X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=7da0524bedc188bb98fe9d9783a824576a7db27b;hb=fa5deaee2e0182ddfc7b39eea7ee2acedb259ddf;hp=71b086b72b85f4621a0fa10686b9b866f1ce43b2;hpb=b18dade73dedfe69aa741f8417947d83c4208f2d;p=distro-setup

diff --git a/mail-setup b/mail-setup
index 71b086b..7da0524 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,6 +3,9 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+
+# todo: add a prometheus alert for dovecot.
+
 # todo: handle errors like this:
 # Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
 # Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
@@ -22,8 +25,6 @@
 # todo: run mailping test after running, or otherwise
 # clear out terminal alert
 
-# todo: reinstall bk with bigger filesystem
-
 # todo: on bk, dont send email if mailvpn is not up
 
 # todo: mailtest-check should check on bk too
@@ -385,11 +386,16 @@ EOF
 fi
 
 # light version of exim does not have sasl auth support.
-pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound clamav-daemon wireguard
+pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard
 
 # note: pyzor debian readme says you need to run some initialization command
 # but its outdated.
 pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban
+case $HOSTNAME in
+  je) : ;;
+  # not included due to using wireguard: openvpn
+  *) pi wget git unzip iptables ;;
+esac
 # bad packages that sometimes get automatically installed
 pu openresolv resolvconf
 
@@ -484,7 +490,6 @@ case $HOSTNAME in
     i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
 [Unit]
 Requires=mailnn.service
-After=network.target mailnn.service
 JoinsNamespaceOf=mailnn.service
 BindsTo=mailnn.service
 StartLimitIntervalSec=0
@@ -660,6 +665,7 @@ fi
 
 case $HOSTNAME in
   $MAIL_HOST)
+    # todo, should this be after vpn service
     i /etc/systemd/system/unbound.service.d/nn.conf <<EOF
 [Unit]
 After=mailnn.service
@@ -711,8 +717,12 @@ EOF
     for unit in ${nn_progs[@]}; do
       i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
 [Unit]
-# commented for old openvpn
-Requires=$vpnser
+
+# Wants appears better than requires because with requires,
+# if the vpnser fails to start, this service won't get run at
+# all, even if the vpnser starts on an automatic restart.
+
+Wants=$vpnser
 After=network.target mailnn.service $vpnser
 JoinsNamespaceOf=mailnn.service
 BindsTo=mailnn.service
@@ -787,14 +797,20 @@ if [[ -e /p/c/filesystem ]]; then
   # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
   m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
 fi
-case $HOSTNAME in
-  bk)
-    if [[ ! -e /etc/openvpn/client/mail.conf ]]; then
-      echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2
-      exit 1
-    fi
-    ;;
-esac
+
+# With openvpn, I didn't get around to persisting the openvpn
+# cert/configs into /p/c/machine_specific/bk, so I had this case to
+# manually get the cert. However, we aren't using openvpn anymore, so it
+# is commented out.
+#
+# case $HOSTNAME in
+#   bk)
+#     if [[ ! -e /etc/openvpn/client/mail.conf ]]; then
+#       echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2
+#       exit 1
+#     fi
+#     ;;
+# esac
 
 m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin
 
@@ -1053,6 +1069,16 @@ expertpathologyreview.com * F,1d,10m;F,14d,1h
 je.b8.nz * F,1d,10m;F,14d,1h
 zroe.org * F,1d,10m;F,14d,1h
 eximbackup.b8.nz * F,1d,4m;F,14d,1h
+
+# The spec says the target domain will be used for temporary host errors,
+# but i've found that isn't correct, the hostname is required
+# at least sometimes.
+nn.b8.nz * F,1d,4m;F,14d,1h
+defaultnn.b8.nz * F,1d,4m;F,14d,1h
+mx.iankelling.org * F,1d,4m;F,14d,1h
+bk.b8.nz * F,1d,4m;F,14d,1h
+eggs.gnu.org * F,1d,4m;F,14d,1h
+mail.fsf.org * F,1d,15m;F,14d,1h
 EOF
 
 
@@ -1401,13 +1427,10 @@ if mailhost; then
 
   i /etc/systemd/system/radicale.service.d/override.conf <<EOF
 [Unit]
-# this unit is configured to start and stop whenever
-# $vpnser does
 
 After=network.target network-online.target mailnn.service $vpnser
-BindsTo=$vpnser
 
-Wants=network-online.target
+Wants=$vpnser
 JoinsNamespaceOf=mailnn.service
 StartLimitIntervalSec=0
 
@@ -1521,7 +1544,7 @@ case $HOSTNAME in
     # sieve has the benefit of being supported in postfix and
     # proprietary/weird environments, so there is more examples on the
     # internet.
-    pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite sqlite3
+    pi-nostart dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite sqlite3
 
     for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
       if [[ -e $f ]]; then
@@ -1545,17 +1568,23 @@ xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg==
 -----END DH PARAMETERS-----
 EOF
     {
+
       if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
         cat <<'EOF'
 ssl_cert = </etc/exim4/fullchain.pem
 ssl_key = </etc/exim4/privkey.pem
 EOF
       else
+        # We have a lets encrypt hooks that puts things here.
+        # This is just for bk, which uses the vpn cert in exim
+        # for sending mail, but the local hostname cert for
+        # dovecot.
         cat <<'EOF'
 ssl_cert = </etc/exim4/exim.crt
 ssl_key = </etc/exim4/exim.key
 EOF
       fi
+
       cat <<'EOF'
 # https://ssl-config.mozilla.org
 ssl = required
@@ -1739,6 +1768,7 @@ EOF
     i /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
 # from mailinabox
 driver = sqlite
+# for je and bk, populated the testignore users for the relevant domains
 connect = /m/rc/users.sqlite
 default_pass_scheme = SHA512-CRYPT
 password_query = SELECT email as user, password FROM users WHERE email='%u';
@@ -1760,6 +1790,8 @@ extra,
 privileges TEXT NOT NULL DEFAULT '');
 EOF
     fi
+    # users.sqlite is saved into /p/c/machine_specific, so update it there!.
+    #
     # example of adding a user:
     # hash: doveadm pw -s SHA512-CRYPT -p passhere
     # sqlite3 /m/rc/users.sqlite <<'EOF'
@@ -1866,6 +1898,7 @@ if [[ $HOSTNAME == bk ]]; then
   ### end composer install
 
   rcdirs=(/usr/local/lib/rcexpertpath /usr/local/lib/rcninja)
+  ncdirs=(/var/www/ncninja)
   ncdirs=(/var/www/ncexpertpath /var/www/ncninja)
   # point debian cronjob to our local install, preventing daily cron error
 
@@ -1875,7 +1908,7 @@ if [[ $HOSTNAME == bk ]]; then
   #### begin dl roundcube
   # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
   v=1.4.13; f=roundcubemail-$v-complete.tar.gz
-  cd /a/opt
+  cd /root
   if [[ -e $f ]]; then
     timestamp=$(stat -c %Y $f)
   else
@@ -2216,7 +2249,7 @@ var_export(\$CONFIG);
 fwrite(STDOUT, ";\n");
 EOF
     m php tmp.php >config.php
-    m rm tmp.php
+    m rm -f tmp.php
     m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
     list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
     # user_external not compaible with nc 23
@@ -2267,11 +2300,12 @@ For logs, run: jr -u $ncbase
 EOF
 fi
 EOFOUTER
+    chmod +x /usr/local/bin/ncup
 
     mkdir -p /var/www/cron-errors
     chown www-data.www-data /var/www/cron-errors
     i /etc/cron.d/$ncbase <<EOF
-PATH=/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin
+PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
 SHELL=/bin/bash
 # https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
 */5  *  *  *  * www-data php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron
@@ -2353,7 +2387,8 @@ QUEUERUNNER='combined'
 QUEUEINTERVAL='30m'
 COMMONOPTIONS='-C /etc/exim4/my.conf'
 UPEX4OPTS='-o /etc/exim4/my.conf'
-#E4BCD_PANICLOG_NOISE='exim user lost privilege for using -C option'
+# i use epanic-clean for alerting if there are bad paniclog entries
+E4BCD_WATCH_PANICLOG='no'
 EOF
     chown Debian-exim:Debian-exim /usr/sbin/exim4
     # needs guid set in order to become Debian-exim
@@ -2380,7 +2415,7 @@ case $HOSTNAME in
     ;;
   *)
     dirs=()
-    for d in /d /m /media /mnt /nocow /o /p /q; do
+    for d in /a /d /m /media /mnt /nocow /o /p /q; do
       if [[ -d $d ]]; then
         dirs+=($d)
       fi
@@ -2951,6 +2986,9 @@ if [[ -e /nocow ]]; then
 # without local-fs on exim, we get these kind of errors in paniclog on shutdown:
 # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
 After=local-fs.target
+
+[Service]
+ExecStartPre=/usr/local/bin/exim-nn-iptables
 EOF
   if ! mountpoint -q $sdir; then
     stopifactive exim4 exim4in
@@ -2985,8 +3023,8 @@ elif [[ $uid != 608 ]]; then
   m usermod -u 608 Debian-exim
   m groupmod -g 608 Debian-exim
   m usermod -g 608 Debian-exim
-  m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} +
-  m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} +
+  m find / /nocow -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 608 {} +
+  m find / /nocow -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 608 {} +
 fi
 
 # * start / stop services
@@ -2997,6 +3035,7 @@ if $reload; then
   m systemctl daemon-reload
 fi
 
+sysd-prom-fail-install epanicclean
 m systemctl --now enable epanicclean
 
 case $HOSTNAME in
@@ -3012,11 +3051,6 @@ m /a/bin/ds/mail-cert-cron -1
 sre mailcert.timer
 
 case $HOSTNAME in
-  bk)
-    # todo, this should be done in distro-begin
-    soff systemd-resolved
-    ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
-    ;;&
   $MAIL_HOST|bk)
     m systemctl --now enable mailnn mailnnroute
     ;;&
@@ -3070,7 +3104,10 @@ rm -f /var/local/mail-setup-reload
 
 
 case $HOSTNAME in
-  $MAIL_HOST|bk|je) : ;;
+  $MAIL_HOST|bk|je|li)
+    # on li, these are never started, except $vpnser
+    :
+    ;;
   *)
     soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon
     ;;
@@ -3105,13 +3142,12 @@ case $HOSTNAME in
     cat >/etc/cron.d/mailtest <<EOF
 SHELL=/bin/bash
 PATH=/usr/bin:/bin:/usr/local/bin
-MAILTO=daylerts@iankelling.org
+MAILTO=daylert@iankelling.org
 */5  * * * *   $u send-test-forward |& log-once send-test-forward
 */10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
 */5  * * * *   root timeout 290 mailtest-check slow |& log-once -4 mailtest-check
 # if a bounce happened yesterday, dont let it slip through the cracks
-8   1 * * *   root export MAILTO=alerts@iankelling.org; awk '\$5 == "**"' /var/log/exim4/mainlog.1
-0   13 * * *  root echo "If the 1pm doesnt happen, you are in the matrix. Wake up."
+8   1 * * *   root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
 EOF
     m sudo rsync -ahhi --chown=root:root --chmod=0755 \
       /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
@@ -3121,6 +3157,7 @@ EOF
     test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja, jtuttle@gnu.org"
 
     cat >>/etc/cron.d/mailtest <<EOF
+0   13 * * *  root echo "1pm alert. You are not in the matrix."
 2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
 EOF
     ;;&
@@ -3136,10 +3173,10 @@ EOF
     cat >/usr/local/bin/send-test-forward <<'EOF'
 #!/bin/bash
 olds=(
-$(/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
 )
 if (( ${#olds[@]} )); then
-  /sbin/exim -Mrm "${olds[@]}" >/dev/null
+  /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
 fi
 EOF
     for test_from in ${test_froms[@]}; do
@@ -3147,7 +3184,7 @@ EOF
 /usr/sbin/exim -f $test_from -t <<EOF
 From: $test_from
 To: $test_to
-Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$(date +%s)
+Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
 
 /usr/local/bin/send-test-forward
 EOF