diff --git a/README.md b/README.md index 7172c91..e882604 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # mailsecchk -A simple POSIX script for mail security checks against domain names. +A simple shell script (almost) POSIX(1) for mail security checks against domain names. ``` Usage: ./mailsecchk.sh [OPTIONS]... @@ -14,6 +14,8 @@ arguments: -r SPF recursive tests ``` +(1): not POSIX anymore as keyword "local" is used, but it should work on most UNIX. + ## Current checks * SPF DNS record presence diff --git a/mailsecchk.sh b/mailsecchk.sh index 44350c5..e80b348 100755 --- a/mailsecchk.sh +++ b/mailsecchk.sh @@ -119,8 +119,8 @@ get_mx() has_mx_specific() { name="$1" - full_name="$2" - mx_dn="$3" + local full_name="$2" + local mx_dn="$3" if echo "$mx" | grep -q "$mx_dn"; then print_info "It looks like domain is using $full_name, including specific tests." @@ -130,14 +130,14 @@ has_mx_specific() get_spf() { - domain="$1" + local domain="$1" spf=$(dig +short txt "$domain" | grep 'spf') } has_spf() { - spf="$1" + local spf="$1" if [ "$spf" = "" ]; then print_bad "No SPF for domain" @@ -148,7 +148,7 @@ has_spf() loose_spf() { - spf="$1" + local spf="$1" if [ "$spf" = "" ]; then return @@ -163,13 +163,13 @@ loose_spf() spf_include_domain() { - spf_local="$1" - name="$2" - full_name="$3" - include_local="$4" - found_in_mx=$5 + local spf="$1" + local name="$2" + local full_name="$3" + local include="$4" + local found_in_mx=$5 - if [ "$spf_local" = "" ]; then + if [ "$spf" = "" ]; then return fi 
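Review bot: In has_mx_specific the first assignment `name="$1"` is left global while the two lines right below it become `local`, so this function still writes a script-wide `name` that the other hunks of this same commit turn into a local in spf_include_domain and dkim_specific; `local name="$1"` keeps the three declarations consistent and stops the leak. The context line `grep -q "$mx_dn"` also treats the provider domain as an unanchored regex against DNS-sourced MX data, so dots match any character and a plain substring such as `notgoogle.com` would satisfy it just as well; `grep -qF -- "$mx_dn"` (or an anchored pattern) is the safer check, and is unrelated to the `local` change so it can be a follow-up. has_mx_specific's body continues past the end of the hunk.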
@@ -177,28 +177,28 @@ spf_include_domain() return fi - if echo "$spf_local" | grep -q "include:$include_local"; then - print_good "SPF includes $name one ($include_local)" + if echo "$spf" | grep -q "include:$include"; then + print_good "SPF includes $name one ($include)" spf_specific_found=1 fi } spf_includes_recursive() { - spf_local="$1" - domain="$2" - specific="$3" + local spf="$1" + local domain="$2" + local specific="$3" if [ "$spf_recursive" -eq 0 ]; then return fi - if [ "$spf_local" = "" ]; then + if [ "$spf" = "" ]; then return fi # Unsure this weak parsing catches all cases - spf_includes=$(echo "$spf_local" | grep -Eo "include:[^ ]+" | sed 's/include://g') + spf_includes=$(echo "$spf" | grep -Eo "include:[^ ]+" | sed 's/include://g') if [ "$spf_includes" != "" ]; then print_info "SPF recursive check for $domain" @@ -222,14 +222,14 @@ spf_includes_recursive() # DMARC checks get_dmarc() { - domain="$1" + local domain="$1" dmarc=$(dig +short txt "_dmarc.$domain") } has_dmarc() { - dmarc="$1" + local dmarc="$1" if [ "$dmarc" = "" ]; then print_bad "No dmarc for domain" @@ -240,7 +240,7 @@ has_dmarc() loose_dmarc_policy() { - dmarc="$1" + local dmarc="$1" if [ "$dmarc" = "" ]; then return @@ -255,7 +255,7 @@ loose_dmarc_policy() loose_dmarc_subpolicy() { - dmarc="$1" + local dmarc="$1" if [ "$dmarc" = "" ]; then return @@ -271,7 +271,7 @@ loose_dmarc_subpolicy() dmarc_pct() { - dmarc="$1" + local dmarc="$1" if [ "$dmarc" = "" ]; then return @@ -284,7 +284,7 @@ dmarc_pct() dmarc_rua_ruf() { - dmarc="$1" + local dmarc="$1" if [ "$dmarc" = "" ]; then return 
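Review bot: In spf_includes_recursive the assignment `spf_includes=$(echo "$spf" | grep -Eo "include:[^ ]+" | sed 's/include://g')` is left global even though this is the one recursive function in the script, so a nested call overwrites the parent's include list while the parent may still be using it; a `local spf_includes` next to the three new declarations keeps each recursion level's list to itself. Note also that `local` in dash and bash is dynamically scoped: the new `local spf="$1"` here and in spf_include_domain is visible to every function called from them, so if the rest of this function calls get_spf (as the recursion presumably does), get_spf's `spf=$(dig ...)` now assigns into this frame's local rather than the global `spf` the caller set; that is probably an improvement over clobbering the global, but the old `spf_local` name was insulated from it and the rename deserves a one-line comment such as `# local spf shadows the global; get_spf called below writes into this frame`. spf_include_domain starts before the hunk and spf_includes_recursive continues past it.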
@@ -312,16 +312,16 @@ dmarc_rua_ruf() dkim_specific() { - name="$1" - full_name="$2" - selectors="$3" + local name="$1" + local full_name="$2" + local selectors="$3" if [ "$specific" != "$name" ]; then return fi for s in $selectors; do - curr=$(dig +short txt "$s._domainkey.$d" | grep "v=DKIM") + local curr=$(dig +short txt "$s._domainkey.$d" | grep "v=DKIM") if [ "$curr" != "" ]; then print_good "DKIM $full_name set ($s)" @@ -340,8 +340,8 @@ dkim_m365() return fi - s1=$(dig +short txt "selector1._domainkey.$d" | grep "v=DKIM") - s2=$(dig +short txt "selector2._domainkey.$d" | grep "v=DKIM") + local s1=$(dig +short txt "selector1._domainkey.$d" | grep "v=DKIM") + local s2=$(dig +short txt "selector2._domainkey.$d" | grep "v=DKIM") if [ "$s1" != "" ]; then print_good "DKIM Microsoft 365 selector set: $s1 $s2" @@ -380,7 +380,7 @@ dkim_extract_key() return fi - dkim_p=$(echo "$dkim" | grep -Eo 'p=[^;]+' | sed 's/p=//g' | sed 's/[ "]//g') + local dkim_p=$(echo "$dkim" | grep -Eo 'p=[^;]+' | sed 's/p=//g' | sed 's/[ "]//g') print_info "Extracting DKIM public key..." @@ -399,7 +399,7 @@ dkim_crypto_keysize() return fi - keysize=$(echo "$dkim_parsed_key" | grep -E 'Public-Key:[ ]+\([0-9]+[ ]+bit\)' | grep -Eo '[0-9]+') + local keysize=$(echo "$dkim_parsed_key" | grep -E 'Public-Key:[ ]+\([0-9]+[ ]+bit\)' | grep -Eo '[0-9]+') if [ "$keysize" -lt $dkim_key_minsize ]; then print_medium "DKIM public key size is < $dkim_key_minsize bits ($keysize bits)"
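Review bot: In dkim_specific the loop variable `s` and the domain `$d` read inside `local curr=$(dig +short txt "$s._domainkey.$d" | grep "v=DKIM")` are still globals while every other name in the function was made local; `for s in $selectors` is the intentional word-split of a space-separated selector list, but `s` leaks out of the function, and a `local s` next to the other declarations keeps it self-contained. Separately, `local curr=$(...)` discards dig's exit status (ShellCheck SC2155), so a resolver timeout or SERVFAIL is indistinguishable from "no DKIM record for this selector"; the split form `local curr; curr=$(dig ...)` at least leaves `$?` available if the script later wants to report the two cases differently. dkim_specific's loop body continues past the hunk.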
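Review bot: In dkim_crypto_keysize the new `local keysize=$(echo "$dkim_parsed_key" | grep -E 'Public-Key:[ ]+\([0-9]+[ ]+bit\)' | grep -Eo '[0-9]+')` is empty whenever the parsed key has no `Public-Key: (N bit)` line (the grep simply matches nothing, and a non-RSA key such as one with `k=ed25519` is a plausible cause — verify against openssl's output), and the following `[ "$keysize" -lt $dkim_key_minsize ]` then fails with an "integer expression expected" error instead of producing a finding. Add `if [ -z "$keysize" ]; then print_info "Could not determine DKIM key size"; return; fi` before the comparison (print_info is the helper the rest of the script already uses) and quote `"$dkim_key_minsize"` in the test so an unset minimum cannot collapse the expression. dkim_crypto_keysize's guard clause at the top starts before the hunk.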