postfix: discard all messages to nine.testrun.org

add asking domain at first
refactor: Move systemd-resolved service stop/disable from install to activate method.
2026-05-10 16:04:37 +00:00 · 2026-01-11 23:57:27 +01:00 · 2026-01-07 21:10:18 +01:00 · 2026-01-06 13:41:25 +01:00 · 2026-01-06 12:58:51 +01:00 · 2026-01-06 12:22:07 +01:00
157 changed files with 11011 additions and 2238 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Report something that isn't working.
+title: ''
+assignees: ''
+
+---
+
+<!--
+Please fill out as much of this form as you can (leaving out stuff that is not applicable is ok).
+-->
+
+- Server OS (Operating System) - preferably Debian 12: 
+- On which OS you run cmdeploy:
+- chatmail/relay version: `git rev-parse HEAD`
+
+## Expected behavior
+
+*What did you try to achieve?*
+
+## Actual behavior
+
+*What happened instead?*
+
+### Steps to reproduce the problem:
+
+1. 
+2.
+
+### Screenshots
+
+### Logs
+
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: true
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -9,7 +9,11 @@ jobs:
    name: isolated chatmaild tests
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        # Checkout pull request HEAD commit instead of merge commit
+        # Otherwise `test_deployed_state` will be unhappy.
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: run chatmaild tests 
        working-directory: chatmaild
@@ -19,7 +23,7 @@ jobs:
    name: deploy-chatmail tests 
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: initenv 
        run: scripts/initenv.sh
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -0,0 +1,53 @@
+name: documentation preview
+
+on:
+  pull_request:
+    paths:
+      - 'doc/**'
+      - 'scripts/build-docs.sh'
+      - '.github/workflows/docs-preview.yaml'
+
+jobs:
+  scripts:
+    name: build 
+    runs-on: ubuntu-latest
+    environment:
+      name: 'staging.chatmail.at/doc/relay/'
+      url: https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: initenv 
+        run: scripts/initenv.sh
+
+      - name: append venv/bin to PATH
+        run: echo `pwd`/venv/bin >>$GITHUB_PATH
+
+      - name: build documentation 
+        working-directory: doc
+        run: sphinx-build source build
+
+      - name: build documentation second time (for TOC)
+        working-directory: doc
+        run: sphinx-build source build
+
+      - name: Get Pullrequest ID
+        id: prepare
+        run: |
+          export PULLREQUEST_ID=$(echo "${{ github.ref }}" | cut -d "/" -f3)
+          echo "prid=$PULLREQUEST_ID" >> $GITHUB_OUTPUT
+          if [ $(expr length "${{ secrets.USERNAME }}") -gt "1" ]; then echo "uploadtoserver=true" >> $GITHUB_OUTPUT; fi
+      - run: |
+          echo "baseurl: /${{ steps.prepare.outputs.prid }}" >> _config.yml
+
+      - name: Upload preview
+        run: |
+          mkdir -p "$HOME/.ssh"
+          echo "${{ secrets.CHATMAIL_STAGING_SSHKEY }}" > "$HOME/.ssh/key"
+          chmod 600 "$HOME/.ssh/key"
+          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
+
+      - name: check links 
+        working-directory: doc
+        run: sphinx-build --builder linkcheck source build
+
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -0,0 +1,47 @@
+name: build and upload documentation
+
+on:
+  push:
+    branches:
+      - main
+      - 'missytake/docs-ci'
+    paths:
+      - 'doc/**'
+      - 'scripts/build-docs.sh'
+      - '.github/workflows/docs.yaml'
+
+jobs:
+  scripts:
+    name: build 
+    runs-on: ubuntu-latest
+    environment: 
+      name: 'chatmail.at/doc/relay/'
+      url: https://chatmail.at/doc/relay/
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: initenv 
+        run: scripts/initenv.sh
+
+      - name: append venv/bin to PATH
+        run: echo `pwd`/venv/bin >>$GITHUB_PATH
+
+      - name: build documentation 
+        working-directory: doc
+        run: sphinx-build source build
+
+      - name: build documentation second time (for TOC)
+        working-directory: doc
+        run: sphinx-build source build
+
+      - name: check links 
+        working-directory: doc
+        run: sphinx-build --builder linkcheck source build
+
+      - name: upload documentation
+        run: |
+          mkdir -p "$HOME/.ssh"
+          echo "${{ secrets.CHATMAIL_STAGING_SSHKEY }}" > "$HOME/.ssh/key"
+          chmod 600 "$HOME/.ssh/key"
+          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/chatmail.at/doc/relay/"
+
--- a/.github/workflows/staging-ipv4.testrun.org-default.zone
+++ b/.github/workflows/staging-ipv4.testrun.org-default.zone
@@ -0,0 +1,20 @@
+;; Zone file for staging-ipv4.testrun.org
+
+$ORIGIN staging-ipv4.testrun.org.
+$TTL 300
+
+@  IN  SOA     ns.testrun.org. root.nine.testrun.org (
+  2023010101 ; Serial
+  7200       ; Refresh
+  3600       ; Retry
+  1209600    ; Expire
+  3600       ; Negative response caching TTL
+)
+
+;; Nameservers.
+@  IN NS ns.testrun.org.
+
+;; DNS records.
+@       IN      A       37.27.95.249
+mta-sts.staging-ipv4.testrun.org.    CNAME   staging-ipv4.testrun.org.
+www.staging-ipv4.testrun.org.        CNAME   staging-ipv4.testrun.org.
--- a/.github/workflows/staging.testrun.org-default.zone
+++ b/.github/workflows/staging.testrun.org-default.zone
@@ -1,6 +1,6 @@
-;; Zone file for staging.testrun.org
+;; Zone file for staging2.testrun.org

-$ORIGIN staging.testrun.org.
+$ORIGIN staging2.testrun.org.
 $TTL 300

@  IN  SOA     ns.testrun.org. root.nine.testrun.org (
@@ -15,6 +15,7 @@ $TTL 300
@  IN NS ns.testrun.org.

 ;; DNS records.
-@       IN      A       37.27.37.98
-mta-sts.staging.testrun.org.    CNAME   staging.testrun.org.
-www.staging.testrun.org.        CNAME   staging.testrun.org.
+@       IN      A       37.27.24.139
+mta-sts.staging2.testrun.org.    CNAME   staging2.testrun.org.
+www.staging2.testrun.org.        CNAME   staging2.testrun.org.
+
--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -0,0 +1,95 @@
+name: deploy on staging-ipv4.testrun.org, and run tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths-ignore:
+      - 'scripts/**'
+      - '**/README.md'
+      - 'CHANGELOG.md'
+      - 'LICENSE'
+
+jobs:
+  deploy:
+    name: deploy on staging-ipv4.testrun.org, and run tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment:
+      name: staging-ipv4.testrun.org
+      url: https://staging-ipv4.testrun.org/
+    concurrency: staging-ipv4.testrun.org
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: prepare SSH
+        run: |
+          mkdir ~/.ssh
+          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan staging-ipv4.testrun.org > ~/.ssh/known_hosts
+          # save previous acme & dkim state
+          rsync -avz root@staging-ipv4.testrun.org:/var/lib/acme acme-ipv4 || true
+          rsync -avz root@staging-ipv4.testrun.org:/etc/dkimkeys dkimkeys-ipv4 || true
+          # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
+          if [ -f dkimkeys-ipv4/dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/ || true; fi
+          if [ "$(ls -A acme-ipv4/acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/ || true; fi
+          # make sure CAA record isn't set
+          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org systemctl reload nsd
+
+      - name: rebuild staging-ipv4.testrun.org to have a clean VPS
+        run: |
+            curl -X POST \
+            -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d '{"image":"debian-12"}' \
+            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_IPV4_SERVER_ID }}/actions/rebuild"
+
+      - run: scripts/initenv.sh
+
+      - name: append venv/bin to PATH
+        run: echo venv/bin >>$GITHUB_PATH
+
+      - name: upload TLS cert after rebuilding
+        run: |
+          echo " --- wait until staging-ipv4.testrun.org VPS is rebuilt --- "
+          rm ~/.ssh/known_hosts
+          while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u ; do sleep 1 ; done
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u
+          # download acme & dkim state from ns.testrun.org
+          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme-ipv4/acme acme-restore || true
+          rsync -avz root@ns.testrun.org:/tmp/dkimkeys-ipv4/dkimkeys dkimkeys-restore || true
+          # restore acme & dkim state to staging2.testrun.org
+          rsync -avz acme-restore/acme root@staging-ipv4.testrun.org:/var/lib/ || true
+          rsync -avz dkimkeys-restore/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown root:root -R /var/lib/acme || true
+
+      - name: run deploy-chatmail offline tests 
+        run: pytest --pyargs cmdeploy 
+
+      - run: |
+          cmdeploy init staging-ipv4.testrun.org
+          sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini
+
+      - run: cmdeploy run --verbose --skip-dns-check
+
+      - name: set DNS entries
+        run: |
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          cmdeploy dns --zonefile staging-generated.zone
+          cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
+          cat .github/workflows/staging-ipv4.testrun.org-default.zone
+          scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org systemctl reload nsd
+
+      - name: cmdeploy test
+        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow
+
+      - name: cmdeploy dns
+        run: cmdeploy dns -v
+
--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -1,4 +1,4 @@
-name: deploy on staging.testrun.org, and run tests
+name: deploy on staging2.testrun.org, and run tests

 on:
  push:
@@ -7,31 +7,41 @@ on:
  pull_request:
    paths-ignore:
      - 'scripts/**'
+      - '**/README.md'
+      - 'CHANGELOG.md'
+      - 'LICENSE'

 jobs:
  deploy:
-    name: deploy on staging.testrun.org, and run tests
+    name: deploy on staging2.testrun.org, and run tests
    runs-on: ubuntu-latest
-    concurrency:
-      group: staging-deploy
-      cancel-in-progress: true
+    timeout-minutes: 30
+    environment:
+      name: staging2.testrun.org
+      url: https://staging2.testrun.org/
+    concurrency: staging2.testrun.org
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: prepare SSH
        run: |
          mkdir ~/.ssh
          echo "${{ secrets.STAGING_SSH_KEY }}" >> ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
-          ssh-keyscan staging.testrun.org > ~/.ssh/known_hosts
+          ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts
          # save previous acme & dkim state
-          rsync -avz root@staging.testrun.org:/var/lib/acme . || true
-          rsync -avz root@staging.testrun.org:/etc/dkimkeys . || true
+          rsync -avz root@staging2.testrun.org:/var/lib/acme . || true
+          rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true
          # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
          if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi
-          if [ -z "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
+          if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
+          # make sure CAA record isn't set
+          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
+          ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone
+          ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone
+          ssh root@ns.testrun.org systemctl reload nsd

-      - name: rebuild staging.testrun.org to have a clean VPS
+      - name: rebuild staging2.testrun.org to have a clean VPS
        run: |
            curl -X POST \
            -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
@@ -46,41 +56,41 @@ jobs:

      - name: upload TLS cert after rebuilding
        run: |
-          echo " --- wait until staging.testrun.org VPS is rebuilt --- "
+          echo " --- wait until staging2.testrun.org VPS is rebuilt --- "
          rm ~/.ssh/known_hosts
-          while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u ; do sleep 1 ; done
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org id -u
+          while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u ; do sleep 1 ; done
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org id -u
          # download acme & dkim state from ns.testrun.org
          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme acme-restore || true
          rsync -avz root@ns.testrun.org:/tmp/dkimkeys dkimkeys-restore || true
-          # restore acme & dkim state to staging.testrun.org
-          rsync -avz acme-restore/acme/ root@staging.testrun.org:/var/lib/acme || true
-          rsync -avz dkimkeys-restore/dkimkeys/ root@staging.testrun.org:/etc/dkimkeys || true
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown root:root -R /var/lib/acme
+          # restore acme & dkim state to staging2.testrun.org
+          rsync -avz acme-restore/acme root@staging2.testrun.org:/var/lib/ || true
+          rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true

-      - name: run formatting checks 
-        run: cmdeploy fmt -v 
+      - name: add hpk42 key to staging server
+        run: ssh root@staging2.testrun.org 'curl -s https://github.com/hpk42.keys >> .ssh/authorized_keys'

      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

-      - run: cmdeploy init staging.testrun.org
+      - run: cmdeploy init staging2.testrun.org

-      - run: cmdeploy run
+      - run: cmdeploy run --verbose --skip-dns-check

      - name: set DNS entries
        run: |
-          ssh -o StrictHostKeyChecking=accept-new -v root@staging.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
-          cmdeploy dns --zonefile staging-generated.zone
+          ssh -o StrictHostKeyChecking=accept-new root@staging2.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          cmdeploy dns --zonefile staging-generated.zone --verbose
          cat staging-generated.zone >> .github/workflows/staging.testrun.org-default.zone
          cat .github/workflows/staging.testrun.org-default.zone
-          scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging.testrun.org.zone
-          ssh root@ns.testrun.org nsd-checkzone staging.testrun.org /etc/nsd/staging.testrun.org.zone
+          scp .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
+          ssh root@ns.testrun.org nsd-checkzone staging2.testrun.org /etc/nsd/staging2.testrun.org.zone
          ssh root@ns.testrun.org systemctl reload nsd

      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow
+        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow

-      - name: cmdeploy dns (try 3 times)
-        run: cmdeploy dns || cmdeploy dns || cmdeploy dns
+      - name: cmdeploy dns
+        run: cmdeploy dns -v

--- a/.python-version
+++ b/.python-version
@@ -0,0 +1 @@
+3.11
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,24 +1,491 @@
 # Changelog for chatmail deployment 

-## untagged
+## 1.9.0 2025-12-18
+
+### Documentation
+
+- Add RELEASE.md and CONTRIBUTING.md
+- README update, mention Chatmail Cookbook project
+
+### Bug Fixes
+
+- Expire messages also from IMAP subfolders
+- Use absolute path instead of relative path in message expiration script
+- Restart Postfix and Dovecot automatically on failure
+- acmetool: Use a fixed name and `reconcile` instead of `want`
+
+### Features
+
+- Report DKIM error code in SMTP response
+- Remove development notice from the web pages
+
+### Miscellaneous Tasks
+
+- Update the heading in the CHANGELOG.md
+- Setup git-cliff
+- Run tests against ci-chatmail.testrun.org instead of nine.testrun.org
+- Cleanup remaining echobot code, remove echobot user from deployment and passthrough recipients
+
+## 1.8.0 2025-12-12
+
+- Add imap_compress option to chatmail.ini
+  ([#760](https://github.com/chatmail/relay/pull/760))
+
+- Remove echobot from relays 
+  ([#753](https://github.com/chatmail/relay/pull/753))
+
+- Fix `cmdeploy webdev`
+  ([#743](https://github.com/chatmail/relay/pull/743))
+
+- Add robots.txt to exclude all web crawlers
+  ([#732](https://github.com/chatmail/relay/pull/732))
+
+- acmetool: accept new Let's Encrypt ToS: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf
+  ([#729](https://github.com/chatmail/relay/pull/729))
+
+- Organized cmdeploy into install, configure, and activate stages
+  ([#695](https://github.com/chatmail/relay/pull/695))
+
+- docs: move readme.md docs to sphinx documentation rendered at https://chatmail.at/doc/relay 
+  ([#711](https://github.com/chatmail/relay/pull/711))
+
+- acmetool: replace cronjob with a systemd timer
+  ([#719](https://github.com/chatmail/relay/pull/719))
+
+- remove xstore@testrun.org from default passthrough recipients
+  ([#722](https://github.com/chatmail/relay/pull/722))
+
+- don't deploy the website if there are merge conflicts in the www folder
+  ([#714](https://github.com/chatmail/relay/pull/714))
+
+- acmetool: use ECDSA keys instead of RSA
+  ([#689](https://github.com/chatmail/relay/pull/689))
+
+- Require TLS 1.2 for outgoing SMTP connections
+  ([#685](https://github.com/chatmail/relay/pull/685), [#730](https://github.com/chatmail/relay/pull/730))
+
+- require STARTTLS for incoming port 25 connections
+  ([#684](https://github.com/chatmail/relay/pull/684), [#730](https://github.com/chatmail/relay/pull/730))
+
+- filtermail: run CPU-intensive handle_DATA in a thread pool executor
+  ([#676](https://github.com/chatmail/relay/pull/676))
+
+- don't use the complicated logging module in filtermail to exclude a potential source of errors. 
+  ([#674](https://github.com/chatmail/relay/pull/674))
+
+- Specify nginx.conf to only handle `mail_domain`, www, and mta-sts domains
+  ([#636](https://github.com/chatmail/relay/pull/636))
+
+- Setup TURN server
+  ([#621](https://github.com/chatmail/relay/pull/621))
+
+- cmdeploy: make --ssh-host work with localhost
+  ([#659](https://github.com/chatmail/relay/pull/659))
+
+- Update iroh-relay to 0.35.0
+  ([#650](https://github.com/chatmail/relay/pull/650))
+
+- filtermail: accept mails from Protonmail
+  ([#616](https://github.com/chatmail/relay/pull/616))
+
+- Ignore all RCPT TO: parameters
+  ([#651](https://github.com/chatmail/relay/pull/651))
+
+- Increase opendkim DNS Timeout from 5 to 60 seconds
+  ([#672](https://github.com/chatmail/relay/pull/672))
+
+- Add config parameter for Let's Encrypt ACME email
+  ([#663](https://github.com/chatmail/relay/pull/663))
+
+- Use max username length in newemail.py, not min
+  ([#648](https://github.com/chatmail/relay/pull/648))
+
+- Add startup for `fcgiwrap.service` because sometimes it did not start automatically.
+  ([#657](https://github.com/chatmail/relay/pull/657))
+
+- Add `cmdeploy init --force` command for recreating chatmail.ini
+  ([#656](https://github.com/chatmail/relay/pull/656))
+
+- Increase maxproc for reinjecting ports from 10 to 100
+  ([#646](https://github.com/chatmail/relay/pull/646))
+
+- Allow ports 143 and 993 to be used by `dovecot` process
+  ([#639](https://github.com/chatmail/relay/pull/639))
+
+- Add `--skip-dns-check` argument to `cmdeploy run` command, which disables DNS record checking before installation.
+  ([#661](https://github.com/chatmail/relay/pull/661))
+
+- Rework expiry of message files and mailboxes in Python 
+  to only do a single iteration over sometimes millions of messages
+  instead of doing "find" commands that iterate 9 times over the messages. 
+  Provide an "fsreport" CLI for more fine grained analysis of message files. 
+  ([#637](https://github.com/chatmail/relay/pull/637))
+
+
+## 1.7.0 2025-09-11
+
+- Make www upload path configurable
+  ([#618](https://github.com/chatmail/relay/pull/618))
+
+- Check whether GCC is installed in initenv.sh
+  ([#608](https://github.com/chatmail/relay/pull/608))
+
+- Expire push notification tokens after 90 days
+  ([#583](https://github.com/chatmail/relay/pull/583))
+
+- Use official `mtail` binary instead of `mtail` package
+  ([#581](https://github.com/chatmail/relay/pull/581))
+
+- dovecot: install from download.delta.chat instead of openSUSE Build Service
+  ([#590](https://github.com/chatmail/relay/pull/590))
+
+- Reconfigure Dovecot imap-login service to high-performance mode
+  ([#578](https://github.com/chatmail/relay/pull/578))
+
+- Set timezone to improve dovecot performance
+  ([#584](https://github.com/chatmail/relay/pull/584))
+
+- Increase nginx connection limits
+  ([#576](https://github.com/chatmail/relay/pull/576))
+
+- If `dns-utils` needs to be installed before cmdeploy run, apt update to make sure it works
+  ([#560](https://github.com/chatmail/relay/pull/560))
+
+- filtermail: respect config message size limit
+  ([#572](https://github.com/chatmail/relay/pull/572))
+
+- Don't deploy if one of the ports used for chatmail relay services is occupied by an unexpected process
+  ([#568](https://github.com/chatmail/relay/pull/568))
+
+- Add config value after how many days large files are deleted
+  ([#555](https://github.com/chatmail/relay/pull/555))
+
+- cmdeploy: push relay version to /etc/chatmail-version
+  ([#573](https://github.com/chatmail/relay/pull/573))
+
+- filtermail: allow partial body length in OpenPGP payloads
+  ([#570](https://github.com/chatmail/relay/pull/570))
+
+- chatmaild: allow echobot to receive unencrypted messages by default
+  ([#556](https://github.com/chatmail/relay/pull/556))
+
+
+## 1.6.0 2025-04-11
+
+- Handle Port-25 connect errors more gracefully (common with VPNs)
+  ([#552](https://github.com/chatmail/relay/pull/552))
+
+- Avoid "acmetool not found" during initial run
+  ([#550](https://github.com/chatmail/relay/pull/550))
+
+- Fix timezone handling such that client/servers do not need to use
+  same timezone. 
+  ([#553](https://github.com/chatmail/relay/pull/553))
+
+- Enforce end-to-end encryption for incoming messages. 
+  New user address mailboxes now get a `enforceE2EEincoming` file 
+  which prohibits incoming cleartext messages from other domains. 
+  An outside MTA trying to submit a cleartext message will 
+  get a "523 Encryption Needed" response, see RFC5248. 
+  If the file does not exist (as it the case for all existing accounts) 
+  incoming cleartext messages are accepted. 
+  ([#538](https://github.com/chatmail/server/pull/538))
+
+- Enforce end-to-end encryption between local addresses 
+  ([#535](https://github.com/chatmail/server/pull/535))
+
+- unbound: check that port 53 is not occupied by a different process
+  ([#537](https://github.com/chatmail/server/pull/537))
+
+- unbound: before unbound is there, use 9.9.9.9 for resolving
+  ([#518](https://github.com/chatmail/relay/pull/518))
+
+- Limit the bind for the HTTPS server on 8443 to 127.0.0.1 
+  ([#522](https://github.com/chatmail/server/pull/522))
+  ([#532](https://github.com/chatmail/server/pull/532))
+
+- Send SNI when connecting to outside servers
+  ([#524](https://github.com/chatmail/server/pull/524))
+
+- postfix master.cf: use 127.0.0.1 for consistency
+  ([#544](https://github.com/chatmail/relay/pull/544))
+
+- Pass through `original_content` instead of `content` in filtermail
+  ([#509](https://github.com/chatmail/server/pull/509))
+
+- Document TLS requirements in the readme
+  ([#514](https://github.com/chatmail/server/pull/514))
+
+- Remove cleanup service from submission ports
+  ([#512](https://github.com/chatmail/server/pull/512))
+
+- cmdeploy dovecot: delete big messages after 7 days
+  ([#504](https://github.com/chatmail/server/pull/504))
+
+- mtail: fix getting logs from STDIN
+  ([#502](https://github.com/chatmail/server/pull/502))
+
+- filtermail: don't require exactly 2 lines after openPGP payload
+  ([#497](https://github.com/chatmail/server/pull/497))
+
+- cmdeploy dns: offer alternative DKIM record format for some web interfaces
+  ([#470](https://github.com/chatmail/server/pull/470))
+
+- journald: remove old logs from disk
+  ([#490](https://github.com/chatmail/server/pull/490))
+
+- opendkim: restart once every day to mend RAM leaks
+  ([#498](https://github.com/chatmail/server/pull/498)
+
+- migration guide: let opendkim own the DKIM keys directory
+  ([#468](https://github.com/chatmail/server/pull/468))
+
+- improve secure-join message detection
+  ([#473](https://github.com/chatmail/server/pull/473))
+
+- use old crypt lib in python < 3.11
+  ([#483](https://github.com/chatmail/server/pull/483))
+
+- chatmaild: set umask to 0700 for doveauth + metadata
+  ([#490](https://github.com/chatmail/server/pull/492))
+
+- remove MTA-STS daemon
+  ([#488](https://github.com/chatmail/server/pull/488))
+
+- replace `Subject` with `[...]` for all outgoing mails.
+  ([#481](https://github.com/chatmail/server/pull/481))
+
+- opendkim: use su instead of sudo
+  ([#491](https://github.com/chatmail/server/pull/491))
+
+## 1.5.0 2024-12-20
+
+- cmdeploy dns: always show recommended DNS records
+  ([#463](https://github.com/chatmail/server/pull/463))
+
+- add `--all` to `cmdeploy dns`
+  ([#462](https://github.com/chatmail/server/pull/462))
+
+- fix `_mta-sts` TXT DNS record
+  ([#461](https://github.com/chatmail/server/pull/461)
+
+- deploy `iroh-relay` and also update "realtime relay services" in privacy policy. 
+  ([#434](https://github.com/chatmail/server/pull/434))
+  ([#451](https://github.com/chatmail/server/pull/451))
+
+- add guide to migrate chatmail to a new server
+  ([#429](https://github.com/chatmail/server/pull/429))
+
+- disable anvil authentication penalty
+  ([#414](https://github.com/chatmail/server/pull/444)
+
+- increase `request_queue_size` for UNIX sockets to 1000.
+  ([#437](https://github.com/chatmail/server/pull/437))
+
+- add argument to `cmdeploy run` for specifying
+  a different SSH host than `mail_domain`
+  ([#439](https://github.com/chatmail/server/pull/439))
+
+- query autoritative nameserver to bypass DNS cache
+  ([#424](https://github.com/chatmail/server/pull/424))
+
+- add mtail support (new optional `mtail_address` ini value)
+  This defines the address on which [`mtail`](https://google.github.io/mtail/)
+  exposes its metrics collected from the logs.
+  If you want to collect the metrics with Prometheus,
+  setup a private network (e.g. WireGuard interface)
+  and assign an IP address from this network to the host.
+  If you do not plan to collect metrics,
+  keep this setting unset.
+  ([#388](https://github.com/chatmail/server/pull/388))
+
+- fix checking for required DNS records
+  ([#412](https://github.com/chatmail/server/pull/412))
+
+- add support for specifying whole domains for recipient passthrough list
+  ([#408](https://github.com/chatmail/server/pull/408))
+
+- add a paragraph about "account deletion" to info page 
+  ([#405](https://github.com/chatmail/server/pull/405))
+
+- avoid nginx listening on ipv6 if v6 is dsiabled 
+  ([#402](https://github.com/chatmail/server/pull/402))
+
+- refactor ssh-based execution to allow organizing remote functions in
+  modules. 
+  ([#396](https://github.com/chatmail/server/pull/396))
+
+- trigger "apt upgrade" during "cmdeploy run" 
+  ([#398](https://github.com/chatmail/server/pull/398))
+
+- drop hispanilandia passthrough address
+  ([#401](https://github.com/chatmail/server/pull/401))
+
+- set CAA record flags to 0
+
+- add IMAP capabilities instead of overwriting them
+  ([#413](https://github.com/chatmail/server/pull/413))
+
+- fix OpenPGP payload check
+  ([#435](https://github.com/chatmail/server/pull/435))
+
+- fix Dovecot quota_max_mail_size to use max_message_size config value
+  ([#438](https://github.com/chatmail/server/pull/438))
+
+
+## 1.4.1 2024-07-31
+
+- fix metadata dictproxy which would confuse transactions
+  resulting in missed notifications and other issues. 
+  ([#393](https://github.com/chatmail/server/pull/393))
+  ([#394](https://github.com/chatmail/server/pull/394))
+
+- add optional "imap_rawlog" config option. If true, 
+  .in/.out files are created in user home dirs 
+  containing the imap protocol messages. 
+  ([#389](https://github.com/chatmail/server/pull/389))
+
+## 1.4.0 2024-07-28
+
+- Add `disable_ipv6` config option to chatmail.ini.
+  Required if the server doesn't have IPv6 connectivity.
+  ([#312](https://github.com/chatmail/server/pull/312))
+
+- allow current K9/Thunderbird-mail releases to send encrypted messages
+  outside by accepting their localized "encrypted subject" strings. 
+  ([#370](https://github.com/chatmail/server/pull/370))
+
+- Migrate and remove sqlite database in favor of password/lastlogin tracking 
+  in a user's maildir.  
+  ([#379](https://github.com/chatmail/server/pull/379))
+
+- Require pyinfra V3 installed on the client side,
+  run `./scripts/initenv.sh` to upgrade locally.
+  ([#378](https://github.com/chatmail/server/pull/378))
+
+- don't hardcode "/home/vmail" paths but rather set them 
+  once in the config object and use it everywhere else, 
+  thereby also improving testability.  
+  ([#351](https://github.com/chatmail/server/pull/351))
+  temporarily introduced obligatory "passdb_path" and "mailboxes_dir" 
+  settings but they were removed/obsoleted in 
+  ([#380](https://github.com/chatmail/server/pull/380))
+
+- BREAKING: new required chatmail.ini value 'delete_inactive_users_after = 100'
+  which removes users from database and mails after 100 days without any login. 
+  ([#350](https://github.com/chatmail/server/pull/350))
+
+- Refine DNS checking to distinguish between "required" and "recommended" settings 
+  ([#372](https://github.com/chatmail/server/pull/372))
+
+- reload nginx in the acmetool cronjob
+  ([#360](https://github.com/chatmail/server/pull/360))
+
+- remove checking of reverse-DNS PTR records.  Chatmail-servers don't
+  depend on it and even in the wider e-mail system it's not common anymore. 
+  If it's an issue, a chatmail operator can still care to properly set reverse DNS. 
+  ([#348](https://github.com/chatmail/server/pull/348))
+
+- Make DNS-checking faster and more interactive, run it fully during "cmdeploy run",
+  also introducing a generic mechanism for rapid remote ssh-based python function execution. 
+  ([#346](https://github.com/chatmail/server/pull/346))
+
+- Don't fix file owner ship of /home/vmail 
+  ([#345](https://github.com/chatmail/server/pull/345))
+
+- Support iterating over all users with doveadm commands 
+  ([#344](https://github.com/chatmail/server/pull/344))
+
+- Test and fix for attempts to create inadmissible accounts 
+  ([#333](https://github.com/chatmail/server/pull/321))
+
+- check that OpenPGP has only PKESK, SKESK and SEIPD packets
+  ([#323](https://github.com/chatmail/server/pull/323),
+   [#324](https://github.com/chatmail/server/pull/324))
+
+- improve filtermail checks for encrypted messages and drop support for unencrypted MDNs
+  ([#320](https://github.com/chatmail/server/pull/320))
+
+- replace `bash` with `/bin/sh`
+  ([#334](https://github.com/chatmail/server/pull/334))
+
+- Increase number of logged in IMAP sessions to 50000
+  ([#335](https://github.com/chatmail/server/pull/335))
+
+- filtermail: do not allow ASCII armor without actual payload
+  ([#325](https://github.com/chatmail/server/pull/325))
+
+- Remove sieve to enable hardlink deduplication in LMTP
+  ([#343](https://github.com/chatmail/server/pull/343))
+
+- dovecot: enable gzip compression on disk
+  ([#341](https://github.com/chatmail/server/pull/341))
+
+- DKIM-sign Content-Type and oversign all signed headers
+  ([#296](https://github.com/chatmail/server/pull/296))
+
+- Add nonci_accounts metric
+  ([#347](https://github.com/chatmail/server/pull/347))
+
+- doveauth: log when a new account is created
+  ([#349](https://github.com/chatmail/server/pull/349))
+
+- Multiplex HTTPS, IMAP and SMTP on port 443
+  ([#357](https://github.com/chatmail/server/pull/357))
+
+## 1.3.0 - 2024-06-06
+
+- don't check necessary DNS records on cmdeploy init anymore
+  ([#316](https://github.com/chatmail/server/pull/316))
+
+- ensure cron and acl are installed
+  ([#293](https://github.com/chatmail/server/pull/293),
+  [#310](https://github.com/chatmail/server/pull/310))
+
+- change default for delete_mails_after from 40 to 20 days
+  ([#300](https://github.com/chatmail/server/pull/300))
+
+- save journald logs only to memory and save nginx logs to journald instead of file
+  ([#299](https://github.com/chatmail/server/pull/299))
+
+- fix writing of multiple obs repositories in `/etc/apt/sources.list`
+  ([#290](https://github.com/chatmail/server/pull/290))
+
+- metadata: add support for `/shared/vendor/deltachat/irohrelay`
+  ([#284](https://github.com/chatmail/server/pull/284))
+
+- Emit "XCHATMAIL" capability from IMAP server 
+  ([#278](https://github.com/chatmail/server/pull/278))
+
+- Move echobot `into /var/lib/echobot`
+  ([#281](https://github.com/chatmail/server/pull/281))
+
+- Accept Let's Encrypt's new Terms of Services
+  ([#275](https://github.com/chatmail/server/pull/276))
+
+- Reload Dovecot and Postfix when TLS certificate updates
+  ([#271](https://github.com/chatmail/server/pull/271))
+
+- Use forked version of dovecot without hardcoded delays
+  ([#270](https://github.com/chatmail/server/pull/270))

 ## 1.2.0 - 2024-04-04

 - Install dig on the server to resolve DNS records
-  ([#267](https://github.com/deltachat/chatmail/pull/267))
+  ([#267](https://github.com/chatmail/server/pull/267))

 - preserve notification order and exponentially backoff with 
  retries for tokens where we didn't get a successful return
-  ([#265](https://github.com/deltachat/chatmail/pull/263))
+  ([#265](https://github.com/chatmail/server/pull/263))

 - Run chatmail-metadata and doveauth as vmail
-  ([#261](https://github.com/deltachat/chatmail/pull/261))
+  ([#261](https://github.com/chatmail/server/pull/261))

 - Apply systemd restrictions to echobot
-  ([#259](https://github.com/deltachat/chatmail/pull/259))
+  ([#259](https://github.com/chatmail/server/pull/259))

 - re-enable running the CI in pull requests, but not concurrently 
-  ([#258](https://github.com/deltachat/chatmail/pull/258))
+  ([#258](https://github.com/chatmail/server/pull/258))


 ## 1.1.0 - 2024-03-28
@@ -26,27 +493,27 @@
 ### The changelog starts to record changes from March 15th, 2024 

 - Move systemd unit templates to cmdeploy package 
-  ([#255](https://github.com/deltachat/chatmail/pull/255))
+  ([#255](https://github.com/chatmail/server/pull/255))

 - Persist push tokens and support multiple device per address 
-  ([#254](https://github.com/deltachat/chatmail/pull/254))
+  ([#254](https://github.com/chatmail/server/pull/254))

 - Avoid warning for regular doveauth protocol's hello message. 
-  ([#250](https://github.com/deltachat/chatmail/pull/250))
+  ([#250](https://github.com/chatmail/server/pull/250))

 - Fix various tests to pass again with "cmdeploy test". 
-  ([#245](https://github.com/deltachat/chatmail/pull/245),
-  [#242](https://github.com/deltachat/chatmail/pull/242)
+  ([#245](https://github.com/chatmail/server/pull/245),
+  [#242](https://github.com/chatmail/server/pull/242)

 - Ensure lets-encrypt certificates are reloaded after renewal 
-  ([#244]) https://github.com/deltachat/chatmail/pull/244
+  ([#244]) https://github.com/chatmail/server/pull/244

 - Persist tokens to avoid iOS users loosing push-notifications when the
  chatmail metadata service is restarted (happens regularly during deploys)
-  ([#238](https://github.com/deltachat/chatmail/pull/239)
+  ([#238](https://github.com/chatmail/server/pull/239)

 - Fix failing sieve-script compile errors on incoming messages
-  ([#237](https://github.com/deltachat/chatmail/pull/239)
+  ([#237](https://github.com/chatmail/server/pull/239)

 - Fix quota reporting after expunging of old mails
-  ([#233](https://github.com/deltachat/chatmail/pull/239)
+  ([#233](https://github.com/chatmail/server/pull/239)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,7 @@
+# Contributing to the chatmail relay
+
+Commit messages follow the [Conventional Commits] notation.
+We use [git-cliff] to generate the changelog from commit messages before the release.
+
+[Conventional Commits]: https://www.conventionalcommits.org/
+[git-cliff]: https://git-cliff.org/
--- a/README.md
+++ b/README.md
@@ -1,162 +1,43 @@
+# سرور رله چت‌میل (Chatmail Relay)

-<img width="800px" src="www/src/collage-top.png"/>
+این پروژه برای راه‌اندازی سریع و آسان سرورهای رله **Chatmail** طراحی شده است. چت‌میل یک سیستم ایمیل امن و بهینه برای پیام‌رسان **Delta Chat** است که بر حفظ حریم خصوصی و سرعت بالا تمرکز دارد.

-# Chatmail services optimized for Delta Chat apps 
+### ویژگی‌های کلیدی:
+- **بدون ذخیره‌سازی داده (Zero State):** پیام‌ها پس از تحویل حذف می‌شوند و هیچ متادیتای خصوصی ذخیره نخواهد شد.
+- **سرعت لحظه‌ای (Realtime):** تحویل پیام در کمتر از یک ثانیه و پشتیبانی از پوش‌نوتیفیکیشن‌های امن.
+- **امنیت سخت‌گیرانه:** استفاده اجباری از TLS، DKIM و OpenPGP.
+- **غیرمتمرکز و استاندارد:** بر اساس پروتکل‌های استاندارد IETF بدون نیاز به چک کردن IP یا اسپم.

-This repository helps to setup a ready-to-use chatmail server
-comprised of a minimal setup of the battle-tested 
-[postfix smtp](https://www.postfix.org) and [dovecot imap](https://www.dovecot.org) services. 
+---

-The setup is designed and optimized for providing chatmail accounts 
-for use by [Delta Chat apps](https://delta.chat).
+### شیوه‌ی نصب

-Chatmail accounts are automatically created by a first login, 
-after which the initially specified password is required for using them. 
+برای نصب سریع روی سرور لینوکس (توصیه شده: Debian یا Ubuntu)، می‌توانید از دستور زیر استفاده کنید:

-## Deploying your own chatmail server 
-
-We use `chat.example.org` as the chatmail domain in the following steps. 
-Please substitute it with your own domain. 
-
-1. Install the `cmdeploy` command in a virtualenv
-
-   ```
-    git clone https://github.com/deltachat/chatmail
-    cd chatmail
-    scripts/initenv.sh
-   ```
-
-2. Create chatmail configuration file `chatmail.ini`:
-
-   ```
-    scripts/cmdeploy init chat.example.org  # <-- use your domain 
-   ```
-
-3. Setup first DNS records for your chatmail domain, 
-   according to the hints provided by `cmdeploy init`.
-   Verify that SSH root login works:
-
-   ```
-    ssh root@chat.example.org   # <-- use your domain 
-   ```
-
-4. Deploy to the remote chatmail server:
-
-   ```
-    scripts/cmdeploy run
-   ```
-   This script will also show you additional DNS records
-   which you should configure at your DNS provider
-   (it can take some time until they are public).
-
-### Other helpful commands:
-
-To check the status of your remotely running chatmail service:
-
-```
-scripts/cmdeploy status
+```bash
+curl https://raw.githubusercontent.com/omidz4t/relay-ir/refs/heads/main/init.sh | sudo bash
 ```

-To check whether your DNS records are correct:
+**روش جایگزین (دانلود و اجرای دستی):**
+اگر مایل هستید فایل را ابتدا دانلود و سپس اجرا کنید:

-```
-scripts/cmdeploy dns
+```bash
+wget https://raw.githubusercontent.com/omidz4t/relay-ir/refs/heads/main/init.sh
+chmod +x init.sh
+sudo ./init.sh
 ```

-To test whether your chatmail service is working correctly:
+---

-```
-scripts/cmdeploy test
-```
+### اسکریپت `init.sh` چه کاری انجام می‌دهد؟

-To measure the performance of your chatmail service:
-
-```
-scripts/cmdeploy bench
-```
-
-## Overview of this repository
-
-This repository drives the development of chatmail services, 
-comprised of minimal setups of
-
- [postfix smtp server](https://www.postfix.org)
- [dovecot imap server](https://www.dovecot.org)
-
-as well as custom services that are integrated with these two:
-
- `chatmaild/src/chatmaild/doveauth.py` implements
-  create-on-login account creation semantics and is used
-  by Dovecot during login authentication and by Postfix
-  which in turn uses [Dovecot SASL](https://doc.dovecot.org/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket)
-  to authenticate users
-  to send mails for them.
-
- `chatmaild/src/chatmaild/filtermail.py` prevents
-  unencrypted e-mail from leaving the chatmail service
-  and is integrated into postfix's outbound mail pipelines.
-
-There is also the `cmdeploy/src/cmdeploy/cmdeploy.py` command line tool
-which helps with setting up and managing the chatmail service.
-`cmdeploy run` uses [pyinfra-based scripting](https://pyinfra.com/)
-in `cmdeploy/src/cmdeploy/__init__.py`
-to automatically install all chatmail components on a server.
-
-
-### Home page and getting started for users
-
-`cmdeploy run` also creates default static Web pages and deploys them
-to a nginx web server with: 
-
- a default `index.html` along with a QR code that users can click to
-  create accounts on your chatmail provider,
-
- a default `info.html` that is linked from the home page,
-
- a default `policy.html` that is linked from the home page.
-
-All `.html` files are generated
-by the according markdown `.md` file in the `www/src` directory.
-
-
-### Refining the web pages
-
-
-```
-scripts/cmdeploy webdev
-```
-
-This starts a local live development cycle for chatmail Web pages:
-
- uses the `www/src/page-layout.html` file for producing static
-  HTML pages from `www/src/*.md` files
-
- continously builds the web presence reading files from `www/src` directory
-  and generating html files and copying assets to the `www/build` directory.
-
- Starts a browser window automatically where you can "refresh" as needed.
-
-
-## Emergency Commands to disable automatic account creation
-
-If you need to stop account creation,
-e.g. because some script is wildly creating accounts,
-login to the server with ssh and run:
-
-```
-    touch /etc/chatmail-nocreate
-```
-
-While this file is present, account creation will be blocked.
-
-### Ports
-
-[Postfix](http://www.postfix.org/) listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
-[Dovecot](https://www.dovecot.org/) listens on ports 143 (imap) and 993 (imaps).
-[nginx](https://www.nginx.com/) listens on port 443 (https).
-[acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (http).
-
-Delta Chat apps will, however, discover all ports and configurations
-automatically by reading the [autoconfig XML file](https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html) from the chatmail service.
+اسکریپت `init.sh` تمام مراحل لازم برای آماده‌سازی سرور را به صورت خودکار انجام می‌دهد:

+1. **نصب وابستگی‌ها:** ابزارهای مورد نیاز مانند `git`, `curl`, `python3`, `gcc` و غیره را نصب می‌کند.
+2. **مدیریت محیط پایتون:** ابزار مدرن `uv` را برای مدیریت سریع و بهینه بسته‌ها و محیط مجازی (venv) نصب و پیکربندی می‌کند.
+3. **دریافت سورس‌کد:** آخرین نسخه پروژه را از گیت‌هاب دریافت می‌کند.
+4. **تنظیمات خودکار:** از شما نام دامنه و ایمیل (برای گواهی SSL) را می‌پرسد و فایل تنظیمات `chatmail.ini` را بر اساس استانداردهای بهینه ویرایش می‌کند (تنظیم حجم صندوق پستی، مدت زمان نگهداری پیام‌ها و غیره).
+5. **استقرار (Deployment):** در نهایت تمام سرویس‌های لازم (Postfix, Dovecot, Nginx و غیره) را به صورت خودکار نصب و فعال می‌کند.

+---
+برای اطلاعات بیشتر و مستندات فنی دقیق‌تر به [مستندات اصلی](https://chatmail.at/doc/relay) مراجعه کنید.
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -0,0 +1,15 @@
+# Releasing a new version of chatmail relay
+
+For example, to release version 1.9.0 of chatmail relay, do the following steps.
+
+1. Update the changelog: `git cliff --unreleased --tag 1.9.0 --prepend CHANGELOG.md` or `git cliff -u -t 1.9.0 -p CHANGELOG.md`.
+
+2. Open the changelog in the editor, edit it if required.
+
+3. Commit the changes to the changelog with a commit message `chore(release): prepare for 1.9.0`.
+
+3. Tag the release: `git tag --annotate 1.9.0`.
+
+4. Push the release tag: `git push origin 1.9.0`.
+
+5. Create a GitHub release: `gh release create 1.9.0`.
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

 [project]
 name = "chatmaild"
-version = "0.2"
+version = "0.3"
 dependencies = [
  "aiosmtpd",
  "iniconfig",
@@ -12,6 +12,7 @@ dependencies = [
  "deltachat-rpc-client",
  "filelock",
  "requests",
+  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
 ]

 [tool.setuptools]
@@ -24,8 +25,11 @@ where = ['src']
 doveauth = "chatmaild.doveauth:main"
 chatmail-metadata = "chatmaild.metadata:main"
 filtermail = "chatmaild.filtermail:main"
-echobot = "chatmaild.echo:main"
 chatmail-metrics = "chatmaild.metrics:main"
+chatmail-expire = "chatmaild.expire:main"
+chatmail-fsreport = "chatmaild.fsreport:main"
+lastlogin = "chatmaild.lastlogin:main"
+turnserver = "chatmaild.turnserver:main"

 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"
@@ -36,6 +40,19 @@ log_format = "%(asctime)s %(levelname)s %(message)s"
 log_date_format = "%Y-%m-%d %H:%M:%S"
 log_level = "INFO"

+[tool.ruff]
+lint.select = [
+  "F", # Pyflakes
+  "I", # isort
+
+  "PLC", # Pylint Convention
+  "PLE", # Pylint Error
+  "PLW", # Pylint Warning
+]
+lint.ignore = [
+  "PLC0415" # import-outside-top-level
+]
+
 [tool.tox]
 legacy_tox_ini = """
 [tox]
@@ -47,13 +64,14 @@ skipdist = True
 skip_install = True
 deps =
  ruff
-  black
 commands =
-  black --quiet --check --diff src/
-  ruff src/
+  ruff format --quiet --diff src/
+  ruff check src/

 [testenv]
 deps = pytest 
       pdbpp 
+       pytest-localserver
+       execnet
 commands = pytest -v -rsXx {posargs}
 """
--- a/chatmaild/src/chatmaild/init.py
+++ b/chatmaild/src/chatmaild/init.py
@@ -0,0 +1 @@
+
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,9 +1,19 @@
+from pathlib import Path
+
 import iniconfig

+from chatmaild.user import User
+

 def read_config(inipath):
+    assert Path(inipath).exists(), inipath
    cfg = iniconfig.IniConfig(inipath)
-    return Config(inipath, params=cfg.sections["params"])
+    params = cfg.sections["params"]
+    default_config_content = get_default_config_content(params["mail_domain"])
+    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
+    new_params = dict(df_params.items())
+    new_params.update(params)
+    return Config(inipath, params=new_params)


 class Config:
@@ -12,37 +22,99 @@ class Config:
        self.mail_domain = params["mail_domain"]
        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_message_size = int(params.get("max_message_size", "31457280"))
        self.delete_mails_after = params["delete_mails_after"]
+        self.delete_large_after = params["delete_large_after"]
+        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
        self.username_min_length = int(params["username_min_length"])
        self.username_max_length = int(params["username_max_length"])
        self.password_min_length = int(params["password_min_length"])
        self.passthrough_senders = params["passthrough_senders"].split()
        self.passthrough_recipients = params["passthrough_recipients"].split()
+        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
+        self.filtermail_smtp_port_incoming = int(
+            params["filtermail_smtp_port_incoming"]
+        )
        self.postfix_reinject_port = int(params["postfix_reinject_port"])
+        self.postfix_reinject_port_incoming = int(
+            params["postfix_reinject_port_incoming"]
+        )
+        self.mtail_address = params.get("mtail_address")
+        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
+        self.acme_email = params.get("acme_email", "")
+        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
+        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
+        if "iroh_relay" not in params:
+            self.iroh_relay = "https://" + params["mail_domain"]
+            self.enable_iroh_relay = True
+        else:
+            self.iroh_relay = params["iroh_relay"].strip()
+            self.enable_iroh_relay = False
        self.privacy_postal = params.get("privacy_postal")
        self.privacy_mail = params.get("privacy_mail")
        self.privacy_pdo = params.get("privacy_pdo")
        self.privacy_supervisor = params.get("privacy_supervisor")

+        # deprecated option
+        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
+        self.mailboxes_dir = Path(mbdir.strip())
+
+        # old unused option (except for first migration from sqlite to maildir store)
+        self.passdb_path = Path(params.get("passdb_path", "/home/vmail/passdb.sqlite"))
+
    def _getbytefile(self):
        return open(self._inipath, "rb")

+    def get_user(self, addr) -> User:
+        if not addr or "@" not in addr or "/" in addr:
+            raise ValueError(f"invalid address {addr!r}")

-def write_initial_config(inipath, mail_domain):
+        maildir = self.mailboxes_dir.joinpath(addr)
+        password_path = maildir.joinpath("password")
+
+        return User(maildir, addr, password_path, uid="vmail", gid="vmail")
+
+
+def write_initial_config(inipath, mail_domain, overrides):
+    """Write out default config file, using the specified config value overrides."""
+    content = get_default_config_content(mail_domain, **overrides)
+    inipath.write_text(content)
+
+
+def get_default_config_content(mail_domain, **overrides):
    from importlib.resources import files

    inidir = files(__package__).joinpath("ini")
-    content = (
-        inidir.joinpath("chatmail.ini.f").read_text().format(mail_domain=mail_domain)
-    )
+    source_inipath = inidir.joinpath("chatmail.ini.f")
+    content = source_inipath.read_text().format(mail_domain=mail_domain)
+
+    # apply config overrides
+    new_lines = []
+    extra = overrides.copy()
+    for line in content.split("\n"):
+        new_line = line.strip()
+        if new_line and new_line[0] not in "#[":
+            name, value = map(str.strip, new_line.split("=", maxsplit=1))
+            value = extra.pop(name, value)
+            new_line = f"{name} = {value}"
+        new_lines.append(new_line)
+
+    for name, value in extra.items():
+        new_line = f"{name} = {value}"
+        new_lines.append(new_line)
+
+    content = "\n".join(new_lines)
+
+    # apply testrun privacy overrides
+
    if mail_domain.endswith(".testrun.org"):
        override_inipath = inidir.joinpath("override-testrun.ini")
        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
        lines = []
        for line in content.split("\n"):
            for key, value in privacy.items():
-                value_lines = value.strip().split("\n")
+                value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
                if not line.startswith(f"{key} =") or not value_lines:
                    continue
                if len(value_lines) == 1:
@@ -55,5 +127,4 @@ def write_initial_config(inipath, mail_domain):
            else:
                lines.append(line)
        content = "\n".join(lines)
-
-    inipath.write_text(content)
+    return content
--- a/chatmaild/src/chatmaild/database.py
+++ b/chatmaild/src/chatmaild/database.py
@@ -1,133 +0,0 @@
-import sqlite3
-import contextlib
-import time
-from pathlib import Path
-
-
-class DBError(Exception):
-    """error during an operation on the database."""
-
-
-class Connection:
-    def __init__(self, sqlconn, write):
-        self._sqlconn = sqlconn
-        self._write = write
-
-    def close(self):
-        self._sqlconn.close()
-
-    def commit(self):
-        self._sqlconn.commit()
-
-    def rollback(self):
-        self._sqlconn.rollback()
-
-    def execute(self, query, params=()):
-        cur = self.cursor()
-        try:
-            cur.execute(query, params)
-        except sqlite3.IntegrityError as e:
-            raise DBError(e)
-        return cur
-
-    def cursor(self):
-        return self._sqlconn.cursor()
-
-    def get_user(self, addr: str) -> {}:
-        """Get a row from the users table."""
-        q = "SELECT addr, password, last_login from users WHERE addr = ?"
-        row = self._sqlconn.execute(q, (addr,)).fetchone()
-        result = {}
-        if row:
-            result = dict(
-                user=row[0],
-                password=row[1],
-                last_login=row[2],
-            )
-        return result
-
-
-class Database:
-    def __init__(self, path: str):
-        self.path = Path(path)
-        self.ensure_tables()
-
-    def _get_connection(
-        self, write=False, transaction=False, closing=False
-    ) -> Connection:
-        # we let the database serialize all writers at connection time
-        # to play it very safe (we don't have massive amounts of writes).
-        mode = "ro"
-        if write:
-            mode = "rw"
-        if not self.path.exists():
-            mode = "rwc"
-        uri = "file:%s?mode=%s" % (self.path, mode)
-        sqlconn = sqlite3.connect(
-            uri,
-            timeout=60,
-            isolation_level=None if transaction else "DEFERRED",
-            uri=True,
-        )
-
-        # Enable Write-Ahead Logging to avoid readers blocking writers and vice versa.
-        if write:
-            sqlconn.execute("PRAGMA journal_mode=wal")
-
-        if transaction:
-            start_time = time.time()
-            while 1:
-                try:
-                    sqlconn.execute("begin immediate")
-                    break
-                except sqlite3.OperationalError:
-                    # another thread may be writing, give it a chance to finish
-                    time.sleep(0.1)
-                    if time.time() - start_time > 5:
-                        # if it takes this long, something is wrong
-                        raise
-        conn = Connection(sqlconn, write=write)
-        if closing:
-            conn = contextlib.closing(conn)
-        return conn
-
-    @contextlib.contextmanager
-    def write_transaction(self):
-        conn = self._get_connection(closing=False, write=True, transaction=True)
-        try:
-            yield conn
-        except Exception:
-            conn.rollback()
-            conn.close()
-            raise
-        else:
-            conn.commit()
-            conn.close()
-
-    def read_connection(self, closing=True) -> Connection:
-        return self._get_connection(closing=closing, write=False)
-
-    def get_schema_version(self) -> int:
-        with self.read_connection() as conn:
-            dbversion = conn.execute("PRAGMA user_version").fetchone()[0]
-        return dbversion
-
-    CURRENT_DBVERSION = 1
-
-    def ensure_tables(self):
-        with self.write_transaction() as conn:
-            if self.get_schema_version() > 1:
-                raise DBError(
-                    "version is %s; downgrading schema is not supported"
-                    % (self.get_schema_version(),)
-                )
-            conn.execute(
-                """
-                CREATE TABLE IF NOT EXISTS users (
-                    addr TEXT PRIMARY KEY,
-                    password TEXT,
-                    last_login INTEGER
-                )
-            """,
-            )
-            conn.execute("PRAGMA user_version=%s" % (self.CURRENT_DBVERSION,))
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -0,0 +1,98 @@
+import logging
+import os
+from socketserver import StreamRequestHandler, ThreadingUnixStreamServer
+
+
+class DictProxy:
+    def loop_forever(self, rfile, wfile):
+        # Transaction storage is local to each handler loop.
+        # Dovecot reuses transaction IDs across connections,
+        # starting transaction with the name `1`
+        # on two different connections to the same proxy sometimes.
+        transactions = {}
+
+        while True:
+            msg = rfile.readline().strip().decode()
+            if not msg:
+                break
+
+            res = self.handle_dovecot_request(msg, transactions)
+            if res:
+                wfile.write(res.encode("ascii"))
+                wfile.flush()
+
+    def handle_dovecot_request(self, msg, transactions):
+        # see https://doc.dovecot.org/developer_manual/design/dict_protocol/#dovecot-dict-protocol
+        short_command = msg[0]
+        parts = msg[1:].split("\t")
+
+        if short_command == "L":
+            return self.handle_lookup(parts)
+        elif short_command == "I":
+            return self.handle_iterate(parts)
+        elif short_command == "H":
+            return  # no version checking
+
+        if short_command not in ("BSC"):
+            logging.warning(f"unknown dictproxy request: {msg!r}")
+            return
+
+        transaction_id = parts[0]
+
+        if short_command == "B":
+            return self.handle_begin_transaction(transaction_id, parts, transactions)
+        elif short_command == "C":
+            return self.handle_commit_transaction(transaction_id, parts, transactions)
+        elif short_command == "S":
+            addr = transactions[transaction_id]["addr"]
+            if not self.handle_set(addr, parts):
+                transactions[transaction_id]["res"] = "F\n"
+                logging.error(f"dictproxy-set failed for {addr!r}: {msg!r}")
+
+    def handle_lookup(self, parts):
+        logging.warning(f"lookup ignored: {parts!r}")
+        return "N\n"
+
+    def handle_iterate(self, parts):
+        # Empty line means ITER_FINISHED.
+        # If we don't return empty line Dovecot will timeout.
+        return "\n"
+
+    def handle_begin_transaction(self, transaction_id, parts, transactions):
+        addr = parts[1]
+        transactions[transaction_id] = dict(addr=addr, res="O\n")
+
+    def handle_set(self, addr, parts):
+        # For documentation on key structure see
+        # https://github.com/dovecot/core/blob/main/src/lib-storage/mailbox-attribute.h
+        return False
+
+    def handle_commit_transaction(self, transaction_id, parts, transactions):
+        # return whatever "set" command(s) set as result.
+        return transactions.pop(transaction_id)["res"]
+
+    def serve_forever_from_socket(self, socket):
+        dictproxy = self
+
+        class Handler(StreamRequestHandler):
+            def handle(self):
+                try:
+                    dictproxy.loop_forever(self.rfile, self.wfile)
+                except Exception:
+                    logging.exception("Exception in the handler")
+                    raise
+
+        try:
+            os.unlink(socket)
+        except FileNotFoundError:
+            pass
+
+        with CustomThreadingUnixStreamServer(socket, Handler) as server:
+            try:
+                server.serve_forever()
+            except KeyboardInterrupt:
+                pass
+
+
+class CustomThreadingUnixStreamServer(ThreadingUnixStreamServer):
+    request_queue_size = 1000
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -1,28 +1,23 @@
+import json
 import logging
 import os
-import time
 import sys
-import json
-import crypt
-from socketserver import (
-    UnixStreamServer,
-    StreamRequestHandler,
-    ThreadingMixIn,
-)

-from .database import Database
-from .config import read_config, Config
+try:
+    import crypt_r
+except ImportError:
+    import crypt as crypt_r
+
+from .config import Config, read_config
+from .dictproxy import DictProxy
+from .migrate_db import migrate_from_db_to_maildir

 NOCREATE_FILE = "/etc/chatmail-nocreate"


-class UnknownCommand(ValueError):
-    """dictproxy handler received an unkown command"""
-
-
 def encrypt_password(password: str):
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
-    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
+    passhash = crypt_r.crypt(password, crypt_r.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash


@@ -49,60 +44,17 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
        len(localpart) > config.username_max_length
        or len(localpart) < config.username_min_length
    ):
-        if localpart != "echo":
-            logging.warning(
-                "localpart %s has to be between %s and %s chars long",
-                localpart,
-                config.username_min_length,
-                config.username_max_length,
-            )
-            return False
+        logging.warning(
+            "localpart %s has to be between %s and %s chars long",
+            localpart,
+            config.username_min_length,
+            config.username_max_length,
+        )
+        return False

    return True


-def get_user_data(db, config: Config, user):
-    with db.read_connection() as conn:
-        result = conn.get_user(user)
-    if result:
-        result["home"] = f"/home/vmail/mail/{config.mail_domain}/{user}"
-        result["uid"] = "vmail"
-        result["gid"] = "vmail"
-    return result
-
-
-def lookup_userdb(db, config: Config, user):
-    return get_user_data(db, config, user)
-
-
-def lookup_passdb(db, config: Config, user, cleartext_password):
-    with db.write_transaction() as conn:
-        userdata = conn.get_user(user)
-        if userdata:
-            # Update last login time.
-            conn.execute(
-                "UPDATE users SET last_login=? WHERE addr=?", (int(time.time()), user)
-            )
-
-            userdata["home"] = f"/home/vmail/mail/{config.mail_domain}/{user}"
-            userdata["uid"] = "vmail"
-            userdata["gid"] = "vmail"
-            return userdata
-        if not is_allowed_to_create(config, user, cleartext_password):
-            return
-
-        encrypted_password = encrypt_password(cleartext_password)
-        q = """INSERT INTO users (addr, password, last_login)
-               VALUES (?, ?, ?)"""
-        conn.execute(q, (user, encrypted_password, int(time.time())))
-        return dict(
-            home=f"/home/vmail/mail/{config.mail_domain}/{user}",
-            uid="vmail",
-            gid="vmail",
-            password=encrypted_password,
-        )
-
-
 def split_and_unescape(s):
    """Split strings using double quote as a separator and backslash as escape character
    into parts."""
@@ -129,15 +81,12 @@ def split_and_unescape(s):
    yield out


-def handle_dovecot_request(msg, db, config: Config):
-    # see https://doc.dovecot.org/3.0/developer_manual/design/dict_protocol/
-    short_command = msg[0]
-    if short_command == "H":  # HELLO
-        # we don't do any checking on versions and just return
-        return
-    elif short_command == "L":  # LOOKUP
-        parts = msg[1:].split("\t")
+class AuthDictProxy(DictProxy):
+    def __init__(self, config):
+        super().__init__()
+        self.config = config

+    def handle_lookup(self, parts):
        # Dovecot <2.3.17 has only one part,
        # do not attempt to read any other parts for compatibility.
        keyname = parts[0]
@@ -145,13 +94,14 @@ def handle_dovecot_request(msg, db, config: Config):
        namespace, type, args = keyname.split("/", 2)
        args = list(split_and_unescape(args))

+        config = self.config
        reply_command = "F"
        res = ""
        if namespace == "shared":
            if type == "userdb":
                user = args[0]
                if user.endswith(f"@{config.mail_domain}"):
-                    res = lookup_userdb(db, config, user)
+                    res = self.lookup_userdb(user)
                if res:
                    reply_command = "O"
                else:
@@ -159,55 +109,48 @@ def handle_dovecot_request(msg, db, config: Config):
            elif type == "passdb":
                user = args[1]
                if user.endswith(f"@{config.mail_domain}"):
-                    res = lookup_passdb(db, config, user, cleartext_password=args[0])
+                    res = self.lookup_passdb(user, cleartext_password=args[0])
                if res:
                    reply_command = "O"
                else:
                    reply_command = "N"
        json_res = json.dumps(res) if res else ""
        return f"{reply_command}{json_res}\n"
-    raise UnknownCommand(msg)

+    def handle_iterate(self, parts):
+        # example: I0\t0\tshared/userdb/
+        if parts[2] == "shared/userdb/":
+            result = "".join(
+                f"Oshared/userdb/{user}\t\n" for user in self.iter_userdb()
+            )
+            return f"{result}\n"

-def handle_dovecot_protocol(rfile, wfile, db: Database, config: Config):
-    while True:
-        msg = rfile.readline().strip().decode()
-        if not msg:
-            break
-        try:
-            res = handle_dovecot_request(msg, db, config)
-        except UnknownCommand:
-            logging.warning("unknown command: %r", msg)
-        else:
-            if res:
-                wfile.write(res.encode("ascii"))
-                wfile.flush()
+    def iter_userdb(self) -> list:
+        """Get a list of all user addresses."""
+        return [x for x in os.listdir(self.config.mailboxes_dir) if "@" in x]

+    def lookup_userdb(self, addr):
+        return self.config.get_user(addr).get_userdb_dict()

-class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
-    request_queue_size = 100
+    def lookup_passdb(self, addr, cleartext_password):
+        user = self.config.get_user(addr)
+        userdata = user.get_userdb_dict()
+        if userdata:
+            return userdata
+        if not is_allowed_to_create(self.config, addr, cleartext_password):
+            return
+
+        user.set_password(encrypt_password(cleartext_password))
+        print(f"Created address: {addr}", file=sys.stderr)
+        return user.get_userdb_dict()


 def main():
-    socket = sys.argv[1]
-    db = Database(sys.argv[2])
-    config = read_config(sys.argv[3])
+    socket, cfgpath = sys.argv[1:]
+    config = read_config(cfgpath)

-    class Handler(StreamRequestHandler):
-        def handle(self):
-            try:
-                handle_dovecot_protocol(self.rfile, self.wfile, db, config)
-            except Exception:
-                logging.exception("Exception in the handler")
-                raise
+    migrate_from_db_to_maildir(config)

-    try:
-        os.unlink(socket)
-    except FileNotFoundError:
-        pass
+    dictproxy = AuthDictProxy(config=config)

-    with ThreadedUnixStreamServer(socket, Handler) as server:
-        try:
-            server.serve_forever()
-        except KeyboardInterrupt:
-            pass
+    dictproxy.serve_forever_from_socket(socket)
--- a/chatmaild/src/chatmaild/echo.py
+++ b/chatmaild/src/chatmaild/echo.py
@@ -1,87 +0,0 @@
-#!/usr/bin/env python3
-"""Advanced echo bot example.
-
-it will echo back any message that has non-empty text and also supports the /help command.
-"""
-import logging
-import os
-import sys
-
-from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
-
-from chatmaild.newemail import create_newemail_dict
-from chatmaild.config import read_config
-
-hooks = events.HookCollection()
-
-
-@hooks.on(events.RawEvent)
-def log_event(event):
-    if event.kind == EventType.INFO:
-        logging.info("%s", event.msg)
-    elif event.kind == EventType.WARNING:
-        logging.warning("%s", event.msg)
-
-
-@hooks.on(events.RawEvent(EventType.ERROR))
-def log_error(event):
-    logging.error("%s", event.msg)
-
-
-@hooks.on(events.MemberListChanged)
-def on_memberlist_changed(event):
-    logging.info(
-        "member %s was %s", event.member, "added" if event.member_added else "removed"
-    )
-
-
-@hooks.on(events.GroupImageChanged)
-def on_group_image_changed(event):
-    logging.info("group image %s", "deleted" if event.image_deleted else "changed")
-
-
-@hooks.on(events.GroupNameChanged)
-def on_group_name_changed(event):
-    logging.info("group name changed, old name: %s", event.old_name)
-
-
-@hooks.on(events.NewMessage(func=lambda e: not e.command))
-def echo(event):
-    snapshot = event.message_snapshot
-    if snapshot.is_info:
-        # Ignore info messages
-        return
-    if snapshot.text or snapshot.file:
-        snapshot.chat.send_message(text=snapshot.text, file=snapshot.file)
-
-
-@hooks.on(events.NewMessage(command="/help"))
-def help_command(event):
-    snapshot = event.message_snapshot
-    snapshot.chat.send_text("Send me any message and I will echo it back")
-
-
-def main():
-    logging.basicConfig(level=logging.INFO)
-    path = os.environ.get("PATH")
-    venv_path = sys.argv[0].strip("echobot")
-    os.environ["PATH"] = path + ":" + venv_path
-    with Rpc() as rpc:
-        deltachat = DeltaChat(rpc)
-        system_info = deltachat.get_system_info()
-        logging.info("Running deltachat core %s", system_info.deltachat_core_version)
-
-        accounts = deltachat.get_all_accounts()
-        account = accounts[0] if accounts else deltachat.add_account()
-
-        bot = Bot(account, hooks)
-        if not bot.is_configured():
-            config = read_config(sys.argv[1])
-            password = create_newemail_dict(config).get("password")
-            email = "echo@" + config.mail_domain
-            bot.configure(email, password)
-        bot.run_forever()
-
-
-if __name__ == "__main__":
-    main()
--- a/chatmaild/src/chatmaild/expire.py
+++ b/chatmaild/src/chatmaild/expire.py
@@ -0,0 +1,206 @@
+"""
+Expire old messages and addresses.
+
+"""
+
+import os
+import shutil
+import sys
+import time
+from argparse import ArgumentParser
+from collections import namedtuple
+from datetime import datetime
+from stat import S_ISREG
+
+from chatmaild.config import read_config
+
+FileEntry = namedtuple("FileEntry", ("path", "mtime", "size"))
+
+
+def iter_mailboxes(basedir, maxnum):
+    if not os.path.exists(basedir):
+        print_info(f"no mailboxes found at: {basedir}")
+        return
+
+    for name in os_listdir_if_exists(basedir)[:maxnum]:
+        if "@" in name:
+            yield MailboxStat(basedir + "/" + name)
+
+
+def get_file_entry(path):
+    """return a FileEntry or None if the path does not exist or is not a regular file."""
+    try:
+        st = os.stat(path)
+    except FileNotFoundError:
+        return None
+    if not S_ISREG(st.st_mode):
+        return None
+    return FileEntry(path, st.st_mtime, st.st_size)
+
+
+def os_listdir_if_exists(path):
+    """return a list of names obtained from os.listdir or an empty list if the path does not exist."""
+    try:
+        return os.listdir(path)
+    except FileNotFoundError:
+        return []
+
+
+class MailboxStat:
+    last_login = None
+
+    def __init__(self, basedir):
+        self.basedir = str(basedir)
+        self.messages = []
+        self.extrafiles = []
+        self.scandir(self.basedir)
+
+    def scandir(self, folderdir):
+        for name in os_listdir_if_exists(folderdir):
+            path = f"{folderdir}/{name}"
+            if name in ("cur", "new", "tmp"):
+                for msg_name in os_listdir_if_exists(path):
+                    entry = get_file_entry(f"{path}/{msg_name}")
+                    if entry is not None:
+                        self.messages.append(entry)
+            elif os.path.isdir(path):
+                self.scandir(path)
+            else:
+                entry = get_file_entry(path)
+                if entry is not None:
+                    self.extrafiles.append(entry)
+                    if name == "password":
+                        self.last_login = entry.mtime
+        self.extrafiles.sort(key=lambda x: -x.size)
+
+
+def print_info(msg):
+    print(msg, file=sys.stderr)
+
+
+class Expiry:
+    def __init__(self, config, dry, now, verbose):
+        self.config = config
+        self.dry = dry
+        self.now = now
+        self.verbose = verbose
+        self.del_mboxes = 0
+        self.all_mboxes = 0
+        self.del_files = 0
+        self.all_files = 0
+        self.start = time.time()
+
+    def remove_mailbox(self, mboxdir):
+        if self.verbose:
+            print_info(f"removing {mboxdir}")
+        if not self.dry:
+            shutil.rmtree(mboxdir)
+        self.del_mboxes += 1
+
+    def remove_file(self, path, mtime=None):
+        if self.verbose:
+            if mtime is not None:
+                date = datetime.fromtimestamp(mtime).strftime("%b %d")
+                print_info(f"removing {date} {path}")
+            else:
+                print_info(f"removing {path}")
+        if not self.dry:
+            try:
+                os.unlink(path)
+            except FileNotFoundError:
+                print_info(f"file not found/vanished {path}")
+        self.del_files += 1
+
+    def process_mailbox_stat(self, mbox):
+        cutoff_without_login = (
+            self.now - int(self.config.delete_inactive_users_after) * 86400
+        )
+        cutoff_mails = self.now - int(self.config.delete_mails_after) * 86400
+        cutoff_large_mails = self.now - int(self.config.delete_large_after) * 86400
+
+        self.all_mboxes += 1
+        changed = False
+        if mbox.last_login and mbox.last_login < cutoff_without_login:
+            self.remove_mailbox(mbox.basedir)
+            return
+
+        mboxname = os.path.basename(mbox.basedir)
+        if self.verbose:
+            date = datetime.fromtimestamp(mbox.last_login) if mbox.last_login else None
+            if date:
+                print_info(f"checking mailbox {date.strftime('%b %d')} {mboxname}")
+            else:
+                print_info(f"checking mailbox (no last_login) {mboxname}")
+        self.all_files += len(mbox.messages)
+        for message in mbox.messages:
+            if message.mtime < cutoff_mails:
+                self.remove_file(message.path, mtime=message.mtime)
+            elif message.size > 200000 and message.mtime < cutoff_large_mails:
+                # we only remove noticed large files (not unnoticed ones in new/)
+                parts = message.path.split("/")
+                if len(parts) >= 2 and parts[-2] == "cur":
+                    self.remove_file(message.path, mtime=message.mtime)
+            else:
+                continue
+            changed = True
+        if changed:
+            self.remove_file("maildirsize")
+
+    def get_summary(self):
+        return (
+            f"Removed {self.del_mboxes} out of {self.all_mboxes} mailboxes "
+            f"and {self.del_files} out of {self.all_files} files in existing mailboxes "
+            f"in {time.time() - self.start:2.2f} seconds"
+        )
+
+
+def main(args=None):
+    """Expire mailboxes and messages according to chatmail config"""
+    parser = ArgumentParser(description=main.__doc__)
+    ini = "/usr/local/lib/chatmaild/chatmail.ini"
+    parser.add_argument(
+        "chatmail_ini",
+        action="store",
+        nargs="?",
+        help=f"path pointing to chatmail.ini file, default: {ini}",
+        default=ini,
+    )
+    parser.add_argument(
+        "--days", action="store", help="assume date to be days older than now"
+    )
+
+    parser.add_argument(
+        "--maxnum",
+        default=None,
+        action="store",
+        help="maximum number of mailboxes to iterate on",
+    )
+    parser.add_argument(
+        "-v",
+        dest="verbose",
+        action="store_true",
+        help="print out removed files and mailboxes",
+    )
+
+    parser.add_argument(
+        "--remove",
+        dest="remove",
+        action="store_true",
+        help="actually remove all expired files and dirs",
+    )
+    args = parser.parse_args(args)
+
+    config = read_config(args.chatmail_ini)
+    now = datetime.utcnow().timestamp()
+    if args.days:
+        now = now - 86400 * int(args.days)
+
+    maxnum = int(args.maxnum) if args.maxnum else None
+    exp = Expiry(config, dry=not args.remove, now=now, verbose=args.verbose)
+    for mailbox in iter_mailboxes(str(config.mailboxes_dir), maxnum=maxnum):
+        exp.process_mailbox_stat(mailbox)
+    print(exp.get_summary())
+
+
+if __name__ == "__main__":
+    main(sys.argv[1:])
--- a/chatmaild/src/chatmaild/filedict.py
+++ b/chatmaild/src/chatmaild/filedict.py
@@ -1,8 +1,10 @@
-import os
-import logging
 import json
-import filelock
+import logging
+import os
 from contextlib import contextmanager
+from random import randint
+
+import filelock


 class FileDict:
@@ -31,5 +33,12 @@ class FileDict:
        except FileNotFoundError:
            return {}
        except Exception:
-            logging.warning("corrupt serialization state at: %r", self.path)
+            logging.warning(f"corrupt serialization state at: {self.path!r}")
            return {}
+
+
+def write_bytes_atomic(path, content):
+    rint = randint(0, 10000000)
+    tmp = path.with_name(path.name + f".tmp-{rint}")
+    tmp.write_bytes(content)
+    os.rename(tmp, path)
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -1,80 +1,233 @@
 #!/usr/bin/env python3
 import asyncio
-import logging
-import time
+import base64
+import binascii
 import sys
-from email.parser import BytesParser
+import time
 from email import policy
+from email.parser import BytesParser
 from email.utils import parseaddr
+from smtplib import SMTP as SMTPClient

 from aiosmtpd.controller import Controller
-from smtplib import SMTP as SMTPClient
+from aiosmtpd.smtp import SMTP

 from .config import read_config

+ENCRYPTION_NEEDED_523 = "523 Encryption Needed: Invalid Unencrypted Mail"

-def check_encrypted(message):
-    """Check that the message is an OpenPGP-encrypted message."""
+
+def check_openpgp_payload(payload: bytes):
+    """Checks the OpenPGP payload.
+
+    OpenPGP payload must consist only of PKESK and SKESK packets
+    terminated by a single SEIPD packet.
+
+    Returns True if OpenPGP payload is correct,
+    False otherwise.
+
+    May raise IndexError while trying to read OpenPGP packet header
+    if it is truncated.
+    """
+    i = 0
+    while i < len(payload):
+        # Only OpenPGP format is allowed.
+        if payload[i] & 0xC0 != 0xC0:
+            return False
+
+        packet_type_id = payload[i] & 0x3F
+        i += 1
+
+        while payload[i] >= 224 and payload[i] < 255:
+            # Partial body length.
+            partial_length = 1 << (payload[i] & 0x1F)
+            i += 1 + partial_length
+
+        if payload[i] < 192:
+            # One-octet length.
+            body_len = payload[i]
+            i += 1
+        elif payload[i] < 224:
+            # Two-octet length.
+            body_len = ((payload[i] - 192) << 8) + payload[i + 1] + 192
+            i += 2
+        elif payload[i] == 255:
+            # Five-octet length.
+            body_len = (
+                (payload[i + 1] << 24)
+                | (payload[i + 2] << 16)
+                | (payload[i + 3] << 8)
+                | payload[i + 4]
+            )
+            i += 5
+        else:
+            # Impossible, partial body length was processed above.
+            return False
+
+        i += body_len
+
+        if i == len(payload):
+            # Last packet should be
+            # Symmetrically Encrypted and Integrity Protected Data Packet (SEIPD)
+            #
+            # This is the only place where this function may return `True`.
+            return packet_type_id == 18
+        elif packet_type_id not in [1, 3]:
+            # All packets except the last one must be either
+            # Public-Key Encrypted Session Key Packet (PKESK)
+            # or
+            # Symmetric-Key Encrypted Session Key Packet (SKESK)
+            return False
+
+    return False
+
+
+def check_armored_payload(payload: str, outgoing: bool):
+    """Check the armored PGP message for invalid content.
+
+    :param payload: the armored PGP message
+    :param outgoing: whether the message is outgoing or incoming
+    :return: whether the message is a valid PGP message
+    """
+    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
+    if not payload.startswith(prefix):
+        return False
+    payload = payload.removeprefix(prefix)
+
+    while payload.endswith("\r\n"):
+        payload = payload.removesuffix("\r\n")
+    suffix = "-----END PGP MESSAGE-----"
+    if not payload.endswith(suffix):
+        return False
+    payload = payload.removesuffix(suffix)
+
+    version_comment = "Version: "
+    if payload.startswith(version_comment):
+        if outgoing:  # Disallow comments in outgoing messages
+            return False
+        # Remove comments from incoming messages
+        payload = payload.partition("\r\n")[2]
+
+    while payload.startswith("\r\n"):
+        payload = payload.removeprefix("\r\n")
+
+    # Remove CRC24.
+    payload = payload.rpartition("=")[0]
+
+    try:
+        payload = base64.b64decode(payload)
+    except binascii.Error:
+        return False
+
+    try:
+        return check_openpgp_payload(payload)
+    except IndexError:
+        return False
+
+
+def is_securejoin(message):
+    if message.get("secure-join") not in ["vc-request", "vg-request"]:
+        return False
    if not message.is_multipart():
        return False
-    if message.get("subject") != "...":
+    parts_count = 0
+    for part in message.iter_parts():
+        parts_count += 1
+        if parts_count > 1:
+            return False
+        if part.is_multipart():
+            return False
+        if part.get_content_type() != "text/plain":
+            return False
+
+        payload = part.get_payload().strip().lower()
+        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
+            return False
+    return True
+
+
+def check_encrypted(message, outgoing=True):
+    """Check that the message is an OpenPGP-encrypted message.
+
+    MIME structure of the message must correspond to <https://www.rfc-editor.org/rfc/rfc3156>.
+    """
+    if not message.is_multipart():
        return False
    if message.get_content_type() != "multipart/encrypted":
        return False
    parts_count = 0
    for part in message.iter_parts():
+        # We explicitly check Content-Type of each part later,
+        # but this is to be absolutely sure `get_payload()` returns string and not list.
+        if part.is_multipart():
+            return False
+
        if parts_count == 0:
            if part.get_content_type() != "application/pgp-encrypted":
                return False
+
+            payload = part.get_payload()
+            if payload.strip() != "Version: 1":
+                return False
        elif parts_count == 1:
            if part.get_content_type() != "application/octet-stream":
                return False
+
+            if not check_armored_payload(part.get_payload(), outgoing=outgoing):
+                return False
        else:
            return False
        parts_count += 1
    return True


-def check_mdn(message, envelope):
-    if len(envelope.rcpt_tos) != 1:
-        return False
-
-    for name in ["auto-submitted", "chat-version"]:
-        if not message.get(name):
-            return False
-
-    if message.get_content_type() != "multipart/report":
-        return False
-
-    body = message.get_body()
-    if body.get_content_type() != "text/plain":
-        return False
-
-    if list(body.iter_attachments()) or list(body.iter_parts()):
-        return False
-
-    # even with all mime-structural checks an attacker
-    # could try to abuse the subject or body to contain links or other
-    # annoyance -- we skip on checking subject/body for now as Delta Chat
-    # should evolve to create E2E-encrypted read receipts anyway.
-    # and then MDNs are just encrypted mail and can pass the border
-    # to other instances.
-
-    return True
+async def asyncmain_beforequeue(config, mode):
+    if mode == "outgoing":
+        port = config.filtermail_smtp_port
+        handler = OutgoingBeforeQueueHandler(config)
+    else:
+        port = config.filtermail_smtp_port_incoming
+        handler = IncomingBeforeQueueHandler(config)
+    HackedController(
+        handler,
+        hostname="127.0.0.1",
+        port=port,
+        data_size_limit=config.max_message_size,
+    ).start()


