switch registration to bloc7.icu

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -35,11 +35,11 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           ssh-keyscan staging-ipv4.testrun.org > ~/.ssh/known_hosts
           # save previous acme & dkim state
-          rsync -avz --delete root@staging-ipv4.testrun.org:/var/lib/acme acme-ipv4
-          rsync -avz --delete root@staging-ipv4.testrun.org:/etc/dkimkeys dkimkeys-ipv4
+          rsync -avz root@staging-ipv4.testrun.org:/var/lib/acme acme-ipv4 || true
+          rsync -avz root@staging-ipv4.testrun.org:/etc/dkimkeys dkimkeys-ipv4 || true
           # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
-          test -f dkimkeys-ipv4/dkimkeys/opendkim.private && rsync -avz --delete -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/
-          test -n "$(ls -A acme-ipv4/acme/certs)" && rsync -avz --delete -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/
+          if [ -f dkimkeys-ipv4/dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/ || true; fi
+          if [ "$(ls -A acme-ipv4/acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/ || true; fi
           # make sure CAA record isn't set
           scp -o StrictHostKeyChecking=accept-new .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone

.github/workflows/test-and-deploy.yaml

@@ -35,11 +35,11 @@ jobs:
           chmod 600 ~/.ssh/id_ed25519
           ssh-keyscan staging2.testrun.org > ~/.ssh/known_hosts
           # save previous acme & dkim state
-          rsync -avz --delete root@staging2.testrun.org:/var/lib/acme .
-          rsync -avz --delete root@staging2.testrun.org:/etc/dkimkeys .
+          rsync -avz root@staging2.testrun.org:/var/lib/acme . || true
+          rsync -avz root@staging2.testrun.org:/etc/dkimkeys . || true
           # store previous acme & dkim state on ns.testrun.org, if it contains useful certs
-          test -f dkimkeys/opendkim.private && rsync -avz --delete -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/
-          test -n "$(ls -A acme/certs)" && rsync -avz --delete -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/
+          if [ -f dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys root@ns.testrun.org:/tmp/ || true; fi
+          if [ "$(ls -A acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme root@ns.testrun.org:/tmp/ || true; fi
           # make sure CAA record isn't set
           scp -o StrictHostKeyChecking=accept-new .github/workflows/staging.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging2.testrun.org.zone
           ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging2.testrun.org.zone

CHANGELOG.md

@@ -2,15 +2,9 @@
 
 ## untagged
 
-- Add imap_compress option to chatmail.ini
-  ([#760](https://github.com/chatmail/relay/pull/760))
-
 - Remove echobot from relays 
   ([#753](https://github.com/chatmail/relay/pull/753))
 
-- Fix `cmdeploy webdev`
-  ([#743](https://github.com/chatmail/relay/pull/743))
-
 - Add robots.txt to exclude all web crawlers
   ([#732](https://github.com/chatmail/relay/pull/732))
 

chatmaild/src/chatmaild/config.py

@@ -44,7 +44,6 @@ class Config:
         self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
         self.acme_email = params.get("acme_email", "")
         self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
-        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
         if "iroh_relay" not in params:
             self.iroh_relay = "https://" + params["mail_domain"]
             self.enable_iroh_relay = True

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -43,9 +43,9 @@ passthrough_senders =
 
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients =
+passthrough_recipients = echo@{mail_domain}
 
-# path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
+# path to www directory - documented here: https://github.com/chatmail/relay/#custom-web-pages
 #www_folder = www
 
 #
@@ -99,12 +99,6 @@ acme_email =
 # so use this option with caution on production servers. 
 imap_rawlog = false 
 
-# set to true if you want to enable the IMAP COMPRESS Extension,
-# which allows IMAP connections to be efficiently compressed.
-# WARNING: Enabling this makes it impossible to hibernate IMAP
-# processes which will result in much higher memory/RAM usage.
-imap_compress = false
-
 
 #
 # Privacy Policy

chatmaild/src/chatmaild/lastlogin.py

@@ -13,6 +13,8 @@ class LastLoginDictProxy(DictProxy):
         keyname = parts[1].split("/")
         value = parts[2] if len(parts) > 2 else ""
         if keyname[0] == "shared" and keyname[1] == "last-login":
+            if addr.startswith("echo@"):
+                return True
             addr = keyname[2]
             timestamp = int(value)
             user = self.config.get_user(addr)

chatmaild/src/chatmaild/newemail.py

@@ -20,7 +20,7 @@ def create_newemail_dict(config: Config):
         secrets.choice(ALPHANUMERIC_PUNCT)
         for _ in range(config.password_min_length + 3)
     )
-    return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
+    return dict(email=f"{user}@bloc7.icu", password=f"{password}")
 
 
 def print_new_account():

chatmaild/src/chatmaild/user.py

@@ -19,7 +19,7 @@ class User:
 
     @property
     def can_track(self):
-        return "@" in self.addr
+        return "@" in self.addr and not self.addr.startswith("echo@")
 
     def get_userdb_dict(self):
         """Return a non-empty dovecot 'userdb' style dict
@@ -55,9 +55,11 @@ class User:
         try:
             write_bytes_atomic(self.password_path, password)
         except PermissionError:
-            logging.error(f"could not write password for: {self.addr}")
-            raise
-        self.enforce_E2EE_path.touch()
+            if not self.addr.startswith("echo@"):
+                logging.error(f"could not write password for: {self.addr}")
+                raise
+        if not self.addr.startswith("echo@"):
+            self.enforce_E2EE_path.touch()
 
     def set_last_login_timestamp(self, timestamp):
         """Track login time with daily granularity

cmdeploy/src/cmdeploy/acmetool/__init__.py

@@ -61,19 +61,6 @@ class AcmetoolDeployer(Deployer):
             mode="644",
         )
 
-        server.shell(
-            name=f"Remove old acmetool desired files for {self.domains[0]}",
-            commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
-        )
-        files.template(
-            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
-            user="root",
-            group="root",
-            mode="644",
-            domains=self.domains,
-        )
-
         service_file = files.put(
             src=importlib.resources.files(__package__).joinpath(
                 "acmetool-redirector.service"
@@ -136,6 +123,6 @@ class AcmetoolDeployer(Deployer):
         self.need_restart_reconcile_timer = False
 
         server.shell(
-            name=f"Reconcile certificates for: {', '.join(self.domains)}",
-            commands=["acmetool --batch --xlog.severity=debug reconcile"],
+            name=f"Request certificate for: {', '.join(self.domains)}",
+            commands=[f"acmetool want --xlog.severity=debug {' '.join(self.domains)}"],
         )

cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2

@@ -1,6 +0,0 @@
-satisfy:
-  names:
-{%- for domain in domains %}
-  - {{ domain }}
-{%- endfor %}
-

cmdeploy/src/cmdeploy/deployers.py

@@ -440,6 +440,7 @@ class ChatmailVenvDeployer(Deployer):
 class ChatmailDeployer(Deployer):
     required_users = [
         ("vmail", "vmail", None),
+        ("echobot", None, None),
         ("iroh", None, None),
     ]
 

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -113,7 +113,7 @@ mail_attribute_dict = proxy:/run/chatmail-metadata/metadata.socket:metadata
 # `imap_zlib` enables IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
-  mail_plugins = $mail_plugins imap_quota last_login {% if config.imap_compress %}imap_zlib{% endif %}
+  mail_plugins = $mail_plugins imap_zlib imap_quota last_login
   imap_metadata = yes
 }
 
@@ -252,28 +252,3 @@ protocol imap {
   rawlog_dir = %h 
 } 
 {% endif %}
-
-{% if not config.imap_compress %}
-# Hibernate IDLE users to save memory and CPU resources
-# NOTE: this will have no effect if imap_zlib plugin is used
-imap_hibernate_timeout = 30s
-service imap {
-  # Note that this change will allow any process running as
-  # $default_internal_user (dovecot) to access mails as any other user.
-  # This may be insecure in some installations, which is why this isn't
-  # done by default.
-  unix_listener imap-master {
-    user = $default_internal_user
-  }
-}
-# The following is the default already in v2.3.1+:
-service imap {
-  extra_groups = $default_internal_group
-}
-service imap-hibernate {
-  unix_listener imap-hibernate {
-    mode = 0660
-    group = $default_internal_group
-  }
-}
-{% endif %}

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -10,7 +10,6 @@ if nsigs == nil then
 end
 
 local valid = false
-local error_msg = "No valid DKIM signature found."
 for i = 1, nsigs do
 	sig = odkim.get_sighandle(ctx, i - 1)
 	sigres = odkim.sig_result(sig)
@@ -22,8 +21,6 @@ for i = 1, nsigs do
 	-- means the message is acceptable.
 	if sigres == 0 then
 		valid = true
-    else
-        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
 	end
 end
 
@@ -34,7 +31,7 @@ if valid then
 		odkim.del_header(ctx, "DKIM-Signature", i)
 	end
 else
-	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
+	odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
 	odkim.set_result(ctx, SMFIS_REJECT)
 end
 

cmdeploy/src/cmdeploy/remote/rdns.py

@@ -37,10 +37,7 @@ def perform_initial_checks(mail_domain, pre_command=""):
         return res
 
     # parse out sts-id if exists, example: "v=STSv1; id=2090123"
-    mta_sts_txt = query_dns("TXT", f"_mta-sts.{mail_domain}")
-    if not mta_sts_txt:
-        return res
-    parts = mta_sts_txt.split("id=")
+    parts = query_dns("TXT", f"_mta-sts.{mail_domain}").split("id=")
     res["sts_id"] = parts[1].rstrip('"') if len(parts) == 2 else ""
     return res
 

