+systemctl daemon-reload
+systemctl start mailcert
+systemctl restart mailcert.timer
+systemctl enable mailcert.timer
+
+
+
+# * common exim4 config
+source /a/bin/bash_unpublished/source-state
+
+
+### make local bounces go to normal maildir
+# local mail that bounces goes to /Maildir or /root/Maildir
+dirs=(/m/md/bounces/{cur,tmp,new})
+mkdir -p ${dirs[@]}
+chown -R $u:Debian-exim /m/md/bounces
+chmod 775 ${dirs[@]}
+usermod -a -G Debian-exim $u
+for d in /Maildir /root/Maildir; do
+ if [[ ! -L $d ]]; then
+ rm -rf $d
+ fi
+ ln -sf -T /m/md/bounces $d
+done
+
+
+### begin setup passwd.client
+f=/etc/exim4/passwd.client
+rm -f /etc/exim4/passwd.client
+install -m 640 -g Debian-exim /dev/null $f
+while read -r domain _ pass; do
+ # reference: exim4_passwd_client(5)
+ printf "%s:%s\n" "$domain" "$pass" >>$f
+done </etc/mailpass
+### end setup passwd.client
+
+# by default, only 10 days of logs are kept. increase that.
+sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
+
+
+## https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost
+# i only need .forwards, so just doing that one.
+cd /etc/exim4/conf.d/router
+b=userforward_higher_priority
+# replace the router name so it is unique
+sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
+
+
+rm -f /etc/exim4/conf.d/main/000_localmacros # old filename
+cat >/etc/exim4/conf.d/main/000_local <<EOF
+MAIN_TLS_ENABLE = true
+
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# more verbose logs
+MAIN_LOG_SELECTOR = +all
+
+EOF
+
+rm -f /etc/exim4/rcpt_local_acl # old path
+cat >/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+# Only hosts we control send to @mail.iankelling.org, so make sure
+# they are all authed.
+# Note, if we wanted authed senders for all domains,
+# we could make this condition in acl_check_mail
+deny
+ message = ian trusted domain recepient but no auth
+ !authenticated = *
+ domains = mail.iankelling.org
+EOF
+rm -f /etc/exim4/data_local_acl # old path
+cat >/etc/exim4/conf.d/data_local_acl <<'EOF'
+# Except for the "condition =", this was
+# a comment in the check_data acl. The comment about this not
+# being suitable is mostly bs. The only thing related I found was to
+# add the condition =, cuz spamassassin has problems with big
+# messages and spammers don't bother with big messages,
+# but I've increased the size from 10k
+# suggested in official docs, and 100k in the wiki example because
+# those docs are rather old and I see a 110k spam message
+# pretty quickly looking through my spam folder.
+warn
+ condition = ${if < {$message_size}{2000K}}
+ spam = Debian-exim:true
+ add_header = X-Spam_score: $spam_score\n\
+ X-Spam_score_int: $spam_score_int\n\
+ X-Spam_bar: $spam_bar\n\
+ X-Spam_report: $spam_report
+
+#accept
+# spf = pass:fail:softfail:none:neutral:permerror:temperror
+# dmarc_status = reject:quarantine
+# add_header = Reply-to: dmarctest@iankelling.org
+
+EOF
+cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+# from 30_exim4-config_examples
+
+plain_server:
+driver = plaintext
+public_name = PLAIN
+server_condition = "${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{CONFDIR/passwd}{$value}{*:*}}}}}{1}{0}}"
+server_set_id = $auth2
+server_prompts = :
+.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
+server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
+.endif
+EOF
+
+cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+### router/900_exim4-config_local_user
+#################################
+
+# This router matches local user mailboxes. If the router fails, the error
+# message is "Unknown user".
+
+local_user:
+ debug_print = "R: local_user for $local_part@$domain"
+ driver = accept
+ domains = +local_domains
+# ian: commented this, in conjunction with a dovecot lmtp
+# change so I get mail for all users.
+# check_local_user
+ local_parts = ! root
+ transport = LOCAL_DELIVERY
+ cannot_route_message = Unknown user
+EOF
+cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+dovecot_lmtp:
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+EOF
+
+cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
+mail.fsf.org
+*.posteo.de
+EOF
+
+cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@fsf.org
+ transport = remote_smtp_smarthost
+ route_list = * mail.fsf.org byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+EOF
+
+
+cat >/etc/exim4/update-exim4.conf.conf <<'EOF'
+# default stuff, i havent checked if its needed
+dc_minimaldns='false'
+dc_relay_nets=''
+CFILEMODE='644'
+dc_use_split_config='true'
+dc_local_interfaces=''
+dc_mailname_in_oh='true'
+EOF
+
+# * if MAIL_HOST
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ # ** dovecot
+ ####### begin dovecot setup ########
+ # based on a little google and package search, just the dovecot
+ # packages we need instead of dovecot-common.
+ #
+ # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+ # directly. The reason to do this is to use dovecot\'s sieve, which
+ # has extensions that allow it to be almost equivalent to exim\'s
+ # filter capabilities, some ways probably better, some worse, and
+ # sieve has the benefit of being supported in postfix and
+ # proprietary/weird environments, so there is more examples on the
+ # internet. I was torn about whether to do this or not, meh.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+ for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
+ sudo -u $u /a/exe/lnf -T $f $(eval echo ~$u)/sieve/${f##*/}
+ done
+ # if we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve
+
+ # we set this later in local.conf
+ sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+/^\s*mail_location\s*=/d
+EOF
+
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+ mail_plugins = \$mail_plugins sieve
+# default was
+ #mail_plugins = \$mail_plugins
+
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+# auth_username_format = %Ln
+#
+# or else # Exim says something like
+# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+# debug_print = "R: catchall for \$local_part@\$domain"
+# driver = redirect
+# domains = +local_domains
+# data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+ auth_username_format = $u
+}
+
+EOF
+
+
+ cat >/etc/dovecot/local.conf <<EOF
+# so I can use a different login that my shell login for mail. this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext