[pmg-api.git] / src / PMG / DKIMSign.pm

package PMG::DKIMSign;

use strict;
use warnings;
use Mail::DKIM::Signer;
use Mail::DKIM::TextWrap;
use Crypt::OpenSSL::RSA;

use PVE::Tools;
use PVE::INotify;
use PVE::SafeSyslog;

use PMG::Utils;
use PMG::Config;
use base qw(Mail::DKIM::Signer);

sub new {
    my ($class, $selector, $sign_all) = @_;

    die "no selector provided\n" if ! $selector;

    my %opts = (
	Algorithm => 'rsa-sha256',
	Method => 'relaxed/relaxed',
	Selector => $selector,
	KeyFile => "/etc/pmg/dkim/$selector.private",
    );

    my $self = $class->SUPER::new(%opts);

    $self->{sign_all} = $sign_all;

    return $self;
}

# MIME::Entity can output to all objects responding to 'print' (and does so in
# chunks) Mail::DKIM::Signer has a 'PRINT' method and expects each line
# terminated with "\r\n"


sub print {
    my ($self, $chunk) = @_;
    $chunk =~ s/\012/\015\012/g;
    $self->PRINT($chunk);
}

sub create_signature {
    my ($self) = @_;

    $self->CLOSE();
    return $self->signature->as_string();
}

#determines which domain should be used for signing based on the e-mailaddress
sub signing_domain {
    my ($self, $sender_email) = @_;

    my @parts = split('@', $sender_email);
    die "no domain in sender e-mail\n" if scalar(@parts) < 2;
    my $input_domain = $parts[-1];

    if ($self->{sign_all}) {
	    $self->domain($input_domain) if $self->{sign_all};
	    return 1;
    }

    # check that input_domain is in/a subdomain of in the
    # dkimdomains, falling back to the relay domains.
    my $dkimdomains = PVE::INotify::read_file('dkimdomains');
    $dkimdomains = PVE::INotify::read_file('domains') if !scalar(%$dkimdomains);

    # Sort domains by length first, so if we have both a sub domain and its parent
    # the correct one will be returned
    foreach my $domain (sort { length($b) <=> length($a) || $a cmp $b} keys %$dkimdomains) {
	if ( $input_domain =~ /\Q$domain\E$/i ) {
	    $self->domain($domain);
	    return 1;
	}
    }

    syslog('info', "not DKIM signing mail from $sender_email");

    return 0;
}


sub sign_entity {
    my ($entity, $selector, $sender, $sign_all) = @_;

    die "no selector provided\n" if ! $selector;

    #oversign certain headers
    my @oversign_headers = (
	'from',
	'to',
	'cc',
	'reply-to',
	'subject',
    );

    my @cond_headers = (
	'content-type',
    );

    push(@oversign_headers, grep { $entity->head->mime_attr($_) } @cond_headers);

    my $extended_headers = { map { $_ => '+' } @oversign_headers };

    my $signer = __PACKAGE__->new($selector, $sign_all);

    $signer->extended_headers($extended_headers);

    if ($signer->signing_domain($sender)) {
	$entity->print($signer);
	my $signature = $signer->create_signature();
	$entity->head->add('DKIM-Signature', $signature, 0);
    }

    return $entity;

}

# key-handling and utility methods
sub get_selector_info {
    my ($selector) = @_;

    die "no selector provided\n" if !defined($selector);
    my ($pubkey, $size);
    eval {
	my $privkeytext = PVE::Tools::file_get_contents("/etc/pmg/dkim/$selector.private");
	my $privkey =  Crypt::OpenSSL::RSA->new_private_key($privkeytext);
	$size = $privkey->size() * 8;

	$pubkey = $privkey->get_public_key_x509_string();
    };
    die "$@\n" if $@;

    $pubkey =~ s/-----(?:BEGIN|END) PUBLIC KEY-----//g;
    $pubkey =~ s/\v//mg;

    # split record into 250 byte chunks for DNS-server compatibility
    # see opendkim-genkey
    my $record = qq{$selector._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n\t  "p=};
    my $len = length($pubkey);
    my $cur = 0;
    while ($len > 0) {
	if ($len < 250) {
	    $record .= substr($pubkey, $cur);
	    $len = 0;
	} else {
	    $record .= substr($pubkey, $cur, 250) . qq{"\n\t  "};
	    $cur += 250;
	    $len -= 250;
	}
    }
    $record .= qq{" )  ; ----- DKIM key $selector};

    return ($record, $size);
}

sub set_selector {
    my ($selector, $keysize, $force) = @_;

    die "no selector provided\n" if !defined($selector);
    die "no keysize provided\n" if !defined($keysize);
    die "invalid keysize\n" if ($keysize < 1024);
    my $privkey_file = "/etc/pmg/dkim/$selector.private";

    my $code = sub {
	my $genkey = $force || (! -e $privkey_file);
	if (!$genkey) {
	    my ($privkey, $cursize);
	    eval {
		my $privkeytext = PVE::Tools::file_get_contents($privkey_file);
		$privkey =  Crypt::OpenSSL::RSA->new_private_key($privkeytext);
		$cursize = $privkey->size() * 8;
	    };
	    die "error checking $privkey_file: $@\n" if $@;
	    die "$privkey_file already exists, but has different size ($cursize bits)\n"
		if $cursize != $keysize;
	} else {
	    my $cmd = ['openssl', 'genrsa', '-out', $privkey_file, $keysize];
	    PMG::Utils::run_silent_cmd($cmd);
	}
	my $cfg = PMG::Config->new();
	$cfg->set('admin', 'dkim_selector', $selector);
	$cfg->write();
	PMG::Utils::reload_smtp_filter();
    };

    PMG::Config::lock_config($code, "unable to set DKIM key ($selector - $keysize bits)");
}
1;
Commit	Line	Data
ad6e35cf SI	1	package PMG::DKIMSign;
	2
	3	use strict;
	4	use warnings;
	5	use Mail::DKIM::Signer;
	6	use Mail::DKIM::TextWrap;
	7	use Crypt::OpenSSL::RSA;
	8
	9	use PVE::Tools;
	10	use PVE::INotify;
	11	use PVE::SafeSyslog;
	12
	13	use PMG::Utils;
	14	use PMG::Config;
	15	use base qw(Mail::DKIM::Signer);
	16
	17	sub new {
	18	my ($class, $selector, $sign_all) = @_;
	19
	20	die "no selector provided\n" if ! $selector;
	21
	22	my %opts = (
	23	Algorithm => 'rsa-sha256',
	24	Method => 'relaxed/relaxed',
	25	Selector => $selector,
	26	KeyFile => "/etc/pmg/dkim/$selector.private",
	27	);
	28
	29	my $self = $class->SUPER::new(%opts);
	30
	31	$self->{sign_all} = $sign_all;
	32
	33	return $self;
	34	}
	35
	36	# MIME::Entity can output to all objects responding to 'print' (and does so in
	37	# chunks) Mail::DKIM::Signer has a 'PRINT' method and expects each line
	38	# terminated with "\r\n"
	39
	40
	41	sub print {
	42	my ($self, $chunk) = @_;
	43	$chunk =~ s/\012/\015\012/g;
	44	$self->PRINT($chunk);
	45	}
	46
	47	sub create_signature {
	48	my ($self) = @_;
	49
	50	$self->CLOSE();
	51	return $self->signature->as_string();
	52	}
	53
	54	#determines which domain should be used for signing based on the e-mailaddress
	55	sub signing_domain {
	56	my ($self, $sender_email) = @_;
	57
	58	my @parts = split('@', $sender_email);
	59	die "no domain in sender e-mail\n" if scalar(@parts) < 2;
	60	my $input_domain = $parts[-1];
	61
	62	if ($self->{sign_all}) {
	63	$self->domain($input_domain) if $self->{sign_all};
b8e7dac7	64	return 1;
ad6e35cf SI	65	}
	66
	67	# check that input_domain is in/a subdomain of in the
	68	# dkimdomains, falling back to the relay domains.
	69	my $dkimdomains = PVE::INotify::read_file('dkimdomains');
	70	$dkimdomains = PVE::INotify::read_file('domains') if !scalar(%$dkimdomains);
	71
3caa5927 DB	72	# Sort domains by length first, so if we have both a sub domain and its parent
	73	# the correct one will be returned
	74	foreach my $domain (sort { length($b) <=> length($a) \|\| $a cmp $b} keys %$dkimdomains) {
ad6e35cf SI	75	if ( $input_domain =~ /\Q$domain\E$/i ) {
ad6e35cf SI	76	$self->domain($domain);
b8e7dac7	77	return 1;
ad6e35cf SI	78	}
	79	}
	80
	81	syslog('info', "not DKIM signing mail from $sender_email");
	82
b8e7dac7	83	return 0;
ad6e35cf SI	84	}
	85
	86
	87	sub sign_entity {
	88	my ($entity, $selector, $sender, $sign_all) = @_;
	89
	90	die "no selector provided\n" if ! $selector;
	91
	92	#oversign certain headers
	93	my @oversign_headers = (
	94	'from',
	95	'to',
	96	'cc',
	97	'reply-to',
	98	'subject',
	99	);
	100
	101	my @cond_headers = (
	102	'content-type',
	103	);
	104
	105	push(@oversign_headers, grep { $entity->head->mime_attr($_) } @cond_headers);
	106
	107	my $extended_headers = { map { $_ => '+' } @oversign_headers };
	108
	109	my $signer = __PACKAGE__->new($selector, $sign_all);
	110
	111	$signer->extended_headers($extended_headers);
ad6e35cf	112
b8e7dac7 SI	113	if ($signer->signing_domain($sender)) {
	114	$entity->print($signer);
	115	my $signature = $signer->create_signature();
	116	$entity->head->add('DKIM-Signature', $signature, 0);
	117	}
ad6e35cf SI	118
	119	return $entity;
	120
	121	}
	122
	123	# key-handling and utility methods
	124	sub get_selector_info {
	125	my ($selector) = @_;
	126
	127	die "no selector provided\n" if !defined($selector);
	128	my ($pubkey, $size);
	129	eval {
	130	my $privkeytext = PVE::Tools::file_get_contents("/etc/pmg/dkim/$selector.private");
	131	my $privkey = Crypt::OpenSSL::RSA->new_private_key($privkeytext);
	132	$size = $privkey->size() * 8;
	133
	134	$pubkey = $privkey->get_public_key_x509_string();
	135	};
	136	die "$@\n" if $@;
	137
	138	$pubkey =~ s/-----(?:BEGIN\|END) PUBLIC KEY-----//g;
	139	$pubkey =~ s/\v//mg;
	140
	141	# split record into 250 byte chunks for DNS-server compatibility
	142	# see opendkim-genkey
	143	my $record = qq{$selector._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n\t "p=};
	144	my $len = length($pubkey);
	145	my $cur = 0;
	146	while ($len > 0) {
	147	if ($len < 250) {
	148	$record .= substr($pubkey, $cur);
	149	$len = 0;
	150	} else {
	151	$record .= substr($pubkey, $cur, 250) . qq{"\n\t "};
	152	$cur += 250;
	153	$len -= 250;
	154	}
	155	}
	156	$record .= qq{" ) ; ----- DKIM key $selector};
	157
	158	return ($record, $size);
	159	}
	160
	161	sub set_selector {
d95c075a	162	my ($selector, $keysize, $force) = @_;
ad6e35cf SI	163
	164	die "no selector provided\n" if !defined($selector);
	165	die "no keysize provided\n" if !defined($keysize);
	166	die "invalid keysize\n" if ($keysize < 1024);
	167	my $privkey_file = "/etc/pmg/dkim/$selector.private";
	168
d95c075a SI	169	my $code = sub {
	170	my $genkey = $force \|\| (! -e $privkey_file);
	171	if (!$genkey) {
	172	my ($privkey, $cursize);
	173	eval {
	174	my $privkeytext = PVE::Tools::file_get_contents($privkey_file);
	175	$privkey = Crypt::OpenSSL::RSA->new_private_key($privkeytext);
	176	$cursize = $privkey->size() * 8;
	177	};
	178	die "error checking $privkey_file: $@\n" if $@;
	179	die "$privkey_file already exists, but has different size ($cursize bits)\n"
	180	if $cursize != $keysize;
	181	} else {
	182	my $cmd = ['openssl', 'genrsa', '-out', $privkey_file, $keysize];
	183	PMG::Utils::run_silent_cmd($cmd);
	184	}
ad6e35cf SI	185	my $cfg = PMG::Config->new();
	186	$cfg->set('admin', 'dkim_selector', $selector);
	187	$cfg->write();
	188	PMG::Utils::reload_smtp_filter();
	189	};
	190
d95c075a	191	PMG::Config::lock_config($code, "unable to set DKIM key ($selector - $keysize bits)");
ad6e35cf SI	192	}
ad6e35cf SI	193	1;