add TLS-RPT basic checks

3 years ago · 4aba30319f
2 changed files with 46 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -35,6 +35,8 @@ arguments:
 * MTA-STS DNS record presence
 * MTA-STS DNS record version
 * MTA-STS HTTPS policy presence
+* TLS-RPT DNS record presence
+* TLS-RPT version

 Checks for specific mail providers:

--- a/mailsecchk.sh
+++ b/mailsecchk.sh
@ -530,6 +530,39 @@ mta_sts_policy()
 	fi
 }

+get_tls_rpt()
+{
+	local domain="$1"
+
+	tls_rpt=$(dig +short txt "_smtp._tls.$domain")
+}
+
+has_tls_rpt()
+{
+	tls_rpt="$1"
+
+	if [ "$tls_rpt" = "" ]; then
+		print_medium "TLS-RPT record not defined"
+	else
+		print_good "TLS-RPT record found"
+	fi
+}
+
+tls_rpt_version()
+{
+	tls_rpt="$1"
+
+	if [ "$tls_rpt" = "" ]; then
+		return
+	fi
+
+	if echo "$tls_rpt" | grep -q "v=TLSRPTv1"; then
+		print_good "TLS-RPT version is correct"
+	else
+		print_bad "TLS-RPT version incorrect"
+	fi
+}
+
 if [ "$d" = "" ]; then
 	echo "No domain provided."
 	usage
@ -622,3 +655,14 @@ log ""
 has_mta_sts "$mta_sts"
 mta_sts_version "$mta_sts"
 mta_sts_policy "$d"
+
+log ""
+
+# TLS-RPT checks
+get_tls_rpt "$d"
+
+log "TLS-RPT: $tls_rpt"
+log ""
+
+has_tls_rpt "$tls_rpt"
+tls_rpt_version "$tls_rpt"