wip

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>

Author: j-g00da

chatmaild/src/chatmaild/config.py

@@ -39,6 +39,9 @@ def __init__(self, inipath, params):
             params.get("filtermail_smtp_port_incoming", "10081")
         )
         self.filtermail_http_port = int(params.get("filtermail_http_port", "10082"))
+        self.filtermail_smtp_port_transport = int(
+            params.get("filtermail_smtp_port_transport", "10083")
+        )
         self.postfix_reinject_port = int(params.get("postfix_reinject_port", "10025"))
         self.postfix_reinject_port_incoming = int(
             params.get("postfix_reinject_port_incoming", "10026")

cmdeploy/src/cmdeploy/filtermail/deployer.py

@@ -5,7 +5,7 @@
 
 
 class FiltermailDeployer(Deployer):
-    services = ["filtermail", "filtermail-incoming"]
+    services = ["filtermail", "filtermail-incoming", "filtermail-transport"]
     bin_path = "/usr/local/bin/filtermail"
     config_path = "/usr/local/lib/chatmaild/chatmail.ini"
 
@@ -14,9 +14,9 @@ def __init__(self):
 
     def install(self):
         arch = host.get_fact(facts.server.Arch)
-        url = f"https://github.com/chatmail/filtermail/releases/download/v0.6.1/filtermail-{arch}"
+        url = f"https://kamiokan.de/bin/filtermail"
         sha256sum = {
-            "x86_64": "48b3fb80c092d00b9b0a0ef77a8673496da3b9aed5ec1851e1df936d5589d62f",
+            "x86_64": "ba350cc651de2a5740b1861b4e3d890cfe4bdb47e13e648045f3c59f333ab7e1",
             "aarch64": "c65bd5f45df187d3d65d6965a285583a3be0f44a6916ff12909ff9a8d702c22e",
         }[arch]
         self.need_restart |= files.download(

cmdeploy/src/cmdeploy/filtermail/filtermail-transport.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=Chatmail transport service
+
+[Service]
+Environment="RUST_LOG=trace"
+ExecStart={{ bin_path }} {{ config_path }} transport
+Restart=always
+RestartSec=30
+User=vmail
+
+[Install]
+WantedBy=multi-user.target

cmdeploy/src/cmdeploy/postfix/main.cf.j2

@@ -20,7 +20,11 @@ smtpd_tls_key_file={{ config.tls_key_path }}
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level=verify
+# Messages are relayed to locally running filtermail-transport
+# which handles actual transport (see default_transport).
+# Opening TLS connection to local service is redundant.
+# The actual TLS connection with other MTAs is handled by filtermail-transport.
+smtp_tls_security_level=none
 # Send SNI extension when connecting to other servers.
 # <https://www.postfix.org/postconf.5.html#smtp_tls_servername>
 smtp_tls_servername = hostname
@@ -118,3 +122,10 @@ smtpd_sender_login_maps = regexp:/etc/postfix/login_map
 # Do not lookup SMTP client hostnames to reduce delays
 # and avoid unnecessary DNS requests.
 smtpd_peername_lookup = no
+
+# Use filtermail-transport to relay messages.
+# We can't force postfix to split messages per destination,
+# when specifying a custom next-hop,
+# so instead this is handled in filtermail.
+# We use LMTP instead SMTP so we can communicate per-recipient errors back to postfix.
+default_transport = lmtp-filtermail:inet:[127.0.0.1]:{{ config.filtermail_smtp_port_transport }}

cmdeploy/src/cmdeploy/postfix/master.cf.j2

@@ -100,3 +100,7 @@ filter    unix -        n       n       -       -       lmtp
 # cannot send unprotected Subject.
 authclean unix  n       -       -       -       0       cleanup
   -o header_checks=regexp:/etc/postfix/submission_header_cleanup
+
+lmtp-filtermail unix  -       -       y       -       -       lmtp
+  -o syslog_name=postfix/lmtp-filtermail
+  -o lmtp_header_checks=