compatibility_level = 3.6
# Identitas dasar
myhostname = mail.dakarash.co.id
mydomain = dakarash.co.id
myorigin = $mydomain

# Listener & protokol
inet_interfaces = all
inet_protocols  = all

# TLS untuk server (587 & 465)
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.dakarash.co.id-0001/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.dakarash.co.id-0001/privkey.pem

smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = yes

# TLS untuk client (kirim keluar)
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt   # (biasanya otomatis)

# SASL (AUTH) via Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

# === CargoChains SEND-AS (submission) ===
# Map sender domain -> akun login SMTP yang diizinkan
#smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# Tolak jika MAIL FROM tidak sesuai login SASL (kecuali diizinkan oleh sender_login_maps)
#smtpd_sender_restrictions = reject_sender_login_mismatch

# Kebijakan relay umum (587/465 di-override di master.cf)
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

# Kualitas hidup
smtpd_helo_required = yes
mynetworks = 127.0.0.0/8, [::1]/128

mydestination = $myhostname, localhost.$mydomain, localhost
smtpd_banner = $myhostname ESMTP Postfix
virtual_mailbox_domains = dakarash.co.id
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_alias_maps = hash:/etc/postfix/virtual
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301