# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
# background: ovecot does not yet have ocsp stapling support
# reference: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
+#
+# for phone, same thing but username alerts, pass in ivy-pass.
#######
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "iank:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
# conflink
apt-get -y install --purge --auto-remove "$@"
}
-postmaster=$u
+postmaster=alerts
mxhost=mail.iankelling.org
mxport=587
forward=$u@$mxhost
if [[ $HOSTNAME == $MAIL_HOST ]]; then
# afaik, these will get ignored because they are routing to my own
# machine, but rm them is safer
- rm -f $(eval echo ~$postmaster)/.forward /root/.forward
+ rm -f $(eval echo ~$u)/.forward /root/.forward
else
# this can\'t be a symlink and has permission restrictions
# it might work in /etc/aliases, but this seems more proper.
- install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
+ install -m 644 {-o,-g}$u <(e $forward) $(eval echo ~$u)/.forward
fi
if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ # mail.iankelling.org so local imap clients can connect with tls and
+ # when they happen to not be local.
+ sed -ri -f - /etc/hosts <<'EOF'
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/q
+/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
+EOF
+ /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
+server=/mail.iankelling.org/127.0.1.1
+EOF
+ systemctl reload dnsmasq
+
debconf-set-selections <<EOF
# Mail Server configuration
# -------------------------
# sieve option, we wouldn\'t need this, but I\'d rather not modify a
# default config if not needed. This won\'t work as a symlink in /a/c
# unfortunately.
- sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
+ sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve
+ # we set this later in local.conf
sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
/^\s*mail_location\s*=/d
EOF
ssl_key = </etc/exim4/exim.key
# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# ian: added this, more secure, per google etc
ssl_prefer_server_ciphers = yes
+
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = iank
+mail_gid = iank
+
# for debugging info, uncomment these.
# logs go to syslog and to /var/log/mail.log
# auth_verbose=yes
systemctl restart dovecot
else # $HOSTNAME != $MAIL_HOST
+ # remove mail. 2 lines to properly remove whitespace
+ sed -ri -f - /etc/hosts <<'EOF'
+s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
+s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
+EOF
+
+ echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
+ systemctl reload dnsmasq
+
systemctl disable offlineimapsync.timer &>/dev/null ||:
systemctl stop offlineimapsync.timer &>/dev/null ||:
systemctl disable mailclean.timer &>/dev/null ||:
dir=/nocow/exim4
sdir=/var/spool/exim4
# we only do this if our system has $dir
-if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
- systemctl stop exim4
- if [[ ! -e $dir && -d $sdir ]]; then
- mv $sdir $dir
+
+# this used to do a symlink, but, in the boot logs, /nocow would get mounted succesfully,
+# about 2 seconds later, exim starts, and immediately puts into paniclog:
+# honVi-0000u3-82 Failed to create directory "/var/spool/exim4/input": No such file or directory
+# so, im trying a bind mount to get rid of that.
+if [[ -e /nocow ]]; then
+ if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then
+ echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >> /etc/fstab
+ fi
+ if ! mountpoint -q $sdir; then
+ systemctl stop exim4
+ if [[ -L $sdir ]]; then
+ rm $sdir
+ fi
+ if [[ ! -e $dir && -d $sdir ]]; then
+ mv $sdir $dir
+ fi
+ if [[ ! -d $sdir ]]; then
+ mkdir $sdir
+ chmod 000 $sdir # only want it to be used when its mounted
+ fi
+ mount $sdir
fi
- /a/exe/lnf -T $dir $sdir
fi
systemctl restart exim4
iankelling.org / git / distro-setup / blobdiff