Add required SMTP headers to fix spam classification issues:
- Message-ID: generated from timestamp and from_address domain
- MIME-Version: 1.0 header for proper email formatting
- Content-Transfer-Encoding: 8bit for UTF-8 content
Fixes rspamd spam score from 10.42/10.00 (reject) to 4.80/10.00 (clean)
by resolving MISSING_MID (-2.50), MISSING_MIME_VERSION (-2.00),
and R_BAD_CTE_7BIT (-1.05) penalties.
Tested with mail-tester.com (10/10 score) and production deployment
on tiamat shows successful delivery to inbox instead of spam folder.
Related DAW/infrastruktur#35
- Add STARTTLS handshake after EHLO for port 587
- Upgrade socket to SSL after STARTTLS command
- Perform second EHLO over encrypted connection
- Resolves authentication issues with Hetzner and other SMTP providers
- Fixes 'Must issue a STARTTLS command first' error
Closes #113
- Strip README to essentials with wiki references only
- Remove non-existent API docs and troubleshooting links
- Focus on quick start and actual integrations (merkwerk)
- Remove FreeBSD support from all installation scripts
- Clean up platform detection logic in scripts
- Maintain OpenBSD and Linux support only
Reduces maintenance burden and aligns with actual project scope.
- Remove production_test_sequence.sh (DAW-specific production tests)
- Remove setup_env.sh (obsolete .env setup, replaced by furt.conf)
- Sanitize test scripts: replace dragons-at-work.de with example.com
- Sanitize API keys: replace dev keys with placeholder values
- Remove hardcoded DAW fallbacks from http_server.lua and smtp.lua
- Update .gitignore to exclude production-specific test files
Tests remain functional for developers with example domains.
All internal DAW infrastructure details removed from package.
Closes #101
Merge feature/systemd-hardening
This merge introduces production-ready security hardening for the
systemd service with 6 pragmatic security options:
- ProtectSystem=strict for read-only filesystem
- ReadWritePaths for required directories only
- ProtectHome=yes to block home directory access
- NoNewPrivileges=yes to prevent privilege escalation
- PrivateTmp=yes for isolated temporary space
- RestrictAddressFamilies=AF_INET for IPv4-only networking
Testing completed successfully on:
- Debian 12 (systemd 247)
- Arch Linux (systemd 256)
No performance impact observed (812K RAM usage).
Closes DAW/furt#110
- Add ProtectSystem=strict for read-only filesystem
- Add ReadWritePaths for required directories
- Add ProtectHome=yes to block home access
- Add NoNewPrivileges=yes to prevent escalation
- Add PrivateTmp=yes for isolated temp space
- Add RestrictAddressFamilies=AF_INET for IPv4-only
Related DAW/furt#110
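
A check for the six hardening options named in the two commit messages above, added here as an example and not part of furt's own scripts. The function names and both sample unit files are constructed for illustration; only the directive names and values come from the commit text.

```sh
#!/bin/sh
# Added example: helper names and sample units are constructed, not furt's.

# Print the last value assigned to KEY inside the [Service] section of FILE.
# Simplification: systemd merges repeated list settings such as
# RestrictAddressFamilies; only the last assignment is read here.
service_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        /^[ \t]*[#;]/ { next }
        in_service && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }
    ' "$1"
}

# Set MISSING to the directives from the commit message that FILE lacks and
# return 0 only when none are missing. Values are compared literally, so
# "true" in place of "yes" is reported as missing.
audit_unit() {
    MISSING=""
    for want in ProtectSystem=strict ProtectHome=yes NoNewPrivileges=yes \
                PrivateTmp=yes RestrictAddressFamilies=AF_INET; do
        [ "$(service_value "$1" "${want%%=*}")" = "${want#*=}" ] ||
            MISSING="$MISSING ${want%%=*}"
    done
    # The ReadWritePaths value is site-specific: only require that it is set.
    [ -n "$(service_value "$1" ReadWritePaths)" ] || MISSING="$MISSING ReadWritePaths"
    MISSING=${MISSING# }
    [ -z "$MISSING" ]
}

# Write one hardened and one partially hardened unit (both constructed) to DIR.
write_samples() {
    printf '%s\n' '[Unit]' 'Description=sample' '[Service]' \
        'ExecStart=/bin/true' 'ProtectSystem=strict' \
        'ReadWritePaths=/var/run/furt' 'ProtectHome=yes' \
        'NoNewPrivileges=yes' 'PrivateTmp=yes' \
        'RestrictAddressFamilies=AF_INET' > "$1/hardened.service"
    printf '%s\n' '[Service]' 'ExecStart=/bin/true' '# PrivateTmp=yes' \
        'ProtectSystem=full' 'NoNewPrivileges = yes' \
        '[Install]' 'ProtectHome=yes' > "$1/weak.service"
}
```

Call `audit_unit` with the path of a unit file and read `$MISSING` afterwards; a commented-out directive or one placed outside `[Service]` counts as missing.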
- Replace \s* with [ \t]* for POSIX-compatible whitespace matching
- Addresses false positive 'server port not configured' error
- Ensures validation works correctly across all POSIX-compliant systems
Related to DAW/furt#111
This merge introduces reliable cross-platform service detection using
PID-files instead of fragile pexp patterns, resolving rcctl check
issues on OpenBSD.
Key improvements:
- PID-file creation in /var/run/furt/ with proper permissions
- Updated start.sh for service vs interactive mode detection
- Fixed OpenBSD rc.d script with PID-file based rc_check()
- Corrected systemd service PIDFile parameter
- Enhanced setup-directories.sh for PID directory creation
Tested successfully on werner (OpenBSD):
- rcctl check furt now shows (ok) instead of (failed)
- Service start/stop/restart works reliably
- PID-file management handles permissions correctly
Closes #100
- Add PID directory creation in setup-directories.sh
- Update start.sh to use /var/run/furt/furt.pid for both platforms
- Fix OpenBSD rc.d script pidfile variable path
- Correct systemd service PIDFile parameter path
- Resolve rcctl check detection issues on OpenBSD
Fixes service detection problems where rcctl check would show (failed)
even when service was running. PID-file approach provides reliable
cross-platform service status detection instead of fragile pexp patterns.
Related DAW/furt#100
- Replace unreliable pexp patterns with PID-file approach
- Add graceful shutdown with timeout handling in rc.d script
- Implement process validation after startup
- Add SIGHUP config reload support for Unix services
- Ensure PID-file cleanup on service exit
- Update systemd service to use PIDFile parameter
Platform improvements:
- OpenBSD: rc_check/rc_stop functions now PID-file based
- Linux: systemd Type=forking with proper PIDFile support
- Cross-platform: /var/run/furt.pid standard location
Resolves service status detection issues where rcctl check showed
(failed) despite running service due to process name variations
across platforms.
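
A PID-file based status check of the kind these commits describe, added here as an example and not taken from furt's rc.d script or start.sh. The function names are hypothetical; the point shown is that the file's content is validated before it reaches `kill`, since `0` or a negative number would address a process group instead of one process.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not furt's own.

# Print absent | invalid | stale | running for PIDFILE; return 0 only for
# "running". kill -0 also fails when the process belongs to another user,
# so run this as the service user or root. A reused PID still reads as
# "running"; kill -0 cannot tell which program owns it.
pidfile_status() {
    pidfile=$1
    if [ ! -f "$pidfile" ]; then echo absent; return 1; fi
    # First line only, treated as untrusted input.
    pid=""
    IFS= read -r pid < "$pidfile" || :
    case $pid in
        ''|*[!0-9]*) echo invalid; return 2 ;;
    esac
    # All digits from here on; reject 0, which kill treats as "my own group".
    if [ "$pid" -le 0 ]; then echo invalid; return 2; fi
    if kill -0 "$pid" 2>/dev/null; then echo running; return 0; fi
    echo stale
    return 3
}

# Remove a PID file that no longer points at a live process and print the
# state that was found, so a later start is not blocked by leftovers.
remove_if_stale() {
    state=$(pidfile_status "$1") || :
    case $state in
        stale|invalid) rm -f -- "$1" ;;
    esac
    echo "$state"
}
```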
- Extract health routes to src/routes/health.lua (80 lines)
- Extract HTTP server core to src/http_server.lua (256 lines)
- Reduce main.lua to pure orchestration (342 → 27 lines)
- Preserve all functionality and API compatibility
- Add proper module separation following existing patterns
- Enable future service self-registration architecture
Closes #96
- Add SSL/TLS library validation before startup
- Unify all dependency error messages with install instructions
- Provide platform-specific package names for all dependencies
- Prevents silent SMTP SSL failures at runtime
Fixes #109
- Add flexible JSON detection (cjson preferred, dkjson fallback)
- Update main.lua and mail.lua with found_cjson detection
- Update start.sh to check both JSON libraries
- Enables furt to run on Arch Linux without manual patches
- Maintains API compatibility with existing cjson usage
Fixes #108
- Add platform detection to start.sh for consistent config paths
- BSD systems: /usr/local/etc/furt/furt.conf
- Linux systems: /etc/furt/furt.conf
- Now consistent with setup-directories.sh and validate-config.sh
- Follows DAW service separation standards
Fixes #103
- Add scripts/build-package.sh for production-ready packages
- VCS-agnostic archive creation (git/hg/bzr/fossil support)
- Automatic version detection from VERSION file or git tags
- Secure exclusions for development files and secrets
- Package validation and content verification
- Support for explicit version override
Creates dist/furt-api-gateway-vX.Y.Z.tar.gz with clean structure
for deployment without development dependencies.
Related to DAW/furt#88