2 # -*- eval: (outline-minor-mode); -*-
4 # Copyright (C) 2019 Ian Kelling
5 # SPDX-License-Identifier: AGPL-3.0-or-later
7 if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi
10 m
() { printf "$pre %s\n" "$*"; "$@"; }
11 e
() { printf "$pre %s\n" "$*"; }
12 err
() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; }
16 if [[ -s /usr
/local
/lib
/err
]]; then
17 source /usr
/local
/lib
/err
18 elif [[ -s /a
/bin
/errhandle
/err
]]; then
19 source /a
/bin
/errhandle
/err
21 err
"no err tracing script found"
24 source /a
/bin
/distro-functions
/src
/identify-distros
27 [[ $EUID == 0 ]] ||
exec sudo
-E "${BASH_SOURCE[0]}" "$@"
28 if [[ ! $SUDO_USER ]]; then
29 echo "$0: error: requires running as nonroot or sudo"
38 Setup exim4 & dovecot & related things
40 -h|--help Print help and exit.
47 ####### instructions for icedove #####
48 # Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
49 # we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
51 # hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
52 # background: ovecot does not yet have ocsp stapling support
53 # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
55 # for phone, k9mail, same thing but username alerts, pass in ivy-pass.
56 # also, l2.b8.nz for secondary alerts, username is iank. same alerts pass.
57 # fetching mail settings: folder poll frequency 10 minutes
61 # * perstent password instructions
63 # # for hosts which have all private files I just use the same user
64 # # for other hosts, each one get\'s their own password.
65 # # for generating secure pass, and storing for server too:
67 # I use $HOSTNAME as username
68 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
69 # s sed -i "/^$HOSTNAME:/d" /p/c/filesystem/etc/exim4/passwd
70 # echo "$HOSTNAME:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
71 # reference: exim4_passwd_client(5)
72 # echo "mail.iankelling.org:$HOSTNAME:$(<$f)" > /p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
73 # # then run this script
75 # # dovecot password, i just need 1 as I\'m the only user
76 # mkdir /p/c/filesystem/etc/dovecot
77 # echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
79 ####### end perstent password instructions ######
82 # * persistent dkim/dns instructions
83 # # Remove 1 level of comments in this section, set the domain var
84 # # for the domain you are setting up, then run this and copy dns settings
86 # domain=iankelling.org
87 # c /p/c/filesystem/etc/exim4
88 # # this has several bugs addressed in comments, but it was helpful
89 # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
91 # openssl genrsa -out $domain-private.pem 2048 -outform PEM
92 # openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
93 # # selector is needed for having multiple keys for one domain.
94 # # I dun do that, so just use a static one: li
95 # echo "txt record name: li._domainkey.$domain"
96 # # Debadmin page does not have v=, fastmail does, and this
97 # # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
98 # # https://www.ietf.org/rfc/rfc6376.txt
99 # # Join and print all but first and last line.
100 # # last line: swap hold & pattern, remove newlines, print.
101 # # lines 2+: append to hold space
102 # echo "txt record contents:"
103 # echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
104 # # selector was also put into /etc/exim4/conf.d/main/000_local,
106 # # 2017-02 dmarc policies:
107 # # host -t txt _dmarc.gmail.com
108 # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
109 # # there were articles claiming gmail would be changing
110 # # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
111 # # expected to cause problems
112 # # with a few old mailing lists, copying theirs for now.
114 # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
116 # # 2017-02 spf policies:
117 # # host -t txt lists.fedoraproject.org
118 # # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
119 # # i include fastmail\'s settings, per their instructions,
120 # # and follow their policy. In mail in a box, or similar instructions,
121 # # I\'ve seen recommended to not use a restrictive policy.
123 # # to check if dns has updated, you do
124 # host -a mesmtp._domainkey.$domain
127 # # setting it to iankelling.org would work the same, but this
128 # # is more flexible, I could change where mail.iankelling.org pointed.
