boban
/
mailwolt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
mailwolt/app/Services/TlsaService.php

188 lines
6.1 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<?php
namespace App\Services;
use App\Models\Domain;
use App\Models\TlsaRecord;
class TlsaService
{
public function resolveMxHost(): string
{
$base = env('BASE_DOMAIN', 'example.com');
$sub = env('MTA_SUB', 'mx') ?: 'mx';
return "{$sub}.{$base}";
}
public function computeHashFromCert(string $host): ?string
{
$certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
if (!is_file($certPath)) return null;
$cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
. " | openssl pkey -pubin -outform DER"
. " | openssl dgst -sha256";
$out = shell_exec($cmd.' 2>/dev/null') ?? '';
$hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
return $hash !== '' ? $hash : null;
}
/**
* Schreibt/aktualisiert TLSA (3 1 1) für den MX-Host in DB
* und legt zusätzlich /etc/mailwolt/dns/<host>.tlsa.txt ab.
*/
public function refreshForServerDomain(Domain $serverDomain, string $service = '_25._tcp'): ?TlsaRecord
{
$host = $this->resolveMxHost();
$hash = $this->computeHashFromCert($host);
if (!$hash) {
return null; // Zert (noch) nicht vorhanden
}
$certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
$rec = TlsaRecord::updateOrCreate(
['domain_id' => $serverDomain->id, 'host' => $host, 'service' => $service],
[
'usage' => 3, // DANE-EE
'selector' => 1, // SPKI
'matching' => 1, // SHA-256
'hash' => $hash,
'cert_path' => $certPath,
]
);
// Optional: TXT-Datei für Export/Debug
@mkdir('/etc/mailwolt/dns', 0755, true);
$line = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);
@file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
return $rec;
}
}
//class TlsaService
//{
// public function resolveMtaHost(): string
// {
// $base = env('BASE_DOMAIN', 'example.com');
// $sub = env('MTA_SUB', 'mx') ?: 'mx';
// return "{$sub}.{$base}";
// }
//
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) return null;
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $this->resolveMtaHost();
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// $hash = $this->computeHashFromCert($host);
// if (!$hash) return null;
//
// // DB upsert (global, domain_id = null)
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => null, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // Datei nur aktualisieren, wenn sich der Hash ändert
// @mkdir('/etc/mailwolt/dns', 0755, true);
// $file = "/etc/mailwolt/dns/{$host}.tlsa.txt";
// $newLine = sprintf('%s.%s IN TLSA %d %d %d %s', $service, $host, 3, 1, 1, $hash);
//
// $needWrite = true;
// if (is_file($file)) {
// $current = trim((string)file_get_contents($file));
// if ($current === $newLine) {
// $needWrite = false;
// }
// }
// if ($needWrite) {
// file_put_contents($file, $newLine."\n");
// }
//
// return $rec;
// }
//}
//
//----
//
//namespace App\Services;
//
//use App\Models\TlsaRecord;
//
//class TlsaService
//{
// public function resolveMtaHost(): string
// {
// $base = env('BASE_DOMAIN', 'example.com');
// $sub = env('MTA_SUB', 'mx') ?: 'mx';
// return "{$sub}.{$base}";
// }
//
// public function computeHashFromCert(string $host): ?string
// {
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// if (!is_file($certPath)) return null;
//
// $cmd = "openssl x509 -in ".escapeshellarg($certPath)." -noout -pubkey"
// . " | openssl pkey -pubin -outform DER"
// . " | openssl dgst -sha256";
// $out = shell_exec($cmd.' 2>/dev/null') ?? '';
// $hash = preg_replace('/^SHA256\(stdin\)=\s*/', '', trim($out));
// return $hash !== '' ? $hash : null;
// }
//
// /**
// * Schreibt/aktualisiert TLSA in DB (global) + Datei unter /etc/mailwolt/dns/.
// * Wir speichern ohne domain_id (global, nur pro Host/Service).
// */
// public function refreshForMx(string $service = '_25._tcp'): ?TlsaRecord
// {
// $host = $this->resolveMtaHost();
// $certPath = "/etc/letsencrypt/live/{$host}/fullchain.pem";
// $hash = $this->computeHashFromCert($host);
// if (!$hash) return null;
//
// // DB upsert (domain_id = null → globaler Eintrag)
// $rec = TlsaRecord::updateOrCreate(
// ['domain_id' => null, 'host' => $host, 'service' => $service],
// [
// 'usage' => 3, // DANE-EE
// 'selector' => 1, // SPKI
// 'matching' => 1, // SHA-256
// 'hash' => $hash,
// 'cert_path' => $certPath,
// ]
// );
//
// // Datei schreiben (für externen DNS-Export etc.)
// @mkdir('/etc/mailwolt/dns', 0755, true);
// $line = sprintf('%s.%s IN TLSA %d %d %d %s',
// $service, $host, 3, 1, 1, $hash);
// file_put_contents("/etc/mailwolt/dns/{$host}.tlsa.txt", $line."\n");
//
// return $rec;
// }
//}
Reference in New Issue View Git Blame Copy Permalink