maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

implement dmarc to dns-zones; fixes #662

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2024-01-07 10:58:56 +01:00
parent 284def5832
commit e684de687f
1 changed files with 57 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

108
lib/Froxlor/Dns/Dns.php
View File

@@ -120,18 +120,8 @@ class Dns
if ($domain['isemaildomain'] == '1') { if ($domain['isemaildomain'] == '1') {
self::addRequiredEntry('@', 'MX', $required_entries); self::addRequiredEntry('@', 'MX', $required_entries);
if (Settings::Get('system.dns_createmailentry')) { if (Settings::Get('system.dns_createmailentry')) {
foreach ([ foreach (['imap', 'pop3', 'mail', 'smtp' ] as $record ) {
'imap', foreach (['AAAA', 'A' ] as $type ) {
'pop3',
'mail',
'smtp'
] as $record
) {
foreach ([
'AAAA',
'A'
] as $type
) {
self::addRequiredEntry($record, $type, $required_entries); self::addRequiredEntry($record, $type, $required_entries);
} }
} }
@@ -179,6 +169,10 @@ class Dns
// check for SPF content later // check for SPF content later
self::addRequiredEntry('@SPF@.' . $sub_record, 'TXT', $required_entries); self::addRequiredEntry('@SPF@.' . $sub_record, 'TXT', $required_entries);
} }
if (Settings::Get('dmarc.use_dmarc') == '1') {
// check for DMARC content later
self::addRequiredEntry('@DMARC@.' . $sub_record, 'TXT', $required_entries);
}
if (Settings::Get('antispam.activated') == '1' && $domain['dkim'] == '1') { if (Settings::Get('antispam.activated') == '1' && $domain['dkim'] == '1') {
// check for DKIM content later // check for DKIM content later
self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey.' . $sub_record, 'TXT', $required_entries); self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey.' . $sub_record, 'TXT', $required_entries);
@@ -216,6 +210,10 @@ class Dns
// check for SPF content later // check for SPF content later
self::addRequiredEntry('@SPF@', 'TXT', $required_entries); self::addRequiredEntry('@SPF@', 'TXT', $required_entries);
} }
if (Settings::Get('dmarc.use_dmarc') == '1') {
// check for DMARC content later
self::addRequiredEntry('@DMARC@.' . $sub_record, 'TXT', $required_entries);
}
if (Settings::Get('antispam.activated') == '1' && $domain['dkim'] == '1') { if (Settings::Get('antispam.activated') == '1' && $domain['dkim'] == '1') {
// check for DKIM content later // check for DKIM content later
self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey', 'TXT', $required_entries); self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey', 'TXT', $required_entries);
@@ -227,63 +225,55 @@ class Dns
// now generate all records and unset the required entries we have // now generate all records and unset the required entries we have
foreach ($dom_entries as $entry) { foreach ($dom_entries as $entry) {
if (array_key_exists($entry['type'], $required_entries) && array_key_exists( if (array_key_exists($entry['type'], $required_entries)
md5($entry['record']), && array_key_exists( md5($entry['record']), $required_entries[$entry['type']])
$required_entries[$entry['type']] ) {
)) {
unset($required_entries[$entry['type']][md5($entry['record'])]); unset($required_entries[$entry['type']][md5($entry['record'])]);
} }
if (Settings::Get('system.dns_createcaaentry') == '1' && $entry['type'] == 'CAA' && strtolower(substr( if (Settings::Get('system.dns_createcaaentry') == '1'
$entry['content'], && $entry['type'] == 'CAA'
0, && strtolower(substr($entry['content'], 0, 7 )) == '"v=caa1'
7 ) {
)) == '"v=caa1') {
// unset special CAA required-entry // unset special CAA required-entry
unset($required_entries[$entry['type']][md5("@CAA@")]); unset($required_entries[$entry['type']][md5("@CAA@")]);
} }
if (Settings::Get('spf.use_spf') == '1' && $entry['type'] == 'TXT' && $entry['record'] == '@' && (strtolower(substr( if (Settings::Get('spf.use_spf') == '1'
$entry['content'], && $entry['type'] == 'TXT'
0, && $entry['record'] == '@'
7 && (strtolower(substr($entry['content'], 0, 7)) == '"v=spf1' || strtolower(substr($entry['content'], 0, 6)) == 'v=spf1')
)) == '"v=spf1' || strtolower(substr($entry['content'], 0, 6)) == 'v=spf1')) { ) {
// unset special spf required-entry // unset special spf required-entry
unset($required_entries[$entry['type']][md5("@SPF@")]); unset($required_entries[$entry['type']][md5("@SPF@")]);
} }
if (Settings::Get('dmarc.use_dmarc') == '1'
&& $entry['type'] == 'TXT'
&& $entry['record'] == '@'
&& (strtolower(substr($entry['content'], 0, 9)) == '"v=dmarc1' || strtolower(substr($entry['content'], 0, 8)) == 'v=dmarc1')
) {
// unset special dmarc required-entry
unset($required_entries[$entry['type']][md5("@DMARC@")]);
}
if (empty($primary_ns) && $entry['record'] == '@' && $entry['type'] == 'NS') { if (empty($primary_ns) && $entry['record'] == '@' && $entry['type'] == 'NS') {
// use the first NS entry pertaining to the current domain as primary ns // use the first NS entry pertaining to the current domain as primary ns
