#!/bin/bash # * intro # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later # todo: setup an alert for bouncing test emails. # todo: bounces to my fsf mail can come from fsf@iankelling.org, # think about making bounces go from the original address. # todo: add a prometheus alert for dovecot. # todo: handle errors like this: # Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring. # Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. #eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago #Debian-+ 1954 1 0 36231 11560 4 Apr02 ? 00:40:25 /usr/sbin/exim4 -bd -q30m #Debian-+ 23058 1954 0 36821 10564 0 20:38 ? 00:00:00 /usr/sbin/exim4 -bd -q30m # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it. # todo: consider hardening cups listening on 0.0.0.0 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use. # todo: hosts should only allow external mail that is authed and # destined for backup route. it is a minor issue since traffic is # limited to the wghole network. # todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist # instead of a simple rejection like it should. # todo: run mailping test after running, or otherwise # clear out terminal alert # todo: disable postgrey # todo: in testforward-check, we should also look # todo: test that bounces dont help create valid mailtest-check # todo: move mail stuff in distro-end into this file # todo: consider rotating dkim & publishing key so every past email I sent # isnt necessarily signed # todo: consider how to get clamav out of Debian-exim group # so it cant read/write the whole mail spool, for better # security. # todo: create a cronjob to update or warn on expiring dnssec keys # todo: we should test failed mail daily or so # failed cronjob, failed sysd-log-once, # a local bounce from a cronjob, a local bounce # to a bad remote address, perhaps a local failure # when the sending daemon is down. # And send an alert email if no alerts have been sent # in 2 or 3 days or something. todo, test cron mail on li. # todo: look at mailinabox extra dns records, note these changelogs: # - An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced. # - The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT. # # todo: mailtest-check failure on remote hosts is not going to alert me. # sort that out. # todo: test mail failure as well as success. # # todo: validate that mailtest-check is doing dnsbl checks. # background: I want to run exim in a network namespace so it can send # and receive through a vpn. This is needed so it can do ipv6, because # outside the namespace if we dont have ipv6, to send ipv6 through the # vpn, we have to send all our ipv6 through the vpn. I did this for a # long time, it was fine, but it causes various pains, like increased # latency, increased recaptcha because my ip is from a data center, just # various issues I dont want on all the time. The problem with the # namespace is that all kinds of programs want to invoke exim, but they # wont be in the namespace. I could replace exim with a wrapper that # jumps into the namespace, i tried that, it works fine. One remaining # problem was that I would have needed to hook into exim upgrades to # move exim and replace it with my wrapper script. Also, my script to # join the namespace is not super reliable because it uses a pgrep. # Instead, I should have created a systemd service for a process that # will never die and just writes its pid somewhere convenient. # That implementation # is below here: # # sudoers: # user ALL=(ALL) /usr/sbin/exim4 # # move exim4 to eximian, use this script for exim4: # # #!/bin/bash # if ip a show veth1-mail &>/dev/null; then # /usr/sbin/eximian "$@" # exit # fi # dosudo=false # if [[ $USER && $USER != root ]]; then # dosudo=true # fi # pid=$(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") # if $dosudo; then # sudo nsenter -t $pid -n -m sudo -u $USER /usr/sbin/eximian "$@" # else # nsenter -t $pid -n -m /usr/sbin/eximian "$@" # fi # ## end script # # an alternate solution: there is a small setguid program for # network namespaces in my bookmarks. # # However, the solution I went with is: have 2 exim # configs. A nonstandard location for the daemon that runs # in the namespace. For all other invocations, it uses # the default config location, which is altered to be # in a smarthost config which sends mail to the deaemon. # # I have a bash function, enn to invoke exim like the daemon is running. # and mailbash to just enter its network namespace. if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi shopt -s nullglob if [[ -s /usr/local/lib/err ]]; then source /usr/local/lib/err elif [[ -s /a/bin/errhandle/err ]]; then source /a/bin/errhandle/err else err "no err tracing script found" fi source /a/bin/distro-functions/src/identify-distros source /a/bin/distro-functions/src/package-manager-abstractions # has nextcloud_admin_pass in it f=/p/c/machine_specific/$HOSTNAME/mail if [[ -e $f ]]; then # shellcheck source=/p/c/machine_specific/bk/mail source $f fi [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" # note, this is hardcoded in /etc/exim4/conf.d/main/000_local u=$(id -nu 1000) usage() { cat < preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false # background: dovecot does not yet have ocsp stapling support # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 # # for phone, k9mail, fdroid, same thing but username alerts, pass in ivy-pass. # also, bk.b8.nz for secondary alerts, username is iank. same alerts pass. # fetching mail settings: folder poll frequency 10 minutes. # account settings, fetching mail, push folders: All. Then disable the persistent notification. ####### # * perstent password instructions # Note: for cert cron, we need to manually run first to accept known_hosts # # exim passwords: # # for hosts which have all private files I just use the same user # # for other hosts, each one get\'s their own password. # # for generating secure pass, and storing for server too: # f=$(mktemp) # host=tp # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f # s sed -i "/^$host:/d" /p/c/filesystem/etc/exim4/passwd # echo "$host:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd # #reference: exim4_passwd_client(5) # dir=/p/c/machine_specific/$host/filesystem/etc/exim4 # mkdir -p $dir # echo "mail.iankelling.org:$host:$(<$f)" > $dir/passwd.client # # then run this script # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot # echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users ####### end perstent password instructions ###### # * dkim dns # # Remove 1 level of comments in this section, set the domain var # # for the domain you are setting up, then run this and copy dns settings # # into dns. # domain=iankelling.org # c /p/c/filesystem/etc/exim4 # # this has several bugs addressed in comments, but it was helpful # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # openssl genrsa -out $domain-private.pem 2048 # # Then, to get the public key strings to put in bind: # # selector is needed for having multiple keys for one domain. # # I dun do that, so just use a static one: li # # Debadmin page does not have v=, fastmail does, and this # # says it\'s recommended in 3.6.1, default is DKIM1 anyways. # # https://www.ietf.org/rfc/rfc6376.txt # # Join and print all but first and last line. # # last line: swap hold & pattern, remove newlines, print. # # lines 2+: append to hold space # echo "bind txt record: remember to truncate $domain so its relative to the bind zone" # cat <&2; exit 1; } reload=false # This file is so if we fail in the middle and rerun, we dont lose state if [[ -e /var/local/mail-setup-reload ]]; then reload=true fi i() { # install file local tmp tmpdir dest="$1" local base="${dest##*/}" local dir="${dest%/*}" if [[ $dir != "$base" ]]; then # dest has a directory component mkdir -p "$dir" fi ir=false # i result tmpdir=$(mktemp -d) cat >$tmpdir/"$base" tmp=$(rsync -ic $tmpdir/"$base" "$dest") if [[ $tmp ]]; then printf "%s\n" "$tmp" ir=true if [[ $dest == /etc/systemd/system/* ]]; then touch /var/local/mail-setup-reload reload=true fi fi rm -rf $tmpdir } setini() { key="$1" value="$2" section="$3" file="/etc/radicale/config" sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file" } soff () { for service; do # ignore services that dont exist if systemctl cat $service &>/dev/null; then m systemctl disable --now $service fi done } sre() { for service; do m systemctl restart $service m systemctl enable $service; done } mailhost() { [[ $HOSTNAME == "$MAIL_HOST" ]] } e() { printf "%s\n" "$*"; } reifactive() { for service; do if systemctl is-active $service >/dev/null; then m systemctl restart $service fi done } stopifactive() { for service; do if systemctl is-active $service >/dev/null; then m systemctl stop $service fi done } mxhost=mx.iankelling.org mxport=587 # old setup. left as comment for example # mxhost=mail.messagingengine.com # mxport=587 # forward=ian@iankelling.org smarthost="$mxhost::$mxport" uhome=$(eval echo ~$u) # Somehow on one machine, a file got written with 664 perms. # just being defensive here. umask 0022 source /a/bin/bash_unpublished/source-state if [[ ! $MAIL_HOST ]]; then err "\$MAIL_HOST not set" fi bhost_t=false case $HOSTNAME in $MAIL_HOST) : ;; kd|frodo|x2|x3|kw|sy|bo) bhost_t=true ;; esac # * Install universal packages # installs epanicclean iptables-exim ip6tables-exim /a/bin/ds/install-my-scripts if [[ $(debian-codename-compat) == bionic ]]; then cat >/etc/apt/preferences.d/spamassassin <<'EOF' Package: spamassassin sa-compile spamc Pin: release n=focal,o=Ubuntu Pin-Priority: 500 EOF fi # light version of exim does not have sasl auth support. # note: for bitfolk hosts, unbound has important config with conflink. pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard # note: pyzor debian readme says you need to run some initialization command # but its outdated. pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban case $HOSTNAME in je) : ;; # not included due to using wireguard: openvpn *) pi wget git unzip iptables ;; esac # bad packages that sometimes get automatically installed pu openresolv resolvconf soff openvpn if [[ $(debian-codename) == etiona ]]; then # ip6tables stopped loading on boot. openvpn has reduced capability set, # so running iptables as part of openvpn startup wont work. This should do it. pi iptables-persistent cat >/etc/iptables/rules.v6 <<'EOF' *mangle COMMIT *nat COMMIT EOF # load it now. m ip6tables -S >/dev/null fi # our nostart pi fails to avoid enabling # * Mail clean cronjob i /etc/systemd/system/mailclean.timer <<'EOF' [Unit] Description=Run mailclean daily [Timer] OnCalendar=monthly [Install] WantedBy=timers.target EOF i /etc/systemd/system/mailclean.service </dev/null; then m systemctl reload apparmor fi fi # note: anything added to nn_progs needs corresponding rm # down below in the host switch nn_progs=(exim4) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. # Its in the nn so remote clients can connect to it. nn_progs+=(spamassassin dovecot) fi case $HOSTNAME in $MAIL_HOST) # todo, should this be after vpn service i /etc/systemd/system/unbound.service.d/nn.conf < /sys/kernel/debug/dynamic_debug/control # dmesg -w ;;& $MAIL_HOST|bk) for unit in ${nn_progs[@]}; do i /etc/systemd/system/$unit.service.d/nn.conf <&2 # exit 1 # fi # ;; # esac m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin i /etc/systemd/system/mailcert.service <<'EOF' [Unit] Description=Mail cert rsync After=multi-user.target [Service] Type=oneshot ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron EOF i /etc/systemd/system/mailcert.timer <<'EOF' [Unit] Description=Run mail-cert once a day [Timer] OnCalendar=daily [Install] WantedBy=timers.target EOF wghost=${HOSTNAME}wg.b8.nz if $bhost_t && [[ ! -e /etc/exim4/certs/$wghost/privkey.pem ]]; then certbot -n --manual-public-ip-logging-ok --eff-email --agree-tos -m letsencrypt@iankelling.org \ certonly --manual --preferred-challenges=dns \ --manual-auth-hook /a/bin/ds/le-dns-challenge \ --manual-cleanup-hook /a/bin/ds/le-dns-challenge-cleanup \ --deploy-hook /a/bin/ds/le-exim-deploy -d $wghost fi # * fail2ban # todo: test that these configs actually work, eg run # s iptables-exim -S # and see someone is banned. sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \ /etc/fail2ban/action.d/iptables-multiport.conf| i /etc/fail2ban/action.d/iptables-exim.conf i /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF' # iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim # Fail2Ban configuration file # # Author: Daniel Black # # This is a included configuration file and includes the definitions for the iptables # used in all iptables based actions by default. # # The user can override the defaults in iptables-common.local # # Modified: Alexander Koeppe , Serg G. Brester # made config file IPv6 capable (see new section Init?family=inet6) [INCLUDES] after = iptables-blocktype.local iptables-common.local # iptables-blocktype.local is obsolete [Definition] # Option: actionflush # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Values: CMD # actionflush = -F f2b- [Init] # Option: chain # Notes specifies the iptables chain to which the Fail2Ban rules should be # added # Values: STRING Default: INPUT chain = INPUT # Default name of the chain # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp # Option: blocktype # Note: This is what the action does with rules. This can be any jump target # as per the iptables man page (section 8). Common values are DROP # REJECT, REJECT --reject-with icmp-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp-port-unreachable # Option: returntype # Note: This is the default rule on "actionstart". This should be RETURN # in all (blocking) actions, except REJECT in allowing actions. # Values: STRING returntype = RETURN # Option: lockingopt # Notes.: Option was introduced to iptables to prevent multiple instances from # running concurrently and causing irratic behavior. -w was introduced # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 # Values: STRING lockingopt = -w # Option: iptables # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = /usr/local/bin/iptables-exim [Init?family=inet6] # Option: blocktype (ipv6) # Note: This is what the action does with rules. This can be any jump target # as per the iptables man page (section 8). Common values are DROP # REJECT, REJECT --reject-with icmp6-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp6-port-unreachable # Option: iptables (ipv6) # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = /usr/local/bin/ip6tables-exim EOF i /etc/fail2ban/jail.d/exim.local <<'EOF' [exim] enabled = true port = 25,587 filter = exim banaction = iptables-exim # 209.51.188.13 = mail.fsf.org # 2001:470:142::13 = mail.fsf.org # 209.51.188.92 = eggs.gnu.org # 2001:470:142:3::10 = eggs.gnu.org # 72.14.176.105 2600:3c00:e000:280::2 = mail.iankelling.org # 10.173.8.1 = non-nn net ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1 EOF if $ir; then m systemctl restart fail2ban fi # * common exim4 config ## old, not using forward files anymore rm -fv $uhome/.forward /root/.forward # Make all system users be aliases. preventative # prevents things like cron mail for user without alias awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ || $7 ~ /\/nologin$/ { print $1 }' /etc/passwd| while read -r user; do if [[ ! $user ]]; then continue fi if ! grep -q "^$user:" /etc/aliases; then echo "$user: root" |m tee -a /etc/aliases fi done awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /etc/passwd| while read -r user; do case $HOSTNAME in $MAIL_HOST) sed -i "/^user:/d" /etc/aliases ;; *) if ! grep -q "^$user:" /etc/aliases; then echo "$user: root" |m tee -a /etc/aliases fi ;; esac done . /a/bin/bash_unpublished/priv-mail-setup m gpasswd -a iank adm #needed for reading logs ### make local bounces go to normal maildir # local mail that bounces goes to /Maildir or /root/Maildir dirs=(/m/md/bounces/{cur,tmp,new}) m mkdir -p ${dirs[@]} m chown iank:iank /m /m/md m ln -sfT /m/md /m/iank m chmod 771 /m /m/md m chown -R $u:Debian-exim /m/md/bounces m chmod 775 ${dirs[@]} m usermod -a -G Debian-exim $u for d in /Maildir /root/Maildir; do if [[ ! -L $d ]]; then m rm -rf $d fi m ln -sf -T /m/md/bounces $d done # dkim, client passwd file files=(/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/*) f=/p/c/filesystem/etc/exim4/passwd.client if [[ -e $f ]]; then files+=($f) fi if (( ${#files[@]} )); then m rsync -ahhi --chown=root:Debian-exim --chmod=0640 \ ${files[@]} /etc/exim4 fi # By default, only 10 days of logs are kept. increase that. # And dont compress, I look back at logs too often and # dont need the annoyance of decompressing them all the time. m sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base files=(/var/log/exim4/*.gz) if (( ${#files[@]} )); then gunzip ${files[@]} fi ## disabled. not using .forward files, but this is still interesting ## for reference. # ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost # # i only need .forwards, so just doing that one. # cd /etc/exim4/conf.d/router # b=userforward_higher_priority # # replace the router name so it is unique # sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b rm -fv /etc/exim4/conf.d/router/175_userforward_higher_priority # todo, consider 'separate' in etc/exim4.conf, could it help on busy systems? # alerts is basically the postmaster address m sed -i --follow-symlinks -f - /etc/aliases </etc/exim4/conf.d/rewrite/34_iank_rewriting <<'EOF' ncsoft@zroe.org graceq2323@gmail.com hE EOF # old name rm -fv /etc/exim4/conf.d/retry/37_retry cat >/etc/exim4/conf.d/retry/17_retry <<'EOF' # Retry fast for my own domains iankelling.org * F,1d,4m;F,14d,1h amnimal.ninja * F,1d,4m;F,14d,1h expertpathologyreview.com * F,1d,4m;F,14d,1h je.b8.nz * F,1d,4m;F,14d,1h zroe.org * F,1d,4m;F,14d,1h eximbackup.b8.nz * F,1d,4m;F,14d,1h # The spec says the target domain will be used for temporary host errors, # but i've found that isn't correct, the hostname is required # at least sometimes. nn.b8.nz * F,1d,4m;F,14d,1h defaultnn.b8.nz * F,1d,4m;F,14d,1h mx.iankelling.org * F,1d,4m;F,14d,1h bk.b8.nz * F,1d,4m;F,14d,1h eggs.gnu.org * F,1d,4m;F,14d,1h fencepost.gnu.org * F,1d,4m;F,14d,1h # afaik our retry doesnt need this, but just using everything mx.amnimal.ninja * F,1d,4m;F,14d,1h mx.expertpathologyreview.com * F,1d,4m;F,14d,1h mail.fsf.org * F,1d,15m;F,14d,1h EOF rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename # separate file so without quoted EOF for convenience cat >/etc/exim4/conf.d/main/000_local2 </etc/exim4/conf.d/main/000_local <<'EOF' MAIN_TLS_ENABLE = true # require tls connections for all smarthosts REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = * # debian exim config added this in 2016 or so? # it's part of the smtp spec, to limit lines to 998 chars # but a fair amount of legit mail does not adhere to it. I don't think # this should be default, like it says in # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801 # todo: the bug for introducing this was about headers, but # the fix maybe is for all lines? one says gmail rejects, the # other says gmail does not reject. figure out and open a new bug. IGNORE_SMTP_LINE_LENGTH_LIMIT = true # more verbose logs MAIN_LOG_SELECTOR = +all # Based on spec, seems like a good idea to be nice. smtp_return_error_details = true # default is 10. when exim has been down for a bit, fsf mailserver # will do a big send in one connection, then exim decides to put # the messages in the queue instead of delivering them, to avoid # spawning too many delivery processes. This is the same as the # fsfs value. And the corresponding one for how many messages # to send out in 1 connection remote_max_parallel = 256 smtp_accept_queue_per_connection = 500 DKIM_CANON = relaxed DKIM_SELECTOR = li # from comments in # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 # There could be some circumstance when the # from: isnt our domain, but the envelope sender is # and so still want to sign, but I cant think of any case. DKIM_DOMAIN = ${lc:${domain:$rh_from:}} # The file is based on the outgoing domain-name in the from-header. # sign if key exists DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}} # most of the ones that gmail seems to use. # Exim has horrible default of signing unincluded # list- headers since they got mentioned in an # rfc, but this messes up mailing lists, like gnu/debian which want to # keep your dkim signature intact but add list- headers. DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz hostlist iank_trusted = <; \ # veth0 10.173.8.1 ; \ # li li_ip6 72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \ # li_vpn_net li_vpn_net_ip6s 10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \ # bk bk_ip6 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \ # je je_ipv6 85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \ # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28 # this is the default delay_warning_condition, plus matching on local_domains. # If I have some problem with my local system that causes delayed delivery, # I dont want to send warnings out to non-local domains. delay_warning_condition = ${if or {\ { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\ { match{$h_precedence:}{(?i)bulk|list|junk} }\ { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\ { match_domain{$domain}{+local_domains} }\ } {no}{yes}} # enable 587 in addition to the default 25, so that # i can send mail where port 25 is firewalled by isp daemon_smtp_ports = 25 : 587 # default of 25, can get stuck when catching up on mail smtp_accept_max = 400 smtp_accept_reserve = 100 smtp_reserve_hosts = +iank_trusted # Rules that make receiving more liberal should be on backup hosts # so that we dont reject mail accepted by MAIL_HOST LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl EOF rm -fv /etc/exim4/rcpt_local_acl # old path i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF' # This acl already exists in rcpt, this just makes it more widespread. # See the comment there for its rationale. The reason it needs to be # more widespread is that I've turned on sender verification, but cron # emails can fail sender verification since I may be in a network that # doesn't have my local dns. accept authenticated = * # i setup a local programs smtp to mail.iankelling.org, this # skips sender verification for it. accept hosts = 10.173.8.1 EOF rm -fv /etc/exim4/data_local_acl # old path i /etc/exim4/conf.d/data_local_acl <<'EOF' # Except for the "condition =", this was # a comment in the check_data acl. The comment about this not # being suitable has been changed in newer exim versions. The only thing # related I found was to # add the condition =, cuz spamassassin has problems with big # messages and spammers don't bother with big messages, # but I've increased the size from 10k # suggested in official docs, and 100k in the wiki example because # those docs are rather old and I see a 110k spam message # pretty quickly looking through my spam folder. warn !hosts = +iank_trusted remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report warn !hosts = +iank_trusted # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check. !authenticated = plain_server:login_server condition = ${if < {$message_size}{5000K}} spam = Debian-exim:true add_header = X-Spam_score_int: $spam_score_int add_header = X-Spam_score: $spam_score add_header = X-Spam_bar: $spam_bar add_header = X-Spam_report: $spam_report add_header = X-Spam_action: $spam_action #accept # spf = pass:fail:softfail:none:neutral:permerror:temperror # dmarc_status = reject:quarantine # add_header = Reply-to: dmarctest@iankelling.org EOF i /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' ### router/900_exim4-config_local_user ################################# # This router matches local user mailboxes. If the router fails, the error # message is "Unknown user". local_user: debug_print = "R: local_user for $local_part@$domain" driver = accept domains = +local_domains # ian: default file except where mentioned. # ian: commented this. I get all local parts. for bk, an rcpt # check handles checking with dovecot, and the only router # after this is root. # local_parts = ! root transport = LOCAL_DELIVERY cannot_route_message = Unknown user # ian: added for + addressing. local_part_suffix = +* local_part_suffix_optional EOF i /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' dovecot_lmtp: driver = lmtp socket = /var/run/dovecot/lmtp #maximum number of deliveries per batch, default 1 batch_max = 200 envelope_to_add EOF i /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF' # same as debians 30_exim4-config_remote_smtp, but # with interface added at the end. remote_smtp_vpn: debug_print = "T: remote_smtp_vpn for $local_part@$domain" driver = smtp .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} .endif .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_RETURN_PATH return_path = REMOTE_SMTP_RETURN_PATH .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef DKIM_DOMAIN dkim_domain = DKIM_DOMAIN .endif .ifdef DKIM_SELECTOR dkim_selector = DKIM_SELECTOR .endif .ifdef DKIM_PRIVATE_KEY dkim_private_key = DKIM_PRIVATE_KEY .endif .ifdef DKIM_CANON dkim_canon = DKIM_CANON .endif .ifdef DKIM_STRICT dkim_strict = DKIM_STRICT .endif .ifdef DKIM_SIGN_HEADERS dkim_sign_headers = DKIM_SIGN_HEADERS .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_PRIVATEKEY tls_privatekey = REMOTE_SMTP_PRIVATEKEY .endif .ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4 EOF i /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF' # ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp smarthost_dkim: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp multi_domain .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} .endif hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ {\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ }\ {} \ } .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_RETURN_PATH return_path = REMOTE_SMTP_RETURN_PATH .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif .ifdef DKIM_DOMAIN dkim_domain = DKIM_DOMAIN .endif .ifdef DKIM_SELECTOR dkim_selector = DKIM_SELECTOR .endif .ifdef DKIM_PRIVATE_KEY dkim_private_key = DKIM_PRIVATE_KEY .endif .ifdef DKIM_CANON dkim_canon = DKIM_CANON .endif .ifdef DKIM_STRICT dkim_strict = DKIM_STRICT .endif .ifdef DKIM_SIGN_HEADERS dkim_sign_headers = DKIM_SIGN_HEADERS .endif EOF cat >/etc/exim4/update-exim4.conf.conf <<'EOF' # default stuff, i havent checked if its needed dc_minimaldns='false' dc_relay_nets='' CFILEMODE='644' dc_use_split_config='true' dc_mailname_in_oh='true' EOF # * radicale if mailhost; then if ! mountpoint /o; then echo "error /o is not a mountpoint" >&2 exit 1 fi # davx/davdroid setup instructions at the bottom # main docs: # http://radicale.org/user_documentation/ # https://davdroid.bitfire.at/configuration/ # note on debugging: if radicale can't bind to the address, # in the log it just says "Starting Radicale". If you run # it in the foreground, it will give more info. Background # plus debug does not help. # sudo -u radicale radicale -D -f # created password file with: # htpasswd -c /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd # chmod 640 /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd # # setup chgrp www-data in ./conflink pi-nostart radicale i /etc/systemd/system/radicale.service.d/override.conf </etc/dovecot/local.conf ;;& # ** $MAIL_HOST) $MAIL_HOST) # If we changed 90-sieve.conf and removed the active part of the # sieve option, we wouldn\'t need this, but I\'d rather not modify a # default config if not needed. This won\'t work as a symlink in /a/c # unfortunately. m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve if [[ ! -e $uhome/sieve/personal.sieve ]]; then m touch $uhome/sieve/personal{,end}{,test}.sieve fi rm -fv /etc/dovecot/conf.d/20-lmtp.conf # file from prev version cat >>/etc/dovecot/local.conf <>/etc/dovecot/local.conf < $domain $domain Mail $domain mail2.iankelling.org 993 SSL %EMAILADDRESS% password-cleartext mail2.iankelling.org 587 STARTTLS %EMAILADDRESS% password-cleartext true false $domain website. %EMAILADDRESS% EOF done fi # * roundcube setup if [[ $HOSTNAME == bk ]]; then # zip according to /installer # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php # $config['enable_installer'] = true; pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm ### begin composer install # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md # cd $(mktemp -d) # sum="$(wget -q -O - https://composer.github.io/installer.sig)" # m php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" # if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then # echo 'ERROR: Invalid composer installer checksum' >&2 # rm -fv composer-setup.php # exit 1 # fi # m php composer-setup.php --quiet # rm -fv composer-setup.php # m mv composer.phar /usr/local/bin # the above method gets composer2, carddav plugin at least doesnt work with that # yet, it was just released 10-24-2020. m cd /usr/local/bin m wget -nv -N https://getcomposer.org/composer-1.phar chmod +x composer-1.phar ### end composer install rcdirs=(/usr/local/lib/rcexpertpath /usr/local/lib/rcninja) ncdirs=(/var/www/ncninja) ncdirs=(/var/www/ncexpertpath /var/www/ncninja) # point debian cronjob to our local install, preventing daily cron error # debian's cronjob will fail, remove both paths it uses just to be sure rm -fv /usr/share/roundcube/bin/cleandb.sh /etc/cron.d/roundcube-core #### begin dl roundcube # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom v=1.4.13; f=roundcubemail-$v-complete.tar.gz cd /root if [[ -e $f ]]; then timestamp=$(stat -c %Y $f) else timestamp=0 fi m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f new_timestamp=$(stat -c %Y $f) for rcdir in ${rcdirs[@]}; do if [[ $timestamp != "$new_timestamp" || ! -e "$rcdir/config/secret" ]]; then m tar -C /usr/local/lib --no-same-owner -zxf $f m rm -rf $rcdir m mv /usr/local/lib/roundcubemail-$v $rcdir fi done #### end dl roundcube for ((i=0; i < ${#bkdomains[@]}; i++)); do domain=${bkdomains[i]} rcdir=${rcdirs[i]} rcbase=${rcdir##*/} ncdir=${ncdirs[i]} # copied from debians cronjob i /etc/cron.d/$rcbase </dev/null EOF m /a/exe/web-conf - apache2 $domain < Options +FollowSymLinks # This is needed to parse $rcdir/.htaccess. AllowOverride All Require all granted # Protecting basic directories: Options -FollowSymLinks AllowOverride None ### end roundcube settings ### begin nextcloud settings Alias /nextcloud "$ncdir/" Require all granted AllowOverride All Options FollowSymLinks MultiViews Dav off # based on install checker, links to # https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery # their example was a bit wrong, I figured it out by adding # LogLevel warn rewrite:trace5 # then watching the apache logs RewriteEngine on RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L] RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L] RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L] RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L] RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L] ### end nextcloud settings EOF if [[ ! -e $rcdir/config/secret ]]; then base64 $rcdir/config/secret || [[ $? == 141 || ${PIPESTATUS[0]} == 32 ]] fi secret=$(cat $rcdir/config/secret) rclogdir=/var/log/$rcbase rctmpdir=/var/tmp/$rcbase rcdb=/m/rc/$rcbase.sqlite # config from mailinabox i $rcdir/config/config.inc.php < array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['imap_timeout'] = 15; \$config['smtp_server'] = 'tls://127.0.0.1'; \$config['smtp_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['product_name'] = 'webmail'; \$config['des_key'] = '$secret'; \$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav', 'html5_notifier'); \$config['skin'] = 'elastic'; \$config['login_autocomplete'] = 2; \$config['password_charset'] = 'UTF-8'; \$config['junk_mbox'] = 'Spam'; # disable builtin addressbook \$config['address_book_type'] = ''; ?> EOF m mkdir -p $rclogdir m chmod 750 $rclogdir m chown www-data:adm $rclogdir # note: subscribed to updates: # r2e add rcmcarddav https://github.com/blind-coder/rcmcarddav/commits/master.atom ian@iankelling.org # r2e add roundcube https://github.com/roundcube/roundcubemail/releases.atom ian@iankelling.org m mkdir -p $rctmpdir /m/rc m chown -R www-data.www-data $rctmpdir /m/rc m chmod 750 $rctmpdir # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. # todo: check for other mailinabox things m sudo -u www-data touch $rclogdir/errors.log #### begin carddav install # This is the official roundcube carddav repo. # Install doc suggests downloading with composer, but that # didnt work, it said some ldap package for roundcube was missing, # but I dont want to download some extra ldap thing. # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md verf=$rcdir/plugins/carddav/myversion upgrade=false install=false v=4.0.0 if [[ -e $verf ]]; then if [[ $(cat $verf) != "$v" ]]; then install=true upgrade=true fi else install=true fi if $install; then m rm -rf $rcdir/plugins/carddav tmpd=$(mktemp -d) m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz cd $rcdir/plugins tar xzf $tmpd/t.tgz rm -rf $tmpd m chown -R www-data:www-data $rcdir/plugins/carddav m cd $rcdir/plugins/carddav if $upgrade; then m sudo -u www-data composer-1.phar update --no-dev else m sudo -u www-data composer-1.phar install --no-dev fi m chown -R root:root $rcdir/plugins/carddav echo $v >$verf fi # So, strangely, this worked in initial testing, but then # on first run it wouldn't show the existing contacts until # I went into the carddav settings and did "force immediate sync", # which seemed to fix things. Note, some of these settings # get initalized per/addressbook in the db, then need changing # there or through the settings menu. # About categories, see https://www.davx5.com/tested-with/nextcloud # https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md i $rcdir/plugins/carddav/config.inc.php < 'Main', 'username' => '%u', // login username 'password' => '%p', // login password 'url' => 'https://$domain/nextcloud/remote.php/dav/addressbooks/users/%u/contacts', 'active' => true, 'readonly' => false, 'refresh_time' => '00:10:00', 'fixed' => array('username','password'), 'use_categories' => false, 'hide' => false, ); ?> EOF #### end carddav install cd $rcdir/plugins if [[ ! -d html5_notifier ]]; then m git clone https://github.com/stremlau/html5_notifier fi cd $rcdir/plugins/html5_notifier m git pull --rebase # todo: try out roundcube plugins: thunderbird labels # Password changing plugin settings cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF' # following are from mailinabox $config['password_minimum_length'] = 8; $config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite'; $config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u'; $config['password_dovecotpw'] = '/usr/bin/doveadm pw'; $config['password_dovecotpw_method'] = 'SHA512-CRYPT'; $config['password_dovecotpw_with_method'] = true; EOF # so PHP can use doveadm, for the password changing plugin m usermod -a -G dovecot www-data m usermod -a -G mail $u # so php can update passwords m chown www-data:dovecot /m/rc/users.sqlite m chmod 664 /m/rc/users.sqlite # Run Roundcube database migration script (database is created if it does not exist) m $rcdir/bin/updatedb.sh --dir $rcdir/SQL --package roundcube m chown www-data:www-data $rcdb m chmod 664 $rcdb done # end loop over domains and rcdirs ### begin php setup for rc ### # Enable PHP modules. m phpenmod -v php mcrypt imap # dpkg says this is required m a2enmod proxy_fcgi setenvif fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p') m a2enconf $fpm # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading # /etc/apache2/conf-enabled/php7.3-fpm.conf m a2dismod php$phpver # according to /install, we should set date.timezone, # but that is dumb, the system already has the right zone in # $rclogdir/errors.log # todo: consider other settings in # /a/opt/mailinabox/setup/nextcloud.sh i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF' apc.enable_cli = 1 EOF i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF' date.timezone = "America/New_York" # for nextcloud upload_max_filesize = 2000M post_max_size = 2000M # install checker, nextcloud/settings/admin/overview memory_limit = 512M EOF m systemctl restart $fpm # dunno if reload/restart is needed m systemctl reload apache2 # note bk backups are defined in crontab outside this file ### end php setup for rc ### fi # end roundcube setup # * nextcloud setup if [[ $HOSTNAME == bk ]]; then # from install checker, nextcloud/settings/admin/overview and # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html # curl from the web installer requirement, but i switched to cli # it recommends php-file info, but that is part of php7.3-common, already got installed # with roundcube. m pi php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' [www] clear_env = no EOF for ((i=0; i < ${#bkdomains[@]}; i++)); do domain=${bkdomains[i]} ncdir=${ncdirs[i]} ncbase=${ncdir##*/} m cd /var/www if [[ ! -e $ncdir/index.php ]]; then # if we wanted to only install a specific version, use something like # file=latest-22.zip file=latest.zip m wget -nv -N https://download.nextcloud.com/server/releases/$file m rm -rf nextcloud m unzip -q $file m rm -f $file m chown -R www-data.www-data nextcloud m mv nextcloud $ncdir m cd $ncdir m sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass fi # note, strange this happend where updater did not increment the version var, # mine was stuck on 20. I manually updated it. m cd $ncdir/config if [[ ! -e config.php-orig ]]; then m cp -a config.php config.php-orig fi cat config.php-orig - >tmp.php < 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),); # based on installer check # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html \$CONFIG['memcache.local'] = '\OC\Memcache\APCu'; \$CONFIG['overwrite.cli.url'] = 'https://$domain/nextcloud'; \$CONFIG['htaccess.RewriteBase'] = '/nextcloud'; \$CONFIG['trusted_domains'] = array ( 0 => '$domain', ); #\$CONFIG[''] = ''; fwrite(STDOUT, "config.php # leave in place for debugging #m rm -f tmp.php m sudo -u www-data php $ncdir/occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) # user_external not compaible with nc 23 for app in contacts calendar; do if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then m sudo -u www-data php $ncdir/occ app:install $app fi done i /etc/systemd/system/$ncbase.service <&2 /sbin/exim -t <>/etc/exim4/conf.d/rcpt_local_acl <<'EOF' deny message = invalid recipient domains = +local_domains !verify = recipient/callout=no_cache EOF i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' dovecot_plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 EOF ;; esac if $bhost_t; then i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' # from 30_exim4-config_examples plain_server: driver = plaintext public_name = PLAIN server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" server_set_id = $auth2 server_prompts = : .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} .endif EOF fi # ** exim: main daemon use non-default config file case $HOSTNAME in bk|$MAIL_HOST) # to see the default comments in /etc/default/exim4: # s update-exim4defaults --force --init # which will overwrite any existing file i /etc/default/exim4 <<'EOF' QUEUERUNNER='combined' QUEUEINTERVAL='30m' COMMONOPTIONS='-C /etc/exim4/my.conf' UPEX4OPTS='-o /etc/exim4/my.conf' # i use epanic-clean for alerting if there are bad paniclog entries E4BCD_WATCH_PANICLOG='no' EOF chown Debian-exim:Debian-exim /usr/sbin/exim4 # needs guid set in order to become Debian-exim chmod g+s,u+s /usr/sbin/exim4 i /etc/exim4/trusted_configs <<'EOF' /etc/exim4/my.conf EOF ;; *) # default file i /etc/default/exim4 <<'EOF' QUEUERUNNER='combined' QUEUEINTERVAL='30m' EOF ;; esac # ** exim non-root case $HOSTNAME in bk|je|li) # no reason to expect it to ever be there. rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf ;; *) dirs=() for d in /a /d /m /media /mnt /nocow /o /p /q; do if [[ -d $d ]]; then dirs+=($d) fi done i /etc/systemd/system/exim4.service.d/nonroot.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/conf.d/main/000_local <>/etc/exim4/conf.d/main/000_local <> /etc/exim4/conf.d/data_local_acl <<'EOF' deny malware = */defer_ok !condition = ${if match {$malware_name}{\N^Heuristic\N}} message = This message was detected as possible malware ($malware_name). EOF cat >/etc/exim4/conf.d/main/000_local-nn < {$max_received_linelength}{998} {1}{0}} .endif hosts_require_auth = * hosts_try_auth = * envelope_to_add # manual return path because we want it to be the envelope sender # we got not the one we are using in this smtp transport headers_add = "Return-path: $sender_address" .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif EOF # this avoids some error. i cant remember what. todo: # test it out and document why/if its needed. # i /etc/exim4/host_local_deny_exceptions <<'EOF' # mail.fsf.org # *.posteo.de # EOF # cron email from smarthost hosts will automatically be to # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in # case that doesn't work, we still want to accept that mail, but not # from any host except the smarthosts. local_hostnames and this rule # is for that purpose. i /etc/exim4/conf.d/rcpt_local_acl <<'EOF' deny !authenticated = * domains = +local_hostnames message = no relay EOF echo|i /etc/exim4/conf.d/router/880_universal_forward cat >>/etc/exim4/conf.d/main/000_local < /etc/mailname # mail.iankelling.org so local imap clients can connect with tls and # when they happen to not be local. # todo: this should be 10.8.0.4 /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] # note: i put nn.b8.nz into bind for good measure 10.173.8.2 nn.b8.nz mx.iankelling.org EOF # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes # weve configured this file in dnsmasq if we are using it. /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] server=/mx.iankelling.org/127.0.1.1 EOF # I used to use debconf-set-selections + dpkg-reconfigure, # which then updates this file # but the process is slower than updating it directly and then I want to set other things in # update-exim4.conf.conf, so there's no point. # The file is documented in man update-exim4.conf, # except the man page is not perfect, read the bash script to be sure about things. # The debconf questions output is additional documentation that is not # easily accessible, but super long, along with the initial default comment in this # file, so I've saved that into ./mail-notes.conf. # # # TODO: remove mx.iankelling.org once systems get updated mail-setup from jan 2022 cat >>/etc/exim4/update-exim4.conf.conf <$f <<'EOF' #!/bin/bash cd /etc wget -q -N https://publicsuffix.org/list/public_suffix_list.dat EOF m chmod 755 $f ;; # ** bk ## we use this host to monitor MAIL_HOST and host a mail server for someone bk) echo|i /etc/exim4/conf.d/rcpt_local_acl echo|i /etc/exim4/conf.d/router/880_universal_forward /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] 10.173.8.2 nn.b8.nz EOF sed -r -f - /etc/init.d/exim4 <<'EOF' | i /etc/init.d/exim4in s,/etc/default/exim4,/etc/default/exim4in,g s,/run/exim4/exim.pid,/run/exim4/eximin.pid,g s,(^[ #]*Provides:).*,\1 exim4in, s,(^[ #]*NAME=).