fix: pin chatmail core to 2.49.0

2.50.0 has delete_server_after config removed,
but it is still used in the tests.

.github/workflows/docker-dispatch.yaml

@@ -9,6 +9,7 @@ name: Trigger Docker build
 on:
   push:
     branches: [main]
+    tags: ['[0-9]+.[0-9]+.[0-9]+']
   workflow_dispatch:
 
 permissions: {}

CHANGELOG.md

@@ -1,5 +1,47 @@
 # Changelog for chatmail deployment
 
+## [1.11.0] - 2026-05-15
+
+### Breaking Changes
+
+- [**breaking**] Drop passthrough_sender and passthrough_recipients chatmail.ini options to eliminate one more source of unencrypted messages
+
+### Features
+
+- Use filtermail for delivery to remote MTAs
+- Expose metadata "maxsmtprecipients" value
+- Support setup without domain, with only an IPv4 address (#963)
+- *(doc/docker)* Introduce docker images in documentation
+- DKIM-sign bounce messages (mainly "user does not exist")
+- *(config)* Load default values from Config(), not chatmail.ini.f (#853)
+- Make turn_socket_path configurable, and cleanup tests and turnserver code.
+- Warn about any unused chatmail.ini parameter at the end of "cmdeploy run"
+
+### Bug Fixes
+
+- Make www tests work with editable instead of just plain installs
+- Use path with no leading slash for mxdeliv
+- Increase filtermail-transport concurrency limit
+- Fix #972 by increasing file descriptors for filtermail
+- *(mtail)* Correct boot ordering and deploy restart logic
+- *(cmdeploy)* Stop and disable unbound-resolvconf
+- *(nginx)* Properly redirect www to mail_domain
+- *(dns)* Query correct NS if MNAME server is hidden (#954)
+- Legacy token metadata storage used list type, but if no new setmetadata happened, the user would not be notified at all.
+- *(logging)* Log all http requests to syslog
+
+### Documentation
+
+- Document how to upgrade to new version (#965)
+
+### Other
+
+- *(deps)* Upgrade to filtermail v0.6.4
+
+### Refactor
+
+- Introduce automated change-tracking across deployers
+
 ## 1.10.0 2026-04-30
 
 * start mtail after networking is fully up <https://github.com/chatmail/relay/pull/942>

chatmaild/pyproject.toml

@@ -26,7 +26,6 @@ chatmail-expire = "chatmaild.expire:daily_expire_main"
 chatmail-quota-expire = "chatmaild.expire:quota_expire_main"
 chatmail-fsreport = "chatmaild.fsreport:main"
 lastlogin = "chatmaild.lastlogin:main"
-turnserver = "chatmaild.turnserver:main"
 
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"

chatmaild/src/chatmaild/config.py

@@ -10,18 +10,14 @@ from chatmaild.user import User
 def read_config(inipath):
     assert Path(inipath).exists(), inipath
     cfg = iniconfig.IniConfig(inipath)
-    params = cfg.sections["params"]
+    return Config(inipath, params=cfg.sections["params"])
-    default_config_content = get_default_config_content(params["mail_domain"])
-    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
-    new_params = dict(df_params.items())
-    new_params.update(params)
-    return Config(inipath, params=new_params)
 
 
 class Config:
     def __init__(self, inipath, params):
         self._inipath = inipath
-        raw_domain = params["mail_domain"]
+        params = dict(params)
+        raw_domain = params.pop("mail_domain")
         self.mail_domain_bare = raw_domain
 
         if is_valid_ipv4(raw_domain):
@@ -34,55 +30,59 @@ class Config:
             self.mail_domain = raw_domain
             self.postfix_myhostname = raw_domain
 
-        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
+        self.max_user_send_per_minute = int(params.pop("max_user_send_per_minute", 60))
-        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
+        self.max_user_send_burst_size = int(params.pop("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params["max_mailbox_size"]
+        self.max_mailbox_size = params.pop("max_mailbox_size", "500M")
-        self.max_message_size = int(params.get("max_message_size", "31457280"))
+        self.max_message_size = int(params.pop("max_message_size", 31457280))
-        self.delete_mails_after = params["delete_mails_after"]
+        self.delete_mails_after = params.pop("delete_mails_after", "20")
-        self.delete_large_after = params["delete_large_after"]
+        self.delete_large_after = params.pop("delete_large_after", "7")
-        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
+        self.delete_inactive_users_after = int(
-        self.username_min_length = int(params["username_min_length"])
+            params.pop("delete_inactive_users_after", 90)
-        self.username_max_length = int(params["username_max_length"])
+        )
-        self.password_min_length = int(params["password_min_length"])
+        self.username_min_length = int(params.pop("username_min_length", 9))
-        self.passthrough_senders = params["passthrough_senders"].split()
+        self.username_max_length = int(params.pop("username_max_length", 9))
-        self.passthrough_recipients = params["passthrough_recipients"].split()
+        self.password_min_length = int(params.pop("password_min_length", 9))
-        self.www_folder = params.get("www_folder", "")
+        self.www_folder = params.pop("www_folder", "")
-        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
+        self.filtermail_smtp_port = int(params.pop("filtermail_smtp_port", "10080"))
         self.filtermail_smtp_port_incoming = int(
-            params.get("filtermail_smtp_port_incoming", "10081")
+            params.pop("filtermail_smtp_port_incoming", "10081")
         )
         self.filtermail_http_port_incoming = int(
-            params.get("filtermail_http_port_incoming", "10082")
+            params.pop("filtermail_http_port_incoming", "10082")
         )
         self.filtermail_lmtp_port_transport = int(
-            params.get("filtermail_lmtp_port_transport", "10083")
+            params.pop("filtermail_lmtp_port_transport", "10083")
         )
-        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
+        self.postfix_reinject_port = int(params.pop("postfix_reinject_port", "10025"))
         self.postfix_reinject_port_incoming = int(
-            params.get("postfix_reinject_port_incoming", "10026")
+            params.pop("postfix_reinject_port_incoming", "10026")
         )
-        self.mtail_address = params.get("mtail_address")
+        self.mtail_address = params.pop("mtail_address", None)
-        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
+        self.disable_ipv6 = params.pop("disable_ipv6", "false").lower() == "true"
-        self.acme_email = params.get("acme_email", "")
+        self.acme_email = params.pop("acme_email", "")
-        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
+        self.imap_rawlog = params.pop("imap_rawlog", "false").lower() == "true"
-        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
+        self.imap_compress = params.pop("imap_compress", "false").lower() == "true"
-        if "iroh_relay" not in params:
+        self.turn_socket_path = params.pop(
+            "turn_socket_path", "/run/chatmail-turn/turn.socket"
+        )
+        iroh_relay = params.pop("iroh_relay", None)
+        if iroh_relay is None:
             self.iroh_relay = "https://" + raw_domain
             self.enable_iroh_relay = True
         else:
-            self.iroh_relay = params["iroh_relay"].strip()
+            self.iroh_relay = iroh_relay.strip()
             self.enable_iroh_relay = False
-        self.privacy_postal = params.get("privacy_postal")
+        self.privacy_postal = params.pop("privacy_postal", None)
-        self.privacy_mail = params.get("privacy_mail")
+        self.privacy_mail = params.pop("privacy_mail", None)
-        self.privacy_pdo = params.get("privacy_pdo")
+        self.privacy_pdo = params.pop("privacy_pdo", None)
-        self.privacy_supervisor = params.get("privacy_supervisor")
+        self.privacy_supervisor = params.pop("privacy_supervisor", None)
 
