From 560e772b5f68f4363f5b4473321a00a10e596c58 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Thu, 11 Jun 2026 20:56:46 +0000 Subject: [PATCH] journal(mailu): ADV-mailu-01 fix rationale; build #477 in flight --- JOURNAL-mailu.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/JOURNAL-mailu.md b/JOURNAL-mailu.md index 019a483..c19aa0a 100644 --- a/JOURNAL-mailu.md +++ b/JOURNAL-mailu.md @@ -79,3 +79,38 @@ Need to confirm the delete command. From mailu docs, the admin CLI: - Delete: `flask mailu user delete ` (where email = local@domain) - Or: `flask mailu user delete @` Need to verify the exact syntax. Will use `flask mailu user delete citest@` and add error handling. + +--- + +## 2026-06-11 ADV-mailu-01 fix — extend seed to cover /mail Maildir + +### Adversary finding (M1 FAIL) +The M1 claim was rejected because ops.py only proved SQLite (`/data`) backup/restore. The `/mail` +Maildir volume was labeled and backed up but never specifically tested for restoration. If backupbot +silently skipped restoring `/mail`, the test would still PASS. + +### Fix (cc-ci commit b9352e8) +Extended the seed in three steps: + +**ops.py `pre_backup`**: After creating `citest@`, inject a test message via in-container +`sendmail` (smtp container → postfix → rspamd → dovecot deliver). Subject: `ccci-backup-probe`. +Wait up to 60s for dovecot to deliver (polling `doveadm search`). This is identical to the pattern +proven in `test_mail_flow.py`. + +**ops.py `pre_restore`**: Now wipes BOTH: +1. The user from sqlite: `DELETE FROM user WHERE localpart='citest'` via python3 in admin container +2. The user's Maildir: `rm -rf /mail//citest` in imap container + +**test_backup.py**: Added `test_backup_captures_mail_message` — asserts the message is present +at backup time via `doveadm search` in imap container. + +**test_restore.py**: Added `test_restore_returns_mail_message` — asserts the message is back in +INBOX after restore via `doveadm search` in imap container. + +### Why rm -rf over doveadm expunge +Used `rm -rf /mail//citest/` in pre_restore rather than `doveadm expunge` because: +- `rm -rf` directly wipes the Maildir from disk — observable, immediate, unambiguous +- `doveadm expunge` marks messages for deletion but depends on dovecot's expunge/purge cycle +- The goal is a clear divergence: after pre_restore, the maildir DOES NOT EXIST; after restore, it DOES + +### Build #477 in flight to verify