reject policy dmarc

not generating disabled zones
DKIM stuff with our own selector
2025-09-29 19:06:10 +02:00 · 2025-09-26 13:01:26 +02:00 · 2025-09-25 11:16:48 +02:00 · 2025-09-25 09:40:40 +02:00
2 changed files with 64 additions and 38 deletions
--- a/lib/Froxlor/Cron/Dns/DnsBase.php
+++ b/lib/Froxlor/Cron/Dns/DnsBase.php
@@ -132,18 +132,16 @@ abstract class DnsBase
 			");

 			while ($domain = $result_domains_stmt->fetch(PDO::FETCH_ASSOC)) {
-				$privkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id'] . Settings::Get('dkim.privkeysuffix'));
-				$pubkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id'] . '.public');
+				$privkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/mx.' . $domain['domain'] . '.' . Settings::Get('dkim.privkeysuffix'));
+				$pubkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/mx.' . $domain['domain'] . '.public');

 				if ($domain['dkim_privkey'] == '' || $domain['dkim_pubkey'] == '') {
 					$max_dkim_id_stmt = Database::query("SELECT MAX(`dkim_id`) as `max_dkim_id` FROM `" . TABLE_PANEL_DOMAINS . "`");
 					$max_dkim_id = $max_dkim_id_stmt->fetch(PDO::FETCH_ASSOC);
 					$domain['dkim_id'] = (int)$max_dkim_id['max_dkim_id'] + 1;
-					$privkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id'] . Settings::Get('dkim.privkeysuffix'));
 					FileDir::safe_exec('openssl genrsa -out ' . escapeshellarg($privkey_filename) . ' ' . Settings::Get('dkim.dkim_keylength'));
 					$domain['dkim_privkey'] = file_get_contents($privkey_filename);
 					FileDir::safe_exec("chmod 0640 " . escapeshellarg($privkey_filename));
-					$pubkey_filename = FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id'] . '.public');
 					FileDir::safe_exec('openssl rsa -in ' . escapeshellarg($privkey_filename) . ' -pubout -outform pem -out ' . escapeshellarg($pubkey_filename));
 					$domain['dkim_pubkey'] = file_get_contents($pubkey_filename);
 					FileDir::safe_exec("chmod 0664 " . escapeshellarg($pubkey_filename));
@@ -217,7 +215,7 @@ abstract class DnsBase
 				`" . TABLE_PANEL_DOMAINS . "` `d`
 			LEFT JOIN `" . TABLE_PANEL_CUSTOMERS . "` `c` USING(`customerid`)
 			WHERE
-				`d`.`isbinddomain` = '1'
+				`d`.`isbinddomain` = '1' aND `d`.`deactivated` = '0'
 			ORDER BY
 				`d`.`domain` ASC
 		");
--- a/lib/Froxlor/Dns/Dns.php
+++ b/lib/Froxlor/Dns/Dns.php
@@ -22,7 +22,6 @@
 * @author     Froxlor team <team@froxlor.org>
 * @license    https://files.froxlor.org/misc/COPYING.txt GPLv2
 */
-
 namespace Froxlor\Dns;

 use Froxlor\Database\Database;
@@ -183,7 +182,10 @@ class Dns
 					}
 					if (Settings::Get('dkim.use_dkim') == '1') {
 						// check for DKIM content later
-						self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey.' . $sub_record, 'TXT', $required_entries);
+						//self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey.' . $sub_record, 'TXT', $required_entries);
+					    self::addRequiredEntry('mx._domainkey.' . $sub_record, 'TXT', $required_entries);
+					    //Also add dmarc
+					    self::addRequiredEntry('_dmarc' . $sub_record, 'TXT', $required_entries);
 					}
 				}
 			}
@@ -220,7 +222,10 @@ class Dns
 			}
 			if (Settings::Get('dkim.use_dkim') == '1') {
 				// check for DKIM content later
-				self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey', 'TXT', $required_entries);
+				//self::addRequiredEntry('dkim' . $domain['dkim_id'] . '._domainkey', 'TXT', $required_entries);
+				self::addRequiredEntry('mx._domainkey', 'TXT', $required_entries);
+				//Also add dmarc
+				self::addRequiredEntry('_dmarc', 'TXT', $required_entries);
 			}
 		}

@@ -378,10 +383,13 @@ class Dns
 			if (array_key_exists("TXT", $required_entries)) {
 				if (Settings::Get('dkim.use_dkim') == '1') {
 					$dkim_entries = self::generateDkimEntries($domain);
+					$dmarc_entries = self::generateDmarcEntries($domain);
 				}

 				foreach ($required_entries as $type => $records) {
 					if ($type == 'TXT') {
+					    //$dkim_record = 'dkim' . $domain['dkim_id'] . '._domainkey';
+					    $dkim_record = 'mx._domainkey';
 						foreach ($records as $record) {
 							if ($record == '@SPF@') {
 								// spf for main-domain
@@ -392,9 +400,8 @@ class Dns
 								$txt_content = Settings::Get('spf.spf_entry');
 								$sub_record = substr($record, 6);
 								$zonerecords[] = new DnsEntry($sub_record, 'TXT', self::encloseTXTContent($txt_content));
-							} elseif (!empty($dkim_entries)) {
+							} elseif (!empty($dkim_entries) && $record == $dkim_record ) {
 								// DKIM entries
-								$dkim_record = 'dkim' . $domain['dkim_id'] . '._domainkey';
 								if ($record == $dkim_record) {
 									// dkim for main-domain
 									// check for multiline entry
@@ -412,7 +419,10 @@ class Dns
 									}
 									$zonerecords[] = new DnsEntry($record, 'TXT', self::encloseTXTContent($dkim_entries[0], $multiline));
 								}
+							} elseif ($record == '_dmarc' && !empty($dmarc_entries) && $domain['isemaildomain'] == '1') {
+							    $zonerecords[] = new DnsEntry($record, 'TXT', self::encloseTXTContent($dmarc_entries[0]));
 							}
+							
 						}
 					}
 				}
@@ -523,7 +533,7 @@ class Dns
 	 * @param array $domain
 	 * @return array
 	 */
-	private static function generateDkimEntries(array $domain): array
+	/** private static function generateDkimEntries(array $domain): array
 	{
 		$zone_dkim = [];

@@ -569,43 +579,61 @@ class Dns
 		}

 		return $zone_dkim;
-	}
-
+	} */
+	private static function generateDkimEntries(array $domain): array
+	{
+    $zone_dkim = [];
+    if (Settings::Get('dkim.use_dkim') == '1' && $domain['dkim'] == '1' && $domain['dkim_pubkey'] != '') {
+        // start
+        $dkim_txt = 'v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAosq0CmLqEzJJxIHkQwG1Xwk6CSyHHWSDXL9BHCKzY9lJXH7a23PogVlLvUBYaAgBtFOpsKuUCBl+/g6rOqgVXKg0OpYdpgTxZyz1i4NcubGFLifQGnF8ZKpIEDqIzmLI6SbH+9DKwYA319sXAR6feZI4g5bWqF07t/kzA5LN+2V5QnDQ3th++GPRl5rmWF6uoidIRD85UZVEX4s3J1hce0k6tRb2aEozCJaSXHUwyarmbbX/5rky467QQ+45Uy0q9CNaMMu1IX5eybhLRxYXK1k0TfIRJv4FH1UFLlq2QoGC7d+KvLrUabhzQ5wbdZkWuVgLFZ7CL2NegfzO6YeEcQIDAQAB';
+        $zone_dkim[] = $dkim_txt;
+    }
+    return $zone_dkim;
+}
+    private static function generateDmarcEntries(array $domain): array
+    {
+        $zone_dmarc = [];
+        if (Settings::Get('dkim.use_dkim') == '1' && $domain['dkim'] == '1' ){
+            $dmarc_txt = 'v=DMARC1; p=reject; ruf=mailto:dmarc@'. $domain['domain'] . '; rua=mailto:dmarc@'. $domain['domain'] . '; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=345600;';
+            $zone_dmarc[] = $dmarc_txt;
+        }
+        return $zone_dmarc;
+    }
 	/**
 	 * @param string $txt_content
 	 * @param bool $isMultiLine
 	 * @return string
 	 */
 	public static function encloseTXTContent(string $txt_content, bool $isMultiLine = false): string
-	{
-		// check that TXT content is enclosed in " "
-		if (!$isMultiLine && Settings::Get('system.dns_server') != 'PowerDNS') {
-			if (substr($txt_content, 0, 1) != '"') {
-				$txt_content = '"' . $txt_content;
-			}
-			if (substr($txt_content, -1) != '"') {
-				$txt_content .= '"';
-			}
-		}
-		if (Settings::Get('system.dns_server') == 'PowerDNS') {
-			// no quotation for PowerDNS
-			if (substr($txt_content, 0, 1) == '"') {
-				$txt_content = substr($txt_content, 1);
-			}
-			if (substr($txt_content, -1) == '"') {
-				$txt_content = substr($txt_content, 0, -1);
-			}
-		}
-		return $txt_content;
-	}
+    {
+        // check that TXT content is enclosed in " "
+        if (! $isMultiLine && Settings::Get('system.dns_server') != 'PowerDNS') {
+            if (substr($txt_content, 0, 1) != '"') {
+                $txt_content = '"' . $txt_content;
+            }
+            if (substr($txt_content, - 1) != '"') {
+                $txt_content .= '"';
+            }
+        }
+        if (Settings::Get('system.dns_server') == 'PowerDNS') {
+            // no quotation for PowerDNS
+            if (substr($txt_content, 0, 1) == '"') {
+                $txt_content = substr($txt_content, 1);
+            }
+            if (substr($txt_content, - 1) == '"') {
+                $txt_content = substr($txt_content, 0, - 1);
+            }
+        }
+        return $txt_content;
+    }

 	/**
 	 * @param string $email
 	 * @return string
 	 */
 	private static function escapeSoaAdminMail(string $email): string
-	{
-		$mail_parts = explode("@", $email);
-		return str_replace(".", "\.", $mail_parts[0]) . "." . $mail_parts[1] . ".";
-	}
+    {
+        $mail_parts = explode("@", $email);
+        return str_replace(".", "\.", $mail_parts[0]) . "." . $mail_parts[1] . ".";
+    }
 }
Author	SHA1	Message	Date
Udo Waechter	d7a3568506	reject policy dmarc	2025-09-29 19:06:10 +02:00
Udo Waechter	10c13bc5b1	not generating disabled zones	2025-09-26 13:01:26 +02:00
Udo Waechter	dcb3f6f568	DKIM stuff with our own selector	2025-09-25 11:16:48 +02:00
Udo Waechter	7566def0d1	TODO: This is a dkim hack	2025-09-25 09:40:40 +02:00