# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: handle errors like this:
+# Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
+# Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
+
# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
# todo: consider hardening cups listening on 0.0.0.0
# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
# background: dovecot does not yet have ocsp stapling support
# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
#
-# for phone, k9mail, same thing but username alerts, pass in ivy-pass.
+# for phone, k9mail, fdroid, same thing but username alerts, pass in ivy-pass.
# also, bk.b8.nz for secondary alerts, username is iank. same alerts pass.
-# fetching mail settings: folder poll frequency 10 minutes
+# fetching mail settings: folder poll frequency 10 minutes.
+# account settings, fetching mail, push folders: All. Then disable the persistent notification.
#######
rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
;;
*)
- i /etc/systemd/system/exim4.service.d/nonroot.conf <<'EOF'
+ dirs=()
+ for d in /d /m /media /mnt /nocow /o /p /q; do
+ if [[ -d $d ]]; then
+ dirs+=($d)
+ fi
+ done
+ i /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
# note, in t10 systemd, if one of these is an sshfs mountpoint,
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
-InaccessiblePaths=d m media mnt nocow o p q
+InaccessiblePaths=${dirs[@]}
NoNewPrivileges=yes
ProtectSystem=yes
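Review bot: The `InaccessiblePaths=` list is now fixed at the moment this script runs, so a directory from the list that is created or mounted afterwards stays reachable from the exim service until the script is re-run, which weakens the hardening the setting is meant to provide. systemd documents a `-` prefix for these path settings that ignores entries missing at service start, so the loop could go and the unit stay static: `InaccessiblePaths=-/d -/m -/media -/mnt -/nocow -/o -/p -/q`. If the loop is kept, quote the append (`dirs+=("$d")`), and note that changing the delimiter from `<<'EOF'` to `<<EOF` means any `$` or backtick added to this unit body later has to be escaped. The here-doc's closing `EOF` is outside the hunk.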
echo|i /etc/exim4/conf.d/rcpt_local_acl
echo|i /etc/exim4/conf.d/router/880_universal_forward
- echo amnimal.ninja > /etc/mailname
-
/a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
10.173.8.2 nn.b8.nz
EOF
UPEX4OPTS='-d /etc/myexim4'
EOF
+ echo bk.b8.nz > /etc/mailname
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
-dc_other_hostnames='amnimal.ninja;expertpathologyreview.com'
+dc_other_hostnames='amnimal.ninja;expertpathologyreview.com;bk.b8.nz'
EOF
;;
if $bhost_t; then
install -d /bu
- install -d -g $u -o $u -m 771 /bu/md
+ install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
+ if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
+ chown -R Debian-exim:Debian-exim /bu/md
+ fi
i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
directory_mode = 0700
mode = 0644
mode_fail_narrower = false
- user = $u
EOF
i /etc/exim4/conf.d/router/870_backup_local <<'EOF'
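Review bot: The migration guard `$(stat -c %u /bu/md/cur) == 1000` compares against an unexplained literal; presumably it is the uid of the former `$u` owner from the removed `install -d -g $u -o $u` line, but nothing on the page says so, and on a host where the old owner had a different uid the `chown -R` is silently skipped while `user = $u` has been removed from the transport, so delivery into /bu/md would fail. Comment the intent, e.g. `# one-time fixup: maildir previously owned by $u (uid 1000); re-own for Debian-exim`, and if the intent is simply "anything not already owned by Debian-exim", derive it instead of hard-coding: `if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) != $(id -u Debian-exim) ]]; then`. The `if $bhost_t` block's closing `fi` and the transport here-doc's body and `EOF` are outside the hunk.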
m systemctl daemon-reload
fi
-m systemctl --now enable epanicclean.timer
+m systemctl --now enable epanicclean
case $HOSTNAME in
je)
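Review bot: Switching `systemctl --now enable` from `epanicclean.timer` to `epanicclean` does not disable the timer, and the rsync in the later hunk (`epanicclean.{timer,service}` narrowed to `epanicclean.service`) no longer ships the timer file but does not remove it either, so on a host configured by an earlier run the timer unit stays installed and enabled and keeps triggering the service on its old schedule alongside the now-enabled service. Add, before the enable, `m systemctl disable --now epanicclean.timer 2>/dev/null || true` and `rm -f /etc/systemd/system/epanicclean.timer`, relying on the daemon-reload the script already performs. The `case $HOSTNAME in` that follows is cut by the hunk.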
fi
if ! systemctl is-active clamav-daemon >/dev/null; then
m systemctl --now enable clamav-daemon
- out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.{timer,service} /etc/systemd/system)
+ out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.service /etc/systemd/system)
if [[ $out ]]; then
reload=true
fi
cat >/etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin
-MAILTO=alerts@iankelling.org
-*/5 * * * * $u send-test-forward |& log-once send-test-forward
+MAILTO=daylerts@iankelling.org
+*/5 * * * * $u send-test-forward |& log-once send-test-forward
*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-# im seeing some intermittent failures on the slow check, do it all the time
-# for now. It looks like a dns failure.
-#5-59/5 * * * * root mailtest-check |& log-once -1 mailtest-check
-#0 * * * * root mailtest-check slow |& log-once -1 mailtest-slow
-*/5 * * * * root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
+*/5 * * * * root timeout 290 mailtest-check slow |& log-once -4 mailtest-check
# if a bounce happened yesterday, dont let it slip through the cracks
-8 1 * * * root awk '$5 == "**"' /var/log/exim4/mainlog.1
+8 1 * * * root export MAILTO=alerts@iankelling.org; awk '\$5 == "**"' /var/log/exim4/mainlog.1
+0 13 * * * root echo "If the 1pm doesnt happen, you are in the matrix. Wake up."
EOF
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
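Review bot: The `export MAILTO=alerts@iankelling.org;` prefix on the `8 1 * * *` job has no effect on where cron mails that job's output: cron takes `MAILTO` from the crontab's own variable lines, not from the command's environment, so with the file-level `MAILTO=daylerts@iankelling.org` the yesterday's-bounces report now goes to daylerts@ like everything else and the intent to keep it on alerts@ is silently lost. Vixie/Debian cron lets variable settings appear between entries and apply to the lines that follow, so drop the `export` and put `MAILTO=alerts@iankelling.org` on its own line immediately before `8 1 * * * root awk '\$5 == "**"' /var/log/exim4/mainlog.1`, then re-set `MAILTO=daylerts@iankelling.org` before the `0 13 * * *` line if that heartbeat is meant to stay on the day address. The `\$5` escape is correct now: the here-doc delimiter is unquoted, so the earlier bare `$5` was expanded as the script's own positional parameter rather than reaching awk. The rsync on the last two lines is unchanged context.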