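# Postfix main.cf excerpt. "line NNN" comments refer to the line in the
# stock (distribution-shipped) main.cf where the parameter is found.
#
# A value that starts with $ refers back to another parameter by name,
# like a symbolic link. This keeps the file tidy and consistent.
#
# NOTE(review): in the original the two *_tls_mandatory_protocols lines carried
# a trailing "[***]" marker ("my configuration, do not copy the asterisks").
# Postfix reads everything after "=" as the value, so the marker has been moved
# into comments here. Values are otherwise unchanged.

# line 78: uncomment so that only postfix handles mail transfers
mail_owner = postfix

# line 94: uncomment and specify subdomain AND domain
myhostname = mx.yourwebsite.org

# line 102: uncomment and specify the domain name
mydomain = yourwebsite.org

# line 123: uncomment - the domain your outgoing mail appears to come from
myorigin = $mydomain

# line 137: uncomment - the interfaces postfix listens on.
# Validate with: ss -tlnp. The listener should show all zeroes before the
# port number, e.g. 0.0.0.0:587
inet_interfaces = all

# line 185: uncomment - domains for which postfix accepts mail as final
# destination. Mail to you@lol.yourwebsite.org is only accepted if "lol"
# (or a matching domain) is listed here. Add alternate domains here too.
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, alt.domain1, alt.domain2

# line 228: uncomment - with PAM-backed accounts this is the list of users
# known on the endpoint. If root and you are users but thatguy is not,
# mail to thatguy@yourwebsite.org will be rejected.
local_recipient_maps = unix:passwd.byname $alias_maps

# line 270: uncomment - mail is sent from behind the Wireguard LAN.
# NOTE(review): mynetworks_style only takes effect when mynetworks is NOT
# set explicitly; with the explicit list below it is effectively ignored.
mynetworks_style = subnet

# line 287: add your local network and the endpoint IP you send from.
# Clients not in this list cannot relay through this server unauthenticated.
# Adding networks you do not have accountable control over lets anyone on
# them relay through you and puts your relay's reputation at risk.
# (EndpointPublicIP, AccountablePublicIP, LocalSubnet2 are placeholders.)
mynetworks = 127.0.0.0/8, 172.16.79.0/27, EndpointPublicIP/32, AccountablePublicIP/32, LocalSubnet2/28

# line 407: uncomment - edit /etc/aliases to match the users you want to
# enable mail for; otherwise they cannot receive it. Comment out lines in
# that file to deactivate an alias.
alias_maps = hash:/etc/aliases

# line 418: uncomment - not redundant: alias_database names the file(s)
# that the newaliases command rebuilds, alias_maps names the lookup
# tables the local delivery agent reads. Both usually point at the same file.
alias_database = hash:/etc/aliases

# line 440: uncomment - where each user's inbox is stored. Always include
# this directory in backups. It can be served over NFS from behind the NAT;
# make sure the user name and UID match on both machines.
home_mailbox = Maildir/

# line 576: modify. When running several postfix instances, change the text
# in parentheses to tell them apart. $mail_name expands to the software
# name, so the banner discloses that this is Postfix.
smtpd_banner = $myhostname ESMTP $mail_name (Hostname1 Endpoint)

# line 650: add
# NOTE(review): the stock value is the sendmail-compatible wrapper
# (/usr/sbin/sendmail); confirm /usr/sbin/postfix is intended here.
sendmail_path = /usr/sbin/postfix

# line 655: add
newaliases_path = /usr/bin/newaliases

# line 660: add
mailq_path = /usr/bin/mailq

# line 666: add - the group that is allowed to access the mail queue
# submission directories
setgid_group = postdrop

# line 670: comment out
#html_directory =

# line 674: comment out
#manpage_directory =

# line 679: comment out
#sample_directory =

# line 683: comment out
#readme_directory =

# add to the end: limit message size to 10M (bytes)
message_size_limit = 10485760

# mailbox size limit - default value is 1 GB (bytes); must not be smaller
# than message_size_limit
mailbox_size_limit = 1073741824

# SMTP-Auth settings - without these SASL will not work. This deviates from
# the server-world tutorial where configuration needs differ.

# Dovecot provides SASL, so its type must be specified. Default is cyrus.
smtpd_sasl_type = dovecot

# refers to the auth socket of the daemon listed in /etc/postfix/master.cf
smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

# Reject anonymous SASL logins so the server cannot be used as an open
# relay. Because smtpd_tls_security_level below is "encrypt", plaintext
# mechanisms are only offered inside TLS; if that level is ever relaxed to
# "may", also set smtpd_tls_auth_only = yes so AUTH is never offered in clear.
smtpd_sasl_security_options = noanonymous

# The realm SASL authenticates against.
smtpd_sasl_local_domain = $myhostname

# Who may send where. Extend this once you are comfortable with it.
# NOTE(review): this list has no permit_sasl_authenticated, so an
# authenticated client outside mynetworks is still refused relaying by
# reject_unauth_destination - unless the submission/smtps service in
# master.cf overrides smtpd_recipient_restrictions with its own list.
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination, reject_unauth_destination

# Enable TLS. "Don't be a fool."
smtpd_use_tls = yes

# Use current protocols only (author's own value, formerly marked [***])
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.3
# (author's own value, formerly marked [***])
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.3

# Point these at the certificate chain and private key for your domain.
# These may live on NFS too. The key file must not be world-readable.
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.yourwebsite.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx.yourwebsite.org/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# Required to authenticate over port 465; improves delivery to Outlook inboxes.
# CAVEAT(review): "encrypt" in main.cf applies to every smtpd service
# including port 25, so remote MTAs that do not offer STARTTLS cannot
# deliver to you; likewise smtp_tls_security_level = encrypt defers outbound
# mail to any server without TLS. The usual pattern is "may" here and
# "encrypt" set per-service (submission/smtps) in master.cf.
smtpd_tls_security_level = encrypt
smtp_tls_security_level = encrypt

# Transport hardening: disable TLS compression and prefer ChaCha20 when the
# client prefers it.
tls_ssl_options = NO_COMPRESSION, PRIORITIZE_CHACHA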