{ d }:
{
  hostname = d.extUrl;
  # TLS
  # https://stalw.art/docs/server/tls/overview
  tls = {
    enable = true;
    implicit = false;
    ignore-client-order = true;
  };
  # Listeners
  # https://stalw.art/docs/server/listener
  listener = {
    smtp = {
      bind = [
        "[::]:${toString d.intSMTP}"
        "[::]:40025"
      ];
      protocol = "smtp";
      # Explicit TLS
      tls.implicit = false;
    };
    smtps = {
      bind = "[::]:${toString d.intSMTPS}";
      protocol = "smtp";
      # Implicit TLS
      tls.implicit = true;
    };
    imap = {
      bind = "[::]:${toString d.intIMAP}";
      protocol = "imap";
      # Explicit TLS
      tls.implicit = false;
    };
    imaps = {
      bind = "[::]:${toString d.intIMAPS}";
      protocol = "imap";
      # Implicit TLS
      tls.implicit = true;
    };
    managesieve = {
      bind = "[::]:${toString d.intManageSieve}";
      protocol = "managesieve";
      # Explicit TLS
      tls.implicit = false;
    };
    https = {
      bind = "[::]:${toString d.intHTTPS}";
      protocol = "http";
      # Implicit TLS
      tls.implicit = true;
    };
    http = {
      bind = "[::]:${toString d.intHTTP}";
      protocol = "http";
      # Implicit TLS
      tls.implicit = false;
    };
  };
  # Proxy Protocol from Caddy
  # Only accepts proxy protocol from Tailscale IP Ranges
  # https://tailscale.com/kb/1015/100.x-addresses
  # https://tailscale.com/kb/1033/ip-and-dns-addresses
  proxy.trusted-networks = [
    "fd7a:115c:a1e0::/48"
    "100.64.0.0/10"
    "127.0.0.1/8"
  ];
}