*,\1"exim4in", EOF chmod +x /etc/init.d/exim4in i /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF' [Unit] # needed to continually restart StartLimitIntervalSec=0 [Service] Restart=always # time to sleep before restarting a service RestartSec=20 EOF i /etc/default/exim4in <<'EOF' # defaults but no queue runner and alternate config dir QUEUERUNNER='no' COMMONOPTIONS='-oP /run/exim4/eximin.pid' UPEX4OPTS='-d /etc/myexim4' EOF echo bk.b8.nz > /etc/mailname cat >>/etc/exim4/update-exim4.conf.conf < /etc/mailname cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/conf.d/main/000_local <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/myexim4/conf.d/main/000_local-nn <<'EOF' # this makes it easier to see which exim is doing what log_file_path = /var/log/exim4/my%s EOF cat >/etc/logrotate.d/myexim <<'EOF' /var/log/exim4/mymain /var/log/exim4/myreject { daily missingok rotate 1000 delaycompress notifempty nocreate } /var/log/exim4/mypanic { size 10M missingok rotate 10 compress delaycompress notifempty nocreate } EOF # If we ever wanted to have a separate spool, # we could do it like this. # cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF' # spool_directory = /var/spool/myexim4 # EOF cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF' dc_eximconfig_configtype='smarthost' dc_smarthost='nn.b8.nz' EOF ;;& bk) # config for the non-nn exim cat >/etc/myexim4/conf.d/main/000_local-nn <<'EOF' MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org EOF ;; $MAIL_HOST) # for bk, we have a exim4in.service that will do this for us. m update-exim4.conf -d /etc/myexim4 ;; esac # * spool dir setup # ** bind mount setup # put spool dir in directory that spans multiple distros. # based on http://www.postfix.org/qmgr.8.html and my notes in gnus # dir=/nocow/exim4 sdir=/var/spool/exim4 # we only do this if our system has $dir # this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully, # about 2 seconds later, exim starts, and immediately puts into paniclog: # honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory # so, im trying a bind mount to get rid of that. if [[ -e /nocow ]]; then if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc/fstab fi i /etc/systemd/system/exim4.service.d/override.conf <<'EOF' [Unit] # without local-fs on exim, we get these kind of errors in paniclog on shutdown: # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied After=local-fs.target [Service] ExecStartPre=/usr/local/bin/exim-nn-iptables EOF if ! mountpoint -q $sdir; then stopifactive exim4 exim4in if [[ -L $sdir ]]; then m rm $sdir fi if [[ ! -e $dir && -d $sdir ]]; then m mv $sdir $dir fi if [[ ! -d $sdir ]]; then m mkdir $sdir m chmod 000 $sdir # only want it to be used when its mounted fi m mount $sdir fi fi # ** exim/spool uid setup # i have the spool directory be common to distro multi-boot, so # we need the uid to be the same. 608 cuz it's kind of in the middle # of the free system uids. IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS if [[ ! $uid ]]; then # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \ --no-create-home --disabled-login --force-badname Debian-exim elif [[ $uid != 608 ]]; then stopifactive exim4 exim4in m usermod -u 608 Debian-exim m groupmod -g 608 Debian-exim m usermod -g 608 Debian-exim m find / /nocow -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 608 {} + m find / /nocow -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 608 {} + fi # * start / stop services reifactive dnsmasq nscd if $reload; then m systemctl daemon-reload fi sysd-prom-fail-install epanicclean m systemctl --now enable epanicclean case $HOSTNAME in je) /a/exe/web-conf apache2 je.b8.nz ;; bk) /a/exe/web-conf apache2 mail2.iankelling.org ;; esac m /a/bin/ds/mail-cert-cron -1 sre mailcert.timer case $HOSTNAME in $MAIL_HOST|bk) m systemctl --now enable mailnn mailnnroute ;;& $MAIL_HOST) # we use dns to start wg if $reload; then sre unbound else m systemctl --now enable unbound fi ;;& $MAIL_HOST|bk) # If these have changes, id rather manually restart it, id rather # not restart and cause temporary errors if $reload; then sre $vpnser else m systemctl --now enable $vpnser fi if ! systemctl is-active clamav-daemon >/dev/null; then m systemctl --now enable clamav-daemon out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.service /etc/systemd/system) if [[ $out ]]; then reload=true fi # note, this will cause paniclog entries because it takes like 45 # seconds for clamav to start, i use ./epanic-clean to remove # them. fi ;;& $MAIL_HOST|bk|je) # start spamassassin/dovecot before exim. sre dovecot spamassassin # need to wait a bit before restarting exim, else I # get a paniclog entry like: spam acl condition: all spamd servers failed sleep 3 m systemctl --now enable mailclean.timer ;;& $MAIL_HOST) # < 2.1 (eg: in t9), uses a different data format which required manual # migration. dont start if we are running an old version. if dpkg --compare-versions "$(dpkg -s radicale | awk '$1 == "Version:" { print $2 }')" ge 2.1; then m systemctl --now enable radicale fi ;;& esac # for debugging dns issues case $HOSTNAME in je|bk) systemctl enable --now logrotate-fast.timer ;; esac # last use of $reload happens in previous block rm -f /var/local/mail-setup-reload case $HOSTNAME in $MAIL_HOST|bk|je|li) # on li, these are never started, except $vpnser : ;; *) soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon ;; esac sre exim4 case $HOSTNAME in $MAIL_HOST) m systemctl --now enable mailbindwatchdog ;; *) soff mailbindwatchdog ;; esac case $HOSTNAME in bk) sre exim4in ;; esac # * mail monitoring / testing # note, to test clamav, send an email with body that only contains # https://en.wikipedia.org/wiki/EICAR_test_file # which set malware_name to Eicar-Signature case $HOSTNAME in $MAIL_HOST|bk|je) # note: cronjob "ian" also does some important monitoring # todo: this will sometimes cause an alert because mailtest-check will run # before we have setup network namespace and spamassassin i /etc/cron.d/mailtest <>/etc/cron.d/mailtest <> /etc/exim4/ignore-sent done cat >/usr/local/bin/send-test-forward <<'EOF' #!/bin/bash # we remove from the queue older than 4.3 minutes since we send every 5 minutes. olds=( $(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$') ) if (( ${#olds[@]} )); then /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null fi EOF for test_from in ${test_froms[@]}; do test_to=${test_tos[0]} for t in ${test_tos[@]:1}; do test_to+=", $t" done case $test_from in testignore@expertpathologyreview.com) test_to=testignore@zroe.org ;; esac cat >>/usr/local/bin/send-test-forward <