mostly start using prometheus

[distro-setup] / mailtest-check

#!/bin/bash

# Usage: mail-test-check [slow] [anything]
#
# slow: do slow checks, like spamassassin
#
# anything: consider non-interactive, dont print unless something went
# wrong


source /b/errhandle/err

[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"

shopt -s nullglob

e() { $int || return 0; printf "mailtest-check: %s\n" "$*"; }


## Minutes before we give error.
# We run this cronjob along with sending the test email every 5 minutes,
# so give it 1 minute to arrive, then if the latest email is older than
# 7 minutes, the last 2 haven't arrived in a reasonable amount of time.
min_limit=7


# spamassassin checking takes about 8 seconds. only do that every
# once in a while.
slow=false
if [[ $1 == slow ]]; then
  slow=true
  shift
fi

int=false
if [[ $SUDO_USER || $SSH_CONNECTION ]]; then
  int=true
fi

if [[ $1 == int ]]; then
  int=true
fi

if [[ $1 == nonint ]]; then
  int=false
fi


if ! $int; then
  sleep 60
fi

# avoid errors like this:
# Nov  8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: lib/Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 59) line 1.
#Nov  8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: lib/Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 60) line 1.
# i dont know why, i just found the solution online
cd /m/md

case $HOSTNAME in
  bk)
    folders=(/m/md/{expertpathologyreview.com,amnimal.ninja}/testignore)
    froms=(ian@iankelling.org z@zroe.org testignore@je.b8.nz iank@gnu.org)
    ;;
  je)
    froms=(ian@iankelling.org z@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
    folders=(/m/md/je.b8.nz/testignore)
    ;;
  *)
    folders=(/m/md/l/testignore)
    froms=(testignore@je.b8.nz testignore@expertpathologyreview.com testignore@amnimal.ninja ian@iankelling.org z@zroe.org iank@gnu.org)
    if ! $int; then
      timeout 120 rsync --chown iank:iank -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new
    fi
    ;;
esac

getspamdpid() {
  if [[ ! $spamdpid || ! -d /proc/$spamdpid ]]; then
    spamdpid=$(systemctl show --property MainPID --value spamassassin | sed 's/^1$//' ||:)
  fi
}
getspamdpid
pr() {
  cat >>/var/lib/prometheus/node-exporter/mailtest-check.prom.$$
}
pr <<EOF
mailtest_check_found_spamd_pid_bool $(( ${spamdpid:-0} > 0 ))
EOF
e spamdpid: $spamdpid
if [[ ! $spamdpid ]]; then
  echo $HOSTNAME mailtest spamd pid not found. systemctl status spamassassin:
  systemctl status spamassassin
fi
tmpfile=$(mktemp)
declare -i unexpected=0
for folder in ${folders[@]}; do
  for from in ${froms[@]}; do
    latest=
    last_sec=0

    if ! grep -rlFx "From: $from" $folder/{new,cur} >$tmpfile; then
      e "no message found from: $from"
      continue
    fi
    # webmail sends them to cur it seems
    while read -r file; do
      if [[ $file -nt $latest ]]; then
        latest=$file
      fi
    done <$tmpfile

    if [[ ! $latest ]]; then
      # 10 is an arbitrary bad value
      unexpected+=10
    else
      to=$(awk '/^Envelope-to: / {print $2}' $latest)
      last_sec=$(awk '/^Subject: / {print $4}' $latest)

      if $slow; then
        if ! $int; then
          find $folder/new $folder/cur -type f -mmin +1080 -delete
        fi
        getspamdpid
        if [[ $spamdpid ]]; then
          if [[ $(readlink /proc/$$/ns/net) != "$(readlink /proc/$spamdpid/ns/net)" ]]; then
            spamcpre="nsenter -t $spamdpid -n -m"
          fi

          declare -A results
          # pyzor fails for our test message, so dont put useless load on their
          # servers.
          # example line that sed is parsing:
          # (-0.1 / 5.0 requ) DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001,TVD_SPACE_RATIO=0.001 autolearn=_AUTOLEARN
          for r in $($spamcpre sudo -u Debian-exim spamassassin -t --cf='score PYZOR_CHECK 0' <"$latest" | tail -n2 | head -n1 | sed -r 's/^\([^)]*\) *//;s/=[^, ]*([, ]|$)/ /g'); do
            case $r in
              # got this in an update 2022-01. dun care
              T_SCC_BODY_TEXT_LINE|SCC_BODY_SINGLE_WORD) : ;;
              # we have a new domain, ignore this.
              # it seems like some versions of spamassassin do BODY_SINGLE_WORD, others dont, we dun care.
              # bayes_00 is a new one indicating ham, we dont care if its missing.
              BAYES_00|BODY_SINGLE_WORD|FROM_FMBLA_NEWDOM*|autolearn) : ;;
              SPF_HELO_NEUTRAL)
                # some of my domains use neutral spf, treat them the same.
                results[SPF_HELO_PASS]=t
                ;;
              *)
                results[$r]=t
                ;;
            esac
          done
          # debugging
          # e results = ${!results[@]}
          missing=()

          keys=(DKIM_SIGNED DKIM_VALID{,_AU,_EF} SPF_HELO_PASS SPF_PASS TVD_SPACE_RATIO)
          if [[ $to == *@gnu.org && $from == *@gnu.org ]]; then
            keys=(ALL_TRUSTED TVD_SPACE_RATIO)
          elif [[ $to == *@gnu.org ]]; then
            # eggs has RCVD_IN_DNSWL_MED
            keys+=(RCVD_IN_DNSWL_MED)
          elif [[ $from == *@gnu.org ]]; then
            # eggs has these
            keys+=(RCVD_IN_DNSWL_MED DKIMWL_WL_HIGH)
          fi

          for t in  ${keys[@]}; do
            if [[ ${results[$t]} ]]; then
              unset "results[$t]"
            elif [[ $t == DKIM_VALID_EF && $from == *@[^.]*.[^.]*.[^.]* ]]; then
              :
              # third level domains dont hit this. its because
              # /usr/share/perl5/Mail/SpamAssassin/Plugin/DKIM.pm checks
              # if its signed with the registryboundaries domain. afaik:
              # we need the actual domain to sign it, this would result in
              # a second signature. I only use second level domains for
              # testing atm, fsf doesnt use them for anything but the
              # forum and I dont expect that to have any deliverability
              # problems.  So, not bothering atm.
            else
              missing+=($t)
            fi
          done
          if (( ${#results[@]} || ${#missing[@]} )); then
            printf "$HOSTNAME spamtest %s/%s\n" "$latest"
            if (( ${#results[@]} )); then
              printf "unexpected %s" "${!results[*]} "
            fi
            if (( ${#missing[@]} )); then
              printf "missing %s" "${missing[*]}"
            fi
            echo
            echo mailtest-check: cat $latest:
            cat $latest
            echo mailtest-check: end of cat
            printf "$(tput setaf 5 2>/dev/null ||:)█$(tput sgr0 2>/dev/null||:)%.0s" $(eval echo "{1..${COLUMNS:-60}}")
          fi
        fi # if spamdpid
      fi # if $slow
    fi # if [[ $latest ]]

    now=$(date +%s)
    limit=$(( now - 60 * min_limit ))
    age_sec=$(( now - last_sec ))
    e $((age_sec / 60)):$(( age_sec % 60 )) ago. to:$to from:$from $latest

    if (( last_sec <= limit )); then
      echo $HOSTNAME mailtest $folder $from $(date -d @$last_sec +'%a %m-%d %H:%M')
    fi
    # usec = unix seconds
    pr <<EOF
mailtest_check_last_usec{folder="$folder",from="$from"} $last_sec
EOF
  done
done
if $slow; then
  pr <<EOF
mailtest_check_unexpected_spamd_results $unexpected
EOF
fi
mv /var/lib/prometheus/node-exporter/mailtest-check.prom.$$ /var/lib/prometheus/node-exporter/mailtest-check.prom