Головна сторінка Огляд Довідка
Увійти
mirrors
/
mailcow-dockerized
дзеркало https://github.com/mailcow/mailcow-dockerized
2
0
Відгалуження 0
Файли Проблеми 0 Wiki
Дерево: a89fe53e4a
Гілки Теги
mailcow-dockeri...
/
data
/
Dockerfiles
/
acme
/
functions.sh

functions.sh 4.6 KB
Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132 
  1. #!/bin/bash
    2. 

  2. 

  3. log_f() {
    4. 

  4.   if [[ ${2} == "no_nl" ]]; then
    5. 

  5.     echo -n "$(date) - ${1}"
    6. 

  6.   elif [[ ${2} == "no_date" ]]; then
    7. 

  7.     echo "${1}"
    8. 

  8.   elif [[ ${2} != "redis_only" ]]; then
    9. 

  9.     echo "$(date) - ${1}"
    10. 

  10.   fi
    11. 

  11.   if [[ ${3} == "b64" ]]; then
    12. 

  12.     ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"base64,$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}")\"}" > /dev/null
    13. 

  13.   else
    14. 

  14.     ${REDIS_CMDLINE} LPUSH ACME_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${MAILCOW_HOSTNAME} - ${1}" | \
    15. 

  15.       tr '%&;$"[]{}-\r\n' ' ')\"}" > /dev/null
    16. 

  16.   fi
    17. 

  17. }
    18. 

  18. 

  19. verify_email(){
    20. 

  20.   regex="^(([A-Za-z0-9]+((\.|\-|\_|\+)?[A-Za-z0-9]?)*[A-Za-z0-9]+)|[A-Za-z0-9]+)@(([A-Za-z0-9]+)+((\.|\-|\_)?([A-Za-z0-9]+)+)*)+\.([A-Za-z]{2,})+$"
    21. 

  21.   if [[ $1 =~ ${regex} ]]; then
    22. 

  22.     return 0
    23. 

  23.   else
    24. 

  24.     return 1
    25. 

  25.   fi
    26. 

  26. }
    27. 

  27. 

  28. verify_hash_match(){
    29. 

  29.   CERT_HASH=$(openssl x509 -in "${1}" -noout -pubkey | openssl md5)
    30. 

  30.   KEY_HASH=$(openssl pkey -in "${2}" -pubout | openssl md5)
    31. 

  31.   if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
    32. 

  32.     log_f "Certificate and key hashes do not match!"
    33. 

  33.     return 1
    34. 

  34.   else
    35. 

  35.     log_f "Verified hashes."
    36. 

  36.     return 0
    37. 

  37.   fi
    38. 

  38. }
    39. 

  39. 

  40. get_ipv4(){
    41. 

  41.   local IPV4=
    42. 

  42.   local IPV4_SRCS=
    43. 

  43.   local TRY=
    44. 

  44.   IPV4_SRCS[0]="ip4.mailcow.email"
    45. 

  45.   IPV4_SRCS[1]="ip4.nevondo.com"
    46. 

  46.   until [[ ! -z ${IPV4} ]] || [[ ${TRY} -ge 10 ]]; do
    47. 

  47.     IPV4=$(curl --connect-timeout 3 -m 10 -L4s ${IPV4_SRCS[$RANDOM % ${#IPV4_SRCS[@]} ]} | grep -E "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$")
    48. 

  48.     [[ ! -z ${TRY} ]] && sleep 1
    49. 

  49.     TRY=$((TRY+1))
    50. 

  50.   done
    51. 

  51.   echo ${IPV4}
    52. 

  52. }
    53. 

  53. 

  54. get_ipv6(){
    55. 

  55.   local IPV6=
    56. 

  56.   local IPV6_SRCS=
    57. 

  57.   local TRY=
    58. 

  58.   IPV6_SRCS[0]="ip6.mailcow.email"
    59. 

  59.   IPV6_SRCS[1]="ip6.nevondo.com"
    60. 

  60.   until [[ ! -z ${IPV6} ]] || [[ ${TRY} -ge 10 ]]; do
    61. 

  61.     IPV6=$(curl --connect-timeout 3 -m 10 -L6s ${IPV6_SRCS[$RANDOM % ${#IPV6_SRCS[@]} ]} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$")
    62. 

  62.     [[ ! -z ${TRY} ]] && sleep 1
    63. 

  63.     TRY=$((TRY+1))
    64. 

  64.   done
    65. 

  65.   echo ${IPV6}
    66. 

  66. }
    67. 

  67. 

  68. check_domain(){
    69. 

  69.     DOMAIN=$1
    70. 

  70.     A_DOMAIN=$(dig A ${DOMAIN} +short | tail -n 1)
    71. 

  71.     AAAA_DOMAIN=$(dig AAAA ${DOMAIN} +short | tail -n 1)
    72. 

  72.     # Hard-fail on CAA errors for MAILCOW_HOSTNAME
    73. 

  73.     PARENT_DOMAIN=$(echo ${DOMAIN} | cut -d. -f2-)
    74. 

  74.     CAAS=( $(dig CAA ${PARENT_DOMAIN} +short | sed -n 's/\d issue "\(.*\)"/\1/p') )
    75. 

  75.     if [[ ! -z ${CAAS} ]]; then
    76. 

  76.       if [[ ${CAAS[@]} =~ "letsencrypt.org" ]]; then
    77. 

  77.         log_f "Validated CAA for parent domain ${PARENT_DOMAIN}"
    78. 

  78.       else
    79. 

  79.         log_f "Lets Encrypt disallowed for ${PARENT_DOMAIN} by CAA record"
    80. 

  80.         return 1
    81. 

  81.       fi
    82. 

  82.     fi
    83. 

  83.     # Check if CNAME without v6 enabled target
    84. 

  84.     if [[ ! -z ${AAAA_DOMAIN} ]] && [[ -z $(echo ${AAAA_DOMAIN} | grep "^\([0-9a-fA-F]\{0,4\}:\)\{1,7\}[0-9a-fA-F]\{0,4\}$") ]]; then
    85. 

  85.       AAAA_DOMAIN=
    86. 

  86.     fi
    87. 

  87.     if [[ ! -z ${AAAA_DOMAIN} ]]; then
    88. 

  88.       log_f "Found AAAA record for ${DOMAIN}: ${AAAA_DOMAIN} - skipping A record check"
    89. 

  89.       if [[ $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) == $(expand ${AAAA_DOMAIN}) ]] || [[ ${SKIP_IP_CHECK} == "y" ]] || [[ ${SNAT6_TO_SOURCE} != "n" ]]; then
    90. 

  90.         if verify_challenge_path "${DOMAIN}" 6; then
    91. 

  91.           log_f "Confirmed AAAA record with IP $(expand ${AAAA_DOMAIN})"
    92. 

  92.           return 0
    93. 

  93.         else
    94. 

  94.           log_f "Confirmed AAAA record with IP $(expand ${AAAA_DOMAIN}), but HTTP validation failed"
    95. 

  95.         fi
    96. 

  96.       else
    97. 

  97.         log_f "Cannot match your IP $(expand ${IPV6:-"0000:0000:0000:0000:0000:0000:0000:0000"}) against hostname ${DOMAIN} (DNS returned $(expand ${AAAA_DOMAIN}))"
    98. 

  98.       fi
    99. 

  99.     elif [[ ! -z ${A_DOMAIN} ]]; then
    100. 

  100.       log_f "Found A record for ${DOMAIN}: ${A_DOMAIN}"
    101. 

  101.       if [[ ${IPV4:-ERR} == ${A_DOMAIN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]] || [[ ${SNAT_TO_SOURCE} != "n" ]]; then
    102. 

  102.         if verify_challenge_path "${DOMAIN}" 4; then
    103. 

  103.           log_f "Confirmed A record ${A_DOMAIN}"
    104. 

  104.           return 0
    105. 

  105.         else
    106. 

  106.           log_f "Confirmed A record with IP ${A_DOMAIN}, but HTTP validation failed"
    107. 

  107.         fi
    108. 

  108.       else
    109. 

  109.         log_f "Cannot match your IP ${IPV4} against hostname ${DOMAIN} (DNS returned ${A_DOMAIN})"
    110. 

  110.       fi
    111. 

  111.     else
    112. 

  112.       log_f "No A or AAAA record found for hostname ${DOMAIN}"
    113. 

  113.     fi
    114. 

  114.     return 1
    115. 

  115. }
    116. 

  116. 

  117. verify_challenge_path(){
    118. 

  118.   if [[ ${SKIP_HTTP_VERIFICATION} == "y" ]]; then
    119. 

  119.     echo '(skipping check, returning 0)'
    120. 

  120.     return 0
    121. 

  121.   fi
    122. 

  122.   # verify_challenge_path URL 4|6
    123. 

  123.   RANDOM_N=${RANDOM}${RANDOM}${RANDOM}
    124. 

  124.   echo ${RANDOM_N} > /var/www/acme/${RANDOM_N}
    125. 

  125.   if [[ "$(curl --insecure -${2} -L http://${1}/.well-known/acme-challenge/${RANDOM_N} --silent)" == "${RANDOM_N}"  ]]; then
    126. 

  126.     rm /var/www/acme/${RANDOM_N}
    127. 

  127.     return 0
    128. 

  128.   else
    129. 

  129.     rm /var/www/acme/${RANDOM_N}
    130. 

  130.     return 1
    131. 

  131.   fi
    132. 

  132. }
    133.