docker: integrate documentation

delete original markdown notes (the russian version was severely outdated) and add a new section.
docker: move key files to repo root as per convention
2026-05-12 00:54:37 +00:00 · 2026-02-18 17:05:28 +01:00 · 2026-02-18 17:05:28 +01:00 · 2026-02-18 17:05:28 +01:00 · 2026-02-18 17:05:28 +01:00 · 2026-02-18 17:05:28 +01:00
48 changed files with 1151 additions and 830 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,18 @@
 data/
 venv/
 __pycache__
 *.pyc
 *.orig
 *.ini
 .pytest_cache
 .env
 # Slim build context — .git/ alone can be 100s of MB
 .git
 .github/
 docs/
 tests/
 # Exclude markdown files but keep www/src/*.md (used by WebsiteDeployer)
 *.md
 !www/**/*.md
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,7 +14,8 @@ jobs:
        # Otherwise `test_deployed_state` will be unhappy.
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-
+      - name: download filtermail
        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -0,0 +1,76 @@
 name: Docker Build
 on:
  pull_request:
    paths:
      - 'docker/**'
      - 'docker-compose.yaml'
      - '.dockerignore'
      - 'chatmaild/**'
      - 'cmdeploy/**'
      - '.github/workflows/docker-build.yaml'
  push:
    branches:
      - main
      - j4n/docker
    paths:
      - 'docker/**'
      - 'docker-compose.yaml'
      - '.dockerignore'
      - 'chatmaild/**'
      - 'cmdeploy/**'
      - '.github/workflows/docker-build.yaml'
    tags:
      - 'v*'
 env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
 jobs:
  build:
    name: Build Docker image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GHCR
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            # Tagged releases: v1.2.3 → :1.2.3, :1.2, :latest
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            # Branch pushes: j4n/docker → :j4n-docker
            type=ref,event=branch
            # Always: :sha-<hash>
            type=sha
      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: docker/chatmail_relay.dockerfile
          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            GIT_HASH=${{ github.sha }}
--- a/.gitignore
+++ b/.gitignore
@@ -164,3 +164,9 @@ cython_debug/
 #.idea/
 chatmail.zone
 # docker
 /data/
 /custom/
 docker-compose.override.yaml
 .env
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -121,6 +121,13 @@
  Provide an "fsreport" CLI for more fine grained analysis of message files. 
  ([#637](https://github.com/chatmail/relay/pull/637))
 - Add installation via docker compose (MVP 1). The instructions, known issues and limitations are located in `/docs` 
  ([#614](https://github.com/chatmail/relay/pull/614))
 - Add configuration parameters
  ([#614](https://github.com/chatmail/relay/pull/614)):
  - `change_kernel_settings` - Whether to change kernel parameters during installation (default: `True`)
  - `fs_inotify_max_user_instances_and_watchers` - Value for kernel parameters `fs.inotify.max_user_instances` and `fs.inotify.max_user_watches` (default: `65535`)
 ## 1.7.0 2025-09-11
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -24,7 +24,6 @@ where = ['src']
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 chatmail-metadata = "chatmaild.metadata:main"
 filtermail = "chatmaild.filtermail:main"
 chatmail-metrics = "chatmaild.metrics:main"
 chatmail-expire = "chatmaild.expire:main"
 chatmail-fsreport = "chatmaild.fsreport:main"
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,3 +1,4 @@
 import os
 from pathlib import Path
 import iniconfig
@@ -20,7 +21,8 @@ class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
        self.mail_domain = params["mail_domain"]
-        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
+        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
        self.max_mailbox_size = params["max_mailbox_size"]
        self.max_message_size = int(params.get("max_message_size", "31457280"))
        self.delete_mails_after = params["delete_mails_after"]
@@ -32,16 +34,19 @@ class Config:
        self.passthrough_senders = params["passthrough_senders"].split()
        self.passthrough_recipients = params["passthrough_recipients"].split()
        self.www_folder = params.get("www_folder", "")
-        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
+        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
        self.filtermail_smtp_port_incoming = int(
-            params["filtermail_smtp_port_incoming"]
+            params.get("filtermail_smtp_port_incoming", "10081")
        )
-        self.postfix_reinject_port = int(params["postfix_reinject_port"])
+        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
        self.postfix_reinject_port_incoming = int(
-            params["postfix_reinject_port_incoming"]
+            params.get("postfix_reinject_port_incoming", "10026")
        )
        self.mtail_address = params.get("mtail_address")
        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
        self.noacme = os.environ.get("CHATMAIL_NOACME", "false").lower() == "true"
        self.addr_v4 = os.environ.get("CHATMAIL_ADDR_V4", "")
        self.addr_v6 = os.environ.get("CHATMAIL_ADDR_V6", "")
        self.acme_email = params.get("acme_email", "")
        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -1,378 +0,0 @@
 #!/usr/bin/env python3
 import asyncio
 import base64
 import binascii
 import sys
 import time
 from email import policy
 from email.parser import BytesParser
 from email.utils import parseaddr
 from smtplib import SMTP as SMTPClient
 from aiosmtpd.controller import Controller
 from aiosmtpd.smtp import SMTP
 from .config import read_config
 ENCRYPTION_NEEDED_523 = "523 Encryption Needed: Invalid Unencrypted Mail"
 def check_openpgp_payload(payload: bytes):
    """Checks the OpenPGP payload.
    OpenPGP payload must consist only of PKESK and SKESK packets
    terminated by a single SEIPD packet.
    Returns True if OpenPGP payload is correct,
    False otherwise.
    May raise IndexError while trying to read OpenPGP packet header
    if it is truncated.
    """
    i = 0
    while i < len(payload):
        # Only OpenPGP format is allowed.
        if payload[i] & 0xC0 != 0xC0:
            return False
        packet_type_id = payload[i] & 0x3F
        i += 1
        while payload[i] >= 224 and payload[i] < 255:
            # Partial body length.
            partial_length = 1 << (payload[i] & 0x1F)
            i += 1 + partial_length
        if payload[i] < 192:
            # One-octet length.
            body_len = payload[i]
            i += 1
        elif payload[i] < 224:
            # Two-octet length.
            body_len = ((payload[i] - 192) << 8) + payload[i + 1] + 192
            i += 2
        elif payload[i] == 255:
            # Five-octet length.
            body_len = (
                (payload[i + 1] << 24)
                | (payload[i + 2] << 16)
                | (payload[i + 3] << 8)
                | payload[i + 4]
            )
            i += 5
        else:
            # Impossible, partial body length was processed above.
            return False
        i += body_len
        if i == len(payload):
            # Last packet should be
            # Symmetrically Encrypted and Integrity Protected Data Packet (SEIPD)
            #
            # This is the only place where this function may return `True`.
            return packet_type_id == 18
        elif packet_type_id not in [1, 3]:
            # All packets except the last one must be either
            # Public-Key Encrypted Session Key Packet (PKESK)
            # or
            # Symmetric-Key Encrypted Session Key Packet (SKESK)
            return False
    return False
 def check_armored_payload(payload: str, outgoing: bool):
    """Check the armored PGP message for invalid content.
    :param payload: the armored PGP message
    :param outgoing: whether the message is outgoing or incoming
    :return: whether the message is a valid PGP message
    """
    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
    if not payload.startswith(prefix):
        return False
    payload = payload.removeprefix(prefix)
    while payload.endswith("\r\n"):
        payload = payload.removesuffix("\r\n")
    suffix = "-----END PGP MESSAGE-----"
    if not payload.endswith(suffix):
        return False
    payload = payload.removesuffix(suffix)
    version_comment = "Version: "
    if payload.startswith(version_comment):
        if outgoing:  # Disallow comments in outgoing messages
            return False
        # Remove comments from incoming messages
        payload = payload.partition("\r\n")[2]
    while payload.startswith("\r\n"):
        payload = payload.removeprefix("\r\n")
    # Remove CRC24.
    payload = payload.rpartition("=")[0]
    try:
        payload = base64.b64decode(payload)
    except binascii.Error:
        return False
    try:
        return check_openpgp_payload(payload)
    except IndexError:
        return False
 def is_securejoin(message):
    if message.get("secure-join") not in ["vc-request", "vg-request"]:
        return False
    if not message.is_multipart():
        return False
    parts_count = 0
    for part in message.iter_parts():
        parts_count += 1
        if parts_count > 1:
            return False
        if part.is_multipart():
            return False
        if part.get_content_type() != "text/plain":
            return False
        payload = part.get_payload().strip().lower()
        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
            return False
    return True
 def check_encrypted(message, outgoing=True):
    """Check that the message is an OpenPGP-encrypted message.
    MIME structure of the message must correspond to <https://www.rfc-editor.org/rfc/rfc3156>.
    """
    if not message.is_multipart():
        return False
    if message.get_content_type() != "multipart/encrypted":
        return False
    parts_count = 0
    for part in message.iter_parts():
        # We explicitly check Content-Type of each part later,
        # but this is to be absolutely sure `get_payload()` returns string and not list.
        if part.is_multipart():
            return False
        if parts_count == 0:
            if part.get_content_type() != "application/pgp-encrypted":
                return False
            payload = part.get_payload()
            if payload.strip() != "Version: 1":
                return False
        elif parts_count == 1:
            if part.get_content_type() != "application/octet-stream":
                return False
            if not check_armored_payload(part.get_payload(), outgoing=outgoing):
                return False
        else:
            return False
        parts_count += 1
    return True
 async def asyncmain_beforequeue(config, mode):
    if mode == "outgoing":
        port = config.filtermail_smtp_port
        handler = OutgoingBeforeQueueHandler(config)
    else:
        port = config.filtermail_smtp_port_incoming
        handler = IncomingBeforeQueueHandler(config)
    HackedController(
        handler,
        hostname="127.0.0.1",
        port=port,
        data_size_limit=config.max_message_size,
    ).start()
 def recipient_matches_passthrough(recipient, passthrough_recipients):
    for addr in passthrough_recipients:
        if recipient == addr:
            return True
        if addr[0] == "@" and recipient.endswith(addr):
            return True
    return False
 class HackedController(Controller):
    def factory(self):
        return SMTPDiscardRCPTO_options(self.handler, **self.SMTP_kwargs)
 class SMTPDiscardRCPTO_options(SMTP):
    def _getparams(self, params):
        # Ignore RCPT TO parameters.
        #
        # Otherwise parameters such as `ORCPT=...`
        # or `NOTIFY=DELAY,FAILURE` (generated by Stalwart)
        # make aiosmtpd reject the message here:
        # <https://github.com/aio-libs/aiosmtpd/blob/98f578389ae86e5345cc343fa4e5a17b21d9c96d/aiosmtpd/smtp.py#L1379-L1384>
        return {}
 class OutgoingBeforeQueueHandler:
    def __init__(self, config):
        self.config = config
        self.send_rate_limiter = SendRateLimiter()
    async def handle_MAIL(self, server, session, envelope, address, mail_options):
        log_info(f"handle_MAIL from {address}")
        envelope.mail_from = address
        max_sent = self.config.max_user_send_per_minute
        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
            return f"450 4.7.1: Too much mail from {address}"
        parts = envelope.mail_from.split("@")
        if len(parts) != 2:
            return f"500 Invalid from address <{envelope.mail_from!r}>"
        return "250 OK"
    async def handle_DATA(self, server, session, envelope):
        loop = asyncio.get_running_loop()
        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
    def sync_handle_DATA(self, envelope):
        log_info("handle_DATA before-queue")
        error = self.check_DATA(envelope)
        if error:
            return error
        log_info("re-injecting the mail that passed checks")
        client = SMTPClient("localhost", self.config.postfix_reinject_port)
        client.sendmail(
            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
        )
        return "250 OK"
    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
        log_info(f"Processing DATA message from {envelope.mail_from}")
        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
        mail_encrypted = check_encrypted(message, outgoing=True)
        _, from_addr = parseaddr(message.get("from").strip())
        if envelope.mail_from.lower() != from_addr.lower():
            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
        if mail_encrypted or is_securejoin(message):
            print("Outgoing: Filtering encrypted mail.", file=sys.stderr)
            return
        print("Outgoing: Filtering unencrypted mail.", file=sys.stderr)
        if envelope.mail_from in self.config.passthrough_senders:
            return
        # allow self-sent Autocrypt Setup Message
        if envelope.rcpt_tos == [from_addr]:
            if message.get("subject") == "Autocrypt Setup Message":
                if message.get_content_type() == "multipart/mixed":
                    return
        passthrough_recipients = self.config.passthrough_recipients
        for recipient in envelope.rcpt_tos:
            if recipient_matches_passthrough(recipient, passthrough_recipients):
                continue
            print("Rejected unencrypted mail.", file=sys.stderr)
            return ENCRYPTION_NEEDED_523
 class IncomingBeforeQueueHandler:
    def __init__(self, config):
        self.config = config
    async def handle_DATA(self, server, session, envelope):
        loop = asyncio.get_running_loop()
        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
    def sync_handle_DATA(self, envelope):
        log_info("handle_DATA before-queue")
        error = self.check_DATA(envelope)
        if error:
            return error
        log_info("re-injecting the mail that passed checks")
        client = SMTPClient(
            "localhost",
            self.config.postfix_reinject_port_incoming,
        )
        client.sendmail(
            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
        )
        return "250 OK"
    def check_DATA(self, envelope):
        """the central filtering function for e-mails."""
