
Added src code

root 6 years ago
parent
commit
2403e41db5
2 changed files with 226 additions and 1 deletions
  1. 69 1
      README.md
  2. 157 0
      opendkim-signer

+ 69 - 1
README.md

@@ -1,3 +1,71 @@
 # opendkim-setter
 
-Generate and maintain DKIM-keys for domains on your setup. This setup relies on the same structure as for dnssec-signer (see: https://git.giaever.org/joachimmg/dnssec-signer)
+Generate and maintain DKIM-keys for domains on your setup. This setup relies on the same structure as for [dnssec-signer](see: https://git.giaever.org/joachimmg/dnssec-signer)
+
+
+# Configuration and installation
+
+Please see the `dnssec-signer`-tool, as this is very similar.
+
+This is a basic configuration that can easily be adapted to suit a standard setup
+
+## Configuration files
+
+Please read them carefully, and read up on OpenDKIM before you continue, so you understand whats going on. This isn't a tutorial.
+
+## FILE: /etc/opendkim.conf
+```
+# Comments remove, read file you got when installing opendkim
+
+# Log to syslog
+Syslog			yes
+# For debugging purpose
+# LogWhy			true
+
+UMask			002
+UserID			opendkim
+
+# Map domains in From addresses to keys used to sign messages
+SigningTable		refile:/etc/opendkim/signing.table
+KeyTable 		/etc/opendkim/key.table
+
+# Host to ignore when verifying signatures
+ExternalIgnoreList	/etc/opendkim/trusted.hosts
+InternalHosts		/etc/opendkim/trusted.hosts
+
+# Commonly-used options;
+Canonicalization	relaxed/simple
+Mode			sv
+SubDomains		yes
+
+AutoRestart		yes
+AutoRestartRate		10/1M
+Background		yes
+
+DNSTimeout		5
+SignatureAlgorithm	rsa-sha256
+
+OversignHeaders		From
+```
+
+### FILE: /etc/opendkim/signing.table
+```
+*@domain.tld		domain.tld
+*@domain2.tld		domain2.tld
+```
+
+### FILE: /etc/opendkim/key.table
+```
+domain.tld 		domain.tld:DDMMYY:/etc/opendkim/keys/domain.tld/DDMMYY.private
+domain2.tld		domain2.tld:DDMMYY:/etc/opendkim/keys/domain2.tld/DDMMYY.private
+```
+
+### FILE: /etc/opendkim/trusted.hosts
+```
+127.0.0.1
+::1
+localhost
+domain.tld
+mail.domain.tld
+```
+Possibly add more domains here, if you are sending through multiple hosts. For my case, every domain sends through `mail.domain.tld`.

+ 157 - 0
opendkim-signer

@@ -0,0 +1,157 @@
+#!/usr/bin/env bash
+
+#####################################################
+# This script require the following DNS SETUP!!!!
+# SEE:
+# https://git.giaever.org/joachimmg/dnssec-signer)
+#
+# USAGE: 
+#
+# 1. Make `opendkim-setter` executable:
+# 	chmod +x /path/to/opendkim-setter
+# 
+# 2. Run:
+# 	./path/to/opendkim-setter <domain.tld>
+# 3. Or for every domain already signed by OpenDKIM
+# 	./path/to/opendkim-setter
+#
+######################################################
+
+SELF="$(basename ${0})"
+
+######################################################
+# 		  START OF CONFIG		     #
+######################################################
+# SET YOU SYSTEM SPECIFIC DATA (which systemctl e.g) #
+SELF=$(basename $0)
+
+DKIMUSER="opendkim"
+DKIMGRP="${DKIMUSER}"
+DKIMCONF="/etc/opendkim"
+KEYTABLE="${DKIMCONF}/key.table"
+SIGNTABLE="${DKIMCONF}/signing.table"
+KEYDIR="${DKIMCONF}/keys"
+ZONESDIR="/etc/bind/zones"
+KEYGEN=/usr/bin/opendkim-genkey
+LOGGER=/usr/bin/logger
+LOGGERFLAGN="-t $(whoami) -p daemon.info"
+LOGGERFLAGE="-t $(whoami) -p daemon.err"
+
+RESIGNDNS=1
+DNSTOOL=/usr/bin/dnssec-signer
+
+######################################################
+# 	   	    END OF CONFIG		     #
+######################################################
+
+function error_msg {
+	FOR=${1}
+	ERRMSG="${2}"
+	echo -e "\e[31m[${SELF}:\e[1m${FOR}\e[21m]:\e[0m ${ERRMSG}"
+	${LOGGER} ${LOGGERFLAGE} "[${SELF}:${FOR}]: ${ERRMSG}"
+}
+
+function note_msg {
+	FOR=${1}
+	NOTEMSG="${2}"
+	echo -e "\e[32m[${SELF}:\e[1m${FOR}\e[21m]:\e[0m ${NOTEMSG}"
+	${LOGGER} ${LOGGERFLAGN} "[${SELF}:${FOR}]: ${NOTEMSG}"
+}
+
+if [[ ${EUID} -ne 0 ]]; then
+	error_msg "${USER}" "Must execute file as root."
+	exit 1
+fi
+
+#function remove_signing_table {
+#	grep -v "*@${1} " "${SIGNTABLE}" > "${TMPTBL}" && mv "${TMPTBL}" "${SIGNTABLE}"
+#}
+
+function update_signing_table {
+	grep -q "^*@${1}" "${SIGNTABLE}"
+	if [ $? -ne 0 ]; then
+		note_msg "${1}" "Added to signing table"
+		echo "*@${1} ${1}" >> "${SIGNTABLE}"
+	fi
+}
+
+function update_key_table {
+	grep -q "^${1}" "${KEYTABLE}"
+	if [ $? -eq 0 ]; then
+		note_msg "${1}" "Updated key in key table"
+		sed -i 's,^'"${1}"'[^\n]\+,'"${1}"' '"${1}"':'"${2}"':'"${3}"',' "${KEYTABLE}"
+	else
+		note_msg "${1}" "Added key to key table"
+		echo "${1} ${1}:${2}:${3}" >> "${KEYTABLE}"
+	fi
+}
+
+function dkim {
+	ENTRY="${1}"
+	ENTRYDIR="${KEYDIR}/${ENTRY}"
+	ENTRYZONE="${ZONESDIR}/${ENTRY}/db"
+	DATE=$(date +%Y%m)
+	PRIVATEKEY="${ENTRYDIR}/${DATE}.private"
+	DOMAINKEY="${ENTRYDIR}/${DATE}.txt"
+	note_msg "${ENTRY}" "DKIM Signing"
+
+	if ! [ -w "${ENTRYZONE}" ]; then
+		error_msg "${ENTRY}" "There is not zone file. Abort"
+		return 1
+	fi 
+
+	if ! [ -d "${ENTRYDIR}" ]; then
+		note_msg "${ENTRY}" "Creating directory for entry"
+		mkdir -p "${ENTRYDIR}"
+	fi
+		
+	cd "${ENTRYDIR}"
+
+	${KEYGEN} -b 2048 -h rsa-sha256 -r -s "${DATE}" -d "${ENTRY}" -v
+
+	if [ $? -ne 0 ]; then
+		error_msg "${ENTRY}" "Error generating keys"
+	fi
+
+	KEYCONTENT=$(sed -e 's/h\=rsa-sha256/h\=sha256/' "${DOMAINKEY}" | tr '\n' '\r')
+	ZONE=$(cat "${ENTRYZONE}" | tr '\n' '\r')
+
+	grep -Eq "[0-9]{6}._dom" <<< "${ZONE}"
+	if [ $? -eq 0 ]; then
+		note_msg "${ENTRY}" "Altering DKIM-record in zone file"
+		sed -e 's,[0-9]\{6\}._dom.*\-\+\sDKIM[^\r]\+\r\?\+,'"${KEYCONTENT}"',' <<< "${ZONE}" | tr '\r' '\n' > "${ENTRYZONE}"
+		sed -i '${/^$/d;}' "${ENTRYZONE}"
+	else
+		note_msg "${ENTRY}" "Adding DKIM-record in zone file"
+		echo -e "${ZONE}\r; DKIM for ${DOMAINKEY} start\r${KEYCONTENT}" | tr '\r' '\n' > "${ENTRYZONE}"
+	fi
+
+	update_signing_table "${ENTRY}"
+	update_key_table "${ENTRY}" "${DATE}" "${PRIVATEKEY}"
+	note_msg "${ENTRY}" "Signing successful"
+}
+
+# Collect arguments (zones)
+ENTRIES="${*}"
+IFS=' ', read -r -a ENTRIES <<< "${ENTRIES}"
+
+if [ ${#ENTRIES[@]} -ne 0 ]; then
+	note_msg "${#ENTRIES[@]}" "Start signing"
+	CWDIR=$(pwd)
+	for ENTRY in "${ENTRIES[@]}"; do
+		dkim "${ENTRY}"
+	done
+	cd "${CWDIR}"
+	chown -R "${DKIMUSER}:${DKIMGROUP}" "${DKIMCONF}"
+	chmod -R go-rw "${DKIMCONF}"
+	if [ "${RESIGNDNS}" -eq 1 ]; then
+		${DNSTOOL} "${ENTRIES[@]}"
+	fi
+else
+	for ENTRY in $(cat "${SIGNTABLE}"); do
+		if ! [[ "${ENTRY}" == "*"* ]]; then
+			ENTRIES[${#ENTRIES[@]}]="${ENTRY}"
+		fi
+	done
+	${SELF} "${ENTRIES[@]}"
+fi
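Review bot: A failed key generation at the `${KEYGEN}` call inside `dkim` is logged but not fatal, so the function goes on to read `${DOMAINKEY}`, rewrite the zone file and register a private-key path in the key table that may not exist; the `if [ $? -ne 0 ]` branch after it should `return 1`, and the unchecked `cd "${ENTRYDIR}"` two lines earlier should be `cd "${ENTRYDIR}" || { error_msg "${ENTRY}" "Cannot enter key directory"; return 1; }` so the key is never written to whatever directory the script happened to be started from. The final `chown -R "${DKIMUSER}:${DKIMGROUP}"` references a variable that is never set — the config block defines `DKIMGRP` — so the group argument is empty and the key directory's group ends up at chown's default rather than the configured one. The no-argument branch re-invokes the script through `${SELF}`, which is a basename and therefore resolved via PATH rather than `$0`, and when the signing table yields no domains the empty `ENTRIES` array sends it back into the same branch with no arguments; invoking `"${0}"` and bailing out when `${#ENTRIES[@]}` is zero would close both. The unquoted `$(cat "${SIGNTABLE}")` in that loop also subjects the `*@domain` entries to filename globbing in the current directory before the `"*"*` filter sees them, so iterating with `while IFS= read -r` over the file would be safer.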