Indicate known certificates in sent mails #88
Comments
@AGWA: If you modify my text, please also explain why. The two components to identify a private key are modulus and exponent. Modulus alone should be enough to identify a matching private key for the given purpose. If you want to be 100% exact, it's modulus and exponent (can be output with -text).
@stoecker I am keen to know about the email notifications you configured. Did you use sendmail or any other MTA to send emails? Would you mind sharing your email settings, of course with all your private information masked? And how are you monitoring certspotter continuously? Have you created a service for it?
In /etc/systemd/system/certspotter.service
In /etc/certspotter: email_recipients, keylist, watchlist. The file needs a modification with the email address. I was too lazy yet to move that into a config file ;-) I use a locally running postfix with opendkim as signature service. If wanted, I can describe that setup here, but that's a bit harder to describe and set up, and it needs a bit of knowledge about mail server setup to do it right. Operating a proper mail server is no easy task nowadays. On the mail receiving server side, dovecot is used with server-side filtering with sieve to sort mails into the corresponding mail folders. Due to the amount of domains I monitor, getting the mails is enough to see if the service is running. Usually there are Let's Encrypt renewals every week, so there is no special monitor service beside the systemd daemon handling.
If mail server knowledge is missing, something like this can help: https://phoenixnap.com/kb/postfix-smtp - configure postfix to relay any mail to the submission port of another server with username/password. Here it's not so important to set up all details right, as the target server has to do all the proper email stuff; the local postfix acts as MDA.
I have about 50 entries in my watchlist (heavily using subdomains) and separating mails for legitimate use and fraud is hard.
Please add a check whether the certificate matches a known private key
I.e. by adding the modulus of the private key ("openssl rsa -in private.key -modulus -noout") to a knownkeyslist and checking the certificates against this ("openssl x509 -in cert.pem -modulus -noout"). When it matches, the mail subject could then include "known" or another keyword. This way it would be much easier to find bad certificates.
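One way to implement the check this issue asks for, as an added Go example that is not certspotter's own code: a known-keys list keyed on a hash of modulus and public exponent (the two components @stoecker names above), a tag for the notification subject, and two constructed self-signed certificates, one made with a key on the list and one with a key that is not. The label "web-2024", the tag strings, and treating non-RSA keys as unknown are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KnownKeys maps a fingerprint of (modulus, public exponent) to a label for a key we operate.
type KnownKeys map[[32]byte]string

// fingerprint hashes modulus and exponent together; N alone would conflate keys that share a modulus.
func fingerprint(pub *rsa.PublicKey) [32]byte {
	return sha256.Sum256(append(pub.N.Bytes(), big.NewInt(int64(pub.E)).Bytes()...))
}

// Add registers the public half of a private key from the known-keys list (label is an assumed name).
func (k KnownKeys) Add(label string, priv *rsa.PrivateKey) { k[fingerprint(&priv.PublicKey)] = label }

// SubjectTag returns the keyword to put in the notification mail subject (tag strings are assumptions).
func (k KnownKeys) SubjectTag(cert *x509.Certificate) string {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "[unknown key: not RSA]" // this list only holds RSA keys
	}
	if label, found := k[fingerprint(pub)]; found {
		return "[known key: " + label + "]"
	}
	return "[unknown key]"
}

// selfSigned builds a throwaway certificate for priv (constructed test input, not a CT log entry).
func selfSigned(priv *rsa.PrivateKey, cn string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// Demo tags one certificate made with our own key and one made with a key we never created.
func Demo() (ours, rogue string) {
	known := KnownKeys{}
	ourKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	known.Add("web-2024", ourKey)
	return known.SubjectTag(selfSigned(ourKey, "example.com")), known.SubjectTag(selfSigned(otherKey, "example.com"))
}

func main() { fmt.Println(Demo()) }
```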