streamline account creation and add tests

also incorporates nine.testrun.org user policies
simplify sysctl call
2026-05-11 00:14:36 +00:00 · 2023-11-01 20:30:12 +01:00 · 2023-10-31 22:03:03 +01:00 · 2023-10-31 22:03:03 +01:00 · 2023-10-29 19:09:33 +00:00 · 2023-10-28 16:50:24 +02:00
16 changed files with 175 additions and 54 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -159,3 +159,5 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+chatmail.zone
--- a/README.md
+++ b/README.md
@@ -10,14 +10,17 @@ comprised of a minimal setup of the battle-tested

    scripts/init.sh 

-2. set environment variable to the chatmail domain you want to setup:
+2. setup a domain with `A` and `AAAA` records for your chatmail server
+
+3. set environment variable to the chatmail domain you want to setup:

    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host

-3. run the deploy of the chat mail instance: 
+4. run the deploy of the chat mail instance: 

    scripts/deploy.sh 

+5. run `scripts/generate-dns-zone.sh` and create the generated DNS records at your DNS provider

 ## Running tests and benchmarks (offline and online) 

--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -21,15 +21,40 @@ def encrypt_password(password: str):
    return "{SHA512-CRYPT}" + passhash


-def create_user(db, user, password):
+def is_allowed_to_create(user, cleartext_password) -> bool:
+    """Return True if user and password are admissable."""
    if os.path.exists(NOCREATE_FILE):
-        logging.warning(
-            f"Didn't create account: {NOCREATE_FILE} exists. Delete the file to enable account creation."
-        )
-        return
+        logging.warning(f"blocked account creation because {NOCREATE_FILE!r} exists.")
+        return False
+
+    if len(cleartext_password) < 10:
+        logging.warning("Password needs to be at least 10 characters long")
+        return False
+
+    parts = user.split("@")
+    if len(parts) != 2:
+        logging.warning(f"user {user!r} is not a proper e-mail address")
+        return False
+    localpart, domain = parts
+
+    if domain == "nine.testrun.org":
+        # nine.testrun.org policy, username has to be exactly nine chars
+        if len(localpart) != 9:
+            logging.warning(f"localpart {localpart!r} has not exactly nine chars")
+            return False
+
+    return True
+
+
+def create_user(db, user, encrypted_password):
    with db.write_transaction() as conn:
-        conn.create_user(user, password)
-    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
+        conn.create_user(user, encrypted_password)
+    return dict(
+        home=f"/home/vmail/{user}",
+        uid="vmail",
+        gid="vmail",
+        password=encrypted_password,
+    )


 def get_user_data(db, user):
@@ -45,10 +70,13 @@ def lookup_userdb(db, user):
    return get_user_data(db, user)


-def lookup_passdb(db, user, password):
+def lookup_passdb(db, user, cleartext_password):
    userdata = get_user_data(db, user)
    if not userdata:
-        return create_user(db, user, encrypt_password(password))
+        if not is_allowed_to_create(user, cleartext_password):
+            return
+        encrypted_password = encrypt_password(cleartext_password)
+        userdata = create_user(db=db, user=user, encrypted_password=encrypted_password)
    userdata["password"] = userdata["password"].strip()
    return userdata

@@ -72,7 +100,7 @@ def handle_dovecot_request(msg, db, mail_domain):
                    reply_command = "N"
            elif type == "passdb":
                if user.endswith(f"@{mail_domain}"):
-                    res = lookup_passdb(db, user, password=args[0])
+                    res = lookup_passdb(db, user, cleartext_password=args[0])
                if res:
                    reply_command = "O"
                else:
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -4,8 +4,8 @@ Chat Mail pyinfra deploy.
 import importlib.resources
 from pathlib import Path

-from pyinfra import host, logger
-from pyinfra.operations import apt, files, server, systemd, python
+from pyinfra import host
+from pyinfra.operations import apt, files, server, systemd
 from pyinfra.facts.files import File
 from .acmetool import deploy_acmetool

