fix lint

CHANGELOG.md

@@ -2,8 +2,11 @@
 
 ## untagged
 
-- Test and fix for attempts to create inadmissible accounts 
-  ([#333](https://github.com/deltachat/chatmail/pull/321))
+- replace crypt with passlib, as crypt will be deprecated in Python 3.13
+  ([#319](https://github.com/deltachat/chatmail/pull/319))
+
+- Reject DKIM signatures that do not cover the whole message body.
+  ([#321](https://github.com/deltachat/chatmail/pull/321))
 
 - check that OpenPGP has only PKESK, SKESK and SEIPD packets
   ([#323](https://github.com/deltachat/chatmail/pull/323),
@@ -12,15 +15,6 @@
 - improve filtermail checks for encrypted messages and drop support for unencrypted MDNs
   ([#320](https://github.com/deltachat/chatmail/pull/320))
 
-- replace `bash` with `/bin/sh`
-  ([#334](https://github.com/deltachat/chatmail/pull/334))
-
-- Increase number of logged in IMAP sessions to 50000
-  ([#335](https://github.com/deltachat/chatmail/pull/335))
-
-- filtermail: do not allow ASCII armor without actual payload
-  ([#325](https://github.com/deltachat/chatmail/pull/325))
-
 ## 1.3.0 - 2024-06-06
 
 - don't check necessary DNS records on cmdeploy init anymore

chatmaild/pyproject.toml

@@ -12,6 +12,7 @@ dependencies = [
   "deltachat-rpc-client",
   "filelock",
   "requests",
+  "passlib",
 ]
 
 [tool.setuptools]

chatmaild/src/chatmaild/doveauth.py

@@ -1,4 +1,3 @@
-import crypt
 import json
 import logging
 import os
@@ -11,6 +10,8 @@ from socketserver import (
     UnixStreamServer,
 )
 
+import passlib.hash
+
 from .config import Config, read_config
 from .database import Database
 
@@ -23,8 +24,9 @@ class UnknownCommand(ValueError):
 
 def encrypt_password(password: str):
     # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
-    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
-    return "{SHA512-CRYPT}" + passhash
+    pw = passlib.hash.sha512_crypt.hash(password).split("$")
+
+    return "{SHA512-CRYPT}$" + pw[1] + "$" + pw[3] + "$" + pw[4]
 
 
 def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
@@ -60,7 +62,6 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
             config.username_min_length,
             config.username_max_length,
         )
-        return False
 
     return True
 

chatmaild/src/chatmaild/filtermail.py

@@ -70,9 +70,6 @@ def check_openpgp_payload(payload: bytes):
             # Symmetric-Key Encrypted Session Key Packet (SKESK)
             return False
 
-    if i == 0:
-        return False
-
     if i > len(payload):
         # Payload is truncated.
         return False

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -11,10 +11,8 @@ from chatmaild.doveauth import (
     get_user_data,
     handle_dovecot_protocol,
     handle_dovecot_request,
-    is_allowed_to_create,
     lookup_passdb,
 )
-from chatmaild.newemail import create_newemail_dict
 
 
 def test_basic(db, example_config):
@@ -27,20 +25,6 @@ def test_basic(db, example_config):
     assert data == data2
 
 
-def test_invalid_username_length(example_config):
-    config = example_config
-    config.username_min_length = 6
-    config.username_max_length = 10
-    password = create_newemail_dict(config)["password"]
-    assert not is_allowed_to_create(config, f"a1234@{config.mail_domain}", password)
-    assert is_allowed_to_create(config, f"012345@{config.mail_domain}", password)
-    assert is_allowed_to_create(config, f"0123456@{config.mail_domain}", password)
-    assert is_allowed_to_create(config, f"0123456789@{config.mail_domain}", password)
-    assert not is_allowed_to_create(
-        config, f"0123456789x@{config.mail_domain}", password
-    )
-
-
 def test_dont_overwrite_password_on_wrong_login(db, example_config):
     """Test that logging in with a different password doesn't create a new user"""
     res = lookup_passdb(

chatmaild/src/chatmaild/tests/test_filtermail.py

@@ -167,19 +167,3 @@ UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 """
 
     assert check_armored_payload(payload) == True
-
-    payload = """-----BEGIN PGP MESSAGE-----\r
-\r
-HELLOWORLD
------END PGP MESSAGE-----\r
-\r
-"""
-    assert check_armored_payload(payload) == False
-
-    payload = """-----BEGIN PGP MESSAGE-----\r
-\r
-=njUN
------END PGP MESSAGE-----\r
-\r
-"""
-    assert check_armored_payload(payload) == False

cmdeploy/src/cmdeploy/__init__.py

@@ -361,14 +361,6 @@ def _configure_dovecot(config: Config, debug: bool = False) -> bool:
         config=config,
     )
 
