dictproxy: use crypt instead of doveadm pw

Set syslog name for reinject proxy
Turn filtermail into a beforequeue handler and implement rate limit
2026-05-11 16:34:39 +00:00 · 2023-10-20 08:30:36 +00:00 · 2023-10-19 03:22:27 +00:00 · 2023-10-19 03:04:00 +00:00 · 2023-10-19 02:22:38 +00:00 · 2023-10-19 02:22:30 +00:00
49 changed files with 1890 additions and 320 deletions
--- a/README.md
+++ b/README.md
@@ -1,20 +1,59 @@
 # Chat Mail server configuration
-This package deploys Postfix and Dovecot servers, including OpenDKIM for DKIM signing.
+This repository setups a ready-to-go chatmail instance
 comprised of a minimal setup of the battle-tested 
 [postfix smtp server](https://www.postfix.org) and [dovecot imap server](https://www.dovecot.org).
-Postfix uses Dovecot for authentication as described in <https://www.postfix.org/SASL_README.html#server_dovecot>
+## Getting started 
-## Ports
+1. prepare your local system:
    scripts/init.sh 
 2. set environment variable to the chatmail domain you want to setup:
    export CHATMAIL_DOMAIN=c1.testrun.org   # replace with your host
 3. run the deploy of the chat mail instance: 
    scripts/deploy.sh 
 ## Running tests and benchmarks (offline and online) 
 1. Set `CHATMAIL_SSH` so that `ssh root@$CHATMAIL_SSH` allows 
   to login to the chatmail instance server. 
 2. To run local and online tests: 
    scripts/test.sh 
 3. To run benchmarks against your chatmail instance: 
    scripts/bench.sh 
 ## Running tests (offline and online) 
 ```
 ## Dovecot/Postfix configuration
 ### Ports
 Postfix listens on ports 25 (smtp) and 587 (submission) and 465 (submissions).
 Dovecot listens on ports 143(imap) and 993 (imaps).
 ## DNS
-For DKIM you must add a DNS entry as in /etc/opendkim/selector.txt (where selector is the opendkim_selector configured in the chatmail inventory).
+For DKIM you must add a DNS entry as found in /etc/opendkim/selector.txt on your chatmail instance.
 The above `scripts/deploy.sh` prints out the DKIM selector and DNS entry you
 need to setup with your DNS provider. 
-## Run with pyinfra
+## Emergency Commands
 If you need to stop account creation,
 e.g. because some script is wildly creating accounts,
 just run `touch /tmp/nocreate`.
 You can remove the file
 as soon as the attacker was banned
 by different means.
 ```
 CHATMAIL_DOMAIN=c1.testrun.org pyinfra --ssh-user root c1.testrun.org deploy.py
 ```
--- a/chatmaild/README.md
+++ b/chatmaild/README.md
@@ -0,0 +1,5 @@
 # chatmaild
 chatmaild provides dovecot autentication
 to create dovecot users on login
 and mail filtering.
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -0,0 +1,34 @@
 [build-system]
 requires = ["setuptools>=45"]
 build-backend = "setuptools.build_meta"
 [project]
 name = "chatmaild"
 version = "0.1"
 dependencies = [
  "aiosmtpd"
 ]
 [project.scripts]
 doveauth-dictproxy = "chatmaild.dictproxy:main"
 filtermail = "chatmaild.filtermail:main"
 [tool.pytest.ini_options]
 addopts = "-v -ra --strict-markers"
 [tool.tox]
 legacy_tox_ini = """
 [tox]
 isolated_build = true
 envlist = lint
 [testenv:lint]
 skipdist = True
 skip_install = True
 deps =
  ruff
  black
 commands =
  black --quiet --check --diff src/
  ruff src/
 """
--- a/chatmaild/src/chatmaild/init.py
+++ b/chatmaild/src/chatmaild/init.py
--- a/chatmaild/src/chatmaild/database.py
+++ b/chatmaild/src/chatmaild/database.py
@@ -0,0 +1,140 @@
 import sqlite3
 import contextlib
 import time
 from pathlib import Path
 class DBError(Exception):
    """error during an operation on the database."""
 class Connection:
    def __init__(self, sqlconn, write):
        self._sqlconn = sqlconn
        self._write = write
    def close(self):
        self._sqlconn.close()
    def commit(self):
        self._sqlconn.commit()
    def rollback(self):
        self._sqlconn.rollback()
    def execute(self, query, params=()):
        cur = self.cursor()
        try:
            cur.execute(query, params)
        except sqlite3.IntegrityError as e:
            raise DBError(e)
        return cur
    def cursor(self):
        return self._sqlconn.cursor()
    def create_user(self, addr: str, password: str):
        """Create a row in the users table."""
        self.execute("PRAGMA foreign_keys=on")
        q = """INSERT INTO users (addr, password, last_login)
               VALUES (?, ?, ?)"""
        self.execute(q, (addr, password, int(time.time())))
    def get_user(self, addr: str) -> {}:
        """Get a row from the users table."""
        q = "SELECT addr, password, last_login from users WHERE addr = ?"
        row = self._sqlconn.execute(q, (addr,)).fetchone()
        result = {}
        if row:
            result = dict(
                user=row[0],
                password=row[1],
                last_login=row[2],
            )
        return result
 class Database:
    def __init__(self, path: str):
        self.path = Path(path)
        self.ensure_tables()
    def _get_connection(
        self, write=False, transaction=False, closing=False
    ) -> Connection:
        # we let the database serialize all writers at connection time
        # to play it very safe (we don't have massive amounts of writes).
        mode = "ro"
        if write:
            mode = "rw"
        if not self.path.exists():
            mode = "rwc"
        uri = "file:%s?mode=%s" % (self.path, mode)
        sqlconn = sqlite3.connect(
            uri,
            timeout=60,
            isolation_level=None if transaction else "DEFERRED",
            uri=True,
        )
        # Enable Write-Ahead Logging to avoid readers blocking writers and vice versa.
        if write:
            sqlconn.execute("PRAGMA journal_mode=wal")
        if transaction:
            start_time = time.time()
            while 1:
                try:
                    sqlconn.execute("begin immediate")
                    break
                except sqlite3.OperationalError:
                    # another thread may be writing, give it a chance to finish
                    time.sleep(0.1)
                    if time.time() - start_time > 5:
                        # if it takes this long, something is wrong
                        raise
        conn = Connection(sqlconn, write=write)
        if closing:
            conn = contextlib.closing(conn)
        return conn
    @contextlib.contextmanager
    def write_transaction(self):
        conn = self._get_connection(closing=False, write=True, transaction=True)
        try:
            yield conn
        except Exception:
            conn.rollback()
            conn.close()
            raise
        else:
            conn.commit()
            conn.close()
    def read_connection(self, closing=True) -> Connection:
        return self._get_connection(closing=closing, write=False)
    def get_schema_version(self) -> int:
        with self.read_connection() as conn:
            dbversion = conn.execute("PRAGMA user_version").fetchone()[0]
        return dbversion
    CURRENT_DBVERSION = 1
    def ensure_tables(self):
        with self.write_transaction() as conn:
            if self.get_schema_version() > 1:
                raise DBError(
                    "version is %s; downgrading schema is not supported"
                    % (self.get_schema_version(),)
                )
            conn.execute(
                """
                CREATE TABLE IF NOT EXISTS users (
                    addr TEXT PRIMARY KEY,
                    password TEXT,
                    last_login INTEGER
                )
            """,
            )
            conn.execute("PRAGMA user_version=%s" % (self.CURRENT_DBVERSION,))
--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -0,0 +1,119 @@
 import logging
 import os
 import sys
 import json
 import crypt
 from socketserver import (
    UnixStreamServer,
    StreamRequestHandler,
    ThreadingMixIn,
 )
 import pwd
 from .database import Database
 NOCREATE_FILE = "/etc/chatmail-nocreate"
 def encrypt_password(password: str):
    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    passhash = crypt.crypt(password, crypt.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash
 def create_user(db, user, password):
    if os.path.exists(NOCREATE_FILE):
        logging.warning(
            f"Didn't create account: {NOCREATE_FILE} exists. Delete the file to enable account creation."
        )
        return
    with db.write_transaction() as conn:
        conn.create_user(user, password)
    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
 def get_user_data(db, user):
    with db.read_connection() as conn:
        result = conn.get_user(user)
    if result:
        result["uid"] = "vmail"
        result["gid"] = "vmail"
    return result
 def lookup_userdb(db, user):
    return get_user_data(db, user)
 def lookup_passdb(db, user, password):
    userdata = get_user_data(db, user)
    if not userdata:
        return create_user(db, user, encrypt_password(password))
    userdata["password"] = userdata["password"].strip()
    return userdata
 def handle_dovecot_request(msg, db, mail_domain):
    print(f"received msg: {msg!r}", file=sys.stderr)
    short_command = msg[0]
    if short_command == "L":  # LOOKUP
        parts = msg[1:].split("\t")
        keyname, user = parts[:2]
        namespace, type, *args = keyname.split("/")
        reply_command = "F"
        res = ""
        if namespace == "shared":
            if type == "userdb":
                if user.endswith(f"@{mail_domain}"):
                    res = lookup_userdb(db, user)
                if res:
                    reply_command = "O"
                else:
                    reply_command = "N"
            elif type == "passdb":
                if user.endswith(f"@{mail_domain}"):
                    res = lookup_passdb(db, user, password=args[0])
                if res:
                    reply_command = "O"
                else:
                    reply_command = "N"
        print(f"res: {res!r}", file=sys.stderr)
        json_res = json.dumps(res) if res else ""
        return f"{reply_command}{json_res}\n"
    return None
 class ThreadedUnixStreamServer(ThreadingMixIn, UnixStreamServer):
    pass
 def main():
    socket = sys.argv[1]
    passwd_entry = pwd.getpwnam(sys.argv[2])
    db = Database(sys.argv[3])
    with open("/etc/mailname", "r") as fp:
        mail_domain = fp.read().strip()
    class Handler(StreamRequestHandler):
        def handle(self):
            while True:
                msg = self.rfile.readline().strip().decode()
                if not msg:
                    break
                res = handle_dovecot_request(msg, db, mail_domain)
                if res:
                    print(f"sending result: {res!r}", file=sys.stderr)
                    self.wfile.write(res.encode("ascii"))
                    self.wfile.flush()
    try:
        os.unlink(socket)
    except FileNotFoundError:
        pass
    with ThreadedUnixStreamServer(socket, Handler) as server:
        os.chown(socket, uid=passwd_entry.pw_uid, gid=passwd_entry.pw_gid)
        try:
            server.serve_forever()
        except KeyboardInterrupt:
            pass
--- a/chatmaild/src/chatmaild/doveauth-dictproxy.service
+++ b/chatmaild/src/chatmaild/doveauth-dictproxy.service
@@ -0,0 +1,10 @@
 [Unit]
 Description=Dict authentication proxy for dovecot
 [Service]
 ExecStart=/usr/local/bin/doveauth-dictproxy /run/dovecot/doveauth.socket vmail /home/vmail/passdb.sqlite
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -0,0 +1,126 @@
 #!/usr/bin/env python3
 import asyncio
 import logging
 import time
 import sys
 from email.parser import BytesParser
 from email import policy
 from email.utils import parseaddr
 from aiosmtpd.smtp import SMTP
 from aiosmtpd.controller import Controller
 from smtplib import SMTP as SMTPClient
 def check_encrypted(message):
    """Check that the message is an OpenPGP-encrypted message."""
    if not message.is_multipart():
        return False
    if message.get("subject") != "...":
        return False
    if message.get_content_type() != "multipart/encrypted":
        return False
    parts_count = 0
    for part in message.iter_parts():
        if parts_count == 0:
            if part.get_content_type() != "application/pgp-encrypted":
                return False
        elif parts_count == 1:
            if part.get_content_type() != "application/octet-stream":
                return False
        else:
            return False
        parts_count += 1
    return True
 class SMTPController(Controller):
    def factory(self):
        return SMTP(self.handler, **self.SMTP_kwargs)
 class BeforeQueueHandler:
    def __init__(self):
        self.send_rate_limiter = SendRateLimiter()
    async def handle_MAIL(self, server, session, envelope, address, mail_options):
        logging.info(f"handle_MAIL from {address}")
        envelope.mail_from = address
        if not self.send_rate_limiter.is_sending_allowed(address):
            return f"450 4.7.1: Too much mail from {address}"
        parts = envelope.mail_from.split("@")
        if len(parts) != 2:
            return f"500 Invalid from address <{envelope.mail_from!r}>"
        return "250 OK"
    async def handle_DATA(self, server, session, envelope):
        logging.info("handle_DATA before-queue")
        error = check_DATA(envelope)
        if error:
            return error
        logging.info("re-injecting the mail that passed checks")
        client = SMTPClient("localhost", "10025")
        client.sendmail(envelope.mail_from, envelope.rcpt_tos, envelope.content)
        return "250 OK"
 async def asyncmain_beforequeue(port):
    Controller(BeforeQueueHandler(), hostname="127.0.0.1", port=port).start()
 def check_DATA(envelope):
    """the central filtering function for e-mails."""
    logging.info(f"Processing DATA message from {envelope.mail_from}")
    message = BytesParser(policy=policy.default).parsebytes(envelope.content)
    mail_encrypted = check_encrypted(message)
    _, from_addr = parseaddr(message.get("from").strip())
    logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}")
    if envelope.mail_from.lower() != from_addr.lower():
        return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
    envelope_from_domain = from_addr.split("@").pop()
    for recipient in envelope.rcpt_tos:
        if envelope.mail_from == recipient:
            # Always allow sending emails to self.
            continue
        res = recipient.split("@")
        if len(res) != 2:
            return f"500 Invalid address <{recipient}>"
        _recipient_addr, recipient_domain = res
        is_outgoing = recipient_domain != envelope_from_domain
        if is_outgoing and not mail_encrypted:
            is_securejoin = message.get("secure-join") in ["vc-request", "vg-request"]
            if not is_securejoin:
                return f"500 Invalid unencrypted mail to <{recipient}>"
 class SendRateLimiter:
    MAX_USER_SEND_PER_MINUTE = 80
    def __init__(self):
        self.addr2timestamps = {}
    def is_sending_allowed(self, mail_from):
        last = self.addr2timestamps.setdefault(mail_from, [])
        now = time.time()
        last[:] = [ts for ts in last if ts >= (now - 60)]
        if len(last) <= self.MAX_USER_SEND_PER_MINUTE:
            last.append(now)
            return True
        return False
 def main():
    args = sys.argv[1:]
    assert len(args) == 1
    logging.basicConfig(level=logging.INFO)
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
    task = asyncmain_beforequeue(port=int(args[0]))
    loop.create_task(task)
    loop.run_forever()
--- a/chatmaild/src/chatmaild/filtermail.service
+++ b/chatmaild/src/chatmaild/filtermail.service
@@ -0,0 +1,10 @@
 [Unit]
 Description=Chatmail Postfix BeforeQeue filter 
 [Service]
 ExecStart=/usr/local/bin/filtermail 10080
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/chatmaild/src/chatmaild/test_doveauth.py
+++ b/chatmaild/src/chatmaild/test_doveauth.py
@@ -0,0 +1,53 @@
 import os
 import pytest
 import chatmaild.dictproxy
 from .dictproxy import get_user_data, lookup_passdb
 from .database import Database, DBError
@pytest.fixture()
 def db(tmpdir):
    db_path = tmpdir / "passdb.sqlite"
    print("database path:", db_path)
    return Database(db_path)
 def test_basic(db):
    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
    if os.path.exists(chatmaild.dictproxy.NOCREATE_FILE):
        os.remove(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "link2xt@c1.testrun.org", "asdf")
    data = get_user_data(db, "link2xt@c1.testrun.org")
    assert data
 def test_dont_overwrite_password_on_wrong_login(db):
    """Test that logging in with a different password doesn't create a new user"""
    res = lookup_passdb(db, "newuser1@something.org", "kajdlkajsldk12l3kj1983")
    assert res["password"]
    res2 = lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
    # this function always returns a password hash, which is actually compared by dovecot.
    assert res["password"] == res2["password"]
 def test_nocreate_file(db):
    chatmaild.dictproxy.NOCREATE_FILE = "/tmp/nocreate"
    with open(chatmaild.dictproxy.NOCREATE_FILE, "w+") as f:
        f.write("")
    assert os.path.exists(chatmaild.dictproxy.NOCREATE_FILE)
    lookup_passdb(db, "newuser1@something.org", "kajdlqweqwe")
    assert not get_user_data(db, "newuser1@something.org")
    os.remove(chatmaild.dictproxy.NOCREATE_FILE)
 def test_db_version(db):
    assert db.get_schema_version() == 1
 def test_too_high_db_version(db):
    with db.write_transaction() as conn:
        conn.execute("PRAGMA user_version=%s;" % (999,))
    with pytest.raises(DBError):
        db.ensure_tables()
--- a/chatmaild/src/chatmaild/test_filtermail.py
+++ b/chatmaild/src/chatmaild/test_filtermail.py
@@ -0,0 +1,338 @@
 from .filtermail import check_encrypted, check_DATA, SendRateLimiter
 from email.parser import BytesParser
 from email import policy
 import pytest
 def test_reject_forged_from():
    def makemail(from_addr):
        return BytesParser(policy=policy.default).parsebytes(
            "\r\n".join(
                [
                    f"From: <{from_addr}",
                    "To: <barbaz@c3.testrun.org>",
                    "Date: Sun, 15 Oct 2023 16:41:44 +0000",
                    "Message-ID: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                    "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                    "Chat-Version: 1.0",
                    "MIME-Version: 1.0",
                    "Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no",
                    "",
                    "Hi!",
                    "",
                    "",
                ]
            ).encode()
        )
    class envelope:
        mail_from = "bob@c3.testrun.org"
        rcpt_tos = ["somebody@c3.testrun.org"]
    # test that the filter lets good mail through
    envelope.content = makemail(envelope.mail_from).as_bytes()
    assert not check_DATA(envelope=envelope)
    # test that the filter rejects forged mail
    envelope.content = makemail("forged@c3.testrun.org").as_bytes()
    error = check_DATA(envelope=envelope)
    assert "500" in error
 def test_filtermail():
    def check_encrypted_bstr(content):
        message = BytesParser(policy=policy.default).parsebytes(content)
        return check_encrypted(message)
    assert not check_encrypted_bstr(b"foo")
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
                "Chat-Disposition-Notification-To: foobar@c2.testrun.org",
                "Chat-User-Avatar: 0",
                "From: <foobar@c2.testrun.org>",
                "To: <barbaz@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:41:44 +0000",
                "Message-ID: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "Chat-Version: 1.0",
                "Autocrypt: addr=foobar@c2.testrun.org; prefer-encrypt=mutual;",
                "\tkeydata=xjMEZSrw3hYJKwYBBAHaRw8BAQdAiEKNQFU28c6qsx4vo/JHdt73RXdjMOmByf/XsGiJ7m",
                "\tnNFzxmb29iYXJAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUq8N4CGwMECwkIBwYVCAkKCwID",
                "\tFgIBFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJCX3gEAhm0MehE5byBBU1avPczr/I",
                "\tHjNLht7Qf6++mAhlJmtDcA/0C8VYJhsUpmiDjuZaMDWNv4FO2BJG6LH7gSm6n7ClMJzjgEZSrw3hIK",
                "\tKwYBBAGXVQEFAQEHQAxGG/QW0owCfMp1A+vXEMwgzWcBpNFr58kX2eXuPpM6AwEIB8J4BBgWCAAgBQ",
                "\tJlKvDeAhsMFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJDg1gEAwLf8KDoAAKyYgjyI",
                "\tvYvO9VEgBni1C4Xx1VjcaEmlDK8BALoFuUCK+enw76TtDcAUKhlhUiM6SDRExkS4Nskp/BcK",
                "MIME-Version: 1.0",
                "Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no",
                "",
                "Hi!",
                "",
                "",
            ]
        ).encode()
    )
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
                "Chat-Disposition-Notification-To: foobar@c2.testrun.org",
                "Chat-User-Avatar: 0",
                "From: <foobar@c2.testrun.org>",
                "To: <barbaz@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:41:44 +0000",
                "Message-ID: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "Chat-Version: 1.0",
                "Autocrypt: addr=foobar@c2.testrun.org; prefer-encrypt=mutual;",
                "\tkeydata=xjMEZSrw3hYJKwYBBAHaRw8BAQdAiEKNQFU28c6qsx4vo/JHdt73RXdjMOmByf/XsGiJ7m",
                "\tnNFzxmb29iYXJAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUq8N4CGwMECwkIBwYVCAkKCwID",
                "\tFgIBFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJCX3gEAhm0MehE5byBBU1avPczr/I",
                "\tHjNLht7Qf6++mAhlJmtDcA/0C8VYJhsUpmiDjuZaMDWNv4FO2BJG6LH7gSm6n7ClMJzjgEZSrw3hIK",
                "\tKwYBBAGXVQEFAQEHQAxGG/QW0owCfMp1A+vXEMwgzWcBpNFr58kX2eXuPpM6AwEIB8J4BBgWCAAgBQ",
                "\tJlKvDeAhsMFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJDg1gEAwLf8KDoAAKyYgjyI",
                "\tvYvO9VEgBni1C4Xx1VjcaEmlDK8BALoFuUCK+enw76TtDcAUKhlhUiM6SDRExkS4Nskp/BcK",
                "MIME-Version: 1.0",
                "Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no",
                "",
                "Hi!",
                "",
                "",
            ]
        ).encode()
    )
    # https://xkcd.com/1181/
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: =?utf-8?q?Message_from_foobar=40c2=2Etestrun=2Eorg?=",
                "Chat-Disposition-Notification-To: foobar@c2.testrun.org",
                "Chat-User-Avatar: 0",
                "From: <foobar@c2.testrun.org>",
                "To: <barbaz@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:41:44 +0000",
                "Message-ID: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "Chat-Version: 1.0",
                "Autocrypt: addr=foobar@c2.testrun.org; prefer-encrypt=mutual;",
                "\tkeydata=xjMEZSrw3hYJKwYBBAHaRw8BAQdAiEKNQFU28c6qsx4vo/JHdt73RXdjMOmByf/XsGiJ7m",
                "\tnNFzxmb29iYXJAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUq8N4CGwMECwkIBwYVCAkKCwID",
                "\tFgIBFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJCX3gEAhm0MehE5byBBU1avPczr/I",
                "\tHjNLht7Qf6++mAhlJmtDcA/0C8VYJhsUpmiDjuZaMDWNv4FO2BJG6LH7gSm6n7ClMJzjgEZSrw3hIK",
                "\tKwYBBAGXVQEFAQEHQAxGG/QW0owCfMp1A+vXEMwgzWcBpNFr58kX2eXuPpM6AwEIB8J4BBgWCAAgBQ",
                "\tJlKvDeAhsMFiEEGil0OvTIa6RngmCLUYNnEa9leJAACgkQUYNnEa9leJDg1gEAwLf8KDoAAKyYgjyI",
                "\tvYvO9VEgBni1C4Xx1VjcaEmlDK8BALoFuUCK+enw76TtDcAUKhlhUiM6SDRExkS4Nskp/BcK",
                "MIME-Version: 1.0",
                "Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no",
                "",
                "-----BEGIN PGP MESSAGE-----",
                "Hi!",
                "-----END PGP MESSAGE-----",
                "",
                "",
            ]
        ).encode()
    )
    assert check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: ...",
                "From: <barbaz@c2.testrun.org>",
                "To: <foobar@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:43:21 +0000",
                "Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>",
                "In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
                "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "\t<Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
                "Chat-Version: 1.0",
                "Autocrypt: addr=barbaz@c2.testrun.org; prefer-encrypt=mutual;",
                "\tkeydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH",
                "\trNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID",
                "\tFgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW",
                "\tXQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK",
                "\tKwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ",
                "\tJlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP",
                "\tIXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO",
                "MIME-Version: 1.0",
                'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
                '\tboundary="YFrteb74qSXmggbOxZL9dRnhymywAi"',
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi",
                "Content-Description: PGP/MIME version identification",
                "Content-Type: application/pgp-encrypted",
                "",
                "Version: 1",
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi",
                "Content-Description: OpenPGP encrypted message",
                'Content-Disposition: inline; filename="encrypted.asc";',
                'Content-Type: application/octet-stream; name="encrypted.asc"',
                "",
                "-----BEGIN PGP MESSAGE-----",
                "",
                "wU4DhW3gBZ/VvCYSAQdA8bMs2spwbKdGjVsL1ByPkNrqD7frpB73maeL6I6SzDYg",
                "O5G53tv339RdKq3WRcCtEEvxjHlUx2XNwXzC04BpmfvBTgNfPUyLDzjXnxIBB0Ae",
                "8ymwGvXMCCimHXN0Dg8Ui62KOi03h0UgheoHWovJSCDF4CKre/xtFr3nL7lq/PKI",
                "JsjVNz7/RK9FSXF6WwfONtLCyQGEuVAsB/KXfCBEyfKhaMwGHvhujRidGW5uV1no",
                "lMGl3ODmo29Lgeu2uSE7EpJRZoe6hU6ddmBkqxax61ZtkaFlGFFpdo2K8balNNdz",
                "ZsJ/9mmI9x3oOJ4/l1nhQbUO9ADbs7gJhFdV5Qkp30b5fCI7bU+aoe1ccBbLe/WM",
                "YUty1PqcuQT7XjA+XmYuL261tvW8pBetT+i33/E2d8PzzYt2IuK9qeevyS+yxdwA",
                "kfwejFWzzsUlJaDxs1x4XOxkMgSj+jo+g12dFOb7fyClsAnq23iDb8AuaT/BScAI",
                "+lO+gher69+6LmM7VGHLG5k762J1jTaQCaKt1s8TAWV99Eo4491vL6fyvk3l/Cfg",
                "RXSwiWFgj19Pn0Rq7CD9v22UE2vdUMBTcV4aw79mClk1YQ23jbF0y5DCjPdJ62Zo",
                "tskBgFt3NoWV80jZ76zIBLrrjLwCCll8JjJtFwSkt2GX5RFBsVa4A8IDht9RtEk7",
                "rrHgbSZQfkauEi/mH3/6CDZoLqSHudUZ7d4MaJwun1TkFYGe2ORwGJd4OBj3oGJp",
                "H8YBwCpk///L/fKjX0Gg3M8nrpM4wrRFhPKidAgO/kcm25X4+ZHlVkWBTCt5RWKI",
                "fHh6oLDZCqCfcgMkE1KKmwfIHaUkhq5BPRigwy6i5dh1DM4+1UCLh3dxzVbqE9b9",
                "61NB19nXdRtDA2sOUnj9ve6m/wEPyCb6/zBQZqvCBYb1/AjdXpUrFT+DbpfyxaXN",
                "XfhDVb5mNqNM/IVj0V5fvTc6vOfYbzQtPm10H+FdWWfb+rJRfyC3MA2w2IqstFe3",
                "w3bu2iE6CQvSqRvge+ZqLKt/NqYwOURiUmpuklbl3kPJ97+mfKWoiqk8Iz1VY+bb",
                "NMUC7aoGv+jcoj+WS6PYO8N6BeRVUUB3ZJSf8nzjgxm1/BcM+UD3BPrlhT11ODRs",
                "baifGbprMWwt3dhb8cQgRT8GPdpO1OsDkzL6iikMjLHWWiA99GV6ruiHsIPw6boW",
                "A6/uSOskbDHOROotKmddGTBd0iiHXAoQsJFt1ZjUkt6EHrgWs+GAvrvKpXs1mrz8",
                "uj3GwEFrHS+Xuf2UDgpszYT3hI2cL/kUtGakVR7m7vVMZqXBUbZdGAEb1PZNPwsI",
                "E4aMK02+EVB+tSN4Fzj99N2YD0inVYt+oPjr2tHhUS6aSGBNS/48Ki47DOg4Sxkn",
                "lkOWnEbCD+XTnbDd",
                "=agR5",
                "-----END PGP MESSAGE-----",
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi--",
                "",
                "",
            ]
        ).encode()
    )
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: Buy Penis Enlargement at www.malicious-domain.com",
                "From: <barbaz@c2.testrun.org>",
                "To: <foobar@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:43:21 +0000",
                "Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>",
                "In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
                "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
                "\t<Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
                "Chat-Version: 1.0",
                "Autocrypt: addr=barbaz@c2.testrun.org; prefer-encrypt=mutual;",
                "\tkeydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH",
                "\trNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID",
                "\tFgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW",
                "\tXQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK",
                "\tKwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ",
                "\tJlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP",
                "\tIXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO",
                "MIME-Version: 1.0",
                'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
                '\tboundary="YFrteb74qSXmggbOxZL9dRnhymywAi"',
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi",
                "Content-Description: PGP/MIME version identification",
                "Content-Type: application/pgp-encrypted",
                "",
                "Version: 1",
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi",
                "Content-Description: OpenPGP encrypted message",
                'Content-Disposition: inline; filename="encrypted.asc";',
                'Content-Type: application/octet-stream; name="encrypted.asc"',
                "",
                "-----BEGIN PGP MESSAGE-----",
                "",
                "wU4DhW3gBZ/VvCYSAQdA8bMs2spwbKdGjVsL1ByPkNrqD7frpB73maeL6I6SzDYg",
                "O5G53tv339RdKq3WRcCtEEvxjHlUx2XNwXzC04BpmfvBTgNfPUyLDzjXnxIBB0Ae",
                "8ymwGvXMCCimHXN0Dg8Ui62KOi03h0UgheoHWovJSCDF4CKre/xtFr3nL7lq/PKI",
                "JsjVNz7/RK9FSXF6WwfONtLCyQGEuVAsB/KXfCBEyfKhaMwGHvhujRidGW5uV1no",
                "lMGl3ODmo29Lgeu2uSE7EpJRZoe6hU6ddmBkqxax61ZtkaFlGFFpdo2K8balNNdz",
                "ZsJ/9mmI9x3oOJ4/l1nhQbUO9ADbs7gJhFdV5Qkp30b5fCI7bU+aoe1ccBbLe/WM",
                "YUty1PqcuQT7XjA+XmYuL261tvW8pBetT+i33/E2d8PzzYt2IuK9qeevyS+yxdwA",
                "kfwejFWzzsUlJaDxs1x4XOxkMgSj+jo+g12dFOb7fyClsAnq23iDb8AuaT/BScAI",
                "+lO+gher69+6LmM7VGHLG5k762J1jTaQCaKt1s8TAWV99Eo4491vL6fyvk3l/Cfg",
                "RXSwiWFgj19Pn0Rq7CD9v22UE2vdUMBTcV4aw79mClk1YQ23jbF0y5DCjPdJ62Zo",
                "tskBgFt3NoWV80jZ76zIBLrrjLwCCll8JjJtFwSkt2GX5RFBsVa4A8IDht9RtEk7",
                "rrHgbSZQfkauEi/mH3/6CDZoLqSHudUZ7d4MaJwun1TkFYGe2ORwGJd4OBj3oGJp",
                "H8YBwCpk///L/fKjX0Gg3M8nrpM4wrRFhPKidAgO/kcm25X4+ZHlVkWBTCt5RWKI",
                "fHh6oLDZCqCfcgMkE1KKmwfIHaUkhq5BPRigwy6i5dh1DM4+1UCLh3dxzVbqE9b9",
                "61NB19nXdRtDA2sOUnj9ve6m/wEPyCb6/zBQZqvCBYb1/AjdXpUrFT+DbpfyxaXN",
                "XfhDVb5mNqNM/IVj0V5fvTc6vOfYbzQtPm10H+FdWWfb+rJRfyC3MA2w2IqstFe3",
                "w3bu2iE6CQvSqRvge+ZqLKt/NqYwOURiUmpuklbl3kPJ97+mfKWoiqk8Iz1VY+bb",
                "NMUC7aoGv+jcoj+WS6PYO8N6BeRVUUB3ZJSf8nzjgxm1/BcM+UD3BPrlhT11ODRs",
                "baifGbprMWwt3dhb8cQgRT8GPdpO1OsDkzL6iikMjLHWWiA99GV6ruiHsIPw6boW",
                "A6/uSOskbDHOROotKmddGTBd0iiHXAoQsJFt1ZjUkt6EHrgWs+GAvrvKpXs1mrz8",
                "uj3GwEFrHS+Xuf2UDgpszYT3hI2cL/kUtGakVR7m7vVMZqXBUbZdGAEb1PZNPwsI",
                "E4aMK02+EVB+tSN4Fzj99N2YD0inVYt+oPjr2tHhUS6aSGBNS/48Ki47DOg4Sxkn",
                "lkOWnEbCD+XTnbDd",
                "=agR5",
                "-----END PGP MESSAGE-----",
                "",
                "",
                "--YFrteb74qSXmggbOxZL9dRnhymywAi--",
                "",
                "",
            ]
        ).encode()
    )
    assert not check_encrypted_bstr(
        "\r\n".join(
            [
                "Subject: Message opened",
                "From: <barbaz@c2.testrun.org>",
                "To: <foobar@c2.testrun.org>",
                "Date: Sun, 15 Oct 2023 16:43:25 +0000",
                "Message-ID: <Mr.78MWtlV7RAi.goCFzBhCYfy@c2.testrun.org>",
                "Auto-Submitted: auto-replied",
                "Chat-Version: 1.0",
                "MIME-Version: 1.0",
                "Content-Type: multipart/report; report-type=disposition-notification;",
                '\tboundary="Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi"',
                "",
                "",
                "--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi",
                "Content-Type: text/plain; charset=utf-8; format=flowed; delsp=no",
                "",
                'The "Hi!" message you sent was displayed on the screen of the recipient.',
                "",
                "This is no guarantee the content was read.",
                "",
                "",
                "--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi",
                "Content-Type: message/disposition-notification",
                "",
                "Reporting-UA: Delta Chat 1.124.1",
                "Original-Recipient: rfc822;barbaz@c2.testrun.org",
                "Final-Recipient: rfc822;barbaz@c2.testrun.org",
                "Original-Message-ID: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
                "Disposition: manual-action/MDN-sent-automatically; displayed",
                "",
                "",
                "--Gl92xgZjOShJ5PGHntqYkoo2OK2Dvi--",
                "",
                "",
            ]
        ).encode()
    )
 def test_send_rate_limiter():
    limiter = SendRateLimiter()
    for i in range(100):
        if limiter.is_sending_allowed("some@example.org"):
            if i <= SendRateLimiter.MAX_USER_SEND_PER_MINUTE:
                continue
            pytest.fail("limiter didn't work")
        else:
            assert i == SendRateLimiter.MAX_USER_SEND_PER_MINUTE + 1
            break
--- a/deploy-chatmail/pyproject.toml
+++ b/deploy-chatmail/pyproject.toml
@@ -3,7 +3,7 @@ requires = ["setuptools>=45"]
 build-backend = "setuptools.build_meta"
 [project]
-name = "chatmail"
+name = "deploy-chatmail"
 version = "0.1"
 dependencies = [
  "pyinfra",
--- a/deploy-chatmail/src/deploy_chatmail/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/init.py
@@ -2,6 +2,7 @@
 Chat Mail pyinfra deploy.
 """
 import importlib.resources
 from pathlib import Path
 from pyinfra import host, logger
 from pyinfra.operations import apt, files, server, systemd, python
@@ -9,17 +10,52 @@ from pyinfra.facts.files import File
 from .acmetool import deploy_acmetool
-def _install_chatctl() -> None:
+def _install_chatmaild() -> None:
-    """Setup chatctl."""
+    chatmaild_filename = "chatmaild-0.1.tar.gz"
-    files.put(
+    chatmaild_path = importlib.resources.files(__package__).joinpath(
-        src=importlib.resources.files(__package__)
+        f"../../../dist/{chatmaild_filename}"
        .joinpath("dovecot/doveauth.py")
        .open("rb"),
        dest="/home/vmail/chatctl",
        user="vmail",
        group="vmail",
        mode="755",
    )
    remote_path = f"/tmp/{chatmaild_filename}"
    if Path(str(chatmaild_path)).exists():
        files.put(
            name="Upload chatmaild source package",
            src=chatmaild_path.open("rb"),
            dest=remote_path,
        )
        apt.packages(
            name="apt install python3-aiosmtpd",
            packages=["python3-aiosmtpd", "python3-pip"],
        )
        # --no-deps because aiosmtplib is installed with `apt`.
        server.shell(
            name="install chatmaild with pip",
            commands=[f"pip install --break-system-packages {remote_path}"],
        )
        for fn in (
            "doveauth-dictproxy",
            "filtermail",
        ):
            files.put(
                name=f"Upload {fn}.service",
                src=importlib.resources.files("chatmaild")
                .joinpath(f"{fn}.service")
                .open("rb"),
                dest=f"/etc/systemd/system/{fn}.service",
                user="root",
                group="root",
                mode="644",
            )
            systemd.service(
                name=f"Setup {fn} service",
                service=f"{fn}.service",
                running=True,
                enabled=True,
                restarted=True,
                daemon_reload=True,
            )
 def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
@@ -59,7 +95,7 @@ def _configure_opendkim(domain: str, dkim_selector: str) -> bool:
    return need_restart
-def _configure_postfix(domain: str) -> bool:
+def _configure_postfix(domain: str, debug: bool = False) -> bool:
    """Configures Postfix SMTP server."""
    need_restart = False
@@ -73,21 +109,20 @@ def _configure_postfix(domain: str) -> bool:
    )
    need_restart |= main_config.changed
-    master_config = files.put(
+    master_config = files.template(
-        src=importlib.resources.files(__package__)
+        src=importlib.resources.files(__package__).joinpath("postfix/master.cf.j2"),
        .joinpath("postfix/master.cf")
        .open("rb"),
        dest="/etc/postfix/master.cf",
        user="root",
        group="root",
        mode="644",
        debug=debug,
    )
    need_restart |= master_config.changed
    return need_restart
-def _configure_dovecot(mail_server: str) -> bool:
+def _configure_dovecot(mail_server: str, debug: bool = False) -> bool:
    """Configures Dovecot IMAP server."""
    need_restart = False
@@ -98,18 +133,54 @@ def _configure_dovecot(mail_server: str) -> bool:
        group="root",
        mode="644",
        config={"hostname": mail_server},
        debug=debug,
    )
    need_restart |= main_config.changed
-
+    auth_config = files.put(
-    # luarocks install http lpeg_patterns fifo
+        src=importlib.resources.files(__package__).joinpath("dovecot/auth.conf"),
-    auth_script = files.put(
+        dest="/etc/dovecot/auth.conf",
        src=importlib.resources.files(__package__).joinpath("dovecot/doveauth.lua"),
        dest="/etc/dovecot/doveauth.lua",
        user="root",
        group="root",
        mode="644",
    )
-    need_restart |= auth_script.changed
+    need_restart |= auth_config.changed
    files.put(
        src=importlib.resources.files(__package__)
        .joinpath("dovecot/expunge.cron")
        .open("rb"),
        dest="/etc/cron.d/expunge",
        user="root",
        group="root",
        mode="644",
    )
    return need_restart
 def _configure_nginx(domain: str, debug: bool = False) -> bool:
    """Configures nginx HTTP server."""
    need_restart = False
    main_config = files.template(
        src=importlib.resources.files(__package__).joinpath("nginx.conf.j2"),
        dest="/etc/nginx/nginx.conf",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": domain},
    )
    need_restart |= main_config.changed
    autoconfig = files.template(
        src=importlib.resources.files(__package__).joinpath("autoconfig.xml.j2"),
        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
        user="root",
        group="root",
        mode="644",
        config={"domain_name": domain},
    )
    need_restart |= autoconfig.changed
    return need_restart
@@ -122,7 +193,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    :param dkim_selector:
    """
-    apt.update(name="apt update")
+    apt.update(name="apt update", cache_time=24 * 3600)
    server.group(name="Create vmail group", group="vmail", system=True)
    server.user(name="Create vmail user", user="vmail", group="vmail", system=True)
@@ -135,7 +206,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    )
    # Deploy acmetool to have TLS certificates.
-    deploy_acmetool(domains=[mail_server])
+    deploy_acmetool(nginx_hook=True, domains=[mail_server])
    apt.packages(
        name="Install Postfix",
@@ -144,11 +215,7 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
    apt.packages(
        name="Install Dovecot",
-        packages=[
+        packages=["dovecot-imapd", "dovecot-lmtpd"],
            "dovecot-imapd",
            "dovecot-lmtpd",
            "dovecot-auth-lua",
        ],
    )
    apt.packages(
@@ -159,10 +226,17 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        ],
    )
-    _install_chatctl()
+    apt.packages(
-    dovecot_need_restart = _configure_dovecot(mail_server)
+        name="Install nginx",
-    postfix_need_restart = _configure_postfix(mail_domain)
+        packages=["nginx"],
    )
    _install_chatmaild()
    debug = False
    dovecot_need_restart = _configure_dovecot(mail_server, debug=debug)
    postfix_need_restart = _configure_postfix(mail_domain, debug=debug)
    opendkim_need_restart = _configure_opendkim(mail_domain, dkim_selector)
    nginx_need_restart = _configure_nginx(mail_domain)
    systemd.service(
        name="Start and enable OpenDKIM",
@@ -188,6 +262,37 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
        restarted=dovecot_need_restart,
    )
    systemd.service(
        name="Start and enable nginx",
        service="nginx.service",
        running=True,
        enabled=True,
        restarted=nginx_need_restart,
    )
    # This file is used by auth proxy.
    # https://wiki.debian.org/EtcMailName
    server.shell(
        name="Setup /etc/mailname",
        commands=[f"echo {mail_domain} >/etc/mailname; chmod 644 /etc/mailname"],
    )
    journald_conf = files.put(
        name="Configure journald",
        src=importlib.resources.files(__package__).joinpath("journald.conf"),
        dest="/etc/systemd/journald.conf",
        user="root",
        group="root",
        mode="644",
    )
    systemd.service(
        name="Start and enable journald",
        service="systemd-journald.service",
        running=True,
        enabled=True,
        restarted=journald_conf,
    )
    def callback():
        result = server.shell(
            commands=[
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/init.py
@@ -38,22 +38,13 @@ def deploy_acmetool(nginx_hook=False, email="", domains=[]):
        email=email,
    )
-    service_file = files.put(
+    files.template(
-        src=importlib.resources.files(__package__)
+        src=importlib.resources.files(__package__).joinpath("target.yaml.j2"),
-        .joinpath("acmetool-redirector.service")
+        dest="/var/lib/acme/conf/target",
        .open("rb"),
        dest="/etc/systemd/system/acmetool-redirector.service",
        user="root",
        group="root",
        mode="644",
    )
    systemd.service(
        name="Setup acmetool-redirector service",
        service="acmetool-redirector.service",
        running=True,
        enabled=True,
        restarted=service_file.changed,
    )
    for domain in domains:
        server.shell(
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.cron
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.cron
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.hook
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/acmetool.hook
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/response-file.yaml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/response-file.yaml.j2
--- a/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/acmetool/target.yaml.j2
@@ -0,0 +1,7 @@
 request:
  provider: https://acme-v02.api.letsencrypt.org/directory
  key:
    type: rsa
  challenge:
    webroot-paths:
    - /var/www/html/.well-known/acme-challenge
--- a/deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2
+++ b/deploy-chatmail/src/deploy_chatmail/autoconfig.xml.j2
@@ -0,0 +1,37 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <clientConfig version="1.1">
  <emailProvider id="{{ config.domain_name }}">
    <domain>{{ config.domain_name }}</domain>
    <displayName>{{ config.domain_name }} chatmail</displayName>
    <displayShortName>{{ config.domain_name }}</displayShortName>
    <incomingServer type="imap">
      <hostname>{{ config.domain_name }}</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <incomingServer type="imap">
      <hostname>{{ config.domain_name }}</hostname>
      <port>143</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>{{ config.domain_name }}</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
    <outgoingServer type="smtp">
      <hostname>{{ config.domain_name }}</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
 </clientConfig>
--- a/deploy-chatmail/src/deploy_chatmail/deploy.py
+++ b/deploy-chatmail/src/deploy_chatmail/deploy.py
@@ -1,6 +1,6 @@
 import os
-from pyinfra import host, facts
+import pyinfra
-from chatmail import deploy_chatmail
+from deploy_chatmail import deploy_chatmail
 def main():
@@ -15,4 +15,5 @@ def main():
    deploy_chatmail(mail_domain, mail_server, dkim_selector)
-main()
+if pyinfra.is_cli:
    main()
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/auth.conf
@@ -0,0 +1,5 @@
 uri = proxy:/run/dovecot/doveauth.socket:auth
 iterate_disable = yes
 default_pass_scheme = plain
 password_key = passdb/%w/%u
 user_key = userdb/%u
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/dovecot.conf.j2
@@ -4,21 +4,33 @@ protocols = imap lmtp
 auth_mechanisms = plain
 {% if debug == true %}
 auth_verbose = yes
 auth_debug = yes
 auth_debug_passwords = yes
 auth_verbose_passwords = plain
 auth_cache_size = 100M
 mail_debug = yes
 {% endif %}
 mail_plugins = quota
 # these are the capabilities Delta Chat cares about actually 
 # so let's keep the network overhead per login small
 # https://github.com/deltachat/deltachat-core-rust/blob/master/src/imap/capabilities.rs
 imap_capability = IMAP4rev1 IDLE MOVE QUOTA CONDSTORE
 # Authentication for system users.
 passdb {
-  driver = lua
+  driver = dict
-  args = file=/etc/dovecot/doveauth.lua
+  args = /etc/dovecot/auth.conf
 }
 userdb {
-  driver = lua
+  driver = dict
-  args = file=/etc/dovecot/doveauth.lua
+  args = /etc/dovecot/auth.conf
 }
 ##
 ## Mailbox locations and namespaces
 ##
@@ -60,13 +72,28 @@ mail_privileged_group = vmail
 # Enable IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
-  mail_plugins = $mail_plugins imap_zlib
+  mail_plugins = $mail_plugins imap_zlib imap_quota
 }
 protocol lmtp {
  mail_plugins = $mail_plugins quota
 }
 plugin {
  imap_compress_deflate_level = 6
 }
 plugin {
  # for now we define static quota-rules for all users 
  quota = maildir:User quota
  quota_rule = *:storage=100M
  quota_max_mail_size=30M
  quota_grace = 0
  # quota_over_flag_value = TRUE
 }
 service lmtp {
  user=vmail
@@ -88,7 +115,7 @@ service auth {
 service auth-worker {
  # Default is root.
  # Drop privileges we don't need.
-  user = $default_internal_user
+  user = vmail
 }
 ssl = required
--- a/deploy-chatmail/src/deploy_chatmail/dovecot/expunge.cron
+++ b/deploy-chatmail/src/deploy_chatmail/dovecot/expunge.cron
@@ -0,0 +1,4 @@
 2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d INBOX
 2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d Deltachat
 2 0 * * * dovecot doveadm expunge -A SEEN BEFORE 40d Trash
 2 30 * * * dovecot doveadm purge -A
--- a/deploy-chatmail/src/deploy_chatmail/journald.conf
+++ b/deploy-chatmail/src/deploy_chatmail/journald.conf
@@ -0,0 +1,2 @@
 [Journal]
 MaxRetentionSec=3d
--- a/deploy-chatmail/src/deploy_chatmail/nginx.conf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/nginx.conf.j2
@@ -0,0 +1,47 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
 error_log /var/log/nginx/error.log;
 events {
 	worker_connections 768;
 	# multi_accept on;
 }
 http {
 	sendfile on;
 	tcp_nopush on;
 	# Do not emit nginx version on error pages.
 	server_tokens off;
 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
 	ssl_certificate /var/lib/acme/live/{{ config.domain_name }}/fullchain;
 	ssl_certificate_key /var/lib/acme/live/{{ config.domain_name }}/privkey;
 	gzip on;
 	server {
 		listen 80 default_server;
 		listen [::]:80 default_server;
 		listen 443 ssl default_server;
 		listen [::]:443 ssl default_server;
 		root /var/www/html;
 		index index.html index.htm;
 		server_name _;
 		location / {
 			# First attempt to serve request as file, then
 			# as directory, then fall back to displaying a 404.
 			try_files $uri $uri/ =404;
 		}
 	}
 }
--- a/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
+++ b/deploy-chatmail/src/deploy_chatmail/opendkim/opendkim.conf
--- a/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2
@@ -37,6 +37,8 @@ mydestination =
 relayhost = 
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
 mailbox_size_limit = 0
 # maximum 30MB sized messages
 message_size_limit = 31457280
 recipient_delimiter = +
 inet_interfaces = all
 inet_protocols = all
--- a/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
+++ b/deploy-chatmail/src/deploy_chatmail/postfix/master.cf.j2
@@ -9,7 +9,11 @@
 # service type  private unpriv  chroot  wakeup  maxproc command + args
 #               (yes)   (yes)   (no)    (never) (100)
 # ==========================================================================
-smtp      inet  n       -       y       -       -       smtpd
+{% if debug == true %}
 smtp      inet  n       -       y       -       -       smtpd -v
 {% else %}
 smtp      inet  n       -       y       -       -       smtpd 
 {% endif %}
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog
@@ -28,6 +32,7 @@ submission inet n       -       y       -       -       smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=127.0.0.1:10080
 smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
@@ -42,6 +47,7 @@ smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=127.0.0.1:10080
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
 cleanup   unix  n       -       y       -       0       cleanup
@@ -64,9 +70,11 @@ showq     unix  n       -       y       -       -       showq
 error     unix  -       -       y       -       -       error
 retry     unix  -       -       y       -       -       error
 discard   unix  -       -       y       -       -       discard
 local     unix  -       n       n       -       -       local
 virtual   unix  -       n       n       -       -       virtual
 lmtp      unix  -       -       y       -       -       lmtp
 anvil     unix  -       -       y       -       1       anvil
 scache    unix  -       -       y       -       1       scache
 postlog   unix-dgram n  -       n       -       1       postlogd
 filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting filered mail.
 localhost:10025 inet  n       -       n       -       10      smtpd
  -o syslog_name=postfix/reinject
--- a/online-tests/benchmark.py
+++ b/online-tests/benchmark.py
@@ -0,0 +1,34 @@
 def test_tls_serialized_connect(benchmark, imap_or_smtp):
    def connect():
        imap_or_smtp.connect()
    benchmark(connect)
 def test_login(benchmark, imap_or_smtp, gencreds):
    cls = imap_or_smtp.__class__
    conns = []
    for i in range(20):
        conn = cls(imap_or_smtp.host)
        conn.connect()
        conns.append(conn)
    def login():
        conn = conns.pop()
        conn.login(*gencreds())
    benchmark(login)
 def test_send_and_receive_10(benchmark, cmfactory, lp):
    """send many messages between two accounts"""
    ac1, ac2 = cmfactory.get_online_accounts(2)
    chat = cmfactory.get_accepted_chat(ac1, ac2)
    def send_10_receive_all():
        for i in range(10):
            chat.send_text(f"hello {i}")
        for i in range(10):
            ac2.wait_next_incoming_message()
    benchmark(send_10_receive_all)
--- a/online-tests/conftest.py
+++ b/online-tests/conftest.py
@@ -0,0 +1,286 @@
 import os
 import io
 import random
 import subprocess
 import imaplib
 import smtplib
 import itertools
 import pytest
 def pytest_addoption(parser):
    parser.addoption(
        "--slow", action="store_true", default=False, help="also run slow tests"
    )
 def pytest_runtest_setup(item):
    markers = list(item.iter_markers(name="slow"))
    if markers:
        if not item.config.getoption("--slow"):
            pytest.skip("skipping slow test, use --slow to run")
@pytest.fixture
 def maildomain():
    domain = os.environ.get("CHATMAIL_DOMAIN")
    if not domain:
        pytest.skip("set CHATMAIL_DOMAIN to a ssh-reachable chatmail instance")
    return domain
@pytest.fixture
 def sshdomain(maildomain):
    return os.environ.get("CHATMAIL_SSH", maildomain)
@pytest.fixture
 def maildomain2():
    domain = os.environ.get("CHATMAIL_DOMAIN2")
    if not domain:
        pytest.skip("set CHATMAIL_DOMAIN2 to a ssh-reachable chatmail instance")
    return domain
@pytest.fixture
 def sshdomain2(maildomain2):
    return os.environ.get("CHATMAIL_SSH2", maildomain2)
 def pytest_report_header():
    domain = os.environ.get("CHATMAIL_DOMAIN")
    if domain:
        text = f"chatmail test instance: {domain}"
        return ["-" * len(text), text, "-" * len(text)]
@pytest.fixture
 def imap(maildomain):
    return ImapConn(maildomain)
 class ImapConn:
    AuthError = imaplib.IMAP4.error
    logcmd = "journalctl -f -u dovecot"
    name = "dovecot"
    def __init__(self, host):
        self.host = host
    def connect(self):
        print(f"imap-connect {self.host}")
        self.conn = imaplib.IMAP4_SSL(self.host)
    def login(self, user, password):
        print(f"imap-login {user!r} {password!r}")
        self.conn.login(user, password)
    def fetch_all(self):
        print("imap-fetch all")
        status, res = self.conn.select()
        if int(res[0]) == 0:
            raise ValueError("no messages in imap folder")
        status, results = self.conn.fetch("1:*", "(RFC822)")
        assert status == "OK"
        return results
    def fetch_all_messages(self):
        print("imap-fetch all messages")
        results = self.fetch_all()
        messages = []
        for item in results:
            if len(item) == 2:
                messages.append(item[1].decode())
        return messages
@pytest.fixture
 def smtp(maildomain):
    return SmtpConn(maildomain)
 class SmtpConn:
    AuthError = smtplib.SMTPAuthenticationError
    logcmd = "journalctl -f -t postfix/smtpd -t postfix/smtp -t postfix/lmtp"
    name = "postfix"
    def __init__(self, host):
        self.host = host
    def connect(self):
        print(f"smtp-connect {self.host}")
        self.conn = smtplib.SMTP_SSL(self.host)
    def login(self, user, password):
        print(f"smtp-login {user!r} {password!r}")
        self.conn.login(user, password)
    def sendmail(self, from_addr, to_addrs, msg):
        print(f"smtp-sendmail from={from_addr!r} to_addrs={to_addrs!r}")
        print(f"smtp-sendmail message size: {len(msg)}")
        return self.conn.sendmail(from_addr=from_addr, to_addrs=to_addrs, msg=msg)
@pytest.fixture(params=["imap", "smtp"])
 def imap_or_smtp(request):
    return request.getfixturevalue(request.param)
@pytest.fixture
 def gencreds(maildomain):
    count = itertools.count()
    next(count)
    def gen(domain=None):
        domain = domain if domain else maildomain
        while 1:
            num = next(count)
            alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
            user = "".join(random.choices(alphanumeric, k=10))
            user = f"ac{num}_{user}"
            password = "".join(random.choices(alphanumeric, k=10))
            yield f"{user}@{domain}", f"{password}"
    return lambda domain=None: next(gen(domain))
 #
 # Delta Chat testplugin re-use
 # use the cmfactory fixture to get chatmail instance accounts
 #
 class ChatmailTestProcess:
    """Provider for chatmail instance accounts as used by deltachat.testplugin.acfactory"""
    def __init__(self, pytestconfig, maildomain, gencreds):
        self.pytestconfig = pytestconfig
        self.maildomain = maildomain
        assert "." in self.maildomain, maildomain
        self.gencreds = gencreds
        self._addr2files = {}
    def get_liveconfig_producer(self):
        while 1:
            user, password = self.gencreds(self.maildomain)
            config = {
                "addr": user,
                "mail_pw": password,
            }
            # speed up account configuration
            config["mail_server"] = self.maildomain
            config["send_server"] = self.maildomain
            yield config
    def cache_maybe_retrieve_configured_db_files(self, cache_addr, db_target_path):
        pass
    def cache_maybe_store_configured_db_files(self, acc):
        pass
@pytest.fixture
 def cmfactory(request, gencreds, tmpdir, data, maildomain):
    # cloned from deltachat.testplugin.amfactory
    pytest.importorskip("deltachat")
    from deltachat.testplugin import ACFactory
    testproc = ChatmailTestProcess(request.config, maildomain, gencreds)
    am = ACFactory(request=request, tmpdir=tmpdir, testprocess=testproc, data=data)
    # nb. a bit hacky
    # would probably be better if deltachat's test machinery grows native support
    def switch_maildomain(maildomain2):
        am.testprocess.maildomain = maildomain2
    am.switch_maildomain = switch_maildomain
    yield am
    if hasattr(request.node, "rep_call") and request.node.rep_call.failed:
        if testproc.pytestconfig.getoption("--extra-info"):
            logfile = io.StringIO()
            am.dump_imap_summary(logfile=logfile)
            print(logfile.getvalue())
            # request.node.add_report_section("call", "imap-server-state", s)
@pytest.fixture
 def remote(sshdomain):
    return Remote(sshdomain)
 class Remote:
    def __init__(self, sshdomain):
        self.sshdomain = sshdomain
    def iter_output(self, logcmd=""):
        getjournal = f"journalctl -f" if not logcmd else logcmd
        self.popen = subprocess.Popen(
            ["ssh", f"root@{self.sshdomain}", getjournal],
            stdout=subprocess.PIPE,
        )
        while 1:
            line = self.popen.stdout.readline()
            res = line.decode().strip().lower()
            if res:
                yield res
            else:
                break
@pytest.fixture
 def mailgen(request):
    class Mailgen:
        def get_encrypted(self, from_addr, to_addr):
            data = request.fspath.dirpath("mailgen/encrypted.eml").read()
            return data.format(from_addr=from_addr, to_addr=to_addr)
    return Mailgen()
@pytest.fixture
 def cmsetup(maildomain, gencreds):
    return CMSetup(maildomain, gencreds)
 class CMSetup:
    def __init__(self, maildomain, gencreds):
        self.maildomain = maildomain
        self.gencreds = gencreds
    def gen_users(self, num):
        print(f"Creating {num} online users")
        users = []
        for i in range(num):
            addr, password = self.gencreds()
            user = CMUser(self.maildomain, addr, password)
            assert user.smtp
            users.append(user)
        return users
 class CMUser:
    def __init__(self, maildomain, addr, password):
        self.maildomain = maildomain
        self.addr = addr
        self.password = password
        self._smtp = None
        self._imap = None
    @property
    def smtp(self):
        if not self._smtp:
            handle = SmtpConn(self.maildomain)
            handle.connect()
            handle.login(self.addr, self.password)
            self._smtp = handle
        return self._smtp
    @property
    def imap(self):
        if not self._imap:
            imap = ImapConn(self.maildomain)
            imap.connect()
            imap.login(self.addr, self.password)
            self._imap = imap
        return self._imap
--- a/online-tests/mailgen/encrypted.eml
+++ b/online-tests/mailgen/encrypted.eml
@@ -0,0 +1,66 @@
 From: {from_addr}
 To: {to_addr}
 Subject: ...
