#!/bin/bash
-set -x
-
+# -*- eval: (outline-minor-mode); -*-
+# * intro
# Copyright (C) 2019 Ian Kelling
+# SPDX-License-Identifier: AGPL-3.0-or-later
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
+if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi
-# http://www.apache.org/licenses/LICENSE-2.0
+pre="${0##*/}:"
+m() { printf "$pre %s\n" "$*"; "$@"; }
+e() { printf "$pre %s\n" "$*"; }
+err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; }
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
# TODO: copy dkim keys from within this file. its now done in conflink.
# TODO: fix dkim key to b chmod 640, group Debian-exim
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+if [[ -s /usr/local/lib/err ]]; then
+ source /usr/local/lib/err
+elif [[ -s /a/bin/errhandle/err ]]; then
+ source /a/bin/errhandle/err
+else
+ err "no err tracing script found"
+ exit 1
+fi
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
if [[ ! $SUDO_USER ]]; then
#######
-####### begin perstent password instructions ######
+# * perstent password instructions
# # exim passwords:
# # for hosts which have all private files I just use the same user
# # for other hosts, each one get\'s their own password.
####### end perstent password instructions ######
-####### begin persistent dkim/dns instructions #########
+# * persistent dkim/dns instructions
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# chmod 640 $domain-private.pem
# # in conflink, we chown these to group debian
# conflink
-# # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
+# # selector was also put into /etc/exim4/conf.d/main/000_local,
# # via the mail-setup scripts
# # 2017-02 dmarc policies:
# # i include fastmail\'s settings, per their instructions,
# # and follow their policy. In mail in a box, or similar instructions,
# # I\'ve seen recommended to not use a restrictive policy.
-# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"
# # to check if dns has updated, you do
# host -a mesmtp._domainkey.$domain
# cat <<'EOF'
# mx records, 2 records each, for * and empty domain
# pri 10 mail.iankelling.org
-# pri 20 in1-smtp.messagingengine.com
-# pri 30 in2-smtp.messagingengine.com
# EOF
####### end persistent dkim instructions #########
-
+# * functions constants
e() { printf "%s\n" "$*"; }
pi() { # package install
local f
while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done
f=/var/cache/apt/pkgcache.bin;
if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
- apt-get update
+ m apt-get update
fi
- apt-get -y install --purge --auto-remove "$@"
+ DEBIAN_FRONTEND=noninteractive m apt-get -y install --purge --auto-remove "$@"
}
postmaster=alerts
# mxport=587
# forward=ian@iankelling.org
-smarthost="$mxhost::$mxport" # exim
+smarthost="$mxhost::$mxport"
+
+## * Install packages
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
vpn_ser=openvpn
fi
+uhome=$(eval echo ~$u)
+### * user forward file
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
# afaik, these will get ignored because they are routing to my own
# machine, but rm them is safer
- rm -f $(eval echo ~$u)/.forward /root/.forward
+ rm -fv $uhome/.forward /root/.forward
else
# this can\'t be a symlink and has permission restrictions
# it might work in /etc/aliases, but this seems more proper.
- install -m 644 {-o,-g}$u <(e $forward) $(eval echo ~$u)/.forward
+ e setting $uhome/.forward to $forward
+ install -m 644 {-o,-g}$u <(e $forward) $uhome/.forward
fi
+# * Mail clean cronjob
+
+cat >/etc/systemd/system/mailclean.timer <<'EOF'
+[Unit]
+Description=Run mailclean daily
+
+[Timer]
+OnCalendar=monthly
+
+[Install]
+WantedBy=timers.target
+EOF
+
+cat >/etc/systemd/system/mailclean.service <<EOF
+[Unit]
+Description=Delete and archive old mail files
+After=multi-user.target
+
+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+EOF
+
+systemctl daemon-reload
+
+
+# * spamassassin
+
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+ m systemctl stop spamassassin
+ m systemctl disable spamassassin
+else
+
+ # per readme.debian
+ sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+ e CRON=1 >>/etc/default/spamassassin
+ # just noticed this in the config file, seems like a good idea.
+ sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+ e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+
+ m systemctl enable spamassassin
+ m systemctl start spamassassin
+ m systemctl reload spamassassin
+
+ cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+[Unit]
+Description=spamd dns bug fix cronjob
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/distro-setup/spamd-dns-fix
+EOF
+ # 2017-09, debian closed the bug on this saying upstream had fixed it.
+ # remove this when i\'m using the newer package, ie, debian 10, or maybe
+ # ubuntu 18.04.
+ cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+[Unit]
+Description=run spamd bug fix script every 10 minutes
+
+[Timer]
+OnActiveSec=60
+# the script looks back 9 minutes into the journal,
+# it takes a second to run,
+# so lets run every 9 minutes and 10 seconds.
+OnUnitActiveSec=550
+
+[Install]
+WantedBy=timers.target
+EOF
+ m systemctl daemon-reload
+ m systemctl restart spamddnsfix.timer
+ m systemctl enable spamddnsfix.timer
+
+fi # [[ $HOSTNAME != "$MAIL_HOST" ]]
+##### end spamassassin config
-pi openvpn
+# * Update mail cert
if [[ -e /p/c/filesystem ]]; then
# allow failure of these commands when our internet is down, they are likely not needed,
# we check that a valid cert is there already.
# systemd, buuut it can remake the tun device unexpectedly, i got this in the log
# after my internet was down for a bit:
# NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
- /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
+ m /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org
fi
fi
-cat >/etc/systemd/system/mailclean.timer <<'EOF'
-[Unit]
-Description=Run mailclean daily
-[Timer]
-OnCalendar=monthly
+f=/usr/local/bin/mail-cert-cron
+cat >$f <<'EOF'
+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-[Install]
-WantedBy=timers.target
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+f=/a/bin/bash_unpublished/source-state
+if [[ -e $f ]]; then
+ source $f
+fi
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ local_mx=mail.iankelling.org
+ rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
+ ${rsync_common}fullchain.pem /etc/exim4/exim.crt
+ ret=$?
+ ${rsync_common}privkey.pem /etc/exim4/exim.key
+ new_ret=$?
+ if [[ $ret != $new_ret ]]; then
+ echo "$0: error: differing rsync returns, $ret, $new_ret"
+ exit 1
+ fi
+fi
+if [[ $new_ret != 0 ]]; then
+ if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
+ echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
+ exit 1
+ fi
+fi
+exit 0
EOF
+m chmod 755 $f
-cat >/etc/systemd/system/mailclean.service <<EOF
+cat >/etc/systemd/system/mailcert.service <<'EOF'
[Unit]
-Description=Delete and archive old mail files
+Description=Mail cert rsync
After=multi-user.target
[Service]
-User=$u
Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF
-systemctl daemon-reload
+cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
+EOF
+m systemctl daemon-reload
+m systemctl start mailcert
+m systemctl restart mailcert.timer
+m systemctl enable mailcert.timer
+
+# * common exim4 config
source /a/bin/bash_unpublished/source-state
-mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
-cat >/etc/exim4/rcpt_local_acl <<'EOF'
+
+### make local bounces go to normal maildir
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+m mkdir -p ${dirs[@]}
+m chown -R $u:Debian-exim /m/md/bounces
+m chmod 775 ${dirs[@]}
+m usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+ if [[ ! -L $d ]]; then
+ m rm -rf $d
+ fi
+ m ln -sf -T /m/md/bounces $d
+done
+
+
+### begin setup passwd.client
+f=/etc/exim4/passwd.client
+rm -fv /etc/exim4/passwd.client
+m install -m 640 -g Debian-exim /dev/null $f
+while read -r domain _ pass; do
+ # reference: exim4_passwd_client(5)
+ printf "%s:%s\n" "$domain" "$pass" >>$f
+done </etc/mailpass
+### end setup passwd.client
+
+# by default, only 10 days of logs are kept. increase that.
+m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+
+
+## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+
+rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
+cat >/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_ENABLE = true
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# more verbose logs
+MAIN_LOG_SELECTOR = +all
+
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters. Also allows
+# me exiqgrep and stuff.
+MAIN_TRUSTED_GROUPS = $u
+EOF
+
+rm -fv /etc/exim4/rcpt_local_acl # old path
+cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
# Only hosts we control send to @mail.iankelling.org, so make sure
# they are all authed.
# Note, if we wanted authed senders for all domains,
!authenticated = *
domains = mail.iankelling.org
EOF
-cat >/etc/exim4/data_local_acl <<'EOF'
+rm -fv /etc/exim4/data_local_acl # old path
+cat >/etc/exim4/conf.d/data_local_acl <<'EOF'
# Except for the "condition =", this was
# a comment in the check_data acl. The comment about this not
# being suitable is mostly bs. The only thing related I found was to
EOF
-#### begin mail cert setup ###
-f=/usr/local/bin/mail-cert-cron
-cat >$f <<'EOF'
-#!/bin/bash
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-
-f=/a/bin/bash_unpublished/source-state
-if [[ -e $f ]]; then
- source $f
-fi
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/"
- ${rsync_common}fullchain.pem /etc/exim4/exim.crt
- ret=$?
- ${rsync_common}privkey.pem /etc/exim4/exim.key
- new_ret=$?
- if [[ $ret != $new_ret ]]; then
- echo "$0: error: differing rsync returns, $ret, $new_ret"
- exit 1
- fi
-fi
-if [[ $new_ret != 0 ]]; then
- if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then
- echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
- exit 1
- fi
-fi
-exit 0
-EOF
-chmod 755 $f
-
-cat >/etc/systemd/system/mailcert.service <<'EOF'
-[Unit]
-Description=Mail cert rsync
-After=multi-user.target
-
-[Service]
-Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
-EOF
-
-cat >/etc/systemd/system/mailcert.timer <<'EOF'
-[Unit]
-Description=Run mail-cert once a day
-
-[Timer]
-OnCalendar=daily
-
-[Install]
-WantedBy=timers.target
-EOF
-systemctl daemon-reload
-systemctl start mailcert
-systemctl restart mailcert.timer
-systemctl enable mailcert.timer
-
-##### end mailcert setup #####
-
-# comon stuff
cat >/etc/exim4/update-exim4.conf.conf <<'EOF'
# default stuff, i havent checked if its needed
dc_minimaldns='false'
dc_mailname_in_oh='true'
EOF
-
+# * if MAIL_HOST
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ # ** dovecot
+ ####### begin dovecot setup ########
+ # based on a little google and package search, just the dovecot
+ # packages we need instead of dovecot-common.
+ #
+ # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+ # directly. The reason to do this is to use dovecot\'s sieve, which
+ # has extensions that allow it to be almost equivalent to exim\'s
+ # filter capabilities, some ways probably better, some worse, and
+ # sieve has the benefit of being supported in postfix and
+ # proprietary/weird environments, so there is more examples on the
+ # internet. I was torn about whether to do this or not, meh.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
- # mail.iankelling.org so local imap clients can connect with tls and
- # when they happen to not be local.
- sed -ri -f - /etc/hosts <<'EOF'
-/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
-/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
-EOF
- /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
-server=/mail.iankelling.org/127.0.1.1
-EOF
- systemctl reload dnsmasq
+ for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
+ m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/}
+ done
+ # if we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
- # I used to use debconf-set-selections + dpkg-reconfigure,
- # which then updates this file
- # but the process is slower than updating it directly and then I want to set other things in
- # update-exim4.conf.conf, so there's no point.
- # The file is documented in man update-exim4.conf,
- # except the man page is not perfect, read the bash script to be sure about things.
+ # we set this later in local.conf
+ sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+/^\s*mail_location\s*=/d
+EOF
+
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+ mail_plugins = \$mail_plugins sieve
+# default was
+ #mail_plugins = \$mail_plugins
+
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+# auth_username_format = %Ln
+#
+# or else # Exim says something like
+# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+# debug_print = "R: catchall for \$local_part@\$domain"
+# driver = redirect
+# domains = +local_domains
+# data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+ auth_username_format = $u
+}
+
+EOF
+
+
+ cat >/etc/dovecot/local.conf <<EOF
+# so I can use a different login that my shell login for mail. this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
+
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
+
+
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
+
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
+EOF
+ ####### end dovecot setup ########
+
+ # ** exim
+
+ # mail.iankelling.org so local imap clients can connect with tls and
+ # when they happen to not be local.
+ sed -ri -f - /etc/hosts <<'EOF'
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
+/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
+EOF
+ /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
+server=/mail.iankelling.org/127.0.1.1
+EOF
+ if systemctl is-active dnsmasq >/dev/null; then
+ m systemctl reload dnsmasq
+ fi
+
+ # I used to use debconf-set-selections + dpkg-reconfigure,
+ # which then updates this file
+ # but the process is slower than updating it directly and then I want to set other things in
+ # update-exim4.conf.conf, so there's no point.
+ # The file is documented in man update-exim4.conf,
+ # except the man page is not perfect, read the bash script to be sure about things.
# The debconf questions output is additional documentation that is not
# easily accessible, but super long, along with the initial default comment in this
# MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
# smarthost config type, not sure. all other settings
# would be unused in that config type.
- rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
- cat >/etc/exim4/conf.d/main/000_local <<EOF
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
# enable 587 in addition to the default 25, so that
# i can send mail where port 25 is firewalled by isp
daemon_smtp_ports = 25 : 587
-# i don't have ipv6 setup for my vpn tunnel yet.
-disable_ipv6 = true
-
-MAIN_TLS_ENABLE = true
DKIM_CANON = relaxed
DKIM_SELECTOR = li
# Seems logical for this to be the same as mailname.
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
-# normally empty, I set this so I can set the envelope address
-# when doing mail redelivery to invoke filters
-MAIN_TRUSTED_GROUPS = $u
-
LOCAL_DELIVERY = dovecot_lmtp
# options exim has to avoid having to alter the default config files
-CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
-CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
-
-# debian exim config added this in 2016 or so?
-# it's part of the smtp spec, to limit lines to 998 chars
-# but a fair amount of legit mail does not adhere to it. I don't think
-# this should be default, like it says in
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
-# todo: the bug for introducing this was about headers, but
-# the fix maybe is for all lines? one says gmail rejects, the
-# other says gmail does not reject. figure out and open a new bug.
-IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
# most of the ones that gmail seems to use.
# Exim has horrible default of signing unincluded
CHECK_RCPT_REVERSE_DNS = true
CHECK_MAIL_HELO_ISSUED = true
-MAIN_LOG_SELECTOR = +all
-
# testing dmarc
#dmarc_tld_file = /etc/public_suffix_list.dat
EOF
cd /etc
wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
EOF
- chmod 755 $f
+ m chmod 755 $f
sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: $postmaster
/^root:/d
EOF
- ####### begin dovecot setup ########
- # based on a little google and package search, just the dovecot
- # packages we need instead of dovecot-common.
- #
- # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
- # directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
- # sieve has the benefit of being supported in postfix and
- # proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
- for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
- sudo -u $u /a/exe/lnf -T $f $(eval echo ~$u)/sieve/${f##*/}
- done
- # if we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve
-
- # we set this later in local.conf
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-/^\s*mail_location\s*=/d
-EOF
-
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
- mail_plugins = \$mail_plugins sieve
-# default was
- #mail_plugins = \$mail_plugins
-
-# For a normal setup with exim, we need something like this, which
-# removes the domain part
-# auth_username_format = %Ln
-#
-# or else # Exim says something like
-# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
-# Dovecot verbose log says something like
-# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
-# reference: http://wiki.dovecot.org/LMTP/Exim
-#
-# However, I use this to direct all mail to the same inbox.
-# A normal way to do this, which I did at first is to have
-# a router in exim almost at the end, eg 950,
-#local_catchall:
-# debug_print = "R: catchall for \$local_part@\$domain"
-# driver = redirect
-# domains = +local_domains
-# data = $u
-# based on
-# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
-# with superflous options removed.
-# However, this causes the envelope to be rewritten,
-# which makes filtering into mailboxes a little less robust or more complicated,
-# so I've done it this way instead. it also requires
-# modifying the local router in exim.
- auth_username_format = $u
-}
-
-EOF
-
-
- cat >/etc/dovecot/local.conf <<EOF
-# so I can use a different login that my shell login for mail. this is
-# worth doing solely for the reason that if this login is compromised,
-# it won't also compromise my shell password.
-!include conf.d/auth-passwdfile.conf.ext
-
-# settings derived from wiki and 10-ssl.conf
-ssl = required
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-
-# ian: added this, more secure, per google etc
-ssl_prefer_server_ciphers = yes
-
-
-mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
-mail_uid = $u
-mail_gid = $u
-
-# for debugging info, uncomment these.
-# logs go to syslog and to /var/log/mail.log
-# auth_verbose=yes
-#mail_debug=yes
-EOF
- ####### end dovecot setup ########
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
- d=/etc/systemd/system/openvpn@mail
- mkdir -p $d
+ d=/etc/systemd/system/openvpn@mail.service.d
+ m mkdir -p $d
cat >$d/override.conf <<'EOF'
[Service]
Restart=always
# StartLimitIntervalSec in recent systemd versions
StartLimitInterval=0
EOF
+ if ! systemctl cat openvpn@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then
+ # needed for the above config to go into effect
+ m systemctl daemon-reexec
+ fi
+ m systemctl enable mailclean.timer
+ m systemctl start mailclean.timer
+ m systemctl restart $vpn_ser@mail
+ m systemctl enable $vpn_ser@mail
+ m systemctl enable dovecot
+ m systemctl restart dovecot
- systemctl enable mailclean.timer
- systemctl start mailclean.timer
- systemctl restart $vpn_ser@mail
- systemctl enable $vpn_ser@mail
- systemctl enable dovecot
- systemctl restart dovecot
-
+ # * not MAIL_HOST
else # $HOSTNAME != $MAIL_HOST
# remove mail. 2 lines to properly remove whitespace
sed -ri -f - /etc/hosts <<'EOF'
EOF
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
- systemctl reload dnsmasq
-
- systemctl disable mailclean.timer &>/dev/null ||:
- systemctl stop mailclean.timer &>/dev/null ||:
- systemctl disable $vpn_ser@mail
- systemctl stop $vpn_ser@mail
- systemctl disable dovecot ||:
- systemctl stop dovecot ||:
+ if systemctl is-active dnsmasq >/dev/null; then
+ m systemctl reload dnsmasq
+ fi
+
+ m systemctl disable mailclean.timer &>/dev/null ||:
+ m systemctl stop mailclean.timer &>/dev/null ||:
+ m systemctl disable $vpn_ser@mail
+ m systemctl stop $vpn_ser@mail
+ m systemctl disable dovecot ||:
+ m systemctl stop dovecot ||:
#
#
# would only exist because I wrote it i the previous condition,
# it\'s not part of exim
- rm -f /etc/exim4/conf.d/main/000_localmacros
+ rm -fv /etc/exim4/conf.d/main/000_localmacros
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-dc_eximconfig_configtype='satellite'
+dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
# The manpage incorrectly states this will do header rewriting, but
# that only happens if we have dc_hide_mailname is set.
dc_localdelivery='maildir_home'
EOF
- hostname -f > /etc/mailname
+ hostname -f >/etc/mailname
- # We set this to alerts on MAIL_HOST, but using a user that doesn't exist elsewhere
+ # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
# is no good.
sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root:
+\$a root: root@mail.iankelling.org
/^root:/d
EOF
fi # end $HOSTNAME != $MAIL_HOST
-systemctl reload exim4
-
-# i have the spool directory be common to distro multi-boot, so
-# we need the uid to be the same. 608 cuz it's kind of in the middle
-# of the free system uids.
-IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
-IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
-if [[ ! $uid ]]; then
- # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
- adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
- --no-create-home --disabled-login --force-badname Debian-exim
-elif [[ $uid != 608 ]]; then
- systemctl stop exim4 ||:
- usermod -u 608 Debian-exim
- groupmod -g 608 Debian-exim
- usermod -g 608 Debian-exim
- find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
- find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
-fi
-
-
-# light version of exim does not have sasl auth support.
