# /usr/sbin/invoke-rc.d-diverted "$@"
# fi
-# Things I tend to forget. on MAIL_HOST, daemon runs with /etc/exim4/my.conf,
+# Things I tend to forget. on MAIL_HOST, daemon runs with /etc/exim4/nn-mainlog.conf,
# due to /etc/default/exim4 containing:
-# COMMONOPTIONS='-C /etc/exim4/my.conf'
-# UPEX4OPTS='-o /etc/exim4/my.conf'
+# COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
+# UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
#
# The non-daemon config
-# gets generated from this script calling update-exim4.conf -d /etc/myexim4
+# gets generated from this script calling update-exim4.conf -d /etc/nond-exim4
# which has log path
-# log_file_path = /var/log/exim4/my%s
+# log_file_path = /var/log/exim4/nond%s
#
# On non bk|MAIL_HOST, the config and log file are all standard.
#
# todo: run mailping test after running, or otherwise
# clear out terminal alert
-# todo: disable postgrey
+# todo: disable postgrey. (why did we have it?)
# todo: in testforward-check, we should also look
if [[ -e /var/local/mail-setup-reload ]]; then
reload=true
fi
-u() { # update file. note: duplicated in brc
- local tmp tmpdir dest="$1"
- local base="${dest##*/}"
- local dir="${dest%/*}"
- if [[ $dir != "$base" ]]; then
- # dest has a directory component
- mkdir -p "$dir"
- fi
- ur=false # u result
- tmpdir=$(mktemp -d)
- cat >$tmpdir/"$base"
- tmp=$(rsync -ic $tmpdir/"$base" "$dest")
- if [[ $tmp ]]; then
- printf "%s\n" "$tmp"
- ur=true
- if [[ $dest == /etc/systemd/system/* ]]; then
- touch /var/local/mail-setup-reload
- reload=true
- fi
- fi
- rm -rf $tmpdir
-}
+
+source /a/bin/fai/fai/config/distro-install-common/bash-misc-funcs
setini() {
key="$1" value="$2" section="$3"
file="/etc/radicale/config"
mailhost() {
[[ $HOSTNAME == "$MAIL_HOST" ]]
}
-e() { printf "%s\n" "$*"; }
reifactive() {
for service; do
if systemctl is-active $service >/dev/null; then
bhost_t=false
case $HOSTNAME in
$MAIL_HOST) : ;;
- kd|frodo|x2|x3|kw|sy|bo)
+ kd|x2|x3|kw|sy|bo|so)
bhost_t=true
;;
esac
EOF
fi
+
+unit-exists() {
+ systemctl cat $1 &>/dev/null
+}
+spamd-timer-exists() {
+ unit-exists spamassassin-maintenance.timer
+}
+
+# name change in t12, and now timer instead of cron option in /etc/default
+first_spamd_run=false
+if ! spamd-timer-exists; then
+ first_spamd_run=true
+fi
+
+
# light version of exim does not have sasl auth support.
# note: for bitfolk hosts, unbound has important config with conflink.
pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard
+spamd_ser=spamd
+if systemctl cat spamassassin &>/dev/null; then
+ spamd_ser=spamassassin
+elif $first_spamd_run; then
+ if spamd-timer-exists; then
+ systemctl start spamassassin-maintenance
+ fi
+fi
+
+if spamd-timer-exists; then
+ systemctl enable --now spamassassin-maintenance.timer
+fi
+
# note: pyzor debian readme says you need to run some initialization command
# but its outdated.
-pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban
+pi spf-tools-perl p0f pyzor razor jq moreutils certbot fail2ban
+pu postgrey
case $HOSTNAME in
je) : ;;
# not included due to using wireguard: openvpn
# our nostart pi fails to avoid enabling
+
+# * initial dns config & daemon setup
+#
+# use systemd-resolved for glibc resolutions, setup symlinks
+
+pi libnss-resolve
+
+# if this link gets replaced with a normal file we will get exim log
+# errors on MAIL_HOST like so:
+#
+# R=fsfsmarthost defer (-36) DT=0s: host lookup for mail.fsf.org did not complete (DNS timeout?)
+
+if [[ ! -L /etc/nsswitch.conf ]]; then
+ sudo mkdir -p /etc/resolved-nsswitch
+ sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch
+ sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc
+fi
+
+f=/etc/basic-nsswitch/nsswitch.conf
+if [[ ! -e $f ]]; then
+ sudo mkdir -p ${f%/*}
+ sudo cp /etc/nsswitch.conf $f
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
+fi
+case $HOSTNAME in
+ bk|je)
+ # je should be able to get along systemd-resolved, but ive had some odd
+ # very intermittent dns failures with spamassassin, it seems it might only
+ # be happening with systemd-resolved, so just use unbound
+ # to make it consistent with the other hosts.
