tests: other bots could be in passthrough_recipients

Without this option parsing of answer was flaky
as for long records like
_submission._tcp.nine.testrun.org.
dig printed the result with a space rather
than tab as a separator and .split("\t") did not work.

This change makes the `dig` command print the answer
in the form we need so there is no need for complex parsing
other than taking the first line.

`-r` option is added to make sure options are not changed by .digrc
in the root home directory.

.github/workflows/ci.yaml

@@ -33,8 +33,5 @@ jobs:
       - name: run deploy-chatmail offline tests 
         run: pytest --pyargs cmdeploy 
 
-      - name: initialize with chatmail domain
-        run: cmdeploy init chat.example.org  
-
       # all other cmdeploy commands require a staging server 
       # see https://github.com/deltachat/chatmail/issues/100

README.md

@@ -15,28 +15,29 @@ after which the initially specified password is required for using them.
 
 ## Deploying your own chatmail server 
 
-We subsequently use `CHATMAIL_DOMAIN` as a placeholder for your fully qualified 
-DNS domain name (FQDN), for example `chat.example.org`.
+We use `chat.example.org` as the chatmail domain in the following steps. 
+Please substitute it with your own domain. 
 
-1. Setup DNS `A` and `AAAA` records for your `CHATMAIL_DOMAIN`. 
-   Verify that DNS is set and SSH root login works:
-
-   ```
-        ssh root@CHATMAIL_DOMAIN 
-   ```
-
-2. Install the `cmdeploy` command in a virtualenv
+1. Install the `cmdeploy` command in a virtualenv
 
    ```
     git clone https://github.com/deltachat/chatmail
     cd chatmail
     scripts/initenv.sh
    ```
-  
-3. Create chatmail configuration file `chatmail.ini`:
+
+2. Create chatmail configuration file `chatmail.ini`:
 
    ```
-    scripts/cmdeploy init CHATMAIL_DOMAIN
+    scripts/cmdeploy init chat.example.org  # <-- use your domain 
+   ```
+
+3. Setup first DNS records for your chatmail domain, 
+   according to the hints provided by `cmdeploy init`.
+   Verify that SSH root login works:
+
+   ```
+    ssh root@chat.example.org   # <-- use your domain 
    ```
 
 4. Deploy to the remote chatmail server:
@@ -44,119 +45,118 @@ DNS domain name (FQDN), for example `chat.example.org`.
    ```
     scripts/cmdeploy run
    ```
+   This script will also show you additional DNS records
+   which you should configure at your DNS provider
+   (it can take some time until they are public).
 
-5. To output a DNS zone file from which you can transfer DNS records 
-   to your DNS provider:
+### Other helpful commands:
 
-   ```
-    scripts/cmdeploy dns
-   ```
+To check the status of your remotely running chatmail service:
 
