lint: fix issues

Co-authored-by: holger krekel  <holger@merlinux.eu>

README.md

@@ -151,10 +151,12 @@ While this file is present, account creation will be blocked.
 
 ### Ports
 
-Postfix listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
+[Postfix](http://www.postfix.org/) listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
-Dovecot listens on ports 143(imap) and 993 (imaps).
+[Dovecot](https://www.dovecot.org/) listens on ports 143 (imap) and 993 (imaps).
+[nginx](https://www.nginx.com/) listens on port 443 (https).
+[acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (http).
 
 Delta Chat apps will, however, discover all ports and configurations
-automatically by reading the `autoconfig.xml` file from the chatmail service.
+automatically by reading the [autoconfig XML file](https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html) from the chatmail service.
 
 

chatmaild/pyproject.toml

@@ -10,6 +10,10 @@ dependencies = [
   "iniconfig",
   "deltachat-rpc-server",
   "deltachat-rpc-client",
+  "ConfigArgParse",
+  "deltachat",
+  "setuptools>=60",
+  "setuptools-scm>=8",
 ]
 
 [tool.setuptools]
@@ -22,6 +26,7 @@ where = ['src']
 doveauth = "chatmaild.doveauth:main"
 filtermail = "chatmaild.filtermail:main"
 echobot = "chatmaild.echo:main"
+greeterbot = "chatmaild.greeterbot:main"
 chatmail-metrics = "chatmaild.metrics:main"
 
 [project.entry-points.pytest11]

chatmaild/src/chatmaild/database.py

@@ -46,11 +46,17 @@ class Connection:
             )
         return result
 
+    def get_user_list(self) -> set[str]:
+        """Get a set of all users."""
+        q = "SELECT addr from users"
+        return set([tup[0] for tup in self._sqlconn.execute(q).fetchall()])
+
 
 class Database:
-    def __init__(self, path: str):
+    def __init__(self, path: str, read_only=False):
         self.path = Path(path)
-        self.ensure_tables()
+        if not read_only:
+            self.ensure_tables()
 
     def _get_connection(
         self, write=False, transaction=False, closing=False

chatmaild/src/chatmaild/doveauth.py

@@ -46,7 +46,7 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
         len(localpart) > config.username_max_length
         or len(localpart) < config.username_min_length
     ):
-        if localpart != "echo":
+        if localpart not in ("echo", "hello"):
             logging.warning(
                 "localpart %s has to be between %s and %s chars long",
                 localpart,
@@ -91,13 +91,39 @@ def lookup_passdb(db, config: Config, user, cleartext_password):
                VALUES (?, ?, ?)"""
         conn.execute(q, (user, encrypted_password, int(time.time())))
         return dict(
-            home=f"/home/vmail/{user}",
+            home=f"/home/vmail/mail/{config.mail_domain}/{user}",
             uid="vmail",
             gid="vmail",
             password=encrypted_password,
         )
 
 
+def split_and_unescape(s):
+    """Split strings using double quote as a separator and backslash as escape character
+    into parts."""
+
+    out = ""
+    i = 0
+    while i < len(s):
+        c = s[i]
+        if c == "\\":
+            # Skip escape character.
+            i += 1
+
+            # This will raise IndexError if there is no character
+            # after escape character. This is expected
+            # as this is an invalid input.
+            out += s[i]
+        elif c == '"':
+            # Separator
+            yield out
+            out = ""
+        else:
+            out += c
+        i += 1
+    yield out
+
+
 def handle_dovecot_request(msg, db, config: Config):
     short_command = msg[0]
     if short_command == "L":  # LOOKUP
@@ -107,7 +133,9 @@ def handle_dovecot_request(msg, db, config: Config):
         # do not attempt to read any other parts for compatibility.
         keyname = parts[0]
 
-        namespace, type, *args = keyname.split("/")
+        namespace, type, args = keyname.split("/", 2)
+        args = list(split_and_unescape(args))
+
         reply_command = "F"
         res = ""
         if namespace == "shared":

chatmaild/src/chatmaild/greeterbot.py

@@ -0,0 +1,132 @@
+import time
+
+import deltachat
+from deltachat.tracker import ConfigureFailed
+from time import sleep
+import tempfile
+import os
+import configargparse
+import pkg_resources
+import secrets
+
+from chatmaild.database import Database
+from chatmaild.config import read_config
+from chatmaild.newemail import ALPHANUMERIC_PUNCT, CONFIG_PATH
+
+PASSDB_PATH = "/home/vmail/passdb.sqlite"
+
+
+def setup_account(data_dir: str, debug: bool) -> deltachat.Account:
+    """Create a deltachat account with a given addr/password combination.
+
+    :param data_dir: the directory where the data(base) is stored.
+    :param debug: whether to show log messages for the account.
+    :return: the deltachat account object.
+    """
+    chatmail_config = read_config(CONFIG_PATH)
+    addr = "hello@" + chatmail_config.mail_domain
+
+    try:
+        os.mkdir(os.path.join(data_dir, addr))
+    except FileExistsError:
+        pass
+    db_path = os.path.join(data_dir, addr, "db.sqlite")
+
+    ac = deltachat.Account(db_path)
+    if debug:
+        ac.add_account_plugin(deltachat.events.FFIEventLogger(ac))
+
+    ac.set_config("mvbox_move", "0")
+    ac.set_config("sentbox_watch", "0")
+    ac.set_config("bot", "1")
+    ac.set_config("mdns_enabled", "0")
+
+    if not ac.is_configured():
+        cleartext_password = "".join(
+            secrets.choice(ALPHANUMERIC_PUNCT)
+            for _ in range(chatmail_config.password_min_length + 3)
+        )
+        ac.set_config("mail_pw", cleartext_password)
+        ac.set_config("addr", addr)
+
+        configtracker = ac.configure()
+        try:
+            configtracker.wait_finish()
+        except ConfigureFailed:
+            print(
+                "configuration setup failed for %s with password:\n%s"
+                % (ac.get_config("addr"), ac.get_config("mail_pw"))
+            )
+            raise
+
+    ac.start_io()
+    avatar = pkg_resources.resource_filename(__name__, "avatar.jpg")
+    ac.set_avatar(avatar)
+    ac.set_config("displayname", f"Hello at {chatmail_config.mail_domain}!")
+    return ac
+
+
+class GreetBot:
+    def __init__(self, passdb, account):
+        self.db = Database(passdb, read_only=True)
+        self.account = account
+        self.domain = account.get_config("addr").split("@")[1]
+        with self.db.read_connection() as conn:
+            self.existing_users = conn.get_user_list()
+
+    def greet_users(self):
+        with self.db.read_connection() as conn:
+            users = conn.get_user_list()
+        new_users = users.difference(self.existing_users)
+        self.existing_users = users
+        time.sleep(20)  # wait until Delta is configured on the user side
+        for user in new_users:
+            for ci_prefix in ["ac1_", "ac2_", "ac3_", "ac4_", "ac5_", "ci-"]:
+                if user.startswith(ci_prefix):
+                    continue
+            if user not in [c.addr for c in self.account.get_contacts()]:
+                print("Inviting", user)
+                contact = self.account.create_contact(user)
+                chat = contact.create_chat()
+                chat.send_text(
+                    "Welcome to %s! Here you can try out Delta Chat." % (self.domain,)
+                )
+                chat.send_text(
+                    "I prepared some webxdc apps for you, if you are interested:"
+                )
+                chat.send_file(pkg_resources.resource_filename(__name__, "editor.xdc"))
+                chat.send_file(
+                    pkg_resources.resource_filename(__name__, "tower-builder.xdc")
+                )
+                chat.send_text(
+                    "You can visit https://webxdc.org/apps to discover more apps! "
+                    "Some of these games you can also play with friends, directly in the chat."
+                )
+
+
+def main():
+    args = configargparse.ArgumentParser()
+    args.add_argument("--db_path", help="location of the Delta Chat database")
+    args.add_argument(
+        "--passdb", default=PASSDB_PATH, help="location of the chatmail passdb"
+    )
+    args.add_argument("--show-ffi", action="store_true", help="print Delta Chat log")
+    ops = args.parse_args()
+
+    # ensuring account data directory
+    if ops.db_path is None:
+        tempdir = tempfile.TemporaryDirectory(prefix="hellobot")
+        ops.db_path = tempdir.name
+    elif not os.path.exists(ops.db_path):
+        os.mkdir(ops.db_path)
+
+    ac = setup_account(ops.db_path, ops.show_ffi)
+    greeter = GreetBot(ops.passdb, ac)
+    print("waiting for new chatmail users...")
+    while 1:
+        greeter.greet_users()
+        sleep(5)
+
+
+if __name__ == "__main__":
+    main()

chatmaild/src/chatmaild/greeterbot.service.f

@@ -0,0 +1,11 @@
+[Unit]
+Description=Chatmail greeterbot, a Delta Chat bot to greet new users
+
+[Service]
+ExecStart={execpath} --passdb {passdb_path} --db_path /home/vmail/greeterbot/ --show-ffi
+User=vmail
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

chatmaild/src/chatmaild/tests/mail-data/plain.eml

@@ -7,7 +7,7 @@ Date: Sun, 15 Oct 2023 16:41:44 +0000
 Message-ID: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>
 References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>
 Chat-Version: 1.0
-Autocrypt: addr=foobar@c2.testrun.org; prefer-encrypt=mutual;
+Autocrypt: addr={from_addr}; prefer-encrypt=mutual;
 	keydata=xjMEZSrw3hYJKwYBBAHaRw8BAQdAiEKNQFU28c6qsx4vo/JHdt73RXdjMOmByf/XsGiJ7m
 	nNFzxmb29iYXJAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUq8N4CGwMECwkIBwYVCAkKCwID
 	FgIBFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJCX3gEAhm0MehE5byBBU1avPczr/I
@@ -20,4 +20,4 @@ Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no
 
 Hi!
 
-
+

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -52,15 +52,19 @@ def test_too_high_db_version(db):
 
 
 def test_handle_dovecot_request(db, example_config):
+    # Test that password can contain ", ', \ and /
     msg = (
-        "Lshared/passdb/laksjdlaksjdlaksjdlk12j3l1k2j3123/"
+        'Lshared/passdb/laksjdlaksjdlak\\\\sjdlk\\"12j\\\'3l1/k2j3123"'
         "some42123@chat.example.org\tsome42123@chat.example.org"
     )
     res = handle_dovecot_request(msg, db, example_config)
     assert res
     assert res[0] == "O" and res.endswith("\n")
     userdata = json.loads(res[1:].strip())
-    assert userdata["home"] == "/home/vmail/some42123@chat.example.org"
+    assert (
+        userdata["home"]
+        == "/home/vmail/mail/chat.example.org/some42123@chat.example.org"
+    )
     assert userdata["uid"] == userdata["gid"] == "vmail"
     assert userdata["password"].startswith("{SHA512-CRYPT}")
 

cmdeploy/src/cmdeploy/__init__.py

@@ -101,11 +101,13 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         "doveauth",
         "filtermail",
         "echobot",
+        "greeterbot",
     ):
         params = dict(
             execpath=f"{remote_venv_dir}/bin/{fn}",
             config_path=remote_chatmail_inipath,
             remote_venv_dir=remote_venv_dir,
+            passdb_path="/home/vmail/passdb.sqlite",
         )
         source_path = importlib.resources.files("chatmaild").joinpath(f"{fn}.service.f")
         content = source_path.read_text().format(**params).encode()
@@ -126,71 +128,6 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         )
 
 
-def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
-    """Configures OpenDKIM"""
-    need_restart = False
-
-    main_config = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
-        dest="/etc/opendkim.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= main_config.changed
-
-    files.directory(
-        name="Add opendkim directory to /etc",
-        path="/etc/opendkim",
-        user="opendkim",
-        group="opendkim",
-        mode="750",
-        present=True,
-    )
-
-    keytable = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"),
-        dest="/etc/dkimkeys/KeyTable",
-        user="opendkim",
-        group="opendkim",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= keytable.changed
-
-    signing_table = files.template(
-        src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"),
-        dest="/etc/dkimkeys/SigningTable",
-        user="opendkim",
-        group="opendkim",
-        mode="644",
-        config={"domain_name": domain, "opendkim_selector": dkim_selector},
-    )
-    need_restart |= signing_table.changed
-
-    files.directory(
-        name="Add opendkim socket directory to /var/spool/postfix",
-        path="/var/spool/postfix/opendkim",
-        user="opendkim",
-        group="opendkim",
-        mode="750",
-        present=True,
-    )
-
-    if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
-        server.shell(
-            name="Generate OpenDKIM domain keys",
-            commands=[
-                f"opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
-            ],
-            _sudo=True,
-            _sudo_user="opendkim",
-        )
-
-    return need_restart
-
-
 def _install_mta_sts_daemon() -> bool:
     need_restart = False
 
@@ -254,6 +191,17 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
     )
     need_restart |= master_config.changed
 
+    header_cleanup = files.put(
+        src=importlib.resources.files(__package__).joinpath(
+            "postfix/submission_header_cleanup"
+        ),
+        dest="/etc/postfix/submission_header_cleanup",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= header_cleanup.changed
+
     return need_restart
 
 
@@ -359,6 +307,107 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
     return need_restart
 
 
+def remove_opendkim() -> None:
+    """Remove OpenDKIM, deprecated"""
+    files.file(
+        name="Remove legacy opendkim.conf",
+        path="/etc/opendkim.conf",
+        present=False,
+    )
+
+    files.directory(
+        name="Remove legacy opendkim socket directory from /var/spool/postfix",
+        path="/var/spool/postfix/opendkim",
+        present=False,
+    )
+
+    apt.packages(name="Remove openDKIM", packages="opendkim", present=False)
+
+
+def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
+    """Configures rspamd for Rate Limiting."""
+    need_restart = False
+
+    apt.packages(
+        name="apt install rspamd",
+        packages="rspamd",
+    )
+
+    for module in ["phishing", "rbl", "hfilter", "ratelimit"]:
+        disabled_module_conf = files.put(
+            name=f"disable {module} rspamd plugin",
+            src=importlib.resources.files(__package__).joinpath("rspamd/disabled.conf"),
+            dest=f"/etc/rspamd/local.d/{module}.conf",
+            user="root",
+            group="root",
+            mode="644",
+        )
+        need_restart |= disabled_module_conf.changed
+
+    options_inc = files.put(
+        name="disable fuzzy checks",
+        src=importlib.resources.files(__package__).joinpath("rspamd/options.inc"),
+        dest="/etc/rspamd/local.d/options.inc",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= options_inc.changed
+
+    # https://rspamd.com/doc/modules/force_actions.html
+    force_actions_conf = files.put(
+        name="Set up rules to reject on DKIM, SPF and DMARC fails",
+        src=importlib.resources.files(__package__).joinpath(
+            "rspamd/force_actions.conf"
+        ),
+        dest="/etc/rspamd/local.d/force_actions.conf",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= force_actions_conf.changed
+
+    dkim_directory = "/var/lib/rspamd/dkim/"
+    dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
+    dkim_dns_file = f"{dkim_directory}{mail_domain}.{dkim_selector}.zone"
+
+    dkim_config = files.template(
+        src=importlib.resources.files(__package__).joinpath(
+            "rspamd/dkim_signing.conf.j2"
+        ),
+        dest="/etc/rspamd/local.d/dkim_signing.conf",
+        user="root",
+        group="root",
+        mode="644",
+        config={
+            "dkim_selector": str(dkim_selector),
+            "mail_domain": mail_domain,
+            "dkim_key_path": dkim_key_path,
+        },
+    )
+    need_restart |= dkim_config.changed
+
+    files.directory(
+        name="ensure DKIM key directory exists",
+        path=dkim_directory,
+        present=True,
+        user="_rspamd",
+        group="_rspamd",
+    )
+
+    if not host.get_fact(File, dkim_key_path):
+        server.shell(
+            name="Generate DKIM domain keys with rspamd",
+            commands=[
+                f"rspamadm dkim_keygen -b 2048 -s {dkim_selector} -d {mail_domain} -k {dkim_key_path} > {dkim_dns_file}"
+            ],
+            _sudo=True,
+            _sudo_user="_rspamd",
+        )
+
+    return need_restart
+
+
 def check_config(config):
     mail_domain = config.mail_domain
     if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
@@ -386,14 +435,6 @@ def deploy_chatmail(config_path: Path) -> None:
     server.group(name="Create vmail group", group="vmail", system=True)
     server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
 
-    server.group(name="Create opendkim group", group="opendkim", system=True)
-    server.user(
-        name="Add postfix user to opendkim group for socket access",
-        user="postfix",
-        groups=["opendkim"],
-        system=True,
-    )
-
     # Run local DNS resolver `unbound`.
     # `resolvconf` takes care of setting up /etc/resolv.conf
     # to use 127.0.0.1 as the resolver.
@@ -413,7 +454,10 @@ def deploy_chatmail(config_path: Path) -> None:
     )
 
     # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_domain, f"mta-sts.{mail_domain}"])
+    deploy_acmetool(
+        nginx_hook=True,
+        domains=[mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"],
+    )
 
     apt.packages(
         name="Install Postfix",
@@ -425,14 +469,6 @@ def deploy_chatmail(config_path: Path) -> None:
         packages=["dovecot-imapd", "dovecot-lmtpd"],
     )
 
-    apt.packages(
-        name="Install OpenDKIM",
-        packages=[
-            "opendkim",
-            "opendkim-tools",
-        ],
-    )
-
     apt.packages(
         name="Install nginx",
         packages=["nginx"],
@@ -454,16 +490,18 @@ def deploy_chatmail(config_path: Path) -> None:
     debug = False
     dovecot_need_restart = _configure_dovecot(config, debug=debug)
     postfix_need_restart = _configure_postfix(config, debug=debug)
-    opendkim_need_restart = _configure_opendkim(mail_domain)
     mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(mail_domain)
 
+    remove_opendkim()
+    rspamd_need_restart = _configure_rspamd("dkim", mail_domain)
+
     systemd.service(
-        name="Start and enable OpenDKIM",
+        name="Start and enable rspamd",
-        service="opendkim.service",
+        service="rspamd.service",
         running=True,
         enabled=True,
-        restarted=opendkim_need_restart,
+        restarted=rspamd_need_restart,
     )
 
     systemd.service(

cmdeploy/src/cmdeploy/acmetool/__init__.py

@@ -1,6 +1,8 @@
 import importlib.resources
 
 from pyinfra.operations import apt, files, systemd, server
+from pyinfra import host
+from pyinfra.facts.systemd import SystemdStatus
 
 
 def deploy_acmetool(nginx_hook=False, email="", domains=[]):
@@ -55,6 +57,13 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
         group="root",
         mode="644",
     )
+    if host.get_fact(SystemdStatus).get("nginx.service"):
+        systemd.service(
+            name="Stop nginx service to free port 80",
+            service="nginx",
+            running=False,
+        )
+
     systemd.service(
         name="Setup acmetool-redirector service",
         service="acmetool-redirector.service",

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -7,8 +7,9 @@ _imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
 _imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
 {chatmail_domain}.                   CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
 {chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} -all"
-_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
+_dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=s;aspf=s"
 _mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
+www.{chatmail_domain}.               CNAME {chatmail_domain}.
 _smtp._tls.{chatmail_domain}.        TXT "v=TLSRPTv1;rua=mailto:{email}"
 {dkim_entry}

cmdeploy/src/cmdeploy/dns.py

@@ -4,7 +4,6 @@ import requests
 import importlib
 import subprocess
 import datetime
-from ipaddress import ip_address
 
 
 class DNS:
@@ -37,21 +36,15 @@ class DNS:
 
     def get(self, typ: str, domain: str) -> str | None:
         """Get a DNS entry"""
-        dig_result = self.shell(f"dig {typ} {domain}")
+        dig_result = self.shell(f"dig -r -q {domain} -t {typ} +short")
-        line_num = 0
+        line = dig_result.partition("\n")[0]
-        for line in dig_result.splitlines():
+        if line:
-            line_num += 1
+            return line
-            if line.strip() == ";; ANSWER SECTION:":
-                return dig_result.splitlines()[line_num].split("\t")[-1]
 
-    def check_ptr_record(self, ip: str, mail_domain) -> str:
+    def check_ptr_record(self, ip: str, mail_domain) -> bool:
         """Check the PTR record for an IPv4 or IPv6 address."""
-        result = self.get("-x", ip)
+        result = self.shell(f"dig -r -x {ip} +short").rstrip()
-        if result:
+        return result == f"{mail_domain}."
-            if ip_address(ip).version == 6:
-                result = result.split()[-1]
-            if result[:-1] == mail_domain:
-                return result
 
 
 def show_dns(args, out):
@@ -67,6 +60,9 @@ def show_dns(args, out):
                 continue
             line = line.replace("\t", " ")
             lines.append(line)
+        lines[0] = f"dkim._domainkey.{mail_domain}. IN TXT " + lines[0].strip(
+            "dkim._domainkey IN TXT "
+        )
         return "\n".join(lines)
 
     print("Checking your DKIM keys and DNS entries...")
@@ -75,7 +71,9 @@ def show_dns(args, out):
     except subprocess.CalledProcessError:
         print("Please run `cmdeploy run` first.")
         return
-    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
+    dkim_entry = read_dkim_entries(
+        out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone")
+    )
 
     ipv6 = dns.get_ipv6()
     reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
@@ -149,8 +147,8 @@ def show_dns(args, out):
         domain, data = "\n".join(dkim_lines).split(" IN TXT ")
         current = dns.get("TXT", domain.strip()[:-1])
         if current:
-            current = "( %s )" % (current.replace('" "', '"\n "'))
+            current = "( %s" % (current.replace('" "', '"\n "'))
-            if current.replace(";", "\\;") != data:
+            if current != data:
                 to_print.append(dkim_entry)
         else:
             to_print.append(dkim_entry)
@@ -190,14 +188,14 @@ def check_necessary_dns(out, mail_domain):
     ipv4 = dns.get("A", mail_domain)
     ipv6 = dns.get("AAAA", mail_domain)
     mta_entry = dns.get("CNAME", "mta-sts." + mail_domain)
-    mta_ip = dns.get("A", mta_entry)
+    www_entry = dns.get("CNAME", "www." + mail_domain)
-    if not mta_ip:
-        mta_ip = dns.get("AAAA", mta_entry)
     to_print = []
     if not (ipv4 or ipv6):
         to_print.append(f"\t{mail_domain}.\t\t\tA<your server's IPv4 address>")
-    if not mta_ip or not (mta_ip == ipv4 or mta_ip == ipv6):
+    if mta_entry != mail_domain + ".":
         to_print.append(f"\tmta-sts.{mail_domain}.\tCNAME\t{mail_domain}.")
+    if www_entry != mail_domain + ".":
+        to_print.append(f"\twww.{mail_domain}.\tCNAME\t{mail_domain}.")
     if to_print:
         to_print.insert(
             0,

cmdeploy/src/cmdeploy/dovecot/auth.conf

@@ -1,5 +1,10 @@
 uri = proxy:/run/dovecot/doveauth.socket:auth
 iterate_disable = yes
 default_pass_scheme = plain
-password_key = passdb/%w/%u
+# %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
-user_key = userdb/%u
+# See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
+# for documentation.
+#
+# We escape user-provided input and use double quote as a separator.
+password_key = passdb/%Ew"%Eu
+user_key = userdb/%Eu

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -41,11 +41,19 @@ http {
 			try_files $uri $uri/ =404;
 		}
 
-                location /metrics {
+		location /metrics {
-                        default_type text/plain;
+			default_type text/plain;
-                }
+		}
 
-        # add cgi-bin support
+		# add cgi-bin support
-        include /usr/share/doc/fcgiwrap/examples/nginx.conf;
+		include /usr/share/doc/fcgiwrap/examples/nginx.conf;
+	}
+
+	# Redirect www. to non-www
+	server {
+		listen 443 ssl;
+		listen [::]:443 ssl;
+		server_name www.{{ config.domain_name }};
+		return 301 $scheme://{{ config.domain_name }}$request_uri;
 	}
 }

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -11,9 +11,8 @@ append_dot_mydomain = no
 
 readme_directory = no
 
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# See http://www.postfix.org/COMPATIBILITY_README.html
-# fresh installs.
+compatibility_level = 3.6
-compatibility_level = 2
 
 # TLS parameters
 smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain
@@ -47,5 +46,7 @@ inet_protocols = all
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
 
-smtpd_milters = unix:opendkim/opendkim.sock
+smtpd_milters = inet:127.0.0.1:11332
 non_smtpd_milters = $smtpd_milters
+
+header_checks = regexp:/etc/postfix/submission_header_cleanup

cmdeploy/src/cmdeploy/postfix/submission_header_cleanup

@@ -0,0 +1,4 @@
+/^Received:/            IGNORE
+/^X-Originating-IP:/    IGNORE
+/^X-Mailer:/            IGNORE
+/^User-Agent:/          IGNORE

cmdeploy/src/cmdeploy/rspamd/disabled.conf

@@ -0,0 +1 @@
+enabled = false;

cmdeploy/src/cmdeploy/rspamd/dkim_signing.conf.j2

@@ -0,0 +1,10 @@
+selector = {{ config.dkim_selector }}
+use_esld = false  # don't cut c1.testrun.org down to testrun.org
+domain = {
+    {{ config.mail_domain }} {
+        selectors [
+            selector = {{ config.dkim_selector }}
+            path = {{ config.dkim_key_path }}
+        ]
+    }
+}

