X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=9b30579ba5c002062e386dfe5055f6bc69169f97;hb=f95f9128ba77e77d41389810affd475581075246;hp=f43b6ba8b136ab697a19b210c5fd10b1109c87e9;hpb=25d20d07292550e8701e33aa409e4947f3075ede;p=distro-setup diff --git a/mail-setup b/mail-setup index f43b6ba..9b30579 100755 --- a/mail-setup +++ b/mail-setup @@ -58,6 +58,15 @@ if ! exim && ! postfix; then fi +####### instructions for icedove ##### +# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password +# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs. +# +# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false +# background: ovecot does not yet have ocsp stapling support +# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 +####### + ####### begin perstent password instructions ###### # # exim passwords: @@ -70,12 +79,12 @@ fi # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f # s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd # echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd -# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass +# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass # # then run this script, or part of it which uses /etc/mailpass # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot -# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users +# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users # conflink 
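Review bot: The added icedove instructions in the `@@ -58,6 +58,15 @@` hunk set `security.ssl.enable_ocsp_must_staple = false` in the config editor, which is a client-wide preference, so must-staple enforcement is dropped for every TLS connection that profile makes and not only for mail.iankelling.org. If the workaround is needed because the server certificate carries the must-staple extension (inferred from the linked thread, not visible here), issuing the mail certificate without that extension would be a narrower fix. At minimum the comment should record the scope and an exit condition, e.g. `# todo: set back to true once dovecot supports ocsp stapling; this pref applies to all servers`. The background line also has a typo, `ovecot` for `dovecot`.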
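Review bot: The rewritten dovecot line in the `@@ -70,12 +79,12 @@` hunk still hashes the password with `doveadm pw -s ssha256`, a single salted SHA-256 that is cheap to attack offline if the users file leaks, while the exim entry a few lines up uses `mkpasswd -m sha-512`. Since the commit touches the line anyway, consider `echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >/p/c/filesystem/etc/dovecot/users` so both stores use an iterated crypt scheme. The new mailpass line appends the cleartext password with `>>` and nothing in the hunk states the file's mode; a comment such as `# mailpass holds the cleartext smtp password: keep it root-owned, mode 600` would document the expectation. The code that parses the new `host port user:pass` format is outside this hunk, so whether it was updated to match cannot be confirmed here.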
@@ -131,7 +140,7 @@ fi # # 2017-02 spf policies: # # host -t txt lists.fedoraproject.org -# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all +# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all # # i include fastmail\'s settings, per their instructions, # # and follow their policy. In mail in a box, or similar instructions, # # I\'ve seen recommended to not use a restrictive policy. @@ -342,6 +351,29 @@ User=$u Type=oneshot ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync EOF + + cat >/etc/systemd/system/mailclean.timer <<'EOF' +[Unit] +Description=Run mailclean daily + +[Timer] +OnCalendar=monthly + +[Install] +WantedBy=timers.target +EOF + + cat >/etc/systemd/system/mailclean.service </dev/null ||: systemctl stop offlineimapsync.timer &>/dev/null ||: + systemctl disable mailclean.timer &>/dev/null ||: + systemctl stop mailclean.timer &>/dev/null ||: systemctl disable $vpn_ser@mail systemctl stop $vpn_ser@mail systemctl disable dovecot ||: @@ -866,7 +909,7 @@ EOF # light version of exim does not have sasl auth support. - pi exim4-daemon-heavy spamassassin + pi exim4-daemon-heavy spamassassin spf-tools-perl
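Review bot: In the new mailclean.timer unit of the `@@ -342,6 +351,29 @@` hunk, `Description=Run mailclean daily` disagrees with `OnCalendar=monthly`, so one of the two is wrong; if monthly is intended, change it to `Description=Run mailclean monthly`. For a monthly timer on a host that may be powered off at the trigger time, adding `Persistent=true` under `[Timer]` would make systemd run the missed job at the next boot. The mailclean.service heredoc that follows is truncated on this page, so its contents, including which user the cleanup runs as, cannot be reviewed from here.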