From 1765d304eb3f42816b21545047040997fd02d8e4 Mon Sep 17 00:00:00 2001
From: Fernando Alegre <fernando@mail.alemor.org>
Date: Sat, 6 Jun 2020 18:38:50 +0000
Subject: [PATCH 1/4] Modified config to conform to alemor policy

---
 src/mailsrv/assets/bin/mkvirt        | 14 ++------------
 src/mailsrv/assets/postfix/main.cf   |  6 +++---
 src/mailsrv/assets/postfix/master.cf |  2 --
 3 files changed, 5 insertions(+), 17 deletions(-)

diff --git a/src/mailsrv/assets/bin/mkvirt b/src/mailsrv/assets/bin/mkvirt
index 607f1ef..975ec5d 100755
--- a/src/mailsrv/assets/bin/mkvirt
+++ b/src/mailsrv/assets/bin/mkvirt
@@ -15,17 +15,7 @@ postmap /etc/postfix/users
 
 ### Aliases ###
 
-# make self-referential users list
-# this is needed for the reject_sender_login_mismatch restriction to work,
-# otherwise users cannot send emails as their own address
-mkdir -p /vol/db/aliases_out.d
-cd /vol/db/aliases_out.d
-echo "# This file is autogenerated by mkvirt. Don't edit it manually." > self.list
-cat /vol/db/users | cut -d':' -f1 | perl -pe 's/(.*)/\1\@brbytes.org \1\n\1\@mail.brbytes.org \1/' >> self.list
-
 # copy aliases to postifx config
 cd /etc/postfix
-cat /vol/db/aliases_out.d/*.list > aliases_out
-postmap aliases_out
-cat /vol/db/aliases_in.d/*.list > aliases_in
-postmap aliases_in
+cat /vol/db/aliases.d/*.list > aliases
+postmap aliases
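Review bot: The new `cat /vol/db/aliases.d/*.list > aliases` writes an empty `aliases` file when the directory holds no `.list` files (the glob stays literal and `cat` fails after the redirect has already truncated the target), and `postmap aliases` then installs an empty `virtual_alias_maps` with no diagnostic — unless a `set -e` at the top of the script, which is outside this hunk, aborts the run first. A guard before the copy makes the failure explicit: `ls /vol/db/aliases.d/*.list >/dev/null 2>&1 || { echo 'mkvirt: no alias lists in /vol/db/aliases.d' >&2; exit 1; }`. The old `aliases_in`/`aliases_out` files and their `.db` maps are also left behind in `/etc/postfix`; a `rm -f aliases_in* aliases_out*` here would keep the directory from carrying a stale sender-login map that nothing references any more.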
diff --git a/src/mailsrv/assets/postfix/main.cf b/src/mailsrv/assets/postfix/main.cf
index 9e1d182..40cd54b 100644
--- a/src/mailsrv/assets/postfix/main.cf
+++ b/src/mailsrv/assets/postfix/main.cf
@@ -17,18 +17,18 @@ compatibility_level = 2
 
 ### Domains ###
 # primary name of server
-myhostname = mail.brbytes.org
+myhostname = mail.alemor.org
 myorigin = $mydomain
 # domains to consider primary (local) endpoints
 mydestination = $myhostname, $mydomain, localhost.localdomain, localhost
 # domains to consider secondary (virtual) endpoints
-#virtual_alias_domains = info.brbytes.org
+virtual_alias_domains = epic.alemor.org, mail.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org, mbox.alemor.org, pirealps.org
 
 ### Users ###
 # get list of valid users from here instead of /etc/passwd
 local_recipient_maps = hash:/etc/postfix/users
 # get list of user aliases from this file
-virtual_alias_maps = hash:/etc/postfix/aliases_in
+virtual_alias_maps = hash:/etc/postfix/aliases
 # Address tag delimiter. If an email is sent to ${user}${delimiter}*,
 # the email is sent to ${user} if that address is not already explicitly defined.
 recipient_delimiter = -
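Review bot: `mail.alemor.org` is listed in `virtual_alias_domains` on the new side while the same name is `myhostname` and therefore already part of `mydestination` (`$myhostname` is its first entry); Postfix treats a domain listed in both as a local domain and logs a "do not list domain ... in BOTH mydestination and virtual_alias_domains" warning on every delivery. Drop it from the added line: `virtual_alias_domains = epic.alemor.org, home.alemor.org, alegre.alemor.org, daniel.alemor.org, fernando.alemor.org, juana.alemor.org, mario.alemor.org, moreno.alemor.org, mbox.alemor.org, pirealps.org`. If the intent is for `mail.alemor.org` recipients to be resolved only through the alias map rather than `local_recipient_maps`, that should be stated in the comment above the setting, since the two lookups behave differently for unknown recipients.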
diff --git a/src/mailsrv/assets/postfix/master.cf b/src/mailsrv/assets/postfix/master.cf
index 9f516ed..1705474 100644
--- a/src/mailsrv/assets/postfix/master.cf
+++ b/src/mailsrv/assets/postfix/master.cf
@@ -16,8 +16,6 @@ submission inet n       -       y       -       -       smtpd
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
-  -o smtpd_sender_login_maps=hash:/etc/postfix/aliases_out
-  -o smtpd_sender_restrictions=reject_sender_login_mismatch
 
 # Local services
 # ==========================================================================
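Review bot: Removing `smtpd_sender_login_maps` and `reject_sender_login_mismatch` from the submission service leaves `smtpd_sender_restrictions` unset there, so any SASL-authenticated account can now submit mail with an arbitrary envelope sender — another user's address, or a domain this server does not own — and the remaining restrictions (client and recipient only, visible above) do not stop it. The old self-referential list that fed this check was dropped from `mkvirt` in the same commit, so the restriction cannot simply be re-enabled as-is; if the unified alias map still maps `address -> local login`, which I cannot confirm from this hunk, `-o smtpd_sender_login_maps=hash:/etc/postfix/aliases` together with `-o smtpd_sender_restrictions=reject_sender_login_mismatch` would restore the binding. If the intent of the "alemor policy" is genuinely to let authenticated users send as any address, record that decision in a comment on the `submission` stanza so the missing check reads as deliberate rather than as an oversight.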

From f4599a75903b99f8723d5b5be596525cb826ae36 Mon Sep 17 00:00:00 2001
From: fernando <fernando@mail.alemor.org>
Date: Sat, 6 Jun 2020 14:36:45 -0500
Subject: [PATCH 2/4] Added some extra instruc tions

---
 src/mailsrv/docs/Deploy.md | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/src/mailsrv/docs/Deploy.md b/src/mailsrv/docs/Deploy.md
index 1c2cf54..61a0eaf 100644
--- a/src/mailsrv/docs/Deploy.md
+++ b/src/mailsrv/docs/Deploy.md
@@ -3,18 +3,34 @@
 ## create dirs
 
 ```
-mkdir -p /srv/volumes/mailserver/{db,mail,ssl}
-chown -R 5000:5000 /srv/volumes/mailserver
-chmod go-rwx /srv/volumes/mailserver/ssl
+sudo mkdir -p /srv/vol/mailsrv/{db,mail,ssl}
+sudo chown -R 5000:5000 /srv/vol/mailsrv
+sudo chmod go-rwx /srv/vol/mailsrv/ssl
 ```
 put your `users` and `aliases.d` in the `db` directory. Mail will go in the `mail` directory.
 
+```
+sudo -i
+cd /srv/vol/mailsrv/db
+mkdir aliases.d
+```
+
+create aliases as needed
+
+```
+vi /srv/vol/mailsrv/db/users
+```
+
+format is like a passwd file with user:passwd (no spaces between)
+
+make sure that all files are owned by 5000:5000
+
 ## make sure mail ports are open
 
-add the following directives to the `myfirewall` chain in `/etc/nftables`:
+add the following directives to the `myfirewall` chain in `/etc/nftables.conf`:
 ```
                 # accept incoming SMTP(s) connections
-                tcp dport {25, 465, 587} accept
+                tcp dport {25, 587} accept
 
                 # accept incoming IMAP(s) connections
                 tcp dport {143, 993} accept

From 6040095c77917cf6d539858d4a7c23a14fe6267c Mon Sep 17 00:00:00 2001
From: fernando <fernando@mail.alemor.org>
Date: Sat, 6 Jun 2020 15:36:58 -0500
Subject: [PATCH 3/4] Changed from certbot to acme

---
 src/mailsrv/docs/Deploy.md | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/mailsrv/docs/Deploy.md b/src/mailsrv/docs/Deploy.md
index 61a0eaf..f72b0e5 100644
--- a/src/mailsrv/docs/Deploy.md
+++ b/src/mailsrv/docs/Deploy.md
@@ -37,7 +37,7 @@ add the following directives to the `myfirewall` chain in `/etc/nftables.conf`:
 ```
 then make sure configuration has taken place by running:
 ```
-nft -f /etc/nftables
+nft -f /etc/nftables.conf
 ```
 
 ## set up domain name
@@ -49,18 +49,26 @@ ping ${dnsname:?}
 
 ## get SSL certificates from letsencrypt
 
-install certbot:
+install acme.sh
+
 ```
-apt install certbot
+apt install socat
+git clone https://github.com/acmesh-official/acme.sh.git
+cd acme.sh
+./acme.sh --install --home /usr/local/lib/acme-sh \
+          --config-home /etc/acme-sh \
+          --accountemail letsencrypt@mail.alemor.org
 ```
 
-if you are using a firewall, you need to figure out how to define a temporary rule allowing http access. For nftables, the rule would be `nft insert rule inet myfilter myfirewall tcp dport 80 accept`.
+Then exit and relogin to refresh the bash hash
 
-Get a certificate for your domain by running:
 ```
-certbot certonly --standalone --pre-hook "nft insert rule inet myfilter myfirewall tcp dport 80 accept" --post-hook "nft -f /etc/nftables.conf" --deploy-hook "rsync -vaSHL /etc/letsencrypt/live/${domain:?}/ /srv/volumes/mailsrv/ssl/; chown -R 5000:5000 /srv/volumes/mailsrv/ssl" -d ${domain:?}
+acme.sh --issue --alpn --pre-hook 'systemctl stop haproxy' \
+        --post-hook 'systemctl start haproxy' -d mailtest.alemor.org
+acme.sh --install-cert -d mailtest.alemor.org \
+        --fullchain-file /srv/vol/mailsrv/ssl/fullchain.pem \
+        --key-file /srv/vol/mailsrv/ssl/key.pem
 ```
-the application may ask you a few questions. Answer them as you would like. Including the appropriate hooks in the issue command should ensure that those hooks are also included in subsequent renew commands.
 
 ## make users and aliases
 

From 370a66548c27143fce5582aed83507705071aabc Mon Sep 17 00:00:00 2001
From: Mar Alegre <mar@mar.alemor.org>
Date: Sun, 7 Jun 2020 16:53:09 -0500
Subject: [PATCH 4/4] changed back rsync alias

---
 src/debian/assets/bash.bashrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/debian/assets/bash.bashrc b/src/debian/assets/bash.bashrc
index 4ca3e5d..e2f1090 100644
--- a/src/debian/assets/bash.bashrc
+++ b/src/debian/assets/bash.bashrc
@@ -83,4 +83,4 @@ fi
 
 alias ls='ls --color=auto'
 alias dir='ls -lFAh'
-alias rsy='rsync -vaSH'
+alias rsyn='rsync -vaSH'