smtpd.conf

table aliases db:/usr/local/etc/mail/aliases.db
table domains { example.org redacted }
table secrets db:/usr/local/etc/mail/secrets.db

# Define keys and certs
pki example.org certificate "/etc/ssl/certs/www.example.org.cer"
pki example.org key "/etc/ssl/priv/www.example.org.key"

# Inbound mail smtp, smtps, deliver
listen on em0 port  25 tls \
       pki example.org hostname example.org auth-optional
listen on em0 port 465 smtps \
       pki example.org hostname example.org auth mask-source
listen on em0 port 587 tls-require \
       pki example.org hostname example.org auth mask-source
# Receive scanned mails from amavisd-new
listen on em0 port 10025 tag Scanned
# Receive DKIM signed mails from amavisd
listen on em0 port 10027 tag DKIM-Signed

# Deliver locally messages coming back in from scanner
accept tagged Scanned from 192.168.2.5 \
       deliver to maildir
#       for domain <domains> alias <aliases> \
#       deliver to lmtp "/var/run/dovecot/lmtp"

# Forward all mail received for local domains to amavis
accept tagged !Scanned from any \
       for domain <domains> \
       relay via "smtp://192.168.2.5:10024"
# Mails return from amavisd on 10025

### DKIM config ###
# Relay messages that are already signed
accept tagged DKIM-Signed \
       for any \
       relay via tls+auth://qsp@smtp.qsp.nl:587 auth <secrets>

# Forward local deliver mails to DKIM signing service
accept from local \
       for any \
       relay via "smtp://192.168.2.2:10026"

# accept for local alias <aliases> deliver to mbox