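# NixOS module fragment: outbound mail relay through OpenSMTPD.
#
# When `myServices.mailRelay.enable` is set, every message accepted by the
# local daemon is forwarded to eldiron.immae.eu:587 using SMTP AUTH. Senders
# outside @immae.eu are rewritten to ${name}@immae.eu by the
# "relay-rewrite-from" action; senders already in @immae.eu go through the
# plain "relay" action.
{ lib, pkgs, config, name, ... }:
{
  config = lib.mkIf config.myServices.mailRelay.enable {
    # Credentials table consumed by smtpd: one line, "<label> <user>:<password>".
    # The label ("eldiron") is the part before "@" in the relay URLs below.
    # The file is owned by smtpd and readable by that user only (0400).
    # NOTE(review): the password is interpolated from config.hostEnv.ldap.password;
    # confirm the secrets module keeps `text` out of the world-readable Nix store.
    secrets.keys = [
      {
        dest = "opensmtpd/creds";
        user = "smtpd";
        group = "smtpd";
        permissions = "0400";
        text = ''
          eldiron ${name}:${config.hostEnv.ldap.password}
        '';
      }
    ];

    # Presumably required so smtpd can reach the deployed secrets directory;
    # verify against the secrets module.
    users.users.smtpd.extraGroups = [ "keys" ];

    services.opensmtpd = {
      enable = true;

      # Review notes on the generated smtpd.conf (kept outside the string so
      # the rendered configuration carries no extra text):
      #  - Both relay actions use `auth <creds>`. `auth` takes a table
      #    reference; a bare `auth` is not a complete directive and would
      #    leave the `creds` table declared but unused.
      #  - smtp+tls:// is SMTP with mandatory STARTTLS, so the credentials are
      #    not sent in clear text. NOTE(review): confirm that the deployed
      #    OpenSMTPD version also validates the relay's certificate.
      #  - The match rules carry no `from` clause. NOTE(review): this is
      #    expected to restrict relaying to locally submitted mail; confirm
      #    for the deployed version so the host cannot act as an open relay.
      #  - ${filter-rewrite-from} is interpolated even though it sits on a
      #    commented-out smtpd.conf line, so the derivation is still built.
      serverConfiguration = let
        # Copy of the sender-rewriting filter with its shebang patched to the
        # Nix-provided python3.
        filter-rewrite-from = pkgs.runCommand "filter-rewrite-from.py" {
          buildInputs = [ pkgs.python3 ];
        } ''
          cp ${./filter-rewrite-from.py} $out
          patchShebangs $out
        '';
      in ''
        table creds \
          "${config.secrets.fullPaths."opensmtpd/creds"}"
        # FIXME: filtering requires 6.6, uncomment following lines when
        # upgrading
        # filter "fixfrom" \
        #   proc-exec "${filter-rewrite-from} ${name}@immae.eu"
        # listen on socket filter "fixfrom"
        action "relay-rewrite-from" relay \
          helo ${config.hostEnv.fqdn} \
          host smtp+tls://eldiron@eldiron.immae.eu:587 \
          auth <creds> \
          mail-from ${name}@immae.eu
        action "relay" relay \
          helo ${config.hostEnv.fqdn} \
          host smtp+tls://eldiron@eldiron.immae.eu:587 \
          auth <creds>
        match for any !mail-from "@immae.eu" action "relay-rewrite-from"
        match for any mail-from "@immae.eu" action "relay"
      '';
    };

    environment.systemPackages = [ config.services.opensmtpd.package ];

    # `sendmail` and `mailq` are both smtpctl under another name. Neither
    # wrapper gets a setuid or setgid bit, so they run with the caller's own
    # privileges.
    # NOTE(review): confirm unprivileged users can still submit mail and list
    # the queue without the setgid bit.
    services.mail.sendmailSetuidWrapper = {
      program = "sendmail";
      source = "${config.services.opensmtpd.package}/bin/smtpctl";
      setuid = false;
      setgid = false;
    };
    security.wrappers.mailq = {
      program = "mailq";
      source = "${config.services.opensmtpd.package}/bin/smtpctl";
      setuid = false;
      setgid = false;
    };
  };
}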