* Package name : danecheck
Version : 1.1.0
Upstream Author : Viktor Dukhovni <postfix-users@dukhovni.org>
* URL : https://github.com/vdukhovni/danecheck
* License : BSD
Programming Lang: Haskell
Description : DANE SMTP checker
This is a tool to check DANE TLSA security for SMTP.
Features:
* Test the local resolver configuration by verifying the validity of the
root zone DNSKEY and SOA RRSets.
* Test whether DNSSEC is enabled for a given TLD.
* Check whether an email domain is fully protected (across all of its MX
hosts) by DANE TLSA records, and whether these match the actual
certificate chains seen at each IP address of each MX host.
* Perform certificate chain verification at a time offset from the current
time to ensure that certificates are not about to expire too soon.
A non-zero exit status is returned if any DNS lookups fail or if the MX records
or MX hosts are in an unsigned zone, or if for one of the MX hosts no
associated secure TLSA records are found. A non-zero exit status is also
returned if any of the SMTP connections fail to establish a TLS connection or
yield a certificate chain that does not match the TLSA records.
Packaging note:
I do not know Haskell, so wouldn't really be a good maintainer, thus submitting
this as an RFP.
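The per-host, per-address check in the feature list above can be sketched as follows. This is an added example, not danecheck's code and not part of the original report; `tlsa_matches`, `check_domain` and the sample data are hypothetical names and constructed values, and the sketch assumes DNSSEC validation and the SMTP STARTTLS handshake have already produced its inputs.

```python
import hashlib

# TLSA matching types: 0 = exact data, 1 = SHA-256, 2 = SHA-512
HASHES = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def tlsa_matches(rr, chain):
    """rr: 'usage selector mtype hex'. chain: [(cert_der, spki_der), ...], leaf first."""
    usage, selector, mtype, data = rr.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    # RFC 7672: SMTP clients treat PKIX-TA(0) and PKIX-EE(1) as unusable.
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in HASHES:
        return False
    want = bytes.fromhex(data.replace(" ", ""))
    # DANE-EE(3) binds the leaf only; DANE-TA(2) may match any chain element.
    candidates = chain[:1] if usage == 3 else chain
    return any(HASHES[mtype](c[selector]) == want for c in candidates)

def check_domain(mx_hosts):
    """Return a list of problems; an empty list corresponds to exit status 0."""
    problems = []
    for host, info in mx_hosts.items():
        if not info["secure"]:
            problems.append(f"{host}: unsigned zone")
        elif not info["tlsa"]:
            problems.append(f"{host}: no secure TLSA records")
        else:
            for ip, chain in info["chains"].items():
                if chain is None:
                    problems.append(f"{host}[{ip}]: TLS failed")
                elif not any(tlsa_matches(rr, chain) for rr in info["tlsa"]):
                    problems.append(f"{host}[{ip}]: chain does not match TLSA")
    return problems

# Constructed sample input: placeholder bytes stand in for DER certificates and SPKIs.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
OTHER = (b"constructed-other-cert", b"constructed-other-spki")
GOOD_RR = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
SAMPLE = {
    "mx1.example.": {"secure": True, "tlsa": [GOOD_RR],
                     "chains": {"192.0.2.1": [LEAF], "192.0.2.2": [OTHER]}},
    "mx2.example.": {"secure": True, "tlsa": [], "chains": {}},
}

if __name__ == "__main__":
    for problem in check_domain(SAMPLE):
        print(problem)
```

One address serving a different certificate is enough to fail the whole domain, which is why the check runs per IP address rather than per MX host name.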
Hi Joseph, this package sounds useful. I know Haskell and Debian packaging aspects since I used to maintain ghc-mod in Debian (it's been a couple of releases though :). I would be happy to co-maintain this but unless you already have a sponsor in mind we'd still have to find one as I'm not a DD.
Hi Daniel, I'm a DD, but entirely unfamiliar with Haskell, let alone how it's packaged within Debian. Do you think that between the two of us we can make this work?
Quoting Joseph Nahmias (2022-03-30 15:02:56)
This tool looks interesting. Until available, a related yet simpler tool is danetool, part of Debian package gnutls-bin.
- Jonas
Hi Joe, Yeah that would work :) I did a quick review of danecheck's dependencies to see how much packaging work we're in for, and things don't actually look too bad. The only thing that's missing is conduit-combinators, and the Haskell package plan seems to suggest that got deprecated by 'combinators' itself, and indeed, just removing the dependency, it builds just fine. I don't have time to do the full debianization right now; I'll try to get around to it some time next weekend. Feel free to ping if you don't hear back ;)