{ pkgs
, lib
, config
, ...
}:
{
  # Header checks file for validating email headers
  environment.etc."postfix/header_checks".text = ''
    # Warn about missing critical headers (but don't reject from localhost)
    # These help identify misconfigured applications
    /^$/  WARN Missing headers detected
  '';

  services.postfix = {
    enable = true;
    hostname = "amzebs-01.amz.at";
    domain = "amz.at";

    config = {
      # Explicitly set hostname to prevent "localhost" HELO issues
      myhostname = "amzebs-01.amz.at";

      # Set proper HELO name for outgoing SMTP connections
      smtp_helo_name = "amzebs-01.amz.at";

      # Professional SMTP banner (prevents appearing as default/misconfigured)
      smtpd_banner = "$myhostname ESMTP";

      # Listen only on localhost for security
      # Laravel will send via localhost, no external access needed
      inet_interfaces = "loopback-only";

      # Compatibility
      compatibility_level = "2";

      # Only accept mail from localhost
      mynetworks = "127.0.0.0/8 [::1]/128";

      # Larger message size limits for attachments
      mailbox_size_limit = "202400000"; # ~200MB
      message_size_limit = "51200000";  # ~50MB

      # Ensure proper header handling
      # Reject mail that's missing critical headers
      header_checks = "regexp:/etc/postfix/header_checks";

      # Rate limiting to prevent spam-like behavior
      # Allow reasonable sending rates for applications
      smtpd_client_message_rate_limit = "100";
      smtpd_client_recipient_rate_limit = "200";

      # Milter configuration is handled automatically by rspamd.postfix.enable
    };
  };
}