deployer(tmp_path):
-    from cmdeploy.deployers import get_tls_deployer
-    from cmdeploy.external.deployer import ExternalTlsDeployer
-    from cmdeploy.selfsigned.deployer import SelfSignedTlsDeployer
-
-    inipath = make_external_config(
-        tmp_path, cert_key="/certs/fullchain.pem /certs/privkey.pem"
-    )
-    config = read_config(inipath)
-    deployer = get_tls_deployer(config, "chat.example.org")
-
-    assert isinstance(deployer, ExternalTlsDeployer)
-    assert not isinstance(deployer, SelfSignedTlsDeployer)
-    assert deployer.cert_path == "/certs/fullchain.pem"
-    assert deployer.key_path == "/certs/privkey.pem"

doc/source/docker.rst

@@ -1,260 +0,0 @@
-Docker installation
-===================
-
-This section provides instructions for installing a chatmail relay
-using Docker Compose.
-
-.. note::
-
-    - Docker support is experimental and not yet covered by automated tests, please report bugs.
-    - This preliminary image simply wraps the cmdeploy process detailed in the :doc:`getting_started` instructions in a full Debian-systemd image with r/w access to `/sys/fs`
-    - Currently, the image has only been tested and built on amd64, though arm64 should theoretically work as well.
-
-
-Setup Preparation
------------------
-
-We use ``chat.example.org`` as the chatmail domain in the following
-steps. Please substitute it with your own domain.
-
-1. Install docker and docker compose v2 (check with `docker compose version`), install, e.g., through
-    - Debian 12 through the `official install instructions <https://docs.docker.com/engine/install/debian/#install-using-the-repository>`_
-    - Debian 13+ with `apt install docker docker-compose`
-
-   If you must use v1 (EOL since 2023), use `docker-compose` in the following and modify the `docker-compose.yaml` to use `privileged: true` instead of `cgroup: host`, though that will run give the container all priviledges.
-
-2. Setup the initial DNS records.
-   The following is an example in the familiar BIND zone file format with
-   a TTL of 1 hour (3600 seconds).
-   Please substitute your domain and IP addresses.
-
-   ::
-
-       chat.example.org. 3600 IN A 198.51.100.5
-       chat.example.org. 3600 IN AAAA 2001:db8::5
-       www.chat.example.org. 3600 IN CNAME chat.example.org.
-       mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
-
-3. Configure kernel parameters on the host, as these can not be set from the container::
-
-       echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
-       echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
-       sudo sysctl --system
-
-
-Docker Compose Setup
---------------------
-
-Pre-built images are available from GitHub Container Registry. The
-``main`` branch and tagged releases are pushed automatically by CI::
-
-    docker pull ghcr.io/chatmail/relay:main      # latest main branch
-    docker pull ghcr.io/chatmail/relay:1.2.3     # tagged release
-
-
-Create service directory
-^^^^^^^^^^^^^^^^^^^^^^^^
-
-Either:
-
-- Create a service directory, e.g., `/srv/chatmail-relay`::
-
-    mkdir -p /srv/chatmail-relay && cd /srv/chatmail-relay
-    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.yaml
-    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.override.yaml.example -O docker-compose.override.yaml
-
-- or clone the chatmail repo ::
-
-   git clone https://github.com/chatmail/relay
-   cd relay
-
-
-Customize and start
-^^^^^^^^^^^^^^^^^^^
-
-1. Set the fully qualified domain name of the relay::
-
-       echo 'MAIL_DOMAIN=chat.example.org' > .env
-
-   The container generates a ``chatmail.ini`` with defaults from
-   ``MAIL_DOMAIN`` on first start. To customize chatmail settings, mount
-   your own ``chatmail.ini`` instead (see `Custom chatmail.ini`_ below).
-
-2. All local customizations (data paths, extra volumes, config mounts) go in
-   ``docker-compose.override.yaml``, which Compose merges automatically with
-   the base file. By default, all data is stored in docker volumes, you will
-   likely want to at least create and configure the mail storage location, but
-   you might also want to configure external TLS certificates there.
-
-3. Start the container::
-
-       docker compose up -d
-       docker compose logs -f chatmail   # view logs, Ctrl+C to exit
-
-4. After installation is complete, open ``https://chat.example.org`` in
-   your browser.
-
-Finish install and test
------------------------
-
-You can test the installation with::
-
-        pip install cmping chat.example.org # or
-        uvx cmping chat.example.org # if you use https://docs.astral.sh/uv/
-
-You should check and extend your DNS records for better interoperability::
-
-    # Show required DNS records
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy dns --ssh-host @local
-
-You can check server status with::
-
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy status --ssh-host @local
-
-You can run some benchmarks (can also run from any machine with cmdeploy installed)
-
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy bench chat.example.org
-
-You can run the test suite with
-
-    docker exec chatmail /opt/cmdeploy/bin/cmdeploy test chat.example.org --ssh-host localhost
-
-
-Customization
--------------
-
-Website
-^^^^^^^^^^^^^^
-
-You can customize the chatmail landing page by mounting a directory with
-your own website source files.
-
-1. Create a directory with your custom website source::
-
-       mkdir -p ./custom/www/src
-       nano ./custom/www/src/index.md
-
-2. Add the volume mount in ``docker-compose.override.yaml``::
-
-       services:
-         chatmail:
-           volumes:
-             - ./custom/www:/opt/chatmail-www
-
-3. Restart the service::
-
-       docker compose down
-       docker compose up -d
-
-
-Custom chatmail.ini
-^^^^^^^^^^^^^^^^^^^
-
-If you want to go beyond simply setting the ``MAIL_DOMAIN`` in ``.env``, you
-can use a regular `chatmail.ini` to give you full control.
-
-1. Extract the generated config from a running container::
-
-       docker cp chatmail:/etc/chatmail/chatmail.ini ./chatmail.ini
-
-2. Edit ``chatmail.ini`` as needed.
-
-3. Add the volume mount in ``docker-compose.override.yaml`` ::
-
-       services:
-         chatmail:
-           volumes:
-             - ./chatmail.ini:/etc/chatmail/chatmail.ini
-
-4. Restart the container, the container skips generating a new one: ::
-
-       docker compose down && docker compose up -d
-
-
-External TLS certificates
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-If TLS certificates are managed outside the container (e.g. by certbot,
-acmetool, or Traefik on the host), mount them into the container and set
-``TLS_EXTERNAL_CERT_AND_KEY`` in ``docker-compose.override.yaml``.
-Changed certificates are picked up automatically via inotify.
-See the examples in the example override and :ref:`external-tls` in the getting started guide for details.
-
-
-Migrating from a bare-metal install
-------------------------------------
-
-If you have an existing bare-metal chatmail installation and want to
-switch to Docker:
-
-1. Stop all existing services::
-
-       systemctl stop postfix dovecot doveauth nginx opendkim unbound \
-         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
-         iroh-relay chatmail-metadata lastlogin mtail
-       systemctl disable postfix dovecot doveauth nginx opendkim unbound \
-         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
-         iroh-relay chatmail-metadata lastlogin mtail
-
-2. Copy your existing ``chatmail.ini`` and mount it into the container
-   (see `Custom chatmail.ini`_ above)::
-
-       cp /usr/local/lib/chatmaild/chatmail.ini ./chatmail.ini
-
-3. Copy persistent data into the ``./data/`` subdirectories (for example, as configured in `Customize and start`_) ::
-
-       mkdir -p data/dkim data/certs data/mail
-
-       # DKIM keys
-       cp -a /etc/dkimkeys/* data/dkim/
-
-       # TLS certificates
-       rsync -a /var/lib/acme/ data/certs/
-
-   Note that ownership of dkim and acme is adjusted on container start.
-
-   For the mail directory::
-
-       rsync -a /home/vmail/ data/mail/
-
-   Alternatively, mount ``/home/vmail`` directly by changing the volume
-   in ``docker-compose-override.yaml``::
-
-       - /home/vmail:/home/vmail
-
-   The three ``./data/`` subdirectories cover all persistent state.
-   Everything else is regenerated by the ``configure`` and ``activate``
-   stages on container start.
-
-Building the image
-------------------
-
-Clone the repository and build the Docker image::
-
-    git clone https://github.com/chatmail/relay
-    cd relay
-    docker compose build chatmail
-
-The build bakes all binaries, Python packages, and the install stage
-into the image. After building, only ``docker-compose.yaml`` and a ``.env`` with
-``MAIL_DOMAIN`` are needed to run the container.
-
-You can transfer a locally built image to your server directly (pigz is parallel `gzip` which can be used instead as well) ::
-
-    docker save chatmail-relay:latest | pigz | ssh chat.example.org 'pigz -d | docker load'
-
-
-Forcing a full reinstall
-------------------------
-
-On container start, only the ``configure`` and ``activate`` stages run by default.
-
-To force a full reinstall (e.g. after updating the source), either
-rebuild the image::
-
-    docker compose build chatmail
-    docker compose up -d
-
-Or override the stages at runtime without rebuilding::
-
-    CMDEPLOY_STAGES="install,configure,activate" docker compose up -d

