fix: set relay restrictions per smtpd service with default reject

We never want to defer email with a tepporary error when it has destination
that we cannot deliver locally and don't want to relay.
To avoid doing this accidentally, set default action to "reject"
and then override it with the minimal restrictions per smtpd.

Submission ports already had smtpd_relay_restrictions=permit_sasl_authenticated,reject override.

Each smtpd port must have at least one of
reject, reject_unauth_destination, defer, defer_if_permit, defer_unauth_destination
according to <https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions>.

I have set smtpd_relay_restrictions=reject_unauth_destination for port 25 and incoming reinject port,
and smtpd_relay_restrictions=permit_mynetworks,reject for outgoing reinject port.

.github/workflows/docker-dispatch.yaml

@@ -9,6 +9,7 @@ name: Trigger Docker build
 on:
   push:
     branches: [main]
+    tags: ['[0-9]+.[0-9]+.[0-9]+']
   workflow_dispatch:
 
 permissions: {}

CHANGELOG.md

@@ -1,5 +1,47 @@
 # Changelog for chatmail deployment
 
+## [1.11.0] - 2026-05-15
+
+### Breaking Changes
+
+- [**breaking**] Drop passthrough_sender and passthrough_recipients chatmail.ini options to eliminate one more source of unencrypted messages
+
+### Features
+
+- Use filtermail for delivery to remote MTAs
+- Expose metadata "maxsmtprecipients" value
+- Support setup without domain, with only an IPv4 address (#963)
+- *(doc/docker)* Introduce docker images in documentation
+- DKIM-sign bounce messages (mainly "user does not exist")
+- *(config)* Load default values from Config(), not chatmail.ini.f (#853)
+- Make turn_socket_path configurable, and cleanup tests and turnserver code.
+- Warn about any unused chatmail.ini parameter at the end of "cmdeploy run"
+
+### Bug Fixes
+
+- Make www tests work with editable instead of just plain installs
+- Use path with no leading slash for mxdeliv
+- Increase filtermail-transport concurrency limit
+- Fix #972 by increasing file descriptors for filtermail
+- *(mtail)* Correct boot ordering and deploy restart logic
+- *(cmdeploy)* Stop and disable unbound-resolvconf
+- *(nginx)* Properly redirect www to mail_domain
+- *(dns)* Query correct NS if MNAME server is hidden (#954)
+- Legacy token metadata storage used list type, but if no new setmetadata happened, the user would not be notified at all.
+- *(logging)* Log all http requests to syslog
+
+### Documentation
+
+- Document how to upgrade to new version (#965)
+
+### Other
+
+- *(deps)* Upgrade to filtermail v0.6.4
+
+### Refactor
+
+- Introduce automated change-tracking across deployers
+
 ## 1.10.0 2026-04-30
 
 * start mtail after networking is fully up <https://github.com/chatmail/relay/pull/942>

chatmaild/pyproject.toml

@@ -26,7 +26,6 @@ chatmail-expire = "chatmaild.expire:daily_expire_main"
 chatmail-quota-expire = "chatmaild.expire:quota_expire_main"
 chatmail-fsreport = "chatmaild.fsreport:main"
 lastlogin = "chatmaild.lastlogin:main"
-turnserver = "chatmaild.turnserver:main"
 
 [project.entry-points.pytest11]
 "chatmaild.testplugin" = "chatmaild.tests.plugin"

chatmaild/src/chatmaild/config.py

@@ -10,18 +10,14 @@ from chatmaild.user import User
 def read_config(inipath):
     assert Path(inipath).exists(), inipath
     cfg = iniconfig.IniConfig(inipath)
-    params = cfg.sections["params"]
-    default_config_content = get_default_config_content(params["mail_domain"])
-    df_params = iniconfig.IniConfig("ini", data=default_config_content)["params"]
-    new_params = dict(df_params.items())
-    new_params.update(params)
-    return Config(inipath, params=new_params)
+    return Config(inipath, params=cfg.sections["params"])
 
 
 class Config:
     def __init__(self, inipath, params):
         self._inipath = inipath
-        raw_domain = params["mail_domain"]
+        params = dict(params)
+        raw_domain = params.pop("mail_domain")
         self.mail_domain_bare = raw_domain
 
         if is_valid_ipv4(raw_domain):
@@ -34,55 +30,59 @@ class Config:
             self.mail_domain = raw_domain
             self.postfix_myhostname = raw_domain
 
