feat: Sign bounce messages #874

Closed
j-g00da wants to merge 1 commit into main from j-g00da/sign-bounce

@j-g00da
Collaborator

@j-g00da j-g00da commented Feb 26, 2026

Closes #873

@j-g00da j-g00da temporarily deployed to staging2.testrun.org February 26, 2026 12:05 — with GitHub Actions Inactive
@j-g00da j-g00da temporarily deployed to staging-ipv4.testrun.org February 26, 2026 12:05 — with GitHub Actions Inactive
Contributor

@missytake missytake left a comment

I don't think this approach would work, see my comment. In any case, this PR needs a test.

Comment thread cmdeploy/src/cmdeploy/postfix/main.cf.j2 Outdated
@j-g00da j-g00da marked this pull request as draft February 26, 2026 15:39
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from 2e2e6cd to 0bfc671 Compare March 2, 2026 11:06
@j-g00da j-g00da temporarily deployed to staging2.testrun.org March 2, 2026 11:06 — with GitHub Actions Inactive
@j-g00da j-g00da temporarily deployed to staging-ipv4.testrun.org March 2, 2026 11:06 — with GitHub Actions Inactive
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from 0bfc671 to ada0060 Compare March 2, 2026 11:34
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from ada0060 to 9dac959 Compare March 2, 2026 11:40
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from 9dac959 to 43590d3 Compare March 3, 2026 09:56
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from 43590d3 to b197edf Compare March 3, 2026 10:38
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from b197edf to 726837f Compare March 3, 2026 11:11
@j-g00da j-g00da had a problem deploying to staging2.testrun.org March 3, 2026 11:54 — with GitHub Actions Error
@j-g00da j-g00da had a problem deploying to staging-ipv4.testrun.org March 3, 2026 11:54 — with GitHub Actions Error
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from ae0ef53 to 40ee20f Compare March 3, 2026 11:55
@j-g00da j-g00da force-pushed the j-g00da/sign-bounce branch from 40ee20f to d0d5635 Compare March 3, 2026 12:11
@j-g00da j-g00da had a problem deploying to staging-ipv4.testrun.org March 3, 2026 12:11 — with GitHub Actions Error
@j-g00da
Collaborator Author

j-g00da commented Apr 10, 2026

> @j-g00da in the spirit of clean-up april, what's the status of this PR?

CI fails because ci-chatmail runs old filtermail version, it has to be upgraded. Other than that this is ready.

@missytake
Contributor

> CI fails because ci-chatmail runs old filtermail version, it has to be upgraded. Other than that this is ready.

I upgraded ci-chatmail.testrun.org to main :) weirdly, I can't restart the failed CI jobs, maybe you can rebase on main to re-trigger the CI?

Closes #873

Signed-off-by: Jagoda Ślązak <jslazak@jslazak.com>
@j-g00da
Collaborator Author

j-g00da commented Apr 14, 2026

staging2.testrun.org works, but staging-ipv4.testrun.org can't authenticate, is the key missing?

@missytake
Contributor

missytake commented Apr 15, 2026

> staging2.testrun.org works, but staging-ipv4.testrun.org can't authenticate, is the key missing?

ah yes, it is - it runs the tests with --ssh-host @local, and only the github runner has the key. You need to forward the github runner's SSH agent to the VPS, so it can connect to ci-chatmail.testrun.org. Or maybe generate an SSH key for each run, and copy it on the VPS/ci-chatmail.testrun.org before testing, that's better security-wise.

@j-g00da
Collaborator Author

j-g00da commented Apr 15, 2026

I wonder if this will require further changes after #917

@j-g00da
Collaborator Author

j-g00da commented May 4, 2026

Closing, since we should no longer send bounce messages anyway

@j-g00da j-g00da closed this May 4, 2026
@missytake
Contributor

missytake commented May 5, 2026

We still do send bounce messages in some cases (e.g. mailbox doesn't exist), and that they are not DKIM signed causes non-delivered bounces:

May 05 13:33:34 nine postfix/lmtp[3828308]: F3B411902838: to=<zagkkunah@nine.testrun.org>, relay=nine.testrun.org[private/dovecot-lmtp], delay=0.05, delays=0.01/0/0/0.04, dsn=5.1.1, status=bounced (host nine.testrun.org[private/dovecot-lmtp] said: 550 5.1.1 <zagkkunah@nine.testrun.org> User doesn't exist: zagkkunah@nine.testrun.org (in reply to RCPT TO command))
May 05 13:33:34 nine postfix/cleanup[3802146]: 0BD7A190283E: message-id=<20260505113334.0BD7A190283E@nine.testrun.org>
May 05 13:33:34 nine postfix/qmgr[3621966]: 0BD7A190283E: from=<>, size=10315, nrcpt=1 (queue active)
May 05 13:33:34 nine postfix/bounce[3802149]: F3B411902838: sender non-delivery notification: 0BD7A190283E
May 05 13:33:34 nine postfix/qmgr[3621966]: F3B411902838: removed
May 05 13:33:34 nine postfix/lmtp-filtermail/lmtp[3773206]: 0BD7A190283E: to=<feedsb@mailchat.pl>, relay=127.0.0.1[127.0.0.1]:10083, delay=0.06, delays=0.01/0/0/0.06, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 No DKIM signature found (in reply to end of DATA command))
May 05 13:33:34 nine postfix/qmgr[3621966]: 0BD7A190283E: removed
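
Added example (not part of the PR or of the chatmail code): a log check that correlates Postfix queue IDs to find non-delivery notifications that were themselves bounced with "No DKIM signature found", the failure shown in the excerpt above. The sample log is constructed, and the function name and record fields are assumptions.

```python
import re

# Constructed sample in the same syslog format as the excerpt above
# (hostnames, addresses and queue IDs are made up).
SAMPLE_LOG = """\
May 05 10:00:00 mx postfix/bounce[101]: AAAA11111111: sender non-delivery notification: BBBB22222222
May 05 10:00:00 mx postfix/qmgr[102]: BBBB22222222: from=<>, size=10315, nrcpt=1 (queue active)
May 05 10:00:00 mx postfix/lmtp-filtermail/lmtp[103]: BBBB22222222: to=<alice@remote.example>, relay=127.0.0.1[127.0.0.1]:10083, delay=0.06, dsn=5.7.1, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 5.7.1 No DKIM signature found (in reply to end of DATA command))
May 05 10:05:00 mx postfix/bounce[104]: CCCC33333333: sender non-delivery notification: DDDD44444444
May 05 10:05:00 mx postfix/qmgr[105]: DDDD44444444: from=<>, size=9120, nrcpt=1 (queue active)
May 05 10:05:01 mx postfix/smtp[106]: DDDD44444444: to=<bob@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

LINE = re.compile(r"postfix/(?P<svc>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
NDN = re.compile(r"sender non-delivery notification: (?P<ndn>[0-9A-F]+)")
DELIVERY = re.compile(r"to=<(?P<rcpt>[^>]*)>.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$")


def find_lost_bounces(log_text):
    """Return bounce notifications that were themselves rejected for lacking DKIM."""
    parent = {}          # bounce queue ID -> queue ID of the message it reports on
    null_sender = set()  # queue IDs whose envelope sender is <>
    lost = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        if (n := NDN.search(rest)):
            parent[n["ndn"]] = qid
        elif rest.startswith("from=<>"):
            null_sender.add(qid)
        elif (d := DELIVERY.search(rest)):
            if (qid in parent and qid in null_sender and d["status"] == "bounced"
                    and "No DKIM signature found" in d["reason"]):
                lost.append({"original": parent[qid], "bounce": qid,
                             "recipient": d["rcpt"], "dsn": d["dsn"]})
    return lost


if __name__ == "__main__":
    for hit in find_lost_bounces(SAMPLE_LOG):
        print(hit)
```

A non-empty result means senders are not learning that their mail was undeliverable, which is the condition a DKIM-signed bounce path is meant to remove.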

@hpk42
Contributor

hpk42 commented May 11, 2026

re-did and amended this PR into #964

hpk42 added a commit that referenced this pull request May 12, 2026
This is based on Jagoda's #874
but comes with a simpler and more robust test.

TODO: requires chatmail/filtermail#149
hpk42 added a commit that referenced this pull request May 12, 2026
This was originally based on Jagoda's #874
but then the postfix config was simplified, and it comes with a simpler and more robust test.
@hpk42 hpk42 closed this May 12, 2026

Development

Successfully merging this pull request may close these issues.

Bounce messages are not signed with DKIM

3 participants