X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=b3cb092539fc6b6ccd079c0c102ce74980a77d0f;hb=602a1874cc11a7d371890cdae4c0dc982267ea89;hp=0514ea55998b10e1048e44de542a548b72ac9b19;hpb=c5ef5441cb9193cbc9e27466945bf5daf72fce34;p=distro-setup diff --git a/mail-setup b/mail-setup index 0514ea5..b3cb092 100755 --- a/mail-setup +++ b/mail-setup @@ -3,21 +3,26 @@ # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later -# todo: sandbox / harden exim: -# 1. stop it from running as root. how? -# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html -# * avoid using .forward files, remove that router -# * set deliver_drop_privilege -# * set user to run as Debian-exim in systemd -# * set port to something like 2500, and forward 25 to 2500 with iptables. same for 587. -# https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/1334552#1334552 -# * consider whether other routers like postmaster need modification / removal. -# 2. restrict its filesystem access from within systemd +# todo: max line length macro changed in t11. look into it +# todo: check that all macros we use are still valid in t11 + +# todo: setup an alert for bouncing test emails. + +# todo: bounces to my fsf mail can come from fsf@iankelling.org, +# think about making bounces go from the original address. + +# todo: add a prometheus alert for dovecot. + +# todo: handle errors like this: +# Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring. +# Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. +#eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago +#Debian-+ 1954 1 0 36231 11560 4 Apr02 ? 00:40:25 /usr/sbin/exim4 -bd -q30m +#Debian-+ 23058 1954 0 36821 10564 0 20:38 ? 00:00:00 /usr/sbin/exim4 -bd -q30m # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it. # todo: consider hardening cups listening on 0.0.0.0 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use. -# todo: check that spamd and unbound only listen locally. # todo: hosts should only allow external mail that is authed and # destined for backup route. it is a minor issue since traffic is @@ -26,17 +31,9 @@ # todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist # instead of a simple rejection like it should. -# todo: auto restart of je on checkrestart - # todo: run mailping test after running, or otherwise # clear out terminal alert -# todo: reinstall bk with bigger filesystem - -# todo: on bk, dont send email if mailvpn is not up - -# todo: mailtest-check should check on bk too - # todo: disable postgrey # todo: in testforward-check, we should also look @@ -149,7 +146,7 @@ fi [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" - +# note, this is hardcoded in /etc/exim4/conf.d/main/000_local u=$(id -nu 1000) @@ -178,9 +175,10 @@ fi # background: dovecot does not yet have ocsp stapling support # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 # -# for phone, k9mail, same thing but username alerts, pass in ivy-pass. +# for phone, k9mail, fdroid, same thing but username alerts, pass in ivy-pass. # also, bk.b8.nz for secondary alerts, username is iank. same alerts pass. -# fetching mail settings: folder poll frequency 10 minutes +# fetching mail settings: folder poll frequency 10 minutes. +# account settings, fetching mail, push folders: All. Then disable the persistent notification. ####### @@ -292,7 +290,11 @@ fi i() { # install file local tmp tmpdir dest="$1" local base="${dest##*/}" - mkdir -p ${dest%/*} + local dir="${dest%/*}" + if [[ $dir != "$base" ]]; then + # dest has a directory component + mkdir -p "$dir" + fi ir=false # i result tmpdir=$(mktemp -d) cat >$tmpdir/"$base" @@ -347,7 +349,6 @@ stopifactive() { mxhost=mx.iankelling.org mxport=587 -forward=$u@$mxhost # old setup. left as comment for example # mxhost=mail.messagingengine.com @@ -378,7 +379,7 @@ esac # * Install universal packages -# installs epanicclean +# installs epanicclean iptables-exim ip6tables-exim /a/bin/ds/install-my-scripts if [[ $(debian-codename-compat) == bionic ]]; then @@ -390,11 +391,17 @@ EOF fi # light version of exim does not have sasl auth support. -pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound clamav-daemon wireguard +# note: for bitfolk hosts, unbound has important config with