From 8a0118ef00d0d8524d991d7ff90269387b7e6497 Mon Sep 17 00:00:00 2001
From: vp1100 <125098655+vp1100@users.noreply.github.com>
Date: Thu, 8 Aug 2024 23:12:12 +0200
Subject: [PATCH 1/6] Update ssl.sh

Extracting certificate for multiple domain for SNI support
---
 target/scripts/helpers/ssl.sh | 36 +++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 6a7610ad..fdf866e4 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -127,6 +127,42 @@ function _setup_ssl() {
 fi
 _log 'trace' "letsencrypt (acme.json) extracted certificate using ${EXTRACTED_DOMAIN[0]}: '${EXTRACTED_DOMAIN[1]}'"
+
+ # Extracting certificates for SNI support
+ if [[ -n ${SSL_SNI_DOMAINS} ]] ; then
+ # add empty dovecot & postfix config
+ echo -n "" > /etc/dovecot/conf.d/10-sni.conf
+ echo -n "" > /etc/postfix/sni.map
+
+ # add tls_server_sni_maps if not exist
+ local SNI_MAPS="tls_server_sni_maps = hash:/etc/postfix/sni.map"
+ grep -qxF -- "${SNI_MAPS}" "/etc/postfix/main.cf" || echo ${SNI_MAPS} >> /etc/postfix/main.cf
+
+ for SNI_DOMAIN in ${SSL_SNI_DOMAINS//,/ }
+ do
+ if _extract_certs_from_acme "${SNI_DOMAIN}"; then
+ local PRIVATE_KEY="/etc/letsencrypt/live/${SNI_DOMAIN}/key.pem"
+ local CERT_CHAIN="/etc/letsencrypt/live/${SNI_DOMAIN}/fullchain.pem"
+
+ # add domain certificate to postfix
+ echo "${SNI_DOMAIN} ${PRIVATE_KEY} ${CERT_CHAIN}" >> /etc/postfix/sni.map
+
+ # add domain certificate to dovecot
+ echo "local_name ${SNI_DOMAIN} {" >> /etc/dovecot/conf.d/10-sni.conf
+ echo " ssl_cert = <${CERT_CHAIN}" >> /etc/dovecot/conf.d/10-sni.conf
+ echo " ssl_key = <${PRIVATE_KEY}" >> /etc/dovecot/conf.d/10-sni.conf
+ echo "}" >> /etc/dovecot/conf.d/10-sni.conf
+
+ _log 'trace' "SNI: extracted domain: ${SNI_DOMAIN}"
+ else
+ _log 'warn' "SNI: letsencrypt (acme.json) failed to extract SNI domain: ${SNI_DOMAIN}"
+ fi
+ done
+
+ # create postfix SNI table
+ postmap -F hash:/etc/postfix/sni.map
+ _log 'trace' "SNI: creating postfix db (sni.map.db)"
+ fi
 fi
 }

From 2cabc0e81bbfe9b9065053097de2db0b3bb808ee Mon Sep 17 00:00:00 2001
From: vp1100 <125098655+vp1100@users.noreply.github.com>
Date: Thu, 8 Aug 2024 23:31:00 +0200
Subject: [PATCH 2/6] Update environment.md

---
 docs/content/config/environment.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/content/config/environment.md b/docs/content/config/environment.md
index 0a65b1e4..e2f672c5 100644
--- a/docs/content/config/environment.md
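Review bot: Each `SNI_DOMAIN` taken from `SSL_SNI_DOMAINS` is used unvalidated both as a path component (`/etc/letsencrypt/live/${SNI_DOMAIN}/key.pem`) and as literal Postfix/Dovecot configuration syntax, so an entry containing `/`, `..`, whitespace or `{`/`}` would point outside the live directory or corrupt `sni.map` and `10-sni.conf`, and the unquoted `${SSL_SNI_DOMAINS//,/ }` additionally glob-expands. Guard the loop body before any use of the value, e.g. `[[ ${SNI_DOMAIN} =~ ^[A-Za-z0-9.-]+$ ]] || { _log 'warn' "SNI: skipping invalid domain: ${SNI_DOMAIN}"; continue; }`; the same applies to the reworked loop in PATCH 4/6. The `grep -qxF` guard only matches this exact line, so an existing `tls_server_sni_maps` with a different value or spacing gets a second, conflicting key appended — `postconf -e "${SNI_MAPS}"` is the idempotent way to set it. `postmap -F` is run without checking its status (and the "creating" log line follows it), so unless the helper runs under `set -e` a malformed map is only discovered when Postfix fails to start; `postmap -F hash:/etc/postfix/sni.map || _log 'warn' 'SNI: postmap failed for /etc/postfix/sni.map'` would surface it. `_setup_ssl` begins outside the hunk.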
+++ b/docs/content/config/environment.md
@@ -191,6 +191,12 @@ In the majority of cases, you want `letsencrypt` or `manual`.
 Please read [the SSL page in the documentation][docs-tls] for more information.
+##### SSL_SNI_DOMAINS
+
+Comma separated list of domains.
+
+Certificates will be exported for each domain from traefik `acme.json` and added to Postfix and Dovecot for SNI support.
+
 ##### TLS_LEVEL
 - **empty** => modern

From 9273326709e8caea8144e027f84b6162a783cddc Mon Sep 17 00:00:00 2001
From: vp1100 <125098655+vp1100@users.noreply.github.com>
Date: Thu, 8 Aug 2024 23:39:02 +0200
Subject: [PATCH 3/6] Update mailserver.env

---
 mailserver.env | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mailserver.env b/mailserver.env
index 77b863ff..e0b496f9 100644
--- a/mailserver.env
+++ b/mailserver.env
@@ -240,6 +240,9 @@ SMTP_ONLY=
 # self-signed => Enables self-signed certificates
 SSL_TYPE=
+# Provide a comma separated list of domains to additionally export the certificate from acme.json
+SSL_SNI_DOMAINS=
+
 # These are only supported with `SSL_TYPE=manual`.
 # Provide the path to your cert and key files that you've mounted access to within the container.
 SSL_CERT_PATH=

From 3e619a341f7e267bdf9b5eacc4a6ddc4dd370224 Mon Sep 17 00:00:00 2001
From: svg
Date: Thu, 8 Aug 2024 23:52:13 +0200
Subject: [PATCH 4/6] #

---
 target/scripts/helpers/ssl.sh | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index fdf866e4..8bf6a43b 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -133,32 +133,34 @@ function _setup_ssl() {
 # add empty dovecot & postfix config
 echo -n "" > /etc/dovecot/conf.d/10-sni.conf
 echo -n "" > /etc/postfix/sni.map
-
+
 # add tls_server_sni_maps if not exist
 local SNI_MAPS="tls_server_sni_maps = hash:/etc/postfix/sni.map"
- grep -qxF -- "${SNI_MAPS}" "/etc/postfix/main.cf" || echo ${SNI_MAPS} >> /etc/postfix/main.cf
-
+ grep -qxF -- "${SNI_MAPS}" "/etc/postfix/main.cf" || echo "${SNI_MAPS}" >> /etc/postfix/main.cf
+
 for SNI_DOMAIN in ${SSL_SNI_DOMAINS//,/ }
 do
 if _extract_certs_from_acme "${SNI_DOMAIN}"; then
 local PRIVATE_KEY="/etc/letsencrypt/live/${SNI_DOMAIN}/key.pem"
 local CERT_CHAIN="/etc/letsencrypt/live/${SNI_DOMAIN}/fullchain.pem"
-
+
 # add domain certificate to postfix
 echo "${SNI_DOMAIN} ${PRIVATE_KEY} ${CERT_CHAIN}" >> /etc/postfix/sni.map
-
+
 # add domain certificate to dovecot
- echo "local_name ${SNI_DOMAIN} {" >> /etc/dovecot/conf.d/10-sni.conf
- echo " ssl_cert = <${CERT_CHAIN}" >> /etc/dovecot/conf.d/10-sni.conf
- echo " ssl_key = <${PRIVATE_KEY}" >> /etc/dovecot/conf.d/10-sni.conf
- echo "}" >> /etc/dovecot/conf.d/10-sni.conf
-
+ {
+ echo "local_name ${SNI_DOMAIN} {"
+ echo " ssl_cert = <${CERT_CHAIN}"
+ echo " ssl_key = <${PRIVATE_KEY}"
+ echo "}"
+ } >> /etc/dovecot/conf.d/10-sni.conf
+
 _log 'trace' "SNI: extracted domain: ${SNI_DOMAIN}"
 else
 _log 'warn' "SNI: letsencrypt (acme.json) failed to extract SNI domain: ${SNI_DOMAIN}"
 fi
 done
-
+
 # create postfix SNI table
 postmap -F hash:/etc/postfix/sni.map
 _log 'trace' "SNI: creating postfix db (sni.map.db)"

From d7672c53769b388e98c2edca8106d36b1d1f9fd9 Mon Sep 17 00:00:00 2001
From: svg
Date: Thu, 8 Aug 2024 23:58:49 +0200
Subject: [PATCH 5/6] #

---
 target/scripts/helpers/ssl.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 8bf6a43b..0bf27a06 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -131,7 +131,7 @@ function _setup_ssl() {
 # Extracting certificates for SNI support
 if [[ -n ${SSL_SNI_DOMAINS} ]] ; then
 # add empty dovecot & postfix config
- echo -n "" > /etc/dovecot/conf.d/10-sni.conf
+ echo -n "" > /etc/dovecot/conf.d/20-sni.conf
 echo -n "" > /etc/postfix/sni.map
 # add tls_server_sni_maps if not exist
@@ -153,7 +153,7 @@ function _setup_ssl() {
 echo " ssl_cert = <${CERT_CHAIN}"
 echo " ssl_key = <${PRIVATE_KEY}"
 echo "}"
- } >> /etc/dovecot/conf.d/10-sni.conf
+ } >> /etc/dovecot/conf.d/20-sni.conf
 _log 'trace' "SNI: extracted domain: ${SNI_DOMAIN}"
 else

From b8d4350cc236e8c3a60069572909aee4bd6da2ba Mon Sep 17 00:00:00 2001
From: svg
Date: Fri, 9 Aug 2024 00:04:33 +0200
Subject: [PATCH 6/6] #

---
 target/scripts/helpers/ssl.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/target/scripts/helpers/ssl.sh b/target/scripts/helpers/ssl.sh
index 0bf27a06..66dd3d0d 100644
--- a/target/scripts/helpers/ssl.sh
+++ b/target/scripts/helpers/ssl.sh
@@ -134,7 +134,7 @@ function _setup_ssl() {
 echo -n "" > /etc/dovecot/conf.d/20-sni.conf
 echo -n "" > /etc/postfix/sni.map
- # add tls_server_sni_maps if not exist
+ # add tls_server_sni_maps yo main.cf if not exist
 local SNI_MAPS="tls_server_sni_maps = hash:/etc/postfix/sni.map"
 grep -qxF -- "${SNI_MAPS}" "/etc/postfix/main.cf" || echo "${SNI_MAPS}" >> /etc/postfix/main.cf
@@ -144,10 +144,10 @@ function _setup_ssl() {
 local PRIVATE_KEY="/etc/letsencrypt/live/${SNI_DOMAIN}/key.pem"
 local CERT_CHAIN="/etc/letsencrypt/live/${SNI_DOMAIN}/fullchain.pem"
- # add domain certificate to postfix
+ # add certificate to postfix
 echo "${SNI_DOMAIN} ${PRIVATE_KEY} ${CERT_CHAIN}" >> /etc/postfix/sni.map
- # add domain certificate to dovecot
+ # add certificate to dovecot
 {
 echo "local_name ${SNI_DOMAIN} {"
 echo " ssl_cert = <${CERT_CHAIN}"
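Review bot: The rewritten comment in the first PATCH 6/6 hunk (`@@ -134,7 +134,7`) reads `# add tls_server_sni_maps yo main.cf if not exist`; `yo` looks like a typo for `to`, and the line would read better as `# add tls_server_sni_maps to main.cf if not already present`. The comment sits on the context line that is checked with `grep -qxF`, so it is also worth saying there that only this exact line is matched, since a pre-existing `tls_server_sni_maps` setting written differently is not detected. The enclosing `_setup_ssl` body continues outside the hunk.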
@@ -157,7 +157,7 @@ function _setup_ssl() {
 _log 'trace' "SNI: extracted domain: ${SNI_DOMAIN}"
 else
- _log 'warn' "SNI: letsencrypt (acme.json) failed to extract SNI domain: ${SNI_DOMAIN}"
+ _log 'warn' "SNI: letsencrypt (acme.json) failed to extract domain: ${SNI_DOMAIN}"
 fi
 done