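{...}:
/*
NixOS module: mail hosting for bensima.com, simatime.com and bsima.me, plus
Postfix header-based domain blocks and raised Dovecot memory limits.
The `mailserver` options look like simple-nixos-mailserver's; confirm against
the module version actually imported.

Known issues:
- when the acme cert gets refreshed, you need to manually restart dovecot
- when restarting dovecot, it might hang, in that case do:
    systemctl --job-mode=ignore-dependencies restart dovecot2 postfix

NOTE(review): until dovecot is restarted it keeps serving the old certificate,
so a missed restart ends in clients seeing an expired cert. NixOS offers
security.acme.certs.<name>.reloadServices for this; check whether the
mailserver module in use already sets it before adding it here.
*/
{
  mailserver = {
    enable = true;
    monitoring = {
      enable = true;
      alertAddress = "bsima@icloud.com";
    };
    fqdn = "bensima.com";
    domains = ["bensima.com" "simatime.com" "bsima.me"];
    certificateScheme = "acme-nginx"; # let's encrypt, using named scheme instead of number

    # enableImap / enablePop3 are the STARTTLS listeners (143 / 110);
    # the *Ssl variants are the implicit-TLS listeners (993 / 995).
    # NOTE(review): if every client can use 993/995, the STARTTLS listeners are
    # extra exposed surface and could be turned off.
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    enableManageSieve = true;

    # NOTE(review): with scanning off and catchAll enabled below, attachments
    # sent to any address on these domains reach the mailbox unfiltered.
    virusScanning = false; # ur on ur own
    localDnsResolver = true;

    dmarcReporting = {
      enable = true;
      organizationName = "Ben Sima";
      domain = "bensima.com";
      localpart = "dmarc";
    };

    # Define proper virtual aliases instead of placeholder
    # NOTE(review): the two old-domain entries below are also listed under
    # loginAccounts."ben@bensima.com".aliases; both point at the same mailbox,
    # so one of the two declarations is redundant.
    extraVirtualAliases = {
      "blocked@bensima.com" = "ben@bensima.com";
      # forward old addresses to new domain
      "ben@bsima.me" = "ben@bensima.com";
      "ben@simatime.com" = "ben@bensima.com";
    };

    # NOTE(review): all three accounts read the SAME hashedPasswordFile, so
    # they share one password: whoever knows (or cracks) it can log in as ben,
    # dev and monica alike, and it cannot be rotated per user. Prefer one hash
    # file per account.
    # The path is a quoted string, so the file is not copied into the Nix
    # store; it lives under /home/ben, so verify its owner and mode keep other
    # local users from reading the hash.
    loginAccounts = {
      "ben@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        aliases = [
          # my old emails
          "ben@simatime.com"
          "ben@bsima.me"
          # admin stuff, necessary i think?
          # (RFC 5321 requires a working postmaster address; RFC 2142
          # recommends abuse.)
          "postmaster@bensima.com"
          "abuse@bensima.com"
        ];
        # Every otherwise-unmatched address on these domains is delivered
        # here, so this mailbox receives all mistyped and guessed recipients.
        catchAll = ["bensima.com" "simatime.com" "bsima.me"];
        quota = "10G";
      };
      "dev@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        aliases = ["dev@simatime.com" "dev@bsima.me"];
        quota = "10G";
      };
      "monica@bensima.com" = {
        hashedPasswordFile = "/home/ben/hashed-mail-password";
        quota = "1G";
      };
    };
  };

  # Configure Postfix to block unwanted domains using the NixOS services.postfix.headerChecks option
  #
  # NOTE(review), applies to every rule below:
  # - The patterns are substring matches (".*" before the name, nothing after
  #   it), so they also hit longer names that merely contain the string and
  #   any mention in a display name or comment. Anchor the domain on both
  #   sides if only the exact domain and its subdomains are meant.
  # - A "^Received:" match rejects any message that passed through a host of
  #   that name, including legitimate mail forwarded or relayed by it.
  # - From: and Sender: are set by the sending side, so these rules are a
  #   nuisance filter, not sender verification. Envelope and client checks
  #   (check_sender_access / check_client_access) are the sturdier place to
  #   block a domain.
  # - "^Return-Path:" presumably rarely matches, since that header is normally
  #   added at final delivery rather than present on incoming mail; verify in
  #   the mail log before relying on it.
  services.postfix.headerChecks = [
    # Block perfora.net
    {
      pattern = "^Received:.*perfora\\.net";
      action = "REJECT Domain perfora.net is blocked";
    }
    {
      pattern = "^From:.*perfora\\.net";
      action = "REJECT Domain perfora.net is blocked";
    }
    # Block novastells.com.es domain
    {
      pattern = "^Received:.*novastells\\.com\\.es";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    {
      pattern = "^From:.*novastells\\.com\\.es";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    {
      pattern = "^Return-Path:.*novastells\\.com\\.es";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    {
      pattern = "^Sender:.*novastells\\.com\\.es";
      action = "REJECT Domain novastells.com.es is blocked";
    }
    # Block optaltechtld.com domain
    {
      pattern = "^Received:.*optaltechtld\\.com";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "^From:.*optaltechtld\\.com";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "^Return-Path:.*optaltechtld\\.com";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
    {
      pattern = "^Sender:.*optaltechtld\\.com";
      action = "REJECT Domain optaltechtld.com is blocked";
    }
  ];

  # Increase memory limits for mbsync, otherwise it runs out of space trying to
  # sync large mailboxes (like dev/INBOX)
  # NOTE(review): vsz_limit caps the address space of each process of the
  # service, so 4G is the ceiling per imap process, not for the service as a
  # whole; make sure the host has headroom for several concurrent sessions.
  services.dovecot2.extraConfig = ''
    service imap {
      vsz_limit = 4G
    }
    service quota-status {
      vsz_limit = 4G
    }
  '';
}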