4 # Copyright (C) 2016 Ian Kelling
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 # todo: make quick backups of maildir, or deliver to multiple hosts.
21 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
23 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
24 if [[ ! $SUDO_USER ]]; then
25 echo "$0: error: requires running as nonroot or sudo"
33 Usage: ${0##*/} exim4|postfix
34 Setup exim4 / postfix / dovecot
36 The minimal assumption we have is that /etc/mailpass exists
39 I've had problems with postfix on debian:
40 on stretch, a startup ordering issue caused all mail to fail.
41 postfix changed defaults to only use ipv6 dns, causing all my mail to fail.
42 I haven't gotten around to getting a non-debian exim
47 -h|--help Print help and exit.
53 postfix
() { [[ $type == postfix
]]; }
54 exim
() { [[ $type == exim4
]]; }
56 if ! exim
&& ! postfix
; then
62 ####### begin perstent password instructions ######
64 # # for hosts which have all private files I just use the same user
65 # # for other hosts, each one get\'s their own password.
66 # # for generating secure pass, and storing for server too:
67 # # user=USUALLY_SAME_AS_HOSTNAME
70 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
71 # s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
72 # echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
73 # echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
74 # # then run this script, or part of it which uses /etc/mailpass
76 # # dovecot password, i just need 1 as I\'m the only user
77 # mkdir /p/c/filesystem/etc/dovecot
78 # echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
83 # # for ad-hoc testing of some random new host sending mail:
84 # user=li # client host username & hostname
86 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
87 # s sed -i "/^$user:/d" /etc/exim4/passwd
88 # echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd
89 # echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client
90 ####### end perstent password instructions ######
93 ####### begin persistent dkim/dns instructions #########
94 # # Remove 1 level of comments in this section, set the domain var
95 # # for the domain you are setting up, then run this and copy dns settings
97 # domain=iankelling.org
98 # c /p/c/filesystem/etc/exim4
99 # # this has several bugs addressed in comments, but it was helpful
100 # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
102 # openssl genrsa -out $domain-private.pem 2048 -outform PEM
103 # openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
104 # # selector is needed for having multiple keys for one domain.
105 # # I dun do that, so just use a static one: li
106 # echo "txt record name: li._domainkey.$domain"
107 # # Debadmin page does not have v=, fastmail does, and this
108 # # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
109 # # https://www.ietf.org/rfc/rfc6376.txt
110 # # Join and print all but first and last line.
111 # # last line: swap hold & pattern, remove newlines, print.
112 # # lines 2+: append to hold space
113 # echo "txt record contents:"
114 # echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
115 # chmod 644 $domain.pem
116 # chmod 640 $domain-private.pem
117 # # in conflink, we chown these to group debian
119 # # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
120 # # via the mail-setup scripts
122 # # 2017-02 dmarc policies:
123 # # host -t txt _dmarc.gmail.com
124 # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
125 # # there were articles claiming gmail would be changing
126 # # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
127 # # expected to cause problems
128 # # with a few old mailing lists, copying theirs for now.
130 # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
132 # # 2017-02 spf policies:
133 # # host -t txt lists.fedoraproject.org
134 # # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
135 # # i include fastmail\'s settings, per their instructions,
136 # # and follow their policy. In mail in a box, or similar instructions,
137 # # I\'ve seen recommended to not use a restrictive policy.
138 # echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"
140 # # to check if dns has updated, you do
141 # host -a mesmtp._domainkey.$domain
144 # # setting it to iankelling.org would work the same, but this
145 # # is more flexible, I could change where mail.iankelling.org pointed.