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf
+ soff systemd-resolved
+ sudo ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
+ sgo unbound
+ # cautious measure to make sure resolution is working
+ sleep 1
+ ;;
+ *)
+ # default is
+ # files mdns4_minimal [NOTFOUND=return] dns myhostname
+ # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
+ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
+ # seems more important than some potential use case.
+ # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
+ # removing files makes hostname -f not actually give the fully qualified domain name.
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf
+ ;;
+esac
+
+case $HOSTNAME in
+ bk)
+ sgo named
+ ;;
+esac
+
+
+u /etc/apparmor.d/abstractions/nameservice.d/iank <<'EOF'
+/etc/resolved-nsswitch/nsswitch.conf r,
+/etc/basic-nsswitch/nsswitch.conf r,
+# Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
+# I dont know if this is quite the right fix, but I saw other sockets
+# in the nameservice files that were rw, so figured it was ok to add this and it worked.
+/run/systemd/resolve/io.systemd.Resolve rw,
+EOF
+
+if $ur && systemctl is-active apparmor; then
+ m systemctl reload apparmor
+fi
+
+
+
# * Mail clean cronjob
u /etc/systemd/system/mailclean.timer <<'EOF'
# this is just a bug fix for trisquel.
f=/etc/apparmor.d/usr.sbin.unbound
-line="/usr/sbin/unbound flags=(attach_disconnected) {"
-if ! grep -qFx "$line" $f; then
- badline="/usr/sbin/unbound {"
- if ! grep -qFx "$badline" $f; then
+good_string="/usr/sbin/unbound flags=(attach_disconnected) {"
+if ! grep -qF "$good_string" $f; then
+ bad_string="/usr/sbin/unbound {"
+ if ! grep -qF "$bad_string" $f; then
err expected line in $f not found
fi
- sed -i "s,^$badline$,$line," $f
+ sed -i "s,$bad_string$,$good_string," $f
if systemctl is-active apparmor &>/dev/null; then
m systemctl reload apparmor
fi
fi
+
# note: anything added to nn_progs needs corresponding rm
# down below in the host switch
nn_progs=(exim4)
if mailhost; then
# Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
# Its in the nn so remote clients can connect to it.
- nn_progs+=(spamassassin dovecot)
+ nn_progs+=($spamd_ser dovecot)
fi
case $HOSTNAME in
done
;;
*)
- for unit in exim4 spamassassin dovecot unbound; do
+ for unit in exim4 $spamd_ser dovecot unbound; do
f=/etc/systemd/system/$unit.service.d/nn.conf
if [[ -s $f ]]; then
rm -fv $f
# 2020-10-19 remove old file. remove this when all hosts updated
rm -fv /etc/systemd/system/spamddnsfix.{timer,service}
-u /etc/default/spamassassin <<'EOF'
+u /etc/default/$spamd_ser <<'EOF'
# defaults plus debugging flags for an issue im having
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
-PIDFILE="/var/run/spamd.pid"
+PIDFILE="/run/spamd.pid"
# my additions
NICE="--nicelevel 15"
+# not used in t12+, that uses
+# /usr/lib/systemd/system/spamassassin-maintenance.timer
CRON=1
EOF
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ur; then
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ if [[ ! -e /var/log/exim4/mainlog ]]; then
+ install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog
+ fi
m systemctl restart fail2ban
fi
m mkdir -p $rctmpdir /m/rc
m chown -R www-data.www-data $rctmpdir /m/rc
m chmod 750 $rctmpdir
- # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
# todo: check for other mailinabox things
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
m sudo -u www-data touch $rclogdir/errors.log
#### begin carddav install
# ld for local debbugs
-/a/exe/web-conf -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF'
+/a/exe/web-conf -l -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF'
# copied from debbugs upstream example
<Directory /var/lib/debbugs/www>
Options Indexes SymLinksIfOwnerMatch MultiViews
# which will overwrite any existing file
u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
-# note: this is duplicated in brc2, 10m here is -q10m there.
QUEUEINTERVAL='10m'
-COMMONOPTIONS='-C /etc/exim4/my.conf'
-UPEX4OPTS='-o /etc/exim4/my.conf'
+COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
+UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
+# in t12 exim, this replaces all the above options
+EXIMSERVICE='-bdf -q10m -C /etc/exim4/nn-mainlog.conf'
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
chmod g+s,u+s /usr/sbin/exim4
# need this to avoid error on service reload:
# 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
- # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf
+ # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
# 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
# note: the daemon gives up and dies after retrying those 9 times.
# I came upon this by guessing and trial and error.
setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
u /etc/exim4/trusted_configs <<'EOF'
-/etc/exim4/my.conf
+/etc/exim4/nn-mainlog.conf
EOF
;;
*)
domains = DEBBUGS_DOMAIN
EOF
+ install -m=0775 -d -g Debian-exim -o iank /var/spool/exim4/gw
+ f=/var/spool/exim4/gw/.no-delay-eximids
+ if [[ ! -e $f ]]; then
+ install -g Debian-exim -o iank /dev/null $f
+ fi
u /etc/exim4/conf.d/router/155_delay <<'EOF'
# By default, delay sending email by 30-40 minutes in case I
# change my mind.
condition = ${if and { \
{< {$tod_epoch} {${eval10:$received_time + 60*30}}} \
{!def:h_i:} \
-{!bool{${lookup{$message_exim_id}lsearch{/etc/exim4/no-delay-eximids}{true}}}} \
-{!bool{${lookup{all}lsearch{/etc/exim4/no-delay-eximids}{true}}}} \
+{!bool{${lookup{$message_exim_id}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \
+{!bool{${lookup{all}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \
} {true}{false}}
headers_remove = <; i:
domains = ! +local_domains
# uncomment for testing delays to jtuttle
# local_parts = ! root : ! testignore : ! alerts : ! ian-pager : ! daylert
- local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert
+ local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert : ! r2e
ignore_target_hosts = ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS
EOF
# defaults but no queue runner and alternate config dir
QUEUERUNNER='no'
COMMONOPTIONS='-oP /run/exim4/eximin.pid'
-UPEX4OPTS='-d /etc/myexim4'
+UPEX4OPTS='-d /etc/nond-exim4'
EOF
echo bk.b8.nz > /etc/mailname
EOF
# Bind to wghole to receive mailbackup.
- wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
- cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_other_hostnames='eximbackup.b8.nz'
dc_local_interfaces='127.0.0.1;::1;$wgholeip'
EOF
+ fi
# wghole & thus exim will fail to start without internet connectivity.
u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
m rsync -ra --delete --delete-excluded \
--exclude=/conf.d/router/161_backup_redir_nn \
--exclude=/conf.d/router/186_sentarchive_nn \
- --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4
- cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
+ --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/nond-exim4
+ cat >>/etc/nond-exim4/conf.d/main/000_local <<'EOF'
# this makes it easier to see which exim is doing what
-log_file_path = /var/log/exim4/my%s
+log_file_path = /var/log/exim4/nond%s
EOF
cat >/etc/logrotate.d/myexim <<'EOF'
-/var/log/exim4/mymain /var/log/exim4/myreject {
+/var/log/exim4/nondmain /var/log/exim4/nondreject {
daily
missingok
rotate 1000
notifempty
nocreate
}
-/var/log/exim4/mypanic {
+/var/log/exim4/nondpanic {
size 10M
missingok
rotate 10
# If we ever wanted to have a separate spool,
# we could do it like this.
# cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
- # spool_directory = /var/spool/myexim4
+ # spool_directory = /var/spool/nond-exim4
# EOF
- cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
+ cat >>/etc/nond-exim4/update-exim4.conf.conf <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_smarthost='nn.b8.nz'
EOF
bk)
# config for the non-nn exim
- cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
+ cat >>/etc/nond-exim4/conf.d/main/000_local <<'EOF'
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
EOF
;;
$MAIL_HOST)
- u /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
+ u /etc/nond-exim4/conf.d/router/185_sentarchive <<'EOF'
sentarchive:
driver = redirect
domains = ! +local_domains
unseen
EOF
- u /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
+ u /etc/nond-exim4/conf.d/router/160_backup_redir <<'EOF'
backup_redir:
driver = redirect
# i dont email myself from my own machine much, so lets ignore that.
EOF
# for bk, we have a exim4in.service that will do this for us.
- m update-exim4.conf -d /etc/myexim4
+ m update-exim4.conf -d /etc/nond-exim4
;;
esac
# if [[ ! $uid ]]; then
# # /a/opt/debbugs/debian/README.mail
# adduser --uid 610 --system --group --home /o/debbugs \
-# --no-create-home --disabled-login --force-badname debbugs
+ # --no-create-home --disabled-login --force-badname debbugs
# m find /o/debbugs -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 610 {} +
# m find /o/debbugs -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 610 {} +
# elif [[ $uid != 610 ]]; then
# err debbugs exist but is not uid 610: investigate
# fi
+# * mail monitoring / testing
+
+# note, to test clamav, send an email with body that only contains
+# https://en.wikipedia.org/wiki/EICAR_test_file
+# which set malware_name to Eicar-Signature
+case $HOSTNAME in
+ $MAIL_HOST|bk|je)
+ # note: cronjob "ian" also does some important monitoring
+ # todo: this will sometimes cause an alert because mailtest-check will run
+ # before we have setup network namespace and spamassassin
+ u /etc/cron.d/mailtest <<EOF
+SHELL=/bin/bash
+PATH=/usr/bin:/bin:/usr/local/bin
+MAILTO=daylert@iankelling.org
+*/5 * * * * $u send-test-forward |& log-once send-test-forward
+*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
+# if a bounce happened yesterday, dont let it slip through the cracks
+8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
+EOF
+
+
+ m sudo rsync -ahhi --chown=root:root --chmod=0755 \
+ /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+ u /etc/systemd/system/mailtest-check.service <<'EOF'
+[Unit]
+Description=mailtest-check
+After=local-fs.target
+StartLimitIntervalSec=0
+
+[Service]
+# avoid fans spinning up
+CPUQuota=22%
+Type=simple
+ExecStart=/usr/local/bin/mailtest-check slow
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=graphical.target
+EOF
+ sysd-prom-fail-install mailtest-check
+ ;;&
+ $MAIL_HOST)
+ test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
+ test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
+
+ cat >>/etc/cron.d/mailtest <<EOF
+# 10 am friday
+0 10 * * 5 root echo "weekly alert. You are not in the matrix."
+2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
+EOF
+ ;;&
+ bk)
+ test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
+ test_tos=(testignore@iankelling.org testignore@je.b8.nz)
+ # We dont need to send from different addresses to the same
+ # address. this breaks down our nice elegant logic of building up
+ # froms and tos , so I just handle expertpath in a special case
+ # below and set the to: to be testignore@zroe.org. If we did sent
+ # that way, it would also mess up our mailtest-check logic that
+ # finds which messages to check.
+ # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
+ # that would become 2 messages and we'd only check 1.
+ ;;&
+ je)
+ test_froms=(testignore@je.b8.nz)
+ test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
+ ;;&
+ $MAIL_HOST|bk|je)
+
+ # Dont put these test messages into the sent folder or else it will
+ # overwhelm it, plus i dont want to save a copy at all.
+ # Plus addresses we generally want to ignore.
+ u /etc/exim4/ignore-sent <<EOF
+$(printf "%s\n" ${test_tos[@]})
+vojdedIdNejyebni@b8.nz
+b@eximbackup.b8.nz
+EOF
+
+ cat >/usr/local/bin/send-test-forward <<'EOF'
+#!/bin/bash
+# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
+olds=(
+$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+)
+if (( ${#olds[@]} )); then
+ /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
+fi
+EOF
+ for test_from in ${test_froms[@]}; do
+
+ test_to=${test_tos[0]}
+ for t in ${test_tos[@]:1}; do
+ if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
+ continue
+ fi
+ test_to+=", $t"
+ done
+ case $test_from in
+ testignore@expertpathologyreview.com)
+ test_to=testignore@zroe.org
+ ;;
+ esac
+
+ cat >>/usr/local/bin/send-test-forward <<EOFOUTER
+/usr/sbin/exim -odf -f $test_from -t <<EOF
+From: $test_from
+To: $test_to
+Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
+
+/usr/local/bin/send-test-forward
+EOF
+EOFOUTER
+ done
+ m chmod +x /usr/local/bin/send-test-forward
+ ;;
+ *)
+ soff mailtest-check.service
+ rm -fv /etc/cron.d/mailtest \
+ /var/lib/prometheus/node-exporter/mailtest-check.prom* \
+ /var/local/cron-errors/check-remote-mailqs*
+ ;;
+esac
+
+
# * start / stop services
reifactive dnsmasq nscd
# optimization, this only needs to run once. But, if we move to a
# computer we haven't used much, we need to fetch a fresh cert.
-if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
+# Existence check is just to avoid ugly error message from openssl.
