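# Postfix main.cf template: identity, queue limits, milters, postscreen and
# outbound (smtp client) TLS.
# The ${POSTFIX_*} placeholders are presumably substituted before Postfix reads
# this file -- TODO confirm against the container entrypoint.
# Layout restored to one parameter per line. main.cf has no trailing-comment
# syntax, so a "#" in the middle of a line becomes part of the value.

myhostname = ${POSTFIX_HOST}
mydomain = ${POSTFIX_DOMAIN}
myorigin = ${POSTFIX_DOMAIN}
# NOTE(review): 10.64.0.0/12 is a wide range to treat as trusted. This file never
# uses permit_mynetworks, so check which master.cf overrides rely on it and keep
# the range as narrow as the deployment allows.
mynetworks = 127.0.0.0/8 10.64.0.0/12 10.96.10.10/32 10.96.10.254/32
mydestination = ${POSTFIX_HOST} localhost
biff = no
bounce_queue_lifetime = 1d
broken_sasl_auth_clients = no
compatibility_level = 3.6
header_checks = pcre:/config/header_checks.pcre
inet_interfaces = all
inet_protocols = ipv4

# Not needed, lmtp uses unix socket
# lmtp_tls_loglevel = 1
# lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# lmtp_tls_security_level = none
# lmtp_tls_wrappermode = no
# lmtp_use_tls = no

# An empty local_recipient_maps turns off recipient validation for the
# mydestination domains: mail for unknown local users is accepted and bounced
# later instead of being rejected at RCPT time.
# NOTE(review): confirm this is intended, since late bounces can become backscatter.
local_recipient_maps =
local_transport = local:${POSTFIX_HOST}
mailbox_size_limit = 51200000
maillog_file = /dev/stdout
maximal_queue_lifetime = 1d
message_size_limit = 51200000
mime_header_checks = pcre:/config/header_checks.pcre

# Milters
milter_protocol = 6
# Fail-open: if the milter on /socket/dkim is unreachable, mail is still accepted
# without milter processing. Monitor the socket if DKIM handling must not be skipped.
milter_default_action = accept
smtpd_milters = unix:/socket/dkim
non_smtpd_milters = unix:/socket/dkim

postscreen_access_list =
postscreen_denylist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_allowlist_threshold = -1
# The zen reply filter was 127.0.1.[2..254]. Zen listings are returned in
# 127.0.0.x (127.0.1.x is the DBL domain-list range), so the old filter could
# never match and zen added no score. 127.0.0.[2..11] matches real listings and
# still excludes the 127.255.255.x "query refused" replies.
# NOTE(review): confirm every list below is still operated and answers queries
# from this host's resolver; a list that no longer answers adds nothing to the score.
postscreen_dnsbl_sites =
    zen.spamhaus.org=127.0.0.[2..11]*3,
    ix.dnsbl.manitu.net*3,
    bl.spamcop.net,
    b.barracudacentral.org,
    safe.dnsbl.sorbs.net,
    swl.spamhaus.org*-10
postscreen_dnsbl_threshold = 3
# "ignore" only records pregreet failures; it does not act on them.
postscreen_greet_action = ignore
postscreen_greet_banner =
postscreen_upstream_proxy_protocol =
# proxy_interfaces = x.x.x.x # Set with postconf during startup

recipient_delimiter = +
relay_domains =
relayhost =
sender_dependent_relayhost_maps =

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# NOTE(review): outbound still allows TLSv1 and TLSv1.1, unlike the smtpd_tls_*
# settings later in this file. Tighten the mandatory list if peers allow it.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2, !SSLv3
# DANE takes effect only when smtp_dns_support_level is "dnssec" and the resolver
# validates DNSSEC. Otherwise Postfix falls back to opportunistic TLS. Check the
# smtp_dns_support_level value set at the end of this file.
smtp_tls_security_level = dane

smtpd_banner = ${POSTFIX_HOST} ESMTP

# SASL - SMTPS sasl settings specified in master.cf
smtpd_sasl_auth_enable = no

# SPF
# NOTE(review): Postfix derives <service>_time_limit from the master.cf service
# name, and the policy socket referenced in this file is unix:private/spf.
# Confirm that master.cf actually reads this parameter name.
policyd-spf_time_limit = 3600

# SMTPD restrictions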
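# SMTP server access restrictions, inbound TLS, virtual mailbox lookups and DNS
# behaviour. Layout restored to one parameter per line (main.cf has no
# trailing-comment syntax).

smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_client_restrictions = reject_unknown_reverse_client_hostname
smtpd_helo_restrictions =
    reject_unknown_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_relay_before_recipient_restrictions = yes
# Order matters. The list used to start with permit_auth_destination, which ends
# evaluation with PERMIT for every authorized destination, while
# reject_unauth_destination rejects everything else. The SPF policy service
# after them was therefore never consulted. With the permit removed, authorized
# destinations fall through to the SPF check and unauthorized ones are still
# rejected.
# NOTE(review): whether an SPF failure rejects or only adds a header is decided
# by the policy daemon's own configuration. Review it, including which internal
# client addresses it skips, before rollout.
smtpd_relay_restrictions =
    reject_unauth_destination,
    check_policy_service unix:private/spf
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce

# Disabled DNSBL snippets, kept as comments exactly as found.
# client , reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org
# helo , reject_rhsbl_helo dbl.spamhaus.org
# sender , reject_rhsbl_sender dbl.spamhaus.org

smtpd_tls_cert_file=/cert/tls.crt
smtpd_tls_key_file=/cert/tls.key
# The parameter name is historical. The file should hold a 2048-bit or larger DH group.
smtpd_tls_dh1024_param_file = /dh/dhparams.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# "encrypt" applies to every smtpd service that does not override it in master.cf.
# NOTE(review): on a public port-25 MX this refuses senders that cannot do
# STARTTLS, and RFC 3207 advises against requiring TLS there. Confirm this is
# intended, or set "may" here and "encrypt" on the submission services.
smtpd_tls_security_level = encrypt
# AEAD-only suites with forward secrecy (ECDHE/DHE); this redefines the "medium" grade.
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION

unverified_recipient_reject_code = 577

# NOTE(review): if ldap_aliases.cf carries bind credentials, keep the file
# unreadable to other users, and confirm the LDAP connection itself is protected.
virtual_alias_maps = ldap:/config/ldap_aliases.cf
virtual_mailbox_base =
virtual_mailbox_domains = ${POSTFIX_DOMAIN}
virtual_mailbox_maps = ldap:/config/ldap_aliases.cf
virtual_transport = lmtp:unix:/socket/lmtp

# External IP templated at container start
proxy_interfaces=${PUBLIC_IP}

# disable_dns_lookups is the legacy switch. The smtp client ignores it once
# smtp_dns_support_level is set.
disable_dns_lookups = no
# Was "enabled". smtp_tls_security_level = dane (set earlier in this file) needs
# "dnssec" here; without it Postfix logs a warning and downgrades DANE to
# opportunistic TLS. A DNSSEC-validating resolver on a trusted path (ideally
# local) is also required for TLSA lookups to count.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
smtpd_peername_lookup = yes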