147 # mx records, 2 records each, for * and empty domain
148 # pri 10 mail.iankelling.org
149 # pri 20 in1-smtp.messagingengine.com
150 # pri 30 in2-smtp.messagingengine.com
152 ####### end persistent dkim instructions #########
157 # /usr/share/doc/exim4-base/README.Debian.gz
158 # /usr/share/doc/exim4-base/spec.txt.gz
160 # routers, transports, and authenticators are sections, and you define
161 # driver instances in those sections, and the manual calls them driver
162 # types but there is also a more specific "type" of driver, which is specified
163 # with the driver = some_module setting in the driver.
165 # the driver option must precede and private options (options that are
166 # specific to that driver), so follow example of putting it at beginning.
168 # The full list of option settings for any particular driver instance,
169 # including all the defaulted values, can be extracted by making use of
170 # the -bP command line option.
171 # exim -bP config_file to see what config file it used
172 # exim -bP config to see
174 # exim clear out message queue. as root:
175 # adapted from somewhere on stackoverflow.
176 # ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4
178 # fastmail has changed their smtp server, but the old one still works,
179 # I see no reason to bother changing.
180 # New one is smtp.fastmail.com
182 # test delivery & rewrite settings:
183 #exim4 -bt iank@localhost
190 postconf
-ev "${MAPFILE[@]}"
192 e
() { printf "%s\n" "$*"; }
193 pi
() { # package install
195 if dpkg
-s -- "$@" &> /dev
/null
; then
198 while fuser
/var
/lib
/dpkg
/lock
&>/dev
/null
; do sleep 1; done
199 f
=/var
/cache
/apt
/pkgcache.bin
;
200 if [[ ! -r $f ]] ||
(( $
(( $
(date +%s
) - $
(stat
-c %Y
$f ) )) > 60*60*12 )); then
203 apt-get
-y install --purge --auto-remove "$@"
207 mxhost
=mail.iankelling.org
211 # old setup. left as comment for example
212 # mxhost=mail.messagingengine.com
214 # forward=ian@iankelling.org
216 relayhost
="[$mxhost]:$mxport" # postfix
217 smarthost
="$mxhost::$mxport" # exim
219 # trisquel 8 = openvpn, debian stretch = openvpn-client
220 vpn_ser
=openvpn-client
221 if [[ ! -e /lib
/systemd
/system
/openvpn-client@.service
]]; then
225 if [[ $HOSTNAME == $MAIL_HOST ]]; then
226 # afaik, these will get ignored because they are routing to my own
227 # machine, but rm them is safer
228 rm -f $
(eval echo ~
$postmaster)/.forward
/root
/.forward
230 # this can\'t be a symlink and has permission restrictions
231 # it might work in /etc/aliases, but this seems more proper.
232 install -m 644 {-o,-g}$postmaster <(e
$forward) $
(eval echo ~
$postmaster)/.forward
235 # offlineimap uses this too, it is much easier to use one location than to
236 # condition it\'s config and postfix\'s config
237 if [[ -f /etc
/fedora-release
]]; then
238 /a
/exe
/lnf
-T ca-certificates.crt
/etc
/ssl
/ca-bundle.trust.crt
242 # dunno why, but debian installed postfix with builddep emacs
243 # but I will just explicitly install it here since
244 # I use it for sending mail in emacs.
245 if command -v apt-get
&> /dev
/null
; then
246 debconf-set-selections
<<EOF
247 postfix postfix/main_mailer_type select Satellite system
248 postfix postfix/mailname string $(hostname -f)
249 postfix postfix/relayhost string $relayhost
250 postfix postfix/root_address string $postmaster
252 if dpkg
-s postfix
&>/dev
/null
; then
253 while fuser
/var
/lib
/dpkg
/lock
&>/dev
/null
; do sleep 1; done
254 dpkg-reconfigure
-u -fnoninteractive postfix
259 source /a
/bin
/distro-functions
/src
/package-manager-abstractions
261 # Settings from reading the output when installing on debian,
262 # then seeing which were different in a default install on arch.
263 # I assume the same works for fedora.
