+m sudo gpasswd -a iank adm #needed for reading logs
+
+
+### make local bounces go to normal maildir
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+m mkdir -p ${dirs[@]}
+m chown iank:iank /m /m/md
+m ln -sfT /m/md /m/iank
+m chmod 700 /m /m/md
+m chown -R $u:Debian-exim /m/md/bounces
+m chmod 775 ${dirs[@]}
+m usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+ if [[ ! -L $d ]]; then
+ m rm -rf $d
+ fi
+ m ln -sf -T /m/md/bounces $d
+done
+
+# Note, even the server needs permissions of this file right
+# if it exists, so do this up here.
+f=/p/c/filesystem/etc/exim4/passwd.client
+if [[ ! -e $f ]]; then
+ f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+fi
+m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
+
+# by default, only 10 days of logs are kept. increase that.
+m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+
+
+## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+
+rm -vf /etc/exim4/conf.d/main/000_localmacros # old filename
+cat >/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_ENABLE = true
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# more verbose logs
+MAIN_LOG_SELECTOR = +all
+
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters. Also allows
+# me exiqgrep and stuff.
+MAIN_TRUSTED_GROUPS = $u
+
+# default is 10. when exim has been down for a bit, fsf mailserver
+# will do a big send in one connection, then exim decides to put
+# the messages in the queue instead of delivering them, to avoid
+# spawning too many delivery processes. Pretty sure my system
+# can handle a lot more, but lets go with this.
+smtp_accept_queue_per_connection = 100
+
+
+DKIM_CANON = relaxed
+DKIM_SELECTOR = li
+
+# from comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# The file is based on the outgoing domain-name in the from-header.
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
+# sign if key exists
+DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+EOF
+
+rm -fv /etc/exim4/rcpt_local_acl # old path
+cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# Only hosts we control send to @mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+ message = ian trusted domain recepient but no auth
+ !authenticated = *
+ domains = mail.iankelling.org
+EOF
+rm -fv /etc/exim4/data_local_acl # old path
+cat >/etc/exim4/conf.d/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+#accept
+# spf = pass:fail:softfail:none:neutral:permerror:temperror
+# dmarc_status = reject:quarantine
+# add_header = Reply-to: dmarctest@iankelling.org
+
+EOF
+cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+
+cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+# check_local_user
+ local_parts = ! root
+ transport = LOCAL_DELIVERY
+ cannot_route_message = Unknown user
+EOF
+cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+EOF