-        self.max_user_send_per_minute = int(params.get("max_user_send_per_minute", 60))
-        self.max_user_send_burst_size = int(params.get("max_user_send_burst_size", 10))
-        self.max_mailbox_size = params["max_mailbox_size"]
-        self.max_message_size = int(params.get("max_message_size", "31457280"))
-        self.delete_mails_after = params["delete_mails_after"]
-        self.delete_large_after = params["delete_large_after"]
-        self.delete_inactive_users_after = int(params["delete_inactive_users_after"])
-        self.username_min_length = int(params["username_min_length"])
-        self.username_max_length = int(params["username_max_length"])
-        self.password_min_length = int(params["password_min_length"])
-        self.passthrough_senders = params["passthrough_senders"].split()
-        self.passthrough_recipients = params["passthrough_recipients"].split()
-        self.www_folder = params.get("www_folder", "")
-        self.filtermail_smtp_port = int(params.get("filtermail_smtp_port", "10080"))
+        self.max_user_send_per_minute = int(params.pop("max_user_send_per_minute", 60))
+        self.max_user_send_burst_size = int(params.pop("max_user_send_burst_size", 10))
+        self.max_mailbox_size = params.pop("max_mailbox_size", "500M")
+        self.max_message_size = int(params.pop("max_message_size", 31457280))
+        self.delete_mails_after = params.pop("delete_mails_after", "20")
+        self.delete_large_after = params.pop("delete_large_after", "7")
+        self.delete_inactive_users_after = int(
+            params.pop("delete_inactive_users_after", 90)
+        )
+        self.username_min_length = int(params.pop("username_min_length", 9))
+        self.username_max_length = int(params.pop("username_max_length", 9))
+        self.password_min_length = int(params.pop("password_min_length", 9))
+        self.www_folder = params.pop("www_folder", "")
+        self.filtermail_smtp_port = int(params.pop("filtermail_smtp_port", "10080"))
         self.filtermail_smtp_port_incoming = int(
-            params.get("filtermail_smtp_port_incoming", "10081")
+            params.pop("filtermail_smtp_port_incoming", "10081")
         )
         self.filtermail_http_port_incoming = int(
-            params.get("filtermail_http_port_incoming", "10082")
+            params.pop("filtermail_http_port_incoming", "10082")
         )
         self.filtermail_lmtp_port_transport = int(
-            params.get("filtermail_lmtp_port_transport", "10083")
+            params.pop("filtermail_lmtp_port_transport", "10083")
         )
-        self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
+        self.postfix_reinject_port = int(params.pop("postfix_reinject_port", "10025"))
         self.postfix_reinject_port_incoming = int(
-            params.get("postfix_reinject_port_incoming", "10026")
+            params.pop("postfix_reinject_port_incoming", "10026")
         )
-        self.mtail_address = params.get("mtail_address")
-        self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true"
-        self.acme_email = params.get("acme_email", "")
-        self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true"
-        self.imap_compress = params.get("imap_compress", "false").lower() == "true"
-        if "iroh_relay" not in params:
+        self.mtail_address = params.pop("mtail_address", None)
+        self.disable_ipv6 = params.pop("disable_ipv6", "false").lower() == "true"
+        self.acme_email = params.pop("acme_email", "")
+        self.imap_rawlog = params.pop("imap_rawlog", "false").lower() == "true"
+        self.imap_compress = params.pop("imap_compress", "false").lower() == "true"
+        self.turn_socket_path = params.pop(
+            "turn_socket_path", "/run/chatmail-turn/turn.socket"
+        )
+        iroh_relay = params.pop("iroh_relay", None)
+        if iroh_relay is None:
             self.iroh_relay = "https://" + raw_domain
             self.enable_iroh_relay = True
         else:
-            self.iroh_relay = params["iroh_relay"].strip()
+            self.iroh_relay = iroh_relay.strip()
             self.enable_iroh_relay = False
-        self.privacy_postal = params.get("privacy_postal")
-        self.privacy_mail = params.get("privacy_mail")
-        self.privacy_pdo = params.get("privacy_pdo")
-        self.privacy_supervisor = params.get("privacy_supervisor")
+        self.privacy_postal = params.pop("privacy_postal", None)
+        self.privacy_mail = params.pop("privacy_mail", None)
+        self.privacy_pdo = params.pop("privacy_pdo", None)
+        self.privacy_supervisor = params.pop("privacy_supervisor", None)
 
