X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=31841b9ef71f6293a95e0784411fbbef44eebd48;hb=8052829d2babeda2fc639666cf6b1ee649f283a6;hp=7cc7a32b6244b2b162ef5a16214c579cc3dddc82;hpb=7a82762b44f4732f6b075a0cb5d8b258f5022d12;p=distro-setup diff --git a/mail-setup b/mail-setup index 7cc7a32..31841b9 100755 --- a/mail-setup +++ b/mail-setup @@ -1,7 +1,7 @@ #!/bin/bash set -x -# Copyright (C) 2016 Ian Kelling +# Copyright (C) 2019 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -15,35 +15,44 @@ set -x # See the License for the specific language governing permissions and # limitations under the License. +# todo: make quick backups of maildir, or deliver to multiple hosts. + set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +if [[ ! $SUDO_USER ]]; then + echo "$0: error: requires running as nonroot or sudo" + exit 1 +fi +u=$SUDO_USER + usage() { - cat < preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false +# background: ovecot does not yet have ocsp stapling support +# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 +# +# for phone, same thing but username alerts, pass in ivy-pass. +####### ####### begin perstent password instructions ###### @@ -57,12 +66,13 @@ u=$SUDO_USER # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f # s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd # echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd -# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass +# # todo: port is no longer used in mailpass, remove it. +# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass # # then run this script, or part of it which uses /etc/mailpass # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot -# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users +# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users # conflink @@ -117,7 +127,8 @@ u=$SUDO_USER # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain" # # 2017-02 spf policies: -# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all +# # host -t txt lists.fedoraproject.org +# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all # # i include fastmail\'s settings, per their instructions, # # and follow their policy. In mail in a box, or similar instructions, # # I\'ve seen recommended to not use a restrictive policy. @@ -138,48 +149,24 @@ u=$SUDO_USER ####### end persistent dkim instructions ######### -# misc exim notes: -# useful exim docs: -# /usr/share/doc/exim4-base/README.Debian.gz -# /usr/share/doc/exim4-base/spec.txt.gz - -# routers, transports, and authenticators are sections, and you define -# driver instances in those sections, and the manual calls them driver -# types but there is also a more specific "type" of driver, which is specified -# with the driver = some_module setting in the driver. - -# the driver option must precede and private options (options that are -# specific to that driver), so follow example of putting it at beginning. - -# The full list of option settings for any particular driver instance, -# including all the defaulted values, can be extracted by making use of -# the -bP command line option. -# exim -bP config_file to see what config file it used -# exim -bP config to see - -# exim clear out message queue. as root: -# adapted from somewhere on stackoverflow. -# ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4 -# fastmail has changed their smtp server, but the old one still works, -# I see no reason to bother changing. -# New one is smtp.fastmail.com - -# test delivery & rewrite settings: -#exim4 -bt iank@localhost - - -postconfin() { - local MAPFILE - mapfile -t - local s - postconf -ev "${MAPFILE[@]}" -} e() { printf "%s\n" "$*"; } +pi() { # package install + local f + if dpkg -s -- "$@" &> /dev/null; then + return 0; + fi; + while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done + f=/var/cache/apt/pkgcache.bin; + if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then + apt-get update + fi + apt-get -y install --purge --auto-remove "$@" +} -postmaster=$u +postmaster=alerts mxhost=mail.iankelling.org -mxport=25 +mxport=587 forward=$u@$mxhost # old setup. left as comment for example @@ -187,198 +174,203 @@ forward=$u@$mxhost # mxport=587 # forward=ian@iankelling.org -relayhost="[$mxhost]:$mxport" # postfix smarthost="$mxhost::$mxport" # exim # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn + vpn_ser=openvpn fi if [[ $HOSTNAME == $MAIL_HOST ]]; then - # afaik, these will get ignored because they are routing to my own - # machine, but rm them is safer - rm -f $(eval echo ~$postmaster)/.forward /root/.forward + # afaik, these