if [[ -e /var/local/mail-setup-reload ]]; then
reload=true
fi
-i() { # install file
+u() { # update file. note: duplicated in brc
local tmp tmpdir dest="$1"
local base="${dest##*/}"
local dir="${dest%/*}"
# dest has a directory component
mkdir -p "$dir"
fi
- ir=false # i result
+ ur=false # u result
tmpdir=$(mktemp -d)
cat >$tmpdir/"$base"
tmp=$(rsync -ic $tmpdir/"$base" "$dest")
if [[ $tmp ]]; then
printf "%s\n" "$tmp"
- ir=true
+ ur=true
if [[ $dest == /etc/systemd/system/* ]]; then
touch /var/local/mail-setup-reload
reload=true
# * Mail clean cronjob
-i /etc/systemd/system/mailclean.timer <<'EOF'
+u /etc/systemd/system/mailclean.timer <<'EOF'
[Unit]
Description=Run mailclean daily
WantedBy=timers.target
EOF
-i /etc/systemd/system/mailclean.service <<EOF
+u /etc/systemd/system/mailclean.service <<EOF
[Unit]
Description=Delete and archive old mail files
After=multi-user.target
# * postgrey
-i /etc/default/postgrey <<'EOF'
+u /etc/default/postgrey <<'EOF'
POSTGREY_OPTS="--exim --unix=/var/run/postgrey/postgrey.sock --retry-window=4 --max-age=60"
EOF
m usermod -a -G Debian-exim clamav
-i /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
+u /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
[Service]
ExecStartPre=-/bin/mkdir -p /var/run/clamav
ExecStartPre=/bin/chown clamav /var/run/clamav
case $HOSTNAME in
li) : ;;
*)
- i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+ u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
[Unit]
Requires=mailnn.service
JoinsNamespaceOf=mailnn.service
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-i /etc/systemd/system/mailvpn.service <<EOF
+u /etc/systemd/system/mailvpn.service <<EOF
[Unit]
Description=OpenVPN tunnel for mail
After=syslog.target network-online.target mailnn.service
WantedBy=multi-user.target
EOF
-i /etc/systemd/system/mailnnroute.service <<'EOF'
+u /etc/systemd/system/mailnnroute.service <<'EOF'
[Unit]
Description=Network routing for mailnn
After=syslog.target network-online.target mailnn.service
EOF
#
-i /etc/systemd/system/mailnn.service <<'EOF'
+u /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
Description=Network Namespace for mail vpn service that will live forever and cant fail
After=syslog.target network-online.target
WantedBy=multi-user.target
EOF
-i /etc/systemd/system/mailbindwatchdog.service <<EOF
+u /etc/systemd/system/mailbindwatchdog.service <<EOF
[Unit]
Description=Watchdog to restart services relying on systemd-resolved dir
After=syslog.target network-online.target
# If we ever notice this change, chattr +i on it
# trust-ad is used in t10+, glibc 2.31
-i /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
+u /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.1
options edns0 trust-ad
EOF
-i /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
+u /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.53
options edns0 trust-ad
EOF
-i /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
+u /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
nameserver 10.173.8.1
options edns0 trust-ad
EOF
case $HOSTNAME in
$MAIL_HOST)
# todo, should this be after vpn service
- i /etc/systemd/system/unbound.service.d/nn.conf <<EOF
+ u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
[Unit]
After=mailnn.service
JoinsNamespaceOf=mailnn.service
;;&
$MAIL_HOST|bk)
for unit in ${nn_progs[@]}; do
- i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
+ u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]
# Wants appears better than requires because with requires,
# * wghole (another mail vpn)
if $bhost_t; then
- i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
+ u /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
[Unit]
StartLimitIntervalSec=0
fi
# * spamassassin config
-i /etc/sysctl.d/80-iank-mail.conf <<'EOF'
+u /etc/sysctl.d/80-iank-mail.conf <<'EOF'
# see exim spec
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 120
EOF
-if $ir; then
+if $ur; then
m sysctl -p
fi
-i /etc/spamassassin/mylocal.cf <<'EOF'
+u /etc/spamassassin/mylocal.cf <<'EOF'
# this is mylocal.cf because the normal local.cf has a bunch of upstream stuff i dont want to mess with
# /usr/share/doc/exim4-base/README.Debian.gz:
# 2020-10-19 remove old file. remove this when all hosts updated
rm -fv /etc/systemd/system/spamddnsfix.{timer,service}
-i /etc/default/spamassassin <<'EOF'
+u /etc/default/spamassassin <<'EOF'
