apply cmdeploy fmt linting, no content changes

2026-05-13 17:34:38 +00:00 · 2026-04-28 21:31:38 +02:00
55 changed files with 981 additions and 1172 deletions
--- a/.github/workflows/ci-no-dns.yaml
+++ b/.github/workflows/ci-no-dns.yaml
@@ -1,40 +0,0 @@
 name: No-DNS
 on:
  # Triggers when a PR is merged into main or a direct push occurs
  push:
    branches: [ "main" ]
  # Triggers for any PR (and its subsequent commits) targeting the main branch
  pull_request:
    branches: [ "main" ]
 permissions: {}
 # Newest push wins: Prevents multiple runs from clashing and wasting runner efforts
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  no-dns:
    name: LXC deploy and test
    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@v0.14.6
    with:
      cmlxc_version: v0.14.6
      cmlxc_commands: |
        cmlxc init 
        # single cmdeploy relay test
        cmlxc -v deploy-cmdeploy --source ./repo --type ipv4 cm0
        cmlxc -v test-cmdeploy cm0
        # cross cmdeploy relay test (two ipv4 relays)
        cmlxc -v deploy-cmdeploy --source ./repo --ipv4-only --type ipv4 cm1
        cmlxc -v test-cmdeploy cm0 cm1
        # cross cmdeploy/madmail relay tests
        cmlxc -v deploy-madmail mad0
        cmlxc -v test-cmdeploy cm0 mad0
        cmlxc -v test-mini mad0 cm0
        cmlxc -v test-mini cm0 mad0
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,4 @@
-name: CI
+name: Run unit-tests and container-based deploy+test verification
 on:
  # Triggers when a PR is merged into main or a direct push occurs
@@ -9,8 +9,6 @@ on:
  pull_request:
    branches: [ "main" ]
 permissions: {}
 # Newest push wins: Prevents multiple runs from clashing and wasting runner efforts
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -27,9 +25,8 @@ jobs:
        # Otherwise `test_deployed_state` will be unhappy.
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.6.6/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.6.1/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
@@ -41,7 +38,6 @@ jobs:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - name: initenv 
        run: scripts/initenv.sh
@@ -57,9 +53,8 @@ jobs:
  lxc-test:
    name: LXC deploy and test
-    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@v0.14.6
+    uses: chatmail/cmlxc/.github/workflows/lxc-test.yml@v0.10.0
    with:
      cmlxc_version: v0.14.6
      cmlxc_commands: |
        cmlxc init 
        # single cmdeploy relay test
@@ -76,4 +71,3 @@ jobs:
        cmlxc -v test-cmdeploy cm0 mad0
        cmlxc -v test-mini cm0 mad0
        cmlxc -v test-mini mad0 cm0
--- a/.github/workflows/docker-dispatch.yaml
+++ b/.github/workflows/docker-dispatch.yaml
@@ -1,37 +0,0 @@
 # Notify the docker repo to build and test a new image after relay CI passes.
 #
 # Sends a repository_dispatch event to chatmail/docker with the relay ref
 # and short SHA, which triggers docker-ci.yaml to build, push to GHCR,
 # and run integration tests via cmlxc.
 name: Trigger Docker build
 on:
  push:
    branches: [main]
  workflow_dispatch:
 permissions: {}
 jobs:
  dispatch:
    name: Dispatch build to chatmail/docker
    runs-on: ubuntu-latest
    if: github.repository == 'chatmail/relay'
    steps:
      - name: Compute short SHA
        id: sha
        run: echo "short=$(echo '${{ github.sha }}' | cut -c1-7)" >> "$GITHUB_OUTPUT"
      - name: Send repository_dispatch
        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
        with:
          token: ${{ secrets.CHATMAIL_DOCKER_DISPATCH_TOKEN }}
          repository: chatmail/docker
          event-type: relay-updated
          client-payload: >-
            {
              "relay_ref": "${{ github.ref_name }}",
              "relay_sha": "${{ github.sha }}",
              "relay_sha_short": "${{ steps.sha.outputs.short }}"
            }
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -7,8 +7,6 @@ on:
      - 'scripts/build-docs.sh'
      - '.github/workflows/docs-preview.yaml'
 permissions: {}
 jobs:
  scripts:
    name: build 
@@ -18,8 +16,6 @@ jobs:
      url: https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: initenv 
        run: scripts/initenv.sh
@@ -38,22 +34,18 @@ jobs:
      - name: Get Pullrequest ID
        id: prepare
        run: |
-          export PULLREQUEST_ID=$(echo "${GITHUB_REF}" | cut -d "/" -f3)
+          export PULLREQUEST_ID=$(echo "${{ github.ref }}" | cut -d "/" -f3)
          echo "prid=$PULLREQUEST_ID" >> $GITHUB_OUTPUT
          if [ $(expr length "${{ secrets.USERNAME }}") -gt "1" ]; then echo "uploadtoserver=true" >> $GITHUB_OUTPUT; fi
      - run: |
-          echo "baseurl: /${STEPS_PREPARE_OUTPUTS_PRID}" >> _config.yml
+          echo "baseurl: /${{ steps.prepare.outputs.prid }}" >> _config.yml
        env:
          STEPS_PREPARE_OUTPUTS_PRID: ${{ steps.prepare.outputs.prid }}
      - name: Upload preview
        run: |
          mkdir -p "$HOME/.ssh"
          echo "${{ secrets.CHATMAIL_STAGING_SSHKEY }}" > "$HOME/.ssh/key"
          chmod 600 "$HOME/.ssh/key"
-          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${STEPS_PREPARE_OUTPUTS_PRID}/"
+          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
        env:
          STEPS_PREPARE_OUTPUTS_PRID: ${{ steps.prepare.outputs.prid }}
      - name: check links 
        working-directory: doc
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -10,8 +10,6 @@ on:
      - 'scripts/build-docs.sh'
      - '.github/workflows/docs.yaml'
 permissions: {}
 jobs:
  scripts:
    name: build 
@@ -21,8 +19,6 @@ jobs:
      url: https://chatmail.at/doc/relay/
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: initenv 
        run: scripts/initenv.sh
--- a/.github/workflows/zizmor-scan.yml
+++ b/.github/workflows/zizmor-scan.yml
@@ -1,26 +0,0 @@
 name: GitHub Actions Security Analysis with zizmor
 on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["**"]
 permissions: {}
 jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,7 +0,0 @@
 rules:
  unpinned-uses:
    config:
      policies:
        actions/*: ref-pin
        dependabot/*: ref-pin
        chatmail/*: ref-pin
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,89 +1,5 @@
 # Changelog for chatmail deployment 
 ## 1.10.0 2026-04-30
 * start mtail after networking is fully up <https://github.com/chatmail/relay/pull/942>
 * support specifying custom filtermail binary through environment variable <https://github.com/chatmail/relay/pull/941>
 * add automated zizmor scanning of github workflows <https://github.com/chatmail/relay/pull/938>
 * added dispatch for *automated builds of chatmail relay docker images* <https://github.com/chatmail/relay/pull/934>
 * do not bind SMTP client sockets to public addresses <https://github.com/chatmail/relay/pull/932>
 * underline in docs that scripts/initenv.sh should be used for building the docs <https://github.com/chatmail/relay/pull/933>
 * automatic oldest-first message removal from mailboxes to always stay under max_mailbox_size <https://github.com/chatmail/relay/pull/929>
 * remove --slow from cmdeploy test <https://github.com/chatmail/relay/pull/931>
 * handle missing inotify sysctl keys in containers <https://github.com/chatmail/relay/pull/930>
 * replace resolvconf with static resolv.conf <https://github.com/chatmail/relay/pull/928>
 * disable fsync for LMTP and IMAP services <https://github.com/chatmail/relay/pull/925>
 * re-use cmlxc workflow, replacing CI with hetzner staging servers with local lxc containers <https://github.com/chatmail/relay/pull/917>
 * explicitly install resolvconf <https://github.com/chatmail/relay/pull/924>
 * detect stale dovecot binary and force restart in activate() <https://github.com/chatmail/relay/pull/922>
 * Rename filtermail_http_port to filtermail_http_port_incoming <https://github.com/chatmail/relay/pull/921>
 * consolidated is_in_container() check https://github.com/chatmail/relay/pull/920>
 * restart dovecot after package replacement (rebase, test condense) <https://github.com/chatmail/relay/pull/913>
 * Set permissions on dovecot pin prefs <https://github.com/chatmail/relay/pull/915>
 * Route `/mxdeliv/` to configurable port <https://github.com/chatmail/relay/pull/901>
 * fix VM detection, automated testing fixes, use newer chatmail-turn and move to standard BIND DNS zone format <https://github.com/chatmail/relay/pull/912>
 * Upgrade to filtermail 0.6.1 <https://github.com/chatmail/relay/pull/910>
 * pin dovecot packages to prevent apt upgrades <https://github.com/chatmail/relay/pull/908>
 * add rpc server to cmdeploy along with client <https://github.com/chatmail/relay/pull/906>
 * remove unused deps from chatmaild <https://github.com/chatmail/relay/pull/905>
 * set default smtp_tls_security_level to "verify" unconditionally <https://github.com/chatmail/relay/pull/902>
 * featprefer IPv4 in SMTP client <https://github.com/chatmail/relay/pull/900>
 * Install dovecot .deb packages atomically <https://github.com/chatmail/relay/pull/899>
 * stop installing cron package <https://github.com/chatmail/relay/pull/898>
 * Rewrite dovecot install logic, update <https://github.com/chatmail/relay/pull/862>
 * fix a test and some linting fixes <https://github.com/chatmail/relay/pull/897>
 * Disable IP verification on domain-literal addresses <https://github.com/chatmail/relay/pull/895>
 * disable installing recommended packages globally on the relay <https://github.com/chatmail/relay/pull/887>
 * multiple bug fixes across chatmaild and cmdeploy <https://github.com/chatmail/relay/pull/883>
 * remove /metrics from the website <https://github.com/chatmail/relay/pull/703>
 * add Prometheus textfile output to fsreport <https://github.com/chatmail/relay/pull/881>
 * chown opendkim: private key <https://github.com/chatmail/relay/pull/879>
 * make sure chatmail-metadata was started <https://github.com/chatmail/relay/pull/882>
 * dovecot update url <https://github.com/chatmail/relay/pull/880>
 * upgrade to filtermail v0.5.2 <https://github.com/chatmail/relay/pull/876>
 * download dovecot packages from github release <https://github.com/chatmail/relay/pull/875>
 * replace DKIM verification with filtermail v0.5 <https://github.com/chatmail/relay/pull/831>
 * remove CFFI deltachat bindings usage, and consolidate test support with rpc-bindings <https://github.com/chatmail/relay/pull/872>
 * prepare chatmaild/cmdeploy changes for Docker support <https://github.com/chatmail/relay/pull/857>
 * stabilize online benchmark timing adding rate-limit-aware cooldown between iterations <https://github.com/chatmail/relay/pull/867>
 * move rate-limit cooldown to benchmark fixture <https://github.com/chatmail/relay/pull/868>
 * reconfigure acmetool from redirector to proxy mode <https://github.com/chatmail/relay/pull/861>
 * make tests work with `--ssh-host localhost` <https://github.com/chatmail/relay/pull/856>
 * mark f-string with f prefix in test_expunged <https://github.com/chatmail/relay/pull/863>
 * install also if dovecot.service=False in SystemdEnabled Fact <https://github.com/chatmail/relay/pull/841>
 * Introduce support for self-signed chatmail relays <https://github.com/chatmail/relay/pull/855>
 * Strip Received headers before delivery <https://github.com/chatmail/relay/pull/849>
 * upgrade to filtermail v0.3 <https://github.com/chatmail/relay/pull/850>
 * fix link to Maddy and update madmail URL <https://github.com/chatmail/relay/pull/847>
 * accept self-signed certificates for IP-only relays <https://github.com/chatmail/relay/pull/846>
 * enforce sending from public IP addresses <https://github.com/chatmail/relay/pull/845>
 * port check: check addresses, fix single services <https://github.com/chatmail/relay/pull/844>
 * remediates issue with improper concat on resolver injection <https://github.com/chatmail/relay/pull/834>
 * ipv6 boolean not being respected during operations <https://github.com/chatmail/relay/pull/832>
 * upgrade to filtermail v0.2 by <https://github.com/chatmail/relay/pull/825>
 * fix link to filtermail <https://github.com/chatmail/relay/pull/824>
 * print timestamps when sending messages <https://github.com/chatmail/relay/pull/823>
 * fix flaky test_exceed_rate_limit <https://github.com/chatmail/relay/pull/822>
 * Replace filtermail with rust reimplementation <https://github.com/chatmail/relay/pull/808>
 * Set default internal SMTP ports in Config <https://github.com/chatmail/relay/pull/819>
 * separate metrics for incoming and outgoing messages <https://github.com/chatmail/relay/pull/820>
 * disable appending the Received header <https://github.com/chatmail/relay/pull/815>
 * fail on errors in postfix/dovecot config <https://github.com/chatmail/relay/pull/813>
 * tweak idle/hibernate metrics some more <https://github.com/chatmail/relay/pull/811>
 * add config flag to export statistics <https://github.com/chatmail/relay/pull/806>
 * add --website-only option to run subcommand <https://github.com/chatmail/relay/pull/768>
 * Strip DKIM-Signature header before LMTP <https://github.com/chatmail/relay/pull/803>
 * properly make sure that postfix gets restarted on failure <https://github.com/chatmail/relay/pull/802>
 * expire.py: use absolute path to maildirsize <https://github.com/chatmail/relay/pull/807>
 * pin Dovecot documentation URLs to version 2.3 <https://github.com/chatmail/relay/pull/800>
 * try to use "build machine" and "deployment server"  consistently  <https://github.com/chatmail/relay/pull/797>
 * adds instructions for migrating control machines <https://github.com/chatmail/relay/pull/795>
 * use consistent naming schema in getting started <https://github.com/chatmail/relay/pull/793>
 * remove jsok/serialize-workflow-action dependency <https://github.com/chatmail/relay/pull/790>
 * streamline migration guide wording, provide titled steps  <https://github.com/chatmail/relay/pull/789>
 * increases default max mailbox size <https://github.com/chatmail/relay/pull/792>
 * use daemon_name for OpenDKIM sign-verify decision instead of IP <https://github.com/chatmail/relay/pull/784>
 ## 1.9.0 2025-12-18
 ### Documentation
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -10,7 +10,6 @@ dependencies = [
  "filelock",
  "requests",
  "crypt-r >= 3.13.1 ; python_version >= '3.11'",
  "domain-validator",
 ]
 [tool.setuptools]
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,8 +1,6 @@
 import ipaddress
 from pathlib import Path
 import iniconfig
 from domain_validator import DomainValidator
 from chatmaild.user import User
@@ -10,39 +8,30 @@ from chatmaild.user import User
 def read_config(inipath):
