`mccarthy.hcoop.net` is our first Debian Jessie VM, and is intended to run mail services and the member portal.

== The Ugly ==

ServerDeleuze decided to start dying one day, so a few evils were committed in moving services.

=== Exim ===

Installed `exim4-daemon-heavy procmail spf-tools-perl` and merged deleuze's config onto the current Debian base exim4 config. No config package has been created. History is lost from deleuze at the moment (diff -ur ...). Added /etc/ferm/service.d/...

==== Exim Notes ====

Blockers:

 * WTF is up with the conf.d/30_exim4_examples hcoop_plain + hcoop_login drivers? Are we using saslauthd for auth?!
 * Running on deleuze with args: `saslauthd -a pam -c -n 5`
 * {{{
account sufficient pam_unix.so
account required pam_ldap.so
account required pam_krb5.so debug
}}}
 * Can users not in slapd actually not send mail? Doesn't seem like it; I can send mail fine when slapd isn't running.
 * Delivery to mailman not on localhost does not work. Need a condition for checking whether we are the mailman host, and something like `remote_smtp_smarthost` to relay to the mailman host if needed (which is deleuze for now).
 * I think `conf.d/router/470_exim4-config_mailman` is the right place (set a different transport if we are not the mailman host).

Things that need review in the config:

 * `dc_other_hostnames`, `dc_relay_nets` and `unix_domains` look like they could be unified, simplifying the config.
 * DomTool overrides `local_domains`, and we replace `local_domains` with `unix_domains` almost everywhere. domtool should probably generate another domainlist, and we should modify the few places where we need to check user-hosted domains (idea for a descriptive name: `hosted_domains`).
 * I think we're doing sender verification wrong.
 * Do we want to check `CHECK_RCPT_DOMAIN_DNSBLS` in addition to `IP_DNSBLS`?
 * Load limits do not appear to cause major problems, but review them because they were made for when deleuze was seriously overloaded.
 * Similarly, retry/30_exim4_config has weird retry times because afs used to time out on deleuze from overload. Revisit.
 * We gain tokens in various places by setting an arbitrary environment variable and using side effects of `$run{}`. There has got to be a better way to grab afs tokens when needed.

Misc changes from Debian:

 * /etc/mailname set to hcoop.net
 * We drop rather than warn for domains in `CHECK_RCPT_IP_DNSBLS`

Major changes of note from deleuze:

 * SPF checking will deny and not just warn
 * DKIM checking is on
 * `dev_null` router not included (unused)
 * `trouble_user` logic not included (one-time problem, years ago...)
 * Using official hcoop cert

== Setup Issues ==

 * Fix fail2ban
 * ferm resets rules every time it reloads. Add a ferm hook to reload fail2ban on firewall reload.
 * `sudo $command > file` does not work; piping does, however. Probably a new sudo option to detect output redirection and squelch output.
 * systemd work:
  * domtool unit files seem to work OK so far
  * ferm is likely starting earlier than it should be, and may fail if the generated config references any pts users
  * dnscache-run starts very late by virtue of daemontools starting late. Either hack daemontools to be `WantedBy=nss-lookup.target` (systemd equivalent of the LSB `$named` service), or make dnscache-run a native systemd service.
  * Hacked momentarily by adding Google DNS servers as backups

----
CategorySystemAdministration
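One shape the mailman relaying router discussed under Exim Notes could take, as an added example (this is not HCoop's actual config and nothing in it is shipped by Debian or mailman). It assumes a `MAILMAN_HOST` macro, defined in a conf.d/main file, that names the box running mailman (deleuze for now), and a `mailman_domains` domainlist covering the list domains; neither exists on this page. It reuses Debian's stock `remote_smtp_smarthost` transport, which takes its destination host from the router's `route_list`.

```exim
# Added example for conf.d/router/470_exim4-config_mailman, not HCoop's config.
# Assumed macros/lists (not on the wiki page):
#   MAILMAN_HOST     = deleuze.hcoop.net      (in a conf.d/main file)
#   mailman_domains  = a domainlist of the mailing-list domains
#
# This router runs only on hosts that are NOT the mailman host and hands list
# mail to Debian's remote_smtp_smarthost transport, addressed to MAILMAN_HOST.
mailman_relay:
  debug_print = "R: mailman_relay for $local_part@$domain"
  driver = manualroute
  domains = +mailman_domains
  # precondition: skip this router entirely when we are the mailman host,
  # so routing falls through to the normal local mailman router below it
  condition = ${if eq{$primary_hostname}{MAILMAN_HOST}{no}{yes}}
  transport = remote_smtp_smarthost
  route_list = * MAILMAN_HOST byname
  # if the mailman host cannot be resolved, queue rather than silently
  # letting a later router try (and fail) local delivery
  host_find_failed = defer
  same_domain_copy_routing = yes
```

After editing the split config, run `update-exim4.conf` and check the decision on each host with `exim4 -bt somelist@example.org` (a constructed address): on mccarthy it should report the `mailman_relay` router and the `remote_smtp_smarthost` transport, while on the mailman host it should show the existing local mailman router.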