Laudende Default seite entfernen

2025-10-18 09:43:36 +02:00 · 2025-10-18 09:43:36 +02:00 · c7bcf3306d
parent d41a132fbb
commit c7bcf3306d
1 changed files with 389 additions and 36 deletions
--- a/scripts/60-rspamd-opendkim.sh
+++ b/scripts/60-rspamd-opendkim.sh
@ -15,11 +15,9 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
 SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"   # z.B. sysmail.example.com
 DKIM_ENABLE="${DKIM_ENABLE:-1}"                               # 1=OpenDKIM aktiv
 DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"                        # z.B. mwl1
-DKIM_GENERATE="${DKIM_GENERATE:-1}"                           # 1=Key generieren, falls fehlt
+DKIM_GENERATE="${DKIM_GENERATE:-0}"                           # 1=Key generieren, falls fehlt
 RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"

-
-DKIM_GENERATE="0"
 # ──────────────────────────────────────────────────────────────
 # Rspamd (Controller + Milter)
 # ──────────────────────────────────────────────────────────────
@ -78,7 +76,7 @@ KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
 KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
 install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"

-# ── Key optional generieren (damit sofort signiert werden kann) ──────────────
+# ── Key optional generieren (nur wenn gewünscht) ─────────────────────────────
 if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
  if command -v opendkim-genkey >/dev/null 2>&1; then
    opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
@ -89,18 +87,18 @@ if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
  fi
 fi

-# ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ───────────────────
-: > /etc/opendkim/KeyTable
-: > /etc/opendkim/SigningTable
+# ── Key-/SigningTable nur anlegen, nicht leeren ───────────────────────────────
+touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
 chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
 chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable

-# Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter)
-if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
-  echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \
-    >> /etc/opendkim/KeyTable
-  echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \
-    >> /etc/opendkim/SigningTable
+if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
+  LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
+  LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
+  grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable     || echo "$LINE_KT" >> /etc/opendkim/KeyTable
+  grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
+else
+  echo "[i] Kein Private Key unter ${KEY_PRIV} – App-Helper trägt später ein."
 fi

 # ── Hauptkonfiguration ───────────────────────────────────────────────────────
@ -141,53 +139,96 @@ RuntimeDirectory=opendkim
 RuntimeDirectoryMode=0755
 EOF

-# Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer)
 install -d -o opendkim -g opendkim -m 0755 /run/opendkim

-# ── Root-Helper: DKIM-Keys später aus der App installieren ───────────────────
+# ──────────────────────────────────────────────────────────────
+# Root-Helper: DKIM installieren / entfernen + sudoers-Regel
+# ──────────────────────────────────────────────────────────────
 install -d -m 0750 /usr/local/sbin
+
+# --- mailwolt-install-dkim ------------------------------------
 cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
 #!/usr/bin/env bash
 set -euo pipefail
+
 DOMAIN="$1"
 SELECTOR="$2"
-TMP_PRIV="$3"
-TMP_PUBTXT="${4:-}"
+SRC_PRIV="$3"
+SRC_TXT="${4:-}"

 OKDIR="/etc/opendkim"
 KEYDIR="${OKDIR}/keys/${DOMAIN}"
 KEYPRI="${KEYDIR}/${SELECTOR}.private"

 install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
-install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
+install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"

-kt="${OKDIR}/KeyTable"
-st="${OKDIR}/SigningTable"
-touch "$kt" "$st"
-chown opendkim:opendkim "$kt" "$st"
-chmod 0640 "$kt" "$st"
+KT="${OKDIR}/KeyTable"
+ST="${OKDIR}/SigningTable"
+touch "$KT" "$ST"
+chown opendkim:opendkim "$KT" "$ST"
+chmod 0640 "$KT" "$ST"

-line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
-grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
+LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
+LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"

-line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
-grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
+grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
+grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"

-if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
+if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
  install -d -m 0755 /etc/mailwolt/dns
-  cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
+  cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
 fi

-# Dienst läuft evtl. schon – reload reicht
-if systemctl is-active --quiet opendkim; then
-  systemctl reload opendkim || true
-fi
+systemctl is-active --quiet opendkim && systemctl reload opendkim || true
 echo "OK"
 EOSH
+chmod 0750 /usr/local/sbin/mailwolt-install-dkim
 chown root:root /usr/local/sbin/mailwolt-install-dkim
-chmod 0750      /usr/local/sbin/mailwolt-install-dkim

-# ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ──
+# --- mailwolt-remove-dkim -------------------------------------
+cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
+#!/usr/bin/env bash
+set -euo pipefail
+
+DOMAIN="$1"
+SELECTOR="$2"
+
+OKDIR="/etc/opendkim"
+KEYDIR="${OKDIR}/keys/${DOMAIN}"
+KEYPRI="${KEYDIR}/${SELECTOR}.private"
+KT="${OKDIR}/KeyTable"
+ST="${OKDIR}/SigningTable"
+
+[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
+
+if [[ -f "$KT" ]]; then
+  TMP="$(mktemp)"
+  grep -v -F "${SELECTOR}._domainkey.${DOMAIN}" "$KT" > "$TMP" && mv "$TMP" "$KT"
+fi
+if [[ -f "$ST" ]]; then
+  TMP="$(mktemp)"
+  grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
+fi
+rmdir "${KEYDIR}" 2>/dev/null || true
+
+systemctl is-active --quiet opendkim && systemctl reload opendkim || true
+echo "OK"
+EOSH
+chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
+chown root:root /usr/local/sbin/mailwolt-remove-dkim
+
+# --- Sudoers-Regel für App-User --------------------------------
+APP_USER="${APP_USER:-mailwolt}"
+cat > /etc/sudoers.d/mailwolt-dkim <<EOF
+Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
+Defaults! /usr/local/sbin/mailwolt-remove-dkim  !requiretty
+${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
+${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
+EOF
+chmod 440 /etc/sudoers.d/mailwolt-dkim
+
+# ── Dienst + Postfix-Milter aktivieren ─────────────────────────
 systemctl daemon-reload
 systemctl enable --now opendkim || true

@ -195,9 +236,321 @@ systemctl enable --now opendkim || true
 /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
 systemctl reload postfix || true

-log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)."
+log "[✓] Rspamd + OpenDKIM eingerichtet (läuft; signiert, sobald Keys vorhanden sind)."

 ##!/usr/bin/env bash
+#set -euo pipefail
+#source ./lib.sh
+#
+#log "Rspamd + OpenDKIM einrichten …"
+#
+## ──────────────────────────────────────────────────────────────
+## ENV laden
+## ──────────────────────────────────────────────────────────────
+#set +u
+#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
+#set -u
+#
+#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
+#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"   # z.B. sysmail.example.com
+#DKIM_ENABLE="${DKIM_ENABLE:-1}"                               # 1=OpenDKIM aktiv
+#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"                        # z.B. mwl1
+#DKIM_GENERATE="${DKIM_GENERATE:-1}"                           # 1=Key generieren, falls fehlt
+#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
+#
+#
+#DKIM_GENERATE="0"
+## ──────────────────────────────────────────────────────────────
+## Rspamd (Controller + Milter)
+## ──────────────────────────────────────────────────────────────
+#install -d -m 0755 /etc/rspamd/local.d
+#
+#if command -v rspamadm >/dev/null 2>&1; then
+#  RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
+#else
+#  RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
+#fi
+#
+#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
+#password = "${RSPAMD_HASH}";
+#bind_socket = "127.0.0.1:11334";
+#CONF
+#
+#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
+#bind_socket = "127.0.0.1:11332";
+#CONF
+#
+#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
+#use = ["authentication-results"];
+#header = "Authentication-Results";
+#CONF
+#
+#systemctl enable --now rspamd || true
+#
+## ──────────────────────────────────────────────────────────────
+## OpenDKIM – nur wenn DKIM_ENABLE=1
+## ──────────────────────────────────────────────────────────────
+#if [[ "${DKIM_ENABLE}" != "1" ]]; then
+#  log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
+#  /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
+#  /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
+#  systemctl reload postfix || true
+#  exit 0
+#fi
+#
+#install -d -m 0755 /etc/opendkim
+#install -d -m 0750 /etc/opendkim/keys
+#chown -R opendkim:opendkim /etc/opendkim
+#chmod 750 /etc/opendkim/keys
+#
+## TrustedHosts
+#cat >/etc/opendkim/TrustedHosts <<'CONF'
+#127.0.0.1
+#::1
+#localhost
+#CONF
+#chown opendkim:opendkim /etc/opendkim/TrustedHosts
+#chmod 640 /etc/opendkim/TrustedHosts
+#
+## ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ───────────────────────────
+#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
+#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
+#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
+#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
+#
+## ── Key optional generieren (damit sofort signiert werden kann) ──────────────
+#if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
+#  if command -v opendkim-genkey >/dev/null 2>&1; then
+#    opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
+#    chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+#    chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
+#  else
+#    echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
+#  fi
+#fi
+#
+## ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ───────────────────
+#touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+#chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+#chmod 640             /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+#
+## Nur eintragen, wenn ein Private Key existiert (sonst übernimmt später der Helper)
+#if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
+#  LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
+#  LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
+#  grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable     || echo "$LINE_KT" >> /etc/opendkim/KeyTable
+#  grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
+#else
+#  echo "[i] Kein Private Key unter ${KEY_PRIV} – Tabellen bleiben ohne SYSMAIL-Eintrag (App/Helper trägt später ein)."
+#fi
+##: > /etc/opendkim/KeyTable
+##: > /etc/opendkim/SigningTable
+##chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+##chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
+##
+### Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter)
+##if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
+##  echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \
+##    >> /etc/opendkim/KeyTable
+##  echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \
+##    >> /etc/opendkim/SigningTable
+##fi
+#
+## ── Hauptkonfiguration ───────────────────────────────────────────────────────
+#cat >/etc/opendkim.conf <<'CONF'
+#Syslog            yes
+#UMask             002
+#Mode              sv
+#Socket            inet:8891@127.0.0.1
+#PidFile           /run/opendkim/opendkim.pid
+#Canonicalization  relaxed/simple
+#
+#On-BadSignature   accept
+#On-Default        accept
+#On-KeyNotFound    accept
+#On-NoSignature    accept
+#
+#LogWhy            yes
+#OversignHeaders   From
+#
+#KeyTable          /etc/opendkim/KeyTable
+#SigningTable      refile:/etc/opendkim/SigningTable
+#ExternalIgnoreList /etc/opendkim/TrustedHosts
+#InternalHosts       /etc/opendkim/TrustedHosts
+#
+#UserID            opendkim:opendkim
+#AutoRestart       yes
+#AutoRestartRate   10/1h
+#Background        yes
+#DNSTimeout        5
+#SignatureAlgorithm rsa-sha256
+#CONF
+#
+#
+## ──────────────────────────────────────────────────────────────
+## Root-Helper: DKIM installieren / entfernen
+## ──────────────────────────────────────────────────────────────
+#install -d -m 0750 /usr/local/sbin
+#
+## --- 1) mailwolt-install-dkim ---------------------------------
+#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#
+#DOMAIN="$1"         # z.B. kunden.tld oder sysmail.example.com
+#SELECTOR="$2"       # z.B. mwl1
+#SRC_PRIV="$3"       # absoluter Pfad zum Private-Key
+#SRC_TXT="${4:-}"    # optional: TXT-Datei mit 'v=DKIM1; k=rsa; p=...'
+#
+#OKDIR="/etc/opendkim"
+#KEYDIR="${OKDIR}/keys/${DOMAIN}"
+#KEYPRI="${KEYDIR}/${SELECTOR}.private"
+#
+#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
+#install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"
+#
+#KT="${OKDIR}/KeyTable"
+#ST="${OKDIR}/SigningTable"
+#touch "$KT" "$ST"
+#chown opendkim:opendkim "$KT" "$ST"
+#chmod 0640 "$KT" "$ST"
+#
+#LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
+#LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
+#
+#grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
+#grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"
+#
+#if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
+#  install -d -m 0755 /etc/mailwolt/dns
+#  cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
+#fi
+#
+#if systemctl is-active --quiet opendkim; then
+#  systemctl reload opendkim || true
+#fi
+#
+#echo "OK"
+#EOSH
+#chown root:root /usr/local/sbin/mailwolt-install-dkim
+#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
+#
+## --- 2) mailwolt-remove-dkim ----------------------------------
+#cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#
+#DOMAIN="$1"
+#SELECTOR="$2"
+#
+#OKDIR="/etc/opendkim"
+#KEYDIR="${OKDIR}/keys/${DOMAIN}"
+#KEYPRI="${KEYDIR}/${SELECTOR}.private"
+#KT="${OKDIR}/KeyTable"
+#ST="${OKDIR}/SigningTable"
+#
+## Key-Datei löschen, wenn vorhanden
+#[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
+#
+## Tabellenzeilen entfernen
+#if [[ -f "$KT" ]]; then
+#  TMP="$(mktemp)"
+#  grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" > "$TMP" && mv "$TMP" "$KT"
+#fi
+#if [[ -f "$ST" ]]; then
+#  TMP="$(mktemp)"
+#  grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
+#fi
+#
+#rmdir "${KEYDIR}" 2>/dev/null || true
+#
+#if systemctl is-active --quiet opendkim; then
+#  systemctl reload opendkim || true
+#fi
+#
+#echo "OK"
+#EOSH
+#chown root:root /usr/local/sbin/mailwolt-remove-dkim
+#chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
+#
+## --- 3) Sudoers-Regel für App-User (z. B. mailwolt) ----------
+#APP_USER="${APP_USER:-mailwolt}"
+#cat > /etc/sudoers.d/mailwolt-dkim <<EOF
+#Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
+#Defaults! /usr/local/sbin/mailwolt-remove-dkim  !requiretty
+#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
+#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
+#EOF
+#chmod 440 /etc/sudoers.d/mailwolt-dkim
+#
+## ── systemd Drop-in: /run/opendkim sicherstellen ─────────────────────────────
+#install -d -m 0755 /etc/systemd/system/opendkim.service.d
+#cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
+#[Service]
+#RuntimeDirectory=opendkim
+#RuntimeDirectoryMode=0755
+#EOF
+#
+## Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer)
+#install -d -o opendkim -g opendkim -m 0755 /run/opendkim
+#
+## ── Root-Helper: DKIM-Keys später aus der App installieren ───────────────────
+#install -d -m 0750 /usr/local/sbin
+#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
+##!/usr/bin/env bash
+#set -euo pipefail
+#DOMAIN="$1"
+#SELECTOR="$2"
+#TMP_PRIV="$3"
+#TMP_PUBTXT="${4:-}"
+#
+#OKDIR="/etc/opendkim"
+#KEYDIR="${OKDIR}/keys/${DOMAIN}"
+#KEYPRI="${KEYDIR}/${SELECTOR}.private"
+#
+#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
+#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
+#
+#kt="${OKDIR}/KeyTable"
+#st="${OKDIR}/SigningTable"
+#touch "$kt" "$st"
+#chown opendkim:opendkim "$kt" "$st"
+#chmod 0640 "$kt" "$st"
+#
+#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
+#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
+#
+#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
+#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
+#
+#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
+#  install -d -m 0755 /etc/mailwolt/dns
+#  cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
+#fi
+#
+## Dienst läuft evtl. schon – reload reicht
+#if systemctl is-active --quiet opendkim; then
+#  systemctl reload opendkim || true
+#fi
+#echo "OK"
+#EOSH
+#chown root:root /usr/local/sbin/mailwolt-install-dkim
+#chmod 0750      /usr/local/sbin/mailwolt-install-dkim
+#
+## ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ──
+#systemctl daemon-reload
+#systemctl enable --now opendkim || true
+#
+#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
+#systemctl reload postfix || true
+#
+#log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)."
+#
+
+
+##!/usr/bin/env bash
+
 #set -euo pipefail
 #source ./lib.sh
 #