+if [[ ! -e /etc/exim4/fullchain.pem ]] || ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
m /a/bin/ds/mail-cert-cron -1 -i
m systemctl --now enable mailcert.timer
fi
;;&
$MAIL_HOST|bk|je)
# start spamassassin/dovecot before exim.
- sre dovecot spamassassin
+ sre dovecot $spamd_ser mailtest-check
# Wait a bit before restarting exim, else I get a paniclog entry
# like: spam acl condition: all spamd servers failed. But I'm tired
# of waiting. I'll deal with this some other way.
:
;;
*)
- soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon
+ soff radicale mailclean.timer dovecot $spamd_ser $vpnser mailnn clamav-daemon
;;
esac
bk) sre exim4in ;;
esac
-# * mail monitoring / testing
-
-# note, to test clamav, send an email with body that only contains
-# https://en.wikipedia.org/wiki/EICAR_test_file
-# which set malware_name to Eicar-Signature
-case $HOSTNAME in
- $MAIL_HOST|bk|je)
- # note: cronjob "ian" also does some important monitoring
- # todo: this will sometimes cause an alert because mailtest-check will run
- # before we have setup network namespace and spamassassin
- u /etc/cron.d/mailtest <<EOF
-SHELL=/bin/bash
-PATH=/usr/bin:/bin:/usr/local/bin
-MAILTO=daylert@iankelling.org
-*/5 * * * * $u send-test-forward |& log-once send-test-forward
-*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-# if a bounce happened yesterday, dont let it slip through the cracks
-8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
-EOF
-
-
- m sudo rsync -ahhi --chown=root:root --chmod=0755 \
- /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
- u /etc/systemd/system/mailtest-check.service <<'EOF'
-[Unit]
-Description=mailtest-check
-After=local-fs.target
-StartLimitIntervalSec=0
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/mailtest-check slow
-Restart=always
-RestartSec=60
-
-[Install]
-WantedBy=graphical.target
-EOF
- sysd-prom-fail-install mailtest-check
- sre mailtest-check
- ;;&
- $MAIL_HOST)
- test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
- test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
-
- cat >>/etc/cron.d/mailtest <<EOF
-# 10 am friday
-0 10 * * 5 root echo "weekly alert. You are not in the matrix."
-2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
-EOF
- ;;&
- bk)
- test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
- test_tos=(testignore@iankelling.org testignore@je.b8.nz)
- # We dont need to send from different addresses to the same
- # address. this breaks down our nice elegant logic of building up
- # froms and tos , so I just handle expertpath in a special case
- # below and set the to: to be testignore@zroe.org. If we did sent
- # that way, it would also mess up our mailtest-check logic that
- # finds which messages to check.
- # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
- # that would become 2 messages and we'd only check 1.
- ;;&
- je)
- test_froms=(testignore@je.b8.nz)
- test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
- ;;&
- $MAIL_HOST|bk|je)
-
- # Dont put these test messages into the sent folder or else it will
- # overwhelm it, plus i dont want to save a copy at all.
- # Plus addresses we generally want to ignore.
- u /etc/exim4/ignore-sent <<EOF
-$(printf "%s\n" ${test_tos[@]})
-vojdedIdNejyebni@b8.nz
-b@eximbackup.b8.nz
-EOF
-
- cat >/usr/local/bin/send-test-forward <<'EOF'
-#!/bin/bash
-# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
-olds=(
-$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
-)
-if (( ${#olds[@]} )); then
- /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
-fi
-EOF
- for test_from in ${test_froms[@]}; do
-
- test_to=${test_tos[0]}
- for t in ${test_tos[@]:1}; do
- if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
- continue
- fi
- test_to+=", $t"
- done
- case $test_from in
- testignore@expertpathologyreview.com)
- test_to=testignore@zroe.org
- ;;
- esac
-
- cat >>/usr/local/bin/send-test-forward <<EOFOUTER
-/usr/sbin/exim -odf -f $test_from -t <<EOF
-From: $test_from
-To: $test_to
-Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
-
-/usr/local/bin/send-test-forward
-EOF
-EOFOUTER
- done
- m chmod +x /usr/local/bin/send-test-forward
- ;;
- *)
- soff mailtest-check.service
- rm -fv /etc/cron.d/mailtest \
- /var/lib/prometheus/node-exporter/mailtest-check.prom* \
- /var/local/cron-errors/check-remote-mailqs*
- ;;
-esac
-
-
-
# * misc
m sudo -u $u mkdir -p /home/$u/.cache
set -- /m/mucache /home/$u/.cache/mu /m/.mu /home/$u/.mu