Mini Shell
#!/opt/imh-python/bin/python3
from argparse import ArgumentParser, ArgumentTypeError as BadArg
import random
import re
import subprocess
import sys
import ipaddress
from typing import Literal
from collections.abc import Iterator
import dns.name
import dns.resolver
import dns.reversename
import dns.query
import dns.message
from dns.rcode import Rcode
from dns.rdatatype import RdataType
import rads
from rads.color import red, green, yellow as warn, blue as info
from cpapis import whmapi1
IMH_NS = {
"74.124.210.242",
"173.231.218.151",
"70.39.150.2",
"213.165.240.102",
"173.231.218.41",
"213.165.240.101",
"70.39.146.236",
"216.194.168.112",
"173.231.218.110",
}
WHH_NS = {"173.205.127.4", "209.182.197.185"}
if rads.IMH_ROLE != "shared":
print(
red("This script is meant for shared servers."),
red("Assuming this is a non-res IMH server."),
)
def iter_system_ips():
stdout = subprocess.check_output(
["ip", "addr", "show", "scope", "global"], encoding="utf-8"
)
for line in stdout.splitlines():
line = line.strip()
if not line.startswith("inet "):
continue
addr = line.split()[1].split("/")[0]
try:
ipaddr = ipaddress.IPv4Address(addr)
except ValueError:
continue
if ipaddr.is_global:
yield addr
SYSTEM_IPS = set(iter_system_ips())
PTR_SHARED = {x: True for x in SYSTEM_IPS}
if rads.IMH_CLASS == "hub":
THIS_BRAND = WHH_NS
WRONG_BRAND = IMH_NS
elif rads.IMH_CLASS == "reseller":
THIS_BRAND = IMH_NS | SYSTEM_IPS
WRONG_BRAND = WHH_NS
else:
THIS_BRAND = IMH_NS
WRONG_BRAND = WHH_NS
SHARED_RE = re.compile(
r"(?:(?:ec|ams)?(biz|ld|res|ngx)(?:dev)?\d+\."
r"(?:inmotionhosting|servconfig)|[ew]hub(?:dev)?\d+"
r"\.webhostinghub)\.com$"
)
PROPOSED = []
def cpuser_safe_arg(user: str) -> str:
"""Argparse type: checks rads.cpuser_safe"""
if not rads.cpuser_safe(user):
raise BadArg("user does not exist or is restricted")
return user
def parse_args() -> tuple[bool, dict[str, set[str]]]:
parser = ArgumentParser(description=__doc__)
parser.add_argument('--verbose', action='store_true')
parser.add_argument('--reseller', '-r', action='store_true', help='Enable reseller mode')
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('--domain', '-d', nargs='+', dest='domains')
group.add_argument(
'--user', '-u', nargs='+', type=cpuser_safe_arg, dest='users'
)
args = parser.parse_args()
allusers = []
if args.reseller:
for user in args.users:
allusers.append(user)
allusers.extend(rads.get_children(user))
else:
allusers = args.users
if args.users:
domains = {}
for user in allusers:
udata = rads.UserData(user)
domains[udata.primary.domain] = {x.domain for x in udata.subs}
for dom in [x.domain for x in udata.addons + udata.parked]:
if dom not in domains:
domains[dom] = set()
return args.verbose, domains
return args.verbose, {x: set() for x in args.domains}
def get_ns_ips(domain: str, verbose: bool) -> tuple[str, dict[str, str]]:
name = dns.name.from_text(domain)
depth = 2
default = dns.resolver.get_default_resolver()
resolver = random.choice(default.nameservers)
ns_ips = {}
last_split = False
last_success = ""
while not last_split:
name_split = name.split(depth)
last_split = name_split[0].to_unicode() == "@"
sub_name = name_split[1]
if verbose:
print(f"Looking up {sub_name} on {resolver}")
query = dns.message.make_query(sub_name, RdataType.NS)
response = dns.query.udp(query, resolver)
rcode = response.rcode()
if rcode != Rcode.NOERROR:
if rcode == Rcode.NXDOMAIN:
raise RuntimeError(f"{sub_name} dosn't appear to be registered")
raise RuntimeError(f"Error looking up {sub_name}: {Rcode.to_text(rcode)}")
if len(response.authority) > 0:
results = response.authority[0]
else:
results = response.answer[0]
if not getattr(results[0], "target", None):
if verbose:
print(f"Stopped at {name}. last lookup {sub_name} gave none")
return last_success, ns_ips
last_success = sub_name
ns_ips.clear()
for result in results:
hostname = result.target
ipaddr = default.resolve(hostname).rrset[0].to_text()
ns_ips[ipaddr] = hostname
if last_split:
return last_success, ns_ips
depth += 1
raise RuntimeError(f"{domain} dosn't appear to be registered")
def get_zone(domain: str) -> dict:
return whmapi1("dumpzone", {"domain": domain}, check=True)["data"]["zone"][0][
"record"
]
def check_spf_local(domain: str) -> bool:
found = False
try:
zone_file = get_zone(domain)
except Exception:
print(warn(f"Unable to find zone for {domain}"))
return False
txt_records = [
record
for record in zone_file
if record["type"] == "TXT" and record["name"] == f"{domain}."
