From 7c1b29cd6c11c6400582b4a696c205ecdee794ae Mon Sep 17 00:00:00 2001 From: Florin Buffet <73933252+FlorinBuffet@users.noreply.github.com> Date: Sat, 22 Feb 2025 10:25:47 +0100 Subject: [PATCH 1/4] Added how to use Caddy Certificate for Postal sources: https://github.com/orgs/postalserver/discussions/1572 https://github.com/orgs/postalserver/discussions/2673 --- content/3.features/smtp-tls.md | 98 ++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) diff --git a/content/3.features/smtp-tls.md b/content/3.features/smtp-tls.md index 1ae3b77..c3222c7 100644 --- a/content/3.features/smtp-tls.md +++ b/content/3.features/smtp-tls.md 
@@ -21,6 +21,104 @@ You can use the command below to generate a self-signed certificate. openssl req -x509 -newkey rsa:4096 -keyout /opt/postal/config/smtp.key -out /opt/postal/config/smtp.cert -sha256 -days 365 -nodes ``` +### Using Caddy certificate for TLS + +#### Setting up Caddy to issue RSA certificate + +Caddy doesn't issue RSA certificates by default, so first we have to setup caddy to issue RSA certificate. This is done by adding following lines to the start of `/opt/postal/config/Caddyfile`: +```yaml +# Force Caddy to generate RSA certificates +# https://github.com/postalserver/postal/discussions/1572#discussioncomment-1410343 +{ + key_type rsa4096 +} +``` + +#### Setup automatic copying from Caddy to Postal + +To remove the need of the manual mainenance task to copy the certificate from Caddy to Postal we can automate this. The original discussion and author can be found [here](https://github.com/orgs/postalserver/discussions/2673). + +##### Install inotify-tools + +Install the toolset which provides `inotifywait`, used to monitor certificate changes. 
+ +```bash +sudo apt-get update +sudo apt-get install inotify-tools +``` + +##### Create Monitoring Script + +Create a script named `monitor_certs.sh`: +```bash +nano /opt/postal/monitor_certs.sh +``` +Add following code to the script file: +```bash +#!/bin/bash + +CERT_DIR="/opt/postal/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/YOURDOMAIN/" +CERT_FILE="${CERT_DIR}YOURDOMAIN.crt" +KEY_FILE="${CERT_DIR}YOURDOMAIN.key" + +while true; do + inotifywait -e modify "$CERT_FILE" "$KEY_FILE" + + # Copy the certificates to Postal's configuration directory + cp "$CERT_FILE" /opt/postal/config/smtp.cert + cp "$KEY_FILE" /opt/postal/config/smtp.key + + # Adjust permissions to ensure Postal can read the certificates + chmod o+r /opt/postal/config/smtp.* + + # Restart Postal to use the new certificates + postal stop && sleep 15 && postal start +done +``` + +Make the script executable: +```bash +chmod +x /opt/postal/monitor_certs.sh +``` +##### Create a systemd Service + +Make a systemd service file: +```bash +sudo nano /etc/systemd/system/monitor_certs.service +``` +Insert the following content: +```yaml +[Unit] +Description=Monitor Caddy Certificates for Postal + +[Service] +ExecStart=/opt/postal/monitor_certs.sh +Restart=always +User=your_username +Group=your_groupname + +[Install] +WantedBy=multi-user.target +``` + +##### Activate the Service +Reload the systemd daemons: +```bash +sudo systemctl daemon-reload +``` +Enable and start the service: +```bash +sudo systemctl enable monitor_certs.service +sudo systemctl start monitor_certs.service +``` +##### Initial Manual Certificate Copy +Before the monitoring script takes over, you should manually copy the certificates for the first time: +```bash +cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.cert +cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key +chmod o+r 
/opt/postal/config/smtp.* +``` + ## Configuration Once you have a key and certificate you will need to enable TLS in the configuration file (`/opt/postal/config/postal.yml`). Additional options are available too. From 67eb67a3e9c879317573671c43688ae633510c13 Mon Sep 17 00:00:00 2001 From: Florin Buffet <73933252+FlorinBuffet@users.noreply.github.com> Date: Sun, 23 Feb 2025 14:18:29 +0100 Subject: [PATCH 2/4] Optimized Scripts use postal restart instead of more complex postal stop && postal start fixed directory in manual certificate copy --- content/3.features/smtp-tls.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/3.features/smtp-tls.md b/content/3.features/smtp-tls.md index c3222c7..f327955 100644 --- a/content/3.features/smtp-tls.md +++ b/content/3.features/smtp-tls.md @@ -72,7 +72,7 @@ while true; do chmod o+r /opt/postal/config/smtp.* # Restart Postal to use the new certificates - postal stop && sleep 15 && postal start + postal restart done ``` @@ -114,8 +114,8 @@ sudo systemctl start monitor_certs.service ##### Initial Manual Certificate Copy Before the monitoring script takes over, you should manually copy the certificates for the first time: ```bash -cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.cert -cp /opt/postal/caddy-data/caddy/certificates/acme.zerossl.com-v2-dv90/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key +cp /opt/postal/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.cert +cp /opt/postal/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key chmod o+r /opt/postal/config/smtp.* ``` From f47885410268e94e3306e3ff51619bf12babaf4c Mon Sep 17 00:00:00 2001 
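Review bot: `chmod o+r /opt/postal/config/smtp.*` in the monitor script, repeated in the "Initial Manual Certificate Copy" step, makes the SMTP private key `smtp.key` readable by every local account on the host, which undermines the rotation the script is there to automate; the hunk does not show which user Postal reads these files as, so the safer instruction is to `chown` the copies to that owner/group and use `chmod 0640 /opt/postal/config/smtp.key` (only the `.cert` needs to stay world-readable). Triggering on `inotifywait -e modify` also fires on every `write()`, so `cp` can capture a half-written key or certificate and then restart Postal with it; `inotifywait -e close_write "$CERT_FILE" "$KEY_FILE"` waits until the writer has closed the file, and if Caddy replaces the files by rename rather than rewriting them in place (not visible here) the loop would additionally need to watch the directory for `moved_to`. The unit file runs the script as `User=your_username`, yet the script reads Caddy's ACME directory, writes into `/opt/postal/config` and calls `postal restart`, so a sentence stating the minimum privileges that account needs would keep readers from defaulting to root. The same `chmod o+r` line reappears as context in the second patch's hunks and in the last patch.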
From: Florin Buffet Date: Tue, 25 Feb 2025 09:15:47 +0100 Subject: [PATCH 3/4] Removed unneccessary RSA4096 for Caddy --- content/3.features/smtp-tls.md | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/content/3.features/smtp-tls.md b/content/3.features/smtp-tls.md index f327955..934637f 100644 --- a/content/3.features/smtp-tls.md +++ b/content/3.features/smtp-tls.md @@ -23,17 +23,6 @@ openssl req -x509 -newkey rsa:4096 -keyout /opt/postal/config/smtp.key -out /opt ### Using Caddy certificate for TLS -#### Setting up Caddy to issue RSA certificate - -Caddy doesn't issue RSA certificates by default, so first we have to setup caddy to issue RSA certificate. This is done by adding following lines to the start of `/opt/postal/config/Caddyfile`: -```yaml -# Force Caddy to generate RSA certificates -# https://github.com/postalserver/postal/discussions/1572#discussioncomment-1410343 -{ - key_type rsa4096 -} -``` - #### Setup automatic copying from Caddy to Postal To remove the need of the manual mainenance task to copy the certificate from Caddy to Postal we can automate this. The original discussion and author can be found [here](https://github.com/orgs/postalserver/discussions/2673). From 24680de2c1df04eb9f2d8ed3bb217ea4ca374a56 Mon Sep 17 00:00:00 2001 From: Will Power <1619102+willpower232@users.noreply.github.com> Date: Mon, 3 Mar 2025 09:14:30 +0000 Subject: [PATCH 4/4] Apply suggestions from code review --- content/3.features/smtp-tls.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/content/3.features/smtp-tls.md b/content/3.features/smtp-tls.md index 934637f..6d7b0bf 100644 --- a/content/3.features/smtp-tls.md +++ b/content/3.features/smtp-tls.md 
@@ -25,7 +25,7 @@ openssl req -x509 -newkey rsa:4096 -keyout /opt/postal/config/smtp.key -out /opt #### Setup automatic copying from Caddy to Postal -To remove the need of the manual mainenance task to copy the certificate from Caddy to Postal we can automate this. The original discussion and author can be found [here](https://github.com/orgs/postalserver/discussions/2673). +To remove the need of the manual maintenance task to copy the certificate from Caddy to Postal, we can automate this. The original discussion and author can be found [here](https://github.com/orgs/postalserver/discussions/2673). ##### Install inotify-tools @@ -39,10 +39,13 @@ sudo apt-get install inotify-tools ##### Create Monitoring Script Create a script named `monitor_certs.sh`: + ```bash nano /opt/postal/monitor_certs.sh ``` + Add following code to the script file: + ```bash #!/bin/bash @@ -69,13 +72,17 @@ Make the script executable: ```bash chmod +x /opt/postal/monitor_certs.sh ``` + ##### Create a systemd Service Make a systemd service file: + ```bash sudo nano /etc/systemd/system/monitor_certs.service ``` + Insert the following content: + ```yaml [Unit] Description=Monitor Caddy Certificates for Postal @@ -91,17 +98,24 @@ WantedBy=multi-user.target ``` ##### Activate the Service + Reload the systemd daemons: + ```bash sudo systemctl daemon-reload ``` + Enable and start the service: + ```bash sudo systemctl enable monitor_certs.service sudo systemctl start monitor_certs.service ``` + ##### Initial Manual Certificate Copy + Before the monitoring script takes over, you should manually copy the certificates for the first time: + ```bash cp /opt/postal/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/YOURDOMAIN/YOURDOMAIN.crt /opt/postal/config/smtp.cert cp /opt/postal/caddy-data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/YOURDOMAIN/YOURDOMAIN.key /opt/postal/config/smtp.key