conflink. +pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard # note: pyzor debian readme says you need to run some initialization command # but its outdated. -pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot +pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban +case $HOSTNAME in + je) : ;; + # not included due to using wireguard: openvpn + *) pi wget git unzip iptables ;; +esac # bad packages that sometimes get automatically installed pu openresolv resolvconf @@ -455,7 +462,7 @@ m usermod -a -G Debian-exim clamav i /etc/systemd/system/clamav-daemon.service.d/fix.conf <&2 - exit 1 - fi - ;; -esac + +# With openvpn, I didn't get around to persisting the openvpn +# cert/configs into /p/c/machine_specific/bk, so I had this case to +# manually get the cert. However, we aren't using openvpn anymore, so it +# is commented out. +# +# case $HOSTNAME in +# bk) +# if [[ ! -e /etc/openvpn/client/mail.conf ]]; then +# echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2 +# exit 1 +# fi +# ;; +# esac m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin @@ -833,6 +903,129 @@ if $bhost_t && [[ ! -e /etc/exim4/certs/$wghost/privkey.pem ]]; then --deploy-hook /a/bin/ds/le-exim-deploy -d $wghost fi +# * fail2ban + +# todo: test that these configs actually work, eg run +# s iptables-exim -S +# and see someone is banned. + +sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \ + /etc/fail2ban/action.d/iptables-multiport.conf| i /etc/fail2ban/action.d/iptables-exim.conf +i /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF' +# iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim + +# Fail2Ban configuration file +# +# Author: Daniel Black +# +# This is a included configuration file and includes the definitions for the iptables +# used in all iptables based actions by default. +# +# The user can override the defaults in iptables-common.local +# +# Modified: Alexander Koeppe , Serg G. Brester +# made config file IPv6 capable (see new section Init?family=inet6) + +[INCLUDES] + +after = iptables-blocktype.local + iptables-common.local +# iptables-blocktype.local is obsolete + +[Definition] + +# Option: actionflush +# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) +# Values: CMD +# +actionflush = -F f2b- + + +[Init] + +# Option: chain +# Notes specifies the iptables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT + +# Default name of the chain +# +name = default + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] Default: +# +port = ssh + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp | icmp | all ] Default: tcp +# +protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable + +# Option: returntype +# Note: This is the default rule on "actionstart". This should be RETURN +# in all (blocking) actions, except REJECT in allowing actions. +# Values: STRING +returntype = RETURN + +# Option: lockingopt +# Notes.: Option was introduced to iptables to prevent multiple instances from +# running concurrently and causing irratic behavior. -w was introduced +# in iptables 1.4.20, so might be absent on older systems +# See https://github.com/fail2ban/fail2ban/issues/1122 +# Values: STRING +lockingopt = -w + +# Option: iptables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +iptables = /usr/local/bin/iptables-exim + + +[Init?family=inet6] + +# Option: blocktype (ipv6) +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp6-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp6-port-unreachable + +# Option: iptables (ipv6) +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +iptables = /usr/local/bin/ip6tables-exim +EOF + +i /etc/fail2ban/jail.d/exim.local <<'EOF' +[exim] +enabled = true +port = 25,587 +filter = exim +banaction = iptables-exim + +# 209.51.188.13 = mail.fsf.org +# 2001:470:142::13 = mail.fsf.org +# 209.51.188.92 = eggs.gnu.org +# 2001:470:142:3::10 = eggs.gnu.org +# 72.14.176.105 2600:3c00:e000:280::2 = mail.iankelling.org +# 10.173.8.1 = non-nn net +ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1 +EOF +if $ir; then + m systemctl restart fail2ban +fi + # * common exim4 config @@ -865,10 +1058,8 @@ awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /et esac done -if ! grep -q "^ncsoft:" /etc/aliases; then - echo "ncsoft: graceq2323@gmail.com" |m tee -a /etc/aliases -fi +. /a/bin/bash_unpublished/priv-mail-setup m gpasswd -a iank adm #needed for reading logs @@ -901,16 +1092,24 @@ if (( ${#files[@]} )); then ${files[@]} /etc/exim4 fi -# by default, only 10 days of logs are kept. increase that. -m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base - +# By default, only 10 days of logs are kept. increase that. +# And dont compress, I look back at logs too often and +# dont need the annoyance of decompressing them all the time. +m sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base +files=(/var/log/exim4/*.gz) +if (( ${#files[@]} )); then + gunzip ${files[@]} +fi -## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost -# i only need .forwards, so just doing that one. -cd /etc/exim4/conf.d/router -b=userforward_higher_priority -# replace the router name so it is unique -sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b +## disabled. not using .forward files, but this is still interesting +## for reference. +# ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost +# # i only need .forwards, so just doing that one. +# cd /etc/exim4/conf.d/router +# b=userforward_higher_priority +# # replace the router name so it is unique +# sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b +rm -fv /etc/exim4/conf.d/router/175_userforward_higher_priority # todo, consider 'separate' in etc/exim4.conf, could it help on busy systems? @@ -929,17 +1128,59 @@ rm -fv /etc/exim4/conf.d/retry/37_retry cat >/etc/exim4/conf.d/retry/17_retry <<'EOF' # Retry fast for my own domains -iankelling.org * F,1d,10m;F,14d,1h -amnimal.ninja * F,1d,10m;F,14d,1h -expertpathologyreview.com * F,1d,10m;F,14d,1h -je.b8.nz * F,1d,10m;F,14d,1h -zroe.org * F,1d,10m;F,14d,1h +iankelling.org * F,1d,4m;F,14d,1h +amnimal.ninja * F,1d,4m;F,14d,1h +expertpathologyreview.com * F,1d,4m;F,14d,1h +je.b8.nz * F,1d,4m;F,14d,1h +zroe.org * F,1d,4m;F,14d,1h eximbackup.b8.nz * F,1d,4m;F,14d,1h + +# The spec says the target domain will be used for temporary host errors, +# but i've found that isn't correct, the hostname is required +# at least sometimes. +nn.b8.nz * F,1d,4m;F,14d,1h +defaultnn.b8.nz * F,1d,4m;F,14d,1h +mx.iankelling.org * F,1d,4m;F,14d,1h +bk.b8.nz * F,1d,4m;F,14d,1h +eggs.gnu.org * F,1d,4m;F,14d,1h +fencepost.gnu.org * F,1d,4m;F,14d,1h + +# afaik our retry doesnt need this, but just using everything +mx.amnimal.ninja * F,1d,4m;F,14d,1h +mx.expertpathologyreview.com * F,1d,4m;F,14d,1h + + +mail.fsf.org * F,1d,15m;F,14d,1h EOF rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename -cat >/etc/exim4/conf.d/main/000_local </etc/exim4/conf.d/main/000_local2 </etc/exim4/conf.d/transport/11_iank <<'EOF' +# This unsets the default macro defined in on t11 in +# /etc/exim4/conf.d/transport/10_exim4-config_transport-macros +# It seems like a very odd choice that this has become +# the default in t11. Normal smarthost clients use username/password +# auth. Oh well. +REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS == +EOF + +cat >/etc/exim4/conf.d/main/000_local <<'EOF' MAIN_TLS_ENABLE = true # require tls connections for all smarthosts @@ -961,11 +1202,6 @@ MAIN_LOG_SELECTOR = +all # Based on spec, seems like a good idea to be nice. smtp_return_error_details = true -# normally empty, I set this so I can set the envelope address -# when doing mail redelivery to invoke filters. Also allows -# me exiqgrep and stuff. -MAIN_TRUSTED_GROUPS = $u - # default is 10. when exim has been down for a bit, fsf mailserver # will do a big send in one connection, then exim decides to put # the messages in the queue instead of delivering them, to avoid @@ -978,16 +1214,20 @@ smtp_accept_queue_per_connection = 500 DKIM_CANON = relaxed DKIM_SELECTOR = li -# from comments in +# From comments in # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 # There could be some circumstance when the # from: isnt our domain, but the envelope sender is # and so still want to sign, but I cant think of any case. -DKIM_DOMAIN = \${lc:\${domain:\$rh_from:}} +#DKIM_DOMAIN = ${lc:${domain:$rh_from:}} +# In t11, we cant do the above anymore because this is tainted data used in a file lookup. +# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data. +DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}} + # The file is based on the outgoing domain-name in the from-header. # sign if key exists -DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}} +DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}} # most of the ones that gmail seems to use. # Exim has horrible default of signing unincluded @@ -998,19 +1238,43 @@ DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz -hostlist iank_trusted = <; \\ +hostlist iank_trusted = <; \ # veth0 -10.173.8.1 ; \\ +10.173.8.1 ; \ # li li_ip6 -72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \\ +72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \ # li_vpn_net li_vpn_net_ip6s -10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \\ +10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \ # bk bk_ip6 -85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \\ +85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \ # je je_ipv6 -85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\ +85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \ # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28 + + +# this is the default delay_warning_condition, plus matching on local_domains. +# If I have some problem with my local system that causes delayed delivery, +# I dont want to send warnings out to non-local domains. +delay_warning_condition = ${if or {\ + { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\ + { match{$h_precedence:}{(?i)bulk|list|junk} }\ + { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\ + { match_domain{$domain}{+local_domains} }\ + } {no}{yes}} + + +# enable 587 in addition to the default 25, so that +# i can send mail where port 25 is firewalled by isp +daemon_smtp_ports = 25 : 587 +# default of 25, can get stuck when catching up on mail +smtp_accept_max = 400 +smtp_accept_reserve = 100 +smtp_reserve_hosts = +iank_trusted + +# Rules that make receiving more liberal should be on backup hosts +# so that we dont reject mail accepted by MAIL_HOST +LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl EOF rm -fv /etc/exim4/rcpt_local_acl # old path @@ -1031,6 +1295,7 @@ accept EOF rm -fv /etc/exim4/data_local_acl # old path + i /etc/exim4/conf.d/data_local_acl <<'EOF' # Except for the "condition =", this was # a comment in the check_data acl. The comment about this not @@ -1049,6 +1314,8 @@ warn warn !hosts = +iank_trusted + # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check. + !authenticated = plain_server:login_server condition = ${if < {$message_size}{5000K}} spam = Debian-exim:true add_header = X-Spam_score_int: $spam_score_int @@ -1057,11 +1324,6 @@ warn add_header = X-Spam_report: $spam_report add_header = X-Spam_action: $spam_action -warn - condition = ${if def:malware_name} - remove_header = Subject: - add_header = Subject: [Clamav warning: $malware_name] $h_subject - log_message = heuristic malware warning: $malware_name #accept # spf = pass:fail:softfail:none:neutral:permerror:temperror @@ -1070,14 +1332,14 @@ warn EOF -i /etc/exim4/conf.d/router/900_exim4-config_local_user <config.php - m rm tmp.php + e running php tmp.php + php tmp.php >config.php + # leave in place for debugging + #m rm -f tmp.php m sudo -u www-data php $ncdir/occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) # user_external not compaible with nc 23 @@ -2116,28 +2386,46 @@ EOF systemctl enable --now $ncbase.timer i /usr/local/bin/ncup <<'EOFOUTER' #!/bin/bash -if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi -shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR -ncbase=$1 -if ! php /var/www/$ncbase/updater/updater.phar -n; then +source /usr/local/lib/err + +m() { printf "%s\n" "$*"; "$@"; } +err-cleanup() { echo failed nextcloud update for $ncbase >&2 - /sbin/exim -t <>/etc/exim4/conf.d/main/000_local <>/etc/exim4/conf.d/main/000_local < /etc/mailname - /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] 10.173.8.2 nn.b8.nz EOF @@ -2576,9 +2948,10 @@ COMMONOPTIONS='-oP /run/exim4/eximin.pid' UPEX4OPTS='-d /etc/myexim4' EOF + echo bk.b8.nz > /etc/mailname cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/myexim4/conf.d/main/000_local <<'EOF' +# this makes it easier to see which exim is doing what +log_file_path = /var/log/exim4/my%s +EOF + + + + cat >/etc/logrotate.d/myexim <<'EOF' +/var/log/exim4/mymain /var/log/exim4/myreject { + daily + missingok + rotate 1000 + delaycompress + notifempty + nocreate +} +/var/log/exim4/mypanic { + size 10M + missingok + rotate 10 + compress + delaycompress + notifempty + nocreate +} +EOF + # If we ever wanted to have a separate spool, # we could do it like this. # cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF' @@ -2763,6 +3166,9 @@ if [[ -e /nocow ]]; then # without local-fs on exim, we get these kind of errors in paniclog on shutdown: # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied After=local-fs.target + +[Service] +ExecStartPre=/usr/local/bin/exim-nn-iptables EOF if ! mountpoint -q $sdir; then stopifactive exim4 exim4in @@ -2797,8 +3203,8 @@ elif [[ $uid != 608 ]]; then m usermod -u 608 Debian-exim m groupmod -g 608 Debian-exim m usermod -g 608 Debian-exim - m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} + - m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} + + m find / /nocow -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 608 {} + + m find / /nocow -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 608 {} + fi # * start / stop services @@ -2809,7 +3215,14 @@ if $reload; then m systemctl daemon-reload fi -m systemctl --now enable epanicclean.timer +# checking bhost_t is redundant, but could help us catch errors. +if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]; then + # todo: in mail-setup, we have a static list of backup hosts, not *y + m systemctl --now enable wg-quick@wghole +fi + +sysd-prom-fail-install epanicclean +m systemctl --now enable epanicclean case $HOSTNAME in je) @@ -2824,11 +3237,6 @@ m /a/bin/ds/mail-cert-cron -1 sre mailcert.timer case $HOSTNAME in - bk) - # todo, this should be done in distro-begin - soff systemd-resolved - ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf - ;;& $MAIL_HOST|bk) m systemctl --now enable mailnn mailnnroute ;;& @@ -2850,7 +3258,7 @@ case $HOSTNAME in fi if ! systemctl is-active clamav-daemon >/dev/null; then m systemctl --now enable clamav-daemon - out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.{timer,service} /etc/systemd/system) + out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.service /etc/systemd/system) if [[ $out ]]; then reload=true fi @@ -2871,18 +3279,28 @@ case $HOSTNAME in $MAIL_HOST) # < 2.1 (eg: in t9), uses a different data format which required manual # migration. dont start if we are running an old version. - if dpkg --compare-versions $(dpkg -s radicale | awk '$1 == "Version:" { print $2 }') ge 2.1; then + if dpkg --compare-versions "$(dpkg -s radicale | awk '$1 == "Version:" { print $2 }')" ge 2.1; then m systemctl --now enable radicale fi ;;& esac +# for debugging dns issues +case $HOSTNAME in + je|bk) + systemctl enable --now logrotate-fast.timer + ;; +esac + # last use of $reload happens in previous block rm -f /var/local/mail-setup-reload case $HOSTNAME in - $MAIL_HOST|bk|je) : ;; + $MAIL_HOST|bk|je|li) + # on li, these are never started, except $vpnser + : + ;; *) soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon ;; @@ -2914,53 +3332,99 @@ case $HOSTNAME in # note: cronjob "ian" also does some important monitoring # todo: this will sometimes cause an alert because mailtest-check will run # before we have setup network namespace and spamassassin - cat >/etc/cron.d/mailtest <>/etc/cron.d/mailtest <> /etc/exim4/ignore-sent + done + cat >/usr/local/bin/send-test-forward <<'EOF' #!/bin/bash +# we remove from the queue older than 4.3 minutes since we send every 5 minutes. olds=( -$(/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$') +$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$') ) if (( ${#olds[@]} )); then - /sbin/exim -Mrm "${olds[@]}" >/dev/null + /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null fi EOF for test_from in ${test_froms[@]}; do + + test_to=${test_tos[0]} + for t in ${test_tos[@]:1}; do + test_to+=", $t" + done + case $test_from in + testignore@expertpathologyreview.com) + test_to=testignore@zroe.org + ;; + esac + cat >>/usr/local/bin/send-test-forward <