+cat >/etc/exim4/host_local_deny_exceptions <<'EOF'
+mail.fsf.org
+*.posteo.de
+EOF
+
+cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+# smarthost for fsf mail
+# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
+# replaced DCsmarthost with mail.fsf.org
+fsfsmarthost:
+ debug_print = "R: smarthost for $local_part@$domain"
+ driver = manualroute
+ domains = ! +local_domains
+ senders = *@fsf.org
+ transport = remote_smtp_smarthost
+ route_list = * mail.fsf.org byname
+ host_find_failed = ignore
+ same_domain_copy_routing = yes
+ no_more
+EOF
+
+
+cat >/etc/exim4/update-exim4.conf.conf <<'EOF'
+# default stuff, i havent checked if its needed
+dc_minimaldns='false'
+dc_relay_nets=''
+CFILEMODE='644'
+dc_use_split_config='true'
+dc_local_interfaces=''
+dc_mailname_in_oh='true'
+EOF
+
+# * if MAIL_HOST
+if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ # ** dovecot
+ ####### begin dovecot setup ########
+ # based on a little google and package search, just the dovecot
+ # packages we need instead of dovecot-common.
+ #
+ # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+ # directly. The reason to do this is to use dovecot\'s sieve, which
+ # has extensions that allow it to be almost equivalent to exim\'s
+ # filter capabilities, some ways probably better, some worse, and
+ # sieve has the benefit of being supported in postfix and
+ # proprietary/weird environments, so there is more examples on the
+ # internet. I was torn about whether to do this or not, meh.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+ for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do
+ sudo -u $u /a/exe/lnf -T $f $(eval echo ~$u)/sieve/${f##*/}
+ done
+ # if we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve
+
+ # we set this later in local.conf
+ sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+/^\s*mail_location\s*=/d
+EOF
+
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+ mail_plugins = \$mail_plugins sieve
+# default was
+ #mail_plugins = \$mail_plugins
+
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+# auth_username_format = %Ln
+#
+# or else # Exim says something like
+# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+# debug_print = "R: catchall for \$local_part@\$domain"
+# driver = redirect
+# domains = +local_domains
+# data = $u
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+ auth_username_format = $u
+}
+
+EOF
+
+
+ cat >/etc/dovecot/local.conf <<EOF
+# so I can use a different login that my shell login for mail. this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
+
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
+
+
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
+
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
+EOF
+ ####### end dovecot setup ########
+
+ # ** exim
+
+ # mail.iankelling.org so local imap clients can connect with tls and
+ # when they happen to not be local.
+ sed -ri -f - /etc/hosts <<'EOF'
+/^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d}
+/^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/
+EOF
+ /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
+server=/mail.iankelling.org/127.0.1.1
+EOF
+ systemctl reload dnsmasq
+
+ # I used to use debconf-set-selections + dpkg-reconfigure,
+ # which then updates this file
+ # but the process is slower than updating it directly and then I want to set other things in
+ # update-exim4.conf.conf, so there's no point.
+ # The file is documented in man update-exim4.conf,
+ # except the man page is not perfect, read the bash script to be sure about things.
+
+ # The debconf questions output is additional documentation that is not
+ # easily accessible, but super long, along with the initial default comment in this
+ # file, so I've saved that into ./mail-notes.conf.
+
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# note: some things we don't set that are here by default because they are unused.
+
+dc_eximconfig_configtype='internet'
+
+# man page: is used to build the local_domains list, together with “localhost”
+# iank.bid is for testing
+# mail.iankelling.org is for machines i own
+dc_other_hostnames='*.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz'
+
+# from man page:
+# Is a list of domains for which we accept mail from anywhere on the Internet but which are not delivered locally, e.g.
+# because this machine serves as secondary MX for these domains. Sets MAIN_RELAY_TO_DOMAINS.
+# todo: we should not accept from anywhere, only the mx for fsf.
+dc_relay_domains='*.fsf.org;fsf.org'
+EOF
+
+
+ # the debconf output about mailname is as follows:
+ # The 'mail name' is the domain name used to 'qualify' mail addresses without a domain
+ # name.
+ # This name will also be used by other programs. It should be the single, fully
+ # qualified domain name (FQDN).
+ # Thus, if a mail address on the local host is foo@example.org, the correct value for
+ # this option would be example.org.
+ # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
+
+ echo mail.iankelling.org > /etc/mailname
+
+ # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
+ # smarthost config type, not sure. all other settings
+ # would be unused in that config type.
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
+# enable 587 in addition to the default 25, so that
+# i can send mail where port 25 is firewalled by isp
+daemon_smtp_ports = 25 : 587
+# i don't have ipv6 setup properly yet
+disable_ipv6 = true
+
+DKIM_CANON = relaxed
+DKIM_SELECTOR = li
+
+# from comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+
+# The file is based on the outgoing domain-name in the from-header.
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
+# sign if key exists
+DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
+
+
+# failing message on mail-tester.com:
+# We check if there is a server (A Record) behind your hostname kd.
+# You may want to publish a DNS record (A type) for the hostname kd or use a different hostname in your mail software
+# https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
+# and this one seemed appropriate from grepping config.
+# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
+# mail to kd, so this should basically be a name that no host has as their
+# canonical hostname since the actual host sits behind a nat and changes.
+# Seems logical for this to be the same as mailname.
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
+
+# normally empty, I set this so I can set the envelope address
+# when doing mail redelivery to invoke filters
+MAIN_TRUSTED_GROUPS = $u
+
+LOCAL_DELIVERY = dovecot_lmtp
+
+# options exim has to avoid having to alter the default config files
+CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+
+# recommended if dns is expected to work
+CHECK_RCPT_VERIFY_SENDER = true
+# seems like a good idea
+CHECK_DATA_VERIFY_HEADER_SENDER = true
+CHECK_RCPT_SPF = true
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_MAIL_HELO_ISSUED = true
+
+# testing dmarc
+#dmarc_tld_file = /etc/public_suffix_list.dat
+EOF
+
+ f=/etc/cron.daily/refresh-dmarc-tld-file
+ cat >$f <<'EOF'
+#!/bin/bash
+cd /etc
+wget -q -N https://publicsuffix.org/list/public_suffix_list.dat
+EOF
+ chmod 755 $f
+
+ sed -i --follow-symlinks -f - /etc/aliases <<EOF
+\$a root: $postmaster
+/^root:/d
+EOF
+
+
+ # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
+ d=/etc/systemd/system/openvpn@mail.service.d
+ mkdir -p $d
+ cat >$d/override.conf <<'EOF'
+[Service]
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+[Unit]
+# StartLimitIntervalSec in recent systemd versions
+StartLimitInterval=0
+EOF
+ if ! systemctl cat openvpn@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then
+ # needed for the above config to go into effect
+ systemctl daemon-reexec
+ fi
+
+
+ systemctl enable mailclean.timer
+ systemctl start mailclean.timer
+ systemctl restart $vpn_ser@mail
+ systemctl enable $vpn_ser@mail
+ systemctl enable dovecot
+ systemctl restart dovecot
+
+ # * not MAIL_HOST
+else # $HOSTNAME != $MAIL_HOST
+ # remove mail. 2 lines to properly remove whitespace
+ sed -ri -f - /etc/hosts <<'EOF'
+s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
+s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2#
+EOF