doc/source/getting_started.rst

@@ -47,14 +47,6 @@ steps. Please substitute it with your own domain.
        www.chat.example.org. 3600 IN CNAME chat.example.org.
        mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
 
-   .. note::
-
-      For experimental deployments using self-signed certificates,
-      use a domain name starting with ``_``
-      (e.g. ``_chat.example.org``).
-      The ``mta-sts`` CNAME and ``_mta-sts`` TXT records
-      are not needed for such domains.
-
 2. On your local PC, clone the repository and bootstrap the Python
    virtualenv.
 
@@ -71,16 +63,6 @@ steps. Please substitute it with your own domain.
 
        scripts/cmdeploy init chat.example.org  # <-- use your domain
 
-   To use self-signed TLS certificates
-   instead of Let's Encrypt,
-   use a domain name starting with ``_``
-   (e.g. ``scripts/cmdeploy init _chat.example.org``).
-   Domains starting with ``_`` cannot obtain WebPKI certificates,
-   so self-signed mode is derived automatically.
-   This is useful for private or test deployments.
-   See the :doc:`overview`
-   for details on certificate provisioning.
-
 4. Verify that SSH root login to the deployment server server works:
 
    ::
@@ -101,8 +83,9 @@ steps. Please substitute it with your own domain.
 Docker installation
 -------------------
 
-There is experimental support for running chatmail via Docker Compose.
-See :doc:`docker` for full setup instructions.
+We have experimental support for `docker compose <https://github.com/chatmail/relay/blob/docker-rebase/docs/DOCKER_INSTALLATION_EN.md>`_,
+but it is not covered by automated tests yet,
+so don't expect everything to work.
 
 Other helpful commands
 ----------------------
@@ -193,51 +176,6 @@ creating addresses, login with ssh to the deployment machine and run:
 Chatmail address creation will be denied while this file is present.
 
 
-Running a relay with self-signed certificates
-----------------------------------------------
-
-Use a domain name starting with ``_`` (e.g. ``_chat.example.org``)
-to run a relay with self-signed certificates.
-Domains starting with ``_`` cannot obtain WebPKI certificates
-so the relay automatically uses self-signed certificates
-and all other relays will accept connections from it
-without requiring certificate verification.
-This is useful for experimental setups and testing.
-
-.. _external-tls:
-
-Running a relay with externally managed certificates
------------------------------------------------------
-
-If you already have a TLS certificate manager
-(e.g. Traefik, certbot, or another ACME client)
-running on the deployment server,
-you can configure the relay to use those certificates
-instead of the built-in ``acmetool``.
-
-Set the following in ``chatmail.ini``::
-
-    tls_external_cert_and_key = /path/to/fullchain.pem /path/to/privkey.pem
-
-The paths must point to certificate and key files
-on the deployment server.
-During ``cmdeploy run``, these paths are written into
-the Postfix, Dovecot, and Nginx configurations.
-No certificate files are transferred from the build machine —
-they must already exist on the server,
-managed by your external certificate tool.
-
-The deploy will verify that both files exist on the server.
-``acmetool`` is **not** installed or run in this mode.
-
-.. note::
-
-   You are responsible for certificate renewal.
-   When the certificate file changes on disk,
-   all relay services pick up the new certificate automatically
-   (via a systemd path watcher installed during deploy).
-
-
 Migrating to a new build machine
 ----------------------------------
 

doc/source/index.rst

@@ -13,7 +13,6 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
     :maxdepth: 5
 
     getting_started
-    docker
     proxy
     migrate
     overview

doc/source/overview.rst

@@ -297,7 +297,8 @@ TLS requirements
 
 Postfix is configured to require valid TLS by setting
 `smtp_tls_security_level <https://www.postfix.org/postconf.5.html#smtp_tls_security_level>`_
-to ``verify``.
+to ``verify``. If emails don’t arrive at your chatmail relay server, the
+problem is likely that your relay does not have a valid TLS certificate.
 
 You can test it by resolving ``MX`` records of your relay domain and
 then connecting to MX relays (e.g ``mx.example.org``) with
@@ -308,11 +309,6 @@ When providing a TLS certificate to your chatmail relay server, make
 sure to provide the full certificate chain and not just the last
 certificate.
 
-If you use an external certificate manager (e.g. Traefik or certbot),
-set ``tls_external_cert_and_key`` in ``chatmail.ini``
-to provide the certificate and key paths.
-See :ref:`external-tls` for details.
-
 If you are running an Exim server and don’t see incoming connections
 from a chatmail relay server in the logs, make sure ``smtp_no_mail`` log
 item is enabled in the config with ``log_selector = +smtp_no_mail``. By
@@ -321,14 +317,6 @@ default Exim does not log sessions that are closed before sending the
 by Postfix, so you might think that connection is not established while
 actually it is a problem with your TLS certificate.
 
-If emails don’t arrive at your chatmail relay server, the
-problem is likely that your relay does not have a valid TLS certificate.
-
-Note that connections to relays with underscore-prefixed test domains
-(e.g. ``_chat.example.org``) use ``encrypt`` tls security level,
-because such domains cannot obtain valid Let's Encrypt certificates
-and run with self-signed certificates.
-
 
 .. _dovecot: https://dovecot.org
 .. _postfix: https://www.postfix.org

docker-compose.override.yaml.example

@@ -1,40 +0,0 @@
-# Local overrides — copy to docker-compose.override.yaml in the repo root.
-# Compose automatically merges this with docker-compose.yaml.
-#
-#   cp docker-compose.override.yaml.example docker-compose.override.yaml
-#
-# Volumes are APPENDED to the base file's volumes list.
-# Environment and other scalar keys are MERGED by key.
-services:
-  chatmail:
-    volumes:
-      ## Data paths — bind-mount to host directories for easy access/backup.
-
-      # - ./data/dkim:/etc/dkimkeys
-      # - ./data/certs:/var/lib/acme
-
-      # - ./data/mail:/home/vmail
-      ## Or mount from an existing bare-metal install.
-      # - /home/vmail:/home/vmail
-
-      ## Mount your own chatmail.ini (skips auto-generation):
-      # - ./chatmail.ini:/etc/chatmail/chatmail.ini
-
-      ## Custom website:
-      # - ./custom/www:/opt/chatmail-www
-
-      ## Debug — mount scripts from the repo for live editing:
-      # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
-      # - ./docker/files/entrypoint.sh:/entrypoint.sh
-
-    # environment:
-      ## Mount certs (above) and set TLS_EXTERNAL_CERT_AND_KEY to in-container paths.
-      ## Changed certs are picked up automatically (inotify via tls-cert-reload.path).
-      ##
-      ## Host acmetool (bare-metal migration): create mount above, and
-      ##   rsync -a /var/lib/acme/live data/certs
-      # TLS_EXTERNAL_CERT_AND_KEY: "/var/lib/acme/live/${MAIL_DOMAIN}/fullchain /var/lib/acme/live/${MAIL_DOMAIN}/privkey"
-      ##
-      ## (Untested) Traefik certs-dumper (see docker/docker-compose-traefik.yaml) - also add volume:
-      ##   - traefik-certs:/certs:ro
-      # TLS_EXTERNAL_CERT_AND_KEY: "/certs/${MAIL_DOMAIN}/certificate.crt /certs/${MAIL_DOMAIN}/privatekey.key"

docker-compose.yaml

@@ -1,25 +1,14 @@
-# Base compose file — do not edit. Put customizations (data paths, extra
-# volumes, env overrides) in docker-compose.override.yaml instead.
-# See docker/docker-compose.override.yaml.example for a starting point.
-#
-# Security note: this container uses network_mode:host (chatmail needs many
-# ports: 25, 53, 80, 143, 443, 465, 587, 993, 3340, 8443) and cgroup:host
-# (required for systemd). Together these give the container near-host-level
-# access. This is acceptable for a dedicated mail server, but be aware that
-# the container can bind any port and see all host network traffic.
 services:
   chatmail:
     build:
       context: ./
       dockerfile: docker/chatmail_relay.dockerfile
-      args:
-        GIT_HASH: ${GIT_HASH:-unknown}
     image: chatmail-relay:latest
     restart: unless-stopped
     container_name: chatmail
     # Required for systemd — use only one of the following:
-    cgroup: host          # compose v2
-    # privileged: true    # compose v1 (less restricted)
+    cgroup: host          # compose v2 only
+    # privileged: true    # compose v1 (not tested)
     tty: true # required for logs
     tmpfs: # required for systemd
       - /tmp
@@ -31,17 +20,33 @@ services:
         max-size: "10m"
         max-file: "3"
     environment:
+      CHANGE_KERNEL_SETTINGS: "False"
       MAIL_DOMAIN: $MAIL_DOMAIN
+      ACME_EMAIL: $ACME_EMAIL
+      RECREATE_VENV: $RECREATE_VENV
+      MAX_MESSAGE_SIZE: $MAX_MESSAGE_SIZE
+      DEBUG_COMMANDS_ENABLED: $DEBUG_COMMANDS_ENABLED
+      FORCE_REINIT_INI_FILE: $FORCE_REINIT_INI_FILE
+      USE_FOREIGN_CERT_MANAGER: $USE_FOREIGN_CERT_MANAGER
+      ENABLE_CERTS_MONITORING: $ENABLE_CERTS_MONITORING
+      CERTS_MONITORING_TIMEOUT: $CERTS_MONITORING_TIMEOUT
+      IS_DEVELOPMENT_INSTANCE: $IS_DEVELOPMENT_INSTANCE
+      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
     network_mode: "host"
     volumes:
-      ## system (required)
-      - /sys/fs/cgroup:/sys/fs/cgroup:rw
-      ## data (defaults — override in docker-compose.override.yaml)
-      - mail:/home/vmail
-      - dkim:/etc/dkimkeys
-      - certs:/var/lib/acme
+      ## system
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw # required for systemd
+      - ./:/opt/chatmail
 
-volumes:
-  mail:
-  dkim:
-  certs:
+      ## data
+      - ./data/chatmail:/home
+      - ./data/chatmail-dkimkeys:/etc/dkimkeys
+      - ./data/chatmail-acme:/var/lib/acme
+
+      ## custom resources
+      # - ./custom/www/src/index.md:/opt/chatmail/www/src/index.md
+
+      ## debug
+      # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
+      # - ./docker/files/entrypoint.sh:/entrypoint.sh
+      # - ./docker/files/update_ini.sh:/update_ini.sh

docker/build.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-# Build the chatmail Docker image with the current git hash baked in.
-# Usage: ./docker/build.sh [extra docker-compose build args...]
-#
-# .git/ is excluded from the build context (.dockerignore) so the hash
-# must be passed as a build arg from the host.
-
-export GIT_HASH=$(git rev-parse --short HEAD)
-exec docker compose build "$@"

docker/chatmail_relay.dockerfile

@@ -8,7 +8,7 @@ RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \
     apt-get install -y \
         ca-certificates && \
     DEBIAN_FRONTEND=noninteractive \
-    TZ=UTC \
+    TZ=Europe/London \
     apt-get install -y tzdata && \
     apt-get install -y locales && \
     sed -i -e "s/# $LANG.*/$LANG UTF-8/" /etc/locale.gen && \
@@ -37,58 +37,59 @@ RUN apt-get update && \
         libnginx-mod-stream \
         fcgiwrap \
         cron \
+    && for pkg in core imapd lmtpd; do \
+      case "$pkg" in \
+        core) sha256="43f593332e22ac7701c62d58b575d2ca409e0f64857a2803be886c22860f5587" ;; \
+        imapd) sha256="8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86" ;; \
+        lmtpd) sha256="2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab" ;; \
+      esac; \
+      url="https://download.delta.chat/dovecot/dovecot-${pkg}_2.3.21%2Bdfsg1-3_amd64.deb"; \
+      file="/tmp/$(basename "$url")"; \
+      curl -fsSL "$url" -o "$file"; \
+      echo "$sha256  $file" | sha256sum -c -; \
+      apt-get install -y "$file"; \
+      rm -f "$file"; \
+    done \
     && rm -rf /var/lib/apt/lists/*
 
