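# Postfix (SMTP MTA) for ${hyper.domain}: receives mail on port 25, accepts
# authenticated client submission on 587/465, delegates authentication to
# Dovecot (SASL) and hands delivery to Dovecot over LMTP.
{ pkgs, ... }@all:
with all;
let
  # Single LMTP endpoint used for both virtual-domain and local(8) delivery.
  lmtpSocket = "lmtp:unix:/var/spool/postfix/dovecot-lmtp";
in
{
  services.postfix = {
    enable = true;

    # master.cf listeners: submission (587, STARTTLS) and submissions
    # (465, implicit TLS) for mail clients. Their per-listener overrides come
    # from the NixOS defaults (submissionOptions / submissionsOptions); see the
    # note at the end of this attribute set.
    enableSubmission = true;
    enableSubmissions = true;

    # NixOS module options, rendered by the module as myhostname / mydomain /
    # mynetworks. They must not live under settings.main as `hostname`,
    # `domain`, `networks`: Postfix has no parameters of those names, would
    # log them as unused, and myhostname/mydomain/mynetworks would silently
    # keep their defaults.
    hostname = "mail.${hyper.domain}";
    domain = hyper.domain;
    # Hosts that may relay without authenticating (matched by
    # permit_mynetworks below): loopback only, so local services such as
    # CalDAV can send mail.
    networks = [ "127.0.0.0/8" "[::1]/128" ];

    # Raw main.cf parameters.
    settings.main = {
      # Inbound TLS is opportunistic on port 25 (peer MTAs may not offer it),
      # but AUTH is only advertised on encrypted sessions so credentials are
      # never sent in clear text.
      smtpd_tls_security_level = "may";
      smtpd_tls_auth_only = "yes";
      # Certificates are issued by ACME elsewhere (see proxy.nix).
      smtpd_tls_cert_file = "/var/lib/acme/${hyper.domain}/fullchain.pem";
      smtpd_tls_key_file = "/var/lib/acme/${hyper.domain}/key.pem";

      # SASL via Dovecot. The path is presumably the socket Dovecot's auth
      # service exposes for Postfix — confirm against the Dovecot config.
      smtpd_sasl_type = "dovecot";
      smtpd_sasl_path = "/var/spool/postfix/auth";
      smtpd_sasl_auth_enable = "yes";
      # Refuse anonymous SASL mechanisms.
      smtpd_sasl_security_options = "noanonymous";

      # Delivery to Dovecot over LMTP for the hosted domain and for local mail.
      virtual_transport = lmtpSocket;
      virtual_mailbox_domains = [ hyper.domain ];
      mailbox_transport = lmtpSocket;

      # Relay policy, evaluated in order: trusted networks, then authenticated
      # clients, then mail for domains this host is responsible for; anything
      # else is rejected, so the server is not an open relay.
      smtpd_recipient_restrictions = [
        "permit_mynetworks"
        "permit_sasl_authenticated"
        "reject_unauth_destination"
      ];
    };

    # A master.cf submission override (smtpd_tls_security_level=encrypt,
    # smtpd_sasl_auth_enable=yes,
    # smtpd_recipient_restrictions=permit_sasl_authenticated,reject,
    # milter_macro_daemon_name=ORIGINATING) was previously sketched here under
    # a non-existent `submission-options` attribute. The NixOS default
    # submissionOptions is believed to set the equivalent; verify the
    # effective listener with `postconf -M submission/inet` before relying
    # on it, and set services.postfix.submissionOptions explicitly if not.
  };

  # "create socket ala wiki": give the postfix user a home under the queue
  # directory — presumably so the Dovecot sockets referenced above can be
  # created there; confirm against the wiki recipe being followed.
  users.users."postfix" = {
    createHome = true;
    home = "/var/spool/postfix";
  };
}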