1449 lines
54 KiB
Bash
1449 lines
54 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
log "Rspamd + OpenDKIM einrichten …"
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# ENV laden
|
||
# ──────────────────────────────────────────────────────────────
|
||
set +u
|
||
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
set -u
|
||
|
||
BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com
|
||
DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv
|
||
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1
|
||
DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1=Key generieren, falls fehlt
|
||
RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# Rspamd (Controller + Milter)
|
||
# ──────────────────────────────────────────────────────────────
|
||
install -d -m 0755 /etc/rspamd/local.d
|
||
|
||
if command -v rspamadm >/dev/null 2>&1; then
|
||
RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
else
|
||
RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
fi
|
||
|
||
cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
password = "${RSPAMD_HASH}";
|
||
bind_socket = "127.0.0.1:11334";
|
||
CONF
|
||
|
||
cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
bind_socket = "127.0.0.1:11332";
|
||
CONF
|
||
|
||
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
use = ["authentication-results"];
|
||
header = "Authentication-Results";
|
||
CONF
|
||
|
||
systemctl enable --now rspamd || true
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# OpenDKIM – nur wenn DKIM_ENABLE=1
|
||
# ──────────────────────────────────────────────────────────────
|
||
if [[ "${DKIM_ENABLE}" != "1" ]]; then
|
||
log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
|
||
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
systemctl reload postfix || true
|
||
exit 0
|
||
fi
|
||
|
||
install -d -m 0755 /etc/opendkim
|
||
install -d -m 0750 /etc/opendkim/keys
|
||
chown -R opendkim:opendkim /etc/opendkim
|
||
chmod 750 /etc/opendkim/keys
|
||
|
||
# TrustedHosts
|
||
cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
127.0.0.1
|
||
::1
|
||
localhost
|
||
CONF
|
||
chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
chmod 640 /etc/opendkim/TrustedHosts
|
||
|
||
# ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ───────────────────────────
|
||
KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
|
||
# ── Key optional generieren (nur wenn gewünscht) ─────────────────────────────
|
||
if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
|
||
if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
|
||
chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
else
|
||
echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
|
||
fi
|
||
fi
|
||
|
||
# ── Key-/SigningTable nur anlegen, nicht leeren ───────────────────────────────
|
||
touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
|
||
if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
|
||
LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
|
||
LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
|
||
grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable
|
||
grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
|
||
else
|
||
echo "[i] Kein Private Key unter ${KEY_PRIV} – App-Helper trägt später ein."
|
||
fi
|
||
|
||
# ── Hauptkonfiguration ───────────────────────────────────────────────────────
|
||
cat >/etc/opendkim.conf <<'CONF'
|
||
Syslog yes
|
||
UMask 002
|
||
Mode sv
|
||
Socket inet:8891@127.0.0.1
|
||
PidFile /run/opendkim/opendkim.pid
|
||
Canonicalization relaxed/simple
|
||
|
||
On-BadSignature accept
|
||
On-Default accept
|
||
On-KeyNotFound accept
|
||
On-NoSignature accept
|
||
|
||
LogWhy yes
|
||
OversignHeaders From
|
||
|
||
KeyTable /etc/opendkim/KeyTable
|
||
SigningTable refile:/etc/opendkim/SigningTable
|
||
ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
InternalHosts /etc/opendkim/TrustedHosts
|
||
|
||
UserID opendkim:opendkim
|
||
AutoRestart yes
|
||
AutoRestartRate 10/1h
|
||
Background yes
|
||
DNSTimeout 5
|
||
SignatureAlgorithm rsa-sha256
|
||
CONF
|
||
|
||
# ── systemd Drop-in: /run/opendkim sicherstellen ─────────────────────────────
|
||
install -d -m 0755 /etc/systemd/system/opendkim.service.d
|
||
cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
|
||
[Service]
|
||
RuntimeDirectory=opendkim
|
||
RuntimeDirectoryMode=0755
|
||
EOF
|
||
|
||
install -d -o opendkim -g opendkim -m 0755 /run/opendkim
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# Root-Helper: DKIM installieren / entfernen + sudoers-Regel
|
||
# ──────────────────────────────────────────────────────────────
|
||
install -d -m 0750 /usr/local/sbin
|
||
|
||
# --- mailwolt-install-dkim ------------------------------------
|
||
cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
DOMAIN="$1"
|
||
SELECTOR="$2"
|
||
SRC_PRIV="$3"
|
||
SRC_TXT="${4:-}"
|
||
|
||
OKDIR="/etc/opendkim"
|
||
KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
|
||
install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"
