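# NixOS module: a loopback-only Postfix instance that local applications use
# to send outbound mail (the configuration comments name Laravel as the sender).
{ pkgs, lib, config, ... }:
let
  # One definition of the FQDN, reused for hostname, myhostname and the HELO name
  # so the three values cannot drift apart.
  fqdn = "amzebs-01.amz.at";

  headerChecksFile = pkgs.writeText "header_checks" ''
    # header_checks(5) patterns are applied to each header that is present,
    # one logical header at a time; they cannot detect a header that is absent.
    # The rule below only matches an empty header line and WARN only logs,
    # so this file never rejects mail.
    /^$/ WARN Missing headers detected
  '';
in
{
  services.postfix = {
    mapFiles."header_checks" = headerChecksFile;

    enable = true;
    hostname = fqdn;
    domain = "amz.at";

    config = {
      # Explicitly set hostname to prevent "localhost" HELO issues
      myhostname = fqdn;

      # Set proper HELO name for outgoing SMTP connections
      smtp_helo_name = fqdn;

      # Banner shows only the hostname and protocol, no software name or version
      smtpd_banner = "$myhostname ESMTP";

      # Listen only on localhost for security
      # Laravel will send via localhost, no external access needed
      inet_interfaces = "loopback-only";

      # Compatibility
      compatibility_level = "2";

      # Only loopback clients are trusted to relay through this instance
      mynetworks = [ "127.0.0.0/8" "[::1]/128" ];

      # Larger message size limits for attachments
      mailbox_size_limit = 202400000; # ~200MB
      message_size_limit = 51200000; # ~50MB

      # Header rules from the map file above. As written they only log a
      # warning; they do not reject mail and cannot spot missing headers.
      # NOTE(review): if missing-header detection is wanted, it presumably
      # belongs in the rspamd milter mentioned below - confirm.
      header_checks = "regexp:/var/lib/postfix/conf/header_checks";

      # Rate limiting to cap what a buggy or compromised local application can send.
      # Postfix exempts clients listed in smtpd_client_event_limit_exceptions,
      # which defaults to $mynetworks. Every client of this loopback-only
      # instance is in mynetworks, so without the override the two limits
      # below would never be enforced.
      # Senders connecting from the same loopback address share one budget per
      # anvil_rate_time_unit; raise the limits if legitimate bulk mail is deferred.
      smtpd_client_event_limit_exceptions = "";
      smtpd_client_message_rate_limit = 100;
      smtpd_client_recipient_rate_limit = 200;

      # Milter configuration is handled automatically by rspamd.postfix.enable
    };
  };
}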