fi
+####### instructions for icedove #####
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
+# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+#
+# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
+# background: ovecot does not yet have ocsp stapling support
+# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#######
+
####### begin perstent password instructions ######
# # exim passwords:
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
-# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
+# echo "mail.iankelling.org 587 $user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
# # then run this script, or part of it which uses /etc/mailpass
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
# conflink
# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
-# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
+# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.
postmaster=$u
mxhost=mail.iankelling.org
-mxport=25
+mxport=587
forward=$u@$mxhost
# old setup. left as comment for example
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
EOF
+
+ cat >/etc/systemd/system/mailclean.timer <<'EOF'
+[Unit]
+Description=Run mailclean daily
+
+[Timer]
+OnCalendar=monthly
+
+[Install]
+WantedBy=timers.target
+EOF
+
+ cat >/etc/systemd/system/mailclean.service <<EOF
+[Unit]
+Description=Delete and archive old mail files
+After=multi-user.target
+
+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+EOF
+
systemctl daemon-reload
# wording of question from dpkg-reconfigure exim4-config
# would be unused in that config type.
rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
cat >/etc/exim4/conf.d/main/000_local <<EOF
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
# i don't have ipv6 setup for my vpn tunnel yet.
disable_ipv6 = true
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# seems like a good idea
+CHECK_DATA_VERIFY_HEADER_SENDER = true
+CHECK_RCPT_SPF = true
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_MAIL_HELO_ISSUED = true
EOF
systemctl enable offlineimapsync.timer
systemctl start offlineimapsync.timer
+ systemctl enable mailclean.timer
+ systemctl start mailclean.timer
systemctl restart $vpn_ser@mail
systemctl enable $vpn_ser@mail
systemctl enable dovecot
else # $HOSTNAME != $MAIL_HOST
systemctl disable offlineimapsync.timer &>/dev/null ||:
systemctl stop offlineimapsync.timer &>/dev/null ||:
+ systemctl disable mailclean.timer &>/dev/null ||:
+ systemctl stop mailclean.timer &>/dev/null ||:
systemctl disable $vpn_ser@mail
systemctl stop $vpn_ser@mail
systemctl disable dovecot ||:
# light version of exim does not have sasl auth support.
- pi exim4-daemon-heavy spamassassin
+ pi exim4-daemon-heavy spamassassin spf-tools-perl
iankelling.org / git / distro-setup / blobdiff