{pkgs, ...}:
pkgs.nixosTest {
  name = "internal";
  nodes.machine = {...}: {
    imports = [./common/server.nix];
    mailsystem = {
      fqdn = "mail.example.com";
      domains = ["example.com"];
      accounts = {};
      vmailUserName = "vmail";
      vmailGroupName = "vmail";
      vmailUID = 5000;
    };
  };
  testScript = {nodes, ...}: let
    pkgs = nodes.machine.nixpkgs.pkgs;
  in ''
    machine.start()
    machine.wait_for_unit("multi-user.target")

    with subtest("imap is only available via port 993 and is encrypted"):
        machine.wait_for_closed_port(143)
        machine.wait_for_open_port(993)
        machine.succeed(
            "echo | ${pkgs.openssl}/bin/openssl s_client -connect localhost:993 | grep 'New, TLS'"
        )

    with subtest("smtp is only available via port 465 and is encrypted"):
        machine.wait_for_closed_port(587)
        machine.wait_for_open_port(465)
        machine.succeed(
            "echo | ${pkgs.openssl}/bin/openssl s_client -connect localhost:465 | grep 'New, TLS'"
        )

    with subtest("`postfix check` succeeds"):
        machine.succeed(
            "${pkgs.postfix}/bin/postfix check"
        )
  '';
}