|
||
|
||
KT="${OKDIR}/KeyTable"
|
||
ST="${OKDIR}/SigningTable"
|
||
touch "$KT" "$ST"
|
||
chown opendkim:opendkim "$KT" "$ST"
|
||
chmod 0640 "$KT" "$ST"
|
||
|
||
LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
|
||
grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
|
||
grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"
|
||
|
||
if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
|
||
install -d -m 0755 /etc/mailwolt/dns
|
||
cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
fi
|
||
|
||
systemctl is-active --quiet opendkim && systemctl reload opendkim || true
|
||
echo "OK"
|
||
EOSH
|
||
chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
|
||
# --- 2) mailwolt-remove-dkim ----------------------------------
|
||
cat >/usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
|
||
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com
|
||
SELECTOR="$2" # z.B. mwl1
|
||
|
||
OKDIR="/etc/opendkim"
|
||
KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
KT="${OKDIR}/KeyTable"
|
||
ST="${OKDIR}/SigningTable"
|
||
|
||
# Key-Datei löschen (falls vorhanden)
|
||
[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
|
||
|
||
# Zeilen aus KeyTable und SigningTable entfernen
|
||
if [[ -f "$KT" ]]; then
|
||
tmp="$(mktemp)"; grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" >"$tmp" && mv "$tmp" "$KT"
|
||
chown opendkim:opendkim "$KT"; chmod 0640 "$KT"
|
||
fi
|
||
if [[ -f "$ST" ]]; then
|
||
tmp="$(mktemp)"; grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" >"$tmp" && mv "$tmp" "$ST"
|
||
chown opendkim:opendkim "$ST"; chmod 0640 "$ST"
|
||
fi
|
||
|
||
# Verzeichnis ggf. aufräumen
|
||
rmdir "${KEYDIR}" 2>/dev/null || true
|
||
|
||
# Dienst neu laden, falls aktiv
|
||
if systemctl is-active --quiet opendkim; then
|
||
systemctl reload opendkim || true
|
||
fi
|
||
|
||
echo "OK"
|
||
EOSH
|
||
chown root:root /usr/local/sbin/mailwolt-remove-dkim
|
||
chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
|
||
|
||
# --- Sudoers für beide Helper sicherstellen -------------------
|
||
APP_USER="${APP_USER:-mailwolt}"
|
||
cat >/etc/sudoers.d/mailwolt-dkim <<EOF
|
||
Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
|
||
Defaults! /usr/local/sbin/mailwolt-remove-dkim !requiretty
|
||
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
|
||
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
|
||
EOF
|
||
chmod 440 /etc/sudoers.d/mailwolt-dkim
|
||
|
||
# --- Sudoers-Regel für App-User --------------------------------
|
||
APP_USER="${APP_USER:-mailwolt}"
|
||
cat > /etc/sudoers.d/mailwolt-dkim <<EOF
|
||
Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
|
||
Defaults! /usr/local/sbin/mailwolt-remove-dkim !requiretty
|
||
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
|
||
${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
|
||
EOF
|
||
chmod 440 /etc/sudoers.d/mailwolt-dkim
|
||
|
||
# ── Dienst + Postfix-Milter aktivieren ─────────────────────────
|
||
systemctl daemon-reload
|
||
systemctl enable --now opendkim || true
|
||
|
||
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
systemctl reload postfix || true
|
||
|
||
log "[✓] Rspamd + OpenDKIM eingerichtet (läuft; signiert, sobald Keys vorhanden sind)."
|
||
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#log "Rspamd + OpenDKIM einrichten …"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## ENV laden
|
||
## ──────────────────────────────────────────────────────────────
|
||
#set +u
|
||
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
#set -u
|
||
#
|
||
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com
|
||
#DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv
|
||
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1
|
||
#DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt
|
||
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
#
|
||
#
|
||
#DKIM_GENERATE="0"
|
||
## ──────────────────────────────────────────────────────────────
|
||
## Rspamd (Controller + Milter)
|
||
## ──────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/rspamd/local.d
|
||
#
|
||
#if command -v rspamadm >/dev/null 2>&1; then
|
||
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
#else
|
||
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
#fi
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
#password = "${RSPAMD_HASH}";
|
||
#bind_socket = "127.0.0.1:11334";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
#bind_socket = "127.0.0.1:11332";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
#use = ["authentication-results"];
|
||
#header = "Authentication-Results";
|
||
#CONF
|
||
#
|
||
#systemctl enable --now rspamd || true
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## OpenDKIM – nur wenn DKIM_ENABLE=1
|
||
## ──────────────────────────────────────────────────────────────
|
||
#if [[ "${DKIM_ENABLE}" != "1" ]]; then
|
||
# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# systemctl reload postfix || true
|
||
# exit 0
|
||
#fi
|
||
#
|
||
#install -d -m 0755 /etc/opendkim
|
||
#install -d -m 0750 /etc/opendkim/keys
|
||
#chown -R opendkim:opendkim /etc/opendkim
|
||
#chmod 750 /etc/opendkim/keys
|
||
#
|
||
## TrustedHosts
|
||
#cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
#127.0.0.1
|
||
#::1
|
||
#localhost
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
#chmod 640 /etc/opendkim/TrustedHosts
|
||
#
|
||
## ── Key-Verzeichnis für SYSMAIL_DOMAIN vorbereiten ───────────────────────────
|
||
#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
#
|
||
## ── Key optional generieren (damit sofort signiert werden kann) ──────────────
|
||
#if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
|
||
# if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
# opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
|
||
# chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
# chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
# else
|
||
# echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
|
||
# fi
|
||
#fi
|
||
#
|
||
## ── Key-/SigningTable SAUBER anlegen (Altlasten entfernen) ───────────────────
|
||
#touch /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
#chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
#chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
#
|
||
## Nur eintragen, wenn ein Private Key existiert (sonst übernimmt später der Helper)
|
||
#if [[ -s "${KEY_PRIV}" && "${BASE_DOMAIN}" != "example.com" ]]; then
|
||
# LINE_KT="${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}"
|
||
# LINE_ST="*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}"
|
||
# grep -Fqx "$LINE_KT" /etc/opendkim/KeyTable || echo "$LINE_KT" >> /etc/opendkim/KeyTable
|
||
# grep -Fqx "$LINE_ST" /etc/opendkim/SigningTable || echo "$LINE_ST" >> /etc/opendkim/SigningTable
|
||
#else
|
||
# echo "[i] Kein Private Key unter ${KEY_PRIV} – Tabellen bleiben ohne SYSMAIL-Eintrag (App/Helper trägt später ein)."
|
||
#fi
|
||
##: > /etc/opendkim/KeyTable
|
||
##: > /etc/opendkim/SigningTable
|
||
##chown opendkim:opendkim /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
##chmod 640 /etc/opendkim/KeyTable /etc/opendkim/SigningTable
|
||
##
|
||
### Eintrag nur setzen, wenn BASE_DOMAIN != example.com (kein Platzhalter)
|
||
##if [[ "${BASE_DOMAIN}" != "example.com" ]]; then
|
||
## echo "${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}" \
|
||
## >> /etc/opendkim/KeyTable
|
||
## echo "*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}" \
|
||
## >> /etc/opendkim/SigningTable
|
||
##fi
|
||
#
|
||
## ── Hauptkonfiguration ───────────────────────────────────────────────────────
|
||
#cat >/etc/opendkim.conf <<'CONF'
|
||
#Syslog yes
|
||
#UMask 002
|
||
#Mode sv
|
||
#Socket inet:8891@127.0.0.1
|
||
#PidFile /run/opendkim/opendkim.pid
|
||
#Canonicalization relaxed/simple
|
||
#
|
||
#On-BadSignature accept
|
||
#On-Default accept
|
||
#On-KeyNotFound accept
|
||
#On-NoSignature accept
|
||
#
|
||
#LogWhy yes
|
||
#OversignHeaders From
|
||
#
|
||
#KeyTable /etc/opendkim/KeyTable
|
||
#SigningTable refile:/etc/opendkim/SigningTable
|
||
#ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
#InternalHosts /etc/opendkim/TrustedHosts
|
||
#
|
||
#UserID opendkim:opendkim
|
||
#AutoRestart yes
|
||
#AutoRestartRate 10/1h
|
||
#Background yes
|
||
#DNSTimeout 5
|
||
#SignatureAlgorithm rsa-sha256
|
||
#CONF
|
||
#
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## Root-Helper: DKIM installieren / entfernen
|
||
## ──────────────────────────────────────────────────────────────
|
||
#install -d -m 0750 /usr/local/sbin
|
||
#
|
||
## --- 1) mailwolt-install-dkim ---------------------------------
|
||
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#
|
||
#DOMAIN="$1" # z.B. kunden.tld oder sysmail.example.com
|
||
#SELECTOR="$2" # z.B. mwl1
|
||
#SRC_PRIV="$3" # absoluter Pfad zum Private-Key
|
||
#SRC_TXT="${4:-}" # optional: TXT-Datei mit 'v=DKIM1; k=rsa; p=...'
|
||
#
|
||
#OKDIR="/etc/opendkim"
|
||
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
#install -m 0600 -o opendkim -g opendkim "${SRC_PRIV}" "${KEYPRI}"
|
||
#
|
||
#KT="${OKDIR}/KeyTable"
|
||
#ST="${OKDIR}/SigningTable"
|
||
#touch "$KT" "$ST"
|
||
#chown opendkim:opendkim "$KT" "$ST"
|
||
#chmod 0640 "$KT" "$ST"
|
||
#
|
||
#LINE_KT="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
#LINE_ST="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
#
|
||
#grep -Fqx "$LINE_KT" "$KT" || echo "$LINE_KT" >> "$KT"
|
||
#grep -Fqx "$LINE_ST" "$ST" || echo "$LINE_ST" >> "$ST"
|
||
#
|
||
#if [[ -n "${SRC_TXT}" && -s "${SRC_TXT}" ]]; then
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# cp -f "${SRC_TXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
#fi
|
||
#
|
||
#if systemctl is-active --quiet opendkim; then
|
||
# systemctl reload opendkim || true
|
||
#fi
|
||
#
|
||
#echo "OK"
|
||
#EOSH
|
||
#chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
#
|
||
## --- 2) mailwolt-remove-dkim ----------------------------------
|
||
#cat > /usr/local/sbin/mailwolt-remove-dkim <<'EOSH'
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#
|
||
#DOMAIN="$1"
|
||
#SELECTOR="$2"
|
||
#
|
||
#OKDIR="/etc/opendkim"
|
||
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
#KT="${OKDIR}/KeyTable"
|
||
#ST="${OKDIR}/SigningTable"
|
||
#
|
||
## Key-Datei löschen, wenn vorhanden
|
||
#[[ -f "${KEYPRI}" ]] && rm -f "${KEYPRI}"
|
||
#
|
||
## Tabellenzeilen entfernen
|
||
#if [[ -f "$KT" ]]; then
|
||
# TMP="$(mktemp)"
|
||
# grep -v -F "${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:" "$KT" > "$TMP" && mv "$TMP" "$KT"
|
||
#fi
|
||
#if [[ -f "$ST" ]]; then
|
||
# TMP="$(mktemp)"
|
||
# grep -v -F "*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}" "$ST" > "$TMP" && mv "$TMP" "$ST"
|
||
#fi
|
||
#
|
||
#rmdir "${KEYDIR}" 2>/dev/null || true
|
||
#
|
||
#if systemctl is-active --quiet opendkim; then
|
||
# systemctl reload opendkim || true
|
||
#fi
|
||
#
|
||
#echo "OK"
|
||
#EOSH
|
||
#chown root:root /usr/local/sbin/mailwolt-remove-dkim
|
||
#chmod 0750 /usr/local/sbin/mailwolt-remove-dkim
|
||
#
|
||
## --- 3) Sudoers-Regel für App-User (z. B. mailwolt) ----------
|
||
#APP_USER="${APP_USER:-mailwolt}"
|
||
#cat > /etc/sudoers.d/mailwolt-dkim <<EOF
|
||
#Defaults! /usr/local/sbin/mailwolt-install-dkim !requiretty
|
||
#Defaults! /usr/local/sbin/mailwolt-remove-dkim !requiretty
|
||
#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-install-dkim
|
||
#${APP_USER} ALL=(root) NOPASSWD: /usr/local/sbin/mailwolt-remove-dkim
|
||
#EOF
|
||
#chmod 440 /etc/sudoers.d/mailwolt-dkim
|
||
#
|
||
## ── systemd Drop-in: /run/opendkim sicherstellen ─────────────────────────────
|
||
#install -d -m 0755 /etc/systemd/system/opendkim.service.d
|
||
#cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
|
||
#[Service]
|
||
#RuntimeDirectory=opendkim
|
||
#RuntimeDirectoryMode=0755
|
||
#EOF
|
||
#
|
||
## Laufzeitverzeichnis sofort anlegen (erste Startphase im Installer)
|
||
#install -d -o opendkim -g opendkim -m 0755 /run/opendkim
|
||
#
|
||
## ── Root-Helper: DKIM-Keys später aus der App installieren ───────────────────
|
||
#install -d -m 0750 /usr/local/sbin
|
||
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#DOMAIN="$1"
|
||
#SELECTOR="$2"
|
||
#TMP_PRIV="$3"
|
||
#TMP_PUBTXT="${4:-}"
|
||
#
|
||
#OKDIR="/etc/opendkim"
|
||
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
|
||
#
|
||
#kt="${OKDIR}/KeyTable"
|
||
#st="${OKDIR}/SigningTable"
|
||
#touch "$kt" "$st"
|
||
#chown opendkim:opendkim "$kt" "$st"
|
||
#chmod 0640 "$kt" "$st"
|
||
#
|
||
#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
|
||
#
|
||
#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
|
||
#
|
||
#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
#fi
|
||
#
|
||
## Dienst läuft evtl. schon – reload reicht
|
||
#if systemctl is-active --quiet opendkim; then
|
||
# systemctl reload opendkim || true
|
||
#fi
|
||
#echo "OK"
|
||
#EOSH
|
||
#chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
#
|
||
## ── Dienst + Postfix-Milter: IMMER aktivieren (signiert nur, wenn Key vorhanden) ──
|
||
#systemctl daemon-reload
|
||
#systemctl enable --now opendkim || true
|
||
#
|
||
#/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
#/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
#systemctl reload postfix || true
|
||
#
|
||
#log "[✓] Rspamd + OpenDKIM eingerichtet (OpenDKIM läuft; signiert, sobald Keys vorhanden sind)."
|
||
#
|
||
|
||
|
||
##!/usr/bin/env bash
|
||
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#log "Rspamd + OpenDKIM einrichten …"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## ENV laden
|
||
## ──────────────────────────────────────────────────────────────
|
||
#set +u
|
||
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
#set -u
|
||
#
|
||
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}" # z.B. sysmail.example.com
|
||
#DKIM_ENABLE="${DKIM_ENABLE:-1}" # 1=OpenDKIM aktiv
|
||
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}" # z.B. mwl1
|
||
#DKIM_GENERATE="${DKIM_GENERATE:-1}" # 1=Key generieren, falls fehlt
|
||
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## Rspamd (Controller + Milter)
|
||
## ──────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/rspamd/local.d
|
||
#
|
||
#if command -v rspamadm >/dev/null 2>&1; then
|
||
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
#else
|
||
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
#fi
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
#password = "${RSPAMD_HASH}";
|
||
#bind_socket = "127.0.0.1:11334";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
#bind_socket = "127.0.0.1:11332";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
#use = ["authentication-results"];
|
||
#header = "Authentication-Results";
|
||
#CONF
|
||
#
|
||
#systemctl enable --now rspamd || true
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## OpenDKIM – nur wenn DKIM_ENABLE=1
|
||
## ──────────────────────────────────────────────────────────────
|
||
#if [[ "${DKIM_ENABLE}" != "1" ]]; then
|
||
# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# systemctl reload postfix || true
|
||
# exit 0
|
||
#fi
|
||
#
|
||
#install -d -m 0755 /etc/opendkim
|
||
#install -d -m 0750 /etc/opendkim/keys
|
||
#chown -R opendkim:opendkim /etc/opendkim
|
||
#chmod 750 /etc/opendkim/keys
|
||
#
|
||
## TrustedHosts
|
||
#cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
#127.0.0.1
|
||
#::1
|
||
#localhost
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
#chmod 640 /etc/opendkim/TrustedHosts
|
||
#
|
||
#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
#
|
||
## Falls kein Key da: optional generieren (auf SYSMAIL_DOMAIN)
|
||
#if [[ ! -s "${KEY_PRIV}" && "${DKIM_GENERATE}" = "1" ]]; then
|
||
# if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
# opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
|
||
# chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
# chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
# else
|
||
# echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
|
||
# fi
|
||
#fi
|
||
#
|
||
## Tabellen schreiben (zeigen auf SYSMAIL_DOMAIN)
|
||
#cat >/etc/opendkim/KeyTable <<CONF
|
||
#${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
#chmod 640 /etc/opendkim/KeyTable
|
||
#
|
||
#cat >/etc/opendkim/SigningTable <<CONF
|
||
#*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
#chmod 640 /etc/opendkim/SigningTable
|
||
#
|
||
#
|
||
## Hauptkonfiguration
|
||
#cat >/etc/opendkim.conf <<'CONF'
|
||
#Syslog yes
|
||
#UMask 002
|
||
#Mode sv
|
||
#Socket inet:8891@127.0.0.1
|
||
#PidFile /run/opendkim/opendkim.pid
|
||
#Canonicalization relaxed/simple
|
||
#
|
||
#On-BadSignature accept
|
||
#On-Default accept
|
||
#On-KeyNotFound accept
|
||
#On-NoSignature accept
|
||
#
|
||
#LogWhy yes
|
||
#OversignHeaders From
|
||
#
|
||
#KeyTable /etc/opendkim/KeyTable
|
||
#SigningTable refile:/etc/opendkim/SigningTable
|
||
#ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
