mccarthy.hcoop.net is our first Debian Jessie VM, and is intended to run mail services and the member portal.
1. The Ugly
ServerDeleuze decided to start dying one day, so a few evils were committed in moving services.
1.1. Exim
Installed exim4-daemon-heavy procmail spf-tools-perl, merged deleuze's config onto the current Debian base exim4 config. No config package has been created. History is lost from deleuze at the moment (diff -ur ...).
Added /etc/ferm/service.d/...
1.1.1. Exim Notes
Blockers:
- WTF is up with conf.d/30_exim4_examples hcoop_plain + hcoop_login drivers? Are we using sasldaemon for auth?!
  - Running on deleuze with args: saslauthd -a pam -c -n 5
  - PAM account stack on deleuze:
      account sufficient pam_unix.so
      account required pam_ldap.so
      account required pam_krb5.so debug
- Can users not in slapd actually not send mail? Doesn't seem like it, I can send mail fine when slapd isn't running.
- Delivery to mailman not on localhost does not work. Need a condition for checking if we are the mailman host, and using something like remote_smtp_smarthost to relay to the mailman host if needed (which is for now with deleuze).
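One way to express the "are we the mailman host" check, written here as an added illustration rather than taken from the mccarthy config: a manualroute router that relays list domains to the mailman host only when this machine is not that host. It assumes a macro MAILMAN_HOST naming the mailman host, a domainlist mailman_domains listing the list domains, and that the file sorts before the local mailman router in conf.d/router/.

```exim
# Added example, not from the mccarthy config. Assumes MAILMAN_HOST is a
# macro (e.g. MAILMAN_HOST = deleuze.hcoop.net in a conf.d/main file) and
# that domainlist mailman_domains lists the mailing-list domains.
# Must sort before the router that delivers to mailman locally.
relay_to_mailman:
  debug_print = "R: relay_to_mailman for $local_part@$domain"
  driver = manualroute
  domains = +mailman_domains
  # Only run when this host is NOT the mailman host; on the mailman host
  # the router is skipped and the local mailman router handles delivery.
  condition = ${if !eq{$primary_hostname}{MAILMAN_HOST}{yes}{no}}
  # Route every matching domain straight to the mailman host by name.
  route_list = * MAILMAN_HOST byname
  transport = remote_smtp
```

The relay host must still accept mail for those domains from this VM, so its relay configuration (dc_relay_nets or equivalent) needs to include mccarthy.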
Things that need review in the config:
- dc_other_hostnames, dc_relay_nets, unix_domains look like they could be unified, simplifying the config
- DomTool overrides local_domains, and we replace local_domains with unix_domains almost everywhere. domtool should probably generate another domainlist, and we should modify the few places where we need to check user hosted domains (idea for a descriptive name: hosted_domains).
- I think we're doing sender verification wrong
- Do we want to check CHECK_RCPT_DOMAIN_DNSBLS in addition to IP_DNSBLS?
- Load limits do not appear to cause major problems, but review them because they were made for when deleuze was seriously overloaded
- Similarly, retry/30_exim4_config has weird retry times because afs used to time out on deleuze from overloaded. Revisit.
Misc Changes from Debian:
- /etc/mailname to hcoop.net
- We drop rather than warn for domains in CHECK_RCPT_IP_DNSBLS
Major changes of note from deleuze:
- SPF checking will deny and not just warn
- DKIM checking is on
2. Setup Issues
- Fix fail2ban
- ferm resets rules every time it reloads. Add a ferm hook to reload fail2ban on firewall reload
- sudo $command > file does not work; piping does, however. Probably a new sudo option that detects output redirection and squelches output.
- systemd work:
- domtool unit files seem to work OK so far
- ferm is likely starting earlier than it should be, and may fail if the generated config references any pts users
- dnscache-run starts very late by virtue of daemontools starting late. Either hack daemontools to be WantedBy=nss-lookup.target (systemd equiv of LSB $named service), or make dnscache-run a native systemd service.
- Hacked momentarily by adding Google DNS servers as backups