various fixes

[distro-setup] / mail-setup

#!/bin/bash
# -*- eval: (outline-minor-mode); -*-
# * intro
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later

if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi

pre="${0##*/}:"
m() { printf "$pre %s\n"  "$*"; "$@"; }
e() { printf "$pre %s\n"  "$*"; }
err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; }

shopt -s nullglob

if [[ -s /usr/local/lib/err ]]; then
  source /usr/local/lib/err
elif [[ -s /a/bin/errhandle/err ]]; then
  source /a/bin/errhandle/err
else
  err "no err tracing script found"
  exit 1
fi
source /a/bin/distro-functions/src/identify-distros


[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
if [[ ! $SUDO_USER ]]; then
  echo "$0: error: requires running as nonroot or sudo"
  exit 1
fi
u=$SUDO_USER


usage() {
  cat <<EOF
Usage: ${0##*/}
Setup exim4 & dovecot & related things

-h|--help  Print help and exit.
EOF
  exit $1
}



####### instructions for icedove #####
# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
#
# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
# background: ovecot does not yet have ocsp stapling support
# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
#
# for phone, k9mail, same thing but username alerts, pass in ivy-pass.
# also, l2.b8.nz for secondary alerts, username is iank. same alerts pass.
# fetching mail settings: folder poll frequency 10 minutes
#######


# * perstent password instructions
# # exim passwords:
# # for hosts which have all private files I just use the same user
# # for other hosts, each one get\'s their own password.
# # for generating secure pass, and storing for server too:
# f=$(mktemp)
# I use $HOSTNAME as username
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$HOSTNAME:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$HOSTNAME:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
# reference: exim4_passwd_client(5)
# echo "mail.iankelling.org:$HOSTNAME:$(<$f)" > /p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
# # then run this script

# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users

####### end perstent password instructions ######


# * persistent dkim/dns instructions
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# domain=iankelling.org
# c /p/c/filesystem/etc/exim4
# # this has several bugs addressed in comments, but it was helpful
# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

# openssl genrsa -out $domain-private.pem 2048 -outform PEM
# openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
# # selector is needed for having multiple keys for one domain.
# # I dun do that, so just use a static one: li
# echo "txt record name: li._domainkey.$domain"
# # Debadmin page does not have v=, fastmail does, and this
# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
# # https://www.ietf.org/rfc/rfc6376.txt
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
# echo "txt record contents:"
# echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
# # selector was also put into /etc/exim4/conf.d/main/000_local,

# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
# # there were articles claiming gmail would be  changing
# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
# # expected to cause problems
# # with a few old mailing lists, copying theirs for now.
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"

# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.

# # to check if dns has updated, you do
# host -a mesmtp._domainkey.$domain

# # mx records,
# # setting it to iankelling.org would work the same, but this
# # is more flexible, I could change where mail.iankelling.org pointed.
# cat <<'EOF'
# mx records, 2 records each, for * and empty domain
# pri 10 mail.iankelling.org
# EOF
####### end  persistent dkim instructions #########


# * functions  constants
e() { printf "%s\n" "$*"; }
pi() { # package install without starting daemons
  local f
  if dpkg -s -- "$@" &> /dev/null; then
    return 0;
  fi;
  while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
  f=/var/cache/apt/pkgcache.bin;
  if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
    m apt-get update
  fi
  f=/usr/sbin/policy-rc.d
  dd of=$f 2>/dev/null <<EOF
#!/bin/sh
exit 101
EOF
  chmod +x $f
  ret=
  DEBIAN_FRONTEND=noninteractive m apt-get -y install --purge --auto-remove "$@" || ret=$?
  rm $f
  if [[ $ret ]]; then
    err-exit $ret "failed apt-get install above"
  fi
}

postmaster=alerts
mxhost=mail.iankelling.org
mxport=587
forward=$u@$mxhost

# old setup. left as comment for example
# mxhost=mail.messagingengine.com
# mxport=587
# forward=ian@iankelling.org

smarthost="$mxhost::$mxport"

## * Install packages
# light version of exim does not have sasl auth support.
pi exim4-daemon-heavy spamassassin spf-tools-perl dnsmasq openvpn

if [[ $(debian-codename) == etiona ]]; then
  # ip6tables stopped loading on boot. openvpn has reduced capability set,
  # so running iptables as part of openvpn startup wont work. This should do it.
  # todo: im sure there is a better way.
  yes no | pi iptables-persistent || [[ $? == 141 ]]
  cat >/etc/iptables/rules.v6 <<'EOF'
*nat
*mangle
*filter
COMMIT
EOF
  # load it now.
  ip6tables -S &>/dev/null
fi

