2022-10-17 10:40:09 +02:00
|
|
|
#!/bin/bash
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-03-26 09:30:09 +01:00
|
|
|
# shellcheck source=../scripts/helpers/index.sh
|
|
|
|
|
source /usr/local/bin/helpers/index.sh
|
|
|
|
|
|
2023-05-24 09:06:59 +02:00
|
|
|
if [[ -f /etc/dms-settings ]] && [[ $(_get_dms_env_value 'ENABLE_RSPAMD') -eq 1 ]]; then
|
2023-09-13 10:42:52 +02:00
|
|
|
if [[ $(_get_dms_env_value 'ENABLE_OPENDKIM') -eq 1 ]]; then
|
2024-02-20 21:33:04 +13:00
|
|
|
_log 'warn' "Conflicting DKIM support, both Rspamd and OpenDKIM enabled - OpenDKIM will manage DKIM keys"
|
2023-09-13 10:42:52 +02:00
|
|
|
else
|
|
|
|
|
/usr/local/bin/rspamd-dkim "${@}"
|
|
|
|
|
exit
|
|
|
|
|
fi
|
2023-05-03 08:30:49 +02:00
|
|
|
fi
|
|
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
function _main() {
|
|
|
|
|
# Default parameters (updated by `_parse_arguments()`):
|
|
|
|
|
local KEYSIZE=2048
|
|
|
|
|
local SELECTOR=mail
|
|
|
|
|
local DMS_DOMAINS=
|
|
|
|
|
|
|
|
|
|
_require_n_parameters_or_print_usage 0 "${@}"
|
|
|
|
|
_parse_arguments "${@}"
|
|
|
|
|
|
|
|
|
|
_generate_dkim_keys
|
|
|
|
|
}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2023-05-26 01:01:41 +02:00
|
|
|
function __usage() {
|
2022-05-10 17:50:33 +02:00
|
|
|
printf '%s' "${PURPLE}OPEN-DKIM${RED}(${YELLOW}8${RED})
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}NAME${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
open-dkim - Configure DKIM (DomainKeys Identified Mail)
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}SYNOPSIS${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
setup config dkim [ OPTIONS${RED}...${RESET} ]
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}DESCRIPTION${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
Creates DKIM keys and configures them within DMS for OpenDKIM.
|
|
|
|
|
OPTIONS can be used when your requirements are not met by the defaults.
|
|
|
|
|
When not using 'ACCOUNT_PROVISIONER=FILE' (default), you may need to explicitly
|
|
|
|
|
use the 'domain' option to generate DKIM keys for your mail account domains.
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}OPTIONS${RESET}
|
|
|
|
|
${BLUE}Generic Program Information${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
help Print the usage information.
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${BLUE}Configuration adjustments${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
keysize Set the size of the keys to be generated.
|
|
|
|
|
Possible values: 1024, 2048 and 4096
|
|
|
|
|
Default: 2048
|
|
|
|
|
selector Set a manual selector for the key.
|
|
|
|
|
Default: mail
|
|
|
|
|
domain Provide the domain(s) for which to generate keys for.
|
2023-10-04 23:53:32 +13:00
|
|
|
Default: The FQDN assigned to DMS, excluding any subdomain.
|
|
|
|
|
'ACCOUNT_PROVISIONER=FILE' also sources domains from mail accounts.
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}EXAMPLES${RESET}
|
chore: Change `setup config dkim` default key size to `2048` (`open-dkim`) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit
4096-bit is excessive in size for DKIM key. 2048-bit is plenty.
* chore: Additional revisions to `open-dkim` command help output
- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.
* docs: Revise DKIM docs
Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).
* docs: Sync DKIM commands help messages and update DKIM docs for LDAP
- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.
* tests: Adjust test-cases for `setup config dkim` change
`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.
`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.
* docs: Update DKIM section for large keys to newer RFC
The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.
The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.
* docs: Extract out common DKIM generation command from content tabs
Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.
* docs: DKIM refactoring
- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.
