X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=b0454841ad1874b53f5a9dc85890743183fb9275;hb=77917a8fbf2032a8b2634a1b3de0879ec45cf213;hp=7921a22fd0ed262ff47760e9397e5c1293bd6e48;hpb=efcd10d3b49c93cc3f6a8ae8276dcc1607cb2574;p=distro-setup diff --git a/mail-setup b/mail-setup index 7921a22..b045484 100755 --- a/mail-setup +++ b/mail-setup @@ -1,53 +1,83 @@ -#!/bin/bash -l -# Copyright (C) 2016 Ian Kelling +#!/bin/bash +# -*- eval: (outline-minor-mode); -*- +# * intro +# Copyright (C) 2019 Ian Kelling +# SPDX-License-Identifier: AGPL-3.0-or-later -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at +if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi -# http://www.apache.org/licenses/LICENSE-2.0 +pre="${0##*/}:" +m() { printf "$pre %s\n" "$*"; "$@"; } +e() { printf "$pre %s\n" "$*"; } +err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; } -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +shopt -s nullglob + +if [[ -s /usr/local/lib/err ]]; then + source /usr/local/lib/err +elif [[ -s /a/bin/errhandle/err ]]; then + source /a/bin/errhandle/err +else + err "no err tracing script found" + exit 1 +fi + +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" +if [[ ! $SUDO_USER ]]; then + echo "$0: error: requires running as nonroot or sudo" + exit 1 +fi +u=$SUDO_USER + + +usage() { + cat < preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false +# background: ovecot does not yet have ocsp stapling support +# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 +# +# for phone, k9mail, same thing but username alerts, pass in ivy-pass. +# also, l2.b8.nz for secondary alerts +# fetching mail settings: folder poll frequency 10 minutes +####### -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -####### begin perstent password instructions ###### +# * perstent password instructions # # exim passwords: # # for hosts which have all private files I just use the same user # # for other hosts, each one get\'s their own password. # # for generating secure pass, and storing for server too: -# # user=USUALLY_SAME_AS_HOSTNAME -# user=li # f=$(mktemp) +# I use $HOSTNAME as username # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f -# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd -# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd -# echo "mail.iankelling.org:$user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass -# # then run this script, or part of it which uses /etc/mailpass +# s sed -i "/^$HOSTNAME:/d" /p/c/filesystem/etc/exim4/passwd +# echo "$HOSTNAME:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd +# reference: exim4_passwd_client(5) +# echo "mail.iankelling.org:$HOSTNAME:$(<$f)" > /p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client +# # then run this script # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot -# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users -# conflink +# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users - - -# # for ad-hoc testing of some random new host sending mail: -# user=li # client host username & hostname -# f=$(mktemp) -# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f -# s sed -i "/^$user:/d" /etc/exim4/passwd -# echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd -# echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client ####### end perstent password instructions ###### -####### begin persistent dkim/dns instructions ######### +# * persistent dkim/dns instructions # # Remove 1 level of comments in this section, set the domain var # # for the domain you are setting up, then run this and copy dns settings # # into dns. @@ -69,25 +99,24 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # # lines 2+: append to hold space # echo "txt record contents:" # echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)" -# chmod 644 $domain.pem -# chmod 640 $domain-private.pem -# # in conflink, we chown these to group debian -# conflink -# # selector was also put into /etc/exim4/conf.d/main/000_localmacros, -# # via the mail-setup scripts +# # selector was also put into /etc/exim4/conf.d/main/000_local, # # 2017-02 dmarc policies: +# # host -t txt _dmarc.gmail.com # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons -# # gmail will be changing to p=reject, which is expected to cause problems +# # there were articles claiming gmail would be changing +# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s +# # expected to cause problems # # with a few old mailing lists, copying theirs for now. +# # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain" # # 2017-02 spf policies: -# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all +# # host -t txt lists.fedoraproject.org +# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all # # i include fastmail\'s settings, per their instructions, # # and follow their policy. In mail in a box, or similar instructions, # # I\'ve seen recommended to not use a restrictive policy. -# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all" # # to check if dns has updated, you do # host -a mesmtp._domainkey.$domain @@ -98,516 +127,903 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # cat <<'EOF' # mx records, 2 records each, for * and empty domain # pri 10 mail.iankelling.org -# pri 20 in1-smtp.messagingengine.com -# pri 30 in2-smtp.messagingengine.com # EOF ####### end persistent dkim instructions ######### -# misc exim notes: -# useful exim docs: -# /usr/share/doc/exim4-base/README.Debian.gz -# /usr/share/doc/exim4-base/spec.txt.gz +# * functions constants +e() { printf "%s\n" "$*"; } +pi() { # package install without starting daemons + local f + if dpkg -s -- "$@" &> /dev/null; then + return 0; + fi; + while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done + f=/var/cache/apt/pkgcache.bin; + if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then + m apt-get update + fi + f=/usr/sbin/policy-rc.d + dd of=$f 2>/dev/null </etc/systemd/system/mailclean.timer <<'EOF' +[Unit] +Description=Run mailclean daily -# exim clear out message queue. as root: -# adapted from somewhere on stackoverflow. -# ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4 +[Timer] +OnCalendar=monthly -# fastmail has changed their smtp server, but the old one still works, -# I see no reason to bother changing. -# New one is smtp.fastmail.com +[Install] +WantedBy=timers.target +EOF -# test delivery & rewrite settings: -#exim4 -bt ian@localhost +cat >/etc/systemd/system/mailclean.service <>/etc/default/spamassassin + # just noticed this in the config file, seems like a good idea. + sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin + e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin -# this was for when I used the exim config type -# "mail sent by smarthost; received via SMTP or fetchmail" -# if [[ $HOSTNAME == $MAIL_HOST ]]; then -# host=mail.messagingengine.com -# relayhost="[$host]:587" # postfix -# smarthost="$host::587" # exim -# fi + m systemctl enable spamassassin + m systemctl start spamassassin + m systemctl reload spamassassin -forward=ian@$local_mx + cat >/etc/systemd/system/spamddnsfix.service <<'EOF' +[Unit] +Description=spamd dns bug fix cronjob +[Service] +Type=oneshot +ExecStart=/a/bin/distro-setup/spamd-dns-fix +EOF + # 2017-09, debian closed the bug on this saying upstream had fixed it. + # remove this when i\'m using the newer package, ie, debian 10, or maybe + # ubuntu 18.04. + cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' +[Unit] +Description=run spamd bug fix script every 10 minutes -if [[ $HOSTNAME == $MAIL_HOST ]]; then - # if we are MAIL_HOST, exim config sets up an /etc/alias from - # root to the postmaster, which i config to ian, as long as there - # exists an entry for root, or there was no preexisting aliases file. - # based on the postinst file. - s rm -f /etc/aliases -else - # linode image has a root alias, I think it might override our .forward - sudo sed -i '/^root:/d' /etc/aliases - s newaliases +[Timer] +OnActiveSec=60 +# the script looks back 9 minutes into the journal, +# it takes a second to run, +# so lets run every 9 minutes and 10 seconds. +OnUnitActiveSec=550 - # background: This also works instead of ~/.forward - # s sed -i --follow-symlinks '/^root/d' /etc/aliases ||: - #echo "root: $HOSTNAME@$SOME_DOMAIN" | s tee -a /etc/aliases - # this can\'t be a symlink and has permission restrictions - # it might work in /etc/aliases, but this seems more proper. - e $forward > ~/.forward - e $forward | s tee /root/.forward - # 644 is required. shouldn\'t need changing, but set it just in case. - s chmod 644 ~/.forward /root/.forward +[Install] +WantedBy=timers.target +EOF + m systemctl daemon-reload + m systemctl restart spamddnsfix.timer + m systemctl enable spamddnsfix.timer + +fi # [[ $HOSTNAME != "$MAIL_HOST" ]] +##### end spamassassin config + + +# * Update mail cert +if [[ -e /p/c/filesystem ]]; then + # allow failure of these commands when our internet is down, they are likely not needed, + # we check that a valid cert is there already. + # to put the hostname in the known hosts + if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then + # This just causes failure if our cert is going to expire in the next 30 days. + # Certs I generate last 10 years. + openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt + else + # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with + # systemd, buuut it can remake the tun device unexpectedly, i got this in the log + # after my internet was down for a bit: + # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. + m /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org + fi fi -# offlineimap uses this too, it is much easier to use one location than to -# condition it\'s config and postfix\'s config -case $distro in - fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;; - *) : -esac -if postfix; then - # dunno why, but debian installed postfix with builddep emacs - # but I will just explicitly install it here since - # I use it for sending mail in emacs. - if isdeb; then - s debconf-set-selections </dev/null - done - s postmap hash:/etc/postfix/sasl_passwd - s service postfix reload - -else # exim. has debian specific stuff for now - - - # wording of question from dpkg-reconfigure exim4-config - # 1. internet site; mail is sent and received directly using SMTP - # 2. mail sent by smarthost; received via SMTP or fetchmail - # 3. mail sent by smarthost; no local mail - # 4. local delivery only; not on a network - # 5. no configuration at this time - # - # Note, I have used option 2 in the past for receiving mail - # from lan hosts, sending external mail via another smtp server. - # - # Note, other than configtype, we could set all the options in - # both types of configs without harm, they would either be - # ignored or be disabled by other settings, but the default - # local_interfaces definitely makes things more secure. - # most of these settings get translated into settings - # in /etc/exim4/update-exim4.conf.conf - # mailname setting sets /etc/mailname +f=/usr/local/bin/mail-cert-cron +cat >$f <<'EOF' +#!/bin/bash +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" - s debconf-set-selections </etc/systemd/system/mailcert.service <<'EOF' +[Unit] +Description=Mail cert rsync +After=multi-user.target - s debconf-set-selections </etc/systemd/system/mailcert.timer <<'EOF' +[Unit] +Description=Run mail-cert once a day -# Systems with dynamic IP addresses, including dialup systems, should generally be -# configured to send outgoing mail to another machine, called a 'smarthost' for -# delivery because many receiving systems on the Internet block incoming mail from -# dynamic IP addresses as spam protection. +[Timer] +OnCalendar=daily -# A system with a dynamic IP address can receive its own mail, or local delivery can be -# disabled entirely (except mail for root and postmaster). +[Install] +WantedBy=timers.target +EOF +m systemctl daemon-reload +m systemctl start mailcert +m systemctl restart mailcert.timer +m systemctl enable mailcert.timer -# 1. internet site; mail is sent and received directly using SMTP -# 2. mail sent by smarthost; received via SMTP or fetchmail -# 3. mail sent by smarthost; no local mail -# 4. local delivery only; not on a network -# 5. no configuration at this time -# General type of mail configuration: 1 -exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP +# * common exim4 config +source /a/bin/bash_unpublished/source-state +if [[ ! $MAIL_HOST ]]; then + err "\$MAIL_HOST not set" +fi -# The 'mail name' is the domain name used to 'qualify' mail addresses without a domain -# name. +m sudo gpasswd -a iank adm #needed for reading logs + + +### make local bounces go to normal maildir +# local mail that bounces goes to /Maildir or /root/Maildir +dirs=(/m/md/bounces/{cur,tmp,new}) +m mkdir -p ${dirs[@]} +m chown iank:iank /m /m/md +m ln -sfT /m/md /m/iank +m chmod 700 /m /m/md +m chown -R $u:Debian-exim /m/md/bounces +m chmod 775 ${dirs[@]} +m usermod -a -G Debian-exim $u +for d in /Maildir /root/Maildir; do + if [[ ! -L $d ]]; then + m rm -rf $d + fi + m ln -sf -T /m/md/bounces $d +done + +# Note, even the server needs permissions of this file right +# if it exists, so do this up here. +f=/p/c/filesystem/etc/exim4/passwd.client +if [[ ! -e $f ]]; then + f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client +fi +m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/ -# This name will also be used by other programs. It should be the single, fully -# qualified domain name (FQDN). +# by default, only 10 days of logs are kept. increase that. +m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base -# Thus, if a mail address on the local host is foo@example.org, the correct value for -# this option would be example.org. -# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled. +## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost +# i only need .forwards, so just doing that one. +cd /etc/exim4/conf.d/router +b=userforward_higher_priority +# replace the router name so it is unique +sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b -# System mail name: -exim4-config exim4/mailname string li.iankelling.org +rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename +cat >/etc/exim4/conf.d/main/000_local </etc/exim4/conf.d/rcpt_local_acl <<'EOF' +# Only hosts we control send to @mail.iankelling.org, so make sure +# they are all authed. +# Note, if we wanted authed senders for all domains, +# we could make this condition in acl_check_mail +deny + message = ian trusted domain recepient but no auth + !authenticated = * + domains = mail.iankelling.org +EOF +rm -fv /etc/exim4/data_local_acl # old path +cat >/etc/exim4/conf.d/data_local_acl <<'EOF' +# Except for the "condition =", this was +# a comment in the check_data acl. The comment about this not +# being suitable is mostly bs. The only thing related I found was to +# add the condition =, cuz spamassassin has problems with big +# messages and spammers don't bother with big messages, +# but I've increased the size from 10k +# suggested in official docs, and 100k in the wiki example because +# those docs are rather old and I see a 110k spam message +# pretty quickly looking through my spam folder. +warn + condition = ${if < {$message_size}{2000K}} + spam = Debian-exim:true + add_header = X-Spam_score: $spam_score\n\ + X-Spam_score_int: $spam_score_int\n\ + X-Spam_bar: $spam_bar\n\ + X-Spam_report: $spam_report + +#accept +# spf = pass:fail:softfail:none:neutral:permerror:temperror +# dmarc_status = reject:quarantine +# add_header = Reply-to: dmarctest@iankelling.org -# If this system only receives mail directly from local services (and not from other -# hosts), it is suggested to prohibit external connections to the local Exim daemon. -# Such services include e-mail programs (MUAs) which talk to localhost only as well as -# fetchmail. External connections are impossible when 127.0.0.1 is entered here, as -# this will disable listening on public network interfaces. +EOF +cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' +# from 30_exim4-config_examples + +plain_server: +driver = plaintext +public_name = PLAIN +server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +server_set_id = $auth2 +server_prompts = : +.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +.endif +EOF -# IP-addresses to listen on for incoming SMTP connections: -exim4-config exim4/dc_local_interfaces string +cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' +### router/900_exim4-config_local_user +################################# + +# This router matches local user mailboxes. If the router fails, the error +# message is "Unknown user". + +local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + domains = +local_domains +# ian: commented this, in conjunction with a dovecot lmtp +# change so I get mail for all users. +# check_local_user + local_parts = ! root + transport = LOCAL_DELIVERY + cannot_route_message = Unknown user +EOF +cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' +dovecot_lmtp: + driver = lmtp + socket = /var/run/dovecot/lmtp + #maximum number of deliveries per batch, default 1 + batch_max = 200 +EOF +cat >/etc/exim4/host_local_deny_exceptions <<'EOF' +mail.fsf.org +*.posteo.de +EOF +cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' +# smarthost for fsf mail +# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and +# replaced DCsmarthost with mail.fsf.org +fsfsmarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = ! +local_domains + senders = *@fsf.org + transport = remote_smtp_smarthost + route_list = * mail.fsf.org byname + host_find_failed = ignore + same_domain_copy_routing = yes + no_more +EOF -# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected -# to the user account of the actual system administrator. +cat >/etc/exim4/update-exim4.conf.conf <<'EOF' +# default stuff, i havent checked if its needed +dc_minimaldns='false' +dc_relay_nets='' +CFILEMODE='644' +dc_use_split_config='true' +dc_local_interfaces='' +dc_mailname_in_oh='true' +EOF -# If this value is left empty, such mail will be saved in /var/mail/mail, which is not -# recommended. -# Note that postmaster\'s mail should be read on the system to which it is directed, -# rather than being forwarded elsewhere, so (at least one of) the users listed here -# should not redirect their mail off this machine. A 'real-' prefix can be used to -# force local delivery. +# ** dovecot +dovecot-setup() { + # based on a little google and package search, just the dovecot + # packages we need instead of dovecot-common. + # + # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir + # directly. The reason to do this is to use dovecot\'s sieve, which + # has extensions that allow it to be almost equivalent to exim\'s + # filter capabilities, some ways probably better, some worse, and + # sieve has the benefit of being supported in postfix and + # proprietary/weird environments, so there is more examples on the + # internet. I was torn about whether to do this or not, meh. + pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd + + for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do + e $f + if [[ -e $f ]]; then + m sudo rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/ + break + fi + done + for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do + m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/} + done + # If we changed 90-sieve.conf and removed the active part of the + # sieve option, we wouldn\'t need this, but I\'d rather not modify a + # default config if not needed. This won\'t work as a symlink in /a/c + # unfortunately. + if [[ -e $uhome/sieve/personal.sieve ]]; then + m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve + fi + + # we set this later in local.conf + sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF' +/^\s*mail_location\s*=/d +EOF -# Multiple user names need to be separated by spaces. + cat >/etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/local.conf </dev/null <<'EOF' -MAIN_TLS_ENABLE = true + # ** exim -DKIM_CANON = relaxed -DKIM_SELECTOR = li + sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \ + /p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/ -# from comments in -# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 -# The file is based on the outgoing domain-name in the from-header. -DKIM_DOMAIN = ${lc:${domain:$h_from:}} -# sign if key exists -DKIM_PRIVATE_KEY= ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}} + # mail.iankelling.org so local imap clients can connect with tls and + # when they happen to not be local. + sed -ri -f - /etc/hosts <<'EOF' +/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d} +/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/ +EOF + # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes + # weve configured this file in dnsmasq if we are using it. + /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] +server=/mail.iankelling.org/127.0.1.1 +EOF + if systemctl is-active dnsmasq >/dev/null; then + m systemctl restart dnsmasq + fi + m nscd -i hosts -# failing message on mail-tester.com: -# We check if there is a server (A Record) behind your hostname treetowl. -# You may want to publish a DNS record (A type) for the hostname treetowl or use a different hostname in your mail software -# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box -# and this one seemed appropriate from grepping config -MAIN_HARDCODE_PRIMARY_HOSTNAME = li.iankelling.org + # I used to use debconf-set-selections + dpkg-reconfigure, + # which then updates this file + # but the process is slower than updating it directly and then I want to set other things in + # update-exim4.conf.conf, so there's no point. + # The file is documented in man update-exim4.conf, + # except the man page is not perfect, read the bash script to be sure about things. -# normally empty, I set this so I can set the envelope address -# when doing mail redelivery to invoke filters -MAIN_TRUSTED_GROUPS = ian + # The debconf questions output is additional documentation that is not + # easily accessible, but super long, along with the initial default comment in this + # file, so I've saved that into ./mail-notes.conf. -LOCAL_DELIVERY = dovecot_lmtp + cat >>/etc/exim4/update-exim4.conf.conf < /etc/mailname -[Install] -WantedBy=timers.target + # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the + # smarthost config type, not sure. all other settings + # would be unused in that config type. + cat >>/etc/exim4/conf.d/main/000_local <$f <<'EOF' +#!/bin/bash +cd /etc +wget -q -N https://publicsuffix.org/list/public_suffix_list.dat +EOF + m chmod 755 $f -[Service] -User=ian -Type=oneshot -ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync -EOF - s systemctl daemon-reload - s systemctl enable offlineimapsync.timer - s systemctl start offlineimapsync.timer - - else # $HOSTNAME != $MAIL_HOST - s systemctl disable offlineimapsync.timer &>/dev/null ||: - s systemctl stop offlineimapsync.timer &>/dev/null ||: - # - # - # would only exist because I wrote it i the previous condition, - # it\'s not part of exim - s rm -f $exim_main_dir/000_localmacros - s debconf-set-selections </dev/null; then - # gotta remove this, otherwise the set-selections are completely - # ignored. It woulda been nice if this was documented somewhere! - s rm -f /etc/exim4/update-exim4.conf.conf - s dpkg-reconfigure -u -fnoninteractive exim4-config - fi - # light version does not have sasl auth support. - pi exim4-daemon-heavy spamassassin - - ##### begin spamassassin config - ser enable spamassassin - # per readme.debian - s sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin - s tee -a /etc/default/spamassassin <<$d/override.conf <<'EOF' [Service] -Type=oneshot -ExecStart=/a/bin/distro-setup/spamd-dns-fix -EOF - s dd of=/etc/systemd/system/spamddnsfix.timer <<'EOF' +Restart=always +# time to sleep before restarting a service +RestartSec=1 + [Unit] -Description=run spamd bug fix script every 10 minutes +# StartLimitIntervalSec in recent systemd versions +StartLimitInterval=0 +EOF + if ! systemctl cat openvpn@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then + # needed for the above config to go into effect + m systemctl daemon-reexec + fi -[Timer] -OnActiveSec=60 -# the script looks back 9 minutes into the journal, -# it takes a second to run, -# so lets run every 9 minutes and 10 seconds. -OnUnitActiveSec=550 -[Install] -WantedBy=timers.target + m systemctl enable mailclean.timer + m systemctl start mailclean.timer + m systemctl restart $vpn_ser@mail + m systemctl enable $vpn_ser@mail + m systemctl enable dovecot + m systemctl restart dovecot + ;; + # * not MAIL_HOST + *) # $HOSTNAME != $MAIL_HOST + # remove mail. uses 2 lines to properly remove whitespace + sed -ri -f - /etc/hosts <<'EOF' +s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1# +s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2# EOF - ser daemon-reload - sgo spamddnsfix.timer - # - ##### end spamassassin config - gitslink # needed to install the execstart files below - s dd of=/etc/systemd/system/mailcert.service <<'EOF' -[Unit] -Description=Mail cert rsync -After=multi-user.target + echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]] + if systemctl is-active dnsmasq >/dev/null; then + m systemctl restart dnsmasq # reload does not ensure new config is used + fi + m nscd -i hosts -[Service] -Type=oneshot -ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron + m systemctl disable mailclean.timer &>/dev/null ||: + m systemctl stop mailclean.timer &>/dev/null ||: + m systemctl disable $vpn_ser@mail + m systemctl stop $vpn_ser@mail + # + # + # would only exist because I wrote it i the previous condition, + # it\'s not part of exim + rm -fv /etc/exim4/conf.d/main/000_localmacros + cat >>/etc/exim4/update-exim4.conf.conf </etc/mailname -[Timer] -OnCalendar=daily -[Install] -WantedBy=timers.target + ;;& + ## we use this host to monitor MAIL_HOST + l2) + dovecot-setup + m systemctl enable dovecot + m systemctl restart dovecot + cat >>/etc/exim4/update-exim4.conf.conf </dev/null - done - # end setup passwd.client - - # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost - # i only need .forwards, so just doing that one. - cd /etc/exim4/conf.d/router - a=userforward - b=${a}_higher_priority - tmp=$(mktemp) - of=175_$b - # sed to make the router name unique - sed -r s/^\\S+:/$b:/ 600_exim4-config_$a | s dd of=$tmp 2>/dev/null - if ! diff -q $tmp $of &>/dev/null; then - s dd if=$tmp of=$of >/dev/null + # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere + # is no good. + sed -i --follow-symlinks -f - /etc/aliases <>/etc/exim4/update-exim4.conf.conf <>/etc/fstab + fi + if ! mountpoint -q $sdir; then + m systemctl stop exim4 + if [[ -L $sdir ]]; then + m rm $sdir + fi + if [[ ! -e $dir && -d $sdir ]]; then + m mv $sdir $dir + fi + if [[ ! -d $sdir ]]; then + m mkdir $sdir + m chmod 000 $sdir # only want it to be used when its mounted fi + m mount $sdir + fi +fi - ser restart exim4 +# ** exim/spool uid setup +# i have the spool directory be common to distro multi-boot, so +# we need the uid to be the same. 608 cuz it's kind of in the middle +# of the free system uids. +IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS +IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS +if [[ ! $uid ]]; then + # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options + m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \ + --no-create-home --disabled-login --force-badname Debian-exim +elif [[ $uid != 608 ]]; then + m systemctl stop exim4 ||: + m usermod -u 608 Debian-exim + m groupmod -g 608 Debian-exim + m usermod -g 608 Debian-exim + m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} + + m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} + fi +# * reload exim -# based on http://www.postfix.org/qmgr.8.html and my notes in gnus -dir=/nocow/$type -sdir=/var/spool/$type -if [[ $(readlink -f $sdir) != $dir ]]; then - ser stop $type - if [[ ! -e $dir && -d $sdir ]]; then - s mv $sdir $dir - fi - s lnf -T $dir $sdir +if systemctl is-active exim4 >/dev/null; then + m systemctl reload exim4 +else + m systemctl start exim4 fi -sgo $type + +# * mail monitoring / testing + +case $HOSTNAME in + $MAIL_HOST|l2) + # note: cronjob "ian" also does some important monitoring + cat >/etc/cron.d/mailtest <>/etc/cron.d/mailtest </usr/local/bin/send-test-forward <