# inter-mx with postscreen on 25/tcp
smtp       inet  n       -       n       -       1       postscreen
10025      inet  n       -       n       -       1       postscreen
  -o postscreen_upstream_proxy_protocol=haproxy
  -o syslog_name=haproxy
smtpd      pass  -       -       n       -       -       smtpd
  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
  -o smtpd_sasl_auth_enable=no
  -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain

# smtpd tls-wrapped (smtps) on 465/tcp
# TLS protocol can be modified by setting smtps_smtpd_tls_mandatory_protocols in extra.cf
smtps    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps
10465    inet  n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_tls_wrappermode=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_mandatory_protocols=$smtps_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/smtps-haproxy

# smtpd with starttls on 587/tcp
# TLS protocol can be modified by setting submission_smtpd_tls_mandatory_protocols in extra.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission
10587      inet n       -       n       -       -       smtpd
  -o smtpd_upstream_proxy_protocol=haproxy
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=$submission_smtpd_tls_mandatory_protocols
  -o tls_preempt_cipherlist=yes
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/submission-haproxy

# used by SOGo
# smtpd_sender_restrictions should match main.cf, but with check_sasl_access prepended for login-as-mailbox-user function
588 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_sender_restrictions=check_sasl_access,regexp:/opt/postfix/conf/allow_mailcow_local.regexp,reject_authenticated_sender_login_mismatch,permit_mynetworks,permit_sasl_authenticated,reject_unlisted_sender,reject_unknown_sender_domain
  -o cleanup_service_name=smtp_sender_cleanup
  -o syslog_name=postfix/sogo

# used to reinject quarantine mails
590 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/quarantine

# used to send bcc mails
591 inet n      -       n       -       -       smtpd
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_tls_auth_only=no
  -o smtpd_milters=
  -o non_smtpd_milters=
  -o syslog_name=postfix/bcc

# enforced smtp connector
smtp_enforced_tls      unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o syslog_name=enforced-tls-smtp
  -o smtp_delivery_status_filter=pcre:/opt/postfix/conf/smtp_dsn_filter

# smtp connector used, when a transport map matched
# this helps to have different sasl maps than we have with sender dependent transport maps
smtp_via_transport_maps      unix  -       -       n       -       -       smtp
  -o smtp_sasl_password_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_transport_maps.cf

tlsproxy   unix  -       -       n       -       0       tlsproxy
dnsblog    unix  -       -       n       -       0       dnsblog
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe flags=DRhu
    user=vmail argv=/usr/bin/maildrop -d ${recipient}

# used to anonymize sender IP
smtp_sender_cleanup unix n - y - 0 cleanup
  -o header_checks=$smtp_header_checks

# start whitelist_fwd
127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
# end whitelist_fwd

# start watchdog-specific
# logs to local7 (hidden)
589 inet n      -       n       -       -       smtpd
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o smtpd_milters=
  -o cleanup_service_name=watchdog_cleanup
  -o non_smtpd_milters=
watchdog_cleanup unix  n       -       n       -       0       cleanup
  -o syslog_name=watchdog
  -o syslog_facility=local7
  -o queue_service_name=watchdog_qmgr
watchdog_qmgr fifo  n       -       n       300     1       qmgr
  -o syslog_facility=local7
  -o syslog_name=watchdog
  -o rewrite_service_name=watchdog_rewrite
watchdog_rewrite    unix  -       -       n       -       -       trivial-rewrite
   -o syslog_facility=local7
   -o syslog_name=watchdog
   -o local_transport=watchdog_discard
watchdog_discard    unix  -       -       n       -       -       discard
   -o syslog_facility=local7
   -o syslog_name=watchdog
# end watchdog-specific