added dane/tlsa dns check
This commit is contained in:
parent
4ee3df8d48
commit
f00a57abaf
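--- a/mailcow.yml
+++ b/mailcow.yml
@@ -416,6 +416,30 @@
 backup: yes
 validate: /bin/bash -n %s
 
+- name: /usr/local/sbin/runchecks.d/danetlsa.check
+blockinfile:
+path: /usr/local/sbin/runchecks.d/danetlsa.check
+mode: "0400"
+owner: root
+group: root
+create: yes
+marker: "# {mark} ANSIBLE MANAGED BLOCK"
+block: |
+cd ${g_tmp}
+host=mail.{{inventory_hostname}}
+openssl s_client -showcerts -connect ${host}:443 < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
+for cert in *.pem
+do
+certname=$(openssl x509 -noout -subject -in ${cert} 2>/dev/null | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
+[ "${certname}" != "${host}.pem" ] && continue
+tlsa=$(openssl x509 -in "${cert}" -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | cut -d" " -f2)
+dnstlsa=$(host -t TLSA *._tcp.${host} | cut -d" " -f 8,9 | tr '[:upper:]' '[:lower:]' | sed 's/ //g')
+[ "${tlsa}" != "${dnstlsa}" ] && g_echo_error "DNS TLSA incorrect! *._tcp.${host} should be ${tlsa} but is ${dnstlsa} (host -t TLSA *._tcp.${host})"
+done
+rm *.pem
+cd - >/dev/null
+backup: yes
+validate: /bin/bash -n %s
 
 handlers:
 - name: Restart mailcow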
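Review bot: `cd ${g_tmp}` at the top of the new block is unquoted and its result is not checked, so if `g_tmp` is unset or the directory is missing the script keeps running in whatever directory it started in and the closing `rm *.pem` deletes that directory's `.pem` files (presumably as root, given the `owner: root` / `mode: "0400"` task attributes); write it as `cd "${g_tmp:?}" || exit 1` (or `return 1` if runchecks sources these files, which is not visible here). The unquoted `*` in `host -t TLSA *._tcp.${host}` is a shell glob and should be `host -t TLSA "*._tcp.${host}"`. `openssl rsa -pubin` produces no output for a non-RSA key (an ECDSA certificate, for example), which leaves `tlsa` empty and the comparison reporting a spurious mismatch; `openssl pkey -pubin -outform DER` handles both key types. The check also only compares the hash: it does not confirm the record's usage/selector/matching-type fields are `3 1 1` (they are dropped by `cut -f 8,9`), nor that the DNS answer was DNSSEC-validated, which DANE depends on, so a comment stating those assumptions would help the next maintainer.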
|