# defaults plus debugging flags for an issue im having
OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin
-i /etc/systemd/system/mailcert.service <<'EOF'
+u /etc/systemd/system/mailcert.service <<'EOF'
[Unit]
Description=Mail cert rsync
After=multi-user.target
Type=oneshot
ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
EOF
-i /etc/systemd/system/mailcert.timer <<'EOF'
+u /etc/systemd/system/mailcert.timer <<'EOF'
[Unit]
Description=Run mail-cert once a day
sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \
/etc/fail2ban/action.d/iptables-multiport.conf| i /etc/fail2ban/action.d/iptables-exim.conf
-i /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF'
+u /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF'
# iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim
# Fail2Ban configuration file
iptables = /usr/local/bin/ip6tables-exim <lockingopt>
EOF
-i /etc/fail2ban/jail.d/exim.local <<'EOF'
+u /etc/fail2ban/jail.d/exim.local <<'EOF'
[exim]
enabled = true
port = 25,587
# 10.173.8.1 = non-nn net
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
-if $ir; then
+if $ur; then
m systemctl restart fail2ban
fi
rm -fv /etc/exim4/rcpt_local_acl # old path
-i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
+u /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
# This acl already exists in rcpt, this just makes it more widespread.
# See the comment there for its rationale. The reason it needs to be
# more widespread is that I've turned on sender verification, but cron
rm -fv /etc/exim4/data_local_acl # old path
-i /etc/exim4/conf.d/data_local_acl <<'EOF'
+u /etc/exim4/conf.d/data_local_acl <<'EOF'
# Except for the "condition =", this was
# a comment in the check_data acl. The comment about this not
# being suitable has been changed in newer exim versions. The only thing
# but that is a problem if we change mail host and still have something
# in the queue which was destined for this router, but hosts were
# unreachable, the routers will be reevaluated on the next retry.
-i /etc/exim4/conf.d/router/170_backup_copy <<EOF
+u /etc/exim4/conf.d/router/170_backup_copy <<EOF
### router/900_exim4-config_local_user
#################################
# TODO: copy the defaults into their own file, and setup a cronjob so
# that if file.dpkg-dist shows up, and it is different, we get an alert.
-i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
### transport/30_exim4-config_remote_smtp_smarthost
#################################
.endif
EOF
-i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
### transport/30_exim4-config_remote_smtp
#################################
# This transport is used for delivering messages over SMTP connections.
EOF
-i /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
+u /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
backup_remote:
driver = smtp
multi_domain
.endif
EOF
-i /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+u /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################
local_part_suffix = +*
local_part_suffix_optional
EOF
-i /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
driver = lmtp
socket = /var/run/dovecot/lmtp
envelope_to_add
EOF
-i /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF'
+u /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF'
# same as debians 30_exim4-config_remote_smtp, but
# with interface added at the end.
interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4
EOF
-i /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF'
+u /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF'
# ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp
smarthost_dkim:
pi-nostart radicale
- i /etc/systemd/system/radicale.service.d/override.conf <<EOF
+ u /etc/systemd/system/radicale.service.d/override.conf <<EOF
[Unit]
After=network.target network-online.target mailnn.service $vpnser
done
# https://wiki.dovecot.org/SSL/DovecotConfiguration
- i /etc/dovecot/dhparam <<'EOF'
+ u /etc/dovecot/dhparam <<'EOF'
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
auth_mechanisms = plain login
EOF
- i /etc/dovecot/sieve-spam.sieve <<'EOF'
+ u /etc/dovecot/sieve-spam.sieve <<'EOF'
require ["regex", "fileinto", "imap4flags"];
if allof (header :regex "X-Spam-Status" "^Yes") {
}
EOF
- i /etc/dovecot/local.conf.ext <<'EOF'
+ u /etc/dovecot/local.conf.ext <<'EOF'
passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf.ext
EOF
- i /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
+ u /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
# from mailinabox
driver = sqlite
# for je and bk, populated the testignore users for the relevant domains
dir=/var/www/autoconfig.$domain/html/mail
m mkdir -p $dir
# taken from mailinabox
- i $dir/config-v1.1.xml <<EOF
+ u $dir/config-v1.1.xml <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
<emailProvider id="$domain">
mkdir -p $myncdir
# copied from debians cronjob
- i /etc/cron.d/$rcbase <<EOF
+ u /etc/cron.d/$rcbase <<EOF
# Roundcube database cleaning: finally removes all records that are
# marked as deleted.
0 5 * * * www-data $rcdir/bin/cleandb.sh >/dev/null
rctmpdir=/var/tmp/$rcbase
rcdb=/m/rc/$rcbase.sqlite
# config from mailinabox
- i $rcdir/config/config.inc.php <<EOF
+ u $rcdir/config/config.inc.php <<EOF
<?php
\$config = array();
# debian creates this for us
# About categories, see https://www.davx5.com/tested-with/nextcloud
# https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md
- i $rcdir/plugins/carddav/config.inc.php <<EOF;
+ u $rcdir/plugins/carddav/config.inc.php <<EOF;
<?php
\$prefs['_GLOBAL']['hide_preferences'] = false;
\$prefs['davserver'] = array(
# $rclogdir/errors.log
# todo: consider other settings in
# /a/opt/mailinabox/setup/nextcloud.sh
- i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
+ u /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
apc.enable_cli = 1
EOF
- i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
+ u /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
date.timezone = "America/New_York"
# for nextcloud
upload_max_filesize = 2000M
m sudo -u www-data php occ app:install $app
fi
done
- i /etc/systemd/system/$ncbase.service <<EOF
+ u /etc/systemd/system/$ncbase.service <<EOF
[Unit]
Description=ncup $ncbase
After=multi-user.target
IOSchedulingClass=idle
CPUSchedulingPolicy=idle
EOF
- i /etc/systemd/system/$ncbase.timer <<EOF
+ u /etc/systemd/system/$ncbase.timer <<EOF
[Unit]
Description=ncup $ncbase timer
WantedBy=timers.target
EOF
systemctl enable --now $ncbase.timer
- i /usr/local/bin/ncup <<'EOFOUTER'
+ u /usr/local/bin/ncup <<'EOFOUTER'
#!/bin/bash
source /usr/local/lib/err
mkdir -p /var/www/cron-errors
chown www-data.www-data /var/www/cron-errors
- i /etc/cron.d/$ncbase <<EOF
+ u /etc/cron.d/$ncbase <<EOF
PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
SHELL=/bin/bash
# https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
domains = +local_domains
!verify = recipient/callout=no_cache
EOF
- i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+ u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
dovecot_plain:
driver = dovecot
public_name = PLAIN
;;
esac
if $bhost_t; then
- i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+ u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples
plain_server:
driver = plaintext
# to see the default comments in /etc/default/exim4:
# s update-exim4defaults --force --init
# which will overwrite any existing file
- i /etc/default/exim4 <<'EOF'
+ u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
QUEUEINTERVAL='30m'
COMMONOPTIONS='-C /etc/exim4/my.conf'
# note: the daemon gives up and dies after retrying those 9 times.
# I came upon this by guessing and trial and error.
setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
- i /etc/exim4/trusted_configs <<'EOF'
+ u /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
;;
*)
# default file
- i /etc/default/exim4 <<'EOF'
+ u /etc/default/exim4 <<'EOF'
QUEUERUNNER='combined'
QUEUEINTERVAL='30m'
EOF
dirs+=($d)
fi
done
- i /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
+ u /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
# when we get newer systemd
#ProtectDevices=yes
EOF
- i /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
+ u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
# see 56.2 Root privilege in exim spec
deliver_drop_privilege = true
EOF
# no clamav on je, it has 1.5g memory and clamav uses most of it
- i /etc/exim4/conf.d/clamav_data_acl <<'EOF'
+ u /etc/exim4/conf.d/clamav_data_acl <<'EOF'
warn
!hosts = +iank_trusted
!authenticated = plain_server:login_server
MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem
EOF
- i /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+ u /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
gnusmarthost:
debug_print = "R: smarthost for $local_part@$domain"
driver = manualroute
# ** $MAIL_HOST)
$MAIL_HOST)
- i /etc/exim4/conf.d/router/195_dnslookup_vpn <<'EOF'
+ u /etc/exim4/conf.d/router/195_dnslookup_vpn <<'EOF'
# copied from /etc/exim4/conf.d/router/200_exim4-config_primary, but
# use vpn transport. lower priority so it overrides the default route.
# Use this in case our vpn fails, we dont send anything without it.
# which required using a dedicated user, but realized smtp will be
# more reliable and less fuss. If I ever need that again, see the
# history of this file, and bum in brc2.
- i /etc/exim4/conf.d/router/161_backup_redir_nn <<'EOF'
+ u /etc/exim4/conf.d/router/161_backup_redir_nn <<'EOF'
backup_redir_nn:
driver = redirect
# b is just an arbirary short string
# This allows for forwarded mail to not get most rcpt checks, especially SPF,
# which would incorrectly get denied.
- i /etc/exim4/host_local_deny_exceptions <<'EOF'
+ u /etc/exim4/host_local_deny_exceptions <<'EOF'
mail.fsf.org
*.posteo.de
EOF
# case that doesn't work, we still want to accept that mail, but not
# from any host except the smarthosts. local_hostnames and this rule
# is for that purpose.
- i /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+ u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
deny
!authenticated = *
domains = +local_hostnames
EOF
- i /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
+ u /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
# ian: save a copy of sent mail. i thought of other ways to
# do this, for example, to only save sent mail that is not sent
# from my mail client which saves a copy by default, but in the
# and also have mail.iankelling.org whitelisted as a relay domain.
# I could avoid that if I changed this to submit to 587 with a
# password like a standard mua.
- i /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
+ u /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
# replaced DCsmarthost with hostname
fsfsmarthost:
s,(^[ #]*NAME=).*,\1"exim4in",
EOF
chmod +x /etc/init.d/exim4in
- i /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF'
+ u /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF'
[Unit]
# needed to continually restart
StartLimitIntervalSec=0
RestartSec=20
EOF
- i /etc/default/exim4in <<'EOF'
+ u /etc/default/exim4in <<'EOF'
# defaults but no queue runner and alternate config dir
QUEUERUNNER='no'
COMMONOPTIONS='-oP /run/exim4/eximin.pid'
fi
# catches things like cronjob email
- i /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
+ u /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
universal_forward:
driver = redirect
domains = +local_domains
if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
chown -R Debian-exim:Debian-exim /bu/md
fi
- i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
+ u /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
driver = appendfile
mode_fail_narrower = false
EOF
- i /etc/exim4/conf.d/router/165_backup_local <<'EOF'
+ u /etc/exim4/conf.d/router/165_backup_local <<'EOF'
### router/900_exim4-config_local_user
#################################
EOF
# wghole & thus exim will fail to start without internet connectivity.
- i /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
+ u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
[Unit]
StartLimitIntervalSec=0
$MAIL_HOST)
- i /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
+ u /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
sentarchive:
driver = redirect
domains = ! +local_domains
EOF
- i /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
+ u /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
backup_redir:
driver = redirect
# i dont email myself from my own machine much, so lets ignore that.
if ! grep -Fx "/nocow/exim4 /var/spool/exim4 none bind 0 0" /etc/fstab; then
echo "/nocow/exim4 /var/spool/exim4 none bind 0 0" >>/etc/fstab
fi
- i /etc/systemd/system/exim4.service.d/override.conf <<'EOF'
+ u /etc/systemd/system/exim4.service.d/override.conf <<'EOF'
[Unit]
# without local-fs on exim, we get these kind of errors in paniclog on shutdown:
# Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
# note: cronjob "ian" also does some important monitoring
# todo: this will sometimes cause an alert because mailtest-check will run
# before we have setup network namespace and spamassassin
- i /etc/cron.d/mailtest <<EOF
+ u /etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin
MAILTO=daylert@iankelling.org
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
- i /etc/systemd/system/mailtest-check.service <<'EOF'
+ u /etc/systemd/system/mailtest-check.service <<'EOF'
[Unit]
Description=mailtest-check
After=local-fs.target
# Dont put these test messages into the sent folder or else it will
# overwhelm it, plus i dont want to save a copy at all.
# Plus addresses we generally want to ignore.
- i /etc/exim4/ignore-sent <<EOF
+ u /etc/exim4/ignore-sent <<EOF
$(printf "%s\n" ${test_tos[@]})
vojdedIdNejyebni@b8.nz
b@eximbackup.b8.nz
iankelling.org / git / distro-setup / commitdiff