will get ignored because they are routing to my own + # machine, but rm them is safer + rm -f $(eval echo ~$u)/.forward /root/.forward else - # this can\'t be a symlink and has permission restrictions - # it might work in /etc/aliases, but this seems more proper. - install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward -fi - -# offlineimap uses this too, it is much easier to use one location than to -# condition it\'s config and postfix\'s config -if [[ -f /etc/fedora-release ]]; then - /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt + # this can\'t be a symlink and has permission restrictions + # it might work in /etc/aliases, but this seems more proper. + install -m 644 {-o,-g}$u <(e $forward) $(eval echo ~$u)/.forward fi -if postfix; then - # dunno why, but debian installed postfix with builddep emacs - # but I will just explicitly install it here since - # I use it for sending mail in emacs. - if command -v apt-get &> /dev/null; then - debconf-set-selections </dev/null; then - dpkg-reconfigure -u -fnoninteractive postfix - else - apt-get -y install --purge --auto-remove postfix - fi - else - source /a/bin/distro-functions/src/package-manager-abstractions - pi postfix - # Settings from reading the output when installing on debian, - # then seeing which were different in a default install on arch. - # I assume the same works for fedora. - postconfin <>$f - done - postmap hash:/etc/postfix/sasl_passwd - # need restart instead of reload when changing - # inet_protocols - service postfix restart - -else # begin exim. has debian specific stuff for now - - if ! dpkg -s openvpn &>/dev/null; then - apt-get -y install --purge --auto-remove openvpn - fi - - if [[ -e /p/c/filesystem ]]; then - # to put the hostname in the known hosts - ssh -o StrictHostKeyChecking=no root@li.iankelling.org : - /a/exe/vpn-mk-client-cert -b mail -n mail li.iankelling.org - fi - - cat >/etc/systemd/system/mailroute.service </etc/systemd/system/offlineimapsync.timer <<'EOF' +cat >/etc/systemd/system/mailclean.timer <<'EOF' [Unit] -Description=Run offlineimap-sync once every 5 mins +Description=Run mailclean daily [Timer] -OnCalendar=*:0/5 +OnCalendar=monthly [Install] WantedBy=timers.target EOF - cat >/etc/systemd/system/offlineimapsync.service </etc/systemd/system/mailclean.service </etc/exim4/rcpt_local_acl <<'EOF' +# Only hosts we control send to @mail.iankelling.org, so make sure +# they are all authed. +# Note, if we wanted authed senders for all domains, +# we could make this condition in acl_check_mail +deny + message = ian trusted domain recepient but no auth + !authenticated = * + domains = mail.iankelling.org EOF +cat >/etc/exim4/data_local_acl <<'EOF' +# Except for the "condition =", this was +# a comment in the check_data acl. The comment about this not +# being suitable is mostly bs. The only thing related I found was to +# add the condition =, cuz spamassassin has problems with big +# messages and spammers don't bother with big messages, +# but I've increased the size from 10k +# suggested in official docs, and 100k in the wiki example because +# those docs are rather old and I see a 110k spam message +# pretty quickly looking through my spam folder. +warn + condition = ${if < {$message_size}{2000K}} + spam = Debian-exim:true + add_header = X-Spam_score: $spam_score\n\ + X-Spam_score_int: $spam_score_int\n\ + X-Spam_bar: $spam_bar\n\ + X-Spam_report: $spam_report + +#accept +# spf = pass:fail:softfail:none:neutral:permerror:temperror +# dmarc_status = reject:quarantine +# add_header = Reply-to: dmarctest@iankelling.org - source /a/bin/bash_unpublished/source-semi-priv - exim_main_dir=/etc/exim4/conf.d/main - mkdir -p $exim_main_dir +EOF +cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' +# from 30_exim4-config_examples +plain_server: +driver = plaintext +public_name = PLAIN +server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +server_set_id = $auth2 +server_prompts = : +.