add postfix instrumented debugging

add global debug flag and instrument dovecot with it
2026-05-12 00:54:37 +00:00 · 2023-10-16 22:38:36 +02:00 · 2023-10-16 22:29:40 +02:00
13 changed files with 77 additions and 77 deletions
--- a/README.md
+++ b/README.md
@@ -1,40 +1,61 @@
 # Chat Mail server configuration
-This repository setups a ready-to-go chatmail instance
+This package deploys Postfix and Dovecot servers, including OpenDKIM for DKIM signing.
-comprised of a minimal setup of the battle-tested 
+
-[postfix smtp server](https://www.postfix.org) and [dovecot imap server](https://www.dovecot.org).
+Postfix uses Dovecot for authentication as described in <https://www.postfix.org/SASL_README.html#server_dovecot>
 ## Getting started 
-1. prepare your local system:
+prepare:
-    scripts/init.sh 
+    pip install -e chatmail-infra
 2. set environment variable to the chatmail domain you want to setup:
    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
 3. run the deploy of the chat mail instance: 
    scripts/deploy.sh 
-## Running tests and benchmarks (offline and online) 
+then run with pyinfra command line tool: 
-1. Set `CHATMAIL_SSH` so that `ssh root@$CHATMAIL_SSH` allows 
+    CHATMAIL_DOMAIN=c1.testrun.org pyinfra --ssh-user root c1.testrun.org deploy.py
   to login to the chatmail instance server. 
 2. To run local and online tests: 
-    scripts/test.sh 
+## Structure (wip)
 ```
-3. To run benchmarks against your chatmail instance: 
+# package doveauth tool and deploy chatmail server to a envvar-specified ssh-reachable host 
 deploy.py 
-    scripts/bench.sh 
+# chatmail pyinfra deploy package 
 chatmail-pyinfra 
    pyproject.toml
    chatmail/__init__ ...
-## Running tests (offline and online) 
+# doveauth tool used by dovecot's auth mechanism on the host system 
 doveauth
    README.md
    pyproject.toml
    doveauth.py
    test_doveauth.py
 # lmtp server to block (outgoing) unencrypted messages 
 filtermail 
    README.md
    pyproject.toml
    .... 
 # online tests (after deploy)
 online-tests  # runnable via pytest 
 # scripts for setup/development/deployment 
 scripts/
    init.sh  # create venv/other perequires
    deploy.sh  # run pyinfra based deploy of everything
    test.sh # run all local and online tests 
    bench.sh # run performance benchmark tests
 ```
 ## Dovecot/Postfix configuration
 ### Ports
@@ -44,6 +65,4 @@ Dovecot listens on ports 143(imap) and 993 (imaps).
 ## DNS
-For DKIM you must add a DNS entry as found in /etc/opendkim/selector.txt on your chatmail instance.
+For DKIM you must add a DNS entry as in /etc/opendkim/selector.txt (where selector is the opendkim_selector configured in the chatmail inventory).
 The above `scripts/deploy.sh` prints out the DKIM selector and DNS entry you
 need to setup with your DNS provider. 
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -9,8 +9,9 @@ from aiosmtpd.controller import UnixSocketController
 from smtplib import SMTP as SMTPClient
-def check_encrypted(message):
+def check_encrypted(content):
    """Check that the message is an OpenPGP-encrypted message."""
    message = BytesParser(policy=policy.default).parsebytes(content)
    if not message.is_multipart():
        return False
    if message.get("subject") != "...":
@@ -46,8 +47,7 @@ class ExampleHandler:
        valid_recipients = []
-        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+        mail_encrypted = check_encrypted(envelope.content)
        mail_encrypted = check_encrypted(message)
        res = []
        for recipient in envelope.rcpt_tos:
@@ -68,13 +68,7 @@ class ExampleHandler:
                continue
            is_outgoing = recipient_local_domain[1] != my_local_domain[1]
-
+            if is_outgoing and not mail_encrypted:
            if (
                is_outgoing
                and not mail_encrypted
                and message.get("secure-join") != "vc-request"
                and message.get("secure-join") != "vg-request"
            ):
                res += ["500 Outgoing mail must be encrypted"]
                continue
--- a/chatmaild/src/chatmaild/test_filtermail.py
+++ b/chatmaild/src/chatmaild/test_filtermail.py
@@ -1,16 +1,12 @@
 import pytest
 from .filtermail import check_encrypted
 from email.parser import BytesParser
 from email import policy
 def test_filtermail():
-    def check_encrypted_bstr(content):
+    assert not check_encrypted(b"foo")
        message = BytesParser(policy=policy.default).parsebytes(content)
        return check_encrypted(message)
-    assert not check_encrypted_bstr(b"foo")
+    assert not check_encrypted(
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -40,7 +36,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted_bstr(
+    assert not check_encrypted(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -71,7 +67,7 @@ def test_filtermail():
    )
    # https://xkcd.com/1181/
-    assert not check_encrypted_bstr(
+    assert not check_encrypted(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
@@ -103,7 +99,7 @@ def test_filtermail():
        ).encode()
    )
-    assert check_encrypted_bstr(
+    assert check_encrypted(
        "\r\n".join(
            [
                "Subject: ...",
@@ -176,7 +172,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted_bstr(
+    assert not check_encrypted(
        "\r\n".join(
            [
                "Subject: Buy Penis Enlargement at www.malicious-domain.com",
@@ -249,7 +245,7 @@ def test_filtermail():
        ).encode()
    )
-    assert not check_encrypted_bstr(
+    assert not check_encrypted(
        "\r\n".join(
            [
                "Subject: Message opened",
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -50,8 +50,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
    systemd.service(
        name="Setup acmetool-redirector service",
        service="acmetool-redirector.service",
-        running=False,
+        running=True,
-        enabled=False,
+        enabled=True,
        restarted=service_file.changed,
    )
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -16,12 +16,6 @@ mail_debug = yes
 mail_plugins = quota
 # these are the capabilities Delta Chat cares about actually 
 # so let's keep the network overhead per login small
 # https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
 imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE
 # Authentication for system users.
 passdb {
  driver = dict
--- a/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
@@ -70,6 +70,8 @@ showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error
 discard   unix  -       -       y       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
--- a/online-tests/test_1_deltachat.py
+++ b/online-tests/test_1_deltachat.py
@@ -67,17 +67,3 @@ class TestEndToEndDeltaChat:
                    break
        pytest.fail("sending succeeded although messages should exceed quota")
    def test_securejoin(self, cmfactory, lp, maildomain2):
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
        ac2 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.bring_accounts_online()
        lp.sec("ac1: create QR code and let ac2 scan it, starting the securejoin")
        qr = ac1.get_setup_contact_qr()
        lp.sec("ac2: start QR-code based setup contact protocol")
        ch = ac2.qr_setup_contact(qr)
        assert ch.id >= 10
        ac1._evtracker.wait_securejoin_inviter_progress(1000)
--- a/plan.txt
+++ b/plan.txt
@@ -8,6 +8,12 @@
 - limit: configure max-connections per account
 ## Filtermail
 - (alex, Only allow (outgoing) mails if secure-join or autocrypt-pgp-encrypted format.
  TODO: mime-parse mails and check/add tests
 ## nami: send out rate limit / rspamd
 - basic outgoing send rate/limits (depending on "account-rating")
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -2,9 +2,8 @@
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 export CHATMAIL_DOMAIN
-chatmaild/venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
+venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
-deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
+deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" deploy.py
    deploy-chatmail/src/deploy_chatmail/deploy.py
 rm -r dist/
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -6,8 +6,12 @@ deploy-chatmail/venv/bin/pip install -e deploy-chatmail
 deploy-chatmail/venv/bin/pip install -e chatmaild
 python3 -m venv chatmaild/venv
-chatmaild/venv/bin/pip install --upgrade pytest build 'setuptools>=68'
+chatmaild/venv/bin/pip install pytest
 chatmaild/venv/bin/pip install -e chatmaild
 python3 -m venv online-tests/venv
 online-tests/venv/bin/pip install pytest pytest-timeout pdbpp deltachat pytest-benchmark
 python3 -m venv venv
 venv/bin/pip install build
 venv/bin/pip install 'setuptools>=68'
--- a/scripts/remote-deploy.sh
+++ b/scripts/remote-deploy.sh
@@ -2,7 +2,7 @@
 set -e
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
-: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
+: ${CHATMAIL_SSH_HOST:=$CHATMAIL_DOMAIN}
-rsync -avz . "root@$CHATMAIL_SSH:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
+rsync -avz . "root@$CHATMAIL_SSH_HOST:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
-ssh "root@$CHATMAIL_SSH" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
+ssh "root@$CHATMAIL_SSH_HOST" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -4,4 +4,4 @@ pushd chatmaild/src/chatmaild
 ../../venv/bin/pytest
 popd
-online-tests/venv/bin/pytest online-tests/ -vrx --durations=5
+online-tests/venv/bin/pytest online-tests/ -vrx --durations=5 --slow
Author	SHA1	Message	Date
holger krekel	b441891d1f	add postfix instrumented debugging	2023-10-16 22:38:36 +02:00
holger krekel	1c37d1f59b	add global debug flag and instrument dovecot with it	2023-10-16 22:29:40 +02:00