#!/bin/bash # _____ _ _ # | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___ # | __| _| -_| -_| . | . | | . | . | | -_| # |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___| # # Freedom in the Cloud # # Email functions # # License # ======= # # Copyright (C) 2014-2018 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . # the default email address MY_EMAIL_ADDRESS=$MY_USERNAME@$DEFAULT_DOMAIN_NAME # When sending mail to riseup.net route to this onion address RISEUP_EMAIL_ONION='wy6zk3pmcwiyhiao.onion' # If you want to run a public mailing list specify its name here. # There should be no spaces in the name PUBLIC_MAILING_LIST= # Optional different domain name for the public mailing list PUBLIC_MAILING_LIST_DOMAIN_NAME= # Directory where the public mailing list data is stored PUBLIC_MAILING_LIST_DIRECTORY="/var/spool/mlmmj" # If you want to run an encrypted mailing list specify its name here. # There should be no spaces in the name PRIVATE_MAILING_LIST= GPG_KEYSERVER="hkp://keys.gnupg.net" # whether to encrypt all incoming email with your public key GPG_ENCRYPT_STORED_EMAIL="yes" # optionally you can provide your exported GPG key pair here # Note that the private key file will be deleted after use # If these are unspecified then a new GPG key will be created MY_GPG_PUBLIC_KEY= MY_GPG_PRIVATE_KEY= # optionally specify your public key ID MY_GPG_PUBLIC_KEY_ID= # automatic archiving of email CLEANUP_MAILDIR_REPO="https://github.com/bashrc/cleanup-maildir" CLEANUP_MAILDIR_COMMIT='33241d2e3861f901ba17f5c77ada007e1ec06a86' # email encryption at rest GPGIT_REPO="https://gitlab.com/mikecardwell/gpgit" GPGIT_COMMIT='583dc76119f19420f8a33f606744faa7c8922738' # refresh gpg keys every few hours REFRESH_GPG_KEYS_HOURS=2 exim_version='4.89' function rebuild_exim_with_socks { exim_socks_installed=$(get_completion_param "exim_socks") if [[ "$exim_socks_installed" == 'true' ]]; then return fi # shellcheck disable=SC2154 if [ ! -d "$INSTALL_DIR/exim4" ]; then mkdir -p "$INSTALL_DIR/exim4" fi cd "$INSTALL_DIR/exim4" || exit 3468356 rm -rf "$INSTALL_DIR/exim4/"* apt-get -qy install build-essential fakeroot devscripts apt-get source exim4-daemon-heavy apt-get -qy build-dep exim4-daemon-heavy cd "${INSTALL_DIR}/exim4/exim4-${exim_version}" || exit 356835685 { echo 'Description: Socks proxying'; echo ' Support for socks proxying of outgoing mail'; echo ' This is to support onion email addresses, which require support for SOCKS5'; echo ' .'; echo " exim4 (${exim_version}-2+deb9u3) stretch-security; urgency=high"; echo ' .'; echo ' * Non-maintainer upload by the Security Team.'; echo ' * Fix base64d() buffer size (CVE-2018-6789) (Closes: #890000)'; echo 'Author: Salvatore Bonaccorso '; echo 'Bug-Debian: https://bugs.debian.org/890000'; echo ''; echo '---'; echo 'The information above should follow the Patch Tagging Guidelines, please'; echo 'checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here'; echo 'are templates for supplementary fields that you might want to add:'; echo ''; echo 'Origin: , '; echo 'Bug: '; echo 'Bug-Debian: https://bugs.debian.org/'; echo 'Bug-Ubuntu: https://launchpad.net/bugs/'; echo 'Forwarded: '; echo 'Reviewed-By: '; echo "Last-Update: $(date +%Y-%m-%d)"; echo ''; echo '--- /dev/null'; echo "+++ exim4-${exim_version}/Local/Makefile"; echo '@@ -0,0 +1,32 @@'; echo '+BIN_DIRECTORY=/usr/exim/bin'; echo '+CONFIGURE_FILE=/usr/exim/configure'; echo '+EXIM_USER='; echo '+SPOOL_DIRECTORY=/var/spool/exim'; echo '+ROUTER_ACCEPT=yes'; echo '+ROUTER_DNSLOOKUP=yes'; echo '+ROUTER_IPLITERAL=yes'; echo '+ROUTER_MANUALROUTE=yes'; echo '+ROUTER_QUERYPROGRAM=yes'; echo '+ROUTER_REDIRECT=yes'; echo '+TRANSPORT_APPENDFILE=yes'; echo '+TRANSPORT_AUTOREPLY=yes'; echo '+TRANSPORT_PIPE=yes'; echo '+TRANSPORT_SMTP=yes'; echo '+LOOKUP_DBM=yes'; echo '+LOOKUP_LSEARCH=yes'; echo '+LOOKUP_DNSDB=yes'; echo '+PCRE_CONFIG=yes'; echo '+EXIM_MONITOR=eximon.bin'; echo '+FIXED_NEVER_USERS=root'; echo '+HEADERS_CHARSET="ISO-8859-1"'; echo '+DLOPEN_LOCAL_SCAN=yes'; echo '+LDFLAGS += -rdynamic'; echo '+CFLAGS += -fvisibility=hidden'; echo '+SYSLOG_LOG_PID=yes'; echo '+EXICYCLOG_MAX=10'; echo '+COMPRESS_COMMAND=/usr/bin/gzip'; echo '+COMPRESS_SUFFIX=gz'; echo '+ZCAT_COMMAND=/usr/bin/zcat'; echo '+SUPPORT_SOCKS=yes'; echo '+SYSTEM_ALIASES_FILE=/etc/aliases'; echo '+EXIM_TMPDIR="/tmp"'; } > debian/patches/SOCKS debuild -us -uc cd "$INSTALL_DIR/exim4" || exit 3468356 mv exim4_${exim_version}-*.deb exim4_${exim_version}_all.deb if [ ! -f exim4_${exim_version}_all.deb ]; then ls -l "$INSTALL_DIR/exim4/exim4_"*.deb echo "exim4_${exim_version}_all.deb not found" exit 63857368 fi apt-mark -q unhold exim4 dpkg -i exim4_${exim_version}_all.deb apt-mark -q hold exim4 apt-get -yq remove --purge at systemctl restart exim4 if [[ $(systemctl is-active exim4) != 'active' ]]; then apt-mark -q unhold exim4 apt-get -yq install exim4 --reinstall systemctl restart exim4 fi rm -rf "$INSTALL_DIR/exim4" set_completion_param "exim_socks" "true" } function email_create_template { if [ ! -d /etc/skel/log ]; then mkdir -m 700 /etc/skel/log fi if [ ! -d /etc/skel/Maildir ]; then mkdir -m 700 /etc/skel/.mutt mkdir -m 700 /etc/skel/Maildir mkdir -m 700 /etc/skel/Maildir/new mkdir -m 700 /etc/skel/Maildir/cur mkdir -m 700 /etc/skel/Maildir/Sent mkdir -m 700 /etc/skel/Maildir/Sent/tmp mkdir -m 700 /etc/skel/Maildir/Sent/cur mkdir -m 700 /etc/skel/Maildir/Sent/new mkdir -m 700 /etc/skel/Maildir/.learn-spam mkdir -m 700 /etc/skel/Maildir/.learn-spam/cur mkdir -m 700 /etc/skel/Maildir/.learn-spam/new mkdir -m 700 /etc/skel/Maildir/.learn-spam/tmp mkdir -m 700 /etc/skel/Maildir/.learn-ham mkdir -m 700 /etc/skel/Maildir/.learn-ham/cur mkdir -m 700 /etc/skel/Maildir/.learn-ham/new mkdir -m 700 /etc/skel/Maildir/.learn-ham/tmp ln -s /etc/skel/Maildir/.learn-spam /etc/skel/Maildir/spam ln -s /etc/skel/Maildir/.learn-ham /etc/skel/Maildir/ham fi if [ ! -d "/home/$MY_USERNAME/Maildir" ]; then mkdir -m 700 "/home/$MY_USERNAME/.mutt" mkdir -m 700 "/home/$MY_USERNAME/Maildir" mkdir -m 700 "/home/$MY_USERNAME/Maildir/cur" mkdir -m 700 "/home/$MY_USERNAME/Maildir/tmp" mkdir -m 700 "/home/$MY_USERNAME/Maildir/new" mkdir -m 700 "/home/$MY_USERNAME/Maildir/Sent" mkdir -m 700 "/home/$MY_USERNAME/Maildir/Sent/cur" mkdir -m 700 "/home/$MY_USERNAME/Maildir/Sent/tmp" mkdir -m 700 "/home/$MY_USERNAME/Maildir/Sent/new" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-spam" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-spam/cur" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-spam/new" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-spam/tmp" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-ham" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-ham/cur" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-ham/new" mkdir -m 700 "/home/$MY_USERNAME/Maildir/.learn-ham/tmp" ln -s "/home/$MY_USERNAME/Maildir/.learn-spam" "/home/$MY_USERNAME/Maildir/spam" ln -s "/home/$MY_USERNAME/Maildir/.learn-ham" "/home/$MY_USERNAME/Maildir/ham" chown -R "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/Maildir" fi } function create_email_onion_address { email_hostname='/var/lib/tor/hidden_service_email/hostname' if ! grep -q "hidden_service_email" $ONION_SERVICES_FILE; then { echo 'HiddenServiceDir /var/lib/tor/hidden_service_email/'; echo 'HiddenServiceVersion 3'; echo 'HiddenServicePort 25 127.0.0.1:25'; echo 'HiddenServicePort 587 127.0.0.1:587'; echo 'HiddenServicePort 465 127.0.0.1:465'; } >> $ONION_SERVICES_FILE function_check onion_update onion_update function_check wait_for_onion_service wait_for_onion_service email if [ ! -f $email_hostname ]; then echo $"email onion site hostname not found" systemctl restart tor exit 782352 fi onion_address=$(cat $email_hostname) set_completion_param "email onion domain" "${onion_address}" add_email_hostname "$onion_address" else onion_address=$(cat $email_hostname) fi cp $email_hostname /etc/skel/.email_onion_domain cp $email_hostname "/home/$MY_USERNAME/.email_onion_domain" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.email_onion_domain" } function configure_email_onion { if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [[ "$SYSTEM_TYPE" == "mesh"* ]]; then return fi create_email_onion_address apt-get -yq install perl # MX record should be: # _onion-mx._tcp # 20:$onion_address # 3600 IN SRV 0 5 25 $onion_address # To test the system, on receiving server: # exim -bd -d -oX 25 # On the sensing server: # exim -d -oX 25 -bt username@$onion_address { echo "perl_startup = do '/etc/exim4/perl-routines.pl'"; echo "perl_at_start"; } > /etc/exim4/conf.d/main/00_exim4-config_perl { echo "use Net::DNS::Resolver;"; echo "sub onionLookup {"; echo " my \$hostname = shift;"; echo " my \$res = Net::DNS::Resolver->new(nameservers => [qw(127.0.0.1)],);"; echo " \$res->port(5300);"; echo " my \$query = \$res->search(\$hostname);"; echo " foreach my \$rr (\$query->answer) {"; echo " next unless \$rr->type eq \"A\";"; echo " return \$rr->address;"; echo " }"; echo " return 'no_such_host';"; echo "}"; } > /etc/exim4/perl-routines.pl { echo "riseup:"; echo " driver = manualroute"; echo " domains = riseup.net"; echo " transport = onion_relay"; echo " headers_remove = Received:Message-ID:X-Mailer:User-Agent"; echo " headers_add = Message-ID: <\${lc:\${sha1:\$message_id}}@\$sender_address_domain>"; echo " route_data = \${perl{onionLookup}{$RISEUP_EMAIL_ONION}}" echo " no_more"; } > /etc/exim4/conf.d/router/905_exim4-config-riseup if ! grep -q "*.onion" /etc/exim4/conf.d/router/200_exim4-config_primary; then sed -i 's|domains = ! +local_domains|domains = ! +local_domains : ! *.onion : ! riseup.net|g' /etc/exim4/conf.d/router/200_exim4-config_primary fi { echo "onionrelays:"; echo " driver = manualroute"; echo " domains = *.onion"; echo " transport = onion_relay"; echo " headers_remove = Received:Message-ID:X-Mailer:User-Agent"; echo " headers_add = Message-ID: <\${lc:\${sha1:\$message_id}}@\$sender_address_domain>"; echo " route_data = \${perl{onionLookup}{\$domain}}" echo " no_more"; } > /etc/exim4/conf.d/router/910_exim4-config-onionrelays { echo "onion_relay:"; echo " driver = smtp"; echo " helo_data = \"\$address_data \$original_domain\""; echo " hosts_avoid_tls = *"; echo " socks_proxy = 127.0.0.1 port=9050"; } > /etc/exim4/conf.d/transport/050_exim4-config_onion_relay { echo 'DNSPort 5300'; echo 'DNSListenAddress 127.0.0.1'; echo 'AutomapHostsOnResolve 1'; } > /etc/torrc.d/dns update-exim4.conf.template -r update-exim4.conf dpkg-reconfigure --frontend noninteractive exim4-config systemctl restart tor systemctl restart exim4 mark_completed "${FUNCNAME[0]}" } function check_email_address_exists { read_config_param ONION_ONLY read_config_param MY_USERNAME read_config_param DEFAULT_DOMAIN_NAME read_config_param MY_EMAIL_ADDRESS read_config_param DH_KEYLENGTH if [ ! "$MY_USERNAME" ]; then echo $'No username for email installation' exit 73672 fi if [ ! "$DEFAULT_DOMAIN_NAME" ]; then echo $'No default domain name for email installation' exit 57634 fi my_email="$MY_EMAIL_ADDRESS" if [ ${#my_email} -lt 3 ]; then MY_EMAIL_ADDRESS="${MY_USERNAME}@${DEFAULT_DOMAIN_NAME}" write_config_param "MY_EMAIL_ADDRESS" "$MY_EMAIL_ADDRESS" fi if [[ $ONION_ONLY != 'no' ]]; then my_email=$onion_address MY_EMAIL_ADDRESS="${MY_USERNAME}@$onion_address" write_config_param "MY_EMAIL_ADDRESS" "$MY_EMAIL_ADDRESS" fi } function backup_email { echo '' } function configure_firewall_for_email { if [[ "$INSTALLED_WITHIN_DOCKER" == "yes" ]]; then # docker does its own firewalling return fi if [[ "$ONION_ONLY" != "no" ]]; then return fi firewall_add Email 25 tcp firewall_add Email 587 tcp firewall_add Email 465 tcp firewall_add Imap 993 tcp } function encrypt_incoming_email { # encrypts incoming mail using your GPG public key # so even if an attacker gains access to the data at rest they still need # to know your GPG key password to be able to read anything if [ ! -d /etc/exim4 ]; then return fi # update to the next commit function_check set_repo_commit set_repo_commit "$INSTALL_DIR/gpgit" "gpgit commit" "$GPGIT_COMMIT" "$GPGIT_REPO" if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [[ "$GPG_ENCRYPT_STORED_EMAIL" != "yes" ]]; then return fi if [ ! -f /usr/bin/gpgit.pl ]; then apt-get -yq install git libmail-gnupg-perl cd "$INSTALL_DIR" || exit 246824624 function_check git_clone git_clone "$GPGIT_REPO" "$INSTALL_DIR/gpgit" cd "$INSTALL_DIR/gpgit" || exit 7246725474 git checkout "$GPGIT_COMMIT" -b "$GPGIT_COMMIT" set_completion_param "gpgit commit" "$GPGIT_COMMIT" cp gpgit.pl /usr/bin fi # add a procmail rule if ! grep -q "/usr/bin/gpgit.pl" "/home/$MY_USERNAME/.procmailrc"; then { echo ''; echo ':0 f'; echo "| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten $MY_EMAIL_ADDRESS"; } >> "/home/$MY_USERNAME/.procmailrc" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.procmailrc" { echo ''; echo ':0 f'; echo -n "| /usr/bin/gpgit.pl --encrypt-mode prefer-inline --inline-flatten \$USER@"; echo "$DEFAULT_DOMAIN_NAME"; } >> /etc/skel/.procmailrc fi mark_completed "${FUNCNAME[0]}" } function encrypt_outgoing_email { # encrypts outgoing mail using your GPG public key # so even if an attacker gains access to the data at rest they still need # to know your GPG key password to be able to read sent mail if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [[ "$GPG_ENCRYPT_STORED_EMAIL" != "yes" ]]; then return fi if [ ! -d "/home/$MY_USERNAME/.gnupg" ]; then return fi if [ ! -f "/home/$MY_USERNAME/.muttrc" ]; then return fi # obtain your public key ID if [ ! "$MY_GPG_PUBLIC_KEY_ID" ]; then MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") if [ ! "$MY_GPG_PUBLIC_KEY_ID" ]; then return fi if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then return fi fi if ! grep -q "pgp_encrypt_only_command" "/home/$MY_USERNAME/.muttrc"; then { echo ''; echo $'# Encrypt items in the Sent folder'; echo "set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\""; } >> "/home/$MY_USERNAME/.muttrc" else sed -i "s|set pgp_encrypt_only_command.*|set pgp_encrypt_only_command=\"/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --trust-model always --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$MY_USERNAME/.muttrc" fi if ! grep -q "pgp_encrypt_sign_command" "/home/$MY_USERNAME/.muttrc"; then echo "set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"" >> "/home/$MY_USERNAME/.muttrc" else sed -i "s|set pgp_encrypt_sign_command.*|set pgp_encrypt_sign_command=\"/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --trust-model always --encrypt-to $MY_GPG_PUBLIC_KEY_ID -- -r %r -- %f\"|g" "/home/$MY_USERNAME/.muttrc" fi mark_completed "${FUNCNAME[0]}" } function encrypt_all_email { if [ ! -d /etc/exim4 ]; then return fi if [[ "$GPG_ENCRYPT_STORED_EMAIL" != "yes" ]]; then return fi if [ -f "/usr/local/bin/${PROJECT_NAME}-encrypt-mail" ]; then if [ ! -f /usr/bin/encmaildir ]; then cp "/usr/local/bin/${PROJECT_NAME}-encrypt-mail" /usr/bin/encmaildir else HASH1=$(sha256sum "/usr/local/bin/${PROJECT_NAME}-encrypt-mail" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp "/usr/local/bin/${PROJECT_NAME}-encrypt-mail" /usr/bin/encmaildir fi fi else if [ ! -f /usr/bin/encmaildir ]; then cp "/usr/bin/${PROJECT_NAME}-encrypt-mail" /usr/bin/encmaildir else HASH1=$(sha256sum "/usr/bin/${PROJECT_NAME}-encrypt-mail" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp "/usr/bin/${PROJECT_NAME}-encrypt-mail" /usr/bin/encmaildir fi fi fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [ ! -f "/home/$MY_USERNAME/README" ]; then touch "/home/$MY_USERNAME/README" fi if ! grep -q $"If you have imported legacy email which is not encrypted" "/home/$MY_USERNAME/README"; then { echo ''; echo ''; echo $'# Encrypting legacy email'; echo $'If you have imported legacy email which is not encrypted'; echo $'then it can be encrypted with the command:'; echo ''; echo ' encmaildir'; echo ''; echo $'But be warned that depending upon how much email you have'; echo $'this could take a seriously LONG time on the Beaglebone'; echo $'and may be better done on a faster machine.'; } >> "/home/$MY_USERNAME/README" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/README" chmod 600 "/home/$MY_USERNAME/README" fi mark_completed "${FUNCNAME[0]}" } function email_client { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi apt-get -yq install lynx abook urlview mutt if [ ! -f /etc/Muttrc ]; then echo $"ERROR: Mutt does not appear to have installed. $CHECK_MESSAGE" exit 49 fi if [ ! -d "/home/$MY_USERNAME/.mutt" ]; then mkdir "/home/$MY_USERNAME/.mutt" fi echo "text/html; lynx -dump -width=78 -nolist %s | sed ‘s/^ //’; copiousoutput; needsterminal; nametemplate=%s.html" > "/home/$MY_USERNAME/.mutt/mailcap" cp "/home/$MY_USERNAME/.mutt/mailcap" /etc/skel/.mutt chown -R "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.mutt" chown -R root:root /etc/skel/.mutt { echo 'set mbox_type=Maildir'; echo 'set folder="~/Maildir"'; echo 'set mask="!^\\.[^.]"'; echo 'set mbox="~/Maildir"'; echo 'set record="+Sent"'; echo 'set postponed="+Drafts"'; echo 'set trash="+Trash"'; echo 'set spoolfile="~/Maildir"'; echo 'auto_view text/x-vcard text/html text/enriched'; echo 'set header_cache="+.cache"'; echo 'set markers=no'; echo ''; echo '# ctrl-u to view long URLs'; echo 'macro pager \cu "urlview" "Follow links with urlview"'; echo ''; echo 'macro index S "=.learn-spam" "move to learn-spam"'; echo 'macro pager S "=.learn-spam" "move to learn-spam"'; echo 'macro index H "=.learn-ham" "copy to learn-ham"'; echo 'macro pager H "=.learn-ham" "copy to learn-ham"'; echo ''; echo '# set up the sidebar'; echo 'set sidebar_width=22'; echo 'set sidebar_visible=yes'; echo ''; echo 'set rfc2047_parameters'; echo ''; echo '# Show inbox and sent items'; echo 'mailboxes = =admin =Sent =maybe-spam =spam'; echo ''; echo '# Alter these colours as needed for maximum bling'; echo 'color sidebar_new yellow default'; echo 'color normal white default'; echo 'color hdrdefault brightcyan default'; echo 'color signature green default'; echo 'color attachment brightyellow default'; echo 'color quoted green default'; echo 'color quoted1 white default'; echo 'color tilde blue default'; echo ''; echo '# ctrl-n, ctrl-p to select next, prev folder'; echo '# ctrl-o to open selected folder'; echo 'bind index \Cp sidebar-prev'; echo 'bind index \Cn sidebar-next'; echo 'bind index \Co sidebar-open'; echo 'bind pager \Cp sidebar-prev'; echo 'bind pager \Cn sidebar-next'; echo 'bind pager \Co sidebar-open'; echo ''; echo '# ctrl-b toggles sidebar visibility'; echo "macro index,pager \\Cb 'toggle sidebar_visible' 'toggle sidebar'"; echo ''; echo '# esc-m Mark new messages as read'; echo 'macro index m "T~N;WNT~O;WO\CT~T" "mark all messages read"'; echo ''; echo '# Collapsing threads'; echo 'macro index [ "" "collapse/uncollapse thread"'; echo 'macro index ] "" "collapse/uncollapse all threads"'; echo ''; echo '# threads containing new messages'; echo 'uncolor index "~(~N)"'; echo 'color index brightblue default "~(~N)"'; echo ''; echo '# new messages themselves'; echo 'uncolor index "~N"'; echo 'color index brightyellow default "~N"'; echo ''; echo '# GPG/PGP integration'; echo '# this set the number of seconds to keep in memory the passphrase used to encrypt/sign'; echo 'set pgp_timeout=1800'; echo ''; echo '# automatically sign and encrypt with PGP/MIME'; echo 'set pgp_autosign # autosign all outgoing mails'; echo 'set pgp_autoencrypt # Try to encrypt automatically'; echo 'set pgp_replyencrypt # autocrypt replies to crypted'; echo 'set pgp_replysign # autosign replies to signed'; echo 'set pgp_auto_decode=yes # decode attachments'; echo 'set fcc_clear=no # Keep encrypted copy of sent encrypted mail'; echo 'unset smime_is_default'; echo ''; echo 'set alias_file=~/.mutt-alias'; echo 'source ~/.mutt-alias'; echo 'set query_command= "abook --mutt-query \"%s\""'; echo 'macro index,pager A "abook --add-email-quiet" "add the sender address to abook"'; echo ''; echo '# Optional relay of SMTP via ISP'; echo '#set smtp_url="smtps://username:password@isp_mail_domain:465/"'; } > /etc/Muttrc if [[ "$ONION_ONLY" != 'no' ]]; then # On onion only systems email is onion router anyway, with its # own encryption system, so we don't need the additional pgp layer # except perhaps for some additional confidence sed -i 's|set pgp_autoencrypt|unset pgp_autoencrypt|g' /etc/Muttrc sed -i 's|set pgp_autosign|unset pgp_autosign|g' /etc/Muttrc fi # For viewing long URLs echo 'REGEXP (((http|https|ftp|gopher)|mailto)[.:][^ >"\t]*|www\.[-a-z0-9.]