]
if not txt_records:
print(f"No SPF records Found for {domain}")
return False
for record in txt_records:
txt: str = record["txtdata"]
if not txt.startswith("v=spf1 "):
continue
print("Found SPF record:", txt)
found = True
try:
parsed = SpfRecord(txt)
except Exception as exc:
print(red(f"Failed to parse above SPF record: {exc}"))
continue
if errs := parsed.errors | parsed.fatal:
print(red("Errors in above SPF record:"))
for err in errs:
print(red(f" - {err}"))
continue
if parsed.orig_had_mailchan:
print(green("SPF include found"))
else:
print(warn("SPF include not found"))
if not parsed.fatal and str(parsed).split() != txt.split():
print(warn("Suggested SPF record change:"))
print(f"Old: {txt}")
new = str(parsed)
print(f"New: {new}")
PROPOSED.append(
{
"domain": domain,
"record": "@",
"data": new,
"execute": lambda: whmapi1(
"editzonerecord",
{
"domain": domain,
"line": record["Line"],
"type": "TXT",
"txtdata": new,
},
check=True,
),
}
)
if not found:
print(f"No SPF records Found for {domain}")
return found
def check_auth_local(domain: str, require: bool):
if rads.IMH_CLASS == "hub":
auth = "v=mc1 auth=webhostinghub"
else:
auth = "v=mc1 auth=inmotionhosting"
found = False
name = f"_mailchannels.{domain}."
try:
zone_file = get_zone(domain)
except Exception:
if require:
print(warn(f"{name} not found"))
else:
print(f"{name} not found (OK: no SPF either)")
return
txt_records = [
record
for record in zone_file
if record["type"] == "TXT" and record["name"] == name
]
for record in txt_records:
txt: str = record["txtdata"].strip('"')
found = True
if txt == auth:
print(green("_mailchannels auth matches:"), auth)
else:
print(red("_mailchannels has unexpected auth:"), auth)
print(f"Expected: {auth}")
if not found:
if require:
print(warn(f"{name} not found"))
PROPOSED.append(
{
"domain": domain,
"record": "_mailchannels",
"data": auth,
"execute": lambda: whmapi1(
"addzonerecord",
{
"domain": domain,
"name": "_mailchannels",
"type": "TXT",
"txtdata": auth,
},
check=True,
),
}
)
else:
print(f"{name} not found (OK: no SPF either)")
class SpfRecord:
"""Parses an SPF record"""
def __init__(self, line: str):
self.errors = set()
self.fatal = set()
self.orig_had_mailchan = False
items = line.split()
if items[0] != "v=spf1":
self.errors.add("Invalid or missing SPF version")
items.insert(0, "v=spf1")
self._items = []
for item in items[1:]:
if "v=spf" in item:
self.errors.add("v=spf1 must be in the beginning only")
continue
try:
spf_item = SpfItem(self, item)
except Exception as exc:
self.fatal.add(f"Error parsing {item}: {exc}")
else:
self._items.append(spf_item)
self.pre_check()
self.orig_had_mailchan = self.has_mailchan()
if not self.fatal:
self.fix()
self.post_check()
def pre_check(self):
"""Pre self.fix() validation checks"""
if len([x for x in self._items if x.mechanism == "include"]) > 10:
self.errors.add("exceeds 10 include statements")
if not self._items:
raise ValueError("No clauses in SPF record")
if len(str(self)) > 255:
self.errors.add("SPF record length is too long")
if len([x for x in self._items if x.mechanism == "all"]) > 1:
self.errors.add("More than one 'all' clause")
if self._items[-1].mechanism != "all":
self.errors.add("Last statement is not an 'all' clause")
def post_check(self):
"""Post self.fix() validation checks"""
if len(str(self)) > 255:
self.fatal.add("Post auto-fix SPF length is too long")
if len([x for x in self._items if x.mechanism == "include"]) > 10:
self.fatal.add("exceeds 10 include statements")
def _iter_str_rules(self):
for item in self._items:
yield str(item)
def __str__(self) -> str:
return f"v=spf1 {' '.join(self._iter_str_rules())}"
def fix(self):
"""Try to fix the SPF record shared -> mailchannels"""
for index, item in enumerate(self._items):
if item.is_shared():
self._items[index] = SpfItem(self, "include:relay.mailchannels.net")
self._items = list(self._dedupe(self._fix_alls(self._add_record(self._items))))
def _dedupe(self, items: Iterator["SpfItem"]):
found = set()
for item in items:
if item.mechanism == "ptr":
self.errors.add("The 'ptr' clause is no longer in the SPF spec")
continue
val = str(item)
if val in found:
continue
yield item
found.add(val)
def _fix_alls(self, items: Iterator["SpfItem"]):
first_all = None
for item in items:
item: SpfItem
if item.mechanism == "all":
if first_all is None:
first_all = item
continue
yield item
if first_all is None:
# This is a soft fail. Ideally it should be a hard fail, -all, but
# when editing customer records, let's be more cautious.
yield SpfItem(self, "~all")
return
first_all: SpfItem
if first_all.qualifier not in "-~":
self.errors.add(f"{str(first_all)} would allow all")
first_all.qualifier = "~"
yield first_all
def _add_record(self, items: Iterator["SpfItem"]):
# We want to add it last, but before any "all" statements
added = False
for item in items:
if item.mechanism == "all":
yield SpfItem(self, "include:relay.mailchannels.net")
added = True
yield item
if not added:
yield SpfItem(self, "include:relay.mailchannels.net")
def has_mailchan(self) -> bool:
"""Return whether this SPF record contains the mailchan include"""
for item in self._items:
if str(item) == "include:relay.mailchannels.net":
return True
return False
class SpfItem:
"""Parses an SPF record column"""
qualifier: Literal["", "+", "-", "~", "?"]
mechanism: Literal[""]
extra: str
def __init__(self, parent: "SpfRecord", data: str):
# Qualifier:
# "+" Pass
# "-" Fail
# "~" SoftFail
# "?" Neutral
self.parent = parent
self.mechanism = ""
self.extra = ""
if data[0] in "+-~?":
self.qualifier = data[0]
data = data[1:]
else:
# unspecified means '?' but we're not looking to edit those
self.qualifier = ""
# Mechanism:
if data.startswith("a/"):
# a/<prefix-length>
self.mechanism = "a"
self.extra = data[1:]
return
if data.startswith("mx/"):
# mx/<prefix-length>
self.mechanism = "mx"
self.extra = data[2:]
return
for bare_mech in ("all", "mx", "a", "ptr"):
# mechanisms that can be specified with nothing following
if data == bare_mech:
self.mechanism = data
self.extra = ""
return
# mx:<domain>
# mx:<domain>/<prefix-length>
# a:<domain>
# a:<domain>/<prefix-length>
# ip4:<ip4-address>
# ip4:<ip4-network>/<prefix-length>
# ip6:<ip6-address>
# ip6:<ip6-network>/<prefix-length>
# include:<domain>
# exists:<domain>
# ptr:<domain> (deprecated)
mechanism_re = re.compile(r"(exists|include|ip4|ip6|a|mx)(:[^\s]+)$")
# exp=<domain>
# redirect=<domain>
modifier_re = re.compile(r"(exp|redirect)(=[^\s]+)")
for regex in (mechanism_re, modifier_re):
if match := regex.match(data):
self.mechanism, self.extra = match.groups()
if self.mechanism in ("exp", "redirect"):
# Qualitifiers are invalid here.
self.qualifier = ""
if (
self.mechanism == "include" and self.extra == ":relay.mailchannels.net"
) and self.qualifier != "":
self.parent.errors.add(
"include:relay.mailchannels.net should not have a prefix"
)
self.qualifier = ""
if self.mechanism == "include" and self.qualifier not in ("", "?"):
if self.extra != ":smtp.servconfig.com":
self.parent.errors.add(
f"{self.qualifier} is not a valid prefix for include:"
)
self.qualifier = ""
elif self.mechanism is None:
raise ValueError("Unknown mechanism")
def __str__(self) -> str:
return f"{self.qualifier}{self.mechanism}{self.extra}"
def is_shared(self) -> bool:
"""Return True if this SPF rule looks like it's pointing to a shared
server"""
if self.mechanism in ("a", "include"):
host = self.extra.lower().rstrip(".")
if host in (
":servconfig.com",
":smtp.servconfig.com",
):
return True
if self.mechanism == "a" and self.extra.startswith(":"):
try:
host = self.extra.lower()[1:]
except IndexError:
host = None
if host and SHARED_RE.match(host):
return True
if self.mechanism == "ip4" and self.extra.startswith(":"):
try:
ipaddr = self.extra[1:]
except IndexError:
ipaddr = None
if ipaddr and ptr_is_shared(ipaddr):
return True
if self.mechanism == "mx" and self.extra.startswith(":"):
try:
host = self.extra.lower()[1:]
except IndexError:
host = None
if host:
if SHARED_RE.match(host):
return True
if host.endswith("inmotionhosting.com"):
return True
if host.endswith("servconfig.com"):
return True
return False
def ptr_is_shared(ipaddr: str) -> bool:
"""Check if an IP has the PTR of a shared server"""
try:
rev = dns.reversename.from_address(ipaddr)
for result in dns.resolver.resolve(rev, "PTR"):
host = str(result).rstrip(".")
if SHARED_RE.match(host):
PTR_SHARED[ipaddr] = True
return True
except Exception:
pass
PTR_SHARED[ipaddr] = False
return False
def main():
verbose, domains = parse_args()
for domain, subdomains in domains.items():
# use IPs for ns here becasue of vanity nameservers
print(info(f"== Checking domain: {domain} =="))
try:
check_ns(domain, verbose)
except Exception as exc:
print(red(str(exc)))
continue
check_records(domain)
for subdomain in subdomains:
print(info(f"== Checking subdomain: {subdomain} =="))
check_records(subdomain)
if PROPOSED:
print("PROPOSED CHANGES")
for proposed in PROPOSED:
domain = proposed["domain"]
record = proposed["record"]
data = proposed["data"]
print(f"{domain} {record} {data}")
print("Approve & commit DNS changes? (y/n): ")
if input().lower().startswith("y"):
for proposed in PROPOSED:
print(proposed["execute"]())
def check_ns(domain: str, verbose: bool):
ns_dom, ns_ips = get_ns_ips(domain, verbose)
for ns_ip, ns_name in ns_ips.items():
if ns_ip in THIS_BRAND:
print(green(f"{ns_dom} has correct ns - {ns_name} ({ns_ip})"))
elif ns_ip in WRONG_BRAND:
print(red(f"{ns_dom} has ns of wrong brand - {ns_name} ({ns_ip})"))
else:
print(warn(f"{ns_dom} has external ns - {ns_name} ({ns_ip})"))
def check_records(zone: str):
try:
has_spf = check_spf_local(zone)
except Exception as exc:
print(red(f"Could not lookup TXT records for {zone}: {exc}"))
return
try:
check_auth_local(zone, require=has_spf)
except Exception as exc:
print(red(f"Error looking up _mailchannels auth for {zone}: {exc}"))
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("Exited on SIGINT", file=sys.stderr)
except BrokenPipeError:
print("Exited with broken pipe", file=sys.stderr)
Zerion Mini Shell 1.0