4 # Program to install and configure Ian's email related programs
5 # Copyright (C) 2024 Ian Kelling
7 # This program is free software: you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 # SPDX-License-Identifier: GPL-3.0-or-later
23 # on bk (and fsf servers that run multiple exim4 daemons, eg eximfsf2 and eximfsf3),
24 # make it so that when exim is restarted due to package upgrades,
25 # we also restart those daemons, which can be done like so, based on looking
26 # at the prerm and postinst scripts of exim4-daemon-heavy.
28 # if [[ ! -e /usr/sbin/invoke-rc.d-diverted ]]; then
29 # mv /usr/sbin/invoke-rc.d /usr/sbin/invoke-rc.d-diverted
30 # dpkg --divert /usr/sbin/invoke-rc.d-diverted --no-rename /usr/sbin/invoke-rc.d
32 # /usr/sbin/invoke-rc.d:
34 # if [[ DPKG_MAINTSCRIPT_PACKAGE == exim4* && $1 == exim4 ]]; then
37 # for daemon in exim4 eximfsf2 eximfsf3; do
38 # /usr/sbin/invoke-rc.d-diverted $daemon "$@" || ret=$?
41 # /usr/sbin/invoke-rc.d-diverted "$@"
44 # Things I tend to forget. on MAIL_HOST, daemon runs with /etc/exim4/nn-mainlog.conf,
45 # due to /etc/default/exim4 containing:
46 # COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
47 # UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
49 # The non-daemon config
50 # gets generated from this script calling update-exim4.conf -d /etc/nond-exim4
52 # log_file_path = /var/log/exim4/nond%s
54 # On non bk|MAIL_HOST, the config and log file are all standard.
56 # eximbackup folder is /bu/md
57 # it is cleaned up by mail-backup-clean, which is run by btrbk-run
59 # shellcheck disable=SC2254 # makes for a lot of unneeded quotes
62 # perusing through /el/mainlog without test messages:
63 # &!testignore|jtuttle|
65 #&! testignore|jtuttle|eximbackup|/usr/sbin/exim4 -bpu
67 # todo: this message seems to get dropped on the floor, it was due to a missing 2nd colon in
68 # condition = ${if def:h_fdate:}
69 # Figure out how to avoid this message being discarded.
71 # 2023-09-12 01:41:43 [722371] 1qfw9f-0031v9-0S <= ian@iankelling.org U=iank P=local S=483 id=87cyyogd7t.fsf@iankelling.org T="iank2" from <ian@iankelling.org> for testignore@amnimal.ninja
72 # 2023-09-12 01:41:43 [722373] 1qfw9f-0031v9-0S H=nn.b8.nz [10.173.8.2]: SMTP error from remote mail server after pipelined end of data: 451 Temporary local problem - please try later
73 # 2023-09-12 01:41:43 [722372] 1qfw9f-0031v9-0S == testignore@amnimal.ninja R=smarthost T=remote_smtp_smarthost defer (-46) H=nn.b8.nz [10.173.8.2] DT=0s: SMTP error from remote mail server after pipelined end of data: 451 Temporary local problem - please try later
75 # todo: check new macro DKIM_TIMESTAMPS
77 # todo: check if REMOTE_SMTP_INTERFACE or REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE can simplify my or fsfs config
79 # todo: max line length macro changed in t11. look into it
80 # todo: check that all macros we use are still valid in t11
82 # todo: setup an alert for bouncing test emails.
84 # todo: bounces to my fsf mail can come from fsf@iankelling.org,
85 # think about making bounces go from the original address.
87 # todo: add a prometheus alert for dovecot.
89 # todo: handle errors like this:
90 # Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
91 # Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
92 #eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago
93 #Debian-+ 1954 1 0 36231 11560 4 Apr02 ? 00:40:25 /usr/sbin/exim4 -bd -q30m
94 #Debian-+ 23058 1954 0 36821 10564 0 20:38 ? 00:00:00 /usr/sbin/exim4 -bd -q30m
96 # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
97 # todo: consider hardening cups listening on 0.0.0.0
98 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
100 # todo: hosts should only allow external mail that is authed and
101 # destined for backup route. it is a minor issue since traffic is
102 # limited to the wghole network.
104 # todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist
105 # instead of a simple rejection like it should.
107 # todo: run mailping test after running, or otherwise
108 # clear out terminal alert
110 # todo: disable postgrey. (why did we have it?)
112 # todo: in testforward-check, we should also look
114 # todo: test that bounces dont help create valid mailtest-check
116 # todo: move mail stuff in distro-end into this file
118 # todo: consider rotating dkim & publishing key so every past email I sent
119 # isnt necessarily signed
121 # todo: consider how to get clamav out of Debian-exim group
122 # so it cant read/write the whole mail spool, for better
125 # todo: create a cronjob to update or warn on expiring dnssec keys
127 # todo: we should test failed mail daily or so
128 # failed cronjob, failed sysd-log-once,
129 # a local bounce from a cronjob, a local bounce
130 # to a bad remote address, perhaps a local failure
131 # when the sending daemon is down.
132 # And send an alert email if no alerts have been sent
133 # in 2 or 3 days or something. todo, test cron mail on li.
135 # todo: look at mailinabox extra dns records, note these changelogs:
136 # - An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
137 # - The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
140 # todo: mailtest-check failure on remote hosts is not going to alert me.
142 # todo: test mail failure as well as success.
144 # todo: validate that mailtest-check is doing dnsbl checks.
146 # background: I want to run exim in a network namespace so it can send
147 # and receive through a vpn. This is needed so it can do ipv6, because
148 # outside the namespace if we dont have ipv6, to send ipv6 through the
149 # vpn, we have to send all our ipv6 through the vpn. I did this for a
150 # long time, it was fine, but it causes various pains, like increased
151 # latency, increased recaptcha because my ip is from a data center, just
152 # various issues I dont want on all the time. The problem with the
153 # namespace is that all kinds of programs want to invoke exim, but they
154 # wont be in the namespace. I could replace exim with a wrapper that
155 # jumps into the namespace, i tried that, it works fine. One remaining
156 # problem was that I would have needed to hook into exim upgrades to
157 # move exim and replace it with my wrapper script. Also, my script to
158 # join the namespace is not super reliable because it uses a pgrep.
159 # Instead, I should have created a systemd service for a process that
160 # will never die and just writes its pid somewhere convenient.
161 # That implementation
165 # user ALL=(ALL) /usr/sbin/exim4
167 # move exim4 to eximian, use this script for exim4:
170 # if ip a show veth1-mail &>/dev/null; then
171 # /usr/sbin/eximian "$@"
175 # if [[ $USER && $USER != root ]]; then
178 # pid=$(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf")
180 # sudo nsenter -t $pid -n -m sudo -u $USER /usr/sbin/eximian "$@"
182 # nsenter -t $pid -n -m /usr/sbin/eximian "$@"
186 # an alternate solution: there is a small setguid program for
187 # network namespaces in my bookmarks.
189 # However, the solution I went with is: have 2 exim
190 # configs. A nonstandard location for the daemon that runs
191 # in the namespace. For all other invocations, it uses
192 # the default config location, which is altered to be
193 # in a smarthost config which sends mail to the deaemon.
195 # I have a bash function, enn to invoke exim like the daemon is running.
196 # and mailbash to just enter its network namespace.
198 if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi
202 if [[ -s /usr
/local
/lib
/bash-bear
]]; then
203 source /usr
/local
/lib
/bash-bear
204 elif [[ -s /a
/bin
/bash-bear-trap
/bash-bear
]]; then
205 source /a
/bin
/bash-bear-trap
/bash-bear
207 echo "no err tracing script found"
210 source /a
/bin
/distro-functions
/src
/identify-distros
211 source /a
/bin
/distro-functions
/src
/package-manager-abstractions
213 # has nextcloud_admin_pass in it
214 f
=/p
/c
/machine_specific
/$HOSTNAME/mail
216 # shellcheck source=/p/c/machine_specific/bk/mail
221 [[ $EUID == 0 ]] ||
exec sudo
-E "${BASH_SOURCE[0]}" "$@"
223 # note, this is hardcoded in /etc/exim4/conf.d/main/000_local
229 Usage: ${0##*/} anything_here_to_debug
230 Setup exim4 & dovecot & related things
232 -h|--help Print help and exit.
237 # debug output if we pass any arg
243 ####### instructions for icedove #####
244 # Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password,
245 # then click advanced so it accepts it.
246 # we could also just use 127.0.0.1 with no ssl
248 # hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
249 # background: dovecot does not yet have ocsp stapling support
250 # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
252 # for phone, k9mail, fdroid, same thing but username alerts, pass in ivy-pass.
253 # also, bk.b8.nz for secondary alerts, username is iank. same alerts pass.
254 # fetching mail settings: folder poll frequency 10 minutes.
255 # account settings, fetching mail, push folders: All. Then disable the persistent notification.
259 # * perstent password instructions Note: for cert cron, we need to
260 # manually run first to accept known_hosts
263 # # for hosts which have all private files I just use the same user
264 # # for other hosts, each one get\'s their own password.
265 # # for generating secure pass, and storing for server too:
268 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
269 # s sed -i "/^$host:/d" /p/c/filesystem/etc/exim4/passwd
270 # echo "$host:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
271 # #reference: exim4_passwd_client(5)
272 # dir=/p/c/machine_specific/$host/filesystem/etc/exim4
274 # echo "mail.iankelling.org:$host:$(<$f)" > $dir/passwd.client
275 # # then run this script
277 # # dovecot password, i just need 1 as I\'m the only user
278 # mkdir /p/c/filesystem/etc/dovecot
279 # echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users
281 ####### end perstent password instructions ######
285 # # Remove 1 level of comments in this section, set the domain var
286 # # for the domain you are setting up, then run this and copy dns settings
288 # domain=iankelling.org
289 # c /p/c/filesystem/etc/exim4
290 # # this has several bugs addressed in comments, but it was helpful
291 # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
293 # openssl genrsa -out $domain-private.pem 2048
294 # # Then, to get the public key strings to put in bind:
296 # # selector is needed for having multiple keys for one domain.
297 # # I dun do that, so just use a static one: li
298 # # Debadmin page does not have v=, fastmail does, and this
299 # # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
300 # # https://www.ietf.org/rfc/rfc6376.txt
301 # # Join and print all but first and last line.
302 # # last line: swap hold & pattern, remove newlines, print.
303 # # lines 2+: append to hold space
304 # echo "bind txt record: remember to truncate $domain so its relative to the bind zone"
306 # a._domainkey.$domain TXT (
307 # "v=DKIM1\059 k=rsa\059 p=$(openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1"\n"\2/p};3,$H')" )
309 # # sed explanation: skip the first few lines, then put them into the hold space, then
310 # # on the last line, back to the patern space, remove the newlines, then add a newline
311 # # at the last char - 240, because bind txt records need strings <=255 chars,
312 # # other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
313 # # leaves us a bit of extra room at the end and a bunch at the beginning.
315 # # selector was also put into /etc/exim4/conf.d/main/000_local,
319 # # 2017-02 dmarc policies:
320 # # host -t txt _dmarc.gmail.com
321 # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
322 # # there were articles claiming gmail would be changing
323 # # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
324 # # expected to cause problems
325 # # with a few old mailing lists, copying theirs for now.
327 # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
331 # # 2017-02 spf policies:
332 # # host -t txt lists.fedoraproject.org
333 # # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
334 # # i include fastmail\'s settings, per their instructions,
335 # # and follow their policy. In mail in a box, or similar instructions,
336 # # I\'ve seen recommended to not use a restrictive policy.
338 # # to check if dns has updated, you do
339 # host -a mesmtp._domainkey.$domain
342 # # setting it to iankelling.org would work the same, but this
343 # # is more flexible, I could change where mail.iankelling.org pointed.
345 # mx records, 2 records each, for * and empty domain
346 # pri 10 mail.iankelling.org
350 # from brc2, run dnsecgen then dsign, update named.local.conf, publish keys to registrar
352 # * functions & constants
354 pre
="${0##*/}:${SSH_CLIENT:+ $HOSTNAME:}"
355 m
() { printf "$pre %s\n" "$*"; "$@"; }
356 e
() { printf "$pre %s\n" "$*"; }
357 err
() { printf "$pre %s\n" "$*" >&2; exit 1; }
360 # This file is so if we fail in the middle and rerun, we dont lose state
361 if [[ -e /var
/local
/mail-setup-reload
]]; then
365 source /a
/bin
/fai
/fai
/config
/distro-install-common
/bash-misc-funcs
367 key
="$1" value
="$2" section
="$3"
368 file="/etc/radicale/config"
369 sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
373 # ignore services that dont exist
374 if systemctl
cat $service &>/dev
/null
; then
375 m systemctl disable
--now $service
382 m systemctl restart
$service
383 # Optimization for exim,
384 # is-enabled: 0m0.015s
386 # It is related to this message:
387 # exim4.service is not a native service, redirecting to systemd-sysv-install.
388 # Executing: /lib/systemd/systemd-sysv-install enable exim4
389 enabled
=$
(systemctl is-enabled
$service 2>/dev
/null ||
:)
390 if [[ $enabled != enabled
]]; then
391 m systemctl
enable $service
396 [[ $HOSTNAME == "$MAIL_HOST" ]]
400 if systemctl is-active
$service >/dev
/null
; then
401 m systemctl restart
$service
407 if systemctl is-active
$service >/dev
/null
; then
408 m systemctl stop
$service
413 mxhost
=mx.iankelling.org
416 # old setup. left as comment for example
417 # mxhost=mail.messagingengine.com
419 # forward=ian@iankelling.org
421 smarthost
="$mxhost::$mxport"
422 uhome
=$
(eval echo ~
$u)
424 # Somehow on one machine, a file got written with 664 perms.
425 # just being defensive here.
428 source /a
/bin
/bash_unpublished
/source-state
429 if [[ ! $MAIL_HOST ]]; then
430 err
"\$MAIL_HOST not set"
436 kd|x2|x3|kw|sy|bo|so
)
442 # * Install universal packages
445 # installs epanicclean iptables-exim ip6tables-exim
446 /a
/bin
/ds
/install-my-scripts
448 if [[ $
(debian-codename-compat
) == bionic
]]; then
449 cat >/etc
/apt
/preferences.d
/spamassassin
<<'EOF'
450 Package: spamassassin sa-compile spamc
451 Pin: release n=focal,o=Ubuntu
458 systemctl
cat $1 &>/dev
/null
460 spamd-timer-exists
() {
461 unit-exists spamassassin-maintenance.timer
464 # name change in t12, and now timer instead of cron option in /etc/default
465 first_spamd_run
=false
466 if ! spamd-timer-exists
; then
471 # light version of exim does not have sasl auth support.
472 # note: for bitfolk hosts, unbound has important config with conflink.
473 pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard
476 if systemctl
cat spamassassin
&>/dev
/null
; then
477 spamd_ser
=spamassassin
478 elif $first_spamd_run; then
479 if spamd-timer-exists
; then
480 systemctl start spamassassin-maintenance
484 if spamd-timer-exists
; then
485 systemctl
enable --now spamassassin-maintenance.timer
488 # note: pyzor debian readme says you need to run some initialization command
490 pi spf-tools-perl p0f pyzor razor jq moreutils certbot fail2ban
494 # not included due to using wireguard: openvpn
495 *) pi wget git
unzip iptables
;;
497 # bad packages that sometimes get automatically installed
498 pu openresolv resolvconf
503 if [[ $
(debian-codename
) == etiona
]]; then
504 # ip6tables stopped loading on boot. openvpn has reduced capability set,
505 # so running iptables as part of openvpn startup wont work. This should do it.
506 pi iptables-persistent
507 cat >/etc
/iptables
/rules.v6
<<'EOF'
514 m ip6tables
-S >/dev
/null
517 # our nostart pi fails to avoid enabling
521 # * initial dns config & daemon setup
523 # use systemd-resolved for glibc resolutions, setup symlinks
527 # if this link gets replaced with a normal file we will get exim log
528 # errors on MAIL_HOST like so:
530 # R=fsfsmarthost defer (-36) DT=0s: host lookup for mail.fsf.org did not complete (DNS timeout?)
532 if [[ ! -L /etc
/nsswitch.conf
]]; then
533 sudo mkdir
-p /etc
/resolved-nsswitch
534 sudo
mv /etc
/nsswitch.conf
/etc
/resolved-nsswitch
535 sudo
ln -sf /etc
/resolved-nsswitch
/nsswitch.conf
/etc
538 f
=/etc
/basic-nsswitch
/nsswitch.conf
539 if [[ ! -e $f ]]; then
540 sudo mkdir
-p ${f%/*}
541 sudo
cp /etc
/nsswitch.conf
$f
542 sudo
sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
546 # je should be able to get along systemd-resolved, but ive had some odd
547 # very intermittent dns failures with spamassassin, it seems it might only
548 # be happening with systemd-resolved, so just use unbound
549 # to make it consistent with the other hosts.
550 sudo
sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc
/nsswitch.conf
551 soff systemd-resolved
552 sudo
ln -sf 127.0.0.1-resolv/stub-resolv.conf
/etc
/resolv.conf
554 # cautious measure to make sure resolution is working
559 # files mdns4_minimal [NOTFOUND=return] dns myhostname
560 # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
561 # https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
562 # seems more important than some potential use case.
563 # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
564 # removing files makes hostname -f not actually give the fully qualified domain name.
565 sudo
sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc
/resolved-nsswitch
/nsswitch.conf
576 u
/etc
/apparmor.d
/abstractions
/nameservice.d
/iank
<<'EOF'
577 /etc/resolved-nsswitch/nsswitch.conf r,
578 /etc/basic-nsswitch/nsswitch.conf r,
579 # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
580 # I dont know if this is quite the right fix, but I saw other sockets
581 # in the nameservice files that were rw, so figured it was ok to add this and it worked.
582 /run/systemd/resolve/io.systemd.Resolve rw,
585 if $ur && systemctl is-active apparmor
; then
586 m systemctl reload apparmor
591 # * Mail clean cronjob
593 u
/etc
/systemd
/system
/mailclean.timer
<<'EOF'
595 Description=Run mailclean daily
601 WantedBy=timers.target
604 u
/etc
/systemd
/system
/mailclean.service
<<EOF
606 Description=Delete and archive old mail files
607 After=multi-user.target
612 ExecStart=/usr/local/bin/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
618 u
/etc
/default
/postgrey
<<'EOF'
619 POSTGREY_OPTS="--exim --unix=/var/run/postgrey/postgrey.sock --retry-window=4 --max-age=60"
624 # old file. remove when all hosts updated, 2023-09-11
625 rm -fv /etc
/exim
4/conf.d
/clamav_data_acl
627 m usermod
-a -G Debian-exim clamav
629 u
/etc
/systemd
/system
/clamav-daemon.service.d
/fix.conf
<<EOF
631 ExecStartPre=-/bin/mkdir -p /var/run/clamav
632 ExecStartPre=/bin/chown clamav /var/run/clamav
638 #vpnser=mailvpn.service
639 # note: this hangs if it cant resolv the endpoint. we
640 # want it to just retry in the background. i just use a static ip instead.
642 # Note: at least on t10, on reboot, the service fails to come up according to systemd, but
643 # in reality it is up and working, then it tries to restart infinitely, and fails
644 # because it detects that the interface exists.
648 # Aug 02 21:59:27 sy wg-quick[2092]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
649 # Aug 02 21:59:27 sy wg-quick[2248]: [#] iptables-restore -n
650 # Aug 02 21:59:27 sy wg-quick[2249]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
651 # Aug 02 21:59:27 sy wg-quick[2259]: [#] iptables-restore -n
652 # Aug 02 21:59:27 sy wg-quick[2260]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
653 # Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=4/NOPERMISSION
657 # Aug 03 14:12:47 sy wg-quick[711336]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
658 # Aug 03 14:12:47 sy wg-quick[711384]: [#] iptables-restore -n
659 # Aug 03 14:12:47 sy wg-quick[711336]: [#] ping -w10 -c1 10.8.0.1 ||:
660 # Aug 03 14:12:47 sy wg-quick[711389]: PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
661 # Aug 03 14:12:47 sy wg-quick[711389]: 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=73.0 ms
662 # Aug 03 14:12:47 sy wg-quick[711389]: --- 10.8.0.1 ping statistics ---
663 # Aug 03 14:12:47 sy wg-quick[711389]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
664 # Aug 03 14:12:47 sy wg-quick[711389]: rtt min/avg/max/mdev = 72.993/72.993/72.993/0.000 ms
665 # Aug 03 14:12:47 sy systemd[1]: Finished WireGuard via wg-quick(8) for wgmail.
666 # Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
667 # Aug 02 21:59:27 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.
668 # Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Scheduled restart job, restart counter is at 1.
669 # Aug 02 21:95:47 sy systemd[1]: Stopped WireGuard via wg-quick(8) for wgmail.
670 # Aug 02 21:59:47 sy systemd[1]: Starting WireGuard via wg-quick(8) for wgmail...
671 # Aug 02 21:59:47 sy wg-quick[3424]: wg-quick: `wgmail' already exists
672 # Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=1/FAILURE
673 # Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
674 # Aug 02 21:59:47 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.
677 # According to iptables -S and iptables -t nat -S,
678 # there are no modifications to iptables rules on a succsfull run,
681 vpnser
=wg-quick@wgmail.service
685 rsync
-aiSAX --chown=root
:root
--chmod=g-s
/p
/c
/filesystem
/etc
/wireguard
/ /etc
/wireguard
686 bindpaths
="/etc/127.0.0.1-resolv:/run/systemd/resolve /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind"
689 bindpaths
="/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv"
692 d
=/p
/c
/machine_specific
/$HOSTNAME/filesystem
/etc
/wireguard
/
694 rsync
-aiSAX --chown=root
:root
--chmod=g-s
$d /etc
/wireguard
702 u
/etc
/systemd
/system
/wg-quick@wgmail.service.d
/override.conf
<<EOF
704 Requires=mailnn.service
705 JoinsNamespaceOf=mailnn.service
706 BindsTo=mailnn.service
707 StartLimitIntervalSec=0
711 # i dont think we need any of these, but it doesnt hurt to stay consistent
721 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
722 u
/etc
/systemd
/system
/mailvpn.service
<<EOF
724 Description=OpenVPN tunnel for mail
725 After=syslog.target network-online.target mailnn.service
726 Wants=network-online.target
727 Documentation=man:openvpn(8)
728 Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
729 Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
730 # needed to continually restatr
731 JoinsNamespaceOf=mailnn.service
732 BindsTo=mailnn.service
733 StartLimitIntervalSec=0
737 RuntimeDirectory=openvpn-client
738 RuntimeDirectoryMode=0710
739 WorkingDirectory=/etc/openvpn/client
740 ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
741 #CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
743 # DeviceAllow=/dev/null rw
744 # DeviceAllow=/dev/net/tun rw
746 # in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
748 # https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
749 # there is a workaround there, but i dont think its really worth it,
750 # the mail server is fine with a static dns anyways.
751 # This thread is also interesting,
752 # https://github.com/slingamn/namespaced-openvpn/issues/7
753 # todo: the iptables rule at the bottom could be useful to prevent
754 # dns from leaking in my network namespaced vpn.
755 # I also like the idea of patching systemd-resolved so it
756 # will listen on other interfaces, but its not worth my time.
759 # time to sleep before restarting a service
763 WantedBy=multi-user.target
766 u
/etc
/systemd
/system
/mailnnroute.service
<<'EOF'
768 Description=Network routing for mailnn
769 After=syslog.target network-online.target mailnn.service
770 Wants=network-online.target
771 JoinsNamespaceOf=mailnn.service
772 BindsTo=mailnn.service
773 StartLimitIntervalSec=0
779 ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
780 ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
786 WantedBy=multi-user.target
790 u
/etc
/systemd
/system
/mailnn.service
<<'EOF'
792 Description=Network Namespace for mail vpn service that will live forever and cant fail
793 After=syslog.target network-online.target
794 Wants=network-online.target
799 ExecStart=/bin/sleep infinity
802 WantedBy=multi-user.target
805 u
/etc
/systemd
/system
/mailbindwatchdog.service
<<EOF
807 Description=Watchdog to restart services relying on systemd-resolved dir
808 After=syslog.target network-online.target
809 Wants=network-online.target
810 BindsTo=mailnn.service
814 ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
816 # time to sleep before restarting a service
820 WantedBy=multi-user.target
826 rm -fv /etc
/systemd
/system
/openvpn-client-mail@.service
828 # We use a local unbound because systemd-resolved wont accept our
829 # request, it will only listen to 127.0.0.53 in the main network
830 # namespace, and rejected feature requests to change that (although I
831 # could change the code and recompile), but anyways, that could answer
832 # with things specific to the lan that aren't applicable in this
833 # namespace, and since unbound is a recursive resolver, it means we just
834 # use our own ip against dnsbl rate limits.
836 # If we ever notice this change, chattr +i on it
837 # trust-ad is used in t10+, glibc 2.31
839 u
/etc
/127.0.0.1-resolv/stub-resolv.conf
<<'EOF'
841 options edns0 trust-ad
844 u
/etc
/127.0.0.53-resolv/stub-resolv.conf
<<'EOF'
845 nameserver 127.0.0.53
846 options edns0 trust-ad
850 u
/etc
/10.173.8.1-resolv/stub-resolv.conf
<<'EOF'
851 nameserver 10.173.8.1
852 options edns0 trust-ad
855 # this is just a bug fix for trisquel.
856 f
=/etc
/apparmor.d
/usr.sbin.unbound
857 good_string
="/usr/sbin/unbound flags=(attach_disconnected) {"
858 if ! grep -qF "$good_string" $f; then
859 bad_string
="/usr/sbin/unbound {"
860 if ! grep -qF "$bad_string" $f; then
861 err expected line
in $f not found
863 sed -i "s,$bad_string$,$good_string," $f
864 if systemctl is-active apparmor
&>/dev
/null
; then
865 m systemctl reload apparmor
870 # note: anything added to nn_progs needs corresponding rm
871 # down below in the host switch
874 # Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
875 # Its in the nn so remote clients can connect to it.
876 nn_progs
+=($spamd_ser dovecot
)
881 # todo, should this be after vpn service
882 u
/etc
/systemd
/system
/unbound.service.d
/nn.conf
<<EOF
885 JoinsNamespaceOf=mailnn.service
886 BindsTo=mailnn.service
887 StartLimitIntervalSec=0
891 # note the nsswitch bind is actually not needed for bk, but
892 # its the same file so it does no harm.
899 # sooo, there are a few ways to get traffic from the mail network
900 # namespace to go over the wghole.
902 #1: unify the mail vpn and wghole
903 # into 1 network. this seems simple and logical, so I'm doing it.
904 # One general downside is tying things together, if I need to mess
905 # with one thing, it breaks the other. Oh well for now.
907 # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
909 # 3. We can setup the routing to happen on li, which seemed like I
910 # just needed to add 10.8.0.4/24 to AllowedIPs in at least the
911 # wghole clients, but I think that is kind of hacky and breaks ipv4
912 # routing within the mailvpn, it happened to work just because exim
913 # prefers ipv6 and that was also available in the mailvpn.
915 # 4. Put the hole interface into the mail network namespace. This
916 # doesn't work if the mail vpn is wg. For openvpn, it bypasses the
917 # vpn routing and establishes a direct connection. I only use the
918 # hole vpn for randomish things, it should be fine to join the mail
919 # nn for that. There should be some way to fix the routing issue
920 # by doing manual routing, but that doesn't seem like a good use of time.
922 # https://www.wireguard.com/netns/#
924 # for wireguard debugging
925 # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
930 for unit
in ${nn_progs[@]}; do
931 u
/etc
/systemd
/system
/$unit.service.d
/nn.conf
<<EOF
934 # Wants appears better than requires because with requires,
935 # if the vpnser fails to start, this service won't get run at
936 # all, even if the vpnser starts on an automatic restart.
939 After=network.target mailnn.service $vpnser
940 JoinsNamespaceOf=mailnn.service
941 BindsTo=mailnn.service
942 StartLimitIntervalSec=0
946 # note the nsswitch bind is actually not needed for bk, but
947 # its the same file so it does no harm.
956 for unit
in exim4
$spamd_ser dovecot unbound
; do
957 f
=/etc
/systemd
/system
/$unit.service.d
/nn.conf
966 # * wghole (another mail vpn)
969 u
/etc
/systemd
/system
/wg-quick@wghole.service.d
/override.conf
<<'EOF'
971 StartLimitIntervalSec=0
979 # * spamassassin config
980 u
/etc
/sysctl.d
/80-iank-mail.conf
<<'EOF'
982 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 120
988 u
/etc
/spamassassin
/mylocal.cf
<<'EOF'
989 # this is mylocal.cf because the normal local.cf has a bunch of upstream stuff i dont want to mess with
992 # /usr/share/doc/exim4-base/README.Debian.gz:
993 # SpamAssassin's default report should not be used in a add_header
994 # statement since it contains empty lines. (This triggers e.g. Amavis'
995 # warning "BAD HEADER SECTION, Improper folded header field made up
996 # entirely of whitespace".) This is a safe, terse alternative:
997 clear_report_template
998 report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN
999 uridnsbl_skip_domain iankelling.org
1000 uridnsbl_skip_domain amnimal.ninja
1001 uridnsbl_skip_domain expertpathologyreview.com
1002 uridnsbl_skip_domain zroe.org
1005 # 2020-10-19 remove old file. remove this when all hosts updated
1006 rm -fv /etc
/systemd
/system
/spamddnsfix.
{timer
,service
}
1008 u
/etc
/default
/$spamd_ser <<'EOF'
1009 # defaults plus debugging flags for an issue im having
1010 OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
1011 PIDFILE="/run/spamd.pid"
1013 NICE="--nicelevel 15"
1014 # not used in t12+, that uses
1015 # /usr/lib/systemd/system/spamassassin-maintenance.timer
1021 u
/etc
/spamassassin
/my_thishost.cf
<<'EOF'
1022 # note: these are duplicated in exim config
1023 # veth0/1 # bk bk_ip6
1024 internal_networks 10.173.8.1/32 10.173.8.2/32 85.119.83.50/32 2001:ba8:1f1:f0c9::2
1025 trusted_networks 10.173.8.1/32 10.173.8.2/32 85.119.83.50/32 2001:ba8:1f1:f0c9::2
1030 u
/etc
/spamassassin
/my_thishost.cf
<<'EOF'
1031 # note: these are duplicated in exim config
1032 # veth0/1 # je je_ipv6
1033 internal_networks 10.173.8.1/32 10.173.8.2/32 85.119.82.128/32 2001:ba8:1f1:f09d::2/128
1034 trusted_networks 10.173.8.1/32 10.173.8.2/32 85.119.82.128/32 2001:ba8:1f1:f09d::2/128
1038 u
/etc
/spamassassin
/my_thishost.cf
<<'EOF'
1039 # note: these are duplicated in exim config
1040 # veth0/1 # li li_ip6
1041 internal_networks 10.173.8.1/32 10.173.8.2/32 72.14.176.105/32 2600:3c00::f03c:91ff:fe6d:baf8/128
1042 trusted_networks 10.173.8.1/32 10.173.8.2/32 72.14.176.105/32 2600:3c00::f03c:91ff:fe6d:baf8/128
1047 ##### end spamassassin config
1050 # * Update mail cert
1053 ## needed only for openvpn mail vpn.
1054 # if [[ -e /p/c/filesystem ]]; then
1055 # # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
1056 # # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
1057 # # after my internet was down for a bit:
1058 # # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
1059 # m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
1062 # With openvpn, I didn't get around to persisting the openvpn
1063 # cert/configs into /p/c/machine_specific/bk, so I had this case to
1064 # manually get the cert. However, we aren't using openvpn anymore, so it
1069 # if [[ ! -e /etc/openvpn/client/mail.conf ]]; then
1070 # echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2
1076 m rsync
-aiSAX --chown=root
:root
--chmod=g-s
/a
/bin
/ds
/mail-cert-cron
/usr
/local
/bin
1078 u
/etc
/systemd
/system
/mailcert.service
<<'EOF'
1080 Description=Mail cert rsync
1081 After=multi-user.target
1085 ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
1087 u
/etc
/systemd
/system
/mailcert.timer
<<'EOF'
1089 Description=Run mail-cert once a day
1095 WantedBy=timers.target
1099 wghost
=${HOSTNAME}wg.b8.nz
1100 if $bhost_t && [[ ! -e /etc
/exim
4/certs
/$wghost/privkey.pem
]]; then
1101 certbot
-n --manual-public-ip-logging-ok --eff-email --agree-tos -m letsencrypt@iankelling.org \
1102 certonly
--manual --preferred-challenges=dns \
1103 --manual-auth-hook /a
/bin
/ds
/le-dns-challenge \
1104 --manual-cleanup-hook /a
/bin
/ds
/le-dns-challenge-cleanup \
1105 --deploy-hook /a
/bin
/ds
/le-exim-deploy
-d $wghost
1110 # todo: test that these configs actually work, eg run
1111 # s iptables-exim -S
1112 # and see someone is banned.
