Skip to content

Instantly share code, notes, and snippets.

@CodeMouse92
Last active May 4, 2017 00:17
Show Gist options
  • Save CodeMouse92/d6af309db09b7ba168a8587e983279cc to your computer and use it in GitHub Desktop.
Save CodeMouse92/d6af309db09b7ba168a8587e983279cc to your computer and use it in GitHub Desktop.
Renewal Tool for OpenDKIM
example.com
example.net
#!/bin/bash
# Regenerate DKIM keys and parse DNS records.
# AUTHOR(S): Jason C. McDonald
# VERSION: 1.1
# Copyright (c) 2017 MousePaw Media
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# * Neither the name of the <organization> nor the
# names of its contributors may be used to endorse or promote products
# derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Die on error.
set -e
# CHANGE THIS: Set the path to the configuration file.
CONFIG=/opt/scripts/root_scripts/domains.conf
# Get the current year and month.
DATE=`date +%Y%m`
# We'll work in a temporary directory for the moment.
TEMP=/tmp/dkms
mkdir -p $TEMP
PROD=/etc/opendkim/keys
# Function to generate the keys for a domain.
function genkey {
cd $TEMP
opendkim-genkey -b 2048 -h rsa-sha256 -r -s $DATE -d $1.$2 -v
rename "s/$DATE/$1$2/" *.*
}
# Display the text for our DNS update
function displayrecord {
echo ""
echo "===== $1 DNS TXT RECORD====="
echo ""
# Perl regex from kerframil (#bash)
cat $TEMP/$1.txt | grep -Pzo 'v=DKIM1[^)]+(?=" )' | sed 's/h=rsa-sha256;/h=sha256;/' | perl -0e '$x = <>; print $x =~ s/"\s+"//sgr'
echo ""
}
function do_move {
echo "WARNING!"
echo "This will override your current keys. You should test first with the -t flag."
echo "This operation cannot be undone."
read -p "Are you SURE you want to continue? [y/N] " choice
case "$choice" in
y|Y )
# Stop the mail server.
systemctl stop opendkim postfix
# Move the keys
cp $TEMP/*.private $PROD
# Update the key.table
cp /etc/opendkim/key.table /etc/opendkim/key.table.bak
sed -ri 's/[0-9]+/${DATE}/g' key.table
# Change the permissions.
chown opendkim:opendkim $PROD/*
chmod go-rw $PROD/*
# Start the mail server.
systemctl start opendkim postfix
echo "==========FINISHED==========="
echo "Keys have been moved to $PROD"
;;
* )
echo "Cancelled."
;;
esac
}
function do_test {
# For each of the domains we're working with...
while read LINE; do
IFS='.'
set $LINE
# Generate the keys
opendkim-testkey -d $1.$2 -s $DATE -k $TEMP/$1$2.private -vvv
done <"$CONFIG"
echo "Testing complete. If there are errors, DO NOT COPY."
}
function do_gen {
# For each of the domains we're working with...
while read LINE; do
IFS='.'
set $LINE
# Generate the keys
genkey $1 $2
done <"$CONFIG"
echo "==========FINISHED==========="
echo "Keys have been generated at $TEMP"
}
function do_display {
while read LINE; do
IFS='.'
set $LINE
# Display the text records
displayrecord $1$2
done <"$CONFIG"
}
SUCCESS="0"
while getopts ":hdgmt" opt; do
SUCCESS="1"
case $opt in
h)
echo "Automate DKIM key renewal."
echo "-d Display DNS text record values in $TEMP."
echo "-g Generate DKIM keys in $TEMP."
echo "-m Move new keys from $TEMP into place."
echo "-t Test the new keys before moving them."
;;
d)
do_display
;;
g)
do_gen
;;
m)
do_move
;;
t)
do_test
;;
\?)
echo "Invalid option -$OPTARG. See -h for help."
exit 1
;;
esac
done
if [ $SUCCESS -eq "0" ]; then
echo "Option required. See -h for help."
exit 1
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment