
dnstlsarr.1

Manvendra Bhangui edited this page Feb 25, 2024 · 5 revisions

NAME

dnstlsarr - DANE/TLSA RR Tester. Display TLSA RR record for a host

SYNOPSIS

dnstlsarr [-v level] [-p port] [-c timeoutconn] [-t timeoutdata] [-m] [-s] host

DESCRIPTION

dnstlsarr fetches and displays the TLSA RR records for host. With the -s option, it can also perform DANE verification and display the result.

OPTIONS

-v level

0 - Normal
1 - Display DANE Verification Result
2 - Everything including SMTP conversation

-m
Do an MX query for host and then query the MX hosts for TLSA Resource Records.

-s
Issue the STARTTLS command and attempt DANE verification.

-c timeoutconn
Number of seconds dnstlsarr will wait for the remote SMTP server to accept a connection. Default: 60. The kernel normally imposes a 75-second upper limit.

-t timeoutdata
Number of seconds dnstlsarr will wait for each response from the remote SMTP server. Default: 300.

EXAMPLE USAGE

Example 1
$ dnstlsarr postino.cesnet.cz
terenasslca3ta.cesnet.cz ttl=3282 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=3282 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8

Example 2 
$ dnstlsarr -v 2 -s mail.ietf.org
checking mail.ietf.org
TLSARR[0]:_25._tcp.mail.ietf.org IN TLSA ( 3 1 1 0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6 )
220 ietfa.amsl.com ESMTP
Client: EHLO argos
250-ietfa.amsl.com
250-PIPELINING
250-SIZE 67108864
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
Client: STARTTLS
220 2.0.0 Ready to start TLS
matched sha256 fingerprint [0c72ac70b745ac19998811b131d662c9ac69dbdbe7cb23e5b514b56664c5d3d6] of subjectPublicKeyInfo
Client: QUIT
221 2.0.0 Bye

Example 3 - querying the MX record to get the TLSA RR
$ dnstlsarr -v 2 -s postino.cesnet.cz
checking postino.cesnet.cz
TLSARR[0]:terenasslca3ta.cesnet.cz IN TLSA ( 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25 )
TLSARR[1]:terenasslca3ta.cesnet.cz IN TLSA ( 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8 )
220 postino.cesnet.cz ESMTP
Client: EHLO argos
250-postino.cesnet.cz
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Client: STARTTLS
220 2.0.0 Ready to start TLS
failed  sha256 fingerprint [be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25] of full certificate
matched sha256 fingerprint [beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8] of full certificate
Client: QUIT
221 2.0.0 Bye
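As an added example, not code from dnstlsarr or indimail-mta, the matching step behind the "matched sha256 fingerprint [...] of subjectPublicKeyInfo" (3 1 1) line in Example 2 and the "failed ... / matched ... of full certificate" (2 0 1) lines in Example 3: the TLSA selector picks the full certificate or its subjectPublicKeyInfo, the matching type hashes it, and the usage decides which presented certificate may match. The certificate is a constructed DER skeleton built inline so the block runs offline; dane_match, tlsa_digest, spki_of and sample_cert are this example's own names.

```python
import hashlib

def der(tag, body):
    """Minimal DER TLV encoder; every body built here is shorter than 256 bytes."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def der_children(buf):
    """Split the contents of a DER SEQUENCE into (tag, body, whole_element) tuples."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, j = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            k = ln & 0x7F
            ln, j = int.from_bytes(buf[j:j + k], "big"), j + k
        out.append((tag, buf[j:j + ln], buf[i:j + ln]))
        i = j + ln
    return out

def spki_of(cert_der):
    """Return the DER subjectPublicKeyInfo element of an X.509 certificate."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]   # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]   # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_digest(selector, mtype, cert_der):
    """RFC 6698 association data: selector 0=Cert, 1=SPKI; mtype 0=Full, 1=SHA-256, 2=SHA-512."""
    subject = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return subject
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()

def dane_match(rr, chain):
    """rr is 'usage selector mtype hex' as printed by dnstlsarr; chain[0] is the end-entity cert.
    Usage 3 (DANE-EE) matches only chain[0]; usage 2 (DANE-TA) matches any presented cert.
    Usages 0/1 also need PKIX path validation, which this demo does not perform."""
    usage, selector, mtype = (int(x) for x in rr.split()[:3])
    candidates = chain[:1] if usage == 3 else chain if usage == 2 else []
    want = bytes.fromhex(rr.split()[3])
    return any(tlsa_digest(selector, mtype, c) == want for c in candidates)

def sample_cert(pubkey_byte=0x11):
    """Constructed, unsigned X.509 DER skeleton for the demo (not a real certificate)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))   # ecdsa-with-SHA256 OID
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))  # id-ecPublicKey OID
               + der(0x03, b"\x00\x04" + bytes([pubkey_byte]) * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") * 3 + spki)                                # empty issuer, validity, subject
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x22" * 64))      # dummy signature BIT STRING
```

With two TLSA records published, as in Example 3, the verification succeeds when any one of them matches, which is why one "failed" line followed by a "matched" line still counts as a pass.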

Example 4 - getting TLSA RR by giving the domain name
$ dnstlsarr -m cesnet.cz
MX postino.cesnet.cz IPv6 2001:718:1:101::144:24210
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX postino.cesnet.cz IPv4 195.113.144.24210
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX cartero.cesnet.cz IPv6 2001:718:ff05:202::1650
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX cartero.cesnet.cz IPv4 78.128.216.1650
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8
MX mail.cesnet.cz IPv4 195.113.144.234100
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 be6a0d9e1d115f2293f6abf11b3ec8e882e24426eeeb09aaa503597993e77a25
terenasslca3ta.cesnet.cz ttl=2974 2 0 1 beb8efe9b1a73c841b375a90e5fff8048848e3a2af66f6c4dd7b938d6fe8c5d8

dnstlsarr by default looks at /etc/indimail/control for all control files. This path can be changed by defining the CONTROLDIR environment variable.

helohost
Current host name, for use solely in saying hello to the remote SMTP server. Default: me, if that is supplied;

tlsclientmethod
The TLS protocol list. Accepted values are SSLv23, SSLv3, TLSv1, TLSv1_1, TLSv1_2, TLSv1_3. The default is TLSv1_2 for OpenSSL Version < 1.0.1. Without this control file OpenSSL Version >= 1.0.1 uses TLS_client_method(3ossl) where the actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. The default location of /etc/indimail/control can be overridden by environment variable CONTROLDIR.

tlsclientciphers
A set of OpenSSL client cipher strings. Multiple ciphers contained in a string should be separated by a colon. The default location of /etc/indimail/control can be overridden by environment variable CONTROLDIR.

notlhosts
Domains for which qmail-remote will not initiate a TLS session. This file lives in /etc/indimail/control (or the directory defined by the CONTROLDIR environment variable) and should not be confused with the /etc/indimail/certs/notlshosts directory (or the same directory under the directory defined by the CERTDIR environment variable).

For TLS sessions, the default location of /etc/indimail/certs can be overridden by environment variable CERTDIR. This affects the location of the following files and directories: clientcert.pem, servercert.pem, tlshosts/<FQDN>.pem, tlshosts/exhaustivelist, notlshosts/<FQDN>, notlshosts/host.

clientcert.pem
SSL certificate that is used to authenticate with the remote server during a TLS session. If clientcert.pem does not exist, qmail-remote will not negotiate TLS. The default location of /etc/indimail/certs can be overridden by environment variable CERTDIR. clientcert.pem can be overridden by environment variable CLIENTCERT.

tlshosts/<FQDN>.pem
qmail-remote requires TLS authentication from servers for which this file exists (<FQDN> is the fully-qualified domain name of the remote SMTP server). One of the dNSName or the CommonName attributes has to match. The file contains the trusted CA certificates. The default location of /etc/indimail/certs can be overridden by environment variable CERTDIR.

tlshosts/exhaustivelist
If this file exists, no TLS will be tried on hosts other than those for which a file tlshosts/<FQDN>.pem exists. The default location of /etc/indimail/certs can be overridden by environment variable CERTDIR.

WARNING: this option may cause mail to be delayed, bounced, doublebounced, or lost.

notlshosts/<FQDN>
dnstlsarr will not try TLS on servers for which this file exists (<FQDN> is the fully-qualified domain name of the remote SMTP server). (tlshosts/<FQDN>.pem takes precedence over this file however). The default location of /etc/indimail/certs can be overridden by environment variable CERTDIR.

notlshosts/host
dnstlsarr will not try TLS on servers for which this file exists (host is the domain name of the recipient). (tlshosts/<FQDN>.pem takes precedence over this file however). The default location of /etc/indimail/certs can be overridden by environment variable CERTDIR.

tlsadomains
File listing the MX hosts for which TLSA records need to be verified. If this control file is present, TLSA verification will be skipped for all domains not in this file. If a file with the name tlsadomains.cdb exists, dnstlsarr will use a cdb(3) lookup in addition to the normal in-memory search in a table of domains with TLSA verification enforced.

RETURN VALUE

0 on success; 1 on failure to get TLSA Resource Records or on DANE verification failure (-s option).

SEE ALSO

qdane(8), qmail-daned(8), tlsacheck(3), qmail-remote(8)