130 # mx records, 2 records each, for * and empty domain
131 # pri 10 mail.iankelling.org
133 ####### end persistent dkim instructions #########
136 # * functions constants
137 e
() { printf "%s\n" "$*"; }
138 pi
() { # package install without starting daemons
140 if dpkg
-s -- "$@" &> /dev
/null
; then
143 while fuser
/var
/lib
/dpkg
/lock
&>/dev
/null
; do sleep 1; done
144 f
=/var
/cache
/apt
/pkgcache.bin
;
145 if [[ ! -r $f ]] ||
(( $
(( $
(date +%s
) - $
(stat
-c %Y
$f ) )) > 60*60*12 )); then
148 f
=/usr
/sbin
/policy-rc.d
149 dd of
=$f 2>/dev
/null
<<EOF
155 DEBIAN_FRONTEND
=noninteractive m apt-get
-y install --purge --auto-remove "$@" || ret
=$?
158 err-exit
$ret "failed apt-get install above"
163 mxhost
=mail.iankelling.org
167 # old setup. left as comment for example
168 # mxhost=mail.messagingengine.com
170 # forward=ian@iankelling.org
172 smarthost
="$mxhost::$mxport"
174 ## * Install packages
175 # light version of exim does not have sasl auth support.
176 pi exim4-daemon-heavy spamassassin spf-tools-perl dnsmasq openvpn
178 if [[ $
(debian-codename
) == etiona
]]; then
179 # ip6tables stopped loading on boot. openvpn has reduced capability set,
180 # so running iptables as part of openvpn startup wont work. This should do it.
181 # todo: im sure there is a better way.
182 yes no | pi iptables-persistent ||
[[ $?
== 141 ]]
183 cat >/etc
/iptables
/rules.v6
<<'EOF'
190 ip6tables
-S &>/dev
/null
193 # our nostart pi fails to avoid enabling
194 sudo systemctl disable openvpn
196 # trisquel 8 = openvpn, debian stretch = openvpn-client
197 vpn_ser
=openvpn-client
198 if [[ ! -e /lib
/systemd
/system
/openvpn-client@.service
]]; then
202 uhome
=$
(eval echo ~
$u)
203 ### * user forward file
207 # afaik, these will get ignored on MAIL_HOST because they are routing to my own
208 # machine, but rm them is safer
209 rm -fv $uhome/.forward
/root
/.forward
212 # this can\'t be a symlink and has permission restrictions
213 # it might work in /etc/aliases, but this seems more proper.
214 e setting
$uhome/.forward to
$forward
215 install -m 644 {-o,-g}$u <(e
$forward) $uhome/.forward
219 # * Mail clean cronjob
221 cat >/etc
/systemd
/system
/mailclean.timer
<<'EOF'
223 Description=Run mailclean daily
229 WantedBy=timers.target
232 cat >/etc
/systemd
/system
/mailclean.service
<<EOF
234 Description=Delete and archive old mail files
235 After=multi-user.target
240 ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
243 systemctl daemon-reload
248 if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
249 m systemctl stop spamassassin
250 m systemctl disable spamassassin
254 sed -i '/^\s*CRON\s*=/d' /etc
/default
/spamassassin
255 e CRON
=1 >>/etc
/default
/spamassassin
256 # just noticed this in the config file, seems like a good idea.
257 sed -i '/^\s*NICE\s*=/d' /etc
/default
/spamassassin
258 e
'NICE="--nicelevel 15"' >>/etc
/default
/spamassassin
260 m systemctl
enable spamassassin
261 m systemctl start spamassassin
262 m systemctl reload spamassassin
264 cat >/etc
/systemd
/system
/spamddnsfix.service
<<'EOF'
266 Description=spamd dns bug fix cronjob
270 ExecStart=/a/bin/distro-setup/spamd-dns-fix
272 # 2017-09, debian closed the bug on this saying upstream had fixed it.
