
  1. #!/bin/sh
  2. DOMAIN="$1"
  3. SMTPD="$2"
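#######################################
# Print the invocation synopsis and exit with status 1.
# Globals:   none ($0 is used for the script name)
# Arguments: none
# Outputs:   usage text followed by a blank line on stderr; stdout is
#            left untouched so callers that capture it see nothing
# Returns:   does not return; exits 1
#######################################
usage()
{
  # The original wrote with 2>&1, which sends stderr to stdout (the
  # opposite of what was intended); >&2 puts the diagnostic on stderr.
  printf ' usage: %s <example.com> [haraka username]\n\n' "${0}" >&2
  exit 1
}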
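if [ -z "$DOMAIN" ]; then
  usage
fi
# DOMAIN becomes a directory name and is embedded in the generated DNS
# text, so refuse anything that is not a plain ASCII hostname:
#  - no '/' or '..' (would create/enter a path outside the current dir)
#  - no leading '-' (would be parsed as an option by mkdir/cd)
#  - no leading or trailing '.', only letters, digits, '.' and '-'
#    (IDNs must be supplied in their punycode "xn--" form)
case "$DOMAIN" in
  -*|*/*|*..*|.*|*.|*[!A-Za-z0-9.-]*)
    printf 'error: "%s" is not a valid domain name\n' "$DOMAIN" >&2
    usage
    ;;
esac
if [ -z "$SMTPD" ]; then
  SMTPD="www"
fi
# Create a directory for each DKIM signing domain.
# Neither mkdir nor cd is allowed to fail silently: every later step
# writes into this directory.
mkdir -p -- "$DOMAIN" || exit 1
cd "$DOMAIN" || exit 1
# The selector can be any value that is a valid DNS label
# Create in the common format: mmmYYYY (apr2014)
# LC_ALL=C keeps the month abbreviation ASCII whatever the caller's
# locale is, so the selector is always a valid DNS label.
LC_ALL=C date '+%h%Y' | tr '[:upper:]' '[:lower:]' > selector
# Generate private and public keys
# - Key length considerations -
# RFC 8301 requires DKIM RSA keys of at least 1024 bits and recommends
# 2048. 1024 is only acceptable for short duration keys (ones that will
# be replaced within a few months); 2048 is the default here, at the
# expense of more CPU per signature.
# The private key is created inside a subshell with umask 077 so that it
# is never readable by other users, not even for the instant between
# openssl writing it and the chmod below.
(umask 077 && openssl genrsa -out private 2048) || exit 1
chmod 0400 private
openssl rsa -in private -out public -pubout || exit 1
DNS_NAME="$(tr -d '\n' < selector)._domainkey"
# Drop the PEM armour lines ("-----BEGIN/END PUBLIC KEY-----") and join
# the base64 body into a single line, as required in the TXT record.
DNS_ADDRESS="v=DKIM1;p=$(grep -v '^-' public | tr -d '\n')"
# Fold width is arbitrary, any value between 80 and 255 is reasonable
BIND_SPLIT_ADDRESS="$(printf '%s\n' "$DNS_ADDRESS" | fold -w 110 | sed -e 's/^/ "/g; s/$/"/g')"
# Make it really easy to publish the public key in DNS
# by creating a file named 'dns', with instructions
cat > dns <<EO_DKIM_DNS
Add this TXT record to the ${DOMAIN} DNS zone.
${DNS_NAME} IN TXT ${DNS_ADDRESS}
BIND zone file formatted:
${DNS_NAME} IN TXT (
${BIND_SPLIT_ADDRESS}
)
Tell the world that the ONLY mail servers that send mail from this domain are DKIM signed and/or bear our MX and A records.
With SPF:
SPF "v=spf1 mx a -all"
TXT "v=spf1 mx a -all"
With DMARC:
_dmarc TXT "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-feedback@${DOMAIN}; ruf=mailto:dmarc-feedback@${DOMAIN}; pct=100"
For more information about DKIM and SPF policy,
the documentation within each plugin contains a longer discussion and links to more detailed information:
haraka -h dkim_sign
haraka -h spf
EO_DKIM_DNS
cd ..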