@@ -70,6 +70,36 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
        mode="644",
        config={"domain_name": domain, "opendkim_selector": dkim_selector},
    )
+    need_restart |= main_config.changed
+
+    files.directory(
+        name="Add opendkim directory to /etc",
+        path="/etc/opendkim",
+        user="opendkim",
+        group="opendkim",
+        mode="750",
+        present=True,
+    )
+
+    keytable = files.template(
+        src=importlib.resources.files(__package__).joinpath("opendkim/KeyTable"),
+        dest="/etc/dkimkeys/KeyTable",
+        user="opendkim",
+        group="opendkim",
+        mode="644",
+        config={"domain_name": domain, "opendkim_selector": dkim_selector},
+    )
+    need_restart |= keytable.changed
+
+    signing_table = files.template(
+        src=importlib.resources.files(__package__).joinpath("opendkim/SigningTable"),
+        dest="/etc/dkimkeys/SigningTable",
+        user="opendkim",
+        group="opendkim",
+        mode="644",
+        config={"domain_name": domain, "opendkim_selector": dkim_selector},
+    )
+    need_restart |= signing_table.changed

    files.directory(
        name="Add opendkim socket directory to /var/spool/postfix",
@@ -90,8 +120,6 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
            _sudo_user="opendkim",
        )

-    need_restart |= main_config.changed
-
    return need_restart


@@ -155,6 +183,17 @@ def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
        mode="644",
    )

+    # as per https://doc.dovecot.org/configuration_manual/os/
+    # it is recommended to set the following inotify limits
+    for name in ("max_user_instances", "max_user_watches"):
+        key = f"fs.inotify.{name}"
+        server.sysctl(
+            name=f"Change {key}",
+            key=key,
+            value=65535,
+            persist=True,
+        )
+
    return need_restart


@@ -292,14 +331,3 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        enabled=True,
        restarted=journald_conf,
    )
-
-    def callback():
-        result = server.shell(
-            commands=[
-                f"""sed 's/\tIN/ 600 IN/;s/\t(//;s/\"$//;s/^\t  \"//g; s/ ).*//' """
-                f"""/etc/dkimkeys/{dkim_selector}.txt | tr --delete '\n'"""
-            ]
-        )
-        logger.info(f"Add this TXT entry into DNS zone: {result.stdout}")
-
-    python.call(name="Print TXT entry for DKIM", function=callback)
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
@@ -6,7 +6,7 @@ from deploy_chatmail import deploy_chatmail
 def main():
    mail_domain = os.getenv("CHATMAIL_DOMAIN")
    mail_server = os.getenv("CHATMAIL_SERVER", mail_domain)
-    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "2023")
+    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "dkim")

    assert mail_domain
    assert mail_server
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -118,6 +118,24 @@ service auth-worker {
  user = vmail
 }

+service imap-login {
+    # High-security mode.
+    # Each process serves a single connection and exits afterwards.
+    # This is the default, but we set it explicitly to be sure.
+    # See <https://doc.dovecot.org/admin_manual/login_processes/#high-security-mode> for details.
+    service_count = 1
+
+    # Inrease the number of simultaneous connections.
+    #
+    # As of Dovecot 2.3.19.1 the default is 100 processes.
+    # Combined with `service_count = 1` it means only 100 connections
+    # can be handled simultaneously.
+    process_limit = 10000
+
+    # Avoid startup latency for new connections.
+    process_min_avail = 10
+}
+
 ssl = required
 ssl_cert = </var/lib/acme/live/{{ config.hostname }}/fullchain
 ssl_key = </var/lib/acme/live/{{ config.hostname }}/privkey
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/KeyTable
@@ -0,0 +1 @@
+dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/SigningTable
@@ -0,0 +1 @@
+*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
@@ -1,7 +1,4 @@
-# This is a basic configuration for signing and verifying. It can easily be
-# adapted to suit a basic installation. See opendkim.conf(5) and
-# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
-# documentation of available configuration parameters.
+# OpenDKIM configuration.

 Syslog			yes
 SyslogSuccess		yes
@@ -21,7 +18,9 @@ OversignHeaders		From
 # setup options can be found in /usr/share/doc/opendkim/README.opendkim.
 Domain			{{ config.domain_name }}
 Selector		{{ config.opendkim_selector }}
-KeyFile		/etc/dkimkeys/{{ config.opendkim_selector }}.private
+KeyFile		  /etc/dkimkeys/{{ config.opendkim_selector }}.private
+KeyTable          /etc/dkimkeys/KeyTable
+SigningTable      /etc/dkimkeys/SigningTable

 # In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
 # using a local socket with MTAs that access the socket as a non-privileged
--- a/scripts/bench.sh
+++ b/scripts/bench.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 set -e

