# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
-
# background: I want to run exim in a network namespace so it can send
# and receive through a vpn. This is needed so it can do ipv6, because
# outside the namespace if we dont have ipv6, to send ipv6 through the
exit 1
fi
source /a/bin/distro-functions/src/identify-distros
+
+# has nextcloud_admin_pass in it
f=/p/c/machine_specific/bk/mail
if [[ -e $f ]]; then
source $f
exit $1
}
-debug=false
+# debug output if we pass any arg
if (( $# )); then
- debug=true
set -x
fi
# * perstent password instructions
+# Note: for cert cron, we need to manually run first to accept known_hosts
+
# # exim passwords:
# # for hosts which have all private files I just use the same user
# # for other hosts, each one get\'s their own password.
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
-# echo "bind txt record:"
+# echo "bind txt record: remember to truncate $domain so its relative to the bind zone"
# cat <<EOF
# li._domainkey.$domain TXT (
# v=DKIM1\059 k=rsa\059 p="$(openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1"\n"\2/p};3,$H')" )
####### end persistent dkim instructions #########
-# * functions constants
+# * functions & constants
e() { printf "%s\n" "$*"; }
pi() { # package install without starting daemons
local f
# forward=ian@iankelling.org
smarthost="$mxhost::$mxport"
+uhome=$(eval echo ~$u)
+
+source /a/bin/bash_unpublished/source-state
+if [[ ! $MAIL_HOST ]]; then
+ err "\$MAIL_HOST not set"
+fi
+
+## * Install packages
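Review bot: `uhome=$(eval echo ~$u)` on L45 (moved here from L62) runs `eval` over whatever `$u` holds, which is set outside this hunk; any shell metacharacters in that value would be executed rather than echoed. The home-directory lookup does not need `eval` at all: `uhome=$(getent passwd "$u" | cut -d: -f6)` returns the same path from the passwd database and fails visibly (empty result) for an unknown user instead of silently yielding the literal `~name`. If `$u` is guaranteed to be a fixed local account name this is a style point only, but the safer form costs nothing.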
if [[ $(debian-codename-compat) == bionic ]]; then
cat >/etc/apt/preferences.d/spamassassin <<'EOF'
fi
-## * Install packages
# light version of exim does not have sasl auth support.
pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor jq moreutils
# note: pyzor debian readme says you need to run some initialization command
# our nostart pi fails to avoid enabling
systemctl disable openvpn
-uhome=$(eval echo ~$u)
### * user forward file
-
case $HOSTNAME in
$MAIL_HOST|bk)
# afaik, these will get ignored on MAIL_HOST because they are routing to my own
# entirely of whitespace".) This is a safe, terse alternative:
clear_report_template
report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN
-internal_networks 85.119.83.50
-trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
+internal_networks 85.119.83.50 10.173.8.1
+trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48 10.173.8.1
EOF
+# todo: figure out a reverse dns lookup for 10.173.8.1 in the nn.
+# perhaps adding files in nsswitch should fix it?
+
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
tmpdir=$(mktemp -d)
cat >$tmpdir/openvpn-client-mail@.service <<'EOF'
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
# needed to continually restatr
StartLimitIntervalSec=0
[Install]
WantedBy=multi-user.target
EOF
-tmp=$(install -vC $tmpdir/* /etc/systemd/system)
+tmp=$(rsync -ic $tmpdir/* /etc/systemd/system)
rm -rf $tmpdir
if [[ $tmp ]]; then
m systemctl daemon-reload
fi
+tmpdir=$(mktemp -d)
+echo "nameserver 8.8.8.8" >$tmpdir/stub-resolv.conf
+mkdir -p /etc/nn-resolv
+rsync -ic $tmpdir/* /etc/nn-resolv
+rm -rf $tmpdir
+m chattr +i /etc/nn-resolv/stub-resolv.conf
+
+### begin setup network namespace ###
-f=/etc/nn-resolv/stub-resolv.conf
-l="nameserver 8.8.8.8"
-if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then
- mkdir -p ${f%/*}
- echo "$l" >$f
- chattr +i $f
+nn_progs=(exim4)
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ # Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
+ nn_progs+=(spamassassin dovecot)
fi
-### begin setup network namespace ###
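Review bot: The `rsync -ic $tmpdir/* /etc/nn-resolv` on L100 will fail on any later run where the content differs, because L102 makes the destination immutable with `chattr +i` and rsync cannot replace an immutable file; the removed `grep -Fxq` guard on L107 avoided writing in that case, and the new code has no equivalent. Clear the flag before syncing, e.g. `[[ -e /etc/nn-resolv/stub-resolv.conf ]] && chattr -i /etc/nn-resolv/stub-resolv.conf` just before L100, and keep the `chattr +i` after it. Whether such a failure aborts the script depends on whether `set -e` is in effect, which is not visible in this hunk; the other rsync calls in this file capture the itemized output in `tmp`, and doing the same here would at least make the outcome inspectable.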
case $HOSTNAME in
$MAIL_HOST|bk)
reload=false
tmpdir=$(mktemp -d)
- for unit in exim4 spamassassin; do
- dir=/etc/systemd/system/$unit.service.d
- mkdir -p $dir
+ for unit in ${nn_progs[@]}; do
cat >$tmpdir/nn.conf <<'EOF'
[Unit]
After=network.target
# time to sleep before restarting a service
RestartSec=1
EOF
- tmp=$(install -vC $tmpdir/* $dir)
+ mkdir -p /etc/systemd/system/$unit.service.d
+ tmp=$(rsync -ic $tmpdir/* /etc/systemd/system/$unit.service.d)
if [[ $tmp ]]; then
+ printf "rsync to /etc/systemd/system/$unit.service.d\n%s\n" "$tmp"
reload=true
fi
done
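Review bot: `for unit in ${nn_progs[@]}` on L124 expands the array unquoted, and L135 interpolates `$unit` into the printf format string rather than passing it as an argument. Both are harmless for the fixed names in `nn_progs` but are the patterns ShellCheck flags (SC2068, SC2059) and break the moment a value contains whitespace or `%`. Prefer `for unit in "${nn_progs[@]}"; do` and `printf 'rsync to /etc/systemd/system/%s.service.d\n%s\n' "$unit" "$tmp"`. The enclosing `case` arm continues past this hunk.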
sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
- # We wait until later to stop if we arent mailhost, so that if we
- # are transitioning from mail host to non-mail host, we wont screw
- # up exim.
- m systemctl enable spamassassin
- m systemctl start spamassassin
;;
esac
##### end spamassassin config
# after my internet was down for a bit:
# NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
+ m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail -s /b/ds/mail-route li.iankelling.org
fi
m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin
[Install]
WantedBy=timers.target
EOF
-tmp=$(install -vC $tmpdir/* /etc/systemd/system)
+tmp=$(rsync -ic $tmpdir/* /etc/systemd/system)
if [[ $tmp ]]; then
m systemctl daemon-reload
fi
m systemctl restart mailcert.timer
m systemctl enable mailcert.timer
+# * common exim4 config
-# * common exim4 config
-source /a/bin/bash_unpublished/source-state
-if [[ ! $MAIL_HOST ]]; then
- err "\$MAIL_HOST not set"
-fi
+# Make all system users be aliases. preventative
+# measure for things like cron mail for user without alias
+awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd| while read -r user; do
+ if [[ ! $user ]]; then
+ continue
+ fi
+ if ! grep -q "^$user:" /etc/aliases; then
+ echo "$user: root" |tee -a /etc/aliases
+ fi
+done
-m gpasswd -a iank adm #needed for reading logs
+m gpasswd -a iank adm #needed for reading logs
### make local bounces go to normal maildir
# local mail that bounces goes to /Maildir or /root/Maildir
# replace the router name so it is unique
sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
-#### begin setup alternate config for daemon
+# todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?
+
+#### begin setup alternate config for main daemon
+
+#in debian, config file used is first found of:
+#CONFIGURE_FILE=/etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
+# but we can use this alternate for the daemon
update-exim4defaults -f --commonoptions '-C /etc/exim4/my.conf'
l="UPEX4OPTS='-o /etc/exim4/my.conf'"
if ! grep -Fxq "$l" /etc/default/exim4; then
cat >/etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
-#### end setup alternate config for daemon
+#### end setup alternate config for main daemon
# alerts is basically the postmaster address
sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: alerts@mail.iankelling.org
+\$a root: alerts@iankelling.org
/^root:/d
EOF
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
EOF
+# This file only exists in the nn config. for bk to accept mail
+# outside the nn, it needs a separate cert
+cat >/etc/exim4/conf.d/main/000_local-nn <<EOF
+MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem
+MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem
+EOF
+
rm -fv /etc/exim4/rcpt_local_acl # old path
cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
-# Only hosts we control send to @mail.iankelling.org, so make sure
-# they are all authed.
-# Note, if we wanted authed senders for all domains,
-# we could make this condition in acl_check_mail
-deny
- message = ian trusted domain recepient but no auth
- !authenticated = *
- domains = mail.iankelling.org
+# i had a thing here so alerts would only come from
+# authed hosts. I ditched it, but leaving this here since
+# I might add somethign later.
EOF
# This acl already exists in rcpt, this just makes it more widespread.
warn
# all internal ips. note this is duplicated in mylocal.cf, shouldnt have any effect there but leaving just in case
- !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
+ !hosts = <; 72.14.176.105 ; 2600:3c00:e000:280::2 ; 85.119.83.50 ; 18.4.89.0/24 ; 209.51.188.0/24 ; 74.94.156.208/28 ; 2603:3005:71a:2e00::/64 ; 2001:470:142::/48 ; 10.173.8.1
remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report
warn
- !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
+ !hosts = <; 72.14.176.105 ; 2600:3c00:e000:280::2 ; 85.119.83.50 ; 18.4.89.0/24 ; 209.51.188.0/24 ; 74.94.156.208/28 ; 2603:3005:71a:2e00::/64 ; 2001:470:142::/48 ; 10.173.8.1
condition = ${if < {$message_size}{5000K}}
spam = Debian-exim:true
add_header = X-Spam_score_int: $spam_score_int
EOF
-case $HOSTNAME in
- $MAIL_HOST)
- cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-# from 30_exim4-config_examples
-
-plain_server:
-driver = plaintext
-public_name = PLAIN
-server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-server_set_id = $auth2
-server_prompts = :
-.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
-.endif
-EOF
- ;;
- bk)
-
- # avoid accepting mail for invalid users
- # https://wiki.dovecot.org/LMTP/Exim
- cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
-deny
- message = invalid recipient
- domains = +local_domains
- !verify = recipient/callout=no_cache
-EOF
-
- cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-dovecot_plain:
- driver = dovecot
- public_name = PLAIN
- server_socket = /var/run/dovecot/auth-client
- server_set_id = $auth1
-EOF
- ;;
-esac
-
# see sender validation in /a/opt/mailinabox/setup/mail-users.sh
cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
envelope_to_add
EOF
-# this avoids some error. i cant remember what. todo:
-# test it out and document why/if its needed.
-cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
-mail.fsf.org
-*.posteo.de
-EOF
-
-# for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
-# and also have mail.iankelling.org whitelisted as a relay domain.
-# I could avoid that if I changed this to submit to 587 with a
-# password like a standard mua.
-cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
-# smarthost for fsf mail
-# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
-# replaced DCsmarthost with mail.fsf.org
-fsfsmarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- senders = *@fsf.org
- transport = remote_smtp_smarthost
- route_list = * mail.fsf.org::587 byname
- host_find_failed = ignore
- same_domain_copy_routing = yes
- no_more
-
-posteosmarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- senders = *@posteo.net
- transport = remote_smtp_smarthost
- route_list = * posteo.de::587 byname
- host_find_failed = ignore
- same_domain_copy_routing = yes
- no_more
-
-gnusmarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- senders = *@gnu.org
- transport = remote_smtp_smarthost
- route_list = * fencepost.gnu.org::587 byname
- host_find_failed = ignore
- same_domain_copy_routing = yes
- no_more
-EOF
-
-
cat >/etc/exim4/update-exim4.conf.conf <<'EOF'
# default stuff, i havent checked if its needed
dc_minimaldns='false'
####### end dovecot-setup ########
}
-# * nextcloud setup
+# * thunderbird autoconfig setup
-nextcloud-setup() {
- # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
- # curl from the web installer requirement, but i switched to cli
- pi php-curl php-fileinfo php-bz2
- # install checker, nextcloud/settings/admin/overview
- pi php-gmp php-bcmath php-imagick php-apcu
+if [[ $HOSTNAME == bk ]]; then
+ /a/exe/web-conf apache2 autoconfig.expertpathologyreview.com
+ dir=/var/www/autoconfig.expertpathologyreview.com/html/mail
+ mkdir -p $dir
+ # taken from mailinabox
+ cat >$dir/config-v1.1.xml <<'EOF'
+<?xml version="1.0"?>
+<clientConfig version="1.1">
+ <emailProvider id="expertpathologyreview.com">
+ <domain>expertpathologyreview.com</domain>
- cd /var/www
- if [[ ! -e nextcloud/index.php ]]; then
- wget https://download.nextcloud.com/server/releases/latest.zip
- unzip -q latest.zip
- rm -f latest.zip
- chown -R www-data.www-data nextcloud
- cd /var/www/nextcloud
- sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
- fi
- cd /var/www/nextcloud/config
- # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
- cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
-[www]
-clear_env = no
-EOF
- cat config.php - >tmp.php <<'EOF'
-# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
-$CONFIG["mail_smtpmode"] = "sendmail";
-$CONFIG["mail_smtphost"] = "127.0.0.1";
-$CONFIG["mail_smtpport"] = 25;
-$CONFIG["mail_smtptimeout"] = 10;
-$CONFIG["mail_smtpsecure"] = "";
-$CONFIG["mail_smtpauth"] = false;
-$CONFIG["mail_smtpauthtype"] = "LOGIN";
-$CONFIG["mail_smtpname"] = "";
-$CONFIG["mail_smtppassword"] = "";
-$CONFIG["mail_domain"] = "expertpathologyreview.com";
+ <displayName>expertpathologyreview.com Mail</displayName>
+ <displayShortName>expertpathologyreview.com</displayShortName>
-# https://github.com/nextcloud/user_external#readme
-# plus mailinabox example
-$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
+ <incomingServer type="imap">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ </incomingServer>
+ <outgoingServer type="smtp">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>587</port>
+ <socketType>STARTTLS</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ <addThisServer>true</addThisServer>
+ <useGlobalPreferredServer>false</useGlobalPreferredServer>
+ </outgoingServer>
-# based on installer check
-# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
-$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
+ <documentation url="https://expertpathologyreview.com/">
+ <descr lang="en">expertpathologyreview.com website.</descr>
+ </documentation>
+ </emailProvider>
-$CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud';
-$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
-$CONFIG['trusted_domains'] = array (
- 0 => 'expertpathologyreview.com',
- );
-#$CONFIG[''] = '';
-fwrite(STDOUT, "<?php\n\$CONFIG = ");
-var_export($CONFIG);
-fwrite(STDOUT, ";\n");
+ <webMail>
+ <loginPage url="https://expertpathologyreview.com/roundcube" />
+ <loginPageInfo url="https://expertpathologyreview.com/roundcube" >
+ <username>%EMAILADDRESS%</username>
+ <usernameField id="rcmloginuser" name="_user" />
+ <passwordField id="rcmloginpwd" name="_pass" />
+ <loginButton id="rcmloginsubmit" />
+ </loginPageInfo>
+ </webMail>
+ <clientConfigUpdate url="https://autoconfig.expertpathologyreview.com/mail/config-v1.1.xml" />
+</clientConfig>
EOF
- php tmp.php >config.php 2>/dev/null
- rm tmp.php
- sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess
- list=$(sudo -u www-data php /var/www/nextcloud/occ --output=json_pretty app:list)
- for app in contacts calendar user_external; do
- if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
- m sudo -u www-data php /var/www/nextcloud/occ app:install $app
- fi
- done
-
- # todo: install apps with occ. contacts, calendar, mail
-}
+fi
# * roundcube setup
-roundcube-setup() {
+if [[ $HOSTNAME == bk ]]; then
### begin composer install
# https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
fi
m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f
new_timestamp=$(stat -c %Y $f)
- if [[ $timestamp != $new_timestamp || ! -e $rcdir/config/secret ]]; then
+ if [[ $timestamp != "$new_timestamp" || ! -e "$rcdir/config/secret" ]]; then
m tar -C /usr/local/lib --no-same-owner -zxf $f
m rm -rf $rcdir
m mv $rcdir-$v $rcdir
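Review bot: The release tarball fetched on L455 is extracted on L459 with nothing in between except the timestamp comparison, so unless a checksum or signature check exists outside the visible lines the archive is installed exactly as downloaded. Since this block now runs inline on every `bk` run (the `if [[ $HOSTNAME == bk ]]` opened on L451), a pinned checksum compared before `tar -zxf`, or a verification of the project's release signature, would close that gap; `m sha256sum -c <<<"$expected_sha256  $f"` with a placeholder for the expected value is a one-line form. The quoting fix on L458 is fine as far as it goes.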
# based on install checker, links to
# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery
-RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
-RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
-RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
-RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
-RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
+# their example was a bit wrong, I figured it out by adding
+# LogLevel warn rewrite:trace5
+# then watching the apache logs
+
+RewriteEngine on
+RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
+RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
+RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
+RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
+RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
### end nextcloud settings
EOF
base64 </dev/urandom | head -c24 >$rcdir/config/secret || [[ $? == 141 ]]
fi
secret=$(cat $rcdir/config/secret)
- # todo: expire mail for testignore@b8.nz
# config from mailinabox
cat >$rcdir/config/config.inc.php <<EOF
# todo: check for other mailinabox things
m sudo -u www-data touch /var/log/roundcube/errors.log
-
- # todo: look at .well-known for carddav?
-
#### begin carddav install
# This is the official roundcube carddav repo.
# Install doc suggests downloading with composer, but that
install=false
v=4.0.0
if [[ -e $verf ]]; then
- if [[ $(cat $verf) != $v ]]; then
+ if [[ $(cat $verf) != "$v" ]]; then
install=true
upgrade=true
fi
# dunno if reload/restart is needed
m systemctl reload apache2
# note bk backups are defined in crontab outside this file
-}
-
+fi # end nextcloud setup
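Review bot: The trailing comment on L508 is wrong: this `fi` closes the `if [[ $HOSTNAME == bk ]]` opened on L451 under the `# * roundcube setup` heading, while the nextcloud setup only begins on L510 and closes with the bare `fi` on L588. Change it to `fi # end roundcube setup`, and for symmetry give L588 `fi # end nextcloud setup`, so the two long host-conditional blocks can be told apart when reading the bottom of the file.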
-# * exim host conditional config
+# * nextcloud setup
+if [[ $HOSTNAME == bk ]]; then
+ # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+ # curl from the web installer requirement, but i switched to cli
+ pi php-curl php-fileinfo php-bz2
+ # install checker, nextcloud/settings/admin/overview
+ pi php-gmp php-bcmath php-imagick php-apcu
-case $HOSTNAME in
- # ** $MAIL_HOST|bk)
- $MAIL_HOST|bk)
- dovecot-setup
- m systemctl enable dovecot
- m systemctl restart dovecot
- cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-# note: some things we don't set that are here by default because they are unused.
-dc_eximconfig_configtype='internet'
-dc_localdelivery='dovecot_lmtp'
+ cd /var/www
+ if [[ ! -e nextcloud/index.php ]]; then
+ wget https://download.nextcloud.com/server/releases/latest.zip
+ unzip -q latest.zip
+ rm -f latest.zip
+ chown -R www-data.www-data nextcloud
+ cd /var/www/nextcloud
+ sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
+ fi
+ cd /var/www/nextcloud/config
+ # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+ cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
+[www]
+clear_env = no
EOF
- cat >>/etc/exim4/conf.d/main/000_local <<EOF
-# recommended if dns is expected to work
-CHECK_RCPT_VERIFY_SENDER = true
-# These seem like a good idea and have stoped spammers on my server
-CHECK_DATA_VERIFY_HEADER_SENDER = true
+ cat config.php - >tmp.php <<'EOF'
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
+$CONFIG["mail_smtpmode"] = "sendmail";
+$CONFIG["mail_smtphost"] = "127.0.0.1";
+$CONFIG["mail_smtpport"] = 25;
+$CONFIG["mail_smtptimeout"] = 10;
+$CONFIG["mail_smtpsecure"] = "";
+$CONFIG["mail_smtpauth"] = false;
+$CONFIG["mail_smtpauthtype"] = "LOGIN";
+$CONFIG["mail_smtpname"] = "";
+$CONFIG["mail_smtppassword"] = "";
+$CONFIG["mail_domain"] = "expertpathologyreview.com";
+
+# https://github.com/nextcloud/user_external#readme
+# plus mailinabox example
+$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
+
+
+# based on installer check
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
+$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
+
+$CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud';
+$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
+$CONFIG['trusted_domains'] = array (
+ 0 => 'expertpathologyreview.com',
+ );
+#$CONFIG[''] = '';
+fwrite(STDOUT, "<?php\n\$CONFIG = ");
+var_export($CONFIG);
+fwrite(STDOUT, ";\n");
+EOF
+ php tmp.php >config.php 2>/dev/null
+ rm tmp.php
+ sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess
+ list=$(sudo -u www-data php /var/www/nextcloud/occ --output=json_pretty app:list)
+ for app in contacts calendar user_external; do
+ if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
+ m sudo -u www-data php /var/www/nextcloud/occ app:install $app
+ fi
+ done
+fi
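Review bot: `--admin-pass $nextcloud_admin_pass` on L534 puts the admin password on the command line unquoted, where it is readable by any local user via the process list while `occ` runs and is echoed verbatim by the `set -x` trace that L21 enables whenever the script is given an argument. At minimum quote it, `--admin-pass "$nextcloud_admin_pass"`, and suppress tracing around the call with `{ set +x; } 2>/dev/null` before and `(( $# )) && set -x` after. Separately, `latest.zip` on L529 is unzipped on L530 without any checksum or signature verification, unless that happens outside the visible lines; and `chown -R www-data.www-data` on L532 uses the deprecated dot separator, `www-data:www-data` is the documented form.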
+
+# * exim host conditional config
+
+# ** auth
+case $HOSTNAME in
+ $MAIL_HOST)
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+ ;;
+ bk)
+ # avoid accepting mail for invalid users
+ # https://wiki.dovecot.org/LMTP/Exim
+ cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+deny
+ message = invalid recipient
+ domains = +local_domains
+ !verify = recipient/callout=no_cache
+EOF
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+dovecot_plain:
+ driver = dovecot
+ public_name = PLAIN
+ server_socket = /var/run/dovecot/auth-client
+ server_set_id = $auth1
+EOF
+ ;;
+esac
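Review bot: The `dovecot_plain` authenticator written for `bk` on L618-L622 has no `server_advertise_condition`, so PLAIN is advertised and accepted on unencrypted connections as well, whereas the `plain_server` block for `$MAIL_HOST` on L603-L605 restricts it to TLS sessions. Bring the two in line by adding, inside the same heredoc after L622, `.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS`, `server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}`, `.endif`. The heredoc is single-quoted, so the `$tls_in_cipher` reference is passed through to exim unchanged as it is in the block above.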
+
+
+case $HOSTNAME in
+ # ** $MAIL_HOST|bk)
+ $MAIL_HOST|bk)
+ dovecot-setup
+ m systemctl enable dovecot
+ m systemctl restart dovecot
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# note: some things we don't set that are here by default because they are unused.
+dc_eximconfig_configtype='internet'
+dc_localdelivery='dovecot_lmtp'
+EOF
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# These seem like a good idea and have stoped spammers on my server
+CHECK_DATA_VERIFY_HEADER_SENDER = true
# default config comment says: If you enable this, you might reject legitimate mail,
# but eggs has had this a long time, so that seems unlikely.
CHECK_DATA_VERIFY_HEADER_SYNTAX = true
smtp_accept_max = 200
smtp_accept_reserve = 50
smtp_reserve_hosts = <; 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; 209.51.188.13 ; 2001:470:142::13
+
+# options exim has to avoid having to alter the default config files
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
+LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
+# testing dmarc
+#dmarc_tld_file = /etc/public_suffix_list.dat
+EOF
+
+
+ cat >>/etc/exim4/conf.d/main/000_local-nn <<EOF
+# MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
+# smarthost config type, not sure.
+# failing message on mail-tester.com:
+# We check if there is a server (A Record) behind your hostname kd.
+# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
+# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
+# and this one seemed appropriate from grepping config.
+# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
+# mail to kd, so this should basically be a name that no host has as their
+# canonical hostname since the actual host sits behind a nat and changes.
+# Seems logical for this to be the same as mailname.
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
EOF
+ /a/exe/cedit nn.b8.nz /etc/hosts <<'EOF' || [[ $? == 1 ]]
+# note: i put this into bind for good measure
+10.173.8.2 nn.b8.nz
+# this is just here to avoid mainlog errors, however, it doesnt seem to work
+# todo: look into it more. nsswitch.conf? cached result? i dunno
+# list matching forced to fail: failed to find host name for 10.173.8.1
+10.173.8.1 defaultnn.b8.nz
+EOF
+ m systemctl start openvpn-client-mail@mail
+ m systemctl enable openvpn-client-mail@mail
+
m systemctl enable mailclean.timer
m systemctl start mailclean.timer
+
;;&
# ** $MAIL_HOST)
$MAIL_HOST)
+
+ # this avoids some error. i cant remember what. todo:
+ # test it out and document why/if its needed.
+ cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
+mail.fsf.org
+*.posteo.de
+EOF
+
+ # for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
+ # and also have mail.iankelling.org whitelisted as a relay domain.
+ # I could avoid that if I changed this to submit to 587 with a
+ # password like a standard mua.
+ cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@fsf.org
+ transport = remote_smtp_smarthost
+ route_list = * mail.fsf.org::587 byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+
+posteosmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@posteo.net
+ transport = remote_smtp_smarthost
+ route_list = * posteo.de::587 byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+
+gnusmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@gnu.org
+ transport = remote_smtp_smarthost
+ route_list = * fencepost.gnu.org::587 byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+EOF
+
+ # Greping /etc/exim4, unqualified mails this would end up as
+ # a return path, so it should go somewhere we will see.
+ # The debconf output about mailname is as follows:
+ # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
+ # name.
+ # This name will also be used by other programs. It should be the single, fully
+ # qualified domain name (FQDN).
+ # Thus, if a mail address on the local host is foo@example.org, the correct value for
+ # this option would be example.org.
+ # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
+ echo iankelling.org > /etc/mailname
+
sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
/p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/
# The debconf questions output is additional documentation that is not
# easily accessible, but super long, along with the initial default comment in this
# file, so I've saved that into ./mail-notes.conf.
-
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
# iank.bid is for testing
# mail.iankelling.org is for machines i own
-dc_other_hostnames='!mail2.iankelling.org;!mibtest.iankelling.org;*.iankelling.org;iankelling.org;zroe.org;!bk.b8.nz;*.b8.nz;b8.nz'
+# this is duplicated in a later router
+dc_other_hostnames='iankelling.org;zroe.org'
EOF
- # the debconf output about mailname is as follows:
- # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
- # name.
- # This name will also be used by other programs. It should be the single, fully
- # qualified domain name (FQDN).
- # Thus, if a mail address on the local host is foo@example.org, the correct value for
- # this option would be example.org.
- # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
-
- echo mail.iankelling.org > /etc/mailname
-
- # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
- # smarthost config type, not sure. all other settings
- # would be unused in that config type.
- cat >>/etc/exim4/conf.d/main/000_local <<EOF
-# failing message on mail-tester.com:
-# We check if there is a server (A Record) behind your hostname kd.
-# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
-# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
-# and this one seemed appropriate from grepping config.
-# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
-# mail to kd, so this should basically be a name that no host has as their
-# canonical hostname since the actual host sits behind a nat and changes.
-# Seems logical for this to be the same as mailname.
-MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
-
-# options exim has to avoid having to alter the default config files
-CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
-CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
-LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
-
-
-# testing dmarc
-#dmarc_tld_file = /etc/public_suffix_list.dat
-EOF
-
+ # dmarc. not used currently
f=/etc/cron.daily/refresh-dmarc-tld-file
cat >$f <<'EOF'
#!/bin/bash
EOF
m chmod 755 $f
- # make all system users be aliases
- for user in $(awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd); do
- if ! grep -q "^$user:" /etc/aliases; then
- echo "$u: root" |tee -a /etc/aliases
- fi
- done
+ ;;
+ # ** bk
+ ## we use this host to monitor MAIL_HOST and host a mail server for someone
+ bk)
+ echo bk.b8.nz > /etc/mailname
+
+ cat >/etc/myexim4/conf.d/router/180_vpnmanual <<'EOF'
+# copied from dnslookup, altered domains, added route_list,
+# changed driver, removed ignore_target_hosts since it
+# relies on a later defined macro
+vpnmanual:
+ debug_print = "R: dnslookup for $local_part@$domain"
+ driver = manualroute
+ domains = iankelling.org:zroe.org
+ transport = remote_smtp
+ same_domain_copy_routing = yes
+ route_list = * 10.8.0.4
+ no_more
+EOF
+ tmpdir=$(mktemp -d)
+ cp -a /etc/init.d/exim4 $tmpdir/exim4in
+ sed -i -f - $tmpdir/exim4in <<'EOF'
+s,/etc/default/exim4,/etc/default/exim4in,g
+s,/run/exim4/exim.pid,/run/exim4/eximin.pid,g
+EOF
+ tmp=$(rsync -ic $tmpdir/* /etc/init.d)
+ rm -rf $tmpdir
- m systemctl start openvpn-client-mail@mail
- m systemctl enable openvpn-client-mail@mail
+ tmpdir=$(mktemp -d)
+ cat >$tmpdir/alwaysrestart.conf <<'EOF'
+[Unit]
+# needed to continually restart
+StartLimitIntervalSec=0
- /a/exe/cedit nn.b8.nz /etc/hosts <<'EOF' || [[ $? == 1 ]]
-# note: i put this into bind for good measure
-10.173.8.2 nn.b8.nz
-# this is just here to avoid mainlog errors, however, it doesnt seem to work
-# todo: look into it more. nsswitch.conf? cached result? i dunno
-# list matching forced to fail: failed to find host name for 10.173.8.1
-10.173.8.1 defaultnn.b8.nz
+[Service]
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
EOF
+ mkdir -p /etc/systemd/system/exim4in.service.d
+ tmp+=$(rsync -ic $tmpdir/* /etc/systemd/system/exim4in.service.d)
+ if [[ $tmp ]]; then
+ printf "rsync to /etc/systemd/system/exim4in.service.d\n%s\n" "$tmp"
+ m systemctl daemon-reload
+ fi
- rsync -ra --delete /etc/exim4/ /etc/myexim4
- cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
-dc_eximconfig_configtype='smarthost'
-dc_smarthost='nn.b8.nz'
+ cat >/etc/default/exim4in <<'EOF'
+# defaults but no queue runner and alternate config dir
+QUEUERUNNER='no'
+COMMONOPTIONS='-oP /run/exim4/eximin.pid'
+UPEX4OPTS='-d /etc/myexim4'
EOF
- update-exim4.conf -d /etc/myexim4
-
- ;;
- # ** bk
- ## we use this host to monitor MAIL_HOST and host a mail server for someone
- bk)
# dkim, client passwd file
rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
/p/c/machine_specific/bk/filesystem/etc/exim4/* /etc/exim4
- echo mail2.iankelling.org > /etc/mailname
- cat >>/etc/exim4/conf.d/main/000_local <<EOF
-CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
-MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
-EOF
-
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
dc_other_hostnames='bk.b8.nz;expertpathologyreview.com'
EOF
-
- /a/exe/web-conf apache2 autoconfig.expertpathologyreview.com
- dir=/var/www/autoconfig.expertpathologyreview.com/html/mail
- mkdir -p $dir
- # taken from mailinabox
- cat >$dir/config-v1.1.xml <<'EOF'
-<?xml version="1.0"?>
-<clientConfig version="1.1">
- <emailProvider id="expertpathologyreview.com">
- <domain>expertpathologyreview.com</domain>
-
- <displayName>expertpathologyreview.com Mail</displayName>
- <displayShortName>expertpathologyreview.com</displayShortName>
-
- <incomingServer type="imap">
- <hostname>mail2.iankelling.org</hostname>
- <port>993</port>
- <socketType>SSL</socketType>
- <username>%EMAILADDRESS%</username>
- <authentication>password-cleartext</authentication>
- </incomingServer>
-
- <outgoingServer type="smtp">
- <hostname>mail2.iankelling.org</hostname>
- <port>587</port>
- <socketType>STARTTLS</socketType>
- <username>%EMAILADDRESS%</username>
- <authentication>password-cleartext</authentication>
- <addThisServer>true</addThisServer>
- <useGlobalPreferredServer>false</useGlobalPreferredServer>
- </outgoingServer>
-
- <documentation url="https://expertpathologyreview.com/">
- <descr lang="en">expertpathologyreview.com website.</descr>
- </documentation>
- </emailProvider>
-
- <webMail>
- <loginPage url="https://expertpathologyreview.com/roundcube" />
- <loginPageInfo url="https://expertpathologyreview.com/roundcube" >
- <username>%EMAILADDRESS%</username>
- <usernameField id="rcmloginuser" name="_user" />
- <passwordField id="rcmloginpwd" name="_pass" />
- <loginButton id="rcmloginsubmit" />
- </loginPageInfo>
- </webMail>
- <clientConfigUpdate url="https://autoconfig.expertpathologyreview.com/mail/config-v1.1.xml" />
-</clientConfig>
-EOF
-
- roundcube-setup
- nextcloud-setup
;;
# ** not MAIL_HOST and not bk
*)
- for unit in exim4 spamassassin; do
+ for unit in ${nn_progs[@]}; do
f=/etc/systemd/system/$unit.service.d/nn.conf
rm -fv $f
done
m systemctl disable openvpn-client-mail@mail
m systemctl stop openvpn-client-mail@mail
- rm -fv /etc/exim4/conf.d/main/000_localmacros # old filename
-
- cat >>/etc/exim4/update-exim4.conf.conf <<'EOF'
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
EOF
- hostname -f >/etc/mailname
+ hostname -A|awk '{print $1}' >/etc/mailname
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# The manpage incorrectly states this will do header rewriting, but
+
+# ** $MAILHOST & bk, things that belong at the end
+case $HOSTNAME in
+ $MAIL_HOST|bk)
+ # config for the non-nn exim
+ rsync -ra --delete /etc/exim4/ /etc/myexim4
+ cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
+dc_eximconfig_configtype='smarthost'
+dc_smarthost='nn.b8.nz'
+EOF
+ ;;&
+ bk)
+ rm -f /etc/myexim4/conf.d/router/180_vpnmanual
+ # config for the non-nn exim
+ cat >/etc/myexim4/conf.d/main/000_local-nn <<'EOF'
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
+EOF
+ ;;
+ $MAIL_HOST)
+ # for bk, we have a exim4in.service that will do this for us.
+ update-exim4.conf -d /etc/myexim4
+ ;;
+esac
+
# * spool dir setup
# ** bind mount setup
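Review bot: The `rm -f /etc/myexim4/conf.d/router/180_vpnmanual` in the bk arm only makes sense if that router reaches /etc/myexim4 through the `rsync -ra --delete /etc/exim4/ /etc/myexim4` two arms above it, yet the bk branch earlier in this diff (L821) writes the router heredoc straight to `/etc/myexim4/conf.d/router/180_vpnmanual`, where the --delete sync would remove it again before this line runs; presumably the earlier heredoc should target `/etc/exim4/conf.d/router/180_vpnmanual` so the vpn route lands in the namespaced exim's config and is stripped from the non-nn copy here. As far as this diff shows, /etc/myexim4 is only created by that rsync at the end, so on a fresh host the earlier write may also fail outright. The comment on the first line of the block names `$MAILHOST` while the variable used in the case patterns is `$MAIL_HOST`; suggest `# ** $MAIL_HOST & bk, things that belong at the end`. The enclosing script continues outside the hunk.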
After=local-fs.target
After=network.target
EOF
- dir=/etc/systemd/system/exim4.service.d
- mkdir -p $dir
- tmp=$(install -vC $tmpdir/* $dir)
+ mkdir -p /etc/systemd/system/exim4.service.d
+ tmp=$(rsync -ic $tmpdir/* /etc/systemd/system/exim4.service.d)
rm -rf $tmpdir
if [[ $tmp ]]; then
+ printf "rsync to /etc/systemd/system/exim4.service.d\n%s\n" "$tmp"
m systemctl daemon-reload
fi
if ! mountpoint -q $sdir; then
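Review bot: `tmp=$(rsync -ic $tmpdir/* /etc/systemd/system/exim4.service.d)` and the `rm -rf $tmpdir` below it expand an unguarded `$tmpdir`; should the `mktemp -d` that sets it (outside this hunk) fail while the script is not running under `set -e`, the glob becomes `/*` and rsync is pointed at the root of the filesystem, while the removal silently does nothing. Using `"${tmpdir:?}"` in both places aborts instead: `tmp=$(rsync -ic "${tmpdir:?}"/* /etc/systemd/system/exim4.service.d)` and `rm -rf -- "${tmpdir:?}"`. The same unguarded expansion appears in the new exim4in handling earlier in this diff (L840-L841 and L862), and the mkdir/rsync/printf/daemon-reload sequence is now written out twice (here and L861-L866), so a small helper taking the drop-in directory as its argument would keep the two copies aligned.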
-# * reload exim
+# * start exim / spamassassin
+
+# start spamassassin before exim, stop it after so if we are
+# transitioning from being mail_host to not, we dont have exim
+# complaining about no spamassassin.
+case $HOSTNAME in
+ $MAIL_HOST|bk)
+ m systemctl enable spamassassin
+ m systemctl start spamassassin
+ ;;
+esac
if systemctl is-active exim4 >/dev/null; then
m systemctl reload exim4
fi
case $HOSTNAME in
- bk|$MAIL_HOST) : ;;
+ $MAIL_HOST) : ;;
+ bk)
+ if systemctl is-active exim4in >/dev/null; then
+ m systemctl reload exim4in
+ else
+ m systemctl start exim4in
+ fi
+ m systemctl enable exim4in
+ ;;
*)
m systemctl stop spamassassin
m systemctl disable spamassassin
;;&
$MAIL_HOST)
test_from=ian@iankelling.org
- test_to=testignore@bk.b8.nz
+ test_to=testignore@expertpathologyreview.com
cat >>/etc/cron.d/mailtest <<EOF
2 * * * * $u check-remote-mailqs |& log-once check-remote-mailqs
EOF
;;&
bk)
- test_from=testignore@bk.b8.nz
+ test_from=testignore@expertpathologyreview.com
test_to=testignore@iankelling.org
;;&
$MAIL_HOST|bk)