+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+# auth_username_format = %Ln
+#
+# or else # Exim says something like
+# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+# debug_print = "R: catchall for \$local_part@\$domain"
+# driver = redirect
+# domains = +local_domains
+# data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+ auth_username_format = $u
+}
+
+EOF
+
+
+ cat >/etc/dovecot/local.conf <<EOF
+# so I can use a different login that my shell login for mail. this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
+
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
+
+
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
+
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
+EOF
+ ####### end dovecot setup ########
+
+ # ** exim
+
+ # mail.iankelling.org so local imap clients can connect with tls and
+ # when they happen to not be local.
+ sed -ri -f - /etc/hosts <<'EOF'
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
+/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
+EOF
+ /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
+server=/mail.iankelling.org/127.0.1.1
+EOF
+ if systemctl is-active dnsmasq >/dev/null; then
+ m systemctl reload dnsmasq
+ fi
+
+ # I used to use debconf-set-selections + dpkg-reconfigure,
+ # which then updates this file
+ # but the process is slower than updating it directly and then I want to set other things in
+ # update-exim4.conf.conf, so there's no point.
+ # The file is documented in man update-exim4.conf,
+ # except the man page is not perfect, read the bash script to be sure about things.
+
+ # The debconf questions output is additional documentation that is not
+ # easily accessible, but super long, along with the initial default comment in this
+ # file, so I've saved that into ./mail-notes.conf.
+
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# note: some things we don't set that are here by default because they are unused.
+
+dc_eximconfig_configtype='internet'
+
+# man page: is used to build the local_domains list, together with “localhost”
+# iank.bid is for testing