{ config, pkgs, ... }:
{
  services.postfix = {
    enable = true;
    enableSmtp = true;
    enableSubmission = false;
    setSendmail = true;
    networksStyle = "host";
    hostname = "sif.midgard.yggdrasil";
    destination = [];
    relayHost = "uucp:ymir";
    recipientDelimiter = "+";
    masterConfig = {
      uucp = {
        type = "unix";
        private = true;
        privileged = true;
        chroot = false;
        command = "pipe";
        args = [ "flags=Fqhu" "user=uucp" ''argv=${config.security.wrapperDir}/uux -z -a $sender - $nexthop!rmail ($recipient)'' ];
      };
    };
    transport = ''
      odin.asgard.yggdrasil uucp:odin
    '';
    config = {
      always_bcc = "gkleen+sent@odin.asgard.yggdrasil";

      default_transport = "uucp:ymir";

      inet_interfaces = "loopback-only";

      authorized_submit_users = ["!uucp" "static:anyone"];
      message_size_limit = "0";

      sender_dependent_default_transport_maps = ''regexp:${pkgs.writeText "sender_relay" ''
        /@(cip|stud)\.ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtp.ifi.lmu.de
        /@ifi\.(lmu|uni-muenchen)\.de$/ smtp:smtpin1.ifi.lmu.de:587
        /@(campus\.)?lmu\.de$/ smtp:postout.lrz.de
      ''}'';
      sender_bcc_maps = ''regexp:${pkgs.writeText "sender_bcc" ''
        /^uni2work(-[^@]*)?@ifi\.lmu\.de$/ uni2work@ifi.lmu.de
        /@ifi\.lmu\.de$/ gregor.kleen@ifi.lmu.de
      ''}'';

      smtp_sasl_auth_enable = true;
      smtp_sender_dependent_authentication = true;
      smtp_sasl_tls_security_options = "noanonymous";
      smtp_sasl_mechanism_filter = ["plain"];
      smtp_sasl_password_maps = "regexp:/var/db/postfix/sasl_passwd";
      smtp_cname_overrides_servername = false;
      smtp_always_send_ehlo = true;
      smtp_tls_security_level = "dane";

      smtp_tls_loglevel = "1";
      smtp_dns_support_level = "dnssec";
    };
  };

  sops.secrets.postfix-sasl-passwd = {
    key = "sasl-passwd";
    path = "/var/db/postfix/sasl_passwd";
    owner = "postfix";
    sopsFile = ./secrets.yaml;
  };
}