Use Redis for DKIM keys, define any selector, auto-merge old keys to Redis and fallback to files
This commit is contained in:
parent
a790c2bdc0
commit
1501df6e42
@ -23,6 +23,8 @@ use_domain = "envelope";
|
|||||||
# Whether to normalise domains to eSLD
|
# Whether to normalise domains to eSLD
|
||||||
use_esld = false;
|
use_esld = false;
|
||||||
# Whether to get keys from Redis
|
# Whether to get keys from Redis
|
||||||
use_redis = false;
|
use_redis = true;
|
||||||
# Hash for DKIM keys in Redis
|
# Hash for DKIM keys in Redis
|
||||||
hash_key = "DKIM_KEYS";
|
key_prefix = "DKIM_PRIV_KEYS";
|
||||||
|
# Selector map
|
||||||
|
selector_map = "redis://DKIM_SELECTORS";
|
||||||
|
@ -190,7 +190,6 @@ $tfa_data = get_tfa();
|
|||||||
<div class="panel panel-default">
|
<div class="panel panel-default">
|
||||||
<div class="panel-heading"><?=$lang['admin']['dkim_keys'];?></div>
|
<div class="panel-heading"><?=$lang['admin']['dkim_keys'];?></div>
|
||||||
<div class="panel-body">
|
<div class="panel-body">
|
||||||
<p style="margin-bottom:40px"><?=$lang['admin']['dkim_key_hint'];?></p>
|
|
||||||
<?php
|
<?php
|
||||||
foreach(mailbox_get_domains() as $domain) {
|
foreach(mailbox_get_domains() as $domain) {
|
||||||
if (!empty($dkim = dkim_get_key_details($domain))) {
|
if (!empty($dkim = dkim_get_key_details($domain))) {
|
||||||
@ -199,6 +198,7 @@ $tfa_data = get_tfa();
|
|||||||
<div class="col-xs-3">
|
<div class="col-xs-3">
|
||||||
<p>Domain: <strong><?=htmlspecialchars($domain);?></strong><br />
|
<p>Domain: <strong><?=htmlspecialchars($domain);?></strong><br />
|
||||||
<span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
|
<span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
|
||||||
|
<span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
|
||||||
<span class="label label-info"><?=$dkim['length'];?> bit</span>
|
<span class="label label-info"><?=$dkim['length'];?> bit</span>
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
@ -233,6 +233,7 @@ $tfa_data = get_tfa();
|
|||||||
<div class="col-xs-offset-1 col-xs-2">
|
<div class="col-xs-offset-1 col-xs-2">
|
||||||
<p><small>↳ Alias-Domain: <strong><?=htmlspecialchars($alias_domain);?></strong><br /></small>
|
<p><small>↳ Alias-Domain: <strong><?=htmlspecialchars($alias_domain);?></strong><br /></small>
|
||||||
<span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
|
<span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
|
||||||
|
<span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
|
||||||
<span class="label label-info"><?=$dkim['length'];?> bit</span>
|
<span class="label label-info"><?=$dkim['length'];?> bit</span>
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
@ -267,7 +268,11 @@ $tfa_data = get_tfa();
|
|||||||
?>
|
?>
|
||||||
<div class="row">
|
<div class="row">
|
||||||
<div class="col-xs-3">
|
<div class="col-xs-3">
|
||||||
<p>Domain: <strong><?=htmlspecialchars($blind);?></strong><br /><span class="label label-warning"><?=$lang['admin']['dkim_key_unused'];?></span></p>
|
<p>Domain: <strong><?=htmlspecialchars($blind);?></strong><br />
|
||||||
|
<span class="label label-warning"><?=$lang['admin']['dkim_key_unused'];?></span>
|
||||||
|
<span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
