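{ config, pkgs, ... }:
let
  # header_checks table used only by the "submission-header-cleanup" service
  # defined in settings.master below: strips headers that reveal the submitting
  # client (trace, originating IP, mail client) and rewrites the domain part of
  # the Message-ID so the client host name does not leak there either.
  submissionHeaderCleanupRules = pkgs.writeText "submission_header_cleanup_rules" ''
    /^Received:/ ignore
    /^X-Originating-IP:/ ignore
    /^X-Mailer:/ ignore
    /^User-Agent:/ ignore
    /^X-Enigmail:/ ignore
    /^Message-ID:\s+<(.*?)@.*?>/ replace Message-ID: <$1@ktiu.net>
  '';

  # one ACME certificate dedicated to postfix, keyed by the host's FQDN
  certName = "${config.networking.fqdn}-postfix";
  certDir = config.security.acme.certs.${certName}.directory;
in
{
  networking.firewall.allowedTCPPorts = [
    25  # SMTP
    587 # SMTP w/ TLS
  ];

  security.acme.certs.${certName} = {
    domain = config.networking.fqdn;
    webroot = "/var/lib/acme/.challenges";
    # the key must be group-readable by the postfix daemons
    group = config.services.postfix.group;
  };

  services.postfix = {
    enable = true;

    # virtual alias map: all mail for both domains is delivered to one mailbox
    virtual = ''
      @ktiu.net till.straube@t9e.me
      @t9e.me till.straube@t9e.me
    '';
    mapFiles.virtual-mailboxes = pkgs.writeText "postfix-virtual-mailboxes" ''
      @ktiu.net anything
      @t9e.me anything
    '';

    # port 587: TLS is mandatory and only SASL-authenticated (dovecot) clients
    # may submit; anything else is rejected by the trailing "reject".
    enableSubmission = true;
    submissionOptions = {
      milter_macro_daemon_name = "ORIGINATING";
      # route submitted mail through the dedicated cleanup service so the header
      # rewrites above apply to outgoing mail only, never to inbound port-25 mail
      cleanup_service_name = "submission-header-cleanup";
      smtpd_tls_security_level = "encrypt";
      smtpd_sasl_auth_enable = "yes";
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/var/run/dovecot2/auth";
      smtpd_sasl_security_options = "noanonymous";
      smtpd_client_restrictions = "permit_mynetworks,permit_sasl_authenticated,reject";
      smtpd_recipient_restrictions = "reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject";
    };

    settings = {
      main = {
        virtual_mailbox_domains = [ "t9e.me" "ktiu.net" ];
        virtual_mailbox_maps = "hash:/etc/postfix/virtual-mailboxes";
        virtual_transport = "lmtp:unix:/var/run/dovecot2/lmtp";
        # inbound port 25: opportunistic STARTTLS (offered, not required)
        smtpd_tls_security_level = "may";
        # smtpd_tls_chain_files is a main.cf parameter, so it lives under `main`
        # (it was previously a sibling of `main`/`master` and never reached
        # main.cf). Postfix requires the private key to precede its certificate.
        smtpd_tls_chain_files = [
          "${certDir}/key.pem"
          "${certDir}/cert.pem"
        ];
        mydomain = config.networking.domain;
        myhostname = config.networking.fqdn;
        # only loopback is trusted; every other client has to authenticate
        mynetworks = [ "127.0.0.0/8" "[::ffff:127.0.0.0]/104" "[::1]/128" ];
      };
      master = {
        # second cleanup instance identical to the stock one except for the
        # submission-only header_checks table
        "submission-header-cleanup" = {
          type = "unix";
          private = false;
          chroot = false;
          maxproc = 0;
          command = "cleanup";
          args = [ "-o" "header_checks=pcre:${submissionHeaderCleanupRules}" ];
        };
      };
    };
  };
}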