X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=b0454841ad1874b53f5a9dc85890743183fb9275;hb=77917a8fbf2032a8b2634a1b3de0879ec45cf213;hp=9b30579ba5c002062e386dfe5055f6bc69169f97;hpb=f95f9128ba77e77d41389810affd475581075246;p=distro-setup

diff --git a/mail-setup b/mail-setup
index 9b30579..b045484 100755
--- a/mail-setup
+++ b/mail-setup
@@ -1,26 +1,28 @@
 #!/bin/bash
-set -x
+# -*- eval: (outline-minor-mode); -*-
+# * intro
+# Copyright (C) 2019 Ian Kelling
+# SPDX-License-Identifier: AGPL-3.0-or-later
 
-# Copyright (C) 2016 Ian Kelling
+if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi
 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+pre="${0##*/}:"
+m() { printf "$pre %s\n"  "$*"; "$@"; }
+e() { printf "$pre %s\n"  "$*"; }
+err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; }
 
-#     http://www.apache.org/licenses/LICENSE-2.0
+shopt -s nullglob
 
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# todo: make quick backups of maildir, or deliver to multiple hosts.
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+if [[ -s /usr/local/lib/err ]]; then
+  source /usr/local/lib/err
+elif [[ -s /a/bin/errhandle/err ]]; then
+  source /a/bin/errhandle/err
+else
+  err "no err tracing script found"
+  exit 1
+fi
 
-[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
 if [[ ! $SUDO_USER ]]; then
   echo "$0: error: requires running as nonroot or sudo"
   exit 1
@@ -30,32 +32,14 @@ u=$SUDO_USER
 
 usage() {
   cat <<EOF
-Usage: ${0##*/} exim4|postfix
-Setup exim4 / postfix / dovecot
-
-The minimal assumption we have is that /etc/mailpass exists
-
-
-I've had problems with postfix on debian:
-on stretch, a startup ordering issue caused all mail to fail.
-postfix changed defaults to only use ipv6 dns, causing all my mail to fail.
-I haven't gotten around to getting a non-debian exim
-setup.
-
-
+Usage: ${0##*/}
+Setup exim4 & dovecot & related things
 
 -h|--help  Print help and exit.
 EOF
   exit $1
 }
 
-type=$1
-postfix() { [[ $type == postfix ]]; }
-exim() { [[ $type == exim4 ]]; }
-
-if ! exim && ! postfix; then
-  usage 1
-fi
 
 
 ####### instructions for icedove #####
@@ -65,41 +49,35 @@ fi
 # hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
 # background: ovecot does not yet have ocsp stapling support
 # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#
+# for phone, k9mail, same thing but username alerts, pass in ivy-pass.
+# also, l2.b8.nz for secondary alerts
+# fetching mail settings: folder poll frequency 10 minutes
 #######
 
 
-####### begin perstent password instructions ######
+# * perstent password instructions
 # # exim passwords:
 # # for hosts which have all private files I just use the same user
 # # for other hosts, each one get\'s their own password.
 # # for generating secure pass, and storing for server too:
-# # user=USUALLY_SAME_AS_HOSTNAME
-# user=li
 # f=$(mktemp)
+# I use $HOSTNAME as username
 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
-# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
-# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
-# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
-# # then run this script, or part of it which uses /etc/mailpass
+# s sed -i "/^$HOSTNAME:/d" /p/c/filesystem/etc/exim4/passwd
+# echo "$HOSTNAME:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
+# reference: exim4_passwd_client(5)
+# echo "mail.iankelling.org:$HOSTNAME:$(<$f)" > /p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+# # then run this script
 
 # # dovecot password, i just need 1 as I\'m the only user
 # mkdir /p/c/filesystem/etc/dovecot
-# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
-# conflink
+# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
 
-
-
-# # for ad-hoc testing of some random new host sending mail:
-# user=li # client host username & hostname
-# f=$(mktemp)
-# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
-# s sed -i "/^$user:/d" /etc/exim4/passwd
-# echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd
-# echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client
 ####### end perstent password instructions ######
 
 
-####### begin persistent dkim/dns instructions #########
+# * persistent dkim/dns instructions
 # # Remove 1 level of comments in this section, set the domain var
 # # for the domain you are setting up, then run this and copy dns settings
 # # into dns.
@@ -121,12 +99,7 @@ fi
 # # lines 2+: append to hold space
 # echo "txt record contents:"
 # echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
-# chmod 644 $domain.pem
-# chmod 640 $domain-private.pem
-# # in conflink, we chown these to group debian
-# conflink
-# # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
-# # via the mail-setup scripts
+# # selector was also put into /etc/exim4/conf.d/main/000_local,
 
 # # 2017-02 dmarc policies:
 # # host -t txt _dmarc.gmail.com
@@ -144,7 +117,6 @@ fi
 # # i include fastmail\'s settings, per their instructions,
 # # and follow their policy. In mail in a box, or similar instructions,
 # # I\'ve seen recommended to not use a restrictive policy.
-# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"
 
 # # to check if dns has updated, you do
 # host -a mesmtp._domainkey.$domain
@@ -155,64 +127,37 @@ fi
 # cat <<'EOF'
 # mx records, 2 records each, for * and empty domain
 # pri 10 mail.iankelling.org
-# pri 20 in1-smtp.messagingengine.com
-# pri 30 in2-smtp.messagingengine.com
 # EOF
 ####### end  persistent dkim instructions #########
 
 
-# misc exim notes:
-# useful exim docs:
-# /usr/share/doc/exim4-base/README.Debian.gz
-# /usr/share/doc/exim4-base/spec.txt.gz
-
-# routers, transports, and authenticators are sections, and you define
-# driver instances in those sections, and the manual calls them driver
-# types but there is also a more specific "type" of driver, which is specified
-# with the driver = some_module setting in the driver.
-
-# the driver option must precede and private options (options that are
-# specific to that driver), so follow example of putting it at beginning.
-
-# The full list of option settings for any particular driver instance,
-# including all the defaulted values, can be extracted by making use of
-# the -bP command line option.
-# exim -bP config_file to see what config file it used
-# exim -bP config to see
-
-# exim clear out message queue. as root:
-# adapted from somewhere on stackoverflow.
-# ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4
-
-# fastmail has changed their smtp server, but the old one still works,
-# I see no reason to bother changing.
-# New one is smtp.fastmail.com
-
-# test delivery & rewrite settings:
-#exim4 -bt iank@localhost
-
-
-postconfin() {
-  local MAPFILE
-  mapfile -t
-  local s
-  postconf -ev "${MAPFILE[@]}"
-}
+# * functions  constants
 e() { printf "%s\n" "$*"; }
-pi() { # package install
-  local s f
+pi() { # package install without starting daemons
+  local f
   if dpkg -s -- "$@" &> /dev/null; then
     return 0;
   fi;
   while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
   f=/var/cache/apt/pkgcache.bin;
   if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
-    apt-get update
+    m apt-get update
+  fi
+  f=/usr/sbin/policy-rc.d
+  dd of=$f 2>/dev/null <<EOF
+#!/bin/sh
+exit 101
+EOF
+  chmod +x $f
+  ret=
+  DEBIAN_FRONTEND=noninteractive m apt-get -y install --purge --auto-remove "$@" || ret=$?
+  rm $f
+  if [[ $ret ]]; then
+    err-exit $ret "failed apt-get install above"
   fi
-  apt-get -y install --purge --auto-remove "$@"
 }
 
-postmaster=$u
+postmaster=alerts
 mxhost=mail.iankelling.org
 mxport=587
 forward=$u@$mxhost
@@ -222,8 +167,13 @@ forward=$u@$mxhost
 # mxport=587
 # forward=ian@iankelling.org
 
-relayhost="[$mxhost]:$mxport" # postfix
-smarthost="$mxhost::$mxport" # exim
+smarthost="$mxhost::$mxport"
+
+## * Install packages
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl dnsmasq openvpn
+# our nostart pi fails to avoid enabling
+sudo systemctl disable openvpn
 
 # trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
@@ -231,185 +181,278 @@ if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
   vpn_ser=openvpn
 fi
 
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
-  # afaik, these will get ignored because they are routing to my own
-  # machine, but rm them is safer
-  rm -f $(eval echo ~$postmaster)/.forward /root/.forward
-else
-  # this can\'t be a symlink and has permission restrictions
-  # it might work in /etc/aliases, but this seems more proper.
-  install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
-fi
-
-# offlineimap uses this too, it is much easier to use one location than to
-# condition it\'s config and postfix\'s config
-if [[ -f /etc/fedora-release ]]; then
-  /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
-fi
-
-if postfix; then
-  # dunno why, but debian installed postfix with builddep emacs
-  # but I will just explicitly install it here since
-  # I use it for sending mail in emacs.
-  if command -v apt-get &> /dev/null; then
-    debconf-set-selections <<EOF
-postfix postfix/main_mailer_type select Satellite system
-postfix postfix/mailname string $(hostname -f)
-postfix postfix/relayhost string $relayhost
-postfix postfix/root_address string $postmaster
-EOF
-    if dpkg -s postfix &>/dev/null; then
-      while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
-      dpkg-reconfigure -u -fnoninteractive postfix
-    else
-      pi postfix
-    fi
-  else
-    source /a/bin/distro-functions/src/package-manager-abstractions
-    pi postfix
-    # Settings from reading the output when installing on debian,
-    # then seeing which were different in a default install on arch.
-    # I assume the same works for fedora.
-    postconfin <<EOF
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-relayhost = $relayhost
-inet_interfaces = loopback-only
-EOF
-
-    systemctl enable postfix
-    systemctl start postfix
-  fi
-  # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
-  postconfin <<'EOF'
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
-smtp_tls_security_level = secure
-message_size_limit =  20480000
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-inet_protocols = ipv4
-EOF
-  # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
-  # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
-  # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
-
-
-  f=/etc/postfix/sasl_passwd
-  install -m 600 /dev/null $f
-  cat /etc/mailpass| while read -r domain port pass; do
-    # format: domain port user:pass
-    # mailpass is just a name i made up, since postfix and
-    # exim both use a slightly crazy format to translate to
-    # each other, it\'s easier to use my own format.
-    printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
-  done
-  postmap hash:/etc/postfix/sasl_passwd
-  # need restart instead of reload when changing
-  # inet_protocols
-  service postfix restart
-
-else # begin exim. has debian specific stuff for now
-
-  pi openvpn
-
-  if [[ -e /p/c/filesystem ]]; then
-    # allow failure of these commands when our internet is down, they are likely not needed,
-    # we check that a valid cert is there already.
-    # to put the hostname in the known hosts
-    if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
-      # This just causes failure if our cert is going to expire in the next 30 days.
-      # Certs I generate last 10 years.
-      openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
-    else
-      # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
-      # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
-      # after my internet was down for a bit:
-      # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
-      /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
-    fi
-  fi
-
-  cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
+uhome=$(eval echo ~$u)
+### * user forward file
+
+case $HOSTNAME in
+  $MAIL_HOST|l2)
+    # afaik, these will get ignored on MAIL_HOST because they are routing to my own
+    # machine, but rm them is safer
+    rm -fv $uhome/.forward /root/.forward
+    ;;
+  *)
+    # this can\'t be a symlink and has permission restrictions
+    # it might work in /etc/aliases, but this seems more proper.
+    e setting $uhome/.forward to $forward
+    install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward
+    ;;
+esac
+
+# * Mail clean cronjob
+
+cat >/etc/systemd/system/mailclean.timer <<'EOF'
 [Unit]
-Description=Run offlineimap-sync once every min
+Description=Run mailclean daily
 
 [Timer]
-OnCalendar=*:0/1
+OnCalendar=monthly
 
 [Install]
 WantedBy=timers.target
 EOF
 
-  cat >/etc/systemd/system/offlineimapsync.service <<EOF
+cat >/etc/systemd/system/mailclean.service <<EOF
 [Unit]
-Description=Offlineimap sync
+Description=Delete and archive old mail files
 After=multi-user.target
 
 [Service]
 User=$u
 Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
 EOF
 
-  cat >/etc/systemd/system/mailclean.timer <<'EOF'
+systemctl daemon-reload
+
+
+# * spamassassin
+
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+  m systemctl stop spamassassin
+  m systemctl disable spamassassin
+else
+
+  # per readme.debian
+  sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+  e CRON=1 >>/etc/default/spamassassin
+  # just noticed this in the config file, seems like a good idea.
+  sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+  e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+
+  m systemctl enable spamassassin
+  m systemctl start spamassassin
+  m systemctl reload spamassassin
+
+  cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
 [Unit]
-Description=Run mailclean daily
+Description=spamd dns bug fix cronjob
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/distro-setup/spamd-dns-fix
+EOF
+  # 2017-09, debian closed the bug on this saying upstream had fixed it.
+  # remove this when i\'m using the newer package, ie, debian 10, or maybe
+  # ubuntu 18.04.
+  cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+[Unit]
+Description=run spamd bug fix script every 10 minutes
 
 [Timer]
-OnCalendar=monthly
+OnActiveSec=60
+# the script looks back 9 minutes into the journal,
+# it takes a second to run,
+# so lets run every 9 minutes and 10 seconds.
+OnUnitActiveSec=550
 
 [Install]
 WantedBy=timers.target
 EOF
+  m systemctl daemon-reload
+  m systemctl restart spamddnsfix.timer
+  m systemctl enable spamddnsfix.timer
+
+fi # [[ $HOSTNAME != "$MAIL_HOST" ]]
+#####   end spamassassin config
+
+
+# * Update mail cert
+if [[ -e /p/c/filesystem ]]; then
+  # allow failure of these commands when our internet is down, they are likely not needed,
+  # we check that a valid cert is there already.
+  # to put the hostname in the known hosts
+  if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
+    # This just causes failure if our cert is going to expire in the next 30 days.
+    # Certs I generate last 10 years.
+    openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
+  else
+    # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
+    # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
+    # after my internet was down for a bit:
+    # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
+    m /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
+  fi
+fi
+
+
 
-  cat >/etc/systemd/system/mailclean.service <<EOF
+f=/usr/local/bin/mail-cert-cron
+cat >$f <<'EOF'
+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+f=/a/bin/bash_unpublished/source-state
+if [[ -e $f ]]; then
+    source $f
+fi
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+  exit 0
+fi
+local_mx=mail.iankelling.org
+mkdir -p /etc/letsencrypt/live/$local_mx
+chmod 700 /etc/letsencrypt/live
+rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
+# allow for temporary connection issues
+${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
+${rsync_common}privkey.pem /etc/exim4/exim.key ||:
+if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+    echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+    exit 1
+fi
+exit 0
+EOF
+m chmod 755 $f
+
+cat >/etc/systemd/system/mailcert.service <<'EOF'
 [Unit]
-Description=Delete and archive old mail files
+Description=Mail cert rsync
 After=multi-user.target
 
 [Service]
-User=$u
 Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
 EOF
 
-  systemctl daemon-reload
+cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
 
-  # wording of question from dpkg-reconfigure exim4-config
-  # 1. internet site; mail is sent and received directly using SMTP
-  # 2. mail sent by smarthost; received via SMTP or fetchmail
-  # 3. mail sent by smarthost; no local mail
-  # 4. local delivery only; not on a network
-  # 5. no configuration at this time
-  #
-  # Note, I have used option 2 in the past for receiving mail
-  # from lan hosts, sending external mail via another smtp server.
-  #
-  # Note, other than configtype, we could set all the options in
-  # both types of configs without harm, they would either be
-  # ignored or be disabled by other settings, but the default
-  # local_interfaces definitely makes things more secure.
-
-  # most of these settings get translated into settings
-  # in /etc/exim4/update-exim4.conf.conf
-  # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
-  # documented in man update-exim4.conf, which outputs to the config that
-  # exim actually reads. except the man page is not perfect, for example,
-  # it doesn't document that it sets
-  # DCconfig_${dc_eximconfig_configtype}" "1"
-  # which is a line from update-exim4.conf, which is a relatively short bash script.
-  # mailname setting sets /etc/mailname
-
-  debconf-set-selections <<EOF
-exim4-config exim4/use_split_config boolean true
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
 EOF
+m systemctl daemon-reload
+m systemctl start mailcert
+m systemctl restart mailcert.timer
+m systemctl enable mailcert.timer
+
+
 
-  source /a/bin/bash_unpublished/source-semi-priv
-  mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
+# * common exim4 config
+source /a/bin/bash_unpublished/source-state
 
-  cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
+if [[ ! $MAIL_HOST ]]; then
+  err "\$MAIL_HOST not set"
+fi
+
+m sudo gpasswd -a iank adm #needed for reading logs
+
+
+### make local bounces go to normal maildir
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+m mkdir -p ${dirs[@]}
+m chown iank:iank /m /m/md
+m ln -sfT /m/md /m/iank
+m chmod 700 /m /m/md
+m chown -R $u:Debian-exim /m/md/bounces
+m chmod 775 ${dirs[@]}
+m usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+  if [[ ! -L $d ]]; then
+    m rm -rf $d
+  fi
+  m ln -sf -T /m/md/bounces $d
+done
+
+# Note, even the server needs permissions of this file right
+# if it exists, so do this up here.
+f=/p/c/filesystem/etc/exim4/passwd.client
+if [[ ! -e $f ]]; then
+  f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+fi
+m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
+
+# by default, only 10 days of logs are kept. increase that.
+m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+
+
+## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+
+rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
+cat >/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_ENABLE = true
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# more verbose logs
+MAIN_LOG_SELECTOR = +all
+
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters. Also allows
+# me exiqgrep and stuff.
+MAIN_TRUSTED_GROUPS = $u
+
+# default is 10. when exim has been down for a bit, fsf mailserver
+# will do a big send in one connection, then exim decides to put
+# the messages in the queue instead of delivering them, to avoid
+# spawning too many delivery processes. Pretty sure my system
+# can handle a lot more, but lets go with this.
+smtp_accept_queue_per_connection = 100
+
+
+DKIM_CANON = relaxed
+DKIM_SELECTOR = li
+
+# from comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# The file is based on the outgoing domain-name in the from-header.
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
+# sign if key exists
+DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+EOF
+
+rm -fv /etc/exim4/rcpt_local_acl # old path
+cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# Only hosts we control send to @mail.iankelling.org, so make sure
 # they are all authed.
 # Note, if we wanted authed senders for all domains,
 # we could make this condition in acl_check_mail
@@ -418,7 +461,8 @@ deny
   !authenticated = *
   domains = mail.iankelling.org
 EOF
-  cat >/etc/exim4/data_local_acl <<'EOF'
+rm -fv /etc/exim4/data_local_acl # old path
+cat >/etc/exim4/conf.d/data_local_acl <<'EOF'
 # Except for the "condition =", this was
 # a comment in the check_data acl. The comment about this not
 # being suitable is mostly bs. The only thing related I found was to
@@ -428,16 +472,21 @@ EOF
 # suggested in official docs, and 100k in the wiki example because
 # those docs are rather old and I see a 110k spam message
 # pretty quickly looking through my spam folder.
-  warn
-    condition = ${if < {$message_size}{2000K}}
-    spam = Debian-exim:true
-    add_header = X-Spam_score: $spam_score\n\
-              X-Spam_score_int: $spam_score_int\n\
-              X-Spam_bar: $spam_bar\n\
-              X-Spam_report: $spam_report
+warn
+  condition = ${if < {$message_size}{2000K}}
+  spam = Debian-exim:true
+  add_header = X-Spam_score: $spam_score\n\
+            X-Spam_score_int: $spam_score_int\n\
+            X-Spam_bar: $spam_bar\n\
+            X-Spam_report: $spam_report
+
+#accept
+#  spf = pass:fail:softfail:none:neutral:permerror:temperror
+#  dmarc_status = reject:quarantine
+#  add_header = Reply-to: dmarctest@iankelling.org
 
 EOF
-  cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
 # from 30_exim4-config_examples
 
 plain_server:
@@ -451,7 +500,7 @@ server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
 .endif
 EOF
 
-  cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
 ### router/900_exim4-config_local_user
 #################################
 
@@ -469,7 +518,7 @@ local_user:
   transport = LOCAL_DELIVERY
   cannot_route_message = Unknown user
 EOF
-  cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
 dovecot_lmtp:
         driver = lmtp
         socket = /var/run/dovecot/lmtp
@@ -477,7 +526,12 @@ dovecot_lmtp:
         batch_max = 200
 EOF
 
-  cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
+mail.fsf.org
+*.posteo.de
+EOF
+
+cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
 # smarthost for fsf mail
 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
 # replaced DCsmarthost with mail.fsf.org
@@ -494,206 +548,201 @@ fsfsmarthost:
 EOF
 
 
-  #### begin mail cert setup ###
-  f=/usr/local/bin/mail-cert-cron
-  cat >$f <<'EOF'
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+cat >/etc/exim4/update-exim4.conf.conf  <<'EOF'
+# default stuff, i havent checked if its needed
+dc_minimaldns='false'
+dc_relay_nets=''
+CFILEMODE='644'
+dc_use_split_config='true'
+dc_local_interfaces=''
+dc_mailname_in_oh='true'
+EOF
 
-[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
 
-f=/a/bin/bash_unpublished/source-semi-priv
-if [[ -e $f ]]; then
-    source $f
-fi
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
-    local_mx=mail.iankelling.org
-    rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
-    ${rsync_common}fullchain.pem /etc/exim4/exim.crt
-    ret=$?
-    ${rsync_common}privkey.pem /etc/exim4/exim.key
-    new_ret=$?
-    if [[ $ret != $new_ret ]]; then
-       echo "$0: error: differing rsync returns, $ret, $new_ret"
-       exit 1
-    fi
-fi
-if [[ $new_ret != 0 ]]; then
-    if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
-        echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
-        exit 1
+# ** dovecot
+dovecot-setup() {
+  # based on a little google and package search, just the dovecot
+  # packages we need instead of dovecot-common.
+  #
+  # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+  # directly.  The reason to do this is to use dovecot\'s sieve, which
+  # has extensions that allow it to be almost equivalent to exim\'s
+  # filter capabilities, some ways probably better, some worse, and
+  # sieve has the benefit of being supported in postfix and
+  # proprietary/weird environments, so there is more examples on the
+  # internet. I was torn about whether to do this or not, meh.
+  pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+  for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
+    e $f
+    if [[ -e $f ]]; then
+      m sudo rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
+      break
     fi
-fi
-exit 0
-EOF
-  chmod 755 $f
-
-  cat >/etc/systemd/system/mailcert.service <<'EOF'
-[Unit]
-Description=Mail cert rsync
-After=multi-user.target
+  done
+  for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
+    m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/}
+  done
+  # If we changed 90-sieve.conf and removed the active part of the
+  # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+  # default config if not needed. This won\'t work as a symlink in /a/c
+  # unfortunately.
+  if [[ -e $uhome/sieve/personal.sieve ]]; then
+    m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
+  fi
 
-[Service]
-Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
+  # we set this later in local.conf
+  sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+/^\s*mail_location\s*=/d
 EOF
 
-  cat >/etc/systemd/system/mailcert.timer <<'EOF'
-[Unit]
-Description=Run mail-cert once a day
+  cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+  mail_plugins = \$mail_plugins sieve
+# default was
+  #mail_plugins = \$mail_plugins
 
-[Timer]
-OnCalendar=daily
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+#  auth_username_format = %Ln
+#
+#  or else # Exim says something like
+#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+#  debug_print = "R: catchall for \$local_part@\$domain"
+#  driver = redirect
+#  domains = +local_domains
+#  data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+  auth_username_format = $u
+}
 
-[Install]
-WantedBy=timers.target
 EOF
-  systemctl daemon-reload
-  systemctl start mailcert
-  systemctl restart mailcert.timer
-  systemctl enable mailcert.timer
-
-  ##### end mailcert setup #####
 
 
+  cat >/etc/dovecot/local.conf <<EOF
+# so I can use a different login that my shell login for mail.  this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
 
