#!/bin/bash # * intro # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later # todo: sandbox / harden exim: # 1. stop it from running as root. how? # https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html # * avoid using .forward files, remove that router # * set deliver_drop_privilege # * set user to run as Debian-exim in systemd # * set port to something like 2500, and forward 25 to 2500 with iptables. same for 587. # https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/1334552#1334552 # * consider whether other routers like postmaster need modification / removal. # 2. restrict its filesystem access from within systemd # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it. # todo: consider hardening cups listening on 0.0.0.0 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use. # todo: check that spamd and unbound only listen locally. # todo: hosts should only allow external mail that is authed and # destined for backup route. it is a minor issue since traffic is # limited to the wghole network. # todo: emailing info@amnimal.ninja produces a bounce, user doesn't exist # instead of a simple rejection like it should. # todo: auto restart of je on checkrestart # todo: run mailping test after running, or otherwise # clear out terminal alert # todo: reinstall bk with bigger filesystem # todo: on bk, dont send email if mailvpn is not up # todo: mailtest-check should check on bk too # todo: disable postgrey # todo: in testforward-check, we should also look # todo: test that bounces dont help create valid mailtest-check # todo: move mail stuff in distro-end into this file # todo: consider rotating dkim & publishing key so every past email I sent # isnt necessarily signed # todo: consider how to get clamav out of Debian-exim group # so it cant read/write the whole mail spool, for better # security. # todo: create a cronjob to update or warn on expiring dnssec keys # todo: we should test failed mail daily or so # failed cronjob, failed sysd-log-once, # a local bounce from a cronjob, a local bounce # to a bad remote address, perhaps a local failure # when the sending daemon is down. # And send an alert email if no alerts have been sent # in 2 or 3 days or something. todo, test cron mail on li. # todo: look at mailinabox extra dns records, note these changelogs: # - An MTA-STS policy for incoming mail is now published (in DNS and over HTTPS) when the primary hostname and email address domain both have a signed TLS certificate installed, allowing senders to know that an encrypted connection should be enforced. # - The per-IP connection limit to the IMAP server has been doubled to allow more devices to connect at once, especially with multiple users behind a NAT. # # todo: mailtest-check failure on remote hosts is not going to alert me. # sort that out. # todo: test mail failure as well as success. # # todo: validate that mailtest-check is doing dnsbl checks. # background: I want to run exim in a network namespace so it can send # and receive through a vpn. This is needed so it can do ipv6, because # outside the namespace if we dont have ipv6, to send ipv6 through the # vpn, we have to send all our ipv6 through the vpn. I did this for a # long time, it was fine, but it causes various pains, like increased # latency, increased recaptcha because my ip is from a data center, just # various issues I dont want on all the time. The problem with the # namespace is that all kinds of programs want to invoke exim, but they # wont be in the namespace. I could replace exim with a wrapper that # jumps into the namespace, i tried that, it works fine. One remaining # problem was that I would have needed to hook into exim upgrades to # move exim and replace it with my wrapper script. Also, my script to # join the namespace is not super reliable because it uses a pgrep. # Instead, I should have created a systemd service for a process that # will never die and just writes its pid somewhere convenient. # That implementation # is below here: # # sudoers: # user ALL=(ALL) /usr/sbin/exim4 # # move exim4 to eximian, use this script for exim4: # # #!/bin/bash # if ip a show veth1-mail &>/dev/null; then # /usr/sbin/eximian "$@" # exit # fi # dosudo=false # if [[ $USER && $USER != root ]]; then # dosudo=true # fi # pid=$(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") # if $dosudo; then # sudo nsenter -t $pid -n -m sudo -u $USER /usr/sbin/eximian "$@" # else # nsenter -t $pid -n -m /usr/sbin/eximian "$@" # fi # ## end script # # an alternate solution: there is a small setguid program for # network namespaces in my bookmarks. # # However, the solution I went with is: have 2 exim # configs. A nonstandard location for the daemon that runs # in the namespace. For all other invocations, it uses # the default config location, which is altered to be # in a smarthost config which sends mail to the deaemon. # # I have a bash function, enn to invoke exim like the daemon is running. # and mailbash to just enter its network namespace. if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi shopt -s nullglob if [[ -s /usr/local/lib/err ]]; then source /usr/local/lib/err elif [[ -s /a/bin/errhandle/err ]]; then source /a/bin/errhandle/err else err "no err tracing script found" fi source /a/bin/distro-functions/src/identify-distros source /a/bin/distro-functions/src/package-manager-abstractions # has nextcloud_admin_pass in it f=/p/c/machine_specific/$HOSTNAME/mail if [[ -e $f ]]; then # shellcheck source=/p/c/machine_specific/bk/mail source $f fi [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" u=$(id -nu 1000) usage() { cat < preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false # background: dovecot does not yet have ocsp stapling support # reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921 # # for phone, k9mail, same thing but username alerts, pass in ivy-pass. # also, bk.b8.nz for secondary alerts, username is iank. same alerts pass. # fetching mail settings: folder poll frequency 10 minutes ####### # * perstent password instructions # Note: for cert cron, we need to manually run first to accept known_hosts # # exim passwords: # # for hosts which have all private files I just use the same user # # for other hosts, each one get\'s their own password. # # for generating secure pass, and storing for server too: # f=$(mktemp) # host=tp # apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f # s sed -i "/^$host:/d" /p/c/filesystem/etc/exim4/passwd # echo "$host:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd # #reference: exim4_passwd_client(5) # dir=/p/c/machine_specific/$host/filesystem/etc/exim4 # mkdir -p $dir # echo "mail.iankelling.org:$host:$(<$f)" > $dir/passwd.client # # then run this script # # dovecot password, i just need 1 as I\'m the only user # mkdir /p/c/filesystem/etc/dovecot # echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users ####### end perstent password instructions ###### # * dkim dns # # Remove 1 level of comments in this section, set the domain var # # for the domain you are setting up, then run this and copy dns settings # # into dns. # domain=iankelling.org # c /p/c/filesystem/etc/exim4 # # this has several bugs addressed in comments, but it was helpful # # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 # openssl genrsa -out $domain-private.pem 2048 # # Then, to get the public key strings to put in bind: # # selector is needed for having multiple keys for one domain. # # I dun do that, so just use a static one: li # # Debadmin page does not have v=, fastmail does, and this # # says it\'s recommended in 3.6.1, default is DKIM1 anyways. # # https://www.ietf.org/rfc/rfc6376.txt # # Join and print all but first and last line. # # last line: swap hold & pattern, remove newlines, print. # # lines 2+: append to hold space # echo "bind txt record: remember to truncate $domain so its relative to the bind zone" # cat <&2; exit 1; } reload=false # This file is so if we fail in the middle and rerun, we dont lose state if [[ -e /var/local/mail-setup-reload ]]; then reload=true fi i() { # install file local tmp tmpdir dest="$1" local base="${dest##*/}" mkdir -p ${dest%/*} ir=false # i result tmpdir=$(mktemp -d) cat >$tmpdir/"$base" tmp=$(rsync -ic $tmpdir/"$base" "$dest") if [[ $tmp ]]; then printf "%s\n" "$tmp" ir=true if [[ $dest == /etc/systemd/system/* ]]; then touch /var/local/mail-setup-reload reload=true fi fi rm -rf $tmpdir } setini() { key="$1" value="$2" section="$3" file="/etc/radicale/config" sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file" } soff () { for service; do # ignore services that dont exist if systemctl cat $service &>/dev/null; then m systemctl disable --now $service fi done } sre() { for service; do m systemctl restart $service m systemctl enable $service; done } mailhost() { [[ $HOSTNAME == "$MAIL_HOST" ]] } e() { printf "%s\n" "$*"; } reifactive() { for service; do if systemctl is-active $service >/dev/null; then m systemctl restart $service fi done } stopifactive() { for service; do if systemctl is-active $service >/dev/null; then m systemctl stop $service fi done } mxhost=mx.iankelling.org mxport=587 forward=$u@$mxhost # old setup. left as comment for example # mxhost=mail.messagingengine.com # mxport=587 # forward=ian@iankelling.org smarthost="$mxhost::$mxport" uhome=$(eval echo ~$u) # Somehow on one machine, a file got written with 664 perms. # just being defensive here. umask 0022 source /a/bin/bash_unpublished/source-state if [[ ! $MAIL_HOST ]]; then err "\$MAIL_HOST not set" fi bhost_t=false case $HOSTNAME in $MAIL_HOST) : ;; kd|frodo|x2|x3|kw|sy) bhost_t=true ;; esac # * Install universal packages # installs epanicclean /a/bin/ds/install-my-scripts if [[ $(debian-codename-compat) == bionic ]]; then cat >/etc/apt/preferences.d/spamassassin <<'EOF' Package: spamassassin sa-compile spamc Pin: release n=focal,o=Ubuntu Pin-Priority: 500 EOF fi # light version of exim does not have sasl auth support. pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound clamav-daemon wireguard # note: pyzor debian readme says you need to run some initialization command # but its outdated. pi spf-tools-perl p0f postgrey pyzor razor jq moreutils certbot # bad packages that sometimes get automatically