#!/usr/bin/env bash
set -euo pipefail

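# Directory this script lives in, so libenv.sh is found next to it whatever
# the caller's working directory is.  `--` stops cd/dirname from treating a
# path that begins with '-' as an option.
SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
# shellcheck source=/dev/null
source "$SCRIPT_DIR/libenv.sh"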

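# Diagnostic logger: prefixes the message with the script name and writes it
# to stderr, so usage/error text never mixes with the report on stdout.
log() { printf '[limristem-mail-deliverability] %s\n' "$*" >&2; }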

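# Load the LIMRISTEM_MAIL_* settings from the service env file.
# The config directory must be set and non-empty: an empty value would
# otherwise silently resolve to "/limristem-mail.env".
load_env() {
  local env_file
  env_file="${LIMRISTEM_MAIL_CONFIG_DIR:?LIMRISTEM_MAIL_CONFIG_DIR must be set}/limristem-mail.env"
  limristem_mail_load_env_file "$env_file"
}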

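# Positional arguments; whatever is not given falls back to the values
# loaded from limristem-mail.env below.
DOMAIN=${1:-}
MAIL_HOST=${2:-}
PUBLIC_IP=${3:-}            # optional: enables the PTR check
DKIM_SELECTOR=${4:-default}
MTA_STS_HOST=${5:-}

load_env

DOMAIN=${DOMAIN:-${LIMRISTEM_MAIL_PRIMARY_DOMAIN:-}}
MAIL_HOST=${MAIL_HOST:-${LIMRISTEM_MAIL_HOSTNAME:-}}

# Validate before deriving MTA_STS_HOST, so the default can never degrade
# to the bare label "mta-sts." when the domain is missing.
if [[ -z "$DOMAIN" || -z "$MAIL_HOST" ]]; then
  log "Uso: deliverability-check.sh <domain> <mail-host> [public-ip] [dkim-selector] [mta-sts-host]"
  exit 1
fi

MTA_STS_HOST=${MTA_STS_HOST:-${LIMRISTEM_MAIL_MTA_STS_HOST:-mta-sts.${DOMAIN}}}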

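# Fail early on missing tools: the report below relies on dig, curl and
# openssl, and their later invocations are wrapped in `|| true`, so a missing
# binary would otherwise just leave silent gaps in the output.
if ! command -v dig >/dev/null 2>&1; then
  log "Installa dnsutils per usare questo script."
  exit 1
fi
for tool in curl openssl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    log "Installa $tool per usare questo script."
    exit 1
  fi
done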

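printf 'Deliverability check for %s via %s\n' "$DOMAIN" "$MAIL_HOST"
printf '========================================\n'
printf '\nDNS records\n'
printf '-----------\n'

# Resolve one record set and print the answers space-joined on one line.
# dig's exit status is ignored on purpose: a missing record is shown as an
# empty field instead of aborting the whole report under `set -e`.
# Arguments: $1 - record type (MX, A, AAAA, TXT, ...), $2 - owner name
dns_answers() {
  dig +short "$1" "$2" | tr '\n' ' ' || true
}

printf 'MX: %s\n' "$(dns_answers MX "$DOMAIN")"
printf 'A/AAAA mail host: %s %s\n' "$(dns_answers A "$MAIL_HOST")" "$(dns_answers AAAA "$MAIL_HOST")"

# Only TXT records containing v=spf1 are SPF; other apex TXT records
# (site-verification tokens etc.) are noise here.  Receivers treat more than
# one SPF record as a permanent error, so the count is checked as well.
spf_records=$(dig +short TXT "$DOMAIN" | grep -i 'v=spf1') || true
printf 'SPF: %s\n' "$(printf '%s\n' "$spf_records" | tr '\n' ' ')"
spf_count=$(grep -ci 'v=spf1' <<<"$spf_records") || true
if (( spf_count != 1 )); then
  printf 'WARN: expected exactly one SPF record, found %d\n' "$spf_count"
fi

dmarc_records=$(dns_answers TXT "_dmarc.${DOMAIN}")
printf 'DMARC: %s\n' "$dmarc_records"
if ! grep -qi 'v=DMARC1' <<<"$dmarc_records"; then
  printf 'WARN: no v=DMARC1 record found at _dmarc.%s\n' "$DOMAIN"
fi

printf 'DKIM: %s\n' "$(dns_answers TXT "${DKIM_SELECTOR}._domainkey.${DOMAIN}")"
printf 'MTA-STS: %s\n' "$(dns_answers TXT "_mta-sts.${DOMAIN}")"
printf 'TLS-RPT: %s\n' "$(dns_answers TXT "_smtp._tls.${DOMAIN}")"

# Reverse lookup through dig (-x) so the script depends on dig alone, plus a
# forward-confirmed check: at least one PTR must name the mail host itself.
if [[ -n "$PUBLIC_IP" ]]; then
  ptr_records=$(dig +short -x "$PUBLIC_IP") || true
  printf 'PTR: %s\n' "$(printf '%s\n' "$ptr_records" | tr '\n' ' ')"
  if ! grep -qixF -- "${MAIL_HOST}." <<<"$ptr_records"; then
    printf 'WARN: no PTR for %s is %s. (forward-confirmed rDNS will fail)\n' "$PUBLIC_IP" "$MAIL_HOST"
  fi
fi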

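printf '\nHTTPS and policy\n'
printf '----------------\n'

# Fetch one URL into the global `fetched_body`.
# -f turns HTTP errors into a non-zero exit, -S keeps curl's error text on
# stderr despite -s, and redirects are deliberately not followed: an MTA-STS
# policy must be served directly by the policy host.
# Arguments: $1 - URL
# Returns:   curl's exit status (0 on success)
fetch_url() {
  local url=$1 rv=0
  fetched_body=''
  fetched_body=$(curl -fsS -m 10 "$url") || rv=$?
  return "$rv"
}

policy_url="https://${MTA_STS_HOST}/.well-known/mta-sts.txt"
printf 'MTA-STS policy (%s):\n' "$policy_url"
rv=0
fetch_url "$policy_url" || rv=$?
if (( rv == 0 )); then
  printf '%s\n' "$fetched_body"
  # A policy that senders will honour has to declare the STSv1 version.
  if ! grep -qi '^version:[[:space:]]*STSv1' <<<"$fetched_body"; then
    printf 'WARN: policy does not declare "version: STSv1"\n'
  fi
else
  printf 'WARN: fetch failed (curl exit %d)\n' "$rv"
fi

health_url="https://${MAIL_HOST}/health"
printf '\nHealth endpoint (%s):\n' "$health_url"
rv=0
fetch_url "$health_url" || rv=$?
if (( rv == 0 )); then
  printf '%s\n' "$fetched_body"
else
  printf 'WARN: fetch failed (curl exit %d)\n' "$rv"
fi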

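# Print subject/issuer/validity of the certificate a server presents, the
# chain verification result reported by s_client, and an early-expiry warning.
# Arguments: $1 - host:port to connect to
#            $2 - server name sent as SNI
#            $@ - extra s_client options (e.g. -starttls smtp)
# Outputs:   certificate summary and WARN lines on stdout
# Returns:   0 always; a failed connection is reported, not fatal
print_cert_report() {
  local target=$1 sni=$2
  shift 2
  local session
  # The whole session dump is captured once: openssl x509 reads the first PEM
  # block from it, and the "Verify return code" line is picked out of it.
  session=$(openssl s_client "$@" -connect "$target" -servername "$sni" </dev/null 2>/dev/null) || true
  if ! printf '%s\n' "$session" | openssl x509 -noout -subject -issuer -dates 2>/dev/null; then
    printf 'WARN: no certificate retrieved from %s\n' "$target"
    return 0
  fi
  grep -m1 -i 'verify return code' <<<"$session" || true
  # -checkend exits non-zero when the certificate expires within the window.
  if ! printf '%s\n' "$session" | openssl x509 -noout -checkend "$((30 * 24 * 3600))" >/dev/null 2>&1; then
    printf 'WARN: certificate expires within 30 days\n'
  fi
  return 0
}

printf '\nSMTP STARTTLS certificate\n'
printf '-------------------------\n'
print_cert_report "${MAIL_HOST}:25" "$MAIL_HOST" -starttls smtp

printf '\nHTTPS certificate for MTA-STS/API host\n'
printf '--------------------------------------\n'
print_cert_report "${MTA_STS_HOST}:443" "$MTA_STS_HOST"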
