smtpdane's People

Contributors

philpennock avatar

Forkers

alexmtv

smtpdane's Issues

`crypto/x509/pkix.Name` now implements `String() string`, use it

In the code, wherever we currently reference .CommonName, that was a short-cut because I didn't want to write a full name construction function.

As of Go 1.10, per release notes:

crypto/x509/pkix
Name now implements a String method that formats the X.509 distinguished name in the standard RFC 2253 format.

We should switch to using this and make sure the results still look sane.

Mis-parsing OCSP status

The Golang OCSP lib uses ResponseError in constructed responses and the OCSP status parsing we're doing is assuming those codes (.TryLater etc) instead of the in-response status values (.Revoked etc).

DNS resolver iteration is always using all resolvers

While the issue in #4 was accurate, it shouldn't have been seen because the DNS resolver shouldn't have been used. So a real issue was reported, but it is a bug that it was found to be reported.

Adding a debug to the resolver iteration inner loop, just before the exchange, shows we hit all the resolvers. This should not be.

Fails with `not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/A query`

$ git log --oneline --no-decorate -1
1632cba CI: adjust for GHActions deprecations [tread-water]
$ go build
$ ./smtpdane mx3.molgen.mpg.de
error securely resolving "mx3.molgen.mpg.de"
    not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/AAAA query
    not AD set for results from 141.14.16.1:53 for "mx3.molgen.mpg.de."/A query
    no results found

./smtpdane: encountered 1 errors

$ more /etc/resolv.conf
search molgen.mpg.de
nameserver 127.0.0.1
nameserver 141.14.16.1
$ dig mx3.molgen.mpg.de

; <<>> DiG 9.9.6-P1 <<>> mx3.molgen.mpg.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47299
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mx3.molgen.mpg.de.         IN      A

;; ANSWER SECTION:
mx3.molgen.mpg.de.  7129    IN      A       141.14.17.11

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 13 05:45:40 CEST 2023
;; MSG SIZE  rcvd: 62

$ unbound -V
Version 1.13.1

Configure line: --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --sysconfdir=/etc --sharedstatedir=/var --localstatedir=/var --libdir=/usr/lib --includedir=/usr/include --datarootdir=/usr/share --datadir=/usr/share --infodir=/usr/share/info --localedir=/usr/share/locale --mandir=/usr/share/man --docdir=/usr/share/doc/unbound --exec-prefix=/usr --disable-static --enable-systemd --with-pidfile=/run/unbound.pid --with-rootkey-file=/var/lib/unbound/root.key
Linked libs: mini-event internal (it uses select), OpenSSL 1.1.1t  7 Feb 2023
Linked modules: dns64 respip validator iterator

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues
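The "DNS resolver iteration is always using all resolvers" issue above and this AD failure come down to the same two questions: which resolver actually gets asked, and whether its reply carries the AD bit. The following is an added example, not smtpdane's own code: a stand-in resolver loop in Go that reads the AD flag straight from the 12-byte DNS header and stops at the first resolver that answers, so a validating local unbound is the only resolver ever contacted. `Resolver`, `adBitSet`, `resolveSecure` and the constructed `fakeReply` header are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Resolver is a hypothetical stand-in for one resolv.conf entry (not smtpdane's own code).
type Resolver struct {
	Addr     string
	Exchange func(name, qtype string) ([]byte, error)
}

// adBitSet: AD is bit 5 of header byte 3 (RA, Z, AD, CD, RCODE), RFC 4035 s3.2.3.
func adBitSet(msg []byte) bool { return len(msg) >= 12 && msg[3]&0x20 != 0 }

// resolveSecure tries resolvers in order and returns the first validated reply
// plus the addresses actually contacted. Only a transport error moves on to the
// next resolver; a reply without AD is an error and the rest are skipped.
func resolveSecure(name, qtype string, rs []Resolver) ([]byte, []string, error) {
	var tried []string
	for _, r := range rs {
		tried = append(tried, r.Addr)
		msg, err := r.Exchange(name, qtype)
		if err != nil {
			continue // unreachable resolver: fall through to the next one
		}
		if !adBitSet(msg) {
			return nil, tried, fmt.Errorf("not AD set for results from %s for %q/%s query, skipping any remaining resolvers", r.Addr, name, qtype)
		}
		return msg, tried, nil
	}
	return nil, tried, errors.New("no results found")
}

// fakeReply is a constructed 12-byte header: id, flags "qr rd" / "ra [ad]", counts.
func fakeReply(ad bool) []byte {
	b := []byte{0xb8, 0xc3, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 1}
	if ad {
		b[3] |= 0x20
	}
	return b
}
func main() {
	static := func(ad bool) func(string, string) ([]byte, error) {
		return func(string, string) ([]byte, error) { return fakeReply(ad), nil }
	}
	rs := []Resolver{{"127.0.0.1:53", static(true)}, {"141.14.16.1:53", static(false)}}
	_, tried, err := resolveSecure("mx3.molgen.mpg.de.", "A", rs)
	fmt.Println(tried, err) // [127.0.0.1:53] <nil>: the second resolver is never contacted
}
```

The dig output above shows 127.0.0.1 answering with "ad" set, so with this iteration order the error naming 141.14.16.1 could only appear if the local resolver was unreachable or skipped.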

Use an alternative DNS server

Hi,

It would be awesome to be able to use a defined DNS name server.

Because for my specific uses my servers can query smtp.domain.tld internally and it returns an internal IP.
But from the outside world it gives the public IP.

Either allow insecure DNS results, but that's a bit sad:

error securely resolving "mx1.mails.domain.tld"
	not AD set for results from 10.10.18.1:53 for "mx1.mails.domain.tld."/AAAA query, skipping any remaining resolvers
	not AD set for results from 10.10.18.1:53 for "mx1.mails.domain.tld."/A query, skipping any remaining resolvers
	no results found

Or support using another resolver. That could allow the user to do checks with different resolvers to monitor if results do not differ.

PS: this project is awesome, and having .deb releases is great!

MX domain is added to list of hostnames

Hi!
If I call smtpdane with the -mx option it seems to add the domain itself to the list of hostnames to check as well.

For example:

# ./smtpdane -mx univie.ac.at
found 4 MX records for "univie.ac.at" across 1 preference levels
  "univie.ac.at" MX preference 10: [zidmx4.univie.ac.at. zidmx3.univie.ac.at. zidmx2.univie.ac.at. zidmx1.univie.ac.at.]
found 2 secure addresses for "zidmx1.univie.ac.at.": [2001:62a:4:25::25:100 131.130.3.100]
found 2 TLSA records for "_25._tcp.zidmx1.univie.ac.at."
  3 1 1 c0578936f55c1800aa6ac8f74116da06c0f8910f8081732cae8f0967ef320425
  2 1 1 f3ae75c0490c907e5fb6268ba79ee8aa6c772874c5cc3829ed97895d1d13a01b
[zidmx1.univie.ac.at. 131.130.3.100] issuing STARTTLS [port 25]
[zidmx1.univie.ac.at. 131.130.3.100] TLSA DANE-EE(3) match: 3 1 1 ...ae8f0967ef320425
[zidmx1.univie.ac.at. 131.130.3.100] 1 chains to TA; first length 2, is: ["zidmx1.univie.ac.at" "TERENA SSL CA 3"]
[zidmx1.univie.ac.at. 131.130.3.100] no valid TA chains for hostname "univie.ac.at"
[zidmx1.univie.ac.at. 131.130.3.100] TLSA DANE-TA(2) match against chain position 2: 2 1 1 ...ed97895d1d13a01b
....

This results in

...no valid TA chains for hostname "univie.ac.at"

messages. Should "univie.ac.at" be tested in this setting? IMO no, or am I missing something?
The same happens with "-submission(s)" and "-srv".

Incompatible or non friendly behavior of -srv and friends

$ smtpdane -show-cert-info -srv -submissions wdes.fr
error resolving SRV "_-submissions._tcp.wdes.fr":
	no results found

The generated record makes no sense; I was thinking that submissions and friends would be a subcategory,
but it turns out that I need to remove -srv to use -submissions or it will create a very wrong record.

I ended up in this because I first tried -srv and then realised it needed one more, so I just added -submissions and a 🐛 was born.

Other than that, thank you so much for considering SRV!

Using non-TLS-on-connect against TLS-on-connect port should error cleanly, or handle

At present, using smtpdane -srv submission $DOMAIN without also specifying -tls-on-connect will result in a hang.
(The -submissions shortcut implicitly sets the -tls-on-connect flag.)

We should handle this more gracefully. Hanging forever is not acceptable.

It is acceptable to spot the TLS-on-connect and issue a warning and continue.

It is acceptable to spot the TLS-on-connect and error.

It is acceptable to just have a timeout over the whole handshake and abort when that is exceeded.

At present, we do have the -connect-timeout flag, but that doesn't apply once the connection has been established.

Spotted while investigating #7
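The hang described in this issue has a simple mechanism: a TLS-on-connect listener waits for a ClientHello and never sends an SMTP greeting, so a plaintext client waiting for the 220 banner blocks forever. The following is an added example in Go, not smtpdane's code, of the third option listed above: a deadline that covers the banner read and turns the silent peer into a clean error. `readBanner`, `ErrNoBanner` and the in-memory `bannerFromFakeServer` peer are assumptions made for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)
// ErrNoBanner: the peer sent nothing before the deadline, which is exactly what a
// TLS-on-connect port does to a plaintext client (it is waiting for a ClientHello).
var ErrNoBanner = errors.New("no SMTP banner before deadline; is this a TLS-on-connect port?")

// readBanner reads the 220 greeting under a deadline, so a silent peer errors instead of hanging.
func readBanner(conn net.Conn, timeout time.Duration) (string, error) {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return "", err
	}
	defer conn.SetDeadline(time.Time{}) // clear so later STARTTLS traffic is not cut short
	line, err := bufio.NewReader(conn).ReadString('\n')
	if errors.Is(err, os.ErrDeadlineExceeded) {
		return "", ErrNoBanner
	} else if err != nil {
		return "", err
	}
	line = strings.TrimRight(line, "\r\n")
	if !strings.HasPrefix(line, "220") {
		return "", fmt.Errorf("unexpected greeting %q", line)
	}
	return line, nil
}
// bannerFromFakeServer runs readBanner against an in-memory peer that greets or stays silent.
func bannerFromFakeServer(greeting string, timeout time.Duration) (string, error) {
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	if greeting != "" {
		go server.Write([]byte(greeting)) // constructed greeting, delivered asynchronously
	}
	return readBanner(client, timeout)
}

func main() {
	_, err := bannerFromFakeServer("", 200*time.Millisecond)
	fmt.Println("silent peer:", err)
	b, _ := bannerFromFakeServer("220 mx.example.test ESMTP ready\r\n", time.Second)
	fmt.Println("greeting:", b)
}
```

The same deadline can be extended across the STARTTLS command and TLS handshake, which is the gap the existing -connect-timeout flag leaves open once the TCP connection is up.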

Add an option to disable TLSA check?

I would like to check SRV records, but in my domain scheme SRV records have different names than MX records.
And the SRV records have no TLSA records. It would be nice to be able to disable TLSA checks, for example.

I have TLSA set up only for MX records:

  • mx1.provider.tld
  • mx2.provider.tld

But SRV have values like:

  • imap.provider.tld
  • smtp.
  • pop3.

Test command: smtpdane -show-cert-info -submissions wdes.fr

One last thing, I was thinking -nocertnames would shut it up and check TLSA post connect, but it looks like that's not true 🤔
