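#!/bin/bash
#
# vdns-stack
# https://git.stack-source.com/msb/vdns-stack
# Copyright (c) 2024 Matthew Saunders Brown
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
#
# Audit Vmail domains for DKIM records: for every Vmail domain on this server
# (or the one given with -d) compare the DKIM key published in DNS with the key
# material kept under /etc/ssl/dkim/. This script only reports; the
# vdns-rr-rep.sh / vmail-dkim-add.sh lines it prints are commands for the
# operator to run, not actions it takes itself.

# load include file
# NOTE(review): vdns.sh is expected to define $thisfilename, vdns:getoptions
# (which sets $zone from -d and calls help for -h) and $zone_default_ns — confirm.
source "$(dirname "$0")/vdns.sh"

help() {
  echo "Audit Vmail domains for DKIM records."
  echo ""
  echo "usage: $thisfilename [-d ] [-h]"
  echo ""
  echo " -h Print this help."
  echo " -d Optional, domain to audit."
  echo " If domain not specified all Vmail domains on this server will be audited."
}

#######################################
# Tell whether a domain is delegated to this stack's nameservers.
# Globals:   zone_default_ns (read)
# Arguments: $1 - domain name
# Outputs:   nothing
# Returns:   0 if "$zone_default_ns." is one of the domain's NS records,
#            1 if the domain has NS records but ours is not among them,
#            2 if dig returned no NS records at all
#######################################
uses_our_nameservers() {
  local domain=$1
  local -a nameservers
  # dig writes its own diagnostics (";; ...") to stdout even with +short;
  # those lines are not nameservers and must not be counted as such.
  mapfile -t nameservers < <(/usr/bin/dig "$domain" ns +short | grep -v '^;')
  (( ${#nameservers[@]} > 0 )) || return 2
  local ns
  for ns in "${nameservers[@]}"; do
    # exact match on the fully-qualified name (trailing dot), as dig prints it
    [[ "$ns" == "$zone_default_ns." ]] && return 0
  done
  return 1
}

#######################################
# Extract the key material (the p= value) of a domain's published DKIM record.
# Arguments: $1 - DKIM selector
#            $2 - domain name
# Outputs:   the key on stdout; empty when nothing is published
#######################################
published_dkim_key() {
  local selector=$1 domain=$2
  # awk returns the last field split on '=' (records starting with "k=rsa; p="
  # or "v=DKIM1; k=rsa; p=" are both valid). dig splits a long TXT record into
  # several quoted chunks ("..." "..."), so every space and quote is stripped,
  # not only the first space.
  /usr/bin/dig "${selector}._domainkey.${domain}" TXT +short \
    | awk -F= '{print $NF}' \
    | tr -d ' "'
}

#######################################
# Audit one domain and print SUCCESS/WARNING/NOTICE/ERROR lines for it.
# Globals:   zone_default_ns (read, via uses_our_nameservers)
# Arguments: $1 - domain name
# Outputs:   report lines on stdout
# Returns:   0 always
#######################################
audit_domain() {
  local domain=$1
  local -r dkim_dir=/etc/ssl/dkim
  local uses_ours=FALSE
  local rc=0

  uses_our_nameservers "$domain" || rc=$?
  if (( rc == 2 )); then
    # domain returns zero nameservers (either unregistered, or registered but
    # no NS entries configured in DNS)
    echo "ERROR: no nameservers found for $domain"
    return 0
  elif (( rc == 0 )); then
    uses_ours=TRUE
  fi

  # no DKIM material on disk yet
  if [[ ! -f "$dkim_dir/$domain.dns" ]]; then
    if [[ "$uses_ours" == TRUE ]]; then
      # domain needs DKIM, uses our nameservers: print the command to run
      echo "vmail-dkim-add.sh -d $domain"
    else
      # domain uses other nameservers than ours: report where its mail goes
      local mxrecord mxarecord
      mxrecord=$(/usr/bin/dig "$domain" mx +short | cut -d ' ' -f 2)
      if [[ "$mxrecord" == "mail.$domain." ]]; then
        mxarecord=$(/usr/bin/dig "mail.$domain" +short)
        echo "NOTICE: $domain does not use our nameservers - $mxrecord - $mxarecord"
      else
        echo "NOTICE: $domain does not use our nameservers - $mxrecord"
      fi
    fi
    return 0
  fi

  if [[ ! -f "$dkim_dir/$domain.selector" ]]; then
    echo "WARNING: $domain is missing selector file $dkim_dir/$domain.selector."
    return 0
  fi
  # An empty/missing key file would otherwise compare equal to "no record
  # published" and be reported as SUCCESS.
  if [[ ! -s "$dkim_dir/$domain.dkim" ]]; then
    echo "WARNING: $domain is missing key file $dkim_dir/$domain.dkim."
    return 0
  fi

  local selector filedkim dnsdkim
  selector=$(<"$dkim_dir/$domain.selector")
  filedkim=$(<"$dkim_dir/$domain.dkim")
  dnsdkim=$(published_dkim_key "$selector" "$domain")

  # both sides quoted: a literal comparison, never a glob match
  if [[ "$dnsdkim" == "$filedkim" ]]; then
    echo "SUCCESS: DKIM for $domain verified"
  elif [[ -z "$dnsdkim" ]]; then
    if [[ "$uses_ours" == TRUE ]]; then
      # nothing published yet and we host the zone: print the command to run
      echo "vdns-rr-rep.sh -z $domain -n ${selector}._domainkey.${domain} -t TXT -r 'k=rsa; p=${filedkim}'"
    else
      echo "NOTICE: $domain does not use our nameservers. Manually add the following DNS record:"
      cat "$dkim_dir/$domain.dns"
    fi
  else
    echo "WARNING: DKIM for $domain failed verification. Do manual checks."
  fi
  return 0
}

#######################################
# Entry point: parse options, list the domains to audit, audit each one.
# Globals:   zone (read, set by vdns:getoptions from -d)
# Arguments: the script's command line
# Outputs:   report lines on stdout
#######################################
main() {
  vdns:getoptions "$@"

  local -a vmaildomains
  # The domain is the first comma-separated column of vmail-domains-get.sh
  # output; blank lines are dropped. $zone is operator input and is quoted so
  # it reaches the helper as one argument, without globbing or word-splitting.
  if [[ -n "$zone" ]]; then
    mapfile -t vmaildomains < <(/usr/local/bin/vmail-domains-get.sh -d "$zone" -c -t | awk -F, '$1 != "" {print $1}')
  else
    mapfile -t vmaildomains < <(/usr/local/bin/vmail-domains-get.sh -c -t | awk -F, '$1 != "" {print $1}')
  fi

  if (( ${#vmaildomains[@]} == 0 )); then
    if [[ -n "$zone" ]]; then
      echo "Vmail domain $zone not found."
    else
      echo "No Vmail domains found."
    fi
    return 0
  fi

  local domain
  for domain in "${vmaildomains[@]}"; do
    audit_domain "$domain"
  done
}

main "$@"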