X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=eb3689ebf535c4aa162ad884443aea6d2b6e0bed;hb=f27b67a1dfa58b5f101bba607b2f91a73e65299e;hp=9ada9b6c5060c54ba2e8d1e3ca1df52c642634e9;hpb=ef95a0340c000f1b047928e92bbb82f538726c51;p=distro-setup diff --git a/mail-setup b/mail-setup index 9ada9b6..eb3689e 100755 --- a/mail-setup +++ b/mail-setup @@ -107,7 +107,7 @@ # todo: run mailping test after running, or otherwise # clear out terminal alert -# todo: disable postgrey +# todo: disable postgrey. (why did we have it?) # todo: in testforward-check, we should also look @@ -415,7 +415,6 @@ sre() { mailhost() { [[ $HOSTNAME == "$MAIL_HOST" ]] } -e() { printf "%s\n" "$*"; } reifactive() { for service; do if systemctl is-active $service >/dev/null; then @@ -474,13 +473,30 @@ Pin-Priority: 500 EOF fi +# name change in t12, and now timer instead of cron option in /etc/default +first_spamd_run=false +if ! systemctl cat spamassassin-maintenance.timer &>/dev/null; then + first_spamd_run=true +fi + + # light version of exim does not have sasl auth support. # note: for bitfolk hosts, unbound has important config with conflink. pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard +spamd_ser=spamd +if systemctl cat spamassassin &>/dev/null; then + spamd_ser=spamassassin +elif $first_spamd_run; then + systemctl start spamassassin-maintenance +fi + +systemctl enable --now spamassassin-maintenance.timer + # note: pyzor debian readme says you need to run some initialization command # but its outdated. -pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban +pi spf-tools-perl p0f pyzor razor jq moreutils certbot fail2ban +pu postgrey case $HOSTNAME in je) : ;; # not included due to using wireguard: openvpn @@ -509,6 +525,90 @@ fi # our nostart pi fails to avoid enabling + +# * initial dns config & daemon setup +# +# use systemd-resolved for glibc resolutions, setup symlinks + +pi libnss-resolve + +# if this link gets replaced with a normal file we will get exim log +# errors on MAIL_HOST like so: +# +# R=fsfsmarthost defer (-36) DT=0s: host lookup for mail.fsf.org did not complete (DNS timeout?) + +if [[ ! -L /etc/nsswitch.conf ]]; then + sudo mkdir -p /etc/resolved-nsswitch + sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch + sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc +fi + +f=/etc/basic-nsswitch/nsswitch.conf +if [[ ! -e $f ]]; then + sudo mkdir -p ${f%/*} + sudo cp /etc/nsswitch.conf $f + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f +fi +case $HOSTNAME in + bk|je) + # je should be able to get along systemd-resolved, but ive had some odd + # very intermittent dns failures with spamassassin, it seems it might only + # be happening with systemd-resolved, so just use unbound + # to make it consistent with the other hosts. + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf + soff systemd-resolved + sudo ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf + sgo unbound + # cautious measure to make sure resolution is working + sleep 1 + ;; + *) + # default is + # files mdns4_minimal [NOTFOUND=return] dns myhostname + # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why. + # https://www.freedesktop.org/software/systemd/man/nss-resolve.html# + # seems more important than some potential use case. + # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite. + # removing files makes hostname -f not actually give the fully qualified domain name. + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf + ;; +esac + +case $HOSTNAME in + bk) + sgo named + ;; +esac + + +lines=( + "/etc/resolved-nsswitch/nsswitch.conf r," + "/etc/basic-nsswitch/nsswitch.conf r," + # Aug 06 23:09:11 kd audit[3995]: AVC apparmor="DENIED" operation="connect" profile="/usr/bin/freshclam" name="/run/systemd/resolve/io.systemd.Resolve" pid=3995 comm="freshclam" requested_mask="wr" denied_mask="wr" fsuid=109 ouid=101 + # I dont know if this is quite the right fix, but I saw other sockets + # in the nameservice files that were rw, so figured it was ok to add this and it worked. + "/run/systemd/resolve/io.systemd.Resolve rw," +) +f=/etc/apparmor.d/abstractions/nameservice +apparmor_reload=false +if [[ -e $f ]]; then + for l in "${lines[@]}"; do + if ! grep -qF "$l" $f; then + sudo sed -i "/\/nsswitch.conf/a $l" $f + apparmor_reload=true + if ! grep -qF "$l" $f; then + echo "$0: failed editing $f. investigate" + exit 1 + fi + fi + done + if $apparmor_reload && systemctl is-active apparmor; then + m ser reload apparmor + fi +fi + + + # * Mail clean cronjob u /etc/systemd/system/mailclean.timer <<'EOF' @@ -775,25 +875,26 @@ EOF # this is just a bug fix for trisquel. f=/etc/apparmor.d/usr.sbin.unbound -line="/usr/sbin/unbound flags=(attach_disconnected) {" -if ! grep -qFx "$line" $f; then - badline="/usr/sbin/unbound {" - if ! grep -qFx "$badline" $f; then +good_string="/usr/sbin/unbound flags=(attach_disconnected) {" +if ! grep -qF "$good_string" $f; then + bad_string="/usr/sbin/unbound {" + if ! grep -qF "$bad_string" $f; then err expected line in $f not found fi - sed -i "s,^$badline$,$line," $f + sed -i "s,$bad_string$,$good_string," $f if systemctl is-active apparmor &>/dev/null; then m systemctl reload apparmor fi fi + # note: anything added to nn_progs needs corresponding rm # down below in the host switch nn_progs=(exim4) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. # Its in the nn so remote clients can connect to it. - nn_progs+=(spamassassin dovecot) + nn_progs+=($spamd_ser dovecot) fi case $HOSTNAME in @@ -873,7 +974,7 @@ EOF done ;; *) - for unit in exim4 spamassassin dovecot unbound; do + for unit in exim4 $spamd_ser dovecot unbound; do f=/etc/systemd/system/$unit.service.d/nn.conf if [[ -s $f ]]; then rm -fv $f @@ -925,12 +1026,14 @@ EOF # 2020-10-19 remove old file. remove this when all hosts updated rm -fv /etc/systemd/system/spamddnsfix.{timer,service} -u /etc/default/spamassassin <<'EOF' +u /etc/default/$spamd_ser <<'EOF' # defaults plus debugging flags for an issue im having OPTIONS="--create-prefs --max-children 5 --helper-home-dir" -PIDFILE="/var/run/spamd.pid" +PIDFILE="/run/spamd.pid" # my additions NICE="--nicelevel 15" +# not used in t12+, that uses +# /usr/lib/systemd/system/spamassassin-maintenance.timer CRON=1 EOF @@ -3181,6 +3284,7 @@ bounce_debbugs: domains = DEBBUGS_DOMAIN EOF + install -m=0775 -d -g Debian-exim -o iank /var/spool/exim4/gw u /etc/exim4/conf.d/router/155_delay <<'EOF' # By default, delay sending email by 30-40 minutes in case I # change my mind. @@ -3200,14 +3304,14 @@ delay_iank: condition = ${if and { \ {< {$tod_epoch} {${eval10:$received_time + 60*30}}} \ {!def:h_i:} \ -{!bool{${lookup{$message_exim_id}lsearch{/etc/exim4/no-delay-eximids}{true}}}} \ -{!bool{${lookup{all}lsearch{/etc/exim4/no-delay-eximids}{true}}}} \ +{!bool{${lookup{$message_exim_id}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \ +{!bool{${lookup{all}lsearch{/var/spool/exim4/gw/.no-delay-eximids}{true}}}} \ } {true}{false}} headers_remove = <; i: domains = ! +local_domains # uncomment for testing delays to jtuttle # local_parts = ! root : ! testignore : ! alerts : ! ian-pager : ! daylert - local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert + local_parts = ! root : ! testignore : ! alerts : ! jtuttle : ! ian-pager : ! daylert : ! r2e ignore_target_hosts = ROUTER_DNSLOOKUP_IGNORE_TARGET_HOSTS EOF @@ -3860,7 +3964,7 @@ case $HOSTNAME in ;;& $MAIL_HOST|bk|je) # start spamassassin/dovecot before exim. - sre dovecot spamassassin + sre dovecot $spamd_ser # Wait a bit before restarting exim, else I get a paniclog entry # like: spam acl condition: all spamd servers failed. But I'm tired # of waiting. I'll deal with this some other way. @@ -3894,7 +3998,7 @@ case $HOSTNAME in : ;; *) - soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon + soff radicale mailclean.timer dovecot $spamd_ser $vpnser mailnn clamav-daemon ;; esac