X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=9ada9b6c5060c54ba2e8d1e3ca1df52c642634e9;hb=6d1ec26482f86b0f2d9560ce3d04ea8c63297c25;hp=e2f7b21991ced794b4081ed1f05fac6b198f7020;hpb=51c8b40fd2aac71d29dc9298ca65425725ad1edd;p=distro-setup
diff --git a/mail-setup b/mail-setup
index e2f7b21..9ada9b6 100755
--- a/mail-setup
+++ b/mail-setup
@@ -1,7 +1,23 @@
#!/bin/bash
# * intro
-# Copyright (C) 2019 Ian Kelling
-# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# Program to install and configure Ian's email related programs
+# Copyright (C) 2024 Ian Kelling
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# SPDX-License-Identifier: GPL-3.0-or-later
# todo:
# on bk (and fsf servers that run multiple exim4 daemons, eg eximfsf2 and eximfsf3),
@@ -438,7 +454,7 @@ fi
bhost_t=false
case $HOSTNAME in
$MAIL_HOST) : ;;
- kd|frodo|x2|x3|kw|sy|bo)
+ kd|x2|x3|kw|sy|bo|so)
bhost_t=true
;;
esac
@@ -1127,6 +1143,10 @@ banaction = iptables-exim
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ur; then
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ if [[ ! -e /var/log/exim4/mainlog ]]; then
+ install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog
+ fi
m systemctl restart fail2ban
fi
@@ -2037,7 +2057,7 @@ EOF
ssl = required
# this is the same as the certbot list, i check changes in /a/bin/ds/filesystem/usr/local/bin/check-lets-encrypt-ssl-settings
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
-ssl_protocols = TLSv1.2
+ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = no
protocol lmtp {
@@ -2045,6 +2065,23 @@ protocol lmtp {
# default is just $mail_plugins
mail_plugins = $mail_plugins sieve
}
+
+# /etc/dovecot/conf.d/10-master.conf says the default is 256M.
+# but I started getting oom errors in the syslog
+# Mar 27 15:10:04 sy dovecot[330088]: lmtp(iank)<3839880>: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)
+# exim would just queue mail until it eventually succeeded.
+# Deciding what to increase it to, I found this
+# https://dovecot.org/list/dovecot/2011-December/080056.html
+# which suggests 3x the largest dovecot.index.cache file
+# and then I found that
+# md/l/testignore/dovecot.index.cache is 429M, my largest cache file,
+# but that folder only has 2k messages.
+# next biggest is md/l/qemu-devel/dovecot.index.cache 236M
+# which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/
+# which suggests 1.5x the maximum cache file size 1G, and
+# that I can safely rm the index.
+default_vsz_limit = 1500M
+
EOF
if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge 1:2.3; then
cat <>/etc/dovecot/local.conf <
Options Indexes SymLinksIfOwnerMatch MultiViews
@@ -3229,16 +3280,27 @@ MAILDIR_HOME_MAILDIR_LOCATION = /m/md/Sent
EOF
+ # ian: save a copy of sent mail. i thought of other ways to do this,
+ # for example, to only save sent mail that is not sent from my mail
+ # client which saves a copy by default, but in the end, it seems
+ # simplest to turn that off. We want to save external mail sent by
+ # smarthosts. However, there is one complication: encrypted
+ # mail. Saving it here just gets us an encrypted copy that we can't
+ # read. Soo, we could bcc ourselves: then we still have the
+ # annoyance that it is encrypted so we can't grep it. Or, we could
+ # hack emacs so that it sends us an unencrypted copy. Turns out that
+ # the emacs function which saves sent email can also send us a
+ # copy. But, then we have 3 copies: the encrypted copy exim saves,
+ # the unencrypted copy exim saves, and the copy emacs saves. Soo,
+ # we can emacs send a copy directly to the sent alias but only when
+ # it is not mail_host, and have the exim condition for redirecting a
+ # copy to the sent alias avoid doing it if it has an emacs user
+ # agent header.
u /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
-# ian: save a copy of sent mail. i thought of other ways to
-# do this, for example, to only save sent mail that is not sent
-# from my mail client which saves a copy by default, but in the
-# end, it seems simplest to turn that off. We want to save
-# external mail sent by smarthosts.
sentarchive_nn:
driver = redirect
domains = ! +local_domains
- condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
+ condition = ${if and {{!bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}} {!match {$h_user-agent:}{emacs}}}}
data = vojdedIdNejyebni@b8.nz
unseen
EOF
@@ -3286,6 +3348,12 @@ EOF
# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
echo iankelling.org > /etc/mailname
+ # mail default domain.
+ u /etc/mailutils.conf <<'EOF'
+address {
+ email-domain iankelling.org;
+};
+EOF
# mail.iankelling.org so local imap clients can connect with tls and
# when they happen to not be local.
@@ -3500,11 +3568,13 @@ backup_local:
EOF
# Bind to wghole to receive mailbackup.
- wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
- cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <