boban
/
mailwolt-installer
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Laudende Default seite entfernen

main
boksbc 2025-10-18 09:43:36 +02:00
parent d41a132fbb
commit c7bcf3306d
1 changed files with 389 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

425
scripts/60-rspamd-opendkim.sh
View File

@ -15,11 +15,9 @@ BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com
DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1 DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1
DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1=Key generieren, falls fehlt
RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
DKIM_GENERATE="0"
# ────────────────────────────────────────────────────────────── # ──────────────────────────────────────────────────────────────
# Rspamd (Controller + Milter) # Rspamd (Controller + Milter)
# ────────────────────────────────────────────────────────────── # ──────────────────────────────────────────────────────────────
@ -78,7 +76,7 @@ KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
# ── Key optional generieren (damit sofort signiert werden kann) ────────────── # ── Key optional generieren (nur wenn gewünscht) ─────────────────────────────
if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
if command -v opendkim-genkey >/dev/null 2>&1; then if command -v opendkim-genkey >/dev/null 2>&1; then
opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
@ -89,18 +87,18 @@ if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
fi fi
fi fi
# ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ─────────────────── # ── Key-/SigningTable nur anlegen, nicht leeren ───────────────────────────────
: > /etc/opendkim/KeyTable touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
: > /etc/opendkim/SigningTable
chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
# Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter) if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
if [[ "${BASE_DOMAIN}" != "example.com" ]]; then LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \ LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
>> /etc/opendkim/KeyTable grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable
echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \ grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
>> /etc/opendkim/SigningTable else
echo "[i] Kein Private Key unter ${KEY_PRIV} App-Helper trägt später ein."
fi fi
# ── Hauptkonfiguration ─────────────────────────────────────────────────────── # ── Hauptkonfiguration ───────────────────────────────────────────────────────
@ -141,53 +139,96 @@ RuntimeDirectory=opendkim
RuntimeDirectoryMode=0755 RuntimeDirectoryMode=0755
EOF EOF
# Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer)
install -d -o opendkim -g opendkim -m 0755 /run/opendkim install -d -o opendkim -g opendkim -m 0755 /run/opendkim
# ── Root-Helper: DKIM-Keys später aus der App installieren ─────────────────── # ──────────────────────────────────────────────────────────────
# Root-Helper: DKIM installieren / entfernen + sudoers-Regel
# ──────────────────────────────────────────────────────────────
install -d -m 0750 /usr/local/sbin install -d -m 0750 /usr/local/sbin
# --- mailwolt-install-dkim ------------------------------------
cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
DOMAIN="$1" DOMAIN="$1"
SELECTOR="$2" SELECTOR="$2"
TMP_PRIV="$3" SRC_PRIV="$3"
TMP_PUBTXT="${4:-}" SRC_TXT="${4:-}"
OKDIR="/etc/opendkim" OKDIR="/etc/opendkim"
KEYDIR="${OKDIR}/keys/${DOMAIN}" KEYDIR="${OKDIR}/keys/${DOMAIN}"
KEYPRI="${KEYDIR}/${SELECTOR}.private" KEYPRI="${KEYDIR}/${SELECTOR}.private"
install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"
kt="${OKDIR}/KeyTable" KT="${OKDIR}/KeyTable"
st="${OKDIR}/SigningTable" ST="${OKDIR}/SigningTable"
touch "$kt" "$st" touch "$KT" "$ST"
chown opendkim:opendkim "$kt" "$st" chown opendkim:opendkim "$KT" "$ST"
chmod 0640 "$kt" "$st" chmod 0640 "$KT" "$ST"
line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"
if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
install -d -m 0755 /etc/mailwolt/dns install -d -m 0755 /etc/mailwolt/dns
cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
fi fi
# Dienst läuft evtl. schon reload reicht systemctl is-active --quiet opendkim && systemctl reload opendkim || true
if systemctl is-active --quiet opendkim; then
systemctl reload opendkim || true
fi
echo "OK" echo "OK"
EOSH EOSH
chmod 0750 /usr/local/sbin/mailwolt-install-dkim
chown root:root /usr/local/sbin/mailwolt-install-dkim chown root:root /usr/local/sbin/mailwolt-install-dkim
chmod 0750 /usr/local/sbin/mailwolt-install-dkim
# ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ── # --- mailwolt-remove-dkim -------------------------------------
cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
#!/usr/bin/env bash
set -euo pipefail
DOMAIN="$1"
SELECTOR="$2"
OKDIR="/etc/opendkim"
KEYDIR="${OKDIR}/keys/${DOMAIN}"
KEYPRI="${KEYDIR}/${SELECTOR}.private"
KT="${OKDIR}/KeyTable"
ST="${OKDIR}/SigningTable"
[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
if [[ -f "$KT" ]]; then
TMP="$(mktemp)"
grep -v -F "${SELECTOR}._domainkey.${DOMAIN}" "$KT" > "$TMP" && mv "$TMP" "$KT"
fi
if [[ -f "$ST" ]]; then
TMP="$(mktemp)"
grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
fi
rmdir "${KEYDIR}" 2>/dev/null || true
systemctl is-active --quiet opendkim && systemctl reload opendkim || true
echo "OK"
EOSH
chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
chown root:root /usr/local/sbin/mailwolt-remove-dkim
# --- Sudoers-Regel für App-User --------------------------------
APP_USER="${APP_USER:-mailwolt}"
cat > /etc/sudoers.d/mailwolt-dkim <<EOF
Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
Defaults! /usr/local/sbin/mailwolt-remove-dkim !requiretty
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
EOF
chmod 440 /etc/sudoers.d/mailwolt-dkim
# ── Dienst + Postfix-Milter aktivieren ─────────────────────────
systemctl daemon-reload systemctl daemon-reload
systemctl enable --now opendkim || true systemctl enable --now opendkim || true
@ -195,9 +236,321 @@ systemctl enable --now opendkim || true
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
systemctl reload postfix || true systemctl reload postfix || true
log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)." log "[✓] Rspamd + OpenDKIM eingerichtet (läuft; signiert, sobald Keys vorhanden sind)."
##!/usr/bin/env bash ##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Rspamd + OpenDKIM einrichten …"
#
## ──────────────────────────────────────────────────────────────
## ENV laden
## ──────────────────────────────────────────────────────────────
#set +u
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
#set -u
#
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com
#DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1
#DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
#
#
#DKIM_GENERATE="0"
## ──────────────────────────────────────────────────────────────
## Rspamd (Controller + Milter)
## ──────────────────────────────────────────────────────────────
#install -d -m 0755 /etc/rspamd/local.d
#
#if command -v rspamadm >/dev/null 2>&1; then
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
#else
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
#fi
#
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
#password = "${RSPAMD_HASH}";
#bind_socket = "127.0.0.1:11334";
#CONF
#
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
#bind_socket = "127.0.0.1:11332";
#CONF
#
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
#use = ["authentication-results"];
#header = "Authentication-Results";
#CONF
#
#systemctl enable --now rspamd || true
#
## ──────────────────────────────────────────────────────────────
## OpenDKIM nur wenn DKIM_ENABLE=1
## ──────────────────────────────────────────────────────────────
#if [[ "${DKIM_ENABLE}" != "1" ]]; then
# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
# systemctl reload postfix || true
# exit 0
#fi
#
#install -d -m 0755 /etc/opendkim
#install -d -m 0750 /etc/opendkim/keys
#chown -R opendkim:opendkim /etc/opendkim
#chmod 750 /etc/opendkim/keys
#
## TrustedHosts
#cat >/etc/opendkim/TrustedHosts <<'CONF'
#127.0.0.1
#::1
#localhost
#CONF
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
#chmod 640 /etc/opendkim/TrustedHosts
#
## ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ───────────────────────────
#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
#
## ── Key optional generieren (damit sofort signiert werden kann) ──────────────
#if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
# if command -v opendkim-genkey >/dev/null 2>&1; then
# opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
# chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
# chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
# else
# echo "[!] opendkim-genkey fehlt kann DKIM-Key nicht generieren."
# fi
#fi
#
## ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ───────────────────
#touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
#chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
#chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
#
## Nur eintragen, wenn ein Private Key existiert (sonst übernimmt später der Helper)
#if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
# LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
# LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
# grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable
# grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
#else
# echo "[i] Kein Private Key unter ${KEY_PRIV} Tabellen bleiben ohne SYSMAIL-Eintrag (App/Helper trägt später ein)."
#fi
##: > /etc/opendkim/KeyTable
##: > /etc/opendkim/SigningTable
##chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
##chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
##
### Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter)
##if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
## echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \
## >> /etc/opendkim/KeyTable
## echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \
## >> /etc/opendkim/SigningTable
##fi
#
## ── Hauptkonfiguration ───────────────────────────────────────────────────────
#cat >/etc/opendkim.conf <<'CONF'
#Syslog yes
#UMask 002
#Mode sv
#Socket inet:8891@127.0.0.1
#PidFile /run/opendkim/opendkim.pid
#Canonicalization relaxed/simple
#
#On-BadSignature accept
#On-Default accept
#On-KeyNotFound accept
#On-NoSignature accept
#
#LogWhy yes
#OversignHeaders From
#
#KeyTable /etc/opendkim/KeyTable
#SigningTable refile:/etc/opendkim/SigningTable
#ExternalIgnoreList /etc/opendkim/TrustedHosts
#InternalHosts /etc/opendkim/TrustedHosts
#
#UserID opendkim:opendkim
#AutoRestart yes
#AutoRestartRate 10/1h
#Background yes
#DNSTimeout 5
#SignatureAlgorithm rsa-sha256
#CONF
#
#
## ──────────────────────────────────────────────────────────────
## Root-Helper: DKIM installieren / entfernen
## ──────────────────────────────────────────────────────────────
#install -d -m 0750 /usr/local/sbin
#
## --- 1) mailwolt-install-dkim ---------------------------------
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#
#DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com
#SELECTOR="$2" # z.B. mwl1
#SRC_PRIV="$3" # absoluter Pfad zum Private-Key
#SRC_TXT="${4:-}" # optional: TXT-Datei mit 'v=DKIM1; k=rsa; p=...'
#
#OKDIR="/etc/opendkim"
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
#
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
#install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"
#
#KT="${OKDIR}/KeyTable"
#ST="${OKDIR}/SigningTable"
#touch "$KT" "$ST"
#chown opendkim:opendkim "$KT" "$ST"
#chmod 0640 "$KT" "$ST"
#
#LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
#LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
#
#grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
#grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"
#
#if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
# install -d -m 0755 /etc/mailwolt/dns
# cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
#fi
#
#if systemctl is-active --quiet opendkim; then
# systemctl reload opendkim || true
#fi
#
#echo "OK"
#EOSH
#chown root:root /usr/local/sbin/mailwolt-install-dkim
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
#
## --- 2) mailwolt-remove-dkim ----------------------------------
#cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#
#DOMAIN="$1"
#SELECTOR="$2"
#
#OKDIR="/etc/opendkim"
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
#KT="${OKDIR}/KeyTable"
#ST="${OKDIR}/SigningTable"
#
## Key-Datei löschen, wenn vorhanden
#[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
#
## Tabellenzeilen entfernen
#if [[ -f "$KT" ]]; then
# TMP="$(mktemp)"
# grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" > "$TMP" && mv "$TMP" "$KT"
#fi
#if [[ -f "$ST" ]]; then
# TMP="$(mktemp)"
# grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
#fi
#
#rmdir "${KEYDIR}" 2>/dev/null || true
#
#if systemctl is-active --quiet opendkim; then
# systemctl reload opendkim || true
#fi
#
#echo "OK"
#EOSH
#chown root:root /usr/local/sbin/mailwolt-remove-dkim
#chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
#
## --- 3) Sudoers-Regel für App-User (z. B. mailwolt) ----------
#APP_USER="${APP_USER:-mailwolt}"
#cat > /etc/sudoers.d/mailwolt-dkim <<EOF
#Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
#Defaults! /usr/local/sbin/mailwolt-remove-dkim !requiretty
#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
#EOF
#chmod 440 /etc/sudoers.d/mailwolt-dkim
#
## ── systemd Drop-in: /run/opendkim sicherstellen ─────────────────────────────
#install -d -m 0755 /etc/systemd/system/opendkim.service.d
#cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
#[Service]
#RuntimeDirectory=opendkim
#RuntimeDirectoryMode=0755
#EOF
#
## Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer)
#install -d -o opendkim -g opendkim -m 0755 /run/opendkim
#
## ── Root-Helper: DKIM-Keys später aus der App installieren ───────────────────
#install -d -m 0750 /usr/local/sbin
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
##!/usr/bin/env bash
#set -euo pipefail
#DOMAIN="$1"
#SELECTOR="$2"
#TMP_PRIV="$3"
#TMP_PUBTXT="${4:-}"
#
#OKDIR="/etc/opendkim"
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
#
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
#
#kt="${OKDIR}/KeyTable"
#st="${OKDIR}/SigningTable"
#touch "$kt" "$st"
#chown opendkim:opendkim "$kt" "$st"
#chmod 0640 "$kt" "$st"
#
#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
#
#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
#
#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
# install -d -m 0755 /etc/mailwolt/dns
# cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
#fi
#
## Dienst läuft evtl. schon reload reicht
#if systemctl is-active --quiet opendkim; then
# systemctl reload opendkim || true
#fi
#echo "OK"
#EOSH
#chown root:root /usr/local/sbin/mailwolt-install-dkim
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
#
## ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ──
#systemctl daemon-reload
#systemctl enable --now opendkim || true
#
#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
#systemctl reload postfix || true
#
#log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)."
#
##!/usr/bin/env bash
#set -euo pipefail #set -euo pipefail
#source ./lib.sh #source ./lib.sh
# #