X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=3b281990b11943e0167bd0556db7e153cba0671a;hb=ce4cacd36c5b5babeea85d0f93771017e6169180;hp=ea2b1f25ec13763495629935b965799c5e8d044a;hpb=2a1cee2e73d9291dde9af831bbe9e996199b7cbc;p=distro-setup

diff --git a/mail-setup b/mail-setup
index ea2b1f2..3b28199 100755
--- a/mail-setup
+++ b/mail-setup
@@ -4,10 +4,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 
-# todo: install new alertmanager, like new prometheus
-
-# todo: setup a logrotate for /var/log/mymain and mypanic
-
 # todo: setup an alert for bouncing test emails.
 
 # todo: bounces to my fsf mail can come from fsf@iankelling.org,
@@ -18,11 +14,13 @@
 # todo: handle errors like this:
 # Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
 # Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
+#eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago
+#Debian-+  1954     1  0 36231 11560   4 Apr02 ?        00:40:25 /usr/sbin/exim4 -bd -q30m
+#Debian-+ 23058  1954  0 36821 10564   0 20:38 ?        00:00:00 /usr/sbin/exim4 -bd -q30m
 
 #  todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
 #  todo: consider hardening cups listening on 0.0.0.0
 #  todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
-#  todo: check that spamd and unbound only listen locally.
 
 # todo:  hosts should only allow external mail that is authed and
 # destined for backup route. it is a minor issue since traffic is
@@ -34,10 +32,6 @@
 # todo: run mailping test after running, or otherwise
 # clear out terminal alert
 
-# todo: on bk, dont send email if mailvpn is not up
-
-# todo: mailtest-check should check on bk too
-
 # todo: disable postgrey
 
 # todo: in testforward-check, we should also look
@@ -296,7 +290,8 @@ i() { # install file
   local base="${dest##*/}"
   local dir="${dest%/*}"
   if [[ $dir != "$base" ]]; then
-    mkdir -p ${dest%/*}
+    # dest has a directory component
+    mkdir -p "$dir"
   fi
   ir=false # i result
   tmpdir=$(mktemp -d)
@@ -352,7 +347,6 @@ stopifactive() {
 
 mxhost=mx.iankelling.org
 mxport=587
-forward=$u@$mxhost
 
 # old setup. left as comment for example
 # mxhost=mail.messagingengine.com
@@ -395,6 +389,7 @@ EOF
 fi
 
 # light version of exim does not have sasl auth support.
+# note: for bitfolk hosts, unbound has important config with conflink.
 pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard
 
 # note: pyzor debian readme says you need to run some initialization command
@@ -1008,10 +1003,8 @@ awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /et
   esac
 done
 
-if ! grep -q "^ncsoft:" /etc/aliases; then
-  echo "ncsoft: graceq2323@gmail.com" |m tee -a /etc/aliases
-fi
 
+. /a/bin/bash_unpublished/priv-mail-setup
 
 
 m gpasswd -a iank adm #needed for reading logs
@@ -1097,6 +1090,11 @@ bk.b8.nz * F,1d,4m;F,14d,1h
 eggs.gnu.org * F,1d,4m;F,14d,1h
 fencepost.gnu.org * F,1d,4m;F,14d,1h
 
+# afaik our retry doesnt need this, but just using everything
+mx.amnimal.ninja * F,1d,4m;F,14d,1h
+mx.expertpathologyreview.com * F,1d,4m;F,14d,1h
+
+
 mail.fsf.org * F,1d,15m;F,14d,1h
 EOF
 
@@ -1165,17 +1163,17 @@ DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
 
 domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz
 
-hostlist iank_trusted = <; \\
+hostlist iank_trusted = <; \
 # veth0
-10.173.8.1 ; \\
+10.173.8.1 ; \
 # li li_ip6
-72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \\
+72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \
 # li_vpn_net li_vpn_net_ip6s
-10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ;  \\
+10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ;  \
 # bk bk_ip6
-85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \\
+85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \
 # je je_ipv6
-85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\
+85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \
 # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
 
@@ -1191,6 +1189,17 @@ delay_warning_condition = ${if or {\
   } {no}{yes}}
 
 
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
+# default of 25, can get stuck when catching up on mail
+smtp_accept_max = 400
+smtp_accept_reserve = 100
+smtp_reserve_hosts = +iank_trusted
+
+# Rules that make receiving more liberal should be on backup hosts
+# so that we dont reject mail accepted by MAIL_HOST
+LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
 EOF
 
 rm -fv /etc/exim4/rcpt_local_acl # old path
@@ -1211,6 +1220,7 @@ accept
 EOF
 
 rm -fv /etc/exim4/data_local_acl # old path
+
 i /etc/exim4/conf.d/data_local_acl <<'EOF'
 # Except for the "condition =", this was
 # a comment in the check_data acl. The comment about this not
@@ -1229,6 +1239,8 @@ warn
 
 warn
   !hosts = +iank_trusted
+  # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check.
+  !authenticated = plain_server:login_server
   condition = ${if < {$message_size}{5000K}}
   spam = Debian-exim:true
   add_header = X-Spam_score_int: $spam_score_int
@@ -1237,11 +1249,6 @@ warn
   add_header = X-Spam_report: $spam_report
   add_header = X-Spam_action: $spam_action
 
-warn
-  condition = ${if def:malware_name}
-  remove_header = Subject:
-  add_header = Subject: [Clamav warning: $malware_name] $h_subject
-  log_message = heuristic malware warning: $malware_name
 
 #accept
 #  spf = pass:fail:softfail:none:neutral:permerror:temperror
@@ -1500,7 +1507,7 @@ EOF
   # disable power management feature, set to 240 min sync interval,
   # so it shouldn't be bad.
 
-  # davdroid from f-druid.
+  # davx^5 from f-droid
   # login with url and user name
   # url https://cal.iankelling.org/ian
   # username ian
@@ -1607,7 +1614,7 @@ EOF
       cat <<'EOF'
 # https://ssl-config.mozilla.org
 ssl = required
-# this is the same as the certbot list, in my cert cronjob, I check if that has changed upstream.
+# this is the same as the certbot list, i check changes in /a/bin/ds/filesystem/usr/local/bin/check-lets-encrypt-ssl-settings
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_protocols = TLSv1.2
 ssl_prefer_server_ciphers = no
@@ -1618,7 +1625,7 @@ protocol lmtp {
   mail_plugins = $mail_plugins sieve
 }
 EOF
-      if dpkg --compare-versions $(dpkg-query -f='${Version}\n' --show dovecot-core) ge 1:2.3; then
+      if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge 1:2.3; then
         cat <<EOF
 ssl_dh = </etc/dovecot/dhparam
 EOF
@@ -2267,8 +2274,10 @@ fwrite(STDOUT, "<?php\n\\\$CONFIG = ");
 var_export(\$CONFIG);
 fwrite(STDOUT, ";\n");
 EOF
-    m php tmp.php >config.php
-    m rm -f tmp.php
+    e running php tmp.php
+    php tmp.php >config.php
+    # leave in place for debugging
+    #m rm -f tmp.php
     m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
     list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
     # user_external not compaible with nc 23
@@ -2302,22 +2311,39 @@ EOF
     systemctl enable --now $ncbase.timer
     i /usr/local/bin/ncup <<'EOFOUTER'
 #!/bin/bash
-if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
-shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
 
-ncbase=$1
-if ! php /var/www/$ncbase/updater/updater.phar -n; then
+source /usr/local/lib/err
+
+m() { printf "%s\n" "$*";  "$@"; }
+err-cleanup() {
   echo failed nextcloud update for $ncbase >&2
-  /sbin/exim -t <<EOF
+  # -odf or else systemd will kill the background delivery process
+  # and the message will sit in the queue until the next queue run.
+  exim -odf -t <<EOF
 To: alerts@iankelling.org
-From: root@$(hostname -f)
+From: www-data@$(hostname -f)
 Subject: failed nextcloud update for $ncbase
 
 For logs, run: jr -u $ncbase
 EOF
+}
+
+if [[ $(id -u -n) != www-data ]]; then
+  echo error: running as wrong user: $(id -u -n), expected www-data
+  exit 1
 fi
+
+if [[ ! $1 ]]; then
+  echo error: expected an arg, nextcloud relative base dir
+  exit 1
+fi
+
+ncbase=$1
+cd /var/www/$ncbase
+m php /var/www/$ncbase/updater/updater.phar -n
+# just being overly cautious
+sleep 3
+m php occ -n upgrade
 EOFOUTER
     chmod +x /usr/local/bin/ncup
 
@@ -2496,26 +2522,31 @@ CHECK_RCPT_SPF = true
 CHECK_RCPT_REVERSE_DNS = true
 CHECK_MAIL_HELO_ISSUED = true
 
-# enable 587 in addition to the default 25, so that
-# i can send mail where port 25 is firewalled by isp
-daemon_smtp_ports = 25 : 587
-# default of 25, can get stuck when catching up on mail
-smtp_accept_max = 400
-smtp_accept_reserve = 100
-smtp_reserve_hosts = +iank_trusted
 
-# options exim has to avoid having to alter the default config files
-CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
 CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
-LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
+
 # testing dmarc
 #dmarc_tld_file = /etc/public_suffix_list.dat
+
 EOF
     ;;&
 
   # ** $MAIL_HOST|bk)
   $MAIL_HOST|bk)
 
+
+    # no clamav on je, it has 1.5g memory and clamav uses most of it
+    i /etc/exim4/conf.d/clamav_data_acl <<'EOF'
+warn
+!hosts = +iank_trusted
+!authenticated = plain_server:login_server
+condition = ${if def:malware_name}
+remove_header = Subject:
+add_header = Subject: [Clamav warning: $malware_name] $h_subject
+log_message = heuristic malware warning: $malware_name
+EOF
+
     cat >>/etc/exim4/conf.d/main/000_local <<EOF
 # je.b8.nz will run out of memory with freshclam
 av_scanner = clamd:/var/run/clamav/clamd.ctl
@@ -2860,6 +2891,7 @@ EOF
     echo|i /etc/exim4/conf.d/rcpt_local_acl
     echo|i /etc/exim4/conf.d/router/890_backup_copy
     echo|i /etc/exim4/conf.d/main/000_local-nn
+    echo|i /etc/exim4/conf.d/clamav_data_acl
 
 
     if $bhost_t; then
@@ -2979,6 +3011,27 @@ case $HOSTNAME in
 # this makes it easier to see which exim is doing what
 log_file_path = /var/log/exim4/my%s
 EOF
+
+    cat >/etc/logrotate.d/myexim <<'EOF'
+/var/log/exim4/mymain /var/log/exim4/myreject {
+	daily
+	missingok
+	rotate 1000
+	delaycompress
+	notifempty
+	nocreate
+}
+/var/log/exim4/mypanic {
+	size 10M
+	missingok
+	rotate 10
+	compress
+	delaycompress
+	notifempty
+	nocreate
+}
+EOF
+
     # If we ever wanted to have a separate spool,
     # we could do it like this.
     #     cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
@@ -3132,12 +3185,19 @@ case $HOSTNAME in
   $MAIL_HOST)
     # < 2.1 (eg: in t9), uses a different data format which required manual
     # migration. dont start if we are running an old version.
-    if dpkg --compare-versions $(dpkg -s radicale | awk '$1 == "Version:" { print $2 }') ge 2.1; then
+    if dpkg --compare-versions "$(dpkg -s radicale | awk '$1 == "Version:" { print $2 }')" ge 2.1; then
       m systemctl --now enable radicale
     fi
     ;;&
 esac
 
+# for debugging dns issues
+case $HOSTNAME in
+  je|bk)
+    systemctl enable --now logrotate-fast.timer
+    ;;
+esac
+
 # last use of $reload happens in previous block
 rm -f /var/local/mail-setup-reload
 
@@ -3178,47 +3238,75 @@ case $HOSTNAME in
     # note: cronjob "ian" also does some important monitoring
     # todo: this will sometimes cause an alert because mailtest-check will run
     # before we have setup network namespace and spamassassin
-    cat >/etc/cron.d/mailtest <<EOF
+    i /etc/cron.d/mailtest <<EOF
 SHELL=/bin/bash
 PATH=/usr/bin:/bin:/usr/local/bin
 MAILTO=daylert@iankelling.org
 */5  * * * *   $u send-test-forward |& log-once send-test-forward
 */10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-*/5  * * * *   root timeout 290 mailtest-check slow |& log-once -4 mailtest-check
 # if a bounce happened yesterday, dont let it slip through the cracks
 8   1 * * *   root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
 EOF
+
+
     m sudo rsync -ahhi --chown=root:root --chmod=0755 \
       /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+    i /etc/systemd/system/mailtest-check.service <<'EOF'
+[Unit]
+Description=mailtest-check
+After=local-fs.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/mailtest-check slow
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=graphical.target
+EOF
+    sysd-prom-fail-install mailtest-check
+    sre mailtest-check
     ;;&
   $MAIL_HOST)
     test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
     test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
 
     cat >>/etc/cron.d/mailtest <<EOF
-0   13 * * *  root echo "1pm alert. You are not in the matrix."
+# 10 am friday
+0   10 * * 5  root echo "weekly alert. You are not in the matrix."
 2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
 EOF
     ;;&
   bk)
-    test_froms=(testignore@expertpathologyreview.com testignore@amnimal.ninja)
-    test_tos=(testignore@iankelling.org testignore@zroe.org testignore@je.b8.nz)
+    test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
+    test_tos=(testignore@iankelling.org testignore@je.b8.nz)
+    # We dont need to send from different addresses to the same
+    # address. this breaks down our nice elegant logic of building up
+    # froms and tos , so I just handle expertpath in a special case
+    # below and set the to: to be testignore@zroe.org.  If we did sent
+    # that way, it would also mess up our mailtest-check logic that
+    # finds which messages to check.
+    # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
+    # that would become 2 messages and we'd only check 1.
     ;;&
   je)
     test_froms=(testignore@je.b8.nz)
     test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
     ;;&
   $MAIL_HOST|bk|je)
-    test_to=${test_tos[0]}
-    # dont put these test messages into the sent folder or else it will
+
+    # Dont put these test messages into the sent folder or else it will
     # overwhelm it, plus i dont want to save a copy at all.
-    echo $test_to > /etc/exim4/ignore-sent
-    for t in ${test_tos[@]:1}; do
-      test_to+=", $t"
+    rm -f /etc/exim4/ignore-sent
+    for t in ${test_tos[@]}; do
       echo $t >> /etc/exim4/ignore-sent
     done
+
     cat >/usr/local/bin/send-test-forward <<'EOF'
 #!/bin/bash
+# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
 olds=(
 $(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
 )
@@ -3227,8 +3315,19 @@ if (( ${#olds[@]} )); then
 fi
 EOF
     for test_from in ${test_froms[@]}; do
+
+      test_to=${test_tos[0]}
+      for t in ${test_tos[@]:1}; do
+        test_to+=", $t"
+      done
+      case $test_from in
+        testignore@expertpathologyreview.com)
+          test_to=testignore@zroe.org
+          ;;
+      esac
+
       cat >>/usr/local/bin/send-test-forward <<EOFOUTER
-/usr/sbin/exim -f $test_from -t <<EOF
+/usr/sbin/exim -odf -f $test_from -t <<EOF
 From: $test_from
 To: $test_to
 Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
@@ -3240,7 +3339,10 @@ EOFOUTER
     m chmod +x /usr/local/bin/send-test-forward
     ;;
   *)
-    rm -fv /etc/cron.d/mailtest
+    soff mailtest-check.service
+    rm -fv /etc/cron.d/mailtest \
+       /var/lib/prometheus/node-exporter/mailtest-check.prom* \
+       /var/local/cron-errors/check-remote-mailqs*
     ;;
 esac