# See the License for the specific language governing permissions and
# limitations under the License.
+# todo: make quick backups of maildir, or deliver to multiple hosts.
+
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+if [[ ! $SUDO_USER ]]; then
+ echo "$0: error: requires running as nonroot or sudo"
+ exit 1
+fi
+u=$SUDO_USER
+
usage() {
- cat <<EOF
-Usage: ${0##*/} exim4|postfix
-Setup exim4 / postfix / dovecot
+ cat <<EOF
+Usage: ${0##*/}
+Setup exim4 & dovecot & related things
The minimal assumption we have is that /etc/mailpass exists
+
-h|--help Print help and exit.
EOF
- exit $1
+ exit $1
}
-type=$1
-postfix() { [[ $type == postfix ]]; }
-exim() { [[ $type == exim4 ]]; }
-if ! exim && ! postfix; then
- usage 1
-fi
-if [[ ! $SUDO_USER ]]; then
- echo "$0: error: requires running as nonroot or sudo"
-fi
-u=$SUDO_USER
+####### instructions for icedove #####
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
+# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+#
+# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
+# background: ovecot does not yet have ocsp stapling support
+# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#######
####### begin perstent password instructions ######
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
-# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
+# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
# # then run this script, or part of it which uses /etc/mailpass
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
# conflink
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
# # 2017-02 spf policies:
-# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
+# # host -t txt lists.fedoraproject.org
+# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.
postconfin() {
- local MAPFILE
- mapfile -t
- local s
- postconf -ev "${MAPFILE[@]}"
+ local MAPFILE
+ mapfile -t
+ local s
+ postconf -ev "${MAPFILE[@]}"
}
e() { printf "%s\n" "$*"; }
+pi() { # package install
+ local s f
+ if dpkg -s -- "$@" &> /dev/null; then
+ return 0;
+ fi;
+ while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+ f=/var/cache/apt/pkgcache.bin;
+ if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
+ apt-get update
+ fi
+ apt-get -y install --purge --auto-remove "$@"
+}
postmaster=$u
mxhost=mail.iankelling.org
-mxport=25
+mxport=587
forward=$u@$mxhost
# old setup. left as comment for example
# mxport=587
# forward=ian@iankelling.org
-relayhost="[$mxhost]:$mxport" # postfix
smarthost="$mxhost::$mxport" # exim
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
- vpn_ser=openvpn
+ vpn_ser=openvpn
fi
if [[ $HOSTNAME == $MAIL_HOST ]]; then
- # afaik, these will get ignored because they are routing to my own
- # machine, but rm them is safer
- rm -f $(eval echo ~$postmaster)/.forward /root/.forward
+ # afaik, these will get ignored because they are routing to my own
+ # machine, but rm them is safer
+ rm -f $(eval echo ~$postmaster)/.forward /root/.forward
else
- # this can\'t be a symlink and has permission restrictions
- # it might work in /etc/aliases, but this seems more proper.
- install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
+ # this can\'t be a symlink and has permission restrictions
+ # it might work in /etc/aliases, but this seems more proper.
+ install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
fi
-# offlineimap uses this too, it is much easier to use one location than to
-# condition it\'s config and postfix\'s config
-if [[ -f /etc/fedora-release ]]; then
- /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
+
+pi openvpn
+
+if [[ -e /p/c/filesystem ]]; then
+ # allow failure of these commands when our internet is down, they are likely not needed,
+ # we check that a valid cert is there already.
+ # to put the hostname in the known hosts
+ if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
+ # This just causes failure if our cert is going to expire in the next 30 days.
+ # Certs I generate last 10 years.
+ openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
+ else
+ # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
+ # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
+ # after my internet was down for a bit:
+ # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
+ /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
+ fi
fi
-if postfix; then
- # dunno why, but debian installed postfix with builddep emacs
- # but I will just explicitly install it here since
- # I use it for sending mail in emacs.
