experiment with allowing "Encrypted Subject" which is what K-9 generates in english locale instead of the "..." that Delta Chat and thunderbird use

I installed pyenv and then installed Python 3.9:
$ pyenv install 3.9
$ eval "$(pyenv init -)"
$ pyenv shell 3.9

In a clean repository I ran
$ scripts/cmdeploy init
$ scripts/cmdeploy run
$ scripts/cmdeploy dns
$ scripts/cmdeploy fmt

With the changes made all these commands work.

scripts/cmdeploy test fails some tests
using maildata fixture at
  importlib.resources.files(__package__).joinpath("mail-data")
line but this is not critical.

chatmaild/src/chatmaild/doveauth.py

@@ -160,6 +160,19 @@ def handle_dovecot_request(msg, db, config: Config):
     return None
 
 
+def handle_dovecot_protocol(rfile, wfile, db: Database, config: Config):
+    while True:
+        msg = rfile.readline().strip().decode()
+        if not msg:
+            break
+        res = handle_dovecot_request(msg, db, config)
+        if res:
+            wfile.write(res.encode("ascii"))
+            wfile.flush()
+        else:
+            logging.warning("request had no answer: %r", msg)
+
+
 class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
     request_queue_size = 100
 
@@ -173,16 +186,7 @@ def main():
     class Handler(StreamRequestHandler):
         def handle(self):
             try:
-                while True:
-                    msg = self.rfile.readline().strip().decode()
-                    if not msg:
-                        break
-                    res = handle_dovecot_request(msg, db, config)
-                    if res:
-                        self.wfile.write(res.encode("ascii"))
-                        self.wfile.flush()
-                    else:
-                        logging.warn("request had no answer: %r", msg)
+                handle_dovecot_protocol(self.rfile, self.wfile, db, config)
             except Exception:
                 logging.exception("Exception in the handler")
                 raise

chatmaild/src/chatmaild/filtermail.py

@@ -17,7 +17,8 @@ def check_encrypted(message):
     """Check that the message is an OpenPGP-encrypted message."""
     if not message.is_multipart():
         return False
-    if message.get("subject") != "...":
+    subject = message.get("subject")
+    if subject not in ("...", "Encrypted Message"):
         return False
     if message.get_content_type() != "multipart/encrypted":
         return False

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -33,7 +33,7 @@ password_min_length = 9
 passthrough_senders =
 
 # list of e-mail recipients for which to accept outbound un-encrypted mails
-passthrough_recipients =
+passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
 
 #
 # Deployment Details

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,7 +1,7 @@
 
 [privacy]
 
-passthrough_recipients = privacy@testrun.org
+passthrough_recipients = privacy@testrun.org xstore@testrun.org groupsbot@hispanilandia.net
 
 privacy_postal =
     Merlinux GmbH, Represented by the managing director H. Krekel,

