imporing the rest of shot1 incl enforce check
checkmx.bash (diff) checksmtp.bash (diff) checksmtp.exp (diff) checkssl.bash (diff)| @@ -0,0 +1,91 @@ | ||
| 1 | +#!/bin/bash | |
| 2 | +set -e | |
| 3 | + | |
| 4 | +debug=1 | |
| 5 | + | |
| 6 | +ehlo=pro5s2.nethence.com | |
| 7 | +#ehlo=`curl -s ip.nethence.com | sed -n 1p | awk '{print $NF}' | sed 's/\.$//'` | |
| 8 | +echo using $ehlo as EHLO | |
| 9 | + | |
| 10 | +sep="sed ':a;s/\B[0-9]\{3\}\>/,&/;ta'" | |
| 11 | + | |
| 12 | +function checkmx { | |
| 13 | + #so far we only take first MX without attemping to query DANE for backup ones | |
| 14 | + primary=`host -4 -t MX $domain | sort --numeric-sort | head -1 | awk '{print $NF}'` | |
| 15 | + primary=${primary%\.} | |
| 16 | + | |
| 17 | + #has no MX record | |
| 18 | + if [[ $primary = record ]]; then | |
| 19 | + (( debug == 1 )) && echo -e $domain\\tnomx | |
| 20 | + elif [[ $primary = "3(NXDOMAIN)" ]]; then | |
| 21 | + (( debug == 1 )) && echo -e $domain\\tnxdomain | |
| 22 | + elif [[ $primary = "2(SERVFAIL)" ]]; then | |
| 23 | + (( debug == 1 )) && echo -e $domain\\tservfail | |
| 24 | + #;; connection timed out; no servers could be reached | |
| 25 | + elif [[ $primary = "reached" ]]; then | |
| 26 | + (( debug == 1 )) && echo -e $domain\\ttimeout | |
| 27 | + elif [[ $domain = $primary ]]; then | |
| 28 | + echo -e $domain\\tmx $primary equals-mx | |
| 29 | + else | |
| 30 | + ip=`host $domain | awk '{print $NF}'` | |
| 31 | + primaryip=`host $primary | awk '{print $NF}'` | |
| 32 | + if [[ $ip = $primaryip ]]; then | |
| 33 | + echo -e $domain\\tmx $primary but-same-ip | |
| 34 | + else | |
| 35 | + echo -e $domain\\tmx $primary | |
| 36 | + fi | |
| 37 | + unset ip primaryip | |
| 38 | + fi | |
| 39 | + unset primary | |
| 40 | +} | |
| 41 | + | |
| 42 | +function parselist { | |
| 43 | + [[ -z $1 ]] && echo error function $0 requires file argument && exit 1 | |
| 44 | + [[ ! -r $1 ]] && echo error function $0 cannot read file $1 && exit 1 | |
| 45 | + | |
| 46 | + echo writing to $1.mx ... | |
| 47 | + for domain in `cat $1`; do | |
| 48 | + checkmx | |
| 49 | + done > $1.mx && echo wrote to $1.mx; unset domain | |
| 50 | +} | |
| 51 | + | |
| 52 | +echo -n entering domains/mx/ ... | |
| 53 | +mkdir -p domains/mx/ | |
| 54 | +cd domains/mx/ && echo done | |
| 55 | + | |
| 56 | +echo -n splitting ptr.unique.nomadness.unique into 22 files... | |
| 57 | +split -a2 -d -nl/22 ../domains.unique domains.unique && echo done | |
| 58 | + | |
| 59 | +#TODO also check PTR FQDNs ptr.unique.nomadness[0-9][0-9] | |
| 60 | +#for input in ptr.unique.nomadness06.domains; do | |
| 61 | +#for input in domains.unique[0-9][0-9]; do | |
| 62 | +for input in domains.unique.moar; do | |
| 63 | + parselist $input & | |
| 64 | +done; unset input | |
| 65 | +jobs | |
| 66 | +cat <<EOF | |
| 67 | + | |
| 68 | +watch with | |
| 69 | + | |
| 70 | + ps auxfww | grep checkmx | |
| 71 | + tail -F domains/mx/*.mx | |
| 72 | + watch ls -lF domains/mx/*.mx | |
| 73 | + | |
| 74 | +EOF | |
| 75 | +time wait | |
| 76 | + | |
| 77 | +echo -n merging defined MX from \*.mx into mx ... | |
| 78 | +cut -f2 *.mx | grep -E '^mx ' | awk '{print $2}' > mx && echo done | |
| 79 | +wc -l mx | eval $sep | |
| 80 | + | |
| 81 | +#used fix on first shot (we did not use 'mx ' for equals and sameip) | |
| 82 | +#grep --no-filename equals-mx$ *.mx | awk '{print $1}' > mx.equals-mx | |
| 83 | +#grep --no-filename but-same-ip$ *.mx | awk '{print $2}' > mx.but-same-ip | |
| 84 | +#cat mx.equals-mx mx.but-same-ip >> mx | |
| 85 | + | |
| 86 | +echo -n unique into mx.unique ... | |
| 87 | +sort --version-sort -u mx > mx.unique && echo done | |
| 88 | +wc -l mx.unique | eval $sep | |
| 89 | + | |
| 90 | +#TODO 2/3rd-level vs all | |
| 91 | + |
| @@ -0,0 +1,33 @@ | ||
| 1 | +#!/bin/bash | |
| 2 | + | |
| 3 | +[[ ! -x `which expect` ]] && echo install expect first && exit 1 | |
| 4 | + | |
| 5 | +#echo -n entering domains/mx/dane/ ... | |
| 6 | +#mkdir -p domains/mx/dane/ | |
| 7 | +#cd domains/mx/dane/ | |
| 8 | + | |
| 9 | +#echo -n splitting mx.unique into 50 pieces... | |
| 10 | +#split -a2 -d -nl/50 ../mx.unique mx.unique && echo done | |
| 11 | + | |
| 12 | +echo -n starting 50 processes to process those... | |
| 13 | +#for piece in mx.unique49; do | |
| 14 | +for piece in mx.unique[0-9][0-9]; do | |
| 15 | + echo writing to $piece.starttls | |
| 16 | + for mx in `cat $piece`; do | |
| 17 | + timeout --preserve-status --kill-after=5s 1m $HOME/masspie/checksmtp.exp $mx | |
| 18 | + done > $piece.starttls 2> $piece.starttls.enforce & | |
| 19 | + unset mx | |
| 20 | +done && echo done; unset piece | |
| 21 | + | |
| 22 | +cat <<EOF | |
| 23 | + | |
| 24 | +watch live with | |
| 25 | + | |
| 26 | + ps auxfww | grep checksmtp | grep -v grep | |
| 27 | + tail -F mx.unique00.starttls | |
| 28 | + tail -F mx.unique00.starttls.enforce | |
| 29 | + | |
| 30 | +EOF | |
| 31 | + | |
| 32 | +time wait | |
| 33 | + |
| @@ -0,0 +1,68 @@ | ||
| 1 | +#!/bin/bash | |
| 2 | +set -e | |
| 3 | + | |
| 4 | +debug=0 | |
| 5 | + | |
| 6 | +[[ ! -f $HOME/masspie/cacert.pem ]] && echo $HOME/masspie/cacert.pem is required && exit 1 | |
| 7 | + | |
| 8 | +ehlo=pro5s2.nethence.com | |
| 9 | +#ehlo=`curl -s ip.nethence.com | sed -n 1p | awk '{print $NF}' | sed 's/\.$//'` | |
| 10 | +echo using $ehlo as EHLO | |
| 11 | + | |
| 12 | +function checkssl { | |
| 13 | + [[ -z $mx ]] && echo function $0 requires \$mx && exit 1 | |
| 14 | + | |
| 15 | + #we only need the last result with 'Verify', as it repeats in parenthesis what 'Verification' said above | |
| 16 | + if raw=`echo Q | timeout --preserve-status -k 5s 10s /usr/local/bin/openssl s_client -4 -showcerts -verify 5 -CAfile $HOME/masspie/cacert.pem -starttls smtp -name $ehlo -servername $mx -connect $mx:25 -crlf 2>/dev/null`; then | |
| 17 | + issuer=`echo "$raw" | grep -E '^issuer='` | |
| 18 | + cipher=`echo "$raw" | grep -E 'Cipher is|^Server public key is'` | |
| 19 | + | |
| 20 | + [[ -n $issuer ]] && echo -e $mx\\t$issuer >> $piece.ssl.issuer | |
| 21 | + [[ -n $cipher ]] && echo -e $mx\\t$cipher >> $piece.ssl.cipher | |
| 22 | + | |
| 23 | + unset issuer cipher | |
| 24 | + fi | |
| 25 | + result=`echo "$raw" | grep -E 'Cipher is|Verify return code'` | |
| 26 | + echo -e $mx\\t$result | |
| 27 | + | |
| 28 | + #-CApath /etc/ssl/certs | |
| 29 | + #-brief | |
| 30 | + #-verify_return_error | |
| 31 | + | |
| 32 | + unset raw result | |
| 33 | +} | |
| 34 | + | |
| 35 | +function processpiece { | |
| 36 | + rm -f $piece.ssl.issuer $piece.ssl.cipher | |
| 37 | + for mx in `cat $piece`; do | |
| 38 | + checkssl | |
| 39 | + done > $piece.ssl && echo $piece done || echo $piece FAIL; unset mx | |
| 40 | +} | |
| 41 | + | |
| 42 | +#echo -n entering domains/mx/dane/ ... | |
| 43 | +#mkdir -p domains/mx/dane/ | |
| 44 | +#cd domains/mx/dane/ | |
| 45 | + | |
| 46 | +#echo -n splitting mx.unique into 50 pieces... | |
| 47 | +#split -a2 -d -nl/50 ../mx.unique mx.unique && echo done | |
| 48 | + | |
| 49 | +#real 392m40.484s | |
| 50 | +#user 195m10.038s | |
| 51 | +#sys 33m7.304s | |
| 52 | +echo -n starting 50 processes to process those... | |
| 53 | +#for piece in mx.unique48; do | |
| 54 | +echo writing to mx.uniqueXX.ssl mx.uniqueXX.ssl.issuer mx.uniqueXX.ssl.cipher | |
| 55 | +for piece in mx.unique[0-9][0-9]; do | |
| 56 | + processpiece & | |
| 57 | +done && echo all pieces processing done || echo all pieces processing FAIL; unset piece | |
| 58 | +cat <<EOF | |
| 59 | + | |
| 60 | +watch live with | |
| 61 | + | |
| 62 | + ps auxfww | grep checkssl | grep -v grep | |
| 63 | + cd mass/splitted/domains/mx/dane/ | |
| 64 | + tail -F *.ssl | |
| 65 | + | |
| 66 | +EOF | |
| 67 | +time wait | |
| 68 | + |
