From cc7e229522f3fe6303582b13e4828ecb81073b7f Mon Sep 17 00:00:00 2001 From: Philippe Parage Date: Fri, 5 Jul 2024 15:23:32 +0200 Subject: [PATCH 1/3] frontend conversion; --- testing/templates/check_email.html | 30 ++++++--- testing/templates/check_file.html | 65 ++++++++++++------- testing/templates/check_infra.html | 17 ++++- testing/templates/check_website.html | 3 +- testing/templates/email_policy_generator.html | 2 +- 5 files changed, 80 insertions(+), 37 deletions(-) diff --git a/testing/templates/check_email.html b/testing/templates/check_email.html index 6fb6463f..8897b23c 100644 --- a/testing/templates/check_email.html +++ b/testing/templates/check_email.html @@ -1,6 +1,21 @@ {% extends "base.html" %} {% load tags %} {% block content %} +
+
+
+
+
+

E-Mail Security Checker

+
+

Assess the security of your email setup (SPF and DMARC DNS records, DNSSEC deployment, etc.)!

+
+
+

+ Assess the security of your email setup (SPF and DMARC DNS records, DNSSEC deployment, etc.)

+
+
+
{% else %} @@ -78,7 +75,7 @@

Overview of {{ result.domain }}

SPF record
- {% if result.dmarc.valid %} + {% if result.dmarc_valid %} {% else %} @@ -97,30 +94,8 @@

Overview of {{ result.domain }}

{% endif %} Signed Domain Name (DNSSEC)
- -
- {% if result.dkim %} + +
-->
@@ -154,192 +128,134 @@

Vulnerability

-
- + - - -
-
-
- {% if result.spf.valid %} - +
+
+
+ {% if result.spf_valid %} + + {% else %} + + {% endif %} + SPF Record +
+
+

The Sender Policy Framework (SPF) is an email validation protocol that helps detect and block email spoofing. Email spoofing is a common technique used in phishing and spam emails. SPF allows the receiving mail server to verify that incoming mail from a domain comes from a host authorized by that domain’s administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records.

+
+ {% if result.spf_valid %} + {% else %} - + {% endif %} - SPF Record -
- -
-

The Sender Policy Framework (SPF) is an email validation protocol that helps - detect and block email spoofing. Email spoofing is a common technique used in - phishing and spam emails. SPF allows the receiving mail server to verify that - incoming mail from a domain comes from a host authorized by that domain’s - administrators. The list of authorized sending hosts for a domain is published - in the Domain Name System (DNS) records.

-
- {% if result.spf.valid %} - - {% else %} - - {% endif %} -
-
-

SPF Record

- {{ result.spf.record }} -

Valid: - {% if result.spf.valid %} - - {% else %} - - {% endif %} -

-
+
+
+

SPF Record

+ {{ result.spf }} +

Valid: + {% if result.spf_valid %} + + {% else %} + + {% endif %} +

-
- -
-
-

Create and publish an SPF record in your DNS settings for your domain. - The SPF record specifies which email servers are authorized to send - emails - on behalf of your domain.

-

Identify the IP addresses of your legitimate email servers and include - them in your SPF record. This ensures that only authorized servers can - send emails using your domain name.

-

Configure your SPF record with a "hard fail" mechanism (-all) to - explicitly - reject any emails that do not originate from authorized IP addresses. - This helps prevent unauthorized sources from sending emails on behalf of - your domain.

-

Consider implementing SPF alignment mechanisms, such as DMARC - (Domain-based Message Authentication, Reporting, and Conformance), - to further strengthen email authentication and protect against domain - spoofing.

-
+
+
+ +
+
+

Create and publish an SPF record in your DNS settings for your domain. The SPF record specifies which email servers are authorized to send emails on behalf of your domain name. Identify the IP addresses of your legitimate email servers and include them in your SPF record. This ensures that only authorized servers can send emails using your domain name. Configure your SPF record with a "hard fail" mechanism (-all) to explicitly reject any emails that do not originate from authorized IP addresses. This helps prevent unauthorized sources from sending emails on behalf of your domain. Consider implementing SPF alignment mechanisms, such as DMARC (Domain-based Message Authentication, Reporting, and Conformance), to further strengthen email authentication and protect against domain spoofing.

+
+
+
-
- - - -
-
-
- {% if result.dmarc.valid %} - +
+
+
+ {% if result.dmarc_valid %} + + {% else %} + + {% endif %} + DMARC Record +
+
+

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that provides additional protection against email spoofing and phishing attacks. It uses the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) standards. DMARC enables a domain owner to specify how mail servers should handle messages from their domain that don’t pass SPF or DKIM checks. This adds an extra layer of security

+
+ {% if result.dmarc_valid %} + {% else %} - - {% endif %} - DMARC Record -
-
-

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an - email authentication protocol that provides additional protection against - email spoofing and phishing attacks. It uses the Sender Policy Framework (SPF) - and DomainKeys Identified Mail (DKIM) standards. DMARC enables a domain owner - to specify how mail servers should handle messages from their domain that - don’t pass SPF or DKIM checks. This adds an extra layer of security

-
- {% if result.dmarc.valid %} - - {% else %} - - {% endif %} -
-
-

DMARC Record

- {{ result.dmarc.record }} -

Valid: - {% if result.dmarc.valid %} - - {% else %} - - {% endif %} -

-
+ {% endif %} +
+
+

DMARC Record

+ {{ result.dmarc }} +

Valid: + {% if result.dmarc_valid %} + + {% else %} + + {% endif %} +

+
+
+
-
- -
-
-
- {% if result.dkim %} - - {% elif result.dkim is None %} - - {% else %} - - {% endif %} - DKIM Record -
-
-

DomainKeys Identified Mail (DKIM) is an email authentication method that helps - to verify the authenticity and integrity of email messages. It adds a digital - signature to the email headers, which allows the receiving email server to - verify - that the email has not been tampered with during transit and that it was indeed - sent by the claimed domain.

+ -
-
-
- {% if result.dnssec %} - - {% else %} - - {% endif %} - Signed Domain Name (DNSSEC) -
-
-

DNSSEC (Domain Name System Security Extensions) is a set of cryptographic - protocols - and security measures designed to enhance the security of the Domain Name - System (DNS). By digitally signing DNS data, DNSSEC ensures data integrity - and authenticity, protecting against various forms of DNS attacks like cache - poisoning or DNS spoofing. It uses public key cryptography to verify the - authenticity - of DNS responses and provides a chain of trust from the root DNS - servers down to the individual domain names, ensuring that the DNS information - received by a user is valid and has not been tampered with during - transmission.

-
- {% if result.dnssec %} - - {% else %} - - {% endif %} -
-
- {{ result.dnssec}} -
-
-
-
-
- -
-
-

- IPv6 is the next generation of the Internet Protocol, and it offers a - number of advantages over IPv4, the current version of the protocol. -

-
    -
  • - Address exhaustion: IPv4 is running out of available addresses due to - the rapid growth of connected devices. IPv6 provides a significantly - larger address space, ensuring that there are enough unique IP - addresses - to accommodate the expanding number of devices and services. -
  • -
  • - Future-proofing: As the industry shifts towards IPv6, enabling IPv6 - support ensures compatibility and seamless communication with the - growing number of IPv6-enabled networks and devices. It future-proofs - your infrastructure, avoiding potential connectivity issues and the - need - for costly workarounds. -
  • -
  • - Enhanced functionality: IPv6 offers improvements in areas such as - autoconfiguration, mobility, and quality of service, allowing for - more - efficient and advanced network operations. Enabling IPv6 unlocks these - enhanced functionalities, promoting a better user experience and - enabling innovative applications and services. -
  • -
  • - Global reachability: With IPv6, your services can reach a larger - global - audience, including regions and networks that primarily use IPv6. By - enabling IPv6, you expand your online presence and increase - accessibility to your web services. -
  • -
  • - Security advancements: IPv6 includes built-in security features, such - as - IPsec (Internet Protocol Security), which provides native encryption, - authentication, and data integrity. Enabling IPv6 allows you to - leverage - these security enhancements, improving the confidentiality and - integrity - of your network traffic. -
  • -
- -
-
-
+
--> -
- - - - -
-
-
- Mail Exchanger (MX) Records -
-
-
    - {% for warning in mx.warnings %} -
  • {{ warning }}
  • - {% endfor %} -
- {% for host in result.mx.hosts %} -

{{ host.hostname }}

+
+ +
+
+

+ IPv6 is the next generation of the Internet Protocol, and it offers a number of advantages over IPv4, the current version of the protocol. +

    -
  • Preference: {{ host.preference }}
  • -
  • StartTLS: - {% if host.starttls %} - - {% elif not host.starttls %} - - {% endif %} +
  • + Address exhaustion: IPv4 is running out of available addresses due to the rapid growth of connected devices. IPv6 provides a significantly larger address space, ensuring that there are enough unique IP addresses to accommodate the expanding number of devices and services.
  • -
  • TLS: - {% if host.tls %} - - {% elif not host.tls %} - - {%endif%} +
  • + Future-proofing: As the industry shifts towards IPv6, enabling IPv6 support ensures compatibility and seamless communication with the growing number of IPv6-enabled networks and devices. It future-proofs your infrastructure, avoiding potential connectivity issues and the need for costly workarounds. +
  • +
  • + Enhanced functionality: IPv6 offers improvements in areas such as auto-configuration, mobility, and quality of service, allowing for more efficient and advanced network operations. Enabling IPv6 unlocks these enhanced functionalities, promoting a better user experience and enabling innovative applications and services.
  • -
  • Addresses:
  • -
  • -
      - {% if result.host.addresses %} - {% for address in result.host.addresses %} -
    • {{ address }}
    • - {% endfor %} - {% else %} -
    • No addresses available
    • - {% endif %} -
    +
  • + Global reachability: With IPv6, your services can reach a larger global audience, including regions and networks that primarily use IPv6. By enabling IPv6, you expand your online presence and increase accessibility to your web services. +
  • +
  • + Security advancements: IPv6 includes built-in security features, such as IPsec (Internet Protocol Security), which provides native encryption, authentication, and data integrity. Enabling IPv6 allows you to leverage these security enhancements, improving the confidentiality and integrity of your network traffic.
- {% endfor %} +
+
+
+
- -
-
-
- Mailserver settings test for: {{ result.domain }} -
-
-

Base Domain: {{ result.base_domain }}

-

Name Servers

+
+
+
+ Mail Exchanger (MX) Records +
+
+
    + {% for warning in result.mx.warnings %} +
  • {{ warning }}
  • + {% endfor %} +
+ {% for host in result.mx.servers %} +

{{ host }}

    - {% for hostname in result.ns.hostnames %} -
  • {{ hostname }}
  • - {% endfor %} +
  • TLS: + {% if result.mx.tls.host %} + + {% else %} + + {% endif %} +
-
+ {% endfor %} +
+
+
- {% endif %} - - - {% endblock %} diff --git a/testing/views.py b/testing/views.py index cfdb5210..6211c688 100644 --- a/testing/views.py +++ b/testing/views.py @@ -29,6 +29,12 @@ ipv6_check, tls_version_check, web_server_check, + check_dnssec, + check_mx, + check_spf, + check_dmarc, + check_tls, + check_dkim ) from .models import DMARCRecord, DMARCReport, MailDomain @@ -164,10 +170,10 @@ def email_test(request): context = {} if request.method == "POST": try: - nb_tests = int(request.COOKIES["nb_tests"]) - except KeyError: + nb_tests = int(request.COOKIES.get("nb_tests", 0)) + except ValueError: nb_tests = 0 - if nb_tests == 3 and not request.user.is_authenticated: + if nb_tests >= 3 and not request.user.is_authenticated: messages.error( request, "You reached the maximum number of tests. Please create an account.", 
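Review bot: `{% if result.mx.tls.host %}` inside the new `{% for host in result.mx.servers %}` loop near the end of this hunk looks up the literal key "host" on the tls mapping rather than the loop variable, because Django's dotted lookup never interpolates variables, so every MX row ends up with the same TLS verdict (most likely the `{% else %}` branch). If `check_tls` returns a mapping keyed by hostname — views.py in this patch stores its return value under `tls`, which is an assumption to confirm — iterating that mapping directly is the simplest fix: `{% for host, tls_ok in result.mx.tls.items %}` with `{% if tls_ok %}` in the body. The `{% for warning in result.mx.warnings %}` loop just above it will also never render anything, since the `mx` dict built in views.py only carries `servers` and `tls`; either add a `warnings` entry there or drop the loop. The enclosing `{% block content %}` opens outside this hunk.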
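Review bot: `check_dkim` is the only added entry in the import list without a trailing comma, which breaks the one-name-per-line style the neighbouring entries (`ipv6_check,`, `tls_version_check,`, `web_server_check,`) follow and turns the next addition into a two-line diff; `check_dkim,` keeps it consistent. Since the rewritten branch in the `@@ -177` hunk no longer calls `email_check`, `check_dkim_public_key` or `tls_version_check`, the import statement that starts above this hunk probably now carries names unused in this module — worth a lint pass, although other views outside this diff may still use them.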
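Review bot: The anonymous-test quota this branch enforces is still read from an unsigned client cookie, so the new `.get("nb_tests", 0)` / `except ValueError` handling and the `>= 3` comparison make the parse safer but not the limit itself: `nb_tests` is whatever the client presents, and it is written back with a plain `response.set_cookie("nb_tests", nb_tests)` (visible as trailing context in the next hunk). Keeping the counter server-side in `request.session`, or at minimum reading it with `request.get_signed_cookie("nb_tests", 0)` and writing it with `response.set_signed_cookie`, would make the limit hold rather than merely be suggested. A short comment on the `try`, e.g. `# counter is client-supplied; treat a missing or unparsable cookie as 0`, would record why the default and the ValueError handler are there. `email_test` begins above this hunk and continues past it.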
@@ -177,33 +183,16 @@ def email_test(request):
 if not check_soa_record(target):
 context = {"status": False, "statusmessage": "The given domain is invalid!"}
 else:
- email_result = email_check(target)
- context.update(email_result)
- # messages.info(request, "Analyzed SPF/DMARC config")
- context.update(check_dkim_public_key(target, []))
- # messages.info(request, "Analyzed DKIM config")
- # context.update(ipv6_check(target, None))
- # messages.info(request, "Analyzed IPv6 configuration")
- context["tls_result"] = {}
- context["tls_lowest_sec_level"] = {}
- # messages.info(request, f"Found {len(email_result['mx']['hosts'])} MX hosts.")
- # for host in email_result["mx"]["hosts"]:
- # try:
- # tls_result = tls_version_check(host["hostname"], "mail")
- # context["tls_result"][host["hostname"]] = tls_result["result"]
- # context["tls_lowest_sec_level"][host["hostname"]] = tls_result[
- # "lowest_sec_level"
- # ]
- # except Exception:
- # continue
- # messages.info(request, f"MX host scanned.")
-
- # context.update({"status": True})
- # host["hostname"], None
- # )
- # context["tls_mx"] = tls_version_check(
- # host["hostname"]
- # )
+ dkim_selector = "default" # You may want to allow user input for this
+
+ context['domain'] = target
+ context['dnssec'] = check_dnssec(target)
+ mx_servers = check_mx(target)
+ context['mx'] = {'servers': mx_servers, 'tls': check_tls(mx_servers)}
+ context['spf'], context['spf_valid'] = check_spf(target)
+ context['dmarc'], context['dmarc_valid'] = check_dmarc(target)
+ context['dkim'], context['dkim_valid'] = check_dkim(target, dkim_selector)
+
 nb_tests += 1
 response = render(request, "check_email.html", {"result": context})
 response.set_cookie("nb_tests", nb_tests)
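Review bot: `dkim_selector = "default"` hard-codes a selector that only some domains publish, so `check_dkim(target, dkim_selector)` will report a missing DKIM record for any domain that uses a different one; the inline comment already admits this, and either taking the selector from the form (validated as a DNS label before it is used in a lookup) or probing a short list of common selectors would turn the result from a near-constant into a measurement. The error branch above sets `"status": False`, but the rewritten success branch never sets `status` at all — if `check_email.html` branches on `result.status` (the `{% else %}` in that file's first hunk suggests it may), set it here with `context["status"] = True`. The new lines also switch to single-quoted keys (`context['domain']`) while the rest of the function uses double quotes; `context["domain"]` keeps the file's style. `email_test` begins before this hunk and continues past it.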