Skip to content

MI-483 - Staging configuration, service files and setup script #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

MI-483 - Staging configuration, service files and setup script #1

wants to merge 5 commits into from

Conversation

@transilvlad
Copy link
Collaborator

This is the first commit that implements deployable scripts in our internal robin fork.

  • I configured the RAW web hook to post to Postal instance in staging
    • This needs templating in cfg-prod/webhooks.json5
  • Also configured Dovecot LDA binary and AUTH socket to validate and authenticate users and deliver to their mailbox in cfg-prod/dovecot.json5
  • Logs rotate automagically daily and will be in /var/log/robin-20281020.log (see cfg-prod/log4j2.xml)
  • We can push metrics to Betterstack by configuring the endpoint in cfg-prod/prometheus.json5
  • Relaying both inbound and outbound are enabled in cfg-prod/relay.json5
  • Ports and threads and more are configured in cfg-prod/server.json5
  • It's temporary storage and dovecot storage/LDA is enabled in cfg-prod/storage.json5
  • Queue and it's DB location and email storage folder are configured in cfg-prod/queue.json5

Note:

  • We need to install JDK 21 or 17 from Amazon Coretto to run it and latest Maven to compile it.
  • It needs to run on the same host as Dovecot to use Dovecot-LDA binary.
  • It has endpoints on ports 8080 for metrics and 8090 for client API and queueing and queue listing

Improvements:

  • Queue could use a SQL integration
  • LMTP proxy could be used instead of the socket and binary allowing containerisation (to be developed).

@transilvlad transilvlad self-assigned this Oct 22, 2025
@notion-workspace
Copy link

[Robin] Add required features to integrate with Dovecot and Postal replacing Postfix & relay.py

Copilot AI reviewed Oct 22, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements staging deployment configuration for the Robin MTA service, enabling it to be deployed and managed on production infrastructure. The changes include configuration files for webhook integration with Postal, Dovecot integration for mail delivery, logging rotation, metrics collection, and systemd service management.

Key Changes:

  • Added deployment scripts (setup.sh, robin.sh, robin.service) for automated installation and service lifecycle management
  • Configured production settings for SMTP server, storage, relaying, queueing, and monitoring in cfg-prod/ directory
  • Integrated Dovecot LDA for local mail delivery and authentication

Reviewed Changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.

Show a summary per file
File Description
setup.sh Automated setup script that builds the project, deploys binaries and configuration files, and installs systemd service
robin.sh Service control script for managing Robin MTA lifecycle (start, stop, restart, status, tail)
robin.service Systemd unit file for running Robin as a managed service
cfg-prod/webhooks.json5 Webhook configurations for SMTP extensions with Postal integration endpoint
cfg-prod/dovecot.json5 Dovecot authentication socket and LDA binary paths for local mail delivery
cfg-prod/server.json5 SMTP server configuration including ports, TLS, thread pools, and metrics endpoints
cfg-prod/storage.json5 Email storage configuration with Dovecot LDA integration enabled
cfg-prod/relay.json5 Inbound/outbound relay configuration with MX lookup and LMTP protocol settings
cfg-prod/queue.json5 Queue persistence and processing interval settings
cfg-prod/log4j2.xml Log4j2 configuration with daily log rotation
cfg-prod/prometheus.json5 Prometheus metrics push configuration template
cfg-prod/properties.json5 General properties including logging levels and HTTP timeouts
cfg-prod/routes.json5 Predefined delivery routes for localhost and staging environments
cfg-prod/scenarios.json5 SMTP response scenarios for testing and custom behaviors
cfg-prod/client.json5 Default SMTP client configuration with TLS settings
cfg-prod/users.json5 Empty users array (authentication disabled)

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

setup.sh
Comment on lines +39 to +40
# Copy keystore
cp src/test/resources/keystore.jks /usr/local/robin/keystore.jks
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copying a test keystore to production is a security risk. Production environments should use properly generated certificates and keystores, not test resources. Consider generating a production keystore or documenting that this must be replaced before production use.

Suggested change
# Copy keystore
cp src/test/resources/keystore.jks /usr/local/robin/keystore.jks
# DO NOT copy test keystore to production. Please generate or provide a secure production keystore.
echo "[WARN] No production keystore deployed. Please generate a secure keystore and place it at /usr/local/robin/keystore.jks before starting the service." >&2

Copilot uses AI. Check for mistakes.
cfg-prod/server.json5
Comment on lines +71 to +77
keystorepassword: "avengers",

// Java truststore (default: /usr/local/truststore.jks).
truststore: "/usr/local/robin/truststore.jks",

// Truststore password or path to password file.
truststorepassword: "avengers",
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded password 'avengers' in production configuration is a security vulnerability. Passwords should be stored in secure vaults or environment variables, not committed to version control.

Suggested change
keystorepassword: "avengers",
// Java truststore (default: /usr/local/truststore.jks).
truststore: "/usr/local/robin/truststore.jks",
// Truststore password or path to password file.
truststorepassword: "avengers",
keystorepassword: "/run/secrets/keystorepassword",
// Java truststore (default: /usr/local/truststore.jks).
truststore: "/usr/local/robin/truststore.jks",
// Truststore password or path to password file.
truststorepassword: "/run/secrets/truststorepassword",

Copilot uses AI. Check for mistakes.
cfg-prod/server.json5
truststore: "/usr/local/robin/truststore.jks",

// Truststore password or path to password file.
truststorepassword: "avengers",
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hardcoded password 'avengers' in production configuration is a security vulnerability. Passwords should be stored in secure vaults or environment variables, not committed to version control.

Suggested change
truststorepassword: "avengers",
truststorepassword: "/run/secrets/truststorepassword",

Copilot uses AI. Check for mistakes.
cfg-prod/properties.json5
// Path to MTA logs if one running on local host.
localLogsDir: "/var/log/",

// Pattern to match UID out of SMT responses.
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Corrected spelling of 'SMT' to 'SMTP' in comment.

Suggested change
// Pattern to match UID out of SMT responses.
// Pattern to match UID out of SMTP responses.

Copilot uses AI. Check for mistakes.
cfg-prod/log4j2.xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration monitorInterval="30" shutdownHook="disable">
<Appenders>
<RollingFile name="appender" filePattern="/var/log/robin-%d{yyyyMMdd}.log">
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The RollingFile appender is missing the required 'fileName' attribute which specifies the current log file. Without it, the appender may not function correctly. Add 'fileName="/var/log/robin.log"' to the RollingFile element.

Suggested change
<RollingFile name="appender" filePattern="/var/log/robin-%d{yyyyMMdd}.log">
<RollingFile name="appender" fileName="/var/log/robin.log" filePattern="/var/log/robin-%d{yyyyMMdd}.log">

Copilot uses AI. Check for mistakes.
cfg-prod/properties.json5

// Humio configuration.
humio: {
auth: "YOUR_API_KEY",
Copy link

Copilot AI Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Placeholder API key should be removed or documented as requiring configuration. Committing placeholder credentials can lead to misconfigurations in production deployments.

Suggested change
auth: "YOUR_API_KEY",
// WARNING: Set a valid Humio API key here before deploying to production. Do NOT commit real credentials.
auth: "__REQUIRED__",

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@webcat12345 webcat12345 Awaiting requested review from webcat12345

@looped0 looped0 Awaiting requested review from looped0

Assignees

@transilvlad transilvlad

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@transilvlad