docs: Remove section about use of objects

docs: Update cmdeploy architecture details
- Revised cmdeploy documentation in doc/source/overview.rst to reflect the recent revisions to the Deployer interface.
2026-05-10 16:04:37 +00:00 · 2025-11-13 07:40:40 -06:00 · 2025-11-12 23:24:14 -06:00 · 2025-11-12 19:16:51 -06:00 · 2025-11-12 19:16:51 -06:00 · 2025-11-12 19:16:51 -06:00
70 changed files with 2581 additions and 2400 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -14,8 +14,7 @@ jobs:
        # Otherwise `test_deployed_state` will be unhappy.
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - name: download filtermail
-        run: curl -L https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-x86_64 -o /usr/local/bin/filtermail && chmod +x /usr/local/bin/filtermail
+
      - name: run chatmaild tests 
        working-directory: chatmaild
        run: pipx run tox
--- a/.github/workflows/docs-preview.yaml
+++ b/.github/workflows/docs-preview.yaml
@@ -11,9 +11,6 @@ jobs:
  scripts:
    name: build 
    runs-on: ubuntu-latest
-    environment:
-      name: 'staging.chatmail.at/doc/relay/'
-      url: https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}
    steps:
      - uses: actions/checkout@v4

@@ -47,6 +44,36 @@ jobs:
          chmod 600 "$HOME/.ssh/key"
          rsync -rILvh -e "ssh -i $HOME/.ssh/key -o StrictHostKeyChecking=no" $GITHUB_WORKSPACE/doc/build/ "${{ secrets.USERNAME }}@chatmail.at:/var/www/html/staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"

+      - name: "Post links to details"
+        id: details
+        if: steps.prepare.outputs.uploadtoserver
+        run: |
+          # URLs for API connection and uploads
+          export GITHUB_API_URL="https://api.github.com/repos/chatmail/relay/statuses/${{ github.event.after }}"
+          export PREVIEW_LINK="https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
+          export STATUS_DATA="{\"state\": \"success\", \
+                               \"description\": \"Preview the changed documentation here:\", \
+                               \"context\": \"Documentation Preview\", \
+                               \"target_url\": \"${PREVIEW_LINK}\"}"
+          curl -X POST --header "Accept: application/vnd.github+json" --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" --url "$GITHUB_API_URL" --header "content-type: application/json" --data "$STATUS_DATA"
+
+          #check if comment already exists, if not post it
+          export GITHUB_API_URL="https://api.github.com/repos/chatmail/relay/issues/${{ steps.prepare.outputs.prid }}/comments"
+          export RESPONSE=$(curl -L --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" --url "$GITHUB_API_URL" --header "content-type: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28")
+          echo $RESPONSE > response
+          grep -v '"Check out the page preview at https://staging.chatmail.at/doc/relay' response && echo "comment=true" >> $GITHUB_OUTPUT || true
+      - name: "Post link to comments"
+        if: steps.details.outputs.comment
+        uses: actions/github-script@v7
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: "Check out the page preview at https://staging.chatmail.at/doc/relay/${{ steps.prepare.outputs.prid }}/"
+            })
+
      - name: check links 
        working-directory: doc
        run: sphinx-build --builder linkcheck source build
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -14,9 +14,6 @@ jobs:
  scripts:
    name: build 
    runs-on: ubuntu-latest
-    environment: 
-      name: 'chatmail.at/doc/relay/'
-      url: https://chatmail.at/doc/relay/
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/test-and-deploy-ipv4only.yaml
+++ b/.github/workflows/test-and-deploy-ipv4only.yaml
@@ -16,11 +16,13 @@ jobs:
    name: deploy on staging-ipv4.testrun.org, and run tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    environment:
-      name: staging-ipv4.testrun.org
-      url: https://staging-ipv4.testrun.org/
-    concurrency: staging-ipv4.testrun.org
+    concurrency:
+      group: ci-ipv4-${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: ${{ !contains(github.ref, '$GITHUB_REF') }}
    steps:
+      - uses: jsok/serialize-workflow-action@515cd04c46d7ea7435c4a22a3b4419127afdefe9
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4

      - name: prepare SSH
@@ -71,35 +73,25 @@ jobs:
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

-      - name: setup dependencies
-        run: |
-          ssh root@staging-ipv4.testrun.org apt update
-          ssh root@staging-ipv4.testrun.org apt install -y git python3.11-venv python3-dev gcc
-          ssh root@staging-ipv4.testrun.org git clone https://github.com/chatmail/relay
-          ssh root@staging-ipv4.testrun.org "cd relay && git checkout " ${{ github.head_ref }}
-          ssh root@staging-ipv4.testrun.org "cd relay && scripts/initenv.sh"
+      - run: |
+          cmdeploy init staging-ipv4.testrun.org
+          sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' chatmail.ini

-      - name: initialize config
-        run: |
-          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy init staging-ipv4.testrun.org"
-          ssh root@staging-ipv4.testrun.org "sed -i 's#disable_ipv6 = False#disable_ipv6 = True#' relay/chatmail.ini"
-          ssh root@staging-ipv4.testrun.org "sed -i 's/#\s*mtail_address/mtail_address/' relay/chatmail.ini"
-
-      - run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy run --verbose --skip-dns-check"
+      - run: cmdeploy run --verbose --skip-dns-check

      - name: set DNS entries
        run: |
-          ssh root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
-          ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns --zonefile staging-generated.zone"
-          ssh root@staging-ipv4.testrun.org cat relay/staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
+          ssh -o StrictHostKeyChecking=accept-new -v root@staging-ipv4.testrun.org chown opendkim:opendkim -R /etc/dkimkeys
+          cmdeploy dns --zonefile staging-generated.zone
+          cat staging-generated.zone >> .github/workflows/staging-ipv4.testrun.org-default.zone
          cat .github/workflows/staging-ipv4.testrun.org-default.zone
          scp .github/workflows/staging-ipv4.testrun.org-default.zone root@ns.testrun.org:/etc/nsd/staging-ipv4.testrun.org.zone
          ssh root@ns.testrun.org nsd-checkzone staging-ipv4.testrun.org /etc/nsd/staging-ipv4.testrun.org.zone
          ssh root@ns.testrun.org systemctl reload nsd

      - name: cmdeploy test
-        run: ssh root@staging-ipv4.testrun.org "cd relay && CHATMAIL_DOMAIN2=ci-chatmail.testrun.org scripts/cmdeploy test --slow"
+        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow

      - name: cmdeploy dns
-        run: ssh root@staging-ipv4.testrun.org "cd relay && scripts/cmdeploy dns -v"
+        run: cmdeploy dns -v

--- a/.github/workflows/test-and-deploy.yaml
+++ b/.github/workflows/test-and-deploy.yaml
@@ -16,11 +16,13 @@ jobs:
    name: deploy on staging2.testrun.org, and run tests
    runs-on: ubuntu-latest
    timeout-minutes: 30
-    environment:
-      name: staging2.testrun.org
-      url: https://staging2.testrun.org/
-    concurrency: staging2.testrun.org
+    concurrency:
+      group: ci-${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: ${{ !contains(github.ref, '$GITHUB_REF') }}
    steps:
+      - uses: jsok/serialize-workflow-action@515cd04c46d7ea7435c4a22a3b4419127afdefe9
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4

      - name: prepare SSH
@@ -68,16 +70,10 @@ jobs:
          rsync -avz dkimkeys-restore/dkimkeys root@staging2.testrun.org:/etc/ || true
          ssh -o StrictHostKeyChecking=accept-new -v root@staging2.testrun.org chown root:root -R /var/lib/acme || true

-      - name: add hpk42 key to staging server
-        run: ssh root@staging2.testrun.org 'curl -s https://github.com/hpk42.keys >> .ssh/authorized_keys'
-
      - name: run deploy-chatmail offline tests 
        run: pytest --pyargs cmdeploy 

-      - run: |
-          cmdeploy init staging2.testrun.org
-          sed -i 's/^ssh_host/#ssh_host/' chatmail.ini
-          sed -i 's/#\s*mtail_address/mtail_address/' chatmail.ini
+      - run: cmdeploy init staging2.testrun.org

      - run: cmdeploy run --verbose --skip-dns-check

@@ -92,7 +88,7 @@ jobs:
          ssh root@ns.testrun.org systemctl reload nsd

      - name: cmdeploy test
-        run: CHATMAIL_DOMAIN2=ci-chatmail.testrun.org cmdeploy test --slow
+        run: CHATMAIL_DOMAIN2=nine.testrun.org cmdeploy test --slow

      - name: cmdeploy dns
        run: cmdeploy dns -v
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,47 +1,6 @@
 # Changelog for chatmail deployment 

-## 1.9.0 2025-12-18
-
-### Documentation
-
- Add RELEASE.md and CONTRIBUTING.md
- README update, mention Chatmail Cookbook project
-
-### Bug Fixes
-
- Expire messages also from IMAP subfolders
- Use absolute path instead of relative path in message expiration script
- Restart Postfix and Dovecot automatically on failure
- acmetool: Use a fixed name and `reconcile` instead of `want`
-
-### Features
-
- Report DKIM error code in SMTP response
- Remove development notice from the web pages
-
-### Miscellaneous Tasks
-
- Update the heading in the CHANGELOG.md
- Setup git-cliff
- Run tests against ci-chatmail.testrun.org instead of nine.testrun.org
- Cleanup remaining echobot code, remove echobot user from deployment and passthrough recipients
-
-## 1.8.0 2025-12-12
-
- Add imap_compress option to chatmail.ini
-  ([#760](https://github.com/chatmail/relay/pull/760))
-
- Remove echobot from relays 
-  ([#753](https://github.com/chatmail/relay/pull/753))
-
- Fix `cmdeploy webdev`
-  ([#743](https://github.com/chatmail/relay/pull/743))
-
- Add robots.txt to exclude all web crawlers
-  ([#732](https://github.com/chatmail/relay/pull/732))
-
- acmetool: accept new Let's Encrypt ToS: https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf
-  ([#729](https://github.com/chatmail/relay/pull/729))
+## untagged

 - Organized cmdeploy into install, configure, and activate stages
  ([#695](https://github.com/chatmail/relay/pull/695))
@@ -62,10 +21,10 @@
  ([#689](https://github.com/chatmail/relay/pull/689))

 - Require TLS 1.2 for outgoing SMTP connections
-  ([#685](https://github.com/chatmail/relay/pull/685), [#730](https://github.com/chatmail/relay/pull/730))
+  ([#685](https://github.com/chatmail/relay/pull/685))

 - require STARTTLS for incoming port 25 connections
-  ([#684](https://github.com/chatmail/relay/pull/684), [#730](https://github.com/chatmail/relay/pull/730))
+  ([#684](https://github.com/chatmail/relay/pull/684))

 - filtermail: run CPU-intensive handle_DATA in a thread pool executor
  ([#676](https://github.com/chatmail/relay/pull/676))
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,7 +0,0 @@
-# Contributing to the chatmail relay
-
-Commit messages follow the [Conventional Commits] notation.
-We use [git-cliff] to generate the changelog from commit messages before the release.
-
-[Conventional Commits]: https://www.conventionalcommits.org/
-[git-cliff]: https://git-cliff.org/
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,15 +0,0 @@
-# Releasing a new version of chatmail relay
-
-For example, to release version 1.9.0 of chatmail relay, do the following steps.
-
-1. Update the changelog: `git cliff --unreleased --tag 1.9.0 --prepend CHANGELOG.md` or `git cliff -u -t 1.9.0 -p CHANGELOG.md`.
-
-2. Open the changelog in the editor, edit it if required.
-
-3. Commit the changes to the changelog with a commit message `chore(release): prepare for 1.9.0`.
-
-3. Tag the release: `git tag --annotate 1.9.0`.
-
-4. Push the release tag: `git push origin 1.9.0`.
-
-5. Create a GitHub release: `gh release create 1.9.0`.
--- a/chatmaild/pyproject.toml
+++ b/chatmaild/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

 [project]
 name = "chatmaild"
-version = "0.3"
+version = "0.2"
 dependencies = [
  "aiosmtpd",
  "iniconfig",
@@ -24,6 +24,8 @@ where = ['src']
 [project.scripts]
 doveauth = "chatmaild.doveauth:main"
 chatmail-metadata = "chatmaild.metadata:main"
+filtermail = "chatmaild.filtermail:main"
+echobot = "chatmaild.echo:main"
 chatmail-metrics = "chatmaild.metrics:main"
 chatmail-expire = "chatmaild.expire:main"
 chatmail-fsreport = "chatmaild.fsreport:main"
@@ -71,6 +73,5 @@ commands =
 deps = pytest 
       pdbpp 
       pytest-localserver
-       execnet
 commands = pytest -v -rsXx {posargs}
 """
--- a/chatmaild/src/chatmaild/config.py
+++ b/chatmaild/src/chatmaild/config.py
@@ -1,52 +1,51 @@
-import os
 from pathlib import Path

 import iniconfig

 from chatmaild.user import User

+echobot_password_path = Path("/run/echobot/password")
+

 def read_config(inipath):
    assert Path(inipath).exists(), inipath
    cfg = iniconfig.IniConfig(inipath)
-    return Config(inipath, params=cfg.sections["params"])
+    params = cfg.sections["params"]
+    default_config_content = get_default_config_content(params["mail_domain"])
+    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
+    new_params = dict(df_params.items())
+    new_params.update(params)
+    return Config(inipath, params=new_params)


 class Config:
    def __init__(self, inipath, params):
        self._inipath = inipath
        self.mail_domain = params["mail_domain"]
-        self.ssh_host = params.get("ssh_host", self.mail_domain)
-        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
-        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params.get("max_mailbox_size", "500M")
-        self.max_message_size = int(params.get("max_message_size", 31457280))
-        self.delete_mails_after = params.get("delete_mails_after", "20")
-        self.delete_large_after = params.get("delete_large_after", "7")
-        self.delete_inactive_users_after = int(
-            params.get("delete_inactive_users_after", 100)
-        )
-        self.username_min_length = int(params.get("username_min_length", 9))
-        self.username_max_length = int(params.get("username_max_length", 9))
-        self.password_min_length = int(params.get("password_min_length", 9))
-        self.passthrough_senders = params.get("passthrough_senders", "").split()
-        self.passthrough_recipients = params.get("passthrough_recipients", "").split()
+        self.max_user_send_per_minute = int(params["max_user_send_per_minute"])
+        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_message_size = int(params.get("max_message_size", "31457280"))
+        self.delete_mails_after = params["delete_mails_after"]
+        self.delete_large_after = params["delete_large_after"]
+        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
+        self.username_min_length = int(params["username_min_length"])
+        self.username_max_length = int(params["username_max_length"])
+        self.password_min_length = int(params["password_min_length"])
+        self.passthrough_senders = params["passthrough_senders"].split()
+        self.passthrough_recipients = params["passthrough_recipients"].split()
        self.www_folder = params.get("www_folder", "")
-        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
+        self.filtermail_smtp_port = int(params["filtermail_smtp_port"])
        self.filtermail_smtp_port_incoming = int(
-            params.get("filtermail_smtp_port_incoming", "10081")
+            params["filtermail_smtp_port_incoming"]
        )
-        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
+        self.postfix_reinject_port = int(params["postfix_reinject_port"])
        self.postfix_reinject_port_incoming = int(
-            params.get("postfix_reinject_port_incoming", "10026")
+            params["postfix_reinject_port_incoming"]
        )
        self.mtail_address = params.get("mtail_address")
        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
-        self.addr_v4 = os.environ.get("CHATMAIL_ADDR_V4", "")
-        self.addr_v6 = os.environ.get("CHATMAIL_ADDR_V6", "")
        self.acme_email = params.get("acme_email", "")
        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
-        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
        if "iroh_relay" not in params:
            self.iroh_relay = "https://" + params["mail_domain"]
            self.enable_iroh_relay = True
@@ -73,7 +72,10 @@ class Config:
            raise ValueError(f"invalid address {addr!r}")

        maildir = self.mailboxes_dir.joinpath(addr)
-        password_path = maildir.joinpath("password")
+        if addr.startswith("echo@"):
+            password_path = echobot_password_path
+        else:
+            password_path = maildir.joinpath("password")

        return User(maildir, addr, password_path, uid="vmail", gid="vmail")

--- a/chatmaild/src/chatmaild/dictproxy.py
+++ b/chatmaild/src/chatmaild/dictproxy.py
@@ -22,7 +22,7 @@ class DictProxy:
                wfile.flush()

    def handle_dovecot_request(self, msg, transactions):
-        # see https://doc.dovecot.org/2.3/developer_manual/design/dict_protocol/#dovecot-dict-protocol
+        # see https://doc.dovecot.org/developer_manual/design/dict_protocol/#dovecot-dict-protocol
        short_command = msg[0]
        parts = msg[1:].split("\t")

--- a/chatmaild/src/chatmaild/doveauth.py
+++ b/chatmaild/src/chatmaild/doveauth.py
@@ -16,7 +16,7 @@ NOCREATE_FILE = "/etc/chatmail-nocreate"


 def encrypt_password(password: str):
-    # https://doc.dovecot.org/2.3/configuration_manual/authentication/password_schemes/
+    # https://doc.dovecot.org/configuration_manual/authentication/password_schemes/
    passhash = crypt_r.crypt(password, crypt_r.METHOD_SHA512)
    return "{SHA512-CRYPT}" + passhash

@@ -40,6 +40,10 @@ def is_allowed_to_create(config: Config, user, cleartext_password) -> bool:
        return False
    localpart, domain = parts

+    if localpart == "echo":
+        # echobot account should not be created in the database
+        return False
+
    if (
        len(localpart) > config.username_max_length
        or len(localpart) < config.username_min_length
--- a/chatmaild/src/chatmaild/echo.py
+++ b/chatmaild/src/chatmaild/echo.py
@@ -0,0 +1,109 @@
+#!/usr/bin/env python3
+"""Advanced echo bot example.
+
+it will echo back any message that has non-empty text and also supports the /help command.
+"""
+
+import logging
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+from deltachat_rpc_client import Bot, DeltaChat, EventType, Rpc, events
+
+from chatmaild.config import echobot_password_path, read_config
+from chatmaild.doveauth import encrypt_password
+from chatmaild.newemail import create_newemail_dict
+
+hooks = events.HookCollection()
+
+
+@hooks.on(events.RawEvent)
+def log_event(event):
+    if event.kind == EventType.INFO:
+        logging.info(event.msg)
+    elif event.kind == EventType.WARNING:
+        logging.warning(event.msg)
+
+
+@hooks.on(events.RawEvent(EventType.ERROR))
+def log_error(event):
+    logging.error("%s", event.msg)
+
+
+@hooks.on(events.MemberListChanged)
+def on_memberlist_changed(event):
+    logging.info(
+        "member %s was %s", event.member, "added" if event.member_added else "removed"
+    )
+
+
+@hooks.on(events.GroupImageChanged)
+def on_group_image_changed(event):
+    logging.info("group image %s", "deleted" if event.image_deleted else "changed")
+
+
+@hooks.on(events.GroupNameChanged)
+def on_group_name_changed(event):
+    logging.info(f"group name changed, old name: {event.old_name}")
+
+
+@hooks.on(events.NewMessage(func=lambda e: not e.command))
+def echo(event):
+    snapshot = event.message_snapshot
+    if snapshot.is_info:
+        # Ignore info messages
+        return
+    if snapshot.text or snapshot.file:
+        snapshot.chat.send_message(text=snapshot.text, file=snapshot.file)
+
+
+@hooks.on(events.NewMessage(command="/help"))
+def help_command(event):
+    snapshot = event.message_snapshot
+    snapshot.chat.send_text("Send me any message and I will echo it back")
+
+
+def main():
+    logging.basicConfig(level=logging.INFO)
+    path = os.environ.get("PATH")
+    venv_path = sys.argv[0].strip("echobot")
+    os.environ["PATH"] = path + ":" + venv_path
+    with Rpc() as rpc:
+        deltachat = DeltaChat(rpc)
+        system_info = deltachat.get_system_info()
+        logging.info(f"Running deltachat core {system_info.deltachat_core_version}")
+
+        accounts = deltachat.get_all_accounts()
+        account = accounts[0] if accounts else deltachat.add_account()
+
+        bot = Bot(account, hooks)
+
+        config = read_config(sys.argv[1])
+        addr = "echo@" + config.mail_domain
+
+        # Create password file
+        if bot.is_configured():
+            password = bot.account.get_config("mail_pw")
+        else:
+            password = create_newemail_dict(config)["password"]
+
+        echobot_password_path.write_text(encrypt_password(password))
+        # Give the user which doveauth runs as access to the password file.
+        subprocess.check_call(
+            ["/usr/bin/setfacl", "-m", "user:vmail:r", echobot_password_path],
+        )
+
+        if not bot.is_configured():
+            bot.configure(addr, password)
+
+        # write invite link to working directory
+        invitelink = bot.account.get_qr_code()
+        Path("invite-link.txt").write_text(invitelink)
+
+        bot.run_forever()
+
+
+if __name__ == "__main__":
+    main()
--- a/chatmaild/src/chatmaild/expire.py
+++ b/chatmaild/src/chatmaild/expire.py
@@ -14,7 +14,7 @@ from stat import S_ISREG

 from chatmaild.config import read_config

-FileEntry = namedtuple("FileEntry", ("path", "mtime", "size"))
+FileEntry = namedtuple("FileEntry", ("relpath", "mtime", "size"))


 def iter_mailboxes(basedir, maxnum):
@@ -51,27 +51,33 @@ class MailboxStat:

    def __init__(self, basedir):
        self.basedir = str(basedir)
+        # all detected messages in cur/new/tmp folders
        self.messages = []
-        self.extrafiles = []
-        self.scandir(self.basedir)

-    def scandir(self, folderdir):
-        for name in os_listdir_if_exists(folderdir):
-            path = f"{folderdir}/{name}"
+        # all detected files in mailbox top dir
+        self.extrafiles = []
+
+        # scan all relevant files (without recursion)
+        old_cwd = os.getcwd()
+        try:
+            os.chdir(self.basedir)
+        except FileNotFoundError:
+            return
+        for name in os_listdir_if_exists("."):
            if name in ("cur", "new", "tmp"):
-                for msg_name in os_listdir_if_exists(path):
-                    entry = get_file_entry(f"{path}/{msg_name}")
+                for msg_name in os_listdir_if_exists(name):
+                    entry = get_file_entry(f"{name}/{msg_name}")
                    if entry is not None:
                        self.messages.append(entry)
-            elif os.path.isdir(path):
-                self.scandir(path)
+
            else:
-                entry = get_file_entry(path)
+                entry = get_file_entry(name)
                if entry is not None:
                    self.extrafiles.append(entry)
                    if name == "password":
                        self.last_login = entry.mtime
        self.extrafiles.sort(key=lambda x: -x.size)
+        os.chdir(old_cwd)


 def print_info(msg):
@@ -124,6 +130,13 @@ class Expiry:
            self.remove_mailbox(mbox.basedir)
            return

