From: Ian Kelling <ian@iankelling.org>
Date: Tue, 11 Mar 2025 23:20:36 +0000 (-0400)
Subject: prepare for using exim mail filters, but stop short and use a new acl to deal with... 
X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=c8ef5c2e9cc492ed4af5a030bd95241353e0761b;p=distro-setup

prepare for using exim mail filters, but stop short and use a new acl to deal with spammer
---

diff --git a/filesystem/usr/local/bin/mailbindwatchdog b/filesystem/usr/local/bin/mailbindwatchdog
index 3ad297a..aededd1 100755
--- a/filesystem/usr/local/bin/mailbindwatchdog
+++ b/filesystem/usr/local/bin/mailbindwatchdog
@@ -55,11 +55,15 @@ while true; do
   done
 
   # settings that go away when exim gets upgraded. obviously the best way to do this would be to modify the exim package itself, but this is easier
-  caps=$(getcap /usr/sbin/exim4)
-  if [[ ! $caps ]]; then
-    echo "$0: setting capabilities, user and setuid/gid on /usr/sbin/exim4"
-    chown Debian-exim:Debian-exim /usr/sbin/exim4
-    chmod g+s,u+s /usr/sbin/exim4
-    setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
-  fi
+
+  ## temporarily running as root
+  # caps=$(getcap /usr/sbin/exim4)
+  # if [[ ! $caps ]]; then
+  #   echo "$0: setting capabilities, user and setuid/gid on /usr/sbin/exim4"
+  #   chown Debian-exim:Debian-exim /usr/sbin/exim4
+  #   chmod g+s,u+s /usr/sbin/exim4
+  #   setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+  # fi
+
+
 done
diff --git a/mail-setup b/mail-setup
index 6d48cb4..dc8d6c2 100755
--- a/mail-setup
+++ b/mail-setup
@@ -70,6 +70,15 @@
 # 2025-02-28 23:41:40 [3939978] 1toEfR-0000000GWy2-4A1N <= <FF>Amazon.meguminozaki@tischlermeister-luempert.de H=(localhost) [183.167.149.235] P=esmtp S=9416 id=1461312104.1131284.1740804083757@localhost T="\343\200\214\351\207\215\350\246\201\343\201\252\343\201\212\347\237\245\343\202\211\343\201\233\357\274\232\343\202\242\343\202\253\343\202\246\343\203\263\343\203\210\345\206\215\350\252\215\350\250\274\343\201\256\343\201\212\351\241\230\343\201\204\343\200\215" from <<FF>Amazon.meguminozaki@tischlermeister-luempert.de> for ian@iankelling.org
 # 2025-02-28 23:41:41 [3940022] 1toEfR-0000000GWy2-4A1N ** ian@iankelling.org F=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> P=<<FF>Amazon.meguminozaki@tischlermeister-luempert.de> R=local_user T=dovecot_lmtp: LMTP error after MAIL FROM:<\377Amazon.meguminozaki@tischlermeister-luempert.de>: 500 5.5.2 Invalid command syntax DT=0s
 # There was nothing useful in /var/log/mail.log.
+#
+# I was going to fix by transitioning to exim mailfilter, but I think I
+# found an acl that will work and is less work for now.
+# I was initially testing exim mail filter with:
+# exim -f vojdedIdNejyebni@b8.nz -bf /m/exim-filter </m/4e/Sent/cur/1739266450.de3db24c7af81d7a.frodo:2,S
+# I would need to put exim-filter into a git repo, perhaps put it into /m with conflink.
+#
+# I would also need to setup a way to do an offline refile, I think I could do it with some exim command line flags.
+#
 
 # todo: this message seems to get dropped on the floor, it was due to a missing 2nd colon in
 #  condition = ${if def:h_fdate:}
@@ -1928,6 +1937,41 @@ EOF
 } | u /etc/exim4/conf.d/transport/30_backup_remote
 
 u /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+# # iank: incomplete implementation of switching to exim filters
+#
+# # copied from 600_exim4-config_userforward except where noted
+# iank_forward:
+#   debug_print = "R: userforward for $local_part@$domain"
+#   driver = redirect
+#   domains = +local_domains
+#   user = iank
+#   #check_local_user
+#   file = /m/exim-filter
+#   #require_files = $local_part_data:$home/.forward
+#   no_verify
+#   no_expn
+#   check_ancestor
+#   allow_filter
+#   forbid_smtp_code = true
+#   directory_transport = address_directory
+#   file_transport = iank_maildir
+#   pipe_transport = address_pipe
+#   reply_transport = address_reply
+#   skip_syntax_errors
+#   syntax_errors_to = real-$local_part@$domain
+#   syntax_errors_text = \
+#     This is an automatically generated message. An error has\n\
+#     been found in your .forward file. Details of the error are\n\
+#     reported below. While this error persists, you will receive\n\
+#     a copy of this message for every message that is addressed\n\
+#     to you. If your .forward file is a filter file, or if it is\n\
+#     a non-filter file containing no valid forwarding addresses,\n\
+#     a copy of each incoming message will be put in your normal\n\
+#     mailbox. If a non-filter file contains at least one valid\n\
+#     forwarding address, forwarding to the valid addresses will\n\
+#     happen, and those will be the only deliveries that occur.
+
+
 ### router/900_exim4-config_local_user
 #################################
 
@@ -1957,6 +2001,31 @@ dovecot_lmtp:
   envelope_to_add
 EOF
 
+# iank: incomplete switch to exim mail filters
+u /etc/exim4/conf.d/transport/30_iank_maildir <<'EOF'
+# for deliveries to files generated by filtering
+iank_maildir:
+  debug_print = "T: iank_maildir for $local_part@$domain"
+  driver = appendfile
+  maildir_format
+  create_directory
+  delivery_date_add
+  envelope_to_add
+  return_path_add
+
+# if our filter is busted, we fallback here.
+iank_maildir_fallback:
+  debug_print = "T: iank_maildir for $local_part@$domain"
+  driver = appendfile
+  directory = /m/md/unsorted
+  maildir_format
+  create_directory
+  delivery_date_add
+  envelope_to_add
+  return_path_add
+
+EOF
+
 {
   cat <<'EOF'
 # same as debians 30_exim4-config_remote_smtp, but
@@ -3266,18 +3335,28 @@ EXIMSERVICE='-bdf -q10m -C /etc/exim4/nn-mainlog.conf'
 # i use epanic-clean for alerting if there are bad paniclog entries
 E4BCD_WATCH_PANICLOG='no'
 EOF
-    # make exim be a nonroot setuid program.
-    chown Debian-exim:Debian-exim /usr/sbin/exim4
-    # needs guid set in order to become Debian-exim
-    chmod g+s,u+s /usr/sbin/exim4
-    # need this to avoid error on service reload:
-    # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
-    # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
-    # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
-    # note: the daemon gives up and dies after retrying those 9 times.
-    # I came upon this by guessing and trial and error.
-	# set capability
-    setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+
+    ## temporarily running as root. undo nonroot modifications
+    ## note: nonroot also exists in
+    ## /b/ds/filesystem/usr/local/bin/mailbindwatchdog
+    chown root:root /usr/sbin/exim4
+    chmod g-s /usr/sbin/exim4
+    setcap -r /usr/sbin/exim4
+
+    # # make exim be a nonroot setuid program.
+    # chown Debian-exim:Debian-exim /usr/sbin/exim4
+    # # needs guid set in order to become Debian-exim
+    # chmod g+s,u+s /usr/sbin/exim4
+
+    # # need this to avoid error on service reload:
+    # # pid 892491: SIGHUP received: re-exec daemon
+    # # cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/nn-mainlog.conf
+    # #  socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
+    # # note: the daemon gives up and dies after retrying those 9 times.
+    # # I came upon this by guessing and trial and error.
+
+    # setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
+
     u /etc/exim4/trusted_configs <<'EOF'
 /etc/exim4/nn-mainlog.conf
 EOF
@@ -3309,6 +3388,7 @@ case $HOSTNAME in
 [Service]
 # see 56.2 Root privilege in exim spec
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+
 # https://www.redhat.com/sysadmin/mastering-systemd
 # things that seem good and reasonabl.e
 PrivateTmp=yes
@@ -3326,10 +3406,14 @@ ProtectSystem=yes
 # when we get newer systemd
 #ProtectDevices=yes
 EOF
-    u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
-# see 56.2 Root privilege in exim spec
-deliver_drop_privilege = true
-EOF
+
+    # temp: running as root
+    echo | u /etc/exim4/conf.d/main/000_local-noroot
+#     u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
+# # see 56.2 Root privilege in exim spec
+# deliver_drop_privilege = true
+# EOF
+#
     files=(
       300_exim4-config_real_local
       600_exim4-config_userforward
@@ -3354,6 +3438,7 @@ case $HOSTNAME in
 # note: some things we don't set that are here by default because they are unused.
 dc_local_interfaces=''
 dc_eximconfig_configtype='internet'
+# sets LOCAL_DELIVERY
 dc_localdelivery='dovecot_lmtp'
 EOF
     cat >>/etc/exim4/conf.d/main/000_local <<EOF
@@ -3548,6 +3633,13 @@ EOF
     # from any host except the smarthosts. local_hostnames and this rule
     # is for that purpose.
     u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# iank: i think this will deal with the spam of mail from
+# <FF>Amaz..., because it has use_sender.
+deny
+  message = invalid recipient
+  domains = +local_domains
+  !verify = recipient/callout=no_cache,use_sender
+
 deny
   !authenticated = *
   domains = +local_hostnames