On Wed, Aug 16, 2023 at 07:48:30PM -0400, Viktor Dukhovni wrote:
> Problem found via:
>
> danesmtp ()
> {
>     local host=$1;
>     shift;
>     local opts=(-starttls smtp -connect "$host:25" -verify 9
>                 -verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain "$host");
>     set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | egrep -i '^[23] [01] [012] [0-9a-f]+$');
>     while [ $# -ge 4 ]; do
>         opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4");
>         shift 4;
>     done;
>     ( sleep 1;
>       printf "QUIT\r\n" ) | openssl s_client -tls1_2 -cipher 'aRSA:aECDSA' "${opts[@]}"
> }
New/improved "danesmtp" shell (bash) function. The updated version can
take an optional explicit IP address to connect to, so you can test each
of the IP addresses of a host in turn:
danesmtp () {
    local OPTIND=1 opt
    local -a rrs sslopts
    local rr i=0 host addr
    while getopts a: opt; do
        case $opt in
        a)  addr=$OPTARG
            case $addr in *:*) addr="[$addr]";; esac;;
        *)  printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
            return 1;;
        esac
    done
    shift $((OPTIND - 1))
    host=$1
    shift
    if [[ -z "$addr" ]]; then
        addr="$host"
    fi
    sslopts=(-starttls smtp -connect "$addr:25"
             -verify 9 -verify_return_error
             -dane_ee_no_namechecks -dane_tlsa_domain "$host")
    rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
            grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
    while (( i < ${#rrs[@]} - 3 )); do
        rr=${rrs[@]:$i:4}
        i=$((i+4))
        sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
    done
    ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief \
        "${sslopts[@]}" "$@"
}
--
Viktor.
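Added example, not Viktor's code: it goes one step past danesmtp's grep filter by checking each TLSA record's hex payload length against its matching type before turning it into a -dane_tlsa_rrdata argument, so a truncated or mistyped record is reported instead of being handed to s_client. The dig output, the digests and the function names are constructed here so it runs offline.

```shell
# Added example, not Viktor's code: validate the "dig +short +nosplit -t tlsa"
# lines that danesmtp feeds to s_client, checking each payload's hex length
# against its matching type, and emit "-dane_tlsa_rrdata" args for good ones.

# Constructed sample dig output: a DANE-EE(3) SPKI(1) SHA-256(1) record, a
# DANE-TA(2) Cert(0) SHA-512(2) record, a PKIX-TA(0) record that SMTP DANE
# ignores, and a DANE-EE record whose SHA-256 digest is truncated.
SHA256_HEX=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SHA512_HEX=$(printf '%0128d' 0)
SAMPLE_DIG_OUTPUT="3 1 1 $SHA256_HEX
2 0 2 $SHA512_HEX
0 0 1 $SHA256_HEX
3 1 1 deadbeef"

# Returns 0 when a TLSA RR is one that DANE for SMTP (RFC 7672) acts on and
# its payload length is consistent with its matching type; 1 otherwise.
tlsa_rr_ok() {
    local usage="$1" selector="$2" mtype="$3" data="$4"
    case $usage in 2|3) ;; *) return 1;; esac     # PKIX-TA/PKIX-EE unused
    case $selector in 0|1) ;; *) return 1;; esac  # Cert(0) or SPKI(1)
    case $data in ''|*[!0-9a-fA-F]*) return 1;; esac
    case $mtype in
        0) [ $(( ${#data} % 2 )) -eq 0 ] ;;       # Full: even-length DER hex
        1) [ "${#data}" -eq 64 ] ;;               # SHA-256: 32 bytes
        2) [ "${#data}" -eq 128 ] ;;              # SHA-512: 64 bytes
        *) return 1 ;;
    esac
}

# Reads dig +short lines on stdin; prints "-dane_tlsa_rrdata" and the RR as
# two lines per usable record (collect them into an s_client argument
# array). Records that fail the check are reported on stderr and dropped.
tlsa_rrdata_args() {
    local usage selector mtype data
    while read -r usage selector mtype data; do
        [ -n "$usage" ] || continue
        if tlsa_rr_ok "$usage" "$selector" "$mtype" "$data"; then
            printf '%s\n' -dane_tlsa_rrdata "$usage $selector $mtype $data"
        else
            printf 'skipping TLSA RR: %s %s %s %s\n' \
                "$usage" "$selector" "$mtype" "$data" >&2
        fi
    done
}

# Number of records from the sample that would be handed to s_client (2).
usable_count() {
    printf '%s\n' "$SAMPLE_DIG_OUTPUT" | tlsa_rrdata_args 2>/dev/null | grep -c -v '^-dane_tlsa_rrdata$'
}
```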