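# Top-level mail module: imports the per-daemon sub-modules, declares the
# enable switches and, when `myServices.mail.enable` is set, requests the
# ACME certificates for the mail host and creates the `mail` systemd slice.
{ lib, pkgs, config, ... }:
let
  # Master zones that declare a non-empty `withEmail` list.
  zonesWithMx = builtins.filter
    (zone: zone ? withEmail && builtins.length zone.withEmail > 0)
    config.myEnv.dns.masterZones;

  # One MX host name per such zone: "<mx subdomain>.<zone name>".
  mxNames = map
    (zone: "${config.hostEnv.mx.subdomain}.${zone.name}")
    zonesWithMx;

  # `extraDomains` takes an attribute set of name -> null (no dedicated
  # webroot). It is computed once so both certificates below always carry
  # the same set of names; a name missing from only one of them would make
  # TLS verification fail only for the clients served that certificate.
  # NOTE(review): later NixOS releases replace `extraDomains` with the list
  # option `extraDomainNames` -- confirm against the pinned nixpkgs before
  # migrating.
  mxExtraDomains = lib.genAttrs mxNames (_: null);

  # Shared certificate request: site-wide defaults, the host FQDN as primary
  # domain and every MX name as an extra domain; `overrides` wins on conflict.
  mkMailCert = overrides:
    config.myServices.certificates.certConfig // {
      domain = config.hostEnv.fqdn;
      extraDomains = mxExtraDomains;
    } // overrides;
in
{
  imports = [
    ./milters.nix
    ./postfix.nix
    ./dovecot.nix
    ./relay.nix
    ./rspamd.nix
    ./opensmtpd.nix
    ./sympa.nix
  ];

  # `mkEnableOption` already prefixes the text with "Whether to enable", so
  # only the noun phrase is passed (the previous strings rendered as
  # "Whether to enable enable ...").
  options.myServices.mail.enable = lib.mkEnableOption "Mail services";
  # The two switches below are only declared here; presumably the imported
  # modules read them -- verify there.
  options.myServices.mailRelay.enable = lib.mkEnableOption "Mail relay services";
  options.myServices.mailBackup.enable = lib.mkEnableOption "MX backup services";

  config = lib.mkIf config.myServices.mail.enable {
    # Default certificate; the key type comes from `certConfig` or the ACME
    # module default, neither of which is visible in this file.
    security.acme.certs."mail" = mkMailCert { };

    # This is for clients that don’t support elliptic curves (e.g.
    # printer). Same names as "mail", but with an RSA 4096 key.
    # NOTE(review): which listeners present this certificate is decided in
    # the imported modules; keep it limited to the legacy clients that need
    # it.
    security.acme.certs."mail-rsa" = mkMailCert { keyType = "rsa4096"; };

    systemd.slices.mail = {
      description = "Mail slice";
    };
  };
}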