From b51550de1120ffdb63c299c64f6837004442de80 Mon Sep 17 00:00:00 2001
From: bilogic <946010+bilogic@users.noreply.github.com>
Date: Fri, 5 Jan 2024 15:56:41 +0800
Subject: [PATCH] allow a custom dkim selector

---
 management/dns_update.py | 6 +++---
 setup/dkim.sh | 4 ++--
 setup/migrate.py | 2 +-
 setup/start.sh | 1 +
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/management/dns_update.py b/management/dns_update.py
index 9a768ea85..cd7d52b31 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -297,7 +297,7 @@ def has_rec(qname, rtype, prefix=None):
 # Append the DKIM TXT record to the zone as generated by OpenDKIM.
 # Skip if the user has set a DKIM record already.
- opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt')
+ opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.txt')
 with open(opendkim_record_file) as orf:
 m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S)
 val = "".join(re.findall(r'"([^"]+)"', m.group(2)))
@@ -764,7 +764,7 @@ def write_opendkim_tables(domains, env):
 # Append a record to OpenDKIM's KeyTable and SigningTable for each domain
 # that we send mail from (zones and all subdomains).
- opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private')
+ opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.private')
 if not os.path.exists(opendkim_key_file):
 # Looks like OpenDKIM is not installed.
@@ -789,7 +789,7 @@ def write_opendkim_tables(domains, env):
 # signing domain must match the sender's From: domain.
 "KeyTable": "".join(
- "{domain} {domain}:mail:{key_file}\n".format(domain=domain, key_file=opendkim_key_file)
+ "{domain} {domain}:{selector}:{key_file}\n".format(domain=domain, selector=env['DKIM_SELECTOR'], key_file=opendkim_key_file)
 for domain in domains
 ),
 }
diff --git a/setup/dkim.sh b/setup/dkim.sh
index d99c78a79..523afc957 100755
--- a/setup/dkim.sh
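Review bot: `env['DKIM_SELECTOR']` is spliced straight into a filesystem path on the added `opendkim_record_file` line, and the same unchecked value is used in the `opendkim_key_file` hunk and in the KeyTable hunk below; a selector containing `/`, `..` or whitespace would escape `mail/dkim/`, and a `:` would corrupt OpenDKIM's colon-delimited `domain:selector:keyfile` KeyTable entry. The value presumably comes from /etc/mailinabox.conf, which setup writes, so it is admin-controlled, but one validation where it is read (letters, digits and hyphens, like the hard-coded `mail` it replaces) would cover all three uses. A conf file written by a previous version has no DKIM_SELECTOR key until setup/start.sh is re-run, so indexing with `[]` would raise KeyError on such a box in the meantime; `env.get('DKIM_SELECTOR', 'mail')` keeps the previous default until then. The enclosing functions (`has_rec`'s caller and `write_opendkim_tables`) start before each hunk and continue after it.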
+++ b/setup/dkim.sh
@@ -52,8 +52,8 @@ fi
 # A 1024-bit key is seen as a minimum standard by several providers
 # such as Google. But they and others use a 2048 bit key, so we'll
 # do the same. Keys beyond 2048 bits may exceed DNS record limits.
-if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
- opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
+if [ ! -f "$STORAGE_ROOT/mail/dkim/$DKIM_SELECTOR.private" ]; then
+ opendkim-genkey -b 2048 -r -s $DKIM_SELECTOR -D $STORAGE_ROOT/mail/dkim
 fi
 # Ensure files are owned by the opendkim user and are private otherwise.
diff --git a/setup/migrate.py b/setup/migrate.py
index 9065cf40f..25d9a73c5 100755
--- a/setup/migrate.py
+++ b/setup/migrate.py
@@ -99,7 +99,7 @@ def migration_8(env):
 # Delete DKIM keys. We had generated 1024-bit DKIM keys.
 # By deleting the key file we'll automatically generate
 # a new key, which will be 2048 bits.
- os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))
+ os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/' + env['DKIM_SELECTOR'] + '.private'))
 def migration_9(env):
 # Add a column to the aliases table to store permitted_senders,
diff --git a/setup/start.sh b/setup/start.sh
index 459dc7e3e..c3e21deec 100755
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -104,6 +104,7 @@ PUBLIC_IPV6=$PUBLIC_IPV6
 PRIVATE_IP=$PRIVATE_IP
 PRIVATE_IPV6=$PRIVATE_IPV6
 MTA_STS_MODE=${DEFAULT_MTA_STS_MODE:-enforce}
+DKIM_SELECTOR=${DEFAULT_DKIM_SELECTOR:-mail}
 EOF
 # Start service configuration.
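Review bot: `$DKIM_SELECTOR` is unquoted on the added `opendkim-genkey` line, so an empty value makes `-s` consume `-D` as the selector name and a value with whitespace splits into extra arguments; `-s "$DKIM_SELECTOR"` makes a bad value fail loudly inside genkey instead, and matches the quoting the `-f` test on the line above already uses. Changing the selector on an existing box also leaves the old `mail.private`/`mail.txt` pair in place and silently generates a second key; a comment above the `if` noting that old selector files are not removed, and that the published TXT record changes with the selector, would save the next reader a surprise. Where the variable is sourced from is outside this hunk, so whether it can be empty here is inferred.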
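Review bot: migration_8 deletes a 1024-bit key generated by versions that predate this patch, and those versions always used selector `mail`, so the file it must remove is `mail/dkim/mail.private` regardless of what the conf now says; with a custom selector the new path names a file that was never created and `os.unlink` raises FileNotFoundError, aborting the migration run. Keeping the literal path, `os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))`, or guarding it with `if os.path.exists(...)`, avoids that. Whether migration_8 can run before start.sh has written DKIM_SELECTOR into the conf (which would make `env['DKIM_SELECTOR']` a KeyError) depends on ordering outside this hunk. migration_8 starts before the hunk.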
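Review bot: `DKIM_SELECTOR` is written to /etc/mailinabox.conf from `DEFAULT_DKIM_SELECTOR` without any validation, yet every consumer in this patch splices it into a filesystem path (dns_update.py, migrate.py), an unquoted shell argument (dkim.sh) or OpenDKIM's colon-delimited KeyTable, and DNS publishes it as the `<selector>._domainkey` label. Rejecting anything that is not a plain hostname label before the heredoc that opens this block (its `cat` line is outside the hunk) gives one check instead of four: `case "${DEFAULT_DKIM_SELECTOR:-mail}" in *[!A-Za-z0-9-]*) echo "DEFAULT_DKIM_SELECTOR may contain only letters, digits and hyphens" >&2; exit 1;; esac`. RFC 6376 also permits dotted selectors, but nothing here needs that, and a single label keeps the file names and KeyTable entries unambiguous.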