* docs: Revise DKIM docs
Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
|
|
|
${LWHITE}setup config dkim keysize 4096${RESET}
|
|
|
|
|
Creates keys with their length increased to a size of 4096-bit.
|
|
|
|
|
|
|
|
|
|
${LWHITE}setup config dkim keysize 1024 selector 2023-dkim${RESET}
|
|
|
|
|
Creates 1024-bit sized keys, and changes the DKIM selector to '2023-dkim'.
|
|
|
|
|
|
|
|
|
|
${LWHITE}setup config dkim domain 'example.com,another-example.com'${RESET}
|
|
|
|
|
Only generates DKIM keys for the specified domains: 'example.com' and 'another-example.com'.
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-05-10 17:50:33 +02:00
|
|
|
${ORANGE}EXIT STATUS${RESET}
|
2021-02-18 10:29:34 +01:00
|
|
|
Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
|
2025-03-31 22:27:28 +13:00
|
|
|
errors, the script will exit early with a non-zero exit status.
|
2021-02-18 13:11:45 +01:00
|
|
|
|
2021-02-18 10:29:34 +01:00
|
|
|
"
|
|
|
|
|
}
|
|
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
function _parse_arguments() {
|
|
|
|
|
# Parse the command args through iteration:
|
|
|
|
|
while [[ ${#} -gt 0 ]]; do
|
|
|
|
|
case "${1}" in
|
|
|
|
|
|
|
|
|
|
( 'keysize' )
|
|
|
|
|
if [[ -n ${2:-} ]]; then
|
|
|
|
|
KEYSIZE="${2}"
|
|
|
|
|
_log 'trace' "Keysize set to '${KEYSIZE}'"
|
|
|
|
|
else
|
|
|
|
|
_exit_with_error "No keysize provided after 'keysize' argument"
|
|
|
|
|
fi
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
( 'selector' )
|
|
|
|
|
if [[ -n ${2:-} ]]; then
|
|
|
|
|
SELECTOR="${2}"
|
|
|
|
|
_log 'trace' "Selector set to '${SELECTOR}'"
|
|
|
|
|
else
|
|
|
|
|
_exit_with_error "No selector provided after 'selector' argument"
|
|
|
|
|
fi
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
( 'domain' )
|
|
|
|
|
if [[ -n ${2:-} ]]; then
|
|
|
|
|
DMS_DOMAINS="${2}"
|
|
|
|
|
_log 'trace' "Domain(s) set to '${DMS_DOMAINS}'"
|
|
|
|
|
else
|
|
|
|
|
_exit_with_error "No domain(s) provided after 'domain' argument"
|
|
|
|
|
fi
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
( 'help' )
|
|
|
|
|
__usage
|
|
|
|
|
exit 0
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
( * )
|
|
|
|
|
__usage
|
|
|
|
|
_exit_with_error "Unknown option(s) ${*}"
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
# Discard these two args (option + value) now that they've been processed:
|
|
|
|
|
shift 2
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function _generate_dkim_keys() {
|
|
|
|
|
_generate_domains_config
|
|
|
|
|
if [[ ! -s ${DATABASE_VHOST} ]]; then
|
|
|
|
|
_log 'warn' 'No entries found, no keys to make'
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Initialize OpenDKIM configs if necessary:
|
|
|
|
|
_create_opendkim_configs
|
|
|
|
|
|
|
|
|
|
# Generate a keypair per domain and add reference to OpenDKIM configs:
|
|
|
|
|
local ENTRY_KEY KEY_TABLE_ENTRY SIGNING_TABLE_ENTRY
|
|
|
|
|
while read -r DKIM_DOMAIN; do
|
|
|
|
|
_create_dkim_key "${DKIM_DOMAIN}"
|
|
|
|
|
|
|
|
|
|
# Create / Update OpenDKIM configs with new DKIM key:
|
|
|
|
|
ENTRY_KEY="${SELECTOR}._domainkey.${DKIM_DOMAIN}"
|
|
|
|
|
KEY_TABLE_ENTRY="${ENTRY_KEY} ${DKIM_DOMAIN}:${SELECTOR}:/etc/opendkim/keys/${DKIM_DOMAIN}/${SELECTOR}.private"
|
|
|
|
|
SIGNING_TABLE_ENTRY="*@${DKIM_DOMAIN} ${ENTRY_KEY}"
|
|
|
|
|
|
|
|
|
|
# If no existing entry, add one:
|
|
|
|
|
if ! grep -q "${KEY_TABLE_ENTRY}" "${KEY_TABLE_FILE}"; then
|
|
|
|
|
echo "${KEY_TABLE_ENTRY}" >> "${KEY_TABLE_FILE}"
|
|
|
|
|
fi
|
|
|
|
|
if ! grep -q "${SIGNING_TABLE_ENTRY}" "${SIGNING_TABLE_FILE}"; then
|
|
|
|
|
echo "${SIGNING_TABLE_ENTRY}" >> "${SIGNING_TABLE_FILE}"
|
|
|
|
|
fi
|
|
|
|
|
done < <(_get_valid_lines_from_file "${DATABASE_VHOST}")
|
|
|
|
|
|
|
|
|
|
# No longer needed, remove:
|
|
|
|
|
rm "${DATABASE_VHOST}"
|
|
|
|
|
|
|
|
|
|
# Ensure ownership is consistent for all content belonging to the base directory,
|
|
|
|
|
# During container startup, an internal copy will be made via `_setup_opendkim()`
|
2025-07-11 00:14:39 +02:00
|
|
|
# with ownership we expect, while this chown is for the benefit of the users' ownership.
|
|
|
|
|
# use numerical uid and gid in case the owner of the directory does not exist inside container
|
|
|
|
|
chown -R "$(stat -c '%u:%g' "${OPENDKIM_BASE_DIR}")" "${OPENDKIM_BASE_DIR}"
|
2025-03-31 22:27:28 +13:00
|
|
|
}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
# Prepare a file with one domain per line (iterated via while loop as DKIM_DOMAIN):
|
|
|
|
|
# Depends on methods from `scripts/helpers/postfix.sh`:
|
2022-06-10 10:57:10 +12:00
|
|
|
DATABASE_VHOST='/tmp/vhost.dkim'
|
2023-05-26 01:01:41 +02:00
|
|
|
function _generate_domains_config() {
|
2022-06-10 10:57:10 +12:00
|
|
|
local TMP_VHOST='/tmp/vhost.dkim.tmp'
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2022-06-10 10:57:10 +12:00
|
|
|
# Generate the default vhost (equivalent to /etc/postfix/vhost),
|
2025-03-31 22:27:28 +13:00
|
|
|
# unless CLI arg DMS_DOMAINS provided an alternative list to use instead:
|
|
|
|
|
if [[ -z ${DMS_DOMAINS:-} ]]; then
|
2022-06-10 10:57:10 +12:00
|
|
|
_obtain_hostname_and_domainname
|
|
|
|
|
# uses TMP_VHOST:
|
|
|
|
|
_vhost_collect_postfix_domains
|
|
|
|
|
else
|
2025-03-31 22:27:28 +13:00
|
|
|
tr ',' '\n' <<< "${DMS_DOMAINS}" >"${TMP_VHOST}"
|
2021-02-18 10:29:34 +01:00
|
|
|
fi
|
|
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
# Uses DATABASE_VHOST + TMP_VHOST:
|
2022-06-10 10:57:10 +12:00
|
|
|
_create_vhost
|
|
|
|
|
}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
# `opendkim-genkey` generates two files at the configured `--directory`:
|
|
|
|
|
# - <selector>.private (Private key, PEM encoded)
|
|
|
|
|
# - <selector>.txt (Public key, formatted as a TXT record for a RFC 1035 DNS Zone file)
|
|
|
|
|
function _create_dkim_key() {
|
|
|
|
|
DKIM_DOMAIN=${1?Expected to be provided a domain}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
OPENDKIM_DOMAINKEY_DIR="${OPENDKIM_BASE_DIR}/keys/${DKIM_DOMAIN}"
|
|
|
|
|
mkdir -p "${OPENDKIM_DOMAINKEY_DIR}"
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
DKIM_KEY_FILE="${OPENDKIM_DOMAINKEY_DIR}/${SELECTOR}.private"
|
|
|
|
|
if [[ ! -f "${DKIM_KEY_FILE}" ]]; then
|
|
|
|
|
_log 'info' "Creating DKIM private key '${DKIM_KEY_FILE}'"
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
# NOTE:
|
|
|
|
|
# --domain only affects a comment in the generated DNS Zone file
|
|
|
|
|
# --subdomains is the default,
|
|
|
|
|
# --nosubdomains would add `t=s` to the DNS TXT record generated
|
|
|
|
|
# http://www.opendkim.org/opendkim-genkey.8.html
|
2021-02-18 10:29:34 +01:00
|
|
|
opendkim-genkey \
|
|
|
|
|
--bits="${KEYSIZE}" \
|
|
|
|
|
--subdomains \
|
2021-10-30 23:10:32 +13:00
|
|
|
--domain="${DKIM_DOMAIN}" \
|
2021-02-22 06:05:35 +09:00
|
|
|
--selector="${SELECTOR}" \
|
2025-03-31 22:27:28 +13:00
|
|
|
--directory="${OPENDKIM_DOMAINKEY_DIR}"
|
2021-02-18 10:29:34 +01:00
|
|
|
fi
|
2025-03-31 22:27:28 +13:00
|
|
|
}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
OPENDKIM_BASE_DIR='/tmp/docker-mailserver/opendkim'
|
|
|
|
|
KEY_TABLE_FILE="${OPENDKIM_BASE_DIR}/KeyTable"
|
|
|
|
|
SIGNING_TABLE_FILE="${OPENDKIM_BASE_DIR}/SigningTable"
|
|
|
|
|
TRUSTED_HOSTS_FILE="${OPENDKIM_BASE_DIR}/TrustedHosts"
|
|
|
|
|
# Create configs if missing:
|
|
|
|
|
function _create_opendkim_configs() {
|
|
|
|
|
mkdir -p "${OPENDKIM_BASE_DIR}"
|
|
|
|
|
local OPENDKIM_CONFIGS=(
|
|
|
|
|
"${KEY_TABLE_FILE}"
|
|
|
|
|
"${SIGNING_TABLE_FILE}"
|
|
|
|
|
"${TRUSTED_HOSTS_FILE}"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Only create if the file doesn't exist (avoids modifying mtime):
|
|
|
|
|
for FILE in "${OPENDKIM_CONFIGS[@]}"; do
|
|
|
|
|
if [[ ! -f "${FILE}" ]]; then
|
|
|
|
|
_log 'debug' "Creating OpenDKIM config '${FILE}'"
|
|
|
|
|
touch "${FILE}"
|
2021-02-18 10:29:34 +01:00
|
|
|
fi
|
2025-03-31 22:27:28 +13:00
|
|
|
done
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
# If file exists but is empty, add default hosts to trust:
|
|
|
|
|
if [[ ! -s "${TRUSTED_HOSTS_FILE}" ]]; then
|
|
|
|
|
_log 'debug' 'Adding default trust to OpenDKIM TrustedHosts config'
|
|
|
|
|
echo "127.0.0.1" > "${TRUSTED_HOSTS_FILE}"
|
|
|
|
|
echo "localhost" >> "${TRUSTED_HOSTS_FILE}"
|
2021-02-18 10:29:34 +01:00
|
|
|
fi
|
2025-03-31 22:27:28 +13:00
|
|
|
}
|
2021-02-18 10:29:34 +01:00
|
|
|
|
2025-03-31 22:27:28 +13:00
|
|
|
_main "${@}"
|