fixes and some improvements

[distro-setup] / mail-setup

#!/bin/bash
# * intro
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later

# perusing through /el/mainlog without test messages:
# &!testignore|jtuttle|
#
#&! testignore|jtuttle|eximbackup|/usr/sbin/exim4 -bpu

# todo: check new macro DKIM_TIMESTAMPS

# todo: check if REMOTE_SMTP_INTERFACE or REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE can simplify my or fsfs config

# todo: max line length macro changed in t11. look into it
# todo: check that all macros we use are still valid in t11

# todo: setup an alert for bouncing test emails.

# todo: bounces to my fsf mail can come from fsf@iankelling.org,
# think about making bounces go from the original address.

# todo: add a prometheus alert for dovecot.

# todo: handle errors like this:
# Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
# Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
#eg: on eggs, on may 1st, ps grep for exim, 2 daemons running. 1 leftover from a month ago
#Debian-+  1954     1  0 36231 11560   4 Apr02 ?        00:40:25 /usr/sbin/exim4 -bd -q30m
#Debian-+ 23058  1954  0 36821 10564   0 20:38 ?        00:00:00 /usr/sbin/exim4 -bd -q30m

#  todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
#  todo: consider hardening cups listening on 0.0.0.0
#  todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.

# todo:  hosts should only allow external mail that is authed and
# destined for backup route. it is a minor issue since traffic is
# limited to the wghole network.

# todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist
# instead of a simple rejection like it should.

# todo: run mailping test after running, or otherwise
# clear out terminal alert

# todo: disable postgrey

# todo: in testforward-check, we should also look

# todo: test that bounces dont help create valid mailtest-check

# todo: move mail stuff in distro-end into this file

# todo: consider rotating dkim & publishing key so every past email I sent
# isnt necessarily signed

# todo: consider how to get clamav out of Debian-exim group
# so it cant read/write the whole mail spool, for better
# security.

# todo: create a cronjob to update or warn on expiring dnssec keys

# todo: we should test failed mail daily or so
# failed cronjob, failed sysd-log-once,
# a local bounce from a cronjob, a local bounce
# to a bad remote address, perhaps a local failure
# when the sending daemon is down.
# And send an alert email if no alerts have been sent
# in 2 or 3 days or something. todo, test cron mail on li.

# todo: look at mailinabox extra dns records, note these changelogs:
# - An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced.
# - The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT.
#

# todo: mailtest-check failure on remote hosts is not going to alert me.
# sort that out.
# todo: test mail failure as well as success.
#
# todo: validate that mailtest-check is doing dnsbl checks.

# background: I want to run exim in a network namespace so it can send
# and receive through a vpn. This is needed so it can do ipv6, because
# outside the namespace if we dont have ipv6, to send ipv6 through the
# vpn, we have to send all our ipv6 through the vpn. I did this for a
# long time, it was fine, but it causes various pains, like increased
# latency, increased recaptcha because my ip is from a data center, just
# various issues I dont want on all the time. The problem with the
# namespace is that all kinds of programs want to invoke exim, but they
# wont be in the namespace. I could replace exim with a wrapper that
# jumps into the namespace, i tried that, it works fine.  One remaining
# problem was that I would have needed to hook into exim upgrades to
# move exim and replace it with my wrapper script. Also, my script to
# join the namespace is not super reliable because it uses a pgrep.
# Instead, I should have created a systemd service for a process that
# will never die and just writes its pid somewhere convenient.
# That implementation
# is below here:
#
# sudoers:
# user ALL=(ALL) /usr/sbin/exim4
#
# move exim4 to eximian, use this script for exim4:
#
# #!/bin/bash
# if ip a show veth1-mail &>/dev/null; then
#   /usr/sbin/eximian "$@"
#   exit
# fi
# dosudo=false
# if [[ $USER && $USER != root ]]; then
#   dosudo=true
# fi
# pid=$(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf")
# if $dosudo; then
#   sudo nsenter -t $pid -n -m sudo -u $USER /usr/sbin/eximian "$@"
# else
#   nsenter -t $pid -n -m /usr/sbin/eximian "$@"
# fi
# ## end script
#
# an alternate solution: there is a small setguid program for
# network namespaces in my bookmarks.
#
# However, the solution I went with is: have 2 exim
# configs. A nonstandard location for the daemon that runs
# in the namespace. For all other invocations, it uses
# the default config location, which is altered to be
# in a smarthost config which sends mail to the deaemon.
#
# I have a bash function, enn to invoke exim like the daemon is running.
# and mailbash to just enter its network namespace.

if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi

shopt -s nullglob

if [[ -s /usr/local/lib/err ]]; then
  source /usr/local/lib/err
elif [[ -s /a/bin/errhandle/err ]]; then
  source /a/bin/errhandle/err
else
  echo "no err tracing script found"
  exit 1
fi
source /a/bin/distro-functions/src/identify-distros
source /a/bin/distro-functions/src/package-manager-abstractions

# has nextcloud_admin_pass in it
f=/p/c/machine_specific/$HOSTNAME/mail
if [[ -e $f ]]; then
  # shellcheck source=/p/c/machine_specific/bk/mail
  source $f
fi


[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

# note, this is hardcoded in /etc/exim4/conf.d/main/000_local
u=$(id -nu 1000)


usage() {
  cat <<EOF
Usage: ${0##*/} anything_here_to_debug
Setup exim4 & dovecot & related things

-h|--help  Print help and exit.
EOF
  exit $1
}

# debug output if we pass any arg
if (( $# )); then
  set -x
fi


####### instructions for icedove #####
# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password,
# then click advanced so it accepts it.
# we could also just use 127.0.0.1 with no ssl
#
# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
# background: dovecot does not yet have ocsp stapling support
# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
#
# for phone, k9mail, fdroid, same thing but username alerts, pass in ivy-pass.
# also, bk.b8.nz for secondary alerts, username is iank. same alerts pass.
# fetching mail settings: folder poll frequency 10 minutes.
# account settings, fetching mail, push folders: All. Then disable the persistent notification.
#######


# * perstent password instructions
# Note: for cert cron, we need to manually run first to accept known_hosts

# # exim passwords:
# # for hosts which have all private files I just use the same user
# # for other hosts, each one get\'s their own password.
# # for generating secure pass, and storing for server too:
# f=$(mktemp)
# host=tp
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$host:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$host:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
# #reference: exim4_passwd_client(5)
# dir=/p/c/machine_specific/$host/filesystem/etc/exim4
# mkdir -p $dir
# echo "mail.iankelling.org:$host:$(<$f)" > $dir/passwd.client
# # then run this script

# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
# echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users

####### end perstent password instructions ######


# * dkim dns
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# domain=iankelling.org
# c /p/c/filesystem/etc/exim4
# # this has several bugs addressed in comments, but it was helpful
# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4

# openssl genrsa -out $domain-private.pem 2048
# # Then, to get the public key strings to put in bind:

# # selector is needed for having multiple keys for one domain.
# # I dun do that, so just use a static one: li
# # Debadmin page does not have v=, fastmail does, and this
# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
# # https://www.ietf.org/rfc/rfc6376.txt
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
# echo "bind txt record: remember to truncate $domain so its relative to the bind zone"
# cat <<EOF
# a._domainkey.$domain  TXT     (
# "v=DKIM1\059 k=rsa\059 p=$(openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1"\n"\2/p};3,$H')" )
# EOF
# # sed explanation: skip the first few lines, then put them into the hold space, then
# # on the last line, back to the patern space, remove the newlines, then add a newline
# # at the last char - 240, because bind txt records need strings <=255 chars,
# # other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
# # leaves us a bit of extra room at the end and a bunch at the beginning.

# # selector was also put into /etc/exim4/conf.d/main/000_local,

# * dmarc dns

# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
# # there were articles claiming gmail would be  changing
# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
# # expected to cause problems
# # with a few old mailing lists, copying theirs for now.
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"

# * other dns

# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.

# # to check if dns has updated, you do
# host -a mesmtp._domainkey.$domain

# # mx records,
# # setting it to iankelling.org would work the same, but this
# # is more flexible, I could change where mail.iankelling.org pointed.
# cat <<'EOF'
# mx records, 2 records each, for * and empty domain
# pri 10 mail.iankelling.org
# EOF

# # dnssec
# from brc2, run dnsecgen then dsign, update named.local.conf, publish keys to registrar

# * functions & constants

pre="${0##*/}:"
m() { printf "$pre %s\n"  "$*"; "$@"; }
e() { printf "$pre %s\n"  "$*"; }
err() { printf "$pre %s\n"  "$*" >&2; exit 1; }

reload=false
# This file is so if we fail in the middle and rerun, we dont lose state
if [[ -e /var/local/mail-setup-reload ]]; then
  reload=true
fi
u() { # update file. note: duplicated in brc
  local tmp tmpdir dest="$1"
  local base="${dest##*/}"
  local dir="${dest%/*}"
  if [[ $dir != "$base" ]]; then
    # dest has a directory component
    mkdir -p "$dir"
  fi
  ur=false # u result
  tmpdir=$(mktemp -d)
  cat >$tmpdir/"$base"
  tmp=$(rsync -ic $tmpdir/"$base" "$dest")
  if [[ $tmp ]]; then
    printf "%s\n" "$tmp"
    ur=true
    if [[ $dest == /etc/systemd/system/* ]]; then
      touch /var/local/mail-setup-reload
      reload=true
    fi
  fi
  rm -rf $tmpdir
}
setini() {
  key="$1" value="$2" section="$3"
  file="/etc/radicale/config"
  sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
}
soff () {
  for service; do
    # ignore services that dont exist
    if systemctl cat $service &>/dev/null; then
      m systemctl disable --now $service
    fi
  done
}
sre() {
  local enabled
  for service; do
    m systemctl restart $service
    # Optimization for exim,
    # is-enabled: 0m0.015s
    # enable: 0m0.748s
    # It is related to this message:
    # exim4.service is not a native service, redirecting to systemd-sysv-install.
    # Executing: /lib/systemd/systemd-sysv-install enable exim4
    enabled=$(systemctl is-enabled $service 2>/dev/null ||:)
    if [[ $enabled != enabled ]]; then
      m systemctl enable $service
    fi
  done
}
mailhost() {
  [[ $HOSTNAME == "$MAIL_HOST" ]]
}
e() { printf "%s\n" "$*"; }
reifactive() {
  for service; do
    if systemctl is-active $service >/dev/null; then
      m systemctl restart $service
    fi
  done
}
stopifactive() {
  for service; do
    if systemctl is-active $service >/dev/null; then
      m systemctl stop $service
    fi
  done
}

mxhost=mx.iankelling.org
mxport=587

# old setup. left as comment for example
# mxhost=mail.messagingengine.com
# mxport=587
# forward=ian@iankelling.org

smarthost="$mxhost::$mxport"
uhome=$(eval echo ~$u)

# Somehow on one machine, a file got written with 664 perms.
# just being defensive here.
umask 0022

source /a/bin/bash_unpublished/source-state
if [[ ! $MAIL_HOST ]]; then
  err "\$MAIL_HOST not set"
fi

bhost_t=false
case $HOSTNAME in
  $MAIL_HOST) : ;;
  kd|frodo|x2|x3|kw|sy|bo)
    bhost_t=true
    ;;
esac


# * Install universal packages


# installs epanicclean iptables-exim ip6tables-exim
/a/bin/ds/install-my-scripts

if [[ $(debian-codename-compat) == bionic ]]; then
  cat >/etc/apt/preferences.d/spamassassin <<'EOF'
Package: spamassassin sa-compile spamc
Pin: release n=focal,o=Ubuntu
Pin-Priority: 500
EOF
fi

# light version of exim does not have sasl auth support.
# note: for bitfolk hosts, unbound has important config with conflink.
pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard

# note: pyzor debian readme says you need to run some initialization command
# but its outdated.
pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot fail2ban
case $HOSTNAME in
  je) : ;;
  # not included due to using wireguard: openvpn
  *) pi wget git unzip iptables ;;
esac
# bad packages that sometimes get automatically installed
pu openresolv resolvconf

soff openvpn


if [[ $(debian-codename) == etiona ]]; then
  # ip6tables stopped loading on boot. openvpn has reduced capability set,
  # so running iptables as part of openvpn startup wont work. This should do it.
  pi iptables-persistent
  cat >/etc/iptables/rules.v6 <<'EOF'
*mangle
COMMIT
*nat
COMMIT
EOF
  # load it now.
  m ip6tables -S >/dev/null
fi