-6. To check status of your remotely running chatmail service: 
-
-   ```
-    scripts/cmdeploy status
-   ```
-
-7. To test your chatmail service: 
-
-   ```
-    scripts/cmdeploy test
-   ```
-
-8. To benchmark your chatmail service: 
-
-   ```
-    scripts/cmdeploy bench
-   ```
-
-### Refining the web pages 
-
-
-``` 
-    scripts/cmdeploy webdev 
+```
+scripts/cmdeploy status
 ```
 
-This starts a local live development cycle for chatmail Web pages: 
+To check whether your DNS records are correct:
 
-- uses the `www/src/page-layout.html` file for producing static 
-  HTML pages from `www/src/*.md` files
+```
+scripts/cmdeploy dns
+```
 
-- continously builds the web presence reading files from `www/src` directory
-  and generating html files and copying assets to the `www/build` directory. 
+To test whether your chatmail service is working correctly:
 
-- Starts a browser window automatically where you can "refresh" as needed. 
+```
+scripts/cmdeploy test
+```
 
+To measure the performance of your chatmail service:
 
-### Home page and getting started for users 
+```
+scripts/cmdeploy bench
+```
 
-`cmdeploy run` sets up mail services,
-and also creates default static Web pages and deploys them: 
+## Overview of this repository
 
-- a default `index.html` along with a QR code that users can click to 
-  create accounts on your chatmail provider,
+This repository drives the development of chatmail services, 
+comprised of minimal setups of
 
-- a default `info.html` that is linked from the home page,
+- [postfix smtp server](https://www.postfix.org)
+- [dovecot imap server](https://www.dovecot.org)
 
-- a default `policy.html` that is linked from the home page. 
-
-All `.html` files are generated 
-by the according markdown `.md` file in the `www/src` directory.
-
-
-### Ports
-
-Postfix listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
-Dovecot listens on ports 143(imap) and 993 (imaps).
-
-Delta Chat will, however, discover all ports and configurations 
-automatically by reading the `autoconfig.xml` file from the chatmail instance. 
-
-
-## Emergency Commands to disable automatic account creation 
-
-If you need to stop account creation,
-e.g. because some script is wildly creating accounts, run:
-
-    touch /etc/chatmail-nocreate
-
-While this file is present, account creation will be blocked. 
-
-
-## Running tests and benchmarks (offline and online) 
-
-1. Set `CHATMAIL_SSH` so that `ssh root@$CHATMAIL_SSH` allows 
-   to login to the chatmail instance server. 
-
-2. To run local and online tests: 
-
-    scripts/test.sh 
-
-3. To run benchmarks against your chatmail instance: 
-
-    scripts/bench.sh 
-
-
-## Development Background for chatmail instances 
-
-This repository drives the development of "chatmail instances", 
-comprised of minimal setups of 
-
-- [postfix smtp server](https://www.postfix.org) 
-- [dovecot imap server](https://www.dovecot.org) 
-
-as well as two custom services that are integrated with these two: 
+as well as custom services that are integrated with these two:
 
 - `chatmaild/src/chatmaild/doveauth.py` implements
   create-on-login account creation semantics and is used
   by Dovecot during login authentication and by Postfix
   which in turn uses [Dovecot SASL](https://doc.dovecot.org/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket)
   to authenticate users
-  to send mails for them. 
+  to send mails for them.
 
-- `chatmaild/src/chatmaild/filtermail.py` prevents 
-  unencrypted e-mail from leaving the chatmail instance
-  and is integrated into postfix's outbound mail pipelines. 
+- `chatmaild/src/chatmaild/filtermail.py` prevents
+  unencrypted e-mail from leaving the chatmail service
+  and is integrated into postfix's outbound mail pipelines.
+
+There is also the `cmdeploy/src/cmdeploy/cmdeploy.py` command line tool
+which helps with setting up and managing the chatmail service.
+`cmdeploy run` uses [pyinfra-based scripting](https://pyinfra.com/)
+in `cmdeploy/src/cmdeploy/__init__.py`
+to automatically install all chatmail components on a server.
 
 
+### Home page and getting started for users
+
+`cmdeploy run` also creates default static Web pages and deploys them
+to a nginx web server with: 
+
+- a default `index.html` along with a QR code that users can click to
+  create accounts on your chatmail provider,
+
+- a default `info.html` that is linked from the home page,
+
+- a default `policy.html` that is linked from the home page.
+
+All `.html` files are generated
+by the according markdown `.md` file in the `www/src` directory.
+
+
+### Refining the web pages
+
+
+```
+scripts/cmdeploy webdev
+```
+
+This starts a local live development cycle for chatmail Web pages:
+
+- uses the `www/src/page-layout.html` file for producing static
+  HTML pages from `www/src/*.md` files
+
+- continously builds the web presence reading files from `www/src` directory
+  and generating html files and copying assets to the `www/build` directory.
+
+- Starts a browser window automatically where you can "refresh" as needed.
+
+
+## Emergency Commands to disable automatic account creation
+
+If you need to stop account creation,
+e.g. because some script is wildly creating accounts,
+login to the server with ssh and run:
+
+```
+    touch /etc/chatmail-nocreate
+```
+
+While this file is present, account creation will be blocked.
+
+### Ports
+
+[Postfix](http://www.postfix.org/) listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
+[Dovecot](https://www.dovecot.org/) listens on ports 143 (imap) and 993 (imaps).
+[nginx](https://www.nginx.com/) listens on port 443 (https).
+[acmetool](https://hlandau.github.io/acmetool/) listens on port 80 (http).
+
+Delta Chat apps will, however, discover all ports and configurations
+automatically by reading the [autoconfig XML file](https://web.archive.org/web/20210624004729/https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration) from the chatmail service.
+
 

chatmaild/pyproject.toml

@@ -8,6 +8,8 @@ version = "0.2"
 dependencies = [
   "aiosmtpd",
   "iniconfig",
+  "deltachat-rpc-server",
+  "deltachat-rpc-client",
 ]
 
 [tool.setuptools]
@@ -19,6 +21,8 @@ where = ['src']
