%global forgeurl https://github.com/stalwartlabs/stalwart
%global tag v%{version}

Name:           stalwart-mail
Version:        0.13.4
Release:        1%{?dist}
Summary:        Secure, scalable mail & collaboration server with comprehensive protocol support

License:        AGPL-3.0-only OR LicenseRef-SEL
URL:            https://stalw.art
Source0:        %{forgeurl}/archive/%{tag}/stalwart-%{version}.tar.gz

BuildRequires:  rust >= 1.70
BuildRequires:  cargo
BuildRequires:  gcc
BuildRequires:  gcc-c++
BuildRequires:  openssl-devel
BuildRequires:  systemd-devel
BuildRequires:  systemd-rpm-macros
BuildRequires:  pkgconfig(openssl)
BuildRequires:  pkgconfig(systemd)
BuildRequires:  make

# Only build on supported architectures for Rust
ExcludeArch:    i686 s390 %{power64}

# For COPR compatibility
%if 0%{?fedora} >= 36 || 0%{?rhel} >= 9
%bcond_without check
%else
%bcond_with check
%endif

Requires:       glibc
Requires:       openssl
Requires:       systemd
Requires(pre):  shadow-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd

%description
Stalwart is an open-source mail & collaboration server with JMAP, IMAP4,
POP3, SMTP, CalDAV, CardDAV and WebDAV support and a wide range of modern
features. It is written in Rust and designed to be secure, fast, robust and
scalable.

Key features include complete email server with JMAP, IMAP4rev2/IMAP4rev1,
POP3, SMTP with built-in DMARC, DKIM, SPF and ARC support, CalDAV/CardDAV
server for contacts and calendars, WebDAV server for file storage, built-in
spam and phishing filter, LDAP and SQL authentication, encryption at rest,
clustering support, and web-based administration interface.

%prep
%autosetup -n stalwart-%{version}

%build
# Set build environment for optimal compilation
export CARGO_TARGET_DIR=%{_builddir}/stalwart-%{version}/target
export RUSTFLAGS="-Ccodegen-units=1 -Clink-dead-code=off"
export CARGO_PROFILE_RELEASE_BUILD_OVERRIDE_DEBUG=false

# Configure cargo for offline builds if available
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
export CARGO_NET_OFFLINE=true
%endif

# Ensure we have a proper Cargo.lock
[ -f Cargo.lock ] || cargo generate-lockfile

# Build with default features (rocks and enterprise)
# Use single codegen unit for smaller binaries
cargo build --release --verbose --locked

%install
# Create directory structure
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_sysconfdir}/stalwart
install -d %{buildroot}%{_sharedstatedir}/stalwart
install -d %{buildroot}%{_localstatedir}/log/stalwart
install -d %{buildroot}%{_unitdir}
install -d %{buildroot}%{_docdir}/%{name}

# Install binary
install -D -m 755 %{_builddir}/stalwart-%{version}/target/release/stalwart %{buildroot}%{_bindir}/stalwart

# Create and install systemd service file
cat > %{buildroot}%{_unitdir}/stalwart-mail.service << 'EOF'
[Unit]
Description=Stalwart Mail Server
Conflicts=postfix.service sendmail.service exim4.service
ConditionPathExists=%{_sysconfdir}/stalwart/config.toml
After=network-online.target

[Service]
Type=simple
LimitNOFILE=65536
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
ExecStart=%{_bindir}/stalwart --config=%{_sysconfdir}/stalwart/config.toml
SyslogIdentifier=stalwart
User=stalwart
Group=stalwart
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
EOF

# Install configuration file
install -m 640 resources/config/config.toml %{buildroot}%{_sysconfdir}/stalwart/config.toml

# Install documentation
install -m 644 README.md %{buildroot}%{_docdir}/%{name}/
install -m 644 CHANGELOG.md %{buildroot}%{_docdir}/%{name}/
install -m 644 CONTRIBUTING.md %{buildroot}%{_docdir}/%{name}/
install -m 644 UPGRADING.md %{buildroot}%{_docdir}/%{name}/
install -m 644 SECURITY.md %{buildroot}%{_docdir}/%{name}/

# Install license files
install -m 644 LICENSES/AGPL-3.0-only.txt %{buildroot}%{_docdir}/%{name}/
install -m 644 LICENSES/LicenseRef-SEL.txt %{buildroot}%{_docdir}/%{name}/

%files
%license %{_docdir}/%{name}/AGPL-3.0-only.txt
%license %{_docdir}/%{name}/LicenseRef-SEL.txt
%doc %{_docdir}/%{name}/README.md
%doc %{_docdir}/%{name}/CHANGELOG.md
%doc %{_docdir}/%{name}/CONTRIBUTING.md
%doc %{_docdir}/%{name}/UPGRADING.md
%doc %{_docdir}/%{name}/SECURITY.md
# Record the config as 0640 stalwart:stalwart in the package itself, so the
# service account can still read it when an upgrade replaces an unmodified copy
# (the chown in the post scriptlet only runs on a fresh install)
%attr(0640,stalwart,stalwart) %config(noreplace) %{_sysconfdir}/stalwart/config.toml
%{_bindir}/stalwart
%{_unitdir}/stalwart-mail.service
%attr(0750,stalwart,stalwart) %dir %{_sharedstatedir}/stalwart
%attr(0750,stalwart,stalwart) %dir %{_localstatedir}/log/stalwart
%attr(0750,stalwart,stalwart) %dir %{_sysconfdir}/stalwart

%pre
# Create stalwart user and group
getent group stalwart >/dev/null || groupadd -r stalwart
getent passwd stalwart >/dev/null || \
    useradd -r -g stalwart -s /usr/sbin/nologin -M \
        -d %{_sharedstatedir}/stalwart -c "Stalwart Mail Server" stalwart

%post
# Initialize configuration if this is a fresh install
if [ $1 -eq 1 ]; then
    # Run stalwart --init to create initial configuration (run as root, then fix ownership)
    %{_bindir}/stalwart --init %{_sharedstatedir}/stalwart >/dev/null 2>&1 || true

    # Ensure proper ownership of data directories
    chown -R stalwart:stalwart %{_sharedstatedir}/stalwart %{_localstatedir}/log/stalwart 2>/dev/null || true
    chmod 640 %{_sysconfdir}/stalwart/config.toml 2>/dev/null || true
    chown stalwart:stalwart %{_sysconfdir}/stalwart/config.toml 2>/dev/null || true
fi

%systemd_post stalwart-mail.service

%preun
%systemd_preun stalwart-mail.service

%postun
%systemd_postun_with_restart stalwart-mail.service

# Remove user and group on complete removal
if [ $1 -eq 0 ]; then
    # Clean up data directories on uninstall
    rm -rf %{_sharedstatedir}/stalwart/* 2>/dev/null || true
    getent passwd stalwart >/dev/null && userdel stalwart >/dev/null 2>&1 || true
    getent group stalwart >/dev/null && groupdel stalwart >/dev/null 2>&1 || true
fi

%changelog
* Mon Oct 07 2024 mdecimus - 0.13.4-1
- Security fix: IMAP unbounded memory allocation in request parser (CVE-2025-61600)
- Security fix: CalDAV limit recurrence expansions in calendar reports (CVE-2025-59045)
- Fixed IMAP wrong permission checked for GETACL
- Fixed JMAP references to previous method fail when there are no results
- Fixed JMAP enforce quota checks on Blob/copy
- Fixed JMAP Mailbox/get fails without accountId argument
- Fixed iTIP include date properties in REPLY messages
- Fixed OIDC do not set username field if same as email field
- Fixed telemetry calculateMetrics housekeeper task
- Changed JMAP protocol layer rewrite for zero-copy deserialization

* Tue Sep 10 2024 mdecimus - 0.13.3-1
- Added CLI health checks
- Changed WebDAV assisted discovery v2
- Fixed iTIP do not send REPLY when deleting unaccepted events
- Fixed OIDC do not overwrite locally defined aliases
- Fixed HTTP scan ban should only be triggered by HTTP parse errors
- Fixed JMAP do not allow roles to be removed from system mailboxes
- Fixed SMTP do not send EHLO twice when STARTTLS unavailable
- Fixed IMAP allow ENABLE UTF8 in IMAPrev1
- Fixed IMAP increase maximum quoted argument size

* Sun Jul 28 2024 mdecimus - 0.13.2-1
- Added ACME DeSEC and OVH cloud DNS provider support
- Added CalDAV Scheduling Catalan language support
- Added MTA allow sending emails as group member
- Added OIDC allow local access tokens with third-party OIDC backends
- Fixed MTA do not convert email local parts to lowercase
- Fixed Sieve fileinto should override spam filter
- Fixed JMAP incorrect accountId used in email set and import methods
- Fixed LDAP only set account name if not returned in LDAP query

* Tue Jul 16 2024 mdecimus - 0.13.1-1
- Added ACME DigitalOcean cloud DNS provider support
- Fixed migration old queue events not deleted causing high CPU usage
- Fixed MTA mta-sts setting parsing issue
- Fixed JMAP sortOrder should not be null
- Fixed invalid TOML parsing in database settings

* Mon Jul 15 2024 mdecimus - 0.13.0-1
- Added MTA queue enhancements with breaking changes
- Added Danish locale support
- Added DKIM support for stalwart-cli
- Changed invalidate access token caches using pub/sub
- Fixed WebDAV return all shared resources in calendar-home-set
- Fixed CalDAV Scheduling include DTSTART/DTEND in iMIP CANCEL messages
- Fixed IMAP custom name for shared folders and subfolders under INBOX

