Root cause of the 2 failing custom tests: TLS_FLAVOR=notls → dovecot refuses plaintext auth over network 143, so host-side IMAP login/auth isn't a meaningful signal. Smoke2 PROVED the in-container path: sendmail (postfix container) local-injects a marker mail → doveadm search (imap container) finds it in INBOX. test_mail_flow now exercises the real postfix→rspamd→dovecot deliver/store/fetch via exec_in_app(service=smtp/imap). Dropped test_imap_login (network plaintext-auth disallowed under notls). test_mailbox (create+config-export read-back) unchanged. PARITY.md updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mailu — recipe-maintainer → cc-ci parity (Phase 2 P2)
P2 is VACUOUS for mailu: there is no recipe-info/mailu/tests/ corpus in the recipe-maintainer
workspace (/srv/recipe-maintainer), so there are no recipe-maintainer tests to port. Coverage is
therefore health + recipe-specific functional tests (P3), authored from what mailu is (a full
email stack: nginx front + admin + postfix/smtp + dovecot/imap + rspamd/antispam + webmail + redis).
cc-ci deployment notes
COMPOSE_FILE=compose.yml (base). recipe_meta.EXTRA_ENV(domain) pins MAIL_DOMAIN/HOSTNAMES to the per-run domain, TRAEFIK_STACK_NAME=traefik_ci_commoninternet_net (so the external *_letsencrypt volume the certdumper mounts resolves), and TLS_FLAVOR=notls — mailu's mail-port TLS normally comes from certdumper dumping traefik's ACME acme.json, but cc-ci uses a file-provider wildcard cert (no ACME), so there is no acme.json; notls removes that dependency. (certdumper still runs idle; harmless — it converges 1/1.) Web/admin is served over the real wildcard TLS via Traefik. Mail ports 25/465/587/110/143/993/995 are published mode:host → on-host (cc-ci-run) tests reach SMTP/IMAP at 127.0.0.1.
Recipe-specific functional tests (P3 — ≥2)
functional/test_mailbox.py — §4.3 create-an-object + read-back: create a mailbox via the admin container's flask mailu user CLI, then read it back from flask mailu config-export --json and assert the address is present (admin-DB provisioning round-trip).
functional/test_mail_flow.py — the characteristic end-to-end mail flow: INJECT a uniquely-marked message to the mailbox via the postfix container's local sendmail (locally-originated → not greylisted), then VERIFY delivery+storage via dovecot's doveadm search in the imap container — a real postfix → rspamd → dovecot deliver/store/fetch round-trip. We use the in-container mail tools (not the host network ports) because TLS_FLAVOR=notls makes dovecot refuse plaintext auth over the network (143); the in-container path exercises the same delivery/storage stack. (A network IMAP-auth test was dropped: under notls dovecot disallows plaintext network auth, so a host-side login is not a meaningful signal here.)
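
A sketch of the inject-then-verify round-trip described above, added here as an illustration and not the project's own test_mail_flow.py. The run callable is a hypothetical stand-in for the project's exec helper (its signature is not shown on this page); the marker format, the retry count and the polling for asynchronous delivery are assumptions.

```python
import time
import uuid
from email.message import EmailMessage


def build_marker_mail(sender, rcpt):
    """Return (marker, raw RFC 5322 text); the marker is the Subject, so it is searchable."""
    marker = "mailflow-" + uuid.uuid4().hex  # constructed marker format (assumption)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = marker
    msg.set_content("in-container delivery probe\n")
    return marker, msg.as_string()


def mail_flow_roundtrip(run, rcpt, sender, attempts=10, delay=3.0):
    """Inject via sendmail in the smtp service, then poll doveadm in the imap service.

    run(service, argv, stdin_text) -> (exit_code, stdout) is hypothetical: it is
    expected to execute argv inside the named service's container.
    """
    marker, raw = build_marker_mail(sender, rcpt)

    # Local injection: no SMTP AUTH, no network listener, so notls is irrelevant here.
    rc, _ = run("smtp", ["sendmail", "-i", "-f", sender, rcpt], raw)
    if rc != 0:
        raise RuntimeError(f"sendmail exited {rc}")

    # doveadm reads the mail store directly, so no IMAP login is involved either.
    search = ["doveadm", "search", "-u", rcpt, "mailbox", "INBOX", "subject", marker]
    for _ in range(attempts):
        rc, out = run("imap", search, None)
        # doveadm search prints one "<mailbox-guid> <uid>" line per matching message.
        hits = [tuple(line.split()) for line in out.splitlines() if line.strip()]
        if rc == 0 and hits:
            return marker, hits
        time.sleep(delay)  # delivery passes through the filter chain asynchronously
    raise AssertionError(f"{marker} not found in INBOX of {rcpt} after {attempts} tries")
```

A unique marker per run keeps a stale message from an earlier run from satisfying the search.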
Backup data-integrity (P4) — N/A (recipe ships no backup config)
The upstream mailu recipe declares no backupbot.backup label on any service, so the cc-ci
backup/restore tiers cleanly SKIP (backup_capable=False). There is no recipe backup mechanism to
exercise — P4 is genuinely N/A for mailu as published, not a cut corner. The durable fix (if P4
coverage is wanted) is a recipe-PR adding backupbot labels (mailu admin sqlite at /data + mail
volume), filed as a deferral mirroring the immich Q3.5 / Q3.2b pattern — see DEFERRED.md. Pending
Adversary §7.1 sign-off on the N/A.
Browser flow (P6)
Not added: mailu's user-facing UX (webmail/admin) is a standard web UI; the characteristic behaviour (mail send/receive, account auth) is covered functionally above. No Playwright flow owed.