vdns-stack/bin/vdns-audit-dkim.sh

101 lines
3.6 KiB
Bash
Raw Normal View History

2024-02-22 15:02:16 -08:00
#!/bin/bash
#
# vdns-stack
# https://git.stack-source.com/msb/vdns-stack
# Copyright (c) 2024 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
# load include file
source $(dirname $0)/vdns.sh
help()
{
echo "Audit Vmail domains for DKIM records."
echo ""
echo "usage: $thisfilename [-d <domain>] [-h]"
echo ""
echo " -h Print this help."
echo " -d <domain> Optional, domain to audit."
echo " If domain not specified all Vmail domains on this server will be audited."
}
vdns:getoptions "$@"
# check for zone (domain)
if [[ -n $zone ]]; then
vmaildomains=($(/usr/local/bin/vmail-domains-get.sh -d $zone -c -t|cut -d , -f 1))
else
vmaildomains=($(/usr/local/bin/vmail-domains-get.sh -c -t|cut -d , -f 1|tr '\n' ' '))
fi
if [[ ${#vmaildomains[@]} > 0 ]]; then
for domain in "${vmaildomains[@]}"; do
# get nameservers for domain
nameservers=(`/usr/bin/dig $domain ns +short`)
# check number of nameservers returned
if [[ ${#nameservers[@]} = 0 ]]; then
# domain returns zero nameservers (either unregistered, or registered but no NS entries configured in DNS)
echo ERROR: no nameservers found for $domain
continue
elif [[ ${#nameservers[@]} -gt 0 ]]; then
usesours=FALSE
if [[ " ${nameservers[*]} " =~ " $zone_default_ns. " ]]; then
usesours=TRUE
fi
else
echo ERROR: unexpected nameserver count for $domain
continue
fi
# check for existing DKIM
if [[ -f /etc/ssl/dkim/$domain.dns ]]; then
if [[ -f /etc/ssl/dkim/$domain.selector ]]; then
SELECTOR=`cat /etc/ssl/dkim/$domain.selector`
# awk returns last field split on = (records starting with "k=rsa; p=" or "v=DKIM1; k=rsa; p=" are both valid)
# sed removes spaces, then removes quotes
DNSDKIM=`/usr/bin/dig $SELECTOR._domainkey.$domain TXT +short|awk -F= '{print $NF}'|sed 's/ //'|sed 's/"//g'`
FILEDKIM=`cat /etc/ssl/dkim/$domain.dkim`
if [[ $DNSDKIM = $FILEDKIM ]]; then
echo SUCCESS: DKIM for $domain verified
elif [[ $DNSDKIM = '' ]]; then
if [[ $usesours = TRUE ]]; then
dnsname=`cat /etc/ssl/dkim/$domain.selector`
dnsname="$dnsname._domainkey.$domain"
dnsrecord=`cat /etc/ssl/dkim/$domain.dkim`
dnsrecord="k=rsa; p=$dnsrecord"
echo vdns-rr-rep.sh -z $domain -n $dnsname -t TXT -r \'$dnsrecord\'
else
NOTICE: $domain does not use our nameservers. Manually add the following DNS record:
cat /etc/ssl/dkim/$domain.dns
fi
else
echo "WARNING: DKIM for $domain failed verification. Do manual checks."
fi
else
echo WARNING: $domain is missing selector file /etc/ssl/dkim/$domain.selector.
fi
else
if [[ $usesours = TRUE ]]; then
# domain needs DKIM, uses our nameservers
echo vmail-dkim-add.sh -d $domain
else
# domain uses other nameservers than ours
unset mxrecord
mxrecord=`/usr/bin/dig $domain mx +short|cut -d ' ' -f 2`
if [[ $mxrecord = mail.$domain. ]]; then
unset mxarecord
mxarecord=`/usr/bin/dig mail.$domain +short`
echo NOTICE: $domain does not use our nameservers - $mxrecord - $mxarecord
else
echo NOTICE: $domain does not use our nameservers - $mxrecord
fi
fi
fi
done
else
if [[ -n $zone ]]; then
echo "Vmail domain $zone not found."
else
echo "No Vmail domains found."
fi
fi