+        # all to-be-removed files are relative to the mailbox basedir
+        try:
+            os.chdir(mbox.basedir)
+        except FileNotFoundError:
+            print_info(f"mailbox not found/vanished {mbox.basedir}")
+            return
+
        mboxname = os.path.basename(mbox.basedir)
        if self.verbose:
            date = datetime.fromtimestamp(mbox.last_login) if mbox.last_login else None
@@ -134,17 +147,16 @@ class Expiry:
        self.all_files += len(mbox.messages)
        for message in mbox.messages:
            if message.mtime < cutoff_mails:
-                self.remove_file(message.path, mtime=message.mtime)
+                self.remove_file(message.relpath, mtime=message.mtime)
            elif message.size > 200000 and message.mtime < cutoff_large_mails:
                # we only remove noticed large files (not unnoticed ones in new/)
-                parts = message.path.split("/")
-                if len(parts) >= 2 and parts[-2] == "cur":
-                    self.remove_file(message.path, mtime=message.mtime)
+                if message.relpath.startswith("cur/"):
+                    self.remove_file(message.relpath, mtime=message.mtime)
            else:
                continue
            changed = True
        if changed:
-            self.remove_file(f"{mbox.basedir}/maildirsize")
+            self.remove_file("maildirsize")

    def get_summary(self):
        return (
--- a/chatmaild/src/chatmaild/filtermail.py
+++ b/chatmaild/src/chatmaild/filtermail.py
@@ -0,0 +1,381 @@
+#!/usr/bin/env python3
+import asyncio
+import base64
+import binascii
+import sys
+import time
+from email import policy
+from email.parser import BytesParser
+from email.utils import parseaddr
+from smtplib import SMTP as SMTPClient
+
+from aiosmtpd.controller import Controller
+from aiosmtpd.smtp import SMTP
+
+from .config import read_config
+
+ENCRYPTION_NEEDED_523 = "523 Encryption Needed: Invalid Unencrypted Mail"
+
+
+def check_openpgp_payload(payload: bytes):
+    """Checks the OpenPGP payload.
+
+    OpenPGP payload must consist only of PKESK and SKESK packets
+    terminated by a single SEIPD packet.
+
+    Returns True if OpenPGP payload is correct,
+    False otherwise.
+
+    May raise IndexError while trying to read OpenPGP packet header
+    if it is truncated.
+    """
+    i = 0
+    while i < len(payload):
+        # Only OpenPGP format is allowed.
+        if payload[i] & 0xC0 != 0xC0:
+            return False
+
+        packet_type_id = payload[i] & 0x3F
+        i += 1
+
+        while payload[i] >= 224 and payload[i] < 255:
+            # Partial body length.
+            partial_length = 1 << (payload[i] & 0x1F)
+            i += 1 + partial_length
+
+        if payload[i] < 192:
+            # One-octet length.
+            body_len = payload[i]
+            i += 1
+        elif payload[i] < 224:
+            # Two-octet length.
+            body_len = ((payload[i] - 192) << 8) + payload[i + 1] + 192
+            i += 2
+        elif payload[i] == 255:
+            # Five-octet length.
+            body_len = (
+                (payload[i + 1] << 24)
+                | (payload[i + 2] << 16)
+                | (payload[i + 3] << 8)
+                | payload[i + 4]
+            )
+            i += 5
+        else:
+            # Impossible, partial body length was processed above.
+            return False
+
+        i += body_len
+
+        if i == len(payload):
+            # Last packet should be
+            # Symmetrically Encrypted and Integrity Protected Data Packet (SEIPD)
+            #
+            # This is the only place where this function may return `True`.
+            return packet_type_id == 18
+        elif packet_type_id not in [1, 3]:
+            # All packets except the last one must be either
+            # Public-Key Encrypted Session Key Packet (PKESK)
+            # or
+            # Symmetric-Key Encrypted Session Key Packet (SKESK)
+            return False
+
+    return False
+
+
+def check_armored_payload(payload: str, outgoing: bool):
+    """Check the armored PGP message for invalid content.
+
+    :param payload: the armored PGP message
+    :param outgoing: whether the message is outgoing or incoming
+    :return: whether the message is a valid PGP message
+    """
+    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
+    if not payload.startswith(prefix):
+        return False
+    payload = payload.removeprefix(prefix)
+
+    while payload.endswith("\r\n"):
+        payload = payload.removesuffix("\r\n")
+    suffix = "-----END PGP MESSAGE-----"
+    if not payload.endswith(suffix):
+        return False
+    payload = payload.removesuffix(suffix)
+
+    version_comment = "Version: "
+    if payload.startswith(version_comment):
+        if outgoing:  # Disallow comments in outgoing messages
+            return False
+        # Remove comments from incoming messages
+        payload = payload.partition("\r\n")[2]
+
+    while payload.startswith("\r\n"):
+        payload = payload.removeprefix("\r\n")
+
+    # Remove CRC24.
+    payload = payload.rpartition("=")[0]
+
+    try:
+        payload = base64.b64decode(payload)
+    except binascii.Error:
+        return False
+
+    try:
+        return check_openpgp_payload(payload)
+    except IndexError:
+        return False
+
+
+def is_securejoin(message):
+    if message.get("secure-join") not in ["vc-request", "vg-request"]:
+        return False
+    if not message.is_multipart():
+        return False
+    parts_count = 0
+    for part in message.iter_parts():
+        parts_count += 1
+        if parts_count > 1:
+            return False
+        if part.is_multipart():
+            return False
+        if part.get_content_type() != "text/plain":
+            return False
+
+        payload = part.get_payload().strip().lower()
+        if payload not in ("secure-join: vc-request", "secure-join: vg-request"):
+            return False
+    return True
+
+
+def check_encrypted(message, outgoing=True):
+    """Check that the message is an OpenPGP-encrypted message.
+
+    MIME structure of the message must correspond to <https://www.rfc-editor.org/rfc/rfc3156>.
+    """
+    if not message.is_multipart():
+        return False
+    if message.get_content_type() != "multipart/encrypted":
+        return False
+    parts_count = 0
+    for part in message.iter_parts():
+        # We explicitly check Content-Type of each part later,
+        # but this is to be absolutely sure `get_payload()` returns string and not list.
+        if part.is_multipart():
+            return False
+
+        if parts_count == 0:
+            if part.get_content_type() != "application/pgp-encrypted":
+                return False
+
+            payload = part.get_payload()
+            if payload.strip() != "Version: 1":
+                return False
+        elif parts_count == 1:
+            if part.get_content_type() != "application/octet-stream":
+                return False
+
+            if not check_armored_payload(part.get_payload(), outgoing=outgoing):
+                return False
+        else:
+            return False
+        parts_count += 1
+    return True
+
+
+async def asyncmain_beforequeue(config, mode):
+    if mode == "outgoing":
+        port = config.filtermail_smtp_port
+        handler = OutgoingBeforeQueueHandler(config)
+    else:
+        port = config.filtermail_smtp_port_incoming
+        handler = IncomingBeforeQueueHandler(config)
+    HackedController(
+        handler,
+        hostname="127.0.0.1",
+        port=port,
+        data_size_limit=config.max_message_size,
+    ).start()
+
+
+def recipient_matches_passthrough(recipient, passthrough_recipients):
+    for addr in passthrough_recipients:
+        if recipient == addr:
+            return True
+        if addr[0] == "@" and recipient.endswith(addr):
+            return True
+    return False
+
+
+class HackedController(Controller):
+    def factory(self):
+        return SMTPDiscardRCPTO_options(self.handler, **self.SMTP_kwargs)
+
+
+class SMTPDiscardRCPTO_options(SMTP):
+    def _getparams(self, params):
+        # Ignore RCPT TO parameters.
+        #
+        # Otherwise parameters such as `ORCPT=...`
+        # or `NOTIFY=DELAY,FAILURE` (generated by Stalwart)
+        # make aiosmtpd reject the message here:
+        # <https://github.com/aio-libs/aiosmtpd/blob/98f578389ae86e5345cc343fa4e5a17b21d9c96d/aiosmtpd/smtp.py#L1379-L1384>
+        return {}
+
+
+class OutgoingBeforeQueueHandler:
+    def __init__(self, config):
+        self.config = config
+        self.send_rate_limiter = SendRateLimiter()
+
+    async def handle_MAIL(self, server, session, envelope, address, mail_options):
+        log_info(f"handle_MAIL from {address}")
+        envelope.mail_from = address
+        max_sent = self.config.max_user_send_per_minute
+        if not self.send_rate_limiter.is_sending_allowed(address, max_sent):
+            return f"450 4.7.1: Too much mail from {address}"
+
+        parts = envelope.mail_from.split("@")
+        if len(parts) != 2:
+            return f"500 Invalid from address <{envelope.mail_from!r}>"
+
+        return "250 OK"
+
+    async def handle_DATA(self, server, session, envelope):
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
+
+    def sync_handle_DATA(self, envelope):
+        log_info("handle_DATA before-queue")
+        error = self.check_DATA(envelope)
+        if error:
+            return error
+        log_info("re-injecting the mail that passed checks")
+        client = SMTPClient("localhost", self.config.postfix_reinject_port)
+        client.sendmail(
+            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
+        )
+        return "250 OK"
+
+    def check_DATA(self, envelope):
+        """the central filtering function for e-mails."""
+        log_info(f"Processing DATA message from {envelope.mail_from}")
+
+        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+        mail_encrypted = check_encrypted(message, outgoing=True)
+
+        _, from_addr = parseaddr(message.get("from").strip())
+
+        if envelope.mail_from.lower() != from_addr.lower():
+            return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>"
+
+        if mail_encrypted or is_securejoin(message):
+            print("Outgoing: Filtering encrypted mail.", file=sys.stderr)
+            return
+
+        print("Outgoing: Filtering unencrypted mail.", file=sys.stderr)
+
+        if envelope.mail_from in self.config.passthrough_senders:
+            return
+
+        # allow self-sent Autocrypt Setup Message
+        if envelope.rcpt_tos == [from_addr]:
+            if message.get("subject") == "Autocrypt Setup Message":
+                if message.get_content_type() == "multipart/mixed":
+                    return
+
+        passthrough_recipients = self.config.passthrough_recipients
+
+        for recipient in envelope.rcpt_tos:
+            if recipient_matches_passthrough(recipient, passthrough_recipients):
+                continue
+
+            print("Rejected unencrypted mail.", file=sys.stderr)
+            return ENCRYPTION_NEEDED_523
+
+
+class IncomingBeforeQueueHandler:
+    def __init__(self, config):
+        self.config = config
+
+    async def handle_DATA(self, server, session, envelope):
+        loop = asyncio.get_running_loop()
+        return await loop.run_in_executor(None, self.sync_handle_DATA, envelope)
+
+    def sync_handle_DATA(self, envelope):
+        log_info("handle_DATA before-queue")
+        error = self.check_DATA(envelope)
+        if error:
+            return error
+        log_info("re-injecting the mail that passed checks")
+
+        # the smtp daemon on reinject_port_incoming gives it to dkim milter
+        # which looks at source address to determine whether to verify or sign
+        client = SMTPClient(
+            "localhost",
+            self.config.postfix_reinject_port_incoming,
+            source_address=("127.0.0.2", 0),
+        )
+        client.sendmail(
+            envelope.mail_from, envelope.rcpt_tos, envelope.original_content
+        )
+        return "250 OK"
+
+    def check_DATA(self, envelope):
+        """the central filtering function for e-mails."""
+        log_info(f"Processing DATA message from {envelope.mail_from}")
+
+        message = BytesParser(policy=policy.default).parsebytes(envelope.content)
+        mail_encrypted = check_encrypted(message, outgoing=False)
+
+        if mail_encrypted or is_securejoin(message):
+            print("Incoming: Filtering encrypted mail.", file=sys.stderr)
+            return
+
+        print("Incoming: Filtering unencrypted mail.", file=sys.stderr)
+
+        # we want cleartext mailer-daemon messages to pass through
+        # chatmail core will typically not display them as normal messages
+        if message.get("auto-submitted"):
+            _, from_addr = parseaddr(message.get("from").strip())
+            if from_addr.lower().startswith("mailer-daemon@"):
+                if message.get_content_type() == "multipart/report":
+                    return
+
+        for recipient in envelope.rcpt_tos:
+            user = self.config.get_user(recipient)
+            if user is None or user.is_incoming_cleartext_ok():
+                continue
+
+            print("Rejected unencrypted mail.", file=sys.stderr)
+            return ENCRYPTION_NEEDED_523
+
+
+class SendRateLimiter:
+    def __init__(self):
+        self.addr2timestamps = {}
+
+    def is_sending_allowed(self, mail_from, max_send_per_minute):
+        last = self.addr2timestamps.setdefault(mail_from, [])
+        now = time.time()
+        last[:] = [ts for ts in last if ts >= (now - 60)]
+        if len(last) <= max_send_per_minute:
+            last.append(now)
+            return True
+        return False
+
+
+def log_info(msg):
+    print(msg, file=sys.stderr)
+
+
+def main():
+    args = sys.argv[1:]
+    assert len(args) == 2
+    config = read_config(args[0])
+    mode = args[1]
+    loop = asyncio.new_event_loop()
+    asyncio.set_event_loop(loop)
+    assert mode in ["incoming", "outgoing"]
+    task = asyncmain_beforequeue(config, mode)
+    loop.create_task(task)
+    log_info("entering serving loop")
+    loop.run_forever()
--- a/chatmaild/src/chatmaild/ini/chatmail.ini.f
+++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f
@@ -3,9 +3,6 @@
 # mail domain (MUST be set to fully qualified chat mail domain)
 mail_domain = {mail_domain}

-# Where to deploy the relay - if unspecified, mail_domain will be used.
-ssh_host = localhost
-
 #
 # If you only do private test deploys, you don't need to modify any settings below
 #
@@ -14,14 +11,11 @@ ssh_host = localhost
 # Restrictions on user addresses
 #

-# email sending rate per user and minute
+# how many mails a user can send out per minute
 max_user_send_per_minute = 60

-# per-user max burst size for sending rate limiting (GCRA bucket capacity)
-max_user_send_burst_size = 10
-
 # maximum mailbox size of a chatmail address
-max_mailbox_size = 500M
+max_mailbox_size = 100M

 # maximum message size for an e-mail in bytes
 max_message_size = 31457280
@@ -49,9 +43,9 @@ passthrough_senders =

 # list of e-mail recipients for which to accept outbound un-encrypted mails
 # (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients =
+passthrough_recipients = echo@{mail_domain}

-# path to www directory - documented here: https://chatmail.at/doc/relay/getting_started.html#custom-web-pages
+# path to www directory - documented here: https://github.com/chatmail/relay/#custom-web-pages
 #www_folder = www

 #
@@ -105,12 +99,6 @@ acme_email =
 # so use this option with caution on production servers. 
 imap_rawlog = false 

-# set to true if you want to enable the IMAP COMPRESS Extension,
-# which allows IMAP connections to be efficiently compressed.
-# WARNING: Enabling this makes it impossible to hibernate IMAP
-# processes which will result in much higher memory/RAM usage.
-imap_compress = false
-

 #
 # Privacy Policy
--- a/chatmaild/src/chatmaild/lastlogin.py
+++ b/chatmaild/src/chatmaild/lastlogin.py
@@ -13,6 +13,8 @@ class LastLoginDictProxy(DictProxy):
        keyname = parts[1].split("/")
        value = parts[2] if len(parts) > 2 else ""
        if keyname[0] == "shared" and keyname[1] == "last-login":
+            if addr.startswith("echo@"):
+                return True
            addr = keyname[2]
            timestamp = int(value)
            user = self.config.get_user(addr)
--- a/chatmaild/src/chatmaild/tests/test_config.py
+++ b/chatmaild/src/chatmaild/tests/test_config.py
@@ -33,7 +33,7 @@ def test_read_config_testrun(make_config):
    assert config.filtermail_smtp_port == 10080
    assert config.postfix_reinject_port == 10025
    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "500M"
+    assert config.max_mailbox_size == "100M"
    assert config.delete_mails_after == "20"
    assert config.delete_large_after == "7"
    assert config.username_min_length == 9
--- a/chatmaild/src/chatmaild/tests/test_expire.py
+++ b/chatmaild/src/chatmaild/tests/test_expire.py
@@ -17,17 +17,19 @@ from chatmaild.expire import main as expiry_main
 from chatmaild.fsreport import main as report_main


-def fill_mbox(folderdir):
-    password = folderdir.joinpath("password")
+def fill_mbox(basedir):
+    basedir1 = basedir.joinpath("mailbox1@example.org")
+    basedir1.mkdir()
+    password = basedir1.joinpath("password")
    password.write_text("xxx")
-    folderdir.joinpath("maildirsize").write_text("xxx")
+    basedir1.joinpath("maildirsize").write_text("xxx")

-    garbagedir = folderdir.joinpath("garbagedir")
+    garbagedir = basedir1.joinpath("garbagedir")
    garbagedir.mkdir()
-    garbagedir.joinpath("bimbum").write_text("hello")

-    create_new_messages(folderdir, ["cur/msg1"], size=500)
-    create_new_messages(folderdir, ["new/msg2"], size=600)
+    create_new_messages(basedir1, ["cur/msg1"], size=500)
+    create_new_messages(basedir1, ["new/msg2"], size=600)
+    return basedir1


 def create_new_messages(basedir, relpaths, size=1000, days=0):
@@ -43,21 +45,8 @@ def create_new_messages(basedir, relpaths, size=1000, days=0):

@pytest.fixture
 def mbox1(example_config):
-    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
-    mboxdir.mkdir()
-    fill_mbox(mboxdir)
-    return MailboxStat(mboxdir)
-
-
-def test_deltachat_folder(example_config):
-    """Test old setups that might have a .DeltaChat folder where messages also need to get removed."""
-    mboxdir = example_config.mailboxes_dir.joinpath("mailbox1@example.org")
-    mboxdir.mkdir()
-    mbox2dir = mboxdir.joinpath(".DeltaChat")
-    mbox2dir.mkdir()
-    fill_mbox(mbox2dir)
-    mb = MailboxStat(mboxdir)
-    assert len(mb.messages) == 2
+    basedir1 = fill_mbox(example_config.mailboxes_dir)
+    return MailboxStat(basedir1)


 def test_filentry_ordering(tmp_path):
@@ -87,7 +76,7 @@ def test_stats_mailbox(mbox1):
    create_new_messages(mbox1.basedir, ["large-extra"], size=1000)
    create_new_messages(mbox1.basedir, ["index-something"], size=3)
    mbox2 = MailboxStat(mbox1.basedir)
-    assert len(mbox2.extrafiles) == 5
+    assert len(mbox2.extrafiles) == 4
    assert mbox2.extrafiles[0].size == 1000

    # cope well with mailbox dirs that have no password (for whatever reason)
--- a/chatmaild/src/chatmaild/tests/test_filtermail.py
+++ b/chatmaild/src/chatmaild/tests/test_filtermail.py
@@ -0,0 +1,361 @@
+import pytest
+
+from chatmaild.filtermail import (
+    IncomingBeforeQueueHandler,
+    OutgoingBeforeQueueHandler,
+    SendRateLimiter,
+    check_armored_payload,
+    check_encrypted,
+    is_securejoin,
+)
+
+
+@pytest.fixture
+def maildomain():
+    # let's not depend on a real chatmail instance for the offline tests below
+    return "chatmail.example.org"
+
+
+@pytest.fixture
+def handler(make_config, maildomain):
+    config = make_config(maildomain)
+    return OutgoingBeforeQueueHandler(config)
+
+
+@pytest.fixture
+def inhandler(make_config, maildomain):
+    config = make_config(maildomain)
+    return IncomingBeforeQueueHandler(config)
+
+
+def test_reject_forged_from(maildata, gencreds, handler):
+    class env:
+        mail_from = gencreds()[0]
+        rcpt_tos = [gencreds()[0]]
+
+    # test that the filter lets good mail through
+    to_addr = gencreds()[0]
+    env.content = maildata(
+        "encrypted.eml", from_addr=env.mail_from, to_addr=to_addr
+    ).as_bytes()
+
+    assert not handler.check_DATA(envelope=env)
+
+    # test that the filter rejects forged mail
+    env.content = maildata(
+        "encrypted.eml", from_addr="forged@c3.testrun.org", to_addr=to_addr
+    ).as_bytes()
+    error = handler.check_DATA(envelope=env)
+    assert "500" in error
+
+
+def test_filtermail_no_encryption_detection(maildata):
+    msg = maildata(
+        "plain.eml", from_addr="some@example.org", to_addr="other@example.org"
+    )
+    assert not check_encrypted(msg)
+
+    # https://xkcd.com/1181/
+    msg = maildata(
+        "fake-encrypted.eml", from_addr="some@example.org", to_addr="other@example.org"
+    )
+    assert not check_encrypted(msg)
+
+
+def test_filtermail_securejoin_detection(maildata):
+    msg = maildata(
+        "securejoin-vc.eml", from_addr="some@example.org", to_addr="other@example.org"
+    )
+    assert is_securejoin(msg)
+
+    msg = maildata(
+        "securejoin-vc-fake.eml",
+        from_addr="some@example.org",
+        to_addr="other@example.org",
+    )
+    assert not is_securejoin(msg)
+
+
+def test_filtermail_encryption_detection(maildata):
+    msg = maildata(
+        "encrypted.eml",
+        from_addr="1@example.org",
+        to_addr="2@example.org",
+        subject="Subject does not matter, will be replaced anyway",
+    )
+    assert check_encrypted(msg)
+
+
+def test_filtermail_no_literal_packets(maildata):
+    """Test that literal OpenPGP packet is not considered an encrypted mail."""
+    msg = maildata("literal.eml", from_addr="1@example.org", to_addr="2@example.org")
+    assert not check_encrypted(msg)
+
+
+def test_filtermail_unencrypted_mdn(maildata, gencreds):
+    """Unencrypted MDNs should not pass."""
+    from_addr = gencreds()[0]
+    to_addr = gencreds()[0] + ".other"
+    msg = maildata("mdn.eml", from_addr=from_addr, to_addr=to_addr)
+
+    assert not check_encrypted(msg)
+
+
+def test_send_rate_limiter():
+    limiter = SendRateLimiter()
+    for i in range(100):
+        if limiter.is_sending_allowed("some@example.org", 10):
+            if i <= 10:
+                continue
+            pytest.fail("limiter didn't work")
+        else:
+            assert i == 11
+            break
+
+
+def test_cleartext_excempt_privacy(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = "privacy@testrun.org"
+    handler.config.passthrough_recipients = [to_addr]
+    false_to = "privacy@something.org"
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    # assert that None/no error is returned
+    assert not handler.check_DATA(envelope=env)
+
+    class env2:
+        mail_from = from_addr
+        rcpt_tos = [to_addr, false_to]
+        content = msg.as_bytes()
+
+    assert "523" in handler.check_DATA(envelope=env2)
+
+
+def test_cleartext_self_send_autocrypt_setup_message(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = from_addr
+
+    msg = maildata("asm.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    assert not handler.check_DATA(envelope=env)
+
+
+def test_cleartext_send_fails(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = gencreds()[0]
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    res = handler.check_DATA(envelope=env)
+    assert "523 Encryption Needed" in res
+
+
+def test_cleartext_incoming_fails(maildata, gencreds, inhandler):
+    from_addr = gencreds()[0]
+    to_addr, password = gencreds()
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    user = inhandler.config.get_user(to_addr)
+    user.set_password(password)
+    res = inhandler.check_DATA(envelope=env)
+    assert "523 Encryption Needed" in res
+
+    user.allow_incoming_cleartext()
+    assert not inhandler.check_DATA(envelope=env)
+
+
+def test_cleartext_incoming_mailer_daemon(maildata, gencreds, inhandler):
+    from_addr = "mailer-daemon@example.org"
+    to_addr = gencreds()[0]
+
+    msg = maildata("mailer-daemon.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    assert not inhandler.check_DATA(envelope=env)
+
+
+def test_cleartext_passthrough_domains(maildata, gencreds, handler):
+    from_addr = gencreds()[0]
+    to_addr = "privacy@x.y.z"
+    handler.config.passthrough_recipients = ["@x.y.z"]
+    false_to = "something@x.y"
+
+    msg = maildata("plain.eml", from_addr=from_addr, to_addr=to_addr)
+
+    class env:
+        mail_from = from_addr
+        rcpt_tos = [to_addr]
+        content = msg.as_bytes()
+
+    # assert that None/no error is returned
+    assert not handler.check_DATA(envelope=env)
+
+    class env2:
+        mail_from = from_addr
+        rcpt_tos = [to_addr, false_to]
+        content = msg.as_bytes()
+
+    assert "523" in handler.check_DATA(envelope=env2)
+
+
+def test_cleartext_passthrough_senders(gencreds, handler, maildata):
+    acc1 = gencreds()[0]
+    to_addr = "recipient@something.org"
+    handler.config.passthrough_senders = [acc1]
+
+    msg = maildata("plain.eml", from_addr=acc1, to_addr=to_addr)
+
+    class env:
+        mail_from = acc1
+        rcpt_tos = to_addr
+        content = msg.as_bytes()
+
+    # assert that None/no error is returned
+    assert not handler.check_DATA(envelope=env)
+
+
+def test_check_armored_payload():
+    prefix = "-----BEGIN PGP MESSAGE-----\r\n"
+    comment = "Version: ProtonMail\r\n"
+    payload = """\r
+wU4DSqFx0d1yqAoSAQdAYkX/ZN/Az4B0k7X47zKyWrXxlDEdS3WOy0Yf2+GJTFgg\r
+Zk5ql0mLG8Ze+ZifCS0XMO4otlemSyJ0K1ZPdFMGzUDBTgNqzkFabxXoXRIBB0AM\r
+755wlX41X6Ay3KhnwBq7yEqSykVH6F3x11iHPKraLCAGZoaS8bKKNy/zg5slda1X\r
+pt14b4aC1VwtSnYhcRRELNLD/wE2TFif+g7poMmFY50VyMPLYjVP96Z5QCT4+z4H\r
+Ikh/pRRN8S3JNMrRJHc6prooSJmLcx47Y5un7VFy390MsJ+LiUJuQMDdYWRAinfs\r
+Ebm89Ezjm7F03qbFPXE0X4ZNzVXS/eKO0uhJQdiov/vmbn41rNtHmNpqjaO0vi5+\r
+sS9tR7yDUrIXiCUCN78eBLVioxtktsPZm5cDORbQWzv+7nmCEz9/JowCUcBVdCGn\r
+1ofOaH82JCAX/cRx08pLaDNj6iolVBsi56Dd+2bGxJOZOG2AMcEyz0pXY0dOAJCD\r
+iUThcQeGIdRnU3j8UBcnIEsjLu2+C+rrwMZQESMWKnJ0rnqTk0pK5kXScr6F/L0L\r
+UE49ccIexNm3xZvYr5drszr6wz3Tv5fdue87P4etBt90gF/Vzknck+g1LLlkzZkp\r
+d8dI0k2tOSPjUbDPnSy1x+X73WGpPZmj0kWT+RGvq0nH6UkJj3AQTG2qf1T8jK+3\r
+rTp3LR9vDkMwDjX4R8SA9c0wdnUzzr79OYQC9lTnzcx+fM6BBmgQ2GrS33jaFLp7\r
+L6/DFpCl5zhnPjM/2dKvMkw/Kd6XS/vjwsO405FQdjSDiQEEAZA+ZvAfcjdccbbU\r
+yCO+x0QNdeBsufDVnh3xvzuWy4CICdTQT4s1AWRPCzjOj+SGmx5WqCLWfsd8Ma0+\r
+w/C7SfTYu1FDQILLM+llpq1M/9GPley4QZ8JQjo262AyPXsPF/OW48uuZz0Db1xT\r
+Yh4iHBztj4VSdy7l2+IyaIf7cnL4EEBFxv/MwmVDXvDlxyvfAfIsd3D9SvJESzKZ\r
+VWDYwaocgeCN+ojKu1p885lu1EfRbX3fr3YO02K5/c2JYDkc0Py0W3wUP/J1XUax\r
+pbKpzwlkxEgtmzsGqsOfMJqBV3TNDrOA2uBsa+uBqP5MGYLZ49S/4v/bW9I01Cr1\r
+D2ZkV510Y1Vgo66WlP8mRqOTyt/5WRhPD+MxXdk67BNN/PmO6tMlVoJDuk+XwWPR\r
+t2TvNaND/yabT9eYI55Og4fzKD6RIjouUX8DvKLkm+7aXxVs2uuLQ3Jco3O82z55\r
+dbShU1jYsrw9oouXUz06MHPbkdhNbF/2hfhZ2qA31sNeovJw65iUv7sDKX3LVWgJ\r
+10jlywcDwqlU8CO7WC9lGixYTbnOkYZpXCGEl8e6Jbs79l42YFo4ogYpFK1NXFhV\r
+kOXRmDf/wmfj+c/ld3L2PkvwlgofhCudOQknZbo3ub1gjiTn7L+lMGHIj/3suMIl\r
+ID4EUxAXScIM1ZEz2fjtW5jATlqYcLjLTbf/olw6HFyPNH+9IssqXeZNKnGwPUB9\r
+3lTXsg0tpzl+x7F/2WjEw1DSNhjC0KnHt1vEYNMkUGDGFdN9y3ERLqX/FIgiASUb\r
+bTvAVupnAK3raBezGmhrs6LsQtLS9P0VvQiLU3uDhMqw8Z4SISLpcD+NnVBHzQqm\r
+6W5Qn/8xsCL6av18yUVTi2G3igt3QCNoYx9evt2ZcIkNoyyagUVjfZe5GHXh8Dnz\r
+GaBXW/hg3HlXLRGaQu4RYCzBMJILcO25OhZOg6jbkCLiEexQlm2e9krB5cXR49Al\r
+UN4fiB0KR9JyG2ayUdNJVkXZSZLnHyRgiaadlpUo16LVvw==\r
+=b5Kp\r
+-----END PGP MESSAGE-----\r
+\r
+\r
+"""
+
+    commented_payload = prefix + comment + payload
+    assert check_armored_payload(commented_payload, outgoing=False) == True
+    assert check_armored_payload(commented_payload, outgoing=True) == False
+
+    payload = prefix + payload
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = payload.removesuffix("\r\n")
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
+
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+HELLOWORLD
+-----END PGP MESSAGE-----\r
+\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload, outgoing=True) == False
+
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+=njUN
+-----END PGP MESSAGE-----\r
+\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == False
+    assert check_armored_payload(payload, outgoing=True) == False
+
+    # Test payload using partial body length
+    # as generated by GopenPGP.
+    payload = """-----BEGIN PGP MESSAGE-----\r
+\r
+wV4DdCVjRfOT3TQSAQdAY5+pjT6mlCxPGdR3be4w7oJJRUGIPI/Vnh+mJxGSm34w\r
+LNlVc89S1g22uQYFif2sUJsQWbpoHpNkuWpkSgOaHmNvrZiY/YU5iv+cZ3LbmtUG\r
+0uoBisSHh9O1c+5sYZSbrvYZ1NOwlD7Fv/U5/Mw4E5+CjxfdgNGp5o3DDddzPK78\r
+jseDhdSXxnaiIJC93hxNX6R1RPt3G2gukyzx69wciPQShcF8zf3W3o75Ed7B8etV\r
+QEeB16xzdFhKa9JxdjTu3osgCs21IO7wpcFkjc7nZzlW6jPnELJJaNmv4yOOCjMp\r
+6YAkaN/BkL+jHTznHDuDsT5ilnTXpwHDU1Cm9PIx/KFcNCQnIB+2DcdIHPHUH1ci\r
+jvqoeXAVWjKXEjS7PqPFuP/xGbrWG2ugs+toXJOKbgRkExvKs1dwPFKrgghvCVbW\r
+AcKejQKAPArLwpkA7aD875TZQShvGt74fNs45XBlGOYOnNOAJ1KAmzrXLIDViyyB\r
+kDsmTBk785xofuCkjBpXSe6vsMprPzCteDfaUibh8FHeJjucxPerwuOPEmnogNaf\r
+YyL4+iy8H8I9/p7pmUqILprxTG0jTOtlk0bTVzeiF56W1xbtSEMuOo4oFbQTyOM2\r
+bKXaYo774Jm+rRtKAnnI2dtf9RpK19cog6YNzfYjesLKbXDsPZbN5rmwyFiCvvxC\r
+kQ6JLob+B2fPdY2gzy7LypxktS8Zi1HJcWDHJGVmQodaDLqKUObb4M26bXDe6oxI\r
+NS8PJz5exVbM3KhZnUOEn6PJRBBf5a/ZqxlhZPcQo/oBuhKpBRpO5kSDwPIUByu3\r
+UlXLSkpMqe9pUarAOEuQjfl2RVY7U+RrQYp4YP5keMO+i8NCefAFbowTTufO1JIq\r
+2nVgCi/QVnxZyEc9OYt/8AE3g4cdojE+vsSDifZLSWYIetpfrohHv3dT3StD1QRG\r
+0QE6qq6oKpg/IL0cjvuX4c7a7bslv2fXp8t75y37RU6253qdIebhxc/cRhPbc/yu\r
+p0YLyD4SrvKTLP2ZV95jT4IPEpqm4AN3QmiOzdtqR2gLyb62L8QfqI/FdwsIiRiM\r
+hqydwoqt/lfSqG1WKPh+6EkMkH+TDiCC1BQdbN1MNcyUtcjb35PR2c8Ld2TF3guA\r
+jLIqMt/Vb7hBoMb2FcsOYY25ka9oV62OwgKWLXnFzk+modMR5fzb4kxVVAYEqP+D\r
+T5KO1Vs76v1fyPGOq6BbBCvLwTqe/e6IZInJles4v5jrhnLcGKmNGivCUDe6X6NY\r
+UKNt5RsZllwDQpaAb5dMNhyrk8SgIE7TBI7rvqIdUCE52Vy+0JDxFg5olRpFUfO6\r
+/MyTW3Yo/ekk/npHr7iYYqJTCc21bDGLWQcIo/XO7WPxrKNWGBNPFnkRdw0MaKr4\r
+cEM3V8NFnSEpC12xA+RX/CezuJtwXZK5MpG76eYqMO6qyC+c25YcFecEufDZDxx\r
+ZLqRszVRyxyWPtk/oIeQK2v9wOqY6N9/ff01gHz69vqYqN5bUw/QKZsmx1zW+gPw\r
+6x2tDK2BHeYl182gCbhlKISRFwCtbjqZSkiKWao/VtygHkw0fK34avJuyQ/X9YaN\r
+BRy+7Lf3VA53pnB5WJ1xwRXN8VDvmZeXzv2krHveCMemj0OjnRoCLu117xN0A5m9\r
+Fm/RoDix5PolDHtWTtr2m1n2hp2LHnj8at9lFEd0SKhAYHVL9KjzycwWODZRXt+x\r
+zGDDuooEeTvdY5NLyKcl4gETz1ZP4Ez5jGGjhPSwSpq1mU7UaJ9ZXXdr4KHyifW6\r
+ggNzNsGhXTap7IWZpTtqXABydfiBshmH2NjqtNDwBweJVSgP10+r0WhMWlaZs6xl\r
+V3o5yskJt6GlkwpJxZrTvN6Tiww/eW7HFV6NGf7IRSWY5tJc/iA7/92tOmkdvJ1q\r
+myLbG7cJB787QjplEyVe2P/JBO6xYvbkJLf9Q+HaviTO25rugRSrYsoKMDfO8VlQ\r
+1CcnTPVtApPZJEQzAWJEgVAM8uIlkqWJJMgyWT34sTkdBeCUFGloXQFs9Yxd0AGf\r
+/zHEkYZSTKpVSvAIGu4=\r
+=6iHb\r
+-----END PGP MESSAGE-----\r
+"""
+    assert check_armored_payload(payload, outgoing=False) == True
+    assert check_armored_payload(payload, outgoing=True) == True
--- a/chatmaild/src/chatmaild/tests/test_lastlogin.py
+++ b/chatmaild/src/chatmaild/tests/test_lastlogin.py
@@ -36,3 +36,29 @@ def test_handle_dovecot_request_last_login(testaddr, example_config):
    res = dictproxy.handle_dovecot_request(msg, dictproxy_transactions)
    assert res == "O\n"
    assert len(dictproxy_transactions) == 0
+
+
+def test_handle_dovecot_request_last_login_echobot(example_config):
+    dictproxy = LastLoginDictProxy(config=example_config)
+
+    authproxy = AuthDictProxy(config=example_config)
+    testaddr = f"echo@{example_config.mail_domain}"
+    authproxy.lookup_passdb(testaddr, "ignore")
+    user = dictproxy.config.get_user(testaddr)
+
+    transactions = {}
+
+    # set last-login info for user
+    tx = "1111"
+    msg = f"B{tx}\t{testaddr}"
+    res = dictproxy.handle_dovecot_request(msg, transactions)
+    assert not res
+    assert transactions == {tx: dict(addr=testaddr, res="O\n")}
+
+    timestamp = int(time.time())
+    msg = f"S{tx}\tshared/last-login/{testaddr}\t{timestamp}"
+    res = dictproxy.handle_dovecot_request(msg, transactions)
+    assert not res
+    assert len(transactions) == 1
+    read_timestamp = user.get_last_login_timestamp()
+    assert read_timestamp is None
--- a/chatmaild/src/chatmaild/user.py
+++ b/chatmaild/src/chatmaild/user.py
@@ -19,7 +19,7 @@ class User:

    @property
    def can_track(self):
-        return "@" in self.addr
+        return "@" in self.addr and not self.addr.startswith("echo@")

    def get_userdb_dict(self):
        """Return a non-empty dovecot 'userdb' style dict
@@ -55,9 +55,11 @@ class User:
        try:
            write_bytes_atomic(self.password_path, password)
        except PermissionError:
-            logging.error(f"could not write password for: {self.addr}")
-            raise
-        self.enforce_E2EE_path.touch()
+            if not self.addr.startswith("echo@"):
+                logging.error(f"could not write password for: {self.addr}")
+                raise
+        if not self.addr.startswith("echo@"):
+            self.enforce_E2EE_path.touch()

    def set_last_login_timestamp(self, timestamp):
        """Track login time with daily granularity
--- a/cliff.toml
+++ b/cliff.toml
@@ -1,94 +0,0 @@
-# git-cliff ~ configuration file
-# https://git-cliff.org/docs/configuration
-
-
-[changelog]
-# A Tera template to be rendered for each release in the changelog.
-# See https://keats.github.io/tera/docs/#introduction
-body = """
-{% if version %}\
-    ## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
-{% else %}\
-    ## [unreleased]
-{% endif %}\
-{% for group, commits in commits | group_by(attribute="group") %}
-    ### {{ group | striptags | trim | upper_first }}
-    {% for commit in commits %}
-        - {% if commit.scope %}*({{ commit.scope }})* {% endif %}\
-            {% if commit.breaking %}[**breaking**] {% endif %}\
-            {{ commit.message | upper_first }}\
-    {% endfor %}
-{% endfor %}
-"""
-# Remove leading and trailing whitespaces from the changelog's body.
-trim = true
-# Render body even when there are no releases to process.
-render_always = true
-# An array of regex based postprocessors to modify the changelog.
-postprocessors = [
-    # Replace the placeholder <REPO> with a URL.
-    #{ pattern = '<REPO>', replace = "https://github.com/orhun/git-cliff" },
-]
-# render body even when there are no releases to process
-# render_always = true
-# output file path
-# output = "test.md"
-
-[git]
-# Parse commits according to the conventional commits specification.
-# See https://www.conventionalcommits.org
-conventional_commits = true
-# Exclude commits that do not match the conventional commits specification.
-filter_unconventional = true
-# Require all commits to be conventional.
-# Takes precedence over filter_unconventional.
-require_conventional = false
-# Split commits on newlines, treating each line as an individual commit.
-split_commits = false
-# An array of regex based parsers to modify commit messages prior to further processing.
-commit_preprocessors = [
-    # Replace issue numbers with link templates to be updated in `changelog.postprocessors`.
-    #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](<REPO>/issues/${2}))"},
-    # Check spelling of the commit message using https://github.com/crate-ci/typos.
-    # If the spelling is incorrect, it will be fixed automatically.
-    #{ pattern = '.*', replace_command = 'typos --write-changes -' },
-]
-# Prevent commits that are breaking from being excluded by commit parsers.
-protect_breaking_commits = false
-# An array of regex based parsers for extracting data from the commit message.
-# Assigns commits to groups.
-# Optionally sets the commit's scope and can decide to exclude commits from further processing.
-commit_parsers = [
-    { message = "^feat", group = "Features" },
-    { message = "^fix", group = "Bug Fixes" },
-    { message = "^docs", group = "Documentation" },
-    { message = "^perf", group = "Performance" },
-    { message = "^refactor", group = "Refactor" },
-    { message = "^style", group = "Styling" },
-    { message = "^test", group = "Testing" },
-    { message = "^chore\\(release\\): prepare for", skip = true },
-    { message = "^chore\\(deps.*\\)", skip = true },
-    { message = "^chore\\(pr\\)", skip = true },
-    { message = "^chore\\(pull\\)", skip = true },
-    { message = "^chore|^ci", group = "Miscellaneous Tasks" },
-    { body = ".*security", group = "Security" },
-    { message = "^revert", group = "Revert" },
-    { message = ".*", group = "Other" },
-]
-# Exclude commits that are not matched by any commit parser.
-filter_commits = false
-# Fail on a commit that is not matched by any commit parser.
-fail_on_unmatched_commit = false
-# An array of link parsers for extracting external references, and turning them into URLs, using regex.
-link_parsers = []
-# Include only the tags that belong to the current branch.
-use_branch_tags = false
-# Order releases topologically instead of chronologically.
-topo_order = false
-# Order commits topologically instead of chronologically.
-topo_order_commits = true
-# Order of commits in each group/release within the changelog.
-# Allowed values: newest, oldest
-sort_commits = "oldest"
-# Process submodules commits
-recurse_submodules = false
--- a/cmdeploy/src/cmdeploy/init.py
+++ b/cmdeploy/src/cmdeploy/init.py
--- a/cmdeploy/src/cmdeploy/acmetool/init.py
+++ b/cmdeploy/src/cmdeploy/acmetool/init.py
@@ -2,7 +2,7 @@ import importlib.resources

 from pyinfra.operations import apt, files, server, systemd

-from ..basedeploy import Deployer
+from ..deployer import Deployer


 class AcmetoolDeployer(Deployer):
@@ -27,9 +27,7 @@ class AcmetoolDeployer(Deployer):

        files.put(
            name="Install acmetool hook.",
-            src=importlib.resources.files(__package__)
-            .joinpath("acmetool.hook")
-            .open("rb"),
+            src=importlib.resources.files(__package__).joinpath("acmetool.hook").open("rb"),
            dest="/etc/acme/hooks/nginx",
            user="root",
            group="root",
@@ -43,9 +41,7 @@ class AcmetoolDeployer(Deployer):

    def configure(self):
        files.template(
-            src=importlib.resources.files(__package__).joinpath(
-                "response-file.yaml.j2"
-            ),
+            src=importlib.resources.files(__package__).joinpath("response-file.yaml.j2"),
            dest="/var/lib/acme/conf/responses",
            user="root",
            group="root",
@@ -61,19 +57,6 @@ class AcmetoolDeployer(Deployer):
            mode="644",
        )

-        server.shell(
-            name=f"Remove old acmetool desired files for {self.domains[0]}",
-            commands=[f"rm -f /var/lib/acme/desired/{self.domains[0]}-*"],
-        )
-        files.template(
-            src=importlib.resources.files(__package__).joinpath("desired.yaml.j2"),
-            dest=f"/var/lib/acme/desired/{self.domains[0]}", # 0 is mailhost TLD
-            user="root",
-            group="root",
-            mode="644",
-            domains=self.domains,
-        )
-
        service_file = files.put(
            src=importlib.resources.files(__package__).joinpath(
                "acmetool-redirector.service"
@@ -97,9 +80,7 @@ class AcmetoolDeployer(Deployer):
        self.need_restart_reconcile_service = reconcile_service_file.changed

        reconcile_timer_file = files.put(
-            src=importlib.resources.files(__package__).joinpath(
-                "acmetool-reconcile.timer"
-            ),
+            src=importlib.resources.files(__package__).joinpath("acmetool-reconcile.timer"),
            dest="/etc/systemd/system/acmetool-reconcile.timer",
            user="root",
            group="root",
@@ -136,6 +117,6 @@ class AcmetoolDeployer(Deployer):
        self.need_restart_reconcile_timer = False

        server.shell(
-            name=f"Reconcile certificates for: {', '.join(self.domains)}",
-            commands=["acmetool --batch --xlog.severity=debug reconcile"],
+            name=f"Request certificate for: {', '.join(self.domains)}",
+            commands=[f"acmetool want --xlog.severity=debug {' '.join(self.domains)}"],
        )
--- a/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/desired.yaml.j2
@@ -1,6 +0,0 @@
-satisfy:
-  names:
-{%- for domain in domains %}
-  - {{ domain }}
-{%- endfor %}
-
--- a/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
+++ b/cmdeploy/src/cmdeploy/acmetool/response-file.yaml.j2
@@ -1,2 +1,2 @@
 "acme-enter-email": "{{ email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf": true
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf": true
--- a/cmdeploy/src/cmdeploy/basedeploy.py
+++ b/cmdeploy/src/cmdeploy/basedeploy.py
@@ -1,111 +0,0 @@
-import importlib.resources
-import io
-import os
-
-from pyinfra.operations import files, server, systemd
-
-
-def get_resource(arg, pkg=__package__):
-    return importlib.resources.files(pkg).joinpath(arg)
-
-
-def configure_remote_units(mail_domain, units) -> None:
-    remote_base_dir = "/usr/local/lib/chatmaild"
-    remote_venv_dir = f"{remote_base_dir}/venv"
-    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
-    root_owned = dict(user="root", group="root", mode="644")
-
-    # install systemd units
-    for fn in units:
-        params = dict(
-            execpath=f"{remote_venv_dir}/bin/{fn}",
-            config_path=remote_chatmail_inipath,
-            remote_venv_dir=remote_venv_dir,
-            mail_domain=mail_domain,
-        )
-
-        basename = fn if "." in fn else f"{fn}.service"
-
-        source_path = get_resource(f"service/{basename}.f")
-        content = source_path.read_text().format(**params).encode()
-
-        files.put(
-            name=f"Upload {basename}",
-            src=io.BytesIO(content),
-            dest=f"/etc/systemd/system/{basename}",
-            **root_owned,
-        )
-
-
-def activate_remote_units(units) -> None:
-    # activate systemd units
-    for fn in units:
-        basename = fn if "." in fn else f"{fn}.service"
-
-        if fn == "chatmail-expire" or fn == "chatmail-fsreport":
-            # don't auto-start but let the corresponding timer trigger execution
-            enabled = False
-        else:
-            enabled = True
-        systemd.service(
-            name=f"Setup {basename}",
-            service=basename,
-            running=enabled,
-            enabled=enabled,
-            restarted=enabled,
-            daemon_reload=True,
-        )
-
-
-class Deployment:
-    def install(self, deployer):
-        # optional 'required_users' contains a list of (user, group, secondary-group-list) tuples.
-        # If the group is None, no group is created corresponding to that user.
-        # If the secondary group list is not None, all listed groups are created as well.
-        required_users = getattr(deployer, "required_users", [])
-        for user, group, groups in required_users:
-            if group is not None:
-                server.group(
-                    name="Create {} group".format(group), group=group, system=True
-                )
-            if groups is not None:
-                for group2 in groups:
-                    server.group(
-                        name="Create {} group".format(group2), group=group2, system=True
-                    )
-            server.user(
-                name="Create {} user".format(user),
-                user=user,
-                group=group,
-                groups=groups,
-                system=True,
-            )
-
-        deployer.install()
-
-    def configure(self, deployer):
-        deployer.configure()
-
-    def activate(self, deployer):
-        deployer.activate()
-
-    def perform_stages(self, deployers):
-        default_stages = "install,configure,activate"
-        stages = os.getenv("CMDEPLOY_STAGES", default_stages).split(",")
-
-        for stage in stages:
-            for deployer in deployers:
-                getattr(self, stage)(deployer)
-
-
-class Deployer:
-    need_restart = False
-
-    def install(self):
-        pass
-
-    def configure(self):
-        pass
-
-    def activate(self):
-        pass
--- a/cmdeploy/src/cmdeploy/cmdeploy.py
+++ b/cmdeploy/src/cmdeploy/cmdeploy.py
@@ -19,7 +19,7 @@ from packaging import version
 from termcolor import colored

 from . import dns, remote
-from .sshexec import LocalExec, SSHExec
+from .sshexec import SSHExec, LocalExec

 #
 # cmdeploy sub commands and options
@@ -71,11 +71,6 @@ def run_cmd_options(parser):
        action="store_true",
        help="install/upgrade the server, but disable postfix & dovecot for now",
    )
-    parser.add_argument(
-        "--website-only",
-        action="store_true",
-        help="only update/deploy the website, skipping full server upgrade/deployment, useful when you only changed/updated the web pages and don't need to re-run a full server upgrade",
-    )
    parser.add_argument(
        "--skip-dns-check",
        dest="dns_check_disabled",
@@ -88,7 +83,7 @@ def run_cmd_options(parser):
 def run_cmd(args, out):
    """Deploy chatmail services on the remote server."""

-    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host)
    require_iroh = args.config.enable_iroh_relay
    if not args.dns_check_disabled:
@@ -98,17 +93,13 @@ def run_cmd(args, out):

    env = os.environ.copy()
    env["CHATMAIL_INI"] = args.inipath
-    env["CHATMAIL_WEBSITE_ONLY"] = "True" if args.website_only else ""
    env["CHATMAIL_DISABLE_MAIL"] = "True" if args.disable_mail else ""
    env["CHATMAIL_REQUIRE_IROH"] = "True" if require_iroh else ""
-    if not args.dns_check_disabled:
-        env["CHATMAIL_ADDR_V4"] = remote_data.get("A") or ""
-        env["CHATMAIL_ADDR_V6"] = remote_data.get("AAAA") or ""
-    deploy_path = importlib.resources.files(__package__).joinpath("run.py").resolve()
+    deploy_path = importlib.resources.files(__package__).joinpath("deploy.py").resolve()
    pyinf = "pyinfra --dry" if args.dry_run else "pyinfra"

    cmd = f"{pyinf} --ssh-user root {ssh_host} {deploy_path} -y"
-    if ssh_host in ["localhost", "@local", "@docker"]:
+    if ssh_host in ["localhost", "@docker"]:
        cmd = f"{pyinf} @local {deploy_path} -y"

    if version.parse(pyinfra.__version__) < version.parse("3"):
@@ -117,14 +108,18 @@ def run_cmd(args, out):

    try:
        retcode = out.check_call(cmd, env=env)
-        if args.website_only:
-            if retcode == 0:
-                out.green("Website deployment completed.")
-            else:
-                out.red("Website deployment failed.")
-        elif retcode == 0:
+        if retcode == 0:
+            if not args.disable_mail:
+                print("\nYou can try out the relay by talking to this echo bot: ")
+                sshexec = SSHExec(args.config.mail_domain, verbose=args.verbose)
+                print(
+                    sshexec(
+                        call=remote.rshell.shell,
+                        kwargs=dict(command="cat /var/lib/echobot/invite-link.txt"),
+                    )
+                )
            out.green("Deploy completed, call `cmdeploy dns` next.")
-        elif not args.dns_check_disabled and not remote_data["acme_account_url"]:
+        elif not remote_data["acme_account_url"]:
            out.red("Deploy completed but letsencrypt not configured")
            out.red("Run 'cmdeploy run' again")
            retcode = 0
@@ -149,7 +144,7 @@ def dns_cmd_options(parser):

 def dns_cmd(args, out):
    """Check DNS entries and optionally generate dns zone file."""
-    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)
    remote_data = dns.get_initial_remote_data(sshexec, args.config.mail_domain)
    if not remote_data:
@@ -183,7 +178,7 @@ def status_cmd_options(parser):
 def status_cmd(args, out):
    """Display status for online chatmail instance."""

-    ssh_host = args.ssh_host if args.ssh_host else args.config.ssh_host
+    ssh_host = args.ssh_host if args.ssh_host else args.config.mail_domain
    sshexec = get_sshexec(ssh_host, verbose=args.verbose)

    out.green(f"chatmail domain: {args.config.mail_domain}")
@@ -203,7 +198,6 @@ def test_cmd_options(parser):
        action="store_true",
        help="also run slow tests",
    )
-    add_ssh_host_option(parser)


 def test_cmd(args, out):
@@ -215,9 +209,6 @@ def test_cmd(args, out):
    x = importlib.util.find_spec("deltachat")
    if x is None:
        out.check_call(f"{sys.executable} -m pip install deltachat")
-    env = os.environ.copy()
-    if args.ssh_host:
-        env["CHATMAIL_SSH"] = args.ssh_host

    pytest_path = shutil.which("pytest")
    pytest_args = [
@@ -231,7 +222,7 @@ def test_cmd(args, out):
    ]
    if args.slow:
        pytest_args.append("--slow")
-    ret = out.run_ret(pytest_args, env=env)
+    ret = out.run_ret(pytest_args)
    return ret


@@ -247,12 +238,7 @@ def fmt_cmd_options(parser):
 def fmt_cmd(args, out):
    """Run formattting fixes on all chatmail source code."""

-    chatmaild_dir = importlib.resources.files("chatmaild").resolve()
-    cmdeploy_dir = chatmaild_dir.joinpath(
-        "..", "..", "..", "cmdeploy", "src", "cmdeploy"
-    ).resolve()
-    sources = [str(chatmaild_dir), str(cmdeploy_dir)]
-
+    sources = [str(importlib.resources.files(x)) for x in ("chatmaild", "cmdeploy")]
    format_args = [shutil.which("ruff"), "format"]
    check_args = [shutil.which("ruff"), "check"]

@@ -323,7 +309,7 @@ def add_ssh_host_option(parser):
        "--ssh-host",
        dest="ssh_host",
        help="Run commands on 'localhost', via '@docker', or on a specific SSH host "
-        "instead of chatmail.ini's mail_domain.",
+             "instead of chatmail.ini's mail_domain.",
    )


--- a/cmdeploy/src/cmdeploy/deploy.py
+++ b/cmdeploy/src/cmdeploy/deploy.py
@@ -3,9 +3,7 @@ import os

 import pyinfra

-# pyinfra runs this module as a python file and not as a module so
-# import paths must be absolute
-from cmdeploy.deployers import deploy_chatmail
+from cmdeploy import deploy_chatmail


 def main():
@@ -14,9 +12,8 @@ def main():
        importlib.resources.files("cmdeploy").joinpath("../../../chatmail.ini"),
    )
    disable_mail = bool(os.environ.get("CHATMAIL_DISABLE_MAIL"))
-    website_only = bool(os.environ.get("CHATMAIL_WEBSITE_ONLY"))

-    deploy_chatmail(config_path, disable_mail, website_only)
+    deploy_chatmail(config_path, disable_mail)


 if pyinfra.is_cli:
--- a/cmdeploy/src/cmdeploy/deployer.py
+++ b/cmdeploy/src/cmdeploy/deployer.py
@@ -0,0 +1,57 @@
+import os
+
+from pyinfra.operations import server
+
+
+class Deployment:
+    def install(self, deployer):
+        # optional 'required_users' contains a list of (user, group, secondary-group-list) tuples.
+        # If the group is None, no group is created corresponding to that user.
+        # If the secondary group list is not None, all listed groups are created as well.
+        required_users = getattr(deployer, "required_users", [])
+        for user, group, groups in required_users:
+            if group is not None:
+                server.group(
+                    name="Create {} group".format(group), group=group, system=True
+                )
+            if groups is not None:
+                for group2 in groups:
+                    server.group(
+                        name="Create {} group".format(group2), group=group2, system=True
+                    )
+            server.user(
+                name="Create {} user".format(user),
+                user=user,
+                group=group,
+                groups=groups,
+                system=True,
+            )
+
+        deployer.install()
+
+    def configure(self, deployer):
+        deployer.configure()
+
+    def activate(self, deployer):
+        deployer.activate()
+
+    def perform_stages(self, deployers):
+        default_stages = "install,configure,activate"
+        stages = os.getenv("CMDEPLOY_STAGES", default_stages).split(",")
+
+        for stage in stages:
+            for deployer in deployers:
+                getattr(self, stage)(deployer)
+
+
+class Deployer:
+    need_restart = False
+
+    def install(self):
+        pass
+
+    def configure(self):
+        pass
+
+    def activate(self):
+        pass
--- a/cmdeploy/src/cmdeploy/deployers.py
+++ b/cmdeploy/src/cmdeploy/deployers.py
@@ -1,624 +0,0 @@
-"""
-Chat Mail pyinfra deploy.
-"""
-
-import shutil
-import subprocess
-import sys
-from io import StringIO
-from pathlib import Path
-
-from chatmaild.config import read_config
-from pyinfra import facts, host, logger
-from pyinfra.facts import hardware
-from pyinfra.api import FactBase
-from pyinfra.facts.files import Sha256File
-from pyinfra.facts.systemd import SystemdEnabled
-from pyinfra.operations import apt, files, pip, server, systemd
-
-from cmdeploy.cmdeploy import Out
-
-from .acmetool import AcmetoolDeployer
-from .basedeploy import (
-    Deployer,
-    Deployment,
-    activate_remote_units,
-    configure_remote_units,
-    get_resource,
-)
-from .dovecot.deployer import DovecotDeployer
-from .filtermail.deployer import FiltermailDeployer
-from .mtail.deployer import MtailDeployer
-from .nginx.deployer import NginxDeployer
-from .opendkim.deployer import OpendkimDeployer
-from .postfix.deployer import PostfixDeployer
-from .www import build_webpages, find_merge_conflict, get_paths
-
-
-class Port(FactBase):
-    """
-    Returns the process occupying a port.
-    """
-
-    def command(self, port: int) -> str:
-        return (
-            "ss -lptn 'src :%d' | awk 'NR>1 {print $6,$7}' | sed 's/users:((\"//;s/\".*//'"
-            % (port,)
-        )
-
-    def process(self, output: [str]) -> str:
-        return output[0]
-
-
-def _build_chatmaild(dist_dir) -> None:
-    dist_dir = Path(dist_dir).resolve()
-    if dist_dir.exists():
-        shutil.rmtree(dist_dir)
-    dist_dir.mkdir()
-    subprocess.check_output(
-        [sys.executable, "-m", "build", "-n"]
-        + ["--sdist", "chatmaild", "--outdir", str(dist_dir)]
-    )
-    entries = list(dist_dir.iterdir())
-    assert len(entries) == 1
-    return entries[0]
-
-
-def remove_legacy_artifacts():
-    # disable legacy doveauth-dictproxy.service
-    if host.get_fact(SystemdEnabled).get("doveauth-dictproxy.service"):
-        systemd.service(
-            name="Disable legacy doveauth-dictproxy.service",
-            service="doveauth-dictproxy.service",
-            running=False,
-            enabled=False,
-        )
-
-
-def _install_remote_venv_with_chatmaild() -> None:
-    remove_legacy_artifacts()
-    dist_file = _build_chatmaild(dist_dir=Path("chatmaild/dist"))
-    remote_base_dir = "/usr/local/lib/chatmaild"
-    remote_dist_file = f"{remote_base_dir}/dist/{dist_file.name}"
-    remote_venv_dir = f"{remote_base_dir}/venv"
-    root_owned = dict(user="root", group="root", mode="644")
-
-    apt.packages(
-        name="apt install python3-virtualenv",
-        packages=["python3-virtualenv"],
-    )
-
-    files.put(
-        name="Upload chatmaild source package",
-        src=dist_file.open("rb"),
-        dest=remote_dist_file,
-        create_remote_dir=True,
-        **root_owned,
-    )
-
-    pip.virtualenv(
-        name=f"chatmaild virtualenv {remote_venv_dir}",
-        path=remote_venv_dir,
-        always_copy=True,
-    )
-
-    apt.packages(
-        name="install gcc and headers to build crypt_r source package",
-        packages=["gcc", "python3-dev"],
-    )
-
-    server.shell(
-        name=f"forced pip-install {dist_file.name}",
-        commands=[
-            f"{remote_venv_dir}/bin/pip install --force-reinstall {remote_dist_file}"
-        ],
-    )
-
-
-def _configure_remote_venv_with_chatmaild(config) -> None:
-    remote_base_dir = "/usr/local/lib/chatmaild"
-    remote_venv_dir = f"{remote_base_dir}/venv"
-    remote_chatmail_inipath = f"{remote_base_dir}/chatmail.ini"
-    root_owned = dict(user="root", group="root", mode="644")
-
-    files.put(
-        name=f"Upload {remote_chatmail_inipath}",
-        src=config._getbytefile(),
-        dest=remote_chatmail_inipath,
-        **root_owned,
-    )
-
-    files.template(
-        src=get_resource("metrics.cron.j2"),
-        dest="/etc/cron.d/chatmail-metrics",
-        user="root",
-        group="root",
-        mode="644",
-        config={
-            "mailboxes_dir": config.mailboxes_dir,
-            "execpath": f"{remote_venv_dir}/bin/chatmail-metrics",
-        },
-    )
-
-
-class UnboundDeployer(Deployer):
-    def __init__(self, config):
-        self.config = config
-        self.need_restart = False
-
-    def install(self):
-        # Run local DNS resolver `unbound`.
-        # `resolvconf` takes care of setting up /etc/resolv.conf
-        # to use 127.0.0.1 as the resolver.
-
-        #
-        # On an IPv4-only system, if unbound is started but not
-        # configured, it causes subsequent steps to fail to resolve hosts.
-        # Here, we use policy-rc.d to prevent unbound from starting up
-        # on initial install.  Later, we will configure it and start it.
-        #
-        # For documentation about policy-rc.d, see:
-        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
-        #
-        files.put(
-            src=get_resource("policy-rc.d"),
-            dest="/usr/sbin/policy-rc.d",
-            user="root",
-            group="root",
-            mode="755",
-        )
-
-        apt.packages(
-            name="Install unbound",
-            packages=["unbound", "unbound-anchor", "dnsutils"],
-        )
-
-        files.file("/usr/sbin/policy-rc.d", present=False)
-
-    def configure(self):
-        server.shell(
-            name="Generate root keys for validating DNSSEC",
-            commands=[
-                "unbound-anchor -a /var/lib/unbound/root.key || true",
-            ],
-        )
-        if self.config.disable_ipv6:
-            files.directory(
-                path="/etc/unbound/unbound.conf.d",
-                present=True,
-                user="root",
-                group="root",
-                mode="755",
-            )
-            conf = files.put(
-                src=get_resource("unbound/unbound.conf.j2"),
-                dest="/etc/unbound/unbound.conf.d/chatmail.conf",
-                user="root",
-                group="root",
-                mode="644",
-            )
-        else:
-            conf = files.file(
-                path="/etc/unbound/unbound.conf.d/chatmail.conf",
-                present=False,
-            )
-        self.need_restart |= conf.changed
-
-    def activate(self):
-        server.shell(
-            name="Generate root keys for validating DNSSEC",
-            commands=[
-                "systemctl reset-failed unbound.service",
-            ],
-        )
-
-        systemd.service(
-            name="Start and enable unbound",
-            service="unbound.service",
-            running=True,
-            enabled=True,
-            restarted=self.need_restart,
-        )
-
-
-class MtastsDeployer(Deployer):
-    def configure(self):
-        # Remove configuration.
-        files.file("/etc/mta-sts-daemon.yml", present=False)
-        files.directory("/usr/local/lib/postfix-mta-sts-resolver", present=False)
-        files.file("/etc/systemd/system/mta-sts-daemon.service", present=False)
-
-    def activate(self):
-        systemd.service(
-            name="Stop MTA-STS daemon",
-            service="mta-sts-daemon.service",
-            daemon_reload=True,
-            running=False,
-            enabled=False,
-        )
-
-
-class WebsiteDeployer(Deployer):
-    def __init__(self, config):
-        self.config = config
-
-    def install(self):
-        files.directory(
-            name="Ensure /var/www exists",
-            path="/var/www",
-            user="root",
-            group="root",
-            mode="755",
-            present=True,
-        )
-
-    def configure(self):
-        www_path, src_dir, build_dir = get_paths(self.config)
-        # if www_folder was set to a non-existing folder, skip upload
-        if not www_path.is_dir():
-            logger.warning("Building web pages is disabled in chatmail.ini, skipping")
-        elif (path := find_merge_conflict(src_dir)) is not None:
-            logger.warning(
-                f"Merge conflict found in {path}, skipping website deployment. Fix merge conflict if you want to upload your web page."
-            )
-        else:
-            # if www_folder is a hugo page, build it
-            if build_dir:
-                www_path = build_webpages(src_dir, build_dir, self.config)
-            # if it is not a hugo page, upload it as is
-            files.rsync(
-                f"{www_path}/", "/var/www/html", flags=["-avz", "--chown=www-data"]
-            )
-
-
-class LegacyRemoveDeployer(Deployer):
-    def install(self):
-        apt.packages(name="Remove rspamd", packages="rspamd", present=False)
-
-        # remove historic expunge script
-        # which is now implemented through a systemd timer (chatmail-expire)
-        files.file(
-            path="/etc/cron.d/expunge",
-            present=False,
-        )
-
-        # Remove OBS repository key that is no longer used.
-        files.file("/etc/apt/keyrings/obs-home-deltachat.gpg", present=False)
-        files.line(
-            name="Remove DeltaChat OBS home repository from sources.list",
-            path="/etc/apt/sources.list",
-            line="deb [signed-by=/etc/apt/keyrings/obs-home-deltachat.gpg] https://download.opensuse.org/repositories/home:/deltachat/Debian_12/ ./",
-            escape_regex_characters=True,
-            present=False,
-        )
-
-        # prior relay versions used filelogging
-        files.directory(
-            name="Ensure old logs on disk are deleted",
-            path="/var/log/journal/",
-            present=False,
-        )
-        # remove echobot if it is still running
-        if host.get_fact(SystemdEnabled).get("echobot.service"):
-            systemd.service(
-                name="Disable echobot.service",
-                service="echobot.service",
-                running=False,
-                enabled=False,
-            )
-
-
-def check_config(config):
-    mail_domain = config.mail_domain
-    if mail_domain != "testrun.org" and not mail_domain.endswith(".testrun.org"):
-        blocked_words = "merlinux schmieder testrun.org".split()
-        for key in config.__dict__:
-            value = config.__dict__[key]
-            if key.startswith("privacy") and any(
-                x in str(value) for x in blocked_words
-            ):
-                raise ValueError(
-                    f"please set your own privacy contacts/addresses in {config._inipath}"
-                )
-    return config
-
-
-class TurnDeployer(Deployer):
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-        self.units = ["turnserver"]
-
-    def install(self):
-        (url, sha256sum) = {
-            "x86_64": (
-                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-x86_64-linux",
-                "841e527c15fdc2940b0469e206188ea8f0af48533be12ecb8098520f813d41e4",
-            ),
-            "aarch64": (
-                "https://github.com/chatmail/chatmail-turn/releases/download/v0.3/chatmail-turn-aarch64-linux",
-                "a5fc2d06d937b56a34e098d2cd72a82d3e89967518d159bf246dc69b65e81b42",
-            ),
-        }[host.get_fact(facts.server.Arch)]
-
-        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/chatmail-turn")
-        if existing_sha256sum != sha256sum:
-            server.shell(
-                name="Download chatmail-turn",
-                commands=[
-                    f"(curl -L {url} >/usr/local/bin/chatmail-turn.new && (echo '{sha256sum} /usr/local/bin/chatmail-turn.new' | sha256sum -c) && mv /usr/local/bin/chatmail-turn.new /usr/local/bin/chatmail-turn)",
-                    "chmod 755 /usr/local/bin/chatmail-turn",
-                ],
-            )
-
-    def configure(self):
-        configure_remote_units(self.mail_domain, self.units)
-
-    def activate(self):
-        activate_remote_units(self.units)
-
-
-class IrohDeployer(Deployer):
-    def __init__(self, enable_iroh_relay):
-        self.enable_iroh_relay = enable_iroh_relay
-
-    def install(self):
-        (url, sha256sum) = {
-            "x86_64": (
-                "https://github.com/n0-computer/iroh/releases/download/v0.35.0/iroh-relay-v0.35.0-x86_64-unknown-linux-musl.tar.gz",
-                "45c81199dbd70f8c4c30fef7f3b9727ca6e3cea8f2831333eeaf8aa71bf0fac1",
-            ),
-            "aarch64": (
-                "https://github.com/n0-computer/iroh/releases/download/v0.35.0/iroh-relay-v0.35.0-aarch64-unknown-linux-musl.tar.gz",
-                "f8ef27631fac213b3ef668d02acd5b3e215292746a3fc71d90c63115446008b1",
-            ),
-        }[host.get_fact(facts.server.Arch)]
-
-        existing_sha256sum = host.get_fact(Sha256File, "/usr/local/bin/iroh-relay")
-        if existing_sha256sum != sha256sum:
-            server.shell(
-                name="Download iroh-relay",
-                commands=[
-                    f"(curl -L {url} | gunzip | tar -x -f - ./iroh-relay -O >/usr/local/bin/iroh-relay.new && (echo '{sha256sum} /usr/local/bin/iroh-relay.new' | sha256sum -c) && mv /usr/local/bin/iroh-relay.new /usr/local/bin/iroh-relay)",
-                    "chmod 755 /usr/local/bin/iroh-relay",
-                ],
-            )
-
-            self.need_restart = True
-
-    def configure(self):
-        systemd_unit = files.put(
-            name="Upload iroh-relay systemd unit",
-            src=get_resource("iroh-relay.service"),
-            dest="/etc/systemd/system/iroh-relay.service",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart |= systemd_unit.changed
-
-        iroh_config = files.put(
-            name="Upload iroh-relay config",
-            src=get_resource("iroh-relay.toml"),
-            dest="/etc/iroh-relay.toml",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart |= iroh_config.changed
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable iroh-relay",
-            service="iroh-relay.service",
-            running=True,
-            enabled=self.enable_iroh_relay,
-            restarted=self.need_restart,
-        )
-        self.need_restart = False
-
-
-class JournaldDeployer(Deployer):
-    def configure(self):
-        journald_conf = files.put(
-            name="Configure journald",
-            src=get_resource("journald.conf"),
-            dest="/etc/systemd/journald.conf",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart = journald_conf.changed
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable journald",
-            service="systemd-journald.service",
-            running=True,
-            enabled=True,
-            restarted=self.need_restart,
-        )
-        self.need_restart = False
-
-
-class ChatmailVenvDeployer(Deployer):
-    def __init__(self, config):
-        self.config = config
-        self.units = (
-            "chatmail-metadata",
-            "lastlogin",
-            "chatmail-expire",
-            "chatmail-expire.timer",
-            "chatmail-fsreport",
-            "chatmail-fsreport.timer",
-        )
-
-    def install(self):
-        _install_remote_venv_with_chatmaild()
-
-    def configure(self):
-        _configure_remote_venv_with_chatmaild(self.config)
-        configure_remote_units(self.config.mail_domain, self.units)
-
-    def activate(self):
-        activate_remote_units(self.units)
-
-
-class ChatmailDeployer(Deployer):
-    required_users = [
-        ("vmail", "vmail", None),
-        ("iroh", None, None),
-    ]
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-
-    def install(self):
-        apt.update(name="apt update", cache_time=24 * 3600)
-        apt.upgrade(name="upgrade apt packages", auto_remove=True)
-
-        apt.packages(
-            name="Install curl",
-            packages=["curl"],
-        )
-
-        apt.packages(
-            name="Install rsync",
-            packages=["rsync"],
-        )
-        apt.packages(
-            name="Ensure cron is installed",
-            packages=["cron"],
-        )
-
-    def configure(self):
-        # This file is used by auth proxy.
-        # https://wiki.debian.org/EtcMailName
-        server.shell(
-            name="Setup /etc/mailname",
-            commands=[
-                f"echo {self.mail_domain} >/etc/mailname; chmod 644 /etc/mailname"
-            ],
-        )
-
-
-class FcgiwrapDeployer(Deployer):
-    def install(self):
-        apt.packages(
-            name="Install fcgiwrap",
-            packages=["fcgiwrap"],
-        )
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable fcgiwrap",
-            service="fcgiwrap.service",
-            running=True,
-            enabled=True,
-        )
-
-
-class GithashDeployer(Deployer):
-    def activate(self):
-        try:
-            git_hash = subprocess.check_output(["git", "rev-parse", "HEAD"]).decode()
-        except Exception:
-            git_hash = "unknown\n"
-        try:
-            git_diff = subprocess.check_output(["git", "diff"]).decode()
-        except Exception:
-            git_diff = ""
-        files.put(
-            name="Upload chatmail relay git commit hash",
-            src=StringIO(git_hash + git_diff),
-            dest="/etc/chatmail-version",
-            mode="700",
-        )
-
-
-def deploy_chatmail(config_path: Path, disable_mail: bool, website_only: bool) -> None:
-    """Deploy a chat-mail instance.
-
-    :param config_path: path to chatmail.ini
-    :param disable_mail: whether to disable postfix & dovecot
-    :param website_only: if True, only deploy the website
-    """
-    config = read_config(config_path)
-    check_config(config)
-    mail_domain = config.mail_domain
-
-    if website_only:
-        Deployment().perform_stages([WebsiteDeployer(config)])
-        return
-
-    if host.get_fact(Port, port=53) != "unbound":
-        files.line(
-            name="Add 9.9.9.9 to resolv.conf",
-            path="/etc/resolv.conf",
-            # Guard against resolv.conf missing a trailing newline (SolusVM bug).
-            line="\nnameserver 9.9.9.9",
-        )
-
-    # Check if mtail_address interface is available (if configured)
-    if config.mtail_address and config.mtail_address not in ('127.0.0.1', '::1', 'localhost'):
-        ipv4_addrs = host.get_fact(hardware.Ipv4Addrs)
-        all_addresses = [addr for addrs in ipv4_addrs.values() for addr in addrs]
-        if config.mtail_address not in all_addresses:
-            Out().red(f"Deploy failed: mtail_address {config.mtail_address} is not available (VPN up?).\n")
-            exit(1)
-
-    port_services = [
-        (["master", "smtpd"], 25),
-        ("unbound", 53),
-        ("acmetool", 80),
-        (["imap-login", "dovecot"], 143),
-        ("nginx", 443),
-        (["master", "smtpd"], 465),
-        (["master", "smtpd"], 587),
-        (["imap-login", "dovecot"], 993),
-        ("iroh-relay", 3340),
-        ("mtail", 3903),
-        ("stats", 3904),
-        ("nginx", 8443),
-        (["master", "smtpd"], config.postfix_reinject_port),
-        (["master", "smtpd"], config.postfix_reinject_port_incoming),
-        ("filtermail", config.filtermail_smtp_port),
-        ("filtermail", config.filtermail_smtp_port_incoming),
-    ]
-    for service, port in port_services:
-        print(f"Checking if port {port} is available for {service}...")
-        running_service = host.get_fact(Port, port=port)
-        services = [service] if isinstance(service, str) else service
-        if running_service:
-            if running_service not in services:
-                Out().red(
-                    f"Deploy failed: port {port} is occupied by: {running_service}"
-                )
-                exit(1)
-
-    tls_domains = [mail_domain, f"mta-sts.{mail_domain}", f"www.{mail_domain}"]
-
-    all_deployers = [
-        ChatmailDeployer(mail_domain),
-        LegacyRemoveDeployer(),
-        FiltermailDeployer(),
-        JournaldDeployer(),
-        UnboundDeployer(config),
-        TurnDeployer(mail_domain),
-        IrohDeployer(config.enable_iroh_relay),
-        AcmetoolDeployer(config.acme_email, tls_domains),
-        WebsiteDeployer(config),
-        ChatmailVenvDeployer(config),
-        MtastsDeployer(),
-        OpendkimDeployer(mail_domain),
-        # Dovecot should be started before Postfix
-        # because it creates authentication socket
-        # required by Postfix.
-        DovecotDeployer(config, disable_mail),
-        PostfixDeployer(config, disable_mail),
-        FcgiwrapDeployer(),
-        NginxDeployer(config),
-        MtailDeployer(config.mtail_address),
-        GithashDeployer(),
-    ]
-
-    Deployment().perform_stages(all_deployers)
--- a/cmdeploy/src/cmdeploy/dns.py
+++ b/cmdeploy/src/cmdeploy/dns.py
@@ -45,8 +45,7 @@ def check_full_zone(sshexec, remote_data, out, zonefile) -> int:
    and return (exitcode, remote_data) tuple."""

