647 lines
24 KiB
Bash
647 lines
24 KiB
Bash
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
source ./lib.sh
|
||
|
||
log "Rspamd + OpenDKIM einrichten …"
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# ENV laden
|
||
# ──────────────────────────────────────────────────────────────
|
||
set +u
|
||
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
set -u
|
||
|
||
BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
SYSMAIL_DOMAIN="${SYSMAIL_DOMAIN:-sysmail.${BASE_DOMAIN}}"
|
||
DKIM_ENABLE="${DKIM_ENABLE:-1}"
|
||
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
DKIM_GENERATE="${DKIM_GENERATE:-1}"
|
||
RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# Rspamd
|
||
# ──────────────────────────────────────────────────────────────
|
||
install -d -m 0755 /etc/rspamd/local.d
|
||
|
||
if command -v rspamadm >/dev/null 2>&1; then
|
||
RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
else
|
||
RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
fi
|
||
|
||
cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
password = "${RSPAMD_HASH}";
|
||
bind_socket = "127.0.0.1:11334";
|
||
CONF
|
||
|
||
cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
bind_socket = "127.0.0.1:11332";
|
||
CONF
|
||
|
||
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
use = ["authentication-results"];
|
||
header = "Authentication-Results";
|
||
CONF
|
||
|
||
systemctl enable --now rspamd || true
|
||
|
||
# ──────────────────────────────────────────────────────────────
|
||
# OpenDKIM – nur wenn DKIM_ENABLE=1
|
||
# ──────────────────────────────────────────────────────────────
|
||
if [[ "${DKIM_ENABLE}" != "1" ]]; then
|
||
log "DKIM_ENABLE=0 → OpenDKIM wird übersprungen."
|
||
# Stelle sicher, dass Postfix nur Rspamd nutzt:
|
||
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
systemctl reload postfix || true
|
||
exit 0
|
||
fi
|
||
|
||
install -d -m 0755 /etc/opendkim
|
||
install -d -m 0750 /etc/opendkim/keys
|
||
chown -R opendkim:opendkim /etc/opendkim
|
||
chmod 750 /etc/opendkim/keys
|
||
|
||
# TrustedHosts
|
||
cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
127.0.0.1
|
||
::1
|
||
localhost
|
||
CONF
|
||
chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
chmod 640 /etc/opendkim/TrustedHosts
|
||
|
||
KEY_DIR="/etc/opendkim/keys/${SYSMAIL_DOMAIN}"
|
||
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
KEY_DNSTXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
|
||
|
||
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
|
||
# Key erzeugen, wenn gewünscht/fehlend
|
||
if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
if [[ "${DKIM_GENERATE}" = "1" ]]; then
|
||
if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${SYSMAIL_DOMAIN}" -D "${KEY_DIR}"
|
||
chown opendkim:opendkim "${KEY_PRIV}" || true
|
||
chmod 600 "${KEY_PRIV}" || true
|
||
else
|
||
echo "[!] opendkim-genkey fehlt – kann DKIM-Key nicht generieren."
|
||
fi
|
||
fi
|
||
fi
|
||
|
||
# Tabellen schreiben (zeigen auf SYSMAIL_DOMAIN)
|
||
cat >/etc/opendkim/KeyTable <<CONF
|
||
${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} ${SYSMAIL_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
CONF
|
||
chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
chmod 640 /etc/opendkim/KeyTable
|
||
|
||
cat >/etc/opendkim/SigningTable <<CONF
|
||
*@${SYSMAIL_DOMAIN} ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN}
|
||
CONF
|
||
chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
chmod 640 /etc/opendkim/SigningTable
|
||
|
||
# Hauptkonfiguration
|
||
cat >/etc/opendkim.conf <<'CONF'
|
||
Syslog yes
|
||
UMask 002
|
||
Mode sv
|
||
Socket inet:8891@127.0.0.1
|
||
Canonicalization relaxed/simple
|
||
|
||
On-BadSignature accept
|
||
On-Default accept
|
||
On-KeyNotFound accept
|
||
On-NoSignature accept
|
||
|
||
LogWhy yes
|
||
OversignHeaders From
|
||
|
||
KeyTable /etc/opendkim/KeyTable
|
||
SigningTable refile:/etc/opendkim/SigningTable
|
||
ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
InternalHosts /etc/opendkim/TrustedHosts
|
||
|
||
UserID opendkim:opendkim
|
||
AutoRestart yes
|
||
AutoRestartRate 10/1h
|
||
Background yes
|
||
DNSTimeout 5
|
||
SignatureAlgorithm rsa-sha256
|
||
CONF
|
||
|
||
# --- Root-Helper zum Einhängen von DKIM-Keys in OpenDKIM ---
|
||
install -d -m 0750 /usr/local/sbin
|
||
cat > /usr/local/sbin/mailwolt-install-dkim <<'EOSH'
|
||
#!/usr/bin/env bash
|
||
set -euo pipefail
|
||
|
||
DOMAIN="$1" # z.B. thinkidoo.at
|
||
SELECTOR="$2" # z.B. dkim / mwl1
|
||
TMP_PRIV="$3" # Pfad: Private-Key PEM (von der App erzeugt)
|
||
TMP_PUBTXT="${4:-}" # optional: Datei mit fertigem DNS-TXT
|
||
|
||
OKDIR="/etc/opendkim"
|
||
KEYDIR="${OKDIR}/keys/${DOMAIN}"
|
||
KEYPRI="${KEYDIR}/${SELECTOR}.private"
|
||
|
||
install -d -m 0750 -o opendkim -g opendkim "${KEYDIR}"
|
||
install -m 0600 -o opendkim -g opendkim "${TMP_PRIV}" "${KEYPRI}"
|
||
|
||
kt="${OKDIR}/KeyTable"
|
||
st="${OKDIR}/SigningTable"
|
||
touch "$kt" "$st"
|
||
chown opendkim:opendkim "$kt" "$st"
|
||
chmod 0640 "$kt" "$st"
|
||
|
||
line_kt="${SELECTOR}._domainkey.${DOMAIN} ${DOMAIN}:${SELECTOR}:${KEYPRI}"
|
||
grep -Fqx "$line_kt" "$kt" || echo "$line_kt" >> "$kt"
|
||
|
||
line_st="*@${DOMAIN} ${SELECTOR}._domainkey.${DOMAIN}"
|
||
grep -Fqx "$line_st" "$st" || echo "$line_st" >> "$st"
|
||
|
||
if [[ -n "${TMP_PUBTXT}" && -s "${TMP_PUBTXT}" ]]; then
|
||
install -d -m 0755 /etc/mailwolt/dns
|
||
cp -f "${TMP_PUBTXT}" "/etc/mailwolt/dns/dkim-${DOMAIN}.txt"
|
||
fi
|
||
|
||
systemctl restart opendkim
|
||
echo "OK"
|
||
EOSH
|
||
chown root:root /usr/local/sbin/mailwolt-install-dkim
|
||
chmod 0750 /usr/local/sbin/mailwolt-install-dkim
|
||
|
||
# Nur starten, wenn der Private Key existiert
|
||
if [[ -s "${KEY_PRIV}" ]]; then
|
||
systemctl enable --now opendkim || true
|
||
systemctl restart opendkim || true
|
||
|
||
# Postfix an beide Milters hängen
|
||
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
systemctl reload postfix || true
|
||
|
||
# DNS-Export ablegen (für UI/Hinweis)
|
||
install -d -m 0755 /etc/mailwolt/dns
|
||
[[ -s "${KEY_DNSTXT}" ]] && cp -f "${KEY_DNSTXT}" "/etc/mailwolt/dns/dkim-${SYSMAIL_DOMAIN}.txt" || true
|
||
|
||
echo "[✓] OpenDKIM aktiv für ${SYSMAIL_DOMAIN} (Selector: ${DKIM_SELECTOR})"
|
||
echo " DNS: ${DKIM_SELECTOR}._domainkey.${SYSMAIL_DOMAIN} (siehe ${KEY_DNSTXT})"
|
||
else
|
||
echo "[!] Kein Private Key: ${KEY_PRIV}"
|
||
echo " - Setze DKIM_GENERATE=1 ODER lege Key-Datei manuell ab (opendkim:opendkim, 600)."
|
||
echo " - Postfix bleibt bis dahin nur mit Rspamd-Milter verbunden."
|
||
/usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332"
|
||
/usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332"
|
||
systemctl reload postfix || true
|
||
fi
|
||
|
||
|
||
##!/usr/bin/env bash
|
||
#set -euo pipefail
|
||
#source ./lib.sh
|
||
#
|
||
#log "Rspamd + OpenDKIM vorbereiten …"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## Variablen / Defaults
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#set +u
|
||
#[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
#set -u
|
||
#
|
||
#BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
#DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
#RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## Rspamd
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/rspamd/local.d
|
||
#
|
||
#if command -v rspamadm >/dev/null 2>&1; then
|
||
# RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
#else
|
||
# RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
#fi
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
#password = "${RSPAMD_HASH}";
|
||
#bind_socket = "127.0.0.1:11334";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
#bind_socket = "127.0.0.1:11332";
|
||
#CONF
|
||
#
|
||
#cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
#use = ["authentication-results"];
|
||
#header = "Authentication-Results";
|
||
#CONF
|
||
#
|
||
#systemctl enable --now rspamd || true
|
||
#
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
## OpenDKIM – nur vorbereiten, nicht starten
|
||
## ──────────────────────────────────────────────────────────────────────────────
|
||
#install -d -m 0755 /etc/opendkim
|
||
#install -d -m 0750 /etc/opendkim/keys
|
||
#chown -R opendkim:opendkim /etc/opendkim
|
||
#chmod 750 /etc/opendkim/keys
|
||
#
|
||
#cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
#127.0.0.1
|
||
#::1
|
||
#localhost
|
||
#CONF
|
||
#chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
#chmod 640 /etc/opendkim/TrustedHosts
|
||
#
|
||
#cat >/etc/opendkim.conf <<'CONF'
|
||
#Syslog yes
|
||
#UMask 002
|
||
#Mode sv
|
||
#Socket inet:8891@127.0.0.1
|
||
#Canonicalization relaxed/simple
|
||
#On-BadSignature accept
|
||
#On-Default accept
|
||
#On-KeyNotFound accept
|
||
#On-NoSignature accept
|
||
#LogWhy yes
|
||
#OversignHeaders From
|
||
#KeyTable /etc/opendkim/KeyTable
|
||
#SigningTable refile:/etc/opendkim/SigningTable
|
||
#ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
#InternalHosts /etc/opendkim/TrustedHosts
|
||
#UserID opendkim:opendkim
|
||
#AutoRestart yes
|
||
#AutoRestartRate 10/1h
|
||
#Background yes
|
||
#DNSTimeout 5
|
||
#SignatureAlgorithm rsa-sha256
|
||
#CONF
|
||
#
|
||
#cat >/etc/default/opendkim <<'CONF'
|
||
#RUNDIR=/run/opendkim
|
||
#SOCKET="inet:8891@127.0.0.1"
|
||
#USER=opendkim
|
||
#GROUP=opendkim
|
||
#PIDFILE=/run/opendkim/opendkim.pid
|
||
#CONF
|
||
#
|
||
#systemctl disable --now opendkim >/dev/null 2>&1 || true
|
||
#
|
||
#echo "[i] OpenDKIM wurde vorbereitet, aber nicht gestartet."
|
||
#echo "[i] Es wird nach dem Seeder aktiviert, sobald der erste DKIM-Key existiert."
