From 3ab04cd07ad6c02d9ba01720083b2910f179e6b0 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Fri, 29 May 2026 20:57:39 +0100 Subject: [PATCH] =?UTF-8?q?journal(2):=20mailu=20Q4.9=20deeper=20recon=20?= =?UTF-8?q?=E2=80=94=20certdumper/ACME=20TLS=20friction;=20start=20with=20?= =?UTF-8?q?TLS=5FFLAVOR=3Dnotls?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/JOURNAL-2.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/machine-docs/JOURNAL-2.md b/machine-docs/JOURNAL-2.md index 2373e4c..4fd85fd 100644 --- a/machine-docs/JOURNAL-2.md +++ b/machine-docs/JOURNAL-2.md 
@@ -1078,3 +1078,22 @@ Hold the deploy until the Adversary's mumble cold-verify frees the single node. - recipe_meta: DEPLOY_TIMEOUT generous (multi-service); confirm version tags for the upgrade tier. - Build next iteration (fresh context): scaffold tests/mailu/, smoke deploy install,custom to find the exact `flask mailu` invocation + health path + mail-port reachability, then add §4.3 tests. + +## 2026-05-29 — mailu (Q4.9) deeper recon: TLS/certdumper friction noted +- Services: `app`=ghcr.io/mailu/nginx (the front/web+mail proxy), `db`=redis:8.0.3-alpine (redis, NOT + a SQL DB — mailu admin uses sqlite at /data inside the admin container), `admin`=ghcr.io/mailu/admin + (mgmt API + `flask mailu` CLI), imap(dovecot), smtp(postfix), antispam(rspamd), webmail, **certdumper** + (ldez/traefik-certs-dumper). All images PULLABLE (ghcr.io/mailu/* + redis + ldez). NO backupbot → P4 N/A. +- **FRICTION (cc-ci-specific): certdumper expects traefik's ACME acme.json** (it dumps certs from + traefik_letsencrypt volume for the mail ports' TLS). cc-ci uses a FILE-PROVIDER wildcard cert, NOT + ACME (Class-A1, ACME forbidden) → no acme.json → certdumper likely never converges → services_converged + False → install "fails". MITIGATION to try: set TLS_FLAVOR (mailu env) to `notls` (disables mail TLS, + no cert needed) or `mail-letsencrypt`→ avoid; OR drop certdumper from COMPOSE_FILE if the recipe allows; + OR provide the cc-ci wildcard cert files to mailu's expected path. Smoke deploy will reveal whether + certdumper blocks convergence; START with TLS_FLAVOR=notls in EXTRA_ENV. The web/admin HTTP path + (traefik file-provider wildcard) works regardless; functional create-mailbox is via the admin CLI + (no mail-TLS needed). SMTP/IMAP send-receive distinctive test may need TLS_FLAVOR handled. +- Versions: 1.1.0/1.1.1/2.0.0/3.0.0/3.0.1; prev=3.0.0+2024.06.27 → head 3.0.1+2024.06.37 (real upgrade). 
+- Build approach: EXTRA_ENV callable(domain)→{MAIL_DOMAIN:domain, HOSTNAMES:domain, TRAEFIK_STACK_NAME: + "traefik_ci_commoninternet_net", SITENAME:"ccci", POSTMASTER:"admin", TLS_FLAVOR:"notls"}. Smoke + install,custom first to confirm convergence (esp. certdumper) + find `flask mailu` syntax + health path.
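Review bot: In the FRICTION bullet and again in the Build approach bullet, `TLS_FLAVOR:"notls"` moves from "MITIGATION to try" to a fixed value in EXTRA_ENV without recording what it costs. The entry itself says `notls` "disables mail TLS", so any SMTP/IMAP send-receive test run under it covers cleartext mail ports only and says nothing about the TLS path. I would state in the entry that `notls` is a workaround for certdumper convergence in cc-ci, and add an exit criterion: once the smoke deploy shows whether certdumper blocks `services_converged`, say which of the other two options (drop certdumper from COMPOSE_FILE, or provide the cc-ci wildcard cert files at mailu's expected path) is tried next so the distinctive mail test can run with TLS on. The mitigation sentence is also hard to parse: "`notls` ... or `mail-letsencrypt`→ avoid" reads as if `mail-letsencrypt` were a second option. Give it its own clause that says why that flavor is avoided (presumably the ACME prohibition noted earlier in the same bullet). Finally, "certdumper likely never converges" is still a hypothesis; marking it as unverified until the smoke deploy keeps a later reader from treating it as a confirmed finding.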