Remove unnecessary opendkim milter from reinjecting smtpd

OpenDKIM milter is only needed on port 25,
it seems to do nothing on reinjecting port.

.github/workflows/staging-ipv4.testrun.org-default.zone

@@ -17,6 +17,4 @@ $TTL 300
 ;; DNS records.
 @       IN      A       37.27.95.249
 mta-sts.staging-ipv4.testrun.org.    CNAME   staging-ipv4.testrun.org.
-iroh.staging-ipv4.testrun.org.       CNAME   staging-ipv4.testrun.org.
 www.staging-ipv4.testrun.org.        CNAME   staging-ipv4.testrun.org.
-mx.staging-ipv4.testrun.org.         CNAME   staging-ipv4.testrun.org.

.github/workflows/staging.testrun.org-default.zone

@@ -17,7 +17,5 @@ $TTL 300
 ;; DNS records.
 @       IN      A       37.27.24.139
 mta-sts.staging2.testrun.org.    CNAME   staging2.testrun.org.
-iroh.staging2.testrun.org.       CNAME   staging2.testrun.org.
 www.staging2.testrun.org.        CNAME   staging2.testrun.org.
-mx.staging2.testrun.org.         CNAME   staging2.testrun.org.
 

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -38,8 +38,8 @@ jobs:
           if [ -f dkimkeys-ipv4/dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/ || true; fi
           if [ "$(ls -A acme-ipv4/acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/ || true; fi
           # make sure CAA record isn't set
-          scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
-          ssh -o StrictHostKeyChecking=accept-new root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone
+          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
+          ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org systemctl reload nsd
 
@@ -49,7 +49,7 @@ jobs:
             -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
             -H "Content-Type: application/json" \
             -d '{"image":"debian-12"}' \
-            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
+            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_IPV4_SERVER_ID }}/actions/rebuild"
 
       - run: scripts/initenv.sh
 
@@ -63,11 +63,11 @@ jobs:
           while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u ; do sleep 1 ; done
           ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u
           # download acme & dkim state from ns.testrun.org
-          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme-ipv4 acme-restore || true
-          rsync -avz root@ns.testrun.org:/tmp/dkimkeys-ipv4 dkimkeys-restore || true
+          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme-ipv4/acme acme-restore || true
+          rsync -avz root@ns.testrun.org:/tmp/dkimkeys-ipv4/dkimkeys dkimkeys-restore || true
           # restore acme & dkim state to staging2.testrun.org
-          rsync -avz acme-restore/acme-ipv4/acme root@staging-ipv4.testrun.org:/var/lib/ || true
-          rsync -avz dkimkeys-restore/dkimkeys-ipv4/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
+          rsync -avz acme-restore/acme root@staging-ipv4.testrun.org:/var/lib/ || true
+          rsync -avz dkimkeys-restore/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
           ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown root:root -R /var/lib/acme || true
 
       - name: run formatting checks 

CHANGELOG.md

@@ -2,6 +2,50 @@
 
 ## untagged
 
+- filtermail: don't require exactly 2 lines after openPGP payload
+  ([#497](https://github.com/chatmail/chatmail/pull/497))
+
+- cmdeploy dns: offer alternative DKIM record format for some web interfaces
+  ([#470](https://github.com/deltachat/chatmail/pull/470))
+
+- journald: remove old logs from disk
+  ([#490](https://github.com/deltachat/chatmail/pull/490))
+
+- opendkim: restart once every day to mend RAM leaks
+  ([#498](https://github.com/chatmail/chatmail/pull/498)
+
+- migration guide: let opendkim own the DKIM keys directory
+  ([#468](https://github.com/deltachat/chatmail/pull/468))
+
+- improve secure-join message detection
+  ([#473](https://github.com/deltachat/chatmail/pull/473))
+
+- use old crypt lib in python < 3.11
+  ([#483](https://github.com/deltachat/chatmail/pull/483))
+
+- chatmaild: set umask to 0700 for doveauth + metadata
+  ([#490](https://github.com/deltachat/chatmail/pull/492))
+
+- remove MTA-STS daemon
+  ([#488](https://github.com/deltachat/chatmail/pull/488))
+
+- replace `Subject` with `[...]` for all outgoing mails.
+  ([#481](https://github.com/deltachat/chatmail/pull/481))
+
+- opendkim: use su instead of sudo
+  ([#491](https://github.com/deltachat/chatmail/pull/491))
+
+## 1.5.0 2024-12-20
+
+- cmdeploy dns: always show recommended DNS records
+  ([#463](https://github.com/deltachat/chatmail/pull/463))
+
+- add `--all` to `cmdeploy dns`
+  ([#462](https://github.com/deltachat/chatmail/pull/462))
+
+- fix `_mta-sts` TXT DNS record
+  ([#461](https://github.com/deltachat/chatmail/pull/461)
+
 - deploy `iroh-relay` and also update "realtime relay services" in privacy policy. 
   ([#434](https://github.com/deltachat/chatmail/pull/434))
   ([#451](https://github.com/deltachat/chatmail/pull/451))
@@ -65,8 +109,6 @@
 - fix Dovecot quota_max_mail_size to use max_message_size config value
   ([#438](https://github.com/deltachat/chatmail/pull/438))
 