cmdeploy/src/cmdeploy/rspamd/force_actions.conf

@@ -0,0 +1,30 @@
+rules {
+    REJECT_DKIM_SPF {
+        action = "reject";
+        # Reject if
+        #   - R_DKIM_RJECT: DKIM reject inserted by `dkim` module.
+        #   - R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
+        #   - No DKIM signing (R_DKIM_NA symbol inserted by `dkim` module)
+        #
+        #   - SPF failure (R_SPF_FAIL)
+        #   - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
+        #
+        #   - DMARC policy failure (DMARC_POLICY_REJECT)
+        #
+        # Do not reject if:
+        #   - R_DKIM_TEMPFAIL, it is a DNS resolution failure
+        #     and we do not want to lose messages because of faulty network.
+        #
+        #   - R_SPF_SOFTFAIL
+        #   - R_SPF_NEUTRAL
+        #   - R_SPF_DNSFAIL
+        #   - R_SPF_NA
+        #
+        #   - DMARC_DNSFAIL
+        #   - DMARC_NA
+        #   - DMARC_POLICY_SOFTFAIL
+        #   - DMARC_POLICY_QUARANTINE
+        #   - DMARC_BAD_POLICY
+        expression = "R_DKIM_REJECT | R_DKIM_PERMFAIL | R_DKIM_NA | R_SPF_FAIL | R_SPF_PERMFAIL | DMARC_POLICY_REJECT";
+    }
+}

cmdeploy/src/cmdeploy/rspamd/options.inc

@@ -0,0 +1 @@
+filters = "dkim";

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -14,3 +14,12 @@ def test_fastcgi_working(maildomain, chatmail_config):
     res = requests.post(url)
     assert maildomain in res.json().get("email")
     assert len(res.json().get("password")) > chatmail_config.password_min_length
+
+
+def test_newemail_configure(maildomain, rpc):
+    """Test configuring accounts by scanning a QR code works."""
+    url = f"DCACCOUNT:https://{maildomain}/cgi-bin/newemail.py"
+    for i in range(3):
+        account_id = rpc.add_account()
+        rpc.set_config_from_qr(account_id, url)
+        rpc.configure(account_id)

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -42,6 +42,16 @@ def test_reject_forged_from(cmsetup, maildata, gencreds, lp, forgeaddr):
     assert "500" in str(e.value)
 
 
+@pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"])
+def test_reject_missing_dkim(cmsetup, maildata, from_addr):
+    """Test that emails with missing or wrong DMARC, DKIM, and SPF entries are rejected."""
+    recipient = cmsetup.gen_users(1)[0]
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=recipient.addr).as_string()
+    with smtplib.SMTP(cmsetup.maildomain, 25) as s:
+        with pytest.raises(smtplib.SMTPDataError, match="Spam message rejected"):
+            s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
+
+
 @pytest.mark.slow
 def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
     """Test that the per-account send-mail limit is exceeded."""

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -1,7 +1,10 @@
 import time
 import re
 import random
+
 import pytest
+import requests
+import ipaddress
 
 
 class TestEndToEndDeltaChat:
@@ -119,3 +122,17 @@ class TestEndToEndDeltaChat:
             for msg in msgs:
                 assert "error" not in m.get_message_info()
             time.sleep(1)
+
+
+def test_hide_senders_ip_address(cmfactory):
+    public_ip = requests.get("http://icanhazip.com").content.decode().strip()
+    assert ipaddress.ip_address(public_ip)
+
+    user1, user2 = cmfactory.get_online_accounts(2)
+    chat = cmfactory.get_accepted_chat(user1, user2)
+
+    chat.send_text("testing submission header cleanup")
+    user2.wait_next_incoming_message()
+    user2.direct_imap.select_folder("Inbox")
+    msg = user2.direct_imap.get_all_messages()[0]
+    assert public_ip not in msg.obj.as_string()

www/src/info.md

@@ -3,7 +3,7 @@
 
 ## More information 
 
-`nine.testrun.org` provides a low-maintenance, resource efficient and 
+{{ config.mail_domain }} provides a low-maintenance, resource efficient and 
 interoperable e-mail service for everyone. What's behind a `chatmail` is 
 effectively a normal e-mail address just like any other but optimized 
 for the usage in chats, especially DeltaChat.