+if [[ -s /usr/local/lib/err ]]; then
+ source /usr/local/lib/err
+elif [[ -s /a/bin/errhandle/err ]]; then
+ source /a/bin/errhandle/err
+else
+ err "no err tracing script found"
+ exit 1
+fi
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+if [[ ! $SUDO_USER ]]; then
+ echo "$0: error: requires running as nonroot or sudo"
+ exit 1
+fi
+u=$SUDO_USER
+
+
+usage() {
+ cat <<EOF
+Usage: ${0##*/}
+Setup exim4 & dovecot & related things
+
+-h|--help Print help and exit.
+EOF
+ exit $1
+}
+
+
+
+####### instructions for icedove #####
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
+# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+#
+# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
+# background: ovecot does not yet have ocsp stapling support
+# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#
+# for phone, k9mail, same thing but username alerts, pass in ivy-pass.
+# also, l2.b8.nz for secondary alerts
+# fetching mail settings: folder poll frequency 10 minutes
+#######
+
+
+# * perstent password instructions
+# # exim passwords:
+# # for hosts which have all private files I just use the same user
+# # for other hosts, each one get\'s their own password.
+# # for generating secure pass, and storing for server too:
+# f=$(mktemp)
+# I use $HOSTNAME as username
+# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
+# s sed -i "/^$HOSTNAME:/d" /p/c/filesystem/etc/exim4/passwd
+# echo "$HOSTNAME:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
+# reference: exim4_passwd_client(5)
+# echo "mail.iankelling.org:$HOSTNAME:$(<$f)" > /p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+# # then run this script
+
+# # dovecot password, i just need 1 as I\'m the only user
+# mkdir /p/c/filesystem/etc/dovecot
+# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
+
+####### end perstent password instructions ######
+
+
+# * persistent dkim/dns instructions
+# # Remove 1 level of comments in this section, set the domain var
+# # for the domain you are setting up, then run this and copy dns settings
+# # into dns.
+# domain=iankelling.org
+# c /p/c/filesystem/etc/exim4
+# # this has several bugs addressed in comments, but it was helpful
+# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# openssl genrsa -out $domain-private.pem 2048 -outform PEM
+# openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
+# # selector is needed for having multiple keys for one domain.
+# # I dun do that, so just use a static one: li
+# echo "txt record name: li._domainkey.$domain"
+# # Debadmin page does not have v=, fastmail does, and this
+# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
+# # https://www.ietf.org/rfc/rfc6376.txt
+# # Join and print all but first and last line.
+# # last line: swap hold & pattern, remove newlines, print.
+# # lines 2+: append to hold space
+# echo "txt record contents:"
+# echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
+# # selector was also put into /etc/exim4/conf.d/main/000_local,
+
+# # 2017-02 dmarc policies:
+# # host -t txt _dmarc.gmail.com
+# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
+# # there were articles claiming gmail would be changing
+# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
+# # expected to cause problems
+# # with a few old mailing lists, copying theirs for now.
+#
+# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
+
+# # 2017-02 spf policies:
+# # host -t txt lists.fedoraproject.org
+# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
+# # i include fastmail\'s settings, per their instructions,
+# # and follow their policy. In mail in a box, or similar instructions,
+# # I\'ve seen recommended to not use a restrictive policy.
+
+# # to check if dns has updated, you do
+# host -a mesmtp._domainkey.$domain
+
+# # mx records,
+# # setting it to iankelling.org would work the same, but this
+# # is more flexible, I could change where mail.iankelling.org pointed.
+# cat <<'EOF'
+# mx records, 2 records each, for * and empty domain
+# pri 10 mail.iankelling.org
+# EOF
+####### end persistent dkim instructions #########
+
+
+# * functions constants
+e() { printf "%s\n" "$*"; }
+pi() { # package install without starting daemons
+ local f
+ if dpkg -s -- "$@" &> /dev/null; then
+ return 0;
+ fi;
+ while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
+ f=/var/cache/apt/pkgcache.bin;
+ if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
+ m apt-get update
+ fi
+ f=/usr/sbin/policy-rc.d
+ dd of=$f 2>/dev/null <<EOF
+#!/bin/sh
+exit 101
+EOF
+ chmod +x $f
+ ret=
+ DEBIAN_FRONTEND=noninteractive m apt-get -y install --purge --auto-remove "$@" || ret=$?
+ rm $f
+ if [[ $ret ]]; then
+ err-exit $ret "failed apt-get install above"
+ fi
+}
+
+postmaster=alerts
+mxhost=mail.iankelling.org
+mxport=587
+forward=$u@$mxhost
+
+# old setup. left as comment for example
+# mxhost=mail.messagingengine.com
+# mxport=587
+# forward=ian@iankelling.org
+
+smarthost="$mxhost::$mxport"
+
+## * Install packages
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq
+
+# trisquel 8 = openvpn, debian stretch = openvpn-client
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+ vpn_ser=openvpn
+fi
+
+uhome=$(eval echo ~$u)
+### * user forward file
+
+case $HOSTNAME in
+ $MAIL_HOST|l2)
+ # afaik, these will get ignored on MAIL_HOST because they are routing to my own
+ # machine, but rm them is safer
+ rm -fv $uhome/.forward /root/.forward
+ ;;
+ *)
+ # this can\'t be a symlink and has permission restrictions
+ # it might work in /etc/aliases, but this seems more proper.
+ e setting $uhome/.forward to $forward
+ install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward
+ ;;
+esac
+
+# * Mail clean cronjob
+
+cat >/etc/systemd/system/mailclean.timer <<'EOF'
+[Unit]
+Description=Run mailclean daily
+
+[Timer]
+OnCalendar=monthly
+
+[Install]
+WantedBy=timers.target
+EOF
+
+cat >/etc/systemd/system/mailclean.service <<EOF
+[Unit]
+Description=Delete and archive old mail files
+After=multi-user.target
+
+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+EOF
+
+systemctl daemon-reload