    assert Path(inipath).exists(), inipath
    cfg = iniconfig.IniConfig(inipath)
-    return Config(inipath, params=cfg.sections["params"])
+    params = cfg.sections["params"]
    default_config_content = get_default_config_content(params["mail_domain"])
    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
    new_params = dict(df_params.items())
    new_params.update(params)
    return Config(inipath, params=new_params)
 class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
-        raw_domain = params["mail_domain"]
+        self.mail_domain = params["mail_domain"]
        self.mail_domain_bare = raw_domain
        if is_valid_ipv4(raw_domain):
            self.ipv4_relay = raw_domain
            self.mail_domain = f"[{raw_domain}]"
            self.postfix_myhostname = ipaddress.IPv4Address(raw_domain).reverse_pointer
        else:
            DomainValidator().validate_domain_re(raw_domain)
            self.ipv4_relay = None
            self.mail_domain = raw_domain
            self.postfix_myhostname = raw_domain
        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params.get("max_mailbox_size", "500M")
+        self.max_mailbox_size = params["max_mailbox_size"]
-        self.max_message_size = int(params.get("max_message_size", 31457280))
+        self.max_message_size = int(params.get("max_message_size", "31457280"))
-        self.delete_mails_after = params.get("delete_mails_after", "20")
+        self.delete_mails_after = params["delete_mails_after"]
-        self.delete_large_after = params.get("delete_large_after", "7")
+        self.delete_large_after = params["delete_large_after"]
-        self.delete_inactive_users_after = int(
+        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
-            params.get("delete_inactive_users_after", 90)
+        self.username_min_length = int(params["username_min_length"])
-        )
+        self.username_max_length = int(params["username_max_length"])
-        self.username_min_length = int(params.get("username_min_length", 9))
+        self.password_min_length = int(params["password_min_length"])
-        self.username_max_length = int(params.get("username_max_length", 9))
+        self.passthrough_senders = params["passthrough_senders"].split()
-        self.password_min_length = int(params.get("password_min_length", 9))
+        self.passthrough_recipients = params["passthrough_recipients"].split()
        self.passthrough_senders = params.get("passthrough_senders", "").split()
        self.passthrough_recipients = params.get("passthrough_recipients", "").split()
        self.www_folder = params.get("www_folder", "")
        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
        self.filtermail_smtp_port_incoming = int(
@@ -51,9 +40,6 @@ class Config:
        self.filtermail_http_port_incoming = int(
            params.get("filtermail_http_port_incoming", "10082")
        )
        self.filtermail_lmtp_port_transport = int(
            params.get("filtermail_lmtp_port_transport", "10083")
        )
        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
        self.postfix_reinject_port_incoming = int(
            params.get("postfix_reinject_port_incoming", "10026")
@@ -64,7 +50,7 @@ class Config:
        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
        if "iroh_relay" not in params:
-            self.iroh_relay = "https://" + raw_domain
+            self.iroh_relay = "https://" + params["mail_domain"]
            self.enable_iroh_relay = True
        else:
            self.iroh_relay = params["iroh_relay"].strip()
@@ -90,17 +76,17 @@ class Config:
                )
            self.tls_cert_mode = "external"
            self.tls_cert_path, self.tls_key_path = parts
-        elif raw_domain.startswith("_") or self.ipv4_relay:
+        elif self.mail_domain.startswith("_"):
            self.tls_cert_mode = "self"
            self.tls_cert_path = "/etc/ssl/certs/mailserver.pem"
            self.tls_key_path = "/etc/ssl/private/mailserver.key"
        else:
            self.tls_cert_mode = "acme"
-            self.tls_cert_path = f"/var/lib/acme/live/{raw_domain}/fullchain"
+            self.tls_cert_path = f"/var/lib/acme/live/{self.mail_domain}/fullchain"
-            self.tls_key_path = f"/var/lib/acme/live/{raw_domain}/privkey"
+            self.tls_key_path = f"/var/lib/acme/live/{self.mail_domain}/privkey"
        # deprecated option
-        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
+        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{self.mail_domain}")
        self.mailboxes_dir = Path(mbdir.strip())
        # old unused option (except for first migration from sqlite to maildir store)
@@ -161,13 +147,28 @@ def get_default_config_content(mail_domain, **overrides):
    for name, value in extra.items():
        new_line = f"{name} = {value}"
        new_lines.append(new_line)
    return "\n".join(new_lines)
    content = "\n".join(new_lines)
-def is_valid_ipv4(address: str) -> bool:
+    # apply testrun privacy overrides
-    """Check if a mail_domain is an IPv4 address."""
+
-    try:
+    if mail_domain.endswith(".testrun.org"):
-        ipaddress.IPv4Address(address)
+        override_inipath = inidir.joinpath("override-testrun.ini")
-        return True
+        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
-    except ValueError:
+        lines = []
-        return False
+        for line in content.split("\n"):
            for key, value in privacy.items():
                value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
                if not line.startswith(f"{key} =") or not value_lines:
                    continue
                if len(value_lines) == 1:
                    lines.append(f"{key} = {value}")
                else:
                    lines.append(f"{key} =")
                    for vl in value_lines:
                        lines.append(f"    {vl}")
                break
            else:
                lines.append(line)
        content = "\n".join(lines)
    return content
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -12,42 +12,42 @@ mail_domain = {mail_domain}
 #
 # email sending rate per user and minute
-#max_user_send_per_minute = 60
+max_user_send_per_minute = 60
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
-#max_user_send_burst_size = 10
+max_user_send_burst_size = 10
 # maximum mailbox size of a chatmail address
-# (Oldest messages will be removed automatically, so mailboxes never run full)
+# Oldest messages will be removed automatically, so mailboxes never run full.
-#max_mailbox_size = 500M
+max_mailbox_size = 500M
 # maximum message size for an e-mail in bytes
-#max_message_size = 31457280
+max_message_size = 31457280
 # days after which mails are unconditionally deleted
-#delete_mails_after = 20
+delete_mails_after = 20
 # days after which large messages (>200k) are unconditionally deleted
-#delete_large_after = 7
+delete_large_after = 7
 # days after which users without a successful login are deleted (database and mails)
-#delete_inactive_users_after = 90
+delete_inactive_users_after = 90
 # minimum length a username must have
-#username_min_length = 9
+username_min_length = 9
 # maximum length a username can have
-#username_max_length = 9
+username_max_length = 9
 # minimum length a password must have
-#password_min_length = 9
+password_min_length = 9
 # list of chatmail addresses which can send outbound un-encrypted mail
-#passthrough_senders =
+passthrough_senders =
 # list of e-mail recipients for which to accept outbound un-encrypted mails
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
-#passthrough_recipients =
+passthrough_recipients =
 # Use externally managed TLS certificates instead of built-in acmetool.
 # Paths refer to files on the deployment server (not the build machine).
@@ -63,11 +63,19 @@ mail_domain = {mail_domain}
 # Deployment Details
 #
 # SMTP outgoing filtermail and reinjection 
 filtermail_smtp_port = 10080
 postfix_reinject_port = 10025
 # SMTP incoming filtermail and reinjection 
 filtermail_smtp_port_incoming = 10081
 postfix_reinject_port_incoming = 10026
 # if set to "True" IPv6 is disabled
-#disable_ipv6 = False
+disable_ipv6 = False
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
-#acme_email =
+acme_email = 
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
@@ -100,13 +108,13 @@ mail_domain = {mail_domain}
 # in per-maildir ".in/.out" files. 
 # Note that you need to manually cleanup these files
 # so use this option with caution on production servers. 
-#imap_rawlog = false
+imap_rawlog = false 
 # set to true if you want to enable the IMAP COMPRESS Extension,
 # which allows IMAP connections to be efficiently compressed.
 # WARNING: Enabling this makes it impossible to hibernate IMAP
 # processes which will result in much higher memory/RAM usage.
-#imap_compress = false
+imap_compress = false
 #
--- a/chatmaild/src/chatmaild/ini/override-testrun.ini
+++ b/chatmaild/src/chatmaild/ini/override-testrun.ini
@@ -0,0 +1,16 @@
 [privacy]
 passthrough_recipients = privacy@testrun.org echo@{mail_domain}
 privacy_postal =
    Merlinux GmbH, Represented by the managing director H. Krekel,
    Reichgrafen Str. 20, 79102 Freiburg, Germany
 privacy_mail = privacy@testrun.org
 privacy_pdo =
    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
 privacy_supervisor =
    State Commissioner for Data Protection and Freedom of Information of
    Baden-Württemberg in 70173 Stuttgart, Germany.
--- a/chatmaild/src/chatmaild/metadata.py
+++ b/chatmaild/src/chatmaild/metadata.py
@@ -70,9 +70,6 @@ class Metadata:
                # Some tokens have expired, remove them.
                with self._modify_tokens(addr) as _tokens:
                    pass
        elif isinstance(tokens, list):
            with self._modify_tokens(addr) as tokens:
                token_list = list(tokens.keys())
        else:
            token_list = []
        return token_list
@@ -88,27 +85,29 @@ class MetadataDictProxy(DictProxy):
    def handle_lookup(self, parts):
        # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
-        match parts[0].split("/", 2):
+        keyparts = parts[0].split("/", 2)
-            case ["priv", _, keyname] if keyname == self.metadata.DEVICETOKEN_KEY:
+        if keyparts[0] == "priv":
-                addr = parts[1]
+            keyname = keyparts[2]
            addr = parts[1]
            if keyname == self.metadata.DEVICETOKEN_KEY:
                res = " ".join(self.metadata.get_tokens_for_addr(addr))
                return f"O{res}\n"
-            case ["shared", _, keyname]:
+        elif keyparts[0] == "shared":
-                prefix = "vendor/vendor.dovecot/pvt/server/vendor/deltachat/"
+            keyname = keyparts[2]
-                if keyname.startswith(prefix):
+            if (
-                    match keyname[len(prefix) :]:
+                keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay"
-                        case "irohrelay" if self.iroh_relay:
+                and self.iroh_relay
-                            return f"O{self.iroh_relay}\n"
+            ):
-                        case "turn":
+                # Handle `GETMETADATA "" /shared/vendor/deltachat/irohrelay`
-                            try:
+                return f"O{self.iroh_relay}\n"
-                                res = turn_credentials()
+            elif keyname == "vendor/vendor.dovecot/pvt/server/vendor/deltachat/turn":
-                            except Exception:
+                try:
-                                logging.exception("failed to get TURN credentials")
+                    res = turn_credentials()
-                                return "N\n"
+                except Exception:
-                            return f"O{self.turn_hostname}:3478:{res}\n"
+                    logging.exception("failed to get TURN credentials")
-                        case "maxsmtprecipients":
+                    return "N\n"
-                            # postfix default  (see "postconf smtpd_recipient_limit")
+                port = 3478
-                            return "O1000\n"
+                return f"O{self.turn_hostname}:{port}:{res}\n"
        logging.warning(f"lookup ignored: {parts!r}")
        return "N\n"
@@ -118,13 +117,12 @@ class MetadataDictProxy(DictProxy):
        # https://github.com/dovecot/core/blob/main/src/lib-storage/mailbox-attribute.h
        keyname = parts[1].split("/")
        value = parts[2] if len(parts) > 2 else ""
-        match keyname:
+        if keyname[0] == "priv" and keyname[2] == self.metadata.DEVICETOKEN_KEY:
-            case ["priv", _, key] if key == self.metadata.DEVICETOKEN_KEY:
+            self.metadata.add_token_to_addr(addr, value)
-                self.metadata.add_token_to_addr(addr, value)
+            return True
-                return True
+        elif keyname[0] == "priv" and keyname[2] == "messagenew":
-            case ["priv", _, "messagenew"]:
+            self.notifier.new_message_for_addr(addr, self.metadata)
-                self.notifier.new_message_for_addr(addr, self.metadata)
+            return True
                return True
        return False
--- a/chatmaild/src/chatmaild/newemail.py
+++ b/chatmaild/src/chatmaild/newemail.py
@@ -2,6 +2,7 @@
 """CGI script for creating new accounts."""
 import ipaddress
 import json
 import secrets
 import string
@@ -14,6 +15,16 @@ ALPHANUMERIC = string.ascii_lowercase + string.digits
 ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
 def wrap_ip(host):
    if host.startswith("[") and host.endswith("]"):
        return host
    try:
        ipaddress.ip_address(host)
        return f"[{host}]"
    except ValueError:
        return host
 def create_newemail_dict(config: Config):
    user = "".join(
        secrets.choice(ALPHANUMERIC) for _ in range(config.username_max_length)
@@ -22,22 +33,16 @@ def create_newemail_dict(config: Config):
        secrets.choice(ALPHANUMERIC_PUNCT)
        for _ in range(config.password_min_length + 3)
    )
-    return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
+    return dict(email=f"{user}@{wrap_ip(config.mail_domain)}", password=f"{password}")
-def create_dclogin_url(config, email, password):
+def create_dclogin_url(email, password):
    """Build a dclogin: URL with credentials and self-signed cert acceptance.
    Uses ic=3 (AcceptInvalidCertificates) so chatmail clients
    can connect to servers with self-signed TLS certificates.
    """
-    if config.ipv4_relay:
+    return f"dclogin:{quote(email, safe='@')}?p={quote(password, safe='')}&v=1&ic=3"
        imap_host = "&ih=" + config.ipv4_relay
        smtp_host = "&sh=" + config.ipv4_relay
    else:
        imap_host = ""
        smtp_host = ""
    return f"dclogin:{quote(email, safe='@[]')}?p={quote(password, safe='')}&v=1{imap_host}{smtp_host}&ic=3"
 def print_new_account():
@@ -46,9 +51,7 @@ def print_new_account():
    result = dict(email=creds["email"], password=creds["password"])
    if config.tls_cert_mode == "self":
-        result["dclogin_url"] = create_dclogin_url(
+        result["dclogin_url"] = create_dclogin_url(creds["email"], creds["password"])
            config, creds["email"], creds["password"]
        )
    print("Content-Type: application/json")
    print("")
--- a/chatmaild/src/chatmaild/tests/plugin.py
+++ b/chatmaild/src/chatmaild/tests/plugin.py
@@ -31,11 +31,6 @@ def example_config(make_config):
    return make_config("chat.example.org")
@pytest.fixture
 def ipv4_config(make_config):
    return make_config("1.3.3.7")
@pytest.fixture
 def maildomain(example_config):
    return example_config.mail_domain
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -1,10 +1,6 @@
 import pytest
-from chatmaild.config import (
+from chatmaild.config import parse_size_mb, read_config
    is_valid_ipv4,
    parse_size_mb,
    read_config,
 )
 def test_read_config_basic(example_config):
@@ -13,21 +9,10 @@ def test_read_config_basic(example_config):
    assert not example_config.privacy_pdo and not example_config.privacy_postal
    inipath = example_config._inipath
-    inipath.write_text(
+    inipath.write_text(inipath.read_text().replace("60", "37"))
        inipath.read_text().replace(
            "#max_user_send_per_minute = 60",
            "max_user_send_per_minute = 37",
        )
    )
    example_config = read_config(inipath)
    assert example_config.max_user_send_per_minute == 37
    assert example_config.mail_domain == "chat.example.org"
    assert example_config.ipv4_relay is None
 def test_read_config_ipv4(ipv4_config):
    assert ipv4_config.ipv4_relay == "1.3.3.7"
    assert ipv4_config.mail_domain == "[1.3.3.7]"
 def test_read_config_basic_using_defaults(tmp_path, maildomain):
@@ -36,17 +21,26 @@ def test_read_config_basic_using_defaults(tmp_path, maildomain):
    example_config = read_config(inipath)
    assert example_config.max_user_send_per_minute == 60
    assert example_config.filtermail_smtp_port_incoming == 10081
-    assert example_config.filtermail_smtp_port == 10080
+
-    assert example_config.postfix_reinject_port == 10025
+
-    assert example_config.max_user_send_per_minute == 60
+def test_read_config_testrun(make_config):
-    assert example_config.max_mailbox_size == "500M"
+    config = make_config("something.testrun.org")
-    assert example_config.delete_mails_after == "20"
+    assert config.mail_domain == "something.testrun.org"
-    assert example_config.delete_large_after == "7"
+    assert len(config.privacy_postal.split("\n")) > 1
-    assert example_config.username_min_length == 9
+    assert len(config.privacy_supervisor.split("\n")) > 1
-    assert example_config.username_max_length == 9
+    assert len(config.privacy_pdo.split("\n")) > 1
-    assert example_config.password_min_length == 9
+    assert config.privacy_mail == "privacy@testrun.org"
-    assert example_config.passthrough_recipients == []
+    assert config.filtermail_smtp_port == 10080
-    assert example_config.passthrough_senders == []
+    assert config.postfix_reinject_port == 10025
    assert config.max_user_send_per_minute == 60
    assert config.max_mailbox_size == "500M"
    assert config.delete_mails_after == "20"
    assert config.delete_large_after == "7"
    assert config.username_min_length == 9
    assert config.username_max_length == 9
    assert config.password_min_length == 9
    assert "privacy@testrun.org" in config.passthrough_recipients
    assert config.passthrough_senders == []
 def test_config_userstate_paths(make_config, tmp_path):
@@ -141,17 +135,3 @@ def test_max_mailbox_size_mb(make_config):
    config = make_config("chat.example.org")
    assert config.max_mailbox_size == "500M"
    assert config.max_mailbox_size_mb == 500
@pytest.mark.parametrize(
    ["input", "result"],
    [
        ("example.org", False),
        ("1.3.3.7", True),
        ("fe::1", False),
        ("ad.1e.dag.adf", False),
        ("12394142", False),
    ],
 )
 def test_is_valid_ipv4(input, result):
    assert result == is_valid_ipv4(input)
--- a/chatmaild/src/chatmaild/tests/test_metadata.py
+++ b/chatmaild/src/chatmaild/tests/test_metadata.py
@@ -360,39 +360,15 @@ def test_turn_credentials_success(notifier, metadata, monkeypatch):
 def test_iroh_relay(dictproxy):
-    key = b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org"
+    rfile = io.BytesIO(
-    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
+        b"\n".join(
            [
                b"H",
                b"Lshared/0123/vendor/vendor.dovecot/pvt/server/vendor/deltachat/irohrelay\tuser@example.org",
            ]
        )
    )
    wfile = io.BytesIO()
    dictproxy.iroh_relay = "https://example.org/"
    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == b"Ohttps://example.org/\n"
 def test_legacy_token_migration(metadata, testaddr):
    with metadata.get_metadata_dict(testaddr).modify() as data:
        data[metadata.DEVICETOKEN_KEY] = ["oldtoken1", "oldtoken2"]
    assert metadata.get_tokens_for_addr(testaddr) == ["oldtoken1", "oldtoken2"]
    mdict = metadata.get_metadata_dict(testaddr).read()
    tokens = mdict[metadata.DEVICETOKEN_KEY]
    assert isinstance(tokens, dict)
    assert "oldtoken1" in tokens and "oldtoken2" in tokens
@pytest.mark.parametrize(
    "suffix, expected",
    [
        (b"vendor/deltachat/maxsmtprecipients", b"O1000\n"),
        (b"wrong/prefix/key", b"N\n"),
        (b"vendor/deltachat/unknown", b"N\n"),
    ],
    ids=["maxsmtprecipients", "prefix_mismatch", "unknown_name"],
 )
 def test_shared_lookup(dictproxy, suffix, expected):
    key = (
        b"Lshared/0123/vendor/vendor.dovecot/pvt/server/"
        + suffix
        + b"\tuser@example.org"
    )
    rfile, wfile = io.BytesIO(b"H\n" + key), io.BytesIO()
    dictproxy.loop_forever(rfile, wfile)
    assert wfile.getvalue() == expected
--- a/chatmaild/src/chatmaild/tests/test_migrate_db.py
+++ b/chatmaild/src/chatmaild/tests/test_migrate_db.py
@@ -48,8 +48,6 @@ def test_migration(tmp_path, example_config, caplog):
    assert passdb_path.stat().st_size > 10000
    example_config.passdb_path = passdb_path
    # ensure logging.info records are captured regardless of global configuration
    caplog.set_level("INFO")
    assert not caplog.records
--- a/chatmaild/src/chatmaild/tests/test_newmail.py
+++ b/chatmaild/src/chatmaild/tests/test_newmail.py
@@ -19,35 +19,24 @@ def test_create_newemail_dict(example_config):
    assert ac1["password"] != ac2["password"]
-def test_create_newemail_dict_ip(ipv4_config):
+def test_create_newemail_dict_ip(make_config):
-    ac = create_newemail_dict(ipv4_config)
+    config = make_config("1.2.3.4")
-    assert ac["email"].endswith("@[1.3.3.7]")
+    ac = create_newemail_dict(config)
    assert ac["email"].endswith("@[1.2.3.4]")
-def test_create_dclogin_url(example_config):
+def test_create_dclogin_url():
-    addr = "user@example.org"
+    url = create_dclogin_url("user@example.org", "p@ss w+rd")
    password = "p@ss w+rd"
    url = create_dclogin_url(example_config, addr, password)
    assert url.startswith("dclogin:")
    assert "v=1" in url
    assert "ic=3" in url
-    assert addr in url
+    assert "user@example.org" in url
    # password special chars must be encoded
    assert "p%40ss" in url
    assert "w%2Brd" in url
 def test_create_dclogin_url_ipv4(ipv4_config):
    addr = "user@[1.3.3.7]"
    password = "p@ss w+rd"
    url = create_dclogin_url(ipv4_config, addr, password)
    assert url.startswith("dclogin:")
    assert "v=1" in url
    assert "ic=3" in url
    assert addr in url
 def test_print_new_account(capsys, monkeypatch, maildomain, tmpdir, example_config):
    monkeypatch.setattr(chatmaild.newemail, "CONFIG_PATH", str(example_config._inipath))
    print_new_account()
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -1,4 +1,6 @@
-from pyinfra.operations import apt, server
+import importlib.resources
 from pyinfra.operations import apt, files, server, systemd
 from ..basedeploy import Deployer
@@ -7,6 +9,9 @@ class AcmetoolDeployer(Deployer):
    def __init__(self, email, domains):
        self.domains = domains
        self.email = email
        self.need_restart_redirector = False
        self.need_restart_reconcile_service = False
        self.need_restart_reconcile_timer = False
    def install(self):
        apt.packages(
@@ -14,41 +19,121 @@ class AcmetoolDeployer(Deployer):
            packages=["acmetool"],
        )
-        self.remove_file("/etc/cron.d/acmetool")
+        files.file(
            name="Remove old acmetool cronjob, it is replaced with systemd timer.",
            path="/etc/cron.d/acmetool",
            present=False,
        )
-        self.put_executable("acmetool/acmetool.hook", "/etc/acme/hooks/nginx")
+        files.put(
-        self.remove_file("/usr/lib/acme/hooks/nginx")
+            name="Install acmetool hook.",
            src=importlib.resources.files(__package__)
            .joinpath("acmetool.hook")
            .open("rb"),
            dest="/etc/acme/hooks/nginx",
            user="root",
            group="root",
            mode="755",
        )
        files.file(
            name="Remove acmetool hook from the wrong location where it was previously installed.",
            path="/usr/lib/acme/hooks/nginx",
            present=False,
        )
    def configure(self):
-        self.put_template(
+        files.template(
-            "acmetool/response-file.yaml.j2",
+            src=importlib.resources.files(__package__).joinpath(
-            "/var/lib/acme/conf/responses",
+                "response-file.yaml.j2"
            ),
            dest="/var/lib/acme/conf/responses",
            user="root",
            group="root",
            mode="644",
            email=self.email,
        )
-        self.put_template(
+        files.template(
-            "acmetool/target.yaml.j2",
+            src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
-            "/var/lib/acme/conf/target",
+            dest="/var/lib/acme/conf/target",
            user="root",
            group="root",
            mode="644",
        )
        server.shell(
            name=f"Remove old acmetool desired files for {self.domains[0]}",
            commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
        )
-        self.put_template(
+        files.template(
-            "acmetool/desired.yaml.j2",
+            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            f"/var/lib/acme/desired/{self.domains[0]}",
+            dest=f"/var/lib/acme/desired/{self.domains[0]}",  # 0 is mailhost TLD
            user="root",
            group="root",
            mode="644",
            domains=self.domains,
        )
-        self.ensure_systemd_unit("acmetool/acmetool-redirector.service")
+        service_file = files.put(
-        self.ensure_systemd_unit("acmetool/acmetool-reconcile.service")
+            src=importlib.resources.files(__package__).joinpath(
-        self.ensure_systemd_unit("acmetool/acmetool-reconcile.timer")
+                "acmetool-redirector.service"
            ),
            dest="/etc/systemd/system/acmetool-redirector.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_redirector = service_file.changed
        reconcile_service_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-reconcile.service"
            ),
            dest="/etc/systemd/system/acmetool-reconcile.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_reconcile_service = reconcile_service_file.changed
        reconcile_timer_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-reconcile.timer"
            ),
            dest="/etc/systemd/system/acmetool-reconcile.timer",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart_reconcile_timer = reconcile_timer_file.changed
    def activate(self):
-        self.ensure_service("acmetool-redirector.service")
+        systemd.service(
-        self.ensure_service("acmetool-reconcile.service", running=False, enabled=False)
+            name="Setup acmetool-redirector service",
-        self.ensure_service("acmetool-reconcile.timer")
+            service="acmetool-redirector.service",
            running=True,
            enabled=True,
            restarted=self.need_restart_redirector,
        )
        self.need_restart_redirector = False
        systemd.service(
            name="Setup acmetool-reconcile service",
            service="acmetool-reconcile.service",
            running=False,
            enabled=False,
            daemon_reload=self.need_restart_reconcile_service,
        )
        self.need_restart_reconcile_service = False
        systemd.service(
            name="Setup acmetool-reconcile timer",
            service="acmetool-reconcile.timer",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart_reconcile_timer,
        )
        self.need_restart_reconcile_timer = False
        server.shell(
            name=f"Reconcile certificates for: {', '.join(self.domains)}",
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -4,7 +4,6 @@ import os
 from contextlib import contextmanager
 from pyinfra import host
 from pyinfra.facts.files import Sha256File
 from pyinfra.facts.server import Command
 from pyinfra.operations import files, server, systemd
@@ -51,10 +50,11 @@ def get_resource(arg, pkg=__package__):
    return importlib.resources.files(pkg).joinpath(arg)
-def configure_remote_units(deployer, mail_domain, units) -> None:
+def configure_remote_units(mail_domain, units) -> None:
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_venv_dir = f"{remote_base_dir}/venv"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
    # install systemd units
    for fn in units:
@@ -70,13 +70,15 @@ def configure_remote_units(deployer, mail_domain, units) -> None:
        source_path = get_resource(f"service/{basename}.f")
        content = source_path.read_text().format(**params).encode()
-        deployer.put_file(
+        files.put(
            name=f"Upload {basename}",
            src=io.BytesIO(content),
            dest=f"/etc/systemd/system/{basename}",
            **root_owned,
        )
-def activate_remote_units(deployer, units) -> None:
+def activate_remote_units(units) -> None:
    # activate systemd units
    for fn in units:
        basename = fn if "." in fn else f"{fn}.service"
@@ -86,8 +88,14 @@ def activate_remote_units(deployer, units) -> None:
            enabled = False
        else:
            enabled = True
-
+        systemd.service(
-        deployer.ensure_service(basename, running=enabled, enabled=enabled)
+            name=f"Setup {basename}",
            service=basename,
            running=enabled,
            enabled=enabled,
            restarted=enabled,
            daemon_reload=True,
        )
 class Deployment:
@@ -133,7 +141,6 @@ class Deployment:
 class Deployer:
    need_restart = False
    daemon_reload = False
    def install(self):
        pass
@@ -143,113 +150,3 @@ class Deployer:
    def activate(self):
        pass
    def ensure_service(self, service, running=True, enabled=True):
        if running:
            verb = "Start and enable"
        else:
            verb = "Stop"
        systemd.service(
            name=f"{verb} {service}",
            service=service,
            running=running,
            enabled=enabled,
            restarted=self.need_restart if running else False,
            daemon_reload=self.daemon_reload,
        )
        self.daemon_reload = False
    def ensure_systemd_unit(self, src, **kwargs):
        dest_name = src.split("/")[-1].replace(".j2", "")
        dest = f"/etc/systemd/system/{dest_name}"
        if src.endswith(".j2"):
            return self.put_template(src, dest, **kwargs)
        return self.put_file(src, dest)
    def put_file(self, src, dest, mode="644"):
        if isinstance(src, str):
            src = get_resource(src)
        res = files.put(
            name=f"Upload {dest}",
            src=src,
            dest=dest,
            user="root",
            group="root",
            mode=mode,
        )
        return self._update_restart_signals(dest, res)
    def put_executable(self, src, dest):
        return self.put_file(src, dest, mode="755")
    def put_template(self, src, dest, owner="root", **kwargs):
        if isinstance(src, str):
            src = get_resource(src)
        res = files.template(
            name=f"Upload {dest}",
            src=src,
            dest=dest,
            user=owner,
            group=owner,
            mode="644",
            **kwargs,
        )
        return self._update_restart_signals(dest, res)
    def remove_file(self, dest):
        res = files.file(name=f"Remove {dest}", path=dest, present=False)
        return self._update_restart_signals(dest, res)
    def ensure_line(self, path, line, **kwargs):
        name = kwargs.pop("name", f"Ensure line in {path}")
        res = files.line(name=name, path=path, line=line, **kwargs)
        return self._update_restart_signals(path, res)
    def ensure_directory(self, path, owner="root", mode="755", **kwargs):
        name = kwargs.pop("name", f"Ensure directory {path}")
        res = files.directory(
            name=name,
            path=path,
            user=owner,
            group=owner,
            mode=mode,
            present=True,
            **kwargs,
        )
        return self._update_restart_signals(path, res)
    def remove_directory(self, path, **kwargs):
        name = kwargs.pop("name", f"Remove directory {path}")
        res = files.directory(name=name, path=path, present=False, **kwargs)
        return self._update_restart_signals(path, res)
    def download_executable(self, url, dest, sha256sum, extract=None):
        existing = host.get_fact(Sha256File, dest)
        if existing == sha256sum:
            return
        tmp = f"{dest}.new"
        if extract:
            dl_cmd = f"curl -fSL {url} | {extract} >{tmp}"
        else:
            dl_cmd = f"curl -fSL {url} -o {tmp}"
        server.shell(
            name=f"Download {dest}",
            commands=[
                f"({dl_cmd}"
                f" && echo '{sha256sum}  {tmp}' | sha256sum -c"
                f" && mv {tmp} {dest})",
                f"chmod 755 {dest}",
            ],
        )
        self.need_restart = True
    def _update_restart_signals(self, path, res):
        if res.changed:
            self.need_restart = True
            if str(path).startswith("/etc/systemd/system/"):
                self.daemon_reload = True
        return res
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -87,15 +87,15 @@ def run_cmd_options(parser):
 def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain_bare
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host)
    require_iroh = args.config.enable_iroh_relay
    strict_tls = args.config.tls_cert_mode == "acme"
    if args.config.ipv4_relay:
        args.dns_check_disabled = True
    if not args.dns_check_disabled:
        remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
-        if not dns.check_initial_remote_data(remote_data, strict_tls=strict_tls, print=out.red):
+        if not dns.check_initial_remote_data(
            remote_data, strict_tls=strict_tls, print=out.red
        ):
            return 1
    env = os.environ.copy()
@@ -118,11 +118,13 @@ def run_cmd(args, out):
        out.check_call(cmd, env=env)
        if args.website_only:
            out.green("Website deployment completed.")
-        elif not args.dns_check_disabled and strict_tls and not remote_data["acme_account_url"]:
+        elif (
            not args.dns_check_disabled
            and strict_tls
            and not remote_data["acme_account_url"]
        ):
            out.red("Deploy completed but letsencrypt not configured")
            out.red("Run 'cmdeploy run' again")
        elif args.config.ipv4_relay:
            out.green("Deploy completed.")
        else:
            out.green("Deploy completed, call `cmdeploy dns` next.")
        return 0
@@ -144,10 +146,6 @@ def dns_cmd_options(parser):
 def dns_cmd(args, out):
    """Check DNS entries and optionally generate dns zone file."""
    if args.config.ipv4_relay:
        ipv4 = args.config.ipv4_relay
        print(f"[WARNING] {ipv4} is not a domain, skipping DNS checks.")
        return 0
    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    tls_cert_mode = args.config.tls_cert_mode
@@ -185,7 +183,7 @@ def status_cmd_options(parser):
 def status_cmd(args, out):
    """Display status for online chatmail instance."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain_bare
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    out.green(f"chatmail domain: {args.config.mail_domain}")
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -12,6 +12,7 @@ from chatmaild.config import read_config
 from pyinfra import facts, host, logger
 from pyinfra.api import FactBase
 from pyinfra.facts import hardware
 from pyinfra.facts.files import Sha256File
 from pyinfra.facts.systemd import SystemdEnabled
 from pyinfra.operations import apt, files, pip, server, systemd
@@ -24,6 +25,7 @@ from .basedeploy import (
    activate_remote_units,
    blocked_service_startup,
    configure_remote_units,
    get_resource,
    has_systemd,
    is_in_container,
 )
@@ -80,22 +82,25 @@ def remove_legacy_artifacts():
        )
-def _install_remote_venv_with_chatmaild(deployer) -> None:
+def _install_remote_venv_with_chatmaild() -> None:
    remove_legacy_artifacts()
    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
    remote_venv_dir = f"{remote_base_dir}/venv"
    root_owned = dict(user="root", group="root", mode="644")
    apt.packages(
        name="apt install python3-virtualenv",
        packages=["python3-virtualenv"],
    )
-    deployer.ensure_directory(f"{remote_base_dir}/dist")
+    files.put(
-    deployer.put_file(
+        name="Upload chatmaild source package",
        src=dist_file.open("rb"),
        dest=remote_dist_file,
        create_remote_dir=True,
        **root_owned,
    )
    pip.virtualenv(
@@ -117,22 +122,32 @@ def _install_remote_venv_with_chatmaild(deployer) -> None:
    )
-def _configure_remote_venv_with_chatmaild(deployer, config) -> None:
+def _configure_remote_venv_with_chatmaild(config) -> None:
    remote_base_dir = "/usr/local/lib/chatmaild"
    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
    root_owned = dict(user="root", group="root", mode="644")
-    deployer.put_file(
+    files.put(
        name=f"Upload {remote_chatmail_inipath}",
        src=config._getbytefile(),
        dest=remote_chatmail_inipath,
        **root_owned,
    )
-    deployer.remove_file("/etc/cron.d/chatmail-metrics")
+    files.file(
-    deployer.remove_file("/var/www/html/metrics")
+        path="/etc/cron.d/chatmail-metrics",
        present=False,
    )
    files.file(
        path="/var/www/html/metrics",
        present=False,
    )
 class UnboundDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.need_restart = False
    def install(self):
        # On an IPv4-only system, if unbound is started but not configured,
@@ -161,9 +176,13 @@ class UnboundDeployer(Deployer):
        )
        # Configure unbound resolver with Quad9 fallback and a trailing newline
        # (SolusVM bug).
-        self.put_file(
+        files.put(
            name="Write static resolv.conf",
            src=BytesIO(b"nameserver 127.0.0.1\nnameserver 9.9.9.9\n"),
            dest="/etc/resolv.conf",
            user="root",
            group="root",
            mode="644",
        )
        server.shell(
            name="Generate root keys for validating DNSSEC",
@@ -172,15 +191,26 @@ class UnboundDeployer(Deployer):
            ],
        )
        if self.config.disable_ipv6:
-            self.ensure_directory(
+            files.directory(
                path="/etc/unbound/unbound.conf.d",
                present=True,
                user="root",
                group="root",
                mode="755",
            )
-            self.put_template(
+            conf = files.put(
-                "unbound/unbound.conf.j2",
+                src=get_resource("unbound/unbound.conf.j2"),
-                "/etc/unbound/unbound.conf.d/chatmail.conf",
+                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
                user="root",
                group="root",
                mode="644",
            )
        else:
-            self.remove_file("/etc/unbound/unbound.conf.d/chatmail.conf")
+            conf = files.file(
                path="/etc/unbound/unbound.conf.d/chatmail.conf",
                present=False,
            )
        self.need_restart |= conf.changed
    def activate(self):
        server.shell(
@@ -190,25 +220,27 @@ class UnboundDeployer(Deployer):
            ],
        )
-        self.ensure_service("unbound.service")
+        systemd.service(
-
+            name="Start and enable unbound",
-        self.ensure_service(
+            service="unbound.service",
-            "unbound-resolvconf.service",
+            running=True,
-            running=False,
+            enabled=True,
-            enabled=False,
+            restarted=self.need_restart,
        )
 class MtastsDeployer(Deployer):
    def configure(self):
        # Remove configuration.
-        self.remove_file("/etc/mta-sts-daemon.yml")
+        files.file("/etc/mta-sts-daemon.yml", present=False)
-        self.remove_directory("/usr/local/lib/postfix-mta-sts-resolver")
+        files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
-        self.remove_file("/etc/systemd/system/mta-sts-daemon.service")
+        files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
    def activate(self):
-        self.ensure_service(
+        systemd.service(
-            "mta-sts-daemon.service",
+            name="Stop MTA-STS daemon",
            service="mta-sts-daemon.service",
            daemon_reload=True,
            running=False,
            enabled=False,
        )
@@ -219,7 +251,14 @@ class WebsiteDeployer(Deployer):
        self.config = config
    def install(self):
-        self.ensure_directory("/var/www")
+        files.directory(
            name="Ensure /var/www exists",
            path="/var/www",
            user="root",
            group="root",
            mode="755",
            present=True,
        )
    def configure(self):
        www_path, src_dir, build_dir = get_paths(self.config)
@@ -249,11 +288,15 @@ class LegacyRemoveDeployer(Deployer):
        # remove historic expunge script
        # which is now implemented through a systemd timer (chatmail-expire)
-        self.remove_file("/etc/cron.d/expunge")
+        files.file(
            path="/etc/cron.d/expunge",
            present=False,
        )
        # Remove OBS repository key that is no longer used.
-        self.remove_file("/etc/apt/keyrings/obs-home-deltachat.gpg")
+        files.file("/etc/apt/keyrings/obs-home-deltachat.gpg", present=False)
-        self.ensure_line(
+        files.line(
            name="Remove DeltaChat OBS home repository from sources.list",
            path="/etc/apt/sources.list",
            line="deb [signed-by=/etc/apt/keyrings/obs-home-deltachat.gpg] https://download.opensuse.org/repositories/home:/deltachat/Debian_12/ ./",
            escape_regex_characters=True,
@@ -261,7 +304,11 @@ class LegacyRemoveDeployer(Deployer):
        )
        # prior relay versions used filelogging
-        self.remove_directory("/var/log/journal/")
+        files.directory(
            name="Ensure old logs on disk are deleted",
            path="/var/log/journal/",
            present=False,
        )
        # remove echobot if it is still running
        if has_systemd() and host.get_fact(SystemdEnabled).get("echobot.service"):
            systemd.service(
@@ -303,13 +350,22 @@ class TurnDeployer(Deployer):
                "0fb3e792419494e21ecad536464929dba706bb2c88884ed8f1788141d26fc756",
            ),
        }[host.get_fact(facts.server.Arch)]
-        self.download_executable(url, "/usr/local/bin/chatmail-turn", sha256sum)
+
        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/chatmail-turn")
        if existing_sha256sum != sha256sum:
            server.shell(
                name="Download chatmail-turn",
                commands=[
                    f"(curl -L {url} >/usr/local/bin/chatmail-turn.new && (echo '{sha256sum} /usr/local/bin/chatmail-turn.new' | sha256sum -c) && mv /usr/local/bin/chatmail-turn.new /usr/local/bin/chatmail-turn)",
                    "chmod 755 /usr/local/bin/chatmail-turn",
                ],
            )
    def configure(self):
-        configure_remote_units(self, self.mail_domain, self.units)
+        configure_remote_units(self.mail_domain, self.units)
    def activate(self):
-        activate_remote_units(self, self.units)
+        activate_remote_units(self.units)
 class IrohDeployer(Deployer):
@@ -327,30 +383,72 @@ class IrohDeployer(Deployer):
                "f8ef27631fac213b3ef668d02acd5b3e215292746a3fc71d90c63115446008b1",
            ),
        }[host.get_fact(facts.server.Arch)]
-        self.download_executable(
+
-            url,
+        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/iroh-relay")
-            "/usr/local/bin/iroh-relay",
+        if existing_sha256sum != sha256sum:
-            sha256sum,
+            server.shell(
-            extract="gunzip | tar -xf - ./iroh-relay -O",
+                name="Download iroh-relay",
-        )
+                commands=[
                    f"(curl -L {url} | gunzip | tar -x -f - ./iroh-relay -O >/usr/local/bin/iroh-relay.new && (echo '{sha256sum} /usr/local/bin/iroh-relay.new' | sha256sum -c) && mv /usr/local/bin/iroh-relay.new /usr/local/bin/iroh-relay)",
                    "chmod 755 /usr/local/bin/iroh-relay",
                ],
            )
            self.need_restart = True
    def configure(self):
-        self.ensure_systemd_unit("iroh-relay.service")
+        systemd_unit = files.put(
-        self.put_file("iroh-relay.toml", "/etc/iroh-relay.toml")
+            name="Upload iroh-relay systemd unit",
            src=get_resource("iroh-relay.service"),
            dest="/etc/systemd/system/iroh-relay.service",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart |= systemd_unit.changed
        iroh_config = files.put(
            name="Upload iroh-relay config",
            src=get_resource("iroh-relay.toml"),
            dest="/etc/iroh-relay.toml",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart |= iroh_config.changed
    def activate(self):
-        self.ensure_service(
+        systemd.service(
-            "iroh-relay.service",
+            name="Start and enable iroh-relay",
            service="iroh-relay.service",
            running=True,
            enabled=self.enable_iroh_relay,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class JournaldDeployer(Deployer):
    def configure(self):
-        self.put_file("journald.conf", "/etc/systemd/journald.conf")
+        journald_conf = files.put(
            name="Configure journald",
            src=get_resource("journald.conf"),
            dest="/etc/systemd/journald.conf",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = journald_conf.changed
    def activate(self):
-        self.ensure_service("systemd-journald.service")
+        systemd.service(
            name="Start and enable journald",
            service="systemd-journald.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
 class ChatmailVenvDeployer(Deployer):
@@ -366,14 +464,14 @@ class ChatmailVenvDeployer(Deployer):
        )
    def install(self):
-        _install_remote_venv_with_chatmaild(self)
+        _install_remote_venv_with_chatmaild()
    def configure(self):
-        _configure_remote_venv_with_chatmaild(self, self.config)
+        _configure_remote_venv_with_chatmaild(self.config)
-        configure_remote_units(self, self.config.mail_domain_bare, self.units)
+        configure_remote_units(self.config.mail_domain, self.units)
    def activate(self):
-        activate_remote_units(self, self.units)
+        activate_remote_units(self.units)
 class ChatmailDeployer(Deployer):
@@ -387,9 +485,13 @@ class ChatmailDeployer(Deployer):
        self.mail_domain = config.mail_domain
    def install(self):
-        self.put_file(
+        files.put(
            name="Disable installing recommended packages globally",
            src=BytesIO(b'APT::Install-Recommends "false";\n'),
            dest="/etc/apt/apt.conf.d/00InstallRecommends",
            user="root",
            group="root",
            mode="644",
        )
        apt.update(name="apt update", cache_time=24 * 3600)
        apt.upgrade(name="upgrade apt packages", auto_remove=True)
@@ -406,10 +508,13 @@ class ChatmailDeployer(Deployer):
    def configure(self):
        # metadata crashes if the mailboxes dir does not exist
-        self.ensure_directory(
+        files.directory(
-            str(self.config.mailboxes_dir),
+            name="Ensure vmail mailbox directory exists",
-            owner="vmail",
+            path=str(self.config.mailboxes_dir),
            user="vmail",
            group="vmail",
            mode="700",
            present=True,
        )