- if command -v apt-get &> /dev/null; then
- debconf-set-selections <<EOF
-postfix postfix/main_mailer_type select Satellite system
-postfix postfix/mailname string $HOSTNAME
-postfix postfix/relayhost string $relayhost
-postfix postfix/root_address string $postmaster
-EOF
- if dpkg -s postfix &>/dev/null; then
- dpkg-reconfigure -u -fnoninteractive postfix
- else
- apt-get -y install --purge --auto-remove postfix
- fi
- else
- source /a/bin/distro-functions/src/package-manager-abstractions
- pi postfix
- # Settings from reading the output when installing on debian,
- # then seeing which were different in a default install on arch.
- # I assume the same works for fedora.
- postconfin <<EOF
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-relayhost = $relayhost
-inet_interfaces = loopback-only
-EOF
+cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
+[Unit]
+Description=Run offlineimap-sync once every min
- systemctl enable postfix
- systemctl start postfix
- fi
- # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
- postconfin <<'EOF'
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
-smtp_tls_security_level = secure
-message_size_limit = 20480000
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-inet_protocols = ipv4
-EOF
- # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
- # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
- # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
-
-
- f=/etc/postfix/sasl_passwd
- install -m 600 /dev/null $f
- cat /etc/mailpass| while read -r domain port pass; do
- # format: domain port user:pass
- # mailpass is just a name i made up, since postfix and
- # exim both use a slightly crazy format to translate to
- # each other, it\'s easier to use my own format.
- printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
- done
- postmap hash:/etc/postfix/sasl_passwd
- # need restart instead of reload when changing
- # inet_protocols
- service postfix restart
-
-else # begin exim. has debian specific stuff for now
-
- if ! dpkg -s openvpn &>/dev/null; then
- apt-get -y install --purge --auto-remove openvpn
- fi
+[Timer]
+OnCalendar=*:0/1
- if [[ -e /p/c/filesystem ]]; then
- # to put the hostname in the known hosts
- ssh -o StrictHostKeyChecking=no root@li.iankelling.org :
- /a/exe/vpn-mk-client-cert -b mail -n mail li.iankelling.org
- fi
+[Install]
+WantedBy=timers.target
+EOF
- cat >/etc/systemd/system/mailroute.service <<EOF
+cat >/etc/systemd/system/offlineimapsync.service <<EOF
[Unit]
-# this unit is configured to start and stop whenever $vpn_ser@mail.service
-# does
-Description=Routing for email vpn
-After=network.target
-BindsTo=$vpn_ser@mail.service
-After=$vpn_ser@mail.service
+Description=Offlineimap sync
+After=multi-user.target
[Service]
+User=$u
Type=oneshot
-ExecStart=/a/bin/distro-setup/mail-route start
-ExecStop=/a/bin/distro-setup/mail-route stop
-RemainAfterExit=yes
-
-[Install]
-RequiredBy=$vpn_ser@mail.service
+ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
EOF
- cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
+cat >/etc/systemd/system/mailclean.timer <<'EOF'
[Unit]
-Description=Run offlineimap-sync once every 5 mins
+Description=Run mailclean daily
[Timer]
-OnCalendar=*:0/5
+OnCalendar=monthly
[Install]
WantedBy=timers.target
EOF
- cat >/etc/systemd/system/offlineimapsync.service <<EOF
+cat >/etc/systemd/system/mailclean.service <<EOF
[Unit]
-Description=Offlineimap sync
+Description=Delete and archive old mail files
After=multi-user.target
[Service]
User=$u
Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
EOF
- systemctl daemon-reload
- systemctl enable mailroute
-
- # wording of question from dpkg-reconfigure exim4-config
- # 1. internet site; mail is sent and received directly using SMTP
- # 2. mail sent by smarthost; received via SMTP or fetchmail
- # 3. mail sent by smarthost; no local mail
- # 4. local delivery only; not on a network
- # 5. no configuration at this time
- #
- # Note, I have used option 2 in the past for receiving mail
- # from lan hosts, sending external mail via another smtp server.
- #
- # Note, other than configtype, we could set all the options in
- # both types of configs without harm, they would either be
- # ignored or be disabled by other settings, but the default
- # local_interfaces definitely makes things more secure.
-
- # most of these settings get translated into settings
- # in /etc/exim4/update-exim4.conf.conf
- # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
- # documented in man update-exim4.conf, which outputs to the config that
- # exim actually reads. except the man page is not perfect, for example,
- # it doesn't document that it sets
- # DCconfig_${dc_eximconfig_configtype}" "1"
- # which is a line from update-exim4.conf, which is a relatively short bash script.
- # mailname setting sets /etc/mailname
-
- debconf-set-selections <<EOF
+
+systemctl daemon-reload
+
+# wording of question from dpkg-reconfigure exim4-config
+# 1. internet site; mail is sent and received directly using SMTP
+# 2. mail sent by smarthost; received via SMTP or fetchmail
+# 3. mail sent by smarthost; no local mail
+# 4. local delivery only; not on a network
+# 5. no configuration at this time
+#
+# Note, I have used option 2 in the past for receiving mail
+# from lan hosts, sending external mail via another smtp server.
+#
+# Note, other than configtype, we could set all the options in
+# both types of configs without harm, they would either be
+# ignored or be disabled by other settings, but the default
+# local_interfaces definitely makes things more secure.
+
+# most of these settings get translated into settings
+# in /etc/exim4/update-exim4.conf.conf
+# how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
+# documented in man update-exim4.conf, which outputs to the config that
+# exim actually reads. except the man page is not perfect, for example,
+# it doesn't document that it sets
+# DCconfig_${dc_eximconfig_configtype}" "1"
+# which is a line from update-exim4.conf, which is a relatively short bash script.
+# mailname setting sets /etc/mailname
+
+debconf-set-selections <<EOF
exim4-config exim4/use_split_config boolean true
EOF
- source /a/bin/bash_unpublished/source-semi-priv
- exim_main_dir=/etc/exim4/conf.d/main
- mkdir -p $exim_main_dir
+source /a/bin/bash_unpublished/source-semi-priv
+mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
+
+cat >/etc/exim4/rcpt_local_acl <<'EOF'
+# Only hosts we control send to mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+ message = ian trusted domain recepient but no auth
+ !authenticated = *
+ domains = mail.iankelling.org
+EOF
+cat >/etc/exim4/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+ warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+EOF
+cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+
+cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+# check_local_user
+ local_parts = ! root
+ transport = LOCAL_DELIVERY
+ cannot_route_message = Unknown user
+EOF
+cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+EOF
+
+cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@fsf.org
+ transport = remote_smtp_smarthost
+ route_list = * mail.fsf.org byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+EOF
- #### begin mail cert setup ###
- f=/usr/local/bin/mail-cert-cron
- cat >$f <<'EOF'
+#### begin mail cert setup ###
+f=/usr/local/bin/mail-cert-cron
+cat >$f <<'EOF'
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
fi
if [[ $HOSTNAME == $MAIL_HOST ]]; then
local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+ rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
${rsync_common}fullchain.pem /etc/exim4/exim.crt
+ ret=$?
${rsync_common}privkey.pem /etc/exim4/exim.key
+ new_ret=$?
