DANE Monitoring with posttls-finger in XYMON

Abstract

Monitoring DANE-enabled mail servers is important: a stale TLSA record after a certificate change makes every DANE-verifying sender defer your mail, and nothing on your own side will tell you. Testing with posttls-finger and unbound in XYMON is easy. I wrote a little script that does all the magic.

Here is a small, experimental XYMON client script that checks whether the MX hosts of a list of mail domains validate via DANE.

The script requires Viktor Dukhovni's tool posttls-finger to test DANE-enabled servers. posttls-finger ships with Postfix 2.11.x, but it might not be bundled with your distribution, since it has been marked experimental. In addition, you need a DNSSEC-capable and DNSSEC-validating resolver, such as unbound, and it has to be the resolver listed in /etc/resolv.conf on the monitoring host: posttls-finger, like Postfix itself, only trusts the AD (Authenticated Data) bit from there, so it should listen on the loopback address. Without a validating resolver, posttls-finger never finds "secure" TLSA records and quietly falls back to plain opportunistic TLS. If you run Ubuntu Trusty, all of this software should be available as packages.

Add the following code as /usr/lib/xymon/client/ext/danecheck, i.e. on your XYMON server (the check runs there, so that host is the one that needs posttls-finger and the validating resolver):

#!/bin/bash
# XYMON client test: for each listed mail domain, ask posttls-finger to
# connect to the MX hosts at the DANE security level and report whether
# the TLS session was DANE-verified.
COLUMN=danecheck
COLOR=green
MSG="danecheck status"
MSG2=""
# Mail domains to check, one per line; lines starting with # are skipped.
# Only list domains you are responsible for.
MSERV=$(grep -v '^#' <<'EOF'
sys4.de
bund.de
EOF
)
for i in $MSERV
do
        # -a ipv4: IPv4 only; -c: disconnect right after the TLS handshake;
        # -l dane: DANE security level; -L summary: one summary line per connection.
        # stderr is captured too, so a missing binary or a DNS error shows up in XYMON.
        RESULT=$(posttls-finger -a ipv4 -c -l dane -L summary "$i" 2>&1)
        if ! echo "$RESULT" | grep -q "Verified TLS connection established"
        then
                # "Trusted", "Untrusted", "Anonymous" or no connection at all:
                # TLS may have worked, but it was not DANE-verified.
                COLOR=yellow
                MSG2="${MSG2}
&yellow $i
$RESULT
"
        else
                MSG2="${MSG2}
&green $i
$RESULT
"
        fi
done
# Send the results to the XYMON server ($BB/$BBDISP are the legacy names of
# $XYMON/$XYMSRV; xymonclient.cfg provides both).
${XYMON:-$BB} ${XYMSRV:-$BBDISP} "status $MACHINE.$COLUMN $COLOR $(date)
${MSG}
${MSG2}
"
exit 0
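The script above keys everything on one string in the posttls-finger summary line. The following helper functions, an added example and not part of the original post or of Postfix, show what the other outcomes look like and how to pre-check that the resolver actually validates: classify_tls_summary maps posttls-finger's "<Verified|Trusted|Untrusted|Anonymous> TLS connection established to ..." summary line to a state, xymon_color maps that state to a column color (finer-grained than the script, which uses yellow for every non-verified case), and resolver_validates looks for the AD flag in a dig answer, which is the quickest way to confirm that unbound validates DNSSEC for the host posttls-finger runs on. The sample outputs, host names and addresses are constructed for this example; the same classification also works with -l dane-only, which refuses to connect when no usable TLSA records exist instead of falling back to opportunistic TLS.

```bash
#!/bin/bash
# Added example (not from the original post): helpers around the two checks
# the danecheck script depends on.

classify_tls_summary() {
    # $1: complete posttls-finger output (possibly several lines).
    # The "<State> TLS connection established" summary line is what
    # posttls-finger -L summary prints; the states have fixed spelling.
    case "$1" in
        *"Verified TLS connection established"*)  echo verified ;;  # cert matched the TLSA records (DANE)
        *"Trusted TLS connection established"*)   echo trusted ;;   # CA-verified only, no DANE
        *"Untrusted TLS connection established"*) echo untrusted ;; # cert matched neither TLSA nor CA
        *"Anonymous TLS connection established"*) echo anonymous ;; # TLS without any certificate check
        *)                                         echo failed ;;   # no TLS session at all
    esac
}

xymon_color() {
    # $1: state from classify_tls_summary. Only a DANE-verified session is
    # green; TLS without DANE is yellow; no connection at all is red.
    case "$1" in
        verified) echo green ;;
        failed)   echo red ;;
        *)        echo yellow ;;
    esac
}

resolver_validates() {
    # $1: output of "dig +dnssec <name> SOA" sent to the resolver under test.
    # Succeeds (0) when the header flags contain "ad", i.e. the resolver
    # validated the answer; fails (1) otherwise.
    echo "$1" | grep -q '^;; flags:[^;]* ad[ ;]'
}

# Constructed sample outputs, used only to exercise the functions above.
SAMPLE_VERIFIED='posttls-finger: Connected to mail.example.org[192.0.2.25]:25
posttls-finger: Verified TLS connection established to mail.example.org[192.0.2.25]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)'
SAMPLE_UNTRUSTED='posttls-finger: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)'
SAMPLE_FAILED='posttls-finger: connect to mx.example.com[203.0.113.9]:25: Connection timed out'
SAMPLE_DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Walk the samples so the script shows something when run by hand.
for s in "$SAMPLE_VERIFIED" "$SAMPLE_UNTRUSTED" "$SAMPLE_FAILED"; do
    state=$(classify_tls_summary "$s")
    printf '%-10s -> &%s\n' "$state" "$(xymon_color "$state")"
done
resolver_validates "$SAMPLE_DIG_AD"   && echo "sample 1: resolver validated (AD set)"
resolver_validates "$SAMPLE_DIG_NOAD" || echo "sample 2: resolver did not validate (no AD)"

# Live use (needs network, so not run here):
#   state=$(classify_tls_summary "$(posttls-finger -c -l dane -L summary example.org 2>&1)")
#   resolver_validates "$(dig +dnssec example.org SOA)" || echo "resolver is not validating"
```

If resolver_validates fails against the resolver in /etc/resolv.conf, fix that first: every domain will otherwise come back untrusted or anonymous, and the danecheck column turns yellow for the wrong reason.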

Next, activate the script with /etc/xymon/tasks.d/danecheck.cfg:

[danecheck]
       ENVFILE /etc/xymon/xymonclient.cfg
       CMD $XYMONCLIENTHOME/ext/danecheck
       LOGFILE /var/log/xymon/danecheck.log
       INTERVAL 5m

Finally, restart the XYMON server and watch /var/log/xymon/danecheck.log on it; a danecheck column for the server should appear within the 5-minute interval.

Note

I wrote this script in a few minutes. It didn't undergo long and thorough testing (yet). Though I don't believe it will cause problems, you probably want to keep an eye on it at the beginning. ;) You should only monitor your own mail domains, because connecting to someone else's MX hosts every five minutes might get you blacklisted.

Robert Schetterer, 28. October 2014