From: Ian Kelling <ian@iankelling.org>
Date: Sun, 19 Dec 2021 23:07:47 +0000 (-0500)
Subject: change email backups to use smtp
X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=83cb9e1b1731b6473c48189c971b55eb43888a95;p=distro-setup

change email backups to use smtp
---

diff --git a/brc2 b/brc2
index 51e2af5..4dc573b 100644
--- a/brc2
+++ b/brc2
@@ -213,29 +213,8 @@ tback() {
   sqlite3 /p/.timetrap.db "update entries set end = NULL where id = (select max(id) from entries);"
 }
 
-bum() {
-  local cur host
-  host=$1
-  (( $# == 1 )) || return 1
-  cur="$(awk '$2 == "/bu/mnt" {print $1}' /proc/mounts)"
-  if [[ $cur ]]; then
-    if [[ $cur == "$host:/bu/md" ]]; then
-      return 0
-    else
-      s fusermount -u /bu/mnt
-    fi
-  fi
-  s sshfs bu@$host:/bu/home/md /bu/mnt -o reconnect,ServerAliveInterval=20,ServerAliveCountMax=30 -o allow_other
-  ser start exim4
-}
-bu() {
-  if mountpoint -q /bu/mnt; then
-    if ! s timeout -s 9 10 fusermount -u /bu/mnt; then
-      s fusermount -zu /bu/mnt
-    fi
-  fi
-}
-
+# sshfs example:
+# s sshfs bu@$host:/bu/home/md /bu/mnt -o reconnect,ServerAliveInterval=20,ServerAliveCountMax=30 -o allow_other
 
 eqgo() {
   enn -M $(exiqgrep -i)
@@ -1040,35 +1019,31 @@ wghole() {
   local host ipsuf umask_orig
   host=$1
   ipsuf=$2
-  umask_orig=$(umask)
   mkdir -p /p/c/machine_specific/$host/filesystem/etc/{wireguard,network/interfaces.d}
   cd /p/c/machine_specific/$host/filesystem/etc/wireguard
+  umask_orig=$(umask)
   umask 0077
-  if [[ ! -e hole-priv.key || ! -e hole-pub.key ]]; then
-    wg genkey | tee hole-priv.key | wg pubkey > hole-pub.key
-  fi
+  wg genkey | tee $host-priv.key | wg pubkey > $host-pub.key
   cat >wghole.conf <<EOF
 [Interface]
 # contents hole-priv.key
 PrivateKey = $(cat hole-priv.key)
 # UDP service port
 ListenPort = 32454
+Address = 10.5.3.$ipsuf/24
+# https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
+PostUp = ping -c1 10.5.3.1
 
 [Peer]
 # li
 PublicKey = zePGl7LoS3iv6ziTI/k8BMh4L3iL3K2t9xJheMR4hQA=
 AllowedIPs = 10.5.3.0/24
 Endpoint = 72.14.176.105:32454
+PersistentKeepalive = 25
 EOF
   umask $umask_orig
-  cat > ../network/interfaces.d/wghole <<EOF
-auto wghole
-iface wghole inet static
- address 10.5.3.$ipsuf/24
- pre-up ip link add wghole type wireguard
- pre-up wg setconf wghole /etc/wireguard/wghole.conf
- post-down ip link del wghole
-EOF
+  # old approach. systemd seems to work fine and cleaner.
+  rm -f ../network/interfaces.d/wghole
   cedit -q $host /p/c/machine_specific/li/filesystem/etc/wireguard/wghole.conf <<EOF || [[ $? == 1 ]]
 [Peer]
 PublicKey = $(cat hole-pub.key)
@@ -1078,7 +1053,6 @@ EOF
 }
 
 
-
 lom() {
   local l base
   if [[ $1 == /* ]]; then
diff --git a/btrbk-run b/btrbk-run
index 6dda15f..99c980e 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -523,7 +523,9 @@ else
 fi
 
 if [[ $ret == 0 ]]; then
-  m /a/exe/mail-backup-clean
+  for tg in ${targets[@]}; do
+    ssh root@$tg /a/exe/mail-backup-clean
+  done
 fi
 
 mexit $ret
diff --git a/distro-end b/distro-end
index 4d7ff22..880c25b 100755
--- a/distro-end
+++ b/distro-end
@@ -608,6 +608,9 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende
 # Pin-Priority: 500
 # EOF
 
+if [[ -e /etc/wireguard/wghole.conf ]]; then
+  sgo wg-quick@wghole
+fi
 
 ###### begin website setup
 case $HOSTNAME in
diff --git a/le-dns-challenge b/le-dns-challenge
new file mode 100755
index 0000000..e41e472
--- /dev/null
+++ b/le-dns-challenge
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+
+f=$(mktemp)
+
+cat >$f <<EOF
+server iankelling.org
+zone b8.nz
+update add _acme-challenge.$CERTBOT_DOMAIN. 300 TXT "$CERTBOT_VALIDATION"
+show
+send
+answer
+quit
+EOF
+
+nsupdate -k /p/c/machine_specific/vps/filesystem/etc/bind/Kb8.nz.*.private <$f
+sed -i 's/^server .*/server bk.b8.nz/' $f
+nsupdate -k /p/c/machine_specific/vps/filesystem/etc/bind/Kb8.nz.*.private <$f
diff --git a/le-dns-challenge-cleanup b/le-dns-challenge-cleanup
new file mode 100755
index 0000000..d163d41
--- /dev/null
+++ b/le-dns-challenge-cleanup
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+
+f=$(mktemp)
+
+cat >$f <<EOF
+server iankelling.org
+zone b8.nz
+update delete _acme-challenge.$CERTBOT_DOMAIN. TXT
+show
+send
+answer
+quit
+EOF
+
+nsupdate -k /p/c/machine_specific/vps/filesystem/etc/bind/Kb8.nz.*.private <$f
+sed -i 's/^server .*/server bk.b8.nz/' $f
+nsupdate -k /p/c/machine_specific/vps/filesystem/etc/bind/Kb8.nz.*.private <$f
diff --git a/le-exim-deploy b/le-exim-deploy
new file mode 100755
index 0000000..de8c9cd
--- /dev/null
+++ b/le-exim-deploy
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+shopt -s extglob
+ldir=${RENEWED_LINEAGE%%+(/)}
+primary_domain=${ldir##*/}
+install -D -t /etc/exim4/certs/$primary_domain -m 0640 -g Debian-exim -o root $ldir/{privkey,fullchain}.pem
diff --git a/mail-backup-clean b/mail-backup-clean
index 79ffe9b..c45e00a 100755
--- a/mail-backup-clean
+++ b/mail-backup-clean
@@ -18,13 +18,9 @@ shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
 
-if ! mountpoint /bu/mnt &>/dev/null; then
-  exit 0
-fi
-
 cd /mnt/root/btrbk
 tmp=(o*)
 last_snap_date=${tmp[-1]#o.}
 time=$(( $(date -d $(sed -r  's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<$last_snap_date) +%s) -1 ))
 # 1 second granularity, so we could have a duplicate file, oh well, not worrying about that.
-find /bu/md /bu/mnt -type f \! -newermt @$time -delete
+find /bu/md -type f \! -newermt @$time -delete
diff --git a/mail-setup b/mail-setup
index 526c51e..82d3d37 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,6 +3,10 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+# todo: backup hosts should only allow external mail that is authed and
+# destined for backup route. it is a minor issue since traffic is
+# limited to the wghole network.
+
 # todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist
 # instead of a simple rejection like it should.
 
@@ -309,8 +313,7 @@ sre () {
 }
 sstart() {
   for service; do
-    m systemctl start $service
-    m systemctl enable $service;
+    m systemctl enable --now $service;
   done
 }
 mailhost() {
@@ -332,7 +335,7 @@ stopifactive() {
   done
 }
 
-mxhost=mail.iankelling.org
+mxhost=mx.iankelling.org
 mxport=587
 forward=$u@$mxhost
 
@@ -353,6 +356,14 @@ if [[ ! $MAIL_HOST ]]; then
   err "\$MAIL_HOST not set"
 fi
 
+bhost_t=false
+case $HOSTNAME in
+  $MAIL_HOST) : ;;
+  kd|frodo|x2|x3|kw|sy)
+    bhost_t=true
+    ;;
+esac
+
 
 # * Install universal packages
 
@@ -369,7 +380,7 @@ pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound clamav-daemon w
 
 # note: pyzor debian readme says you need to run some initialization command
 # but its outdated.
-pi spf-tools-perl p0f postgrey pyzor razor jq moreutils
+pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot
 # bad packages that sometimes get automatically installed
 pu openresolv resolvconf
 
@@ -393,45 +404,6 @@ fi
 # our nostart pi fails to avoid enabling
 
 
-# * bu setup
-
-if ! getent passwd bu; then
-  useradd -c bu -Um -s /bin/bash -d /bu/home bu
-  usermod -a -G bu $u
-  # note, no reason for /bu/mnt to be owned by bu,
-  # but its just convenient to have it here.
-  for dir in /bu/mnt /bu/home/md /bu/home/md/{cur,tmp,new}; do
-    [[ -e $dir ]] && continue
-    dirs+=($dir)
-  done
-  if (( ${#dirs[@]} )); then
-    mkdir -p "${dirs[@]}"
-    chown bu:bu  "${dirs[@]}"
-  fi
-  sed -ri '/Subsystem[[:space:]]+sftp/d' /etc/ssh/sshd_config
-
-  install -d -o bu -g bu /bu/home/.ssh
-  install -T -o bu -g bu /root/.ssh/h.pub /bu/home/.ssh/authorized_keys
-
-  i /etc/ssh/sshd_config.d/mail.conf <<'EOF'
-# for mail chroot restriction
-# https://serverfault.com/questions/660160/openssh-difference-between-internal-sftp-and-sftp-server
-Subsystem sftp internal-sftp
-Match user bu
- ChrootDirectory /bu/home
- X11Forwarding no
- AllowTcpForwarding no
- PermitTunnel no
- AllowAgentForwarding no
- ForceCommand internal-sftp
-EOF
-  if $ir; then
-    systemctl reload sshd
-  fi
-fi
-
-
-
 # * user forward file
 case $HOSTNAME in
   $MAIL_HOST)
@@ -657,6 +629,42 @@ BindPaths=$bindpaths
 
 Restart=always
 RestartSec=1
+EOF
+
+    # sooo, there are a few ways to get traffic from the mail network
+    # namespace to go over the wghole.
+    #
+    #1: unify the mail vpn and wghole
+    # into 1 network.  this seems simple and logical, but the thing is
+    # that if we ever have a network block we need to overcome, for
+    # example with a tcp 443 vpn connection, then i'd need to setup some
+    # hole hosts on that vpn too, which is kind of a pain.
+    #
+    # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
+    #
+    # 3. We can setup the routing to happen on li, which seemed like I
+    # just needed to add 10.8.0.4/24 to AllowedIPs in at least the
+    # wghole clients, but I think that is kind of hacky and breaks ipv4
+    # routing within the mailvpn, it happened to work just because exim
+    # prefers ipv6 and that was also available in the mailvpn.
+    #
+    # 4. Put the hole interface into the mail network
+    # namespace. Apparently wireguard is smart enough to get around the
+    # mailvpn default routing and establish a direct connection. That is
+    # what I'm doing here. I only use the hole vpn for randomish things,
+    # it should be fine to join the mail nn for that. If that becomes a
+    # problem, I think I'd go with option #2.
+    i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
+[Unit]
+Requires=mailvpn.service
+After=network.target mailnn.service mailvpn.service
+JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+
+[Service]
+PrivateNetwork=true
+# i dont think we need any of these, but it doesnt hurt to stay consistent
+BindPaths=$bindpaths
 EOF
 
     ;;&
@@ -770,6 +778,16 @@ OnCalendar=daily
 WantedBy=timers.target
 EOF
 
+
+wghost=${HOSTNAME}wg.b8.nz
+if $bhost_t && [[ ! -e /etc/exim4/certs/$wghost/privkey.pem ]]; then
+  certbot -n --manual-public-ip-logging-ok --eff-email --agree-tos -m letsencrypt@iankelling.org \
+          certonly --manual --preferred-challenges=dns \
+          --manual-auth-hook /a/bin/ds/le-dns-challenge \
+          --manual-cleanup-hook /a/bin/ds/le-dns-challenge-cleanup \
+          --deploy-hook /a/bin/ds/le-exim-deploy -d $wghost
+fi
+
 # * common exim4 config
 
 
@@ -846,8 +864,8 @@ EOF
 # old name
 rm -fv /etc/exim4/conf.d/retry/37_retry
 
-# Retry faster than usual for domains that I send with send-test-forward.
 cat >/etc/exim4/conf.d/retry/17_retry <<'EOF'
+# Retry faster than usual for sending to domains that I send with send-test-forward.
 iankelling.org * F,2d,15m;F,14d,2h
 amnimal.ninja * F,2d,15m;F,14d,2h
 expertpathologyreview.com * F,2d,15m;F,14d,2h
@@ -860,6 +878,9 @@ rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
 cat >/etc/exim4/conf.d/main/000_local <<EOF
 MAIN_TLS_ENABLE = true
 
