steffenfritz / mxcheck Goto Github PK

View Code? Open in Web Editor NEW

50.0 4.0 6.0 2.84 MB

mxcheck is an info and security scanner for e-mail servers.

Home Page: https://mxcheck.fritz.wtf

License: GNU General Public License v3.0

Go 91.56% Makefile 2.92% Roff 5.52%

security mailserver smtpd dns mail email infosec dmarc itsecurity scanner smtp

mxcheck's Introduction

mxcheck is an info scanner for e-mail servers.

It checks

DNS records: A, MX, PTR, SPF, MTA-STS, DKIM, DMARC
AS Number and AS Country
the support of StartTLS and the certificate
open ports: 25, 465, 587
if the service is listed by blacklists
if it leaks information by server string and VRFY command
and if the server is an open relay

You can set mailFrom, mailTo, the DNS server, DKIM selector and output a report in tsv format.

-b, --blacklist          Check if the service is on blacklists
-d, --dnsserver string   The dns server to be requested (default "8.8.8.8")
-f, --mailfrom string    Set the mailFrom address (default "[email protected]")
-t, --mailto string      Set the mailTo address (default "[email protected]")
-n, --no-prompt          Answer yes to all questions
-s, --service string     The service host to check (mandatory flag)
-S, --dkim-selector      The DKIM selector. If set a dkim check is performed on the provided service domain
-v, --version            Version and license
-u, --updatecheck        Check if a new version of mxcheck is available
-w, --write-tsv          Write tsv formated report to file

Version

v1.6.1

Installation

go install github.com/steffenfritz/mxcheck

download a pre-compiled binary.

Usage Example

./mxcheck -s 2600.com
./mxcheck -s 2600.com -v
./mxcheck -s 2600.com -d 8.8.8.8
./mxcheck -s 2600.com -n -f [email protected] -t [email protected] -w -S default
./mxcheck -s 2600.com -n -f [email protected] -t [email protected] -w -S default -b

Check for authentication

There is no check whether the server needs authentication. However, you can do two runs:

The first one uses a from and to address outside the mail server's scope, e.g.:

./mxcheck -s example.com -f [email protected] -t [email protected]

The second one uses a from and a to address from the mail server's scope, e.g.:

./mxcheck -s example.com -f [email protected] -t [email protected]

If the first one returns Server is not an open relay and the second one returns Server is probably an open relay the server is not an open relay, but you can send mails from local to local addresses without authentication.

Documentation and contact

mxcheck has a man page :)

Furthermore, you can find a documentation and contact information here: https://mxcheck.fritz.wtf

The logo was created by Alex/Lignum5. Thanks, mate :)

mxcheck's People

Contributors

Stargazers

Watchers

Forkers

shammishailaj sudds65 opfour darealdemayo itsharex simhaonline

mxcheck's Issues

Check if update available

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
There should be a flag that checks if a new version of mxcheck is available

DKIM check

Describe the solution you'd like
mxcheck should check for DKIM DNS entries.

We need a type for it and validation where possible.

domain d=
granularity g=
acceptable algorithms h=
key type k=
note field n=
public key p=
selector s=
testing t=
version v=

See https://www.ietf.org/rfc/rfc6376.txt and updates in RFC 8301 and RFC 8463.

Add Nagios-compatible reporting

Describe the solution you'd like

mxcheck should be able to return a scan result in the form of Nagios-compatible plugins. Nagios-compatible plugins can be used with Icinga, Checkmk and more.

Describe the solution you'd like

mxcheck, run with a specific flag, should return a string in the following form

0 "My service" myvalue=73;80;90 My output text who may contain spaces

See https://docs.checkmk.com/latest/en/localchecks.html

Add EICAR send test

mxcheck should be able to send the EICAR test virus to a recipient to check the capabilities of virus filters.

DMARC check

** Describe the solution you'd like
mxcheck should check for DMARC DNS entries.

We need a type for it and validation where possible.

Indicates whether
strict or relaxed DKIM Identifier Alignment mode is required: adkim
Indicates whether
strict or relaxed SPF Identifier Alignment mode is required: aspf
Failure reporting options: fo
Requested Mail Receiver policy: p
Percentage of messages from the Domain Owner's
mail stream to which the DMARC policy is to be applied: pct
Format to be used for message-specific failure reports: rf
Interval requested between aggregate reports: ri
Addresses to which aggregate feedback is to be sent: rua
Addresses to which message-specific failure information is to
be reported: ruf
Requested Mail Receiver policy for all subdomains: sp
Version: v

See https://datatracker.ietf.org/doc/html/rfc7489

Check for SMTP Smuggling

Add check for SMTP smuggling if possible.

https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/

CNAME DMARC not working

Describe the bug
When checking a domain with a CNAME'd There is a Go Panic regarding

To Reproduce
Check a domain with a CNAME'd DMARC record
Can be created using: https://mxtoolbox.com/dmarc/dmarc-setup-cname

Expected behavior
DMARC report :-D

Screenshots
user@server:~$ mxcheck -n -s < REDACTED >.nl -S default

INFO: 2024/05/14 15:24:50 == Checking: < REDACTED >.nl ==
INFO: 2024/05/14 15:24:50 Found MX:
INFO: 2024/05/14 15:24:50 < REDACTED >-nl.mail.protection.outlook.com.
INFO: 2024/05/14 15:24:50 == Checking DKIM record ==
INFO: 2024/05/14 15:24:50 DKIM not set or wrong selector
INFO: 2024/05/14 15:24:50 == Checking DMARC record ==
panic: interface conversion: dns.RR is *dns.CNAME, not *dns.TXT

goroutine 1 [running]:
main.getDMARC({0x7fff3566f5fd?, 0xc0000c95d8?}, {0x70ad2f, 0x7})
/home/user/go/pkg/mod/github.com/steffenfritz/[email protected]/dns.go:245 +0x3cc
main.main()
/home/user/go/pkg/mod/github.com/steffenfritz/[email protected]/main.go:167 +0xd56

System (please complete the following information):

OS: Ubuntu
Version 22.04

Add DANE support

Is your feature request related to a problem? Please describe.
mxcheck should have DANE support

Describe the solution you'd like
In a first version check if a DANE entry is set and fetch all information. In a second version a validation could be added (then in a new ticket/issue)

Additional context
https://datatracker.ietf.org/doc/html/rfc6698
https://datatracker.ietf.org/doc/html/rfc7218
https://datatracker.ietf.org/doc/html/rfc7672
https://datatracker.ietf.org/doc/html/rfc7673

Add OPENSSF patches

Add CODEOWNER file
Add release notes for every release in a release notes file
Add tests for most functions and code paths
Establish CI with testing
Proof of tests for major changes
Add dynamic code testing

Add more provider/ISP information

mxcheck should give more information regarding the provider of the mail service.

More information could be gathered via GeoIP, e.g. https://pkg.go.dev/github.com/oschwald/geoip2-golang#section-readme

Show Autonomous System Number of MX IP

Describe the solution you'd like
mxcheck should show the autonomous system number of the IP address of each mx

Additional context
Team Cymru's service can be used https://team-cymru.com/community-services/ip-asn-mapping/

TSV report differs from standard output when rcpt is accepted

Describe the bug
When a valid rcpt from the mail server's scope is used it may happen that the standard output differs from the tsv written file

To Reproduce
Steps to reproduce the behavior:
Run mxcheck with a valid rcpt from the mail server's scope an dwrite results to file, using -w flag

Expected behavior
The tsv output should show the same and correct result

SPF test result wrong if TXT too long

If the SPF entry is too long the result cannot be unpacked because the message is truncated

dns: failed to unpack truncated message