X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=b0454841ad1874b53f5a9dc85890743183fb9275;hb=77917a8fbf2032a8b2634a1b3de0879ec45cf213;hp=68478bec55a07860a6c86d82ec3cefaae97704c9;hpb=32a1673064cfd9eaa165b4ea62fa416f02f3dfd2;p=distro-setup
diff --git a/mail-setup b/mail-setup
index 68478be..b045484 100755
--- a/mail-setup
+++ b/mail-setup
@@ -171,7 +171,9 @@ smarthost="$mxhost::$mxport"
 ## * Install packages
 # light version of exim does not have sasl auth support.
-pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq
+pi exim4-daemon-heavy spamassassin spf-tools-perl dnsmasq openvpn
+# our nostart pi fails to avoid enabling
+sudo systemctl disable openvpn
 # trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
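Review bot: `sudo systemctl disable openvpn` only removes the enablement symlink; if the package install already started the unit (Debian postinst scripts usually do, though I can't see how `pi`'s nostart handling behaves from here), openvpn keeps running until reboot, so `sudo systemctl disable --now openvpn` would match the stated intent more fully. Every other privileged step in this script goes through the `m` wrapper (e.g. `m sudo gpasswd ...`), so `m sudo systemctl disable openvpn` keeps error reporting consistent. The comment could also name the failure mode it works around rather than just asserting it: `# pi's nostart hook does not stop the package from enabling the unit; disable it explicitly`.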
@@ -306,23 +308,19 @@ f=/a/bin/bash_unpublished/source-state
 if [[ -e $f ]]; then
 source $f
 fi
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
- ${rsync_common}fullchain.pem /etc/exim4/exim.crt
- ret=$?
- ${rsync_common}privkey.pem /etc/exim4/exim.key
- new_ret=$?
- if [[ $ret != $new_ret ]]; then
- echo "$0: error: differing rsync returns, $ret, $new_ret"
- exit 1
- fi
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+ exit 0
 fi
-if [[ $new_ret != 0 ]]; then
- if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
- echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
- exit 1
- fi
+local_mx=mail.iankelling.org
+mkdir -p /etc/letsencrypt/live/$local_mx
+chmod 700 /etc/letsencrypt/live
+rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
+# allow for temporary connection issues
+${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
+${rsync_common}privkey.pem /etc/exim4/exim.key ||:
+if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+ echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+ exit 1
 fi
 exit 0
 EOF
@@ -358,6 +356,12 @@ m systemctl enable mailcert.timer
 # * common exim4 config
 source /a/bin/bash_unpublished/source-state
+if [[ ! $MAIL_HOST ]]; then
+ err "\$MAIL_HOST not set"
+fi
+
+m sudo gpasswd -a iank adm #needed for reading logs
+
 ### make local bounces go to normal maildir
 # local mail that bounces goes to /Maildir or /root/Maildir
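Review bot: Dropping the `ret != new_ret` comparison removes the only protection against a half-updated key pair: with both rsyncs now ending in `||:`, a connection failure between the two copies leaves a fresh `exim.crt` beside a stale `exim.key` (or the reverse), the expiry check on `exim.crt` still passes, and exim will then fail TLS handshakes with a mismatched key. A cheap end-to-end check after the copies is to compare the public key in the cert with the one derived from the private key and exit non-zero on mismatch, as in the excerpt below. The `mkdir -p /etc/letsencrypt/live/$local_mx` and `chmod 700 /etc/letsencrypt/live` lines do not feed the rsync, whose destination is `/etc/exim4/`; if they serve something outside this hunk a one-line comment saying so would help. These lines are the body of the mailcert script heredoc, which opens before the hunk.
```shell
# … unchanged: rsync of fullchain.pem and privkey.pem with ||: …
# refuse to leave a mismatched cert/key pair behind after a partial copy
if [[ $(openssl x509 -noout -pubkey -in /etc/exim4/exim.crt) != \
      $(openssl pkey -pubout -in /etc/exim4/exim.key) ]]; then
  echo "$0: error!: /etc/exim4/exim.crt does not match exim.key (partial rsync?)"
  exit 1
fi
# … unchanged: 3-day expiry check and exit 0 …
```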
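Review bot: The new guard calls `err "\$MAIL_HOST not set"` and then falls through; whether that is a hard stop depends on `err`, which is defined outside this hunk — if it only prints, the rest of the configuration runs with an empty `MAIL_HOST` and every `$HOSTNAME == "$MAIL_HOST"` test below is false, silently configuring the machine as a non-mail host. If `err` does not exit, `err "\$MAIL_HOST not set"; exit 1` or `: "${MAIL_HOST:?not set}"` makes the intent explicit. The `gpasswd` comment could say what the membership grants, since `adm` reads far more than exim's logs: `# adm can read /var/log on Debian, which presumably includes /var/log/exim4 — that is all we need it for`.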
@@ -376,6 +380,13 @@ for d in /Maildir /root/Maildir; do
 m ln -sf -T /m/md/bounces $d
 done
+# Note, even the server needs permissions of this file right
+# if it exists, so do this up here.
+f=/p/c/filesystem/etc/exim4/passwd.client
+if [[ ! -e $f ]]; then
+ f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+fi
+m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
 # by default, only 10 days of logs are kept. increase that.
 m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
@@ -429,7 +440,7 @@ DKIM_SELECTOR = li
 # The file is based on the outgoing domain-name in the from-header.
 DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
 # sign if key exists
-DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
 # most of the ones that gmail seems to use.
 # Exim has horrible default of signing unincluded
@@ -672,13 +683,16 @@ case $HOSTNAME in
 /^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
 /^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
 EOF
+
+ # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
+ # weve configured this file in dnsmasq if we are using it.
 /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
 server=/mail.iankelling.org/127.0.1.1
 EOF
 if systemctl is-active dnsmasq >/dev/null; then
- m systemctl reload dnsmasq
- m nscd -i hosts
+ m systemctl restart dnsmasq
 fi
+ m nscd -i hosts
 # I used to use debconf-set-selections + dpkg-reconfigure,
 # which then updates this file
@@ -801,7 +815,7 @@ EOF
 ;;
 # * not MAIL_HOST
 *) # $HOSTNAME != $MAIL_HOST
- # remove mail. 2 lines to properly remove whitespace
+ # remove mail. uses 2 lines to properly remove whitespace
 sed -ri -f - /etc/hosts <<'EOF'
 s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
 s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
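Review bot: If neither passwd.client path exists, the fallback assignment leaves `$f` pointing at a missing file and `m sudo rsync` fails with rsync's own error rather than saying which host is missing its smarthost credentials; an explicit guard before the rsync reads better: `[[ -e $f ]] || err "no passwd.client for $HOSTNAME"` (assuming `err` aborts; it is defined outside this hunk). `--chown` needs rsync 3.1.0 or newer on the local side, which the trisquel 8 / stretch targets named earlier in the file should satisfy. The mode `0640 root:Debian-exim` is right for a file holding plaintext SMTP credentials, and that is worth stating in the comment so nobody loosens it later: `# holds plaintext smarthost credentials: root-owned, readable by exim only`.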
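Review bot: `systemctl restart dnsmasq` drops every in-flight query and briefly leaves the host without a resolver, which the old `reload` (SIGHUP) did not; the reason the reload was insufficient is that dnsmasq re-reads `/etc/hosts` and `--addn-hosts` on SIGHUP but never its main configuration files. If `/etc/dnsmasq-servers.conf` is, or could be, included via `servers-file=` rather than `conf-file=`/`conf-dir=` — I can't see how it is wired into dnsmasq from here — SIGHUP also re-reads a servers-file, and the original `m systemctl reload dnsmasq` would pick up the new `server=` line without an outage. Either way the new comment should state the constraint it depends on, e.g. `# note: dnsmasq only re-reads conf files on restart (SIGHUP covers /etc/hosts and servers-file only)`. The enclosing `case $HOSTNAME in` arm opens before this hunk.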
@@ -809,9 +823,9 @@ EOF
 echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
 if systemctl is-active dnsmasq >/dev/null; then
- m nscd -i hosts
- m systemctl reload dnsmasq
+ m systemctl restart dnsmasq # reload does not ensure new config is used
 fi
+ m nscd -i hosts
 m systemctl disable mailclean.timer &>/dev/null ||:
 m systemctl stop mailclean.timer &>/dev/null ||:
@@ -832,6 +846,7 @@ EOF
 hostname -f >/etc/mailname
+ ;;&
 ## we use this host to monitor MAIL_HOST
 l2)
@@ -851,13 +866,9 @@ EOF
 /^root:/d
 EOF
 ;;
+ # not l2 and not MAIL_HOST
 *)
- f=/p/c/filesystem/etc/exim4/passwd.client
- if [[ ! -e $f ]]; then
- f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
- fi
- sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
 # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
 # is no good.
@@ -927,8 +938,8 @@ elif [[ $uid != 608 ]]; then
 m usermod -u 608 Debian-exim
 m groupmod -g 608 Debian-exim
 m usermod -g 608 Debian-exim
- m find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
- m find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+ m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} +
+ m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} +
 fi
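Review bot: Moving `m nscd -i hosts` out of the `if` means it now runs on every non-MAIL_HOST machine, including ones where dnsmasq is inactive and nscd may not be installed at all; before, it only ran alongside an active dnsmasq, so this is a new failure path for hosts that never needed it. If nscd is optional on some hosts, `command -v nscd >/dev/null && m nscd -i hosts` keeps it best-effort; otherwise a comment stating that nscd is assumed present would do. The trailing comment on the restart line would be more useful if it said why: `# dnsmasq re-reads /etc/hosts on SIGHUP but not its conf files, so a reload keeps the stale servers list`. This is inside the `*)` arm of a `case $HOSTNAME` that opens before the hunk.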
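Review bot: The added `;;&` is the only change in this hunk and it alters the `case` semantics silently: bash keeps testing the following patterns after this arm, which is what makes the later `l2)` and `*)` arms reachable for non-MAIL_HOST machines, and it is a bash 4+ feature. A short comment on the line would save the next reader a trip to the manual: `;;& # keep matching: the l2) and final *) arms below also apply to non-MAIL_HOST hosts (bash 4+)`. The `case` statement itself opens before the hunk.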
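Review bot: `-path ./var/tmp` can never match here: the starting points are `/` and `/nocow`, so every name find reports begins with `/` (for example `/var/tmp/foo`), and the prune is a no-op — the re-own still walks /var/tmp. The test must name the path as find builds it from the starting point: `m find / /nocow -xdev -path /var/tmp -prune -o -uid $uid -execdir chown -h 608 {} +` and likewise for the `-gid` line (putting `-xdev` before the tests also silences GNU find's "option after non-option" warning). The switch from `-exec` to `-execdir` looks like a deliberate hardening against a symlinked parent directory redirecting a system-wide chown, but nothing says so; a comment such as `# -execdir: chown ./name from the file's own directory so a swapped parent symlink cannot redirect it` would record the intent, and note that GNU find refuses `-execdir` when PATH contains a relative entry. The `elif` this sits in opens before the hunk.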