## * Install packages
# light version of exim does not have sasl auth support.
-pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq
+pi exim4-daemon-heavy spamassassin spf-tools-perl dnsmasq openvpn
+# our nostart pi fails to avoid enabling
+sudo systemctl disable openvpn
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ -e $f ]]; then
source $f
fi
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
- ${rsync_common}fullchain.pem /etc/exim4/exim.crt
- ret=$?
- ${rsync_common}privkey.pem /etc/exim4/exim.key
- new_ret=$?
- if [[ $ret != $new_ret ]]; then
- echo "$0: error: differing rsync returns, $ret, $new_ret"
- exit 1
- fi
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+ exit 0
fi
-if [[ $new_ret != 0 ]]; then
- if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
- echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
- exit 1
- fi
+local_mx=mail.iankelling.org
+mkdir -p /etc/letsencrypt/live/$local_mx
+chmod 700 /etc/letsencrypt/live
+rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
+# allow for temporary connection issues
+${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
+${rsync_common}privkey.pem /etc/exim4/exim.key ||:
+if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+ echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+ exit 1
fi
exit 0
EOF
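Review bot: Dropping the old differing-return check at the two `||:` rsync lines means a run where fullchain.pem syncs but privkey.pem does not (or the reverse) leaves /etc/exim4 with a certificate and key that no longer match, and the `-checkend` test that follows only inspects the certificate, so it passes. Keep a paired-status check: `${rsync_common}fullchain.pem /etc/exim4/exim.crt; crt_ret=$?` / `${rsync_common}privkey.pem /etc/exim4/exim.key; key_ret=$?` / `[[ $crt_ret == $key_ret ]] || { echo "$0: error: differing rsync returns, $crt_ret, $key_ret"; exit 1; }` — a transient failure of both still falls through to the expiry check as intended. The directory created by `mkdir -p /etc/letsencrypt/live/$local_mx` is not referenced by anything visible in this hunk; if a later part of the generated script relies on it, a comment saying so would help.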
# * common exim4 config
source /a/bin/bash_unpublished/source-state
+if [[ ! $MAIL_HOST ]]; then
+ err "\$MAIL_HOST not set"
+fi
+
+m sudo gpasswd -a iank adm #needed for reading logs
+
### make local bounces go to normal maildir
# local mail that bounces goes to /Maildir or /root/Maildir
m ln -sf -T /m/md/bounces $d
done
+# Note, even the server needs permissions of this file right
+# if it exists, so do this up here.
+f=/p/c/filesystem/etc/exim4/passwd.client
+if [[ ! -e $f ]]; then
+ f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+fi
+m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
# by default, only 10 days of logs are kept. increase that.
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
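Review bot: The fallback in the `if [[ ! -e $f ]]` block selects the machine-specific passwd.client path without confirming it exists, so on a host with neither file the rsync on the following line fails with an rsync-level error instead of a message naming the missing file; add `[[ -e $f ]] || err "no exim4 passwd.client found for $HOSTNAME"` before the rsync (the `err` helper is already used at the `$MAIL_HOST` check earlier in this diff). The 0640 root:Debian-exim mode on the destination is appropriate for a file that, by its name, holds SMTP client credentials. The enclosing section of this script starts outside the hunk.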
# The file is based on the outgoing domain-name in the from-header.
DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
# sign if key exists
-DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
EOF
+
+ # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes
+ # weve configured this file in dnsmasq if we are using it.
/a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
server=/mail.iankelling.org/127.0.1.1
EOF
if systemctl is-active dnsmasq >/dev/null; then
- m systemctl reload dnsmasq
- m nscd -i hosts
+ m systemctl restart dnsmasq
fi
+ m nscd -i hosts
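Review bot: `m nscd -i hosts` now runs unconditionally here, and again at the equivalent line in the `*)` branch below, whereas before it sat inside the dnsmasq `is-active` guard; on a host where nscd is not installed or not running the command fails, and whether that aborts the script depends on `m` and on shell options set outside this hunk. Guard it with its own check, e.g. `if command -v nscd >/dev/null; then m nscd -i hosts; fi`, or append `||:` with a comment if best-effort is intended. The two indented comment lines above the `cedit` call are at a different indent than the code they describe. The case arm enclosing this hunk begins outside it.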
# I used to use debconf-set-selections + dpkg-reconfigure,
# which then updates this file
;;
# * not MAIL_HOST
*) # $HOSTNAME != $MAIL_HOST
- # remove mail. 2 lines to properly remove whitespace
+ # remove mail. uses 2 lines to properly remove whitespace
sed -ri -f - /etc/hosts <<'EOF'
s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
if systemctl is-active dnsmasq >/dev/null; then
- m nscd -i hosts
- m systemctl reload dnsmasq
+ m systemctl restart dnsmasq # reload does not ensure new config is used
fi
+ m nscd -i hosts
m systemctl disable mailclean.timer &>/dev/null ||:
m systemctl stop mailclean.timer &>/dev/null ||:
hostname -f >/etc/mailname
+
;;&
## we use this host to monitor MAIL_HOST
l2)
/^root:/d
EOF
;;
+ # not l2 and not MAIL_HOST
*)
- f=/p/c/filesystem/etc/exim4/passwd.client
- if [[ ! -e $f ]]; then
- f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
- fi
- sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
# This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
# is no good.
m usermod -u 608 Debian-exim
m groupmod -g 608 Debian-exim
m usermod -g 608 Debian-exim
- m find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
- m find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+ m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} +
+ m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} +
fi
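Review bot: `-path ./var/tmp` in the two new find lines can never match: with starting points `/` and `/nocow`, find reports paths as `/var/tmp` (or `/nocow/var/tmp` if that exists), never `./var/tmp`, so the prune is a no-op and /var/tmp is still traversed. GNU find also warns when the global `-xdev` option is placed after `-path`. If the intent is to skip /var/tmp, use `m find / /nocow -xdev -path /var/tmp -prune -o -uid $uid -execdir chown -h 608 {} +` and the matching `m find / /nocow -xdev -path /var/tmp -prune -o -gid $gid -execdir chgrp -h 608 {} +`. The move to `-execdir` is a good change. `$uid`, `$gid` and the `if` closed by the final `fi` are defined outside the hunk.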