         # TLS certificate management.
         # If tls_external_cert_and_key is set, use externally managed certs.
         # Otherwise derived from the domain name:
         # - Domains starting with "_" use self-signed certificates
         # - All other domains use ACME.
-        external = params.get("tls_external_cert_and_key", "").strip()
+        external = params.pop("tls_external_cert_and_key", "").strip()
 
         if external:
             parts = external.split()
@@ -103,11 +103,12 @@ class Config:
             self.tls_key_path = f"/var/lib/acme/live/{raw_domain}/privkey"
 
         # deprecated option
-        mbdir = params.get("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
+        mbdir = params.pop("mailboxes_dir", f"/home/vmail/mail/{raw_domain}")
         self.mailboxes_dir = Path(mbdir.strip())
 
         # old unused option (except for first migration from sqlite to maildir store)
-        self.passdb_path = Path(params.get("passdb_path", "/home/vmail/passdb.sqlite"))
+        self.passdb_path = Path(params.pop("passdb_path", "/home/vmail/passdb.sqlite"))
+        self._unused_keys = list(params)
 
     @property
     def max_mailbox_size_mb(self):
@@ -164,31 +165,7 @@ def get_default_config_content(mail_domain, **overrides):
     for name, value in extra.items():
         new_line = f"{name} = {value}"
         new_lines.append(new_line)
-
-    content = "\n".join(new_lines)
-
-    # apply testrun privacy overrides
-
-    if mail_domain.endswith(".testrun.org"):
-        override_inipath = inidir.joinpath("override-testrun.ini")
-        privacy = iniconfig.IniConfig(override_inipath)["privacy"]
-        lines = []
-        for line in content.split("\n"):
-            for key, value in privacy.items():
-                value_lines = value.format(mail_domain=mail_domain).strip().split("\n")
-                if not line.startswith(f"{key} =") or not value_lines:
-                    continue
-                if len(value_lines) == 1:
-                    lines.append(f"{key} = {value}")
-                else:
-                    lines.append(f"{key} =")
-                    for vl in value_lines:
-                        lines.append(f"    {vl}")
-                break
-            else:
-                lines.append(line)
-        content = "\n".join(lines)
-    return content
+    return "\n".join(new_lines)
 
 
 def is_valid_ipv4(address: str) -> bool:

chatmaild/src/chatmaild/ini/chatmail.ini.f

@@ -12,42 +12,35 @@ mail_domain = {mail_domain}
 #
 
 # email sending rate per user and minute
-max_user_send_per_minute = 60
+#max_user_send_per_minute = 60
 
 # per-user max burst size for sending rate limiting (GCRA bucket capacity)
-max_user_send_burst_size = 10
+#max_user_send_burst_size = 10
 
 # maximum mailbox size of a chatmail address
-# Oldest messages will be removed automatically, so mailboxes never run full.
-max_mailbox_size = 500M
+# (Oldest messages will be removed automatically, so mailboxes never run full)
+#max_mailbox_size = 500M
 
 # maximum message size for an e-mail in bytes
-max_message_size = 31457280
+#max_message_size = 31457280
 
 # days after which mails are unconditionally deleted
-delete_mails_after = 20
+#delete_mails_after = 20
 
 # days after which large messages (>200k) are unconditionally deleted
-delete_large_after = 7
+#delete_large_after = 7
 
 # days after which users without a successful login are deleted (database and mails)
-delete_inactive_users_after = 90
+#delete_inactive_users_after = 90
 