         # TLS certificate management.
         # If tls_external_cert_and_key is set, use externally managed certs.
         # Otherwise derived from the domain name:
         # - Domains starting with "_" use self-signed certificates
         # - All other domains use ACME.
-        external = params.get("tls_external_cert_and_key", "").strip()
+        external = params.pop("tls_external_cert_and_key", "").strip()
 
         if external:
             parts = external.split()
@@ -103,11 +103,12 @@ class Config:
             self.tls_key_path = f"/var/lib/acme/live/{raw_domain}/privkey"
 
         # deprecated option
-        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
+        mbdir = params.pop("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
         self.mailboxes_dir = Path(mbdir.strip())
 
         # old unused option (except for first migration from sqlite to maildir store)
-        self.passdb_path = Path(params.get("passdb_path", "/home/vmail/passdb.sqlite"))
+        self.passdb_path = Path(params.pop("passdb_path", "/home/vmail/passdb.sqlite"))
+        self._unused_keys = list(params)
 
     @property
     def max_mailbox_size_mb(self):
@@ -164,31 +165,7 @@ def get_default_config_content(mail_domain, **overrides):
     for name, value in extra.items():
         new_line = f"{name} = {value}"
         new_lines.append(new_line)
-
+    return "\n".join(new_lines)
-    content = "\n".join(new_lines)
-
-    # apply testrun privacy overrides
-
-    if mail_domain.endswith(".testrun.org"):
-        override_inipath = inidir.joinpath("override-testrun.ini")
-        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
-        lines = []
-        for line in content.split("\n"):
-            for key, value in privacy.items():
-                value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
-                if not line.startswith(f"{key} =") or not value_lines:
-                    continue
-                if len(value_lines) == 1:
-                    lines.append(f"{key} = {value}")
-                else:
-                    lines.append(f"{key} =")
-                    for vl in value_lines:
-                        lines.append(f"    {vl}")
-                break
-            else:
-                lines.append(line)
-        content = "\n".join(lines)
-    return content
 
 
 def is_valid_ipv4(address: str) -> bool:

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -12,42 +12,35 @@ mail_domain = {mail_domain}
 #
 
 # email sending rate per user and minute
-max_user_send_per_minute = 60
+#max_user_send_per_minute = 60
 
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
-max_user_send_burst_size = 10
+#max_user_send_burst_size = 10
 
 # maximum mailbox size of a chatmail address
-# Oldest messages will be removed automatically, so mailboxes never run full.
+# (Oldest messages will be removed automatically, so mailboxes never run full)
-max_mailbox_size = 500M
+#max_mailbox_size = 500M
 
 # maximum message size for an e-mail in bytes
-max_message_size = 31457280
+#max_message_size = 31457280
 
 # days after which mails are unconditionally deleted
-delete_mails_after = 20
+#delete_mails_after = 20
 
 # days after which large messages (>200k) are unconditionally deleted
-delete_large_after = 7
+#delete_large_after = 7
 
 # days after which users without a successful login are deleted (database and mails)
-delete_inactive_users_after = 90
+#delete_inactive_users_after = 90
 
 # minimum length a username must have
-username_min_length = 9
+#username_min_length = 9
 
 # maximum length a username can have
-username_max_length = 9
+#username_max_length = 9
 
 # minimum length a password must have
-password_min_length = 9
+#password_min_length = 9
-
-# list of chatmail addresses which can send outbound un-encrypted mail
-passthrough_senders =
-
-# list of e-mail recipients for which to accept outbound un-encrypted mails
-# (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients =
 
 # Use externally managed TLS certificates instead of built-in acmetool.
 # Paths refer to files on the deployment server (not the build machine).
@@ -63,19 +56,11 @@ passthrough_recipients =
 # Deployment Details
 #
 
-# SMTP outgoing filtermail and reinjection 
-filtermail_smtp_port = 10080
-postfix_reinject_port = 10025
-
-# SMTP incoming filtermail and reinjection 
-filtermail_smtp_port_incoming = 10081
-postfix_reinject_port_incoming = 10026
-
 # if set to "True" IPv6 is disabled
-disable_ipv6 = False
+#disable_ipv6 = False
 
