Initial commit

Author: foxcpp

.gitignore

@@ -0,0 +1 @@
+mailsec-check

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright © 2019 Max Mazurov <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,54 @@
+mailsec-check
+===============
+
+Another utility to analyze state of deployment of security-related email
+protocols.
+
+Compilation
+--------------
+
+Needs [Go](https://golang.org) toolchain.
+
+```
+go get github.com/foxcpp/mailsec-check
+```
+
+Usage
+-------
+
+```
+mailsec-check example.org
+```
+
+Example
+---------
+
+```
+$ mailsec-check protonmail.com
+-- Source forgery protection
+[+] DKIM:    _domainkey subdomain present; DNSSEC-signed; 
+[+] SPF:     present; strict; DNSSEC-signed; 
+[+] DMARC:   present; strict; DNSSEC-signed; 
+
+-- TLS enforcement
+[+] MTA-STS: enforced; all MXs match policy; 
+[+] DANE:    present for all MXs; DNSSEC-signed; no validity check done; 
+
+-- DNS consistency
+[+] FCrDNS:     all MXs have forward-confirmed rDNS
+[+] DNSSEC:     A/AAAA and MX records are signed;
+
+$ mailsec-check disroot.org
+-- Source forgery protection
+[+] DKIM:   _domainkey subdomain present; DNSSEC-signed; 
+[+] SPF:    present; strict; DNSSEC-signed; 
+[ ] DMARC:  present; no-op; DNSSEC-signed; 
+
+-- TLS enforcement
+[ ] MTA-STS: not enforced; all MXs match policy; 
+[+] DANE:    present for all MXs; DNSSEC-signed; no validity check done; 
+
+-- DNS consistency
+[ ] FCrDNS:     no MXs with forward-confirmed rDNS
+[+] DNSSEC:     A/AAAA and MX records are signed;
+```

checks.go

@@ -0,0 +1,161 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"strings"
+	"sync"
+
+	"github.com/emersion/go-msgauth/dmarc"
+	"github.com/foxcpp/mailsec-check/dns"
+)
+
+var extR *dns.ExtResolver
+
+type Level int
+
+const (
+	LevelUnknown Level = iota
+	LevelInvalid
+	LevelMissing
+	LevelInsecure
+	LevelSecure
+)
+
+type Results struct {
+	dkim     Level
+	dkimDesc string
+
+	spf     Level
+	spfDesc string
+
+	dmarc     Level
+	dmarcDesc string
+
+	mtasts     Level
+	mtastsDesc string
+
+	dane     Level
+	daneDesc string
+
+	dnssecMX     Level
+	dnssecMXDesc string
+
+	fcrdns     Level
+	fcrdnsDesc string
+}
+
+func evaluateAll(domain string) (Results, error) {
+	res := Results{}
+
+	wg := sync.WaitGroup{}
+
+	wg.Add(7)
+	go func() { evaluateDKIM(domain, &res); wg.Done() }()
+	go func() { evaluateSPF(domain, &res); wg.Done() }()
+	go func() { evaluateDMARC(domain, &res); wg.Done() }()
+	go func() { evaluateMTASTS(domain, &res); wg.Done() }()
+	go func() { evaluateDANE(domain, &res); wg.Done() }()
+	go func() { evaluateDNSSEC(domain, &res); wg.Done() }()
+	go func() { evaluateFCRDNS(domain, &res); wg.Done() }()
+
+	wg.Wait()
+
+	return res, nil
+}
+
+func evaluateDNSSEC(domain string, res *Results) error {
+	ad, addrs, err := extR.AuthLookupHost(context.Background(), domain)
+	if err != nil {
+		return err
+	}
+	if len(addrs) == 0 {
+		return errors.New("domain does not resolve to an IP addr")
+	}
+	if !ad {
+		res.dnssecMX = LevelInsecure
+		res.dnssecMXDesc = "A/AAAA records are not signed;"
+		return nil
+	}
+
+	ad, mxs, err := extR.AuthLookupMX(context.Background(), domain)
+	if err != nil {
+		return err
+	}
+	if len(mxs) == 0 {
+		return errors.New("domain does not have any MX records")
+	}
+	if !ad {
+		res.dnssecMX = LevelInsecure
+		res.dnssecMXDesc = "MX records are not signed;"
+		return nil
+	}
+
+	res.dnssecMX = LevelSecure
+	res.dnssecMXDesc = "A/AAAA and MX records are signed;"
+	return nil
+}
+
+func evaluateDKIM(domain string, res *Results) error {
+	ad, _, err := extR.AuthLookupTXT(context.Background(), "_domainkey."+domain)
+	if err != nil {
+		// Probably NXDOMAIN.
+		// TODO: check for NXDOMAIN.
+		res.dkim = LevelMissing
+		res.dkimDesc = "no _domainkey subdomain"
+		return nil
+	}
+
+	res.dkim = LevelSecure
+	res.dkimDesc += "_domainkey subdomain present; "
+
+	if !ad {
+		res.dkim = LevelInsecure
+		res.dkimDesc += "no DNSSEC; "
+	} else {
+		res.dkimDesc += "DNSSEC-signed; "
+	}
+
+	return nil
+}
+
+func evaluateDMARC(domain string, res *Results) error {
+	res.dmarc = LevelSecure
+
+	ad, txts, err := extR.AuthLookupTXT(context.Background(), "_dmarc."+domain)
+	if err != nil {
+		// Probably NXDOMAIN.
+		// TODO: check for NXDOMAIN.
+		res.dmarc = LevelMissing
+		res.dmarcDesc = "no policy;"
+		return nil
+	}
+
+	txt := strings.Join(txts, "")
+	rec, err := dmarc.Parse(txt)
+	if err != nil {
+		res.dmarc = LevelInvalid
+		res.dmarcDesc = "policy parse error: " + err.Error()
+		return nil
+	}
+
+	res.dmarcDesc += "present; "
+
+	if rec.Policy == dmarc.PolicyNone {
+		res.dmarc = LevelMissing
+		res.dmarcDesc += "no-op; "
+	} else if rec.Percent != nil && *rec.Percent != 100 {
+		res.dmarc = LevelMissing
+		res.dmarcDesc += "applied partially; "
+	} else {
+		res.dmarcDesc += "strict; "
+	}
+	if !ad {
+		res.dmarc = LevelInsecure
+		res.dmarcDesc += "no DNSSEC; "
+	} else {
+		res.dmarcDesc += "DNSSEC-signed; "
+	}
+
+	return nil
+}

dane.go

@@ -0,0 +1,130 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/emersion/go-smtp"
+	"github.com/miekg/dns"
+)
+
+func evaluateDANE(domain string, res *Results) error {
+	res.dane = LevelSecure
+
+	_, mxs, err := extR.AuthLookupMX(context.Background(), domain)
+	if err != nil {
+		return err
+	}
+	if len(mxs) == 0 {
+		return errors.New("domain does not have any MX records")
+	}
+
+	levelDown := func(to Level) {
+		if res.dane > to {
+			res.dane = to
+		}
+	}
+
+	allAD := true
+	allValid := true
+	allPresent := true
+	for _, mx := range mxs {
+		ad, recs, err := extR.AuthLookupTLSA(context.Background(), "_25._tcp."+mx.Host)
+		if err != nil {
+			allPresent = false
+			levelDown(LevelMissing)
+			res.daneDesc += fmt.Sprintf("no record for %s; ", mx.Host)
+			continue
+		}
+		if !ad {
+			allAD = false
+		}
+		if len(recs) == 0 {
+			allPresent = false
+			levelDown(LevelMissing)
+			res.daneDesc += fmt.Sprintf("no record for %s; ", mx.Host)
+			continue
+		}
+
+		if !(*active) {
+			continue
+		}
+
+		for _, mx := range mxs {
+			if ok := checkTLSA(mx.Host, recs, res); !ok {
+				allValid = false
+			}
+		}
+	}
+
+	if allPresent {
+		res.daneDesc += "present for all MXs; "
+	}
+
+	if !allAD {
+		levelDown(LevelInvalid)
+		res.daneDesc += "no DNSSEC; "
+	} else {
+		res.daneDesc += "DNSSEC-signed; "
+	}
+
+	if !(*active) {
+		res.daneDesc += "no validity check done; "
+		return nil
+	}
+
+	if allValid {
+		res.daneDesc += "valid for all MXs; "
+	}
+
+	return nil
+}
+
+func checkTLSA(mx string, recs []dns.TLSA, res *Results) bool {
+	levelDown := func(to Level) {
+		if res.dane > to {
+			res.dane = to
+		}
+	}
+
+	cl, err := smtp.Dial(mx + ":25")
+	if err != nil {
+		levelDown(LevelUnknown)
+		res.daneDesc += fmt.Sprintf("can't connect to %s: %v; ", mx, err)
+		return false
+	}
+	defer cl.Close()
+
+	if ok, _ := cl.Extension("STARTTLS"); !ok {
+		levelDown(LevelInvalid)
+		res.daneDesc += fmt.Sprintf("%s doesn't support STARTTLS; ", mx)
+		return false
+	}
+
+	if err := cl.StartTLS(nil); err != nil {
+		levelDown(LevelInvalid)
+		res.daneDesc += err.Error()
+		return false
+	}
+
+	state, ok := cl.TLSConnectionState()
+	if !ok {
+		panic("No TLS state returned after STARTTLS")
+	}
+
+	cert := state.PeerCertificates[0]
+	match := false
+	for _, rec := range recs {
+		if rec.Verify(cert) == nil {
+			match = true
+		}
+	}
+
+	if !match {
+		levelDown(LevelInvalid)
+		res.daneDesc += fmt.Sprintf("%v uses wrong cert; ", mx)
+	}
+
+	return true
+}