####### instructions for icedove #####
-# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
-# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password,
+# then click advanced so it accepts it.
+# we could also just use 127.0.0.1 with no ssl
#
# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
# background: dovecot does not yet have ocsp stapling support
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users
####### end perstent password instructions ######
# * persistent dkim/dns instructions
+
+#### begin dkim generation section ####
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
# openssl genrsa -out $domain-private.pem 2048
-# Then, to get the public key strings to put in bind:
-#
-# sed explanation: skip the first few lines, then put them into the hold space, then
-# on the last line, back to the patern space, remove the newlines, then add a newline
-# at the last char - 240, because bind txt records need strings <=255 chars,
-# other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
-# leaves us a bit of extra room at the end and a bunch at the beginning.
-#
+# # Then, to get the public key strings to put in bind:
+
# # selector is needed for having multiple keys for one domain.
# # I dun do that, so just use a static one: li
-# echo "txt record name: li._domainkey.$domain"
# # Debadmin page does not have v=, fastmail does, and this
# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
# # https://www.ietf.org/rfc/rfc6376.txt
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
-# echo "bind txt record contents:"
+# echo "bind txt record:"
# cat <<EOF
-# v=DKIM1\059 k=rsa\059 p="string1" "string2"
-# replace strin1 and 2 with
-# openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1\n\2/p};3,$H'
+# li._domainkey.$domain TXT (
+# v=DKIM1\059 k=rsa\059 p="$(openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1"\n"\2/p};3,$H')" )
+# EOF
+# # sed explanation: skip the first few lines, then put them into the hold space, then
+# # on the last line, back to the patern space, remove the newlines, then add a newline
+# # at the last char - 240, because bind txt records need strings <=255 chars,
+# # other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
+# # leaves us a bit of extra room at the end and a bunch at the beginning.
+
# # selector was also put into /etc/exim4/conf.d/main/000_local,
+#### end dkim generation section ####
+
# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
fi
}
-postmaster=alerts
mxhost=mail.iankelling.org
mxport=587
forward=$u@$mxhost
if [[ $(debian-codename) == etiona ]]; then
# ip6tables stopped loading on boot. openvpn has reduced capability set,
# so running iptables as part of openvpn startup wont work. This should do it.
- # todo: im sure there is a better way.
+ # Im sure there is a better way, but this works fine.
yes no | pi iptables-persistent || [[ $? == 141 ]]
cat >/etc/iptables/rules.v6 <<'EOF'
*nat
fi
# our nostart pi fails to avoid enabling
-sudo systemctl disable openvpn
+systemctl disable openvpn
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
# entirely of whitespace".) This is a safe, terse alternative:
clear_report_template
report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN
-internal_networks 85.119.83.50 2001:ba8:1f1:f0c9::2 209.51.188.13 2001:470:142::13
+internal_networks 85.119.83.50
+trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
EOF
-
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- m systemctl stop spamassassin
- m systemctl disable spamassassin
-
- # per readme.debian
- sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
- e CRON=1 >>/etc/default/spamassassin
- # just noticed this in the config file, seems like a good idea.
- sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
- e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
-
- m systemctl enable spamassassin
- m systemctl start spamassassin
- m systemctl reload spamassassin
-
- cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+case $HOSTNAME in
+ bk|$MAIL_HOST)
+ m systemctl stop spamassassin
+ m systemctl disable spamassassin
+
+ # per readme.debian
+ sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+ e CRON=1 >>/etc/default/spamassassin
+ # just noticed this in the config file, seems like a good idea.
+ sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+ e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+
+ m systemctl enable spamassassin
+ m systemctl start spamassassin
+ m systemctl reload spamassassin
+
+ cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
[Unit]
Description=spamd dns bug fix cronjob
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
- # 2017-09, debian closed the bug on this saying upstream had fixed it.
- # remove this when i\'m using the newer package, ie, debian 10, or maybe
- # ubuntu 18.04.
- cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+ # 2017-09, debian closed the bug on this saying upstream had fixed it.
+ # remove this when i\'m using the newer package, ie, debian 10, or maybe
+ # ubuntu 18.04.
+ cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes
[Install]
WantedBy=timers.target
EOF
- m systemctl daemon-reload
- m systemctl restart spamddnsfix.timer
- m systemctl enable spamddnsfix.timer
-fi
+ m systemctl daemon-reload
+ m systemctl restart spamddnsfix.timer
+ m systemctl enable spamddnsfix.timer
+ ;;
+esac
+
##### end spamassassin config
err "\$MAIL_HOST not set"
fi
-m sudo gpasswd -a iank adm #needed for reading logs
+m gpasswd -a iank adm #needed for reading logs
### make local bounces go to normal maildir
m mkdir -p ${dirs[@]}
m chown iank:iank /m /m/md
m ln -sfT /m/md /m/iank
-m chmod 700 /m /m/md
+m chmod 771 /m /m/md
m chown -R $u:Debian-exim /m/md/bounces
m chmod 775 ${dirs[@]}
m usermod -a -G Debian-exim $u
if [[ ! -e $f ]]; then
f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
fi
-m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
+m rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
# by default, only 10 days of logs are kept. increase that.
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
# pretty quickly looking through my spam folder.
warn
+ # all internal ips. note this is duplicated in mylocal.cf, shouldnt have any effect there but leaving just in case
+ !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
+ remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report
+
+warn
+ !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
condition = ${if < {$message_size}{5000K}}
spam = Debian-exim:true
- add_header = X-Spam_score: $spam_score\n\
- X-Spam_score_int: $spam_score_int\n\
- X-Spam_bar: $spam_bar\n\
- X-Spam_report: $spam_report
+ add_header = X-Spam_score_int: $spam_score_int
+ add_header = X-Spam_score: $spam_score
+ add_header = X-Spam_bar: $spam_bar
+ add_header = X-Spam_report: $spam_report
+ add_header = X-Spam_action: $spam_action
#accept
# spf = pass:fail:softfail:none:neutral:permerror:temperror
# add_header = Reply-to: dmarctest@iankelling.org
EOF
-cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+
+case $HOSTNAME in
+ $MAIL_HOST)
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples
plain_server:
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
EOF
+ ;;
+ bk)
+
+ # avoid accepting mail for invalid users
+ # https://wiki.dovecot.org/LMTP/Exim
+ cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+deny
+ message = invalid recipient
+ domains = +local_domains
+ !verify = recipient/callout=no_cache
+EOF
+
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+dovecot_plain:
+ driver = dovecot
+ public_name = PLAIN
+ server_socket = /var/run/dovecot/auth-client
+ server_set_id = $auth1
+EOF
+ ;;
+esac
+# todo: for mail submission, test imap based authentication for bk.
+# eg: can we send as other ppl?
+# see sender validation in /a/opt/mailinabox/setup/mail-users.sh
cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################
EOF
cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
- driver = lmtp
- socket = /var/run/dovecot/lmtp
- #maximum number of deliveries per batch, default 1
- batch_max = 200
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+ envelope_to_add
EOF
# this avoids some error. i cant remember what. todo:
#
# dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
# directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
+ # can generally do more than exims filters (a few things less) and
# sieve has the benefit of being supported in postfix and
# proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+ # internet.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite
for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
e $f
if [[ -e $f ]]; then
- m sudo rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
+ m rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
break
fi
done
m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/}
done
+ # https://wiki.dovecot.org/SSL/DovecotConfiguration
+ cat >/etc/dovecot/dhparam <<'EOF'
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
+A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
+jorwiwtr2i9E6TXQp0noT/7VFeHulIkayTeW8JulINdMHs+oLylv16McGCIrxbkM
+8D1PuO0TP/CNDs2QbRvJ1RjY3CeGpxMhrSHVgBCUMwnA2cvz3bYjI7UMYMMDPNrE
+PLrwsYzXGGCdJsO2vsmmqqgLsZiapYJlUNjfiyWLt7E2H6WzkNB3VIhIPfLqFDPK
+xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg==
+-----END DH PARAMETERS-----
+EOF
+ cat >/etc/dovecot/local.conf <<EOF
+!include /etc/dovecot/local.conf.ext
+# https://ssl-config.mozilla.org
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# this is the same as the certbot list, in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_protocols = TLSv1.2
+ssl_prefer_server_ciphers = no
+ssl_dh_parameters_length = 2048
- # If we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+# default is just \$mail_plugins
+ mail_plugins = \$mail_plugins sieve
+# This downcases the localpart. default is case sensitive.
+# case sensitive local part will miss out on valid email when some person or system
+# mistakenly capitalizes things.
+ auth_username_format = %Lu
+}
+
+# make 147 only listen on localhost, plan to use for nextcloud.
