#
#&! testignore|jtuttle|eximbackup|/usr/sbin/exim4 -bpu
-# todo: this should have been rejected at smtp-time. the <FF> is a translation of �
-# 2025-02-28 23:41:40 [3939978] 1toEfR-0000000GWy2-4A1N <= <FF>Amazon.meguminozaki@tischlermeister-luempert.de H=(localhost) [183.167.149.235] P=esmtp S=9416 id=1461312104.1131284.1740804083757@localhost T="\343\200\214\351\207\215\350\246\201\343\201\252\343\201\212\347\237\245\343\202\211\343\201\233\357\274\232\343\202\242\343\202\253\343\202\246\343\203\263\343\203\210\345\206\215\350\252\215\350\250\274\343\201\256\343\201\212\351\241\230\343\201\204\343\200\215" from <<FF>Amazon.meguminozaki@tischlermeister-luempert.de> for ian@iankelling.org
-# 2025-02-28 23:41:41 [3940022] 1toEfR-0000000GWy2-4A1N ** ian@iankelling.org F=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> P=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> R=local_user T=dovecot_lmtp: LMTP error after MAIL FROM:<\377Amazon.meguminozaki@tischlermeister-luempert.de>: 500 5.5.2 Invalid command syntax DT=0s
-# There was nothing useful in /var/log/mail.log.
-#
-# I was going to fix by transitioning to exim mailfilter, but I think I
-# found an acl that will work and is less work for now.
-# I was initially testing exim mail filter with:
-# exim -f vojdedIdNejyebni@b8.nz -bf /m/exim-filter </m/4e/Sent/cur/1739266450.de3db24c7af81d7a.frodo:2,S
-# I would need to put exim-filter into a git repo, perhaps put it into /m with conflink.
-#
-# I would also need to setup a way to do an offline refile, I think I could do it with some exim command line flags.
-#
# todo: this message seems to get dropped on the floor, it was due to a missing 2nd colon in
# condition = ${if def:h_fdate:}
# note: most of these are duplicated in spamassassin config
hostlist iank_trusted = <; \
-# veth0
-10.173.8.1 ; \
+# veth0/1-mail
+10.173.8.1 ; 10.173.8.2 ; \
# li li_ip6
72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \
# li_vpn_net li_vpn_net_ip6s
# message is "Unknown user".
local_user:
debug_print = "R: local_user for $local_part@$domain"
- driver = accept
+ #driver = accept # for lmtp via unix socket.
+
domains = +local_domains
# ian: default file except where mentioned.
# ian: commented this. I get all local parts. for bk, an rcpt
# ian: added for + addressing.
local_part_suffix = +*
local_part_suffix_optional
+ # these 3 for lmtp via tcp socket. (last one is host conditional)
+ driver = manualroute
+ self = send
EOF
u /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
- driver = lmtp
- socket = /var/run/dovecot/lmtp
- #maximum number of deliveries per batch, default 1
- batch_max = 200
+ driver = smtp
+ protocol = lmtp
+ # Set port appropriate to your setup.
+ port = 24
envelope_to_add
+ hosts_avoid_tls = *
+ message_linelength_limit = 2097152
+
+## unix socket version of lmtp. see notes elsewhere.
+# dovecot_lmtp:
+# driver = lmtp
+# socket = /var/run/dovecot/lmtp
+# #maximum number of deliveries per batch, default 1
+# batch_max = 200
+# envelope_to_add
EOF
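Review bot: `hosts_avoid_tls = *` in the new dovecot_lmtp transport disables TLS for every LMTP delivery, and nothing in the transport says why that is acceptable; the justification (the route only ever targets the veth/loopback side of dovecot) lives in a different file. I would put it next to the option: `# no TLS on purpose: route_list only names the local veth/loopback address of dovecot, never a network peer`. Also, if I remember Exim's semantics correctly, a `host::port` in a manualroute route_list overrides this `port = 24`, so the comment at L51 could say that the transport port is only the fallback used when the router gives none (the bk route in this commit relies on it, the MAIL_HOST route does not). The `u` heredoc that writes this file starts at L43; the function enclosing it is outside the hunk.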
# iank: incomplete switch to exim mail filters
EOF
{
- if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- # begin dovecot settings
- cat <<'EOF'
-listen = 127.0.0.1, ::1, 10.8.0.4
-
-info_log_path = /dev/null
-
-ssl_cert = </etc/exim4/fullchain.pem
-ssl_key = </etc/exim4/privkey.pem
-EOF
- else
- # We have a lets encrypt hooks that puts things here.
- # This is just for bk, which uses the vpn cert in exim
- # for sending mail, but the local hostname cert for
- # dovecot.
- cat <<'EOF'
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-EOF
- fi
-
cat <<'EOF'
# https://ssl-config.mozilla.org
ssl = required
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = no
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
-# default is just $mail_plugins
- mail_plugins = $mail_plugins sieve
-}
# /etc/dovecot/conf.d/10-master.conf says the default is 256M.
# but I started getting oom errors in the syslog
# preferable use a bit more cpu to recalculate indexes.
install -d -m 700 -o iank -g iank /var/dovecot-indexes
cat >>/etc/dovecot/local.conf <<EOF
+listen = 127.0.0.1, ::1, 10.8.0.4
+# afaik, just making normal mail and spammers create less logs.
+info_log_path = /dev/null
+
+ssl_cert = </etc/exim4/fullchain.pem
+ssl_key = </etc/exim4/privkey.pem
+
+# Default uses unix socket file. note also, it would be fine to add
+# localhost to the address option: ::1 127.0.0.1,
+# but i have nothing configured to use that, so just leaving it off.
+service lmtp {
+ inet_listener lmtp {
+ address = 10.173.8.2
+ port = 24
+ }
+}
+
# This will decrease memory use, and seems likely to decrease cpu & disk
mail_gid = iank
protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+# default is just \$mail_plugins
+ mail_plugins = \$mail_plugins sieve
+
# For a normal setup with exim, we need something like this, which
# removes the domain part
# auth_username_format = %Ln
fi
cat >>/etc/dovecot/local.conf <<EOF
+# We have a lets encrypt hooks that puts things here.
+# This is just for bk, which uses the vpn cert in exim
+# for sending mail, but the local hostname cert for
+# dovecot.
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+
+# Default uses unix socket file. note also, it would be fine to add
+# localhost to the address option: ::1 127.0.0.1,
+# but i have nothing configured to use that, so just leaving it off.
+service lmtp {
+ inet_listener lmtp {
+ address = 127.0.0.1
+ port = 24
+ }
+}
+
!include /etc/dovecot/local.conf.ext
# for debugging info, uncomment these.
protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+# default is just \$mail_plugins
+ mail_plugins = \$mail_plugins sieve
+
# This downcases the localpart. default is case sensitive.
# case sensitive local part will miss out on valid email when some person or system
# mistakenly capitalizes things.
auth_username_format = %Lu
}
+service lmtp {
+ inet_listener lmtp {
+ address =
+ port = 24
+ }
+}
+
# make 147 only listen on localhost, plan to use for nextcloud.
# copied from mailinabox
fi
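Review bot: The third `service lmtp` block (L162–L167) leaves `address =` empty, which as far as I know makes dovecot fall back to the global `listen` setting (all interfaces by default) rather than loopback, so that host would expose an unauthenticated LMTP delivery port 24 on every address unless its `listen` is restricted somewhere not shown here. The other two branches pin the address explicitly (L116, L145); I would do the same here, `address = 127.0.0.1`, or drop the listener entirely if no exim router on that host delivers over TCP (only MAIL_HOST and bk get a `route_list` in this commit). Either way a one-line comment stating who is expected to reach port 24 would help the next reader. The branch structure that selects these heredocs starts above the hunk.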
# ** exim: main daemon use non-default config file
+run_as_nonroot=true
+
case $HOSTNAME in
bk|$MAIL_HOST)
# to see the default comments in /etc/default/exim4:
E4BCD_WATCH_PANICLOG='no'
EOF
- ## temporarily running as root. undo nonroot modifications
- ## note: nonroot also exists in
- ## /b/ds/filesystem/usr/local/bin/mailbindwatchdog
+ # for debugging/testing, sometimes I need debian to run as root, so
+ # made it conditional here.
+ # note: nonroot settings also exists in
+ # /b/ds/filesystem/usr/local/bin/mailbindwatchdog
- owners=$(stat -c %U:%G /usr/sbin/exim4)
- if [[ $owners != root:root ]]; then
- m chown root:root /usr/sbin/exim4
- # chown clears setuid
- m chmod 4755 /usr/sbin/exim4
- fi
- m chmod g-s /usr/sbin/exim4
- caps=$(getcap /usr/sbin/exim4)
- if [[ $caps ]]; then
- # this returns an error if it has no capabilities.
- m setcap -r /usr/sbin/exim4
- fi
+ if $run_as_nonroot; then
+ owners=$(stat -c %U:%G /usr/sbin/exim4)
+ if [[ $owners != Debian-exim:Debian-exim ]]; then
+ # make exim be a nonroot setuid program.
+ m chown Debian-exim:Debian-exim /usr/sbin/exim4
+ fi
+ # needs guid set in order to become Debian-exim
+ m chmod g+s,u+s /usr/sbin/exim4
+ # need this to avoid error on service reload:
+ # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
+ # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
+ # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
+ # note: the daemon gives up and dies after retrying those 9 times.
+ # I came upon this by guessing and trial and error.
+ # set capability
+ caps=$(getcap /usr/sbin/exim4)
+ if [[ ! $caps ]]; then
+ m setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+ fi
- # # make exim be a nonroot setuid program.
- # chown Debian-exim:Debian-exim /usr/sbin/exim4
- # # needs guid set in order to become Debian-exim
- # chmod g+s,u+s /usr/sbin/exim4
+ else
- # # need this to avoid error on service reload:
- # # pid 892491: SIGHUP received: re-exec daemon
- # # cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
- # # socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
- # # note: the daemon gives up and dies after retrying those 9 times.
- # # I came upon this by guessing and trial and error.
+ ## undo nonroot modifications
- # setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+ owners=$(stat -c %U:%G /usr/sbin/exim4)
+ if [[ $owners != root:root ]]; then
+ m chown root:root /usr/sbin/exim4
+ ## note: chown clears setuid
+ m chmod 4755 /usr/sbin/exim4
+ fi
+ m chmod g-s /usr/sbin/exim4
+ caps=$(getcap /usr/sbin/exim4)
+ if [[ $caps ]]; then
+ # this returns an error if it has no capabilities.
+ m setcap -r /usr/sbin/exim4
+ fi
+ fi
u /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/nn-mainlog.conf
u /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
-# disabled due to running as root.
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
+$(if $run_as_nonroot; then e AmbientCapabilities=CAP_NET_BIND_SERVICE; fi)
# https://www.redhat.com/sysadmin/mastering-systemd
# things that seem good and reasonabl.e
#ProtectDevices=yes
EOF
- # temp: running as root
- echo | u /etc/exim4/conf.d/main/000_local-noroot
- # u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
- # # see 56.2 Root privilege in exim spec
- # deliver_drop_privilege = true
- # EOF
- #
- files=(
- 300_exim4-config_real_local
- 600_exim4-config_userforward
- 700_exim4-config_procmail
- 800_exim4-config_maildrop
- mmm_mail4root
- )
- for f in ${files[@]}; do
- echo "# iank: removed due to running nonroot"|u /etc/exim4/conf.d/router/$f
- done
+ if $run_as_nonroot; then
+ u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
+ # see 56.2 Root privilege in exim spec
+ deliver_drop_privilege = true
+EOF
+ files=(
+ 300_exim4-config_real_local
+ 600_exim4-config_userforward
+ 700_exim4-config_procmail
+ 800_exim4-config_maildrop
+ mmm_mail4root
+ )
+ for f in ${files[@]}; do
+ echo "# iank: removed due to running nonroot"|u /etc/exim4/conf.d/router/$f
+ done
+ else
+ echo | u /etc/exim4/conf.d/main/000_local-noroot
+ fi
;;
esac
# ** $MAIL_HOST)
$MAIL_HOST)
+ cat >>/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+# note: in my debug testing, byname option makes no diff,
+# it seems byname gets used either way.
+ route_list = * 10.173.8.2::24
+EOF
+
+
if [[ ! -e /etc/exim4/no-delay-eximids ]]; then
install -o iank -g iank <(echo) /etc/exim4/no-delay-eximids
fi
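Review bot: `if $run_as_nonroot; then` (L199, L251, L273) executes the variable's value as a command, so a typo such as `tru` is "command not found", evaluates false, and silently takes the else branch that reinstalls a setuid-root exim (L233–L235) instead of failing. I would validate once after the assignment at L173, `[[ $run_as_nonroot == true || $run_as_nonroot == false ]] || { echo "run_as_nonroot must be true or false" >&2; exit 1; }`, and test with `[[ $run_as_nonroot == true ]]` at the three sites. Second, the true branch blanks the five router files (L278–L287) but the else branch only empties 000_local-noroot (L289), so flipping the flag back to false leaves those routers disabled unless something outside this script reinstalls them; if that is intended, say so in a comment at L289, otherwise restore them there. Minor: the comment at L205 says `guid` where setgid is meant.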
*.posteo.de
EOF
- # cron email from smarthost hosts will automatically be to
- # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
- # case that doesn't work, we still want to accept that mail, but not
- # from any host except the smarthosts. local_hostnames and this rule
- # is for that purpose.
u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+
+## I thought up the following acl to deal with this lmtp 500 error. However,
+# exim doesn't support a callout except over smtp. So, i switched dovecot's
+# lmto to use tcp, and then lmtp in exim is set to use smtp. But, that actually
+# fixed the 500 error. So, whatever, but I'm still leaving this here
+# just so that if dovecot does reject any mail, we won't have a backscatter
+# problem. I was initially going to fix by transitioning to using exim mailfilter
+# instead of dovecot's sieve, and then have exim just deliver to the maildir
+# without using dovecot at all, but I figured this would be easier.
+# I would also need to setup a way to do an offline refile, I think I
+# could do it with some exim command line flags. I wrote some initial config
+# changes to enable that, including disabling extra exim security.
+# TODO: reenable that.
+
+# I tested this acl with the following script:
+# while read -r line; do
+# echo "$line"
+# sleep 2
+# done <<'EOF'| exim -d+all -bhc 177.185.43.158
+# helo localhost
+# mail from:<ÿMatsu.cha1971@skmsm.com>
+# rcpt to:<ian@iankelling.org>
+# data
+# From: Matsu.cha1971@skmsm.com
+# To: ian@iankelling.org
+# Subject: Testing Exim
+
+# This is a test message.
+# .
+# quit
+# EOF
+
+# 2025-07-23 02:11:52 [514980] 1ueShh-000000029y8-15RA <= ÿMatsu.cha1971@skmsm.com H=(vm253) [177.185.43.158] P=esmtp S=11805 id=1039013636.43627.1753251091676@vm253 T="\343\200\214\346\235\276\344\272\225\350\250\274\345\210\270\357\274\232\343\202\273\343\202\255\343\203\245\343\203\252\343\203\206\343\202\243\343\202\242\343\203\203\343\203\227\343\202\260\343\203\254\343\203\274\343\203\211\343\201\253\351\226\242\343\201\231\343\202\213\343\201\224\346\241\210\345\206\205\343\200\215" from <ÿMatsu.cha1971@skmsm.com> for ian@iankelling.org
+# 2025-07-23 02:11:52 [516231] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -C /etc/exim4/nn-mainlog.conf -Mc 1ueShh-000000029y8-15RA
+# 2025-07-23 02:11:52 [516231] 1ueShh-000000029y8-15RA ** ian@iankelling.org F=<ÿMatsu.cha1971@skmsm.com> P=<ÿMatsu.cha1971@skmsm.com> R=local_user T=dovecot_lmtp: LMTP error after MAIL FROM:<\377Matsu.cha1971@skmsm.com>: 500 5.5.2 Invalid command syntax DT=0s
+# 2025-07-23 02:11:52 [516244] 1ueShh-000000029y8-15RA no IP address found for host REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA SIGSEGV (fault address: (nil))
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA SEGV_MAPERR
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA SIGSEGV (null pointer indirection)
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA SIGSEGV (516231 delivering 1ueShh-000000029y8-15RA
+# )
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA backtrace
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA ---
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x5a9b2) [0x556f5a0699b2]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x5ab74) [0x556f5a069b74]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /lib/x86_64-linux-gnu/libc.so.6(+0x45330) [0x712c65e45330]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /lib/x86_64-linux-gnu/libc.so.6(+0x18b75d) [0x712c65f8b75d]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0xc9725) [0x556f5a0d8725]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x4da90) [0x556f5a05ca90]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x4e6aa) [0x556f5a05d6aa]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x4f364) [0x556f5a05e364]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x4f9a9) [0x556f5a05e9a9]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x4fdaa) [0x556f5a05edaa]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x60fb2) [0x556f5a06ffb2]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(+0x3aea6) [0x556f5a049ea6]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /lib/x86_64-linux-gnu/libc.so.6(+0x2a1ca) [0x712c65e2a1ca]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x8b) [0x712c65e2a28b]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA /usr/sbin/exim4(_start+0x25) [0x556f5a04d9d5]
+# 2025-07-23 02:11:53 [516231] 1ueShh-000000029y8-15RA ---
+
+
+
# iank: i think this will deal with the spam of mail from
# <FF>Amaz..., because it has use_sender.
deny
domains = +local_domains
!verify = recipient/callout=no_cache,use_sender
+# Cron email from smarthost hosts will automatically be to
+# USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
+# case that doesn't work, we still want to accept that mail, but not
+# from any host except the smarthosts. local_hostnames and this rule
+# is for that purpose.
deny
!authenticated = *
domains = +local_hostnames
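Review bot: The comment at L324–L325 says the experiment involved "disabling extra exim security" with a TODO to re-enable it, but never names the setting, so nobody can later tell whether the TODO is done (the run_as_nonroot / deliver_drop_privilege toggling elsewhere in this commit may be what is meant). I would name it explicitly, `# TODO: reenable <setting> in <file>` with the real values filled in. The shell transcript and full SIGSEGV backtrace (L327–L371) are pasted into the live ACL file; a two-line summary (the input that produced the 500 and the fact that delivery crashed) would carry the same information here, with the raw backtrace kept in a notes file, since the addresses mean nothing without that exact exim build. On the rule itself, the statement at L315 that callouts only work over SMTP may no longer hold now that the transport is `driver = smtp` with `protocol = lmtp` — I believe Exim performs recipient callouts over LMTP in that configuration — so the ACL at L377–L379 could be re-tested rather than kept as an assumed-dead fallback.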
## we use this host to monitor MAIL_HOST and host a mail server for someone
bk)
+ cat >>/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+ route_list = * 127.0.0.1
+EOF
+
+
# No clamav on je, it has 1.5g memory and clamav uses most of it.
#
# No clamav on MAIL_HOST because it is just a waste of useful cpu
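Review bot: The bk route at L391, `route_list = * 127.0.0.1`, gives no port and so depends on the transport's `port = 24`, while the MAIL_HOST route at L298 spells it out as `10.173.8.2::24`; with two forms, a later change to the transport port silently breaks only bk. I would write `route_list = * 127.0.0.1::24` so both routers are self-describing and the transport `port` stays a documented fallback. The `case` arm this sits in starts outside the hunk.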
fi
test_to+=", $t"
done
- case $test_from in
- testignore@expertpathologyreview.com)
- test_to=testignore@zroe.org
- ;;
- esac
+ if [[ $test_from == testignore@expertpathologyreview.com ]]; then
+ test_to=testignore@zroe.org
+ fi
cat >>/usr/local/bin/send-test-forward <<EOFOUTER
/usr/sbin/exim -odf -f $test_from -t <<EOF