lots of fixes

[distro-setup] / mail-setup

#!/bin/bash
set -x

# Copyright (C) 2016 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# todo: make quick backups of maildir, or deliver to multiple hosts.

set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
if [[ ! $SUDO_USER ]]; then
  echo "$0: error: requires running as nonroot or sudo"
  exit 1
fi
u=$SUDO_USER


usage() {
  cat <<EOF
Usage: ${0##*/} exim4|postfix
Setup exim4 / postfix / dovecot

The minimal assumption we have is that /etc/mailpass exists


I've had problems with postfix on debian:
on stretch, a startup ordering issue caused all mail to fail.
postfix changed defaults to only use ipv6 dns, causing all my mail to fail.
I haven't gotten around to getting a non-debian exim
setup.



-h|--help  Print help and exit.
EOF
  exit $1
}

type=$1
postfix() { [[ $type == postfix ]]; }
exim() { [[ $type == exim4 ]]; }

if ! exim && ! postfix; then
  usage 1
fi



####### begin perstent password instructions ######
# # exim passwords:
# # for hosts which have all private files I just use the same user
# # for other hosts, each one get\'s their own password.
# # for generating secure pass, and storing for server too:
# # user=USUALLY_SAME_AS_HOSTNAME
# user=li
# f=$(mktemp)
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
# # then run this script, or part of it which uses /etc/mailpass

# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
# conflink



# # for ad-hoc testing of some random new host sending mail:
# user=li # client host username & hostname
# f=$(mktemp)
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd
# echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client
####### end perstent password instructions ######


####### begin persistent dkim/dns instructions #########
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# domain=iankelling.org
# c /p/c/filesystem/etc/exim4
# # this has several bugs addressed in comments, but it was helpful
# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

# openssl genrsa -out $domain-private.pem 2048 -outform PEM
# openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
# # selector is needed for having multiple keys for one domain.
# # I dun do that, so just use a static one: li
# echo "txt record name: li._domainkey.$domain"
# # Debadmin page does not have v=, fastmail does, and this
# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
# # https://www.ietf.org/rfc/rfc6376.txt
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
# echo "txt record contents:"
# echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
# chmod 644 $domain.pem
# chmod 640 $domain-private.pem
# # in conflink, we chown these to group debian
# conflink
# # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
# # via the mail-setup scripts

# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
# # there were articles claiming gmail would be  changing
# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
# # expected to cause problems
# # with a few old mailing lists, copying theirs for now.
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"

# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.
# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"

# # to check if dns has updated, you do
# host -a mesmtp._domainkey.$domain

# # mx records,
# # setting it to iankelling.org would work the same, but this
# # is more flexible, I could change where mail.iankelling.org pointed.
# cat <<'EOF'
# mx records, 2 records each, for * and empty domain
# pri 10 mail.iankelling.org
# pri 20 in1-smtp.messagingengine.com
# pri 30 in2-smtp.messagingengine.com
# EOF
####### end  persistent dkim instructions #########


# misc exim notes:
# useful exim docs:
# /usr/share/doc/exim4-base/README.Debian.gz
# /usr/share/doc/exim4-base/spec.txt.gz

# routers, transports, and authenticators are sections, and you define
# driver instances in those sections, and the manual calls them driver
# types but there is also a more specific "type" of driver, which is specified
# with the driver = some_module setting in the driver.

# the driver option must precede and private options (options that are
# specific to that driver), so follow example of putting it at beginning.

# The full list of option settings for any particular driver instance,
# including all the defaulted values, can be extracted by making use of
# the -bP command line option.
# exim -bP config_file to see what config file it used
# exim -bP config to see

# exim clear out message queue. as root:
# adapted from somewhere on stackoverflow.
# ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4

# fastmail has changed their smtp server, but the old one still works,
# I see no reason to bother changing.
# New one is smtp.fastmail.com

# test delivery & rewrite settings:
#exim4 -bt iank@localhost


postconfin() {
  local MAPFILE
  mapfile -t
  local s
  postconf -ev "${MAPFILE[@]}"
}
e() { printf "%s\n" "$*"; }
pi() { # package install
  local s f
  if dpkg -s -- "$@" &> /dev/null; then
    return 0;
  fi;
  while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
  f=/var/cache/apt/pkgcache.bin;
  if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
    apt-get update
  fi
  apt-get -y install --purge --auto-remove "$@"
}

postmaster=$u
mxhost=mail.iankelling.org
mxport=25
forward=$u@$mxhost

# old setup. left as comment for example
# mxhost=mail.messagingengine.com
# mxport=587
# forward=ian@iankelling.org

relayhost="[$mxhost]:$mxport" # postfix
smarthost="$mxhost::$mxport" # exim

# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
  vpn_ser=openvpn
fi

if [[ $HOSTNAME == $MAIL_HOST ]]; then
  # afaik, these will get ignored because they are routing to my own
  # machine, but rm them is safer
  rm -f $(eval echo ~$postmaster)/.forward /root/.forward
else
  # this can\'t be a symlink and has permission restrictions
  # it might work in /etc/aliases, but this seems more proper.
  install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
fi

# offlineimap uses this too, it is much easier to use one location than to
# condition it\'s config and postfix\'s config
if [[ -f /etc/fedora-release ]]; then
  /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
fi

if postfix; then
  # dunno why, but debian installed postfix with builddep emacs
  # but I will just explicitly install it here since
  # I use it for sending mail in emacs.
  if command -v apt-get &> /dev/null; then
    debconf-set-selections <<EOF
postfix postfix/main_mailer_type select Satellite system
postfix postfix/mailname string $(hostname -f)
postfix postfix/relayhost string $relayhost
postfix postfix/root_address string $postmaster
EOF
    if dpkg -s postfix &>/dev/null; then
      while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
      dpkg-reconfigure -u -fnoninteractive postfix
    else
      pi postfix
    fi
  else
    source /a/bin/distro-functions/src/package-manager-abstractions
    pi postfix
    # Settings from reading the output when installing on debian,
    # then seeing which were different in a default install on arch.
    # I assume the same works for fedora.
    postconfin <<EOF
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
relayhost = $relayhost
inet_interfaces = loopback-only
EOF

    systemctl enable postfix
    systemctl start postfix
  fi
  # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
  postconfin <<'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
message_size_limit =  20480000
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
inet_protocols = ipv4
EOF
  # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
  # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
  # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again


  f=/etc/postfix/sasl_passwd
  install -m 600 /dev/null $f
  cat /etc/mailpass| while read -r domain port pass; do
    # format: domain port user:pass
    # mailpass is just a name i made up, since postfix and
    # exim both use a slightly crazy format to translate to
    # each other, it\'s easier to use my own format.
    printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
  done
  postmap hash:/etc/postfix/sasl_passwd
  # need restart instead of reload when changing
  # inet_protocols
  service postfix restart

else # begin exim. has debian specific stuff for now

  pi openvpn

  if [[ -e /p/c/filesystem ]]; then
    # allow failure of these commands when our internet is down, they are likely not needed,
    # we check that a valid cert is there already.
    # to put the hostname in the known hosts
    if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
      # This just causes failure if our cert is going to expire in the next 30 days.
      # Certs I generate last 10 years.
      openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
    else
      # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
      # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
      # after my internet was down for a bit:
      # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
      /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
    fi
  fi

  cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
[Unit]
Description=Run offlineimap-sync once every min

[Timer]
OnCalendar=*:0/1

[Install]
WantedBy=timers.target
EOF

  cat >/etc/systemd/system/offlineimapsync.service <<EOF
[Unit]
Description=Offlineimap sync
After=multi-user.target

[Service]
User=$u
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
EOF
  systemctl daemon-reload

  # wording of question from dpkg-reconfigure exim4-config
  # 1. internet site; mail is sent and received directly using SMTP
  # 2. mail sent by smarthost; received via SMTP or fetchmail
  # 3. mail sent by smarthost; no local mail
  # 4. local delivery only; not on a network
  # 5. no configuration at this time
  #
  # Note, I have used option 2 in the past for receiving mail
  # from lan hosts, sending external mail via another smtp server.
  #
  # Note, other than configtype, we could set all the options in
  # both types of configs without harm, they would either be
  # ignored or be disabled by other settings, but the default
  # local_interfaces definitely makes things more secure.

  # most of these settings get translated into settings
  # in /etc/exim4/update-exim4.conf.conf
  # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
  # documented in man update-exim4.conf, which outputs to the config that
  # exim actually reads. except the man page is not perfect, for example,
  # it doesn't document that it sets
  # DCconfig_${dc_eximconfig_configtype}" "1"
  # which is a line from update-exim4.conf, which is a relatively short bash script.
  # mailname setting sets /etc/mailname

  debconf-set-selections <<EOF
exim4-config exim4/use_split_config boolean true
EOF

  source /a/bin/bash_unpublished/source-semi-priv
  mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}

  cat >/etc/exim4/rcpt_local_acl <<'EOF'
# Only hosts we control send to mail.iankelling.org, so make sure
# they are all authed.
# Note, if we wanted authed senders for all domains,
# we could make this condition in acl_check_mail
deny
  message = ian trusted domain recepient but no auth
  !authenticated = *
  domains = mail.iankelling.org
EOF
  cat >/etc/exim4/data_local_acl <<'EOF'
# Except for the "condition =", this was
# a comment in the check_data acl. The comment about this not
# being suitable is mostly bs. The only thing related I found was to
# add the condition =, cuz spamassassin has problems with big
# messages and spammers don't bother with big messages,
# but I've increased the size from 10k
# suggested in official docs, and 100k in the wiki example because
# those docs are rather old and I see a 110k spam message
# pretty quickly looking through my spam folder.
  warn
    condition = ${if < {$message_size}{2000K}}
    spam = Debian-exim:true
    add_header = X-Spam_score: $spam_score\n\
              X-Spam_score_int: $spam_score_int\n\
              X-Spam_bar: $spam_bar\n\
              X-Spam_report: $spam_report

EOF
  cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples

plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
EOF

  cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################

# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".

local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
# ian: commented this, in conjunction with a dovecot lmtp
# change so I get mail for all users.
#  check_local_user
  local_parts = ! root
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user
EOF
  cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
        driver = lmtp
        socket = /var/run/dovecot/lmtp
        #maximum number of deliveries per batch, default 1
        batch_max = 200
EOF

  cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
# smarthost for fsf mail
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
# replaced DCsmarthost with mail.fsf.org
fsfsmarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  senders = *@fsf.org
  transport = remote_smtp_smarthost
  route_list = * mail.fsf.org byname
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more
EOF


  #### begin mail cert setup ###
  f=/usr/local/bin/mail-cert-cron
  cat >$f <<'EOF'
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"

f=/a/bin/bash_unpublished/source-semi-priv
if [[ -e $f ]]; then
    source $f
fi
if [[ $HOSTNAME == $MAIL_HOST ]]; then
    local_mx=mail.iankelling.org
    rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
    ${rsync_common}fullchain.pem /etc/exim4/exim.crt
    ret=$?
    ${rsync_common}privkey.pem /etc/exim4/exim.key
    new_ret=$?
    if [[ $ret != $new_ret ]]; then
       echo "$0: error: differing rsync returns, $ret, $new_ret"
       exit 1
    fi
fi
if [[ $new_ret != 0 ]]; then
    if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
        echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
        exit 1
    fi
fi
exit 0
EOF
  chmod 755 $f

  cat >/etc/systemd/system/mailcert.service <<'EOF'
[Unit]
Description=Mail cert rsync
After=multi-user.target

[Service]
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF

  cat >/etc/systemd/system/mailcert.timer <<'EOF'
[Unit]
Description=Run mail-cert once a day

[Timer]
OnCalendar=daily

[Install]
WantedBy=timers.target
EOF
  systemctl daemon-reload
  systemctl start mailcert
  systemctl restart mailcert.timer
  systemctl enable mailcert.timer

  ##### end mailcert setup #####



  if [[ $HOSTNAME == $MAIL_HOST ]]; then

    debconf-set-selections <<EOF
# Mail Server configuration
# -------------------------

# Please select the mail server configuration type that best meets your needs.

# Systems with dynamic IP addresses, including dialup systems, should generally be
# configured to send outgoing mail to another machine, called a 'smarthost' for
# delivery because many receiving systems on the Internet block incoming mail from
# dynamic IP addresses as spam protection.

# A system with a dynamic IP address can receive its own mail, or local delivery can be
# disabled entirely (except mail for root and postmaster).

#   1. internet site; mail is sent and received directly using SMTP
#   2. mail sent by smarthost; received via SMTP or fetchmail
#   3. mail sent by smarthost; no local mail
#   4. local delivery only; not on a network
#   5. no configuration at this time

# General type of mail configuration: 1
exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP



# The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
# name.

# This name will also be used by other programs. It should be the single, fully
# qualified domain name (FQDN).

# Thus, if a mail address on the local host is foo@example.org, the correct value for
# this option would be example.org.

# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.

# System mail name:
# iank: see comment elsewhere on mailname
exim4-config exim4/mailname string mail.iankelling.org




# Please enter a semicolon-separated list of recipient domains for which this machine
# should consider itself the final destination. These domains are commonly called
# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
# to the list given here.

# By default all local domains will be treated identically. If both a.example and
# b.example are local domains, acc@a.example and acc@b.example will be delivered to the
# same final destination. If different domain names should be treated differently, it
# is necessary to edit the config files afterwards.

# Other destinations for which mail is accepted:
# iank.bid is for testing
# mail.iankelling.org is for machines i own
exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz




# Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
# daemon will listen on all IP addresses listed here.

# An empty value will cause Exim to listen for connections on all available network
# interfaces.

# If this system only receives mail directly from local services (and not from other
# hosts), it is suggested to prohibit external connections to the local Exim daemon.
# Such services include e-mail programs (MUAs) which talk to localhost only as well as
# fetchmail. External connections are impossible when 127.0.0.1 is entered here, as
# this will disable listening on public network interfaces.

# IP-addresses to listen on for incoming SMTP connections:
exim4-config exim4/dc_local_interfaces  string




# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
# to the user account of the actual system administrator.

# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
# recommended.

# Note that postmaster\'s mail should be read on the system to which it is directed,
# rather than being forwarded elsewhere, so (at least one of) the users listed here
# should not redirect their mail off this machine. A 'real-' prefix can be used to
# force local delivery.

# Multiple user names need to be separated by spaces.

# Root and postmaster mail recipient:
exim4-config exim4/dc_postmaster string $postmaster



# Exim is able to store locally delivered email in different formats. The most commonly
# used ones are mbox and Maildir. mbox uses a single file for the complete mail folder
# stored in /var/mail/. With Maildir format every single message is stored in a
# separate file in ~/Maildir/.

# Please note that most mail tools in Debian expect the local delivery method to be
# mbox in their default.

#   1. mbox format in /var/mail/  2. Maildir format in home directory

# Delivery method for local mail: 2
exim4-config exim4/dc_localdelivery select Maildir format in home directory
EOF
    echo mail.iankelling.org > /etc/mailname

    # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
    # smarthost config type, not sure. all other settings
    # would be unused in that config type.
    cat >/etc/exim4/conf.d/main/000_localmacros <<EOF
# i don't have ipv6 setup for my vpn tunnel yet.
disable_ipv6 = true

MAIN_TLS_ENABLE = true

DKIM_CANON = relaxed
DKIM_SELECTOR = li

# from comments in
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

# The file is based on the outgoing domain-name in the from-header.
DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
# sign if key exists
DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}


# failing message on mail-tester.com:
# We check if there is a server (A Record) behind your hostname kd.
# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
# and this one seemed appropriate from grepping config.
# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
# mail to kd, so this should basically be a name that no host has as their
# canonical hostname since the actual host sits behind a nat and changes.
# Seems logical for this to be the same as mailname.
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org

# normally empty, I set this so I can set the envelope address
# when doing mail redelivery to invoke filters
MAIN_TRUSTED_GROUPS = $u

LOCAL_DELIVERY = dovecot_lmtp

# options exim has to avoid having to alter the default config files
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl

# debian exim config added this in 2016 or so?
# it's part of the smtp spec, to limit lines to 998 chars
# but a fair amount of legit mail does not adhere to it. I don't think
# this should be default, like it says in
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
# todo: the bug for introducing this was about headers, but
# the fix maybe is for all lines? one says gmail rejects, the
# other says gmail does not reject. figure out and open a new bug.
IGNORE_SMTP_LINE_LENGTH_LIMIT = true

# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
# list- headers since they got mentioned in an
# rfc, but this messes up mailing lists, like gnu/debian which want to
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to

EOF


    ####### begin dovecot setup ########
    # based on a little google and package search, just the dovecot
    # packages we need instead of dovecot-common.
    #
    # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
    # directly.  The reason to do this is to use dovecot\'s sieve, which
    # has extensions that allow it to be almost equivalent to exim\'s
    # filter capabilities, some ways probably better, some worse, and
    # sieve has the benefit of being supported in postfix and
    # proprietary/weird environments, so there is more examples on the
    # internet. I was torn about whether to do this or not, meh.
    pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd

    # if we changed 90-sieve.conf and removed the active part of the
    # sieve option, we wouldn\'t need this, but I\'d rather not modify a
    # default config if not needed. This won\'t work as a symlink in /a/c
    # unfortunately.
    sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve

    sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
/^\s*mail_location\s*=/d
EOF

    cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
  mail_plugins = \$mail_plugins sieve
# default was
  #mail_plugins = \$mail_plugins

# For a normal setup with exim, we need something like this, which
# removes the domain part
#  auth_username_format = %Ln
#
#  or else # Exim says something like
#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
# Dovecot verbose log says something like
# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
# reference: http://wiki.dovecot.org/LMTP/Exim
#
# However, I use this to direct all mail to the same inbox.
# A normal way to do this, which I did at first is to have
# a router in exim almost at the end, eg 950,
#local_catchall:
#  debug_print = "R: catchall for \$local_part@\$domain"
#  driver = redirect
#  domains = +local_domains
#  data = $u
# based on
# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
# with superflous options removed.
# However, this causes the envelope to be rewritten,
# which makes filtering into mailboxes a little less robust or more complicated,
# so I've done it this way instead. it also requires
# modifying the local router in exim.
  auth_username_format = $u
}

EOF


    cat >/etc/dovecot/local.conf <<'EOF'
# so I can use a different login that my shell login for mail.  this is
# worth doing solely for the reason that if this login is compromised,
# it won't also compromise my shell password.
!include conf.d/auth-passwdfile.conf.ext

# settings derived from wiki and 10-ssl.conf
ssl = required
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key
# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
# in my cert cronjob, I check if that has changed upstream.
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# ian: added this, more secure, per google etc
ssl_prefer_server_ciphers = yes

# for debugging info, uncomment these.
# logs go to syslog and to /var/log/mail.log
# auth_verbose=yes
#mail_debug=yes
EOF
    ####### end dovecot setup ########

    # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
    d=/etc/systemd/system/openvpn@mail
    mkdir -p $d
    cat >$d/override.conf <<'EOF'
[Service]
Restart=always
# time to sleep before restarting a service
RestartSec=1

[Unit]
# StartLimitIntervalSec in recent systemd versions
StartLimitInterval=0
EOF

    systemctl enable offlineimapsync.timer
    systemctl start offlineimapsync.timer
    systemctl restart $vpn_ser@mail
    systemctl enable $vpn_ser@mail
    systemctl enable dovecot
    systemctl restart dovecot

  else # $HOSTNAME != $MAIL_HOST
    systemctl disable offlineimapsync.timer &>/dev/null ||:
    systemctl stop offlineimapsync.timer &>/dev/null ||:
    systemctl disable $vpn_ser@mail
    systemctl stop $vpn_ser@mail
    systemctl disable dovecot ||:
    systemctl stop dovecot ||:
    #
    #
    # would only exist because I wrote it i the previous condition,
    # it\'s not part of exim
    rm -f /etc/exim4/conf.d/main/000_localmacros
    debconf-set-selections <<EOF
exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
exim4-config exim4/dc_smarthost string $smarthost
# afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
# if it does exist, it immediately changes the value to whats in /etc/mailname.
# So, I don't think there's any point in setting it, but might as well since
# ignoring what I set here is brain dead and might change.
exim4-config exim4/mailname string $(hostname -f)
EOF
    hostname -f > /etc/mailname

  fi # end $HOSTNAME != $MAIL_HOST

  # if we already have it installed, need to reconfigure, without being prompted
  if dpkg -s exim4-config &>/dev/null; then
    # gotta remove this, otherwise the set-selections are completely
    # ignored. It woulda been nice if this was documented somewhere!
    rm -f /etc/exim4/update-exim4.conf.conf
    while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
    dpkg-reconfigure -u -fnoninteractive exim4-config
  fi

  # i have the spool directory be common to distro multi-boot, so
  # we need the uid to be the same. 608 cuz it's kind of in the middle
  # of the free system uids.
  IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
  IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
  if [[ ! $uid ]]; then
    # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
    adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
            --no-create-home --disabled-login --force-badname Debian-exim
  elif [[ $uid != 608 ]]; then
    systemctl stop exim4 ||:
    usermod -u 608 Debian-exim
    groupmod -g 608 Debian-exim
    usermod -g 608 Debian-exim
    find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
    find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
  fi


  # light version of exim does not have sasl auth support.
  pi exim4-daemon-heavy spamassassin



  ##### begin spamassassin config
  systemctl enable spamassassin
  # per readme.debian
  sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
  e CRON=1 >>/etc/default/spamassassin
  # just noticed this in the config file, seems like a good idea.
  sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
  e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
  systemctl start spamassassin
  systemctl reload spamassassin

  cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
[Unit]
Description=spamd dns bug fix cronjob

[Service]
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
  # 2017-09, debian closed the bug on this saying upstream had fixed it.
  # remove this when i\'m using the newer package, ie, debian 10, or maybe
  # ubuntu 18.04.
  cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes

[Timer]
OnActiveSec=60
# the script looks back 9 minutes into the journal,
# it takes a second to run,
# so lets run every 9 minutes and 10 seconds.
OnUnitActiveSec=550

[Install]
WantedBy=timers.target
EOF
  systemctl daemon-reload
  systemctl restart spamddnsfix.timer
  systemctl enable spamddnsfix.timer
  #
  #####   end spamassassin config





  # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
  # i only need .forwards, so just doing that one.
  cd /etc/exim4/conf.d/router
  b=userforward_higher_priority
  # replace the router name so it is unique
  sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b

  # begin setup passwd.client
  f=/etc/exim4/passwd.client
  rm -f /etc/exim4/passwd.client
  install -m 640 -g Debian-exim /dev/null $f
  cat /etc/mailpass| while read -r domain port pass; do
    # reference: exim4_passwd_client(5)
    printf "%s:%s\n" "$domain" "$pass" >>$f
  done
  # end setup passwd.client

  # by default, only 10 days of logs are kept. increase that.
  sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base

  systemctl restart exim4

fi  #### end if exim4

# /etc/alias setup is debian specific, and
# exim config sets up an /etc/alias from root to the postmaster, which i
# config to ian, as long as there exists an entry for root, or there was
# no preexisting aliases file. based on the postinst file. postfix
# won\'t set up a root to $postmaster alias if it\'s already installed.
# Since postfix is not the greatest, just set it ourselves.
if [[ $postmaster != root ]]; then
  sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: $postmaster
/^root:/d
EOF
  newaliases
fi

# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
# todo: I\'m suspicious of uids for Debian-exim being the same across
# distros. It would be good to test this.
dir=/nocow/$type
sdir=/var/spool/$type
# we only do this if our system has $dir
if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
  systemctl stop $type
  if [[ ! -e $dir && -d $sdir ]]; then
    mv $sdir $dir
  fi
  /a/exe/lnf -T $dir $sdir
fi

systemctl restart $type
systemctl enable $type

# MAIL_HOST also does radicale, and easier to start and stop it here
# for when MAIL_HOST changes, so radicale gets the synced files and
# does not stop us from remounting /o.
if dpkg -s radicale &>/dev/null; then
  if [[ $HOSTNAME == $MAIL_HOST ]]; then
    systemctl restart radicale
    systemctl enable radicale
    if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
      mv /etc/logrotate.d/radicale{.disabled,}
    fi
  else
    systemctl stop radicale
    systemctl disable radicale
    # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
    if [[ -e /etc/logrotate.d/radicale ]]; then
      mv /etc/logrotate.d/radicale{,.disabled}
    fi
  fi
fi
exit 0
:
# if I wanted the from address to be renamed and sent to a different address,
# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
# sudo postmap hash:/etc/postfix/recipient_canonical
# sudo service postfix reload