X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=b53530a2a9c9ab2610aa18d82b194c74e8c26a8e;hb=606cd070ab0d88f45dae54ae960fef7245894373;hp=e12149f114bc06b0b79bc980359cb6dd743f8b8d;hpb=56c55d8e02cdd6ec67d2fe53cc03785d8876442e;p=distro-setup diff --git a/mail-setup b/mail-setup index e12149f..b53530a 100755 --- a/mail-setup +++ b/mail-setup @@ -14,6 +14,9 @@ # todo: handle errors like this: # Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring. # Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies. +#eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago +#Debian-+ 1954 1 0 36231 11560 4 Apr02 ? 00:40:25 /usr/sbin/exim4 -bd -q30m +#Debian-+ 23058 1954 0 36821 10564 0 20:38 ? 00:00:00 /usr/sbin/exim4 -bd -q30m # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it. # todo: consider hardening cups listening on 0.0.0.0 @@ -29,10 +32,6 @@ # todo: run mailping test after running, or otherwise # clear out terminal alert -# todo: on bk, dont send email if mailvpn is not up - -# todo: mailtest-check should check on bk too - # todo: disable postgrey # todo: in testforward-check, we should also look @@ -291,7 +290,8 @@ i() { # install file local base="${dest##*/}" local dir="${dest%/*}" if [[ $dir != "$base" ]]; then - mkdir -p ${dest%/*} + # dest has a directory component + mkdir -p "$dir" fi ir=false # i result tmpdir=$(mktemp -d) @@ -1004,10 +1004,8 @@ awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /et esac done -if ! grep -q "^ncsoft:" /etc/aliases; then - echo "ncsoft: graceq2323@gmail.com" |m tee -a /etc/aliases -fi +. /a/bin/bash_unpublished/priv-mail-setup m gpasswd -a iank adm #needed for reading logs @@ -1166,17 +1164,17 @@ DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz -hostlist iank_trusted = <; \\ +hostlist iank_trusted = <; \ # veth0 -10.173.8.1 ; \\ +10.173.8.1 ; \ # li li_ip6 -72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \\ +72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \ # li_vpn_net li_vpn_net_ip6s -10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \\ +10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ; \ # bk bk_ip6 -85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \\ +85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \ # je je_ipv6 -85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\ +85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \ # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28 @@ -1192,6 +1190,17 @@ delay_warning_condition = ${if or {\ } {no}{yes}} +# enable 587 in addition to the default 25, so that +# i can send mail where port 25 is firewalled by isp +daemon_smtp_ports = 25 : 587 +# default of 25, can get stuck when catching up on mail +smtp_accept_max = 400 +smtp_accept_reserve = 100 +smtp_reserve_hosts = +iank_trusted + +# Rules that make receiving more liberal should be on backup hosts +# so that we dont reject mail accepted by MAIL_HOST +LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl EOF rm -fv /etc/exim4/rcpt_local_acl # old path @@ -1212,6 +1221,7 @@ accept EOF rm -fv /etc/exim4/data_local_acl # old path + i /etc/exim4/conf.d/data_local_acl <<'EOF' # Except for the "condition =", this was # a comment in the check_data acl. The comment about this not @@ -1230,6 +1240,8 @@ warn warn !hosts = +iank_trusted + # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check. + !authenticated = plain_server:login_server condition = ${if < {$message_size}{5000K}} spam = Debian-exim:true add_header = X-Spam_score_int: $spam_score_int @@ -1239,6 +1251,8 @@ warn add_header = X-Spam_action: $spam_action warn + !hosts = +iank_trusted + !authenticated = plain_server:login_server condition = ${if def:malware_name} remove_header = Subject: add_header = Subject: [Clamav warning: $malware_name] $h_subject @@ -2497,20 +2511,13 @@ CHECK_RCPT_SPF = true CHECK_RCPT_REVERSE_DNS = true CHECK_MAIL_HELO_ISSUED = true -# enable 587 in addition to the default 25, so that -# i can send mail where port 25 is firewalled by isp -daemon_smtp_ports = 25 : 587 -# default of 25, can get stuck when catching up on mail -smtp_accept_max = 400 -smtp_accept_reserve = 100 -smtp_reserve_hosts = +iank_trusted -# options exim has to avoid having to alter the default config files -CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl -LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl +CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl + # testing dmarc #dmarc_tld_file = /etc/public_suffix_list.dat + EOF ;;& @@ -3200,14 +3207,12 @@ case $HOSTNAME in # note: cronjob "ian" also does some important monitoring # todo: this will sometimes cause an alert because mailtest-check will run # before we have setup network namespace and spamassassin - cat >/etc/cron.d/mailtest </etc/systemd/system/mailtest-check.service <<'EOF' + i /etc/systemd/system/mailtest-check.service <<'EOF' [Unit] Description=mailtest-check After=local-fs.target @@ -3303,7 +3308,9 @@ EOFOUTER ;; *) soff mailtest-check.service - rm -fv /etc/cron.d/mailtest /var/lib/prometheus/node-exporter/mailtest-check.prom* + rm -fv /etc/cron.d/mailtest \ + /var/lib/prometheus/node-exporter/mailtest-check.prom* \ + /var/local/cron-errors/check-remote-mailqs* ;; esac