Allow manual domains for dkim generator (#1753)

* Allow manual domains for dkim generator * Document the DKIM manual mode * Remove unnecessary quotes * updating default value usage and "" in [[ ]] * Change parameter expansion * Add test for manual dkim domains * Remove obsolete script * Add manual dkim mode to usage * Move manual dkim guide into quickstart section * Cover case that key for domain already exists * Set default dkim key size to 4096 Co-authored-by: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Co-authored-by: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com>
2021-01-27 14:09:24 +01:00 · 2021-01-27 14:09:24 +01:00 · 4616894fbf
parent 23984e3f07
commit 4616894fbf
5 changed files with 93 additions and 85 deletions
--- a/README.md
+++ b/README.md
@ -119,6 +119,14 @@ docker-compose up -d mail
 ./setup.sh -Z config dkim
 ```

+If you are using a LDAP setup the setup looks a bit different as you do not add user accounts directly. Therefore `postfix` doesn't know your domain(s) and you need to provide it when configuring `dkim`:
+
+``` BASH
+docker-compose up -d mail
+
+./setup.sh config dkim <key-size> <domain.tld>[,<domain2.tld>]
+```
+
 ### Miscellaneous

 #### DNS - DKIM
--- a/setup.sh
+++ b/setup.sh
@ -142,7 +142,7 @@ SUBCOMMANDS:

  config:

-    ${0} config dkim <keysize> (default: 2048)
+    ${0} config dkim <keysize> (default: 4096) <domain> (optional - for LDAP systems)
    ${0} config ssl <fqdn>

  relay:
@ -317,13 +317,13 @@ function _main
      shift ; case ${1:-} in
        set      ) shift ; _docker_image setquota "${@}" ;;
        del      ) shift ; _docker_image delquota "${@}" ;;
-        *        )   _usage ;;
+        *        ) _usage ;;
      esac
      ;;

    config)
      shift ; case ${1:-} in
-        dkim     ) _docker_image generate-dkim-config "${2:-2048}" ;;
+        dkim     ) _docker_image generate-dkim-config "${2:-4096}" "${3:-}" ;;
        ssl      ) _docker_image generate-ssl-certificate "${2}" ;;
        *        ) _usage ;;
      esac
--- a/target/bin/generate-dkim-config
+++ b/target/bin/generate-dkim-config
@ -3,30 +3,37 @@
 touch /tmp/vhost.tmp

 # if no keysize is provided, 2048 is default.
-KEYSIZE=${1:-2048}
+KEYSIZE=${1:-4096}
+# optional domain names
+DOMAINS=${2:-}

-# Getting domains FROM mail accounts
-if [[ -f /tmp/docker-mailserver/postfix-accounts.cf ]]
+if [[ -z ${DOMAINS} ]]
 then
-  # shellcheck disable=SC2034
-  while IFS=$'|' read -r LOGIN PASS
-  do
-    DOMAIN=$(echo "${LOGIN}" | cut -d @ -f2)
-    echo "${DOMAIN}" >>/tmp/vhost.tmp
-  done < <(grep -v "^\s*$\|^\s*\#" /tmp/docker-mailserver/postfix-accounts.cf || true)
-fi
+    # getting domains FROM mail accounts
+    if [[ -f /tmp/docker-mailserver/postfix-accounts.cf ]]
+    then
+        # shellcheck disable=SC2034
+        while IFS=$'|' read -r LOGIN PASS
+        do
+            DOMAIN=$(echo "${LOGIN}" | cut -d @ -f2)
+            echo "${DOMAIN}" >>/tmp/vhost.tmp
+        done < <(grep -v "^\s*$\|^\s*\#" /tmp/docker-mailserver/postfix-accounts.cf || true)
+    fi

-# Getting domains FROM mail aliases
-if [[ -f /tmp/docker-mailserver/postfix-virtual.cf ]]
-then
-  # shellcheck disable=SC2034
-  while read -r FROM TO
-  do
-    UNAME=$(echo "${FROM}" | cut -d @ -f1)
-    DOMAIN=$(echo "${FROM}" | cut -d @ -f2)
+        # Getting domains FROM mail aliases
+    if [[ -f /tmp/docker-mailserver/postfix-virtual.cf ]]