+)[^ .,;\t>">\):]' > "/home/$MY_USERNAME/.urlview" echo 'COMMAND lynx -dump -width=78 -nolist %s' >> "/home/$MY_USERNAME/.urlview" cp -f /etc/Muttrc "/home/$MY_USERNAME/.muttrc" cp -f /etc/Muttrc /etc/skel/.muttrc cp -f "/home/$MY_USERNAME/.urlview" /etc/skel/.urlview touch "/home/$MY_USERNAME/.mutt-alias" cp "/home/$MY_USERNAME/.mutt-alias" /etc/skel/.mutt-alias chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.muttrc" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.mutt-alias" # default user on generic images if [ -d "/home/${GENERIC_IMAGE_USERNAME}" ]; then cp -f /etc/Muttrc "/home/${GENERIC_IMAGE_USERNAME}/.muttrc" chown "${GENERIC_IMAGE_USERNAME}":"${GENERIC_IMAGE_USERNAME}" "/home/${GENERIC_IMAGE_USERNAME}/.muttrc" touch "/home/${GENERIC_IMAGE_USERNAME}/.mutt-alias" chown "${GENERIC_IMAGE_USERNAME}":"${GENERIC_IMAGE_USERNAME}" "/home/${GENERIC_IMAGE_USERNAME}/.mutt-alias" fi mark_completed "${FUNCNAME[0]}" } function email_archiving { if [ ! -d /etc/exim4 ]; then return fi # ensure that the mail archive script is up to date if [ -f "/usr/local/bin/${PROJECT_NAME}-archive-mail" ]; then if [ ! -f /etc/cron.daily/archivemail ]; then cp "/usr/local/bin/${PROJECT_NAME}-archive-mail" /etc/cron.daily/archivemail chmod +x /etc/cron.daily/archivemail else HASH1=$(sha256sum "/usr/local/bin/${PROJECT_NAME}-archive-mail" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp "/usr/local/bin/${PROJECT_NAME}-archive-mail" /etc/cron.daily/archivemail chmod +x /etc/cron.daily/archivemail fi fi else if [ -f "/usr/bin/${PROJECT_NAME}-archive-mail" ]; then if [ ! -f /etc/cron.daily/archivemail ]; then cp "/usr/bin/${PROJECT_NAME}-archive-mail" /etc/cron.daily/archivemail chmod +x /etc/cron.daily/archivemail else HASH1=$(sha256sum "/usr/local/bin/${PROJECT_NAME}-archive-mail" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp "/usr/local/bin/${PROJECT_NAME}-archive-mail" /etc/cron.daily/archivemail chmod +x /etc/cron.daily/archivemail fi fi else echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed." exit 62379 fi fi # update to the next commit function_check set_repo_commit set_repo_commit "$INSTALL_DIR/cleanup-maildir" "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" "$CLEANUP_MAILDIR_REPO" if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [ ! -d "$INSTALL_DIR" ]; then mkdir "$INSTALL_DIR" fi cd "$INSTALL_DIR" || exit 246824245242 function_check git_clone git_clone "$CLEANUP_MAILDIR_REPO" "$INSTALL_DIR/cleanup-maildir" cd "$INSTALL_DIR/cleanup-maildir" || exit 6887242572 git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT set_completion_param "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" if [ ! -f /usr/bin/cleanup-maildir ]; then cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin else HASH1=$(sha256sum "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp "$INSTALL_DIR/cleanup-maildir/cleanup-maildir" /usr/bin fi fi mark_completed "${FUNCNAME[0]}" } # Ensure that the from field is correct when sending email from Mutt function email_from_address { if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [ ! -f "/home/$MY_USERNAME/.muttrc" ]; then return fi if grep -q "set from=" "/home/$MY_USERNAME/.muttrc"; then sed -i "s|set from=.*|set from='$MY_NAME <$MY_EMAIL_ADDRESS>'|g" "/home/$MY_USERNAME/.muttrc" else echo "set from='$MY_NAME <$MY_EMAIL_ADDRESS>'" >> "/home/$MY_USERNAME/.muttrc" fi mark_completed "${FUNCNAME[0]}" } function create_public_mailing_list { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [ ! "$PUBLIC_MAILING_LIST" ]; then return fi # does the mailing list have a separate domain name? if [ ! "$PUBLIC_MAILING_LIST_DOMAIN_NAME" ]; then PUBLIC_MAILING_LIST_DOMAIN_NAME="$DEFAULT_DOMAIN_NAME" fi PUBLIC_MAILING_LIST_USER="mlmmj" apt-get -yq install mlmmj adduser --system "$PUBLIC_MAILING_LIST_USER" addgroup "$PUBLIC_MAILING_LIST_USER" adduser "$PUBLIC_MAILING_LIST_USER" "$PUBLIC_MAILING_LIST_USER" echo '' echo $"Creating the $PUBLIC_MAILING_LIST mailing list" echo '' # create the list mlmmj-make-ml -a -L "$PUBLIC_MAILING_LIST" -c "$PUBLIC_MAILING_LIST_USER" { echo 'SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe'; echo "SYSTEM_ALIASES_USER = $PUBLIC_MAILING_LIST_USER"; echo "SYSTEM_ALIASES_GROUP = $PUBLIC_MAILING_LIST_USER"; } > /etc/exim4/conf.d/main/000_localmacros # router { echo 'mlmmj_router:'; echo " debug_print = \"R: mlmmj_router for \$local_part@\$domain\""; echo ' driver = accept'; echo ' domains = +mlmmj_domains'; echo " #require_files = MLMMJ_HOME/\${lc::\$local_part}"; echo ' # Use this instead, if you dont want to give Exim rx rights to mlmmj spool.'; echo ' # Exim will then spawn a new process running under the UID of "mlmmj".'; echo " require_files = mlmmj:MLMMJ_HOME/\${lc::\$local_part}"; echo ' local_part_suffix = +*'; echo ' local_part_suffix_optional'; echo ' headers_remove = Delivered-To'; echo " headers_add = Delivered-To: \$local_part\$local_part_suffix@\$domain"; echo ' transport = mlmmj_transport'; } > /etc/exim4/conf.d/router/750_exim4-config_mlmmj # transport { echo 'mlmmj_transport:'; echo " debug_print = \"T: mlmmj_transport for \$local_part@\$domain\""; echo ' driver = pipe'; echo ' return_path_add'; echo ' user = mlmmj'; echo ' group = mlmmj'; echo ' home_directory = MLMMJ_HOME'; echo ' current_directory = MLMMJ_HOME'; echo " command = /usr/bin/mlmmj-receive -F -L MLMMJ_HOME/\${lc:\$local_part}"; } > /etc/exim4/conf.d/transport/40_exim4-config_mlmmj if ! grep -q "MLMMJ_HOME=/var/spool/mlmmj" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i '/MAIN CONFIGURATION SETTINGS/a\MLMMJ_HOME=/var/spool/mlmmj' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "domainlist mlmmj_domains =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i "/MLMMJ_HOME/a\\domainlist mlmmj_domains = $PUBLIC_MAILING_LIST_DOMAIN_NAME" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "delay_warning_condition =" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i "/domainlist mlmmj_domains =/a\\delay_warning_condition = \${if match_domain{\$domain}{+mlmmj_domains}{no}{yes}}" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q ": +mlmmj_domains" /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs; then sed -i 's/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS/domainlist relay_to_domains = MAIN_RELAY_TO_DOMAINS : +mlmmj_domains/g' /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs fi if ! grep -q "! +mlmmj_domains" /etc/exim4/conf.d/router/200_exim4-config_primary; then sed -i 's/domains = ! +local_domains/domains = ! +mlmmj_domains : ! +local_domains/g' /etc/exim4/conf.d/router/200_exim4-config_primary fi update-exim4.conf.template -r update-exim4.conf systemctl restart exim4 if ! grep -q $"$PUBLIC_MAILING_LIST mailing list" "/home/$MY_USERNAME/README"; then { echo ''; echo ''; echo $"$PUBLIC_MAILING_LIST mailing list"; echo '================================='; echo $"To subscribe to the $PUBLIC_MAILING_LIST mailing list send a"; echo $"cleartext email to $PUBLIC_MAILING_LIST+subscribe@$DEFAULT_DOMAIN_NAME"; } >> "/home/$MY_USERNAME/README" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/README" chmod 600 "/home/$MY_USERNAME/README" fi "${PROJECT_NAME}-addlist" -u "$MY_USERNAME" -l "$PUBLIC_MAILING_LIST" -s "$PUBLIC_MAILING_LIST" mark_completed "${FUNCNAME[0]}" } function split_gpg_key_into_fragments { # split the gpg key into fragments if social key management is enabled if [[ "$ENABLE_SOCIAL_KEY_MANAGEMENT" == "yes" ]]; then if [ "$IMAGE_PASSWORD_FILE" ]; then if [ -f "$IMAGE_PASSWORD_FILE" ]; then "${PROJECT_NAME}-splitkey" -u "$MY_USERNAME" -e "$MY_EMAIL_ADDRESS" --fullname "$MY_NAME" --passwordfile "$IMAGE_PASSWORD_FILE" return fi fi echo 'Splitting GPG key. You may need to enter your passphrase.' "${PROJECT_NAME}-splitkey" -u "$MY_USERNAME" -e "$MY_EMAIL_ADDRESS" --fullname "$MY_NAME" if [ ! -d "/home/$MY_USERNAME/.gnupg_fragments" ]; then echo 'Yhe GPG key could not be split' exit 86548 fi fi } function import_email { if [ ! -d /etc/exim4 ]; then return fi EMAIL_COMPLETE_MSG=$" *** ${PROJECT_NAME} mailbox installation is complete *** Now on your internet router forward ports 25, 587, 465, 993 and 2222 to the ${PROJECT_NAME} " if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then if [[ "$SYSTEM_TYPE" == "mail"* ]]; then function_check backup_to_friends_servers backup_to_friends_servers function_check install_tripwire install_tripwire function_check split_gpg_key_into_fragments split_gpg_key_into_fragments clear echo '' echo "$EMAIL_COMPLETE_MSG" if [ -d "$USB_MOUNT" ]; then umount "$USB_MOUNT" rm -rf "$USB_MOUNT" echo $' You can now remove the USB drive' fi exit 0 fi return fi mark_completed "${FUNCNAME[0]}" if [[ "$SYSTEM_TYPE" == "mail"* ]]; then function_check backup_to_friends_servers backup_to_friends_servers function_check install_tripwire install_tripwire function_check split_gpg_key_into_fragments split_gpg_key_into_fragments # unmount any attached usb drive clear echo '' echo "$EMAIL_COMPLETE_MSG" echo '' if [ -d "$USB_MOUNT" ]; then umount "$USB_MOUNT" rm -rf "$USB_MOUNT" echo $' You can now remove the USB drive' fi exit 0 fi } function remove_email { echo '' } function install_email_basic { apt-get -yq remove postfix apt-get -yq install exim4 sasl2-bin swaks libnet-ssleay-perl procmail if [ ! -d /etc/exim4 ]; then echo $"ERROR: Exim does not appear to have installed. $CHECK_MESSAGE" exit 48 fi # configure for Maildir format sed -i 's/MAIL_DIR/#MAIL_DIR/g' /etc/login.defs sed -i 's|#MAIL_FILE.*|MAIL_FILE Maildir/|g' /etc/login.defs if ! grep -q "export MAIL" /etc/profile; then echo 'export MAIL=~/Maildir' >> /etc/profile fi sed -i 's|pam_mail.so standard|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/login sed -i 's|pam_mail.so standard noenv|pam_mail.so dir=~/Maildir standard|g' /etc/pam.d/sshd sed -i 's|pam_mail.so nopen|pam_mail.so dir=~/Maildir nopen|g' /etc/pam.d/su echo "dc_eximconfig_configtype='internet'" > /etc/exim4/update-exim4.conf.conf if [[ $ONION_ONLY == 'no' ]]; then echo "dc_other_hostnames='${DEFAULT_DOMAIN_NAME};mail.${DEFAULT_DOMAIN_NAME}'" >> /etc/exim4/update-exim4.conf.conf else echo "dc_other_hostnames='${onion_address}'" >> /etc/exim4/update-exim4.conf.conf fi { echo "dc_local_interfaces=''"; echo "dc_readhost=''"; echo "dc_relay_domains=''"; echo "dc_minimaldns='false'"; } >> /etc/exim4/update-exim4.conf.conf IPv4_address=$(get_ipv4_address) IPv4_address_base=$(echo "$IPv4_address" | awk -F '.' '{print $1"."$2"."$3}') RELAY_NETS="${IPv4_address_base}.0/24" if [ "$LOCAL_NETWORK_STATIC_IP_ADDRESS" ]; then RELAY_NETS=$(awk "$LOCAL_NETWORK_STATIC_IP_ADDRESS" -F '.' '{print $1 "." $2 "." $3 ".0/24"}') fi { echo "dc_relay_nets='$RELAY_NETS'"; echo "dc_smarthost=''"; echo "CFILEMODE='644'"; echo "dc_use_split_config='false'"; echo "dc_hide_mailname=''"; echo "dc_mailname_in_oh='true'"; echo "dc_localdelivery='maildir_home'"; echo "dc_main_log_selector=-all"; } >> /etc/exim4/update-exim4.conf.conf echo "chunking_advertise_hosts =" > /etc/exim4/conf.d/main/04_exim4-config_chunking update-exim4.conf sed -i "s/START=no/START=yes/g" /etc/default/saslauthd systemctl start saslauthd email_install_tls adduser "$MY_USERNAME" sasl addgroup Debian-exim sasl systemctl restart exim4 email_create_template if [ -f /usr/sbin/exim ]; then chmod u+s /usr/sbin/exim fi if [ -f /usr/sbin/exim4 ]; then chmod u+s /usr/sbin/exim4 fi function_check configure_firewall_for_email configure_firewall_for_email dpkg-reconfigure --frontend noninteractive exim4-config systemctl restart exim4 } function email_change_relay { curr_ip_address="$1" email_relay_base=$(echo "$curr_ip_address" | awk -F '.' '{print $1"."$2"."$3}') RELAY_NETS="${email_relay_base}.0/24" sed -i "s|dc_relay_nets=.*|dc_relay_nets='$RELAY_NETS'|g" /etc/exim4/update-exim4.conf.conf dpkg-reconfigure --frontend noninteractive exim4-config } function create_procmail { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi if [ ! -f "/home/$MY_USERNAME/.procmailrc" ]; then { echo "MAILDIR=\$HOME/Maildir"; echo "DEFAULT=\$MAILDIR/"; echo "LOGFILE=\$HOME/log/procmail.log"; echo 'LOGABSTRACT=all'; echo ''; echo '# Test for an empty or missing subject line'; echo "SUBJ_=\$(formail -xSubject: \\"; echo " | expand | sed -e 's/^[ ]*//g' -e 's/[ ]*\$//g')"; echo ':0'; echo ' * SUBJ_ ?? ^^^^'; echo '/dev/null'; echo ''; echo $"# Tripwire reports which have no violations don't need to be logged"; echo ':0 BD:'; } > "/home/$MY_USERNAME/.procmailrc" TRIPWIRE_VIOLATIONS_STR=$'Total violations found: 0' { echo " * .*$TRIPWIRE_VIOLATIONS_STR"; echo '/dev/null'; echo ''; } >> "/home/$MY_USERNAME/.procmailrc" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.procmailrc" fi mkdir -p "/home/$MY_USERNAME/Maildir/admin/new" mkdir -p "/home/$MY_USERNAME/Maildir/admin/cur" chown -R "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/Maildir/admin" if [ ! -f /etc/skel/.procmailrc ]; then cp "/home/$MY_USERNAME/.procmailrc" /etc/skel/.procmailrc chown root:root /etc/skel/.procmailrc fi if [ -f /usr/bin/procmail ]; then chmod 6755 /usr/bin/procmail fi mark_completed "${FUNCNAME[0]}" } function handle_admin_emails { # keep emails for root in a separate folder if [ -d "/home/$MY_USERNAME/Maildir/admin" ]; then return fi "${PROJECT_NAME}-addemail" -u "$MY_USERNAME" -e "root@$DEFAULT_DOMAIN_NAME" -g admin --public no } function spam_filtering { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi apt-get -yq install exim4-daemon-heavy apt-get -yq install spamassassin if [ ! -f /etc/default/spamassassin ]; then echo 'Spamassassin was not installed' exit 72570 fi sa-update -v sed -i 's/ENABLED=0/ENABLED=1/g' /etc/default/spamassassin sed -i 's/# spamd_address = 127.0.0.1 783/spamd_address = 127.0.0.1 783/g' /etc/exim4/exim4.conf.template # This configuration is based on https://wiki.debian.org/DebianSpamAssassin sed -i 's/local_parts = postmaster/local_parts = postmaster:abuse/g' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt sed -i '/domains = +local_domains : +relay_to_domains/a\ set acl_m0 = rfcnames' /etc/exim4/conf.d/acl/30_exim4-config_check_rcpt # This prevents .onion domains from being accepted #sed -i "s/accept/accept condition = \${if eq{\$acl_m0}{rfcnames} {1}{0}}/g" /etc/exim4/conf.d/acl/40_exim4-config_check_data { echo "warn message = X-Spam-Score: \$spam_score (\$spam_bar)"; echo ' spam = nobody:true'; echo 'warn message = X-Spam-Flag: YES'; echo ' spam = nobody'; echo "warn message = X-Spam-Report: \$spam_report"; echo ' spam = nobody'; echo '# reject spam at high scores (> 12)'; echo "deny message = This message scored \$spam_score spam points."; echo ' spam = nobody:true'; echo " condition = \${if >{\$spam_score_int}{120}{1}{0}}"; } >> /etc/exim4/conf.d/acl/40_exim4-config_check_data # procmail configuration { echo '# get spamassassin to check emails'; echo ':0fw: .spamassassin.lock'; echo ' * < 256000'; echo '| spamc'; echo '# strong spam are discarded'; echo ':0'; echo ' * ^X-Spam-Level: \*\*\*\*\*\*'; echo '/dev/null'; echo '# weak spam are kept just in case - clear this out every now and then'; echo ':0'; echo ' * ^X-Spam-Level: \*\*\*\*\*'; echo 'maybe-spam/'; echo '# otherwise, marginal spam goes here for revision'; echo ':0'; echo ' * ^X-Spam-Level: \*\*'; echo 'spam/'; } >> "/home/$MY_USERNAME/.procmailrc" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.procmailrc" { echo '# get spamassassin to check emails'; echo ':0fw: .spamassassin.lock'; echo ' * < 256000'; echo '| spamc'; echo '# strong spam are discarded'; echo ':0'; echo ' * ^X-Spam-Level: \*\*\*\*\*\*'; echo '/dev/null'; echo '# weak spam are kept just in case - clear this out every now and then'; echo ':0'; echo ' * ^X-Spam-Level: \*\*\*\*\*'; echo 'maybe-spam/'; echo '# otherwise, marginal spam goes here for revision'; echo ':0'; echo ' * ^X-Spam-Level: \*\*'; echo 'spam/'; } >> /etc/skel/.procmailrc # filtering scripts { echo '#!/bin/bash'; echo 'for d in /home/*/ ; do'; echo " USERNAME=\$(echo \"\$d\" | awk -F '/' '{print \$3}')"; echo " if [[ \$USERNAME != \"git\" && $USERNAME != \"go\" && \$USERNAME != \"gogs\" && \$USERNAME != \"sync\" && \$USERNAME != \"tahoelafs\" ]]; then"; echo " MAILDIR=/home/\$USERNAME/Maildir/.learn-spam"; echo " if [ ! -d \"\$MAILDIR\" ]; then"; echo ' exit'; echo ' fi'; echo " for f in \$(ls \$MAILDIR/cur)"; echo ' do'; echo " spamc -L spam < \"\$MAILDIR/cur/\$f\" > /dev/null"; echo " rm \"\$MAILDIR/cur/\$f\""; echo ' done'; echo " for f in \$(ls \$MAILDIR/new)"; echo ' do'; echo " spamc -L spam < \"\$MAILDIR/new/\$f\" > /dev/null"; echo " rm \"\$MAILDIR/new/\$f\""; echo ' done'; echo ' fi'; echo 'done'; echo 'exit 0'; } > /usr/bin/filterspam { echo '#!/bin/bash'; echo 'for d in /home/*/ ; do'; echo " USERNAME=\$(echo \"\$d\" | awk -F '/' '{print \$3}')"; echo " if [[ \$USERNAME != \"git\" && \$USERNAME != \"go\" && \$USERNAME != \"gogs\" && \$USERNAME != \"sync\" && \$USERNAME != \"tahoelafs\" ]]; then"; echo " MAILDIR=/home/\$USERNAME/Maildir/.learn-ham"; echo " if [ ! -d \"\$MAILDIR\" ]; then"; echo ' exit'; echo ' fi'; echo " for f in \$(ls \$MAILDIR/cur)"; echo ' do'; echo " spamc -L ham < \"\$MAILDIR/cur/\$f\" > /dev/null"; echo " rm \"\$MAILDIR/cur/\$f\""; echo ' done'; echo " for f in \$(ls \$MAILDIR/new)"; echo ' do'; echo " spamc -L ham < \"\$MAILDIR/new/\$f\" > /dev/null"; echo " rm \"\$MAILDIR/new/\$f\""; echo ' done'; echo ' fi'; echo 'done'; echo 'exit 0'; } > /usr/bin/filterham function_check cron_add_mins cron_add_mins 3 '/usr/bin/timeout 120 /usr/bin/filterspam' cron_add_mins 3 '/usr/bin/timeout 120 /usr/bin/filterham' chmod 655 /usr/bin/filterspam /usr/bin/filterham sed -i 's/# use_bayes 1/use_bayes 1/g' /etc/mail/spamassassin/local.cf sed -i 's/# bayes_auto_learn 1/bayes_auto_learn 1/g' /etc/mail/spamassassin/local.cf # user preferences if [ ! -d "/home/$MY_USERNAME/.spamassassin" ]; then mkdir "/home/$MY_USERNAME/.spamassassin" { echo $'# How many points before a mail is considered spam.'; echo '# required_score 5'; echo ''; echo $'# Whitelist and blacklist addresses are now file-glob-style patterns, so'; echo $'# "friend@somewhere.com", "*@isp.com", or "*.domain.net" will all work.'; echo '# whitelist_from someone@somewhere.com'; echo ''; echo $'# Add your own customised scores for some tests below. The default scores are'; echo $'# read from the installed spamassassin rules files, but you can override them'; echo $'# here. To see the list of tests and their default scores, go to'; echo '# http://spamassassin.apache.org/tests.html .'; echo '#'; echo '# score SYMBOLIC_TEST_NAME n.nn'; echo ''; echo $'# Speakers of Asian languages, like Chinese, Japanese and Korean, will almost'; echo $'# definitely want to uncomment the following lines. They will switch off some'; echo $'# rules that detect 8-bit characters, which commonly trigger on mails using CJK'; echo $'# character sets, or that assume a western-style charset is in use. '; echo '# '; echo '# score HTML_COMMENT_8BITS 0'; echo '# score UPPERCASE_25_50 0'; echo '# score UPPERCASE_50_75 0'; echo '# score UPPERCASE_75_100 0'; echo '# score OBSCURED_EMAIL 0'; echo ''; echo $'# Speakers of any language that uses non-English, accented characters may wish'; echo $'# to uncomment the following lines. They turn off rules that fire on'; echo $'# misformatted messages generated by common mail apps in contravention of the'; echo $'# email RFCs.'; echo ''; echo '# score SUBJ_ILLEGAL_CHARS 0'; } > "/home/$MY_USERNAME/.spamassassin/user_prefs" fi # this must be accessible by root chown -R "$MY_USERNAME":root "/home/$MY_USERNAME/.spamassassin" # script to keep spamassassin running # There is a systemd script from the debian package, but it doesn't restart on failure # and also doesn't ensure start after networking is up. If that is eventually fixed # then this script and the cron job which runs it can be removed. script_name=/usr/bin/run-spamassassin { echo '#!/bin/bash'; echo "current_state=\$(systemctl status spamassassin)"; echo "if [[ \"\$current_state\" != *\"(running)\"* ]]; then"; echo ' systemctl restart spamassassin'; echo 'fi'; echo 'exit 0'; } > $script_name chmod +x $script_name systemctl start spamassassin systemctl restart exim4 systemctl restart cron function_check cron_add_mins cron_add_mins 10 "$script_name 2> /dev/null" mark_completed "${FUNCNAME[0]}" } function configure_imap { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi apt-get -yq install dovecot-imapd if [ ! -d /etc/dovecot ]; then echo $"ERROR: Dovecot does not appear to have installed. $CHECK_MESSAGE" exit 48 fi if [[ "$(cert_exists dovecot)" == "0" ]]; then "${PROJECT_NAME}-addcert" -h dovecot --dhkey "$DH_KEYLENGTH" CHECK_HOSTNAME=dovecot check_certificates dovecot fi chmod 600 /etc/shadow chmod 600 /etc/gshadow groupadd default usermod -g default dovecot chmod 0000 /etc/shadow chmod 0000 /etc/gshadow chown root:default /etc/ssl/certs/dovecot.