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 filtermail = "chatmaild.filtermail:main"
+echobot = "chatmaild.echo:main"
+chatmail-metrics = "chatmaild.metrics:main"
 
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"

chatmaild/src/chatmaild/doveauth.py

@@ -46,13 +46,14 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
         len(localpart) > config.username_max_length
         or len(localpart) < config.username_min_length
     ):
-        logging.warning(
-            "localpart %s has to be between %s and %s chars long",
-            localpart,
-            config.username_min_length,
-            config.username_max_length,
-        )
-        return False
+        if localpart != "echo":
+            logging.warning(
+                "localpart %s has to be between %s and %s chars long",
+                localpart,
+                config.username_min_length,
+                config.username_max_length,
+            )
+            return False
 
     return True
 
@@ -97,16 +98,49 @@ def lookup_passdb(db, config: Config, user, cleartext_password):
         )
 
 
+def split_and_unescape(s):
+    """Split strings using double quote as a separator and backslash as escape character
+    into parts."""
+
+    out = ""
+    i = 0
+    while i < len(s):
+        c = s[i]
+        if c == "\\":
+            # Skip escape character.
+            i += 1
+
+            # This will raise IndexError if there is no character
+            # after escape character. This is expected
+            # as this is an invalid input.
+            out += s[i]
+        elif c == '"':
+            # Separator
+            yield out
+            out = ""
+        else:
+            out += c
+        i += 1
+    yield out
+
+
 def handle_dovecot_request(msg, db, config: Config):
     short_command = msg[0]
     if short_command == "L":  # LOOKUP
         parts = msg[1:].split("\t")
-        keyname, user = parts[:2]
-        namespace, type, *args = keyname.split("/")
+
+        # Dovecot <2.3.17 has only one part,
+        # do not attempt to read any other parts for compatibility.
+        keyname = parts[0]
+
+        namespace, type, args = keyname.split("/", 2)
+        args = list(split_and_unescape(args))
+
         reply_command = "F"
         res = ""
         if namespace == "shared":
             if type == "userdb":
+                user = args[0]
                 if user.endswith(f"@{config.mail_domain}"):
                     res = lookup_userdb(db, user)
                 if res:
@@ -114,6 +148,7 @@ def handle_dovecot_request(msg, db, config: Config):
                 else:
                     reply_command = "N"
             elif type == "passdb":
+                user = args[1]
                 if user.endswith(f"@{config.mail_domain}"):
                     res = lookup_passdb(db, config, user, cleartext_password=args[0])
                 if res:

chatmaild/src/chatmaild/echo.py

@@ -0,0 +1,84 @@
+#!/usr/bin/env python3
+"""Advanced echo bot example.
+
+it will echo back any message that has non-empty text and also supports the /help command.
+"""
+import logging
+import os
+import sys
+
+from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
+
+from chatmaild.newemail import create_newemail_dict
+from chatmaild.config import read_config
+
+hooks = events.HookCollection()
+
+
+@hooks.on(events.RawEvent)
+def log_event(event):
+    if event.kind == EventType.INFO:
+        logging.info(event.msg)
+    elif event.kind == EventType.WARNING:
+        logging.warning(event.msg)
+
+
+@hooks.on(events.RawEvent(EventType.ERROR))
+def log_error(event):
+    logging.error(event.msg)
+
+
+@hooks.on(events.MemberListChanged)
+def on_memberlist_changed(event):
+    logging.info(
+        "member %s was %s", event.member, "added" if event.member_added else "removed"
+    )
+
+
+@hooks.on(events.GroupImageChanged)
+def on_group_image_changed(event):
+    logging.info("group image %s", "deleted" if event.image_deleted else "changed")
+
+
+@hooks.on(events.GroupNameChanged)
+def on_group_name_changed(event):
+    logging.info("group name changed, old name: %s", event.old_name)
+
+
+@hooks.on(events.NewMessage(func=lambda e: not e.command))
+def echo(event):
+    snapshot = event.message_snapshot
+    if snapshot.text or snapshot.file:
+        snapshot.chat.send_message(text=snapshot.text, file=snapshot.file)
+
+
+@hooks.on(events.NewMessage(command="/help"))
+def help_command(event):
+    snapshot = event.message_snapshot
+    snapshot.chat.send_text("Send me any message and I will echo it back")
+
+
+def main():
+    path = os.environ.get("PATH")
+    venv_path = sys.argv[0].strip("echobot")
+    os.environ["PATH"] = path + ":" + venv_path
+    with Rpc() as rpc:
+        deltachat = DeltaChat(rpc)
+        system_info = deltachat.get_system_info()
+        logging.info("Running deltachat core %s", system_info.deltachat_core_version)
+
+        accounts = deltachat.get_all_accounts()
+        account = accounts[0] if accounts else deltachat.add_account()
+
+        bot = Bot(account, hooks)
+        if not bot.is_configured():
+            config = read_config(sys.argv[1])
+            password = create_newemail_dict(config).get("password")
+            email = "echo@" + config.mail_domain
+            bot.configure(email, password)
+        bot.run_forever()
+
+
+if __name__ == "__main__":
+    logging.basicConfig(level=logging.INFO)
+    main()

chatmaild/src/chatmaild/echobot.service.f

@@ -0,0 +1,11 @@
+[Unit]
+Description=Chatmail echo bot for testing it works
+
+[Service]
+ExecStart={execpath} {config_path}
+Environment="PATH={remote_venv_dir}:$PATH"
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -17,8 +17,8 @@ max_user_send_per_minute = 60
 # maximum mailbox size of a chatmail account
 max_mailbox_size = 100M
 
-# time after which seen mails are deleted
-delete_mails_after = 40d
+# days after which mails are unconditionally deleted
+delete_mails_after = 40
 
 # minimum length a username must have
 username_min_length = 9
@@ -33,7 +33,7 @@ password_min_length = 9
 passthrough_senders =
 
 # list of e-mail recipients for which to accept outbound un-encrypted mails
-passthrough_recipients =