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +.endif +EOF +cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' +### router/900_exim4-config_local_user +################################# + +# This router matches local user mailboxes. If the router fails, the error +# message is "Unknown user". + +local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + domains = +local_domains +# ian: commented this, in conjunction with a dovecot lmtp +# change so I get mail for all users. +# check_local_user + local_parts = ! root + transport = LOCAL_DELIVERY + cannot_route_message = Unknown user +EOF +cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' +dovecot_lmtp: + driver = lmtp + socket = /var/run/dovecot/lmtp + #maximum number of deliveries per batch, default 1 + batch_max = 200 +EOF - #### begin mail cert setup ### - f=/usr/local/bin/mail-cert-cron - cat >$f <<'EOF' +cat >/etc/exim4/host_local_deny_exceptions <<'EOF' +mail.fsf.org +EOF + +cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' +# smarthost for fsf mail +# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and +# replaced DCsmarthost with mail.fsf.org +fsfsmarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = ! +local_domains + senders = *@fsf.org + transport = remote_smtp_smarthost + route_list = * mail.fsf.org byname + host_find_failed = ignore + same_domain_copy_routing = yes + no_more +EOF + + +#### begin mail cert setup ### +f=/usr/local/bin/mail-cert-cron +cat >$f <<'EOF' set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@" -f=/a/bin/bash_unpublished/source-semi-priv +f=/a/bin/bash_unpublished/source-state if [[ -e $f ]]; then source $f fi if [[ $HOSTNAME == $MAIL_HOST ]]; then local_mx=mail.iankelling.org - rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/" + rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" ${rsync_common}fullchain.pem /etc/exim4/exim.crt + ret=$? ${rsync_common}privkey.pem /etc/exim4/exim.key + new_ret=$? + if [[ $ret != $new_ret ]]; then + echo "$0: error: differing rsync returns, $ret, $new_ret" + exit 1 + fi +fi +if [[ $new_ret != 0 ]]; then + if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then + echo "$0: error!: cert rsync failed and it will expire in less than 3 days" + exit 1 + fi fi +exit 0 EOF - chmod 755 $f +chmod 755 $f - cat >/etc/systemd/system/mailcert.service <<'EOF' +cat >/etc/systemd/system/mailcert.service <<'EOF' [Unit] Description=Mail cert rsync After=multi-user.target @@ -388,7 +380,7 @@ Type=oneshot ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron EOF - cat >/etc/systemd/system/mailcert.timer <<'EOF' +cat >/etc/systemd/system/mailcert.timer <<'EOF' [Unit] Description=Run mail-cert once a day @@ -398,131 +390,87 @@ OnCalendar=daily [Install] WantedBy=timers.target EOF - systemctl daemon-reload - systemctl start mailcert - systemctl restart mailcert.timer - systemctl enable mailcert.timer - - ##### end mailcert setup ##### - - - - if [[ $HOSTNAME == $MAIL_HOST ]]; then - - debconf-set-selections </etc/exim4/update-exim4.conf.conf <<'EOF' +# default stuff, i havent checked if its needed +dc_minimaldns='false' +dc_relay_nets='' +CFILEMODE='644' +dc_use_split_config='true' +dc_local_interfaces='' +dc_mailname_in_oh='true' +EOF -# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled. -# System mail name: -exim4-config exim4/mailname string mail.iankelling.org +if [[ $HOSTNAME == $MAIL_HOST ]]; then + # mail.iankelling.org so local imap clients can connect with tls and + # when they happen to not be local. + sed -ri -f - /etc/hosts <<'EOF' +/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d} +/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/ +EOF + /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] +server=/mail.iankelling.org/127.0.1.1 +EOF + systemctl reload dnsmasq + # I used to use debconf-set-selections + dpkg-reconfigure, + # which then updates this file + # but the process is slower than updating it directly and then I want to set other things in + # update-exim4.conf.conf, so there's no point. + # The file is documented in man update-exim4.conf, + # except the man page is not perfect, read the bash script to be sure about things. + # The debconf questions output is additional documentation that is not + # easily accessible, but super long, along with the initial default comment in this + # file, so I've saved that into ./mail-notes.conf. -# Please enter a semicolon-separated list of recipient domains for which this machine -# should consider itself the final destination. These domains are commonly called -# 'local domains'. The local hostname (treetowl.lan) and 'localhost' are always added -# to the list given here. + cat >>/etc/exim4/update-exim4.conf.conf <$exim_main_dir/000_localmacros < /etc/mailname + + # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the + # smarthost config type, not sure. all other settings + # would be unused in that config type. + rm -f /etc/exim4/conf.d/main/000_localmacros # old filename + cat >/etc/exim4/conf.d/main/000_local <$f <<'EOF' +#!/bin/bash +cd /etc +wget -nv -N https://publicsuffix.org/list/public_suffix_list.dat +EOF + chmod 755 $f + + + ####### begin dovecot setup ######## + # based on a little google and package search, just the dovecot + # packages we need instead of dovecot-common. + # + # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir + # directly. The reason to do this is to use dovecot\'s sieve, which + # has extensions that allow it to be almost equivalent to exim\'s + # filter capabilities, some ways probably better, some worse, and + # sieve has the benefit of being supported in postfix and + # proprietary/weird environments, so there is more examples on the + # internet. I was torn about whether to do this or not, meh. + pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd + + # if we changed 90-sieve.conf and removed the active part of the + # sieve option, we wouldn\'t need this, but I\'d rather not modify a + # default config if not needed. This won\'t work as a symlink in /a/c + # unfortunately. + sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve + + # we set this later in local.conf + sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF' /^\s*mail_location\s*=/d EOF - cat >/etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/local.conf <<'EOF' + cat >/etc/dovecot/local.conf <<'EOF' # so I can use a different login that my shell login for mail. this is # worth doing solely for the reason that if this login is compromised, # it won't also compromise my shell password. @@ -655,73 +622,114 @@ ssl_cert = /dev/null ||: - systemctl stop offlineimapsync.timer &>/dev/null ||: - systemctl disable $vpn_ser@mail - systemctl stop $vpn_ser@mail - systemctl disable dovecot ||: - systemctl stop dovecot ||: - # - # - # would only exist because I wrote it i the previous condition, - # it\'s not part of exim - rm -f $exim_main_dir/000_localmacros - debconf-set-selections <$d/override.conf <<'EOF' +[Service] +Restart=always +# time to sleep before restarting a service +RestartSec=1 + +[Unit] +# StartLimitIntervalSec in recent systemd versions +StartLimitInterval=0 EOF - fi # end $HOSTNAME != $MAIL_HOST + systemctl enable mailclean.timer + systemctl start mailclean.timer + systemctl restart $vpn_ser@mail + systemctl enable $vpn_ser@mail + systemctl enable dovecot + systemctl restart dovecot + +else # $HOSTNAME != $MAIL_HOST + # remove mail. 2 lines to properly remove whitespace + sed -ri -f - /etc/hosts <<'EOF' +s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1# +s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2# +EOF - # if we already have it installed, need to reconfigure, without being prompted - if dpkg -s exim4-config &>/dev/null; then - # gotta remove this, otherwise the set-selections are completely - # ignored. It woulda been nice if this was documented somewhere! - rm -f /etc/exim4/update-exim4.conf.conf - dpkg-reconfigure -u -fnoninteractive exim4-config - fi - # light version of exim does not have sasl auth support. - apt-get -y install --purge --auto-remove exim4-daemon-heavy spamassassin + echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]] + systemctl reload dnsmasq + + systemctl disable mailclean.timer &>/dev/null ||: + systemctl stop mailclean.timer &>/dev/null ||: + systemctl disable $vpn_ser@mail + systemctl stop $vpn_ser@mail + systemctl disable dovecot ||: + systemctl stop dovecot ||: + # + # + # would only exist because I wrote it i the previous condition, + # it\'s not part of exim + rm -f /etc/exim4/conf.d/main/000_localmacros + cat >>/etc/exim4/update-exim4.conf.conf < /etc/mailname + +fi # end $HOSTNAME != $MAIL_HOST + +systemctl reload exim4 + +# i have the spool directory be common to distro multi-boot, so +# we need the uid to be the same. 608 cuz it's kind of in the middle +# of the free system uids. +IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS +IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS +if [[ ! $uid ]]; then + # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options + adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \ + --no-create-home --disabled-login --force-badname Debian-exim +elif [[ $uid != 608 ]]; then + systemctl stop exim4 ||: + usermod -u 608 Debian-exim + groupmod -g 608 Debian-exim + usermod -g 608 Debian-exim + find / /nocow -xdev -uid $uid -exec chown -h 608 {} + + find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} + +fi +# light version of exim does not have sasl auth support. +pi exim4-daemon-heavy spamassassin spf-tools-perl - ##### begin spamassassin config - systemctl enable spamassassin - # per readme.debian - sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin - e CRON=1 >>/etc/default/spamassassin - # just noticed this in the config file, seems like a good idea. - sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin - e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin - systemctl start spamassassin - systemctl reload spamassassin - cat >/etc/systemd/system/spamddnsfix.service <<'EOF' +##### begin spamassassin config +systemctl enable spamassassin +# per readme.debian +sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin +e CRON=1 >>/etc/default/spamassassin +# just noticed this in the config file, seems like a good idea. +sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin +e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin +systemctl start spamassassin +systemctl reload spamassassin + +cat >/etc/systemd/system/spamddnsfix.service <<'EOF' [Unit] Description=spamd dns bug fix cronjob @@ -729,10 +737,10 @@ Description=spamd dns bug fix cronjob Type=oneshot ExecStart=/a/bin/distro-setup/spamd-dns-fix EOF - # 2017-09, debian closed the bug on this saying upstream had fixed it. - # remove this when i\'m using the newer package, ie, debian 10, or maybe - # ubuntu 18.04. - cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' +# 2017-09, debian closed the bug on this saying upstream had fixed it. +# remove this when i\'m using the newer package, ie, debian 10, or maybe +# ubuntu 18.04. +cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' [Unit] Description=run spamd bug fix script every 10 minutes @@ -746,153 +754,145 @@ OnUnitActiveSec=550 [Install] WantedBy=timers.target EOF - systemctl daemon-reload - systemctl restart spamddnsfix.timer - systemctl enable spamddnsfix.timer - # - ##### end spamassassin config +systemctl daemon-reload +systemctl restart spamddnsfix.timer +systemctl enable spamddnsfix.timer +# +##### end spamassassin config - cat >/etc/exim4/rcpt_local_acl <<'EOF' -# Only hosts we control send to mail.iankelling.org, so make sure -# they are all authed. -# Note, if we wanted authed senders for all domains, -# we could make this condition in acl_check_mail -deny - message = ian trusted domain recepient but no auth - !authenticated = * - domains = mail.iankelling.org -EOF - cat >/etc/exim4/data_local_acl <<'EOF' -# Except for the "condition =", this was -# a comment in the check_data acl. The comment about this not -# being suitable is mostly bs. The only thing related I found was to -# add the condition =, cuz spamassassin has problems with big -# messages and spammers don't bother with big messages, -# but I've increased the size from 10k -# suggested in official docs, and 100k in the wiki example because -# those docs are rather old and I see a 110k spam message -# pretty quickly looking through my spam folder. - warn - condition = ${if < {$message_size}{2000K}} - spam = Debian-exim:true - add_header = X-Spam_score: $spam_score\n\ - X-Spam_score_int: $spam_score_int\n\ - X-Spam_bar: $spam_bar\n\ - X-Spam_report: $spam_report +# https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost +# i only need .forwards, so just doing that one. +cd /etc/exim4/conf.d/router +b=userforward_higher_priority +# replace the router name so it is unique +sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b -EOF - cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' -# from 30_exim4-config_examples +# begin setup passwd.client +f=/etc/exim4/passwd.client +rm -f /etc/exim4/passwd.client +install -m 640 -g Debian-exim /dev/null $f +while read -r domain _ pass; do + # reference: exim4_passwd_client(5) + printf "%s:%s\n" "$domain" "$pass" >>$f +done /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' -### router/900_exim4-config_local_user -################################# +systemctl restart exim4 -# This router matches local user mailboxes. If the router fails, the error -# message is "Unknown user". -local_user: - debug_print = "R: local_user for $local_part@$domain" - driver = accept - domains = +local_domains -# ian: commented this, in conjunction with a dovecot lmtp -# change so I get mail for all users. -# check_local_user - local_parts = ! root - transport = LOCAL_DELIVERY - cannot_route_message = Unknown user -EOF - cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' -dovecot_lmtp: - driver = lmtp - socket = /var/run/dovecot/lmtp - #maximum number of deliveries per batch, default 1 - batch_max = 200 -EOF +# /etc/alias setup is debian specific, and exim postinst script sets up +# an /etc/alias from root to the postmaster, based on the question +# exim4-config exim4/dc_postmaster, as long as there exists an entry for +# root, or there was no preexisting aliases file. postfix won\'t set up +# a root to $postmaster alias if it\'s already installed. Easiest to +# just set it ourselves. + +# debconf question for postmaster: +# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected +# to the user account of the actual system administrator. +# If this value is left empty, such mail will be saved in /var/mail/mail, which is not +# recommended. +# Note that postmaster\'s mail should be read on the system to which it is directed, +# rather than being forwarded elsewhere, so (at least one of) the users listed here +# should not redirect their mail off this machine. A 'real-' prefix can be used to +# force local delivery. +# Multiple user names need to be separated by spaces. +# Root and postmaster mail recipient: - # begin setup passwd.client - f=/etc/exim4/passwd.client - rm -f /etc/exim4/passwd.client - install -m 640 -g Debian-exim /dev/null $f - cat /etc/mailpass| while read -r domain port pass; do - # reference: exim4_passwd_client(5) - printf "%s:%s\n" "$domain" "$pass" >>$f - done - # end setup passwd.client - - # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost - # i only need .forwards, so just doing that one. - cd /etc/exim4/conf.d/router - b=userforward_higher_priority - # replace the router name so it is unique - sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b - systemctl restart exim4 - -fi #### end if exim4 - -# /etc/alias setup is debian specific, and -# exim config sets up an /etc/alias from root to the postmaster, which i -# config to ian, as long as there exists an entry for root, or there was -# no preexisting aliases file. based on the postinst file. postfix -# won\'t set up a root to $postmaster alias if it\'s already installed. -# Since postfix is not the greatest, just set it ourselves. if [[ $postmaster != root ]]; then - sed -i --follow-symlinks -f - /etc/aliases </dev/null; then + chgrp 1000 /m/md/INBOX + usermod -a -G 1000 Debian-exim +else + chgrp Debian-exim /m/md/INBOX fi +ln -s /m/md/INBOX /Maildir # put spool dir in directory that spans multiple distros. # based on http://www.postfix.org/qmgr.8.html and my notes in gnus # # todo: I\'m suspicious of uids for Debian-exim being the same across # distros. It would be good to test this. -dir=/nocow/$type -sdir=/var/spool/$type +dir=/nocow/exim4 +sdir=/var/spool/exim4 # we only do this if our system has $dir -if [[ -e $dir && $(readlink -f $sdir) != $dir ]]; then - systemctl stop $type + +# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully, +# about 2 seconds later, exim starts, and immediately puts into paniclog: +# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory +# so, im trying a bind mount to get rid of that. +if [[ -e /nocow ]]; then + if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then + echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >> /etc/fstab + fi + if ! mountpoint -q $sdir; then + systemctl stop exim4 + if [[ -L $sdir ]]; then + rm $sdir + fi if [[ ! -e $dir && -d $sdir ]]; then - mv $sdir $dir + mv $sdir $dir fi - /a/exe/lnf -T $dir $sdir + if [[ ! -d $sdir ]]; then + mkdir $sdir + chmod 000 $sdir # only want it to be used when its mounted + fi + mount $sdir + fi fi -systemctl restart $type -systemctl enable $type + + +systemctl restart exim4 +systemctl enable exim4 + + +if [[ $HOSTNAME == $MAIL_HOST ]]; then + cat >/etc/cron.d/mailtest <<'EOF' +*/10 * * * * iank echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de +2/10 * * * * root /usr/local/bin/mailtest-check +EOF + cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin +else + rm -f /etc/cron.d/mailtest +fi # MAIL_HOST also does radicale, and easier to start and stop it here # for when MAIL_HOST changes, so radicale gets the synced files and # does not stop us from remounting /o. if dpkg -s radicale &>/dev/null; then - if [[ $HOSTNAME == $MAIL_HOST ]]; then - systemctl restart radicale - systemctl enable radicale - else - systemctl stop radicale - systemctl disable radicale + if [[ $HOSTNAME == $MAIL_HOST ]]; then + systemctl restart radicale + systemctl enable radicale + if [[ -e /etc/logrotate.d/radicale.disabled ]]; then + mv /etc/logrotate.d/radicale{.disabled,} + fi + else + systemctl stop radicale + systemctl disable radicale + # weekly logrotate tries to restart radicale even if it's a disabled service in flidas. + if [[ -e /etc/logrotate.d/radicale ]]; then + mv /etc/logrotate.d/radicale{,.disabled} fi + fi fi - -# if I wanted the from address to be renamed and sent to a different address, -# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical -# sudo postmap hash:/etc/postfix/recipient_canonical -# sudo service postfix reload +exit 0 +: