Try without gcc

.github/workflows/test-and-deploy-ipv4only.yaml

@@ -38,8 +38,8 @@ jobs:
           if [ -f dkimkeys-ipv4/dkimkeys/opendkim.private ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" dkimkeys-ipv4 root@ns.testrun.org:/tmp/ || true; fi
           if [ "$(ls -A acme-ipv4/acme/certs)" ]; then rsync -avz -e "ssh -o StrictHostKeyChecking=accept-new" acme-ipv4 root@ns.testrun.org:/tmp/ || true; fi
           # make sure CAA record isn't set
-          scp -o StrictHostKeyChecking=accept-new .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
-          ssh root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone
+          scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
+          ssh -o StrictHostKeyChecking=accept-new root@ns.testrun.org sed -i '/CAA/d' /etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
           ssh root@ns.testrun.org systemctl reload nsd
 
@@ -49,7 +49,7 @@ jobs:
             -H "Authorization: Bearer ${{ secrets.HETZNER_API_TOKEN }}" \
             -H "Content-Type: application/json" \
             -d '{"image":"debian-12"}' \
-            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_IPV4_SERVER_ID }}/actions/rebuild"
+            "https://api.hetzner.cloud/v1/servers/${{ secrets.STAGING_SERVER_ID }}/actions/rebuild"
 
       - run: scripts/initenv.sh
 
@@ -63,11 +63,11 @@ jobs:
           while ! ssh -o ConnectTimeout=180 -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u ; do sleep 1 ; done
           ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org id -u
           # download acme & dkim state from ns.testrun.org
-          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme-ipv4/acme acme-restore || true
-          rsync -avz root@ns.testrun.org:/tmp/dkimkeys-ipv4/dkimkeys dkimkeys-restore || true
+          rsync -e "ssh -o StrictHostKeyChecking=accept-new" -avz root@ns.testrun.org:/tmp/acme-ipv4 acme-restore || true
+          rsync -avz root@ns.testrun.org:/tmp/dkimkeys-ipv4 dkimkeys-restore || true
           # restore acme & dkim state to staging2.testrun.org
-          rsync -avz acme-restore/acme root@staging-ipv4.testrun.org:/var/lib/ || true
-          rsync -avz dkimkeys-restore/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
+          rsync -avz acme-restore/acme-ipv4/acme root@staging-ipv4.testrun.org:/var/lib/ || true
+          rsync -avz dkimkeys-restore/dkimkeys-ipv4/dkimkeys root@staging-ipv4.testrun.org:/etc/ || true
           ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown root:root -R /var/lib/acme || true
 
       - name: run formatting checks 

CHANGELOG.md

@@ -2,75 +2,42 @@
 
 ## untagged
 
-- cmdeploy dovecot: delete big messages after 7 days
-  ([#504](https://github.com/chatmail/server/pull/504))
-
-- mtail: fix getting logs from STDIN
-  ([#502](https://github.com/chatmail/server/pull/502))
-
-- filtermail: don't require exactly 2 lines after openPGP payload
-  ([#497](https://github.com/chatmail/server/pull/497))
-
 - cmdeploy dns: offer alternative DKIM record format for some web interfaces
-  ([#470](https://github.com/chatmail/server/pull/470))
-
-- journald: remove old logs from disk
-  ([#490](https://github.com/chatmail/server/pull/490))
-
-- opendkim: restart once every day to mend RAM leaks
-  ([#498](https://github.com/chatmail/server/pull/498)
+  ([#470](https://github.com/deltachat/chatmail/pull/470))
 
 - migration guide: let opendkim own the DKIM keys directory
-  ([#468](https://github.com/chatmail/server/pull/468))
-
-- improve secure-join message detection
-  ([#473](https://github.com/chatmail/server/pull/473))
-
-- use old crypt lib in python < 3.11
-  ([#483](https://github.com/chatmail/server/pull/483))
-
-- chatmaild: set umask to 0700 for doveauth + metadata
-  ([#490](https://github.com/chatmail/server/pull/492))
-
-- remove MTA-STS daemon
-  ([#488](https://github.com/chatmail/server/pull/488))
-
-- replace `Subject` with `[...]` for all outgoing mails.
-  ([#481](https://github.com/chatmail/server/pull/481))
-
-- opendkim: use su instead of sudo
-  ([#491](https://github.com/chatmail/server/pull/491))
+  ([#468](https://github.com/deltachat/chatmail/pull/468))
 
 ## 1.5.0 2024-12-20
 
 - cmdeploy dns: always show recommended DNS records
-  ([#463](https://github.com/chatmail/server/pull/463))
+  ([#463](https://github.com/deltachat/chatmail/pull/463))
 
 - add `--all` to `cmdeploy dns`
-  ([#462](https://github.com/chatmail/server/pull/462))
+  ([#462](https://github.com/deltachat/chatmail/pull/462))
 
 - fix `_mta-sts` TXT DNS record
-  ([#461](https://github.com/chatmail/server/pull/461)
+  ([#461](https://github.com/deltachat/chatmail/pull/461)
 
 - deploy `iroh-relay` and also update "realtime relay services" in privacy policy. 
-  ([#434](https://github.com/chatmail/server/pull/434))
-  ([#451](https://github.com/chatmail/server/pull/451))
+  ([#434](https://github.com/deltachat/chatmail/pull/434))
+  ([#451](https://github.com/deltachat/chatmail/pull/451))
 
 - add guide to migrate chatmail to a new server
-  ([#429](https://github.com/chatmail/server/pull/429))
+  ([#429](https://github.com/deltachat/chatmail/pull/429))
 
 - disable anvil authentication penalty
-  ([#414](https://github.com/chatmail/server/pull/444)
+  ([#414](https://github.com/deltachat/chatmail/pull/444)
 
 - increase `request_queue_size` for UNIX sockets to 1000.
-  ([#437](https://github.com/chatmail/server/pull/437))
+  ([#437](https://github.com/deltachat/chatmail/pull/437))
 
 - add argument to `cmdeploy run` for specifying
   a different SSH host than `mail_domain`
-  ([#439](https://github.com/chatmail/server/pull/439))
+  ([#439](https://github.com/deltachat/chatmail/pull/439))
 
 - query autoritative nameserver to bypass DNS cache
-  ([#424](https://github.com/chatmail/server/pull/424))
+  ([#424](https://github.com/deltachat/chatmail/pull/424))
 
 - add mtail support (new optional `mtail_address` ini value)
   This defines the address on which [`mtail`](https://google.github.io/mtail/)
@@ -80,195 +47,195 @@
   and assign an IP address from this network to the host.
   If you do not plan to collect metrics,
   keep this setting unset.
-  ([#388](https://github.com/chatmail/server/pull/388))
+  ([#388](https://github.com/deltachat/chatmail/pull/388))
 
 - fix checking for required DNS records
-  ([#412](https://github.com/chatmail/server/pull/412))
+  ([#412](https://github.com/deltachat/chatmail/pull/412))
 
 - add support for specifying whole domains for recipient passthrough list
-  ([#408](https://github.com/chatmail/server/pull/408))
+  ([#408](https://github.com/deltachat/chatmail/pull/408))
 
 - add a paragraph about "account deletion" to info page 
-  ([#405](https://github.com/chatmail/server/pull/405))
+  ([#405](https://github.com/deltachat/chatmail/pull/405))
 
 - avoid nginx listening on ipv6 if v6 is dsiabled 
-  ([#402](https://github.com/chatmail/server/pull/402))
+  ([#402](https://github.com/deltachat/chatmail/pull/402))
 
 - refactor ssh-based execution to allow organizing remote functions in
   modules. 
-  ([#396](https://github.com/chatmail/server/pull/396))
+  ([#396](https://github.com/deltachat/chatmail/pull/396))
 
 - trigger "apt upgrade" during "cmdeploy run" 
-  ([#398](https://github.com/chatmail/server/pull/398))
+  ([#398](https://github.com/deltachat/chatmail/pull/398))
 
 - drop hispanilandia passthrough address
-  ([#401](https://github.com/chatmail/server/pull/401))
+  ([#401](https://github.com/deltachat/chatmail/pull/401))
 
 - set CAA record flags to 0
 
 - add IMAP capabilities instead of overwriting them
-  ([#413](https://github.com/chatmail/server/pull/413))
+  ([#413](https://github.com/deltachat/chatmail/pull/413))
 
 - fix OpenPGP payload check
-  ([#435](https://github.com/chatmail/server/pull/435))
+  ([#435](https://github.com/deltachat/chatmail/pull/435))
 
 - fix Dovecot quota_max_mail_size to use max_message_size config value
-  ([#438](https://github.com/chatmail/server/pull/438))
+  ([#438](https://github.com/deltachat/chatmail/pull/438))
 
 
 ## 1.4.1 2024-07-31
 
 - fix metadata dictproxy which would confuse transactions
   resulting in missed notifications and other issues. 
-  ([#393](https://github.com/chatmail/server/pull/393))
-  ([#394](https://github.com/chatmail/server/pull/394))
+  ([#393](https://github.com/deltachat/chatmail/pull/393))
+  ([#394](https://github.com/deltachat/chatmail/pull/394))
 
 - add optional "imap_rawlog" config option. If true, 
   .in/.out files are created in user home dirs 
   containing the imap protocol messages. 
-  ([#389](https://github.com/chatmail/server/pull/389))
+  ([#389](https://github.com/deltachat/chatmail/pull/389))
 
 ## 1.4.0 2024-07-28
 
 - Add `disable_ipv6` config option to chatmail.ini.
   Required if the server doesn't have IPv6 connectivity.
-  ([#312](https://github.com/chatmail/server/pull/312))
+  ([#312](https://github.com/deltachat/chatmail/pull/312))
 
 - allow current K9/Thunderbird-mail releases to send encrypted messages
   outside by accepting their localized "encrypted subject" strings. 
-  ([#370](https://github.com/chatmail/server/pull/370))
+  ([#370](https://github.com/deltachat/chatmail/pull/370))
 
 - Migrate and remove sqlite database in favor of password/lastlogin tracking 
   in a user's maildir.  
-  ([#379](https://github.com/chatmail/server/pull/379))
+  ([#379](https://github.com/deltachat/chatmail/pull/379))
 
 - Require pyinfra V3 installed on the client side,
   run `./scripts/initenv.sh` to upgrade locally.
-  ([#378](https://github.com/chatmail/server/pull/378))
+  ([#378](https://github.com/deltachat/chatmail/pull/378))
 
 - don't hardcode "/home/vmail" paths but rather set them 
   once in the config object and use it everywhere else, 
   thereby also improving testability.  
-  ([#351](https://github.com/chatmail/server/pull/351))
+  ([#351](https://github.com/deltachat/chatmail/pull/351))
   temporarily introduced obligatory "passdb_path" and "mailboxes_dir" 
   settings but they were removed/obsoleted in 
-  ([#380](https://github.com/chatmail/server/pull/380))
+  ([#380](https://github.com/deltachat/chatmail/pull/380))
 
 - BREAKING: new required chatmail.ini value 'delete_inactive_users_after = 100'
   which removes users from database and mails after 100 days without any login. 
-  ([#350](https://github.com/chatmail/server/pull/350))
+  ([#350](https://github.com/deltachat/chatmail/pull/350))
 
 - Refine DNS checking to distinguish between "required" and "recommended" settings 
-  ([#372](https://github.com/chatmail/server/pull/372))
+  ([#372](https://github.com/deltachat/chatmail/pull/372))
 
 - reload nginx in the acmetool cronjob
-  ([#360](https://github.com/chatmail/server/pull/360))
+  ([#360](https://github.com/deltachat/chatmail/pull/360))
 
 - remove checking of reverse-DNS PTR records.  Chatmail-servers don't
   depend on it and even in the wider e-mail system it's not common anymore. 
   If it's an issue, a chatmail operator can still care to properly set reverse DNS. 
-  ([#348](https://github.com/chatmail/server/pull/348))
+  ([#348](https://github.com/deltachat/chatmail/pull/348))
 
 - Make DNS-checking faster and more interactive, run it fully during "cmdeploy run",
   also introducing a generic mechanism for rapid remote ssh-based python function execution. 
-  ([#346](https://github.com/chatmail/server/pull/346))
+  ([#346](https://github.com/deltachat/chatmail/pull/346))
 
 - Don't fix file owner ship of /home/vmail 
-  ([#345](https://github.com/chatmail/server/pull/345))
+  ([#345](https://github.com/deltachat/chatmail/pull/345))
 
 - Support iterating over all users with doveadm commands 
-  ([#344](https://github.com/chatmail/server/pull/344))
+  ([#344](https://github.com/deltachat/chatmail/pull/344))
 
 - Test and fix for attempts to create inadmissible accounts 
-  ([#333](https://github.com/chatmail/server/pull/321))
+  ([#333](https://github.com/deltachat/chatmail/pull/321))
 
 - check that OpenPGP has only PKESK, SKESK and SEIPD packets
-  ([#323](https://github.com/chatmail/server/pull/323),
-   [#324](https://github.com/chatmail/server/pull/324))
+  ([#323](https://github.com/deltachat/chatmail/pull/323),
+   [#324](https://github.com/deltachat/chatmail/pull/324))
 
 - improve filtermail checks for encrypted messages and drop support for unencrypted MDNs
-  ([#320](https://github.com/chatmail/server/pull/320))
+  ([#320](https://github.com/deltachat/chatmail/pull/320))
 
 - replace `bash` with `/bin/sh`
-  ([#334](https://github.com/chatmail/server/pull/334))
+  ([#334](https://github.com/deltachat/chatmail/pull/334))
 
 - Increase number of logged in IMAP sessions to 50000
-  ([#335](https://github.com/chatmail/server/pull/335))
+  ([#335](https://github.com/deltachat/chatmail/pull/335))
 
 - filtermail: do not allow ASCII armor without actual payload
-  ([#325](https://github.com/chatmail/server/pull/325))
+  ([#325](https://github.com/deltachat/chatmail/pull/325))
 
 - Remove sieve to enable hardlink deduplication in LMTP
-  ([#343](https://github.com/chatmail/server/pull/343))
+  ([#343](https://github.com/deltachat/chatmail/pull/343))
 
 - dovecot: enable gzip compression on disk
-  ([#341](https://github.com/chatmail/server/pull/341))
+  ([#341](https://github.com/deltachat/chatmail/pull/341))
 