+passthrough_recipients = xstore@testrun.org groupsbot@hispanilandia.net
 
 #
 # Deployment Details

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,7 +1,7 @@
 
 [privacy]
 
-passthrough_recipients = privacy@testrun.org
+passthrough_recipients = privacy@testrun.org xstore@testrun.org groupsbot@hispanilandia.net
 
 privacy_postal =
     Merlinux GmbH, Represented by the managing director H. Krekel,

chatmaild/src/chatmaild/metrics.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+from pathlib import Path
+import time
+import sys
+
+
+def main(vmail_dir=None):
+    if vmail_dir is None:
+        vmail_dir = sys.argv[1]
+
+    accounts = 0
+    ci_accounts = 0
+
+    for path in Path(vmail_dir).iterdir():
+        accounts += 1
+        if path.name[:3] in ("ci-", "ac_"):
+            ci_accounts += 1
+
+    timestamp = int(time.time() * 1000)
+    print(f"accounts {accounts} {timestamp}")
+    print(f"ci_accounts {ci_accounts} {timestamp}")
+
+
+if __name__ == "__main__":
+    main()

chatmaild/src/chatmaild/newemail.py

@@ -4,16 +4,22 @@
 
 import json
 import random
+import secrets
+import string
 
 from chatmaild.config import read_config, Config
 
 CONFIG_PATH = "/usr/local/lib/chatmaild/chatmail.ini"
+ALPHANUMERIC = string.ascii_lowercase + string.digits
+ALPHANUMERIC_PUNCT = string.ascii_letters + string.digits + string.punctuation
 
 
 def create_newemail_dict(config: Config):
-    alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
-    user = "".join(random.choices(alphanumeric, k=config.username_min_length))
-    password = "".join(random.choices(alphanumeric, k=config.password_min_length + 3))
+    user = "".join(random.choices(ALPHANUMERIC, k=config.username_min_length))
+    password = "".join(
+        secrets.choice(ALPHANUMERIC_PUNCT)
+        for _ in range(config.password_min_length + 3)
+    )
     return dict(email=f"{user}@{config.mail_domain}", password=f"{password}")
 
 

chatmaild/src/chatmaild/tests/test_config.py

@@ -24,9 +24,9 @@ def test_read_config_testrun(make_config):
     assert config.postfix_reinject_port == 10025
     assert config.max_user_send_per_minute == 60
     assert config.max_mailbox_size == "100M"
-    assert config.delete_mails_after == "40d"
+    assert config.delete_mails_after == "40"
     assert config.username_min_length == 9
     assert config.username_max_length == 9
     assert config.password_min_length == 9
-    assert config.passthrough_recipients == ["privacy@testrun.org"]
+    assert "privacy@testrun.org" in config.passthrough_recipients
     assert config.passthrough_senders == []

chatmaild/src/chatmaild/tests/test_doveauth.py

@@ -52,8 +52,9 @@ def test_too_high_db_version(db):
 
 
 def test_handle_dovecot_request(db, example_config):
+    # Test that password can contain ", ', \ and /
     msg = (
-        "Lshared/passdb/laksjdlaksjdlaksjdlk12j3l1k2j3123/"
+        'Lshared/passdb/laksjdlaksjdlak\\\\sjdlk\\"12j\\\'3l1/k2j3123"'
         "some42123@chat.example.org\tsome42123@chat.example.org"
     )
     res = handle_dovecot_request(msg, db, example_config)

chatmaild/src/chatmaild/tests/test_metrics.py

@@ -0,0 +1,16 @@
+from chatmaild.metrics import main
+
+
+def test_main(tmp_path, capsys):
+    for x in ("ci-asllkj", "ac_12l3kj", "qweqwe", "ci-l1k2j31l2k3"):
+        tmp_path.joinpath(x).mkdir()
+    main(tmp_path)
+    out, _ = capsys.readouterr()
+    d = {}
+    for line in out.split("\n"):
+        if line.strip():
+            name, num, _ = line.split()
+            d[name] = int(num)
+
+    assert d["accounts"] == 4
+    assert d["ci_accounts"] == 3

cmdeploy/src/cmdeploy/__init__.py

@@ -84,14 +84,28 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         ],
     )
 
+    files.template(
+        src=importlib.resources.files(__package__).joinpath("metrics.cron.j2"),
+        dest="/etc/cron.d/chatmail-metrics",
+        user="root",
+        group="root",
+        mode="644",
+        config={
+            "mail_domain": config.mail_domain,
+            "execpath": f"{remote_venv_dir}/bin/chatmail-metrics",
+        },
+    )
+
     # install systemd units
     for fn in (
         "doveauth",
         "filtermail",
+        "echobot",
     ):
         params = dict(
             execpath=f"{remote_venv_dir}/bin/{fn}",
             config_path=remote_chatmail_inipath,
+            remote_venv_dir=remote_venv_dir,
         )
         source_path = importlib.resources.files("chatmaild").joinpath(f"{fn}.service.f")
         content = source_path.read_text().format(**params).encode()
@@ -112,7 +126,7 @@ def _install_remote_venv_with_chatmaild(config) -> None:
         )
 
 
-def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
+def _configure_opendkim(domain: str, dkim_selector: str = "dkim") -> bool:
     """Configures OpenDKIM"""
     need_restart = False
 
@@ -350,20 +364,22 @@ def check_config(config):
     if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
         blocked_words = "merlinux schmieder testrun.org".split()
         for value in config.__dict__.values():
-            if any(x in value for x in blocked_words):
+            if any(x in str(value) for x in blocked_words):
                 raise ValueError(
                     f"please set your own privacy contacts/addresses in {config._inipath}"
                 )
     return config
 
 
-def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> None:
+def deploy_chatmail(config_path: Path) -> None:
     """Deploy a chat-mail instance.
 
-    :param mail_domain: domain part of your future email addresses
-    :param mail_server: the DNS name under which your mail server is reachable
-    :param dkim_selector:
+    :param config_path: path to chatmail.ini
     """
+    config = read_config(config_path)
+    check_config(config)
+    mail_domain = config.mail_domain
+
     from .www import build_webpages
 
     apt.update(name="apt update", cache_time=24 * 3600)
@@ -383,7 +399,11 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     # to use 127.0.0.1 as the resolver.
     apt.packages(
         name="Install unbound",
-        packages="unbound",
+        packages=["unbound", "unbound-anchor", "dnsutils"],
+    )
+    server.shell(
+        name="Generate root keys for validating DNSSEC",
+        commands=["unbound-anchor -a /var/lib/unbound/root.key || true"],
     )
     systemd.service(
         name="Start and enable unbound",
@@ -393,7 +413,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     )
 
     # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])
+    deploy_acmetool(nginx_hook=True, domains=[mail_domain, f"mta-sts.{mail_domain}"])
 
     apt.packages(
         name="Install Postfix",
@@ -423,11 +443,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
         packages=["fcgiwrap"],
     )
 
-    pkg_root = importlib.resources.files(__package__)
-    chatmail_ini = pkg_root.joinpath("../../../chatmail.ini").resolve()
-    config = read_config(chatmail_ini)
-    check_config(config)
-    www_path = pkg_root.joinpath("../../../www").resolve()
+    www_path = importlib.resources.files(__package__).joinpath("../../../www").resolve()
 
     build_dir = www_path.joinpath("build")
     src_dir = www_path.joinpath("src")
@@ -438,7 +454,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
     debug = False
     dovecot_need_restart = _configure_dovecot(config, debug=debug)
     postfix_need_restart = _configure_postfix(config, debug=debug)
-    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
+    opendkim_need_restart = _configure_opendkim(mail_domain)
     mta_sts_need_restart = _install_mta_sts_daemon()
     nginx_need_restart = _configure_nginx(mail_domain)
 

cmdeploy/src/cmdeploy/acmetool/__init__.py

@@ -1,6 +1,8 @@
 import importlib.resources
 
-from pyinfra.operations import apt, files, server
+from pyinfra.operations import apt, files, systemd, server
+from pyinfra import host
+from pyinfra.facts.systemd import SystemdStatus
 
 
 def deploy_acmetool(nginx_hook=False, email="", domains=[]):
@@ -46,6 +48,30 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
         mode="644",
     )
 
+    service_file = files.put(
+        src=importlib.resources.files(__package__).joinpath(
+            "acmetool-redirector.service"
+        ),
+        dest="/etc/systemd/system/acmetool-redirector.service",
+        user="root",
+        group="root",
+        mode="644",
+    )
+    if host.get_fact(SystemdStatus).get("nginx.service"):
+        systemd.service(
+            name="Stop nginx service to free port 80",
+            service="nginx",
+            running=False,
+        )
+
+    systemd.service(
+        name="Setup acmetool-redirector service",
+        service="acmetool-redirector.service",
+        running=True,
+        enabled=True,
+        restarted=service_file.changed,
+    )
+
     server.shell(
         name=f"Request certificate for: { ', '.join(domains) }",
         commands=[f"acmetool want { ' '.join(domains)}"],

cmdeploy/src/cmdeploy/acmetool/acmetool-redirector.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=acmetool HTTP redirector
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/acmetool redirector --service.uid=daemon
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

cmdeploy/src/cmdeploy/chatmail.zone.f

@@ -1,12 +1,14 @@
+{chatmail_domain}.                   A     {ipv4}
+{chatmail_domain}.                   AAAA  {ipv6}
 {chatmail_domain}.                   MX 10 {chatmail_domain}.
 _submission._tcp.{chatmail_domain}.  SRV 0 1 587 {chatmail_domain}.
 _submissions._tcp.{chatmail_domain}. SRV 0 1 465 {chatmail_domain}.
 _imap._tcp.{chatmail_domain}.        SRV 0 1 143 {chatmail_domain}.
 _imaps._tcp.{chatmail_domain}.       SRV 0 1 993 {chatmail_domain}.
-{chatmail_domain}.                IN CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
+{chatmail_domain}.                   CAA 128 issue "letsencrypt.org;accounturi={acme_account_url}"
 {chatmail_domain}.                   TXT "v=spf1 a:{chatmail_domain} -all"
 _dmarc.{chatmail_domain}.            TXT "v=DMARC1;p=reject;rua=mailto:{email};ruf=mailto:{email};fo=1;adkim=r;aspf=r"
-_mta-sts.{chatmail_domain}.       IN TXT "v=STSv1; id={sts_id}"
-mta-sts.{chatmail_domain}.        IN CNAME {chatmail_domain}.
-_smtp._tls.{chatmail_domain}.     IN TXT "v=TLSRPTv1;rua=mailto:{email}"
+_mta-sts.{chatmail_domain}.          TXT "v=STSv1; id={sts_id}"
+mta-sts.{chatmail_domain}.           CNAME {chatmail_domain}.
+_smtp._tls.{chatmail_domain}.        TXT "v=TLSRPTv1;rua=mailto:{email}"
 {dkim_entry}

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -3,7 +3,6 @@ Provides the `cmdeploy` entry point function,
 along with command line option and subcommand parsing.
 """
 import argparse
-import datetime
 import shutil
 import subprocess
 import importlib.resources
@@ -15,6 +14,7 @@ from pathlib import Path
 
 from termcolor import colored
 from chatmaild.config import read_config, write_initial_config
+from cmdeploy.dns import show_dns, check_necessary_dns
 
 
 #
@@ -32,11 +32,16 @@ def init_cmd_options(parser):
 
 def init_cmd(args, out):
     """Initialize chatmail config file."""
+    mail_domain = args.chatmail_domain
     if args.inipath.exists():
-        out.red(f"Path exists, not modifying: {args.inipath}")
-        raise SystemExit(1)
-    write_initial_config(args.inipath, args.chatmail_domain)
-    out.green(f"created config file for {args.chatmail_domain} in {args.inipath}")
+        print(f"Path exists, not modifying: {args.inipath}")
+    else:
+        write_initial_config(args.inipath, mail_domain)
+        out.green(f"created config file for {mail_domain} in {args.inipath}")
+    check_necessary_dns(
+        out,
+        mail_domain,
+    )
 
 
 def run_cmd_options(parser):
@@ -50,47 +55,34 @@ def run_cmd_options(parser):
 
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
+    mail_domain = args.config.mail_domain
+    if not check_necessary_dns(
+        out,
+        mail_domain,
+    ):
+        sys.exit(1)
 
     env = os.environ.copy()
-    env["CHATMAIL_DOMAIN"] = args.config.mail_domain
-    deploy_path = "cmdeploy/src/cmdeploy/deploy.py"
+    env["CHATMAIL_INI"] = args.inipath
+    deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve()
     pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"
     cmd = f"{pyinf} --ssh-user root {args.config.mail_domain} {deploy_path}"
+
     out.check_call(cmd, env=env)
+    print("Deploy completed, call `cmdeploy dns` next.")
+
+
+def dns_cmd_options(parser):
+    parser.add_argument(
+        "--zonefile",
+        dest="zonefile",
+        help="print the whole zonefile for deploying directly",
+    )
 
 
 def dns_cmd(args, out):
     """Generate dns zone file."""
-    template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
-    ssh = f"ssh root@{args.config.mail_domain}"
-
-    def read_dkim_entries(entry):
-        lines = []
-        for line in entry.split("\n"):
-            if line.startswith(";") or not line.strip():
-                continue
-            line = line.replace("\t", " ")
-            lines.append(line)
-        return "\n".join(lines)
-
-    acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
-    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
-
-    out(
-        f"[writing {args.config.mail_domain} zone data (using space as separator) to stdout output]",
-        green=True,
-    )
-    print(
-        template.read_text()
-        .format(
-            acme_account_url=acme_account_url,
-            email=f"root@{args.config.mail_domain}",
-            sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
-            chatmail_domain=args.config.mail_domain,
-            dkim_entry=dkim_entry,
-        )
-        .strip()
-    )
+    show_dns(args, out)
 
 
 def status_cmd(args, out):
@@ -219,9 +211,15 @@ class Out:
         color = "red" if red else ("green" if green else None)
         print(colored(msg, color), file=file)
 
-    def shell_output(self, arg):
-        self(f"[$ {arg}]", file=sys.stderr)
-        return subprocess.check_output(arg, shell=True).decode()
+    def shell_output(self, arg, no_print=False, timeout=10):
+        if not no_print:
+            self(f"[$ {arg}]", file=sys.stderr)
+            output = subprocess.STDOUT
+        else:
+            output = subprocess.DEVNULL
+        return subprocess.check_output(
+            arg, shell=True, timeout=timeout, stderr=output
+        ).decode()
 
     def check_call(self, arg, env=None, quiet=False):
         if not quiet:

cmdeploy/src/cmdeploy/deploy.py

@@ -1,18 +1,16 @@
 import os
+import importlib.resources
 import pyinfra
 from cmdeploy import deploy_chatmail
 
 
 def main():
-    mail_domain = os.getenv("CHATMAIL_DOMAIN")
-    mail_server = os.getenv("CHATMAIL_SERVER", mail_domain)
-    dkim_selector = os.getenv("CHATMAIL_DKIM_SELECTOR", "dkim")
+    config_path = os.getenv(
+        "CHATMAIL_INI",
+        importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
+    )
 
-    assert mail_domain
-    assert mail_server
-    assert dkim_selector
-
-    deploy_chatmail(mail_domain, mail_server, dkim_selector)
+    deploy_chatmail(config_path)
 
 
 if pyinfra.is_cli:

cmdeploy/src/cmdeploy/dns.py

@@ -0,0 +1,205 @@
+import sys
+
+import requests
+import importlib
+import subprocess
+import datetime
+from ipaddress import ip_address
+
+
+class DNS:
+    def __init__(self, out, mail_domain):
+        self.session = requests.Session()
+        self.out = out
+        self.ssh = f"ssh root@{mail_domain} -- "
+        try:
+            self.shell(f"unbound-control flush_zone {mail_domain}")
+        except subprocess.CalledProcessError:
+            pass
+
+    def shell(self, cmd):
+        try:
+            return self.out.shell_output(f"{self.ssh}{cmd}", no_print=True)
+        except (subprocess.CalledProcessError, subprocess.TimeoutExpired) as e:
+            if "exit status 255" in str(e) or "timed out" in str(e):
+                self.out.red(f"Error: can't reach the server with: {self.ssh[:-4]}")
+                sys.exit(1)
+            else:
+                raise
+
+    def get_ipv4(self):
+        cmd = "ip a | grep 'inet ' | grep 'scope global' | grep -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' | head -1"
+        return self.shell(cmd).strip()
+
+    def get_ipv6(self):
+        cmd = "ip a | grep inet6 | grep 'scope global' | sed -e 's#/64 scope global##' | sed -e 's#inet6##'"
+        return self.shell(cmd).strip()
+
+    def get(self, typ: str, domain: str) -> str | None:
+        """Get a DNS entry"""
+        dig_result = self.shell(f"dig -r -q {domain} -t {typ} +short")
+        line = dig_result.partition("\n")[0]
+        if line:
+            return line
+
+    def check_ptr_record(self, ip: str, mail_domain) -> bool:
+        """Check the PTR record for an IPv4 or IPv6 address."""
+        result = self.shell(f"dig -r -x {ip} +short").rstrip()
+        return result == f"{mail_domain}."
+
+
+def show_dns(args, out):
+    template = importlib.resources.files(__package__).joinpath("chatmail.zone.f")
+    mail_domain = args.config.mail_domain
+    ssh = f"ssh root@{mail_domain}"
+    dns = DNS(out, mail_domain)
+
+    def read_dkim_entries(entry):
+        lines = []
+        for line in entry.split("\n"):
+            if line.startswith(";") or not line.strip():
+                continue
+            line = line.replace("\t", " ")
+            lines.append(line)
+        return "\n".join(lines)
+
+    print("Checking your DKIM keys and DNS entries...")
+    try:
+        acme_account_url = out.shell_output(f"{ssh} -- acmetool account-url")
+    except subprocess.CalledProcessError:
+        print("Please run `cmdeploy run` first.")
+        return
+    dkim_entry = read_dkim_entries(out.shell_output(f"{ssh} -- opendkim-genzone -F"))
+
+    ipv6 = dns.get_ipv6()
+    reverse_ipv6 = dns.check_ptr_record(ipv6, mail_domain)
+    ipv4 = dns.get_ipv4()
+    reverse_ipv4 = dns.check_ptr_record(ipv4, mail_domain)
+    to_print = []
+
+    with open(template, "r") as f:
+        zonefile = (
+            f.read()
+            .format(
+                acme_account_url=acme_account_url,
+                email=f"root@{args.config.mail_domain}",
+                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
+                chatmail_domain=args.config.mail_domain,
+                dkim_entry=dkim_entry,
+                ipv6=ipv6,
+                ipv4=ipv4,
+            )
+            .strip()
+        )
+        try:
+            with open(args.zonefile, "w+") as zf:
+                zf.write(zonefile)
+                print(f"DNS records successfully written to: {args.zonefile}")
+            return
+        except TypeError:
+            pass
+        started_dkim_parsing = False
+        for line in zonefile.splitlines():
+            line = line.format(
+                acme_account_url=acme_account_url,
+                email=f"root@{args.config.mail_domain}",
+                sts_id=datetime.datetime.now().strftime("%Y%m%d%H%M"),
+                chatmail_domain=args.config.mail_domain,
+                dkim_entry=dkim_entry,
+                ipv6=ipv6,
+            ).strip()
+            for typ in ["A", "AAAA", "CNAME", "CAA"]:
+                if f" {typ} " in line:
+                    domain, value = line.split(f" {typ} ")
+                    current = dns.get(typ, domain.strip()[:-1])
+                    if current != value.strip():
+                        to_print.append(line)
+            if " MX " in line:
+                domain, typ, prio, value = line.split()
+                current = dns.get(typ, domain[:-1])
+                if not current:
+                    to_print.append(line)
+                elif current.split()[1] != value:
+                    print(line.replace(prio, str(int(current[0]) + 1)))
+            if " SRV " in line:
+                domain, typ, prio, weight, port, value = line.split()
+                current = dns.get("SRV", domain[:-1])
+                if current != f"{prio} {weight} {port} {value}":
+                    to_print.append(line)
+            if "  TXT " in line:
+                domain, value = line.split(" TXT ")
+                current = dns.get("TXT", domain.strip()[:-1])
+                if domain.startswith("_mta-sts."):
+                    if current:
+                        if current.split("id=")[0] == value.split("id=")[0]:
+                            continue
+                if current != value:
+                    to_print.append(line)
+            if " IN TXT ( " in line:
+                started_dkim_parsing = True
+                dkim_lines = [line]
+            if started_dkim_parsing and line.startswith('"'):
+                dkim_lines.append(" " + line)
+        domain, data = "\n".join(dkim_lines).split(" IN TXT ")
+        current = dns.get("TXT", domain.strip()[:-1])
+        if current:
+            current = "( %s )" % (current.replace('" "', '"\n "'))
+            if current.replace(";", "\\;") != data:
+                to_print.append(dkim_entry)
+        else:
+            to_print.append(dkim_entry)
+
+    if to_print:
+        to_print.insert(
+            0, "You should configure the following DNS entries at your provider:\n"
+        )
+        to_print.append(
+            "\nIf you already configured the DNS entries, wait a bit until the DNS entries propagate to the Internet."
+        )
+        print("\n".join(to_print))
+    else:
+        out.green("Great! All your DNS entries are correct.")
+
+    to_print = []
+    if not reverse_ipv4:
+        to_print.append(f"\tIPv4:\t{ipv4}\t{args.config.mail_domain}")
+    if not reverse_ipv6:
+        to_print.append(f"\tIPv6:\t{ipv6}\t{args.config.mail_domain}")
+    if len(to_print) > 0:
+        if len(to_print) == 1:
+            warning = "You should add the following PTR/reverse DNS entry:"
+        else:
+            warning = "You should add the following PTR/reverse DNS entries:"
+        out.red(warning)
+        for entry in to_print:
+            print(entry)
+        print(
+            "You can do so at your hosting provider (maybe this isn't your DNS provider)."
+        )
+
+
+def check_necessary_dns(out, mail_domain):
+    """Check whether $mail_domain and mta-sts.$mail_domain resolve."""
+    dns = DNS(out, mail_domain)
+    ipv4 = dns.get("A", mail_domain)
+    ipv6 = dns.get("AAAA", mail_domain)
+    mta_entry = dns.get("CNAME", "mta-sts." + mail_domain)
+    mta_ip = dns.get("A", mta_entry)
+    if not mta_ip:
+        mta_ip = dns.get("AAAA", mta_entry)
+    to_print = []
+    if not (ipv4 or ipv6):
+        to_print.append(f"\t{mail_domain}.\t\t\tA<your server's IPv4 address>")
+    if not mta_ip or not (mta_ip == ipv4 or mta_ip == ipv6):
+        to_print.append(f"\tmta-sts.{mail_domain}.\tCNAME\t{mail_domain}.")
+    if to_print:
+        to_print.insert(
+            0,
+            "\nFor chatmail to work, you need to configure this at your DNS provider:\n",
+        )
+        for line in to_print:
+            print(line)
+        print()
+    else:
+        dns.out.green("\nAll necessary DNS entries seem to be set.")
+        return True

cmdeploy/src/cmdeploy/dovecot/auth.conf

@@ -1,5 +1,10 @@
 uri = proxy:/run/dovecot/doveauth.socket:auth
 iterate_disable = yes
 default_pass_scheme = plain
-password_key = passdb/%w/%u
-user_key = userdb/%u
+# %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
+# See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
+# for documentation.
+#
+# We escape user-provided input and use double quote as a separator.
+password_key = passdb/%Ew"%Eu
+user_key = userdb/%Eu

cmdeploy/src/cmdeploy/dovecot/expunge.cron.j2

@@ -1,4 +1,10 @@
-2 0 * * * dovecot doveadm expunge -A SEEN BEFORE {{ config.delete_mails_after }} INBOX
-2 0 * * * dovecot doveadm expunge -A SEEN BEFORE {{ config.delete_mails_after }} Deltachat
-2 0 * * * dovecot doveadm expunge -A SEEN BEFORE {{ config.delete_mails_after }} Trash
-2 30 * * * dovecot doveadm purge -A
+# delete all mails after {{ config.delete_mails_after }} days, in the Inbox
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/cur -mtime +{{ config.delete_mails_after }} -type f -delete
+# or in any IMAP subfolder
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/cur -mtime +{{ config.delete_mails_after }} -type f -delete
+# even if they are unseen
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/new -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/new -mtime +{{ config.delete_mails_after }} -type f -delete
+# or only temporary (but then they shouldn't be around after {{ config.delete_mails_after }} days anyway).
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/tmp -mtime +{{ config.delete_mails_after }} -type f -delete
+2 0 * * * dovecot find /home/vmail/mail/{{ config.mail_domain }}/*/.*/tmp -mtime +{{ config.delete_mails_after }} -type f -delete

cmdeploy/src/cmdeploy/metrics.cron.j2

@@ -0,0 +1 @@
+*/5 * * * * root {{ config.execpath }} /home/vmail/mail/{{ config.mail_domain }} >/var/www/html/metrics

cmdeploy/src/cmdeploy/nginx/nginx.conf.j2

@@ -41,15 +41,11 @@ http {
 			try_files $uri $uri/ =404;
 		}
 
+                location /metrics {
+                        default_type text/plain;
+                }
+
         # add cgi-bin support
         include /usr/share/doc/fcgiwrap/examples/nginx.conf;
 	}
-    server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
-        server_name _;
-
-        return 301 https://$host$request_uri;
-    }
 }
-

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -11,9 +11,8 @@ append_dot_mydomain = no
 
 readme_directory = no
 
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
+# See http://www.postfix.org/COMPATIBILITY_README.html
+compatibility_level = 3.6
 
 # TLS parameters
 smtpd_tls_cert_file=/var/lib/acme/live/{{ config.mail_domain }}/fullchain

cmdeploy/src/cmdeploy/tests/online/test_0_login.py

@@ -2,6 +2,16 @@ import pytest
 import threading
 import queue
 
+from chatmaild.config import read_config
+from cmdeploy.cmdeploy import main
+
+
+def test_init(tmp_path, maildomain):
+    inipath = tmp_path.joinpath("chatmail.ini")
+    main(["init", "--config", str(inipath), maildomain])
+    config = read_config(inipath)
+    assert config.mail_domain == maildomain
+
 
 def test_login_basic_functioning(imap_or_smtp, gencreds, lp):
     """Test a) that an initial login creates a user automatically

cmdeploy/src/cmdeploy/tests/online/test_0_qr.py

@@ -14,3 +14,12 @@ def test_fastcgi_working(maildomain, chatmail_config):
     res = requests.post(url)
     assert maildomain in res.json().get("email")
     assert len(res.json().get("password")) > chatmail_config.password_min_length
+
+
+def test_newemail_configure(maildomain, rpc):
+    """Test configuring accounts by scanning a QR code works."""
+    url = f"DCACCOUNT:https://{maildomain}/cgi-bin/newemail.py"
+    for i in range(3):
+        account_id = rpc.add_account()
+        rpc.set_config_from_qr(account_id, url)
+        rpc.configure(account_id)

cmdeploy/src/cmdeploy/tests/test_cmdeploy.py

@@ -2,7 +2,6 @@ import os
 
 import pytest
 from cmdeploy.cmdeploy import get_parser, main
-from chatmaild.config import read_config
 
 
 @pytest.fixture(autouse=True)
@@ -21,12 +20,7 @@ class TestCmdline:
         run = parser.parse_args(["run"])
         assert init and run
 
-    def test_init(self, tmp_path):
-        main(["init", "chat.example.org"])
-        inipath = tmp_path.joinpath("chatmail.ini")
-        config = read_config(inipath)
-        assert config.mail_domain == "chat.example.org"
-
+    @pytest.mark.xfail(reason="init doesn't exit anymore, check for CLI output instead")
     def test_init_not_overwrite(self):
         main(["init", "chat.example.org"])
         with pytest.raises(SystemExit):

cmdeploy/src/cmdeploy/www.py

@@ -36,29 +36,6 @@ def build_webpages(src_dir, build_dir, config):
         print(traceback.format_exc())
 
 
-def timespan_to_english(timespan):
-    val = int(timespan[:-1])
-    c = timespan[-1].lower()
-    match c:
-        case "y":
-            return f"{val} years"
-        case "m":
-            return f"{val} months"
-        case "w":
-            return f"{val} weeks"
-        case "d":
-            return f"{val} days"
-        case "h":
-            return f"{val} hours"
-        case "c":
-            return f"{val} seconds"
-        case _:
-            raise ValueError(
-                c
-                + " is not a valid time unit. Try [y]ears, [w]eeks, [d]ays, or [h]ours"
-            )
-
-
 def int_to_english(number):
     if number >= 0 and number <= 12:
         a = [
@@ -104,9 +81,6 @@ def _build_webpages(src_dir, build_dir, config):
             render_vars["password_min_length"] = int_to_english(
                 config.password_min_length
             )
-            render_vars["delete_mails_after"] = timespan_to_english(
-                config.delete_mails_after
-            )
             target = build_dir.joinpath(path.stem + ".html")
 
             # recursive jinja2 rendering

www/src/index.md

@@ -14,7 +14,6 @@ Welcome to instant, interoperable and [privacy-preserving](privacy.html) messagi
 
 💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
 
-<div class="experimental">Note: this is an experimental service</div>
-
-
-
+{% if config.mail_domain != "nine.testrun.org" %}
+<div class="experimental">Note: this is only a temporary development chatmail service</div>
+{% endif %}

www/src/info.md

@@ -3,6 +3,11 @@
 
 ## More information 
 
+`nine.testrun.org` provides a low-maintenance, resource efficient and 
+interoperable e-mail service for everyone. What's behind a `chatmail` is 
+effectively a normal e-mail address just like any other but optimized 
+for the usage in chats, especially DeltaChat.
+
 ### Choosing a chatmail address instead of using a random one
 
 In the Delta Chat account setup 
@@ -37,7 +42,7 @@ The first login sets your password.
 
 - You may send up to {{ config.max_user_send_per_minute }} messages per minute.
 
-- Seen messages are removed {{ delete_mails_after }} after arriving on the server.
+- Messages are unconditionally removed {{ config.delete_mails_after }} days after arriving on the server.
 
 - You can store up to [{{ config.max_mailbox_size }} messages on the server](https://delta.chat/en/help#what-happens-if-i-turn-on-delete-old-messages-from-server).
 

www/src/privacy.md

@@ -62,7 +62,7 @@ we process the following data and details:
 Creating an account happens in one of two ways on our mail servers: 
 
 - with a QR invitation token 
-  which is scanned using the DeltaChat app
+  which is scanned using the Delta Chat app
   and then the account is created.
 
 - by letting Delta Chat otherwise create an account