maillog_file = /var/log/mail.log

# core options
myhostname = mail.arf20.com
myorigin = /etc/mailname
mydestination = mail.arf20.com, arf20.com, localhost, localhost.localdomain
#relayhost = # do relay (auth)
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# common smtpd (incoming) options
#   tls options
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.arf20.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.arf20.com/privkey.pem
smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_relay_before_recipient_restrictions=no
#   restriction options
#     no client restrictions, allow all hosts to connect (for incoming mail)
#     allow incoming messages from unauthenticated servers
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#     allow relaying mail only from ARFNET users
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#     only allow messages to be sent from arf20.com domain
smtpd_sender_restrictions = reject_unknown_sender_domain
#   restrict mailing lists to insiders
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/postfix/insiders, reject
#   auth options
smtpd_sasl_auth_enable=yes
smtpd_sasl_type=dovecot
smtpd_sasl_path=private/auth
#   milter options
#   chrooted to /var/spool/postfix/
smtpd_milters=unix:/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# common smtp (outgoing) options
#   tls options
smtp_tls_cert_file=/etc/letsencrypt/live/mail.arf20.com/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/mail.arf20.com/privkey.pem
smtp_use_tls = yes
smtp_tls_security_level=may
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# for mlmmj
recipient_delimiter = +