On Mon, Jul 17, 2023 at 10:11:08AM +0200, Niels Dettenbach via Exim-users wrote:
> helpful for pro-actively watching / monitoring different aspects of a
> DANE / TLSA setup per Nagios (as "compatible" monitoring systems):
>
> https://github.com/matteocorti/check_ssl_cert
>
> which is very flexible and (til now) well maintained.

Thanks for the tooling link.

If anyone is looking for something much simpler/smaller, I can offer up
the below bash function, whose exit status indicates success or failure
to find a matching DANE TLSA record:

    danesmtp () {
        local host=$1; shift
        # DANE-EE (usage 3) matching, no name checks; any verify error is fatal
        local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error -brief
                    -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Fetch the TLSA RRset, keeping only usage 2/3 records with sane fields
        set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                 grep -Ei '^[23] [01] [012] [0-9a-f]+$')
        # Each record is four tokens: usage selector mtype hex-data
        while [ $# -ge 4 ]; do
            opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4")
            shift 4
        done
        # Exit status is that of s_client: non-zero when no record matches
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client "${opts[@]}"
    }

Of course that leaves the task of integrating the above probe into a
monitoring process up to the reader.

-- 
    Viktor.
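The matching that `openssl s_client -dane_tlsa_rrdata` performs behind the probe above, shown offline as an added example (not code from the thread): records in the same "usage selector mtype hex" shape the function's grep accepts are parsed, and DANE-EE (usage 3) records are compared against the peer's certificate or SubjectPublicKeyInfo per RFC 6698. The DER byte strings are constructed stand-ins, not real certificates, and usage 2 (DANE-TA) records are parsed but not evaluated, since that needs the issuer chain.

```python
import hashlib
import re

# Same shape the mailing-list probe keeps: "<usage> <selector> <mtype> <hex>"
TLSA_RE = re.compile(r'^([23]) ([01]) ([012]) ([0-9a-fA-F]+)$')

def parse_tlsa_lines(lines):
    """Parse `dig +short +nosplit -t tlsa` style output; skip unusable records."""
    records = []
    for line in lines:
        m = TLSA_RE.match(line.strip())
        if m:
            records.append((int(m[1]), int(m[2]), int(m[3]), bytes.fromhex(m[4])))
    return records

def tlsa_matches(record, cert_der, spki_der):
    """RFC 6698 comparison of one record with the end-entity cert data."""
    usage, selector, mtype, data = record
    chosen = cert_der if selector == 0 else spki_der      # 0 = full cert, 1 = SPKI
    if mtype == 0:
        digest = chosen                                   # exact match
    elif mtype == 1:
        digest = hashlib.sha256(chosen).digest()
    else:
        digest = hashlib.sha512(chosen).digest()
    return data == digest

def dane_ee_ok(lines, cert_der, spki_der):
    """True if any usable DANE-EE record matches: what a monitoring check wants."""
    return any(tlsa_matches(r, cert_der, spki_der)
               for r in parse_tlsa_lines(lines) if r[0] == 3)

# Constructed stand-ins for DER bytes; real ones come from the TLS handshake.
SAMPLE_CERT = b"constructed-end-entity-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
ROTATED_SPKI = b"constructed-spki-after-an-unpublished-key-rotation"

def sample_zone():
    """Constructed records as dig would print them: one 3 1 1, one 2 0 1, one junk line."""
    return [
        "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest().upper(),
        "2 0 1 " + hashlib.sha256(b"constructed-ca-der").hexdigest(),
        "0 0 1 DEADBEEF",   # PKIX-TA(0): not usable for SMTP DANE, filtered out
    ]

if __name__ == "__main__":
    print("match:", dane_ee_ok(sample_zone(), SAMPLE_CERT, SAMPLE_SPKI))
    print("after unpublished rotation:", dane_ee_ok(sample_zone(), SAMPLE_CERT, ROTATED_SPKI))
```

The second call is the failure a monitor should alarm on: the key changed but the "3 1 1" record was not updated, so no record matches.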