 - DKIM-sign Content-Type and oversign all signed headers
-  ([#296](https://github.com/chatmail/server/pull/296))
+  ([#296](https://github.com/deltachat/chatmail/pull/296))
 
 - Add nonci_accounts metric
-  ([#347](https://github.com/chatmail/server/pull/347))
+  ([#347](https://github.com/deltachat/chatmail/pull/347))
 
 - doveauth: log when a new account is created
-  ([#349](https://github.com/chatmail/server/pull/349))
+  ([#349](https://github.com/deltachat/chatmail/pull/349))
 
 - Multiplex HTTPS, IMAP and SMTP on port 443
-  ([#357](https://github.com/chatmail/server/pull/357))
+  ([#357](https://github.com/deltachat/chatmail/pull/357))
 
 ## 1.3.0 - 2024-06-06
 
 - don't check necessary DNS records on cmdeploy init anymore
-  ([#316](https://github.com/chatmail/server/pull/316))
+  ([#316](https://github.com/deltachat/chatmail/pull/316))
 
 - ensure cron and acl are installed
-  ([#293](https://github.com/chatmail/server/pull/293),
-  [#310](https://github.com/chatmail/server/pull/310))
+  ([#293](https://github.com/deltachat/chatmail/pull/293),
+  [#310](https://github.com/deltachat/chatmail/pull/310))
 
 - change default for delete_mails_after from 40 to 20 days
-  ([#300](https://github.com/chatmail/server/pull/300))
+  ([#300](https://github.com/deltachat/chatmail/pull/300))
 
 - save journald logs only to memory and save nginx logs to journald instead of file
-  ([#299](https://github.com/chatmail/server/pull/299))
+  ([#299](https://github.com/deltachat/chatmail/pull/299))
 
 - fix writing of multiple obs repositories in `/etc/apt/sources.list`
-  ([#290](https://github.com/chatmail/server/pull/290))
+  ([#290](https://github.com/deltachat/chatmail/pull/290))
 
 - metadata: add support for `/shared/vendor/deltachat/irohrelay`
-  ([#284](https://github.com/chatmail/server/pull/284))
+  ([#284](https://github.com/deltachat/chatmail/pull/284))
 
 - Emit "XCHATMAIL" capability from IMAP server 
-  ([#278](https://github.com/chatmail/server/pull/278))
+  ([#278](https://github.com/deltachat/chatmail/pull/278))
 
 - Move echobot `into /var/lib/echobot`
-  ([#281](https://github.com/chatmail/server/pull/281))
+  ([#281](https://github.com/deltachat/chatmail/pull/281))
 
 - Accept Let's Encrypt's new Terms of Services
-  ([#275](https://github.com/chatmail/server/pull/276))
+  ([#275](https://github.com/deltachat/chatmail/pull/276))
 
 - Reload Dovecot and Postfix when TLS certificate updates
-  ([#271](https://github.com/chatmail/server/pull/271))
+  ([#271](https://github.com/deltachat/chatmail/pull/271))
 
 - Use forked version of dovecot without hardcoded delays
-  ([#270](https://github.com/chatmail/server/pull/270))
+  ([#270](https://github.com/deltachat/chatmail/pull/270))
 
 ## 1.2.0 - 2024-04-04
 
 - Install dig on the server to resolve DNS records
-  ([#267](https://github.com/chatmail/server/pull/267))
+  ([#267](https://github.com/deltachat/chatmail/pull/267))
 
 - preserve notification order and exponentially backoff with 
   retries for tokens where we didn't get a successful return
-  ([#265](https://github.com/chatmail/server/pull/263))
+  ([#265](https://github.com/deltachat/chatmail/pull/263))
 
 - Run chatmail-metadata and doveauth as vmail
-  ([#261](https://github.com/chatmail/server/pull/261))
+  ([#261](https://github.com/deltachat/chatmail/pull/261))
 
 - Apply systemd restrictions to echobot
-  ([#259](https://github.com/chatmail/server/pull/259))
+  ([#259](https://github.com/deltachat/chatmail/pull/259))
 
 - re-enable running the CI in pull requests, but not concurrently 
-  ([#258](https://github.com/chatmail/server/pull/258))
+  ([#258](https://github.com/deltachat/chatmail/pull/258))
 
 
 ## 1.1.0 - 2024-03-28
@@ -276,27 +243,27 @@
 ### The changelog starts to record changes from March 15th, 2024 
 
 - Move systemd unit templates to cmdeploy package 
-  ([#255](https://github.com/chatmail/server/pull/255))
+  ([#255](https://github.com/deltachat/chatmail/pull/255))
 
 - Persist push tokens and support multiple device per address 
-  ([#254](https://github.com/chatmail/server/pull/254))
+  ([#254](https://github.com/deltachat/chatmail/pull/254))
 
 - Avoid warning for regular doveauth protocol's hello message. 
-  ([#250](https://github.com/chatmail/server/pull/250))
+  ([#250](https://github.com/deltachat/chatmail/pull/250))
 