|
||||||
|
<span class="label label-info"><?=$dkim['length'];?> bit</span>
|
||||||
|
</p>
|
||||||
</div>
|
</div>
|
||||||
<div class="col-xs-8">
|
<div class="col-xs-8">
|
||||||
<pre><?=$dkim['dkim_txt'];?></pre>
|
<pre><?=$dkim['dkim_txt'];?></pre>
|
||||||
@ -290,6 +295,10 @@ $tfa_data = get_tfa();
|
|||||||
<label for="domain">Domain</label>
|
<label for="domain">Domain</label>
|
||||||
<input class="form-control" id="domain" name="domain" placeholder="example.org" required>
|
<input class="form-control" id="domain" name="domain" placeholder="example.org" required>
|
||||||
</div>
|
</div>
|
||||||
|
<div class="form-group">
|
||||||
|
<label for="domain">Selector</label>
|
||||||
|
<input class="form-control" id="dkim_selector" name="dkim_selector" value="dkim" required>
|
||||||
|
</div>
|
||||||
<div class="form-group">
|
<div class="form-group">
|
||||||
<select data-width="200px" class="form-control" id="key_size" name="key_size" title="<?=$lang['admin']['dkim_key_length'];?>" required>
|
<select data-width="200px" class="form-control" id="key_size" name="key_size" title="<?=$lang['admin']['dkim_key_length'];?>" required>
|
||||||
<option data-subtext="bits">1024</option>
|
<option data-subtext="bits">1024</option>
|
||||||
|
@ -2357,6 +2357,7 @@ function get_admin_details() {
|
|||||||
function dkim_add_key($postarray) {
|
function dkim_add_key($postarray) {
|
||||||
global $lang;
|
global $lang;
|
||||||
global $pdo;
|
global $pdo;
|
||||||
|
global $redis;
|
||||||
if ($_SESSION['mailcow_cc_role'] != "admin") {
|
if ($_SESSION['mailcow_cc_role'] != "admin") {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
@ -2372,6 +2373,7 @@ function dkim_add_key($postarray) {
|
|||||||
// return false;
|
// return false;
|
||||||
// }
|
// }
|
||||||
$key_length = intval($postarray['key_size']);
|
$key_length = intval($postarray['key_size']);
|
||||||
|
$dkim_selector = (isset($postarray['dkim_selector'])) ? $postarray['dkim_selector'] : 'dkim';
|
||||||
$domain = $postarray['domain'];
|
$domain = $postarray['domain'];
|
||||||
if (!is_valid_domain_name($domain) || !is_numeric($key_length)) {
|
if (!is_valid_domain_name($domain) || !is_numeric($key_length)) {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
@ -2381,7 +2383,16 @@ function dkim_add_key($postarray) {
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty(glob($GLOBALS['MC_DKIM_TXTS'] . '/' . $domain . '.dkim'))) {
|
if (!empty(glob($GLOBALS['MC_DKIM_TXTS'] . '/' . $domain . '.dkim')) ||
|
||||||
|
$redis->hGet('DKIM_PUB_KEYS', $domain)) {
|
||||||
|
$_SESSION['return'] = array(
|
||||||
|
'type' => 'danger',
|
||||||
|
'msg' => sprintf($lang['danger']['dkim_domain_or_sel_invalid'])
|
||||||
|
);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!ctype_alnum($dkim_selector)) {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
'msg' => sprintf($lang['danger']['dkim_domain_or_sel_invalid'])
|
'msg' => sprintf($lang['danger']['dkim_domain_or_sel_invalid'])
|
||||||
@ -2401,10 +2412,14 @@ function dkim_add_key($postarray) {
|
|||||||
explode(PHP_EOL, $key_details['key'])
|
explode(PHP_EOL, $key_details['key'])
|
||||||
), 1, -1)
|
), 1, -1)
|
||||||
);
|
);
|
||||||
// Save public key to file
|
// Save public key and selector to redis
|
||||||
file_put_contents($GLOBALS['MC_DKIM_TXTS'] . '/' . $domain . '.dkim', $pubKey);
|
$redis->hSet('DKIM_PUB_KEYS', $domain, $pubKey);
|
||||||
// Save private key to file
|
$redis->hSet('DKIM_SELECTORS', $domain, $dkim_selector);
|
||||||
openssl_pkey_export_to_file($keypair_ressource, $GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.dkim');
|
// Export private key and save private key to redis
|
||||||
|
openssl_pkey_export($keypair_ressource, $privKey);
|
||||||
|
if (isset($privKey) && !empty($privKey)) {
|
||||||
|
$redis->hSet('DKIM_PRIV_KEYS', $dkim_selector . '.' . $domain, trim($privKey));
|
||||||
|
}
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
'type' => 'success',
|
'type' => 'success',
|
||||||
'msg' => sprintf($lang['success']['dkim_added'])
|
'msg' => sprintf($lang['success']['dkim_added'])
|
||||||
@ -2421,17 +2436,30 @@ function dkim_add_key($postarray) {
|
|||||||
}
|
}
|
||||||
function dkim_get_key_details($domain) {
|
function dkim_get_key_details($domain) {
|
||||||
$data = array();
|
$data = array();
|
||||||
|
global $redis;
|
||||||
if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
|
if (hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
|
||||||
$dkim_pubkey_file = escapeshellarg($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
$dkim_pubkey_file = escapeshellarg($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
||||||
if (file_exists(substr($dkim_pubkey_file, 1, -1))) {
|
if (file_exists(substr($dkim_pubkey_file, 1, -1))) {
|
||||||
$data['pubkey'] = file_get_contents($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
$data['pubkey'] = file_get_contents($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
||||||
$data['length'] = (strlen($data['pubkey']) < 391) ? 1024 : 2048;
|
$data['length'] = (strlen($data['pubkey']) < 391) ? 1024 : 2048;
|
||||||
$data['dkim_txt'] = 'v=DKIM1;k=rsa;t=s;s=email;p=' . file_get_contents($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
$data['dkim_txt'] = 'v=DKIM1;k=rsa;t=s;s=email;p=' . file_get_contents($GLOBALS["MC_DKIM_TXTS"]. "/" . $domain . "." . "dkim");
|
||||||
|
$data['dkim_selector'] = 'dkim';
|
||||||
|
// Migrate key to redis
|
||||||
|
$redis->hSet('DKIM_PRIV_KEYS', $data['dkim_selector'] . '.' . $domain, trim(file_get_contents($GLOBALS["MC_DKIM_KEYS"]. "/" . $domain . "." . "dkim")));
|
||||||
|
$redis->hSet('DKIM_PUB_KEYS', $domain, $data['pubkey']);
|
||||||
|
$redis->hSet('DKIM_SELECTORS', $domain, 'dkim');
|
||||||
|
}
|
||||||
|
elseif ($redis_dkim_key_data = $redis->hGet('DKIM_PUB_KEYS', $domain)) {
|
||||||
|
$data['pubkey'] = $redis_dkim_key_data;
|
||||||
|
$data['length'] = (strlen($data['pubkey']) < 391) ? 1024 : 2048;
|
||||||
|
$data['dkim_txt'] = 'v=DKIM1;k=rsa;t=s;s=email;p=' . $redis_dkim_key_data;
|
||||||
|
$data['dkim_selector'] = $redis->hGet('DKIM_SELECTORS', $domain);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return $data;
|
return $data;
|
||||||
}
|
}
|
||||||
function dkim_get_blind_keys() {
|
function dkim_get_blind_keys() {
|
||||||
|
global $redis;
|
||||||
global $lang;
|
global $lang;
|
||||||
if ($_SESSION['mailcow_cc_role'] != "admin") {
|
if ($_SESSION['mailcow_cc_role'] != "admin") {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