        log_info(f"Processing DATA message from {envelope.mail_from}")
        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
        mail_encrypted = check_encrypted(message, outgoing=False)
        if mail_encrypted or is_securejoin(message):
            print("Incoming: Filtering encrypted mail.", file=sys.stderr)
            return
        print("Incoming: Filtering unencrypted mail.", file=sys.stderr)
        # we want cleartext mailer-daemon messages to pass through
        # chatmail core will typically not display them as normal messages
        if message.get("auto-submitted"):
            _, from_addr = parseaddr(message.get("from").strip())
            if from_addr.lower().startswith("mailer-daemon@"):
                if message.get_content_type() == "multipart/report":
                    return
        for recipient in envelope.rcpt_tos:
            user = self.config.get_user(recipient)
            if user is None or user.is_incoming_cleartext_ok():
                continue
            print("Rejected unencrypted mail.", file=sys.stderr)
            return ENCRYPTION_NEEDED_523
 class SendRateLimiter:
    def __init__(self):
        self.addr2timestamps = {}
    def is_sending_allowed(self, mail_from, max_send_per_minute):
        last = self.addr2timestamps.setdefault(mail_from, [])
        now = time.time()
        last[:] = [ts for ts in last if ts >= (now - 60)]
        if len(last) <= max_send_per_minute:
            last.append(now)
            return True
        return False
 def log_info(msg):
    print(msg, file=sys.stderr)
 def main():
    args = sys.argv[1:]
    assert len(args) == 2
    config = read_config(args[0])
    mode = args[1]
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
    assert mode in ["incoming", "outgoing"]
    task = asyncmain_beforequeue(config, mode)
    loop.create_task(task)
    log_info("entering serving loop")
    loop.run_forever()
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -11,9 +11,12 @@ mail_domain = {mail_domain}
 # Restrictions on user addresses
 #
-# how many mails a user can send out per minute
+# email sending rate per user and minute
 max_user_send_per_minute = 60
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
 max_user_send_burst_size = 10
 # maximum mailbox size of a chatmail address
 max_mailbox_size = 500M
--- a/chatmaild/src/chatmaild/tests/test_filtermail.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail.py
@@ -1,361 +0,0 @@
 import pytest
 from chatmaild.filtermail import (
    IncomingBeforeQueueHandler,
    OutgoingBeforeQueueHandler,
    SendRateLimiter,
    check_armored_payload,
    check_encrypted,
    is_securejoin,
 )
@pytest.fixture
 def maildomain():
    # let's not depend on a real chatmail instance for the offline tests below
    return "chatmail.example.org"
@pytest.fixture
 def handler(make_config, maildomain):
    config = make_config(maildomain)
    return OutgoingBeforeQueueHandler(config)
@pytest.fixture
 def inhandler(make_config, maildomain):
    config = make_config(maildomain)
    return IncomingBeforeQueueHandler(config)
 def test_reject_forged_from(maildata, gencreds, handler):
    class env:
        mail_from = gencreds()[0]
        rcpt_tos = [gencreds()[0]]
    # test that the filter lets good mail through
    to_addr = gencreds()[0]
    env.content = maildata(
        "encrypted.eml", from_addr=env.mail_from, to_addr=to_addr
    ).as_bytes()
    assert not handler.check_DATA(envelope=env)
    # test that the filter rejects forged mail
    env.content = maildata(
        "encrypted.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
    ).as_bytes()
    error = handler.check_DATA(envelope=env)
    assert "500" in error
 def test_filtermail_no_encryption_detection(maildata):
    msg = maildata(
        "plain.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
    # https://xkcd.com/1181/
    msg = maildata(
        "fake-encrypted.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert not check_encrypted(msg)
 def test_filtermail_securejoin_detection(maildata):
    msg = maildata(
        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
    )
    assert is_securejoin(msg)
    msg = maildata(
        "securejoin-vc-fake.eml",
        from_addr="some@example.org",
        to_addr="other@example.org",
    )
    assert not is_securejoin(msg)
 def test_filtermail_encryption_detection(maildata):
    msg = maildata(
        "encrypted.eml",
        from_addr="1@example.org",
        to_addr="2@example.org",
        subject="Subject does not matter, will be replaced anyway",
    )
    assert check_encrypted(msg)
 def test_filtermail_no_literal_packets(maildata):
    """Test that literal OpenPGP packet is not considered an encrypted mail."""
    msg = maildata("literal.eml", from_addr="1@example.org", to_addr="2@example.org")
    assert not check_encrypted(msg)
 def test_filtermail_unencrypted_mdn(maildata, gencreds):
    """Unencrypted MDNs should not pass."""
    from_addr = gencreds()[0]
    to_addr = gencreds()[0] + ".other"
    msg = maildata("mdn.eml", from_addr=from_addr, to_addr=to_addr)
    assert not check_encrypted(msg)
 def test_send_rate_limiter():
    limiter = SendRateLimiter()
    for i in range(100):
        if limiter.is_sending_allowed("some@example.org", 10):
            if i <= 10:
                continue
            pytest.fail("limiter didn't work")
        else:
            assert i == 11
            break
 def test_cleartext_excempt_privacy(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@testrun.org"
    handler.config.passthrough_recipients = [to_addr]
    false_to = "privacy@something.org"
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
    class env2:
        mail_from = from_addr
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()
    assert "523" in handler.check_DATA(envelope=env2)
 def test_cleartext_self_send_autocrypt_setup_message(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = from_addr
    msg = maildata("asm.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert not handler.check_DATA(envelope=env)
 def test_cleartext_send_fails(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = gencreds()[0]
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    res = handler.check_DATA(envelope=env)
    assert "523 Encryption Needed" in res
 def test_cleartext_incoming_fails(maildata, gencreds, inhandler):
    from_addr = gencreds()[0]
    to_addr, password = gencreds()
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    user = inhandler.config.get_user(to_addr)
    user.set_password(password)
    res = inhandler.check_DATA(envelope=env)
    assert "523 Encryption Needed" in res
    user.allow_incoming_cleartext()
    assert not inhandler.check_DATA(envelope=env)
 def test_cleartext_incoming_mailer_daemon(maildata, gencreds, inhandler):
    from_addr = "mailer-daemon@example.org"
    to_addr = gencreds()[0]
    msg = maildata("mailer-daemon.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    assert not inhandler.check_DATA(envelope=env)
 def test_cleartext_passthrough_domains(maildata, gencreds, handler):
    from_addr = gencreds()[0]
    to_addr = "privacy@x.y.z"
    handler.config.passthrough_recipients = ["@x.y.z"]
    false_to = "something@x.y"
    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
    class env:
        mail_from = from_addr
        rcpt_tos = [to_addr]
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
    class env2:
        mail_from = from_addr
        rcpt_tos = [to_addr, false_to]
        content = msg.as_bytes()
    assert "523" in handler.check_DATA(envelope=env2)
 def test_cleartext_passthrough_senders(gencreds, handler, maildata):
    acc1 = gencreds()[0]
    to_addr = "recipient@something.org"
    handler.config.passthrough_senders = [acc1]
    msg = maildata("plain.eml", from_addr=acc1, to_addr=to_addr)
    class env:
        mail_from = acc1
        rcpt_tos = to_addr
        content = msg.as_bytes()
    # assert that None/no error is returned
    assert not handler.check_DATA(envelope=env)
 def test_check_armored_payload():
    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
    comment = "Version: ProtonMail\r\n"
    payload = """\r
 wU4DSqFx0d1yqAoSAQdAYkX/ZN/Az4B0k7X47zKyWrXxlDEdS3WOy0Yf2+GJTFgg\r
 Zk5ql0mLG8Ze+ZifCS0XMO4otlemSyJ0K1ZPdFMGzUDBTgNqzkFabxXoXRIBB0AM\r
 755wlX41X6Ay3KhnwBq7yEqSykVH6F3x11iHPKraLCAGZoaS8bKKNy/zg5slda1X\r
 pt14b4aC1VwtSnYhcRRELNLD/wE2TFif+g7poMmFY50VyMPLYjVP96Z5QCT4+z4H\r
 Ikh/pRRN8S3JNMrRJHc6prooSJmLcx47Y5un7VFy390MsJ+LiUJuQMDdYWRAinfs\r
 Ebm89Ezjm7F03qbFPXE0X4ZNzVXS/eKO0uhJQdiov/vmbn41rNtHmNpqjaO0vi5+\r
 sS9tR7yDUrIXiCUCN78eBLVioxtktsPZm5cDORbQWzv+7nmCEz9/JowCUcBVdCGn\r
 1ofOaH82JCAX/cRx08pLaDNj6iolVBsi56Dd+2bGxJOZOG2AMcEyz0pXY0dOAJCD\r
 iUThcQeGIdRnU3j8UBcnIEsjLu2+C+rrwMZQESMWKnJ0rnqTk0pK5kXScr6F/L0L\r
 UE49ccIexNm3xZvYr5drszr6wz3Tv5fdue87P4etBt90gF/Vzknck+g1LLlkzZkp\r
 d8dI0k2tOSPjUbDPnSy1x+X73WGpPZmj0kWT+RGvq0nH6UkJj3AQTG2qf1T8jK+3\r
 rTp3LR9vDkMwDjX4R8SA9c0wdnUzzr79OYQC9lTnzcx+fM6BBmgQ2GrS33jaFLp7\r
 L6/DFpCl5zhnPjM/2dKvMkw/Kd6XS/vjwsO405FQdjSDiQEEAZA+ZvAfcjdccbbU\r
 yCO+x0QNdeBsufDVnh3xvzuWy4CICdTQT4s1AWRPCzjOj+SGmx5WqCLWfsd8Ma0+\r
 w/C7SfTYu1FDQILLM+llpq1M/9GPley4QZ8JQjo262AyPXsPF/OW48uuZz0Db1xT\r
 Yh4iHBztj4VSdy7l2+IyaIf7cnL4EEBFxv/MwmVDXvDlxyvfAfIsd3D9SvJESzKZ\r
 VWDYwaocgeCN+ojKu1p885lu1EfRbX3fr3YO02K5/c2JYDkc0Py0W3wUP/J1XUax\r
 pbKpzwlkxEgtmzsGqsOfMJqBV3TNDrOA2uBsa+uBqP5MGYLZ49S/4v/bW9I01Cr1\r
 D2ZkV510Y1Vgo66WlP8mRqOTyt/5WRhPD+MxXdk67BNN/PmO6tMlVoJDuk+XwWPR\r
 t2TvNaND/yabT9eYI55Og4fzKD6RIjouUX8DvKLkm+7aXxVs2uuLQ3Jco3O82z55\r
 dbShU1jYsrw9oouXUz06MHPbkdhNbF/2hfhZ2qA31sNeovJw65iUv7sDKX3LVWgJ\r
 10jlywcDwqlU8CO7WC9lGixYTbnOkYZpXCGEl8e6Jbs79l42YFo4ogYpFK1NXFhV\r
 kOXRmDf/wmfj+c/ld3L2PkvwlgofhCudOQknZbo3ub1gjiTn7L+lMGHIj/3suMIl\r
 ID4EUxAXScIM1ZEz2fjtW5jATlqYcLjLTbf/olw6HFyPNH+9IssqXeZNKnGwPUB9\r
 3lTXsg0tpzl+x7F/2WjEw1DSNhjC0KnHt1vEYNMkUGDGFdN9y3ERLqX/FIgiASUb\r
 bTvAVupnAK3raBezGmhrs6LsQtLS9P0VvQiLU3uDhMqw8Z4SISLpcD+NnVBHzQqm\r
 6W5Qn/8xsCL6av18yUVTi2G3igt3QCNoYx9evt2ZcIkNoyyagUVjfZe5GHXh8Dnz\r
 GaBXW/hg3HlXLRGaQu4RYCzBMJILcO25OhZOg6jbkCLiEexQlm2e9krB5cXR49Al\r
 UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
 =b5Kp\r
 -----END PGP MESSAGE-----\r
 \r
 \r
 """
    commented_payload = prefix + comment + payload
    assert check_armored_payload(commented_payload, outgoing=False) == True
    assert check_armored_payload(commented_payload, outgoing=True) == False
    payload = prefix + payload
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = payload.removesuffix("\r\n")
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 HELLOWORLD
 -----END PGP MESSAGE-----\r
 \r
 """
    assert check_armored_payload(payload, outgoing=False) == False
    assert check_armored_payload(payload, outgoing=True) == False
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 =njUN
 -----END PGP MESSAGE-----\r
 \r
 """
