svn/view/checksan.bash

#!/bin/bash
#stage2.0 (legacy)

[[ -z $1 ]] && echo file in hosts format? && exit 1
hostsfile=$1

debug=0

ehlo=`curl -s ip.nethence.com | sed -n 1p | awk '{print $NF}' | sed 's/\.$//'`
echo using $ehlo as EHLO

echo writing to $hostsfile.nossl $hostsfile.nocert $hostsfile.validcn $hostsfile.wrongcn
(( debug == 1 )) && echo
rm -f $hostsfile.nossl $hostsfile.nocert $hostsfile.validcn $hostsfile.wrongcn
cat $hostsfile | while read line; do
        ip=`echo $line | awk '{print $1}'`
        mx=`echo $line | awk '{print $2}'`
        mx=${mx%\.}
        (( debug == 1 )) && echo -n $mx/

        if ! altstr=`echo Q | timeout 0.7 /usr/local/bin/openssl s_client -4 -starttls smtp -name $ehlo -servername $mx -connect $ip:25 -crlf 2>/dev/null`; then
                echo $mx >> $hostsfile.nossl && echo -n .
                continue
        fi
        (( debug == 1 )) && echo -n has ssl/

        #no need to check CN as SAN always contains it as first match
        if ! alt=`echo "$altstr" | /usr/local/bin/openssl x509 -noout -text 2>/dev/null | grep DNS: | sed -r 's/DNS://g; s/,//g'`; then
                echo $mx >> $hostsfile.nocert && echo -n /
                continue
        fi
        unset altstr
        (( debug == 1 )) && echo -n has cert and san/

        got=0
        for sni in $alt; do
                (( debug == 1 )) && echo -n testing sni $sni:
                #we are freaking lucky this condition deals with wildcards
                #e.g. here mxs.mail.ru = *.mail.ru does validate already
                if [[ $mx = $sni ]]; then
                        echo $mx >> $hostsfile.validcn
                        echo -n -
                        got=1
                        break
                fi
        done; unset sni
        (( got != 1 )) && echo $mx >> $hostsfile.wrongcn && echo -n _
        unset got

        (( debug == 1 )) && echo
        unset ip mx
done && echo done