# our nostart pi fails to avoid enabling
sudo systemctl disable openvpn

# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
  vpn_ser=openvpn
fi

uhome=$(eval echo ~$u)
### * user forward file

case $HOSTNAME in
  $MAIL_HOST|l2)
    # afaik, these will get ignored on MAIL_HOST because they are routing to my own
    # machine, but rm them is safer
    rm -fv $uhome/.forward /root/.forward
    ;;
  *)
    # this can\'t be a symlink and has permission restrictions
    # it might work in /etc/aliases, but this seems more proper.
    e setting $uhome/.forward to $forward
    install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward
    ;;
esac

# * Mail clean cronjob

cat >/etc/systemd/system/mailclean.timer <<'EOF'
[Unit]
Description=Run mailclean daily

[Timer]
OnCalendar=monthly

[Install]
WantedBy=timers.target
EOF

cat >/etc/systemd/system/mailclean.service <<EOF
[Unit]
Description=Delete and archive old mail files
After=multi-user.target

[Service]
User=$u
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
EOF

systemctl daemon-reload


# * spamassassin

if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
  m systemctl stop spamassassin
  m systemctl disable spamassassin
else

  # per readme.debian
  sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
  e CRON=1 >>/etc/default/spamassassin
  # just noticed this in the config file, seems like a good idea.
  sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
  e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin

  m systemctl enable spamassassin
  m systemctl start spamassassin
  m systemctl reload spamassassin

  cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
[Unit]
Description=spamd dns bug fix cronjob

[Service]
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
  # 2017-09, debian closed the bug on this saying upstream had fixed it.
  # remove this when i\'m using the newer package, ie, debian 10, or maybe
  # ubuntu 18.04.
  cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes

[Timer]
OnActiveSec=60
# the script looks back 9 minutes into the journal,
# it takes a second to run,
# so lets run every 9 minutes and 10 seconds.
OnUnitActiveSec=550

[Install]
WantedBy=timers.target
EOF
  m systemctl daemon-reload
  m systemctl restart spamddnsfix.timer
  m systemctl enable spamddnsfix.timer

fi # [[ $HOSTNAME != "$MAIL_HOST" ]]
#####   end spamassassin config


# * Update mail cert
if [[ -e /p/c/filesystem ]]; then
  # allow failure of these commands when our internet is down, they are likely not needed,
  # we check that a valid cert is there already.
  # to put the hostname in the known hosts
  if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
    # This just causes failure if our cert is going to expire in the next 30 days.
    # Certs I generate last 10 years.
    openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
  else
    # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
    # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
    # after my internet was down for a bit:
    # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
    m /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
  fi
fi



f=/usr/local/bin/mail-cert-cron
cat >$f <<'EOF'
#!/bin/bash
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

f=/a/bin/bash_unpublished/source-state
if [[ -e $f ]]; then
    source $f
fi
if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
  exit 0
fi
local_mx=mail.iankelling.org
mkdir -p /etc/letsencrypt/live/$local_mx
chmod 700 /etc/letsencrypt/live
rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
# allow for temporary connection issues
${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
${rsync_common}privkey.pem /etc/exim4/exim.key ||:
if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
    echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
    exit 1
fi
exit 0
EOF
m chmod 755 $f

cat >/etc/systemd/system/mailcert.service <<'EOF'
[Unit]
Description=Mail cert rsync
After=multi-user.target

[Service]
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF

cat >/etc/systemd/system/mailcert.timer <<'EOF'
[Unit]
Description=Run mail-cert once a day

[Timer]
OnCalendar=daily

[Install]
WantedBy=timers.target
EOF
m systemctl daemon-reload
m systemctl start mailcert
m systemctl restart mailcert.timer
m systemctl enable mailcert.timer



# * common exim4 config
source /a/bin/bash_unpublished/source-state

if [[ ! $MAIL_HOST ]]; then
  err "\$MAIL_HOST not set"
fi

m sudo gpasswd -a iank adm #needed for reading logs


### make local bounces go to normal maildir
# local mail that bounces goes to /Maildir or /root/Maildir
dirs=(/m/md/bounces/{cur,tmp,new})
m mkdir -p ${dirs[@]}
m chown iank:iank /m /m/md
m ln -sfT /m/md /m/iank
m chmod 700 /m /m/md
m chown -R $u:Debian-exim /m/md/bounces
m chmod 775 ${dirs[@]}
m usermod -a -G Debian-exim $u
for d in /Maildir /root/Maildir; do
  if [[ ! -L $d ]]; then
    m rm -rf $d
  fi
  m ln -sf -T /m/md/bounces $d
done

# Note, even the server needs permissions of this file right
# if it exists, so do this up here.
f=/p/c/filesystem/etc/exim4/passwd.client
if [[ ! -e $f ]]; then
  f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
fi
m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/

# by default, only 10 days of logs are kept. increase that.
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base


## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
# i only need .forwards, so just doing that one.
cd /etc/exim4/conf.d/router
b=userforward_higher_priority
# replace the router name so it is unique
sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b


rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
cat >/etc/exim4/conf.d/main/000_local <<EOF
MAIN_TLS_ENABLE = true

# debian exim config added this in 2016 or so?
# it's part of the smtp spec, to limit lines to 998 chars
# but a fair amount of legit mail does not adhere to it. I don't think
# this should be default, like it says in
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
# todo: the bug for introducing this was about headers, but
# the fix maybe is for all lines? one says gmail rejects, the
# other says gmail does not reject. figure out and open a new bug.
IGNORE_SMTP_LINE_LENGTH_LIMIT = true

# more verbose logs
MAIN_LOG_SELECTOR = +all


# normally empty, I set this so I can set the envelope address
# when doing mail redelivery to invoke filters. Also allows
# me exiqgrep and stuff.
MAIN_TRUSTED_GROUPS = $u

# default is 10. when exim has been down for a bit, fsf mailserver
# will do a big send in one connection, then exim decides to put
# the messages in the queue instead of delivering them, to avoid
# spawning too many delivery processes. Pretty sure my system
# can handle a lot more, but lets go with this.
smtp_accept_queue_per_connection = 100


DKIM_CANON = relaxed
DKIM_SELECTOR = li

# from comments in
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

# The file is based on the outgoing domain-name in the from-header.
DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
# sign if key exists
DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}

# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
# list- headers since they got mentioned in an
# rfc, but this messes up mailing lists, like gnu/debian which want to
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
EOF

rm -fv /etc/exim4/rcpt_local_acl # old path
cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
# Only hosts we control send to @mail.iankelling.org, so make sure
# they are all authed.
# Note, if we wanted authed senders for all domains,
# we could make this condition in acl_check_mail
deny
  message = ian trusted domain recepient but no auth
  !authenticated = *
  domains = mail.iankelling.org
EOF
rm -fv /etc/exim4/data_local_acl # old path
cat >/etc/exim4/conf.d/data_local_acl <<'EOF'
# Except for the "condition =", this was
# a comment in the check_data acl. The comment about this not
# being suitable is mostly bs. The only thing related I found was to
# add the condition =, cuz spamassassin has problems with big
# messages and spammers don't bother with big messages,
# but I've increased the size from 10k
# suggested in official docs, and 100k in the wiki example because
# those docs are rather old and I see a 110k spam message
# pretty quickly looking through my spam folder.
warn
  condition = ${if < {$message_size}{2000K}}
  spam = Debian-exim:true
  add_header = X-Spam_score: $spam_score\n\
            X-Spam_score_int: $spam_score_int\n\
            X-Spam_bar: $spam_bar\n\
            X-Spam_report: $spam_report

#accept
#  spf = pass:fail:softfail:none:neutral:permerror:temperror
#  dmarc_status = reject:quarantine
#  add_header = Reply-to: dmarctest@iankelling.org

EOF
cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
EOF

cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################

# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".

local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
# ian: commented this, in conjunction with a dovecot lmtp
# change so I get mail for all users.
#  check_local_user
  local_parts = ! root
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user
EOF
cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
        driver = lmtp
        socket = /var/run/dovecot/lmtp
        #maximum number of deliveries per batch, default 1
        batch_max = 200
EOF

# this avoids some error. i cant remember what. todo:
# test it out and document why/if its needed.
cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
mail.fsf.org
*.posteo.de
EOF

