@alainwolf
Last active October 1, 2025 12:00
Postfix TLS Policy Server Update Script
# Daily check for updates of Postfix TLS Policy Service
#
# This is a five-field user-crontab entry (there is no user column), so it
# belongs in root's crontab: the script exits unless it runs with EUID 0.
# Because cron runs the script as root, keep
# /usr/local/sbin/postfix-tlspol-update owned by root and not writable by
# anyone else.
# The job runs every day at 12:50.
#
# min hour mday month wday command
50 12 * * * /usr/local/sbin/postfix-tlspol-update
#!/usr/bin/env bash
# *****************************************************************************
#
# Script to automatically update Postfix TLS-Policy Server
# See: https://github.com/Zuplu/postfix-tlspol
#
# Edited by Alain Wolf on Wed, 10. Sep 2025 14:00
# *****************************************************************************
# Location of the postfix-tlspol source checkout.
LOCAL_SRC="/usr/local/src/postfix-tlspol"

# Abort on a failing command, an unset variable, or a failing pipeline stage.
set -euo pipefail

# Only root may run this script.
if (( EUID != 0 )); then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi

# Use a fixed search path instead of whatever the calling environment supplied.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin
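# The checkout may belong to an account other than the one running this script.
# git refuses to operate on such a tree unless it is listed in safe.directory.
#
# NOTE(review): this script runs as root, so listing a tree owned by another
# account means root's git commands -- and the later build step -- act on
# content that account controls (repository config, hooks, build scripts).
# Keeping ${LOCAL_SRC} owned by root avoids taking this branch at all.
if [ "$(stat -c '%u' "${LOCAL_SRC}")" -ne "$(id -u)" ]; then
  # Read the list once. `git config --get-all` exits non-zero when the key has
  # no value yet; that must not abort the script under `set -e`.
  safe_dirs="$(git config --global --get-all safe.directory || true)"
  # -F -x: compare the path as a literal whole line, not as a regex.
  if ! grep -Fxq -- "${LOCAL_SRC}" <<<"${safe_dirs}"; then
    echo "Warning: ${LOCAL_SRC} is not owned by uid $(id -u); adding it to git safe.directory." >&2
    git config --global --add safe.directory "${LOCAL_SRC}"
  fi
fi

cd "${LOCAL_SRC}" || exit 1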
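# Refresh refs and tags. Without a successful fetch and a resolvable HEAD
# there is nothing to compare against.
if ! { git fetch --all --tags --prune && git rev-parse HEAD >/dev/null 2>&1; }; then
  echo "Fetch release tags from repository failed, aborting." >&2
  exit 1
fi

# Newest tag matching v* that is reachable from origin/main.
# NOTE(review): the tag is trusted as fetched; nothing in this script checks a
# signature on it before its build script later runs as root. If upstream
# signs its release tags (not confirmed here), `git verify-tag` against a
# pinned key would belong right after this lookup.
if ! LATEST_TAG="$(git describe --tags --abbrev=0 --match 'v*' origin/main 2>/dev/null)"; then
  echo "No release tag matching 'v*' found on origin/main, aborting." >&2
  exit 1
fi

# Commit currently checked out.
LOCAL_COMMIT="$(git rev-parse HEAD)"

# Peel the tag to the commit it points at: for an annotated tag a plain
# rev-parse yields the tag object's id, which never equals HEAD.
RELEASE_COMMIT="$(git rev-parse --verify "${LATEST_TAG}^{commit}")"

if [ "$LOCAL_COMMIT" = "$RELEASE_COMMIT" ]; then
  # Local source tree is already on the latest release tag.
  exit 0
fi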
# Work out which version, if any, is installed: the second field of the first
# line printed by `postfix-tlspol -version`, or "none" when the binary is not
# on PATH.
INSTALLED_VERSION="none"
if command -v postfix-tlspol > /dev/null 2>&1; then
  INSTALLED_VERSION="$(postfix-tlspol -version 2>/dev/null | head -n1 | awk '{print $2}')"
fi

# Latest available version: the release tag without its leading "v".
LATEST_VERSION="${LATEST_TAG#v}"

# Nothing to do when the installed version already matches.
if [[ "${INSTALLED_VERSION}" == "${LATEST_VERSION}" ]]; then
  # Silence is golden
  # echo "No update needed, already at latest version ($INSTALLED_VERSION)."
  exit 0
fi
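# Perform the update.
# NOTE(review): from here on, a build script shipped in the fetched repository
# runs with root privileges. The checks below only make sure that it is the
# tagged release that gets built.
echo "Updating Postfix TLS-Policy Server from version $INSTALLED_VERSION to $LATEST_VERSION..."

# Fail loudly instead of ending silently when the tree is not a git checkout.
if [ ! -d "${LOCAL_SRC}/.git" ]; then
  echo "${LOCAL_SRC} is not a git checkout, aborting update." >&2
  exit 1
fi

# One local branch per release; reuse it if an earlier run already created it.
RELEASE_BRANCH="release-${LATEST_TAG}"
if git show-ref --verify --quiet "refs/heads/${RELEASE_BRANCH}"; then
  git checkout "${RELEASE_BRANCH}"
else
  git checkout -b "${RELEASE_BRANCH}" "${LATEST_TAG}"
fi

# A branch left over from an earlier run may no longer sit on the tag, so
# confirm that the commit about to be built is the tagged one.
if [ "$(git rev-parse HEAD)" != "$(git rev-parse --verify "${LATEST_TAG}^{commit}")" ]; then
  echo "Branch ${RELEASE_BRANCH} does not point at ${LATEST_TAG}, aborting update." >&2
  exit 1
fi

# Build the new version; report a failed build on stderr.
if ! ./scripts/build.sh systemd; then
  echo "Build failed, aborting update." >&2
  exit 1
fi
echo "Update to version $LATEST_VERSION completed successfully."
# echo "You can check the installed version with: postfix-tlspol -version"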