From f23cccfe15e770d7d617b9aee5923bd9b0117007 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 8 Nov 2020 21:32:26 -0500
Subject: [PATCH] various fixes

---
brc2 | 14 +++++++----
mail-setup | 62 +++++++++++++++++++++++++++++++++++-------------
vpn-mail-forward | 2 ++
3 files changed, 56 insertions(+), 22 deletions(-)

diff --git a/brc2 b/brc2
index e997984..e2d9bce 100644
--- a/brc2
+++ b/brc2
@@ -333,6 +333,7 @@ bkpush() { # no emacs. for running faster. } bindpush() { + dsign iankelling.org expertpathologyreview.com zroe.org amnimal.ninja lipush for h in li bk; do m sl $h <<'EOF'
@@ -342,6 +343,7 @@ EOF done } bindpushb8() { + dsign iankelling.org expertpathologyreview.com zroe.org amnimal.ninja lipush for h in li bk; do m sl $h <<'EOF'
@@ -391,12 +393,14 @@ dnsecgen() { chmod g+r *.private } dsign() { - # created .signed file that + # create .signed file # note: full paths probably not needed. - local arg=$1 - local zone=${arg#db.} - local dir=/p/c/machine_specific/vps/filesystem/var/lib/bind - dnssec-signzone -S -e +31536000 -o $zone -K $dir -d $dir $dir/db.$zone + local arg + for arg; do + local zone=${arg#db.} + local dir=/p/c/machine_specific/vps/filesystem/var/lib/bind + dnssec-signzone -S -e +31536000 -o $zone -K $dir -d $dir $dir/db.$zone + done }
diff --git a/mail-setup b/mail-setup
index bca15a0..d076600 100755
--- a/mail-setup
+++ b/mail-setup
@@ -5,14 +5,14 @@ # todo: move mail stuff in distro-end into this file +# todo: consider how to get clamav out of Debian-exim group +# so it cant read/write the whole mail spool, for better +# security. + # todo: fix ipv6 addr for li # todo: create a cronjob to update or warn on expiring dnssec keys -# todo: turn on dnssec validation for dns resolution. -# use unbound on server so we have a unique ip for -# dnsbl servers. - # todo: we should test failed mail daily or so # failed cronjob, failed sysd-log-once, # a local bounce from a cronjob, a local bounce 
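Review bot: The zone list added to `bindpush` (`dsign iankelling.org expertpathologyreview.com zroe.org amnimal.ninja`) is repeated verbatim in `bindpushb8` in the next hunk, so the two call sites will drift apart the next time a zone is added or dropped. Declaring the list once above both functions, e.g. `dsign_zones=(iankelling.org expertpathologyreview.com zroe.org amnimal.ninja)`, and calling `dsign "${dsign_zones[@]}"` in each keeps them in step. The same remark applies to the `bindpushb8` hunk; it is not repeated there.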
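Review bot: In the new `for arg; do` loop of `dsign`, `local dir=/p/c/machine_specific/vps/filesystem/var/lib/bind` is re-declared on every iteration although it never changes; declare it once before the loop together with `local arg zone`, and keep only `zone=${arg#db.}` inside. The loop also proceeds to the next zone when `dnssec-signzone` fails, so unless the script runs under errexit (not visible in this hunk) a partially failed signing run is indistinguishable from a successful one; appending `|| return 1` to the `dnssec-signzone` line makes the failure surface at the caller.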
@@ -333,9 +333,10 @@ Pin-Priority: 500 EOF fi +pi spf-tools-perl p0f postgrey pyzor razor jq moreutils clamav-daemon # light version of exim does not have sasl auth support. -pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor jq moreutils clamav-daemon +pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound # note: pyzor debian readme says you need to run some initialization command # but its outdated.
@@ -475,11 +476,33 @@ RestartSec=1 WantedBy=multi-user.target EOF -i /etc/nn-resolv/stub-resolv.conf <<<"nameserver 8.8.8.8" -m chattr +i /etc/nn-resolv/stub-resolv.conf - +# We use a local unbound because systemd-resolved wont accept our +# request, it will only listen to 127.0.0.53 in the main network +# namespace, and rejected feature requests to change that (although I +# could change the code and recompile), but anyways, that could answer +# with things specific to the lan that aren't applicable in this +# namespace, and since unbound is a recursive resolver, it means we just +# use our own ip against dnsbl rate limits. +# +# If we ever notice this change, chattr +i on it +i /etc/nn-resolv/stub-resolv.conf <<'EOF' +nameserver 127.0.0.1 +options edns0 +EOF + +# this is just a bug fix for trisquel. +f=/etc/apparmor.d/usr.sbin.unbound +line="/usr/sbin/unbound flags=(attach_disconnected) {" +if ! grep -qFx "$line" $f; then + badline="/usr/sbin/unbound {" + if ! grep -qFx "$badline" $f; then + err expected line in $f not found + fi + sed -i "s,^$badline$,$line," $f + m ser reload apparmor +fi -nn_progs=(exim4) +nn_progs=(exim4 unbound) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. nn_progs+=(spamassassin dovecot) 
@@ -2096,13 +2119,18 @@ sre mailcert.timer case $HOSTNAME in $MAIL_HOST|bk) - # If mailvpn has changes, id rather manually restart it, id rather - # not restart and lose connectivity. - sstart mailnn mailvpn + sstart mailnn + if $reload; then + sre mailvpn unbound + else + # If these have changes, id rather manually restart it, id rather + # not restart and lose connectivity + sstart mailvpn unbound + fi ;;& $MAIL_HOST|bk|je) # start spamassassin/dovecot before exim. - sre dovecot spamassassin + sre dovecot spamassassin clamav-daemon sstart mailclean.timer ;;& $MAIL_HOST)
@@ -2143,19 +2171,19 @@ EOF ;;& $MAIL_HOST) test_froms=(ian@iankelling.org z@zroe.org) - test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz" + test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja" cat >>/etc/cron.d/mailtest </usr/local/bin/send-test-forward
diff --git a/vpn-mail-forward b/vpn-mail-forward
index e311078..059ad60 100755
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
@@ -22,6 +22,8 @@ do-forward() { m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4 m /sbin/ip6tables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 2600:3c00:e002:3800::4 done + # for bk to talk to MAIL_HOST, only need port 25. + ip6tables -t nat $cmd PREROUTING -i tun1 -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4 # we could leave these on all the time but its convenient to do it here m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
--
2.30.2
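Review bot: The added port-25 DNAT rule in `do-forward` bypasses the `m` wrapper and the `/sbin/` path that every neighbouring iptables/ip6tables line uses, so whatever `m` does for the other rules (it is defined outside this hunk) is skipped for this one, and the call depends on `/sbin` being on PATH. Write it in the same form as the rest: `m /sbin/ip6tables -t nat $cmd PREROUTING -i tun1 -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4`. Passing `$cmd` through unchanged is right, since the rule is then presumably removed together with the others when the function is run in its delete form. The body of do-forward begins before this hunk.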