# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: handle errors like this:
+# Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
+# Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
+
# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
# todo: consider hardening cups listening on 0.0.0.0
# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
;;
*)
- i /etc/systemd/system/exim4.service.d/nonroot.conf <<'EOF'
+ dirs=()
+ for d in /d /m /media /mnt /nocow /o /p /q; do
+ if [[ -d $d ]]; then
+ dirs+=($d)
+ fi
+ done
+ i /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
# note, in t10 systemd, if one of these is an sshfs mountpoint,
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
-InaccessiblePaths=d m media mnt nocow o p q
+InaccessiblePaths=${dirs[@]}
NoNewPrivileges=yes
ProtectSystem=yes
echo|i /etc/exim4/conf.d/rcpt_local_acl
echo|i /etc/exim4/conf.d/router/880_universal_forward
- echo amnimal.ninja > /etc/mailname
-
/a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
10.173.8.2 nn.b8.nz
EOF
UPEX4OPTS='-d /etc/myexim4'
EOF
+ echo bk.b8.nz > /etc/mailname
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
-dc_other_hostnames='amnimal.ninja;expertpathologyreview.com'
+dc_other_hostnames='amnimal.ninja;expertpathologyreview.com;bk.b8.nz'
EOF
;;
if $bhost_t; then
install -d /bu
- install -d -g $u -o $u -m 771 /bu/md
+ install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
+ if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
+ chown -R Debian-exim:Debian-exim /bu/md
+ fi
i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
directory_mode = 0700
mode = 0644
mode_fail_narrower = false
- user = $u
EOF
i /etc/exim4/conf.d/router/870_backup_local <<'EOF'
#0 * * * * root mailtest-check slow |& log-once -1 mailtest-slow
*/5 * * * * root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
# if a bounce happened yesterday, dont let it slip through the cracks
-8 1 * * * root awk '$5 == "**"' /var/log/exim4/mainlog.1
+8 1 * * * root awk '\$5 == "**"' /var/log/exim4/mainlog.1
EOF
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
iankelling.org / git / distro-setup / blobdiff