# todo: move mail stuff in distro-end into this file
+# todo: consider how to get clamav out of Debian-exim group
+# so it cant read/write the whole mail spool, for better
+# security.
+
# todo: fix ipv6 addr for li
# todo: create a cronjob to update or warn on expiring dnssec keys
-# todo: turn on dnssec validation for dns resolution.
-# use unbound on server so we have a unique ip for
-# dnsbl servers.
-
# todo: we should test failed mail daily or so
# failed cronjob, failed sysd-log-once,
# a local bounce from a cronjob, a local bounce
EOF
fi
+pi spf-tools-perl p0f postgrey pyzor razor jq moreutils clamav-daemon
# light version of exim does not have sasl auth support.
-pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor jq moreutils clamav-daemon
+pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound
# note: pyzor debian readme says you need to run some initialization command
# but its outdated.
WantedBy=multi-user.target
EOF
-i /etc/nn-resolv/stub-resolv.conf <<<"nameserver 8.8.8.8"
-m chattr +i /etc/nn-resolv/stub-resolv.conf
-
+# We use a local unbound because systemd-resolved wont accept our
+# request, it will only listen to 127.0.0.53 in the main network
+# namespace, and rejected feature requests to change that (although I
+# could change the code and recompile), but anyways, that could answer
+# with things specific to the lan that aren't applicable in this
+# namespace, and since unbound is a recursive resolver, it means we just
+# use our own ip against dnsbl rate limits.
+#
+# If we ever notice this change, chattr +i on it
+i /etc/nn-resolv/stub-resolv.conf <<'EOF'
+nameserver 127.0.0.1
+options edns0
+EOF
+
+# this is just a bug fix for trisquel.
+f=/etc/apparmor.d/usr.sbin.unbound
+line="/usr/sbin/unbound flags=(attach_disconnected) {"
+if ! grep -qFx "$line" $f; then
+ badline="/usr/sbin/unbound {"
+ if ! grep -qFx "$badline" $f; then
+ err expected line in $f not found
+ fi
+ sed -i "s,^$badline$,$line," $f
+ m ser reload apparmor
+fi
-nn_progs=(exim4)
+nn_progs=(exim4 unbound)
if mailhost; then
# Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
nn_progs+=(spamassassin dovecot)
case $HOSTNAME in
$MAIL_HOST|bk)
- # If mailvpn has changes, id rather manually restart it, id rather
- # not restart and lose connectivity.
- sstart mailnn mailvpn
+ sstart mailnn
+ if $reload; then
+ sre mailvpn unbound
+ else
+ # If these have changes, id rather manually restart it, id rather
+ # not restart and lose connectivity
+ sstart mailvpn unbound
+ fi
;;&
$MAIL_HOST|bk|je)
# start spamassassin/dovecot before exim.
- sre dovecot spamassassin
+ sre dovecot spamassassin clamav-daemon
sstart mailclean.timer
;;&
$MAIL_HOST)
;;&
$MAIL_HOST)
test_froms=(ian@iankelling.org z@zroe.org)
- test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz"
+ test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja"
cat >>/etc/cron.d/mailtest <<EOF
2 * * * * $u check-remote-mailqs |& log-once check-remote-mailqs
EOF
;;&
bk)
- test_froms=(testignore@expertpathologyreview.com ziva@amnimal.ninja)
- test_to="testignore@iankelling.org, testignore@je.b8.nz"
+ test_froms=(testignore@expertpathologyreview.com testignore@amnimal.ninja)
+ test_to="testignore@iankelling.org, testignore@zroe.org, testignore@je.b8.nz"
;;&
je)
test_froms=(testignore@je.b8.nz)
- test_to="testignore@iankelling.org, testignore@expertpathologyreview.com"
+ test_to="testignore@iankelling.org, testignore@zroe.org, testignore@expertpathologyreview.com, testignore@amnimal.ninja"
;;&
$MAIL_HOST|bk|je)
echo '#!/bin/bash' >/usr/local/bin/send-test-forward
iankelling.org / git / distro-setup / commitdiff