BackendCombined login is all-or-nothing, and Stalwart returns 404 for
/dav/card/<account>/ when the account's default address book was never
created (it doesn't auto-create on the gateway's PROPFIND the way the
calendar home worked) — so CardDAV killed every otherwise-successful
EAS login. Exchange accounts now bundle mail + calendar; contacts stay
on the Apple-profile CardDAV path. Re-enable BackendCardDAV once
platform-api provisions a default address book at mailbox creation.
Copy/docs aligned: portal hint, SERVICES.md, website FAQ (da+en).
include/z_caldav.php needs XMLDocument.php from AWL (Andrew's Web
Libraries); the Debian z-push packages pull php-awl in automatically
but bookworm dropped the package, so vendor it from upstream at
r0.65 into /usr/share/awl/inc (already on Z-Push's include_path).
Only surfaces on *authenticated* requests: combined login hits IMAP
first, so fake-credential smoke tests never reach the CalDAV class.
Hardening from the same incident: a build-time class-load smoke test
fails the image if any backend dependency is missing, and
zend.exception_ignore_args stops uncaught fatals from logging the
raw passwords Z-Push passes through Logon().
The replacement imap.config.php omitted constants the backend
references unconditionally — SYSTEM_MIME_TYPES_MAPPING 500'd every
authenticated request (backend construction, before login, so the
unauthenticated 401 smoke tests never hit it). Define all remaining
upstream constants with their defaults so the replacement file can
never be narrower than the template it replaces.
Wraps Stalwart in EAS so iOS/Android native Mail/Calendar 'Exchange'
accounts get two-way mail+calendar+contacts sync (BackendCombined:
IMAP + CalDAV /dav/cal/%l/ + CardDAV, credentials pass through).
- services/zpush: Z-Push 2.6.4 (AGPLv3, see LICENSE-NOTES.md) on
php:8.2-apache-bookworm (trixie dropped libc-client); PHP 8 sysv
sprintf fatal sed-patched; autodiscover dispatcher answers
mobilesync schema, proxies outlook schema to Stalwart unchanged
- prod: zpush Deployment (replicas:1, Recreate — file sync state),
/Microsoft-Server-ActiveSync Ingress on mail.dezky.eu (no redirect,
POST-heavy), autodiscover.dezky.eu repointed to the dispatcher,
selectorless stalwart-imaps/-smtps Services (host-Stalwart is
implicit-TLS only: 993/465, no plain 143/587 — verified on node1)
- CI: build+deploy zpush like the other apps
EAS tops out at 14.1: covers native mobile clients, NOT the Outlook
mobile app (needs 16.1) and not new Outlook for Windows (no EAS).
Ronni Baslund