vdns-stack/bin/vdns-audit-dmarc.sh

#!/bin/bash
#
# vdns-stack
# https://git.stack-source.com/msb/vdns-stack
# Copyright (c) 2024 Matthew Saunders Brown <matthewsaundersbrown@gmail.com>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
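# Load the shared include. Everything below relies on it: vdns:getoptions,
# $thisfilename, $zone and $zone_default_ns are not defined in this file, so
# they are presumably provided by vdns.sh. Abort if it cannot be read instead of
# carrying on with empty variables (which would send every dig query to "@").
# The path is quoted so a directory containing spaces or glob characters works.
if ! source "$(dirname "$0")/vdns.sh"; then
  printf '%s\n' "ERROR: unable to load $(dirname "$0")/vdns.sh" >&2
  exit 1
fi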
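# Print the usage text to stdout.
# $thisfilename is expected to come from the sourced include (not set here);
# a here-document keeps the expansion from being word-split or globbed, which
# the original unquoted echo allowed.
help()
{
  cat <<EOF
Audit Vmail domains for DMARC records.

usage: $thisfilename [-d <domain>] [-h]

 -h Print this help.
 -d <domain> Optional, domain to audit.
 If domain not specified all Vmail domains on this server will be audited.
EOF
}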
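vdns:getoptions "$@"

# $zone_default_ns is the authoritative server every DMARC lookup below is sent
# to; it is not defined in this file (expected from the include). Fail fast if it
# is empty, otherwise dig would be handed a bare "@" and every domain would be
# reported as an error.
if [[ -z $zone_default_ns ]]; then
  printf '%s\n' "ERROR: zone_default_ns is not set, check vdns.sh" >&2
  exit 1
fi

# Build the list of domains to audit. With -d <domain> (stored in $zone by the
# option parser) only that domain is listed, otherwise every Vmail domain on this
# server. Only the first comma-separated field of vmail-domains-get.sh output is
# used; blank lines are dropped so they never become an empty "domain".
if [[ -n $zone ]]; then
  mapfile -t vmaildomains < <(/usr/local/bin/vmail-domains-get.sh -d "$zone" -c -t | cut -d , -f 1 | sed '/^[[:space:]]*$/d')
else
  mapfile -t vmaildomains < <(/usr/local/bin/vmail-domains-get.sh -c -t | cut -d , -f 1 | sed '/^[[:space:]]*$/d')
fi

if (( ${#vmaildomains[@]} == 0 )); then
  if [[ -n $zone ]]; then
    printf '%s\n' "Vmail domain $zone not found."
  else
    printf '%s\n' "No Vmail domains found."
  fi
  exit 0
fi

# Nameserver name we consider "ours": lower-cased and without a trailing dot so
# it can be compared against dig output ("ns1.example.com.") regardless of case.
want_ns=${zone_default_ns%.}
want_ns=${want_ns,,}

for domain in "${vmaildomains[@]}"; do
  # Resolve the domain's NS set via the system resolver. dig exits non-zero when
  # no server could be reached and writes ";;"-prefixed diagnostics to stdout,
  # so a failed lookup must be told apart from a genuinely empty NS set
  # (unregistered, or registered without NS records).
  ns_raw=$(/usr/bin/dig "$domain" ns +short)
  ns_rc=$?
  if (( ns_rc != 0 )); then
    printf '%s\n' "ERROR: nameserver lookup failed for $domain (dig exit $ns_rc)"
    continue
  fi
  nameservers=()
  while IFS= read -r ns; do
    # skip blank lines and any ";;" diagnostic lines dig may still emit
    [[ -n $ns && $ns != \;* ]] && nameservers+=("$ns")
  done <<<"$ns_raw"

  if (( ${#nameservers[@]} == 0 )); then
    printf '%s\n' "ERROR: no nameservers found for $domain"
    continue
  fi

  # Only domains delegated to our nameserver are audited: those are the only
  # ones the vdns-rr-rep.sh command suggested below could actually change.
  usesours=FALSE
  for ns in "${nameservers[@]}"; do
    ns=${ns%.}
    if [[ ${ns,,} == "$want_ns" ]]; then
      usesours=TRUE
      break
    fi
  done
  if [[ $usesours != TRUE ]]; then
    printf '%s\n' "NOTICE: $domain does not use our nameservers, not checking DMARC"
    continue
  fi

  # Query our authoritative server directly (@$zone_default_ns) rather than a
  # recursor, so cached or stale answers cannot hide a missing or freshly added
  # record. The answer is fetched once and reused for both checks below.
  dmarc_txt=$(/usr/bin/dig "_dmarc.$domain" txt +short "@$zone_default_ns")
  dmarc_rc=$?
  if (( dmarc_rc != 0 )); then
    printf '%s\n' "ERROR: DMARC lookup failed for $domain (dig exit $dmarc_rc)"
    continue
  fi

  # Count TXT records that are DMARC records. RFC 7489 section 6.3 requires the
  # version tag to be the first tag, so the match is anchored to the start of
  # the record (dig +short prints each TXT record as a quoted string, hence the
  # leading "); matching v=DMARC1 anywhere would also count unrelated TXT data.
  # The RFC ABNF spells DMARC1 in upper case; -i keeps the check lenient, so a
  # lower-case hit reported as SUCCESS may still deserve a manual look.
  dmarcrecord=$(grep -ci '^"[[:space:]]*v[[:space:]]*=[[:space:]]*DMARC1' <<<"$dmarc_txt")

  if (( dmarcrecord == 0 )); then
    if [[ -n $dmarc_txt ]]; then
      # Something already lives at _dmarc.<domain> (other TXT data, or a CNAME
      # target printed by +short): do not suggest an automated replace that
      # could clobber it; leave it to a human.
      printf '%s\n' "WARNING: _dmarc.$domain has existing TXT records. Manually add \"v=DMARC1; p=none;\" to DNS."
    else
      zone_exists=$(/usr/local/bin/vdns-zone-ext.sh -z "$domain")
      if [[ $zone_exists == "true" ]]; then
        # Audit only: the fix command is printed, not executed.
        # NOTE(review): p=none is monitor-only (no enforcement) and the record
        # carries no rua= tag, so no aggregate reports are received either;
        # move to p=quarantine/p=reject once SPF/DKIM alignment is confirmed.
        printf '%s\n' "vdns-rr-rep.sh -z $domain -n _dmarc.$domain -t TXT -r \"v=DMARC1; p=none;\""
      else
        printf '%s\n' "NOTICE: $domain uses our nameservers, but is not tied to this server. Manually add TXT record \"v=DMARC1; p=none;\" for _dmarc.$domain to DNS."
      fi
    fi
  elif (( dmarcrecord == 1 )); then
    printf '%s\n' "SUCCESS: $domain has existing DMARC record"
  else
    # More than one DMARC record: per RFC 7489 section 6.6.3 receivers discard
    # the whole set when multiple records remain, so this is a misconfiguration
    # that effectively disables DMARC, not a success.
    printf '%s\n' "ERROR: unexpected DMARC lookup count for $domain = $dmarcrecord"
  fi
done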