X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=blobdiff_plain;f=mail-setup;h=fdb4c219d4eb2b9154c500c93fe6d751fe962113;hp=db4daa7615c4508a3eaa3aae09b6b6244b380e33;hb=f7a2fe0e56e14b55818245a2e3a2eb68f1cd23de;hpb=f7cd81f49aa5d7a4581db63bed053e66e692972e

diff --git a/mail-setup b/mail-setup
index db4daa7..fdb4c21 100755
--- a/mail-setup
+++ b/mail-setup
@@ -1,4 +1,6 @@
-#!/bin/bash -l
+#!/bin/bash
+set -x
+
 # Copyright (C) 2016 Ian Kelling
 
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -13,6 +15,136 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
+usage() {
+    cat <<EOF
+Usage: ${0##*/} exim4|postfix
+Setup exim4 / postfix / dovecot
+
+The minimal assumption we have is that /etc/mailpass exists
+
+
+I\'ve had problems with postfix on debian:
+on stretch, a startup ordering issue caused all mail to fail.
+postfix changed defaults to only use ipv6 dns, causing all my mail to fail.
+I haven\'t gotten around to getting a non-debian exim
+setup.
+
+-h|--help  Print help and exit.
+EOF
+    exit $1
+}
+
+type=$1
+postfix() { [[ $type == postfix ]]; }
+exim() { [[ $type == exim4 ]]; }
+
+if ! exim && ! postfix; then
+    usage 1
+fi
+
+if [[ ! $SUDO_USER ]]; then
+    echo "$0: error: requires running as nonroot or sudo"
+fi
+u=$SUDO_USER
+
+
+####### begin perstent password instructions ######
+# # exim passwords:
+# # for hosts which have all private files I just use the same user
+# # for other hosts, each one get\'s their own password.
+# # for generating secure pass, and storing for server too:
+# # user=USUALLY_SAME_AS_HOSTNAME
+# user=li
+# f=$(mktemp)
+# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
+# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
+# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
+# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
+# # then run this script, or part of it which uses /etc/mailpass
+
+# # dovecot password, i just need 1 as I\'m the only user
+# mkdir /p/c/filesystem/etc/dovecot
+# echo "ian:$(doveadm pw -s ssha256)::::::" >/p/c/filesystem/etc/dovecot/users
+# conflink
+
+
+
+# # for ad-hoc testing of some random new host sending mail:
+# user=li # client host username & hostname
+# f=$(mktemp)
+# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
+# s sed -i "/^$user:/d" /etc/exim4/passwd
+# echo "$user:$(mkpasswd -m sha-512 -s <$f)" | s tee -a /etc/exim4/passwd
+# echo "mail.iankelling.org:$user:$(<$f)" | ssh root@$user dd of=/etc/exim4/passwd.client
+####### end perstent password instructions ######
+
+
+####### begin persistent dkim/dns instructions #########
+# # Remove 1 level of comments in this section, set the domain var
+# # for the domain you are setting up, then run this and copy dns settings
+# # into dns.
+# domain=iankelling.org
+# c /p/c/filesystem/etc/exim4
+# # this has several bugs addressed in comments, but it was helpful
+# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# openssl genrsa -out $domain-private.pem 2048 -outform PEM
+# openssl rsa -in $domain-private.pem -out $domain.pem -pubout -outform PEM
+# # selector is needed for having multiple keys for one domain.
+# # I dun do that, so just use a static one: li
+# echo "txt record name: li._domainkey.$domain"
+# # Debadmin page does not have v=, fastmail does, and this
+# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
+# # https://www.ietf.org/rfc/rfc6376.txt
+# # Join and print all but first and last line.
+# # last line: swap hold & pattern, remove newlines, print.
+# # lines 2+: append to hold space
+# echo "txt record contents:"
+# echo "v=DKIM1; k=rsa; p=$(sed -n '${x;s/\n//gp};2,$H' $domain.pem)"
+# chmod 644 $domain.pem
+# chmod 640 $domain-private.pem
+# # in conflink, we chown these to group debian
+# conflink
+# # selector was also put into /etc/exim4/conf.d/main/000_localmacros,
+# # via the mail-setup scripts
+
+# # 2017-02 dmarc policies:
+# # host -t txt _dmarc.gmail.com
+# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
+# # there were articles claiming gmail would be  changing
+# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
+# # expected to cause problems
+# # with a few old mailing lists, copying theirs for now.
+#
+# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
+
+# # 2017-02 spf policies:
+# # host -t txt lists.fedoraproject.org
+# # google ~all, hotmail -all, yahoo: ?all, fastmail ?all
+# # i include fastmail\'s settings, per their instructions,
+# # and follow their policy. In mail in a box, or similar instructions,
+# # I\'ve seen recommended to not use a restrictive policy.
+# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all"
+
+# # to check if dns has updated, you do
+# host -a mesmtp._domainkey.$domain
+
+# # mx records,
+# # setting it to iankelling.org would work the same, but this
+# # is more flexible, I could change where mail.iankelling.org pointed.
+# cat <<'EOF'
+# mx records, 2 records each, for * and empty domain
+# pri 10 mail.iankelling.org
+# pri 20 in1-smtp.messagingengine.com
+# pri 30 in2-smtp.messagingengine.com
+# EOF
+####### end  persistent dkim instructions #########
+
 
 # misc exim notes:
 # useful exim docs:
@@ -30,6 +162,8 @@
 # The full list of option settings for any particular driver instance,
 # including all the defaulted values, can be extracted by making use of
 # the -bP command line option.
+# exim -bP config_file to see what config file it used
+# exim -bP config to see
 
 # exim clear out message queue. as root:
 # adapted from somewhere on stackoverflow.
@@ -40,62 +174,70 @@
 # New one is smtp.fastmail.com
 
 # test delivery & rewrite settings:
-#exim4 -bt ian@localhost
-
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-type=$1
-postfix() { [[ $type == postfix ]]; }
-exim() { [[ $type == exim4 ]]; }
-if ! exim && ! postfix; then
-    echo "$1: error: expected exim4 or postfix as first arg"
-    exit 1
+#exim4 -bt iank@localhost
+
+
+postconfin() {
+    local MAPFILE
+    mapfile -t
+    local s
+    postconf -ev "${MAPFILE[@]}"
+}
+e() { printf "%s\n" "$*"; }
+
+postmaster=$u
+mxhost=mail.iankelling.org
+mxport=25
+forward=$u@$mxhost
+
+# old setup. left as comment for example
+# mxhost=mail.messagingengine.com
+# mxport=587
+# forward=ian@iankelling.org
+
+relayhost="[$mxhost]:$mxport" # postfix
+smarthost="$mxhost::$mxport" # exim
+
+# trisquel 8 = openvpn, debian stretch = openvpn-client
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+    vpn_ser=openvpn
 fi
 
-if private-host; then
-    host=mail.messagingengine.com
-    forward=$HOSTNAME@$PERSONAL_DOMAIN
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
+    # afaik, these will get ignored because they are routing to my own
+    # machine, but rm them is safer
+    rm -f $(eval echo ~$postmaster)/.forward /root/.forward
 else
-    # ses initially suggests port 25, but I had problems connecting to that.
-    host=email-smtp.us-west-2.amazonaws.com
-    forward=$HOSTNAME@$IMPERSONAL_DOMAIN
+    # this can\'t be a symlink and has permission restrictions
+    # it might work in /etc/aliases, but this seems more proper.
+    install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward
 fi
 
-relayhost="[$host]:587" # postfix
-smarthost="$host::587" # exim
-
-# background: This also works instead of ~/.forward
-# s sed -i --follow-symlinks '/^root/d' /etc/aliases ||:
-#echo "root: $HOSTNAME@$SOME_DOMAIN" | s tee -a /etc/aliases
-# this can't be a symlink and has permission restrictions
-# it might work in /etc/aliases, but this seems more proper.
-e $forward > ~/.forward
-e $forward | s tee /root/.forward
-
-
 # offlineimap uses this too, it is much easier to use one location than to
-# condition it's config and postfix's config
-case $distro in
-    fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;;
-    *) :
-esac
+# condition it\'s config and postfix\'s config
+if [[ -f /etc/fedora-release ]]; then
+    /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt
+fi
 
-read -r domain pass < <(s cat /etc/mailpass)
 if postfix; then
     # dunno why, but debian installed postfix with builddep emacs
     # but I will just explicitly install it here since
     # I use it for sending mail in emacs.
-    if isdeb; then
-        s debconf-set-selections <<EOF
+    if command -v apt-get &> /dev/null; then
+        debconf-set-selections <<EOF
 postfix postfix/main_mailer_type select Satellite system
 postfix postfix/mailname string $HOSTNAME
 postfix postfix/relayhost string $relayhost
+postfix postfix/root_address string $postmaster
 EOF
-
-        pi postfix
+        if dpkg -s postfix &>/dev/null; then
+            dpkg-reconfigure -u -fnoninteractive postfix
+        else
+            apt-get -y install --purge --auto-remove postfix
+        fi
     else
+        source /a/bin/distro-functions/src/package-manager-abstractions
         pi postfix
         # Settings from reading the output when installing on debian,
         # then seeing which were different in a default install on arch.
@@ -107,10 +249,10 @@ relayhost = $relayhost
 inet_interfaces = loopback-only
 EOF
 
-        s systemctl enable postfix
-        s systemctl start postfix
+        systemctl enable postfix
+        systemctl start postfix
     fi
-    # i'm assuming mail just won't work on systems without the sasl_passwd.
+    # i\'m assuming mail just won\'t work on systems without the sasl_passwd.
     postconfin <<'EOF'
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
@@ -121,20 +263,78 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 inet_protocols = ipv4
 EOF
     # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
-    # inet_protocols: without this, postfix tries an ipv6 lookup then gives
-    # up and fails. snippet from syslog: type=AAAA: Host not found, try again
+    # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
+    # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
 
 
-    # mailpass is just a name i made up, since postfix and
-    # exim both use a slightly crazy format to translate to
-    # each other, it's easier to use my own format.
     f=/etc/postfix/sasl_passwd
-    s touch $f
-    s chmod 600 $f
-    echo "[$domain]:587 ${pass/@/#}" | s dd of=/etc/postfix/sasl_passwd >/dev/null
-    s postmap hash:/etc/postfix/sasl_passwd
-    s service postfix reload
-else
+    install -m 600 /dev/null $f
+    cat /etc/mailpass| while read -r domain port pass; do
+        # format: domain port user:pass
+        # mailpass is just a name i made up, since postfix and
+        # exim both use a slightly crazy format to translate to
+        # each other, it\'s easier to use my own format.
+        printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f
+    done
+    postmap hash:/etc/postfix/sasl_passwd
+    # need restart instead of reload when changing
+    # inet_protocols
+    service postfix restart
+
+else # begin exim. has debian specific stuff for now
+
+    if ! dpkg -s openvpn &>/dev/null; then
+        apt-get -y install --purge --auto-remove openvpn
+    fi
+
+    if [[ -e /p/c/filesystem ]]; then
+        # to put the hostname in the known hosts
+        ssh -o StrictHostKeyChecking=no root@li.iankelling.org :
+        /a/exe/vpn-mk-client-cert -b mail -n mail li.iankelling.org
+    fi
+
+    cat >/etc/systemd/system/mailroute.service <<EOF
+[Unit]
+# this unit is configured to start and stop whenever $vpn_ser@mail.service
+# does
+Description=Routing for email vpn
+After=network.target
+BindsTo=$vpn_ser@mail.service
+After=$vpn_ser@mail.service
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/distro-setup/mail-route start
+ExecStop=/a/bin/distro-setup/mail-route stop
+RemainAfterExit=yes
+
+[Install]
+RequiredBy=$vpn_ser@mail.service
+EOF
+
+    cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
+[Unit]
+Description=Run offlineimap-sync once every 5 mins
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target
+EOF
+
+    cat >/etc/systemd/system/offlineimapsync.service <<EOF
+[Unit]
+Description=Offlineimap sync
+After=multi-user.target
+
+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
+EOF
+    systemctl daemon-reload
+    systemctl enable mailroute
 
     # wording of question from dpkg-reconfigure exim4-config
     # 1. internet site; mail is sent and received directly using SMTP
@@ -142,58 +342,612 @@ else
     # 3. mail sent by smarthost; no local mail
     # 4. local delivery only; not on a network
     # 5. no configuration at this time
+    #
+    # Note, I have used option 2 in the past for receiving mail
+    # from lan hosts, sending external mail via another smtp server.
+    #
+    # Note, other than configtype, we could set all the options in
+    # both types of configs without harm, they would either be
+    # ignored or be disabled by other settings, but the default
+    # local_interfaces definitely makes things more secure.
+
+    # most of these settings get translated into settings
+    # in /etc/exim4/update-exim4.conf.conf
+    # how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
+    # documented in man update-exim4.conf, which outputs to the config that
+    # exim actually reads. except the man page is not perfect, for example,
+    # it doesn't document that it sets
+    # DCconfig_${dc_eximconfig_configtype}" "1"
+    # which is a line from update-exim4.conf, which is a relatively short bash script.
+    # mailname setting sets /etc/mailname
+
+    debconf-set-selections <<EOF
+exim4-config exim4/use_split_config boolean true
+EOF
+
+    source /a/bin/bash_unpublished/source-semi-priv
+    exim_main_dir=/etc/exim4/conf.d/main
+    mkdir -p $exim_main_dir
+
+
+
+    #### begin mail cert setup ###
+    f=/usr/local/bin/mail-cert-cron
+    cat >$f <<'EOF'
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
+
+f=/a/bin/bash_unpublished/source-semi-priv
+if [[ -e $f ]]; then
+    source $f
+fi
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
+    local_mx=mail.iankelling.org
+    rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+    ${rsync_common}fullchain.pem /etc/exim4/exim.crt
+    ${rsync_common}privkey.pem /etc/exim4/exim.key
+fi
+EOF
+    chmod 755 $f
+
+    cat >/etc/systemd/system/mailcert.service <<'EOF'
+[Unit]
+Description=Mail cert rsync
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
+EOF
+
+    cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
+EOF
+    systemctl daemon-reload
+    systemctl start mailcert
+    systemctl restart mailcert.timer
+    systemctl enable mailcert.timer
+
+    ##### end mailcert setup #####
+
+
+
+    if [[ $HOSTNAME == $MAIL_HOST ]]; then
+
+        debconf-set-selections <<EOF
+# Mail Server configuration
+# -------------------------
+
+# Please select the mail server configuration type that best meets your needs.
+
+# Systems with dynamic IP addresses, including dialup systems, should generally be
+# configured to send outgoing mail to another machine, called a 'smarthost' for
+# delivery because many receiving systems on the Internet block incoming mail from
+# dynamic IP addresses as spam protection.
+
+# A system with a dynamic IP address can receive its own mail, or local delivery can be
+# disabled entirely (except mail for root and postmaster).
+
+#   1. internet site; mail is sent and received directly using SMTP
+#   2. mail sent by smarthost; received via SMTP or fetchmail
+#   3. mail sent by smarthost; no local mail
+#   4. local delivery only; not on a network
+#   5. no configuration at this time
+
+# General type of mail configuration: 1
+exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP
+
+
+
+# The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
+# name.
+
+# This name will also be used by other programs. It should be the single, fully
+# qualified domain name (FQDN).
+
+# Thus, if a mail address on the local host is foo@example.org, the correct value for
+# this option would be example.org.
+
+# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
 