chatmaild/src/chatmaild/tests/mail-data/encrypted-k9.eml

@@ -0,0 +1,92 @@
+Date: Mon, 05 Feb 2024 12:22:17 +0100
+From: Jus <tqwertyjd@nine.testrun.org>
+To: REDACTED
+User-Agent: K-9 Mail for Android
+Message-ID: <A238D610-1471-4A32-B387-B07811665F6D@nine.testrun.org>
+Autocrypt: addr=tqwertyjd@nine.testrun.org; keydata=
+ mQGNBGWNXoMBDAC+D3Na6zJX8d8NEIIoYqcGsOeJCtPs4DZIE8x4nVIRewwG6+CU0/Su8J1sdNL8
+ InVYnE0DUnRfL9RpT/6oHPsbuN8Yo/xyZbc6Df0MgstrbkiIpIb6YdpMB9vnS9phpTDXuVXwOdb+
+ Q8woi46bZ4jdCm1x/5zW8e2fbahHSSFjDYTKydu3SVTeKPNVdHv9gG7SNQy0emOCP7NXxloi8+aR
+ 4fbgfWpm6yb/pJFDH6jmPZ8LK228qXqSv6urquaCu/yD4S+XR/DvGqj2lA/ntvNhDOjrK4gWt5EA
+ 4djfnTK6z/vt/IkSSca5ITjcbyPBpXnId896NQk76sAdG+K+mJGMJn9YahoI4UvISfCp/B5Fw3Bq
+ 5NmeL5zKN14R5AW5E/Y2J693MJ+VubRoB3VR/RZi5ZeEd1aLkxhqITv6m8FRXrSpC6fIhbqAZGmm
+ 91OAAVNn5/MqaAaWJ5iUKGlNJrDFHVBXEpNah24FEoe6olNiBDNnWJ9tqOmZIiIDPCl8FIEAEQEA
+ AbQadHF3ZXJ0eWpkQG5pbmUudGVzdHJ1bi5vcmeJAbAEEwEKABoECwkIBwIVCgIWAQIZAAWCZY1e
+ gwKeAQKbAwAKCRDtNhlhxu8KoFcjDACfMwEEuEStLsY8Wo/r/mmhZKLjgwRgdcVV7sFpksgk+Myy
+ UyL5VUEi9KVd4lKWNqDSi9S67lW+6hwf/kUrycVIT5AA0i8ZXdtroUpkUIwMOaSEfGpUhPI/kQbz
+ wqYJYES1XPqtpUmL4WR+52CHwtEeKZp+jiKnSNeh1QocBYjld0617dpb6XnAVl+69sQUHioxX7Bu
+ c60CuABcFw78/9hvzX37NC7mvP1vbYS7iEze5p2CUweKtrnnDJpi+oBLAucKQRErIUfJUV/XFdE4
+ j4m+NWAtcnyRVx3WruEWW+fzzb7+fc3fwV8pGCUcD4cb/Bzssg3LVLQiBENRXTmTc5RFxQXWbZae
+ 5f6VLAkVEdoxOMVT2dCjLbwo1nPl9emTTIneRLjLX/cTNdbVZuq/Kv/SoXa05ayljSlZmrCF8k3x
+ zESSeJLrrHkoSPoXECeAJbZyMYmOxZPZChVQhUCxDBAR9wzJmLoHBxoDxYMq16S+Ws4Z+lR2cHj2
+ 4lFAMIzCKsy5AY0EZY1egwEMAIkCo235tKDEUjcW8w77AHFf6+W0183E7US8ze3C8T3UUDsh1nQn
+ h+nZFOnKBRNQHUwRzWgV0ZQmllTrZt67fHOwywqHtaQMe90cZXbvhVoTzehw3B9bYT1j/24LDMy/
+ /eQBZuQeSlcLD6+BC0ro7EGxn5T24CAsmMjrI2ppjgZFlcXo9bA+Xp6rI/HX8AQgWbbegtGnSIDB
+ K20+e+xWANaWUsSBhIwsx2qz0IEq+RER60Zd1xZ41acVyNbDHNocEBnfzOF4GXRAz4M/v9l7ABep
+ 21ALLC/OOKuC8cZDeY+HAbJ0qxggh//+ucpfBF0poOQDJzfNaOGysfn/0NGfxRVbFJc8fNc9P5+K
+ fnjm4RdNkwQRXQeQfqPU9a4AlAH5vl8zHabyYIJUUtP+b7VF6VPfSVzJ+h4BPPIVS/TqKQM6HShX
+ rGs9/DcXfDfcIXxhAfo2M+VKkrlunBev0OrhIDLNn5IigNIa78ZN9cZ/3SZVTfOzFnFuFtnO50tv
+ q5OpvQARAQABiQGfBBgBCgAJBYJljV6DApsMAAoJEO02GWHG7wqgwnQL/ijcTiKNO2Cw4pvgggbL
+ 8e2mgXCQn0aNufbYeylGdX/BP2SMRku5OubjESU0oMVx/Hhy19UkUFhCuOeouSNsbTd6w8Ou+nkh
+ 6bs4KJvhMUFVQe6dE8Reci3EoImcTxV9nqWuvhdXkPddht9Pa5PoRpJlpWxHKpMfrPwWtbW/J8qn
+ dnnc+x9FqxLVY+Z75GbrrMI/I2ClvbfgMnOGQxyZRhcPesiaMyp4bYbX3zxrIZXSG68CQERiMXk8
+ UAeZFPgnm4Hh0rP5cn9enn8tj67ruFsEAU3YMi7eOVOSFlamjH0PTVr3ztdoMathEL7n1s5ksk5b
+ Rgo0SgQy4OgApJIB0B16Zhcd66I4sTZLb2RRkFO9uHDFIOuJGTqYfR3ZjWlEftfxW80g7uLZYwfW
+ gzMOEa9jSZpfWpiWDYfVYcHqQTOAoyc1ndwJno/4pO+kRmYoIUaoBqNqiqNtnTl9eiJHcb8kuaxa
+ PP5Qy9N6C2QONUAb4aFBPe0cYXQ6AUnOqBmd3w==
+Subject: Encrypted Message
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Type: multipart/encrypted; boundary="----GAXGEBIG1Q6UA7H3D91DE8MM3Q54OF";
+  protocol="application/pgp-encrypted"
+
+------GAXGEBIG1Q6UA7H3D91DE8MM3Q54OF
+Content-Type: application/pgp-encrypted
+Content-Transfer-Encoding: quoted-printable
+
+Version: 1
+------GAXGEBIG1Q6UA7H3D91DE8MM3Q54OF
+Content-Type: application/octet-stream; name="encrypted.asc"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="encrypted.asc"
+
+-----BEGIN PGP MESSAGE-----
+
+hQGMAzhWohyp3KpBAQwAp76KkR97c29iXj6XwvYIom2c5jx9tNWBKR4t/oz1ltuh
+LR2NUAOxL2dNxBY8AFlFK8G6nWwDt29nOQhmPCSImI/WcG0NqIzZ3Sc+fTbBvnPy
+ne62g686UoE9la7qBSlNo0loQaJOBJ1MnFiVJ8o/p49TV1QoLAxXcaHp9eCs1lDa
+g+wWAxnoCANvPKQLTyDKHC98VBXeiNZuJuXK+yVcLojo/4Bd32py/a2eOKZcQMXs
+DGYZrL5ldphApUlD0R8cNjUA6AfIfwf6kBvN9GgacRFOLUMtP5/7CoYmZJd4ia8o
+8T1WjqlNZtwVcWLRe36Ry9aatavYhjtn5FPr7E/RO9BB0kDYMR5HkaT+WZgDQV1V
+/yaWzPSTP9tuCb4ZWz9St5K2zEcoTKpGbNwmX9YLr0tbcym+nLo6kB8ikD2nN3of
+d5aoDeKutoecMLGIF9pseJAGVkHqKj6FQ/kYYrKDlsA0kqvHuSHj/tI2ANB60TME
+diEy6e+wOn/V+Aq7AImphQGMA+7z+cqPiMawAQv8DtpHdiBdRkW85ZURmEsQQUKy
+6PsMqtRXE/kqU4O1HVyUWsUknDNtbziQDpmcfv1FZzJryLgrHNYbObgsbCgGJ/Ru
+3ahQwOkcHV6lzDZCwYs7QjYLAuw8SvWIISvqYOCHS0x/T0b/kjr3Gl+RJSvt78WW
+YhO0R9z/JagTn+uiHjbmAtN2yJyyk5AfLySZ7gixMkkUlz87AAHVpwopNXdzsJKP
+Qa4Kkc2BUWDCz9JLNEc8U2XmMXLEiXxOBKuvCaDqLnPORP2I7PZnXwyanB8ti10h
+Li3U5R5+/n4TmQwF3e7lbJSpkZAPxBrRNxwASqa5nzm90/SWpYhkZBgWder1vFJA
+rGOK7zOXFYxG6/SsRhftJPW8RC4MM5icK5Au+uUfA3Idosq49tZirjx6t9hdEjDK
+bh1Xj5EbJj78q8LqZhpd3SZD2jFa7TKrfGgtxujEujUtojf/VEcAmwKtxkuP7T12
+OktKIZ3BmeRiUfQVrPUoi/Y/VgBIj9wWQaDuh4QX0sJjAWigCK6gOWqYtWUEjVtL
+PeJB7ZMTTsivKxSS0/uhOap3Ur7nq8vofCY5g60uSAPXsbjIH/ZEAIbS2Stw+pxu
+PzG43YLXuvIOClmQ5iJtjPriUcXAWgf2/Ntcev3pIyuCvKHdrKCDADq871SWUyKj
+1/qmw4YNvGVVfmys1d77KO+TGZeKm5j9XhmJ8WJGw2g8uFKEj9IeZlfPNmhF2dtL
+xVjl/lrJPsZPepzh2MOHh78lHD9zq4voAPog2FXogBiZ4xKWVXPswiqOnHwFe9dn
+yOo3cM6dWKXDhOHWK6a8dF9NQ2Q7RrHlXrXwbfeS7ZQ9llXRa0auPkRQKK0XzdhK
+5otAcu0x65aw40hWOTboJR4AN3ypf8okLLN4fnB1kKaVIdMoWlYdTot3ezt0vy99
+cqpKH6/w6pzxRufezW11bxBFYEPnFzhoblN2VuChPFY2nleiifBS+aaKt2EzF1q5
+iL+dfvJupFXQtKyk8mLBB1QKl/qnBIAJchCeJET4xMpWvAhnluLbT9NO3G1uvN11
+U9ZWi9yhZbYxCubYdVYmI6ZD0NIOxV5kTLdRbWm+Ctz+Lm3I/8bO68J73qqKWbYQ
+rNEhj8QUAmKCdrFGufKp7t7wjgSG+h4/U5Xb+/glPuNgVF110BgbgUaAPGvttQO6
+M+QnelZeb4B525Gj7VYDDVcrEjKDK2kXidxfo8nKN3HFM+eU1cWBJqtJHJXbZ5XZ
+d1pmDypu3O8gOs/re1AVdYdGDou8axCC/yTTwbbbgNFxp88CBUe/Xzoaky4ZKunQ
+Q3rlpD9ayzE7Lp0NvxH90pQWsxDCEkJaADbwcbYtOmvoR1uUAfo2NwWuITG70iFz
+v0lqoiezn7D2J9XutpASQQInJus0gvy0ywjh3XirSoeZ2D4l6XcGMJjz7XNjzfnc
+B4lmHQiGbKsfkPyLdPNkobUHjA2TzyEqxs/tAyMSypo9UwNiGsn2NdMs7oif/xiQ
+X+/e2t5Rm+AJk9U7QYPN8o++px+JDZ+r3PkVAWW4c9rHgzf98Lo6pbt5h4eBrt/X
+MrxVY64iHOwasTdMu9F+fv8+akI=
+=Dj6B
+-----END PGP MESSAGE-----
+
+------GAXGEBIG1Q6UA7H3D91DE8MM3Q54OF--

chatmaild/src/chatmaild/tests/plugin.py

@@ -1,4 +1,6 @@
 import random
+from pathlib import Path
+import os
 import importlib.resources
 import itertools
 from email.parser import BytesParser
@@ -57,7 +59,12 @@ def db(tmpdir):
 
 @pytest.fixture
 def maildata(request):
-    datadir = importlib.resources.files(__package__).joinpath("mail-data")
+    try:
+        datadir = importlib.resources.files(__package__).joinpath("mail-data")
+    except TypeError:
+        # in python3.9 or lower, the above doesn't work, so we get datadir this way:
+        datadir = Path(os.getcwd()).joinpath("chatmaild/src/chatmaild/tests/mail-data")
+
     assert datadir.exists(), datadir
 
     def maildata(name, from_addr, to_addr):

chatmaild/src/chatmaild/tests/test_config.py

@@ -28,5 +28,5 @@ def test_read_config_testrun(make_config):
     assert config.username_min_length == 9
     assert config.username_max_length == 9
     assert config.password_min_length == 9
-    assert config.passthrough_recipients == ["privacy@testrun.org"]
+    assert "privacy@testrun.org" in config.passthrough_recipients
     assert config.passthrough_senders == []

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -1,11 +1,17 @@
+import io
 import json
 import pytest
-import threading
 import queue
+import threading
 import traceback
 
 import chatmaild.doveauth
-from chatmaild.doveauth import get_user_data, lookup_passdb, handle_dovecot_request
+from chatmaild.doveauth import (
+    get_user_data,
+    lookup_passdb,
+    handle_dovecot_request,
+    handle_dovecot_protocol,
+)
 from chatmaild.database import DBError
 
 
@@ -69,6 +75,15 @@ def test_handle_dovecot_request(db, example_config):
     assert userdata["password"].startswith("{SHA512-CRYPT}")
 
 
+def test_handle_dovecot_protocol(db, example_config):
+    rfile = io.BytesIO(
+        b"H3\t2\t0\t\tauth\nLshared/userdb/foobar@chat.example.org\tfoobar@chat.example.org\n"
+    )
+    wfile = io.BytesIO()
+    handle_dovecot_protocol(rfile, wfile, db, example_config)
+    assert wfile.getvalue() == b"N\n"
+
+
 def test_50_concurrent_lookups_different_accounts(db, gencreds, example_config):
     num_threads = 50
     req_per_thread = 5

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -63,6 +63,17 @@ def test_filtermail_encryption_detection(maildata):
     assert not check_encrypted(msg)
 
 
+def test_filtermail_encryption_detection_k9subject(maildata):
+    msg = maildata(
+        "encrypted-k9.eml", from_addr="1@example.org", to_addr="2@example.org"
+    )
+    assert check_encrypted(msg)
+
+    # if the subject is not "..." it is not considered ac-encrypted
+    msg.replace_header("Subject", "Click this link")
+    assert not check_encrypted(msg)
+
+
 def test_filtermail_is_mdn(maildata, gencreds, handler):
     from_addr = gencreds()[0]
     to_addr = gencreds()[0] + ".other"

cmdeploy/src/cmdeploy/__init__.py

@@ -1,6 +1,7 @@
 """
 Chat Mail pyinfra deploy.
 """
+
 import sys
 import importlib.resources
 import subprocess
@@ -126,6 +127,107 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         )
 
 
+def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
+    """Configures OpenDKIM"""
+    need_restart = False
+
+    server.group(name="Create opendkim group", group="opendkim", system=True)
+    server.user(
+        name="Create opendkim user",
+        user="opendkim",
+        groups=["opendkim"],
+        system=True,
+    )
+    server.user(
+        name="Add postfix user to opendkim group for socket access",
+        user="postfix",
+        groups=["opendkim"],
+        system=True,
+    )
+
+    main_config = files.template(
+        src=importlib.resources.files(__package__).joinpath("opendkim/opendkim.conf"),
+        dest="/etc/opendkim.conf",
+        user="root",
+        group="root",
+        mode="644",
+        config={"domain_name": domain, "opendkim_selector": dkim_selector},
+    )
+    need_restart |= main_config.changed
+
+    screen_script = files.put(
+        src=importlib.resources.files(__package__).joinpath("opendkim/screen.lua"),
+        dest="/etc/opendkim/screen.lua",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= screen_script.changed
+
+    final_script = files.put(
+        src=importlib.resources.files(__package__).joinpath("opendkim/final.lua"),
+        dest="/etc/opendkim/final.lua",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= final_script.changed
+
+    files.directory(
+        name="Add opendkim directory to /etc",
+        path="/etc/opendkim",
+        user="opendkim",
+        group="opendkim",
+        mode="750",
+        present=True,
+    )
+
+    keytable = files.template(
+        src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"),
+        dest="/etc/dkimkeys/KeyTable",
+        user="opendkim",
+        group="opendkim",
+        mode="644",
+        config={"domain_name": domain, "opendkim_selector": dkim_selector},
+    )
+    need_restart |= keytable.changed
+
+    signing_table = files.template(
+        src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"),
+        dest="/etc/dkimkeys/SigningTable",
+        user="opendkim",
+        group="opendkim",
+        mode="644",
+        config={"domain_name": domain, "opendkim_selector": dkim_selector},
+    )
+    need_restart |= signing_table.changed
+    files.directory(
+        name="Add opendkim socket directory to /var/spool/postfix",
+        path="/var/spool/postfix/opendkim",
+        user="opendkim",
+        group="opendkim",
+        mode="750",
+        present=True,
+    )
+
+    apt.packages(
+        name="apt install opendkim opendkim-tools",
+        packages=["opendkim", "opendkim-tools"],
+    )
+
+    if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
+        server.shell(
+            name="Generate OpenDKIM domain keys",
+            commands=[
+                f"opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
+            ],
+            _sudo=True,
+            _sudo_user="opendkim",
+        )
+
+    return need_restart
+
+
 def _install_mta_sts_daemon() -> bool:
     need_restart = False
 
@@ -200,6 +302,16 @@ def _configure_postfix(config: Config, debug: bool = False) -> bool:
     )
     need_restart |= header_cleanup.changed
 
+    # Login map that 1:1 maps email address to login.
+    login_map = files.put(
+        src=importlib.resources.files(__package__).joinpath("postfix/login_map"),
+        dest="/etc/postfix/login_map",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= login_map.changed
+
     return need_restart
 
 
@@ -305,105 +417,9 @@ def _configure_nginx(domain: str, debug: bool = False) -> bool:
     return need_restart
 
 
-def remove_opendkim() -> None:
-    """Remove OpenDKIM, deprecated"""
-    files.file(
-        name="Remove legacy opendkim.conf",
-        path="/etc/opendkim.conf",
-        present=False,
-    )
-
-    files.directory(
-        name="Remove legacy opendkim socket directory from /var/spool/postfix",
-        path="/var/spool/postfix/opendkim",
-        present=False,
-    )
-
-    apt.packages(name="Remove openDKIM", packages="opendkim", present=False)
-
-
-def _configure_rspamd(dkim_selector: str, mail_domain: str) -> bool:
-    """Configures rspamd for Rate Limiting."""
-    need_restart = False
-
-    apt.packages(
-        name="apt install rspamd",
-        packages="rspamd",
-    )
-
-    for module in ["phishing", "rbl", "hfilter", "ratelimit"]:
-        disabled_module_conf = files.put(
-            name=f"disable {module} rspamd plugin",
-            src=importlib.resources.files(__package__).joinpath("rspamd/disabled.conf"),
-            dest=f"/etc/rspamd/local.d/{module}.conf",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= disabled_module_conf.changed
-
-    options_inc = files.put(
-        name="disable fuzzy checks",
-        src=importlib.resources.files(__package__).joinpath("rspamd/options.inc"),
-        dest="/etc/rspamd/local.d/options.inc",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= options_inc.changed
-
-    # https://rspamd.com/doc/modules/force_actions.html
-    force_actions_conf = files.put(
-        name="Set up rules to reject on DKIM, SPF and DMARC fails",
-        src=importlib.resources.files(__package__).joinpath(
-            "rspamd/force_actions.conf"
-        ),
-        dest="/etc/rspamd/local.d/force_actions.conf",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= force_actions_conf.changed
-
-    dkim_directory = "/var/lib/rspamd/dkim/"
-    dkim_key_path = f"{dkim_directory}{mail_domain}.{dkim_selector}.key"
-    dkim_dns_file = f"{dkim_directory}{mail_domain}.{dkim_selector}.zone"
-
-    dkim_config = files.template(
-        src=importlib.resources.files(__package__).joinpath(
-            "rspamd/dkim_signing.conf.j2"
-        ),
-        dest="/etc/rspamd/local.d/dkim_signing.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config={
-            "dkim_selector": str(dkim_selector),
-            "mail_domain": mail_domain,
-            "dkim_key_path": dkim_key_path,
-        },
-    )
-    need_restart |= dkim_config.changed
-
-    files.directory(
-        name="ensure DKIM key directory exists",
-        path=dkim_directory,
-        present=True,
-        user="_rspamd",
-        group="_rspamd",
-    )
-
-    if not host.get_fact(File, dkim_key_path):
-        server.shell(
-            name="Generate DKIM domain keys with rspamd",
-            commands=[
-                f"rspamadm dkim_keygen -b 2048 -s {dkim_selector} -d {mail_domain} -k {dkim_key_path} > {dkim_dns_file}"
-            ],
-            _sudo=True,
-            _sudo_user="_rspamd",
-        )
-
-    return need_restart
+def _remove_rspamd() -> None:
+    """Remove rspamd"""
+    apt.packages(name="Remove rspamd", packages="rspamd", present=False)
 
 
 def check_config(config):
@@ -494,15 +510,15 @@ def deploy_chatmail(config_path: Path) -> None:
     mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(mail_domain)
 
-    remove_opendkim()
-    rspamd_need_restart = _configure_rspamd("dkim", mail_domain)
+    _remove_rspamd()
+    opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
 
     systemd.service(
-        name="Start and enable rspamd",
-        service="rspamd.service",
+        name="Start and enable OpenDKIM",
+        service="opendkim.service",
         running=True,
         enabled=True,
-        restarted=rspamd_need_restart,
+        restarted=opendkim_need_restart,
     )
 
     systemd.service(

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -11,5 +11,5 @@ _dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
 _mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
 mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
 www.{chatmail_domain}.               CNAME {chatmail_domain}.
-_smtp._tls.{chatmail_domain}.        TXT "v=TLSRPTv1;rua=mailto:{email}"
 {dkim_entry}
+_adsp._domainkey.{chatmail_domain}.  TXT "dkim=discardable"

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -2,6 +2,7 @@
 Provides the `cmdeploy` entry point function,
 along with command line option and subcommand parsing.
 """
+
 import argparse
 import shutil
 import subprocess

cmdeploy/src/cmdeploy/dns.py

@@ -5,6 +5,8 @@ import importlib
 import subprocess
 import datetime
 
+from typing import Optional
+
 
 class DNS:
     def __init__(self, out, mail_domain):
@@ -34,7 +36,7 @@ class DNS:
         cmd = "ip a | grep inet6 | grep 'scope global' | sed -e 's#/64 scope global##' | sed -e 's#inet6##'"
         return self.shell(cmd).strip()
 
-    def get(self, typ: str, domain: str) -> str | None:
+    def get(self, typ: str, domain: str) -> Optional[str]:
         """Get a DNS entry"""
         dig_result = self.shell(f"dig -r -q {domain} -t {typ} +short")
         line = dig_result.partition("\n")[0]
@@ -54,27 +56,25 @@ def show_dns(args, out) -> int:
     ssh = f"ssh root@{mail_domain}"
     dns = DNS(out, mail_domain)
 
-    def read_dkim_entries(entry):
-        lines = []
-        for line in entry.split("\n"):
-            if line.startswith(";") or not line.strip():
-                continue
-            line = line.replace("\t", " ")
-            lines.append(line)
-        lines[0] = f"dkim._domainkey.{mail_domain}. IN TXT " + lines[0].strip(
-            "dkim._domainkey IN TXT "
-        )
-        return "\n".join(lines)
-
     print("Checking your DKIM keys and DNS entries...")
     try:
         acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
     except subprocess.CalledProcessError:
         print("Please run `cmdeploy run` first.")
         return 1
-    dkim_entry = read_dkim_entries(
-        out.shell_output(f"{ssh} -- cat /var/lib/rspamd/dkim/{mail_domain}.dkim.zone")
+
+    dkim_selector = "opendkim"
+    dkim_pubkey = out.shell_output(
+        ssh + f" -- openssl rsa -in /etc/dkimkeys/{dkim_selector}.private"
+        " -pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'"
     )
+    dkim_entry_value = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
+    dkim_entry_str = ""
+    while len(dkim_entry_value) >= 255:
+        dkim_entry_str += '"' + dkim_entry_value[:255] + '" '
+        dkim_entry_value = dkim_entry_value[255:]
+    dkim_entry_str += '"' + dkim_entry_value + '"'
+    dkim_entry = f"{dkim_selector}._domainkey.{mail_domain}. TXT {dkim_entry_str}"
 
     ipv6 = dns.get_ipv6()
     reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
@@ -87,7 +87,6 @@ def show_dns(args, out) -> int:
             f.read()
             .format(
                 acme_account_url=acme_account_url,
-                email=f"root@{args.config.mail_domain}",
                 sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
                 chatmail_domain=args.config.mail_domain,
                 dkim_entry=dkim_entry,
@@ -103,11 +102,9 @@ def show_dns(args, out) -> int:
             return 0
         except TypeError:
             pass
-        started_dkim_parsing = False
         for line in zonefile.splitlines():
             line = line.format(
                 acme_account_url=acme_account_url,
-                email=f"root@{args.config.mail_domain}",
                 sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
                 chatmail_domain=args.config.mail_domain,
                 dkim_entry=dkim_entry,
@@ -131,28 +128,23 @@ def show_dns(args, out) -> int:
                 current = dns.get("SRV", domain[:-1])
                 if current != f"{prio} {weight} {port} {value}":
                     to_print.append(line)
-            if "  TXT " in line:
+            if " TXT " in line:
                 domain, value = line.split(" TXT ")
                 current = dns.get("TXT", domain.strip()[:-1])
                 if domain.startswith("_mta-sts."):
                     if current:
                         if current.split("id=")[0] == value.split("id=")[0]:
                             continue
-                if current != value:
+
+                # TXT records longer than 255 bytes
+                # are split into multiple <character-string>s.
+                # This typically happens with DKIM record
+                # which contains long RSA key.
+                #
+                # Removing `" "` before comparison
+                # to get back a single string.
+                if current.replace('" "', "") != value.replace('" "', ""):
                     to_print.append(line)
-            if " IN TXT ( " in line:
-                started_dkim_parsing = True
-                dkim_lines = [line]
-            if started_dkim_parsing and line.startswith('"'):
-                dkim_lines.append(" " + line)
-        domain, data = "\n".join(dkim_lines).split(" IN TXT ")
-        current = dns.get("TXT", domain.strip()[:-1])
-        if current:
-            current = "( %s" % (current.replace('" "', '"\n "'))
-            if current != data:
-                to_print.append(dkim_entry)
-        else:
-            to_print.append(dkim_entry)
 
     exit_code = 0
     if to_print:

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -13,13 +13,15 @@ auth_cache_size = 100M
 mail_debug = yes
 {% endif %}
 
+mail_server_admin = mailto:root@{{ config.mail_domain }}
+mail_server_comment = Chatmail server
 
 mail_plugins = quota
 
 # these are the capabilities Delta Chat cares about actually 
 # so let's keep the network overhead per login small
 # https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
-imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE NOTIFY
+imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE NOTIFY METADATA
 
 
 # Authentication for system users.
@@ -73,6 +75,7 @@ mail_privileged_group = vmail
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
   mail_plugins = $mail_plugins imap_zlib imap_quota
+  imap_metadata = yes
 }
 
 protocol lmtp {

cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2

@@ -1,10 +1,10 @@
 # delete all mails after {{ config.delete_mails_after }} days, in the Inbox
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/cur -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 # or in any IMAP subfolder
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/cur -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 # even if they are unseen
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/new -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/new -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/new/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 # or only temporary (but then they shouldn't be around after {{ config.delete_mails_after }} days anyway).
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/tmp -mtime +{{ config.delete_mails_after }} -type f -delete
-2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/tmp -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -58,8 +58,19 @@ http {
 		}
 
 		# Old URL for compatibility with e.g. printed QR codes.
+		#
+		# Copy-paste instead of redirect to /new
+		# because Delta Chat core does not follow redirects.
+		#
+		# Redirects are only for browsers.
 		location /cgi-bin/newemail.py {
-			return 301 /new;
+			if ($request_method = GET) {
+				return 301 dcaccount:https://{{ config.domain_name }}/new;
+			}
+
+			fastcgi_pass unix:/run/fcgiwrap.socket;
+			include /etc/nginx/fastcgi_params;
+			fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
 		}
 	}
 

cmdeploy/src/cmdeploy/opendkim/KeyTable

@@ -1 +1 @@
-dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private
+{{ config.opendkim_selector }}._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/{{ config.opendkim_selector }}.private

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -0,0 +1,28 @@
+if odkim.internal_ip(ctx) == 1 then
+	-- Outgoing message will be signed,
+	-- no need to look for signatures.
+	return nil
+end
+
+nsigs = odkim.get_sigcount(ctx)
+if nsigs == nil then
+	return nil
+end
+
+for i = 1, nsigs do
+        sig = odkim.get_sighandle(ctx, i - 1)
+        sigres = odkim.sig_result(sig)
+
+	-- All signatures that do not correspond to From: 
+	-- were ignored in screen.lua and return sigres -1.
+	-- 
+	-- Any valid signature that was not ignored like this
+	-- means the message is acceptable.
+	if sigres == 0 then
+		return nil
+	end	
+end
+
+odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
+odkim.set_result(ctx, SMFIS_REJECT)
+return nil

cmdeploy/src/cmdeploy/opendkim/opendkim.conf

@@ -8,10 +8,12 @@ SyslogSuccess		yes
 # oversigned, because it is often the identity key used by reputation systems
 # and thus somewhat security sensitive.
 Canonicalization	relaxed/simple
-#Mode			sv
-#SubDomains		no
 OversignHeaders		From
 
+On-BadSignature         reject
+On-KeyNotFound          reject
+On-NoSignature          reject
+
 # Signing domain, selector, and key (required). For example, perform signing
 # for domain "example.com" with selector "2020" (2020._domainkey.example.com),
 # using the private key stored in /etc/dkimkeys/example.private. More granular
@@ -22,6 +24,15 @@ KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
 KeyTable          /etc/dkimkeys/KeyTable
 SigningTable      refile:/etc/dkimkeys/SigningTable
 
+# Sign Autocrypt header in addition to the default specified in RFC 6376.
+SignHeaders *,+autocrypt
+
+# Script to ignore signatures that do not correspond to the From: domain.
+ScreenPolicyScript /etc/opendkim/screen.lua
+
+# Script to reject mails without a valid DKIM signature.
+FinalPolicyScript /etc/opendkim/final.lua
+
 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
 # user (for example, Postfix). You may need to add user "postfix" to group
@@ -29,22 +40,10 @@ SigningTable      refile:/etc/dkimkeys/SigningTable
 UserID			opendkim
 UMask			007
 
-# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
-# it must be ensured that the socket is accessible. In Debian, Postfix runs in
-# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
-# configured as shown on the last line below.
-#Socket			local:/run/opendkim/opendkim.sock
-#Socket			inet:8891@localhost
-#Socket			inet:8891
 Socket			local:/var/spool/postfix/opendkim/opendkim.sock
 
 PidFile			/run/opendkim/opendkim.pid
 
-# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
-# OPERATION section of opendkim(8) for more information.
-#InternalHosts		192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
-
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile		/usr/share/dns/root.key
-#Nameservers		127.0.0.1

cmdeploy/src/cmdeploy/opendkim/screen.lua

@@ -0,0 +1,21 @@
+-- Ignore signatures that do not correspond to the From: domain.
+
+from_domain = odkim.get_fromdomain(ctx)
+if from_domain == nil then
+	return nil
+end
+
+n = odkim.get_sigcount(ctx)
+if n == nil then
+	return nil
+end
+
+for i = 1, n do
+	sig = odkim.get_sighandle(ctx, i - 1)
+	sig_domain = odkim.sig_getdomain(sig)
+	if from_domain ~= sig_domain then
+		odkim.sig_ignore(sig)
+	end
+end
+
+return nil

cmdeploy/src/cmdeploy/postfix/login_map

@@ -0,0 +1 @@
+/^(.*)$/	${1}

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -23,6 +23,31 @@ smtp_tls_CApath=/etc/ssl/certs
 smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+smtpd_tls_protocols = >=TLSv1.2
+
+# Disable anonymous cipher suites
+# and known insecure algorithms.
+#
+# Disabling anonymous ciphers
+# does not generally improve security
+# because clients that want to verify certificate
+# will not select them anyway,
+# but makes cipher suite list shorter and security scanners happy.
+# See <https://www.postfix.org/TLS_README.html> for discussion.
+#
+# Only ancient insecure ciphers should be disabled here
+# as MTA clients that do not support more secure cipher
+# likely do not support MTA-STS either and will
+# otherwise fall back to using plaintext connection.
+smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
+
+# Override client's preference order.
+# <https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist>
+#
+# This is mostly to ensure cipher suites with forward secrecy
+# are preferred over non cipher suites without forward secrecy.
+# See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
+tls_preempt_cipherlist = yes
 
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 myhostname = {{ config.mail_domain }}
@@ -46,7 +71,9 @@ inet_protocols = all
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
 
-smtpd_milters = inet:127.0.0.1:11332
-non_smtpd_milters = $smtpd_milters
+mua_client_restrictions = permit_sasl_authenticated, reject
+mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
+mua_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
 
-header_checks = regexp:/etc/postfix/submission_header_cleanup
+# 1:1 map MAIL FROM to SASL login name.
+smtpd_sender_login_maps = regexp:/etc/postfix/login_map

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -11,13 +11,10 @@
 # ==========================================================================
 {% if debug == true %}
 smtp      inet  n       -       y       -       -       smtpd -v
-{% else %}
+{%- else %}
 smtp      inet  n       -       y       -       -       smtpd 
-{% endif %}
-#smtp      inet  n       -       y       -       1       postscreen
-#smtpd     pass  -       -       y       -       -       smtpd
-#dnsblog   unix  -       -       y       -       0       dnsblog
-#tlsproxy  unix  -       -       y       -       0       tlsproxy
+{%- endif %}
+  -o smtpd_milters=unix:opendkim/opendkim.sock
 submission inet n       -       y       -       -       smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
@@ -34,6 +31,7 @@ submission inet n       -       y       -       -       smtpd
   -o milter_macro_daemon_name=ORIGINATING
   -o smtpd_client_connection_count_limit=1000
   -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
+  -o cleanup_service_name=authclean
 smtps     inet  n       -       y       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
@@ -50,6 +48,7 @@ smtps     inet  n       -       y       -       -       smtpd
   -o smtpd_client_connection_count_limit=1000
   -o milter_macro_daemon_name=ORIGINATING
   -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
+  -o cleanup_service_name=authclean
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
@@ -80,3 +79,14 @@ filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting filered mail.
 localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
   -o syslog_name=postfix/reinject
+  -o smtpd_milters=unix:opendkim/opendkim.sock
+  -o cleanup_service_name=authclean
+
+# Cleanup `Received` headers for authenticated mail
+# to avoid leaking client IP.
+#
+# We do not do this for received mails
+# as this will break DKIM signatures
+# if `Received` header is signed.
+authclean unix  n       -       -       -       0       cleanup
+  -o header_checks=regexp:/etc/postfix/submission_header_cleanup

cmdeploy/src/cmdeploy/rspamd/disabled.conf

@@ -1 +0,0 @@
-enabled = false;

cmdeploy/src/cmdeploy/rspamd/dkim_signing.conf.j2

@@ -1,10 +0,0 @@
-selector = {{ config.dkim_selector }}
-use_esld = false  # don't cut c1.testrun.org down to testrun.org
-domain = {
-    {{ config.mail_domain }} {
-        selectors [
-            selector = {{ config.dkim_selector }}
-            path = {{ config.dkim_key_path }}
-        ]
-    }
-}

