Monitoring DKIM records, SPF and DMARC from Centreon

Print Friendly, PDF & Email

Well, Well, Well… We're back with Centreon! Today a post to keep track of public records related to the email service. So if we don't want to have mail problems, we will make sure that the DKIM record, SPF and DMARC exist in our domain.

If we want to have a perfectly configured email service, we know that we have to have the DKIM records perfectly configured, SPF and DMARC, for this we have multiple pages that will help us create them, validate them and ensure that we meet the standards, We get a good reputation and we won't be penalized by the anti-spam systems of other organizations. As said, the mythical website of https://www.mail-tester.com It will help us in having the optimal configuration.

Once this work is done, From the monitoring team we can simply confirm that these records exist and are not lost, since there are so many things that we have to consider in an organization, What better than someone to look at every critical point of the organization.

DKIM

Total, txapas apart, In this post we are going to get that through a couple of scripts we can integrate them into Centreon to know that the records are valid, We start with 'check_dkim', We install the requirements and download the script:

Yum Install Python36-Devel PiP3.6 Install PyCrypto PiP3.6 Install DNSpython cd /usr/lib/centreon/plugins/ git clone https://github.com/countsudoku/check_dkim.git cd check_dkim/

And we test the operation directly from shell, each one obviously with its name in the public domain:

/usr/bin/python3.6 /usr/lib/centreon/plugins/check_dkim/check_dkim.py -d bujarra.com -s default DKIM OK - DKIM key is there

SPF

The same, We install requirements, We download the script 'check_spf_record_match.rb', We make it executable:

Yum install Ruby -y wget HTTPS://raw.githubusercontent.com/garymoon/nagios-check-spf-record-match/master/check_spf_record_match.rb chmod +x check_spf_record_match.rb

And we tried it:

/usr/lib/centreon/plugins/check_spf_record_match.rb --domains bujarra.com --debug Options: {:debug=>True, :domains=>["bujarra.com"]}
record for bujarra.com: v=spf1 include:_spf.srv.cat +a +mx include:pepipost.net ~all OK: All records in sync.

DMARC

Para usar este script nos basamos en el script anterior de SPF, creamos el de DMARC haciendo una copia del fichero actual y vamos a crear uno para nosotros.

cp ./check_spf_record_match.rb ./check_dmarc_record_match.rb

Y le hacemos los siguientes cambios:

  • Sustituimos la palabra spf por dmarc
  • Sustituimos la palabra SPF por DMARC
  • On the line 50
    • of: records = dns.getresources(domain, Resolv::DNS::Resource::IN::TXT)
    • a: records = dns.getresources(‘_dmarc.’ + domain, Resolv::DNS::Resource::IN::TXT)
  • On the line 65
    • of: dmarc_record_n = txt_strings.index{|s| s.downcase.include?’DMARC’}
    • a: dmarc_record_n = txt_strings.index{|s| s.include? ‘DMARC’}
  • On the line 70
    • of: puts txt_strings.index{|s| s.downcase.include?’DMARC’}
    • a: puts txt_strings.index{|s| s.include?’DMARC’}
And we tried:
/usr/lib/centreon/plugins/check_dmarc_record_match.rb --domains bujarra.com --debug Options: {:debug=>True, :domains=>["bujarra.com"]}
record for bujarra.com:  v=DMARC1; p=none OK: All records in sync.

As usual, Once we know that the commands work, it will be time to register the Commandos in our Centreon, since “Configuration” > “Commands” > “Checks”. We will create in this case 3 Commands, one for each check-up, The only thing we will do is take into account to remove the '–Debug’ used in the examples we have seen; and if we want and have several domains to check, We can change that for some argument.
And once we have the Commands it's time to create the Services from “Configuration” > “Services” > “Services by Host” , in this case as well, Do 3 services, one for DKIM check, one for SPF and one for DMARC. We can upload the default check to this type of service, To maybe 1440 minutes to run once a day… to taste.
Remember to save and export the Centreon settings and if we have done everything right, we will be able to verify that the checks are valid and we will make sure that these important TXT records never disappear from the public DNS server.
Hoping that this type of topics will generate interest or ideas to be able to try to cover any critical need in the company and may affect the service of the business.

Recommended Posts

Monitoring our firewall's web UTM rules thanks to Centreon
Read
Monitorizando Tareas programadas con Centreon
Read
Monitoring Proxmox EV with Centreon
Read
Monitoring Crowdsec with Centreon
Read

Author

by Héctor Herrero 
nheobug@bujarra.com
Autor del blog Bujarra.com Cualquier necesidad que tengas, Do not hesitate to contact me, I will try to help you whenever I can, Sharing is living ;) . Enjoy documents!!!

A Podcast for IT - Kubernetes Day 1

14 June de 2021

Earning an A+ in SSLABS on published sites with NetScaler

29 June de 2021