 - Fix various tests to pass again with "cmdeploy test". 
-  ([#245](https://github.com/chatmail/server/pull/245),
-  [#242](https://github.com/chatmail/server/pull/242)
+  ([#245](https://github.com/deltachat/chatmail/pull/245),
+  [#242](https://github.com/deltachat/chatmail/pull/242)
 
 - Ensure lets-encrypt certificates are reloaded after renewal 
-  ([#244]) https://github.com/chatmail/server/pull/244
+  ([#244]) https://github.com/deltachat/chatmail/pull/244
 
 - Persist tokens to avoid iOS users loosing push-notifications when the
   chatmail metadata service is restarted (happens regularly during deploys)
-  ([#238](https://github.com/chatmail/server/pull/239)
+  ([#238](https://github.com/deltachat/chatmail/pull/239)
 
 - Fix failing sieve-script compile errors on incoming messages
-  ([#237](https://github.com/chatmail/server/pull/239)
+  ([#237](https://github.com/deltachat/chatmail/pull/239)
 
 - Fix quota reporting after expunging of old mails
-  ([#233](https://github.com/chatmail/server/pull/239)
+  ([#233](https://github.com/deltachat/chatmail/pull/239)

chatmaild/pyproject.toml

@@ -12,7 +12,7 @@ dependencies = [
   "deltachat-rpc-client",
   "filelock",
   "requests",
-  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
+  "crypt-r",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/common_encrypted_subjects.py

@@ -0,0 +1,59 @@
+"""Generated from deltachat, draft-ietf-lamps-header-protection, and
+encrypted_subject localizations in
+https://github.com/thunderbird/thunderbird-android/
+
+"""
+
+common_encrypted_subjects = {
+    "...",
+    "[...]",
+    "암호화된 메시지",
+    "Ĉifrita mesaĝo",
+    "Courriel chiffré",
+    "Dulrituð skilaboð",
+    "Encrypted Message",
+    "Fersifere berjocht",
+    "Kemennadenn enrineget",
+    "Krüptitud kiri",
+    "Krypterat meddelande",
+    "Krypteret besked",
+    "Kryptert melding",
+    "Mensagem criptografada",
+    "Mensagem encriptada",
+    "Mensaje cifrado",
+    "Mensaxe cifrada",
+    "Mesaj Criptat",
+    "Mesazh i Fshehtëzuar",
+    "Messaggio criptato",
+    "Messaghju cifratu",
+    "Missatge encriptat",
+    "Neges wedi'i Hamgryptio",
+    "Pesan terenkripsi",
+    "Salattu viesti",
+    "Şifreli İleti",
+    "Šifrēta ziņa",
+    "Šifrirana poruka",
+    "Šifrirano sporočilo",
+    "Šifruotas laiškas",
+    "Tin nhắn được mã hóa",
+    "Titkosított üzenet",
+    "Verschlüsselte Nachricht",
+    "Versleuteld bericht",
+    "Zašifrovaná zpráva",
+    "Zaszyfrowana wiadomość",
+    "Zifratu mezua",
+    "Κρυπτογραφημένο μήνυμα",
+    "Зашифроване повідомлення",
+    "Зашифрованное сообщение",
+    "Зашыфраваны ліст",
+    "Криптирано съобщение",
+    "Шифрована порука",
+    "დაშიფრული წერილი",
+    "הודעה מוצפנת",
+    "پیام رمزنگاری‌شده",
+    "رسالة مشفّرة",
+    "എൻക്രിപ്റ്റുചെയ്‌ത സന്ദേശം",
+    "加密邮件",
+    "已加密的訊息",
+    "暗号化されたメッセージ",
+}

chatmaild/src/chatmaild/doveauth.py

@@ -3,10 +3,7 @@ import logging
 import os
 import sys
 
-try:
-    import crypt_r
-except ImportError:
-    import crypt as crypt_r
+import crypt_r
 
 from .config import Config, read_config
 from .dictproxy import DictProxy

chatmaild/src/chatmaild/filtermail.py

@@ -12,6 +12,7 @@ from smtplib import SMTP as SMTPClient
 
 from aiosmtpd.controller import Controller
 
+from .common_encrypted_subjects import common_encrypted_subjects
 from .config import read_config
 
 
@@ -80,9 +81,7 @@ def check_armored_payload(payload: str):
         return False
     payload = payload.removeprefix(prefix)
 
-    while payload.endswith("\r\n"):
-        payload = payload.removesuffix("\r\n")
-    suffix = "-----END PGP MESSAGE-----"
+    suffix = "-----END PGP MESSAGE-----\r\n\r\n"
     if not payload.endswith(suffix):
         return False
     payload = payload.removesuffix(suffix)
@@ -101,27 +100,6 @@ def check_armored_payload(payload: str):
         return False
 
 
-def is_securejoin(message):
-    if message.get("secure-join") not in ["vc-request", "vg-request"]:
-        return False
-    if not message.is_multipart():
-        return False
-    parts_count = 0
-    for part in message.iter_parts():
-        parts_count += 1
-        if parts_count > 1:
-            return False
-        if part.is_multipart():
-            return False
-        if part.get_content_type() != "text/plain":
-            return False
-
-        payload = part.get_payload().strip().lower()
-        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
-            return False
-    return True
-
-
 def check_encrypted(message):
     """Check that the message is an OpenPGP-encrypted message.
 
@@ -129,6 +107,8 @@ def check_encrypted(message):
     """
     if not message.is_multipart():
         return False
+    if message.get("subject") not in common_encrypted_subjects:
+        return False
     if message.get_content_type() != "multipart/encrypted":
         return False
     parts_count = 0
@@ -223,7 +203,11 @@ class BeforeQueueHandler:
 
         passthrough_recipients = self.config.passthrough_recipients
 
-        if mail_encrypted or is_securejoin(message):
+        is_securejoin = message.get("secure-join") in [
+            "vc-request",
+            "vg-request",
+        ]
+        if is_securejoin:
             return
 
         for recipient in envelope.rcpt_tos:
@@ -238,7 +222,7 @@ class BeforeQueueHandler:
             _recipient_addr, recipient_domain = res
 
             is_outgoing = recipient_domain != envelope_from_domain
-            if is_outgoing:
+            if is_outgoing and not mail_encrypted:
                 print("Rejected unencrypted mail.", file=sys.stderr)
                 return f"500 Invalid unencrypted mail to <{recipient}>"
 

chatmaild/src/chatmaild/tests/mail-data/securejoin-vc-fake.eml

@@ -1,21 +0,0 @@
-Subject: Message from {from_addr}
-From: <{from_addr}>
-To: <{to_addr}>
-Date: Sun, 15 Oct 2023 16:43:25 +0000
-Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
-Chat-Version: 1.0
-Secure-Join: vc-request
-Secure-Join-Invitenumber: RANDOM-TOKEN
-MIME-Version: 1.0
-Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
-
-
---Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
-Content-Type: text/plain; charset=utf-8
-
-Buy viagra!
-
-
---Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
-
-

chatmaild/src/chatmaild/tests/mail-data/securejoin-vc.eml

@@ -1,21 +0,0 @@
-Subject: Message from {from_addr}
-From: <{from_addr}>
-To: <{to_addr}>
-Date: Sun, 15 Oct 2023 16:43:25 +0000
-Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>
-Chat-Version: 1.0
-Secure-Join: vc-request
-Secure-Join-Invitenumber: RANDOM-TOKEN
-MIME-Version: 1.0
-Content-Type: multipart/mixed; boundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"
-
-
---Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi
-Content-Type: text/plain; charset=utf-8
-
-Secure-Join: vc-request
-
-
---Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--
-
-

chatmaild/src/chatmaild/tests/plugin.py

@@ -69,7 +69,7 @@ def maildata(request):
 
     assert datadir.exists(), datadir
 
-    def maildata(name, from_addr, to_addr, subject="[...]"):
+    def maildata(name, from_addr, to_addr, subject="..."):
         # Using `.read_bytes().decode()` instead of `.read_text()` to preserve newlines.
         data = datadir.joinpath(name).read_bytes().decode()
 

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -5,7 +5,7 @@ from chatmaild.filtermail import (
     SendRateLimiter,
     check_armored_payload,
     check_encrypted,
-    is_securejoin,
+    common_encrypted_subjects,
 )
 
 
@@ -55,28 +55,19 @@ def test_filtermail_no_encryption_detection(maildata):
     assert not check_encrypted(msg)
 
 
-def test_filtermail_securejoin_detection(maildata):
-    msg = maildata(
-        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
-    )
-    assert is_securejoin(msg)
-
-    msg = maildata(
-        "securejoin-vc-fake.eml",
-        from_addr="some@example.org",
-        to_addr="other@example.org",
-    )
-    assert not is_securejoin(msg)
-
-
 def test_filtermail_encryption_detection(maildata):
-    msg = maildata(
-        "encrypted.eml",
-        from_addr="1@example.org",
-        to_addr="2@example.org",
-        subject="Subject does not matter, will be replaced anyway",
-    )
-    assert check_encrypted(msg)
+    for subject in common_encrypted_subjects:
+        msg = maildata(
+            "encrypted.eml",
+            from_addr="1@example.org",
+            to_addr="2@example.org",
+            subject=subject,
+        )
+        assert check_encrypted(msg)
+
+    # if the subject is not a known encrypted subject value, it is not considered ac-encrypted
+    msg.replace_header("Subject", "Click this link")
+    assert not check_encrypted(msg)
 
 
 def test_filtermail_no_literal_packets(maildata):
@@ -205,20 +196,10 @@ UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 =b5Kp\r
 -----END PGP MESSAGE-----\r
 \r
-\r
 """
 
     assert check_armored_payload(payload) == True
 
-    payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload) == True
-
-    payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload) == True
-
-    payload = payload.removesuffix("\r\n")
-    assert check_armored_payload(payload) == True
-
     payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 HELLOWORLD

cmdeploy/src/cmdeploy/__init__.py

@@ -79,8 +79,8 @@ def _install_remote_venv_with_chatmaild(config) -> None:
     )
 
     apt.packages(
-        name="install gcc and headers to build crypt_r source package",
-        packages=["gcc", "python3-dev"],
+        name="install python3-dev to build crypt_r source package",
+        packages=["python3-dev"],
     )
 
     server.shell(
@@ -217,36 +217,49 @@ def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
             commands=[
                 f"opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
             ],
-            _use_su_login=True,
-            _su_user="opendkim",
+            _sudo=True,
+            _sudo_user="opendkim",
         )
 
-    service_file = files.put(
-        name="Configure opendkim to restart once a day",
-        src=importlib.resources.files(__package__).joinpath("opendkim/systemd.conf"),
-        dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
-    )
-    need_restart |= service_file.changed
-
-
     return need_restart
 
 
-def _uninstall_mta_sts_daemon() -> None:
-    # Remove configuration.
-    files.file("/etc/mta-sts-daemon.yml", present=False)
+def _install_mta_sts_daemon() -> bool:
+    need_restart = False
 
-    files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
-
-    files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
-
-    systemd.service(
-        name="Stop MTA-STS daemon",
-        service="mta-sts-daemon.service",
-        daemon_reload=True,
-        running=False,
-        enabled=False,
+    config = files.put(
+        name="upload postfix-mta-sts-resolver config",
+        src=importlib.resources.files(__package__).joinpath(
+            "postfix/mta-sts-daemon.yml"
+        ),
+        dest="/etc/mta-sts-daemon.yml",
+        user="root",
+        group="root",
+        mode="644",
     )
+    need_restart |= config.changed
+
+    server.shell(
+        name="install postfix-mta-sts-resolver with pip",
+        commands=[
+            "python3 -m virtualenv /usr/local/lib/postfix-mta-sts-resolver",
+            "/usr/local/lib/postfix-mta-sts-resolver/bin/pip install postfix-mta-sts-resolver",
+        ],
+    )
+
+    systemd_unit = files.put(
+        name="upload mta-sts-daemon systemd unit",
+        src=importlib.resources.files(__package__).joinpath(
+            "postfix/mta-sts-daemon.service"
+        ),
+        dest="/etc/systemd/system/mta-sts-daemon.service",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    need_restart |= systemd_unit.changed
+
+    return need_restart
 
 
 def _configure_postfix(config: Config, debug: bool = False) -> bool:
@@ -650,8 +663,8 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
     debug = False
     dovecot_need_restart = _configure_dovecot(config, debug=debug)
     postfix_need_restart = _configure_postfix(config, debug=debug)
+    mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(config)
-    _uninstall_mta_sts_daemon()
 
     _remove_rspamd()
     opendkim_need_restart = _configure_opendkim(mail_domain, "opendkim")
@@ -661,10 +674,18 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         service="opendkim.service",
         running=True,
         enabled=True,
-        daemon_reload=opendkim_need_restart,
         restarted=opendkim_need_restart,
     )
 
+    systemd.service(
+        name="Start and enable MTA-STS daemon",
+        service="mta-sts-daemon.service",
+        daemon_reload=True,
+        running=True,
+        enabled=True,
+        restarted=mta_sts_need_restart,
+    )
+
     # Dovecot should be started before Postfix
     # because it creates authentication socket
     # required by Postfix.
@@ -714,11 +735,6 @@ def deploy_chatmail(config_path: Path, disable_mail: bool) -> None:
         enabled=True,
         restarted=journald_conf.changed,
     )
-    files.directory(
-        name="Ensure old logs on disk are deleted",
-        path="/var/log/journal/",
-        present=False,
-    )
 
     apt.packages(
         name="Ensure cron is installed",

cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2

@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf": true

cmdeploy/src/cmdeploy/chatmail.zone.j2

@@ -16,7 +16,7 @@ www.{{ mail_domain }}.               CNAME {{ mail_domain }}.
 ;
 ; Recommended DNS entries for interoperability and security-hardening
 ;
-{{ mail_domain }}.                   TXT "v=spf1 a ~all"
+{{ mail_domain }}.                   TXT "v=spf1 a:{{ mail_domain }} ~all"
 _dmarc.{{ mail_domain }}.            TXT "v=DMARC1;p=reject;adkim=s;aspf=s"
 
 {% if acme_account_url %}

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -209,7 +209,7 @@ ssl = required
 ssl_cert = </var/lib/acme/live/{{ config.mail_domain }}/fullchain
 ssl_key = </var/lib/acme/live/{{ config.mail_domain }}/privkey
 ssl_dh = </usr/share/dovecot/dh.pem
-ssl_min_protocol = TLSv1.3
+ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
 
 

cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2

@@ -1,5 +1,3 @@
-# delete already seen big mails after 7 days, in the INBOX
-2 0 * * * vmail find {{ config.mailboxes_dir }} -path '*/cur/*' -mtime +7 -size +200k -type f -delete
 # delete all mails after {{ config.delete_mails_after }} days, in the Inbox
 2 0 * * * vmail find {{ config.mailboxes_dir }} -path '*/cur/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 # or in any IMAP subfolder

cmdeploy/src/cmdeploy/mtail/mtail.service.j2

@@ -3,7 +3,7 @@ Description=mtail
 
 [Service]
 Type=simple
-ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs /dev/stdin"
+ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs -"
 Restart=on-failure
 
 [Install]

cmdeploy/src/cmdeploy/opendkim/systemd.conf

@@ -1,3 +0,0 @@
-[Service]
-Restart=always
-RuntimeMaxSec=1d

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -20,9 +20,9 @@ smtpd_tls_key_file=/var/lib/acme/live/{{ config.mail_domain }}/privkey
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=verify
+smtp_tls_security_level=may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = inline:{nauta.cu=may}
+smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8461:postfix
 smtpd_tls_protocols = >=TLSv1.2
 
 # Disable anonymous cipher suites

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -18,7 +18,6 @@ smtp      inet  n       -       y       -       -       smtpd
 submission inet n       -       y       -       5000    smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
-  -o smtpd_tls_mandatory_protocols=>=TLSv1.3
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
@@ -37,7 +36,6 @@ smtps     inet  n       -       y       -       5000    smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_tls_security_level=encrypt
-  -o smtpd_tls_mandatory_protocols=>=TLSv1.3
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_type=dovecot
   -o smtpd_sasl_path=private/auth
@@ -82,6 +80,7 @@ filter    unix -        n       n       -       -       lmtp
 localhost:{{ config.postfix_reinject_port }} inet  n       -       n       -       10      smtpd
   -o syslog_name=postfix/reinject
   -o smtpd_milters=unix:opendkim/opendkim.sock
+  -o cleanup_service_name=authclean
 
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.

cmdeploy/src/cmdeploy/postfix/submission_header_cleanup

@@ -2,4 +2,3 @@
 /^X-Originating-IP:/    IGNORE
 /^X-Mailer:/            IGNORE
 /^User-Agent:/          IGNORE
-/^Subject:/             REPLACE Subject: [...]

cmdeploy/src/cmdeploy/service/chatmail-metadata.service.f

@@ -7,7 +7,6 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=chatmail-metadata
-UMask=0077
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/service/doveauth.service.f

@@ -7,7 +7,6 @@ Restart=always
 RestartSec=30
 User=vmail
 RuntimeDirectory=doveauth
-UMask=0077
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/tests/online/test_1_basic.py

@@ -1,4 +1,3 @@
-import datetime
 import smtplib
 
 import pytest
@@ -53,14 +52,6 @@ class TestSSHExecutor:
         else:
             pytest.fail("didn't raise exception")
 
-    def test_opendkim_restarted(self, sshexec):
-        """check that opendkim is not running for longer than a day."""
-        out = sshexec(call=remote.rshell.shell, kwargs=dict(command="systemctl status opendkim"))
-        assert type(out) == str
-        since_date_str = out.split("since ")[1].split(";")[0]
-        since_date = datetime.datetime.strptime(since_date_str, "%a %Y-%m-%d %H:%M:%S %Z")
-        assert (datetime.datetime.now() - since_date).total_seconds() < 60 * 60 * 24
-
 
 def test_remote(remote, imap_or_smtp):
     lineproducer = remote.iter_output(imap_or_smtp.logcmd)
@@ -124,27 +115,6 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
             s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 
 
-def test_rewrite_subject(cmsetup, maildata):
-    """Test that subject gets replaced with [...]."""
-    user1, user2 = cmsetup.gen_users(2)
-
-    sent_msg = maildata(
-        "encrypted.eml",
-        from_addr=user1.addr,
-        to_addr=user2.addr,
-        subject="Unencrypted subject",
-    ).as_string()
-    user1.smtp.sendmail(from_addr=user1.addr, to_addrs=[user2.addr], msg=sent_msg)
-
-    messages = user2.imap.fetch_all_messages()
-    assert len(messages) == 1
-    rcvd_msg = messages[0]
-    assert "Subject: [...]" not in sent_msg
-    assert "Subject: [...]" in rcvd_msg
-    assert "Subject: Unencrypted subject" in sent_msg
-    assert "Subject: Unencrypted subject" not in rcvd_msg
-
-
 @pytest.mark.slow
 def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
     """Test that the per-account send-mail limit is exceeded."""