pennocktech / smtpdane
SMTP DANE testing tool
License: MIT License
In the code, wherever we currently reference .CommonName, that was a short-cut because I didn't want to write a full name construction function.
As of Go 1.10, per release notes: crypto/x509/pkix: Name now implements a String method that formats the X.509 distinguished name in the standard RFC 2253 format.
We should switch to using this and make sure the results still look sane.
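The following is an added example (not smtpdane's code) showing the difference between the .CommonName short-cut and pkix.Name.String() on a certificate that has been round-tripped through DER, which is how a tool actually receives a server's leaf. The subject values, the self-signed certificate and the helper names (SubjectNames, selfSignedCert, Demo) are all constructed for the example; the Organization deliberately contains a comma so the RFC 2253 escaping that String() performs is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SubjectNames returns a certificate's subject two ways: the CommonName-only
// short-cut, and the RFC 2253 string from pkix.Name.String() (Go 1.10+),
// which keeps every RDN and escapes special characters.
func SubjectNames(cert *x509.Certificate) (commonName, rfc2253 string) {
	return cert.Subject.CommonName, cert.Subject.String()
}

// selfSignedCert builds a throw-away certificate in memory so the subject is
// round-tripped through DER and parsed the way a tool sees a server's leaf.
// Constructed test data: no real CA, host or key material is involved.
func selfSignedCert(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo uses a constructed subject whose Organization contains a comma, the
// case a hand-rolled "join the fields with commas" would get wrong.
func Demo() (commonName, rfc2253 string, err error) {
	cert, err := selfSignedCert(pkix.Name{
		CommonName:   "mx.example.com",
		Organization: []string{"Example, Inc."},
		Country:      []string{"US"},
	})
	if err != nil {
		return "", "", err
	}
	commonName, rfc2253 = SubjectNames(cert)
	return commonName, rfc2253, nil
}

func main() {
	cn, full, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CommonName only: %s\nRFC 2253 form:   %s\n", cn, full)
}
```

String() emits the RDNs in reverse order of the encoded sequence (most specific first, as RFC 2253 requires) and backslash-escapes commas, plus signs, quotes and the other reserved characters, so output from it is safe to compare and log where a CommonName-only string silently drops the rest of the name.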
The Golang OCSP lib uses ResponseError in constructed responses and the OCSP status parsing we're doing is assuming those codes (.TryLater etc) instead of the in-response status values (.Revoked etc).
While the issue in #4 was accurate, it shouldn't have been seen because the DNS resolver shouldn't have been used. So a real issue was reported, but it is a bug that it was found to be reported.
Adding a debug to the resolver iteration inner loop, just before the exchange, shows we hit all the resolvers. This should not be.
$ git log --oneline --no-decorate -1
1632cba CI: adjust for GHActions deprecations [tread-water]
$ go build
$ ./smtpdane mx3.molgen.mpg.de
error securely resolving "mx3.molgen.mpg.de"
not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/AAAA query
not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/A query
no results found
./smtpdane: encountered 1 errors
$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
nameserver 141.14.16.1
$ dig mx3.molgen.mpg.de
; <<>> DiG 9.9.6-P1 <<>> mx3.molgen.mpg.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47299
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mx3.molgen.mpg.de. IN A
;; ANSWER SECTION:
mx3.molgen.mpg.de. 7129 IN A 141.14.17.11
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 13 05:45:40 CEST 2023
;; MSG SIZE rcvd: 62
$ unbound -V
Version 1.13.1
Configure line: --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datarootdir=/usr/share --datadir=/usr/share --infodir=/usr/share/info --localedir=/usr/share/locale --mandir=/usr/share/man --docdir=/usr/share/doc/unbound --exec-prefix=/usr --disable-static --enable-systemd --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1t 7 Feb 2023
Linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
Hi,
It would be awesome to be able to use a defined DNS name server.
Because for my specific uses my servers can query smtp.domain.tld internally and it returns an internal IP.
But from the outside world it gives the public IP.
Either allow unsecure DNS results, but that's a bit sad:
error securely resolving "mx1.mails.domain.tld"
not AD set for results from 10.10.18.1:53 for "mx1.mails.domain.tld."/AAAA query, skipping any remaining resolvers
not AD set for results from 10.10.18.1:53 for "mx1.mails.domain.tld."/A query, skipping any remaining resolvers
no results found
Or support using another resolver. That could allow the user to do checks with different resolvers to monitor if results do not differ.
PS: this project is awesome, and having .deb releases is great!
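Both reports above turn on the same check: whether a resolver's answer carries the DNSSEC AD (Authentic Data) bit, and what the tool does with the remaining resolv.conf entries once one resolver has answered. The following is an added example, not smtpdane's code, that parses the AD bit from the fixed 12-byte DNS header and walks a resolver list in order, stopping at the first resolver that answers (a later, non-validating resolver can only lower the result's security, never raise it). The Resolver type, the canned replies, the header builder and the resolver addresses reused from the report are all constructed here; the "skipping any remaining resolvers" wording mirrors the tool's own log line.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
const (
	flagQR = 1 << 15 // response, not query
	flagAD = 1 << 5  // Authentic Data: resolver validated the answer with DNSSEC
)

var errShort = errors.New("dns: message shorter than 12-byte header")

// AuthenticData reports whether a DNS response has the AD bit set. Only the
// fixed header is parsed; the question and answer sections are not needed.
func AuthenticData(msg []byte) (bool, error) {
	if len(msg) < 12 {
		return false, errShort
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&flagQR == 0 {
		return false, errors.New("dns: message is a query, not a response")
	}
	return flags&flagAD != 0, nil
}

// Resolver is a constructed stand-in for one nameserver line in
// /etc/resolv.conf: its address plus a canned reply, so the walk runs offline.
type Resolver struct {
	Addr  string
	Reply []byte
}

// SecureResolve walks resolvers in resolv.conf order. The first resolver that
// produces a parseable answer decides the outcome: AD set means success, AD
// clear means failure with the remaining resolvers skipped. Only a resolver
// that fails to answer (here: an unparseable reply) causes a fall-through.
func SecureResolve(name string, resolvers []Resolver) ([]byte, []string, error) {
	var trace []string
	for _, r := range resolvers {
		ad, err := AuthenticData(r.Reply)
		if err != nil {
			trace = append(trace, fmt.Sprintf("%s: %v, trying next resolver", r.Addr, err))
			continue
		}
		if !ad {
			trace = append(trace, fmt.Sprintf("not AD set for results from %s for %q, skipping any remaining resolvers", r.Addr, name))
			return nil, trace, errors.New("no DNSSEC-validated results")
		}
		trace = append(trace, fmt.Sprintf("AD set for results from %s for %q", r.Addr, name))
		return r.Reply, trace, nil
	}
	return nil, trace, errors.New("no results found")
}

// header builds a constructed 12-byte response header with the given flags.
func header(flags uint16) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint16(h[0:2], 0x1234) // ID
	binary.BigEndian.PutUint16(h[2:4], flags)
	binary.BigEndian.PutUint16(h[4:6], 1) // QDCOUNT
	binary.BigEndian.PutUint16(h[6:8], 1) // ANCOUNT
	return h
}

var (
	// qr rd ra ad (0x81a0): what dig showed from the local validating unbound.
	ReplyValidated = header(0x81a0)
	// qr rd ra (0x8180): a non-validating forwarder, as 141.14.16.1 answered.
	ReplyPlain = header(0x8180)
)

func main() {
	resolvers := []Resolver{
		{Addr: "127.0.0.1:53", Reply: ReplyValidated},
		{Addr: "141.14.16.1:53", Reply: ReplyPlain},
	}
	_, trace, err := SecureResolve("mx3.molgen.mpg.de.", resolvers)
	for _, line := range trace {
		fmt.Println(line)
	}
	fmt.Println("err:", err)
}
```

With the validating resolver first, the walk returns after one answer and the forwarder is never consulted, which is the behaviour the resolv.conf in the report should have produced; swapping the order fails immediately on the plain answer. For the feature request, allowing a user-specified resolver is just passing a different Resolver list in, and the AD check still decides whether its answers are trusted.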
Hi!
If I call smtpdane with -mx option it seems to add the domain as hostname as well into the list of hostnames to check.
For example:
# ./smtpdane -mx univie.ac.at
found 4 MX records for "univie.ac.at" across 1 preference levels
"univie.ac.at" MX preference 10: [zidmx4.univie.ac.at. zidmx3.univie.ac.at. zidmx2.univie.ac.at. zidmx1.univie.ac.at.]
found 2 secure addresses for "zidmx1.univie.ac.at.": [2001:62a:4:25::25:100 131.130.3.100]
found 2 TLSA records for "_25._tcp.zidmx1.univie.ac.at."
3 1 1 c0578936f55c1800aa6ac8f74116da06c0f8910f8081732cae8f0967ef320425
2 1 1 f3ae75c0490c907e5fb6268ba79ee8aa6c772874c5cc3829ed97895d1d13a01b
[zidmx1.univie.ac.at. 131.130.3.100] issuing STARTTLS [port 25]
[zidmx1.univie.ac.at. 131.130.3.100] TLSA DANE-EE(3) match: 3 1 1 ...ae8f0967ef320425
[zidmx1.univie.ac.at. 131.130.3.100] 1 chains to TA; first length 2, is: ["zidmx1.univie.ac.at" "TERENA SSL CA 3"]
[zidmx1.univie.ac.at. 131.130.3.100] no valid TA chains for hostname "univie.ac.at"
[zidmx1.univie.ac.at. 131.130.3.100] TLSA DANE-TA(2) match against chain position 2: 2 1 1 ...ed97895d1d13a01b
....
This results in "...no valid TA chains for hostname "univie.ac.at"" messages. Should "univie.ac.at" be tested in this setting? IMO no, or am I missing something?
The same happens with "-submission(s)" and "-srv".
$ smtpdane -show-cert-info -srv -submissions wdes.fr
error resolving SRV "_-submissions._tcp.wdes.fr":
no results found
The generated record makes no sense; I was thinking that submissions and friends would be a sub-category. But it turns out that I need to remove -srv to use -submissions or it will create a very wrong record.
I did end up in this because I first tried -srv and then realised it needed one more, so I just added -submissions and a bug was born.
Other than that, thank you so much for considering SRV!
At present, using smtpdane -srv submission $DOMAIN without also specifying -tls-on-connect will result in a hang. (The -submissions shortcut implicitly sets the -tls-on-connect flag.)
We should handle this more gracefully. Hanging forever is not acceptable.
It is acceptable to spot the TLS-on-connect and issue a warning and continue.
It is acceptable to spot the TLS-on-connect and error.
It is acceptable to just have a timeout over the whole handshake and abort when that is exceeded.
At present, we do have the -connect-timeout flag, but that doesn't apply once the connection has been established.
Spotted while investigating #7
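The hang is a protocol mismatch: the client waits for a 220 banner in the clear while a TLS-on-connect endpoint waits for a ClientHello, so neither side ever sends a byte and a connect timeout never fires because the TCP connect itself succeeded. The following is an added example, not smtpdane's code, of the third option above: a deadline over the whole session applied before the first read. The silentServer stand-in for the remote MTA, the ReadBanner and IsTimeout helpers and the timeouts are all constructed for the example; -connect-timeout and -tls-on-connect are the flags named in the issue.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// silentServer accepts one connection and then waits for the client to speak
// first, which is what a TLS-on-connect (submissions) endpoint does: it expects
// a ClientHello and never sends an SMTP banner in the clear. Constructed
// stand-in for the remote MTA.
func silentServer() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 1)
		_, _ = conn.Read(buf) // block until the client gives up; send nothing
	}()
	return ln, nil
}

// ReadBanner dials addr with a connect timeout, then sets a whole-session
// deadline BEFORE reading the greeting. The connect timeout alone would not
// help: the TCP connect succeeds instantly and the hang is in the read.
func ReadBanner(addr string, connectTimeout, sessionTimeout time.Duration) (string, error) {
	conn, err := net.DialTimeout("tcp", addr, connectTimeout)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := conn.SetDeadline(time.Now().Add(sessionTimeout)); err != nil {
		return "", err
	}
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		if errors.Is(err, os.ErrDeadlineExceeded) {
			// A silent peer right after connect is the signature of a
			// TLS-on-connect port being driven as STARTTLS: say so.
			return "", fmt.Errorf("no SMTP banner from %s within %s; server may expect TLS-on-connect (try -tls-on-connect): %w", addr, sessionTimeout, err)
		}
		return "", err
	}
	return line, nil
}

// IsTimeout reports whether err came from the session deadline rather than
// from a connect failure or a protocol error.
func IsTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

func main() {
	ln, err := silentServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	_, err = ReadBanner(ln.Addr().String(), 2*time.Second, 500*time.Millisecond)
	fmt.Println("result:", err)
	fmt.Println("timeout:", IsTimeout(err))
}
```

The same deadline should be extended (or re-armed) across the STARTTLS exchange and the TLS handshake, since a plaintext-expecting client that is pointed at a TLS-on-connect port stalls in exactly the same way at any of those steps; net.Conn.SetDeadline covers all of them because the TLS layer reads through the same connection.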
I would like to check SRV records, but in my domain scheme SRV records have different names than MX records.
And the SRV records have no TLSA records. It would be nice to be able to disable TLSA checks, for example.
I have TLSA set up only for MX records:
But SRV have values like:
Test command: smtpdane -show-cert-info -submissions wdes.fr
One last thing, I was thinking -nocertnames would shut it up and check TLSA post-connect, but it looks like that's not true.