Mailcow-TLSA-Record-Updater is a Bash script designed to automatically generate and update TLSA (Transport Layer Security Authentication) records for your Mailcow mail server. It supports creating TLSA records using SHA-256 and SHA-512 hashes and updates the records if there are any changes in the certificate hashes. The script utilizes DNSControl to push the updates to your DNS provider.
- Generates TLSA 3 1 1 and TLSA 3 1 2 records
- Checks for changes in certificate hashes and updates the JSON file accordingly
- Executes DNSControl to push changes when updates are detected
- Debug mode for detailed logging
openssl
: Used to generate certificate hashesjq
: Used to parse and update JSON filesdocker
: Used to run DNSControlDNSControl
: DNS management tool by StackExchange
-
Clone the Repository
git clone https://github.com/yourusername/Mailcow-TLSA-Record-Updater.git cd Mailcow-TLSA-Record-Updater
-
Install Required Tools
Ensure openssl, jq, docker, and DNSControl are installed on your system. Use your package manager to install them if necessary. For example, on Debian-based systems:
sudo apt install openssl jq
For DNSControl, follow the installation instructions from the DNSControl documentation.
-
Edit settings.env
Create and edit the settings.env file in the project directory with your settings:
# activate debug debug=false # Directory in which the script works tlsaScriptDir="/path/to/Mailcow-TLSA-Record-Updater" # Domain for which the TLSA entries are to be created tlsaScriptMailcowDomain="your.mailcow.domain" # Path to the main certificate of your domain tlsaScriptMailcowCert="/path/to/mailcow/data/assets/ssl/cert.pem"
-
Ensure Permissions
Ensure the script has executable permissions:
chmod +x tlsa_check.sh
Run the script manually:
./tlsa_check.sh
Or set up a cron job to run it periodically. For example, to run the script every day at midnight, add the following line to your crontab:
*/15 * * * * /path/to/Mailcow-TLSA-Record-Updater/tlsa_check.sh > /path/to/Mailcow-TLSA-Record-Updater/tlsa_check.log
Alternatively, use inotifywait
to monitor the certificate file and run the script whenever the certificate changes:
while inotifywait -e close_write /path/to/mailcow/data/assets/ssl/cert.pem; do
/path/to/Mailcow-TLSA-Record-Updater/tlsa_check.sh >> /path/to/Mailcow-TLSA-Record-Updater/tlsa_check.log
done
To enable debugging, set the debug variable to true in the script or export it as an environment variable before running the script:
- Set the variable
debug
totrue
in settings.env to activate debugging
- Fork the repository.
- Create a new branch (git checkout -b feature-branch).
- Make your changes.
- Commit your changes (git commit -am 'Add some feature').
- Push to the branch (git push origin feature-branch).
- Create a new Pull Request.
This project is licensed under the GNU GENERAL PUBLIC LICENSE v3 License. See the LICENSE file for details.