add script and example images

3 years ago · a2ee3ca526
4 changed files with 356 additions and 0 deletions
--- a/dkim_selectors.txt
+++ b/dkim_selectors.txt
@ -0,0 +1,10 @@
 s1
 s2
 s3
 s4
 google
 k1
 mxvault
 dkim
 mail
 default
--- a/img/altf8.png
+++ b/img/altf8.png
--- a/img/lemonde.png
+++ b/img/lemonde.png
--- a/mailsecchk.sh
+++ b/mailsecchk.sh
@ -0,0 +1,346 @@
 #!/bin/sh
 # Copyright (c) 2022, Jeffrey Bencteux
 # All rights reserved.
 # This source code is licensed under the GPLv3 license found in the
 # LICENSE file in the root directory of this source tree.
 usage()
 {
    echo "Usage: $0 [OPTIONS]..."
    echo "check mail security of a given domain"
    echo
    echo "arguments:"
    echo "  -d domain to be checked"
    echo "  -h display this help and exit"
    echo "  -l log file to output to"
    exit 0
 }
 log()
 {
 	echo "$1"
 	if [ "$logfile" != "" ]; then
 		echo "$1" >> "$logfile"
 	fi
 }
 print_good()
 {
 	echo "\e[1;32m[+]\e[0m $1"
 	if [ "$logfile" != "" ]; then
 		echo "[+] $1" >> "$logfile"
 	fi
 }
 print_bad()
 {
 	echo "\e[1;31m[-]\e[0m $1"
 	if [ "$logfile" != "" ]; then
 		echo "[-] $1" >> "$logfile"
 	fi
 }
 print_medium()
 {
 	echo "\e[1;33m[~]\e[0m $1"
 	if [ "$logfile" != "" ]; then
 		echo "[~] $1" >> "$logfile"
 	fi
 }
 print_info()
 {
 	echo "\e[1;34m[I]\e[0m $1"
 	if [ "$logfile" != "" ]; then
 		echo "[I] $1" >> "$logfile"
 	fi
 }
 d=""
 dkim_selectors_file="./dkim_selectors.txt"
 m365=0
 while getopts "d:hl:" o; do
    case "${o}" in
 	d)
 	    d="${OPTARG}"
 	    ;;
        h)
            usage
            ;;
 	l)
 	    logfile="${OPTARG}"
 	    ;;
        *)
 	    usage
 	    ;;
    esac
 done
 shift $((OPTIND-1))
 log "  _   .-')      ('-.                         .-')      ('-.                        ('-. .-..-. .-')   "
 log " ( '.( OO )_   ( OO ).-.                    ( OO ).  _(  OO)                      ( OO )  /\\  ( OO )  "
 log " ,--.   ,--.) / . --. /  ,-.-')  ,--.     (_)---\\_)(,------.   .-----.   .-----. ,--. ,--.,--. ,--.  "
 log " |   \`.'   |  | \\-.  \\   |  |OO) |  |.-') /    _ |  |  .---'  '  .--./  '  .--./ |  | |  ||  .'   /  "
 log " |         |.-'-'  |  |  |  |  \\ |  | OO )\\  :\` \`.  |  |      |  |('-.  |  |('-. |   .|  ||      /, " 
 log " |  |'.'|  | \\| |_.'  |  |  |(_/ |  |\`-' | '..\`''.)(|  '--.  /_) |OO  )/_) |OO  )|       ||     ' _) "
 log " |  |   |  |  |  .-.  | ,|  |_.'(|  '---.'.-._)   \\ |  .--'  ||  |\`-'| ||  |\`-'| |  .-.  ||  .   \\   "
 log " |  |   |  |  |  | |  |(_|  |    |      | \\       / |  \`---.(_'  '--'\\(_'  '--'\\ |  | |  ||  |\\   \\  "
 log " \`--'   \`--'  \`--' \`--'  \`--'    \`------'  \`-----'  \`------'   \`-----'   \`-----' \`--' \`--'\`--' '--'  "
 get_mx()
 {
 	domain="$1"
 	mx=$(dig +short mx "$domain")
 }
 has_m365()
 {
 	m365=0
 	if echo "$mx" | grep -q "mail.protection.outlook.com"; then
 		print_info "It looks like domain is using Microsoft 365, including specific tests."
 		m365=1
 	fi
 }
 get_spf()
 {
 	domain="$1"
 	spf=$(dig +short txt "$domain" | grep 'spf')
 }
 has_spf()
 {
 	spf="$1"
 	if [ "$spf" = "" ]; then
 		print_bad "No SPF for domain"
 	else
 		print_good "domain has a SPF record"
 	fi
 }
 loose_spf()
 {
 	spf="$1"
 	if [ "$spf" = "" ]; then
 		return
 	fi
 	if echo "$spf" | grep -vq "\-all"; then
 		print_bad "SPF not in FAIL mode (\"-all\")"
 	else
 		print_good "SPF is in FAIL mode (\"-all\")"
 	fi
 }
 spf_include_m365()
 {
 	spf="$1"
 	if [ "$spf" = "" ]; then
 		return
 	fi
 	if [ $m365 -eq 1 ]; then
 		if echo "$spf" | grep -vq "include:spf.protection.outlook.com"; then
 			print_medium "Microsoft 365 SPF not in includes"
 		else
 			print_good "SPF includes Microsoft 365 one"
 		fi
 	fi
 }
 # DMARC checks
 get_dmarc()
 {
 	domain="$1"
 	dmarc=$(dig +short txt "_dmarc.$domain")
 }
 has_dmarc()
 {
 	dmarc="$1"
 	if [ "$dmarc" = "" ]; then
 		print_bad "No dmarc for domain"
 	else
 		print_good "domain has a DMARC record"
 	fi
 }
 loose_dmarc_policy()
 {
 	dmarc="$1"
 	if [ "$dmarc" = "" ]; then
 		return
 	fi
 	if echo "$dmarc" | grep -Eq "[ ;]p=(reject|quarantine)"; then
 		print_good "DMARC policy is correct"
 	else
 		print_bad "DMARC policy not set to \"reject\" or \"quarantine\""
 	fi
 }
 loose_dmarc_subpolicy()
 {
 	dmarc="$1"
 	if [ "$dmarc" = "" ]; then
 		return
 	fi
 	if echo "$dmarc" | grep "sp=" | grep -vEq "sp=(reject|quarantine)"; then
 		print_bad "DMARC subpolicy not set to \"reject\" or \"quarantine\""
 	else
 		print_good "DMARC subpolicy is correct"
 	fi
 }
 dmarc_pct()
 {
 	dmarc="$1"
 	if [ "$dmarc" = "" ]; then
 		return
 	fi
 	if echo "$dmarc" | grep "pct=" | grep -vEq "pct=100"; then
 		print_bad "DMARC sample percentage not set to 100"
 	fi
 }
 dmarc_rua_ruf()
 {
 	dmarc="$1"
 	if [ "$dmarc" = "" ]; then
 		return
 	fi
 	rua=$(echo "$dmarc" | grep -oE "rua=[^ ]+";)
 	ruf=$(echo "$dmarc" | grep -oE "ruf=[^ ]+";)
 	if [ "$rua" = "" ]; then
 		print_medium "DMARC no aggregate report URI (RUA) defined"
 	else
 		if echo "$rua" | grep -Eo "@[^ ,\"]+" | grep -vq "$d"; then
 			print_medium "DMARC RUA is external to the domain, please review manually"
 		fi
 	fi
 	if [ "$ruf" = "" ]; then
 		print_medium "DMARC no forensic report URI (RUF) defined"
 	else
 		if echo "$ruf" | grep -Eo "@[^ ,\"]+" | grep -vq "$d"; then
 			print_medium "DMARC RUF is external to the domain, please review manually"
 		fi
 	fi
 }
 dkim_m365()
 {
 	if [ $m365 -eq 0 ]; then
 		return
 	fi
 	s1=$(dig +short txt "selector1._domainkey.$d" | grep "v=DKIM")
 	s2=$(dig +short txt "selector2._domainkey.$d" | grep "v=DKIM")
 	if [ "$s1" != "" ] || [ "$s2" != "" ]; then
 		print_good "DKIM Microsoft 365 selector set: $s1 $s2"
 	else
 		print_bad "DKIM Microsoft 365 selectors not set while MS365 is used"
 	fi
 }
 dkim_well_known()
 {
 	log "Trying well-known selectors..."
 	while read -r s; do
 		print_info "$s"
 		dkim=$(dig +short txt $s._domainkey.$d | grep "v=DKIM")
 		if [ "$dkim" != "" ]; then
 			print_good "DKIM found with selector $s: $dkim"
 			return
 		fi
 	done < "$dkim_selectors_file"
 	print_medium "DKIM could not be found, try obtaining a valid selector for manual review."
 }
 if [ "$d" = "" ]; then
 	echo "No domain provided."
 	usage
 	exit 1
 fi
 echo "Checking \e[1;32m$d\e[0m"
 echo
 # Preliminary checks
 get_mx "$d"
 if [ "$mx" = "" ]; then
 	log "No MX record for domain, are you sure it is used for mail communications?"
 else
 	log "MX: $mx"
 fi
 log ""
 has_m365 "$d"
 log ""
 # SPF checks
 get_spf "$d"
 log "SPF: $spf"
 log ""
 has_spf "$spf"
 loose_spf "$spf"
 spf_include_m365 "$spf"
 log ""
 # DMARC checks
 get_dmarc "$d"
 log "DMARC: $dmarc"
 log ""
 has_dmarc "$dmarc"
 loose_dmarc_policy "$dmarc"
 loose_dmarc_subpolicy "$dmarc"
 dmarc_pct "$dmarc"
 dmarc_rua_ruf "$dmarc"
 log ""
 # DKIM checks
 log "DKIM:"
 log ""
 dkim_m365
 if [ "$m365" -eq 0 ]; then
 	dkim_well_known
 fi