#!/bin/bash
#
# Mail Service

PATH=$HOME/.docker/cli-plugins:/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

config_mail() {
  echo -ne "\n* Configuring /federated/apps/mail container.."
  spin &
  SPINPID=$!

  if [ ! -d "/federated/apps/mail" ]; then
    mkdir -p /federated/apps/mail/data/root/certs &> /dev/null
    mkdir -p /federated/apps/mail/data/var/mail &> /dev/null
    mkdir -p /federated/apps/mail/data/var/mail-state &> /dev/null
    mkdir -p /federated/apps/mail/data/var/log/mail &> /dev/null
    mkdir -p /federated/apps/mail/data/tmp/docker-mailserver &> /dev/null
    cp /federated/certs/certs/$DOMAIN.crt /federated/certs/private/$DOMAIN.key /federated/apps/mail/data/root/certs/
  fi

cat > /federated/apps/mail/docker-compose.yml <<EOF
version: '3.7'

services:
  mail:
    image: docker.io/mailserver/docker-mailserver:\${IMAGE_VERSION}
    container_name: mail
    hostname: mail.$DOMAIN
    domainname: $DOMAIN
    restart: always
    networks:
      federated:
        ipv4_address: 172.99.0.16
    ports:
      - "25:25"
      - "143:143"
      - "465:465"
      - "587:587"
      - "993:993"
    volumes:
      - ./data/root/certs:/root/certs
      - ./data/var/mail:/var/mail/
      - ./data/var/mail-state:/var/mail-state/
      - ./data/var/log/mail:/var/log/mail/
      - ./data/tmp/docker-mailserver:/tmp/docker-mailserver/
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - ./.env
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE

networks:
  federated:
    external: true
EOF

LDAP_SECRET=`cat /federated/apps/ldap/.ldap.secret`

cat > /federated/apps/mail/.env <<EOF
IMAGE_VERSION="11.3.1"
ENABLE_SPAMASSASSIN=1
ENABLE_SPAMASSASSIN_KAM=1
SPAMASSASSIN_SPAM_TO_INBOX=1
ENABLE_CLAMAV=0
ENABLE_FAIL2BAN=1
ENABLE_POSTGREY=1
ONE_DIR=1
DMS_DEBUG=0
LOG_LEVEL=debug
ENABLE_LDAP=1
SSL_TYPE=manual
SSL_CERT_PATH=/root/certs/$DOMAIN.crt
SSL_KEY_PATH=/root/certs/$DOMAIN.key
LDAP_START_TLS=yes
DOVECOT_TLS=yes
SASLAUTHD_LDAP_START_TLS=yes
LDAP_SERVER_HOST=ldap.$DOMAIN
LDAP_SEARCH_BASE=ou=people,dc=federatedcomputer,dc=cloud
LDAP_BIND_DN=cn=admin,dc=federatedcomputer,dc=cloud
LDAP_BIND_PW=$LDAP_SECRET
LDAP_QUERY_FILTER_USER=(&(mail=%s)(mailEnabled=TRUE))
LDAP_QUERY_FILTER_GROUP=(&(mailGroupMember=%s)(mailEnabled=TRUE))
LDAP_QUERY_FILTER_ALIAS=(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=inetOrgPerson)(mailEnabled=TRUE)))
LDAP_QUERY_FILTER_DOMAIN=(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))
# DOVECOT
DOVECOT_PASS_FILTER=(&(objectClass=inetOrgPerson)(uid=%n))
DOVECOT_USER_FILTER=(&(objectClass=inetOrgPerson)(uid=%n))
DOVECOT_USER_ATTRS=homeDirectory=home,=uid=5000,=gid=5000
# SASLAUTHD
ENABLE_SASLAUTHD=1
SASLAUTHD_MECHANISMS=ldap
SASLAUTHD_LDAP_SERVER=ldap.$DOMAIN
SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=federatedcomputer,dc=cloud
SASLAUTHD_LDAP_PASSWORD=$LDAP_SECRET
SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=federatedcomputer,dc=cloud
SASLAUTHD_LDAP_FILTER=(&(objectClass=inetOrgPerson)(uid=%U))
POSTMASTER_ADDRESS=postmaster@localhost.localdomain
POSTFIX_MESSAGE_SIZE_LIMIT=100000000
EOF
chmod 600 /federated/apps/mail/.env

cat > /federated/apps/mail/data/tmp/docker-mailserver/postfix-main.cf <<'EOF'
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-aliases.cf
EOF

  kill -9 $SPINPID &> /dev/null
  echo -ne "done."
}
start_mail() {
  # Grab the container IP from docker-compose above
  SERVICE_IP=`grep ipv4_address /federated/apps/mail/docker-compose.yml | awk '{ print $2 }'`

  # Start service with command to make sure it's up before proceeding
  start_service "mail" "nc -z $SERVICE_IP 25 &> /dev/null"

  # Generate the DKIM DNS key
  docker exec -it mail setup config dkim keysize 2048 domain $DOMAIN &> /dev/null
  [ $? -ne 0 ] && fail "Couldn't generate DKIM record"

  # Insert the DKIM DNS TXT entry into /federated/apps/pdns container
  DKIM_RECORD_STRIP=`cat /federated/apps/mail/data/tmp/docker-mailserver/opendkim/keys/$DOMAIN/mail.txt | sed 's/.*(//'`
  DKIM_RECORD=`echo $DKIM_RECORD_STRIP | sed 's/).*//'`
  docker exec -it pdns pdnsutil add-record $DOMAIN mail._domainkey TXT 86400 "$DKIM_RECORD"
  [ $? -ne 0 ] && fail "Couldn't insert DKIM record into /federated/apps/pdns container"

  # Insert the DMARC DNS TXT entry into /federated/apps/dns container
  docker exec -it pdns pdnsutil add-record $DOMAIN _dmarc TXT 86400 "\"v=DMARC1; p=quarantine; rua=mailto:admin@$DOMAIN; ruf=mailto:admin@$DOMAIN; sp=none; ri=86400\""
  [ $? -ne 0 ] && fail "Couldn't insert DMARC record into /federated/apps/pdns container"

  kill -9 $SPINPID &> /dev/null
  echo -ne "done."
}