265 mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
266 mailbox_size_limit = 0
267 relayhost = $relayhost
268 inet_interfaces = loopback-only
271 systemctl
enable postfix
272 systemctl start postfix
274 # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
276 smtp_sasl_auth_enable = yes
277 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
278 smtp_sasl_security_options = noanonymous
279 smtp_tls_security_level = secure
280 message_size_limit = 20480000
281 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
282 inet_protocols = ipv4
284 # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
285 # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
286 # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
289 f
=/etc
/postfix
/sasl_passwd
290 install -m 600 /dev
/null
$f
291 cat /etc
/mailpass|
while read -r domain port pass
; do
292 # format: domain port user:pass
293 # mailpass is just a name i made up, since postfix and
294 # exim both use a slightly crazy format to translate to
295 # each other, it\'s easier to use my own format.
296 printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
298 postmap
hash:/etc
/postfix
/sasl_passwd
299 # need restart instead of reload when changing
301 service postfix restart
303 else # begin exim. has debian specific stuff for now
307 if [[ -e /p
/c
/filesystem
]]; then
308 # allow failure of these commands when our internet is down, they are likely not needed,
309 # we check that a valid cert is there already.
310 # to put the hostname in the known hosts
311 if ! ssh -o StrictHostKeyChecking
=no root@li.iankelling.org
:; then
312 # This just causes failure if our cert is going to expire in the next 30 days.
313 # Certs I generate last 10 years.
314 openssl x509
-checkend $
(( 60 * 60 * 24 * 30 )) -noout -in /etc
/openvpn
/mail.crt
316 # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
317 # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
318 # after my internet was down for a bit:
319 # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
320 /a
/exe
/vpn-mk-client-cert
-b mail -n mail -s /b
/ds
/mail-route li.iankelling.org
324 cat >/etc
/systemd
/system
/offlineimapsync.timer
<<'EOF'
326 Description=Run offlineimap-sync once every min
332 WantedBy=timers.target
335 cat >/etc
/systemd
/system
/offlineimapsync.service
<<EOF
337 Description=Offlineimap sync
338 After=multi-user.target
343 ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
345 systemctl daemon-reload
347 # wording of question from dpkg-reconfigure exim4-config
348 # 1. internet site; mail is sent and received directly using SMTP
349 # 2. mail sent by smarthost; received via SMTP or fetchmail
350 # 3. mail sent by smarthost; no local mail
351 # 4. local delivery only; not on a network
352 # 5. no configuration at this time
354 # Note, I have used option 2 in the past for receiving mail
355 # from lan hosts, sending external mail via another smtp server.
357 # Note, other than configtype, we could set all the options in
358 # both types of configs without harm, they would either be
359 # ignored or be disabled by other settings, but the default
360 # local_interfaces definitely makes things more secure.
362 # most of these settings get translated into settings
363 # in /etc/exim4/update-exim4.conf.conf
364 # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
365 # documented in man update-exim4.conf, which outputs to the config that
366 # exim actually reads. except the man page is not perfect, for example,
367 # it doesn't document that it sets
368 # DCconfig_${dc_eximconfig_configtype}" "1"
369 # which is a line from update-exim4.conf, which is a relatively short bash script.
370 # mailname setting sets /etc/mailname
372 debconf-set-selections
<<EOF
373 exim4-config exim4/use_split_config boolean true
376 source /a
/bin
/bash_unpublished
/source-semi-priv
377 mkdir
-p /etc
/exim
4/conf.d
/{main
,transport
,auth
,router
}
379 cat >/etc
/exim
4/rcpt_local_acl
<<'EOF'
380 # Only hosts we control send to mail.iankelling.org, so make sure
381 # they are all authed.
