def main(): # If we don't append the trailing dot, the query would try the DNS search # path. fqdn = getfqdn() + '.' try: result = dns_query(fqdn, SSHFP) except DNSException: print('WARNING got no host key fingerprint') exit(1) # Map the host keys in a dictionary using the algorithm and the fingerprint # type as the identifier for fast lookup while comparing them with the keys # from the DNS. output = check_output(['ssh-keygen', '-r', fqdn], universal_newlines=True) host_keys = {(r.algorithm, r.fp_type): r for r in ( dns_from_text(IN, SSHFP, l.split(None, 3)[3]) for l in output.splitlines() )} for record in result.rrset: record_id = (record.algorithm, record.fp_type) if record_id not in host_keys: print('WARNING host key for fingerprint does not exist') exit(1) if record.fingerprint != host_keys[record_id].fingerprint: print('WARNING host key fingerprint is inconsistent') exit(1) print('OK') exit(0)
def lookup_receiver_policy(host): '''Lookup the reciever policy for a host. Returns a ReceiverPolicy. :param str host: The host to query. The *actual* host that is queried has ``_dmarc.`` prepended to it. :returns: The DMARC receiver policy for the host. If there is no published policy then :attr:`gs.dmarc.ReceiverPolicy.noDmarc` is returned. :rtype: A member of the :class:`gs.dmarc.ReceiverPolicy` enumeration. ''' dmarcHost = '_dmarc.{0}'.format(host) retval = ReceiverPolicy.noDmarc try: dnsAnswer = dns_query(dmarcHost, 'TXT') except (NXDOMAIN, NoAnswer): pass # retval = ReceiverPolicy.noDmarc else: answer = str(dnsAnswer[0]) # Check that v= field is the first one in the answer (which is in # double quotes) as per Section 7.1 (5): # In particular, the "v=DMARC1" tag is mandatory and MUST appear # first in the list. Discard any that do not pass this test. # http://tools.ietf.org/html/draft-kucherawy-dmarc-base-04#section-7.1 if answer[:9] == '"v=DMARC1': tags = answer_to_dict(answer) # TODO: check that 'none' is the right assumption? p = tags.get('p', 'none') policy = p if hasattr(ReceiverPolicy, p) else 'noDmarc' retval = ReceiverPolicy[policy] # else: retval = ReceiverPolicy.noDmarc assert isinstance(retval, ReceiverPolicy) return retval
def main(): # If we don't append the trailing dot, the query would try the DNS search # path. fqdn = getfqdn() + '.' try: result = dns_query(fqdn, SSHFP) except DNSException: print('WARNING got no host key fingerprint') exit(1) # Map the host keys in a dictionary using the algorithm and the fingerprint # type as the identifier for fast lookup while comparing them with the keys # from the DNS. output = check_output(['ssh-keygen', '-r', fqdn], universal_newlines=True) host_keys = {(r.algorithm, r.fp_type): r for r in (dns_from_text(IN, SSHFP, l.split(None, 3)[3]) for l in output.splitlines())} for record in result.rrset: record_id = (record.algorithm, record.fp_type) if record_id not in host_keys: print('WARNING host key for fingerprint does not exist') exit(1) if record.fingerprint != host_keys[record_id].fingerprint: print('WARNING host key fingerprint is inconsistent') exit(1) print('OK') exit(0)
def connect_start( self ): global dns_query self._signal.acquire() try: if self._host == '__DUMMY__': self._fatal_error = socket.error( errno.EPIPE, "I need to pretend to fail here" ) return if self._sock is None: if not self._addrinfo: #print "No addresses left to try" self._retry -= 1 if self._retry < 0: #print "Out of retries" self._connecting = None if not self._fatal_error: self._fatal_error = socket.error( errno.EPIPE, "Unknown connection failure." ) self._signal.notify() return try: for p in self._port: if isinstance( p, int ): self._addrinfo += socket.getaddrinfo( self._host, p, socket.AF_UNSPEC, socket.SOCK_STREAM ) elif dns_query is not None: try: answers = dns_query( ('_%s._%s.' % p) + self._host, 'SRV' ) for rdata in answers: self._addrinfo += socket.getaddrinfo( rdata.target, rdata.port, socket.AF_UNSPEC, socket.SOCK_STREAM ) except: pass except socket.gaierror, e: raise socket.error( errno.EPIPE, str(e) ) self._addrinfo.reverse() self._fatal_error = None af, st, pr, cname, sa = self._addrinfo.pop() try: self._sock = socket.socket( af, st, pr ) except socket.error, e: self._fatal_error = self.transform_exception( e, 'socket create' ) if self._fatal_error.args[0] != errno.EAGAIN: return self.connect_start() except: return self.connect_start() if sys.platform != 'symbian_s60': self._sock.setblocking( 0 ) try: #print "Connecting to",`sa` self._connecting = time.time() self._sock.connect( sa ) except socket.error, e: self._fatal_error = self.transform_exception( e, 'connect' ) if self._fatal_error.args[0] != errno.EAGAIN: return self.connect_start()
def validate_email(address_text): is_valid = True if not EMAIL_REGEX.match(address_text): is_valid = False else: # Must have Gmail or Google Apps MX records domain = address_text.split('@')[1] try: answers = dns_query(domain, 'MX') gmail_mx_servers = [ # Google apps for your domain 'aspmx.l.google.com.', 'aspmx2.googlemail.com.', 'aspmx3.googlemail.com.', 'aspmx4.googlemail.com.', 'aspmx5.googlemail.com.', 'alt1.aspmx.l.google.com.', 'alt2.aspmx.l.google.com.', 'alt3.aspmx.l.google.com.', 'alt4.aspmx.l.google.com.', # Gmail 'gmail-smtp-in.l.google.com.', 'alt1.gmail-smtp-in.l.google.com.', 'alt2.gmail-smtp-in.l.google.com.', 'alt3.gmail-smtp-in.l.google.com.', 'alt4.gmail-smtp-in.l.google.com.' ] # All relay servers must be gmail for rdata in answers: if not str(rdata.exchange).lower() in gmail_mx_servers: is_valid = False log.error("Non-Google MX record: %s" % str(rdata.exchange)) except NoNameservers: is_valid = False return dict( valid_for_inbox = is_valid, valid_address = address_text )
def lookup_receiver_policy(host, policyTag='p'): # type: (str, str) -> ReceiverPolicy '''Lookup the reciever policy for a host. Returns a ReceiverPolicy. :param str host: The host to query. The *actual* host that is queried has ``_dmarc.`` prepended to it. :param str policyTag: The *tag* that holds the receiver policy. Must be ``p`` (the default) or ``sp`` (for the subdomain policy). See :rfc:`7489#section-6.3`. :returns: The DMARC receiver policy for the host. If there is no published policy then :attr:`gs.dmarc.ReceiverPolicy.noDmarc` is returned. :rtype: A member of the :class:`gs.dmarc.ReceiverPolicy` enumeration.''' if policyTag not in ('p', 'sp'): raise ValueError('policyTag must be "p" or "sp".') dmarcHost = '_dmarc.{0}'.format(host) retval = ReceiverPolicy.noDmarc try: dnsAnswer = dns_query(dmarcHost, 'TXT') except (NXDOMAIN, NoAnswer, NoNameservers): pass # retval = ReceiverPolicy.noDmarc else: answer = str(dnsAnswer[0]) # Check that v= field is the first one in the answer (which is in # double quotes) as per Section 7.1 (5): # In particular, the "v=DMARC1" tag is mandatory and MUST appear # first in the list. Discard any that do not pass this test. # http://tools.ietf.org/html/draft-kucherawy-dmarc-base-04#section-7.1 if answer[:9] == '"v=DMARC1': tags = answer_to_dict(answer) # TODO: check that 'none' is the right assumption? if policyTag == 'p': p = tags.get('p', 'none') else: # Look up the subdomain policy, falling back to the main policy # <https://tools.ietf.org/html/rfc7489#section-6.3> p = tags.get('sp', tags.get('p', 'none')) policy = p if hasattr(ReceiverPolicy, p) else 'noDmarc' # https://github.com/python/mypy/issues/1381 retval = ReceiverPolicy[policy] # type: ignore return retval
def resolve(self): """ Attempt to resolve this name once, following CNAME chains if necessary. """ ttl = self.min_resolution_delay try: log.debug("Query: %s", self.target) answer = dns_query(self.target, rdtype=A, tcp=True) log.debug("Answer: %s", answer) for item in answer.rrset.items: self.values.add(item.address) log.debug("Resolved %s (%s): %s", self.name, self.target, item.address) ttl = max(ttl, answer.ttl) if self.ttl is None: self.ttl = answer.ttl except NXDOMAIN as e: log.warning("Failed to resolve %s (%s): %s", self.name, self.target, e) self.pending_resolve_count -= 1 self.next_resolution_time = time() + ttl return