 # minimum length a username must have
-username_min_length = 9
+#username_min_length = 9
 
 # maximum length a username can have
-username_max_length = 9
+#username_max_length = 9
 
 # minimum length a password must have
-password_min_length = 9
-
-# list of chatmail addresses which can send outbound un-encrypted mail
-passthrough_senders =
-
-# list of e-mail recipients for which to accept outbound un-encrypted mails
-# (space-separated, item may start with "@" to whitelist whole recipient domains)
-passthrough_recipients =
+#password_min_length = 9
 
 # Use externally managed TLS certificates instead of built-in acmetool.
 # Paths refer to files on the deployment server (not the build machine).
@@ -63,19 +56,11 @@ passthrough_recipients =
 # Deployment Details
 #
 
-# SMTP outgoing filtermail and reinjection 
-filtermail_smtp_port = 10080
-postfix_reinject_port = 10025
-
-# SMTP incoming filtermail and reinjection 
-filtermail_smtp_port_incoming = 10081
-postfix_reinject_port_incoming = 10026
-
 # if set to "True" IPv6 is disabled
-disable_ipv6 = False
+#disable_ipv6 = False
 
 # Your email adress, which will be used in acmetool to manage Let's Encrypt SSL certificates
-acme_email = 
+#acme_email =
 
 # Defaults to https://iroh.{{mail_domain}} and running `iroh-relay` on the chatmail
 # service.
@@ -108,13 +93,13 @@ acme_email =
 # in per-maildir ".in/.out" files. 
 # Note that you need to manually cleanup these files
 # so use this option with caution on production servers. 
-imap_rawlog = false 
+#imap_rawlog = false
 
 # set to true if you want to enable the IMAP COMPRESS Extension,
 # which allows IMAP connections to be efficiently compressed.
 # WARNING: Enabling this makes it impossible to hibernate IMAP
 # processes which will result in much higher memory/RAM usage.
-imap_compress = false
+#imap_compress = false
 
 
 #

chatmaild/src/chatmaild/ini/override-testrun.ini

@@ -1,16 +0,0 @@
-
-[privacy]
-
-passthrough_recipients = privacy@testrun.org echo@{mail_domain}
-
-privacy_postal =
-    Merlinux GmbH, Represented by the managing director H. Krekel,
-    Reichgrafen Str. 20, 79102 Freiburg, Germany
-
-privacy_mail = privacy@testrun.org
-privacy_pdo =
-    Prof. Dr. Fabian Schmieder, lexICT UG (limited), Ostfeldstr. 49, 30559 Hannover.
-    You can contact him at *delta-privacy@merlinux.eu* (Keyword: DPO)
-privacy_supervisor =
-    State Commissioner for Data Protection and Freedom of Information of
-    Baden-Württemberg in 70173 Stuttgart, Germany.

chatmaild/src/chatmaild/metadata.py

@@ -1,4 +1,5 @@
 import logging
+import socket
 import sys
 import time
 from contextlib import contextmanager
@@ -7,7 +8,14 @@ from .config import read_config
 from .dictproxy import DictProxy
 from .filedict import FileDict
 from .notifier import Notifier
-from .turnserver import turn_credentials
+
+
+def turn_credentials(turn_socket_path):
+    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
+        client_socket.settimeout(5)
+        client_socket.connect(turn_socket_path)
+        with client_socket.makefile("rb") as file:
+            return file.readline().decode("utf-8").strip()
 
 
 def _is_valid_token_timestamp(timestamp, now):
@@ -79,12 +87,20 @@ class Metadata:
 
 
 class MetadataDictProxy(DictProxy):
-    def __init__(self, notifier, metadata, iroh_relay=None, turn_hostname=None):
+    def __init__(
+        self,
+        notifier,
+        metadata,
+        iroh_relay=None,
+        turn_hostname=None,
+        turn_socket_path=None,
+    ):
         super().__init__()
         self.notifier = notifier
         self.metadata = metadata
         self.iroh_relay = iroh_relay
         self.turn_hostname = turn_hostname
+        self.turn_socket_path = turn_socket_path
 
     def handle_lookup(self, parts):
         # Lpriv/43f5f508a7ea0366dff30200c15250e3/devicetoken\tlkj123poi@c2.testrun.org
@@ -101,7 +117,7 @@ class MetadataDictProxy(DictProxy):
                             return f"O{self.iroh_relay}\n"
                         case "turn":
                             try:
-                                res = turn_credentials()
+                                res = turn_credentials(self.turn_socket_path)
                             except Exception:
                                 logging.exception("failed to get TURN credentials")
                                 return "N\n"
@@ -135,6 +151,7 @@ def main():
     config = read_config(config_path)
     iroh_relay = config.iroh_relay
     mail_domain = config.mail_domain
+    socket_path = config.turn_socket_path
 
     vmail_dir = config.mailboxes_dir
     if not vmail_dir.exists():
@@ -152,6 +169,7 @@ def main():
         metadata=metadata,
         iroh_relay=iroh_relay,
         turn_hostname=mail_domain,
+        turn_socket_path=socket_path,
     )
 
     dictproxy.serve_forever_from_socket(socket)

chatmaild/src/chatmaild/tests/test_config.py

@@ -13,7 +13,12 @@ def test_read_config_basic(example_config):
     assert not example_config.privacy_pdo and not example_config.privacy_postal
 
     inipath = example_config._inipath
-    inipath.write_text(inipath.read_text().replace("60", "37"))
+    inipath.write_text(
+        inipath.read_text().replace(
+            "#max_user_send_per_minute = 60",
+            "max_user_send_per_minute = 37",
+        )
+    )
     example_config = read_config(inipath)
     assert example_config.max_user_send_per_minute == 37
     assert example_config.mail_domain == "chat.example.org"
@@ -31,26 +36,21 @@ def test_read_config_basic_using_defaults(tmp_path, maildomain):
     example_config = read_config(inipath)
     assert example_config.max_user_send_per_minute == 60
     assert example_config.filtermail_smtp_port_incoming == 10081
+    assert example_config.filtermail_smtp_port == 10080
+    assert example_config.postfix_reinject_port == 10025
+    assert example_config.max_user_send_per_minute == 60
+    assert example_config.max_mailbox_size == "500M"
+    assert example_config.delete_mails_after == "20"
+    assert example_config.delete_large_after == "7"
+    assert example_config.username_min_length == 9
+    assert example_config.username_max_length == 9
+    assert example_config.password_min_length == 9
+    assert example_config._unused_keys == []
 
 
-def test_read_config_testrun(make_config):
-    config = make_config("something.testrun.org")
-    assert config.mail_domain == "something.testrun.org"
-    assert len(config.privacy_postal.split("\n")) > 1
-    assert len(config.privacy_supervisor.split("\n")) > 1
-    assert len(config.privacy_pdo.split("\n")) > 1
-    assert config.privacy_mail == "privacy@testrun.org"
-    assert config.filtermail_smtp_port == 10080
-    assert config.postfix_reinject_port == 10025
-    assert config.max_user_send_per_minute == 60
-    assert config.max_mailbox_size == "500M"
-    assert config.delete_mails_after == "20"
-    assert config.delete_large_after == "7"
-    assert config.username_min_length == 9
-    assert config.username_max_length == 9
-    assert config.password_min_length == 9
-    assert "privacy@testrun.org" in config.passthrough_recipients
-    assert config.passthrough_senders == []
+def test_config_unused_keys(make_config):
+    config = make_config("chat.example.org", {"passthrough_senders": "x@y.org"})
+    assert config._unused_keys == ["passthrough_senders"]
 
 
 def test_config_userstate_paths(make_config, tmp_path):

chatmaild/src/chatmaild/tests/test_metadata.py

@@ -324,7 +324,7 @@ def test_turn_credentials_exception_returns_N(notifier, metadata, monkeypatch):
         turn_hostname="turn.example.org",
     )
 
-    def mock_turn_credentials():
+    def mock_turn_credentials(turn_socket_path):
         raise ConnectionRefusedError("socket not available")
 
     monkeypatch.setattr(chatmaild.metadata, "turn_credentials", mock_turn_credentials)
@@ -348,7 +348,9 @@ def test_turn_credentials_success(notifier, metadata, monkeypatch):
         turn_hostname="turn.example.org",
     )
 
-    monkeypatch.setattr(chatmaild.metadata, "turn_credentials", lambda: "user:pass")
+    monkeypatch.setattr(
+        chatmaild.metadata, "turn_credentials", lambda path: "user:pass"
+    )
 
     transactions = {}
     res = dictproxy.handle_dovecot_request(

chatmaild/src/chatmaild/tests/test_turn.py

@@ -0,0 +1,46 @@
+import socket
+import threading
+
+import pytest
+
+from chatmaild.metadata import turn_credentials
+
+
+@pytest.fixture
+def turn_socket(tmp_path):
+    sock_path = str(tmp_path / "turn.socket")
+    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+    server.bind(sock_path)
+    server.listen(1)
+    yield sock_path, server
+    server.close()
+
+
+def test_turn_credentials_timeout(turn_socket):
+    sock_path, server = turn_socket
+    with pytest.raises(socket.timeout):
+        # Inside turn_credentials the kernel listen backlog (1)
+        # completes connect() without accept()
+        # so the client blocks on readline() until the 5s timeout fires.
+        turn_credentials(sock_path)
+
+
+def test_turn_credentials_connection_refused_on_not_existing_socket(tmp_path):
+    missing = str(tmp_path / "nonexistent.socket")
+    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
+        turn_credentials(missing)
+
+
+def test_turn_credentials_socket_success(turn_socket):
+    sock_path, server = turn_socket
+
+    def respond():
+        conn, _ = server.accept()
+        conn.sendall(b"testuser:testpass\n")
+        conn.close()
+
+    t = threading.Thread(target=respond, daemon=True)
+    t.start()
+
+    result = turn_credentials(sock_path)
+    assert result == "testuser:testpass"

chatmaild/src/chatmaild/tests/test_turnserver.py

@@ -1,73 +0,0 @@
-import socket
-import threading
-import time
-from unittest.mock import patch
-
-import pytest
-
-from chatmaild.turnserver import turn_credentials
-
-SOCKET_PATH = "/run/chatmail-turn/turn.socket"
-
-
-@pytest.fixture
-def turn_socket(tmp_path):
-    """Create a real Unix socket server at a temp path."""
-    sock_path = str(tmp_path / "turn.socket")
-    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-    server.bind(sock_path)
-    server.listen(1)
-    yield sock_path, server
-    server.close()
-
-
-def _call_turn_credentials(sock_path):
-    """Call turn_credentials but connect to sock_path instead of hardcoded path."""
-    original_connect = socket.socket.connect
-
-    def patched_connect(self, address):
-        if address == SOCKET_PATH:
-            address = sock_path
-        return original_connect(self, address)
-
-    with patch.object(socket.socket, "connect", patched_connect):
-        return turn_credentials()
-
-
-def test_turn_credentials_timeout(turn_socket):
-    """Server accepts but never responds — must raise socket.timeout."""
-    sock_path, server = turn_socket
-
-    def accept_and_hang():
-        conn, _ = server.accept()
-        time.sleep(30)
-        conn.close()
-
-    t = threading.Thread(target=accept_and_hang, daemon=True)
-    t.start()
-
-    with pytest.raises(socket.timeout):
-        _call_turn_credentials(sock_path)
-
-
-def test_turn_credentials_connection_refused(tmp_path):
-    """Socket file doesn't exist — must raise ConnectionRefusedError or FileNotFoundError."""
-    missing = str(tmp_path / "nonexistent.socket")
-    with pytest.raises((ConnectionRefusedError, FileNotFoundError)):
-        _call_turn_credentials(missing)
-
-
-def test_turn_credentials_success(turn_socket):
-    """Server responds with credentials — must return stripped string."""
-    sock_path, server = turn_socket
-
-    def respond():
-        conn, _ = server.accept()
-        conn.sendall(b"testuser:testpass\n")
-        conn.close()
-
-    t = threading.Thread(target=respond, daemon=True)
-    t.start()
-
-    result = _call_turn_credentials(sock_path)
-    assert result == "testuser:testpass"

chatmaild/src/chatmaild/turnserver.py

@@ -1,10 +0,0 @@
-#!/usr/bin/env python3
-import socket
-
-
-def turn_credentials() -> str:
-    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client_socket:
-        client_socket.settimeout(5)
-        client_socket.connect("/run/chatmail-turn/turn.socket")
-        with client_socket.makefile("rb") as file:
-            return file.readline().decode("utf-8").strip()

cmdeploy/src/cmdeploy/cmdeploy.py

@@ -84,6 +84,15 @@ def run_cmd_options(parser):
     add_ssh_host_option(parser)
 
 
+def _warn_unused_settings(unused_keys, out):
+    if unused_keys:
+        names = ", ".join(unused_keys)
+        out.red(
+            f"WARNING: chatmail.ini contains settings that have no effect: {names}\n"
+            "Please remove them from chatmail.ini."
+        )
+
+
 def run_cmd(args, out):
     """Deploy chatmail services on the remote server."""
 
@@ -125,6 +134,7 @@ def run_cmd(args, out):
             out.green("Deploy completed.")
         else:
             out.green("Deploy completed, call `cmdeploy dns` next.")
+        _warn_unused_settings(args.config._unused_keys, out)
         return 0
     except subprocess.CalledProcessError:
         out.red("Deploy failed")

cmdeploy/src/cmdeploy/filtermail/filtermail-transport.service.j2

@@ -6,6 +6,7 @@ ExecStart={{ bin_path }} {{ config_path }} transport
 Restart=always
 RestartSec=30
 User=vmail
+LimitNOFILE=524288
 
 [Install]
 WantedBy=multi-user.target

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -53,7 +53,8 @@ smtpd_tls_exclude_ciphers = aNULL, RC4, MD5, DES
 # See <https://www.postfix.org/FORWARD_SECRECY_README.html#server_fs>.
 tls_preempt_cipherlist = yes
 
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+# Reject by default, override per smtpd in master.cf
+smtpd_relay_restrictions = reject
 myhostname = {{ config.postfix_myhostname }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -17,6 +17,7 @@ smtp      inet  n       -       y       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_tls_mandatory_protocols=>=TLSv1.2
   -o smtpd_proxy_filter=127.0.0.1:{{ config.filtermail_smtp_port_incoming }}
+  -o smtpd_relay_restrictions=reject_unauth_destination
 submission inet n       -       y       -       5000    smtpd
   -o syslog_name=postfix/submission
   -o smtpd_tls_security_level=encrypt
@@ -81,12 +82,14 @@ filter    unix -        n       n       -       -       lmtp
   -o syslog_name=postfix/reinject
   -o milter_macro_daemon_name=ORIGINATING
   -o cleanup_service_name=authclean
+  -o smtpd_relay_restrictions=permit_mynetworks,reject
 {% if not config.ipv4_relay %}  -o smtpd_milters=unix:opendkim/opendkim.sock
 {% endif %}
 
 # Local SMTP server for reinjecting incoming filtered mail 
 127.0.0.1:{{ config.postfix_reinject_port_incoming }} inet  n       -       n       -       100      smtpd
   -o syslog_name=postfix/reinject_incoming
+  -o smtpd_relay_restrictions=reject_unauth_destination
 
 # Cleanup `Received` headers for authenticated mail
 # to avoid leaking client IP.

doc/source/faq.rst

@@ -60,6 +60,7 @@ and run the following commands:
    ::
 
        git pull origin main --rebase --autostash
+       scripts/initenv.sh
        scripts/cmdeploy run
 
 If you don't want the latest development version,