From 1b659a5574170a9183827c3e26df1336c6b8886c Mon Sep 17 00:00:00 2001
From: Nicholas Pepper <webmaster@neuralproductions.com>
Date: Tue, 12 May 2020 03:36:46 +0000
Subject: [PATCH] Modified letsencrypt support to add domain name checking in
 addition to hostname checking.  Added necessary tests and renamed original
 manual ssl test to a name that supports adding the other SSL tests.

---
 target/start-mailserver.sh                    | 64 ++++++++------
 .../config/letsencrypt/my-domain.com/cert.pem | 30 +++++++
 .../letsencrypt/my-domain.com/chain.pem       | 27 ++++++
 .../letsencrypt/my-domain.com/fullchain.pem   | 57 +++++++++++++
 test/config/letsencrypt/my-domain.com/key.pem | 28 +++++++
 test/mail_pop3.bats                           | 21 -----
 test/mail_ssl_letsencrypt.bats                | 84 +++++++++++++++++++
 ...l_manual_ssl.bats => mail_ssl_manual.bats} |  0
 8 files changed, 265 insertions(+), 46 deletions(-)
 create mode 100644 test/config/letsencrypt/my-domain.com/cert.pem
 create mode 100644 test/config/letsencrypt/my-domain.com/chain.pem
 create mode 100644 test/config/letsencrypt/my-domain.com/fullchain.pem
 create mode 100644 test/config/letsencrypt/my-domain.com/key.pem
 create mode 100644 test/mail_ssl_letsencrypt.bats
 rename test/{mail_manual_ssl.bats => mail_ssl_manual.bats} (100%)

diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index 8178844d..43b71c9e 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -1043,34 +1043,48 @@ function _setup_ssl() {
 	# SSL certificate Configuration
 	case $SSL_TYPE in
 		"letsencrypt" )
-			# letsencrypt folders and files mounted in /etc/letsencrypt
-			if [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then
-				KEY=""
-				if [ -e "/etc/letsencrypt/live/$HOSTNAME/privkey.pem" ]; then
-					KEY="privkey"
-				elif [ -e "/etc/letsencrypt/live/$HOSTNAME/key.pem" ]; then
-					KEY="key"
-				else
-					notify 'err' "Cannot access '/etc/letsencrypt/live/"$HOSTNAME"/privkey.pem' nor 'key.pem'"
-				fi
-				if [ -n "$KEY" ]; then
-					notify 'inf' "Adding $HOSTNAME SSL certificate"
+      notify 'inf' "Configuring SSL using 'letsecnrypt'"
+      # letsencrypt folders and files mounted in /etc/letsencrypt
+      local LETSENCRYPT_DOMAIN=""
+      local LETSENCRYPT_KEY=""
 
-					# Postfix configuration
-					sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$HOSTNAME'/fullchain.pem~g' /etc/postfix/main.cf
-					sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/postfix/main.cf
-
-					# Dovecot configuration
-					sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/letsencrypt/live/'$HOSTNAME'/fullchain\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
-					sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/letsencrypt/live/'$HOSTNAME'/'"$KEY"'\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
-
-					notify 'inf' "SSL configured with 'letsencrypt' certificates"
-				else
-					notify 'err' "Key filename not set!"