1114 sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \
1115 /etc
/fail2ban
/action.d
/iptables-multiport.conf| u
/etc
/fail2ban
/action.d
/iptables-exim.conf
1116 u
/etc
/fail2ban
/action.d
/iptables-common-exim.conf
<<'EOF'
1117 # iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim
1119 # Fail2Ban configuration file
1121 # Author: Daniel Black
1123 # This is a included configuration file and includes the definitions for the iptables
1124 # used in all iptables based actions by default.
1126 # The user can override the defaults in iptables-common.local
1128 # Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
1129 # made config file IPv6 capable (see new section Init?family=inet6)
1133 after = iptables-blocktype.local
1134 iptables-common.local
1135 # iptables-blocktype.local is obsolete
1139 # Option: actionflush
1140 # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
1143 actionflush = <iptables> -F f2b-<name>
1149 # Notes specifies the iptables chain to which the Fail2Ban rules should be
1151 # Values: STRING Default: INPUT
1154 # Default name of the chain
1159 # Notes.: specifies port to monitor
1160 # Values: [ NUM | STRING ] Default:
1165 # Notes.: internally used by config reader for interpolations.
1166 # Values: [ tcp | udp | icmp | all ] Default: tcp
1171 # Note: This is what the action does with rules. This can be any jump target
1172 # as per the iptables man page (section 8). Common values are DROP
1173 # REJECT, REJECT --reject-with icmp-port-unreachable
1175 blocktype = REJECT --reject-with icmp-port-unreachable
1177 # Option: returntype
1178 # Note: This is the default rule on "actionstart". This should be RETURN
1179 # in all (blocking) actions, except REJECT in allowing actions.
1183 # Option: lockingopt
1184 # Notes.: Option was introduced to iptables to prevent multiple instances from
1185 # running concurrently and causing irratic behavior. -w was introduced
1186 # in iptables 1.4.20, so might be absent on older systems
1187 # See https://github.com/fail2ban/fail2ban/issues/1122
1192 # Notes.: Actual command to be executed, including common to all calls options
1194 iptables = /usr/local/bin/iptables-exim <lockingopt>
1199 # Option: blocktype (ipv6)
1200 # Note: This is what the action does with rules. This can be any jump target
1201 # as per the iptables man page (section 8). Common values are DROP
1202 # REJECT, REJECT --reject-with icmp6-port-unreachable
1204 blocktype = REJECT --reject-with icmp6-port-unreachable
1206 # Option: iptables (ipv6)
1207 # Notes.: Actual command to be executed, including common to all calls options
1209 iptables = /usr/local/bin/ip6tables-exim <lockingopt>
1212 u
/etc
/fail2ban
/jail.d
/exim.
local <<'EOF'
1217 banaction = iptables-exim
1219 # 209.51.188.13 = mail.fsf.org
1220 # 2001:470:142::13 = mail.fsf.org
1221 # 209.51.188.92 = eggs.gnu.org
1222 # 2001:470:142:3::10 = eggs.gnu.org
1223 # 72.14.176.105 2600:3c00:e000:280::2 = mail.iankelling.org
1224 # 10.173.8.1 = non-nn net
1225 ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
1228 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
1229 if [[ ! -e /var
/log
/exim
4/mainlog
]]; then
1230 install -m 640 -o Debian-exim
-g adm
/dev
/null
/var
/log
/exim
4/mainlog
1232 m systemctl restart fail2ban
1235 # * common exim4 config
1238 ## old, not using forward files anymore
1239 rm -fv $uhome/.forward
/root
/.forward
1242 # Make all system users be aliases. preventative
1243 # prevents things like cron mail for user without alias
1244 awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ || $7 ~ /\/nologin$/ { print $1 }' /etc
/passwd|
while read -r user
; do
1245 if [[ ! $user ]]; then
1248 if ! grep -q "^$user:" /etc
/aliases
; then
1249 echo "$user: root" |m
tee -a /etc
/aliases
1254 awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /etc
/passwd|
while read -r user
; do
1257 sed -i "/^user:/d" /etc
/aliases
1260 if ! grep -q "^$user:" /etc
/aliases
; then
1261 echo "$user: root" |m
tee -a /etc
/aliases
1268 .
/a
/bin
/bash_unpublished
/priv-mail-setup
1271 m gpasswd
-a iank adm
#needed for reading logs
1273 ### make local bounces go to normal maildir
1274 # local mail that bounces goes to /Maildir or /root/Maildir
1275 dirs=(/m
/md
/bounces
/{cur
,tmp
,new
})
1276 m mkdir
-p ${dirs[@]}
1277 m chown iank
:iank
/m
/m
/md
1278 m
ln -sfT /m
/md
/m
/iank
1279 m
chmod 771 /m
/m
/md
1280 m chown
-R $u:Debian-exim
/m
/md
/bounces
1281 m
chmod 775 ${dirs[@]}
1282 m usermod
-a -G Debian-exim
$u
1283 for d
in /Maildir
/root
/Maildir
; do
1284 if [[ ! -L $d ]]; then
1287 m
ln -sf -T /m
/md
/bounces
$d
1290 # dkim, client passwd file
1291 files
=(/p
/c
/machine_specific
/$HOSTNAME/filesystem
/etc
/exim
4/*)
1292 f
=/p
/c
/filesystem
/etc
/exim
4/passwd.client
1293 if [[ -e $f ]]; then
1296 if (( ${#files[@]} )); then
1297 m rsync
-ahhi --chown=root
:Debian-exim
--chmod=0640 \
1298 ${files[@]} /etc
/exim4
1301 # By default, only 10 days of logs are kept. increase that.
1302 # And dont compress, I look back at logs too often and
1303 # dont need the annoyance of decompressing them all the time.
1304 m
sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc
/logrotate.d
/exim4-base
1305 files
=(/var
/log
/exim
4/*.gz
)
1306 if (( ${#files[@]} )); then
1310 ## disabled. not using .forward files, but this is still interesting
1312 # ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
1313 # # i only need .forwards, so just doing that one.
1314 # cd /etc/exim4/conf.d/router
1315 # b=userforward_higher_priority
1316 # # replace the router name so it is unique
1317 # sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
1318 rm -fv /etc
/exim
4/conf.d
/router
/175_userforward_higher_priority
1320 # todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?
1322 # alerts is basically the postmaster address
1323 m
sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
1324 \$a root: alerts@iankelling.org
1328 cat >/etc
/exim
4/conf.d
/rewrite
/34_iank_rewriting
<<'EOF'
1329 ncsoft@zroe.org graceq2323@gmail.com hE
1333 rm -fv /etc
/exim
4/conf.d
/retry
/37_retry
1335 cat >/etc
/exim
4/conf.d
/retry
/17_retry
<<'EOF'
1336 # Retry fast for my own domains
1337 iankelling.org * F,1d,1m;F,14d,1h
1338 amnimal.ninja * F,1d,1m;F,14d,1h
1339 expertpathologyreview.com * F,1d,1m;F,14d,1h
1340 je.b8.nz * F,1d,1m;F,14d,1h
1341 zroe.org * F,1d,1m;F,14d,1h
1342 eximbackup.b8.nz * F,1d,1m;F,14d,1h
1344 # The spec says the target domain will be used for temporary host errors,
1345 # but i've found that isn't correct, the hostname is required
1346 # at least sometimes.
1347 nn.b8.nz * F,1d,1m;F,14d,1h
1348 defaultnn.b8.nz * F,1d,1m;F,14d,1h
1349 mx.iankelling.org * F,1d,1m;F,14d,1h
1350 bk.b8.nz * F,1d,1m;F,14d,1h
1351 eggs.gnu.org * F,1d,1m;F,14d,1h
1352 fencepost.gnu.org * F,1d,1m;F,14d,1h
1354 # afaik our retry doesnt need this, but just using everything
1355 mx.amnimal.ninja * F,1d,1m;F,14d,1h
1356 mx.expertpathologyreview.com * F,1d,1m;F,14d,1h
1359 mail.fsf.org * F,1d,15m;F,14d,1h
1363 rm -vf /etc
/exim
4/conf.d
/main
/000_localmacros
# old filename
1365 # separate file so without quoted EOF for convenience
1366 cat >/etc
/exim
4/conf.d
/main
/000_local2
<<EOF
1367 # normally empty, I set this so I can set the envelope address
1368 # when doing mail redelivery to invoke filters. Also allows
1369 # me exiqgrep and stuff.
1370 MAIN_TRUSTED_GROUPS = $u
1375 for f
in *-private.pem
; do
1376 echo ${f%-private.pem}
1378 } | u
/etc
/exim
4/conf.d
/my-dkim-domains
1380 rm -f /etc
/exim
4/conf.d
/transport
/11_iank
1382 cat >/etc
/exim
4/conf.d
/main
/000_local
<<'EOF'
1383 MAIN_TLS_ENABLE = true
1385 # require tls connections for all smarthosts
1386 REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = ! nn.b8.nz
1387 REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS = nn.b8.nz
1389 # debian exim config added this in 2016 or so?
1390 # it's part of the smtp spec, to limit lines to 998 chars
1391 # but a fair amount of legit mail does not adhere to it. I don't think
1392 # this should be default, like it says in
1393 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
1394 # todo: the bug for introducing this was about headers, but
1395 # the fix maybe is for all lines? one says gmail rejects, the
1396 # other says gmail does not reject. figure out and open a new bug.
1397 IGNORE_SMTP_LINE_LENGTH_LIMIT = true
1399 # more verbose logs. used to use +all, but made it less for more efficiency.
1400 MAIN_LOG_SELECTOR = -skip_delivery -tls_cipher -tls_certificate_verified +all_parents +address_rewrite +arguments +deliver_time +pid +queue_time +queue_time_overall +received_recipients +received_sender +return_path_on_delivery +sender_on_delivery +smtp_confirmation +subject
1402 # Based on spec, seems like a good idea to be nice.
1403 smtp_return_error_details = true
1405 # default is 10. when exim has been down for a bit, fsf mailserver
1406 # will do a big send in one connection, then exim decides to put
1407 # the messages in the queue instead of delivering them, to avoid
1408 # spawning too many delivery processes. This is the same as the
1409 # fsfs value. And the corresponding one for how many messages
1410 # to send out in 1 connection remote_max_parallel = 256
1411 smtp_accept_queue_per_connection = 500
1414 DKIM_CANON = relaxed
1418 # The file is based on the outgoing domain-name in the from-header.
1419 # sign if key exists
1420 DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
1422 # most of the ones that gmail seems to use.
1423 # Exim has horrible default of signing unincluded
1424 # list- headers since they got mentioned in an
1425 # rfc, but this messes up mailing lists, like gnu/debian which want to
1426 # keep your dkim signature intact but add list- headers.
1427 DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
1429 domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz
1431 # note: most of these are duplicated in spamassassin config
1432 hostlist iank_trusted = <; \
1436 72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \
1437 # li_vpn_net li_vpn_net_ip6s
1438 10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \
1440 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \
1442 85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \
1443 # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
1444 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
1447 # this is the default delay_warning_condition, plus matching on local_domains.
1448 # If I have some problem with my local system that causes delayed delivery,
1449 # I dont want to send warnings out to non-local domains.
1450 delay_warning_condition = ${if or {\
1451 { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\
1452 { match{$h_precedence:}{(?i)bulk|list|junk} }\
1453 { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\
1454 { match_domain{$domain}{+local_domains} }\
1458 # enable 587 in addition to the default 25, so that
1459 # i can send mail where port 25 is firewalled by isp
1460 daemon_smtp_ports = 25 : 587 : 10025
1461 # default of 25, can get stuck when catching up on mail
1462 smtp_accept_max = 400
1463 smtp_accept_reserve = 100
1464 smtp_reserve_hosts = +iank_trusted
1466 # Rules that make receiving more liberal should be on backup hosts
1467 # so that we dont reject mail accepted by MAIL_HOST
1468 LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
1470 acl_not_smtp = acl_check_not_smtp
1473 DEBBUGS_DOMAIN = b.b8.nz
1477 if dpkg
--compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge
4.94; then
1478 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<'EOF'
1479 # In t11, we cant do the old anymore because this is tainted data used in a file lookup.
1480 # /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
1481 DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
1484 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<'EOF'
1486 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
1487 # and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
1488 # There could be some circumstance when the
1489 # from: isnt our domain, but the envelope sender is
1490 # and so still want to sign, but I cant think of any case.
1491 DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
1495 cat >/etc
/exim
4/conf.d
/main
/30_local
<<EOF
1500 rm -fv /etc
/exim
4/rcpt_local_acl
# old path
1502 u
/etc
/exim
4/conf.d
/local_deny_exceptions_acl
<<'EOF'
1503 # This acl already exists in rcpt, this just makes it more widespread.
1504 # See the comment there for its rationale. The reason it needs to be
1505 # more widespread is that I've turned on sender verification, but cron
1506 # emails can fail sender verification since I may be in a network that
1507 # doesn't have my local dns.
1511 # i setup a local programs smtp to mail.iankelling.org, this
1512 # skips sender verification for it.
1517 rm -fv /etc
/exim
4/data_local_acl
# old path
1519 u
/etc
/exim
4/conf.d
/data_local_acl
<<'EOF'
1520 # Except for the "condition =", this was
1521 # a comment in the check_data acl. The comment about this not
1522 # being suitable has been changed in newer exim versions. The only thing
1523 # related I found was to
1524 # add the condition =, cuz spamassassin has problems with big
1525 # messages and spammers don't bother with big messages,
1526 # but I've increased the size from 10k
1527 # suggested in official docs, and 100k in the wiki example because
1528 # those docs are rather old and I see a 110k spam message
1529 # pretty quickly looking through my spam folder.
1532 !hosts = +iank_trusted
1533 remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report
1536 !hosts = +iank_trusted
1537 # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check.
1538 !authenticated = plain_server:login_server
1539 condition = ${if < {$message_size}{5000K}}
1540 spam = Debian-exim:true
1541 add_header = X-Spam_score_int: $spam_score_int
1542 add_header = X-Spam_score: $spam_score
1543 add_header = X-Spam_bar: $spam_bar
1544 add_header = X-Spam_report: $spam_report
1545 add_header = X-Spam_action: $spam_action
1549 # spf = pass:fail:softfail:none:neutral:permerror:temperror
1550 # dmarc_status = reject:quarantine
1551 # add_header = Reply-to: dmarctest@iankelling.org
1553 # This allows us to delay sending an email until a specific time,
1554 # allowing us time to change our mind and also to appear to have
1555 # sent the message at a different time. In emacs copy the
1556 # automcatically date header add an f to make it fdate,
1557 # and then change the date to whenever you want to send it.
1558 # In the system-status script, I check once per minute
1559 # or more if it should be sent.
1562 # fdate = future date.
1563 condition = ${if def:h_fdate:}
1564 remove_header = fdate:
1565 remove_header = date:
1566 add_header = date: $h_fdate
1569 sed -i 's/^freeze_tell =.*/#\0/' /etc
/exim
4/conf.d
/main
/02_exim4-config_options
1571 u
/etc
/exim
4/conf.d
/acl
/41_check_not_smtp
<<'EOF'
1572 # todo: for non MAIL_HOST machines, i'd like
1573 # to send to the MAIL_HOST without freezing.
1574 # So, only do this if we are MAIL_HOST.
1578 # fdate = future date.
1579 condition = ${if def:h_fdate:}
1580 remove_header = fdate:
1581 remove_header = date:
1582 add_header = Date: $h_fdate
1589 rm -fv /etc
/exim
4/conf.d
/router
/8{8,9}0_backup_copy \
1590 /etc
/exim
4/conf.d
/router
/865_backup_redir \
1591 /etc
/exim
4/conf.d
/router
/870_backup_local
1593 # It is important for this to exist everywhere except in MAIL_HOST
1594 # non-nn config. Previously, just had it in the nn-config on MAIL_HOST,
1595 # but that is a problem if we change mail host and still have something
1596 # in the queue which was destined for this router, but hosts were
1597 # unreachable, the routers will be reevaluated on the next retry.
1598 u
/etc
/exim
4/conf.d
/router
/170_backup_copy
<<EOF
1599 ### router/900_exim4-config_local_user
1600 #################################
1603 driver = manualroute
1604 domains = eximbackup.b8.nz
1605 transport = backup_remote
1606 ignore_target_hosts = ${HOSTNAME}wg.b8.nz
1607 # note changes here also require change in passwd.client
1608 route_list = * eximbackup.b8.nz
1609 same_domain_copy_routing = yes
1610 errors_to = alerts@iankelling.org
1615 # exim4-config transports are the same as default except for
1616 # message_linelength_limit = 2097152
1618 # TODO: copy the defaults into their own file, and setup a cronjob so
1619 # that if file.dpkg-dist shows up, and it is different, we get an alert.
1621 u
/etc
/exim
4/conf.d
/transport
/30_exim4-config_remote_smtp_smarthost
<<'EOF'
1622 ### transport/30_exim4-config_remote_smtp_smarthost
1623 #################################
1625 # This transport is used for delivering messages over SMTP connections
1626 # to a smarthost. The local host tries to authenticate.
1627 # This transport is used for smarthost and satellite configurations.
1629 remote_smtp_smarthost:
1630 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
1632 message_linelength_limit = 2097152
1634 hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
1636 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
1640 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1641 hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1643 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1644 hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1646 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1647 tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1649 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
1650 tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
1652 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1653 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1655 .ifdef REMOTE_SMTP_RETURN_PATH
1656 return_path = REMOTE_SMTP_RETURN_PATH
1658 .ifdef REMOTE_SMTP_HELO_DATA
1659 helo_data=REMOTE_SMTP_HELO_DATA
1661 .ifdef TLS_DH_MIN_BITS
1662 tls_dh_min_bits = TLS_DH_MIN_BITS
1664 .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1665 tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1667 .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1668 tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1670 .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1671 headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1673 .ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
1674 protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
1678 u
/etc
/exim
4/conf.d
/transport
/30_exim4-config_remote_smtp
<<'EOF'
1679 ### transport/30_exim4-config_remote_smtp
1680 #################################
1681 # This transport is used for delivering messages over SMTP connections.
1684 debug_print = "T: remote_smtp for $local_part@$domain"
1686 message_linelength_limit = 2097152
1687 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
1688 hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
1690 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1691 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1693 .ifdef REMOTE_SMTP_RETURN_PATH
1694 return_path = REMOTE_SMTP_RETURN_PATH
1696 .ifdef REMOTE_SMTP_HELO_DATA
1697 helo_data=REMOTE_SMTP_HELO_DATA
1699 .ifdef REMOTE_SMTP_INTERFACE
1700 interface = REMOTE_SMTP_INTERFACE
1703 dkim_domain = DKIM_DOMAIN
1705 .ifdef DKIM_IDENTITY
1706 dkim_identity = DKIM_IDENTITY
1708 .ifdef DKIM_SELECTOR
1709 dkim_selector = DKIM_SELECTOR
1711 .ifdef DKIM_PRIVATE_KEY
1712 dkim_private_key = DKIM_PRIVATE_KEY
1715 dkim_canon = DKIM_CANON
1718 dkim_strict = DKIM_STRICT
1720 .ifdef DKIM_SIGN_HEADERS
1721 dkim_sign_headers = DKIM_SIGN_HEADERS
1723 .ifdef DKIM_TIMESTAMPS
1724 dkim_timestamps = DKIM_TIMESTAMPS
1726 .ifdef TLS_DH_MIN_BITS
1727 tls_dh_min_bits = TLS_DH_MIN_BITS
1729 .ifdef REMOTE_SMTP_TLS_CERTIFICATE
1730 tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
1732 .ifdef REMOTE_SMTP_PRIVATEKEY
1733 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
1735 .ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
1736 hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
1738 .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1739 headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1744 u
/etc
/exim
4/conf.d
/transport
/30_backup_remote
<<'EOF'
1748 message_linelength_limit = 2097152
1749 hosts_require_auth = *
1752 # manual return path because we want it to be the envelope sender
1753 # we got not the one we are using in this smtp transport
1754 headers_add = "Return-path: $sender_address"
1755 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1756 hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1758 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1759 hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1761 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1762 tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1764 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
1765 tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
1767 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1768 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1770 .ifdef REMOTE_SMTP_HELO_DATA
1771 helo_data=REMOTE_SMTP_HELO_DATA
1773 .ifdef TLS_DH_MIN_BITS
1774 tls_dh_min_bits = TLS_DH_MIN_BITS
1776 .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1777 tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1779 .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1780 tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1782 .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1783 headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1787 u
/etc
/exim
4/conf.d
/router
/900_exim4-config_local_user
<<'EOF'
1788 ### router/900_exim4-config_local_user
1789 #################################
1791 # This router matches local user mailboxes. If the router fails, the error
1792 # message is "Unknown user".
1794 debug_print = "R: local_user for $local_part@$domain"
1796 domains = +local_domains
1797 # ian: default file except where mentioned.
1798 # ian: commented this. I get all local parts. for bk, an rcpt
1799 # check handles checking with dovecot, and the only router
1800 # after this is root.
1801 # local_parts = ! root
1802 transport = LOCAL_DELIVERY
1803 cannot_route_message = Unknown user
1804 # ian: added for + addressing.
1805 local_part_suffix = +*
1806 local_part_suffix_optional
1808 u
/etc
/exim
4/conf.d
/transport
/30_exim4-config_dovecot_lmtp
<<'EOF'
1811 socket = /var/run/dovecot/lmtp
1812 #maximum number of deliveries per batch, default 1
1817 u
/etc
/exim
4/conf.d
/transport
/30_remote_smtp_vpn
<<'EOF'
1818 # same as debians 30_exim4-config_remote_smtp, but
1819 # with interface added at the end.
1822 debug_print = "T: remote_smtp_vpn for $local_part@$domain"
1824 message_linelength_limit = 2097152
1825 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
1826 hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
1828 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1829 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1831 .ifdef REMOTE_SMTP_RETURN_PATH
1832 return_path = REMOTE_SMTP_RETURN_PATH
1834 .ifdef REMOTE_SMTP_HELO_DATA
1835 helo_data=REMOTE_SMTP_HELO_DATA
1838 dkim_domain = DKIM_DOMAIN
1840 .ifdef DKIM_SELECTOR
1841 dkim_selector = DKIM_SELECTOR
1843 .ifdef DKIM_PRIVATE_KEY
1844 dkim_private_key = DKIM_PRIVATE_KEY
1847 dkim_canon = DKIM_CANON
1850 dkim_strict = DKIM_STRICT
1852 .ifdef DKIM_SIGN_HEADERS
1853 dkim_sign_headers = DKIM_SIGN_HEADERS
1855 .ifdef TLS_DH_MIN_BITS
1856 tls_dh_min_bits = TLS_DH_MIN_BITS
1858 .ifdef REMOTE_SMTP_TLS_CERTIFICATE
1859 tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
1861 .ifdef REMOTE_SMTP_PRIVATEKEY
1862 tls_privatekey = REMOTE_SMTP_PRIVATEKEY
1864 .ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
1865 hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
1867 .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1868 headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1870 interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4
1873 u
/etc
/exim
4/conf.d
/transport
/30_smarthost_dkim
<<'EOF'
1874 # ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp
1877 debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
1879 message_linelength_limit = 2097152
1881 hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
1883 ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
1887 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1888 hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
1890 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1891 hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
1893 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1894 tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
1896 .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
1897 tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
1899 .ifdef REMOTE_SMTP_HEADERS_REWRITE
1900 headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
1902 .ifdef REMOTE_SMTP_RETURN_PATH
1903 return_path = REMOTE_SMTP_RETURN_PATH
1905 .ifdef REMOTE_SMTP_HELO_DATA
1906 helo_data=REMOTE_SMTP_HELO_DATA
1908 .ifdef TLS_DH_MIN_BITS
1909 tls_dh_min_bits = TLS_DH_MIN_BITS
1911 .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1912 tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
1914 .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1915 tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
1917 .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1918 headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
1921 dkim_domain = DKIM_DOMAIN
1923 .ifdef DKIM_SELECTOR
1924 dkim_selector = DKIM_SELECTOR
1926 .ifdef DKIM_PRIVATE_KEY
1927 dkim_private_key = DKIM_PRIVATE_KEY
1930 dkim_canon = DKIM_CANON
1933 dkim_strict = DKIM_STRICT
1935 .ifdef DKIM_SIGN_HEADERS
1936 dkim_sign_headers = DKIM_SIGN_HEADERS
1941 cat >/etc
/exim
4/update-exim4.conf.conf
<<'EOF'
1942 # default stuff, i havent checked if its needed
1943 dc_minimaldns='false'
1945 dc_use_split_config='true'
1946 dc_mailname_in_oh='true'
1952 if ! mountpoint
/o
; then
1953 echo "error /o is not a mountpoint" >&2
1957 # davx/davdroid setup instructions at the bottom
1960 # http://radicale.org/user_documentation/
1961 # https://davdroid.bitfire.at/configuration/
1963 # note on debugging: if radicale can't bind to the address,
1964 # in the log it just says "Starting Radicale". If you run
1965 # it in the foreground, it will give more info. Background
1966 # plus debug does not help.
1967 # sudo -u radicale radicale -D
1969 # created radicale password file with:
1970 # htpasswd -c /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd ian
1971 # chmod 640 /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd
1972 # # setup chgrp www-data in ./conflink
1975 m usermod
-a -G radicale iank
1977 u
/etc
/systemd
/system
/radicale.service.d
/override.conf
<<EOF
1980 After=network.target network-online.target mailnn.service $vpnser
1983 JoinsNamespaceOf=mailnn.service
1984 StartLimitIntervalSec=0
1988 BindPaths=$bindpaths
1990 # time to sleep before restarting a service
1999 # use persistent uid/gid
2000 IFS
=:; read -r _ _ uid _
< <(getent passwd radicale
); unset IFS
2001 IFS
=:; read -r _ _ gid _
< <(getent group radicale
); unset IFS
2002 if [[ $uid != 609 ]]; then
2003 m systemctl stop radicale ||
:
2004 m usermod
-u 609 radicale
2005 m groupmod
-g 609 radicale
2006 m usermod
-g 609 radicale
2008 m
find /o
/radicale
-xdev -exec chown
-h 609 {} +
2009 m
find /o
/radicale
-xdev -exec chgrp
-h 609 {} +
2012 # I moved /var/lib/radicale after it's initialization.
2013 # I did a sudo -u radicale git init in the collections subfolder
2014 # after it gets created, per the git docs.
2015 m
/a
/exe
/lnf
-T /o
/radicale
/var
/lib
/radicale
2017 # from https://www.williamjbowman.com/blog/2015/07/24/setting-up-webdav-caldav-and-carddav-servers/
2019 # more config is for li in distro-end
2021 # coment in this file says this is needed for it to run on startup
2022 sed -ri 's/^\s*#+\s*(ENABLE_RADICALE\s*=\s*yes\s*)/\1/' /etc
/default
/radicale
2024 # comments say default is 0.0.0.0:5232
2025 m setini hosts
10.8.0.4:5232 server
2026 # https://radicale.org/2.1.html
2027 m setini
type http_x_remote_user auth
2030 # disable power management feature, set to 240 min sync interval,
2031 # so it shouldn't be bad.
2033 # davx^5 from f-droid
2034 # login with url and user name
2035 # url https://cal.iankelling.org/ian
2037 # pass, see password manager for radicale
2039 # add account dialog:
2041 # set account name as ian@iankelling.org, per help text below the
2044 # switch to groups are per-contact categories,
2045 # per https://davdroid.bitfire.at/configuration/radicale/
2048 # After setting up account, I added one address book, named
2049 # ianaddr. calender was already created, named ian. checked boxes under
2052 # To restore from old phone to new phone, I wiped all data out, then copied over the newly created files. I think
2054 # ignorable background info:
2056 # opentasks uses the calendar file.
2058 # The address book I created got a uuid as a name for the file. Note
2059 # the .props file says if it's a calendar or addressbook.
2061 # When debugging, tailed /var/log/radicale/radicale.log and apache log,
2062 # both show the requests happening. Without creating the address book,
2063 # after creating a contact, a sync would delete it.
2065 # Address books correspond to .props files in the radicale dir.
2067 # Some background is here,
2068 # https://davdroid.bitfire.at/faq/entry/cant-manage-groups-on-device/
2069 # which shows separate vcard option is from rfc 6350, the other is 2426,
2070 # radicale page says it implements the former not the latter,
2071 # which conflicts with the documentation of which to select, but whatever.
2072 # http://radicale.org/technical_choices/
2073 # https://davdroid.bitfire.at/faq/entry/cant-manage-groups-on-device/
2075 # Note, url above says only cayanogenmod 13+ and omnirom can manage groups.
2077 # Note, radicale had built-in git support to track changes, but they
2078 # removed it in 2.0.
2084 # ** $MAIL_HOST|bk|je)
2087 # based on a little google and package search, just the dovecot
2088 # packages we need instead of dovecot-common.
2090 # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
2091 # directly. The reason to do this is to use dovecot\'s sieve, which
2092 # can generally do more than exims filters (a few things less) and
2093 # sieve has the benefit of being supported in postfix and
2094 # proprietary/weird environments, so there is more examples on the
2096 pi-nostart dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite sqlite3
2098 for f
in /p
/c
{/machine_specific
/$HOSTNAME,}/filesystem
/etc
/dovecot
/users
; do
2099 if [[ -e $f ]]; then
2100 m rsync
-ahhi --chown=root
:dovecot
--chmod=0640 $f /etc
/dovecot
/
2104 for f
in /p
/c
/subdir_files
/sieve
/*sieve
/a
/bin
/ds
/subdir_files
/sieve
/*sieve
; do
2105 m sudo
-u $u /a
/exe
/lnf
-v -T $f $uhome/sieve
/${f##*/}
2108 # https://wiki.dovecot.org/SSL/DovecotConfiguration
2109 u
/etc
/dovecot
/dhparam
<<'EOF'
2110 -----BEGIN DH PARAMETERS-----
2111 MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
2112 A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
2113 jorwiwtr2i9E6TXQp0noT/7VFeHulIkayTeW8JulINdMHs+oLylv16McGCIrxbkM
2114 8D1PuO0TP/CNDs2QbRvJ1RjY3CeGpxMhrSHVgBCUMwnA2cvz3bYjI7UMYMMDPNrE
2115 PLrwsYzXGGCdJsO2vsmmqqgLsZiapYJlUNjfiyWLt7E2H6WzkNB3VIhIPfLqFDPK
2116 xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg==
2117 -----END DH PARAMETERS-----
2121 if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
2123 ssl_cert = </etc/exim4/fullchain.pem
2124 ssl_key = </etc/exim4/privkey.pem
2127 # We have a lets encrypt hooks that puts things here.
2128 # This is just for bk, which uses the vpn cert in exim
2129 # for sending mail, but the local hostname cert for
2132 ssl_cert = </etc/exim4/exim.crt
2133 ssl_key = </etc/exim4/exim.key
2138 # https://ssl-config.mozilla.org
2140 # this is the same as the certbot list, i check changes in /a/bin/ds/filesystem/usr/local/bin/check-lets-encrypt-ssl-settings
2141 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2142 ssl_min_protocol = TLSv1.2
2143 ssl_prefer_server_ciphers = no
2146 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
2147 # default is just $mail_plugins
2148 mail_plugins = $mail_plugins sieve
2151 # /etc/dovecot/conf.d/10-master.conf says the default is 256M.
2152 # but I started getting oom errors in the syslog
2153 # Mar 27 15:10:04 sy dovecot[330088]: lmtp(iank)<3839880><gO/BDwtvBGaIlzoA7AdaJQ>: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)
2154 # exim would just queue mail until it eventually succeeded.
2155 # Deciding what to increase it to, I found this
2156 # https://dovecot.org/list/dovecot/2011-December/080056.html
2157 # which suggests 3x the largest dovecot.index.cache file
2158 # and then I found that
2159 # md/l/testignore/dovecot.index.cache is 429M, my largest cache file,
2160 # but that folder only has 2k messages.
2161 # next biggest is md/l/qemu-devel/dovecot.index.cache 236M
2162 # which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/
2163 # which suggests 1.5x the maximum cache file size 1G, and
2164 # that I can safely rm the index.
2165 default_vsz_limit = 1500M
2168 if dpkg
--compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge
1:2.3; then
2170 ssl_dh = </etc/dovecot/dhparam
2173 } >/etc
/dovecot
/local.conf
2179 # If we changed 90-sieve.conf and removed the active part of the
2180 # sieve option, we wouldn\'t need this, but I\'d rather not modify a
2181 # default config if not needed. This won\'t work as a symlink in /a/c
2183 m sudo
-u $u /a
/exe
/lnf
-T sieve
/main.sieve
$uhome/.dovecot.sieve
2185 if [[ ! -e $uhome/sieve
/personal.sieve
]]; then
2186 m
touch $uhome/sieve
/personal
{,end
}{,test}.sieve
2189 rm -fv /etc
/dovecot
/conf.d
/20-lmtp.conf
# file from prev version
2191 # Having backups of indexes is a waste of space. This also means we
2192 # don't send them around with btrbk, I think it is probably
2193 # preferable use a bit more cpu to recalculate indexes.
2194 install -d -m 700 -o iank
-g iank
/var
/dovecot-indexes
2195 cat >>/etc
/dovecot
/local.conf
<<EOF
2198 # This will decrease memory use, and seems likely to decrease cpu & disk
2199 # use since I rarely use dovecot for most folders.
2200 mail_cache_max_size = 50M
2203 # simple password file based login
2204 !include conf.d/auth-passwdfile.conf.ext
2206 # ian: %u is used for alerts user vs iank
2207 # https://doc.dovecot.org/configuration_manual/mail_location/Maildir/
2208 mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u
2209 # note: i don't know if these need to be set, but this seems fine.
2214 # For a normal setup with exim, we need something like this, which
2215 # removes the domain part
2216 # auth_username_format = %Ln
2218 # or else # Exim says something like
2219 # "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
2220 # Dovecot verbose log says something like
2221 # "auth-worker(9048): passwd(someuser@somedomain): unknown user"
2222 # reference: http://wiki.dovecot.org/LMTP/Exim
2224 # However, I use this to direct all mail to the same inbox.
2225 # A normal way to do this, which I did at first is to have
2226 # a router in exim almost at the end, eg 950,
2228 # debug_print = "R: catchall for \$local_part@\$domain"
2230 # domains = +local_domains
2233 # http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
2234 # with superflous options removed.
2235 # However, this causes the envelope to be rewritten,
2236 # which makes filtering into mailboxes a little less robust or more complicated,
2237 # so I've done it this way instead. it also requires
2238 # modifying the local router in exim.
2239 auth_username_format = $u
2245 chown
-R mail.
mail /m
/md
2247 f
=/etc
/dovecot
/conf.d
/10-auth.conf
2248 if [[ -e $f ]]; then
2249 mv $f $f-iank-disabled
2252 cat >>/etc
/dovecot
/local.conf
<<EOF
2253 !include /etc/dovecot/local.conf.ext
2255 # for debugging info, uncomment these.
2256 # logs go to syslog and to /var/log/mail.log
2262 # This downcases the localpart. default is case sensitive.
2263 # case sensitive local part will miss out on valid email when some person or system
2264 # mistakenly capitalizes things.
2265 auth_username_format = %Lu
2268 # make 147 only listen on localhost, plan to use for nextcloud.
2269 # copied from mailinabox
2270 service imap-login {
2271 inet_listener imap {
2275 # https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dovecot_authenticator.html
2277 unix_listener auth-client {
2285 sieve_before = /etc/dovecot/sieve-spam.sieve
2287 sieve = /m/sieve/%d/%n.sieve
2288 sieve_dir = /m/sieve/%d/%n
2292 # all taken from mailinabox.
2293 mail_location = maildir:/m/md/%d/%n
2295 mail_privileged_group = mail
2296 # By default Dovecot allows users to log in only with UID numbers 500 and above. mail is 8
2299 # todo: test these changes in the universal config
2300 # mailboxes taken from mailinabox but removed
2301 # settings duplicate to defaults
2320 special_use = \Archive
2324 auth_mechanisms = plain login
2327 u
/etc
/dovecot
/sieve-spam.sieve
<<'EOF'
2328 require ["regex", "fileinto", "imap4flags"];
2330 if allof (header :regex "X-Spam-Status" "^Yes") {
2336 u
/etc
/dovecot
/local.conf.ext
<<'EOF'
2339 args = /etc/dovecot/dovecot-sql.conf.ext
2343 args = /etc/dovecot/dovecot-sql.conf.ext
2348 u
/etc
/dovecot
/dovecot-sql.conf.ext
<<'EOF'
2351 # for je and bk, populated the testignore users for the relevant domains
2352 connect = /m/rc/users.sqlite
2353 default_pass_scheme = SHA512-CRYPT
2354 password_query = SELECT email as user, password FROM users WHERE email='%u';
2355 user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u';
2356 iterate_query = SELECT email AS user FROM users;
2358 m
chmod 0600 /etc
/dovecot
/dovecot-sql.conf.ext
# per Dovecot instructions
2360 # db needs to be in a www-data writable directory
2361 db
=/m
/rc
/users.sqlite
2362 if [[ ! -s $db ]]; then
2364 m sqlite3
$db <<'EOF'
2365 CREATE TABLE users (
2366 id INTEGER PRIMARY KEY AUTOINCREMENT,
2367 email TEXT NOT NULL UNIQUE,
2368 password TEXT NOT NULL,
2370 privileges TEXT NOT NULL DEFAULT '');
2373 # users.sqlite is saved into /p/c/machine_specific, so update it there!.
2375 # example of adding a user:
2376 # hash: doveadm pw -s SHA512-CRYPT -p passhere
2377 # sqlite3 /m/rc/users.sqlite <<'EOF'
2378 #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
2380 # update users set password = 'hash' where email = 'testignore@bk.b8.nz';
2382 # this should be at the end since it requires a valid dovecot config
2383 m sievec
/etc
/dovecot
/sieve-spam.sieve
2387 # roundcube uses this
2389 chown
mail.
mail /m
/sieve
2390 m pi dovecot-managesieved
2394 # * thunderbird autoconfig setup
2396 bkdomains
=(expertpathologyreview.com amnimal.ninja
)
2397 if [[ $HOSTNAME == bk
]]; then
2398 for domain
in ${bkdomains[@]}; do
2399 m
/a
/exe
/web-conf apache2 autoconfig.
$domain
2400 dir
=/var
/www
/autoconfig.
$domain/html
/mail
2402 # taken from mailinabox
2403 u
$dir/config-v1.1.xml
<<EOF
2404 <?xml version="1.0" encoding="UTF-8"?>
2405 <clientConfig version="1.1">
2406 <emailProvider id="$domain">
2407 <domain>$domain</domain>
2409 <displayName>$domain Mail</displayName>
2410 <displayShortName>$domain</displayShortName>
2412 <incomingServer type="imap">
2413 <hostname>mail2.iankelling.org</hostname>
2415 <socketType>SSL</socketType>
2416 <username>%EMAILADDRESS%</username>
2417 <authentication>password-cleartext</authentication>
2420 <outgoingServer type="smtp">
2421 <hostname>mail2.iankelling.org</hostname>
2423 <socketType>STARTTLS</socketType>
2424 <username>%EMAILADDRESS%</username>
2425 <authentication>password-cleartext</authentication>
2426 <addThisServer>true</addThisServer>
2427 <useGlobalPreferredServer>false</useGlobalPreferredServer>
2430 <documentation url="https://$domain/">
2431 <descr lang="en">$domain website.</descr>
2436 <loginPage url="https://$domain/roundcube" />
2437 <loginPageInfo url="https://$domain/roundcube" >
2438 <username>%EMAILADDRESS%</username>
2439 <usernameField id="rcmloginuser" name="_user" />
2440 <passwordField id="rcmloginpwd" name="_pass" />
2441 <loginButton id="rcmloginsubmit" />
2444 <clientConfigUpdate url="https://autoconfig.$domain/mail/config-v1.1.xml" />
2452 if [[ $HOSTNAME == bk
]]; then
2454 # zip according to /installer
2455 # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
2456 # $config['enable_installer'] = true;
2457 pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm
2459 ### begin composer install
2460 # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
2462 EXPECTED_CHECKSUM
="$(php -r 'copy("https
://composer.github.io
/installer.sig
", "php
://stdout
");')"
2463 php
-r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
2464 ACTUAL_CHECKSUM
="$(php -r "echo hash_file
('sha384', 'composer-setup.php');")"
2466 if [ "$EXPECTED_CHECKSUM" != "$ACTUAL_CHECKSUM" ]
2468 >&2 echo 'ERROR: Invalid installer checksum'
2469 rm composer-setup.php
2473 php composer-setup.php
--quiet
2474 rm composer-setup.php
2476 # based on error when running composer
2477 mkdir
-p /var
/www
/.composer
2478 chown www-data
:www-data
/var
/www
/.composer
2480 ### end composer install
2482 rcdirs
=(/usr
/local
/lib
/rcexpertpath
/usr
/local
/lib
/rcninja
)
2483 ncdirs
=(/var
/www
/ncexpertpath
/var
/www
/ncninja
)
2484 # point debian cronjob to our local install, preventing daily cron error
2486 # debian's cronjob will fail, remove both paths it uses just to be sure
2487 rm -fv /usr
/share
/roundcube
/bin
/cleandb.sh
/etc
/cron.d
/roundcube-core
2489 #### begin dl roundcube
2490 # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
2491 v
=1.4.13; f
=roundcubemail-
$v-complete.
tar.gz
2493 if [[ -e $f ]]; then
2494 timestamp
=$
(stat
-c %Y
$f)
2498 m wget
-nv -N https
://github.com
/roundcube
/roundcubemail
/releases
/download
/$v/$f
2499 new_timestamp
=$
(stat
-c %Y
$f)
2500 for rcdir
in ${rcdirs[@]}; do
2501 if [[ $timestamp != "$new_timestamp" ||
! -e "$rcdir/config/secret" ]]; then
2502 m
tar -C /usr
/local
/lib
--no-same-owner -zxf $f
2504 m
mv /usr
/local
/lib
/roundcubemail-
$v $rcdir
2507 #### end dl roundcube
2509 for ((i
=0; i
< ${#bkdomains[@]}; i
++)); do
2510 domain
=${bkdomains[i]}
2515 # copied from debians cronjob
2516 u
/etc
/cron.d
/$rcbase <<EOF
2517 # Roundcube database cleaning: finally removes all records that are
2518 # marked as deleted.
2519 0 5 * * * www-data $rcdir/bin/cleandb.sh >/dev/null
2522 m
/a
/exe
/web-conf
- apache2
$domain <<EOF
2523 Alias /roundcube $rcdir
2524 ### begin roundcube settings
2525 # taken from /etc/apache2/conf-available/roundcube.conf version 1.4.8+dfsg.1-1~bpo10+1
2527 Options +FollowSymLinks
2528 # This is needed to parse $rcdir/.htaccess.
2532 # Protecting basic directories:
2533 <Directory $rcdir/config>
2534 Options -FollowSymLinks
2537 ### end roundcube settings
2540 ### begin nextcloud settings
2541 Alias /nextcloud "$ncdir/"
2545 Options FollowSymLinks MultiViews
2547 <IfModule mod_dav.c>
2553 # based on install checker, links to
2554 # https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery
2555 # their example was a bit wrong, I figured it out by adding
2556 # LogLevel warn rewrite:trace5
2557 # then watching the apache logs
2560 RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
2561 RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
2562 RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
2563 RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
2564 RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
2565 ### end nextcloud settings
2567 if [[ ! -e $rcdir/config
/secret
]]; then
2568 base64
</dev
/urandom |
head -c24 >$rcdir/config
/secret ||
[[ $?
== 141 ||
${PIPESTATUS[0]} == 32 ]]
2570 secret
=$
(cat $rcdir/config
/secret
)
2572 rclogdir
=/var
/log
/$rcbase
2573 rctmpdir
=/var
/tmp
/$rcbase
2574 rcdb
=/m
/rc
/$rcbase.sqlite
2575 # config from mailinabox
2576 u
$rcdir/config
/config.inc.php
<<EOF
2579 # debian creates this for us
2580 \$config['log_dir'] = '$rclogdir/';
2581 # debian also creates a temp dir, but it is under its install dir,
2582 # seems better to have our own.
2583 \$config['temp_dir'] = '$rctmpdir/';
2584 \$config['db_dsnw'] = 'sqlite:///$rcdb?mode=0640';
2585 \$config['default_host'] = 'ssl://localhost';
2586 \$config['default_port'] = 993;
2587 \$config['imap_conn_options'] = array(
2589 'verify_peer' => false,
2590 'verify_peer_name' => false,
2593 \$config['imap_timeout'] = 15;
2594 \$config['smtp_server'] = 'tls://127.0.0.1';
2595 \$config['smtp_conn_options'] = array(
2597 'verify_peer' => false,
2598 'verify_peer_name' => false,
2601 \$config['product_name'] = 'webmail';
2602 \$config['des_key'] = '$secret';
2603 \$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav', 'html5_notifier');
2604 \$config['skin'] = 'elastic';
2605 \$config['login_autocomplete'] = 2;
2606 \$config['password_charset'] = 'UTF-8';
2607 \$config['junk_mbox'] = 'Spam';
2608 # disable builtin addressbook
2609 \$config['address_book_type'] = '';
2613 m mkdir
-p $rclogdir
2614 m
chmod 750 $rclogdir
2615 m chown www-data
:adm
$rclogdir
2616 # note: subscribed to updates:
2617 # r2e add rcmcarddav https://github.com/blind-coder/rcmcarddav/commits/master.atom ian@iankelling.org
2618 # r2e add roundcube https://github.com/roundcube/roundcubemail/releases.atom ian@iankelling.org
2619 m mkdir
-p $rctmpdir /m
/rc
2620 m chown
-R www-data.www-data
$rctmpdir /m
/rc
2621 m
chmod 750 $rctmpdir
2622 # todo: check for other mailinabox things
2623 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
2624 m sudo
-u www-data
touch $rclogdir/errors.log
2626 #### begin carddav install
2627 # This is the official roundcube carddav repo.
2628 # Install doc suggests downloading with composer, but that
2629 # didnt work, it said some ldap package for roundcube was missing,
2630 # but I dont want to download some extra ldap thing.
2631 # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md
2632 verf
=$rcdir/plugins
/carddav
/myversion
2636 if [[ -e $verf ]]; then
2637 if [[ $
(cat $verf) != "$v" ]]; then
2645 m
rm -rf $rcdir/plugins
/carddav
2647 m wget
-nv -O $tmpd/t.tgz https
://github.com
/blind-coder
/rcmcarddav
/releases
/download
/v
$v/carddav-v
$v.
tar.gz
2651 m chown
-R www-data
:www-data
$rcdir/plugins
/carddav
2652 m
cd $rcdir/plugins
/carddav
2654 m sudo
-u www-data composer.phar update
--no-dev
2656 m sudo
-u www-data composer.phar
install --no-dev
2658 m chown
-R root
:root
$rcdir/plugins
/carddav
2662 # So, strangely, this worked in initial testing, but then
2663 # on first run it wouldn't show the existing contacts until
2664 # I went into the carddav settings and did "force immediate sync",
2665 # which seemed to fix things. Note, some of these settings
2666 # get initalized per/addressbook in the db, then need changing
2667 # there or through the settings menu.
2669 # About categories, see https://www.davx5.com/tested-with/nextcloud
2670 # https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md
2671 u
$rcdir/plugins
/carddav
/config.inc.php
<<EOF;
2673 \$prefs['_GLOBAL']['hide_preferences'] = false;
2674 \$prefs['davserver'] = array(
2675 # name in the UI is kind of dumb. This is just something short that seems to fit ok.
2677 'username' => '%u', // login username
2678 'password' => '%p', // login password
2679 'url' => 'https://$domain/nextcloud/remote.php/dav/addressbooks/users/%u/contacts',
2681 'readonly' => false,
2682 'refresh_time' => '00:10:00',
2683 'fixed' => array('username','password'),
2684 'use_categories' => false,
2689 #### end carddav install
2692 if [[ ! -d html5_notifier
]]; then
2693 m git clone https
://github.com
/stremlau
/html5_notifier
2695 cd $rcdir/plugins
/html5_notifier
2698 # todo: try out roundcube plugins: thunderbird labels
2700 # Password changing plugin settings
2701 cat $rcdir/plugins
/password
/config.inc.php.dist
- >$rcdir/plugins
/password
/config.inc.php
<<'EOF'
2702 # following are from mailinabox
2703 $config['password_minimum_length'] = 8;
2704 $config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite';
2705 $config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u';
2706 $config['password_dovecotpw'] = '/usr/bin/doveadm pw';
2707 $config['password_dovecotpw_method'] = 'SHA512-CRYPT';
2708 $config['password_dovecotpw_with_method'] = true;
2710 # so PHP can use doveadm, for the password changing plugin
2711 m usermod
-a -G dovecot www-data
2712 m usermod
-a -G mail $u
2714 # so php can update passwords
2715 m chown www-data
:dovecot
/m
/rc
/users.sqlite
2716 m
chmod 664 /m
/rc
/users.sqlite
2718 # Run Roundcube database migration script (database is created if it does not exist)
2719 m
$rcdir/bin
/updatedb.sh
--dir $rcdir/SQL
--package roundcube
2720 m chown www-data
:www-data
$rcdb
2722 done # end loop over domains and rcdirs
2724 ### begin php setup for rc ###
2725 # Enable PHP modules.
2726 m phpenmod
-v php mcrypt imap
2727 # dpkg says this is required.
2728 # nextcloud needs these too
2729 m a2enmod proxy_fcgi setenvif
2730 fpm
=$
(dpkg-query
-s php-fpm |
sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
2731 phpver
=$
(dpkg-query
-s php-fpm |
sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
2733 # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
2734 # /etc/apache2/conf-enabled/php7.3-fpm.conf
2735 m a2dismod php
$phpver
2736 # according to /install, we should set date.timezone,
2737 # but that is dumb, the system already has the right zone in
2738 # $rclogdir/errors.log
2739 # todo: consider other settings in
2740 # /a/opt/mailinabox/setup/nextcloud.sh
2741 u
/etc
/php
/$phpver/cli
/conf.d
/30-local.ini
<<'EOF'
2745 u
/etc
/php
/$phpver/fpm
/conf.d
/30-local.ini
<<'EOF'
2746 date.timezone = "America/New_York"
2748 upload_max_filesize = 2000M
2749 post_max_size = 2000M
2750 # install checker, nextcloud/settings/admin/overview
2753 m systemctl restart
$fpm
2754 # dunno if reload/restart is needed
2755 m systemctl reload apache2
2756 # note bk backups are defined in crontab outside this file
2757 ### end php setup for rc ###
2759 fi # end roundcube setup
2763 if [[ $HOSTNAME == bk
]]; then
2764 # from install checker, nextcloud/settings/admin/overview and
2765 # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
2766 # curl from the web installer requirement, but i switched to cli
2767 # it recommends php-file info, but that is part of php7.3-common, already got installed
2769 m pi php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu
2771 # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
2772 cat >/etc
/php
/$phpver/fpm
/pool.d
/localwww.conf
<<'EOF'
2777 for ((i
=0; i
< ${#bkdomains[@]}; i
++)); do
2778 domain
=${bkdomains[i]}
2780 myncdir
=/var
/local
/${ncdir##*/}
2784 if [[ ! -e $ncdir/index.php
]]; then
2785 # if we wanted to only install a specific version, use something like
2786 # file=latest-22.zip
2788 m wget
-nv -N https
://download.nextcloud.com
/server
/releases
/$file
2792 m chown
-R www-data.www-data nextcloud
2793 m
mv nextcloud
$ncdir
2796 if [[ ! -e $myncdir/done-install
]]; then
2798 m sudo
-u www-data php occ maintenance
:install --database sqlite
--admin-user iank
--admin-pass $nextcloud_admin_pass
2799 m
touch $myncdir/done-install
2803 # if we did this more than once, it would revert the
2804 # version number to the original.
2805 if [[ ! -e $myncdir/config.php-orig ||
! -s config.php
]]; then
2806 if [[ -s config.php
]]; then
2807 m
cp -a config.php
$myncdir/config.php-orig
2808 # keep the file so it keeps the same permissions.
2809 truncate
-s0 config.php
2811 cat $myncdir/config.php-orig
- >$myncdir/tmp.php
<<EOF
2812 # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
2813 \$CONFIG["mail_smtpmode"] = "sendmail";
2814 \$CONFIG["mail_smtphost"] = "127.0.0.1";
2815 \$CONFIG["mail_smtpport"] = 25;
2816 \$CONFIG["mail_smtptimeout"] = 10;
2817 \$CONFIG["mail_smtpsecure"] = "";
2818 \$CONFIG["mail_smtpauth"] = false;
2819 \$CONFIG["mail_smtpauthtype"] = "LOGIN";
2820 \$CONFIG["mail_smtpname"] = "";
2821 \$CONFIG["mail_smtppassword"] = "";
2822 \$CONFIG["mail_domain"] = "$domain";
2824 # https://github.com/nextcloud/user_external#readme
2825 # plus mailinabox example
2826 #\$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
2829 # based on installer check
2830 # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
2831 \$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
2833 \$CONFIG['overwrite.cli.url'] = 'https://$domain/nextcloud';
2834 \$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
2835 \$CONFIG['trusted_domains'] = array (
2839 fwrite(STDOUT, "<?php\n\\\$CONFIG = ");
2840 var_export(\$CONFIG);
2841 fwrite(STDOUT, ";\n");
2843 e running php
$myncdir/tmp.php
2844 # note: we leave it around place for debugging
2845 # shellcheck disable=SC2024 # intended
2846 sudo
-u www-data php
$myncdir/tmp.php
>config.php
2849 m sudo
-u www-data php occ maintenance
:update
:htaccess
2850 list
=$
(sudo
-u www-data php
$ncdir/occ
--output=json_pretty app
:list
)
2851 # user_external not compaible with nc 23
2852 for app
in contacts calendar
; do
2853 if [[ $
(printf "%s\n" "$list"| jq
".enabled.$app") == null
]]; then
2855 m sudo
-u www-data php occ app
:install $app
2858 u
/etc
/systemd
/system
/$ncbase.service
<<EOF
2860 Description=ncup $ncbase
2861 After=multi-user.target
2865 ExecStart=/usr/local/bin/ncup $ncbase
2867 IOSchedulingClass=idle
2868 CPUSchedulingPolicy=idle
2870 u
/etc
/systemd
/system
/$ncbase.timer
<<EOF
2872 Description=ncup $ncbase timer
2878 WantedBy=timers.target
2880 systemctl
enable --now $ncbase.timer
2881 u
/usr
/local
/bin
/ncup
<<'EOFOUTER'
2884 source /usr/local/lib/bash-bear
2886 m() { printf "%s\n" "$*"; "$@"; }
2888 echo failed nextcloud update for $ncbase >&2
2889 # -odf or else systemd will kill the background delivery process
2890 # and the message will sit in the queue until the next queue run.
2892 To: alerts@iankelling.org
2893 From: www-data@$(hostname -f)
2894 Subject: failed nextcloud update for $ncbase
2896 For logs, run: jr -u $ncbase
2900 if [[ $(id -u -n) != www-data ]]; then
2901 echo error: running as wrong user: $(id -u -n), expected www-data
2906 echo error: expected an arg, nextcloud relative base dir
2912 # https://docs.nextcloud.com/server/22/admin_manual/maintenance/update.html?highlight=updater+phar
2913 # the docs claim this is all you need, which is not true.
2914 # You will go to the web ui and it will say that you need to click a button to update,
2915 # or that you can run occ upgrade
2916 m php /var/www/$ncbase/updater/updater.phar -n
2917 # throw a sleep in just because who knows what else is undocumented
2921 chmod +x
/usr
/local
/bin
/ncup
2923 mkdir
-p /var
/www
/cron-errors
2924 chown www-data.www-data
/var
/www
/cron-errors
2925 u
/etc
/cron.d
/$ncbase <<EOF
2926 PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
2928 # https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
2929 */5 * * * * www-data php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron
2939 # missing dependency. apache error log:
2940 # Can't locate List/AllUtils.pm in @INC (you may need to install the List::AllUtils module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.34.0 /usr/local/share/perl/5.34.0 /usr/lib/x86_64-linux-gnu/perl5/5.34 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.34 /usr/share/perl/5.34 /usr/local/lib/site_perl) at /var/lib/debbugs/www/cgi/pkgreport.cgi line 23.
2941 pi liblist-allutils-perl lynx
2942 # workarounds for broken debbugsconfig which is
2943 # itself deprecated. this is temporary before I
2944 # figure out how to install from git
2945 if [[ -e /usr
/share
/doc
/debbugs
/examples
/text.gz
]]; then
2946 gunzip
/usr
/share
/doc
/debbugs
/examples
/text.gz
2948 mkdir
-p /etc
/debbugs
/indices
2952 # ld for local debbugs
2953 /a
/exe
/web-conf
-l -t -a 127.0.1.1 -p 80 -r /var
/lib
/debbugs
/www
- apache2 ld
<<'EOF'
2954 # copied from debbugs upstream example
2955 <Directory /var/lib/debbugs/www>
2956 Options Indexes SymLinksIfOwnerMatch MultiViews
2957 DirectoryIndex index.html
2961 ScriptAlias /cgi/ /var/lib/debbugs/www/cgi/
2962 <Directory "/var/lib/debbugs/www/cgi/">
2964 Options ExecCGI SymLinksIfOwnerMatch
2969 RewriteCond %{HTTP_USER_AGENT} .*apt-listbugs.*
2970 RewriteRule .* /apt-listbugs.html [R,L]
2972 # RewriteLog /org/bugs.debian.org/apache-rewrite.log
2975 #RewriteRule ^/$ http://www.debian.org/Bugs/
2976 RewriteRule ^/(robots\.txt|release-critical|apt-listbugs\.html)$ - [L]
2977 # The following two redirect to up-to-date pages
2978 RewriteRule ^/[[:space:]]*#?([[:digit:]][[:digit:]][[:digit:]]+)([;&].+)?$ /cgi-bin/bugreport.cgi?bug=$1$2 [L,R,NE]
2979 RewriteRule ^/([^/+]*)([+])([^/]*)$ "/$1%%{%}2B$3" [N]
2980 RewriteRule ^/[Ff][Rr][Oo][Mm]:([^/]+\@.+)$ /cgi-bin/pkgreport.cgi?submitter=$1 [PT,NE]
2981 # Commented out, 'cuz aj says it will crash master. (old master)
2982 # RewriteRule ^/[Ss][Ee][Vv][Ee][Rr][Ii][Tt][Yy]:([^/]+\@.+)$ /cgi-bin/pkgreport.cgi?severity=$1 [L,R]
2983 RewriteRule ^/([^/]+\@.+)$ /cgi-bin/pkgreport.cgi?maint=$1 [PT,NE]
2984 RewriteRule ^/mbox:([[:digit:]][[:digit:]][[:digit:]]+)([;&].+)?$ /cgi-bin/bugreport.cgi?mbox=yes&bug=$1$2 [PT,NE]
2985 RewriteRule ^/src:([^/]+)$ /cgi-bin/pkgreport.cgi?src=$1 [PT,NE]
2986 RewriteRule ^/severity:([^/]+)$ /cgi-bin/pkgreport.cgi?severity=$1 [PT,NE]
2987 RewriteRule ^/tag:([^/]+)$ /cgi-bin/pkgreport.cgi?tag=$1 [PT,NE]
2988 # RewriteMap fix-chars int:noescape
2989 RewriteCond %{REQUEST_URI} ^/(Access\.html|Developer\.html|Reporting\.html|server-request\.html|server-control\.html|server-refcard\.html).* [NC]
2990 RewriteRule .* - [L]
2991 # PT|passthrough to bugreport.cgi and pkgreport.cgi
2992 RewriteRule ^/([0-9]+)$ /cgi-bin/bugreport.cgi?bug=$1 [PT,NE]
2993 RewriteRule ^/([^/]+)$ /cgi-bin/pkgreport.cgi?pkg=$1 [PT,NE]
2997 # * exim host conditional config
3001 all_dirs
=(/p
/c
/filesystem
)
3002 for x
in /p
/c
/machine_specific
/*.hosts
/a
/bin
/ds
/machine_specific
/*.hosts
; do
3003 if grep -qxF $HOSTNAME $x; then all_dirs
+=( ${x%.hosts} ); fi
3006 for d
in ${all_dirs[@]}; do
3007 f
=$d/etc
/exim
4/passwd
3008 if [[ -e $f ]]; then
3011 tmp
=($d/etc
/exim
4/*.pem
)
3012 if (( ${#tmp[@]} )); then
3017 if (( ${#files[@]} )); then
3018 sudo rsync
-ahhi --chown=root
:Debian-exim
--chmod=0640 ${files[@]} /etc
/exim
4/
3026 # avoid accepting mail for invalid users
3027 # https://wiki.dovecot.org/LMTP/Exim
3028 cat >>/etc
/exim
4/conf.d
/rcpt_local_acl
<<'EOF'
3030 message = invalid recipient
3031 domains = +local_domains
3032 !verify = recipient/callout=no_cache
3034 u
/etc
/exim
4/conf.d
/auth
/29_exim4-config_auth
<<'EOF'
3038 server_socket = /var/run/dovecot/auth-client
3039 server_set_id = $auth1
3044 u
/etc
/exim
4/conf.d
/auth
/29_exim4-config_auth
<<'EOF'
3045 # from 30_exim4-config_examples
3049 server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
3050 server_set_id = $auth2
3052 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
3053 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
3058 # ** exim: main daemon use non-default config file
3061 # to see the default comments in /etc/default/exim4:
3062 # s update-exim4defaults --force --init
3063 # which will overwrite any existing file
3064 u
/etc
/default
/exim4
<<'EOF'
3065 QUEUERUNNER='combined'
3067 COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
3068 UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
3069 # in t12 exim, this replaces all the above options
3070 EXIMSERVICE='-bdf -q10m -C /etc/exim4/nn-mainlog.conf'
3071 # i use epanic-clean for alerting if there are bad paniclog entries
3072 E4BCD_WATCH_PANICLOG='no'
3074 # make exim be a nonroot setuid program.
3075 chown Debian-exim
:Debian-exim
/usr
/sbin
/exim4
3076 # needs guid set in order to become Debian-exim
3077 chmod g
+s
,u
+s
/usr
/sbin
/exim4
3078 # need this to avoid error on service reload:
3079 # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
3080 # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
3081 # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
3082 # note: the daemon gives up and dies after retrying those 9 times.
3083 # I came upon this by guessing and trial and error.
3084 setcap CAP_NET_BIND_SERVICE
+ei
/usr
/sbin
/exim4
3085 u
/etc
/exim
4/trusted_configs
<<'EOF'
3086 /etc/exim4/nn-mainlog.conf
3091 u
/etc
/default
/exim4
<<'EOF'
3092 QUEUERUNNER='combined'
3102 # no reason to expect it to ever be there.
3103 rm -fv /etc
/systemd
/system
/exim4.service.d
/nonroot.conf
3107 for d
in /a
/d
/m
/media
/mnt
/nocow
/o
/p
/q
; do
3108 if [[ -d $d ]]; then
3112 u
/etc
/systemd
/system
/exim4.service.d
/nonroot.conf
<<EOF
3114 # see 56.2 Root privilege in exim spec
3115 AmbientCapabilities=CAP_NET_BIND_SERVICE
3116 # https://www.redhat.com/sysadmin/mastering-systemd
3117 # things that seem good and reasonabl.e
3120 # note, in t10 systemd, if one of these is an sshfs mountpoint,
3121 # this whole setting doesnt work. tried it with a newer systemd 250 though
3122 # an nspawn, and it worked there.
3123 InaccessiblePaths=${dirs[@]}
3124 # this gives us the permission denied error:
3125 # socket bind() to port 25 for address (any IPv6) failed: Permission denied
3126 # but we also have to set the file capabilities to avoid the error.
3127 #NoNewPrivileges=yes
3130 # when we get newer systemd
3133 u
/etc
/exim
4/conf.d
/main
/000_local-noroot
<<'EOF'
3134 # see 56.2 Root privilege in exim spec
3135 deliver_drop_privilege = true
3138 300_exim4-config_real_local
3139 600_exim4-config_userforward
3140 700_exim4-config_procmail
3141 800_exim4-config_maildrop
3144 for f
in ${files[@]}; do
3145 echo "# iank: removed due to running nonroot"|u
/etc
/exim
4/conf.d
/router
/$f
3152 # ** $MAIL_HOST|bk|je)
3155 echo|u
/etc
/exim
4/conf.d
/router
/165_backup_local
3157 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3158 # note: some things we don't set that are here by default because they are unused.
3159 dc_local_interfaces=''
3160 dc_eximconfig_configtype='internet'
3161 dc_localdelivery='dovecot_lmtp'
3163 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
3164 # recommended if dns is expected to work
3165 CHECK_RCPT_VERIFY_SENDER = true
3166 # default config comment says: If you enable this, you might reject legitimate mail,
3167 # but eggs has had this a long time, so that seems unlikely.
3168 CHECK_RCPT_SPF = true
3169 CHECK_RCPT_REVERSE_DNS = true
3170 CHECK_MAIL_HELO_ISSUED = true
3173 CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
3174 CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
3177 #dmarc_tld_file = /etc/public_suffix_list.dat
3185 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3186 dc_relay_nets='defaultnn.b8.nz'
3190 cat >/etc
/exim
4/conf.d
/main
/000_local-nn
<<EOF
3191 # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
3192 # smarthost config type, not sure.
3193 # failing message on mail-tester.com:
3194 # We check if there is a server (A Record) behind your hostname kd.
3195 # You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
3196 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
3197 # and this one seemed appropriate from grepping config.
3198 # I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
3199 # mail to kd, so this should basically be a name that no host has as their
3200 # canonical hostname since the actual host sits behind a nat and changes.
3201 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
3202 # I used this to avoid sender verification, didnt work but it still
3203 # makes sense based on the spec.
3204 hosts_treat_as_local = defaultnn.b8.nz
3206 # Outside nn, we get the default cert location from a debian macro,
3207 # and the cert file is put in place by a certbot hook.
3208 MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem
3209 MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem
3212 u
/etc
/exim
4/conf.d
/router
/190_exim4-config_fsfsmarthost
<<'EOF'
3214 debug_print = "R: smarthost for $local_part@$domain"
3215 driver = manualroute
3216 domains = ! +local_domains
3217 # comment senders to send most mail through eggs, helps fsfs sender reputation.
3218 # uncomment and optionally move to 188 file to send through my own servers again
3220 transport = smarthost_dkim
3221 route_list = * fencepost.gnu.org::587 byname
3222 host_find_failed = ignore
3223 same_domain_copy_routing = yes
3227 /a
/exe
/cedit defaultnn
/etc
/hosts
<<'EOF' || [[ $? == 1 ]]
3228 10.173.8.1 defaultnn.b8.nz
3234 if [[ ! -e /etc
/exim
4/no-delay-eximids
]]; then
3235 install -o iank
-g iank
<(echo) /etc
/exim
4/no-delay-eximids
3238 u
/etc
/exim
4/conf.d
/transport
/30_debbugs
<<'EOF'
3240 debug_print = "T: debbugs_pipe for $local_part@$domain"
3242 command = /usr/lib/debbugs/receive
3247 # We dont want delays or backups for mail being stored locally.
3248 # We could put domain exclusion on other routes, but going for
3249 # higher priority instead.
3250 u
/etc
/exim
4/conf.d
/router
/153_debbugs
<<'EOF'
3252 debug_print = "R: debbugs for $local_part@$domain"
3254 transport = debbugs_pipe
3255 local_parts = submit : bugs : maintonly : quiet : forwarded : \
3256 done : close : request : submitter : control : ^\\d+
3257 domains = DEBBUGS_DOMAIN
3260 debug_print = "R: bounce_debbugs for $local_part@$domain"
3263 data = :fail: Unknown user
3264 domains = DEBBUGS_DOMAIN
3267 install -m=0775 -d -g Debian-exim
-o iank
/var
/spool
/exim
4/gw
3268 f
=/var
/spool
/exim
4/gw
/.no-delay-eximids
3269 if [[ ! -e $f ]]; then
3270 install -g Debian-exim
-o iank
/dev
/null
$f
3272 u
/etc
/exim
4/conf.d
/router
/155_delay
<<'EOF'
3273 # By default, delay sending email by 30-40 minutes in case I
3276 # Note, if we switch mail_host, the next queue run will
3277 # send the message to mail_host and the delay will be reset.
3278 # That is fine. I could probably set some header to track
3279 # the delay but it is not worth it.
3284 # It hasnt been 30 minutes since we received the message.
3285 # we can avoid delay by adding the header i: or putting the exim message id into a file,
3286 # or pulling "all" into a file.
3287 # note, true false at the end just for easier debugging when pasting into a exim -Mset ID -be.
3288 condition = ${if and { \
3289 {< {$tod_epoch} {${eval10:$received_time + 60*30}}} \
3291 {!bool{${lookup{$message_exim_id}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \
3292 {!bool{${lookup{all}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \
3294 headers_remove = <; i:
3295 domains = ! +local_domains
3296 # uncomment for testing delays to jtuttle
3297 # local_parts = ! root : ! testignore : ! alerts : ! ian-pager : ! daylert
3298 local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert : ! r2e
3299 ignore_target_hosts = ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS
3302 u
/etc
/exim
4/conf.d
/router
/195_dnslookup_vpn
<<'EOF'
3303 # copied from /etc/exim4/conf.d/router/200_exim4-config_primary, but
3304 # use vpn transport. lower priority so it overrides the default route.
3305 # Use this in case our vpn fails, we dont send anything without it.
3306 .ifdef DCconfig_internet
3308 debug_print = "R: dnslookup for $local_part@$domain"
3310 domains = ! +local_domains
3311 transport = remote_smtp_vpn
3312 same_domain_copy_routing = yes
3313 ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ; 255.255.255.255 ; ::/128 ; ::1/128 ; fc00::/7 ; fe80::/10 ; 100::/64
3319 # note on backups: I used to do an automatic sshfs and restricted
3320 # permissions to a specific directory on the remote server, /bu/mnt,
3321 # which required using a dedicated user, but realized smtp will be
3322 # more reliable and less fuss. If I ever need that again, see the
3323 # history of this file, and bum in brc2.
3324 u
/etc
/exim
4/conf.d
/router
/161_backup_redir_nn
<<'EOF'
3327 # b is just an arbirary short string
3328 data = b@eximbackup.b8.nz
3329 condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
3330 # note, to test this, i could temporarily allow testignore.
3331 # alerts avoids potential mail loop. root is already
3332 # redirected earlier, so that is just being overly cautious.
3333 local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert
3335 errors_to = alerts@iankelling.org
3340 # This allows for forwarded mail to not get most rcpt checks, especially SPF,
3341 # which would incorrectly get denied.
3342 u
/etc
/exim
4/host_local_deny_exceptions
<<'EOF'
3347 # cron email from smarthost hosts will automatically be to
3348 # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
3349 # case that doesn't work, we still want to accept that mail, but not
3350 # from any host except the smarthosts. local_hostnames and this rule
3351 # is for that purpose.
3352 u
/etc
/exim
4/conf.d
/rcpt_local_acl
<<'EOF'
3355 domains = +local_hostnames
3358 # for testing bounce behavior
3360 # senders = testlist-bounces+test=zroe.org@fsf.org
3361 # message = iank-bounce
3363 echo|u
/etc
/exim
4/conf.d
/router
/880_universal_forward
3366 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
3367 MAILDIR_HOME_MAILDIR_LOCATION = /m/md/Sent
3371 # ian: save a copy of sent mail. i thought of other ways to do this,
3372 # for example, to only save sent mail that is not sent from my mail
3373 # client which saves a copy by default, but in the end, it seems
3374 # simplest to turn that off. We want to save external mail sent by
3375 # smarthosts. However, there is one complication: encrypted
3376 # mail. Saving it here just gets us an encrypted copy that we can't
3377 # read. Soo, we could bcc ourselves: then we still have the
3378 # annoyance that it is encrypted so we can't grep it. Or, we could
3379 # hack emacs so that it sends us an unencrypted copy. Turns out that
3380 # the emacs function which saves sent email can also send us a
3381 # copy. But, then we have 3 copies: the encrypted copy exim saves,
3382 # the unencrypted copy exim saves, and the copy emacs saves. Soo,
3383 # we can emacs send a copy directly to the sent alias but only when
3384 # it is not mail_host, and have the exim condition for redirecting a
3385 # copy to the sent alias avoid doing it if it has an emacs user
3387 u
/etc
/exim
4/conf.d
/router
/186_sentarchive_nn
<<'EOF'
3390 domains = ! +local_domains
3391 condition = ${if and {{!bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}} {!match {$h_user-agent:}{emacs}}}}
3392 data = vojdedIdNejyebni@b8.nz
3397 # for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
3398 # and also have mail.iankelling.org whitelisted as a relay domain.
3399 # I could avoid that if I changed this to submit to 587 with a
3400 # password like a standard mua.
3401 u
/etc
/exim
4/conf.d
/router
/188_exim4-config_smarthost
<<'EOF'
3402 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
3403 # replaced DCsmarthost with hostname
3405 debug_print = "R: smarthost for $local_part@$domain"
3406 driver = manualroute
3407 domains = ! +local_domains
3409 transport = remote_smtp_smarthost
3410 route_list = * mail.fsf.org::587 byname
3411 host_find_failed = ignore
3412 same_domain_copy_routing = yes
3416 debug_print = "R: smarthost for $local_part@$domain"
3417 driver = manualroute
3418 domains = ! +local_domains
3419 senders = *@posteo.net
3420 transport = remote_smtp_smarthost
3421 route_list = * posteo.de::587 byname
3422 host_find_failed = ignore
3423 same_domain_copy_routing = yes
3427 # Greping /etc/exim4, unqualified mails this would end up as
3428 # a return path, so it should go somewhere we will see.
3429 # The debconf output about mailname is as follows:
3430 # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
3432 # This name will also be used by other programs. It should be the single, fully
3433 # qualified domain name (FQDN).
3434 # Thus, if a mail address on the local host is foo@example.org, the correct value for
3435 # this option would be example.org.
3436 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
3437 echo iankelling.org
> /etc
/mailname
3439 # mail default domain.
3440 u
/etc
/mailutils.conf
<<'EOF'
3442 email-domain iankelling.org;
3446 # mail.iankelling.org so local imap clients can connect with tls and
3447 # when they happen to not be local.
3448 # todo: this should be 10.8.0.4
3450 /a
/exe
/cedit nn
/etc
/hosts
<<'EOF' || [[ $? == 1 ]]
3451 # note: i put nn.b8.nz into bind for good measure
3452 10.173.8.2 nn.b8.nz mx.iankelling.org
3455 # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
3456 # weve configured this file in dnsmasq if we are using it.
3457 /a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf
<<'EOF' || [[ $? == 1 ]]
3458 server=/mx.iankelling.org/127.0.1.1
3460 # I used to use debconf-set-selections + dpkg-reconfigure,
3461 # which then updates this file
3462 # but the process is slower than updating it directly and then I want to set other things in
3463 # update-exim4.conf.conf, so there's no point.
3464 # The file is documented in man update-exim4.conf,
3465 # except the man page is not perfect, read the bash script to be sure about things.
3467 # The debconf questions output is additional documentation that is not
3468 # easily accessible, but super long, along with the initial default comment in this
3469 # file, so I've saved that into ./mail-notes.conf.
3471 # # TODO: remove mx.iankelling.org once systems get updated mail-setup from jan 2022
3472 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3473 # man page: is used to build the local_domains list, together with "localhost"
3474 # this is duplicated in a later router.
3475 dc_other_hostnames='iankelling.org;zroe.org;r2e.iankelling.org;mx.iankelling.org;!je.b8.nz;!bk.b8.nz;*.b8.nz;b8.nz'
3479 # dmarc. not used currently
3480 f
=/etc
/cron.daily
/refresh-dmarc-tld-file
3484 wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
3490 ## we use this host to monitor MAIL_HOST and host a mail server for someone
3493 # No clamav on je, it has 1.5g memory and clamav uses most of it.
3495 # No clamav on MAIL_HOST because it is just a waste of useful cpu
3496 # time and memory when I'm running on an x200, and it takes 30
3497 # seconds to shut down.
3499 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
3500 # je.b8.nz will run out of memory with freshclam
3501 av_scanner = clamd:/var/run/clamav/clamd.ctl
3504 cat >> /etc
/exim
4/conf.d
/data_local_acl
<<'EOF'
3506 malware = */defer_ok
3507 !condition = ${if match {$malware_name}{\N^Heuristic\N}}
3508 message = This message was detected as possible malware ($malware_name).
3511 !hosts = +iank_trusted
3513 condition = ${if def:malware_name}
3514 remove_header = Subject:
3515 add_header = Subject: [Clamav warning: $malware_name] $h_subject
3516 log_message = heuristic malware warning: $malware_name
3519 # fdate = future date. # tdate = temporary date.
3520 condition = ${if def:h_fdate}
3521 remove_header = fdate:
3527 /a
/exe
/cedit nn
/etc
/hosts
<<'EOF' || [[ $? == 1 ]]
3531 sed -r -f - /etc
/init.d
/exim4
<<'EOF' |u /etc/init.d/exim4in
3532 s,/etc/default/exim4,/etc/default/exim4in,g
3533 s,/run/exim4/exim.pid,/run/exim4/eximin.pid,g
3534 s,(^[ #]*Provides:).*,\1 exim4in,
3535 s,(^[ #]*NAME=).*,\1"exim4in",
3537 chmod +x
/etc
/init.d
/exim4in
3538 u
/etc
/systemd
/system
/exim4in.service.d
/alwaysrestart.conf
<<'EOF'
3540 # needed to continually restart
3541 StartLimitIntervalSec=0
3545 # time to sleep before restarting a service
3549 u
/etc
/default
/exim4in
<<'EOF'
3550 # defaults but no queue runner and alternate config dir
3552 COMMONOPTIONS='-oP /run/exim4/eximin.pid'
3553 UPEX4OPTS='-d /etc/nond-exim4'
3556 echo bk.b8.nz
> /etc
/mailname
3557 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3558 # man page: is used to build the local_domains list, together with "localhost"
3559 dc_other_hostnames='amnimal.ninja;expertpathologyreview.com;bk.b8.nz'
3565 echo je.b8.nz
> /etc
/mailname
3566 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3567 dc_other_hostnames='je.b8.nz'
3570 # ** not MAIL_HOST|bk|je
3572 echo|u
/etc
/exim
4/conf.d
/transport
/30_debbugs
3573 echo|u
/etc
/exim
4/conf.d
/router
/153_debbugs
3574 echo|u
/etc
/exim
4/conf.d
/router
/155_delay
3575 # this one should be removed for all non mail_hosts. note
3576 # bk and je never become mail_host
3577 echo|u
/etc
/exim
4/conf.d
/router
/195_dnslookup_vpn
3578 echo|u
/etc
/exim
4/conf.d
/router
/160_backup_redir
3579 echo|u
/etc
/exim
4/conf.d
/router
/161_backup_redir_nn
3580 echo|u
/etc
/exim
4/conf.d
/router
/185_sentarchive
3581 echo|u
/etc
/exim
4/conf.d
/router
/186_sentarchive_nn
3582 # Note, in general we could submit to smarthosts on non MAIL_HOST.
3583 # however, delayed mail makes this inconvenient, because I
3584 # occasionally want to send an email from a non-MAIL_HOST and then
3585 # turn off that computer or travel with it so it is disconnected.
3586 # It is also probably easier to setup emacs to delay messages, but
3587 # that would mean we need to keep emacs running, this is much
3589 echo|u
/etc
/exim
4/conf.d
/router
/188_exim4-config_smarthost
3590 echo|u
/etc
/exim
4/conf.d
/router
/190_exim4-config_fsfsmarthost
3591 echo|u
/etc
/exim
4/conf.d
/rcpt_local_acl
3592 echo|u
/etc
/exim
4/conf.d
/main
/000_local-nn
3596 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
3597 MAIN_TLS_CERTIFICATE = /etc/exim4/certs/$wghost/fullchain.pem
3598 MAIN_TLS_PRIVATEKEY = /etc/exim4/certs/$wghost/privkey.pem
3599 # so we can maintiain the originals of the backups.
3600 # we wouldnt want this if we were dealing with any other
3601 # local deliveries, but we sent all others to the smarthost
3602 # which then strips the headers.
3603 envelope_to_remove = false
3604 return_path_remove = false
3608 # catches things like cronjob email
3609 u
/etc
/exim
4/conf.d
/router
/880_universal_forward
<<'EOF'
3612 domains = +local_domains
3613 data = alerts@iankelling.org
3617 for unit
in ${nn_progs[@]}; do
3618 f
=/etc
/systemd
/system
/$unit.service.d
/nn.conf
3622 # dont i dont care if defaultnn section gets left, it wont
3624 echo |
/a
/exe
/cedit nn
/etc
/hosts ||
[[ $?
