added dane/tlsa dns check
This commit is contained in:
parent
4ee3df8d48
commit
f00a57abaf
24
mailcow.yml
24
mailcow.yml
@ -416,6 +416,30 @@
|
||||
backup: yes
|
||||
validate: /bin/bash -n %s
|
||||
|
||||
- name: /usr/local/sbin/runchecks.d/danetlsa.check
|
||||
blockinfile:
|
||||
path: /usr/local/sbin/runchecks.d/danetlsa.check
|
||||
mode: "0400"
|
||||
owner: root
|
||||
group: root
|
||||
create: yes
|
||||
marker: "# {mark} ANSIBLE MANAGED BLOCK"
|
||||
block: |
|
||||
cd ${g_tmp}
|
||||
host=mail.{{inventory_hostname}}
|
||||
openssl s_client -showcerts -connect ${host}:443 < /dev/null 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/{ if(/BEGIN CERTIFICATE/){a++}; out="cert"a".pem"; print >out}'
|
||||
for cert in *.pem
|
||||
do
|
||||
certname=$(openssl x509 -noout -subject -in ${cert} 2>/dev/null | sed -nE 's/.*CN ?= ?(.*)/\1/; s/[ ,*]/_/g; s/__/_/g; s/_-_/-/; s/^_//g;p' | tr '[:upper:]' '[:lower:]').pem
|
||||
[ "${certname}" != "${host}.pem" ] && continue
|
||||
tlsa=$(openssl x509 -in "${cert}" -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | cut -d" " -f2)
|
||||
dnstlsa=$(host -t TLSA *._tcp.${host} | cut -d" " -f 8,9 | tr '[:upper:]' '[:lower:]' | sed 's/ //g')
|
||||
[ "${tlsa}" != "${dnstlsa}" ] && g_echo_error "DNS TLSA incorrect! *._tcp.${host} should be ${tlsa} but is ${dnstlsa} (host -t TLSA *._tcp.${host})"
|
||||
done
|
||||
rm *.pem
|
||||
cd - >/dev/null
|
||||
backup: yes
|
||||
validate: /bin/bash -n %s
|
||||
|
||||
handlers:
|
||||
- name: Restart mailcow
|
||||
|
Loading…
Reference in New Issue
Block a user