-    # default mailname is $HOSTNAME.lan,
-    # mailname makes addresses like "root" be root@mailname
-    # and a qualified domain does not get forwarded per
-    # .forward. whatever, this fixes that.
-    s debconf-set-selections <<EOF
+# System mail name:
+exim4-config exim4/mailname string mail.iankelling.org
+
+
+
+
+# Please enter a semicolon-separated list of recipient domains for which this machine
+# should consider itself the final destination. These domains are commonly called
+# 'local domains'. The local hostname (treetowl.lan) and 'localhost' are always added
+# to the list given here.
+
+# By default all local domains will be treated identically. If both a.example and
+# b.example are local domains, acc@a.example and acc@b.example will be delivered to the
+# same final destination. If different domain names should be treated differently, it
+# is necessary to edit the config files afterwards.
+
+# Other destinations for which mail is accepted:
+# iank.bid is for testing
+# mail.iankelling.org is for machines i own
+exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz
+
+
+
+
+# Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
+# daemon will listen on all IP addresses listed here.
+
+# An empty value will cause Exim to listen for connections on all available network
+# interfaces.
+
+# If this system only receives mail directly from local services (and not from other
+# hosts), it is suggested to prohibit external connections to the local Exim daemon.
+# Such services include e-mail programs (MUAs) which talk to localhost only as well as
+# fetchmail. External connections are impossible when 127.0.0.1 is entered here, as
+# this will disable listening on public network interfaces.
+
+# IP-addresses to listen on for incoming SMTP connections:
+exim4-config exim4/dc_local_interfaces	string
+
+
+
+
+# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
+# to the user account of the actual system administrator.
+
+# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
+# recommended.
+
+# Note that postmaster\'s mail should be read on the system to which it is directed,
+# rather than being forwarded elsewhere, so (at least one of) the users listed here
+# should not redirect their mail off this machine. A 'real-' prefix can be used to
+# force local delivery.
+
+# Multiple user names need to be separated by spaces.
+
+# Root and postmaster mail recipient:
+exim4-config exim4/dc_postmaster string $postmaster
+
+
+
+# Exim is able to store locally delivered email in different formats. The most commonly
+# used ones are mbox and Maildir. mbox uses a single file for the complete mail folder
+# stored in /var/mail/. With Maildir format every single message is stored in a
+# separate file in ~/Maildir/.
+
+# Please note that most mail tools in Debian expect the local delivery method to be
+# mbox in their default.
+
+#   1. mbox format in /var/mail/  2. Maildir format in home directory
+
+# Delivery method for local mail: 2
+exim4-config exim4/dc_localdelivery select Maildir format in home directory
+EOF
+        # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
+        # smarthost config type, not sure. all other settings
+        # would be unused in that config type.
+        cat >$exim_main_dir/000_localmacros <<EOF
+# i don't have ipv6 setup for my tunnel yet.
+disable_ipv6 = true
+
+MAIN_TLS_ENABLE = true
+
+DKIM_CANON = relaxed
+DKIM_SELECTOR = li
+
+# from comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# The file is based on the outgoing domain-name in the from-header.
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
+# sign if key exists
+DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+
+
+# failing message on mail-tester.com:
+# We check if there is a server (A Record) behind your hostname treetowl.
+# You may want to publish a DNS record (A type) for the hostname treetowl or use a different hostname in your mail software
+# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
+# and this one seemed appropriate from grepping config.
+# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
+# mail to treetowl, so this should basically be a name that no host has as their
+# canonical hostname since the actual host sits behind a nat and changes.
+# Seems logical for this to be the same as mailname.
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters
+MAIN_TRUSTED_GROUPS = $u
+
+LOCAL_DELIVERY = dovecot_lmtp
+
+# options exim has to avoid having to alter the default config files
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+
+EOF
+
+
+        ####### begin dovecot setup ########
+        # based on a little google and package search, just the dovecot
+        # packages we need instead of dovecot-common.
+        #
+        # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+        # directly.  The reason to do this is to use dovecot\'s sieve, which
+        # has extensions that allow it to be almost equivalent to exim\'s
+        # filter capabilities, some ways probably better, some worse, and
+        # sieve has the benefit of being supported in postfix and
+        # proprietary/weird environments, so there is more examples on the
+        # internet. I was torn about whether to do this or not, meh.
+        apt-get -y install --purge --auto-remove \
+                dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+        # if we changed 90-sieve.conf and removed the active part of the
+        # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+        # default config if not needed. This won\'t work as a symlink in /a/c
+        # unfortunately.
+        sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
+
+        sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
+/^\s*mail_location\s*=/d
+EOF
+
+        cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+  mail_plugins = \$mail_plugins sieve
+# default was
+  #mail_plugins = \$mail_plugins
+
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+#  auth_username_format = %Ln
+#
+#  or else # Exim says something like
+#  "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+#  debug_print = "R: catchall for \$local_part@\$domain"
+#  driver = redirect
+#  domains = +local_domains
+#  data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+  auth_username_format = $u
+}
+
+EOF
+
+
+        cat >/etc/dovecot/local.conf <<'EOF'
+# so I can use a different login that my shell login for mail.  this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
+
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
+
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
+EOF
+        ####### end dovecot setup ########
+
+
+        systemctl enable offlineimapsync.timer
+        systemctl start offlineimapsync.timer
+        systemctl restart $vpn_ser@mail
+        systemctl enable $vpn_ser@mail
+        systemctl enable dovecot
+        systemctl restart dovecot
+
+    else # $HOSTNAME != $MAIL_HOST
+        systemctl disable offlineimapsync.timer &>/dev/null ||:
+        systemctl stop offlineimapsync.timer &>/dev/null ||:
+        systemctl disable $vpn_ser@mail
+        systemctl stop $vpn_ser@mail
+        systemctl disable dovecot ||:
+        systemctl stop dovecot ||:
+        #
+        #
+        # would only exist because I wrote it i the previous condition,
+        # it\'s not part of exim
+        rm -f $exim_main_dir/000_localmacros
+        debconf-set-selections <<EOF
 exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
 exim4-config exim4/dc_smarthost string $smarthost
-exim4-config exim4/use_split_config boolean true
-exim4-config exim4/mailname string $HOSTNAME
+# the default, i think is from /etc/mailname. better to set it to
+# whatever the current fqdn is.
+exim4-config exim4/mailname string $(hostname -f)
 EOF
-    # light version does not have sasl auth support.
-    pi exim4-daemon-heavy
 
-    f=/etc/exim4/passwd.client
-    s touch $f
-    s chmod 640 $f # before writing sensitive info
-    echo "$domain:${pass/:/::}" | s dd of=$f >/dev/null
-    # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
-    # i only need .forwards, so just doing that one.
-    cd /etc/exim4/conf.d/router
-    a=userforward
-    b=${a}_higher_priority
-    tmp=$(mktemp)
-    of=175_$b
-    # sed to make the router name unique
-    sed -r s/^\\S+:/$b:/ 600_exim4-config_$a >$tmp
-    if diff -q >/dev/null $tmp $of; then
-        s dd if=$tmp of=$of >/dev/null
-        ser restart exim4
+    fi # end $HOSTNAME != $MAIL_HOST
+
+    # if we already have it installed, need to reconfigure, without being prompted
+    if dpkg -s exim4-config &>/dev/null; then
+        # gotta remove this, otherwise the set-selections are completely
+        # ignored. It woulda been nice if this was documented somewhere!
+        rm -f /etc/exim4/update-exim4.conf.conf
+        dpkg-reconfigure -u -fnoninteractive exim4-config
     fi
-fi
 
-# linode image has a root alias. completely useless, remove it.
-sudo sed -i '/^root:/d' /etc/aliases
+    # i have the spool directory be common to distro multi-boot, so
+    # we need the uid to be the same. 608 cuz it's kind of in the middle
+    # of the free system uids.
+    IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS
+    IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS
+    if [[ ! $uid ]]; then
+        # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options
+	adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \
+	        --no-create-home --disabled-login --force-badname Debian-exim
+    elif [[ $uid != 608 ]]; then
+        systemctl stop exim4 ||:
+        usermod -u 608 Debian-exim
+        groupmod -g 608 Debian-exim
+        usermod -g 608 Debian-exim
+        find / /nocow -xdev -uid $uid -exec chown -h 608 {} +
+        find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} +
+    fi
+
+    # light version of exim does not have sasl auth support.
+    apt-get -y install --purge --auto-remove exim4-daemon-heavy spamassassin
+
+
 
-s newaliases
 
+    ##### begin spamassassin config
+    systemctl enable spamassassin
+    # per readme.debian
+    sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+    e CRON=1 >>/etc/default/spamassassin
+    # just noticed this in the config file, seems like a good idea.
+    sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+    e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+    systemctl start spamassassin
+    systemctl reload spamassassin
+
+    cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+[Unit]
+Description=spamd dns bug fix cronjob
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/distro-setup/spamd-dns-fix
+EOF
+    # 2017-09, debian closed the bug on this saying upstream had fixed it.
+    # remove this when i\'m using the newer package, ie, debian 10, or maybe
+    # ubuntu 18.04.
+    cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+[Unit]
+Description=run spamd bug fix script every 10 minutes
+
+[Timer]
+OnActiveSec=60
+# the script looks back 9 minutes into the journal,
+# it takes a second to run,
+# so lets run every 9 minutes and 10 seconds.
+OnUnitActiveSec=550
+
+[Install]
+WantedBy=timers.target
+EOF
+    systemctl daemon-reload
+    systemctl restart spamddnsfix.timer
+    systemctl enable spamddnsfix.timer
+    #
+    #####   end spamassassin config
+
+
+
+
+
+    cat >/etc/exim4/rcpt_local_acl <<'EOF'
+# Only hosts we control send to mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+  message = ian trusted domain recepient but no auth
+  !authenticated = *
+  domains = mail.iankelling.org
+EOF
+    cat >/etc/exim4/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+  warn
+    condition = ${if < {$message_size}{2000K}}
+    spam = Debian-exim:true
+    add_header = X-Spam_score: $spam_score\n\
+              X-Spam_score_int: $spam_score_int\n\
+              X-Spam_bar: $spam_bar\n\
+              X-Spam_report: $spam_report
 
+EOF
+    cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+
+    cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+  debug_print = "R: local_user for $local_part@$domain"
+  driver = accept
+  domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+#  check_local_user
+  local_parts = ! root
+  transport = LOCAL_DELIVERY
+  cannot_route_message = Unknown user
+EOF
+    cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+        driver = lmtp
+        socket = /var/run/dovecot/lmtp
+        #maximum number of deliveries per batch, default 1
+        batch_max = 200
+EOF
+
+    cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+  debug_print = "R: smarthost for $local_part@$domain"
+  driver = manualroute
+  domains = ! +local_domains
+  senders = *@fsf.org
+  transport = remote_smtp_smarthost
+  route_list = * mail.fsf.org byname
+  host_find_failed = ignore
+  same_domain_copy_routing = yes
+  no_more
+EOF
+
+    # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+    # i only need .forwards, so just doing that one.
+    cd /etc/exim4/conf.d/router
+    b=userforward_higher_priority
+    # replace the router name so it is unique
+    sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+    # begin setup passwd.client
+    f=/etc/exim4/passwd.client
+    rm -f /etc/exim4/passwd.client
+    install -m 640 -g Debian-exim /dev/null $f
+    cat /etc/mailpass| while read -r domain port pass; do
+        # reference: exim4_passwd_client(5)
+        printf "%s:%s\n" "$domain" "$pass" >>$f
+    done
+    # end setup passwd.client
+
+    systemctl restart exim4
+
+fi  #### end if exim4
+
+# /etc/alias setup is debian specific, and
+# exim config sets up an /etc/alias from root to the postmaster, which i
+# config to ian, as long as there exists an entry for root, or there was
+# no preexisting aliases file. based on the postinst file. postfix
+# won\'t set up a root to $postmaster alias if it\'s already installed.
+# Since postfix is not the greatest, just set it ourselves.
+if [[ $postmaster != root ]]; then
+    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: $postmaster
+/^root:/d
+EOF
+    newaliases
+fi
+
+# put spool dir in directory that spans multiple distros.
 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
+#
+# todo: I\'m suspicious of uids for Debian-exim being the same across
+# distros. It would be good to test this.
 dir=/nocow/$type
 sdir=/var/spool/$type
-if [[ $(readlink -f $sdir) != $dir ]]; then
-    ser stop $type
+# we only do this if our system has $dir
+if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then
+    systemctl stop $type
     if [[ ! -e $dir && -d $sdir ]]; then
-        s mv $sdir $dir
+        mv $sdir $dir
     fi
-    s lnf -T $dir $sdir
+    /a/exe/lnf -T $dir $sdir
 fi
 
-sgo $type
-
+systemctl restart $type
+systemctl enable $type
+
+# MAIL_HOST also does radicale, and easier to start and stop it here
+# for when MAIL_HOST changes, so radicale gets the synced files and
+# does not stop us from remounting /o.
+if dpkg -s radicale &>/dev/null; then
+    if [[ $HOSTNAME == $MAIL_HOST ]]; then
+        systemctl restart radicale
+        systemctl enable radicale
+        if [[ -e /etc/logrotate.d/radicale.disabled ]]; then
+            mv /etc/logrotate.d/radicale{.disabled,}
+        fi
+    else
+        systemctl stop radicale
+        systemctl disable radicale
+        # weekly logrotate tries to restart radicale even if it's a disabled service in flidas.
+        if [[ -e /etc/logrotate.d/radicale ]]; then
+            mv /etc/logrotate.d/radicale{,.disabled}
+        fi
+    fi
+fi
+exit 0
 
 # if I wanted the from address to be renamed and sent to a different address,
 # echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical