Quoting Joseph Nahmias (2022-03-30 15:02:56)
> Package: wnpp
> Severity: wishlist
> X-Debbugs-Cc: j...@nahmias.net, postfix-us...@dukhovni.org, debian-hask...@lists.debian.org
>
> * Package name    : danecheck
>   Version         : 1.1.0
>   Upstream Author : Viktor Dukhovni <postfix-us...@dukhovni.org>
> * URL             : https://github.com/vdukhovni/danecheck
> * License         : BSD
>   Programming Lang: Haskell
>   Description     : DANE SMTP checker
>
> This is a tool to check DANE TLSA security for SMTP.
>
> Features:
> * Test the local resolver configuration by verifying the validity of the
>   root zone DNSKEY and SOA RRSets.
> * Test whether DNSSEC is enabled for a given TLD.
> * Check whether an email domain is fully protected (across all of its MX
>   hosts) by DANE TLSA records, and whether these match the actual
>   certificate chains seen at each IP address of each MX host.
> * Perform certificate chain verification at a time offset from the current
>   time to ensure that certificates are not about to expire too soon.
>
> A non-zero exit status is returned if any DNS lookups fail or if the MX
> records or MX hosts are in an unsigned zone, or if for one of the MX hosts
> no associated secure TLSA records are found. A non-zero exit status is also
> returned if any of the SMTP connections fail to establish a TLS connection
> or yield a certificate chain that does not match the TLSA records.
>
> Packaging note:
>
> I do not know Haskell, so wouldn't really be a good maintainer, thus
> submitting this as an RFP.

This tool looks interesting.

Until available, a related yet simpler tool is danetool, part of Debian package gnutls-bin.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private