On Wed, Aug 16, 2023 at 07:48:30PM -0400, Viktor Dukhovni wrote:
> Problem found via:
>
>     danesmtp ()
>     {
>         local host=$1;
>         shift;
>         local opts=(-starttls smtp -connect "$host:25" -verify 9
>                     -verify_return_error -dane_ee_no_namechecks -dane_tlsa_domain "$host");
>         set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" | egrep -i '^[23] [01] [012] [0-9a-f]+$');
>         while [ $# -ge 4 ]; do
>             opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4");
>             shift 4;
>         done;
>         ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -tls1_2 -cipher 'aRSA:aECDSA' "${opts[@]}"
>     }
New/improved "danesmtp" shell (bash) function. The updated version can take an
optional explicit IP address to connect to, so you can test each of the IP
addresses of a host in turn:

    danesmtp () {
        local OPTIND=1 opt
        local -a rrs sslopts
        local rr i=0 host addr

        while getopts a: opt; do
            case $opt in
            a) addr=$OPTARG
               case $addr in
               *:*) addr="[$addr]";;
               esac;;
            *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
               return 1;;
            esac
        done
        shift $((OPTIND - 1))
        host=$1
        shift

        if [[ -z "$addr" ]]; then
            addr="$host"
        fi

        sslopts=(-starttls smtp -connect "$addr:25" -verify 9 -verify_return_error
                 -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
        while (( i < ${#rrs[@]} - 3 )); do
            rr=${rrs[@]:$i:4}
            i=$((i+4))
            sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
        done

        ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
    }

-- 
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
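The function above trusts whatever "dig +short" lines match its grep pattern and hands them to openssl s_client four fields at a time. The following is an added example (not Viktor's code and not part of the thread) that checks each TLSA record a little more strictly before it becomes a -dane_tlsa_rrdata argument: usage must be 2 or 3 (the DANE-TA and DANE-EE usages SMTP DANE actually uses), the digest length must match the matching type (64 hex characters for SHA-256, 128 for SHA-512), and the hex is normalised to lower case so that records from different resolvers compare equal. The TLSA lines are a constructed sample, and all function names (tlsa_valid, tlsa_filter, tlsa_count, tlsa_sslopts) are this example's own; it is plain POSIX sh, so it also runs under bash.

```shell
# Added example, not Viktor's code: validate "dig +short" TLSA output before
# using it as openssl s_client -dane_tlsa_rrdata arguments.

# Constructed sample of "dig +short +nosplit -t tlsa _25._tcp.HOST" output:
#   1. DANE-EE, SPKI, SHA-256 (3 1 1) with mixed-case hex  -> usable
#   2. DANE-TA, full cert, SHA-512 (2 0 2)                 -> usable
#   3. PKIX-TA (usage 0): not used by SMTP DANE             -> rejected
#   4. claims SHA-256 but carries only 8 hex characters     -> rejected
H16=0123456789abcdef
SAMPLE_TLSA="3 1 1 0123456789ABCDEF$H16$H16$H16
2 0 2 $H16$H16$H16$H16$H16$H16$H16$H16
0 0 1 $H16$H16$H16$H16
3 1 1 deadbeef"

# is_hex STRING: succeed when STRING is non-empty and contains only hex digits
is_hex() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
        *) return 0 ;;
    esac
}

# tlsa_valid USAGE SELECTOR MTYPE DATA: succeed when the record is usable for
# SMTP DANE and its digest length agrees with the matching type
tlsa_valid() {
    case $1 in 2|3) ;; *) return 1 ;; esac      # only DANE-TA / DANE-EE
    case $2 in 0|1) ;; *) return 1 ;; esac      # full cert / SPKI
    is_hex "$4" || return 1
    case $3 in
        0) [ $(( ${#4} % 2 )) -eq 0 ] ;;        # raw DER: any even length
        1) [ ${#4} -eq 64 ] ;;                  # SHA-256
        2) [ ${#4} -eq 128 ] ;;                 # SHA-512
        *) return 1 ;;
    esac
}

# tlsa_filter: read TLSA presentation lines on stdin; print the usable ones,
# one per line, with the digest lower-cased. Malformed lines are dropped.
tlsa_filter() {
    while read -r u s m d extra; do
        [ -n "$extra" ] && continue             # more than four fields
        tlsa_valid "$u" "$s" "$m" "$d" || continue
        printf '%s %s %s %s\n' "$u" "$s" "$m" "$(printf '%s' "$d" | tr 'A-F' 'a-f')"
    done
}

# tlsa_count TEXT: number of usable records in TEXT
tlsa_count() {
    printf '%s\n' "$1" | tlsa_filter | wc -l | tr -d ' '
}

# tlsa_sslopts TEXT: print "-dane_tlsa_rrdata" and the record on alternating
# lines, ready to be collected into the s_client argument list
tlsa_sslopts() {
    printf '%s\n' "$1" | tlsa_filter | while read -r rr; do
        printf '%s\n%s\n' -dane_tlsa_rrdata "$rr"
    done
}

# Demo: the arguments the sample would contribute to the s_client command line
tlsa_sslopts "$SAMPLE_TLSA"
```

In a bash function like danesmtp the output of tlsa_sslopts can be collected with `mapfile -t extra < <(tlsa_sslopts "$(dig +short +nosplit -t tlsa "_25._tcp.$host")")` and appended to the sslopts array; a record that fails the length check is then left out rather than being passed to openssl as a digest that can never match.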