make mail system more robus
author
Ian Kelling
<ian@iankelling.org>
Thu, 24 Feb 2022 14:24:58 +0000
(09:24 -0500)
committer
Ian Kelling
<ian@iankelling.org>
Thu, 24 Feb 2022 14:56:07 +0000
(09:56 -0500)
mail-setup
mailtest-check
diff --git
a/mail-setup
b/mail-setup
index 28e02ce089f63edc39362f7123610f77bc3ad578..46933160539e29a67fbc258a3c5ae0c208268d82 100755
(executable)
--- a/
mail-setup
+++ b/
mail-setup
@@
-136,7
+136,7
@@
fi
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-
+# note, this is hardcoded in /etc/exim4/conf.d/main/000_local
u=$(id -nu 1000)
u=$(id -nu 1000)
@@
-279,7
+279,10
@@
fi
i() { # install file
local tmp tmpdir dest="$1"
local base="${dest##*/}"
i() { # install file
local tmp tmpdir dest="$1"
local base="${dest##*/}"
- mkdir -p ${dest%/*}
+ local dir="${dest%/*}"
+ if [[ $dir != "$base" ]]; then
+ mkdir -p ${dest%/*}
+ fi
ir=false # i result
tmpdir=$(mktemp -d)
cat >$tmpdir/"$base"
ir=false # i result
tmpdir=$(mktemp -d)
cat >$tmpdir/"$base"
@@
-1003,9
+1006,14
@@
if (( ${#files[@]} )); then
${files[@]} /etc/exim4
fi
${files[@]} /etc/exim4
fi
-# by default, only 10 days of logs are kept. increase that.
-m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
-
+# By default, only 10 days of logs are kept. increase that.
+# And dont compress, I look back at logs too often and
+# dont need the annoyance of decompressing them all the time.
+m sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+files=(/var/log/exim4/*.gz)
+if (( ${#files[@]} )); then
+ gunzip ${files[@]}
+fi
## disabled. not using .forward files, but this is still interesting
## for reference.
## disabled. not using .forward files, but this is still interesting
## for reference.
@@
-1015,6
+1023,7
@@
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
# b=userforward_higher_priority
# # replace the router name so it is unique
# sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
# b=userforward_higher_priority
# # replace the router name so it is unique
# sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+rm -fv /etc/exim4/conf.d/router/175_userforward_higher_priority
# todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?
# todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?
@@
-1043,7
+1052,16
@@
EOF
rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
-cat >/etc/exim4/conf.d/main/000_local <<EOF
+
+# separate file so without quoted EOF for convenience
+cat >/etc/exim4/conf.d/main/000_local2 <<EOF
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters. Also allows
+# me exiqgrep and stuff.
+MAIN_TRUSTED_GROUPS = $u
+EOF
+
+cat >/etc/exim4/conf.d/main/000_local <<'EOF'
MAIN_TLS_ENABLE = true
# require tls connections for all smarthosts
MAIN_TLS_ENABLE = true
# require tls connections for all smarthosts
@@
-1065,11
+1083,6
@@
MAIN_LOG_SELECTOR = +all
# Based on spec, seems like a good idea to be nice.
smtp_return_error_details = true
# Based on spec, seems like a good idea to be nice.
smtp_return_error_details = true
-# normally empty, I set this so I can set the envelope address
-# when doing mail redelivery to invoke filters. Also allows
-# me exiqgrep and stuff.
-MAIN_TRUSTED_GROUPS = $u
-
# default is 10. when exim has been down for a bit, fsf mailserver
# will do a big send in one connection, then exim decides to put
# the messages in the queue instead of delivering them, to avoid
# default is 10. when exim has been down for a bit, fsf mailserver
# will do a big send in one connection, then exim decides to put
# the messages in the queue instead of delivering them, to avoid
@@
-1088,10
+1101,10
@@
DKIM_SELECTOR = li
# There could be some circumstance when the
# from: isnt our domain, but the envelope sender is
# and so still want to sign, but I cant think of any case.
# There could be some circumstance when the
# from: isnt our domain, but the envelope sender is
# and so still want to sign, but I cant think of any case.
-DKIM_DOMAIN =
\${lc:\${domain:\
$rh_from:}}
+DKIM_DOMAIN =
${lc:${domain:
$rh_from:}}
# The file is based on the outgoing domain-name in the from-header.
# sign if key exists
# The file is based on the outgoing domain-name in the from-header.
# sign if key exists
-DKIM_PRIVATE_KEY =
\${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\
${dkim_domain}-private.pem}}
+DKIM_PRIVATE_KEY =
${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/
${dkim_domain}-private.pem}}
# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
@@
-1115,6
+1128,19
@@
hostlist iank_trusted = <; \\
85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\
# fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\
# fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
+
+
+# this is the default delay_warning_condition, plus matching on local_domains.
+# If I have some problem with my local system that causes delayed delivery,
+# I dont want to send warnings out to non-local domains.
+delay_warning_condition = ${if or {\
+ { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\
+ { match{$h_precedence:}{(?i)bulk|list|junk} }\
+ { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\
+ { match_domain{$domain}{+local_domains} }\
+ } {no}{yes}}
+
+
EOF
rm -fv /etc/exim4/rcpt_local_acl # old path
EOF
rm -fv /etc/exim4/rcpt_local_acl # old path
@@
-1174,14
+1200,14
@@
warn
EOF
EOF
-i /etc/exim4/conf.d/router/900_exim4-config_local_user <<
EOF
+i /etc/exim4/conf.d/router/900_exim4-config_local_user <<
'EOF'
### router/900_exim4-config_local_user
#################################
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
local_user:
### router/900_exim4-config_local_user
#################################
# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
local_user:
- debug_print = "R: local_user for
\$local_part@\
$domain"
+ debug_print = "R: local_user for
$local_part@
$domain"
driver = accept
domains = +local_domains
# ian: default file except where mentioned.
driver = accept
domains = +local_domains
# ian: default file except where mentioned.
@@
-1525,7
+1551,7
@@
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key
EOF
fi
ssl_key = </etc/exim4/exim.key
EOF
fi
- cat <<
EOF
+ cat <<
'EOF'
# https://ssl-config.mozilla.org
ssl = required
# this is the same as the certbot list, in my cert cronjob, I check if that has changed upstream.
# https://ssl-config.mozilla.org
ssl = required
# this is the same as the certbot list, in my cert cronjob, I check if that has changed upstream.
@@
-1535,8
+1561,8
@@
ssl_prefer_server_ciphers = no
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
-# default is just
\
$mail_plugins
- mail_plugins =
\
$mail_plugins sieve
+# default is just $mail_plugins
+ mail_plugins = $mail_plugins sieve
}
EOF
if dpkg --compare-versions $(dpkg-query -f='${Version}\n' --show dovecot-core) ge 1:2.3; then
}
EOF
if dpkg --compare-versions $(dpkg-query -f='${Version}\n' --show dovecot-core) ge 1:2.3; then
@@
-2370,10
+2396,16
@@
EOF
# see 56.2 Root privilege in exim spec
deliver_drop_privilege = true
EOF
# see 56.2 Root privilege in exim spec
deliver_drop_privilege = true
EOF
- # Note: there are other routers that would also fail due to not running as root,
- # but afaik, the main router will catch all mail. If not, we will see
- # something in the queue.
- rm -fv /etc/exim4/conf.d/router/600_exim4-config_userforward
+ files=(
+ 300_exim4-config_real_local
+ 600_exim4-config_userforward
+ 700_exim4-config_procmail
+ 800_exim4-config_maildrop
+ mmm_mail4root
+ )
+ for f in ${files[@]}; do
+ echo "# iank: removed due to running nonroot"|i /etc/exim4/conf.d/router/$f
+ done
;;
esac
;;
esac
@@
-2800,12
+2832,12
@@
backup_maildir:
user = $u
EOF
user = $u
EOF
- i /etc/exim4/conf.d/router/870_backup_local <<
EOF
+ i /etc/exim4/conf.d/router/870_backup_local <<
'EOF'
### router/900_exim4-config_local_user
#################################
backup_local:
### router/900_exim4-config_local_user
#################################
backup_local:
- debug_print = "R: local_user for
\$local_part@\
$domain"
+ debug_print = "R: local_user for
$local_part@
$domain"
driver = accept
domains = eximbackup.b8.nz
transport = backup_maildir
driver = accept
domains = eximbackup.b8.nz
transport = backup_maildir
@@
-3069,6
+3101,8
@@
MAILTO=alerts@iankelling.org
#5-59/5 * * * * root mailtest-check |& log-once -1 mailtest-check
#0 * * * * root mailtest-check slow |& log-once -1 mailtest-slow
*/5 * * * * root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
#5-59/5 * * * * root mailtest-check |& log-once -1 mailtest-check
#0 * * * * root mailtest-check slow |& log-once -1 mailtest-slow
*/5 * * * * root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
+# if a bounce happened yesterday, dont let it slip through the cracks
+8 1 * * * root awk '$5 == "**"' /var/log/exim4/mainlog.1
EOF
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
EOF
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
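Review bot: In the `i()` hunk (@@ -279,7 +279,10 @@), the new guard `if [[ $dir != "$base" ]]` skips `mkdir -p` whenever the parent directory's name happens to equal the file's basename (e.g. a destination `conf/conf`), because `${dest%/*}` and `${dest##*/}` are then the same string even though a directory component exists; the intended test is whether the destination contains a slash at all, `if [[ $dest == */* ]]; then mkdir -p -- "$dir"; fi`, which also uses the freshly computed, quoted `$dir` instead of re-expanding `${dest%/*}` unquoted. The body of `i` continues outside the hunk. Separately, in the logrotate hunk (@@ -1003,9 +1006,14 @@), `files=(/var/log/exim4/*.gz)` followed by `(( ${#files[@]} ))` only guards the no-match case if `nullglob` is enabled earlier in the script (not visible here, though the pre-existing `files` check above it uses the same idiom); without it the array holds the literal pattern and `gunzip` is invoked on a non-existent path on every run after the first.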
diff --git
a/mailtest-check
b/mailtest-check
index 81363012fc0b3de90f64b47ee3213caaa4a21256..1975dc960b71f2023b2162f3e929de7aed0b56e3 100755
(executable)
--- a/
mailtest-check
+++ b/
mailtest-check
@@
-21,7
+21,7
@@
e() { $int || return 0; printf "mailtest-check: %s\n" "$*"; }
# We run this cronjob along with sending the test email every 5 minutes,
# so give it 1 minute to arrive, then if the latest email is older than
# 7 minutes, the last 2 haven't arrived in a reasonable amount of time.
# We run this cronjob along with sending the test email every 5 minutes,
# so give it 1 minute to arrive, then if the latest email is older than
# 7 minutes, the last 2 haven't arrived in a reasonable amount of time.
-min_limit=
7
+min_limit=
8
# spamassassin checking takes about 8 seconds. only do that every
# spamassassin checking takes about 8 seconds. only do that every