
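#!/usr/bin/env bash
# 60-rspamd-opendkim.sh — configure Rspamd (controller + normal worker) and
# OpenDKIM, then wire both into Postfix as milters on loopback.
#
# Optional inputs (environment or /etc/mailwolt/installer.env):
#   BASE_DOMAIN                 domain whose mail gets DKIM-signed (default: example.com)
#   DKIM_SELECTOR               DKIM selector (default: mwl1)
#   DKIM_GENERATE               1 = create the private key when it is missing (default: 0)
#   RSPAMD_CONTROLLER_PASSWORD  password for the Rspamd controller on 127.0.0.1:11334;
#                               generated and persisted when not provided (see below)
set -euo pipefail
source ./lib.sh
# `log` is presumably provided by lib.sh (sourced above).
log "Rspamd + OpenDKIM einrichten …"
# ---------------------------
# Variables / defaults
# ---------------------------
# Load installer variables if present. The env file may reference variables that
# are not set yet, so -u is relaxed only around the source.
set +u
[ -r /etc/mailwolt/installer.env ] && . /etc/mailwolt/installer.env
set -u
BASE_DOMAIN="${BASE_DOMAIN:-example.com}"
DKIM_SELECTOR="${DKIM_SELECTOR:-mwl1}"
DKIM_GENERATE="${DKIM_GENERATE:-0}" # 1 = generate the key if it is missing

# Both values are used to build file system paths
# (/etc/opendkim/keys/<domain>/<selector>.private) and are interpolated into
# unquoted config heredocs. Restrict them to hostname-safe characters so a value
# containing '/', whitespace or quotes cannot escape the intended path or config.
domain_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
selector_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
if [[ ! "${BASE_DOMAIN}" =~ $domain_re ]]; then
  printf '[x] BASE_DOMAIN ist kein gültiger Hostname: %q\n' "${BASE_DOMAIN}" >&2
  exit 1
fi
if [[ ! "${DKIM_SELECTOR}" =~ $selector_re ]]; then
  printf '[x] DKIM_SELECTOR enthält ungültige Zeichen: %q\n' "${DKIM_SELECTOR}" >&2
  exit 1
fi

# Rspamd controller password. The former default "admin" was identical on every
# install. Now, when neither the environment nor installer.env provides one, a
# random password is generated once and stored root-only so later runs reuse it
# and the operator can look it up. A value from the environment always wins.
RSPAMD_PASS_FILE="/etc/mailwolt/rspamd-controller.password"
if [[ -z "${RSPAMD_CONTROLLER_PASSWORD:-}" && -s "${RSPAMD_PASS_FILE}" ]]; then
  RSPAMD_CONTROLLER_PASSWORD="$(<"${RSPAMD_PASS_FILE}")"
fi
if [[ -z "${RSPAMD_CONTROLLER_PASSWORD:-}" ]]; then
  # head reads a fixed byte count, so no pipeline stage dies of SIGPIPE under pipefail.
  RSPAMD_CONTROLLER_PASSWORD="$(head -c 32 /dev/urandom | base64 | tr -d '/+=\n')"
  [[ -d /etc/mailwolt ]] || install -d -m 0750 /etc/mailwolt
  (umask 077; printf '%s\n' "${RSPAMD_CONTROLLER_PASSWORD}" >"${RSPAMD_PASS_FILE}")
  chmod 0600 "${RSPAMD_PASS_FILE}"
  echo "[i] Rspamd-Controller-Passwort erzeugt und unter ${RSPAMD_PASS_FILE} abgelegt (root, Mode 600)."
fi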
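# ---------------------------
# Rspamd: controller + milter
# ---------------------------
install -d -m 0755 /etc/rspamd/local.d

# Group allowed to read the controller config. Debian/Ubuntu packages run
# rspamd as _rspamd, other packagings use rspamd; fall back to root-only when
# neither group exists. NOTE(review): verify against the target distribution.
rspamd_grp="root"
for g in _rspamd rspamd; do
  if getent group "$g" >/dev/null 2>&1; then
    rspamd_grp="$g"
    break
  fi
done

# Hash the controller password. The hash (or, in the fallback, the cleartext
# password) ends up in a config file, so that file must not be world-readable —
# a plain `cat >` would create it with the ambient umask (typically 0644).
if command -v rspamadm >/dev/null 2>&1; then
  # NOTE: `rspamadm pw -p` receives the password on argv, which is visible in
  # the process list for the short lifetime of the process.
  RSPAMD_HASH="$(rspamadm pw -p "${RSPAMD_CONTROLLER_PASSWORD}")"
else
  # Fallback: rspamadm not available yet (should be rare). Keep the cleartext
  # password so Rspamd can start; the next run replaces it with a hash.
  echo "[!] rspamadm nicht gefunden – Controller-Passwort wird vorerst im Klartext gespeichert." >&2
  RSPAMD_HASH="${RSPAMD_CONTROLLER_PASSWORD}"
fi
# Stage in a 0600 temp file and install with the final owner/mode in one step,
# so the secret is never exposed with a permissive mode in between.
ctrl_tmp="$(mktemp)"
cat >"${ctrl_tmp}" <<CONF
password = "${RSPAMD_HASH}";
bind_socket = "127.0.0.1:11334";
CONF
install -m 0640 -o root -g "${rspamd_grp}" "${ctrl_tmp}" /etc/rspamd/local.d/worker-controller.inc
rm -f -- "${ctrl_tmp}"
# Normal worker (milter port for Postfix); loopback only
cat >/etc/rspamd/local.d/worker-normal.inc <<'CONF'
bind_socket = "127.0.0.1:11332";
CONF
# Emit an Authentication-Results header (handy for debugging)
cat >/etc/rspamd/local.d/milter_headers.conf <<'CONF'
use = ["authentication-results"];
header = "Authentication-Results";
CONF
# Best-effort: the package may not be installed yet in this installer phase.
systemctl enable --now rspamd || true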
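# ---------------------------
# OpenDKIM base setup
# ---------------------------
#######################################
# Set owner (opendkim:opendkim) and mode of one OpenDKIM file.
# Arguments: $1 - octal mode, $2 - path
# Returns:   non-zero (fatal under set -e) if chown/chmod fails: a key or table
#            OpenDKIM cannot read means outbound mail silently goes out unsigned.
#######################################
dkim_own() {
  local mode="$1"
  local path="$2"
  chown opendkim:opendkim -- "${path}"
  chmod "${mode}" -- "${path}"
}
install -d -m 0755 /etc/opendkim
install -d -m 0750 /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod 750 /etc/opendkim/keys
# TrustedHosts: referenced below as InternalHosts (mail from these hosts is
# signed) and ExternalIgnoreList. Keep it to loopback so only Postfix on this
# machine can obtain signatures for BASE_DOMAIN.
cat >/etc/opendkim/TrustedHosts <<'CONF'
127.0.0.1
::1
localhost
CONF
dkim_own 640 /etc/opendkim/TrustedHosts
# Key/signing tables
DKIM_KEY_BITS="${DKIM_KEY_BITS:-2048}" # RSA key size for generated keys
if [[ ! "${DKIM_KEY_BITS}" =~ ^[0-9]+$ ]]; then
  echo "[x] DKIM_KEY_BITS muss eine Zahl sein: ${DKIM_KEY_BITS}" >&2
  exit 1
fi
KEY_DIR="/etc/opendkim/keys/${BASE_DOMAIN}"
KEY_PRIV="${KEY_DIR}/${DKIM_SELECTOR}.private"
install -d -m 0750 -o opendkim -g opendkim "${KEY_DIR}"
# Generate the key on request when none exists yet
if [[ "${DKIM_GENERATE}" = "1" && ! -s "${KEY_PRIV}" ]]; then
  if command -v opendkim-genkey >/dev/null 2>&1; then
    # Writes <selector>.private (key) and <selector>.txt (DNS TXT record) into KEY_DIR
    opendkim-genkey -b "${DKIM_KEY_BITS}" -s "${DKIM_SELECTOR}" -d "${BASE_DOMAIN}" -D "${KEY_DIR}"
    # Previously `|| true`; a private key OpenDKIM cannot read must not pass silently.
    dkim_own 600 "${KEY_PRIV}"
  else
    echo "[!] opendkim-genkey nicht gefunden – DKIM-Key konnte nicht erzeugt werden." >&2
  fi
fi
# KeyTable (selector → key file)
cat >/etc/opendkim/KeyTable <<CONF
${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN} ${BASE_DOMAIN}:${DKIM_SELECTOR}:${KEY_PRIV}
CONF
dkim_own 640 /etc/opendkim/KeyTable
# SigningTable (which From: domains are signed with which key)
cat >/etc/opendkim/SigningTable <<CONF
*@${BASE_DOMAIN} ${DKIM_SELECTOR}._domainkey.${BASE_DOMAIN}
CONF
dkim_own 640 /etc/opendkim/SigningTable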
# Main configuration
# The heredoc delimiter is quoted ('CONF'), so nothing inside expands; the `#`
# lines inside it are written to /etc/opendkim.conf as OpenDKIM comments.
# Fail-open by design: every On-* action is `accept`, so a bad or missing
# signature on inbound mail is logged (LogWhy) but never rejected here.
# Mode sv: sign (mail from InternalHosts) and verify (everything else) — see opendkim.conf(5).
# Socket inet:8891@127.0.0.1 is the milter endpoint Postfix is pointed at
# further below; loopback only, so no other host can request signatures.
# InternalHosts and ExternalIgnoreList both use TrustedHosts (loopback entries only).
# NOTE(review): UMask 002 makes files OpenDKIM creates group-writable; presumably
# only relevant for a UNIX socket/PID file and not for the inet socket — verify.
cat >/etc/opendkim.conf <<'CONF'
Syslog yes
UMask 002
Mode sv
Socket inet:8891@127.0.0.1
Canonicalization relaxed/simple
# Nicht blockieren, wenn mal was fehlt
On-BadSignature accept
On-Default accept
On-KeyNotFound accept
On-NoSignature accept
LogWhy yes
OversignHeaders From
# Tabellen/Listen
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
UserID opendkim:opendkim
AutoRestart yes
AutoRestartRate 10/1h
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
CONF
# `enable --now` alone would presumably leave an already-running instance on its
# old config, hence the explicit restarts. All three are best-effort (|| true)
# because the packages may not be installed yet in this installer phase.
systemctl enable --now opendkim || true
systemctl restart opendkim || true
systemctl restart rspamd || true
# ---------------------------
# Postfix: check/set milter wiring (only add, never clobber)
# ---------------------------
# The Postfix script normally sets these already; this is only a safety net
# for the case where they are still empty.
#######################################
# Report whether a Postfix main.cf parameter is still empty.
# Arguments: $1 - parameter name
# Returns:   0 when `postconf -h` prints nothing for it (including when
#            postconf fails or is missing), 1 when it already has a value
#######################################
need_set() {
  local param="$1"
  local value
  # postconf's exit status is deliberately ignored; only its stdout matters.
  value="$(postconf -h "${param}" 2>/dev/null)" || :
  [[ ${#value} -eq 0 ]]
}
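# Both milters listen on loopback only (bind_socket 127.0.0.1:11332 for Rspamd,
# Socket inet:8891@127.0.0.1 for OpenDKIM), so milter traffic never leaves the host.
MILTERS="inet:127.0.0.1:11332, inet:127.0.0.1:8891"
for param in smtpd_milters non_smtpd_milters; do
  if need_set "${param}"; then
    /usr/sbin/postconf -e "${param} = ${MILTERS}"
  else
    # An existing value is left untouched; warn when it does not reference both
    # milters, otherwise the final "angebunden" message would be misleading.
    cur="$(/usr/sbin/postconf -h "${param}" 2>/dev/null || true)"
    if [[ "${cur}" != *11332* || "${cur}" != *8891* ]]; then
      echo "[!] Postfix: ${param} ist bereits gesetzt (\"${cur}\") und enthält nicht beide Milter (11332, 8891) – bitte prüfen." >&2
    fi
  fi
done
# Best-effort: Postfix may not be installed or running yet in this phase.
systemctl reload postfix || true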
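# ---------------------------
# Hints (informational, non-fatal)
# ---------------------------
KEY_TXT="${KEY_DIR}/${DKIM_SELECTOR}.txt"
if [[ ! -s "${KEY_PRIV}" ]]; then
  # Without the private key OpenDKIM has nothing to sign with; mail still flows
  # (all On-* actions are accept) but leaves the host unsigned. Warnings go to stderr.
  {
    echo "[!] OpenDKIM: Kein Private Key gefunden unter: ${KEY_PRIV}"
    echo " - Wenn deine App die Keys verwaltet, lege die Private-Key-Datei genau dort ab"
    # Fixed: the variable is BASE_DOMAIN, the old message said BASIS_DOMAIN.
    echo " (Owner: opendkim:opendkim, Mode: 600) und passe ggf. DKIM_SELECTOR/BASE_DOMAIN an."
    echo " - Oder setze DKIM_GENERATE=1 und starte dieses Skript erneut, um einen Key zu erzeugen."
  } >&2
elif [[ -s "${KEY_TXT}" ]]; then
  # opendkim-genkey leaves the public key as a ready-made TXT record next to the
  # private key; signatures only validate once that record is published in DNS.
  echo "[i] DKIM-DNS-Record (TXT) zum Veröffentlichen: ${KEY_TXT}"
fi
echo "[✓] Rspamd + OpenDKIM fertig. Postfix ist an Rspamd (11332) und OpenDKIM (8891) angebunden."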
# --- Previous, superseded version of this script (kept commented out for reference; note it used a fixed cleartext controller password) ---
##!/usr/bin/env bash
#set -euo pipefail
#source ./lib.sh
#
#log "Rspamd + OpenDKIM …"
#
#cat > /etc/rspamd/local.d/worker-controller.inc <<'CONF'
#password = "admin";
#bind_socket = "127.0.0.1:11334";
#CONF
#systemctl enable --now rspamd || true
#
#cat > /etc/opendkim.conf <<'CONF'
#Syslog yes
#UMask 002
#Mode sv
#Socket inet:8891@127.0.0.1
#Canonicalization relaxed/simple
#On-BadSignature accept
#On-Default accept
#On-KeyNotFound accept
#On-NoSignature accept
#LogWhy yes
#OversignHeaders From
#CONF
#systemctl enable --now opendkim || true