boban
/
mailwolt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mailwolt/app/Services/TlsaService.php

323 lines
11 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<?php
namespace App\Services;
use App\Models\Domain;
use App\Models\TlsaRecord;
class TlsaService
{
public function resolveMxHost(): string
{
$base = env('BASE_DOMAIN', 'example.com');
$sub = env('MTA_SUB', 'mx') ?: 'mx';
return "{$sub}.{$base}";
}
private function certCandidates(string $host): array
{
// bevorzugt die vom Deploy-Hook gesetzten, lesbaren Symlinks
$candidates = [
'/etc/ssl/mail/fullchain.pem', // MX
"/etc/letsencrypt/live/{$host}/fullchain.pem", // Fallback
];
return $candidates;
}
public function refreshForMx(string $service = '_25._tcp'): ?\App\Models\TlsaRecord
{
$host = $this->resolveMxHost();
// bevorzugt die als Server markierte Domain
$serverDomain = \App\Models\Domain::where('is_server', true)->first();
// Fallback: Domain über FQDN (mx.<BASE_DOMAIN>) finden
if (!$serverDomain) {
$serverDomain = \App\Models\Domain::where('domain', $host)->first();
}
if (!$serverDomain) {
// Keine passende Domain in der DB → nichts tun
return null;
}
return $this->refreshForServerDomain($serverDomain, $service);
}
private function firstReadableCert(string $host): ?string
{
foreach ($this->certCandidates($host) as $path) {
if (is_file($path) && is_readable($path)) {
return $path;
}
}
return null;
}
public function computeHashFromCert(string $host): ?string
{
$certPath = $this->firstReadableCert($host);
if (!$certPath) return null;
$cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
. " | openssl pkey -pubin -outform DER"
. " | openssl dgst -sha256";
$out = shell_exec($cmd.' 2>/dev/null') ?? '';
$hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
return $hash !== '' ? $hash : null;
}
public function refreshForServerDomain(Domain $serverDomain, string $service = '_25._tcp'): ?TlsaRecord
{
$host = $this->resolveMxHost();
$hash = $this->computeHashFromCert($host);
if (!$hash) return null;
$certPath = $this->firstReadableCert($host) ?? '';
$rec = TlsaRecord::updateOrCreate(
['domain_id' => $serverDomain->id, 'host' => $host, 'service' => $service],
[
'usage' => 3,
'selector' => 1,
'matching' => 1,
'hash' => $hash,
'cert_path' => $certPath,
]
);
@mkdir('/etc/mailwolt/dns', 0755, true);
$line = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);
@file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
return $rec;
}
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) {
// // optional: Log für Debug
// logger()->warning("TLSA: Zertifikat nicht gefunden", ['path' => $certPath]);
// return null;
// }
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// /**
// * TLSA (3 1 1) für den MX-Host der übergebenen Domain erzeugen/aktualisieren.
// * Host kommt DIREKT aus $serverDomain->domain, nicht aus ENV.
// */
// public function refreshForServerDomain(Domain $serverDomain, string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $serverDomain->domain; // <— wichtig: Domain-Objekt statt ENV
// $hash = $this->computeHashFromCert($host);
// if (!$hash) {
// return null; // Zert (noch) nicht vorhanden
// }
//
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
//
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => $serverDomain->id, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // optional: Datei für Export/Debug
// @mkdir('/etc/mailwolt/dns', 0755, true);
// @file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", sprintf('%s.%s IN TLSA 3 1 1 %s', $service, $host, $hash)."\n");
//
// return $rec;
// }
// public function resolveMxHost(): string
// {
// $base = env('BASE_DOMAIN', 'example.com');
// $sub = env('MTA_SUB', 'mx') ?: 'mx';
// return "{$sub}.{$base}";
// }
//
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) return null;
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// /**
// * Schreibt/aktualisiert TLSA (3 1 1) für den MX-Host in DB
// * und legt zusätzlich /etc/mailwolt/dns/<host>.tlsa.txt ab.
// */
// public function refreshForServerDomain(Domain $serverDomain, string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $this->resolveMxHost();
// $hash = $this->computeHashFromCert($host);
// if (!$hash) {
// return null; // Zert (noch) nicht vorhanden
// }
//
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
//
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => $serverDomain->id, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // Optional: TXT-Datei für Export/Debug
// @mkdir('/etc/mailwolt/dns', 0755, true);
// $line = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);
// @file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
//
// return $rec;
// }
}
//class TlsaService
//{
// public function resolveMtaHost(): string
// {
// $base = env('BASE_DOMAIN', 'example.com');
// $sub = env('MTA_SUB', 'mx') ?: 'mx';
// return "{$sub}.{$base}";
// }
//
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) return null;
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $this->resolveMtaHost();
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// $hash = $this->computeHashFromCert($host);
// if (!$hash) return null;
//
// // DB upsert (global, domain_id = null)
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => null, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // Datei nur aktualisieren, wenn sich der Hash ändert
// @mkdir('/etc/mailwolt/dns', 0755, true);
// $file = "/etc/mailwolt/dns/{$host}.tlsa.txt";
// $newLine = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);
//
// $needWrite = true;
// if (is_file($file)) {
// $current = trim((string)file_get_contents($file));
// if ($current === $newLine) {
// $needWrite = false;
// }
// }
// if ($needWrite) {
// file_put_contents($file, $newLine."\n");
// }
//
// return $rec;
// }
//}
//
//----
//
//namespace App\Services;
//
//use App\Models\TlsaRecord;
//
//class TlsaService
//{
// public function resolveMtaHost(): string
// {
// $base = env('BASE_DOMAIN', 'example.com');
// $sub = env('MTA_SUB', 'mx') ?: 'mx';
// return "{$sub}.{$base}";
// }
//
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) return null;
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// /**
// * Schreibt/aktualisiert TLSA in DB (global) + Datei unter /etc/mailwolt/dns/.
// * Wir speichern ohne domain_id (global, nur pro Host/Service).
// */
// public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $this->resolveMtaHost();
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// $hash = $this->computeHashFromCert($host);
// if (!$hash) return null;
//
// // DB upsert (domain_id = null → globaler Eintrag)
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => null, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // Datei schreiben (für externen DNS-Export etc.)
// @mkdir('/etc/mailwolt/dns', 0755, true);
// $line = sprintf('%s.%s IN TLSA %d %d %d %s',
// $service, $host, 3, 1, 1, $hash);
// file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
//
// return $rec;
// }
//}
Reference in New Issue View Git Blame Copy Permalink