#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

MAIL_SSL_DIR="/etc/ssl/mail"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

log "Postfix konfigurieren …"

# --- TLS-Dateirechte (falls du sie in /etc/mailwolt/ssl spiegelst) -----------
if [[ -e "${MAIL_KEY}" ]]; then
  chgrp -R postfix /etc/mailwolt/ssl || true
  chmod 750 /etc/mailwolt/ssl || true
  chmod 640 /etc/mailwolt/ssl/key.pem /etc/mailwolt/ssl/cert.pem || true
fi

# --- Basiskonfiguration -------------------------------------------------------
/usr/sbin/postconf -e "myhostname = ${MAIL_HOSTNAME}"
/usr/sbin/postconf -e "myorigin = \$myhostname"
/usr/sbin/postconf -e "mydestination = "
/usr/sbin/postconf -e "inet_interfaces = all"
/usr/sbin/postconf -e "inet_protocols = all"
/usr/sbin/postconf -e "smtpd_banner = \$myhostname ESMTP"

# --- TLS ----------------------------------------------------------------------
/usr/sbin/postconf -e "smtpd_tls_cert_file = ${MAIL_CERT}"
/usr/sbin/postconf -e "smtpd_tls_key_file  = ${MAIL_KEY}"
/usr/sbin/postconf -e "smtpd_tls_security_level = may"
/usr/sbin/postconf -e "smtp_tls_security_level  = may"
/usr/sbin/postconf -e "smtpd_tls_received_header = yes"
/usr/sbin/postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
/usr/sbin/postconf -e "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"
/usr/sbin/postconf -e "smtpd_tls_loglevel = 1"
/usr/sbin/postconf -e "smtp_tls_loglevel = 1"

# --- SMTP Sicherheit ----------------------------------------------------------
/usr/sbin/postconf -e "disable_vrfy_command = yes"
/usr/sbin/postconf -e "smtpd_helo_required = yes"

# --- Milter -------------------------------------------------------------------
/usr/sbin/postconf -e "milter_default_action = accept"
/usr/sbin/postconf -e "milter_protocol = 6"
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"

# --- SASL Auth via Dovecot ----------------------------------------------------
/usr/sbin/postconf -e "smtpd_sasl_type = dovecot"
/usr/sbin/postconf -e "smtpd_sasl_path = private/auth"
/usr/sbin/postconf -e "smtpd_sasl_auth_enable = yes"
/usr/sbin/postconf -e "smtpd_sasl_security_options = noanonymous"

# --- Recipient & Relay Restriction --------------------------------------------
/usr/sbin/postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
/usr/sbin/postconf -e "smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination"

# --- Listener / Master.cf Definition ------------------------------------------
/usr/sbin/postconf -M "smtp/inet=smtp inet n - n - - smtpd -o smtpd_peername_lookup=no -o smtpd_timeout=30s"
/usr/sbin/postconf -M "submission/inet=submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_peername_lookup=no -o smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
/usr/sbin/postconf -M "smtps/inet=smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_peername_lookup=no -o smtpd_tls_wrappermode=yes -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"

# postscreen ggf. deaktivieren
sed -i 's/^[[:space:]]*smtp[[:space:]]\+inet[[:space:]]\+.*postscreen/# &/' /etc/postfix/master.cf || true

# --- SQL Maps (Verzeichnis zuerst!) -------------------------------------------
install -d -o root -g postfix -m 750 /etc/postfix/sql

# Domains
cat > /etc/postfix/sql/mysql-virtual-domains.cf <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}
query = SELECT 1 FROM domains WHERE domain = '%s' AND is_active = 1 LIMIT 1;
CONF
chown root:postfix /etc/postfix/sql/mysql-virtual-domains.cf
chmod 640 /etc/postfix/sql/mysql-virtual-domains.cf

# Mailboxen
cat > /etc/postfix/sql/mysql-virtual-mailbox-maps.cf <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}
query = SELECT 1 FROM mail_users u JOIN domains d ON d.id = u.domain_id WHERE u.email = '%s' AND u.is_active = 1 AND u.can_login = 1 AND u.password_hash IS NOT NULL AND d.is_active = 1 LIMIT 1;
CONF
chown root:postfix /etc/postfix/sql/mysql-virtual-mailbox-maps.cf
chmod 640 /etc/postfix/sql/mysql-virtual-mailbox-maps.cf

# Aliase
cat > /etc/postfix/sql/mysql-virtual-alias-maps.cf <<CONF
hosts = 127.0.0.1
user = ${DB_USER}
password = ${DB_PASS}
dbname = ${DB_NAME}
query = SELECT COALESCE(mu.email, r.email) AS destination FROM mail_aliases a JOIN domains d ON d.id = a.domain_id JOIN mail_alias_recipients r ON r.alias_id = a.id LEFT JOIN mail_users mu ON mu.id = r.mail_user_id WHERE d.domain = SUBSTRING_INDEX('%s','@',-1) AND a.local  = SUBSTRING_INDEX('%s','@', 1) AND a.is_active = 1 AND d.is_active = 1 AND (mu.email IS NOT NULL OR r.email IS NOT NULL) ORDER BY r.position ASC;
CONF
chown root:postfix /etc/postfix/sql/mysql-virtual-alias-maps.cf
chmod 640 /etc/postfix/sql/mysql-virtual-alias-maps.cf