    assert check_armored_payload(payload, outgoing=False) == False
    assert check_armored_payload(payload, outgoing=True) == False
    # Test payload using partial body length
    # as generated by GopenPGP.
    payload = """-----BEGIN PGP MESSAGE-----\r
 \r
 wV4DdCVjRfOT3TQSAQdAY5+pjT6mlCxPGdR3be4w7oJJRUGIPI/Vnh+mJxGSm34w\r
 LNlVc89S1g22uQYFif2sUJsQWbpoHpNkuWpkSgOaHmNvrZiY/YU5iv+cZ3LbmtUG\r
 0uoBisSHh9O1c+5sYZSbrvYZ1NOwlD7Fv/U5/Mw4E5+CjxfdgNGp5o3DDddzPK78\r
 jseDhdSXxnaiIJC93hxNX6R1RPt3G2gukyzx69wciPQShcF8zf3W3o75Ed7B8etV\r
 QEeB16xzdFhKa9JxdjTu3osgCs21IO7wpcFkjc7nZzlW6jPnELJJaNmv4yOOCjMp\r
 6YAkaN/BkL+jHTznHDuDsT5ilnTXpwHDU1Cm9PIx/KFcNCQnIB+2DcdIHPHUH1ci\r
 jvqoeXAVWjKXEjS7PqPFuP/xGbrWG2ugs+toXJOKbgRkExvKs1dwPFKrgghvCVbW\r
 AcKejQKAPArLwpkA7aD875TZQShvGt74fNs45XBlGOYOnNOAJ1KAmzrXLIDViyyB\r
 kDsmTBk785xofuCkjBpXSe6vsMprPzCteDfaUibh8FHeJjucxPerwuOPEmnogNaf\r
 YyL4+iy8H8I9/p7pmUqILprxTG0jTOtlk0bTVzeiF56W1xbtSEMuOo4oFbQTyOM2\r
 bKXaYo774Jm+rRtKAnnI2dtf9RpK19cog6YNzfYjesLKbXDsPZbN5rmwyFiCvvxC\r
 kQ6JLob+B2fPdY2gzy7LypxktS8Zi1HJcWDHJGVmQodaDLqKUObb4M26bXDe6oxI\r
 NS8PJz5exVbM3KhZnUOEn6PJRBBf5a/ZqxlhZPcQo/oBuhKpBRpO5kSDwPIUByu3\r
 UlXLSkpMqe9pUarAOEuQjfl2RVY7U+RrQYp4YP5keMO+i8NCefAFbowTTufO1JIq\r
 2nVgCi/QVnxZyEc9OYt/8AE3g4cdojE+vsSDifZLSWYIetpfrohHv3dT3StD1QRG\r
 0QE6qq6oKpg/IL0cjvuX4c7a7bslv2fXp8t75y37RU6253qdIebhxc/cRhPbc/yu\r
 p0YLyD4SrvKTLP2ZV95jT4IPEpqm4AN3QmiOzdtqR2gLyb62L8QfqI/FdwsIiRiM\r
 hqydwoqt/lfSqG1WKPh+6EkMkH+TDiCC1BQdbN1MNcyUtcjb35PR2c8Ld2TF3guA\r
 jLIqMt/Vb7hBoMb2FcsOYY25ka9oV62OwgKWLXnFzk+modMR5fzb4kxVVAYEqP+D\r
 T5KO1Vs76v1fyPGOq6BbBCvLwTqe/e6IZInJles4v5jrhnLcGKmNGivCUDe6X6NY\r
 UKNt5RsZllwDQpaAb5dMNhyrk8SgIE7TBI7rvqIdUCE52Vy+0JDxFg5olRpFUfO6\r
 /MyTW3Yo/ekk/npHr7iYYqJTCc21bDGLWQcIo/XO7WPxrKNWGBNPFnkRdw0MaKr4\r
 +cEM3V8NFnSEpC12xA+RX/CezuJtwXZK5MpG76eYqMO6qyC+c25YcFecEufDZDxx\r
 ZLqRszVRyxyWPtk/oIeQK2v9wOqY6N9/ff01gHz69vqYqN5bUw/QKZsmx1zW+gPw\r
 6x2tDK2BHeYl182gCbhlKISRFwCtbjqZSkiKWao/VtygHkw0fK34avJuyQ/X9YaN\r
 BRy+7Lf3VA53pnB5WJ1xwRXN8VDvmZeXzv2krHveCMemj0OjnRoCLu117xN0A5m9\r
 Fm/RoDix5PolDHtWTtr2m1n2hp2LHnj8at9lFEd0SKhAYHVL9KjzycwWODZRXt+x\r
 zGDDuooEeTvdY5NLyKcl4gETz1ZP4Ez5jGGjhPSwSpq1mU7UaJ9ZXXdr4KHyifW6\r
 ggNzNsGhXTap7IWZpTtqXABydfiBshmH2NjqtNDwBweJVSgP10+r0WhMWlaZs6xl\r
 V3o5yskJt6GlkwpJxZrTvN6Tiww/eW7HFV6NGf7IRSWY5tJc/iA7/92tOmkdvJ1q\r
 myLbG7cJB787QjplEyVe2P/JBO6xYvbkJLf9Q+HaviTO25rugRSrYsoKMDfO8VlQ\r
 1CcnTPVtApPZJEQzAWJEgVAM8uIlkqWJJMgyWT34sTkdBeCUFGloXQFs9Yxd0AGf\r
 /zHEkYZSTKpVSvAIGu4=\r
 =6iHb\r
 -----END PGP MESSAGE-----\r
 """
    assert check_armored_payload(payload, outgoing=False) == True
    assert check_armored_payload(payload, outgoing=True) == True
--- a/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail_blackbox.py
@@ -57,10 +57,19 @@ def test_one_mail(
    path = str(config._inipath)
    popen = make_popen(["filtermail", path, filtermail_mode])
-    line = popen.stderr.readline().strip()
+
-    if b"loop" not in line:
+    # Wait for filtermail to start accepting connections
-        print(line.decode("ascii"), file=sys.stderr)
+    import socket
-        pytest.fail("starting filtermail failed")
+    import time
    for _ in range(50):  # 5 second timeout
        try:
            sock = socket.create_connection(("127.0.0.1", smtp_inject_port), timeout=0.1)
            sock.close()
            break
        except (ConnectionRefusedError, OSError):
            time.sleep(0.1)
    else:
        pytest.fail("filtermail failed to start accepting connections")
    addr = f"user1@{config.mail_domain}"
    config.get_user(addr).set_password("l1k2j3l1k2j3l")
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -5,6 +5,11 @@ import os
 from pyinfra.operations import files, server, systemd
 def has_systemd():
    """Returns False during Docker image builds or any other non-systemd environment."""
    return os.path.isdir("/run/systemd/system")
 def get_resource(arg, pkg=__package__):
    return importlib.resources.files(pkg).joinpath(arg)
@@ -17,9 +22,8 @@ def configure_remote_units(mail_domain, units) -> None:
    # install systemd units
    for fn in units:
        execpath = fn if fn != "filtermail-incoming" else "filtermail"
        params = dict(
-            execpath=f"{remote_venv_dir}/bin/{execpath}",
+            execpath=f"{remote_venv_dir}/bin/{fn}",
            config_path=remote_chatmail_inipath,
            remote_venv_dir=remote_venv_dir,
            mail_domain=mail_domain,
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -101,11 +101,17 @@ def run_cmd(args, out):
    env["CHATMAIL_WEBSITE_ONLY"] = "True" if args.website_only else ""
    env["CHATMAIL_DISABLE_MAIL"] = "True" if args.disable_mail else ""
    env["CHATMAIL_REQUIRE_IROH"] = "True" if require_iroh else ""
    if not args.dns_check_disabled:
        env["CHATMAIL_ADDR_V4"] = remote_data.get("A") or ""
        env["CHATMAIL_ADDR_V6"] = remote_data.get("AAAA") or ""
    deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
    cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
    if ssh_host in ["localhost", "@docker"]:
        if ssh_host == "@docker":
            env["CHATMAIL_NOPORTCHECK"] = "True"
            env["CHATMAIL_NOSYSCTL"] = "True"
        cmd = f"{pyinf} @local {deploy_path} -y"
    if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -121,7 +127,7 @@ def run_cmd(args, out):
                out.red("Website deployment failed.")
        elif retcode == 0:
            out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not remote_data["acme_account_url"]:
+        elif not args.dns_check_disabled and not remote_data["acme_account_url"]:
            out.red("Deploy completed but letsencrypt not configured")
            out.red("Run 'cmdeploy run' again")
            retcode = 0
@@ -325,7 +331,7 @@ def add_config_option(parser):
        "--config",
        dest="inipath",
        action="store",
-        default=Path("chatmail.ini"),
+        default=Path(os.environ.get("CHATMAIL_INI", "chatmail.ini")),
        type=Path,
        help="path to the chatmail.ini file",
    )
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -2,6 +2,7 @@
 Chat Mail pyinfra deploy.
 """
 import os
 import shutil
 import subprocess
 import sys
@@ -10,6 +11,7 @@ from pathlib import Path
 from chatmaild.config import read_config
 from pyinfra import facts, host, logger
 from pyinfra.facts import hardware
 from pyinfra.api import FactBase
 from pyinfra.facts.files import Sha256File
 from pyinfra.facts.systemd import SystemdEnabled
@@ -24,8 +26,10 @@ from .basedeploy import (
    activate_remote_units,
    configure_remote_units,
    get_resource,
    has_systemd,
 )
 from .dovecot.deployer import DovecotDeployer
 from .filtermail.deployer import FiltermailDeployer
 from .mtail.deployer import MtailDeployer
 from .nginx.deployer import NginxDeployer
 from .opendkim.deployer import OpendkimDeployer
@@ -35,7 +39,7 @@ from .www import build_webpages, find_merge_conflict, get_paths
 class Port(FactBase):
    """
-    Returns the process occuping a port.
+    Returns the process occupying a port.
    """
    def command(self, port: int) -> str:
@@ -63,6 +67,8 @@ def _build_chatmaild(dist_dir) -> None:
 def remove_legacy_artifacts():
    if not has_systemd():
        return
    # disable legacy doveauth-dictproxy.service
    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
        systemd.service(
@@ -140,6 +146,10 @@ def _configure_remote_venv_with_chatmaild(config) -> None:
 class UnboundDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.need_restart = False
    def install(self):
        # Run local DNS resolver `unbound`.
        # `resolvconf` takes care of setting up /etc/resolv.conf
@@ -176,6 +186,27 @@ class UnboundDeployer(Deployer):
                "unbound-anchor -a /var/lib/unbound/root.key || true",
            ],
        )
        if self.config.disable_ipv6:
            files.directory(
                path="/etc/unbound/unbound.conf.d",
                present=True,
                user="root",
                group="root",
                mode="755",
            )
            conf = files.put(
                src=get_resource("unbound/unbound.conf.j2"),
                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
                user="root",
                group="root",
                mode="644",
            )
        else:
            conf = files.file(
                path="/etc/unbound/unbound.conf.d/chatmail.conf",
                present=False,
            )
        self.need_restart |= conf.changed
    def activate(self):
        server.shell(
@@ -190,6 +221,7 @@ class UnboundDeployer(Deployer):
            service="unbound.service",
            running=True,
            enabled=True,
            restarted=self.need_restart,
        )
@@ -271,7 +303,7 @@ class LegacyRemoveDeployer(Deployer):
            present=False,
        )
        # remove echobot if it is still running
-        if host.get_fact(SystemdEnabled).get("echobot.service"):
+        if has_systemd() and host.get_fact(SystemdEnabled).get("echobot.service"):
            systemd.service(
                name="Disable echobot.service",
                service="echobot.service",
@@ -416,8 +448,6 @@ class ChatmailVenvDeployer(Deployer):
    def __init__(self, config):
        self.config = config
        self.units = (
            "filtermail",
            "filtermail-incoming",
            "chatmail-metadata",
            "lastlogin",
            "chatmail-expire",
@@ -528,47 +558,64 @@ def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -
        files.line(
            name="Add 9.9.9.9 to resolv.conf",
            path="/etc/resolv.conf",
-            line="nameserver 9.9.9.9",
+            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
            line="\nnameserver 9.9.9.9",
        )
-    port_services = [
+    # Check if mtail_address interface is available (if configured)
-        (["master", "smtpd"], 25),
+    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
-        ("unbound", 53),
+        ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
-        ("acmetool", 80),
+        all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
-        (["imap-login", "dovecot"], 143),
+        if config.mtail_address not in all_addresses:
-        ("nginx", 443),
+            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
-        (["master", "smtpd"], 465),
+            exit(1)
-        (["master", "smtpd"], 587),
+
-        (["imap-login", "dovecot"], 993),
+    if not os.environ.get("CHATMAIL_NOPORTCHECK"):
-        ("iroh-relay", 3340),
+        port_services = [
-        ("mtail", 3903),
+            (["master", "smtpd"], 25),
-        ("dovecot-stats", 3904),
+            ("unbound", 53),
-        ("nginx", 8443),
+            ("acmetool", 80),
-        (["master", "smtpd"], config.postfix_reinject_port),
+            (["imap-login", "dovecot"], 143),
-        (["master", "smtpd"], config.postfix_reinject_port_incoming),
+            ("nginx", 443),
-        ("filtermail", config.filtermail_smtp_port),
+            (["master", "smtpd"], 465),
-        ("filtermail", config.filtermail_smtp_port_incoming),
+            (["master", "smtpd"], 587),
-    ]
+            (["imap-login", "dovecot"], 993),
-    for service, port in port_services:
+            ("iroh-relay", 3340),
-        print(f"Checking if port {port} is available for {service}...")
+            ("mtail", 3903),
-        running_service = host.get_fact(Port, port=port)
+            ("stats", 3904),
-        if running_service:
+            ("nginx", 8443),
-            if running_service not in service:
+            (["master", "smtpd"], config.postfix_reinject_port),
-                Out().red(
+            (["master", "smtpd"], config.postfix_reinject_port_incoming),
-                    f"Deploy failed: port {port} is occupied by: {running_service}"
+            ("filtermail", config.filtermail_smtp_port),
-                )
+            ("filtermail", config.filtermail_smtp_port_incoming),
-                exit(1)
+        ]
        for service, port in port_services:
            print(f"Checking if port {port} is available for {service}...")
            running_service = host.get_fact(Port, port=port)
            services = [service] if isinstance(service, str) else service
            if running_service:
                if running_service not in services:
                    Out().red(
                        f"Deploy failed: port {port} is occupied by: {running_service}"
                    )
                    exit(1)
    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
    all_deployers = [
        ChatmailDeployer(mail_domain),
        LegacyRemoveDeployer(),
        FiltermailDeployer(),
        JournaldDeployer(),
-        UnboundDeployer(),
+        UnboundDeployer(config),
        TurnDeployer(mail_domain),
        IrohDeployer(config.enable_iroh_relay),
-        AcmetoolDeployer(config.acme_email, tls_domains),
+    ]
    if not config.noacme:
        all_deployers.append(AcmetoolDeployer(config.acme_email, tls_domains))
    all_deployers += [
        WebsiteDeployer(config),
        ChatmailVenvDeployer(config),
        MtastsDeployer(),
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -1,3 +1,5 @@
 import os
 from chatmaild.config import Config
 from pyinfra import host
 from pyinfra.facts.server import Arch, Sysctl
@@ -9,6 +11,7 @@ from cmdeploy.basedeploy import (
    activate_remote_units,
    configure_remote_units,
    get_resource,
    has_systemd,
 )
@@ -22,10 +25,11 @@ class DovecotDeployer(Deployer):
    def install(self):
        arch = host.get_fact(Arch)
-        if not "dovecot.service" in host.get_fact(SystemdEnabled):
+        if has_systemd() and "dovecot.service" in host.get_fact(SystemdEnabled):
-            _install_dovecot_package("core", arch)
+            return  # already installed and running
-            _install_dovecot_package("imapd", arch)
+        _install_dovecot_package("core", arch)
-            _install_dovecot_package("lmtpd", arch)
+        _install_dovecot_package("imapd", arch)
        _install_dovecot_package("lmtpd", arch)
    def configure(self):
        configure_remote_units(self.config.mail_domain, self.units)
@@ -116,18 +120,19 @@ def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
    # it is recommended to set the following inotify limits
-    for name in ("max_user_instances", "max_user_watches"):
+    if not os.environ.get("CHATMAIL_NOSYSCTL"):
-        key = f"fs.inotify.{name}"
+        for name in ("max_user_instances", "max_user_watches"):
-        if host.get_fact(Sysctl)[key] > 65535:
+            key = f"fs.inotify.{name}"
-            # Skip updating limits if already sufficient
+            if host.get_fact(Sysctl)[key] > 65535:
-            # (enables running in incus containers where sysctl readonly)
+                # Skip updating limits if already sufficient
-            continue
+                # (enables running in incus containers where sysctl readonly)
-        server.sysctl(
+                continue
-            name=f"Change {key}",
+            server.sysctl(
-            key=key,
+                name=f"Change {key}",
-            value=65535,
+                key=key,
-            persist=True,
+                value=65535,
-        )
+                persist=True,
            )
    timezone_env = files.line(
        name="Set TZ environment variable",
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,7 +1,7 @@
 ## Dovecot configuration file
 {% if disable_ipv6 %}
-listen = *
+listen = 0.0.0.0
 {% endif %}
 protocols = imap lmtp
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -0,0 +1,52 @@
 from pyinfra import facts, host
 from pyinfra.operations import files, systemd
 from cmdeploy.basedeploy import Deployer, get_resource
 class FiltermailDeployer(Deployer):
    services = ["filtermail", "filtermail-incoming"]
    bin_path = "/usr/local/bin/filtermail"
    config_path = "/usr/local/lib/chatmaild/chatmail.ini"
    def __init__(self):
        self.need_restart = False
    def install(self):
        arch = host.get_fact(facts.server.Arch)
        url = f"https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-{arch}"
        sha256sum = {
            "x86_64": "f14a31323ae2dad3b59d3fdafcde507521da2f951a9478cd1f2fe2b4463df71d",
            "aarch64": "933770d75046c4fd7084ce8d43f905f8748333426ad839154f0fc654755ef09f",
        }[arch]
        self.need_restart |= files.download(
            name="Download filtermail",
            src=url,
            sha256sum=sha256sum,
            dest=self.bin_path,
            mode="755",
        ).changed
    def configure(self):
        for service in self.services:
            self.need_restart |= files.template(
                src=get_resource(f"filtermail/{service}.service.j2"),
                dest=f"/etc/systemd/system/{service}.service",
                user="root",
                group="root",
                mode="644",
                bin_path=self.bin_path,
                config_path=self.config_path,
            ).changed
    def activate(self):
        for service in self.services:
            systemd.service(
                name=f"Start and enable {service}",
                service=f"{service}.service",
                running=True,
                enabled=True,
                restarted=self.need_restart,
                daemon_reload=True,
            )
        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
@@ -2,11 +2,10 @@
 Description=Incoming Chatmail Postfix before queue filter 
 [Service]
-ExecStart={execpath} {config_path} incoming
+ExecStart={{ bin_path }} {{ config_path }} incoming
 Restart=always
 RestartSec=30
 User=vmail
 [Install]
 WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
@@ -2,7 +2,7 @@
 Description=Outgoing Chatmail Postfix before queue filter
 [Service]
-ExecStart={execpath} {config_path} outgoing
+ExecStart={{ bin_path }} {{ config_path }} outgoing
 Restart=always
 RestartSec=30
 User=vmail
--- a/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
+++ b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
@@ -44,21 +44,37 @@ counter warning_count
 }
-counter filtered_mail_count
+counter filtered_outgoing_mail_count
-counter encrypted_mail_count
+counter outgoing_encrypted_mail_count
-/Filtering encrypted mail\./ {
+/Outgoing: Filtering encrypted mail\./ {
-  encrypted_mail_count++
+  outgoing_encrypted_mail_count++
-  filtered_mail_count++
+  filtered_outgoing_mail_count++
 }
-counter unencrypted_mail_count
+counter outgoing_unencrypted_mail_count
-/Filtering unencrypted mail\./ {
+/Outgoing: Filtering unencrypted mail\./ {
-  unencrypted_mail_count++
+  outgoing_unencrypted_mail_count++
-  filtered_mail_count++
+  filtered_outgoing_mail_count++
 }
 counter filtered_incoming_mail_count
 counter incoming_encrypted_mail_count
 /Incoming: Filtering encrypted mail\./ {
  incoming_encrypted_mail_count++
  filtered_incoming_mail_count++
 }
 counter incoming_unencrypted_mail_count
 /Incoming: Filtering unencrypted mail\./ {
  incoming_unencrypted_mail_count++
  filtered_incoming_mail_count++
 }
 counter rejected_unencrypted_mail_count
-/Rejected unencrypted mail\./ {
+/Rejected unencrypted mail/ {
  rejected_unencrypted_mail_count++
 }
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -61,6 +61,20 @@ class PostfixDeployer(Deployer):
        )
        need_restart |= lmtp_header_cleanup.changed
        tls_policy_map = files.put(
            name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
            src=get_resource("postfix/smtp_tls_policy_map"),
            dest="/etc/postfix/smtp_tls_policy_map",
            user="root",
            group="root",
            mode="644",
        )
        need_restart |= tls_policy_map.changed
        if tls_policy_map.changed:
            server.shell(
                commands=["postmap /etc/postfix/smtp_tls_policy_map"],
            )
        # Login map that 1:1 maps email address to login.
        login_map = files.put(
            src=get_resource("postfix/login_map"),
--- a/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
+++ b/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
@@ -1,2 +1,3 @@
 /^DKIM-Signature:/            IGNORE
 /^Authentication-Results:/            IGNORE
 /^Received:/            IGNORE
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -25,7 +25,7 @@ smtp_tls_security_level=verify
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = inline:{nauta.cu=may}
+smtp_tls_policy_maps = regexp:/etc/postfix/smtp_tls_policy_map
 smtp_tls_protocols = >=TLSv1.2
 smtp_tls_mandatory_protocols = >=TLSv1.2
@@ -64,7 +64,20 @@ alias_database = hash:/etc/aliases
 mydestination =
 relayhost = 
 {% if disable_ipv6 %}
 mynetworks = 127.0.0.0/8
 {% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 {% endif %}
 {% if config.addr_v4 %}
 smtp_bind_address = {{ config.addr_v4 }}
 {% endif %}
 {% if config.addr_v6 %}
 smtp_bind_address6 = {{ config.addr_v6 }}
 {% endif %}
 {% if config.addr_v4 or config.addr_v6 %}
 smtp_bind_address_enforce = yes
 {% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
--- a/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
+++ b/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
@@ -0,0 +1,2 @@
 /^\[[^]]+\]$/ encrypt
 /^nauta\.cu$/    may
--- a/cmdeploy/src/cmdeploy/sshexec.py
+++ b/cmdeploy/src/cmdeploy/sshexec.py
@@ -89,6 +89,11 @@ class LocalExec:
        self.verbose = verbose
        self.docker = docker
    def __call__(self, call, kwargs=None, log_callback=None):
        if kwargs is None:
            kwargs = {}
        return call(**kwargs)
    def logged(self, call, kwargs: dict):
        where = "locally"
        if self.docker:
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -189,12 +189,14 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
    mail = maildata(
        "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
    ).as_string()
-    for i in range(chatmail_config.max_user_send_per_minute + 5):
+
-        print("Sending mail", str(i))
+    start = time.time()
    for i in range(chatmail_config.max_user_send_per_minute * 3):
        print("Sending mail", str(i + 1), "at", time.time() - start, "s.")
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
        except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_per_minute:
+            if i < chatmail_config.max_user_send_burst_size:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
--- a/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
+++ b/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
@@ -0,0 +1,4 @@
 # Managed by cmdeploy: disable IPv6 in unbound.
 server:
  interface: 127.0.0.1
  do-ip6: no
--- a/doc/source/docker.rst
+++ b/doc/source/docker.rst
@@ -0,0 +1,262 @@
 Docker installation
 ===================
 This section provides instructions for installing a chatmail relay
 using Docker Compose.
 .. note::
   Docker support is experimental and not yet covered by automated tests, please report bugs.
 Known limitations
 -----------------
 - Requires cgroups v2 on the host. Operation with cgroups v1 has not been tested.
 - This preliminary image simply wraps the cmdeploy process detailed in the :doc:`getting_started` instructions in a full Debian-systemd image. 
 - Currently, the image has only been tested and built on amd64, though arm64 should theoretically work as well.
 Prerequisites
 -------------
 - **Docker Compose v2** (``docker compose``, not ``docker-compose``) is
  required for its ``cgroup: host`` support (`Install instructions <https://docs.docker.com/engine/install/debian/#install-using-the-repository>`_:)
 - **DNS records** for your domain (see step 1 below).
 - **Kernel parameters** — ``fs.inotify.max_user_instances`` and
  ``fs.inotify.max_user_watches`` must be raised on the host because they
  cannot be changed inside the container (see step 2 below).
 Preliminary setup
 -----------------
 We use ``chat.example.org`` as the chatmail domain in the following
 steps. Please substitute it with your own domain.
 1. Setup the initial DNS records.
   The following is an example in the familiar BIND zone file format with
   a TTL of 1 hour (3600 seconds).
   Please substitute your domain and IP addresses.
   ::
       chat.example.org. 3600 IN A 198.51.100.5
       chat.example.org. 3600 IN AAAA 2001:db8::5
       www.chat.example.org. 3600 IN CNAME chat.example.org.
       mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
 2. Configure kernel parameters on the host, as these can not be set from the container::
       echo "fs.inotify.max_user_instances=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
       echo "fs.inotify.max_user_watches=65536" | sudo tee -a /etc/sysctl.d/99-inotify.conf
       sudo sysctl --system
 Docker Compose Setup
 --------------------
 Pre-built images are available from GitHub Container Registry. The
 ``main`` branch and tagged releases are pushed automatically by CI::
    docker pull ghcr.io/chatmail/relay:main      # latest main branch
    docker pull ghcr.io/chatmail/relay:1.2.3     # tagged release
 Create service directory
 ^^^^^^^^^^^^^^^^^^^^^^^^
 Either:
 - Create a service directory, e.g., `/srv/chatmail-relay`::
    mkdir -p /srv/chatmail-relay && cd /srv/chatmail-relay
    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.yaml https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker-compose.override.yaml.example
    wget https://raw.githubusercontent.com/chatmail/relay/refs/heads/main/docker/env.example -O .env
 - or clone the chatmail repo ::
   git clone https://github.com/chatmail/relay
   cd relay
   cp example.env .env
 Customize and start
 ^^^^^^^^^^^^^^^^^^^
 1. All local customizations (data paths, extra volumes, config mounts) go in
   ``docker-compose.override.yaml``, which Compose merges automatically with
   the base file. By default, all data is stored in docker volumes, you will
   likely want to at least create and configure the mail storage location. Copy
   the example to get started::
       cp docker/docker-compose.override.yaml.example docker-compose.override.yaml
       # and edit docker-compose.override.yaml
 2. Configure the ``.env`` file. Only ``MAIL_DOMAIN`` is required, the domain
   name of the future server.
   The container generates a ``chatmail.ini`` with defaults from
   ``MAIL_DOMAIN`` on first start. To customize chatmail settings, mount
   your own ``chatmail.ini`` instead (see `Custom chatmail.ini`_ below).
 3. Start the container::
       docker compose up -d
       docker compose logs -f chatmail   # view logs, Ctrl+C to exit
 4. After installation is complete, open ``https://chat.example.org`` in
   your browser.
 Managing the server
 -------------------
 Use ``docker exec`` to run cmdeploy commands inside the container::
    # Show required DNS records
    docker exec chatmail /opt/cmdeploy/bin/cmdeploy dns --ssh-host @local
    # Check server status
    docker exec chatmail /opt/cmdeploy/bin/cmdeploy status --ssh-host @local
    # Run benchmarks (can also run from any machine with cmdeploy installed)
    docker exec chatmail /opt/cmdeploy/bin/cmdeploy bench chat.example.org
 Customization
 -------------
 Custom website
 ^^^^^^^^^^^^^^
 You can customize the chatmail landing page by mounting a directory with
 your own website source files.
 1. Create a directory with your custom website source::
       mkdir -p ./custom/www/src
       nano ./custom/www/src/index.md
 2. Add the volume mount in ``docker-compose.override.yaml``::
       services:
         chatmail:
           volumes:
             - ./custom/www:/opt/chatmail-www
 3. Restart the service::
       docker compose down
       docker compose up -d
 Custom chatmail.ini
 ^^^^^^^^^^^^^^^^^^^
 There are two configuration modes:
 **Simple (default):** Set ``MAIL_DOMAIN`` in ``.env``. The container
 auto-generates ``chatmail.ini`` with defaults on first start. This is
 sufficient for most deployments.
 **Advanced:** Generate a ``chatmail.ini``, edit it, and mount it into
 the container. This gives you full control over all chatmail settings.
 1. Extract the generated config from a running container::
       docker cp chatmail:/etc/chatmail/chatmail.ini ./chatmail.ini
 2. Edit ``chatmail.ini`` as needed.
 3. Add the volume mount in ``docker-compose.override.yaml`` ::
       services:
         chatmail:
           volumes:
             - ./chatmail.ini:/etc/chatmail/chatmail.ini
 4. Restart the container, the container skips generating a new one: ::
       docker compose down && docker compose up -d
 Migrating from a bare-metal install
 ------------------------------------
 If you have an existing bare-metal chatmail installation and want to
 switch to Docker:
 1. Stop all existing services::
       systemctl stop postfix dovecot doveauth nginx opendkim unbound \
         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
         iroh-relay chatmail-metadata lastlogin mtail
       systemctl disable postfix dovecot doveauth nginx opendkim unbound \
         acmetool-redirector filtermail filtermail-incoming chatmail-turn \
         iroh-relay chatmail-metadata lastlogin mtail
 2. Copy your existing ``chatmail.ini`` and mount it into the container
   (see `Custom chatmail.ini`_ above)::
       cp /usr/local/lib/chatmaild/chatmail.ini ./chatmail.ini
 3. Copy persistent data into the ``./data/`` subdirectories (for example, as configured in `Customize and start`_) ::
       mkdir -p data/chatmail-dkimkeys data/chatmail-acme data/chatmail
       # DKIM keys
       cp -a /etc/dkimkeys/* data/chatmail-dkimkeys/
       # ACME certificates and account
       rsync -a /var/lib/acme/ data/chatmail-acme/
       # Mail data
       rsync -a /home/ data/chatmail/
   Alternatively, mount ``/home/vmail`` directly by changing the volume
   in ``docker-compose-override.yaml``::
       - /home/vmail:/home/vmail
   The three ``./data/`` subdirectories cover all persistent state.
   Everything else is regenerated by the ``configure`` and ``activate``
   stages on container start.
 Building the image
 ------------------
 Clone the repository and build the Docker image::
    git clone https://github.com/chatmail/relay
    cd relay
    docker compose build chatmail
 The build bakes all binaries, Python packages, and the install stage
 into the image. After building, only ``docker-compose.yaml`` and ``.env``
 are needed to run the container.
 You can transfer a locally built image to your server directly (pigz is parallel `gzip` which can be used instead as well) ::
    docker save chatmail-relay:latest | pigz | ssh chat.example.org 'pigz -d | docker load'
 Forcing a full reinstall
 ------------------------
 On container start, only the ``configure`` and ``activate`` stages run by default.
 To force a full reinstall (e.g. after updating the source), either
 rebuild the image::
    docker compose build chatmail
    docker compose up -d
 Or override the stages at runtime without rebuilding::
    CMDEPLOY_STAGES="install,configure,activate" docker compose up -d
--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -80,6 +80,12 @@ steps. Please substitute it with your own domain.
   configure at your DNS provider (it can take some time until they are
   public).
 Docker installation
 -------------------
 There is experimental support for running chatmail via Docker Compose.
 See :doc:`docker` for full setup instructions.
 Other helpful commands
 ----------------------
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -13,6 +13,7 @@ Contributions and feedback welcome through the https://github.com/chatmail/relay
    :maxdepth: 5
    getting_started
    docker
    proxy
    migrate
    overview
--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -42,6 +42,11 @@ The deployed system components of a chatmail relay are:
 -  Dovecot_ is the Mail Delivery Agent (MDA) and
   stores messages for users until they download them
 -  `filtermail <https://github.com/chatmail/filtermail>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  Nginx_ shows the web page with privacy policy and additional information
 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
@@ -85,11 +90,6 @@ short overview of ``chatmaild`` services:
   <https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
   to authenticate logins.
 -  `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
   prevents unencrypted email from leaving or entering the chatmail
   service and is integrated into Postfix’s outbound and inbound mail
   pipelines.
 -  `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
   is contacted by a `Dovecot lua
   script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
--- a/doc/source/related.rst
+++ b/doc/source/related.rst
@@ -14,8 +14,8 @@ We know of three work-in-progress alternative implementation efforts:
   it to support all of the features and configuration settings required
   to operate as a chatmail relay.
-  `Madmail <https://github.com/omidz4t/madmail>`_: an
+-  `Madmail <https://github.com/themadorg/madmail>`_: an
-   experimental fork of Maddy Mail Server <https://maddy.email/>`_ optimized
+   experimental fork of `Maddy Mail Server <https://maddy.email/>`_, modified
   for chatmail deployments.  It provides a single binary solution
   for running a chatmail relay.
--- a/docker-compose.override.yaml.example
+++ b/docker-compose.override.yaml.example
@@ -0,0 +1,33 @@
 # Local overrides — copy to docker-compose.override.yaml in the repo root.
 # Compose automatically merges this with docker-compose.yaml.
 #
 #   cp docker/docker-compose.override.yaml.example docker-compose.override.yaml
 #
 # Volumes listed here are APPENDED to the base file's volumes.
 # Scalar values (environment, image, etc.) are REPLACED.
 services:
  chatmail:
    volumes:
      ## Data paths — bind-mount to host directories for easy access/backup.
      ## Uncomment and adjust paths as needed. These override the named
      ## volumes in the base docker-compose.yaml.
      # - ./data/chatmail:/home/vmail
      # - ./data/chatmail-dkimkeys:/etc/dkimkeys
      # - ./data/chatmail-acme:/var/lib/acme
      ## Or mount data from an existing bare-metal install.
      ## Note: DKIM key ownership is fixed automatically on startup
      ## (the host's opendkim UID may differ from the container's).
      # - /home/vmail:/home/vmail
      # - /etc/dkimkeys:/etc/dkimkeys
      # - /var/lib/acme:/var/lib/acme
      ## Mount your own chatmail.ini (skips auto-generation):
      # - ./chatmail.ini:/etc/chatmail/chatmail.ini
      ## Custom website:
      # - ./custom/www:/opt/chatmail-www
      ## Debug — mount scripts from the repo for live editing:
      # - ./docker/files/setup_chatmail_docker.sh:/setup_chatmail_docker.sh
      # - ./docker/files/entrypoint.sh:/entrypoint.sh
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -0,0 +1,51 @@
 # Base compose file — do not edit. Put customizations (data paths, extra
 # volumes, env overrides) in docker-compose.override.yaml instead.
 # See docker/docker-compose.override.yaml.example for a starting point.
 #
 # Security note: this container uses network_mode:host (chatmail needs many
 # ports: 25, 53, 80, 143, 443, 465, 587, 993, 3340, 8443) and cgroup:host
 # (required for systemd). Together these give the container near-host-level
 # access. This is acceptable for a dedicated mail server, but be aware that
 # the container can bind any port and see all host network traffic.
 services:
  chatmail:
    build:
      context: ./
      dockerfile: docker/chatmail_relay.dockerfile
      args:
        GIT_HASH: ${GIT_HASH:-unknown}
    image: chatmail-relay:latest
    restart: unless-stopped
    container_name: chatmail
    # Required for systemd — use only one of the following:
    cgroup: host          # compose v2 only
    # privileged: true    # compose v1 (not tested)
    tty: true # required for logs
    tmpfs: # required for systemd
      - /tmp
      - /run
      - /run/lock
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      MAIL_DOMAIN: $MAIL_DOMAIN
      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
      CHATMAIL_NOSYSCTL: ${CHATMAIL_NOSYSCTL:-True}
      CHATMAIL_NOPORTCHECK: ${CHATMAIL_NOPORTCHECK:-True}
      CHATMAIL_NOACME: ${CHATMAIL_NOACME:-}
    network_mode: "host"
    volumes:
      ## system (required)
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
      ## data (defaults — override in docker-compose.override.yaml)
      - chatmail-data:/home/vmail
      - chatmail-dkimkeys:/etc/dkimkeys
      - chatmail-acme:/var/lib/acme
 volumes:
  chatmail-data:
  chatmail-dkimkeys:
  chatmail-acme:
--- a/docker/build.sh
+++ b/docker/build.sh
@@ -0,0 +1,9 @@
 #!/bin/sh
 # Build the chatmail Docker image with the current git hash baked in.
 # Usage: ./docker/build.sh [extra docker-compose build args...]
 #
 # .git/ is excluded from the build context (.dockerignore) so the hash
 # must be passed as a build arg from the host.
 export GIT_HASH=$(git rev-parse --short HEAD)
 exec docker compose build "$@"
--- a/docker/chatmail_relay.dockerfile
+++ b/docker/chatmail_relay.dockerfile
@@ -0,0 +1,105 @@
 FROM jrei/systemd-debian:12 AS base
 ENV LANG=en_US.UTF-8
 RUN echo 'APT::Install-Recommends "0";' > /etc/apt/apt.conf.d/01norecommend && \
    echo 'APT::Install-Suggests "0";' >> /etc/apt/apt.conf.d/01norecommend && \
    apt-get update && \
    apt-get install -y \
        ca-certificates && \
    DEBIAN_FRONTEND=noninteractive \
    TZ=UTC \
    apt-get install -y tzdata && \
    apt-get install -y locales && \
    sed -i -e "s/# $LANG.*/$LANG UTF-8/" /etc/locale.gen && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=$LANG \
    && rm -rf /var/lib/apt/lists/*
 RUN apt-get update && \
    apt-get install -y \
        git \
        python3 \
        python3-venv \
        python3-virtualenv \
        gcc \
        python3-dev \
        opendkim \
        opendkim-tools \
        curl \
        rsync \
        unbound \
        unbound-anchor \
        dnsutils \
        postfix \
        acl \
        nginx \
        libnginx-mod-stream \
        fcgiwrap \
        cron \
    && rm -rf /var/lib/apt/lists/*
 # --- Build-time: install cmdeploy venv and run install stage ---
 # Editable install so importlib.resources reads directly from the source tree.
 # On container start only "configure,activate" stages run.
 COPY . /opt/chatmail/
 WORKDIR /opt/chatmail
 RUN printf '[params]\nmail_domain = build.local\n' > /tmp/chatmail.ini
 # Dummy git repo init: .git/ is excluded from the build context (.dockerignore)
 # but setuptools calls `git ls-files` when building the sdist.
 RUN git init -q && \
    python3 -m venv /opt/cmdeploy && \
    /opt/cmdeploy/bin/pip install --no-cache-dir \
        -e chatmaild/ -e cmdeploy/
 RUN CMDEPLOY_STAGES=install \
    CHATMAIL_INI=/tmp/chatmail.ini \
    CHATMAIL_NOSYSCTL=True \
    CHATMAIL_NOPORTCHECK=True \
    /opt/cmdeploy/bin/pyinfra @local \
        /opt/chatmail/cmdeploy/src/cmdeploy/run.py -y
 RUN cp -a www/ /opt/chatmail-www/
 RUN rm -f /tmp/chatmail.ini
 # Record image version (used in deploy fingerprint at runtime).
 # GIT_HASH is passed as a build arg (from docker-compose or CI) so that
 # .git/ can be excluded from the build context via .dockerignore.
 ARG GIT_HASH=unknown
 RUN echo "$GIT_HASH" > /etc/chatmail-image-version && \
    echo "$GIT_HASH" > /etc/chatmail-version
 # --- End build-time install ---
 ENV CHATMAIL_INI=/etc/chatmail/chatmail.ini
 ENV PATH="/opt/cmdeploy/bin:${PATH}"
 RUN ln -s /etc/chatmail/chatmail.ini /opt/chatmail/chatmail.ini
 ARG SETUP_CHATMAIL_SERVICE_PATH=/lib/systemd/system/setup_chatmail.service
 COPY ./docker/files/setup_chatmail.service "$SETUP_CHATMAIL_SERVICE_PATH"
 RUN ln -sf "$SETUP_CHATMAIL_SERVICE_PATH" "/etc/systemd/system/multi-user.target.wants/setup_chatmail.service"
 # Remove default nginx site config at build time (not in entrypoint)
 RUN rm -f /etc/nginx/sites-enabled/default
 COPY --chmod=555 ./docker/files/setup_chatmail_docker.sh /setup_chatmail_docker.sh
 COPY --chmod=555 ./docker/files/entrypoint.sh /entrypoint.sh
 # Certificate monitoring as a proper systemd timer (not a background process)
 COPY --chmod=555 ./docker/files/chatmail-certmon.sh /chatmail-certmon.sh
 COPY ./docker/files/chatmail-certmon.service /lib/systemd/system/chatmail-certmon.service
 COPY ./docker/files/chatmail-certmon.timer /lib/systemd/system/chatmail-certmon.timer
 RUN ln -sf /lib/systemd/system/chatmail-certmon.timer /etc/systemd/system/timers.target.wants/chatmail-certmon.timer
 HEALTHCHECK --interval=60s --timeout=10s --retries=3 \
  CMD systemctl is-active dovecot postfix nginx unbound opendkim filtermail doveauth chatmail-metadata || exit 1
 STOPSIGNAL SIGRTMIN+3
 ENTRYPOINT ["/entrypoint.sh"]
 CMD [   "--default-standard-output=journal+console", \
        "--default-standard-error=journal+console" ]
--- a/docker/docker-compose-traefik.yaml
+++ b/docker/docker-compose-traefik.yaml
@@ -0,0 +1,116 @@
 # Traefik reverse proxy + cert manager for chatmail.
 # Use this instead of docker-compose.yaml when Traefik manages TLS certificates.
 #
 # Required .env vars:
 #   MAIL_DOMAIN=chat.example.com
 #   ACME_EMAIL=admin@example.com
 #
 # Usage:
 #   cp docker/example-traefik.env .env
 #   docker compose -f docker/docker-compose-traefik.yaml build
 #   docker compose -f docker/docker-compose-traefik.yaml up -d
 services:
  chatmail:
    build:
      context: ../
      dockerfile: docker/chatmail_relay.dockerfile
    image: chatmail-relay:latest
    restart: unless-stopped
    container_name: chatmail
    depends_on:
      traefik-certs-dumper:
        condition: service_started
    cgroup: host
    tty: true
    tmpfs:
      - /tmp
      - /run
      - /run/lock
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    environment:
      MAIL_DOMAIN: $MAIL_DOMAIN
      CMDEPLOY_STAGES: ${CMDEPLOY_STAGES:-}
      CHATMAIL_NOACME: "true"
      PATH_TO_SSL: /var/lib/acme/live/${MAIL_DOMAIN}
    ports:
      - "25:25"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:rw
      - chatmail-data:/home
      - chatmail-dkimkeys:/etc/dkimkeys
      - traefik-certs:/var/lib/acme/live:ro
    labels:
      - traefik.enable=true
      - traefik.http.services.chatmail.loadbalancer.server.scheme=https
      - traefik.http.services.chatmail.loadbalancer.server.port=443
      - traefik.http.services.chatmail.loadbalancer.serverstransport=insecure@file
      - traefik.http.routers.chatmail.rule=Host(`${MAIL_DOMAIN}`) || Host(`mta-sts.${MAIL_DOMAIN}`) || Host(`www.${MAIL_DOMAIN}`)
      - traefik.http.routers.chatmail.tls=true
      - traefik.http.routers.chatmail.tls.certresolver=letsEncrypt
  traefik:
    image: traefik:v3.3
    container_name: traefik
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    command:
      - "--configFile=/config.yaml"
      - "--certificatesresolvers.letsEncrypt.acme.email=${ACME_EMAIL}"
    network_mode: host
    depends_on:
      traefik-init:
        condition: service_completed_successfully
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/config.yaml:/config.yaml:ro
      - traefik-data:/data
      - ./traefik/dynamic-configs:/dynamic/conf:ro
  traefik-init:
    image: alpine:latest
    restart: "no"
    entrypoint: sh -c 'touch /data/acme.json && chmod 600 /data/acme.json'
    volumes:
      - traefik-data:/data
  traefik-certs-dumper:
    image: ldez/traefik-certs-dumper:v2.10.0
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    depends_on:
      - traefik
    entrypoint: sh -c '
      apk add openssl
      && while ! [ -e /data/acme.json ] || ! [ "$$(jq ".[] | .Certificates | length" /data/acme.json | jq -s "add")" != "0" ]; do
        sleep 1
      ; done
      && traefik-certs-dumper file --version v3 --watch --domain-subdir=true
        --source /data/acme.json --dest /certs --post-hook "sh /post-hook.sh"'
    volumes:
      - traefik-data:/data:ro
      - traefik-certs:/certs
      - ./traefik/post-hook.sh:/post-hook.sh:ro
 volumes:
  chatmail-data:
  chatmail-dkimkeys:
  traefik-data:
  traefik-certs:
--- a/docker/example-traefik.env
+++ b/docker/example-traefik.env
@@ -0,0 +1,5 @@
 MAIL_DOMAIN="chat.example.com"
 ACME_EMAIL="admin@example.com"
 # CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.
 # CMDEPLOY_STAGES="configure,activate"
--- a/docker/files/chatmail-certmon.service
+++ b/docker/files/chatmail-certmon.service
@@ -0,0 +1,8 @@
 [Unit]
 Description=Check TLS certificate changes and reload services
 After=setup_chatmail.service
 [Service]
 Type=oneshot
 ExecStart=/bin/bash /chatmail-certmon.sh
 PassEnvironment=MAIL_DOMAIN PATH_TO_SSL
--- a/docker/files/chatmail-certmon.sh
+++ b/docker/files/chatmail-certmon.sh
@@ -0,0 +1,28 @@
 #!/bin/bash
 # Check if TLS certificates have changed and reload services if so.
 # Called by chatmail-certmon.timer (systemd timer, default every 60s).
 set -eo pipefail
 PATH_TO_SSL="${PATH_TO_SSL:-/var/lib/acme/live/${MAIL_DOMAIN}}"
 HASH_FILE="/run/chatmail-certmon.hash"
 if [ ! -d "$PATH_TO_SSL" ]; then
    exit 0
 fi
 current_hash=$(find "$PATH_TO_SSL" -type f -exec sha1sum {} \; | sort | sha1sum | awk '{print $1}')
 previous_hash=""
 if [ -f "$HASH_FILE" ]; then
    previous_hash=$(cat "$HASH_FILE")
 fi
 if [ -n "$current_hash" ] && [ "$current_hash" != "$previous_hash" ]; then
    echo "[INFO] Certificate hash changed, reloading nginx, dovecot and postfix."