-  if [[ $HOSTNAME == $MAIL_HOST ]]; then
-
-    debconf-set-selections <<EOF
-# Mail Server configuration
-# -------------------------
-
-# Please select the mail server configuration type that best meets your needs.
-
-# Systems with dynamic IP addresses, including dialup systems, should generally be
-# configured to send outgoing mail to another machine, called a 'smarthost' for
-# delivery because many receiving systems on the Internet block incoming mail from
-# dynamic IP addresses as spam protection.
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
-# A system with a dynamic IP address can receive its own mail, or local delivery can be
-# disabled entirely (except mail for root and postmaster).
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
 
-#   1. internet site; mail is sent and received directly using SMTP
-#   2. mail sent by smarthost; received via SMTP or fetchmail
-#   3. mail sent by smarthost; no local mail
-#   4. local delivery only; not on a network
-#   5. no configuration at this time
+# ian: %u is used for alerts user vs iank
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
 
-# General type of mail configuration: 1
-exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
+EOF
+  ####### end dovecot-setup ########
+}
 
 
 
-# The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
-# name.
+# * if MAIL_HOST
+case $HOSTNAME in
+  $MAIL_HOST)
+    dovecot-setup
 
-# This name will also be used by other programs. It should be the single, fully
-# qualified domain name (FQDN).
+    # ** exim
 
-# Thus, if a mail address on the local host is foo@example.org, the correct value for
-# this option would be example.org.
+    sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
+         /p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/
 
-# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
 
-# System mail name:
-# iank: see comment elsewhere on mailname
-exim4-config exim4/mailname string mail.iankelling.org
+    # mail.iankelling.org so local imap clients can connect with tls and
+    # when they happen to not be local.
+    sed -ri -f - /etc/hosts <<'EOF'
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
+/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
+EOF
 
+    # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
+    # weve configured this file in dnsmasq if we are using it.
+    /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
+server=/mail.iankelling.org/127.0.1.1
+EOF
+    if systemctl is-active dnsmasq >/dev/null; then
+      m systemctl restart dnsmasq
+    fi
+    m nscd -i hosts
 
+    # I used to use debconf-set-selections + dpkg-reconfigure,
+    # which then updates this file
+    # but the process is slower than updating it directly and then I want to set other things in
+    # update-exim4.conf.conf, so there's no point.
+    # The file is documented in man update-exim4.conf,
+    # except the man page is not perfect, read the bash script to be sure about things.
 
+    # The debconf questions output is additional documentation that is not
+    # easily accessible, but super long, along with the initial default comment in this
+    # file, so I've saved that into ./mail-notes.conf.
 
-# Please enter a semicolon-separated list of recipient domains for which this machine
-# should consider itself the final destination. These domains are commonly called
-# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
-# to the list given here.
+    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# note: some things we don't set that are here by default because they are unused.
 
-# By default all local domains will be treated identically. If both a.example and
-# b.example are local domains, acc@a.example and acc@b.example will be delivered to the
-# same final destination. If different domain names should be treated differently, it
-# is necessary to edit the config files afterwards.
+dc_eximconfig_configtype='internet'
 
-# Other destinations for which mail is accepted:
+# man page: is used to build the local_domains list, together with "localhost"
 # iank.bid is for testing
 # mail.iankelling.org is for machines i own
-exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz
-
-
-
-
-# Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
-# daemon will listen on all IP addresses listed here.
-
-# An empty value will cause Exim to listen for connections on all available network
-# interfaces.
-
-# If this system only receives mail directly from local services (and not from other
-# hosts), it is suggested to prohibit external connections to the local Exim daemon.
-# Such services include e-mail programs (MUAs) which talk to localhost only as well as
-# fetchmail. External connections are impossible when 127.0.0.1 is entered here, as
-# this will disable listening on public network interfaces.
-
-# IP-addresses to listen on for incoming SMTP connections:
-exim4-config exim4/dc_local_interfaces	string
-
-
-
-
-# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
-# to the user account of the actual system administrator.
-
-# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
-# recommended.
-
-# Note that postmaster\'s mail should be read on the system to which it is directed,
-# rather than being forwarded elsewhere, so (at least one of) the users listed here
-# should not redirect their mail off this machine. A 'real-' prefix can be used to
-# force local delivery.
-
-# Multiple user names need to be separated by spaces.
-
-# Root and postmaster mail recipient:
-exim4-config exim4/dc_postmaster string $postmaster
-
-
-
-# Exim is able to store locally delivered email in different formats. The most commonly
-# used ones are mbox and Maildir. mbox uses a single file for the complete mail folder
-# stored in /var/mail/. With Maildir format every single message is stored in a
-# separate file in ~/Maildir/.
+dc_other_hostnames='*.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz'
+
+# from man page:
+# Is  a  list  of  domains for which we accept mail from anywhere on the Internet but which are not delivered locally, e.g.
+# because this machine serves as secondary MX for these domains. Sets MAIN_RELAY_TO_DOMAINS.
+# todo: we should not accept from anywhere, only the mx for fsf.
+dc_relay_domains='*.fsf.org;fsf.org'
+dc_localdelivery='dovecot_lmtp'
+EOF
 
-# Please note that most mail tools in Debian expect the local delivery method to be
-# mbox in their default.
 
-#   1. mbox format in /var/mail/  2. Maildir format in home directory
+    # the debconf output about mailname is as follows:
+    # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
+    # name.
+    # This name will also be used by other programs. It should be the single, fully
+    # qualified domain name (FQDN).
+    # Thus, if a mail address on the local host is foo@example.org, the correct value for
+    # this option would be example.org.
+    # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
 
-# Delivery method for local mail: 2
-exim4-config exim4/dc_localdelivery select Maildir format in home directory
-EOF
     echo mail.iankelling.org > /etc/mailname
 
     # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
     # smarthost config type, not sure. all other settings
     # would be unused in that config type.
-    rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
-    cat >/etc/exim4/conf.d/main/000_local <<EOF
+    cat >>/etc/exim4/conf.d/main/000_local <<EOF
 # enable 587 in addition to the default 25, so that
 # i can send mail where port 25 is firewalled by isp
 daemon_smtp_ports = 25 : 587
-# i don't have ipv6 setup for my vpn tunnel yet.
-disable_ipv6 = true
-
-MAIN_TLS_ENABLE = true
-
-DKIM_CANON = relaxed
-DKIM_SELECTOR = li
 
