# /usr/sbin/invoke-rc.d-diverted "$@"
# fi
-# Things I tend to forget. on MAIL_HOST, daemon runs with /etc/exim4/my.conf,
+# Things I tend to forget. on MAIL_HOST, daemon runs with /etc/exim4/nn-mainlog.conf,
# due to /etc/default/exim4 containing:
-# COMMONOPTIONS='-C /etc/exim4/my.conf'
-# UPEX4OPTS='-o /etc/exim4/my.conf'
+# COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
+# UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
#
# The non-daemon config
-# gets generated from this script calling update-exim4.conf -d /etc/myexim4
+# gets generated from this script calling update-exim4.conf -d /etc/nond-exim4
# which has log path
-# log_file_path = /var/log/exim4/my%s
+# log_file_path = /var/log/exim4/nond%s
#
# On non bk|MAIL_HOST, the config and log file are all standard.
#
if [[ -e /var/local/mail-setup-reload ]]; then
reload=true
fi
-u() { # update file. note: duplicated in brc
- local tmp tmpdir dest="$1"
- local base="${dest##*/}"
- local dir="${dest%/*}"
- if [[ $dir != "$base" ]]; then
- # dest has a directory component
- mkdir -p "$dir"
- fi
- ur=false # u result
- tmpdir=$(mktemp -d)
- cat >$tmpdir/"$base"
- tmp=$(rsync -ic $tmpdir/"$base" "$dest")
- if [[ $tmp ]]; then
- printf "%s\n" "$tmp"
- ur=true
- if [[ $dest == /etc/systemd/system/* ]]; then
- touch /var/local/mail-setup-reload
- reload=true
- fi
- fi
- rm -rf $tmpdir
-}
+
+source /a/bin/fai/fai/config/distro-install-common/bash-misc-funcs
setini() {
key="$1" value="$2" section="$3"
file="/etc/radicale/config"
esac
-lines=(
- "/etc/resolved-nsswitch/nsswitch.conf r,"
- "/etc/basic-nsswitch/nsswitch.conf r,"
- # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
- # I dont know if this is quite the right fix, but I saw other sockets
- # in the nameservice files that were rw, so figured it was ok to add this and it worked.
- "/run/systemd/resolve/io.systemd.Resolve rw,"
-)
-f=/etc/apparmor.d/abstractions/nameservice
-apparmor_reload=false
-if [[ -e $f ]]; then
- for l in "${lines[@]}"; do
- if ! grep -qF "$l" $f; then
- sudo sed -i "/\/nsswitch.conf/a $l" $f
- apparmor_reload=true
- if ! grep -qF "$l" $f; then
- echo "$0: failed editing $f. investigate"
- exit 1
- fi
- fi
- done
- if $apparmor_reload && systemctl is-active apparmor; then
- m ser reload apparmor
- fi
+u /etc/apparmor.d/abstractions/nameservice.d/iank <<'EOF'
+/etc/resolved-nsswitch/nsswitch.conf r,
+/etc/basic-nsswitch/nsswitch.conf r,
+# Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
+# I dont know if this is quite the right fix, but I saw other sockets
+# in the nameservice files that were rw, so figured it was ok to add this and it worked.
+/run/systemd/resolve/io.systemd.Resolve rw,
+EOF
+
+if $ur && systemctl is-active apparmor; then
+ m systemctl reload apparmor
fi
# which will overwrite any existing file
u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
-# note: this is duplicated in brc2, 10m here is -q10m there.
QUEUEINTERVAL='10m'
-COMMONOPTIONS='-C /etc/exim4/my.conf'
-UPEX4OPTS='-o /etc/exim4/my.conf'
+COMMONOPTIONS='-C /etc/exim4/nn-mainlog.conf'
+UPEX4OPTS='-o /etc/exim4/nn-mainlog.conf'
+# in t12 exim, this replaces all the above options
+EXIMSERVICE='-bdf -q10m -C /etc/exim4/nn-mainlog.conf'
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
chmod g+s,u+s /usr/sbin/exim4
# need this to avoid error on service reload:
# 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
- # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf
+ # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
# 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
# note: the daemon gives up and dies after retrying those 9 times.
# I came upon this by guessing and trial and error.
setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
u /etc/exim4/trusted_configs <<'EOF'
-/etc/exim4/my.conf
+/etc/exim4/nn-mainlog.conf
EOF
;;
*)
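Review bot: The reload condition `if $ur && systemctl is-active apparmor` at L84 keys off `ur`, a global that was set by the local `u` this commit removes; it now depends on the sourced bash-misc-funcs version setting the same variable, which is not visible here, so a one-line comment at the `if` would help, e.g. `# ur: set by u (bash-misc-funcs), true when the written file changed`. The drop-in also replaces the old grep verification: a file under `abstractions/nameservice.d/` only takes effect if the installed nameservice abstraction includes that directory (an `include if exists <abstractions/nameservice.d>` line), so a guard such as `grep -q 'nameservice.d' /etc/apparmor.d/abstractions/nameservice || echo "$0: nameservice.d not included, freshclam AVC fix inactive" >&2` would preserve the failure signal the removed code had. The enclosing block of this hunk starts before L50.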
EOF
install -m=0775 -d -g Debian-exim -o iank /var/spool/exim4/gw
+ f=/var/spool/exim4/gw/.no-delay-eximids
+ if [[ ! -e $f ]]; then
+ install -g Debian-exim -o iank /dev/null $f
+ fi
u /etc/exim4/conf.d/router/155_delay <<'EOF'
# By default, delay sending email by 30-40 minutes in case I
# change my mind.
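Review bot: `install -g Debian-exim -o iank /dev/null $f` at L120 creates the marker file with install's default mode rwxr-xr-x, so a plain data file ends up executable; pass an explicit mode and quote the path, `install -m 0644 -g Debian-exim -o iank /dev/null "$f"` (0664 if the Debian-exim group must write it — the consumer is not visible here). Because of the `-e` guard an existing file keeps whatever ownership and mode it already has, which is fine if that is intended but worth a comment. The enclosing case arm starts and ends outside the hunk.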
# defaults but no queue runner and alternate config dir
QUEUERUNNER='no'
COMMONOPTIONS='-oP /run/exim4/eximin.pid'
-UPEX4OPTS='-d /etc/myexim4'
+UPEX4OPTS='-d /etc/nond-exim4'
EOF
echo bk.b8.nz > /etc/mailname
m rsync -ra --delete --delete-excluded \
--exclude=/conf.d/router/161_backup_redir_nn \
--exclude=/conf.d/router/186_sentarchive_nn \
- --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4
- cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
+ --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/nond-exim4
+ cat >>/etc/nond-exim4/conf.d/main/000_local <<'EOF'
# this makes it easier to see which exim is doing what
-log_file_path = /var/log/exim4/my%s
+log_file_path = /var/log/exim4/nond%s
EOF
cat >/etc/logrotate.d/myexim <<'EOF'
-/var/log/exim4/mymain /var/log/exim4/myreject {
+/var/log/exim4/nondmain /var/log/exim4/nondreject {
daily
missingok
rotate 1000
notifempty
nocreate
}
-/var/log/exim4/mypanic {
+/var/log/exim4/nondpanic {
size 10M
missingok
rotate 10
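Review bot: The logrotate stanza now only names the `nond*` logs, so on a host that already ran the previous version the existing `/var/log/exim4/my{main,reject,panic}` files stop being rotated and remain on disk, and `/etc/myexim4` stays behind as a stale second config tree unless something outside this hunk removes it. A one-time migration step next to the rsync would close that, e.g. `rm -rf -- /etc/myexim4` once nothing references it, plus removing or renaming the old `my*` log files. `/etc/logrotate.d/myexim` keeps its old name, which is cosmetic but worth aligning with the new prefix.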
# If we ever wanted to have a separate spool,
# we could do it like this.
# cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
- # spool_directory = /var/spool/myexim4
+ # spool_directory = /var/spool/nond-exim4
# EOF
- cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
+ cat >>/etc/nond-exim4/update-exim4.conf.conf <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_smarthost='nn.b8.nz'
EOF
bk)
# config for the non-nn exim
- cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
+ cat >>/etc/nond-exim4/conf.d/main/000_local <<'EOF'
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
EOF
;;
$MAIL_HOST)
- u /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
+ u /etc/nond-exim4/conf.d/router/185_sentarchive <<'EOF'
sentarchive:
driver = redirect
domains = ! +local_domains
unseen
EOF
- u /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
+ u /etc/nond-exim4/conf.d/router/160_backup_redir <<'EOF'
backup_redir:
driver = redirect
# i dont email myself from my own machine much, so lets ignore that.
EOF
# for bk, we have a exim4in.service that will do this for us.
- m update-exim4.conf -d /etc/myexim4
+ m update-exim4.conf -d /etc/nond-exim4
;;
esac
# err debbugs exist but is not uid 610: investigate
# fi
+# * mail monitoring / testing
+
+# note, to test clamav, send an email with body that only contains
+# https://en.wikipedia.org/wiki/EICAR_test_file
+# which set malware_name to Eicar-Signature
+case $HOSTNAME in
+ $MAIL_HOST|bk|je)
+ # note: cronjob "ian" also does some important monitoring
+ # todo: this will sometimes cause an alert because mailtest-check will run
+ # before we have setup network namespace and spamassassin
+ u /etc/cron.d/mailtest <<EOF
+SHELL=/bin/bash
+PATH=/usr/bin:/bin:/usr/local/bin
+MAILTO=daylert@iankelling.org
+*/5 * * * * $u send-test-forward |& log-once send-test-forward
+*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
+# if a bounce happened yesterday, dont let it slip through the cracks
+8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
+EOF
+
+
+ m sudo rsync -ahhi --chown=root:root --chmod=0755 \
+ /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+ u /etc/systemd/system/mailtest-check.service <<'EOF'
+[Unit]
+Description=mailtest-check
+After=local-fs.target
+StartLimitIntervalSec=0
+
+[Service]
+# avoid fans spinning up
+CPUQuota=22%
+Type=simple
+ExecStart=/usr/local/bin/mailtest-check slow
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=graphical.target
+EOF
+ sysd-prom-fail-install mailtest-check
+ ;;&
+ $MAIL_HOST)
+ test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
+ test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
+
+ cat >>/etc/cron.d/mailtest <<EOF
+# 10 am friday
+0 10 * * 5 root echo "weekly alert. You are not in the matrix."
+2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
+EOF
+ ;;&
+ bk)
+ test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
+ test_tos=(testignore@iankelling.org testignore@je.b8.nz)
+ # We dont need to send from different addresses to the same
+ # address. this breaks down our nice elegant logic of building up
+ # froms and tos , so I just handle expertpath in a special case
+ # below and set the to: to be testignore@zroe.org. If we did sent
+ # that way, it would also mess up our mailtest-check logic that
+ # finds which messages to check.
+ # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
+ # that would become 2 messages and we'd only check 1.
+ ;;&
+ je)
+ test_froms=(testignore@je.b8.nz)
+ test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
+ ;;&
+ $MAIL_HOST|bk|je)
+
+ # Dont put these test messages into the sent folder or else it will
+ # overwhelm it, plus i dont want to save a copy at all.
+ # Plus addresses we generally want to ignore.
+ u /etc/exim4/ignore-sent <<EOF
+$(printf "%s\n" ${test_tos[@]})
+vojdedIdNejyebni@b8.nz
+b@eximbackup.b8.nz
+EOF
+
+ cat >/usr/local/bin/send-test-forward <<'EOF'
+#!/bin/bash
+# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
+olds=(
+$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+)
+if (( ${#olds[@]} )); then
+ /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
+fi
+EOF
+ for test_from in ${test_froms[@]}; do
+
+ test_to=${test_tos[0]}
+ for t in ${test_tos[@]:1}; do
+ if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
+ continue
+ fi
+ test_to+=", $t"
+ done
+ case $test_from in
+ testignore@expertpathologyreview.com)
+ test_to=testignore@zroe.org
+ ;;
+ esac
+
+ cat >>/usr/local/bin/send-test-forward <<EOFOUTER
+/usr/sbin/exim -odf -f $test_from -t <<EOF
+From: $test_from
+To: $test_to
+Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
+
+/usr/local/bin/send-test-forward
+EOF
+EOFOUTER
+ done
+ m chmod +x /usr/local/bin/send-test-forward
+ ;;
+ *)
+ soff mailtest-check.service
+ rm -fv /etc/cron.d/mailtest \
+ /var/lib/prometheus/node-exporter/mailtest-check.prom* \
+ /var/local/cron-errors/check-remote-mailqs*
+ ;;
+esac
+
+
# * start / stop services
reifactive dnsmasq nscd
;;&
$MAIL_HOST|bk|je)
# start spamassassin/dovecot before exim.
- sre dovecot $spamd_ser
+ sre dovecot $spamd_ser mailtest-check
# Wait a bit before restarting exim, else I get a paniclog entry
# like: spam acl condition: all spamd servers failed. But I'm tired
# of waiting. I'll deal with this some other way.
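Review bot: The relocated mailtest block still expands its arrays unquoted — `${test_tos[@]}` in the ignore-sent heredoc at L270, `${test_froms[@]}` at L285 and `${test_tos[@]:1}` at L288 — which ShellCheck flags (SC2068); since the block is being moved anyway, `"${test_tos[@]}"`, `"${test_froms[@]}"` and `"${test_tos[@]:1}"` would make the intent explicit (the address lists contain no whitespace, so behaviour is unchanged). The move is not byte-identical to the removed copy: the unit gains `CPUQuota=22%` and the `sre mailtest-check` call is dropped in favour of the `sre dovecot $spamd_ser mailtest-check` line at L327, which the commit description should record. The `case $HOSTNAME` statement at L201–L318 is complete within the hunk.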
bk) sre exim4in ;;
esac
-# * mail monitoring / testing
-
-# note, to test clamav, send an email with body that only contains
-# https://en.wikipedia.org/wiki/EICAR_test_file
-# which set malware_name to Eicar-Signature
-case $HOSTNAME in
- $MAIL_HOST|bk|je)
- # note: cronjob "ian" also does some important monitoring
- # todo: this will sometimes cause an alert because mailtest-check will run
- # before we have setup network namespace and spamassassin
- u /etc/cron.d/mailtest <<EOF
-SHELL=/bin/bash
-PATH=/usr/bin:/bin:/usr/local/bin
-MAILTO=daylert@iankelling.org
-*/5 * * * * $u send-test-forward |& log-once send-test-forward
-*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-# if a bounce happened yesterday, dont let it slip through the cracks
-8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
-EOF
-
-
- m sudo rsync -ahhi --chown=root:root --chmod=0755 \
- /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
- u /etc/systemd/system/mailtest-check.service <<'EOF'
-[Unit]
-Description=mailtest-check
-After=local-fs.target
-StartLimitIntervalSec=0
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/mailtest-check slow
-Restart=always
-RestartSec=60
-
-[Install]
-WantedBy=graphical.target
-EOF
- sysd-prom-fail-install mailtest-check
- sre mailtest-check
- ;;&
- $MAIL_HOST)
- test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
- test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
-
- cat >>/etc/cron.d/mailtest <<EOF
-# 10 am friday
-0 10 * * 5 root echo "weekly alert. You are not in the matrix."
-2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
-EOF
- ;;&
- bk)
- test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
- test_tos=(testignore@iankelling.org testignore@je.b8.nz)
- # We dont need to send from different addresses to the same
- # address. this breaks down our nice elegant logic of building up
- # froms and tos , so I just handle expertpath in a special case
- # below and set the to: to be testignore@zroe.org. If we did sent
- # that way, it would also mess up our mailtest-check logic that
- # finds which messages to check.
- # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
- # that would become 2 messages and we'd only check 1.
- ;;&
- je)
- test_froms=(testignore@je.b8.nz)
- test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
- ;;&
- $MAIL_HOST|bk|je)
-
- # Dont put these test messages into the sent folder or else it will
- # overwhelm it, plus i dont want to save a copy at all.
- # Plus addresses we generally want to ignore.
- u /etc/exim4/ignore-sent <<EOF
-$(printf "%s\n" ${test_tos[@]})
-vojdedIdNejyebni@b8.nz
-b@eximbackup.b8.nz
-EOF
-
- cat >/usr/local/bin/send-test-forward <<'EOF'
-#!/bin/bash
-# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
-olds=(
-$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
-)
-if (( ${#olds[@]} )); then
- /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
-fi
-EOF
- for test_from in ${test_froms[@]}; do
-
- test_to=${test_tos[0]}
- for t in ${test_tos[@]:1}; do
- if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
- continue
- fi
- test_to+=", $t"
- done
- case $test_from in
- testignore@expertpathologyreview.com)
- test_to=testignore@zroe.org
- ;;
- esac
-
- cat >>/usr/local/bin/send-test-forward <<EOFOUTER
-/usr/sbin/exim -odf -f $test_from -t <<EOF
-From: $test_from
-To: $test_to
-Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
-
-/usr/local/bin/send-test-forward
-EOF
-EOFOUTER
- done
- m chmod +x /usr/local/bin/send-test-forward
- ;;
- *)
- soff mailtest-check.service
- rm -fv /etc/cron.d/mailtest \
- /var/lib/prometheus/node-exporter/mailtest-check.prom* \
- /var/local/cron-errors/check-remote-mailqs*
- ;;
-esac
-
-
-
# * misc
m sudo -u $u mkdir -p /home/$u/.cache
set -- /m/mucache /home/$u/.cache/mu /m/.mu /home/$u/.mu