== 1 ]]
3625 echo |
/a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf ||
[[ $?
== 1 ]]
3627 # note: condition duplicated at else
3630 install -d -g Debian-exim
-o Debian-exim
-m 771 /bu
/md
3631 if [[ -e /bu
/md
/cur
&& $
(stat
-c %u
/bu
/md
/cur
) == 1000 ]]; then
3632 chown
-R Debian-exim
:Debian-exim
/bu
/md
3634 u
/etc
/exim
4/conf.d
/transport
/30_backup_maildir
<<EOF
3635 # modified debian maildir transport
3640 # note, no return path or envelope added
3642 directory_mode = 0700
3644 mode_fail_narrower = false
3647 u
/etc
/exim
4/conf.d
/router
/165_backup_local
<<'EOF'
3648 ### router/900_exim4-config_local_user
3649 #################################
3652 debug_print = "R: local_user for $local_part@$domain"
3654 domains = eximbackup.b8.nz
3655 transport = backup_maildir
3658 # Bind to wghole to receive mailbackup.
3659 if [[ -e /etc
/wireguard
/wghole.conf
]]; then
3660 wgholeip
=$
(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc
/wireguard
/wghole.conf
)
3661 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3662 dc_other_hostnames='eximbackup.b8.nz'
3663 dc_local_interfaces='127.0.0.1;::1;$wgholeip'
3667 # wghole & thus exim will fail to start without internet connectivity.
3668 u
/etc
/systemd
/system
/exim4.service.d
/backup.conf
<<'EOF'
3670 StartLimitIntervalSec=0
3677 else # if $bhost_t; then
3678 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3679 # Note: If theres like a temporary problem where mail gets sent to
3680 # one of these hosts, if exim isnt listening, it will be a temporary error
3681 # instead of a permanent 5xx.
3682 dc_local_interfaces='127.0.0.1;::1'
3684 rm -fv /etc
/systemd
/system
/exim4.service.d
/backup.conf
3686 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3687 dc_eximconfig_configtype='smarthost'
3688 dc_smarthost='$smarthost'
3691 hostname
-f |u
/etc
/mailname
3692 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
3693 # The manpage incorrectly states this will do header rewriting, but
3694 # that only happens if we have dc_hide_mailname is set.
3695 dc_readhost='iankelling.org'
3696 # Only used in case of bounces.
3697 dc_localdelivery='maildir_home'
3705 # ** $MAILHOST|bk, things that belong at the end
3708 # config for the non-nn exim. note, it uses not default dir, but we
3709 # generate that into the default config file
3710 m rsync
-ra --delete --delete-excluded \
3711 --exclude=/conf.d
/router
/161_backup_redir_nn \
3712 --exclude=/conf.d
/router
/186_sentarchive_nn \
3713 --exclude=/conf.d
/main
/000_local-nn
/etc
/exim
4/ /etc
/nond-exim4
3714 cat >>/etc
/nond-exim
4/conf.d
/main
/000_local
<<'EOF'
3715 # this makes it easier to see which exim is doing what
3716 log_file_path = /var/log/exim4/nond%s
3721 cat >/etc
/logrotate.d
/myexim
<<'EOF'
3722 /var/log/exim4/nondmain /var/log/exim4/nondreject {
3730 /var/log/exim4/nondpanic {
3741 # If we ever wanted to have a separate spool,
3742 # we could do it like this.
3743 # cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
3744 # spool_directory = /var/spool/nond-exim4
3746 cat >>/etc
/nond-exim
4/update-exim4.conf.conf
<<'EOF'
3747 dc_eximconfig_configtype='smarthost'
3748 dc_smarthost='nn.b8.nz'
3753 # config for the non-nn exim
3754 cat >>/etc
/nond-exim
4/conf.d
/main
/000_local
<<'EOF'
3755 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
3761 u
/etc
/nond-exim
4/conf.d
/router
/185_sentarchive
<<'EOF'
3764 domains = ! +local_domains
3765 senders = <; *@fsf.org ; *@posteo.net
3766 condition = ${if and {{!bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}} {!match {$h_user-agent:}{emacs}}}}
3767 data = vojdedIdNejyebni@b8.nz
3771 u
/etc
/nond-exim
4/conf.d
/router
/160_backup_redir
<<'EOF'
3774 # i dont email myself from my own machine much, so lets ignore that.
3775 domains = ! +local_domains
3776 senders = <; *@fsf.org ; *@posteo.net
3777 condition = ${if and {{!bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}} {!match {$h_user-agent:}{emacs}}}}
3778 # b is just an arbirary short string
3779 data = b@eximbackup.b8.nz
3780 # note, to test this, i could temporarily allow testignore.
3781 # alerts avoids potential mail loop.
3782 local_parts = ! root : ! testignore : ! alerts : ! daylert
3784 errors_to = alerts@iankelling.org
3787 # for bk, we have a exim4in.service that will do this for us.
3788 m update-exim4.conf
-d /etc
/nond-exim4
3794 # ** bind mount setup
3795 # put spool dir in directory that spans multiple distros.
3796 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
3799 sdir
=/var
/spool
/exim4
3800 # we only do this if our system has $dir
3802 # this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
3803 # about 2 seconds later, exim starts, and immediately puts into paniclog:
3804 # honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
3805 # so, im trying a bind mount to get rid of that.
3806 if [[ -e /nocow
]]; then
3807 if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc
/fstab
; then
3808 echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc
/fstab
3810 u
/etc
/systemd
/system
/exim4.service.d
/override.conf
<<'EOF'
3812 # without local-fs on exim, we get these kind of errors in paniclog on shutdown:
3813 # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
3814 After=local-fs.target
3817 ExecStartPre=/usr/local/bin/exim-nn-iptables
3819 if ! mountpoint
-q $sdir; then
3820 stopifactive exim4 exim4in
3821 if [[ -L $sdir ]]; then
3824 if [[ ! -e $dir && -d $sdir ]]; then
3827 if [[ ! -d $sdir ]]; then
3829 m
chmod 000 $sdir # only want it to be used when its mounted
3837 # ** exim/spool uid setup
3838 # i have the spool directory be common to distro multi-boot, so
3839 # we need the uid to be the same. 608 cuz it's kind of in the middle
3840 # of the free system uids.
3841 IFS
=:; read -r _ _ uid _
< <(getent passwd Debian-exim ||
:) ||
:; unset IFS
3842 IFS
=:; read -r _ _ gid _
< <(getent group Debian-exim ||
:) ||
:; unset IFS
3843 if [[ ! $uid ]]; then
3844 # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
3845 m adduser
--uid 608 --system --group --quiet --home /var
/spool
/exim4 \
3846 --no-create-home --disabled-login --force-badname Debian-exim
3847 elif [[ $uid != 608 ]]; then
3848 stopifactive exim4 exim4in
3849 m usermod
-u 608 Debian-exim
3850 m groupmod
-g 608 Debian-exim
3851 m usermod
-g 608 Debian-exim
3852 m
find / /nocow
-xdev -path .
/var
/tmp
-prune -o -uid $uid -execdir chown
-h 608 {} +
3853 m
find / /nocow
-xdev -path .
/var
/tmp
-prune -o -gid $gid -execdir chgrp
-h 608 {} +
3857 # note: example config has a debbugs user,
3858 # but my exim runs setuid as Debian-exim so it can't switch
3859 # to another user. Anyways, I'm not exposing this to the
3860 # internet at this time. If I do, the thing to do would
3861 # be to use a sudo config (or sudo alternative). This
3862 # would be how to setup
3864 # IFS=:; read -r _ _ uid _ < <(getent passwd debbugs||:) ||:; unset IFS
3865 # if [[ ! $uid ]]; then
3866 # # /a/opt/debbugs/debian/README.mail
3867 # adduser --uid 610 --system --group --home /o/debbugs \
3868 # --no-create-home --disabled-login --force-badname debbugs
3869 # m find /o/debbugs -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 610 {} +
3870 # m find /o/debbugs -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 610 {} +
3871 # elif [[ $uid != 610 ]]; then
3872 # err debbugs exist but is not uid 610: investigate
3875 # * mail monitoring / testing
3877 # note, to test clamav, send an email with body that only contains
3878 # https://en.wikipedia.org/wiki/EICAR_test_file
3879 # which set malware_name to Eicar-Signature
3882 # note: cronjob "ian" also does some important monitoring
3883 # todo: this will sometimes cause an alert because mailtest-check will run
3884 # before we have setup network namespace and spamassassin
3885 u
/etc
/cron.d
/mailtest
<<EOF
3887 PATH=/usr/bin:/bin:/usr/local/bin
3888 MAILTO=daylert@iankelling.org
3889 */5 * * * * $u send-test-forward |& log-once send-test-forward
3890 */10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
3891 # if a bounce happened yesterday, dont let it slip through the cracks
3892 8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
3896 m sudo rsync
-ahhi --chown=root
:root
--chmod=0755 \
3897 /b
/ds
/mailtest-check
/b
/ds
/check-remote-mailqs
/usr
/local
/bin
/
3898 u
/etc
/systemd
/system
/mailtest-check.service
<<'EOF'
3900 Description=mailtest-check
3901 After=local-fs.target
3902 StartLimitIntervalSec=0
3905 # avoid fans spinning up
3908 ExecStart=/usr/local/bin/mailtest-check slow
3913 WantedBy=graphical.target
3915 sysd-prom-fail-install mailtest-check
3918 test_froms
=(ian@iankelling.org z@zroe.org iank@gnu.org
)
3919 test_tos
=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org
)
3921 cat >>/etc
/cron.d
/mailtest
<<EOF
3923 0 10 * * 5 root echo "weekly alert. You are not in the matrix."
3924 2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
3928 test_froms
=(testignore@amnimal.ninja testignore@expertpathologyreview.com
)
3929 test_tos
=(testignore@iankelling.org testignore@je.b8.nz
)
3930 # We dont need to send from different addresses to the same
3931 # address. this breaks down our nice elegant logic of building up
3932 # froms and tos , so I just handle expertpath in a special case
3933 # below and set the to: to be testignore@zroe.org. If we did sent
3934 # that way, it would also mess up our mailtest-check logic that
3935 # finds which messages to check.
3936 # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
3937 # that would become 2 messages and we'd only check 1.
3940 test_froms
=(testignore@je.b8.nz
)
3941 test_tos
=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja
)
3945 # Dont put these test messages into the sent folder or else it will
3946 # overwhelm it, plus i dont want to save a copy at all.
3947 # Plus addresses we generally want to ignore.
3948 u
/etc
/exim
4/ignore-sent
<<EOF
3949 $(printf "%s\n" ${test_tos[@]})
3950 vojdedIdNejyebni@b8.nz
3954 cat >/usr
/local
/bin
/send-test-forward
<<'EOF'
3956 # we remove from the queue older than 4.3 minutes since we send every 5 minutes.
3958 $(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
3960 if (( ${#olds[@]} )); then
3961 /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
3964 for test_from
in ${test_froms[@]}; do
3966 test_to
=${test_tos[0]}
3967 for t
in ${test_tos[@]:1}; do
3968 if [[ $test_from == *@gnu.org
&& $t == *@gnu.org
]]; then
3974 testignore@expertpathologyreview.com
)
3975 test_to
=testignore@zroe.org
3979 cat >>/usr
/local
/bin
/send-test-forward
<<EOFOUTER
3980 /usr/sbin/exim -odf -f $test_from -t <<EOF
3983 Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
3985 /usr/local/bin/send-test-forward
3989 m
chmod +x
/usr
/local
/bin
/send-test-forward
3992 soff mailtest-check.service
3993 rm -fv /etc
/cron.d
/mailtest \
3994 /var
/lib
/prometheus
/node-exporter
/mailtest-check.prom
* \
3995 /var
/local
/cron-errors
/check-remote-mailqs
*
4000 # * start / stop services
4002 reifactive dnsmasq nscd
4005 m systemctl daemon-reload
4008 # optimization, this only needs to run once.
4009 if [[ ! -e /sys
/class
/net
/wghole
]]; then
4010 # checking bhost_t is redundant, but could help us catch errors.
4011 if $bhost_t ||
[[ -e /etc
/wireguard
/wghole.conf
]]; then
4012 # todo: in mail-setup, we have a static list of backup hosts, not *y
4013 m systemctl
--now enable wg-quick@wghole
4017 # optimization, this only needs to be run once
4018 if [[ ! -e /var
/lib
/prometheus
/node-exporter
/exim_paniclog.prom
]]; then
4019 sysd-prom-fail-install epanicclean
4020 m systemctl
--now enable epanicclean
4025 /a
/exe
/web-conf apache2 je.b8.nz
4028 /a
/exe
/web-conf apache2 mail2.iankelling.org
4032 # optimization, this only needs to run once. But, if we move to a
4033 # computer we haven't used much, we need to fetch a fresh cert.
4034 # Existence check is just to avoid ugly error message from openssl.
4035 if [[ ! -e /etc
/exim
4/fullchain.pem
]] ||
! openssl x509
-checkend $
(( 60 * 60 * 24 * 3 )) -noout -in /etc
/exim
4/fullchain.pem
; then
4036 m
/a
/bin
/ds
/mail-cert-cron
-1 -i
4037 m systemctl
--now enable mailcert.timer
4042 m systemctl
--now enable mailnn mailnnroute
4045 # we use dns to start wg
4049 m systemctl
--now enable unbound
4053 # If these have changes, id rather manually restart it, id rather
4054 # not restart and cause temporary errors
4058 m systemctl
--now enable $vpnser
4062 if ! systemctl is-active clamav-daemon
>/dev
/null
; then
4063 m systemctl
--now enable clamav-daemon
4064 out
=$
(rsync
-aiSAX --chown=root
:root
--chmod=g-s
/a
/bin
/ds
/filesystem
/etc
/systemd
/system
/epanicclean.service
/etc
/systemd
/system
)
4069 # note, this will cause paniclog entries because it takes like 45
4070 # seconds for clamav to start, i use ./epanic-clean to remove
4075 # start spamassassin/dovecot before exim.
4076 sre dovecot
$spamd_ser mailtest-check
4077 # Wait a bit before restarting exim, else I get a paniclog entry
4078 # like: spam acl condition: all spamd servers failed. But I'm tired
4079 # of waiting. I'll deal with this some other way.
4082 m systemctl
--now enable mailclean.timer
4085 # < 2.1 (eg: in t9), uses a different data format which required manual
4086 # migration. dont start if we are running an old version.
4087 if dpkg
--compare-versions "$(dpkg -s radicale | awk '$1 == "Version
:" { print $2 }')" ge
2.1; then
4088 m systemctl
--now enable radicale
4093 # for debugging dns issues
4096 systemctl
enable --now logrotate-fast.timer
4100 # last use of $reload happens in previous block
4101 rm -f /var
/local
/mail-setup-reload
4105 $MAIL_HOST|bk|je|li
)
4106 # on li, these are never started, except $vpnser
4110 soff radicale mailclean.timer dovecot
$spamd_ser $vpnser mailnn clamav-daemon
4118 m systemctl
--now enable mailbindwatchdog
4121 soff mailbindwatchdog
4131 m sudo
-u $u mkdir
-p /home
/$u/.cache
4132 set -- /m
/mucache
/home
/$u/.cache
/mu
/m
/.mu
/home
/$u/.mu
4137 if [[ ! -L $f ]]; then
4138 if [[ -e $f ]]; then
4141 m sudo
-u $u ln -sf -T $target $f
4146 # /etc/alias setup is debian specific, and exim postinst script sets up
4147 # an /etc/alias from root to the postmaster, based on the question
4148 # exim4-config exim4/dc_postmaster, as long as there exists an entry for
4149 # root, or there was no preexisting aliases file. postfix won\'t set up
4150 # a root to $postmaster alias if it\'s already installed. Easiest to
4151 # just set it ourselves.
4153 # debconf question for postmaster:
4154 # Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
4155 # to the user account of the actual system administrator.
4156 # If this value is left empty, such mail will be saved in /var/mail/mail, which is not
4158 # Note that postmaster\'s mail should be read on the system to which it is directed,
4159 # rather than being forwarded elsewhere, so (at least one of) the users listed here
4160 # should not redirect their mail off this machine. A 'real-' prefix can be used to
4161 # force local delivery.
4162 # Multiple user names need to be separated by spaces.
4163 # Root and postmaster mail recipient:
4169 # eval: (outline-minor-mode)
4170 # outline-regexp: "\\( *\\)# [*]\\{1,8\\} "
4172 # this is combined with defining outline-level in init.el