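#!/usr/bin/env bash
#####################################################
# opendkim-setter: generate this month's DKIM key for each domain, publish
# the TXT record in the domain's BIND zone file and register the key with
# OpenDKIM (signing.table / key.table).
#
# This script requires the DNS setup described at:
#   https://git.giaever.org/joachimmg/dnssec-signer
#
# USAGE:
#
# 1. Make `opendkim-setter` executable:
#      chmod +x /path/to/opendkim-setter
#
# 2. Run it for one or more domains:
#      /path/to/opendkim-setter <domain.tld> [<other.tld> ...]
#    or for every domain already listed in the OpenDKIM signing table:
#      /path/to/opendkim-setter
#
# Must run as root: it writes under /etc/opendkim and /etc/bind/zones.
# Strict mode (set -e/-u) is deliberately not enabled here; several
# functions below test $? after a command that is expected to fail.
######################################################
# Name used in console and syslog messages. $0 is quoted because the script
# may be invoked through a path containing spaces.
SELF="$(basename -- "${0}")"
######################################################
# START OF CONFIG #
######################################################
# SET YOUR SYSTEM SPECIFIC DATA (paths to binaries, the OpenDKIM user,
# config and zone directories).
DKIMUSER="opendkim"
DKIMGRP="${DKIMUSER}"
DKIMCONF="/etc/opendkim"
KEYTABLE="${DKIMCONF}/key.table"
SIGNTABLE="${DKIMCONF}/signing.table"
KEYDIR="${DKIMCONF}/keys"
ZONESDIR="/etc/bind/zones"
KEYGEN=/usr/bin/opendkim-genkey
LOGGER=/usr/bin/logger
# Flag strings: they are expanded unquoted (word-split into several
# arguments) where they are used with ${LOGGER}.
LOGGERFLAGN="-t $(whoami) -p daemon.info"
LOGGERFLAGE="-t $(whoami) -p daemon.err"
# 1 = re-sign the touched zones with DNSTOOL once the keys are in place.
RESIGNDNS=1
DNSTOOL=/usr/bin/dnssec-signer
# Nothing below is meant to change these.
readonly SELF DKIMUSER DKIMGRP DKIMCONF KEYTABLE SIGNTABLE KEYDIR ZONESDIR \
  KEYGEN LOGGER LOGGERFLAGN LOGGERFLAGE RESIGNDNS DNSTOOL
######################################################
# END OF CONFIG #
######################################################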
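#######################################
# Print an error message for one entry to stderr and send it to syslog.
# Globals:   SELF, LOGGER, LOGGERFLAGE (read; LOGGERFLAGE is word-split on
#            purpose into several logger arguments)
# Arguments: $1 - the entry (domain, user or counter) the message is about
#            $2 - message text; printed verbatim, no backslash processing
# Outputs:   "[SELF:entry]: message" on stderr, coloured only when stderr
#            is a terminal (so logs and pipes get plain text)
#######################################
function error_msg {
  local FOR="${1}"
  local ERRMSG="${2}"
  if [[ -t 2 ]]; then
    # SGR 22 (normal intensity) closes the bold span; 21 is not reliably
    # "bold off" across terminals.
    printf '\e[31m[%s:\e[1m%s\e[22m]:\e[0m %s\n' "${SELF}" "${FOR}" "${ERRMSG}" >&2
  else
    printf '[%s:%s]: %s\n' "${SELF}" "${FOR}" "${ERRMSG}" >&2
  fi
  # shellcheck disable=SC2086 -- LOGGERFLAGE intentionally holds several flags
  ${LOGGER} ${LOGGERFLAGE} "[${SELF}:${FOR}]: ${ERRMSG}"
}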
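#######################################
# Print a progress note for one entry to stdout and send it to syslog.
# Globals:   SELF, LOGGER, LOGGERFLAGN (read; LOGGERFLAGN is word-split on
#            purpose into several logger arguments)
# Arguments: $1 - the entry (domain or counter) the note is about
#            $2 - message text; printed verbatim, no backslash processing
# Outputs:   "[SELF:entry]: message" on stdout, coloured only when stdout
#            is a terminal (so logs and pipes get plain text)
#######################################
function note_msg {
  local FOR="${1}"
  local NOTEMSG="${2}"
  if [[ -t 1 ]]; then
    # SGR 22 (normal intensity) closes the bold span; 21 is not reliably
    # "bold off" across terminals.
    printf '\e[32m[%s:\e[1m%s\e[22m]:\e[0m %s\n' "${SELF}" "${FOR}" "${NOTEMSG}"
  else
    printf '[%s:%s]: %s\n' "${SELF}" "${FOR}" "${NOTEMSG}"
  fi
  # shellcheck disable=SC2086 -- LOGGERFLAGN intentionally holds several flags
  ${LOGGER} ${LOGGERFLAGN} "[${SELF}:${FOR}]: ${NOTEMSG}"
}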
# Everything below writes under /etc/opendkim and into the zone files, so
# refuse to go on unless we are root.
if (( EUID != 0 )); then
  error_msg "${USER}" "Must execute file as root."
  exit 1
fi
# Disabled helper, kept for reference: drop a domain from the signing table.
# NOTE(review): TMPTBL is never defined in this file, and the grep pattern is
# an unanchored regex, so this would need fixing before being re-enabled.
#function remove_signing_table {
#  grep -v "*@${1} " "${SIGNTABLE}" > "${TMPTBL}" && mv "${TMPTBL}" "${SIGNTABLE}"
#}
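#######################################
# Make sure the OpenDKIM signing table maps all mail from a domain to the
# key entry of the same name.
# Globals:   SIGNTABLE (read; appended to when the domain is missing)
# Arguments: $1 - domain name
# Outputs:   appends the line "*@domain domain" if no such entry exists
# Returns:   0 if the entry exists or was added, non-zero if the append failed
#######################################
function update_signing_table {
  local domain="${1}"
  # Match the first field literally instead of feeding the domain to grep
  # as a regex: "." must not act as a wildcard, and "example.com" must not
  # count as present because "*@example.com.au" is in the table.
  if [[ -f "${SIGNTABLE}" ]] \
      && DOMAIN="${domain}" awk '$1 == ("*@" ENVIRON["DOMAIN"]) { found = 1; exit } END { exit !found }' "${SIGNTABLE}"; then
    return 0
  fi
  note_msg "${domain}" "Added to signing table"
  printf '%s %s\n' "*@${domain}" "${domain}" >> "${SIGNTABLE}"
}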
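#######################################
# Register, or rotate, a domain's signing key in the OpenDKIM key table.
# Globals:   KEYTABLE (rewritten when the domain exists, appended otherwise)
# Arguments: $1 - domain name (table key and signing domain)
#            $2 - selector (this script uses the YYYYMM date)
#            $3 - path to the private key file
# Outputs:   the table line "domain domain:selector:path"
# Returns:   0 on success, 1 if the table could not be rewritten
#######################################
function update_key_table {
  local domain="${1}" selector="${2}" keyfile="${3}"
  local entry_line="${domain} ${domain}:${selector}:${keyfile}"
  local tmp
  # Exact first-field comparison; the old "^domain" prefix match also hit
  # "example.com.au" when asked about "example.com". Values reach awk via
  # the environment, never as pattern or replacement text, so no character
  # in a domain or path is special.
  if [[ -f "${KEYTABLE}" ]] \
      && DOMAIN="${domain}" awk '$1 == ENVIRON["DOMAIN"] { found = 1; exit } END { exit !found }' "${KEYTABLE}"; then
    note_msg "${domain}" "Updated key in key table"
    # Write the new table next to the old one and rename it into place so a
    # reader never sees a half-written file; owner and mode are copied from
    # the existing table because mktemp creates the file as 0600 root.
    tmp=$(mktemp -- "${KEYTABLE}.XXXXXX") || return 1
    if DOMAIN="${domain}" ENTRY_LINE="${entry_line}" \
        awk '$1 == ENVIRON["DOMAIN"] { print ENVIRON["ENTRY_LINE"]; next } { print }' "${KEYTABLE}" > "${tmp}" \
        && chown --reference="${KEYTABLE}" -- "${tmp}" \
        && chmod --reference="${KEYTABLE}" -- "${tmp}" \
        && mv -f -- "${tmp}" "${KEYTABLE}"; then
      return 0
    fi
    error_msg "${domain}" "Could not rewrite key table"
    rm -f -- "${tmp}"
    return 1
  fi
  note_msg "${domain}" "Added key to key table"
  printf '%s\n' "${entry_line}" >> "${KEYTABLE}"
}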
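#######################################
# Generate this month's DKIM key for one domain, publish the TXT record in
# the domain's BIND zone file and register the key with OpenDKIM.
# Globals:   KEYDIR, ZONESDIR, KEYGEN (read); the signing and key tables are
#            changed through update_signing_table / update_key_table
# Arguments: $1 - domain name; also the key directory name under KEYDIR and
#            the zone directory name under ZONESDIR
# Returns:   0 on success, 1 on any failure. The zone file is only replaced
#            after the new contents were generated completely.
#######################################
function dkim {
  local ENTRY="${1}"
  local ENTRYDIR="${KEYDIR}/${ENTRY}"
  local ENTRYZONE="${ZONESDIR}/${ENTRY}/db"
  local DATE PRIVATEKEY DOMAINKEY TMPZONE
  local ok=1
  # Hostname syntax only: the value becomes a path component under KEYDIR and
  # ZONESDIR and a field in the OpenDKIM tables, so "../x" or anything with
  # whitespace must never get further than this check.
  local domain_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'

  DATE=$(date +%Y%m)
  PRIVATEKEY="${ENTRYDIR}/${DATE}.private"
  DOMAINKEY="${ENTRYDIR}/${DATE}.txt"

  note_msg "${ENTRY}" "DKIM Signing"

  if ! [[ "${ENTRY}" =~ ${domain_re} ]]; then
    error_msg "${ENTRY}" "Not a valid domain name. Abort"
    return 1
  fi
  if ! [[ -f "${ENTRYZONE}" && -w "${ENTRYZONE}" ]]; then
    error_msg "${ENTRY}" "There is not zone file. Abort"
    return 1
  fi
  if ! [[ -d "${ENTRYDIR}" ]]; then
    note_msg "${ENTRY}" "Creating directory for entry"
    # Private keys live here: keep group/other out from the start, not only
    # after the chmod pass at the end of the script.
    if ! mkdir -p -m 0700 -- "${ENTRYDIR}"; then
      error_msg "${ENTRY}" "Could not create ${ENTRYDIR}. Abort"
      return 1
    fi
  fi

  # -D tells opendkim-genkey where to write, so there is no cd (and no key
  # landing in whatever the current directory was if a cd failed). The h=
  # tag of the record names a hash algorithm, so ask for "sha256" directly
  # instead of generating "rsa-sha256" and patching it afterwards.
  if ! "${KEYGEN}" -D "${ENTRYDIR}" -b 2048 -h sha256 -r -s "${DATE}" -d "${ENTRY}" -v \
      || ! [[ -s "${PRIVATEKEY}" && -s "${DOMAINKEY}" ]]; then
    error_msg "${ENTRY}" "Error generating keys"
    return 1
  fi
  # Owner-only, whatever mode the generator chose.
  chmod 0600 -- "${PRIVATEKEY}"

  # Build the new zone file next to the old one and rename it into place;
  # the old code truncated the zone before writing, so a failing pipeline
  # left BIND with an empty zone.
  if ! TMPZONE=$(mktemp -- "${ENTRYZONE}.XXXXXX"); then
    error_msg "${ENTRY}" "Could not create temporary zone file. Abort"
    return 1
  fi
  if grep -Eq '[0-9]{6}\._dom' -- "${ENTRYZONE}"; then
    note_msg "${ENTRY}" "Altering DKIM-record in zone file"
    # Drop every existing monthly record -- from the "NNNNNN._domainkey" line
    # through the "----- DKIM key ..." trailer opendkim-genkey appends -- and
    # put the new record where the first one was. The record text is read
    # from the file, never spliced into a sed replacement. The six digits are
    # spelled out because not every awk supports {6}. A record without a
    # trailer makes awk fail so the zone is left untouched, not cut short.
    awk -v keyfile="${DOMAINKEY}" '
      /[0-9][0-9][0-9][0-9][0-9][0-9]\._dom/ { skip = 1 }
      skip && /-+[[:space:]]DKIM/ {
        skip = 0
        if (!done) {
          while ((getline line < keyfile) > 0) print line
          done = 1
        }
        next
      }
      skip { next }
      { print }
      END { if (skip || !done) exit 2 }
    ' "${ENTRYZONE}" > "${TMPZONE}" || ok=0
  else
    note_msg "${ENTRY}" "Adding DKIM-record in zone file"
    # awk '1' re-emits the zone with a guaranteed trailing newline, so the
    # appended record always starts on its own line.
    {
      awk '1' "${ENTRYZONE}" \
        && printf '; DKIM for %s start\n' "${DOMAINKEY}" \
        && cat -- "${DOMAINKEY}"
    } > "${TMPZONE}" || ok=0
  fi
  # Owner and mode are copied from the live zone file (mktemp made the
  # temporary one 0600 root) before the rename, so BIND keeps its access.
  if ! (( ok )) || ! [[ -s "${TMPZONE}" ]] \
      || ! chown --reference="${ENTRYZONE}" -- "${TMPZONE}" \
      || ! chmod --reference="${ENTRYZONE}" -- "${TMPZONE}" \
      || ! mv -f -- "${TMPZONE}" "${ENTRYZONE}"; then
    error_msg "${ENTRY}" "Could not update zone file. Abort"
    rm -f -- "${TMPZONE}"
    return 1
  fi

  update_signing_table "${ENTRY}" || return 1
  update_key_table "${ENTRY}" "${DATE}" "${PRIVATEKEY}" || return 1
  note_msg "${ENTRY}" "Signing successful"
  return 0
}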
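# Collect the domains to process: the command-line arguments, or -- when
# none are given -- every domain already listed in the signing table.
ENTRIES=()
if (( $# > 0 )); then
  # Take the arguments as given. The old code joined them with "$*" and
  # re-split the string with IFS=" ", (note the stray comma), which also
  # split on commas and broke any argument containing whitespace.
  ENTRIES=("$@")
else
  if ! [[ -f "${SIGNTABLE}" ]]; then
    error_msg "${SELF}" "No domains given and ${SIGNTABLE} does not exist"
    exit 1
  fi
  # Signing-table lines look like "*@domain domain"; the domain is the
  # second field. Blank and comment lines are skipped.
  while read -r pattern domain _ || [[ -n "${pattern}" ]]; do
    [[ -z "${pattern}" || "${pattern}" == \#* ]] && continue
    [[ -n "${domain}" ]] && ENTRIES+=("${domain}")
  done < "${SIGNTABLE}"
fi
if (( ${#ENTRIES[@]} == 0 )); then
  error_msg "${SELF}" "No domains given and none found in ${SIGNTABLE}"
  exit 1
fi

# One pass for both cases; the old code re-executed "${SELF}" for the
# table-driven case, which only worked when the script was on PATH.
note_msg "${#ENTRIES[@]}" "Start signing"
CWDIR="${PWD}"
SIGNED=()
FAILED=0
for ENTRY in "${ENTRIES[@]}"; do
  if dkim "${ENTRY}"; then
    SIGNED+=("${ENTRY}")
  else
    FAILED=$(( FAILED + 1 ))
  fi
done
cd -- "${CWDIR}" || exit 1
# Keys and tables are readable by the OpenDKIM daemon only. DKIMGRP is the
# configured group variable; the old code used the undefined DKIMGROUP and
# so relied on chown's "user:" fallback to the login group.
chown -R "${DKIMUSER}:${DKIMGRP}" -- "${DKIMCONF}"
chmod -R go-rw -- "${DKIMCONF}"
# Re-sign only the zones that actually received a new record.
if [[ "${RESIGNDNS}" -eq 1 && ${#SIGNED[@]} -gt 0 ]]; then
  "${DNSTOOL}" "${SIGNED[@]}"
fi
if (( FAILED > 0 )); then
  error_msg "${FAILED}" "domain(s) failed, see messages above"
  exit 1
fi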