A PowerShell script to verify TLSA records and fire off an email with the result - OS agnostic
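# choco install -y bind-toolsonly - why wouldnt they keep building dig tools for windows? boo >:(
# also runs on linux provided you have dig and openssl available
#
# Configuration: the root domain (its MX hosts are looked up below), the
# report sender/recipient and the relay that delivers the report.
# your root domain, we will look up the mx record within this script
$domain = "domain.tld"
$to = "webmaster@domain.tld"
$from = "tlsareport@domain.tld"
$smtpServer = "127.0.0.1"
# relay port; the send step referenced $smtpPort without it ever being set
$smtpPort = 25
# TCP ports to probe on every MX host (port -> transport label used in the
# TLSA owner name _<port>._<protocol>.<mx>)
$ports = @{
    25  = 'tcp'
    143 = 'tcp'
    587 = 'tcp'
}
# check that we have dig and openssl available; both run as native commands,
# so fail early with a clear message instead of part-way through the probes
foreach ($tool in @('dig', 'openssl')) {
    if ($null -eq (Get-Command -Name $tool -ErrorAction SilentlyContinue)) {
        Write-Host "couldnt find $tool!"
        exit 1
    }
}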
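#######################################
# Run a DANE-enabled openssl handshake against one MX host/port and return the
# `-brief` output as lines.
# Arguments:
#   $domain - MX host name (also used as the DANE TLSA base domain)
#   $port   - TCP port; 25/143/587 negotiate STARTTLS, anything else is
#             treated as implicit TLS (what the original did for 465/993 and
#             for unlisted ports)
#   $rrdata - zero or more TLSA rrdata strings ("usage selector mtype hex")
#             as printed by `dig ... tlsa +short`
# Returns:
#   the output lines; "Verification: OK" is present when openssl verified the
#   peer against the supplied rrdata
#######################################
function verify_tlsa($domain, $port, $rrdata) {
    $sslArgs = @('s_client', '-brief')
    switch ($port) {
        25  { $sslArgs += @('-starttls', 'smtp') }
        143 { $sslArgs += @('-starttls', 'imap') }
        587 { $sslArgs += @('-starttls', 'smtp') }
        default { }   # 465, 993 and unlisted ports: implicit TLS, no -starttls
    }
    # Without a published record there is nothing to verify; say so instead of
    # handing openssl a dangling -dane_tlsa_rrdata option.
    $records = @($rrdata | Where-Object { "$_".Trim() })
    if ($records.Count -eq 0) {
        return @("no TLSA record published for ${domain}:$port")
    }
    $sslArgs += @('-dane_tlsa_domain', $domain, '-verify', '9', '-verify_return_error', '-dane_ee_no_namechecks')
    # openssl takes one value per -dane_tlsa_rrdata; the original passed the
    # whole array after a single option, so only the first record reached the
    # option and any second record (e.g. during a key rollover) was parsed as
    # a stray argument. Repeat the option for every record instead.
    foreach ($rr in $records) {
        $sslArgs += @('-dane_tlsa_rrdata', "$rr".Trim())
    }
    $sslArgs += @('-connect', "${domain}:$port")
    # "Q" on stdin ends the session once the handshake is done. stderr is
    # merged into the pipeline; PowerShell may wrap those lines as
    # ErrorRecords (always on Windows, version-dependent on Linux), so unwrap
    # them to plain text. For plain strings the mapping is a no-op, which is
    # why the per-OS branches of the original are not needed.
    $output = Write-Output "Q" | openssl @sslArgs 2>&1 | ForEach-Object {
        if ($_ -is [System.Management.Automation.ErrorRecord]) {
            $_.Exception.Message
        } else {
            $_
        }
    }
    return $output -split "`r`n"
}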
#######################################
# Look up the TLSA RRset for one MX host/port.
# Arguments:
#   $port     - TCP port the service listens on
#   $protocol - transport label for the owner name (e.g. 'tcp')
#   $mx       - MX host name
# Returns:
#   the raw `dig +short` lines (one rrdata per line), or nothing when the
#   name has no TLSA records
# NOTE(review): dig does not validate DNSSEC itself; the answer is only as
# trustworthy as the resolver it queries.
#######################################
function digtlsa {
    param (
        [int]$port,
        [string]$protocol,
        [string]$mx
    )
    $owner = '_{0}._{1}.{2}' -f $port, $protocol, $mx
    & dig $owner tlsa +short
}
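# Resolve the MX hosts: dig +short prints "<priority> <host>." per line, so
# strip the priority, whitespace and trailing dot. Drop empty results so a
# failed or empty lookup does not become a "" host.
$mx_records = @($(dig $domain mx +short) -replace "(^\d+|\s|\.$)" | Where-Object { $_ })
# With no MX hosts the original probed nothing and then mailed "Checkup
# Complete"; treat it as a failure instead.
if ($mx_records.Count -eq 0) {
    Write-Host "no MX records found for $domain (lookup failed or none published)"
    exit 1
}
# do work: probe every MX host on every configured port and keep the raw
# openssl output for the report pass
$data = @()
foreach ($mx in $mx_records) {
    foreach ($port in $ports.GetEnumerator()) {
        $rrd = digtlsa $port.Key $port.Value $mx
        $v = verify_tlsa $mx $port.Key $rrd
        $data += @{
            Data     = $v
            Verified = $false       # Initialize Verified property to false; the report pass sets it
            Port     = $port.Key    # the original stored the whole DictionaryEntry, which renders as its type name
            Protocol = $port.Value
            MxRecord = $mx
        }
    }
}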
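# '$error' is PowerShell's automatic error collection; use a private flag
# rather than shadowing it.
$hadError = $false
# Everything that lands in the HTML body comes from DNS answers or from the
# remote server's handshake output, so HTML-encode it before adding markup.
$htmlEncodedOutput = '<!doctype html><html lang="en"><body>'
# Build the test report
foreach ($item in $data) {
    $heading = "Verifying TLSA Record for $($item['MxRecord']) on port $($item['Port'])"
    Write-Host $heading
    $htmlEncodedOutput += "<i>$([System.Net.WebUtility]::HtmlEncode($heading))</i><br><table>"
    # openssl -brief prints exactly "Verification: OK" on success
    if ($item['Data'] -contains "Verification: OK") {
        $item['Verified'] = $true
    } else {
        $hadError = $true
    }
    $colour = if ($item['Verified']) { 'Green' } else { 'Red' }
    foreach ($line in ($item['Data'] -split "`r`n")) {
        # skip empty lines
        if (!$line) {
            continue
        }
        Write-Host $line -ForegroundColor $colour
        $safeLine = [System.Net.WebUtility]::HtmlEncode($line)
        $htmlEncodedOutput += "<tr><td><span style=`"color:$($colour.ToLower())`">$safeLine</span></td></tr>"
    }
    Write-Host ""
    $htmlEncodedOutput += "</table><br>"
}
$htmlEncodedOutput += "</body></html>"
# Send-MailMessage is documented by Microsoft as obsolete and is used here
# against an unauthenticated relay; keep $smtpServer pointed at a trusted host.
$mail = @{
    To         = $to
    From       = $from
    Body       = $htmlEncodedOutput
    BodyAsHtml = $true
    SmtpServer = $smtpServer
}
# The original passed an undefined $smtpPort; only add -Port when it is
# configured so the cmdlet default (25) applies otherwise.
if ($smtpPort) {
    $mail['Port'] = $smtpPort
}
# nag $to if error: four mails, ten minutes apart, same as before
if ($hadError) {
    for ($i = 0; $i -le 3; $i++) {
        Send-MailMessage @mail -Subject "TLSA Record Error!"
        Start-Sleep -Seconds 600
    }
} else {
    Send-MailMessage @mail -Subject "TLSA Record Checkup Complete"
}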