-[Install]
-WantedBy=timers.target
-EOF
-systemctl daemon-reload
-systemctl start mailcert
-systemctl restart mailcert.timer
-systemctl enable mailcert.timer
-
-##### end mailcert setup #####
-
-
-
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
-
- # mail.iankelling.org so local imap clients can connect with tls and
- # when they happen to not be local.
- sed -ri -f - /etc/hosts <<'EOF'
-/^127\.0\.1\.1.* mail\.iankelling\.org\b/q
-/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
-EOF
- /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
-server=/mail.iankelling.org/127.0.1.1
-EOF
- systemctl reload dnsmasq
-
- debconf-set-selections <<EOF
-# Mail Server configuration
-# -------------------------
-
-# Please select the mail server configuration type that best meets your needs.
-
-# Systems with dynamic IP addresses, including dialup systems, should generally be
-# configured to send outgoing mail to another machine, called a 'smarthost' for
-# delivery because many receiving systems on the Internet block incoming mail from
-# dynamic IP addresses as spam protection.
-
-# A system with a dynamic IP address can receive its own mail, or local delivery can be
-# disabled entirely (except mail for root and postmaster).
-
-# 1. internet site; mail is sent and received directly using SMTP
-# 2. mail sent by smarthost; received via SMTP or fetchmail
-# 3. mail sent by smarthost; no local mail
-# 4. local delivery only; not on a network
-# 5. no configuration at this time
-
-# General type of mail configuration: 1
-exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent and received directly using SMTP
-
-
-
-# The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
-# name.
-
-# This name will also be used by other programs. It should be the single, fully
-# qualified domain name (FQDN).
-
-# Thus, if a mail address on the local host is foo@example.org, the correct value for
-# this option would be example.org.
-
-# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
-
-# System mail name:
-# iank: see comment elsewhere on mailname
-exim4-config exim4/mailname string mail.iankelling.org
-
-
-
-
-# Please enter a semicolon-separated list of recipient domains for which this machine
-# should consider itself the final destination. These domains are commonly called
-# 'local domains'. The local hostname (kd.lan) and 'localhost' are always added
-# to the list given here.
-
-# By default all local domains will be treated identically. If both a.example and
-# b.example are local domains, acc@a.example and acc@b.example will be delivered to the
-# same final destination. If different domain names should be treated differently, it
-# is necessary to edit the config files afterwards.
-
-# Other destinations for which mail is accepted:
-# iank.bid is for testing
-# mail.iankelling.org is for machines i own
-exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz
-
-
-
-
-# Please enter a semicolon-separated list of IP addresses. The Exim SMTP listener
-# daemon will listen on all IP addresses listed here.
-
-# An empty value will cause Exim to listen for connections on all available network
-# interfaces.
-
-# If this system only receives mail directly from local services (and not from other
-# hosts), it is suggested to prohibit external connections to the local Exim daemon.
-# Such services include e-mail programs (MUAs) which talk to localhost only as well as
-# fetchmail. External connections are impossible when 127.0.0.1 is entered here, as
-# this will disable listening on public network interfaces.
-
-# IP-addresses to listen on for incoming SMTP connections:
-exim4-config exim4/dc_local_interfaces string
-
-
-
-
-# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected
-# to the user account of the actual system administrator.
-
-# If this value is left empty, such mail will be saved in /var/mail/mail, which is not
-# recommended.
-
-# Note that postmaster\'s mail should be read on the system to which it is directed,
-# rather than being forwarded elsewhere, so (at least one of) the users listed here
-# should not redirect their mail off this machine. A 'real-' prefix can be used to
-# force local delivery.
-
-# Multiple user names need to be separated by spaces.
-
-# Root and postmaster mail recipient:
-exim4-config exim4/dc_postmaster string $postmaster
-
-
-
-# Exim is able to store locally delivered email in different formats. The most commonly
-# used ones are mbox and Maildir. mbox uses a single file for the complete mail folder
-# stored in /var/mail/. With Maildir format every single message is stored in a
-# separate file in ~/Maildir/.
-
-# Please note that most mail tools in Debian expect the local delivery method to be
-# mbox in their default.
-
-# 1. mbox format in /var/mail/ 2. Maildir format in home directory
-
-# Delivery method for local mail: 2
-exim4-config exim4/dc_localdelivery select Maildir format in home directory
-EOF
- echo mail.iankelling.org > /etc/mailname
-
- # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
- # smarthost config type, not sure. all other settings
- # would be unused in that config type.
- rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
- cat >/etc/exim4/conf.d/main/000_local <<EOF
-# enable 587 in addition to the default 25, so that
-# i can send mail where port 25 is firewalled by isp
-daemon_smtp_ports = 25 : 587
-# i don't have ipv6 setup for my vpn tunnel yet.
-disable_ipv6 = true
-
-MAIN_TLS_ENABLE = true
-
-DKIM_CANON = relaxed
-DKIM_SELECTOR = li
-
-# from comments in
-# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
-
-# The file is based on the outgoing domain-name in the from-header.
-DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
-# sign if key exists
-DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
-
-
-# failing message on mail-tester.com:
-# We check if there is a server (A Record) behind your hostname kd.
-# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
-# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
-# and this one seemed appropriate from grepping config.
-# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
-# mail to kd, so this should basically be a name that no host has as their
-# canonical hostname since the actual host sits behind a nat and changes.
-# Seems logical for this to be the same as mailname.
-MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
-
-# normally empty, I set this so I can set the envelope address
-# when doing mail redelivery to invoke filters
-MAIN_TRUSTED_GROUPS = $u
-
-LOCAL_DELIVERY = dovecot_lmtp
-
-# options exim has to avoid having to alter the default config files
-CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
-CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
-
-# debian exim config added this in 2016 or so?
-# it's part of the smtp spec, to limit lines to 998 chars
-# but a fair amount of legit mail does not adhere to it. I don't think
-# this should be default, like it says in
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
-# todo: the bug for introducing this was about headers, but
-# the fix maybe is for all lines? one says gmail rejects, the
-# other says gmail does not reject. figure out and open a new bug.
-IGNORE_SMTP_LINE_LENGTH_LIMIT = true
-
-# most of the ones that gmail seems to use.
-# Exim has horrible default of signing unincluded
-# list- headers since they got mentioned in an
-# rfc, but this messes up mailing lists, like gnu/debian which want to
-# keep your dkim signature intact but add list- headers.
-DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
-
-# recommended if dns is expected to work
-CHECK_RCPT_VERIFY_SENDER = true
-# seems like a good idea
-CHECK_DATA_VERIFY_HEADER_SENDER = true
-CHECK_RCPT_SPF = true
-CHECK_RCPT_REVERSE_DNS = true
-CHECK_MAIL_HELO_ISSUED = true
-EOF
-
-
- ####### begin dovecot setup ########
- # based on a little google and package search, just the dovecot
- # packages we need instead of dovecot-common.
- #
- # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
- # directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
- # sieve has the benefit of being supported in postfix and
- # proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
- # if we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve
-
- # we set this later in local.conf
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-/^\s*mail_location\s*=/d