-# --- Build-time: install cmdeploy venv and run install stage ---
-# Editable install so importlib.resources reads directly from the source tree.
-# On container start only "configure,activate" stages run.
-COPY . /opt/chatmail/
 WORKDIR /opt/chatmail
 
+# --- Build-time install stage ---
+# Bake the "install" deployer stage into the image; we can't use
+# scripts/initenv.sh because /opt/chatmail is empty at build time as 
+# source arrives at runtime via volume mount., so we use a throwaway venv.
+# On container start only "configure,activate" stages run.
+COPY . /tmp/chatmail-src/
+WORKDIR /tmp/chatmail-src
+
+# Dummy config — deploy_chatmail() needs a parseable ini to instantiate deployers
 RUN printf '[params]\nmail_domain = build.local\n' > /tmp/chatmail.ini
 
-# Dummy git repo init: .git/ is excluded from the build context (.dockerignore)
-# but setuptools calls `git ls-files` when building the sdist.
-RUN git init -q && \
-    python3 -m venv /opt/cmdeploy && \
-    /opt/cmdeploy/bin/pip install --no-cache-dir \
-        -e chatmaild/ -e cmdeploy/
+# Do what initenv.sh would do without the docs
+RUN python3 -m venv /tmp/build-venv && \
+    /tmp/build-venv/bin/pip install --no-cache-dir \
+        -e chatmaild -e cmdeploy
 
 RUN CMDEPLOY_STAGES=install \
     CHATMAIL_INI=/tmp/chatmail.ini \
-    CHATMAIL_NOSYSCTL=True \
-    CHATMAIL_NOPORTCHECK=True \
-    /opt/cmdeploy/bin/pyinfra @local \
-        /opt/chatmail/cmdeploy/src/cmdeploy/run.py -y
+    CHATMAIL_DOCKER=True \
+    /tmp/build-venv/bin/pyinfra @local \
+        /tmp/chatmail-src/cmdeploy/src/cmdeploy/run.py -y
 
-RUN cp -a www/ /opt/chatmail-www/
+RUN rm -rf /tmp/chatmail-src /tmp/build-venv /tmp/chatmail.ini
 
-RUN rm -f /tmp/chatmail.ini
-
-# Record image version (used in deploy fingerprint at runtime).
-# GIT_HASH is passed as a build arg (from docker-compose or CI) so that
-# .git/ can be excluded from the build context via .dockerignore.
-ARG GIT_HASH=unknown
-RUN echo "$GIT_HASH" > /etc/chatmail-image-version && \
-    echo "$GIT_HASH" > /etc/chatmail-version
-# --- End build-time install ---
-
-ENV TZ=:/etc/localtime
-ENV PATH="/opt/cmdeploy/bin:${PATH}"
-RUN ln -s /etc/chatmail/chatmail.ini /opt/chatmail/chatmail.ini
+WORKDIR /opt/chatmail
+# --- End build-time install stage ---
 
 ARG SETUP_CHATMAIL_SERVICE_PATH=/lib/systemd/system/setup_chatmail.service
 COPY ./docker/files/setup_chatmail.service "$SETUP_CHATMAIL_SERVICE_PATH"
 RUN ln -sf "$SETUP_CHATMAIL_SERVICE_PATH" "/etc/systemd/system/multi-user.target.wants/setup_chatmail.service"
 
-# Remove default nginx site config at build time (not in entrypoint)
-RUN rm -f /etc/nginx/sites-enabled/default
-
 COPY --chmod=555 ./docker/files/setup_chatmail_docker.sh /setup_chatmail_docker.sh
+COPY --chmod=555 ./docker/files/update_ini.sh /update_ini.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
 
-HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
-  CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
+VOLUME ["/sys/fs/cgroup", "/home"]
 
 STOPSIGNAL SIGRTMIN+3
 

docker/cm_ini_to_env.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+"""Convert a chatmail.ini to a Docker .env file.
+
+Usage: python docker/cm_ini_to_env.py [chatmail.ini] [.env]
+
+Reads the ini file, extracts all non-default key=value pairs,
+and writes them as UPPER_CASE env vars suitable for docker-compose.
+"""
+
+import configparser
+import sys
+from pathlib import Path
+
+# Keys that only make sense for bare-metal deploys or are handled
+# separately by the Docker setup and should not appear in .env.
+SKIP_KEYS = set()
+
+# Keys that exist in .env but have a different name than the ini key.
+# ini_key -> env_key
+RENAMES = {}
+
+
+def read_ini(path):
+    """Return dict of key=value from [params] section."""
+    cp = configparser.ConfigParser()
+    cp.read(path)
+    if not cp.has_section("params"):
+        sys.exit(f"Error: {path} has no [params] section")
+    return dict(cp.items("params"))
+
+
+def read_defaults():
+    """Return dict of default values from the ini template."""
+    template = Path(__file__).resolve().parent.parent / "chatmaild/src/chatmaild/ini/chatmail.ini.f"
+    if not template.exists():
+        return {}
+    cp = configparser.ConfigParser()
+    cp.read(template)
+    if not cp.has_section("params"):
+        return {}
+    defaults = {}
+    for key, value in cp.items("params"):
+        # Template placeholders like {mail_domain} aren't real defaults.
+        if "{" not in value:
+            defaults[key] = value
+    return defaults
+
+
+def ini_to_env(ini_path, only_non_default=True):
+    """Yield (ENV_KEY, value) pairs from an ini file."""
+    params = read_ini(ini_path)
+    defaults = read_defaults() if only_non_default else {}
+
+    for key, value in sorted(params.items()):
+        if key in SKIP_KEYS:
+            continue
+        if only_non_default and key in defaults and value.strip() == defaults[key].strip():
+            continue
+        env_key = RENAMES.get(key, key.upper())
+        yield env_key, value.strip()
+
+
+def main():
+    ini_path = sys.argv[1] if len(sys.argv) > 1 else "chatmail.ini"
+    env_path = sys.argv[2] if len(sys.argv) > 2 else None
+
+    if not Path(ini_path).exists():
+        sys.exit(f"Error: {ini_path} not found")
+
+    lines = []
+    for env_key, value in ini_to_env(ini_path):
+        lines.append(f'{env_key}="{value}"')
+
+    output = "\n".join(lines) + "\n"
+
+    if env_path:
+        Path(env_path).write_text(output)
+        print(f"Wrote {len(lines)} variables to {env_path}")
+    else:
+        print(output, end="")
+
+
+if __name__ == "__main__":
+    main()

