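{ config, ... }:
{
  # Postfix backup-MX relay for the domains listed below, see:
  # https://www.postfix.org/STANDARD_CONFIGURATION_README.html#backup
  services.postfix = {
    enable = true;
    hostname = "mail-2.grzb.de";
    # Domains this host relays mail for (Postfix relay_domains).
    relayDomains = [
      "grzb.de"
      "nekover.se"
    ];
    # Certificate chain and private key are read from the ACME certificate
    # directory configured for the same hostname.
    sslCert = "${config.security.acme.certs."mail-2.grzb.de".directory}/fullchain.pem";
    sslKey = "${config.security.acme.certs."mail-2.grzb.de".directory}/key.pem";
    # Raw main.cf settings appended by the module.
    #
    # message_size_limit: 20971520 bytes = 20 MiB.
    #
    # smtpd_relay_restrictions: only clients in mynetworks may relay freely;
    #   everyone else is limited to destinations this host is responsible for
    #   (reject_unauth_destination), which is what prevents an open relay.
    #
    # proxy_interfaces: external address of this host, so Postfix recognises
    #   it as its own and does not try to deliver mail to itself.
    #
    # relay_recipient_maps (empty): no recipient validation happens here, so
    #   mail for nonexistent addresses in the relay domains is accepted and
    #   only bounced once the primary rejects it (backscatter). A recipient
    #   table or reject_unverified_recipient would close that gap.
    #
    # *_exclude_ciphers: the original lists had `PSD`, which is not an OpenSSL
    #   cipher keyword and therefore excluded nothing; corrected to `PSK`.
    #
    # *_protocols: SSLv2, SSLv3 and TLSv1 are excluded, but TLSv1.1 is still
    #   enabled although RFC 8996 deprecates it.
    #   NOTE(review): on Postfix >= 3.6 a floor can be written as `>=TLSv1.2`;
    #   removing TLSv1.1 affects interoperability with old peers, so it is
    #   left unchanged here and should be decided deliberately.
    #
    # smtpd_tls_auth_only: SASL AUTH is offered only over TLS. No SASL setup is
    #   visible in this file, so this acts as a guard if it is enabled elsewhere.
    #
    # smtpd_tls_eecdh_grade = ultra:
    #   NOTE(review): recent Postfix versions document `auto` as the default;
    #   confirm that `ultra` is still wanted.
    #
    # tls_preempt_cipherlist: the server's cipher order takes precedence over
    #   the client's.
    extraConfig = ''
      message_size_limit = 20971520
      smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
      proxy_interfaces = 217.160.117.160
      relay_recipient_maps =
      smtp_tls_ciphers = high
      smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtp_tls_mandatory_ciphers = high
      smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtp_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtpd_tls_auth_only = yes
      smtpd_tls_ciphers = high
      smtpd_tls_eecdh_grade = ultra
      smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtpd_tls_loglevel = 1
      smtpd_tls_mandatory_ciphers = high
      smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSK, SRP, 3DES, eNULL, aNULL
      smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
      tls_preempt_cipherlist = yes
      tls_random_source = dev:/dev/urandom
    '';
  };
}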