
  1. #!/usr/bin/env bash
  2. #####################################################
# This script requires the DNS setup described in the dnssec-signer project.
# SEE:
# https://git.giaever.org/joachimmg/dnssec-signer
  6. #
# USAGE (must be run as root; it writes under /etc/opendkim and the zone
# directory and restarts opendkim):
#
# 1. Make `opendkim-signer` executable:
#    chmod +x /path/to/opendkim-signer
#
# 2. Run it for one or more domains:
#    /path/to/opendkim-signer <domain.tld> [<domain2.tld> ...]
# 3. Or, with no arguments, for every domain already listed in the
#    OpenDKIM signing table:
#    /path/to/opendkim-signer
  16. #
  17. ######################################################
  18. SELF="$(basename ${0})"
  19. ######################################################
  20. # START OF CONFIG #
  21. ######################################################
  22. # SET YOU SYSTEM SPECIFIC DATA (which systemctl e.g) #
  23. SELF=$(basename $0)
  24. DKIMUSER="opendkim"
  25. DKIMGRP="${DKIMUSER}"
  26. DKIMCONF="/etc/opendkim"
  27. KEYTABLE="${DKIMCONF}/key.table"
  28. SIGNTABLE="${DKIMCONF}/signing.table"
  29. KEYDIR="${DKIMCONF}/keys"
  30. ZONESDIR="/etc/bind/zones"
  31. KEYGEN=/usr/bin/opendkim-genkey
  32. SYSCTL=/bin/systemctl
  33. JOURCTL=/bin/journalctl
  34. LOGGER=/usr/bin/logger
  35. LOGGERFLAGN="-t $(whoami) -p daemon.info"
  36. LOGGERFLAGE="-t $(whoami) -p daemon.err"
  37. RESIGNDNS=1
  38. DNSTOOL=/usr/bin/dnssec-signer
  39. ######################################################
  40. # END OF CONFIG #
  41. ######################################################
  42. function error_msg {
  43. FOR=${1}
  44. ERRMSG="${2}"
  45. echo -e "\e[31m[${SELF}:\e[1m${FOR}\e[21m]:\e[0m ${ERRMSG}"
  46. ${LOGGER} ${LOGGERFLAGE} "[${SELF}:${FOR}]: ${ERRMSG}"
  47. }
  48. function note_msg {
  49. FOR=${1}
  50. NOTEMSG="${2}"
  51. echo -e "\e[32m[${SELF}:\e[1m${FOR}\e[21m]:\e[0m ${NOTEMSG}"
  52. ${LOGGER} ${LOGGERFLAGN} "[${SELF}:${FOR}]: ${NOTEMSG}"
  53. }
# Everything below writes under DKIMCONF/ZONESDIR and restarts a service, so
# refuse to continue unless the effective UID is root.
if (( EUID != 0 )); then
  error_msg "${USER}" "Must execute file as root."
  exit 1
fi
  58. #function remove_signing_table {
  59. # grep -v "*@${1} " "${SIGNTABLE}" > "${TMPTBL}" && mv "${TMPTBL}" "${SIGNTABLE}"
  60. #}
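# Ensure SIGNTABLE has a "*@<domain> <domain>" line; append one if missing.
# Arguments: $1 - domain.
# Globals read: SIGNTABLE.  Calls note_msg when a line is added.
# The lookup compares the first field literally. The original grep used the
# domain as an unescaped regex prefix, so "." matched any character and
# "example.com" was considered present when only "*@example.com.au" existed.
function update_signing_table {
  local domain="${1}"
  local key
  if [[ -f "${SIGNTABLE}" ]]; then
    while read -r key _ || [[ -n "${key}" ]]; do
      [[ "${key}" == "*@${domain}" ]] && return 0
    done < "${SIGNTABLE}"
  fi
  note_msg "${domain}" "Added to signing table"
  echo "*@${domain} ${domain}" >> "${SIGNTABLE}"
}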
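# Register key <selector> stored in <keyfile> for <domain> in KEYTABLE as
# "<domain> <domain>:<selector>:<keyfile>". A line whose first field is exactly
# <domain> is rewritten in place, otherwise a new line is appended.
# Arguments: $1 - domain, $2 - selector (YYYYMM), $3 - path of the private key.
# Globals read: KEYTABLE.  Calls note_msg.
# The original matched the domain as an unescaped regex prefix in grep and sed,
# so updating "example.com" would also rewrite an "example.com.au" line.
function update_key_table {
  local domain="${1}" selector="${2}" keyfile="${3}"
  local entry="${domain} ${domain}:${selector}:${keyfile}"
  local line key found=0
  local -a lines=()
  if [[ -f "${KEYTABLE}" ]]; then
    while IFS= read -r line || [[ -n "${line}" ]]; do
      read -r key _ <<< "${line}"
      if [[ "${key}" == "${domain}" ]]; then
        lines+=("${entry}")
        found=1
      else
        lines+=("${line}")
      fi
    done < "${KEYTABLE}"
  fi
  if (( found )); then
    note_msg "${domain}" "Updated key in key table"
    # Truncate and rewrite: keeps the file's owner and mode, and `lines` is
    # non-empty here because the matching line was pushed into it.
    printf '%s\n' "${lines[@]}" > "${KEYTABLE}"
  else
    note_msg "${domain}" "Added key to key table"
    echo "${entry}" >> "${KEYTABLE}"
  fi
}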
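# Generate a fresh DKIM key pair for one domain, publish the TXT record in the
# domain's BIND zone file and register the key with OpenDKIM.
# Arguments: $1 - domain; also the OpenDKIM entry name, the key sub-directory
#            name under KEYDIR and the zone directory name under ZONESDIR.
# Globals read: KEYDIR, ZONESDIR, KEYGEN.
# Calls note_msg, error_msg, update_signing_table, update_key_table.
# Returns 0 on success, 1 when the zone file is not writable, the key directory
# cannot be entered or key generation fails (the original only logged a
# generation failure and went on to publish whatever stale .txt file existed).
# Side effect: leaves the current directory set to the key directory; the
# caller restores it.
function dkim {
  local entry="${1}"
  local entrydir="${KEYDIR}/${entry}"
  local entryzone="${ZONESDIR}/${entry}/db"
  # Selector = current year+month: re-running within the same month overwrites
  # that month's key rather than rotating to a new selector.
  local selector
  selector="$(date +%Y%m)"
  local privatekey="${entrydir}/${selector}.private"
  local domainkey="${entrydir}/${selector}.txt"
  local keycontent zone old_umask rc

  note_msg "${entry}" "DKIM Signing"
  if ! [[ -w "${entryzone}" ]]; then
    error_msg "${entry}" "There is not zone file. Abort"
    return 1
  fi
  if ! [[ -d "${entrydir}" ]]; then
    note_msg "${entry}" "Creating directory for entry"
    mkdir -p "${entrydir}"
  fi
  # opendkim-genkey writes into the current directory; never generate the key
  # somewhere else because the cd failed.
  if ! cd "${entrydir}"; then
    error_msg "${entry}" "Cannot enter ${entrydir}. Abort"
    return 1
  fi
  # The private key must not be group/world readable even before the final
  # chmod in the main script; umask 077 makes that explicit regardless of what
  # opendkim-genkey itself does.
  old_umask="$(umask)"
  umask 077
  ${KEYGEN} -b 2048 -h rsa-sha256 -r -s "${selector}" -d "${entry}" -v
  rc=$?
  umask "${old_umask}"
  if (( rc != 0 )); then
    error_msg "${entry}" "Error generating keys"
    return 1
  fi
  # opendkim-genkey emits "h=rsa-sha256"; the h= tag takes the bare hash name.
  # Newlines become CR so the multi-line record can be handled by the
  # single-line sed below.
  keycontent="$(sed -e 's/h\=rsa-sha256/h\=sha256/' "${domainkey}" | tr '\n' '\r')"
  zone="$(tr '\n' '\r' < "${entryzone}")"
  if grep -Eq "[0-9]{6}._dom" <<< "${zone}"; then
    note_msg "${entry}" "Altering DKIM-record in zone file"
    # Replace the span from the existing "<YYYYMM>._domainkey" record through
    # the trailing "; ----- DKIM key ..." comment that opendkim-genkey appends.
    # NOTE(review): keycontent is spliced verbatim into the sed expression, so
    # it must not contain ',', '&' or '\' - base64 key material does not, but
    # verify if the record format ever changes.
    sed -e 's,[0-9]\{6\}._dom.*\-\+\sDKIM[^\r]\+\r\?\+,'"${keycontent}"',' <<< "${zone}" | tr '\r' '\n' > "${entryzone}"
    sed -i '${/^$/d;}' "${entryzone}"
  else
    note_msg "${entry}" "Adding DKIM-record in zone file"
    # printf rather than echo -e: the zone's own content must not have
    # backslash escapes interpreted.
    printf '%s\r; DKIM for %s start\r%s\n' "${zone}" "${domainkey}" "${keycontent}" | tr '\r' '\n' > "${entryzone}"
  fi
  update_signing_table "${entry}"
  update_key_table "${entry}" "${selector}" "${privatekey}"
  note_msg "${entry}" "Signing successful"
}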
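# Collect arguments (zones). Each argument is one domain; the original split
# on spaces and commas (via `IFS=' ',`), so comma-separated lists still work.
IFS=' ,' read -r -a ENTRIES <<< "${*}"

# Sign every given domain, fix ownership/permissions of DKIMCONF and, when
# RESIGNDNS is 1, restart opendkim and re-sign the zones with DNSTOOL.
# Arguments: the domains to sign.
# Globals read: SELF, DKIMUSER, DKIMGRP, DKIMCONF, RESIGNDNS, SYSCTL, JOURCTL,
#               DNSTOOL.  Calls dkim, note_msg, error_msg.
function sign_entries {
  local -a domains=("$@")
  local domain cwdir
  note_msg "date" "$(date)"
  note_msg "${#domains[@]}" "Start signing"
  cwdir="$(pwd)"
  for domain in "${domains[@]}"; do
    dkim "${domain}"
  done
  cd "${cwdir}" || error_msg "${SELF}" "Cannot return to ${cwdir}"
  # Keys and tables are readable by the opendkim user only.
  # The original used the undefined DKIMGROUP here; the config variable is
  # DKIMGRP, so chown was run with an empty group.
  chown -R "${DKIMUSER}:${DKIMGRP}" "${DKIMCONF}"
  chmod -R go-rw "${DKIMCONF}"
  if [[ "${RESIGNDNS}" -eq 1 ]]; then
    note_msg "$(basename -- "${SYSCTL}")" "Restarting opendkim.service"
    if ! ${SYSCTL} restart "opendkim.service"; then
      error_msg "opendkim.service" "Restart failed, last journal lines follow"
      # -n limits the line count; the original "-l 10" passed "10" to
      # journalctl as a (bogus) match expression.
      ${JOURCTL} -n 10 --no-pager --unit "opendkim.service" >&2
    fi
    if command -v -- "${DNSTOOL}" >/dev/null 2>&1; then
      ${DNSTOOL} "${domains[@]}"
    else
      error_msg "$(basename -- "${DNSTOOL}")" "Not found or not executable, zones not re-signed"
    fi
  fi
}

if (( ${#ENTRIES[@]} != 0 )); then
  sign_entries "${ENTRIES[@]}"
else
  # No arguments: use every domain already in the signing table, i.e. the
  # second field of "*@domain domain" lines; comment and blank lines are
  # skipped. The original read the table with an unquoted $(cat ...), which
  # glob-expanded "*@domain" tokens against the current directory, then
  # re-executed itself by bare name through PATH (as root) - and recursed
  # forever when the table was empty.
  while read -r key domain _; do
    [[ "${key}" == \#* || -z "${domain}" ]] && continue
    ENTRIES+=("${domain}")
  done < "${SIGNTABLE}"
  if (( ${#ENTRIES[@]} == 0 )); then
    error_msg "${SELF}" "No domains given and none found in ${SIGNTABLE}. Abort"
    exit 1
  fi
  sign_entries "${ENTRIES[@]}"
fi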