From 2290a83fe3b24e2ffcfa8993de88e39050ecc630 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 7 Nov 2020 06:51:44 -0500 Subject: [PATCH] various fixes --- distro-begin | 7 +++++++ distro-end | 4 ++-- mail-setup | 13 ++++++++++--- vpn-mail-forward | 48 ++++++++++++++++++++++++++++++------------------ 4 files changed, 49 insertions(+), 23 deletions(-) diff --git a/distro-begin b/distro-begin index 1546647..df11e93 100755 --- a/distro-begin +++ b/distro-begin @@ -292,6 +292,13 @@ if [[ ! -L /etc/nsswitch.conf ]]; then sudo mv /etc/nsswitch.conf /etc/nsswitch sudo ln -sf /etc/nsswitch/nsswitch.conf /etc fi + +f=/etc/apparmor.d/abstractions/nameservice +if ! grep -q /etc/nsswitch/nsswitch.conf $f; then + sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f + m ser reload apparmor +fi + pi libnss-resolve # default is # files mdns4_minimal [NOTFOUND=return] dns myhostname diff --git a/distro-end b/distro-end index 0053171..d917b58 100755 --- a/distro-end +++ b/distro-end @@ -519,7 +519,7 @@ ifconfig-push 10.8.0.5 255.255.255.0 ifconfig-ipv6-push 2600:3c00:e000:280::3/64 EOF - sudo dd of=/etc/systemd/system/vpnmail.service <<'EOF' + sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF' [Unit] Description=Turns on iptables mail nat BindsTo=openvpn-server@mail.service @@ -533,7 +533,7 @@ ExecStop=/a/bin/distro-setup/vpn-mail-forward stop RequiredBy=openvpn-server@mail.service EOF ser daemon-reload - sgo vpnmail.service + sgo vpn-mail-forward.service # needed for li's local mail delivery. tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org" sgo openvpn-server@mail diff --git a/mail-setup b/mail-setup index ea9e82d..b8377ed 100755 --- a/mail-setup +++ b/mail-setup @@ -339,6 +339,7 @@ pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyz # note: pyzor debian readme says you need to run some initialization command # but its outdated. +m usermod -a -G Debian-exim clamav soff openvpn 
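Review bot: The apparmor block in distro-begin runs `sudo sed -i` on `$f` whenever the grep misses, which includes the case where `/etc/apparmor.d/abstractions/nameservice` does not exist (apparmor not installed); if the script runs under `set -e` (not visible in this hunk) that failing sed aborts the whole run, so guard it with `if [[ -e $f ]] && ! grep -qF /etc/nsswitch/nsswitch.conf "$f"; then`. Both the grep pattern and the sed address are regexes in which `.` matches any character, so `-F` expresses the intended fixed-string check, and the sed `a` command appends after every line matching `/etc/nsswitch.conf`, so a file with more than one such line gets the read rule several times. The change itself is a minimal, read-only widening of the abstraction that presumably keeps profiles including nameservice working after the symlink move, which deserves a why-comment above the block: `# nsswitch.conf now lives under /etc/nsswitch; let profiles using the nameservice abstraction read the new path`.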
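Review bot: `m usermod -a -G Debian-exim clamav` in the mail-setup hunk changes a supplementary group that an already-running clamav daemon only acquires on restart, so on a host where clamav is up before this line runs the grant is not effective until the service restarts; unless a later step guarantees that, add `m ser restart clamav-daemon` after it (the unit name is my assumption, not visible here). Because group membership is a privilege decision, a one-line why-comment belongs next to it, e.g. `# let clamav read exim's spool (group Debian-exim) when scanning messages`, assuming that is the reason. The collapsed diff appears to have dropped blank context lines around this hunk, so its exact extent is uncertain.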
@@ -814,12 +815,15 @@ warn deny -# defer_ok = accept messages even if there is a problem with clamav. -# clamav regularly has fails, we havent had a reported problem with mail -# not getting through, but this seems better. malware = */defer_ok + !condition = ${if match {$malware_name}{\N^Heuristic\N}} message = This message was detected as possible malware ($malware_name). +warn + condition = ${if def:malware_name} + remove_header = Subject: + add_header = Subject: [Clamav warning: $malware_name] $h_subject + log_message = heuristic malware warning: $malware_name #accept # spf = pass:fail:softfail:none:neutral:permerror:temperror @@ -2120,6 +2124,9 @@ esac # * mail monitoring / testing +# note, to test clamav, send an email with body that only contains +# https://en.wikipedia.org/wiki/EICAR_test_file +# which set malware_name to Eicar-Signature case $HOSTNAME in $MAIL_HOST|bk|je) # note: cronjob "ian" also does some important monitoring diff --git a/vpn-mail-forward b/vpn-mail-forward index 7965263..54e0139 100755 --- a/vpn-mail-forward +++ b/vpn-mail-forward 
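Review bot: The three-line comment explaining why `malware = */defer_ok` accepts mail when clamav is unavailable is deleted without a replacement, so the next reader no longer sees that this fail-open is deliberate; keep a shortened form such as `# defer_ok: accept mail when clamav itself fails; clamav outages are common and losing mail is worse`. The new `warn` fires on any defined `$malware_name`, but because the preceding `deny` now rejects every name not matching `^Heuristic`, only heuristic detections actually reach it, which is worth stating above the `warn` (`# only heuristic detections get here; real malware was denied above`). Putting `$malware_name` into the rewritten Subject is acceptable since it is clamav's signature name rather than message content, and `log_message` gives the detection an audit trail; the rest of this ACL and the second hunk's surrounding `case` lie outside what the hunks show.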
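Review bot: The new testing note says EICAR sets `malware_name` to `Eicar-Signature`; that name does not start with `Heuristic`, so under the ACL changed earlier in this commit such a message is rejected by the `deny` and never reaches the new Subject-rewrite `warn`, and the comment should say which path the test exercises, e.g. `# which sets malware_name to Eicar-Signature and exercises the deny, not the heuristic warn`. Also `which set` should read `which sets`.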
@@ -3,27 +3,39 @@ set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR m() { printf "%s\n" "$*"; "$@"; } -gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') +found=false +# wait up to 10 seconds for the gateway to appear +for i in in {1..10}; do + gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p') + if [[ $gw ]]; then + found=true + fi + sleep 1 +done +if ! $found; then + echo $0: error: couldnt find gateway interface in 10 seconds >&2 + exit 1 +fi do-forward() { - cmd=$1; shift - for port; do - m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port - # we could leave these on all the time but its convenient to do it here - done - m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT - m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT + cmd=$1; shift + for port; do + m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port + done + # we could leave these on all the time but its convenient to do it here + m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT + m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT } ports=(25 143 587) case $1 in - start) - do-forward -A ${ports[@]} - ;; - stop) - do-forward -D ${ports[@]} - ;; - *) - echo "$0: error: expected 1 argument of start or stop" - exit 1 - ;; + start) + do-forward -A ${ports[@]} + ;; + stop) + do-forward -D ${ports[@]} + ;; + *) + echo "$0: error: expected 1 argument of start or stop" + exit 1 + ;; esac -- 2.30.2
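Review bot: The gateway wait loop never leaves once `gw` is found, so `start` always sleeps the full interval before any rule is installed, and `for i in in {1..10}` also iterates over the stray literal `in`, giving eleven passes; add a `break` after `found=true` and drop the extra `in`. Without the break, `found` can be true while `gw` holds the value of the last pass, and if the default route vanished in between the unquoted `-i $gw` expands to nothing, so do-forward silently installs DNAT and FORWARD rules that are not bound to any interface — the early exit removes that window, and quoting `"$gw"` makes the failure loud instead. If more than one default route exists the sed prints several lines and `$gw` word-splits into multiple arguments; `| head -n1` or a `[[ $gw == *$'\n'* ]]` check would make that explicit. Separately, the re-indented `-i $gw -o tun+ -j ACCEPT` FORWARD rule accepts any forwarded traffic from the gateway interface into the tunnels, not only the DNATed mail ports; unless something upstream restricts it, `-m conntrack --ctstate DNAT,RELATED,ESTABLISHED` would limit it to the forwarded flows.
```shell
found=false
# wait up to 10 seconds for the gateway to appear
for _ in {1..10}; do
  gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
  if [[ $gw ]]; then
    found=true
    break
  fi
  sleep 1
done
# … unchanged: not-found error exit, do-forward, ports, case …
```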