@ -2446,9 +2474,13 @@ function dkim_get_blind_keys() {
|
|||||||
foreach($dnstxt_files as $file) {
|
foreach($dnstxt_files as $file) {
|
||||||
$domains[] = substr($file, 0, -5);
|
$domains[] = substr($file, 0, -5);
|
||||||
}
|
}
|
||||||
|
foreach ($redis->hKeys('DKIM_PUB_KEYS') as $redis_dkim_domain) {
|
||||||
|
$domains[] = $redis_dkim_domain;
|
||||||
|
}
|
||||||
return array_diff($domains, array_merge(mailbox_get_domains(), mailbox_get_alias_domains()));
|
return array_diff($domains, array_merge(mailbox_get_domains(), mailbox_get_alias_domains()));
|
||||||
}
|
}
|
||||||
function dkim_delete_key($postarray) {
|
function dkim_delete_key($postarray) {
|
||||||
|
global $redis;
|
||||||
global $lang;
|
global $lang;
|
||||||
$domain = $postarray['domain'];
|
$domain = $postarray['domain'];
|
||||||
|
|
||||||
@ -2473,7 +2505,29 @@ function dkim_delete_key($postarray) {
|
|||||||
);
|
);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
exec('rm ' . escapeshellarg($GLOBALS['MC_DKIM_TXTS'] . '/' . $domain . '.dkim'), $out, $return);
|
foreach (array('DKIM_PUB_KEYS', 'DKIM_SELECTORS',) as $hash) {
|
||||||
|
if (!$redis->hDel($hash, $domain)) {
|
||||||
|
$_SESSION['return'] = array(
|
||||||
|
'type' => 'danger',
|
||||||
|
'msg' => sprintf($lang['danger']['dkim_remove_failed'])
|
||||||
|
);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (!empty($key_details = dkim_get_key_details($domain))) {
|
||||||
|
if (!$redis->hDel($hash . $key_details['dkim_selector'], $domain)) {
|
||||||
|
$_SESSION['return'] = array(
|
||||||
|
'type' => 'danger',
|
||||||
|
'msg' => sprintf($lang['danger']['dkim_remove_failed'])
|
||||||
|
);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$redis->hDel('DKIM_PUB_KEYS', $domain);
|
||||||
|
$redis->hDel('DKIM_PRIV_KEYS', $domain);
|
||||||
|
$redis->hDel('DKIM_SELECTORS', $domain);
|
||||||
|
exec('rm -f ' . escapeshellarg($GLOBALS['MC_DKIM_TXTS'] . '/' . $domain . '.dkim'), $out, $return);
|
||||||
if ($return != "0") {
|
if ($return != "0") {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
@ -2481,7 +2535,7 @@ function dkim_delete_key($postarray) {
|
|||||||
);
|
);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
exec('rm ' . escapeshellarg($GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.dkim'), $out, $return);
|
exec('rm -f ' . escapeshellarg($GLOBALS['MC_DKIM_KEYS'] . '/' . $domain . '.dkim'), $out, $return);
|
||||||
if ($return != "0") {
|
if ($return != "0") {
|
||||||
$_SESSION['return'] = array(
|
$_SESSION['return'] = array(
|
||||||
'type' => 'danger',
|
'type' => 'danger',
|
||||||
|
@ -29,6 +29,10 @@ require_once 'inc/lib/vendor/autoload.php';
|
|||||||
$u2f = new u2flib_server\U2F('https://' . $_SERVER['SERVER_NAME']);
|
$u2f = new u2flib_server\U2F('https://' . $_SERVER['SERVER_NAME']);
|
||||||
$tfa = new RobThree\Auth\TwoFactorAuth('mailcow UI');
|
$tfa = new RobThree\Auth\TwoFactorAuth('mailcow UI');
|
||||||
|
|
||||||
|
// Redis
|
||||||
|
$redis = new Redis();
|
||||||
|
$redis->connect('redis-mailcow', 6379);
|
||||||
|
|
||||||
// PDO
|
// PDO
|
||||||
// Calculate offset
|
// Calculate offset
|
||||||
$now = new DateTime();
|
$now = new DateTime();
|
||||||
|
Loading…
Reference in New Issue
Block a user