{
  isAuthenticated,
  otherwise,
  ifThen,
}:
# MTA Settings
# https://stalw.art/docs/mta/overview
{
  # Inbound
  # https://stalw.art/docs/mta/inbound/overview
  # # EHLO Stage
  # # https://stalw.art/docs/mta/inbound/ehlo
  ehlo = {
    require = true;
    reject-non-fqdn = [
      (ifThen "protocol = 'smtp'" true)
      (otherwise false)
    ];
  };
  # # RCPT Stage
  # # https://stalw.art/docs/mta/inbound/rcpt
  rcpt = {
    relay = [
      (isAuthenticated true)
      (otherwise false)
    ];
    subaddressing = true;
  };
  auth = {
    mechanisms = [
      (ifThen "local_port != 40025 && is_tls" "[plain, login, oauthbearer, xoauth2]")
      (ifThen "local_port != 40025" "[oauthbearer, xoauth2]")
      (otherwise false)
    ];
    directory = "'default'";
    require = [
      (ifThen "local_port != 40025" true)
      (otherwise false)
    ];
    must-match-sender = true;
  };
  extensions =
    let
      ifAuthed = [
        (isAuthenticated true)
        (otherwise false)
      ];
    in
    {
      pipelining = true;
      chunking = true;
      requiretls = true;
      no-soliciting = "";
      dsn = ifAuthed;
      deliver-by = [
        (isAuthenticated "15d")
        (otherwise false)
      ];
      mt-priority = false;
      vrfy = ifAuthed;
      expn = ifAuthed;
    };
}