services:
  mail-relay:
    image: ${MAIL_RELAY_IMAGE}
    container_name: mail-relay
    pull_policy: always
    restart: unless-stopped
    environment:
      TZ: ${TZ}
      LOG_FORMAT: ${MAIL_RELAY_LOG_FORMAT}

      # Hostname del relay
      POSTFIX_myhostname: ${MAIL_RELAY_HOSTNAME}

      # Solo clientes internos del stack de correo
      POSTFIX_mynetworks: ${MAIL_RELAY_MYNETWORKS}

      # Dominios permitidos para el sender
      ALLOWED_SENDER_DOMAINS: ${MAIL_RELAY_ALLOWED_SENDER_DOMAINS}

      # Reescritura de dominio para hosts internos
      MASQUERADED_DOMAINS: ${MAIL_RELAY_MASQUERADED_DOMAINS}

      # Relay SMTP externo
      RELAYHOST: ${MAIL_RELAY_SMARTHOST}
      RELAYHOST_USERNAME: ${MAIL_RELAY_SMARTHOST_USERNAME}
      RELAYHOST_PASSWORD_FILE: /run/secrets/relayhost_password
      POSTFIX_smtp_tls_security_level: ${MAIL_RELAY_SMTP_TLS_SECURITY_LEVEL}

      # DKIM
      DKIM_AUTOGENERATE: ${MAIL_RELAY_DKIM_AUTOGENERATE}
      DKIM_SELECTOR: ${MAIL_RELAY_DKIM_SELECTOR}

    volumes:
      - /opt/mail-relay/queue:/var/spool/postfix:Z
      - /opt/mail-relay/opendkim:/etc/opendkim/keys:Z
      - /opt/mail-relay/secrets/relayhost_password:/run/secrets/relayhost_password:ro,Z

    networks:
      mail_internal:
        ipv4_address: ${MAIL_RELAY_IPV4}

    # No publicar puertos al exterior para uso interno entre contenedores.
    # Descomenta para pruebas desde el host:
    # ports:
    #   - "127.0.0.1:1587:587"

networks:
  mail_internal:
    name: ${MAIL_RELAY_NETWORK_NAME}
    driver: bridge
    ipam:
      config:
        - subnet: ${MAIL_RELAY_SUBNET}