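#!/usr/libexec/platform-python
"""
The Nagios plugin to check outgoing mail IP's.
Copyright Taras K.
version 0.4.3

The plugin reads the outgoing mail IP from the first line of
/etc/outgoingmailip, verifies that its PTR name resolves back to the same
address, and then checks that the address is not listed in /etc/domainips.

Exit codes used by this script: 0 = OK, 1 = WARNING, 2 = CRITICAL.
"""
import re
import sys
from random import choice

try:
    # dns.exception and dns.rdatatype are referenced below, so import them
    # explicitly instead of relying on other dns submodules pulling them in.
    import dns.exception
    import dns.message
    import dns.name
    import dns.query
    import dns.rdatatype
    import dns.resolver
    import dns.reversename
except ImportError:
    print("CRITICAL - Module dns import error.")
    sys.exit(2)

omi_file = '/etc/outgoingmailip'
dip_file = '/etc/domainips'
is_dedicated = False

# Read both inputs up front and close the handles immediately; the original
# left both files open for the lifetime of the process.
with open(omi_file, 'r') as omi_fd:
    omi = omi_fd.readline().rstrip()
with open(dip_file, 'r') as dip_fd:
    dip_lines = dip_fd.readlines()

# Dotted-quad pattern. The dots are escaped on purpose: with a bare '.' the
# pattern matches any run of digits separated by arbitrary characters, so an
# unrelated number earlier in the record text (for example a long TTL) could
# be returned as if it were a name-server address.
_IPV4_RE = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')


def only_ip(rrdata, lname_server):
    """Return the first dotted-quad IPv4 string found in *rrdata*.

    Args:
        rrdata: Text form of a DNS record (or a bare address string).
        lname_server: Address of the server that produced the record; only
            used in the warning message.

    If no address is found the plugin prints a WARNING line and exits with
    status 1, so this function never returns a falsy value.
    """
    match = _IPV4_RE.search(rrdata)
    if match:
        return match.group()
    print("WARNING - Got bad answer from NS: "+lname_server)
    sys.exit(1)


def get_ns(domain):
    """Walk referrals from a root server and return one name-server IP.

    Starting from a randomly chosen root server, an NS query for *domain* is
    sent once per label level; each round picks the next server at random
    from the IPv4 addresses in the previous response's additional section.
    If the last response carried no usable address, one of the fallback
    servers in ``nc_ns`` is returned instead.

    NOTE(review): the only call to this function (in check_ptr) is commented
    out, so it is currently unused.
    NOTE(review): the addresses are taken from the additional section of
    plain UDP responses and are not validated any further here.

    Exits with status 1 (WARNING) if a query times out.
    """
    nc_ns = ('216.87.155.33', '216.87.152.33')
    rootns = ('198.41.0.4', '192.228.79.201', '192.33.4.12', '199.7.91.13',
              '192.203.230.10', '192.5.5.241', '192.112.36.4', '128.63.2.53',
              '192.58.128.30', '193.0.14.129', '202.12.27.33')
    check_domain = domain
    srootns = choice(rootns)

    cleaned_domain = domain.split('.')
    if not cleaned_domain[-1].endswith('.'):
        cleaned_domain.extend('.')
    cleaned_domain.reverse()
    if '' in cleaned_domain:
        cleaned_domain.remove('')

    # Split into parts in reverse for easier
    # querying ['.','com.', 'google.com.', www.google.com.']
    for i in range(1, len(cleaned_domain)):
        if i == 1:
            cleaned_domain[i] = cleaned_domain[i]+cleaned_domain[i-1]
        else:
            cleaned_domain[i] = cleaned_domain[i]+'.'+cleaned_domain[i-1]

    # Every round asks for the NS set of the full name, so the query can be
    # built once; the list above only determines how many rounds are made.
    ndomain = dns.name.from_text(check_domain)
    request = dns.message.make_query(ndomain, dns.rdatatype.NS)

    additional_ns = []
    for _ in cleaned_domain[1:]:
        name_server = choice(additional_ns) if additional_ns else srootns
        try:
            response = dns.query.udp(request, name_server, timeout=10)
        except dns.exception.Timeout:
            print("WARNING - Dns query timed out. NS is unreachable.")
            sys.exit(1)

        additional_ns = []
        # Skip IPv6
        for item in response.additional:
            record_text = item.to_text()
            if 'IN AAAA' not in record_text:
                # only_ip() exits on a non-match, so the result is always
                # a usable address string here.
                additional_ns.append(only_ip(record_text, name_server))

    if additional_ns:
        return choice(additional_ns)
    return choice(nc_ns)


def check_ptr(ip):
    """Forward-confirm the reverse DNS of *ip*.

    Looks up the PTR name of *ip* through the fixed public resolvers below,
    resolves that name with the resolver's default query type, and returns
    True when *ip* appears among the returned addresses, False otherwise.

    All A records of the PTR name are compared, not only the first one:
    resolvers may rotate the record order, which would otherwise turn a
    correctly configured multi-address name into an intermittent CRITICAL.

    NOTE(review): the verdict depends on answers from the hard-coded
    third-party resolvers; nothing in this function authenticates them.

    Exits with status 2 (CRITICAL) on NXDOMAIN and status 1 (WARNING) on any
    other exception, including an *ip* value that is not a valid address.
    """
    try:
        my_resolver = dns.resolver.Resolver(configure=False)
        my_resolver.nameservers = ['4.2.2.3', '8.8.8.8', '8.8.4.4']
        ip_reverse_name = dns.reversename.from_address(ip)
        resolved_name = str(my_resolver.query(ip_reverse_name, 'ptr')[0])
        resolved_name = resolved_name.rstrip('.')
        # my_ns = get_ns(resolved_name)
        # my_resolver.nameservers = [my_ns]
        a_records = my_resolver.query(resolved_name)
        return any(str(a_record) == str(ip) for a_record in a_records)
    except dns.resolver.NXDOMAIN:
        print("CRITICAL - There is no A record in DNS")
        sys.exit(2)
    except Exception:
        print("WARNING - General exception")
        sys.exit(1)


if check_ptr(omi) is False:
    print("CRITICAL - Outgoing mail IP!!! PTR and A record doesn't match.")
    sys.exit(2)

# Each non-comment line of the domain-IP file is expected to start with an
# address followed by ':'. Any line containing '#' is skipped entirely.
for line in dip_lines:
    if '#' not in line:
        line_splitted = line.split(':')
        if line_splitted[0] == omi:
            is_dedicated = True
            break

if not is_dedicated:
    print("OK - Outgoing mail IP is OK")
    sys.exit(0)
else:
    print("CRITICAL - Outgoing mail IP is owned by client.")
    sys.exit(2)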