From b57ae952d15f79b74eeaf6b6e14c1e2efe72a60a Mon Sep 17 00:00:00 2001 From: Steve Myers <35839355+smyers119@users.noreply.github.com> Date: Sat, 23 Dec 2023 09:01:20 -0500 Subject: [PATCH 1/5] Update install_all_pkgs.sh Added certbot --- scripts/install_all_pkgs.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install_all_pkgs.sh b/scripts/install_all_pkgs.sh index 405f77b..48d309b 100644 --- a/scripts/install_all_pkgs.sh +++ b/scripts/install_all_pkgs.sh @@ -10,7 +10,7 @@ export DEBIAN_FRONTEND='noninteractive' # Required binary packages. -PKGS_BASE="apt-transport-https bzip2 cron ca-certificates curl dbus dirmngr gzip openssl python3-apt python3-setuptools rsyslog software-properties-common unzip python3-pymysql python3-psycopg2" +PKGS_BASE="apt-transport-https bzip2 cron ca-certificates certbot curl dbus dirmngr gzip openssl python3-apt python3-setuptools rsyslog software-properties-common unzip python3-pymysql python3-psycopg2" PKGS_MYSQL="mariadb-server" PKGS_NGINX="nginx" PKGS_PHP_FPM="php-fpm php-cli" From b81e371db0fed2d0b45faeb4ea11fe2d49d9d779 Mon Sep 17 00:00:00 2001 From: Steve Myers <35839355+smyers119@users.noreply.github.com> Date: Sat, 23 Dec 2023 14:28:42 -0500 Subject: [PATCH 2/5] Letsencrypt support Added support for letsencrypt --- README.md | 2 ++ entrypoints/cron.sh | 4 ++++ entrypoints/dovecot.sh | 45 +++++++++++++++++++++++++----------------- run_all_in_one.sh | 1 + 4 files changed, 34 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index d0fdb0e..42a147b 100644 --- a/README.md +++ b/README.md 
@@ -23,6 +23,7 @@ echo FIRST_MAIL_DOMAIN=mydomain.com >> iredmail-docker.conf echo FIRST_MAIL_DOMAIN_ADMIN_PASSWORD=my-secret-password >> iredmail-docker.conf echo MLMMJADMIN_API_TOKEN=$(openssl rand -base64 32) >> iredmail-docker.conf echo ROUNDCUBE_DES_KEY=$(openssl rand -base64 24) >> iredmail-docker.conf +echo LETSENCRYPT=true >> iredmail-docker.conf ``` Create required directories to store application data: @@ -60,6 +61,7 @@ docker run \ -v /iredmail/data/clamav:/var/lib/clamav \ -v /iredmail/data/sa_rules:/var/lib/spamassassin \ -v /iredmail/data/postfix_queue:/var/spool/postfix \ + -v /iredmail/data/ssl:/etc/letsencrypt \ iredmail/mariadb:stable ``` diff --git a/entrypoints/cron.sh b/entrypoints/cron.sh index ef20e74..8847214 100644 --- a/entrypoints/cron.sh +++ b/entrypoints/cron.sh @@ -8,4 +8,8 @@ . /docker/entrypoints/functions.sh +echo "1 3 * * * certbot renew --webroot -w /var/www/html --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'" > /etc/cron.d/letsencrypt + +chmod 0644 /etc/cron.d/letsencrypt + set_cron_file_permission diff --git a/entrypoints/dovecot.sh b/entrypoints/dovecot.sh index 316a436..b1d3bef 100644 --- a/entrypoints/dovecot.sh +++ b/entrypoints/dovecot.sh 
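Review bot: The crontab line renews with `--webroot -w /var/www/html`, but dovecot.sh in this same commit obtains the certificate with `--standalone`; unless nginx in this image serves `/var/www/html/.well-known/acme-challenge/` for `${HOSTNAME}` (not visible here), every renewal will fail and the certificate quietly expires after 90 days. Either issue with `--webroot` as well so the stored renewal config matches, or verify the challenge path is served and say so in a comment above the `echo`. The file is also written whether or not LETSENCRYPT is set; `certbot renew` with no lineages is harmless, but guarding it with `if [[ "${LETSENCRYPT}" == true ]]; then … fi` keeps the cron table from advertising a renewal job that has nothing to renew.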
@@ -39,25 +39,34 @@ for d in ${MAILBOXES_DIR} \ [[ -d ${d} ]] || mkdir -p ${d} done -# Create self-signed ssl cert. -if [[ ! -f ${SSL_CERT_FILE} ]] || [[ ! -f ${SSL_KEY_FILE} ]]; then - LOG "Generating self-signed ssl cert under ${SSL_CERT_DIR}." - openssl req -x509 -nodes -sha256 -days 3650 \ - -subj "/C=${SSL_CERT_COUNTRY}/ST=${SSL_CERT_STATE}/L=${SSL_CERT_CITY}/O=${SSL_CERT_DEPARTMENT}/CN=${HOSTNAME}/emailAddress=${POSTMASTER_EMAIL}" \ - -newkey rsa:${SSL_KEY_LENGTH} \ - -out ${SSL_CERT_FILE} \ - -keyout ${SSL_KEY_FILE} >/dev/null - - cp -f ${SSL_CERT_FILE} ${SSL_COMBINED_FILE} +if [ "${LETSENCRYPT}"=true ]; then + if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/privkey.pem ]; then + certbot certonly --staging --standalone --non-interactive --agree-tos -d ${HOSTNAME} -m ${POSTMASTER_EMAIL} + fi + ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/cert.pem + ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem + ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/combined.pem + +else + # Create self-signed ssl cert. + if [[ ! -f ${SSL_CERT_FILE} ]] || [[ ! -f ${SSL_KEY_FILE} ]]; then + LOG "Generating self-signed ssl cert under ${SSL_CERT_DIR}." + openssl req -x509 -nodes -sha256 -days 3650 \ + -subj "/C=${SSL_CERT_COUNTRY}/ST=${SSL_CERT_STATE}/L=${SSL_CERT_CITY}/O=${SSL_CERT_DEPARTMENT}/CN=${HOSTNAME}/emailAddress=${POSTMASTER_EMAIL}" \ + -newkey rsa:${SSL_KEY_LENGTH} \ + -out ${SSL_CERT_FILE} \ + -keyout ${SSL_KEY_FILE} >/dev/null + + cp -f ${SSL_CERT_FILE} ${SSL_COMBINED_FILE} + fi + chmod 0644 ${SSL_CERT_FILE} ${SSL_KEY_FILE} ${SSL_COMBINED_FILE} fi -chmod 0644 ${SSL_CERT_FILE} ${SSL_KEY_FILE} ${SSL_COMBINED_FILE} - -# Create dh param. -if [[ ! -f ${SSL_DHPARAM2048_FILE} ]]; then - LOG "Generating dh param file: ${SSL_DHPARAM2048_FILE}. It make take a long time." - openssl dhparam -out ${SSL_DHPARAM2048_FILE} 2048 >/dev/null -fi -chmod 0644 ${SSL_DHPARAM2048_FILE} + # Create dh param. + if [[ ! 
-f ${SSL_DHPARAM2048_FILE} ]]; then + LOG "Generating dh param file: ${SSL_DHPARAM2048_FILE}. It make take a long time." + openssl dhparam -out ${SSL_DHPARAM2048_FILE} 2048 >/dev/null + fi + chmod 0644 ${SSL_DHPARAM2048_FILE} # Make sure mailboxes directory has correct owner/group and permission. # Note: If there're many mailboxes, `chown/chmod -R` will take a long time. diff --git a/run_all_in_one.sh b/run_all_in_one.sh index d321014..00c3dbb 100755 --- a/run_all_in_one.sh +++ b/run_all_in_one.sh @@ -64,4 +64,5 @@ docker run \ -v ${DATA_DIR}/imapsieve_copy:/var/vmail/imapsieve_copy \ -v ${DATA_DIR}/sa_rules:/var/lib/spamassassin \ -v ${DATA_DIR}/postfix_queue:/var/spool/postfix \ + -v ${DATA_DIR}/ssl:/etc/letsencrypt \ iredmail/mariadb:nightly From bf9635c525a262cba60650a09e6d2373daf6e307 Mon Sep 17 00:00:00 2001 From: Steve Myers <35839355+smyers119@users.noreply.github.com> Date: Sat, 23 Dec 2023 14:31:54 -0500 Subject: [PATCH 3/5] removed staging removed staging server from certbot --- entrypoints/dovecot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoints/dovecot.sh b/entrypoints/dovecot.sh index b1d3bef..2c7330e 100644 --- a/entrypoints/dovecot.sh +++ b/entrypoints/dovecot.sh @@ -41,7 +41,7 @@ done if [ "${LETSENCRYPT}"=true ]; then if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/privkey.pem ]; then - certbot certonly --staging --standalone --non-interactive --agree-tos -d ${HOSTNAME} -m ${POSTMASTER_EMAIL} + certbot certonly --standalone --non-interactive --agree-tos -d ${HOSTNAME} -m ${POSTMASTER_EMAIL} fi ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/cert.pem ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem From 3d430a39c24630d4698d295dba987bc24fc2e9fe Mon Sep 17 00:00:00 2001 
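Review bot: `if [ "${LETSENCRYPT}"=true ]` has no spaces around `=`, so `[` receives one non-empty word and the test is always true: the self-signed branch below is unreachable and certbot runs for every deployment, including those that never set LETSENCRYPT. Use `if [[ "${LETSENCRYPT}" == true ]]; then`, which also matches the `[[ ]]` style the rest of this file uses. The `certbot certonly` exit status is ignored as well; if issuance fails (DNS not pointing here, or port 80 already held when `--standalone` runs — whether it is free at this point of the entrypoint isn't visible), the three `ln -sf` lines create dangling symlinks and postfix/dovecot/nginx come up with no usable TLS material, so at minimum `certbot certonly … || LOG "certbot failed for ${HOSTNAME}"` and leave the self-signed files in place as the fallback. The dh-param block that follows is indented as if inside the `if` but sits after its `fi`; dedent it so the structure reads correctly.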
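Review bot: Dropping `--staging` means every failed issuance now counts against Let's Encrypt's production rate limits (currently documented as 5 failed validations per hostname per hour and 50 certificates per registered domain per week); because the `[ ! -f …/privkey.pem ]` guard only skips certbot once a key exists, a container that restarts while issuance keeps failing retries on every start and can be locked out for an hour or longer. Consider keeping staging selectable for first deployments, e.g. `certbot certonly ${LETSENCRYPT_STAGING:+--staging} --standalone …`, and documenting the variable in the README. The enclosing `if [ "${LETSENCRYPT}"=true ]` block continues outside the hunk.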
From: Steve Myers <35839355+smyers119@users.noreply.github.com> Date: Sat, 23 Dec 2023 16:08:30 -0500 Subject: [PATCH 4/5] fix cron bug Fix cron to conform with iredmail documentation here: https://docs.iredmail.org/letsencrypt.html --- entrypoints/cron.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoints/cron.sh b/entrypoints/cron.sh index 8847214..5f6bc33 100644 --- a/entrypoints/cron.sh +++ b/entrypoints/cron.sh @@ -8,7 +8,7 @@ . /docker/entrypoints/functions.sh -echo "1 3 * * * certbot renew --webroot -w /var/www/html --post-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'" > /etc/cron.d/letsencrypt +echo "1 3 * * * certbot renew --webroot -w /var/www/html --post-hook 'ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem; /usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'" > /etc/cron.d/letsencrypt chmod 0644 /etc/cron.d/letsencrypt From dcc0d04d75e03bbc3922ab1dab1ce8093387eae7 Mon Sep 17 00:00:00 2001 From: Steve Myers <35839355+smyers119@users.noreply.github.com> Date: Sat, 23 Dec 2023 16:12:34 -0500 Subject: [PATCH 5/5] fix certificate allocation fixed certificate allocation. --- entrypoints/dovecot.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoints/dovecot.sh b/entrypoints/dovecot.sh index 2c7330e..9bef1bc 100644 --- a/entrypoints/dovecot.sh +++ b/entrypoints/dovecot.sh 
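Review bot: The hook is still `--post-hook`, which certbot runs after every renewal attempt including failed ones, so a broken webroot challenge restarts postfix, nginx and dovecot at 03:01 every day while the certificate never changes; `--deploy-hook` runs only after a successful renewal and is the hook intended for reloading services. The added `ln -sf …/privkey.pem` is a no-op on renewal, since `/opt/iredmail/ssl/key.pem` already points into `live/`, whose own symlinks certbot updates, so the line can be simplified to `--deploy-hook '/usr/sbin/service postfix restart; /usr/sbin/service nginx restart; /usr/sbin/service dovecot restart'`. Note that `${HOSTNAME}` is expanded when cron.sh writes the file, so this relies on HOSTNAME being set in the entrypoint's environment, which isn't visible here.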
@@ -43,7 +43,7 @@ if [ "${LETSENCRYPT}"=true ]; then if [ ! -f /etc/letsencrypt/live/${HOSTNAME}/privkey.pem ]; then certbot certonly --standalone --non-interactive --agree-tos -d ${HOSTNAME} -m ${POSTMASTER_EMAIL} fi - ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/cert.pem + ln -sf /etc/letsencrypt/live/${HOSTNAME}/cert.pem /opt/iredmail/ssl/cert.pem ln -sf /etc/letsencrypt/live/${HOSTNAME}/privkey.pem /opt/iredmail/ssl/key.pem ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/combined.pem
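Review bot: After this change `cert.pem` is the leaf certificate while `combined.pem` still points at `fullchain.pem`; whichever daemon is configured with `cert.pem` (not visible here) will present no intermediate unless it is also given a chain file, and mail clients that do not fetch intermediates themselves may then reject the connection. In the self-signed branch `cert.pem` and `combined.pem` are byte-identical copies, so if the goal is parity with that layout, keep `ln -sf /etc/letsencrypt/live/${HOSTNAME}/fullchain.pem /opt/iredmail/ssl/cert.pem` and only switch to the leaf where a service explicitly expects leaf plus separate chain; a one-line comment stating which service reads which file would make the intent checkable. The enclosing `if` block starts and ends outside the hunk.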