+# copied from mailinabox
+service imap-login {
+ inet_listener imap {
+ address = 127.0.0.1
+ }
+}
+# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dovecot_authenticator.html
+service auth {
+ unix_listener auth-client {
+ user = Debian-exim
+ group = Debian-exim
+ }
+}
+EOF
- if [[ ! -e $uhome/sieve/personal.sieve ]]; then
- touch $uhome/sieve/personal{,end}{,test}.sieve
+ if dpkg --compare-versions $(dpkg-query -f='${Version}\n' --show dovecot-core) ge 1:2.3; then
+ cat >>/etc/dovecot/local.conf <<EOF
+ssl_dh = </etc/dovecot/dhparam
+EOF
fi
- # we set this later in local.conf
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-/^\s*mail_location\s*=/d
+ cat >/etc/dovecot/local.conf.ext <<'EOF'
+passdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+userdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
EOF
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
- mail_plugins = \$mail_plugins sieve
-# default was
- #mail_plugins = \$mail_plugins
+ cat >/etc/dovecot/dovecot-sql.conf.ext <<'EOF'
+# from mailinabox
+driver = sqlite
+connect = /m/rc/users.sqlite
+default_pass_scheme = SHA512-CRYPT
+password_query = SELECT email as user, password FROM users WHERE email='%u';
+user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u';
+iterate_query = SELECT email AS user FROM users;
+EOF
+ chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions
+
+ # db needs to be in a www-data writable directory
+ db=/m/rc/users.sqlite
+ if [[ ! -s $db ]]; then
+ sqlite3 $db <<'EOF'
+CREATE TABLE users (
+id INTEGER PRIMARY KEY AUTOINCREMENT,
+email TEXT NOT NULL UNIQUE,
+password TEXT NOT NULL,
+extra,
+privileges TEXT NOT NULL DEFAULT '');
+EOF
+ fi
+ # example of adding a user:
+ # hash: doveadm pw -s SHA512-CRYPT -p passhere
+ # sqlite3 /m/rc/users.sqlite <<'EOF'
+ #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
+ #EOF
+
+
+
+
+ case $HOSTNAME in
+ $MAIL_HOST)
+ # If we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
+
+ if [[ ! -e $uhome/sieve/personal.sieve ]]; then
+ touch $uhome/sieve/personal{,end}{,test}.sieve
+ fi
+ rm -fv /etc/dovecot/conf.d/20-lmtp.conf # file from prev version
+ cat >>/etc/dovecot/local.conf <<EOF
+# simple password file based login
+!include conf.d/auth-passwdfile.conf.ext
+
+# ian: %u is used for alerts user vs iank
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
+
+protocol lmtp {
# For a normal setup with exim, we need something like this, which
# removes the domain part
# auth_username_format = %Ln
# modifying the local router in exim.
auth_username_format = $u
}
-
EOF
+ ;;
+ bk)
+ chown -R mail.mail /m/md
+ f=/etc/dovecot/conf.d/10-auth.conf
+ if [[ -e $f ]]; then
+ mv $f $f-iank-disabled
+ fi
+ cat >>/etc/dovecot/local.conf <<EOF
- cat >/etc/dovecot/local.conf <<EOF
-# so I can use a different login that my shell login for mail. this is
-# worth doing solely for the reason that if this login is compromised,
-# it won't also compromise my shell password.
-!include conf.d/auth-passwdfile.conf.ext
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+auth_verbose=yes
+mail_debug=yes
+
+plugin {
+ sieve_before = /etc/dovecot/sieve-spam.sieve
+ # from mailinabox
+ sieve = /m/sieve/%d/%n.sieve
+ sieve_dir = /m/sieve/%d/%n
+}
-# settings derived from wiki and 10-ssl.conf
-ssl = required
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-# ian: added this, more secure, per google etc
-ssl_prefer_server_ciphers = yes
+# all taken from mailinabox.
+mail_location = maildir:/m/md/%d/%n
+# meh, ok.
+mail_privileged_group = mail
+# By default Dovecot allows users to log in only with UID numbers 500 and above. mail is 8
+first_valid_uid = 1
+
+# todo: test these changes in the universal config
+# mailboxes taken from mailinabox but removed
+# settings duplicate to defaults
+namespace inbox {
+ mailbox INBOX {
+ auto = subscribe
+ }
+ mailbox Spam {
+ special_use = \Junk
+ auto = subscribe
+ }
+ mailbox Drafts {
+ auto = subscribe
+ }
+ mailbox Sent {
+ auto = subscribe
+ }
+ mailbox Trash {
+ auto = subscribe
+ }
+ mailbox Archive {
+ special_use = \Archive
+ auto = subscribe
+ }
+}
+auth_mechanisms = plain login
+EOF
-# ian: %u is used for alerts user vs iank
-mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
-mail_uid = $u
-mail_gid = $u
+ cat >/etc/dovecot/sieve-spam.sieve <<'EOF'
+require ["regex", "fileinto", "imap4flags"];
-# for debugging info, uncomment these.
-# logs go to syslog and to /var/log/mail.log
-# auth_verbose=yes
-#mail_debug=yes
+if allof (header :regex "X-Spam-Status" "^Yes") {
+ fileinto "Spam";
+ stop;
+}
EOF
+ sievec /etc/dovecot/sieve-spam.sieve
+
+ ;;
+ esac
####### end dovecot-setup ########
}
+# * nextcloud setup
+
+# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+# curl from the web installer requirement, but i switched to cli
+pi php-curl php-fileinfo php-bz2
+web-conf - apache2 expertpathologyreview.com <<'EOF'
+Alias /nextcloud "/var/www/nextcloud/"
+<Directory /var/www/nextcloud/>
+ Require all granted
+ AllowOverride All
+ Options FollowSymLinks MultiViews
+
+ <IfModule mod_dav.c>
+ Dav off
+ </IfModule>
+
+</Directory>
+EOF
+
+cd /var/www
+wget https://download.nextcloud.com/server/releases/latest.zip
+unzip -q latest.zip
+rm latest.zip
+chown -R www-data.www-data nextcloud
+cd /var/www/nextcloud
+sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist
+cd /var/www/nextcloud/config
+# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
+[www]
+clear_env = no
+EOF
+cat config.php - >tmp.php <<'EOF'
+$CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud';
+$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
+$CONFIG['trusted_domains'] = array (
+ 0 => 'expertpathologyreview.com',
+ );
+#$CONFIG[''] = '';
+fwrite(STDOUT, "<?php\n\$CONFIG = ");
+var_export($CONFIG);
+fwrite(STDOUT, ";\n");
+EOF
+php tmp.php >config.php 2>/dev/null
+rm tmp.php
+sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess
+
+
+# * roundcube setup
+
+roundcube-setup() {
+ # avoid prompt
+ debconf-set-selections <<'EOF'
+roundcube-core roundcube/dbconfig-install boolean false
+EOF
+ # zip according to /installer
+ # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
+ # $config['enable_installer'] = true;
+ pi roundcube roundcube-sqlite3 php-zip
+ rcdir=/usr/local/lib/roundcubemail
+ # point debian cronjob to our local install, preventing daily cron error
+
+ f=/usr/share/roundcube/bin/cleandb.sh
+ if [[ ! -L $f ]]; then
+ if [[ -e $f ]]; then
+ m rm -f $f
+ fi
+ m ln -sfT $rcdir/bin/cleandb.sh /usr/share/roundcube/bin/cleandb.sh
+ fi
+
+ # todo, consider installing the extensions mailinabox uses
+
+ #### begin dl roundcube
+ # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
+ v=1.4.8; f=roundcubemail-$v-complete.tar.gz
+ cd /a/opt
+ if [[ -e $f ]]; then
+ timestamp=$(stat -c %Y $f)
+ else
+ timestamp=0
+ fi
+ m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f
+ new_timestamp=$(stat -c %Y $f)
+ if [[ $timestamp != $new_timestamp ]]; then
+ m tar -C /usr/local/lib --no-same-owner -zxf $f
+ m rm -rf $rcdir
+ m mv $rcdir-$v $rcdir
+ fi
+ cd -
+ #### end dl roundcube
+
+ /a/exe/web-conf -r $rcdir - apache2 mail.expertpathologyreview.com <<EOF
+# taken from /etc/apache2/conf-available/roundcube.conf version 1.4.8+dfsg.1-1~bpo10+1
+<Directory $rcdir/>
+ Options +FollowSymLinks
+ # This is needed to parse $rcdir/.htaccess.
+ AllowOverride All
+ Require all granted
+</Directory>
+# Protecting basic directories:
+<Directory $rcdir/config>
+ Options -FollowSymLinks
+ AllowOverride None
+</Directory>
+EOF
+
+ if [[ ! -e $rcdir/config/secret ]]; then
+ base64 </dev/urandom | head -c24 >$rcdir/config/secret || [[ $? == 141 ]]
+ fi
+ secret=$(cat $rcdir/config/secret)
+ # todo: expire mail for testignore@b8.nz
+
+ # config from mailinabox
+ cat >$rcdir/config/config.inc.php <<EOF
+<?php
+\$config = array();
+# debian creates this for us
+\$config['log_dir'] = '/var/log/roundcube/';
+# debian also creates a temp dir, but it is under its install dir,
+# seems better to have our own.
+\$config['temp_dir'] = '/var/tmp/roundcube/';
+\$config['db_dsnw'] = 'sqlite:////m/rc/roundcube.sqlite?mode=0640';
+\$config['default_host'] = 'ssl://localhost';
+\$config['default_port'] = 993;
+\$config['imap_conn_options'] = array(
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ),
+ );
+\$config['imap_timeout'] = 15;
+\$config['smtp_server'] = 'tls://127.0.0.1';
+\$config['smtp_conn_options'] = array(
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ),
+ );
+\$config['product_name'] = 'webmail';
+\$config['des_key'] = '$secret';
+\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui');
+\$config['skin'] = 'elastic';
+\$config['login_autocomplete'] = 2;
+\$config['password_charset'] = 'UTF-8';
+\$config['junk_mbox'] = 'Spam';
+?>
+EOF
+
+ m mkdir -p /var/tmp/roundcubemail /m/rc
+ m chown -R www-data.www-data /var/tmp/roundcubemail /m/rc
+ m chmod 750 /var/tmp/roundcubemail
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ # todo: setup fail2ban
+ # todo: setup dnssec.
+ # todo: check for other mailinabox things
+ m sudo -u www-data touch /var/log/roundcube/errors.log
+
+ # Password changing plugin settings
+ cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
+# following are from mailinabox
+$config['password_minimum_length'] = 8;
+$config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite';
+$config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u';
+$config['password_dovecotpw'] = '/usr/bin/doveadm pw';
+$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
+$config['password_dovecotpw_with_method'] = true;
+EOF
+ # so PHP can use doveadm, for the password changing plugin
+ m usermod -a -G dovecot www-data
+ m usermod -a -G mail $u
+
+ # so php can update passwords
+ m chown www-data:dovecot /m/rc/users.sqlite
+ m chmod 664 /m/rc/users.sqlite
+
+ # Run Roundcube database migration script (database is created if it does not exist)
+ m $rcdir/bin/updatedb.sh --dir $rcdir/SQL --package roundcube
+ m chown www-data:www-data /m/rc/roundcube.sqlite
+ m chmod 664 /m/rc/roundcube.sqlite
+
+ # Enable PHP modules.
+ m phpenmod -v php mcrypt imap
+
+ # dpkg says this is required
+ m a2enmod proxy_fcgi setenvif
+ fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm
+ phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
+ m a2enconf $fpm
+ # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
+ # /etc/apache2/conf-enabled/php7.3-fpm.conf
+ m a2dismod php$phpver
+ # according to /install, we should set date.timezone,
+ # but that is dumb, the system already has the right zone in
+ # /var/log/roundcubemail/errors.log
+ cat >/etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
+date.timezone = "America/New_York"
+# for nextcloud
+upload_max_filesize = 2000M
+post_max_size = 2000M
+EOF
+
+ m systemctl restart $fpm
+ # dunno if reload/restart is needed
+ m systemctl reload apache2
+ m systemctl reload exim4
+
+ # todo: backups, carddav w nextcloud
+}
# * if MAIL_HOST
# * exim
- # todo, these pem files look old and useless. whats going on
sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
/p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/
# man page: is used to build the local_domains list, together with "localhost"
# iank.bid is for testing
# mail.iankelling.org is for machines i own
-dc_other_hostnames='*.iankelling.org;iankelling.org;*zroe.org;zroe.org;!bk.b8.nz;*.b8.nz;b8.nz'
-
+dc_other_hostnames='!mail2.iankelling.org;!mibtest.iankelling.org;*.iankelling.org;iankelling.org;zroe.org;!bk.b8.nz;*.b8.nz;b8.nz'
EOF
EOF
m chmod 755 $f
+ # make all system users be aliases
+ for u in $(awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd); do
+ if ! grep -q "^$u:" aliases; then
+ echo "$u: root" |tee -a /etc/aliases
+ fi
+ done
+
+ # alerts is basically the postmaster address
sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: $postmaster
+\$a root: alerts@mail.iankelling.org
/^root:/d
EOF
m systemctl restart $vpn_ser@mail
m systemctl enable $vpn_ser@mail
;;
- # * not MAIL_HOST
- *) # $HOSTNAME != $MAIL_HOST
+ # * bk
+ ## we use this host to monitor MAIL_HOST and host a mail server for someone
+ bk)
+
+ # dkim, client passwd file
+ rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
+ /p/c/machine_specific/bk/filesystem/etc/exim4/* /etc/exim4
+
+ echo mail2.iankelling.org > /etc/mailname
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
+EOF
+
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# man page: is used to build the local_domains list, together with "localhost"
+dc_other_hostnames='bk.b8.nz;expertpathologyreview.com'
+EOF
+
+
+ /a/exe/web-conf apache2 autoconfig.expertpathologyreview.com
+ dir=/var/www/autoconfig.expertpathologyreview.com/html/mail
+ mkdir -p $dir
+ # taken from mailinabox
+ cat >$dir/config-v1.1.xml <<'EOF'
+<?xml version="1.0"?>
+<clientConfig version="1.1">
+ <emailProvider id="expertpathologyreview.com">
+ <domain>expertpathologyreview.com</domain>
+
+ <displayName>expertpathologyreview.com Mail</displayName>
+ <displayShortName>expertpathologyreview.com</displayShortName>
+
+ <incomingServer type="imap">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ </incomingServer>
+
+ <outgoingServer type="smtp">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>587</port>
+ <socketType>STARTTLS</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ <addThisServer>true</addThisServer>
+ <useGlobalPreferredServer>false</useGlobalPreferredServer>
+ </outgoingServer>
+
+ <documentation url="https://expertpathologyreview.com/">
+ <descr lang="en">expertpathologyreview.com website.</descr>
+ </documentation>
+ </emailProvider>
+
+ <webMail>
+ <loginPage url="https://mail.expertpathologyreview.com" />
+ <loginPageInfo url="https://mail.expertpathologyreview.com" >
+ <username>%EMAILADDRESS%</username>
+ <usernameField id="rcmloginuser" name="_user" />
+ <passwordField id="rcmloginpwd" name="_pass" />
+ <loginButton id="rcmloginsubmit" />
+ </loginPageInfo>
+ </webMail>
+ <clientConfigUpdate url="https://autoconfig.expertpathologyreview.com/mail/config-v1.1.xml" />
+</clientConfig>
+EOF
+
+ roundcube-setup
+ ;;
+ # * not MAIL_HOST and not bk
+ *)
# remove mail. uses 2 lines to properly remove whitespace
sed -ri -f - /etc/hosts <<'EOF'
s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
m systemctl stop mailclean.timer &>/dev/null ||:
m systemctl disable $vpn_ser@mail
m systemctl stop $vpn_ser@mail
- #
- #
- # would only exist because I wrote it i the previous condition,
- # it\'s not part of exim
- rm -fv /etc/exim4/conf.d/main/000_localmacros
+
+ rm -fv /etc/exim4/conf.d/main/000_localmacros # old filename
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
hostname -f >/etc/mailname
-
- ;;&
- ## we use this host to monitor MAIL_HOST
- bk)
-
- cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-# man page: is used to build the local_domains list, together with "localhost"
-# mail.iankelling.org is for machines i own
-dc_other_hostnames='bk.b8.nz'
-EOF
- # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
- # is no good.
- sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: iank
-/^root:/d
-EOF
- ;;
- # not bk and not MAIL_HOST
- *)
-
-
- # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
- # is no good.
+ # This ends up at alerts mailbox on MAIL_HOST
sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: root@mail.iankelling.org
/^root:/d
m systemctl disable dovecot ||:
m systemctl stop dovecot ||:
;;
-esac # end $HOSTNAME != $MAIL_HOST
+esac
# * spool dir setup
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
-# todo: I\'m suspicious of uids for Debian-exim being the same across
-# distros. It would be good to test this.
dir=/nocow/exim4
sdir=/var/spool/exim4
# we only do this if our system has $dir
m systemctl start exim4
fi
-if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
- m systemctl stop spamassassin
- m systemctl disable spamassassin
-fi
+case $HOSTNAME in
+ bk|$MAIL_HOST) : ;;
+ *)
+ m systemctl stop spamassassin
+ m systemctl disable spamassassin
+ ;;
+esac
# * mail monitoring / testing
EOF
;;&
bk)
- test_from=iank@bk.b8.nz
+ test_from=testignore@bk.b8.nz
test_to=testignore@iankelling.org
;;&
$MAIL_HOST|bk)
iankelling.org / git / distro-setup / commitdiff