- # wording of question from dpkg-reconfigure exim4-config
- # 1. internet site; mail is sent and received directly using SMTP
- # 2. mail sent by smarthost; received via SMTP or fetchmail
- # 3. mail sent by smarthost; no local mail
- # 4. local delivery only; not on a network
- # 5. no configuration at this time
- #
- # Note, I have used option 2 in the past for receiving mail
- # from lan hosts, sending external mail via another smtp server.
- #
- # Note, other than configtype, we could set all the options in
- # both types of configs without harm, they would either be
- # ignored or be disabled by other settings, but the default
- # local_interfaces definitely makes things more secure.
-
- # most of these settings get translated into settings
- # in /etc/exim4/update-exim4.conf.conf
- # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
- # documented in man update-exim4.conf, which outputs to the config that
- # exim actually reads. except the man page is not perfect, for example,
- # it doesn't document that it sets
- # DCconfig_${dc_eximconfig_configtype}" "1"
- # which is a line from update-exim4.conf, which is a relatively short bash script.
- # mailname setting sets /etc/mailname
-
- debconf-set-selections <<EOF
-exim4-config exim4/use_split_config boolean true
-EOF
-
- source /a/bin/bash_unpublished/source-semi-priv
- mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
-
- cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
+cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
+EOF
+m systemctl daemon-reload
+m systemctl start mailcert
+m systemctl restart mailcert.timer
+m systemctl enable mailcert.timer
+
+
+
+# * common exim4 config
+source /a/bin/bash_unpublished/source-state
+
+if [[ ! $MAIL_HOST ]]; then
+ err "\$MAIL_HOST not set"
+fi
+
+m sudo gpasswd -a iank adm #needed for reading logs
+
+
+### make local bounces go to normal maildir
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+m mkdir -p ${dirs[@]}
+m chown iank:iank /m /m/md
+m ln -sfT /m/md /m/iank
+m chmod 700 /m /m/md
+m chown -R $u:Debian-exim /m/md/bounces
+m chmod 775 ${dirs[@]}
+m usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+ if [[ ! -L $d ]]; then
+ m rm -rf $d
+ fi
+ m ln -sf -T /m/md/bounces $d
+done
+
+# Note, even the server needs permissions of this file right
+# if it exists, so do this up here.
+f=/p/c/filesystem/etc/exim4/passwd.client
+if [[ ! -e $f ]]; then
+ f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+fi
+m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
+
+# by default, only 10 days of logs are kept. increase that.
+m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+
+
+## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+
+rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
+cat >/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_ENABLE = true
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# more verbose logs
+MAIN_LOG_SELECTOR = +all
+
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters. Also allows
+# me exiqgrep and stuff.
+MAIN_TRUSTED_GROUPS = $u
+
+# default is 10. when exim has been down for a bit, fsf mailserver
+# will do a big send in one connection, then exim decides to put
+# the messages in the queue instead of delivering them, to avoid
+# spawning too many delivery processes. Pretty sure my system
+# can handle a lot more, but lets go with this.
+smtp_accept_queue_per_connection = 100
+
+
+DKIM_CANON = relaxed
+DKIM_SELECTOR = li
+
+# from comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# The file is based on the outgoing domain-name in the from-header.
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
+# sign if key exists
+DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+EOF
+
+rm -fv /etc/exim4/rcpt_local_acl # old path
+cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# Only hosts we control send to @mail.iankelling.org, so make sure