diff --git a/scripts/60-rspamd-opendkim.sh b/scripts/60-rspamd-opendkim.sh index 99500bd..7233d4c 100644 --- a/scripts/60-rspamd-opendkim.sh +++ b/scripts/60-rspamd-opendkim.sh @@ -15,11 +15,9 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}" SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1 -DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt +DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1=Key generieren, falls fehlt RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" - -DKIM_GENERATE="0" # ────────────────────────────────────────────────────────────── # Rspamd (Controller + Milter) # ────────────────────────────────────────────────────────────── @@ -78,7 +76,7 @@ KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" -# ── Key optional generieren (damit sofort signiert werden kann) ────────────── +# ── Key optional generieren (nur wenn gewünscht) ───────────────────────────── if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then if command -v opendkim-genkey >/dev/null 2>&1; then opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" 
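Review bot: The comment kept on the changed default line, `# 1=Key generieren, falls fehlt`, no longer tells a reader that 0 is now the default, so a first-time installer does not learn that no key will be generated and that signing only starts once a key has been installed through the mailwolt-install-dkim helper further down in this file. Suggest `DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1=generate key if missing (default 0: key is installed later via mailwolt-install-dkim)`. Dropping the unconditional `DKIM_GENERATE="0"` line below also means an operator-exported DKIM_GENERATE=1 takes effect again; presumably intentional, but worth stating in the commit message.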
@@ -89,18 +87,18 @@ if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then fi fi -# ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ─────────────────── -: > /etc/opendkim/KeyTable -: > /etc/opendkim/SigningTable +# ── Key-/SigningTable nur anlegen, nicht leeren ─────────────────────────────── +touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable -# Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter) -if [[ "${BASE_DOMAIN}" != "example.com" ]]; then - echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \ - >> /etc/opendkim/KeyTable - echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \ - >> /etc/opendkim/SigningTable +if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then + LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" + LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" + grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable + grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable +else + echo "[i] Kein Private Key unter ${KEY_PRIV} – App-Helper trägt später ein." fi # ── Hauptkonfiguration ─────────────────────────────────────────────────────── 
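Review bot: The new `else` branch prints `Kein Private Key unter ${KEY_PRIV}` even when the key exists and the branch was taken only because `BASE_DOMAIN` is still the `example.com` placeholder, so the message misdiagnoses that case. Split the condition so the placeholder gets its own message, e.g. `elif [[ "${BASE_DOMAIN}" == "example.com" ]]; then echo "[i] BASE_DOMAIN is still the example.com placeholder – no SYSMAIL entry written."` ahead of the existing `else`. `SYSMAIL_DOMAIN` and `DKIM_SELECTOR` come from the environment and are written verbatim into KeyTable/SigningTable, where whitespace or a newline would turn one entry into extra fields or lines; a guard before `LINE_KT` is built, `[[ "${SYSMAIL_DOMAIN}" =~ ^[A-Za-z0-9.-]+$ && "${DKIM_SELECTOR}" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "[!] invalid SYSMAIL_DOMAIN/DKIM_SELECTOR" >&2; exit 1; }`, catches that early. Since the tables are no longer truncated, entries for a previous selector now persist across re-runs; that is the stated intent, but the `[i]` message could say that existing entries are left untouched.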
@@ -141,53 +139,96 @@ RuntimeDirectory=opendkim RuntimeDirectoryMode=0755 EOF -# Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer) install -d -o opendkim -g opendkim -m 0755 /run/opendkim -# ── Root-Helper: DKIM-Keys später aus der App installieren ─────────────────── +# ────────────────────────────────────────────────────────────── +# Root-Helper: DKIM installieren / entfernen + sudoers-Regel +# ────────────────────────────────────────────────────────────── install -d -m 0750 /usr/local/sbin + +# --- mailwolt-install-dkim ------------------------------------ cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' #!/usr/bin/env bash set -euo pipefail + DOMAIN="$1" SELECTOR="$2" -TMP_PRIV="$3" -TMP_PUBTXT="${4:-}" +SRC_PRIV="$3" +SRC_TXT="${4:-}" OKDIR="/etc/opendkim" KEYDIR="${OKDIR}/keys/${DOMAIN}" KEYPRI="${KEYDIR}/${SELECTOR}.private" install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" -install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" +install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}" -kt="${OKDIR}/KeyTable" -st="${OKDIR}/SigningTable" -touch "$kt" "$st" -chown opendkim:opendkim "$kt" "$st" -chmod 0640 "$kt" "$st" +KT="${OKDIR}/KeyTable" +ST="${OKDIR}/SigningTable" +touch "$KT" "$ST" +chown opendkim:opendkim "$KT" "$ST" +chmod 0640 "$KT" "$ST" -line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" -grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" +LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" +LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" -line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" -grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" +grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT" +grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST" -if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then +if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then install -d -m 0755 /etc/mailwolt/dns - cp -f "${TMP_PUBTXT}" 
"/etc/mailwolt/dns/dkim-${DOMAIN}.txt" + cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" fi -# Dienst läuft evtl. schon – reload reicht -if systemctl is-active --quiet opendkim; then - systemctl reload opendkim || true -fi +systemctl is-active --quiet opendkim && systemctl reload opendkim || true echo "OK" EOSH +chmod 0750 /usr/local/sbin/mailwolt-install-dkim chown root:root /usr/local/sbin/mailwolt-install-dkim -chmod 0750 /usr/local/sbin/mailwolt-install-dkim -# ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ── +# --- mailwolt-remove-dkim ------------------------------------- +cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH' +#!/usr/bin/env bash +set -euo pipefail + +DOMAIN="$1" +SELECTOR="$2" + +OKDIR="/etc/opendkim" +KEYDIR="${OKDIR}/keys/${DOMAIN}" +KEYPRI="${KEYDIR}/${SELECTOR}.private" +KT="${OKDIR}/KeyTable" +ST="${OKDIR}/SigningTable" + +[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}" + +if [[ -f "$KT" ]]; then + TMP="$(mktemp)" + grep -v -F "${SELECTOR}._domainkey.${DOMAIN}" "$KT" > "$TMP" && mv "$TMP" "$KT" +fi +if [[ -f "$ST" ]]; then + TMP="$(mktemp)" + grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST" +fi +rmdir "${KEYDIR}" 2>/dev/null || true + +systemctl is-active --quiet opendkim && systemctl reload opendkim || true +echo "OK" +EOSH +chmod 0750 /usr/local/sbin/mailwolt-remove-dkim +chown root:root /usr/local/sbin/mailwolt-remove-dkim + +# --- Sudoers-Regel für App-User -------------------------------- +APP_USER="${APP_USER:-mailwolt}" +cat > /etc/sudoers.d/mailwolt-dkim </dev/null 2>&1; then +# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" +#else +# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" +#fi +# +#cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' +#bind_socket = "127.0.0.1:11332"; +#CONF +# +#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' +#use = ["authentication-results"]; +#header = 
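Review bot: mailwolt-remove-dkim and mailwolt-install-dkim build `KEYDIR`/`KEYPRI` from `DOMAIN` and `SELECTOR` taken straight from argv, and the new sudoers rule lets the app user run both helpers as root, so a value containing `/` or `..` moves `rm -f "${KEYPRI}"` and the `install` target out of `/etc/opendkim/keys`; a strict pattern check on both arguments at the top of each helper is the missing control. The table rewrite in the remove helper has two further defects: `grep -v -F "${SELECTOR}._domainkey.${DOMAIN}"` is an unanchored substring match, so removing `example.com` also drops the line for `example.com.au`, and `grep -v` exits 1 when the table holds only the line being removed, which skips the `mv` and leaves both the entry and the mktemp file behind. `mv "$TMP" "$KT"` also replaces the 0640 opendkim:opendkim table with mktemp's 0600 root-owned file, so opendkim can no longer read KeyTable/SigningTable after the first removal. The `/etc/mailwolt/dns/dkim-${DOMAIN}.txt` copy written by the install helper is never removed, and the sudoers heredoc at the end of this hunk is not legible in this rendering, so its exact rule could not be reviewed.
```shell
DOMAIN="$1"
SELECTOR="$2"
# argv is the trust boundary: this helper runs as root via sudo
[[ "$DOMAIN" =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]] || { echo "invalid domain" >&2; exit 2; }
[[ "$SELECTOR" =~ ^[A-Za-z0-9_-]+$ ]] || { echo "invalid selector" >&2; exit 2; }
# … unchanged: OKDIR, KEYDIR, KEYPRI, KT, ST, rm -f of the key …
LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
# Drop exactly one table line; grep -v exits 1 when nothing remains,
# and the replacement file must keep the table's owner and mode.
strip_line() {
  local file="$1" line="$2" tmp
  [[ -f "$file" ]] || return 0
  tmp="$(mktemp "${file}.XXXXXX")"
  grep -v -F -x -- "$line" "$file" > "$tmp" || [[ $? -eq 1 ]]
  chown opendkim:opendkim "$tmp"
  chmod 0640 "$tmp"
  mv -f "$tmp" "$file"
}
strip_line "$KT" "$LINE_KT"
strip_line "$ST" "$LINE_ST"
# … unchanged: rmdir, systemctl reload, echo "OK" …
```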
"Authentication-Results"; +#CONF +# +#systemctl enable --now rspamd || true +# +## ────────────────────────────────────────────────────────────── +## OpenDKIM – nur wenn DKIM_ENABLE=1 +## ────────────────────────────────────────────────────────────── +#if [[ "${DKIM_ENABLE}" != "1" ]]; then +# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen." +# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" +# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" +# systemctl reload postfix || true +# exit 0 +#fi +# +#install -d -m 0755 /etc/opendkim +#install -d -m 0750 /etc/opendkim/keys +#chown -R opendkim:opendkim /etc/opendkim +#chmod 750 /etc/opendkim/keys +# +## TrustedHosts +#cat >/etc/opendkim/TrustedHosts <<'CONF' +#127.0.0.1 +#::1 +#localhost +#CONF +#chown opendkim:opendkim /etc/opendkim/TrustedHosts +#chmod 640 /etc/opendkim/TrustedHosts +# +## ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ─────────────────────────── +#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}" +#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" +#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" +#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" +# +## ── Key optional generieren (damit sofort signiert werden kann) ────────────── +#if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then +# if command -v opendkim-genkey >/dev/null 2>&1; then +# opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" +# chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true +# chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true +# else +# echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren." 
+# fi +#fi +# +## ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ─────────────────── +#touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable +#chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable +#chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable +# +## Nur eintragen, wenn ein Private Key existiert (sonst übernimmt später der Helper) +#if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then +# LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" +# LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" +# grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable +# grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable +#else +# echo "[i] Kein Private Key unter ${KEY_PRIV} – Tabellen bleiben ohne SYSMAIL-Eintrag (App/Helper trägt später ein)." +#fi +##: > /etc/opendkim/KeyTable +##: > /etc/opendkim/SigningTable +##chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable +##chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable +## +### Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter) +##if [[ "${BASE_DOMAIN}" != "example.com" ]]; then +## echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \ +## >> /etc/opendkim/KeyTable +## echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \ +## >> /etc/opendkim/SigningTable +##fi +# +## ── Hauptkonfiguration ─────────────────────────────────────────────────────── +#cat >/etc/opendkim.conf <<'CONF' +#Syslog yes +#UMask 002 +#Mode sv +#Socket inet:8891@127.0.0.1 +#PidFile /run/opendkim/opendkim.pid +#Canonicalization relaxed/simple +# +#On-BadSignature accept +#On-Default accept +#On-KeyNotFound accept +#On-NoSignature accept +# +#LogWhy yes +#OversignHeaders From +# +#KeyTable /etc/opendkim/KeyTable +#SigningTable 
refile:/etc/opendkim/SigningTable +#ExternalIgnoreList /etc/opendkim/TrustedHosts +#InternalHosts /etc/opendkim/TrustedHosts +# +#UserID opendkim:opendkim +#AutoRestart yes +#AutoRestartRate 10/1h +#Background yes +#DNSTimeout 5 +#SignatureAlgorithm rsa-sha256 +#CONF +# +# +## ────────────────────────────────────────────────────────────── +## Root-Helper: DKIM installieren / entfernen +## ────────────────────────────────────────────────────────────── +#install -d -m 0750 /usr/local/sbin +# +## --- 1) mailwolt-install-dkim --------------------------------- +#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +# +#DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com +#SELECTOR="$2" # z.B. mwl1 +#SRC_PRIV="$3" # absoluter Pfad zum Private-Key +#SRC_TXT="${4:-}" # optional: TXT-Datei mit 'v=DKIM1; k=rsa; p=...' +# +#OKDIR="/etc/opendkim" +#KEYDIR="${OKDIR}/keys/${DOMAIN}" +#KEYPRI="${KEYDIR}/${SELECTOR}.private" +# +#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" +#install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}" +# +#KT="${OKDIR}/KeyTable" +#ST="${OKDIR}/SigningTable" +#touch "$KT" "$ST" +#chown opendkim:opendkim "$KT" "$ST" +#chmod 0640 "$KT" "$ST" +# +#LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" +#LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" +# +#grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT" +#grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST" +# +#if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then +# install -d -m 0755 /etc/mailwolt/dns +# cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" +#fi +# +#if systemctl is-active --quiet opendkim; then +# systemctl reload opendkim || true +#fi +# +#echo "OK" +#EOSH +#chown root:root /usr/local/sbin/mailwolt-install-dkim +#chmod 0750 /usr/local/sbin/mailwolt-install-dkim +# +## --- 2) mailwolt-remove-dkim ---------------------------------- +#cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH' 
+##!/usr/bin/env bash +#set -euo pipefail +# +#DOMAIN="$1" +#SELECTOR="$2" +# +#OKDIR="/etc/opendkim" +#KEYDIR="${OKDIR}/keys/${DOMAIN}" +#KEYPRI="${KEYDIR}/${SELECTOR}.private" +#KT="${OKDIR}/KeyTable" +#ST="${OKDIR}/SigningTable" +# +## Key-Datei löschen, wenn vorhanden +#[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}" +# +## Tabellenzeilen entfernen +#if [[ -f "$KT" ]]; then +# TMP="$(mktemp)" +# grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" > "$TMP" && mv "$TMP" "$KT" +#fi +#if [[ -f "$ST" ]]; then +# TMP="$(mktemp)" +# grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST" +#fi +# +#rmdir "${KEYDIR}" 2>/dev/null || true +# +#if systemctl is-active --quiet opendkim; then +# systemctl reload opendkim || true +#fi +# +#echo "OK" +#EOSH +#chown root:root /usr/local/sbin/mailwolt-remove-dkim +#chmod 0750 /usr/local/sbin/mailwolt-remove-dkim +# +## --- 3) Sudoers-Regel für App-User (z. B. mailwolt) ---------- +#APP_USER="${APP_USER:-mailwolt}" +#cat > /etc/sudoers.d/mailwolt-dkim </etc/systemd/system/opendkim.service.d/override.conf <<'EOF' +#[Service] +#RuntimeDirectory=opendkim +#RuntimeDirectoryMode=0755 +#EOF +# +## Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer) +#install -d -o opendkim -g opendkim -m 0755 /run/opendkim +# +## ── Root-Helper: DKIM-Keys später aus der App installieren ─────────────────── +#install -d -m 0750 /usr/local/sbin +#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' +##!/usr/bin/env bash +#set -euo pipefail +#DOMAIN="$1" +#SELECTOR="$2" +#TMP_PRIV="$3" +#TMP_PUBTXT="${4:-}" +# +#OKDIR="/etc/opendkim" +#KEYDIR="${OKDIR}/keys/${DOMAIN}" +#KEYPRI="${KEYDIR}/${SELECTOR}.private" +# +#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" +#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" +# +#kt="${OKDIR}/KeyTable" +#st="${OKDIR}/SigningTable" +#touch "$kt" "$st" +#chown opendkim:opendkim "$kt" "$st" +#chmod 0640 "$kt" "$st" +# 
+#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" +#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" +# +#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" +#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" +# +#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then +# install -d -m 0755 /etc/mailwolt/dns +# cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" +#fi +# +## Dienst läuft evtl. schon – reload reicht +#if systemctl is-active --quiet opendkim; then +# systemctl reload opendkim || true +#fi +#echo "OK" +#EOSH +#chown root:root /usr/local/sbin/mailwolt-install-dkim +#chmod 0750 /usr/local/sbin/mailwolt-install-dkim +# +## ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ── +#systemctl daemon-reload +#systemctl enable --now opendkim || true +# +#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" +#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" +#systemctl reload postfix || true +# +#log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)." +# + + +##!/usr/bin/env bash + #set -euo pipefail #source ./lib.sh #
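Review bot: The tail of the change appends several hundred lines of commented-out earlier revisions of this script (three generations of the DKIM helper and the Rspamd setup are visible here), which will drift from the live code above and bury the real configuration; version control already keeps that history, so the block should be deleted rather than kept as comments. If a pointer is wanted, a one-line comment naming the commit that replaced the truncating `: > /etc/opendkim/KeyTable` logic is enough. The hunk header for this block is not legible in this rendering, so its exact extent could not be confirmed.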