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
-acme_email = 
+#acme_email =
 
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
@@ -108,13 +93,13 @@ acme_email =
 # in per-maildir ".in/.out" files. 
 # Note that you need to manually cleanup these files
 # so use this option with caution on production servers. 
-imap_rawlog = false 
+#imap_rawlog = false
 
 # set to true if you want to enable the IMAP COMPRESS Extension,
 # which allows IMAP connections to be efficiently compressed.
 # WARNING: Enabling this makes it impossible to hibernate IMAP
 # processes which will result in much higher memory/RAM usage.
-imap_compress = false
+#imap_compress = false
 
 
 #

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,16 +0,0 @@
-
-[privacy]
-
-passthrough_recipients = privacy@testrun.org echo@{mail_domain}
-
-privacy_postal =
-    Merlinux GmbH, Represented by the managing director H. Krekel,
-    Reichgrafen Str. 20, 79102 Freiburg, Germany
-
-privacy_mail = privacy@testrun.org
-privacy_pdo =
-    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
-    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
-privacy_supervisor =
-    State Commissioner for Data Protection and Freedom of Information of
-    Baden-Württemberg in 70173 Stuttgart, Germany.

chatmaild/src/chatmaild/metadata.py

@@ -1,4 +1,5 @@
 import logging
+import socket
 import sys
 import time
 from contextlib import contextmanager
@@ -7,7 +8,14 @@ from .config import read_config
 from .dictproxy import DictProxy
 from .filedict import FileDict
 from .notifier import Notifier
-from .turnserver import turn_credentials
+
+
+def turn_credentials(turn_socket_path):
+    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
+        client_socket.settimeout(5)
+        client_socket.connect(turn_socket_path)
+        with client_socket.makefile("rb") as file:
+            return file.readline().decode("utf-8").strip()
 
 
 def _is_valid_token_timestamp(timestamp, now):
@@ -79,12 +87,20 @@ class Metadata:
 
 
 class MetadataDictProxy(DictProxy):
-    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None):
+    def __init__(
+        self,
+        notifier,
+        metadata,
+        iroh_relay=None,
+        turn_hostname=None,
+        turn_socket_path=None,
+    ):
         super().__init__()
         self.notifier = notifier
         self.metadata = metadata
         self.iroh_relay = iroh_relay
         self.turn_hostname = turn_hostname
+        self.turn_socket_path = turn_socket_path
 
     def handle_lookup(self, parts):
         # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
@@ -101,7 +117,7 @@ class MetadataDictProxy(DictProxy):
                             return f"O{self.iroh_relay}\n"
                         case "turn":
                             try:
-                                res = turn_credentials()
+                                res = turn_credentials(self.turn_socket_path)
                             except Exception:
                                 logging.exception("failed to get TURN credentials")
                                 return "N\n"
@@ -135,6 +151,7 @@ def main():
     config = read_config(config_path)
     iroh_relay = config.iroh_relay
     mail_domain = config.mail_domain
+    socket_path = config.turn_socket_path
 
     vmail_dir = config.mailboxes_dir
     if not vmail_dir.exists():
@@ -152,6 +169,7 @@ def main():
         metadata=metadata,
         iroh_relay=iroh_relay,
         turn_hostname=mail_domain,
+        turn_socket_path=socket_path,
     )
 
     dictproxy.serve_forever_from_socket(socket)

chatmaild/src/chatmaild/tests/test_config.py

@@ -13,7 +13,12 @@ def test_read_config_basic(example_config):
     assert not example_config.privacy_pdo and not example_config.privacy_postal
 
     inipath = example_config._inipath
-    inipath.write_text(inipath.read_text().replace("60", "37"))
+    inipath.write_text(
+        inipath.read_text().replace(
+            "#max_user_send_per_minute = 60",
+            "max_user_send_per_minute = 37",
+        )
+    )
     example_config = read_config(inipath)
     assert example_config.max_user_send_per_minute == 37
     assert example_config.mail_domain == "chat.example.org"
@@ -31,26 +36,21 @@ def test_read_config_basic_using_defaults(tmp_path, maildomain):
     example_config = read_config(inipath)
     assert example_config.max_user_send_per_minute == 60
     assert example_config.filtermail_smtp_port_incoming == 10081
+    assert example_config.filtermail_smtp_port == 10080
+    assert example_config.postfix_reinject_port == 10025
+    assert example_config.max_user_send_per_minute == 60
+    assert example_config.max_mailbox_size == "500M"
+    assert example_config.delete_mails_after == "20"
+    assert example_config.delete_large_after == "7"
+    assert example_config.username_min_length == 9
+    assert example_config.username_max_length == 9
+    assert example_config.password_min_length == 9
+    assert example_config._unused_keys == []
 
 
-def test_read_config_testrun(make_config):
+def test_config_unused_keys(make_config):
-    config = make_config("something.testrun.org")
+    config = make_config("chat.example.org", {"passthrough_senders": "x@y.org"})
-    assert config.mail_domain == "something.testrun.org"
+    assert config._unused_keys == ["passthrough_senders"]
-    assert len(config.privacy_postal.split("\n")) > 1
-    assert len(config.privacy_supervisor.split("\n")) > 1
-    assert len(config.privacy_pdo.split("\n")) > 1
-    assert config.privacy_mail == "privacy@testrun.org"
-    assert config.filtermail_smtp_port == 10080
-    assert config.postfix_reinject_port == 10025
-    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "500M"
-    assert config.delete_mails_after == "20"
-    assert config.delete_large_after == "7"
-    assert config.username_min_length == 9
-    assert config.username_max_length == 9
-    assert config.password_min_length == 9
-    assert "privacy@testrun.org" in config.passthrough_recipients
-    assert config.passthrough_senders == []
 
 
 def test_config_userstate_paths(make_config, tmp_path):

chatmaild/src/chatmaild/tests/test_metadata.py

@@ -324,7 +324,7 @@ def test_turn_credentials_exception_returns_N(notifier, metadata, monkeypatch):
         turn_hostname="turn.example.org",
     )
 
-    def mock_turn_credentials():
+    def mock_turn_credentials(turn_socket_path):
         raise ConnectionRefusedError("socket not available")
 
     monkeypatch.setattr(chatmaild.metadata, "turn_credentials", mock_turn_credentials)
@@ -348,7 +348,9 @@ def test_turn_credentials_success(notifier, metadata, monkeypatch):
         turn_hostname="turn.example.org",
     )
 
-    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", lambda: "user:pass")
+    monkeypatch.setattr(
+        chatmaild.metadata, "turn_credentials", lambda path: "user:pass"
+    )
 
     transactions = {}
     res = dictproxy.handle_dovecot_request(

chatmaild/src/chatmaild/tests/test_turn.py

@@ -0,0 +1,46 @@
+import socket
+import threading
+
+import pytest
+
+from chatmaild.metadata import turn_credentials
+
+
+@pytest.fixture
+def turn_socket(tmp_path):
+    sock_path = str(tmp_path / "turn.socket")
+    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+    server.bind(sock_path)
+    server.listen(1)
+    yield sock_path, server
+    server.close()
+
+
+def test_turn_credentials_timeout(turn_socket):
+    sock_path, server = turn_socket
+    with pytest.raises(socket.timeout):
+        # Inside turn_credentials the kernel listen backlog (1)
+        # completes connect() without accept()
+        # so the client blocks on readline() until the 5s timeout fires.
+        turn_credentials(sock_path)
+
+
+def test_turn_credentials_connection_refused_on_not_existing_socket(tmp_path):
+    missing = str(tmp_path / "nonexistent.socket")
+    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
+        turn_credentials(missing)
+
+
+def test_turn_credentials_socket_success(turn_socket):
+    sock_path, server = turn_socket
+
+    def respond():
+        conn, _ = server.accept()
+        conn.sendall(b"testuser:testpass\n")
+        conn.close()
+
+    t = threading.Thread(target=respond, daemon=True)
+    t.start()
+
+    result = turn_credentials(sock_path)
+    assert result == "testuser:testpass"