-# from comments in
-# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
-
-# The file is based on the outgoing domain-name in the from-header.
-DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
-# sign if key exists
-DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
 
 
 # failing message on mail-tester.com:
@@ -707,32 +756,10 @@ DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exi
 # Seems logical for this to be the same as mailname.
 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
 
-# normally empty, I set this so I can set the envelope address
-# when doing mail redelivery to invoke filters
-MAIN_TRUSTED_GROUPS = $u
-
-LOCAL_DELIVERY = dovecot_lmtp
-
 # options exim has to avoid having to alter the default config files
-CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
-CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
 
-# debian exim config added this in 2016 or so?
-# it's part of the smtp spec, to limit lines to 998 chars
-# but a fair amount of legit mail does not adhere to it. I don't think
-# this should be default, like it says in
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
-# todo: the bug for introducing this was about headers, but
-# the fix maybe is for all lines? one says gmail rejects, the
-# other says gmail does not reject. figure out and open a new bug.
-IGNORE_SMTP_LINE_LENGTH_LIMIT = true
-
-# most of the ones that gmail seems to use.
-# Exim has horrible default of signing unincluded
-# list- headers since they got mentioned in an
-# rfc, but this messes up mailing lists, like gnu/debian which want to
-# keep your dkim signature intact but add list- headers.
-DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
 
 # recommended if dns is expected to work
 CHECK_RCPT_VERIFY_SENDER = true
@@ -741,98 +768,28 @@ CHECK_DATA_VERIFY_HEADER_SENDER = true
 CHECK_RCPT_SPF = true
 CHECK_RCPT_REVERSE_DNS = true
 CHECK_MAIL_HELO_ISSUED = true
-EOF
-
 
-    ####### begin dovecot setup ########
-    # based on a little google and package search, just the dovecot
-    # packages we need instead of dovecot-common.
-    #
-    # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
-    # directly.  The reason to do this is to use dovecot\'s sieve, which
-    # has extensions that allow it to be almost equivalent to exim\'s
-    # filter capabilities, some ways probably better, some worse, and
-    # sieve has the benefit of being supported in postfix and
-    # proprietary/weird environments, so there is more examples on the
-    # internet. I was torn about whether to do this or not, meh.
-    pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
-    # if we changed 90-sieve.conf and removed the active part of the
-    # sieve option, we wouldn\'t need this, but I\'d rather not modify a
-    # default config if not needed. This won\'t work as a symlink in /a/c
-    # unfortunately.
-    sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
-
-    sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
-/^\s*mail_location\s*=/d
+# testing dmarc
+#dmarc_tld_file = /etc/public_suffix_list.dat
 EOF
 
-    cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
-  mail_plugins = \$mail_plugins sieve
-# default was
-  #mail_plugins = \$mail_plugins
-
-# For a normal setup with exim, we need something like this, which
-# removes the domain part
-#  auth_username_format = %Ln
-#
-#  or else # Exim says something like
-#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
-# Dovecot verbose log says something like
-# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
-# reference: http://wiki.dovecot.org/LMTP/Exim
-#
-# However, I use this to direct all mail to the same inbox.
-# A normal way to do this, which I did at first is to have
-# a router in exim almost at the end, eg 950,
-#local_catchall:
-#  debug_print = "R: catchall for \$local_part@\$domain"
-#  driver = redirect
-#  domains = +local_domains
-#  data = $u
-# based on
-# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
-# with superflous options removed.
-# However, this causes the envelope to be rewritten,
-# which makes filtering into mailboxes a little less robust or more complicated,
-# so I've done it this way instead. it also requires
-# modifying the local router in exim.
-  auth_username_format = $u
-}
-
+    f=/etc/cron.daily/refresh-dmarc-tld-file
+    cat >$f <<'EOF'
+#!/bin/bash
+cd /etc
+wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
 EOF
+    m chmod 755 $f
 
-
-    cat >/etc/dovecot/local.conf <<'EOF'
-# so I can use a different login that my shell login for mail.  this is
-# worth doing solely for the reason that if this login is compromised,
-# it won't also compromise my shell password.
-!include conf.d/auth-passwdfile.conf.ext
-
-# settings derived from wiki and 10-ssl.conf
-ssl = required
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-
-# ian: added this, more secure, per google etc
-ssl_prefer_server_ciphers = yes
-
-# for debugging info, uncomment these.
-# logs go to syslog and to /var/log/mail.log
-# auth_verbose=yes
-#mail_debug=yes
+    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: $postmaster
+/^root:/d
 EOF
-    ####### end dovecot setup ########
+
 
     # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-    d=/etc/systemd/system/openvpn@mail
-    mkdir -p $d
+    d=/etc/systemd/system/openvpn@mail.service.d
+    m mkdir -p $d
     cat >$d/override.conf <<'EOF'
 [Service]
 Restart=always
@@ -843,201 +800,230 @@ RestartSec=1
 # StartLimitIntervalSec in recent systemd versions
 StartLimitInterval=0
 EOF
+    if ! systemctl cat openvpn@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then
+      # needed for the above config to go into effect
+      m systemctl daemon-reexec
+    fi
 
