[Mailman-Users] GSOC idea: mail server/DNS server/mailing list healthcheck

Rich Kulawiec rsk at gsp.org
Tue Apr 17 10:28:20 EDT 2018


The idea for this comes from some of the web sites that perform this;
unfortunately most of them are "upgrading" from simple, fast, easy
checks to bloated ones that use a ton of JavaScript, can't be scripted,
and are increasingly behind signups/paywalls/etc.

The concept is simple: given a domain, check its DNS, mail, etc.
setup for correctness and consistency.  For example:

	- does it have an A record?
	- is that a valid hostname?
	- does it have an AAAA record?
	- is that a valid hostname?
	- does it have MX records?
	- are the MX records *not* CNAMEs?
	- are they valid hostnames?
	- do those hostnames resolve to public IP addresses?
	- are any of those MX records duplicates?
	- are all the MX responding?
	- are the MX weights valid?
	- do all MX's pass FCrDNS check?
	- does it have NS records?
	- are they valid hostnames?
	- do they have A, AAAA records?
	- are they in public IP space?
	- are the NS records *not* CNAMEs?
	- do all NS pass FCrDNS check?
	- are any of those NS records duplicates?
	- does the list of NS match the list of authoritative NS?
	- do all the NS return the same list of NS?
	- do all the NS return the same list of MX?
	- do the NS *not* allow recursion?
	- are any of the NS lame?
	- are any of the NS missing?
	- are all the NS responding?
	- is there a working postmaster address?
	- is there a working abuse address?
	- is there a working hostmaster address?
	- if not, is there a working address that matches the one in the SOA?
	- is the domain's SOA sane?  (e.g. plausible serial number,
		refresh, retry, etc.)
	- do all the NS return the same SOA with the same serial number?
	- is there ASN diversity among the NS?
	- and so on

Those are the sort of checks that pertain to the operation of any domain
and its nameservers and mail exchangers.  But in addition, if run on a
Mailman 2 or 3 host:

	- what mailing lists are public?
	- what mailing lists are private?
	- does every list have a working -request address?
	- does every list have a working -owner address?
	- does every list have a working -bounces address?
	- if any list supports the optional -subscribe address,
		does it have a -unsubscribe address?
	- if any list supports the optional -join address,
		does it have a -leave address?
	- and so on

Note: command-line tool.  It has to be, because then it can be scripted
and run via cron and so on.  Besides, anyone running name servers,
mail servers, etc., had better be able to work at the command line.

Note: should work on systems that aren't running Mailman: just can't
analyze Mailman then, of course.  This leaves open the door for people
using other MLMs to write checks that work with those.  And maybe that'd
be a nice thing to do.

Note: should have varying levels of verbosity, including one that
explains why something is wrong by referencing RFCs/BCPs/manual by
chapter and verse.

Note: the second set of checks (above) is outside the scope of what
Mailman checks inside itself.  That is, they require correlating
what Mailman thinks should be in place versus what's actually in
place in the MTA.

---rsk
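
A few of the checks listed in the message above, as an added example that is not part of the original post or of any Mailman code: it runs offline over constructed resolver answers and reports MX/NS/SOA inconsistencies. The `check_zone` function, the check ids, and all hostnames and addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: what each authoritative server answered for one zone.
ANSWERS = {
    "ns1.example.net": {"soa_serial": 2018041701,
                        "ns": ["ns1.example.net", "ns2.example.net"],
                        "mx": [(10, "mx1.example.net"), (20, "mx2.example.net")]},
    "ns2.example.net": {"soa_serial": 2018041601,
                        "ns": ["ns2.example.net", "ns1.example.net"],
                        "mx": [(10, "mx1.example.net"), (20, "mx2.example.net"),
                               (30, "mx2.example.net")]},
}
CNAMES = {"mx2.example.net": "mail.example.org"}             # constructed
ADDRS = {"mx1.example.net": ["93.184.216.34", "10.0.0.25"]}  # constructed

def check_zone(answers, cnames, addrs):
    """Return a list of (check_id, detail) findings; an empty list means every check passed."""
    findings = []
    # Do all the NS return the same SOA serial, NS list and MX list?
    for field in ("soa_serial", "ns", "mx"):
        views = {}
        for server, ans in sorted(answers.items()):
            value = ans[field]
            key = value if isinstance(value, int) else tuple(sorted(set(value)))
            views.setdefault(key, []).append(server)
        if len(views) > 1:
            groups = " vs ".join(",".join(servers) for servers in views.values())
            findings.append((field + "_mismatch", groups))
    # Are any MX records duplicates, and are the preferences valid 16-bit values?
    for server, ans in sorted(answers.items()):
        seen = set()
        for pref, host in ans["mx"]:
            if host in seen:
                findings.append(("mx_duplicate", f"{server}: {host}"))
            seen.add(host)
            if not 0 <= pref <= 65535:
                findings.append(("mx_bad_preference", f"{server}: {pref} {host}"))
    # Are the MX targets real hostnames (not CNAMEs) with public addresses?
    targets = {host for ans in answers.values() for _, host in ans["mx"]}
    for host in sorted(targets):
        if host in cnames:
            findings.append(("mx_is_cname", f"{host} -> {cnames[host]}"))
        for ip in addrs.get(host, []):
            if not ipaddress.ip_address(ip).is_global:
                findings.append(("mx_not_public", f"{host} {ip}"))
    return findings

if __name__ == "__main__":
    for check_id, detail in check_zone(ANSWERS, CNAMES, ADDRS):
        print(f"FAIL {check_id}: {detail}")
```

Because the function takes plain dictionaries, the live lookups can come from any resolver library, and the same function can be run from cron with a non-empty result mapped to a non-zero exit status.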