382 # Note, if we wanted authed senders for all domains,
383 # we could make this condition in acl_check_mail
385 message = ian trusted domain recepient but no auth
387 domains = mail.iankelling.org
389 cat >/etc
/exim
4/data_local_acl
<<'EOF'
390 # Except for the "condition =", this was
391 # a comment in the check_data acl. The comment about this not
392 # being suitable is mostly bs. The only thing related I found was to
393 # add the condition =, cuz spamassassin has problems with big
394 # messages and spammers don't bother with big messages,
395 # but I've increased the size from 10k
396 # suggested in official docs, and 100k in the wiki example because
397 # those docs are rather old and I see a 110k spam message
398 # pretty quickly looking through my spam folder.
400 condition = ${if < {$message_size}{2000K}}
401 spam = Debian-exim:true
402 add_header = X-Spam_score: $spam_score\n\
403 X-Spam_score_int: $spam_score_int\n\
404 X-Spam_bar: $spam_bar\n\
405 X-Spam_report: $spam_report
408 cat >/etc
/exim
4/conf.d
/auth
/29_exim4-config_auth
<<'EOF'
409 # from 30_exim4-config_examples
414 server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
415 server_set_id = $auth2
417 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
418 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
422 cat >/etc
/exim
4/conf.d
/router
/900_exim4-config_local_user
<<'EOF'
423 ### router/900_exim4-config_local_user
424 #################################
426 # This router matches local user mailboxes. If the router fails, the error
427 # message is "Unknown user".
430 debug_print = "R: local_user for $local_part@$domain"
432 domains = +local_domains
433 # ian: commented this, in conjunction with a dovecot lmtp
434 # change so I get mail for all users.
437 transport = LOCAL_DELIVERY
438 cannot_route_message = Unknown user
440 cat >/etc
/exim
4/conf.d
/transport
/30_exim4-config_dovecot_lmtp
<<'EOF'
443 socket = /var/run/dovecot/lmtp
444 #maximum number of deliveries per batch, default 1
448 cat >/etc
/exim
4/conf.d
/router
/190_exim4-config_fsfsmarthost
<<'EOF'
449 # smarthost for fsf mail
450 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
451 # replaced DCsmarthost with mail.fsf.org
453 debug_print = "R: smarthost for $local_part@$domain"
455 domains = ! +local_domains
457 transport = remote_smtp_smarthost
458 route_list = * mail.fsf.org byname
459 host_find_failed = ignore
460 same_domain_copy_routing = yes
465 #### begin mail cert setup ###
466 f
=/usr
/local
/bin
/mail-cert-cron
469 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
471 [[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
473 f=/a/bin/bash_unpublished/source-semi-priv
477 if [[ $HOSTNAME == $MAIL_HOST ]]; then
478 local_mx=mail.iankelling.org
479 rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
480 ${rsync_common}fullchain.pem /etc/exim4/exim.crt
482 ${rsync_common}privkey.pem /etc/exim4/exim.key
484 if [[ $ret != $new_ret ]]; then
485 echo "$0: error: differing rsync returns, $ret, $new_ret"
489 if [[ $new_ret != 0 ]]; then
490 if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
491 echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
499 cat >/etc
/systemd
/system
/mailcert.service
<<'EOF'
501 Description=Mail cert rsync
502 After=multi-user.target
506 ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
509 cat >/etc
/systemd
/system
/mailcert.timer
<<'EOF'
511 Description=Run mail-cert once a day
517 WantedBy=timers.target
519 systemctl daemon-reload
520 systemctl start mailcert
521 systemctl restart mailcert.timer
522 systemctl
enable mailcert.timer
524 ##### end mailcert setup #####
528 if [[ $HOSTNAME == $MAIL_HOST ]]; then
530 debconf-set-selections
<<EOF
531 # Mail Server configuration
532 # -------------------------
534 # Please select the mail server configuration type that best meets your needs.
536 # Systems with dynamic IP addresses, including dialup systems, should generally be
537 # configured to send outgoing mail to another machine, called a 'smarthost' for
538 # delivery because many receiving systems on the Internet block incoming mail from
539 # dynamic IP addresses as spam protection.
541 # A system with a dynamic IP address can receive its own mail, or local delivery can be
542 # disabled entirely (except mail for root and postmaster).
544 # 1. internet site; mail is sent and received directly using SMTP
545 # 2. mail sent by smarthost; received via SMTP or fetchmail
546 # 3. mail sent by smarthost; no local mail
547 # 4. local delivery only; not on a network
548 # 5. no configuration at this time
550 # General type of mail configuration: 1
551 exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP
555 # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
558 # This name will also be used by other programs. It should be the single, fully
559 # qualified domain name (FQDN).
561 # Thus, if a mail address on the local host is foo@example.org, the correct value for
562 # this option would be example.org.
564 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
567 # iank: see comment elsewhere on mailname
568 exim4-config exim4/mailname string mail.iankelling.org
573 # Please enter a semicolon-separated list of recipient domains for which this machine
574 # should consider itself the final destination. These domains are commonly called
575 # 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
576 # to the list given here.
578 # By default all local domains will be treated identically. If both a.example and
579 # b.example are local domains, acc@a.example and acc@b.example will be delivered to the
580 # same final destination. If different domain names should be treated differently, it
581 # is necessary to edit the config files afterwards.
583 # Other destinations for which mail is accepted:
584 # iank.bid is for testing
585 # mail.iankelling.org is for machines i own
586 exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz
591 # Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
592 # daemon will listen on all IP addresses listed here.
594 # An empty value will cause Exim to listen for connections on all available network
597 # If this system only receives mail directly from local services (and not from other
598 # hosts), it is suggested to prohibit external connections to the local Exim daemon.
599 # Such services include e-mail programs (MUAs) which talk to localhost only as well as
600 # fetchmail. External connections are impossible when 127.0.0.1 is entered here, as
601 # this will disable listening on public network interfaces.
603 # IP-addresses to listen on for incoming SMTP connections:
604 exim4-config exim4/dc_local_interfaces string
609 # Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
610 # to the user account of the actual system administrator.
612 # If this value is left empty, such mail will be saved in /var/mail/mail, which is not
615 # Note that postmaster\'s mail should be read on the system to which it is directed,
616 # rather than being forwarded elsewhere, so (at least one of) the users listed here
617 # should not redirect their mail off this machine. A 'real-' prefix can be used to
618 # force local delivery.
620 # Multiple user names need to be separated by spaces.
622 # Root and postmaster mail recipient:
623 exim4-config exim4/dc_postmaster string $postmaster
627 # Exim is able to store locally delivered email in different formats. The most commonly
628 # used ones are mbox and Maildir. mbox uses a single file for the complete mail folder
629 # stored in /var/mail/. With Maildir format every single message is stored in a
630 # separate file in ~/Maildir/.
632 # Please note that most mail tools in Debian expect the local delivery method to be
633 # mbox in their default.
635 # 1. mbox format in /var/mail/ 2. Maildir format in home directory
637 # Delivery method for local mail: 2
638 exim4-config exim4/dc_localdelivery select Maildir format in home directory
640 echo mail.iankelling.org
> /etc
/mailname
642 # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
643 # smarthost config type, not sure. all other settings
644 # would be unused in that config type.
645 rm -f /etc
/exim
4/conf.d
/main
/000_localmacros
# old filename
646 cat >/etc
/exim
4/conf.d
/main
/000_local
<<EOF
647 # enable 587 in addition to the default 25, so that
648 # i can send mail where port 25 is firewalled by isp
649 daemon_smtp_ports = 25 : 587
650 # i don't have ipv6 setup for my vpn tunnel yet.
653 MAIN_TLS_ENABLE = true
659 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
661 # The file is based on the outgoing domain-name in the from-header.
662 DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
664 DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
667 # failing message on mail-tester.com:
668 # We check if there is a server (A Record) behind your hostname kd.
669 # You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
670 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
671 # and this one seemed appropriate from grepping config.
672 # I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
673 # mail to kd, so this should basically be a name that no host has as their
674 # canonical hostname since the actual host sits behind a nat and changes.
675 # Seems logical for this to be the same as mailname.
676 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
678 # normally empty, I set this so I can set the envelope address
679 # when doing mail redelivery to invoke filters
680 MAIN_TRUSTED_GROUPS = $u
682 LOCAL_DELIVERY = dovecot_lmtp
684 # options exim has to avoid having to alter the default config files
685 CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
686 CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
688 # debian exim config added this in 2016 or so?
689 # it's part of the smtp spec, to limit lines to 998 chars
690 # but a fair amount of legit mail does not adhere to it. I don't think
691 # this should be default, like it says in
692 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
693 # todo: the bug for introducing this was about headers, but
694 # the fix maybe is for all lines? one says gmail rejects, the
695 # other says gmail does not reject. figure out and open a new bug.
696 IGNORE_SMTP_LINE_LENGTH_LIMIT = true
698 # most of the ones that gmail seems to use.
699 # Exim has horrible default of signing unincluded
700 # list- headers since they got mentioned in an
701 # rfc, but this messes up mailing lists, like gnu/debian which want to
702 # keep your dkim signature intact but add list- headers.
703 DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
708 ####### begin dovecot setup ########
709 # based on a little google and package search, just the dovecot
710 # packages we need instead of dovecot-common.
712 # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
713 # directly. The reason to do this is to use dovecot\'s sieve, which
714 # has extensions that allow it to be almost equivalent to exim\'s
715 # filter capabilities, some ways probably better, some worse, and
716 # sieve has the benefit of being supported in postfix and
717 # proprietary/weird environments, so there is more examples on the
718 # internet. I was torn about whether to do this or not, meh.
719 pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
721 # if we changed 90-sieve.conf and removed the active part of the
722 # sieve option, we wouldn\'t need this, but I\'d rather not modify a
723 # default config if not needed. This won\'t work as a symlink in /a/c
725 sudo
-u $postmaster /a
/exe
/lnf
-T sieve
/main.sieve $
(eval echo ~
$postmaster)/.dovecot.sieve
727 sed -ri -f - /etc
/dovecot
/conf.d
/10-mail.conf
<<'EOF'
728 1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
729 /^\s*mail_location\s*=/d
732 cat >/etc
/dovecot
/conf.d
/20-lmtp.conf
<<EOF
734 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
735 mail_plugins = \$mail_plugins sieve
737 #mail_plugins = \$mail_plugins
739 # For a normal setup with exim, we need something like this, which
740 # removes the domain part
741 # auth_username_format = %Ln
743 # or else # Exim says something like
744 # "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
745 # Dovecot verbose log says something like
746 # "auth-worker(9048): passwd(someuser@somedomain): unknown user"
747 # reference: http://wiki.dovecot.org/LMTP/Exim
749 # However, I use this to direct all mail to the same inbox.
750 # A normal way to do this, which I did at first is to have
751 # a router in exim almost at the end, eg 950,
753 # debug_print = "R: catchall for \$local_part@\$domain"
755 # domains = +local_domains
758 # http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
759 # with superflous options removed.
760 # However, this causes the envelope to be rewritten,
761 # which makes filtering into mailboxes a little less robust or more complicated,
762 # so I've done it this way instead. it also requires
763 # modifying the local router in exim.
764 auth_username_format = $u
770 cat >/etc
/dovecot
/local.conf
<<'EOF'
771 # so I can use a different login that my shell login for mail. this is
772 # worth doing solely for the reason that if this login is compromised,
773 # it won't also compromise my shell password.
774 !include conf.d/auth-passwdfile.conf.ext
776 # settings derived from wiki and 10-ssl.conf
778 ssl_cert = </etc/exim4/exim.crt
779 ssl_key = </etc/exim4/exim.key
780 # https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
781 # in my cert cronjob, I check if that has changed upstream.
782 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
784 # ian: added this, more secure, per google etc
785 ssl_prefer_server_ciphers = yes
787 # for debugging info, uncomment these.
788 # logs go to syslog and to /var/log/mail.log
792 ####### end dovecot setup ########
794 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
795 d
=/etc
/systemd
/system
/openvpn@
mail
797 cat >$d/override.conf
<<'EOF'
800 # time to sleep before restarting a service
804 # StartLimitIntervalSec in recent systemd versions
808 systemctl
enable offlineimapsync.timer
809 systemctl start offlineimapsync.timer
810 systemctl restart
$vpn_ser@
mail
811 systemctl
enable $vpn_ser@
mail
812 systemctl
enable dovecot
813 systemctl restart dovecot
815 else # $HOSTNAME != $MAIL_HOST
816 systemctl disable offlineimapsync.timer
&>/dev
/null ||
:
817 systemctl stop offlineimapsync.timer
&>/dev
/null ||
:
818 systemctl disable
$vpn_ser@
mail
819 systemctl stop
$vpn_ser@
mail
820 systemctl disable dovecot ||
:
821 systemctl stop dovecot ||
:
824 # would only exist because I wrote it i the previous condition,
825 # it\'s not part of exim
826 rm -f /etc
/exim
4/conf.d
/main
/000_localmacros
827 debconf-set-selections
<<EOF
828 exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
829 exim4-config exim4/dc_smarthost string $smarthost
830 # afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
831 # if it does exist, it immediately changes the value to whats in /etc/mailname.
832 # So, I don't think there's any point in setting it, but might as well since
833 # ignoring what I set here is brain dead and might change.
834 exim4-config exim4/mailname string $(hostname -f)
836 hostname
-f > /etc
/mailname
838 fi # end $HOSTNAME != $MAIL_HOST
840 # if we already have it installed, need to reconfigure, without being prompted
841 if dpkg
-s exim4-config
&>/dev
/null
; then
842 # gotta remove this, otherwise the set-selections are completely
843 # ignored. It woulda been nice if this was documented somewhere!
844 rm -f /etc
/exim
4/update-exim4.conf.conf
845 while fuser
/var
/lib
/dpkg
/lock
&>/dev
/null
; do sleep 1; done
846 dpkg-reconfigure
-u -fnoninteractive exim4-config
849 # i have the spool directory be common to distro multi-boot, so
850 # we need the uid to be the same. 608 cuz it's kind of in the middle
851 # of the free system uids.
852 IFS
=:; read _ _ uid _
< <(getent passwd Debian-exim ||
:) ||
:; unset IFS
853 IFS
=:; read _ _ gid _
< <(getent group Debian-exim ||
:) ||
:; unset IFS
854 if [[ ! $uid ]]; then
855 # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
856 adduser
--uid 608 --system --group --quiet --home /var
/spool
/exim4 \
857 --no-create-home --disabled-login --force-badname Debian-exim
858 elif [[ $uid != 608 ]]; then
859 systemctl stop exim4 ||
:
860 usermod
-u 608 Debian-exim
861 groupmod
-g 608 Debian-exim
862 usermod
-g 608 Debian-exim
863 find / /nocow
-xdev -uid $uid -exec chown
-h 608 {} +
864 find / /nocow
-xdev -gid $gid -exec chgrp
-h 608 {} +
868 # light version of exim does not have sasl auth support.
869 pi exim4-daemon-heavy spamassassin
873 ##### begin spamassassin config
874 systemctl
enable spamassassin
876 sed -i '/^\s*CRON\s*=/d' /etc
/default
/spamassassin
877 e CRON
=1 >>/etc
/default
/spamassassin
878 # just noticed this in the config file, seems like a good idea.
879 sed -i '/^\s*NICE\s*=/d' /etc
/default
/spamassassin
880 e
'NICE="--nicelevel 15"' >>/etc
/default
/spamassassin
881 systemctl start spamassassin
882 systemctl reload spamassassin
884 cat >/etc
/systemd
/system
/spamddnsfix.service
<<'EOF'
886 Description=spamd dns bug fix cronjob
890 ExecStart=/a/bin/distro-setup/spamd-dns-fix
892 # 2017-09, debian closed the bug on this saying upstream had fixed it.
893 # remove this when i\'m using the newer package, ie, debian 10, or maybe
895 cat >/etc
/systemd
/system
/spamddnsfix.timer
<<'EOF'
897 Description=run spamd bug fix script every 10 minutes
901 # the script looks back 9 minutes into the journal,
902 # it takes a second to run,
903 # so lets run every 9 minutes and 10 seconds.
907 WantedBy=timers.target
909 systemctl daemon-reload
910 systemctl restart spamddnsfix.timer
911 systemctl
enable spamddnsfix.timer
913 ##### end spamassassin config
919 # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
920 # i only need .forwards, so just doing that one.
921 cd /etc
/exim
4/conf.d
/router
922 b
=userforward_higher_priority
923 # replace the router name so it is unique
924 sed -r s
/^
\\S
+:/$b:/ 600_exim4-config_userforward
>175_
$b
926 # begin setup passwd.client
927 f
=/etc
/exim
4/passwd.client
928 rm -f /etc
/exim
4/passwd.client
929 install -m 640 -g Debian-exim
/dev
/null
$f
930 cat /etc
/mailpass|
while read -r domain port pass
; do
931 # reference: exim4_passwd_client(5)
932 printf "%s:%s\n" "$domain" "$pass" >>$f
934 # end setup passwd.client
936 # by default, only 10 days of logs are kept. increase that.
937 sed -ri 's/^(\s*rotate\s).*/\11000/' /etc
/logrotate.d
/exim4-base
939 systemctl restart exim4
943 # /etc/alias setup is debian specific, and
944 # exim config sets up an /etc/alias from root to the postmaster, which i
945 # config to ian, as long as there exists an entry for root, or there was
946 # no preexisting aliases file. based on the postinst file. postfix
947 # won\'t set up a root to $postmaster alias if it\'s already installed.
948 # Since postfix is not the greatest, just set it ourselves.
949 if [[ $postmaster != root
]]; then
950 sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
951 \$a root: $postmaster
957 # put spool dir in directory that spans multiple distros.
958 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
960 # todo: I\'m suspicious of uids for Debian-exim being the same across
961 # distros. It would be good to test this.
963 sdir
=/var
/spool
/$type
964 # we only do this if our system has $dir
965 if [[ -e /nocow
&& $
(readlink
-f $sdir) != $dir ]]; then
967 if [[ ! -e $dir && -d $sdir ]]; then
970 /a
/exe
/lnf
-T $dir $sdir
973 systemctl restart
$type
974 systemctl
enable $type
976 # MAIL_HOST also does radicale, and easier to start and stop it here
977 # for when MAIL_HOST changes, so radicale gets the synced files and
978 # does not stop us from remounting /o.
979 if dpkg
-s radicale
&>/dev
/null
; then
980 if [[ $HOSTNAME == $MAIL_HOST ]]; then
981 systemctl restart radicale
982 systemctl
enable radicale
983 if [[ -e /etc
/logrotate.d
/radicale.disabled
]]; then
984 mv /etc
/logrotate.d
/radicale
{.disabled
,}
987 systemctl stop radicale
988 systemctl disable radicale
989 # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
990 if [[ -e /etc
/logrotate.d
/radicale
]]; then
991 mv /etc
/logrotate.d
/radicale
{,.disabled
}
997 # if I wanted the from address to be renamed and sent to a different address,
998 # echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
999 # sudo postmap hash:/etc/postfix/recipient_canonical
1000 # sudo service postfix reload