autonomic-bot
88449431e1
Root cause of the 2 failing custom tests: TLS_FLAVOR=notls → dovecot refuses plaintext auth over network 143, so host-side IMAP login/auth isn't a meaningful signal. Smoke2 PROVED the in-container path: sendmail (postfix container) local-injects a marker mail → doveadm search (imap container) finds it in INBOX. test_mail_flow now exercises the real postfix→rspamd→dovecot deliver/store/fetch via exec_in_app(service=smtp/imap). Dropped test_imap_login (network plaintext-auth disallowed under notls). test_mailbox (create+config-export read-back) unchanged. PARITY.md updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
42 lines
3.0 KiB
Markdown
42 lines
3.0 KiB
Markdown
# mailu — recipe-maintainer → cc-ci parity (Phase 2 P2)
|
|
|
|
**P2 is VACUOUS for mailu:** there is no `recipe-info/mailu/tests/` corpus in the recipe-maintainer
|
|
workspace (`/srv/recipe-maintainer`), so there are no recipe-maintainer tests to port. Coverage is
|
|
therefore health + recipe-specific functional tests (P3), authored from what mailu *is* (a full
|
|
email stack: nginx front + admin + postfix/smtp + dovecot/imap + rspamd/antispam + webmail + redis).
|
|
|
|
## cc-ci deployment notes
|
|
- `COMPOSE_FILE=compose.yml` (base). recipe_meta.EXTRA_ENV(domain) pins `MAIL_DOMAIN`/`HOSTNAMES` to
|
|
the per-run domain, `TRAEFIK_STACK_NAME=traefik_ci_commoninternet_net` (so the external
|
|
`*_letsencrypt` volume the certdumper mounts resolves), and **`TLS_FLAVOR=notls`** — mailu's
|
|
mail-port TLS normally comes from `certdumper` dumping traefik's ACME `acme.json`, but cc-ci uses a
|
|
file-provider wildcard cert (no ACME), so there is no acme.json; `notls` removes that dependency.
|
|
(certdumper still runs idle; harmless — it converges 1/1.) Web/admin is served over the real
|
|
wildcard TLS via Traefik. Mail ports 25/465/587/110/143/993/995 are published mode:host → on-host
|
|
(cc-ci-run) tests reach SMTP/IMAP at 127.0.0.1.
|
|
|
|
## Recipe-specific functional tests (P3 — ≥2)
|
|
1. `functional/test_mailbox.py` — §4.3 create-an-object + read-back: create a mailbox via the admin
|
|
container's `flask mailu user` CLI, then read it back from `flask mailu config-export --json` and
|
|
assert the address is present (admin-DB provisioning round-trip).
|
|
2. `functional/test_mail_flow.py` — the characteristic end-to-end mail flow: INJECT a uniquely-marked
|
|
message to the mailbox via the postfix container's local `sendmail` (locally-originated → not
|
|
greylisted), then VERIFY delivery+storage via dovecot's `doveadm search` in the imap container —
|
|
a real postfix → rspamd → dovecot deliver/store/fetch round-trip. We use the in-container mail
|
|
tools (not the host network ports) because TLS_FLAVOR=notls makes dovecot refuse plaintext auth
|
|
over the network (143); the in-container path exercises the same delivery/storage stack. (A
|
|
network IMAP-auth test was dropped: under notls dovecot disallows plaintext network auth, so a
|
|
host-side login is not a meaningful signal here.)
|
|
|
|
## Backup data-integrity (P4) — N/A (recipe ships no backup config)
|
|
The upstream mailu recipe declares **no `backupbot.backup` label** on any service, so the cc-ci
|
|
backup/restore tiers cleanly SKIP (`backup_capable=False`). There is no recipe backup mechanism to
|
|
exercise — P4 is genuinely N/A for mailu as published, not a cut corner. The durable fix (if P4
|
|
coverage is wanted) is a recipe-PR adding backupbot labels (mailu admin sqlite at /data + mail
|
|
volume), filed as a deferral mirroring the immich Q3.5 / Q3.2b pattern — see DEFERRED.md. Pending
|
|
Adversary §7.1 sign-off on the N/A.
|
|
|
|
## Browser flow (P6)
|
|
Not added: mailu's user-facing UX (webmail/admin) is a standard web UI; the characteristic behaviour
|
|
(mail send/receive, account auth) is covered functionally above. No Playwright flow owed.
|