installed pu openresolv resolvconf soff openvpn if [[ $(debian-codename) == etiona ]]; then # ip6tables stopped loading on boot. openvpn has reduced capability set, # so running iptables as part of openvpn startup wont work. This should do it. pi iptables-persistent cat >/etc/iptables/rules.v6 <<'EOF' *mangle COMMIT *nat COMMIT EOF # load it now. m ip6tables -S >/dev/null fi # our nostart pi fails to avoid enabling # * user forward file case $HOSTNAME in $MAIL_HOST) # afaik, these will get ignored on MAIL_HOST because they are routing to my own # machine, but rm them is safer rm -fv $uhome/.forward /root/.forward ;; *) # this can\'t be a symlink and has permission restrictions # it might work in /etc/aliases, but this seems more proper. e setting $uhome/.forward to $forward install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward ;; esac # * Mail clean cronjob i /etc/systemd/system/mailclean.timer <<'EOF' [Unit] Description=Run mailclean daily [Timer] OnCalendar=monthly [Install] WantedBy=timers.target EOF i /etc/systemd/system/mailclean.service </dev/null; then m systemctl reload apparmor fi fi # note: anything added to nn_progs needs corresponding rm # down below in the host switch nn_progs=(exim4) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. # Its in the nn so remote clients can connect to it. nn_progs+=(spamassassin dovecot) fi case $HOSTNAME in $MAIL_HOST) i /etc/systemd/system/unbound.service.d/nn.conf < /sys/kernel/debug/dynamic_debug/control # dmesg -w ;;& $MAIL_HOST|bk) for unit in ${nn_progs[@]}; do i /etc/systemd/system/$unit.service.d/nn.conf <&2 exit 1 fi ;; esac m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin i /etc/systemd/system/mailcert.service <<'EOF' [Unit] Description=Mail cert rsync After=multi-user.target [Service] Type=oneshot ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron EOF i /etc/systemd/system/mailcert.timer <<'EOF' [Unit] Description=Run mail-cert once a day [Timer] OnCalendar=daily [Install] WantedBy=timers.target EOF wghost=${HOSTNAME}wg.b8.nz if $bhost_t && [[ ! -e /etc/exim4/certs/$wghost/privkey.pem ]]; then certbot -n --manual-public-ip-logging-ok --eff-email --agree-tos -m letsencrypt@iankelling.org \ certonly --manual --preferred-challenges=dns \ --manual-auth-hook /a/bin/ds/le-dns-challenge \ --manual-cleanup-hook /a/bin/ds/le-dns-challenge-cleanup \ --deploy-hook /a/bin/ds/le-exim-deploy -d $wghost fi # * common exim4 config # Make all system users be aliases. preventative # measure for things like cron mail for user without alias awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd| while read -r user; do if [[ ! $user ]]; then continue fi if ! grep -q "^$user:" /etc/aliases; then echo "$user: root" |m tee -a /etc/aliases fi done if ! grep -q "^ncsoft:" /etc/aliases; then echo "ncsoft: graceq2323@gmail.com" |m tee -a /etc/aliases fi m gpasswd -a iank adm #needed for reading logs ### make local bounces go to normal maildir # local mail that bounces goes to /Maildir or /root/Maildir dirs=(/m/md/bounces/{cur,tmp,new}) m mkdir -p ${dirs[@]} m chown iank:iank /m /m/md m ln -sfT /m/md /m/iank m chmod 771 /m /m/md m chown -R $u:Debian-exim /m/md/bounces m chmod 775 ${dirs[@]} m usermod -a -G Debian-exim $u for d in /Maildir /root/Maildir; do if [[ ! -L $d ]]; then m rm -rf $d fi m ln -sf -T /m/md/bounces $d done # dkim, client passwd file files=(/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/*) f=/p/c/filesystem/etc/exim4/passwd.client if [[ -e $f ]]; then files+=($f) fi if (( ${#files[@]} )); then m rsync -ahhi --chown=root:Debian-exim --chmod=0640 \ ${files[@]} /etc/exim4 fi # by default, only 10 days of logs are kept. increase that. m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base ## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost # i only need .forwards, so just doing that one. cd /etc/exim4/conf.d/router b=userforward_higher_priority # replace the router name so it is unique sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b # todo, consider 'separate' in etc/exim4.conf, could it help on busy systems? # alerts is basically the postmaster address m sed -i --follow-symlinks -f - /etc/aliases </etc/exim4/conf.d/rewrite/34_iank_rewriting <<'EOF' ncsoft@zroe.org graceq2323@gmail.com hE EOF # old name rm -fv /etc/exim4/conf.d/retry/37_retry cat >/etc/exim4/conf.d/retry/17_retry <<'EOF' # Retry fast for my own domains iankelling.org * F,1d,10m;F,14d,1h amnimal.ninja * F,1d,10m;F,14d,1h expertpathologyreview.com * F,1d,10m;F,14d,1h je.b8.nz * F,1d,10m;F,14d,1h zroe.org * F,1d,10m;F,14d,1h eximbackup.b8.nz * F,1d,4m;F,14d,1h EOF rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename cat >/etc/exim4/conf.d/main/000_local < {$max_received_linelength}{998} {1}{0}} .endif .ifdef REMOTE_SMTP_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_RETURN_PATH return_path = REMOTE_SMTP_RETURN_PATH .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef DKIM_DOMAIN dkim_domain = DKIM_DOMAIN .endif .ifdef DKIM_SELECTOR dkim_selector = DKIM_SELECTOR .endif .ifdef DKIM_PRIVATE_KEY dkim_private_key = DKIM_PRIVATE_KEY .endif .ifdef DKIM_CANON dkim_canon = DKIM_CANON .endif .ifdef DKIM_STRICT dkim_strict = DKIM_STRICT .endif .ifdef DKIM_SIGN_HEADERS dkim_sign_headers = DKIM_SIGN_HEADERS .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_PRIVATEKEY tls_privatekey = REMOTE_SMTP_PRIVATEKEY .endif .ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4 EOF i /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF' # ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp smarthost_dkim: debug_print = "T: remote_smtp_smarthost for $local_part@$domain" driver = smtp multi_domain .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}} .endif hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \ {\ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\ }\ {} \ } .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_RETURN_PATH return_path = REMOTE_SMTP_RETURN_PATH .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif .ifdef DKIM_DOMAIN dkim_domain = DKIM_DOMAIN .endif .ifdef DKIM_SELECTOR dkim_selector = DKIM_SELECTOR .endif .ifdef DKIM_PRIVATE_KEY dkim_private_key = DKIM_PRIVATE_KEY .endif .ifdef DKIM_CANON dkim_canon = DKIM_CANON .endif .ifdef DKIM_STRICT dkim_strict = DKIM_STRICT .endif .ifdef DKIM_SIGN_HEADERS dkim_sign_headers = DKIM_SIGN_HEADERS .endif EOF cat >/etc/exim4/update-exim4.conf.conf <<'EOF' # default stuff, i havent checked if its needed dc_minimaldns='false' dc_relay_nets='' CFILEMODE='644' dc_use_split_config='true' dc_mailname_in_oh='true' EOF # * radicale if mailhost; then if ! mountpoint /o; then echo "error /o is not a mountpoint" >&2 exit 1 fi # davx/davdroid setup instructions at the bottom # main docs: # http://radicale.org/user_documentation/ # https://davdroid.bitfire.at/configuration/ # note on debugging: if radicale can't bind to the address, # in the log it just says "Starting Radicale". If you run # it in the foreground, it will give more info. Background # plus debug does not help. # sudo -u radicale radicale -D -f # created password file with: # htpasswd -c /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd # chmod 640 /p/c/machine_specific/li/filesystem/etc/caldav-htpasswd # # setup chgrp www-data in ./conflink pi-nostart radicale i /etc/systemd/system/radicale.service.d/override.conf </etc/dovecot/local.conf ;;& # ** $MAIL_HOST) $MAIL_HOST) # If we changed 90-sieve.conf and removed the active part of the # sieve option, we wouldn\'t need this, but I\'d rather not modify a # default config if not needed. This won\'t work as a symlink in /a/c # unfortunately. m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve if [[ ! -e $uhome/sieve/personal.sieve ]]; then m touch $uhome/sieve/personal{,end}{,test}.sieve fi rm -fv /etc/dovecot/conf.d/20-lmtp.conf # file from prev version cat >>/etc/dovecot/local.conf <>/etc/dovecot/local.conf < $domain $domain Mail $domain mail2.iankelling.org 993 SSL %EMAILADDRESS% password-cleartext mail2.iankelling.org 587 STARTTLS %EMAILADDRESS% password-cleartext true false $domain website. %EMAILADDRESS% EOF done fi # * roundcube setup if [[ $HOSTNAME == bk ]]; then # zip according to /installer # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php # $config['enable_installer'] = true; pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm ### begin composer install # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md # cd $(mktemp -d) # sum="$(wget -q -O - https://composer.github.io/installer.sig)" # m php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" # if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then # echo 'ERROR: Invalid composer installer checksum' >&2 # rm -fv composer-setup.php # exit 1 # fi # m php composer-setup.php --quiet # rm -fv composer-setup.php # m mv composer.phar /usr/local/bin # the above method gets composer2, carddav plugin at least doesnt work with that # yet, it was just released 10-24-2020. m cd /usr/local/bin m wget -nv -N https://getcomposer.org/composer-1.phar chmod +x composer-1.phar ### end composer install rcdirs=(/usr/local/lib/rcexpertpath /usr/local/lib/rcninja) ncdirs=(/var/www/ncexpertpath /var/www/ncninja) # point debian cronjob to our local install, preventing daily cron error # debian's cronjob will fail, remove both paths it uses just to be sure rm -fv /usr/share/roundcube/bin/cleandb.sh /etc/cron.d/roundcube-core #### begin dl roundcube # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom v=1.4.11; f=roundcubemail-$v-complete.tar.gz cd /a/opt if [[ -e $f ]]; then timestamp=$(stat -c %Y $f) else timestamp=0 fi m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f new_timestamp=$(stat -c %Y $f) for rcdir in ${rcdirs[@]}; do if [[ $timestamp != "$new_timestamp" || ! -e "$rcdir/config/secret" ]]; then m tar -C /usr/local/lib --no-same-owner -zxf $f m rm -rf $rcdir m mv /usr/local/lib/roundcubemail-$v $rcdir fi done #### end dl roundcube for ((i=0; i < ${#bkdomains[@]}; i++)); do domain=${bkdomains[i]} rcdir=${rcdirs[i]} rcbase=${rcdir##*/} ncdir=${ncdirs[i]} # copied from debians cronjob i /etc/cron.d/$rcbase </dev/null EOF m /a/exe/web-conf - apache2 $domain < Options +FollowSymLinks # This is needed to parse $rcdir/.htaccess. AllowOverride