A PowerShell script that verifies TLSA records and emails the result - OS agnostic
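#A powershell script to verify tlsa records and fire off an email with the result - OS agnostic
# choco install -y bind-toolsonly - why wouldnt they keep building dig tools for windows? boo >:(
# also runs on linux provided you have dig and openssl available
# your root domain, we will look up the mx record within this script
$domainToCheck = "domain.tld"
# port -> transport protocol for the TLSA owner name (_<port>._<protocol>.<mx>).
# [ordered] so the report always lists ports in the order written here.
$portsToCheck = [ordered]@{
  25  = 'tcp'
  587 = 'tcp'
}
# notify settings
$to = "[email protected]"
$from = "[email protected]"
$smtpServer = "127.0.0.1"
$smtpPort = 25
# check that we have dig and openssl available
# (Get-Command returns nothing when the binary is not on PATH; test for that
# directly rather than comparing against $null on the right-hand side)
if (-not (Get-Command "dig" -ErrorAction SilentlyContinue)) {
  throw "couldnt find dig!"
}
if (-not (Get-Command "openssl" -ErrorAction SilentlyContinue)) {
  throw "couldnt find openssl!"
}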
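function verify_tlsa($domain, $port, $rrdata){
  # Run `openssl s_client` in DANE mode against $domain:$port, pinning the TLSA
  # record(s) in $rrdata, and return its (stdout+stderr) output one line per
  # element. Callers look for the literal line "Verification: OK".
  #   $domain - MX hostname; used for -connect and as the DANE TLSA base domain
  #   $port   - TCP port; 25 and 587 negotiate STARTTLS, 465 (and any other
  #             port) is treated as implicit TLS
  #   $rrdata - one or more TLSA RRdata strings in presentation form
  #             ("<usage> <selector> <matching-type> <hex>"), as dig returns them
  $sslArgs = @('s_client', '-brief')
  switch ($port) {
    25  { $sslArgs += @('-starttls', 'smtp') }
    587 { $sslArgs += @('-starttls', 'smtp') }
    # 465 and unlisted ports: implicit TLS, no STARTTLS option at all (the
    # original passed an empty/unset option value in these cases)
  }
  $sslArgs += @(
    '-dane_tlsa_domain', $domain,
    '-verify', '9',
    '-verify_return_error',
    '-dane_ee_no_namechecks'
  )
  # dig returns one element per TLSA record (several during a key rollover).
  # Each must be passed as its own -dane_tlsa_rrdata option; passing the array
  # as a single option only worked when exactly one record existed.
  foreach ($rr in @($rrdata)) {
    if ($rr) {
      $sslArgs += @('-dane_tlsa_rrdata', "$rr")
    }
  }
  $sslArgs += @('-connect', "${domain}:${port}")
  # "Q" on stdin makes s_client quit once the handshake (and therefore DANE
  # verification) has completed. stderr is merged into the output; on Windows
  # PowerShell the merged stderr lines arrive as ErrorRecords, so unwrap them to
  # their message text. Plain strings (as produced on Linux) pass through as-is,
  # so the same code path is used on both platforms.
  $output = Write-Output "Q" | & openssl @sslArgs 2>&1 | ForEach-Object {
    if ($_ -is [System.Management.Automation.ErrorRecord]) {
      $_.Exception.Message
    } else {
      $_
    }
  }
  return $output -split "`r`n"
}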
function digtlsa {
  # Look up the TLSA records for one MX host/port and return dig's +short
  # output (one "<usage> <selector> <matching-type> <hex>" string per record,
  # nothing when no record exists).
  #   $port     - TCP port the record is published for
  #   $protocol - transport label in the owner name (e.g. 'tcp')
  #   $mx       - MX hostname without trailing dot
  param (
    [int]$port,
    [string]$protocol,
    [string]$mx
  )
  # TLSA owner name per RFC 6698: _<port>._<protocol>.<host>
  $ownerName = '_{0}._{1}.{2}' -f $port, $protocol, $mx
  $records = & dig $ownerName tlsa +short
  return $records
}
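# Resolve the MX hosts for the root domain. `dig +short` prints "<prio> <host>."
# per record; strip the priority, whitespace and trailing dot to keep the bare
# hostname, and drop empty lines so an empty answer does not become "".
$mx_records = @(dig $domainToCheck mx +short) |
  ForEach-Object { $_ -replace "(^\d+|\s|\.$)" } |
  Where-Object { $_ }
if (-not $mx_records) {
  # Previously an empty answer fell through as a single "" hostname, which was
  # then "verified" and reported as a green checkup.
  throw "no MX records found for $domainToCheck"
}
# do work
# $hadError rather than $error: $Error is PowerShell's automatic error list and
# should not be reassigned.
$hadError = $false
$data = @()
foreach ($mx in $mx_records) {
  foreach ($port in $portsToCheck.GetEnumerator()) {
    $verified = $false
    $rrd = digtlsa $port.Key $port.Value $mx
    # if there is no tlsa record, we shouldnt bother attempting verification
    if (!$rrd) {
      $verified = $true
      $text = "no record found for _$($port.Key)._$($port.Value).$mx"
      Write-Host $text
      $verify_tlsa = $text
    } else {
      $verify_tlsa = verify_tlsa $mx $port.Key $rrd
      if ($verify_tlsa -contains "Verification: OK") {
        $verified = $true
      } else {
        $hadError = $true
      }
    }
    # Store port number and protocol separately: storing the DictionaryEntry
    # made the report print its type name instead of the port.
    $data += @{
      Data     = $verify_tlsa
      Verified = $verified
      Port     = $port.Key
      Protocol = $port.Value
      MxRecord = $mx
    }
  }
}
$htmlEncodedOutput = '<!doctype html><html lang="en"><body>'
# Build the test report. Everything interpolated below comes from DNS answers
# and the remote server's handshake/banner output, so HTML-encode it before
# embedding it in the mail body.
foreach ($item in $data) {
  $heading = "Verifying TLSA Record for $($item['MxRecord']) on port $($item['Port'])"
  Write-Host $heading
  $htmlEncodedOutput += "<i>$([System.Net.WebUtility]::HtmlEncode($heading))</i><br><table>"
  $colour = if ($item['Verified']) { 'green' } else { 'red' }
  foreach ($line in ($item['Data'] -split "`r`n")) {
    # skip empty lines
    if (!$line) {
      continue
    }
    Write-Host $line -ForegroundColor $colour
    $encodedLine = [System.Net.WebUtility]::HtmlEncode([string]$line)
    $htmlEncodedOutput += "<tr><td><span style=`"color:$colour`">$encodedLine</span></td></tr>"
  }
  Write-Host ""
  $htmlEncodedOutput += "</table><br>"
}
$htmlEncodedOutput += "</body></html>";
# nag $to if error: send the alert four times, ten minutes apart
if ($hadError) {
  for ($i = 0; $i -le 3; $i++) {
    Send-MailMessage -To $to -From $from -Subject "TLSA Record Error!" -Body $htmlEncodedOutput -BodyAsHtml -SmtpServer $smtpServer -Port $smtpPort
    # no point sleeping after the final send
    if ($i -lt 3) {
      Start-Sleep -Seconds 600
    }
  }
} else {
  Send-MailMessage -To $to -From $from -Subject "TLSA Record Checkup Complete" -Body $htmlEncodedOutput -BodyAsHtml -SmtpServer $smtpServer -Port $smtpPort
}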