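# Postfix main.cf (read by postconf/postfix; one "name = value" per line,
# comments only on lines of their own - Postfix has no trailing comments,
# so the inline "<-" remarks from the original are moved above their lines)
compatibility_level = 3.9

# Generic stuff
mail_owner = postfix
myhostname = mydomain.com
# this and the above line should be identical, not a typo!
mydomain = mydomain.com
myorigin = $mydomain
inet_interfaces = all
biff = no
# 0 is unlimited, you might want to set a mail size limit here
# (with no limit a single client can fill the queue / disk)
message_size_limit = 0
# do not let remote clients probe which mailboxes exist
disable_vrfy_command = yes
syslog_facility = mail
syslog_name = postfix

# Protection from lost mail
# switch to no in production
soft_bounce = yes
# switch to 550 in production
unknown_local_recipient_reject_code = 450

# Important to keep as is to avoid delivery loops with the virtual domains
mydestination = localhost.localdomain
mynetworks_style = host

# Local delivery is actually managed by virtual delivery
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps

# Manage postfix virtual delivery mechanism via dovecot lmtp service
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_mailbox_domains = sqlite:/etc/postfix/sql/virtual_mailbox_domains.cf
virtual_mailbox_maps = sqlite:/etc/postfix/sql/virtual_mailbox_maps.cf
virtual_alias_maps = sqlite:/etc/postfix/sql/virtual_alias_maps.cf

# SMTPD (server) SASL + TLS setup
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = no
# AUTH is only announced inside a TLS session, so passwords never cross the wire in clear
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
# "may" = opportunistic TLS, which is what port 25 needs for MX interoperability;
# enforce TLS for the submission service in master.cf instead
smtpd_tls_security_level = may
# the certificate should be issued for the name clients connect to (myhostname above);
# these paths refer to a different name, change them together with myhostname
smtpd_tls_cert_file = /etc/letsencrypt/live/casa.gardiol.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/casa.gardiol.org/privkey.pem
# smtpd_tls_mandatory_protocols only governs sessions where TLS is mandatory
# (security_level encrypt, e.g. submission); opportunistic sessions under "may"
# follow smtpd_tls_protocols, so both are set to keep TLS 1.0/1.1 out everywhere
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

# Generic access rules
strict_rfc821_envelopes = yes
smtpd_helo_required = yes
smtpd_reject_unlisted_sender = yes

# Client connection (do not put "reject" here or nobody will be able to send you emails)
smtpd_client_restrictions = permit_sasl_authenticated

# HELO / EHLO filtering
smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_helo_hostname

# MAIL FROM
smtpd_sender_restrictions = permit_sasl_authenticated, reject_unknown_sender_domain

# RCPT TO: (before recipient)
# reject_unauth_destination is what keeps this host from being an open relay
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

# DATA
smtpd_data_restrictions = reject_unauth_pipelining

# RCPT TO: (after relay) add here spam checks (blacklists etc)
smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service unix:private/policy-spf

# OpenDKIM & OpenDMARC setup
smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
non_smtpd_milters = unix:/run/opendkim/opendkim.sock,unix:/var/run/opendmarc/opendmarc.sock
# "accept" keeps mail flowing when a milter is down, at the cost of passing it
# unsigned / unchecked; "tempfail" would defer it instead
milter_default_action = accept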