mxcheck's People

Contributors

steffenfritz

mxcheck's Issues

DMARC check

Describe the solution you'd like
mxcheck should check for DMARC DNS entries.

We need a type for it and validation where possible.

  • Indicates whether strict or relaxed DKIM Identifier Alignment mode
    is required: adkim
  • Indicates whether strict or relaxed SPF Identifier Alignment mode
    is required: aspf
  • Failure reporting options: fo
  • Requested Mail Receiver policy: p
  • Percentage of messages from the Domain Owner's
    mail stream to which the DMARC policy is to be applied: pct
  • Format to be used for message-specific failure reports: rf
  • Interval requested between aggregate reports: ri
  • Addresses to which aggregate feedback is to be sent: rua
  • Addresses to which message-specific failure information is to
    be reported: ruf
  • Requested Mail Receiver policy for all subdomains: sp
  • Version: v

See https://datatracker.ietf.org/doc/html/rfc7489

CNAME DMARC not working

Describe the bug
When checking a domain with a CNAME'd There is a Go Panic regarding

To Reproduce
Check a domain with a CNAME'd DMARC record
Can be created using: https://mxtoolbox.com/dmarc/dmarc-setup-cname

Expected behavior
DMARC report :-D

Screenshots
user@server:~$ mxcheck -n -s < REDACTED >.nl -S default

INFO: 2024/05/14 15:24:50 == Checking: < REDACTED >.nl ==
INFO: 2024/05/14 15:24:50 Found MX:
INFO: 2024/05/14 15:24:50 < REDACTED >-nl.mail.protection.outlook.com.
INFO: 2024/05/14 15:24:50 == Checking DKIM record ==
INFO: 2024/05/14 15:24:50 DKIM not set or wrong selector
INFO: 2024/05/14 15:24:50 == Checking DMARC record ==
panic: interface conversion: dns.RR is *dns.CNAME, not *dns.TXT

goroutine 1 [running]:
main.getDMARC({0x7fff3566f5fd?, 0xc0000c95d8?}, {0x70ad2f, 0x7})
/home/user/go/pkg/mod/github.com/steffenfritz/[email protected]/dns.go:245 +0x3cc
main.main()
/home/user/go/pkg/mod/github.com/steffenfritz/[email protected]/main.go:167 +0xd56

System (please complete the following information):

  • OS: Ubuntu
  • Version 22.04
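
The panic message in this report comes from an unchecked type assertion to *dns.TXT on an answer whose first record is a CNAME. As an added example (not mxcheck's code), the Go block below walks an answer section with a type switch instead. The RR, TXT and CNAME types are constructed stand-ins for a DNS library's types so the block runs offline, and dmarcFromAnswer and the example.org / example.net names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-ins for a DNS library's RR interface and record types,
// constructed here so the example runs offline.
type RR interface{ Name() string }
type TXT struct {
	Owner string
	Txt   []string
}
type CNAME struct{ Owner, Target string }

func (t *TXT) Name() string   { return t.Owner }
func (c *CNAME) Name() string { return c.Owner }

// dmarcFromAnswer returns the single DMARC policy found in an answer
// section that may carry CNAME records ahead of the TXT record.
func dmarcFromAnswer(answer []RR) (string, error) {
	var found []string
	for _, rr := range answer {
		switch r := rr.(type) { // type switch: unexpected types cannot panic
		case *TXT:
			// The character-strings of one TXT record are joined without separators.
			if s := strings.Join(r.Txt, ""); strings.HasPrefix(s, "v=DMARC1") {
				found = append(found, s)
			}
		case *CNAME:
			// Alias hop, not a policy. A recursive resolver returns the
			// target's TXT record later in the same answer section.
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("found %d DMARC records in %d answer RRs, want exactly 1", len(found), len(answer))
	}
	return found[0], nil
}

func main() {
	// Constructed answer: the _dmarc name is an alias to a hosted policy.
	answer := []RR{
		&CNAME{"_dmarc.example.org.", "policy.example.net."},
		&TXT{"policy.example.net.", []string{"v=DMARC1; p=reject; ", "rua=mailto:agg@example.net"}},
	}
	fmt.Println(dmarcFromAnswer(answer))
}
```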

Add Nagios-compatible reporting

Describe the solution you'd like

mxcheck should be able to return a scan result in the form of Nagios-compatible plugins. Nagios-compatible plugins can be used with Icinga, Checkmk and more.

Describe the solution you'd like

mxcheck, run with a specific flag, should return a string in the following form

0 "My service" myvalue=73;80;90 My output text who may contain spaces

See https://docs.checkmk.com/latest/en/localchecks.html

TLS: Check TLS version

Is your feature request related to a problem? Please describe.
mxcheck should check the TLS version and mark v1.2 as yellow and v1.3+ as green

DKIM check

Describe the solution you'd like
mxcheck should check for DKIM DNS entries.

We need a type for it and validation where possible.

  • domain d=
  • granularity g=
  • acceptable algorithms h=
  • key type k=
  • note field n=
  • public key p=
  • selector s=
  • testing t=
  • version v=

See https://www.ietf.org/rfc/rfc6376.txt and updates in RFC 8301 and RFC 8463.
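
The DMARC issue further up and this DKIM issue both ask for validation of a record written in the same "tag=value;" list syntax. As an added example (not mxcheck's code), the Go block below parses that syntax and applies the value checks for the DMARC tags v, p, sp, adkim, aspf and pct. The function name checkDMARC and the sample record are assumptions, and the permitted values follow RFC 7489.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// checkDMARC parses one "tag=value; ..." record and returns findings (none = pass).
func checkDMARC(record string) (f []string) {
	t := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if strings.TrimSpace(part) == "" {
			continue // a trailing ';' is allowed
		}
		k, v, ok := strings.Cut(part, "=")
		k = strings.TrimSpace(k)
		if _, dup := t[k]; !ok || k == "" || dup {
			return []string{fmt.Sprintf("malformed or duplicate tag %q", part)}
		}
		t[k] = strings.TrimSpace(v)
	}
	enum := func(tag string, required bool, allowed ...string) {
		v, set := t[tag]
		ok := !set && !required // an absent optional tag falls back to its default
		for _, a := range allowed {
			ok = ok || (set && strings.EqualFold(v, a))
		}
		if !ok {
			f = append(f, fmt.Sprintf("%s=%q, want one of %v", tag, v, allowed))
		}
	}
	if t["v"] != "DMARC1" { // the version value is case-sensitive
		f = append(f, fmt.Sprintf("v=%q, want DMARC1", t["v"]))
	}
	enum("p", true, "none", "quarantine", "reject")
	enum("sp", false, "none", "quarantine", "reject")
	enum("adkim", false, "r", "s")
	enum("aspf", false, "r", "s")
	if v, set := t["pct"]; set {
		if n, err := strconv.Atoi(v); err != nil || n < 0 || n > 100 {
			f = append(f, fmt.Sprintf("pct=%q, want an integer 0..100", v))
		}
	}
	return f
}

func main() {
	fmt.Println(checkDMARC("v=DMARC1; p=rejct; pct=150")) // constructed record
}
```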

TSV report differs from standard output when rcpt is accepted

Describe the bug
When a valid rcpt from the mail server's scope is used, it may happen that the standard output differs from the TSV file written.

To Reproduce
Steps to reproduce the behavior:
Run mxcheck with a valid rcpt from the mail server's scope and write results to file, using the -w flag.

Expected behavior
The tsv output should show the same and correct result

STARTTLS: Check for implicit vs opportunistic TLS

Is your feature request related to a problem? Please describe.
When a server does not support STARTTLS and a client does not enforce aka has "implicit TLS" it might drop to an insecure connection.

Describe the solution you'd like
mxcheck should check for opportunistic vs implicit TLS. Opportunistic should be yellow or red and implicit green.

Check if update available

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
There should be a flag that checks if a new version of mxcheck is available

Add DANE support

Is your feature request related to a problem? Please describe.
mxcheck should have DANE support

Describe the solution you'd like
In a first version check if a DANE entry is set and fetch all information. In a second version a validation could be added (then in a new ticket/issue)

Additional context
https://datatracker.ietf.org/doc/html/rfc6698
https://datatracker.ietf.org/doc/html/rfc7218
https://datatracker.ietf.org/doc/html/rfc7672
https://datatracker.ietf.org/doc/html/rfc7673
