X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=86464f1aaf3ca337bb9ef2ede0d7e94f32826550;hb=12cab163424e3a7b0815646d1d4407f9b5839bcb;hp=4ce604b0eed1011908505728dcfd71f1911ce84a;hpb=aa9cb10514e29340a6d6a194ee189fa4364f1f2e;p=distro-setup

diff --git a/mail-setup b/mail-setup
index 4ce604b..86464f1 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,6 +3,22 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+# todo: sandbox / harden exim:
+#  1. stop it from running as root. how?
+#  https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html
+#  * avoid using .forward files, remove that router
+#  * set deliver_drop_privilege
+#  * set user to run as Debian-exim in systemd
+#  * set port to something like 2500, and forward 25 to 2500 with iptables. same for 587.
+#  https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/1334552#1334552
+#  * consider whether other routers like postmaster need modification / removal.
+#  2. restrict its filesystem access from within systemd
+
+#  todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
+#  todo: consider hardening cups listening on 0.0.0.0
+#  todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
+#  todo: check that spamd and unbound only listen locally.
+
 # todo:  hosts should only allow external mail that is authed and
 # destined for backup route. it is a minor issue since traffic is
 # limited to the wghole network.
@@ -310,11 +326,6 @@ sre() {
     m systemctl enable $service;
   done
 }
-sstart() {
-  for service; do
-    m systemctl enable --now $service;
-  done
-}
 mailhost() {
   [[ $HOSTNAME == "$MAIL_HOST" ]]
 }
@@ -407,21 +418,6 @@ fi
 # our nostart pi fails to avoid enabling
 
 
-# * user forward file
-case $HOSTNAME in
-  $MAIL_HOST)
-    # afaik, these will get ignored on MAIL_HOST because they are routing to my own
-    # machine, but rm them is safer
-    rm -fv $uhome/.forward /root/.forward
-    ;;
-  *)
-    # this can\'t be a symlink and has permission restrictions
-    # it might work in /etc/aliases, but this seems more proper.
-    e setting $uhome/.forward to $forward
-    install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward
-    ;;
-esac
-
 # * Mail clean cronjob
 
 i /etc/systemd/system/mailclean.timer <<'EOF'
@@ -584,6 +580,24 @@ ExecStart=/bin/sleep infinity
 WantedBy=multi-user.target
 EOF
 
+i /etc/systemd/system/mailbindwatchdog.service <<EOF
+[Unit]
+Description=Watchdog to restart services relying on systemd-resolved dir
+After=syslog.target network-online.target
+Wants=network-online.target
+BindsTo=mailnn.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
 
 
 # old service name
@@ -812,9 +826,13 @@ fi
 # * common exim4 config
 
 
+## old, not using forward files anymore
+rm -fv $uhome/.forward /root/.forward
+
+
 # Make all system users be aliases. preventative
-# measure for things like cron mail for user without alias
-awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd| while read -r user; do
+# prevents things like cron mail for user without alias
+awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ || $7 ~ /\/nologin$/  { print $1 }' /etc/passwd| while read -r user; do
   if [[ ! $user ]]; then
     continue
   fi
@@ -823,6 +841,20 @@ awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd| while read
   fi
 done
 
+
+awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /etc/passwd| while read -r user; do
+  case $HOSTNAME in
+    $MAIL_HOST)
+      sed -i "/^user:/d" /etc/aliases
+    ;;
+    *)
+      if ! grep -q "^$user:" /etc/aliases; then
+        echo "$user: root" |m tee -a /etc/aliases
+      fi
+      ;;
+  esac
+done
+
 if ! grep -q "^ncsoft:" /etc/aliases; then
   echo "ncsoft: graceq2323@gmail.com" |m tee -a /etc/aliases
 fi
@@ -1698,7 +1730,7 @@ if [[ $HOSTNAME == bk ]]; then
 
   #### begin dl roundcube
   # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
-  v=1.4.11; f=roundcubemail-$v-complete.tar.gz
+  v=1.4.13; f=roundcubemail-$v-complete.tar.gz
   cd /a/opt
   if [[ -e $f ]]; then
     timestamp=$(stat -c %Y $f)
@@ -1937,7 +1969,7 @@ EOF
   m phpenmod -v php mcrypt imap
   # dpkg says this is required
   m a2enmod proxy_fcgi setenvif
-  fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm
+  fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
   phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
   m a2enconf $fpm
   # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
@@ -2210,7 +2242,6 @@ EOF
 CHECK_RCPT_VERIFY_SENDER = true
 # default config comment says: If you enable this, you might reject legitimate mail,
 # but eggs has had this a long time, so that seems unlikely.
-CHECK_DATA_VERIFY_HEADER_SYNTAX = true
 CHECK_RCPT_SPF = true
 CHECK_RCPT_REVERSE_DNS = true
 CHECK_MAIL_HELO_ISSUED = true
@@ -2340,6 +2371,7 @@ ignore_target_hosts = ${HOSTNAME}wg.b8.nz
 # note changes here also require change in passwd.client
 route_list = * eximbackup.b8.nz
 same_domain_copy_routing = yes
+errors_to = alerts@iankelling.org
 no_more
 EOF
 
@@ -2353,9 +2385,8 @@ backup_remote:
 .endif
   hosts_require_auth = *
   hosts_try_auth = *
-  return_path = alerts@iankelling.org
   envelope_to_add
-  # manual return path because we dont want it to be the envelope sender
+  # manual return path because we want it to be the envelope sender
   # we got not the one we are using in this smtp transport
   headers_add = "Return-path: $sender_address"
 .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
@@ -2393,10 +2424,10 @@ EOF
 
