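#!/bin/bash
# Provision a single-host Postfix + Dovecot mail server on Debian/Ubuntu.
#
# Phases (each prints a "=== NAME ===" marker to stdout):
#   CLEANUP  - stops and purges any existing postfix/dovecot install and wipes
#              config, queue AND existing mailboxes (destructive, see cleanup()).
#   MAILDIR  - seeds /etc/skel so new users get a Maildir and a MAIL variable.
#   INSTALL  - preseeds debconf and installs postfix, dovecot and mailutils.
#   POSTFIX  - writes main.cf / master.cf: MX on 25, submission on 465 only,
#              SASL via Dovecot, AUTH never offered on a cleartext session.
#   DOVECOT  - writes IMAPS-only Dovecot config plus the SASL socket for Postfix.
#   CERT     - writes the embedded cert/key only if absent, fixes permissions,
#              then validates the pair with openssl and aborts if invalid.
#   START    - rebuilds the alias database and restarts both services.
#
# Requirements: run as root; replace the PEM placeholders in
# install_tls_material() with real material (or pre-place the files) before use.

set -euo pipefail

readonly CERT_FILE=/etc/ssl/own.crt
readonly KEY_FILE=/etc/ssl/own.key

FQDN=$(hostname -f)
# Domain part of the FQDN; equals the FQDN itself when the hostname has no dot
# (same result as `cut -f 2- -d.`, without spawning a process).
DOM=${FQDN#*.}
readonly FQDN DOM

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Stop and purge any previous install and delete its state.
# WARNING: also removes the mail queue and every existing mailbox in /var/mail.
#######################################
cleanup() {
  echo "=== CLEANUP ==="
  systemctl stop postfix dovecot || true
  # Patterns are quoted so the shell cannot glob them against files in $PWD;
  # apt interprets them itself.  Failure is tolerated (nothing installed yet).
  apt -y purge postfix 'postfix-*' dovecot-core dovecot-imapd dovecot-lmtpd 'dovecot-*' mailutils || true
  apt -y autoremove
  apt -y autoclean

  rm -rf /etc/postfix
  rm -rf /etc/dovecot
  rm -rf /var/spool/postfix
  rm -rf /var/mail
  rm -rf /etc/skel/Maildir
}

#######################################
# Give new user accounts a Maildir and point $MAIL at it.
#######################################
seed_skel_maildir() {
  echo "=== MAILDIR ==="
  mkdir -p /etc/skel/Maildir/{cur,new,tmp}
  # Fixed-string match on the exact line we append, so reruns do not duplicate
  # it (the previous check looked for "MAILDIR", which the appended line never
  # contains).  A missing .bashrc makes grep fail, which correctly appends.
  local mail_line='export MAIL=$HOME/Maildir'
  if ! grep -qF -- "$mail_line" /etc/skel/.bashrc 2>/dev/null; then
    printf '%s\n' "$mail_line" >> /etc/skel/.bashrc
  fi
}

#######################################
# Preseed debconf and install the packages non-interactively.
# Globals: FQDN (read)
#######################################
install_packages() {
  echo "=== INSTALL ==="
  apt update

  # Preseed so the postfix postinst does not prompt for mailname/mailer type.
  printf '%s\n' \
    "postfix postfix/mailname string $FQDN" \
    "postfix postfix/main_mailer_type string Internet Site" \
    | debconf-set-selections

  DEBIAN_FRONTEND=noninteractive apt -y install postfix dovecot-core dovecot-imapd dovecot-lmtpd mailutils

  printf '%s\n' "$FQDN" > /etc/mailname
}

#######################################
# Write /etc/postfix/main.cf and master.cf.
# Globals: FQDN, DOM (read; expanded inside the main.cf heredoc)
#######################################
write_postfix_config() {
  echo "=== POSTFIX ==="
  cat <<EOF > /etc/postfix/main.cf
smtpd_banner = ESMTP
compatibility_level = 3.6

myhostname = $FQDN
myorigin = /etc/mailname
mydestination = $FQDN, localhost.$DOM, $DOM, localhost

inet_interfaces = all
inet_protocols = all

mynetworks = 127.0.0.0/8 [::1]/128

home_mailbox = Maildir/

# TLS
smtpd_tls_cert_file = $CERT_FILE
smtpd_tls_key_file = $KEY_FILE

# MX (Port 25): opportunistic TLS in both directions
smtpd_tls_security_level = may
smtp_tls_security_level = may

# HARDENING - the *_mandatory_* settings apply to mandatory-TLS sessions,
# i.e. the smtps listener defined in master.cf
smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_preempt_cipherlist = yes

# AUTH
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Never advertise AUTH on a cleartext session. Port 25 is only "may" TLS, so
# without this a client could send credentials before (or without) STARTTLS.
smtpd_tls_auth_only = yes

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
EOF

  # Quoted delimiter: master.cf contains no shell expansions and the leading
  # spaces on the "-o" lines are significant to Postfix.
  cat <<'EOF' > /etc/postfix/master.cf
smtp      inet  n       -       y       -       -       smtpd

pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr

local     unix  -       n       n       -       -       local

# SMTPS 465 ONLY
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
EOF
}

#######################################
# Write the Dovecot conf.d fragments: Maildir storage, TLS-only auth,
# IMAPS only (plain IMAP listener disabled), SASL socket for Postfix.
# The %{...} tokens are Dovecot variables, not shell expansions.
#######################################
write_dovecot_config() {
  echo "=== DOVECOT ==="

  cat <<'EOF' > /etc/dovecot/conf.d/10-mail.conf
mail_driver = maildir
mail_home = /home/%{user | username}
mail_path = %{home}/Maildir

namespace inbox {
  inbox = yes
}
EOF

  cat <<'EOF' > /etc/dovecot/conf.d/10-auth.conf
disable_plaintext_auth = yes
auth_mechanisms = plain login
EOF

  # port = 0 disables the cleartext IMAP listener; only imaps (993) remains.
  cat <<'EOF' > /etc/dovecot/conf.d/10-master.conf
service imap-login {
  inet_listener imap {
    port = 0
  }

  inet_listener imaps {
  }
}

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
EOF

  cat <<EOF > /etc/dovecot/conf.d/10-ssl.conf
ssl = required
ssl_server_cert_file = $CERT_FILE
ssl_server_key_file = $KEY_FILE
ssl_min_protocol = TLSv1.2
EOF
}

#######################################
# Abort unless the cert and key are parseable PEM and belong to each other.
# Catches an unreplaced placeholder before the services are restarted with
# unusable TLS material.  Skipped with a warning if openssl is unavailable.
# Globals: CERT_FILE, KEY_FILE (read)
#######################################
verify_tls_material() {
  if ! command -v openssl >/dev/null; then
    printf 'warn: openssl not found, skipping cert/key validation\n' >&2
    return 0
  fi
  local cert_pub key_pub
  cert_pub=$(openssl x509 -noout -pubkey -in "$CERT_FILE" 2>/dev/null) \
    || die "$CERT_FILE is not a valid PEM certificate (placeholder not replaced?)"
  key_pub=$(openssl pkey -pubout -in "$KEY_FILE" 2>/dev/null) \
    || die "$KEY_FILE is not a valid PEM private key (placeholder not replaced?)"
  [[ "$cert_pub" == "$key_pub" ]] \
    || die "$CERT_FILE and $KEY_FILE do not belong to the same key pair"
}

#######################################
# Install the embedded certificate/key if none exist, lock down permissions
# and validate.  Existing files on the host are never overwritten.
# Globals: CERT_FILE, KEY_FILE (read)
#######################################
install_tls_material() {
  echo "=== CERT HANDLING ==="

  # The "if" for the certificate was missing from the original (orphaned "fi");
  # reconstructed to mirror the key block below.
  if [[ ! -f "$CERT_FILE" ]]; then
    cat <<'EOF' > "$CERT_FILE"
-----BEGIN CERTIFICATE-----
<PLACEHOLDER: paste the certificate PEM body here>
-----END CERTIFICATE-----
EOF
  fi

  if [[ ! -f "$KEY_FILE" ]]; then
    # umask 077 in a subshell so the key file is never world-readable, not
    # even in the window between creation and the chmod below.
    (
      umask 077
      cat <<'EOF' > "$KEY_FILE"
-----BEGIN PRIVATE KEY-----
DEIN ORIGINAL KEY HIER EINFÜGEN (vollständig wie oben)
-----END PRIVATE KEY-----
EOF
    )
  fi

  chown root:root "$KEY_FILE"
  chmod 600 "$KEY_FILE"
  chmod 644 "$CERT_FILE"

  verify_tls_material
}

#######################################
# Rebuild the alias database and (re)start both daemons.
#######################################
start_services() {
  echo "=== ALIASES ==="
  newaliases

  echo "=== START ==="
  systemctl restart postfix
  systemctl restart dovecot

  echo "=== DONE ==="
}

main() {
  # Everything below writes to /etc and drives apt/systemctl; fail early and
  # clearly instead of at the first privileged command.
  (( EUID == 0 )) || die "this script must be run as root"

  cleanup
  seed_skel_maildir
  install_packages
  write_postfix_config
  write_dovecot_config
  install_tls_material
  start_services
}

main "$@"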
