<?php
/*
Software.....: updatecerts.php
License......: Public Domain
Version......: 1.0
Description..: Generate certificates for courier-imap/pop3
Coded by.....: sehh
Updated by...: tandyuk
Donate BTC...: 1P18NPpcYdAVsFfSfr823x6R73KtFipkbN
*/


ini_set('disabled_functions','');
// == Configuration options ==

// Enable debug output (true/false)
$debug = true;

//Set Which mail server you use.
//Should really work this out by ourself!
$courier = false;
$dovecot = true;

// Don't make any changes, just print output only (true/false)
$nochanges = true; //change this to false when you are happy with the results.

// Default cPanel/WHM files & paths (strings, paths end with /)
$ssldomains = "/etc/ssldomains";
$userdomains = "/etc/userdomains";
$keydir = "/etc/ssl/private/";
$certdir = "/etc/ssl/certs/";
$courierimapcfg = "/usr/lib/courier-imap/etc/imapd-ssl";
$courierpop3cfg = "/usr/lib/courier-imap/etc/pop3d-ssl";
$dovecotconf = "/etc/dovecot/dovecot.conf";
$dovecottemplate = "/var/cpanel/templates/dovecot2.2/main.default";
$dovecotlocal = "/var/cpanel/templates/dovecot2.2/main.local";

// == No need to change anything below this point!



// Load domains with SSL certificates
if(file_exists($ssldomains)===true) {
        $domaintmp = file_get_contents($ssldomains);
        $domaintmp = str_replace("\r", "", $domaintmp);
        $domaintmp = str_replace("\n\n", "\n", $domaintmp);
        $domaintmp = preg_replace("/\n$/", "", $domaintmp);
        $domaintmp = explode("\n", $domaintmp);
        foreach($domaintmp as $val){
                list($domain,$ip) = explode(':', $val);
                $domains[trim($domain)] = trim($ip);
        }

        if(sizeof($domains)==0) {
                echo "[ERROR] No SSL domains found\n";
                exit(2);
        }
        if($debug==true)
                echo "[DEBUG] Loaded ".sizeof($domains)." lines from ".$ssldomains."\n";
} else {
        echo "[ERROR] SSL domains file not found\n";
        exit(2);
}

//Load user names for domains
if(file_exists($userdomains)===true) {
        $usertmp = file_get_contents($userdomains);
        $usertmp = str_replace("\r", "", $usertmp);
        $usertmp = str_replace("\n\n", "\n", $usertmp);
        $usertmp = preg_replace("/\n$/", "", $usertmp);
        $usertmp = explode("\n", $usertmp);
        $users = array();
        foreach($usertmp as $val){
                list($domain,$user) = explode(":", $val);
                if(array_key_exists(trim($domain),$domains)){
                        $users[trim($domain)] = trim($user);
                }
        }

        if(sizeof($users)==0) {
                echo "[ERROR] No users found\n";
                exit(2);
        }
        if($debug==true)
                echo "[DEBUG] Loaded ".sizeof($users)." lines from ".$userdomains."\n";
} else {
        echo "[ERROR] " . $userdomains . " file not found\n";
        exit(2);
}


if($debug){
        echo "[DEBUG] Domains: " . var_export($domains,true) . "\n";
        echo "[DEBUG] Users: " . var_export($users,true) . "\n";
}


if($courier){
        // Find the existing system-wide IMAP certificate
        $rc = exec('/bin/grep "^TLS_CERTFILE" '.$imapcfg);
        if(strpos($rc, "TLS_CERTFILE=")===false) {
                echo "[ERROR] IMAP TLS certificate not found\n";
                exit(2);
        }
        $certimap = substr($rc, strpos($rc, "TLS_CERTFILE=")+13);
        $certimappath = dirname($certimap)."/";
        if($debug==true) {
                echo "[DEBUG] System-wide IMAP certificate: ".$certimap."\n";
                echo "[DEBUG] IMAP certificate path: ".$certimappath."\n";
        }

        // Find the existing system-wide POP3 certificate
        $rc = exec('/bin/grep "^TLS_CERTFILE" '.$pop3cfg);
        if(strpos($rc, "TLS_CERTFILE=")===false) {
                echo "[ERROR] POP3 TLS certificate not found\n";
                exit(2);
        }
        $certpop3 = substr($rc, strpos($rc, "TLS_CERTFILE=")+13);
        $certpop3path = dirname($certpop3)."/";
        if($debug==true) {
                echo "[DEBUG] System-wide POP3 certificate: ".$certpop3."\n";
                echo "[DEBUG] POP3 certificate path: ".$certpop3path."\n";
        }
}


if($dovecot){
        // Find the existing system-wide SSL certificate
        $rc = exec('/bin/grep "^ssl_cert = <" '.$dovecotconf);
        if(strpos($rc, "ssl_cert = <")===false) {
                echo "[ERROR] System-wide SSL certificate not found\n";
                exit(2);
        }
        $systemcert = substr($rc, strpos($rc, "ssl_cert = <")+12);
        $systemcertpath = dirname($systemcert)."/";
        if($debug==true) {
                echo "[DEBUG] System-wide SSL certificate: ".$systemcert."\n";
                echo "[DEBUG] System-wide SSL certificate path: ".$systemcertpath."\n";
        }

        // Find the existing system-wide SSL Key
        $rc = exec('/bin/grep "^ssl_key = <" '.$dovecotconf);
        if(strpos($rc, "ssl_key = <")===false) {
                echo "[ERROR] System-wide SSL key not found\n";
                exit(2);
        }
        $systemkey = substr($rc, strpos($rc, "ssl_key = <")+11);
        $systemkeypath = dirname($systemkey)."/";
        if($debug==true) {
                echo "[DEBUG] System-wide SSL key: ".$systemkey."\n";
                echo "[DEBUG] System-wide SSL key path: ".$systemkeypath."\n";
        }


if($nochanges==false){
        //Clone the default cpanel template
        copy($dovecotlocal,$dovecotlocal . '.1');
        copy($dovecottemplate,$dovecotlocal);
}

}



// Start the conversion for each SSL domain
$convertedips = array();
foreach($domains as $domain=>$ipaddress) {
        // Load domain and the equivalent IP address
        if($debug==true)
                echo "\t[DEBUG] Converting certificates for domain: ".$domain." with IP address: ".$ipaddress."\n";

        // Load existing private key

       $rc = exec('/bin/grep "^sslcertificatekeyfile:" /var/cpanel/userdata/'. $users[$domain] . '/' . $domain . '_SSL');
        if(strpos($rc, "sslcertificatekeyfile:")===false) {
                echo "[ERROR] User SSL key not found\n";
                exit(2);
        }
        $userkey = substr($rc, strpos($rc, "sslcertificatekeyfile: ")+23);
        $userkeypath = dirname($userkey)."/";
        if($debug==true) {
                echo "[DEBUG] User SSL key: ".$userkey."\n";
                echo "[DEBUG] User SSL key path: ".$userkeypath."\n";
        }

        $rc = exec('/bin/grep "^sslcertificatefile:" /var/cpanel/userdata/'. $users[$domain] . '/' . $domain . '_SSL');
        if(strpos($rc, "sslcertificatefile:")===false) {
                echo "[ERROR] User SSL config not found\n";
                exit(2);
        }
        $usercert = substr($rc, strpos($rc, "sslcertificatefile: ")+20);
        $usercertpath = dirname($usercert)."/";
        if($debug==true) {
                echo "[DEBUG] User SSL certificate: ".$usercert."\n";
                echo "[DEBUG] User SSL certificate path: ".$usercertpath."\n";
        }

        $rc = exec('/bin/grep "^sslcacertificatefile:" /var/cpanel/userdata/'. $users[$domain] . '/' . $domain . '_SSL');
        if(strpos($rc, "sslcacertificatefile:")===false) {
                echo "[ERROR] User SSL config not found\n";
                exit(2);
        }
        $usercacert = substr($rc, strpos($rc, "sslcacertificatefile: ")+22);
        $usercacertpath = dirname($usercacert)."/";
        if($debug==true) {
                echo "[DEBUG] User SSL CA certificate: ".$usercacert."\n";
                echo "[DEBUG] User SSL CA certificate path: ".$usercacertpath."\n";
        }



//add some links
//check and remove
if($nochanges==false){

$pem = $certdir . $domain . '.pem';

exec("touch ".$pem);
exec("chown root:wheel ".$pem);
exec("chmod u+rw-x,g+wr-x,o-wrx ".$pem);
exec("cat ".$userkey." > ".$pem);
exec('echo "" >> '.$pem);
exec("cat ".$usercert." >> ".$pem);
exec('echo "" >> '.$pem);
exec("cat ".$usercacert." >> ".$pem);

}




if($courier){
        // Generate the final PEM files (courier IMAP/POP3)
        $pemimap = $certimap.".".$ipaddress;
        if($debug==true)
                echo "\t[DEBUG] IMAP PEM file for domain ".$domain.": ".$pemimap."\n";
        $pempop3 = $certpop3.".".$ipaddress;
        if($debug==true)
                echo "\t[DEBUG] POP3 PEM file for domain ".$domain.": ".$pempop3."\n";



        if($nochanges==false) {
                // Generate IMAP PEM file
                exec("rm -rf ".$pemimap);
                exec("touch ".$pemimap);
                exec("chown root:wheel ".$pemimap);
                exec("chmod u+rw-x,g+wr-x,o-wrx ".$pemimap);
                exec("cat ".$key." > ".$pemimap);
                exec("cat ".$cert." >> ".$pemimap);

                // Generate POP PEM file
                exec("rm -rf ".$pempop3);
                exec("touch ".$pempop3);
                exec("chown root:wheel ".$pempop3);
                exec("chmod u+rw-x,g+wr-x,o-wrx ".$pempop3);
                exec("cat ".$key." > ".$pempop3);
                exec("cat ".$cert." >> ".$pempop3);
        }
        if($debug==true)
                echo "\t[DEBUG] Combine ".$key." and ".$cert." into ".$pemimap." and ".$pempop3."\n";
}



if($dovecot){

exec('echo "local '.$ipaddress.' {" >> '.$dovecotlocal);
exec('echo "  protocol imap {" >> '.$dovecotlocal);
exec('echo "    ssl_cert = <'.$pem.'" >> '.$dovecotlocal);
exec('echo "    ssl_key  = <'.$pem.'" >> '.$dovecotlocal);
exec('echo "  }" >> '.$dovecotlocal);
exec('echo "  protocol pop3 {" >> '.$dovecotlocal);
exec('echo "    ssl_cert = <'.$pem.'" >> '.$dovecotlocal);
exec('echo "    ssl_key  = <'.$pem.'" >> '.$dovecotlocal);
exec('echo "  }" >> '.$dovecotlocal);
exec('echo "}" >> '.$dovecotlocal);




}


        // Store the processed IP address
        $convertedips[] = $ipaddress;

        echo "\t\n";
}
if($debug==true)
        echo "[DEBUG] Converted a total of ".sizeof($convertedips)." domains\n";
/*
// Scanning for stale PEM files
if($handle = opendir($certimappath)) {
        while(false!==($file = readdir($handle))) {
                $pos = strpos($file, "imapd.pem.");
                if($pos!==false && $pos===0) {
                        $ip = substr($file, 10);
                        if(strlen($ip)>0 && in_array($ip, $convertedips)==false) {
                                if($nochanges==false)
                                        exec("rm -rf ".$certimappath.$file);
                                if($debug==true)
                                        echo "[DEBUG] Found stale IMAP PEM file: ".$certimappath.$file."\n";
                        }
                }
        }
        closedir($handle);
}

// Scanning for stale POP3 PEM files
if($handle = opendir($certpop3path)) {
        while(false!==($file = readdir($handle))) {
                $pos = strpos($file, "pop3d.pem.");
                if($pos!==false && $pos===0) {
                        $ip = substr($file, 10);
                        if(strlen($ip)>0 && in_array($ip, $convertedips)==false) {
                                if($nochanges==false)
                                        exec("rm -rf ".$certpop3path.$file);
                                if($debug==true)
                                        echo "[DEBUG] Found stale POP3 PEM file: ".$certpop3path.$file."\n";
                        }
                }
        }
        closedir($handle);
}
*/





//restart services

exec('/usr/local/cpanel/scripts/builddovecotconf');
exec('/usr/local/cpanel/scripts/restartsrv_dovecot');




?>