From 23994eaa08c25e8aa1736aa33df50b564e64818b Mon Sep 17 00:00:00 2001 From: link2xt Date: Tue, 30 Jul 2024 23:06:41 +0000 Subject: [PATCH 1/3] Setup mtail --- CHANGELOG.md | 11 ++++ chatmaild/src/chatmaild/config.py | 1 + chatmaild/src/chatmaild/filtermail.py | 24 +++++-- chatmaild/src/chatmaild/ini/chatmail.ini.f | 13 ++++ cmdeploy/src/cmdeploy/__init__.py | 40 ++++++++++++ .../src/cmdeploy/mtail/delivered_mail.mtail | 64 +++++++++++++++++++ cmdeploy/src/cmdeploy/mtail/mtail.service.j2 | 10 +++ 7 files changed, 156 insertions(+), 7 deletions(-) create mode 100644 cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail create mode 100644 cmdeploy/src/cmdeploy/mtail/mtail.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index 551c29e9..e803eca4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,17 @@ ## untagged +There is a new required setting in `chatmail.ini`: `mtail_address`. +This defines the address on which [`mtail`](https://google.github.io/mtail/) +exposes its metrics collected from the logs. +If you want to collect the metrics with Prometheus, +setup a private network (e.g. WireGuard interface) +and assign an IP address from this network to the host. +If unsure, set this setting to `127.0.0.1`. + +- add mtail + ([#388](https://github.com/deltachat/chatmail/pull/388)) + - fix checking for required DNS records ([#412](https://github.com/deltachat/chatmail/pull/412)) diff --git a/chatmaild/src/chatmaild/config.py b/chatmaild/src/chatmaild/config.py index f8109520..b870d7a1 100644 --- a/chatmaild/src/chatmaild/config.py +++ b/chatmaild/src/chatmaild/config.py @@ -30,6 +30,7 @@ def __init__(self, inipath, params): self.passthrough_recipients = params["passthrough_recipients"].split() self.filtermail_smtp_port = int(params["filtermail_smtp_port"]) self.postfix_reinject_port = int(params["postfix_reinject_port"]) + self.mtail_address = params["mtail_address"] self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true" self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true" self.iroh_relay = params.get("iroh_relay") diff --git a/chatmaild/src/chatmaild/filtermail.py b/chatmaild/src/chatmaild/filtermail.py index 140e7172..fb149446 100644 --- a/chatmaild/src/chatmaild/filtermail.py +++ b/chatmaild/src/chatmaild/filtermail.py @@ -183,15 +183,29 @@ def check_DATA(self, envelope): mail_encrypted = check_encrypted(message) _, from_addr = parseaddr(message.get("from").strip()) + envelope_from_domain = from_addr.split("@").pop() + logging.info(f"mime-from: {from_addr} envelope-from: {envelope.mail_from!r}") if envelope.mail_from.lower() != from_addr.lower(): return f"500 Invalid FROM <{from_addr!r}> for <{envelope.mail_from!r}>" + if mail_encrypted: + print("Filtering encrypted mail.", file=sys.stderr) + else: + print("Filtering unencrypted mail.", file=sys.stderr) + if envelope.mail_from in self.config.passthrough_senders: return passthrough_recipients = self.config.passthrough_recipients - envelope_from_domain = from_addr.split("@").pop() + + is_securejoin = message.get("secure-join") in [ + "vc-request", + "vg-request", + ] + if is_securejoin: + return + for recipient in envelope.rcpt_tos: if envelope.mail_from == recipient: # Always allow sending emails to self. @@ -205,12 +219,8 @@ def check_DATA(self, envelope): is_outgoing = recipient_domain != envelope_from_domain if is_outgoing and not mail_encrypted: - is_securejoin = message.get("secure-join") in [ - "vc-request", - "vg-request", - ] - if not is_securejoin: - return f"500 Invalid unencrypted mail to <{recipient}>" + print("Rejected unencrypted mail.", file=sys.stderr) + return f"500 Invalid unencrypted mail to <{recipient}>" class SendRateLimiter: diff --git a/chatmaild/src/chatmaild/ini/chatmail.ini.f b/chatmaild/src/chatmaild/ini/chatmail.ini.f index b2a5ff12..48b9f800 100644 --- a/chatmaild/src/chatmaild/ini/chatmail.ini.f +++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f @@ -55,6 +55,19 @@ # if set to "True" IPv6 is disabled disable_ipv6 = False +# Address on which `mtail` listens, +# e.g. 127.0.0.1 or some private network +# address like 192.168.10.1. +# You can point Prometheus +# or some other OpenMetrics-compatible +# collector to +# http://{{mtail_address}}:3903/metrics +# and display collected metrics with Grafana. +# +# WARNING: do not expose this service +# to the public IP address. +mtail_address = 127.0.0.1 + # # Debugging options # diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py index ace9e47b..5c4c2d1c 100644 --- a/cmdeploy/src/cmdeploy/__init__.py +++ b/cmdeploy/src/cmdeploy/__init__.py @@ -441,6 +441,44 @@ def check_config(config): return config +def deploy_mtail(config): + apt.packages( + name="Install mtail", + packages=["mtail"], + ) + + # Using our own systemd unit instead of `/usr/lib/systemd/system/mtail.service`. + # This allows to read from journalctl instead of log files. + files.template( + src=importlib.resources.files(__package__).joinpath("mtail/mtail.service.j2"), + dest="/etc/systemd/system/mtail.service", + user="root", + group="root", + mode="644", + address=config.mtail_address, + port=3903, + ) + + mtail_conf = files.put( + name="Mtail configuration", + src=importlib.resources.files(__package__).joinpath( + "mtail/delivered_mail.mtail" + ), + dest="/etc/mtail/delivered_mail.mtail", + user="root", + group="root", + mode="644", + ) + + systemd.service( + name="Start and enable mtail", + service="mtail.service", + running=True, + enabled=True, + restarted=mtail_conf.changed, + ) + + def deploy_chatmail(config_path: Path) -> None: """Deploy a chat-mail instance. @@ -636,3 +674,5 @@ def deploy_chatmail(config_path: Path) -> None: name="Ensure cron is installed", packages=["cron"], ) + + deploy_mtail(config) diff --git a/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail new file mode 100644 index 00000000..dc55e340 --- /dev/null +++ b/cmdeploy/src/cmdeploy/mtail/delivered_mail.mtail @@ -0,0 +1,64 @@ +counter delivered_mail +/saved mail to INBOX$/ { + delivered_mail++ +} + +counter quota_exceeded +/Quota exceeded \(mailbox for user is full\)$/ { + quota_exceeded++ +} + +# Essentially the number of outgoing messages. +counter dkim_signed +/DKIM-Signature field added/ { + dkim_signed++ +} + +counter created_accounts +counter created_ci_accounts +counter created_nonci_accounts + +/: Created address: (?P.*)$/ { + created_accounts++ + + $addr =~ /ci-/ { + created_ci_accounts++ + } else { + created_nonci_accounts++ + } +} + +counter postfix_timeouts +/timeout after DATA/ { + postfix_timeouts++ +} + +counter postfix_noqueue +/postfix\/.*NOQUEUE/ { + postfix_noqueue++ +} + +counter warning_count +/warning/ { + warning_count++ +} + + +counter filtered_mail_count + +counter encrypted_mail_count +/Filtering encrypted mail\./ { + encrypted_mail_count++ + filtered_mail_count++ +} + +counter unencrypted_mail_count +/Filtering unencrypted mail\./ { + unencrypted_mail_count++ + filtered_mail_count++ +} + +counter rejected_unencrypted_mail_count +/Rejected unencrypted mail\./ { + rejected_unencrypted_mail_count++ +} diff --git a/cmdeploy/src/cmdeploy/mtail/mtail.service.j2 b/cmdeploy/src/cmdeploy/mtail/mtail.service.j2 new file mode 100644 index 00000000..97d209d1 --- /dev/null +++ b/cmdeploy/src/cmdeploy/mtail/mtail.service.j2 @@ -0,0 +1,10 @@ +[Unit] +Description=mtail + +[Service] +Type=simple +ExecStart=/bin/sh -c "journalctl -f -o short-iso -n 0 | /usr/bin/mtail --address={{ address }} --port={{ port }} --progs /etc/mtail --logtostderr --logs -" +Restart=on-failure + +[Install] +WantedBy=multi-user.target From 4e2882457e67fae02594015d32c4b3cc5197520d Mon Sep 17 00:00:00 2001 From: link2xt Date: Mon, 14 Oct 2024 08:49:39 +0000 Subject: [PATCH 2/3] Make `mtail_address` optional --- CHANGELOG.md | 5 +++-- chatmaild/src/chatmaild/config.py | 2 +- chatmaild/src/chatmaild/ini/chatmail.ini.f | 5 ++++- cmdeploy/src/cmdeploy/__init__.py | 6 +++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e803eca4..b0d9c251 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,13 +2,14 @@ ## untagged -There is a new required setting in `chatmail.ini`: `mtail_address`. +There is a new setting in `chatmail.ini`: `mtail_address`. This defines the address on which [`mtail`](https://google.github.io/mtail/) exposes its metrics collected from the logs. If you want to collect the metrics with Prometheus, setup a private network (e.g. WireGuard interface) and assign an IP address from this network to the host. -If unsure, set this setting to `127.0.0.1`. +If you do not plan to collect metrics, +keep this setting unset. - add mtail ([#388](https://github.com/deltachat/chatmail/pull/388)) diff --git a/chatmaild/src/chatmaild/config.py b/chatmaild/src/chatmaild/config.py index b870d7a1..53c83f94 100644 --- a/chatmaild/src/chatmaild/config.py +++ b/chatmaild/src/chatmaild/config.py @@ -30,7 +30,7 @@ def __init__(self, inipath, params): self.passthrough_recipients = params["passthrough_recipients"].split() self.filtermail_smtp_port = int(params["filtermail_smtp_port"]) self.postfix_reinject_port = int(params["postfix_reinject_port"]) - self.mtail_address = params["mtail_address"] + self.mtail_address = params.get("mtail_address") self.disable_ipv6 = params.get("disable_ipv6", "false").lower() == "true" self.imap_rawlog = params.get("imap_rawlog", "false").lower() == "true" self.iroh_relay = params.get("iroh_relay") diff --git a/chatmaild/src/chatmaild/ini/chatmail.ini.f b/chatmaild/src/chatmaild/ini/chatmail.ini.f index 48b9f800..e8e8ef5d 100644 --- a/chatmaild/src/chatmaild/ini/chatmail.ini.f +++ b/chatmaild/src/chatmaild/ini/chatmail.ini.f @@ -66,7 +66,10 @@ # # WARNING: do not expose this service # to the public IP address. -mtail_address = 127.0.0.1 +# +# `mtail is not running if the setting is not set. + +# mtail_address = 127.0.0.1 # # Debugging options diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py index 5c4c2d1c..226d17d2 100644 --- a/cmdeploy/src/cmdeploy/__init__.py +++ b/cmdeploy/src/cmdeploy/__init__.py @@ -455,7 +455,7 @@ def deploy_mtail(config): user="root", group="root", mode="644", - address=config.mtail_address, + address=config.mtail_address or "127.0.0.1", port=3903, ) @@ -473,8 +473,8 @@ def deploy_mtail(config): systemd.service( name="Start and enable mtail", service="mtail.service", - running=True, - enabled=True, + running=bool(config.mtail_address), + enabled=bool(config.mtail_address), restarted=mtail_conf.changed, ) From 6eb5ce8e0de9a6274781bf3ef8618dfcc37e9650 Mon Sep 17 00:00:00 2001 From: holger krekel Date: Mon, 14 Oct 2024 11:03:59 +0200 Subject: [PATCH 3/3] better format changelog entry --- CHANGELOG.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b0d9c251..09ea6c83 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,16 +2,14 @@ ## untagged -There is a new setting in `chatmail.ini`: `mtail_address`. -This defines the address on which [`mtail`](https://google.github.io/mtail/) -exposes its metrics collected from the logs. -If you want to collect the metrics with Prometheus, -setup a private network (e.g. WireGuard interface) -and assign an IP address from this network to the host. -If you do not plan to collect metrics, -keep this setting unset. - -- add mtail +- add mtail support (new optional `mail_address` ini value) + This defines the address on which [`mtail`](https://google.github.io/mtail/) + exposes its metrics collected from the logs. + If you want to collect the metrics with Prometheus, + setup a private network (e.g. WireGuard interface) + and assign an IP address from this network to the host. + If you do not plan to collect metrics, + keep this setting unset. ([#388](https://github.com/deltachat/chatmail/pull/388)) - fix checking for required DNS records