#!/bin/bash
set -e

# Set to 1 for extra per-host output (nxdomain / servfail lines).
debug=0

# Name announced in EHLO to the remote MX.
ehlo=pro5s2.nethence.com
#ehlo=`curl -s ip.nethence.com | sed -n 1p | awk '{print $NF}' | sed 's/\.$//'`
printf 'using %s as EHLO\n' "$ehlo"
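#######################################
# Look up the TLSA record for _25._tcp.<mx>, classify host's answer and, when
# the answer looks like a usable DANE record, verify it with openssl s_client.
# Globals:   mx (read)    - host name to check
#            piece (read) - prefix of the result files
#            ehlo (read)  - name sent in EHLO
#            debug (read) - 1 prints nxdomain/servfail lines too
# Outputs:   one classification line per host on stdout; details are appended
#            to $piece.dane.results or $piece.dane.weird
# Returns:   always 0, so a host that does not match never ends the caller's
#            loop under set -e
#######################################
checkdane() {
  local rrdataraw rrdata aliasline thatalias result line
  local -a dane_args=()

  # Grab all the lines host prints, not only the first one. host exits
  # non-zero for NXDOMAIN/SERVFAIL/timeouts, which are answers we classify
  # below, so that status must not trip set -e (set at the top of the file).
  rrdataraw=$(host -4 -t TLSA "_25._tcp.$mx" || true)

  # Single line output if it's an alias, e.g.
  # _25._tcp.lsmhosting.com is an alias for lsmhosting.com.
  # Some are truly doing TLSA on aliases, so re-query the alias target.
  # grep exits 1 when nothing matches; tolerate that under set -e.
  aliasline=$(grep ' is an alias for ' <<<"$rrdataraw" || true)
  if [[ -n "$aliasline" ]]; then
    thatalias=$(awk '{print $NF}' <<<"$aliasline")
    printf '%s\talias %s\t' "$mx" "$thatalias"
    rrdataraw=$(host -4 -t TLSA "$thatalias" || true)
  fi

  # Drop the first four words and keep only hex digits and whitespace. For a
  # real record this leaves "<usage> <selector> <matching> <hex>"; for host's
  # diagnostics it leaves short fixed tokens that the branches below match:
  #   "... not found: 3(NXDOMAIN)"  -> 3DA
  #   "... not found: 2(SERVFAIL)"  -> 2EFA
  #   "... has no TLSA record"      -> ecd
  #   ";; connection timed out; no servers could be reached"
  #                                 -> " ee cd be eaced"
  rrdata=$(cut -d' ' -f5- <<<"$rrdataraw" | tr -dc '[\n\r 0-9A-Fa-f]')

  if [[ "$rrdata" = 3DA ]]; then
    # Host _25._tcp.mxhost1.obacks.com not found: 3(NXDOMAIN)
    # most of the hosts will respond that
    if (( debug == 1 )); then
      printf '%s\tnxdomain\n' "$mx"
    fi
  elif [[ "$rrdata" = 2EFA ]]; then
    # Host _25._tcp.tamucc-edu.mail.protection.outlook.com not found: 2(SERVFAIL)
    if (( debug == 1 )); then
      printf '%s\tservfail\n' "$mx"
    fi
  elif [[ "$rrdata" = " ee cd be eaced" ]]; then
    # ;; connection timed out; no servers could be reached
    printf '%s\ttimeout\n' "$mx"
  elif [[ "$rrdata" = ecd ]]; then
    # _25._tcp.ip-104-238-92-85.ip.secureserver.net has no TLSA record
    printf '%s\tnotlsa\n' "$mx"
  elif (( $(head -1 <<<"$rrdata" | cut -f4 -d' ' | wc -c) == 57 )); then
    # 4th field is 56 hex chars plus the newline, i.e. a SHA-256 digest, so the
    # first line looks like a genuine TLSA record. Verify it with openssl.
    printf '%s\tTHIS-LOOKS-LIKE-DANE\n' "$mx"
    printf '%s\tTHIS-LOOKS-LIKE-DANE\n' "$mx" >> "$piece.dane.results"

    # One -dane_tlsa_rrdata per record line. The arguments are passed as array
    # elements rather than through eval, so neither $mx (from the input file)
    # nor the DNS answer is ever re-parsed by the shell.
    while IFS= read -r line; do
      [[ -n "$line" ]] || continue
      dane_args+=(-dane_tlsa_rrdata "$line")
    done <<<"$rrdata"

    # grep's exit status is ignored: no match just means an empty result.
    result=$(printf 'Q\n' | /usr/local/bin/openssl s_client -verify_depth 5 \
      -starttls smtp -name "$ehlo" -connect "$mx:25" \
      -crlf -dane_tlsa_domain "$mx" "${dane_args[@]}" -dane_ee_no_namechecks 2>/dev/null \
      | grep -E 'Verif|^DANE' || true)
    grep 'Verify return code' <<<"$result" >> "$piece.dane.results" || true
    printf '%s\n%s\n\n' "$result" "$rrdata" >> "$piece.dane.results"
  else
    printf '%s\tSOME-WEIRD-SHIT\n' "$mx"
    printf '%s\tSOME-WEIRD-SHIT\n' "$mx" >> "$piece.dane.weird"
    printf '%s\n' "$rrdata" >> "$piece.dane.weird"
  fi

  return 0
}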
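#######################################
# Run checkdane for every MX listed in $piece and collect the classification
# lines in $piece.dane.
# Globals:   piece (read) - input file, whitespace-separated host names
#            mx (written) - local here, visible to checkdane through bash's
#                           dynamic scoping
# Outputs:   a progress line on stdout; results in $piece.dane
#######################################
processpiece() {
  local -a words=()
  local mx

  printf 'writing to %s.dane\n' "$piece"

  # Read the list on fd 3 so nothing checkdane runs can consume it from stdin.
  # read -a keeps the original "one name per whitespace-separated word"
  # behaviour of `for mx in $(cat ...)` but without globbing the entries; the
  # `||` clause still processes a last line that has no trailing newline.
  while read -r -u 3 -a words || (( ${#words[@]} > 0 )); do
    for mx in "${words[@]}"; do
      checkdane
    done
  done 3< "$piece" > "$piece.dane"
}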
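#echo -n entering domains/mx/dane/ ...
#mkdir -p domains/mx/dane/
#cd domains/mx/dane/

#echo -n splitting mx.unique into 50 pieces...
#split -a2 -d -nl/50 ../mx.unique mx.unique && echo done

#real 206m52.516s
#user 81m7.876s
#sys 31m9.614s
printf 'starting 50 processes to process those...'
#for piece in test; do
for piece in mx.unique[0-9][0-9]; do
  # An unmatched glob expands to the pattern itself; do not start a worker on
  # a file that does not exist.
  [[ -e "$piece" ]] || continue
  processpiece &
done
echo done
unset piece

# grep -v exits 1 when it prints nothing; without the `|| true` that status
# would end the script here under set -e, before the wait below.
# NOTE(review): shell function names are not visible to ps, so this listing
# most likely only matches the script's own command line — confirm.
ps auxfww | grep checkdane | grep -v grep || true

cat <<'EOF'

watch live with

ps auxfww | grep checkdane | grep -v grep
cd mass/splitted/domains/mx/dane/
tail -F *.dane

EOF
time wait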