    required_diff, recommended_diff = sshexec.logged(
-        remote.rdns.check_zonefile,
-        kwargs=dict(zonefile=zonefile, verbose=False),
+        remote.rdns.check_zonefile, kwargs=dict(zonefile=zonefile, verbose=False),
    )

    returncode = 0
--- a/cmdeploy/src/cmdeploy/dovecot/auth.conf
+++ b/cmdeploy/src/cmdeploy/dovecot/auth.conf
@@ -4,7 +4,7 @@ iterate_prefix = userdb/

 default_pass_scheme = plain
 # %E escapes characters " (double quote), ' (single quote) and \ (backslash) with \ (backslash).
-# See <https://doc.dovecot.org/2.3/configuration_manual/config_file/config_variables/#modifiers>
+# See <https://doc.dovecot.org/configuration_manual/config_file/config_variables/#modifiers>
 # for documentation.
 #
 # We escape user-provided input and use double quote as a separator.
--- a/cmdeploy/src/cmdeploy/dovecot/deployer.py
+++ b/cmdeploy/src/cmdeploy/dovecot/deployer.py
@@ -1,153 +0,0 @@
-from chatmaild.config import Config
-from pyinfra import host
-from pyinfra.facts.server import Arch, Sysctl
-from pyinfra.facts.systemd import SystemdEnabled
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import (
-    Deployer,
-    activate_remote_units,
-    configure_remote_units,
-    get_resource,
-)
-
-
-class DovecotDeployer(Deployer):
-    daemon_reload = False
-
-    def __init__(self, config, disable_mail):
-        self.config = config
-        self.disable_mail = disable_mail
-        self.units = ["doveauth"]
-
-    def install(self):
-        arch = host.get_fact(Arch)
-        if not "dovecot.service" in host.get_fact(SystemdEnabled):
-            _install_dovecot_package("core", arch)
-            _install_dovecot_package("imapd", arch)
-            _install_dovecot_package("lmtpd", arch)
-
-    def configure(self):
-        configure_remote_units(self.config.mail_domain, self.units)
-        self.need_restart, self.daemon_reload = _configure_dovecot(self.config)
-
-    def activate(self):
-        activate_remote_units(self.units)
-
-        restart = False if self.disable_mail else self.need_restart
-
-        systemd.service(
-            name="Disable dovecot for now" if self.disable_mail else "Start and enable Dovecot",
-            service="dovecot.service",
-            running=False if self.disable_mail else True,
-            enabled=False if self.disable_mail else True,
-            restarted=restart,
-            daemon_reload=self.daemon_reload,
-        )
-        self.need_restart = False
-
-
-def _install_dovecot_package(package: str, arch: str):
-    arch = "amd64" if arch == "x86_64" else arch
-    arch = "arm64" if arch == "aarch64" else arch
-    url = f"https://download.delta.chat/dovecot/dovecot-{package}_2.3.21%2Bdfsg1-3_{arch}.deb"
-    deb_filename = "/root/" + url.split("/")[-1]
-
-    match (package, arch):
-        case ("core", "amd64"):
-            sha256 = "dd060706f52a306fa863d874717210b9fe10536c824afe1790eec247ded5b27d"
-        case ("core", "arm64"):
-            sha256 = "e7548e8a82929722e973629ecc40fcfa886894cef3db88f23535149e7f730dc9"
-        case ("imapd", "amd64"):
-            sha256 = "8d8dc6fc00bbb6cdb25d345844f41ce2f1c53f764b79a838eb2a03103eebfa86"
-        case ("imapd", "arm64"):
-            sha256 = "178fa877ddd5df9930e8308b518f4b07df10e759050725f8217a0c1fb3fd707f"
-        case ("lmtpd", "amd64"):
-            sha256 = "2f69ba5e35363de50962d42cccbfe4ed8495265044e244007d7ccddad77513ab"
-        case ("lmtpd", "arm64"):
-            sha256 = "89f52fb36524f5877a177dff4a713ba771fd3f91f22ed0af7238d495e143b38f"
-        case _:
-            apt.packages(packages=[f"dovecot-{package}"])
-            return
-
-    files.download(
-        name=f"Download dovecot-{package}",
-        src=url,
-        dest=deb_filename,
-        sha256sum=sha256,
-        cache_time=60 * 60 * 24 * 365 * 10,  # never redownload the package
-    )
-
-    apt.deb(name=f"Install dovecot-{package}", src=deb_filename)
-
-
-def _configure_dovecot(config: Config, debug: bool = False) -> (bool, bool):
-    """Configures Dovecot IMAP server."""
-    need_restart = False
-    daemon_reload = False
-
-    main_config = files.template(
-        src=get_resource("dovecot/dovecot.conf.j2"),
-        dest="/etc/dovecot/dovecot.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config=config,
-        debug=debug,
-        disable_ipv6=config.disable_ipv6,
-    )
-    need_restart |= main_config.changed
-    auth_config = files.put(
-        src=get_resource("dovecot/auth.conf"),
-        dest="/etc/dovecot/auth.conf",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= auth_config.changed
-    lua_push_notification_script = files.put(
-        src=get_resource("dovecot/push_notification.lua"),
-        dest="/etc/dovecot/push_notification.lua",
-        user="root",
-        group="root",
-        mode="644",
-    )
-    need_restart |= lua_push_notification_script.changed
-
-    # as per https://doc.dovecot.org/2.3/configuration_manual/os/
-    # it is recommended to set the following inotify limits
-    for name in ("max_user_instances", "max_user_watches"):
-        key = f"fs.inotify.{name}"
-        if host.get_fact(Sysctl)[key] > 65535:
-            # Skip updating limits if already sufficient
-            # (enables running in incus containers where sysctl readonly)
-            continue
-        server.sysctl(
-            name=f"Change {key}",
-            key=key,
-            value=65535,
-            persist=True,
-        )
-
-    timezone_env = files.line(
-        name="Set TZ environment variable",
-        path="/etc/environment",
-        line="TZ=:/etc/localtime",
-    )
-    need_restart |= timezone_env.changed
-
-    restart_conf = files.put(
-        name="dovecot: restart automatically on failure",
-        src=get_resource("service/10_restart.conf"),
-        dest="/etc/systemd/system/dovecot.service.d/10_restart.conf",
-    )
-    daemon_reload |= restart_conf.changed
-
-    # Validate dovecot configuration before restart
-    if need_restart:
-        server.shell(
-            name="Validate dovecot configuration",
-            commands=["doveconf -n >/dev/null"],
-        )
-
-    return need_restart, daemon_reload
--- a/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
+++ b/cmdeploy/src/cmdeploy/dovecot/dovecot.conf.j2
@@ -1,7 +1,7 @@
 ## Dovecot configuration file

 {% if disable_ipv6 %}
-listen = 0.0.0.0
+listen = *
 {% endif %}

 protocols = imap lmtp
@@ -26,7 +26,7 @@ default_client_limit = 20000
 # Increase number of logged in IMAP connections.
 # Each connection is handled by a separate `imap` process.
 # `imap` process should have `client_limit=1` as described in
-# <https://doc.dovecot.org/2.3/configuration_manual/service_configuration/#service-limits>
+# <https://doc.dovecot.org/configuration_manual/service_configuration/#service-limits>
 # so each logged in IMAP session will need its own `imap` process.
 #
 # If this limit is reached,
@@ -44,11 +44,11 @@ mail_server_comment = Chatmail server

 # `zlib` enables compressing messages stored in the maildir.
 # See
-# <https://doc.dovecot.org/2.3/configuration_manual/zlib_plugin/>
+# <https://doc.dovecot.org/configuration_manual/zlib_plugin/>
 # for documentation.
 #
 # quota plugin documentation:
-# <https://doc.dovecot.org/2.3/configuration_manual/quota_plugin/>
+# <https://doc.dovecot.org/configuration_manual/quota_plugin/>
 mail_plugins = zlib quota

 imap_capability = +XDELTAPUSH XCHATMAIL
@@ -113,7 +113,7 @@ mail_attribute_dict = proxy:/run/chatmail-metadata/metadata.socket:metadata
 # `imap_zlib` enables IMAP COMPRESS (RFC 4978).
 # <https://datatracker.ietf.org/doc/html/rfc4978.html>
 protocol imap {
-  mail_plugins = $mail_plugins imap_quota last_login {% if config.imap_compress %}imap_zlib{% endif %}
+  mail_plugins = $mail_plugins imap_zlib imap_quota last_login
  imap_metadata = yes
 }

@@ -125,13 +125,13 @@ plugin {

 protocol lmtp {
  # notify plugin is a dependency of push_notification plugin:
-  # <https://doc.dovecot.org/2.3/settings/plugin/notify-plugin/>
+  # <https://doc.dovecot.org/settings/plugin/notify-plugin/>
  #
  # push_notification plugin documentation:
-  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/>
+  # <https://doc.dovecot.org/configuration_manual/push_notification/>
  #
  # mail_lua and push_notification_lua are needed for Lua push notification handler.
-  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/#configuration>
+  # <https://doc.dovecot.org/configuration_manual/push_notification/#configuration>
  mail_plugins = $mail_plugins mail_lua notify push_notification push_notification_lua
 }

@@ -154,7 +154,7 @@ plugin {

 # push_notification configuration
 plugin {
-  # <https://doc.dovecot.org/2.3/configuration_manual/push_notification/#lua-lua>
+  # <https://doc.dovecot.org/configuration_manual/push_notification/#lua-lua>
  push_notification_driver = lua:file=/etc/dovecot/push_notification.lua
 }

@@ -168,8 +168,6 @@ service lmtp {
  }
 }

-lmtp_add_received_header = no
-
 service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
@@ -254,181 +252,3 @@ protocol imap {
  rawlog_dir = %h 
 } 
 {% endif %}
-
-{% if not config.imap_compress %}
-# Hibernate IDLE users to save memory and CPU resources
-# NOTE: this will have no effect if imap_zlib plugin is used
-imap_hibernate_timeout = 30s
-service imap {
-  # Note that this change will allow any process running as
-  # $default_internal_user (dovecot) to access mails as any other user.
-  # This may be insecure in some installations, which is why this isn't
-  # done by default.
-  unix_listener imap-master {
-    user = $default_internal_user
-  }
-}
-# The following is the default already in v2.3.1+:
-service imap {
-  extra_groups = $default_internal_group
-}
-service imap-hibernate {
-  unix_listener imap-hibernate {
-    mode = 0660
-    group = $default_internal_group
-  }
-}
-{% endif %}
-
-{% if config.mtail_address %}
-#
-# Dovecot Statistics
-#
-# OpenMetrics endpoint at http://{{- config.mtail_address}}:3904/metrics
-service stats {
-  inet_listener http {
-    port = 3904
-    address = {{- config.mtail_address}}
-  }
-}
-
-# IMAP Command Metrics
-# - Bytes in/out for compression efficiency analysis
-# - Lock wait time for contention debugging
-# - Grouped by command name and reply state
-metric imap_command {
-  filter = event=imap_command_finished
-  fields = bytes_in bytes_out lock_wait_usecs running_usecs
-  group_by = cmd_name tagged_reply_state
-}
-
-# Duration buckets for latency histograms (base 10: 10us, 100us, 1ms, 10ms, 100ms, 1s, 10s, 100s)
-metric imap_command_duration {
-  filter = event=imap_command_finished
-  group_by = cmd_name duration:exponential:1:8:10
-}
-
-# Slow command outliers (>1 second = 1000000 usecs)
-# Useful for alerting without high cardinality
-metric imap_command_slow {
-  filter = event=imap_command_finished AND duration>1000000 AND NOT cmd_name=IDLE
-  group_by = cmd_name
-}
-
-# IDLE-specific Metrics
-
-metric imap_idle {
-  filter = event=imap_command_finished AND cmd_name=IDLE
-  fields = bytes_in bytes_out running_usecs
-  group_by = tagged_reply_state
-}
-
-metric imap_idle_duration {
-  filter = event=imap_command_finished AND cmd_name=IDLE
-  # Base 10: 100ms to 27h (covers short wakeups to long idle sessions)
-  group_by = duration:exponential:5:11:10
-}
-
-metric imap_idle_commands {
-  filter = event=imap_command_finished AND cmd_name=IDLE
-  group_by = tagged_reply_state
-}
-
-metric imap_idle_failed {
-  filter = event=imap_command_finished AND cmd_name=IDLE AND NOT tagged_reply_state=OK
-}
-
-# Hibernation Metrics (requires imap_hibernate_timeout)
-
-metric imap_hibernated {
-  filter = event=imap_client_hibernated
-}
-
-metric imap_hibernated_failed {
-  filter = event=imap_client_hibernated AND error=*
-}
-
-metric imap_unhibernated {
-  filter = event=imap_client_unhibernated
-  fields = hibernation_usecs
-}
-
-metric imap_unhibernated_reason {
-  filter = event=imap_client_unhibernated
-  group_by = reason
-  fields = hibernation_usecs
-}
-
-metric imap_unhibernated_reason_sleep {
-  filter = event=imap_client_unhibernated
-  group_by = reason hibernation_usecs:exponential:4:8:10
-}
-
-metric imap_unhibernated_failed {
-  filter = event=imap_client_unhibernated AND error=*
-}
-
-# Hibernation duration buckets (how long clients stayed hibernated)
-# Base 10: 100ms to 27h
-metric imap_hibernation_duration {
-  filter = event=imap_client_unhibernated
-  group_by = reason duration:exponential:5:11:10
-}
-
-# Authentication / Login Metrics
-
-metric auth_request {
-  filter = event=auth_request_finished
-  group_by = success
-}
-
-metric auth_request_duration {
-  filter = event=auth_request_finished
-  group_by = success duration:exponential:2:6:10
-}
-
-metric auth_failed {
-  filter = event=auth_request_finished AND success=no
-}
-
-# Passdb cache effectiveness
-metric auth_passdb {
-  filter = event=auth_passdb_request_finished
-  group_by = result cache
-}
-
-# Master login (post-auth userdb lookup)
-metric auth_master_login {
-  filter = event=auth_master_client_login_finished
-}
-
-metric auth_master_login_failed {
-  filter = event=auth_master_client_login_finished AND error=*
-}
-
-# Mail Delivery (LMTP) - affects IDLE wakeup latency
-
-metric mail_delivery {
-  filter = event=mail_delivery_finished
-}
-
-metric mail_delivery_duration {
-  filter = event=mail_delivery_finished
-  group_by = duration:exponential:3:7:10
-}
-
-metric mail_delivery_failed {
-  filter = event=mail_delivery_finished AND error=*
-}
-
-# Connection Events
-
-metric client_connected {
-  filter = event=client_connection_connected AND category="service:imap"
-}
-
-metric client_disconnected {
-  filter = event=client_connection_disconnected AND category="service:imap"
-  fields = bytes_in bytes_out
-}
-{% endif %}
--- a/cmdeploy/src/cmdeploy/filtermail/deployer.py
+++ b/cmdeploy/src/cmdeploy/filtermail/deployer.py
@@ -1,52 +0,0 @@
-from pyinfra import facts, host
-from pyinfra.operations import files, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class FiltermailDeployer(Deployer):
-    services = ["filtermail", "filtermail-incoming"]
-    bin_path = "/usr/local/bin/filtermail"
-    config_path = "/usr/local/lib/chatmaild/chatmail.ini"
-
-    def __init__(self):
-        self.need_restart = False
-
-    def install(self):
-        arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.3.0/filtermail-{arch}"
-        sha256sum = {
-            "x86_64": "f14a31323ae2dad3b59d3fdafcde507521da2f951a9478cd1f2fe2b4463df71d",
-            "aarch64": "933770d75046c4fd7084ce8d43f905f8748333426ad839154f0fc654755ef09f",
-        }[arch]
-        self.need_restart |= files.download(
-            name="Download filtermail",
-            src=url,
-            sha256sum=sha256sum,
-            dest=self.bin_path,
-            mode="755",
-        ).changed
-
-    def configure(self):
-        for service in self.services:
-            self.need_restart |= files.template(
-                src=get_resource(f"filtermail/{service}.service.j2"),
-                dest=f"/etc/systemd/system/{service}.service",
-                user="root",
-                group="root",
-                mode="644",
-                bin_path=self.bin_path,
-                config_path=self.config_path,
-            ).changed
-
-    def activate(self):
-        for service in self.services:
-            systemd.service(
-                name=f"Start and enable {service}",
-                service=f"{service}.service",
-                running=True,
-                enabled=True,
-                restarted=self.need_restart,
-                daemon_reload=True,
-            )
-        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
+++ b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail
@@ -44,37 +44,21 @@ counter warning_count
 }


-counter filtered_outgoing_mail_count
+counter filtered_mail_count

-counter outgoing_encrypted_mail_count
-/Outgoing: Filtering encrypted mail\./ {
-  outgoing_encrypted_mail_count++
-  filtered_outgoing_mail_count++
+counter encrypted_mail_count
+/Filtering encrypted mail\./ {
+  encrypted_mail_count++
+  filtered_mail_count++
 }

-counter outgoing_unencrypted_mail_count
-/Outgoing: Filtering unencrypted mail\./ {
-  outgoing_unencrypted_mail_count++
-  filtered_outgoing_mail_count++
+counter unencrypted_mail_count
+/Filtering unencrypted mail\./ {
+  unencrypted_mail_count++
+  filtered_mail_count++
 }

