# Chat-mail server development (up until Oct 18th)

## Dovecot goals/steps

- automatic expiry of messages older than M days
   - also expunge unread messages

- limit: configure max-connections per account


## nami: send out rate limit / rspamd

- basic outgoing send rate/limits (depending on "account-rating")
  use rspamd in a minimal way, check support dkim-signing
  (including an online test exceeding rate limit)


## doveauth questions/futures

- bcrypt-password scheme is slow: require long passwords, use faster hashing

- define user-name and password policies, and implement them
  (be very restrictive at the beginning, we can relax later)

- password is part of the dictproxy-lookup key, is it safe to use auth-caching?


## How to limit creation of accounts?

attack: a 3-line bash script to fill the chatmail db with millions of unused accouts

- make it computationally expensive (somehow try to except our tests from it)
  1st pass instant onboarding: create userid + cheap password -- if it fails then
  2nd pass instant onboarding: create userdid + comput. expensive password

- probably also do firewall: limit number of new tcp-connections per IP address per duration


## Open/deferred questions

- automatic expiry of users that haven't logged in for N days
  Is it neccessary?  If all messages are gone, does the existence of
  an e-mail address bother anybody?


## web page for chat-mail servers?

- documentation for users, privacy policy etc.
  (probably also with provider-messages ...)


## online tests (first with plain python/pytest)

- write tests for dovecot login (exists)
- write tests for postfix logins (exists)
- write A<>B send/receive tests (exists)


## Delta Chat

1. qr code that defines access to a chatmail instance (like mailadm but without http etc.)

2. support for creating username/password and verifying login works