* chown root:default /etc/ssl/private/dovecot.* chown root:default "/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.*" chown root:default "/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.*" if [ ! -f /etc/dovecot/conf.d/10-ssl.conf ]; then echo $'Unable to find /etc/dovecot/conf.d/10-ssl.conf' exit 83629 fi sed -i 's|#ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|ssl =.*|ssl = no|g' /etc/dovecot/conf.d/10-ssl.conf sed -i "s|#ssl_cert =.*|ssl_cert = > /etc/dovecot/conf.d/10-ssl.conf if [ ! -f /etc/dovecot/conf.d/10-master.conf ]; then echo $'Unable to find /etc/dovecot/conf.d/10-master.conf' exit 49259 fi sed -i 's/#process_limit =.*/process_limit = 100/g' /etc/dovecot/conf.d/10-master.conf if [ ! -f /etc/dovecot/conf.d/10-logging.conf ]; then echo $'Unable to find /etc/dovecot/conf.d/10-logging.conf' exit 48936 fi sed -i 's/#auth_verbose.*/auth_verbose = yes/g' /etc/dovecot/conf.d/10-logging.conf if [ ! -f /etc/dovecot/dovecot.conf ]; then echo $'Unable to find /etc/dovecot/dovecot.conf' exit 43890 fi sed -i 's/#listen =.*/listen = */g' /etc/dovecot/dovecot.conf if [ ! -f /etc/dovecot/conf.d/10-auth.conf ]; then echo $'Unable to find /etc/dovecot/conf.d/10-auth.conf' exit 843256 fi sed -i 's/#disable_plaintext_auth =.*/disable_plaintext_auth = no/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's/auth_mechanisms =.*/auth_mechanisms = plain login/g' /etc/dovecot/conf.d/10-auth.conf if [ ! -f /etc/dovecot/conf.d/10-mail.conf ]; then echo $'Unable to find /etc/dovecot/conf.d/10-mail.conf' exit 42036 fi sed -i 's|mail_location =.*|mail_location = maildir:~/Maildir:LAYOUT=fs|g' /etc/dovecot/conf.d/10-mail.conf # This long notify interval makes the system more suited for use with # battery powered mobile devices sed -i 's|#imap_idle_notify_interval =.*|imap_idle_notify_interval = 29|g' /etc/dovecot/conf.d/20-imap.conf if [ -f /var/lib/dovecot/ssl-parameters.dat ]; then rm /var/lib/dovecot/ssl-parameters.dat fi if [ -f /etc/systemd/system/sockets.target.wants/dovecot.socket ]; then rm /etc/systemd/system/sockets.target.wants/dovecot.socket fi # Separate logging, otherwise syslog is used if ! grep -q "# logging" /etc/dovecot/dovecot.conf; then { echo ''; echo '# logging'; echo 'log_path = /var/log/dovecot.log'; echo 'info_log_path = /var/log/dovecot-info.log'; echo 'debug_log_path = /var/log/dovecot-debug.log'; } >> /etc/dovecot/dovecot.conf fi systemctl restart dovecot mark_completed "${FUNCNAME[0]}" } function configure_imap_client_certs { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi # http://strange.systems/certificate-based-auth-with-dovecot-sendmail/ sed -i 's|#default_process_limit =.*|default_process_limit = 100|g' /etc/dovecot/conf.d/10-master.conf sed -i 's/disable_plaintext_auth =.*/disable_plaintext_auth = yes/g' /etc/dovecot/conf.d/10-auth.conf sed -i 's|#auth_ssl_require_client_cert =.*|auth_ssl_require_client_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf sed -i 's|#auth_ssl_username_from_cert =.*|auth_ssl_username_from_cert = yes|g' /etc/dovecot/conf.d/10-auth.conf sed -i "s|#ssl_ca =.*|ssl_ca = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt|g" /etc/dovecot/conf.d/10-ssl.conf sed -i 's|#ssl_cert_username_field =.*|ssl_cert_username_field = commonName|g' /etc/dovecot/conf.d/10-ssl.conf sed -i 's|#ssl_verify_client_cert =.*|ssl_verify_client_cert = yes|g' /etc/dovecot/conf.d/10-ssl.conf if ! grep -q "passdb {" /etc/dovecot/conf.d/10-auth.conf; then { echo ''; echo 'passdb {'; echo ' driver = passwd-file'; echo ' args = /etc/dovecot/passwd-file'; echo ' deny = no'; echo ' master = no'; echo ' pass = no'; echo '}'; } >> /etc/dovecot/conf.d/10-auth.conf fi if [[ "$ONION_ONLY" == "no" ]]; then # make a CA cert if [ ! -f "/etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key" ]; then if [[ "$LETSENCRYPT_ENABLED" != "yes" ]]; then "${PROJECT_NAME}-addcert" -h "$DEFAULT_DOMAIN_NAME" --ca "" --dhkey "$DH_KEYLENGTH" else "${PROJECT_NAME}-addcert" -e "$DEFAULT_DOMAIN_NAME" -s "$LETSENCRYPT_SERVER" --ca "" --dhkey "$DH_KEYLENGTH" --email "$MY_EMAIL_ADDRESS" fi fi fi # CA configuration { echo '[ ca ]'; echo "default_ca = dovecot-ca"; echo ''; echo '[ crl_ext ]'; echo 'authorityKeyIdentifier=keyid:always'; echo ''; echo '[ dovecot-ca ]'; echo 'new_certs_dir = .'; echo 'unique_subject = no'; echo "certificate = /etc/ssl/certs/ca-$DEFAULT_DOMAIN_NAME.crt"; echo 'database = ssldb'; echo "private_key = /etc/ssl/private/ca-$DEFAULT_DOMAIN_NAME.key"; echo 'serial = sslserial'; echo 'default_days = 3650'; echo 'default_md = sha256'; echo 'default_bits = 2048'; echo 'policy = dovecot-ca_policy'; echo 'x509_extensions = dovecot-ca_extensions'; echo ''; echo '[ dovecot-ca_policy ]'; echo 'commonName = supplied'; echo 'stateOrProvinceName = supplied'; echo 'countryName = supplied'; echo 'emailAddress = optional'; echo 'organizationName = supplied'; echo 'organizationalUnitName = optional'; echo ''; echo '[ dovecot-ca_extensions ]'; echo 'basicConstraints = CA:false'; echo 'subjectKeyIdentifier = hash'; echo 'authorityKeyIdentifier = keyid:always'; echo 'keyUsage = digitalSignature,keyEncipherment'; echo 'extendedKeyUsage = clientAuth'; } > /etc/ssl/dovecot-ca.cnf if [ -f /etc/ssl/ssldb ]; then rm /etc/ssl/ssldb fi if [ -f /etc/ssl/sslserial ]; then rm /etc/ssl/sslserial fi touch /etc/ssl/ssldb echo 0001 > /etc/ssl/sslserial #${PROJECT_NAME}-clientcert -u $MY_USERNAME systemctl restart dovecot mark_completed "${FUNCNAME[0]}" } function create_gpg_subkey { # Note: currently not used if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi apt-get -yq install gnupg GPG_KEY_USAGE=$1 if [[ "$GPG_KEY_USAGE" != "sign" && "$GPG_KEY_USAGE" != "auth" && "$GPG_KEY_USAGE" != "encrypt" ]]; then echo $"Unknown subkey usage: $GPG_KEY_USAGE" echo $'Available types: sign|auth|encrypt' exit 14783 fi KEYGRIP=$(gpg --fingerprint --fingerprint "$MY_EMAIL_ADDRESS" | grep fingerprint | tail -1 | cut -d= -f2 | sed -e 's/ //g') # Generate a GPG subkey { echo 'Key-Type: eddsa'; echo 'Key-Curve: Ed25519'; echo "Key-Grip: $KEYGRIP"; echo 'Subkey-Type: eddsa'; echo "subkey-Usage: $GPG_KEY_USAGE"; echo "Name-Real: $MY_NAME"; echo "Name-Email: $MY_EMAIL_ADDRESS"; echo "Name-Comment: $GPG_KEY_USAGE"; echo 'Expire-Date: 0'; echo "Passphrase: $PROJECT_NAME"; } > "/home/$MY_USERNAME/gpg-genkey.conf" chown "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/gpg-genkey.conf" su -m root -c "gpg --homedir /home/$MY_USERNAME/.gnupg --batch --full-gen-key /home/$MY_USERNAME/gpg-genkey.conf" - "$MY_USERNAME" chown -R "$MY_USERNAME":"$MY_USERNAME" "/home/$MY_USERNAME/.gnupg" shred -zu "/home/$MY_USERNAME/gpg-genkey.conf" # shellcheck disable=SC2034 MY_GPG_SUBKEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") mark_completed "${FUNCNAME[0]}" } function gpg_key_exists { key_owner_username="$1" key_search_text="$2" if [[ $key_owner_username != "root" ]]; then KEY_EXISTS=$(su -c "gpg --list-keys \"${key_search_text}\"" - "$key_owner_username") else KEY_EXISTS=$(gpg --list-keys "${key_search_text}") fi if [ ! "$KEY_EXISTS" ]; then echo "no" return fi if [[ "$KEY_EXISTS" == *"error"* ]]; then echo "no" return fi echo "yes" } function configure_gpg { if [ ! -d /etc/exim4 ]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi apt-get -yq install gnupg dirmngr printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > ~/.gnupg/S.dirmngr check_email_address_exists gpg_dir="/home/$MY_USERNAME/.gnupg" # if gpg keys directory was previously imported from usb if [ -d "$gpg_dir" ]; then echo $'GPG directory exists' else echo $"GPG directory $gpg_dir was not found" fi if [ -d "$gpg_dir" ]; then echo $'GPG keys were imported' sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" "$gpg_dir/gpg.conf" MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then echo $'GPG public key ID could not be obtained' else if [[ "$MY_GPG_PUBLIC_KEY_ID" == *'error'* ]]; then echo $"Can't locate gpg key" else chown -R "$MY_USERNAME":"$MY_USERNAME" "$gpg_dir" chmod 700 "$gpg_dir" chmod 600 "$gpg_dir/"* printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "/home/$MY_USERNAME/.gnupg/S.dirmngr" if [ -d "/home/$MY_USERNAME/.gnupg/crls.d" ]; then chmod +x "/home/$MY_USERNAME/.gnupg/crls.d" fi mark_completed "${FUNCNAME[0]}" return fi fi fi if [ ! -d "$gpg_dir" ]; then mkdir "$gpg_dir" echo "keyserver $GPG_KEYSERVER" >> "$gpg_dir/gpg.conf" echo 'keyserver-options auto-key-retrieve' >> "$gpg_dir/gpg.conf" fi sed -i "s|keyserver hkp://keys.gnupg.net|keyserver $GPG_KEYSERVER|g" "$gpg_dir/gpg.conf" gpg_agent_setup root gpg_agent_setup "$MY_USERNAME" if ! grep -q "# default preferences" "$gpg_dir/gpg.conf"; then { echo ''; echo '# default preferences'; echo 'personal-digest-preferences SHA256'; echo 'cert-digest-algo SHA256'; echo 'default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'; } >> "$gpg_dir/gpg.conf" fi chown -R "$MY_USERNAME":"$MY_USERNAME" "$gpg_dir" chmod 700 "$gpg_dir" chmod 600 "$gpg_dir/"* printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > "$gpg_dir/S.dirmngr" if [ -d "$gpg_dir/crls.d" ]; then chmod +x "$gpg_dir/crls.d" fi if [[ "$MY_GPG_PUBLIC_KEY" && "$MY_GPG_PRIVATE_KEY" ]]; then echo $'Importing GPG keys from file' echo $"Public key: $MY_GPG_PUBLIC_KEY" echo $"Private key: $MY_GPG_PRIVATE_KEY" # use your existing GPG keys which were exported if [ ! -f $MY_GPG_PUBLIC_KEY ]; then echo $"GPG public key file $MY_GPG_PUBLIC_KEY was not found" exit 2483 fi if [ ! -f $MY_GPG_PRIVATE_KEY ]; then echo $"GPG private key file $MY_GPG_PRIVATE_KEY was not found" exit 5383 fi gpg_import_public_key "$MY_USERNAME" "$MY_GPG_PUBLIC_KEY" gpg_import_private_key "$MY_USERNAME" "$MY_GPG_PRIVATE_KEY" KEY_EXISTS=$(gpg_key_exists "$MY_USERNAME" "$MY_EMAIL_ADDRESS") if [[ $KEY_EXISTS == "no" ]]; then echo $"The GPG key for $MY_EMAIL_ADDRESS could not be imported" exit 13821 fi # for security ensure that the private key file doesn't linger around shred -zu $MY_GPG_PRIVATE_KEY MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then echo $'GPG public key ID could not be obtained' fi else # Generate a GPG key if [ -f "$IMAGE_PASSWORD_FILE" ]; then gpg_create_key "$MY_USERNAME" "$(printf "%s" "$(cat "$IMAGE_PASSWORD_FILE")")" else gpg_create_key "$MY_USERNAME" "$PROJECT_NAME" fi MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_EMAIL_ADDRESS") MY_GPG_PUBLIC_KEY=/tmp/public_key.gpg gpg_export_public_key "$MY_USERNAME" "$MY_GPG_PUBLIC_KEY_ID" "$MY_GPG_PUBLIC_KEY" fi if [ ! -d /root/.gnupg ]; then cp -r "/home/$MY_USERNAME/.gnupg" /root/ chmod 700 /root/.gnupg chmod 600 /root/.gnupg/* printf '%%Assuan%%\nsocket=/dev/shm/S.dirmngr\n' > /root/.gnupg/S.dirmngr if [ -d /root/.gnupg/crls.d ]; then chmod +x /root/.gnupg/crls.d fi fi mark_completed "${FUNCNAME[0]}" } function refresh_gpg_keys { REFRESH_GPG_KEYS_SCRIPT=/tmp/update-gpg-keys { echo '#!/bin/bash'; echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then"; echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes"; echo 'else'; echo " /usr/bin/timeout 600 /usr/bin/${PROJECT_NAME}-sec --refresh yes"; echo 'fi'; echo 'exit 0'; } > "$REFRESH_GPG_KEYS_SCRIPT" chmod +x "$REFRESH_GPG_KEYS_SCRIPT" if [ ! -f /usr/bin/update-gpg-keys ]; then cp "$REFRESH_GPG_KEYS_SCRIPT" /usr/bin/update-gpg-keys else HASH1=$(sha256sum "$REFRESH_GPG_KEYS_SCRIPT" | awk -F ' ' '{print $1}') HASH2=$(sha256sum /usr/bin/update-gpg-keys | awk -F ' ' '{print $1}') if [[ "$HASH1" != "$HASH2" ]]; then cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys fi rm $REFRESH_GPG_KEYS_SCRIPT fi REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab fi if ! grep -q "$REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then GPG_REFRESH_TIME=$(( RANDOM % 60 )) echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab systemctl restart cron else if ! grep "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab fi fi } function prevent_mail_process_overrun { # This prevents any large buildup of exim processes, perhaps due to # Tor unavailability, from disabling the server { echo '#!/bin/bash'; echo "exim_ctr=\$(pgrep \"exim4\" | wc -l)"; echo "if [ \"\$exim_ctr\" -gt 5 ]; then"; echo ' systemctl stop exim4'; echo ' exim -bp | exiqgrep -i | xargs exim -Mrm 2> /dev/null'; echo ' systemctl start exim4'; echo 'fi'; } > /usr/bin/exim_check chmod +x /usr/bin/exim_check cron_add_mins 5 '/usr/bin/exim_check' } function install_email { if [[ $SYSTEM_TYPE == "mesh"* ]]; then return fi if [[ $(is_completed "${FUNCNAME[0]}") == "1" ]]; then return fi create_email_onion_address check_email_address_exists install_email_basic configure_email_onion prevent_mail_process_overrun mark_completed "${FUNCNAME[0]}" } function remove_ip_addresses_from_email_logs { { echo '#!/bin/bash'; echo ''; echo 'if grep -q "= /dev/null" /etc/php/7.0/fpm/php-fpm.conf; then'; echo ' if [ -f /var/log/exim4/mainlog ]; then'; echo ' rm /var/log/exim4/mainlog'; echo ' fi'; echo ' if [ -f /var/log/exim4/rejectlog ]; then'; echo ' rm /var/log/exim4/rejectlog'; echo ' fi'; echo 'else'; echo ' if [ -f /var/log/exim4/mainlog ]; then'; echo " if grep -q '\\[' /var/log/exim4/mainlog; then"; echo " tail -n 50 /var/log/exim4/mainlog | sed 's/\\[[^][]*\\]//g' > /tmp/.exim4_mainlog"; echo ' chown Debian-exim:adm /tmp/.exim4_mainlog'; echo ' mv /tmp/.exim4_mainlog /var/log/exim4/mainlog'; echo ' fi'; echo ' fi'; echo ' if [ -f /var/log/exim4/rejectlog ]; then'; echo " if grep -q '\\[' /var/log/exim4/rejectlog; then"; echo " tail -n 50 /var/log/exim4/rejectlog | sed 's/\\[[^][]*\\]//g' > /tmp/.exim4_rejectlog"; echo ' chown Debian-exim:adm /tmp/.exim4_rejectlog'; echo ' mv /tmp/.exim4_rejectlog /var/log/exim4/rejectlog'; echo ' fi'; echo ' fi'; echo 'fi'; } > /usr/bin/exim_log_tidy chmod +x /usr/bin/exim_log_tidy cron_add_mins 1 '/usr/bin/exim_log_tidy' } # NOTE: deliberately no exit 0