> On Feb 10, 2025, at 01:59, Viktor Dukhovni via Postfix-users 
> <postfix-users@postfix.org> wrote:
> 
> On Mon, Feb 10, 2025 at 12:22:44AM -0800, Dan Mahoney via Postfix-users wrote:
> 
>> I’d like to turn this into a check in our internal monitoring, since we
>> do occasionally roll the cert on our MXes (which need to be “real” OV
>> certs due to some customer requirements — I don’t make the rules).
>> 
>> Viktor, do you have that code up somewhere?  (Obviously, I’d make it 
>> single-target)
> 
> The highly parallel engine, which scans over 1k domains/sec is not what
> you're looking for.  Rather, I have multiple times posted a link to a
> much simpler bash function that uses openssl-s_client(1).
> 
>    
> https://list.sys4.de/hyperkitty/list/dane-us...@list.sys4.de/thread/NKDBQABSTAAWLTHSZKC7P3HALF7VE5QY/

Follow-on question, related to OpenSSL versus Postfix, but relevant for those of 
us trying to understand the monitoring.

So we check DANE using s_client -starttls smtp -connect $host:25 -verify 9 
-verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain $host 
-dane_tlsa_rrdata $rr

And if we parse the output, the two lines in the output we’re looking for are:

Verification: OK
DANE TLSA 3 1 1 ...4aab479b6279fe7044a0fa89 matched EE certificate at depth 0

(Plus the openssl exit code of zero).

Correct?  Is either of these more “canonical” than the others?  (I know that 
for different values in the TLSA record, the text won’t be exactly that).

Is there some reason that the TLSA record openssl prints is shortened?  There 
are definitely longer lines in the openssl output, such as “Resumption PSK”, so 
it’s not like OpenSSL has an arbitrary wrap-length.

-Dan
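A single-target version of the check Dan describes, written as an added example for this thread (it is not Viktor's bash function, nor anything from the linked post). It wraps the exact s_client invocation quoted above, fetches the TLSA records with dig(1) (assumed to be installed), hands every record to one connection via repeated -dane_tlsa_rrdata options, and then requires all three signals the post lists: an exit status of zero, the "Verification: OK" line, and a "DANE TLSA ... matched ... certificate" line. Because the wording of that last line changes with the usage/selector/matching-type fields, the pattern accepts any digits and any "matched ... certificate" phrasing rather than the one line quoted; that generalisation, the hostnames, and the sample s_client output used for the offline self-check are all constructed here.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Nagios-style exit codes: 0 OK, 2 CRITICAL.

# Return 0 only when the s_client output (passed as $1) carries BOTH lines the
# post looks for. "Verification: OK" alone is not enough: it is also printed for
# an ordinary PKIX success when no TLSA data was matched.
dane_output_ok() {
    out=$1
    printf '%s\n' "$out" | grep -qx 'Verification: OK' || return 1
    # Digits and the "matched EE/TA certificate" wording are left open because
    # they vary with the TLSA record type (assumption: always "... certificate").
    printf '%s\n' "$out" | grep -qE \
        '^DANE TLSA [0-3] [0-1] [0-2] (\.\.\.)?[0-9a-fA-F]+ matched [A-Za-z]+ certificate at depth [0-9]+$' \
        || return 1
    return 0
}

# Check one MX: look up _PORT._tcp.HOST TLSA, run s_client once with every
# record, then require exit code 0 plus both output lines.
check_mx_dane() {
    host=$1
    port=${2:-25}
    rrs=$(dig +short TLSA "_${port}._tcp.${host}" 2>/dev/null | grep -E '^[0-3] [0-1] [0-2] ')
    if [ -z "$rrs" ]; then
        echo "CRITICAL: no TLSA records for _${port}._tcp.${host}"
        return 2
    fi
    set --   # rebuild the positional params as the -dane_tlsa_rrdata option list
    while IFS= read -r rr; do
        set -- "$@" -dane_tlsa_rrdata "$rr"
    done <<EOF
$rrs
EOF
    out=$(openssl s_client -starttls smtp -connect "${host}:${port}" \
              -verify 9 -verify_return_error -dane_ee_no_namechecks \
              -dane_tlsa_domain "$host" "$@" </dev/null 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ] && dane_output_ok "$out"; then
        echo "OK: ${host}:${port} DANE verified ($(($#/2)) TLSA record(s) offered)"
        return 0
    fi
    echo "CRITICAL: ${host}:${port} DANE check failed (openssl rc=$rc)"
    printf '%s\n' "$out" | grep -E '^(Verification|DANE TLSA|verify error)' | sed 's/^/  /'
    return 2
}

# Constructed sample output for an offline self-check of the parser
# (abbreviated s_client transcripts; hostnames and digest bytes are made up).
SAMPLE_OK='CONNECTED(00000003)
---
Verification: OK
DANE TLSA 3 1 1 ...0123456789abcdef01234567 matched EE certificate at depth 0
---
Resumption PSK: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
'
SAMPLE_PKIX_ONLY='CONNECTED(00000003)
---
Verification: OK
---
'
SAMPLE_FAIL='CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
---
Verification error: unable to get local issuer certificate
---
'

# Usage: ./check_mx_dane.sh mx.example.net [port]
if [ $# -gt 0 ]; then
    check_mx_dane "$@"
fi
```

Passing all records in one connection matters when a site keeps a rollover record ("3 1 1" for the current key and another for the next one) alongside the live one: the check then stays green across a planned cert roll, and only goes critical when none of the published records matches what the server presents. Point the monitor at each MX hostname individually, as the post intends.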