Bash script to analyze STARTTLS support on the MX servers of a list of domains, used in my "Italian Government mail servers STARTTLS support" blog post
#!/bin/bash
# support script for blog post:
# http://blog.pierky.com/italian-government-mail-servers-starttls-support
# REQUIRES: a list of domains in the ./domains file, one domain per line,
# and an ./output directory for the openssl transcripts
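# Resolve the MX hosts of every domain listed in ./domains and build:
#   domains-mx - "<domain> <mx host>" pairs, one per line
#   unique-mx  - the distinct MX host names, sorted
# Host names are kept exactly as dig prints them (trailing dot included):
# the later stages name their output/ files after them and glob on "output/*.".
if [[ ! -r domains ]]; then
  printf 'domains file not found or unreadable\n' >&2
  exit 1
fi
mkdir -p output
# start from an empty file (the previous run's content must not leak in)
: > domains-mx
while IFS= read -r D || [[ -n "$D" ]]; do
  # blank lines carry no domain
  [[ -n "$D" ]] || continue
  # dig +short prints "<priority> <host>." for MX answers; anything else
  # (";; connection timed out", "no servers could be reached", ...) is
  # diagnostic text and must not be mistaken for a host name.
  dig +short -t MX "$D" \
    | awk -v d="$D" 'NF == 2 && $1 ~ /^[0-9]+$/ { print d, $2 }' >> domains-mx
done < domains
# sort -u replaces "sort | uniq"
cut -d' ' -f 2 domains-mx | sort -u > unique-mx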
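#######################################
# Run one openssl s_client STARTTLS probe and save the transcript.
# Arguments: $1 - MX host name, exactly as listed in unique-mx
#            $2 - suffix for the transcript file name ("" for the base run)
#            $3... - extra openssl options (e.g. -ssl3) that pin the protocol
# Outputs:   transcript (stdout+stderr of openssl) in output/$1$2
# The host name is handed over as a positional argument rather than spliced
# into a "bash -c" command string: MX names come from DNS answers that the
# probed domains control, and a crafted record would otherwise be parsed as
# shell syntax.
#######################################
openssl_probe() {
  local host=$1 suffix=$2
  shift 2
  echo QUIT | /usr/bin/openssl s_client -crlf -starttls smtp -bugs -serverpref \
    -status -CApath /etc/ssl/certs/ -connect "${host}:25" "$@" \
    &> "output/${host}${suffix}"
}

#######################################
# Re-probe, with a single protocol version forced, every host whose base
# transcript shows a negotiated session ("SSL-Session" present).
# Arguments: $1 - label used in the progress message (e.g. TLS1.1)
#            $2 - protocol tag; names both the openssl option (-$2) and the
#                 transcript suffix (.$2)
# Outputs:   progress messages on stderr
#######################################
probe_protocol_only() {
  local label=$1 proto=$2 transcript host
  while IFS= read -r transcript; do
    host=${transcript##*/}
    printf 'Testing %s only %s ...\n' "$label" "$host" >&2
    openssl_probe "$host" ".$proto" "-$proto"
  done < <(grep -l -- SSL-Session output/*.)
}

#######################################
# Probe every host in unique-mx: a base run first, then one run per
# protocol version for the hosts that completed a handshake.
# Globals:   reads unique-mx; writes output/<host> and output/<host>.<proto>
# Outputs:   progress messages go to stderr so that stdout carries only the
#            CSV report printed later by the caller
#######################################
OpenSSLTests() {
  local host
  while IFS= read -r host || [[ -n "$host" ]]; do
    [[ -n "$host" ]] || continue
    printf 'Testing %s ...\n' "$host" >&2
    openssl_probe "$host" ""
  done < unique-mx
  probe_protocol_only SSL3 ssl3
  probe_protocol_only TLS1 tls1
  probe_protocol_only TLS1.1 tls1_1
  probe_protocol_only TLS1.2 tls1_2
}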
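#######################################
# Decide whether the forced-protocol probe of a host succeeded.
# Arguments: $1 - path of the base transcript (output/<host>)
#            $2 - protocol tag (ssl3, tls1, tls1_1, tls1_2); the probe
#                 transcript is "$1.$2"
# Globals:   sets TestProtocol_Res to Yes or No
# A missing transcript means the protocol-specific probe never ran (the base
# run did not reach a session); it is reported as No instead of falling
# through to Yes just because grep found no ":error:" line.
#######################################
TestProtocol() {
  local transcript="$1.$2"
  if [[ -r "$transcript" ]] && ! grep -q -- ':error:' "$transcript"; then
    TestProtocol_Res=Yes
  else
    TestProtocol_Res=No
  fi
}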
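# Probe every MX host, then print one CSV line per base transcript:
#   <mx>,<status>                              connection or STARTTLS failure
#   <mx>,STARTTLS OK,<key bits>,<verify code>,<ssl3>,<tls1>,<tls1.1>,<tls1.2>
# Status is derived from the text openssl wrote into the transcript.
OpenSSLTests
for F in output/*.; do
  # an unmatched glob leaves the literal pattern behind: nothing to report
  [[ -e "$F" ]] || continue
  MX=${F##*/}
  if grep -q -- 'connect:errno' "$F"; then
    Status="ConnErr"
  elif grep -q -- "didn't found starttls in server response" "$F"; then
    Status="No STARTTLS"
  else
    Status="STARTTLS OK"
    # "Server public key is NNNN bit" -> NNNN (first occurrence)
    PublicKeyLength=$(awk '/Server public key is/ { print $5; exit }' "$F")
    # "Verify return code: N (text)" -> "N (text)"; read strips the
    # surrounding IFS whitespace that the original used xargs to trim
    VerifyReturnCode=$(grep -- 'Verify return code' "$F" | cut -d':' -f 2)
    read -r VerifyReturnCode <<<"$VerifyReturnCode"
    TestProtocol "$F" ssl3
    SSL3=$TestProtocol_Res
    TestProtocol "$F" tls1
    TLS1=$TestProtocol_Res
    TestProtocol "$F" tls1_1
    TLS1_1=$TestProtocol_Res
    TestProtocol "$F" tls1_2
    TLS1_2=$TestProtocol_Res
  fi
  if [[ "$Status" == "STARTTLS OK" ]]; then
    printf '%s\n' "$MX,$Status,$PublicKeyLength,$VerifyReturnCode,$SSL3,$TLS1,$TLS1_1,$TLS1_2"
  else
    printf '%s\n' "$MX,$Status"
  fi
done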