docker/example.env

@@ -0,0 +1,11 @@
+MAIL_DOMAIN="chat.example.com"
+# ACME_EMAIL=""
+# RECREATE_VENV="false"
+# MAX_MESSAGE_SIZE="50M"
+# DEBUG_COMMANDS_ENABLED="true"
+# FORCE_REINIT_INI_FILE="true"
+# USE_FOREIGN_CERT_MANAGER="True"
+# ENABLE_CERTS_MONITORING="true"
+# CERTS_MONITORING_TIMEOUT=10
+# IS_DEVELOPMENT_INSTANCE="True"
+# CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.

docker/files/entrypoint.sh

@@ -1,12 +1,11 @@
 #!/bin/bash
 set -eo pipefail
 
+unlink /etc/nginx/sites-enabled/default || true
+
 SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/setup_chatmail.service}"
 
-# Whitelist only the env vars needed by setup_chatmail_docker.sh.
-# Forwarding all env vars (via printenv) would leak Docker internals,
-# orchestrator secrets, and other unrelated variables into systemd.
-env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI TLS_EXTERNAL_CERT_AND_KEY PATH"
-sed -i "s|<envs_list>|$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
+env_vars=$(printenv | cut -d= -f1 | xargs)
+sed -i "s|<envs_list>|$env_vars|g" $SETUP_CHATMAIL_SERVICE_PATH
 
-exec /lib/systemd/systemd "$@"
+exec /lib/systemd/systemd $@

docker/files/setup_chatmail_docker.sh

@@ -1,63 +1,84 @@
 #!/bin/bash
 
-set -euo pipefail
-export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
-export CHATMAIL_NOSYSCTL=True
-export CHATMAIL_NOPORTCHECK=True
-
-CMDEPLOY=/opt/cmdeploy/bin/cmdeploy
+set -eo pipefail
+export INI_FILE="${INI_FILE:-chatmail.ini}"
+export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
+export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
+export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+export CHANGE_KERNEL_SETTINGS=${CHANGE_KERNEL_SETTINGS:-"False"}
+export RECREATE_VENV=${RECREATE_VENV:-"false"}
 
 if [ -z "$MAIL_DOMAIN" ]; then
     echo "ERROR: Environment variable 'MAIL_DOMAIN' must be set!" >&2
     exit 1
 fi
 
+debug_commands() {
+    echo "Executing debug commands"
+    # git config --global --add safe.directory /opt/chatmail
+    # ./scripts/initenv.sh
+}
+
+calculate_hash() {
+    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
+}
+
+monitor_certificates() {
+    if [ "$ENABLE_CERTS_MONITORING" != "true" ]; then
+        echo "Certs monitoring disabled."
+        exit 0
+    fi
+
+    current_hash=$(calculate_hash)
+    previous_hash=$current_hash
+
+    while true; do
+        current_hash=$(calculate_hash)
+        if [[ "$current_hash" != "$previous_hash" ]]; then
+        # TODO: add an option to restart at a specific time interval 
+            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
+            systemctl reload nginx.service
+            systemctl reload dovecot.service
+            systemctl reload postfix.service
+            previous_hash=$current_hash
+        fi
+        sleep $CERTS_MONITORING_TIMEOUT
+    done
+}
+
 ### MAIN
 
-if [ ! -f /etc/dkimkeys/opendkim.private ]; then
-    /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d "$MAIL_DOMAIN" -s opendkim
+if [ "$DEBUG_COMMANDS_ENABLED" = true ]; then
+    debug_commands
 fi
-# Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
-chown -R opendkim:opendkim /etc/dkimkeys
 
-# Journald: forward to console for docker logs
-grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
-    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
+if [ "$FORCE_REINIT_INI_FILE" = true ]; then 
+    INI_CMD_ARGS=--force
+fi
+
+if [ ! -f /etc/dkimkeys/opendkim.private ]; then
+    /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d $MAIL_DOMAIN -s opendkim
+fi
+chown opendkim:opendkim /etc/dkimkeys/opendkim.private
+chown opendkim:opendkim /etc/dkimkeys/opendkim.txt
+
+# TODO: Move to debug_commands after git clone is moved to dockerfile. 
+git config --global --add safe.directory /opt/chatmail
+if [ "$RECREATE_VENV" = true ]; then
+    rm -rf venv
+fi
+# Skip venv creation if it already exists
+if [ ! -x venv/bin/python ] || [ ! -x venv/bin/cmdeploy ]; then
+    ./scripts/initenv.sh
+fi
+
+./scripts/cmdeploy init --config "${INI_FILE}" $INI_CMD_ARGS $MAIL_DOMAIN || true
+bash /update_ini.sh
+
+export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
+./scripts/cmdeploy run --ssh-host @docker
+
+echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald
 
-# Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
-mkdir -p "$(dirname "$CHATMAIL_INI")"
-if [ ! -f "$CHATMAIL_INI" ]; then
-    $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
-fi
-
-# Inject external TLS paths from env var (unless user mounted their own ini)
-if [ -n "${TLS_EXTERNAL_CERT_AND_KEY:-}" ]; then
-    if ! grep -q '^tls_external_cert_and_key' "$CHATMAIL_INI"; then
-        echo "tls_external_cert_and_key = $TLS_EXTERNAL_CERT_AND_KEY" >> "$CHATMAIL_INI"
-    fi
-fi
-
-# --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
-# On restart with identical image+config, systemd already brings up all
-# enabled services — the full cmdeploy run is redundant (~30s saved).
-# The install stage runs at image build time (Dockerfile), so only
-# configure+activate are needed here.
-IMAGE_VERSION_FILE="/etc/chatmail-image-version"
-FINGERPRINT_FILE="/etc/chatmail/.deploy-fingerprint"
-image_ver="none"
-[ -f "$IMAGE_VERSION_FILE" ] && image_ver=$(cat "$IMAGE_VERSION_FILE")
-config_hash=$(sha256sum "$CHATMAIL_INI" | cut -c1-16)
-current_fp="${image_ver}:${config_hash}"
-
-# CMDEPLOY_STAGES non-empty in env = operator override → always run.
-# Otherwise, if fingerprint matches the last successful deploy, skip.
-if [ -z "${CMDEPLOY_STAGES:-}" ] \
-    && [ -f "$FINGERPRINT_FILE" ] \
-    && [ "$(cat "$FINGERPRINT_FILE")" = "$current_fp" ]; then
-    echo "[INFO] No changes detected ($current_fp), skipping deploy."
-else
-    export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
-    $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local
-    echo "$current_fp" > "$FINGERPRINT_FILE"
-fi
+monitor_certificates &

docker/files/update_ini.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+set -eo pipefail
+
+INI_FILE="${INI_FILE:-chatmail.ini}"
+
+if [ ! -f "$INI_FILE" ]; then
+    echo "Error: file $INI_FILE not found." >&2
+    exit 1
+fi
+
+TMP_FILE="$(mktemp)"
+
+convert_to_bytes() {
+    local value="$1"
+    if [[ "$value" =~ ^([0-9]+)([KkMmGgTt])$ ]]; then
+        local num="${BASH_REMATCH[1]}"
+        local unit="${BASH_REMATCH[2]}"
+        case "$unit" in
+            [Kk]) echo $((num * 1024)) ;;
+            [Mm]) echo $((num * 1024 * 1024)) ;;
+            [Gg]) echo $((num * 1024 * 1024 * 1024)) ;;
+            [Tt]) echo $((num * 1024 * 1024 * 1024 * 1024)) ;;
+        esac
+    elif [[ "$value" =~ ^[0-9]+$ ]]; then
+        echo "$value"
+    else
+        echo "Error: incorrect size format: $value." >&2
+        return 1
+    fi
+}
+
+process_specific_params() {
+    local key=$1
+    local value=$2
+    local destination_file=$3
+
+    if [[ "$key" == "max_message_size" ]]; then
+        converted=$(convert_to_bytes "$value") || exit 1
+        if grep -q -e "## .* = .* bytes" "$destination_file"; then 
+            sed "s|## .* = .* bytes|## $value = $converted bytes|g" "$destination_file";
+        else
+            echo "## $value = $converted bytes"  >> "$destination_file"
+        fi
+        echo "$key = $converted" >> "$destination_file"
+    else
+        echo "$key = $value" >> "$destination_file"
+    fi
+}
+
+while IFS= read -r line; do
+    if [[ "$line" =~ ^[[:space:]]*#.* || "$line" =~ ^[[:space:]]*$ ]]; then
+        echo "$line" >> "$TMP_FILE"
+        continue
+    fi
+
+    if [[ "$line" =~ ^([a-z0-9_]+)[[:space:]]*=[[:space:]]*(.*)$ ]]; then
+        key="${BASH_REMATCH[1]}"
+        current_value="${BASH_REMATCH[2]}"
+        env_var_name=$(echo "$key" | tr 'a-z' 'A-Z')
+        env_value="${!env_var_name}"
+
+        if [[ -n "$env_value" ]]; then
+            process_specific_params "$key" "$env_value" "$TMP_FILE"
+        else
+            echo "$line" >> "$TMP_FILE"
+        fi
+    else
+        echo "$line" >> "$TMP_FILE"
+    fi
+done < "$INI_FILE"
+
+PERMS=$(stat -c %a "$INI_FILE")
+OWNER=$(stat -c %u "$INI_FILE")
+GROUP=$(stat -c %g "$INI_FILE")
+
+chmod "$PERMS" "$TMP_FILE"
+chown "$OWNER":"$GROUP" "$TMP_FILE"
+
+mv "$TMP_FILE" "$INI_FILE"

docs/DOCKER_INSTALLATION_EN.md

@@ -0,0 +1,185 @@
+# Known issues and limitations
+
+- Requires cgroups v2 configured in the system. Operation with cgroups v1 has not been tested.
+- Yes, of course, using systemd inside a container is a hack, and it would be better to split it into several services, but since this is an MVP, it turned out to be easier to do it this way initially than to rewrite the entire deployment system.
+- The Docker image is only suitable for amd64. If you need to run it on a different architecture, try modifying the Dockerfile (specifically the part responsible for installing dovecot).
+
+# Docker installation
+This section provides instructions for installing Chatmail using Docker Compose.
+
+**Note:** Docker Compose v2 is required (`docker compose`, not `docker-compose`) for its support of the `cgroup: host` option in `docker-compose.yaml` is only supported by Compose v2.
+[see documentation](https://docs.docker.com/engine/install/debian/#install-using-the-repository)
+```shell
+apt install docker-ce docker-compose-plugin docker.io- docker-compose-
+```
+
+## Preliminary setup
+We use `chat.example.org` as the Chatmail domain in the following steps.
+Please substitute it with your own domain.
+
+1. Setup the initial DNS records.
+   The following is an example in the familiar BIND zone file format with
+   a TTL of 1 hour (3600 seconds).
+   Please substitute your domain and IP addresses.
+
+   ```
+    chat.example.com. 3600 IN A 198.51.100.5
+    chat.example.com. 3600 IN AAAA 2001:db8::5
+    www.chat.example.com. 3600 IN CNAME chat.example.com.
+    mta-sts.chat.example.com. 3600 IN CNAME chat.example.com.
+   ```
+
+2. clone the repository on your server.
+
+   ```shell
+    git clone https://github.com/chatmail/relay
+    cd relay
+   ```
+
+## Installation
+
+1. Configure kernel parameters because they cannot be changed inside the container, specifically `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches`. Run the following:
+
+```shell
+echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
+echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
+sudo sysctl --system
+```
+
+2. Copy `./docker/example.env` and rename it to `.env`. This file stores variables used in `docker-compose.yaml`.
+
+```shell
+cp ./docker/example.env .env
+```
+
+3. Configure environment variables in the `.env` file. These variables are used in the `docker-compose.yaml` file to pass repeated values.
+   Below is the list of variables used during deployment:
+
+- `MAIL_DOMAIN` – The domain name of the future server. (required)
+- `DEBUG_COMMANDS_ENABLED` – Run debug commands before installation. (default: `false`)
+- `FORCE_REINIT_INI_FILE` – Recreate the ini configuration file on startup. (default: `false`)
+- `USE_FOREIGN_CERT_MANAGER` – Use a third-party certificate manager. (default: `false`)
+- `RECREATE_VENV` - Recreate the virtual environment (venv). If set to `true`, the environment will be recreated when the container starts, which will increase the startup time of the service but can help avoid certain errors. (default: `false`)
+- `INI_FILE` – Path to the ini configuration file. (default: `./chatmail.ini`)
+- `PATH_TO_SSL` – Path to where the certificates are stored. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
+- `ENABLE_CERTS_MONITORING` – Enable certificate monitoring if `USE_FOREIGN_CERT_MANAGER=true`. If certificates change, services will be automatically restarted. (default: `false`)
+- `CERTS_MONITORING_TIMEOUT` – Interval in seconds to check if certificates have changed. (default: `'60'`)
+- `CMDEPLOY_STAGES` – Deployment stages to run on container start. (default: `"configure,activate"`). Set to `"install,configure,activate"` to force a full reinstall.
+
+You can also use any variables from the [ini configuration file](https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/ini/chatmail.ini.f); they must be in uppercase.
+
+4. Build the Docker image:
+
+```shell
+docker compose build chatmail
+```
+
+5. Start docker compose and wait for the installation to finish:
+
+```shell
+docker compose up -d # start service
+docker compose logs -f chatmail # view container logs, press CTRL+C to exit
+```
+
+### venv creation
+The first container start takes longer because it creates the cmdeploy Python virtualenv at `/opt/chatmail/venv` (persisted on the host via volume mount). Subsequent starts reuse the existing venv. Set `RECREATE_VENV=true` in `.env` to force a rebuild if needed.
+
+6. After installation is complete, you can open `https://<your_domain_name>` in your browser.
+
+## Using custom files
+
+When using Docker, you can apply modified configuration files to make the installation more personalized. This is usually needed for the `www/src` section so that the Chatmail landing page is customized to your taste, but it can be used for any other cases as well.
+
+To replace files correctly:
+
+1. Create the `./custom` directory. It is in `.gitignore`, so it won’t cause conflicts when updating.
+
+```shell
+mkdir -p ./custom
+```
+
+2. Modify the required file. For example, `index.md`:
+
+```shell
+mkdir -p ./custom/www/src
+nano ./custom/www/src/index.md
+```
+
+3. In `docker-compose.yaml`, add the file mount in the `volumes` section:
+
+```yaml
+services:
+  chatmail:
+    volumes:
+      ...
+      ## custom resources
+      - ./custom/www/src/index.md:/opt/chatmail/www/src/index.md
+```
+
+4. Restart the service:
+
+```shell
+docker compose down
+docker compose up -d
+```
+
+## Migrating from a bare-metal install
+
+If you have an existing bare-metal Chatmail installation and want to switch to Docker:
+
+1. Stop all existing services:
+
+```shell
+systemctl stop postfix dovecot doveauth nginx opendkim unbound acmetool-redirector \
+  filtermail filtermail-incoming chatmail-turn iroh-relay chatmail-metadata \
+  lastlogin mtail
+systemctl disable postfix dovecot doveauth nginx opendkim unbound acmetool-redirector \
+  filtermail filtermail-incoming chatmail-turn iroh-relay chatmail-metadata \
+  lastlogin mtail
+```
+
+2. Convert your existing `chatmail.ini` to the Docker `.env` format:
+
+```shell
+python3 docker/cm_ini_to_env.py /usr/local/lib/chatmaild/chatmail.ini .env
+```
+
+3. Copy persistent data into the `./data/` subdirectories:
+
+```shell
+mkdir -p data/chatmail-dkimkeys data/chatmail-acme data/chatmail
+
+# DKIM keys
+cp -a /etc/dkimkeys/* data/chatmail-dkimkeys/
+
+# ACME certificates and account
+rsync -a /var/lib/acme/ data/chatmail-acme/
+
+# Mail data
+rsync -a /home/ data/chatmail/
+```
+
+Alternatively, you can mount `/home/vmail` directly by changing the volume in `docker-compose.yaml`:
+
+```yaml
+- /home/vmail:/home/vmail
+```
+
+The three `./data/` subdirectories cover all persistent state. Everything else is regenerated by the `configure` and `activate` stages on container start.
+
+## Forcing a full reinstall
+
+The Docker image bakes the install stage (binary downloads, package setup, chatmaild venv) into the image at build time. On container start, only the `configure` and `activate` stages run by default.
+
+To force a full reinstall (e.g., after updating the source), either rebuild the image:
+
+```shell
+docker compose build chatmail
+docker compose up -d
+```
+
+Or override the stages at runtime without rebuilding:
+
+```shell
+CMDEPLOY_STAGES="install,configure,activate" docker compose up -d
+```

