X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=bbe0defeb3f803a1cedf759c9b1e62f6c77389a0;hb=fde3746c622eb042ce1fd051cdfea2f9a247cd53;hp=b3cb092539fc6b6ccd079c0c102ce74980a77d0f;hpb=602a1874cc11a7d371890cdae4c0dc982267ea89;p=distro-setup diff --git a/mail-setup b/mail-setup index b3cb092..bbe0def 100755 --- a/mail-setup +++ b/mail-setup @@ -3,6 +3,10 @@ # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later +# todo: check new macro DKIM_TIMESTAMPS + +# todo: check if REMOTE_SMTP_INTERFACE or REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE can simplify my or fsfs config + # todo: max line length macro changed in t11. look into it # todo: check that all macros we use are still valid in t11 @@ -849,13 +853,16 @@ EOF # * Update mail cert -if [[ -e /p/c/filesystem ]]; then - # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with - # systemd, buuut it can remake the tun device unexpectedly, i got this in the log - # after my internet was down for a bit: - # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. - m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org -fi + + +## needed only for openvpn mail vpn. +# if [[ -e /p/c/filesystem ]]; then +# # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with +# # systemd, buuut it can remake the tun device unexpectedly, i got this in the log +# # after my internet was down for a bit: +# # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. +# m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org +# fi # With openvpn, I didn't get around to persisting the openvpn # cert/configs into /p/c/machine_specific/bk, so I had this case to 
@@ -1171,7 +1178,9 @@ cd /etc/exim4 done } | i /etc/exim4/conf.d/my-dkim-domains -cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' +if grep -Fq REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS \ + /etc/exim4/conf.d/transport/10_exim4-config_transport-macros; then + cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' # This unsets the default macro defined in on t11 in # /etc/exim4/conf.d/transport/10_exim4-config_transport-macros # It seems like a very odd choice that this has become @@ -1179,6 +1188,9 @@ cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' # auth. Oh well. REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS == EOF +else + rm -f /etc/exim4/conf.d/transport/11_iank +fi cat >/etc/exim4/conf.d/main/000_local <<'EOF' MAIN_TLS_ENABLE = true @@ -1214,16 +1226,6 @@ smtp_accept_queue_per_connection = 500 DKIM_CANON = relaxed DKIM_SELECTOR = li -# From comments in -# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 -# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 -# There could be some circumstance when the -# from: isnt our domain, but the envelope sender is -# and so still want to sign, but I cant think of any case. -#DKIM_DOMAIN = ${lc:${domain:$rh_from:}} -# In t11, we cant do the above anymore because this is tainted data used in a file lookup. -# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data. -DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}} # The file is based on the outgoing domain-name in the from-header. # sign if key exists 
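Review bot: The new gate `grep -Fq REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS /etc/exim4/conf.d/transport/10_exim4-config_transport-macros` matches the name anywhere in the file, including a commented-out mention or a longer macro sharing that prefix, so 11_iank can be written when nothing actually defines the macro. That matters because the file it writes blanks the macro (`REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==`), which, as far as the removed transport copy later in this commit shows, is what feeds `tls_verify_hosts` on the smarthost transport, i.e. it relaxes certificate verification toward the smarthost; tighten the match to an actual definition: `grep -Eq '^[[:space:]]*REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS[[:space:]]*=' /etc/exim4/conf.d/transport/10_exim4-config_transport-macros`. When the macros file is absent grep fails and the `else` branch in the next hunk (@@ -1179) removes 11_iank, which looks intended but is easy to misread; a one-line comment such as `# a missing macros file also lands in the else branch and drops the override` would make that explicit.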
@@ -1277,6 +1279,24 @@ smtp_reserve_hosts = +iank_trusted LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl EOF +if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge 4.94; then + cat >>/etc/exim4/conf.d/main/000_local <<'EOF' +# In t11, we cant do the old anymore because this is tainted data used in a file lookup. +# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data. +DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}} +EOF +else + cat >>/etc/exim4/conf.d/main/000_local <<'EOF' +# From comments in +# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 +# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 +# There could be some circumstance when the +# from: isnt our domain, but the envelope sender is +# and so still want to sign, but I cant think of any case. +DKIM_DOMAIN = ${lc:${domain:$rh_from:}} +EOF +fi + rm -fv /etc/exim4/rcpt_local_acl # old path i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF' @@ -1332,6 +1352,207 @@ warn EOF + +# old file +rm -fv /etc/exim4/conf.d/router/880_backup_copy + + +# It is important for this to exist everywhere except in MAIL_HOST +# non-nn config. Previously, just had it in the nn-config on MAIL_HOST, +# but that is a problem if we change mail host and still have something +# in the queue which was destined for this router, but hosts were +# unreachable, the routers will be reevaluated on the next retry. +i /etc/exim4/conf.d/router/890_backup_copy < {$max_received_linelength}{998} {1}{0}} -.endif + message_linelength_limit = 2097152 .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS .endif 
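Review bot: The version test `dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge 4.94` silently takes the `else` branch when dpkg-query fails (package not yet installed, or any query error), because the substitution expands to an empty string and the failure is swallowed inside the `if` condition; the result is the pre-4.94 `DKIM_DOMAIN = ${lc:${domain:$rh_from:}}` definition, which the commit's own comment describes as tainted data in a file lookup, being written on exactly the hosts where the check could not run. Whether exim4 is guaranteed installed at this point is not visible in the hunk, so it is safer to capture the version first and fail loudly: `exim_ver=$(dpkg-query -f='${Version}' --show exim4) || { printf 'exim4 not installed\n' >&2; exit 1; }` followed by `if dpkg --compare-versions "$exim_ver" ge 4.94; then`. A short comment naming why 4.94 is the cut-off (`# 4.94 introduced tainted-data checks`) would also help the next reader.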
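Review bot: `message_linelength_limit = 2097152` is an smtp-transport option that, as far as I recall, only exists from Exim 4.94 on (worth confirming against the spec), while the hunk just above (@@ -1277) deliberately keeps a branch for exim4 older than 4.94; on such a host this transport file would fail to parse on an unknown option, whereas the removed `.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT` / `message_size_limit` workaround still loaded. Either emit this line from the same version-conditional branch used for DKIM_DOMAIN, or drop the pre-4.94 support consistently; the same line is added to the smarthost_dkim transport in hunk @@ -1426. This hunk is rendered truncated on this page (the 890_backup_copy heredoc body is missing), so the router definition itself could not be reviewed.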
@@ -1426,10 +1645,8 @@ i /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF' smarthost_dkim: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp + message_linelength_limit = 2097152 multi_domain -.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT - message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} -.endif hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ {\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ @@ -1517,7 +1734,7 @@ if mailhost; then # in the log it just says "Starting Radicale". If you run # it in the foreground, it will give more info. Background # plus debug does not help. - # sudo -u radicale radicale -D -f + # sudo -u radicale radicale -D # created password file with: # htpasswd -c /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd 
@@ -2031,6 +2248,8 @@ if [[ $HOSTNAME == bk ]]; then rcdir=${rcdirs[i]} rcbase=${rcdir##*/} ncdir=${ncdirs[i]} + myncdir=/root/${ncdir##*/} + mkdir -p $myncdir # copied from debians cronjob i /etc/cron.d/$rcbase <tmp.php <$myncdir/tmp.php <config.php - # leave in place for debugging - #m rm -f tmp.php - m sudo -u www-data php $ncdir/occ maintenance:update:htaccess + e running php $myncdir/tmp.php + # note: we leave it around place for debugging + php $myncdir/tmp.php >config.php + cd $ncdir + m sudo -u www-data php occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) # user_external not compaible with nc 23 for app in contacts calendar; do if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then - m sudo -u www-data php $ncdir/occ app:install $app + cd $ncdir + m sudo -u www-data php occ app:install $app fi done i /etc/systemd/system/$ncbase.service < {$max_received_linelength}{998} {1}{0}} -.endif - hosts_require_auth = * - hosts_try_auth = * - envelope_to_add - # manual return path because we want it to be the envelope sender - # we got not the one we are using in this smtp transport - headers_add = "Return-path: $sender_address" -.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS - hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS -.endif -.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS - hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS -.endif -.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES - tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES -.endif -.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS - tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST -.endif -.ifdef REMOTE_SMTP_HEADERS_REWRITE - headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE -.endif -.ifdef REMOTE_SMTP_HELO_DATA - helo_data=REMOTE_SMTP_HELO_DATA -.endif -.ifdef TLS_DH_MIN_BITS -tls_dh_min_bits = TLS_DH_MIN_BITS -.endif -.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE -tls_certificate = 
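Review bot: `mkdir -p $myncdir` and `myncdir=/root/${ncdir##*/}` leave the expansion unquoted; `ncdirs[i]` appears to be a script-controlled list so this is a style point, but ShellCheck will flag it and `mkdir -p -- "$myncdir"` costs nothing. Since the lines that follow execute `$myncdir/tmp.php` to generate the Nextcloud `config.php` (a file that normally carries the database password and instance secret — verify against tmp.php, which is not visible here) and the comment says tmp.php is intentionally left in place for debugging, make the directory mode explicit rather than relying on /root's own permissions: `install -d -m 0700 -- "$myncdir"`. The enclosing loop continues past this hunk.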
REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE -.endif -.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY -tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY -.endif -.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE - headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE -.endif -EOF - - # this avoids some error. i cant remember what. todo: - # test it out and document why/if its needed. - # i /etc/exim4/host_local_deny_exceptions <<'EOF' - # mail.fsf.org - # *.posteo.de - # EOF + # This allows for forwarded mail to not get most rcpt checks, especially SPF, + # which would incorrectly get denied. + i /etc/exim4/host_local_deny_exceptions <<'EOF' +mail.fsf.org +*.posteo.de +EOF # cron email from smarthost hosts will automatically be to # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in @@ -2975,7 +3137,7 @@ EOF echo|i /etc/exim4/conf.d/router/188_exim4-config_smarthost echo|i /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost echo|i /etc/exim4/conf.d/rcpt_local_acl - echo|i /etc/exim4/conf.d/router/890_backup_copy + echo|i /etc/exim4/conf.d/router/865_backup_redir echo|i /etc/exim4/conf.d/main/000_local-nn echo|i /etc/exim4/conf.d/clamav_data_acl @@ -3091,8 +3253,9 @@ esac # ** $MAILHOST|bk, things that belong at the end case $HOSTNAME in $MAIL_HOST|bk) - # config for the non-nn exim - m rsync -ra --delete --delete-excluded --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4 + # config for the non-nn exim. note, it uses not default dir, but we + # generate that into the default config file + m rsync -ra --delete --delete-excluded --exclude=/conf.d/main/000_local-nn --exclude=/conf.d/router/890_backup_copy /etc/exim4/ /etc/myexim4 cat >>/etc/myexim4/conf.d/main/000_local <<'EOF' # this makes it easier to see which exim is doing what log_file_path = /var/log/exim4/my%s 
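Review bot: The new comment `# config for the non-nn exim. note, it uses not default dir, but we generate that into the default config file` is hard to parse; I read it as `# config for the non-nn exim. It runs from a non-default config dir (/etc/myexim4) that we generate from the default one.` The added `--exclude=/conf.d/router/890_backup_copy` matches the reasoning given at the router earlier in this commit (it must exist everywhere except the MAIL_HOST non-nn config), so a pointer here, e.g. `# 890_backup_copy must not be in the non-nn config, see the comment on that router`, keeps the two places in sync when one of them changes. The rsync line is now long enough that splitting the excludes into an array would also read better. The case arm continues past this hunk.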
@@ -3393,10 +3556,12 @@ EOF # Dont put these test messages into the sent folder or else it will # overwhelm it, plus i dont want to save a copy at all. - rm -f /etc/exim4/ignore-sent - for t in ${test_tos[@]}; do - echo $t >> /etc/exim4/ignore-sent - done + # Plus addresses we generally want to ignore. + i /etc/exim4/ignore-sent </usr/local/bin/send-test-forward <<'EOF' #!/bin/bash