now with dnsec

2026-01-19 13:10:13 +01:00 · 2026-01-19 13:10:13 +01:00 · fb22e9cab4
commit fb22e9cab4
parent b006c8f809
118 changed files with 8306 additions and 2337 deletions
--- a/diagnostic.sh
+++ b/diagnostic.sh
@ -343,6 +343,117 @@ checkAcmeLogs() {
  fi
 }

+checkMailSecurity() {
+  printSection "5. Mail Security (DANE/DNSSEC/MTA-STS)"
+
+  if [ -z "$mailcowHostname" ]; then
+    warnStatus "MAILCOW_HOSTNAME not found, skipping mail security checks"
+    return 1
+  fi
+
+  local domainPart
+  domainPart=$(echo "$mailcowHostname" | cut -d. -f2-)
+
+  # Check DNSSEC.
+  echo -e "${yellow}DNSSEC Status:${noColor}"
+  local dsRecords
+  local dnskeyRecords
+  dsRecords=$(dig +short DS "$domainPart" 2>/dev/null | wc -l)
+  dnskeyRecords=$(dig +short DNSKEY "$domainPart" 2>/dev/null | wc -l)
+  if [ "$dsRecords" -gt 0 ] && [ "$dnskeyRecords" -gt 0 ]; then
+    checkStatus "OK" "DNSSEC enabled (${dsRecords} DS, ${dnskeyRecords} DNSKEY records)"
+  else
+    warnStatus "DNSSEC not fully active (DS: ${dsRecords}, DNSKEY: ${dnskeyRecords})"
+  fi
+
+  # Check TLSA/DANE records.
+  echo -e "${yellow}TLSA/DANE Records:${noColor}"
+  local tlsa25
+  local tlsa465
+  local tlsa587
+  tlsa25=$(dig +short TLSA "_25._tcp.${mailcowHostname}" 2>/dev/null | wc -l)
+  tlsa465=$(dig +short TLSA "_465._tcp.${mailcowHostname}" 2>/dev/null | wc -l)
+  tlsa587=$(dig +short TLSA "_587._tcp.${mailcowHostname}" 2>/dev/null | wc -l)
+
+  if [ "$tlsa25" -gt 0 ]; then
+    checkStatus "OK" "TLSA record for port 25 (SMTP)"
+  else
+    warnStatus "TLSA record missing for port 25"
+  fi
+
+  if [ "$tlsa465" -gt 0 ]; then
+    checkStatus "OK" "TLSA record for port 465 (SMTPS)"
+  else
+    warnStatus "TLSA record missing for port 465"
+  fi
+
+  if [ "$tlsa587" -gt 0 ]; then
+    checkStatus "OK" "TLSA record for port 587 (Submission)"
+  else
+    warnStatus "TLSA record missing for port 587"
+  fi
+
+  # Check MTA-STS.
+  echo -e "${yellow}MTA-STS:${noColor}"
+  local mtaStsDns
+  local mtaStsPolicy
+  mtaStsDns=$(dig +short TXT "_mta-sts.${domainPart}" 2>/dev/null | grep -q "STSv1" && echo "OK" || echo "FAIL")
+  mtaStsPolicy=$(curl -sk "https://mta-sts.${domainPart}/.well-known/mta-sts.txt" 2>/dev/null | grep -q "version: STSv1" && echo "OK" || echo "FAIL")
+  checkStatus "$mtaStsDns" "MTA-STS DNS record"
+  checkStatus "$mtaStsPolicy" "MTA-STS policy file accessible"
+
+  # Check TLS-RPT.
+  echo -e "${yellow}TLS-RPT:${noColor}"
+  local tlsRpt
+  tlsRpt=$(dig +short TXT "_smtp._tls.${domainPart}" 2>/dev/null | grep -q "TLSRPTv1" && echo "OK" || echo "FAIL")
+  checkStatus "$tlsRpt" "TLS-RPT DNS record"
+
+  # Check DKIM.
+  echo -e "${yellow}DKIM:${noColor}"
+  local dkimRecord
+  dkimRecord=$(dig +short TXT "default._domainkey.${domainPart}" 2>/dev/null | grep -q "DKIM1" && echo "OK" || echo "FAIL")
+  checkStatus "$dkimRecord" "DKIM DNS record"
+
+  # Check SPF.
+  echo -e "${yellow}SPF:${noColor}"
+  local spfRecord
+  spfRecord=$(dig +short TXT "$domainPart" 2>/dev/null | grep -q "spf1" && echo "OK" || echo "FAIL")
+  checkStatus "$spfRecord" "SPF DNS record"
+
+  # Check DMARC.
+  echo -e "${yellow}DMARC:${noColor}"
+  local dmarcRecord
+  dmarcRecord=$(dig +short TXT "_dmarc.${domainPart}" 2>/dev/null | grep -q "DMARC1" && echo "OK" || echo "FAIL")
+  checkStatus "$dmarcRecord" "DMARC DNS record"
+
+  # Check reverse DNS (PTR).
+  echo -e "${yellow}Reverse DNS (PTR):${noColor}"
+  local ipv4Addr
+  local ipv6Addr
+  ipv4Addr=$(dig +short A "$mailcowHostname" 2>/dev/null | head -1)
+  ipv6Addr=$(dig +short AAAA "$mailcowHostname" 2>/dev/null | head -1)
+
+  if [ -n "$ipv4Addr" ]; then
+    local ptr4
+    ptr4=$(dig +short -x "$ipv4Addr" 2>/dev/null)
+    if echo "$ptr4" | grep -q "$mailcowHostname"; then
+      checkStatus "OK" "IPv4 PTR record points to ${mailcowHostname}"
+    else
+      warnStatus "IPv4 PTR record: ${ptr4:-not found}"
+    fi
+  fi
+
+  if [ -n "$ipv6Addr" ]; then
+    local ptr6
+    ptr6=$(dig +short -x "$ipv6Addr" 2>/dev/null)
+    if echo "$ptr6" | grep -q "$mailcowHostname"; then
+      checkStatus "OK" "IPv6 PTR record points to ${mailcowHostname}"
+    else
+      warnStatus "IPv6 PTR record: ${ptr6:-not found}"
+    fi
+  fi
+}
+
 printSummary() {
  printSection "Summary"
  echo -e "${green}✓${noColor} Services: Most services are running"
@ -400,4 +511,5 @@ checkMailcowServices
 checkSslAndCerts
 checkMailcowConfig
 checkAcmeLogs
+checkMailSecurity
 printSummary