-- Move MX record to its own subdomain
-  ([#403](https://github.com/deltachat/chatmail/pull/403))
 
 ## 1.4.1 2024-07-31
 

README.md

@@ -281,7 +281,7 @@ to make sure you can connect with SSH.
    `ssh root@13.37.13.37 tar c /etc/dkimkeys | ssh root@13.12.23.42 tar x -C /etc/`
    so the DKIM DNS record stays correct.
 
-3. On the new server, run `chown root: -R /var/lib/acme` and `chown root: -R /etc/dkimkeys` to make sure the permissions are correct.
+3. On the new server, run `chown root: -R /var/lib/acme` and `chown opendkim: -R /etc/dkimkeys` to make sure the permissions are correct.
 
 4. Run `cmdeploy run --disable-mail --ssh-host 13.12.23.42` to install chatmail on the new machine.
    postfix and dovecot are disabled for now,

chatmaild/pyproject.toml

@@ -12,6 +12,7 @@ dependencies = [
   "deltachat-rpc-client",
   "filelock",
   "requests",
+  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/common_encrypted_subjects.py

@@ -1,59 +0,0 @@
-"""Generated from deltachat, draft-ietf-lamps-header-protection, and
-encrypted_subject localizations in
-https://github.com/thunderbird/thunderbird-android/
-
-"""
-
-common_encrypted_subjects = {
-    "...",
-    "[...]",
-    "암호화된 메시지",
-    "Ĉifrita mesaĝo",
-    "Courriel chiffré",
-    "Dulrituð skilaboð",
-    "Encrypted Message",
-    "Fersifere berjocht",
-    "Kemennadenn enrineget",
-    "Krüptitud kiri",
-    "Krypterat meddelande",
-    "Krypteret besked",
-    "Kryptert melding",
-    "Mensagem criptografada",
-    "Mensagem encriptada",
-    "Mensaje cifrado",
-    "Mensaxe cifrada",
-    "Mesaj Criptat",
-    "Mesazh i Fshehtëzuar",
-    "Messaggio criptato",
-    "Messaghju cifratu",
-    "Missatge encriptat",
-    "Neges wedi'i Hamgryptio",
-    "Pesan terenkripsi",
-    "Salattu viesti",
-    "Şifreli İleti",
-    "Šifrēta ziņa",
-    "Šifrirana poruka",
-    "Šifrirano sporočilo",
-    "Šifruotas laiškas",
-    "Tin nhắn được mã hóa",
-    "Titkosított üzenet",
-    "Verschlüsselte Nachricht",
-    "Versleuteld bericht",
-    "Zašifrovaná zpráva",
-    "Zaszyfrowana wiadomość",
-    "Zifratu mezua",
-    "Κρυπτογραφημένο μήνυμα",
-    "Зашифроване повідомлення",
-    "Зашифрованное сообщение",
-    "Зашыфраваны ліст",
-    "Криптирано съобщение",
-    "Шифрована порука",
-    "დაშიფრული წერილი",
-    "הודעה מוצפנת",
-    "پیام رمزنگاری‌شده",
-    "رسالة مشفّرة",
-    "എൻക്രിപ്റ്റുചെയ്‌ത സന്ദേശം",
-    "加密邮件",
-    "已加密的訊息",
-    "暗号化されたメッセージ",
-}

chatmaild/src/chatmaild/doveauth.py

@@ -1,9 +1,13 @@
-import crypt
 import json
 import logging
 import os
 import sys
 
+try:
+    import crypt_r
+except ImportError:
+    import crypt as crypt_r
+
 from .config import Config, read_config
 from .dictproxy import DictProxy
 from .migrate_db import migrate_from_db_to_maildir
@@ -13,7 +17,7 @@ NOCREATE_FILE = "/etc/chatmail-nocreate"
 
 def encrypt_password(password: str):
     # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
-    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
+    passhash = crypt_r.crypt(password, crypt_r.METHOD_SHA512)
     return "{SHA512-CRYPT}" + passhash
 
 

chatmaild/src/chatmaild/filtermail.py

@@ -12,7 +12,6 @@ from smtplib import SMTP as SMTPClient
 
 from aiosmtpd.controller import Controller
 
-from .common_encrypted_subjects import common_encrypted_subjects
 from .config import read_config
 
 
@@ -81,7 +80,9 @@ def check_armored_payload(payload: str):
         return False
     payload = payload.removeprefix(prefix)
 
-    suffix = "-----END PGP MESSAGE-----\r\n\r\n"
+    while payload.endswith("\r\n"):
+        payload = payload.removesuffix("\r\n")
+    suffix = "-----END PGP MESSAGE-----"
     if not payload.endswith(suffix):
         return False
     payload = payload.removesuffix(suffix)
@@ -100,6 +101,27 @@ def check_armored_payload(payload: str):
         return False
 
 
+def is_securejoin(message):
+    if message.get("secure-join") not in ["vc-request", "vg-request"]:
+        return False
+    if not message.is_multipart():
+        return False
+    parts_count = 0
+    for part in message.iter_parts():
+        parts_count += 1
+        if parts_count > 1:
+            return False
+        if part.is_multipart():
+            return False
+        if part.get_content_type() != "text/plain":
+            return False
+
+        payload = part.get_payload().strip().lower()
+        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
+            return False
+    return True
+
+
 def check_encrypted(message):
     """Check that the message is an OpenPGP-encrypted message.
 
@@ -107,8 +129,6 @@ def check_encrypted(message):
     """
     if not message.is_multipart():
         return False
-    if message.get("subject") not in common_encrypted_subjects:
-        return False
     if message.get_content_type() != "multipart/encrypted":
         return False
     parts_count = 0
@@ -203,11 +223,7 @@ class BeforeQueueHandler:
 
         passthrough_recipients = self.config.passthrough_recipients
 
-        is_securejoin = message.get("secure-join") in [
-            "vc-request",
-            "vg-request",
-        ]
-        if is_securejoin:
+        if mail_encrypted or is_securejoin(message):
             return
 
         for recipient in envelope.rcpt_tos:
@@ -222,7 +238,7 @@ class BeforeQueueHandler:
             _recipient_addr, recipient_domain = res
 
             is_outgoing = recipient_domain != envelope_from_domain
-            if is_outgoing and not mail_encrypted:
+            if is_outgoing:
                 print("Rejected unencrypted mail.", file=sys.stderr)
                 return f"500 Invalid unencrypted mail to <{recipient}>"
 

chatmaild/src/chatmaild/migrate_db.py

@@ -32,7 +32,7 @@ def migrate_from_db_to_maildir(config, chunking=10000):
     # don't transfer special/CI accounts
     rows = [row for row in all_rows if row[0][:3] not in ("ci-", "ac_")]
 
-    logging.info(f"ignoring {len(all_rows)-len(rows)} CI accounts")
+    logging.info(f"ignoring {len(all_rows) - len(rows)} CI accounts")
     logging.info(f"migrating {len(rows)} sqlite database passwords to user dirs")
 
     for i, row in enumerate(rows):

chatmaild/src/chatmaild/tests/mail-data/securejoin-vc-fake.eml

@@ -0,0 +1,21 @@
+Subject: Message from {from_addr}
+From: <{from_addr}>
+To: <{to_addr}>
+Date: Sun, 15 Oct 2023 16:43:25 +0000
+Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
+Chat-Version: 1.0
+Secure-Join: vc-request
+Secure-Join-Invitenumber: RANDOM-TOKEN
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
+Content-Type: text/plain; charset=utf-8
+
+Buy viagra!
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
+
+

chatmaild/src/chatmaild/tests/mail-data/securejoin-vc.eml

@@ -0,0 +1,21 @@
+Subject: Message from {from_addr}
+From: <{from_addr}>
+To: <{to_addr}>
+Date: Sun, 15 Oct 2023 16:43:25 +0000
+Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
+Chat-Version: 1.0
+Secure-Join: vc-request
+Secure-Join-Invitenumber: RANDOM-TOKEN
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
+Content-Type: text/plain; charset=utf-8
+
+Secure-Join: vc-request
+
+
+--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
+
+

chatmaild/src/chatmaild/tests/plugin.py

@@ -69,7 +69,7 @@ def maildata(request):
 
     assert datadir.exists(), datadir
 
-    def maildata(name, from_addr, to_addr, subject="..."):
+    def maildata(name, from_addr, to_addr, subject="[...]"):
         # Using `.read_bytes().decode()` instead of `.read_text()` to preserve newlines.
         data = datadir.joinpath(name).read_bytes().decode()
 

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -5,7 +5,7 @@ from chatmaild.filtermail import (
     SendRateLimiter,
     check_armored_payload,
     check_encrypted,
-    common_encrypted_subjects,
+    is_securejoin,
 )
 
 
@@ -55,19 +55,28 @@ def test_filtermail_no_encryption_detection(maildata):
     assert not check_encrypted(msg)
 
 
-def test_filtermail_encryption_detection(maildata):
-    for subject in common_encrypted_subjects:
-        msg = maildata(
-            "encrypted.eml",
-            from_addr="1@example.org",
-            to_addr="2@example.org",
-            subject=subject,
-        )
-        assert check_encrypted(msg)
+def test_filtermail_securejoin_detection(maildata):
+    msg = maildata(
+        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
+    )
+    assert is_securejoin(msg)
 
-    # if the subject is not a known encrypted subject value, it is not considered ac-encrypted
-    msg.replace_header("Subject", "Click this link")
-    assert not check_encrypted(msg)
+    msg = maildata(
+        "securejoin-vc-fake.eml",
+        from_addr="some@example.org",
+        to_addr="other@example.org",
+    )
+    assert not is_securejoin(msg)
+
+
+def test_filtermail_encryption_detection(maildata):
+    msg = maildata(
+        "encrypted.eml",
+        from_addr="1@example.org",
+        to_addr="2@example.org",
+        subject="Subject does not matter, will be replaced anyway",
+    )
+    assert check_encrypted(msg)
 
 
 def test_filtermail_no_literal_packets(maildata):
@@ -196,10 +205,20 @@ UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 =b5Kp\r
 -----END PGP MESSAGE-----\r
 \r
+\r
 """
 
     assert check_armored_payload(payload) == True
 
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload) == True
+
     payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 HELLOWORLD

cmdeploy/src/cmdeploy/__init__.py

@@ -10,7 +10,7 @@ import sys
 from pathlib import Path
 
 from chatmaild.config import Config, read_config
-from pyinfra import host, facts
+from pyinfra import facts, host
 from pyinfra.facts.files import File
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
@@ -78,6 +78,11 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         always_copy=True,
     )
 
+    apt.packages(
+        name="install gcc and headers to build crypt_r source package",
+        packages=["gcc", "python3-dev"],
+    )
+
     server.shell(
         name=f"forced pip-install {dist_file.name}",
         commands=[
@@ -212,49 +217,36 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
             commands=[
                 f"opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
             ],
-            _sudo=True,
-            _sudo_user="opendkim",
+            _use_su_login=True,
+            _su_user="opendkim",
         )
 
+    service_file = files.put(
+        name="Configure opendkim to restart once a day",
+        src=importlib.resources.files(__package__).joinpath("opendkim/systemd.conf"),
+        dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
+    )
+    need_restart |= service_file.changed
+
+
     return need_restart
 
 
-def _install_mta_sts_daemon() -> bool:
-    need_restart = False
+def _uninstall_mta_sts_daemon() -> None:
+    # Remove configuration.
+    files.file("/etc/mta-sts-daemon.yml", present=False)
 
