verify DMARC in addtion to SPF in DNS status checks

Scott Bronson 2016-09-30 17:11:16 -07:00
parent d4301bd424
commit 435a1552a9
1 changed files with 15 additions and 4 deletions


@ -344,7 +344,7 @@ def run_domain_checks_on_domain(domain, rounded_time, env, dns_domains, dns_zone
if domain in dns_domains: if domain in dns_domains:
check_dns_zone_suggestions(domain, env, output, dns_zonefiles, domains_with_a_records) check_dns_zone_suggestions(domain, env, output, dns_zonefiles, domains_with_a_records)
check_spf_domain(domain, domain in mail_domains, env, output) check_deliverability_domain(domain, domain in mail_domains, env, output)
return (domain, output) return (domain, output)
@ -408,7 +408,7 @@ def check_primary_hostname_dns(domain, env, output, dns_domains, dns_zonefiles):
# Check the SPF records. # Check the SPF records.
for ns in ['ns1', 'ns2']: for ns in ['ns1', 'ns2']:
check_spf_domain(ns + '.' + domain, False, env, output) check_deliverability_domain(ns + '.' + domain, False, env, output)
# Check the TLSA record. # Check the TLSA record.
tlsa_qname = "_25._tcp." + domain tlsa_qname = "_25._tcp." + domain
@ -652,16 +652,27 @@ def check_web_domain(domain, rounded_time, ssl_certificates, env, output):
# website for also needs a signed certificate. # website for also needs a signed certificate.
check_ssl_cert(domain, rounded_time, ssl_certificates, env, output) check_ssl_cert(domain, rounded_time, ssl_certificates, env, output)
def check_spf_domain(domain, deliverable, env, output): def check_deliverability_domain(domain, deliverable, env, output):
action = 'allow' if deliverable else 'prevent'
# Ensure the SPF record for this domain either allows or prevents email # Ensure the SPF record for this domain either allows or prevents email
expected = "\"v=spf1 %s-all\"" % ('mx ' if deliverable else '') expected = "\"v=spf1 %s-all\"" % ('mx ' if deliverable else '')
action = 'allow' if deliverable else 'prevent'
values = query_dns(domain, "TXT").split('; ') values = query_dns(domain, "TXT").split('; ')
if expected in values: if expected in values:
output.print_ok("Domain's SPF record %ss mail delivery. [%s%s]" % (action, domain, expected)) output.print_ok("Domain's SPF record %ss mail delivery. [%s%s]" % (action, domain, expected))
else: else:
output.print_error("This domain should %s mail delivery by setting a TXT record: %s%s" % (action, domain, expected)) output.print_error("This domain should %s mail delivery by setting a TXT record: %s%s" % (action, domain, expected))
# ensure the DMARC record specifies the correct action
dmarc_domain = '_dmarc.' + domain
values = query_dns(dmarc_domain, "TXT")
expected = "\"v=DMARC1; p=%s\"" % ('quarantine' if deliverable else 'reject')
if expected == values:
output.print_ok("Domain's DMARC record %ss mail delivery. [%s%s]" % (action, dmarc_domain, expected))
else:
output.print_error("This domain should %s mail delivery by setting a DMARC record: %s%s" % (action, dmarc_domain, expected))
def query_dns(qname, rtype, nxdomain='[Not Set]', at=None): def query_dns(qname, rtype, nxdomain='[Not Set]', at=None):
# Make the qname absolute by appending a period. Without this, dns.resolver.query # Make the qname absolute by appending a period. Without this, dns.resolver.query
# will fall back a failed lookup to a second query with this machine's hostname # will fall back a failed lookup to a second query with this machine's hostname
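Review bot: The DMARC branch of `check_deliverability_domain` compares the whole TXT answer with one literal (`if expected == values:`), so a record carrying any further tag such as `rua=` or `pct=` is reported as an error. The same happens when a deliverable domain already publishes the stricter `p=reject`, and the message then tells the admin to set `p=quarantine`, which nudges toward a weaker policy. I would compare only the `v` and `p` tags, for example `tags = dict(t.strip().split('=', 1) for t in values.strip('"').split(';') if '=' in t)` followed by `if tags.get('v') == 'DMARC1' and tags.get('p') in (('quarantine', 'reject') if deliverable else ('reject',)):`. The body of `query_dns` lies outside the hunk, so how it joins several TXT records is inferred from the SPF branch's `.split('; ')` and should be confirmed before parsing on `;`. The context comment `# Check the SPF records.` above the ns1/ns2 loop in `check_primary_hostname_dns` is now stale and could read `# Check the SPF and DMARC records.`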