X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=mail-setup;h=f43b6ba8b136ab697a19b210c5fd10b1109c87e9;hb=25d20d07292550e8701e33aa409e4947f3075ede;hp=c3b11d8109ea7577b1d2315f7e55104af8180bba;hpb=b857462732e15f455e41f26e3048a390d7b399c0;p=distro-setup
diff --git a/mail-setup b/mail-setup
index c3b11d8..f43b6ba 100755
--- a/mail-setup
+++ b/mail-setup
@@ -15,10 +15,18 @@ set -x # See the License for the specific language governing permissions and # limitations under the License. +# todo: make quick backups of maildir, or deliver to multiple hosts. + set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +if [[ ! $SUDO_USER ]]; then + echo "$0: error: requires running as nonroot or sudo" + exit 1 +fi +u=$SUDO_USER + usage() { cat < /dev/null; then debconf-set-selections </etc/exim4/rcpt_local_acl <<'EOF' +# Only hosts we control send to mail.iankelling.org, so make sure +# they are all authed. +# Note, if we wanted authed senders for all domains, +# we could make this condition in acl_check_mail +deny + message = ian trusted domain recepient but no auth + !authenticated = * + domains = mail.iankelling.org +EOF + cat >/etc/exim4/data_local_acl <<'EOF' +# Except for the "condition =", this was +# a comment in the check_data acl. The comment about this not +# being suitable is mostly bs. The only thing related I found was to +# add the condition =, cuz spamassassin has problems with big +# messages and spammers don't bother with big messages, +# but I've increased the size from 10k +# suggested in official docs, and 100k in the wiki example because +# those docs are rather old and I see a 110k spam message +# pretty quickly looking through my spam folder. 
+ warn + condition = ${if < {$message_size}{2000K}} + spam = Debian-exim:true + add_header = X-Spam_score: $spam_score\n\ + X-Spam_score_int: $spam_score_int\n\ + X-Spam_bar: $spam_bar\n\ + X-Spam_report: $spam_report + +EOF + cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' +# from 30_exim4-config_examples + +plain_server: +driver = plaintext +public_name = PLAIN +server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" +server_set_id = $auth2 +server_prompts = : +.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS +server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} +.endif +EOF + + cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' +### router/900_exim4-config_local_user +################################# + +# This router matches local user mailboxes. If the router fails, the error +# message is "Unknown user". + +local_user: + debug_print = "R: local_user for $local_part@$domain" + driver = accept + domains = +local_domains +# ian: commented this, in conjunction with a dovecot lmtp +# change so I get mail for all users. +# check_local_user + local_parts = ! root + transport = LOCAL_DELIVERY + cannot_route_message = Unknown user +EOF + cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' +dovecot_lmtp: + driver = lmtp + socket = /var/run/dovecot/lmtp + #maximum number of deliveries per batch, default 1 + batch_max = 200 +EOF + + cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' +# smarthost for fsf mail +# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and +# replaced DCsmarthost with mail.fsf.org +fsfsmarthost: + debug_print = "R: smarthost for $local_part@$domain" + driver = manualroute + domains = ! 
+local_domains + senders = *@fsf.org + transport = remote_smtp_smarthost + route_list = * mail.fsf.org byname + host_find_failed = ignore + same_domain_copy_routing = yes + no_more +EOF #### begin mail cert setup ### @@ -387,7 +476,7 @@ if [[ -e $f ]]; then fi if [[ $HOSTNAME == $MAIL_HOST ]]; then local_mx=mail.iankelling.org - rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/" + rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" ${rsync_common}fullchain.pem /etc/exim4/exim.crt ret=$? ${rsync_common}privkey.pem /etc/exim4/exim.key @@ -475,6 +564,7 @@ exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent a # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled. # System mail name: +# iank: see comment elsewhere on mailname exim4-config exim4/mailname string mail.iankelling.org @@ -482,7 +572,7 @@ exim4-config exim4/mailname string mail.iankelling.org # Please enter a semicolon-separated list of recipient domains for which this machine # should consider itself the final destination. These domains are commonly called -# 'local domains'. The local hostname (treetowl.lan) and 'localhost' are always added +# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added # to the list given here. # By default all local domains will be treated identically. If both a.example and 
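Review bot: Commenting out `check_local_user` while leaving only `local_parts = ! root` turns the `local_user` router into a catch-all: every local part in +local_domains is routed to dovecot LMTP, `cannot_route_message = Unknown user` can no longer fire for non-root addresses, and if the stock Debian recipient verification in acl_check_rcpt is still in place (not shown in this diff) it now succeeds for every address, so a recipient that dovecot refuses at LMTP time becomes a bounce to a likely-forged sender (backscatter) and the domains become dictionary-attack targets. Either limit the router to mailboxes you actually serve, e.g. `local_parts = ! root : lsearch;CONFDIR/local_parts`, or make sure dovecot accepts every local part so nothing is refused after SMTP acceptance, and record the choice next to the commented line, e.g. `# deliberately a catch-all: dovecot lmtp must accept every local part or exim will bounce`. Note that the `deny` in rcpt_local_acl only covers `mail.iankelling.org`, so unauthenticated hosts can still address any local part on the other local domains. The function that writes these heredocs starts before this hunk, and the hunk's own @@ header is mangled in this rendering.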
@@ -547,11 +637,17 @@ exim4-config exim4/dc_postmaster string $postmaster # Delivery method for local mail: 2 exim4-config exim4/dc_localdelivery select Maildir format in home directory EOF + echo mail.iankelling.org > /etc/mailname + # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the # smarthost config type, not sure. all other settings # would be unused in that config type. - cat >$exim_main_dir/000_localmacros </etc/exim4/conf.d/main/000_local <$d/override.conf <<'EOF' +[Service] +Restart=always +# time to sleep before restarting a service +RestartSec=1 + +[Unit] +# StartLimitIntervalSec in recent systemd versions +StartLimitInterval=0 +EOF systemctl enable offlineimapsync.timer systemctl start offlineimapsync.timer @@ -714,14 +823,17 @@ EOF # # would only exist because I wrote it i the previous condition, # it\'s not part of exim - rm -f $exim_main_dir/000_localmacros + rm -f /etc/exim4/conf.d/main/000_localmacros debconf-set-selections < /etc/mailname fi # end $HOSTNAME != $MAIL_HOST @@ -737,11 +849,11 @@ EOF # i have the spool directory be common to distro multi-boot, so # we need the uid to be the same. 608 cuz it's kind of in the middle # of the free system uids. - IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS - IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS + IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS + IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS if [[ ! $uid ]]; then # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options - adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \ + adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \ --no-create-home --disabled-login --force-badname Debian-exim elif [[ $uid != 608 ]]; then systemctl stop exim4 ||: 
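Review bot: Dropping `--gid 608` leaves the group id unpinned on the create path: `adduser --system --group` chooses the GID itself (it tends to reuse the uid when that id is free, but that is not guaranteed), and the `chgrp -h 608` fixup in the elif branch only runs when the user already existed, so a fresh install can end up with uid 608 and a different gid while the shared spool directory expects 608. Add a post-creation check, e.g. `[[ $(getent group Debian-exim | cut -d: -f3) == 608 ]] || { echo "$0: error: Debian-exim gid is not 608" >&2; exit 1; }`, or create the group first with `addgroup --system --gid 608 Debian-exim` and then `adduser --system --uid 608 --ingroup Debian-exim …`. The `||:` added to the `read`/`getent` lines is what keeps `set -eE` from aborting before `[[ ! $uid ]]` is reached when the account is missing (`read` returns nonzero on empty input); that deserves a one-line comment, e.g. `# read/getent fail when the account does not exist; that is the case handled below`. The surrounding block continues past this hunk (the gid fixup is in the next one).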
@@ -752,12 +864,12 @@ EOF find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} + fi + # light version of exim does not have sasl auth support. pi exim4-daemon-heavy spamassassin - ##### begin spamassassin config systemctl enable spamassassin # per readme.debian 
@@ -804,91 +916,6 @@ EOF - cat >/etc/exim4/rcpt_local_acl <<'EOF' -# Only hosts we control send to mail.iankelling.org, so make sure -# they are all authed. -# Note, if we wanted authed senders for all domains, -# we could make this condition in acl_check_mail -deny - message = ian trusted domain recepient but no auth - !authenticated = * - domains = mail.iankelling.org -EOF - cat >/etc/exim4/data_local_acl <<'EOF' -# Except for the "condition =", this was -# a comment in the check_data acl. The comment about this not -# being suitable is mostly bs. The only thing related I found was to -# add the condition =, cuz spamassassin has problems with big -# messages and spammers don't bother with big messages, -# but I've increased the size from 10k -# suggested in official docs, and 100k in the wiki example because -# those docs are rather old and I see a 110k spam message -# pretty quickly looking through my spam folder. - warn - condition = ${if < {$message_size}{2000K}} - spam = Debian-exim:true - add_header = X-Spam_score: $spam_score\n\ - X-Spam_score_int: $spam_score_int\n\ - X-Spam_bar: $spam_bar\n\ - X-Spam_report: $spam_report - -EOF - cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' -# from 30_exim4-config_examples - -plain_server: -driver = plaintext -public_name = PLAIN -server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" -server_set_id = $auth2 -server_prompts = : -.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS -server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} -.endif -EOF - - cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' -### router/900_exim4-config_local_user -################################# - -# This router matches local user mailboxes. If the router fails, the error -# message is "Unknown user". 
- -local_user: - debug_print = "R: local_user for $local_part@$domain" - driver = accept - domains = +local_domains -# ian: commented this, in conjunction with a dovecot lmtp -# change so I get mail for all users. -# check_local_user - local_parts = ! root - transport = LOCAL_DELIVERY - cannot_route_message = Unknown user -EOF - cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' -dovecot_lmtp: - driver = lmtp - socket = /var/run/dovecot/lmtp - #maximum number of deliveries per batch, default 1 - batch_max = 200 -EOF - - cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' -# smarthost for fsf mail -# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and -# replaced DCsmarthost with mail.fsf.org -fsfsmarthost: - debug_print = "R: smarthost for $local_part@$domain" - driver = manualroute - domains = ! +local_domains - senders = *@fsf.org - transport = remote_smtp_smarthost - route_list = * mail.fsf.org byname - host_find_failed = ignore - same_domain_copy_routing = yes - no_more -EOF - # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost # i only need .forwards, so just doing that one. cd /etc/exim4/conf.d/router