{
  "mx": {
    // provider should define their own custom aliases.
    // these are in *addition* to the standard reserved aliases for root and postmaster, etc.
    "aliases": {},
    // this is the domain that is used for the OpenPGP header
    "key_lookup_domain": "= global.services[:webapp].webapp.domain",
    "dkim": {
      // bit sizes larger than 2048 are not necessarily supported
      "bit_size": 2048,
      "public_key": "= remote_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }",
      "private_key": "= remote_file_path(:dkim_priv_key) { generate_dkim_key(mx.dkim.bit_size) }",
      // generate selector based on first ten digits of pub key fingerprint:
      "selector": "= fingerprint(local_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }, :mode => :rsa).slice(0,10)"
    }
  },
  "stunnel": {
    "clients": {
      "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
    }
  },
  "couchdb_leap_mx_user": {
    "username": "= global.services[:couchdb].couch.users[:leap_mx].username",
    "password": "= secret :couch_leap_mx_password",
    "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
  },
  "couchdb_port": "= couchdb_port",
  "mynetworks": "= host_ips(nodes)",
  "rbls": ["zen.spamhaus.org"],
  "clamav": {
    "whitelisted_addresses": []
  },
  "x509": {
    "use": true,
    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
    "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
    "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
  },
  "service_type": "user_service",
  "firewall": {
    "mx": {
      "from": "*",
      "to": "= ip_address",
      "port": [25, 465]
    }
  }
}