On Wed, Aug 16, 2023 at 07:48:30PM -0400, Viktor Dukhovni wrote:

> Problem found via:
> 
>     danesmtp ()
>     {
>         local host=$1;
>         shift;
>         local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain "$host");
>         set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | egrep -i '^[23] [01] [012] [0-9a-f]+$');
>         while [ $# -ge 4 ]; do
>             opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4");
>             shift 4;
>         done;
>         ( sleep 1;
>         printf "QUIT\r\n" ) | openssl s_client -tls1_2 -cipher 'aRSA:aECDSA' "${opts[@]}"
>     }

New/improved "danesmtp" shell (bash) function.  The updated version can
take an optional explicit IP address to connect to, so you can test each
of the IP addresses of a host in turn:

    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sslopts
        local rr i=0 host addr
        while getopts a: opt; do
            case $opt in
                a) addr=$OPTARG
                   case $addr in *:*) addr="[$addr]";; esac;;
                *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
                   return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift
        if [[ -z "$addr" ]]; then
            addr="$host"
        fi
        sslopts=(-starttls smtp -connect "$addr:25"
                 -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done
        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org