chatmail service deployment scripts and docs

License

NotificationsYou must be signed in to change notification settings

chatmail/relay

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Chatmail relays for end-to-end encrypted e-mail

Chatmail relay servers are interoperable Mail Transport Agents (MTAs) designed for:

  • Convenience: Low friction instant onboarding

  • Privacy: No name, phone numbers, email required or collected

  • End-to-End Encryption enforced: only OpenPGP messages with metadata minimization allowed

  • Instant: Privacy-preserving Push Notifications for Apple, Google, and Huawei

  • Speed: Message delivery in half a second, with optional P2P realtime connections

  • Transport Security: Strict TLS and DKIM enforced

  • Reliability: No spam or IP reputation checks; rate-limits are suitable for realtime chats

  • Efficiency: Messages are only stored for transit and removed automatically

This repository contains everything needed to set up a ready-to-use chatmail relay comprised of a minimal setup of the battle-tested Postfix SMTP and Dovecot IMAP MTAs/MDAs.

The automated setup is designed and optimized for providing chatmail addresses for immediate permission-free onboarding through chat apps and bots. Chatmail addresses are automatically created at first login, after which the initially specified password is required for sending and receiving messages through them.

Please see this list of known apps and client projects and this list of known public 3rd party chatmail relay servers.

Minimal requirements, Prerequisites

You will need the following:

  • Control over a domain through a DNS provider of your choice.

  • A Debian 12 server with reachable SMTP/SUBMISSIONS/IMAPS/HTTPS ports. IPv6 is encouraged if available. Chatmail relay servers only require 1GB RAM, one CPU, and perhaps 10GB storage for a few thousand active chatmail addresses.

  • Key-based SSH authentication to the root user. You must add a passphrase-protected private key to your local ssh-agent because you can't type in your passphrase during deployment. (An ed25519 private key is required due to an upstream bug in paramiko.)

Getting started

We use chat.example.org as the chatmail domain in the following steps. Please substitute it with your own domain.

  1. Set up the initial DNS records. The following is an example in the familiar BIND zone file format with a TTL of 1 hour (3600 seconds). Please substitute your domain and IP addresses.

     chat.example.com. 3600 IN A 198.51.100.5
     chat.example.com. 3600 IN AAAA 2001:db8::5
     www.chat.example.com. 3600 IN CNAME chat.example.com.
     mta-sts.chat.example.com. 3600 IN CNAME chat.example.com.
  2. On your local PC, clone the repository and bootstrap the Python virtualenv.

     git clone https://github.com/chatmail/relay
     cd relay
     scripts/initenv.sh
  3. On your local PC, create the chatmail configuration file chatmail.ini:

     scripts/cmdeploy init chat.example.org  # <-- use your domain
  4. Verify that SSH root login to your remote server works:

     ssh root@chat.example.org  # <-- use your domain
  5. From your local PC, deploy the remote chatmail relay server:

     scripts/cmdeploy run

    This script will also check that you have all necessary DNS records. If DNS records are missing, it will recommend which ones you should configure at your DNS provider (it can take some time until they are public).

Other helpful commands

To check the status of your remotely running chatmail service:

scripts/cmdeploy status

To display and check all recommended DNS records:

scripts/cmdeploy dns

To test whether your chatmail service is working correctly:

scripts/cmdeploy test

To measure the performance of your chatmail service:

scripts/cmdeploy bench

Overview of this repository

This repository has four directories:

  • cmdeploy is a collection of configuration files and a pyinfra-based deployment script.

  • chatmaild is a Python package containing several small services which handle authentication, trigger push notifications on new messages, ensure that outbound mails are encrypted, delete inactive users, and some other minor things. chatmaild can also be installed as a stand-alone Python package.

  • www contains the html, css, and markdown files which make up a chatmail relay's web page. Edit them before deploying to make your chatmail relay stand out.

  • scripts offers two convenience tools for beginners: initenv.sh installs the necessary dependencies to a local virtual environment, and the scripts/cmdeploy script enables you to run the cmdeploy command line tool in the local virtual environment.

cmdeploy

The cmdeploy/src/cmdeploy/cmdeploy.py command line tool helps with setting up and managing the chatmail service. cmdeploy init creates the chatmail.ini config file. cmdeploy run uses a pyinfra-based script to automatically install or upgrade all chatmail components on a relay, according to the chatmail.ini config.

The components of chatmail are:

  • Postfix SMTP MTA accepts and relays messages (both from your users and from the wider e-mail MTA network)

  • Dovecot IMAP MDA stores messages for your users until they download them

  • Nginx shows the web page with your privacy policy and additional information

  • acmetool manages TLS certificates for Dovecot, Postfix, and Nginx

  • OpenDKIM for signing messages with DKIM and rejecting inbound messages without DKIM

  • mtail for collecting anonymized metrics in case you have monitoring

  • Iroh relay which helps client devices to establish Peer-to-Peer connections

  • and the chatmaild services, explained in the next section:

chatmaild

chatmaild implements various systemd-controlled services that integrate with Dovecot and Postfix to achieve instant onboarding and to relay only OpenPGP end-to-end encrypted messages. A short overview of chatmaild services:

  • doveauth implements create-on-login address semantics and is used by Dovecot during IMAP login and by Postfix during SMTP/SUBMISSION login, which in turn uses Dovecot SASL to authenticate logins.

  • filtermail prevents unencrypted email from leaving or entering the chatmail service and is integrated into Postfix's outbound and inbound mail pipelines.

  • chatmail-metadata is contacted by a Dovecot lua script to store user-specific relay-side config. On new messages, it passes the user's push notification token to notifications.delta.chat so the push notifications on the user's phone can be triggered by Apple/Google/Huawei.

  • delete_inactive_users deletes users if they have not logged in for a very long time. The timeframe can be configured in chatmail.ini.

  • lastlogin is contacted by Dovecot when a user logs in and stores the date of the login.

  • echobot is a small bot for test purposes. It simply echoes back messages from users.

  • chatmail-metrics collects some metrics and displays them at https://example.org/metrics.

Home page and getting started for users

cmdeploy run also creates default static web pages and deploys them to an Nginx web server with:

  • a default index.html along with a QR code that users can click to create an address on your chatmail relay

  • a default info.html that is linked from the home page

  • a default policy.html that is linked from the home page

All .html files are generated from the corresponding markdown .md file in the www/src directory.

Refining the web pages

scripts/cmdeploy webdev

This starts a local live development cycle for chatmail web pages:

  • uses the www/src/page-layout.html file for producing static HTML pages from www/src/*.md files

  • continuously builds the web presence, reading files from the www/src directory, generating HTML files and copying assets to the www/build directory.

  • starts a browser window automatically where you can "refresh" as needed.

Mailbox directory layout

Fresh chatmail addresses have a mailbox directory that contains:

  • a password file with the salted password required for authenticating whether a login may use the address to send/receive messages. If you modify the password file manually, you effectively block the user.

  • enforceE2EEincoming is a default-created file with each address. If present, the file indicates that this chatmail address rejects incoming cleartext messages. If absent, the address accepts incoming cleartext messages.

  • dovecot*, cur, new and tmp represent IMAP/mailbox state. If the address is only used by one device, the Maildir directories will typically be empty unless the user of that address hasn't been online for a while.

Emergency Commands to disable automatic address creation

If you need to stop address creation, e.g. because some script is wildly creating addresses, log in with ssh and run:

    touch /etc/chatmail-nocreate

Chatmail address creation will be denied while this file is present.
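The create-on-login semantics, the mailbox files and the emergency switch described in the two sections above, as an added illustrative model (not chatmaild's doveauth code). The salted-hash format (PBKDF2, stored as salt$hexdigest), the mail root layout and all function names are assumptions; only the file names password, enforceE2EEincoming, cur/new/tmp and /etc/chatmail-nocreate come from the README, and the nocreate path is a parameter so the demo runs unprivileged.

```python
# Added example, not chatmaild's doveauth: a minimal model of create-on-login
# and the mailbox files the README describes. The salted-hash format (PBKDF2,
# 'salt$hexdigest'), the mail root layout and the function names are
# assumptions; only "password", "enforceE2EEincoming", cur/new/tmp and
# /etc/chatmail-nocreate come from the README.
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt$hexdigest'."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"

def verify_password(stored, password):
    salt, _, _ = stored.partition("$")
    return hmac.compare_digest(stored, hash_password(password, salt))

def login(mail_root, address, password, nocreate_flag="/etc/chatmail-nocreate"):
    """Accept the login; create the mailbox on first login unless creation is
    disabled. A manually edited (invalid) password file locks the address out."""
    if "/" in address or address.startswith(".") or "@" not in address:
        return False  # never let a login name escape the mail root
    mailbox = Path(mail_root) / address
    pwfile = mailbox / "password"
    if pwfile.exists():
        return verify_password(pwfile.read_text().strip(), password)
    if Path(nocreate_flag).exists():
        return False  # operator ran: touch /etc/chatmail-nocreate
    for sub in ("cur", "new", "tmp"):
        (mailbox / sub).mkdir(parents=True, exist_ok=True)
    pwfile.write_text(hash_password(password))
    (mailbox / "enforceE2EEincoming").touch()  # default: reject cleartext inbound
    return True

def accepts_cleartext(mail_root, address):
    """Inbound cleartext is accepted only when the marker file is absent."""
    return not (Path(mail_root) / address / "enforceE2EEincoming").exists()

def demo():
    with tempfile.TemporaryDirectory() as root:
        flag = Path(root) / "chatmail-nocreate"  # stand-in for /etc/chatmail-nocreate
        alice = "alice@chat.example.org"
        out = {"first_login": login(root, alice, "s3cret", flag)}
        out["wrong_password"] = login(root, alice, "guess", flag)
        out["right_password"] = login(root, alice, "s3cret", flag)
        out["rejects_cleartext"] = not accepts_cleartext(root, alice)
        flag.touch()
        out["create_while_disabled"] = login(root, "bob@chat.example.org", "pw", flag)
        out["existing_still_works"] = login(root, alice, "s3cret", flag)
        return out
```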

Ports

Postfix listens on ports 25 (SMTP), 587 (SUBMISSION) and 465 (SUBMISSIONS). Dovecot listens on ports 143 (IMAP) and 993 (IMAPS). Nginx listens on ports 8443 (HTTPS-ALT) and 443 (HTTPS). Port 443 multiplexes HTTPS, IMAP and SMTP using ALPN to redirect connections to ports 8443, 465 or 993. acmetool listens on port 80 (HTTP).

chatmail-core based apps will, however, discover all ports and configurations automatically by reading the autoconfig XML file from the chatmail relay server.

Email authentication

Chatmail relays enforce DKIM to authenticate incoming emails. Incoming emails must have a valid DKIM signature with the Signing Domain Identifier (SDID, the d= parameter in the DKIM-Signature header) equal to the From: header domain. This property is checked by the OpenDKIM screen policy script before validating the signatures. This corresponds to strict DMARC alignment (adkim=s), but chatmail does not rely on DMARC and does not consult the sender policy published in DMARC records. Other legacy authentication mechanisms such as iprev and SPF are also not taken into account. If there is no valid DKIM signature on the incoming email, the sender receives a "5.7.1 No valid DKIM signature found" error.

Outgoing emails must be sent over an authenticated connection with the envelope MAIL FROM (return path) corresponding to the login. This is ensured by Postfix, which maps the login username to MAIL FROM with smtpd_sender_login_maps and rejects incorrectly authenticated emails with the reject_sender_login_mismatch policy. The From: header must correspond to the envelope MAIL FROM; this is ensured by the filtermail proxy.
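The two alignment rules from the paragraphs above (inbound SDID equals From: domain; outbound From: equals envelope MAIL FROM), as an added example that is not OpenDKIM's or filtermail's code. The sample messages are constructed, with placeholder signature values; whether a signature actually verifies is left to OpenDKIM, only alignment is modelled.

```python
# Added example, not chatmaild's own code: the two alignment checks the
# "Email authentication" section describes, run on constructed messages.
# Inbound: the DKIM-Signature d= tag (SDID) must equal the From: domain,
# i.e. strict alignment like DMARC adkim=s. Outbound: the From: address
# must equal the authenticated envelope MAIL FROM. Whether the signature
# itself verifies is OpenDKIM's job; only alignment is modelled here.
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; signature values are placeholders.
ALIGNED = """From: Alice <alice@chat.example.org>
To: bob@chat.example.org
DKIM-Signature: v=1; a=rsa-sha256; d=chat.example.org; s=dkim;
 h=from:to; bh=placeholder; b=placeholder
Subject: hi

body
"""
MISALIGNED = """From: Alice <alice@chat.example.org>
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-sender.example; s=dkim; b=placeholder
Subject: hi

body
"""

def dkim_sdid(msg):
    """Return the lower-cased d= tag of the first DKIM-Signature header, or None."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    for tag in sig.replace("\r", "").replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return None

def from_address(msg):
    """Return (localpart, domain) of the From: header address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def inbound_aligned(raw):
    """Strict DKIM alignment: a non-empty SDID must equal the From: domain."""
    msg = message_from_string(raw)
    sdid = dkim_sdid(msg)
    return bool(sdid) and sdid == from_address(msg)[1]

def outbound_aligned(raw, mail_from):
    """The From: header address must equal the envelope MAIL FROM (the login)."""
    local, _, domain = mail_from.rpartition("@")
    return bool(domain) and from_address(message_from_string(raw)) == (local.lower(), domain.lower())
```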

TLS requirements

Postfix is configured to require valid TLS by setting smtp_tls_security_level to verify. If emails don't arrive at your chatmail relay server, the problem is likely that your relay does not have a valid TLS certificate.

You can test it by resolving the MX records of your relay domain and then connecting to the MX relays (e.g. mx.example.org) with

    openssl s_client -connect mx.example.org:25 -verify_hostname mx.example.org -verify_return_error -starttls smtp

from a host that has port 25 open, to verify that the certificate is valid.

When providing a TLS certificate to your chatmail relay server, make sure to provide the full certificate chain and not just the last certificate.

If you are running an Exim server and don't see incoming connections from a chatmail relay server in the logs, make sure the smtp_no_mail log item is enabled in the config with log_selector = +smtp_no_mail. By default Exim does not log sessions that are closed before sending the MAIL command. This happens if the certificate is not recognized as valid by Postfix, so you might think that the connection is not established while actually it is a problem with your TLS certificate.

Migrating a chatmail relay to a new host

If you want to migrate a chatmail relay from an old machine to a new machine, you can use these steps. They were tested with a Linux laptop; you might need to adjust some of the steps to your environment.

Let's assume that your mail_domain is mail.example.org, all involved machines run Debian 12, your old site's IP address is 13.37.13.37, and your new site's IP address is 13.12.23.42.

Note that you should lower the TTLs of your DNS records to a value such as 300 (5 minutes) so the migration happens as smoothly as possible.

During the guide you might get a warning about changed SSH host keys; in this case, just run ssh-keygen -R "mail.example.org" as recommended.

  1. First, disable mail services on the old site.

     cmdeploy run --disable-mail --ssh-host 13.37.13.37

    Now your users will notice the migration and will not be able to send or receive messages until the migration is completed.

  2. Now we want to copy /home/vmail, /var/lib/acme, /etc/dkimkeys, /run/echobot, and /var/spool/postfix to the new site. Log in to the old site while forwarding your SSH agent so you can copy directly from the old to the new site with your SSH key:

     ssh -A root@13.37.13.37 tar cf - /home/vmail/mail /var/lib/acme /etc/dkimkeys /run/echobot /var/spool/postfix | ssh root@13.12.23.42 "tar xf - -C /"

    This transfers all addresses, the TLS certificate, the DKIM keys (so the DKIM DNS record remains valid), and the echobot's password so it continues to function. It also preserves the Postfix mail spool so any messages pending delivery will still be delivered.

  3. Install chatmail on the new machine:

     cmdeploy run --disable-mail --ssh-host 13.12.23.42

    Postfix and Dovecot are disabled for now; we will enable them later. We first need to make the new site fully operational.

  4. On the new site, run the following to ensure the ownership is correct in case UIDs/GIDs changed:

     chown root: -R /var/lib/acme
     chown opendkim: -R /etc/dkimkeys
     chown vmail: -R /home/vmail/mail
     chown echobot: -R /run/echobot
  5. Now, update DNS entries.

    If other MTAs try to deliver messages to your chatmail domain, they may fail intermittently as DNS catches up with the new site settings, but they will normally retry delivering messages for at least a week, so messages will not be lost.

  6. Finally, you can execute cmdeploy run --ssh-host 13.12.23.42 to turn on chatmail on the new relay. Your users will be able to use the chatmail relay as soon as the DNS changes have propagated. Voilà!

Setting up a reverse proxy

A chatmail relay MTA does not track or depend on the client IP address for its operation, so it can be run behind a reverse proxy. This will not even affect incoming mail authentication, as DKIM only checks the cryptographic signature of the message and does not use the IP address as input.

For example, you may want to self-host your chatmail relay and only use a hosted VPS to provide a public IP address for client connections and incoming mail. You can connect the chatmail relay to the VPS using a tunnel protocol such as WireGuard and set up a reverse proxy on the VPS to forward connections to the chatmail relay over the tunnel. You can also set up multiple reverse proxies for your chatmail relay in different networks to ensure your relay is reachable even when one of the IPs becomes inaccessible due to hosting or routing problems.

Note that your chatmail relay still needs to be able to make outgoing connections on port 25 to send messages outside.

To set up a reverse proxy (or rather Destination NAT, DNAT) for your chatmail relay, put the following configuration in /etc/nftables.conf:

    #!/usr/sbin/nft -f

    flush ruleset

    define wan = eth0

    # Which ports to proxy.
    #
    # Note that SSH is not proxied
    # so it is possible to log into the proxy server
    # and not the original one.
    define ports = { smtp, http, https, imap, imaps, submission, submissions }

    # The host we want to proxy to.
    define ipv4_address = AAA.BBB.CCC.DDD
    define ipv6_address = [XXX::1]

    table ip nat {
            chain prerouting {
                    type nat hook prerouting priority dstnat; policy accept;
                    iif $wan tcp dport $ports dnat to $ipv4_address
            }

            chain postrouting {
                    type nat hook postrouting priority 0;
                    oifname $wan masquerade
            }
    }

    table ip6 nat {
            chain prerouting {
                    type nat hook prerouting priority dstnat; policy accept;
                    iif $wan tcp dport $ports dnat to $ipv6_address
            }

            chain postrouting {
                    type nat hook postrouting priority 0;
                    oifname $wan masquerade
            }
    }

    table inet filter {
            chain input {
                    type filter hook input priority filter; policy drop;

                    # Accept ICMP.
                    # It is especially important to accept ICMPv6 ND messages,
                    # otherwise IPv6 connectivity breaks.
                    icmp type { echo-request } accept
                    icmpv6 type { echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                    # Allow incoming SSH connections.
                    tcp dport { ssh } accept

                    ct state established accept
            }

            chain forward {
                    type filter hook forward priority filter; policy drop;
                    ct state established accept
                    ip daddr $ipv4_address counter accept
                    ip6 daddr $ipv6_address counter accept
            }

            chain output {
                    type filter hook output priority filter;
            }
    }

Run systemctl enable nftables.service to ensure the configuration is reloaded when the proxy relay reboots.

Uncomment in /etc/sysctl.conf the following two lines:

    net.ipv4.ip_forward=1
    net.ipv6.conf.all.forwarding=1

Then reboot the relay or run sysctl -p and nft -f /etc/nftables.conf.

Once the proxy relay is set up, you can add its IP address to the DNS.

Neighbors and Acquaintances

Here are some related projects that you may be interested in:

  • Mox: A Golang email server. Work is in progress to modify it to support all of the features and configuration settings required to operate as a chatmail relay.