    echo "$current_hash" > "$HASH_FILE"
    # On first run (no previous hash), don't reload — services may not be up yet
    if [ -n "$previous_hash" ]; then
        systemctl reload nginx.service
        systemctl reload dovecot.service
        systemctl reload postfix.service
    fi
 fi
--- a/docker/files/chatmail-certmon.timer
+++ b/docker/files/chatmail-certmon.timer
@@ -0,0 +1,9 @@
 [Unit]
 Description=Periodically check TLS certificate changes
 [Timer]
 OnBootSec=120
 OnUnitActiveSec=60
 [Install]
 WantedBy=timers.target
--- a/docker/files/entrypoint.sh
+++ b/docker/files/entrypoint.sh
@@ -0,0 +1,12 @@
 #!/bin/bash
 set -eo pipefail
 SETUP_CHATMAIL_SERVICE_PATH="${SETUP_CHATMAIL_SERVICE_PATH:-/lib/systemd/system/setup_chatmail.service}"
 # Whitelist only the env vars needed by setup_chatmail_docker.sh.
 # Forwarding all env vars (via printenv) would leak Docker internals,
 # orchestrator secrets, and other unrelated variables into systemd.
 env_vars="MAIL_DOMAIN CMDEPLOY_STAGES CHATMAIL_INI CHATMAIL_NOSYSCTL CHATMAIL_NOPORTCHECK CHATMAIL_NOACME PATH_TO_SSL PATH"
 sed -i "s|<envs_list>|$env_vars|g" "$SETUP_CHATMAIL_SERVICE_PATH"
 exec /lib/systemd/systemd "$@"
--- a/docker/files/setup_chatmail.service
+++ b/docker/files/setup_chatmail.service
@@ -0,0 +1,14 @@
 [Unit]
 Description=Run container setup commands
 After=multi-user.target
 ConditionPathExists=/setup_chatmail_docker.sh
 [Service]
 Type=oneshot
 ExecStart=/bin/bash /setup_chatmail_docker.sh
 RemainAfterExit=true
 WorkingDirectory=/opt/chatmail
 PassEnvironment=<envs_list>
 [Install]
 WantedBy=multi-user.target
--- a/docker/files/setup_chatmail_docker.sh
+++ b/docker/files/setup_chatmail_docker.sh
@@ -0,0 +1,54 @@
 #!/bin/bash
 set -euo pipefail
 export CHATMAIL_INI="${CHATMAIL_INI:-/etc/chatmail/chatmail.ini}"
 CMDEPLOY=/opt/cmdeploy/bin/cmdeploy
 if [ -z "$MAIL_DOMAIN" ]; then
    echo "ERROR: Environment variable 'MAIL_DOMAIN' must be set!" >&2
    exit 1
 fi
 ### MAIN
 if [ ! -f /etc/dkimkeys/opendkim.private ]; then
    /usr/sbin/opendkim-genkey -D /etc/dkimkeys -d "$MAIL_DOMAIN" -s opendkim
 fi
 # Fix ownership for bind-mounted keys (host opendkim UID may differ from container)
 chown -R opendkim:opendkim /etc/dkimkeys
 # Journald: forward to console for docker logs
 grep -q '^ForwardToConsole=yes' /etc/systemd/journald.conf \
    || echo "ForwardToConsole=yes" >> /etc/systemd/journald.conf
 systemctl restart systemd-journald
 # Create chatmail.ini (skips if file already exists, e.g. volume-mounted)
 mkdir -p "$(dirname "$CHATMAIL_INI")"
 if [ ! -f "$CHATMAIL_INI" ]; then
    $CMDEPLOY init --config "$CHATMAIL_INI" "$MAIL_DOMAIN"
 fi
 # --- Deploy fingerprint: skip cmdeploy run if nothing changed ---
 # On restart with identical image+config, systemd already brings up all
 # enabled services — the full cmdeploy run is redundant (~30s saved).
 # The install stage runs at image build time (Dockerfile), so only
 # configure+activate are needed here.
 IMAGE_VERSION_FILE="/etc/chatmail-image-version"
 FINGERPRINT_FILE="/etc/chatmail/.deploy-fingerprint"
 image_ver="none"
 [ -f "$IMAGE_VERSION_FILE" ] && image_ver=$(cat "$IMAGE_VERSION_FILE")
 config_hash=$(sha256sum "$CHATMAIL_INI" | cut -c1-16)
 current_fp="${image_ver}:${config_hash}"
 # CMDEPLOY_STAGES non-empty in env = operator override → always run.
 # Otherwise, if fingerprint matches the last successful deploy, skip.
 if [ -z "${CMDEPLOY_STAGES:-}" ] \
    && [ -f "$FINGERPRINT_FILE" ] \
    && [ "$(cat "$FINGERPRINT_FILE")" = "$current_fp" ]; then
    echo "[INFO] No changes detected ($current_fp), skipping deploy."
 else
    export CMDEPLOY_STAGES="${CMDEPLOY_STAGES:-configure,activate}"
    $CMDEPLOY run --config "$CHATMAIL_INI" --ssh-host @local
    echo "$current_fp" > "$FINGERPRINT_FILE"
 fi
--- a/docker/traefik/config.yaml
+++ b/docker/traefik/config.yaml
@@ -0,0 +1,30 @@
 log:
  level: INFO
 entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          permanent: true
  websecure:
    address: ":443"
 providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    directory: /dynamic/conf
    watch: true
 certificatesResolvers:
  letsEncrypt:
    acme:
      storage: /data/acme.json
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      tlschallenge: true
      httpChallenge:
        entryPoint: web
--- a/docker/traefik/dynamic-configs/insecure.yaml
+++ b/docker/traefik/dynamic-configs/insecure.yaml
@@ -0,0 +1,4 @@
 http:
  serversTransports:
    insecure:
      insecureSkipVerify: true
--- a/docker/traefik/post-hook.sh
+++ b/docker/traefik/post-hook.sh
@@ -0,0 +1,12 @@
 #!/bin/sh
 # Post-hook for traefik-certs-dumper: create symlinks from Traefik's
 # cert dump format to the paths chatmail expects (fullchain, privkey).
 CERTS_DIR="${CERTS_DIR:-/certs}"
 for dir in "$CERTS_DIR"/*/; do
    [ -d "$dir" ] || continue
    cd "$dir"
    [ -f "certificate.crt" ] && ln -sf certificate.crt fullchain
    [ -f "privatekey.key" ] && ln -sf privatekey.key privkey
    cd - > /dev/null
 done
--- a/env.example
+++ b/env.example
@@ -0,0 +1,7 @@
 MAIL_DOMAIN="chat.example.com"
 # CMDEPLOY_STAGES - default: "configure,activate". Set to "install,configure,activate" to force full reinstall.
 # CMDEPLOY_STAGES="configure,activate"
 # Skip acmetool when using an external certificate manager (e.g. Traefik, Caddy).
 # CHATMAIL_NOACME="True"
Author	SHA1	Message	Date
j4n	606f36ee13	docker: integrate documentation delete original markdown notes (the russian version was severely outdated) and add a new section.	2026-02-18 17:05:28 +01:00
j4n	72973631f7	docker: move key files to repo root as per convention	2026-02-18 17:05:28 +01:00
j4n	5b5b09dc2e	filtermail wait dont know where this came from	2026-02-18 17:05:28 +01:00
j4n	aa2f41158f	docker: move all relevant files to repository root as per convention	2026-02-18 17:05:28 +01:00
j4n	e0ca4b25f4	docker/chatmaild/config: default to false on CHATMAIL_NOACME	2026-02-18 17:05:28 +01:00
j4n	0b593f98bf	docker: chatmail.ini.f empty line remove	2026-02-18 17:05:28 +01:00
j4n	2e23fadb54	docker: skip redundant cmdeploy run on container restart Replace the old IMAGE_VERSION_FILE/RUNNING_VERSION_FILE mechanism with a single deploy fingerprint (image_version:sha256(chatmail.ini)) stored at /etc/chatmail/.deploy-fingerprint. On restart, if the fingerprint matches the last successful deploy, skip cmdeploy run entirely. The fingerprint lives on the container's writable layer. On fresh containers, setting CMDEPLOY_STAGES non-empty in env forces a deploy run regardless of fingerprint. Also narrow the /home volume mount to /home/vmail.	2026-02-18 17:05:28 +01:00
j4n	bc19966801	docker: run a dummy git init to make cmdeploy tooling happy	2026-02-18 17:05:28 +01:00
j4n	bafbaa1b81	docker: fix DKIM key permission denied on bind-mounted volumes chown the entire /etc/acmekeys directory	2026-02-18 17:05:28 +01:00
j4n	feecf6affd	docker: add build.sh to set GIT_HASH for local builds Simple wrapper as .git is excluded from build context.	2026-02-18 17:05:28 +01:00
j4n	c2c3be1115	docker: add DKIM/ACME mount examples for bare-metal migration	2026-02-18 17:05:28 +01:00
j4n	c6d6e272be	docker: pass CHATMAIL_NOSYSCTL and CHATMAIL_NOPORTCHECK to container These got lost somehow	2026-02-18 17:05:28 +01:00
j4n	425e3db07a	docker: slim build by excluding .git and non-essential files Replace the in-Dockerfile `git rev-parse HEAD` with a GIT_HASH build arg passed from docker-compose (local) or github.sha (CI), defaulting to "unknown" when unset. Also exclude .github/, docs/, tests/, and .md (except www//.md).	2026-02-18 17:05:28 +01:00
j4n	c22efeb74b	docker: use docker-compose.override.yaml for user customizations The base docker-compose.yaml was checked into git and thus would get overwritten on pull. - docker-compose.yaml uses named volumes as safe defaults - docker-compose.override.yaml (gitignored) holds user customizations - Compose automatically merges both files	2026-02-18 17:05:28 +01:00
j4n	71bd0da51a	docs: document ghcr.io built images Added pull instructions for pre-built images from ghcr.io (main branch, tagged releases, feature branches).	2026-02-18 17:05:28 +01:00
j4n	0ed5ec75fb	docker: add GitHub Action to build Docker image Builds the Docker image on PRs and pushes that touch docker/, compose, chatmaild/, or cmdeploy/ files. - PRs: build only (no push, no login) - Branch push (main, j4n/docker): build + push as :main or :j4n-docker - Tagged release (v*): build + push as :1.2.3, :1.2, :sha-<hash> Uses GITHUB_TOKEN for ghcr.io auth.	2026-02-18 17:05:28 +01:00
j4n	4fd0429cd3	docker: add Traefik support USE_FOREIGN_CERT_MANAGER existed in compose/example.env but was never read by any code. This wires it up end-to-end based on PR 662. - Preliminarily add config options for this, and skip AcmetoolDeployer if set. - Add Traefik integration in docker/docker-compose-traefik.yaml, with traefik-certs-dumper - post-hook.sh creates fullchain/privkey symlinks for chatmail - Chatmail container uses ports 25/143/465/587/993 directly, Traefik handles 80/443 - docker/traefik/ contains config.yaml and dynamic configs - docker/example-traefik.env for the Traefik setup - rename USE_FOREIGN_CERT_MANAGER to CHATMAIL_NOACME	2026-02-18 17:05:28 +01:00
j4n	45717de6cb	docker: add set -u to setup_chatmail_docker.sh	2026-02-18 17:05:28 +01:00
j4n	77dc67dde9	docker: auto-detect image upgrades and include install stage Without version tracking, if a new image requires the install stage (e.g. new package versions), the default configure,activate will skip it and potentially fail silently. At build time, the git hash is written to /etc/chatmail-image-version. At runtime, setup_chatmail_docker.sh compares it against the persisted /home/.chatmail-running-version (survives container restarts via the /home volume). If they differ, the install stage is automatically prepended to CMDEPLOY_STAGES. After a successful deploy, the running version is updated. Files: docker/chatmail_relay.dockerfile:68-69, docker/files/setup_chatmail_docker.sh:27-48	2026-02-18 17:05:28 +01:00
j4n	f017f88901	docker: docs: replace outdated Russian Docker docs with redirect to EN	2026-02-18 17:05:28 +01:00
j4n	0585314468	docker: extract cert monitor from background process to systemd timer The cert monitoring was an orphaned background process (`monitor_certificates &`) Replace with a proper systemd timer/service (every 60s). Also made journald ForwardToConsole=yes idempotent.	2026-02-18 17:05:28 +01:00
j4n	85ee7dbeb5	docker: document security implications of host networking + cgroups	2026-02-18 17:05:28 +01:00
j4n	e503e120e5	docker: add HEALTHCHECK, remove VOLUME, fix Dockerfile hygiene - Added HEALTHCHECK that verifies chatmail services are active via systemctl - Removed `VOLUME ["/sys/fs/cgroup", "/home"]` as anonymous volumes are an anti-pattern for user data (leads to data loss on upgrades). Let compose/`docker run -v` handle volume management. - Changed TZ from Europe/London to UTC (server best practice) - Removed duplicate WORKDIR /opt/chatmail - Moved `unlink /etc/nginx/sites-enabled/default` from entrypoint.sh to Dockerfile build time	2026-02-18 17:05:28 +01:00
j4n	475975dfa0	docker: use @local instead of @docker inside container	2026-02-18 17:05:28 +01:00
j4n	a930f8f46b	docker: whitelist env vars in entrypoint, quote $@ and paths Instead of forwarding ALL environment variables into systemd's PassEnvironment, only forward a whitelist of variables to prevent leaking of environment variables.	2026-02-18 17:05:28 +01:00
j4n	75ef0f2698	docker: remove duplicated dovecot hashes from Dockerfile	2026-02-18 17:05:28 +01:00
j4n	57f9327d4d	docker: fix cert monitoring — wait for certs dir, use return not exit Fix bugs in certificate monitoring function: - `exit 0` inside monitor_certificates() would kill the background process - calculate_hash() now checks dir existence instead of silenty dying - Added wait loop until $PATH_TO_SSL exists before monitoring Files: docker/files/setup_chatmail_docker.sh:16-41	2026-02-18 17:05:28 +01:00
j4n	e99d979eb8	docker: update docs to use @local for cmdeploy	2026-02-18 17:05:28 +01:00
j4n	ffa45c1ca1	docker: symlink chatmail.ini into /opt/chatmail for bench/tests	2026-02-18 17:05:28 +01:00
j4n	9f6de19121	fix(cmdeploy): add __call__ to LocalExec so status works with @local	2026-02-18 17:05:28 +01:00
j4n	cc779ec04f	feat(cmdeploy): read CHATMAIL_INI env var for default --config path Avoids needing --config /etc/chatmail/chatmail.ini on every command inside the Docker container, where CHATMAIL_INI is already set.	2026-02-18 17:05:28 +01:00
j4n	04bd38baaa	docker: add quickstart docker send note	2026-02-18 17:05:28 +01:00
j4n	4df6a96a14	docker: keep .git in build context for GithashDeployer	2026-02-18 17:05:28 +01:00
j4n	47131533df	docker: set CHATMAIL_NOPORTCHECK during build-time install	2026-02-18 17:05:28 +01:00
j4n	a84c02e1e5	docker: replace config flags with env vars, drop docker param from deploy_chatmail Remove change_kernel_settings/fs_inotify_max_user_instances_and_watchers from chatmail.ini — use CHATMAIL_NOSYSCTL and CHATMAIL_NOPORTCHECK env vars instead. deploy_chatmail() no longer takes a docker flag; deployers check the env directly.	2026-02-18 17:05:28 +01:00
j4n	0edff3205f	docker: remove dead utilities, fix cmdeploy run using wrong config path Remove no longer needed docker/files/update_ini.sh and docker/cm_ini_to_env.py. Fix cmdeploy run not receiving --config. Document env files	2026-02-18 17:05:28 +01:00
j4n	a48552d69e	docker: drop env to ini translation, use chatmail.ini directly Remove update_ini.sh and the env-var-to-ini pipeline. The container now has two config modes: - Simple: set MAIL_DOMAIN in .env, container generates chatmail.ini with defaults via `cmdeploy init` on first start. - Advanced: mount a custom chatmail.ini into the container; the init step is skipped when the file already exists. This eliminates the fragile FORCE_REINIT_INI_FILE / INI_CMD_ARGS machinery and the env vars that duplicated chatmail.ini settings Also add *.ini and .env to .dockerignore so local config files don't leak into the image.	2026-02-18 17:05:28 +01:00
j4n	0c746553b3	docker: move cmdeploy into docker image	2026-02-18 17:05:28 +01:00
j4n	ce65866595	docker: make compose work with cgroups (v2), conversion scripts/docs	2026-02-18 17:05:28 +01:00
j4n	557ad2ed3c	docker: don't overwrite existing DKIM keys on container start opendkim-genkey was running unconditionally on every startup, check if file exists and skip.	2026-02-18 17:05:28 +01:00
j4n	87b1680621	docker: run install stage at build time, configure+activate at startup Move the CMDEPLOY_STAGES=install execution into the Dockerfile these operations baked into the image layer. On container start, only configure and activate stages run by default. Users can override with CMDEPLOY_STAGES="install,configure,activate" to force a full reinstall without rebuilding the image. Also fixes CERTS_MONITORING_TIMEOUT typo in docker-compose.yaml (was "$CERTS MONITORING TIMEOUT"), and replaces the docker-commit workaround in docs with CMDEPLOY_STAGES documentation.	2026-02-18 17:05:28 +01:00
j4n	872fd2d846	docker: widen build context to repo root for build-time install stage The Dockerfile will need access to chatmaild/ and cmdeploy/ source trees to run CMDEPLOY_STAGES=install via pyinfra during image build, moving install-time work out of container startup. The previous context (./docker) only included helper scripts. Also adds .dockerignore to exclude .git, data/, venv/ etc. from the build context, and updates COPY paths accordingly.	2026-02-18 17:05:28 +01:00
j4n	fa2827a07e	feat(cmdeploy): guard against non-running systemd This enables docker image building without systemd running, which would make pyinfra SystemdEnabled fail.	2026-02-18 17:05:28 +01:00
j4n	c68df8551c	docker: remove echobot parts that were lingering in the feature branch	2026-02-18 17:05:28 +01:00
Keonik1	23ddd087ad	cmdeploy: Add config parameters `change_kernel_settings` and `fs_inotify_max_user_instances_and_watchers`	2026-02-18 17:05:28 +01:00
missytake	4278799f51	cmdeploy: add config (, )	2026-02-18 17:05:28 +01:00
missytake	ec26ac5dbf	docker: use --network=host so chatmail-turn can use any port	2026-02-18 17:05:28 +01:00
missytake	ee4648967e	docker: open ports for TURN + STUN	2026-02-18 17:05:28 +01:00
missytake	92c8b83a5e	docker: move all configuration to example.env	2026-02-18 17:05:28 +01:00
missytake	c33b5ade30	doc: fix linebreak	2026-02-18 17:05:28 +01:00
missytake	09c0af2c99	docker: disable port check if docker is running. fix #694	2026-02-18 17:05:28 +01:00
missytake	8d76b28a59	Suggestions from @Keonik1 Co-authored-by: Keonik <57857901+Keonik1@users.noreply.github.com>	2026-02-18 17:05:28 +01:00
missytake	ed9c7631bc	docker: enable DNS checks before cmdeploy run again	2026-02-18 17:05:28 +01:00
Keonik1	9c0a3a1718	fix unlink if default nginx conf is not exist - https://github.com/chatmail/relay/pull/614#discussion_r2297828830	2026-02-18 17:05:28 +01:00
Keonik1	bb590bb5ae	Fix issue with acmetool - https://github.com/chatmail/relay/pull/614#discussion_r2279630626	2026-02-18 17:05:28 +01:00
Keonik1	e1c0bffa52	Delete ssh connection from docker installation - https://github.com/chatmail/relay/pull/614#discussion_r2269986372 - https://github.com/chatmail/relay/pull/614#discussion_r2269991175 - https://github.com/chatmail/relay/pull/614#discussion_r2269995037 - https://github.com/chatmail/relay/pull/614#discussion_r2270004922	2026-02-18 17:05:28 +01:00
Keonik1	e272bb9069	fix docs - nginx "restart" to "reload" https://github.com/chatmail/relay/pull/614#discussion_r2269896158	2026-02-18 17:05:27 +01:00
Keonik1	87bd0323c2	Fix bug with attaching certs	2026-02-18 17:05:27 +01:00
Keonik1	d2f169af0d	pass values to `MAIL_DOMAIN` and `ACME_EMAIL` from vars for docker-compose-default https://github.com/chatmail/relay/pull/614#discussion_r2279591922	2026-02-18 17:05:27 +01:00
Keonik1	0603be8cff	change "restart nginx" to "reload nginx" https://github.com/chatmail/relay/pull/614#discussion_r2269896158	2026-02-18 17:05:27 +01:00
Keonik1	5b66fb9ade	add RECREATE_VENV var https://github.com/chatmail/relay/pull/614#discussion_r2279742769	2026-02-18 17:05:27 +01:00
Keonik1	7f151b368b	add 465 port https://github.com/chatmail/relay/pull/614#discussion_r2279707059	2026-02-18 17:05:27 +01:00
Keonik1	59362b4cf9	add port 80 to docker-compose-default https://github.com/chatmail/relay/pull/614#discussion_r2279656441	2026-02-18 17:05:27 +01:00
Keonik1	f8af0e2c33	rename dockerfile https://github.com/chatmail/relay/pull/614#discussion_r2270031966	2026-02-18 17:05:27 +01:00
Keonik1	beef0ecb19	Add installation via docker compose (MVP 1)	2026-02-18 17:05:27 +01:00
Mark Felder	36eb63faa1	feat: Strip Received headers before delivery	2026-02-17 21:16:11 +01:00
Jagoda Estera Ślązak	91df11015e	chore(deps): upgrade to filtermail v0.3 (#850 ) ## 0.3.0 - 2026-02-14 ### Features - Support legacy, pre-OpenPGP packet format ### Miscellaneous Tasks - (dist) Switch to musl targets ### Refactor - Remove unnecessary Arc - Use a custom, minimal SMTP client instead of lettre Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-02-14 18:02:05 +01:00
link2xt	d4f8a29243	docs: fix link to Maddy and update madmail URL	2026-02-13 09:49:29 +00:00
missytake	0144fc3ea8	postfix: only look for square brackets, they are only allowed for address literals	2026-02-12 10:45:15 +01:00
missytake	e7ce6679b9	postfix: IPv6 literals have a prefix	2026-02-12 10:45:15 +01:00
missytake	d1adf52f89	postfix: also accept self-signed for IPv6-only	2026-02-12 10:45:15 +01:00
missytake	56d0e2ca27	postfix: be more exact with nauta.cu	2026-02-12 10:45:15 +01:00
missytake	2613558db6	postfix uses POSIX EREs, not PCRE, so some stuff doesn't work	2026-02-12 10:45:15 +01:00
missytake	6843fcb1a0	postfix: fix tls policy regexp map	2026-02-12 10:45:15 +01:00
missytake	ff54ad88d8	postfix: use regexp to match IPv4 addresses	2026-02-12 10:45:15 +01:00
missytake	cce2b27ae7	postfix: accept self-signed certificates for IP-only relays	2026-02-12 10:45:15 +01:00
j4n	87022e3681	fix(cmdeploy): check if dns_check_disabled before trying to warn about LE If --skip-dns-check is used and retcode != 0, remote_data is undefined.	2026-02-11 12:13:24 +01:00
j4n	06560dd071	feat(postfix): bind to mail_domain's A/AAAA addresses for outbound mail Carry forward A/AAAA address from the DNS check to the postfix deploy stage and set accordingly in main.cf.	2026-02-11 12:13:24 +01:00
j4n	1b0337a5f7	fix(cmdeploy): port check: check addresses, fix single services Ensure that the interface for mtail_address is available and fix a bug in port checking where single services were always passing regardless of the specified service name.	2026-02-11 09:36:04 +01:00
373[Ø]™	dfcaf415b1	Merge pull request #834 from chatmail/373/fix-dns-resolver-injection fix: remediates issue with improper concat on resolver injection	2026-01-30 23:36:46 +00:00
ccclxxiii	c0718325ef	fix: simplify resolver fix	2026-01-30 22:17:53 +00:00
ccclxxiii	7d72b0e592	fix:[wip] fix concact issue which causes dns failure	2026-01-30 21:10:19 +00:00
373[Ø]™	8f1e23d98e	Merge pull request #832 from chatmail/373/respect-ipv4-ipv6-boolean-config remediates ipv6 boolean not being respected during operations	2026-01-30 17:53:36 +00:00
ccclxxiii	56aaf2649b	chore: fixes bug in dovecot template	2026-01-30 15:52:32 +00:00
ccclxxiii	2660b4d24c	feat: updates postfix for ipv4/v6	2026-01-30 15:27:02 +00:00
ccclxxiii	ea60ecfb57	feat: updates deployers for ipv4/v6 bool	2026-01-30 15:26:45 +00:00
ccclxxiii	2a3a224cc2	feat: adds template for unbound v4/v6	2026-01-30 15:24:26 +00:00
Jagoda Ślązak	e42139e97b	chore(deps): upgrade to filtermail v0.2 Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-28 20:46:02 +00:00
Jagoda Estera Ślązak	65b660c413	docs: update information about filtermail (#824 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-27 13:20:09 +01:00
link2xt	dd2beb226a	test(test_exceed_rate_limit): print timestamps when sending messages	2026-01-26 14:25:06 +00:00
link2xt	9c7508cc33	test: fix flaky test_exceed_rate_limit filtermail rate limiter is using leaky bucket algorithm (GCRA). Exceeting the limit requires sending at least max_user_send_per_minute messages to exhaust allowed burst, and then sending messages faster than the leak rate. As we don't know how fast is the network between the server and test runner, try to send 3 times max_user_send_per_minute messages to ensure the test does not fail randomly.	2026-01-26 12:07:10 +00:00
Jagoda Estera Ślązak	ab3492d9a1	feat(filtermail): Replace filtermail with rust reimplementation (#808 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-23 16:31:45 +01:00
Jagoda Estera Ślązak	032faf0a94	feat(config): Set default internal SMTP ports in Config (#819 ) Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>	2026-01-23 09:34:16 +01:00
link2xt	c45fe03652	fix(mtail): separate metrics for incoming and outgoing messages	2026-01-22 14:45:33 +00:00