# NixOS module: Postfix on host "sif" as an outbound-only mail client.
# Nothing is delivered locally; each message goes to an upstream server chosen
# by its sender address, falling back to the "relay" transport. Secrets come
# from sops and reach Postfix through systemd credentials.
{ config, lib, pkgs, ... }:

{
  services.postfix = {
    enable = true;
    # The module's own smtp/submission listener toggles are off; a submission
    # entry is declared by hand under masterConfig below.
    enableSmtp = false;
    enableSubmission = false;
    setSendmail = true;
    networksStyle = "host";
    hostname = "sif.midgard.yggdrasil";
    # Empty destination list plus the error: local transport below mean that
    # no address is treated as local.
    destination = [];
    recipientDelimiter = "+";

    config = {
      mydomain = "yggdrasil.li";
      local_transport = "error:5.1.1 No local delivery";
      alias_database = [];
      alias_maps = [];
      local_recipient_maps = [];

      # Listen on loopback addresses only.
      inet_interfaces = "loopback-only";
      # NOTE(review): "0" presumably disables the size limit; confirm this is
      # intended and not a placeholder.
      message_size_limit = "0";

      # Only user gkleen may submit, flush or list the queue.
      # NOTE(review): these settings govern the sendmail/postqueue commands.
      # The loopback submission listener below is gated only by mynetworks, so
      # any local process that can reach it can presumably hand mail to the
      # authenticated upstream relays. Confirm that is acceptable for this
      # host, or add authentication on the listener.
      authorized_submit_users = "inline:{ gkleen= }";
      authorized_flush_users = "inline:{ gkleen= }";
      authorized_mailq_users = "inline:{ gkleen= }";

      # Outgoing mail from "root" is rewritten to root+sif.
      smtp_generic_maps = "inline:{ root=root+sif }";

      mynetworks = ["127.0.0.0/8" "[::1]/128"];
      # Accept SMTP clients from mynetworks (loopback) and reject all others.
      smtpd_client_restrictions = ["permit_mynetworks" "reject"];
      smtpd_relay_restrictions = ["permit_mynetworks" "reject"];

      # Sender address -> transport:nexthop. The table is written to the Nix
      # store (world-readable); it contains no secrets. One entry per line.
      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
        /@math(ematik)?\.(lmu|uni-muenchen)\.de$/ smtps:smtp.math.lmu.de:465
        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
      ''}'';

      # Automatic BCC, keyed on sender address. Entries are matched in order,
      # so the uni2work rule takes precedence over the general ifi.lmu.de rule.
      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
      ''}'';

      # Senders that match no entry above go through the "relay" transport
      # (declared in masterConfig) to this host.
      relayhost = "[surtr.yggdrasil.li]:465";
      default_transport = "relay";

      # SASL client authentication, with credentials selected per sender.
      smtp_sasl_auth_enable = true;
      smtp_sender_dependent_authentication = true;
      smtp_sasl_tls_security_options = "noanonymous";
      # Only PLAIN is allowed, so the password is protected by nothing but the
      # TLS session. See the notes on TLS levels below and on the smtps transport.
      smtp_sasl_mechanism_filter = ["plain"];
      # The password table is read from a systemd credential, not the Nix store.
      smtp_sasl_password_maps = "regexp:/run/credentials/postfix.service/sasl_passwd";

      smtp_cname_overrides_servername = false;
      smtp_always_send_ehlo = true;

      # DANE with DNSSEC-validated lookups is the default for SMTP client
      # transports that do not override the level.
      # NOTE(review): for destinations that publish no TLSA records, "dane"
      # presumably falls back to opportunistic TLS. That fallback would apply
      # to the university "smtp:" nexthops above, where SASL PLAIN is also
      # sent. Verify whether those servers publish TLSA records, or pin a
      # stricter level for them.
      smtp_tls_security_level = "dane";
      smtp_tls_loglevel = "1";
      smtp_dns_support_level = "dnssec";
    };

    masterConfig = {
      # Hand-written submission listener. It is an inet service running smtpd,
      # and inet_interfaces above confines it to loopback.
      submission = {
        type = "inet";
        private = false;
        command = "smtpd";
        args = [ "-o" "syslog_name=postfix/$service_name" ];
      };

      # Plain "smtp" transport, module defaults only.
      smtp = { };

      # Implicit-TLS (wrapper mode) client, used for smtp.math.lmu.de:465.
      # NOTE(review): "encrypt" makes TLS mandatory but does not authenticate
      # the server certificate, so the SASL PLAIN password for this
      # destination relies on an unauthenticated channel. Consider "verify" or
      # "secure" if the server's certificate chains to a trusted CA.
      # NOTE(review): privileged = true presumably runs this SMTP client with
      # root privileges, while the relay transport below keeps the default.
      # Confirm it is actually required.
      smtps = {
        type = "unix";
        private = true;
        privileged = true;
        chroot = false;
        command = "smtp";
        args = [ "-o" "smtp_tls_wrappermode=yes" "-o" "smtp_tls_security_level=encrypt" ];
      };

      # Default relay: implicit TLS with certificate verification, no fallback
      # relay, and a TLS client certificate. The certificate is public and is
      # copied into the Nix store; the private key is read from a systemd
      # credential.
      relay = {
        command = "smtp";
        args = [
          "-o" "smtp_fallback_relay="
          "-o" "smtp_tls_security_level=verify"
          "-o" "smtp_tls_wrappermode=yes"
          "-o" "smtp_tls_cert_file=${./relay.crt}"
          "-o" "smtp_tls_key_file=/run/credentials/postfix.service/relay.key"
        ];
      };
    };
  };

  # Pass the decrypted sops secrets to the unit as systemd credentials. They
  # appear under /run/credentials/postfix.service/, the paths referenced above.
  systemd.services.postfix = {
    serviceConfig.LoadCredential = [
      "sasl_passwd:${config.sops.secrets."postfix-sasl-passwd".path}"
      "relay.key:${config.sops.secrets."relay-key".path}"
    ];
  };

  sops.secrets = {
    postfix-sasl-passwd = {
      key = "sasl-passwd";
      sopsFile = ./secrets.yaml;
    };
    # NOTE(review): ./relay.key is referenced as a Nix path and is therefore
    # copied into the world-readable store. That is safe only if the file in
    # the repository is the sops-encrypted blob. Confirm that it is.
    relay-key = {
      format = "binary";
      sopsFile = ./relay.key;
    };
  };
}