X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=blobdiff_plain;f=mail-setup;h=b3cb092539fc6b6ccd079c0c102ce74980a77d0f;hp=9b9a97c04589f8a356c65d0b0b80260df06dc010;hb=602a1874cc11a7d371890cdae4c0dc982267ea89;hpb=8fc333f8c2d69d0792f3742d4f4351e7acb07d9e
diff --git a/mail-setup b/mail-setup
index 9b9a97c..b3cb092 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3,6 +3,8 @@
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: max line length macro changed in t11. look into it
+# todo: check that all macros we use are still valid in t11
# todo: setup an alert for bouncing test emails.
@@ -460,7 +462,7 @@ m usermod -a -G Debian-exim clamav
i /etc/systemd/system/clamav-daemon.service.d/fix.conf </etc/exim4/conf.d/main/000_local2 </etc/exim4/conf.d/transport/11_iank <<'EOF'
+# This unsets the default macro defined in on t11 in
+# /etc/exim4/conf.d/transport/10_exim4-config_transport-macros
+# It seems like a very odd choice that this has become
+# the default in t11. Normal smarthost clients use username/password
+# auth. Oh well.
+REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==
+EOF
+ cat >/etc/exim4/conf.d/main/000_local <<'EOF'
MAIN_TLS_ENABLE = true
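Review bot: `REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==` empties the list of smarthosts whose TLS certificate must verify, so from this commit on a wrong or substituted certificate on the smarthost no longer stops delivery, and the username/password auth the comment mentions is then sent over a connection whose peer was not verified; the comment explains why the default is disliked but not that this is what is given up. If the smarthost presents a valid certificate, the narrower override is to name it, e.g. `REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS == smarthost.example` (placeholder host), which still replaces the t11 default the comment refers to. Failing that, I would add `# NOTE: with this empty, TLS to the smarthost is not certificate-verified; the AUTH credentials go over that connection` next to the macro. The hunk that introduces this heredoc, including its `cat >` line and header, is garbled in this rendering, so the enclosing context is not visible.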
@@ -1183,13 +1214,17 @@ smtp_accept_queue_per_connection = 500
DKIM_CANON = relaxed
DKIM_SELECTOR = li
-# from comments in
+# From comments in
# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
# There could be some circumstance when the
# from: isnt our domain, but the envelope sender is
# and so still want to sign, but I cant think of any case.
-DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
+#DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
+# In t11, we cant do the above anymore because this is tainted data used in a file lookup.
+# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
+DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
+ # The file is based on the outgoing domain-name in the from-header.
# sign if key exists
DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
@@ -2475,9 +2510,17 @@ UPEX4OPTS='-o /etc/exim4/my.conf'
# i use epanic-clean for alerting if there are bad paniclog entries
E4BCD_WATCH_PANICLOG='no'
EOF
+ # make exim be a nonroot setuid program.
chown Debian-exim:Debian-exim /usr/sbin/exim4
# needs guid set in order to become Debian-exim
chmod g+s,u+s /usr/sbin/exim4
+ # need this to avoid error on service reload:
+ # 2022-08-07 18:44:34.005 [892491] pid 892491: SIGHUP received: re-exec daemon
+ # 2022-08-07 18:44:34.036 [892491] cwd=/var/spool/exim4 5 args: /usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf
+ # 2022-08-07 18:44:34.043 [892491] socket bind() to port 25 for address (any IPv6) failed: Permission denied: waiting 30s before trying again (9 more tries)
+ # note: the daemon gives up and dies after retrying those 9 times.
+ # I came upon this by guessing and trial and error.
+ setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
i /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
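Review bot: The new `DKIM_DOMAIN` lookup yields an empty string when the From: domain is not listed in /etc/exim4/conf.d/my-dkim-domains, which the `DKIM_PRIVATE_KEY` line below turns into "sent unsigned" rather than an error as far as I can tell, while a missing or unreadable list file becomes an expansion failure at delivery time if I recall lsearch's behaviour correctly; neither outcome is stated next to the line, and the hunk does not show where that file is created or its format. A comment such as `# one domain per line; a From: domain not in this file is sent unsigned (DKIM_DOMAIN expands empty)` would make the allow-list role explicit. Dropping the previous `${lc:...}` seems fine if, as I recall, lsearch matches case-insensitively and `ret=key` returns the spelling from the file, but that is worth confirming since `${dkim_domain}` is then interpolated into the private-key path.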
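Review bot: The capability set by `setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4` is an xattr on the binary and disappears, together with the chown/chmod above it, the next time the exim4 daemon package unpacks a new /usr/sbin/exim4, so a routine upgrade reintroduces the bind() failure quoted in the comment without anything in this script changing. The comment should say so, e.g. `# file caps and the setuid bit do not survive an exim4 package upgrade; rerun this block afterwards` (ownership and mode could be pinned with dpkg-statoverride, capabilities cannot). As far as I understand the file-capability rules, `+ei` without `p` grants nothing on its own: the capability only becomes effective if the process doing the exec already carries CAP_NET_BIND_SERVICE in its inheritable set, which the service's start path presumably supplies but the hunk does not show, so recording that mechanism would replace "guessing and trial and error" with something a maintainer can check. This also relies on NoNewPrivileges being off, which the hunk at `@@ -2517,7 +2560,10 @@` arranges.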
@@ -2517,7 +2560,10 @@ ProtectHome=yes
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
InaccessiblePaths=${dirs[@]}
-NoNewPrivileges=yes
+# this gives us the permission denied error:
+# socket bind() to port 25 for address (any IPv6) failed: Permission denied
+# but we also have to set the file capabilities to avoid the error.
+#NoNewPrivileges=yes
ProtectSystem=yes
# when we get newer systemd
@@ -2966,7 +3012,7 @@ EOF
echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
-
+ # note: condition duplicated at else
if $bhost_t; then
install -d /bu
install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
@@ -3014,7 +3060,7 @@ Restart=always
RestartSec=20
EOF
- else
+ else # if $bhost_t; then
cat >>/etc/exim4/update-exim4.conf.conf <>/etc/myexim4/conf.d/main/000_local-nn <<'EOF'
+ m rsync -ra --delete --delete-excluded --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4
+ cat >>/etc/myexim4/conf.d/main/000_local <<'EOF'
# this makes it easier to see which exim is doing what
log_file_path = /var/log/exim4/my%s
EOF
+
+ cat >/etc/logrotate.d/myexim <<'EOF'
/var/log/exim4/mymain /var/log/exim4/myreject {
daily
@@ -3167,6 +3215,12 @@ if $reload; then
m systemctl daemon-reload
fi
+# checking bhost_t is redundant, but could help us catch errors.
+if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]; then
+ # todo: in mail-setup, we have a static list of backup hosts, not *y
+ m systemctl --now enable wg-quick@wghole
+fi
+ sysd-prom-fail-install epanicclean
m systemctl --now enable epanicclean
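Review bot: Commenting out `NoNewPrivileges=yes` relaxes a unit-wide guarantee, not just the port-25 error: with it off, any exec inside the service can again gain privilege through setuid/setgid bits and file capabilities, which is precisely what the setuid Debian-exim binary and the `setcap` in the earlier hunk depend on. The replacement comment names the symptom; the cause and the coupling are what the next reader needs, e.g. `# NoNewPrivileges=yes makes the kernel ignore the setuid bit and the file capabilities on /usr/sbin/exim4, so the daemon cannot bind port 25; it must stay off as long as exim4 runs as a setuid/setcap binary`. The unit override this heredoc writes starts before the hunk, so the other hardening lines it contains are not all visible here.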
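Review bot: `--exclude=/conf.d/main/000_local-nn` together with `--delete-excluded` deletes /etc/myexim4/conf.d/main/000_local-nn on the receiving side instead of protecting it: `--delete-excluded` extends deletion to destination files that match an exclude rule, whereas plain `--delete` leaves them alone. The garbled context just before this line appears to write that file with a heredoc, so if it is meant to survive the sync the line should read `m rsync -ra --delete --exclude=/conf.d/main/000_local-nn /etc/exim4/ /etc/myexim4`; if scrubbing it from /etc/myexim4 is intended, a comment saying so would keep the next reader from "fixing" it. Either way `-a` also copies the DKIM private keys (`/etc/exim4/*-private.pem`, per the DKIM hunk) into the second tree, which deserves a note since two copies now have to be kept equally protected. The hunk header for this block and the enclosing `else` branch are not visible in this rendering.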
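Review bot: With `||`, a host where `$bhost_t` is true but /etc/wireguard/wghole.conf does not exist still runs `m systemctl --now enable wg-quick@wghole`, so the "catch errors" intent in the comment above it only surfaces as a unit start failure, and a non-backup host that happens to have the file gets the tunnel enabled regardless. If the file is the source of truth, `if [[ -e /etc/wireguard/wghole.conf ]]; then` is enough; if `$bhost_t` is meant as a cross-check, test the mismatch explicitly before enabling, e.g. `if $bhost_t && [[ ! -e /etc/wireguard/wghole.conf ]]; then echo "bhost_t set but no wghole.conf" >&2; exit 1; fi`. Either way the comment should say which of the two is authoritative.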