        # This file is used by auth proxy.
@@ -430,7 +535,12 @@ class FcgiwrapDeployer(Deployer):
        )
    def activate(self):
-        self.ensure_service("fcgiwrap.service")
+        systemd.service(
            name="Start and enable fcgiwrap",
            service="fcgiwrap.service",
            running=True,
            enabled=True,
        )
 class GithashDeployer(Deployer):
@@ -443,7 +553,12 @@ class GithashDeployer(Deployer):
            git_diff = subprocess.check_output(["git", "diff"]).decode()
        except Exception:
            git_diff = ""
-        self.put_file(src=StringIO(git_hash + git_diff), dest="/etc/chatmail-version")
+        files.put(
            name="Upload chatmail relay git commit hash",
            src=StringIO(git_hash + git_diff),
            dest="/etc/chatmail-version",
            mode="700",
        )
 def get_tls_deployer(config, mail_domain):
@@ -469,7 +584,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
    """
    config = read_config(config_path)
    check_config(config)
-    bare_host = config.mail_domain_bare
+    mail_domain = config.mail_domain
    if website_only:
        Deployment().perform_stages([WebsiteDeployer(config)])
@@ -526,7 +641,7 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
                    )
                    exit(1)
-    tls_deployer = get_tls_deployer(config, bare_host)
+    tls_deployer = get_tls_deployer(config, mail_domain)
    all_deployers = [
        ChatmailDeployer(config),
@@ -534,13 +649,13 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        FiltermailDeployer(),
        JournaldDeployer(),
        UnboundDeployer(config),
-        TurnDeployer(bare_host),
+        TurnDeployer(mail_domain),
        IrohDeployer(config.enable_iroh_relay),
        tls_deployer,
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
-        *([] if config.ipv4_relay else [OpendkimDeployer(bare_host)]),
+        OpendkimDeployer(mail_domain),
        # Dovecot should be started before Postfix
        # because it creates authentication socket
        # required by Postfix.
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -5,13 +5,14 @@ from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.deb import DebPackages
 from pyinfra.facts.server import Arch, Command, Sysctl
-from pyinfra.operations import apt, files, server
+from pyinfra.operations import apt, files, server, systemd
 from cmdeploy.basedeploy import (
    Deployer,
    activate_remote_units,
    blocked_service_startup,
    configure_remote_units,
    get_resource,
    is_in_container,
 )
@@ -19,12 +20,30 @@ DOVECOT_ARCHIVE_VERSION = "2.3.21+dfsg1-3"
 DOVECOT_PACKAGE_VERSION = f"1:{DOVECOT_ARCHIVE_VERSION}"
 DOVECOT_SHA256 = {
-    ("core", "amd64"): "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d",
+    (
-    ("core", "arm64"): "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9",
+        "core",
-    ("imapd", "amd64"): "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86",
+        "amd64",
-    ("imapd", "arm64"): "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f",
+    ): "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d",
-    ("lmtpd", "amd64"): "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab",
+    (
-    ("lmtpd", "arm64"): "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f",
+        "core",
        "arm64",
    ): "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9",
    (
        "imapd",
        "amd64",
    ): "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86",
    (
        "imapd",
        "arm64",
    ): "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f",
    (
        "lmtpd",
        "amd64",
    ): "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab",
    (
        "lmtpd",
        "arm64",
    ): "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f",
 }
@@ -58,39 +77,47 @@ class DovecotDeployer(Deployer):
                    ],
                )
                self.need_restart = True
-        self.put_file(
+        files.put(
-            src=io.StringIO(
+            name="Pin dovecot packages to block Debian dist-upgrades",
-                "Package: dovecot-*\n"
+            src=io.StringIO("Package: dovecot-*\nPin: version *\nPin-Priority: -1\n"),
                "Pin: version *\n"
                "Pin-Priority: -1\n"
            ),
            dest="/etc/apt/preferences.d/pin-dovecot",
            user="root",
            group="root",
            mode="644",
        )
    def configure(self):
-        configure_remote_units(self, self.config.mail_domain_bare, self.units)
+        configure_remote_units(self.config.mail_domain, self.units)
-        _configure_dovecot(self, self.config)
+        config_restart, self.daemon_reload = _configure_dovecot(self.config)
        self.need_restart |= config_restart
    def activate(self):
-        activate_remote_units(self, self.units)
+        activate_remote_units(self.units)
        # Detect stale binary: package installed but service still runs old (deleted) binary.
        if not self.disable_mail and not self.need_restart:
            stale = host.get_fact(
                Command,
-                'pid=$(systemctl show -p MainPID --value dovecot.service 2>/dev/null);'
+                "pid=$(systemctl show -p MainPID --value dovecot.service 2>/dev/null);"
                ' [ "${pid:-0}" != "0" ] && readlink "/proc/$pid/exe" 2>/dev/null | grep -q "(deleted)"'
                " && echo STALE || true",
            )
            if stale == "STALE":
                self.need_restart = True
-        active = not self.disable_mail
+        restart = False if self.disable_mail else self.need_restart
-        self.ensure_service(
+
-            "dovecot.service",
+        systemd.service(
-            running=active,
+            name="Disable dovecot for now"
-            enabled=active,
+            if self.disable_mail
            else "Start and enable Dovecot",
            service="dovecot.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
 def _pick_url(primary, fallback):
@@ -134,19 +161,39 @@ def _download_dovecot_package(package: str, arch: str) -> tuple[str | None, bool
    return deb_filename, True
-def _configure_dovecot(deployer, config: Config, debug: bool = False):
+
 def _configure_dovecot(config: Config, debug: bool = False) -> tuple[bool, bool]:
    """Configures Dovecot IMAP server."""
-    deployer.put_template(
+    need_restart = False
-        "dovecot/dovecot.conf.j2",
+    daemon_reload = False
-        "/etc/dovecot/dovecot.conf",
+
    main_config = files.template(
        src=get_resource("dovecot/dovecot.conf.j2"),
        dest="/etc/dovecot/dovecot.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        debug=debug,
        disable_ipv6=config.disable_ipv6,
    )
-    deployer.put_file("dovecot/auth.conf", "/etc/dovecot/auth.conf")
+    need_restart |= main_config.changed
-    deployer.put_file(
+    auth_config = files.put(
-        "dovecot/push_notification.lua", "/etc/dovecot/push_notification.lua"
+        src=get_resource("dovecot/auth.conf"),
        dest="/etc/dovecot/auth.conf",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= auth_config.changed
    lua_push_notification_script = files.put(
        src=get_resource("dovecot/push_notification.lua"),
        dest="/etc/dovecot/push_notification.lua",
        user="root",
        group="root",
        mode="644",
    )
    need_restart |= lua_push_notification_script.changed
    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
    # it is recommended to set the following inotify limits
@@ -170,20 +217,25 @@ def _configure_dovecot(deployer, config: Config, debug: bool = False):
            persist=True,
        )
-    deployer.ensure_line(
+    timezone_env = files.line(
        name="Set TZ environment variable",
        path="/etc/environment",
        line="TZ=:/etc/localtime",
    )
    need_restart |= timezone_env.changed
-    deployer.put_file(
+    restart_conf = files.put(
-        "service/10_restart_on_failure.conf",
+        name="dovecot: restart automatically on failure",
-        "/etc/systemd/system/dovecot.service.d/10_restart.conf",
+        src=get_resource("service/10_restart.conf"),
        dest="/etc/systemd/system/dovecot.service.d/10_restart.conf",
    )
    daemon_reload |= restart_conf.changed
    # Validate dovecot configuration before restart
-    if deployer.need_restart:
+    if need_restart:
        server.shell(
            name="Validate dovecot configuration",
            commands=["doveconf -n >/dev/null"],
        )
    return need_restart, daemon_reload
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -7,7 +7,6 @@ listen = 0.0.0.0
 protocols = imap lmtp
 auth_mechanisms = plain
 auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@[]
 {% if debug == true %}
 auth_verbose = yes
--- a/cmdeploy/src/cmdeploy/external/deployer.py
+++ b/cmdeploy/src/cmdeploy/external/deployer.py
@@ -1,7 +1,10 @@
 import io
 from pyinfra import host
 from pyinfra.facts.files import File
 from pyinfra.operations import files, systemd
-from ..basedeploy import Deployer
+from cmdeploy.basedeploy import Deployer, get_resource
 class ExternalTlsDeployer(Deployer):
@@ -20,22 +23,45 @@ class ExternalTlsDeployer(Deployer):
    def configure(self):
        # Verify cert and key exist on the remote host using pyinfra facts.
        for path in (self.cert_path, self.key_path):
-            if host.get_fact(File, path=path) is None:
+            info = host.get_fact(File, path=path)
            if info is None:
                raise Exception(f"External TLS file not found on server: {path}")
-        self.ensure_systemd_unit(
+        # Deploy the .path unit (templated with the cert path).
-            "external/tls-cert-reload.path.j2",
+        # pkg=__package__ is required here because the resource files
-            cert_path=self.cert_path,
+        # live in cmdeploy.external, not the default cmdeploy package.
-        )
+        source = get_resource("tls-cert-reload.path.f", pkg=__package__)
-        self.ensure_systemd_unit(
+        content = source.read_text().format(cert_path=self.cert_path).encode()
-            "external/tls-cert-reload.service",
+
        path_unit = files.put(
            name="Upload tls-cert-reload.path",
            src=io.BytesIO(content),
            dest="/etc/systemd/system/tls-cert-reload.path",
            user="root",
            group="root",
            mode="644",
        )
        service_unit = files.put(
            name="Upload tls-cert-reload.service",
            src=get_resource("tls-cert-reload.service", pkg=__package__),
            dest="/etc/systemd/system/tls-cert-reload.service",
            user="root",
            group="root",
            mode="644",
        )
        if path_unit.changed or service_unit.changed:
            self.need_restart = True
    def activate(self):
-        # No explicit reload needed here: dovecot/nginx read the cert
+        systemd.service(
-        # on startup, and the .path watcher handles live changes.
+            name="Enable tls-cert-reload path watcher",
-        self.ensure_service(
+            service="tls-cert-reload.path",
            "tls-cert-reload.path",
            running=True,
            enabled=True,
            restarted=self.need_restart,
            daemon_reload=self.need_restart,
        )
        # No explicit reload needed here: dovecot/nginx read the cert
        # on startup, and the .path watcher handles live changes.
--- a/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.j2
+++ b/cmdeploy/src/cmdeploy/external/tls-cert-reload.path.j2
@@ -9,7 +9,7 @@
 Description=Watch TLS certificate for changes
 [Path]
-PathChanged={{ cert_path }}
+PathChanged={cert_path}
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -1,40 +1,52 @@
 import os
 from pyinfra import facts, host
 from pyinfra.operations import files, systemd
-from cmdeploy.basedeploy import Deployer
+from cmdeploy.basedeploy import Deployer, get_resource
 class FiltermailDeployer(Deployer):
-    services = ["filtermail", "filtermail-incoming", "filtermail-transport"]
+    services = ["filtermail", "filtermail-incoming"]
    bin_path = "/usr/local/bin/filtermail"
    config_path = "/usr/local/lib/chatmaild/chatmail.ini"
-    def install(self):
+    def __init__(self):
-        local_bin = os.environ.get("CHATMAIL_FILTERMAIL_BINARY")
+        self.need_restart = False
        if local_bin:
            self.put_executable(
                src=local_bin,
                dest=self.bin_path,
            )
            return
    def install(self):
        arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.6.6/filtermail-{arch}"
+        url = f"https://github.com/chatmail/filtermail/releases/download/v0.6.1/filtermail-{arch}"
        sha256sum = {
-            "x86_64": "05c7e7ac244606c2eeb275f2d282ffdbc2403e0169f1cdd3110ffcebdb994a92",
+            "x86_64": "48b3fb80c092d00b9b0a0ef77a8673496da3b9aed5ec1851e1df936d5589d62f",
-            "aarch64": "8cf8bbda4d907beca547b365cc7e6753532a74b1712492d0d2f3d2d8a553fb3d",
+            "aarch64": "c65bd5f45df187d3d65d6965a285583a3be0f44a6916ff12909ff9a8d702c22e",
        }[arch]
-        self.download_executable(url, self.bin_path, sha256sum)
+        self.need_restart |= files.download(
            name="Download filtermail",
            src=url,
            sha256sum=sha256sum,
            dest=self.bin_path,
            mode="755",
        ).changed
    def configure(self):
        for service in self.services:
-            self.ensure_systemd_unit(
+            self.need_restart |= files.template(
-                f"filtermail/{service}.service.j2",
+                src=get_resource(f"filtermail/{service}.service.j2"),
                dest=f"/etc/systemd/system/{service}.service",
                user="root",
                group="root",
                mode="644",
                bin_path=self.bin_path,
                config_path=self.config_path,
-            )
+            ).changed
    def activate(self):
        for service in self.services:
-            self.ensure_service(f"{service}.service")
+            systemd.service(
                name=f"Start and enable {service}",
                service=f"{service}.service",
                running=True,
                enabled=True,
                restarted=self.need_restart,
                daemon_reload=True,
            )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail-transport.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail-transport.service.j2
@@ -1,11 +0,0 @@
 [Unit]
 Description=Chatmail transport service
 [Service]
 ExecStart={{ bin_path }} {{ config_path }} transport
 Restart=always
 RestartSec=30
 User=vmail
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/mtail/deployer.py
+++ b/cmdeploy/src/cmdeploy/mtail/deployer.py
@@ -1,7 +1,10 @@
 from pyinfra import facts, host
-from pyinfra.operations import apt
+from pyinfra.operations import apt, files, server, systemd
-from cmdeploy.basedeploy import Deployer
+from cmdeploy.basedeploy import (
    Deployer,
    get_resource,
 )
 class MtailDeployer(Deployer):
@@ -15,30 +18,51 @@ class MtailDeployer(Deployer):
        (url, sha256sum) = {
            "x86_64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
-                "d55cb601049c5e61eabab29998dbbcea95d480e5448544f9470337ba2eea882e",
+                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
            ),
            "aarch64": (
                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
-                "f748db8ad2a1e0b63684d4c8868cf6a373a20f7e6922e5ece601fff0ee00eb1a",
+                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
            ),
        }[host.get_fact(facts.server.Arch)]
-        self.download_executable(
+
-            url,
+        server.shell(
-            "/usr/local/bin/mtail",
+            name="Download mtail",
-            sha256sum,
+            commands=[
-            extract="gunzip | tar -xf - mtail -O",
+                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
                "chmod 755 /usr/local/bin/mtail",
            ],
        )
    def configure(self):
        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
        # This allows to read from journalctl instead of log files.
-        self.ensure_systemd_unit(
+        files.template(
-            "mtail/mtail.service.j2",
+            src=get_resource("mtail/mtail.service.j2"),
            dest="/etc/systemd/system/mtail.service",
            user="root",
            group="root",
            mode="644",
            address=self.mtail_address or "127.0.0.1",
            port=3903,
        )
-        self.put_file("mtail/delivered_mail.mtail", "/etc/mtail/delivered_mail.mtail")
+
        mtail_conf = files.put(
            name="Mtail configuration",
            src=get_resource("mtail/delivered_mail.mtail"),
            dest="/etc/mtail/delivered_mail.mtail",
            user="root",
            group="root",
            mode="644",
        )
        self.need_restart = mtail_conf.changed
    def activate(self):
-        active = bool(self.mtail_address)
+        systemd.service(
-        self.ensure_service("mtail.service", running=active, enabled=active)
+            name="Start and enable mtail",
            service="mtail.service",
            running=bool(self.mtail_address),
            enabled=bool(self.mtail_address),
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
+++ b/cmdeploy/src/cmdeploy/mtail/mtail.service.j2
@@ -1,13 +1,10 @@
 [Unit]
 Description=mtail
 After=network-online.target
 Wants=network-online.target
 [Service]
 Type=simple
 ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/local/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs -"
 Restart=on-failure
 RestartSec=2s
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/nginx/deployer.py
+++ b/cmdeploy/src/cmdeploy/nginx/deployer.py
@@ -1,5 +1,5 @@
 from chatmaild.config import Config
-from pyinfra.operations import apt
+from pyinfra.operations import apt, files, systemd
 from cmdeploy.basedeploy import (
    Deployer,
@@ -31,50 +31,87 @@ class NginxDeployer(Deployer):
        # For documentation about policy-rc.d, see:
        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
        #
-        self.put_executable(src="policy-rc.d", dest="/usr/sbin/policy-rc.d")
+        files.put(
            src=get_resource("policy-rc.d"),
            dest="/usr/sbin/policy-rc.d",
            user="root",
            group="root",
            mode="755",
        )
        apt.packages(
            name="Install nginx",
            packages=["nginx", "libnginx-mod-stream"],
        )
-        self.remove_file("/usr/sbin/policy-rc.d")
+        files.file("/usr/sbin/policy-rc.d", present=False)
    def configure(self):
-        _configure_nginx(self, self.config)
+        self.need_restart = _configure_nginx(self.config)
    def activate(self):
-        self.ensure_service("nginx.service")
+        systemd.service(
            name="Start and enable nginx",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
        self.need_restart = False
-def _configure_nginx(deployer, config: Config, debug: bool = False):
+def _configure_nginx(config: Config, debug: bool = False) -> bool:
    """Configures nginx HTTP server."""
    need_restart = False
-    deployer.put_template(
+    main_config = files.template(
-        "nginx/nginx.conf.j2",
+        src=get_resource("nginx/nginx.conf.j2"),
-        "/etc/nginx/nginx.conf",
+        dest="/etc/nginx/nginx.conf",
        user="root",
        group="root",
        mode="644",
        config=config,
        disable_ipv6=config.disable_ipv6,
    )
    need_restart |= main_config.changed
-    deployer.put_template(
+    autoconfig = files.template(
-        "nginx/autoconfig.xml.j2",
+        src=get_resource("nginx/autoconfig.xml.j2"),
-        "/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
+        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= autoconfig.changed
-    deployer.put_template(
+    mta_sts_config = files.template(
-        "nginx/mta-sts.txt.j2",
+        src=get_resource("nginx/mta-sts.txt.j2"),
-        "/var/www/html/.well-known/mta-sts.txt",
+        dest="/var/www/html/.well-known/mta-sts.txt",
        user="root",
        group="root",
        mode="644",
        config=config,
    )
    need_restart |= mta_sts_config.changed
    # install CGI newemail script
    #
    cgi_dir = "/usr/lib/cgi-bin"
-    deployer.ensure_directory(cgi_dir)
+    files.directory(
        name=f"Ensure {cgi_dir} exists",
        path=cgi_dir,
        user="root",
        group="root",
    )
-    deployer.put_executable(
+    files.put(
        name="Upload cgi newemail.py script",
        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
        dest=f"{cgi_dir}/newemail.py",
        user="root",
        group="root",
        mode="755",
    )
    return need_restart
--- a/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
+++ b/cmdeploy/src/cmdeploy/nginx/nginx.conf.j2
@@ -42,9 +42,6 @@ stream {
 }
 http {
 	# access_log setting is inherited by all server sections
 	access_log syslog:server=unix:/dev/log,facility=local7;
 {% if config.tls_cert_mode == "self" %}
 	limit_req_zone $binary_remote_addr zone=newaccount:10m rate=2r/s;
 {% endif %}
@@ -72,9 +69,11 @@ http {
 		index index.html index.htm;
-		server_name {{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
+		server_name {{ config.mail_domain }} www.{{ config.mail_domain }} mta-sts.{{ config.mail_domain }};
-		location /mxdeliv {
+		access_log syslog:server=unix:/dev/log,facility=local7;
 		location /mxdeliv/ {
 		    proxy_pass http://127.0.0.1:{{ config.filtermail_http_port_incoming }};
 		}
@@ -144,6 +143,7 @@ http {
 		listen 127.0.0.1:8443 ssl;
 		server_name www.{{ config.mail_domain }};
 		return 301 $scheme://{{ config.mail_domain }}$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;
 	}
 	server {
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -4,9 +4,9 @@ Installs OpenDKIM
 from pyinfra import host
 from pyinfra.facts.files import File
-from pyinfra.operations import apt, files, server
+from pyinfra.operations import apt, files, server, systemd
-from cmdeploy.basedeploy import Deployer
+from cmdeploy.basedeploy import Deployer, get_resource
 class OpendkimDeployer(Deployer):
@@ -25,39 +25,65 @@ class OpendkimDeployer(Deployer):
        domain = self.mail_domain
        dkim_selector = "opendkim"
        """Configures OpenDKIM"""
        need_restart = False
-        self.put_template(
+        main_config = files.template(
-            "opendkim/opendkim.conf",
+            src=get_resource("opendkim/opendkim.conf"),
-            "/etc/opendkim.conf",
+            dest="/etc/opendkim.conf",
            user="root",
            group="root",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= main_config.changed
-        self.remove_file("/etc/opendkim/screen.lua")
+        screen_script = files.file(
-        self.remove_file("/etc/opendkim/final.lua")
+            path="/etc/opendkim/screen.lua",
            present=False,
        )
        need_restart |= screen_script.changed
-        self.ensure_directory(
+        final_script = files.file(
-            "/etc/opendkim",
+            path="/etc/opendkim/final.lua",
-            owner="opendkim",
+            present=False,
        )
        need_restart |= final_script.changed
        files.directory(
            name="Add opendkim directory to /etc",
            path="/etc/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
-        self.put_template(
+        keytable = files.template(
-            "opendkim/KeyTable",
+            src=get_resource("opendkim/KeyTable"),
-            "/etc/dkimkeys/KeyTable",
+            dest="/etc/dkimkeys/KeyTable",
-            owner="opendkim",
+            user="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
        need_restart |= keytable.changed
-        self.put_template(
+        signing_table = files.template(
-            "opendkim/SigningTable",
+            src=get_resource("opendkim/SigningTable"),
-            "/etc/dkimkeys/SigningTable",
+            dest="/etc/dkimkeys/SigningTable",
-            owner="opendkim",
+            user="opendkim",
            group="opendkim",
            mode="644",
            config={"domain_name": domain, "opendkim_selector": dkim_selector},
        )
-        self.ensure_directory(
+        need_restart |= signing_table.changed
-            "/var/spool/postfix/opendkim",
+        files.directory(
-            owner="opendkim",
+            name="Add opendkim socket directory to /var/spool/postfix",
            path="/var/spool/postfix/opendkim",
            user="opendkim",
            group="opendkim",
            mode="750",
            present=True,
        )
        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
@@ -70,10 +96,12 @@ class OpendkimDeployer(Deployer):
                _su_user="opendkim",
            )
-        self.put_file(
+        service_file = files.put(
-            "opendkim/systemd.conf",
+            name="Configure opendkim to restart once a day",
-            "/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
+            src=get_resource("opendkim/systemd.conf"),
            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
        )
        need_restart |= service_file.changed
        files.file(
            name="chown opendkim: /etc/dkimkeys/opendkim.private",
@@ -82,5 +110,15 @@ class OpendkimDeployer(Deployer):
            group="opendkim",
        )
        self.need_restart = need_restart
    def activate(self):
-        self.ensure_service("opendkim.service")
+        systemd.service(
            name="Start and enable OpenDKIM",
            service="opendkim.service",
            running=True,
            enabled=True,
            daemon_reload=self.need_restart,
            restarted=self.need_restart,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -1,10 +1,11 @@
-from pyinfra.operations import apt, server
+from pyinfra.operations import apt, files, server, systemd
-from cmdeploy.basedeploy import Deployer
+from cmdeploy.basedeploy import Deployer, get_resource
 class PostfixDeployer(Deployer):
    required_users = [("postfix", None, ["opendkim"])]
    daemon_reload = False
    def __init__(self, config, disable_mail):
        self.config = config
@@ -18,46 +19,81 @@ class PostfixDeployer(Deployer):
    def configure(self):
        config = self.config
        need_restart = False
-        self.put_template(
+        main_config = files.template(
-            "postfix/main.cf.j2",
+            src=get_resource("postfix/main.cf.j2"),
-            "/etc/postfix/main.cf",
+            dest="/etc/postfix/main.cf",
            user="root",
            group="root",
            mode="644",
            config=config,
            disable_ipv6=config.disable_ipv6,
        )
        need_restart |= main_config.changed
-        self.put_template(
+        master_config = files.template(
-            "postfix/master.cf.j2",
+            src=get_resource("postfix/master.cf.j2"),
-            "/etc/postfix/master.cf",
+            dest="/etc/postfix/master.cf",
            user="root",
            group="root",
            mode="644",
            debug=False,
            config=config,
        )
        need_restart |= master_config.changed
-        self.put_file(
+        header_cleanup = files.put(
-            "postfix/submission_header_cleanup",
+            src=get_resource("postfix/submission_header_cleanup"),
-            "/etc/postfix/submission_header_cleanup",
+            dest="/etc/postfix/submission_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
-        self.put_file("postfix/lmtp_header_cleanup", "/etc/postfix/lmtp_header_cleanup")
+        need_restart |= header_cleanup.changed
-        res = self.put_file(
+        lmtp_header_cleanup = files.put(
-            "postfix/smtp_tls_policy_map", "/etc/postfix/smtp_tls_policy_map"
+            src=get_resource("postfix/lmtp_header_cleanup"),
            dest="/etc/postfix/lmtp_header_cleanup",
            user="root",
            group="root",
            mode="644",
        )
-        tls_policy_changed = res.changed
+        need_restart |= lmtp_header_cleanup.changed
-        if tls_policy_changed:
+
        tls_policy_map = files.put(
            name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
            src=get_resource("postfix/smtp_tls_policy_map"),
            dest="/etc/postfix/smtp_tls_policy_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= tls_policy_map.changed
        if tls_policy_map.changed:
            server.shell(
                commands=["postmap /etc/postfix/smtp_tls_policy_map"],
            )
        # Login map that 1:1 maps email address to login.
-        self.put_file("postfix/login_map", "/etc/postfix/login_map")
+        login_map = files.put(
-
+            src=get_resource("postfix/login_map"),
-        self.put_file(
+            dest="/etc/postfix/login_map",
-            "service/10_restart_on_failure.conf",
+            user="root",
-            "/etc/systemd/system/postfix@.service.d/10_restart.conf",
+            group="root",
            mode="644",
        )
        need_restart |= login_map.changed
        restart_conf = files.put(
            name="postfix: restart automatically on failure",
            src=get_resource("service/10_restart.conf"),
            dest="/etc/systemd/system/postfix@.service.d/10_restart.conf",
        )
        self.daemon_reload = restart_conf.changed
        # Validate postfix configuration before restart
-        if self.need_restart:
+        if need_restart:
            server.shell(
                name="Validate postfix configuration",
                # Extract stderr and quit with error if non-zero
@@ -65,11 +101,19 @@ class PostfixDeployer(Deployer):
                    """bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""
                ],
            )
        self.need_restart = need_restart
    def activate(self):
-        active = not self.disable_mail
+        restart = False if self.disable_mail else self.need_restart
-        self.ensure_service(
+
-            "postfix.service",
+        systemd.service(
-            running=active,
+            name="disable postfix for now"
-            enabled=active,
+            if self.disable_mail
            else "Start and enable Postfix",
            service="postfix.service",
            running=False if self.disable_mail else True,
            enabled=False if self.disable_mail else True,
            restarted=restart,
            daemon_reload=self.daemon_reload,
        )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -54,17 +54,14 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 tls_preempt_cipherlist = yes
 smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myhostname = {{ config.postfix_myhostname }}
+myhostname = {{ config.mail_domain }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
-# When postfix receives mail for $mydestination,
+# Postfix does not deliver mail for any domain by itself.
-# it hands it over to dovecot via $local_transport.
+# Primary domain is listed in `virtual_mailbox_domains` instead
-# Note: IP literals must be handled via local delivery / mydestination.
+# and handed over to Dovecot.
-mydestination = {{ config.mail_domain }}
+mydestination =
 local_transport = lmtp:unix:private/dovecot-lmtp
 # postfix doesn't check whether local users exist or not:
 local_recipient_maps =
 relayhost = 
 {% if disable_ipv6 %}
@@ -82,6 +79,24 @@ inet_protocols = ipv4
 inet_protocols = all
 {% endif %}
 # Postfix does not try IPv4 and IPv6 connections
 # concurrently as of version 3.7.11.
 #
 # When relay has both A (IPv4) and AAAA (IPv6) records,
 # but broken IPv6 connectivity,
 # every second message is delayed by the connection timeout
 # <https://www.postfix.org/postconf.5.html#smtp_connect_timeout>
 # which defaults to 30 seconds. Reducing timeouts is not a solution
 # as this will result in a failure to connect to slow servers.
 #
 # As a workaround we always prefer IPv4 when it is available.
 # 
 # The setting is documented at
 # <https://www.postfix.org/postconf.5.html#smtp_address_preference>
 smtp_address_preference=ipv4
 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
 lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup
 mua_client_restrictions = permit_sasl_authenticated, reject
@@ -94,20 +109,3 @@ smtpd_sender_login_maps = regexp:/etc/postfix/login_map
 # Do not lookup SMTP client hostnames to reduce delays
 # and avoid unnecessary DNS requests.
 smtpd_peername_lookup = no
 # Use filtermail-transport to relay messages.
 # We can't force postfix to split messages per destination,
 # when specifying a custom next-hop,
 # so instead this is handled in filtermail.
 # We use LMTP instead SMTP so we can communicate per-recipient errors back to postfix.
 default_transport = lmtp-filtermail:inet:[127.0.0.1]:{{ config.filtermail_lmtp_port_transport }}
 lmtp-filtermail_initial_destination_concurrency=10000
 lmtp-filtermail_destination_concurrency_limit=10000
 {% if not config.ipv4_relay %}
 # DKIM-sign locally generated mail (bounces, DSNs).
 # These bypass smtpd, so they need explicit milter configuration.
 non_smtpd_milters = unix:opendkim/opendkim.sock
 internal_mail_filter_classes = bounce
 milter_macro_daemon_name = ORIGINATING
 {% endif %}
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -80,9 +80,8 @@ filter    unix -        n       n       -       -       lmtp
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=unix:opendkim/opendkim.sock
  -o cleanup_service_name=authclean
 {% if not config.ipv4_relay %}  -o smtpd_milters=unix:opendkim/opendkim.sock
 {% endif %}
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
@@ -101,8 +100,3 @@ filter    unix -        n       n       -       -       lmtp
 # cannot send unprotected Subject.
 authclean unix  n       -       -       -       0       cleanup
  -o header_checks=regexp:/etc/postfix/submission_header_cleanup
 lmtp-filtermail unix  -       -       y       -       10000       lmtp
  -o syslog_name=postfix/lmtp-filtermail
  -o lmtp_header_checks=
  -o lmtp_tls_security_level=none
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -64,25 +64,21 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
    )
-def get_authoritative_ns(domain):
+def query_dns(typ, domain):
-    ns_replies = [
+    # Get autoritative nameserver from the SOA record.
    soa_answers = [
        x.split()
        for x in shell(
-            f"dig -r -q {domain} -t NS +noall +authority +answer", print=log_progress
+            f"dig -r -q {domain} -t SOA +noall +authority +answer", print=log_progress
        ).split("\n")
    ]
-    filtered_replies = [a for a in ns_replies if len(a) >= 5 and a[3] == "NS"]
+    soa = [a for a in soa_answers if len(a) >= 3 and a[3] == "SOA"]
-    if not filtered_replies:
+    if not soa:
        return
-    return filtered_replies[0][4]
+    ns = soa[0][4]
 def query_dns(typ, domain):
    ns = get_authoritative_ns(domain)
    # Query authoritative nameserver directly to bypass DNS cache.
-    direct_ns = f"@{ns}" if ns else ""
+    res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short", print=log_progress)
    res = shell(f"dig {direct_ns} -r -q {domain} -t {typ} +short", print=log_progress)
    return next((line for line in res.split("\n") if not line.startswith(";")), "")
--- a/cmdeploy/src/cmdeploy/selfsigned/deployer.py
+++ b/cmdeploy/src/cmdeploy/selfsigned/deployer.py
@@ -1,8 +1,8 @@
 import shlex
-from pyinfra.operations import server
+from pyinfra.operations import apt, server
-from ..basedeploy import Deployer
+from cmdeploy.basedeploy import Deployer
 def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
@@ -12,15 +12,27 @@ def openssl_selfsigned_args(domain, cert_path, key_path, days=36500):
    ``www.<domain>`` and ``mta-sts.<domain>``.
    """
    return [
-        "openssl", "req", "-x509",
+        "openssl",
-        "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:P-256",
+        "req",
-        "-noenc", "-days", str(days),
+        "-x509",
-        "-keyout", str(key_path),
+        "-newkey",
-        "-out", str(cert_path),
+        "ec",
-        "-subj", f"/CN={domain}",
+        "-pkeyopt",
        "ec_paramgen_curve:P-256",
        "-noenc",
        "-days",
        str(days),
        "-keyout",
        str(key_path),
        "-out",
        str(cert_path),
        "-subj",
        f"/CN={domain}",
        # Mark as end-entity cert so it cannot be used as a CA to sign others.
-        "-addext", "basicConstraints=critical,CA:FALSE",
+        "-addext",
-        "-addext", "extendedKeyUsage=serverAuth,clientAuth",
+        "basicConstraints=critical,CA:FALSE",
        "-addext",
        "extendedKeyUsage=serverAuth,clientAuth",
        "-addext",
        f"subjectAltName=DNS:{domain},DNS:www.{domain},DNS:mta-sts.{domain}",
    ]
@@ -34,11 +46,17 @@ class SelfSignedTlsDeployer(Deployer):
        self.cert_path = "/etc/ssl/certs/mailserver.pem"
        self.key_path = "/etc/ssl/private/mailserver.key"
-
+    def install(self):
        apt.packages(
            name="Install openssl",
            packages=["openssl"],
        )
    def configure(self):
        args = openssl_selfsigned_args(
-            self.mail_domain, self.cert_path, self.key_path,
+            self.mail_domain,
            self.cert_path,
            self.key_path,
        )
        cmd = shlex.join(args)
        server.shell(
@@ -48,5 +66,3 @@ class SelfSignedTlsDeployer(Deployer):
    def activate(self):
        pass
--- a/cmdeploy/src/cmdeploy/service/10_restart_on_failure.conf
+++ b/cmdeploy/src/cmdeploy/service/10_restart_on_failure.conf
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_login.py
@@ -12,7 +12,7 @@ def test_init(tmp_path, maildomain):
    inipath = tmp_path.joinpath("chatmail.ini")
    main(["init", "--config", str(inipath), maildomain])
    config = read_config(inipath)
-    assert config.mail_domain_bare == maildomain
+    assert config.mail_domain == maildomain
 def test_capabilities(imap):
@@ -89,11 +89,12 @@ def test_concurrent_logins_same_account(
        assert login_results.get()
-def test_no_vrfy(cmfactory, chatmail_config, maildomain):
+def test_no_vrfy(cmfactory, chatmail_config):
    ac = cmfactory.get_online_account()
    addr = ac.get_config("addr")
    domain = chatmail_config.mail_domain
-    s = smtplib.SMTP(maildomain)
+    s = smtplib.SMTP(domain)
    s.starttls()
    s.putcmd("vrfy", f"wrongaddress@{chatmail_config.mail_domain}")
--- a/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_0_qr.py
@@ -30,12 +30,15 @@ def test_newemail_configure(maildomain, rpc, chatmail_config):
            # set_config_from_qr, so fetch credentials via requests instead
            res = requests.post(f"https://{maildomain}/new", verify=False)
            data = res.json()
-            rpc.add_or_update_transport(account_id, {
+            rpc.add_or_update_transport(
-                "addr": data["email"],
+                account_id,
-                "password": data["password"],
+                {
-                "imapServer": maildomain,
+                    "addr": data["email"],
-                "smtpServer": maildomain,
+                    "password": data["password"],
-                "certificateChecks": "acceptInvalidCertificates",
+                    "imapServer": maildomain,
-            })
+                    "smtpServer": maildomain,
                    "certificateChecks": "acceptInvalidCertificates",
                },
            )
        else:
            rpc.add_transport_from_qr(account_id, url)
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -5,7 +5,6 @@ import subprocess
 import time
 import pytest
 from chatmaild.config import is_valid_ipv4
 from cmdeploy import remote
 from cmdeploy.cmdeploy import get_sshexec
@@ -22,8 +21,6 @@ class TestSSHExecutor:
        assert out == out2
    def test_perform_initial(self, sshexec, maildomain):
        if is_valid_ipv4(maildomain):
            pytest.skip(f"{maildomain} is not a domain")
        res = sshexec(
            remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
        )
@@ -64,10 +61,8 @@ class TestSSHExecutor:
        else:
            pytest.fail("didn't raise exception")
-    def test_opendkim_restarted(self, sshexec, maildomain):
+    def test_opendkim_restarted(self, sshexec):
        """check that opendkim is not running for longer than a day."""
        if is_valid_ipv4(maildomain):
            pytest.skip(f"{maildomain} is an IPv4 relay, opendkim is not installed")
        cmd = "systemctl show opendkim --timestamp=utc --property=ActiveEnterTimestamp"
        out = sshexec(call=remote.rshell.shell, kwargs=dict(command=cmd))
        datestring = out.split("=")[1]
@@ -194,34 +189,6 @@ def test_reject_missing_dkim(cmsetup, maildata, from_addr):
            s.sendmail(from_addr=from_addr, to_addrs=recipient.addr, msg=msg)
 def test_bounces_are_dkim_signed(cmsetup, cmsetup2, maildata, maildomain):
    # we send a message to non-existant user and expect a bounce message
    # which will only get through if the bounce message was DKIM-signed
    if is_valid_ipv4(maildomain):
        pytest.skip("DKIM is not configured on IPv4-only relays")
    sender = cmsetup2.gen_users(1)[0]
    nonexistent = f"nosuchuser_test42@{cmsetup.maildomain}"
    msg = maildata(
        "encrypted.eml",
        from_addr=sender.addr,
        to_addr=nonexistent,
    ).as_string()
    sender.smtp.sendmail(sender.addr, [nonexistent], msg)
    def bounce_in_inbox():
        messages = sender.imap.fetch_all_messages()
        for m in messages:
            if "mail delivery" in m.lower() or "undelivered" in m.lower():
                return m
        raise ValueError("bounce not yet in inbox")
    bounce = try_n_times(30, bounce_in_inbox)
    assert "nosuchuser_test42" in bounce
 def try_n_times(n, f):
    for _ in range(n - 1):
        try:
@@ -314,15 +281,3 @@ def test_deployed_state(remote):
    # assert len(git_status) == len(remote_version)  # for some reason, we only get 11 lines from remote.iter_output()
    for i in range(len(remote_version)):
        assert git_status[i] == remote_version[i], "You have undeployed changes."
 def test_nginx_access_log_only_defined_once(sshdomain):
    sshexec = get_sshexec(sshdomain)
    conf = sshexec(
        call=remote.rshell.shell,
        kwargs=dict(command="nginx -T 2>/dev/null"),
    )
    access_logs = [l for l in conf.splitlines() if l.strip().startswith("access_log")]
    assert len(access_logs) == 1, (
        f"expected 1 access_log, found {len(access_logs)}: {access_logs}"
    )
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -15,7 +15,7 @@ def imap_mailbox(cmfactory, ssl_context):
    (ac1,) = cmfactory.get_online_accounts(1)
    user = ac1.get_config("addr")
    password = ac1.get_config("mail_pw")
-    host = user.split("@")[1].strip("[").strip("]")
+    host = user.split("@")[1]
    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
    mailbox.login(user, password)
    mailbox.dc_ac = ac1
@@ -178,7 +178,7 @@ def test_hide_senders_ip_address(cmfactory, ssl_context):
    chat.send_text("testing submission header cleanup")
    user2.wait_for_incoming_msg()
    addr = user2.get_config("addr")
-    host = addr.split("@")[1].strip("[").strip("]")
+    host = addr.split("@")[1]
    pw = user2.get_config("mail_pw")
    mailbox = imap_tools.MailBox(host, ssl_context=ssl_context)
    mailbox.login(addr, pw)
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -1,4 +1,5 @@
 import imaplib
 import ipaddress
 import itertools
 import os
 import random
@@ -9,20 +10,19 @@ import time
 from pathlib import Path
 import pytest
-from chatmaild.config import is_valid_ipv4, read_config
+from chatmaild.config import read_config
 from domain_validator import DomainValidator
 def format_mail_domain(raw_domain: str) -> str:
    if is_valid_ipv4(raw_domain):
        return f"[{raw_domain}]"
    DomainValidator().validate_domain_re(raw_domain)
    return raw_domain
 conftestdir = Path(__file__).parent
 def _is_ip(domain):
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False
 def pytest_configure(config):
    config._benchresults = {}
    config.addinivalue_line(
@@ -58,7 +58,7 @@ def chatmail_config(pytestconfig):
@pytest.fixture(scope="session")
 def maildomain(chatmail_config):
-    return chatmail_config.mail_domain_bare
+    return chatmail_config.mail_domain
@pytest.fixture(scope="session")
@@ -278,6 +278,7 @@ def gencreds(chatmail_config):
    def gen(domain=None):
        domain = domain if domain else chatmail_config.mail_domain
        addr_domain = f"[{domain}]" if _is_ip(domain) else domain
        while 1:
            num = next(count)
            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
@@ -291,7 +292,7 @@ def gencreds(chatmail_config):
            password = "".join(
                random.choices(alphanumeric, k=chatmail_config.password_min_length)
            )
-            yield f"{user}@{domain}", f"{password}"
+            yield f"{user}@{addr_domain}", f"{password}"
    return lambda domain=None: next(gen(domain))
@@ -316,8 +317,7 @@ class ChatmailACFactory:
    def _make_transport(self, domain):
        """Build a transport config dict for the given domain."""
-        domain_deliverable = format_mail_domain(domain)
+        addr, password = self.gencreds(domain)
        addr, password = self.gencreds(domain_deliverable)
        transport = {
            "addr": addr,
            "password": password,
@@ -326,7 +326,7 @@ class ChatmailACFactory:
            "imapServer": domain,
            "smtpServer": domain,
        }
-        if domain.startswith("_") or is_valid_ipv4(domain):
+        if self.chatmail_config.tls_cert_mode == "self":
            transport["certificateChecks"] = "acceptInvalidCertificates"
        return transport
@@ -341,9 +341,8 @@ class ChatmailACFactory:
        accounts = []
        for _ in range(num):
            account = self.dc.add_account()
-            domain_deliverable = format_mail_domain(domain)
+            addr, password = self.gencreds(domain)
-            addr, password = self.gencreds(domain_deliverable)
+            if _is_ip(domain):
            if is_valid_ipv4(domain):
                # Use DCLOGIN scheme with explicit server hosts,
                # matching how madmail presents its addresses to users.
                qr = (
@@ -417,10 +416,13 @@ class Remote:
    def iter_output(self, logcmd="", ready=None):
        getjournal = "journalctl -f" if not logcmd else logcmd
        print(self.sshdomain)
-        if self.sshdomain in ("@local", "localhost"):
+        match self.sshdomain:
-            command = []
+            case "@local":
-        else:
+                command = []
-            command = ["ssh", f"root@{self.sshdomain}"]
+            case "localhost":
                command = []
            case _:
                command = ["ssh", f"root@{self.sshdomain}"]
        [command.append(arg) for arg in getjournal.split()]
        popen = subprocess.Popen(
            command,
@@ -467,11 +469,6 @@ def cmsetup(maildomain, gencreds, ssl_context):
    return CMSetup(maildomain, gencreds, ssl_context)
@pytest.fixture
 def cmsetup2(maildomain2, gencreds, ssl_context):
    return CMSetup(maildomain2, gencreds, ssl_context)
 class CMSetup:
    def __init__(self, maildomain, gencreds, ssl_context):
        self.maildomain = maildomain
@@ -482,7 +479,7 @@ class CMSetup:
        print(f"Creating {num} online users")
        users = []
        for i in range(num):
-            addr, password = self.gencreds(format_mail_domain(self.maildomain))
+            addr, password = self.gencreds()
            user = CMUser(self.maildomain, addr, password, self.ssl_context)
            assert user.smtp
            users.append(user)
--- a/cmdeploy/src/cmdeploy/tests/test_basedeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_basedeploy.py
@@ -1,118 +0,0 @@
 from unittest.mock import MagicMock, patch
 from cmdeploy.basedeploy import Deployer
 def test_put_file_restart_and_reload():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res):
        deployer.put_file("foo.conf", "/etc/foo.conf")
        assert deployer.need_restart is True
        assert deployer.daemon_reload is False
        deployer = Deployer()
        deployer.put_file("test.service", "/etc/systemd/system/test.service")
        assert deployer.need_restart is True
        assert deployer.daemon_reload is True
 def test_remove_file():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    with patch("cmdeploy.basedeploy.files.file", return_value=mock_res) as mock_file:
        deployer.remove_file("/etc/foo.conf")
        mock_file.assert_called_once_with(
            name="Remove /etc/foo.conf", path="/etc/foo.conf", present=False
        )
        assert deployer.need_restart is True
 def test_ensure_systemd_unit():
    deployer = Deployer()
    mock_res = MagicMock()
    mock_res.changed = True
    # Plain service file
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res) as mock_put:
        deployer.ensure_systemd_unit("iroh-relay.service")
        assert (
            mock_put.call_args.kwargs["dest"]
            == "/etc/systemd/system/iroh-relay.service"
        )
        assert deployer.need_restart is True
        assert deployer.daemon_reload is True
    deployer = Deployer()
    # Template (.j2) dispatches to put_template and strips .j2 suffix
    with patch("cmdeploy.basedeploy.files.template", return_value=mock_res) as mock_tpl:
        deployer.ensure_systemd_unit(
            "filtermail/chatmaild.service.j2",
            bin_path="/usr/local/bin/filtermail",
        )
        assert (
            mock_tpl.call_args.kwargs["dest"] == "/etc/systemd/system/chatmaild.service"
        )
    deployer = Deployer()
    # Explicit dest_name override
    with patch("cmdeploy.basedeploy.files.put", return_value=mock_res) as mock_put:
        deployer.ensure_systemd_unit(
            "acmetool/acmetool-reconcile.timer",
            dest_name="acmetool-reconcile.timer",
        )
        assert (
            mock_put.call_args.kwargs["dest"]
            == "/etc/systemd/system/acmetool-reconcile.timer"
        )
 def test_ensure_service():
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service("nginx.service")
        mock_svc.assert_called_once_with(
            name="Start and enable nginx.service",
            service="nginx.service",
            running=True,
            enabled=True,
            restarted=True,
            daemon_reload=True,
        )
        # daemon_reload is cleared to avoid multiple systemctl daemon-reload calls
        # need_restart is kept to ensure all subsequent services also restart
        assert deployer.need_restart is True
        assert deployer.daemon_reload is False
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        # Stopping suppresses restarted even when need_restart is True
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service(
            "mta-sts-daemon.service",
            running=False,
            enabled=False,
        )
        assert mock_svc.call_args.kwargs["restarted"] is False
        assert deployer.need_restart is True
    with patch("cmdeploy.basedeploy.systemd.service") as mock_svc:
        # Multiple calls: daemon_reload resets after first, need_restart persists
        deployer = Deployer()
        deployer.need_restart = True
        deployer.daemon_reload = True
        deployer.ensure_service("chatmaild.service")
        deployer.ensure_service("chatmaild-metadata.service")
        second_call = mock_svc.call_args_list[1]
        assert second_call.kwargs["restarted"] is True
        assert second_call.kwargs["daemon_reload"] is False
--- a/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/tests/test_cmdeploy.py
@@ -39,14 +39,6 @@ class TestCmdline:
        out, err = capsys.readouterr()
        assert "deleting config file" in out.lower()
    def test_dns_skip_on_ip(self, capsys, tmp_path, monkeypatch):
        monkeypatch.delenv("CHATMAIL_INI", raising=False)
        inipath = tmp_path / "chatmail.ini"
        assert main(["init", "--config", str(inipath), "1.3.3.7"]) == 0
        assert main(["dns", "--config", str(inipath)]) == 0
        out, err = capsys.readouterr()
        assert out == "[WARNING] 1.3.3.7 is not a domain, skipping DNS checks.\n"
 def test_www_folder(example_config, tmp_path):
    reporoot = importlib.resources.files(__package__).joinpath("../../../../").resolve()
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -4,7 +4,6 @@ import pytest
 from cmdeploy import remote
 from cmdeploy.dns import check_full_zone, check_initial_remote_data, parse_zone_records
 from cmdeploy.remote.rdns import get_authoritative_ns
@pytest.fixture
@@ -15,15 +14,11 @@ def mockdns_base(monkeypatch):
        if command.startswith("dig"):
            if command == "dig":
                return "."
-            if "with.public.soa" in command and "NS" in command:
+            if "SOA" in command:
                return "domain.with.public.soa. 2419 IN NS ns1.first-ns.de."
            if "with.hidden.soa" in command and "NS" in command:
                return (
-                    "domain.with.hidden.soa. 2137 IN NS ns1.desec.io.\n"
+                    "delta.chat. 21600 IN SOA ns1.first-ns.de. dns.hetzner.com."
-                    "domain.with.hidden.soa. 2137 IN NS ns2.desec.org."
+                    " 2025102800 14400 1800 604800 3600"
                )
            if "NS" in command:
                return "delta.chat. 21600 IN NS ns1.first-ns.de."
            command_chunks = command.split()
            domain, typ = command_chunks[4], command_chunks[6]
            try:
@@ -130,17 +125,6 @@ class TestPerformInitialChecks:
        assert not l
@pytest.mark.parametrize(
    ("domain", "ns"),
    [
        ("domain.with.public.soa", "ns1.first-ns.de."),
        ("domain.with.hidden.soa", "ns1.desec.io."),
    ],
 )
 def test_get_authoritative_ns(domain, ns, mockdns):
    assert get_authoritative_ns(domain) == ns
 def test_parse_zone_records():
    text = """
    ; This is a comment
--- a/cmdeploy/src/cmdeploy/tests/test_helpers.py
+++ b/cmdeploy/src/cmdeploy/tests/test_helpers.py
@@ -1,10 +1,11 @@
-from pathlib import Path
+import importlib.resources
 from cmdeploy.www import build_webpages
 def test_build_webpages(tmp_path, make_config):
-    src_dir = (Path(__file__).resolve() / "../../../../../www/src").resolve()
+    pkgroot = importlib.resources.files("cmdeploy")
    src_dir = pkgroot.joinpath("../../../www/src").resolve()
    assert src_dir.exists(), src_dir
    config = make_config("chat.example.org")
    build_dir = tmp_path.joinpath("build")
--- a/cmdeploy/src/cmdeploy/www.py
+++ b/cmdeploy/src/cmdeploy/www.py
@@ -1,4 +1,5 @@
 import hashlib
 import importlib.resources
 import re
 import time
 import traceback
@@ -36,7 +37,7 @@ def prepare_template(source):
 def get_paths(config) -> (Path, Path, Path):
-    reporoot = (Path(__file__).resolve() / "../../../../").resolve()
+    reporoot = importlib.resources.files(__package__).joinpath("../../../").resolve()
    www_path = Path(config.www_folder)
    # if www_folder was not set, use default directory
    if config.www_folder == "":
@@ -132,7 +133,8 @@ def find_merge_conflict(src_dir) -> Path:
 def main():
-    reporoot = (Path(__file__).resolve() / "../../../../").resolve()
+    path = importlib.resources.files(__package__)
    reporoot = path.joinpath("../../../").resolve()
    inipath = reporoot.joinpath("chatmail.ini")
    config = read_config(inipath)
    config.webdev = True
--- a/doc/source/faq.rst
+++ b/doc/source/faq.rst
@@ -15,7 +15,6 @@ goes beyond what classic email servers offer:
   streaming, privacy-preserving Push Notifications for Apple, Google, and `Ubuntu Touch <https://docs.ubports.com/en/latest/appdev/guides/pushnotifications.html>`_;
 -  **Security Enforcement**: only strict TLS, DKIM and OpenPGP with minimized metadata accepted
   (DKIM is not enforced on :ref:`IP-only relays <iponly>`)
 -  **Reliable Federation and Decentralization:** No spam or IP reputation checks, federating
   depends on established IETF standards and protocols.
@@ -48,28 +47,6 @@ Dovecot, and are configured to run unattended without much maintenance
 effort. Chatmail relays happily run on low-end hardware like a Raspberry
 Pi.
 .. _upgrade:
 How can I upgrade my chatmail relay?
 ------------------------------------
 To upgrade to the latest ``main`` branch,
 ``cd`` into your local checkout of `https://github.com/chatmail/relay/`_
 and run the following commands:
   ::
       git pull origin main --rebase --autostash
       scripts/cmdeploy run
 If you don't want the latest development version,
 but a specific tagged release like `1.10.0 <https://github.com/chatmail/relay/releases/tag/1.10.0>`_,
 run ``git pull origin 1.10.0`` instead.
 If you made local changes for your setup,
 they will be reapplied as long as they don't conflict with the upgrade.
 If a conflict arises, ``git status`` will tell you how to resolve it.
 How trustable are chatmail relays?
 ----------------------------------
--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -14,6 +14,8 @@ Minimal requirements and prerequisites
 You will need the following:
 -  Control over a domain through a DNS provider of your choice.
 -  A Debian 12 **deployment server** with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports.
   IPv6 is encouraged if available. Chatmail relay servers only require
   1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
@@ -26,11 +28,6 @@ You will need the following:
   (An ed25519 private key is required due to an `upstream bug in
   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)
 -  Control over a domain through a DNS provider of your choice
   (there is experimental support for :ref:`IP-only relays <iponly>`).
 .. _setup:
 Setup with ``scripts/cmdeploy``
 -------------------------------------
@@ -101,15 +98,6 @@ steps. Please substitute it with your own domain.
   configure at your DNS provider (it can take some time until they are
   public).
 Docker installation
 -------------------
 There is experimental support for running chatmail via Docker.
 A monolithic image based on the above cmdeploy method is available `through a separate repository <https://github.com/chatmail/docker/pkgs/container/docker>`_.
 See the `chatmail/docker README <https://github.com/chatmail/docker>`_ for full setup instructions.
 Other helpful commands
 ----------------------
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -19,4 +19,3 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
    reverse_dns
    related
    faq
    iponly
--- a/doc/source/iponly.rst
+++ b/doc/source/iponly.rst
@@ -1,40 +0,0 @@
 .. _iponly:
 Hosting without DNS records
 ===========================
 .. note::
   This option is experimental and might change without notice.
 In case you don't have a domain,
 for example in a local network,
 you can run a chatmail relay with only an IPv4 address as well.
 To deploy a relay without a domain,
 run ``cmdeploy init`` with only the IPv4 address
 during the :ref:`installation steps <setup>`,
 for example ``cmdeploy init 13.12.23.42``.
 Drawbacks
 ---------
 - your transport encryption will only use self-signed TLS certificates,
  which are vulnerable against MITM attacks.
  the chatmail core's end-to-end encryption should suffice in most scenarios though.
 - your messages will not be DKIM-signed;
  experimentally, most chatmail relays accept non-DKIM-signed messages from IP-only relays,
  but some relays might not accept messages from yours.
 Email addresses
 ---------------
 When running without a domain,
 your chatmail addresses will use the IPv4 address
 in brackets as the domain part,
 for example ``user@[13.12.23.42]``.
 This is a valid email address format
 according to :rfc:`5321`.
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -153,7 +153,6 @@ Chatmail relay dependency diagram
        autoconfig.xml --- dovecot;
        postfix --- |10080|filtermail-outgoing;
        postfix --- |10081|filtermail-incoming;
        postfix --- |10083|filtermail-transport;
        filtermail-outgoing --- |10025 reinject|postfix;
        filtermail-incoming --- |10026 reinject|postfix;
        dovecot --- |doveauth.socket|doveauth;
@@ -265,8 +264,7 @@ from the chatmail relay server.
 Email domain authentication (DKIM)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails
+Chatmail relays enforce :rfc:`DKIM <6376>` to authenticate incoming emails.
 (except for :ref:`IP-only relays <iponly>`).
 Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
@@ -297,7 +295,9 @@ ensured by ``filtermail`` proxy.
 TLS requirements
 ~~~~~~~~~~~~~~~~
-Filtermail (used for delivery) requires a valid TLS.
+Postfix is configured to require valid TLS by setting
 `smtp_tls_security_level <https://www.postfix.org/postconf.5.html#smtp_tls_security_level>`_
 to ``verify``.
 You can test it by resolving ``MX`` records of your relay domain and
 then connecting to MX relays (e.g ``mx.example.org``) with