letsencrypt & traefik wildcard support

set SSL_DOMAIN=*.example.com to extract a wildcard certificate from traefiks acme.json store

target/check-for-changes.sh

@@ -64,7 +64,11 @@ if [[ $chksum == *"FAIL"* ]]; then
           flock -e 200
 
   if [[ $chksum == *"/etc/letsencrypt/acme.json: FAILED"* ]]; then
-    (extractCertsFromAcmeJson "$HOSTNAME" || extractCertsFromAcmeJson "$DOMAINNAME")
+    for certdomain in $SSL_DOMAIN $HOSTNAME $DOMAINNAME; do
+      if extractCertsFromAcmeJson "$certdomain"; then
+        break
+      fi
+    done
   fi
 
 	#regen postix aliases.

test/config/dovecot-lmtp/conf.d/10-auth.conf

@@ -7,7 +7,7 @@
 # matches the local IP (ie. you're connecting from the same computer), the
 # connection is considered secure and plaintext authentication is allowed.
 # See also ssl=required setting.
-#disable_plaintext_auth = yes
+disable_plaintext_auth = no
 
 # Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
 # bsdauth, PAM and vpopmail require cache_key to be set for caching to be used.
@@ -121,7 +121,7 @@ auth_mechanisms = plain login
 
 #!include auth-system.conf.ext
 #!include auth-sql.conf.ext
-######!include auth-ldap.conf.ext
+#######!include auth-ldap.conf.ext
 !include auth-passwdfile.inc
 #!include auth-checkpassword.conf.ext
 #!include auth-vpopmail.conf.ext

test/config/dovecot-lmtp/conf.d/10-ssl.conf

@@ -3,7 +3,7 @@
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-ssl = required
+ssl = yes
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but

test/config/dovecot-lmtp/conf.d/15-lda.conf

@@ -4,11 +4,11 @@
 
 # Address to use when sending rejection mails.
 # Default is postmaster@<your domain>. %d expands to recipient domain.
-postmaster_address = postmaster@domain.com
+postmaster_address = postmaster@my-domain.com
 
 # Hostname to use in various parts of sent mails (e.g. in Message-Id) and
 # in LMTP replies. Default is the system's real hostname@domain.
-#hostname = 
+hostname = mail.my-domain.com
 
 # If user is over quota, return with temporary failure instead of
 # bouncing the mail.

test/config/dovecot-lmtp/conf.d/90-quota.conf

@@ -15,7 +15,7 @@
 # to give additional 100 MB when saving to Trash:
 
 plugin {
-  #quota_rule = *:storage=1G
+  #quota_rule = *:storage=0
   #quota_rule2 = Trash:storage=+100M
 
   # LDA/LMTP allows saving the last mail to bring user from under quota to
@@ -75,6 +75,6 @@ plugin {
 plugin {
   #quota = dict:user::proxy::quota
   #quota2 = dict:domain:%d:proxy::quota_domain
-  #quota_rule = *:storage=102400
+  #quota_rule = *:storage=0
   #quota2_rule = *:storage=1048576
 }

test/config/dovecot-lmtp/local.conf

@@ -1 +1,2 @@
 mail_max_userip_connections = 69
+recipient_delimiter = ~

test/config/letsencrypt/acme-changed.json

@@ -17,10 +17,8 @@
     "Certificates": [
       {
         "domain": {
-          "main": "mail.my-domain.com",
-          "sans": [
-            "mail2.my-domain.com"
-          ]
+          "main": "example.com",
+          "sans": ["*.example.com"]
         },
         "certificate": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM1RENDQWN5Z0F3SUJBZ0lKQU4vKzNMTVF2bnYxTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFXTVJRdwpFZ1lEVlFRRERBdGxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0NBUW9DCmdnRUJBTDVVTmc3eWJyWG9DSW5teFErZjM4KytzTEVjZ0c2UDBYK2ZhSDExQnc0N1Z0K21mMXZsdEloN29qTzgKRGVYcUZ4c0dMM1MvWXF5dVhYMFRHSU9oL2Nzam52djFHRUwxVXgwWUNzeUZrdmZsYjhOdVNLVzUyVDBkblVxRgpaRndsZHlrQ3dIblF4bXdZWnhuWmpWRjJZT3IvS21HWnZPNWR4U1RzL3FEdVUwY3AzRkQ0ejJDQkVMTG16aXh2CmZPMkxnazFZbi9IOW1OTE5TS1FhaVNlQ3hJZDVDek5JbG1VSWZuTDB0dWMzbjJmTmlnanVQS09WMkgvN05WVFQKVHJpdVAzODRieDlXVExmWDI5Y24rSG80aEtCYXEydDFXbXoranNXaTFneWExS3JMQU00enpRSEkrdTZyMytqUwozUHNSVnMxY3N5TzJOQ1hxVm8vYnhxZTM4K3NDQXdFQUFhTTVNRGN3Q1FZRFZSMFRCQUl3QURBTEJnTlZIUThFCkJBTUNCZUF3SFFZRFZSMGxCQll3RkFZSUt3WUJCUVVIQXdJR0NDc0dBUVVGQndNQk1BMEdDU3FHU0liM0RRRUIKQ3dVQUE0SUJBUUFrbUhIVGFaOGhpU3RvQS9YWWpHWGtIVDVEQmpqT2hSbTNtbWRDRit4aGJVY2ovZnJ3QlluMAphcEFHZk5TR3ErUEpUZ1Zkc1pVQUMrc09meFJtZTNGalU1Z0Fla2VJRGpPUU1kMVZiZG1jSVd0bkorVHR6OTRGClFtNVY3RGY4a1ZrY3FFNlV2dlh5WDNZRUZqMi9md2I0aHh5eWwvZkFXbDVhY1dUTE5BMm1PS20vZk1oS2V6K2gKM1ZHaEtRNVpHUzBRdCtMZWEzbzdMV3M1ZEg1TGhTdnMzRmU5UFNkZHhhME5idHI0c2ZnZk9JUUpnbzJtQ3ZjaAp1NXpGcTdudkRxZHNtZFp3WU1JY2lucFBXSmdFb1FMSldVL2dXTDJZYSs1a0oxMzdzbVBjWVg3akRTeUJIbGtRCm9BWU9CNjVZbm9XeFZ1UXRLcUhXNmY4bnFEMW53RUJuCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM5ekNDQWQrZ0F3SUJBZ0lKQVAvNDFhc0srSTNCTUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3TmpJNU1qQTFOVEl4V2hjTk1qQXdPREk0TWpBMU5USXhXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCmt6bE9GM1E4d3Q2RzhNOENnKy9VQURsa2JPVW5CbGJDd2xSbnFTcnZyWDdCUmMzN1IxWStLenNNbUdna1BrdkUKY3padVdiT1FVOGdoblFKd1NIVC9BSzFnNWpNYzdtWkxTa0UrdVZNb3I0KzRWZ3Q0a0t2Zmt0emNDSk9mby9xTApYVjJlUFJnVmxIaitwZWlscUhNTThQMDNWUHg2a3E3b1pFMXBCbGg0UXlMejdEWWNQNkFEM0JxL0hTTTVobXZQCmlIYkNIeTZ5ZitRc3VCcWFXQ2VjMXlnYzlHUG55RFhRb0RSQXdsY0EwYVZTU29zYzZIZVZRb0RCUFR6WlVyaU0KcmlxUEszWVQ0TEdFSDZuVHgzUlV0anVHOFpkR3pwZ3V3OS95MHRjY3Q3NzdXTEZJZXVCUWttWmlNRzNYZWl2dQpUYmZIQ2JxSkNPNTNmc2JLMENyekVRSURBUUFCbzFBd1RqQWRCZ05WSFE0RUZnUVV4bzZOWFJpMzlReEpuWlpECnZieGNvK20yVTdZd0h3WURWUjBqQkJnd0ZvQVV4bzZOWFJpMzlReEpuWlpEdmJ4Y28rbTJVN1l3REFZRFZSMFQKQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBT0JLTUcyYWFaK2YyR2F6ZHRxNytJbFJNM1lGdgppbkY1dWFaM2JxQytwS0RiMXdaSkx6V2dIVmdOU0dYZXRIUEthOVFweVFxRWUvYllNSzdhdkpvLy9GbWhnMCszClN3STJnOUJvSVBCZDRqSUJZNDFoL3pyeVRZNFBMeC9OcWFwV1I0LzNuRFBKM1NTTUhaNEpnUDhHVFhsem1GNmoKNFVnd1JyTEZRZDBaWllORFJvOGJaZVVFcVg3MGswRXFZOVF4QmpKZ1V6VnlXWWpQKy9TZVhBQkp5UHY3bHpSTgpudktqM0Y5MWVOZnFmOFkrV2RkdkI4am4zTFhvazRTaUZ6eEVTZkozblZPZ3dwOFNQaGhUU2hiWFFhajQ4Rng4Cm82VEdNOXV0UHROOXFJTnd2cXlySzRsVXdLajZZTHlUa1YxMG9WZ3RKWWh5eUhWVmw3SmhjOFVJTXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==",
         "key": "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBdmxRMkR2SnV0ZWdJaWViRkQ1L2Z6NzZ3c1J5QWJvL1JmNTlvZlhVSERqdFczNlovClcrVzBpSHVpTTd3TjVlb1hHd1l2ZEw5aXJLNWRmUk1ZZzZIOXl5T2UrL1VZUXZWVEhSZ0t6SVdTOStWdncyNUkKcGJuWlBSMmRTb1ZrWENWM0tRTEFlZERHYkJobkdkbU5VWFpnNnY4cVlabTg3bDNGSk96K29PNVRSeW5jVVBqUApZSUVRc3ViT0xHOTg3WXVDVFZpZjhmMlkwczFJcEJxSko0TEVoM2tMTTBpV1pRaCtjdlMyNXplZlo4MktDTzQ4Cm81WFlmL3MxVk5OT3VLNC9memh2SDFaTXQ5ZmIxeWY0ZWppRW9GcXJhM1ZhYlA2T3hhTFdESnJVcXNzQXpqUE4KQWNqNjdxdmY2TkxjK3hGV3pWeXpJN1kwSmVwV2o5dkdwN2Z6NndJREFRQUJBb0lCQVFDdWZoNGhqZm9hSStUUQpLUlk1d09VOFhTTTQvVnh5QU1DZE5OUmpVTXRyTE5QMHIzek1EOGgzNklGSTFQd1k4WWpGYWVKUU1yYVFnanVMCjA5b0J0SjR0Z3piYTRGV2g3YkNKVitWdXBIZWRkbWdFMERNaVhVVGhWeWxCalJINXVRK0tOYytvM3ROTGZ3UG4KR3lFSXNuTWdmMWVucTM4Zk9qRG9MYTgwYzhzOXpYaEh0Wng5SlF6RFViUXIrRE5UUzBSTFA1Mk1JL3BYR0MrZwpUMjI1c1ZWMzl1cVFGY2NIRUNhY0xEYlllNUVoelJpMlBOQTk4Zkh0Ty9sQVA5amp2UWlNY2NyMEtqanpFSGxTCmxvRnMxL3kvdkNBby9rVGhxaEtMLzBUM3FkaUcrWU5zbmUrVGh5Mnh4NVczN1lNR0l0ZTlmKzV5bVRtYitsZ2IKZlU2L2kydGhBb0dCQVBPNlVydDUwaDN2SjJtLytNRkNrb2tjYTE5NWs5c1lPMVJNa1RZSFBaNW40K25UdTMybwpSREt1L0t3T2dseTljcDAwUW44WEljRGk3TXV0OE1LN1JHdjFXeVpWbGJYMStMMzFGVCtjL045NnJIQmE1U0hJCm5oZFRMQkxQVG1iNk9PUFNXWEVIbDAwdnNsdEFsdXRJcnVmanpvd0V0Z3B0T2hZTzhhNjA4aWh2QW9HQkFNZnAKa2l1LzBibDdjUWdZZmdmSWZ5YzJpTU9aU0RseVRFRThxZmhWa1NWNFg3bDNycXk3eUNQNEc1MXBaQ1dWcDl6WQo4UzNtYmlDM3hYVjZpTzVQeGVoS1ZmdnFySXF6MnpaWDhTRjFhMUwzekRGQ3BFNkdmUHB5Uk1uK01hLy84b3haCmRwdGV6WlRCMVJtUDd6UndIVGJrSXhjU3NuYkVUOWNuZDc1ck9OSkZBb0dCQU0wQm0xZFFONW13TU5HMWhQSmkKSWNtc212QTYzbEE2eUtTMnBxbndXemNqb2NScnNWZ1hzZzJEdk1xb2hhU21RWUxUazE4OVFNbnkxa1RZY1J3SwowcG1RVG5Rbkp2OWYvek1ndEJmRzM3akdnY2NiM1lHV01zdmh6TCtobWd2cVN2SHVYQWRENEZNdlhIRi9HYktjCmQycGI1cjlGc3kyQUJJekxVeVNsMU02SEFvR0FCQUxneHZYelhGaG92VFBZbTRsZlc4Y1JXWE5pNnB3cmdZZVoKRlgyS0N3bHVTa2RuZnRuSnUwY0lMdEZsakFlRHRiKzRueVluZ1lxT2NMd0RzVnh5YVNYTXNlQlVrL2ZsNXlJKwptV0JFeGdabzEzZ3gyYzJEQm5keWYrY1UwaVk5bEtsYTR1VTFGTTRLMjVkeXdrZVpubmRYYU9nY0lwdnZ5aTVsCmpiR1RFMDBDZ1lBVCtVTm9tcDhKbW01YXFDME1kc050OW13T0tMVnRDazFZei9YODVQbVNpU1p4eG11cThVNXUKYThvYUovTm1tTXBZc1JHOXB5NW1JZ0RXSDFicnlPWlA3YVB0T0lWWnBZSDc3cU1ySjR2RmJ6MkphQTFiMWlySgoyMkhkajFYRDdMdjJ1cXQ3UVVsYU5RY3VrSkZJSE94WVJOWUNobEpuSUVmMmU3MGpkbEN4TGc9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=",

test/mail_ssl_letsencrypt.bats

@@ -34,6 +34,7 @@ function setup_file() {
     -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
     -e DMS_DEBUG=0 \
     -e SSL_TYPE=letsencrypt \
+    -e "SSL_DOMAIN=*.example.com" \
     -h mail.my-domain.com -t ${NAME}
 
   wait_for_finished_setup_in_container mail_lets_acme_json
@@ -114,7 +115,7 @@ function teardown_file() {
   cp "`pwd`/test/config/letsencrypt/acme-changed.json" "`pwd`/test/config/acme.json"
   sleep 11
   run docker exec mail_lets_acme_json /bin/bash -c "supervisorctl tail changedetector"
-  assert_output --partial "Cert found in /etc/letsencrypt/acme.json for mail.my-domain.com"
+  assert_output --partial "Cert found in /etc/letsencrypt/acme.json for *.example.com"
   assert_output --partial "postfix: stopped"
   assert_output --partial "postfix: started"
   assert_output --partial "Update checksum"