From 51f9a28f9bd2e65cdaf51062a9586a0f747cf41b Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Tue, 27 Nov 2018 22:53:01 +0100
Subject: [PATCH] WIP.

---
 .../linkable_etc_files/mail/etc/opendkim.conf        |  2 +-
 .../linkable_etc_files/server/etc/iptables/rules.v4  |  3 +++
 all_new_2018/setup_mail.sh                           | 12 ++++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
index c7691ea..dbd31b4 100644
--- a/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
+++ b/all_new_2018/linkable_etc_files/mail/etc/opendkim.conf
@@ -6,7 +6,7 @@
 Syslog			yes
 # Required to use local socket with MTAs that access the socket as a non-
 # privileged user (e.g. Postfix)
-UMask			002
+UMask			007
 
 # Sign for example.com with key in /etc/dkimkeys/dkim.key using
 # selector '2007' (e.g. 2007._domainkey.example.com)
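Review bot: The comment two lines above the changed value still reads as if any non-privileged MTA user can reach the socket, but a UMask of 007 leaves no "other" permission bits, so the MTA has to share the socket's group (presumably the opendkim group, not shown here). Suggest extending the comment, e.g. `# privileged user (e.g. Postfix); with 007 that user must be a member of the socket's group.` The tightening itself is a sensible hardening of the default 002 — it just needs the prerequisite stated next to it.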
diff --git a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4 b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
index fa4882d..3e518d5 100644
--- a/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
+++ b/all_new_2018/linkable_etc_files/server/etc/iptables/rules.v4
@@ -8,6 +8,9 @@
 -A INPUT -p icmp -j ACCEPT
 # SSH
 -A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTP; uncomment for creating LetsEncrypt certificates in standalone mode.
+#-A INPUT -p tcp --dport 80 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
 # HTTPS in theory, in practice my second SSH port, see sshd_config
 -A INPUT -p tcp --dport 443 -j ACCEPT
 # SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
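Review bot: The added SMTP comment line directly before the HTTPS block duplicates the existing `# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter` comment that already sits above the port 25 rule, and it now mislabels the port 443 rule that follows it. It looks like a stray paste; drop the added line so each comment stays attached to the rule it describes. The commented-out port 80 rule above it is fine as an opt-in for standalone-mode certificate issuance, though a reminder to re-comment it afterwards would help, e.g. `# HTTP; uncomment only while running certbot in standalone mode, then comment out again.`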
diff --git a/all_new_2018/setup_mail.sh b/all_new_2018/setup_mail.sh
index 285ecb6..f19d36e 100755
--- a/all_new_2018/setup_mail.sh
+++ b/all_new_2018/setup_mail.sh
@@ -1,8 +1,8 @@
 #/bin/sh
 set -e
 
-selector=$1
-if [ ! -n "${selector}" ]; then
+dkim_selector=$1
+if [ ! -n "${dkim_selector}" ]; then
     echo "Give DKIM selector argument."
     false
 fi
@@ -12,14 +12,17 @@ mkdir -p /etc/dkimkeys/
 add_dkim_record=0
 if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
     add_dkim_record=1
+    set +e
     dpkg -s opendkim-tools &> /dev/null
     preinstalled="$?"
+    set -e
     if [ ! "${preinstalled}" -eq "0" ]; then
         apt install -y opendkim-tools
     fi
     opendkim-genkey -s "${dkim_selector}"
+    mv "${dkim_selector}.private" /etc/dkimkeys/
     if [ ! "${preinstalled}" -eq "0" ]; then
-        apt --purge autoremove opendkim-tools
+        apt -y --purge autoremove opendkim-tools
     fi
 fi
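Review bot: The `dpkg -s opendkim-tools &> /dev/null` line that the new `set +e`/`set -e` pair wraps uses the bash-only `&>` redirect, yet the file's first line is `#/bin/sh` (the `!` is missing, so it is a comment, not a shebang); under dash `&>` is parsed as `&` followed by `> /dev/null`, which backgrounds dpkg and makes `$?` always 0, so the "preinstalled" detection silently reports the package as installed. Replace the four lines with `preinstalled=0` and `dpkg -s opendkim-tools >/dev/null 2>&1 || preinstalled=$?`, which is POSIX, needs no `set +e` dance, and keeps the later `-eq "0"` checks unchanged; also fix the first line to `#!/bin/sh`. Separately, the new `mv "${dkim_selector}.private" /etc/dkimkeys/` moves the private key as root-owned; if opendkim runs as its own unprivileged user (not visible in this hunk), it may need a `chown` to read the key — worth confirming against the daemon's configuration. The enclosing `if [ ! -f ... ]` block starts before this hunk's first visible line.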
 
@@ -41,7 +44,8 @@ echo "$(hostname -f)" > /etc/mailname
 
 # Everything should now be ready for installations.
 apt install -y postfix dovecot-imapd opendkim
-echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration."
+echo "TODO: Ensure MX entry for your system in your DNS configuration."
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 a mx -all' mapped to your subdomain."
 if [ "${add_dkim_record}" -eq "1" ]; then
     echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
     cat "${dkim_selector}.txt"
-- 
2.30.2