-async def asyncmain_beforequeue(config):
-    port = config.filtermail_smtp_port
-    Controller(BeforeQueueHandler(config), hostname="127.0.0.1", port=port).start()
+def recipient_matches_passthrough(recipient, passthrough_recipients):
+    for addr in passthrough_recipients:
+        if recipient == addr:
+            return True
+        if addr[0] == "@" and recipient.endswith(addr):
+            return True
+    return False


-class BeforeQueueHandler:
+class HackedController(Controller):
+    def factory(self):
+        return SMTPDiscardRCPTO_options(self.handler, **self.SMTP_kwargs)
+
+
+class SMTPDiscardRCPTO_options(SMTP):
+    def _getparams(self, params):
+        # Ignore RCPT TO parameters.
+        #
+        # Otherwise parameters such as `ORCPT=...`
+        # or `NOTIFY=DELAY,FAILURE` (generated by Stalwart)
+        # make aiosmtpd reject the message here:
+        # <https://github.com/aio-libs/aiosmtpd/blob/98f578389ae86e5345cc343fa4e5a17b21d9c96d/aiosmtpd/smtp.py#L1379-L1384>
+        return {}
+
+
+class OutgoingBeforeQueueHandler:
    def __init__(self, config):
        self.config = config
        self.send_rate_limiter = SendRateLimiter()

    async def handle_MAIL(self, server, session, envelope, address, mail_options):
-        logging.info(f"handle_MAIL from {address}")
+        log_info(f"handle_MAIL from {address}")
        envelope.mail_from = address
        max_sent = self.config.max_user_send_per_minute
        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
@@ -87,54 +240,110 @@ class BeforeQueueHandler:
        return "250 OK"

    async def handle_DATA(self, server, session, envelope):
-        logging.info("handle_DATA before-queue")
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
+
+    def sync_handle_DATA(self, envelope):
+        log_info("handle_DATA before-queue")
        error = self.check_DATA(envelope)
        if error:
            return error
-        logging.info("re-injecting the mail that passed checks")
+        log_info("re-injecting the mail that passed checks")
        client = SMTPClient("localhost", self.config.postfix_reinject_port)
-        client.sendmail(envelope.mail_from, envelope.rcpt_tos, envelope.content)
+        client.sendmail(
+            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
+        )
        return "250 OK"

    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
-        logging.info(f"Processing DATA message from {envelope.mail_from}")
+        log_info(f"Processing DATA message from {envelope.mail_from}")

        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
-        mail_encrypted = check_encrypted(message)
+        mail_encrypted = check_encrypted(message, outgoing=True)

        _, from_addr = parseaddr(message.get("from").strip())
-        logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
+
        if envelope.mail_from.lower() != from_addr.lower():
            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"

-        if not mail_encrypted and check_mdn(message, envelope):
+        if mail_encrypted or is_securejoin(message):
+            print("Outgoing: Filtering encrypted mail.", file=sys.stderr)
            return

+        print("Outgoing: Filtering unencrypted mail.", file=sys.stderr)
+
        if envelope.mail_from in self.config.passthrough_senders:
            return

-        passthrough_recipients = self.config.passthrough_recipients
-        envelope_from_domain = from_addr.split("@").pop()
-        for recipient in envelope.rcpt_tos:
-            if envelope.mail_from == recipient:
-                # Always allow sending emails to self.
-                continue
-            if recipient in passthrough_recipients:
-                continue
-            res = recipient.split("@")
-            if len(res) != 2:
-                return f"500 Invalid address <{recipient}>"
-            _recipient_addr, recipient_domain = res
+        # allow self-sent Autocrypt Setup Message
+        if envelope.rcpt_tos == [from_addr]:
+            if message.get("subject") == "Autocrypt Setup Message":
+                if message.get_content_type() == "multipart/mixed":
+                    return

-            is_outgoing = recipient_domain != envelope_from_domain
-            if is_outgoing and not mail_encrypted:
-                is_securejoin = message.get("secure-join") in [
-                    "vc-request",
-                    "vg-request",
-                ]
-                if not is_securejoin:
-                    return f"500 Invalid unencrypted mail to <{recipient}>"
+        passthrough_recipients = self.config.passthrough_recipients
+
+        for recipient in envelope.rcpt_tos:
+            if recipient_matches_passthrough(recipient, passthrough_recipients):
+                continue
+
+            print("Rejected unencrypted mail.", file=sys.stderr)
+            return ENCRYPTION_NEEDED_523
+
+
+class IncomingBeforeQueueHandler:
+    def __init__(self, config):
+        self.config = config
+
+    async def handle_DATA(self, server, session, envelope):
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
+
+    def sync_handle_DATA(self, envelope):
+        log_info("handle_DATA before-queue")
+        error = self.check_DATA(envelope)
+        if error:
+            return error
+        log_info("re-injecting the mail that passed checks")
+
+        client = SMTPClient(
+            "localhost",
+            self.config.postfix_reinject_port_incoming,
+        )
+        client.sendmail(
+            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
+        )
+        return "250 OK"
+
+    def check_DATA(self, envelope):
+        """the central filtering function for e-mails."""
+        log_info(f"Processing DATA message from {envelope.mail_from}")
+
+        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+        mail_encrypted = check_encrypted(message, outgoing=False)
+
+        if mail_encrypted or is_securejoin(message):
+            print("Incoming: Filtering encrypted mail.", file=sys.stderr)
+            return
+
+        print("Incoming: Filtering unencrypted mail.", file=sys.stderr)
+
+        # we want cleartext mailer-daemon messages to pass through
+        # chatmail core will typically not display them as normal messages
+        if message.get("auto-submitted"):
+            _, from_addr = parseaddr(message.get("from").strip())
+            if from_addr.lower().startswith("mailer-daemon@"):
+                if message.get_content_type() == "multipart/report":
+                    return
+
+        for recipient in envelope.rcpt_tos:
+            user = self.config.get_user(recipient)
+            if user is None or user.is_incoming_cleartext_ok():
+                continue
+
+            print("Rejected unencrypted mail.", file=sys.stderr)
+            return ENCRYPTION_NEEDED_523


 class SendRateLimiter:
@@ -151,13 +360,19 @@ class SendRateLimiter:
        return False


+def log_info(msg):
+    print(msg, file=sys.stderr)
+
+
 def main():
    args = sys.argv[1:]
-    assert len(args) == 1
+    assert len(args) == 2
    config = read_config(args[0])
-    logging.basicConfig(level=logging.WARN)
+    mode = args[1]
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
-    task = asyncmain_beforequeue(config)
+    assert mode in ["incoming", "outgoing"]
+    task = asyncmain_beforequeue(config, mode)
    loop.create_task(task)
+    log_info("entering serving loop")
    loop.run_forever()
--- a/chatmaild/src/chatmaild/fsreport.py
+++ b/chatmaild/src/chatmaild/fsreport.py
@@ -0,0 +1,168 @@
+"""
+command line tool to analyze mailbox message storage
+
+example invocation:
+
+    python -m chatmaild.fsreport /path/to/chatmail.ini
+
+to show storage summaries for all "cur" folders
+
+    python -m chatmaild.fsreport /path/to/chatmail.ini --mdir cur
+
+to show storage summaries only for first 1000 mailboxes
+
+    python -m chatmaild.fsreport /path/to/chatmail.ini --maxnum 1000
+
+"""
+
+import os
+from argparse import ArgumentParser
+from datetime import datetime
+
+from chatmaild.config import read_config
+from chatmaild.expire import iter_mailboxes
+
+DAYSECONDS = 24 * 60 * 60
+MONTHSECONDS = DAYSECONDS * 30
+
+
+def HSize(size: int):
+    """Format a size integer as a Human-readable string Kilobyte, Megabyte or Gigabyte"""
+    if size < 10000:
+        return f"{size / 1000:5.2f}K"
+    if size < 1000 * 1000:
+        return f"{size / 1000:5.0f}K"
+    if size < 1000 * 1000 * 1000:
+        return f"{int(size / 1000000):5.0f}M"
+    return f"{size / 1000000000:5.2f}G"
+
+
+class Report:
+    def __init__(self, now, min_login_age, mdir):
+        self.size_extra = 0
+        self.size_messages = 0
+        self.now = now
+        self.min_login_age = min_login_age
+        self.mdir = mdir
+
+        self.num_ci_logins = self.num_all_logins = 0
+        self.login_buckets = {x: 0 for x in (1, 10, 30, 40, 80, 100, 150)}
+
+        self.message_buckets = {x: 0 for x in (0, 160000, 500000, 2000000)}
+
+    def process_mailbox_stat(self, mailbox):
+        # categorize login times
+        last_login = mailbox.last_login
+        if last_login:
+            self.num_all_logins += 1
+            if os.path.basename(mailbox.basedir)[:3] == "ci-":
+                self.num_ci_logins += 1
+            else:
+                for days in self.login_buckets:
+                    if last_login >= self.now - days * DAYSECONDS:
+                        self.login_buckets[days] += 1
+
+        cutoff_login_date = self.now - self.min_login_age * DAYSECONDS
+        if last_login and last_login <= cutoff_login_date:
+            # categorize message sizes
+            for size in self.message_buckets:
+                for msg in mailbox.messages:
+                    if msg.size >= size:
+                        if self.mdir and not msg.relpath.startswith(self.mdir):
+                            continue
+                        self.message_buckets[size] += msg.size
+
+        self.size_messages += sum(entry.size for entry in mailbox.messages)
+        self.size_extra += sum(entry.size for entry in mailbox.extrafiles)
+
+    def dump_summary(self):
+        all_messages = self.size_messages
+        print()
+        print("## Mailbox storage use analysis")
+        print(f"Mailbox data total size: {HSize(self.size_extra + all_messages)}")
+        print(f"Messages total size    : {HSize(all_messages)}")
+        try:
+            percent = self.size_extra / (self.size_extra + all_messages) * 100
+        except ZeroDivisionError:
+            percent = 100
+        print(f"Extra files : {HSize(self.size_extra)} ({percent:.2f}%)")
+
+        print()
+        if self.min_login_age:
+            print(f"### Message storage for {self.min_login_age} days old logins")
+
+        pref = f"[{self.mdir}] " if self.mdir else ""
+        for minsize, sumsize in self.message_buckets.items():
+            percent = (sumsize / all_messages * 100) if all_messages else 0
+            print(
+                f"{pref}larger than {HSize(minsize)}: {HSize(sumsize)} ({percent:.2f}%)"
+            )
+
+        user_logins = self.num_all_logins - self.num_ci_logins
+
+        def p(num):
+            return f"({num / user_logins * 100:2.2f}%)" if user_logins else "100%"
+
+        print()
+        print(f"## Login stats, from date reference {datetime.fromtimestamp(self.now)}")
+        print(f"all:     {HSize(self.num_all_logins)}")
+        print(f"non-ci:  {HSize(user_logins)}")
+        print(f"ci:      {HSize(self.num_ci_logins)}")
+        for days, active in self.login_buckets.items():
+            print(f"last {days:3} days: {HSize(active)} {p(active)}")
+
+
+def main(args=None):
+    """Report about filesystem storage usage of all mailboxes and messages"""
+    parser = ArgumentParser(description=main.__doc__)
+    ini = "/usr/local/lib/chatmaild/chatmail.ini"
+    parser.add_argument(
+        "chatmail_ini",
+        action="store",
+        nargs="?",
+        help=f"path pointing to chatmail.ini file, default: {ini}",
+        default=ini,
+    )
+    parser.add_argument(
+        "--days",
+        default=0,
+        action="store",
+        help="assume date to be days older than now",
+    )
+    parser.add_argument(
+        "--min-login-age",
+        default=0,
+        dest="min_login_age",
+        action="store",
+        help="only sum up message size if last login is at least min-login-age days old",
+    )
+    parser.add_argument(
+        "--mdir",
+        action="store",
+        help="only consider 'cur' or 'new' or 'tmp' messages for summary",
+    )
+
+    parser.add_argument(
+        "--maxnum",
+        default=None,
+        action="store",
+        help="maximum number of mailboxes to iterate on",
+    )
+
+    args = parser.parse_args(args)
+
+    config = read_config(args.chatmail_ini)
+
+    now = datetime.utcnow().timestamp()
+    if args.days:
+        now = now - 86400 * int(args.days)
+
+    maxnum = int(args.maxnum) if args.maxnum else None
+    rep = Report(now=now, min_login_age=int(args.min_login_age), mdir=args.mdir)
+    for mbox in iter_mailboxes(str(config.mailboxes_dir), maxnum=maxnum):
+        rep.process_mailbox_stat(mbox)
+    rep.dump_summary()
+
+
+if __name__ == "__main__":
+    main()
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -8,17 +8,26 @@ mail_domain = {mail_domain}
 #

 #
-# Account Restrictions
+# Restrictions on user addresses
 #

 # how many mails a user can send out per minute
 max_user_send_per_minute = 60

-# maximum mailbox size of a chatmail account
-max_mailbox_size = 100M
+# maximum mailbox size of a chatmail address
+max_mailbox_size = 500M
+
+# maximum message size for an e-mail in bytes
+max_message_size = 31457280

 # days after which mails are unconditionally deleted
-delete_mails_after = 40
+delete_mails_after = 20
+
+# days after which large messages (>200k) are unconditionally deleted
+delete_large_after = 7
+
+# days after which users without a successful login are deleted (database and mails)
+delete_inactive_users_after = 90

 # minimum length a username must have
 username_min_length = 9
@@ -29,22 +38,74 @@ username_max_length = 9
 # minimum length a password must have
 password_min_length = 9

-# list of chatmail accounts which can send outbound un-encrypted mail
+# list of chatmail addresses which can send outbound un-encrypted mail
 passthrough_senders =

 # list of e-mail recipients for which to accept outbound un-encrypted mails
-passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
+# (space-separated, item may start with "@" to whitelist whole recipient domains)
+passthrough_recipients =
+
+# path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
+#www_folder = www

 #
 # Deployment Details
 #

-# where the filtermail SMTP service listens
+# SMTP outgoing filtermail and reinjection 
 filtermail_smtp_port = 10080
-
-# postfix accepts on the localhost reinject SMTP port
 postfix_reinject_port = 10025

+# SMTP incoming filtermail and reinjection 
+filtermail_smtp_port_incoming = 10081
+postfix_reinject_port_incoming = 10026
+
+# if set to "True" IPv6 is disabled
+disable_ipv6 = False
+
+# Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
+acme_email = 
+
+# Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
+# service.
+# If you set it to anything else, the service will be disabled
+# and users will be directed to use the given iroh relay URL.
+# Set it to empty string if you want users to use their default iroh relay.
+# iroh_relay =
+
+# Address on which `mtail` listens,
+# e.g. 127.0.0.1 or some private network
+# address like 192.168.10.1.
+# You can point Prometheus
+# or some other OpenMetrics-compatible
+# collector to
+# http://{{mtail_address}}:3903/metrics
+# and display collected metrics with Grafana.
+#
+# WARNING: do not expose this service
+# to the public IP address.
+#
+# `mtail is not running if the setting is not set.
+
+# mtail_address = 127.0.0.1
+
+#
+# Debugging options 
+#
+
+# set to True if you want to track imap protocol execution
+# in per-maildir ".in/.out" files. 
+# Note that you need to manually cleanup these files
+# so use this option with caution on production servers. 
+imap_rawlog = false 
+
+# set to true if you want to enable the IMAP COMPRESS Extension,
+# which allows IMAP connections to be efficiently compressed.
+# WARNING: Enabling this makes it impossible to hibernate IMAP
+# processes which will result in much higher memory/RAM usage.
+imap_compress = false
+
+
 #
 # Privacy Policy
 #
@@ -60,4 +121,3 @@ privacy_pdo =

 # postal address of the privacy supervisor
 privacy_supervisor =
-
--- a/chatmaild/src/chatmaild/ini/override-testrun.ini
+++ b/chatmaild/src/chatmaild/ini/override-testrun.ini
@@ -1,7 +1,7 @@

 [privacy]

-passthrough_recipients = privacy@testrun.org xstore@testrun.org groupsbot@hispanilandia.net
+passthrough_recipients = privacy@testrun.org echo@{mail_domain}

 privacy_postal =
    Merlinux GmbH, Represented by the managing director H. Krekel,
--- a/chatmaild/src/chatmaild/lastlogin.py
+++ b/chatmaild/src/chatmaild/lastlogin.py
@@ -0,0 +1,29 @@
+import sys
+
+from .config import read_config
+from .dictproxy import DictProxy
+
+
+class LastLoginDictProxy(DictProxy):
+    def __init__(self, config):
+        super().__init__()
+        self.config = config
+
+    def handle_set(self, addr, parts):
+        keyname = parts[1].split("/")
+        value = parts[2] if len(parts) > 2 else ""
+        if keyname[0] == "shared" and keyname[1] == "last-login":
+            addr = keyname[2]
+            timestamp = int(value)
+            user = self.config.get_user(addr)
+            user.set_last_login_timestamp(timestamp)
+            return True
+
+        return False
+
+
+def main():
+    socket, config_path = sys.argv[1:]
+    config = read_config(config_path)
+    dictproxy = LastLoginDictProxy(config=config)
+    dictproxy.serve_forever_from_socket(socket)
--- a/chatmaild/src/chatmaild/metadata.py
+++ b/chatmaild/src/chatmaild/metadata.py
@@ -1,28 +1,24 @@
-from pathlib import Path
-from socketserver import (
-    UnixStreamServer,
-    StreamRequestHandler,
-    ThreadingMixIn,
-)
-import sys
 import logging
-import os
+import sys
+import time
+from contextlib import contextmanager

+from .config import read_config
+from .dictproxy import DictProxy
 from .filedict import FileDict
 from .notifier import Notifier
+from .turnserver import turn_credentials


-DICTPROXY_HELLO_CHAR = "H"
-DICTPROXY_LOOKUP_CHAR = "L"
-DICTPROXY_ITERATE_CHAR = "I"
-DICTPROXY_BEGIN_TRANSACTION_CHAR = "B"
-DICTPROXY_SET_CHAR = "S"
-DICTPROXY_COMMIT_TRANSACTION_CHAR = "C"
-DICTPROXY_TRANSACTION_CHARS = "BSC"
+def _is_valid_token_timestamp(timestamp, now):
+    # Token if invalid after 90 days
+    # or if the timestamp is in the future.
+    return timestamp > now - 3600 * 24 * 90 and timestamp < now + 60


 class Metadata:
-    # each SETMETADATA on this key appends to a list of unique device tokens
+    # each SETMETADATA on this key appends to dictionary
+    # mapping of unique device tokens
    # which only ever get removed if the upstream indicates the token is invalid
    DEVICETOKEN_KEY = "devicetoken"

@@ -32,97 +28,109 @@ class Metadata:
    def get_metadata_dict(self, addr):
        return FileDict(self.vmail_dir / addr / "metadata.json")

-    def add_token_to_addr(self, addr, token):
+    @contextmanager
+    def _modify_tokens(self, addr):
        with self.get_metadata_dict(addr).modify() as data:
-            tokens = data.setdefault(self.DEVICETOKEN_KEY, [])
-            if token not in tokens:
-                tokens.append(token)
+            tokens = data.setdefault(self.DEVICETOKEN_KEY, {})
+            now = int(time.time())
+            if isinstance(tokens, list):
+                data[self.DEVICETOKEN_KEY] = tokens = {t: now for t in tokens}
+
+            expired_tokens = [
+                token
+                for token, timestamp in tokens.items()
+                if not _is_valid_token_timestamp(tokens[token], now)
+            ]
+            for expired_token in expired_tokens:
+                del tokens[expired_token]
+
+            yield tokens
+
+    def add_token_to_addr(self, addr, token):
+        with self._modify_tokens(addr) as tokens:
+            tokens[token] = int(time.time())

    def remove_token_from_addr(self, addr, token):
-        with self.get_metadata_dict(addr).modify() as data:
-            tokens = data.get(self.DEVICETOKEN_KEY, [])
+        with self._modify_tokens(addr) as tokens:
            if token in tokens:
-                tokens.remove(token)
+                del tokens[token]

    def get_tokens_for_addr(self, addr):
        mdict = self.get_metadata_dict(addr).read()
-        return mdict.get(self.DEVICETOKEN_KEY, [])
+        tokens = mdict.get(self.DEVICETOKEN_KEY, {})
+
+        now = int(time.time())
+        if isinstance(tokens, dict):
+            token_list = [
+                token
+                for token, timestamp in tokens.items()
+                if _is_valid_token_timestamp(timestamp, now)
+            ]
+            if len(token_list) < len(tokens):
+                # Some tokens have expired, remove them.
+                with self._modify_tokens(addr) as _tokens:
+                    pass
+        else:
+            token_list = []
+        return token_list


-def handle_dovecot_protocol(rfile, wfile, notifier, metadata):
-    transactions = {}
-    while True:
-        msg = rfile.readline().strip().decode()
-        if not msg:
-            break
+class MetadataDictProxy(DictProxy):
+    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None):
+        super().__init__()
+        self.notifier = notifier
+        self.metadata = metadata
+        self.iroh_relay = iroh_relay
+        self.turn_hostname = turn_hostname

-        res = handle_dovecot_request(msg, transactions, notifier, metadata)
-        if res:
-            wfile.write(res.encode("ascii"))
-            wfile.flush()
-
-
-def handle_dovecot_request(msg, transactions, notifier, metadata):
-    # see https://doc.dovecot.org/3.0/developer_manual/design/dict_protocol/
-    short_command = msg[0]
-    parts = msg[1:].split("\t")
-    if short_command == DICTPROXY_LOOKUP_CHAR:
+    def handle_lookup(self, parts):
        # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
-        keyparts = parts[0].split("/")
+        keyparts = parts[0].split("/", 2)
        if keyparts[0] == "priv":
            keyname = keyparts[2]
            addr = parts[1]
-            if keyname == metadata.DEVICETOKEN_KEY:
-                res = " ".join(metadata.get_tokens_for_addr(addr))
+            if keyname == self.metadata.DEVICETOKEN_KEY:
+                res = " ".join(self.metadata.get_tokens_for_addr(addr))
                return f"O{res}\n"
-        logging.warning("lookup ignored: %r", msg)
+        elif keyparts[0] == "shared":
+            keyname = keyparts[2]
+            if (
+                keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay"
+                and self.iroh_relay
+            ):
+                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
+                return f"O{self.iroh_relay}\n"
+            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
+                res = turn_credentials()
+                port = 3478
+                return f"O{self.turn_hostname}:{port}:{res}\n"
+
+        logging.warning(f"lookup ignored: {parts!r}")
        return "N\n"
-    elif short_command == DICTPROXY_ITERATE_CHAR:
-        # Empty line means ITER_FINISHED.
-        # If we don't return empty line Dovecot will timeout.
-        return "\n"
-    elif short_command == DICTPROXY_HELLO_CHAR:
-        return  # no version checking

-    if short_command not in (DICTPROXY_TRANSACTION_CHARS):
-        logging.warning("unknown dictproxy request: %r", msg)
-        return
-
-    transaction_id = parts[0]
-
-    if short_command == DICTPROXY_BEGIN_TRANSACTION_CHAR:
-        addr = parts[1]
-        transactions[transaction_id] = dict(addr=addr, res="O\n")
-    elif short_command == DICTPROXY_COMMIT_TRANSACTION_CHAR:
-        # each set devicetoken operation persists directly
-        # and does not wait until a "commit" comes
-        # because our dovecot config does not involve
-        # multiple set-operations in a single commit
-        return transactions.pop(transaction_id)["res"]
-    elif short_command == DICTPROXY_SET_CHAR:
+    def handle_set(self, addr, parts):
        # For documentation on key structure see
        # https://github.com/dovecot/core/blob/main/src/lib-storage/mailbox-attribute.h
-
        keyname = parts[1].split("/")
        value = parts[2] if len(parts) > 2 else ""
-        addr = transactions[transaction_id]["addr"]
-        if keyname[0] == "priv" and keyname[2] == metadata.DEVICETOKEN_KEY:
-            metadata.add_token_to_addr(addr, value)
+        if keyname[0] == "priv" and keyname[2] == self.metadata.DEVICETOKEN_KEY:
+            self.metadata.add_token_to_addr(addr, value)
+            return True
        elif keyname[0] == "priv" and keyname[2] == "messagenew":
-            notifier.new_message_for_addr(addr, metadata)
-        else:
-            # Transaction failed.
-            transactions[transaction_id]["res"] = "F\n"
+            self.notifier.new_message_for_addr(addr, self.metadata)
+            return True

-
-class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
-    request_queue_size = 100
+        return False


 def main():
-    socket, vmail_dir = sys.argv[1:]
+    socket, config_path = sys.argv[1:]

-    vmail_dir = Path(vmail_dir)
+    config = read_config(config_path)
+    iroh_relay = config.iroh_relay
+    mail_domain = config.mail_domain
+
+    vmail_dir = config.mailboxes_dir
    if not vmail_dir.exists():
        logging.error("vmail dir does not exist: %r", vmail_dir)
        return 1
@@ -133,21 +141,11 @@ def main():
    notifier = Notifier(queue_dir)
    notifier.start_notification_threads(metadata.remove_token_from_addr)

-    class Handler(StreamRequestHandler):
-        def handle(self):
-            try:
-                handle_dovecot_protocol(self.rfile, self.wfile, notifier, metadata)
-            except Exception:
-                logging.exception("Exception in the dovecot dictproxy handler")
-                raise
+    dictproxy = MetadataDictProxy(
+        notifier=notifier,
+        metadata=metadata,
+        iroh_relay=iroh_relay,
+        turn_hostname=mail_domain,
+    )

-    try:
-        os.unlink(socket)
-    except FileNotFoundError:
-        pass
-
-    with ThreadedUnixStreamServer(socket, Handler) as server:
-        try:
-            server.serve_forever()
-        except KeyboardInterrupt:
-            pass
+    dictproxy.serve_forever_from_socket(socket)
--- a/chatmaild/src/chatmaild/metrics.py
+++ b/chatmaild/src/chatmaild/metrics.py
@@ -1,7 +1,6 @@
 #!/usr/bin/env python3
-from pathlib import Path
-import time
 import sys
+from pathlib import Path


 def main(vmail_dir=None):
@@ -12,13 +11,21 @@ def main(vmail_dir=None):
    ci_accounts = 0

    for path in Path(vmail_dir).iterdir():
+        if not path.joinpath("cur").is_dir():
+            continue
        accounts += 1
        if path.name[:3] in ("ci-", "ac_"):
            ci_accounts += 1

-    timestamp = int(time.time() * 1000)
-    print(f"accounts {accounts} {timestamp}")
-    print(f"ci_accounts {ci_accounts} {timestamp}")
+    print("# HELP total number of accounts")
+    print("# TYPE accounts gauge")
+    print(f"accounts {accounts}")
+    print("# HELP number of CI accounts")
+    print("# TYPE ci_accounts gauge")
+    print(f"ci_accounts {ci_accounts}")
+    print("# HELP number of non-CI accounts")
+    print("# TYPE nonci_accounts gauge")
+    print(f"nonci_accounts {accounts - ci_accounts}")


 if __name__ == "__main__":
--- a/chatmaild/src/chatmaild/migrate_db.py
+++ b/chatmaild/src/chatmaild/migrate_db.py
@@ -0,0 +1,63 @@
+"""
+migration code from old sqlite databases into per-maildir "password" files
+where mtime reflects and is updated to be the "last-login" time.
+"""
+
+import logging
+import os
+import sqlite3
+import sys
+
+from chatmaild.config import read_config
+
+
+def get_all_rows(path):
+    assert path.exists()
+    uri = f"file:{path}?mode=ro"
+    sqlconn = sqlite3.connect(uri, timeout=60, isolation_level="DEFERRED", uri=True)
+    cur = sqlconn.cursor()
+    cur.execute("SELECT * from users")
+    rows = cur.fetchall()
+    sqlconn.close()
+    return rows
+
+
+def migrate_from_db_to_maildir(config, chunking=10000):
+    path = config.passdb_path
+    if not path.exists():
+        return
+
+    all_rows = get_all_rows(path)
+
+    # don't transfer special/CI accounts
+    rows = [row for row in all_rows if row[0][:3] not in ("ci-", "ac_")]
+
+    logging.info(f"ignoring {len(all_rows) - len(rows)} CI accounts")
+    logging.info(f"migrating {len(rows)} sqlite database passwords to user dirs")
+
+    for i, row in enumerate(rows):
+        addr = row[0]
+        enc_password = row[1]
+        user = config.get_user(addr)
+        user.set_password(enc_password)
+
+        if len(row) == 3 and row[2]:
+            timestamp = int(row[2])
+            user.set_last_login_timestamp(timestamp)
+
+        if i > 0 and i % chunking == 0:
+            logging.info(f"migration-progress: {i} passwords transferred")
+
+    logging.info("migration: all passwords migrated")
+    oldpath = config.passdb_path.with_suffix(config.passdb_path.suffix + ".old")
+    os.rename(config.passdb_path, oldpath)
+    for path in config.passdb_path.parent.iterdir():
+        if path.name.startswith(config.passdb_path.name + "-"):
+            path.unlink()
+    logging.info(f"migration: moved database to {oldpath!r}")
+
+
+if __name__ == "__main__":
+    config = read_config(sys.argv[1])
+    logging.basicConfig(level=logging.INFO)
+    migrate_from_db_to_maildir(config)
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -1,13 +1,13 @@
 #!/usr/local/lib/chatmaild/venv/bin/python3

-""" CGI script for creating new accounts. """
+"""CGI script for creating new accounts."""

 import json
 import random
 import secrets
 import string

-from chatmaild.config import read_config, Config
+from chatmaild.config import Config, read_config

 CONFIG_PATH = "/usr/local/lib/chatmaild/chatmail.ini"
 ALPHANUMERIC = string.ascii_lowercase + string.digits
@@ -15,7 +15,7 @@ ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation


 def create_newemail_dict(config: Config):
-    user = "".join(random.choices(ALPHANUMERIC, k=config.username_min_length))
+    user = "".join(random.choices(ALPHANUMERIC, k=config.username_max_length))
    password = "".join(
        secrets.choice(ALPHANUMERIC_PUNCT)
        for _ in range(config.password_min_length + 3)
--- a/chatmaild/src/chatmaild/notifier.py
+++ b/chatmaild/src/chatmaild/notifier.py
@@ -17,23 +17,24 @@ and which are scheduled for retry using exponential back-off timing.
 If a token notification would be scheduled more than DROP_DEADLINE seconds
 after its first attempt, it is dropped with a log error.

-Note that tokens are completely opaque to the notification machinery here
-and will in the future be encrypted foreclosing all ability to distinguish
+Note that tokens are opaque to the notification machinery here
+and are encrypted foreclosing all ability to distinguish
 which device token ultimately goes to which phone-provider notification service,
 or to understand the relation of "device tokens" and chatmail addresses.
-The meaning and format of tokens is basically a matter of Delta-Chat Core and
+The meaning and format of tokens is basically a matter of chatmail Core and
 the `notification.delta.chat` service.
 """

+import logging
+import math
 import os
 import time
-import math
-import logging
-from uuid import uuid4
-from threading import Thread
+from dataclasses import dataclass
 from pathlib import Path
 from queue import PriorityQueue
-from dataclasses import dataclass
+from threading import Thread
+from uuid import uuid4
+
 import requests


@@ -91,10 +92,15 @@ class Notifier:
    def requeue_persistent_queue_items(self):
        for queue_path in self.queue_dir.iterdir():
            if queue_path.name.endswith(".tmp"):
-                logging.warning("removing spurious queue item: %r", queue_path)
+                logging.warning(f"removing spurious queue item: {queue_path!r}")
+                queue_path.unlink()
+                continue
+            try:
+                queue_item = PersistentQueueItem.read_from_path(queue_path)
+            except ValueError:
+                logging.warning(f"removing spurious queue item: {queue_path!r}")
                queue_path.unlink()
                continue
-            queue_item = PersistentQueueItem.read_from_path(queue_path)
            self.queue_for_retry(queue_item)

    def queue_for_retry(self, queue_item, retry_num=0):
@@ -103,7 +109,7 @@ class Notifier:
        deadline = queue_item.start_ts + self.DROP_DEADLINE
        if retry_num >= len(self.retry_queues) or when > deadline:
            queue_item.delete()
-            logging.error("notification exceeded deadline: %r", queue_item.token)
+            logging.error(f"notification exceeded deadline: {queue_item.token!r}")
            return

        self.retry_queues[retry_num].put((when, queue_item))
@@ -161,5 +167,5 @@ class NotifyThread(Thread):
                queue_item.delete()
                return

-        logging.warning("Notification request failed: %r", res)
+        logging.warning(f"Notification request failed: {res!r}")
        self.notifier.queue_for_retry(queue_item, retry_num=self.retry_num + 1)
--- a/chatmaild/src/chatmaild/tests/mail-data/asm.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/asm.eml
@@ -0,0 +1,56 @@
+From: {from_addr}
+To: {to_addr}
+Autocrypt-Setup-Message: v1
+Subject: Autocrypt Setup Message
+Date: Tue, 22 Jan 2019 12:56:29 +0100
+Content-type: multipart/mixed; boundary="Y6fyGi9SoGeH8WwRaEdC6bbBcYOedDzrQ"
+
+--Y6fyGi9SoGeH8WwRaEdC6bbBcYOedDzrQ
+Content-Type: text/plain
+
+This message contains all information to transfer your Autocrypt
+settings along with your secret key securely from your original
+device.
+
+To set up your new device for Autocrypt, please follow the
+instuctions that should be presented by your new device.
+
+You can keep this message and use it as a backup for your secret
+key. If you want to do this, you should write down the Setup Code
+and store it securely.
+--Y6fyGi9SoGeH8WwRaEdC6bbBcYOedDzrQ
+Content-Type: application/autocrypt-setup
+Content-Disposition: attachment; filename="autocrypt-setup-message.html"
+
+<html><body>
+<p>
+This is the Autocrypt setup file used to transfer settings and
+keys between clients. You can decrypt it using the Setup Code
+presented on your old device, and then import the contained key
+into your keyring.
+</p>
+
+<pre>
+-----BEGIN PGP MESSAGE-----
+Passphrase-Format: numeric9x4
+Passphrase-Begin: 17
+
+jA0EBwMCFAxADoCdzeX/0ukBlqI5+pfpKb751qd/7nLNbkpy3gVcaf1QwRPZYt40
+Ynp08UqRQ2g48ZlnzHLSwlTGOPTuv2Jt8ka+pgZ45xzvJSG2gau03xP4VsC271kR
+VmCjdb0Y6Rk96mAwfGzrkbaRQ9Z7fIoL866GOv6h9neiVIkp+JYlTV6ISD0ZQJ4Q
+I6dOQkB/TWZyVjtiJDOQHdfNWliA6NtqaLq19wlu9L5xXjuNpY95KwR8EJXWe0+o
+Y3d2U/KxOAkXKghP2Qg1GtlPVeGC5T4p03TGI6pzKT+kHX6Rrm9wK6sM9aTquMmF
+Vok84Jg1DFnwivWC2RILR81rXi7k/+Y6MUbveFgJ9cQduqpxnmD7TjOblYu7M6zp
+YGAUxh8DRKlIMn2QsA++DBYQ6ACZvwuY8qTDLkqPDo4WqM313dsMJbyGjDdVE7EM
+PESS+RlABETpZXz8g/ycr6DIUNdlbPcmYlsBfHWDOuR2GFFTwmlv5slWS39dJv38
+E0eIe1CwdxI801Se7t7dUUS/ZF8wb6GlmxOcqGbF8eko1Z0S64IAm7/h13MRQCxI
+geQnHfGYVJ2FOimoCMEKwfa9x++RFTDW0u7spDC2uWvK/1viV8OfRppFhLr/kmKb
+18lWXuAz80DAjUDUsVqEq2MvJBJGoCJUEyjuRsLkHYRM5jYk4v50LyyR0Om73nWF
+nZBqmqNzdr7Xb9PHHdFhnEc0VvoYbrcM0RVYcEMW3YbmejM891j1d6Iv+/n/qND/
+NdebGrfWJMmFLf/iEkzTZ3/v5inW9LpWoRc94ioCjJTaEo8Rib6ARRFaJVIsmNXi
+YicFGO98D+zX+a2t9Yz6IpPajVslnOp6ScpmXgts/2XWD7oE+JgxSAqo/dLVsHgP
+Ufo=
+=pulM
+-----END PGP MESSAGE-----
+</pre></body></html>
+--Y6fyGi9SoGeH8WwRaEdC6bbBcYOedDzrQ--
--- a/chatmaild/src/chatmaild/tests/mail-data/encrypted.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/encrypted.eml
@@ -1,6 +1,6 @@
 From: {from_addr}
 To: {to_addr}
-Subject: ...
+Subject: {subject}
 Date: Sun, 15 Oct 2023 16:43:21 +0000
 Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>
 In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>
--- a/chatmaild/src/chatmaild/tests/mail-data/literal.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/literal.eml
@@ -0,0 +1,44 @@
+From: {from_addr}
+To: {to_addr}
+Subject: ...
+Date: Sun, 15 Oct 2023 16:43:21 +0000
+Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>
+In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>
+References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>
+	<Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>
+Chat-Version: 1.0
+Autocrypt: addr={from_addr}; prefer-encrypt=mutual;
+	keydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH
+	rNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID
+	FgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW
+	XQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK
+	KwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ
+	JlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP
+	IXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO
+MIME-Version: 1.0
+Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
+	boundary="YFrteb74qSXmggbOxZL9dRnhymywAi"
+
+
+--YFrteb74qSXmggbOxZL9dRnhymywAi
+Content-Description: PGP/MIME version identification
+Content-Type: application/pgp-encrypted
+
+Version: 1
+
+
+--YFrteb74qSXmggbOxZL9dRnhymywAi
+Content-Description: OpenPGP encrypted message
+Content-Disposition: inline; filename="encrypted.asc";
+Content-Type: application/octet-stream; name="encrypted.asc"
+
+-----BEGIN PGP MESSAGE-----
+
+yxJiAAAAAABIZWxsbyB3b3JsZCE=
+=1I/B
+-----END PGP MESSAGE-----
+
+
+--YFrteb74qSXmggbOxZL9dRnhymywAi--
+
+
--- a/chatmaild/src/chatmaild/tests/mail-data/mailer-daemon.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/mailer-daemon.eml
@@ -0,0 +1,46 @@
+Date: Fri, 8 Jul 1994 09:21:47 -0400
+From: Mail Delivery Subsystem <MAILER-DAEMON@example.org>
+Subject: Returned mail: User unknown
+To: <owner-ups-mib@CS.UTK.EDU>
+Auto-Submitted: auto-replied 
+MIME-Version: 1.0
+Content-Type: multipart/report; report-type=delivery-status;
+      boundary="JAA13167.773673707/CS.UTK.EDU"
+
+--JAA13167.773673707/CS.UTK.EDU
+content-type: text/plain; charset=us-ascii
+
+   ----- The following addresses had delivery problems -----
+<arathib@vnet.ibm.com>  (unrecoverable error)
+<wsnell@sdcc13.ucsd.edu>  (unrecoverable error)
+
+--JAA13167.773673707/CS.UTK.EDU
+content-type: message/delivery-status
+
+Reporting-MTA: dns; cs.utk.edu
+
+Original-Recipient: rfc822;arathib@vnet.ibm.com
+Final-Recipient: rfc822;arathib@vnet.ibm.com
+Action: failed
+Status: 5.0.0 (permanent failure)
+Diagnostic-Code: smtp;
+ 550 'arathib@vnet.IBM.COM' is not a registered gateway user
+Remote-MTA: dns; vnet.ibm.com
+
+Original-Recipient: rfc822;johnh@hpnjld.njd.hp.com
+Final-Recipient: rfc822;johnh@hpnjld.njd.hp.com
+Action: delayed
+Status: 4.0.0 (hpnjld.njd.jp.com: host name lookup failure)
+
+Original-Recipient: rfc822;wsnell@sdcc13.ucsd.edu
+Final-Recipient: rfc822;wsnell@sdcc13.ucsd.edu
+Action: failed
+Status: 5.0.0
+Diagnostic-Code: smtp; 550 user unknown
+Remote-MTA: dns; sdcc13.ucsd.edu
+
+--JAA13167.773673707/CS.UTK.EDU
+content-type: message/rfc822
+
+[original message goes here]
+--JAA13167.773673707/CS.UTK.EDU--
--- a/chatmaild/src/chatmaild/tests/mail-data/securejoin-vc-fake.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/securejoin-vc-fake.eml
@@ -0,0 +1,21 @@
+Subject: Message from {from_addr}
+From: <{from_addr}>
+To: <{to_addr}>
+Date: Sun, 15 Oct 2023 16:43:25 +0000
+Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
+Chat-Version: 1.0
+Secure-Join: vc-request
+Secure-Join-Invitenumber: RANDOM-TOKEN
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
+Content-Type: text/plain; charset=utf-8
+
+Buy viagra!
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
+
+
--- a/chatmaild/src/chatmaild/tests/mail-data/securejoin-vc.eml
+++ b/chatmaild/src/chatmaild/tests/mail-data/securejoin-vc.eml
@@ -0,0 +1,21 @@
+Subject: Message from {from_addr}
+From: <{from_addr}>
+To: <{to_addr}>
+Date: Sun, 15 Oct 2023 16:43:25 +0000
+Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
+Chat-Version: 1.0
+Secure-Join: vc-request
+Secure-Join-Invitenumber: RANDOM-TOKEN
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
+Content-Type: text/plain; charset=utf-8
+
+Secure-Join: vc-request
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
+
+
--- a/chatmaild/src/chatmaild/tests/plugin.py
+++ b/chatmaild/src/chatmaild/tests/plugin.py
@@ -1,13 +1,13 @@
-import random
-from pathlib import Path
-import os
 import importlib.resources
 import itertools
-from email.parser import BytesParser
+import os
+import random
 from email import policy
+from email.parser import BytesParser
+from pathlib import Path
+
 import pytest