chatmaild/src/chatmaild/tests/test_turnserver.py

@@ -1,73 +0,0 @@
-import socket
-import threading
-import time
-from unittest.mock import patch
-
-import pytest
-
-from chatmaild.turnserver import turn_credentials
-
-SOCKET_PATH = "/run/chatmail-turn/turn.socket"
-
-
-@pytest.fixture
-def turn_socket(tmp_path):
-    """Create a real Unix socket server at a temp path."""
-    sock_path = str(tmp_path / "turn.socket")
-    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-    server.bind(sock_path)
-    server.listen(1)
-    yield sock_path, server
-    server.close()
-
-
-def _call_turn_credentials(sock_path):
-    """Call turn_credentials but connect to sock_path instead of hardcoded path."""
-    original_connect = socket.socket.connect
-
-    def patched_connect(self, address):
-        if address == SOCKET_PATH:
-            address = sock_path
-        return original_connect(self, address)
-
-    with patch.object(socket.socket, "connect", patched_connect):
-        return turn_credentials()
-
-
-def test_turn_credentials_timeout(turn_socket):
-    """Server accepts but never responds — must raise socket.timeout."""
-    sock_path, server = turn_socket
-
-    def accept_and_hang():
-        conn, _ = server.accept()
-        time.sleep(30)
-        conn.close()
-
-    t = threading.Thread(target=accept_and_hang, daemon=True)
-    t.start()
-
-    with pytest.raises(socket.timeout):
-        _call_turn_credentials(sock_path)
-
-
-def test_turn_credentials_connection_refused(tmp_path):
-    """Socket file doesn't exist — must raise ConnectionRefusedError or FileNotFoundError."""
-    missing = str(tmp_path / "nonexistent.socket")
-    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
-        _call_turn_credentials(missing)
-
-
-def test_turn_credentials_success(turn_socket):
-    """Server responds with credentials — must return stripped string."""
-    sock_path, server = turn_socket
-
-    def respond():
-        conn, _ = server.accept()
-        conn.sendall(b"testuser:testpass\n")
-        conn.close()
-
-    t = threading.Thread(target=respond, daemon=True)
-    t.start()
-
-    result = _call_turn_credentials(sock_path)
-    assert result == "testuser:testpass"

chatmaild/src/chatmaild/turnserver.py

@@ -1,10 +0,0 @@
-#!/usr/bin/env python3
-import socket
-
-
-def turn_credentials() -> str:
-    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
-        client_socket.settimeout(5)
-        client_socket.connect("/run/chatmail-turn/turn.socket")
-        with client_socket.makefile("rb") as file:
-            return file.readline().decode("utf-8").strip()

cmdeploy/pyproject.toml

@@ -19,8 +19,8 @@ dependencies = [
   "pytest-xdist", 
   "execnet",
   "imap_tools",
-  "deltachat-rpc-client",
+  "deltachat-rpc-client==2.49.0",
-  "deltachat-rpc-server",
+  "deltachat-rpc-server==2.49.0",
 ]
 
 [project.scripts]

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -84,6 +84,15 @@ def run_cmd_options(parser):
     add_ssh_host_option(parser)
 
 
+def _warn_unused_settings(unused_keys, out):
+    if unused_keys:
+        names = ", ".join(unused_keys)
+        out.red(
+            f"WARNING: chatmail.ini contains settings that have no effect: {names}\n"
+            "Please remove them from chatmail.ini."
+        )
+
+
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
@@ -125,6 +134,7 @@ def run_cmd(args, out):
             out.green("Deploy completed.")
         else:
             out.green("Deploy completed, call `cmdeploy dns` next.")
+        _warn_unused_settings(args.config._unused_keys, out)
         return 0
     except subprocess.CalledProcessError:
         out.red("Deploy failed")

cmdeploy/src/cmdeploy/filtermail/filtermail-transport.service.j2

@@ -6,6 +6,7 @@ ExecStart={{ bin_path }} {{ config_path }} transport
 Restart=always
 RestartSec=30
 User=vmail
+LimitNOFILE=524288
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -53,7 +53,8 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 # See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
 tls_preempt_cipherlist = yes
 
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# Reject by default, override per smtpd in master.cf
+smtpd_relay_restrictions = reject
 myhostname = {{ config.postfix_myhostname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
@@ -101,9 +102,24 @@ smtpd_peername_lookup = no
 # so instead this is handled in filtermail.
 # We use LMTP instead SMTP so we can communicate per-recipient errors back to postfix.
 default_transport = lmtp-filtermail:inet:[127.0.0.1]:{{ config.filtermail_lmtp_port_transport }}
+
+# All deliveries over lmtp-filtermail are treated
+# as having the same destination [127.0.0.1],
+# so it is not possible to limit per-destination concurrency here,
+# it is a job for filtermail-transport.
+# Total number of parallel deliveries is limited
+# by "maxproc" column in /etc/postfix/master.cf for lmtp-filtermail.
+# Settings below are to prevent Postfix queue manager
+# from limiting the number of LMTP connections to filtermail-transport.
+# Read <https://www.postfix.org/TUNING_README.html#rope> and
+# <https://www.postfix.org/SCHEDULER_README.html> for the details
+# of the Postfix algorithm that we effectively disable here.
 lmtp-filtermail_initial_destination_concurrency=10000
 lmtp-filtermail_destination_concurrency_limit=10000
 
+# Do not try to deliver messages for more than 2 days.
+maximal_queue_lifetime = 2d
+
 {% if not config.ipv4_relay %}
 # DKIM-sign locally generated mail (bounces, DSNs).
 # These bypass smtpd, so they need explicit milter configuration.

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -17,6 +17,7 @@ smtp      inet  n       -       y       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_mandatory_protocols=>=TLSv1.2
   -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
+  -o smtpd_relay_restrictions=reject_unauth_destination
 submission inet n       -       y       -       5000    smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
@@ -81,12 +82,14 @@ filter    unix -        n       n       -       -       lmtp
   -o syslog_name=postfix/reinject
   -o milter_macro_daemon_name=ORIGINATING
   -o cleanup_service_name=authclean
+  -o smtpd_relay_restrictions=permit_mynetworks,reject
 {% if not config.ipv4_relay %}  -o smtpd_milters=unix:opendkim/opendkim.sock
 {% endif %}
 
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject_incoming
+  -o smtpd_relay_restrictions=reject_unauth_destination
 
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.
@@ -102,7 +105,15 @@ filter    unix -        n       n       -       -       lmtp
 authclean unix  n       -       -       -       0       cleanup
   -o header_checks=regexp:/etc/postfix/submission_header_cleanup
 
-lmtp-filtermail unix  -       -       y       -       10000       lmtp
+# Reducing `maxproc` here may result in a head of line blocking
+# when there are many messages sent to unreachable destinations
+# at the same time.
+# LMTP clients here talk to filtermail-transport.
+# LMTP has no pipelining,
+# so while filtermail-transport tries to deliver the message,
+# possibly waiting for a long connection timeout
+# or talking to a slow server, LMTP client cannot be reused.
+lmtp-filtermail unix  -       -       y       -       500       lmtp
   -o syslog_name=postfix/lmtp-filtermail
   -o lmtp_header_checks=
   -o lmtp_tls_security_level=none

doc/source/faq.rst

@@ -60,6 +60,7 @@ and run the following commands:
    ::
 
        git pull origin main --rebase --autostash
+       scripts/initenv.sh
        scripts/cmdeploy run
 
 If you don't want the latest development version,