4 # Copyright (C) 2016 Ian Kelling
6 # Licensed under the Apache License, Version 2.0 (the "License");
7 # you may not use this file except in compliance with the License.
8 # You may obtain a copy of the License at
10 # http://www.apache.org/licenses/LICENSE-2.0
12 # Unless required by applicable law or agreed to in writing, software
13 # distributed under the License is distributed on an "AS IS" BASIS,
14 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 # See the License for the specific language governing permissions and
16 # limitations under the License.
18 # todo: make quick backups of maildir, or deliver to multiple hosts.
21 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
23 [[ $EUID == 0 ]] ||
exec sudo
-E "$BASH_SOURCE" "$@"
24 if [[ ! $SUDO_USER ]]; then
25 echo "$0: error: requires running as nonroot or sudo"
34 Setup exim4 & dovecot & related things
36 The minimal assumption we have is that /etc/mailpass exists
39 -h|--help Print help and exit.
46 ####### instructions for icedove #####
47 # Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
48 # we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
50 # hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
51 # background: ovecot does not yet have ocsp stapling support
52 # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
54 # for phone, same thing but username alerts, pass in ivy-pass.
58 ####### begin perstent password instructions ######
60 # # for hosts which have all private files I just use the same user
61 # # for other hosts, each one get\'s their own password.
62 # # for generating secure pass, and storing for server too:
63 # # user=USUALLY_SAME_AS_HOSTNAME
66 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
67 # s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
68 # echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
69 # # todo: port is no longer used in mailpass, remove it.
70 # echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
71 # # then run this script, or part of it which uses /etc/mailpass
73 # # dovecot password, i just need 1 as I\'m the only user
74 # mkdir /p/c/filesystem/etc/dovecot
75 # echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
80 # # for ad-hoc testing of some random new host sending mail:
81 # user=li # client host username & hostname
83 # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
84 # s sed -i "/^$user:/d" /etc/exim4/passwd
85 # echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd
86 # echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client
87 ####### end perstent password instructions ######
90 ####### begin persistent dkim/dns instructions #########
91 # # Remove 1 level of comments in this section, set the domain var
92 # # for the domain you are setting up, then run this and copy dns settings
94 # domain=iankelling.org
95 # c /p/c/filesystem/etc/exim4
96 # # this has several bugs addressed in comments, but it was helpful
97 # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
99 # openssl genrsa -out $domain-private.pem 2048 -outform PEM
100 # openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
101 # # selector is needed for having multiple keys for one domain.
102 # # I dun do that, so just use a static one: li
103 # echo "txt record name: li._domainkey.$domain"
104 # # Debadmin page does not have v=, fastmail does, and this
105 # # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
106 # # https://www.ietf.org/rfc/rfc6376.txt
107 # # Join and print all but first and last line.
108 # # last line: swap hold & pattern, remove newlines, print.
109 # # lines 2+: append to hold space
110 # echo "txt record contents:"
111 # echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
112 # chmod 644 $domain.pem
113 # chmod 640 $domain-private.pem
114 # # in conflink, we chown these to group debian
116 # # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
117 # # via the mail-setup scripts
119 # # 2017-02 dmarc policies:
120 # # host -t txt _dmarc.gmail.com
121 # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
122 # # there were articles claiming gmail would be changing
123 # # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
124 # # expected to cause problems
125 # # with a few old mailing lists, copying theirs for now.
127 # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
129 # # 2017-02 spf policies:
130 # # host -t txt lists.fedoraproject.org
131 # # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
132 # # i include fastmail\'s settings, per their instructions,
133 # # and follow their policy. In mail in a box, or similar instructions,
134 # # I\'ve seen recommended to not use a restrictive policy.
135 # echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"
137 # # to check if dns has updated, you do
138 # host -a mesmtp._domainkey.$domain
141 # # setting it to iankelling.org would work the same, but this
142 # # is more flexible, I could change where mail.iankelling.org pointed.
144 # mx records, 2 records each, for * and empty domain
145 # pri 10 mail.iankelling.org
146 # pri 20 in1-smtp.messagingengine.com
147 # pri 30 in2-smtp.messagingengine.com
149 ####### end persistent dkim instructions #########
154 # /usr/share/doc/exim4-base/README.Debian.gz
155 # /usr/share/doc/exim4-base/spec.txt.gz
157 # routers, transports, and authenticators are sections, and you define
158 # driver instances in those sections, and the manual calls them driver
159 # types but there is also a more specific "type" of driver, which is specified
160 # with the driver = some_module setting in the driver.
162 # the driver option must precede and private options (options that are
163 # specific to that driver), so follow example of putting it at beginning.
165 # The full list of option settings for any particular driver instance,
166 # including all the defaulted values, can be extracted by making use of
167 # the -bP command line option.
168 # exim -bP config_file to see what config file it used
169 # exim -bP config to see
171 # exim clear out message queue. as root:
172 # adapted from somewhere on stackoverflow.
173 # ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4
175 # fastmail has changed their smtp server, but the old one still works,
176 # I see no reason to bother changing.
177 # New one is smtp.fastmail.com
179 # test delivery & rewrite settings:
180 #exim4 -bt iank@localhost
183 e
() { printf "%s\n" "$*"; }
184 pi
() { # package install
186 if dpkg
-s -- "$@" &> /dev
/null
; then
189 while fuser
/var
/lib
/dpkg
/lock
&>/dev
/null
; do sleep 1; done
190 f
=/var
/cache
/apt
/pkgcache.bin
;
191 if [[ ! -r $f ]] ||
(( $
(( $
(date +%s
) - $
(stat
-c %Y
$f ) )) > 60*60*12 )); then
194 apt-get
-y install --purge --auto-remove "$@"
198 mxhost
=mail.iankelling.org
202 # old setup. left as comment for example
203 # mxhost=mail.messagingengine.com
205 # forward=ian@iankelling.org
207 smarthost
="$mxhost::$mxport" # exim
209 # trisquel 8 = openvpn, debian stretch = openvpn-client
210 vpn_ser
=openvpn-client
211 if [[ ! -e /lib
/systemd
/system
/openvpn-client@.service
]]; then
215 if [[ $HOSTNAME == $MAIL_HOST ]]; then
216 # afaik, these will get ignored because they are routing to my own
217 # machine, but rm them is safer
218 rm -f $
(eval echo ~
$u)/.forward
/root
/.forward
220 # this can\'t be a symlink and has permission restrictions
221 # it might work in /etc/aliases, but this seems more proper.
222 install -m 644 {-o,-g}$u <(e
$forward) $
(eval echo ~
$u)/.forward
228 if [[ -e /p
/c
/filesystem
]]; then
229 # allow failure of these commands when our internet is down, they are likely not needed,
230 # we check that a valid cert is there already.
231 # to put the hostname in the known hosts
232 if ! ssh -o StrictHostKeyChecking
=no root@li.iankelling.org
:; then
233 # This just causes failure if our cert is going to expire in the next 30 days.
234 # Certs I generate last 10 years.
235 openssl x509
-checkend $
(( 60 * 60 * 24 * 30 )) -noout -in /etc
/openvpn
/mail.crt
237 # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
238 # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
239 # after my internet was down for a bit:
240 # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
241 /a
/exe
/vpn-mk-client-cert
-b mail -n mail -s /b
/ds
/mail-route li.iankelling.org
246 cat >/etc
/systemd
/system
/mailclean.timer
<<'EOF'
248 Description=Run mailclean daily
254 WantedBy=timers.target
257 cat >/etc
/systemd
/system
/mailclean.service
<<EOF
259 Description=Delete and archive old mail files
260 After=multi-user.target
265 ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
268 systemctl daemon-reload
271 source /a
/bin
/bash_unpublished
/source-state
272 mkdir
-p /etc
/exim
4/conf.d
/{main
,transport
,auth
,router
}
274 cat >/etc
/exim
4/rcpt_local_acl
<<'EOF'
275 # Only hosts we control send to mail.iankelling.org, so make sure
276 # they are all authed.
277 # Note, if we wanted authed senders for all domains,
278 # we could make this condition in acl_check_mail
280 message = ian trusted domain recepient but no auth
282 domains = mail.iankelling.org
284 cat >/etc
/exim
4/data_local_acl
<<'EOF'
285 # Except for the "condition =", this was
286 # a comment in the check_data acl. The comment about this not
287 # being suitable is mostly bs. The only thing related I found was to
288 # add the condition =, cuz spamassassin has problems with big
289 # messages and spammers don't bother with big messages,
290 # but I've increased the size from 10k
291 # suggested in official docs, and 100k in the wiki example because
292 # those docs are rather old and I see a 110k spam message
293 # pretty quickly looking through my spam folder.
295 condition = ${if < {$message_size}{2000K}}
296 spam = Debian-exim:true
297 add_header = X-Spam_score: $spam_score\n\
298 X-Spam_score_int: $spam_score_int\n\
299 X-Spam_bar: $spam_bar\n\
300 X-Spam_report: $spam_report
303 cat >/etc
/exim
4/conf.d
/auth
/29_exim4-config_auth
<<'EOF'
304 # from 30_exim4-config_examples
309 server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
310 server_set_id = $auth2
312 .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
313 server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
317 cat >/etc
/exim
4/conf.d
/router
/900_exim4-config_local_user
<<'EOF'
318 ### router/900_exim4-config_local_user
319 #################################
321 # This router matches local user mailboxes. If the router fails, the error
322 # message is "Unknown user".
325 debug_print = "R: local_user for $local_part@$domain"
327 domains = +local_domains
328 # ian: commented this, in conjunction with a dovecot lmtp
329 # change so I get mail for all users.
332 transport = LOCAL_DELIVERY
333 cannot_route_message = Unknown user
335 cat >/etc
/exim
4/conf.d
/transport
/30_exim4-config_dovecot_lmtp
<<'EOF'
338 socket = /var/run/dovecot/lmtp
339 #maximum number of deliveries per batch, default 1
343 cat >/etc
/exim
4/conf.d
/router
/190_exim4-config_fsfsmarthost
<<'EOF'
344 # smarthost for fsf mail
345 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
346 # replaced DCsmarthost with mail.fsf.org
348 debug_print = "R: smarthost for $local_part@$domain"
350 domains = ! +local_domains
352 transport = remote_smtp_smarthost
353 route_list = * mail.fsf.org byname
354 host_find_failed = ignore
355 same_domain_copy_routing = yes
360 #### begin mail cert setup ###
361 f
=/usr
/local
/bin
/mail-cert-cron
364 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
366 [[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
368 f=/a/bin/bash_unpublished/source-state
372 if [[ $HOSTNAME == $MAIL_HOST ]]; then
373 local_mx=mail.iankelling.org
374 rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
375 ${rsync_common}fullchain.pem /etc/exim4/exim.crt
377 ${rsync_common}privkey.pem /etc/exim4/exim.key
379 if [[ $ret != $new_ret ]]; then
380 echo "$0: error: differing rsync returns, $ret, $new_ret"
384 if [[ $new_ret != 0 ]]; then
385 if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
386 echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
394 cat >/etc
/systemd
/system
/mailcert.service
<<'EOF'
396 Description=Mail cert rsync
397 After=multi-user.target
401 ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
404 cat >/etc
/systemd
/system
/mailcert.timer
<<'EOF'
406 Description=Run mail-cert once a day
412 WantedBy=timers.target
414 systemctl daemon-reload
415 systemctl start mailcert
416 systemctl restart mailcert.timer
417 systemctl
enable mailcert.timer
419 ##### end mailcert setup #####
422 cat >/etc
/exim
4/update-exim4.conf.conf
<<'EOF'
423 # default stuff, i havent checked if its needed
424 dc_minimaldns='false'
427 dc_use_split_config='true'
428 dc_local_interfaces=''
429 dc_mailname_in_oh='true'
433 if [[ $HOSTNAME == $MAIL_HOST ]]; then
435 # mail.iankelling.org so local imap clients can connect with tls and
436 # when they happen to not be local.
437 sed -ri -f - /etc
/hosts
<<'EOF'
438 /^127\.0\.1\.1.* mail\.iankelling\.org\b/q
439 /^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
441 /a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf
<<'EOF' || [[ $? == 1 ]]
442 server=/mail.iankelling.org/127.0.1.1
444 systemctl reload dnsmasq
446 # I used to use debconf-set-selections + dpkg-reconfigure,
447 # which then updates this file
448 # but the process is slower than updating it directly and then I want to set other things in
449 # update-exim4.conf.conf, so there's no point.
450 # The file is documented in man update-exim4.conf,
451 # except the man page is not perfect, read the bash script to be sure about things.
453 # The debconf questions output is additional documentation that is not
454 # easily accessible, but super long, along with the initial default comment in this
455 # file, so I've saved that into ./mail-notes.conf.
457 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
458 # note: some things we don't set that are here by default because they are unused.
460 dc_eximconfig_configtype='internet'
462 # man page: is used to build the local_domains list, together with “localhost”
463 # iank.bid is for testing
464 # mail.iankelling.org is for machines i own
465 dc_other_hostnames='*.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz'
468 # Is a list of domains for which we accept mail from anywhere on the Internet but which are not delivered locally, e.g.
469 # because this machine serves as secondary MX for these domains. Sets MAIN_RELAY_TO_DOMAINS.
470 # todo: we should not accept from anywhere, only the mx for fsf.
471 dc_relay_domains='*.fsf.org;fsf.org'
475 # the debconf output about mailname is as follows:
476 # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
478 # This name will also be used by other programs. It should be the single, fully
479 # qualified domain name (FQDN).
480 # Thus, if a mail address on the local host is foo@example.org, the correct value for
481 # this option would be example.org.
482 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
484 echo mail.iankelling.org
> /etc
/mailname
486 # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
487 # smarthost config type, not sure. all other settings
488 # would be unused in that config type.
489 rm -f /etc
/exim
4/conf.d
/main
/000_localmacros
# old filename
490 cat >/etc
/exim
4/conf.d
/main
/000_local
<<EOF
491 # enable 587 in addition to the default 25, so that
492 # i can send mail where port 25 is firewalled by isp
493 daemon_smtp_ports = 25 : 587
494 # i don't have ipv6 setup for my vpn tunnel yet.
497 MAIN_TLS_ENABLE = true
503 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
505 # The file is based on the outgoing domain-name in the from-header.
506 DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
508 DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
511 # failing message on mail-tester.com:
512 # We check if there is a server (A Record) behind your hostname kd.
513 # You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
514 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
515 # and this one seemed appropriate from grepping config.
516 # I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
517 # mail to kd, so this should basically be a name that no host has as their
518 # canonical hostname since the actual host sits behind a nat and changes.
519 # Seems logical for this to be the same as mailname.
520 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
522 # normally empty, I set this so I can set the envelope address
523 # when doing mail redelivery to invoke filters
524 MAIN_TRUSTED_GROUPS = $u
526 LOCAL_DELIVERY = dovecot_lmtp
528 # options exim has to avoid having to alter the default config files
529 CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
530 CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
532 # debian exim config added this in 2016 or so?
533 # it's part of the smtp spec, to limit lines to 998 chars
534 # but a fair amount of legit mail does not adhere to it. I don't think
535 # this should be default, like it says in
536 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
537 # todo: the bug for introducing this was about headers, but
538 # the fix maybe is for all lines? one says gmail rejects, the
539 # other says gmail does not reject. figure out and open a new bug.
540 IGNORE_SMTP_LINE_LENGTH_LIMIT = true
542 # most of the ones that gmail seems to use.
543 # Exim has horrible default of signing unincluded
544 # list- headers since they got mentioned in an
545 # rfc, but this messes up mailing lists, like gnu/debian which want to
546 # keep your dkim signature intact but add list- headers.
547 DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
549 # recommended if dns is expected to work
550 CHECK_RCPT_VERIFY_SENDER = true
551 # seems like a good idea
552 CHECK_DATA_VERIFY_HEADER_SENDER = true
553 CHECK_RCPT_SPF = true
554 CHECK_RCPT_REVERSE_DNS = true
555 CHECK_MAIL_HELO_ISSUED = true
559 ####### begin dovecot setup ########
560 # based on a little google and package search, just the dovecot
561 # packages we need instead of dovecot-common.
563 # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
564 # directly. The reason to do this is to use dovecot\'s sieve, which
565 # has extensions that allow it to be almost equivalent to exim\'s
566 # filter capabilities, some ways probably better, some worse, and
567 # sieve has the benefit of being supported in postfix and
568 # proprietary/weird environments, so there is more examples on the
569 # internet. I was torn about whether to do this or not, meh.
570 pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
572 # if we changed 90-sieve.conf and removed the active part of the
573 # sieve option, we wouldn\'t need this, but I\'d rather not modify a
574 # default config if not needed. This won\'t work as a symlink in /a/c
576 sudo
-u $u /a
/exe
/lnf
-T sieve
/main.sieve $
(eval echo ~
$u)/.dovecot.sieve
578 # we set this later in local.conf
579 sed -ri -f - /etc
/dovecot
/conf.d
/10-mail.conf
<<'EOF'
580 /^\s*mail_location\s*=/d
583 cat >/etc
/dovecot
/conf.d
/20-lmtp.conf
<<EOF
585 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
586 mail_plugins = \$mail_plugins sieve
588 #mail_plugins = \$mail_plugins
590 # For a normal setup with exim, we need something like this, which
591 # removes the domain part
592 # auth_username_format = %Ln
594 # or else # Exim says something like
595 # "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
596 # Dovecot verbose log says something like
597 # "auth-worker(9048): passwd(someuser@somedomain): unknown user"
598 # reference: http://wiki.dovecot.org/LMTP/Exim
600 # However, I use this to direct all mail to the same inbox.
601 # A normal way to do this, which I did at first is to have
602 # a router in exim almost at the end, eg 950,
604 # debug_print = "R: catchall for \$local_part@\$domain"
606 # domains = +local_domains
609 # http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
610 # with superflous options removed.
611 # However, this causes the envelope to be rewritten,
612 # which makes filtering into mailboxes a little less robust or more complicated,
613 # so I've done it this way instead. it also requires
614 # modifying the local router in exim.
615 auth_username_format = $u
621 cat >/etc
/dovecot
/local.conf
<<'EOF'
622 # so I can use a different login that my shell login for mail. this is
623 # worth doing solely for the reason that if this login is compromised,
624 # it won't also compromise my shell password.
625 !include conf.d/auth-passwdfile.conf.ext
627 # settings derived from wiki and 10-ssl.conf
629 ssl_cert = </etc/exim4/exim.crt
630 ssl_key = </etc/exim4/exim.key
631 # https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
632 # in my cert cronjob, I check if that has changed upstream.
633 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
635 # ian: added this, more secure, per google etc
636 ssl_prefer_server_ciphers = yes
639 mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
643 # for debugging info, uncomment these.
644 # logs go to syslog and to /var/log/mail.log
648 ####### end dovecot setup ########
650 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
651 d
=/etc
/systemd
/system
/openvpn@
mail
653 cat >$d/override.conf
<<'EOF'
656 # time to sleep before restarting a service
660 # StartLimitIntervalSec in recent systemd versions
664 systemctl
enable mailclean.timer
665 systemctl start mailclean.timer
666 systemctl restart
$vpn_ser@
mail
667 systemctl
enable $vpn_ser@
mail
668 systemctl
enable dovecot
669 systemctl restart dovecot
671 else # $HOSTNAME != $MAIL_HOST
672 # remove mail. 2 lines to properly remove whitespace
673 sed -ri -f - /etc
/hosts
<<'EOF'
674 s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
675 s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
678 echo |
/a
/exe
/cedit
mail /etc
/dnsmasq-servers.conf ||
[[ $?
== 1 ]]
679 systemctl reload dnsmasq
681 systemctl disable mailclean.timer
&>/dev
/null ||
:
682 systemctl stop mailclean.timer
&>/dev
/null ||
:
683 systemctl disable
$vpn_ser@
mail
684 systemctl stop
$vpn_ser@
mail
685 systemctl disable dovecot ||
:
686 systemctl stop dovecot ||
:
689 # would only exist because I wrote it i the previous condition,
690 # it\'s not part of exim
691 rm -f /etc
/exim
4/conf.d
/main
/000_localmacros
692 cat >>/etc
/exim
4/update-exim4.conf.conf
<<EOF
693 dc_eximconfig_configtype='satellite'
694 dc_smarthost='$smarthost'
695 dc_readhost='$(hostname -f)'
696 # i dunno if this would ever get used.
697 dc_localdelivery='maildir_home'
701 hostname
-f > /etc
/mailname
703 fi # end $HOSTNAME != $MAIL_HOST
705 systemctl reload exim4
707 # i have the spool directory be common to distro multi-boot, so
708 # we need the uid to be the same. 608 cuz it's kind of in the middle
709 # of the free system uids.
710 IFS
=:; read _ _ uid _
< <(getent passwd Debian-exim ||
:) ||
:; unset IFS
711 IFS
=:; read _ _ gid _
< <(getent group Debian-exim ||
:) ||
:; unset IFS
712 if [[ ! $uid ]]; then
713 # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
714 adduser
--uid 608 --system --group --quiet --home /var
/spool
/exim4 \
715 --no-create-home --disabled-login --force-badname Debian-exim
716 elif [[ $uid != 608 ]]; then
717 systemctl stop exim4 ||
:
718 usermod
-u 608 Debian-exim
719 groupmod
-g 608 Debian-exim
720 usermod
-g 608 Debian-exim
721 find / /nocow
-xdev -uid $uid -exec chown
-h 608 {} +
722 find / /nocow
-xdev -gid $gid -exec chgrp
-h 608 {} +
726 # light version of exim does not have sasl auth support.
727 pi exim4-daemon-heavy spamassassin spf-tools-perl
731 ##### begin spamassassin config
732 systemctl
enable spamassassin
734 sed -i '/^\s*CRON\s*=/d' /etc
/default
/spamassassin
735 e CRON
=1 >>/etc
/default
/spamassassin
736 # just noticed this in the config file, seems like a good idea.
737 sed -i '/^\s*NICE\s*=/d' /etc
/default
/spamassassin
738 e
'NICE="--nicelevel 15"' >>/etc
/default
/spamassassin
739 systemctl start spamassassin
740 systemctl reload spamassassin
742 cat >/etc
/systemd
/system
/spamddnsfix.service
<<'EOF'
744 Description=spamd dns bug fix cronjob
748 ExecStart=/a/bin/distro-setup/spamd-dns-fix
750 # 2017-09, debian closed the bug on this saying upstream had fixed it.
751 # remove this when i\'m using the newer package, ie, debian 10, or maybe
753 cat >/etc
/systemd
/system
/spamddnsfix.timer
<<'EOF'
755 Description=run spamd bug fix script every 10 minutes
759 # the script looks back 9 minutes into the journal,
760 # it takes a second to run,
761 # so lets run every 9 minutes and 10 seconds.
765 WantedBy=timers.target
767 systemctl daemon-reload
768 systemctl restart spamddnsfix.timer
769 systemctl
enable spamddnsfix.timer
771 ##### end spamassassin config
777 # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
778 # i only need .forwards, so just doing that one.
779 cd /etc
/exim
4/conf.d
/router
780 b
=userforward_higher_priority
781 # replace the router name so it is unique
782 sed -r s
/^
\\S
+:/$b:/ 600_exim4-config_userforward
>175_
$b
784 # begin setup passwd.client
785 f
=/etc
/exim
4/passwd.client
786 rm -f /etc
/exim
4/passwd.client
787 install -m 640 -g Debian-exim
/dev
/null
$f
788 while read -r domain _ pass
; do
789 # reference: exim4_passwd_client(5)
790 printf "%s:%s\n" "$domain" "$pass" >>$f
792 # end setup passwd.client
794 # by default, only 10 days of logs are kept. increase that.
795 sed -ri 's/^(\s*rotate\s).*/\11000/' /etc
/logrotate.d
/exim4-base
797 systemctl restart exim4
801 # /etc/alias setup is debian specific, and exim postinst script sets up
802 # an /etc/alias from root to the postmaster, based on the question
803 # exim4-config exim4/dc_postmaster, as long as there exists an entry for
804 # root, or there was no preexisting aliases file. postfix won\'t set up
805 # a root to $postmaster alias if it\'s already installed. Easiest to
806 # just set it ourselves.
808 # debconf question for postmaster:
809 # Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
810 # to the user account of the actual system administrator.
811 # If this value is left empty, such mail will be saved in /var/mail/mail, which is not
813 # Note that postmaster\'s mail should be read on the system to which it is directed,
814 # rather than being forwarded elsewhere, so (at least one of) the users listed here
815 # should not redirect their mail off this machine. A 'real-' prefix can be used to
816 # force local delivery.
817 # Multiple user names need to be separated by spaces.
818 # Root and postmaster mail recipient:
820 if [[ $postmaster != root
]]; then
821 sed -i --follow-symlinks -f - /etc
/aliases
<<EOF
822 \$a root: $postmaster
828 # put spool dir in directory that spans multiple distros.
829 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
831 # todo: I\'m suspicious of uids for Debian-exim being the same across
832 # distros. It would be good to test this.
834 sdir
=/var
/spool
/exim4
835 # we only do this if our system has $dir
837 # this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
838 # about 2 seconds later, exim starts, and immediately puts into paniclog:
839 # honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
840 # so, im trying a bind mount to get rid of that.
841 if [[ -e /nocow
]]; then
842 if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc
/fstab
; then
843 echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >> /etc
/fstab
845 if ! mountpoint
-q $sdir; then
847 if [[ -L $sdir ]]; then
850 if [[ ! -e $dir && -d $sdir ]]; then
853 if [[ ! -d $sdir ]]; then
855 chmod 000 $sdir # only want it to be used when its mounted
861 systemctl restart exim4
862 systemctl
enable exim4
865 if [[ $HOSTNAME == $MAIL_HOST ]]; then
866 cat >/etc
/cron.d
/mailtest
<<'EOF'
867 */10 * * * * iank echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de
868 2/10 * * * * root /usr/local/bin/mailtest-check
870 cp /a
/bin
/distro-setup
/filesystem
/usr
/local
/bin
/mailtest-check
/usr
/local
/bin
872 rm -f /etc
/cron.d
/mailtest
875 # MAIL_HOST also does radicale, and easier to start and stop it here
876 # for when MAIL_HOST changes, so radicale gets the synced files and
877 # does not stop us from remounting /o.
878 if dpkg
-s radicale
&>/dev
/null
; then
879 if [[ $HOSTNAME == $MAIL_HOST ]]; then
880 systemctl restart radicale
881 systemctl
enable radicale
882 if [[ -e /etc
/logrotate.d
/radicale.disabled
]]; then
883 mv /etc
/logrotate.d
/radicale
{.disabled
,}
886 systemctl stop radicale
887 systemctl disable radicale
888 # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
889 if [[ -e /etc
/logrotate.d
/radicale
]]; then
890 mv /etc
/logrotate.d
/radicale
{,.disabled
}