* Tue Jun 25 2024 mdecimus - 0.12.5-1
- Added Calendar Scheduling Extensions to CalDAV (RFC6368)
- Added Calendar Email Notifications with limited i18n support
- Added assisted CalDAV/CardDAV shared resource discovery
- Fixed WebDAV return NOTFOUND error instead of MULTISTATUS on empty PROPFIND
- Fixed JMAP do not include email address in identity names
- Fixed antispam skip card-is-ham override when sender does not pass DMARC

* Sun May 26 2024 mdecimus - 0.12.0-1
- Major release: Added collaboration features (CalDAV, CardDAV, WebDAV)
- Added peer-to-peer cluster coordination with Kafka, NATS, Redis support
- Added incremental caching and zero-copy deserialization
- Added XOAUTH2 SASL mechanism and RFC9698 JMAPACCESS extension for IMAP
- Added spam training when sender is in user's address book
- Breaking changes: Deprecated gossip protocol, renamed settings
- Fixed allow undiscovered UIDs in IMAP COPY/MOVE operations
- Fixed MySQL TLS support and nested transactions issue

* Mon Jan 06 2024 mdecimus - 0.11.0-1
- Major release: Spam filter rewritten in Rust for performance improvement
- Added spam/ham training when moving between inbox and spam folders
- Added improved distributed locking and large SMTP queue handling
- Added ASN and GeoIP lookups, bulk operations REST endpoints
- Added faster S3-FIFO caching and Delivered-To header support
- Added semver compatibility checks and sharded in-memory store
- Breaking changes to configuration file
- Fixed OpenPGP EOF error and LDAP email mapping issues

* Wed Dec 04 2024 mdecimus - 0.10.7-1
- Added delivery and DMARC troubleshooting support
- Added external email addresses on mailing lists support
- Added Azure blob storage support
- Fixed mails cannot be moved out of junk folder
- Fixed UTF8 support in IMAP4rev1 and Sieve script issues
- Fixed missing User-Agent header for ACME

* Sat Oct 05 2024 mdecimus - 0.10.4-1
- Added port scanner and abuse detection with auto-ban
- Added ACME External Account Binding support
- Changed server.fail2ban.* settings to server.auto-ban.*
- Fixed SPF failure reports to local domains
- Fixed OAuth nonce in code requests

* Wed Oct 02 2024 mdecimus - 0.10.2-1
- Added OpenID Connect server and dynamic client registration
- Added OAuth 2.0 token introspection (RFC7662)
- Added contact form submission handling
- Fixed missing LIST-STATUS from RFC5819 in IMAP capability
- Fixed tenant domain deletion with active members

* Sat Sep 21 2024 mdecimus - 0.10.0-1
- Major release: Added multi-tenancy and branding (Enterprise features)
- Added roles and permissions system
- Added full-text search re-indexing and partial database backups
- Breaking changes to account storage format
- Fixed IMAP IDLE support for command pipelining (Apple Mail iOS 18 bug)
- Fixed case insensitive INBOX fileinto

* Thu Aug 08 2024 mdecimus - 0.9.1-1
- Added metrics support with OpenTelemetry and Prometheus exporters
- Added HTTP endpoint access controls
- Fixed Forwarded and X-Forwarded-For header parsing
- Fixed DKIM macro resolution in DNS record generation
- Fixed is_local_domain Sieve function

* Thu Aug 01 2024 mdecimus - 0.9.0-1
- Added improved and faster tracing and logging
- Added customizable event logging levels
- Breaking changes to Webhooks configuration and log output
- Fixed ManageSieve STARTTLS capability response
- Fixed Milter macro authentication handling

* Sun Jul 07 2024 mdecimus - 0.8.5-1
- Added restore deleted emails (Enterprise Edition)
- Added Kubernetes livenessProbe and readinessProbe endpoints
- Fixed refresh old FoundationDB read transactions
- Fixed subscribing shared mailboxes

* Mon Jul 01 2024 mdecimus - 0.8.3-1
- Added two-factor authentication with TOTP
- Added application passwords and account disable option
- Fixed ManageSieve GETSCRIPT response formatting
- Fixed POP3 QUIT response requirement

* Sat Jun 22 2024 mdecimus - 0.8.2-1
- Added webhooks and MTA hooks support
- Added manual spam classifier training and testing
- Added configurable default mailbox names and roles
- Enhanced Milter support on all SMTP stages
- Fixed incoming reports storage and ManageSieve SASL authentication

* Thu May 23 2024 mdecimus - 0.8.1-1
- Added POP3 support and DKIM signature length exploit protection
- Added faster email deletion and auto-expunge for Junk/Trash folders
- Added IP allowlists and HTTP Strict Transport Security
- Fixed IP address false positives in spam detection
- Fixed JMAP identity signature handling

* Mon May 13 2024 mdecimus - 0.8.0-1
- Major release: Added clustering with auto-discovery and failure detection
- Added autoconfig and MS Autodiscover support
- Added MTA-STS policy management and TLSA records for DANE
- Added master user support and queued message visualization
- Breaking changes: Different database layout, incompatible with previous versions
- Fixed MySQL TLS support and SMTP AUTH=LOGIN compatibility