$primary_ns = $entry['content']; $primary_ns = $entry['content'];
} }
// check for CNAME on @, www- or wildcard-Alias and remove A/AAAA record accordingly // check for CNAME on @, www- or wildcard-Alias and remove A/AAAA record accordingly
foreach ([ foreach (['@', 'www', '*'] as $crecord) {
'@', if ($entry['type'] == 'CNAME'
'www', && $entry['record'] == '@'
'*' && (array_key_exists(md5($crecord), $required_entries['A']) || array_key_exists(md5($crecord), $required_entries['AAAA']))
] as $crecord
) { ) {
if ($entry['type'] == 'CNAME' && $entry['record'] == '@' && (array_key_exists(
md5($crecord),
$required_entries['A']
) || array_key_exists(md5($crecord), $required_entries['AAAA']))) {
unset($required_entries['A'][md5($crecord)]); unset($required_entries['A'][md5($crecord)]);
unset($required_entries['AAAA'][md5($crecord)]); unset($required_entries['AAAA'][md5($crecord)]);
} }
} }
// also allow overriding of auto-generated values (imap,pop3,mail,smtp) if enabled in the settings // also allow overriding of auto-generated values (imap,pop3,mail,smtp) if enabled in the settings
if (Settings::Get('system.dns_createmailentry')) { if (Settings::Get('system.dns_createmailentry')) {
foreach ([ foreach (['imap', 'pop3', 'mail', 'smtp'] as $crecord) {
'imap', if ($entry['type'] == 'CNAME'
'pop3', && $entry['record'] == $crecord
'mail', && (array_key_exists(md5($crecord), $required_entries['A']) || array_key_exists(md5($crecord), $required_entries['AAAA']))
'smtp'
] as $crecord
) { ) {
if ($entry['type'] == 'CNAME' && $entry['record'] == $crecord && (array_key_exists(
md5($crecord),
$required_entries['A']
) || array_key_exists(
md5($crecord),
$required_entries['AAAA']
))) {
unset($required_entries['A'][md5($crecord)]); unset($required_entries['A'][md5($crecord)]);
unset($required_entries['AAAA'][md5($crecord)]); unset($required_entries['AAAA'][md5($crecord)]);
} }
@@ -320,11 +310,7 @@ class Dns
foreach ($records as $record) { foreach ($records as $record) {
if ($type == 'A' && filter_var($ip['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) { if ($type == 'A' && filter_var($ip['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
$zonerecords[] = new DnsEntry($record, 'A', $ip['ip']); $zonerecords[] = new DnsEntry($record, 'A', $ip['ip']);
} elseif ($type == 'AAAA' && filter_var( } elseif ($type == 'AAAA' && filter_var($ip['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) !== false) {
$ip['ip'],
FILTER_VALIDATE_IP,
FILTER_FLAG_IPV6
) !== false) {
$zonerecords[] = new DnsEntry($record, 'AAAA', $ip['ip']); $zonerecords[] = new DnsEntry($record, 'AAAA', $ip['ip']);
} }
} }
@@ -403,6 +389,15 @@ class Dns
$txt_content = Settings::Get('spf.spf_entry'); $txt_content = Settings::Get('spf.spf_entry');
$sub_record = substr($record, 6); $sub_record = substr($record, 6);
$zonerecords[] = new DnsEntry($sub_record, 'TXT', self::encloseTXTContent($txt_content)); $zonerecords[] = new DnsEntry($sub_record, 'TXT', self::encloseTXTContent($txt_content));
} elseif ($record == '@DMARC@') {
// dmarc for main-domain
$txt_content = Settings::Get('dmarc.dmarc_entry');
$zonerecords[] = new DnsEntry('@', 'TXT', self::encloseTXTContent($txt_content));
} elseif (strlen($record) > 8 && substr($record, 0, 8) == '@DMARC@.') {
// dmarc for subdomain
$txt_content = Settings::Get('dmarc.dmarc_entry');
$sub_record = substr($record, 8);
$zonerecords[] = new DnsEntry($sub_record, 'TXT', self::encloseTXTContent($txt_content));
} elseif (!empty($dkim_entries)) { } elseif (!empty($dkim_entries)) {
// DKIM entries // DKIM entries
$dkim_record = 'dkim' . $domain['dkim_id'] . '._domainkey'; $dkim_record = 'dkim' . $domain['dkim_id'] . '._domainkey';
@@ -414,7 +409,7 @@ class Dns
$multiline = true; $multiline = true;
} }
$zonerecords[] = new DnsEntry($record, 'TXT', self::encloseTXTContent($dkim_entries[0], $multiline)); $zonerecords[] = new DnsEntry($record, 'TXT', self::encloseTXTContent($dkim_entries[0], $multiline));
} elseif (strlen($record) > strlen($dkim_record) && substr($record, 0, strlen($dkim_record)+1) == $dkim_record . '.') { } elseif (strlen($record) > strlen($dkim_record) && substr($record, 0, strlen($dkim_record) + 1) == $dkim_record . '.') {
// dkim for subdomain-domain // dkim for subdomain-domain
// check for multiline entry // check for multiline entry
$multiline = false; $multiline = false;
@@ -482,10 +477,7 @@ class Dns
if (!$isMainButSubTo) { if (!$isMainButSubTo) {
$date = date('Ymd'); $date = date('Ymd');
$domain['bindserial'] = (preg_match( $domain['bindserial'] = (preg_match('/^' . $date . '/', $domain['bindserial']) ? $domain['bindserial'] + 1 : $date . '00');
'/^' . $date . '/',
$domain['bindserial']
) ? $domain['bindserial'] + 1 : $date . '00');
if (!$froxlorhostname) { if (!$froxlorhostname) {
$upd_stmt = Database::prepare(" $upd_stmt = Database::prepare("
UPDATE `" . TABLE_PANEL_DOMAINS . "` SET UPDATE `" . TABLE_PANEL_DOMAINS . "` SET