#!/bin/bash
set -x
-# Copyright (C) 2016 Ian Kelling
+# Copyright (C) 2019 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
####### end persistent dkim instructions #########
-# misc exim notes:
-# useful exim docs:
-# /usr/share/doc/exim4-base/README.Debian.gz
-# /usr/share/doc/exim4-base/spec.txt.gz
-
-# routers, transports, and authenticators are sections, and you define
-# driver instances in those sections, and the manual calls them driver
-# types but there is also a more specific "type" of driver, which is specified
-# with the driver = some_module setting in the driver.
-
-# the driver option must precede and private options (options that are
-# specific to that driver), so follow example of putting it at beginning.
-
-# The full list of option settings for any particular driver instance,
-# including all the defaulted values, can be extracted by making use of
-# the -bP command line option.
-# exim -bP config_file to see what config file it used
-# exim -bP config to see
-
-# exim clear out message queue. as root:
-# adapted from somewhere on stackoverflow.
-# ser stop exim4; sleep 1; exim -bp | exiqgrep -i | xargs exim -Mrm; ser start exim4
-
-# fastmail has changed their smtp server, but the old one still works,
-# I see no reason to bother changing.
-# New one is smtp.fastmail.com
-
-# test delivery & rewrite settings:
-#exim4 -bt iank@localhost
-
e() { printf "%s\n" "$*"; }
pi() { # package install
vpn_ser=openvpn
fi
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
# afaik, these will get ignored because they are routing to my own
# machine, but rm them is safer
rm -f $(eval echo ~$u)/.forward /root/.forward
mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
cat >/etc/exim4/rcpt_local_acl <<'EOF'
-# Only hosts we control send to mail.iankelling.org, so make sure
+# Only hosts we control send to @mail.iankelling.org, so make sure
# they are all authed.
# Note, if we wanted authed senders for all domains,
# we could make this condition in acl_check_mail
# suggested in official docs, and 100k in the wiki example because
# those docs are rather old and I see a 110k spam message
# pretty quickly looking through my spam folder.
- warn
- condition = ${if < {$message_size}{2000K}}
- spam = Debian-exim:true
- add_header = X-Spam_score: $spam_score\n\
- X-Spam_score_int: $spam_score_int\n\
- X-Spam_bar: $spam_bar\n\
- X-Spam_report: $spam_report
+warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+#accept
+# spf = pass:fail:softfail:none:neutral:permerror:temperror
+# dmarc_status = reject:quarantine
+# add_header = Reply-to: dmarctest@iankelling.org
EOF
cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
batch_max = 200
EOF
+cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
+mail.fsf.org
+*.posteo.de
+EOF
+
cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
# smarthost for fsf mail
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
if [[ -e $f ]]; then
source $f
fi
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
local_mx=mail.iankelling.org
rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
${rsync_common}fullchain.pem /etc/exim4/exim.crt
EOF
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
# mail.iankelling.org so local imap clients can connect with tls and
# when they happen to not be local.
sed -ri -f - /etc/hosts <<'EOF'
-/^127\.0\.1\.1.* mail\.iankelling\.org\b/q
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
EOF
/a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
CHECK_RCPT_SPF = true
CHECK_RCPT_REVERSE_DNS = true
CHECK_MAIL_HELO_ISSUED = true
+
+MAIN_LOG_SELECTOR = +all
+
+# testing dmarc
+#dmarc_tld_file = /etc/public_suffix_list.dat
+EOF
+
+ f=/etc/cron.daily/refresh-dmarc-tld-file
+ cat >$f <<'EOF'
+#!/bin/bash
+cd /etc
+wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
EOF
+ chmod 755 $f
+ sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: $postmaster
+/^root:/d
+EOF
####### begin dovecot setup ########
# based on a little google and package search, just the dovecot
# internet. I was torn about whether to do this or not, meh.
pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+ for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
+ sudo -u $u /a/exe/lnf -T $f $(eval echo ~$u)/sieve/${f##*/}
+ done
# if we changed 90-sieve.conf and removed the active part of the
# sieve option, we wouldn\'t need this, but I\'d rather not modify a
# default config if not needed. This won\'t work as a symlink in /a/c
EOF
- cat >/etc/dovecot/local.conf <<'EOF'
+ cat >/etc/dovecot/local.conf <<EOF
# so I can use a different login that my shell login for mail. this is
# worth doing solely for the reason that if this login is compromised,
# it won't also compromise my shell password.
mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
-mail_uid = iank
-mail_gid = iank
+mail_uid = $u
+mail_gid = $u
# for debugging info, uncomment these.
# logs go to syslog and to /var/log/mail.log
StartLimitInterval=0
EOF
+
+
systemctl enable mailclean.timer
systemctl start mailclean.timer
systemctl restart $vpn_ser@mail
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='satellite'
dc_smarthost='$smarthost'
-dc_readhost='$(hostname -f)'
-# i dunno if this would ever get used.
+# The manpage incorrectly states this will do header rewriting, but
+# that only happens if we have dc_hide_mailname is set.
+dc_readhost='iankelling.org'
+# Only used in case of bounces.
dc_localdelivery='maildir_home'
-dc_hide_mailname=''
EOF
hostname -f > /etc/mailname
+ # We set this to alerts on MAIL_HOST, but using a user that doesn't exist elsewhere
+ # is no good.
+ sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root:
+/^root:/d
+EOF
+
fi # end $HOSTNAME != $MAIL_HOST
systemctl reload exim4
# Multiple user names need to be separated by spaces.
# Root and postmaster mail recipient:
-if [[ $postmaster != root ]]; then
- sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: $postmaster
-/^root:/d
-EOF
- newaliases
-fi
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+mkdir -p ${dirs[@]}
+chown -R $u:Debian-exim /m/md/bounces
+chmod 775 ${dirs[@]}
+usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+ if [[ ! -L $d ]]; then
+ rm -rf $d
+ fi
+ ln -sf -T /m/md/bounces $d
+done
+
+sudo -u $u ln -sf -T /m/.mu /home/$u/.mu
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
fi
fi
+
+
systemctl restart exim4
systemctl enable exim4
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
- cat >/etc/cron.d/mailtest <<'EOF'
-*/10 * * * * iank echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de
-2/10 * * * * root /usr/local/bin/mailtest-check
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ f=/usr/local/bin/send-test-forward
+ cat >$f <<'EOF'
+#!/bin/bash
+echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de
+EOF
+ chmod +x $f
+
+ cat >/etc/cron.d/mailtest <<EOF
+SHELL=/bin/bash
+# running as user just because no need to run as root
+*/10 * * * * $u $f 2>&1 | /usr/local/bin/log-once send-test-forward
+*/10 * * * * $u /usr/local/bin/mailtest-check 2>&1 | /usr/local/bin/log-once -1 send-test-forward
+*/10 * * * * root chmod -R g+rw /m/md/bounces 2>&1 | /usr/local/bin/log-once -1 bounces-chmod
EOF
cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin
else
# for when MAIL_HOST changes, so radicale gets the synced files and
# does not stop us from remounting /o.
if dpkg -s radicale &>/dev/null; then
- if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
systemctl restart radicale
systemctl enable radicale
if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
iankelling.org / git / distro-setup / blobdiff