From 22322f5d5f20a744c9408a6ec6fe97dca8588ae9 Mon Sep 17 00:00:00 2001 From: bilogic <946010+bilogic@users.noreply.github.com> Date: Sun, 21 Apr 2024 17:01:52 +0800 Subject: [PATCH 1/4] auto formatting, no change in logic --- setup/start.sh | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/setup/start.sh b/setup/start.sh index dbf1c16c..995e1ac6 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -14,9 +14,9 @@ source setup/preflight.sh # Python may not be able to read/write files. This is also # in the management daemon startup script and the cron script. -if ! locale -a | grep en_US.utf8 > /dev/null; then - # Generate locale if not exists - hide_output locale-gen en_US.UTF-8 +if ! locale -a | grep en_US.utf8 >/dev/null; then + # Generate locale if not exists + hide_output locale-gen en_US.UTF-8 fi export LANGUAGE=en_US.UTF-8 @@ -35,7 +35,7 @@ if [ -f /etc/mailinabox.conf ]; then # Load the old .conf file to get existing configuration options loaded # into variables with a DEFAULT_ prefix. - cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ > /tmp/mailinabox.prev.conf + cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf source /tmp/mailinabox.prev.conf rm -f /tmp/mailinabox.prev.conf else @@ -44,7 +44,7 @@ fi # Put a start script in a global location. We tell the user to run 'mailinabox' # in the first dialog prompt, so we should do this before that starts. -cat > /usr/local/bin/mailinabox << EOF; +cat >/usr/local/bin/mailinabox < "$STORAGE_ROOT/mailinabox.version" + setup/migrate.py --current >"$STORAGE_ROOT/mailinabox.version" chown "$STORAGE_USER:$STORAGE_USER" "$STORAGE_ROOT/mailinabox.version" fi 
@@ -92,7 +95,7 @@ fi # tools know where to look for data. The default MTA_STS_MODE setting # is blank unless set by an environment variable, but see web.sh for # how that is interpreted. -cat > /etc/mailinabox.conf << EOF; +cat >/etc/mailinabox.conf < Date: Sun, 21 Apr 2024 17:26:30 +0800 Subject: [PATCH 2/4] override with config in storage root if it exists --- setup/start.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/start.sh b/setup/start.sh index 995e1ac6..7bca5e9a 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -38,6 +38,13 @@ if [ -f /etc/mailinabox.conf ]; then cat /etc/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf source /tmp/mailinabox.prev.conf rm -f /tmp/mailinabox.prev.conf + + # Since this is a second run, attempt to read overridden settings from $STORAGE_ROOT/mailinabox.conf + if [ -f $DEFAULT_STORAGE_ROOT/mailinabox.conf ]; then + cat $DEFAULT_STORAGE_ROOT/mailinabox.conf | sed s/^/DEFAULT_/ >/tmp/mailinabox.prev.conf + source /tmp/mailinabox.prev.conf + rm -f /tmp/mailinabox.prev.conf + fi else FIRST_TIME_SETUP=1 fi From 09fb6d0ad8de41e189bc6aef7d377bfe2d75dd2e Mon Sep 17 00:00:00 2001 From: bilogic <946010+bilogic@users.noreply.github.com> Date: Sun, 21 Apr 2024 18:04:40 +0800 Subject: [PATCH 3/4] auto formatting, no change in logic --- setup/dkim.sh | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/setup/dkim.sh b/setup/dkim.sh index e4def11f..2be668f0 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -6,7 +6,7 @@ # # The DNS configuration for DKIM is done in the management daemon. -source setup/functions.sh # load our functions +source setup/functions.sh # load our functions source /etc/mailinabox.conf # load global vars # Install DKIM... 
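Review bot: The block added in the `@@ -38,6 +38,13 @@` hunk of setup/start.sh sources a file from `$DEFAULT_STORAGE_ROOT` into the setup shell, so whoever can write `mailinabox.conf` there controls every `DEFAULT_` value, and any shell syntax in it runs with the installer's privileges. Context elsewhere in this series chowns files under the storage root to `$STORAGE_USER`, so that directory is presumably writable by a less privileged account than the one running setup; check that the file is root-owned before loading it. The path is also expanded unquoted in both the `-f` test and the `cat`, and the fixed name `/tmp/mailinabox.prev.conf` is reused where `mktemp` would avoid a predictable path in a world-writable directory. The comment should also say that the override can replace `DEFAULT_STORAGE_ROOT` itself.

```shell
# … unchanged: load /etc/mailinabox.conf into DEFAULT_ variables …
override_conf="$DEFAULT_STORAGE_ROOT/mailinabox.conf"
# Only trust an override that root owns; it is about to be executed by `source`.
if [ -f "$override_conf" ] && [ "$(stat -c '%U' "$override_conf")" = "root" ]; then
	prev_conf=$(mktemp)
	sed 's/^/DEFAULT_/' "$override_conf" >"$prev_conf"
	source "$prev_conf"
	rm -f "$prev_conf"
fi
```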
@@ -14,12 +14,12 @@ echo "Installing OpenDKIM/OpenDMARC..." apt_install opendkim opendkim-tools opendmarc # Make sure configuration directories exist. -mkdir -p /etc/opendkim; +mkdir -p /etc/opendkim mkdir -p "$STORAGE_ROOT/mail/dkim" # Used in InternalHosts and ExternalIgnoreList configuration directives. # Not quite sure why. -echo "127.0.0.1" > /etc/opendkim/TrustedHosts +echo "127.0.0.1" >/etc/opendkim/TrustedHosts # We need to at least create these files, since we reference them later. # Otherwise, opendkim startup will fail @@ -30,7 +30,7 @@ if grep -q "ExternalIgnoreList" /etc/opendkim.conf; then true # already done #NODOC else # Add various configuration options to the end of `opendkim.conf`. - cat >> /etc/opendkim.conf << EOF; + cat >>/etc/opendkim.conf < Date: Sun, 21 Apr 2024 18:05:58 +0800 Subject: [PATCH 4/4] allow a custom dkim selector --- management/dns_update.py | 7 ++++--- setup/dkim.sh | 4 ++-- setup/start.sh | 1 + 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/management/dns_update.py b/management/dns_update.py index 599f27b1..9a91342e 100755 --- a/management/dns_update.py +++ b/management/dns_update.py @@ -291,7 +291,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True) # Append the DKIM TXT record to the zone as generated by OpenDKIM. # Skip if the user has set a DKIM record already. - opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt') + opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.txt') with open(opendkim_record_file, encoding="utf-8") as orf: m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) val = "".join(re.findall(r'"([^"]+)"', m.group(2))) 
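Review bot: `env['DKIM_SELECTOR']` is concatenated into the record path in build_zone (hunk `@@ -291,7 +291,7 @@`) with no validation and no fallback, and the `@@ -752,12 +752,13 @@` hunk in write_opendkim_tables does the same for the key path. A configuration that lacks the key raises KeyError, and a value containing `/`, `:` or whitespace would resolve outside `mail/dkim` or break the `domain:selector:keyfile` KeyTable entry. Reading it once as `selector = env.get('DKIM_SELECTOR', 'mail')` and rejecting anything that is not a single DNS label, e.g. `if not re.fullmatch(r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?', selector): raise ValueError('invalid DKIM selector')`, would cover both places. Both functions start and end outside their hunks, so whether other code still assumes the `mail` selector cannot be checked from here.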
@@ -752,12 +752,13 @@ def write_opendkim_tables(domains, env): # Append a record to OpenDKIM's KeyTable and SigningTable for each domain # that we send mail from (zones and all subdomains). - opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private') + opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.private') if not os.path.exists(opendkim_key_file): # Looks like OpenDKIM is not installed. return False + selector=env['DKIM_SELECTOR'] config = { # The SigningTable maps email addresses to a key in the KeyTable that # specifies signing information for matching email addresses. Here we @@ -777,7 +778,7 @@ def write_opendkim_tables(domains, env): # signing domain must match the sender's From: domain. "KeyTable": "".join( - f"{domain} {domain}:mail:{opendkim_key_file}\n" + f"{domain} {domain}:{selector}:{opendkim_key_file}\n" for domain in domains ), } diff --git a/setup/dkim.sh b/setup/dkim.sh index 2be668f0..3afa7463 100755 --- a/setup/dkim.sh +++ b/setup/dkim.sh @@ -52,8 +52,8 @@ fi # A 1024-bit key is seen as a minimum standard by several providers # such as Google. But they and others use a 2048 bit key, so we'll # do the same. Keys beyond 2048 bits may exceed DNS record limits. -if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then - opendkim-genkey -b 2048 -r -s mail -D "$STORAGE_ROOT/mail/dkim" +if [ ! -f "$STORAGE_ROOT/mail/dkim/$DKIM_SELECTOR.private" ]; then + opendkim-genkey -b 2048 -r -s $DKIM_SELECTOR -D $STORAGE_ROOT/mail/dkim fi # Ensure files are owned by the opendkim user and are private otherwise. diff --git a/setup/start.sh b/setup/start.sh index 7bca5e9a..38f7451d 100755 --- a/setup/start.sh +++ b/setup/start.sh @@ -111,6 +111,7 @@ PUBLIC_IPV6=$PUBLIC_IPV6 PRIVATE_IP=$PRIVATE_IP PRIVATE_IPV6=$PRIVATE_IPV6 MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce} +DKIM_SELECTOR=${DEFAULT_DKIM_SELECTOR:-mail} EOF # Start service configuration.
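Review bot: In write_opendkim_tables (`@@ -752,12 +752,13 @@`), `selector=env['DKIM_SELECTOR']` is assigned after the same lookup has already been used to build `opendkim_key_file`, and it lacks spaces around `=`. Moving the assignment above the path and reusing it, `selector = env['DKIM_SELECTOR']` then `opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim', selector + '.private')`, gives one source for the value that the `@@ -777,7 +777,7 @@` hunk interpolates into the KeyTable. The comment `# Looks like OpenDKIM is not installed.` is no longer the only explanation for a missing file: presumably a selector changed without rerunning setup ends in the same `return False`, and the comment should say so.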
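Review bot: The rewritten `opendkim-genkey` line in setup/dkim.sh drops the quotes the old line had around `"$STORAGE_ROOT/mail/dkim"` and adds an unquoted `$DKIM_SELECTOR`, so both expansions are subject to word splitting and globbing. If `DKIM_SELECTOR` is empty or unset, `-s` is left without its own argument and the `-f` test above looks for a file named `.private`. Suggested: `opendkim-genkey -b 2048 -r -s "${DKIM_SELECTOR:-mail}" -D "$STORAGE_ROOT/mail/dkim"`, with the same default applied in the test.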
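Review bot: `DKIM_SELECTOR=${DEFAULT_DKIM_SELECTOR:-mail}` writes the value unquoted and unchecked into `/etc/mailinabox.conf`, a file that setup/dkim.sh loads with `source`. A selector containing spaces or shell metacharacters is then interpreted as shell syntax on the next load rather than as data, and the value can now also originate from the storage-root override added in patch 2/4. Validating before the heredoc, e.g. `[[ "${DEFAULT_DKIM_SELECTOR:-mail}" =~ ^[A-Za-z0-9-]+$ ]] || { echo "Invalid DKIM_SELECTOR" >&2; exit 1; }`, keeps the file safe to source. The heredoc starts outside this hunk.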