fixes

[distro-setup] / exim-nn-iptables

diff --git a/exim-nn-iptables b/exim-nn-iptables
new file mode 100755 (executable)
index 0000000..119eaf0
--- /dev/null
+++ b/exim-nn-iptables
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+# This prevents exim from connecting out to an ip not through the vpn.
+# Before this, I had set exim to be BindsTo=wg-quick@wgmail, which
+# generally made sure it wouldn't run unless the vpn ran, and plus I set
+# a specific interface in the main remote smtp transport. However,
+# However, that wasn't bulletproof, exim spec says about "interface: The
+# first interface of the correct type (IPv4 or IPv6) is used for the
+# outgoing connection. If none of them are the correct type, the option
+# is ignored." And then I found out that the BindsTo results in exim
+# never starting if the vpn fails to start the first time, then starts
+# on the systemd automatic restart. Ugh. So, better to use Wants instead
+# and this.
+
+if !/usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/iptables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi
+
+
+if !/usr/sbin/ip6tables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/ip6tables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi