# {{ ansible_managed }}
pki {{ server_domain }} cert "/etc/ssl/{{ server_domain }}.fullchain.pem"
pki {{ server_domain }} key "/etc/ssl/private/{{ server_domain }}.key"

table aliases file:/etc/mail/aliases
table users passwd:/etc/mail/accounts
table virtuals file:/etc/mail/virtuals

filter dkimsign_rsa proc-exec "filter-dkimsign -d {{ server_domain }} -s selector1 \
    -k /etc/mail/dkim/{{ server_domain }}.key" user _dkimsign group _dkimsign

listen on socket filter dkimsign_rsa
listen on all tls pki {{ server_domain }}
listen on all port submission tls-require pki {{ server_domain }} auth <users> filter dkimsign_rsa
listen on all port smtps tls-require pki {{ server_domain }} auth <users> filter dkimsign_rsa

action "local_mail" lmtp "/var/dovecot/lmtp" rcpt-to virtual <virtuals>
action "outbound" relay

{% for domain in mail_receive_domains %}
match from any for domain {{ domain }} action "local_mail"
{% endfor %}
match from local for local action "local_mail"
match from local for any action "outbound"
match auth from any for any action "outbound"