{
  config,
  lib,
  pkgs,
  ...
}:
let
  mkThunderbirdAutoconfig = domain:
    pkgs.writeText "autoconfig-${domain}.xml" ''
      <?xml version="1.0" encoding="UTF-8"?>
      <clientConfig version="1.1">
        <emailProvider id="${domain}">
          <domain>${domain}</domain>
          <displayName>${domain}</displayName>
          <displayShortName>${domain}</displayShortName>

          <incomingServer type="imap">
            <hostname>${config.mailserver.fqdn}</hostname>
            <port>993</port>
            <socketType>SSL</socketType>
            <username>%EMAILADDRESS%</username>
            <authentication>password-cleartext</authentication>
          </incomingServer>

          <outgoingServer type="smtp">
            <hostname>${config.mailserver.fqdn}</hostname>
            <port>587</port>
            <socketType>STARTTLS</socketType>
            <username>%EMAILADDRESS%</username>
            <authentication>password-cleartext</authentication>
          </outgoingServer>
        </emailProvider>
      </clientConfig>
    '';

  mkOutlookAutodiscover = domain:
    pkgs.writeText "autodiscover-${domain}.xml" ''
      <?xml version="1.0" encoding="utf-8"?>
      <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
        <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
          <Account>
            <AccountType>email</AccountType>
            <Action>settings</Action>

            <Protocol>
              <Type>IMAP</Type>
              <Server>${config.mailserver.fqdn}</Server>
              <Port>993</Port>
              <LoginName>%EMAILADDRESS%</LoginName>
              <SSL>on</SSL>
              <AuthRequired>on</AuthRequired>
            </Protocol>

            <Protocol>
              <Type>SMTP</Type>
              <Server>${config.mailserver.fqdn}</Server>
              <Port>587</Port>
              <LoginName>%EMAILADDRESS%</LoginName>
              <SSL>on</SSL>
              <Encryption>TLS</Encryption>
              <AuthRequired>on</AuthRequired>
              <UsePOPAuth>off</UsePOPAuth>
            </Protocol>
          </Account>
        </Response>
      </Autodiscover>
    '';

  mailDiscoveryVirtualHosts =
    lib.listToAttrs (
      lib.concatMap (
        domain:
        let
          autoconfigXml = mkThunderbirdAutoconfig domain;
          autodiscoverXml = mkOutlookAutodiscover domain;
        in
        [
          {
            name = "autoconfig.${domain}";
            value = {
              enableACME = true;
              forceSSL = true;
              locations."= /mail/config-v1.1.xml".extraConfig = ''
                default_type application/xml;
                alias ${autoconfigXml};
              '';
            };
          }
          {
            name = "autodiscover.${domain}";
            value = {
              enableACME = true;
              forceSSL = true;
              locations."= /autodiscover/autodiscover.xml".extraConfig = ''
                default_type application/xml;
                alias ${autodiscoverXml};
              '';
            };
          }
        ]
      ) config.mailserver.domains
    );
in
{
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx.virtualHosts = mailDiscoveryVirtualHosts // {
    ${config.mailserver.fqdn}.enableACME = true;
  };
}