{...}:
/*
Mail server configuration (`mailserver.*` options) plus Postfix header
checks that reject mail mentioning a few blocked domains.

Known issues:
- when the ACME cert gets refreshed, dovecot has to be restarted manually
- restarting dovecot might hang; in that case run:
    systemctl --job-mode=ignore-dependencies restart dovecot2 postfix

NOTE(review): until that manual restart happens, dovecot presumably keeps
serving the old certificate. The NixOS option
`security.acme.certs.<name>.reloadServices` may be able to automate this;
verify against the module versions in use.
*/
let
  # Every domain this host accepts mail for. The same list feeds the
  # catch-all on the primary mailbox further down.
  mailDomains = ["bensima.com" "simatime.com" "bsima.me"];

  # Mailbox that all forwards and old addresses resolve to.
  primaryMailbox = "ben@bensima.com";

  # One hash file is referenced by all three login accounts, so they share a
  # single password: disclosure of that credential exposes every mailbox.
  # NOTE(review): consider one hash file per account. The file sits in a home
  # directory; its ownership and mode are not visible here, so confirm that
  # only the mail stack (and root) can read it.
  sharedPasswordFile = "/home/ben/hashed-mail-password";

  # Build one services.postfix.headerChecks entry: `pattern` is the regexp
  # applied to a header line, `domain` only appears in the rejection text.
  reject = domain: pattern: {
    inherit pattern;
    action = "REJECT Domain ${domain} is blocked";
  };
in {
  mailserver = {
    enable = true;

    fqdn = "bensima.com";
    domains = mailDomains;

    # Let's Encrypt, selected by the named scheme rather than the number.
    certificateScheme = "acme-nginx";

    localDnsResolver = true;

    monitoring = {
      enable = true;
      alertAddress = "bsima@icloud.com";
    };

    # Client access protocols.
    # NOTE(review): enableImap/enablePop3 presumably open the STARTTLS
    # listeners in addition to the implicit-TLS ones enabled by the *Ssl
    # options; if no client depends on them, switching them off leaves only
    # the TLS-wrapped ports. Confirm against the mailserver module docs.
    enableImap = true;
    enablePop3 = true;
    enableImapSsl = true;
    enablePop3Ssl = true;
    enableManageSieve = true;

    # No virus scanning: attachments reach the mailboxes unscanned.
    virusScanning = false;

    # Forwards that do not belong to a login account's own alias list.
    # NOTE(review): the two old-domain entries repeat addresses that are also
    # listed under `aliases` of the primary account below; one of the two
    # definitions is probably redundant. Verify before removing either.
    extraVirtualAliases = {
      "blocked@bensima.com" = primaryMailbox;
      # forward old addresses to the new domain
      "ben@bsima.me" = primaryMailbox;
      "ben@simatime.com" = primaryMailbox;
    };

    loginAccounts = {
      "${primaryMailbox}" = {
        hashedPasswordFile = sharedPasswordFile;
        aliases = [
          # old addresses
          "ben@simatime.com"
          "ben@bsima.me"
          # role addresses (postmaster/abuse)
          "postmaster@bensima.com"
          "abuse@bensima.com"
        ];
        # Catch-all for every configured domain: mail to local parts that
        # match no other account or alias is presumably delivered here
        # instead of being rejected, which also means more spam is accepted.
        catchAll = mailDomains;
        quota = "10G";
      };

      "dev@bensima.com" = {
        hashedPasswordFile = sharedPasswordFile;
        aliases = ["dev@simatime.com" "dev@bsima.me"];
        quota = "10G";
      };

      "monica@bensima.com" = {
        hashedPasswordFile = sharedPasswordFile;
        quota = "1G";
      };
    };
  };

  # Reject mail whose headers mention a blocked domain, via the NixOS
  # services.postfix.headerChecks option.
  #
  # NOTE(review):
  # - The domain part of each pattern has no boundary on either side, so a
  #   longer name that merely contains the blocked one also matches
  #   (constructed example: "notperfora.net"). Expect possible false
  #   positives.
  # - From:, Sender: and Return-Path: are text supplied by the sender, so
  #   these rules are a nuisance filter, not sender authentication.
  # - A Received: match rejects any message whose relay trace mentions the
  #   name, including mail that only passed through such a host.
  # - perfora.net is checked on Received: and From: only, while the other two
  #   domains also cover Return-Path: and Sender:; confirm that the
  #   difference is intended.
  services.postfix.headerChecks = [
    # perfora.net
    (reject "perfora.net" "/^Received:.*perfora\\.net/")
    (reject "perfora.net" "/^From:.*perfora\\.net/")

    # novastells.com.es
    (reject "novastells.com.es" "/^Received:.*novastells\\.com\\.es/")
    (reject "novastells.com.es" "/^From:.*novastells\\.com\\.es/")
    (reject "novastells.com.es" "/^Return-Path:.*novastells\\.com\\.es/")
    (reject "novastells.com.es" "/^Sender:.*novastells\\.com\\.es/")

    # optaltechtld.com
    (reject "optaltechtld.com" "/^Received:.*optaltechtld\\.com/")
    (reject "optaltechtld.com" "/^From:.*optaltechtld\\.com/")
    (reject "optaltechtld.com" "/^Return-Path:.*optaltechtld\\.com/")
    (reject "optaltechtld.com" "/^Sender:.*optaltechtld\\.com/")
  ];
}