Extracting subnets and IP addresses from SPF records (e.g. Office365 or Google Apps for Business)

If you want to put your own mail server (Postfix) in front of Office365 or Google Apps for Business for sending/receiving, you have to whitelist the Microsoft/Google mail servers in Postfix's mynetworks. Keep in mind that clients listed in mynetworks are treated as trusted and, with the default restrictions, may relay mail, and that these provider ranges are shared by all customers of the respective service.

The script resolves all SPF record includes and generates CIDR maps that can be included in Postfix.

Example:

max@dev1:~$ python get_subnets_of_spf_record_mynetwoks.py
Working on job office365
Working on job google

Two files are created:

max@dev1:~$ cat /etc/postfix/networks/google 
64.18.0.0/20 OK
64.233.160.0/19 OK
66.102.0.0/20 OK
66.249.80.0/20 OK
72.14.192.0/18 OK
74.125.0.0/16 OK
108.177.8.0/21 OK
173.194.0.0/16 OK
207.126.144.0/20 OK
209.85.128.0/17 OK
216.58.192.0/19 OK
216.239.32.0/19 OK
[2001:4860:4000::]/36 OK
[2404:6800:4000::]/36 OK
[2607:f8b0:4000::]/36 OK
[2800:3f0:4000::]/36 OK
[2a00:1450:4000::]/36 OK
[2c0f:fb50:4000::]/36 OK
172.217.0.0/19 OK
108.177.96.0/19 OK
max@dev1:~/test$ cat /etc/postfix/networks/office365
207.46.101.128/26 OK
207.46.100.0/24 OK
207.46.163.0/24 OK
65.55.169.0/24 OK
157.56.110.0/23 OK
157.55.234.0/24 OK
213.199.154.0/24 OK
213.199.180.0/24 OK
157.56.112.0/24 OK
207.46.51.64/26 OK
157.55.158.0/23 OK
64.4.22.64/26 OK
40.92.0.0/14 OK
40.107.0.0/17 OK
40.107.128.0/17 OK
134.170.140.0/24 OK
[2a01:111:f400::]/48 OK
23.103.128.0/19 OK
23.103.198.0/23 OK
65.55.88.0/24 OK
104.47.0.0/17 OK
23.103.200.0/21 OK
23.103.208.0/21 OK
23.103.191.0/24 OK
216.32.180.0/23 OK
94.245.120.64/26 OK
[2001:489a:2202::]/48 OK

In Postfix they are included in main.cf:

# ----------------------------------------------------------------------
# My Networks
# ----------------------------------------------------------------------
mynetworks =
        cidr:/etc/postfix/networks/local
        cidr:/etc/postfix/networks/other
        cidr:/etc/postfix/networks/google
        cidr:/etc/postfix/networks/office365

Since the records can change from time to time, it is advisable to set up a cron job for this. I have a variant with diff that only patches if the result is not empty.

The script can also be adapted for other services, etc.:

lookup_spf = {
# Google Apps for Business
"google": {
          "domain": "google.com",
          "file"  : "/etc/postfix/networks/google",
          },

# Office365
"office365": {
          "domain": "spf.protection.outlook.com",
          "file"  : "/etc/postfix/networks/office365",
          },

# Example
"example": {
          "domain": "example.com",
          "file"  : "/etc/postfix/networks/example",
          },

}

Source code:

#!/usr/bin/env python3

#
# get_subnets_of_spf_record_mynetwoks.py
# Resolve all known ip addresses from spf record and generate cidr map for postfix
#
# Version 1.0
# Written by Maximilian Thoma (http://www.lanbugs.de)
#
# The generated files can be used in postfix config with for example mynetworks = cidr:/etc/postfix/<generated_file>
#
# This program is free software; you can redistribute it and/or modify it under the terms of the
# GNU General Public License as published by the Free Software Foundation;
# either version 2 of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with this program;
# if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, 
# MA 02110, USA
#

#
# Requirements:
# Python 3
# dnspython module (>= 2.0)  -> pip install dnspython
#

import dns.resolver
from dns.exception import DNSException
import re
import sys

# Look for DNS Record at:
#
# "jobname": {
#            "domain": "domainname",
#            "file": "output_file",
#            }
#

lookup_spf = {
# Google Apps for Business
"google": {
          "domain": "google.com",
          "file"  : "/etc/postfix/networks/google",
          },

# Office365
"office365": {
          "domain": "spf.protection.outlook.com",
          "file"  : "/etc/postfix/networks/office365",
          },
}

############################################################################################

def getspf(record, filehandler, seen=None):
    # Remember visited domains so that circular includes cannot recurse forever
    if seen is None:
        seen = set()
    if record in seen:
        return
    seen.add(record)

    # Init Resolver
    myResolver = dns.resolver.Resolver()

    try:
        # Try to lookup TXT record
        myAnswer = myResolver.resolve(record, "TXT")

    except DNSException:
        sys.stderr.write("Failed to query record %s, SPF broken.\n" % record)
        return

    results = []

    for rdata in myAnswer:
        # A TXT record can be split into several strings: join and decode them
        txt_string = b"".join(rdata.strings).decode("ascii", "replace")
        # Append to SPF Records buffer if it is an SPF record
        if txt_string.lower().startswith("v=spf1"):
            results.append(txt_string)

    # If results >=1
    if len(results) >= 1:
        # Work on records
        for spf in results:
            # Split parts
            parts = spf.split(" ")
            # Check parts
            for part in parts:

                s_include = re.match(r"^include:(?P<domain>.*)$", part)
                s_ip4 = re.match(r"^ip4:(?P<ip4>.*)$", part)
                s_ip6 = re.match(r"^ip6:(?P<ip6>.*)$", part)

                # If in part "include" found, next round
                if s_include:
                    getspf(s_include.group('domain'), filehandler, seen)
                # elif ip4 found
                elif s_ip4:
                    filehandler.write(s_ip4.group('ip4') + " OK\n")
                # elif ip6 found
                elif s_ip6:
                    ip6 = s_ip6.group('ip6')
                    # Address goes into brackets, the prefix length (if any) after them
                    if "/" in ip6:
                        filehandler.write("[" + ip6.replace("/", "]/") + " OK\n")
                    else:
                        filehandler.write("[" + ip6 + "] OK\n")
                # else no valid record
                else:
                    pass
    # no results 
    else:
        sys.stderr.write("No results for %s\n" % record)

def main():
    # Working on jobs
    for jobname, config in lookup_spf.items():

        print("Working on job %s" % jobname)

        # open file (closed automatically at the end of the block)
        with open(config['file'], 'w') as filehandler:
            # start query spf records
            getspf(config['domain'], filehandler)


if __name__ == "__main__":
    main()
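
The cron variant mentioned above (patch only when the result is not empty) is not shown on the page. The following is an added example of that idea, not the author's code: each ip4:/ip6: value is validated with ipaddress, overly wide prefixes are dropped, and the map is replaced atomically only when the new content is non-empty and differs from the old file. MIN_PREFIX, SAMPLE_TXT and the function names are assumptions; lookup_txt stands in for the DNS query so that the block runs offline.

```python
import ipaddress
import os
import tempfile
from pathlib import Path

# Assumed sanity limit (not from the page): never trust wider prefixes
MIN_PREFIX = {4: 8, 6: 16}
# Constructed sample records (documentation ranges) standing in for DNS
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"],
    "_spf.example.net": ["v=spf1 include:example.com ip6:2001:db8:4000::/36 "
                         "ip4:0.0.0.0/0 ip4:198.51.100.7;REJECT -all"],
}

def spf_networks(domain, lookup_txt, seen=None):
    """Collect validated ip4:/ip6: networks, following include: recursively."""
    seen = set() if seen is None else seen
    if domain in seen:                       # circular include, stop here
        return []
    seen.add(domain)
    nets = []
    for txt in lookup_txt(domain):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            key, _, value = term.partition(":")
            if key == "include":
                nets += spf_networks(value, lookup_txt, seen)
            elif key in ("ip4", "ip6"):
                try:                         # only real prefixes reach the map
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue
                if net.version == int(key[2]) and net.prefixlen >= MIN_PREFIX[net.version]:
                    nets.append(net)
    return nets

def render_cidr_map(nets):
    """Format networks like the files shown on the page (IPv6 in brackets)."""
    lines = ["[%s]/%d OK" % (n.network_address, n.prefixlen) if n.version == 6
             else "%s OK" % n for n in dict.fromkeys(nets)]
    return "".join(line + "\n" for line in lines)

def update_map(path, content):
    """Atomically replace path; return True only if the file was changed."""
    old = Path(path).read_text() if Path(path).exists() else None
    if not content or content == old:        # failed lookup or no change
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o644)                     # mkstemp creates the file 0600
    os.replace(tmp, path)                    # rename: never a half-written map
    return True
```

In a cron job, run "postfix reload" only when update_map returns True.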

 

Deleting mails from specific senders from the Postfix queue

These commands delete mails from the Postfix queue that got stuck there because of delivery problems. This is especially useful when you have a customer with a malware infection on the server and want to clear the remains out of the queue. The pattern is matched against the whole queue entry, so entries that list the address as a recipient are selected as well.

For the complete domain:

postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /@example\.com/ { print $1 }' | tr -d '*!' | postsuper -d -

For a single sender:

postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } /mail@example\.com/ { print $1 }' | tr -d '*!' | postsuper -d -

 

HP server tools for Debian/Ubuntu

HP provides its own tools for various Linux distributions, among them the System Health Application and Command line Utilities, the iLO Online Configuration Utilities and the Insight Management Agents.

HP SDR (Software Delivery Repository): http://downloads.linux.hpe.com/SDR/index.html

Add the repository for Debian 8 (jessie)

Create /etc/apt/sources.list.d/HP-mcp.list

deb http://downloads.linux.hpe.com/SDR/repo/mcp jessie/current non-free

Alternatively, add the repository for Ubuntu 16.04 LTS

Create /etc/apt/sources.list.d/HP-mcp.list

deb http://downloads.linux.hpe.com/SDR/repo/mcp xenial/current non-free

Import the repository PGP keys (curl is required)

curl http://downloads.linux.hpe.com/SDR/hpPublicKey1024.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpPublicKey2048_key1.pub | apt-key add -
curl http://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -

Update the package sources

apt update

Install the packages (hp-health, hponcfg, hp-snmp-agents)

apt install hp-health hponcfg hp-snmp-agents

HP-Health (hpasmcli)

The command for the health tools is hpasmcli.

root@rzm-srv01e13:~# hpasmcli
HPE management CLI for Linux (v2.0)
Copyright 2015 Hewlett Packard Enterprise Development LP.

--------------------------------------------------------------------------
NOTE: Some hpasmcli commands may not be supported on all Proliant servers.
      Type 'help' to get a list of all top level commands.
--------------------------------------------------------------------------
hpasmcli> 

Examples

show server

hpasmcli> show server
System        : ProLiant DL360 G7
Serial No.    : XXXXXXXXXX      
ROM version   : P68 08/16/2015
UEFI Support  : No
iLo present   : Yes
Embedded NICs : 4
  NIC1 MAC: d8:9d:67:aa:aa:aa
  NIC2 MAC: d8:9d:67:bb:bb:bb
  NIC3 MAC: d8:9d:67:cc:cc:cc
  NIC4 MAC: d8:9d:67:dd:dd:dd

Processor: 0
  Name         : Intel(R) Xeon(R) CPU E5640 @ 2.67GHz            
  Stepping     : 2
  Speed        : 2667 MHz
  Bus          : 133 MHz
  Core         : 4
  Thread       : 8
  Socket       : 1
  Level1 Cache : 128 KBytes
  Level2 Cache : 1024 KBytes
  Level3 Cache : 12288 KBytes
  Status       : Ok

Processor: 1
  Name         : Intel(R) Xeon(R) CPU E5640 @ 2.67GHz            
  Stepping     : 2
  Speed        : 2667 MHz
  Bus          : 133 MHz
  Core         : 4
  Thread       : 8
  Socket       : 2
  Level1 Cache : 128 KBytes
  Level2 Cache : 1024 KBytes
  Level3 Cache : 12288 KBytes
  Status       : Ok

Processor total  : 2

Memory installed : 49152 MBytes
ECC supported    : Yes

show temp

hpasmcli>  show temp         
Sensor   Location              Temp       Threshold
------   --------              ----       ---------
#1        AMBIENT              22C/71F    42C/107F 
#2        PROCESSOR_ZONE       40C/104F   82C/179F 
#3        PROCESSOR_ZONE       40C/104F   82C/179F 
#4        MEMORY_BD            35C/95F    87C/188F 
#5        MEMORY_BD            38C/100F   78C/172F 
#6        MEMORY_BD            35C/95F    87C/188F 
#7        MEMORY_BD            36C/96F    78C/172F 
#8        MEMORY_BD            38C/100F   87C/188F 
#9        MEMORY_BD            37C/98F    78C/172F 
#10       MEMORY_BD            37C/98F    87C/188F 
#11       MEMORY_BD            37C/98F    78C/172F 
#12       POWER_SUPPLY_BAY     39C/102F   59C/138F 
#13       POWER_SUPPLY_BAY     50C/122F   73C/163F 
#14       MEMORY_BD            32C/89F    72C/161F 
#15       PROCESSOR_ZONE       35C/95F    73C/163F 
#16       PROCESSOR_ZONE       34C/93F    64C/147F 
#17       MEMORY_BD            35C/95F    63C/145F 
#18       PROCESSOR_ZONE       43C/109F   69C/156F 
#19       SYSTEM_BD            39C/102F   69C/156F 
#20       SYSTEM_BD            43C/109F   71C/159F 
#21       SYSTEM_BD            50C/122F   65C/149F 
#22       SYSTEM_BD            52C/125F   71C/159F 
#23       SYSTEM_BD            45C/113F   69C/156F 
#24       SYSTEM_BD            50C/122F   69C/156F 
#25       SYSTEM_BD            39C/102F   63C/145F 
#26       SYSTEM_BD            49C/120F   66C/150F 
#27       SCSI_BACKPLANE_ZONE  50C/122F   60C/140F 
#28       SYSTEM_BD            72C/161F   110C/230F

show fan

hpasmcli>  show fan 
Fan  Location        Present Speed  of max  Redundant  Partner  Hot-pluggable
---  --------        ------- -----  ------  ---------  -------  -------------
#1   SYSTEM          Yes     NORMAL  29%     Yes        0        No            
#2   SYSTEM          Yes     NORMAL  29%     Yes        0        No            
#3   SYSTEM          Yes     NORMAL  29%     Yes        0        No            
#4   SYSTEM          Yes     NORMAL  29%     Yes        0        No            

show powersupply

hpasmcli> show powersupply
Power supply #1
  Present  : Yes
  Redundant: No
  Condition: Ok
  Hotplug  : Supported
  Power    : 110 Watts
Power supply #2
  Present  : Yes
  Redundant: No
  Condition: FAILED
  Hotplug  : Supported

Commands can also be run without the interactive hpasmcli shell.

root@rzm-srv01e13:~# hpasmcli -s "show fan; show powersupply"

Fan  Location        Present Speed  of max  Redundant  Partner  Hot-pluggable
---  --------        ------- -----  ------  ---------  -------  -------------
#1   SYSTEM          Yes     NORMAL  30%     Yes        0        No            
#2   SYSTEM          Yes     NORMAL  30%     Yes        0        No            
#3   SYSTEM          Yes     NORMAL  30%     Yes        0        No            
#4   SYSTEM          Yes     NORMAL  30%     Yes        0        No            


Power supply #1
  Present  : Yes
  Redundant: No
  Condition: Ok
  Hotplug  : Supported
  Power    : 115 Watts
Power supply #2
  Present  : Yes
  Redundant: No
  Condition: FAILED
  Hotplug  : Supported

hponcfg (Online iLO Configuration Utility)

hponcfg lets you configure the iLO without rebooting the system.

root@rzm-srv01e13:~# hponcfg 
HP Lights-Out Online Configuration utility
Version 4.6.0 Date 09/28/2015 (c) Hewlett-Packard Company, 2015
Firmware Revision = 1.87 Device type = iLO 3 Driver name = hpilo

USAGE:
  hponcfg  -?
  hponcfg  -h
  hponcfg  -m minFw
  hponcfg  -r [-m minFw ]
  hponcfg  [-a] -w filename [-m minFw]
  hponcfg  -g [-m minFw]
  hponcfg  -f filename [-l filename] [-s namevaluepair] [-v] [-m minFw]
  hponcfg  -i [-l filename] [-s namevaluepair] [-v] [-m minFw]

  -h,  --help           Display this message
  -?                    Display this message
  -r,  --reset          Reset the Management Processor to factory defaults
  -b,  --reboot         Reboot Management Processor without changing any setting
  -f,  --file           Get/Set Management Processor configuration from "filename" 
  -i,  --input          Get/Set Management Processor configuration from the XML input 
                        received through the standard input stream.
  -w,  --writeconfig    Write the Management Processor configuration to "filename"
  -a,  --all            Capture complete Management Processor configuration to the file.
                        This should be used along with '-w' option
  -l,  --log            Log replies to "filename"
  -v,  --xmlverbose     Display all the responses from Management Processor
  -s,  --substitute     Substitute variables present in input config file
                        with values specified in "namevaluepairs"
  -g,  --get_hostinfo   Get the Host information
  -m,  --minfwlevel     Minimum firmware level

hp-snmp-agents (SNMP extensions for HP sensors)

HP ships a menu-driven configuration tool that guides you through the basic setup.

/sbin/hpsnmpconfig

I only changed the read/write and read-only community and left everything else at the default.

Afterwards I made some corrections in /etc/snmp/snmpd.conf

# Adjust the communities
# Write access from loopback only
rwcommunity supergeheim 127.0.0.1
# Read access for monitoring
rocommunity public 10.10.10.200

# Listener adjusted so that it is only reachable on the management network interface
agentAddress  udp:10.10.10.1:161

Don't forget to restart the SNMP daemon:

service snmpd restart

 

 

Check_MK: Agent monitoring via SSH

If querying the Check_MK agent unencrypted is not an option, the agent can be queried over SSH.

Generate an SSH key in the OMD environment

OMD[dev1]:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/omd/sites/dev1/.ssh/id_rsa): 
Created directory '/omd/sites/dev1/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /omd/sites/dev1/.ssh/id_rsa.
Your public key has been saved in /omd/sites/dev1/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:1Gxpgs9G9f4nK5uIvhe1iKU8xII1UzxFGZ7aApkYsNI dev1@cmkdev.m.local
The key's randomart image is:
+---[RSA 2048]----+
|  ...  o.o=o     |
| . . o++o=.+     |
|. E .o=++.O .    |
| .  . .*o*...    |
|       +S+.o..   |
|       .=.o ..   |
|         . .  o .|
|         ..... + |
|       .+o. oo.  |
+----[SHA256]-----+

On the target system, create a user, authorize it for the agent via sudo and install the SSH public key

Create the user monitoring

root@target:~# adduser monitoring
Lege Benutzer »monitoring« an ...
Lege neue Gruppe »monitoring« (1003) an ...
Lege neuen Benutzer »monitoring« (1002) mit Gruppe »monitoring« an ...
Erstelle Home-Verzeichnis »/home/monitoring« ...
Kopiere Dateien aus »/etc/skel« ...
Geben Sie ein neues UNIX-Passwort ein: 
Geben Sie das neue UNIX-Passwort erneut ein: 
passwd: password updated successfully
Changing the user information for monitoring
Enter the new value, or press ENTER for the default
  Full Name []: Monitoring
  Room Number []: 
  Work Phone []: 
  Home Phone []: 
  Other []: 
Sind diese Informationen korrekt? [J/n] j

Edit the /etc/sudoers file

monitoring     ALL = NOPASSWD: /usr/bin/check_mk_agent

Create /home/monitoring/.ssh/authorized_keys

command="sudo /usr/bin/check_mk_agent" ssh-rsa AAAAB3NzaC..................GOXzCLX dev1@cmkdev.m.local

Adjust permissions

chmod 700 /home/monitoring/.ssh/
chmod 600 /home/monitoring/.ssh/authorized_keys

Disable xinetd port 6556

Edit /etc/xinetd.d/check_mk

disable = yes

Then run "service xinetd restart".

Tell Check_MK that the agent has to be queried via SSH

A rule has to be created in WATO for this.

It can be found under: Host & Service Parameters -> Datasource Programs -> Individual program call instead of agent access

Command line to execute:

ssh -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no monitoring@$HOSTADDRESS$

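With StrictHostKeyChecking=no, ssh adds unknown host keys without asking and still connects when a host key has changed, so the identity of the target is not verified.

Save and deploy the rules; afterwards you can use WATO to discover the services, etc.

Have fun 😉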