From a45d64d4ed52c7f987f3c3306004eea51cc4b848 Mon Sep 17 00:00:00 2001
From: Ronni Baslund <rhb@vdoc.dk>
Date: Thu, 11 Jun 2026 08:41:19 +0200
Subject: [PATCH] fix(portal): Apple profile labels derive from the user's
 domain
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

'dezky mail (…)' in the customer's account list is the same white-label
leak as 'Stalwart Calendar' one layer up — partner tenants must see THEIR
domain, not the platform brand. Every user-visible label in the
.mobileconfig (account descriptions, payload names, organization) now
derives from the address's own domain.
---
 .../portal/server/api/apple-mailconfig.get.ts | 21 ++++++++++++-------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/apps/portal/server/api/apple-mailconfig.get.ts b/apps/portal/server/api/apple-mailconfig.get.ts
index 82a202d..35221cf 100644
--- a/apps/portal/server/api/apple-mailconfig.get.ts
+++ b/apps/portal/server/api/apple-mailconfig.get.ts
@@ -41,6 +41,11 @@ export default defineEventHandler(async (event) => {
   const mailHost = new URL(useRuntimeConfig().public.mailUrl as string).host
   // The regex above guarantees an @, but noUncheckedIndexedAccess doesn't know.
   const localPart = email.split('@')[0] ?? email
+  // All user-visible labels derive from the address's own domain — this is a
+  // white-label platform, so neither "dezky" nor "Stalwart" may appear in a
+  // customer's account list.
+  const domain = email.split('@')[1] ?? mailHost
+  const d = xmlEscape(domain)
   const accountUuid = randomUUID()
   const caldavUuid = randomUUID()
   const carddavUuid = randomUUID()
@@ -56,7 +61,7 @@ export default defineEventHandler(async (event) => {
   <key>PayloadContent</key>
   <array>
     <dict>
-      <key>EmailAccountDescription</key><string>dezky mail (${e})</string>
+      <key>EmailAccountDescription</key><string>${d}</string>
       <key>EmailAccountName</key><string>${n}</string>
       <key>EmailAccountType</key><string>EmailTypeIMAP</string>
       <key>EmailAddress</key><string>${e}</string>
@@ -75,33 +80,33 @@ export default defineEventHandler(async (event) => {
       <key>PreventMove</key><false/>
       <key>SMIMEEnabled</key><false/>
       <key>PayloadDescription</key><string>Configures the ${e} mail account.</string>
-      <key>PayloadDisplayName</key><string>dezky mail</string>
+      <key>PayloadDisplayName</key><string>Mail (${d})</string>
       <key>PayloadIdentifier</key><string>eu.dezky.mail.${xmlEscape(localPart)}</string>
       <key>PayloadType</key><string>com.apple.mail.managed</string>
       <key>PayloadUUID</key><string>${accountUuid}</string>
       <key>PayloadVersion</key><integer>1</integer>
     </dict>
     <dict>
-      <key>CalDAVAccountDescription</key><string>dezky calendar (${e})</string>
+      <key>CalDAVAccountDescription</key><string>${d} calendar</string>
       <key>CalDAVHostName</key><string>${h}</string>
       <key>CalDAVPort</key><integer>443</integer>
       <key>CalDAVUseSSL</key><true/>
       <key>CalDAVUsername</key><string>${e}</string>
       <key>PayloadDescription</key><string>Configures the ${e} calendar account.</string>
-      <key>PayloadDisplayName</key><string>dezky calendar</string>
+      <key>PayloadDisplayName</key><string>Calendar (${d})</string>
       <key>PayloadIdentifier</key><string>eu.dezky.caldav.${xmlEscape(localPart)}</string>
       <key>PayloadType</key><string>com.apple.caldav.account</string>
       <key>PayloadUUID</key><string>${caldavUuid}</string>
       <key>PayloadVersion</key><integer>1</integer>
     </dict>
     <dict>
-      <key>CardDAVAccountDescription</key><string>dezky contacts (${e})</string>
+      <key>CardDAVAccountDescription</key><string>${d} contacts</string>
       <key>CardDAVHostName</key><string>${h}</string>
       <key>CardDAVPort</key><integer>443</integer>
       <key>CardDAVUseSSL</key><true/>
       <key>CardDAVUsername</key><string>${e}</string>
       <key>PayloadDescription</key><string>Configures the ${e} contacts account.</string>
-      <key>PayloadDisplayName</key><string>dezky contacts</string>
+      <key>PayloadDisplayName</key><string>Contacts (${d})</string>
       <key>PayloadIdentifier</key><string>eu.dezky.carddav.${xmlEscape(localPart)}</string>
       <key>PayloadType</key><string>com.apple.carddav.account</string>
       <key>PayloadUUID</key><string>${carddavUuid}</string>
@@ -109,9 +114,9 @@ export default defineEventHandler(async (event) => {
     </dict>
   </array>
   <key>PayloadDescription</key><string>Sets up ${e} in Apple Mail, Calendar and Contacts. You'll be asked for the mailbox password during installation.</string>
-  <key>PayloadDisplayName</key><string>dezky mail — ${e}</string>
+  <key>PayloadDisplayName</key><string>${d} — mail, calendar &amp; contacts (${e})</string>
   <key>PayloadIdentifier</key><string>eu.dezky.profile.${xmlEscape(localPart)}</string>
-  <key>PayloadOrganization</key><string>dezky</string>
+  <key>PayloadOrganization</key><string>${d}</string>
   <key>PayloadRemovalDisallowed</key><false/>
   <key>PayloadType</key><string>Configuration</string>
   <key>PayloadUUID</key><string>${profileUuid}</string>