273 # remove this when i\'m using the newer package, ie, debian 10, or maybe
275 cat >/etc
/systemd
/system
/spamddnsfix.timer
<<'EOF'
277 Description=run spamd bug fix script every 10 minutes
281 # the script looks back 9 minutes into the journal,
282 # it takes a second to run,
283 # so lets run every 9 minutes and 10 seconds.
287 WantedBy=timers.target
289 m systemctl daemon-reload
290 m systemctl restart spamddnsfix.timer
291 m systemctl
enable spamddnsfix.timer
293 fi # [[ $HOSTNAME != "$MAIL_HOST" ]]
294 ##### end spamassassin config
298 if [[ -e /p
/c
/filesystem
]]; then
299 # allow failure of these commands when our internet is down, they are likely not needed,
300 # we check that a valid cert is there already.
301 # to put the hostname in the known hosts
302 if ! ssh -o StrictHostKeyChecking
=no root@li.iankelling.org
:; then
303 # This just causes failure if our cert is going to expire in the next 30 days.
304 # Certs I generate last 10 years.
305 openssl x509
-checkend $
(( 60 * 60 * 24 * 30 )) -noout -in /etc
/openvpn
/mail.crt
307 # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
308 # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
309 # after my internet was down for a bit:
310 # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
311 m
/a
/exe
/vpn-mk-client-cert
-b mail -n mail -s /b
/ds
/mail-route li.iankelling.org
317 f
=/usr
/local
/bin
/mail-cert-cron
321 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
323 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
325 f=/a/bin/bash_unpublished/source-state
329 if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
332 local_mx=mail.iankelling.org
333 mkdir -p /etc/letsencrypt/live/$local_mx
334 chmod 700 /etc/letsencrypt/live
335 rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
336 # allow for temporary connection issues
337 ${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
338 ${rsync_common}privkey.pem /etc/exim4/exim.key ||:
339 if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
340 echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
347 cat >/etc
/systemd
/system
/mailcert.service
<<'EOF'
349 Description=Mail cert rsync
350 After=multi-user.target
354 ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
357 cat >/etc
/systemd
/system
/mailcert.timer
<<'EOF'
359 Description=Run mail-cert once a day
365 WantedBy=timers.target
367 m systemctl daemon-reload
368 m systemctl start mailcert
369 m systemctl restart mailcert.timer
370 m systemctl
enable mailcert.timer
374 # * common exim4 config
375 source /a
/bin
/bash_unpublished
/source-state
377 if [[ ! $MAIL_HOST ]]; then
378 err
"\$MAIL_HOST not set"
381 m sudo gpasswd
-a iank adm
#needed for reading logs
384 ### make local bounces go to normal maildir
385 # local mail that bounces goes to /Maildir or /root/Maildir
386 dirs=(/m
/md
/bounces
/{cur
,tmp
,new
})
387 m mkdir
-p ${dirs[@]}
388 m chown iank
:iank
/m
/m
/md
389 m
ln -sfT /m
/md
/m
/iank
391 m chown
-R $u:Debian-exim
/m
/md
/bounces
392 m
chmod 775 ${dirs[@]}
393 m usermod
-a -G Debian-exim
$u
394 for d
in /Maildir
/root
/Maildir
; do
395 if [[ ! -L $d ]]; then
398 m
ln -sf -T /m
/md
/bounces
$d
401 # Note, even the server needs permissions of this file right
402 # if it exists, so do this up here.
403 f
=/p
/c
/filesystem
/etc
/exim
4/passwd.client
404 if [[ ! -e $f ]]; then
405 f
=/p
/c
/machine_specific
/$HOSTNAME/filesystem
/etc
/exim
4/passwd.client
407 m sudo rsync
-ahhi --chown=root
:Debian-exim
--chmod=0640 $f /etc
/exim
4/
409 # by default, only 10 days of logs are kept. increase that.
410 m
sed -ri 's/^(\s*rotate\s).*/\11000/' /etc
/logrotate.d
/exim4-base
413 ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
414 # i only need .forwards, so just doing that one.
415 cd /etc
/exim
4/conf.d
/router
416 b
=userforward_higher_priority
417 # replace the router name so it is unique
418 sed -r s
/^
\\S
+:/$b:/ 600_exim4-config_userforward
>175_
$b
421 rm -vf /etc
/exim
4/conf.d
/main
/000_localmacros
# old filename
422 cat >/etc
/exim
4/conf.d
/main
/000_local
<<EOF
423 MAIN_TLS_ENABLE = true
425 # debian exim config added this in 2016 or so?
426 # it's part of the smtp spec, to limit lines to 998 chars
427 # but a fair amount of legit mail does not adhere to it. I don't think
428 # this should be default, like it says in
429 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
430 # todo: the bug for introducing this was about headers, but
431 # the fix maybe is for all lines? one says gmail rejects, the
432 # other says gmail does not reject. figure out and open a new bug.
433 IGNORE_SMTP_LINE_LENGTH_LIMIT = true
436 MAIN_LOG_SELECTOR = +all
439 # normally empty, I set this so I can set the envelope address
440 # when doing mail redelivery to invoke filters. Also allows
441 # me exiqgrep and stuff.
442 MAIN_TRUSTED_GROUPS = $u
444 # default is 10. when exim has been down for a bit, fsf mailserver
445 # will do a big send in one connection, then exim decides to put
446 # the messages in the queue instead of delivering them, to avoid
447 # spawning too many delivery processes. Pretty sure my system
448 # can handle a lot more, but lets go with this.
449 smtp_accept_queue_per_connection = 100
456 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
458 # The file is based on the outgoing domain-name in the from-header.
459 DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
461 DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
463 # most of the ones that gmail seems to use.
464 # Exim has horrible default of signing unincluded
465 # list- headers since they got mentioned in an
466 # rfc, but this messes up mailing lists, like gnu/debian which want to
467 # keep your dkim signature intact but add list- headers.
468 DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
471 rm -fv /etc
/exim
4/rcpt_local_acl
# old path
472 cat >/etc
/exim
4/conf.d
/rcpt_local_acl
<<'EOF'
473 # Only hosts we control send to @mail.iankelling.org, so make sure
474 # they are all authed.
475 # Note, if we wanted authed senders for all domains,
476 # we could make this condition in acl_check_mail
478 message = ian trusted domain recepient but no auth
480 domains = mail.iankelling.org
482 rm -fv /etc
/exim
4/data_local_acl
# old path
483 cat >/etc
/exim
4/conf.d
/data_local_acl
<<'EOF'
484 # Except for the "condition =", this was
485 # a comment in the check_data acl. The comment about this not
486 # being suitable is mostly bs. The only thing related I found was to
487 # add the condition =, cuz spamassassin has problems with big
488 # messages and spammers don't bother with big messages,
489 # but I've increased the size from 10k
490 # suggested in official docs, and 100k in the wiki example because
491 # those docs are rather old and I see a 110k spam message
492 # pretty quickly looking through my spam folder.
494 condition = ${if < {$message_size}{2000K}}
495 spam = Debian-exim:true
496 add_header = X-Spam_score: $spam_score\n\
497 X-Spam_score_int: $spam_score_int\n\
498 X-Spam_bar: $spam_bar\n\
499 X-Spam_report: $spam_report
502 # spf = pass:fail:softfail:none:neutral:permerror:temperror
503 # dmarc_status = reject:quarantine
504 # add_header = Reply-to: dmarctest@iankelling.org
507 cat >/etc
/exim
4/conf.d
/auth
/29_exim4-config_auth
<<'EOF'
508 # from 30_exim4-config_examples
513 server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
514 server_set_id = $auth2
516 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
517 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
521 cat >/etc
/exim
4/conf.d
/router
/900_exim4-config_local_user
<<'EOF'
522 ### router/900_exim4-config_local_user
523 #################################
525 # This router matches local user mailboxes. If the router fails, the error
526 # message is "Unknown user".
529 debug_print = "R: local_user for $local_part@$domain"
531 domains = +local_domains
532 # ian: commented this, in conjunction with a dovecot lmtp
533 # change so I get mail for all users.
536 transport = LOCAL_DELIVERY
537 cannot_route_message = Unknown user
539 cat >/etc
/exim
4/conf.d
/transport
/30_exim4-config_dovecot_lmtp
<<'EOF'
542 socket = /var/run/dovecot/lmtp
543 #maximum number of deliveries per batch, default 1
547 # this avoids some error. i cant remember what. todo:
548 # test it out and document why/if its needed.
549 cat >/etc
/exim
4/host_local_deny_exceptions
<<'EOF'
554 # for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
555 # and also have mail.iankelling.org whitelisted as a relay domain.
556 # I could avoid that if I changed this to submit to 587 with a
557 # password like a standard mua.
558 cat >/etc
/exim
4/conf.d
/router
/190_exim4-config_fsfsmarthost
<<'EOF'
559 # smarthost for fsf mail
560 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
561 # replaced DCsmarthost with mail.fsf.org
563 debug_print = "R: smarthost for $local_part@$domain"
565 domains = ! +local_domains
567 transport = remote_smtp_smarthost
568 route_list = * mail.fsf.org byname
569 host_find_failed = ignore
570 same_domain_copy_routing = yes
575 cat >/etc
/exim
4/update-exim4.conf.conf
<<'EOF'
576 # default stuff, i havent checked if its needed
577 dc_minimaldns='false'
580 dc_use_split_config='true'
581 dc_local_interfaces=''
582 dc_mailname_in_oh='true'
588 # based on a little google and package search, just the dovecot
589 # packages we need instead of dovecot-common.
591 # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
592 # directly. The reason to do this is to use dovecot\'s sieve, which
593 # has extensions that allow it to be almost equivalent to exim\'s
594 # filter capabilities, some ways probably better, some worse, and
595 # sieve has the benefit of being supported in postfix and
596 # proprietary/weird environments, so there is more examples on the
597 # internet. I was torn about whether to do this or not, meh.
598 pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
600 for f
in /p
/c
{/machine_specific
/$HOSTNAME,}/filesystem
/etc
/dovecot
/users
; do
603 m sudo rsync
-ahhi --chown=root
:dovecot
--chmod=0640 $f /etc
/dovecot
/
607 for f
in /p
/c
/subdir_files
/sieve
/*sieve
/a
/c
/subdir_files
/sieve
/*sieve
; do
608 m sudo
-u $u /a
/exe
/lnf
-T $f $uhome/sieve
/${f##*/}
612 # If we changed 90-sieve.conf and removed the active part of the
613 # sieve option, we wouldn\'t need this, but I\'d rather not modify a
614 # default config if not needed. This won\'t work as a symlink in /a/c
616 m sudo
-u $u /a
/exe
/lnf
-T sieve
/main.sieve
$uhome/.dovecot.sieve
618 if [[ ! -e $uhome/sieve
/personal.sieve
]]; then
619 touch $uhome/sieve
/personal
{,end
}{,test}.sieve
622 # we set this later in local.conf
623 sed -ri -f - /etc
/dovecot
/conf.d
/10-mail.conf
<<'EOF'
624 /^\s*mail_location\s*=/d
627 cat >/etc
/dovecot
/conf.d
/20-lmtp.conf
<<EOF
629 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
630 mail_plugins = \$mail_plugins sieve
632 #mail_plugins = \$mail_plugins
634 # For a normal setup with exim, we need something like this, which
635 # removes the domain part
636 # auth_username_format = %Ln
638 # or else # Exim says something like
639 # "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
640 # Dovecot verbose log says something like
641 # "auth-worker(9048): passwd(someuser@somedomain): unknown user"
642 # reference: http://wiki.dovecot.org/LMTP/Exim
644 # However, I use this to direct all mail to the same inbox.
645 # A normal way to do this, which I did at first is to have
646 # a router in exim almost at the end, eg 950,
648 # debug_print = "R: catchall for \$local_part@\$domain"
650 # domains = +local_domains
653 # http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
654 # with superflous options removed.
655 # However, this causes the envelope to be rewritten,
656 # which makes filtering into mailboxes a little less robust or more complicated,
657 # so I've done it this way instead. it also requires
658 # modifying the local router in exim.
659 auth_username_format = $u
665 cat >/etc
/dovecot
/local.conf
<<EOF
666 # so I can use a different login that my shell login for mail. this is
667 # worth doing solely for the reason that if this login is compromised,
668 # it won't also compromise my shell password.
669 !include conf.d/auth-passwdfile.conf.ext
671 # settings derived from wiki and 10-ssl.conf
673 ssl_cert = </etc/exim4/exim.crt
674 ssl_key = </etc/exim4/exim.key
675 # https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
676 # in my cert cronjob, I check if that has changed upstream.
677 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
679 # ian: added this, more secure, per google etc
680 ssl_prefer_server_ciphers = yes
682 # ian: %u is used for alerts user vs iank
683 mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
687 # for debugging info, uncomment these.
688 # logs go to syslog and to /var/log/mail.log
692 ####### end dovecot-setup ########
701 m systemctl
enable dovecot
702 m systemctl restart dovecot
703 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
704 # note: some things we don't set that are here by default because they are unused.
705 dc_eximconfig_configtype='internet'
706 dc_localdelivery='dovecot_lmtp'
708 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
709 # recommended if dns is expected to work
710 CHECK_RCPT_VERIFY_SENDER = true
711 # seems like a good idea
712 CHECK_DATA_VERIFY_HEADER_SENDER = true
713 CHECK_RCPT_SPF = true
714 CHECK_RCPT_REVERSE_DNS = true
715 CHECK_MAIL_HELO_ISSUED = true
718 m systemctl
enable mailclean.timer
719 m systemctl start mailclean.timer
726 # todo, these pem files look old and useless. whats going on
727 sudo rsync
-ahhi --chown=root
:Debian-exim
--chmod=0640 \
728 /p
/c
/filesystem
/etc
/exim
4/passwd
/p
/c
/filesystem
/etc
/exim
4/*.pem
/etc
/exim
4/
731 # mail.iankelling.org so local imap clients can connect with tls and
732 # when they happen to not be local.
733 sed -ri -f - /etc
/hosts
<<'EOF'
734 /^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
735 /^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
738 # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
739 # weve configured this file in dnsmasq if we are using it.
740 /a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf
<<'EOF' || [[ $? == 1 ]]
741 server=/mail.iankelling.org/127.0.1.1
743 if systemctl is-active dnsmasq
>/dev
/null
; then
744 m systemctl restart dnsmasq
748 # I used to use debconf-set-selections + dpkg-reconfigure,
749 # which then updates this file
750 # but the process is slower than updating it directly and then I want to set other things in
751 # update-exim4.conf.conf, so there's no point.
752 # The file is documented in man update-exim4.conf,
753 # except the man page is not perfect, read the bash script to be sure about things.
755 # The debconf questions output is additional documentation that is not
756 # easily accessible, but super long, along with the initial default comment in this
757 # file, so I've saved that into ./mail-notes.conf.
759 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
760 # man page: is used to build the local_domains list, together with "localhost"
761 # iank.bid is for testing
762 # mail.iankelling.org is for machines i own
763 dc_other_hostnames='*.iankelling.org;iankelling.org;*zroe.org;zroe.org;$HOSTNAME.b8.nz;b8.nz'
768 # the debconf output about mailname is as follows:
769 # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
771 # This name will also be used by other programs. It should be the single, fully
772 # qualified domain name (FQDN).
773 # Thus, if a mail address on the local host is foo@example.org, the correct value for
774 # this option would be example.org.
775 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
777 echo mail.iankelling.org
> /etc
/mailname
779 # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
780 # smarthost config type, not sure. all other settings
781 # would be unused in that config type.
782 cat >>/etc
/exim
4/conf.d
/main
/000_local
<<EOF
783 # enable 587 in addition to the default 25, so that
784 # i can send mail where port 25 is firewalled by isp
785 daemon_smtp_ports = 25 : 587
787 # failing message on mail-tester.com:
788 # We check if there is a server (A Record) behind your hostname kd.
789 # You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
790 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
791 # and this one seemed appropriate from grepping config.
792 # I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
793 # mail to kd, so this should basically be a name that no host has as their
794 # canonical hostname since the actual host sits behind a nat and changes.
795 # Seems logical for this to be the same as mailname.
796 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
798 # options exim has to avoid having to alter the default config files
799 CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
800 CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
804 #dmarc_tld_file = /etc/public_suffix_list.dat
807 f
=/etc
/cron.daily
/refresh-dmarc-tld-file
811 wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
815 sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
816 \$a root: $postmaster
821 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
822 d
=/etc
/systemd
/system
/openvpn@
mail.service.d
824 cat >$d/override.conf
<<'EOF'
827 # time to sleep before restarting a service
831 # StartLimitIntervalSec in recent systemd versions
834 if ! systemctl
cat openvpn@
mail.service|
grep -xF StartLimitInterval
=0 &>/dev
/null
; then
835 # needed for the above config to go into effect
836 m systemctl daemon-reexec
840 m systemctl restart
$vpn_ser@
mail
841 m systemctl
enable $vpn_ser@
mail
844 *) # $HOSTNAME != $MAIL_HOST
845 # remove mail. uses 2 lines to properly remove whitespace
846 sed -ri -f - /etc
/hosts
<<'EOF'
847 s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
848 s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
851 echo |
/a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf ||
[[ $?
== 1 ]]
852 if systemctl is-active dnsmasq
>/dev
/null
; then
853 m systemctl restart dnsmasq
# reload does not ensure new config is used
857 m systemctl disable mailclean.timer
&>/dev
/null ||
:
858 m systemctl stop mailclean.timer
&>/dev
/null ||
:
859 m systemctl disable
$vpn_ser@
mail
860 m systemctl stop
$vpn_ser@
mail
863 # would only exist because I wrote it i the previous condition,
864 # it\'s not part of exim
865 rm -fv /etc
/exim
4/conf.d
/main
/000_localmacros
866 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
867 dc_eximconfig_configtype='smarthost'
868 dc_smarthost='$smarthost'
869 # The manpage incorrectly states this will do header rewriting, but
870 # that only happens if we have dc_hide_mailname is set.
871 dc_readhost='iankelling.org'
874 hostname
-f >/etc
/mailname
878 ## we use this host to monitor MAIL_HOST
881 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
882 # man page: is used to build the local_domains list, together with "localhost"
883 # mail.iankelling.org is for machines i own
884 dc_other_hostnames='l2.b8.nz'
886 # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
888 sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
893 # not l2 and not MAIL_HOST
897 # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
899 sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
900 \$a root: root@mail.iankelling.org
903 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
904 # Only used in case of bounces.
905 dc_localdelivery='maildir_home'
907 m systemctl disable dovecot ||
:
908 m systemctl stop dovecot ||
:
910 esac # end $HOSTNAME != $MAIL_HOST
914 # ** bind mount setup
915 # put spool dir in directory that spans multiple distros.
916 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
918 # todo: I\'m suspicious of uids for Debian-exim being the same across
919 # distros. It would be good to test this.
921 sdir
=/var
/spool
/exim4
922 # we only do this if our system has $dir
924 # this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
925 # about 2 seconds later, exim starts, and immediately puts into paniclog:
926 # honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
927 # so, im trying a bind mount to get rid of that.
928 if [[ -e /nocow
]]; then
929 if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc
/fstab
; then
930 echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc
/fstab
932 if ! mountpoint
-q $sdir; then
933 m systemctl stop exim4
934 if [[ -L $sdir ]]; then
937 if [[ ! -e $dir && -d $sdir ]]; then
940 if [[ ! -d $sdir ]]; then
942 m
chmod 000 $sdir # only want it to be used when its mounted
950 # ** exim/spool uid setup
951 # i have the spool directory be common to distro multi-boot, so
952 # we need the uid to be the same. 608 cuz it's kind of in the middle
953 # of the free system uids.
954 IFS
=:; read -r _ _ uid _
< <(getent passwd Debian-exim ||
:) ||
:; unset IFS
955 IFS
=:; read -r _ _ gid _
< <(getent group Debian-exim ||
:) ||
:; unset IFS
956 if [[ ! $uid ]]; then
957 # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
958 m adduser
--uid 608 --system --group --quiet --home /var
/spool
/exim4 \
959 --no-create-home --disabled-login --force-badname Debian-exim
960 elif [[ $uid != 608 ]]; then
961 m systemctl stop exim4 ||
:
962 m usermod
-u 608 Debian-exim
963 m groupmod
-g 608 Debian-exim
964 m usermod
-g 608 Debian-exim
965 m
find / /nocow
-path .
/var
/tmp
-prune -o -xdev -uid $uid -execdir chown
-h 608 {} +
966 m
find / /nocow
-path .
/var
/tmp
-prune -o -xdev -gid $gid -execdir chgrp
-h 608 {} +
974 if systemctl is-active exim4
>/dev
/null
; then
975 m systemctl reload exim4
977 m systemctl start exim4
981 # * mail monitoring / testing
985 # note: cronjob "ian" also does some important monitoring
986 cat >/etc
/cron.d
/mailtest
<<EOF
988 PATH=/usr/bin:/bin:/usr/local/bin
989 */5 * * * * $u send-test-forward |& log-once send-test-forward
990 */10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
991 */5 * * * * $u mailtest-check |& log-once -1 mailtest-check
995 test_from
=ian@iankelling.org
996 test_to
=testignore@l2.b8.nz
998 cat >>/etc
/cron.d
/mailtest
<<EOF
999 2 * * * * $u check-remote-mailqs |& log-once check-remote-mailqs
1001 m sudo rsync
-ahhi --chown=root
:root
--chmod=0755 \
1002 /b
/ds
/mailtest-check
/b
/ds
/check-remote-mailqs
/usr
/local
/bin
/
1005 test_from
=iank@l2.b8.nz
1006 test_to
=testignore@iankelling.org
1009 cat >/usr
/local
/bin
/send-test-forward
<<EOFOUTER
1011 /usr/sbin/exim -t <<EOF
1014 Subject: primary_test \$(date +%s) \$(date +%Y-%m-%dT%H:%M:%S%z)
1019 m
chmod +x
/usr
/local
/bin
/send-test-forward
1022 rm -fv /etc
/cron.d
/mailtest
1029 m sudo
-u $u ln -sf -T /m
/.mu
/home
/$u/.mu
1032 # /etc/alias setup is debian specific, and exim postinst script sets up
1033 # an /etc/alias from root to the postmaster, based on the question
1034 # exim4-config exim4/dc_postmaster, as long as there exists an entry for
1035 # root, or there was no preexisting aliases file. postfix won\'t set up
1036 # a root to $postmaster alias if it\'s already installed. Easiest to
1037 # just set it ourselves.
1039 # debconf question for postmaster:
1040 # Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
1041 # to the user account of the actual system administrator.
1042 # If this value is left empty, such mail will be saved in /var/mail/mail, which is not
1044 # Note that postmaster\'s mail should be read on the system to which it is directed,
1045 # rather than being forwarded elsewhere, so (at least one of) the users listed here
1046 # should not redirect their mail off this machine. A 'real-' prefix can be used to
1047 # force local delivery.
1048 # Multiple user names need to be separated by spaces.
1049 # Root and postmaster mail recipient: