#!/usr/bin/env bash
set -euo pipefail
source ./lib.sh

MAIL_SSL_DIR="/etc/ssl/mail"
MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"

log "Dovecot konfigurieren …"

# ──────────────────────────────────────────────────────────────────────────────
# 1) vmail-Benutzer/Gruppe & Mailspool vorbereiten (DYNAMIC UID!)
# ──────────────────────────────────────────────────────────────────────────────

# Sicherstellen, dass die Gruppe 'mail' existiert (auf Debian/Ubuntu idR vorhanden)
getent group mail >/dev/null || groupadd -g 8 mail || true

# vmail anlegen, wenn er fehlt. Bevorzugt UID 109, falls frei – sonst automatisch.
if ! getent passwd vmail >/dev/null; then
  if ! getent passwd 109 >/dev/null; then
    useradd -u 109 -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
  else
    useradd -g mail -d /var/mail -M -s /usr/sbin/nologin vmail
  fi
fi

# Tatsächliche vmail-UID ermitteln (wird unten in die Dovecot-Config geschrieben)
VMAIL_UID="$(id -u vmail)"

# Mailspool-Basis
install -d -m 0770 -o vmail -g mail /var/mail/vhosts

# ──────────────────────────────────────────────────────────────────────────────
# 2) Dovecot Grundgerüst
# ──────────────────────────────────────────────────────────────────────────────

# Hauptdatei
install -d -m 0755 /etc/dovecot/conf.d
cat > /etc/dovecot/dovecot.conf <<'CONF'
!include_try /etc/dovecot/conf.d/*.conf
CONF

# Mail-Location & Namespace + UID-Grenzen
cat > /etc/dovecot/conf.d/10-mail.conf <<CONF
protocols = imap pop3 lmtp
mail_location = maildir:/var/mail/vhosts/%d/%n

namespace inbox {
  inbox = yes
}

mail_privileged_group = mail
mail_access_groups = mail
first_valid_uid = ${VMAIL_UID}
last_valid_uid  = ${VMAIL_UID}
CONF

# Standard-Mailboxen automatisch erstellen/abonnieren
cat > /etc/dovecot/conf.d/15-mailboxes.conf <<'CONF'
namespace inbox {
  inbox = yes

  mailbox Drafts {
    special_use = \Drafts
    auto = subscribe
  }
  mailbox Junk {
    special_use = \Junk
    auto = subscribe
  }
  mailbox Trash {
    special_use = \Trash
    auto = subscribe
  }
  mailbox Sent {
    special_use = \Sent
    auto = subscribe
  }

  # optional: Archive
  mailbox Archive {
    special_use = \Archive
    auto = create
  }
}
CONF

# Auth
cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
disable_plaintext_auth = yes
auth_mechanisms = plain login
!include_try auth-sql.conf.ext
CONF

# SQL-Anbindung (Passwörter aus App-DB)
cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
driver = mysql
connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
default_pass_scheme = BLF-CRYPT
password_query = SELECT u.email AS user, u.password_hash AS password
                 FROM mail_users u
                 JOIN domains d ON d.id = u.domain_id
                 WHERE u.email = '%u'
                   AND u.is_active = 1
                   AND u.can_login = 1
                   AND u.password_hash IS NOT NULL
                   AND d.is_active = 1
                 LIMIT 1;
CONF
chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
chmod 640 /etc/dovecot/dovecot-sql.conf.ext

# Auth-SQL → userdb static auf vmail:mail (Home unter /var/mail/vhosts/%d/%n)
cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
passdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
}
CONF
chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext

# Master-Services (LMTP + AUTH + IMAP/POP3 Listener v)
cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    mode = 0600
    user = postfix
    group = postfix
  }
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
CONF

# SSL – auf stabile Mail-Pfade zeigen
DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
touch "$DOVECOT_SSL_CONF"
grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
else
  echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
fi
if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
  sed -i "s|^\s*ssl_key\s*=.*|ssl_key  = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
else
  echo "ssl_key  = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
fi
grep -q '^ssl_min_protocol' "$DOVECOT_SSL_CONF" || echo "ssl_min_protocol = TLSv1.2" >> "$DOVECOT_SSL_CONF"

# Postfix-Socket-Verzeichnis sicherstellen
mkdir -p /var/spool/postfix/private
chown root:root /var/spool/postfix
chmod 0755     /var/spool/postfix
chown postfix:postfix /var/spool/postfix/private
chmod 0755            /var/spool/postfix/private

# Nur aktivieren – Start/Reload später
systemctl enable dovecot >/dev/null 2>&1 || true

##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#MAIL_SSL_DIR="/etc/ssl/mail"
#MAIL_CERT="${MAIL_SSL_DIR}/fullchain.pem"
#MAIL_KEY="${MAIL_SSL_DIR}/privkey.pem"
#
#log "Dovecot konfigurieren …"
#
## Hauptdatei
#cat > /etc/dovecot/dovecot.conf <<'CONF'
#!include_try /etc/dovecot/conf.d/*.conf
#CONF
#
## Mail-Location & Namespace
#cat > /etc/dovecot/conf.d/10-mail.conf <<'CONF'
#protocols = imap pop3 lmtp
#mail_location = maildir:/var/mail/vhosts/%d/%n
#
#namespace inbox {
#  inbox = yes
#}
#
#mail_privileged_group = mail
#first_valid_uid = 109
#last_valid_uid  = 109
#CONF
#
## Auth
#cat > /etc/dovecot/conf.d/10-auth.conf <<'CONF'
#disable_plaintext_auth = yes
#auth_mechanisms = plain login
#!include_try auth-sql.conf.ext
#CONF
#
## SQL-Anbindung
#cat > /etc/dovecot/dovecot-sql.conf.ext <<CONF
#driver = mysql
#connect = host=127.0.0.1 dbname=${DB_NAME} user=${DB_USER} password=${DB_PASS}
#default_pass_scheme = BLF-CRYPT
#password_query = SELECT email AS user, password_hash AS password FROM mail_users WHERE email = '%u' AND is_active = 1 LIMIT 1;
#CONF
#chown root:dovecot /etc/dovecot/dovecot-sql.conf.ext
#chmod 640 /etc/dovecot/dovecot-sql.conf.ext
#
## Auth-SQL Einbindung
#cat > /etc/dovecot/conf.d/auth-sql.conf.ext <<'CONF'
#passdb {
#  driver = sql
#  args = /etc/dovecot/dovecot-sql.conf.ext
#}
#userdb {
#  driver = static
#  args = uid=vmail gid=mail home=/var/mail/vhosts/%d/%n
#}
#CONF
#chown root:dovecot /etc/dovecot/conf.d/auth-sql.conf.ext
#chmod 640 /etc/dovecot/conf.d/auth-sql.conf.ext
#
## Master-Services (LMTP + AUTH + Listener)
#cat > /etc/dovecot/conf.d/10-master.conf <<'CONF'
#service lmtp {
#  unix_listener /var/spool/postfix/private/dovecot-lmtp {
#    mode = 0600
#    user = postfix
#    group = postfix
#  }
#}
#service auth {
#  unix_listener /var/spool/postfix/private/auth {
#    mode = 0660
#    user = postfix
#    group = postfix
#  }
#}
#service imap-login {
#  inet_listener imap  {
#    port = 143
#  }
#  inet_listener imaps {
#    port = 993
#    ssl = yes
#  }
#}
#service pop3-login {
#  inet_listener pop3  {
#    port = 110
#  }
#  inet_listener pop3s {
#    port = 995
#    ssl = yes
#  }
#}
#CONF
#
## SSL – stabile Mail-Pfade
#DOVECOT_SSL_CONF="/etc/dovecot/conf.d/10-ssl.conf"
#grep -q '^ssl\s*=' "$DOVECOT_SSL_CONF" 2>/dev/null || echo "ssl = required" >> "$DOVECOT_SSL_CONF"
#if grep -q '^\s*ssl_cert\s*=' "$DOVECOT_SSL_CONF"; then
#  sed -i "s|^\s*ssl_cert\s*=.*|ssl_cert = <${MAIL_CERT}|" "$DOVECOT_SSL_CONF"
#else
#  echo "ssl_cert = <${MAIL_CERT}" >> "$DOVECOT_SSL_CONF"
#fi
#if grep -q '^\s*ssl_key\s*=' "$DOVECOT_SSL_CONF"; then
#  sed -i "s|^\s*ssl_key\s*=.*|ssl_key  = <${MAIL_KEY}|" "$DOVECOT_SSL_CONF"
#else
#  echo "ssl_key  = <${MAIL_KEY}" >> "$DOVECOT_SSL_CONF"
#fi
#
## Postfix-Socket-Verzeichnis sicherstellen
#mkdir -p /var/spool/postfix/private
#chown root:root /var/spool/postfix
#chmod 0755     /var/spool/postfix
#chown postfix:postfix /var/spool/postfix/private
#chmod 0755            /var/spool/postfix/private
#
## Nur aktivieren – Start/Reload erst nach App/DB in 90-services.sh
#systemctl enable dovecot >/dev/null 2>&1 || true