docs/DOCKER_INSTALLATION_RU.md

@@ -0,0 +1,174 @@
+# Известные проблемы и ограничения
+- Chatmail будет переустановлен при каждом запуске контейнера (при первом - долго, при последующих быстрее). Так устроен изначальный установщик, потому что он не был заточен под docker. В конце документации [представлено](#фиксирование-версии-chatmail) возможное решение
+- Требуется настроенный в системе cgroups v2. Работа с cgroups v1 не тестировалась.
+- Да, понятно дело что systemd использовать в контейнере костыль и надо это всё разнести на несколько сервисов, но это MVP и в первом приближении оказалось сделать проще так, чем переписывать всю систему развертывания.
+- docker образ подходит только для amd64, если нужно запустить на другой архитектуре, попробуйте изменить dockerfile (конкретно ту часть что ответсвенна за установку dovecot)
+
+# Docker installation
+Здесь представлена инструкция по установке chatmail с помощью docker-compose.
+
+## Предварительная настройка
+We use `chat.example.org` as the chatmail domain in the following steps.
+Please substitute it with your own domain. 
+
+1. Настройте начальные записи DNS.Ниже приведен пример в привычном формате файла зоны BIND сTTL 1 час (3600 секунд).
+   Замените домен и IP-адреса на свои.
+
+   ```
+    chat.example.com. 3600 IN A 198.51.100.5
+    chat.example.com. 3600 IN AAAA 2001:db8::5
+    www.chat.example.com. 3600 IN CNAME chat.example.com.
+    mta-sts.chat.example.com. 3600 IN CNAME chat.example.com.
+   ```
+
+2. Склонируйте репозиторий на свой сервер.
+
+   ```shell
+    git clone https://github.com/chatmail/relay
+    cd relay
+   ```
+
+## Installation
+
+1. Настроить параметры ядра, потому что внутри контейнера их нельзя изменить, а конкретно `fs.inotify.max_user_instances` и `fs.inotify.max_user_watches`. Для этого выполнить следующее:
+```shell
+echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
+echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
+sudo sysctl --system
+```
+
+2. Скопировать `./docker/example.env` и переименовать в `.env`. Здесь хранятся переменные, которые используются в `docker-compose.yaml`.
+```shell
+cp ./docker/example.env .env
+```
+
+3. Настроить переменные окружения в `.env` файле. Эти переменные используются в `docker-compose.yaml` файле, чтобы передавать повторяющиеся значения.
+   Ниже перечислен список переменных учавствующих при развертывании:
+
+- `MAIL_DOMAIN` - Доменное имя будущего сервера. (required)
+- `DEBUG_COMMANDS_ENABLED` - Выполнить debug команды перед установкой. (default: `false`)
+- `FORCE_REINIT_INI_FILE` - Пересоздавать ini файл конфигурации при запуске. (default: `false`)
+- `USE_FOREIGN_CERT_MANAGER` - Использовать сторонний менеджер сертификатов. (default: `false`)
+- `RECREATE_VENV` - Пересоздать виртуальное окружение (venv). Если выставлено `true`, то окружение будет пересоздано при запуске контейнера, из-за чего включение сервиса займет больше времени, но поможет избежать ряда ошибок. (default: `false`)
+- `INI_FILE` - путь к ini файлу конфигурации. (default: `./chatmail.ini`)
+- `PATH_TO_SSL` - Путь где располагаются сертификаты. (default: `/var/lib/acme/live/${MAIL_DOMAIN}`)
+- `ENABLE_CERTS_MONITORING` - Включить мониторинг сертификатов, если `USE_FOREIGN_CERT_MANAGER=true`.  Если сертфикаты изменятся сервисы будут автоматически перезапущены. (default: `false`)
+- `CERTS_MONITORING_TIMEOUT` - Раз во сколько секунд проверять что изменились сертификаты. (default: `'60'`)
+
+Также могут быть использованы все переменные из [ini файла конфигурации](https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/ini/chatmail.ini.f), они обязаны быть в uppercase формате. 
+
+4. Собрать docker образ
+```shell
+docker compose build chatmail
+```
+
+5. Запустить docker compose и дождаться завершения установки
+```shell
+docker compose up -d # запуск сервиса
+docker compose logs -f chatmail # просмотр логов контейнера. Для выхода нажать CTRL+C
+```
+
+6. По окончанию установки можно открыть в браузер `https://<your_domain_name>`
+
+## Использование кастомных файлов
+При использовании docker есть возможность использовать измененые файлы конфигурации, чтобы сделать установку более персонализированной. Обычно это требуется для секции `www/src`, чтобы ознакомительная страница Chatmail была сделана на ваш вкус. Но также это можно использовать и для любых других случаев.
+
+Для того чтобы корректно выполнить подмену файлов необходимо 
+1. создать каталог `./custom`, он находится в `.gitignore`, поэтому при обновлении не вызовет конфликтов.
+```shell
+mkdir -p ./custom
+```
+
+2. Изменить нужный файл. Для примера возьмем `index.md`
+```shell
+mkdir -p ./custom/www/src
+nano ./custom/www/src/index.md
+```
+
+3. В `docker-compose.yaml` добавить монтирование файла с помощью секции `volumes`
+```yaml
+services:
+  chatmail:
+    volumes:
+      ...
+      ## custom resources
+      - ./custom/www/src/index.md:/opt/chatmail/www/src/index.md
+```
+
+4. Перезапустить сервис
+```shell
+docker compose down
+docker compose up -d
+```
+
+## Фиксирование версии Chatmail
+> [!note]
+> Это опциональные шаги, их делать требуется только если вас не устраивает что сервис устанавливается каждый раз при запуске
+
+Поскольку в текущей версии docker chatmail сервис устанавливается каждый раз запуске контейнера, чтобы этого не происходило можно зафиксировать версию контейнера после установки. Делается это следующим образом:
+
+1. Зафиксировать текущее состояние сконфигурированного контейнера
+```shell
+docker container commit chatmail configured-chatmail:$(date +'%Y-%m-%d')
+docker image ls | grep configured-chatmail
+```
+
+2. Изменить entrypoint для контейнера в `docker-compose.yaml` на
+```yaml
+services:
+  chatmail:
+    image: <image name from step 1>
+    volumes:
+      ...
+      ## custom resources
+      - ./custom/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
+```
+
+3. Создать файл `./custom/setup_chatmail_docker.sh` с новым файлом конфигурации
+```shell
+mkdir -p ./custom
+cat > ./custom/setup_chatmail_docker.sh << 'EOF'
+#!/bin/bash
+
+set -eo pipefail
+
+export ENABLE_CERTS_MONITORING="${ENABLE_CERTS_MONITORING:-true}"
+export CERTS_MONITORING_TIMEOUT="${CERTS_MONITORING_TIMEOUT:-60}"
+export PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
+
+calculate_hash() {
+    find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}'
+}
+
+monitor_certificates() {
+    if [ "$ENABLE_CERTS_MONITORING" != "true" ]; then
+        echo "Certs monitoring disabled."
+        exit 0
+    fi
+
+    current_hash=$(calculate_hash)
+    previous_hash=$current_hash
+
+    while true; do
+        current_hash=$(calculate_hash)
+        if [[ "$current_hash" != "$previous_hash" ]]; then
+        # TODO: add an option to restart at a specific time interval 
+            echo "[INFO] Certificate's folder hash was changed, reloading nginx, dovecot and postfix services."
+            systemctl reload nginx.service
+            systemctl reload dovecot.service
+            systemctl reload postfix.service
+            previous_hash=$current_hash
+        fi
+        sleep $CERTS_MONITORING_TIMEOUT
+    done
+}
+
+monitor_certificates &
+EOF
+```
+
+4. Перезапустить сервис
+```shell
+docker compose down
+docker compose up -d
+```

env.example

@@ -1 +0,0 @@
-MAIL_DOMAIN=chat.example.com

www/src/dclogin.js

@@ -1,21 +0,0 @@
-/* dclogin profile generator for self-signed chatmail relays.
- * Fetches credentials from /new and generates a dclogin: QR code.
- * Requires qrcode-svg.min.js to be loaded first.
- */
-(function () {
-    function generateProfile() {
-        fetch('/new')
-            .then(function (r) { return r.json(); })
-            .then(function (data) {
-                var url = data.dclogin_url;
-                var link = document.getElementById('dclogin-link');
-                link.href = url;
-                var qrLink = document.getElementById('qr-link');
-                qrLink.href = url;
-                var qrCode = document.getElementById('qr-code');
-                var qr = new QRCode({ content: url, width: 300, height: 300, padding: 1, join: true });
-                qrCode.innerHTML = qr.svg();
-            });
-    }
-    generateProfile();
-})();

www/src/index.md

@@ -11,18 +11,6 @@ for Delta Chat users.  For details how it avoids storing personal information
 please see our [privacy policy](privacy.html). 
 {% endif %}
 
-{% if config.tls_cert_mode == "self" %}
-<a class="cta-button" id="dclogin-link" href="#">Get a {{config.mail_domain}} chat profile</a>
-
-If you are viewing this page on a different device
-without a Delta Chat app,
-you can also **scan this QR code** with Delta Chat:
-
-<a id="qr-link" href="#"><div id="qr-code"></div></a>
-
-<script src="qrcode-svg.min.js"></script>
-<script src="dclogin.js"></script>
-{% else %}
 <a class="cta-button" href="DCACCOUNT:https://{{ config.mail_domain }}/new">Get a {{config.mail_domain}} chat profile</a>
 
 If you are viewing this page on a different device
@@ -31,7 +19,6 @@ you can also **scan this QR code** with Delta Chat:
 
 <a href="DCACCOUNT:https://{{ config.mail_domain }}/new">
     <img width=300 style="float: none;" src="qr-chatmail-invite-{{config.mail_domain}}.png" /></a>
-{% endif %}
 
 🐣 **Choose** your Avatar and Name