+# todo: sandbox / harden exim:
+# 1. stop it from running as root. how?
+# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-security_considerations.html
+# * avoid using .forward files, remove that router
+# * set deliver_drop_privilege
+# * set user to run as Debian-exim in systemd
+# * set port to something like 2500, and forward 25 to 2500 with iptables. same for 587.
+# https://superuser.com/questions/710253/allow-non-root-process-to-bind-to-port-80-and-443/1334552#1334552
+# * consider whether other routers like postmaster need modification / removal.
+# 2. restrict its filesystem access from within systemd
+
+# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
+# todo: consider hardening cups listening on 0.0.0.0
+# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
+# todo: check that spamd and unbound only listen locally.
+
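Review bot: item 2 ("restrict its filesystem access from within systemd") and the "how?" in item 1 are left without concrete directives, so the todo cannot be acted on as written. Suggest naming the systemd unit settings to evaluate in a drop-in for the exim service, e.g. `ProtectSystem=strict`, `ProtectHome=yes` and `PrivateTmp=yes` together with `ReadWritePaths=` for the spool and log directories exim must write; note that `ProtectHome=yes` also reinforces the decision to drop the `.forward` router, since the daemon would no longer be able to read users' home directories. For the port-binding point, the linked superuser answer also covers the capability-based alternative: `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit lets a `User=Debian-exim` daemon bind 25 and 587 directly, which avoids the iptables redirect in item 1 and the firewall-state dependency it introduces; worth listing it beside the 2500-redirect option so the choice is recorded. Also, `deliver_drop_privilege` only affects the delivery phase, so it does not by itself answer "stop it from running as root" for the listening daemon; the `User=` change is the part that does, and the exim security chapter linked above should be checked for which local-delivery transports still need root before that change is made.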