docker-mailserver · georglauterbach · Feb 18, 2022 · Feb 10, 2022 · Feb 10, 2022 · Feb 10, 2022
diff --git a/docs/content/config/advanced/auth-ldap.md b/docs/content/config/advanced/auth-ldap.md
@@ -96,7 +96,7 @@ Set this to `yes` to enable authentication binds ([more details in the dovecot d
 
 ### `SASLAUTHD_LDAP_FILTER`
 
-This filter is used for `saslauthd`, which is called by postfix when someone is authenticating through SMTP (assuming that `SASLAUTHD_MECHANISMS=ldap` is being used). Note that you'll need to set up the LDAP server for saslauthd seperately from postfix.
+This filter is used for `saslauthd`, which is called by postfix when someone is authenticating through SMTP (assuming that `SASLAUTHD_MECHANISMS=ldap` is being used). Note that you'll need to set up the LDAP server for saslauthd separately from postfix.
 
 The filter variables are explained in detail [in the `LDAP_SASLAUTHD` file](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD#L121), but unfortunately, this method doesn't really support domains right now - that means that `%U` is the only token that makes sense in this variable.
 

diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
@@ -415,7 +415,7 @@ Note: activate this only if you are confident in your bayes database for identif
 ##### FETCHMAIL_PARALLEL
 
   **0** => `fetchmail` runs with a single config file `/etc/fetchmailrc`
-  **1** => `/etc/fetchmailrc` is split per poll entry. For every poll entry a seperate fetchmail instance is started  to allow having multiple imap idle configurations defined.
+  **1** => `/etc/fetchmailrc` is split per poll entry. For every poll entry a separate fetchmail instance is started  to allow having multiple imap idle configurations defined.
 
 Note: The defaults of your fetchmailrc file need to be at the top of the file. Otherwise it won't be added correctly to all separate `fetchmail` instances.
 

diff --git a/target/scripts/check-for-changes.sh b/target/scripts/check-for-changes.sh
@@ -40,6 +40,8 @@ _obtain_hostname_and_domainname
 PM_ADDRESS="${POSTMASTER_ADDRESS:=postmaster@${DOMAINNAME}}"
 _notify 'inf' "${LOG_DATE} Using postmaster address ${PM_ADDRESS}"
 
+REGEX_NEVER_MATCH="(?\!)"
+
 # Change detection delayed during startup to avoid conflicting writes
 sleep 10
 
@@ -65,10 +67,24 @@ do
     # Also note that changes are performed in place and are not atomic
     # We should fix that and write to temporary files, stop, swap and start
 
+    if [[ ${SSL_TYPE} == 'manual' ]]
+    then
+      # only run the SSL setup again if certificates have really changed.
+      if [[ ${CHANGED} =~ ${SSL_CERT_PATH:-${REGEX_NEVER_MATCH}} ]]     \
+      || [[ ${CHANGED} =~ ${SSL_KEY_PATH:-${REGEX_NEVER_MATCH}} ]]      \
+      || [[ ${CHANGED} =~ ${SSL_ALT_CERT_PATH:-${REGEX_NEVER_MATCH}} ]] \
+      || [[ ${CHANGED} =~ ${SSL_ALT_KEY_PATH:-${REGEX_NEVER_MATCH}} ]]
+      then
+        _notify 'inf' "Manual certificates have changed, extracting certs.."
+        # we need to run the SSL setup again, because the
+        # certificates DMS is working with are copies of
+        # the (now changed) files
+        _setup_ssl
+      fi
     # `acme.json` is only relevant to Traefik, and is where it stores the certificates it manages.
     # When a change is detected it's assumed to be a possible cert renewal that needs to be
     # extracted for `docker-mailserver` services to adjust to.
-    if [[ ${CHANGED} =~ /etc/letsencrypt/acme.json ]]
+    elif [[ ${CHANGED} =~ /etc/letsencrypt/acme.json ]]
     then
       _notify 'inf' "'/etc/letsencrypt/acme.json' has changed, extracting certs.."
 

diff --git a/target/scripts/helper-functions.sh b/target/scripts/helper-functions.sh
@@ -1,5 +1,9 @@
 #! /bin/bash
 
+# TODO this file may be split up in the future
+#      into separate files under `target/scripts/helper/`
+#      which is a more fitting place
+
 # These helpers are used by `setup-stack.sh` and `check-for-changes.sh`,
 # not by anything within `helper-functions.sh` itself:
 # shellcheck source=target/scripts/helpers/index.sh
@@ -9,6 +13,10 @@ DMS_DEBUG="${DMS_DEBUG:=0}"
 SCRIPT_NAME="$(basename "$0")" # This becomes the sourcing script name (Example: check-for-changes.sh)
 LOCK_ID="$(uuid)" # Used inside of lock files to identify them and prevent removal by other instances of docker-mailserver
 
+# file storing the checksums of the monitored files.
+# shellcheck disable=SC2034
+CHKSUM_FILE=/tmp/docker-mailserver-config-chksum
+
 # ? --------------------------------------------- BIN HELPER
 
 function errex
@@ -151,47 +159,6 @@ function _sanitize_ipv4_to_subnet_cidr
 }
 export -f _sanitize_ipv4_to_subnet_cidr
 
-# ? --------------------------------------------- ACME
-
-function _extract_certs_from_acme
-{
-  local CERT_DOMAIN=${1}
-  if [[ -z ${CERT_DOMAIN} ]]
-  then
-    _notify 'err' "_extract_certs_from_acme | CERT_DOMAIN is empty"
-    return 1
-  fi
-
-  local KEY CERT
-  KEY=$(acme_extract /etc/letsencrypt/acme.json "${CERT_DOMAIN}" --key)
-  CERT=$(acme_extract /etc/letsencrypt/acme.json "${CERT_DOMAIN}" --cert)
-
-  if [[ -z ${KEY} ]] || [[ -z ${CERT} ]]
-  then
-    _notify 'warn' "_extract_certs_from_acme | Unable to find key and/or cert for '${CERT_DOMAIN}' in '/etc/letsencrypt/acme.json'"
-    return 1
-  fi
-
-  # Currently we advise SSL_DOMAIN for wildcard support using a `*.example.com` value,
-  # The filepath however should be `example.com`, avoiding the wildcard part:
-  if [[ ${SSL_DOMAIN} == "${CERT_DOMAIN}" ]]
-  then
-    CERT_DOMAIN=$(_strip_wildcard_prefix "${SSL_DOMAIN}")
-  fi
-
-  mkdir -p "/etc/letsencrypt/live/${CERT_DOMAIN}/"
-  echo "${KEY}" | base64 -d > "/etc/letsencrypt/live/${CERT_DOMAIN}/key.pem" || exit 1
-  echo "${CERT}" | base64 -d > "/etc/letsencrypt/live/${CERT_DOMAIN}/fullchain.pem" || exit 1
-
-  _notify 'inf' "_extract_certs_from_acme | Certificate successfully extracted for '${CERT_DOMAIN}'"
-}
-export -f _extract_certs_from_acme
-
-# Remove the `*.` prefix if it exists, else returns the input value
-function _strip_wildcard_prefix {
-  [[ ${1} == "*."* ]] && echo "${1:2}" || echo "${1}"
-}
-
 # ? --------------------------------------------- Notifications
 
 function _notify
@@ -218,43 +185,6 @@ function _notify
 }
 export -f _notify
 
-# ? --------------------------------------------- File Checksums
-
-# file storing the checksums of the monitored files.
-# shellcheck disable=SC2034
-CHKSUM_FILE=/tmp/docker-mailserver-config-chksum
-
-# Compute checksums of monitored files,
-# returned output on `stdout`: hash + filepath tuple on each line
-function _monitored_files_checksums
-{
-  # If a wildcard path pattern (or an empty ENV) would yield an invalid path
-  # or no results, `shopt -s nullglob` prevents it from being added.
-  shopt -s nullglob
-  declare -a CERT_FILES
-
-  # React to any cert changes within the following letsencrypt locations:
-  CERT_FILES=(
-    /etc/letsencrypt/live/"${SSL_DOMAIN}"/*.pem
-    /etc/letsencrypt/live/"${HOSTNAME}"/*.pem
-    /etc/letsencrypt/live/"${DOMAINNAME}"/*.pem
-  )
-
-  if [[ ! -d /tmp/docker-mailserver ]]
-  then
-    return 1
-  fi
-
-  sha512sum 2>/dev/null --                     \
-    /tmp/docker-mailserver/postfix-accounts.cf \
-    /tmp/docker-mailserver/postfix-virtual.cf  \
-    /tmp/docker-mailserver/postfix-aliases.cf  \
-    /tmp/docker-mailserver/dovecot-quotas.cf   \
-    /etc/letsencrypt/acme.json                 \
-    "${CERT_FILES[@]}"
-}
-export -f _monitored_files_checksums
-
 # ? --------------------------------------------- General
 
 # Outputs the DNS label count (delimited by `.`) for the given input string.

diff --git a/target/scripts/helpers/index.sh b/target/scripts/helpers/index.sh
@@ -11,5 +11,6 @@ function _import_scripts
   . "${PATH_TO_SCRIPTS}/aliases.sh"
   . "${PATH_TO_SCRIPTS}/relay.sh"
   . "${PATH_TO_SCRIPTS}/sasl.sh"
+  . "${PATH_TO_SCRIPTS}/ssl.sh"
 }
 _import_scripts