-    systemctl enable offlineimapsync.timer
-    systemctl start offlineimapsync.timer
-    systemctl enable mailclean.timer
-    systemctl start mailclean.timer
-    systemctl restart $vpn_ser@mail
-    systemctl enable $vpn_ser@mail
-    systemctl enable dovecot
-    systemctl restart dovecot
-
-  else # $HOSTNAME != $MAIL_HOST
-    systemctl disable offlineimapsync.timer &>/dev/null ||:
-    systemctl stop offlineimapsync.timer &>/dev/null ||:
-    systemctl disable mailclean.timer &>/dev/null ||:
-    systemctl stop mailclean.timer &>/dev/null ||:
-    systemctl disable $vpn_ser@mail
-    systemctl stop $vpn_ser@mail
-    systemctl disable dovecot ||:
-    systemctl stop dovecot ||:
+
+    m systemctl enable mailclean.timer
+    m systemctl start mailclean.timer
+    m systemctl restart $vpn_ser@mail
+    m systemctl enable $vpn_ser@mail
+    m systemctl enable dovecot
+    m systemctl restart dovecot
+    ;;
+  # * not MAIL_HOST
+  *) # $HOSTNAME != $MAIL_HOST
+    # remove mail. uses 2 lines to properly remove whitespace
+    sed -ri -f - /etc/hosts <<'EOF'
+s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
+s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
+EOF
+
+    echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
+    if systemctl is-active dnsmasq >/dev/null; then
+      m systemctl restart dnsmasq # reload does not ensure new config is used
+    fi
+    m nscd -i hosts
+
+    m systemctl disable mailclean.timer &>/dev/null ||:
+    m systemctl stop mailclean.timer &>/dev/null ||:
+    m systemctl disable $vpn_ser@mail
+    m systemctl stop $vpn_ser@mail
     #
     #
     # would only exist because I wrote it i the previous condition,
     # it\'s not part of exim
-    rm -f /etc/exim4/conf.d/main/000_localmacros
-    debconf-set-selections <<EOF
-exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
-exim4-config exim4/dc_smarthost string $smarthost
-# afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
-# if it does exist, it immediately changes the value to whats in /etc/mailname.
-# So, I don't think there's any point in setting it, but might as well since
-# ignoring what I set here is brain dead and might change.
-exim4-config exim4/mailname string $(hostname -f)
+    rm -fv /etc/exim4/conf.d/main/000_localmacros
+    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+dc_eximconfig_configtype='smarthost'
+dc_smarthost='$smarthost'
+# The manpage incorrectly states this will do header rewriting, but
+# that only happens if we have dc_hide_mailname is set.
+dc_readhost='iankelling.org'
 EOF
-    hostname -f > /etc/mailname
 
-  fi # end $HOSTNAME != $MAIL_HOST
+    hostname -f >/etc/mailname
 
-  # if we already have it installed, need to reconfigure, without being prompted
-  if dpkg -s exim4-config &>/dev/null; then
-    # gotta remove this, otherwise the set-selections are completely
-    # ignored. It woulda been nice if this was documented somewhere!
-    rm -f /etc/exim4/update-exim4.conf.conf
-    while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
-    dpkg-reconfigure -u -fnoninteractive exim4-config
-  fi
 
-  # i have the spool directory be common to distro multi-boot, so
-  # we need the uid to be the same. 608 cuz it's kind of in the middle
-  # of the free system uids.
-  IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
-  IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
-  if [[ ! $uid ]]; then
-    # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
-    adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
-	    --no-create-home --disabled-login --force-badname Debian-exim
-  elif [[ $uid != 608 ]]; then
-    systemctl stop exim4 ||:
-    usermod -u 608 Debian-exim
-    groupmod -g 608 Debian-exim
-    usermod -g 608 Debian-exim
-    find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
-    find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
-  fi
+    ;;&
+  ## we use this host to monitor MAIL_HOST
+  l2)
+    dovecot-setup
+    m systemctl enable dovecot
+    m systemctl restart dovecot
+    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# man page: is used to build the local_domains list, together with "localhost"
+# mail.iankelling.org is for machines i own
+dc_other_hostnames='l2.b8.nz'
+dc_localdelivery='dovecot_lmtp'
+EOF
+    # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
+    # is no good.
+    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: iank
+/^root:/d
+EOF
+    ;;
+  # not l2 and not MAIL_HOST
+  *)
 
 
-  # light version of exim does not have sasl auth support.
-  pi exim4-daemon-heavy spamassassin spf-tools-perl
+    # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
+    # is no good.
+    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: root@mail.iankelling.org
+/^root:/d
+EOF
+    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# Only used in case of bounces.
+dc_localdelivery='maildir_home'
+EOF
+    m systemctl disable dovecot ||:
+    m systemctl stop dovecot ||:
+    ;;
+esac # end $HOSTNAME != $MAIL_HOST
 
+# * spool dir setup
 
+# ** bind mount setup
+# put spool dir in directory that spans multiple distros.
+# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
+#
+# todo: I\'m suspicious of uids for Debian-exim being the same across
+# distros. It would be good to test this.
+dir=/nocow/exim4
+sdir=/var/spool/exim4
+# we only do this if our system has $dir
 
-  ##### begin spamassassin config
-  systemctl enable spamassassin
-  # per readme.debian
-  sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
-  e CRON=1 >>/etc/default/spamassassin
-  # just noticed this in the config file, seems like a good idea.
-  sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
-  e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
-  systemctl start spamassassin
-  systemctl reload spamassassin
+# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
+# about 2 seconds later, exim starts, and immediately puts into paniclog:
+# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
+# so, im trying a bind mount to get rid of that.
+if [[ -e /nocow ]]; then
+  if ! grep -Fx "/nocow/exim4  /var/spool/exim4  none  bind  0 0" /etc/fstab; then
+    echo "/nocow/exim4  /var/spool/exim4  none  bind  0 0" >>/etc/fstab
+  fi
+  if ! mountpoint -q $sdir; then
+    m systemctl stop exim4
+    if [[ -L $sdir ]]; then
+      m rm $sdir
+    fi
+    if [[ ! -e $dir && -d $sdir ]]; then
+      m mv $sdir $dir
+    fi
+    if [[ ! -d $sdir ]]; then
+      m mkdir $sdir
+      m chmod 000 $sdir # only want it to be used when its mounted
+    fi
+    m mount $sdir
+  fi
+fi
 
-  cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
-[Unit]
-Description=spamd dns bug fix cronjob
 
-[Service]
-Type=oneshot
-ExecStart=/a/bin/distro-setup/spamd-dns-fix
-EOF
-  # 2017-09, debian closed the bug on this saying upstream had fixed it.
-  # remove this when i\'m using the newer package, ie, debian 10, or maybe
-  # ubuntu 18.04.
-  cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
-[Unit]
-Description=run spamd bug fix script every 10 minutes
 
-[Timer]
-OnActiveSec=60
-# the script looks back 9 minutes into the journal,
-# it takes a second to run,
-# so lets run every 9 minutes and 10 seconds.
-OnUnitActiveSec=550
+# ** exim/spool uid setup
+# i have the spool directory be common to distro multi-boot, so
+# we need the uid to be the same. 608 cuz it's kind of in the middle
+# of the free system uids.
+IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
+IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
+if [[ ! $uid ]]; then
+  # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
+  m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
+    --no-create-home --disabled-login --force-badname Debian-exim
+elif [[ $uid != 608 ]]; then
+  m systemctl stop exim4 ||:
+  m usermod -u 608 Debian-exim
+  m groupmod -g 608 Debian-exim
+  m usermod -g 608 Debian-exim
+  m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} +
+  m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} +
+fi
 
-[Install]
-WantedBy=timers.target
-EOF
-  systemctl daemon-reload
-  systemctl restart spamddnsfix.timer
-  systemctl enable spamddnsfix.timer
-  #
-  #####   end spamassassin config
 
 
 
+# * reload exim
 
+if systemctl is-active exim4 >/dev/null; then
+  m systemctl reload exim4
+else
+  m systemctl start exim4
+fi
 
-  # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
-  # i only need .forwards, so just doing that one.
-  cd /etc/exim4/conf.d/router
-  b=userforward_higher_priority
-  # replace the router name so it is unique
-  sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
 
-  # begin setup passwd.client
-  f=/etc/exim4/passwd.client
-  rm -f /etc/exim4/passwd.client
-  install -m 640 -g Debian-exim /dev/null $f
-  cat /etc/mailpass| while read -r domain port pass; do
-    # reference: exim4_passwd_client(5)
-    printf "%s:%s\n" "$domain" "$pass" >>$f
-  done
-  # end setup passwd.client
+# * mail monitoring / testing
 
-  # by default, only 10 days of logs are kept. increase that.
-  sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+case $HOSTNAME in
+  $MAIL_HOST|l2)
+    # note: cronjob "ian" also does some important monitoring
+    cat >/etc/cron.d/mailtest <<EOF
+SHELL=/bin/bash
+PATH=/usr/bin:/bin:/usr/local/bin
+*/5 * * * *   $u send-test-forward |& log-once send-test-forward
+*/10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
+EOF
+    ;;&
+  $MAIL_HOST)
+    test_from=ian@iankelling.org
+    test_to=iank@posteo.de
+
+    cat >>/etc/cron.d/mailtest <<EOF
+*/5 * * * *   $u mailtest-check |& log-once -1 mailtest-check
+2   * * * *   $u check-remote-mailqs |& log-once check-remote-mailqs
+EOF
+    m sudo rsync -ahhi --chown=root:root --chmod=0755 \
+      /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+    ;;&
+  l2)
+    test_from=iank@l2.b8.nz
+    test_to=testignore@iankelling.org
+    ;;&
+  $MAIL_HOST|l2)
+    cat >/usr/local/bin/send-test-forward <<EOFOUTER
+#!/bin/bash
+/usr/sbin/exim -t <<EOF
+From: $test_from
+To: $test_to
+Subject: primary_test \$(date +%s) \$(date +%Y-%m-%dT%H:%M:%S%z)
 
-  systemctl restart exim4
+eom
+EOF
+EOFOUTER
+    m chmod +x /usr/local/bin/send-test-forward
+    ;;
+  *)
+    rm -fv /etc/cron.d/mailtest
+    ;;
+esac
 
-fi  #### end if exim4
 
-# /etc/alias setup is debian specific, and
-# exim config sets up an /etc/alias from root to the postmaster, which i
-# config to ian, as long as there exists an entry for root, or there was
-# no preexisting aliases file. based on the postinst file. postfix
-# won\'t set up a root to $postmaster alias if it\'s already installed.
-# Since postfix is not the greatest, just set it ourselves.
-if [[ $postmaster != root ]]; then
-  sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: $postmaster
-/^root:/d
-EOF
-  newaliases
-fi
 
-# put spool dir in directory that spans multiple distros.
-# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
-#
-# todo: I\'m suspicious of uids for Debian-exim being the same across
-# distros. It would be good to test this.
-dir=/nocow/$type
-sdir=/var/spool/$type
-# we only do this if our system has $dir
-if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
-  systemctl stop $type
-  if [[ ! -e $dir && -d $sdir ]]; then
-    mv $sdir $dir
-  fi
-  /a/exe/lnf -T $dir $sdir
-fi
+# * misc
+m sudo -u $u ln -sf -T /m/.mu /home/$u/.mu
+
+
+# /etc/alias setup is debian specific, and exim postinst script sets up
+# an /etc/alias from root to the postmaster, based on the question
+# exim4-config exim4/dc_postmaster, as long as there exists an entry for
+# root, or there was no preexisting aliases file. postfix won\'t set up
+# a root to $postmaster alias if it\'s already installed. Easiest to
+# just set it ourselves.
+
+# debconf question for postmaster:
+# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
+# to the user account of the actual system administrator.
+# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
+# recommended.
+# Note that postmaster\'s mail should be read on the system to which it is directed,
+# rather than being forwarded elsewhere, so (at least one of) the users listed here
+# should not redirect their mail off this machine. A 'real-' prefix can be used to
+# force local delivery.
+# Multiple user names need to be separated by spaces.
+# Root and postmaster mail recipient:
+
 
-systemctl restart $type
-systemctl enable $type
-
-# MAIL_HOST also does radicale, and easier to start and stop it here
-# for when MAIL_HOST changes, so radicale gets the synced files and
-# does not stop us from remounting /o.
-if dpkg -s radicale &>/dev/null; then
-  if [[ $HOSTNAME == $MAIL_HOST ]]; then
-    systemctl restart radicale
-    systemctl enable radicale
-    if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
-      mv /etc/logrotate.d/radicale{.disabled,}
-    fi
-  else
-    systemctl stop radicale
-    systemctl disable radicale
-    # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
-    if [[ -e /etc/logrotate.d/radicale ]]; then
-      mv /etc/logrotate.d/radicale{,.disabled}
-    fi
-  fi
-fi
 exit 0
 :
-# if I wanted the from address to be renamed and sent to a different address,
-# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
-# sudo postmap hash:/etc/postfix/recipient_canonical
-# sudo service postfix reload