From 350d05bb8f45991dba7b305a76c8474df05a7a30 Mon Sep 17 00:00:00 2001 From: Christoph Date: Fri, 4 Jan 2019 05:03:26 +0100 Subject: [PATCH] create_opendkim_key.sh: support of creation of DNS delegation if needed. --- conf/create_opendkim_key.conf.sample | 44 +++++ create_opendkim_key.sh | 244 ++++++++++++++++++++++++--- 2 files changed, 268 insertions(+), 20 deletions(-) diff --git a/conf/create_opendkim_key.conf.sample b/conf/create_opendkim_key.conf.sample index 01c2ec8..56659b0 100644 --- a/conf/create_opendkim_key.conf.sample +++ b/conf/create_opendkim_key.conf.sample @@ -77,6 +77,50 @@ dns_server="b.ns.oopen.de" #key_name= +# ---------- +# Access Credentials DNS Server +# ---------- + +# - dns_ssh_user +# - +# - Defaults to 'manage-bind' +# - +#dns_ssh_user="manage-bind" + +# - dns_ssh_port +# - +# - Defaults to '22' +# - +#dns_ssh_port=22 + +# - dns_ssh_key +# - +# - Defaults to '/root/.ssh/id_rsa-opendkim' +# - +#dns_ssh_key="/root/.ssh/id_rsa-opendkim" + + +# ---------- +# Scripts envoked at DNS Server +# ---------- + +# - set_new_serial_script +# - +# - Script increases the serial for a given domain or a given +# - hostname's concerning domain. +# - +# - Defaults to /root/bin/bind/bind_set_new_serial.sh +# - +#set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" + +# - create_dkim_delegation_script +# - +# - Script adds DKIM subdomain delegation for a given domain +# - +#create_dkim_delegation_script="bind_create_dkim_delegation.sh" + + + # ---------- # OpenDKIM Installation # ---------- diff --git a/create_opendkim_key.sh b/create_opendkim_key.sh index cb02657..f818825 100755 --- a/create_opendkim_key.sh +++ b/create_opendkim_key.sh 
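Review bot: The documented default for `create_dkim_delegation_script` is `bind_create_dkim_delegation.sh` with no directory, while the script's `DEFAULT_create_dkim_delegation_script` in the next hunk of create_opendkim_key.sh (`@@ -20,6 +20,14 @@`) is `/root/bin/bind/bind_create_dkim_delegation.sh`; because the value is executed as `sudo $create_dkim_delegation_script …` on the nameserver, a bare name only works if sudo resolves it on its own PATH there, so the sample should state the real default: `# - Defaults to /root/bin/bind/bind_create_dkim_delegation.sh`. This sample is the only place the two remote scripts are described, so a sentence noting that both must be allowed for `dns_ssh_user` in the nameserver's sudoers would explain an otherwise opaque failed `check` run. "envoked" in the section header should read "invoked" (the same typo is in the comment of hunk `@@ -493,6 +503,16 @@`).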
@@ -20,6 +20,14 @@ BATCH_MODE=false DEFAULT_key_algo="hmac-sha256" DEFAULT_ttl="43200" +DEFAULT_dns_ssh_user="manage-bind" +DEFAULT_dns_ssh_port=22 +DEFAULT_dns_ssh_key="/root/.ssh/id_rsa-opendkim" + +DEFAULT_set_new_serial_script="/root/bin/bind/bind_set_new_serial.sh" +DEFAULT_create_dkim_delegation_script="/root/bin/bind/bind_create_dkim_delegation.sh" +#DEFAULT_ + opendkim_dir="/etc/opendkim" signing_table_file="${opendkim_dir}/signing.table" @@ -405,8 +413,10 @@ if $update_dns && [[ -z "$update_zone" ]] && ! $BATCH_MODE ; then update_zone="_domainkey.${dkim_domain}" fi elif $update_dns && $terminal ; then - echo -e "\033[32m--\033[m" - info "Zone \033[37m\033[1m$update_zone\033[m is used for DKIM TXT record" + if [[ -n "$update_zone" ]]; then + echo -e "\033[32m--\033[m" + info "Zone \033[37m\033[1m${update_zone}\033[m is used for DKIM TXT record" + fi fi @@ -493,6 +503,16 @@ fi if $update_dns ; then cname_record="*._domainkey.${dkim_domain}. IN CNAME ${dkim_domain}.${update_zone}." fi + +# Access Credentials DNS Server +[[ -z "$dns_ssh_user" ]] && dns_ssh_user="$DEFAULT_dns_ssh_user" +[[ -z "$dns_ssh_port" ]] && dns_ssh_port="$DEFAULT_dns_ssh_port" +[[ -z "$dns_ssh_key" ]] && dns_ssh_key="$DEFAULT_dns_ssh_key" + +#Scripts envoked at DNS Server +[[ -z "$set_new_serial_script" ]] && set_new_serial_script="$DEFAULT_set_new_serial_script" +[[ -z "$create_dkim_delegation_script" ]] && create_dkim_delegation_script="$DEFAULT_create_dkim_delegation_script" + blank_line 
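Review bot: The line `#DEFAULT_` after `DEFAULT_create_dkim_delegation_script` is an unfinished placeholder and should be removed or completed. `DEFAULT_dns_ssh_key` is later used with `-o BatchMode=yes`, where ssh never prompts, so a one-line comment would prevent a confusing remote failure: `# key must be usable without a passphrase prompt (ssh runs with BatchMode=yes)`.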
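Review bot: `dns_ssh_port`, `dns_ssh_key` and `dns_ssh_user` are taken from the config file without any validation and are passed unquoted to ssh further down (`-p $dns_ssh_port`, `-i $dns_ssh_key`, `$dns_ssh_user@$_dns_master` in hunk `@@ -546,37 +566,221 @@`), so a value containing whitespace silently turns into extra ssh arguments. Checking right after the defaulting lines keeps the failure local and readable: `[[ "$dns_ssh_port" =~ ^[0-9]+$ ]] || fatal "dns_ssh_port must be numeric: '$dns_ssh_port'"` and `[[ -r "$dns_ssh_key" ]] || fatal "ssh key '$dns_ssh_key' is not readable"`. The comment `#Scripts envoked at DNS Server` should read "invoked".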
@@ -546,37 +566,221 @@ key_dir=${key_base_dir}/${dkim_domain} dkim_domain_shortname="${dkim_domain%.*}" declare -a generated_files_arr=() +_create_delegation=false _wait=false if $update_dns && [[ "$dkim_domain" != "$update_zone" ]] ; then - if ! $BATCH_MODE ; then - if [[ -z "$(dig +short ${update_zone}. NS)" ]] ; then + if [[ -z "$(dig +short ${update_zone}. NS)" ]] ; then + + warn "No Subdomain delegation for zone '$update_zone' found!" - _tmp_string="; ----- Delegation DKIM Keys ${dkim_domain}" - for _server in $(dig +short ${dkim_domain} NS) ; do - _tmp_string="$_tmp_string\n${update_zone}. IN NS $_server" - done - - - blank_line - todo "Create a delegation for zone \033[1m${update_zone}.\033[m\n\n$_tmp_string" - _wait=true + if ! $BATCH_MODE ; then echo "" - echo -e " After adjusting your nameserver continue with this script" + echo -e "\033[32m--\033[m" echo "" - echo -en " \033[33mType to continue or +C to abort:\033[m " - read OK - echo + echononl "Create Subdomain delegation for zone '$update_zone'? (yes/no) [yes]: " + read _create_delegation + if [[ -z "$(trim $_create_delegation)" ]] ; then + _create_delegation=true + elif [[ "${_create_delegation,,}" = "yes" ]] || [[ "${_create_delegation,,}" = "true" ]] ; then + _create_delegation=true + else + _create_delegation=false + fi + if ! $_create_delegation ; then + _tmp_string="; ----- Delegation DKIM Keys ${dkim_domain}" + for _server in $(dig +short ${dkim_domain} NS) ; do + _tmp_string="$_tmp_string\n${update_zone}. IN NS $_server" + done + + + blank_line + todo "Create a delegation for zone \033[1m${update_zone}.\033[m\n\n$_tmp_string" + _wait=true + + echo "" + echo -e " After adjusting your nameserver continue with this script" + echo "" + echo -en " \033[33mType to continue or +C to abort:\033[m " + read OK + echo + fi + else + _create_delegation=true fi else - if [[ -z "$(dig +short ${update_zone}. 
NS)" ]] ; then - fatal "No NS Record found for zone \033[1m${update_zone}.\033[m" - fi + _create_delegation=false fi fi +if $_create_delegation ; then + + # - Generate Subdomain delegation for zone update_zone + # - + if $terminal ; then + echo "" + echo -e " \033[32mGenerate Subdomain delegation for zone \033[37m\033[1m${update_zone}\033[m" + echo "" + fi + + echononl "Determin DNS master of '${dkim_domain}'.." + _dns_master="$(dig +short ${dkim_domain} SOA 2>/dev/null | awk '{print$1}' | sed 's/\.$//')" + if [[ -z "$_dns_master" ]]; then + echo_failed + fatal "Determin DNS master of '${dkim_domain}' failed!" + else + echo_ok + fi + + # - Check if Nameserver is accessable via ssh + # - + echononl "Check if Nameserver '$_dns_master' is accessable via ssh .." + ssh -q -p $dns_ssh_port \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=no \ + -i $dns_ssh_key \ + $dns_ssh_user@$_dns_master "ls" > /dev/null 2>&1 + if [[ $? -gt 0 ]] ;then + echo_failed + fatal "Nameserver \"$_dns_master\" is not reachable vis ssh!" + else + echo_ok + fi + + # - Check if Script '$set_new_serial_script' is accessable via ssh .." + echononl "Check if Script '$set_new_serial_script' .." + ssh -q -p $dns_ssh_port \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=no \ + -i $dns_ssh_key \ + $dns_ssh_user@$_dns_master "sudo $set_new_serial_script check" > /dev/null 2>&1 + if [[ $? -gt 0 ]] ;then + echo_failed + fatal "Script '$set_new_serial_script' is NOT accessable via ssh!" + else + echo_ok + fi + + # - Check if Script '$create_dkim_delegation_script' is accessable via ssh .." + echononl "Check if Script '$create_dkim_delegation_script'.." + ssh -q -p $dns_ssh_port \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=no \ + -i $dns_ssh_key \ + $dns_ssh_user@$_dns_master "sudo $create_dkim_delegation_script check" > /dev/null 2>&1 + if [[ $? -gt 0 ]] ;then + echo_failed + fatal "Script '$create_dkim_delegation_script' is NOT accessable via ssh!" 
+ else + echo_ok + fi + + blank_line + + echononl "Create NS Record (delegation) for '$update_zone'.." + ssh -q -p $dns_ssh_port \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=no \ + -i $dns_ssh_key \ + $dns_ssh_user@$_dns_master "sudo $create_dkim_delegation_script $dkim_domain" > /dev/null 2>&1 + ret_val=$? + case $ret_val in + 0) $terminal && echo_skipped + if $terminal ; then + info "DKIM subdomain delegation for \033[1m${update_zone}\033[m already exists." + else + echo "" + echo " [ Info ] DKIM subdomain delegation for ${update_zone} already exists." + echo "" + + fi + ;; + 1) $terminal && echo_ok + if $terminal ; then + info "DKIM subdomain delegation for \033[1m${update_zone}\033[m added." + else + echo "" + echo " [ Info ] DKIM subdomain delegation for ${update_zone} successfully added." + echo "" + + fi + ;; + 11) $terminal && echo_failed + fatal "No zonefile for domain '$dkim_domain' found!" + ;; + 15) $terminal && echo_failed + fatal "Domain '$dkim_domain' not supported!" + ;; + 16) $terminal && echo_failed + fatal "Determin nameservers for domain '$dkim_domain' failed!" + ;; + 21) $terminal && echo_failed + fatal "Adding NS Record for subdomain delegation failed!" + ;; + 99) $terminal && echo_failed + fatal "Fatal error!" + ;; + *) $terminal && echo_failed + fatal "Unknown exit code from remote script \"$create_dkim_delegation_script\"!" + ;; + esac + + + echononl "Increase serial an reload zone ($dkim_domain).." + ssh -q -p $dns_ssh_port \ + -o BatchMode=yes \ + -o StrictHostKeyChecking=no \ + -i $dns_ssh_key \ + $dns_ssh_user@$_dns_master "sudo $set_new_serial_script $dkim_domain" > /dev/null 2>&1 + ret_val=$? + case $ret_val in + 0) $terminal && echo_ok + if $terminal ; then + info "Serial is replaced and Zone is reloaded (\033[1m${update_zone}\033[m)." + else + echo "" + echo " [ Info ] Serial is replaced and Zone is reloaded (${update_zone})." + echo "" + + fi + ;; + 10) $terminal && echo_failed + fatal "Invalid Hostname/Domain given!" 
+ ;; + 11) $terminal && echo_failed + fatal "No zonefile found!" + ;; + 12) $terminal && echo_failed + fatal "Determin new Serial failed!" + ;; + 13) $terminal && echo_failed + fatal "Increasing Serial failed!" + ;; + 14) $terminal && echo_failed + fatal "Reloading Zone failed!" + ;; + 15) $terminal && echo_failed + fatal "Hostname/Domain not supported!" + ;; + 99) $terminal && echo_failed + fatal "Fatal error!" + ;; + *) $terminal && echo_failed + fatal "Unknown exit code from remote script \"$create_dkim_delegation_script\"!" + ;; + + esac + + +fi + + +if [[ -z "$(dig +short ${update_zone}. NS)" ]] ; then + fatal "No NS Record found for zone \033[1m${update_zone}.\033[m" +fi + # - Generate private/public keys # - if $terminal ; then
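Review bot: Every ssh call in the new delegation block passes `-o StrictHostKeyChecking=no` to a host taken from an unauthenticated `dig +short ${dkim_domain} SOA` answer, so the first connection to whatever host the SOA names is accepted without host-key verification and then runs `sudo …` there; a spoofed or stale SOA answer, or an on-path attacker, receives the key-based login and the commands. Pre-provision the master's host key and use `-o StrictHostKeyChecking=yes` (or `accept-new` where the local OpenSSH supports it), ideally with a dedicated `-o UserKnownHostsFile=` for this key. The `*)` arm of the second `case` (after `sudo $set_new_serial_script $dkim_domain`) names `$create_dkim_delegation_script` in its fatal message; it should name `$set_new_serial_script`. `$dkim_domain` is interpolated into the remote command line and re-parsed by the remote shell under sudo, so validating it once before this block, `[[ "$dkim_domain" =~ ^[A-Za-z0-9.-]+$ ]] || fatal "invalid domain '$dkim_domain'"`, keeps a stray value from becoming arbitrary remote input. The closing `dig +short ${update_zone}. NS` check runs immediately after the zone reload and will likely fail on a resolver that cached the earlier negative answer from the same run; querying the master directly with `dig @"$_dns_master" +short "${update_zone}." NS` would make the check reflect what was just added.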