+    then
+        # shellcheck disable=SC2034
+        while read -r FROM TO
+        do
+            UNAME=$(echo "${FROM}" | cut -d @ -f1)
+            DOMAIN=$(echo "${FROM}" | cut -d @ -f2)

-    test "${UNAME}" != "${DOMAIN}" && echo "${DOMAIN}" >>/tmp/vhost.tmp
-  done < <(grep -v "^\s*$\|^\s*\#" /tmp/docker-mailserver/postfix-virtual.cf || true)
+            test "${UNAME}" != "${DOMAIN}" && echo "${DOMAIN}" >>/tmp/vhost.tmp
+        done < <(grep -v "^\s*$\|^\s*\#" /tmp/docker-mailserver/postfix-virtual.cf || true)
+    fi
+else
+    tr ',' '\n' <<<"${DOMAINS}" > /tmp/vhost.tmp
 fi

 # keeping unique entries
--- a/target/bin/generate-dkim-domain
+++ b/target/bin/generate-dkim-domain
@ -1,44 +0,0 @@
-#! /bin/bash
-
-set -e
-
-if [[ ${#} -ne 1 ]]
-then
-  echo "${0}: usage: generate-dkim-domain domain"
-  exit 1
-fi
-
-DOMAINNAME=${1}
-mkdir -p "/tmp/docker-mailserver/opendkim/keys/${DOMAINNAME}"
-
-if [[ ! -f "/tmp/docker-mailserver/opendkim/keys/${DOMAINNAME}/mail.private" ]]
-then
-  echo "Creating DKIM private key /tmp/docker-mailserver/opendkim/keys/${DOMAINNAME}/mail.private"
-  opendkim-genkey --subdomains --domain="${DOMAINNAME}" --selector=mail -D "/tmp/docker-mailserver/opendkim/keys/${DOMAINNAME}"
-fi
-
-# Write to KeyTable if necessary
-KEYTABLEENTRY="mail._domainkey.${DOMAINNAME} ${DOMAINNAME}:mail:/etc/opendkim/keys/${DOMAINNAME}/mail.private"
-if [[ ! -f "/tmp/docker-mailserver/opendkim/KeyTable" ]]
-then
-  echo "Creating DKIM KeyTable"
-  echo "${KEYTABLEENTRY}" > /tmp/docker-mailserver/opendkim/KeyTable
-else
-  if ! grep -q "${KEYTABLEENTRY}" "/tmp/docker-mailserver/opendkim/KeyTable"
-  then
-    echo "${KEYTABLEENTRY}" >> /tmp/docker-mailserver/opendkim/KeyTable
-  fi
-fi
-
-# Write to SigningTable if necessary
-SIGNINGTABLEENTRY="*@${DOMAINNAME} mail._domainkey.${DOMAINNAME}"
-if [[ ! -f /tmp/docker-mailserver/opendkim/SigningTable ]]
-then
-  echo "Creating DKIM SigningTable"
-  echo "*@${DOMAINNAME} mail._domainkey.${DOMAINNAME}" > /tmp/docker-mailserver/opendkim/SigningTable
-else
-  if ! grep -q "${SIGNINGTABLEENTRY}" "/tmp/docker-mailserver/opendkim/SigningTable"
-  then
-    echo "${SIGNINGTABLEENTRY}" >>/tmp/docker-mailserver/opendkim/SigningTable
-  fi
-fi
--- a/test/tests.bats
+++ b/test/tests.bats
@ -461,12 +461,12 @@ EOF


 # this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
-# Instead it tests the file-size (here 511) - which may differ with a different domain names
+# Instead it tests the file-size (here 861) - which may differ with a different domain names
 # This test may be re-used as a global test to provide better test coverage.
@test "checking opendkim: generator creates default keys size" {
    local PRIVATE_CONFIG
    PRIVATE_CONFIG="$(duplicate_config_for_container . mail_default_key_size)"
-    # Prepare default key size 2048
+    # Prepare default key size 4096
    rm -rf "${PRIVATE_CONFIG}/keyDefault"
    mkdir -p "${PRIVATE_CONFIG}/keyDefault"

@ -484,10 +484,36 @@ EOF
    /bin/sh -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'

  assert_success
-  assert_output 511
+  assert_output 861
 }

 # this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
+# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
+# Instead it tests the file-size (here 861) - which may differ with a different domain names
+# This test may be re-used as a global test to provide better test coverage.
