#!/bin/bash
#
# vdns-stack
# https://git.stack-source.com/msb/vdns-stack
# Copyright (c) 2024 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
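# load include file; vdns.sh is expected to provide vdns:getoptions,
# $thisfilename and $zone_default_ns (all referenced below but not defined here).
# Quoted so a script path containing spaces still resolves.
source "$(dirname "$0")/vdns.sh"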
#######################################
# Print the usage text for this script.
# Globals:   thisfilename (read; set by the sourced vdns.sh)
# Outputs:   help text on stdout
#######################################
help() {
  # heredoc keeps the text in one place; $thisfilename is expanded
  cat <<EOF
Audit Vmail domains for DKIM records.

usage: $thisfilename [-d <domain>] [-h]

 -h Print this help.
 -d <domain> Optional, domain to audit.
 If domain not specified all Vmail domains on this server will be audited.
EOF
}
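# parse command line (-d <domain> / -h); sets $zone. Defined in vdns.sh.
vdns:getoptions "$@"

#######################################
# Audit one Vmail domain: look up its nameservers, then compare the
# DKIM key kept on disk with the TXT record published in DNS.
# Globals:   zone_default_ns (read; from vdns.sh) - our nameserver name
# Arguments: $1 - domain to audit
# Outputs:   one SUCCESS/ERROR/WARNING/NOTICE line, or the command that
#            would fix the domain (printed, not executed), on stdout
# Returns:   0 always; findings are reported, not signalled
#######################################
audit_domain() {
  local domain=$1
  local -r dkimdir=/etc/ssl/dkim
  local -a nameservers=()
  local usesours=FALSE
  local selector filedkim dnsdkim dnsname dnsrecord mxrecord mxarecord

  # get nameservers for domain; +short prints one NS name per line
  mapfile -t nameservers < <(/usr/bin/dig "$domain" ns +short)
  if (( ${#nameservers[@]} == 0 )); then
    # domain returns zero nameservers (either unregistered, or registered but no NS entries configured in DNS)
    echo "ERROR: no nameservers found for $domain"
    return 0
  fi
  # fully quoted regex => literal match of " <our ns>. " in the NS list
  if [[ " ${nameservers[*]} " =~ " $zone_default_ns. " ]]; then
    usesours=TRUE
  fi

  # no DKIM key on disk yet
  if [[ ! -f "$dkimdir/$domain.dns" ]]; then
    if [[ $usesours == TRUE ]]; then
      # domain needs DKIM, uses our nameservers
      echo "vmail-dkim-add.sh -d $domain"
    else
      # domain uses other nameservers than ours; report where its mail goes
      mxrecord=$(/usr/bin/dig "$domain" mx +short | cut -d ' ' -f 2)
      if [[ "$mxrecord" == "mail.$domain." ]]; then
        mxarecord=$(/usr/bin/dig "mail.$domain" +short)
        echo "NOTICE: $domain does not use our nameservers - $mxrecord - $mxarecord"
      else
        echo "NOTICE: $domain does not use our nameservers - $mxrecord"
      fi
    fi
    return 0
  fi

  if [[ ! -f "$dkimdir/$domain.selector" ]]; then
    echo "WARNING: $domain is missing selector file $dkimdir/$domain.selector."
    return 0
  fi
  # without the key file the comparison below would match an empty DNS
  # answer against an empty string and report SUCCESS; refuse instead
  if [[ ! -f "$dkimdir/$domain.dkim" ]]; then
    echo "WARNING: $domain is missing key file $dkimdir/$domain.dkim."
    return 0
  fi

  selector=$(<"$dkimdir/$domain.selector")
  filedkim=$(<"$dkimdir/$domain.dkim")

  # awk returns last field split on = (records starting with "k=rsa; p=" or "v=DKIM1; k=rsa; p=" are both valid)
  # tr removes the quotes and every space: a long key is published as several
  # quoted strings, and the spaces between all of them must go
  dnsdkim=$(/usr/bin/dig "$selector._domainkey.$domain" TXT +short \
    | awk -F= '{print $NF}' | tr -d ' "')

  if [[ "$dnsdkim" == "$filedkim" ]]; then
    echo "SUCCESS: DKIM for $domain verified"
  elif [[ -z "$dnsdkim" ]]; then
    if [[ $usesours == TRUE ]]; then
      dnsname="$selector._domainkey.$domain"
      dnsrecord="k=rsa; p=$filedkim"
      # print the command that would publish the record; nothing is changed here
      echo "vdns-rr-rep.sh -z $domain -n $dnsname -t TXT -r '$dnsrecord'"
    else
      # was a bare line without echo, i.e. an attempt to run a command named "NOTICE:"
      echo "NOTICE: $domain does not use our nameservers. Manually add the following DNS record:"
      cat "$dkimdir/$domain.dns"
    fi
  else
    echo "WARNING: DKIM for $domain failed verification. Do manual checks."
  fi
  return 0
}

# check for zone (domain): audit just that one, or every Vmail domain on this server.
# vmail-domains-get.sh -c -t emits CSV; the first field is the domain name.
if [[ -n $zone ]]; then
  domainlist=$(/usr/local/bin/vmail-domains-get.sh -d "$zone" -c -t | cut -d , -f 1)
else
  domainlist=$(/usr/local/bin/vmail-domains-get.sh -c -t | cut -d , -f 1)
fi
vmaildomains=()
while IFS= read -r line; do
  # skip blank lines so an empty result yields an empty array
  [[ -n $line ]] && vmaildomains+=("$line")
done <<<"$domainlist"

if (( ${#vmaildomains[@]} > 0 )); then
  for domain in "${vmaildomains[@]}"; do
    audit_domain "$domain"
  done
elif [[ -n $zone ]]; then
  echo "Vmail domain $zone not found."
else
  echo "No Vmail domains found."
fi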