|
||
#
|
||
###!/usr/bin/env bash
|
||
##set -euo pipefail
|
||
##source ./lib.sh
|
||
##
|
||
##log "Rspamd + OpenDKIM einrichten …"
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Variablen / Defaults
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##set +u
|
||
##[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
##set -u
|
||
##
|
||
##BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
##DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
##DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
|
||
##RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Rspamd: Controller + Milter
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##install -d -m 0755 /etc/rspamd/local.d
|
||
##
|
||
### Controller-Passwort (gehasht, sonst Klartext als Fallback)
|
||
##if command -v rspamadm >/dev/null 2>&1; then
|
||
## RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
##else
|
||
## RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
##fi
|
||
##
|
||
##cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
##password = "${RSPAMD_HASH}";
|
||
##bind_socket = "127.0.0.1:11334";
|
||
##CONF
|
||
##
|
||
### Normal-Worker (Milter-Port für Postfix)
|
||
##cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
##bind_socket = "127.0.0.1:11332";
|
||
##CONF
|
||
##
|
||
### Authentication-Results Header (hilfreich zum Debuggen)
|
||
##cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
##use = ["authentication-results"];
|
||
##header = "Authentication-Results";
|
||
##CONF
|
||
##
|
||
##systemctl enable --now rspamd || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### OpenDKIM Grund-Setup
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##install -d -m 0755 /etc/opendkim
|
||
##install -d -m 0750 /etc/opendkim/keys
|
||
##chown -R opendkim:opendkim /etc/opendkim
|
||
##chmod 750 /etc/opendkim/keys
|
||
##
|
||
### Trusted Hosts (wer signieren darf)
|
||
##cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
##127.0.0.1
|
||
##::1
|
||
##localhost
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
##chmod 640 /etc/opendkim/TrustedHosts
|
||
##
|
||
### Key-/Signing-Tabellen
|
||
##KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
|
||
##KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
##install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
##
|
||
### Optional: Key erzeugen, falls gewünscht und nicht vorhanden
|
||
##if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
|
||
## if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
## opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
|
||
## chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
## chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
## fi
|
||
##fi
|
||
##
|
||
### KeyTable
|
||
##cat >/etc/opendkim/KeyTable <<CONF
|
||
##${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
##chmod 640 /etc/opendkim/KeyTable
|
||
##
|
||
### SigningTable
|
||
##cat >/etc/opendkim/SigningTable <<CONF
|
||
##*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
|
||
##CONF
|
||
##chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
##chmod 640 /etc/opendkim/SigningTable
|
||
##
|
||
### Hauptkonfiguration
|
||
##cat >/etc/opendkim.conf <<'CONF'
|
||
##Syslog yes
|
||
##UMask 002
|
||
##Mode sv
|
||
##Socket inet:8891@127.0.0.1
|
||
##Canonicalization relaxed/simple
|
||
##
|
||
##On-BadSignature accept
|
||
##On-Default accept
|
||
##On-KeyNotFound accept
|
||
##On-NoSignature accept
|
||
##
|
||
##LogWhy yes
|
||
##OversignHeaders From
|
||
##
|
||
##KeyTable /etc/opendkim/KeyTable
|
||
##SigningTable refile:/etc/opendkim/SigningTable
|
||
##ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
##InternalHosts /etc/opendkim/TrustedHosts
|
||
##
|
||
##UserID opendkim:opendkim
|
||
##AutoRestart yes
|
||
##AutoRestartRate 10/1h
|
||
##Background yes
|
||
##DNSTimeout 5
|
||
##SignatureAlgorithm rsa-sha256
|
||
##CONF
|
||
##
|
||
##systemctl enable --now opendkim || true
|
||
##systemctl restart opendkim || true
|
||
##systemctl restart rspamd || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Postfix: Milter-Anbindung (nur setzen, wenn leer)
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##need_set() {
|
||
## local key="$1"
|
||
## local cur
|
||
## cur="$(postconf -h "$key" 2>/dev/null || true)"
|
||
## [[ -z "$cur" ]]
|
||
##}
|
||
##
|
||
##if need_set smtpd_milters; then
|
||
## /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
##fi
|
||
##if need_set non_smtpd_milters; then
|
||
## /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
##fi
|
||
##
|
||
##systemctl reload postfix || true
|
||
##
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
### Hinweis
|
||
### ──────────────────────────────────────────────────────────────────────────────
|
||
##if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
## echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
|
||
## echo " - Lege dort den Private Key ab (opendkim:opendkim, 600) ODER"
|
||
## echo " - setze DKIM_GENERATE=1 und starte dieses Skript erneut."
|
||
##fi
|
||
##
|
||
##echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
|
||
##
|
||
####!/usr/bin/env bash
|
||
###set -euo pipefail
|
||
###source ./lib.sh
|
||
###
|
||
###log "Rspamd + OpenDKIM einrichten …"
|
||
###
|
||
#### ---------------------------
|
||
#### Variablen / Defaults
|
||
#### ---------------------------
|
||
#### Installer-Variablen laden, falls vorhanden
|
||
###set +u
|
||
###[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
|
||
###set -u
|
||
###
|
||
###BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
|
||
###DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
|
||
###DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = Key erzeugen, falls fehlt
|
||
###RSPAMD_CONTROLLER_PASSWORD="${RSPAMD_CONTROLLER_PASSWORD:-admin}"
|
||
###
|
||
#### ---------------------------
|
||
#### Rspamd: Controller + Milter
|
||
#### ---------------------------
|
||
###install -d -m 0755 /etc/rspamd/local.d
|
||
###
|
||
#### Controller-Passwort gehasht schreiben
|
||
###if command -v rspamadm >/dev/null 2>&1; then
|
||
### RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
|
||
###else
|
||
### # Fallback: falls rspamadm noch nicht verfügbar ist (sollte selten sein)
|
||
### # schreibe Klartext, damit Rspamd danach startbar ist; Hashen kann im nächsten Lauf erfolgen.
|
||
### RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
|
||
###fi
|
||
###
|
||
###cat >/etc/rspamd/local.d/worker-controller.inc <<CONF
|
||
###password = "${RSPAMD_HASH}";
|
||
###bind_socket = "127.0.0.1:11334";
|
||
###CONF
|
||
###
|
||
#### Normal-Worker (Milter-Port für Postfix)
|
||
###cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
|
||
###bind_socket = "127.0.0.1:11332";
|
||
###CONF
|
||
###
|
||
#### Authentication-Results Header schreiben (praktisch zum Debuggen)
|
||
###cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
|
||
###use = ["authentication-results"];
|
||
###header = "Authentication-Results";
|
||
###CONF
|
||
###
|
||
###systemctl enable --now rspamd || true
|
||
###
|
||
#### ---------------------------
|
||
#### OpenDKIM Grund-Setup
|
||
#### ---------------------------
|
||
###install -d -m 0755 /etc/opendkim
|
||
###install -d -m 0750 /etc/opendkim/keys
|
||
###chown -R opendkim:opendkim /etc/opendkim
|
||
###chmod 750 /etc/opendkim/keys
|
||
###
|
||
#### TrustedHosts (wer signieren darf)
|
||
###cat >/etc/opendkim/TrustedHosts <<'CONF'
|
||
###127.0.0.1
|
||
###::1
|
||
###localhost
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/TrustedHosts
|
||
###chmod 640 /etc/opendkim/TrustedHosts
|
||
###
|
||
#### Key-/Signing-Tabellen vorbereiten
|
||
###KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
|
||
###KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
|
||
###
|
||
###install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
|
||
###
|
||
#### Falls gewünscht: fehlenden Key erzeugen
|
||
###if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
|
||
### if command -v opendkim-genkey >/dev/null 2>&1; then
|
||
### opendkim-genkey -b 2048 -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
|
||
### # opendkim legt .private und .txt an (Selector.*)
|
||
### chown opendkim:opendkim "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
### chmod 600 "${KEY_DIR}/${DKIM_SELECTOR}.private" || true
|
||
### fi
|
||
###fi
|
||
###
|
||
#### KeyTable (Selector → Keydatei)
|
||
###cat >/etc/opendkim/KeyTable <<CONF
|
||
###${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/KeyTable
|
||
###chmod 640 /etc/opendkim/KeyTable
|
||
###
|
||
#### SigningTable (welche From:-Domains werden womit signiert)
|
||
###cat >/etc/opendkim/SigningTable <<CONF
|
||
###*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
|
||
###CONF
|
||
###chown opendkim:opendkim /etc/opendkim/SigningTable
|
||
###chmod 640 /etc/opendkim/SigningTable
|
||
###
|
||
#### Hauptkonfiguration
|
||
###cat >/etc/opendkim.conf <<'CONF'
|
||
###Syslog yes
|
||
###UMask 002
|
||
###Mode sv
|
||
###Socket inet:8891@127.0.0.1
|
||
###Canonicalization relaxed/simple
|
||
###
|
||
#### Nicht blockieren, wenn mal was fehlt
|
||
###On-BadSignature accept
|
||
###On-Default accept
|
||
###On-KeyNotFound accept
|
||
###On-NoSignature accept
|
||
###
|
||
###LogWhy yes
|
||
###OversignHeaders From
|
||
###
|
||
#### Tabellen/Listen
|
||
###KeyTable /etc/opendkim/KeyTable
|
||
###SigningTable refile:/etc/opendkim/SigningTable
|
||
###ExternalIgnoreList /etc/opendkim/TrustedHosts
|
||
###InternalHosts /etc/opendkim/TrustedHosts
|
||
###
|
||
###UserID opendkim:opendkim
|
||
###AutoRestart yes
|
||
###AutoRestartRate 10/1h
|
||
###Background yes
|
||
###DNSTimeout 5
|
||
###SignatureAlgorithm rsa-sha256
|
||
###CONF
|
||
###
|
||
###systemctl enable --now opendkim || true
|
||
###systemctl restart opendkim || true
|
||
###systemctl restart rspamd || true
|
||
###
|
||
#### ---------------------------
|
||
#### Postfix: Milter-Anbindung prüfen/setzen (nur ergänzen, nicht zerstören)
|
||
#### ---------------------------
|
||
#### Diese Werte setzt dein Postfix-Skript normalerweise bereits.
|
||
#### Hier nur als Absicherung, falls noch leer.
|
||
###need_set() {
|
||
### local key="$1"
|
||
### local cur
|
||
### cur="$(postconf -h "$key" 2>/dev/null || true)"
|
||
### [[ -z "$cur" ]]
|
||
###}
|
||
###
|
||
###if need_set smtpd_milters; then
|
||
### /usr/sbin/postconf -e "smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
###fi
|
||
###if need_set non_smtpd_milters; then
|
||
### /usr/sbin/postconf -e "non_smtpd_milters = inet:127.0.0.1:11332, inet:127.0.0.1:8891"
|
||
###fi
|
||
###
|
||
###systemctl reload postfix || true
|
||
###
|
||
#### ---------------------------
|
||
#### Hinweise (einmalig, nicht kritisch)
|
||
#### ---------------------------
|
||
###if [[ ! -s "${KEY_PRIV}" ]]; then
|
||
### echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
|
||
### echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
|
||
### echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASIS_DOMAIN an."
|
||
### echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
|
||
###fi
|
||
###
|
||
###echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."
|
||
###
|
||
#####!/usr/bin/env bash
|
||
####set -euo pipefail
|
||
####source ./lib.sh
|
||
####
|
||
####log "Rspamd + OpenDKIM …"
|
||
####
|
||
####cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
|
||
####password = "admin";
|
||
####bind_socket = "127.0.0.1:11334";
|
||
####CONF
|
||
####systemctl enable --now rspamd || true
|
||
####
|
||
####cat > /etc/opendkim.conf <<'CONF'
|
||
####Syslog yes
|
||
####UMask 002
|
||
####Mode sv
|
||
####Socket inet:8891@127.0.0.1
|
||
####Canonicalization relaxed/simple
|
||
####On-BadSignature accept
|
||
####On-Default accept
|
||
####On-KeyNotFound accept
|
||
####On-NoSignature accept
|
||
####LogWhy yes
|
||
####OversignHeaders From
|
||
####CONF
|
||
####systemctl enable --now opendkim || true
|