-
-counter filtered_incoming_mail_count
-
-counter incoming_encrypted_mail_count
-/Incoming: Filtering encrypted mail\./ {
-  incoming_encrypted_mail_count++
-  filtered_incoming_mail_count++
-}
-
-counter incoming_unencrypted_mail_count
-/Incoming: Filtering unencrypted mail\./ {
-  incoming_unencrypted_mail_count++
-  filtered_incoming_mail_count++
-}
-
-
 counter rejected_unencrypted_mail_count
-/Rejected unencrypted mail/ {
+/Rejected unencrypted mail\./ {
  rejected_unencrypted_mail_count++
 }
--- a/cmdeploy/src/cmdeploy/mtail/deployer.py
+++ b/cmdeploy/src/cmdeploy/mtail/deployer.py
@@ -1,68 +0,0 @@
-from pyinfra import facts, host
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import (
-    Deployer,
-    get_resource,
-)
-
-
-class MtailDeployer(Deployer):
-    def __init__(self, mtail_address):
-        self.mtail_address = mtail_address
-
-    def install(self):
-        # Uninstall mtail package to install a static binary.
-        apt.packages(name="Uninstall mtail", packages=["mtail"], present=False)
-
-        (url, sha256sum) = {
-            "x86_64": (
-                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_amd64.tar.gz",
-                "123c2ee5f48c3eff12ebccee38befd2233d715da736000ccde49e3d5607724e4",
-            ),
-            "aarch64": (
-                "https://github.com/google/mtail/releases/download/v3.0.8/mtail_3.0.8_linux_arm64.tar.gz",
-                "aa04811c0929b6754408676de520e050c45dddeb3401881888a092c9aea89cae",
-            ),
-        }[host.get_fact(facts.server.Arch)]
-
-        server.shell(
-            name="Download mtail",
-            commands=[
-                f"(echo '{sha256sum} /usr/local/bin/mtail' | sha256sum -c) || (curl -L {url} | gunzip | tar -x -f - mtail -O >/usr/local/bin/mtail.new && mv /usr/local/bin/mtail.new /usr/local/bin/mtail)",
-                "chmod 755 /usr/local/bin/mtail",
-            ],
-        )
-
-    def configure(self):
-        # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`.
-        # This allows to read from journalctl instead of log files.
-        files.template(
-            src=get_resource("mtail/mtail.service.j2"),
-            dest="/etc/systemd/system/mtail.service",
-            user="root",
-            group="root",
-            mode="644",
-            address=self.mtail_address or "127.0.0.1",
-            port=3903,
-        )
-
-        mtail_conf = files.put(
-            name="Mtail configuration",
-            src=get_resource("mtail/delivered_mail.mtail"),
-            dest="/etc/mtail/delivered_mail.mtail",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        self.need_restart = mtail_conf.changed
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable mtail",
-            service="mtail.service",
-            running=bool(self.mtail_address),
-            enabled=bool(self.mtail_address),
-            restarted=self.need_restart,
-        )
-        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/nginx/deployer.py
+++ b/cmdeploy/src/cmdeploy/nginx/deployer.py
@@ -1,117 +0,0 @@
-from chatmaild.config import Config
-from pyinfra.operations import apt, files, systemd
-
-from cmdeploy.basedeploy import (
-    Deployer,
-    get_resource,
-)
-
-
-class NginxDeployer(Deployer):
-    def __init__(self, config):
-        self.config = config
-
-    def install(self):
-        #
-        # If we allow nginx to start up on install, it will grab port
-        # 80, which then will block acmetool from listening on the port.
-        # That in turn prevents getting certificates, which then causes
-        # an error when we try to start nginx on the custom config
-        # that leaves port 80 open but also requires certificates to
-        # be present.  To avoid getting into that interlocking mess,
-        # we use policy-rc.d to prevent nginx from starting up when it
-        # is installed.
-        #
-        # This approach allows us to avoid performing any explicit
-        # systemd operations during the install stage (as opposed to
-        # allowing it to start and then forcing it to stop), which allows
-        # the install stage to run in non-systemd environments like a
-        # container image build.
-        #
-        # For documentation about policy-rc.d, see:
-        # https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt
-        #
-        files.put(
-            src=get_resource("policy-rc.d"),
-            dest="/usr/sbin/policy-rc.d",
-            user="root",
-            group="root",
-            mode="755",
-        )
-
-        apt.packages(
-            name="Install nginx",
-            packages=["nginx", "libnginx-mod-stream"],
-        )
-
-        files.file("/usr/sbin/policy-rc.d", present=False)
-
-    def configure(self):
-        self.need_restart = _configure_nginx(self.config)
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable nginx",
-            service="nginx.service",
-            running=True,
-            enabled=True,
-            restarted=self.need_restart,
-        )
-        self.need_restart = False
-
-
-def _configure_nginx(config: Config, debug: bool = False) -> bool:
-    """Configures nginx HTTP server."""
-    need_restart = False
-
-    main_config = files.template(
-        src=get_resource("nginx/nginx.conf.j2"),
-        dest="/etc/nginx/nginx.conf",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": config.mail_domain},
-        disable_ipv6=config.disable_ipv6,
-    )
-    need_restart |= main_config.changed
-
-    autoconfig = files.template(
-        src=get_resource("nginx/autoconfig.xml.j2"),
-        dest="/var/www/html/.well-known/autoconfig/mail/config-v1.1.xml",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": config.mail_domain},
-    )
-    need_restart |= autoconfig.changed
-
-    mta_sts_config = files.template(
-        src=get_resource("nginx/mta-sts.txt.j2"),
-        dest="/var/www/html/.well-known/mta-sts.txt",
-        user="root",
-        group="root",
-        mode="644",
-        config={"domain_name": config.mail_domain},
-    )
-    need_restart |= mta_sts_config.changed
-
-    # install CGI newemail script
-    #
-    cgi_dir = "/usr/lib/cgi-bin"
-    files.directory(
-        name=f"Ensure {cgi_dir} exists",
-        path=cgi_dir,
-        user="root",
-        group="root",
-    )
-
-    files.put(
-        name="Upload cgi newemail.py script",
-        src=get_resource("newemail.py", pkg="chatmaild").open("rb"),
-        dest=f"{cgi_dir}/newemail.py",
-        user="root",
-        group="root",
-        mode="755",
-    )
-
-    return need_restart
--- a/cmdeploy/src/cmdeploy/opendkim/deployer.py
+++ b/cmdeploy/src/cmdeploy/opendkim/deployer.py
@@ -1,123 +0,0 @@
-"""
-Installs OpenDKIM
-"""
-
-from pyinfra import host
-from pyinfra.facts.files import File
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class OpendkimDeployer(Deployer):
-    required_users = [("opendkim", None, ["opendkim"])]
-
-    def __init__(self, mail_domain):
-        self.mail_domain = mail_domain
-
-    def install(self):
-        apt.packages(
-            name="apt install opendkim opendkim-tools",
-            packages=["opendkim", "opendkim-tools"],
-        )
-
-    def configure(self):
-        domain = self.mail_domain
-        dkim_selector = "opendkim"
-        """Configures OpenDKIM"""
-        need_restart = False
-
-        main_config = files.template(
-            src=get_resource("opendkim/opendkim.conf"),
-            dest="/etc/opendkim.conf",
-            user="root",
-            group="root",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= main_config.changed
-
-        screen_script = files.put(
-            src=get_resource("opendkim/screen.lua"),
-            dest="/etc/opendkim/screen.lua",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= screen_script.changed
-
-        final_script = files.put(
-            src=get_resource("opendkim/final.lua"),
-            dest="/etc/opendkim/final.lua",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= final_script.changed
-
-        files.directory(
-            name="Add opendkim directory to /etc",
-            path="/etc/opendkim",
-            user="opendkim",
-            group="opendkim",
-            mode="750",
-            present=True,
-        )
-
-        keytable = files.template(
-            src=get_resource("opendkim/KeyTable"),
-            dest="/etc/dkimkeys/KeyTable",
-            user="opendkim",
-            group="opendkim",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= keytable.changed
-
-        signing_table = files.template(
-            src=get_resource("opendkim/SigningTable"),
-            dest="/etc/dkimkeys/SigningTable",
-            user="opendkim",
-            group="opendkim",
-            mode="644",
-            config={"domain_name": domain, "opendkim_selector": dkim_selector},
-        )
-        need_restart |= signing_table.changed
-        files.directory(
-            name="Add opendkim socket directory to /var/spool/postfix",
-            path="/var/spool/postfix/opendkim",
-            user="opendkim",
-            group="opendkim",
-            mode="750",
-            present=True,
-        )
-
-        if not host.get_fact(File, f"/etc/dkimkeys/{dkim_selector}.private"):
-            server.shell(
-                name="Generate OpenDKIM domain keys",
-                commands=[
-                    f"/usr/sbin/opendkim-genkey -D /etc/dkimkeys -d {domain} -s {dkim_selector}"
-                ],
-                _use_su_login=True,
-                _su_user="opendkim",
-            )
-
-        service_file = files.put(
-            name="Configure opendkim to restart once a day",
-            src=get_resource("opendkim/systemd.conf"),
-            dest="/etc/systemd/system/opendkim.service.d/10-prevent-memory-leak.conf",
-        )
-        need_restart |= service_file.changed
-
-        self.need_restart = need_restart
-
-    def activate(self):
-        systemd.service(
-            name="Start and enable OpenDKIM",
-            service="opendkim.service",
-            running=True,
-            enabled=True,
-            daemon_reload=self.need_restart,
-            restarted=self.need_restart,
-        )
-        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/opendkim/final.lua
+++ b/cmdeploy/src/cmdeploy/opendkim/final.lua
@@ -1,5 +1,4 @@
-mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
-if mtaname == "ORIGINATING" then
+if odkim.internal_ip(ctx) == 1 then
 	-- Outgoing message will be signed,
 	-- no need to look for signatures.
 	return nil
@@ -10,11 +9,9 @@ if nsigs == nil then
 	return nil
 end

-local valid = false
-local error_msg = "No valid DKIM signature found."
 for i = 1, nsigs do
-	sig = odkim.get_sighandle(ctx, i - 1)
-	sigres = odkim.sig_result(sig)
+        sig = odkim.get_sighandle(ctx, i - 1)
+        sigres = odkim.sig_result(sig)

 	-- All signatures that do not correspond to From: 
 	-- were ignored in screen.lua and return sigres -1.
@@ -22,21 +19,10 @@ for i = 1, nsigs do
 	-- Any valid signature that was not ignored like this
 	-- means the message is acceptable.
 	if sigres == 0 then
-		valid = true
-    else
-        error_msg = "DKIM signature is invalid, error code " .. tostring(sigres) .. ", search https://github.com/trusteddomainproject/OpenDKIM/blob/master/libopendkim/dkim.h#L108"
-	end
-end
-
-if valid then
-	-- Strip all DKIM-Signature headers after successful validation
-	-- Delete in reverse order to avoid index shifting.
-	for i = nsigs, 1, -1 do
-		odkim.del_header(ctx, "DKIM-Signature", i)
-	end
-else
-	odkim.set_reply(ctx, "554", "5.7.1", error_msg)
-	odkim.set_result(ctx, SMFIS_REJECT)
+		return nil
+	end	
 end

+odkim.set_reply(ctx, "554", "5.7.1", "No valid DKIM signature found")
+odkim.set_result(ctx, SMFIS_REJECT)
 return nil
--- a/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
+++ b/cmdeploy/src/cmdeploy/opendkim/opendkim.conf
@@ -65,9 +65,3 @@ PidFile			/run/opendkim/opendkim.pid
 # The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
 # by the package dns-root-data.
 TrustAnchorFile		/usr/share/dns/root.key
-
-# Sign messages when `-o milter_macro_daemon_name=ORIGINATING` is set.
-MTA ORIGINATING
-
-# No hosts are treated as internal, ORIGINATING daemon name should be set explicitly.
-InternalHosts -
--- a/cmdeploy/src/cmdeploy/postfix/deployer.py
+++ b/cmdeploy/src/cmdeploy/postfix/deployer.py
@@ -1,117 +0,0 @@
-from pyinfra.operations import apt, files, server, systemd
-
-from cmdeploy.basedeploy import Deployer, get_resource
-
-
-class PostfixDeployer(Deployer):
-    required_users = [("postfix", None, ["opendkim"])]
-    daemon_reload = False
-
-    def __init__(self, config, disable_mail):
-        self.config = config
-        self.disable_mail = disable_mail
-
-    def install(self):
-        apt.packages(
-            name="Install Postfix",
-            packages="postfix",
-        )
-
-    def configure(self):
-        config = self.config
-        need_restart = False
-
-        main_config = files.template(
-            src=get_resource("postfix/main.cf.j2"),
-            dest="/etc/postfix/main.cf",
-            user="root",
-            group="root",
-            mode="644",
-            config=config,
-            disable_ipv6=config.disable_ipv6,
-        )
-        need_restart |= main_config.changed
-
-        master_config = files.template(
-            src=get_resource("postfix/master.cf.j2"),
-            dest="/etc/postfix/master.cf",
-            user="root",
-            group="root",
-            mode="644",
-            debug=False,
-            config=config,
-        )
-        need_restart |= master_config.changed
-
-        header_cleanup = files.put(
-            src=get_resource("postfix/submission_header_cleanup"),
-            dest="/etc/postfix/submission_header_cleanup",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= header_cleanup.changed
-
-        lmtp_header_cleanup = files.put(
-            src=get_resource("postfix/lmtp_header_cleanup"),
-            dest="/etc/postfix/lmtp_header_cleanup",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= lmtp_header_cleanup.changed
-
-        tls_policy_map = files.put(
-            name="Upload SMTP TLS Policy that accepts self-signed certificates for IP-only hosts",
-            src=get_resource("postfix/smtp_tls_policy_map"),
-            dest="/etc/postfix/smtp_tls_policy_map",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= tls_policy_map.changed
-        if tls_policy_map.changed:
-            server.shell(
-                commands=["postmap /etc/postfix/smtp_tls_policy_map"],
-            )
-
-        # Login map that 1:1 maps email address to login.
-        login_map = files.put(
-            src=get_resource("postfix/login_map"),
-            dest="/etc/postfix/login_map",
-            user="root",
-            group="root",
-            mode="644",
-        )
-        need_restart |= login_map.changed
-
-        restart_conf = files.put(
-            name="postfix: restart automatically on failure",
-            src=get_resource("service/10_restart.conf"),
-            dest="/etc/systemd/system/postfix@.service.d/10_restart.conf",
-        )
-        self.daemon_reload = restart_conf.changed
-
-        # Validate postfix configuration before restart
-        if need_restart:
-            server.shell(
-                name="Validate postfix configuration",
-                # Extract stderr and quit with error if non-zero
-                commands=["""bash -c 'w=$(postconf 2>&1 >/dev/null); [[ -z "$w" ]] || { echo "$w"; false; }'"""],
-            )
-        self.need_restart = need_restart
-
-    def activate(self):
-        restart = False if self.disable_mail else self.need_restart
-
-        systemd.service(
-            name="disable postfix for now"
-            if self.disable_mail
-            else "Start and enable Postfix",
-            service="postfix.service",
-            running=False if self.disable_mail else True,
-            enabled=False if self.disable_mail else True,
-            restarted=restart,
-            daemon_reload=self.daemon_reload,
-        )
-        self.need_restart = False
--- a/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
+++ b/cmdeploy/src/cmdeploy/postfix/lmtp_header_cleanup
@@ -1,3 +0,0 @@
-/^DKIM-Signature:/            IGNORE
-/^Authentication-Results:/            IGNORE
-/^Received:/            IGNORE
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -25,9 +25,9 @@ smtp_tls_security_level=verify
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-smtp_tls_policy_maps = regexp:/etc/postfix/smtp_tls_policy_map
+smtp_tls_policy_maps = inline:{nauta.cu=may}
 smtp_tls_protocols = >=TLSv1.2
-smtp_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_protocols = >=TLSv1.2

 # Disable anonymous cipher suites
 # and known insecure algorithms.
@@ -64,20 +64,7 @@ alias_database = hash:/etc/aliases
 mydestination =

 relayhost = 
-{% if disable_ipv6 %}
-mynetworks = 127.0.0.0/8
-{% else %}
 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-{% endif %}
-{% if config.addr_v4 %}
-smtp_bind_address = {{ config.addr_v4 }}
-{% endif %}
-{% if config.addr_v6 %}
-smtp_bind_address6 = {{ config.addr_v6 }}
-{% endif %}
-{% if config.addr_v4 or config.addr_v6 %}
-smtp_bind_address_enforce = yes
-{% endif %}
 mailbox_size_limit = 0
 message_size_limit = {{config.max_message_size}}
 recipient_delimiter = +
@@ -90,7 +77,6 @@ inet_protocols = all

 virtual_transport = lmtp:unix:private/dovecot-lmtp
 virtual_mailbox_domains = {{ config.mail_domain }}
-lmtp_header_checks = regexp:/etc/postfix/lmtp_header_cleanup

 mua_client_restrictions = permit_sasl_authenticated, reject
 mua_sender_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated, reject
--- a/cmdeploy/src/cmdeploy/postfix/master.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/master.cf.j2
@@ -15,7 +15,6 @@ smtp      inet  n       -       y       -       -       smtpd -v
 smtp      inet  n       -       y       -       -       smtpd 
 {%- endif %}
  -o smtpd_tls_security_level=encrypt
-  -o smtpd_tls_mandatory_protocols=>=TLSv1.2
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
 submission inet n       -       y       -       5000    smtpd
  -o syslog_name=postfix/submission
@@ -31,6 +30,7 @@ submission inet n       -       y       -       5000    smtpd
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_client_connection_count_limit=1000
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 smtps     inet  n       -       y       -       5000    smtpd
@@ -48,6 +48,7 @@ smtps     inet  n       -       y       -       5000    smtpd
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_client_connection_count_limit=1000
+  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port }}
 #628       inet  n       -       y       -       -       qmqpd
 pickup    unix  n       -       y       60      1       pickup
@@ -79,7 +80,6 @@ filter    unix -        n       n       -       -       lmtp
 # Local SMTP server for reinjecting outgoing filtered mail.
 127.0.0.1:{{ config.postfix_reinject_port }} inet  n       -       n       -       100      smtpd
  -o syslog_name=postfix/reinject
-  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_milters=unix:opendkim/opendkim.sock
  -o cleanup_service_name=authclean

--- a/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
+++ b/cmdeploy/src/cmdeploy/postfix/smtp_tls_policy_map
@@ -1,2 +0,0 @@
-/^\[[^]]+\]$/ encrypt
-/^nauta\.cu$/    may
--- a/cmdeploy/src/cmdeploy/remote/rdns.py
+++ b/cmdeploy/src/cmdeploy/remote/rdns.py
@@ -12,7 +12,7 @@ All functions of this module

 import re

-from .rshell import CalledProcessError, log_progress, shell
+from .rshell import CalledProcessError, shell, log_progress


 def perform_initial_checks(mail_domain, pre_command=""):
@@ -26,9 +26,7 @@ def perform_initial_checks(mail_domain, pre_command=""):
    WWW = query_dns("CNAME", f"www.{mail_domain}")

    res = dict(mail_domain=mail_domain, A=A, AAAA=AAAA, MTA_STS=MTA_STS, WWW=WWW)
-    res["acme_account_url"] = shell(
-        pre_command + "acmetool account-url", fail_ok=True, print=log_progress
-    )
+    res["acme_account_url"] = shell(pre_command + "acmetool account-url", fail_ok=True, print=log_progress)
    res["dkim_entry"], res["web_dkim_entry"] = get_dkim_entry(
        mail_domain, pre_command, dkim_selector="opendkim"
    )
@@ -37,10 +35,7 @@ def perform_initial_checks(mail_domain, pre_command=""):
        return res

    # parse out sts-id if exists, example: "v=STSv1; id=2090123"
-    mta_sts_txt = query_dns("TXT", f"_mta-sts.{mail_domain}")
-    if not mta_sts_txt:
-        return res
-    parts = mta_sts_txt.split("id=")
+    parts = query_dns("TXT", f"_mta-sts.{mail_domain}").split("id=")
    res["sts_id"] = parts[1].rstrip('"') if len(parts) == 2 else ""
    return res

@@ -50,7 +45,7 @@ def get_dkim_entry(mail_domain, pre_command, dkim_selector):
        dkim_pubkey = shell(
            f"{pre_command}openssl rsa -in /etc/dkimkeys/{dkim_selector}.private "
            "-pubout 2>/dev/null | awk '/-/{next}{printf(\"%s\",$0)}'",
-            print=log_progress,
+            print=log_progress
        )
    except CalledProcessError:
        return
@@ -67,9 +62,9 @@ def query_dns(typ, domain):
    # Get autoritative nameserver from the SOA record.
    soa_answers = [
        x.split()
-        for x in shell(
-            f"dig -r -q {domain} -t SOA +noall +authority +answer", print=log_progress
-        ).split("\n")
+        for x in shell(f"dig -r -q {domain} -t SOA +noall +authority +answer", print=log_progress).split(
+            "\n"
+        )
    ]
    soa = [a for a in soa_answers if len(a) >= 3 and a[3] == "SOA"]
    if not soa:
@@ -78,7 +73,7 @@ def query_dns(typ, domain):

    # Query authoritative nameserver directly to bypass DNS cache.
    res = shell(f"dig @{ns} -r -q {domain} -t {typ} +short", print=log_progress)
-    return next((line for line in res.split("\n") if not line.startswith(";")), "")
+    return next((line for line in res.split("\n") if not line.startswith(';')), '')


 def check_zonefile(zonefile, verbose=True):
--- a/cmdeploy/src/cmdeploy/remote/rshell.py
+++ b/cmdeploy/src/cmdeploy/remote/rshell.py
@@ -1,4 +1,5 @@
 import sys
+
 from subprocess import DEVNULL, CalledProcessError, check_output


--- a/cmdeploy/src/cmdeploy/service/10_restart.conf
+++ b/cmdeploy/src/cmdeploy/service/10_restart.conf
@@ -1,3 +0,0 @@
-[Service]
-Restart=always
-RestartSec=30
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@@ -0,0 +1,67 @@
+[Unit]
+Description=Chatmail echo bot for testing it works
+
+[Service]
+ExecStart={execpath} {config_path}
+Environment="PATH={remote_venv_dir}:$PATH"
+Restart=always
+RestartSec=30
+
+User=echobot
+Group=echobot
+
+# Create /var/lib/echobot
+StateDirectory=echobot
+
+# Create /run/echobot
+#
+# echobot stores /run/echobot/password
+# with a password there, which doveauth then reads.
+RuntimeDirectory=echobot
+
+WorkingDirectory=/var/lib/echobot
+
+# Apply security restrictions suggested by
+#   systemd-analyze security echobot.service
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+
+# We need to know about doveauth user to give it access to /run/echobot/password
+PrivateUsers=false
+
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+
+# Should be "strict", but we currently write /accounts folder in a protected path
+ProtectSystem=full
+
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0077
+
+[Install]
+WantedBy=multi-user.target
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail-incoming.service.j2
@@ -2,10 +2,11 @@
 Description=Incoming Chatmail Postfix before queue filter 

 [Service]
-ExecStart={{ bin_path }} {{ config_path }} incoming
+ExecStart={execpath} {config_path} incoming
 Restart=always
 RestartSec=30
 User=vmail

 [Install]
 WantedBy=multi-user.target
+
--- a/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
+++ b/cmdeploy/src/cmdeploy/filtermail/filtermail.service.j2
@@ -2,7 +2,7 @@
 Description=Outgoing Chatmail Postfix before queue filter

 [Service]
-ExecStart={{ bin_path }} {{ config_path }} outgoing
+ExecStart={execpath} {config_path} outgoing
 Restart=always
 RestartSec=30
 User=vmail
--- a/cmdeploy/src/cmdeploy/sshexec.py
+++ b/cmdeploy/src/cmdeploy/sshexec.py
@@ -85,31 +85,16 @@ class SSHExec:


 class LocalExec:
-    FuncError = FuncError
-
    def __init__(self, verbose=False, docker=False):
        self.verbose = verbose
        self.docker = docker

-    def __call__(self, call, kwargs=None, log_callback=None):
-        if kwargs is None:
-            kwargs = {}
-        return call(**kwargs)
-
    def logged(self, call, kwargs: dict):
-        title = call.__doc__
-        if not title:
-            title = call.__name__
        where = "locally"
        if self.docker:
            if call == remote.rdns.perform_initial_checks:
-                kwargs["pre_command"] = "docker exec chatmail "
+                kwargs['pre_command'] = "docker exec chatmail "
                where = "in docker"
        if self.verbose:
-            print_stderr(f"Running {where}: {title}(**{kwargs})")
-            return self(call, kwargs, log_callback=print_stderr)
-        else:
-            print_stderr(title, end="")
-            res = self(call, kwargs, log_callback=remote.rshell.log_progress)
-            print_stderr()
-            return res
+            print(f"Running {where}: {call.__name__}(**{kwargs})")
+        return call(**kwargs)
--- a/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_1_basic.py
@@ -1,4 +1,5 @@
 import datetime
+import os
 import smtplib
 import socket
 import subprocess
@@ -7,13 +8,14 @@ import time
 import pytest

 from cmdeploy import remote
-from cmdeploy.cmdeploy import get_sshexec
+from cmdeploy.cmdeploy import main
+from cmdeploy.sshexec import SSHExec


 class TestSSHExecutor:
    @pytest.fixture(scope="class")
    def sshexec(self, sshdomain):
-        return get_sshexec(sshdomain)
+        return SSHExec(sshdomain)

    def test_ls(self, sshexec):
        out = sshexec(call=remote.rdns.shell, kwargs=dict(command="ls"))
@@ -27,14 +29,13 @@ class TestSSHExecutor:
        assert res["A"] or res["AAAA"]

    def test_logged(self, sshexec, maildomain, capsys):
-        sshexec.verbose = False
        sshexec.logged(
            remote.rdns.perform_initial_checks, kwargs=dict(mail_domain=maildomain)
        )
        out, err = capsys.readouterr()
        assert err.startswith("Collecting")
        # XXX could not figure out how capturing can be made to work properly
-        # assert err.endswith("....\n")
+        #assert err.endswith("....\n")
        assert err.count("\n") == 1

        sshexec.verbose = True
@@ -44,7 +45,7 @@ class TestSSHExecutor:
        out, err = capsys.readouterr()
        lines = err.split("\n")
        # XXX could not figure out how capturing can be made to work properly
-        # assert len(lines) > 4
+        #assert len(lines) > 4
        assert remote.rdns.perform_initial_checks.__doc__ in lines[0]

    def test_exception(self, sshexec, capsys):
@@ -53,8 +54,6 @@ class TestSSHExecutor:
                remote.rdns.perform_initial_checks,
                kwargs=dict(mail_domain=None),
            )
-        except AssertionError:
-            pass
        except sshexec.FuncError as e:
            assert "rdns.py" in str(e)
            assert "AssertionError" in str(e)
@@ -71,6 +70,47 @@ class TestSSHExecutor:
        assert (now - since_date).total_seconds() < 60 * 60 * 51


+def test_status_cmd(chatmail_config, capsys, request):
+    os.chdir(request.config.invocation_params.dir)
+    assert main(["status"]) == 0
+    status_out = capsys.readouterr()
+    print(status_out.out)
+
+    services = [
+        "acmetool-redirector",
+        "chatmail-metadata",
+        "doveauth",
+        "dovecot",
+        "echobot",
+        "fcgiwrap",
+        "filtermail-incoming",
+        "filtermail",
+        "lastlogin",
+        "nginx",
+        "opendkim",
+        "postfix@-",
+        "systemd-journald",
+        "turnserver",
+        "unbound",
+    ]
+    not_running = []
+    for service in services:
+        active = False
+        for line in status_out:
+            if service in line:
+                active = True
+                if not "loaded" in line:
+                    active = False
+                if not "active" in line:
+                    active = False
+                if not "running" in line:
+                    active = False
+                break
+        if not active:
+            not_running.append(service)
+    assert not_running == []
+
+
 def test_timezone_env(remote):
    for line in remote.iter_output("env"):
        print(line)
@@ -192,14 +232,12 @@ def test_exceed_rate_limit(cmsetup, gencreds, maildata, chatmail_config):
    mail = maildata(
        "encrypted.eml", from_addr=user1.addr, to_addr=user2.addr
    ).as_string()
-
-    start = time.time()
-    for i in range(chatmail_config.max_user_send_per_minute * 3):
-        print("Sending mail", str(i + 1), "at", time.time() - start, "s.")
+    for i in range(chatmail_config.max_user_send_per_minute + 5):
+        print("Sending mail", str(i))
        try:
            user1.smtp.sendmail(user1.addr, [user2.addr], mail)
        except smtplib.SMTPException as e:
-            if i < chatmail_config.max_user_send_burst_size:
+            if i < chatmail_config.max_user_send_per_minute:
                pytest.fail(f"rate limit was exceeded too early with msg {i}")
            outcome = e.recipients[user2.addr]
            assert outcome[0] == 450
--- a/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_2_deltachat.py
@@ -7,7 +7,7 @@ import pytest
 import requests

 from cmdeploy.remote import rshell
-from cmdeploy.cmdeploy import get_sshexec
+from cmdeploy.sshexec import SSHExec


@pytest.fixture
@@ -17,7 +17,6 @@ def imap_mailbox(cmfactory):
    password = ac1.get_config("mail_pw")
    mailbox = imap_tools.MailBox(user.split("@")[1])
    mailbox.login(user, password)
-    mailbox.dc_ac = ac1
    return mailbox


@@ -90,7 +89,7 @@ class TestEndToEndDeltaChat:
        lp.sec(f"filling remote inbox for {user}")
        fn = f"7743102289.M843172P2484002.c20,S={quota},W=2398:2,"
        path = chatmail_config.mailboxes_dir.joinpath(user, "cur", fn)
-        sshexec = get_sshexec(sshdomain)
+        sshexec = SSHExec(sshdomain)
        sshexec(call=rshell.write_numbytes, kwargs=dict(path=str(path), num=120))
        res = sshexec(call=rshell.dovecot_recalc_quota, kwargs=dict(user=user))
        assert res["percent"] >= 100
@@ -122,28 +121,6 @@ class TestEndToEndDeltaChat:
        assert ch.id >= 10
        ac1._evtracker.wait_securejoin_inviter_progress(1000)

-    def test_dkim_header_stripped(self, cmfactory, maildomain2, lp, imap_mailbox):
-        """Test that if a DC address receives a message, it has no
-        DKIM-Signature and Authentication-Results headers."""
-        ac1 = cmfactory.new_online_configuring_account(cache=False)
-        cmfactory.switch_maildomain(maildomain2)
-        ac2 = cmfactory.new_online_configuring_account(cache=False)
-        cmfactory.bring_accounts_online()
-        chat = cmfactory.get_accepted_chat(ac1, imap_mailbox.dc_ac)
-        chat.send_text("message0")
-        chat2 = cmfactory.get_accepted_chat(ac2, imap_mailbox.dc_ac)
-        chat2.send_text("message1")
-
-        lp.sec("receive message with ac1...")
-        received = 0
-        while received < 2:
-            msgs = imap_mailbox.fetch()
-            for msg in msgs:
-                lp.sec(f"ac1 received msg from {msg.from_}")
-                received += 1
-                assert "authentication-results" not in msg.headers
-                assert "dkim-signature" not in msg.headers
-
    def test_read_receipts_between_instances(self, cmfactory, lp, maildomain2):
        ac1 = cmfactory.new_online_configuring_account(cache=False)
        cmfactory.switch_maildomain(maildomain2)
@@ -183,3 +160,22 @@ def test_hide_senders_ip_address(cmfactory):
    user2.direct_imap.select_folder("Inbox")
    msg = user2.direct_imap.get_all_messages()[0]
    assert public_ip not in msg.obj.as_string()
+
+
+def test_echobot(cmfactory, chatmail_config, lp, sshdomain):
+    ac = cmfactory.get_online_accounts(1)[0]
+
+    # establish contact with echobot
+    sshexec = SSHExec(sshdomain)
+    command = "cat /var/lib/echobot/invite-link.txt"
+    echo_invite_link = sshexec(call=rshell.shell, kwargs=dict(command=command))
+    chat = ac.qr_setup_contact(echo_invite_link)
+    ac._evtracker.wait_securejoin_joiner_progress(1000)
+
+    # send message and check it gets replied back
+    lp.sec("Send message to echobot")
+    text = "hi, I hope you text me back"
+    chat.send_text(text)
+    lp.sec("Wait for reply from echobot")
+    reply = ac._evtracker.wait_next_incoming_message()
+    assert reply.text == text
--- a/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
+++ b/cmdeploy/src/cmdeploy/tests/online/test_3_status.py
@@ -1,53 +0,0 @@
-import os
-
-from cmdeploy.cmdeploy import main
-
-
-def test_status_cmd(chatmail_config, capsys, request):
-    os.chdir(request.config.invocation_params.dir)
-    command = ["status"]
-    if os.getenv("CHATMAIL_SSH"):
-        command.append("--ssh-host")
-        command.append(os.getenv("CHATMAIL_SSH"))
-    assert main(command) == 0
-    status_out = capsys.readouterr()
-    print(status_out.out)
-
-    assert len(status_out.out.splitlines()) > 5
-
-    """
-    don't test actual server state:
-
-    services = [
-        "acmetool-redirector",
-        "chatmail-metadata",
-        "doveauth",
-        "dovecot",
-        "fcgiwrap",
-        "filtermail-incoming",
-        "filtermail",
-        "lastlogin",
-        "nginx",
-        "opendkim",
-        "postfix@-",
-        "systemd-journald",
-        "turnserver",
-        "unbound",
-    ]
-    not_running = []
-    for service in services:
-        active = False
-        for line in status_out:
-            if service in line:
-                active = True
-                if not "loaded" in line:
-                    active = False
-                if not "active" in line:
-                    active = False
-                if not "running" in line:
-                    active = False
-                break
-        if not active:
-            not_running.append(service)
-    assert not_running == []
-    """
--- a/cmdeploy/src/cmdeploy/tests/plugin.py
+++ b/cmdeploy/src/cmdeploy/tests/plugin.py
@@ -54,8 +54,8 @@ def maildomain(chatmail_config):


@pytest.fixture(scope="session")
-def sshdomain(chatmail_config):
-    return os.environ.get("CHATMAIL_SSH", chatmail_config.ssh_host)
+def sshdomain(maildomain):
+    return os.environ.get("CHATMAIL_SSH", maildomain)


@pytest.fixture
@@ -337,14 +337,8 @@ class Remote:

    def iter_output(self, logcmd=""):
        getjournal = "journalctl -f" if not logcmd else logcmd
-        print(self.sshdomain)
-        match self.sshdomain:
-            case "@local": command = []
-            case "localhost": command = []
-            case _: command = ["ssh", f"root@{self.sshdomain}"]
-        [command.append(arg) for arg in getjournal.split()]
        self.popen = subprocess.Popen(
-            command,
+            ["ssh", f"root@{self.sshdomain}", getjournal],
            stdout=subprocess.PIPE,
        )
        while 1:
--- a/cmdeploy/src/cmdeploy/tests/test_dns.py
+++ b/cmdeploy/src/cmdeploy/tests/test_dns.py
@@ -65,9 +65,7 @@ class TestPerformInitialChecks:
        remote_data = remote.rdns.perform_initial_checks("some.domain")
        assert remote_data["A"] == mockdns_expected["A"]["some.domain"]
        assert remote_data["AAAA"] == mockdns_expected["AAAA"]["some.domain"]
-        assert (
-            remote_data["MTA_STS"] == mockdns_expected["CNAME"]["mta-sts.some.domain"]
-        )
+        assert remote_data["MTA_STS"] == mockdns_expected["CNAME"]["mta-sts.some.domain"]
        assert remote_data["WWW"] == mockdns_expected["CNAME"]["www.some.domain"]

    @pytest.mark.parametrize("drop", ["A", "AAAA"])
--- a/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
+++ b/cmdeploy/src/cmdeploy/unbound/unbound.conf.j2
@@ -1,4 +0,0 @@
-# Managed by cmdeploy: disable IPv6 in unbound.
-server:
-  interface: 127.0.0.1
-  do-ip6: no
--- a/cmdeploy/src/cmdeploy/www.py
+++ b/cmdeploy/src/cmdeploy/www.py
@@ -1,10 +1,10 @@
 import hashlib
 import importlib.resources
-import re
 import time
 import traceback
 import webbrowser
 from pathlib import Path
+import re

 import markdown
 from chatmaild.config import read_config
@@ -12,9 +12,8 @@ from jinja2 import Template

 from .genqr import gen_qr_png_data

-_MERGE_CONFLICT_RE = re.compile(
-    r"^<<<<<<<.+^=======.+^>>>>>>>", re.DOTALL | re.MULTILINE
-)
+
+_MERGE_CONFLICT_RE = re.compile(r"^<<<<<<<.+^=======.+^>>>>>>>", re.DOTALL | re.MULTILINE)


 def snapshot_dir_stats(somedir):
@@ -140,34 +139,34 @@ def main():
    config.webdev = True
    assert config.mail_domain

+    # start web page generation, open a browser and wait for changes
    www_path, src_path, build_dir = get_paths(config)
    build_dir = build_webpages(src_path, build_dir, config)
    index_path = build_dir.joinpath("index.html")
    webbrowser.open(str(index_path))
-
-    print(f"\nOpened URL: file://{index_path.resolve()}\n")
-    print(f"Watching {src_path} directory for changes...")
-
    stats = snapshot_dir_stats(src_path)
+    print(f"\nOpened URL: file://{index_path.resolve()}\n")
+    print(f"watching {src_path} directory for changes")
+
    changenum = 0
-    debounce_time = 0.5  # wait 0.5s after detecting a change
-
+    count = 0
    while True:
-        time.sleep(1)
        newstats = snapshot_dir_stats(src_path)
+        if newstats == stats and count % 60 != 0:
+            count += 1
+            time.sleep(1.0)
+            continue

-        if newstats != stats:
-            changed_files = [f for f in newstats if stats.get(f) != newstats[f]]
-            for f in changed_files:
-                print(f"*** CHANGED: {f}")
+        for key in newstats:
+            if stats[key] != newstats[key]:
+                print(f"*** CHANGED: {key}")
+                changenum += 1

-            stats = newstats
-            changenum += 1
-            build_webpages(src_path, build_dir, config)
-            print(f"[{changenum}] regenerated web pages at: {index_path}")
-            print(f"URL: file://{index_path.resolve()}\n\n")
-
-            time.sleep(debounce_time)  # simple debounce
+        stats = newstats
+        build_webpages(src_path, build_dir, config)
+        print(f"[{changenum}] regenerated web pages at: {index_path}")
+        print(f"URL: file://{index_path.resolve()}\n\n")
+        count = 0


 if __name__ == "__main__":
--- a/doc/README.md
+++ b/doc/README.md
@@ -6,7 +6,7 @@ You can use the `make` command and `make html` to build web pages.

 You need a Python environment where the following install was excuted: 

-    pip install furo sphinx-autobuild
+    pip install sphinx-build furo sphinx-autobuild 

 To develop/change documentation, you can then do: 

--- a/doc/source/getting_started.rst
+++ b/doc/source/getting_started.rst
@@ -21,6 +21,12 @@ You will need the following:
   1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active
   chatmail addresses.

+-  Key-based SSH authentication to the root user. You must add a
+   passphrase-protected private key to your local ssh-agent because you
+   can’t type in your passphrase during deployment. (An ed25519 private
+   key is required due to an `upstream bug in
+   paramiko <https://github.com/paramiko/paramiko/issues/2191>`_)
+

 Setup with ``scripts/cmdeploy``
 -------------------------------------
@@ -28,36 +34,40 @@ Setup with ``scripts/cmdeploy``
 We use ``chat.example.org`` as the chatmail domain in the following
 steps. Please substitute it with your own domain.

-1. Setup the initial DNS records for your relay.
-   The following is an example in the
+1. Setup the initial DNS records. The following is an example in the
   familiar BIND zone file format with a TTL of 1 hour (3600 seconds).
   Please substitute your domain and IP addresses.

   ::

-       chat.example.org. 3600 IN A 198.51.100.5
-       chat.example.org. 3600 IN AAAA 2001:db8::5
-       www.chat.example.org. 3600 IN CNAME chat.example.org.
-       mta-sts.chat.example.org. 3600 IN CNAME chat.example.org.
+       chat.example.com. 3600 IN A 198.51.100.5
+       chat.example.com. 3600 IN AAAA 2001:db8::5
+       www.chat.example.com. 3600 IN CNAME chat.example.com.
+       mta-sts.chat.example.com. 3600 IN CNAME chat.example.com.

-2. Login to the server with SSH, clone the repository and bootstrap the Python
+2. On your local PC, clone the repository and bootstrap the Python
   virtualenv.

   ::

-       ssh root@chat.example.org
       git clone https://github.com/chatmail/relay
       cd relay
       scripts/initenv.sh

-3. Then, create a chatmail configuration file
+3. On your local PC, create chatmail configuration file
   ``chatmail.ini``:

   ::

       scripts/cmdeploy init chat.example.org  # <-- use your domain

-4. Now run the deployment script to install the relay to the server:
+4. Verify that SSH root login to your remote server works:
+
+   ::
+
+       ssh root@chat.example.org  # <-- use your domain
+
+5. From your local PC, deploy the remote chatmail relay server:

   ::

@@ -68,31 +78,26 @@ steps. Please substitute it with your own domain.
   configure at your DNS provider (it can take some time until they are
   public).

-Next Steps
----------
-
-Now you should display and check all recommended DNS records
-to enable federation with other relays:
-
-::
-
-   scripts/cmdeploy dns
-
-You should also test whether your chatmail service is working correctly:
-
-::
-
-   scripts/cmdeploy test
-
-Other Helpful Commands
+Other helpful commands
 ----------------------

-To check the status of your chatmail relay:
+To check the status of your remotely running chatmail service:

 ::

   scripts/cmdeploy status

+To display and check all recommended DNS records:
+
+::
+
+   scripts/cmdeploy dns
+
+To test whether your chatmail service is working correctly:
+
+::
+
+   scripts/cmdeploy test

 To measure the performance of your chatmail service:

@@ -134,9 +139,8 @@ This starts a local live development cycle for chatmail web pages:
   directory and generating HTML files and copying assets to the
   ``www/build`` directory.

-  if you are running scripts/cmdeploy webdev on the relay itself,
-   you need to configure a route in /etc/nginx/nginx.conf
-   to expose the build directory.
+-  Starts a browser window automatically where you can “refresh” as
+   needed.

 Custom web pages
 ----------------
@@ -154,7 +158,7 @@ Disable automatic address creation
 --------------------------------------------------------

 If you need to stop address creation, e.g. because some script is wildly
-creating addresses, login with ssh to the relay and run:
+creating addresses, login with ssh and run:

 ::

@@ -162,3 +166,4 @@ creating addresses, login with ssh to the relay and run:

 Chatmail address creation will be denied while this file is present.

+
--- a/doc/source/migrate.rst
+++ b/doc/source/migrate.rst
@@ -1,98 +1,73 @@

-Migrating to a new machine
-===========================
+Migrating to a new host
+-----------------------

-This migration tutorial provides a step-wise approach
-to safely migrate a chatmail relay from one remote machine to another.
+If you want to migrate chatmail relay from an old machine to a new
+machine, you can use these steps. They were tested with a Linux laptop;
+you might need to adjust some of the steps to your environment.

-Preliminary notes and assumptions
---------------------------------
+Let’s assume that your ``mail_domain`` is ``mail.example.org``, all
+involved machines run Debian 12, your old site’s IP address is
+``13.37.13.37``, and your new site’s IP address is ``13.12.23.42``.

- If the migration is a planned move,
-  it's recommended to lower the Time To Live (TTL) of your DNS records to a value such as 300 (5 minutes),
-  at best much earlier than the actual planned migration.
-  This speeds up propagation of DNS changes in the Internet after the migration is complete.
+Note, you should lower the TTLs of your DNS records to a value such as
+300 (5 minutes) so the migration happens as smoothly as possible.

- The migration steps were tested with a Linux laptop; you might need to adjust some of the steps to your local environment.
+During the guide you might get a warning about changed SSH Host keys; in
+this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.

- Your ``mail_domain`` is ``mail.example.org``.
-
- All remote machines run Debian 12.
-
- The old site’s IP version 4 address is ``$OLD_IP4``.
-
- The new site’s IP addresses are ``$NEW_IP4`` and ``$NEW_IPV6``.
-
-
-The six steps to migrate
------------------------
-
-Note that during some of the following steps you might get a warning about changed SSH Host keys;
-in this case, just run ``ssh-keygen -R "mail.example.org"`` as recommended.
-
-
-1. **Initially transfer mailboxes from old to new site.**
-
-   Login to old site, forwarding your ssh-agent with ``ssh -A``
-   to allow using ssh to directly copy files from old to new site.
-   ::
-
-       ssh -A root@$OLD_IP4
-       tar c /home/vmail/mail | ssh root@$NEW_IP4 "tar x -C /"
-
-
-2. **Pre-configure the new site but keep it inactive until step 6**
-   ::
-
-       CMDEPLOY_STAGES=install,configure scripts/cmdeploy run --ssh-host $NEW_IP4
-
-
-3. **It's getting serious: disable mail services on the old site.**
-   Users will not be able to send or receive messages until all steps are completed.
-   Other relays and mail servers will retry delivering messages from time to time,
-   so nothing is lost for users.
+1. First, disable mail services on the old site.

   ::

-       scripts/cmdeploy run --disable-mail --ssh-host $OLD_IP4
+       cmdeploy run --disable-mail --ssh-host 13.37.13.37

+   Now your users will notice the migration and will not be able to send
+   or receive messages until the migration is completed.

-4. **Final synchronization of TLS/DKIM secrets, mail queues and mailboxes.**
-   Again we use ssh-agent forwarding (``-A``) to allow transfering all important data directly
-   from the old to the new site.
-   ::
-
-       ssh -A root@$OLD_IP4
-       tar c /var/lib/acme /etc/dkimkeys /var/spool/postfix | ssh root@$NEW_IP4 "tar x -C /"
-       rsync -azH /home/vmail/mail root@$NEW_IP4:/home/vmail/
-
-   Login to the new site and ensure file ownerships are correctly set:
+2. Now we want to copy ``/home/vmail``, ``/var/lib/acme``,
+   ``/etc/dkimkeys``, ``/run/echobot``, and ``/var/spool/postfix`` to
+   the new site. Login to the old site while forwarding your SSH agent
+   so you can copy directly from the old to the new site with your SSH
+   key:
+
+   ::
+
+       ssh -A root@13.37.13.37
+       tar c - /home/vmail/mail /var/lib/acme /etc/dkimkeys /run/echobot /var/spool/postfix | ssh root@13.12.23.42 "tar x -C /"
+
+   This transfers all addresses, the TLS certificate, DKIM keys (so DKIM
+   DNS record remains valid), and the echobot’s password so it continues
+   to function. It also preserves the Postfix mail spool so any messages
+   pending delivery will still be delivered.
+
+3. Install chatmail on the new machine:
+
+   ::
+
+       cmdeploy run --disable-mail --ssh-host 13.12.23.42
+
+   Postfix and Dovecot are disabled for now; we will enable them later.
+   We first need to make the new site fully operational.
+
+4. On the new site, run the following to ensure the ownership is correct
+   in case UIDs/GIDs changed:

   ::

-       ssh root@$NEW_IP4
       chown root: -R /var/lib/acme
       chown opendkim: -R /etc/dkimkeys
       chown vmail: -R /home/vmail/mail
+       chown echobot: -R /run/echobot

+5. Now, update DNS entries.

-5. **Update the DNS entries to point to the new site.**
-   You only need to change the ``A`` and ``AAAA`` records, for example:
+   If other MTAs try to deliver messages to your chatmail domain they
+   may fail intermittently, as DNS catches up with the new site settings
+   but normally will retry delivering messages for at least a week, so
+   messages will not be lost.

-   ::
-
-       mail.example.org.    IN A    $NEW_IP4
-       mail.example.org.    IN AAAA $NEW_IP6
-
-
-6. **Activate chatmail relay on new site.**
-
-   ::
-
-        CMDEPLOY_STAGES=activate scripts/cmdeploy run --ssh-host $NEW_IP4
-
-   Voilà!
-   Users will be able to use the relay as soon as the DNS changes have propagated.
-   If you have lowered the Time-to-Live for DNS records in step 1,
-   better use a higher value again (between 14400 and 86400 seconds) once you are sure everything works.
+6. Finally, you can execute ``cmdeploy run --ssh-host 13.12.23.42`` to
+   turn on chatmail on the new relay. Your users will be able to use the
+   chatmail relay as soon as the DNS changes have propagated. Voilà!

--- a/doc/source/overview.rst
+++ b/doc/source/overview.rst
@@ -42,11 +42,6 @@ The deployed system components of a chatmail relay are:
 -  Dovecot_ is the Mail Delivery Agent (MDA) and
   stores messages for users until they download them

-  `filtermail <https://github.com/chatmail/filtermail>`_
-   prevents unencrypted email from leaving or entering the chatmail
-   service and is integrated into Postfix’s outbound and inbound mail
-   pipelines.
-
 -  Nginx_ shows the web page with privacy policy and additional information

 -  `acmetool <https://hlandau.github.io/acmetool/>`_ manages TLS
@@ -90,6 +85,11 @@ short overview of ``chatmaild`` services:
   <https://doc.dovecot.org/2.3/configuration_manual/authentication/dict/#complete-example-for-authenticating-via-a-unix-socket>`_
   to authenticate logins.

+-  `filtermail <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/filtermail.py>`_
+   prevents unencrypted email from leaving or entering the chatmail
+   service and is integrated into Postfix’s outbound and inbound mail
+   pipelines.
+
 -  `chatmail-metadata <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metadata.py>`_
   is contacted by a `Dovecot lua
   script <https://github.com/chatmail/relay/blob/main/cmdeploy/src/cmdeploy/dovecot/push_notification.lua>`_
@@ -109,6 +109,10 @@ short overview of ``chatmaild`` services:
   is contacted by Dovecot when a user logs in and stores the date of
   the login.

+-  `echobot <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/echo.py>`_
+   is a small bot for test purposes. It simply echoes back messages from
+   users.
+
 -  `metrics <https://github.com/chatmail/relay/blob/main/chatmaild/src/chatmaild/metrics.py>`_
   collects some metrics and displays them at
   ``https://example.org/metrics``.
@@ -122,13 +126,14 @@ web page. Edit them before deploying to make your chatmail relay
 stand out.


-Chatmail relay dependency diagram
---------------------------------
+Component dependency diagram
+--------------------------------------

 .. mermaid::
   :caption: This diagram shows relay components and dependencies/communication paths.

    graph LR;
+        cmdeploy --- sshd;
        letsencrypt --- |80|acmetool-redirector;
        acmetool-redirector --- |443|nginx-right(["`nginx
        (external)`"]);
@@ -142,62 +147,33 @@ Chatmail relay dependency diagram
        nginx-internal --- autoconfig.xml;
        certs-nginx[("`TLS certs
        /var/lib/acme`")] --> nginx-internal;
-        systemd-timer --- chatmail-metrics;
-        systemd-timer --- acmetool;
-        systemd-timer --- chatmail-expire-daily;
-        systemd-timer --- chatmail-fsreport-daily;
+        cron --- chatmail-metrics;
+        cron --- acmetool;
        chatmail-metrics --- website;
        acmetool --> certs[("`TLS certs
        /var/lib/acme`")];
        nginx-external --- |993|dovecot;
-        postfix --- |SASL|dovecot;
        autoconfig.xml --- postfix;
        autoconfig.xml --- dovecot;
-        postfix --- |10080|filtermail-outgoing;
-        postfix --- |10081|filtermail-incoming;
-        filtermail-outgoing --- |10025 reinject|postfix;
-        filtermail-incoming --- |10026 reinject|postfix;
+        postfix --- echobot;
+        postfix --- |10080,10081|filtermail;
+        postfix --- users["`User data
+        home/vmail/mail`"];
+        postfix --- |doveauth.socket|doveauth;
        dovecot --- |doveauth.socket|doveauth;
-        dovecot --- |message delivery|maildir["maildir
-        /home/vmail/.../user"];
-        dovecot --- |lastlogin.socket|lastlogin;
-        dovecot --- chatmail-metadata;
-        lastlogin --- maildir;
-        doveauth --- maildir;
-        chatmail-expire-daily --- maildir;
-        chatmail-fsreport-daily --- maildir;
+        dovecot --- users;
+        dovecot --- |metadata.socket|chatmail-metadata;
+        doveauth --- users;
+        chatmail-expire-daily --- users;
+        chatmail-fsreport-daily --- users;
        chatmail-metadata --- iroh-relay;
-        chatmail-metadata --- |encrypted device token| notifications.delta.chat;
        certs-nginx --> postfix;
        certs-nginx --> dovecot;
        style certs fill:#ff6;
-        style website fill:#ff6;
-        style maildir fill:#ff6;
        style certs-nginx fill:#ff6;
-        style nginx-external fill:#f66;
-        style nginx-right fill:#f66;
-        style postfix fill:#f66;
-        style dovecot fill:#f66;
-        style notification-proxy fill:#f66;
+        style nginx-external fill:#fc9;
+        style nginx-right fill:#fc9;

-Message between users on the same relay
---------------------------------------
-
-.. mermaid::
-    :caption: This diagram shows the path a non-federated message takes.
-
-    graph LR;
-        sender --> |465|smtps/smtpd;
-        sender --> |587|submission/smtpd;
-        smtps/smtpd --> |10080|filtermail;
-        submission/smtpd --> |10080|filtermail;
-        filtermail --> |10025|smtpd_reinject;
-        smtpd_reinject --> cleanup;
-        cleanup --> qmgr;
-        qmgr --> smtpd_accepts_message;
-        qmgr --> |lmtp|dovecot;
-        dovecot --> recipient;
-        dovecot --> sender's_other_devices;

 Operational details of a chatmail relay
 ----------------------------------------
@@ -269,11 +245,9 @@ Incoming emails must have a valid DKIM signature with
 Signing Domain Identifier (SDID, ``d=`` parameter in the DKIM-Signature
 header) equal to the ``From:`` header domain. This property is checked
 by OpenDKIM screen policy script before validating the signatures. This
-corresponds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
+correpsonds to strict :rfc:`DMARC <7489>` alignment (``adkim=s``).
 If there is no valid DKIM signature on the incoming email, the
 sender receives a “5.7.1 No valid DKIM signature found” error.
-After validating the DKIM signature,
-the `final.lua` script strips all ``OpenDKIM:`` headers to reduce message size on disc.

 Note that chatmail relays

--- a/doc/source/proxy.rst
+++ b/doc/source/proxy.rst
@@ -22,12 +22,7 @@ Note that your chatmail relay still needs to be able to make outgoing
 connections on port 25 to send messages outside.

 To setup a reverse proxy (or rather Destination NAT, DNAT) for your
-chatmail relay, follow these instructions:
-
-Linux
-^^^^^
-
-Put the following configuration in
+chatmail relay, put the following configuration in
 ``/etc/nftables.conf``:

 ::
@@ -115,61 +110,5 @@ Uncomment in ``/etc/sysctl.conf`` the following two lines:
 Then reboot the relay or do ``sysctl -p`` and
 ``nft -f /etc/nftables.conf``.

-FreeBSD / pf
-^^^^^^^^^^^^
-
-Put the following configuration in
-``/etc/pf.conf``:
-
-::
-
-    ext_if = "em0"
-    forward_ports = "{ 25, 80, 143, 443, 465, 587, 993 }"
-    chatmail_ipv4 = "AAA.BBB.CCC.DDD"
-    icmp_types = "{ echoreq, echorep, unreach, timex }"
-    chatmail_ipv6 = "XXX::1"
-    icmp6_types = "{ echorep, echoreq, neighbradv, neighbrsol, routeradv, routersol, unreach, toobig, timex }"
-
-    set skip on lo0
-
-    nat on $ext_if inet from any to any -> ($ext_if:0)
-    nat on $ext_if inet6 from any to any -> ($ext_if:0)
-
-    # Define the redirect rules
-    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port $forward_ports -> $chatmail_ipv4
-    rdr on $ext_if inet6 proto tcp from any to ($ext_if:0) port $forward_ports -> $chatmail_ipv6
-
-    # Accept the incoming traffic to the specified ports we will NAT redirect
-    pass in quick on $ext_if inet proto tcp from any to any port $forward_ports flags S/SA modulate state
-    pass in quick on $ext_if inet6 proto tcp from any to any port $forward_ports flags S/SA modulate state
-
-    # Allow incoming SSH for host mgmt
-    pass in quick on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA modulate state
-
-    # Allow ICMP
-    pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types keep state
-    pass in quick on $ext_if inet6 proto ipv6-icmp all icmp6-type $icmp6_types keep state
-
-    # Allow traffic from anyone to go through the NAT
-    pass on $ext_if inet proto tcp from any to $chatmail_ipv4 flags S/SA modulate state
-    pass on $ext_if inet6 proto tcp from any to $chatmail_ipv6 flags S/SA modulate state
-
-    # Default allow out
-    pass out quick on $ext_if from any to any
-
-    # Default block
-    block drop in log all
-
-Insert into ``/etc/sysctl.conf.local`` the following two lines:
-
-::
-
-    net.inet.ip.forwarding=1
-    net.inet6.ip6.forwarding=1
-
-Activate the sysctls with ``service sysctl onestart``.
-Enable the pf firewall with ``service pf enable``.
-Apply the firewall rules with ``service pf start`` or ``pfctl -f /etc/pf.conf``.
-Note, enabling the firewall may interrupt your SSH session, but you can reconnect.
-
 Once proxy relay is set up, you can add its IP address to the DNS.
+
--- a/doc/source/related.rst
+++ b/doc/source/related.rst
@@ -7,21 +7,14 @@ Active development takes place in the `chatmail/relay github repository <https:/
 You can check out the `'chatmail' tag in the support.delta.chat forum <https://support.delta.chat/tag/chatmail>`_
 and ask to get added to a non-public support chat for debugging issues.

-We know of three work-in-progress alternative implementation efforts:
+We know of two work-in-progress alternative implementation efforts:

 -  `Mox <https://github.com/mjl-/mox>`_: A Golang email server. `Work
   is in progress <https://github.com/mjl-/mox/issues/251>`_ to modify
   it to support all of the features and configuration settings required
   to operate as a chatmail relay.

-  `Madmail <https://github.com/themadorg/madmail>`_: an
-   experimental fork of `Maddy Mail Server <https://maddy.email/>`_, modified
-   for chatmail deployments.  It provides a single binary solution
-   for running a chatmail relay.
-
-  `Chatmail Cookbook <https://github.com/feld/chatmail-cookbook>`_:
-   A Chef Cookbook implementing a relay server. The project follows the
-   official relay server software and configurations converted to a Chef
-   Cookbook with only minor differences. The cookbook uses DNS-01 for
-   certificate validation and additionally supports FreeBSD. It does not
-   require a Chef server to use.
+-  `Maddy-Chatmail <https://github.com/sadraiiali/maddy_chatmail>`_: a
+   plugin for the `Maddy email server <https://maddy.email/>`_ which
+   aims to implement the chatmail relay features and configuration
+   options.
--- a/www/src/index.md
+++ b/www/src/index.md
@@ -23,3 +23,7 @@ you can also **scan this QR code** with Delta Chat:
 🐣 **Choose** your Avatar and Name

 💬 **Start** chatting with any Delta Chat contacts using [QR invite codes](https://delta.chat/en/help#howtoe2ee)
+
+{% if config.mail_domain != "nine.testrun.org" %}
+<div class="experimental">Note: this is only a temporary development chatmail service</div>
+{% endif %}
--- a/www/src/robots.txt
+++ b/www/src/robots.txt
@@ -1,2 +0,0 @@
-User-agent: *
-Disallow: /
Author	SHA1	Message	Date
cliffmccarthy	2522fb676c	docs: Remove section about use of objects	2025-11-13 07:40:40 -06:00
cliffmccarthy	01cd634be6	docs: Update cmdeploy architecture details - Revised cmdeploy documentation in doc/source/overview.rst to reflect the recent revisions to the Deployer interface.	2025-11-12 23:24:14 -06:00
cliffmccarthy	e20226f331	refactor: Simplify interface to Deployer.install() - In the current code, the only class using the interface that sets need_restart() from the return value of the install() method was IrohDeployer. That interface was created when the install method was a static method, but now it is an instance method with access to 'self'. Therefore, we don't need to pass anything up to the caller to have them set the attribute, we can just set it. - Revised IrohDeployer.install() to set self.need_restart directly, rather than returning a value. - Revised Deployment.install() to ignore the return value of the deployers' install() methods. - need_restart is still present in the base Deployer class to ensure that it is always defined, even when classes do not set it in a constructor. Apart from this initialization for convenience, there is no longer any specific exposure of need_restart in the interface of the Deployer class. - In general, install() methods should use 'self' as little as possible, preferably not at all. In particular, install() methods should never depend on "config" data, such as the config dictionary in self.config or specific values like self.mail_domain. This ensures that these methods can be used to perform generic installation operations that are applicable across multiple relay deployments, and therefore can be called in the process of building a general-purpose container image.	2025-11-12 19:16:51 -06:00
cliffmccarthy	354418c877	refactor: Pass all constructor arguments by position - The constructor arguments do not have default values; they are all required. Revised deploy_chatmail() to pass them by position rather than name, so that the caller is not coupled to the names of the arguments inside the method definition.	2025-11-12 19:16:51 -06:00
cliffmccarthy	e98b142585	style: Formatting revisions	2025-11-12 19:16:51 -06:00
cliffmccarthy	2ca4dd5f30	refactor: Revise AcmetoolDeployer for new Deployer interface	2025-11-12 19:16:51 -06:00
holger krekel	47c14f0b70	use a Deployer for setting the remote git hash	2025-11-12 19:16:51 -06:00
holger krekel	258cd9f4c3	strike unneccessary ,* argument flexibility	2025-11-12 19:16:51 -06:00
holger krekel	282b4965a2	remove static method and Make Deployer instances not set any default state	2025-11-12 19:16:51 -06:00
holger krekel	6a1f7543a5	now that Deployer class is clean and not mixed with what is in Deployment, use the simpler "install", "configure" and "activate" namings instead of *_impl	2025-11-12 19:16:51 -06:00
holger krekel	b0f247a41f	further reduce indirections for staged install	2025-11-12 19:16:51 -06:00
holger krekel	66daf3003b	simplify required_users configuration (a method is not needed for now)	2025-11-12 19:16:51 -06:00
holger krekel	4a154b0a2c	remove indirection with "stages"	2025-11-12 19:16:51 -06:00
holger krekel	8557abacda	strike unnccessary deployer variables	2025-11-12 19:16:51 -06:00
cliffmccarthy	415dc15e49	refactor: Move doveauth out of ChatmailVenvDeployer - Revised DovecotDeployer to use _configure_remote_units() and _activate_remote_units() to deploy doveauth. This keeps the Dovecot-related services in a single deployer class, leaving only services that are part of the chatmail project in ChatmailVenvDeployer. - Removed doveauth from the unit list in ChatmailVenvDeployer.	2025-11-12 19:16:51 -06:00
cliffmccarthy	1166877eef	refactor: Move echobot out of ChatmailVenvDeployer - Revised EchobotDeployer to use _configure_remote_units() and _activate_remote_units(). The 'activate' stage of ChatmailVenvDeployer was unconditionally restarting the service every time, so EchobotDeployer no longer needs to depend on the was_restarted attributes of the postfix and dovecot deployers in an attempt to avoid restarting it; we can just handle the unconditional restart in EchobotDeployer.activate_impl(). - Removed echobot from the unit list in ChatmailVenvDeployer. - Removed now-unused was_restarted attribute from PostfixDeployer and DovecotDeployer.	2025-11-12 19:16:51 -06:00
cliffmccarthy	12884e0caf	refactor: Move turnserver out of ChatmailVenvDeployer - Revised TurnDeployer to use _configure_remote_units() and _activate_remote_units(). This class no longer uses need_restart and daemon_reload attributes to keep track of state. The activate stage of ChatmailVenvDeployer was unconditionally restarting the service every time, so we don't need to keep track of extra state in an attempt to avoid restarting it; we can just handle the unconditional restart in TurnDeployer.activate_impl(). - Removed turnserver from the unit list in ChatmailVenvDeployer.	2025-11-12 19:16:51 -06:00
cliffmccarthy	897d4f161b	refactor: Move unit list to ChatmailVenvDeployer - Split _configure_remote_venv_with_chatmaild() into two functions. _configure_remote_venv_with_chatmaild() handles details specific to the "venv", while the new _configure_remote_units() is a more general function that is applicable to several services. - Renamed _activate_remote_venv_with_chatmaild() to _activate_remote_units() because doesn't have anything venv-specific. - Removed list of units from helper functions (where it appeared twice); moved it to ChatmailVenvDeployer, where its is passed as an argument to _configure_remote_units() and _activate_remote_units().	2025-11-12 19:16:51 -06:00
cliffmccarthy	8afbea9b31	chore: Add CHANGELOG.md entry for cmdeploy refactor	2025-11-12 19:16:51 -06:00
cliffmccarthy	ca1bd77d37	feat: Reorder deployers - Moved fcgiwrap before nginx. - Exchanged order of turn and unbound. - Moved journald as early as possible. - Suggested in review by missytake.	2025-11-12 19:16:51 -06:00
cliffmccarthy	b2de410335	feat: Remove obs-home-deltachat.gpg - We don't install Dovecot from OBS anymore. - Removed files.put() that creates /etc/apt/keyrings/obs-home-deltachat.gpg; replaced this with a files.file() that sets present=False to remove the file from any existing installations where it already has been installed. - Removed now-unused obs-home-deltachat.gpg file. - Clarified description of sources.list operation. - Suggested in review by missytake and hpk42.	2025-11-12 19:16:51 -06:00
cliffmccarthy	656cc71f08	fix: Block unbound from starting up on install - On an IPv4-only system, if unbound is started but not configured, it causes subsequent steps to fail to resolve hosts. - Revised UnboundDeployer.install_impl() to use policy-rc.d to prevent the service from starting when installed. This is the same mechanism used to keep nginx from starting on install.	2025-11-12 19:16:51 -06:00
cliffmccarthy	181b7a6d5b	docs: Add architectural information about deployer classes - Updated overview.rst to describe the Deployer class hierarchy and the motivations behind it.	2025-11-12 19:16:51 -06:00
cliffmccarthy	0273768c0d	refactor: Call install, configure, and activate methods in loops - Revised deploy_chatmail() to use all_deployers to call the install(), configure(), and activate() methods on all the deployers, rather than listing them explicitly in the code.	2025-11-12 19:16:51 -06:00
cliffmccarthy	0a2ade038c	refactor: Reorder deploy_chatmail() - The previous commits that added Deployer classes mostly kept deployment operations in the same order that they were in before. To organize the process into separate stages for install, configure, and activate, we need to reorder the method calls. This is the commit that does that, and thus this is the commit that has the largest effect on the order of operations. - The calls for the deployer objects are all reordered here so that the methods are called in the same sequence for each stage. This will allow us to collect the calls into loops in the next commit. This commit provides a way to see a diff showing exactly how the sequence changed. - The sequence of deployers was largely based on preserving the order of the "activate" stage, as this seems like the place order might be the most likely to matter. Installation of packages and configuration of files should generally be able to run in any order. (ChatmailDeployer handles updating the apt data, and therefore needs to be first, however.)	2025-11-12 19:16:51 -06:00
cliffmccarthy	67c5cf3204	refactor: Move curl installation from IrohDeployer to ChatmailDeployer - The 'curl' program is used in TurnDeployer and IrohDeployer, so it makes more sense to install it at the beginning in ChatmailDeployer, rather than have each thing that uses it install it separately.	2025-11-12 19:16:51 -06:00
cliffmccarthy	e70c023541	refactor: Add TurnDeployer - This splits the existing deploy_turn_server() routine into methods for the install, configure, and activate stages.	2025-11-12 19:16:51 -06:00
cliffmccarthy	7b75944f6b	refactor: Add WebsiteDeployer - This adds a step to create /var/www in the install stage, because the directory needs to exist for the rsync in the configure stage to work.	2025-11-12 19:16:51 -06:00
cliffmccarthy	3b44b61586	refactor: Add EchobotDeployer - This class is a special case because it has a dependency on the Postfix and Dovecot deployers. When deciding whether to restart the echobot service, it needs to know whether the Postfix and Dovecot deployers restarted their services. To support this dependency, the PostfixDeployer and DovecotDeployer objects are passed to the EchobotDeployer object, so it can check their was_restarted attributes.	2025-11-12 19:16:51 -06:00
cliffmccarthy	533f0afde0	refactor: Add FcgiwrapDeployer	2025-11-12 19:16:51 -06:00
cliffmccarthy	3e4a602a5d	refactor: Add ChatmailDeployer - This moves the installation of cron earlier in the deployment sequence.	2025-11-12 19:16:51 -06:00
cliffmccarthy	e1d5d3e609	refactor: Add ChatmailVenvDeployer	2025-11-12 19:16:51 -06:00
cliffmccarthy	4dd041d799	refactor: Split _install_remote_venv_with_chatmaild into stages - Split _install_remote_venv_with_chatmaild() into three routines, to handle the install, configure, and activate stages. - This moves the upload of chatmail.ini later in the deployment process, because it is a configuration file specific to the instance, not software installation that would be uniform across all deployments.	2025-11-12 19:16:51 -06:00
cliffmccarthy	54c6bf6351	refactor: Add RspamdDeployer - This replaces the existing _remove_rspamd() routine with a method for the install stage.	2025-11-12 19:16:51 -06:00
cliffmccarthy	f904c4e400	refactor: Add MtastsDeployer - This splits the existing _uninstall_mta_sts_daemon() routine into methods for the configure and activate stages.	2025-11-12 19:16:51 -06:00
cliffmccarthy	a1972acf8f	refactor: Add MtailDeployer - This splits the existing deploy_mtail() routine into methods for the install, configure, and activate stages.	2025-11-12 19:16:51 -06:00
cliffmccarthy	afc1be2671	refactor: Add AcmetoolDeployer - This splits the existing deploy_acmetool() routine into methods for the install, configure, and activate stages.	2025-11-12 19:16:51 -06:00
cliffmccarthy	6afd31fb17	refactor: Add JournaldDeployer	2025-11-12 19:16:51 -06:00
cliffmccarthy	93d9c0eb40	refactor: Add IrohDeployer - This splits the existing deploy_iroh_relay() routine into methods for the install, configure, and activate stages.	2025-11-12 19:16:51 -06:00
cliffmccarthy	e3718eb4f8	refactor: Add UnboundDeployer	2025-11-12 19:16:51 -06:00
cliffmccarthy	b43059764b	refactor: Add OpendkimDeployer - Note that this moves the installation of the opendkim package earlier in the deployment sequence. Previously, it was installed during the _configure_opendkim() routine.	2025-11-12 19:16:51 -06:00
cliffmccarthy	95edf42069	refactor: Add NginxDeployer - Use policy-rc.d during nginx install. This is needed to keep nginx from starting up and interfering with acmetool. For more information see: - https://serverfault.com/questions/861583/how-to-stop-nginx-from-being-automatically-started-on-install - https://major.io/p/install-debian-packages-without-starting-daemons/ - https://people.debian.org/~hmh/invokerc.d-policyrc.d-specification.txt	2025-11-12 19:16:51 -06:00
cliffmccarthy	b966c37740	refactor: Add PostfixDeployer - Removed now-unused 'debug' variable from deploy_chatmail().	2025-11-12 19:16:51 -06:00
cliffmccarthy	1d1522880e	refactor: Add DovecotDeployer	2025-11-12 19:16:51 -06:00
cliffmccarthy	2aeea0d95f	refactor: Add Deployer base class - Added a Deployer class that defines the base for objects that will handle installation of individual components, with install, configure, and activate stages. Subclasses will override the implementation methods of those stages as needed, while the base class handles all the logic of deciding which stages to execute. - The CMDEPLOY_STAGES environment variable is used to determine what stages to run. If this is not defined, all stages run as usual. - Added import of Deployer to cmdeploy/__init__.py. This is not yet used, but the next series of commits will use it. - In deploy_chatmail(), define an empty list of deployers, and call the create_groups() and create_users() methods for the items in the list. This list will get filled with Deployer objects in the next series of commits.	2025-11-12 19:16:51 -06:00
cliffmccarthy	8bb0c20276	refactor: Move addition of 9.9.9.9 resolver earlier - Moved the "Add 9.9.9.9 to resolv.conf" step earlier, before the creation of users or updates to any config files. This should not affect any of those operations. Moving this step earlier makes it easier to accommodate the restructuring of the deployment process into separate components with separate stages for install, configure, and activate.	2025-11-12 19:16:51 -06:00
cliffmccarthy	e6c97786dc	refactor: Move all imports to top of cmdeploy/__init__.py	2025-11-12 19:16:51 -06:00