-pi exim4-daemon-heavy spamassassin spf-tools-perl
-
-
-
-##### begin spamassassin config
-systemctl enable spamassassin
-# per readme.debian
-sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
-e CRON=1 >>/etc/default/spamassassin
-# just noticed this in the config file, seems like a good idea.
-sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
-e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
-systemctl start spamassassin
-systemctl reload spamassassin
-
-cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
-[Unit]
-Description=spamd dns bug fix cronjob
-
-[Service]
-Type=oneshot
-ExecStart=/a/bin/distro-setup/spamd-dns-fix
-EOF
-# 2017-09, debian closed the bug on this saying upstream had fixed it.
-# remove this when i\'m using the newer package, ie, debian 10, or maybe
-# ubuntu 18.04.
-cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
-[Unit]
-Description=run spamd bug fix script every 10 minutes
-
-[Timer]
-OnActiveSec=60
-# the script looks back 9 minutes into the journal,
-# it takes a second to run,
-# so lets run every 9 minutes and 10 seconds.
-OnUnitActiveSec=550
-
-[Install]
-WantedBy=timers.target
-EOF
-systemctl daemon-reload
-systemctl restart spamddnsfix.timer
-systemctl enable spamddnsfix.timer
-#
-##### end spamassassin config
-
-
-
-
-
-# https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
-# i only need .forwards, so just doing that one.
-cd /etc/exim4/conf.d/router
-b=userforward_higher_priority
-# replace the router name so it is unique
-sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
-
-# begin setup passwd.client
-f=/etc/exim4/passwd.client
-rm -f /etc/exim4/passwd.client
-install -m 640 -g Debian-exim /dev/null $f
-while read -r domain _ pass; do
- # reference: exim4_passwd_client(5)
- printf "%s:%s\n" "$domain" "$pass" >>$f
-done </etc/mailpass
-# end setup passwd.client
-
-# by default, only 10 days of logs are kept. increase that.
-sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
-
-systemctl restart exim4
-
-
-
-# /etc/alias setup is debian specific, and exim postinst script sets up
-# an /etc/alias from root to the postmaster, based on the question
-# exim4-config exim4/dc_postmaster, as long as there exists an entry for
-# root, or there was no preexisting aliases file. postfix won\'t set up
-# a root to $postmaster alias if it\'s already installed. Easiest to
-# just set it ourselves.
-
-# debconf question for postmaster:
-# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
-# to the user account of the actual system administrator.
-# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
-# recommended.
-# Note that postmaster\'s mail should be read on the system to which it is directed,
-# rather than being forwarded elsewhere, so (at least one of) the users listed here
-# should not redirect their mail off this machine. A 'real-' prefix can be used to
-# force local delivery.
-# Multiple user names need to be separated by spaces.
-# Root and postmaster mail recipient:
-
-# local mail that bounces goes to /Maildir or /root/Maildir
-dirs=(/m/md/bounces/{cur,tmp,new})
-mkdir -p ${dirs[@]}
-chown -R $u:Debian-exim /m/md/bounces
-chmod 775 ${dirs[@]}
-usermod -a -G Debian-exim $u
-for d in /Maildir /root/Maildir; do
- if [[ ! -L $d ]]; then
- rm -rf $d
- fi
- ln -sf -T /m/md/bounces $d
-done
-
-sudo -u $u ln -sf -T /m/.mu /home/$u/.mu
+# * spool dir setup
+# ** bind mount setup
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
# so, im trying a bind mount to get rid of that.
if [[ -e /nocow ]]; then
if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then
- echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >> /etc/fstab
+ echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc/fstab
fi
if ! mountpoint -q $sdir; then
- systemctl stop exim4
+ m systemctl stop exim4
if [[ -L $sdir ]]; then
- rm $sdir
+ m rm $sdir
fi
if [[ ! -e $dir && -d $sdir ]]; then
- mv $sdir $dir
+ m mv $sdir $dir
fi
if [[ ! -d $sdir ]]; then
- mkdir $sdir
- chmod 000 $sdir # only want it to be used when its mounted
+ m mkdir $sdir
+ m chmod 000 $sdir # only want it to be used when its mounted
fi
- mount $sdir
+ m mount $sdir
fi
fi
-systemctl restart exim4
-systemctl enable exim4
+# ** exim/spool uid setup
+# i have the spool directory be common to distro multi-boot, so
+# we need the uid to be the same. 608 cuz it's kind of in the middle
+# of the free system uids.
+IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ||:) ||:; unset IFS
+IFS=:; read _ _ gid _ < <(getent group Debian-exim ||:) ||:; unset IFS
+if [[ ! $uid ]]; then
+ # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
+ m adduser --uid 608 --system --group --quiet --home /var/spool/exim4 \
+ --no-create-home --disabled-login --force-badname Debian-exim
+elif [[ $uid != 608 ]]; then
+ m systemctl stop exim4 ||:
+ m usermod -u 608 Debian-exim
+ m groupmod -g 608 Debian-exim
+ m usermod -g 608 Debian-exim
+ m find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
+ m find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+fi
+
+
+
+# * reload exim
+if systemctl is-active exim4 >/dev/null; then
+ m systemctl reload exim4
+else
+ m systemctl start exim4
+fi
+
+
+# * mail monitoring / testing
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
f=/usr/local/bin/send-test-forward
- cat >$f <<'EOF'
+ cat >$f <<'EOFOUTER'
#!/bin/bash
-echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de
+/usr/sbin/exim -t <<EOF
+From: ian@iankelling.org
+To: iank@posteo.de
+Subject: primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)
+
+eom
EOF
- chmod +x $f
+EOFOUTER
+ m chmod +x $f
cat >/etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
# running as user just because no need to run as root
*/10 * * * * $u $f 2>&1 | /usr/local/bin/log-once send-test-forward
-*/10 * * * * $u /usr/local/bin/mailtest-check 2>&1 | /usr/local/bin/log-once -1 send-test-forward
+*/10 * * * * $u /usr/local/bin/mailtest-check 2>&1 | /usr/local/bin/log-once -1 mailtest-check
*/10 * * * * root chmod -R g+rw /m/md/bounces 2>&1 | /usr/local/bin/log-once -1 bounces-chmod
EOF
- cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin
+ m cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin
else
- rm -f /etc/cron.d/mailtest
+ rm -fv /etc/cron.d/mailtest
fi
+
+# * Radicale
+
# MAIL_HOST also does radicale, and easier to start and stop it here
# for when MAIL_HOST changes, so radicale gets the synced files and
# does not stop us from remounting /o.
if dpkg -s radicale &>/dev/null; then
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- systemctl restart radicale
- systemctl enable radicale
+ m systemctl restart radicale
+ m systemctl enable radicale
if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
- mv /etc/logrotate.d/radicale{.disabled,}
+ m mv /etc/logrotate.d/radicale{.disabled,}
fi
else
- systemctl stop radicale
- systemctl disable radicale
+ m systemctl stop radicale
+ m systemctl disable radicale
# weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
if [[ -e /etc/logrotate.d/radicale ]]; then
- mv /etc/logrotate.d/radicale{,.disabled}
+ m mv /etc/logrotate.d/radicale{,.disabled}
fi
fi
fi
+
+# * misc
+m sudo -u $u ln -sf -T /m/.mu /home/$u/.mu
+
+
+# /etc/alias setup is debian specific, and exim postinst script sets up
+# an /etc/alias from root to the postmaster, based on the question
+# exim4-config exim4/dc_postmaster, as long as there exists an entry for
+# root, or there was no preexisting aliases file. postfix won\'t set up
+# a root to $postmaster alias if it\'s already installed. Easiest to
+# just set it ourselves.
+
+# debconf question for postmaster:
+# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
+# to the user account of the actual system administrator.
+# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
+# recommended.
+# Note that postmaster\'s mail should be read on the system to which it is directed,
+# rather than being forwarded elsewhere, so (at least one of) the users listed here
+# should not redirect their mail off this machine. A 'real-' prefix can be used to
+# force local delivery.
+# Multiple user names need to be separated by spaces.
+# Root and postmaster mail recipient:
+
+
exit 0
:
iankelling.org / git / distro-setup / blobdiff