-				fi
+      # first determine the letsencrypt domain by checking both the full hostname or just the domainname if a SAN is used in the cert
+      if [ -e "/etc/letsencrypt/live/$HOSTNAME/fullchain.pem" ]; then
+        LETSENCRYPT_DOMAIN=$HOSTNAME
+      elif [ -e "/etc/letsencrypt/live/$DOMAINNAME/fullchain.pem" ]; then
+        LETSENCRYPT_DOMAIN=$DOMAINNAME
 			else
-				notify 'err' "Cannot access '/etc/letsencrypt/live/"$HOSTNAME"/fullchain.pem'"
+				notify 'err' "Cannot access '/etc/letsencrypt/live/"$HOSTNAME"/fullchain.pem' or '/etc/letsencrypt/live/"$DOMAINNAME"/fullchain.pem'"
+        return 1
 			fi
+
+      # then determine the keyfile to use
+			if [ -n "$LETSENCRYPT_DOMAIN" ]; then
+				if [ -e "/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/privkey.pem" ]; then
+					LETSENCRYPT_KEY="privkey"
+				elif [ -e "/etc/letsencrypt/live/$LETSENCRYPT_DOMAIN/key.pem" ]; then
+					LETSENCRYPT_KEY="key"
+				else
+					notify 'err' "Cannot access '/etc/letsencrypt/live/"$LETSENCRYPT_DOMAIN"/privkey.pem' nor 'key.pem'"
+          return 1
+				fi
+      fi
+
+      # finally, make the changes to the postfix and dovecot configurations
+      if [ -n "$LETSENCRYPT_KEY" ]; then
+        notify 'inf' "Adding $LETSENCRYPT_DOMAIN SSL certificate to the postfix and dovecot configuration"
+
+        # Postfix configuration
+        sed -i -r 's~smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem~smtpd_tls_cert_file=/etc/letsencrypt/live/'$LETSENCRYPT_DOMAIN'/fullchain.pem~g' /etc/postfix/main.cf
+        sed -i -r 's~smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key~smtpd_tls_key_file=/etc/letsencrypt/live/'$LETSENCRYPT_DOMAIN'/'"$LETSENCRYPT_KEY"'\.pem~g' /etc/postfix/main.cf
+
+        # Dovecot configuration
+        sed -i -e 's~ssl_cert = </etc/dovecot/ssl/dovecot\.pem~ssl_cert = </etc/letsencrypt/live/'$LETSENCRYPT_DOMAIN'/fullchain\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
+        sed -i -e 's~ssl_key = </etc/dovecot/ssl/dovecot\.key~ssl_key = </etc/letsencrypt/live/'$LETSENCRYPT_DOMAIN'/'"$LETSENCRYPT_KEY"'\.pem~g' /etc/dovecot/conf.d/10-ssl.conf
+
+        notify 'inf' "SSL configured with 'letsencrypt' certificates"
+      fi
+      return 0
 		;;
 	"custom" )
 		# Adding CA signed SSL certificate if provided in 'postfix/ssl' folder
diff --git a/test/config/letsencrypt/my-domain.com/cert.pem b/test/config/letsencrypt/my-domain.com/cert.pem
new file mode 100644
index 00000000..1e391e01
--- /dev/null
+++ b/test/config/letsencrypt/my-domain.com/cert.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFGTCCBAGgAwIBAgISA50jj6A/ilExMla41PwSejyBMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA0MTkxOTA1MDBaFw0x
+NjA3MTgxOTA1MDBaMBUxEzARBgNVBAMTCmlmdXNpby5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCcClf+Pee1EItdnjagOUQuwA4SLLiKCf5T+2Ec
+BPnwMGKtDb/TBWc8KEHQGxYCdtamFciT+OXUlJGjPGEna4DAKANi5njmq+TQFb7J
+ipA7pfQ4fp/2OqG3e6SwNvWurJlHIigiLe1lbc+7rt/5hon7Jwn260x/XaPHXRkU
+Aiy5FSDVeXnnCL5QOu5srnHrdTlWpEnz9WUvYCj3DMR38gxojnmpj48aMRRtrBAO
+NlxT9TssHoKvDXI1bEbeb2tpmC/+kRPusIukiucc3Fo9R/sHXjFkD7mK2UMb0ULE
+BG2D4wwEINUSG3B3wsu0eywAlkpX1UcFzdFTtsjU7V2a06jBAgMBAAGjggIsMIIC
+KDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOKqRnKTd2adWD+SndSZVFPsLVJkMB8G
+A1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEBBGQwYjAv
+BggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
+LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
+MDYGA1UdEQQvMC2CCmlmdXNpby5jb22CD21haWwuaWZ1c2lvLmNvbYIOd3d3Lmlm
+dXNpby5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEB
+MIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYI
+KwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGll
+ZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNl
+IHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xl
+dHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAgzf9
+DVCdVtKvlmGeT2puHU5ULf3t/JD6NL3ocuBMsDQPOHxa6kkyd6xqdBAelNSfEYv+
+BVfQp6Wox2IGrwfqqvNNzPGTHLxSpK94Gk0eeg7YhcxjoOryv4FgowQOax5J0OSS
+WIdAFVykPs87WKyHNY8W1zle/Ye9yjS6bjHdjqnOiG/7qDQ/DDYGn7ILHAHmUZYy
+1QQ0EdffNkLpkmCnTnotgBUpqmDt7pMNZRuYFTQq631ihe7jRXjSkgWS7tTfUT15
+SesUIo1NbjCJmBceFd2c/srgVlbWc2LXt7Qf5yxWJyhT16r/M7ok0btH25D5azk2
+TKdnq/QFhHWVZUr3hg==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/test/config/letsencrypt/my-domain.com/chain.pem b/test/config/letsencrypt/my-domain.com/chain.pem
new file mode 100644
index 00000000..edb593bc
--- /dev/null
+++ b/test/config/letsencrypt/my-domain.com/chain.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/test/config/letsencrypt/my-domain.com/fullchain.pem b/test/config/letsencrypt/my-domain.com/fullchain.pem
new file mode 100644
index 00000000..9060829b
--- /dev/null
+++ b/test/config/letsencrypt/my-domain.com/fullchain.pem
@@ -0,0 +1,57 @@
+-----BEGIN CERTIFICATE-----
+MIIFGTCCBAGgAwIBAgISA50jj6A/ilExMla41PwSejyBMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNjA0MTkxOTA1MDBaFw0x
+NjA3MTgxOTA1MDBaMBUxEzARBgNVBAMTCmlmdXNpby5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCcClf+Pee1EItdnjagOUQuwA4SLLiKCf5T+2Ec
+BPnwMGKtDb/TBWc8KEHQGxYCdtamFciT+OXUlJGjPGEna4DAKANi5njmq+TQFb7J
+ipA7pfQ4fp/2OqG3e6SwNvWurJlHIigiLe1lbc+7rt/5hon7Jwn260x/XaPHXRkU
+Aiy5FSDVeXnnCL5QOu5srnHrdTlWpEnz9WUvYCj3DMR38gxojnmpj48aMRRtrBAO
+NlxT9TssHoKvDXI1bEbeb2tpmC/+kRPusIukiucc3Fo9R/sHXjFkD7mK2UMb0ULE
+BG2D4wwEINUSG3B3wsu0eywAlkpX1UcFzdFTtsjU7V2a06jBAgMBAAGjggIsMIIC
+KDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
+MAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFOKqRnKTd2adWD+SndSZVFPsLVJkMB8G
+A1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEBBGQwYjAv
+BggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
+LwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcv
+MDYGA1UdEQQvMC2CCmlmdXNpby5jb22CD21haWwuaWZ1c2lvLmNvbYIOd3d3Lmlm
+dXNpby5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEB
+MIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYI
+KwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGll
+ZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNl
+IHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xl
+dHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAgzf9
+DVCdVtKvlmGeT2puHU5ULf3t/JD6NL3ocuBMsDQPOHxa6kkyd6xqdBAelNSfEYv+
+BVfQp6Wox2IGrwfqqvNNzPGTHLxSpK94Gk0eeg7YhcxjoOryv4FgowQOax5J0OSS
+WIdAFVykPs87WKyHNY8W1zle/Ye9yjS6bjHdjqnOiG/7qDQ/DDYGn7ILHAHmUZYy
+1QQ0EdffNkLpkmCnTnotgBUpqmDt7pMNZRuYFTQq631ihe7jRXjSkgWS7tTfUT15
+SesUIo1NbjCJmBceFd2c/srgVlbWc2LXt7Qf5yxWJyhT16r/M7ok0btH25D5azk2
+TKdnq/QFhHWVZUr3hg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
+SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
+GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
+q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
+SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
+Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
+a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
+/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
+AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
+CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
+bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
+c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
+VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
+ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
+MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
+Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
+AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
+uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
+wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
+X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
+PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
+KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/test/config/letsencrypt/my-domain.com/key.pem b/test/config/letsencrypt/my-domain.com/key.pem
new file mode 100644
index 00000000..54394e92
--- /dev/null
+++ b/test/config/letsencrypt/my-domain.com/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCcClf+Pee1EItd
+njagOUQuwA4SLLiKCf5T+2EcBPnwMGKtDb/TBWc8KEHQGxYCdtamFciT+OXUlJGj
+PGEna4DAKANi5njmq+TQFb7JipA7pfQ4fp/2OqG3e6SwNvWurJlHIigiLe1lbc+7
+rt/5hon7Jwn260x/XaPHXRkUAiy5FSDVeXnnCL5QOu5srnHrdTlWpEnz9WUvYCj3
+DMR38gxojnmpj48aMRRtrBAONlxT9TssHoKvDXI1bEbeb2tpmC/+kRPusIukiucc
+3Fo9R/sHXjFkD7mK2UMb0ULEBG2D4wwEINUSG3B3wsu0eywAlkpX1UcFzdFTtsjU
+7V2a06jBAgMBAAECggEAM+cA49FljAWHxckFdH/33PEG/Sag71FppjecUnyZQjpl
+6BgFsUQ/1XOyiG0qAgHTXgUq5YVJtU8BrmE8E6efeMsWbUQp/Ng6ULia8GDFnwGR
+XWVJAdb4yZY37mEpkUNZ7J5A6TWLnExNZ6lAWLhWlxKiLt6PYGIeQwcFe3FJvPn0
+GUSFYXYLJq9lIirQvl6lVzljpP6qvFQEqa4dgWqBOrC2/jL4amKK71N23sFnz0sQ
+UqjP72c7Nr+4xMOhsGetV1mYgPqAoR5W3XZRqDPeZ6f0FJ7L5xG69YJeo7MrXhKl
+N9kLhbGR/FH3IHdo7tRb2oGmHDLNJf9z/mBEerSW0QKBgQDPHCc59tCwmF1UV4eV
+fhRoq4Qyp8wF2ItJTMd12LJOX67eNJy6v93AhuaPgKp/kRMul5ZjL90UV1ISl/lz
+eYzgreMttCtRhZxUSvBo6w32NSacoiKcZojyTdyZPuOeAG2RxNHh+n+NZ7NjIWvG
+7xlW9HXQOPi8xlHpDfDs+7EgXQKBgQDA4AJlor22dExGuDOLlO0et+TVhErqXFSZ
+CtRmwsL+XTeSKyngZcyu1YnyoNOA9vGyOk26AW+WV9N9U6rwVs8CVczee5eKPZJN
+xQZjUo+fep3xIFvBpgnadfrodxjD8XMpHcb0I/ZRICZKqIVv9q+FzEXqE+HsfD3B
+kBfZ8GZztQKBgEVSdw6/vjpdxV9lrMws10fxoN4TrAaI5JY0TM71KTlybWWS1qLr
+dZ3riWCfAHKSbIk70+p/KtCUKbRvid9M4AqUKWYy2A0BW8IbEz0K8DFouPPUkSEo
+cM4poZzpn+ZS3lncNyQcZHVAMJsNpLWBcknYqVZ4u0j0WJZZRDsOQ8tBAoGBAK2p
+BH9+iFI/ZG5IbCDBdr6x1NhqxQk/GOyzU4sy0V81j1OMiagCAMlqe0p6g/UaY4SV
++mX/5Pj5GvM84iyD/N+dYVjw7wEJbzGWtKm5LJfrT0pMWFGDrluE3uVwVlwWihn7
+NaecuatRxyhxk7O76U4PHuQkAsdrFi+yDcetLJIBAoGBAJHUMttKQ9/sc6EYgdym
+u8hMi/WGrt5eOOAJ17lY53eRZLci7s1mfsWIF9b0N50iE60SaFADQiMRAUtkJXNI
+a55qdpalVHsAE4Wwh7nlKLkaDEartx5X1qSTFw4fTMyKNOveiggQ/i9LZpFxsz22
+3V+7jPJaCNyPbmOevXGhBEjr
+-----END PRIVATE KEY-----
\ No newline at end of file
diff --git a/test/mail_pop3.bats b/test/mail_pop3.bats
index 45bbea27..5f183fea 100644
--- a/test/mail_pop3.bats
+++ b/test/mail_pop3.bats
@@ -12,14 +12,11 @@ function setup_file() {
     docker run -d --name mail_pop3 \
 		-v "`pwd`/test/config":/tmp/docker-mailserver \
 		-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
-		-v "`pwd`/test/config/letsencrypt":/etc/letsencrypt/live \
 		-e ENABLE_POP3=1 \
 		-e DMS_DEBUG=0 \
-		-e SSL_TYPE=letsencrypt \
 		-h mail.my-domain.com -t ${NAME}
 
     wait_for_finished_setup_in_container mail_pop3
-    
 }
 
 function teardown_file() {
@@ -64,24 +61,6 @@ function teardown_file() {
   assert_success
 }
 
-#
-# ssl
-#
-
-@test "checking ssl: letsencrypt configuration is correct" {
-  run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/postfix/main.cf | wc -l'
-  assert_success
-  assert_output 2
-  run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
-  assert_success
-  assert_output 2
-}
-
-@test "checking ssl: letsencrypt cert works correctly" {
-  run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
-  assert_success
-}
-
 #
 # system
 #
diff --git a/test/mail_ssl_letsencrypt.bats b/test/mail_ssl_letsencrypt.bats
new file mode 100644
index 00000000..01c7a742
--- /dev/null
+++ b/test/mail_ssl_letsencrypt.bats
@@ -0,0 +1,84 @@
+load 'test_helper/common'
+
+function setup() {
+  run_setup_file_if_necessary
+}
+
+function teardown() {
+  run_teardown_file_if_necessary
+}
+
+function setup_file() {
+  docker run -d --name mail_lets_domain \
+  -v "`pwd`/test/config":/tmp/docker-mailserver \
+  -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+  -v "`pwd`/test/config/letsencrypt/my-domain.com":/etc/letsencrypt/live/my-domain.com \
+  -e DMS_DEBUG=0 \
+  -e SSL_TYPE=letsencrypt \
+  -h mail.my-domain.com -t ${NAME}
+  wait_for_finished_setup_in_container mail_lets_domain
+
+  docker run -d --name mail_lets_hostname \
+  -v "`pwd`/test/config":/tmp/docker-mailserver \
+  -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+  -v "`pwd`/test/config/letsencrypt/mail.my-domain.com":/etc/letsencrypt/live/mail.my-domain.com \
+  -e DMS_DEBUG=0 \
+  -e SSL_TYPE=letsencrypt \
+  -h mail.my-domain.com -t ${NAME}
+  wait_for_finished_setup_in_container mail_lets_hostname
+}
+
+function teardown_file() {
+  docker rm -f mail_lets_domain
+  docker rm -f mail_lets_hostname
+}
+
+# this test must come first to reliably identify when to run setup_file
+@test "first" {
+  skip 'Starting testing of letsencrypt SSL'
+}
+
+@test "checking ssl: letsencrypt configuration is correct" {
+  #test domain has certificate files
+  run docker exec mail_lets_domain /bin/sh -c 'postconf | grep "smtpd_tls_cert_file = /etc/letsencrypt/live/my-domain.com/fullchain.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_domain /bin/sh -c 'postconf | grep "smtpd_tls_key_file = /etc/letsencrypt/live/my-domain.com/key.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_domain /bin/sh -c 'doveconf | grep "ssl_cert = </etc/letsencrypt/live/my-domain.com/fullchain.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_domain /bin/sh -c 'doveconf -P | grep "ssl_key = </etc/letsencrypt/live/my-domain.com/key.pem" | wc -l'
+  assert_success
+  assert_output 1
+  #test hostname has certificate files
+  run docker exec mail_lets_hostname /bin/sh -c 'postconf | grep "smtpd_tls_cert_file = /etc/letsencrypt/live/mail.my-domain.com/fullchain.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_hostname /bin/sh -c 'postconf | grep "smtpd_tls_key_file = /etc/letsencrypt/live/mail.my-domain.com/privkey.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_hostname /bin/sh -c 'doveconf | grep "ssl_cert = </etc/letsencrypt/live/mail.my-domain.com/fullchain.pem" | wc -l'
+  assert_success
+  assert_output 1
+  run docker exec mail_lets_hostname /bin/sh -c 'doveconf -P | grep "ssl_key = </etc/letsencrypt/live/mail.my-domain.com/privkey.pem" | wc -l'
+  assert_success
+  assert_output 1
+}
+
+@test "checking ssl: letsencrypt cert works correctly" {
+  run docker exec mail_lets_domain /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
+  assert_success
+  run docker exec mail_lets_domain /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:465 -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
+  assert_success
+  run docker exec mail_lets_hostname /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
+  assert_success
+  run docker exec mail_lets_hostname /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:465 -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
+  assert_success
+}
+
+ # this test is only there to reliably mark the end for the teardown_file
+@test "last" {
+  skip 'Finished testing of letsencrypt SSL'
+}
diff --git a/test/mail_manual_ssl.bats b/test/mail_ssl_manual.bats
similarity index 100%
rename from test/mail_manual_ssl.bats
rename to test/mail_ssl_manual.bats