-from chatmaild.database import Database
 from chatmaild.config import read_config, write_initial_config


@@ -15,8 +15,12 @@ from chatmaild.config import read_config, write_initial_config
 def make_config(tmp_path):
    inipath = tmp_path.joinpath("chatmail.ini")

-    def make_conf(mail_domain):
-        write_initial_config(inipath, mail_domain=mail_domain)
+    def make_conf(mail_domain, settings=None):
+        basedir = tmp_path.joinpath(f"vmail/{mail_domain}")
+        basedir.mkdir(parents=True, exist_ok=True)
+        overrides = settings.copy() if settings else {}
+        overrides["mailboxes_dir"] = str(basedir)
+        write_initial_config(inipath, mail_domain, overrides=overrides)
        return read_config(inipath)

    return make_conf
@@ -32,6 +36,11 @@ def maildomain(example_config):
    return example_config.mail_domain


+@pytest.fixture
+def testaddr(maildomain):
+    return f"user.name@{maildomain}"
+
+
@pytest.fixture
 def gencreds(maildomain):
    count = itertools.count()
@@ -50,13 +59,6 @@ def gencreds(maildomain):
    return lambda domain=None: next(gen(domain))


-@pytest.fixture()
-def db(tmpdir):
-    db_path = tmpdir / "passdb.sqlite"
-    print("database path:", db_path)
-    return Database(db_path)
-
-
@pytest.fixture
 def maildata(request):
    try:
@@ -67,9 +69,29 @@ def maildata(request):

    assert datadir.exists(), datadir

-    def maildata(name, from_addr, to_addr):
-        data = datadir.joinpath(name).read_text()
-        text = data.format(from_addr=from_addr, to_addr=to_addr)
-        return BytesParser(policy=policy.default).parsebytes(text.encode())
+    def maildata(name, from_addr, to_addr, subject="[...]"):
+        # Using `.read_bytes().decode()` instead of `.read_text()` to preserve newlines.
+        data = datadir.joinpath(name).read_bytes().decode()
+        text = data.format(from_addr=from_addr, to_addr=to_addr, subject=subject)
+        return BytesParser(policy=policy.SMTP).parsebytes(text.encode())

    return maildata
+
+
+@pytest.fixture
+def mockout():
+    class MockOut:
+        captured_red = []
+        captured_green = []
+        captured_plain = []
+
+        def red(self, msg):
+            self.captured_red.append(msg)
+
+        def green(self, msg):
+            self.captured_green.append(msg)
+
+        def __call__(self, msg):
+            self.captured_plain.append(msg)
+
+    return MockOut()
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -1,3 +1,5 @@
+import pytest
+
 from chatmaild.config import read_config


@@ -13,6 +15,14 @@ def test_read_config_basic(example_config):
    assert example_config.mail_domain == "chat.example.org"


+def test_read_config_basic_using_defaults(tmp_path, maildomain):
+    inipath = tmp_path.joinpath("chatmail.ini")
+    inipath.write_text(f"[params]\nmail_domain = {maildomain}")
+    example_config = read_config(inipath)
+    assert example_config.max_user_send_per_minute == 60
+    assert example_config.filtermail_smtp_port_incoming == 10081
+
+
 def test_read_config_testrun(make_config):
    config = make_config("something.testrun.org")
    assert config.mail_domain == "something.testrun.org"
@@ -23,10 +33,43 @@ def test_read_config_testrun(make_config):
    assert config.filtermail_smtp_port == 10080
    assert config.postfix_reinject_port == 10025
    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "100M"
-    assert config.delete_mails_after == "40"
+    assert config.max_mailbox_size == "500M"
+    assert config.delete_mails_after == "20"
+    assert config.delete_large_after == "7"
    assert config.username_min_length == 9
    assert config.username_max_length == 9
    assert config.password_min_length == 9
    assert "privacy@testrun.org" in config.passthrough_recipients
    assert config.passthrough_senders == []
+
+
+def test_config_userstate_paths(make_config, tmp_path):
+    config = make_config("something.testrun.org")
+    mailboxes_dir = config.mailboxes_dir
+    passdb_path = config.passdb_path
+    assert mailboxes_dir.name == "something.testrun.org"
+    assert str(passdb_path) == "/home/vmail/passdb.sqlite"
+    assert config.mail_domain == "something.testrun.org"
+    path = config.get_user("user1@something.testrun.org").maildir
+    assert not path.exists()
+    assert path == mailboxes_dir.joinpath("user1@something.testrun.org")
+
+    with pytest.raises(ValueError):
+        config.get_user("")
+
+    with pytest.raises(ValueError):
+        config.get_user(None)
+
+    with pytest.raises(ValueError):
+        config.get_user("../some@something.testrun.org").maildir
+
+    with pytest.raises(ValueError):
+        config.get_user("..").maildir
+
+    with pytest.raises(ValueError):
+        config.get_user(".")
+
+
+def test_config_max_message_size(make_config, tmp_path):
+    config = make_config("something.testrun.org", dict(max_message_size="10000"))
+    assert config.max_message_size == 10000
--- a/chatmaild/src/chatmaild/tests/test_delete_inactive_users.py
+++ b/chatmaild/src/chatmaild/tests/test_delete_inactive_users.py
@@ -0,0 +1,64 @@
+import time
+
+from chatmaild.doveauth import AuthDictProxy
+from chatmaild.expire import main as main_expire
+
+
+def test_login_timestamps(example_config):
+    testaddr = "someuser@chat.example.org"
+    user = example_config.get_user(testaddr)
+
+    # password file needs to be set because it's mtime tracks last-login time
+    user.set_password("1l2k3j1l2k3j123")
+    for i in range(10):
+        user.set_last_login_timestamp(86400 * 4 + i)
+        assert user.get_last_login_timestamp() == 86400 * 4
+
+
+def test_delete_inactive_users(example_config):
+    new = time.time()
+    old = new - (example_config.delete_inactive_users_after * 86400) - 1
+    dictproxy = AuthDictProxy(example_config)
+
+    def create_user(addr, last_login):
+        dictproxy.lookup_passdb(addr, "q9mr3faue")
+        user = example_config.get_user(addr)
+        user.maildir.joinpath("cur").mkdir()
+        user.maildir.joinpath("cur", "something").mkdir()
+        user.set_last_login_timestamp(timestamp=last_login)
+
+    # create some stale and some new accounts
+    to_remove = []
+    for i in range(150):
+        addr = f"oldold{i:03}@chat.example.org"
+        create_user(addr, last_login=old)
+        to_remove.append(addr)
+
+    remain = []
+    for i in range(5):
+        addr = f"newnew{i:03}@chat.example.org"
+        create_user(addr, last_login=new)
+        remain.append(addr)
+
+    # check pre and post-conditions for delete_inactive_users()
+
+    for addr in to_remove:
+        assert example_config.get_user(addr).maildir.exists()
+
+    main_expire(
+        args=[
+            "--remove",
+            str(example_config._inipath),
+        ]
+    )
+
+    for p in example_config.mailboxes_dir.iterdir():
+        assert not p.name.startswith("old")
+
+    for addr in to_remove:
+        assert not example_config.get_user(addr).maildir.exists()
+
+    for addr in remain:
+        userdir = example_config.get_user(addr).maildir
+        assert userdir.exists()
+        assert userdir.joinpath("password").read_text()
--- a/chatmaild/src/chatmaild/tests/test_doveauth.py
+++ b/chatmaild/src/chatmaild/tests/test_doveauth.py
@@ -1,107 +1,135 @@
 import io
 import json
-import pytest
 import queue
 import threading
 import traceback

+import pytest
+
 import chatmaild.doveauth
 from chatmaild.doveauth import (
-    get_user_data,
-    lookup_passdb,
-    handle_dovecot_request,
-    handle_dovecot_protocol,
+    AuthDictProxy,
+    is_allowed_to_create,
 )
-from chatmaild.database import DBError
+from chatmaild.newemail import create_newemail_dict


-def test_basic(db, example_config):
-    lookup_passdb(db, example_config, "asdf12345@chat.example.org", "q9mr3faue")
-    data = get_user_data(db, example_config, "asdf12345@chat.example.org")
+@pytest.fixture
+def dictproxy(example_config):
+    return AuthDictProxy(config=example_config)
+
+
+def test_basic(dictproxy, gencreds):
+    addr, password = gencreds()
+    dictproxy.lookup_passdb(addr, password)
+    data = dictproxy.lookup_userdb(addr)
    assert data
-    data2 = lookup_passdb(
-        db, example_config, "asdf12345@chat.example.org", "q9mr3jewvadsfaue"
-    )
+    data2 = dictproxy.lookup_passdb(addr, password)
    assert data == data2


-def test_dont_overwrite_password_on_wrong_login(db, example_config):
+def test_iterate_addresses(dictproxy):
+    addresses = []
+
+    for i in range(10):
+        addresses.append(f"asdf1234{i}@chat.example.org")
+        dictproxy.lookup_passdb(addresses[-1], "q9mr3faue")
+
+    res = dictproxy.iter_userdb()
+    assert set(res) == set(addresses)
+
+
+def test_invalid_username_length(example_config):
+    config = example_config
+    config.username_min_length = 6
+    config.username_max_length = 10
+    password = create_newemail_dict(config)["password"]
+    assert not is_allowed_to_create(config, f"a1234@{config.mail_domain}", password)
+    assert is_allowed_to_create(config, f"012345@{config.mail_domain}", password)
+    assert is_allowed_to_create(config, f"0123456@{config.mail_domain}", password)
+    assert is_allowed_to_create(config, f"0123456789@{config.mail_domain}", password)
+    assert not is_allowed_to_create(
+        config, f"0123456789x@{config.mail_domain}", password
+    )
+
+
+def test_dont_overwrite_password_on_wrong_login(dictproxy):
    """Test that logging in with a different password doesn't create a new user"""
-    res = lookup_passdb(
-        db, example_config, "newuser12@chat.example.org", "kajdlkajsldk12l3kj1983"
+    res = dictproxy.lookup_passdb(
+        "newuser12@chat.example.org", "kajdlkajsldk12l3kj1983"
    )
    assert res["password"]
-    res2 = lookup_passdb(db, example_config, "newuser12@chat.example.org", "kajdslqwe")
+    res2 = dictproxy.lookup_passdb("newuser12@chat.example.org", "kajdslqwe")
    # this function always returns a password hash, which is actually compared by dovecot.
    assert res["password"] == res2["password"]


-def test_nocreate_file(db, monkeypatch, tmpdir, example_config):
+def test_nocreate_file(monkeypatch, tmpdir, dictproxy):
    p = tmpdir.join("nocreate")
    p.write("")
    monkeypatch.setattr(chatmaild.doveauth, "NOCREATE_FILE", str(p))
-    lookup_passdb(
-        db, example_config, "newuser12@chat.example.org", "zequ0Aimuchoodaechik"
-    )
-    assert not get_user_data(db, example_config, "newuser12@chat.example.org")
+    dictproxy.lookup_passdb("newuser12@chat.example.org", "zequ0Aimuchoodaechik")
+    assert not dictproxy.lookup_userdb("newuser12@chat.example.org")


-def test_db_version(db):
-    assert db.get_schema_version() == 1
-
-
-def test_too_high_db_version(db):
-    with db.write_transaction() as conn:
-        conn.execute("PRAGMA user_version=%s;" % (999,))
-    with pytest.raises(DBError):
-        db.ensure_tables()
-
-
-def test_handle_dovecot_request(db, example_config):
+def test_handle_dovecot_request(dictproxy):
+    transactions = {}
    # Test that password can contain ", ', \ and /
    msg = (
        'Lshared/passdb/laksjdlaksjdlak\\\\sjdlk\\"12j\\\'3l1/k2j3123"'
        "some42123@chat.example.org\tsome42123@chat.example.org"
    )
-    res = handle_dovecot_request(msg, db, example_config)
+    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert res
    assert res[0] == "O" and res.endswith("\n")
    userdata = json.loads(res[1:].strip())
-    assert (
-        userdata["home"]
-        == "/home/vmail/mail/chat.example.org/some42123@chat.example.org"
-    )
+    assert userdata["home"].endswith("chat.example.org/some42123@chat.example.org")
    assert userdata["uid"] == userdata["gid"] == "vmail"
    assert userdata["password"].startswith("{SHA512-CRYPT}")


-def test_handle_dovecot_protocol_hello_is_skipped(db, example_config, caplog):
+def test_handle_dovecot_protocol_hello_is_skipped(example_config, caplog):
+    dictproxy = AuthDictProxy(config=example_config)
    rfile = io.BytesIO(b"H3\t2\t0\t\tauth\n")
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, db, example_config)
+    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b""
    assert not caplog.messages


-def test_handle_dovecot_protocol(db, example_config):
+def test_handle_dovecot_protocol_user_not_exists(example_config):
+    dictproxy = AuthDictProxy(config=example_config)
    rfile = io.BytesIO(
        b"H3\t2\t0\t\tauth\nLshared/userdb/foobar@chat.example.org\tfoobar@chat.example.org\n"
    )
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, db, example_config)
+    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"N\n"


-def test_50_concurrent_lookups_different_accounts(db, gencreds, example_config):
+def test_handle_dovecot_protocol_iterate(gencreds, example_config):
+    dictproxy = AuthDictProxy(config=example_config)
+    dictproxy.lookup_passdb("asdf00000@chat.example.org", "q9mr3faue")
+    dictproxy.lookup_passdb("asdf11111@chat.example.org", "q9mr3faue")
+    rfile = io.BytesIO(b"H3\t2\t0\t\tauth\nI0\t0\tshared/userdb/")
+    wfile = io.BytesIO()
+    dictproxy.loop_forever(rfile, wfile)
+    lines = wfile.getvalue().decode("ascii").split("\n")
+    assert "Oshared/userdb/asdf00000@chat.example.org\t" in lines
+    assert "Oshared/userdb/asdf11111@chat.example.org\t" in lines
+    assert not lines[2]
+
+
+def test_50_concurrent_lookups_different_accounts(gencreds, dictproxy):
    num_threads = 50
    req_per_thread = 5
    results = queue.Queue()

-    def lookup(db):
+    def lookup():
        for i in range(req_per_thread):
            addr, password = gencreds()
            try:
-                lookup_passdb(db, example_config, addr, password)
+                dictproxy.lookup_passdb(addr, password)
            except Exception:
                results.put(traceback.format_exc())
            else:
@@ -109,7 +137,7 @@ def test_50_concurrent_lookups_different_accounts(db, gencreds, example_config):

    threads = []
    for i in range(num_threads):
-        thread = threading.Thread(target=lookup, args=(db,), daemon=True)
+        thread = threading.Thread(target=lookup, daemon=True)
        threads.append(thread)

    print(f"created {num_threads} threads, starting them and waiting for results")
--- a/chatmaild/src/chatmaild/tests/test_expire.py
+++ b/chatmaild/src/chatmaild/tests/test_expire.py
@@ -0,0 +1,161 @@
+import os
+import random
+from datetime import datetime
+from fnmatch import fnmatch
+from pathlib import Path
+
+import pytest
+
+from chatmaild.expire import (
+    FileEntry,
+    MailboxStat,
+    get_file_entry,
+    iter_mailboxes,
+    os_listdir_if_exists,
+)
+from chatmaild.expire import main as expiry_main
+from chatmaild.fsreport import main as report_main
+
+
+def fill_mbox(folderdir):
+    password = folderdir.joinpath("password")
+    password.write_text("xxx")
+    folderdir.joinpath("maildirsize").write_text("xxx")
+
+    garbagedir = folderdir.joinpath("garbagedir")
+    garbagedir.mkdir()
+    garbagedir.joinpath("bimbum").write_text("hello")
+
+    create_new_messages(folderdir, ["cur/msg1"], size=500)
+    create_new_messages(folderdir, ["new/msg2"], size=600)
+
+
+def create_new_messages(basedir, relpaths, size=1000, days=0):
+    now = datetime.utcnow().timestamp()
+
+    for relpath in relpaths:
+        msg_path = Path(basedir).joinpath(relpath)
+        msg_path.parent.mkdir(parents=True, exist_ok=True)
+        msg_path.write_text("x" * size)
+        # accessed now, modified N days ago
+        os.utime(msg_path, (now, now - days * 86400))
+
+
+@pytest.fixture
+def mbox1(example_config):
+    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
+    mboxdir.mkdir()
+    fill_mbox(mboxdir)
+    return MailboxStat(mboxdir)
+
+
+def test_deltachat_folder(example_config):
+    """Test old setups that might have a .DeltaChat folder where messages also need to get removed."""
+    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
+    mboxdir.mkdir()
+    mbox2dir = mboxdir.joinpath(".DeltaChat")
+    mbox2dir.mkdir()
+    fill_mbox(mbox2dir)
+    mb = MailboxStat(mboxdir)
+    assert len(mb.messages) == 2
+
+
+def test_filentry_ordering(tmp_path):
+    l = [FileEntry(f"x{i}", size=i + 10, mtime=1000 - i) for i in range(10)]
+    sorted = list(l)
+    random.shuffle(l)
+    l.sort(key=lambda x: x.size)
+    assert l == sorted
+
+
+def test_no_mailbxoes(tmp_path, capsys):
+    assert [] == list(iter_mailboxes(str(tmp_path.joinpath("notexists")), maxnum=10))
+    out, err = capsys.readouterr()
+    assert "no mailboxes" in err
+
+
+def test_stats_mailbox(mbox1):
+    password = Path(mbox1.basedir).joinpath("password")
+    assert mbox1.last_login == password.stat().st_mtime
+    assert len(mbox1.messages) == 2
+
+    msgs = list(sorted(mbox1.messages, key=lambda x: x.size))
+    assert len(msgs) == 2
+    assert msgs[0].size == 500  # cur
+    assert msgs[1].size == 600  # new
+
+    create_new_messages(mbox1.basedir, ["large-extra"], size=1000)
+    create_new_messages(mbox1.basedir, ["index-something"], size=3)
+    mbox2 = MailboxStat(mbox1.basedir)
+    assert len(mbox2.extrafiles) == 5
+    assert mbox2.extrafiles[0].size == 1000
+
+    # cope well with mailbox dirs that have no password (for whatever reason)
+    Path(mbox1.basedir).joinpath("password").unlink()
+    mbox3 = MailboxStat(mbox1.basedir)
+    assert mbox3.last_login is None
+
+
+def test_report_no_mailboxes(example_config):
+    args = (str(example_config._inipath),)
+    report_main(args)
+
+
+def test_report(mbox1, example_config):
+    args = (str(example_config._inipath),)
+    report_main(args)
+    args = list(args) + "--days 1".split()
+    report_main(args)
+    args = list(args) + "--min-login-age 1".split()
+    report_main(args)
+    args = list(args) + "--mdir cur".split()
+    report_main(args)
+
+
+def test_expiry_cli_basic(example_config, mbox1):
+    args = (str(example_config._inipath),)
+    expiry_main(args)
+
+
+def test_expiry_cli_old_files(capsys, example_config, mbox1):
+    relpaths_old = ["cur/msg_old1", "cur/msg_old1"]
+    cutoff_days = int(example_config.delete_mails_after) + 1
+    create_new_messages(mbox1.basedir, relpaths_old, size=1000, days=cutoff_days)
+
+    relpaths_large = ["cur/msg_old_large1", "new/msg_old_large2"]
+    cutoff_days = int(example_config.delete_large_after) + 1
+    create_new_messages(
+        mbox1.basedir, relpaths_large, size=1000 * 300, days=cutoff_days
+    )
+
+    create_new_messages(mbox1.basedir, ["cur/shouldstay"], size=1000 * 300, days=1)
+
+    args = str(example_config._inipath), "--remove", "-v"
+    expiry_main(args)
+    out, err = capsys.readouterr()
+
+    allpaths = relpaths_old + relpaths_large + ["maildirsize"]
+    for path in allpaths:
+        for line in err.split("\n"):
+            if fnmatch(line, f"removing*{path}"):
+                break
+        else:
+            if path != "new/msg_old_large2":
+                pytest.fail(f"failed to remove {path}\n{err}")
+
+    assert "shouldstay" not in err
+
+
+def test_get_file_entry(tmp_path):
+    assert get_file_entry(str(tmp_path.joinpath("123123"))) is None
+    p = tmp_path.joinpath("x")
+    p.write_text("hello")
+    entry = get_file_entry(str(p))
+    assert entry.size == 5
+    assert entry.mtime
+
+
+def test_os_listdir_if_exists(tmp_path):
+    tmp_path.joinpath("x").write_text("hello")
+    assert len(os_listdir_if_exists(str(tmp_path))) == 1
+    assert len(os_listdir_if_exists(str(tmp_path.joinpath("123123")))) == 0
--- a/chatmaild/src/chatmaild/tests/test_filedict.py
+++ b/chatmaild/src/chatmaild/tests/test_filedict.py
@@ -1,4 +1,6 @@
-from chatmaild.filedict import FileDict
+import threading
+
+from chatmaild.filedict import FileDict, write_bytes_atomic


 def test_basic(tmp_path):
@@ -17,3 +19,21 @@ def test_bad_marshal_file(tmp_path, caplog):
    fdict1.path.write_bytes(b"l12k3l12k3l")
    assert fdict1.read() == {}
    assert "corrupt" in caplog.records[0].msg
+
+
+def test_write_bytes_atomic_concurrent(tmp_path):
+    p = tmp_path.joinpath("somefile.ext")
+    write_bytes_atomic(p, b"hello")
+
+    threads = []
+    for i in range(30):
+        content = f"hello{i}".encode("ascii")
+        t = threading.Thread(target=lambda: write_bytes_atomic(p, content))
+        t.start()
+        threads.append(t)
+
+    for t in threads:
+        t.join()
+
+    assert p.read_text().strip() != "hello"
+    assert len(list(p.parent.iterdir())) == 1
--- a/chatmaild/src/chatmaild/tests/test_filtermail.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail.py
@@ -1,12 +1,14 @@
-from chatmaild.filtermail import (
-    check_encrypted,
-    BeforeQueueHandler,
-    SendRateLimiter,
-    check_mdn,
-)
-
 import pytest

+from chatmaild.filtermail import (
+    IncomingBeforeQueueHandler,
+    OutgoingBeforeQueueHandler,
+    SendRateLimiter,
+    check_armored_payload,
+    check_encrypted,
+    is_securejoin,
+)
+

@pytest.fixture
 def maildomain():
@@ -17,7 +19,13 @@ def maildomain():
@pytest.fixture
 def handler(make_config, maildomain):
    config = make_config(maildomain)
-    return BeforeQueueHandler(config)
+    return OutgoingBeforeQueueHandler(config)
+
+
+@pytest.fixture
+def inhandler(make_config, maildomain):
+    config = make_config(maildomain)
+    return IncomingBeforeQueueHandler(config)


 def test_reject_forged_from(maildata, gencreds, handler):
@@ -28,14 +36,14 @@ def test_reject_forged_from(maildata, gencreds, handler):
    # test that the filter lets good mail through
    to_addr = gencreds()[0]
    env.content = maildata(
-        "plain.eml", from_addr=env.mail_from, to_addr=to_addr
+        "encrypted.eml", from_addr=env.mail_from, to_addr=to_addr
    ).as_bytes()

    assert not handler.check_DATA(envelope=env)

    # test that the filter rejects forged mail
    env.content = maildata(
-        "plain.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
+        "encrypted.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
    ).as_bytes()
    error = handler.check_DATA(envelope=env)
    assert "500" in error
@@ -54,43 +62,43 @@ def test_filtermail_no_encryption_detection(maildata):
    assert not check_encrypted(msg)


+def test_filtermail_securejoin_detection(maildata):
+    msg = maildata(
+        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
+    )
+    assert is_securejoin(msg)
+
+    msg = maildata(
+        "securejoin-vc-fake.eml",
+        from_addr="some@example.org",
+        to_addr="other@example.org",
+    )
+    assert not is_securejoin(msg)
+
+
 def test_filtermail_encryption_detection(maildata):
-    msg = maildata("encrypted.eml", from_addr="1@example.org", to_addr="2@example.org")
+    msg = maildata(
+        "encrypted.eml",
+        from_addr="1@example.org",
+        to_addr="2@example.org",
+        subject="Subject does not matter, will be replaced anyway",
+    )
    assert check_encrypted(msg)

-    # if the subject is not "..." it is not considered ac-encrypted
-    msg.replace_header("Subject", "Click this link")
+
+def test_filtermail_no_literal_packets(maildata):
+    """Test that literal OpenPGP packet is not considered an encrypted mail."""
+    msg = maildata("literal.eml", from_addr="1@example.org", to_addr="2@example.org")
    assert not check_encrypted(msg)


-def test_filtermail_is_mdn(maildata, gencreds, handler):
+def test_filtermail_unencrypted_mdn(maildata, gencreds):
+    """Unencrypted MDNs should not pass."""
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
-    msg = maildata("mdn.eml", from_addr, to_addr)
+    msg = maildata("mdn.eml", from_addr=from_addr, to_addr=to_addr)

-    class env:
-        mail_from = from_addr
-        rcpt_tos = [to_addr]
-        content = msg.as_bytes()
-
-    assert check_mdn(msg, env)
-    print(msg.as_string())
-
-    assert not handler.check_DATA(env)
-
-
-def test_filtermail_to_multiple_recipients_no_mdn(maildata, gencreds):
-    from_addr = gencreds()[0]
-    to_addr = gencreds()[0] + ".other"
-    thirdaddr = gencreds()[0]
-    msg = maildata("mdn.eml", from_addr, to_addr)
-
-    class env:
-        mail_from = from_addr
-        rcpt_tos = [to_addr, thirdaddr]
-        content = msg.as_bytes()
-
-    assert not check_mdn(msg, env)
+    assert not check_encrypted(msg)


 def test_send_rate_limiter():
@@ -105,13 +113,13 @@ def test_send_rate_limiter():
            break


-def test_excempt_privacy(maildata, gencreds, handler):
+def test_cleartext_excempt_privacy(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@testrun.org"
    handler.config.passthrough_recipients = [to_addr]
    false_to = "privacy@something.org"

-    msg = maildata("plain.eml", from_addr, to_addr)
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)

    class env:
        mail_from = from_addr
@@ -126,15 +134,102 @@ def test_excempt_privacy(maildata, gencreds, handler):
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()

-    assert "500" in handler.check_DATA(envelope=env2)
+    assert "523" in handler.check_DATA(envelope=env2)


-def test_passthrough_senders(gencreds, handler, maildata):
+def test_cleartext_self_send_autocrypt_setup_message(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = from_addr
+
+    msg = maildata("asm.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    assert not handler.check_DATA(envelope=env)
+
+
+def test_cleartext_send_fails(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = gencreds()[0]
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    res = handler.check_DATA(envelope=env)
+    assert "523 Encryption Needed" in res
+
+
+def test_cleartext_incoming_fails(maildata, gencreds, inhandler):
+    from_addr = gencreds()[0]
+    to_addr, password = gencreds()
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    user = inhandler.config.get_user(to_addr)
+    user.set_password(password)
+    res = inhandler.check_DATA(envelope=env)
+    assert "523 Encryption Needed" in res
+
+    user.allow_incoming_cleartext()
+    assert not inhandler.check_DATA(envelope=env)
+
+
+def test_cleartext_incoming_mailer_daemon(maildata, gencreds, inhandler):
+    from_addr = "mailer-daemon@example.org"
+    to_addr = gencreds()[0]
+
+    msg = maildata("mailer-daemon.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    assert not inhandler.check_DATA(envelope=env)
+
+
+def test_cleartext_passthrough_domains(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = "privacy@x.y.z"
+    handler.config.passthrough_recipients = ["@x.y.z"]
+    false_to = "something@x.y"
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    # assert that None/no error is returned
+    assert not handler.check_DATA(envelope=env)
+
+    class env2:
+        mail_from = from_addr
+        rcpt_tos = [to_addr, false_to]
+        content = msg.as_bytes()
+
+    assert "523" in handler.check_DATA(envelope=env2)
+
+
+def test_cleartext_passthrough_senders(gencreds, handler, maildata):
    acc1 = gencreds()[0]
    to_addr = "recipient@something.org"
    handler.config.passthrough_senders = [acc1]

-    msg = maildata("plain.eml", acc1, to_addr)
+    msg = maildata("plain.eml", from_addr=acc1, to_addr=to_addr)

    class env:
        mail_from = acc1
@@ -143,3 +238,124 @@ def test_passthrough_senders(gencreds, handler, maildata):

    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
+
+
+def test_check_armored_payload():
+    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
+    comment = "Version: ProtonMail\r\n"
+    payload = """\r
+wU4DSqFx0d1yqAoSAQdAYkX/ZN/Az4B0k7X47zKyWrXxlDEdS3WOy0Yf2+GJTFgg\r
+Zk5ql0mLG8Ze+ZifCS0XMO4otlemSyJ0K1ZPdFMGzUDBTgNqzkFabxXoXRIBB0AM\r
+755wlX41X6Ay3KhnwBq7yEqSykVH6F3x11iHPKraLCAGZoaS8bKKNy/zg5slda1X\r
+pt14b4aC1VwtSnYhcRRELNLD/wE2TFif+g7poMmFY50VyMPLYjVP96Z5QCT4+z4H\r
+Ikh/pRRN8S3JNMrRJHc6prooSJmLcx47Y5un7VFy390MsJ+LiUJuQMDdYWRAinfs\r
+Ebm89Ezjm7F03qbFPXE0X4ZNzVXS/eKO0uhJQdiov/vmbn41rNtHmNpqjaO0vi5+\r
+sS9tR7yDUrIXiCUCN78eBLVioxtktsPZm5cDORbQWzv+7nmCEz9/JowCUcBVdCGn\r
+1ofOaH82JCAX/cRx08pLaDNj6iolVBsi56Dd+2bGxJOZOG2AMcEyz0pXY0dOAJCD\r
+iUThcQeGIdRnU3j8UBcnIEsjLu2+C+rrwMZQESMWKnJ0rnqTk0pK5kXScr6F/L0L\r
+UE49ccIexNm3xZvYr5drszr6wz3Tv5fdue87P4etBt90gF/Vzknck+g1LLlkzZkp\r
+d8dI0k2tOSPjUbDPnSy1x+X73WGpPZmj0kWT+RGvq0nH6UkJj3AQTG2qf1T8jK+3\r
+rTp3LR9vDkMwDjX4R8SA9c0wdnUzzr79OYQC9lTnzcx+fM6BBmgQ2GrS33jaFLp7\r
+L6/DFpCl5zhnPjM/2dKvMkw/Kd6XS/vjwsO405FQdjSDiQEEAZA+ZvAfcjdccbbU\r
+yCO+x0QNdeBsufDVnh3xvzuWy4CICdTQT4s1AWRPCzjOj+SGmx5WqCLWfsd8Ma0+\r
+w/C7SfTYu1FDQILLM+llpq1M/9GPley4QZ8JQjo262AyPXsPF/OW48uuZz0Db1xT\r
+Yh4iHBztj4VSdy7l2+IyaIf7cnL4EEBFxv/MwmVDXvDlxyvfAfIsd3D9SvJESzKZ\r
+VWDYwaocgeCN+ojKu1p885lu1EfRbX3fr3YO02K5/c2JYDkc0Py0W3wUP/J1XUax\r
+pbKpzwlkxEgtmzsGqsOfMJqBV3TNDrOA2uBsa+uBqP5MGYLZ49S/4v/bW9I01Cr1\r
+D2ZkV510Y1Vgo66WlP8mRqOTyt/5WRhPD+MxXdk67BNN/PmO6tMlVoJDuk+XwWPR\r
+t2TvNaND/yabT9eYI55Og4fzKD6RIjouUX8DvKLkm+7aXxVs2uuLQ3Jco3O82z55\r
+dbShU1jYsrw9oouXUz06MHPbkdhNbF/2hfhZ2qA31sNeovJw65iUv7sDKX3LVWgJ\r
+10jlywcDwqlU8CO7WC9lGixYTbnOkYZpXCGEl8e6Jbs79l42YFo4ogYpFK1NXFhV\r
+kOXRmDf/wmfj+c/ld3L2PkvwlgofhCudOQknZbo3ub1gjiTn7L+lMGHIj/3suMIl\r
+ID4EUxAXScIM1ZEz2fjtW5jATlqYcLjLTbf/olw6HFyPNH+9IssqXeZNKnGwPUB9\r
+3lTXsg0tpzl+x7F/2WjEw1DSNhjC0KnHt1vEYNMkUGDGFdN9y3ERLqX/FIgiASUb\r
+bTvAVupnAK3raBezGmhrs6LsQtLS9P0VvQiLU3uDhMqw8Z4SISLpcD+NnVBHzQqm\r
+6W5Qn/8xsCL6av18yUVTi2G3igt3QCNoYx9evt2ZcIkNoyyagUVjfZe5GHXh8Dnz\r
+GaBXW/hg3HlXLRGaQu4RYCzBMJILcO25OhZOg6jbkCLiEexQlm2e9krB5cXR49Al\r
+UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
+=b5Kp\r
+-----END PGP MESSAGE-----\r
+\r
+\r
+"""
+
+    commented_payload = prefix + comment + payload
+    assert check_armored_payload(commented_payload, outgoing=False) == True
+    assert check_armored_payload(commented_payload, outgoing=True) == False
+
+    payload = prefix + payload
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+HELLOWORLD
+-----END PGP MESSAGE-----\r
+\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload, outgoing=True) == False
+
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+=njUN
+-----END PGP MESSAGE-----\r
+\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload, outgoing=True) == False
+
+    # Test payload using partial body length
+    # as generated by GopenPGP.
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+wV4DdCVjRfOT3TQSAQdAY5+pjT6mlCxPGdR3be4w7oJJRUGIPI/Vnh+mJxGSm34w\r
+LNlVc89S1g22uQYFif2sUJsQWbpoHpNkuWpkSgOaHmNvrZiY/YU5iv+cZ3LbmtUG\r
+0uoBisSHh9O1c+5sYZSbrvYZ1NOwlD7Fv/U5/Mw4E5+CjxfdgNGp5o3DDddzPK78\r
+jseDhdSXxnaiIJC93hxNX6R1RPt3G2gukyzx69wciPQShcF8zf3W3o75Ed7B8etV\r
+QEeB16xzdFhKa9JxdjTu3osgCs21IO7wpcFkjc7nZzlW6jPnELJJaNmv4yOOCjMp\r
+6YAkaN/BkL+jHTznHDuDsT5ilnTXpwHDU1Cm9PIx/KFcNCQnIB+2DcdIHPHUH1ci\r
+jvqoeXAVWjKXEjS7PqPFuP/xGbrWG2ugs+toXJOKbgRkExvKs1dwPFKrgghvCVbW\r
+AcKejQKAPArLwpkA7aD875TZQShvGt74fNs45XBlGOYOnNOAJ1KAmzrXLIDViyyB\r
+kDsmTBk785xofuCkjBpXSe6vsMprPzCteDfaUibh8FHeJjucxPerwuOPEmnogNaf\r
+YyL4+iy8H8I9/p7pmUqILprxTG0jTOtlk0bTVzeiF56W1xbtSEMuOo4oFbQTyOM2\r
+bKXaYo774Jm+rRtKAnnI2dtf9RpK19cog6YNzfYjesLKbXDsPZbN5rmwyFiCvvxC\r
+kQ6JLob+B2fPdY2gzy7LypxktS8Zi1HJcWDHJGVmQodaDLqKUObb4M26bXDe6oxI\r
+NS8PJz5exVbM3KhZnUOEn6PJRBBf5a/ZqxlhZPcQo/oBuhKpBRpO5kSDwPIUByu3\r
+UlXLSkpMqe9pUarAOEuQjfl2RVY7U+RrQYp4YP5keMO+i8NCefAFbowTTufO1JIq\r
+2nVgCi/QVnxZyEc9OYt/8AE3g4cdojE+vsSDifZLSWYIetpfrohHv3dT3StD1QRG\r
+0QE6qq6oKpg/IL0cjvuX4c7a7bslv2fXp8t75y37RU6253qdIebhxc/cRhPbc/yu\r
+p0YLyD4SrvKTLP2ZV95jT4IPEpqm4AN3QmiOzdtqR2gLyb62L8QfqI/FdwsIiRiM\r
+hqydwoqt/lfSqG1WKPh+6EkMkH+TDiCC1BQdbN1MNcyUtcjb35PR2c8Ld2TF3guA\r
+jLIqMt/Vb7hBoMb2FcsOYY25ka9oV62OwgKWLXnFzk+modMR5fzb4kxVVAYEqP+D\r
+T5KO1Vs76v1fyPGOq6BbBCvLwTqe/e6IZInJles4v5jrhnLcGKmNGivCUDe6X6NY\r
+UKNt5RsZllwDQpaAb5dMNhyrk8SgIE7TBI7rvqIdUCE52Vy+0JDxFg5olRpFUfO6\r
+/MyTW3Yo/ekk/npHr7iYYqJTCc21bDGLWQcIo/XO7WPxrKNWGBNPFnkRdw0MaKr4\r
+cEM3V8NFnSEpC12xA+RX/CezuJtwXZK5MpG76eYqMO6qyC+c25YcFecEufDZDxx\r
+ZLqRszVRyxyWPtk/oIeQK2v9wOqY6N9/ff01gHz69vqYqN5bUw/QKZsmx1zW+gPw\r
+6x2tDK2BHeYl182gCbhlKISRFwCtbjqZSkiKWao/VtygHkw0fK34avJuyQ/X9YaN\r
+BRy+7Lf3VA53pnB5WJ1xwRXN8VDvmZeXzv2krHveCMemj0OjnRoCLu117xN0A5m9\r
+Fm/RoDix5PolDHtWTtr2m1n2hp2LHnj8at9lFEd0SKhAYHVL9KjzycwWODZRXt+x\r
+zGDDuooEeTvdY5NLyKcl4gETz1ZP4Ez5jGGjhPSwSpq1mU7UaJ9ZXXdr4KHyifW6\r
+ggNzNsGhXTap7IWZpTtqXABydfiBshmH2NjqtNDwBweJVSgP10+r0WhMWlaZs6xl\r
+V3o5yskJt6GlkwpJxZrTvN6Tiww/eW7HFV6NGf7IRSWY5tJc/iA7/92tOmkdvJ1q\r
+myLbG7cJB787QjplEyVe2P/JBO6xYvbkJLf9Q+HaviTO25rugRSrYsoKMDfO8VlQ\r
+1CcnTPVtApPZJEQzAWJEgVAM8uIlkqWJJMgyWT34sTkdBeCUFGloXQFs9Yxd0AGf\r
+/zHEkYZSTKpVSvAIGu4=\r
+=6iHb\r
+-----END PGP MESSAGE-----\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
--- a/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
@@ -0,0 +1,78 @@
+import smtplib
+import subprocess
+import sys
+
+import pytest
+
+
+@pytest.fixture
+def smtpserver():
+    from pytest_localserver import smtp
+
+    server = smtp.Server("127.0.0.1")
+    server.start()
+    yield server
+    server.stop()
+
+
+@pytest.fixture
+def make_popen(request):
+    def popen(cmdargs, stdout=subprocess.PIPE, stderr=subprocess.PIPE, **kw):
+        p = subprocess.Popen(
+            cmdargs,
+            stdout=subprocess.PIPE,
+            stderr=subprocess.PIPE,
+        )
+
+        def fin():
+            p.terminate()
+            out, err = p.communicate()
+            print(out.decode("ascii"))
+            print(err.decode("ascii"), file=sys.stderr)
+
+        request.addfinalizer(fin)
+        return p
+
+    return popen
+
+
+@pytest.mark.parametrize("filtermail_mode", ["outgoing", "incoming"])
+def test_one_mail(
+    make_config, make_popen, smtpserver, maildata, filtermail_mode, monkeypatch
+):
+    monkeypatch.setenv("PYTHONUNBUFFERED", "1")
+    smtp_inject_port = 20025
+    if filtermail_mode == "outgoing":
+        settings = dict(
+            postfix_reinject_port=smtpserver.port,
+            filtermail_smtp_port=smtp_inject_port,
+        )
+    else:
+        settings = dict(
+            postfix_reinject_port_incoming=smtpserver.port,
+            filtermail_smtp_port_incoming=smtp_inject_port,
+        )
+
+    config = make_config("example.org", settings=settings)
+    path = str(config._inipath)
+
+    popen = make_popen(["filtermail", path, filtermail_mode])
+    line = popen.stderr.readline().strip()
+    if b"loop" not in line:
+        print(line.decode("ascii"), file=sys.stderr)
+        pytest.fail("starting filtermail failed")
+
+    addr = f"user1@{config.mail_domain}"
+    config.get_user(addr).set_password("l1k2j3l1k2j3l")
+
+    # send encrypted mail
+    data = str(maildata("encrypted.eml", from_addr=addr, to_addr=addr))
+    client = smtplib.SMTP("localhost", smtp_inject_port)
+    client.sendmail(addr, [addr], data)
+    assert len(smtpserver.outbox) == 1
+
+    # send un-encrypted mail that errors
+    data = str(maildata("fake-encrypted.eml", from_addr=addr, to_addr=addr))
+    with pytest.raises(smtplib.SMTPDataError) as e:
+        client.sendmail(addr, [addr], data)
+    assert e.value.smtp_code == 523
--- a/chatmaild/src/chatmaild/tests/test_lastlogin.py
+++ b/chatmaild/src/chatmaild/tests/test_lastlogin.py
@@ -0,0 +1,38 @@
+import time
+
+from chatmaild.doveauth import AuthDictProxy
+from chatmaild.lastlogin import (
+    LastLoginDictProxy,
+)
+
+
+def test_handle_dovecot_request_last_login(testaddr, example_config):
+    dictproxy = LastLoginDictProxy(config=example_config)
+
+    authproxy = AuthDictProxy(config=example_config)
+    authproxy.lookup_passdb(testaddr, "1l2k3j1l2k3jl123")
+
+    dictproxy_transactions = {}
+
+    # Begin transaction
+    tx = "1111"
+    msg = f"B{tx}\t{testaddr}"
+    res = dictproxy.handle_dovecot_request(msg, dictproxy_transactions)
+    assert not res
+    assert dictproxy_transactions == {tx: dict(addr=testaddr, res="O\n")}
+
+    # set last-login info for user
+    user = dictproxy.config.get_user(testaddr)
+    timestamp = int(time.time())
+    msg = f"S{tx}\tshared/last-login/{testaddr}\t{timestamp}"
+    res = dictproxy.handle_dovecot_request(msg, dictproxy_transactions)
+    assert not res
+    assert len(dictproxy_transactions) == 1
+    read_timestamp = user.get_last_login_timestamp()
+    assert read_timestamp == timestamp // 86400 * 86400
+
+    # finish transaction
+    msg = f"C{tx}"
+    res = dictproxy.handle_dovecot_request(msg, dictproxy_transactions)
+    assert res == "O\n"
+    assert len(dictproxy_transactions) == 0
--- a/chatmaild/src/chatmaild/tests/test_metadata.py
+++ b/chatmaild/src/chatmaild/tests/test_metadata.py
@@ -1,12 +1,12 @@
 import io
-import pytest
-import requests
 import time

+import pytest
+import requests
+
 from chatmaild.metadata import (
-    handle_dovecot_request,
-    handle_dovecot_protocol,
    Metadata,
+    MetadataDictProxy,
 )
 from chatmaild.notifier import (
    Notifier,
@@ -30,8 +30,8 @@ def metadata(tmp_path):


@pytest.fixture
-def testaddr():
-    return "user.name@example.org"
+def dictproxy(notifier, metadata):
+    return MetadataDictProxy(notifier=notifier, metadata=metadata)


@pytest.fixture
@@ -88,51 +88,51 @@ def test_notifier_remove_without_set(metadata, testaddr):
    assert not metadata.get_tokens_for_addr(testaddr)


-def test_handle_dovecot_request_lookup_fails(notifier, metadata, testaddr):
-    res = handle_dovecot_request(
-        f"Lpriv/123/chatmail\t{testaddr}", {}, notifier, metadata
+def test_handle_dovecot_request_lookup_fails(dictproxy, testaddr):
+    transactions = {}
+    res = dictproxy.handle_dovecot_request(
+        f"Lpriv/123/chatmail\t{testaddr}", transactions
    )
    assert res == "N\n"


-def test_handle_dovecot_request_happy_path(notifier, metadata, testaddr, token):
+def test_handle_dovecot_request_happy_path(dictproxy, testaddr, token):
+    metadata = dictproxy.metadata
    transactions = {}
+    notifier = dictproxy.notifier

    # set device token in a transaction
    tx = "1111"
    msg = f"B{tx}\t{testaddr}"
-    res = handle_dovecot_request(msg, transactions, notifier, metadata)
+    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert not res and not metadata.get_tokens_for_addr(testaddr)
    assert transactions == {tx: dict(addr=testaddr, res="O\n")}

    msg = f"S{tx}\tpriv/guid00/devicetoken\t{token}"
-    res = handle_dovecot_request(msg, transactions, notifier, metadata)
+    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert not res
    assert len(transactions) == 1
    assert metadata.get_tokens_for_addr(testaddr) == [token]

    msg = f"C{tx}"
-    res = handle_dovecot_request(msg, transactions, notifier, metadata)
+    res = dictproxy.handle_dovecot_request(msg, transactions)
    assert res == "O\n"
    assert len(transactions) == 0
    assert metadata.get_tokens_for_addr(testaddr) == [token]

    # trigger notification for incoming message
    tx2 = "2222"
-    assert (
-        handle_dovecot_request(f"B{tx2}\t{testaddr}", transactions, notifier, metadata)
-        is None
-    )
+    assert dictproxy.handle_dovecot_request(f"B{tx2}\t{testaddr}", transactions) is None
    msg = f"S{tx2}\tpriv/guid00/messagenew"
-    assert handle_dovecot_request(msg, transactions, notifier, metadata) is None
+    assert dictproxy.handle_dovecot_request(msg, transactions) is None
    queue_item = notifier.retry_queues[0].get()[1]
    assert queue_item.token == token
-    assert handle_dovecot_request(f"C{tx2}", transactions, notifier, metadata) == "O\n"
+    assert dictproxy.handle_dovecot_request(f"C{tx2}", transactions) == "O\n"
    assert not transactions
    assert queue_item.path.exists()


-def test_handle_dovecot_protocol_set_devicetoken(metadata, notifier):
+def test_handle_dovecot_protocol_set_devicetoken(dictproxy):
    rfile = io.BytesIO(
        b"\n".join(
            [
@@ -144,12 +144,12 @@ def test_handle_dovecot_protocol_set_devicetoken(metadata, notifier):
        )
    )
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier, metadata)
+    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"O\n"
-    assert metadata.get_tokens_for_addr("user@example.org") == ["01234"]
+    assert dictproxy.metadata.get_tokens_for_addr("user@example.org") == ["01234"]


-def test_handle_dovecot_protocol_set_get_devicetoken(metadata, notifier):
+def test_handle_dovecot_protocol_set_get_devicetoken(dictproxy):
    rfile = io.BytesIO(
        b"\n".join(
            [
@@ -161,19 +161,19 @@ def test_handle_dovecot_protocol_set_get_devicetoken(metadata, notifier):
        )
    )
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier, metadata)
-    assert metadata.get_tokens_for_addr("user@example.org") == ["01234"]
+    dictproxy.loop_forever(rfile, wfile)
+    assert dictproxy.metadata.get_tokens_for_addr("user@example.org") == ["01234"]
    assert wfile.getvalue() == b"O\n"

    rfile = io.BytesIO(
        b"\n".join([b"HELLO", b"Lpriv/0123/devicetoken\tuser@example.org"])
    )
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier, metadata)
+    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"O01234\n"


-def test_handle_dovecot_protocol_iterate(metadata, notifier):
+def test_handle_dovecot_protocol_iterate(dictproxy):
    rfile = io.BytesIO(
        b"\n".join(
            [
@@ -183,7 +183,7 @@ def test_handle_dovecot_protocol_iterate(metadata, notifier):
        )
    )
    wfile = io.BytesIO()
-    handle_dovecot_protocol(rfile, wfile, notifier, metadata)
+    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"\n"


@@ -242,6 +242,22 @@ def test_requeue_removes_tmp_files(notifier, metadata, testaddr, caplog):
    assert queue_item.addr == testaddr


+def test_requeue_removes_invalid_files(notifier, metadata, testaddr, caplog):
+    metadata.add_token_to_addr(testaddr, "01234")
+    notifier.new_message_for_addr(testaddr, metadata)
+    # empty/invalid files should be ignored
+    p = notifier.queue_dir.joinpath("1203981203")
+    p.touch()
+    notifier2 = notifier.__class__(notifier.queue_dir)
+    notifier2.requeue_persistent_queue_items()
+    assert "spurious" in caplog.records[0].msg
+    assert not p.exists()
+    assert notifier2.retry_queues[0].qsize() == 1
+    when, queue_item = notifier2.retry_queues[0].get()
+    assert when <= int(time.time())
+    assert queue_item.addr == testaddr
+
+
 def test_start_and_stop_notification_threads(notifier, testaddr):
    threads = notifier.start_notification_threads(None)
    for retry_num, threadlist in threads.items():
@@ -296,3 +312,18 @@ def test_persistent_queue_items(tmp_path, testaddr, token):
    item2.delete()
    assert not item2.path.exists()
    assert not queue_item < item2 and not item2 < queue_item
+
+
+def test_iroh_relay(dictproxy):
+    rfile = io.BytesIO(
+        b"\n".join(
+            [
+                b"H",
+                b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org",
+            ]
+        )
+    )
+    wfile = io.BytesIO()
+    dictproxy.iroh_relay = "https://example.org/"
+    dictproxy.loop_forever(rfile, wfile)
+    assert wfile.getvalue() == b"Ohttps://example.org/\n"
--- a/chatmaild/src/chatmaild/tests/test_metrics.py
+++ b/chatmaild/src/chatmaild/tests/test_metrics.py
@@ -2,15 +2,23 @@ from chatmaild.metrics import main


 def test_main(tmp_path, capsys):
+    paths = []
    for x in ("ci-asllkj", "ac_12l3kj", "qweqwe", "ci-l1k2j31l2k3"):
-        tmp_path.joinpath(x).mkdir()
+        p = tmp_path.joinpath(x)
+        p.mkdir()
+        p.joinpath("cur").mkdir()
+        paths.append(p)
+
+    tmp_path.joinpath("nomailbox").mkdir()
+
    main(tmp_path)
    out, _ = capsys.readouterr()
    d = {}
    for line in out.split("\n"):
-        if line.strip():
-            name, num, _ = line.split()
+        if line.strip() and not line.startswith("#"):
+            name, num = line.split()
            d[name] = int(num)

    assert d["accounts"] == 4
    assert d["ci_accounts"] == 3
+    assert d["nonci_accounts"] == 1
--- a/chatmaild/src/chatmaild/tests/test_migrate_db.py
+++ b/chatmaild/src/chatmaild/tests/test_migrate_db.py
@@ -0,0 +1,67 @@
+import sqlite3
+
+from chatmaild.migrate_db import migrate_from_db_to_maildir
+
+
+def test_migration_not_exists(tmp_path, example_config):
+    example_config.passdb_path = tmp_path.joinpath("sqlite")
+
+
+def test_migration(tmp_path, example_config, caplog):
+    passdb_path = tmp_path.joinpath("passdb.sqlite")
+    uri = f"file:{passdb_path}?mode=rwc"
+    sqlconn = sqlite3.connect(uri, timeout=60, uri=True)
+    sqlconn.execute(
+        """
+        CREATE TABLE users (
+            addr TEXT PRIMARY KEY,
+            password TEXT,
+            last_login INTEGER
+        )
+    """
+    )
+    all = {}
+
+    for i in range(500):
+        values = (f"somsom{i:03}@example.org", f"passwo{i:03}", i * 86400)
+        sqlconn.execute(
+            """
+            INSERT INTO users (addr, password, last_login)
+            VALUES (?, ?, ?)""",
+            values,
+        )
+        all[values[0]] = values[1:]
+
+    for i in range(500):
+        values = (f"pompom{i:03}@example.org", f"wopass{i:03}", "")
+        sqlconn.execute(
+            """
+            INSERT INTO users (addr, password, last_login)
+            VALUES (?, ?, ?)""",
+            values,
+        )
+        all[values[0]] = values[1:]
+
+    sqlconn.commit()
+    sqlconn.close()
+
+    assert passdb_path.stat().st_size > 10000
+
+    example_config.passdb_path = passdb_path
+
+    assert not caplog.records
+
+    migrate_from_db_to_maildir(example_config, chunking=500)
+    assert len(caplog.records) > 3
+
+    for path in example_config.mailboxes_dir.iterdir():
+        if "@" not in path.name:
+            continue
+        password, last_login = all.pop(path.name)
+        user = example_config.get_user(path.name)
+        if last_login:
+            assert user.get_last_login_timestamp() == last_login
+        assert password == user.get_userdb_dict()["password"]
+
+    assert not all
+    assert not example_config.passdb_path.exists()
--- a/chatmaild/src/chatmaild/tests/test_user.py
+++ b/chatmaild/src/chatmaild/tests/test_user.py
@@ -0,0 +1,56 @@
+def test_login_timestamp(testaddr, example_config):
+    user = example_config.get_user(testaddr)
+    user.set_password("someeqkjwelkqwjleqwe")
+    user.set_last_login_timestamp(100000)
+    assert user.get_last_login_timestamp() == 86400
+
+    user.set_last_login_timestamp(200000)
+    assert user.get_last_login_timestamp() == 86400 * 2
+
+
+def test_get_user_dict_not_set(testaddr, example_config, caplog):
+    user = example_config.get_user(testaddr)
+    assert not caplog.records
+    assert user.get_userdb_dict() == {}
+    assert len(caplog.records) == 0
+
+    user.set_password("")
+    assert user.get_userdb_dict() == {}
+    assert len(caplog.records) == 1
+
+
+def test_get_user_dict(make_config, tmp_path):
+    config = make_config("something.testrun.org")
+    addr = "user1@something.org"
+    user = config.get_user(addr)
+    enc_password = "l1k2j31lk2j3l1k23j123"
+    user.set_password(enc_password)
+    data = user.get_userdb_dict()
+    assert addr in str(data["home"])
+    assert data["uid"] == "vmail"
+    assert data["gid"] == "vmail"
+    assert data["password"] == enc_password
+
+
+def test_no_mailboxes_dir(testaddr, example_config, tmp_path):
+    p = tmp_path.joinpath("a", "mailboxes")
+    example_config.mailboxes_dir = p
+
+    user = example_config.get_user(testaddr)
+    user.set_password("someeqkjwelkqwjleqwe")
+    user.set_last_login_timestamp(100000)
+    assert user.get_last_login_timestamp() == 86400
+
+
+def test_set_get_cleartext_flag(testaddr, example_config, tmp_path):
+    p = tmp_path.joinpath("a", "mailboxes")
+    example_config.mailboxes_dir = p
+
+    user = example_config.get_user(testaddr)
+    user.set_password("someeqkjwelkqwjleqwe")
+    user.set_last_login_timestamp(100000)
+    assert user.get_last_login_timestamp() == 86400
+
+    assert not user.is_incoming_cleartext_ok()
+    user.allow_incoming_cleartext()
+    assert user.is_incoming_cleartext_ok()
--- a/chatmaild/src/chatmaild/turnserver.py
+++ b/chatmaild/src/chatmaild/turnserver.py
@@ -0,0 +1,9 @@
+#!/usr/bin/env python3
+import socket
+
+
+def turn_credentials() -> str:
+    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
+        client_socket.connect("/run/chatmail-turn/turn.socket")
+        with client_socket.makefile("rb") as file:
+            return file.readline().decode("utf-8").strip()
--- a/chatmaild/src/chatmaild/user.py
+++ b/chatmaild/src/chatmaild/user.py
@@ -0,0 +1,82 @@
+import logging
+import os
+
+from chatmaild.filedict import write_bytes_atomic
+
+
+def get_daytimestamp(timestamp) -> int:
+    return int(timestamp) // 86400 * 86400
+
+
+class User:
+    def __init__(self, maildir, addr, password_path, uid, gid):
+        self.maildir = maildir
+        self.addr = addr
+        self.password_path = password_path
+        self.enforce_E2EE_path = maildir.joinpath("enforceE2EEincoming")
+        self.uid = uid
+        self.gid = gid
+
+    @property
+    def can_track(self):
+        return "@" in self.addr
+
+    def get_userdb_dict(self):
+        """Return a non-empty dovecot 'userdb' style dict
+        if the user has an existing non-empty password"""
+        try:
+            pw = self.password_path.read_text()
+        except FileNotFoundError:
+            return {}
+
+        if not pw:
+            logging.error(f"password is empty for: {self.addr}")
+            return {}
+
+        home = str(self.maildir)
+        return dict(addr=self.addr, home=home, uid=self.uid, gid=self.gid, password=pw)
+
+    def is_incoming_cleartext_ok(self):
+        return not self.enforce_E2EE_path.exists()
+
+    def allow_incoming_cleartext(self):
+        if self.enforce_E2EE_path.exists():
+            self.enforce_E2EE_path.unlink()
+
+    def set_password(self, enc_password):
+        """Set the specified password for this user.
+
+        This method can be called concurrently
+        but there is no guarantee which of the password-set calls will win.
+        """
+        self.maildir.mkdir(exist_ok=True, parents=True)
+        password = enc_password.encode("ascii")
+
+        try:
+            write_bytes_atomic(self.password_path, password)
+        except PermissionError:
+            logging.error(f"could not write password for: {self.addr}")
+            raise
+        self.enforce_E2EE_path.touch()
+
+    def set_last_login_timestamp(self, timestamp):
+        """Track login time with daily granularity
+        to minimize touching files and to minimize metadata leakage."""
+        if not self.can_track:
+            return
+        try:
+            mtime = int(os.stat(self.password_path).st_mtime)
+        except FileNotFoundError:
+            logging.error(f"Can not get last login timestamp for {self.addr}")
+            return
+
+        timestamp = get_daytimestamp(timestamp)
+        if mtime != timestamp:
+            os.utime(self.password_path, (timestamp, timestamp))
+
+    def get_last_login_timestamp(self):
+        if self.can_track:
+            try:
+                return int(self.password_path.stat().st_mtime)
+            except FileNotFoundError:
+                pass
--- a/chatmaild/uv.lock
+++ b/chatmaild/uv.lock
@@ -0,0 +1,209 @@
+version = 1
+revision = 1
+requires-python = ">=3.12"
+
+[[package]]
+name = "aiosmtpd"
+version = "1.4.6"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "atpublic" },
+    { name = "attrs" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/c4/ca/b2b7cc880403ef24be77383edaadfcf0098f5d7b9ddbf3e2c17ef0a6af0d/aiosmtpd-1.4.6.tar.gz", hash = "sha256:5a811826e1a5a06c25ebc3e6c4a704613eb9a1bcf6b78428fbe865f4f6c9a4b8", size = 152775 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/ec/39/d401756df60a8344848477d54fdf4ce0f50531f6149f3b8eaae9c06ae3dc/aiosmtpd-1.4.6-py3-none-any.whl", hash = "sha256:72c99179ba5aa9ae0abbda6994668239b64a5ce054471955fe75f581d2592475", size = 154263 },
+]
+
+[[package]]
+name = "atpublic"
+version = "7.0.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/a9/05/e2e131a0debaf0f01b8a1b586f5f11713f6affc3e711b406f15f11eafc92/atpublic-7.0.0.tar.gz", hash = "sha256:466ef10d0c8bbd14fd02a5fbd5a8b6af6a846373d91106d3a07c16d72d96b63e", size = 17801 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/96/c0/271f3e1e3502a8decb8ee5c680dbed2d8dc2cd504f5e20f7ed491d5f37e1/atpublic-7.0.0-py3-none-any.whl", hash = "sha256:6702bd9e7245eb4e8220a3e222afcef7f87412154732271ee7deee4433b72b4b", size = 6421 },
+]
+
+[[package]]
+name = "attrs"
+version = "25.4.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/6b/5c/685e6633917e101e5dcb62b9dd76946cbb57c26e133bae9e0cd36033c0a9/attrs-25.4.0.tar.gz", hash = "sha256:16d5969b87f0859ef33a48b35d55ac1be6e42ae49d5e853b597db70c35c57e11", size = 934251 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/3a/2a/7cc015f5b9f5db42b7d48157e23356022889fc354a2813c15934b7cb5c0e/attrs-25.4.0-py3-none-any.whl", hash = "sha256:adcf7e2a1fb3b36ac48d97835bb6d8ade15b8dcce26aba8bf1d14847b57a3373", size = 67615 },
+]
+
+[[package]]
+name = "certifi"
+version = "2025.11.12"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/a2/8c/58f469717fa48465e4a50c014a0400602d3c437d7c0c468e17ada824da3a/certifi-2025.11.12.tar.gz", hash = "sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316", size = 160538 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/70/7d/9bc192684cea499815ff478dfcdc13835ddf401365057044fb721ec6bddb/certifi-2025.11.12-py3-none-any.whl", hash = "sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b", size = 159438 },
+]
+
+[[package]]
+name = "charset-normalizer"
+version = "3.4.4"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/13/69/33ddede1939fdd074bce5434295f38fae7136463422fe4fd3e0e89b98062/charset_normalizer-3.4.4.tar.gz", hash = "sha256:94537985111c35f28720e43603b8e7b43a6ecfb2ce1d3058bbe955b73404e21a", size = 129418 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/f3/85/1637cd4af66fa687396e757dec650f28025f2a2f5a5531a3208dc0ec43f2/charset_normalizer-3.4.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:0a98e6759f854bd25a58a73fa88833fba3b7c491169f86ce1180c948ab3fd394", size = 208425 },
+    { url = "https://files.pythonhosted.org/packages/9d/6a/04130023fef2a0d9c62d0bae2649b69f7b7d8d24ea5536feef50551029df/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:b5b290ccc2a263e8d185130284f8501e3e36c5e02750fc6b6bdeb2e9e96f1e25", size = 148162 },
+    { url = "https://files.pythonhosted.org/packages/78/29/62328d79aa60da22c9e0b9a66539feae06ca0f5a4171ac4f7dc285b83688/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74bb723680f9f7a6234dcf67aea57e708ec1fbdf5699fb91dfd6f511b0a320ef", size = 144558 },
+    { url = "https://files.pythonhosted.org/packages/86/bb/b32194a4bf15b88403537c2e120b817c61cd4ecffa9b6876e941c3ee38fe/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:f1e34719c6ed0b92f418c7c780480b26b5d9c50349e9a9af7d76bf757530350d", size = 161497 },
+    { url = "https://files.pythonhosted.org/packages/19/89/a54c82b253d5b9b111dc74aca196ba5ccfcca8242d0fb64146d4d3183ff1/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2437418e20515acec67d86e12bf70056a33abdacb5cb1655042f6538d6b085a8", size = 159240 },
+    { url = "https://files.pythonhosted.org/packages/c0/10/d20b513afe03acc89ec33948320a5544d31f21b05368436d580dec4e234d/charset_normalizer-3.4.4-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:11d694519d7f29d6cd09f6ac70028dba10f92f6cdd059096db198c283794ac86", size = 153471 },
+    { url = "https://files.pythonhosted.org/packages/61/fa/fbf177b55bdd727010f9c0a3c49eefa1d10f960e5f09d1d887bf93c2e698/charset_normalizer-3.4.4-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:ac1c4a689edcc530fc9d9aa11f5774b9e2f33f9a0c6a57864e90908f5208d30a", size = 150864 },
+    { url = "https://files.pythonhosted.org/packages/05/12/9fbc6a4d39c0198adeebbde20b619790e9236557ca59fc40e0e3cebe6f40/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:21d142cc6c0ec30d2efee5068ca36c128a30b0f2c53c1c07bd78cb6bc1d3be5f", size = 150647 },
+    { url = "https://files.pythonhosted.org/packages/ad/1f/6a9a593d52e3e8c5d2b167daf8c6b968808efb57ef4c210acb907c365bc4/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:5dbe56a36425d26d6cfb40ce79c314a2e4dd6211d51d6d2191c00bed34f354cc", size = 145110 },
+    { url = "https://files.pythonhosted.org/packages/30/42/9a52c609e72471b0fc54386dc63c3781a387bb4fe61c20231a4ebcd58bdd/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:5bfbb1b9acf3334612667b61bd3002196fe2a1eb4dd74d247e0f2a4d50ec9bbf", size = 162839 },
+    { url = "https://files.pythonhosted.org/packages/c4/5b/c0682bbf9f11597073052628ddd38344a3d673fda35a36773f7d19344b23/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:d055ec1e26e441f6187acf818b73564e6e6282709e9bcb5b63f5b23068356a15", size = 150667 },
+    { url = "https://files.pythonhosted.org/packages/e4/24/a41afeab6f990cf2daf6cb8c67419b63b48cf518e4f56022230840c9bfb2/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:af2d8c67d8e573d6de5bc30cdb27e9b95e49115cd9baad5ddbd1a6207aaa82a9", size = 160535 },
+    { url = "https://files.pythonhosted.org/packages/2a/e5/6a4ce77ed243c4a50a1fecca6aaaab419628c818a49434be428fe24c9957/charset_normalizer-3.4.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:780236ac706e66881f3b7f2f32dfe90507a09e67d1d454c762cf642e6e1586e0", size = 154816 },
+    { url = "https://files.pythonhosted.org/packages/a8/ef/89297262b8092b312d29cdb2517cb1237e51db8ecef2e9af5edbe7b683b1/charset_normalizer-3.4.4-cp312-cp312-win32.whl", hash = "sha256:5833d2c39d8896e4e19b689ffc198f08ea58116bee26dea51e362ecc7cd3ed26", size = 99694 },
+    { url = "https://files.pythonhosted.org/packages/3d/2d/1e5ed9dd3b3803994c155cd9aacb60c82c331bad84daf75bcb9c91b3295e/charset_normalizer-3.4.4-cp312-cp312-win_amd64.whl", hash = "sha256:a79cfe37875f822425b89a82333404539ae63dbdddf97f84dcbc3d339aae9525", size = 107131 },
+    { url = "https://files.pythonhosted.org/packages/d0/d9/0ed4c7098a861482a7b6a95603edce4c0d9db2311af23da1fb2b75ec26fc/charset_normalizer-3.4.4-cp312-cp312-win_arm64.whl", hash = "sha256:376bec83a63b8021bb5c8ea75e21c4ccb86e7e45ca4eb81146091b56599b80c3", size = 100390 },
+    { url = "https://files.pythonhosted.org/packages/97/45/4b3a1239bbacd321068ea6e7ac28875b03ab8bc0aa0966452db17cd36714/charset_normalizer-3.4.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:e1f185f86a6f3403aa2420e815904c67b2f9ebc443f045edd0de921108345794", size = 208091 },
+    { url = "https://files.pythonhosted.org/packages/7d/62/73a6d7450829655a35bb88a88fca7d736f9882a27eacdca2c6d505b57e2e/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b39f987ae8ccdf0d2642338faf2abb1862340facc796048b604ef14919e55ed", size = 147936 },
+    { url = "https://files.pythonhosted.org/packages/89/c5/adb8c8b3d6625bef6d88b251bbb0d95f8205831b987631ab0c8bb5d937c2/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:3162d5d8ce1bb98dd51af660f2121c55d0fa541b46dff7bb9b9f86ea1d87de72", size = 144180 },
+    { url = "https://files.pythonhosted.org/packages/91/ed/9706e4070682d1cc219050b6048bfd293ccf67b3d4f5a4f39207453d4b99/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:81d5eb2a312700f4ecaa977a8235b634ce853200e828fbadf3a9c50bab278328", size = 161346 },
+    { url = "https://files.pythonhosted.org/packages/d5/0d/031f0d95e4972901a2f6f09ef055751805ff541511dc1252ba3ca1f80cf5/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:5bd2293095d766545ec1a8f612559f6b40abc0eb18bb2f5d1171872d34036ede", size = 158874 },
+    { url = "https://files.pythonhosted.org/packages/f5/83/6ab5883f57c9c801ce5e5677242328aa45592be8a00644310a008d04f922/charset_normalizer-3.4.4-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:a8a8b89589086a25749f471e6a900d3f662d1d3b6e2e59dcecf787b1cc3a1894", size = 153076 },
+    { url = "https://files.pythonhosted.org/packages/75/1e/5ff781ddf5260e387d6419959ee89ef13878229732732ee73cdae01800f2/charset_normalizer-3.4.4-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:bc7637e2f80d8530ee4a78e878bce464f70087ce73cf7c1caf142416923b98f1", size = 150601 },
+    { url = "https://files.pythonhosted.org/packages/d7/57/71be810965493d3510a6ca79b90c19e48696fb1ff964da319334b12677f0/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:f8bf04158c6b607d747e93949aa60618b61312fe647a6369f88ce2ff16043490", size = 150376 },
+    { url = "https://files.pythonhosted.org/packages/e5/d5/c3d057a78c181d007014feb7e9f2e65905a6c4ef182c0ddf0de2924edd65/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:554af85e960429cf30784dd47447d5125aaa3b99a6f0683589dbd27e2f45da44", size = 144825 },
+    { url = "https://files.pythonhosted.org/packages/e6/8c/d0406294828d4976f275ffbe66f00266c4b3136b7506941d87c00cab5272/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:74018750915ee7ad843a774364e13a3db91682f26142baddf775342c3f5b1133", size = 162583 },
+    { url = "https://files.pythonhosted.org/packages/d7/24/e2aa1f18c8f15c4c0e932d9287b8609dd30ad56dbe41d926bd846e22fb8d/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:c0463276121fdee9c49b98908b3a89c39be45d86d1dbaa22957e38f6321d4ce3", size = 150366 },
+    { url = "https://files.pythonhosted.org/packages/e4/5b/1e6160c7739aad1e2df054300cc618b06bf784a7a164b0f238360721ab86/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:362d61fd13843997c1c446760ef36f240cf81d3ebf74ac62652aebaf7838561e", size = 160300 },
+    { url = "https://files.pythonhosted.org/packages/7a/10/f882167cd207fbdd743e55534d5d9620e095089d176d55cb22d5322f2afd/charset_normalizer-3.4.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:9a26f18905b8dd5d685d6d07b0cdf98a79f3c7a918906af7cc143ea2e164c8bc", size = 154465 },
+    { url = "https://files.pythonhosted.org/packages/89/66/c7a9e1b7429be72123441bfdbaf2bc13faab3f90b933f664db506dea5915/charset_normalizer-3.4.4-cp313-cp313-win32.whl", hash = "sha256:9b35f4c90079ff2e2edc5b26c0c77925e5d2d255c42c74fdb70fb49b172726ac", size = 99404 },
+    { url = "https://files.pythonhosted.org/packages/c4/26/b9924fa27db384bdcd97ab83b4f0a8058d96ad9626ead570674d5e737d90/charset_normalizer-3.4.4-cp313-cp313-win_amd64.whl", hash = "sha256:b435cba5f4f750aa6c0a0d92c541fb79f69a387c91e61f1795227e4ed9cece14", size = 107092 },
+    { url = "https://files.pythonhosted.org/packages/af/8f/3ed4bfa0c0c72a7ca17f0380cd9e4dd842b09f664e780c13cff1dcf2ef1b/charset_normalizer-3.4.4-cp313-cp313-win_arm64.whl", hash = "sha256:542d2cee80be6f80247095cc36c418f7bddd14f4a6de45af91dfad36d817bba2", size = 100408 },
+    { url = "https://files.pythonhosted.org/packages/2a/35/7051599bd493e62411d6ede36fd5af83a38f37c4767b92884df7301db25d/charset_normalizer-3.4.4-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:da3326d9e65ef63a817ecbcc0df6e94463713b754fe293eaa03da99befb9a5bd", size = 207746 },
+    { url = "https://files.pythonhosted.org/packages/10/9a/97c8d48ef10d6cd4fcead2415523221624bf58bcf68a802721a6bc807c8f/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8af65f14dc14a79b924524b1e7fffe304517b2bff5a58bf64f30b98bbc5079eb", size = 147889 },
+    { url = "https://files.pythonhosted.org/packages/10/bf/979224a919a1b606c82bd2c5fa49b5c6d5727aa47b4312bb27b1734f53cd/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_armv7l.manylinux_2_17_armv7l.manylinux_2_31_armv7l.whl", hash = "sha256:74664978bb272435107de04e36db5a9735e78232b85b77d45cfb38f758efd33e", size = 143641 },
+    { url = "https://files.pythonhosted.org/packages/ba/33/0ad65587441fc730dc7bd90e9716b30b4702dc7b617e6ba4997dc8651495/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:752944c7ffbfdd10c074dc58ec2d5a8a4cd9493b314d367c14d24c17684ddd14", size = 160779 },
+    { url = "https://files.pythonhosted.org/packages/67/ed/331d6b249259ee71ddea93f6f2f0a56cfebd46938bde6fcc6f7b9a3d0e09/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d1f13550535ad8cff21b8d757a3257963e951d96e20ec82ab44bc64aeb62a191", size = 159035 },
+    { url = "https://files.pythonhosted.org/packages/67/ff/f6b948ca32e4f2a4576aa129d8bed61f2e0543bf9f5f2b7fc3758ed005c9/charset_normalizer-3.4.4-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ecaae4149d99b1c9e7b88bb03e3221956f68fd6d50be2ef061b2381b61d20838", size = 152542 },
+    { url = "https://files.pythonhosted.org/packages/16/85/276033dcbcc369eb176594de22728541a925b2632f9716428c851b149e83/charset_normalizer-3.4.4-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:cb6254dc36b47a990e59e1068afacdcd02958bdcce30bb50cc1700a8b9d624a6", size = 149524 },
+    { url = "https://files.pythonhosted.org/packages/9e/f2/6a2a1f722b6aba37050e626530a46a68f74e63683947a8acff92569f979a/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:c8ae8a0f02f57a6e61203a31428fa1d677cbe50c93622b4149d5c0f319c1d19e", size = 150395 },
+    { url = "https://files.pythonhosted.org/packages/60/bb/2186cb2f2bbaea6338cad15ce23a67f9b0672929744381e28b0592676824/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:47cc91b2f4dd2833fddaedd2893006b0106129d4b94fdb6af1f4ce5a9965577c", size = 143680 },
+    { url = "https://files.pythonhosted.org/packages/7d/a5/bf6f13b772fbb2a90360eb620d52ed8f796f3c5caee8398c3b2eb7b1c60d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:82004af6c302b5d3ab2cfc4cc5f29db16123b1a8417f2e25f9066f91d4411090", size = 162045 },
+    { url = "https://files.pythonhosted.org/packages/df/c5/d1be898bf0dc3ef9030c3825e5d3b83f2c528d207d246cbabe245966808d/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:2b7d8f6c26245217bd2ad053761201e9f9680f8ce52f0fcd8d0755aeae5b2152", size = 149687 },
+    { url = "https://files.pythonhosted.org/packages/a5/42/90c1f7b9341eef50c8a1cb3f098ac43b0508413f33affd762855f67a410e/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:799a7a5e4fb2d5898c60b640fd4981d6a25f1c11790935a44ce38c54e985f828", size = 160014 },
+    { url = "https://files.pythonhosted.org/packages/76/be/4d3ee471e8145d12795ab655ece37baed0929462a86e72372fd25859047c/charset_normalizer-3.4.4-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:99ae2cffebb06e6c22bdc25801d7b30f503cc87dbd283479e7b606f70aff57ec", size = 154044 },
+    { url = "https://files.pythonhosted.org/packages/b0/6f/8f7af07237c34a1defe7defc565a9bc1807762f672c0fde711a4b22bf9c0/charset_normalizer-3.4.4-cp314-cp314-win32.whl", hash = "sha256:f9d332f8c2a2fcbffe1378594431458ddbef721c1769d78e2cbc06280d8155f9", size = 99940 },
+    { url = "https://files.pythonhosted.org/packages/4b/51/8ade005e5ca5b0d80fb4aff72a3775b325bdc3d27408c8113811a7cbe640/charset_normalizer-3.4.4-cp314-cp314-win_amd64.whl", hash = "sha256:8a6562c3700cce886c5be75ade4a5db4214fda19fede41d9792d100288d8f94c", size = 107104 },
+    { url = "https://files.pythonhosted.org/packages/da/5f/6b8f83a55bb8278772c5ae54a577f3099025f9ade59d0136ac24a0df4bde/charset_normalizer-3.4.4-cp314-cp314-win_arm64.whl", hash = "sha256:de00632ca48df9daf77a2c65a484531649261ec9f25489917f09e455cb09ddb2", size = 100743 },
+    { url = "https://files.pythonhosted.org/packages/0a/4c/925909008ed5a988ccbb72dcc897407e5d6d3bd72410d69e051fc0c14647/charset_normalizer-3.4.4-py3-none-any.whl", hash = "sha256:7a32c560861a02ff789ad905a2fe94e3f840803362c84fecf1851cb4cf3dc37f", size = 53402 },
+]
+
+[[package]]
+name = "chatmaild"
+version = "0.3"
+source = { editable = "." }
+dependencies = [
+    { name = "aiosmtpd" },
+    { name = "crypt-r" },
+    { name = "deltachat-rpc-client" },
+    { name = "deltachat-rpc-server" },
+    { name = "filelock" },
+    { name = "iniconfig" },
+    { name = "requests" },
+]
+
+[package.metadata]
+requires-dist = [
+    { name = "aiosmtpd" },
+    { name = "crypt-r", marker = "python_full_version >= '3.11'", specifier = ">=3.13.1" },
+    { name = "deltachat-rpc-client" },
+    { name = "deltachat-rpc-server" },
+    { name = "filelock" },
+    { name = "iniconfig" },
+    { name = "requests" },
+]
+
+[[package]]
+name = "crypt-r"
+version = "3.13.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/18/ec/23c7745f9e8fae4ee0309aa2220258902e35a01bcace636223150e00bee8/crypt_r-3.13.1.tar.gz", hash = "sha256:5bd46ad51f5b7fe5f0ecf49d8ba2cafd6fbd43aa3bb5efbcaa6b44df6340c1a6", size = 20908 }
+
+[[package]]
+name = "deltachat-rpc-client"
+version = "2.35.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/3c/92/4fa49736244a45ddf07aa45ca6f7e87b3c9512ff7b1e3014c08cd831a0cb/deltachat_rpc_client-2.35.0.tar.gz", hash = "sha256:7c93b0728f32f963e4086e78771e075a368224e2ba5ea1859121a426b39a63b6", size = 56856 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/aa/33/8f7d58aeb0ee60696a425d9c9d0e7c3c326e6f5e3538fd34e48c108fcd2a/deltachat_rpc_client-2.35.0-py3-none-any.whl", hash = "sha256:aa19982c59754045cfb7adc0b618f289023fe83437d6daeef549bacaad77d0fa", size = 35481 },
+]
+
+[[package]]
+name = "deltachat-rpc-server"
+version = "2.35.0"
+source = { registry = "https://pypi.org/simple" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/f4/6e/cea4a319f1d5a52e78430a22b192f33c39696f6cd0879a7f0a2d132498f7/deltachat_rpc_server-2.35.0-py3-none-android_21_arm64_v8a.whl", hash = "sha256:d6b82d362682161cd05f6fe99b85710892d86be93d135817c9ddce5fa259ed6f", size = 11602680 },
+    { url = "https://files.pythonhosted.org/packages/6f/82/330fe7f187c53988978e5d7664a632c1eb3704284aeefa9eddf00ad6e605/deltachat_rpc_server-2.35.0-py3-none-android_21_armeabi_v7a.whl", hash = "sha256:04592521c034e9d99c7ac4620bb216f4a90c1b4fae9262e5ce260b6607b836d1", size = 9854866 },
+    { url = "https://files.pythonhosted.org/packages/13/19/a766f8435331eb3604e4c25c61da91e9db4a6e7c8acba5f97ab05bac26b4/deltachat_rpc_server-2.35.0-py3-none-linux_armv6l.whl", hash = "sha256:7071bf4b670c4d10409d260903ec55ea8e464c218de391d1dda65b24b79aaba7", size = 10720204 },
+    { url = "https://files.pythonhosted.org/packages/f5/a9/938ee287956e24543b263fc2eee63dc8065ab6d571dd7a2caec316c75ee1/deltachat_rpc_server-2.35.0-py3-none-linux_armv7l.manylinux_2_17_armv7l.manylinux2014_armv7l.musllinux_1_1_armv7l.whl", hash = "sha256:7607941e2d3fa799c46d35d0aedce5eb2f45be03590c6d1fe77f8e73320c5ef7", size = 10617853 },
+    { url = "https://files.pythonhosted.org/packages/28/72/0115d13b6d1e6c146c29413900d24e9e0aaf67e04cc59ff0730d948762d4/deltachat_rpc_server-2.35.0-py3-none-macosx_10_7_x86_64.whl", hash = "sha256:66a235e1524ec68518020c5774a546af894836a178b51d64ede42b8e74c6ae5a", size = 10219508 },
+    { url = "https://files.pythonhosted.org/packages/37/59/71d48a81fc9a677323dcd305219cb7d586f28a1f81022e75d6d6e3145180/deltachat_rpc_server-2.35.0-py3-none-macosx_11_0_arm64.whl", hash = "sha256:6bec48840e36e70b373bba6ccb11a31cf8f47b8f0e87d74533fa567de1a997ff", size = 10001473 },
+    { url = "https://files.pythonhosted.org/packages/6f/db/e722be9bc23d0b92684374373b330947f07231e15247c5e71bc23e7294b7/deltachat_rpc_server-2.35.0-py3-none-manylinux_2_12_i686.manylinux2010_i686.musllinux_1_1_i686.whl", hash = "sha256:c1d84f1db409f7ae5434d2cbafb2f1b91555465b419edc6a891e8751446fafbb", size = 11264723 },
+    { url = "https://files.pythonhosted.org/packages/bf/96/462c06910bbfe7fb79490eca61cbef8fc9d1ec4ba5fbb82ea9aeeab3506b/deltachat_rpc_server-2.35.0-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:e1d33e3d93d8131e74da6a13b9f9316c3558f0d876d4ec7cdba92daae7d2eb42", size = 11550860 },
+    { url = "https://files.pythonhosted.org/packages/5c/27/c7ea8096b01931b3f2e2bf449500b10e546669c81739410a7f6a0fbb120f/deltachat_rpc_server-2.35.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.musllinux_1_1_x86_64.whl", hash = "sha256:d48e1ad018a59ccbd898cf3d9f5ce7b3bd882d9ff2619497628943ac1243800f", size = 11868158 },
+    { url = "https://files.pythonhosted.org/packages/d1/4e/b66959b8bdfe68a6760a1cf10dc38031ccfeba74f45c52d4a10aeacf78c6/deltachat_rpc_server-2.35.0-py3-none-win32.whl", hash = "sha256:f9f56bcb75a083f7b46afef35871f844e2582f82f2f884984d827264da10d904", size = 10639500 },
+    { url = "https://files.pythonhosted.org/packages/3d/81/b4ee510e88d942b2f98ca1a2d69a5286e6723473b71deca8e3a256b3b725/deltachat_rpc_server-2.35.0-py3-none-win_amd64.whl", hash = "sha256:9e6f40b469f1816092b96e5248c0cd246ce59dcb49f3b57877301e7afe077833", size = 10659609 },
+]
+
+[[package]]
+name = "filelock"
+version = "3.20.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/a7/23/ce7a1126827cedeb958fc043d61745754464eb56c5937c35bbf2b8e26f34/filelock-3.20.1.tar.gz", hash = "sha256:b8360948b351b80f420878d8516519a2204b07aefcdcfd24912a5d33127f188c", size = 19476 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e3/7f/a1a97644e39e7316d850784c642093c99df1290a460df4ede27659056834/filelock-3.20.1-py3-none-any.whl", hash = "sha256:15d9e9a67306188a44baa72f569d2bfd803076269365fdea0934385da4dc361a", size = 16666 },
+]
+
+[[package]]
+name = "idna"
+version = "3.11"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/6f/6d/0703ccc57f3a7233505399edb88de3cbd678da106337b9fcde432b65ed60/idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902", size = 194582 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/0e/61/66938bbb5fc52dbdf84594873d5b51fb1f7c7794e9c0f5bd885f30bc507b/idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea", size = 71008 },
+]
+
+[[package]]
+name = "iniconfig"
+version = "2.3.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/72/34/14ca021ce8e5dfedc35312d08ba8bf51fdd999c576889fc2c24cb97f4f10/iniconfig-2.3.0.tar.gz", hash = "sha256:c76315c77db068650d49c5b56314774a7804df16fee4402c1f19d6d15d8c4730", size = 20503 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484 },
+]
+
+[[package]]
+name = "requests"
+version = "2.32.5"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "certifi" },
+    { name = "charset-normalizer" },
+    { name = "idna" },
+    { name = "urllib3" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/c9/74/b3ff8e6c8446842c3f5c837e9c3dfcfe2018ea6ecef224c710c85ef728f4/requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf", size = 134517 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/1e/db/4254e3eabe8020b458f1a747140d32277ec7a271daf1d235b70dc0b4e6e3/requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6", size = 64738 },
+]
+
+[[package]]
+name = "urllib3"
+version = "2.6.2"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/1e/24/a2a2ed9addd907787d7aa0355ba36a6cadf1768b934c652ea78acbd59dcd/urllib3-2.6.2.tar.gz", hash = "sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797", size = 432930 }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/6d/b9/4095b668ea3678bf6a0af005527f39de12fb026516fb3df17495a733b7f8/urllib3-2.6.2-py3-none-any.whl", hash = "sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd", size = 131182 },
+]
--- a/cliff.toml
+++ b/cliff.toml
@@ -0,0 +1,94 @@
+# git-cliff ~ configuration file
+# https://git-cliff.org/docs/configuration
+
+
+[changelog]
+# A Tera template to be rendered for each release in the changelog.
+# See https://keats.github.io/tera/docs/#introduction
+body = """
+{% if version %}\
+    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+    ## [unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+    ### {{ group | striptags | trim | upper_first }}
+    {% for commit in commits %}
+        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
+            {% if commit.breaking %}[**breaking**] {% endif %}\
+            {{ commit.message | upper_first }}\
+    {% endfor %}
+{% endfor %}
+"""
+# Remove leading and trailing whitespaces from the changelog's body.
+trim = true
+# Render body even when there are no releases to process.
+render_always = true
+# An array of regex based postprocessors to modify the changelog.
+postprocessors = [
+    # Replace the placeholder <REPO> with a URL.
+    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
+]
+# render body even when there are no releases to process
+# render_always = true
+# output file path
+# output = "test.md"
+
+[git]
+# Parse commits according to the conventional commits specification.
+# See https://www.conventionalcommits.org
+conventional_commits = true
+# Exclude commits that do not match the conventional commits specification.
+filter_unconventional = true
+# Require all commits to be conventional.
+# Takes precedence over filter_unconventional.
+require_conventional = false
+# Split commits on newlines, treating each line as an individual commit.
+split_commits = false
+# An array of regex based parsers to modify commit messages prior to further processing.
+commit_preprocessors = [
+    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
+    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
+    # Check spelling of the commit message using https://github.com/crate-ci/typos.
+    # If the spelling is incorrect, it will be fixed automatically.
+    #{ pattern = '.*', replace_command = 'typos --write-changes -' },
+]
+# Prevent commits that are breaking from being excluded by commit parsers.
+protect_breaking_commits = false
+# An array of regex based parsers for extracting data from the commit message.
+# Assigns commits to groups.
+# Optionally sets the commit's scope and can decide to exclude commits from further processing.
+commit_parsers = [
+    { message = "^feat", group = "Features" },
+    { message = "^fix", group = "Bug Fixes" },
+    { message = "^docs", group = "Documentation" },
+    { message = "^perf", group = "Performance" },
+    { message = "^refactor", group = "Refactor" },
+    { message = "^style", group = "Styling" },
+    { message = "^test", group = "Testing" },
+    { message = "^chore\\(release\\): prepare for", skip = true },
+    { message = "^chore\\(deps.*\\)", skip = true },
+    { message = "^chore\\(pr\\)", skip = true },
+    { message = "^chore\\(pull\\)", skip = true },
+    { message = "^chore|^ci", group = "Miscellaneous Tasks" },
+    { body = ".*security", group = "Security" },
+    { message = "^revert", group = "Revert" },
+    { message = ".*", group = "Other" },
+]
+# Exclude commits that are not matched by any commit parser.
+filter_commits = false
+# Fail on a commit that is not matched by any commit parser.
+fail_on_unmatched_commit = false
+# An array of link parsers for extracting external references, and turning them into URLs, using regex.
+link_parsers = []
+# Include only the tags that belong to the current branch.
+use_branch_tags = false
+# Order releases topologically instead of chronologically.
+topo_order = false
+# Order commits topologically instead of chronologically.
+topo_order_commits = true
+# Order of commits in each group/release within the changelog.
+# Allowed values: newest, oldest
+sort_commits = "oldest"
+# Process submodules commits
+recurse_submodules = false
--- a/cmdeploy/pyproject.toml
+++ b/cmdeploy/pyproject.toml
@@ -6,7 +6,7 @@ build-backend = "setuptools.build_meta"
 name = "cmdeploy"
 version = "0.2"
 dependencies = [
-  "pyinfra",
+  "pyinfra>=3",
  "pillow",
  "qrcode",
  "markdown",
@@ -16,9 +16,9 @@ dependencies = [
  "build",
  "tox",
  "ruff",
-  "black",
  "pytest",
  "pytest-xdist", 
+  "execnet",
  "imap_tools",
 ]

@@ -31,3 +31,16 @@ cmdeploy = "cmdeploy.cmdeploy:main"

 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
+
+[tool.ruff]
+lint.select = [
+  "F", # Pyflakes
+  "I", # isort
+
+  "PLC", # Pylint Convention
+  "PLE", # Pylint Error
+  "PLW", # Pylint Warning
+]
+lint.ignore = [
+  "PLC0415" # import-outside-top-level
+]
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
@@ -1,622 +0,0 @@
-"""
-Chat Mail pyinfra deploy.
-"""
-
-import sys
-import importlib.resources
-import subprocess
-import shutil
-import io
-from pathlib import Path
-
-from pyinfra import host
-from pyinfra.operations import apt, files, server, systemd, pip
-from pyinfra.facts.files import File
-from pyinfra.facts.systemd import SystemdEnabled
-from .acmetool import deploy_acmetool
-
-from chatmaild.config import read_config, Config
-
-
-def _build_chatmaild(dist_dir) -> None:
-    dist_dir = Path(dist_dir).resolve()
-    if dist_dir.exists():
-        shutil.rmtree(dist_dir)
-    dist_dir.mkdir()
-    subprocess.check_output(
-        [sys.executable, "-m", "build", "-n"]
-        + ["--sdist", "chatmaild", "--outdir", str(dist_dir)]
-    )
-    entries = list(dist_dir.iterdir())
-    assert len(entries) == 1
-    return entries[0]
-
-
-def remove_legacy_artifacts():
-    # disable legacy doveauth-dictproxy.service
-    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
-        systemd.service(
-            name="Disable legacy doveauth-dictproxy.service",
-            service="doveauth-dictproxy.service",
-            running=False,
-            enabled=False,
-        )
-
-
-def _install_remote_venv_with_chatmaild(config) -> None:
-    remove_legacy_artifacts()
-    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
-    remote_base_dir = "/usr/local/lib/chatmaild"
-    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
-    remote_venv_dir = f"{remote_base_dir}/venv"
-    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
-    root_owned = dict(user="root", group="root", mode="644")
-
-    apt.packages(
-        name="apt install python3-virtualenv",
-        packages=["python3-virtualenv"],
-    )
-
-    files.put(
-        name="Upload chatmaild source package",
-        src=dist_file.open("rb"),
-        dest=remote_dist_file,
-        create_remote_dir=True,
-        **root_owned,
-    )
-
-    files.put(
-        name=f"Upload {remote_chatmail_inipath}",
-        src=config._getbytefile(),
-        dest=remote_chatmail_inipath,
-        **root_owned,
-    )
-
-    pip.virtualenv(
-        name=f"chatmaild virtualenv {remote_venv_dir}",
-        path=remote_venv_dir,
-        always_copy=True,
-    )
-
-    server.shell(
-        name=f"forced pip-install {dist_file.name}",
-        commands=[
-            f"{remote_venv_dir}/bin/pip install --force-reinstall {remote_dist_file}"
-        ],
-    )
-
-    files.template(
-        src=importlib.resources.files(__package__).joinpath("metrics.cron.j2"),
-        dest="/etc/cron.d/chatmail-metrics",
-        user="root",
-        group="root",
-        mode="644",
-        config={
-            "mail_domain": config.mail_domain,
-            "execpath": f"{remote_venv_dir}/bin/chatmail-metrics",
-        },
-    )
-
-    # install systemd units
-    for fn in (
-        "doveauth",
-        "filtermail",
-        "echobot",
-        "chatmail-metadata",
-    ):
-        params = dict(
-            execpath=f"{remote_venv_dir}/bin/{fn}",
-            config_path=remote_chatmail_inipath,
-            remote_venv_dir=remote_venv_dir,
-            mail_domain=config.mail_domain,
-        )
-        source_path = importlib.resources.files(__package__).joinpath(
-            "service", f"{fn}.service.f"
-        )
-        content = source_path.read_text().format(**params).encode()
-
-        files.put(
-            name=f"Upload {fn}.service",
-            src=io.BytesIO(content),
-            dest=f"/etc/systemd/system/{fn}.service",
-            **root_owned,
-        )
-        systemd.service(
-            name=f"Setup {fn} service",
-            service=f"{fn}.service",
-            running=True,
-            enabled=True,
-            restarted=True,
-            daemon_reload=True,
-        )
-
-
-def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
-    """Configures OpenDKIM"""
-    need_restart = False
-
-    main_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
-        dest="/etc/opendkim.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= main_config.changed
-
-    screen_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("opendkim/screen.lua"),
-        dest="/etc/opendkim/screen.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= screen_script.changed
-
-    final_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("opendkim/final.lua"),
-        dest="/etc/opendkim/final.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= final_script.changed
-
-    files.directory(
-        name="Add opendkim directory to /etc",
-        path="/etc/opendkim",
-        user="opendkim",
-        group="opendkim",
-        mode="750",
-        present=True,
-    )
-
-    keytable = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"),
-        dest="/etc/dkimkeys/KeyTable",
-        user="opendkim",
-        group="opendkim",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= keytable.changed
-
-    signing_table = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"),
-        dest="/etc/dkimkeys/SigningTable",
-        user="opendkim",
-        group="opendkim",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= signing_table.changed
-    files.directory(
-        name="Add opendkim socket directory to /var/spool/postfix",
-        path="/var/spool/postfix/opendkim",
-        user="opendkim",
-        group="opendkim",
-        mode="750",
-        present=True,
-    )
-
-    apt.packages(
-        name="apt install opendkim opendkim-tools",
-        packages=["opendkim", "opendkim-tools"],
-    )
-
-    if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
-        server.shell(
-            name="Generate OpenDKIM domain keys",
-            commands=[
-                f"opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
-            ],
-            _sudo=True,
-            _sudo_user="opendkim",
-        )
-
-    return need_restart
-
-
-def _install_mta_sts_daemon() -> bool:
-    need_restart = False
-
-    config = files.put(
-        name="upload postfix-mta-sts-resolver config",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.yml"
-        ),
-        dest="/etc/mta-sts-daemon.yml",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= config.changed
-
-    server.shell(
-        name="install postfix-mta-sts-resolver with pip",
-        commands=[
-            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
-            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
-        ],
-    )
-
-    systemd_unit = files.put(
-        name="upload mta-sts-daemon systemd unit",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.service"
-        ),
-        dest="/etc/systemd/system/mta-sts-daemon.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= systemd_unit.changed
-
-    return need_restart
-
-
-def _configure_postfix(config: Config, debug: bool = False) -> bool:
-    """Configures Postfix SMTP server."""
-    need_restart = False
-
-    main_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("postfix/main.cf.j2"),
-        dest="/etc/postfix/main.cf",
-        user="root",
-        group="root",
-        mode="644",
-        config=config,
-    )
-    need_restart |= main_config.changed
-
-    master_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("postfix/master.cf.j2"),
-        dest="/etc/postfix/master.cf",
-        user="root",
-        group="root",
-        mode="644",
-        debug=debug,
-        config=config,
-    )
-    need_restart |= master_config.changed
-
-    header_cleanup = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/submission_header_cleanup"
-        ),
-        dest="/etc/postfix/submission_header_cleanup",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= header_cleanup.changed
-
-    # Login map that 1:1 maps email address to login.
-    login_map = files.put(
-        src=importlib.resources.files(__package__).joinpath("postfix/login_map"),
-        dest="/etc/postfix/login_map",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= login_map.changed
-
-    return need_restart
-
-
-def _configure_dovecot(config: Config, debug: bool = False) -> bool:
-    """Configures Dovecot IMAP server."""
-    need_restart = False
-
-    main_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("dovecot/dovecot.conf.j2"),
-        dest="/etc/dovecot/dovecot.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config=config,
-        debug=debug,
-    )
-    need_restart |= main_config.changed
-    auth_config = files.put(
-        src=importlib.resources.files(__package__).joinpath("dovecot/auth.conf"),
-        dest="/etc/dovecot/auth.conf",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= auth_config.changed
-    lua_push_notification_script = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "dovecot/push_notification.lua"
-        ),
-        dest="/etc/dovecot/push_notification.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= lua_push_notification_script.changed
-
-    sieve_script = files.put(
-        src=importlib.resources.files(__package__).joinpath("dovecot/default.sieve"),
-        dest="/etc/dovecot/default.sieve",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= sieve_script.changed
-    if sieve_script.changed:
-        server.shell(
-            name="compile sieve script",
-            commands=["/usr/bin/sievec /etc/dovecot/default.sieve"],
-        )
-
-    files.template(
-        src=importlib.resources.files(__package__).joinpath("dovecot/expunge.cron.j2"),
-        dest="/etc/cron.d/expunge",
-        user="root",
-        group="root",
-        mode="644",
-        config=config,
-    )
-
-    # as per https://doc.dovecot.org/configuration_manual/os/
-    # it is recommended to set the following inotify limits
-    for name in ("max_user_instances", "max_user_watches"):
-        key = f"fs.inotify.{name}"
-        server.sysctl(
-            name=f"Change {key}",
-            key=key,
-            value=65535,
-            persist=True,
-        )
-
-    return need_restart
-
-
-def _configure_nginx(domain: str, debug: bool = False) -> bool:
-    """Configures nginx HTTP server."""
-    need_restart = False
-
-    main_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("nginx/nginx.conf.j2"),
-        dest="/etc/nginx/nginx.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": domain},
-    )
-    need_restart |= main_config.changed
-
-    autoconfig = files.template(
-        src=importlib.resources.files(__package__).joinpath("nginx/autoconfig.xml.j2"),
-        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": domain},
-    )
-    need_restart |= autoconfig.changed
-
-    mta_sts_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("nginx/mta-sts.txt.j2"),
-        dest="/var/www/html/.well-known/mta-sts.txt",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": domain},
-    )
-    need_restart |= mta_sts_config.changed
-
-    # install CGI newemail script
-    #
-    cgi_dir = "/usr/lib/cgi-bin"
-    files.directory(
-        name=f"Ensure {cgi_dir} exists",
-        path=cgi_dir,
-        user="root",
-        group="root",
-    )
-
-    files.put(
-        name="Upload cgi newemail.py script",
-        src=importlib.resources.files("chatmaild").joinpath("newemail.py").open("rb"),
-        dest=f"{cgi_dir}/newemail.py",
-        user="root",
-        group="root",
-        mode="755",
-    )
-
-    return need_restart
-
-
-def _remove_rspamd() -> None:
-    """Remove rspamd"""
-    apt.packages(name="Remove rspamd", packages="rspamd", present=False)
-
-
-def check_config(config):
-    mail_domain = config.mail_domain
-    if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
-        blocked_words = "merlinux schmieder testrun.org".split()
-        for key in config.__dict__:
-            value = config.__dict__[key]
-            if key.startswith("privacy") and any(
-                x in str(value) for x in blocked_words
-            ):
-                raise ValueError(
-                    f"please set your own privacy contacts/addresses in {config._inipath}"
-                )
-    return config
-
-
-def deploy_chatmail(config_path: Path) -> None:
-    """Deploy a chat-mail instance.
-
-    :param config_path: path to chatmail.ini
-    """
-    config = read_config(config_path)
-    check_config(config)
-    mail_domain = config.mail_domain
-
-    from .www import build_webpages
-
-    server.group(name="Create vmail group", group="vmail", system=True)
-    server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
-    server.group(name="Create opendkim group", group="opendkim", system=True)
-    server.user(
-        name="Create opendkim user",
-        user="opendkim",
-        groups=["opendkim"],
-        system=True,
-    )
-    server.user(
-        name="Add postfix user to opendkim group for socket access",
-        user="postfix",
-        groups=["opendkim"],
-        system=True,
-    )
-
-    server.shell(
-        name="Fix file owner in /home/vmail",
-        commands=["test -d /home/vmail && chown -R vmail:vmail /home/vmail"],
-    )
-
-    apt.update(name="apt update", cache_time=24 * 3600)
-
-    apt.packages(
-        name="Install rsync",
-        packages=["rsync"],
-    )
-
-    # Run local DNS resolver `unbound`.
-    # `resolvconf` takes care of setting up /etc/resolv.conf
-    # to use 127.0.0.1 as the resolver.
-    apt.packages(
-        name="Install unbound",
-        packages=["unbound", "unbound-anchor", "dnsutils"],
-    )
-    server.shell(
-        name="Generate root keys for validating DNSSEC",
-        commands=[
-            "unbound-anchor -a /var/lib/unbound/root.key || true",
-            "systemctl reset-failed unbound.service",
-        ],
-    )
-    systemd.service(
-        name="Start and enable unbound",
-        service="unbound.service",
-        running=True,
-        enabled=True,
-    )
-
-    # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(
-        nginx_hook=True,
-        domains=[mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"],
-    )
-
-    apt.packages(
-        name="Install Postfix",
-        packages="postfix",
-    )
-
-    apt.packages(
-        name="Install Dovecot",
-        packages=["dovecot-imapd", "dovecot-lmtpd", "dovecot-sieve"],
-    )
-
-    apt.packages(
-        name="Install nginx",
-        packages=["nginx"],
-    )
-
-    apt.packages(
-        name="Install fcgiwrap",
-        packages=["fcgiwrap"],
-    )
-
-    www_path = importlib.resources.files(__package__).joinpath("../../../www").resolve()
-
-    build_dir = www_path.joinpath("build")
-    src_dir = www_path.joinpath("src")
-    build_webpages(src_dir, build_dir, config)
-    files.rsync(f"{build_dir}/", "/var/www/html", flags=["-avz"])
-
-    _install_remote_venv_with_chatmaild(config)
-    debug = False
-    dovecot_need_restart = _configure_dovecot(config, debug=debug)
-    postfix_need_restart = _configure_postfix(config, debug=debug)
-    mta_sts_need_restart = _install_mta_sts_daemon()
-    nginx_need_restart = _configure_nginx(mail_domain)
-
-    _remove_rspamd()
-    opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
-
-    systemd.service(
-        name="Start and enable OpenDKIM",
-        service="opendkim.service",
-        running=True,
-        enabled=True,
-        restarted=opendkim_need_restart,
-    )
-
-    systemd.service(
-        name="Start and enable MTA-STS daemon",
-        service="mta-sts-daemon.service",
-        daemon_reload=True,
-        running=True,
-        enabled=True,
-        restarted=mta_sts_need_restart,
-    )
-
-    # Dovecot should be started before Postfix
-    # because it creates authentication socket
-    # required by Postfix.
-    systemd.service(
-        name="Start and enable Dovecot",
-        service="dovecot.service",
-        running=True,
-        enabled=True,
-        restarted=dovecot_need_restart,
-    )
-
-    systemd.service(
-        name="Start and enable Postfix",
-        service="postfix.service",
-        running=True,
-        enabled=True,
-        restarted=postfix_need_restart,
-    )
-
-    systemd.service(
-        name="Start and enable nginx",
-        service="nginx.service",
-        running=True,
-        enabled=True,
-        restarted=nginx_need_restart,
-    )
-
-    # This file is used by auth proxy.
-    # https://wiki.debian.org/EtcMailName
-    server.shell(
-        name="Setup /etc/mailname",
-        commands=[f"echo {mail_domain} >/etc/mailname; chmod 644 /etc/mailname"],
-    )
-
-    journald_conf = files.put(
-        name="Configure journald",
-        src=importlib.resources.files(__package__).joinpath("journald.conf"),
-        dest="/etc/systemd/journald.conf",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    systemd.service(
-        name="Start and enable journald",
-        service="systemd-journald.service",
-        running=True,
-        enabled=True,
-        restarted=journald_conf,
-    )
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -1,78 +1,157 @@
 import importlib.resources

-from pyinfra.operations import apt, files, systemd, server
-from pyinfra import host
-from pyinfra.facts.systemd import SystemdStatus
+from pyinfra.operations import apt, files, server, systemd
+
+from ..basedeploy import Deployer


-def deploy_acmetool(nginx_hook=False, email="", domains=[]):
-    """Deploy acmetool."""
-    apt.packages(
-        name="Install acmetool",
-        packages=["acmetool"],
-    )
+class AcmetoolDeployer(Deployer):
+    def __init__(self, email, domains):
+        self.domains = domains
+        self.email = email
+        self.need_restart_redirector = False
+        self.need_restart_reconcile_service = False
+        self.need_restart_reconcile_timer = False

-    files.put(
-        src=importlib.resources.files(__package__).joinpath("acmetool.cron").open("rb"),
-        dest="/etc/cron.d/acmetool",
-        user="root",
-        group="root",
-        mode="644",
-    )
+    def install(self):
+        apt.packages(
+            name="Install acmetool",
+            packages=["acmetool"],
+        )
+
+        files.file(
+            name="Remove old acmetool cronjob, it is replaced with systemd timer.",
+            path="/etc/cron.d/acmetool",
+            present=False,
+        )

-    if nginx_hook:
        files.put(
+            name="Install acmetool hook.",
            src=importlib.resources.files(__package__)
            .joinpath("acmetool.hook")
            .open("rb"),
-            dest="/usr/lib/acme/hooks/nginx",
+            dest="/etc/acme/hooks/nginx",
            user="root",
            group="root",
-            mode="744",
+            mode="755",
+        )
+        files.file(
+            name="Remove acmetool hook from the wrong location where it was previously installed.",
+            path="/usr/lib/acme/hooks/nginx",
+            present=False,
        )

-    files.template(
-        src=importlib.resources.files(__package__).joinpath("response-file.yaml.j2"),
-        dest="/var/lib/acme/conf/responses",
-        user="root",
-        group="root",
-        mode="644",
-        email=email,
-    )
+    def configure(self):
+        files.template(
+            src=importlib.resources.files(__package__).joinpath(
+                "response-file.yaml.j2"
+            ),
+            dest="/var/lib/acme/conf/responses",
+            user="root",
+            group="root",
+            mode="644",
+            email=self.email,
+        )

-    files.template(
-        src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
-        dest="/var/lib/acme/conf/target",
-        user="root",
-        group="root",
-        mode="644",
-    )
+        files.template(
+            src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
+            dest="/var/lib/acme/conf/target",
+            user="root",
+            group="root",
+            mode="644",
+        )

-    service_file = files.put(
-        src=importlib.resources.files(__package__).joinpath(
-            "acmetool-redirector.service"
-        ),
-        dest="/etc/systemd/system/acmetool-redirector.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    if host.get_fact(SystemdStatus).get("nginx.service"):
+        server.shell(
+            name=f"Remove old acmetool desired files for {self.domains[0]}",
+            commands=[f'rm -f /var/lib/acme/desired/"{self.domains[0]}"-*'],
+        )
+        files.template(
+            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
+            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
+            user="root",
+            group="root",
+            mode="644",
+            domains=self.domains,
+        )
+
+        service_file = files.put(
+            src=importlib.resources.files(__package__).joinpath(
+                "acmetool-redirector.service"
+            ),
+            dest="/etc/systemd/system/acmetool-redirector.service",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart_redirector = service_file.changed
+
+        reconcile_service_file = files.put(
+            src=importlib.resources.files(__package__).joinpath(
+                "acmetool-reconcile.service"
+            ),
+            dest="/etc/systemd/system/acmetool-reconcile.service",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart_reconcile_service = reconcile_service_file.changed
+
+        reconcile_timer_file = files.put(
+            src=importlib.resources.files(__package__).joinpath(
+                "acmetool-reconcile.timer"
+            ),
+            dest="/etc/systemd/system/acmetool-reconcile.timer",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart_reconcile_timer = reconcile_timer_file.changed
+
+    def activate(self):
        systemd.service(
-            name="Stop nginx service to free port 80",
-            service="nginx",
+            name="Stop nginx to free port 80 for acmetool",
+            service="nginx.service",
            running=False,
+            enabled=True,
        )

-    systemd.service(
-        name="Setup acmetool-redirector service",
-        service="acmetool-redirector.service",
-        running=True,
-        enabled=True,
-        restarted=service_file.changed,
-    )
+        systemd.service(
+            name="Setup acmetool-redirector service",
+            service="acmetool-redirector.service",
+            running=True,
+            enabled=True,
+            restarted=self.need_restart_redirector,
+        )
+        self.need_restart_redirector = False

-    server.shell(
-        name=f"Request certificate for: { ', '.join(domains) }",
-        commands=[f"acmetool want { ' '.join(domains)}"],
-    )
+        systemd.service(
+            name="Setup acmetool-reconcile service",
+            service="acmetool-reconcile.service",
+            running=False,
+            enabled=False,
+            daemon_reload=self.need_restart_reconcile_service,
+        )
+        self.need_restart_reconcile_service = False
+
+        systemd.service(
+            name="Setup acmetool-reconcile timer",
+            service="acmetool-reconcile.timer",
+            running=True,
+            enabled=True,
+            daemon_reload=self.need_restart_reconcile_timer,
+        )
+        self.need_restart_reconcile_timer = False
+
+        # Add the first domain to /etc/hosts to help acmetool's self-test
+        # bypass external firewalls or split-brain DNS issues.
+        server.shell(
+            name=f"Add {self.domains[0]} to /etc/hosts for self-test",
+            commands=[
+                f"grep -q ' {self.domains[0]}$' /etc/hosts || echo '127.0.0.1 {self.domains[0]}' >> /etc/hosts"
+            ],
+        )
+
+        server.shell(
+            name=f"Reconcile certificates for: {', '.join(self.domains)}",
+            commands=["acmetool --batch --xlog.severity=debug reconcile"],
+        )
--- a/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.service
+++ b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renew TLS certificates with acmetool
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/acmetool --batch reconcile
+
--- a/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.timer
+++ b/cmdeploy/src/cmdeploy/acmetool/acmetool-reconcile.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Renew TLS certificates with acmetool
+
+[Timer]
+OnCalendar=*-*-* 16:20:00
+
+[Install]
+WantedBy=timers.target
--- a/cmdeploy/src/cmdeploy/acmetool/acmetool.cron
+++ b/cmdeploy/src/cmdeploy/acmetool/acmetool.cron
@@ -1,4 +0,0 @@
-SHELL=/bin/sh
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-MAILTO=root
-20 16 * * * root /usr/bin/acmetool --batch reconcile && systemctl reload dovecot && systemctl reload postfix
--- a/cmdeploy/src/cmdeploy/acmetool/acmetool.hook
+++ b/cmdeploy/src/cmdeploy/acmetool/acmetool.hook
@@ -3,3 +3,5 @@ set -e
 EVENT_NAME="$1"
 [ "$EVENT_NAME" = "live-updated" ] || exit 42
 systemctl restart nginx.service
+systemctl reload dovecot.service
+systemctl reload postfix.service
--- a/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
@@ -0,0 +1,6 @@
+satisfy:
+  names:
+{%- for domain in domains %}
+  - {{ domain }}
+{%- endfor %}
+
--- a/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true
--- a/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
@@ -1,7 +1,8 @@
 request:
  provider: https://acme-v02.api.letsencrypt.org/directory
  key:
-    type: rsa
+    type: ecdsa
+    ecdsa-curve: nistp256
  challenge:
    webroot-paths:
    - /var/www/html/.well-known/acme-challenge
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -0,0 +1,112 @@
+import importlib.resources
+import io
+import os
+
+from pyinfra.operations import files, server, systemd
+
+
+def get_resource(arg, pkg=__package__):
+    return importlib.resources.files(pkg).joinpath(arg)
+
+
+def configure_remote_units(mail_domain, units) -> None:
+    remote_base_dir = "/usr/local/lib/chatmaild"
+    remote_venv_dir = f"{remote_base_dir}/venv"
+    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
+    root_owned = dict(user="root", group="root", mode="644")
+
+    # install systemd units
+    for fn in units:
+        execpath = fn if fn != "filtermail-incoming" else "filtermail"
+        params = dict(
+            execpath=f"{remote_venv_dir}/bin/{execpath}",
+            config_path=remote_chatmail_inipath,
+            remote_venv_dir=remote_venv_dir,
+            mail_domain=mail_domain,
+        )
+
+        basename = fn if "." in fn else f"{fn}.service"
+
+        source_path = get_resource(f"service/{basename}.f")
+        content = source_path.read_text().format(**params).encode()
+
+        files.put(
+            name=f"Upload {basename}",
+            src=io.BytesIO(content),
+            dest=f"/etc/systemd/system/{basename}",
+            **root_owned,
+        )
+
+
+def activate_remote_units(units) -> None:
+    # activate systemd units
+    for fn in units:
+        basename = fn if "." in fn else f"{fn}.service"
+
+        if fn == "chatmail-expire" or fn == "chatmail-fsreport":
+            # don't auto-start but let the corresponding timer trigger execution
+            enabled = False
+        else:
+            enabled = True
+        systemd.service(
+            name=f"Setup {basename}",
+            service=basename,
+            running=enabled,
+            enabled=enabled,
+            restarted=enabled,
+            daemon_reload=True,
+        )
+
+
+class Deployment:
+    def install(self, deployer):
+        # optional 'required_users' contains a list of (user, group, secondary-group-list) tuples.
+        # If the group is None, no group is created corresponding to that user.
+        # If the secondary group list is not None, all listed groups are created as well.
+        required_users = getattr(deployer, "required_users", [])
+        for user, group, groups in required_users:
+            if group is not None:
+                server.group(
+                    name="Create {} group".format(group), group=group, system=True
+                )
+            if groups is not None:
+                for group2 in groups:
+                    server.group(
+                        name="Create {} group".format(group2), group=group2, system=True
+                    )
+            server.user(
+                name="Create {} user".format(user),
+                user=user,
+                group=group,
+                groups=groups,
+                system=True,
+            )
+
+        deployer.install()
+
+    def configure(self, deployer):
+        deployer.configure()
+
+    def activate(self, deployer):
+        deployer.activate()
+
+    def perform_stages(self, deployers):
+        default_stages = "install,configure,activate"
+        stages = os.getenv("CMDEPLOY_STAGES", default_stages).split(",")
+
+        for stage in stages:
+            for deployer in deployers:
+                getattr(self, stage)(deployer)
+
+
+class Deployer:
+    need_restart = False
+
+    def install(self):
+        pass
+
+    def configure(self):
+        pass
+
+    def activate(self):
+        pass
--- a/cmdeploy/src/cmdeploy/chatmail.zone.f
+++ b/cmdeploy/src/cmdeploy/chatmail.zone.f
@@ -1,15 +0,0 @@
-{chatmail_domain}.                   A     {ipv4}
-{chatmail_domain}.                   AAAA  {ipv6}
-{chatmail_domain}.                   MX 10 {chatmail_domain}.
-_submission._tcp.{chatmail_domain}.  SRV 0 1 587 {chatmail_domain}.
-_submissions._tcp.{chatmail_domain}. SRV 0 1 465 {chatmail_domain}.
-_imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
-_imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
-{chatmail_domain}.                   CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
-{chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} ~all"
-_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
-_mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
-mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
-www.{chatmail_domain}.               CNAME {chatmail_domain}.
-{dkim_entry}
-_adsp._domainkey.{chatmail_domain}.  TXT "dkim=discardable"
--- a/cmdeploy/src/cmdeploy/chatmail.zone.j2
+++ b/cmdeploy/src/cmdeploy/chatmail.zone.j2
@@ -0,0 +1,30 @@
+;
+; Required DNS entries for chatmail servers 
+;
+{% if A %}
+{{ mail_domain }}.                   A     {{ A }}
+{% endif %}
+{% if AAAA %}
+{{ mail_domain }}.                   AAAA  {{ AAAA }}
+{% endif %}
+{{ mail_domain }}.                   MX 10 {{ mail_domain }}.
+_mta-sts.{{ mail_domain }}.          TXT "v=STSv1; id={{ sts_id }}"
+mta-sts.{{ mail_domain }}.           CNAME {{ mail_domain }}.
+www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
+{{ dkim_entry }}
+
+;
+; Recommended DNS entries for interoperability and security-hardening
+;
+{{ mail_domain }}.                   TXT "v=spf1 a ~all"
+_dmarc.{{ mail_domain }}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
+
+{% if acme_account_url %}
+{{ mail_domain }}.                   CAA 0 issue "letsencrypt.org;accounturi={{ acme_account_url }}"
+{% endif %}
+_adsp._domainkey.{{ mail_domain }}.  TXT "dkim=discardable"
+
+_submission._tcp.{{ mail_domain }}.  SRV 0 1 587 {{ mail_domain }}.
+_submissions._tcp.{{ mail_domain }}. SRV 0 1 465 {{ mail_domain }}.
+_imap._tcp.{{ mail_domain }}.        SRV 0 1 143 {{ mail_domain }}.
+_imaps._tcp.{{ mail_domain }}.       SRV 0 1 993 {{ mail_domain }}.
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -4,19 +4,22 @@ along with command line option and subcommand parsing.
 """

 import argparse
-import shutil
-import subprocess
 import importlib.resources
 import importlib.util
 import os
+import pathlib
+import shutil
+import subprocess
 import sys
 from pathlib import Path

-
-from termcolor import colored
+import pyinfra
 from chatmaild.config import read_config, write_initial_config
-from cmdeploy.dns import show_dns, check_necessary_dns
+from packaging import version
+from termcolor import colored

+from . import dns, remote
+from .sshexec import LocalExec, SSHExec

 #
 # cmdeploy sub commands and options
@@ -29,20 +32,30 @@ def init_cmd_options(parser):
        action="store",
        help="fully qualified DNS domain name for your chatmail instance",
    )
+    parser.add_argument(
+        "--force",
+        dest="recreate_ini",
+        action="store_true",
+        help="force reacreate ini file",
+    )


 def init_cmd(args, out):
    """Initialize chatmail config file."""
    mail_domain = args.chatmail_domain
+    inipath = args.inipath
    if args.inipath.exists():
-        print(f"Path exists, not modifying: {args.inipath}")
-    else:
-        write_initial_config(args.inipath, mail_domain)
-        out.green(f"created config file for {mail_domain} in {args.inipath}")
-    check_necessary_dns(
-        out,
-        mail_domain,
-    )
+        if not args.recreate_ini:
+            print(f"[WARNING] Path exists, not modifying: {inipath}")
+            return 1
+        else:
+            print(
+                f"[WARNING] Force argument was provided, deleting config file: {inipath}"
+            )
+            inipath.unlink()
+
+    write_initial_config(inipath, mail_domain, overrides={})
+    out.green(f"created config file for {mail_domain} in {inipath}")


 def run_cmd_options(parser):
@@ -52,45 +65,112 @@ def run_cmd_options(parser):
        action="store_true",
        help="don't actually modify the server",
    )
+    parser.add_argument(
+        "--disable-mail",
+        dest="disable_mail",
+        action="store_true",
+        help="install/upgrade the server, but disable postfix & dovecot for now",
+    )
+    parser.add_argument(
+        "--skip-dns-check",
+        dest="dns_check_disabled",
+        action="store_true",
+        help="disable checks nslookup for dns",
+    )
+    add_ssh_host_option(parser)


 def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""
-    mail_domain = args.config.mail_domain
-    if not check_necessary_dns(
-        out,
-        mail_domain,
-    ):
-        sys.exit(1)
+
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    sshexec = get_sshexec(ssh_host)
+    require_iroh = args.config.enable_iroh_relay
+    if not args.dns_check_disabled:
+        remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
+        if not dns.check_initial_remote_data(remote_data, print=out.red):
+            return 1

    env = os.environ.copy()
    env["CHATMAIL_INI"] = args.inipath
-    deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve()
+    env["CHATMAIL_DISABLE_MAIL"] = "True" if args.disable_mail else ""
+    env["CHATMAIL_REQUIRE_IROH"] = "True" if require_iroh else ""
+    deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
-    cmd = f"{pyinf} --ssh-user root {args.config.mail_domain} {deploy_path}"

-    out.check_call(cmd, env=env)
-    print("Deploy completed, call `cmdeploy dns` next.")
+    cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
+    if ssh_host in ["localhost", "@docker"]:
+        cmd = f"{pyinf} @local {deploy_path} -y"
+
+    if version.parse(pyinfra.__version__) < version.parse("3"):
+        out.red("Please re-run scripts/initenv.sh to update pyinfra to version 3.")
+        return 1
+
+    try:
+        retcode = out.check_call(cmd, env=env)
+        if retcode == 0:
+            out.green("Deploy completed, call `cmdeploy dns` next.")
+        elif not remote_data["acme_account_url"]:
+            out.red("Deploy completed but letsencrypt not configured")
+            out.red("Run 'cmdeploy run' again")
+            retcode = 0
+        else:
+            out.red("Deploy failed")
+    except subprocess.CalledProcessError:
+        out.red("Deploy failed")
+        retcode = 1
+    return retcode


 def dns_cmd_options(parser):
    parser.add_argument(
        "--zonefile",
        dest="zonefile",
-        help="print the whole zonefile for deploying directly",
+        type=pathlib.Path,
+        default=None,
+        help="write out a zonefile",
    )
+    add_ssh_host_option(parser)


 def dns_cmd(args, out):
-    """Generate dns zone file."""
-    exit_code = show_dns(args, out)
-    exit(exit_code)
+    """Check DNS entries and optionally generate dns zone file."""
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
+    remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
+    if not remote_data:
+        return 1
+
+    if not remote_data["acme_account_url"]:
+        out.red("could not get letsencrypt account url, please run 'cmdeploy run'")
+        return 1
+
+    if not remote_data["dkim_entry"]:
+        out.red("could not determine dkim_entry, please run 'cmdeploy run'")
+        return 1
+
+    zonefile = dns.get_filled_zone_file(remote_data)
+
+    if args.zonefile:
+        args.zonefile.write_text(zonefile)
+        out.green(f"DNS records successfully written to: {args.zonefile}")
+        return 0
+
+    retcode = dns.check_full_zone(
+        sshexec, remote_data=remote_data, zonefile=zonefile, out=out
+    )
+    return retcode
+
+
+def status_cmd_options(parser):
+    add_ssh_host_option(parser)


 def status_cmd(args, out):
    """Display status for online chatmail instance."""

-    ssh = f"ssh root@{args.config.mail_domain}"
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
+    sshexec = get_sshexec(ssh_host, verbose=args.verbose)

    out.green(f"chatmail domain: {args.config.mail_domain}")
    if args.config.privacy_mail:
@@ -98,10 +178,8 @@ def status_cmd(args, out):
    else:
        out.red("no privacy settings")

-    s1 = "systemctl --type=service --state=running"
-    for line in out.shell_output(f"{ssh} -- {s1}").split("\n"):
-        if line.startswith("  "):
-            print(line)
+    for line in sshexec(remote.rshell.get_systemd_running):
+        print(line)


 def test_cmd_options(parser):
@@ -116,12 +194,12 @@ def test_cmd_options(parser):
 def test_cmd(args, out):
    """Run local and online tests for chatmail deployment.

-    This will automatically pip-install 'deltachat' if it's not available.
+    This will automatically uv-pip-install 'deltachat' if it's not available.
    """

    x = importlib.util.find_spec("deltachat")
    if x is None:
-        out.check_call(f"{sys.executable} -m pip install deltachat")
+        out.check_call("uv pip install deltachat")

    pytest_path = shutil.which("pytest")
    pytest_args = [
@@ -130,7 +208,7 @@ def test_cmd(args, out):
        "-n4",
        "-rs",
        "-x",
-        "-vrx",
+        "-v",
        "--durations=5",
    ]
    if args.slow:
@@ -140,14 +218,6 @@ def test_cmd(args, out):


 def fmt_cmd_options(parser):
-    parser.add_argument(
-        "--verbose",
-        "-v",
-        dest="verbose",
-        action="store_true",
-        help="provide information on invocations",
-    )
-
    parser.add_argument(
        "--check",
        "-c",
@@ -157,27 +227,31 @@ def fmt_cmd_options(parser):


 def fmt_cmd(args, out):
-    """Run formattting fixes (ruff and black) on all chatmail source code."""
+    """Run formattting fixes on all chatmail source code."""

-    sources = [str(importlib.resources.files(x)) for x in ("chatmaild", "cmdeploy")]
-    black_args = [shutil.which("black")]
-    ruff_args = [shutil.which("ruff")]
+    chatmaild_dir = importlib.resources.files("chatmaild").resolve()
+    cmdeploy_dir = chatmaild_dir.joinpath(
+        "..", "..", "..", "cmdeploy", "src", "cmdeploy"
+    ).resolve()
+    sources = [str(chatmaild_dir), str(cmdeploy_dir)]
+
+    format_args = [shutil.which("ruff"), "format"]
+    check_args = [shutil.which("ruff"), "check"]

    if args.check:
-        black_args.append("--check")
+        format_args.append("--diff")
    else:
-        ruff_args.append("--fix")
+        check_args.append("--fix")

    if not args.verbose:
-        black_args.append("-q")
-        ruff_args.append("-q")
+        check_args.append("--quiet")
+        format_args.append("--quiet")

-    black_args.extend(sources)
-    ruff_args.extend(sources)
+    format_args.extend(sources)
+    check_args.extend(sources)

-    out.check_call(" ".join(black_args), quiet=not args.verbose)
-    out.check_call(" ".join(ruff_args), quiet=not args.verbose)
-    return 0
+    out.check_call(" ".join(format_args), quiet=not args.verbose)
+    out.check_call(" ".join(check_args), quiet=not args.verbose)


 def bench_cmd(args, out):
@@ -213,16 +287,6 @@ class Out:
        color = "red" if red else ("green" if green else None)
        print(colored(msg, color), file=file)

-    def shell_output(self, arg, no_print=False, timeout=10):
-        if not no_print:
-            self(f"[$ {arg}]", file=sys.stderr)
-            output = subprocess.STDOUT
-        else:
-            output = subprocess.DEVNULL
-        return subprocess.check_output(
-            arg, shell=True, timeout=timeout, stderr=output
-        ).decode()
-
    def check_call(self, arg, env=None, quiet=False):
        if not quiet:
            self(f"[$ {arg}]", file=sys.stderr)
@@ -232,10 +296,19 @@ class Out:
        if not quiet:
            cmdstring = " ".join(args)
            self(f"[$ {cmdstring}]", file=sys.stderr)
-        proc = subprocess.run(args, env=env)
+        proc = subprocess.run(args, env=env, check=False)
        return proc.returncode


+def add_ssh_host_option(parser):
+    parser.add_argument(
+        "--ssh-host",
+        dest="ssh_host",
+        help="Run commands on 'localhost', via '@docker', or on a specific SSH host "
+        "instead of chatmail.ini's mail_domain.",
+    )
+
+
 def add_config_option(parser):
    parser.add_argument(
        "--config",
@@ -245,6 +318,14 @@ def add_config_option(parser):
        type=Path,
        help="path to the chatmail.ini file",
    )
+    parser.add_argument(
+        "--verbose",
+        "-v",
+        dest="verbose",
+        action="store_true",
+        default=False,
+        help="provide verbose logging",
+    )


 def add_subcommand(subparsers, func):
@@ -283,12 +364,23 @@ def get_parser():
    return parser


+def get_sshexec(ssh_host: str, verbose=True):
+    if ssh_host in ["localhost", "@local"]:
+        return LocalExec(verbose, docker=False)
+    elif ssh_host == "@docker":
+        return LocalExec(verbose, docker=True)
+    if verbose:
+        print(f"[ssh] login to {ssh_host}")
+    return SSHExec(ssh_host, verbose=verbose)
+
+
 def main(args=None):
-    """Provide main entry point for 'xdcget' CLI invocation."""
+    """Provide main entry point for 'cmdeploy' CLI invocation."""
    parser = get_parser()
    args = parser.parse_args(args=args)
    if not hasattr(args, "func"):
        return parser.parse_args(["-h"])
+
    out = Out()
    kwargs = {}
    if args.func.__name__ not in ("init_cmd", "fmt_cmd"):
@@ -306,7 +398,6 @@ def main(args=None):
        if res is None:
            res = 0
        return res
-
    except KeyboardInterrupt:
        out.red("KeyboardInterrupt")
        sys.exit(130)
--- a/cmdeploy/src/cmdeploy/deploy.py
+++ b/cmdeploy/src/cmdeploy/deploy.py
@@ -1,17 +0,0 @@
-import os
-import importlib.resources
-import pyinfra
-from cmdeploy import deploy_chatmail
-
-
-def main():
-    config_path = os.getenv(
-        "CHATMAIL_INI",
-        importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
-    )
-
-    deploy_chatmail(config_path)
-
-
-if pyinfra.is_cli:
-    main()
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -0,0 +1,641 @@
+"""
+Chat Mail pyinfra deploy.
+"""
+
+import shutil
+import subprocess
+import sys
+from io import StringIO
+from pathlib import Path
+
+from chatmaild.config import read_config
+from pyinfra import facts, host, logger
+from pyinfra.api import FactBase
+from pyinfra.facts.files import Sha256File
+from pyinfra.facts.systemd import SystemdEnabled
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.cmdeploy import Out
+
+from .acmetool import AcmetoolDeployer
+from .basedeploy import (
+    Deployer,
+    Deployment,
+    activate_remote_units,
+    configure_remote_units,
+    get_resource,
+)
+from .dovecot.deployer import DovecotDeployer
+from .mtail.deployer import MtailDeployer
+from .nginx.deployer import NginxDeployer
+from .opendkim.deployer import OpendkimDeployer
+from .postfix.deployer import PostfixDeployer
+from .www import build_webpages, find_merge_conflict, get_paths
+
+
+class Port(FactBase):
+    """
+    Returns the process occuping a port.
+    """
+
+    def command(self, port: int) -> str:
+        return (
+            "ss -lptn 'src :%d' | awk 'NR>1 {print $6,$7}' | sed 's/users:((\"//;s/\".*//'"
+            % (port,)
+        )
+
+    def process(self, output: [str]) -> str:
+        return output[0]
+
+
+def _build_chatmaild(dist_dir) -> None:
+    dist_dir = Path(dist_dir).resolve()
+    if dist_dir.exists():
+        shutil.rmtree(dist_dir)
+    dist_dir.mkdir()
+    subprocess.check_output(
+        ["uv", "run", "python", "-m", "build", "-n"]
+        + ["--sdist", "chatmaild", "--outdir", str(dist_dir)]
+    )
+    entries = list(dist_dir.iterdir())
+    assert len(entries) == 1
+    return entries[0]
+
+
+def remove_legacy_artifacts():
+    # disable legacy doveauth-dictproxy.service
+    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
+        systemd.service(
+            name="Disable legacy doveauth-dictproxy.service",
+            service="doveauth-dictproxy.service",
+            running=False,
+            enabled=False,
+        )
+
+
+def _install_remote_venv_with_chatmaild() -> None:
+    remove_legacy_artifacts()
+    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
+    remote_base_dir = "/usr/local/lib/chatmaild"
+    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
+    remote_venv_dir = f"{remote_base_dir}/venv"
+    root_owned = dict(user="root", group="root", mode="644")
+    root_owned_dir = dict(user="root", group="root", mode="755")
+    uv_prefix = "UV_PYTHON_INSTALL_DIR=/usr/local/share/uv/python"
+
+    server.shell(
+        name="Install uv globally if not present",
+        commands=[
+            "command -v uv >/dev/null 2>&1 || (curl -LsSf https://astral.sh/uv/install.sh | INSTALLER_NO_MODIFY_PATH=1 sudo sh -s -- --install-dir /usr/local/bin)",
+        ],
+    )
+
+    files.directory(
+        name="Ensure shared uv python directory exists",
+        path="/usr/local/share/uv/python",
+        **root_owned_dir,
+    )
+
+    files.put(
+        name="Upload chatmaild source package",
+        src=dist_file.open("rb"),
+        dest=remote_dist_file,
+        create_remote_dir=True,
+        **root_owned,
+    )
+    # Ensure parent directory is accessible
+    files.directory(
+        name=f"Ensure {remote_base_dir} is accessible",
+        path=remote_base_dir,
+        **root_owned_dir,
+    )
+    files.directory(
+        name=f"Ensure {remote_base_dir}/dist is accessible",
+        path=f"{remote_base_dir}/dist",
+        **root_owned_dir,
+    )
+
+    server.shell(
+        name=f"chatmaild virtualenv {remote_venv_dir}",
+        commands=[f"{uv_prefix} uv venv {remote_venv_dir} --python 3.11 --allow-existing"],
+    )
+
+    # Ensure venv and managed pythons are accessible by other users (like www-data)
+    server.shell(
+        name="Make venv and managed pythons accessible",
+        commands=[
+            f"chmod -R a+rX {remote_venv_dir}",
+            "chmod -R a+rX /usr/local/share/uv/python || true",
+        ],
+    )
+
+    apt.packages(
+        name="install build-essential and headers to build crypt_r source package",
+        packages=["build-essential", "python3-dev"],
+    )
+
+    server.shell(
+        name=f"forced uv-pip-install {dist_file.name}",
+        commands=[
+            f"{uv_prefix} uv pip install --python {remote_venv_dir}/bin/python --force-reinstall {remote_dist_file}"
+        ],
+    )
+
+
+def _configure_remote_venv_with_chatmaild(config) -> None:
+    remote_base_dir = "/usr/local/lib/chatmaild"
+    remote_venv_dir = f"{remote_base_dir}/venv"
+    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
+    root_owned = dict(user="root", group="root", mode="644")
+
+    files.put(
+        name=f"Upload {remote_chatmail_inipath}",
+        src=config._getbytefile(),
+        dest=remote_chatmail_inipath,
+        **root_owned,
+    )
+
+    files.template(
+        src=get_resource("metrics.cron.j2"),
+        dest="/etc/cron.d/chatmail-metrics",
+        user="root",
+        group="root",
+        mode="644",
+        config={
+            "mailboxes_dir": config.mailboxes_dir,
+            "execpath": f"{remote_venv_dir}/bin/chatmail-metrics",
+        },
+    )
+
+
+class UnboundDeployer(Deployer):
+    def install(self):
+        # Run local DNS resolver `unbound`.
+        # `resolvconf` takes care of setting up /etc/resolv.conf
+        # to use 127.0.0.1 as the resolver.
+
+        #
+        # On an IPv4-only system, if unbound is started but not
+        # configured, it causes subsequent steps to fail to resolve hosts.
+        # Here, we use policy-rc.d to prevent unbound from starting up
+        # on initial install.  Later, we will configure it and start it.
+        #
+        # For documentation about policy-rc.d, see:
+        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
+        #
+        files.put(
+            src=get_resource("policy-rc.d"),
+            dest="/usr/sbin/policy-rc.d",
+            user="root",
+            group="root",
+            mode="755",
+        )
+
+        apt.packages(
+            name="Install unbound",
+            packages=["unbound", "unbound-anchor", "dnsutils"],
+        )
+
+        files.file("/usr/sbin/policy-rc.d", present=False)
+
+    def configure(self):
+        server.shell(
+            name="Generate root keys for validating DNSSEC",
+            commands=[
+                "unbound-anchor -a /var/lib/unbound/root.key || true",
+            ],
+        )
+
+    def activate(self):
+        # Stop and disable systemd-resolved if it's running.
+        systemd.service(
+            name="Stop and disable systemd-resolved",
+            service="systemd-resolved.service",
+            running=False,
+            enabled=False,
+            _ignore_errors=True,
+        )
+
+        server.shell(
+            name="Generate root keys for validating DNSSEC",
+            commands=[
+                "systemctl reset-failed unbound.service",
+            ],
+        )
+
+        systemd.service(
+            name="Start and enable unbound",
+            service="unbound.service",
+            running=True,
+            enabled=True,
+        )
+
+
+class MtastsDeployer(Deployer):
+    def configure(self):
+        # Remove configuration.
+        files.file("/etc/mta-sts-daemon.yml", present=False)
+        files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
+        files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
+
+    def activate(self):
+        systemd.service(
+            name="Stop MTA-STS daemon",
+            service="mta-sts-daemon.service",
+            daemon_reload=True,
+            running=False,
+            enabled=False,
+        )
+
+
+class WebsiteDeployer(Deployer):
+    def __init__(self, config):
+        self.config = config
+
+    def install(self):
+        files.directory(
+            name="Ensure /var/www exists",
+            path="/var/www",
+            user="root",
+            group="root",
+            mode="755",
+            present=True,
+        )
+
+    def configure(self):
+        www_path, src_dir, build_dir = get_paths(self.config)
+        # if www_folder was set to a non-existing folder, skip upload
+        if not www_path.is_dir():
+            logger.warning("Building web pages is disabled in chatmail.ini, skipping")
+        elif (path := find_merge_conflict(src_dir)) is not None:
+            logger.warning(
+                f"Merge conflict found in {path}, skipping website deployment. Fix merge conflict if you want to upload your web page."
+            )
+        else:
+            # if www_folder is a hugo page, build it
+            if build_dir:
+                www_path = build_webpages(src_dir, build_dir, self.config)
+            # if it is not a hugo page, upload it as is
+            files.rsync(
+                f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
+            )
+
+
+class LegacyRemoveDeployer(Deployer):
+    def install(self):
+        apt.packages(name="Remove rspamd", packages="rspamd", present=False)
+
+        # remove historic expunge script
+        # which is now implemented through a systemd timer (chatmail-expire)
+        files.file(
+            path="/etc/cron.d/expunge",
+            present=False,
+        )
+
+        # Remove OBS repository key that is no longer used.
+        files.file("/etc/apt/keyrings/obs-home-deltachat.gpg", present=False)
+        files.line(
+            name="Remove DeltaChat OBS home repository from sources.list",
+            path="/etc/apt/sources.list",
+            line="deb [signed-by=/etc/apt/keyrings/obs-home-deltachat.gpg] https://download.opensuse.org/repositories/home:/deltachat/Debian_12/ ./",
+            escape_regex_characters=True,
+            present=False,
+        )
+
+        # prior relay versions used filelogging
+        files.directory(
+            name="Ensure old logs on disk are deleted",
+            path="/var/log/journal/",
+            present=False,
+        )
+        # remove echobot if it is still running
+        if host.get_fact(SystemdEnabled).get("echobot.service"):
+            systemd.service(
+                name="Disable echobot.service",
+                service="echobot.service",
+                running=False,
+                enabled=False,
+            )
+
+
+def check_config(config):
+    mail_domain = config.mail_domain
+    if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
+        blocked_words = "merlinux schmieder testrun.org".split()
+        for key in config.__dict__:
+            value = config.__dict__[key]
+            if key.startswith("privacy") and any(
+                x in str(value) for x in blocked_words
+            ):
+                raise ValueError(
+                    f"please set your own privacy contacts/addresses in {config._inipath}"
+                )
+    return config
+
+
+class TurnDeployer(Deployer):
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+        self.units = ["turnserver"]
+
+    def install(self):
+        (url, sha256sum) = {
+            "x86_64": (
+                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-x86_64-linux",
+                "841e527c15fdc2940b0469e206188ea8f0af48533be12ecb8098520f813d41e4",
+            ),
+            "aarch64": (
+                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-aarch64-linux",
+                "a5fc2d06d937b56a34e098d2cd72a82d3e89967518d159bf246dc69b65e81b42",
+            ),
+        }[host.get_fact(facts.server.Arch)]
+
+        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/chatmail-turn")
+        if existing_sha256sum != sha256sum:
+            server.shell(
+                name="Download chatmail-turn",
+                commands=[
+                    f"(curl -L {url} >/usr/local/bin/chatmail-turn.new && (echo '{sha256sum} /usr/local/bin/chatmail-turn.new' | sha256sum -c) && mv /usr/local/bin/chatmail-turn.new /usr/local/bin/chatmail-turn)",
+                    "chmod 755 /usr/local/bin/chatmail-turn",
+                ],
+            )
+
+    def configure(self):
+        configure_remote_units(self.mail_domain, self.units)
+
+    def activate(self):
+        activate_remote_units(self.units)
+
+
+class IrohDeployer(Deployer):
+    def __init__(self, enable_iroh_relay):
+        self.enable_iroh_relay = enable_iroh_relay
+
+    def install(self):
+        (url, sha256sum) = {
+            "x86_64": (
+                "https://github.com/n0-computer/iroh/releases/download/v0.35.0/iroh-relay-v0.35.0-x86_64-unknown-linux-musl.tar.gz",
+                "45c81199dbd70f8c4c30fef7f3b9727ca6e3cea8f2831333eeaf8aa71bf0fac1",
+            ),
+            "aarch64": (
+                "https://github.com/n0-computer/iroh/releases/download/v0.35.0/iroh-relay-v0.35.0-aarch64-unknown-linux-musl.tar.gz",
+                "f8ef27631fac213b3ef668d02acd5b3e215292746a3fc71d90c63115446008b1",
+            ),
+        }[host.get_fact(facts.server.Arch)]
+
+        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/iroh-relay")
+        if existing_sha256sum != sha256sum:
+            server.shell(
+                name="Download iroh-relay",
+                commands=[
+                    f"(curl -L {url} | gunzip | tar -x -f - ./iroh-relay -O >/usr/local/bin/iroh-relay.new && (echo '{sha256sum} /usr/local/bin/iroh-relay.new' | sha256sum -c) && mv /usr/local/bin/iroh-relay.new /usr/local/bin/iroh-relay)",
+                    "chmod 755 /usr/local/bin/iroh-relay",
+                ],
+            )
+
+            self.need_restart = True
+
+    def configure(self):
+        systemd_unit = files.put(
+            name="Upload iroh-relay systemd unit",
+            src=get_resource("iroh-relay.service"),
+            dest="/etc/systemd/system/iroh-relay.service",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart |= systemd_unit.changed
+
+        iroh_config = files.put(
+            name="Upload iroh-relay config",
+            src=get_resource("iroh-relay.toml"),
+            dest="/etc/iroh-relay.toml",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart |= iroh_config.changed
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable iroh-relay",
+            service="iroh-relay.service",
+            running=True,
+            enabled=self.enable_iroh_relay,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
+
+
+class JournaldDeployer(Deployer):
+    def configure(self):
+        journald_conf = files.put(
+            name="Configure journald",
+            src=get_resource("journald.conf"),
+            dest="/etc/systemd/journald.conf",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart = journald_conf.changed
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable journald",
+            service="systemd-journald.service",
+            running=True,
+            enabled=True,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
+
+
+class ChatmailVenvDeployer(Deployer):
+    def __init__(self, config):
+        self.config = config
+        self.units = (
+            "filtermail",
+            "filtermail-incoming",
+            "chatmail-metadata",
+            "lastlogin",
+            "chatmail-expire",
+            "chatmail-expire.timer",
+            "chatmail-fsreport",
+            "chatmail-fsreport.timer",
+        )
+
+    def install(self):
+        _install_remote_venv_with_chatmaild()
+
+    def configure(self):
+        # Ensure postfix can read certificates
+        server.shell(
+            name="Add postfix to ssl-cert group and fix acme permissions",
+            commands=[
+                "groupadd -f ssl-cert",
+                "usermod -a -G ssl-cert postfix",
+                "usermod -a -G ssl-cert dovecot",
+                "if [ -d /var/lib/acme/live ]; then "
+                "chown -R root:ssl-cert /var/lib/acme/live && "
+                "chmod 750 /var/lib/acme/live && "
+                "chmod 640 /var/lib/acme/live/*/privkey && "
+                "chmod 644 /var/lib/acme/live/*/fullchain; "
+                "fi",
+            ],
+        )
+        _configure_remote_venv_with_chatmaild(self.config)
+        configure_remote_units(self.config.mail_domain, self.units)
+
+    def activate(self):
+        activate_remote_units(self.units)
+
+
+class ChatmailDeployer(Deployer):
+    required_users = [
+        ("vmail", "vmail", None),
+        ("iroh", None, None),
+    ]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+
+    def install(self):
+        server.shell(
+            name="Fix broken packages",
+            commands=["apt-get install -f -y"],
+        )
+        server.shell(
+            name="Enable universe repository",
+            commands=["add-apt-repository -y universe || true"],
+        )
+        apt.update(name="apt update", cache_time=24 * 3600)
+        apt.upgrade(name="upgrade apt packages", auto_remove=True)
+
+        apt.packages(
+            name="Install curl",
+            packages=["curl"],
+        )
+
+        apt.packages(
+            name="Install rsync",
+            packages=["rsync"],
+        )
+        apt.packages(
+            name="Ensure cron is installed",
+            packages=["cron"],
+        )
+
+    def configure(self):
+        # This file is used by auth proxy.
+        # https://wiki.debian.org/EtcMailName
+        server.shell(
+            name="Setup /etc/mailname",
+            commands=[
+                f"echo {self.mail_domain} >/etc/mailname; chmod 644 /etc/mailname"
+            ],
+        )
+
+
+class FcgiwrapDeployer(Deployer):
+    def install(self):
+        apt.packages(
+            name="Install fcgiwrap",
+            packages=["fcgiwrap"],
+        )
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable fcgiwrap",
+            service="fcgiwrap.service",
+            running=True,
+            enabled=True,
+        )
+
+
+class GithashDeployer(Deployer):
+    def activate(self):
+        try:
+            git_hash = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode()
+        except Exception:
+            git_hash = "unknown\n"
+        try:
+            git_diff = subprocess.check_output(["git", "diff"]).decode()
+        except Exception:
+            git_diff = ""
+        files.put(
+            name="Upload chatmail relay git commiit hash",
+            src=StringIO(git_hash + git_diff),
+            dest="/etc/chatmail-version",
+            mode="700",
+        )
+
+
+def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
+    """Deploy a chat-mail instance.
+
+    :param config_path: path to chatmail.ini
+    :param disable_mail: whether to disable postfix & dovecot
+    """
+    config = read_config(config_path)
+    check_config(config)
+    mail_domain = config.mail_domain
+
+    if host.get_fact(Port, port=53) != "unbound":
+        files.line(
+            name="Add 9.9.9.9 to resolv.conf",
+            path="/etc/resolv.conf",
+            line="nameserver 9.9.9.9",
+        )
+
+    port_services = [
+        (["master", "smtpd"], 25),
+        (["unbound", "systemd-resolve", "systemd-resolved"], 53),
+        ("acmetool", 80),
+        (["imap-login", "dovecot"], 143),
+        ("nginx", 443),
+        (["master", "smtpd"], 465),
+        (["master", "smtpd"], 587),
+        (["imap-login", "dovecot"], 993),
+        ("iroh-relay", 3340),
+        ("nginx", 8443),
+        (["master", "smtpd"], config.postfix_reinject_port),
+        (["master", "smtpd"], config.postfix_reinject_port_incoming),
+        ("filtermail", config.filtermail_smtp_port),
+        ("filtermail", config.filtermail_smtp_port_incoming),
+    ]
+    for service, port in port_services:
+        print(f"Checking if port {port} is available for {service}...")
+        running_service = host.get_fact(Port, port=port)
+        if running_service:
+            if running_service not in service:
+                Out().red(
+                    f"Deploy failed: port {port} is occupied by: {running_service}"
+                )
+                exit(1)
+
+    tls_domains = [mail_domain]
+
+    all_deployers = [
+        ChatmailDeployer(mail_domain),
+        LegacyRemoveDeployer(),
+        JournaldDeployer(),
+        UnboundDeployer(),
+        TurnDeployer(mail_domain),
+        IrohDeployer(config.enable_iroh_relay),
+        AcmetoolDeployer(config.acme_email, tls_domains),
+        WebsiteDeployer(config),
+        ChatmailVenvDeployer(config),
+        MtastsDeployer(),
+        OpendkimDeployer(mail_domain),
+        # Dovecot should be started before Postfix
+        # because it creates authentication socket
+        # required by Postfix.
+        DovecotDeployer(config, disable_mail),
+        PostfixDeployer(config, disable_mail),
+        FcgiwrapDeployer(),
+        NginxDeployer(config),
+        MtailDeployer(config.mtail_address),
+        GithashDeployer(),
+    ]
+
+    Deployment().perform_stages(all_deployers)
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -1,208 +1,71 @@
-import sys
-
-import requests
-import importlib
-import subprocess
 import datetime
+import importlib
+
+from jinja2 import Template
+
+from . import remote


-class DNS:
-    def __init__(self, out, mail_domain):
-        self.session = requests.Session()
-        self.out = out
-        self.ssh = f"ssh root@{mail_domain} -- "
-        self.out.shell_output(
-            f"{ self.ssh }'apt-get update && apt-get install -y dnsutils'",
-            timeout=60,
-            no_print=True,
-        )
-        try:
-            self.shell(f"unbound-control flush_zone {mail_domain}")
-        except subprocess.CalledProcessError:
-            pass
-
-    def shell(self, cmd):
-        try:
-            return self.out.shell_output(f"{self.ssh}{cmd}", no_print=True)
-        except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as e:
-            if "exit status 255" in str(e) or "timed out" in str(e):
-                self.out.red(f"Error: can't reach the server with: {self.ssh[:-4]}")
-                sys.exit(1)
-            else:
-                raise
-
-    def get_ipv4(self):
-        cmd = "ip a | grep 'inet ' | grep 'scope global' | grep -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | head -1"
-        return self.shell(cmd).strip()
-
-    def get_ipv6(self):
-        cmd = "ip a | grep inet6 | grep 'scope global' | sed -e 's#/64 scope global##' | sed -e 's#inet6##'"
-        return self.shell(cmd).strip()
-
-    def get(self, typ: str, domain: str) -> str:
-        """Get a DNS entry or empty string if there is none."""
-        dig_result = self.shell(f"dig -r -q {domain} -t {typ} +short")
-        line = dig_result.partition("\n")[0]
-        return line
-
-    def check_ptr_record(self, ip: str, mail_domain) -> bool:
-        """Check the PTR record for an IPv4 or IPv6 address."""
-        result = self.shell(f"dig -r -x {ip} +short").rstrip()
-        return result == f"{mail_domain}."
-
-
-def show_dns(args, out) -> int:
-    """Check existing DNS records, optionally write them to zone file, return exit code 0 or 1."""
-    template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
-    mail_domain = args.config.mail_domain
-    ssh = f"ssh root@{mail_domain}"
-    dns = DNS(out, mail_domain)
-
-    print("Checking your DKIM keys and DNS entries...")
-    try:
-        acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
-    except subprocess.CalledProcessError:
-        print("Please run `cmdeploy run` first.")
-        return 1
-
-    dkim_selector = "opendkim"
-    dkim_pubkey = out.shell_output(
-        ssh + f" -- openssl rsa -in /etc/dkimkeys/{dkim_selector}.private"
-        " -pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'"
+def get_initial_remote_data(sshexec, mail_domain):
+    return sshexec.logged(
+        call=remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=mail_domain)
    )
-    dkim_entry_value = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
-    dkim_entry_str = ""
-    while len(dkim_entry_value) >= 255:
-        dkim_entry_str += '"' + dkim_entry_value[:255] + '" '
-        dkim_entry_value = dkim_entry_value[255:]
-    dkim_entry_str += '"' + dkim_entry_value + '"'
-    dkim_entry = f"{dkim_selector}._domainkey.{mail_domain}. TXT {dkim_entry_str}"

-    ipv6 = dns.get_ipv6()
-    reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
-    ipv4 = dns.get_ipv4()
-    reverse_ipv4 = dns.check_ptr_record(ipv4, mail_domain)
-    to_print = []

-    with open(template, "r") as f:
-        zonefile = (
-            f.read()
-            .format(
-                acme_account_url=acme_account_url,
-                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
-                chatmail_domain=args.config.mail_domain,
-                dkim_entry=dkim_entry,
-                ipv6=ipv6,
-                ipv4=ipv4,
-            )
-            .strip()
-        )
-        try:
-            with open(args.zonefile, "w+") as zf:
-                zf.write(zonefile)
-                print(f"DNS records successfully written to: {args.zonefile}")
-            return 0
-        except TypeError:
-            pass
-        for line in zonefile.splitlines():
-            line = line.format(
-                acme_account_url=acme_account_url,
-                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
-                chatmail_domain=args.config.mail_domain,
-                dkim_entry=dkim_entry,
-                ipv6=ipv6,
-            ).strip()
-            for typ in ["A", "AAAA", "CNAME", "CAA"]:
-                if f" {typ} " in line:
-                    domain, value = line.split(f" {typ} ")
-                    current = dns.get(typ, domain.strip()[:-1])
-                    if current != value.strip():
-                        to_print.append(line)
-            if " MX " in line:
-                domain, typ, prio, value = line.split()
-                current = dns.get(typ, domain[:-1])
-                if not current:
-                    to_print.append(line)
-                elif current.split()[1] != value:
-                    print(line.replace(prio, str(int(current[0]) + 1)))
-            if " SRV " in line:
-                domain, typ, prio, weight, port, value = line.split()
-                current = dns.get("SRV", domain[:-1])
-                if current != f"{prio} {weight} {port} {value}":
-                    to_print.append(line)
-            if " TXT " in line:
-                domain, value = line.split(" TXT ")
-                current = dns.get("TXT", domain.strip()[:-1])
-                if domain.startswith("_mta-sts."):
-                    if current:
-                        if current.split("id=")[0] == value.split("id=")[0]:
-                            continue
-
-                # TXT records longer than 255 bytes
-                # are split into multiple <character-string>s.
-                # This typically happens with DKIM record
-                # which contains long RSA key.
-                #
-                # Removing `" "` before comparison
-                # to get back a single string.
-                if current.replace('" "', "") != value.replace('" "', ""):
-                    to_print.append(line)
-
-    exit_code = 0
-    if to_print:
-        to_print.insert(
-            0, "You should configure the following DNS entries at your provider:\n"
-        )
-        to_print.append(
-            "\nIf you already configured the DNS entries, wait a bit until the DNS entries propagate to the Internet."
-        )
-        print("\n".join(to_print))
-        exit_code = 1
+def check_initial_remote_data(remote_data, *, print=print):
+    mail_domain = remote_data["mail_domain"]
+    if not remote_data["A"] and not remote_data["AAAA"]:
+        print(f"Missing A and/or AAAA DNS records for {mail_domain}!")
+    elif remote_data["MTA_STS"] != f"{mail_domain}.":
+        print("Missing MTA-STS CNAME record:")
+        print(f"mta-sts.{mail_domain}.   CNAME  {mail_domain}.")
+    elif remote_data["WWW"] != f"{mail_domain}.":
+        print("Missing www CNAME record:")
+        print(f"www.{mail_domain}.   CNAME  {mail_domain}.")
    else:
-        out.green("Great! All your DNS entries are correct.")
+        return remote_data

-    to_print = []
-    if not reverse_ipv4:
-        to_print.append(f"\tIPv4:\t{ipv4}\t{args.config.mail_domain}")
-    if not reverse_ipv6:
-        to_print.append(f"\tIPv6:\t{ipv6}\t{args.config.mail_domain}")
-    if len(to_print) > 0:
-        if len(to_print) == 1:
-            warning = "You should add the following PTR/reverse DNS entry:"
-        else:
-            warning = "You should add the following PTR/reverse DNS entries:"
-        out.red(warning)
-        for entry in to_print:
-            print(entry)
-        print(
-            "You can do so at your hosting provider (maybe this isn't your DNS provider)."
+
+def get_filled_zone_file(remote_data):
+    sts_id = remote_data.get("sts_id")
+    if not sts_id:
+        remote_data["sts_id"] = datetime.datetime.now().strftime("%Y%m%d%H%M")
+
+    template = importlib.resources.files(__package__).joinpath("chatmail.zone.j2")
+    content = template.read_text()
+    zonefile = Template(content).render(**remote_data)
+    lines = [x.strip() for x in zonefile.split("\n") if x.strip()]
+    lines.append("")
+    zonefile = "\n".join(lines)
+    return zonefile
+
+
+def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
+    """Check existing DNS records, optionally write them to zone file
+    and return (exitcode, remote_data) tuple."""
+
+    required_diff, recommended_diff = sshexec.logged(
+        remote.rdns.check_zonefile,
+        kwargs=dict(zonefile=zonefile, verbose=False),
+    )
+
+    returncode = 0
+    if required_diff:
+        out.red("Please set required DNS entries at your DNS provider:\n")
+        for line in required_diff:
+            out(line)
+        out("")
+        returncode = 1
+    if remote_data.get("dkim_entry") in required_diff:
+        out(
+            "If the DKIM entry above does not work with your DNS provider, you can try this one:\n"
        )
-        exit_code = 1
-    return exit_code
+        out(remote_data.get("web_dkim_entry") + "\n")
+    if recommended_diff:
+        out("WARNING: these recommended DNS entries are not set:\n")
+        for line in recommended_diff:
+            out(line)

-
-def check_necessary_dns(out, mail_domain):
-    """Check whether $mail_domain and mta-sts.$mail_domain resolve."""
-    dns = DNS(out, mail_domain)
-    ipv4 = dns.get("A", mail_domain)
-    ipv6 = dns.get("AAAA", mail_domain)
-    mta_entry = dns.get("CNAME", "mta-sts." + mail_domain)
-    www_entry = dns.get("CNAME", "www." + mail_domain)
-    to_print = []
-    if not (ipv4 or ipv6):
-        to_print.append(f"\t{mail_domain}.\t\t\tA<your server's IPv4 address>")
-    if mta_entry != mail_domain + ".":
-        to_print.append(f"\tmta-sts.{mail_domain}.\tCNAME\t{mail_domain}.")
-    if www_entry != mail_domain + ".":
-        to_print.append(f"\twww.{mail_domain}.\tCNAME\t{mail_domain}.")
-    if to_print:
-        to_print.insert(
-            0,
-            "\nFor chatmail to work, you need to configure this at your DNS provider:\n",
-        )
-        for line in to_print:
-            print(line)
-        print()
-    else:
-        dns.out.green("\nAll necessary DNS entries seem to be set.")
-        return True
+    if not (recommended_diff or required_diff):
+        out.green("Great! All your DNS entries are verified and correct.")
+    return returncode
--- a/cmdeploy/src/cmdeploy/dovecot/auth.conf
+++ b/cmdeploy/src/cmdeploy/dovecot/auth.conf
@@ -1,5 +1,7 @@
 uri = proxy:/run/doveauth/doveauth.socket:auth
-iterate_disable = yes
+iterate_disable = no
+iterate_prefix = userdb/
+
 default_pass_scheme = plain
 # %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
 # See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
--- a/cmdeploy/src/cmdeploy/dovecot/default.sieve
+++ b/cmdeploy/src/cmdeploy/dovecot/default.sieve
@@ -1,7 +0,0 @@
-require ["imap4flags"];
-
-# flag the message so it doesn't cause a push notification
-
-if header :is ["Auto-Submitted"] ["auto-replied", "auto-generated"] {
-	addflag "$Auto";
-}
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -0,0 +1,206 @@
+from chatmaild.config import Config
+from pyinfra import host
+from pyinfra.facts.server import Arch, LinuxDistribution, Sysctl
+from pyinfra.facts.systemd import SystemdEnabled
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import (
+    Deployer,
+    activate_remote_units,
+    configure_remote_units,
+    get_resource,
+)
+
+
+class DovecotDeployer(Deployer):
+    daemon_reload = False
+
+    def __init__(self, config, disable_mail):
+        self.config = config
+        self.disable_mail = disable_mail
+        self.units = ["doveauth"]
+
+    def install(self):
+        arch = host.get_fact(Arch)
+        if not "dovecot.service" in host.get_fact(SystemdEnabled):
+            _install_dovecot_package("core", arch)
+            _install_dovecot_package("imapd", arch)
+            _install_dovecot_package("lmtpd", arch)
+
+    def configure(self):
+        configure_remote_units(self.config.mail_domain, self.units)
+        self.need_restart, self.daemon_reload = _configure_dovecot(self.config)
+
+    def activate(self):
+        activate_remote_units(self.units)
+
+        restart = False if self.disable_mail else self.need_restart
+
+        systemd.service(
+            name="disable dovecot for now"
+            if self.disable_mail
+            else "Start and enable Dovecot",
+            service="dovecot.service",
+            running=False if self.disable_mail else True,
+            enabled=False if self.disable_mail else True,
+            restarted=restart,
+            daemon_reload=self.daemon_reload,
+        )
+        self.need_restart = False
+
+
+def _install_dovecot_package(package: str, arch: str):
+    distro = host.get_fact(LinuxDistribution)
+    is_old_debian = False
+    if distro:
+        distro_id = str(distro.get("id", "")).lower()
+        distro_name = str(distro.get("name", "")).lower()
+        major_version = str(distro.get("major_version", "0"))
+        
+        if "debian" in distro_id or "debian" in distro_name:
+            try:
+                # Handle cases where major_version might be '11.13'
+                m_ver = major_version.split(".")[0]
+                if m_ver.isdigit() and 0 < int(m_ver) < 12:
+                    is_old_debian = True
+            except (ValueError, TypeError, IndexError):
+                pass
+        # Fallback for systems where major_version might not be parsed correctly but name contains 'bullseye'
+        if "bullseye" in distro_name or "buster" in distro_name:
+            is_old_debian = True
+
+    if is_old_debian:
+        apt.packages(
+            name=f"Install system dovecot-{package}",
+            packages=[f"dovecot-{package}"],
+            update=True,
+        )
+        return
+
+    arch = "amd64" if arch == "x86_64" else arch
+    arch = "arm64" if arch == "aarch64" else arch
+    url = f"https://download.delta.chat/dovecot/dovecot-{package}_2.3.21%2Bdfsg1-3_{arch}.deb"
+    deb_filename = "/root/" + url.split("/")[-1]
+
+    match (package, arch):
+        case ("core", "amd64"):
+            sha256 = "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d"
+        case ("core", "arm64"):
+            sha256 = "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9"
+        case ("imapd", "amd64"):
+            sha256 = "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86"
+        case ("imapd", "arm64"):
+            sha256 = "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f"
+        case ("lmtpd", "amd64"):
+            sha256 = "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab"
+        case ("lmtpd", "arm64"):
+            sha256 = "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f"
+        case _:
+            apt.packages(packages=[f"dovecot-{package}"])
+            return
+
+    files.download(
+        name=f"Download dovecot-{package}",
+        src=url,
+        dest=deb_filename,
+        sha256sum=sha256,
+        cache_time=60 * 60 * 24 * 365 * 10,  # never redownload the package
+    )
+
+    # Use a shell command to try installing the custom .deb and fallback if it fails.
+    # This prevents the whole deployment from failing if custom dovecot is not compatible.
+    server.shell(
+        name=f"Install dovecot-{package} (custom or system fallback)",
+        commands=[
+            f"if ! dpkg -i {deb_filename}; then "
+            f"echo 'HEY: dovecot the custom is not installed, we install your os main one' >&2; "
+            f"DEBIAN_FRONTEND=noninteractive apt-get install -f -y; "
+            f"DEBIAN_FRONTEND=noninteractive apt-get install -y dovecot-{package}; "
+            f"fi"
+        ],
+    )
+
+
+def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
+    """Configures Dovecot IMAP server."""
+    need_restart = False
+    daemon_reload = False
+
+    main_config = files.template(
+        src=get_resource("dovecot/dovecot.conf.j2"),
+        dest="/etc/dovecot/dovecot.conf",
+        user="root",
+        group="root",
+        mode="644",
+        config=config,
+        debug=debug,
+        disable_ipv6=config.disable_ipv6,
+    )
+    need_restart |= main_config.changed
+    files.directory(
+        name="Ensure mailboxes directory exists",
+        path=str(config.mailboxes_dir),
+        user="vmail",
+        group="vmail",
+        mode="750",
+    )
+    auth_config = files.put(
+        src=get_resource("dovecot/auth.conf"),
+        dest="/etc/dovecot/auth.conf",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= auth_config.changed
+    lua_push_notification_script = files.put(
+        src=get_resource("dovecot/push_notification.lua"),
+        dest="/etc/dovecot/push_notification.lua",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= lua_push_notification_script.changed
+
+    # as per https://doc.dovecot.org/configuration_manual/os/
+    # it is recommended to set the following inotify limits
+    try:
+        sysctls = host.get_fact(Sysctl)
+    except Exception:
+        sysctls = None
+
+    if sysctls:
+        for name in ("max_user_instances", "max_user_watches"):
+            key = f"fs.inotify.{name}"
+            if sysctls.get(key, 0) > 65535:
+                # Skip updating limits if already sufficient
+                # (enables running in incus containers where sysctl readonly)
+                continue
+            server.sysctl(
+                name=f"Change {key}",
+                key=key,
+                value=65535,
+                persist=True,
+                _ignore_errors=True,
+            )
+
+    timezone_env = files.line(
+        name="Set TZ environment variable",
+        path="/etc/environment",
+        line="TZ=:/etc/localtime",
+    )
+    need_restart |= timezone_env.changed
+    files.directory(
+        name="Ensure dovecot.service.d directory exists",
+        path="/etc/systemd/system/dovecot.service.d",
+        user="root",
+        group="root",
+        mode="755",
+    )
+    restart_conf = files.put(
+        name="dovecot: restart automatically on failure",
+        src=get_resource("service/10_restart.conf"),
+        dest="/etc/systemd/system/dovecot.service.d/10_restart.conf",
+    )
+    daemon_reload |= restart_conf.changed
+
+    return need_restart, daemon_reload
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,5 +1,9 @@
 ## Dovecot configuration file

+{% if disable_ipv6 %}
+listen = *
+{% endif %}
+
 protocols = imap lmtp

 auth_mechanisms = plain
@@ -19,15 +23,35 @@ mail_debug = yes
 #   master: Warning: service(stats): client_limit (1000) reached, client connections are being dropped
 default_client_limit = 20000

+# Increase number of logged in IMAP connections.
+# Each connection is handled by a separate `imap` process.
+# `imap` process should have `client_limit=1` as described in
+# <https://doc.dovecot.org/configuration_manual/service_configuration/#service-limits>
+# so each logged in IMAP session will need its own `imap` process.
+#
+# If this limit is reached,
+# users will fail to LOGIN as `imap-login` process
+# will accept them logging in but fail to transfer logged in
+# connection to `imap` process until someone logs out and
+# the following warning will be logged:
+#   Warning: service(imap): process_limit (1024) reached, client connections are being dropped
+service imap {
+  process_limit = 50000
+}
+
 mail_server_admin = mailto:root@{{ config.mail_domain }}
 mail_server_comment = Chatmail server

-mail_plugins = quota
+# `zlib` enables compressing messages stored in the maildir.
+# See
+# <https://doc.dovecot.org/configuration_manual/zlib_plugin/>
+# for documentation.
+#
+# quota plugin documentation:
+# <https://doc.dovecot.org/configuration_manual/quota_plugin/>
+mail_plugins = zlib quota

-# these are the capabilities Delta Chat cares about actually 
-# so let's keep the network overhead per login small
-# https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
-imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE NOTIFY METADATA XDELTAPUSH
+imap_capability = +XDELTAPUSH XCHATMAIL


 # Authentication for system users.
@@ -44,7 +68,13 @@ userdb {
 ##

 # Mailboxes are stored in the "mail" directory of the vmail user home.
-mail_location = maildir:/home/vmail/mail/%d/%u
+mail_location = maildir:{{ config.mailboxes_dir }}/%u
+
+# index/cache files are not very useful for chatmail relay operations 
+# but it's not clear how to disable them completely. 
+# According to https://doc.dovecot.org/2.3/settings/advanced/#core_setting-mail_cache_max_size
+# if the cache file becomes larger than the specified size, it is truncated by dovecot 
+mail_cache_max_size = 500K

 namespace inbox {
  inbox = yes
@@ -80,17 +110,20 @@ mail_privileged_group = vmail
 # Pass all IMAP METADATA requests to the server implementing Dovecot's dict protocol.
 mail_attribute_dict = proxy:/run/chatmail-metadata/metadata.socket:metadata

-# Enable IMAP COMPRESS (RFC 4978).
+# `imap_zlib` enables IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
-  mail_plugins = $mail_plugins imap_zlib imap_quota
+  mail_plugins = $mail_plugins imap_quota last_login {% if config.imap_compress %}imap_zlib{% endif %}
  imap_metadata = yes
 }

+plugin {
+  last_login_dict = proxy:/run/chatmail-lastlogin/lastlogin.socket:lastlogin
+  #last_login_key = last-login/%u # default
+  last_login_precision = s
+}
+
 protocol lmtp {
-  # quota plugin documentation:
-  # <https://doc.dovecot.org/configuration_manual/quota_plugin/>
-  #
  # notify plugin is a dependency of push_notification plugin:
  # <https://doc.dovecot.org/settings/plugin/notify-plugin/>
  #
@@ -99,10 +132,11 @@ protocol lmtp {
  #
  # mail_lua and push_notification_lua are needed for Lua push notification handler.
  # <https://doc.dovecot.org/configuration_manual/push_notification/#configuration>
-  #
-  # Sieve to mark messages that should not be notified as \Seen
-  # <https://doc.dovecot.org/configuration_manual/sieve/configuration/>
-  mail_plugins = $mail_plugins quota mail_lua notify push_notification push_notification_lua sieve
+  mail_plugins = $mail_plugins mail_lua notify push_notification push_notification_lua
+}
+
+plugin {
+  zlib_save = gz
 }

 plugin {
@@ -113,7 +147,7 @@ plugin {
  # for now we define static quota-rules for all users 
  quota = maildir:User quota
  quota_rule = *:storage={{ config.max_mailbox_size }}
-  quota_max_mail_size=30M
+  quota_max_mail_size={{ config.max_message_size }}
  quota_grace = 0
  # quota_over_flag_value = TRUE
 }
@@ -124,10 +158,6 @@ plugin {
  push_notification_driver = lua:file=/etc/dovecot/push_notification.lua
 }

-plugin {
-  sieve_default = file:/etc/dovecot/default.sieve
-}
-
 service lmtp {
  user=vmail

@@ -153,26 +183,97 @@ service auth-worker {
 }

 service imap-login {
-    # High-security mode.
-    # Each process serves a single connection and exits afterwards.
-    # This is the default, but we set it explicitly to be sure.
-    # See <https://doc.dovecot.org/admin_manual/login_processes/#high-security-mode> for details.
-    service_count = 1
-
-    # Inrease the number of simultaneous connections.
+    # High-performance mode as described in
+    # <https://doc.dovecot.org/2.3/admin_manual/login_processes/#high-performance-mode>
    #
-    # As of Dovecot 2.3.19.1 the default is 100 processes.
-    # Combined with `service_count = 1` it means only 100 connections
-    # can be handled simultaneously.
-    process_limit = 10000
+    # So-called high-security mode described in
+    # <https://doc.dovecot.org/2.3/admin_manual/login_processes/#high-security-mode>
+    # and enabled by default with `service_count = 1` starts one process per connection
+    # and has problems logging in thousands of users after Dovecot restart.
+    service_count = 0
+
+    # Increase virtual memory size limit.
+    # Since imap-login processes handle TLS connections
+    # even after logging users in
+    # and many connections are handled by each process,
+    # memory size limit should be increased.
+    #
+    # Otherwise the whole process eventually dies
+    # with an error similar to
+    #   imap-login: Fatal: master: service(imap-login):
+    #   child 1422951 returned error 83
+    #   (Out of memory (service imap-login { vsz_limit=256 MB },
+    #    you may need to increase it)
+    # and takes down all its TLS connections at once.
+    vsz_limit = 1G

    # Avoid startup latency for new connections.
+    #
+    # Should be set to at least the number of CPU cores
+    # according to the documentation.
    process_min_avail = 10
 }

+service anvil {
+    # We are disabling anvil penalty on failed login attempts
+    # because it can only detect brute forcing by IP address
+    # not by username. As the correct IP address is not handed
+    # to dovecot anyway, it is more of hindrance than of use.
+    # See <https://www.dovecot.org/list/dovecot/2012-May/135485.html> for details.
+    unix_listener anvil-auth-penalty {
+        mode = 0
+    }
+}
+
 ssl = required
 ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
 ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
 ssl_dh = </usr/share/dovecot/dh.pem
 ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
+
+
+{% if config.imap_rawlog %}
+service postlogin {
+  executable = script-login -d rawlog
+  unix_listener postlogin {
+ }  
+} 
+service imap {
+  executable = imap postlogin 
+} 
+  
+protocol imap { 
+  #rawlog_dir = /tmp/rawlog/%u
+  # Put .in and .out imap protocol logging files into per-user homedir 
+  # You can use a command like this to combine into one protocol stream:
+  # sort -sn <(sed 's/ / C: /' *.in) <(sed 's/ / S: /' cat *.out)
+
+  rawlog_dir = %h 
+} 
+{% endif %}
+
+{% if not config.imap_compress %}
+# Hibernate IDLE users to save memory and CPU resources
+# NOTE: this will have no effect if imap_zlib plugin is used
+imap_hibernate_timeout = 30s
+service imap {
+  # Note that this change will allow any process running as
+  # $default_internal_user (dovecot) to access mails as any other user.
+  # This may be insecure in some installations, which is why this isn't
+  # done by default.
+  unix_listener imap-master {
+    user = $default_internal_user
+  }
+}
+# The following is the default already in v2.3.1+:
+service imap {
+  extra_groups = $default_internal_group
+}
+service imap-hibernate {
+  unix_listener imap-hibernate {
+    mode = 0660
+    group = $default_internal_group
+  }
+}
+{% endif %}
--- a/cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2
@@ -1,11 +0,0 @@
-# delete all mails after {{ config.delete_mails_after }} days, in the Inbox
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# or in any IMAP subfolder
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# even if they are unseen
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-# or only temporary (but then they shouldn't be around after {{ config.delete_mails_after }} days anyway).
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
-3 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -name 'maildirsize' -type f -delete
--- a/cmdeploy/src/cmdeploy/dovecot/push_notification.lua
+++ b/cmdeploy/src/cmdeploy/dovecot/push_notification.lua
@@ -2,27 +2,14 @@ function dovecot_lua_notify_begin_txn(user)
  return user
 end

-function contains(v, needle)
-  for _, keyword in ipairs(v) do
-    if keyword == needle then
-      return true
-    end
-  end
-  return false
-end
-
 function dovecot_lua_notify_event_message_new(user, event)
  local mbox = user:mailbox(event.mailbox)
  mbox:sync()

  if user.username ~= event.from_address then
    -- Incoming message
-    if not contains(event.keywords, "$Auto") then
-      -- Not an Auto-Submitted message, notifying.
-
-      -- Notify METADATA server about new message.
-      mbox:metadata_set("/private/messagenew", "")
-    end
+    -- Notify METADATA server about new message.
+    mbox:metadata_set("/private/messagenew", "")
  end

  mbox:free()
--- a/cmdeploy/src/cmdeploy/genqr.py
+++ b/cmdeploy/src/cmdeploy/genqr.py
@@ -1,8 +1,9 @@
 import importlib
-import qrcode
-import os
-from PIL import ImageFont, ImageDraw, Image
 import io
+import os
+
+import qrcode
+from PIL import Image, ImageDraw, ImageFont


 def gen_qr_png_data(maildomain):
--- a/cmdeploy/src/cmdeploy/iroh-relay.service
+++ b/cmdeploy/src/cmdeploy/iroh-relay.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Iroh relay
+
+[Service]
+ExecStart=/usr/local/bin/iroh-relay --config-path /etc/iroh-relay.toml
+Restart=on-failure
+RestartSec=5s
+User=iroh
+Group=iroh
+
+[Install]
+WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/iroh-relay.toml
+++ b/cmdeploy/src/cmdeploy/iroh-relay.toml
@@ -0,0 +1,11 @@
+enable_relay = true
+http_bind_addr = "[::]:3340"
+
+# Disable built-in STUN server in iroh-relay 0.35
+# as we deploy our own TURN server instead.
+# STUN server is going to be removed in iroh-relay 1.0
+# and this line can be removed after upgrade.
+enable_stun = false
+
+enable_metrics = false
+metrics_bind_addr = "127.0.0.1:9092"
--- a/cmdeploy/src/cmdeploy/journald.conf
+++ b/cmdeploy/src/cmdeploy/journald.conf
@@ -1,2 +1,3 @@
 [Journal]
 MaxRetentionSec=3d
+Storage=volatile
--- a/cmdeploy/src/cmdeploy/metrics.cron.j2
+++ b/cmdeploy/src/cmdeploy/metrics.cron.j2
@@ -1 +1 @@
-*/5 * * * * root {{ config.execpath }} /home/vmail/mail/{{ config.mail_domain }} >/var/www/html/metrics
+*/5 * * * * root {{ config.execpath }} {{ config.mailboxes_dir }} >/var/www/html/metrics
--- a/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
+++ b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
@@ -0,0 +1,64 @@
+counter delivered_mail
+/saved mail to INBOX$/ {
+  delivered_mail++
+}
+
+counter quota_exceeded
+/Quota exceeded \(mailbox for user is full\)$/ {
+  quota_exceeded++
+}
+
+# Essentially the number of outgoing messages.
+counter dkim_signed
+/DKIM-Signature field added/ {
+  dkim_signed++
+}
+
+counter created_accounts
+counter created_ci_accounts
+counter created_nonci_accounts
+
+/: Created address: (?P<addr>.*)$/ {
+  created_accounts++
+
+  $addr =~ /ci-/ {
+    created_ci_accounts++
+  } else {
+    created_nonci_accounts++
+  }
+}
+
+counter postfix_timeouts
+/timeout after DATA/ {
+  postfix_timeouts++
+}
+
+counter postfix_noqueue
+/postfix\/.*NOQUEUE/ {
+  postfix_noqueue++
+}
+
+counter warning_count
+/warning/ {
+  warning_count++
+}
+
+
+counter filtered_mail_count
+
+counter encrypted_mail_count
+/Filtering encrypted mail\./ {
+  encrypted_mail_count++
+  filtered_mail_count++
+}
+
+counter unencrypted_mail_count
+/Filtering unencrypted mail\./ {
+  unencrypted_mail_count++
+  filtered_mail_count++
+}
+
+counter rejected_unencrypted_mail_count
+/Rejected unencrypted mail\./ {
+  rejected_unencrypted_mail_count++
+}
--- a/cmdeploy/src/cmdeploy/mtail/deployer.py
+++ b/cmdeploy/src/cmdeploy/mtail/deployer.py
@@ -0,0 +1,68 @@
+from pyinfra import facts, host
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import (
+    Deployer,
+    get_resource,
+)
+
+
+class MtailDeployer(Deployer):
+    def __init__(self, mtail_address):
+        self.mtail_address = mtail_address
+
+    def install(self):
+        # Uninstall mtail package to install a static binary.
+        apt.packages(name="Uninstall mtail", packages=["mtail"], present=False)
+
+        (url, sha256sum) = {
+            "x86_64": (
+                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
+                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
+            ),
+            "aarch64": (
+                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
+                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
+            ),
+        }[host.get_fact(facts.server.Arch)]
+
+        server.shell(
+            name="Download mtail",
+            commands=[
+                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
+                "chmod 755 /usr/local/bin/mtail",
+            ],
+        )
+
+    def configure(self):
+        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
+        # This allows to read from journalctl instead of log files.
+        files.template(
+            src=get_resource("mtail/mtail.service.j2"),
+            dest="/etc/systemd/system/mtail.service",
+            user="root",
+            group="root",
+            mode="644",
+            address=self.mtail_address or "127.0.0.1",
+            port=3903,
+        )
+
+        mtail_conf = files.put(
+            name="Mtail configuration",
+            src=get_resource("mtail/delivered_mail.mtail"),
+            dest="/etc/mtail/delivered_mail.mtail",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        self.need_restart = mtail_conf.changed
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable mtail",
+            service="mtail.service",
+            running=bool(self.mtail_address),
+            enabled=bool(self.mtail_address),
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
+++ b/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=mtail
+
+[Service]
+Type=simple
+ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/local/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs -"
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2
+++ b/cmdeploy/src/cmdeploy/nginx/autoconfig.xml.j2
@@ -19,6 +19,13 @@
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
+    <incomingServer type="imap">
+      <hostname>{{ config.domain_name }}</hostname>
+      <port>443</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>{{ config.domain_name }}</hostname>
      <port>465</port>
@@ -33,5 +40,12 @@
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
+    <outgoingServer type="smtp">
+      <hostname>{{ config.domain_name }}</hostname>
+      <port>443</port>
+      <socketType>SSL</socketType>
+      <authentication>password-cleartext</authentication>
+      <username>%EMAILADDRESS%</username>
+    </outgoingServer>
  </emailProvider>
 </clientConfig>
--- a/cmdeploy/src/cmdeploy/nginx/deployer.py
+++ b/cmdeploy/src/cmdeploy/nginx/deployer.py
@@ -0,0 +1,124 @@
+from chatmaild.config import Config
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import (
+    Deployer,
+    get_resource,
+)
+
+
+class NginxDeployer(Deployer):
+    def __init__(self, config):
+        self.config = config
+
+    def install(self):
+        #
+        # If we allow nginx to start up on install, it will grab port
+        # 80, which then will block acmetool from listening on the port.
+        # That in turn prevents getting certificates, which then causes
+        # an error when we try to start nginx on the custom config
+        # that leaves port 80 open but also requires certificates to
+        # be present.  To avoid getting into that interlocking mess,
+        # we use policy-rc.d to prevent nginx from starting up when it
+        # is installed.
+        #
+        # This approach allows us to avoid performing any explicit
+        # systemd operations during the install stage (as opposed to
+        # allowing it to start and then forcing it to stop), which allows
+        # the install stage to run in non-systemd environments like a
+        # container image build.
+        #
+        # For documentation about policy-rc.d, see:
+        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
+        #
+        files.put(
+            src=get_resource("policy-rc.d"),
+            dest="/usr/sbin/policy-rc.d",
+            user="root",
+            group="root",
+            mode="755",
+        )
+
+        apt.packages(
+            name="Install nginx",
+            packages=["nginx", "libnginx-mod-stream"],
+        )
+        server.shell(
+            name="Remove default nginx configuration",
+            commands=[
+                "rm -f /etc/nginx/sites-enabled/default",
+                "rm -f /etc/nginx/conf.d/default.conf",
+            ],
+        )
+
+        files.file("/usr/sbin/policy-rc.d", present=False)
+
+    def configure(self):
+        self.need_restart = _configure_nginx(self.config)
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable nginx",
+            service="nginx.service",
+            running=True,
+            enabled=True,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
+
+
+def _configure_nginx(config: Config, debug: bool = False) -> bool:
+    """Configures nginx HTTP server."""
+    need_restart = False
+
+    main_config = files.template(
+        src=get_resource("nginx/nginx.conf.j2"),
+        dest="/etc/nginx/nginx.conf",
+        user="root",
+        group="root",
+        mode="644",
+        config={"domain_name": config.mail_domain},
+        disable_ipv6=config.disable_ipv6,
+    )
+    need_restart |= main_config.changed
+
+    autoconfig = files.template(
+        src=get_resource("nginx/autoconfig.xml.j2"),
+        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
+        user="root",
+        group="root",
+        mode="644",
+        config={"domain_name": config.mail_domain},
+    )
+    need_restart |= autoconfig.changed
+
+    mta_sts_config = files.template(
+        src=get_resource("nginx/mta-sts.txt.j2"),
+        dest="/var/www/html/.well-known/mta-sts.txt",
+        user="root",
+        group="root",
+        mode="644",
+        config={"domain_name": config.mail_domain},
+    )
+    need_restart |= mta_sts_config.changed
+
+    # install CGI newemail script
+    #
+    cgi_dir = "/usr/lib/cgi-bin"
+    files.directory(
+        name=f"Ensure {cgi_dir} exists",
+        path=cgi_dir,
+        user="root",
+        group="root",
+    )
+
+    files.put(
+        name="Upload cgi newemail.py script",
+        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
+        dest=f"{cgi_dir}/newemail.py",
+        user="root",
+        group="root",
+        mode="755",
+    )
+
+    return need_restart
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -1,13 +1,46 @@
+load_module modules/ngx_stream_module.so;
+
 user www-data;
 worker_processes auto;
+
+# Increase the number of connections
+# that a worker process can open
+# to avoid errors such as
+#   accept4() failed (24: Too many open files)
+# and
+#   socket() failed (24: Too many open files) while connecting to upstream
+# in the logs.
+# <https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile>
+worker_rlimit_nofile 2048;
 pid /run/nginx.pid;
-error_log /var/log/nginx/error.log;
+error_log syslog:server=unix:/dev/log,facility=local3;

 events {
-	worker_connections 768;
+        # Increase to avoid errors such as
+        #   768 worker_connections are not enough while connecting to upstream
+        # in the logs.
+        # <https://nginx.org/en/docs/ngx_core_module.html#worker_connections>
+	worker_connections 2048;
 	# multi_accept on;
 }

+stream {
+        map $ssl_preread_alpn_protocols $proxy {
+            default 127.0.0.1:8443;
+            ~\bsmtp\b 127.0.0.1:465;
+            ~\bimap\b 127.0.0.1:993;
+        }
+
+        server {
+                listen 443;
+                {% if not disable_ipv6 %}
+                listen [::]:443;
+                {% endif %}
+                proxy_pass $proxy;
+                ssl_preread on;
+        }
+}
+
 http {
 	sendfile on;
 	tcp_nopush on;
@@ -26,14 +59,16 @@ http {
 	gzip on;

 	server {
-		listen 443 ssl default_server;
-		listen [::]:443 ssl default_server;
+  
+		listen 127.0.0.1:8443 ssl default_server;

 		root /var/www/html;

 		index index.html index.htm;

-		server_name _;
+		server_name {{ config.domain_name }};
+
+		access_log syslog:server=unix:/dev/log,facility=local7;

 		location / {
 			# First attempt to serve request as file, then
@@ -72,13 +107,33 @@ http {
 			include /etc/nginx/fastcgi_params;
 			fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
 		}
+
+                # Proxy to iroh-relay service.
+                location /relay {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+
+                        # Upgrade header is normally set to "iroh derp http" or "websocket".
+                        proxy_set_header Upgrade $http_upgrade;
+                        proxy_set_header Connection "upgrade";
+                }
+
+		location /relay/probe {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+		}
+
+		location /generate_204 {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+		}
 	}

 	# Redirect www. to non-www
 	server {
-		listen 443 ssl;
-		listen [::]:443 ssl;
+		listen 127.0.0.1:8443 ssl;
 		server_name www.{{ config.domain_name }};
 		return 301 $scheme://{{ config.domain_name }}$request_uri;
+		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 }
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -0,0 +1,123 @@
+"""
+Installs OpenDKIM
+"""
+
+from pyinfra import host
+from pyinfra.facts.files import File
+from pyinfra.operations import apt, files, server, systemd
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class OpendkimDeployer(Deployer):
+    required_users = [("opendkim", None, ["opendkim"])]
+
+    def __init__(self, mail_domain):
+        self.mail_domain = mail_domain
+
+    def install(self):
+        apt.packages(
+            name="apt install opendkim opendkim-tools",
+            packages=["opendkim", "opendkim-tools"],
+        )
+
+    def configure(self):
+        domain = self.mail_domain
+        dkim_selector = "opendkim"
+        """Configures OpenDKIM"""
+        need_restart = False
+
+        main_config = files.template(
+            src=get_resource("opendkim/opendkim.conf"),
+            dest="/etc/opendkim.conf",
+            user="root",
+            group="root",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= main_config.changed
+
+        screen_script = files.put(
+            src=get_resource("opendkim/screen.lua"),
+            dest="/etc/opendkim/screen.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= screen_script.changed
+
+        final_script = files.put(
+            src=get_resource("opendkim/final.lua"),
+            dest="/etc/opendkim/final.lua",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= final_script.changed
+
+        files.directory(
+            name="Add opendkim directory to /etc",
+            path="/etc/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        keytable = files.template(
+            src=get_resource("opendkim/KeyTable"),
+            dest="/etc/dkimkeys/KeyTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= keytable.changed
+
+        signing_table = files.template(
+            src=get_resource("opendkim/SigningTable"),
+            dest="/etc/dkimkeys/SigningTable",
+            user="opendkim",
+            group="opendkim",
+            mode="644",
+            config={"domain_name": domain, "opendkim_selector": dkim_selector},
+        )
+        need_restart |= signing_table.changed
+        files.directory(
+            name="Add opendkim socket directory to /var/spool/postfix",
+            path="/var/spool/postfix/opendkim",
+            user="opendkim",
+            group="opendkim",
+            mode="750",
+            present=True,
+        )
+
+        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
+            server.shell(
+                name="Generate OpenDKIM domain keys",
+                commands=[
+                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
+                ],
+                _use_su_login=True,
+                _su_user="opendkim",
+            )
+
+        service_file = files.put(
+            name="Configure opendkim to restart once a day",
+            src=get_resource("opendkim/systemd.conf"),
+            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
+        )
+        need_restart |= service_file.changed
+
+        self.need_restart = need_restart
+
+    def activate(self):
+        systemd.service(
+            name="Start and enable OpenDKIM",
+            service="opendkim.service",
+            running=True,
+            enabled=True,
+            daemon_reload=self.need_restart,
+            restarted=self.need_restart,
+        )
+        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -1,4 +1,5 @@
-if odkim.internal_ip(ctx) == 1 then
+mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
+if mtaname == "ORIGINATING" then
 	-- Outgoing message will be signed,
 	-- no need to look for signatures.
 	return nil
@@ -9,9 +10,11 @@ if nsigs == nil then
 	return nil
 end

+local valid = false
+local error_msg = "No valid DKIM signature found."
 for i = 1, nsigs do
-        sig = odkim.get_sighandle(ctx, i - 1)
-        sigres = odkim.sig_result(sig)
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sigres = odkim.sig_result(sig)

 	-- All signatures that do not correspond to From: 
 	-- were ignored in screen.lua and return sigres -1.
@@ -19,10 +22,21 @@ for i = 1, nsigs do
 	-- Any valid signature that was not ignored like this
 	-- means the message is acceptable.
 	if sigres == 0 then
-		return nil
-	end	
+		valid = true
+    else
+        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
+	end
+end
+
+if valid then
+	-- Strip all DKIM-Signature headers after successful validation
+	-- Delete in reverse order to avoid index shifting.
+	for i = nsigs, 1, -1 do
+		odkim.del_header(ctx, "DKIM-Signature", i)
+	end
+else
+	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
+	odkim.set_result(ctx, SMFIS_REJECT)
 end

-odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
-odkim.set_result(ctx, SMFIS_REJECT)
 return nil
--- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
@@ -13,6 +13,7 @@ OversignHeaders		From
 On-BadSignature         reject
 On-KeyNotFound          reject
 On-NoSignature          reject
+DNSTimeout          60

 # Signing domain, selector, and key (required). For example, perform signing
 # for domain "example.com" with selector "2020" (2020._domainkey.example.com),
@@ -25,7 +26,24 @@ KeyTable          /etc/dkimkeys/KeyTable
 SigningTable      refile:/etc/dkimkeys/SigningTable

 # Sign Autocrypt header in addition to the default specified in RFC 6376.
-SignHeaders *,+autocrypt
+#
+# Default list is here:
+# <https://github.com/trusteddomainproject/OpenDKIM/blob/5c539587561785a66c1f67f720f2fb741f320785/libopendkim/dkim.c#L221-L245>
+SignHeaders *,+autocrypt,+content-type
+
+# Prevent addition of second Content-Type header
+# and other important headers that should not be added
+# after signing the message.
+# See
+# <https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/>
+# and RFC 6376 (page 41) for reference.
+#
+# We don't use "l=" body length so the problem described in RFC 6376
+# is not applicable, but adding e.g. a second "From" header
+# or second "Autocrypt" header is better prevented in any case.
+#
+# Default is empty.
+OversignHeaders from,reply-to,subject,date,to,cc,resent-date,resent-from,resent-sender,resent-to,resent-cc,in-reply-to,references,list-id,list-help,list-unsubscribe,list-subscribe,list-post,list-owner,list-archive,autocrypt

 # Script to ignore signatures that do not correspond to the From: domain.
 ScreenPolicyScript /etc/opendkim/screen.lua
@@ -47,3 +65,9 @@ PidFile			/run/opendkim/opendkim.pid
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile		/usr/share/dns/root.key
+
+# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
+MTA ORIGINATING
+
+# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
+InternalHosts -
--- a/cmdeploy/src/cmdeploy/opendkim/systemd.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/systemd.conf
@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RuntimeMaxSec=1d
--- a/cmdeploy/src/cmdeploy/policy-rc.d
+++ b/cmdeploy/src/cmdeploy/policy-rc.d
@@ -0,0 +1,3 @@
+#!/bin/sh
+echo "All runlevel operations denied by policy" >&2
+exit 101
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -0,0 +1,105 @@
+from pyinfra.operations import apt, files, systemd, server
+
+from cmdeploy.basedeploy import Deployer, get_resource
+
+
+class PostfixDeployer(Deployer):
+    required_users = [("postfix", None, ["opendkim"])]
+    daemon_reload = False
+
+    def __init__(self, config, disable_mail):
+        self.config = config
+        self.disable_mail = disable_mail
+
+    def install(self):
+        apt.packages(
+            name="Install Postfix",
+            packages="postfix",
+        )
+
+    def configure(self):
+        config = self.config
+        need_restart = False
+
+        main_config = files.template(
+            src=get_resource("postfix/main.cf.j2"),
+            dest="/etc/postfix/main.cf",
+            user="root",
+            group="root",
+            mode="644",
+            config=config,
+            disable_ipv6=config.disable_ipv6,
+        )
+        need_restart |= main_config.changed
+
+        master_config = files.template(
+            src=get_resource("postfix/master.cf.j2"),
+            dest="/etc/postfix/master.cf",
+            user="root",
+            group="root",
+            mode="644",
+            debug=False,
+            config=config,
+        )
+        need_restart |= master_config.changed
+
+        header_cleanup = files.put(
+            src=get_resource("postfix/submission_header_cleanup"),
+            dest="/etc/postfix/submission_header_cleanup",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= header_cleanup.changed
+
+        # Transport map that discards messages to nine.testrun.org
+        transport_map = files.put(
+            src=get_resource("postfix/discard-nine.map"),
+            dest="/etc/postfix/discard-nine.map",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= transport_map.changed
+        if transport_map.changed:
+            server.shell(
+                commands=["postmap /etc/postfix/discard-nine.map"],
+            )
+        # Login map that 1:1 maps email address to login.
+        login_map = files.put(
+            src=get_resource("postfix/login_map"),
+            dest="/etc/postfix/login_map",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= login_map.changed
+        files.directory(
+            name="Ensure postfix@.service.d directory exists",
+            path="/etc/systemd/system/postfix@.service.d",
+            user="root",
+            group="root",
+            mode="755",
+        )
+        restart_conf = files.put(
+            name="postfix: restart automatically on failure",
+            src=get_resource("service/10_restart.conf"),
+            dest="/etc/systemd/system/postfix@.service.d/10_restart.conf",
+        )
+        self.daemon_reload = restart_conf.changed
+        self.need_restart = need_restart
+
+    def activate(self):
+        restart = False if self.disable_mail else self.need_restart
+
+        systemd.service(
+            name="disable postfix for now"
+            if self.disable_mail
+            else "Start and enable Postfix",
+            service="postfix.service",
+            running=False if self.disable_mail else True,
+            enabled=False if self.disable_mail else True,
+            restarted=restart,
+            daemon_reload=self.daemon_reload,
+        )
+        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/discard-nine.map
+++ b/cmdeploy/src/cmdeploy/postfix/discard-nine.map
@@ -0,0 +1,2 @@
+nine.testrun.org discard:
+* :
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -20,10 +20,14 @@ smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may

 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
+smtp_tls_security_level=verify
+# Send SNI extension when connecting to other servers.
+# <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
+smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
-smtpd_tls_protocols = >=TLSv1.2
+smtp_tls_policy_maps = inline:{nauta.cu=may}
+smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

 # Disable anonymous cipher suites
 # and known insecure algorithms.
@@ -62,11 +66,14 @@ mydestination =
 relayhost = 
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
-# maximum 30MB sized messages
-message_size_limit = 31457280
+message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
 inet_interfaces = all
+{% if disable_ipv6 %}
+inet_protocols = ipv4
+{% else %}
 inet_protocols = all
+{% endif %}

 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
@@ -75,5 +82,12 @@ mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
 mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit

+# Discard messages to nine.testrun.org
+transport_maps = hash:/etc/postfix/discard-nine.map
+
 # 1:1 map MAIL FROM to SASL login name.
 smtpd_sender_login_maps = regexp:/etc/postfix/login_map
+
+# Do not lookup SMTP client hostnames to reduce delays
+# and avoid unnecessary DNS requests.
+smtpd_peername_lookup = no
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -10,14 +10,17 @@
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
 {% if debug == true %}
-smtp      inet  n       -       y       -       -       smtpd -v
+smtp      inet  n       -       n       -       -       smtpd -v
 {%- else %}
-smtp      inet  n       -       y       -       -       smtpd 
+smtp      inet  n       -       n       -       -       smtpd 
 {%- endif %}
-  -o smtpd_milters=unix:opendkim/opendkim.sock
-submission inet n       -       y       -       -       smtpd
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
+  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
+submission inet n       -       n       -       5000    smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
@@ -28,14 +31,13 @@ submission inet n       -       y       -       -       smtpd
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_connection_count_limit=1000
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
-  -o cleanup_service_name=authclean
-smtps     inet  n       -       y       -       -       smtpd
+smtps     inet  n       -       n       -       5000    smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
@@ -46,9 +48,7 @@ smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=1000
-  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
-  -o cleanup_service_name=authclean
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
@@ -76,17 +76,28 @@ anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
 postlog   unix-dgram n  -       n       -       1       postlogd
 filter    unix -        n       n       -       -       lmtp
-# Local SMTP server for reinjecting filered mail.
-localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
+# Local SMTP server for reinjecting outgoing filtered mail.
+127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject
+  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=unix:opendkim/opendkim.sock
  -o cleanup_service_name=authclean

+# Local SMTP server for reinjecting incoming filtered mail 
+127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
+  -o syslog_name=postfix/reinject_incoming
+#  -o smtpd_milters=unix:opendkim/opendkim.sock
+
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
 #
 # We do not do this for received mails
 # as this will break DKIM signatures
 # if `Received` header is signed.
+#
+# This service also rewrites
+# Subject with `[...]`
+# to make sure the users
+# cannot send unprotected Subject.
 authclean unix  n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_cleanup
--- a/cmdeploy/src/cmdeploy/postfix/submission_header_cleanup
+++ b/cmdeploy/src/cmdeploy/postfix/submission_header_cleanup
@@ -2,3 +2,4 @@
 /^X-Originating-IP:/    IGNORE
 /^X-Mailer:/            IGNORE
 /^User-Agent:/          IGNORE
+/^Subject:/             REPLACE Subject: [...]
--- a/Show More
+++ b/Show More