-online-tests/venv/bin/pytest online-tests/benchmark.py -vrx 
+venv/bin/pytest online-tests/benchmark.py -vrx 
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -1,10 +1,15 @@
 #!/usr/bin/env bash
-: ${CHATMAIL_DOMAIN:=c1.testrun.org}
-export CHATMAIL_DOMAIN

-chatmaild/venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
+echo -----------------------------------------
+echo deploying to $CHATMAIL_DOMAIN 
+echo -----------------------------------------

-deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
+echo WARNING: in five seconds deploy to $CHATMAIL_DOMAIN starts
+sleep 5
+
+venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
+
+venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
    deploy-chatmail/src/deploy_chatmail/deploy.py

 rm -r dist/
--- a/scripts/generate-dns-zone.sh
+++ b/scripts/generate-dns-zone.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+: ${CHATMAIL_DOMAIN:=c1.testrun.org}
+: ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
+
+set -e
+SSH="ssh root@$CHATMAIL_SSH"
+EMAIL="root@$CHATMAIL_DOMAIN"
+ACME_ACCOUNT_URL="$($SSH -- acmetool account-url)"
+
+cat <<EOF
+$CHATMAIL_DOMAIN. MX 10 $CHATMAIL_DOMAIN.
+$CHATMAIL_DOMAIN. TXT "v=spf1 a:$CHATMAIL_DOMAIN -all"
+_dmarc.$CHATMAIL_DOMAIN. TXT "v=DMARC1;p=reject;rua=mailto:$EMAIL;ruf=mailto:$EMAIL;fo=1;adkim=r;aspf=r"
+_submission._tcp.$CHATMAIL_DOMAIN.  SRV 0 1 587 $CHATMAIL_DOMAIN.
+_submissions._tcp.$CHATMAIL_DOMAIN. SRV 0 1 465 $CHATMAIL_DOMAIN.
+_imap._tcp.$CHATMAIL_DOMAIN.        SRV 0 1 143 $CHATMAIL_DOMAIN.
+_imaps._tcp.$CHATMAIL_DOMAIN.       SRV 0 1 993 $CHATMAIL_DOMAIN.
+$CHATMAIL_DOMAIN. IN CAA 0 issue "letsencrypt.org; accounturi=$ACME_ACCOUNT_URL"
+EOF
+$SSH opendkim-genzone -F | sed 's/^;.*$//;/^$/d'
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-tox -c chatmaild
-tox -c deploy-chatmail
+venv/bin/tox -c chatmaild
+venv/bin/tox -c deploy-chatmail
 venv/bin/pytest tests/online -vrx --durations=5 $@
--- a/tests/chatmaild/test_dictproxy.py
+++ b/tests/chatmaild/test_dictproxy.py
@@ -1,9 +1,10 @@
 import os
+import json

 import pytest

 import chatmaild.dictproxy
-from chatmaild.dictproxy import get_user_data, lookup_passdb
+from chatmaild.dictproxy import get_user_data, lookup_passdb, handle_dovecot_request
 from chatmaild.database import Database, DBError


@@ -14,13 +15,13 @@ def db(tmpdir):
    return Database(db_path)


+
 def test_basic(db):
-    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
-    if os.path.exists(chatmaild.dictproxy.NOCREATE_FILE):
-        os.remove(chatmaild.dictproxy.NOCREATE_FILE)
-    lookup_passdb(db, "link2xt@c1.testrun.org", "asdf")
+    lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
    data = get_user_data(db, "link2xt@c1.testrun.org")
    assert data
+    data2 = lookup_passdb(db, "link2xt@c1.testrun.org", "Pieg9aeToe3eghuthe5u")
+    assert data == data2


 def test_dont_overwrite_password_on_wrong_login(db):
@@ -32,14 +33,12 @@ def test_dont_overwrite_password_on_wrong_login(db):
    assert res["password"] == res2["password"]


