X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=d19fba0306f2317068ab9c8efed4a99f7801e4d5;hb=55b37c2dbe292fa1023c0c5376c2104fbe568011;hp=eb3689ebf535c4aa162ad884443aea6d2b6e0bed;hpb=f27b67a1dfa58b5f101bba607b2f91a73e65299e;p=distro-setup

diff --git a/mail-setup b/mail-setup
index eb3689e..d19fba0 100755
--- a/mail-setup
+++ b/mail-setup
@@ -361,7 +361,10 @@ reload=false
 if [[ -e /var/local/mail-setup-reload ]]; then
   reload=true
 fi
-u() { # update file. note: duplicated in brc
+# update file.
+# if the file changed, ur=true, else false.
+# note: duplicated in brc
+u() {
   local tmp tmpdir dest="$1"
   local base="${dest##*/}"
   local dir="${dest%/*}"
@@ -581,30 +584,17 @@ case $HOSTNAME in
 esac
 
 
-lines=(
-  "/etc/resolved-nsswitch/nsswitch.conf r,"
-  "/etc/basic-nsswitch/nsswitch.conf r,"
-  # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
-  # I dont know if this is quite the right fix, but I saw other sockets
-  # in the nameservice files that were rw, so figured it was ok to add this and it worked.
-  "/run/systemd/resolve/io.systemd.Resolve rw,"
-)
-f=/etc/apparmor.d/abstractions/nameservice
-apparmor_reload=false
-if [[ -e $f ]]; then
-  for l in "${lines[@]}"; do
-    if ! grep -qF "$l" $f; then
-      sudo sed -i "/\/nsswitch.conf/a $l" $f
-      apparmor_reload=true
-      if ! grep -qF "$l" $f; then
-        echo "$0: failed editing $f. investigate"
-        exit 1
-      fi
-    fi
-  done
-  if $apparmor_reload && systemctl is-active apparmor; then
-    m ser reload apparmor
-  fi
+u /etc/apparmor.d/abstractions/nameservice.d/iank <<'EOF'
+/etc/resolved-nsswitch/nsswitch.conf r,
+/etc/basic-nsswitch/nsswitch.conf r,
+# Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101
+# I dont know if this is quite the right fix, but I saw other sockets
+# in the nameservice files that were rw, so figured it was ok to add this and it worked.
+/run/systemd/resolve/io.systemd.Resolve rw,
+EOF
+
+if $ur && systemctl is-active apparmor; then
+  m systemctl reload apparmor
 fi
 
 
@@ -3084,10 +3074,11 @@ case $HOSTNAME in
     # which will overwrite any existing file
     u /etc/default/exim4 <<'EOF'
 QUEUERUNNER='combined'
-# note: this is duplicated in brc2, 10m here is -q10m there.
 QUEUEINTERVAL='10m'
 COMMONOPTIONS='-C /etc/exim4/my.conf'
 UPEX4OPTS='-o /etc/exim4/my.conf'
+# in t12 exim, this replaces all the above options
+EXIMSERVICE='-bdf -q10m -C /etc/exim4/my.conf'
 # i use epanic-clean for alerting if there are bad paniclog entries
 E4BCD_WATCH_PANICLOG='no'
 EOF
@@ -3285,6 +3276,10 @@ bounce_debbugs:
 EOF
 
     install -m=0775 -d -g Debian-exim -o iank /var/spool/exim4/gw
+    f=/var/spool/exim4/gw/.no-delay-eximids
+    if [[ ! -e $f ]]; then
+      install -g Debian-exim -o iank /dev/null $f
+    fi
     u /etc/exim4/conf.d/router/155_delay <<'EOF'
 # By default, delay sending email by 30-40 minutes in case I
 # change my mind.
@@ -3888,6 +3883,131 @@ fi
 #   err debbugs exist but is not uid 610: investigate
 # fi
 
+# * mail monitoring / testing
+
+# note, to test clamav, send an email with body that only contains
+# https://en.wikipedia.org/wiki/EICAR_test_file
+# which set malware_name to Eicar-Signature
+case $HOSTNAME in
+  $MAIL_HOST|bk|je)
+    # note: cronjob "ian" also does some important monitoring
+    # todo: this will sometimes cause an alert because mailtest-check will run
+    # before we have setup network namespace and spamassassin
+    u /etc/cron.d/mailtest <<EOF
+SHELL=/bin/bash
+PATH=/usr/bin:/bin:/usr/local/bin
+MAILTO=daylert@iankelling.org
+*/5  * * * *   $u send-test-forward |& log-once send-test-forward
+*/10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
+# if a bounce happened yesterday, dont let it slip through the cracks
+8   1 * * *   root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
+EOF
+
+
+    m sudo rsync -ahhi --chown=root:root --chmod=0755 \
+      /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+    u /etc/systemd/system/mailtest-check.service <<'EOF'
+[Unit]
+Description=mailtest-check
+After=local-fs.target
+StartLimitIntervalSec=0
+
+[Service]
+# avoid fans spinning up
+CPUQuota=22%
+Type=simple
+ExecStart=/usr/local/bin/mailtest-check slow
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=graphical.target
+EOF
+    sysd-prom-fail-install mailtest-check
+    ;;&
+  $MAIL_HOST)
+    test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
+    test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
+
+    cat >>/etc/cron.d/mailtest <<EOF
+# 10 am friday
+0   10 * * 5  root echo "weekly alert. You are not in the matrix."
+2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
+EOF
+    ;;&
+  bk)
+    test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
+    test_tos=(testignore@iankelling.org testignore@je.b8.nz)
+    # We dont need to send from different addresses to the same
+    # address. this breaks down our nice elegant logic of building up
+    # froms and tos , so I just handle expertpath in a special case
+    # below and set the to: to be testignore@zroe.org.  If we did sent
+    # that way, it would also mess up our mailtest-check logic that
+    # finds which messages to check.
+    # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
+    # that would become 2 messages and we'd only check 1.
+    ;;&
+  je)
+    test_froms=(testignore@je.b8.nz)
+    test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
+    ;;&
+  $MAIL_HOST|bk|je)
+
+    # Dont put these test messages into the sent folder or else it will
+    # overwhelm it, plus i dont want to save a copy at all.
+    # Plus addresses we generally want to ignore.
+    u /etc/exim4/ignore-sent <<EOF
+$(printf "%s\n" ${test_tos[@]})
+vojdedIdNejyebni@b8.nz
+b@eximbackup.b8.nz
+EOF
+
+    cat >/usr/local/bin/send-test-forward <<'EOF'
+#!/bin/bash
+# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
+olds=(
+$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+)
+if (( ${#olds[@]} )); then
+  /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
+fi
+EOF
+    for test_from in ${test_froms[@]}; do
+
+      test_to=${test_tos[0]}
+      for t in ${test_tos[@]:1}; do
+        if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
+          continue
+        fi
+        test_to+=", $t"
+      done
+      case $test_from in
+        testignore@expertpathologyreview.com)
+          test_to=testignore@zroe.org
+          ;;
+      esac
+
+      cat >>/usr/local/bin/send-test-forward <<EOFOUTER
+/usr/sbin/exim -odf -f $test_from -t <<EOF
+From: $test_from
+To: $test_to
+Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
+
+/usr/local/bin/send-test-forward
+EOF
+EOFOUTER
+    done
+    m chmod +x /usr/local/bin/send-test-forward
+    ;;
+  *)
+    soff mailtest-check.service
+    rm -fv /etc/cron.d/mailtest \
+       /var/lib/prometheus/node-exporter/mailtest-check.prom* \
+       /var/local/cron-errors/check-remote-mailqs*
+    ;;
+esac
+
+
 # * start / stop services
 
 reifactive dnsmasq nscd
@@ -3964,7 +4084,7 @@ case $HOSTNAME in
     ;;&
   $MAIL_HOST|bk|je)
     # start spamassassin/dovecot before exim.
-    sre dovecot $spamd_ser
+    sre dovecot $spamd_ser mailtest-check
     # Wait a bit before restarting exim, else I get a paniclog entry
     # like: spam acl condition: all spamd servers failed. But I'm tired
     # of waiting. I'll deal with this some other way.
@@ -4018,131 +4138,6 @@ case $HOSTNAME in
   bk) sre exim4in ;;
 esac
 
-# * mail monitoring / testing
-
-# note, to test clamav, send an email with body that only contains
-# https://en.wikipedia.org/wiki/EICAR_test_file
-# which set malware_name to Eicar-Signature
-case $HOSTNAME in
-  $MAIL_HOST|bk|je)
-    # note: cronjob "ian" also does some important monitoring
-    # todo: this will sometimes cause an alert because mailtest-check will run
-    # before we have setup network namespace and spamassassin
-    u /etc/cron.d/mailtest <<EOF
-SHELL=/bin/bash
-PATH=/usr/bin:/bin:/usr/local/bin
-MAILTO=daylert@iankelling.org
-*/5  * * * *   $u send-test-forward |& log-once send-test-forward
-*/10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-# if a bounce happened yesterday, dont let it slip through the cracks
-8   1 * * *   root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
-EOF
-
-
-    m sudo rsync -ahhi --chown=root:root --chmod=0755 \
-      /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
-    u /etc/systemd/system/mailtest-check.service <<'EOF'
-[Unit]
-Description=mailtest-check
-After=local-fs.target
-StartLimitIntervalSec=0
-
-[Service]
-Type=simple
-ExecStart=/usr/local/bin/mailtest-check slow
-Restart=always
-RestartSec=60
-
-[Install]
-WantedBy=graphical.target
-EOF
-    sysd-prom-fail-install mailtest-check
-    sre mailtest-check
-    ;;&
-  $MAIL_HOST)
-    test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
-    test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
-
-    cat >>/etc/cron.d/mailtest <<EOF
-# 10 am friday
-0   10 * * 5  root echo "weekly alert. You are not in the matrix."
-2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
-EOF
-    ;;&
-  bk)
-    test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
-    test_tos=(testignore@iankelling.org testignore@je.b8.nz)
-    # We dont need to send from different addresses to the same
-    # address. this breaks down our nice elegant logic of building up
-    # froms and tos , so I just handle expertpath in a special case
-    # below and set the to: to be testignore@zroe.org.  If we did sent
-    # that way, it would also mess up our mailtest-check logic that
-    # finds which messages to check.
-    # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
-    # that would become 2 messages and we'd only check 1.
-    ;;&
-  je)
-    test_froms=(testignore@je.b8.nz)
-    test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
-    ;;&
-  $MAIL_HOST|bk|je)
-
-    # Dont put these test messages into the sent folder or else it will
-    # overwhelm it, plus i dont want to save a copy at all.
-    # Plus addresses we generally want to ignore.
-    u /etc/exim4/ignore-sent <<EOF
-$(printf "%s\n" ${test_tos[@]})
-vojdedIdNejyebni@b8.nz
-b@eximbackup.b8.nz
-EOF
-
-    cat >/usr/local/bin/send-test-forward <<'EOF'
-#!/bin/bash
-# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
-olds=(
-$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
-)
-if (( ${#olds[@]} )); then
-  /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
-fi
-EOF
-    for test_from in ${test_froms[@]}; do
-
-      test_to=${test_tos[0]}
-      for t in ${test_tos[@]:1}; do
-        if [[ $test_from == *@gnu.org && $t == *@gnu.org ]]; then
-          continue
-        fi
-        test_to+=", $t"
-      done
-      case $test_from in
-        testignore@expertpathologyreview.com)
-          test_to=testignore@zroe.org
-          ;;
-      esac
-
-      cat >>/usr/local/bin/send-test-forward <<EOFOUTER
-/usr/sbin/exim -odf -f $test_from -t <<EOF
-From: $test_from
-To: $test_to
-Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
-
-/usr/local/bin/send-test-forward
-EOF
-EOFOUTER
-    done
-    m chmod +x /usr/local/bin/send-test-forward
-    ;;
-  *)
-    soff mailtest-check.service
-    rm -fv /etc/cron.d/mailtest \
-       /var/lib/prometheus/node-exporter/mailtest-check.prom* \
-       /var/local/cron-errors/check-remote-mailqs*
-    ;;
-esac
-
-
-
 # * misc
 m sudo -u $u mkdir -p /home/$u/.cache
 set -- /m/mucache /home/$u/.cache/mu /m/.mu /home/$u/.mu