#!/bin/bash

#/etc/dovecot/dovecot.conf
#remove
sudo sed -i '/^!include_try \/usr\/share\|^protocols =\|^postmaster_address =/d' /etc/dovecot/dovecot.conf
#add start with line 22
sudo sed -i '22i\
!include_try /usr/share/dovecot/protocols.d/*.protocol\
protocols = imap pop3 lmtp\
postmaster_address = postmaster@domainReplace\
 ' /etc/dovecot/dovecot.conf

#/etc/dovecot/conf.d/10-mail.conf
#remove
sudo sed -i '/^mail_location =\|^mail_privileged_group =/d' /etc/dovecot/conf.d/10-mail.conf
#add start with line 31
sudo sed -i '31i\
mail_location = maildir:/var/mail/vhosts/%d/%n/\
mail_privileged_group = mail\
 ' /etc/dovecot/conf.d/10-mail.conf


#/etc/dovecot/conf.d/10-auth.conf
#remove
sudo sed -i '/^disable_plaintext_auth =\|^auth_mechanisms =\|^!include auth-system.conf.ext\|^!include auth-sql.conf.ext/d' /etc/dovecot/conf.d/10-auth.conf
#add start with line 10
sudo sed -i '10i\
disable_plaintext_auth = yes\
auth_mechanisms = plain login\
!include auth-system.conf.ext\
!include auth-sql.conf.ext' /etc/dovecot/conf.d/10-auth.conf

#/etc/dovecot/conf.d/10-ssl.conf
#remove
sudo sed -i '/^ssl =\|^ssl_cert =\|^ssl_key =/d' /etc/dovecot/conf.d/10-ssl.conf
#add start with line 10
sudo sed -i '10i\
ssl = required\
ssl_cert = </etc/letsencrypt/live/domainReplace/fullchain.pem\
ssl_key = </etc/letsencrypt/live/domainReplace/privkey.pem' /etc/dovecot/conf.d/10-ssl.conf

#/etc/dovecot/dovecot-sql.conf.ext
#remove
sudo sed -i '/^driver =\|^connect =\|^default_pass_scheme =\|^password_query =/d' /etc/dovecot/dovecot-sql.conf.ext
#add start with line 32
sudo sed -i '32i\
driver = mysql\
connect = host=127.0.0.1 dbname=dbNmeReplace user=dbUserReplace password=dbPasswordReplace\
default_pass_scheme = SHA512-CRYPT' /etc/dovecot/dovecot-sql.conf.ext
sudo sed -i "35ipassword_query = SELECT email as user, password FROM virtual_users WHERE email='%u';" /etc/dovecot/dovecot-sql.conf.ext


sudo mkdir -p /var/mail/vhosts/domainReplace
sudo groupadd -g 5000 vmail
sudo useradd -g vmail -u 5000 vmail -d /var/mail
sudo chown -R vmail:vmail /var/mail


##################################/etc/dovecot/conf.d/auth-sql.conf.ext############################################
auth_sql="$(cat <<-EOF
# Authentication for SQL users. Included from 10-auth.conf.
#
# <doc/wiki/AuthDatabase.SQL.txt>

passdb {
  driver = sql

  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
#  driver = prefetch
#}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/vhosts/%d/%n
}

#userdb {
#  driver = sql
#  args = /etc/dovecot/dovecot-sql.conf.ext
#}

# If you don't have any user-specific settings, you can avoid the user_query
# by using userdb static instead of userdb sql, for example:
# <doc/wiki/UserDatabase.Static.txt>
EOF
)"

sudo echo "$auth_sql" > /etc/dovecot/conf.d/auth-sql.conf.ext


################################/etc/dovecot/conf.d/10-master.conf##############################################
ten_master="$(cat <<-EOF
#default_process_limit = 100
#default_client_limit = 1000

# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

service imap-login {
  inet_listener imap {
     port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = $default_vsz_limit
}

service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
     port = 995
     ssl = yes
  }
}

service submission-login {
  inet_listener submission {
    #port = 587
  }
}

service lmtp {
  #unix_listener lmtp {
    #mode = 0666
  #}

  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    #mode = 0666i
    mode = 0600
    user = postfix
    group = postfix
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

service imap {
  # Most of the memory goes to mmap()ing files. You may need to increase this
  # limit if you have huge mailboxes.
  #vsz_limit = $default_vsz_limit

  # Max. number of IMAP processes (connections)
  #process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  #process_limit = 1024
}

service submission {
  # Max. number of SMTP Submission processes (connections)
  #process_limit = 1024
}

service auth {
  # auth_socket_path points to this userdb socket by default. It's typically
  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
  # full permissions to this socket are able to get a list of all usernames and
  # get the results of everyone's userdb lookups.
  #
  # The default 0666 mode allows anyone to connect to the socket, but the
  # userdb lookups will succeed only if the userdb returns an "uid" field that
  # matches the caller process's UID. Also if caller's uid or gid matches the
  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
  #
  # To give the caller full permissions to lookup all users, set the mode to
  # something else than 0666 and Dovecot lets the kernel enforce the
  # permissions (e.g. 0777 allows everyone full permissions).

  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }

  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }

  user = dovecot

  # Postfix smtp-auth
  #unix_listener /var/spool/postfix/private/auth {
  #  mode = 0666
  #}

  # Auth process is run as this user.
  #user = $default_internal_user
}

service auth-worker {
  # Auth worker process is run as root by default, so that it can access
  # /etc/shadow. If this isn't necessary, the user should be changed to
  # $default_internal_user.
  #user = root
  user = vmail
}

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict {
    #mode = 0600
    #user =
    #group =
  }
}
EOF
)"

sudo echo "$ten_master" > /etc/dovecot/conf.d/10-master.conf

sudo chown -R vmail:dovecot /etc/dovecot
sudo chmod -R o-rwx /etc/dovecot

sudo systemctl restart postfix dovecot