{...}:
/*
Mail server module for simatime.com and bsima.me. It sets the `mailserver`
option tree (these look like the simple-nixos-mailserver options; confirm
against the module that is actually imported) and adds Postfix header checks
that reject mail mentioning two domains.

Known issues:
- When the ACME certificate is refreshed, dovecot has to be restarted by hand
  (presumably it keeps serving the previous certificate until then).
- Restarting dovecot may hang; in that case run:
    systemctl --job-mode=ignore-dependencies restart dovecot2 postfix
*/
let
  # One hash file backs three mailboxes (ben, dev, monica), so those accounts
  # share a single password and fall together if it leaks. The value is a
  # string, not a Nix path, so the file itself is not copied into the store.
  # NOTE(review): it sits in a home directory; check owner and mode so other
  # local users cannot read it.
  sharedPasswordFile = "/home/ben/hashed-mail-password";

  # Replies given to the sending server when a header check matches.
  rejectPerfora = "REJECT Domain perfora.net is blocked";
  rejectNovastells = "REJECT Domain novastells.com.es is blocked";
in {
  mailserver = {
    enable = true;

    # Monitoring is off; alertAddress is presumably unused while it stays off.
    monitoring.enable = false;
    monitoring.alertAddress = "bsima@me.com";

    fqdn = "simatime.com";
    domains = ["simatime.com" "bsima.me"];

    # Let's Encrypt, selected by scheme name rather than by number.
    certificateScheme = "acme-nginx";

    # Both the plain and the *Ssl variants of IMAP and POP3 are enabled.
    # NOTE(review): in simple-nixos-mailserver the non-Ssl options open the
    # STARTTLS ports; if every client can use implicit TLS, turning them off
    # removes two listeners. Confirm against the module version in use.
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    enableManageSieve = true;

    # No antivirus scanning: attachments reach mailboxes unscanned.
    virusScanning = false;
    localDnsResolver = true;

    # Real virtual aliases (replaces an earlier placeholder).
    extraVirtualAliases = {
      "blocked@simatime.com" = "ben@simatime.com";
    };

    loginAccounts = {
      "ben@simatime.com" = {
        hashedPasswordFile = sharedPasswordFile;
        aliases = [
          # default address
          "ben@bsima.me"
          # administrative addresses
          "postmaster@simatime.com"
          "abuse@simatime.com"
        ];
        # Any otherwise unknown recipient on either domain is delivered here.
        catchAll = ["simatime.com" "bsima.me"];
        quota = "10G";
      };

      "dev@simatime.com" = {
        hashedPasswordFile = sharedPasswordFile;
        aliases = ["dev@bsima.me"];
        quota = "10G";
      };

      "nick@simatime.com" = {
        # NOTE(review): an inline hash becomes part of the evaluated
        # configuration, so it is visible to anyone who can read this file or
        # (most likely) the world-readable Nix store, and can be attacked
        # offline. The "$6$" prefix is SHA-512 crypt with the default round
        # count. Moving it to hashedPasswordFile, as the other accounts do,
        # keeps the hash out of the store and out of version control.
        hashedPassword = "$6$31P/Mg8k8Pezy1e$Fn1tDyssf.1EgxmLYFsQpSq6RP4wbEvP/UlBlXQhyKA9FnmFtJteXsbJM1naa8Kyylo8vZM9zmeoSthHS1slA1";
        aliases = ["nicolai@simatime.com"];
        quota = "1G";
      };

      "monica@simatime.com" = {
        hashedPasswordFile = sharedPasswordFile;
        quota = "1G";
      };
    };
  };

  # Postfix header checks that reject mail naming an unwanted domain, set
  # through the NixOS services.postfix.headerChecks option.
  #
  # Limits worth knowing when relying on these rules:
  # - The patterns are unanchored on the right and use ".*", so any header of
  #   the given type that contains the text is rejected, including longer
  #   host names that merely contain it.
  # - From:, Sender: and Return-Path: are chosen by the sender, so the rules
  #   only stop mail that names the domain honestly. They are a nuisance
  #   filter, not sender authentication.
  # - NOTE(review): header checks normally apply to every message Postfix
  #   processes, so mail submitted by local users that quotes one of these
  #   domains in a matched header would be rejected too. Confirm.
  services.postfix.headerChecks = [
    # perfora.net
    {
      pattern = "/^Received:.*perfora\\.net/";
      action = rejectPerfora;
    }
    {
      pattern = "/^From:.*perfora\\.net/";
      action = rejectPerfora;
    }

    # novastells.com.es
    {
      pattern = "/^Received:.*novastells\\.com\\.es/";
      action = rejectNovastells;
    }
    {
      pattern = "/^From:.*novastells\\.com\\.es/";
      action = rejectNovastells;
    }
    {
      pattern = "/^Return-Path:.*novastells\\.com\\.es/";
      action = rejectNovastells;
    }
    {
      pattern = "/^Sender:.*novastells\\.com\\.es/";
      action = rejectNovastells;
    }
  ];
}