fi
+####### instructions for icedove #####
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
+# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+#
+# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
+# background: ovecot does not yet have ocsp stapling support
+# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#######
+
####### begin perstent password instructions ######
# # exim passwords:
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
-# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
+# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
# # then run this script, or part of it which uses /etc/mailpass
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
# conflink
# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
-# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
+# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.
postmaster=$u
mxhost=mail.iankelling.org
-mxport=25
+mxport=587
forward=$u@$mxhost
# old setup. left as comment for example
if command -v apt-get &> /dev/null; then
debconf-set-selections <<EOF
postfix postfix/main_mailer_type select Satellite system
-postfix postfix/mailname string $HOSTNAME
+postfix postfix/mailname string $(hostname -f)
postfix postfix/relayhost string $relayhost
postfix postfix/root_address string $postmaster
EOF
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
EOF
+
+ cat >/etc/systemd/system/mailclean.timer <<'EOF'
+[Unit]
+Description=Run mailclean daily
+
+[Timer]
+OnCalendar=monthly
+
+[Install]
+WantedBy=timers.target
+EOF
+
+ cat >/etc/systemd/system/mailclean.service <<EOF
+[Unit]
+Description=Delete and archive old mail files
+After=multi-user.target
+
+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+EOF
+
systemctl daemon-reload
# wording of question from dpkg-reconfigure exim4-config
EOF
source /a/bin/bash_unpublished/source-semi-priv
- mkdir -p /etc/exim4/conf.d/main
+ mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
+
+ cat >/etc/exim4/rcpt_local_acl <<'EOF'
+# Only hosts we control send to mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+ message = ian trusted domain recepient but no auth
+ !authenticated = *
+ domains = mail.iankelling.org
+EOF
+ cat >/etc/exim4/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+ warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+EOF
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+
+ cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+# check_local_user
+ local_parts = ! root
+ transport = LOCAL_DELIVERY
+ cannot_route_message = Unknown user
+EOF
+ cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+EOF
+
+ cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@fsf.org
+ transport = remote_smtp_smarthost
+ route_list = * mail.fsf.org byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+EOF
#### begin mail cert setup ###
fi
if [[ $HOSTNAME == $MAIL_HOST ]]; then
local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+ rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
${rsync_common}fullchain.pem /etc/exim4/exim.crt
ret=$?
${rsync_common}privkey.pem /etc/exim4/exim.key
# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
# System mail name:
+# iank: see comment elsewhere on mailname
exim4-config exim4/mailname string mail.iankelling.org
# Delivery method for local mail: 2
exim4-config exim4/dc_localdelivery select Maildir format in home directory
EOF
+ echo mail.iankelling.org > /etc/mailname
+
# MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
# smarthost config type, not sure. all other settings
# would be unused in that config type.
- cat >/etc/exim4/conf.d/main/000_localmacros <<EOF
+ rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
+ cat >/etc/exim4/conf.d/main/000_local <<EOF
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
# i don't have ipv6 setup for my vpn tunnel yet.
disable_ipv6 = true
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# seems like a good idea
+CHECK_DATA_VERIFY_HEADER_SENDER = true
+CHECK_RCPT_SPF = true
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_MAIL_HELO_ISSUED = true
EOF
EOF
####### end dovecot setup ########
+ # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
+ d=/etc/systemd/system/openvpn@mail
+ mkdir -p $d
+ cat >$d/override.conf <<'EOF'
+[Service]
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Unit]
+# StartLimitIntervalSec in recent systemd versions
+StartLimitInterval=0
+EOF
systemctl enable offlineimapsync.timer
systemctl start offlineimapsync.timer
+ systemctl enable mailclean.timer
+ systemctl start mailclean.timer
systemctl restart $vpn_ser@mail
systemctl enable $vpn_ser@mail
systemctl enable dovecot
else # $HOSTNAME != $MAIL_HOST
systemctl disable offlineimapsync.timer &>/dev/null ||:
systemctl stop offlineimapsync.timer &>/dev/null ||:
+ systemctl disable mailclean.timer &>/dev/null ||:
+ systemctl stop mailclean.timer &>/dev/null ||:
systemctl disable $vpn_ser@mail
systemctl stop $vpn_ser@mail
systemctl disable dovecot ||:
debconf-set-selections <<EOF
exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
exim4-config exim4/dc_smarthost string $smarthost
-# the default, i think is from /etc/mailname. better to set it to
-# whatever the current fqdn is.
+# afaik, on dpkg-reconfigure noninteractive, this sets /etc/mailname if it does not exist.
+# if it does exist, it immediately changes the value to whats in /etc/mailname.
+# So, I don't think there's any point in setting it, but might as well since
+# ignoring what I set here is brain dead and might change.
exim4-config exim4/mailname string $(hostname -f)
EOF
+ hostname -f > /etc/mailname
fi # end $HOSTNAME != $MAIL_HOST
find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
fi
- # light version of exim does not have sasl auth support.
- pi exim4-daemon-heavy spamassassin
+ # light version of exim does not have sasl auth support.
+ pi exim4-daemon-heavy spamassassin spf-tools-perl
- cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
-# they are all authed.
-# Note, if we wanted authed senders for all domains,
-# we could make this condition in acl_check_mail
-deny
- message = ian trusted domain recepient but no auth
- !authenticated = *
- domains = mail.iankelling.org
-EOF
- cat >/etc/exim4/data_local_acl <<'EOF'
-# Except for the "condition =", this was
-# a comment in the check_data acl. The comment about this not
-# being suitable is mostly bs. The only thing related I found was to
-# add the condition =, cuz spamassassin has problems with big
-# messages and spammers don't bother with big messages,
-# but I've increased the size from 10k
-# suggested in official docs, and 100k in the wiki example because
-# those docs are rather old and I see a 110k spam message
-# pretty quickly looking through my spam folder.
- warn
- condition = ${if < {$message_size}{2000K}}
- spam = Debian-exim:true
- add_header = X-Spam_score: $spam_score\n\
- X-Spam_score_int: $spam_score_int\n\
- X-Spam_bar: $spam_bar\n\
- X-Spam_report: $spam_report
-
-EOF
- cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
-# from 30_exim4-config_examples
-
-plain_server:
-driver = plaintext
-public_name = PLAIN
-server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
-server_set_id = $auth2
-server_prompts = :
-.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
-server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
-.endif
-EOF
-
- cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
-### router/900_exim4-config_local_user
-#################################
-
-# This router matches local user mailboxes. If the router fails, the error
-# message is "Unknown user".
-
-local_user:
- debug_print = "R: local_user for $local_part@$domain"
- driver = accept
- domains = +local_domains
-# ian: commented this, in conjunction with a dovecot lmtp
-# change so I get mail for all users.
-# check_local_user
- local_parts = ! root
- transport = LOCAL_DELIVERY
- cannot_route_message = Unknown user
-EOF
- cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
-dovecot_lmtp:
- driver = lmtp
- socket = /var/run/dovecot/lmtp
- #maximum number of deliveries per batch, default 1
- batch_max = 200
-EOF
-
- cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
-# smarthost for fsf mail
-# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
-# replaced DCsmarthost with mail.fsf.org
-fsfsmarthost:
- debug_print = "R: smarthost for $local_part@$domain"
- driver = manualroute
- domains = ! +local_domains
- senders = *@fsf.org
- transport = remote_smtp_smarthost
- route_list = * mail.fsf.org byname
- host_find_failed = ignore
- same_domain_copy_routing = yes
- no_more
-EOF
-
# https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
# i only need .forwards, so just doing that one.
cd /etc/exim4/conf.d/router
iankelling.org / git / distro-setup / blobdiff