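#!/usr/bin/env bash
# mailwolt installer step: Rspamd (spam filter, milter on 11332) + OpenDKIM
# (signing milter on 8891).
#
# Optional input: /etc/mailwolt/installer.env, honouring
#   BASE_DOMAIN, SYSMAIL_DOMAIN, DKIM_ENABLE, DKIM_SELECTOR, DKIM_GENERATE,
#   RSPAMD_CONTROLLER_PASSWORD, APP_USER
#
# Besides the daemon configuration this installs two root helpers
# (/usr/local/sbin/mailwolt-install-dkim, /usr/local/sbin/mailwolt-remove-dkim)
# and a sudoers rule that lets APP_USER run them. Their arguments therefore
# cross a privilege boundary and are validated before they touch any path or
# table line.
set -euo pipefail
source ./lib.sh

log "Rspamd + OpenDKIM einrichten …"

abort() { printf '[!] %s\n' "$*" >&2; exit 1; }

# Hostname-shaped value: dot-separated labels of [A-Za-z0-9-], no leading or
# trailing '-', no empty labels, at most 253 chars. This excludes '/', '..',
# whitespace and newlines, which would otherwise reach filesystem paths and
# KeyTable/SigningTable lines.
is_dns_name() {
  local n="$1"
  local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
  (( ${#n} <= 253 )) && [[ "$n" =~ $re ]]
}

# ──────────────────────────────────────────────────────────────
# Load installer environment
# ──────────────────────────────────────────────────────────────
INSTALLER_ENV="/etc/mailwolt/installer.env"
if [[ -r "${INSTALLER_ENV}" ]]; then
  # The file is sourced (executed) as root: anyone who can write it runs
  # code here. Warn rather than refuse, in case the app legitimately owns it.
  if [[ -n "$(find "${INSTALLER_ENV}" -maxdepth 0 \( ! -user root -o -perm /022 \) -print 2>/dev/null)" ]]; then
    echo "[!] ${INSTALLER_ENV} ist nicht ausschließlich von root beschreibbar – wird trotzdem geladen." >&2
  fi
  set +u
  # shellcheck disable=SC1090
  . "${INSTALLER_ENV}"
  set -u
fi

BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"  # e.g. sysmail.example.com
DKIM_ENABLE="${DKIM_ENABLE:-1}"                            # 1 = configure OpenDKIM
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"                     # DNS selector, e.g. mwl1
DKIM_GENERATE="${DKIM_GENERATE:-0}"                        # 1 = generate a key if none exists
RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
APP_USER="${APP_USER:-mailwolt}"                           # unprivileged user allowed to run the helpers

is_dns_name "${SYSMAIL_DOMAIN}" || abort "Ungültige SYSMAIL_DOMAIN: ${SYSMAIL_DOMAIN}"
is_dns_name "${DKIM_SELECTOR}"  || abort "Ungültiger DKIM_SELECTOR: ${DKIM_SELECTOR}"

# ──────────────────────────────────────────────────────────────
# Rspamd (controller + milter)
# ──────────────────────────────────────────────────────────────
install -d -m 0755 /etc/rspamd/local.d

if [[ "${RSPAMD_CONTROLLER_PASSWORD}" == "admin" ]]; then
  echo "[!] RSPAMD_CONTROLLER_PASSWORD ist der Standardwert 'admin' – bitte in ${INSTALLER_ENV} setzen." >&2
fi

if command -v rspamadm >/dev/null 2>&1; then
  # rspamadm pw prints a salted hash for the controller's password options.
  # (The password is passed on argv; it is briefly visible in the process list.)
  RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
else
  # rspamd also accepts a plaintext password here; only reached when rspamadm
  # is missing, i.e. rspamd itself is probably not installed yet.
  echo "[!] rspamadm nicht gefunden – Controller-Passwort wird im Klartext abgelegt." >&2
  RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
fi

# NOTE(review): the body of this include was lost in the copy of this file
# that was reviewed; password + enable_password is the minimum it must
# contain. Confirm the remaining options (bind_socket etc.) against upstream.
{
  printf 'password = "%s";\n' "${RSPAMD_HASH}"
  printf 'enable_password = "%s";\n' "${RSPAMD_HASH}"
} >/etc/rspamd/local.d/worker-controller.inc

# Postfix speaks the milter protocol to 11332. In rspamd that port belongs to
# the proxy worker (milter = yes); the normal worker only speaks rspamd's own
# protocol. An earlier revision bound the normal worker to 11332 instead, so a
# leftover single-line override from that revision is retired here.
# The shipped worker-proxy.inc already carries the self_scan upstream; only
# the bind address is pinned to loopback.
if [[ -f /etc/rspamd/local.d/worker-normal.inc ]] \
   && [[ "$(cat /etc/rspamd/local.d/worker-normal.inc)" == 'bind_socket = "127.0.0.1:11332";' ]]; then
  rm -f /etc/rspamd/local.d/worker-normal.inc
fi
cat >/etc/rspamd/local.d/worker-proxy.inc <<'CONF'
bind_socket = "127.0.0.1:11332";
milter = yes;
CONF

# Add Authentication-Results so downstream tools (and debugging) can see verdicts.
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
use = ["authentication-results"];
header = "Authentication-Results";
CONF

systemctl enable --now rspamd || true

# ──────────────────────────────────────────────────────────────
# OpenDKIM – only when DKIM_ENABLE=1
# ──────────────────────────────────────────────────────────────
if [[ "${DKIM_ENABLE}" != "1" ]]; then
  log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
  /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
  /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
  systemctl reload postfix || true
  exit 0
fi

install -d -m 0755 /etc/opendkim
install -d -m 0750 /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod 750 /etc/opendkim/keys

# Only loopback counts as internal: only locally injected mail gets signed.
cat >/etc/opendkim/TrustedHosts <<'CONF'
127.0.0.1
::1
localhost
CONF
chown opendkim:opendkim /etc/opendkim/TrustedHosts
chmod 640 /etc/opendkim/TrustedHosts

# ── Key directory for SYSMAIL_DOMAIN ───────────────────────────────────────
KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"   # TXT record written by opendkim-genkey
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"

# ── Optionally generate a key (only when requested and missing) ────────────
if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
  if command -v opendkim-genkey >/dev/null 2>&1; then
    opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
    chown opendkim:opendkim "${KEY_PRIV}" || true
    chmod 600 "${KEY_PRIV}" || true
  else
    echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
  fi
fi

# ── Key-/SigningTable: create, never truncate (other domains live here too) ──
touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable

# Register the system mail domain only with a real key and a real domain
# (example.com is the placeholder default).
if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
  LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
  LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
  grep -Fqx -- "$LINE_KT" /etc/opendkim/KeyTable     || printf '%s\n' "$LINE_KT" >>/etc/opendkim/KeyTable
  grep -Fqx -- "$LINE_ST" /etc/opendkim/SigningTable || printf '%s\n' "$LINE_ST" >>/etc/opendkim/SigningTable
else
  echo "[i] Kein Private Key unter ${KEY_PRIV} – App-Helper trägt später ein."
fi

# ── Main configuration ─────────────────────────────────────────────────────
# Mode sv: sign (InternalHosts) and verify. Verification failures are
# accepted here on purpose; the DMARC/spam decision is left to Rspamd.
cat >/etc/opendkim.conf <<'CONF'
Syslog yes
UMask 002
Mode sv
Socket inet:8891@127.0.0.1
PidFile /run/opendkim/opendkim.pid
Canonicalization relaxed/simple

On-BadSignature accept
On-Default accept
On-KeyNotFound accept
On-NoSignature accept

LogWhy yes
OversignHeaders From

KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts

UserID opendkim:opendkim
AutoRestart yes
AutoRestartRate 10/1h
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
CONF

# ── systemd drop-in: make sure /run/opendkim exists for the PID file ────────
install -d -m 0755 /etc/systemd/system/opendkim.service.d
cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
[Service]
RuntimeDirectory=opendkim
RuntimeDirectoryMode=0755
EOF
# Create it right away so a start during this installer run works too.
install -d -o opendkim -g opendkim -m 0755 /run/opendkim

# ──────────────────────────────────────────────────────────────
# Root helpers: install / remove a DKIM key, plus the sudoers rule
# ──────────────────────────────────────────────────────────────
# Keep the system directory at its conventional 0755: the helpers themselves
# are 0750 root:root, and GNU `install -d -m` re-applies the mode to an
# existing directory, so 0750 here would lock other users out of everything
# in /usr/local/sbin.
install -d -m 0755 /usr/local/sbin

# --- 1) mailwolt-install-dkim ----------------------------------
cat >/usr/local/sbin/mailwolt-install-dkim <<'EOSH'
#!/usr/bin/env bash
# mailwolt-install-dkim DOMAIN SELECTOR PRIVATE_KEY_FILE [DNS_TXT_FILE]
#
# Runs as root (via sudo from the application user). Copies a PEM private
# key to /etc/opendkim/keys/DOMAIN/SELECTOR.private, adds the KeyTable and
# SigningTable entries, optionally stores the DNS TXT record under
# /etc/mailwolt/dns and reloads OpenDKIM when it is running.
#
# Every argument comes from an unprivileged caller. DOMAIN and SELECTOR are
# used to build paths and table lines, and the two file arguments are read by
# root, so all of them are checked before use.
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Hostname-shaped value: dot-separated labels of [A-Za-z0-9-], no leading or
# trailing '-', no empty labels, at most 253 chars. Rejects '/', '..', spaces
# and newlines.
is_dns_name() {
  local n="$1"
  local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
  (( ${#n} <= 253 )) && [[ "$n" =~ $re ]]
}

# A file handed in by the caller must be an absolute path to a plain,
# non-empty file (no symlink, so a link to a root-only file cannot be copied
# through this helper) owned by the invoking user: SUDO_UID under sudo, root
# when run directly.
check_source_file() {
  local f="$1" owner
  [[ "$f" == /* ]] || die "Pfad muss absolut sein: $f"
  [[ ! -L "$f" && -f "$f" && -s "$f" ]] || die "keine reguläre, nicht-leere Datei: $f"
  owner="$(stat -c %u -- "$f")"
  [[ "$owner" == "${SUDO_UID:-0}" ]] || die "Datei gehört nicht dem aufrufenden Benutzer: $f"
}

(( $# >= 3 && $# <= 4 )) || die "usage: $0 DOMAIN SELECTOR PRIVATE_KEY_FILE [DNS_TXT_FILE]"
DOMAIN="$1"
SELECTOR="$2"
SRC_PRIV="$3"
SRC_TXT="${4:-}"

is_dns_name "${DOMAIN}"   || die "ungültige Domain: ${DOMAIN}"
is_dns_name "${SELECTOR}" || die "ungültiger Selector: ${SELECTOR}"
check_source_file "${SRC_PRIV}"
# Cheap sanity check: the file should at least start like a PEM private key.
head -n1 "${SRC_PRIV}" | grep -Eq '^-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----$' \
  || die "keine PEM-Private-Key-Datei: ${SRC_PRIV}"

OKDIR="/etc/opendkim"
KEYDIR="${OKDIR}/keys/${DOMAIN}"
KEYPRI="${KEYDIR}/${SELECTOR}.private"
KT="${OKDIR}/KeyTable"
ST="${OKDIR}/SigningTable"

install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"

touch "$KT" "$ST"
chown opendkim:opendkim "$KT" "$ST"
chmod 0640 "$KT" "$ST"

LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
grep -Fqx -- "$LINE_KT" "$KT" || printf '%s\n' "$LINE_KT" >>"$KT"
grep -Fqx -- "$LINE_ST" "$ST" || printf '%s\n' "$LINE_ST" >>"$ST"

# The TXT copy is world-readable afterwards, hence the same ownership check
# as for the key: root must not copy arbitrary files there on request.
if [[ -n "${SRC_TXT}" ]]; then
  if [[ -s "${SRC_TXT}" ]]; then
    check_source_file "${SRC_TXT}"
    install -d -m 0755 /etc/mailwolt/dns
    install -m 0644 -o root -g root "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
  else
    printf 'WARN: DNS-TXT-Datei fehlt oder ist leer, übersprungen: %s\n' "${SRC_TXT}" >&2
  fi
fi

# Best effort: the key is in place even if the reload fails; say so instead
# of hiding it.
if systemctl is-active --quiet opendkim; then
  systemctl reload opendkim || printf 'WARN: OpenDKIM-Reload fehlgeschlagen\n' >&2
fi
echo "OK"
EOSH
chmod 0750 /usr/local/sbin/mailwolt-install-dkim
chown root:root /usr/local/sbin/mailwolt-install-dkim

# --- 2) mailwolt-remove-dkim -----------------------------------
cat >/usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
#!/usr/bin/env bash
# mailwolt-remove-dkim DOMAIN SELECTOR
#
# Runs as root (via sudo from the application user). Deletes
# /etc/opendkim/keys/DOMAIN/SELECTOR.private, drops the matching KeyTable and
# SigningTable entries and reloads OpenDKIM when it is running. Both
# arguments come from an unprivileged caller and are validated before they
# are used in a path.
set -euo pipefail

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Same rule as in mailwolt-install-dkim.
is_dns_name() {
  local n="$1"
  local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
  (( ${#n} <= 253 )) && [[ "$n" =~ $re ]]
}

# Remove the lines of TABLE whose first field equals KEY (and whose second
# field equals VALUE when one is given). Whole-field comparison instead of a
# substring match, so an entry for one domain cannot take a similarly named
# one with it. The temp file lives next to the table so the final mv is an
# atomic rename on the same filesystem; an empty result is a valid outcome
# (last entry removed), not an error.
filter_table() {
  local table="$1" key="$2" value="${3:-}" tmp
  [[ -f "$table" ]] || return 0
  tmp="$(mktemp "${table}.XXXXXX")"
  if ! awk -v k="$key" -v v="$value" '!($1 == k && (v == "" || $2 == v))' "$table" >"$tmp"; then
    rm -f -- "$tmp"
    die "Tabelle konnte nicht verarbeitet werden: $table"
  fi
  chown opendkim:opendkim "$tmp"
  chmod 0640 "$tmp"
  mv -f -- "$tmp" "$table"
}

(( $# == 2 )) || die "usage: $0 DOMAIN SELECTOR"
DOMAIN="$1"     # e.g. kunden.tld or sysmail.example.com
SELECTOR="$2"   # e.g. mwl1

is_dns_name "${DOMAIN}"   || die "ungültige Domain: ${DOMAIN}"
is_dns_name "${SELECTOR}" || die "ungültiger Selector: ${SELECTOR}"

OKDIR="/etc/opendkim"
KEYDIR="${OKDIR}/keys/${DOMAIN}"
KEYPRI="${KEYDIR}/${SELECTOR}.private"
KT="${OKDIR}/KeyTable"
ST="${OKDIR}/SigningTable"

# Delete the key file (plain files only; never follow a planted symlink).
if [[ -f "${KEYPRI}" && ! -L "${KEYPRI}" ]]; then
  rm -f -- "${KEYPRI}"
fi

filter_table "$KT" "${SELECTOR}._domainkey.${DOMAIN}"
filter_table "$ST" "*@${DOMAIN}" "${SELECTOR}._domainkey.${DOMAIN}"

# Drop the per-domain directory if nothing else is left in it.
rmdir "${KEYDIR}" 2>/dev/null || true

if systemctl is-active --quiet opendkim; then
  systemctl reload opendkim || printf 'WARN: OpenDKIM-Reload fehlgeschlagen\n' >&2
fi
echo "OK"
EOSH
chown root:root /usr/local/sbin/mailwolt-remove-dkim
chmod 0750 /usr/local/sbin/mailwolt-remove-dkim

# --- 3) sudoers rule for both helpers --------------------------
# NOTE(review): the rule body was lost in the copy of this file that was
# reviewed. This is the narrowest rule consistent with the helpers being
# 0750 root:root (APP_USER cannot run them any other way); confirm against
# upstream. The rule is written to a temp file and checked with visudo
# before it is installed, so a bad rule can never break sudo.
[[ "${APP_USER}" =~ ^[a-z_][a-z0-9_-]*$ ]] || abort "Ungültiger APP_USER: ${APP_USER}"
install -d -m 0750 /etc/sudoers.d
# Names containing '.' are ignored by sudo, so the temp file is inert until renamed.
SUDOERS_TMP="$(mktemp /etc/sudoers.d/.mailwolt-dkim.XXXXXX)"
printf '%s ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim, /usr/local/sbin/mailwolt-remove-dkim\n' \
  "${APP_USER}" >"${SUDOERS_TMP}"
chmod 0440 "${SUDOERS_TMP}"
if visudo -cf "${SUDOERS_TMP}" >/dev/null; then
  mv -f -- "${SUDOERS_TMP}" /etc/sudoers.d/mailwolt-dkim
else
  rm -f -- "${SUDOERS_TMP}"
  abort "sudoers-Regel für ${APP_USER} ist ungültig – nicht installiert."
fi

# ──────────────────────────────────────────────────────────────
# Activate OpenDKIM and attach Postfix to both milters
# ──────────────────────────────────────────────────────────────
# NOTE(review): this tail was also lost in the reviewed copy; it mirrors the
# previous revision retained below (Rspamd on 11332 first, OpenDKIM on 8891)
# and the DKIM_ENABLE=0 branch above, which wires Rspamd alone.
systemctl daemon-reload
systemctl enable --now opendkim || true
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
systemctl reload postfix || true

log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM signiert, sobald Keys vorhanden sind)."
if [[ -s "${KEY_DNSTXT}" ]]; then
  log "DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})"
fi

# ─────────────────────────────────────────────────────────────────────────────
# Earlier revisions of this step were left below, commented out, by the
# author. They are retained verbatim (the fragment that begins here continues
# on the following lines of this file) and are never executed.
# ─────────────────────────────────────────────────────────────────────────────
#if command -v rspamadm >/dev/null 2>&1; then
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
#else
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
#fi
#
#cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF'
#bind_socket = "127.0.0.1:11332";
#CONF
#
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
#use = ["authentication-results"];
#header = "Authentication-Results";
#CONF
#
#systemctl enable --now rspamd || true
#
## ──────────────────────────────────────────────────────────────
## OpenDKIM – nur wenn DKIM_ENABLE=1
## ──────────────────────────────────────────────────────────────
#if [[ "${DKIM_ENABLE}" != "1" ]]; then
# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."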
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # systemctl reload postfix || true # exit 0 #fi # #install -d -m 0755 /etc/opendkim #install -d -m 0750 /etc/opendkim/keys #chown -R opendkim:opendkim /etc/opendkim #chmod 750 /etc/opendkim/keys # ## TrustedHosts #cat >/etc/opendkim/TrustedHosts <<'CONF' #127.0.0.1 #::1 #localhost #CONF #chown opendkim:opendkim /etc/opendkim/TrustedHosts #chmod 640 /etc/opendkim/TrustedHosts # ## ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ─────────────────────────── #KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}" #KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" #KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" #install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" # ## ── Key optional generieren (damit sofort signiert werden kann) ────────────── #if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then # if command -v opendkim-genkey >/dev/null 2>&1; then # opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" # chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true # chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true # else # echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren." 
# fi #fi # ## ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ─────────────────── #touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable #chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable #chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable # ## Nur eintragen, wenn ein Private Key existiert (sonst übernimmt später der Helper) #if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then # LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" # LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" # grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable # grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable #else # echo "[i] Kein Private Key unter ${KEY_PRIV} – Tabellen bleiben ohne SYSMAIL-Eintrag (App/Helper trägt später ein)." #fi ##: > /etc/opendkim/KeyTable ##: > /etc/opendkim/SigningTable ##chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable ##chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable ## ### Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter) ##if [[ "${BASE_DOMAIN}" != "example.com" ]]; then ## echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \ ## >> /etc/opendkim/KeyTable ## echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \ ## >> /etc/opendkim/SigningTable ##fi # ## ── Hauptkonfiguration ─────────────────────────────────────────────────────── #cat >/etc/opendkim.conf <<'CONF' #Syslog yes #UMask 002 #Mode sv #Socket inet:8891@127.0.0.1 #PidFile /run/opendkim/opendkim.pid #Canonicalization relaxed/simple # #On-BadSignature accept #On-Default accept #On-KeyNotFound accept #On-NoSignature accept # #LogWhy yes #OversignHeaders From # #KeyTable /etc/opendkim/KeyTable #SigningTable refile:/etc/opendkim/SigningTable #ExternalIgnoreList 
/etc/opendkim/TrustedHosts #InternalHosts /etc/opendkim/TrustedHosts # #UserID opendkim:opendkim #AutoRestart yes #AutoRestartRate 10/1h #Background yes #DNSTimeout 5 #SignatureAlgorithm rsa-sha256 #CONF # # ## ────────────────────────────────────────────────────────────── ## Root-Helper: DKIM installieren / entfernen ## ────────────────────────────────────────────────────────────── #install -d -m 0750 /usr/local/sbin # ## --- 1) mailwolt-install-dkim --------------------------------- #cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' ##!/usr/bin/env bash #set -euo pipefail # #DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com #SELECTOR="$2" # z.B. mwl1 #SRC_PRIV="$3" # absoluter Pfad zum Private-Key #SRC_TXT="${4:-}" # optional: TXT-Datei mit 'v=DKIM1; k=rsa; p=...' # #OKDIR="/etc/opendkim" #KEYDIR="${OKDIR}/keys/${DOMAIN}" #KEYPRI="${KEYDIR}/${SELECTOR}.private" # #install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" #install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}" # #KT="${OKDIR}/KeyTable" #ST="${OKDIR}/SigningTable" #touch "$KT" "$ST" #chown opendkim:opendkim "$KT" "$ST" #chmod 0640 "$KT" "$ST" # #LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" #LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" # #grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT" #grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST" # #if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then # install -d -m 0755 /etc/mailwolt/dns # cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" #fi # #if systemctl is-active --quiet opendkim; then # systemctl reload opendkim || true #fi # #echo "OK" #EOSH #chown root:root /usr/local/sbin/mailwolt-install-dkim #chmod 0750 /usr/local/sbin/mailwolt-install-dkim # ## --- 2) mailwolt-remove-dkim ---------------------------------- #cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH' ##!/usr/bin/env bash #set -euo pipefail # #DOMAIN="$1" #SELECTOR="$2" # #OKDIR="/etc/opendkim" 
#KEYDIR="${OKDIR}/keys/${DOMAIN}" #KEYPRI="${KEYDIR}/${SELECTOR}.private" #KT="${OKDIR}/KeyTable" #ST="${OKDIR}/SigningTable" # ## Key-Datei löschen, wenn vorhanden #[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}" # ## Tabellenzeilen entfernen #if [[ -f "$KT" ]]; then # TMP="$(mktemp)" # grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" > "$TMP" && mv "$TMP" "$KT" #fi #if [[ -f "$ST" ]]; then # TMP="$(mktemp)" # grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST" #fi # #rmdir "${KEYDIR}" 2>/dev/null || true # #if systemctl is-active --quiet opendkim; then # systemctl reload opendkim || true #fi # #echo "OK" #EOSH #chown root:root /usr/local/sbin/mailwolt-remove-dkim #chmod 0750 /usr/local/sbin/mailwolt-remove-dkim # ## --- 3) Sudoers-Regel für App-User (z. B. mailwolt) ---------- #APP_USER="${APP_USER:-mailwolt}" #cat > /etc/sudoers.d/mailwolt-dkim </etc/systemd/system/opendkim.service.d/override.conf <<'EOF' #[Service] #RuntimeDirectory=opendkim #RuntimeDirectoryMode=0755 #EOF # ## Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer) #install -d -o opendkim -g opendkim -m 0755 /run/opendkim # ## ── Root-Helper: DKIM-Keys später aus der App installieren ─────────────────── #install -d -m 0750 /usr/local/sbin #cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' ##!/usr/bin/env bash #set -euo pipefail #DOMAIN="$1" #SELECTOR="$2" #TMP_PRIV="$3" #TMP_PUBTXT="${4:-}" # #OKDIR="/etc/opendkim" #KEYDIR="${OKDIR}/keys/${DOMAIN}" #KEYPRI="${KEYDIR}/${SELECTOR}.private" # #install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" #install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" # #kt="${OKDIR}/KeyTable" #st="${OKDIR}/SigningTable" #touch "$kt" "$st" #chown opendkim:opendkim "$kt" "$st" #chmod 0640 "$kt" "$st" # #line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" #grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" # #line_st="*@${DOMAIN} 
${SELECTOR}._domainkey.${DOMAIN}" #grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" # #if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then # install -d -m 0755 /etc/mailwolt/dns # cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" #fi # ## Dienst läuft evtl. schon – reload reicht #if systemctl is-active --quiet opendkim; then # systemctl reload opendkim || true #fi #echo "OK" #EOSH #chown root:root /usr/local/sbin/mailwolt-install-dkim #chmod 0750 /usr/local/sbin/mailwolt-install-dkim # ## ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ── #systemctl daemon-reload #systemctl enable --now opendkim || true # #/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" #/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" #systemctl reload postfix || true # #log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)." # ##!/usr/bin/env bash #set -euo pipefail #source ./lib.sh # #log "Rspamd + OpenDKIM einrichten …" # ## ────────────────────────────────────────────────────────────── ## ENV laden ## ────────────────────────────────────────────────────────────── #set +u #[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env #set -u # #BASE_DOMAIN="${BASE_DOMAIN:-example.com}" #SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com #DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv #DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. 
mwl1 #DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt #RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" # ## ────────────────────────────────────────────────────────────── ## Rspamd (Controller + Milter) ## ────────────────────────────────────────────────────────────── #install -d -m 0755 /etc/rspamd/local.d # #if command -v rspamadm >/dev/null 2>&1; then # RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" #else # RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" #fi # #cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' #bind_socket = "127.0.0.1:11332"; #CONF # #cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' #use = ["authentication-results"]; #header = "Authentication-Results"; #CONF # #systemctl enable --now rspamd || true # ## ────────────────────────────────────────────────────────────── ## OpenDKIM – nur wenn DKIM_ENABLE=1 ## ────────────────────────────────────────────────────────────── #if [[ "${DKIM_ENABLE}" != "1" ]]; then # log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen." # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # systemctl reload postfix || true # exit 0 #fi # #install -d -m 0755 /etc/opendkim #install -d -m 0750 /etc/opendkim/keys #chown -R opendkim:opendkim /etc/opendkim #chmod 750 /etc/opendkim/keys # ## TrustedHosts #cat >/etc/opendkim/TrustedHosts <<'CONF' #127.0.0.1 #::1 #localhost #CONF #chown opendkim:opendkim /etc/opendkim/TrustedHosts #chmod 640 /etc/opendkim/TrustedHosts # #KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}" #KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" #KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" # #install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" # ## Falls kein Key da: optional generieren (auf SYSMAIL_DOMAIN) #if [[ ! 
-s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then # if command -v opendkim-genkey >/dev/null 2>&1; then # opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" # chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true # chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true # else # echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren." # fi #fi # ## Tabellen schreiben (zeigen auf SYSMAIL_DOMAIN) #cat >/etc/opendkim/KeyTable </etc/opendkim/SigningTable </etc/opendkim.conf <<'CONF' #Syslog yes #UMask 002 #Mode sv #Socket inet:8891@127.0.0.1 #PidFile /run/opendkim/opendkim.pid #Canonicalization relaxed/simple # #On-BadSignature accept #On-Default accept #On-KeyNotFound accept #On-NoSignature accept # #LogWhy yes #OversignHeaders From # #KeyTable /etc/opendkim/KeyTable #SigningTable refile:/etc/opendkim/SigningTable #ExternalIgnoreList /etc/opendkim/TrustedHosts #InternalHosts /etc/opendkim/TrustedHosts # #UserID opendkim:opendkim #AutoRestart yes #AutoRestartRate 10/1h #Background yes #DNSTimeout 5 #SignatureAlgorithm rsa-sha256 #CONF # # ## ────────────────────────────────────────────────────────────── ## systemd Drop-in: sorgt dafür, dass /run/opendkim existiert ## ────────────────────────────────────────────────────────────── #install -d -m 0755 /etc/systemd/system/opendkim.service.d #cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF' #[Service] #RuntimeDirectory=opendkim #RuntimeDirectoryMode=0755 #EOF # ## Laufzeitverzeichnis sofort anlegen (damit der Start im Installer klappt) #install -d -o opendkim -g opendkim -m 0755 /run/opendkim # ## Root-Helper zum nachträglichen Installieren von DKIM-Keys (aus der App) #install -d -m 0750 /usr/local/sbin #cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' ##!/usr/bin/env bash #set -euo pipefail # #DOMAIN="$1" # z.B. sysmail.example.com ODER kunden.tld #SELECTOR="$2" # z.B. 
dkim / mwl1 #TMP_PRIV="$3" # private PEM (von App) #TMP_PUBTXT="${4:-}" # optional: fertiger TXT-String-Dateipfad # #OKDIR="/etc/opendkim" #KEYDIR="${OKDIR}/keys/${DOMAIN}" #KEYPRI="${KEYDIR}/${SELECTOR}.private" # #install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" #install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" # #kt="${OKDIR}/KeyTable" #st="${OKDIR}/SigningTable" #touch "$kt" "$st" #chown opendkim:opendkim "$kt" "$st" #chmod 0640 "$kt" "$st" # #line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" #grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" # #line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" #grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" # #if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then # install -d -m 0755 /etc/mailwolt/dns # cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" #fi # #if systemctl is-active --quiet opendkim; then # systemctl reload opendkim || true #fi # #echo "OK" #EOSH #chown root:root /usr/local/sbin/mailwolt-install-dkim #chmod 0750 /usr/local/sbin/mailwolt-install-dkim # #KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}" #KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" #KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" # # if [[ -s "${KEY_PRIV}" ]]; then # systemctl enable opendkim >/dev/null 2>&1 || true # if systemctl is-active --quiet opendkim; then # systemctl reload opendkim || true # fi # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # #systemctl reload postfix || true # else # echo "[i] Noch kein Private Key unter ${KEY_PRIV} – OpenDKIM bleibt aus." 
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # #systemctl reload postfix || true # fi # OpenDKIM nur starten, wenn Key vorhanden – sonst nur Rspamd aktiv lassen #if [[ -s "${KEY_PRIV}" ]]; then # systemctl enable --now opendkim || true # systemctl restart opendkim || true # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # systemctl reload postfix || true # # install -d -m 0755 /etc/mailwolt/dns # [[ -s "${KEY_DNSTXT}" ]] && cp -f "${KEY_DNSTXT}" "/etc/mailwolt/dns/dkim-${SYSMAIL_DOMAIN}.txt" || true # # echo "[✓] OpenDKIM aktiv für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR})" # echo " DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})" #else # echo "[i] Noch kein Private Key unter ${KEY_PRIV} – OpenDKIM bleibt aus." # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # systemctl reload postfix || true #fi ##!/usr/bin/env bash #set -euo pipefail #source ./lib.sh # #log "Rspamd + OpenDKIM einrichten …" # ## ────────────────────────────────────────────────────────────── ## ENV laden ## ────────────────────────────────────────────────────────────── #set +u #[ -r /etc/mailwolt/installer.env ] && . 
/etc/mailwolt/installer.env #set -u # #BASE_DOMAIN="${BASE_DOMAIN:-example.com}" #SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" #DKIM_ENABLE="${DKIM_ENABLE:-1}" #DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" #DKIM_GENERATE="${DKIM_GENERATE:-1}" #RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" # ## ────────────────────────────────────────────────────────────── ## Rspamd ## ────────────────────────────────────────────────────────────── #install -d -m 0755 /etc/rspamd/local.d # #if command -v rspamadm >/dev/null 2>&1; then # RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" #else # RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" #fi # #cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' #bind_socket = "127.0.0.1:11332"; #CONF # #cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' #use = ["authentication-results"]; #header = "Authentication-Results"; #CONF # #systemctl enable --now rspamd || true # ## ────────────────────────────────────────────────────────────── ## OpenDKIM – nur wenn DKIM_ENABLE=1 ## ────────────────────────────────────────────────────────────── #if [[ "${DKIM_ENABLE}" != "1" ]]; then # log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen." 
# # Stelle sicher, dass Postfix nur Rspamd nutzt: # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # systemctl reload postfix || true # exit 0 #fi # #install -d -m 0755 /etc/opendkim #install -d -m 0750 /etc/opendkim/keys #chown -R opendkim:opendkim /etc/opendkim #chmod 750 /etc/opendkim/keys # ## TrustedHosts #cat >/etc/opendkim/TrustedHosts <<'CONF' #127.0.0.1 #::1 #localhost #CONF #chown opendkim:opendkim /etc/opendkim/TrustedHosts #chmod 640 /etc/opendkim/TrustedHosts # #KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}" #KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" #KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt" # #install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" # ## Key erzeugen, wenn gewünscht/fehlend #if [[ ! -s "${KEY_PRIV}" ]]; then # if [[ "${DKIM_GENERATE}" = "1" ]]; then # if command -v opendkim-genkey >/dev/null 2>&1; then # opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}" # chown opendkim:opendkim "${KEY_PRIV}" || true # chmod 600 "${KEY_PRIV}" || true # else # echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren." 
# fi # fi #fi # ## Tabellen schreiben (zeigen auf SYSMAIL_DOMAIN) #cat >/etc/opendkim/KeyTable </etc/opendkim/SigningTable </etc/opendkim.conf <<'CONF' #Syslog yes #UMask 002 #Mode sv #Socket inet:8891@127.0.0.1 #Canonicalization relaxed/simple # #On-BadSignature accept #On-Default accept #On-KeyNotFound accept #On-NoSignature accept # #LogWhy yes #OversignHeaders From # #KeyTable /etc/opendkim/KeyTable #SigningTable refile:/etc/opendkim/SigningTable #ExternalIgnoreList /etc/opendkim/TrustedHosts #InternalHosts /etc/opendkim/TrustedHosts # #UserID opendkim:opendkim #AutoRestart yes #AutoRestartRate 10/1h #Background yes #DNSTimeout 5 #SignatureAlgorithm rsa-sha256 #CONF # ## --- Root-Helper zum Einhängen von DKIM-Keys in OpenDKIM --- #install -d -m 0750 /usr/local/sbin #cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH' ##!/usr/bin/env bash #set -euo pipefail # #DOMAIN="$1" # z.B. thinkidoo.at #SELECTOR="$2" # z.B. dkim / mwl1 #TMP_PRIV="$3" # Pfad: Private-Key PEM (von der App erzeugt) #TMP_PUBTXT="${4:-}" # optional: Datei mit fertigem DNS-TXT # #OKDIR="/etc/opendkim" #KEYDIR="${OKDIR}/keys/${DOMAIN}" #KEYPRI="${KEYDIR}/${SELECTOR}.private" # #install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}" #install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}" # #kt="${OKDIR}/KeyTable" #st="${OKDIR}/SigningTable" #touch "$kt" "$st" #chown opendkim:opendkim "$kt" "$st" #chmod 0640 "$kt" "$st" # #line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}" #grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt" # #line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" #grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st" # #if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then # install -d -m 0755 /etc/mailwolt/dns # cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt" #fi # #systemctl restart opendkim #echo "OK" #EOSH #chown root:root /usr/local/sbin/mailwolt-install-dkim #chmod 0750 /usr/local/sbin/mailwolt-install-dkim # ## Nur 
starten, wenn der Private Key existiert #if [[ -s "${KEY_PRIV}" ]]; then # systemctl enable --now opendkim || true # systemctl restart opendkim || true # # # Postfix an beide Milters hängen # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" # systemctl reload postfix || true # # # DNS-Export ablegen (für UI/Hinweis) # install -d -m 0755 /etc/mailwolt/dns # [[ -s "${KEY_DNSTXT}" ]] && cp -f "${KEY_DNSTXT}" "/etc/mailwolt/dns/dkim-${SYSMAIL_DOMAIN}.txt" || true # # echo "[✓] OpenDKIM aktiv für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR})" # echo " DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})" #else # echo "[!] Kein Private Key: ${KEY_PRIV}" # echo " - Setze DKIM_GENERATE=1 ODER lege Key-Datei manuell ab (opendkim:opendkim, 600)." # echo " - Postfix bleibt bis dahin nur mit Rspamd-Milter verbunden." # /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332" # /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332" # systemctl reload postfix || true #fi ##!/usr/bin/env bash #set -euo pipefail #source ./lib.sh # #log "Rspamd + OpenDKIM vorbereiten …" # ## ────────────────────────────────────────────────────────────────────────────── ## Variablen / Defaults ## ────────────────────────────────────────────────────────────────────────────── #set +u #[ -r /etc/mailwolt/installer.env ] && . 
/etc/mailwolt/installer.env #set -u # #BASE_DOMAIN="${BASE_DOMAIN:-example.com}" #DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" #RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" # ## ────────────────────────────────────────────────────────────────────────────── ## Rspamd ## ────────────────────────────────────────────────────────────────────────────── #install -d -m 0755 /etc/rspamd/local.d # #if command -v rspamadm >/dev/null 2>&1; then # RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" #else # RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" #fi # #cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' #bind_socket = "127.0.0.1:11332"; #CONF # #cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' #use = ["authentication-results"]; #header = "Authentication-Results"; #CONF # #systemctl enable --now rspamd || true # ## ────────────────────────────────────────────────────────────────────────────── ## OpenDKIM – nur vorbereiten, nicht starten ## ────────────────────────────────────────────────────────────────────────────── #install -d -m 0755 /etc/opendkim #install -d -m 0750 /etc/opendkim/keys #chown -R opendkim:opendkim /etc/opendkim #chmod 750 /etc/opendkim/keys # #cat >/etc/opendkim/TrustedHosts <<'CONF' #127.0.0.1 #::1 #localhost #CONF #chown opendkim:opendkim /etc/opendkim/TrustedHosts #chmod 640 /etc/opendkim/TrustedHosts # #cat >/etc/opendkim.conf <<'CONF' #Syslog yes #UMask 002 #Mode sv #Socket inet:8891@127.0.0.1 #Canonicalization relaxed/simple #On-BadSignature accept #On-Default accept #On-KeyNotFound accept #On-NoSignature accept #LogWhy yes #OversignHeaders From #KeyTable /etc/opendkim/KeyTable #SigningTable refile:/etc/opendkim/SigningTable #ExternalIgnoreList /etc/opendkim/TrustedHosts #InternalHosts /etc/opendkim/TrustedHosts #UserID opendkim:opendkim #AutoRestart yes #AutoRestartRate 10/1h #Background yes #DNSTimeout 5 #SignatureAlgorithm rsa-sha256 #CONF # #cat >/etc/default/opendkim 
<<'CONF' #RUNDIR=/run/opendkim #SOCKET="inet:8891@127.0.0.1" #USER=opendkim #GROUP=opendkim #PIDFILE=/run/opendkim/opendkim.pid #CONF # #systemctl disable --now opendkim >/dev/null 2>&1 || true # #echo "[i] OpenDKIM wurde vorbereitet, aber nicht gestartet." #echo "[i] Es wird nach dem Seeder aktiviert, sobald der erste DKIM-Key existiert." # ###!/usr/bin/env bash ##set -euo pipefail ##source ./lib.sh ## ##log "Rspamd + OpenDKIM einrichten …" ## ### ────────────────────────────────────────────────────────────────────────────── ### Variablen / Defaults ### ────────────────────────────────────────────────────────────────────────────── ##set +u ##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env ##set -u ## ##BASE_DOMAIN="${BASE_DOMAIN:-example.com}" ##DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" ##DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt ##RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" ## ### ────────────────────────────────────────────────────────────────────────────── ### Rspamd: Controller + Milter ### ────────────────────────────────────────────────────────────────────────────── ##install -d -m 0755 /etc/rspamd/local.d ## ### Controller-Passwort (gehasht, sonst Klartext als Fallback) ##if command -v rspamadm >/dev/null 2>&1; then ## RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" ##else ## RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" ##fi ## ##cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' ##bind_socket = "127.0.0.1:11332"; ##CONF ## ### Authentication-Results Header (hilfreich zum Debuggen) ##cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' ##use = ["authentication-results"]; ##header = "Authentication-Results"; ##CONF ## ##systemctl enable --now rspamd || true ## ### ────────────────────────────────────────────────────────────────────────────── ### OpenDKIM Grund-Setup ### 
────────────────────────────────────────────────────────────────────────────── ##install -d -m 0755 /etc/opendkim ##install -d -m 0750 /etc/opendkim/keys ##chown -R opendkim:opendkim /etc/opendkim ##chmod 750 /etc/opendkim/keys ## ### Trusted Hosts (wer signieren darf) ##cat >/etc/opendkim/TrustedHosts <<'CONF' ##127.0.0.1 ##::1 ##localhost ##CONF ##chown opendkim:opendkim /etc/opendkim/TrustedHosts ##chmod 640 /etc/opendkim/TrustedHosts ## ### Key-/Signing-Tabellen ##KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}" ##KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" ##install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" ## ### Optional: Key erzeugen, falls gewünscht und nicht vorhanden ##if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then ## if command -v opendkim-genkey >/dev/null 2>&1; then ## opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}" ## chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true ## chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true ## fi ##fi ## ### KeyTable ##cat >/etc/opendkim/KeyTable </etc/opendkim/SigningTable </etc/opendkim.conf <<'CONF' ##Syslog yes ##UMask 002 ##Mode sv ##Socket inet:8891@127.0.0.1 ##Canonicalization relaxed/simple ## ##On-BadSignature accept ##On-Default accept ##On-KeyNotFound accept ##On-NoSignature accept ## ##LogWhy yes ##OversignHeaders From ## ##KeyTable /etc/opendkim/KeyTable ##SigningTable refile:/etc/opendkim/SigningTable ##ExternalIgnoreList /etc/opendkim/TrustedHosts ##InternalHosts /etc/opendkim/TrustedHosts ## ##UserID opendkim:opendkim ##AutoRestart yes ##AutoRestartRate 10/1h ##Background yes ##DNSTimeout 5 ##SignatureAlgorithm rsa-sha256 ##CONF ## ##systemctl enable --now opendkim || true ##systemctl restart opendkim || true ##systemctl restart rspamd || true ## ### ────────────────────────────────────────────────────────────────────────────── ### Postfix: Milter-Anbindung (nur setzen, wenn leer) ### 
────────────────────────────────────────────────────────────────────────────── ##need_set() { ## local key="$1" ## local cur ## cur="$(postconf -h "$key" 2>/dev/null || true)" ## [[ -z "$cur" ]] ##} ## ##if need_set smtpd_milters; then ## /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" ##fi ##if need_set non_smtpd_milters; then ## /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" ##fi ## ##systemctl reload postfix || true ## ### ────────────────────────────────────────────────────────────────────────────── ### Hinweis ### ────────────────────────────────────────────────────────────────────────────── ##if [[ ! -s "${KEY_PRIV}" ]]; then ## echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}" ## echo " - Lege dort den Private Key ab (opendkim:opendkim, 600) ODER" ## echo " - setze DKIM_GENERATE=1 und starte dieses Skript erneut." ##fi ## ##echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden." ## ####!/usr/bin/env bash ###set -euo pipefail ###source ./lib.sh ### ###log "Rspamd + OpenDKIM einrichten …" ### #### --------------------------- #### Variablen / Defaults #### --------------------------- #### Installer-Variablen laden, falls vorhanden ###set +u ###[ -r /etc/mailwolt/installer.env ] && . 
/etc/mailwolt/installer.env ###set -u ### ###BASE_DOMAIN="${BASE_DOMAIN:-example.com}" ###DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" ###DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt ###RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}" ### #### --------------------------- #### Rspamd: Controller + Milter #### --------------------------- ###install -d -m 0755 /etc/rspamd/local.d ### #### Controller-Passwort gehasht schreiben ###if command -v rspamadm >/dev/null 2>&1; then ### RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")" ###else ### # Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein) ### # schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen. ### RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}" ###fi ### ###cat >/etc/rspamd/local.d/worker-controller.inc </etc/rspamd/local.d/worker-normal.inc <<'CONF' ###bind_socket = "127.0.0.1:11332"; ###CONF ### #### Authentication-Results Header schreiben (praktisch zum Debuggen) ###cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF' ###use = ["authentication-results"]; ###header = "Authentication-Results"; ###CONF ### ###systemctl enable --now rspamd || true ### #### --------------------------- #### OpenDKIM Grund-Setup #### --------------------------- ###install -d -m 0755 /etc/opendkim ###install -d -m 0750 /etc/opendkim/keys ###chown -R opendkim:opendkim /etc/opendkim ###chmod 750 /etc/opendkim/keys ### #### TrustedHosts (wer signieren darf) ###cat >/etc/opendkim/TrustedHosts <<'CONF' ###127.0.0.1 ###::1 ###localhost ###CONF ###chown opendkim:opendkim /etc/opendkim/TrustedHosts ###chmod 640 /etc/opendkim/TrustedHosts ### #### Key-/Signing-Tabellen vorbereiten ###KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}" ###KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private" ### ###install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}" ### #### Falls gewünscht: fehlenden Key erzeugen ###if [[ "${DKIM_GENERATE}" = "1" && ! 
-s "${KEY_PRIV}" ]]; then ### if command -v opendkim-genkey >/dev/null 2>&1; then ### opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}" ### # opendkim legt .private und .txt an (Selector.*) ### chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true ### chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true ### fi ###fi ### #### KeyTable (Selector → Keydatei) ###cat >/etc/opendkim/KeyTable </etc/opendkim/SigningTable </etc/opendkim.conf <<'CONF' ###Syslog yes ###UMask 002 ###Mode sv ###Socket inet:8891@127.0.0.1 ###Canonicalization relaxed/simple ### #### Nicht blockieren, wenn mal was fehlt ###On-BadSignature accept ###On-Default accept ###On-KeyNotFound accept ###On-NoSignature accept ### ###LogWhy yes ###OversignHeaders From ### #### Tabellen/Listen ###KeyTable /etc/opendkim/KeyTable ###SigningTable refile:/etc/opendkim/SigningTable ###ExternalIgnoreList /etc/opendkim/TrustedHosts ###InternalHosts /etc/opendkim/TrustedHosts ### ###UserID opendkim:opendkim ###AutoRestart yes ###AutoRestartRate 10/1h ###Background yes ###DNSTimeout 5 ###SignatureAlgorithm rsa-sha256 ###CONF ### ###systemctl enable --now opendkim || true ###systemctl restart opendkim || true ###systemctl restart rspamd || true ### #### --------------------------- #### Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören) #### --------------------------- #### Diese Werte setzt dein Postfix-Skript normalerweise bereits. #### Hier nur als Absicherung, falls noch leer. 
###need_set() { ### local key="$1" ### local cur ### cur="$(postconf -h "$key" 2>/dev/null || true)" ### [[ -z "$cur" ]] ###} ### ###if need_set smtpd_milters; then ### /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" ###fi ###if need_set non_smtpd_milters; then ### /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891" ###fi ### ###systemctl reload postfix || true ### #### --------------------------- #### Hinweise (einmalig, nicht kritisch) #### --------------------------- ###if [[ ! -s "${KEY_PRIV}" ]]; then ### echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}" ### echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab" ### echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an." ### echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen." ###fi ### ###echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden." ### #####!/usr/bin/env bash ####set -euo pipefail ####source ./lib.sh #### ####log "Rspamd + OpenDKIM …" #### ####cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF' ####password = "admin"; ####bind_socket = "127.0.0.1:11334"; ####CONF ####systemctl enable --now rspamd || true #### ####cat > /etc/opendkim.conf <<'CONF' ####Syslog yes ####UMask 002 ####Mode sv ####Socket inet:8891@127.0.0.1 ####Canonicalization relaxed/simple ####On-BadSignature accept ####On-Default accept ####On-KeyNotFound accept ####On-NoSignature accept ####LogWhy yes ####OversignHeaders From ####CONF ####systemctl enable --now opendkim || true