4 files changed, 23 insertions, 32 deletions
diff --git a/src/leap/bitmask/cli/mail.py b/src/leap/bitmask/cli/mail.py
index f0fa9722..46251313 100644
--- a/src/leap/bitmask/cli/mail.py
+++ b/src/leap/bitmask/cli/mail.py
@@ -32,9 +32,7 @@ SUBCOMMANDS:
    disable              Stop service
    status               Display status about service
    get_token            Returns token for the mail service
-   get_smtp_certificate Downloads a new smtp certificate
 
 '''.format(name=command.appname)
 
-    commands = ['enable', 'disable', 'status', 'get_token',
-                'get_smtp_certificate']
+    commands = ['enable', 'disable', 'status', 'get_token']
diff --git a/src/leap/bitmask/core/dispatcher.py b/src/leap/bitmask/core/dispatcher.py
index 2950896a..4c885ce7 100644
--- a/src/leap/bitmask/core/dispatcher.py
+++ b/src/leap/bitmask/core/dispatcher.py
@@ -182,31 +182,6 @@ class MailCmd(SubCommand):
         d = mail.get_token()
         return d
 
-    @register_method('dict')
-    def do_GET_SMTP_CERTIFICATE(self, mail, *parts, **kw):
-        # TODO move to mail service
-        # TODO should ask for confirmation? like --force or something,
-        # if we already have a valid one. or better just refuse if cert
-        # exists.
-        # TODO how should we pass the userid??
-        # - Keep an 'active' user in bonafide (last authenticated)
-        # (doing it now)
-        # - Get active user from Mail Service (maybe preferred?)
-        # - Have a command/method to set 'active' user.
-
-        @defer.inlineCallbacks
-        def save_cert(cert_data):
-            userid, cert_str = cert_data
-            cert_path = yield mail.do_get_smtp_cert_path(userid)
-            with open(cert_path, 'w') as outf:
-                outf.write(cert_str)
-            defer.returnValue('certificate saved to %s' % cert_path)
-
-        bonafide = kw['bonafide']
-        d = bonafide.do_get_smtp_cert()
-        d.addCallback(save_cert)
-        return d
-
 
 class WebUICmd(SubCommand):
 
diff --git a/src/leap/bitmask/core/mail_services.py b/src/leap/bitmask/core/mail_services.py
index a3cf692e..91d8fcaa 100644
--- a/src/leap/bitmask/core/mail_services.py
+++ b/src/leap/bitmask/core/mail_services.py
@@ -35,6 +35,7 @@ from twisted.python import log
 
 # TODO move to bitmask.common
 from leap.common.service_hooks import HookableService
+from leap.common.files import check_and_fix_urw_only
 from leap.bitmask.bonafide import config
 from leap.bitmask.keymanager import KeyManager
 from leap.bitmask.keymanager.errors import KeyNotFound
@@ -488,6 +489,26 @@ class StandardMailService(service.MultiService, HookableService):
         # TODO --- only start instance if "autostart" is True.
         self.startInstance(userid, soledad, keymanager)
 
+    @defer.inlineCallbacks
+    def hook_on_bonafide_auth(self, **kw):
+        # TODO: if it's expired we should renew it
+        userid = kw['username']
+        username, provider = userid.split('@')
+        cert_path = _get_smtp_client_cert_path(self._basedir, provider,
+                                               username)
+        if os.path.exists(cert_path):
+            return
+
+        bonafide = self.parent.getServiceNamed("bonafide")
+        _, cert_str = yield bonafide.do_get_smtp_cert(userid)
+
+        cert_dir = os.path.dirname(cert_path)
+        if not os.path.exists(cert_dir):
+            os.makedirs(cert_dir, mode=0700)
+        with open(cert_path, 'w') as outf:
+            outf.write(cert_str)
+        check_and_fix_urw_only(cert_path)
+
     # commands
 
     def do_status(self):
@@ -501,10 +522,6 @@ class StandardMailService(service.MultiService, HookableService):
         token = self._service_tokens.get(active_user)
         return defer.succeed({'user': active_user, 'token': token})
 
-    def do_get_smtp_cert_path(self, userid):
-        username, provider = userid.split('@')
-        return _get_smtp_client_cert_path(self._basedir, provider, username)
-
     # access to containers
 
     def get_soledad_session(self, userid):
diff --git a/src/leap/bitmask/core/service.py b/src/leap/bitmask/core/service.py
index bfcf0f2d..27853c09 100644
--- a/src/leap/bitmask/core/service.py
+++ b/src/leap/bitmask/core/service.py
@@ -90,6 +90,7 @@ class BitmaskBackend(configurable.ConfigurableService):
         bf.register_hook('on_passphrase_entry', listener='soledad')
         bf.register_hook('on_bonafide_auth', listener='soledad')
         bf.register_hook('on_bonafide_auth', listener='keymanager')
+        bf.register_hook('on_bonafide_auth', listener='mail')
 
     def init_soledad(self):
         service = mail_services.SoledadService