From 2d40608dc83d3ee2c302b96997a0dbc124846b38 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Mon, 2 Nov 2020 23:38:47 -0500
Subject: [PATCH] minor mail improvements
---
 brc2 | 65 ++++++++++++++-----
 .../vps/filesystem/etc/bind/named.conf.local | 11 ++--
 mail-setup | 30 ++++-----
 subdir_files/.config/mpv/mpv.conf | 2 +-
 4 files changed, 72 insertions(+), 36 deletions(-)
diff --git a/brc2 b/brc2
index 6d6991a..773b3bb 100644
--- a/brc2
+++ b/brc2
@@ -314,7 +314,7 @@ lipush() {
 p[0]=/a/opt/emacs-ubuntu20.04
 p[1]=/a/opt/emacs-ubuntu20.04-nox
 done
- m rsync "$@" -ahviSAXPH root@iankelling.org:/a/h/proposed-comments/ /a/h/proposed-comments || ret=$?
+ m rsync "$@" -ahviSAXPH root@li:/a/h/proposed-comments/ /a/h/proposed-comments || ret=$?
 return $ret
 }
@@ -332,22 +332,19 @@ bkpush() { # no emacs. for running faster.
 return $ret
 }
-
 bindpush() {
- lipush || return 1
+ lipush
 for h in li bk; do
- sl $h <<'EOF' || return 1
-set -e
+ m sl $h <<'EOF'
 source ~/.bashrc
-dnsup
-dnsb8
+m dnsup
+m dnsb8
 EOF
 done
 }
-
 dnsup() {
 conflink
- ser reload bind9
+ m ser reload bind9
 }
 dnsb8() {
 local f=/var/lib/bind/db.b8.nz
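Review bot: bindpush no longer stops on failure: `lipush || return 1` became a bare `lipush`, and the remote script lost both its `set -e` and the `|| return 1` after `sl $h <<'EOF'`, so a failed push or a failed `dnsup` on li still lets the loop move on to bk and run `dnsb8` against whatever was last deployed. Unless `m` itself aborts the caller on a non-zero exit (its definition is not in this diff), restoring `lipush || return 1` and keeping `set -e` as the first line of the heredoc keeps the fail-fast behaviour the old code had. dnsb8 starts in this hunk but its body continues outside it.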
@@ -356,6 +353,41 @@ dnsb8() {
 sudo install -m 644 -o bind -g bind /p/c/machine_specific/vps/bind-initial/db.b8.nz $f
 ser restart bind9
 }
+dnsecgen() {
+ # keys generated like this
+ # because of https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
+ # https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
+
+ # key length is longer than that guide because
+ # we are using those at fsf and when old key lengths
+ # become insecure, I want some extra time to update.
+ # dnsecgen (in brc2)
+
+ local zone=$1
+ local f tag
+ dnssec-keygen -a RSASHA256 -b 2048 $zone
+ dnssec-keygen -f KSK -a RSASHA256 -b 4096 $zone
+ for f in K$zone.*.key; do
+ # eg Kb8.nz.+008+47995.key tag=47995
+ # in dnsimple, you add the long string from this.
+ # in gandi, you add the long string from the .key file,
+ # then see that the digest matches the ds.
+ echo "tag is the number after DS"
+ dnssec-dsfromkey -a SHA-256 $f
+ done
+ # For b8.nz, we let bind read the keys and sign, and
+ # right now they have root ownership, so let them
+ # get group read.
+ chmod g+r *.private
+}
+dsign() {
+ # created .signed file that
+ # note: full paths probably not needed.
+ local arg=$1
+ local zone=${arg#db.}
+ local dir=/p/c/machine_specific/vps/filesystem/var/lib/bind
+ dnssec-signzone -S -e +31536000 -o $zone -K $dir -d $dir $dir/db.$zone
+}
 #### begin bitcoin related things
@@ -1222,6 +1254,11 @@ tu() {
 $s /a/exe/teeu "$@"
 }
+# a1 = awk {print $1}
+for field in {1..20}; do
+ eval a$field"() { awk '{print \$$field}'; }"
+done
+
 enn() {
 local ecmd pid
@@ -1230,12 +1267,8 @@ enn() {
 s $ecmd "$@"
 return
 fi
-
- pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf")
-
- if $dosudo; then
- s nsenter -t $pid -n -m $ecmd "$@"
- fi
+ pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf"|a1)
+ m s nsenter -t $pid -n -m $ecmd "$@"
 }
 mailnnbash() {
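Review bot: `chmod g+r *.private` at the end of dnsecgen widens read access to every private key file in the current directory, not only the pair the function just generated; dnsecgen never changes directory, so any other zone's keys sitting there get the same relaxation. Limiting it to the generated keys, `chmod g+r K$zone.*.private`, keeps the change scoped to what the comment above it justifies, and the `for f in K$zone.*.key` loop likewise prints a DS for the ZSK as well as the KSK, although only the KSK's DS is what gets published at the registrar. Separately, dsign signs with `-e +31536000`, so the RRSIGs in each .signed file lapse about a year after the run and validating resolvers will treat the zone as bogus unless dsign is re-run first; the todo this commit adds to mail-setup about expiring dnssec keys should cover re-signing too, and a comment on the `-e` line saying so would help. The dsign header comment `# created .signed file that` is also an unfinished sentence; `# writes $dir/db.<zone>.signed from $dir/db.<zone> using the keys in $dir` states what it does.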
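Review bot: the `|a1` appended to the pgrep substitution in enn does not narrow the result to one process: pgrep -f prints a bare PID per line, so `awk '{print $1}'` passes each line through unchanged, and if more than one process matches the exim4 command line `$pid` is a multi-line value that `nsenter -t $pid` cannot use. If multiple matches are expected, `pgrep -o -f "..."` (oldest match) or `| head -n1` is what selects one; if exactly one is expected, a guard before the nsenter line, `[[ $pid =~ ^[0-9]+$ ]] || { echo "enn: exim4 pid not found" >&2; return 1; }`, catches both the empty and the multiple case instead of handing nsenter a bad target. The same `|a1` is added to eximbash in the next hunk. enn's signature and the start of its body are outside the hunk.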
@@ -1245,7 +1278,7 @@ mailvpnbash() {
 m sudo nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") -n -m sudo -u $USER -i bash
 }
 eximbash() {
- m sudo nsenter -t $(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf") -n -m sudo -u $USER -i bash
+ m sudo nsenter -t $(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf"|a1) -n -m sudo -u $USER -i bash
 }
diff --git a/machine_specific/vps/filesystem/etc/bind/named.conf.local b/machine_specific/vps/filesystem/etc/bind/named.conf.local
index 62f38d2..3808500 100644
--- a/machine_specific/vps/filesystem/etc/bind/named.conf.local
+++ b/machine_specific/vps/filesystem/etc/bind/named.conf.local
@@ -12,6 +12,9 @@ include "/etc/bind/zones.rfc1918";
 zone "b8.nz" {
 type master;
 file "/var/lib/bind/db.b8.nz";
+key-directory "/var/lib/bind";
+auto-dnssec maintain;
+inline-signing yes;
 update-policy {
 // allow updating almost anything in the zone or subdomains.
 grant b8.nz. subdomain b8.nz.;
@@ -21,22 +24,22 @@ include "/etc/bind/key.b8.nz";
 zone "iankelling.org" {
 type master;
-file "/var/lib/bind/db.iankelling.org";
+file "/var/lib/bind/db.iankelling.org.signed";
 };
 zone "zroe.org" {
 type master;
-file "/var/lib/bind/db.zroe.org";
+file "/var/lib/bind/db.zroe.org.signed";
 };
 zone "expertpathologyreview.com" {
 type master;
-file "/var/lib/bind/db.expertpathologyreview.com";
+file "/var/lib/bind/db.expertpathologyreview.com.signed";
 };
 zone "amnimal.ninja" {
 type master;
-file "/var/lib/bind/db.amnimal.ninja";
+file "/var/lib/bind/db.amnimal.ninja.signed";
 };
 zone "9.c.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa" {
diff --git a/mail-setup b/mail-setup
index 18f0357..2437ea6 100755
--- a/mail-setup
+++ b/mail-setup
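Review bot: the three new lines for b8.nz turn on bind-side signing without recording where the keys come from or what named needs in order to use them; the link to dnsecgen in brc2 and its `chmod g+r *.private` exists only in this commit, not in the config. A comment above `key-directory`, `// keys generated by dnsecgen (brc2); named must be able to read K<zone>.*.private in this directory`, keeps that dependency next to the setting. `auto-dnssec maintain` is also deprecated in newer BIND releases in favour of a `dnssec-policy` statement, so noting which BIND version this was written against in the same comment would save the next person a surprise.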
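Review bot: with the four zones now served from `db.<zone>.signed`, the unsigned db.<zone> file is what dsign reads and the .signed file is generated output, but nothing in the config says so: an edit made directly to the .signed file is lost at the next re-sign, and an edit to db.<zone> without re-running dsign is not served at all. A comment above the first changed `file` line, `// db.<zone>.signed is generated from db.<zone> by dsign (brc2); edit db.<zone>, then re-sign`, documents that workflow. Whether any .signed file is checked in alongside its source is not visible in this diff.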
@@ -3,22 +3,25 @@
 # Copyright (C) 2019 Ian Kelling
 # SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: create a cronjob to update or warn on expiring dnssec keys
+
+# todo: turn on dnssec validation for dns resolution.
+# use unbound on server so we have a unique ip for
+# dnsbl servers.
+
 # todo: we should test failed mail daily or so
 # failed cronjob, failed sysd-log-once,
 # a local bounce from a cronjob, a local bounce
 # to a bad remote address, perhaps a local failure
 # when the sending daemon is down.
 # And send an alert email if no alerts have been sent
-# in 2 or 3 days or something.
+# in 2 or 3 days or something. todo, test cron mail on li.
 # todo: look at mailinabox extra dns records
 # todo: mailtest-check failure on remote hosts is not going to alert me.
 # sort that out.
-# todo: test out icedove
-
-# todo: test out nextcloud mail plugin
 # background: I want to run exim in a network namespace so it can send
 # and receive through a vpn. This is needed so it can do ipv6, because
@@ -158,9 +161,7 @@ fi
 ####### end perstent password instructions ######
-# * persistent dkim/dns instructions
-
-#### begin dkim generation section ####
+# * dkim dns
 # # Remove 1 level of comments in this section, set the domain var
 # # for the domain you are setting up, then run this and copy dns settings
 # # into dns.
@@ -192,8 +193,8 @@ fi
 # # leaves us a bit of extra room at the end and a bunch at the beginning.
 # # selector was also put into /etc/exim4/conf.d/main/000_local,
-#### end dkim generation section ####
+# * dmarc dns
 # # 2017-02 dmarc policies:
 # # host -t txt _dmarc.gmail.com
@@ -205,6 +206,8 @@ fi
 # # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
+# * other dms
+
 # # 2017-02 spf policies:
 # # host -t txt lists.fedoraproject.org
 # # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
@@ -222,8 +225,9 @@ fi
 # mx records, 2 records each, for * and empty domain
 # pri 10 mail.iankelling.org
 # EOF
-####### end persistent dkim instructions #########
+# # dnssec
+# from brc2, run dnsecgen then dsign, update named.local.conf, publish keys to registrar
 # * functions & constants
@@ -1224,7 +1228,7 @@ if [[ $HOSTNAME == bk ]]; then
 m mkdir -p $dir
 # taken from mailinabox
 i $dir/config-v1.1.xml < + $domain
@@ -1433,8 +1437,6 @@ EOF
 ?>
 EOF
- # todo, default charset an option? set to utf-8
-
 m mkdir -p $rclogdir
 m chmod 750 $rclogdir
 m chown www-data:adm $rclogdir
@@ -1444,7 +1446,6 @@ EOF
 m chmod 750 $rctmpdir
 # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
 # todo: setup fail2ban
- # todo: setup dnssec.
 # todo: check for other mailinabox things
 m sudo -u www-data touch $rclogdir/errors.log
@@ -1511,7 +1512,7 @@ EOF
 cd $rcdir/plugins/html5_notifier
 m git pull --rebase
- # todo: try out roundcube plugins: html5 notifier, nextcloud, thunderbird labels
+ # todo: try out roundcube plugins: thunderbird labels
 # Password changing plugin settings
 cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
@@ -2094,7 +2095,6 @@ esac
 case $HOSTNAME in
 $MAIL_HOST|bk|je)
 # note: cronjob "ian" also does some important monitoring
- # todo: setup test mail cron for 3rd host
 cat >/etc/cron.d/mailtest <
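Review bot: the new dnssec note says to update `named.local.conf`, but the file this same commit changes is `named.conf.local`, so a reader following the instruction will look for a file that does not exist. Suggest `# from brc2, run dnsecgen then dsign, update named.conf.local, publish the KSK's DS record (printed by dnsecgen) to the registrar`, which also replaces the vague "publish keys" with what dnsecgen's dnssec-dsfromkey loop actually prints. The comment block this sits in starts before the hunk.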