-    config = files.put(
-        name="upload postfix-mta-sts-resolver config",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.yml"
-        ),
-        dest="/etc/mta-sts-daemon.yml",
-        user="root",
-        group="root",
-        mode="644",
+    files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
+
+    files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
+
+    systemd.service(
+        name="Stop MTA-STS daemon",
+        service="mta-sts-daemon.service",
+        daemon_reload=True,
+        running=False,
+        enabled=False,
     )
-    need_restart |= config.changed
-
-    server.shell(
-        name="install postfix-mta-sts-resolver with pip",
-        commands=[
-            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
-            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
-        ],
-    )
-
-    systemd_unit = files.put(
-        name="upload mta-sts-daemon systemd unit",
-        src=importlib.resources.files(__package__).joinpath(
-            "postfix/mta-sts-daemon.service"
-        ),
-        dest="/etc/systemd/system/mta-sts-daemon.service",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= systemd_unit.changed
-
-    return need_restart
 
 
 def _configure_postfix(config: Config, debug: bool = False) -> bool:
@@ -517,9 +509,9 @@ def deploy_iroh_relay(config) -> None:
     need_restart |= systemd_unit.changed
 
     iroh_config = files.put(
-        name=f"Upload iroh-relay config",
+        name="Upload iroh-relay config",
         src=importlib.resources.files(__package__).joinpath("iroh-relay.toml"),
-        dest=f"/etc/iroh-relay.toml",
+        dest="/etc/iroh-relay.toml",
         user="root",
         group="root",
         mode="644",
@@ -616,12 +608,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     deploy_iroh_relay(config)
 
     # Deploy acmetool to have TLS certificates.
-    tls_domains = [
-        mail_domain,
-        f"mta-sts.{mail_domain}",
-        f"www.{mail_domain}",
-        f"mx.{mail_domain}",
-    ]
+    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
     deploy_acmetool(
         domains=tls_domains,
     )
@@ -663,8 +650,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     debug = False
     dovecot_need_restart = _configure_dovecot(config, debug=debug)
     postfix_need_restart = _configure_postfix(config, debug=debug)
-    mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(config)
+    _uninstall_mta_sts_daemon()
 
     _remove_rspamd()
     opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
@@ -674,18 +661,10 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         service="opendkim.service",
         running=True,
         enabled=True,
+        daemon_reload=opendkim_need_restart,
         restarted=opendkim_need_restart,
     )
 
-    systemd.service(
-        name="Start and enable MTA-STS daemon",
-        service="mta-sts-daemon.service",
-        daemon_reload=True,
-        running=True,
-        enabled=True,
-        restarted=mta_sts_need_restart,
-    )
-
     # Dovecot should be started before Postfix
     # because it creates authentication socket
     # required by Postfix.
@@ -735,6 +714,11 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         enabled=True,
         restarted=journald_conf.changed,
     )
+    files.directory(
+        name="Ensure old logs on disk are deleted",
+        path="/var/log/journal/",
+        present=False,
+    )
 
     apt.packages(
         name="Ensure cron is installed",

cmdeploy/src/cmdeploy/acmetool/__init__.py

@@ -70,6 +70,6 @@ def deploy_acmetool(email="", domains=[]):
     )
 
     server.shell(
-        name=f"Request certificate for: { ', '.join(domains) }",
-        commands=[f"acmetool want --xlog.severity=debug { ' '.join(domains)}"],
+        name=f"Request certificate for: {', '.join(domains)}",
+        commands=[f"acmetool want --xlog.severity=debug {' '.join(domains)}"],
     )

cmdeploy/src/cmdeploy/chatmail.zone.j2

@@ -7,17 +7,16 @@
 {% if AAAA %}
 {{ mail_domain }}.                   AAAA  {{ AAAA }}
 {% endif %}
-{{ mail_domain }}.                   MX 10 mx.{{ mail_domain }}.
+{{ mail_domain }}.                   MX 10 {{ mail_domain }}.
 _mta-sts.{{ mail_domain }}.          TXT "v=STSv1; id={{ sts_id }}"
 mta-sts.{{ mail_domain }}.           CNAME {{ mail_domain }}.
 www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
-mx.{{ mail_domain }}.                CNAME {{ mail_domain }}.
 {{ dkim_entry }}
 
 ;
 ; Recommended DNS entries for interoperability and security-hardening
 ;
-{{ mail_domain }}.                   TXT "v=spf1 a:{{ mail_domain }} ~all"
+{{ mail_domain }}.                   TXT "v=spf1 a ~all"
 _dmarc.{{ mail_domain }}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
 
 {% if acme_account_url %}

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -56,12 +56,12 @@ def run_cmd_options(parser):
         "--disable-mail",
         dest="disable_mail",
         action="store_true",
-        help="install/upgrade the server, but disable postfix & dovecot for now"
+        help="install/upgrade the server, but disable postfix & dovecot for now",
     )
     parser.add_argument(
         "--ssh-host",
         dest="ssh_host",
-        help="specify an SSH host to deploy to; uses mail_domain from chatmail.ini by default"
+        help="specify an SSH host to deploy to; uses mail_domain from chatmail.ini by default",
     )
 
 

cmdeploy/src/cmdeploy/deploy.py

@@ -11,7 +11,7 @@ def main():
         "CHATMAIL_INI",
         importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
     )
-    disable_mail = bool(os.environ.get('CHATMAIL_DISABLE_MAIL'))
+    disable_mail = bool(os.environ.get("CHATMAIL_DISABLE_MAIL"))
 
     deploy_chatmail(config_path, disable_mail)
 

cmdeploy/src/cmdeploy/dns.py

@@ -29,7 +29,7 @@ def check_initial_remote_data(remote_data, *, print=print):
 def get_filled_zone_file(remote_data):
     sts_id = remote_data.get("sts_id")
     if not sts_id:
-        sts_id = datetime.datetime.now().strftime("%Y%m%d%H%M")
+        remote_data["sts_id"] = datetime.datetime.now().strftime("%Y%m%d%H%M")
 
     template = importlib.resources.files(__package__).joinpath("chatmail.zone.j2")
     content = template.read_text()
@@ -49,16 +49,23 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
         kwargs=dict(zonefile=zonefile, mail_domain=remote_data["mail_domain"]),
     )
 
+    returncode = 0
     if required_diff:
         out.red("Please set required DNS entries at your DNS provider:\n")
         for line in required_diff:
             out(line)
-        return 1
-    elif recommended_diff:
+        out("")
+        returncode = 1
+    if remote_data.get("dkim_entry") in required_diff:
+        out(
+            "If the DKIM entry above does not work with your DNS provider, you can try this one:\n"
+        )
+        out(remote_data.get("web_dkim_entry") + "\n")
+    if recommended_diff:
         out("WARNING: these recommended DNS entries are not set:\n")
         for line in recommended_diff:
             out(line)
-        return 0
 
-    out.green("Great! All your DNS entries are verified and correct.")
-    return 0
+    if not (recommended_diff or required_diff):
+        out.green("Great! All your DNS entries are verified and correct.")
+    return returncode

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -209,7 +209,7 @@ ssl = required
 ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
 ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
 ssl_dh = </usr/share/dovecot/dh.pem
-ssl_min_protocol = TLSv1.2
+ssl_min_protocol = TLSv1.3
 ssl_prefer_server_ciphers = yes
 
 

cmdeploy/src/cmdeploy/nginx/mta-sts.txt.j2

@@ -1,4 +1,4 @@
 version: STSv1
 mode: enforce
-mx: mx.{{ config.domain_name }}
+mx: {{ config.domain_name }}
 max_age: 2419200

cmdeploy/src/cmdeploy/opendkim/systemd.conf

@@ -0,0 +1,3 @@
+[Service]
+Restart=always
+RuntimeMaxSec=1d

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -20,9 +20,9 @@ smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=may
+smtp_tls_security_level=verify
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
+smtp_tls_policy_maps = inline:{nauta.cu=may}
 smtpd_tls_protocols = >=TLSv1.2
 
 # Disable anonymous cipher suites

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -18,6 +18,7 @@ smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       5000    smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=>=TLSv1.3
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
@@ -36,6 +37,7 @@ smtps     inet  n       -       y       -       5000    smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
+  -o smtpd_tls_mandatory_protocols=>=TLSv1.3
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
@@ -79,7 +81,6 @@ filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting filered mail.
 localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
   -o syslog_name=postfix/reinject
-  -o smtpd_milters=unix:opendkim/opendkim.sock
   -o cleanup_service_name=authclean
 
 # Cleanup `Received` headers for authenticated mail

cmdeploy/src/cmdeploy/postfix/submission_header_cleanup

@@ -2,3 +2,4 @@
 /^X-Originating-IP:/    IGNORE
 /^X-Mailer:/            IGNORE
 /^User-Agent:/          IGNORE
+/^Subject:/             REPLACE Subject: [...]

cmdeploy/src/cmdeploy/remote/rdns.py

@@ -27,7 +27,9 @@ def perform_initial_checks(mail_domain):
 
     res = dict(mail_domain=mail_domain, A=A, AAAA=AAAA, MTA_STS=MTA_STS, WWW=WWW)
     res["acme_account_url"] = shell("acmetool account-url", fail_ok=True)
-    res["dkim_entry"] = get_dkim_entry(mail_domain, dkim_selector="opendkim")
+    res["dkim_entry"], res["web_dkim_entry"] = get_dkim_entry(
+        mail_domain, dkim_selector="opendkim"
+    )
 
     if not MTA_STS or not WWW or (not A and not AAAA):
         return res
@@ -48,7 +50,11 @@ def get_dkim_entry(mail_domain, dkim_selector):
         return
     dkim_value_raw = f"v=DKIM1;k=rsa;p={dkim_pubkey};s=email;t=s"
     dkim_value = '" "'.join(re.findall(".{1,255}", dkim_value_raw))
-    return f'{dkim_selector}._domainkey.{mail_domain}. TXT "{dkim_value}"'
+    web_dkim_value = "".join(re.findall(".{1,255}", dkim_value_raw))
+    return (
+        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{dkim_value}"',
+        f'{dkim_selector}._domainkey.{mail_domain}. TXT "{web_dkim_value}"',
+    )
 
 
 def query_dns(typ, domain):

cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f

@@ -7,6 +7,7 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=chatmail-metadata
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/service/doveauth.service.f

@@ -7,6 +7,7 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=doveauth
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,3 +1,4 @@
+import datetime
 import smtplib
 
 import pytest
@@ -52,6 +53,14 @@ class TestSSHExecutor:
         else:
             pytest.fail("didn't raise exception")
 
+    def test_opendkim_restarted(self, sshexec):
+        """check that opendkim is not running for longer than a day."""
+        out = sshexec(call=remote.rshell.shell, kwargs=dict(command="systemctl status opendkim"))
+        assert type(out) == str
+        since_date_str = out.split("since ")[1].split(";")[0]
+        since_date = datetime.datetime.strptime(since_date_str, "%a %Y-%m-%d %H:%M:%S %Z")
+        assert (datetime.datetime.now() - since_date).total_seconds() < 60 * 60 * 24
+
 
 def test_remote(remote, imap_or_smtp):
     lineproducer = remote.iter_output(imap_or_smtp.logcmd)
@@ -115,6 +124,27 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 
+def test_rewrite_subject(cmsetup, maildata):
+    """Test that subject gets replaced with [...]."""
+    user1, user2 = cmsetup.gen_users(2)
+
+    sent_msg = maildata(
+        "encrypted.eml",
+        from_addr=user1.addr,
+        to_addr=user2.addr,
+        subject="Unencrypted subject",
+    ).as_string()
+    user1.smtp.sendmail(from_addr=user1.addr, to_addrs=[user2.addr], msg=sent_msg)
+
+    messages = user2.imap.fetch_all_messages()
+    assert len(messages) == 1
+    rcvd_msg = messages[0]
+    assert "Subject: [...]" not in sent_msg
+    assert "Subject: [...]" in rcvd_msg
+    assert "Subject: Unencrypted subject" in sent_msg
+    assert "Subject: Unencrypted subject" not in rcvd_msg
+
+
 @pytest.mark.slow
 def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
     """Test that the per-account send-mail limit is exceeded."""

cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py

@@ -85,7 +85,7 @@ class TestEndToEndDeltaChat:
         attachsize = 1 * 1024 * 1024
         num_to_send = quota // attachsize + 2
         lp.sec(f"ac1: send {num_to_send} large files to ac2")
-        lp.indent(f"per-user quota is assumed to be: {quota/(1024*1024)}MB")
+        lp.indent(f"per-user quota is assumed to be: {quota / (1024 * 1024)}MB")
         alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
         msgs = []
         for i in range(num_to_send):
@@ -97,7 +97,7 @@ class TestEndToEndDeltaChat:
 
             msg = chat.send_file(str(attachment))
             msgs.append(msg)
-            lp.indent(f"Sent out msg {i}, size {attachsize/(1024*1024)}MB")
+            lp.indent(f"Sent out msg {i}, size {attachsize / (1024 * 1024)}MB")
 
         lp.sec("ac2: check messages are arriving until quota is reached")