cmdeploy/src/cmdeploy/rspamd/force_actions.conf

@@ -1,60 +0,0 @@
-rules {
-    ## Reject on missing or invalid DKIM signatures.
-    ##
-    ## We require DKIM signature on incoming mails regardless of DMARC policy.
-
-    # R_DKIM_REJECT: DKIM reject inserted by `dkim` module.
-    REJECT_INVALID_DKIM {
-        action = "reject";
-        expression = "R_DKIM_REJECT";
-        message = "Rejected due to invalid DKIM signature";
-    }
-
-    # R_DKIM_PERMFAIL: permanent failure inserted by `dkim` module e.g. no DKIM DNS record found.
-    REJECT_PERMFAIL_DKIM {
-        action = "reject";
-        expression = "R_DKIM_PERMFAIL";
-        message = "Rejected due to missing DKIM DNS entry";
-    }
-
-    # No DKIM signature (R_DKIM_NA symbol inserted by `dkim` module).
-    REJECT_MISSING_DKIM {
-        action = "reject";
-        expression = "R_DKIM_NA";
-        message = "Rejected due to missing DKIM signature";
-    }
-
-
-    ## Reject on SPF failure.
-
-    # - SPF failure (R_SPF_FAIL)
-    # - SPF permanent failure, e.g. failed to resolve DNS record referenced from SPF (R_SPF_PERMFAIL)
-    REJECT_SPF {
-        action = "reject";
-        expression = "R_SPF_FAIL | R_SPF_PERMFAIL";
-        message = "Rejected due to failed SPF check";
-    }
-
-    # Reject on DMARC policy check failure.
-    REJECT_DMARC {
-        action = "reject";
-        expression = "DMARC_POLICY_REJECT";
-        message = "Rejected due to DMARC policy";
-    }
-
-
-    # Do not reject if:
-    # - R_DKIM_TEMPFAIL, it is a DNS resolution failure
-    #   and we do not want to lose messages because of faulty network.
-    #
-    # - R_SPF_SOFTFAIL
-    # - R_SPF_NEUTRAL
-    # - R_SPF_DNSFAIL
-    # - R_SPF_NA
-    #
-    # - DMARC_DNSFAIL
-    # - DMARC_NA
-    # - DMARC_POLICY_SOFTFAIL
-    # - DMARC_POLICY_QUARANTINE
-    # - DMARC_BAD_POLICY
-}

cmdeploy/src/cmdeploy/rspamd/options.inc

@@ -1 +0,0 @@
-filters = "dkim";

cmdeploy/src/cmdeploy/tests/online/test_0_login.py

@@ -1,6 +1,7 @@
 import pytest
 import threading
 import queue
+import socket
 
 from chatmaild.config import read_config
 from cmdeploy.cmdeploy import main
@@ -78,3 +79,24 @@ def test_concurrent_logins_same_account(
 
     for _ in conns:
         assert login_results.get()
+
+
+def test_no_vrfy(chatmail_config):
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((chatmail_config.mail_domain, 25))
+    banner = sock.recv(1024)
+    print(banner)
+    sock.send(b"VRFY wrongaddress@%s\r\n" % (chatmail_config.mail_domain.encode(),))
+    result = sock.recv(1024)
+    print(result)
+    sock.send(b"VRFY echo@%s\r\n" % (chatmail_config.mail_domain.encode(),))
+    result2 = sock.recv(1024)
+    print(result2)
+    assert result[0:10] == result2[0:10]
+    sock.send(b"VRFY wrongaddress\r\n")
+    result = sock.recv(1024)
+    print(result)
+    sock.send(b"VRFY echo\r\n")
+    result2 = sock.recv(1024)
+    print(result2)
+    assert result[0:10] == result2[0:10] == b"252 2.0.0 "

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -42,13 +42,25 @@ def test_reject_forged_from(cmsetup, maildata, gencreds, lp, forgeaddr):
     assert "500" in str(e.value)
 
 
+def test_authenticated_from(cmsetup, maildata):
+    """Test that envelope FROM must be the same as login."""
+    user1, user2, user3 = cmsetup.gen_users(3)
+
+    msg = maildata("encrypted.eml", from_addr=user2.addr, to_addr=user3.addr)
+    with pytest.raises(smtplib.SMTPException) as e:
+        user1.smtp.sendmail(
+            from_addr=user2.addr, to_addrs=[user3.addr], msg=msg.as_string()
+        )
+    assert e.value.recipients[user3.addr][0] == 553
+
+
 @pytest.mark.parametrize("from_addr", ["fake@example.org", "fake@testrun.org"])
 def test_reject_missing_dkim(cmsetup, maildata, from_addr):
     """Test that emails with missing or wrong DMARC, DKIM, and SPF entries are rejected."""
     recipient = cmsetup.gen_users(1)[0]
     msg = maildata("plain.eml", from_addr=from_addr, to_addr=recipient.addr).as_string()
     with smtplib.SMTP(cmsetup.maildomain, 25) as s:
-        with pytest.raises(smtplib.SMTPDataError, match="missing DKIM signature"):
+        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 
@@ -71,3 +83,18 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
             assert b"4.7.1: Too much mail from" in outcome[1]
             return
     pytest.fail("Rate limit was not exceeded")
+
+
+def test_expunged(remote, chatmail_config):
+    outdated_days = int(chatmail_config.delete_mails_after) + 1
+    find_cmds = [
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/cur/*' -mtime +{outdated_days} -type f",
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/cur/*' -mtime +{outdated_days} -type f",
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/new/*' -mtime +{outdated_days} -type f",
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/new/*' -mtime +{outdated_days} -type f",
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/tmp/*' -mtime +{outdated_days} -type f",
+        f"find /home/vmail/mail/{chatmail_config.mail_domain} -path '*/.*/tmp/*' -mtime +{outdated_days} -type f",
+    ]
+    for cmd in find_cmds:
+        for line in remote.iter_output(cmd):
+            assert not line

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -136,3 +136,15 @@ def test_hide_senders_ip_address(cmfactory):
     user2.direct_imap.select_folder("Inbox")
     msg = user2.direct_imap.get_all_messages()[0]
     assert public_ip not in msg.obj.as_string()
+
+
+def test_echobot(cmfactory, chatmail_config, lp):
+    ac = cmfactory.get_online_accounts(1)[0]
+
+    lp.sec(f"Send message to echo@{chatmail_config.mail_domain}")
+    chat = ac.create_chat(f"echo@{chatmail_config.mail_domain}")
+    text = "hi, I hope you text me back"
+    chat.send_text(text)
+    lp.sec("Wait for reply from echobot")
+    reply = ac.wait_next_incoming_message()
+    assert reply.text == text

scripts/initenv.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 set -e
-python3 -m venv venv
+python3 -m venv --upgrade-deps venv
 
 venv/bin/pip install -e chatmaild 
 venv/bin/pip install -e cmdeploy