#InternalHosts /etc/opendkim/TrustedHosts
|
||
#
|
||
#UserID opendkim:opendkim
|
||
#AutoRestart yes
|
||
#AutoRestartRate 10/1h
|
||
#Background yes
|
||
#DNSTimeout 5
|
||
#SignatureAlgorithm rsa-sha256
|
||
#CONF
|
||
#
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## systemd Drop-in: sorgt dafür, dass /run/opendkim existiert
|
||
## ──────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/systemd/system/opendkim.service.d
|
||
#cat >/etc/systemd/system/opendkim.service.d/override.conf <<'EOF'
|
||
#[Service]
|
||
#RuntimeDirectory=opendkim
|
||
#RuntimeDirectoryMode=0755
|
||
#EOF
|
||
#
|
||
## Laufzeitverzeichnis sofort anlegen (damit der Start im Installer klappt)
|
||
#install -d -o opendkim -g opendkim -m 0755 /run/opendkim
|
||
#
|
||
## Root-Helper zum nachträglichen Installieren von DKIM-Keys (aus der App)
|
||
#install -d -m 0750 /usr/local/sbin
|
||
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#
|
||
#DOMAIN="$1" # z.B. sysmail.example.com ODER kunden.tld
|
||
#SELECTOR="$2" # z.B. dkim / mwl1
|
||
#TMP_PRIV="$3" # private PEM (von App)
|
||
#TMP_PUBTXT="${4:-}" # optional: fertiger TXT-String-Dateipfad
|
||
#
|
||
#OKDIR="/etc/opendkim"
|
||
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
|
||
#
|
||
#kt="${OKDIR}/KeyTable"
|
||
#st="${OKDIR}/SigningTable"
|
||
#touch "$kt" "$st"
|
||
#chown opendkim:opendkim "$kt" "$st"
|
||
#chmod 0640 "$kt" "$st"
|
||
#
|
||
#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
|
||
#
|
||
#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
|
||
#
|
||
#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
#fi
|
||
#
|
||
#if systemctl is-active --quiet opendkim; then
|
||
# systemctl reload opendkim || true
|
||
#fi
|
||
#
|
||
#echo "OK"
|
||
#EOSH
|
||
#chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
#
|
||
#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
#
|
||
# if [[ -s "${KEY_PRIV}" ]]; then
|
||
# systemctl enable opendkim >/dev/null 2>&1 || true
|
||
# if systemctl is-active --quiet opendkim; then
|
||
# systemctl reload opendkim || true
|
||
# fi
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# #systemctl reload postfix || true
|
||
# else
|
||
# echo "[i] Noch kein Private Key unter ${KEY_PRIV} – OpenDKIM bleibt aus."
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# #systemctl reload postfix || true
|
||
# fi
|
||
|
||
|
||
# OpenDKIM nur starten, wenn Key vorhanden – sonst nur Rspamd aktiv lassen
|
||
#if [[ -s "${KEY_PRIV}" ]]; then
|
||
# systemctl enable --now opendkim || true
|
||
# systemctl restart opendkim || true
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# systemctl reload postfix || true
|
||
#
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# [[ -s "${KEY_DNSTXT}" ]] && cp -f "${KEY_DNSTXT}" "/etc/mailwolt/dns/dkim-${SYSMAIL_DOMAIN}.txt" || true
|
||
#
|
||
# echo "[✓] OpenDKIM aktiv für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR})"
|
||
# echo " DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})"
|
||
#else
|
||
# echo "[i] Noch kein Private Key unter ${KEY_PRIV} – OpenDKIM bleibt aus."
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# systemctl reload postfix || true
|
||
#fi
|
||
|
||
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#log "Rspamd + OpenDKIM einrichten …"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## ENV laden
|
||
## ──────────────────────────────────────────────────────────────
|
||
#set +u
|
||
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
#set -u
|
||
#
|
||
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
#SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"
|
||
#DKIM_ENABLE="${DKIM_ENABLE:-1}"
|
||
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
#DKIM_GENERATE="${DKIM_GENERATE:-1}"
|
||
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## Rspamd
|
||
## ──────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/rspamd/local.d
|
||
#
|
||
#if command -v rspamadm >/dev/null 2>&1; then
|
||
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
#else
|
||
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
#fi
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
#password = "${RSPAMD_HASH}";
|
||
#bind_socket = "127.0.0.1:11334";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
#bind_socket = "127.0.0.1:11332";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
#use = ["authentication-results"];
|
||
#header = "Authentication-Results";
|
||
#CONF
|
||
#
|
||
#systemctl enable --now rspamd || true
|
||
#
|
||
## ──────────────────────────────────────────────────────────────
|
||
## OpenDKIM – nur wenn DKIM_ENABLE=1
|
||
## ──────────────────────────────────────────────────────────────
|
||
#if [[ "${DKIM_ENABLE}" != "1" ]]; then
|
||
# log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
|
||
# # Stelle sicher, dass Postfix nur Rspamd nutzt:
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# systemctl reload postfix || true
|
||
# exit 0
|
||
#fi
|
||
#
|
||
#install -d -m 0755 /etc/opendkim
|
||
#install -d -m 0750 /etc/opendkim/keys
|
||
#chown -R opendkim:opendkim /etc/opendkim
|
||
#chmod 750 /etc/opendkim/keys
|
||
#
|
||
## TrustedHosts
|
||
#cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
#127.0.0.1
|
||
#::1
|
||
#localhost
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
#chmod 640 /etc/opendkim/TrustedHosts
|
||
#
|
||
#KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
#KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
#KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
#
|
||
## Key erzeugen, wenn gewünscht/fehlend
|
||
#if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
# if [[ "${DKIM_GENERATE}" = "1" ]]; then
|
||
# if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
# opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
|
||
# chown opendkim:opendkim "${KEY_PRIV}" || true
|
||
# chmod 600 "${KEY_PRIV}" || true
|
||
# else
|
||
# echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
|
||
# fi
|
||
# fi
|
||
#fi
|
||
#
|
||
## Tabellen schreiben (zeigen auf SYSMAIL_DOMAIN)
|
||
#cat >/etc/opendkim/KeyTable <<CONF
|
||
#${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
#chmod 640 /etc/opendkim/KeyTable
|
||
#
|
||
#cat >/etc/opendkim/SigningTable <<CONF
|
||
#*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
#chmod 640 /etc/opendkim/SigningTable
|
||
#
|
||
## Hauptkonfiguration
|
||
#cat >/etc/opendkim.conf <<'CONF'
|
||
#Syslog yes
|
||
#UMask 002
|
||
#Mode sv
|
||
#Socket inet:8891@127.0.0.1
|
||
#Canonicalization relaxed/simple
|
||
#
|
||
#On-BadSignature accept
|
||
#On-Default accept
|
||
#On-KeyNotFound accept
|
||
#On-NoSignature accept
|
||
#
|
||
#LogWhy yes
|
||
#OversignHeaders From
|
||
#
|
||
#KeyTable /etc/opendkim/KeyTable
|
||
#SigningTable refile:/etc/opendkim/SigningTable
|
||
#ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
#InternalHosts /etc/opendkim/TrustedHosts
|
||
#
|
||
#UserID opendkim:opendkim
|
||
#AutoRestart yes
|
||
#AutoRestartRate 10/1h
|
||
#Background yes
|
||
#DNSTimeout 5
|
||
#SignatureAlgorithm rsa-sha256
|
||
#CONF
|
||
#
|
||
## --- Root-Helper zum Einhängen von DKIM-Keys in OpenDKIM ---
|
||
#install -d -m 0750 /usr/local/sbin
|
||
#cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#
|
||
#DOMAIN="$1" # z.B. thinkidoo.at
|
||
#SELECTOR="$2" # z.B. dkim / mwl1
|
||
#TMP_PRIV="$3" # Pfad: Private-Key PEM (von der App erzeugt)
|
||
#TMP_PUBTXT="${4:-}" # optional: Datei mit fertigem DNS-TXT
|
||
#
|
||
#OKDIR="/etc/opendkim"
|
||
#KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
#KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
#
|
||
#install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
#install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
|
||
#
|
||
#kt="${OKDIR}/KeyTable"
|
||
#st="${OKDIR}/SigningTable"
|
||
#touch "$kt" "$st"
|
||
#chown opendkim:opendkim "$kt" "$st"
|
||
#chmod 0640 "$kt" "$st"
|
||
#
|
||
#line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
#grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
|
||
#
|
||
#line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
#grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
|
||
#
|
||
#if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
#fi
|
||
#
|
||
#systemctl restart opendkim
|
||
#echo "OK"
|
||
#EOSH
|
||
#chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
#chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
#
|
||
## Nur starten, wenn der Private Key existiert
|
||
#if [[ -s "${KEY_PRIV}" ]]; then
|
||
# systemctl enable --now opendkim || true
|
||
# systemctl restart opendkim || true
|
||
#
|
||
# # Postfix an beide Milters hängen
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
# systemctl reload postfix || true
|
||
#
|
||
# # DNS-Export ablegen (für UI/Hinweis)
|
||
# install -d -m 0755 /etc/mailwolt/dns
|
||
# [[ -s "${KEY_DNSTXT}" ]] && cp -f "${KEY_DNSTXT}" "/etc/mailwolt/dns/dkim-${SYSMAIL_DOMAIN}.txt" || true
|
||
#
|
||
# echo "[✓] OpenDKIM aktiv für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR})"
|
||
# echo " DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})"
|
||
#else
|
||
# echo "[!] Kein Private Key: ${KEY_PRIV}"
|
||
# echo " - Setze DKIM_GENERATE=1 ODER lege Key-Datei manuell ab (opendkim:opendkim, 600)."
|
||
# echo " - Postfix bleibt bis dahin nur mit Rspamd-Milter verbunden."
|
||
# /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
# /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
# systemctl reload postfix || true
|
||
#fi
|
||
|
||
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#log "Rspamd + OpenDKIM vorbereiten …"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## Variablen / Defaults
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#set +u
|
||
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
#set -u
|
||
#
|
||
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## Rspamd
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/rspamd/local.d
|
||
#
|
||
#if command -v rspamadm >/dev/null 2>&1; then
|
||
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
#else
|
||
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
#fi
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
#password = "${RSPAMD_HASH}";
|
||
#bind_socket = "127.0.0.1:11334";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
#bind_socket = "127.0.0.1:11332";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
#use = ["authentication-results"];
|
||
#header = "Authentication-Results";
|
||
#CONF
|
||
#
|
||
#systemctl enable --now rspamd || true
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## OpenDKIM – nur vorbereiten, nicht starten
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/opendkim
|
||
#install -d -m 0750 /etc/opendkim/keys
|
||
#chown -R opendkim:opendkim /etc/opendkim
|
||
#chmod 750 /etc/opendkim/keys
|
||
#
|
||
#cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
#127.0.0.1
|
||
#::1
|
||
#localhost
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
#chmod 640 /etc/opendkim/TrustedHosts
|
||
#
|
||
#cat >/etc/opendkim.conf <<'CONF'
|
||
#Syslog yes
|
||
#UMask 002
|
||
#Mode sv
|
||
#Socket inet:8891@127.0.0.1
|
||
#Canonicalization relaxed/simple
|
||
#On-BadSignature accept
|
||
#On-Default accept
|
||
#On-KeyNotFound accept
|
||
#On-NoSignature accept
|
||
#LogWhy yes
|
||
#OversignHeaders From
|
||
#KeyTable /etc/opendkim/KeyTable
|
||
#SigningTable refile:/etc/opendkim/SigningTable
|
||
#ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
#InternalHosts /etc/opendkim/TrustedHosts
|
||
#UserID opendkim:opendkim
|
||
#AutoRestart yes
|
||
#AutoRestartRate 10/1h
|
||
#Background yes
|
||
#DNSTimeout 5
|
||
#SignatureAlgorithm rsa-sha256
|
||
#CONF
|
||
#
|
||
#cat >/etc/default/opendkim <<'CONF'
|
||
#RUNDIR=/run/opendkim
|
||
#SOCKET="inet:8891@127.0.0.1"
|
||
#USER=opendkim
|
||
#GROUP=opendkim
|
||
#PIDFILE=/run/opendkim/opendkim.pid
|
||
#CONF
|
||
#
|
||
#systemctl disable --now opendkim >/dev/null 2>&1 || true
|
||
#
|
||
#echo "[i] OpenDKIM wurde vorbereitet, aber nicht gestartet."
|
||
#echo "[i] Es wird nach dem Seeder aktiviert, sobald der erste DKIM-Key existiert."
|
||
#
|
||
###!/usr/bin/env bash
|
||
##set -euo pipefail
|
||
##source ./lib.sh
|
||
##
|
||
##log "Rspamd + OpenDKIM einrichten …"
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Variablen / Defaults
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##set +u
|
||
##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
##set -u
|
||
##
|
||
##BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
##DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
##DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
|
||
##RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Rspamd: Controller + Milter
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##install -d -m 0755 /etc/rspamd/local.d
|
||
##
|
||
### Controller-Passwort (gehasht, sonst Klartext als Fallback)
|
||
##if command -v rspamadm >/dev/null 2>&1; then
|
||
## RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
##else
|
||
## RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
##fi
|
||
##
|
||
##cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
##password = "${RSPAMD_HASH}";
|
||
##bind_socket = "127.0.0.1:11334";
|
||
##CONF
|
||
##
|
||
### Normal-Worker (Milter-Port für Postfix)
|
||
##cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
##bind_socket = "127.0.0.1:11332";
|
||
##CONF
|
||
##
|
||
### Authentication-Results Header (hilfreich zum Debuggen)
|
||
##cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
##use = ["authentication-results"];
|
||
##header = "Authentication-Results";
|
||
##CONF
|
||
##
|
||
##systemctl enable --now rspamd || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### OpenDKIM Grund-Setup
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##install -d -m 0755 /etc/opendkim
|
||
##install -d -m 0750 /etc/opendkim/keys
|
||
##chown -R opendkim:opendkim /etc/opendkim
|
||
##chmod 750 /etc/opendkim/keys
|
||
##
|
||
### Trusted Hosts (wer signieren darf)
|
||
##cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
##127.0.0.1
|
||
##::1
|
||
##localhost
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
##chmod 640 /etc/opendkim/TrustedHosts
|
||
##
|
||
### Key-/Signing-Tabellen
|
||
##KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
|
||
##KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
##install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
##
|
||
### Optional: Key erzeugen, falls gewünscht und nicht vorhanden
|
||
##if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
|
||
## if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
## opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
|
||
## chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
## chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
## fi
|
||
##fi
|
||
##
|
||
### KeyTable
|
||
##cat >/etc/opendkim/KeyTable <<CONF
|
||
##${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
##chmod 640 /etc/opendkim/KeyTable
|
||
##
|
||
### SigningTable
|
||
##cat >/etc/opendkim/SigningTable <<CONF
|
||
##*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
##chmod 640 /etc/opendkim/SigningTable
|
||
##
|
||
### Hauptkonfiguration
|
||
##cat >/etc/opendkim.conf <<'CONF'
|
||
##Syslog yes
|
||
##UMask 002
|
||
##Mode sv
|
||
##Socket inet:8891@127.0.0.1
|
||
##Canonicalization relaxed/simple
|
||
##
|
||
##On-BadSignature accept
|
||
##On-Default accept
|
||
##On-KeyNotFound accept
|
||
##On-NoSignature accept
|
||
##
|
||
##LogWhy yes
|
||
##OversignHeaders From
|
||
##
|
||
##KeyTable /etc/opendkim/KeyTable
|
||
##SigningTable refile:/etc/opendkim/SigningTable
|
||
##ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
##InternalHosts /etc/opendkim/TrustedHosts
|
||
##
|
||
##UserID opendkim:opendkim
|
||
##AutoRestart yes
|
||
##AutoRestartRate 10/1h
|
||
##Background yes
|
||
##DNSTimeout 5
|
||
##SignatureAlgorithm rsa-sha256
|
||
##CONF
|
||
##
|
||
##systemctl enable --now opendkim || true
|
||
##systemctl restart opendkim || true
|
||
##systemctl restart rspamd || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Postfix: Milter-Anbindung (nur setzen, wenn leer)
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##need_set() {
|
||
## local key="$1"
|
||
## local cur
|
||
## cur="$(postconf -h "$key" 2>/dev/null || true)"
|
||
## [[ -z "$cur" ]]
|
||
##}
|
||
##
|
||
##if need_set smtpd_milters; then
|
||
## /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
##fi
|
||
##if need_set non_smtpd_milters; then
|
||
## /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
##fi
|
||
##
|
||
##systemctl reload postfix || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Hinweis
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
## echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
|
||
## echo " - Lege dort den Private Key ab (opendkim:opendkim, 600) ODER"
|
||
## echo " - setze DKIM_GENERATE=1 und starte dieses Skript erneut."
|
||
##fi
|
||
##
|
||
##echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
|
||
##
|
||
####!/usr/bin/env bash
|
||
###set -euo pipefail
|
||
###source ./lib.sh
|
||
###
|
||
###log "Rspamd + OpenDKIM einrichten …"
|
||
###
|
||
#### ---------------------------
|
||
#### Variablen / Defaults
|
||
#### ---------------------------
|
||
#### Installer-Variablen laden, falls vorhanden
|
||
###set +u
|
||
###[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
###set -u
|
||
###
|
||
###BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
###DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
###DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
|
||
###RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
###
|
||
#### ---------------------------
|
||
#### Rspamd: Controller + Milter
|
||
#### ---------------------------
|
||
###install -d -m 0755 /etc/rspamd/local.d
|
||
###
|
||
#### Controller-Passwort gehasht schreiben
|
||
###if command -v rspamadm >/dev/null 2>&1; then
|
||
### RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
###else
|
||
### # Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein)
|
||
### # schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen.
|
||
### RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
###fi
|
||
###
|
||
###cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
###password = "${RSPAMD_HASH}";
|
||
###bind_socket = "127.0.0.1:11334";
|
||
###CONF
|
||
###
|
||
#### Normal-Worker (Milter-Port für Postfix)
|
||
###cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
###bind_socket = "127.0.0.1:11332";
|
||
###CONF
|
||
###
|
||
#### Authentication-Results Header schreiben (praktisch zum Debuggen)
|
||
###cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
###use = ["authentication-results"];
|
||
###header = "Authentication-Results";
|
||
###CONF
|
||
###
|
||
###systemctl enable --now rspamd || true
|
||
###
|
||
#### ---------------------------
|
||
#### OpenDKIM Grund-Setup
|
||
#### ---------------------------
|
||
###install -d -m 0755 /etc/opendkim
|
||
###install -d -m 0750 /etc/opendkim/keys
|
||
###chown -R opendkim:opendkim /etc/opendkim
|
||
###chmod 750 /etc/opendkim/keys
|
||
###
|
||
#### TrustedHosts (wer signieren darf)
|
||
###cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
###127.0.0.1
|
||
###::1
|
||
###localhost
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
###chmod 640 /etc/opendkim/TrustedHosts
|
||
###
|
||
#### Key-/Signing-Tabellen vorbereiten
|
||
###KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
|
||
###KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
###
|
||
###install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
###
|
||
#### Falls gewünscht: fehlenden Key erzeugen
|
||
###if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
|
||
### if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
### opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
|
||
### # opendkim legt .private und .txt an (Selector.*)
|
||
### chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
### chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
### fi
|
||
###fi
|
||
###
|
||
#### KeyTable (Selector → Keydatei)
|
||
###cat >/etc/opendkim/KeyTable <<CONF
|
||
###${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
###chmod 640 /etc/opendkim/KeyTable
|
||
###
|
||
#### SigningTable (welche From:-Domains werden womit signiert)
|
||
###cat >/etc/opendkim/SigningTable <<CONF
|
||
###*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
###chmod 640 /etc/opendkim/SigningTable
|
||
###
|
||
#### Hauptkonfiguration
|
||
###cat >/etc/opendkim.conf <<'CONF'
|
||
###Syslog yes
|
||
###UMask 002
|
||
###Mode sv
|
||
###Socket inet:8891@127.0.0.1
|
||
###Canonicalization relaxed/simple
|
||
###
|
||
#### Nicht blockieren, wenn mal was fehlt
|
||
###On-BadSignature accept
|
||
###On-Default accept
|
||
###On-KeyNotFound accept
|
||
###On-NoSignature accept
|
||
###
|
||
###LogWhy yes
|
||
###OversignHeaders From
|
||
###
|
||
#### Tabellen/Listen
|
||
###KeyTable /etc/opendkim/KeyTable
|
||
###SigningTable refile:/etc/opendkim/SigningTable
|
||
###ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
###InternalHosts /etc/opendkim/TrustedHosts
|
||
###
|
||
###UserID opendkim:opendkim
|
||
###AutoRestart yes
|
||
###AutoRestartRate 10/1h
|
||
###Background yes
|
||
###DNSTimeout 5
|
||
###SignatureAlgorithm rsa-sha256
|
||
###CONF
|
||
###
|
||
###systemctl enable --now opendkim || true
|
||
###systemctl restart opendkim || true
|
||
###systemctl restart rspamd || true
|
||
###
|
||
#### ---------------------------
|
||
#### Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören)
|
||
#### ---------------------------
|
||
#### Diese Werte setzt dein Postfix-Skript normalerweise bereits.
|
||
#### Hier nur als Absicherung, falls noch leer.
|
||
###need_set() {
|
||
### local key="$1"
|
||
### local cur
|
||
### cur="$(postconf -h "$key" 2>/dev/null || true)"
|
||
### [[ -z "$cur" ]]
|
||
###}
|
||
###
|
||
###if need_set smtpd_milters; then
|
||
### /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
###fi
|
||
###if need_set non_smtpd_milters; then
|
||
### /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
###fi
|
||
###
|
||
###systemctl reload postfix || true
|
||
###
|
||
#### ---------------------------
|
||
#### Hinweise (einmalig, nicht kritisch)
|
||
#### ---------------------------
|
||
###if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
### echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
|
||
### echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
|
||
### echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an."
|
||
### echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
|
||
###fi
|
||
###
|
||
###echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
|
||
###
|
||
#####!/usr/bin/env bash
|
||
####set -euo pipefail
|
||
####source ./lib.sh
|
||
####
|
||
####log "Rspamd + OpenDKIM …"
|
||
####
|
||
####cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
|
||
####password = "admin";
|
||
####bind_socket = "127.0.0.1:11334";
|
||
####CONF
|
||
####systemctl enable --now rspamd || true
|
||
####
|
||
####cat > /etc/opendkim.conf <<'CONF'
|
||
####Syslog yes
|
||
####UMask 002
|
||
####Mode sv
|
||
####Socket inet:8891@127.0.0.1
|
||
####Canonicalization relaxed/simple
|
||
####On-BadSignature accept
|
||
####On-Default accept
|
||
####On-KeyNotFound accept
|
||
####On-NoSignature accept
|
||
####LogWhy yes
|
||
####OversignHeaders From
|
||
####CONF
|
||
####systemctl enable --now opendkim || true
|