On Mon, Jul 17, 2023 at 10:11:08AM +0200, Niels Dettenbach via Exim-users wrote:
> helpful for pro-actively watching / monitoring different aspects of a
> DANE / TLSA setup per Nagios (as "compatible" monitoring systems):
> https://github.com/matteocorti/check_ssl_cert
>
> which is very flexible and (til now) well maintained.
Thanks for the tooling link. If anyone is looking for something much
simpler/smaller. I can offer up the below bash function, whose exit
status indicates success or failure to find a matching DANE TLSA record:
danesmtp ()
{
local host=$1;
shift;
local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error -brief -dane_ee_no_namechecks -dane_tlsa_domain "$host");
set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | grep -Ei '^[23] [01] [012] [0-9a-f]+$');
while [ $# -ge 4 ]; do
opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4");
shift 4;
done;
( sleep 1; printf "QUIT\r\n" ) | openssl s_client "${opts[@]}"
}
Of course that leaves the task of integrating the above probe into a
monitoring process up to the reader.
--
Viktor.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
