From 17b4b5f6afb18accc328282d8ce7dcc5513e621d Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 24 Feb 2022 09:24:58 -0500 Subject: [PATCH] make mail system more robus --- mail-setup | 82 +++++++++++++++++++++++++++++++++++--------------- mailtest-check | 2 +- 2 files changed, 59 insertions(+), 25 deletions(-) diff --git a/mail-setup b/mail-setup index 28e02ce..4693316 100755 --- a/mail-setup +++ b/mail-setup @@ -136,7 +136,7 @@ fi [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" - +# note, this is hardcoded in /etc/exim4/conf.d/main/000_local u=$(id -nu 1000) @@ -279,7 +279,10 @@ fi i() { # install file local tmp tmpdir dest="$1" local base="${dest##*/}" - mkdir -p ${dest%/*} + local dir="${dest%/*}" + if [[ $dir != "$base" ]]; then + mkdir -p ${dest%/*} + fi ir=false # i result tmpdir=$(mktemp -d) cat >$tmpdir/"$base" @@ -1003,9 +1006,14 @@ if (( ${#files[@]} )); then ${files[@]} /etc/exim4 fi -# by default, only 10 days of logs are kept. increase that. -m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base - +# By default, only 10 days of logs are kept. increase that. +# And dont compress, I look back at logs too often and +# dont need the annoyance of decompressing them all the time. +m sed -ri '/^\s*compress\s*$/d;s/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base +files=(/var/log/exim4/*.gz) +if (( ${#files[@]} )); then + gunzip ${files[@]} +fi ## disabled. not using .forward files, but this is still interesting ## for reference. @@ -1015,6 +1023,7 @@ m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base # b=userforward_higher_priority # # replace the router name so it is unique # sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b +rm -fv /etc/exim4/conf.d/router/175_userforward_higher_priority # todo, consider 'separate' in etc/exim4.conf, could it help on busy systems? 
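Review bot: The new guard in `i()` detects a destination without a slash by comparing `$dir` with `$base`, which also skips `mkdir` when the parent directory and the file name happen to be the same string (a constructed example: `conf/conf`). Testing the destination itself, `if [[ $dest == */* ]]; then`, avoids that case. The `mkdir` line still expands `${dest%/*}` unquoted although `dir` has just been computed, so a path containing whitespace or glob characters is word-split while the script runs as root after the `sudo -E` re-exec; `mkdir -p -- "$dir"` uses the variable and keeps the path as one word. The rest of `i()` lies outside the hunk.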
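Review bot: The added `files=(/var/log/exim4/*.gz)` length test only works if `nullglob` is in effect, and no `shopt` is visible in this hunk. Without it an unmatched pattern stays in the array as a literal, the test passes, and `gunzip` is run on a path that does not exist. If the script does not already set it, `shopt -s nullglob` before the assignment fixes that. The expansion is also unquoted; `gunzip -- "${files[@]}"` keeps each log path as a single argument. Run non-interactively, `gunzip` will not replace an existing uncompressed file of the same name, so a comment on how a failure here should be treated on a re-run would help.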
@@ -1043,7 +1052,16 @@ EOF rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename -cat >/etc/exim4/conf.d/main/000_local </etc/exim4/conf.d/main/000_local2 </etc/exim4/conf.d/main/000_local <<'EOF' MAIN_TLS_ENABLE = true # require tls connections for all smarthosts @@ -1065,11 +1083,6 @@ MAIN_LOG_SELECTOR = +all # Based on spec, seems like a good idea to be nice. smtp_return_error_details = true -# normally empty, I set this so I can set the envelope address -# when doing mail redelivery to invoke filters. Also allows -# me exiqgrep and stuff. -MAIN_TRUSTED_GROUPS = $u - # default is 10. when exim has been down for a bit, fsf mailserver # will do a big send in one connection, then exim decides to put # the messages in the queue instead of delivering them, to avoid @@ -1088,10 +1101,10 @@ DKIM_SELECTOR = li # There could be some circumstance when the # from: isnt our domain, but the envelope sender is # and so still want to sign, but I cant think of any case. -DKIM_DOMAIN = \${lc:\${domain:\$rh_from:}} +DKIM_DOMAIN = ${lc:${domain:$rh_from:}} # The file is based on the outgoing domain-name in the from-header. # sign if key exists -DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}} +DKIM_PRIVATE_KEY = ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}} # most of the ones that gmail seems to use. # Exim has horrible default of signing unincluded 
@@ -1115,6 +1128,19 @@ hostlist iank_trusted = <; \\ 85.119.82.128 ; 2001:ba8:1f1:f09d::2 ; \\ # fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28 + + +# this is the default delay_warning_condition, plus matching on local_domains. +# If I have some problem with my local system that causes delayed delivery, +# I dont want to send warnings out to non-local domains. +delay_warning_condition = ${if or {\ + { !eq{$h_list-id:$h_list-post:$h_list-subscribe:}{} }\ + { match{$h_precedence:}{(?i)bulk|list|junk} }\ + { match{$h_auto-submitted:}{(?i)auto-generated|auto-replied} }\ + { match_domain{$domain}{+local_domains} }\ + } {no}{yes}} + + EOF rm -fv /etc/exim4/rcpt_local_acl # old path @@ -1174,14 +1200,14 @@ warn EOF -i /etc/exim4/conf.d/router/900_exim4-config_local_user <
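Review bot: The unchanged `hostlist iank_trusted` lines directly above the new setting still end in `\\`, while the added `delay_warning_condition` lines in the same heredoc end in a single `\` and use unescaped `$`, so the two cannot both be right. The added lines only make sense under the `<<'EOF'` opener this patch introduces earlier, and under that opener the shell no longer collapses `\\` to `\`. If the hostlist does sit in that quoted heredoc, Exim receives an extra literal backslash before each continuation and the trusted-host list may no longer match the intended addresses. In that case the continuations should be a single backslash, e.g. `hostlist iank_trusted = <; \`, and the generated `000_local` is worth inspecting for any other leftover `\\` or `\$`. The heredoc opens outside this hunk.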