# our nostart pi fails to avoid enabling


# * Mail clean cronjob

u /etc/systemd/system/mailclean.timer <<'EOF'
[Unit]
Description=Run mailclean daily

[Timer]
OnCalendar=monthly

[Install]
WantedBy=timers.target
EOF

u /etc/systemd/system/mailclean.service <<EOF
[Unit]
Description=Delete and archive old mail files
After=multi-user.target

[Service]
User=$u
Type=oneshot
ExecStart=/usr/local/bin/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
EOF

# * postgrey


u /etc/default/postgrey <<'EOF'
POSTGREY_OPTS="--exim --unix=/var/run/postgrey/postgrey.sock --retry-window=4 --max-age=60"
EOF

# * clamav

m usermod -a -G Debian-exim clamav

u /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
[Service]
ExecStartPre=-/bin/mkdir -p /var/run/clamav
ExecStartPre=/bin/chown clamav /var/run/clamav
EOF

# * mail vpn config

# old.
#vpnser=mailvpn.service
# note: this hangs if it cant resolv the endpoint. we
# want it to just retry in the background. i just use a static ip instead.
#
# Note: at least on t10, on reboot, the service fails to come up according to systemd, but
# in reality it is up and working, then it tries to restart infinitely, and fails
# because it detects that the interface exists.
#
# failing output:
#
# Aug 02 21:59:27 sy wg-quick[2092]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
# Aug 02 21:59:27 sy wg-quick[2248]: [#] iptables-restore -n
# Aug 02 21:59:27 sy wg-quick[2249]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
# Aug 02 21:59:27 sy wg-quick[2259]: [#] iptables-restore -n
# Aug 02 21:59:27 sy wg-quick[2260]: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
# Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=4/NOPERMISSION


# successful output.
# Aug 03 14:12:47 sy wg-quick[711336]: [#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
# Aug 03 14:12:47 sy wg-quick[711384]: [#] iptables-restore -n
# Aug 03 14:12:47 sy wg-quick[711336]: [#] ping -w10 -c1 10.8.0.1 ||:
# Aug 03 14:12:47 sy wg-quick[711389]: PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
# Aug 03 14:12:47 sy wg-quick[711389]: 64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=73.0 ms
# Aug 03 14:12:47 sy wg-quick[711389]: --- 10.8.0.1 ping statistics ---
# Aug 03 14:12:47 sy wg-quick[711389]: 1 packets transmitted, 1 received, 0% packet loss, time 0ms
# Aug 03 14:12:47 sy wg-quick[711389]: rtt min/avg/max/mdev = 72.993/72.993/72.993/0.000 ms
# Aug 03 14:12:47 sy systemd[1]: Finished WireGuard via wg-quick(8) for wgmail.
# Aug 02 21:59:27 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
# Aug 02 21:59:27 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.
# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Scheduled restart job, restart counter is at 1.
# Aug 02 21:59:47 sy systemd[1]: Stopped WireGuard via wg-quick(8) for wgmail.
# Aug 02 21:59:47 sy systemd[1]: Starting WireGuard via wg-quick(8) for wgmail...
# Aug 02 21:59:47 sy wg-quick[3424]: wg-quick: `wgmail' already exists
# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Main process exited, code=exited, status=1/FAILURE
# Aug 02 21:59:47 sy systemd[1]: wg-quick@wgmail.service: Failed with result 'exit-code'.
# Aug 02 21:59:47 sy systemd[1]: Failed to start WireGuard via wg-quick(8) for wgmail.


# According to iptables -S and iptables -t nat -S,
# there are no modifications to iptables rules on a succsfull run,
# and

vpnser=wg-quick@wgmail.service

case $HOSTNAME in
  $MAIL_HOST)
    rsync -aiSAX --chown=root:root --chmod=g-s /p/c/filesystem/etc/wireguard/ /etc/wireguard
    bindpaths="/etc/127.0.0.1-resolv:/run/systemd/resolve /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind"
    ;;&
  bk)
    bindpaths="/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv"
    ;;&
  *)
    d=/p/c/machine_specific/$HOSTNAME/filesystem/etc/wireguard/
    if [[ -d $d ]]; then
      rsync -aiSAX --chown=root:root --chmod=g-s $d  /etc/wireguard
    fi
    ;;
esac

case $HOSTNAME in
  li) : ;;
  *)
    u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
[Unit]
Requires=mailnn.service
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0

[Service]
PrivateNetwork=true
# i dont think we need any of these, but it doesnt hurt to stay consistent
BindPaths=$bindpaths

Restart=on-failure
RestartSec=20
EOF
    ;;
esac


# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
u /etc/systemd/system/mailvpn.service <<EOF
[Unit]
Description=OpenVPN tunnel for mail
After=syslog.target network-online.target mailnn.service
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
# needed to continually restatr
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0

[Service]
Type=notify
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
PrivateNetwork=true
# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
# because of
# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
# there is a workaround there, but i dont think its really worth it,
# the mail server is fine with a static dns anyways.
# This thread is also interesting,
# https://github.com/slingamn/namespaced-openvpn/issues/7
# todo: the iptables rule at the bottom could be useful to prevent
# dns from leaking in my network namespaced vpn.
# I also like the idea of patching systemd-resolved so it
# will listen on other interfaces, but its not worth my time.
BindPaths=$bindpaths
Restart=always
# time to sleep before restarting a service
RestartSec=20

[Install]
WantedBy=multi-user.target
EOF

u /etc/systemd/system/mailnnroute.service <<'EOF'
[Unit]
Description=Network routing for mailnn
After=syslog.target network-online.target mailnn.service
Wants=network-online.target
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0

[Service]
Type=simple
RemainAfterExit=true
PrivateNetwork=true
ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
Restart=always
RestartSec=20


[Install]
WantedBy=multi-user.target
EOF

#
u /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
Description=Network Namespace for mail vpn service that will live forever and cant fail
After=syslog.target network-online.target
Wants=network-online.target

[Service]
Type=simple
PrivateNetwork=true
ExecStart=/bin/sleep infinity

[Install]
WantedBy=multi-user.target
EOF

u /etc/systemd/system/mailbindwatchdog.service <<EOF
[Unit]
Description=Watchdog to restart services relying on systemd-resolved dir
After=syslog.target network-online.target
Wants=network-online.target
BindsTo=mailnn.service

[Service]
Type=simple
ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
Restart=always
# time to sleep before restarting a service
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF



# old service name
rm -fv /etc/systemd/system/openvpn-client-mail@.service

# We use a local unbound because systemd-resolved wont accept our
# request, it will only listen to 127.0.0.53 in the main network
# namespace, and rejected feature requests to change that (although I
# could change the code and recompile), but anyways, that could answer
# with things specific to the lan that aren't applicable in this
# namespace, and since unbound is a recursive resolver, it means we just
# use our own ip against dnsbl rate limits.
#
# If we ever notice this change, chattr +i on it
# trust-ad is used in t10+, glibc 2.31

u /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.1
options edns0 trust-ad
EOF

u /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.53
options edns0 trust-ad
EOF


u /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
nameserver 10.173.8.1
options edns0 trust-ad
EOF

# this is just a bug fix for trisquel.
f=/etc/apparmor.d/usr.sbin.unbound
line="/usr/sbin/unbound flags=(attach_disconnected) {"
if ! grep -qFx "$line" $f; then
  badline="/usr/sbin/unbound {"
  if ! grep -qFx "$badline" $f; then
    err expected line in $f not found
  fi
  sed -i "s,^$badline$,$line," $f
  if systemctl is-active apparmor &>/dev/null; then
    m systemctl reload apparmor
  fi
fi

# note: anything added to nn_progs needs corresponding rm
# down below in the host switch
nn_progs=(exim4)
if mailhost; then
  # Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
  # Its in the nn so remote clients can connect to it.
  nn_progs+=(spamassassin dovecot)
fi

case $HOSTNAME in
  $MAIL_HOST)
    # todo, should this be after vpn service
    u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
[Unit]
After=mailnn.service
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0

[Service]
PrivateNetwork=true
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
BindPaths=$bindpaths

Restart=always
RestartSec=20
EOF

    # sooo, there are a few ways to get traffic from the mail network
    # namespace to go over the wghole.
    #
    #1: unify the mail vpn and wghole
    # into 1 network.  this seems simple and logical, so I'm doing it.
    # One general downside is tying things together, if I need to mess
    # with one thing, it breaks the other. Oh well for now.
    #
    # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
    #
    # 3. We can setup the routing to happen on li, which seemed like I
    # just needed to add 10.8.0.4/24 to AllowedIPs in at least the
    # wghole clients, but I think that is kind of hacky and breaks ipv4
    # routing within the mailvpn, it happened to work just because exim
    # prefers ipv6 and that was also available in the mailvpn.
    #
    # 4. Put the hole interface into the mail network namespace. This
    # doesn't work if the mail vpn is wg.  For openvpn, it bypasses the
    # vpn routing and establishes a direct connection.  I only use the
    # hole vpn for randomish things, it should be fine to join the mail
    # nn for that. There should be some way to fix the routing issue
    # by doing manual routing, but that doesn't seem like a good use of time.
    # relevant:
    # https://www.wireguard.com/netns/#
    #
    # for wireguard debugging
    # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
    # dmesg -w

    ;;&
  $MAIL_HOST|bk)
    for unit in ${nn_progs[@]}; do
      u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]

# Wants appears better than requires because with requires,
# if the vpnser fails to start, this service won't get run at
# all, even if the vpnser starts on an automatic restart.

Wants=$vpnser
After=network.target mailnn.service $vpnser
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0

[Service]
PrivateNetwork=true
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
BindPaths=$bindpaths

Restart=always
RestartSec=20
EOF
    done
    ;;
  *)
    for unit in exim4 spamassassin dovecot unbound; do
      f=/etc/systemd/system/$unit.service.d/nn.conf
      if [[ -s $f ]]; then
        rm -fv $f
        reload=true
      fi
    done
    ;;
esac

# * wghole (another mail vpn)

if $bhost_t; then
  u /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
[Unit]
StartLimitIntervalSec=0

[Service]
Restart=on-failure
RestartSec=20
EOF
fi

# * spamassassin config
u /etc/sysctl.d/80-iank-mail.conf <<'EOF'
# see exim spec
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 120
EOF
if $ur; then
  m sysctl -p
fi

u /etc/spamassassin/mylocal.cf <<'EOF'
# this is mylocal.cf because the normal local.cf has a bunch of upstream stuff i dont want to mess with

# /usr/share/doc/exim4-base/README.Debian.gz:
#   SpamAssassin's default report should not be used in a add_header
#   statement since it contains empty lines. (This triggers e.g. Amavis'
#   warning "BAD HEADER SECTION, Improper folded header field made up
#   entirely of whitespace".) This is a safe, terse alternative:
clear_report_template
report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN
uridnsbl_skip_domain iankelling.org
uridnsbl_skip_domain amnimal.ninja
uridnsbl_skip_domain expertpathologyreview.com
uridnsbl_skip_domain zroe.org
EOF

# 2020-10-19 remove old file. remove this when all hosts updated
rm -fv /etc/systemd/system/spamddnsfix.{timer,service}

u /etc/default/spamassassin <<'EOF'
# defaults plus debugging flags for an issue im having
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
# my additions
NICE="--nicelevel 15"
CRON=1
EOF
#####   end spamassassin config


# * Update mail cert


## needed only for openvpn mail vpn.
# if [[ -e /p/c/filesystem ]]; then
#   # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
#   # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
#   # after my internet was down for a bit:
#   # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
#   m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org
# fi

# With openvpn, I didn't get around to persisting the openvpn
# cert/configs into /p/c/machine_specific/bk, so I had this case to
# manually get the cert. However, we aren't using openvpn anymore, so it
# is commented out.
#
# case $HOSTNAME in
#   bk)
#     if [[ ! -e /etc/openvpn/client/mail.conf ]]; then
#       echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2
#       exit 1
#     fi
#     ;;
# esac

m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin

u /etc/systemd/system/mailcert.service <<'EOF'
[Unit]
Description=Mail cert rsync
After=multi-user.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF
u /etc/systemd/system/mailcert.timer <<'EOF'
[Unit]
Description=Run mail-cert once a day

[Timer]
OnCalendar=daily

[Install]
WantedBy=timers.target
EOF


wghost=${HOSTNAME}wg.b8.nz
if $bhost_t && [[ ! -e /etc/exim4/certs/$wghost/privkey.pem ]]; then
  certbot -n --manual-public-ip-logging-ok --eff-email --agree-tos -m letsencrypt@iankelling.org \
          certonly --manual --preferred-challenges=dns \
          --manual-auth-hook /a/bin/ds/le-dns-challenge \
          --manual-cleanup-hook /a/bin/ds/le-dns-challenge-cleanup \
          --deploy-hook /a/bin/ds/le-exim-deploy -d $wghost
fi

# * fail2ban

# todo: test that these configs actually work, eg run
# s iptables-exim -S
# and see someone is banned.

sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \
    /etc/fail2ban/action.d/iptables-multiport.conf| u /etc/fail2ban/action.d/iptables-exim.conf
u /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF'
# iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim

# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is a included configuration file and includes the definitions for the iptables
# used in all iptables based actions by default.
#
# The user can override the defaults in iptables-common.local
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
#       made config file IPv6 capable (see new section Init?family=inet6)

[INCLUDES]

after = iptables-blocktype.local
        iptables-common.local
# iptables-blocktype.local is obsolete

[Definition]

# Option:  actionflush
# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values:  CMD
#
actionflush = <iptables> -F f2b-<name>


[Init]

# Option:  chain
# Notes    specifies the iptables chain to which the Fail2Ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  blocktype
# Note:    This is what the action does with rules. This can be any jump target
#          as per the iptables man page (section 8). Common values are DROP
#          REJECT, REJECT --reject-with icmp-port-unreachable
# Values:  STRING
blocktype = REJECT --reject-with icmp-port-unreachable

# Option:  returntype
# Note:    This is the default rule on "actionstart". This should be RETURN
#          in all (blocking) actions, except REJECT in allowing actions.
# Values:  STRING
returntype = RETURN

# Option:  lockingopt
# Notes.:  Option was introduced to iptables to prevent multiple instances from
#          running concurrently and causing irratic behavior.  -w was introduced
#          in iptables 1.4.20, so might be absent on older systems
#          See https://github.com/fail2ban/fail2ban/issues/1122
# Values:  STRING
lockingopt = -w

# Option:  iptables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = /usr/local/bin/iptables-exim <lockingopt>


[Init?family=inet6]

# Option:  blocktype (ipv6)
# Note:    This is what the action does with rules. This can be any jump target
#          as per the iptables man page (section 8). Common values are DROP
#          REJECT, REJECT --reject-with icmp6-port-unreachable
# Values:  STRING
blocktype = REJECT --reject-with icmp6-port-unreachable

# Option:  iptables (ipv6)
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
iptables = /usr/local/bin/ip6tables-exim <lockingopt>
EOF

u /etc/fail2ban/jail.d/exim.local <<'EOF'
[exim]
enabled  = true
port     = 25,587
filter   = exim
banaction = iptables-exim

# 209.51.188.13 = mail.fsf.org
# 2001:470:142::13 = mail.fsf.org
# 209.51.188.92 = eggs.gnu.org
# 2001:470:142:3::10 = eggs.gnu.org
# 72.14.176.105 2600:3c00:e000:280::2 = mail.iankelling.org
# 10.173.8.1 = non-nn net
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ur; then
  m systemctl restart fail2ban
fi

# * common exim4 config


## old, not using forward files anymore
rm -fv $uhome/.forward /root/.forward


# Make all system users be aliases. preventative
# prevents things like cron mail for user without alias
awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ || $7 ~ /\/nologin$/  { print $1 }' /etc/passwd| while read -r user; do
  if [[ ! $user ]]; then
    continue
  fi
  if ! grep -q "^$user:" /etc/aliases; then
    echo "$user: root" |m tee -a /etc/aliases
  fi
done


awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /etc/passwd| while read -r user; do
  case $HOSTNAME in
    $MAIL_HOST)
      sed -i "/^user:/d" /etc/aliases
      ;;
    *)
      if ! grep -q "^$user:" /etc/aliases; then
        echo "$user: root" |m tee -a /etc/aliases
      fi
      ;;
  esac
done


. /a/bin/bash_unpublished/priv-mail-setup


m gpasswd -a iank adm #needed for reading logs

### make local bounces go to normal maildir
# local mail that bounces goes to /Maildir or /root/Maildir
dirs=(/m/md/bounces/{cur,tmp,new})
m mkdir -p ${dirs[@]}
m chown iank:iank /m /m/md
m ln -sfT /m/md /m/iank
m chmod 771 /m /m/md
m chown -R $u:Debian-exim /m/md/bounces
m chmod 775 ${dirs[@]}
m usermod -a -G Debian-exim $u
for d in /Maildir /root/Maildir; do
  if [[ ! -L $d ]]; then
    m rm -rf $d
  fi
  m ln -sf -T /m/md/bounces $d
done

# dkim, client passwd file
files=(/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/*)
f=/p/c/filesystem/etc/exim4/passwd.client
if [[ -e $f ]]; then
  files+=($f)
fi
if (( ${#files[@]} )); then
  m rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
    ${files[@]} /etc/exim4
fi

# By default, only 10 days of logs are kept. increase that.
# And dont compress, I look back at logs too often and
# dont need the annoyance of decompressing them all the time.
m sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
files=(/var/log/exim4/*.gz)
if (( ${#files[@]} )); then
  gunzip ${files[@]}
fi

## disabled. not using .forward files, but this is still interesting
## for reference.
# ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
# # i only need .forwards, so just doing that one.
# cd /etc/exim4/conf.d/router
# b=userforward_higher_priority
# # replace the router name so it is unique
# sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
rm -fv /etc/exim4/conf.d/router/175_userforward_higher_priority

# todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?

# alerts is basically the postmaster address
m sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: alerts@iankelling.org
/^root:/d
EOF

cat >/etc/exim4/conf.d/rewrite/34_iank_rewriting <<'EOF'
ncsoft@zroe.org graceq2323@gmail.com hE
EOF

# old name
rm -fv /etc/exim4/conf.d/retry/37_retry

cat >/etc/exim4/conf.d/retry/17_retry <<'EOF'
# Retry fast for my own domains
iankelling.org * F,1d,1m;F,14d,1h
amnimal.ninja * F,1d,1m;F,14d,1h
expertpathologyreview.com * F,1d,1m;F,14d,1h
je.b8.nz * F,1d,1m;F,14d,1h
zroe.org * F,1d,1m;F,14d,1h
eximbackup.b8.nz * F,1d,1m;F,14d,1h

# The spec says the target domain will be used for temporary host errors,
# but i've found that isn't correct, the hostname is required
# at least sometimes.
nn.b8.nz * F,1d,1m;F,14d,1h
defaultnn.b8.nz * F,1d,1m;F,14d,1h
mx.iankelling.org * F,1d,1m;F,14d,1h
bk.b8.nz * F,1d,1m;F,14d,1h
eggs.gnu.org * F,1d,1m;F,14d,1h
fencepost.gnu.org * F,1d,1m;F,14d,1h

# afaik our retry doesnt need this, but just using everything
mx.amnimal.ninja * F,1d,1m;F,14d,1h
mx.expertpathologyreview.com * F,1d,1m;F,14d,1h


mail.fsf.org * F,1d,15m;F,14d,1h
EOF


rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename

# separate file so without quoted EOF for convenience
cat >/etc/exim4/conf.d/main/000_local2 <<EOF
# normally empty, I set this so I can set the envelope address
# when doing mail redelivery to invoke filters. Also allows
# me exiqgrep and stuff.
MAIN_TRUSTED_GROUPS = $u
EOF

cd /etc/exim4
{
  for f in *-private.pem; do
    echo ${f%-private.pem}
  done
} | u /etc/exim4/conf.d/my-dkim-domains

rm -f /etc/exim4/conf.d/transport/11_iank

cat >/etc/exim4/conf.d/main/000_local <<'EOF'
MAIN_TLS_ENABLE = true

# require tls connections for all smarthosts
REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = ! nn.b8.nz
REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS = nn.b8.nz

# debian exim config added this in 2016 or so?
# it's part of the smtp spec, to limit lines to 998 chars
# but a fair amount of legit mail does not adhere to it. I don't think
# this should be default, like it says in
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
# todo: the bug for introducing this was about headers, but
# the fix maybe is for all lines? one says gmail rejects, the
# other says gmail does not reject. figure out and open a new bug.
IGNORE_SMTP_LINE_LENGTH_LIMIT = true

# more verbose logs. used to use +all, but made it less for more efficiency.
MAIN_LOG_SELECTOR = -skip_delivery -tls_cipher -tls_certificate_verified +all_parents +address_rewrite +arguments +deliver_time +pid +queue_time +queue_time_overall +received_recipients +received_sender +return_path_on_delivery +sender_on_delivery +smtp_confirmation +subject

# Based on spec, seems like a good idea to be nice.
smtp_return_error_details = true

# default is 10. when exim has been down for a bit, fsf mailserver
# will do a big send in one connection, then exim decides to put
# the messages in the queue instead of delivering them, to avoid
# spawning too many delivery processes. This is the same as the
# fsfs value. And the corresponding one for how many messages
# to send out in 1 connection remote_max_parallel = 256
smtp_accept_queue_per_connection = 500


DKIM_CANON = relaxed
DKIM_SELECTOR = li


# The file is based on the outgoing domain-name in the from-header.
# sign if key exists
DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}

# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
# list- headers since they got mentioned in an
# rfc, but this messes up mailing lists, like gnu/debian which want to
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to

domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz

hostlist iank_trusted = <; \
# veth0
10.173.8.1 ; \
# li li_ip6
72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8 ; \
# li_vpn_net li_vpn_net_ip6s
10.8.0.0/24; 2600:3c00:e000:280::/64 ; 2600:3c00:e002:3800::/56 ;  \
# bk bk_ip6
85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \
# je je_ipv6
85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \
# fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28


# this is the default delay_warning_condition, plus matching on local_domains.
# If I have some problem with my local system that causes delayed delivery,
# I dont want to send warnings out to non-local domains.
delay_warning_condition = ${if or {\
  { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\
  { match{$h_precedence:}{(?i)bulk|list|junk} }\
  { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\
  { match_domain{$domain}{+local_domains} }\
  } {no}{yes}}


# enable 587 in addition to the default 25, so that
# i can send mail where port 25 is firewalled by isp
daemon_smtp_ports = 25 : 587 : 10025
# default of 25, can get stuck when catching up on mail
smtp_accept_max = 400
smtp_accept_reserve = 100
smtp_reserve_hosts = +iank_trusted

# Rules that make receiving more liberal should be on backup hosts
# so that we dont reject mail accepted by MAIL_HOST
LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
EOF

if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge 4.94; then
  cat >>/etc/exim4/conf.d/main/000_local <<'EOF'
# In t11, we cant do the old anymore because this is tainted data used in a file lookup.
# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
EOF
else
  cat >>/etc/exim4/conf.d/main/000_local <<'EOF'
# From comments in
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
# There could be some circumstance when the
# from: isnt our domain, but the envelope sender is
# and so still want to sign, but I cant think of any case.
DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
EOF
fi

rm -fv /etc/exim4/rcpt_local_acl # old path

u /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
# This acl already exists in rcpt, this just makes it more widespread.
# See the comment there for its rationale. The reason it needs to be
# more widespread is that I've turned on sender verification, but cron
# emails can fail sender verification since I may be in a network that
# doesn't have my local dns.
accept
  authenticated = *

# i setup a local programs smtp to mail.iankelling.org, this
# skips sender verification for it.
accept
  hosts = 10.173.8.1
EOF

rm -fv /etc/exim4/data_local_acl # old path

u /etc/exim4/conf.d/data_local_acl <<'EOF'
# Except for the "condition =", this was
# a comment in the check_data acl. The comment about this not
# being suitable has been changed in newer exim versions. The only thing
# related I found was to
# add the condition =, cuz spamassassin has problems with big
# messages and spammers don't bother with big messages,
# but I've increased the size from 10k
# suggested in official docs, and 100k in the wiki example because
# those docs are rather old and I see a 110k spam message
# pretty quickly looking through my spam folder.

#warn
  !hosts = +iank_trusted
  remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report

warn
  !hosts = +iank_trusted
  # Smarthosts connect with residential ips and thus get flagged as spam if we do a spam check.
  !authenticated = plain_server:login_server
  condition = ${if < {$message_size}{5000K}}
  spam = Debian-exim:true
  add_header = X-Spam_score_int: $spam_score_int
  add_header = X-Spam_score: $spam_score
  add_header = X-Spam_bar: $spam_bar
  add_header = X-Spam_report: $spam_report
  add_header = X-Spam_action: $spam_action


#accept
#  spf = pass:fail:softfail:none:neutral:permerror:temperror
#  dmarc_status = reject:quarantine
#  add_header = Reply-to: dmarctest@iankelling.org

EOF


# old file
rm -fv /etc/exim4/conf.d/router/8{8,9}0_backup_copy \
   /etc/exim4/conf.d/router/865_backup_redir \
   /etc/exim4/conf.d/router/870_backup_local

# It is important for this to exist everywhere except in MAIL_HOST
# non-nn config. Previously, just had it in the nn-config on MAIL_HOST,
# but that is a problem if we change mail host and still have something
# in the queue which was destined for this router, but hosts were
# unreachable, the routers will be reevaluated on the next retry.
u /etc/exim4/conf.d/router/170_backup_copy <<EOF
### router/900_exim4-config_local_user
#################################

backup_copy:
driver = manualroute
domains = eximbackup.b8.nz
transport = backup_remote
ignore_target_hosts = ${HOSTNAME}wg.b8.nz
# note changes here also require change in passwd.client
route_list = * eximbackup.b8.nz
same_domain_copy_routing = yes
errors_to = alerts@iankelling.org
no_more
EOF


# exim4-config transports are the same as default except for
# message_linelength_limit = 2097152
#
# TODO: copy the defaults into their own file, and setup a cronjob so
# that if file.dpkg-dist shows up, and it is different, we get an alert.

u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
### transport/30_exim4-config_remote_smtp_smarthost
#################################

# This transport is used for delivering messages over SMTP connections
# to a smarthost. The local host tries to authenticate.
# This transport is used for smarthost and satellite configurations.

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  message_linelength_limit = 2097152
  multi_domain
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
  protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
.endif
EOF

u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
### transport/30_exim4-config_remote_smtp
#################################
# This transport is used for delivering messages over SMTP connections.

remote_smtp:
  debug_print = "T: remote_smtp for $local_part@$domain"
  driver = smtp
  message_linelength_limit = 2097152
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
.ifdef REMOTE_SMTP_INTERFACE
  interface = REMOTE_SMTP_INTERFACE
.endif
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_IDENTITY
dkim_identity = DKIM_IDENTITY
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
.ifdef DKIM_TIMESTAMPS
dkim_timestamps = DKIM_TIMESTAMPS
.endif
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
.endif

EOF

u /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
backup_remote:
  driver = smtp
  multi_domain
  message_linelength_limit = 2097152
  hosts_require_auth = *
  hosts_try_auth = *
  envelope_to_add
  # manual return path because we want it to be the envelope sender
  # we got not the one we are using in this smtp transport
  headers_add = "Return-path: $sender_address"
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
.endif
EOF

u /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################

# This router matches local user mailboxes. If the router fails, the error
# message is "Unknown user".
local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = +local_domains
# ian: default file except where mentioned.
# ian: commented this. I get all local parts. for bk, an rcpt
# check handles checking with dovecot, and the only router
# after this is root.
#  local_parts = ! root
  transport = LOCAL_DELIVERY
  cannot_route_message = Unknown user
# ian: added for + addressing.
  local_part_suffix = +*
  local_part_suffix_optional
EOF
u /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
  driver = lmtp
  socket = /var/run/dovecot/lmtp
  #maximum number of deliveries per batch, default 1
  batch_max = 200
  envelope_to_add
EOF

u /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF'
# same as debians 30_exim4-config_remote_smtp, but
# with interface added at the end.

remote_smtp_vpn:
  debug_print = "T: remote_smtp_vpn for $local_part@$domain"
  driver = smtp
  message_linelength_limit = 2097152
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
.endif
  interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4
EOF

u /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF'
# ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp

smarthost_dkim:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  message_linelength_limit = 2097152
  multi_domain
  hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
        {\
        ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
        }\
        {} \
      }
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
  hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
  hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
  tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
  tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
.endif
.ifdef REMOTE_SMTP_HEADERS_REWRITE
  headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
.endif
.ifdef REMOTE_SMTP_RETURN_PATH
  return_path = REMOTE_SMTP_RETURN_PATH
.endif
.ifdef REMOTE_SMTP_HELO_DATA
  helo_data=REMOTE_SMTP_HELO_DATA
.endif
.ifdef TLS_DH_MIN_BITS
tls_dh_min_bits = TLS_DH_MIN_BITS
.endif
.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
.endif
.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
.endif
.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
  headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
.endif
.ifdef DKIM_DOMAIN
dkim_domain = DKIM_DOMAIN
.endif
.ifdef DKIM_SELECTOR
dkim_selector = DKIM_SELECTOR
.endif
.ifdef DKIM_PRIVATE_KEY
dkim_private_key = DKIM_PRIVATE_KEY
.endif
.ifdef DKIM_CANON
dkim_canon = DKIM_CANON
.endif
.ifdef DKIM_STRICT
dkim_strict = DKIM_STRICT
.endif
.ifdef DKIM_SIGN_HEADERS
dkim_sign_headers = DKIM_SIGN_HEADERS
.endif
EOF


cat >/etc/exim4/update-exim4.conf.conf  <<'EOF'
# default stuff, i havent checked if its needed
dc_minimaldns='false'
CFILEMODE='644'
dc_use_split_config='true'
dc_mailname_in_oh='true'
EOF


# * radicale
if mailhost; then
  if ! mountpoint /o; then
    echo "error /o is not a mountpoint" >&2
    exit 1
  fi

  # davx/davdroid setup instructions at the bottom

  # main docs:
  # http://radicale.org/user_documentation/
  # https://davdroid.bitfire.at/configuration/

  # note on debugging: if radicale can't bind to the address,
  # in the log it just says "Starting Radicale". If you run
  # it in the foreground, it will give more info. Background
  # plus debug does not help.
  # sudo -u radicale radicale -D

  # created password file with:
  # htpasswd -c /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd
  # chmod 640 /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd
  # # setup chgrp www-data in ./conflink

  pi-nostart radicale
  m usermod -a -G radicale iank

  u /etc/systemd/system/radicale.service.d/override.conf <<EOF
[Unit]

After=network.target network-online.target mailnn.service $vpnser

Wants=$vpnser
JoinsNamespaceOf=mailnn.service
StartLimitIntervalSec=0

[Service]
PrivateNetwork=true
BindPaths=$bindpaths
Restart=always
# time to sleep before restarting a service
RestartSec=20

[Install]
# for openvpn
RequiredBy=$vpnser
EOF


  # use persistent uid/gid
  IFS=:; read -r _ _ uid _ < <(getent passwd radicale ); unset IFS
  IFS=:; read -r _ _ gid _ < <(getent group radicale ); unset IFS
  if [[ $uid != 609 ]]; then
    m systemctl stop radicale ||:
    m usermod -u 609 radicale
    m groupmod -g 609 radicale
    m usermod -g 609 radicale
  fi
  m find /o/radicale  -xdev -exec chown -h 609 {} +
  m find /o/radicale -xdev -exec chgrp -h 609 {} +


  # I moved /var/lib/radicale after it's initialization.
  # I did a sudo -u radicale git init in the collections subfolder
  # after it gets created, per the git docs.
  m /a/exe/lnf -T /o/radicale /var/lib/radicale

  # from https://www.williamjbowman.com/blog/2015/07/24/setting-up-webdav-caldav-and-carddav-servers/

  # more config is for li in distro-end

  # coment in this file says this is needed for it to run on startup
  sed -ri 's/^\s*#+\s*(ENABLE_RADICALE\s*=\s*yes\s*)/\1/' /etc/default/radicale

  # comments say default is 0.0.0.0:5232
  m setini hosts 10.8.0.4:5232 server
  # https://radicale.org/2.1.html
  m setini type http_x_remote_user auth


  # disable power management feature, set to 240 min sync interval,
  # so it shouldn't be bad.

  # davx^5 from f-droid
  # login with url and user name
  # url https://cal.iankelling.org/ian
  # username ian
  # pass, see password manager for radicale
  #
  # add account dialog:
  #
  # set account name as ian@iankelling.org, per help text below the
  # field.
  #
  # switch to groups are per-contact categories,
  # per https://davdroid.bitfire.at/configuration/radicale/
  #
  #
  # After setting up account, I added one address book, named
  # ianaddr. calender was already created, named ian. checked boxes under
  # both. synced.
  #
  # To restore from old phone to new phone, I wiped all data out, then copied over the newly created files. I think
  #
  # ignorable background info:
  #
  # opentasks uses the calendar file.
  #
  # The address book I created got a uuid as a name for the file. Note
  # the .props file says if it's a calendar or addressbook.
  #
  # When debugging, tailed /var/log/radicale/radicale.log and apache log,
  # both show the requests happening. Without creating the address book,
  # after creating a contact, a sync would delete it.
  #
  # Address books correspond to .props files in the radicale dir.
  #
  #  Some background is here,
  # https://davdroid.bitfire.at/faq/entry/cant-manage-groups-on-device/
  # which shows separate vcard option is from rfc 6350, the other is 2426,
  # radicale page says it implements the former not the latter,
  # which conflicts with the documentation of which to select, but whatever.
  # http://radicale.org/technical_choices/
  # https://davdroid.bitfire.at/faq/entry/cant-manage-groups-on-device/
  #
  # Note, url above says only cayanogenmod 13+ and omnirom can manage groups.

  # Note, radicale had built-in git support to track changes, but they
  # removed it in 2.0.

fi

# * dovecot

# ** $MAIL_HOST|bk|je)
case $HOSTNAME in
  $MAIL_HOST|bk|je)
    # based on a little google and package search, just the dovecot
    # packages we need instead of dovecot-common.
    #
    # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
    # directly.  The reason to do this is to use dovecot\'s sieve, which
    # can generally do more than exims filters (a few things less) and
    # sieve has the benefit of being supported in postfix and
    # proprietary/weird environments, so there is more examples on the
    # internet.
    pi-nostart dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite sqlite3

    for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
      if [[ -e $f ]]; then
        m rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
        break
      fi
    done
    for f in /p/c/subdir_files/sieve/*sieve /a/bin/ds/subdir_files/sieve/*sieve; do
      m sudo -u $u /a/exe/lnf -v -T $f $uhome/sieve/${f##*/}
    done

    # https://wiki.dovecot.org/SSL/DovecotConfiguration
    u /etc/dovecot/dhparam <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
jorwiwtr2i9E6TXQp0noT/7VFeHulIkayTeW8JulINdMHs+oLylv16McGCIrxbkM
8D1PuO0TP/CNDs2QbRvJ1RjY3CeGpxMhrSHVgBCUMwnA2cvz3bYjI7UMYMMDPNrE
PLrwsYzXGGCdJsO2vsmmqqgLsZiapYJlUNjfiyWLt7E2H6WzkNB3VIhIPfLqFDPK
xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg==
-----END DH PARAMETERS-----
EOF
    {

      if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
        cat <<'EOF'
ssl_cert = </etc/exim4/fullchain.pem
ssl_key = </etc/exim4/privkey.pem
EOF
      else
        # We have a lets encrypt hooks that puts things here.
        # This is just for bk, which uses the vpn cert in exim
        # for sending mail, but the local hostname cert for
        # dovecot.
        cat <<'EOF'
ssl_cert = </etc/exim4/exim.crt
ssl_key = </etc/exim4/exim.key
EOF
      fi

      cat <<'EOF'
# https://ssl-config.mozilla.org
ssl = required
# this is the same as the certbot list, i check changes in /a/bin/ds/filesystem/usr/local/bin/check-lets-encrypt-ssl-settings
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_protocols = TLSv1.2
ssl_prefer_server_ciphers = no

protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
# default is just $mail_plugins
  mail_plugins = $mail_plugins sieve
}
EOF
      if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge 1:2.3; then
        cat <<EOF
ssl_dh = </etc/dovecot/dhparam
EOF
      fi
    } >/etc/dovecot/local.conf