# for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
# and also have mail.iankelling.org whitelisted as a relay domain.
# I could avoid that if I changed this to submit to 587 with a
# password like a standard mua.
cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
# smarthost for fsf mail
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
# replaced DCsmarthost with mail.fsf.org
fsfsmarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  senders = *@fsf.org
  transport = remote_smtp_smarthost
  route_list = * mail.fsf.org byname
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more
EOF


cat >/etc/exim4/update-exim4.conf.conf  <<'EOF'
# default stuff, i havent checked if its needed
dc_minimaldns='false'
dc_relay_nets=''
CFILEMODE='644'
dc_use_split_config='true'
dc_local_interfaces=''
dc_mailname_in_oh='true'
EOF


# ** dovecot
dovecot-setup() {
  # based on a little google and package search, just the dovecot
  # packages we need instead of dovecot-common.
  #
  # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
  # directly.  The reason to do this is to use dovecot\'s sieve, which
  # has extensions that allow it to be almost equivalent to exim\'s
  # filter capabilities, some ways probably better, some worse, and
  # sieve has the benefit of being supported in postfix and
  # proprietary/weird environments, so there is more examples on the
  # internet. I was torn about whether to do this or not, meh.
  pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd

  for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
    e $f
    if [[ -e $f ]]; then
      m sudo rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
      break
    fi
  done
  for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
    m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/}
  done


  # If we changed 90-sieve.conf and removed the active part of the
  # sieve option, we wouldn\'t need this, but I\'d rather not modify a
  # default config if not needed. This won\'t work as a symlink in /a/c
  # unfortunately.
  m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve

  if [[ ! -e $uhome/sieve/personal.sieve ]]; then
    touch $uhome/sieve/personal{,end}{,test}.sieve
  fi

  # we set this later in local.conf
  sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
/^\s*mail_location\s*=/d
EOF

  cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
  mail_plugins = \$mail_plugins sieve
# default was
  #mail_plugins = \$mail_plugins

# For a normal setup with exim, we need something like this, which
# removes the domain part
#  auth_username_format = %Ln
#
#  or else # Exim says something like
#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
# Dovecot verbose log says something like
# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
# reference: http://wiki.dovecot.org/LMTP/Exim
#
# However, I use this to direct all mail to the same inbox.
# A normal way to do this, which I did at first is to have
# a router in exim almost at the end, eg 950,
#local_catchall:
#  debug_print = "R: catchall for \$local_part@\$domain"
#  driver = redirect
#  domains = +local_domains
#  data = $u
# based on
# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
# with superflous options removed.
# However, this causes the envelope to be rewritten,
# which makes filtering into mailboxes a little less robust or more complicated,
# so I've done it this way instead. it also requires
# modifying the local router in exim.
  auth_username_format = $u
}

EOF


  cat >/etc/dovecot/local.conf <<EOF
# so I can use a different login that my shell login for mail.  this is
# worth doing solely for the reason that if this login is compromised,
# it won't also compromise my shell password.
!include conf.d/auth-passwdfile.conf.ext

# settings derived from wiki and 10-ssl.conf
ssl = required
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key
# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
# in my cert cronjob, I check if that has changed upstream.
ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# ian: added this, more secure, per google etc
ssl_prefer_server_ciphers = yes

# ian: %u is used for alerts user vs iank
mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
mail_uid = $u
mail_gid = $u

# for debugging info, uncomment these.
# logs go to syslog and to /var/log/mail.log
# auth_verbose=yes
#mail_debug=yes
EOF
  ####### end dovecot-setup ########
}



# * if MAIL_HOST
case $HOSTNAME in
  $MAIL_HOST|l2)
    dovecot-setup
    m systemctl enable dovecot
    m systemctl restart dovecot
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# note: some things we don't set that are here by default because they are unused.
dc_eximconfig_configtype='internet'
dc_localdelivery='dovecot_lmtp'
EOF
    cat >>/etc/exim4/conf.d/main/000_local <<EOF
# recommended if dns is expected to work
CHECK_RCPT_VERIFY_SENDER = true
# seems like a good idea
CHECK_DATA_VERIFY_HEADER_SENDER = true
CHECK_RCPT_SPF = true
CHECK_RCPT_REVERSE_DNS = true
CHECK_MAIL_HELO_ISSUED = true
EOF

    m systemctl enable mailclean.timer
    m systemctl start mailclean.timer

    ;;&
  $MAIL_HOST)

    # ** exim

    # todo, these pem files look old and useless. whats going on
    sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
         /p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/


    # mail.iankelling.org so local imap clients can connect with tls and
    # when they happen to not be local.
    sed -ri -f - /etc/hosts <<'EOF'
/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
EOF

    # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
    # weve configured this file in dnsmasq if we are using it.
    /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
server=/mail.iankelling.org/127.0.1.1
EOF
    if systemctl is-active dnsmasq >/dev/null; then
      m systemctl restart dnsmasq
    fi
    m nscd -i hosts

    # I used to use debconf-set-selections + dpkg-reconfigure,
    # which then updates this file
    # but the process is slower than updating it directly and then I want to set other things in
    # update-exim4.conf.conf, so there's no point.
    # The file is documented in man update-exim4.conf,
    # except the man page is not perfect, read the bash script to be sure about things.

    # The debconf questions output is additional documentation that is not
    # easily accessible, but super long, along with the initial default comment in this
    # file, so I've saved that into ./mail-notes.conf.

    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
# iank.bid is for testing
# mail.iankelling.org is for machines i own
dc_other_hostnames='*.iankelling.org;iankelling.org;*zroe.org;zroe.org;$HOSTNAME.b8.nz;b8.nz'

EOF


    # the debconf output about mailname is as follows:
    # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
    # name.
    # This name will also be used by other programs. It should be the single, fully
    # qualified domain name (FQDN).
    # Thus, if a mail address on the local host is foo@example.org, the correct value for
    # this option would be example.org.
    # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.

    echo mail.iankelling.org > /etc/mailname

    # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
    # smarthost config type, not sure. all other settings
    # would be unused in that config type.
    cat >>/etc/exim4/conf.d/main/000_local <<EOF
# enable 587 in addition to the default 25, so that
# i can send mail where port 25 is firewalled by isp
daemon_smtp_ports = 25 : 587

# failing message on mail-tester.com:
# We check if there is a server (A Record) behind your hostname kd.
# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
# and this one seemed appropriate from grepping config.
# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
# mail to kd, so this should basically be a name that no host has as their
# canonical hostname since the actual host sits behind a nat and changes.
# Seems logical for this to be the same as mailname.
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org

# options exim has to avoid having to alter the default config files
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl


# testing dmarc
#dmarc_tld_file = /etc/public_suffix_list.dat
EOF

    f=/etc/cron.daily/refresh-dmarc-tld-file
    cat >$f <<'EOF'
#!/bin/bash
cd /etc
wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
EOF
    m chmod 755 $f

    sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: $postmaster
/^root:/d
EOF


    # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
    d=/etc/systemd/system/openvpn@mail.service.d
    m mkdir -p $d
    cat >$d/override.conf <<'EOF'
[Service]
Restart=always
# time to sleep before restarting a service
RestartSec=1

[Unit]
# StartLimitIntervalSec in recent systemd versions
StartLimitInterval=0
EOF
    if ! systemctl cat openvpn@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then
      # needed for the above config to go into effect
      m systemctl daemon-reexec
    fi


    m systemctl restart $vpn_ser@mail
    m systemctl enable $vpn_ser@mail
    ;;
  # * not MAIL_HOST
  *) # $HOSTNAME != $MAIL_HOST
    # remove mail. uses 2 lines to properly remove whitespace
    sed -ri -f - /etc/hosts <<'EOF'
s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
EOF

    echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
    if systemctl is-active dnsmasq >/dev/null; then
      m systemctl restart dnsmasq # reload does not ensure new config is used
    fi
    m nscd -i hosts

    m systemctl disable mailclean.timer &>/dev/null ||:
    m systemctl stop mailclean.timer &>/dev/null ||:
    m systemctl disable $vpn_ser@mail
    m systemctl stop $vpn_ser@mail
    #
    #
    # would only exist because I wrote it i the previous condition,
    # it\'s not part of exim
    rm -fv /etc/exim4/conf.d/main/000_localmacros
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
# The manpage incorrectly states this will do header rewriting, but
# that only happens if we have dc_hide_mailname is set.
dc_readhost='iankelling.org'
EOF

    hostname -f >/etc/mailname


    ;;&
  ## we use this host to monitor MAIL_HOST
  l2)

    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
# mail.iankelling.org is for machines i own
dc_other_hostnames='l2.b8.nz'
EOF
    # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
    # is no good.
    sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: iank
/^root:/d
EOF
    ;;
  # not l2 and not MAIL_HOST
  *)


    # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
    # is no good.
    sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: root@mail.iankelling.org
/^root:/d
EOF
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# Only used in case of bounces.
dc_localdelivery='maildir_home'
EOF
    m systemctl disable dovecot ||:
    m systemctl stop dovecot ||:
    ;;
esac # end $HOSTNAME != $MAIL_HOST

# * spool dir setup

# ** bind mount setup
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
# todo: I\'m suspicious of uids for Debian-exim being the same across
# distros. It would be good to test this.
dir=/nocow/exim4
sdir=/var/spool/exim4
# we only do this if our system has $dir

# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
# about 2 seconds later, exim starts, and immediately puts into paniclog:
# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
# so, im trying a bind mount to get rid of that.
if [[ -e /nocow ]]; then
  if ! grep -Fx "/nocow/exim4  /var/spool/exim4  none  bind  0 0" /etc/fstab; then
    echo "/nocow/exim4  /var/spool/exim4  none  bind  0 0" >>/etc/fstab
  fi
  if ! mountpoint -q $sdir; then
    m systemctl stop exim4
    if [[ -L $sdir ]]; then
      m rm $sdir
    fi
    if [[ ! -e $dir && -d $sdir ]]; then
      m mv $sdir $dir
    fi
    if [[ ! -d $sdir ]]; then
      m mkdir $sdir
      m chmod 000 $sdir # only want it to be used when its mounted
    fi
    m mount $sdir
  fi
fi



# ** exim/spool uid setup
# i have the spool directory be common to distro multi-boot, so
# we need the uid to be the same. 608 cuz it's kind of in the middle
# of the free system uids.
IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
if [[ ! $uid ]]; then
  # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
  m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
    --no-create-home --disabled-login --force-badname Debian-exim
elif [[ $uid != 608 ]]; then
  m systemctl stop exim4 ||:
  m usermod -u 608 Debian-exim
  m groupmod -g 608 Debian-exim
  m usermod -g 608 Debian-exim
  m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} +
  m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} +
fi




# * reload exim

if systemctl is-active exim4 >/dev/null; then
  m systemctl reload exim4
else
  m systemctl start exim4
fi


# * mail monitoring / testing

case $HOSTNAME in
  $MAIL_HOST|l2)
    # note: cronjob "ian" also does some important monitoring
    cat >/etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin
*/5 * * * *   $u send-test-forward |& log-once send-test-forward
*/10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
*/5 * * * *   $u mailtest-check |& log-once -1 mailtest-check
EOF
    ;;&
  $MAIL_HOST)
    test_from=ian@iankelling.org
    test_to=testignore@l2.b8.nz

    cat >>/etc/cron.d/mailtest <<EOF
2   * * * *   $u check-remote-mailqs |& log-once check-remote-mailqs
EOF
    m sudo rsync -ahhi --chown=root:root --chmod=0755 \
      /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
    ;;&
  l2)
    test_from=iank@l2.b8.nz
    test_to=testignore@iankelling.org
    ;;&
  $MAIL_HOST|l2)
    cat >/usr/local/bin/send-test-forward <<EOFOUTER
#!/bin/bash
/usr/sbin/exim -t <<EOF
From: $test_from
To: $test_to
Subject: primary_test \$(date +%s) \$(date +%Y-%m-%dT%H:%M:%S%z)

eom
EOF
EOFOUTER
    m chmod +x /usr/local/bin/send-test-forward
    ;;
  *)
    rm -fv /etc/cron.d/mailtest
    ;;
esac



# * misc
m sudo -u $u ln -sf -T /m/.mu /home/$u/.mu


# /etc/alias setup is debian specific, and exim postinst script sets up
# an /etc/alias from root to the postmaster, based on the question
# exim4-config exim4/dc_postmaster, as long as there exists an entry for
# root, or there was no preexisting aliases file. postfix won\'t set up
# a root to $postmaster alias if it\'s already installed. Easiest to
# just set it ourselves.

# debconf question for postmaster:
# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
# to the user account of the actual system administrator.
# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
# recommended.
# Note that postmaster\'s mail should be read on the system to which it is directed,
# rather than being forwarded elsewhere, so (at least one of) the users listed here
# should not redirect their mail off this machine. A 'real-' prefix can be used to
# force local delivery.
# Multiple user names need to be separated by spaces.
# Root and postmaster mail recipient:


exit 0
: