Remove smtp_tls_security_level exception for nauta.cu

nauta.cu MX servers don't support STARTTLS and we have maintained this exception to allow delivery to nauta.cu. Since nauta.cu has blocked largest chatmail relay instances, we can remove this exception. Even if it works today for some chatmail servers, they will likely be blocked once the number of users grows. Even now users from nauta.cu cannot practically participate in groups.
Update dovecot-core deb sha256 sums
2026-05-11 08:24:37 +00:00 · 2025-10-31 07:41:47 +00:00 · 2025-10-30 11:23:19 +01:00 · 2025-10-29 13:33:25 +01:00 · 2025-10-28 16:12:07 +01:00 · 2025-10-28 01:44:14 +00:00
10 changed files with 43 additions and 29 deletions
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,5 +1 @@
 blank_issues_enabled: true
-contact_links:
-  - name: Mutual Help Chat Group
-    url: https://i.delta.chat/#6CBFF8FFD505C0FDEA20A66674F2916EA8FBEE99&a=invitebot%40nine.testrun.org&g=Chatmail%20Mutual%20Help&x=7sFF7Ik50pWv6J1z7RVC5527&i=X69wTFfvCfs3d-JzqP0kVA3i&s=ibp-447dU-wUq-52QanwAtWc
-    about: If you have troubles setting up the relay server, feel free to ask here.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,9 +2,15 @@

 ## untagged

+- acmetool: use ECDSA keys instead of RSA
+  ([#689](https://github.com/chatmail/relay/pull/689))
+
 - Require TLS 1.2 for outgoing SMTP connections
  ([#685](https://github.com/chatmail/relay/pull/685))

+- require STARTTLS for incoming port 25 connections
+  ([#684](https://github.com/chatmail/relay/pull/684))
+
 - filtermail: run CPU-intensive handle_DATA in a thread pool executor
  ([#676](https://github.com/chatmail/relay/pull/676))

@@ -24,7 +30,7 @@
  ([#650](https://github.com/chatmail/relay/pull/650))

 - filtermail: accept mails from Protonmail
-  ([#616](https://github.com/chatmail/relay/pull/655))
+  ([#616](https://github.com/chatmail/relay/pull/616))

 - Ignore all RCPT TO: parameters
  ([#651](https://github.com/chatmail/relay/pull/651))
@@ -57,7 +63,7 @@
  to only do a single iteration over sometimes millions of messages
  instead of doing "find" commands that iterate 9 times over the messages. 
  Provide an "fsreport" CLI for more fine grained analysis of message files. 
-  ([#637](https://github.com/chatmail/relay/pull/632))
+  ([#637](https://github.com/chatmail/relay/pull/637))


 ## 1.7.0 2025-09-11
--- a/README.md
+++ b/README.md
@@ -180,6 +180,10 @@ The components of chatmail are:
 - [Iroh relay](https://www.iroh.computer/docs/concepts/relay) 
  which helps client devices to establish Peer-to-Peer connections 

+- [TURN](https://github.com/chatmail/chatmail-turn)
+  to enable relay users to start webRTC calls
+  even if a p2p connection can't be established
+
 - and the chatmaild services, explained in the next section:

 ### chatmaild
@@ -304,6 +308,8 @@ Chatmail address creation will be denied while this file is present.
 [Nginx](https://www.nginx.com/) listens on port 8443 (HTTPS-ALT) and 443 (HTTPS).
 Port 443 multiplexes HTTPS, IMAP and SMTP using ALPN to redirect connections to ports 8443, 465 or 993.
 [acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (HTTP).
+[chatmail-turn](https://github.com/chatmail/chatmail-turn) listens on UDP port 3478 (STUN/TURN),
+and temporarily opens UDP ports when users request them. UDP port range is not restricted, any free port may be allocated.

 chatmail-core based apps will, however, discover all ports and configurations
 automatically by reading the [autoconfig XML file](https://www.ietf.org/archive/id/draft-bucksch-autoconfig-00.html) from the chatmail relay server.
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
@@ -338,9 +338,9 @@ def _install_dovecot_package(package: str, arch: str):

    match (package, arch):
        case ("core", "amd64"):
-            sha256 = "43f593332e22ac7701c62d58b575d2ca409e0f64857a2803be886c22860f5587"
+            sha256 = "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d"
        case ("core", "arm64"):
-            sha256 = "4d21eba1a83f51c100f08f2e49f0c9f8f52f721ebc34f75018e043306da993a7"
+            sha256 = "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9"
        case ("imapd", "amd64"):
            sha256 = "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86"
        case ("imapd", "arm64"):
--- a/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/target.yaml.j2
@@ -1,7 +1,8 @@
 request:
  provider: https://acme-v02.api.letsencrypt.org/directory
  key:
-    type: rsa
+    type: ecdsa
+    ecdsa-curve: nistp256
  challenge:
    webroot-paths:
    - /var/www/html/.well-known/acme-challenge
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -70,6 +70,12 @@ userdb {
 # Mailboxes are stored in the "mail" directory of the vmail user home.
 mail_location = maildir:{{ config.mailboxes_dir }}/%u

+# index/cache files are not very useful for chatmail relay operations 
+# but it's not clear how to disable them completely. 
+# According to https://doc.dovecot.org/2.3/settings/advanced/#core_setting-mail_cache_max_size
+# if the cache file becomes larger than the specified size, it is truncated by dovecot 
+mail_cache_max_size = 500K
+
 namespace inbox {
  inbox = yes

--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -25,7 +25,6 @@ smtp_tls_security_level=verify
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = inline:{nauta.cu=may}
 smtp_tls_protocols = >=TLSv1.2
 smtpd_tls_protocols = >=TLSv1.2

--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -14,6 +14,7 @@ smtp      inet  n       -       y       -       -       smtpd -v
 {%- else %}
 smtp      inet  n       -       y       -       -       smtpd 
 {%- endif %}
+  -o smtpd_tls_security_level=encrypt
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
 submission inet n       -       y       -       5000    smtpd
  -o syslog_name=postfix/submission
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
@@ -1,5 +1,5 @@
 import queue
-import socket
+import smtplib
 import threading

 import pytest
@@ -91,25 +91,23 @@ def test_concurrent_logins_same_account(

 def test_no_vrfy(chatmail_config):
    domain = chatmail_config.mail_domain
-    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    sock.settimeout(10)
-    try:
-        sock.connect((domain, 25))
-    except socket.timeout:
-        pytest.skip(f"port 25 not reachable for {domain}")
-    banner = sock.recv(1024)
-    print(banner)
-    sock.send(b"VRFY wrongaddress@%s\r\n" % (chatmail_config.mail_domain.encode(),))
-    result = sock.recv(1024)
+
+    s = smtplib.SMTP(domain)
+    s.starttls()
+
+    s.putcmd("vrfy", f"wrongaddress@{chatmail_config.mail_domain}")
+    result = s.getreply()
    print(result)
-    sock.send(b"VRFY echo@%s\r\n" % (chatmail_config.mail_domain.encode(),))
-    result2 = sock.recv(1024)
+    s.putcmd("vrfy", f"echo@{chatmail_config.mail_domain}")
+    result2 = s.getreply()
    print(result2)
-    assert result[0:10] == result2[0:10]
-    sock.send(b"VRFY wrongaddress\r\n")
-    result = sock.recv(1024)
+    assert result[0] == result2[0] == 252
+    assert result[1][0:6] == result2[1][0:6] == b"2.0.0 "
+    s.putcmd("vrfy", "wrongaddress")
+    result = s.getreply()
    print(result)
-    sock.send(b"VRFY echo\r\n")
-    result2 = sock.recv(1024)
+    s.putcmd("vrfy", "echo")
+    result2 = s.getreply()
    print(result2)
-    assert result[0:10] == result2[0:10] == b"252 2.0.0 "
+    assert result[0] == result2[0] == 252
+    assert result[1][0:6] == result2[1][0:6] == b"2.0.0 "
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -143,6 +143,7 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
        "encrypted.eml", from_addr=from_addr, to_addr=recipient.addr
    ).as_string()
    conn = smtplib.SMTP(cmsetup.maildomain, 25, timeout=10)
+    conn.starttls()

    with conn as s:
        with pytest.raises(smtplib.SMTPDataError, match="No valid DKIM signature"):
Author	SHA1	Message	Date
link2xt	0d1d7d6e1f	Remove smtp_tls_security_level exception for nauta.cu nauta.cu MX servers don't support STARTTLS and we have maintained this exception to allow delivery to nauta.cu. Since nauta.cu has blocked largest chatmail relay instances, we can remove this exception. Even if it works today for some chatmail servers, they will likely be blocked once the number of users grows. Even now users from nauta.cu cannot practically participate in groups.	2025-10-31 07:41:47 +00:00
Serge Matveenko	dd3cf4d449	Update dovecot-core deb sha256 sums	2025-10-30 11:23:19 +01:00
holger krekel	7361cc9350	fix changelog references	2025-10-29 13:33:25 +01:00
missytake	00f199816d	unpublish mutual help group invite link	2025-10-28 16:12:07 +01:00
link2xt	8d7e1dad0e	Require STARTTLS for incoming port 25 connections We already require that outgoing connections use STARTTLS so other servers need a valid TLS certificate to accept messages from us. It is then very unlikely that they cannot use TLS to send messages to us. Conversely, if they only can send messages to use without TLS, it likely does not have STARTLS on its port 25 and then we don't want to accept messages from them because we will likely not be able to reply.	2025-10-28 01:44:14 +00:00
link2xt	c0da7bb3bf	docs: chatmail-turn listens on 3478 UDP, not TCP port	2025-10-28 01:08:06 +00:00
holger krekel	863ded6480	try to limit index cache max size	2025-10-28 01:42:37 +01:00
missytake	d75321b355	doc: write down some basic infos on chatmail-turn (#693 ) Co-authored-by: l <link2xt@testrun.org>	2025-10-27 09:00:07 +01:00
link2xt	9148b16d81	acmetool: use ECDSA keys instead of RSA	2025-10-25 08:00:31 +00:00