+@test "checking opendkim: generator creates key size 4096" {
+    local PRIVATE_CONFIG
+    PRIVATE_CONFIG="$(duplicate_config_for_container . mail_key_size_4096)"
+    # Prepare set key size 4096
+    rm -rf "${PRIVATE_CONFIG}/key4096"
+    mkdir -p "${PRIVATE_CONFIG}/config/key4096"
+    run docker run --rm \
+      -v "${PRIVATE_CONFIG}/key2048/":/tmp/docker-mailserver/ \
+      -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
+      -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
+      "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-config 4096 | wc -l'
+    assert_success
+    assert_output 6
+
+  run docker run --rm \
+    -v "${PRIVATE_CONFIG}/key2048/opendkim":/etc/opendkim \
+    "${IMAGE_NAME:?}" \
+    /bin/sh -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
+
+  assert_success
+  assert_output 861
+}
+
 # Instead it tests the file-size (here 511) - which may differ with a different domain names
 # This test may be re-used as a global test to provide better test coverage.
@test "checking opendkim: generator creates key size 2048" {
@ -633,39 +659,50 @@ EOF
  assert_output 4
 }

-@test "checking opendkim: generator creates keys, tables and TrustedHosts using domain name" {
+@test "checking opendkim: generator creates keys, tables and TrustedHosts using manual provided domain name" {
  local PRIVATE_CONFIG
  PRIVATE_CONFIG="$(duplicate_config_for_container . "${BATS_TEST_NAME}")"
  rm -rf "${PRIVATE_CONFIG}/with-domain" && mkdir -p "${PRIVATE_CONFIG}/with-domain"
+  # Generate first key
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
-    -v "${PRIVATE_CONFIG}/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-    -v "${PRIVATE_CONFIG}/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
-    "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-config | wc -l'
+    "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-config 2048 domain1.tld| wc -l'
  assert_success
-  assert_output 6
-  # Generate key using domain name
+  assert_output 4
+  # Generate two additional keys different to the previous one
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
-    "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-domain testdomain.tld | wc -l'
+    "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-config 2048 'domain2.tld,domain3.tld' | wc -l'
+  assert_success
+  assert_output 2
+  # Generate an additional key whilst providing already existing domains
+  run docker run --rm \
+    -v "${PRIVATE_CONFIG}/with-domain/":/tmp/docker-mailserver/ \
+    "${IMAGE_NAME:?}" /bin/sh -c 'generate-dkim-config 2048 'domain3.tld,domain4.tld' | wc -l'
  assert_success
  assert_output 1
-  # Check keys for localhost.localdomain
+  # Check keys for domain1.tld
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
+    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/domain1.tld/ | wc -l'
  assert_success
  assert_output 2
-  # Check keys for otherdomain.tld
+  # Check keys for domain2.tld
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
+    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/domain2.tld | wc -l'
  assert_success
  assert_output 2
-  # Check keys for testdomain.tld
+  # Check keys for domain3.tld
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
-    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/testdomain.tld | wc -l'
+    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/domain3.tld | wc -l'
+  assert_success
+  assert_output 2
+  # Check keys for domain4.tld
+  run docker run --rm \
+    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
+    "${IMAGE_NAME:?}" /bin/sh -c 'ls -1 /etc/opendkim/keys/domain4.tld | wc -l'
  assert_success
  assert_output 2
  # Check presence of tables and TrustedHosts
@ -678,14 +715,14 @@ EOF
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
    "${IMAGE_NAME:?}" /bin/sh -c \
-    "egrep 'localhost.localdomain|otherdomain.tld|localdomain2.com|testdomain.tld' /etc/opendkim/KeyTable | wc -l"
+    "egrep 'domain1.tld|domain2.tld|domain3.tld|domain4.tld' /etc/opendkim/KeyTable | wc -l"
  assert_success
  assert_output 4
  # Check valid entries actually present in SigningTable
  run docker run --rm \
    -v "${PRIVATE_CONFIG}/with-domain/opendkim":/etc/opendkim \
    "${IMAGE_NAME:?}" /bin/sh -c \
-    "egrep 'localhost.localdomain|otherdomain.tld|localdomain2.com|testdomain.tld' /etc/opendkim/SigningTable | wc -l"
+    "egrep 'domain1.tld|domain2.tld|domain3.tld|domain4.tld' /etc/opendkim/SigningTable | wc -l"
  assert_success
  assert_output 4
 }