-    files.put(
-            src=importlib.resources.files(__package__).joinpath("dovecot/remove-seen.py"),
-            dest="/usr/local/bin/remove-seen.py",
-            user="root",
-            group="root",
-            mode="755"
-    )
-
     # as per https://doc.dovecot.org/configuration_manual/os/
     # it is recommended to set the following inotify limits
     for name in ("max_user_instances", "max_user_watches"):
@@ -657,5 +649,3 @@ def deploy_chatmail(config_path: Path) -> None:
         name="Ensure cron is installed",
         packages=["cron"],
     )
-
-

cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2

@@ -19,22 +19,6 @@ mail_debug = yes
 #   master: Warning: service(stats): client_limit (1000) reached, client connections are being dropped
 default_client_limit = 20000
 
-# Increase number of logged in IMAP connections.
-# Each connection is handled by a separate `imap` process.
-# `imap` process should have `client_limit=1` as described in
-# <https://doc.dovecot.org/configuration_manual/service_configuration/#service-limits>
-# so each logged in IMAP session will need its own `imap` process.
-#
-# If this limit is reached,
-# users will fail to LOGIN as `imap-login` process
-# will accept them logging in but fail to transfer logged in
-# connection to `imap` process until someone logs out and
-# the following warning will be logged:
-#   Warning: service(imap): process_limit (1024) reached, client connections are being dropped
-service imap {
-  process_limit = 50000
-}
-
 mail_server_admin = mailto:root@{{ config.mail_domain }}
 mail_server_comment = Chatmail server
 

cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2

@@ -9,4 +9,3 @@
 2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 2 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -path '*/.*/tmp/*' -mtime +{{ config.delete_mails_after }} -type f -delete
 3 0 * * * vmail find /home/vmail/mail/{{ config.mail_domain }} -name 'maildirsize' -type f -delete
-4 0 * * * vmail /usr/local/bin/remove-seen.py /home/vmail/mail/{{ config.mail_domain }}

cmdeploy/src/cmdeploy/dovecot/remove-seen.py

@@ -1,41 +0,0 @@
-#!/usr/bin/env python3
-"""Remove seen messages that are older than two days
-if maildir has more than 80 MB of messages."""
-import sys
-import time
-from pathlib import Path
-
-
-def getdirsize(path):
-    return sum(f.stat().st_size for f in path.glob("**/*") if f.is_file())
-
-
-def parse_dovecot_seen(path):
-    return "S" in path.name.split(":2,")[-1]
-
-
-def main():
-    now = time.time()
-
-    mailhome = Path(sys.argv[1])
-
-    for p in mailhome.iterdir():
-        dirsize = getdirsize(p / "cur") + getdirsize(p / "new")
-        if dirsize < 80000000:
-            continue
-
-        removed_bytes = 0
-        for mailpath in (p / "cur").iterdir():
-            seen = parse_dovecot_seen(mailpath)
-            stat = mailpath.stat()
-            size = stat.st_size
-            if seen and now > stat.st_mtime + 2 * 24 * 3600:
-                removed_bytes += size
-                mailpath.unlink(missing_ok=True)
-
-        if removed_bytes > 0:
-            (p / "maildirsize").unlink(missing_ok=True)
-
-
-if __name__ == "__main__":
-    main()

cmdeploy/src/cmdeploy/opendkim/final.lua

@@ -19,7 +19,11 @@ for i = 1, nsigs do
 	-- Any valid signature that was not ignored like this
 	-- means the message is acceptable.
 	if sigres == 0 then
-		return nil
+		-- Do not accept the signature if it does not cover the whole body
+		-- of the message by using `l=` tag.
+		if odkim.sig_canonlength(ctx, sig) < odkim.sig_bodylength(ctx, sig) then
+			return nil
+		end
 	end	
 end
 

scripts/cmdeploy

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/usr/bin/env bash
 #
 # Wrapper for cmdelpoy to run it in activated virtualenv.
 set -e

scripts/dovecot/build-obs.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 
 # Install dependencies
 echo "Installing dependencies for this script:"

scripts/initenv.sh

@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -e
 python3 -m venv --upgrade-deps venv
 

www/src/privacy.md

@@ -77,7 +77,7 @@ we process the following data and details:
 - Users can retrieve or delete all stored messages 
   without intervention from the operators using standard IMAP client tools.
 
-### 2.1 Account setup
+### 3.1 Account setup
 
 Creating an account happens in one of two ways on our mail servers: 
 
@@ -98,7 +98,7 @@ Art. 6 (1) lit. b GDPR,
 as you have a usage contract with us
 by using our services.
 
-### 2.2 Processing of E-Mail-Messages
+## 3.2 Processing of E-Mail-Messages
 
 In addition,
 we will process data
@@ -124,7 +124,7 @@ Therefore, limits are enforced:
 
 - message size limits
 
-- any other limit necessary for the whole server to function in a healthy way
+- any other limit neccessary for the whole server to function in a healthy way
   and to prevent abuse.
 
 The processing and use of the above permissions