Created
March 16, 2015 15:51
-
-
Save pierky/f428b1f16ec25c50d0d1 to your computer and use it in GitHub Desktop.
Bash script to analyze STARTTLS support on a list of domains MX servers, used on my "Italian Government mail servers STARTTLS support" blog post
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # support script for blog post: | |
| # http://blog.pierky.com/italian-government-mail-servers-starttls-support | |
| # REQUIRES: list of domains on ./domains file, one domain on each line | |
| # ./output directory | |
| rm domains-mx &>/dev/null | |
| for D in `cat domains` | |
| do | |
| MXes=`dig +short -t MX $D | cut -d' ' -f 2` | |
| for MX in $MXes | |
| do | |
| echo $D $MX >> domains-mx | |
| done | |
| done | |
| cat domains-mx | cut -d' ' -f 2 | sort | uniq > unique-mx | |
| function OpenSSLTests() { | |
| cat unique-mx | \ | |
| xargs -I '{}' bash -c \ | |
| 'echo "Testing {} ..." ; echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref -status -CApath /etc/ssl/certs/ -connect {}:25 &> output/{}' | |
| # SSL3 | |
| grep -l SSL-Session output/*. | \ | |
| cut -d'/' -f 2 | | |
| xargs -I '{}' bash -c \ | |
| 'echo "Testing SSL3 only {} ..." ; echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref -status -CApath /etc/ssl/certs/ -connect {}:25 -ssl3 &> output/{}.ssl3' | |
| # TLS1 | |
| grep -l SSL-Session output/*. | \ | |
| cut -d'/' -f 2 | | |
| xargs -I '{}' bash -c \ | |
| 'echo "Testing TLS1 only {} ..." ; echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref -status -CApath /etc/ssl/certs/ -connect {}:25 -tls1 &> output/{}.tls1' | |
| # TLS1.1 | |
| grep -l SSL-Session output/*. | \ | |
| cut -d'/' -f 2 | | |
| xargs -I '{}' bash -c \ | |
| 'echo "Testing TLS1.1 only {} ..." ; echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref -status -CApath /etc/ssl/certs/ -connect {}:25 -tls1_1 &> output/{}.tls1_1' | |
| # TLS1.2 | |
| grep -l SSL-Session output/*. | \ | |
| cut -d'/' -f 2 | | |
| xargs -I '{}' bash -c \ | |
| 'echo "Testing TLS1.2 only {} ..." ; echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref -status -CApath /etc/ssl/certs/ -connect {}:25 -tls1_2 &> output/{}.tls1_2' | |
| } | |
| function TestProtocol() { | |
| grep ":error:" $1.$2 &>/dev/null | |
| if [ $? -eq 0 ]; then | |
| TestProtocol_Res=No | |
| else | |
| #TestProtocol_Res=`cat $1.$2 | egrep "Cipher\s+:" | cut -d':' -f 2 | xargs` | |
| TestProtocol_Res=Yes | |
| fi | |
| } | |
| OpenSSLTests | |
| for F in output/*. | |
| do | |
| MX=`echo $F | cut -d '/' -f 2` | |
| grep "connect:errno" $F &>/dev/null | |
| if [ $? -eq 0 ]; then | |
| Status="ConnErr" | |
| else | |
| grep "didn't found starttls in server response" $F &>/dev/null | |
| if [ $? -eq 0 ]; then | |
| Status="No STARTTLS" | |
| else | |
| Status="STARTTLS OK" | |
| PublicKeyLenght=`cat $F | grep "Server public key is" | cut -d' ' -f 5` | |
| VerifyReturnCode=`cat $F | grep "Verify return code" | cut -d':' -f 2 | xargs` | |
| TestProtocol "$F" ssl3 | |
| SSL3=$TestProtocol_Res | |
| TestProtocol "$F" tls1 | |
| TLS1=$TestProtocol_Res | |
| TestProtocol "$F" tls1_1 | |
| TLS1_1=$TestProtocol_Res | |
| TestProtocol "$F" tls1_2 | |
| TLS1_2=$TestProtocol_Res | |
| fi | |
| fi | |
| if [ "$Status" == "STARTTLS OK" ]; then | |
| echo $MX,$Status,$PublicKeyLenght,$VerifyReturnCode,$SSL3,$TLS1,$TLS1_1,$TLS1_2 | |
| else | |
| echo $MX,$Status | |
| fi | |
| done |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment