# 2025-02-28 23:41:40 [3939978] 1toEfR-0000000GWy2-4A1N <= <FF>Amazon.meguminozaki@tischlermeister-luempert.de H=(localhost) [183.167.149.235] P=esmtp S=9416 id=1461312104.1131284.1740804083757@localhost T="\343\200\214\351\207\215\350\246\201\343\201\252\343\201\212\347\237\245\343\202\211\343\201\233\357\274\232\343\202\242\343\202\253\343\202\246\343\203\263\343\203\210\345\206\215\350\252\215\350\250\274\343\201\256\343\201\212\351\241\230\343\201\204\343\200\215" from <<FF>Amazon.meguminozaki@tischlermeister-luempert.de> for ian@iankelling.org
# 2025-02-28 23:41:41 [3940022] 1toEfR-0000000GWy2-4A1N ** ian@iankelling.org F=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> P=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> R=local_user T=dovecot_lmtp: LMTP error after MAIL FROM:<\377Amazon.meguminozaki@tischlermeister-luempert.de>: 500 5.5.2 Invalid command syntax DT=0s
# There was nothing useful in /var/log/mail.log.
+#
+# I was going to fix by transitioning to exim mailfilter, but I think I
+# found an acl that will work and is less work for now.
+# I was initially testing exim mail filter with:
+# exim -f vojdedIdNejyebni@b8.nz -bf /m/exim-filter </m/4e/Sent/cur/1739266450.de3db24c7af81d7a.frodo:2,S
+# I would need to put exim-filter into a git repo, perhaps put it into /m with conflink.
+#
+# I would also need to setup a way to do an offline refile, I think I could do it with some exim command line flags.
+#
# todo: this message seems to get dropped on the floor, it was due to a missing 2nd colon in
# condition = ${if def:h_fdate:}
} | u /etc/exim4/conf.d/transport/30_backup_remote
u /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+# # iank: incomplete implementation of switching to exim filters
+#
+# # copied from 600_exim4-config_userforward except where noted
+# iank_forward:
+# debug_print = "R: userforward for $local_part@$domain"
+# driver = redirect
+# domains = +local_domains
+# user = iank
+# #check_local_user
+# file = /m/exim-filter
+# #require_files = $local_part_data:$home/.forward
+# no_verify
+# no_expn
+# check_ancestor
+# allow_filter
+# forbid_smtp_code = true
+# directory_transport = address_directory
+# file_transport = iank_maildir
+# pipe_transport = address_pipe
+# reply_transport = address_reply
+# skip_syntax_errors
+# syntax_errors_to = real-$local_part@$domain
+# syntax_errors_text = \
+# This is an automatically generated message. An error has\n\
+# been found in your .forward file. Details of the error are\n\
+# reported below. While this error persists, you will receive\n\
+# a copy of this message for every message that is addressed\n\
+# to you. If your .forward file is a filter file, or if it is\n\
+# a non-filter file containing no valid forwarding addresses,\n\
+# a copy of each incoming message will be put in your normal\n\
+# mailbox. If a non-filter file contains at least one valid\n\
+# forwarding address, forwarding to the valid addresses will\n\
+# happen, and those will be the only deliveries that occur.
+
+
### router/900_exim4-config_local_user
#################################
envelope_to_add
EOF
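Review bot: The commented-out `iank_forward` router draft would, once enabled, evaluate `/m/exim-filter` under `allow_filter` and hand pipe deliveries to `address_pipe` as `user = iank`, with no `check_local_user`, no `forbid_pipe`, and nothing pinning the filter file's owner or mode, so anyone able to write that file gets command execution as iank on every inbound message. If the draft is kept for the planned switch, add `owners = iank` and a restrictive `modemask` (plus `forbid_pipe` unless the filter genuinely needs pipe deliveries) before it is uncommented; otherwise drop the dead block and keep only the one-line note at the top. Either way a comment stating that these are the preconditions for enabling it would stop a future uncomment from silently widening the attack surface.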
+# iank: incomplete switch to exim mail filters
+u /etc/exim4/conf.d/transport/30_iank_maildir <<'EOF'
+# for deliveries to files generated by filtering
+iank_maildir:
+ debug_print = "T: iank_maildir for $local_part@$domain"
+ driver = appendfile
+ maildir_format
+ create_directory
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+# if our filter is busted, we fallback here.
+iank_maildir_fallback:
+ debug_print = "T: iank_maildir for $local_part@$domain"
+ driver = appendfile
+ directory = /m/md/unsorted
+ maildir_format
+ create_directory
+ delivery_date_add
+ envelope_to_add
+ return_path_add
+
+EOF
+
{
cat <<'EOF'
# same as debians 30_exim4-config_remote_smtp, but
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
- # make exim be a nonroot setuid program.
- chown Debian-exim:Debian-exim /usr/sbin/exim4
- # needs guid set in order to become Debian-exim
- chmod g+s,u+s /usr/sbin/exim4
- # need this to avoid error on service reload:
- # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
- # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
- # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
- # note: the daemon gives up and dies after retrying those 9 times.
- # I came upon this by guessing and trial and error.
- # set capability
- setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+
+ ## temporarily running as root. undo nonroot modifications
+ ## note: nonroot also exists in
+ ## /b/ds/filesystem/usr/local/bin/mailbindwatchdog
+ chown root:root /usr/sbin/exim4
+ chmod g-s /usr/sbin/exim4
+ setcap -r /usr/sbin/exim4
+
+ # # make exim be a nonroot setuid program.
+ # chown Debian-exim:Debian-exim /usr/sbin/exim4
+ # # needs guid set in order to become Debian-exim
+ # chmod g+s,u+s /usr/sbin/exim4
+
+ # # need this to avoid error on service reload:
+ # # pid 892491: SIGHUP received: re-exec daemon
+ # # cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
+ # # socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
+ # # note: the daemon gives up and dies after retrying those 9 times.
+ # # I came upon this by guessing and trial and error.
+
+ # setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+
u /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/nn-mainlog.conf
EOF
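Review bot: `chown root:root /usr/sbin/exim4` already clears both the setuid and setgid bits on Linux (chown(2): since 2.2.13 root is treated like any other user), so after this block exim4 is root-owned but not setuid; the following `chmod g-s` is a no-op and nothing restores `u+s`, whereas the stock Debian binary is 4755 root:root. The systemd-started daemon is unaffected because it is already root, but presumably anything invoking exim4/sendmail as a non-root user (cron, local MUAs, `exim -bp`) can no longer gain the privilege it needs to write the spool or read the config. Replace the `chmod g-s` line with `chmod u+s,g-s /usr/sbin/exim4` (or `chmod 4755 /usr/sbin/exim4`). Since this reverts a deliberate privilege reduction, a dated TODO saying what was broken and what must hold before re-enabling the nonroot setup would keep the "temporarily" honest.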
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
+
# https://www.redhat.com/sysadmin/mastering-systemd
# things that seem good and reasonabl.e
PrivateTmp=yes
# when we get newer systemd
#ProtectDevices=yes
EOF
- u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
-# see 56.2 Root privilege in exim spec
-deliver_drop_privilege = true
-EOF
+
+ # temp: running as root
+ echo | u /etc/exim4/conf.d/main/000_local-noroot
+# u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
+# # see 56.2 Root privilege in exim spec
+# deliver_drop_privilege = true
+# EOF
+#
files=(
300_exim4-config_real_local
600_exim4-config_userforward
# note: some things we don't set that are here by default because they are unused.
dc_local_interfaces=''
dc_eximconfig_configtype='internet'
+# sets LOCAL_DELIVERY
dc_localdelivery='dovecot_lmtp'
EOF
cat >>/etc/exim4/conf.d/main/000_local <<EOF
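Review bot: With `deliver_drop_privilege` no longer set (`echo | u ...000_local-noroot` writes a file containing a bare newline), Exim keeps root privilege across local deliveries again, which is exactly the boundary the removed lines existed to close (exim spec 56.2); the deployed file should say so rather than be blank, e.g. `echo '# temp: running as root; deliver_drop_privilege intentionally unset (see mail-setup)' | u /etc/exim4/conf.d/main/000_local-noroot`, so anyone inspecting /etc/exim4/conf.d/main sees why it is empty. `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the [Service] section is now redundant for a root daemon but harmless; if the unit also carries a `User=` from the nonroot setup (not visible in this hunk) it needs the same review.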
# from any host except the smarthosts. local_hostnames and this rule
# is for that purpose.
u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# iank: i think this will deal with the spam of mail from
+# <FF>Amaz..., because it has use_sender.
+deny
+ message = invalid recipient
+ domains = +local_domains
+ !verify = recipient/callout=no_cache,use_sender
+
deny
!authenticated = *
domains = +local_hostnames
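Review bot: The client-facing text `invalid recipient` is misleading for the case this rule targets, because the callout fails at the LMTP MAIL FROM stage on the `\377Amazon...` sender (the 500 5.5.2 in the quoted log), not on the recipient; keep the generic reply but record the real reason with `log_message = rcpt callout failed: $acl_verify_message` under the `message` line so rejectlog shows why. Note also that `callout=no_cache` opens an LMTP connection to Dovecot for every RCPT to a local domain, and if LMTP is down the verify defers, turning every local RCPT into a 451 — if that is not intended, `callout=no_cache,use_sender,defer_ok` makes the callout fail open. A cheaper fix for this specific spam would be to reject envelope senders containing bytes outside printable ASCII in the MAIL ACL before any callout happens, though that needs care if SMTPUTF8 senders are expected.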