+ if [[ $ret != $new_ret ]]; then
+ echo "$0: error: differing rsync returns, $ret, $new_ret"
+ exit 1
+ fi
+fi
+if [[ $new_ret != 0 ]]; then
+ if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+ echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+ exit 1
+ fi
fi
+exit 0
EOF
- chmod 755 $f
+chmod 755 $f
- cat >/etc/systemd/system/mailcert.service <<'EOF'
+cat >/etc/systemd/system/mailcert.service <<'EOF'
[Unit]
Description=Mail cert rsync
After=multi-user.target
ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF
- cat >/etc/systemd/system/mailcert.timer <<'EOF'
+cat >/etc/systemd/system/mailcert.timer <<'EOF'
[Unit]
Description=Run mail-cert once a day
[Install]
WantedBy=timers.target
EOF
- systemctl daemon-reload
- systemctl start mailcert
- systemctl restart mailcert.timer
- systemctl enable mailcert.timer
+systemctl daemon-reload
+systemctl start mailcert
+systemctl restart mailcert.timer
+systemctl enable mailcert.timer
- ##### end mailcert setup #####
+##### end mailcert setup #####
- if [[ $HOSTNAME == $MAIL_HOST ]]; then
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
- debconf-set-selections <<EOF
+ debconf-set-selections <<EOF
# Mail Server configuration
# -------------------------
# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
# System mail name:
+# iank: see comment elsewhere on mailname
exim4-config exim4/mailname string mail.iankelling.org
# Please enter a semicolon-separated list of recipient domains for which this machine
# should consider itself the final destination. These domains are commonly called
-# 'local domains'. The local hostname (treetowl.lan) and 'localhost' are always added
+# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
# to the list given here.
# By default all local domains will be treated identically. If both a.example and
# Delivery method for local mail: 2
exim4-config exim4/dc_localdelivery select Maildir format in home directory
EOF
- # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
- # smarthost config type, not sure. all other settings
- # would be unused in that config type.
- cat >$exim_main_dir/000_localmacros <<EOF
-# i don't have ipv6 setup for my tunnel yet.
+ echo mail.iankelling.org > /etc/mailname
+
+ # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
+ # smarthost config type, not sure. all other settings
+ # would be unused in that config type.
+ rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
+ cat >/etc/exim4/conf.d/main/000_local <<EOF
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
+# i don't have ipv6 setup for my vpn tunnel yet.
disable_ipv6 = true
MAIN_TLS_ENABLE = true
# failing message on mail-tester.com:
-# We check if there is a server (A Record) behind your hostname treetowl.
-# You may want to publish a DNS record (A type) for the hostname treetowl or use a different hostname in your mail software
+# We check if there is a server (A Record) behind your hostname kd.
+# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
# and this one seemed appropriate from grepping config.
# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
-# mail to treetowl, so this should basically be a name that no host has as their
+# mail to kd, so this should basically be a name that no host has as their
# canonical hostname since the actual host sits behind a nat and changes.
# Seems logical for this to be the same as mailname.
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# seems like a good idea
+CHECK_DATA_VERIFY_HEADER_SENDER = true
+CHECK_RCPT_SPF = true
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_MAIL_HELO_ISSUED = true
EOF
- ####### begin dovecot setup ########
- # based on a little google and package search, just the dovecot
- # packages we need instead of dovecot-common.
- #
- # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
- # directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
- # sieve has the benefit of being supported in postfix and
- # proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- apt-get -y install --purge --auto-remove \
- dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
- # if we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
-
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+ ####### begin dovecot setup ########
+ # based on a little google and package search, just the dovecot
+ # packages we need instead of dovecot-common.
+ #
+ # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+ # directly. The reason to do this is to use dovecot\'s sieve, which
+ # has extensions that allow it to be almost equivalent to exim\'s
+ # filter capabilities, some ways probably better, some worse, and
+ # sieve has the benefit of being supported in postfix and
+ # proprietary/weird environments, so there is more examples on the
+ # internet. I was torn about whether to do this or not, meh.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+ # if we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
+
+ sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
/^\s*mail_location\s*=/d
EOF
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
mail_plugins = \$mail_plugins sieve
EOF
- cat >/etc/dovecot/local.conf <<'EOF'
+ cat >/etc/dovecot/local.conf <<'EOF'
# so I can use a different login that my shell login for mail. this is
# worth doing solely for the reason that if this login is compromised,
# it won't also compromise my shell password.
# auth_verbose=yes
#mail_debug=yes
EOF
- ####### end dovecot setup ########
-
-
- systemctl enable offlineimapsync.timer
- systemctl start offlineimapsync.timer
- systemctl restart $vpn_ser@mail
- systemctl enable $vpn_ser@mail
- systemctl enable dovecot
- systemctl restart dovecot
-
- else # $HOSTNAME != $MAIL_HOST
- systemctl disable offlineimapsync.timer &>/dev/null ||:
- systemctl stop offlineimapsync.timer &>/dev/null ||:
- systemctl disable $vpn_ser@mail
- systemctl stop $vpn_ser@mail
- systemctl disable dovecot ||:
- systemctl stop dovecot ||:
- #
- #
- # would only exist because I wrote it i the previous condition,
- # it\'s not part of exim
- rm -f $exim_main_dir/000_localmacros
- debconf-set-selections <<EOF
+ ####### end dovecot setup ########
+
+ # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
+ d=/etc/systemd/system/openvpn@mail
+ mkdir -p $d
+ cat >$d/override.conf <<'EOF'
+[Service]
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Unit]
+# StartLimitIntervalSec in recent systemd versions
+StartLimitInterval=0
+EOF
+
+ systemctl enable offlineimapsync.timer
+ systemctl start offlineimapsync.timer
+ systemctl enable mailclean.timer
+ systemctl start mailclean.timer
+ systemctl restart $vpn_ser@mail
+ systemctl enable $vpn_ser@mail
+ systemctl enable dovecot
+ systemctl restart dovecot
+
+else # $HOSTNAME != $MAIL_HOST
+ systemctl disable offlineimapsync.timer &>/dev/null ||:
+ systemctl stop offlineimapsync.timer &>/dev/null ||:
+ systemctl disable mailclean.timer &>/dev/null ||:
+ systemctl stop mailclean.timer &>/dev/null ||:
+ systemctl disable $vpn_ser@mail
+ systemctl stop $vpn_ser@mail
+ systemctl disable dovecot ||:
+ systemctl stop dovecot ||:
+ #
+ #
+ # would only exist because I wrote it i the previous condition,
+ # it\'s not part of exim
+ rm -f /etc/exim4/conf.d/main/000_localmacros
+ debconf-set-selections <<EOF
exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
exim4-config exim4/dc_smarthost string $smarthost
-# the default, i think is from /etc/mailname. better to set it to
-# whatever the current fqdn is.
+# afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
+# if it does exist, it immediately changes the value to whats in /etc/mailname.
+# So, I don't think there's any point in setting it, but might as well since
+# ignoring what I set here is brain dead and might change.
exim4-config exim4/mailname string $(hostname -f)
EOF
+ hostname -f > /etc/mailname
- fi # end $HOSTNAME != $MAIL_HOST
+fi # end $HOSTNAME != $MAIL_HOST
- # if we already have it installed, need to reconfigure, without being prompted
- if dpkg -s exim4-config &>/dev/null; then
- # gotta remove this, otherwise the set-selections are completely
- # ignored. It woulda been nice if this was documented somewhere!
- rm -f /etc/exim4/update-exim4.conf.conf
- dpkg-reconfigure -u -fnoninteractive exim4-config
- fi
+# if we already have it installed, need to reconfigure, without being prompted
+if dpkg -s exim4-config &>/dev/null; then
+ # gotta remove this, otherwise the set-selections are completely
+ # ignored. It woulda been nice if this was documented somewhere!
+ rm -f /etc/exim4/update-exim4.conf.conf
+ while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+ dpkg-reconfigure -u -fnoninteractive exim4-config
+fi
- # i have the spool directory be common to distro multi-boot, so
- # we need the uid to be the same. 608 cuz it's kind of in the middle
- # of the free system uids.
- IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS
- IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS
- if [[ ! $uid ]]; then
- # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
- adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \
- --no-create-home --disabled-login --force-badname Debian-exim
- elif [[ $uid != 608 ]]; then
- systemctl stop exim4 ||:
- usermod -u 608 Debian-exim
- groupmod -g 608 Debian-exim
- usermod -g 608 Debian-exim
- find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
- find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
- fi
+# i have the spool directory be common to distro multi-boot, so
+# we need the uid to be the same. 608 cuz it's kind of in the middle
+# of the free system uids.
+IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
+IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
+if [[ ! $uid ]]; then
+ # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
+ adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
+ --no-create-home --disabled-login --force-badname Debian-exim
+elif [[ $uid != 608 ]]; then
+ systemctl stop exim4 ||:
+ usermod -u 608 Debian-exim
+ groupmod -g 608 Debian-exim
+ usermod -g 608 Debian-exim
+ find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
+ find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+fi
- # light version of exim does not have sasl auth support.
- apt-get -y install --purge --auto-remove exim4-daemon-heavy spamassassin
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl
- ##### begin spamassassin config
- systemctl enable spamassassin
- # per readme.debian
- sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
- e CRON=1 >>/etc/default/spamassassin
- # just noticed this in the config file, seems like a good idea.
- sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
- e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
- systemctl start spamassassin
- systemctl reload spamassassin
+##### begin spamassassin config
+systemctl enable spamassassin
+# per readme.debian
+sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+e CRON=1 >>/etc/default/spamassassin
+# just noticed this in the config file, seems like a good idea.
+sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+systemctl start spamassassin
+systemctl reload spamassassin
- cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
[Unit]
Description=spamd dns bug fix cronjob
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
- # 2017-09, debian closed the bug on this saying upstream had fixed it.
- # remove this when i\'m using the newer package, ie, debian 10, or maybe
- # ubuntu 18.04.
- cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+# 2017-09, debian closed the bug on this saying upstream had fixed it.
+# remove this when i\'m using the newer package, ie, debian 10, or maybe
+# ubuntu 18.04.
+cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes
[Install]
WantedBy=timers.target
EOF
- systemctl daemon-reload
- systemctl restart spamddnsfix.timer
- systemctl enable spamddnsfix.timer
- #
- ##### end spamassassin config
-
-
-
-
-
- cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
-# they are all authed.
-# Note, if we wanted authed senders for all domains,
-# we could make this condition in acl_check_mail
-deny
- message = ian trusted domain recepient but no auth
- !authenticated = *
- domains = mail.iankelling.org
-EOF
- cat >/etc/exim4/data_local_acl <<'EOF'
-# Except for the "condition =", this was
-# a comment in the check_data acl. The comment about this not
-# being suitable is mostly bs. The only thing related I found was to
-# add the condition =, cuz spamassassin has problems with big
-# messages and spammers don't bother with big messages,
-# but I've increased the size from 10k
-# suggested in official docs, and 100k in the wiki example because
-# those docs are rather old and I see a 110k spam message
-# pretty quickly looking through my spam folder.
- warn
- condition = ${if < {$message_size}{2000K}}
- spam = Debian-exim:true
- add_header = X-Spam_score: $spam_score\n\
- X-Spam_score_int: $spam_score_int\n\
- X-Spam_bar: $spam_bar\n\
- X-Spam_report: $spam_report
-
-EOF
- cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-# from 30_exim4-config_examples
+systemctl daemon-reload
+systemctl restart spamddnsfix.timer
+systemctl enable spamddnsfix.timer
+#
+##### end spamassassin config
-plain_server:
-driver = plaintext
-public_name = PLAIN
-server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-server_set_id = $auth2
-server_prompts = :
-.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
-.endif
-EOF
- cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
-### router/900_exim4-config_local_user
-#################################
-# This router matches local user mailboxes. If the router fails, the error
-# message is "Unknown user".
-local_user:
- debug_print = "R: local_user for $local_part@$domain"
- driver = accept
- domains = +local_domains
-# ian: commented this, in conjunction with a dovecot lmtp
-# change so I get mail for all users.
-# check_local_user
- local_parts = ! root
- transport = LOCAL_DELIVERY
- cannot_route_message = Unknown user
-EOF
- cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
-dovecot_lmtp:
- driver = lmtp
- socket = /var/run/dovecot/lmtp
- #maximum number of deliveries per batch, default 1
- batch_max = 200
-EOF
-
- cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
-# smarthost for fsf mail
-# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
-# replaced DCsmarthost with mail.fsf.org
-fsfsmarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- senders = *@fsf.org
- transport = remote_smtp_smarthost
- route_list = * mail.fsf.org byname
- host_find_failed = ignore
- same_domain_copy_routing = yes
- no_more
-EOF
- # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
- # i only need .forwards, so just doing that one.
- cd /etc/exim4/conf.d/router
- b=userforward_higher_priority
- # replace the router name so it is unique
- sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+# https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
- # begin setup passwd.client
- f=/etc/exim4/passwd.client
- rm -f /etc/exim4/passwd.client
- install -m 640 -g Debian-exim /dev/null $f
- cat /etc/mailpass| while read -r domain port pass; do
- # reference: exim4_passwd_client(5)
- printf "%s:%s\n" "$domain" "$pass" >>$f
- done
- # end setup passwd.client
+# begin setup passwd.client
+f=/etc/exim4/passwd.client
+rm -f /etc/exim4/passwd.client
+install -m 640 -g Debian-exim /dev/null $f
+cat /etc/mailpass| while read -r domain port pass; do
+ # reference: exim4_passwd_client(5)
+ printf "%s:%s\n" "$domain" "$pass" >>$f
+done
+# end setup passwd.client
- systemctl restart exim4
+# by default, only 10 days of logs are kept. increase that.
+sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
-fi #### end if exim4
+systemctl restart exim4
# /etc/alias setup is debian specific, and
# exim config sets up an /etc/alias from root to the postmaster, which i
# won\'t set up a root to $postmaster alias if it\'s already installed.
# Since postfix is not the greatest, just set it ourselves.
if [[ $postmaster != root ]]; then
- sed -i --follow-symlinks -f - /etc/aliases <<EOF
+ sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: $postmaster
/^root:/d
EOF
- newaliases
+ newaliases
fi
# put spool dir in directory that spans multiple distros.
#
# todo: I\'m suspicious of uids for Debian-exim being the same across
# distros. It would be good to test this.
-dir=/nocow/$type
-sdir=/var/spool/$type
+dir=/nocow/exim4
+sdir=/var/spool/exim4
# we only do this if our system has $dir
if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
- systemctl stop $type
- if [[ ! -e $dir && -d $sdir ]]; then
- mv $sdir $dir
- fi
- /a/exe/lnf -T $dir $sdir
+ systemctl stop exim4
+ if [[ ! -e $dir && -d $sdir ]]; then
+ mv $sdir $dir
+ fi
+ /a/exe/lnf -T $dir $sdir
fi
-systemctl restart $type
-systemctl enable $type
+systemctl restart exim4
+systemctl enable exim4
# MAIL_HOST also does radicale, and easier to start and stop it here
# for when MAIL_HOST changes, so radicale gets the synced files and
# does not stop us from remounting /o.
if dpkg -s radicale &>/dev/null; then
- if [[ $HOSTNAME == $MAIL_HOST ]]; then
- systemctl restart radicale
- systemctl enable radicale
- if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
- mv /etc/logrotate.d/radicale{.disabled,}
- fi
- else
- systemctl stop radicale
- systemctl disable radicale
- # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
- if [[ -e /etc/logrotate.d/radicale ]]; then
- mv /etc/logrotate.d/radicale{,.disabled}
- fi
+ if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ systemctl restart radicale
+ systemctl enable radicale
+ if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
+ mv /etc/logrotate.d/radicale{.disabled,}
+ fi
+ else
+ systemctl stop radicale
+ systemctl disable radicale
+ # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
+ if [[ -e /etc/logrotate.d/radicale ]]; then
+ mv /etc/logrotate.d/radicale{,.disabled}
fi
+ fi
fi
exit 0
-
-# if I wanted the from address to be renamed and sent to a different address,
-# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
-# sudo postmap hash:/etc/postfix/recipient_canonical
-# sudo service postfix reload
+: