external/mailinabox
1
0
Fork 0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-24 02:37:05 +00:00
Code Issues Releases Wiki Activity

migrate existing rsa keys

Browse Source
This commit is contained in:
KiekerJan 2022-12-30 17:08:10 +01:00
parent ec2d38414d
commit b5807fbf8e
2 changed files with 29 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
management/dns_update.py
View File

@ -298,7 +298,7 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
# Append the DKIM TXT record to the zone as generated by DKIMpy. # Append the DKIM TXT record to the zone as generated by DKIMpy.
# Skip if the user has set a DKIM record already. # Skip if the user has set a DKIM record already.
dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-rsa.dns') dkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.dns')
with open(dkim_record_file) as orf: with open(dkim_record_file) as orf:
m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S) m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S)
val = "".join(re.findall(r'"([^"]+)"', m.group(2))) val = "".join(re.findall(r'"([^"]+)"', m.group(2)))
@ -773,7 +773,7 @@ def write_dkim_tables(domains, env):
# Append a record to DKIMpy's KeyTable and SigningTable for each domain # Append a record to DKIMpy's KeyTable and SigningTable for each domain
# that we send mail from (zones and all subdomains). # that we send mail from (zones and all subdomains).
dkim_rsa_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-rsa.key') dkim_rsa_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.key')
dkim_ed_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-ed25519.key') dkim_ed_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/box-ed25519.key')
if not os.path.exists(dkim_rsa_key_file) or not os.path.exists(dkim_ed_key_file): if not os.path.exists(dkim_rsa_key_file) or not os.path.exists(dkim_ed_key_file):
@ -799,7 +799,7 @@ def write_dkim_tables(domains, env):
# signing domain must match the sender's From: domain. # signing domain must match the sender's From: domain.
"KeyTable": "KeyTable":
"".join( "".join(
"{domain} {domain}:box-rsa:{key_file}\n".format(domain=domain, key_file=dkim_rsa_key_file) "{domain} {domain}:mail:{key_file}\n".format(domain=domain, key_file=dkim_rsa_key_file)
for domain in domains for domain in domains
), ),
"KeyTableEd25519": "KeyTableEd25519":

37
setup/dkim.sh
View File

@ -39,26 +39,39 @@ tools/editconf.py /etc/dkimpy-milter/dkimpy-milter.conf -s \
"SigningTable=refile:/etc/dkim/SigningTable" \ "SigningTable=refile:/etc/dkim/SigningTable" \
"Socket=inet:8892@127.0.0.1" "Socket=inet:8892@127.0.0.1"
# Create a new DKIM key. This creates mail.private and mail.txt # Create a new DKIM key. This creates mail.key and mail.dns
# in $STORAGE_ROOT/mail/dkim. The former is the private key and # in $STORAGE_ROOT/mail/dkim. The former is the private key and
# the latter is the suggested DNS TXT entry which we'll include # the latter is the suggested DNS TXT entry which we'll include
# in our DNS setup. Note that the files are named after the # in our DNS setup. Note that the files are named after the
# 'selector' of the key, which we can change later on to support # 'selector' of the key, which we can change later on to support
# key rotation. # key rotation.
if [ ! -f "$STORAGE_ROOT/mail/dkim/box-rsa.key" ]; then if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.key" ]; then
# All defaults are supposed to be ok, default key for rsa is 2048 bit # Check if there is an existing rsa key
dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim/box-rsa if [ -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
# Change format from pkcs#8 to pkcs#1, dkimpy seemingly is not able to handle the #8 format # Re-use existing key
# See bug https://bugs.launchpad.net/dkimpy/+bug/1978835 cp -f $STORAGE_ROOT/mail/dkim/mail.private $STORAGE_ROOT/mail/dkim/mail.key
openssl pkey -in $STORAGE_ROOT/mail/dkim/box-rsa.key -traditional -out $STORAGE_ROOT/mail/dkim/box-rsa.key.1 cp -f $STORAGE_ROOT/mail/dkim/mail.txt $STORAGE_ROOT/mail/dkim/mail.dns
mv -f $STORAGE_ROOT/mail/dkim/box-rsa.key $STORAGE_ROOT/mail/dkim/box-rsa.key.8 else
cp -f $STORAGE_ROOT/mail/dkim/box-rsa.key.1 $STORAGE_ROOT/mail/dkim/box-rsa.key # All defaults are supposed to be ok, default key for rsa is 2048 bit
dknewkey --ktype rsa $STORAGE_ROOT/mail/dkim/mail
# Change format from pkcs#8 to pkcs#1, dkimpy seemingly is not able to handle the #8 format
# See bug https://bugs.launchpad.net/dkimpy/+bug/1978835
openssl pkey -in $STORAGE_ROOT/mail/dkim/mail.key -traditional -out $STORAGE_ROOT/mail/dkim/mail.key.1
mv -f $STORAGE_ROOT/mail/dkim/mail.key $STORAGE_ROOT/mail/dkim/mail.key.8
cp -f $STORAGE_ROOT/mail/dkim/mail.key.1 $STORAGE_ROOT/mail/dkim/mail.key
# Force dns entry into the format dns_update.py expects
# We use selector mail for the rsa key, to be compatible with earlier installations of Mail-in-a-Box
sed -i 's/v=DKIM1;/mail._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/mail.dns
echo '" )' >> $STORAGE_ROOT/mail/dkim/mail.dns
fi
fi
if [ ! -f "$STORAGE_ROOT/mail/dkim/box-ed25519.key" ]; then
# Generate ed25519 key
dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim/box-ed25519 dknewkey --ktype ed25519 $STORAGE_ROOT/mail/dkim/box-ed25519
# Force them into the format dns_update.py expects # For the ed25519 dns entry, we use selector box-ed25519
sed -i 's/v=DKIM1;/box-rsa._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-rsa.dns
echo '" )' >> $STORAGE_ROOT/mail/dkim/box-rsa.dns
sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-ed25519.dns sed -i 's/v=DKIM1;/box-ed25519._domainkey IN TXT ( "v=DKIM1; s=email;/' $STORAGE_ROOT/mail/dkim/box-ed25519.dns
echo '" )' >> $STORAGE_ROOT/mail/dkim/box-ed25519.dns echo '" )' >> $STORAGE_ROOT/mail/dkim/box-ed25519.dns
fi fi