+# require tls connections for all smarthosts
+REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *
+
 # debian exim config added this in 2016 or so?
 # it's part of the smtp spec, to limit lines to 998 chars
 # but a fair amount of legit mail does not adhere to it. I don't think
@@ -998,7 +1019,7 @@ local_user:
 # ian: commented this. I get all local parts. for bk, an rcpt
 # check handles checking with dovecot, and the only router
 # after this is root.
-  local_parts = ! root
+#  local_parts = ! root
   transport = LOCAL_DELIVERY
   cannot_route_message = Unknown user
 # ian: added for + addressing.
@@ -2086,20 +2107,6 @@ fi
 # ** auth
 
 case $HOSTNAME in
-  $MAIL_HOST)
-    i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-# from 30_exim4-config_examples
-plain_server:
-driver = plaintext
-public_name = PLAIN
-server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-server_set_id = $auth2
-server_prompts = :
-.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
-.endif
-EOF
-    ;;
   bk|je)
     # avoid accepting mail for invalid users
     # https://wiki.dovecot.org/LMTP/Exim
@@ -2118,7 +2125,20 @@ dovecot_plain:
 EOF
     ;;
 esac
-
+if $bhost_t; then
+  i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+fi
 
 # ** main daemon use non-default config file
 case $HOSTNAME in
@@ -2150,6 +2170,8 @@ case $HOSTNAME in
   # ** $MAIL_HOST|bk|je)
   $MAIL_HOST|bk|je)
 
+    echo|i /etc/exim4/conf.d/router/870_backup_local
+
     cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 # note: some things we don't set that are here by default because they are unused.
 dc_local_interfaces=''
@@ -2259,42 +2281,89 @@ dnslookup_vpn:
 EOF
 
 
-    i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
-# modified debian maildir transport
-backup_maildir:
-  driver = appendfile
-  directory = /bu/mnt
-  delivery_date_add
-  envelope_to_add
-  return_path_add
-  maildir_format
-  directory_mode = 0700
-  mode = 0644
-  mode_fail_narrower = false
-  # this makes it so if the directory is unmounted, messages stay in the queue
-  create_directory = false
-EOF
+    # note on backups: I used to do an automatic sshfs and restricted
+    # permissions to a specific directory on the remote server, /bu/mnt,
+    # which required using a dedicated user, but realized smtp will be
+    # more reliable and less fuss. If I ever need that again, see the
+    # history of this file, and bum in brc2.
 
     i /etc/exim4/conf.d/router/890_backup_copy <<EOF
 ### router/900_exim4-config_local_user
 #################################
 
 # todo, it would be nice to save sent email too,
-# but its not so important, they still exist in my head.
+# but its not so important, they still exist in my head
+
+backup_redir:
+driver = redirect
+domains = +local_domains
+# b is just an arbirary short string
+data = b@eximbackup.b8.nz
+# note, to test this, i could temporarily allow testignore.
+# alerts avoids potential mail loop. root is already
+# redirected earlier, so that is just being overly cautious.
+local_parts = ! root : ! testignore : ! alerts
+unseen
+
 backup_copy:
-  driver = accept
-  domains = +local_domains
-  local_parts = ! root : ! testignore
-  # uncomment this when testing, comment the above line
-  #local_parts = ! root : testignore
-  transport = backup_maildir
-  cannot_route_message = Unknown user
-  local_part_suffix = +*
-  local_part_suffix_optional
-  unseen
-  user = bu
+driver = manualroute
+domains = eximbackup.b8.nz
+transport = backup_remote
+ignore_target_hosts = ${HOSTNAME}wg.b8.nz
+# note changes here also require change in passwd.client
+route_list = * eximbackup.b8.nz
+same_domain_copy_routing = yes
+no_more
+EOF
+
+
+    i /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
+backup_remote:
+  driver = smtp
+  multi_domain
+.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.endif
+  hosts_require_auth = *
+  hosts_try_auth = *
+  return_path = alerts@iankelling.org
+  envelope_to_add
+  # manual return path because we dont want it to be the envelope sender
+  # we got not the one we are using in this smtp transport
+  headers_add = "Return-path: $sender_address"
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+  helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
 EOF
 
+
     # this avoids some error. i cant remember what. todo:
     # test it out and document why/if its needed.
     i /etc/exim4/host_local_deny_exceptions <<'EOF'
@@ -2464,6 +2533,21 @@ EOF
     echo|i /etc/exim4/conf.d/router/188_exim4-config_smarthost
     echo|i /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost
     echo|i /etc/exim4/conf.d/rcpt_local_acl
+    echo|i /etc/exim4/conf.d/router/890_backup_copy
+
+
+    if $bhost_t; then
+      cat >>/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_CERTIFICATE = /etc/exim4/certs/$wghost/fullchain.pem
+MAIN_TLS_PRIVATEKEY = /etc/exim4/certs/$wghost/privkey.pem
+# so we can maintiain the originals of the backups.
+# we wouldnt want this if we were dealing with any other
+# local deliveries, but we sent all others to the smarthost
+# which then strips the headers.
+envelope_to_remove = false
+return_path_remove = false
+EOF
+    fi
 
     # catches things like cronjob email
     i /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
@@ -2484,17 +2568,52 @@ EOF
     echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
     echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
 
-    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-# If theres like a temporary problem where mail gets sent to
+    if $bhost_t; then
+      i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
+# modified debian maildir transport
+backup_maildir:
+  driver = appendfile
+  directory = /bu/md
+  delivery_date_add
+  # note, no return path or envelope added
+  maildir_format
+  directory_mode = 0700
+  mode = 0644
+  mode_fail_narrower = false
+  user = $u
+EOF
+
+      i /etc/exim4/conf.d/router/870_backup_local <<EOF
+### router/900_exim4-config_local_user
+#################################
+
+backup_local:
+  debug_print = "R: local_user for \$local_part@\$domain"
+  driver = accept
+  domains = eximbackup.b8.nz
+  transport = backup_maildir
+EOF
+
+
+      wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
+      cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+dc_other_hostnames='eximbackup.b8.nz'
+dc_local_interfaces='127.0.0.1;::1;$wgholeip'
+EOF
+    else
+      cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# Note: If theres like a temporary problem where mail gets sent to
 # one of these hosts, if exim isnt listening, it will be a temporary error
 # instead of a permanent 5xx.
 dc_local_interfaces='127.0.0.1;::1'
+EOF
+    fi
+    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 dc_eximconfig_configtype='smarthost'
 dc_smarthost='$smarthost'
 EOF
 
     hostname -f |i /etc/mailname
-
     cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 # The manpage incorrectly states this will do header rewriting, but
 # that only happens if we have dc_hide_mailname is set.
@@ -2697,7 +2816,7 @@ MAILTO=alerts@iankelling.org
 # for now. It looks like a dns failure.
 #5-59/5 * * * *   root mailtest-check |& log-once -1 mailtest-check
 #0 * * * *   root mailtest-check slow |& log-once -1 mailtest-slow
-*/5 * * * *   root mailtest-check slow |& log-once -12 mailtest-check
+*/5 * * * *   root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
 EOF
     m sudo rsync -ahhi --chown=root:root --chmod=0755 \
       /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
diff --git a/mailtest-check b/mailtest-check
index 1332fe6..c4bc303 100755
--- a/mailtest-check
+++ b/mailtest-check
@@ -68,7 +68,9 @@ case $HOSTNAME in
   *)
     folders=(/m/md/l/testignore)
     froms=(testignore@je.b8.nz testignore@expertpathologyreview.com testignore@amnimal.ninja ian@iankelling.org z@zroe.org iank@gnu.org)
-    rsync -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new
+    if ! $int; then
+      timeout 120 rsync -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new
+    fi
     ;;
 esac
 
@@ -104,7 +106,9 @@ for folder in ${folders[@]}; do
       last_sec=$(awk '/^Subject: / {print $4}' $latest)
 
       if $slow; then
-        find $folder/new $folder/cur -type f -mmin +1080 -delete
+        if ! $int; then
+          find $folder/new $folder/cur -type f -mmin +1080 -delete
+        fi
         getspamdpid
         if [[ $spamdpid ]]; then
           if [[ $(readlink /proc/$$/ns/net) != "$(readlink /proc/$spamdpid/ns/net)" ]]; then