Upon installation of a package with a daemon many packages kindly start the daemon as well. A few examples that come to my mind would be openssh-server, apache2, ejabberd, tor, munin and uucp (it adds cron jobs). However in most cases this is not what I want. For example ejabberd is useless in its default configuration, because it cannot peer with any other servers before configuring a domain to work on, so it really should not be started before being configured. Many daemons open a tcp port binding 0.0.0.0 and this is not always intended (binding a private network is often preferred). For most of the daemons I would like to read the documentation before having a some software running of which I do not know how it works. So how can I achieve this?
Daemons are (in policy-conforming packages, which should be all by now) started at installation time by using the invoke-rc.d script in the maintainer scripts. invoke-rc.d itselfs tries to call /usr/bin/policy-rc.d, which is asked if the local policy allows a certain action for some init script.
You can use this mechanism to define a whitelist of services which should be controlled by invoke-rc.d (i.e., everything that you have already installed and configured) and deny all actions for other, unknown, services. This would ensure that unconfigured daemons are not started at installation time. I’m not aware of an existing implementation of this, but it should be easy to implement in a few lines of shell script. You can find the documentation for policy-rc.d in /usr/share/doc/sysv-rc/README.policy-rc.d.gz on any Debian system.