services:
  smtp-relay:
    image: boky/postfix:4.4.0-alpine        # lichte, recente Alpine build 
    container_name: smtp-relay
    restart: unless-stopped

    # Alleen intern publiceren (pas IP aan naar de host waar deze stack draait)
    ports:
      - "192.168.2.2:587:587"

    environment:
      TZ: Europe/Amsterdam

      # Hostname in SMTP banner
      POSTFIX_myhostname: relay.japnet.nl

      # Brevo SMTP relay
      RELAYHOST: "[smtp-relay.brevo.com]:587"
      RELAYHOST_USERNAME: "${BREVO_SMTP_USER}"
      RELAYHOST_PASSWORD: "${BREVO_SMTP_PASS}"

      # Alleen jouw domeinen mogen als afzender
      ALLOWED_SENDER_DOMAINS: "japnet.nl,notify.japnet.nl"

      # Alleen jouw LAN/VLANs mogen relayed worden
      POSTFIX_mynetworks: "127.0.0.0/8 192.168.2.0/24 10.0.50.0/24 10.0.60.0/24"

    volumes:
      # Postfix heeft schrijfruimte nodig; die doen we in named volumes
      - mail_spool:/var/spool/postfix
      - mail_etc:/etc/postfix
      - mail_dkim:/etc/opendkim/keys

    # Harden waar het kan
   # read_only: true
    tmpfs:
      - /tmp
      - /var/run
    security_opt:
      - no-new-privileges:true

    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

    healthcheck:
      test: ["CMD", "postfix", "status"]
      interval: 30s
      timeout: 5s
      retries: 3

volumes:
  mail_spool:
  mail_etc:
  mail_dkim: