1 (edited by dajjhman 2015-05-27 03:11:34)

Topic: DKIM keys added by lower-level users

======== Required information ====
- iRedMail version: 0.9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: CentOS 7
- Related log if you're reporting an issue: No issue, config help
====

I have gotten amavisd and DKIM working fine in general, but I have been trying to find a way to allow non-sudo users to add a new key for domains they add in the web panel (pro panel).
I will allow sudo access to restart or reload a service (and start if it dies), but I do not want to give them further access than that if possible. I have a script that works to generate keys, and currently outputs the lines that need to be added to /etc/amavisd/amavisd.conf, but this file has to be edited with sudo/root, or I have to add users to the group (a no-no since they will potentially have access to other domains' private keys or other parts of the server).

Is there a good way to do this? In this case, I would like users who have mail admin capabilities to be able to add their respective domains to have DKIM signing without getting a sysadmin involved.

Below is a copy of the script as it currently lies, but users need to have permissions to edit this file in general. This script is not complete nor safe for production environments, as it does not have protections currently for Command Injection, but it works for QA purposes at the moment.

#!/bin/bash

#
# create dkim key for amavisd (amavisd-new)
# and display the lines to add in amavisd config.
#
# including the txt record for the given domain
#

echo -e "Hi, please type the domain name we create dkim for: \c "
read domainname

# generate the 2048-bit RSA signing key for this domain
amavisd genrsa "/var/lib/dkim/$domainname.pem" 2048
# note: 0644 leaves the private key world-readable
chmod 0644 "/var/lib/dkim/$domainname.pem"

echo "add these lines to /etc/amavisd/amavisd.conf at the relevant location"
echo "search for COMPANY-NAME"
echo "nano /etc/amavisd/amavisd.conf"
echo "****"
echo "dkim_key(\"$domainname\", \"dkim\", \"/var/lib/dkim/$domainname.pem\");"
echo "****"
echo "and"
echo "****"
echo " \"$domainname\"  => { d => \"$domainname\", a => 'rsa-sha256', ttl => 10*24*3600 },"
echo "****"
echo "Then type:"
echo "amavisd -c /etc/amavisd/amavisd.conf showkeys \"$domainname\""
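
One way to give mail admins this capability without write access to amavisd.conf is a single-purpose helper they run through sudo (an added example, not part of the original post): the only user-controlled input is the domain name, which is validated before it reaches a path or the config. It assumes amavisd.conf pulls in the hypothetical file /etc/amavisd/dkim-keys.conf via include_config_files, and that "amavis" is the service user.

```shell
#!/bin/bash
# Added example: sudo-exposable helper for adding one DKIM key + config entry.
# Assumptions: amavisd.conf includes $CONF (hypothetical path) through
# include_config_files, and "amavis" is the amavisd service user.
set -eu

KEYDIR=/var/lib/dkim
CONF=/etc/amavisd/dkim-keys.conf    # hypothetical include file, must already exist

# Accept only a plain lowercase hostname: dot-separated labels of letters,
# digits and inner hyphens, plus an alphabetic TLD. Anything else (shell
# metacharacters, "/", "..", leading hyphens, spaces) is rejected.
validate_domain() {
    local d=$1
    [ "${#d}" -le 253 ] || return 1
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Emit the two amavisd.conf entries for a domain. The key path is derived from
# the validated name, never taken from the user.
dkim_config_lines() {
    local d=$1
    printf 'dkim_key("%s", "dkim", "%s/%s.pem");\n' "$d" "$KEYDIR" "$d"
    printf '"%s" => { d => "%s", a => '"'"'rsa-sha256'"'"', ttl => 10*24*3600 },\n' "$d" "$d"
}

main() {
    local d key
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    validate_domain "$d" || { echo "refusing invalid domain name: $1" >&2; exit 2; }
    key=$KEYDIR/$d.pem
    [ -w "$CONF" ] || { echo "config include $CONF missing or not writable" >&2; exit 1; }
    [ ! -e "$key" ] || { echo "a key for $d already exists; not overwriting" >&2; exit 3; }
    ! grep -qF "dkim_key(\"$d\"," "$CONF" || { echo "$d is already configured" >&2; exit 3; }
    amavisd genrsa "$key" 2048
    chown amavis:amavis "$key"
    chmod 0400 "$key"                 # private key readable by the amavis user only
    dkim_config_lines "$d" >> "$CONF"
    echo "key and config added for $d; reload amavisd, then publish this DNS record:"
    amavisd -c /etc/amavisd/amavisd.conf showkeys "$d"
}

# Only act when invoked with a domain; sourcing or running without args does nothing.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A sudoers rule granting the mail-admin group only this script (and the reload command) keeps the rest of the configuration and other domains' keys out of reach.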


2

Re: DKIM keys added by lower-level users

If you want more dynamic keys, use OpenDKIM for your signing; it allows you to load keys from SQL or other sources dynamically (without restarting services).

3

Re: DKIM keys added by lower-level users

dajjhman

FYI:  http://www.iredmail.org/forum/post40864.html#p40864

Did you ever test your script for any bugs or problems?

Did you try the OpenDKIM and if so, with what results?

Cheers