On Tue, Dec 24, 2024 at 09:08:41PM -0800, Randy Bush via Postfix-users wrote:

> > Randy, I'm disappointed
> 
> And I am embarrassed.  clearly I blew it when creating the new mx target.

I am glad you took the friendly jibe in stride.

> > I'd like to suggest some serious attention to monitoring
> 
> but is there a script i can install and run nightly to which i can feed
> the list of smtpd/dane sites to be checked without going down the
> haskell and stack rabbit hole?  for TLS, i.e. https: imaps: etc, i use a
> simple python hack, `tls-expiration-monitor`, which i think i got
> via/from sra some years back.

Yes, I'm in the habit of pointing folks at my simple "openssl s_client" probe

    https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/

which you can loop over each IP address (v4 and v6 as applicable) of
each MX host.  For those adventurous enough to have multiple (one each
of ECDSA and RSA), I have an as yet unpublished variant that also
chooses appropriate signature algorithms, but most users don't need
that.

My message reporting the problem on "Mon, 24 Jun 2024 13:35:29 +0000"
included a link to that monitoring code.  But, sadly, most recipients
just read the subject line, quickly repair the server, and ignore the
links to the advice that might help them **avoid** future problems.

Thus many sites that fail a first time end up failing repeatedly, until
after ~5 separate failures and resulting notices, I stop nagging them, and
leave them to their own devices... :-(

-- 
    Viktor.
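
The loop described above (each IP address, v4 and v6, of each MX host), sketched as an added example; it is not part of the message and not the script behind the link. It assumes `dig` is installed and that the local resolver validates DNSSEC; the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example (not the script linked above): DANE-verify SMTP on every
# address of every MX host. Assumes dig, and a DNSSEC-validating resolver.
OPENSSL=${OPENSSL:-openssl}

# Reduce `dig +short TLSA` output to well-formed "usage selector mtype HEX" lines.
tlsa_filter() {
    awk 'NF >= 4 && $1 ~ /^[0-3]$/ && $2 ~ /^[01]$/ && $3 ~ /^[0-2]$/ {
             d = ""; for (i = 4; i <= NF; i++) d = d $i
             if (d ~ /^[0-9A-Fa-f]+$/) print $1, $2, $3, toupper(d)
         }'
}

# IPv6 literals need brackets in s_client -connect.
connect_arg() {
    case $1 in *:*) printf '[%s]:25\n' "$1" ;; *) printf '%s:25\n' "$1" ;; esac
}

# probe HOST ADDR, TLSA lines on stdin. 0 = verified, 1 = failed, 2 = no TLSA RRs.
probe() {
    host=$1; addr=$2; n=0
    set -- -starttls smtp -connect "$(connect_arg "$addr")" -servername "$host" \
        -verify 9 -verify_return_error -brief -dane_tlsa_domain "$host"
    while read -r u s m data; do
        [ -n "$data" ] || continue
        set -- "$@" -dane_tlsa_rrdata "$u $s $m $data"; n=$((n + 1))
    done
    [ "$n" -gt 0 ] || return 2
    # -brief prints "Verification: OK" when the chain matched a TLSA record.
    (sleep 1; printf 'QUIT\r\n') | "$OPENSSL" s_client "$@" 2>&1 |
        grep -q '^Verification: OK'
}

# check_domains DOMAIN...: report OK/FAIL per MX host and address.
check_domains() {
    rc=0
    for domain in "$@"; do
        for mx in $(dig +short MX "$domain" | awk '{ sub(/\.$/, "", $2); print $2 }'); do
            tlsa=$(dig +short +nosplit TLSA "_25._tcp.$mx" | tlsa_filter)
            for addr in $(dig +short A "$mx"; dig +short AAAA "$mx"); do
                if printf '%s\n' "$tlsa" | probe "$mx" "$addr"; then
                    echo "OK   $mx $addr"
                else
                    echo "FAIL $mx $addr"; rc=1
                fi
            done
        done
    done
    return "$rc"
}

if [ $# -gt 0 ]; then check_domains "$@"; fi
```

Run nightly with the domains as arguments; the exit status is non-zero if any address of any MX host fails, and a host with no usable TLSA records is reported as a failure.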