     # this avoids some error. i cant remember what. todo:
     # test it out and document why/if its needed.
-    i /etc/exim4/host_local_deny_exceptions <<'EOF'
-mail.fsf.org
-*.posteo.de
-EOF
+#     i /etc/exim4/host_local_deny_exceptions <<'EOF'
+# mail.fsf.org
+# *.posteo.de
+# EOF
 
     # cron email from smarthost hosts will automatically be to
     # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
@@ -2479,10 +2510,12 @@ EOF
     # The debconf questions output is additional documentation that is not
     # easily accessible, but super long, along with the initial default comment in this
     # file, so I've saved that into ./mail-notes.conf.
+    #
+    # # TODO: remove mx.iankelling.org once systems get updated mail-setup from jan 2022
     cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 # man page: is used to build the local_domains list, together with "localhost"
 # this is duplicated in a later router.
-dc_other_hostnames='iankelling.org;zroe.org;r2e.iankelling.org;!je.b8.nz;!bk.b8.nz;*.b8.nz;b8.nz'
+dc_other_hostnames='iankelling.org;zroe.org;r2e.iankelling.org;mx.iankelling.org;!je.b8.nz;!bk.b8.nz;*.b8.nz;b8.nz'
 EOF
 
 
@@ -2596,7 +2629,10 @@ EOF
     echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
     echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
 
+
     if $bhost_t; then
+      install -d /bu
+      install -d -g $u -o $u -m 771 /bu/md
       i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
 # modified debian maildir transport
 backup_maildir:
@@ -2622,11 +2658,14 @@ backup_local:
   transport = backup_maildir
 EOF
 
+      # Bind to wghole to receive mailbackup.
+      # todo: will wghole fail to start without internet connectivity?
+      # if so, we need to set it automatically restart infinitely,
+      # and same with exim.
       wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
       cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 dc_other_hostnames='eximbackup.b8.nz'
 dc_local_interfaces='127.0.0.1;::1;$wgholeip'
-
 EOF
     else
       cat >>/etc/exim4/update-exim4.conf.conf <<EOF
@@ -2660,6 +2699,11 @@ case $HOSTNAME in
   $MAIL_HOST|bk)
     # config for the non-nn exim
     m rsync -ra --delete /etc/exim4/ /etc/myexim4
+    # If we ever wanted to have a separate spool,
+    # we could do it like this.
+#     cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
+# spool_directory = /var/spool/myexim4
+# EOF
     cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
 dc_eximconfig_configtype='smarthost'
 dc_smarthost='nn.b8.nz'
@@ -2747,7 +2791,7 @@ if $reload; then
   m systemctl daemon-reload
 fi
 
-sstart epanicclean.timer
+m systemctl --now enable epanicclean.timer
 
 case $HOSTNAME in
   je)
@@ -2768,14 +2812,14 @@ case $HOSTNAME in
     ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
     ;;&
   $MAIL_HOST|bk)
-    sstart mailnn mailnnroute
+    m systemctl --now enable mailnn mailnnroute
     ;;&
   $MAIL_HOST)
     # we use dns to start wg
     if $reload; then
       sre unbound
     else
-      sstart unbound
+      m systemctl --now enable unbound
     fi
     ;;&
   $MAIL_HOST|bk)
@@ -2784,10 +2828,10 @@ case $HOSTNAME in
     if $reload; then
       sre $vpnser
     else
-      sstart $vpnser
+      m systemctl --now enable $vpnser
     fi
     if ! systemctl is-active clamav-daemon >/dev/null; then
-      sstart clamav-daemon
+      m systemctl --now enable clamav-daemon
       out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.{timer,service} /etc/systemd/system)
       if [[ $out ]]; then
         reload=true
@@ -2804,13 +2848,13 @@ case $HOSTNAME in
     # need to wait a bit before restarting exim, else I
     # get a paniclog entry like: spam acl condition: all spamd servers failed
     sleep 3
-    sstart mailclean.timer
+    m systemctl --now enable mailclean.timer
     ;;&
   $MAIL_HOST)
     # < 2.1 (eg: in t9), uses a different data format which required manual
     # migration. dont start if we are running an old version.
     if dpkg --compare-versions $(dpkg -s radicale | awk '$1 == "Version:" { print $2 }') ge 2.1; then
-      sstart radicale
+      m systemctl --now enable radicale
     fi
     ;;&
 esac
@@ -2828,6 +2872,16 @@ esac
 
 sre exim4
 
+case $HOSTNAME in
+  $MAIL_HOST)
+    m systemctl --now enable mailbindwatchdog
+  ;;
+  *)
+    soff mailbindwatchdog
+    ;;
+esac
+
+
 case $HOSTNAME in
   bk) sre exim4in ;;
 esac
@@ -2862,7 +2916,7 @@ EOF
     test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja, jtuttle@gnu.org"
 
     cat >>/etc/cron.d/mailtest <<EOF
-2   * * * *   $u check-remote-mailqs |& log-once check-remote-mailqs
+2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
 EOF
     ;;&
   bk)
@@ -2877,7 +2931,8 @@ EOF
     cat >/usr/local/bin/send-test-forward <<'EOF'
 #!/bin/bash
 olds=(
-/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+$(/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+)
 if (( ${#olds[@]} )); then
   /sbin/exim -Mrm "${olds[@]}" >/dev/null
 fi