+[Service]
+User=$u
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean
+EOF
+
+systemctl daemon-reload
+
+# wording of question from dpkg-reconfigure exim4-config
+# 1. internet site; mail is sent and received directly using SMTP
+# 2. mail sent by smarthost; received via SMTP or fetchmail
+# 3. mail sent by smarthost; no local mail
+# 4. local delivery only; not on a network
+# 5. no configuration at this time
+#
+# Note, I have used option 2 in the past for receiving mail
+# from lan hosts, sending external mail via another smtp server.
+#
+# Note, other than configtype, we could set all the options in
+# both types of configs without harm, they would either be
+# ignored or be disabled by other settings, but the default
+# local_interfaces definitely makes things more secure.
+
+# most of these settings get translated into settings
+# in /etc/exim4/update-exim4.conf.conf
+# how /etc/exim4/update-exim4.conf.conf translates into actual exim settings is
+# documented in man update-exim4.conf, which outputs to the config that
+# exim actually reads. except the man page is not perfect, for example,
+# it doesn't document that it sets
+# DCconfig_${dc_eximconfig_configtype}" "1"
+# which is a line from update-exim4.conf, which is a relatively short bash script.
+# mailname setting sets /etc/mailname
+
+debconf-set-selections <<EOF
+exim4-config exim4/use_split_config boolean true
+EOF
+
+source /a/bin/bash_unpublished/source-semi-priv
+mkdir -p /etc/exim4/conf.d/{main,transport,auth,router}
+
+cat >/etc/exim4/rcpt_local_acl <<'EOF'
+# Only hosts we control send to mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+ message = ian trusted domain recepient but no auth
+ !authenticated = *
+ domains = mail.iankelling.org
+EOF
+cat >/etc/exim4/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+ warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+EOF
+cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF