X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=058fb4f52d4d56e4894212a2a1d804d4b36f4a05;hb=f7eaad64a7c5f3bc851f146e1f258d34f398a7d7;hp=c062362c18b70409db760268fc74a0ef40ea167b;hpb=c8f87d4173949b8d96c9c34e2d2c0730caeba0eb;p=distro-setup diff --git a/mail-setup b/mail-setup index c062362..058fb4f 100755 --- a/mail-setup +++ b/mail-setup @@ -50,6 +50,8 @@ EOF # hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false # background: ovecot does not yet have ocsp stapling support # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 +# +# for phone, same thing but username alerts, pass in ivy-pass. ####### @@ -69,7 +71,7 @@ EOF # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot -# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users +# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users # conflink @@ -197,7 +199,7 @@ pi() { # package install apt-get -y install --purge --auto-remove "$@" } -postmaster=$u +postmaster=alerts mxhost=mail.iankelling.org mxport=587 forward=$u@$mxhost @@ -218,11 +220,11 @@ fi if [[ $HOSTNAME == $MAIL_HOST ]]; then # afaik, these will get ignored because they are routing to my own # machine, but rm them is safer - rm -f $(eval echo ~$postmaster)/.forward /root/.forward + rm -f $(eval echo ~$u)/.forward /root/.forward else # this can\'t be a symlink and has permission restrictions # it might work in /etc/aliases, but this seems more proper. - install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward + install -m 644 {-o,-g}$u <(e $forward) $(eval echo ~$u)/.forward fi @@ -320,7 +322,7 @@ debconf-set-selections </etc/exim4/rcpt_local_acl <<'EOF' 
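Review bot: The `ssha256` scheme on the changed `doveadm pw` line is a single salted SHA-256 round, so the hashes are cheap to brute-force if the users file is ever read by someone else; `doveadm pw -s SHA512-CRYPT` (or `BLF-CRYPT` where the build supports it) gives an iterated hash. With `>>` the line now serves more than one account, so the comment above it ("i just need 1 as I'm the only user") is out of date. Rerunning it for an existing user appends a second entry for that name rather than replacing the first.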
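Review bot: Both changed lines in the `.forward` block still resolve the home directory with `$(eval echo ~$u)`, which runs the value of `$u` through the shell a second time and leaves the result unquoted. `u` is assigned outside this hunk, so its contents cannot be checked here; if it were ever empty, `~` would resolve to the invoking user's home and `{-o,-g}$u` would pass a bare `-o -g` to install. A lookup that evaluates nothing is `home=$(getent passwd "$u" | cut -d: -f6)`, followed by `rm -f -- "$home/.forward" /root/.forward` and the same quoted `"$home/.forward"` target in the install line.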
@@ -417,7 +419,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@" -f=/a/bin/bash_unpublished/source-semi-priv +f=/a/bin/bash_unpublished/source-state if [[ -e $f ]]; then source $f fi @@ -474,6 +476,17 @@ systemctl enable mailcert.timer if [[ $HOSTNAME == $MAIL_HOST ]]; then + # mail.iankelling.org so local imap clients can connect with tls and + # when they happen to not be local. + sed -ri -f - /etc/hosts <<'EOF' +/^127\.0\.1\.1.* mail\.iankelling\.org\b/q +/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/ +EOF + /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] +server=/mail.iankelling.org/127.0.1.1 +EOF + systemctl reload dnsmasq + debconf-set-selections </dev/null ||: systemctl stop offlineimapsync.timer &>/dev/null ||: systemctl disable mailclean.timer &>/dev/null ||: 
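Review bot: The first sed expression in the new /etc/hosts block, `/^127\.0\.1\.1.* mail\.iankelling\.org\b/q`, ends the in-place edit as soon as the name is already present. With GNU `sed -i` the lines after the match are then not written back, so a second run would cut /etc/hosts off after the 127.0.1.1 line. A single guarded substitution is idempotent without quitting: `/^127\.0\.1\.1 /{/ mail\.iankelling\.org\b/!s/ *$/ mail.iankelling.org/;}`.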
@@ -918,17 +944,45 @@ fi dir=/nocow/exim4 sdir=/var/spool/exim4 # we only do this if our system has $dir -if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then - systemctl stop exim4 - if [[ ! -e $dir && -d $sdir ]]; then - mv $sdir $dir + +# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully, +# about 2 seconds later, exim starts, and immediately puts into paniclog: +# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory +# so, im trying a bind mount to get rid of that. +if [[ -e /nocow ]]; then + if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then + echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >> /etc/fstab + fi + if ! mountpoint -q $sdir; then + systemctl stop exim4 + if [[ -L $sdir ]]; then + rm $sdir + fi + if [[ ! -e $dir && -d $sdir ]]; then + mv $sdir $dir + fi + if [[ ! -d $sdir ]]; then + mkdir $sdir + chmod 000 $sdir # only want it to be used when its mounted + fi + mount $sdir fi - /a/exe/lnf -T $dir $sdir fi systemctl restart exim4 systemctl enable exim4 + +if [[ $HOSTNAME == $MAIL_HOST ]]; then + cat >/etc/cron.d/mailtest <<'EOF' +*/10 * * * * iank echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de +2/10 * * * * root /usr/local/bin/mailtest-check +EOF + cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin +else + rm -f /etc/cron.d/mailtest +fi + # MAIL_HOST also does radicale, and easier to start and stop it here # for when MAIL_HOST changes, so radicale gets the synced files and # does not stop us from remounting /o.
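Review bot: In the new /etc/cron.d/mailtest heredoc the `%` characters in the two `date` formats are not escaped; crontab(5) turns an unescaped `%` in the command field into a newline and feeds the rest to the command as stdin, so the shell would see the line cut off at `$(date +` and the test mail would not be sent. Escape each one, e.g. `$(date +\%s) $(date +\%Y-\%m-\%dT\%H:\%M:\%S\%z)`. The minute field `2/10` on the second entry is not accepted by every cron implementation; `2-59/10` is the portable spelling. Since that entry runs /usr/local/bin/mailtest-check as root, `install -m 755 -o root -g root` would pin the mode and owner, where `cp` carries over the source file's mode bits.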