All Require all granted # Protecting basic directories: Options -FollowSymLinks AllowOverride None ### end roundcube settings ### begin nextcloud settings Alias /nextcloud "$ncdir/" Require all granted AllowOverride All Options FollowSymLinks MultiViews Dav off # based on install checker, links to # https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery # their example was a bit wrong, I figured it out by adding # LogLevel warn rewrite:trace5 # then watching the apache logs RewriteEngine on RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L] RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L] RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L] RewriteRule ^/\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L] RewriteRule ^/\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L] ### end nextcloud settings EOF if [[ ! -e $rcdir/config/secret ]]; then base64 $rcdir/config/secret || [[ $? == 141 || ${PIPESTATUS[0]} == 32 ]] fi secret=$(cat $rcdir/config/secret) rclogdir=/var/log/$rcbase rctmpdir=/var/tmp/$rcbase rcdb=/m/rc/$rcbase.sqlite # config from mailinabox i $rcdir/config/config.inc.php < array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['imap_timeout'] = 15; \$config['smtp_server'] = 'tls://127.0.0.1'; \$config['smtp_conn_options'] = array( 'ssl' => array( 'verify_peer' => false, 'verify_peer_name' => false, ), ); \$config['product_name'] = 'webmail'; \$config['des_key'] = '$secret'; \$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav', 'html5_notifier'); \$config['skin'] = 'elastic'; \$config['login_autocomplete'] = 2; \$config['password_charset'] = 'UTF-8'; \$config['junk_mbox'] = 'Spam'; # disable builtin addressbook \$config['address_book_type'] = ''; ?> EOF m mkdir -p $rclogdir m chmod 750 $rclogdir m chown www-data:adm $rclogdir # note: subscribed to updates: # r2e add rcmcarddav https://github.com/blind-coder/rcmcarddav/commits/master.atom ian@iankelling.org # r2e add roundcube https://github.com/roundcube/roundcubemail/releases.atom ian@iankelling.org m mkdir -p $rctmpdir /m/rc m chown -R www-data.www-data $rctmpdir /m/rc m chmod 750 $rctmpdir # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. # todo: setup fail2ban # todo: check for other mailinabox things m sudo -u www-data touch $rclogdir/errors.log #### begin carddav install # This is the official roundcube carddav repo. # Install doc suggests downloading with composer, but that # didnt work, it said some ldap package for roundcube was missing, # but I dont want to download some extra ldap thing. # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md verf=$rcdir/plugins/carddav/myversion upgrade=false install=false v=4.0.0 if [[ -e $verf ]]; then if [[ $(cat $verf) != "$v" ]]; then install=true upgrade=true fi else install=true fi if $install; then m rm -rf $rcdir/plugins/carddav tmpd=$(mktemp -d) m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz cd $rcdir/plugins tar xzf $tmpd/t.tgz rm -rf $tmpd m chown -R www-data:www-data $rcdir/plugins/carddav m cd $rcdir/plugins/carddav if $upgrade; then m sudo -u www-data composer-1.phar update --no-dev else m sudo -u www-data composer-1.phar install --no-dev fi m chown -R root:root $rcdir/plugins/carddav echo $v >$verf fi # So, strangely, this worked in initial testing, but then # on first run it wouldn't show the existing contacts until # I went into the carddav settings and did "force immediate sync", # which seemed to fix things. Note, some of these settings # get initalized per/addressbook in the db, then need changing # there or through the settings menu. # About categories, see https://www.davx5.com/tested-with/nextcloud # https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md i $rcdir/plugins/carddav/config.inc.php < 'Main', 'username' => '%u', // login username 'password' => '%p', // login password 'url' => 'https://$domain/nextcloud/remote.php/dav/addressbooks/users/%u/contacts', 'active' => true, 'readonly' => false, 'refresh_time' => '00:10:00', 'fixed' => array('username','password'), 'use_categories' => false, 'hide' => false, ); ?> EOF #### end carddav install cd $rcdir/plugins if [[ ! -d html5_notifier ]]; then m git clone https://github.com/stremlau/html5_notifier fi cd $rcdir/plugins/html5_notifier m git pull --rebase # todo: try out roundcube plugins: thunderbird labels # Password changing plugin settings cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF' # following are from mailinabox $config['password_minimum_length'] = 8; $config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite'; $config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u'; $config['password_dovecotpw'] = '/usr/bin/doveadm pw'; $config['password_dovecotpw_method'] = 'SHA512-CRYPT'; $config['password_dovecotpw_with_method'] = true; EOF # so PHP can use doveadm, for the password changing plugin m usermod -a -G dovecot www-data m usermod -a -G mail $u # so php can update passwords m chown www-data:dovecot /m/rc/users.sqlite m chmod 664 /m/rc/users.sqlite # Run Roundcube database migration script (database is created if it does not exist) m $rcdir/bin/updatedb.sh --dir $rcdir/SQL --package roundcube m chown www-data:www-data $rcdb m chmod 664 $rcdb done # end loop over domains and rcdirs ### begin php setup for rc ### # Enable PHP modules. m phpenmod -v php mcrypt imap # dpkg says this is required m a2enmod proxy_fcgi setenvif fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p') m a2enconf $fpm # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading # /etc/apache2/conf-enabled/php7.3-fpm.conf m a2dismod php$phpver # according to /install, we should set date.timezone, # but that is dumb, the system already has the right zone in # $rclogdir/errors.log # todo: consider other settings in # /a/opt/mailinabox/setup/nextcloud.sh i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF' apc.enable_cli = 1 EOF i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF' date.timezone = "America/New_York" # for nextcloud upload_max_filesize = 2000M post_max_size = 2000M # install checker, nextcloud/settings/admin/overview memory_limit = 512M EOF m systemctl restart $fpm # dunno if reload/restart is needed m systemctl reload apache2 # note bk backups are defined in crontab outside this file ### end php setup for rc ### fi # end roundcube setup # * nextcloud setup if [[ $HOSTNAME == bk ]]; then # from install checker, nextcloud/settings/admin/overview and # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html # curl from the web installer requirement, but i switched to cli # it recommends php-file info, but that is part of php7.3-common, already got installed # with roundcube. m pi php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' [www] clear_env = no EOF for ((i=0; i < ${#bkdomains[@]}; i++)); do domain=${bkdomains[i]} ncdir=${ncdirs[i]} ncbase=${ncdir##*/} m cd /var/www if [[ ! -e $ncdir/index.php ]]; then # if we wanted to only install a specific version, use something like # file=latest-22.zip file=latest.zip m wget -nv -N https://download.nextcloud.com/server/releases/$file m rm -rf nextcloud m unzip -q $file m rm -f $file m chown -R www-data.www-data nextcloud m mv nextcloud $ncdir m cd $ncdir m sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass fi # note, strange this happend where updater did not increment the version var, # mine was stuck on 20. I manually updated it. m cd $ncdir/config if [[ ! -e config.php-orig ]]; then m cp -a config.php config.php-orig fi cat config.php-orig - >tmp.php < 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),); # based on installer check # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html \$CONFIG['memcache.local'] = '\OC\Memcache\APCu'; \$CONFIG['overwrite.cli.url'] = 'https://$domain/nextcloud'; \$CONFIG['htaccess.RewriteBase'] = '/nextcloud'; \$CONFIG['trusted_domains'] = array ( 0 => '$domain', ); #\$CONFIG[''] = ''; fwrite(STDOUT, "config.php m rm tmp.php m sudo -u www-data php $ncdir/occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) # user_external not compaible with nc 23 for app in contacts calendar; do if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then m sudo -u www-data php $ncdir/occ app:install $app fi done i /etc/systemd/system/$ncbase.service <&2; exit 1; fi shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR ncbase=$1 if ! php /var/www/$ncbase/updater/updater.phar -n; then echo failed nextcloud update for $ncbase >&2 /sbin/exim -t <>/etc/exim4/conf.d/rcpt_local_acl <<'EOF' deny message = invalid recipient domains = +local_domains !verify = recipient/callout=no_cache EOF i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' dovecot_plain: driver = dovecot public_name = PLAIN server_socket = /var/run/dovecot/auth-client server_set_id = $auth1 EOF ;; esac if $bhost_t; then i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' # from 30_exim4-config_examples plain_server: driver = plaintext public_name = PLAIN server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}" server_set_id = $auth2 server_prompts = : .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} .endif EOF fi # ** main daemon use non-default config file case $HOSTNAME in bk|$MAIL_HOST) # to see the default comments in /etc/default/exim4: # s update-exim4defaults --force --init # which will overwrite any existing file i /etc/default/exim4 <<'EOF' QUEUERUNNER='combined' QUEUEINTERVAL='30m' COMMONOPTIONS='-C /etc/exim4/my.conf' UPEX4OPTS='-o /etc/exim4/my.conf' #E4BCD_PANICLOG_NOISE='malware acl condition: clamd /var/run/clamav/clamd\.ctl : unable to connect to UNIX socket' EOF i /etc/exim4/trusted_configs <<'EOF' /etc/exim4/my.conf EOF ;; *) # default file i /etc/default/exim4 <<'EOF' QUEUERUNNER='combined' QUEUEINTERVAL='30m' EOF ;; esac case $HOSTNAME in # ** $MAIL_HOST|bk|je) $MAIL_HOST|bk|je) echo|i /etc/exim4/conf.d/router/870_backup_local cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/conf.d/main/000_local <>/etc/exim4/conf.d/main/000_local <> /etc/exim4/conf.d/data_local_acl <<'EOF' deny malware = */defer_ok !condition = ${if match {$malware_name}{\N^Heuristic\N}} message = This message was detected as possible malware ($malware_name). EOF cat >/etc/exim4/conf.d/main/000_local-nn < {$max_received_linelength}{998} {1}{0}} .endif hosts_require_auth = * hosts_try_auth = * return_path = alerts@iankelling.org envelope_to_add # manual return path because we dont want it to be the envelope sender # we got not the one we are using in this smtp transport headers_add = "Return-path: $sender_address" .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST .endif .ifdef REMOTE_SMTP_HEADERS_REWRITE headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE .endif .ifdef REMOTE_SMTP_HELO_DATA helo_data=REMOTE_SMTP_HELO_DATA .endif .ifdef TLS_DH_MIN_BITS tls_dh_min_bits = TLS_DH_MIN_BITS .endif .ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE .endif .ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY .endif .ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE .endif EOF # this avoids some error. i cant remember what. todo: # test it out and document why/if its needed. i /etc/exim4/host_local_deny_exceptions <<'EOF' mail.fsf.org *.posteo.de EOF # cron email from smarthost hosts will automatically be to # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in # case that doesn't work, we still want to accept that mail, but not # from any host except the smarthosts. local_hostnames and this rule # is for that purpose. i /etc/exim4/conf.d/rcpt_local_acl <<'EOF' deny !authenticated = * domains = +local_hostnames message = no relay EOF echo|i /etc/exim4/conf.d/router/880_universal_forward # for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org. # and also have mail.iankelling.org whitelisted as a relay domain. # I could avoid that if I changed this to submit to 587 with a # password like a standard mua. i /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF' # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and # replaced DCsmarthost with hostname fsfsmarthost: debug_print = "R: smarthost for $local_part@$domain" driver = manualroute domains = ! +local_domains senders = *@fsf.org transport = remote_smtp_smarthost route_list = * mail.fsf.org::587 byname host_find_failed = ignore same_domain_copy_routing = yes no_more posteosmarthost: debug_print = "R: smarthost for $local_part@$domain" driver = manualroute domains = ! +local_domains senders = *@posteo.net transport = remote_smtp_smarthost route_list = * posteo.de::587 byname host_find_failed = ignore same_domain_copy_routing = yes no_more EOF # Greping /etc/exim4, unqualified mails this would end up as # a return path, so it should go somewhere we will see. # The debconf output about mailname is as follows: # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain # name. # This name will also be used by other programs. It should be the single, fully # qualified domain name (FQDN). # Thus, if a mail address on the local host is foo@example.org, the correct value for # this option would be example.org. # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled. echo iankelling.org > /etc/mailname # mail.iankelling.org so local imap clients can connect with tls and # when they happen to not be local. # todo: this should be 10.8.0.4 /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] # note: i put nn.b8.nz into bind for good measure 10.173.8.2 nn.b8.nz mx.iankelling.org EOF # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes # weve configured this file in dnsmasq if we are using it. /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] server=/mx.iankelling.org/127.0.1.1 EOF # I used to use debconf-set-selections + dpkg-reconfigure, # which then updates this file # but the process is slower than updating it directly and then I want to set other things in # update-exim4.conf.conf, so there's no point. # The file is documented in man update-exim4.conf, # except the man page is not perfect, read the bash script to be sure about things. # The debconf questions output is additional documentation that is not # easily accessible, but super long, along with the initial default comment in this # file, so I've saved that into ./mail-notes.conf. cat >>/etc/exim4/update-exim4.conf.conf <$f <<'EOF' #!/bin/bash cd /etc wget -q -N https://publicsuffix.org/list/public_suffix_list.dat EOF m chmod 755 $f ;; # ** bk ## we use this host to monitor MAIL_HOST and host a mail server for someone bk) echo|i /etc/exim4/conf.d/rcpt_local_acl echo|i /etc/exim4/conf.d/router/880_universal_forward echo amnimal.ninja > /etc/mailname /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] 10.173.8.2 nn.b8.nz EOF sed -r -f - /etc/init.d/exim4 <<'EOF' | i /etc/init.d/exim4in s,/etc/default/exim4,/etc/default/exim4in,g s,/run/exim4/exim.pid,/run/exim4/eximin.pid,g s,(^[ #]*Provides:).*,\1 exim4in, s,(^[ #]*NAME=).*,\1"exim4in", EOF chmod +x /etc/init.d/exim4in i /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF' [Unit] # needed to continually restart StartLimitIntervalSec=0 [Service] Restart=always # time to sleep before restarting a service RestartSec=1 EOF i /etc/default/exim4in <<'EOF' # defaults but no queue runner and alternate config dir QUEUERUNNER='no' COMMONOPTIONS='-oP /run/exim4/eximin.pid' UPEX4OPTS='-d /etc/myexim4' EOF cat >>/etc/exim4/update-exim4.conf.conf < /etc/mailname cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/conf.d/main/000_local <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/myexim4/update-exim4.conf.conf <<'EOF' dc_eximconfig_configtype='smarthost' dc_smarthost='nn.b8.nz' EOF ;;& bk) # config for the non-nn exim cat >/etc/myexim4/conf.d/main/000_local-nn <<'EOF' MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org EOF ;; $MAIL_HOST) # for bk, we have a exim4in.service that will do this for us. m update-exim4.conf -d /etc/myexim4 ;; esac # * spool dir setup # ** bind mount setup # put spool dir in directory that spans multiple distros. # based on http://www.postfix.org/qmgr.8.html and my notes in gnus # dir=/nocow/exim4 sdir=/var/spool/exim4 # we only do this if our system has $dir # this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully, # about 2 seconds later, exim starts, and immediately puts into paniclog: # honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory # so, im trying a bind mount to get rid of that. if [[ -e /nocow ]]; then if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc/fstab fi i /etc/systemd/system/exim4.service.d/override.conf <<'EOF' [Unit] # without local-fs on exim, we get these kind of errors in paniclog on shutdown: # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied After=local-fs.target EOF if ! mountpoint -q $sdir; then stopifactive exim4 exim4in if [[ -L $sdir ]]; then m rm $sdir fi if [[ ! -e $dir && -d $sdir ]]; then m mv $sdir $dir fi if [[ ! -d $sdir ]]; then m mkdir $sdir m chmod 000 $sdir # only want it to be used when its mounted fi m mount $sdir fi fi # ** exim/spool uid setup # i have the spool directory be common to distro multi-boot, so # we need the uid to be the same. 608 cuz it's kind of in the middle # of the free system uids. IFS=:; read -r _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS IFS=:; read -r _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS if [[ ! $uid ]]; then # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \ --no-create-home --disabled-login --force-badname Debian-exim elif [[ $uid != 608 ]]; then stopifactive exim4 exim4in m usermod -u 608 Debian-exim m groupmod -g 608 Debian-exim m usermod -g 608 Debian-exim m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} + m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} + fi # * start / stop services reifactive dnsmasq nscd if $reload; then m systemctl daemon-reload fi m systemctl --now enable epanicclean.timer case $HOSTNAME in je) /a/exe/web-conf apache2 je.b8.nz ;; bk) /a/exe/web-conf apache2 mail2.iankelling.org ;; esac m /a/bin/ds/mail-cert-cron -1 sre mailcert.timer case $HOSTNAME in bk) # todo, this should be done in distro-begin soff systemd-resolved ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf ;;& $MAIL_HOST|bk) m systemctl --now enable mailnn mailnnroute ;;& $MAIL_HOST) # we use dns to start wg if $reload; then sre unbound else m systemctl --now enable unbound fi ;;& $MAIL_HOST|bk) # If these have changes, id rather manually restart it, id rather # not restart and cause temporary errors if $reload; then sre $vpnser else m systemctl --now enable $vpnser fi if ! systemctl is-active clamav-daemon >/dev/null; then m systemctl --now enable clamav-daemon out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.{timer,service} /etc/systemd/system) if [[ $out ]]; then reload=true fi # note, this will cause paniclog entries because it takes like 45 # seconds for clamav to start, i use ./epanic-clean to remove # them. fi ;;& $MAIL_HOST|bk|je) # start spamassassin/dovecot before exim. sre dovecot spamassassin # need to wait a bit before restarting exim, else I # get a paniclog entry like: spam acl condition: all spamd servers failed sleep 3 m systemctl --now enable mailclean.timer ;;& $MAIL_HOST) # < 2.1 (eg: in t9), uses a different data format which required manual # migration. dont start if we are running an old version. if dpkg --compare-versions $(dpkg -s radicale | awk '$1 == "Version:" { print $2 }') ge 2.1; then m systemctl --now enable radicale fi ;;& esac # last use of $reload happens in previous block rm -f /var/local/mail-setup-reload case $HOSTNAME in $MAIL_HOST|bk|je) : ;; *) soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon ;; esac sre exim4 case $HOSTNAME in $MAIL_HOST) m systemctl --now enable mailbindwatchdog ;; *) soff mailbindwatchdog ;; esac case $HOSTNAME in bk) sre exim4in ;; esac # * mail monitoring / testing # note, to test clamav, send an email with body that only contains # https://en.wikipedia.org/wiki/EICAR_test_file # which set malware_name to Eicar-Signature case $HOSTNAME in $MAIL_HOST|bk|je) # note: cronjob "ian" also does some important monitoring # todo: this will sometimes cause an alert because mailtest-check will run # before we have setup network namespace and spamassassin cat >/etc/cron.d/mailtest <>/etc/cron.d/mailtest </usr/local/bin/send-test-forward <<'EOF' #!/bin/bash olds=( $(/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$') ) if (( ${#olds[@]} )); then /sbin/exim -Mrm "${olds[@]}" >/dev/null fi EOF for test_from in ${test_froms[@]}; do cat >>/usr/local/bin/send-test-forward <