-def test_nocreate_file(db):
-    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
-    with open(chatmaild.dictproxy.NOCREATE_FILE, "w+") as f:
-        f.write("")
-    assert os.path.exists(chatmaild.dictproxy.NOCREATE_FILE)
-    lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
+def test_nocreate_file(db, monkeypatch, tmpdir):
+    p = tmpdir.join("nocreate")
+    p.write("")
+    monkeypatch.setattr(chatmaild.dictproxy, "NOCREATE_FILE", str(p))
+    lookup_passdb(db, "newuser1@something.org", "zequ0Aimuchoodaechik")
    assert not get_user_data(db, "newuser1@something.org")
-    os.remove(chatmaild.dictproxy.NOCREATE_FILE)


 def test_db_version(db):
@@ -51,3 +50,15 @@ def test_too_high_db_version(db):
        conn.execute("PRAGMA user_version=%s;" % (999,))
    with pytest.raises(DBError):
        db.ensure_tables()
+
+
+def test_handle_dovecot_request(db):
+    msg = ('Lshared/passdb/laksjdlaksjdlaksjdlk12j3l1k2j3123/'
+           'some42@c3.testrun.org\tsome42@c3.testrun.org')
+    res = handle_dovecot_request(msg, db, "c3.testrun.org")
+    assert res
+    assert res[0] == "O" and res.endswith("\n")
+    userdata = json.loads(res[1:].strip())
+    assert userdata["home"] == "/home/vmail/some42@c3.testrun.org"
+    assert userdata["uid"] == userdata["gid"] == "vmail"
+    assert userdata["password"].startswith("{SHA512-CRYPT}")
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -195,8 +195,8 @@ def gencreds(maildomain):
            num = next(count)
            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
            user = "".join(random.choices(alphanumeric, k=10))
-            user = f"ac{num}_{user}"
-            password = "".join(random.choices(alphanumeric, k=10))
+            user = f"ac{num}_{user}"[:9]
+            password = "".join(random.choices(alphanumeric, k=12))
            yield f"{user}@{domain}", f"{password}"

    return lambda domain=None: next(gen(domain))
--- a/tests/online/test_0_login.py
+++ b/tests/online/test_0_login.py
@@ -23,6 +23,11 @@ def test_login_basic_functioning(imap_or_smtp, gencreds, lp):
    with pytest.raises(imap_or_smtp.AuthError):
        imap_or_smtp.login(user, password + "wrong")

+    lp.sec(f"creating users with a short password is not allowed")
+    user, _password = gencreds()
+    with pytest.raises(imap_or_smtp.AuthError):
+        imap_or_smtp.login(user, "admin")
+

 def test_login_same_password(imap_or_smtp, gencreds):
    """Test two different users logging in with the same password
Author	SHA1	Message	Date
holger krekel	ca763960e5	streamline account creation and add tests also incorporates nine.testrun.org user policies	2023-11-01 20:30:12 +01:00
holger krekel	3a9db729f8	simplify sysctl call	2023-10-31 22:03:03 +01:00
holger krekel	7eb86cba34	increase inotify limits for dovecot	2023-10-31 22:03:03 +01:00
link2xt	5633c0612e	dovecot: increase number of simultaneous connections handled by imap-login Otherwise deltachat core CI running fails with "Connection queue full" error on IMAP connections.	2023-10-29 19:09:33 +00:00
holger krekel	d5912b909c	fix benchmark script	2023-10-28 16:50:24 +02:00
link2xt	f75eb0658c	Require that passwords are at least 10 characters long	2023-10-28 13:38:15 +00:00
link2xt	7c5ec1e0df	Add scripts/generate-dns-zone.sh	2023-10-24 21:23:20 +00:00
holger krekel	11ebc4623c	somehow this deploy.sh adpatation was missing from main, not sure why	2023-10-24 23:19:40 +02:00
missytake	cf29053389	added full path to tox	2023-10-24 23:19:27 +02:00
holger krekel	1e7d0d10f5	follow link2xt advise and don't check subject/body at all -- turns out there were no tests anyway.	2023-10-22 14:59:37 +02:00
holger krekel	3dd94cbe69	passes the test	2023-10-22 14:59:37 +02:00
holger krekel	ed1b2f9da1	add a failing test for read receipts between two instances	2023-10-22 14:59:37 +02:00
				`@@ -0,0 +1 @@`
				`dkim._domainkey.{{ config.domain_name }} {{ config.domain_name }}:{{ config.opendkim_selector }}:/etc/dkimkeys/dkim.private`
				`@@ -0,0 +1 @@`
				`*@{{ config.domain_name }} {{ config.opendkim_selector }}._domainkey.{{ config.domain_name }}`