    ;;&

  # **  $MAIL_HOST)
  $MAIL_HOST)
    # If we changed 90-sieve.conf and removed the active part of the
    # sieve option, we wouldn\'t need this, but I\'d rather not modify a
    # default config if not needed. This won\'t work as a symlink in /a/c
    # unfortunately.
    m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve

    if [[ ! -e $uhome/sieve/personal.sieve ]]; then
      m touch $uhome/sieve/personal{,end}{,test}.sieve
    fi

    rm -fv /etc/dovecot/conf.d/20-lmtp.conf # file from prev version
    cat >>/etc/dovecot/local.conf <<EOF
# simple password file based login
!include conf.d/auth-passwdfile.conf.ext

# ian: %u is used for alerts user vs iank
mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
mail_uid = $u
mail_gid = $u

protocol lmtp {
# For a normal setup with exim, we need something like this, which
# removes the domain part
#  auth_username_format = %Ln
#
#  or else # Exim says something like
#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
# Dovecot verbose log says something like
# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
# reference: http://wiki.dovecot.org/LMTP/Exim
#
# However, I use this to direct all mail to the same inbox.
# A normal way to do this, which I did at first is to have
# a router in exim almost at the end, eg 950,
#local_catchall:
#  debug_print = "R: catchall for \$local_part@\$domain"
#  driver = redirect
#  domains = +local_domains
#  data = $u
# based on
# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
# with superflous options removed.
# However, this causes the envelope to be rewritten,
# which makes filtering into mailboxes a little less robust or more complicated,
# so I've done it this way instead. it also requires
# modifying the local router in exim.
  auth_username_format = $u
}
EOF
    ;;&
  # **  bk|je)
  bk|je)
    chown -R mail.mail /m/md

    f=/etc/dovecot/conf.d/10-auth.conf
    if [[ -e $f ]]; then
      mv $f $f-iank-disabled
    fi

    cat >>/etc/dovecot/local.conf <<EOF
!include /etc/dovecot/local.conf.ext

# for debugging info, uncomment these.
# logs go to syslog and to /var/log/mail.log
#auth_verbose=yes
#mail_debug=yes


protocol lmtp {
# This downcases the localpart. default is case sensitive.
# case sensitive local part will miss out on valid email when some person or system
# mistakenly capitalizes things.
  auth_username_format = %Lu
}

# make 147 only listen on localhost, plan to use for nextcloud.
# copied from mailinabox
service imap-login {
  inet_listener imap {
    address = 127.0.0.1
  }
}
# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dovecot_authenticator.html
service auth {
  unix_listener auth-client {
    user = Debian-exim
    group = Debian-exim
  }
}


plugin {
  sieve_before = /etc/dovecot/sieve-spam.sieve
  # from mailinabox
  sieve = /m/sieve/%d/%n.sieve
  sieve_dir = /m/sieve/%d/%n
}


# all taken from mailinabox.
mail_location = maildir:/m/md/%d/%n
# meh, ok.
mail_privileged_group = mail
# By default Dovecot allows users to log in only with UID numbers 500 and above. mail is 8
first_valid_uid = 1

# todo: test these changes in the universal config
# mailboxes taken from mailinabox but removed
# settings duplicate to defaults
namespace inbox {
  mailbox INBOX {
    auto = subscribe
  }
  mailbox Spam {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Drafts {
    auto = subscribe
  }
  mailbox Sent {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
  }
  mailbox Archive {
    special_use = \Archive
    auto = subscribe
  }
}
auth_mechanisms = plain login
EOF

    u /etc/dovecot/sieve-spam.sieve <<'EOF'
require ["regex", "fileinto", "imap4flags"];

if allof (header :regex "X-Spam-Status" "^Yes") {
  fileinto "Spam";
  stop;
}
EOF

    u /etc/dovecot/local.conf.ext <<'EOF'
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}

EOF

    u /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
# from mailinabox
driver = sqlite
# for je and bk, populated the testignore users for the relevant domains
connect = /m/rc/users.sqlite
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u';
iterate_query = SELECT email AS user FROM users;
EOF
    m chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions

    # db needs to be in a www-data writable directory
    db=/m/rc/users.sqlite
    if [[ ! -s $db ]]; then
      m mkdir -p /m/rc
      m sqlite3 $db <<'EOF'
CREATE TABLE users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
email TEXT NOT NULL UNIQUE,
password TEXT NOT NULL,
extra,
privileges TEXT NOT NULL DEFAULT '');
EOF
    fi
    # users.sqlite is saved into /p/c/machine_specific, so update it there!.
    #
    # example of adding a user:
    # hash: doveadm pw -s SHA512-CRYPT -p passhere
    # sqlite3 /m/rc/users.sqlite <<'EOF'
    #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
    #EOF
    # update users set password = 'hash' where email = 'testignore@bk.b8.nz';

    # this should be at the end since it requires a valid dovecot config
    m sievec /etc/dovecot/sieve-spam.sieve
    ;;&
  # **  bk)
  bk)
    # roundcube uses this
    mkdir -p /m/sieve
    chown mail.mail /m/sieve
    m pi dovecot-managesieved
    ;;
esac

# * thunderbird autoconfig setup

bkdomains=(expertpathologyreview.com amnimal.ninja)
if [[ $HOSTNAME == bk ]]; then
  for domain in ${bkdomains[@]}; do
    m /a/exe/web-conf apache2 autoconfig.$domain
    dir=/var/www/autoconfig.$domain/html/mail
    m mkdir -p $dir
    # taken from mailinabox
    u $dir/config-v1.1.xml <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
    <emailProvider id="$domain">
      <domain>$domain</domain>

      <displayName>$domain Mail</displayName>
      <displayShortName>$domain</displayShortName>

      <incomingServer type="imap">
         <hostname>mail2.iankelling.org</hostname>
         <port>993</port>
         <socketType>SSL</socketType>
         <username>%EMAILADDRESS%</username>
         <authentication>password-cleartext</authentication>
      </incomingServer>

      <outgoingServer type="smtp">
         <hostname>mail2.iankelling.org</hostname>
         <port>587</port>
         <socketType>STARTTLS</socketType>
         <username>%EMAILADDRESS%</username>
         <authentication>password-cleartext</authentication>
         <addThisServer>true</addThisServer>
         <useGlobalPreferredServer>false</useGlobalPreferredServer>
      </outgoingServer>

      <documentation url="https://$domain/">
         <descr lang="en">$domain website.</descr>
      </documentation>
    </emailProvider>

    <webMail>
      <loginPage url="https://$domain/roundcube" />
      <loginPageInfo url="https://$domain/roundcube" >
        <username>%EMAILADDRESS%</username>
        <usernameField id="rcmloginuser" name="_user" />
        <passwordField id="rcmloginpwd" name="_pass" />
        <loginButton id="rcmloginsubmit" />
      </loginPageInfo>
    </webMail>
    <clientConfigUpdate url="https://autoconfig.$domain/mail/config-v1.1.xml" />
</clientConfig>
EOF
  done
fi

# * roundcube setup

if [[ $HOSTNAME == bk ]]; then

  # zip according to /installer
  # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
  # $config['enable_installer'] = true;
  pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm

  ### begin composer install
  # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
  # cd $(mktemp -d)
  # sum="$(wget -q -O - https://composer.github.io/installer.sig)"
  # m php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  # if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then
  #   echo 'ERROR: Invalid composer installer checksum' >&2
  #   rm -fv composer-setup.php
  #   exit 1
  # fi
  # m php composer-setup.php --quiet
  # rm -fv composer-setup.php
  # m mv composer.phar /usr/local/bin

  # the above method gets composer2, carddav plugin at least doesnt work with that
  # yet, it was just released 10-24-2020.
  m cd /usr/local/bin
  m wget -nv -N https://getcomposer.org/composer-1.phar
  chmod +x composer-1.phar
  ### end composer install

  rcdirs=(/usr/local/lib/rcexpertpath /usr/local/lib/rcninja)
  ncdirs=(/var/www/ncninja)
  ncdirs=(/var/www/ncexpertpath /var/www/ncninja)
  # point debian cronjob to our local install, preventing daily cron error

  # debian's cronjob will fail, remove both paths it uses just to be sure
  rm -fv /usr/share/roundcube/bin/cleandb.sh /etc/cron.d/roundcube-core

  #### begin dl roundcube
  # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
  v=1.4.13; f=roundcubemail-$v-complete.tar.gz
  cd /root
  if [[ -e $f ]]; then
    timestamp=$(stat -c %Y $f)
  else
    timestamp=0
  fi
  m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f
  new_timestamp=$(stat -c %Y $f)
  for rcdir in ${rcdirs[@]}; do
    if [[ $timestamp != "$new_timestamp" ||  ! -e "$rcdir/config/secret" ]]; then
      m tar -C /usr/local/lib --no-same-owner -zxf $f
      m rm -rf $rcdir
      m mv /usr/local/lib/roundcubemail-$v $rcdir
    fi
  done
  #### end dl roundcube

  for ((i=0; i < ${#bkdomains[@]}; i++)); do
    domain=${bkdomains[i]}
    rcdir=${rcdirs[i]}
    rcbase=${rcdir##*/}
    ncdir=${ncdirs[i]}
    myncdir=/root/${ncdir##*/}
    mkdir -p $myncdir

    # copied from debians cronjob
    u /etc/cron.d/$rcbase <<EOF
#  Roundcube database cleaning: finally removes all records that are
#  marked as deleted.
0   5  *   *   *   www-data $rcdir/bin/cleandb.sh >/dev/null
EOF

    m /a/exe/web-conf - apache2 $domain <<EOF
Alias /roundcube $rcdir
### begin roundcube settings
# taken from /etc/apache2/conf-available/roundcube.conf version 1.4.8+dfsg.1-1~bpo10+1
<Directory $rcdir/>
  Options +FollowSymLinks
  # This is needed to parse $rcdir/.htaccess.
  AllowOverride All
  Require all granted
</Directory>
# Protecting basic directories:
<Directory $rcdir/config>
  Options -FollowSymLinks
  AllowOverride None
</Directory>
### end roundcube settings


### begin nextcloud settings
Alias /nextcloud "$ncdir/"
<Directory $ncdir/>
  Require all granted
  AllowOverride All
  Options FollowSymLinks MultiViews

  <IfModule mod_dav.c>
    Dav off
  </IfModule>

</Directory>

# based on install checker, links to
# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery
# their example was a bit wrong, I figured it out by adding
# LogLevel warn rewrite:trace5
# then watching the apache logs

RewriteEngine on
RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
### end nextcloud settings
EOF
    if [[ ! -e $rcdir/config/secret ]]; then
      base64 </dev/urandom | head -c24 >$rcdir/config/secret || [[ $? == 141 || ${PIPESTATUS[0]} == 32 ]]
    fi
    secret=$(cat $rcdir/config/secret)

    rclogdir=/var/log/$rcbase
    rctmpdir=/var/tmp/$rcbase
    rcdb=/m/rc/$rcbase.sqlite
    # config from mailinabox
    u $rcdir/config/config.inc.php <<EOF
<?php
\$config = array();
# debian creates this for us
\$config['log_dir'] = '$rclogdir/';
# debian also creates a temp dir, but it is under its install dir,
# seems better to have our own.
\$config['temp_dir'] = '$rctmpdir/';
\$config['db_dsnw'] = 'sqlite:///$rcdb?mode=0640';
\$config['default_host'] = 'ssl://localhost';
\$config['default_port'] = 993;
\$config['imap_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name'  => false,
   ),
 );
\$config['imap_timeout'] = 15;
\$config['smtp_server'] = 'tls://127.0.0.1';
\$config['smtp_conn_options'] = array(
  'ssl'         => array(
     'verify_peer'  => false,
     'verify_peer_name'  => false,
   ),
 );
\$config['product_name'] = 'webmail';
\$config['des_key'] = '$secret';
\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav', 'html5_notifier');
\$config['skin'] = 'elastic';
\$config['login_autocomplete'] = 2;
\$config['password_charset'] = 'UTF-8';
\$config['junk_mbox'] = 'Spam';
# disable builtin addressbook
\$config['address_book_type'] = '';
?>
EOF

    m mkdir -p $rclogdir
    m chmod 750 $rclogdir
    m chown www-data:adm $rclogdir
    # note: subscribed to updates:
    # r2e add rcmcarddav https://github.com/blind-coder/rcmcarddav/commits/master.atom ian@iankelling.org
    # r2e add roundcube https://github.com/roundcube/roundcubemail/releases.atom ian@iankelling.org
    m mkdir -p $rctmpdir /m/rc
    m chown -R www-data.www-data $rctmpdir /m/rc
    m chmod 750 $rctmpdir
    # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
    # todo: check for other mailinabox things
    m sudo -u www-data touch $rclogdir/errors.log

    #### begin carddav install
    # This is the official roundcube carddav repo.
    # Install doc suggests downloading with composer, but that
    # didnt work, it said some ldap package for roundcube was missing,
    # but I dont want to download some extra ldap thing.
    # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md
    verf=$rcdir/plugins/carddav/myversion
    upgrade=false
    install=false
    v=4.0.0
    if [[ -e $verf ]]; then
      if [[ $(cat $verf) != "$v" ]]; then
        install=true
        upgrade=true
      fi
    else
      install=true
    fi
    if $install; then
      m rm -rf $rcdir/plugins/carddav
      tmpd=$(mktemp -d)
      m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz
      cd $rcdir/plugins
      tar xzf $tmpd/t.tgz
      rm -rf $tmpd
      m chown -R www-data:www-data $rcdir/plugins/carddav
      m cd $rcdir/plugins/carddav
      if $upgrade; then
        m sudo -u www-data composer-1.phar update --no-dev
      else
        m sudo -u www-data composer-1.phar install --no-dev
      fi
      m chown -R root:root $rcdir/plugins/carddav
      echo $v >$verf
    fi

    # So, strangely, this worked in initial testing, but then
    # on first run it wouldn't show the existing contacts until
    # I went into the carddav settings and did "force immediate sync",
    # which seemed to fix things. Note, some of these settings
    # get initalized per/addressbook in the db, then need changing
    # there or through the settings menu.

    # About categories, see https://www.davx5.com/tested-with/nextcloud
    # https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md
    u $rcdir/plugins/carddav/config.inc.php <<EOF;
<?php
\$prefs['_GLOBAL']['hide_preferences'] = false;
\$prefs['davserver'] = array(
# name in the UI is kind of dumb. This is just something short that seems to fit ok.
  'name'         =>  'Main',
  'username'     =>  '%u', // login username
  'password'     =>  '%p', // login password
  'url'          =>  'https://$domain/nextcloud/remote.php/dav/addressbooks/users/%u/contacts',
  'active'       =>  true,
  'readonly'     =>  false,
  'refresh_time' => '00:10:00',
  'fixed'        =>  array('username','password'),
  'use_categories' => false,
  'hide'        =>  false,
);
?>
EOF
    #### end carddav install

    cd $rcdir/plugins
    if [[ ! -d html5_notifier ]]; then
      m git clone https://github.com/stremlau/html5_notifier
    fi
    cd $rcdir/plugins/html5_notifier
    m git pull --rebase

    # todo: try out roundcube plugins: thunderbird labels

    # Password changing plugin settings
    cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
# following are from mailinabox
$config['password_minimum_length'] = 8;
$config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite';
$config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u';
$config['password_dovecotpw'] = '/usr/bin/doveadm pw';
$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
$config['password_dovecotpw_with_method'] = true;
EOF
    # so PHP can use doveadm, for the password changing plugin
    m usermod -a -G dovecot www-data
    m usermod -a -G mail $u

    # so php can update passwords
    m chown www-data:dovecot /m/rc/users.sqlite
    m chmod 664 /m/rc/users.sqlite

    # Run Roundcube database migration script (database is created if it does not exist)
    m $rcdir/bin/updatedb.sh --dir $rcdir/SQL --package roundcube
    m chown www-data:www-data $rcdb
    m chmod 664 $rcdb
  done # end loop over domains and rcdirs

  ### begin php setup for rc ###
  # Enable PHP modules.
  m phpenmod -v php mcrypt imap
  # dpkg says this is required.
  # nextcloud needs these too
  m a2enmod proxy_fcgi setenvif
  fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
  phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
  m a2enconf $fpm
  # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
  # /etc/apache2/conf-enabled/php7.3-fpm.conf
  m a2dismod php$phpver
  # according to /install, we should set date.timezone,
  # but that is dumb, the system already has the right zone in
  # $rclogdir/errors.log
  # todo: consider other settings in
  # /a/opt/mailinabox/setup/nextcloud.sh
  u /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
apc.enable_cli = 1
EOF

  u /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
date.timezone = "America/New_York"
# for nextcloud
upload_max_filesize = 2000M
post_max_size = 2000M
# install checker, nextcloud/settings/admin/overview
memory_limit = 512M
EOF
  m systemctl restart $fpm
  # dunno if reload/restart is needed
  m systemctl reload apache2
  # note bk backups are defined in crontab outside this file
  ### end php setup for rc ###

fi # end roundcube setup

# * nextcloud setup

if [[ $HOSTNAME == bk ]]; then
  # from install checker, nextcloud/settings/admin/overview and
  # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
  # curl from the web installer requirement, but i switched to cli
  # it recommends php-file info, but that is part of php7.3-common, already got installed
  # with roundcube.
  m pi php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu

  # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
  cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
[www]
clear_env = no
EOF

  for ((i=0; i < ${#bkdomains[@]}; i++)); do
    domain=${bkdomains[i]}
    ncdir=${ncdirs[i]}
    ncbase=${ncdir##*/}
    m cd /var/www
    if [[ ! -e $ncdir/index.php ]]; then
      # if we wanted to only install a specific version, use something like
      # file=latest-22.zip
      file=latest.zip
      m wget -nv -N https://download.nextcloud.com/server/releases/$file
      m rm -rf nextcloud
      m unzip -q $file
      m rm -f $file
      m chown -R www-data.www-data nextcloud
      m mv nextcloud $ncdir
    fi

    if [[ ! -e $myncdir/done-install ]]; then
      m cd $ncdir
      m sudo -u www-data php occ  maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
      m touch $myncdir/done-install
    fi

    # note, strange this happend where updater did not increment the version var,
    # mine was stuck on 20. I manually updated it.
    m cd $ncdir/config
    if [[ ! -e $myncdir/config.php-orig ]]; then
      m cp -a config.php $myncdir/config.php-orig
    fi
    cat $myncdir/config.php-orig - >$myncdir/tmp.php <<EOF
# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
\$CONFIG["mail_smtpmode"] = "sendmail";
\$CONFIG["mail_smtphost"] = "127.0.0.1";
\$CONFIG["mail_smtpport"] = 25;
\$CONFIG["mail_smtptimeout"] = 10;
\$CONFIG["mail_smtpsecure"] = "";
\$CONFIG["mail_smtpauth"] = false;
\$CONFIG["mail_smtpauthtype"] = "LOGIN";
\$CONFIG["mail_smtpname"] = "";
\$CONFIG["mail_smtppassword"] = "";
\$CONFIG["mail_domain"] = "$domain";

# https://github.com/nextcloud/user_external#readme
# plus mailinabox example
#\$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);


# based on installer check
# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';

\$CONFIG['overwrite.cli.url'] = 'https://$domain/nextcloud';
\$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
\$CONFIG['trusted_domains'] = array (
        0 => '$domain',
    );
#\$CONFIG[''] = '';
fwrite(STDOUT, "<?php\n\\\$CONFIG = ");
var_export(\$CONFIG);
fwrite(STDOUT, ";\n");
EOF
    e running php $myncdir/tmp.php
    # note: we leave it around place for debugging
    php $myncdir/tmp.php >config.php
    cd $ncdir
    m sudo -u www-data php occ maintenance:update:htaccess
    list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
    # user_external not compaible with nc 23
    for app in contacts calendar; do
      if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
        cd $ncdir
        m sudo -u www-data php occ app:install $app
      fi
    done
    u /etc/systemd/system/$ncbase.service <<EOF
[Unit]
Description=ncup $ncbase
After=multi-user.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/ncup $ncbase
User=www-data
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
EOF
    u /etc/systemd/system/$ncbase.timer <<EOF
[Unit]
Description=ncup $ncbase timer

[Timer]
OnCalendar=Daily

[Install]
WantedBy=timers.target
EOF
    systemctl enable --now $ncbase.timer
    u /usr/local/bin/ncup <<'EOFOUTER'
#!/bin/bash

source /usr/local/lib/err

m() { printf "%s\n" "$*";  "$@"; }
err-cleanup() {
  echo failed nextcloud update for $ncbase >&2
  # -odf or else systemd will kill the background delivery process
  # and the message will sit in the queue until the next queue run.
  exim -odf -t <<EOF
To: alerts@iankelling.org
From: www-data@$(hostname -f)
Subject: failed nextcloud update for $ncbase

For logs, run: jr -u $ncbase
EOF
}

if [[ $(id -u -n) != www-data ]]; then
  echo error: running as wrong user: $(id -u -n), expected www-data
  exit 1
fi

if [[ ! $1 ]]; then
  echo error: expected an arg, nextcloud relative base dir
  exit 1
fi

ncbase=$1
cd /var/www/$ncbase
# https://docs.nextcloud.com/server/22/admin_manual/maintenance/update.html?highlight=updater+phar
m php /var/www/$ncbase/updater/updater.phar -n
EOFOUTER
    chmod +x /usr/local/bin/ncup

    mkdir -p /var/www/cron-errors
    chown www-data.www-data /var/www/cron-errors
    u /etc/cron.d/$ncbase <<EOF
PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
SHELL=/bin/bash
# https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
*/5  *  *  *  * www-data php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron
EOF

  done
fi


# * exim host conditional config

# ** exim certs

all_dirs=(/p/c/filesystem)
for x in /p/c/machine_specific/*.hosts /a/bin/ds/machine_specific/*.hosts; do
  if grep -qxF $HOSTNAME $x; then all_dirs+=( ${x%.hosts} ); fi
done
files=()
for d in ${all_dirs[@]}; do
  f=$d/etc/exim4/passwd
  if [[ -e $f  ]]; then
    files+=($f)
  fi
  tmp=($d/etc/exim4/*.pem)
  if (( ${#tmp[@]} )); then
    files+=(${tmp[@]})
  fi
done

if (( ${#files[@]} )); then
  sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 ${files[@]} /etc/exim4/
fi


# ** exim: auth

case $HOSTNAME in
  bk|je)
    # avoid accepting mail for invalid users
    # https://wiki.dovecot.org/LMTP/Exim
    cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
deny
  message = invalid recipient
  domains = +local_domains
  !verify = recipient/callout=no_cache
EOF
    u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1
EOF
    ;;
esac
if $bhost_t; then
  u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples
plain_server:
driver = plaintext
public_name = PLAIN
server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
EOF
fi

# ** exim: main daemon use non-default config file
case $HOSTNAME in
  bk|$MAIL_HOST)
    # to see the default comments in /etc/default/exim4:
    # s update-exim4defaults --force --init
    # which will overwrite any existing file
    u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
QUEUEINTERVAL='30m'
COMMONOPTIONS='-C /etc/exim4/my.conf'
UPEX4OPTS='-o /etc/exim4/my.conf'
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
    # make exim be a nonroot setuid program.
    chown Debian-exim:Debian-exim /usr/sbin/exim4
    # needs guid set in order to become Debian-exim
    chmod g+s,u+s /usr/sbin/exim4
    # need this to avoid error on service reload:
    # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
    # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf
    # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
    # note: the daemon gives up and dies after retrying those 9 times.
    # I came upon this by guessing and trial and error.
    setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
    u /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
    ;;
  *)
    # default file
    u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
QUEUEINTERVAL='30m'
EOF
    ;;
esac

# ** exim non-root

case $HOSTNAME in
  bk|je|li)
    # no reason to expect it to ever be there.
    rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
    ;;
  *)
    dirs=()
    for d in /a /d /m /media /mnt /nocow /o /p /q; do
      if [[ -d $d ]]; then
        dirs+=($d)
      fi
    done
    u /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
# https://www.redhat.com/sysadmin/mastering-systemd
# things that seem good and reasonabl.e
PrivateTmp=yes
ProtectHome=yes
# note, in t10 systemd, if one of these is an sshfs mountpoint,
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
InaccessiblePaths=${dirs[@]}
# this gives us the permission denied error:
# socket bind() to port 25 for address (any IPv6) failed: Permission denied
# but we also have to set the file capabilities to avoid the error.
#NoNewPrivileges=yes
ProtectSystem=yes

# when we get newer systemd
#ProtectDevices=yes
EOF
    u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
# see 56.2 Root privilege in exim spec
deliver_drop_privilege = true
EOF
    files=(
      300_exim4-config_real_local
      600_exim4-config_userforward
      700_exim4-config_procmail
      800_exim4-config_maildrop
      mmm_mail4root
    )
    for f in ${files[@]}; do
      echo "# iank: removed due to running nonroot"|u /etc/exim4/conf.d/router/$f
    done
    ;;
esac

case $HOSTNAME in

  # ** $MAIL_HOST|bk|je)
  $MAIL_HOST|bk|je)

    echo|u /etc/exim4/conf.d/router/165_backup_local

    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# note: some things we don't set that are here by default because they are unused.
dc_local_interfaces=''
dc_eximconfig_configtype='internet'
dc_localdelivery='dovecot_lmtp'
EOF
    cat >>/etc/exim4/conf.d/main/000_local <<EOF
# recommended if dns is expected to work
CHECK_RCPT_VERIFY_SENDER = true
# default config comment says: If you enable this, you might reject legitimate mail,
# but eggs has had this a long time, so that seems unlikely.
CHECK_RCPT_SPF = true
CHECK_RCPT_REVERSE_DNS = true
CHECK_MAIL_HELO_ISSUED = true


CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl

# testing dmarc
#dmarc_tld_file = /etc/public_suffix_list.dat

EOF
    ;;&

  # ** $MAIL_HOST|bk)
  $MAIL_HOST|bk)


    # no clamav on je, it has 1.5g memory and clamav uses most of it
    u /etc/exim4/conf.d/clamav_data_acl <<'EOF'
warn
!hosts = +iank_trusted
!authenticated = plain_server:login_server
condition = ${if def:malware_name}
remove_header = Subject:
add_header = Subject: [Clamav warning: $malware_name] $h_subject
log_message = heuristic malware warning: $malware_name
EOF

    cat >>/etc/exim4/conf.d/main/000_local <<EOF
# je.b8.nz will run out of memory with freshclam
av_scanner = clamd:/var/run/clamav/clamd.ctl
EOF

    cat >> /etc/exim4/conf.d/data_local_acl <<'EOF'
deny
  malware = */defer_ok
  !condition = ${if match {$malware_name}{\N^Heuristic\N}}
  message = This message was detected as possible malware ($malware_name).
EOF

    cat >/etc/exim4/conf.d/main/000_local-nn <<EOF
# MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
# smarthost config type, not sure.
# failing message on mail-tester.com:
# We check if there is a server (A Record) behind your hostname kd.
# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
# and this one seemed appropriate from grepping config.
# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
# mail to kd, so this should basically be a name that no host has as their
# canonical hostname since the actual host sits behind a nat and changes.
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
# I used this to avoid sender verification, didnt work but it still
# makes sense based on the spec.
hosts_treat_as_local = defaultnn.b8.nz

# Outside nn, we get the default cert location from a debian macro,
# and the cert file is put in place by a certbot hook.
MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem
EOF

    u /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
gnusmarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
# send most mail through eggs, helps fsfs sender reputation.
# uncomment and optionally move to 188 file to send through my own servers again
  senders = *@gnu.org
  transport = smarthost_dkim
  route_list = * fencepost.gnu.org::587 byname
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more
EOF

    /a/exe/cedit defaultnn /etc/hosts <<'EOF' || [[ $? == 1 ]]
10.173.8.1 defaultnn.b8.nz
EOF
    ;;&
  # ** $MAIL_HOST)
  $MAIL_HOST)

    u /etc/exim4/conf.d/router/195_dnslookup_vpn <<'EOF'
# copied from /etc/exim4/conf.d/router/200_exim4-config_primary, but
# use vpn transport. lower priority so it overrides the default route.
# Use this in case our vpn fails, we dont send anything without it.
.ifdef DCconfig_internet
dnslookup_vpn:
  debug_print = "R: dnslookup for $local_part@$domain"
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp_vpn
  same_domain_copy_routing = yes
  ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; 192.168.0.0/16 ; 172.16.0.0/12 ; 10.0.0.0/8 ; 169.254.0.0/16 ; 255.255.255.255 ; ::/128 ; ::1/128 ; fc00::/7 ; fe80::/10 ; 100::/64
  no_more
.endif
EOF


    # note on backups: I used to do an automatic sshfs and restricted
    # permissions to a specific directory on the remote server, /bu/mnt,
    # which required using a dedicated user, but realized smtp will be
    # more reliable and less fuss. If I ever need that again, see the
    # history of this file, and bum in brc2.
    u /etc/exim4/conf.d/router/161_backup_redir_nn <<'EOF'
backup_redir_nn:
driver = redirect
# b is just an arbirary short string
data = b@eximbackup.b8.nz
condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
# note, to test this, i could temporarily allow testignore.
# alerts avoids potential mail loop. root is already
# redirected earlier, so that is just being overly cautious.
local_parts = ! root : ! testignore : ! alerts
unseen = true
errors_to = alerts@iankelling.org
EOF



    # This allows for forwarded mail to not get most rcpt checks, especially SPF,
    # which would incorrectly get denied.
    u /etc/exim4/host_local_deny_exceptions <<'EOF'
mail.fsf.org
*.posteo.de
EOF

    # cron email from smarthost hosts will automatically be to
    # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
    # case that doesn't work, we still want to accept that mail, but not
    # from any host except the smarthosts. local_hostnames and this rule
    # is for that purpose.
    u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
deny
  !authenticated = *
  domains = +local_hostnames
  message = no relay

# for testing bounce behavior
#deny
#  senders = testlist-bounces+test=zroe.org@fsf.org
#  message = iank-bounce
EOF
    echo|u /etc/exim4/conf.d/router/880_universal_forward


    cat >>/etc/exim4/conf.d/main/000_local <<EOF
MAILDIR_HOME_MAILDIR_LOCATION = /m/md/Sent
EOF


    u /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
# ian: save a copy of sent mail. i thought of other ways to
# do this, for example, to only save sent mail that is not sent
# from my mail client which saves a copy by default, but in the
# end, it seems simplest to turn that off. We want to save
# external mail sent by smarthosts.
sentarchive_nn:
  driver = redirect
  domains = ! +local_domains
  condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
  data    = vojdedIdNejyebni@b8.nz
  unseen
EOF


    # for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
    # and also have mail.iankelling.org whitelisted as a relay domain.
    # I could avoid that if I changed this to submit to 587 with a
    # password like a standard mua.
    u /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
# replaced DCsmarthost with hostname
fsfsmarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  senders = *@fsf.org
  transport = remote_smtp_smarthost
  route_list = * mail.fsf.org::587 byname
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more

posteosmarthost:
  debug_print = "R: smarthost for $local_part@$domain"
  driver = manualroute
  domains = ! +local_domains
  senders = *@posteo.net
  transport = remote_smtp_smarthost
  route_list = * posteo.de::587 byname
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more
EOF

    # Greping /etc/exim4, unqualified mails this would end up as
    # a return path, so it should go somewhere we will see.
    # The debconf output about mailname is as follows:
    # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
    # name.
    # This name will also be used by other programs. It should be the single, fully
    # qualified domain name (FQDN).
    # Thus, if a mail address on the local host is foo@example.org, the correct value for
    # this option would be example.org.
    # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
    echo iankelling.org > /etc/mailname


    # mail.iankelling.org so local imap clients can connect with tls and
    # when they happen to not be local.
    # todo: this should be 10.8.0.4

    /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
# note: i put nn.b8.nz into bind for good measure
10.173.8.2 nn.b8.nz mx.iankelling.org
EOF

    # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
    # weve configured this file in dnsmasq if we are using it.
    /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
server=/mx.iankelling.org/127.0.1.1
EOF
    # I used to use debconf-set-selections + dpkg-reconfigure,
    # which then updates this file
    # but the process is slower than updating it directly and then I want to set other things in
    # update-exim4.conf.conf, so there's no point.
    # The file is documented in man update-exim4.conf,
    # except the man page is not perfect, read the bash script to be sure about things.

    # The debconf questions output is additional documentation that is not
    # easily accessible, but super long, along with the initial default comment in this
    # file, so I've saved that into ./mail-notes.conf.
    #
    # # TODO: remove mx.iankelling.org once systems get updated mail-setup from jan 2022
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
# this is duplicated in a later router.
dc_other_hostnames='iankelling.org;zroe.org;r2e.iankelling.org;mx.iankelling.org;!je.b8.nz;!bk.b8.nz;*.b8.nz;b8.nz'
dc_relay_nets='defaultnn.b8.nz'
EOF


    # dmarc. not used currently
    f=/etc/cron.daily/refresh-dmarc-tld-file
    cat >$f <<'EOF'
#!/bin/bash
cd /etc
wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
EOF
    m chmod 755 $f

    ;;
  # ** bk
  ## we use this host to monitor MAIL_HOST and host a mail server for someone
  bk)


    /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
10.173.8.2 nn.b8.nz
EOF

    sed -r -f - /etc/init.d/exim4  <<'EOF' |u /etc/init.d/exim4in
s,/etc/default/exim4,/etc/default/exim4in,g
s,/run/exim4/exim.pid,/run/exim4/eximin.pid,g
s,(^[ #]*Provides:).*,\1 exim4in,
s,(^[ #]*NAME=).*,\1"exim4in",
EOF
    chmod +x /etc/init.d/exim4in
    u /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF'
[Unit]
# needed to continually restart
StartLimitIntervalSec=0

[Service]
Restart=always
# time to sleep before restarting a service
RestartSec=20
EOF

    u /etc/default/exim4in <<'EOF'
# defaults but no queue runner and alternate config dir
QUEUERUNNER='no'
COMMONOPTIONS='-oP /run/exim4/eximin.pid'
UPEX4OPTS='-d /etc/myexim4'
EOF

    echo bk.b8.nz > /etc/mailname
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
dc_other_hostnames='amnimal.ninja;expertpathologyreview.com;bk.b8.nz'
EOF

    ;;
  # ** je
  je)
    echo je.b8.nz > /etc/mailname
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_other_hostnames='je.b8.nz'
EOF
    ;;
  # ** not MAIL_HOST|bk|je
  *)
    # this one should be removed for all non mail hosts, but
    # bk and je never become mail_host
    echo|u /etc/exim4/conf.d/router/195_dnslookup_vpn
    echo|u /etc/exim4/conf.d/router/160_backup_redir
    echo|u /etc/exim4/conf.d/router/161_backup_redir_nn
    echo|u /etc/exim4/conf.d/router/185_sentarchive
    echo|u /etc/exim4/conf.d/router/186_sentarchive_nn
    echo|u /etc/exim4/conf.d/router/188_exim4-config_smarthost
    echo|u /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost
    echo|u /etc/exim4/conf.d/rcpt_local_acl
    echo|u /etc/exim4/conf.d/main/000_local-nn
    echo|u /etc/exim4/conf.d/clamav_data_acl


    if $bhost_t; then
      cat >>/etc/exim4/conf.d/main/000_local <<EOF
MAIN_TLS_CERTIFICATE = /etc/exim4/certs/$wghost/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/exim4/certs/$wghost/privkey.pem
# so we can maintiain the originals of the backups.
# we wouldnt want this if we were dealing with any other
# local deliveries, but we sent all others to the smarthost
# which then strips the headers.
envelope_to_remove = false
return_path_remove = false
EOF
    fi

    # catches things like cronjob email
    u /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
universal_forward:
  driver = redirect
  domains = +local_domains
  data = alerts@iankelling.org
EOF


    for unit in ${nn_progs[@]}; do
      f=/etc/systemd/system/$unit.service.d/nn.conf
      rm -fv $f
    done

    # dont i dont care if defaultnn section gets left, it wont
    # get used.
    echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
    echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]

    # note: condition duplicated at else
    if $bhost_t; then
      install -d /bu
      install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
      if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
        chown -R Debian-exim:Debian-exim /bu/md
      fi
      u /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
  driver = appendfile
  directory = /bu/md
  delivery_date_add
  # note, no return path or envelope added
  maildir_format
  directory_mode = 0700
  mode = 0644
  mode_fail_narrower = false
EOF

      u /etc/exim4/conf.d/router/165_backup_local <<'EOF'
### router/900_exim4-config_local_user
#################################

backup_local:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  domains = eximbackup.b8.nz
  transport = backup_maildir
EOF

      # Bind to wghole to receive mailbackup.
      wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
      cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_other_hostnames='eximbackup.b8.nz'
dc_local_interfaces='127.0.0.1;::1;$wgholeip'
EOF

      # wghole & thus exim will fail to start without internet connectivity.
      u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
[Unit]
StartLimitIntervalSec=0

[Service]
Restart=always
RestartSec=20
EOF

    else  # if $bhost_t; then
      cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# Note: If theres like a temporary problem where mail gets sent to
# one of these hosts, if exim isnt listening, it will be a temporary error
# instead of a permanent 5xx.
dc_local_interfaces='127.0.0.1;::1'
EOF
      rm -fv /etc/systemd/system/exim4.service.d/backup.conf
    fi
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
EOF

    hostname -f |u /etc/mailname
    cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# The manpage incorrectly states this will do header rewriting, but
# that only happens if we have dc_hide_mailname is set.
dc_readhost='iankelling.org'
# Only used in case of bounces.
dc_localdelivery='maildir_home'
EOF
    ;;
esac




# ** $MAILHOST|bk, things that belong at the end
case $HOSTNAME in
  $MAIL_HOST|bk)
    # config for the non-nn exim. note, it uses not default dir, but we
    # generate that into the default config file
    m rsync -ra --delete --delete-excluded \
      --exclude=/conf.d/router/161_backup_redir_nn \
      --exclude=/conf.d/router/186_sentarchive_nn \
      --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4
    cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
# this makes it easier to see which exim is doing what
log_file_path = /var/log/exim4/my%s
EOF



    cat >/etc/logrotate.d/myexim <<'EOF'
/var/log/exim4/mymain /var/log/exim4/myreject {
        daily
        missingok
        rotate 1000
        delaycompress
        notifempty
        nocreate
}
/var/log/exim4/mypanic {
        size 10M
        missingok
        rotate 10
        compress
        delaycompress
        notifempty
        nocreate
}
EOF

    # If we ever wanted to have a separate spool,
    # we could do it like this.
    #     cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
    # spool_directory = /var/spool/myexim4
    # EOF
    cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_smarthost='nn.b8.nz'
EOF
    ;;&
  bk)

    # config for the non-nn exim
    cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
EOF
    ;;
  $MAIL_HOST)


    u /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
sentarchive:
  driver = redirect
  domains = ! +local_domains
  senders = <; *@fsf.org ; *@posteo.net
  condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
  data    = vojdedIdNejyebni@b8.nz
  unseen
EOF


    u /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
backup_redir:
driver = redirect
# i dont email myself from my own machine much, so lets ignore that.
domains = ! +local_domains
senders = <; *@fsf.org ; *@posteo.net
condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
# b is just an arbirary short string
data = b@eximbackup.b8.nz
# note, to test this, i could temporarily allow testignore.
# alerts avoids potential mail loop.
local_parts = ! root : ! testignore : ! alerts : ! daylert
unseen = true
errors_to = alerts@iankelling.org
EOF



    # for bk, we have a exim4in.service that will do this for us.
    m update-exim4.conf -d /etc/myexim4
    ;;
esac

# * spool dir setup

# ** bind mount setup
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
dir=/nocow/exim4
sdir=/var/spool/exim4
# we only do this if our system has $dir

# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
# about 2 seconds later, exim starts, and immediately puts into paniclog:
# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
# so, im trying a bind mount to get rid of that.
if [[ -e /nocow ]]; then
  if ! grep -Fx "/nocow/exim4  /var/spool/exim4  none  bind  0 0" /etc/fstab; then
    echo "/nocow/exim4  /var/spool/exim4  none  bind  0 0" >>/etc/fstab
  fi
  u /etc/systemd/system/exim4.service.d/override.conf <<'EOF'
[Unit]
# without local-fs on exim, we get these kind of errors in paniclog on shutdown:
# Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
After=local-fs.target

[Service]
ExecStartPre=/usr/local/bin/exim-nn-iptables
EOF
  if ! mountpoint -q $sdir; then
    stopifactive exim4 exim4in
    if [[ -L $sdir ]]; then
      m rm $sdir
    fi
    if [[ ! -e $dir && -d $sdir ]]; then
      m mv $sdir $dir
    fi
    if [[ ! -d $sdir ]]; then
      m mkdir $sdir
      m chmod 000 $sdir # only want it to be used when its mounted
    fi
    m mount $sdir
  fi
fi



# ** exim/spool uid setup
# i have the spool directory be common to distro multi-boot, so
# we need the uid to be the same. 608 cuz it's kind of in the middle
# of the free system uids.
IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
if [[ ! $uid ]]; then
  # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
  m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
    --no-create-home --disabled-login --force-badname Debian-exim
elif [[ $uid != 608 ]]; then
  stopifactive exim4 exim4in
  m usermod -u 608 Debian-exim
  m groupmod -g 608 Debian-exim
  m usermod -g 608 Debian-exim
  m find / /nocow -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 608 {} +
  m find / /nocow -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 608 {} +
fi

# * start / stop services

reifactive dnsmasq nscd

if $reload; then
  m systemctl daemon-reload
fi

# checking bhost_t is redundant, but could help us catch errors.
if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]; then
  # todo: in mail-setup, we have a static list of backup hosts, not *y
  m systemctl --now enable wg-quick@wghole
fi

sysd-prom-fail-install epanicclean
m systemctl --now enable epanicclean

case $HOSTNAME in
  je)
    /a/exe/web-conf apache2 je.b8.nz
    ;;
  bk)
    /a/exe/web-conf apache2 mail2.iankelling.org
    ;;
esac

m /a/bin/ds/mail-cert-cron -1
sre mailcert.timer

case $HOSTNAME in
  $MAIL_HOST|bk)
    m systemctl --now enable mailnn mailnnroute
    ;;&
  $MAIL_HOST)
    # we use dns to start wg
    if $reload; then
      sre unbound
    else
      m systemctl --now enable unbound
    fi
    ;;&
  $MAIL_HOST|bk)
    # If these have changes, id rather manually restart it, id rather
    # not restart and cause temporary errors
    if $reload; then
      sre $vpnser
    else
      m systemctl --now enable $vpnser
    fi
    if ! systemctl is-active clamav-daemon >/dev/null; then
      m systemctl --now enable clamav-daemon
      out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.service /etc/systemd/system)
      if [[ $out ]]; then
        reload=true
      fi

      # note, this will cause paniclog entries because it takes like 45
      # seconds for clamav to start, i use ./epanic-clean to remove
      # them.
    fi
    ;;&
  $MAIL_HOST|bk|je)
    # start spamassassin/dovecot before exim.
    sre dovecot spamassassin
    # Wait a bit before restarting exim, else I get a paniclog entry
    # like: spam acl condition: all spamd servers failed. But I'm tired
    # of waiting. I'll deal with this some other way.
    #
    # sleep 3
    m systemctl --now enable mailclean.timer
    ;;&
  $MAIL_HOST)
    # < 2.1 (eg: in t9), uses a different data format which required manual
    # migration. dont start if we are running an old version.
    if dpkg --compare-versions "$(dpkg -s radicale | awk '$1 == "Version:" { print $2 }')" ge 2.1; then
      m systemctl --now enable radicale
    fi
    ;;&
esac

# for debugging dns issues
case $HOSTNAME in
  je|bk)
    systemctl enable --now logrotate-fast.timer
    ;;
esac

# last use of $reload happens in previous block
rm -f /var/local/mail-setup-reload


case $HOSTNAME in
  $MAIL_HOST|bk|je|li)
    # on li, these are never started, except $vpnser
    :
    ;;
  *)
    soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon
    ;;
esac

sre exim4

case $HOSTNAME in
  $MAIL_HOST)
    m systemctl --now enable mailbindwatchdog
    ;;
  *)
    soff mailbindwatchdog
    ;;
esac


case $HOSTNAME in
  bk) sre exim4in ;;
esac

# * mail monitoring / testing

# note, to test clamav, send an email with body that only contains
# https://en.wikipedia.org/wiki/EICAR_test_file
# which set malware_name to Eicar-Signature
case $HOSTNAME in
  $MAIL_HOST|bk|je)
    # note: cronjob "ian" also does some important monitoring
    # todo: this will sometimes cause an alert because mailtest-check will run
    # before we have setup network namespace and spamassassin
    u /etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin
MAILTO=daylert@iankelling.org
*/5  * * * *   $u send-test-forward |& log-once send-test-forward
*/10 * * * *   root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
# if a bounce happened yesterday, dont let it slip through the cracks
8   1 * * *   root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
EOF


    m sudo rsync -ahhi --chown=root:root --chmod=0755 \
      /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
    u /etc/systemd/system/mailtest-check.service <<'EOF'
[Unit]
Description=mailtest-check
After=local-fs.target
StartLimitIntervalSec=0

[Service]
Type=simple
ExecStart=/usr/local/bin/mailtest-check slow
Restart=always
RestartSec=60

[Install]
WantedBy=graphical.target
EOF
    sysd-prom-fail-install mailtest-check
    sre mailtest-check
    ;;&
  $MAIL_HOST)
    test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
    test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)

    cat >>/etc/cron.d/mailtest <<EOF
# 10 am friday
0   10 * * 5  root echo "weekly alert. You are not in the matrix."
2   * * * *   root check-remote-mailqs |& log-once check-remote-mailqs
EOF
    ;;&
  bk)
    test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
    test_tos=(testignore@iankelling.org testignore@je.b8.nz)
    # We dont need to send from different addresses to the same
    # address. this breaks down our nice elegant logic of building up
    # froms and tos , so I just handle expertpath in a special case
    # below and set the to: to be testignore@zroe.org.  If we did sent
    # that way, it would also mess up our mailtest-check logic that
    # finds which messages to check.
    # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
    # that would become 2 messages and we'd only check 1.
    ;;&
  je)
    test_froms=(testignore@je.b8.nz)
    test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
    ;;&
  $MAIL_HOST|bk|je)

    # Dont put these test messages into the sent folder or else it will
    # overwhelm it, plus i dont want to save a copy at all.
    # Plus addresses we generally want to ignore.
    u /etc/exim4/ignore-sent <<EOF
$(printf "%s\n" ${test_tos[@]})
vojdedIdNejyebni@b8.nz
b@eximbackup.b8.nz
EOF

    cat >/usr/local/bin/send-test-forward <<'EOF'
#!/bin/bash
# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
olds=(
$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
)
if (( ${#olds[@]} )); then
  /usr/sbin/exim -Mrm "${olds[@]}" >/dev/null
fi
EOF
    for test_from in ${test_froms[@]}; do

      test_to=${test_tos[0]}
      for t in ${test_tos[@]:1}; do
        test_to+=", $t"
      done
      case $test_from in
        testignore@expertpathologyreview.com)
          test_to=testignore@zroe.org
          ;;
      esac

      cat >>/usr/local/bin/send-test-forward <<EOFOUTER
/usr/sbin/exim -odf -f $test_from -t <<EOF
From: $test_from
To: $test_to
Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS

/usr/local/bin/send-test-forward
EOF
EOFOUTER
    done
    m chmod +x /usr/local/bin/send-test-forward
    ;;
  *)
    soff mailtest-check.service
    rm -fv /etc/cron.d/mailtest \
       /var/lib/prometheus/node-exporter/mailtest-check.prom* \
       /var/local/cron-errors/check-remote-mailqs*
    ;;
esac



# * misc
m sudo -u $u mkdir -p /home/$u/.cache
set -- /m/mucache /home/$u/.cache/mu /m/.mu /home/$u/.mu
while (($#)); do
  target=$1
  f=$2
  shift 2
  if [[ ! -L $f ]]; then
    if [[ -e $f ]]; then
      rm -rf $f
    fi
    m sudo -u $u ln -sf -T $target $f
  fi
done


# /etc/alias setup is debian specific, and exim postinst script sets up
# an /etc/alias from root to the postmaster, based on the question
# exim4-config exim4/dc_postmaster, as long as there exists an entry for
# root, or there was no preexisting aliases file. postfix won\'t set up
# a root to $postmaster alias if it\'s already installed. Easiest to
# just set it ourselves.

# debconf question for postmaster:
# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
# to the user account of the actual system administrator.
# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
# recommended.
# Note that postmaster\'s mail should be read on the system to which it is directed,
# rather than being forwarded elsewhere, so (at least one of) the users listed here
# should not redirect their mail off this machine. A 'real-' prefix can be used to
# force local delivery.
# Multiple user names need to be separated by spaces.
# Root and postmaster mail recipient:

m exit 0
:

# Local Variables:
# eval: (outline-minor-mode)
# outline-regexp: "\\( *\\)# [*]\\{1,8\\} "
# End:
# this is combined with defining outline-level in init.el