Add scripting for cert renewal with certbot

README.md

@@ -71,3 +71,14 @@ SMTP_PASSWORD=smtp_user-password
 ```
 
 7. Test the configuration by sending an email from the end service.
+
+## Renewing Certs
+
+In order to set up certs to autorenew, you can use a cron job. Perform the following steps as the root user. Note that this requires a bind9 DNS server set up for dynamic updates with a `tsig.key` file. See our [bind9](https://gitea.moeny.ai/moeny/bind9) repo for more details on this.
+
+1. Add the content of [renew-mail-certs.sh](renew-mail-certs.sh) at `/usr/local/bin/renew-mail-certs.sh`.
+2. Add the contents of [dns-rfc2136.ini](dns-rfc2136.ini) at `/etc/letsencrypt/dns-rfc2136.ini`. Don't forget to update the file with your own values.
+3. Run `crontab -e` and add the following to it:
+```
+0 2 1 * * /usr/local/bin/renew-mail-certs.sh
+```

etc/letsencrypt/dns-rfc2136.ini

@@ -0,0 +1,10 @@
+# Target DNS server
+dns_rfc2136_server = 100.40.223.166
+# TSIG key name
+dns_rfc2136_name = tsig-key
+# TSIG key secret
+dns_rfc2136_secret = your_secret_here
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA256
+# DNS zone to update
+dns_rfc2136_zone = moeny.ai.

etc/postfix/master.cf

@@ -15,11 +15,6 @@ smtp      inet  n       -       y       -       -       smtpd
 spamassassin unix -     n       n       -       -       pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}
-submission inet n       -       y       -       -       smtpd
-smtps      inet  n       -       y       -       -       smtpd
-  -o syslog_name=postfix/submission
-  -o smtpd_tls_security_level=encrypt
-  -o smtpd_sasl_auth_enable=yes
 #smtp      inet  n       -       y       -       1       postscreen
 #smtpd     pass  -       -       y       -       -       smtpd
 #dnsblog   unix  -       -       y       -       0       dnsblog

usr/local/bin/renew-mail-certs.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script: /usr/local/bin/renew-mail-certs.sh
+
+# Set up logging
+LOG_FILE="/var/log/letsencrypt/renewal.log"
+TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
+
+# Ensure log directory exists
+mkdir -p "$(dirname "$LOG_FILE")"
+
+log() {
+    echo "$TIMESTAMP - $1" >> "$LOG_FILE"
+    echo "$1"
+}
+
+# Function to check if a service is active
+check_service() {
+    if systemctl is-active --quiet "$1"; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+# Function to restart a service safely
+restart_service() {
+    local service=$1
+    log "Attempting to restart $service..."
+    
+    if ! check_service "$service"; then
+        log "WARNING: $service was not running before restart attempt"
+    fi
+    
+    if systemctl restart "$service"; then
+        if check_service "$service"; then
+            log "$service restarted successfully"
+            return 0
+        else
+            log "ERROR: $service failed to start after restart"
+            return 1
+        fi
+    else
+        log "ERROR: Failed to restart $service"
+        return 1
+    fi
+}
+
+# Main execution
+log "Starting certificate renewal process"
+
+# Attempt to renew certificates using RFC2136 (BIND9) DNS challenge
+if CERTBOT_LOG_LEVEL=debug certbot renew --force-renewal --preferred-challenges dns --authenticator dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/dns-rfc2136.ini -v; then
+    log "Certificates were renewed successfully. Restarting services..."
+    
+    # Restart Postfix
+    if ! restart_service postfix; then
+        log "CRITICAL: Postfix restart failed"
+    fi
+
+    # Restart Dovecot
+    if ! restart_service dovecot; then
+        log "CRITICAL: Dovecot restart failed"
+    fi
+    
+    log "Service restart completed"
+else
+    log "ERROR: Certificate renewal failed"
+    exit 1
+fi
+
+log "Certificate renewal process completed"