# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: sandbox / harden exim:
+# 1. stop it from running as root. how?
+# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html
+# * avoid using .forward files, remove that router
+# * set deliver_drop_privilege
+# * set user to run as Debian-exim in systemd
+# * set port to something like 2500, and forward 25 to 2500 with iptables. same for 587.
+# https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/1334552#1334552
+# * consider whether other routers like postmaster need modification / removal.
+# 2. restrict its filesystem access from within systemd
+
+# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
+# todo: consider hardening cups listening on 0.0.0.0
+# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
+# todo: check that spamd and unbound only listen locally.
+
# todo: hosts should only allow external mail that is authed and
# destined for backup route. it is a minor issue since traffic is
# limited to the wghole network.
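Review bot: The port-redirect item in the new exim hardening todo (listen on 2500, iptables 25→2500) leaves 2500 itself reachable from the network unless the filter rules also drop direct connections to it, and the same goes for whatever port 587 is redirected to. Since the same list already plans `User=Debian-exim` in the systemd unit, `AmbientCapabilities=CAP_NET_BIND_SERVICE` in that unit lets exim keep binding 25/587 without a redirect or extra firewall rules, so the note could read `# * run as Debian-exim in systemd; keep binding 25/587 via AmbientCapabilities=CAP_NET_BIND_SERVICE (avoids the iptables redirect and an exposed alternate port)`. Treat this as a suggestion to record in the todo rather than a change to make here, as the rest of the list is not yet implemented in this file.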
m systemctl enable $service;
done
}
-sstart() {
- for service; do
- m systemctl enable --now $service;
- done
-}
mailhost() {
[[ $HOSTNAME == "$MAIL_HOST" ]]
}
WantedBy=multi-user.target
EOF
+i /etc/systemd/system/mailbindwatchdog.service <<EOF
+[Unit]
+Description=Watchdog to restart services relying on systemd-resolved dir
+After=syslog.target network-online.target
+Wants=network-online.target
+BindsTo=mailnn.service
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
# old service name
m systemctl daemon-reload
fi
-sstart epanicclean.timer
+m systemctl --now enable epanicclean.timer
case $HOSTNAME in
je)
ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
;;&
$MAIL_HOST|bk)
- sstart mailnn mailnnroute
+ m systemctl --now enable mailnn mailnnroute
;;&
$MAIL_HOST)
# we use dns to start wg
if $reload; then
sre unbound
else
- sstart unbound
+ m systemctl --now enable unbound
fi
;;&
$MAIL_HOST|bk)
if $reload; then
sre $vpnser
else
- sstart $vpnser
+ m systemctl --now enable $vpnser
fi
if ! systemctl is-active clamav-daemon >/dev/null; then
- sstart clamav-daemon
+ m systemctl --now enable clamav-daemon
out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.{timer,service} /etc/systemd/system)
if [[ $out ]]; then
reload=true
# need to wait a bit before restarting exim, else I
# get a paniclog entry like: spam acl condition: all spamd servers failed
sleep 3
- sstart mailclean.timer
+ m systemctl --now enable mailclean.timer
;;&
$MAIL_HOST)
# < 2.1 (eg: in t9), uses a different data format which required manual
# migration. dont start if we are running an old version.
if dpkg --compare-versions $(dpkg -s radicale | awk '$1 == "Version:" { print $2 }') ge 2.1; then
- sstart radicale
+ m systemctl --now enable radicale
fi
;;&
esac
sre exim4
+case $HOSTNAME in
+ $MAIL_HOST)
+ m systemctl --now enable mailbindwatchdog
+ ;;
+ *)
+ soff mailbindwatchdog
+ ;;
+esac
+
+
case $HOSTNAME in
bk) sre exim4in ;;
esac
cat >/usr/local/bin/send-test-forward <<'EOF'
#!/bin/bash
olds=(
-/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+$(/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
+)
if (( ${#olds[@]} )); then
/sbin/exim -Mrm "${olds[@]}" >/dev/null
fi
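Review bot: The new mailbindwatchdog unit declares `BindsTo=mailnn.service` without an `After=mailnn.service`, so it can be started while mailnn is still activating, and with `Restart=always`/`RestartSec=1` and no start-rate override, a watchdog that exits quickly (e.g. a missing or failing `/usr/local/bin/mailbindwatchdog`) hits systemd's default start limit and is left in failed state rather than restarted. If the intent is "run only while mailnn is up and keep retrying", change the unit to `After=network-online.target mailnn.service`, add `StartLimitIntervalSec=0` under `[Unit]`, and drop the obsolete `syslog.target` from `After=`. Note also that the unit carries no `User=` and so runs the watchdog as root; that is presumably required for it to restart services, but a comment saying so would stop a later hardening pass from guessing, and the `$vpnser`/`${nn_progs[@]}` values are baked into the unit at install time, so the unit must be rewritten whenever those lists change. The `if` closed at `fi` and the enclosing script section start before this hunk.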