Add /etc/mailname

dictproxy: make NOCREATE_FILE a constant; log warning if creating account fails
tests: pass CLI arguments to pytest, don't run chatmails tests in weird subdir
2026-05-11 16:34:39 +00:00 · 2023-10-17 19:26:39 +00:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00 · 2023-10-17 20:03:18 +02:00
11 changed files with 67 additions and 88 deletions
--- a/README.md
+++ b/README.md
@@ -47,3 +47,13 @@ Dovecot listens on ports 143(imap) and 993 (imaps).
 For DKIM you must add a DNS entry as found in /etc/opendkim/selector.txt on your chatmail instance.
 The above `scripts/deploy.sh` prints out the DKIM selector and DNS entry you
 need to setup with your DNS provider. 
+
+## Emergency Commands
+
+If you need to stop account creation,
+e.g. because some script is wildly creating accounts,
+just run `touch /tmp/nocreate`.
+You can remove the file
+as soon as the attacker was banned
+by different means.
+
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -10,7 +10,6 @@ dependencies = [
 ]

 [project.scripts]
-doveauth = "chatmaild.doveauth:main"
 doveauth-dictproxy = "chatmaild.dictproxy:main"
 filtermail = "chatmaild.filtermail:main"

--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -1,3 +1,4 @@
+import logging
 import os
 import sys
 import json
@@ -11,6 +12,8 @@ import subprocess

 from .database import Database

+NOCREATE_FILE = "/etc/chatmail-nocreate"
+

 def encrypt_password(password: str):
    password = password.encode("ascii")
@@ -27,6 +30,9 @@ def encrypt_password(password: str):


 def create_user(db, user, password):
+    if os.path.exists(NOCREATE_FILE):
+        logging.warning(f"Didn't create account: {NOCREATE_FILE} exists. Delete the file to enable account creation.")
+        return
    with db.write_transaction() as conn:
        conn.create_user(user, password)
    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
@@ -53,7 +59,7 @@ def lookup_passdb(db, user, password):
    return userdata


-def handle_dovecot_request(msg, db):
+def handle_dovecot_request(msg, db, mail_domain):
    print(f"received msg: {msg!r}", file=sys.stderr)
    short_command = msg[0]
    if short_command == "L":  # LOOKUP
@@ -64,13 +70,15 @@ def handle_dovecot_request(msg, db):
        res = ""
        if namespace == "shared":
            if type == "userdb":
-                res = lookup_userdb(db, user)
+                if user.endswith(f"@{mail_domain}"):
+                    res = lookup_userdb(db, user)
                if res:
                    reply_command = "O"
                else:
                    reply_command = "N"
            elif type == "passdb":
-                res = lookup_passdb(db, user, password=args[0])
+                if user.endswith(f"@{mail_domain}"):
+                    res = lookup_passdb(db, user, password=args[0])
                if res:
                    reply_command = "O"
                else:
@@ -89,6 +97,8 @@ def main():
    socket = sys.argv[1]
    passwd_entry = pwd.getpwnam(sys.argv[2])
    db = Database(sys.argv[3])
+    with open("/etc/mailname", "r") as fp:
+        mail_domain = fp.read().strip()

    class Handler(StreamRequestHandler):
        def handle(self):
@@ -96,7 +106,7 @@ def main():
                msg = self.rfile.readline().strip().decode()
                if not msg:
                    break
-                res = handle_dovecot_request(msg, db)
+                res = handle_dovecot_request(msg, db, mail_domain)
                if res:
                    print(f"sending result: {res!r}", file=sys.stderr)
                    self.wfile.write(res.encode("ascii"))
--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -1,65 +0,0 @@
-#!/usr/bin/env python3
-import base64
-import sys
-
-from .database import Database
-
-
-def get_user_data(db, user):
-    with db.read_connection() as conn:
-        result = conn.get_user(user)
-    if result:
-        result["uid"] = "vmail"
-        result["gid"] = "vmail"
-    return result
-
-
-def create_user(db, user, password):
-    with db.write_transaction() as conn:
-        conn.create_user(user, password)
-    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
-
-
-def verify_user(db, user, password):
-    userdata = get_user_data(db, user)
-    if userdata:
-        if userdata.get("password") == password:
-            userdata["status"] = "ok"
-        else:
-            userdata["status"] = "fail"
-    else:
-        userdata = create_user(db, user, password)
-        userdata["status"] = "ok"
-
-    return userdata
-
-
-def lookup_user(db, user):
-    userdata = get_user_data(db, user)
-    if userdata:
-        userdata["status"] = "ok"
-    else:
-        userdata["status"] = "fail"
-    return userdata
-
-
-def dump_result(res):
-    for key, value in res.items():
-        print(f"{key}={value}")
-
-
-def main():
-    db = Database("/home/vmail/passdb.sqlite")
-    if sys.argv[1] == "hexauth":
-        login = base64.b16decode(sys.argv[2]).decode()
-        password = base64.b16decode(sys.argv[3]).decode()
-        res = verify_user(db, login, password)
-        dump_result(res)
-    elif sys.argv[1] == "hexlookup":
-        login = base64.b16decode(sys.argv[2]).decode()
-        res = lookup_user(db, login)
-        dump_result(res)
-
-
-if __name__ == "__main__":
-    main()
--- a/chatmaild/src/chatmaild/test_doveauth.py
+++ b/chatmaild/src/chatmaild/test_doveauth.py
@@ -1,7 +1,9 @@
+import os
+
 import pytest

-from .dictproxy import get_user_data
-from .doveauth import verify_user
+import chatmaild.dictproxy
+from .dictproxy import get_user_data, lookup_passdb
 from .database import Database, DBError


@@ -13,16 +15,31 @@ def db(tmpdir):


 def test_basic(db):
-    verify_user(db, "link2xt@c1.testrun.org", "asdf")
+    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
+    if os.path.exists(chatmaild.dictproxy.NOCREATE_FILE):
+        os.remove(chatmaild.dictproxy.NOCREATE_FILE)
+    lookup_passdb(db, "link2xt@c1.testrun.org", "asdf")
    data = get_user_data(db, "link2xt@c1.testrun.org")
    assert data


-def test_verify_or_create(db):
-    res = verify_user(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
-    assert res["status"] == "ok"
-    res = verify_user(db, "newuser1@something.org", "kajdlqweqwe")
-    assert res["status"] == "fail"
+def test_dont_overwrite_password_on_wrong_login(db):
+    """Test that logging in with a different password doesn't create a new user"""
+    res = lookup_passdb(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
+    assert res["password"]
+    res2 = lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
+    # this function always returns a password hash, which is actually compared by dovecot.
+    assert res["password"] == res2["password"]
+
+
+def test_nocreate_file(db):
+    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
+    with open(chatmaild.dictproxy.NOCREATE_FILE, "w+") as f:
+        f.write("")
+    assert os.path.exists(chatmaild.dictproxy.NOCREATE_FILE)
+    lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
+    assert not get_user_data(db, "newuser1@something.org")
+    os.remove(chatmaild.dictproxy.NOCREATE_FILE)


 def test_db_version(db):
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -244,6 +244,13 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        restarted=dovecot_need_restart,
    )

+    # This file is used by auth proxy.
+    # https://wiki.debian.org/EtcMailName
+    server.shell(
+        name="Setup /etc/mailname",
+        commands=[f"echo {mail_domain} >/etc/mailname; chmod 644 /etc/mailname"],
+    )
+
    def callback():
        result = server.shell(
            commands=[
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -50,8 +50,8 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
    systemd.service(
        name="Setup acmetool-redirector service",
        service="acmetool-redirector.service",
-        running=True,
-        enabled=True,
+        running=False,
+        enabled=False,
        restarted=service_file.changed,
    )

--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -16,6 +16,12 @@ mail_debug = yes

 mail_plugins = quota

+# these are the capabilities Delta Chat cares about actually 
+# so let's keep the network overhead per login small
+# https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
+imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE
+
+
 # Authentication for system users.
 passdb {
  driver = dict
--- a/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
@@ -70,8 +70,6 @@ showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error
 discard   unix  -       -       y       -       -       discard
-local     unix  -       n       n       -       -       local
-virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -6,6 +6,7 @@ deploy-chatmail/venv/bin/pip install -e deploy-chatmail
 deploy-chatmail/venv/bin/pip install -e chatmaild

 python3 -m venv chatmaild/venv
+sudo apt install -y dovecot-core && sudo systemctl disable --now dovecot
 chatmaild/venv/bin/pip install --upgrade pytest build 'setuptools>=68'
 chatmaild/venv/bin/pip install -e chatmaild

--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -1,7 +1,3 @@
 #!/bin/bash
-set -e
-pushd chatmaild/src/chatmaild
-../../venv/bin/pytest
-popd
-
-online-tests/venv/bin/pytest online-tests/ -vrx --durations=5
+chatmaild/venv/bin/pytest chatmaild/ $@
+online-tests/venv/bin/pytest online-tests/ -vrx --durations=5 $@
Author	SHA1	Message	Date
link2xt	a6a94944e0	Add /etc/mailname	2023-10-17 19:26:39 +00:00
missytake	f333226abe	dictproxy: make NOCREATE_FILE a constant; log warning if creating account fails	2023-10-17 20:03:18 +02:00
missytake	45fe8a668b	tests: pass CLI arguments to pytest, don't run chatmails tests in weird subdir	2023-10-17 20:03:18 +02:00
missytake	beac91159d	tests: install doveadm for being able to run dictproxy tests	2023-10-17 20:03:18 +02:00
missytake	75e7c85e61	tests: adjust to dictproxy, test /tmp/nocreate	2023-10-17 20:03:18 +02:00
missytake	040b7a74a6	doveauth: don't create users if /tmp/nocreate exists	2023-10-17 20:03:18 +02:00
missytake	0138e59355	doveauth: removed doveauth.py from the project	2023-10-17 20:03:18 +02:00
holger krekel	fffbdc10c3	minimize capabilities	2023-10-17 01:22:19 +02:00
holger krekel	3419e359c8	create build venv in chatmaild/venv	2023-10-17 00:35:07 +02:00
holger krekel	0b051f8154	move deploy.py file and revamp README	2023-10-17 00:35:07 +02:00
link2xt	5936f7a3be	postfix: disable `virtual` and `local` MDAs We do not need them, all mails are delivered to Dovecot over LMTP.	2023-10-16 22:21:39 +00:00
link2xt	983ffa6236	Disable acmetool redirector	2023-10-16 22:12:45 +00:00