Bug#1008676: RFP: danecheck -- DANE SMTP checker
Hi Joe,

On Wed, Mar 30, 2022 at 09:56:13AM -0400, Joe Nahmias wrote:
> I'm a DD, but entirely unfamiliar with Haskell, let alone how it's packaged
> within Debian. Do you think that between the two of us we can make this work?

Yeah that would work :)

I did a quick review of danecheck's dependencies to see how much packaging
work we're in for and things don't actually look too bad. The only thing
that's missing is conduit-combinators and the haskell package package plan
seems to suggest that got deprecated by 'combinators' itself and indeed,
just removing the dependency, it builds just fine.

I don't have time to do the full debianization right now; I'll try to get
around to it some time next weekend. Feel free to ping if you don't hear
back ;)

--Daniel
Bug#1008676: RFP: danecheck -- DANE SMTP checker
Quoting Joseph Nahmias (2022-03-30 15:02:56)
> Package: wnpp
> Severity: wishlist
> X-Debbugs-Cc: j...@nahmias.net, postfix-us...@dukhovni.org,
>  debian-hask...@lists.debian.org
>
> * Package name    : danecheck
>   Version         : 1.1.0
>   Upstream Author : Viktor Dukhovni
> * URL             : https://github.com/vdukhovni/danecheck
> * License         : BSD
>   Programming Lang: Haskell
>   Description     : DANE SMTP checker
>
> This is a tool to check DANE TLSA security for SMTP.
>
> Features:
> * Test the local resolver configuration by verifying the validity of the
>   root zone DNSKEY and SOA RRSets.
> * Test whether DNSSEC is enabled for a given TLD.
> * Check whether an email domain is fully protected (across all of its MX
>   hosts) by DANE TLSA records, and whether these match the actual
>   certificate chains seen at each IP address of each MX host.
> * Perform certificate chain verification at a time offset from the current
>   time to ensure that certificates are not about to expire too soon.
>
> A non-zero exit status is returned if any DNS lookups fail or if the MX
> records or MX hosts are in an unsigned zone, or if for one of the MX hosts
> no associated secure TLSA records are found. A non-zero exit status is also
> returned if any of the SMTP connections fail to establish a TLS connection
> or yield a certificate chain that does not match the TLSA records.
>
> Packaging note:
>
> I do not know haskell, so wouldn't really be a good maintainer, thus
> submitting this as an RFP.

This tool looks interesting.

Until available, a related yet simpler tool is danetool, part of Debian
package gnutls-bin.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#1008676: RFP: danecheck -- DANE SMTP checker
Hi Daniel,

I'm a DD, but entirely unfamiliar with Haskell, let alone how it's packaged
within Debian. Do you think that between the two of us we can make this work?

--Joe

On Wed, Mar 30, 2022 at 03:32:04PM +0200, Daniel Gröber wrote:
> Hi Joseph,
>
> this package sounds useful. I know Haskell and Debian packaging aspects
> since I used to maintain ghc-mod in Debian (it's been a couple of releases
> though :). I would be happy to co-maintain this but unless you already have
> a sponsor in mind we'd still have to find one as I'm not a DD.
>
> --Daniel
>
> On Wed, Mar 30, 2022 at 09:02:56AM -0400, Joseph Nahmias wrote:
> > Package: wnpp
> > Severity: wishlist
> > X-Debbugs-Cc: j...@nahmias.net, postfix-us...@dukhovni.org,
> >  debian-hask...@lists.debian.org
> >
> > * Package name    : danecheck
> >   Version         : 1.1.0
> >   Upstream Author : Viktor Dukhovni
> > * URL             : https://github.com/vdukhovni/danecheck
> > * License         : BSD
> >   Programming Lang: Haskell
> >   Description     : DANE SMTP checker
> >
> > This is a tool to check DANE TLSA security for SMTP.
> >
> > Features:
> > * Test the local resolver configuration by verifying the validity of the
> >   root zone DNSKEY and SOA RRSets.
> > * Test whether DNSSEC is enabled for a given TLD.
> > * Check whether an email domain is fully protected (across all of its MX
> >   hosts) by DANE TLSA records, and whether these match the actual
> >   certificate chains seen at each IP address of each MX host.
> > * Perform certificate chain verification at a time offset from the current
> >   time to ensure that certificates are not about to expire too soon.
> >
> > A non-zero exit status is returned if any DNS lookups fail or if the MX
> > records or MX hosts are in an unsigned zone, or if for one of the MX hosts
> > no associated secure TLSA records are found. A non-zero exit status is also
> > returned if any of the SMTP connections fail to establish a TLS connection
> > or yield a certificate chain that does not match the TLSA records.
> >
> > Packaging note:
> >
> > I do not know haskell, so wouldn't really be a good maintainer, thus
> > submitting this as an RFP.
Bug#1008676: RFP: danecheck -- DANE SMTP checker
Hi Joseph,

this package sounds useful. I know Haskell and Debian packaging aspects
since I used to maintain ghc-mod in Debian (it's been a couple of releases
though :). I would be happy to co-maintain this but unless you already have
a sponsor in mind we'd still have to find one as I'm not a DD.

--Daniel

On Wed, Mar 30, 2022 at 09:02:56AM -0400, Joseph Nahmias wrote:
> Package: wnpp
> Severity: wishlist
> X-Debbugs-Cc: j...@nahmias.net, postfix-us...@dukhovni.org,
>  debian-hask...@lists.debian.org
>
> * Package name    : danecheck
>   Version         : 1.1.0
>   Upstream Author : Viktor Dukhovni
> * URL             : https://github.com/vdukhovni/danecheck
> * License         : BSD
>   Programming Lang: Haskell
>   Description     : DANE SMTP checker
>
> This is a tool to check DANE TLSA security for SMTP.
>
> Features:
> * Test the local resolver configuration by verifying the validity of the
>   root zone DNSKEY and SOA RRSets.
> * Test whether DNSSEC is enabled for a given TLD.
> * Check whether an email domain is fully protected (across all of its MX
>   hosts) by DANE TLSA records, and whether these match the actual
>   certificate chains seen at each IP address of each MX host.
> * Perform certificate chain verification at a time offset from the current
>   time to ensure that certificates are not about to expire too soon.
>
> A non-zero exit status is returned if any DNS lookups fail or if the MX
> records or MX hosts are in an unsigned zone, or if for one of the MX hosts
> no associated secure TLSA records are found. A non-zero exit status is also
> returned if any of the SMTP connections fail to establish a TLS connection
> or yield a certificate chain that does not match the TLSA records.
>
> Packaging note:
>
> I do not know haskell, so wouldn't really be a good maintainer, thus
> submitting this as an RFP.
Bug#1008676: RFP: danecheck -- DANE SMTP checker
Package: wnpp
Severity: wishlist
X-Debbugs-Cc: j...@nahmias.net, postfix-us...@dukhovni.org, debian-hask...@lists.debian.org

* Package name    : danecheck
  Version         : 1.1.0
  Upstream Author : Viktor Dukhovni
* URL             : https://github.com/vdukhovni/danecheck
* License         : BSD
  Programming Lang: Haskell
  Description     : DANE SMTP checker

This is a tool to check DANE TLSA security for SMTP.

Features:
* Test the local resolver configuration by verifying the validity of the
  root zone DNSKEY and SOA RRSets.
* Test whether DNSSEC is enabled for a given TLD.
* Check whether an email domain is fully protected (across all of its MX
  hosts) by DANE TLSA records, and whether these match the actual
  certificate chains seen at each IP address of each MX host.
* Perform certificate chain verification at a time offset from the current
  time to ensure that certificates are not about to expire too soon.

A non-zero exit status is returned if any DNS lookups fail or if the MX
records or MX hosts are in an unsigned zone, or if for one of the MX hosts no
associated secure TLSA records are found. A non-zero exit status is also
returned if any of the SMTP connections fail to establish a TLS connection or
yield a certificate chain that does not match the TLSA records.

Packaging note:

I do not know haskell, so wouldn't really be a good maintainer, thus
submitting this as an RFP.
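
The checks listed in the package description above, sketched as an added example (not part of this thread and not danecheck's own code): TLSA records are matched against the chain seen at each address, and the per-host results are folded into an exit status. The Tlsa and Cert types, the function names, the host names and the sample bytes are assumptions made for illustration; DNS lookups, SMTP and certificate parsing are left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tlsa:
    usage: int     # 2 = DANE-TA (issuer in chain), 3 = DANE-EE (leaf)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

@dataclass(frozen=True)
class Cert:        # constructed stand-in: real code would parse the DER
    der: bytes
    spki: bytes

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def association(cert, rr):
    """Bytes of `cert` that a TLSA record's data field is compared against."""
    blob = {0: cert.der, 1: cert.spki}.get(rr.selector)
    if blob is None or rr.mtype == 0:
        return blob
    digest = DIGESTS.get(rr.mtype)
    return digest(blob).digest() if digest else None

def chain_matches(chain, rrset):
    """chain[0] is the leaf. Simplification: DANE-EE is tried on the leaf only,
    DANE-TA on the issuers; PKIX usages 0/1 are skipped as unusable for SMTP."""
    for rr in rrset:
        candidates = chain[:1] if rr.usage == 3 else chain[1:] if rr.usage == 2 else []
        if any(association(c, rr) == rr.data for c in candidates):
            return True
    return False

def exit_status(mx_zone_secure, mx_hosts):
    """mx_hosts: {host: (host_zone_secure, tlsa_rrset, {ip: chain or None})};
    a chain of None means the TLS handshake failed at that address."""
    if not mx_zone_secure:
        return 1
    for secure, rrset, chains in mx_hosts.values():
        if not secure or not rrset:
            return 1
        if any(ch is None or not chain_matches(ch, rrset) for ch in chains.values()):
            return 1
    return 0

# Constructed sample data (placeholder bytes, not real certificates).
LEAF = Cert(b"leaf-cert-der", b"leaf-spki-der")
ROTATED = Cert(b"new-leaf-der", b"new-leaf-spki")
CA = Cert(b"ca-cert-der", b"ca-spki-der")
EE_RR = Tlsa(3, 1, 1, hashlib.sha256(LEAF.spki).digest())
TA_RR = Tlsa(2, 0, 2, hashlib.sha512(CA.der).digest())
```

A host whose leaf key was rotated without updating its "3 1 1" record fails at that address even when the other addresses still pass, which is why the result is computed per IP rather than per MX host.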