 Date: Sun, 15 Oct 2023 16:43:21 +0000
 Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>
 In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>
 References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>
 	<Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>
 Chat-Version: 1.0
 Autocrypt: addr={from_addr}; prefer-encrypt=mutual;
 	keydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH
 	rNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID
 	FgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW
 	XQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK
 	KwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ
 	JlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP
 	IXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO
 MIME-Version: 1.0
 Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 	boundary="YFrteb74qSXmggbOxZL9dRnhymywAi"
 --YFrteb74qSXmggbOxZL9dRnhymywAi
 Content-Description: PGP/MIME version identification
 Content-Type: application/pgp-encrypted
 Version: 1
 --YFrteb74qSXmggbOxZL9dRnhymywAi
 Content-Description: OpenPGP encrypted message
 Content-Disposition: inline; filename="encrypted.asc";
 Content-Type: application/octet-stream; name="encrypted.asc"
 -----BEGIN PGP MESSAGE-----
 wU4DhW3gBZ/VvCYSAQdA8bMs2spwbKdGjVsL1ByPkNrqD7frpB73maeL6I6SzDYg
 O5G53tv339RdKq3WRcCtEEvxjHlUx2XNwXzC04BpmfvBTgNfPUyLDzjXnxIBB0Ae
 8ymwGvXMCCimHXN0Dg8Ui62KOi03h0UgheoHWovJSCDF4CKre/xtFr3nL7lq/PKI
 JsjVNz7/RK9FSXF6WwfONtLCyQGEuVAsB/KXfCBEyfKhaMwGHvhujRidGW5uV1no
 lMGl3ODmo29Lgeu2uSE7EpJRZoe6hU6ddmBkqxax61ZtkaFlGFFpdo2K8balNNdz
 ZsJ/9mmI9x3oOJ4/l1nhQbUO9ADbs7gJhFdV5Qkp30b5fCI7bU+aoe1ccBbLe/WM
 YUty1PqcuQT7XjA+XmYuL261tvW8pBetT+i33/E2d8PzzYt2IuK9qeevyS+yxdwA
 kfwejFWzzsUlJaDxs1x4XOxkMgSj+jo+g12dFOb7fyClsAnq23iDb8AuaT/BScAI
 +lO+gher69+6LmM7VGHLG5k762J1jTaQCaKt1s8TAWV99Eo4491vL6fyvk3l/Cfg
 RXSwiWFgj19Pn0Rq7CD9v22UE2vdUMBTcV4aw79mClk1YQ23jbF0y5DCjPdJ62Zo
 tskBgFt3NoWV80jZ76zIBLrrjLwCCll8JjJtFwSkt2GX5RFBsVa4A8IDht9RtEk7
 rrHgbSZQfkauEi/mH3/6CDZoLqSHudUZ7d4MaJwun1TkFYGe2ORwGJd4OBj3oGJp
 H8YBwCpk///L/fKjX0Gg3M8nrpM4wrRFhPKidAgO/kcm25X4+ZHlVkWBTCt5RWKI
 fHh6oLDZCqCfcgMkE1KKmwfIHaUkhq5BPRigwy6i5dh1DM4+1UCLh3dxzVbqE9b9
 61NB19nXdRtDA2sOUnj9ve6m/wEPyCb6/zBQZqvCBYb1/AjdXpUrFT+DbpfyxaXN
 XfhDVb5mNqNM/IVj0V5fvTc6vOfYbzQtPm10H+FdWWfb+rJRfyC3MA2w2IqstFe3
 w3bu2iE6CQvSqRvge+ZqLKt/NqYwOURiUmpuklbl3kPJ97+mfKWoiqk8Iz1VY+bb
 NMUC7aoGv+jcoj+WS6PYO8N6BeRVUUB3ZJSf8nzjgxm1/BcM+UD3BPrlhT11ODRs
 baifGbprMWwt3dhb8cQgRT8GPdpO1OsDkzL6iikMjLHWWiA99GV6ruiHsIPw6boW
 A6/uSOskbDHOROotKmddGTBd0iiHXAoQsJFt1ZjUkt6EHrgWs+GAvrvKpXs1mrz8
 uj3GwEFrHS+Xuf2UDgpszYT3hI2cL/kUtGakVR7m7vVMZqXBUbZdGAEb1PZNPwsI
 E4aMK02+EVB+tSN4Fzj99N2YD0inVYt+oPjr2tHhUS6aSGBNS/48Ki47DOg4Sxkn
 lkOWnEbCD+XTnbDd
 =agR5
 -----END PGP MESSAGE-----
 --YFrteb74qSXmggbOxZL9dRnhymywAi--
--- a/online-tests/pytest.ini
+++ b/online-tests/pytest.ini
@@ -0,0 +1,3 @@
 [pytest]
 addopts = -vrsx --strict-markers
 markers = slow: mark test as slow (requires --slow option to run)
--- a/online-tests/test_0_basic.py
+++ b/online-tests/test_0_basic.py
@@ -0,0 +1,60 @@
 import smtplib
 import pytest
 def test_remote(remote, imap_or_smtp):
    lineproducer = remote.iter_output(imap_or_smtp.logcmd)
    imap_or_smtp.connect()
    assert imap_or_smtp.name in next(lineproducer)
 def test_use_two_chatmailservers(cmfactory, maildomain2):
    ac1 = cmfactory.new_online_configuring_account(cache=False)
    cmfactory.switch_maildomain(maildomain2)
    ac2 = cmfactory.new_online_configuring_account(cache=False)
    cmfactory.bring_accounts_online()
    cmfactory.get_accepted_chat(ac1, ac2)
    domain1 = ac1.get_config("addr").split("@")[1]
    domain2 = ac2.get_config("addr").split("@")[1]
    assert domain1 != domain2
@pytest.mark.parametrize("forgeaddr", ["internal", "someone@example.org"])
 def test_reject_forged_from(cmsetup, mailgen, lp, forgeaddr):
    user1, user3 = cmsetup.gen_users(2)
    lp.sec("send encrypted message with forged from")
    print("envelope_from", user1.addr)
    if forgeaddr == "internal":
        addr_to_forge = cmsetup.gen_users(1)[0].addr
    else:
        addr_to_forge = "someone@example.org"
    print("message to inject:")
    msg = mailgen.get_encrypted(from_addr=addr_to_forge, to_addr=user3.addr)
    for line in msg.split("\n")[:4]:
        print(f"   {line}")
    lp.sec("Send forged mail and check remote postfix lmtp processing result")
    with pytest.raises(smtplib.SMTPException) as e:
        user1.smtp.sendmail(from_addr=user1.addr, to_addrs=[user3.addr], msg=msg)
    assert "500" in str(e.value)
@pytest.mark.slow
 def test_exceed_rate_limit(cmsetup, gencreds, mailgen):
    """Test that the per-account send-mail limit is exceeded."""
    user1, user2 = cmsetup.gen_users(2)
    mail = mailgen.get_encrypted(user1.addr, user2.addr)
    for i in range(100):
        print("Sending mail", str(i))
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
        except smtplib.SMTPException as e:
            if i < 80:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
            assert b'4.7.1: Too much mail from' in outcome[1]
            return
    pytest.fail("Rate limit was not exceeded")
--- a/online-tests/test_0_login.py
+++ b/online-tests/test_0_login.py
@@ -0,0 +1,37 @@
 import pytest
 import smtplib
 def test_login_basic_functioning(imap_or_smtp, gencreds, lp):
    """Test a) that an initial login creates a user automatically
    and b) verify we can also login a second time with the same password
    and c) that using a different password fails the login."""
    user, password = gencreds()
    lp.sec(f"login first time with {user} {password}")
    imap_or_smtp.connect()
    imap_or_smtp.login(user, password)
    lp.indent("success")
    lp.sec(f"reconnect and login second time {user} {password}")
    imap_or_smtp.connect()
    imap_or_smtp.login(user, password)
    imap_or_smtp.connect()
    lp.sec("success")
    lp.sec(f"reconnect and verify wrong password fails {user} ")
    imap_or_smtp.connect()
    with pytest.raises(imap_or_smtp.AuthError):
        imap_or_smtp.login(user, password + "wrong")
 def test_login_same_password(imap_or_smtp, gencreds):
    """Test two different users logging in with the same password
    to ensure that authentication process does not confuse the users
    by using only the password hash as a key.
    """
    user1, password1 = gencreds()
    user2, _ = gencreds()
    imap_or_smtp.connect()
    imap_or_smtp.login(user1, password1)
    imap_or_smtp.connect()
    imap_or_smtp.login(user2, password1)
--- a/online-tests/test_1_deltachat.py
+++ b/online-tests/test_1_deltachat.py
@@ -0,0 +1,83 @@
 import random
 import pytest
 class TestEndToEndDeltaChat:
    "Tests that use Delta Chat accounts on the chat mail instance."
    def test_one_on_one(self, cmfactory, lp):
        """Test that a DC account can send a message to a second DC account
        on the same chat-mail instance."""
        ac1, ac2 = cmfactory.get_online_accounts(2)
        chat = cmfactory.get_accepted_chat(ac1, ac2)
        lp.sec("ac1: prepare and send text message to ac2")
        chat.send_text("message0")
        lp.sec("wait for ac2 to receive message")
        msg2 = ac2._evtracker.wait_next_incoming_message()
        assert msg2.text == "message0"
    @pytest.mark.slow
    def test_exceed_quota(self, cmfactory, lp, tmpdir, remote):
        """This is a very slow test as it needs to upload >100MB of mail data
        before quota is exceeded, and thus depends on the speed of the upload.
        """
        ac1, ac2 = cmfactory.get_online_accounts(2)
        chat = cmfactory.get_accepted_chat(ac1, ac2)
        quota = 1024 * 1024 * 100
        attachsize = 1 * 1024 * 1024
        num_to_send = quota // attachsize + 2
        lp.sec(f"ac1: send {num_to_send} large files to ac2")
        lp.indent(f"per-user quota is assumed to be: {quota/(1024*1024)}MB")
        alphanumeric = "abcdefghijklmnopqrstuvwxyz1234567890"
        msgs = []
        for i in range(num_to_send):
            attachment = tmpdir / f"attachment{i}"
            data = "".join(random.choice(alphanumeric) for i in range(1024))
            with open(attachment, "w+") as f:
                for j in range(attachsize // len(data)):
                    f.write(data)
            msg = chat.send_file(str(attachment))
            msgs.append(msg)
            lp.indent(f"Sent out msg {i}, size {attachsize/(1024*1024)}MB")
        lp.sec("ac2: check messages are arriving until quota is reached")
        addr = ac2.get_config("addr").lower()
        saved_ok = 0
        for line in remote.iter_output("journalctl -f -u dovecot"):
            if addr not in line:
                # print(line)
                continue
            if "quota" in line:
                if "quota exceeded" in line:
                    if saved_ok < num_to_send // 2:
                        pytest.fail(
                            f"quota exceeded too early: after {saved_ok} messages already"
                        )
                    lp.indent("good, message sending failed because quota was exceeded")
                    return
            if "saved mail to inbox" in line:
                saved_ok += 1
                print(f"{saved_ok}: {line}")
                if saved_ok >= num_to_send:
                    break
        pytest.fail("sending succeeded although messages should exceed quota")
    def test_securejoin(self, cmfactory, lp, maildomain2):
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
        ac2 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.bring_accounts_online()
        lp.sec("ac1: create QR code and let ac2 scan it, starting the securejoin")
        qr = ac1.get_setup_contact_qr()
        lp.sec("ac2: start QR-code based setup contact protocol")
        ch = ac2.qr_setup_contact(qr)
        assert ch.id >= 10
        ac1._evtracker.wait_securejoin_inviter_progress(1000)
--- a/plan.txt
+++ b/plan.txt
@@ -0,0 +1,65 @@
 # Chat-mail server development (up until Oct 18th)
 ## Dovecot goals/steps
 - automatic expiry of messages older than M days
   - also expunge unread messages
 - limit: configure max-connections per account
 ## nami: send out rate limit / rspamd
 - basic outgoing send rate/limits (depending on "account-rating")
  use rspamd in a minimal way, check support dkim-signing
  (including an online test exceeding rate limit)
 ## doveauth questions/futures
 - bcrypt-password scheme is slow: require long passwords, use faster hashing
 - define user-name and password policies, and implement them
  (be very restrictive at the beginning, we can relax later)
 - password is part of the dictproxy-lookup key, is it safe to use auth-caching?
 ## How to limit creation of accounts?
 attack: a 3-line bash script to fill the chatmail db with millions of unused accouts
 - make it computationally expensive (somehow try to except our tests from it)
  1st pass instant onboarding: create userid + cheap password -- if it fails then
  2nd pass instant onboarding: create userdid + comput. expensive password
 - probably also do firewall: limit number of new tcp-connections per IP address per duration
 ## Open/deferred questions
 - automatic expiry of users that haven't logged in for N days
  Is it neccessary?  If all messages are gone, does the existence of
  an e-mail address bother anybody?
 ## web page for chat-mail servers?
 - documentation for users, privacy policy etc.
  (probably also with provider-messages ...)
 ## online tests (first with plain python/pytest)
 - write tests for dovecot login (exists)
 - write tests for postfix logins (exists)
 - write A<>B send/receive tests (exists)
 ## Delta Chat
 1. qr code that defines access to a chatmail instance (like mailadm but without http etc.)
 2. support for creating username/password and verifying login works
--- a/scripts/bench.sh
+++ b/scripts/bench.sh
@@ -0,0 +1,4 @@
 #!/bin/bash
 set -e
 online-tests/venv/bin/pytest online-tests/benchmark.py -vrx 
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -0,0 +1,10 @@
 #!/usr/bin/env bash
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 export CHATMAIL_DOMAIN
 chatmaild/venv/bin/python3 -m build -n --sdist chatmaild --outdir dist
 deploy-chatmail/venv/bin/pyinfra --ssh-user root "$CHATMAIL_DOMAIN" \
    deploy-chatmail/src/deploy_chatmail/deploy.py
 rm -r dist/
--- a/scripts/get_imap_capabilities.py
+++ b/scripts/get_imap_capabilities.py
@@ -0,0 +1,14 @@
 import os
 import time
 import imaplib
 domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
 print("connecting")
 conn = imaplib.IMAP4_SSL(domain)
 print("logging in")
 conn.login(f"imapcapa", "pass")
 status, res = conn.capability()
 for capa in sorted(res[0].decode().split()):
    print(capa)
--- a/scripts/init.sh
+++ b/scripts/init.sh
@@ -0,0 +1,13 @@
 #!/bin/sh
 set -e
 python3 -m venv deploy-chatmail/venv
 deploy-chatmail/venv/bin/pip install pyinfra pytest
 deploy-chatmail/venv/bin/pip install -e deploy-chatmail
 deploy-chatmail/venv/bin/pip install -e chatmaild
 python3 -m venv chatmaild/venv
 chatmaild/venv/bin/pip install --upgrade pytest build 'setuptools>=68'
 chatmaild/venv/bin/pip install -e chatmaild
 python3 -m venv online-tests/venv
 online-tests/venv/bin/pip install pytest pytest-timeout pdbpp deltachat pytest-benchmark
--- a/scripts/measure_tls_and_logins.py
+++ b/scripts/measure_tls_and_logins.py
@@ -0,0 +1,28 @@
 #!/usr/bin/env python3
 import os
 import time
 import imaplib
 domain = os.environ.get("CHATMAIL_DOMAIN", "c3.testrun.org")
 NUM_CONNECTIONS=10
 conns = []
 start = time.time()
 for i in range(NUM_CONNECTIONS):
    print(f"opening connection {i} to {domain}")
    conn = imaplib.IMAP4_SSL(domain)
    conns.append(conn)
 tlsdone = time.time()
 duration = tlsdone-start
 print(f"{duration}: TLS connections opening TLS connections")
 for i, conn in enumerate(conns):
    print(f"logging into connection {i}")
    conn.login(f"measure{i}", "pass")
 logindone = time.time()
 duration = logindone - tlsdone
 print(f"{duration}: LOGINS done")
--- a/scripts/remote-deploy.sh
+++ b/scripts/remote-deploy.sh
@@ -0,0 +1,8 @@
 #!/bin/sh
 set -e
 : ${CHATMAIL_DOMAIN:=c1.testrun.org}
 : ${CHATMAIL_SSH:=$CHATMAIL_DOMAIN}
 rsync -avz . "root@$CHATMAIL_SSH:/root/chatmail" --exclude='/.git' --filter="dir-merge,- .gitignore"
 ssh "root@$CHATMAIL_SSH" "cd /root/chatmail; apt install -y python3-venv; python3 -m venv venv; venv/bin/pip install pyinfra build; venv/bin/python3 -m build -n --sdist chatmaild --outdir dist; venv/bin/pip install -e ./deploy-chatmail -e ./chatmaild; export CHATMAIL_DOMAIN=$CHATMAIL_DOMAIN; venv/bin/pyinfra @local deploy.py"
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -0,0 +1,3 @@
 #!/bin/bash
 chatmaild/venv/bin/pytest chatmaild/ $@
 online-tests/venv/bin/pytest online-tests/ -vrx --durations=5 $@
--- a/src/chatmail/acmetool/acmetool-redirector.service
+++ b/src/chatmail/acmetool/acmetool-redirector.service
@@ -1,11 +0,0 @@
 [Unit]
 Description=acmetool HTTP redirector
 [Service]
 Type=notify
 ExecStart=/usr/bin/acmetool redirector --service.uid=daemon
 Restart=always
 RestartSec=30
 [Install]
 WantedBy=multi-user.target
--- a/src/chatmail/dovecot/doveauth.lua
+++ b/src/chatmail/dovecot/doveauth.lua
@@ -1,57 +0,0 @@
 -- Escape shell argument by hex encoding it and wrapping in quotes.
 function escape(data)
   b16 = data:gsub(".", function(char) return string.format("%2X", char:byte()) end)
   return ("'"..b16.."'")
 end
 -- call out to python program to actually manage authentication for dovecot
 function chatctl_verify(user, password)
    local cmd = "python3 /home/vmail/chatctl hexauth "..escape(user).." "..escape(password)
    print("executing: "..cmd)
    local handle = io.popen(cmd)
    local result = handle:read("*a")
    handle:close()
    return split_chatctl(result)
 end
 function chatctl_lookup(user) 
    assert(user)
    local handle = io.popen("python3 /home/vmail/chatctl hexlookup "..escape(user))
    local result = handle:read("*a")
    handle:close()
    return split_chatctl(result)
 end
 function get_extra_dovecot_output(res)
    return {home=res.home, uid=res.uid, gid=res.gid}
 end
 function auth_password_verify(request, password)
    local res = chatctl_verify(request.user, password)
    -- request:log_error("auth_password_verify "..request.user.." "..password)
    if res.status == "ok" then 
        local extra = get_extra_dovecot_output(res)
        return dovecot.auth.PASSDB_RESULT_OK, get_extra_dovecot_output(res)
    end
    return dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH, ""
 end
 function auth_userdb_lookup(request)
    local res = chatctl_lookup(request.user) 
    if res.status == "ok" then
        return dovecot.auth.USERDB_RESULT_OK, get_extra_dovecot_output(res)
    end
    return dovecot.auth.USERDB_RESULT_USER_UNKNOWN, "no such user"
 end
 function split_chatctl(output) 
    local ret = {}
    for key, value in output:gmatch "(%w+)%s*=%s*(%w+)" do
        ret[key] = value
    end
    return ret
 end
--- a/src/chatmail/dovecot/doveauth.py
+++ b/src/chatmail/dovecot/doveauth.py
@@ -1,57 +0,0 @@
 #!/usr/bin/env python3
 import base64
 import sys
 def get_user_data(user):
    if user == "link2xt@c1.testrun.org":
        return dict(
            uid="vmail",
            gid="vmail",
            password="Ahyei6ie",
        )
    return {}
 def create_user(user, password):
    return dict(home=f"/home/vmail/{user}", uid="vmail", gid="vmail", password=password)
 def verify_user(user, password):
    userdata = get_user_data(user)
    if userdata:
        if userdata.get("password") == password:
            userdata["status"] = "ok"
        else:
            userdata["status"] = "fail"
    else:
        userdata = create_user(user, password)
        userdata["status"] = "ok"
    return userdata
 def lookup_user(user):
    userdata = get_user_data(user)
    if userdata:
        userdata["status"] = "ok"
    else:
        userdata["status"] = "fail"
    return userdata
 def dump_result(res):
    for key, value in res.items():
        print(f"{key}={value}")
 if __name__ == "__main__":
    if sys.argv[1] == "hexauth":
        login = base64.b16decode(sys.argv[2]).decode()
        password = base64.b16decode(sys.argv[3]).decode()
        res = verify_user(login, password)
        dump_result(res)
    elif sys.argv[1] == "hexlookup":
        login = base64.b16decode(sys.argv[2]).decode()
        res = lookup_user(login)
        dump_result(res)
--- a/src/chatmail/dovecot/test_doveauth.lua
+++ b/src/chatmail/dovecot/test_doveauth.lua
@@ -1,78 +0,0 @@
 require "doveauth"
 -- simulate dovecot defined result codes 
 dovecot = {
    auth = {
        PASSDB_RESULT_OK="PASSWORD-OK",
        PASSDB_RESULT_PASSWORD_MISMATCH="PASSWORD-MISMATCH",
        USERDB_RESULT_OK="USERDB-OK",
        USERDB_RESULT_USER_UNKNOWN="USERDB-UNKNOWN"
    }
 }
 -- Tests for testing the lua<->python interaction 
 function test_password_verify_ok(user, password) 
    local res, extra = auth_password_verify({user=user}, password)
    assert(res==dovecot.auth.PASSDB_RESULT_OK)
    assert(extra.uid == "vmail")
    assert(extra.gid == "vmail")
    -- assert(extra.homedir == "/home/vmail/link2xt")
    print("OK test_password_verify_ok "..user.." "..password)
 end
 function test_password_verify_mismatch(user, password) 
    local res = auth_password_verify({user=user}, password)
    assert(res == dovecot.auth.PASSDB_RESULT_PASSWORD_MISMATCH)
    print("OK test_password_verify_mismatch "..user.." "..password)
 end
 function test_userdb_lookup_ok(user)
    local res, extra = auth_userdb_lookup({user=user})
    assert(extra.uid == "vmail")
    assert(extra.gid == "vmail")
    assert(res == dovecot.auth.USERDB_RESULT_OK)
    print("OK test_userdb_lookup_ok "..user)
 end
 function test_userdb_lookup_mismatch(user)
    local res, extra = auth_userdb_lookup({user=user})
    assert(res == dovecot.auth.USERDB_RESULT_USER_UNKNOWN)
    print("OK test_userdb_lookup_mismatch "..user)
 end
 function test_passdb_lookup_ok(user)
    local res, extra = auth_passdb_lookup({user=user})
    assert(extra.uid == "vmail")
    assert(extra.gid == "vmail")
    assert(res == dovecot.auth.PASSDB_RESULT_OK)
    print("OK test_passdb_lookup_ok "..user)
 end
 function test_passdb_lookup_mismatch(user)
    local res, extra = auth_passdb_lookup({user=user})
    assert(res == dovecot.auth.PASSDB_RESULT_USER_UNKNOWN)
    print("OK test_passdb_lookup_mismatch "..user)
 end
 function test_split_chatctl()
    local res = split_chatctl("a=3 b=4\nc=5")
    assert(res["a"] == "3")
    assert(res["b"] == "4")
    assert(res["c"] == "5")
    print("OK test_split_chatctl")
 end 
 test_split_chatctl()
 test_password_verify_ok("link2xt@c1.testrun.org", "Ahyei6ie")
 test_password_verify_mismatch("link2xt@c1.testrun.org", "Aqwlek")
 test_userdb_lookup_ok("link2xt@c1.testrun.org")
 test_userdb_lookup_mismatch("wlekqjlew@xyz.org")
 -- probably not needed by dovecot? 
 -- test_passdb_lookup_ok("link2xt@c1.testrun.org")
 -- test_passdb_lookup_mismatch("llqkwjelqwe@xyz.org")
--- a/src/chatmail/dovecot/test_doveauth.py
+++ b/src/chatmail/dovecot/test_doveauth.py
@@ -1,23 +0,0 @@
 import subprocess
 import pytest
 from doveauth import get_user_data, verify_user
 def test_basic():
    data = get_user_data("link2xt@c1.testrun.org")
    assert data
@pytest.mark.xfail(reason="no persistence yet")
 def test_verify_or_create():
    res = verify_user("newuser1@something.org", "kajdlkajsldk12l3kj1983")
    assert res["status"] == "ok"
    res = verify_user("newuser1@something.org", "kajdlqweqwe")
    assert res["status"] == "fail"
 def test_lua_integration(request):
    p = request.fspath.dirpath("test_doveauth.lua")
    proc = subprocess.run(["lua", str(p)])
    assert proc.returncode == 0
--- a/tests/test_online_login.py
+++ b/tests/test_online_login.py
@@ -1,28 +0,0 @@
 import pytest
 import imaplib
@pytest.fixture
 def conn():
    return connect("c1.testrun.org")
 def login(conn, user, password):
    print("trying to login", user, password)
    conn.login(user, password)
 def connect(host):
    print(f"connecting to {host}")
    conn = imaplib.IMAP4_SSL(host)
    return conn
 def test_login_ok(conn):
    login(conn, "link2xt@c1.testrun.org", "Ahyei6ie")
 def test_login_fail(conn):
    with pytest.raises(imaplib.IMAP4.error) as excinfo:
        login(conn, "link2xt@c1.testrun.org", "qweqwe")
    assert "AUTHENTICATIONFAILED" in str(excinfo)
Author	SHA1	Message	Date
link2xt	15a9b4a2ef	dictproxy: use `crypt` instead of `doveadm pw`	2023-10-20 08:30:36 +00:00
link2xt	902f98c9ba	Set syslog name for reinject proxy	2023-10-19 03:22:27 +00:00
link2xt	89311063f8	Turn filtermail into a beforequeue handler and implement rate limit	2023-10-19 03:04:00 +00:00
link2xt	1cdc5d1351	Revert "open a persistent client between the BeforeQueueHandler and postfix smtpd without content filter" This reverts commit `fb2ea27477`.	2023-10-19 02:22:38 +00:00
link2xt	30680cb170	filtermail: port is args[0], not args[1]	2023-10-19 02:22:30 +00:00
link2xt	c514fb00a3	Import SMTP from aiosmtpd.lmtp, not aiosmtpd.smtp	2023-10-19 02:22:15 +00:00
holger krekel	c7995356b9	shift for simpler diff	2023-10-19 01:16:19 +02:00
holger krekel	fb2ea27477	open a persistent client between the BeforeQueueHandler and postfix smtpd without content filter	2023-10-19 01:10:06 +02:00
holger krekel	7cf6cc2c91	remove filtermail split and LMTP backend	2023-10-19 01:05:49 +02:00
holger krekel	4358d5fe61	only do a smtp beforequeue-handler, also simplifies the send-rate-limiting test and improves DC behaviour	2023-10-19 00:54:45 +02:00
holger krekel	10cb099c0e	all tests pass	2023-10-19 00:07:22 +02:00
link2xt	329b845c79	Configure journald to retain logs for 3 days	2023-10-18 22:54:50 +02:00
holger krekel	bbd2773506	refactor test and filtermail to prepare it for BeforeQueue handling	2023-10-18 21:43:06 +02:00
missytake	410bc50a8b	test: report if rate limit from last test was still active	2023-10-18 19:02:40 +02:00
missytake	015269fa7b	test: test that there is no internal limit (xfail for now)	2023-10-18 19:02:40 +02:00
missytake	b8673d8625	postfix: add simple rate limiting without allow list or leaky bucket, also for internal mail	2023-10-18 19:02:40 +02:00
missytake	31c71fa6e9	add test for postfix rate limiting	2023-10-18 19:02:40 +02:00
holger krekel	8fcd423015	apply most of linkxt review comments	2023-10-18 18:59:01 +02:00
holger krekel	df39d05263	doc the test	2023-10-18 18:59:01 +02:00
holger krekel	05ce4f769b	make test more readable	2023-10-18 18:59:01 +02:00
holger krekel	8dc05ba7ec	also test that external addresses fail to be forged	2023-10-18 18:59:01 +02:00
holger krekel	6701c9749c	refactor test to be more strict	2023-10-18 18:59:01 +02:00
holger krekel	c6d8f7e759	initial forged-from protection	2023-10-18 18:59:01 +02:00
link2xt	76765164dc	Deploy nginx and autoconfig XML	2023-10-18 18:32:28 +02:00
link2xt	1ea25eb28c	Add /etc/mailname	2023-10-17 19:27:57 +00:00
missytake	f333226abe	dictproxy: make NOCREATE_FILE a constant; log warning if creating account fails	2023-10-17 20:03:18 +02:00
missytake	45fe8a668b	tests: pass CLI arguments to pytest, don't run chatmails tests in weird subdir	2023-10-17 20:03:18 +02:00
missytake	beac91159d	tests: install doveadm for being able to run dictproxy tests	2023-10-17 20:03:18 +02:00
missytake	75e7c85e61	tests: adjust to dictproxy, test /tmp/nocreate	2023-10-17 20:03:18 +02:00
missytake	040b7a74a6	doveauth: don't create users if /tmp/nocreate exists	2023-10-17 20:03:18 +02:00
missytake	0138e59355	doveauth: removed doveauth.py from the project	2023-10-17 20:03:18 +02:00
holger krekel	fffbdc10c3	minimize capabilities	2023-10-17 01:22:19 +02:00
holger krekel	3419e359c8	create build venv in chatmaild/venv	2023-10-17 00:35:07 +02:00
holger krekel	0b051f8154	move deploy.py file and revamp README	2023-10-17 00:35:07 +02:00
link2xt	5936f7a3be	postfix: disable `virtual` and `local` MDAs We do not need them, all mails are delivered to Dovecot over LMTP.	2023-10-16 22:21:39 +00:00
link2xt	983ffa6236	Disable acmetool redirector	2023-10-16 22:12:45 +00:00
holger krekel	b74fde2a9f	add postfix instrumented debugging	2023-10-16 23:38:02 +02:00
holger krekel	e176595f1f	add global debug flag and instrument dovecot with it	2023-10-16 23:38:02 +02:00
link2xt	179c79a052	Allow to send securejoin	2023-10-16 21:15:56 +00:00
link2xt	408da296f1	test.sh: do not run slow tests by default	2023-10-16 20:13:41 +00:00
missytake	192238567b	add some initial benchmarks Co-Authored-By: holger krekel <holger@merlinux.eu>	2023-10-16 21:51:53 +02:00
holger krekel	c35e485510	an empty message in the handler means EOF	2023-10-16 21:49:56 +02:00
holger krekel	1bac4b5b46	generalize remotelog to "remote" and offer remote.iter_output method	2023-10-16 20:49:30 +02:00
holger krekel	63a7ad82ff	fix capturing of logging to capture postfix better	2023-10-16 20:49:30 +02:00
holger krekel	37ef3f13b4	fix bugs	2023-10-16 20:49:30 +02:00
holger krekel	9dfd0ceb5a	simplify and speedup multi-chatmail instance support	2023-10-16 20:49:30 +02:00
holger krekel	55c58e3c7a	add support for using a second chatmail server	2023-10-16 20:49:30 +02:00
holger krekel	c2692c7e92	introduce remotelog fixture for capturing systemd-unit logs	2023-10-16 20:49:30 +02:00
missytake	ea5eccf377	plan: seen messages should be expunged, too	2023-10-16 17:56:51 +02:00
missytake	c9ecf24b3e	dovecot: expunge seen messages older than 40 days each night	2023-10-16 17:56:51 +02:00
holger krekel	b943f24587	apply nami's suggestions (chatmail SSH env var, running --slow in test.sh)	2023-10-16 17:52:08 +02:00
holger krekel	df00333a19	also show the chatmail instance prominently in the test header	2023-10-16 17:52:08 +02:00
holger krekel	4fc63461fb	- introduce pytest.mark.slow marker and "--slow" CLI option - refactor login tests to allow running them against both imap/smtp	2023-10-16 17:52:08 +02:00
holger krekel	00af333694	test works by logging into remote machine and checking the dovecot quota log	2023-10-16 15:19:29 +02:00
holger krekel	c9fd133942	improved test but still not doing what it should	2023-10-16 15:19:29 +02:00
holger krekel	caed6a3754	some fixes but still not quite running through	2023-10-16 15:19:29 +02:00
holger krekel	f71d372491	add a quota test (inspired by nami's #21 ) and try to get postfix/dovecot to implement the limit and the test to pass (it doesn't yet)	2023-10-16 15:19:29 +02:00
missytake	6debf11f6f	sieve is not installed and we don't need it	2023-10-16 15:19:29 +02:00
holger krekel	60e1671062	make quota work	2023-10-16 15:19:29 +02:00
missytake	3c57155c40	fix: typo in postfix/master.cf	2023-10-16 01:31:03 +02:00
link2xt	cf1be90115	Switch from BLF-CRYPT to SHA512-CRYPT	2023-10-15 21:42:14 +00:00
link2xt	5781d3b04e	Make scripts/measure_tls_and_logins.py executable	2023-10-15 21:42:14 +00:00
link2xt	862b09d268	dovecot: enable authentication cache	2023-10-15 21:42:14 +00:00
link2xt	9b438a7a96	Test different users logging in with the same password	2023-10-15 21:42:14 +00:00
link2xt	a107fb3cca	Avoid reusing accounts between tests Add time as a prefix.	2023-10-15 21:42:14 +00:00
link2xt	2a59cd4702	Do not `apt update` more than once a day	2023-10-15 20:31:13 +00:00
link2xt	57df5e254c	Require that encrypted messages have "..." as a Subject	2023-10-15 19:10:25 +00:00
missytake	8cef4d7119	test: assert you can't just write suspicious things into subject	2023-10-15 19:10:25 +00:00
link2xt	20b7af9d71	filtermail: more robust check_encrypted()	2023-10-15 19:10:14 +00:00
missytake	df6ec4bd6d	fix: chatmaild build + deployment	2023-10-15 20:08:00 +02:00
holger krekel	ade18aab7b	refine script	2023-10-15 19:14:18 +02:00
holger krekel	a61f1fbf39	add capability getter for CHATMAIL_DOMAIN	2023-10-15 19:11:32 +02:00
holger krekel	26e4e1d9be	refine measure script, update plan	2023-10-15 19:03:38 +02:00
holger krekel	a0e1d9e4d7	add a measurement for login/tls	2023-10-15 18:55:36 +02:00
link2xt	b05154b818	Remove chatmaild merging from the plan	2023-10-15 16:09:29 +00:00
link2xt	aab0a1f992	Update chatmaild README	2023-10-15 16:08:58 +00:00
link2xt	40ad67dc20	Merge doveauth and filtermail folders	2023-10-15 16:07:26 +00:00
link2xt	b548a8ddbd	Merge doveauth and filtermail into chatmaild	2023-10-15 15:57:36 +00:00
link2xt	262eb36a5c	Rename chatmail-pyinfra into deploy-chatmail	2023-10-15 15:40:17 +00:00
holger krekel	bd152c4a4e	updated plan after joint nami,alex,holger session with adb around	2023-10-15 17:42:13 +02:00
link2xt	08a88d0fb3	dictproxy: log to stderr	2023-10-15 12:59:59 +00:00
link2xt	23145cad28	Encrypt the passwords in the database There is also no need to compare the passwords manually, dovecot does it for us.	2023-10-15 14:49:44 +02:00
missytake	735ccbc1f2	fix: remote-deploy.sh needs python3-venv	2023-10-15 12:07:55 +02:00
missytake	247eb55886	doveauth: switch from lua authentication to dict authentication Co-Authored-By: holger krekel <holger@merlinux.eu> Co-Authored-By: link2xt <link2xt@testrun.org>	2023-10-15 01:13:13 +00:00
link2xt	f85e4cdbd5	Add scripts/remote-deploy.sh It is faster than deploying over SSH, 23 seconds vs 40 seconds here.	2023-10-15 01:06:38 +00:00
link2xt	1d7ebfa7a5	Do not build wheels and use a single dist/ directory (#11 ) Only sdists are used for deployment.	2023-10-14 23:35:06 +00:00
missytake	f98f08f8f0	filtermail: daemon-reload systemd service on pyinfra deploy	2023-10-15 00:52:51 +02:00
link2xt	c9dc32bd10	Add filtermail	2023-10-14 21:52:47 +00:00
missytake	e061d98cfc	doveauth: ; in sqlite statements not necessary	2023-10-14 18:39:01 +02:00
missytake	a9669d5c0f	tests: test DB version	2023-10-14 18:39:01 +02:00
missytake	1520b3d567	doveauth: remove config table, read dbversion from PRAGMA instead #8	2023-10-14 18:39:01 +02:00
missytake	704ad72753	doveauth: add importable to __init__.py	2023-10-14 18:39:01 +02:00
missytake	6d590103ee	tests: move database initialization to fixture	2023-10-14 18:39:01 +02:00
holger krekel	8217dc6f01	fix formatting	2023-10-14 14:34:54 +02:00
holger krekel	802f67cf54	fix formatting	2023-10-14 14:34:27 +02:00
holger krekel	a1e82a9969	some renaming and adding a pytest.ini	2023-10-14 14:34:12 +02:00
holger krekel	8d3e2af303	adapt init	2023-10-14 14:32:22 +02:00
holger krekel	369a0f8783	add basic delta chat tests	2023-10-14 14:32:22 +02:00
holger krekel	33000e18c0	fix/merge test files	2023-10-14 14:32:22 +02:00
holger krekel	397eed65a7	merge accidental test files	2023-10-14 14:32:22 +02:00
holger krekel	c8b593f5e2	let mail connection setting come from CHATMAIL_DOMAIN env	2023-10-14 14:32:22 +02:00
holger krekel	6003c9294d	add tests	2023-10-14 14:32:22 +02:00
holger krekel	1742ee07c8	add smtp tests and fix scripts	2023-10-14 14:32:22 +02:00
holger krekel	5cd54026a8	refactor dovecot tests, move online tests one level up	2023-10-14 14:32:22 +02:00
missytake	290933e8b2	plan: persistence is achieved	2023-10-14 10:41:56 +02:00
missytake	d758b4c078	dovecot: run auth-worker as vmail user	2023-10-14 10:41:56 +02:00
missytake	552135317d	doveauth: adjust pytest for persistent database	2023-10-14 10:41:56 +02:00
missytake	f940a962cc	doveauth: integrate sqlite database	2023-10-14 10:41:56 +02:00
missytake	7eeb777ed9	doveauth: add sqlite database to persist accounts	2023-10-14 10:41:56 +02:00
missytake	ae2ee84db2	part of plan was resolved	2023-10-13 21:13:53 +02:00
missytake	69b9df9480	add comment about installing doveauth system-wide	2023-10-13 21:12:56 +02:00
missytake	4ebec75d95	apply suggestion about pathlib	2023-10-13 21:12:56 +02:00
link2xt	453910c57e	Remove hardcoded domain from doveauth.py	2023-10-13 21:12:56 +02:00
link2xt	dd9b33907a	Log the lookup command in doveauth.lua	2023-10-13 21:12:56 +02:00
missytake	716b8169f8	fix lint issues	2023-10-13 21:12:56 +02:00
missytake	6a6255b6d0	script to run all tests from repository root	2023-10-13 21:12:56 +02:00
missytake	fbda0fb53c	install doveauth system-wide via pip	2023-10-13 21:12:56 +02:00
missytake	01f350fa0b	make doveauth tests pass again	2023-10-13 21:12:56 +02:00
missytake	93a84617a8	add doveauth entrypoint for lua	2023-10-13 21:12:56 +02:00
link2xt	3b0037dc3a	scripts/deploy.sh: allow to set $CHATMAIL_DOMAIN externally	2023-10-13 17:29:41 +00:00
missytake	9dfd0ee979	don't run deploy on import	2023-10-13 18:36:15 +02:00
missytake	344e799a51	move doveauth scripts to its own python project	2023-10-13 18:36:15 +02:00
missytake	556d9d37a4	added doveauth python project and README	2023-10-13 18:36:15 +02:00
holger krekel	6d3ffd8f4e	add plan as discussed with alex and nami	2023-10-13 15:44:06 +00:00
holger krekel	a24f1e8393	create venv in chatmail-pyinfra	2023-10-13 15:44:06 +00:00
holger krekel	f84692a07a	fix/rename	2023-10-13 15:44:06 +00:00
holger krekel	4badc7c8d6	(nami, hpk) draft repackaging goal	2023-10-13 15:44:06 +00:00
link2xt	4b82fd6f77	Add init.sh and deploy.sh scripts (#2 )	2023-10-13 16:14:02 +02:00