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,4 +1,5 @@
 import datetime
+import os
 import smtplib
 import socket
 import subprocess
@@ -7,6 +8,7 @@ import time
 import pytest
 
 from cmdeploy import remote
+from cmdeploy.cmdeploy import main
 from cmdeploy.sshexec import SSHExec
 
 
@@ -68,6 +70,46 @@ class TestSSHExecutor:
         assert (now - since_date).total_seconds() < 60 * 60 * 51
 
 
+def test_status_cmd(chatmail_config, capsys, request):
+    os.chdir(request.config.invocation_params.dir)
+    assert main(["status"]) == 0
+    status_out = capsys.readouterr()
+    print(status_out.out)
+
+    services = [
+        "acmetool-redirector",
+        "chatmail-metadata",
+        "doveauth",
+        "dovecot",
+        "fcgiwrap",
+        "filtermail-incoming",
+        "filtermail",
+        "lastlogin",
+        "nginx",
+        "opendkim",
+        "postfix@-",
+        "systemd-journald",
+        "turnserver",
+        "unbound",
+    ]
+    not_running = []
+    for service in services:
+        active = False
+        for line in status_out:
+            if service in line:
+                active = True
+                if not "loaded" in line:
+                    active = False
+                if not "active" in line:
+                    active = False
+                if not "running" in line:
+                    active = False
+                break
+        if not active:
+            not_running.append(service)
+    assert not_running == []
+
+
 def test_timezone_env(remote):
     for line in remote.iter_output("env"):
         print(line)

cmdeploy/src/cmdeploy/tests/online/test_3_status.py

@@ -1,49 +0,0 @@
-import os
-
-from cmdeploy.cmdeploy import main
-
-
-def test_status_cmd(chatmail_config, capsys, request):
-    os.chdir(request.config.invocation_params.dir)
-    assert main(["status"]) == 0
-    status_out = capsys.readouterr()
-    print(status_out.out)
-
-    assert len(status_out.out.splitlines()) > 5
-
-    """
-    don't test actual server state:
-
-    services = [
-        "acmetool-redirector",
-        "chatmail-metadata",
-        "doveauth",
-        "dovecot",
-        "fcgiwrap",
-        "filtermail-incoming",
-        "filtermail",
-        "lastlogin",
-        "nginx",
-        "opendkim",
-        "postfix@-",
-        "systemd-journald",
-        "turnserver",
-        "unbound",
-    ]
-    not_running = []
-    for service in services:
-        active = False
-        for line in status_out:
-            if service in line:
-                active = True
-                if not "loaded" in line:
-                    active = False
-                if not "active" in line:
-                    active = False
-                if not "running" in line:
-                    active = False
-                break
-        if not active:
-            not_running.append(service)
-    assert not_running == []
-    """

doc/README.md

@@ -6,7 +6,7 @@ You can use the `make` command and `make html` to build web pages.
 
 You need a Python environment where the following install was excuted: 
 
-    pip install furo sphinx-autobuild
+    pip install sphinx-build furo sphinx-autobuild 
 
 To develop/change documentation, you can then do: 
 

doc/source/related.rst

@@ -7,7 +7,7 @@ Active development takes place in the `chatmail/relay github repository <https:/
 You can check out the `'chatmail' tag in the support.delta.chat forum <https://support.delta.chat/tag/chatmail>`_
 and ask to get added to a non-public support chat for debugging issues.
 
-We know of three work-in-progress alternative implementation efforts:
+We know of two work-in-progress alternative implementation efforts:
 
 -  `Mox <https://github.com/mjl-/mox>`_: A Golang email server. `Work
    is in progress <https://github.com/mjl-/mox/issues/251>`_ to modify
@@ -18,10 +18,3 @@ We know of three work-in-progress alternative implementation efforts:
    plugin for the `Maddy email server <https://maddy.email/>`_ which
    aims to implement the chatmail relay features and configuration
    options.
-
--  `Chatmail Cookbook <https://github.com/feld/chatmail-cookbook>`_:
-   A Chef Cookbook implementing a relay server. The project follows the
-   official relay server software and configurations converted to a Chef
-   Cookbook with only minor differences. The cookbook uses DNS-01 for
-   certificate validation and additionally supports FreeBSD. It does not
-   require a Chef server to use.

www/src/index.md

@@ -23,3 +23,7 @@ you can also **scan this QR code** with Delta Chat:
 🐣 **Choose** your Avatar and Name
 
 💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
+
+{% if config.mail_domain != "nine.testrun.org" %}
+<div class="experimental">Note: this is only a temporary development chatmail service</div>
+{% endif %}