sudo mv /etc/nsswitch.conf /etc/nsswitch
sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
fi
+
+f=/etc/apparmor.d/abstractions/nameservice
+if ! grep -q /etc/nsswitch/nsswitch.conf $f; then
+ sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f
+ m ser reload apparmor
+fi
+
pi libnss-resolve
# default is
# files mdns4_minimal [NOTFOUND=return] dns myhostname
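Review bot: The guard `grep -q /etc/nsswitch/nsswitch.conf $f` is a regex match, so each dot matches any character and a commented-out or partially matching line would also satisfy it and skip the sed insert; `grep -qF -- /etc/nsswitch/nsswitch.conf "$f"` checks the literal string. The `sed -i` also edits a file shipped by the apparmor package in place, so the added line may be lost when that file is replaced on upgrade; since the grep guard makes the block safe to re-run, that is worth stating, `# idempotent: re-run after apparmor upgrades replace this abstraction`.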
ifconfig-ipv6-push 2600:3c00:e000:280::3/64
EOF
- sudo dd of=/etc/systemd/system/vpnmail.service <<'EOF'
+ sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF'
[Unit]
Description=Turns on iptables mail nat
BindsTo=openvpn-server@mail.service
RequiredBy=openvpn-server@mail.service
EOF
ser daemon-reload
- sgo vpnmail.service
+ sgo vpn-mail-forward.service
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
sgo openvpn-server@mail
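Review bot: Renaming the unit leaves the old `/etc/systemd/system/vpnmail.service` on any host that ran the previous version, and nothing here disables or removes it, so both units would be present after `ser daemon-reload` and, if `sgo` enables as well as starts, the stale one stays enabled. Before the new `dd`, drop the old unit when it exists: `if [[ -e /etc/systemd/system/vpnmail.service ]]; then ser disable --now vpnmail.service; sudo rm /etc/systemd/system/vpnmail.service; fi` (assuming `ser` wraps `systemctl` as `ser daemon-reload` suggests). A one-line comment naming the old unit would also help the next reader understand why the removal is there.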
# note: pyzor debian readme says you need to run some initialization command
# but its outdated.
+m usermod -a -G Debian-exim clamav
soff openvpn
deny
-# defer_ok = accept messages even if there is a problem with clamav.
-# clamav regularly has fails, we havent had a reported problem with mail
-# not getting through, but this seems better.
malware = */defer_ok
+ !condition = ${if match {$malware_name}{\N^Heuristic\N}}
message = This message was detected as possible malware ($malware_name).
+warn
+ condition = ${if def:malware_name}
+ remove_header = Subject:
+ add_header = Subject: [Clamav warning: $malware_name] $h_subject
+ log_message = heuristic malware warning: $malware_name
#accept
# spf = pass:fail:softfail:none:neutral:permerror:temperror
# * mail monitoring / testing
+# note, to test clamav, send an email with body that only contains
+# https://en.wikipedia.org/wiki/EICAR_test_file
+# which set malware_name to Eicar-Signature
case $HOSTNAME in
$MAIL_HOST|bk|je)
# note: cronjob "ian" also does some important monitoring
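Review bot: With the three comment lines above it removed, `malware = */defer_ok` no longer says why scanner failures are accepted rather than deferred, and the new `warn` block does not say that it only acts on Heuristic.* detections because the `!condition` added to the `deny` lets exactly those through. Suggest restoring a one-liner above the malware condition, `# defer_ok: accept mail when clamav itself fails instead of tempfailing it`, and above `warn`, `# only Heuristic.* hits reach here; other detections were denied above`. The new testing note also describes a check of the deny path, since it says EICAR sets malware_name to Eicar-Signature, which does not match `^Heuristic`; the warn/subject-tagging path is not exercised by it and the comment could say so.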
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
m() { printf "%s\n" "$*"; "$@"; }
-gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
+found=false
+# wait up to 10 seconds for the gateway to appear
+for i in in {1..10}; do
+ gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
+ if [[ $gw ]]; then
+ found=true
+ fi
+ sleep 1
+done
+if ! $found; then
+ echo $0: error: couldnt find gateway interface in 10 seconds >&2
+ exit 1
+fi
do-forward() {
- cmd=$1; shift
- for port; do
- m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
- # we could leave these on all the time but its convenient to do it here
- done
- m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
- m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
+ cmd=$1; shift
+ for port; do
+ m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
+ done
+ # we could leave these on all the time but its convenient to do it here
+ m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
+ m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
}
ports=(25 143 587)
case $1 in
- start)
- do-forward -A ${ports[@]}
- ;;
- stop)
- do-forward -D ${ports[@]}
- ;;
- *)
- echo "$0: error: expected 1 argument of start or stop"
- exit 1
- ;;
+ start)
+ do-forward -A ${ports[@]}
+ ;;
+ stop)
+ do-forward -D ${ports[@]}
+ ;;
+ *)
+ echo "$0: error: expected 1 argument of start or stop"
+ exit 1
+ ;;
esac
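Review bot: The retry loop `for i in in {1..10}; do` has a stray `in`, so the first pass runs with i=in and the loop makes 11 passes; and there is no `break` once the gateway is found, so every start waits the full 10 s and `gw` is re-read on each pass, meaning `found` can end true while `gw` is empty if the route disappears on a later pass, and because `$gw` is expanded unquoted in do-forward an empty value would leave `-i`/`-o` without its operand in the iptables rules. Suggest `for _ in {1..10}; do` and `found=true; break` inside the `if`. The error line at 68 also wants quoting, `echo "$0: error: couldnt find gateway interface in 10 seconds" >&2`. The `case` closes at `esac`, but the script this hunk belongs to appears to continue past the hunk.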