# Aktivieren
/usr/sbin/postconf -e "virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql-virtual-domains.cf"
/usr/sbin/postconf -e "virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql-virtual-mailbox-maps.cf"
/usr/sbin/postconf -e "virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql-virtual-alias-maps.cf"
/usr/sbin/postconf -e "virtual_transport = lmtp:unix:private/dovecot-lmtp"

# --- Dienst aktivieren & neu laden --------------------------------------------
systemctl enable postfix >/dev/null 2>&1 || true

#systemctl reload postfix || systemctl restart postfix
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#MAIL_SSL_DIR="/etc/ssl/mail"
#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
#
#log "Postfix konfigurieren …"
#
## --- Sicherheit & TLS-Rechte ---------------------------------------------------
#if [[ -e "${MAIL_KEY}" ]]; then
#  chgrp -R postfix /etc/mailwolt/ssl || true
#  chmod 750 /etc/mailwolt/ssl || true
#  chmod 640 /etc/mailwolt/ssl/key.pem /etc/mailwolt/ssl/cert.pem || true
#fi
#
## --- Basiskonfiguration --------------------------------------------------------
#/usr/sbin/postconf -e "myhostname = ${MAIL_HOSTNAME}"
#/usr/sbin/postconf -e "myorigin = \$myhostname"
#/usr/sbin/postconf -e "mydestination = "
#/usr/sbin/postconf -e "inet_interfaces = all"
#/usr/sbin/postconf -e "inet_protocols = ipv4"
#/usr/sbin/postconf -e "smtpd_banner = \$myhostname ESMTP"
#
## --- TLS ----------------------------------------------------------------------
#/usr/sbin/postconf -e "smtpd_tls_cert_file = ${MAIL_CERT}"
#/usr/sbin/postconf -e "smtpd_tls_key_file  = ${MAIL_KEY}"
#/usr/sbin/postconf -e "smtpd_tls_security_level = may"
#/usr/sbin/postconf -e "smtp_tls_security_level  = may"
#/usr/sbin/postconf -e "smtpd_tls_received_header = yes"
#/usr/sbin/postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3"
#/usr/sbin/postconf -e "smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3"
#/usr/sbin/postconf -e "smtpd_tls_loglevel = 1"
#/usr/sbin/postconf -e "smtp_tls_loglevel = 1"
#
## --- SMTP Sicherheit ----------------------------------------------------------
#/usr/sbin/postconf -e "disable_vrfy_command = yes"
#/usr/sbin/postconf -e "smtpd_helo_required = yes"
#
## --- Milter -------------------------------------------------------------------
#/usr/sbin/postconf -e "milter_default_action = accept"
#/usr/sbin/postconf -e "milter_protocol = 6"
#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
#
## --- SASL Auth via Dovecot ----------------------------------------------------
#/usr/sbin/postconf -e "smtpd_sasl_type = dovecot"
#/usr/sbin/postconf -e "smtpd_sasl_path = private/auth"
#/usr/sbin/postconf -e "smtpd_sasl_auth_enable = yes"
#/usr/sbin/postconf -e "smtpd_sasl_security_options = noanonymous"
#
## --- Recipient & Relay Restriction --------------------------------------------
#/usr/sbin/postconf -e "smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
#/usr/sbin/postconf -e "smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination"
#
## --- Listener / Master.cf Definition ------------------------------------------
#/usr/sbin/postconf -M "smtp/inet=smtp inet n - n - - smtpd -o smtpd_peername_lookup=no -o smtpd_timeout=30s"
#/usr/sbin/postconf -M "submission/inet=submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_peername_lookup=no -o smtpd_tls_security_level=encrypt -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
#/usr/sbin/postconf -M "smtps/inet=smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_peername_lookup=no -o smtpd_tls_wrappermode=yes -o smtpd_tls_auth_only=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject"
#
## postscreen ggf. deaktivieren (verhindert Port-Konflikte)
#sed -i 's/^[[:space:]]*smtp[[:space:]]\+inet[[:space:]]\+.*postscreen/# &/' /etc/postfix/master.cf || true
#
## --- SQL Maps -----------------------------------------------------------------
#install -d -o root -g postfix -m 750 /etc/postfix/sql
#
#cat > /etc/postfix/sql/mysql-virtual-mailbox-maps.cf <<CONF
#hosts = 127.0.0.1
#user = ${DB_USER}
#password = ${DB_PASS}
#dbname = ${DB_NAME}
#query = SELECT 1
#        FROM mail_users u
#        JOIN domains d ON d.id = u.domain_id
#        WHERE u.email = '%s' AND u.is_active = 1 AND d.is_active = 1
#        LIMIT 1;
#CONF
#chown root:postfix /etc/postfix/sql/mysql-virtual-mailbox-maps.cf
#chmod 640 /etc/postfix/sql/mysql-virtual-mailbox-maps.cf
#
#cat > /etc/postfix/sql/mysql-virtual-alias-maps.cf <<CONF
#hosts = 127.0.0.1
#user = ${DB_USER}
#password = ${DB_PASS}
#dbname = ${DB_NAME}
#query = SELECT destination
#        FROM mail_aliases a
#        JOIN domains d ON d.id = a.domain_id
#        WHERE a.source = '%s' AND a.is_active = 1 AND d.is_active = 1
#        LIMIT 1;
#CONF
#chown root:postfix /etc/postfix/sql/mysql-virtual-alias-maps.cf
#chmod 640 /etc/postfix/sql/mysql-virtual-alias-maps.cf
#
## --- Aktivieren, Start erfolgt später durch 90-services.sh --------------------
#systemctl enable postfix >/dev/null 2>&1 || true