2017-01-10 13:15:41 +00:00
load 'test_helper/bats-support/load'
load 'test_helper/bats-assert/load'
2016-10-30 11:42:29 +00:00
#
# configuration checks
#
@test "checking configuration: hostname/domainname" {
run docker run `docker inspect --format '{{ .Config.Image }}' mail`
2017-01-10 13:15:41 +00:00
assert_failure
2016-10-30 11:42:29 +00:00
}
2017-01-20 22:30:29 +00:00
@test "checking configuration: hostname/domainname override" {
run docker exec mail_smtponly /bin/bash -c "cat /etc/mailname | grep my-domain.com"
assert_success
}
2017-02-13 10:07:30 +00:00
@test "checking configuration: hostname/domainname override: check container hostname is applied correctly" {
2017-04-27 15:59:28 +00:00
run docker exec mail_override_hostname /bin/bash -c "hostname | grep mail.my-domain.com"
2017-02-13 10:07:30 +00:00
assert_success
}
@test "checking configuration: hostname/domainname override: check overriden hostname is applied to all configs" {
run docker exec mail_override_hostname /bin/bash -c "cat /etc/mailname | grep my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "postconf -n | grep mydomain | grep my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "postconf -n | grep myhostname | grep mail.my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "doveconf | grep hostname | grep mail.my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "cat /etc/opendmarc.conf | grep AuthservID | grep mail.my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "cat /etc/opendmarc.conf | grep TrustedAuthservIDs | grep mail.my-domain.com"
assert_success
run docker exec mail_override_hostname /bin/bash -c "cat /etc/amavis/conf.d/05-node_id | grep myhostname | grep mail.my-domain.com"
assert_success
}
@test "checking configuration: hostname/domainname override: check hostname in postfix HELO message" {
run docker exec mail_override_hostname /bin/bash -c "nc -w 1 0.0.0.0 25 | grep mail.my-domain.com"
assert_success
}
@test "checking configuration: hostname/domainname override: check headers of received mail" {
run docker exec mail_override_hostname /bin/sh -c "ls -A /var/mail/localhost.localdomain/user1/new | wc -l | grep 1"
assert_success
run docker exec mail_override_hostname /bin/sh -c "cat /var/mail/localhost.localdomain/user1/new/* | grep mail.my-domain.com"
assert_success
# test whether the container hostname is not found in received mail
run docker exec mail_override_hostname /bin/sh -c "cat /var/mail/localhost.localdomain/user1/new/* | grep unknown.domain.tld"
assert_failure
}
2016-02-24 23:17:01 +00:00
#
# processes
#
@test "checking process: postfix" {
2017-04-27 15:59:28 +00:00
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/lib/postfix/sbin/master'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking process: clamd" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking process: new" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking process: opendkim" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking process: opendmarc" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-03-31 10:33:47 +00:00
@test "checking process: fail2ban (disabled in default configuration)" {
2017-04-27 15:59:28 +00:00
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-03-31 10:33:47 +00:00
}
@test "checking process: fail2ban (fail2ban server enabled)" {
2017-04-27 15:59:28 +00:00
run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-08-21 20:13:13 +00:00
@test "checking process: fetchmail (disabled in default configuration)" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-08-21 20:13:13 +00:00
}
@test "checking process: fetchmail (fetchmail server enabled)" {
run docker exec mail_fetchmail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:13:13 +00:00
}
2016-12-25 21:54:37 +00:00
@test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" {
run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-08-04 19:04:26 +00:00
}
2016-10-30 13:11:36 +00:00
@test "checking process: saslauthd (saslauthd server enabled)" {
run docker exec mail_with_ldap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'"
2017-01-10 13:15:41 +00:00
assert_success
2016-10-30 13:11:36 +00:00
}
2017-01-03 09:55:03 +00:00
2017-02-06 09:21:18 +00:00
#
# postgrey
#
@test "checking process: postgrey (disabled in default configuration)" {
2017-04-27 15:59:28 +00:00
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep 'postgrey'"
2017-02-06 09:21:18 +00:00
assert_failure
}
@test "checking postgrey: /etc/postfix/main.cf correctly edited" {
run docker exec mail_with_postgrey /bin/bash -c "grep 'bl.spamcop.net, check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf | wc -l"
assert_success
assert_output 1
}
@test "checking postgrey: /etc/default/postgrey correctly edited and has the default values" {
2017-04-12 17:45:47 +00:00
run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=15 --max-age=35\"$' /etc/default/postgrey | wc -l"
2017-02-06 09:21:18 +00:00
assert_success
assert_output 1
run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_TEXT=\"Delayed by postgrey\"$' /etc/default/postgrey | wc -l"
assert_success
assert_output 1
}
@test "checking process: postgrey (postgrey server enabled)" {
2017-04-27 15:59:28 +00:00
run docker exec mail_with_postgrey /bin/bash -c "ps aux --forest | grep -v grep | grep 'postgrey'"
2017-02-06 09:21:18 +00:00
assert_success
}
@test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" {
#editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictionswould interfere with it.
2017-03-14 16:21:17 +00:00
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf"
2017-02-06 09:21:18 +00:00
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
2018-02-07 20:33:07 +00:00
run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions =/smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
2017-03-03 17:27:22 +00:00
2017-02-06 09:21:18 +00:00
run docker exec mail_with_postgrey /bin/sh -c "/etc/init.d/postfix reload"
run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
sleep 5 #ensure that the information has been written into the log
run docker exec mail_with_postgrey /bin/bash -c "grep -i 'action=greylist.*user@external\.tld' /var/log/mail/mail.log | wc -l"
assert_success
assert_output 1
}
@test "checking postgrey: there should be a log entry about the retried and passed e-mail user@external.tld in /var/log/mail/mail.log" {
sleep 20 #wait 20 seconds so that postgrey would accept the message
run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
sleep 8
run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=triplet found.*user@external\.tld' /var/log/mail/mail.log | wc -l"
assert_success
assert_output 1
}
2017-04-12 15:59:04 +00:00
@test "checking postgrey: there should be a log entry about the whitelisted and passed e-mail user@whitelist.tld in /var/log/mail/mail.log" {
2017-12-31 11:33:48 +00:00
run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist.txt"
2017-04-12 15:59:04 +00:00
run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=client whitelist' /var/log/mail/mail.log | wc -l"
assert_success
assert_output 1
}
2016-02-24 23:17:01 +00:00
#
# imap
#
2016-04-13 21:16:46 +00:00
@test "checking process: dovecot imaplogin (enabled in default configuration)" {
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-29 22:52:10 +00:00
}
2016-04-13 21:16:46 +00:00
@test "checking process: dovecot imaplogin (disabled using SMTP_ONLY)" {
run docker exec mail_smtponly /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-02-29 22:52:10 +00:00
}
2016-02-24 23:17:01 +00:00
@test "checking imap: server is ready with STARTTLS" {
2016-04-22 15:51:14 +00:00
run docker exec mail /bin/bash -c "nc -w 2 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking imap: authentication works" {
2016-04-20 23:08:14 +00:00
run docker exec mail /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-auth.txt"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2017-10-10 06:15:18 +00:00
@test "checking imap: added user authentication works" {
run docker exec mail /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/added-imap-auth.txt"
assert_success
}
2016-02-24 23:17:01 +00:00
#
# pop
#
@test "checking pop: server is ready" {
run docker exec mail_pop3 /bin/bash -c "nc -w 1 0.0.0.0 110 | grep '+OK'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking pop: authentication works" {
2016-04-20 23:08:14 +00:00
run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/pop3-auth.txt"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2017-10-10 06:15:18 +00:00
@test "checking pop: added user authentication works" {
run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/added-pop3-auth.txt"
assert_success
}
2016-02-24 23:17:01 +00:00
#
# sasl
#
2016-04-17 10:01:05 +00:00
@test "checking sasl: doveadm auth test works with good password" {
run docker exec mail /bin/sh -c "doveadm auth test -x service=smtp user2@otherdomain.tld mypassword | grep 'auth succeeded'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-04-17 10:01:05 +00:00
@test "checking sasl: doveadm auth test fails with bad password" {
run docker exec mail /bin/sh -c "doveadm auth test -x service=smtp user2@otherdomain.tld BADPASSWORD | grep 'auth failed'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-11-15 19:48:09 +00:00
@test "checking sasl: sasl_passwd exists" {
run docker exec mail [ -f /etc/postfix/sasl_passwd ]
2017-01-10 13:15:41 +00:00
assert_success
2016-03-18 19:12:18 +00:00
}
2016-04-07 22:23:12 +00:00
#
# logs
#
@test "checking logs: mail related logs should be located in a subdirectory" {
2017-12-31 11:33:48 +00:00
run docker exec mail /bin/sh -c "ls -1 /var/log/mail/ | grep -E 'clamav|freshclam|mail.log'|wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 3
2016-04-07 22:23:12 +00:00
}
2016-02-24 23:17:01 +00:00
#
# smtp
#
@test "checking smtp: authentication works with good password (plain)" {
2016-04-20 23:08:14 +00:00
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-plain.txt | grep 'Authentication successful'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: authentication fails with wrong password (plain)" {
2016-04-20 23:08:14 +00:00
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-plain-wrong.txt | grep 'authentication failed'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: authentication works with good password (login)" {
2016-04-20 23:08:14 +00:00
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt | grep 'Authentication successful'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: authentication fails with wrong password (login)" {
2016-04-20 23:08:14 +00:00
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt | grep 'authentication failed'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2017-10-10 06:15:18 +00:00
@test "checking smtp: added user authentication works with good password (plain)" {
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-plain.txt | grep 'Authentication successful'"
assert_success
}
@test "checking smtp: added user authentication fails with wrong password (plain)" {
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-plain-wrong.txt | grep 'authentication failed'"
assert_success
}
@test "checking smtp: added user authentication works with good password (login)" {
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-login.txt | grep 'Authentication successful'"
assert_success
}
@test "checking smtp: added user authentication fails with wrong password (login)" {
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-login-wrong.txt | grep 'authentication failed'"
assert_success
}
2016-02-24 23:17:01 +00:00
@test "checking smtp: delivers mail to existing account" {
2016-10-24 13:03:08 +00:00
run docker exec mail /bin/sh -c "grep 'postfix/lmtp' /var/log/mail/mail.log | grep 'status=sent' | grep ' Saved)' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
2017-10-10 06:15:18 +00:00
assert_output 10
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: delivers mail to existing alias" {
2016-04-01 15:18:13 +00:00
run docker exec mail /bin/sh -c "grep 'to=<user1@localhost.localdomain>, orig_to=<alias1@localhost.localdomain>' /var/log/mail/mail.log | grep 'status=sent' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-02-24 23:17:01 +00:00
}
2017-03-03 17:27:22 +00:00
@test "checking smtp: delivers mail to existing alias with recipient delimiter" {
run docker exec mail /bin/sh -c "grep 'to=<user1~test@localhost.localdomain>, orig_to=<alias1~test@localhost.localdomain>' /var/log/mail/mail.log | grep 'status=sent' | wc -l"
assert_success
assert_output 1
run docker exec mail /bin/sh -c "grep 'to=<user1~test@localhost.localdomain>' /var/log/mail/mail.log | grep 'status=bounced'"
assert_failure
}
2016-07-23 21:42:18 +00:00
@test "checking smtp: delivers mail to existing catchall" {
run docker exec mail /bin/sh -c "grep 'to=<user1@localhost.localdomain>, orig_to=<wildcard@localdomain2.com>' /var/log/mail/mail.log | grep 'status=sent' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-07-23 21:42:18 +00:00
}
2016-05-24 04:30:22 +00:00
@test "checking smtp: delivers mail to regexp alias" {
run docker exec mail /bin/sh -c "grep 'to=<user1@localhost.localdomain>, orig_to=<test123@localhost.localdomain>' /var/log/mail/mail.log | grep 'status=sent' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-05-24 04:30:22 +00:00
}
2017-03-03 17:27:22 +00:00
@test "checking smtp: user1 should have received 6 mails" {
2016-02-24 23:17:01 +00:00
run docker exec mail /bin/sh -c "ls -A /var/mail/localhost.localdomain/user1/new | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
2017-03-03 17:27:22 +00:00
assert_output 6
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: rejects mail to unknown user" {
2016-04-01 15:18:13 +00:00
run docker exec mail /bin/sh -c "grep '<nouser@localhost.localdomain>: Recipient address rejected: User unknown in virtual mailbox table' /var/log/mail/mail.log | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-02-24 23:17:01 +00:00
}
2016-05-24 04:30:22 +00:00
@test "checking smtp: redirects mail to external aliases" {
2016-04-01 15:18:13 +00:00
run docker exec mail /bin/sh -c "grep -- '-> <external1@otherdomain.tld>' /var/log/mail/mail.log | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: rejects spam" {
2018-02-06 07:11:57 +00:00
run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep external.tld=spam@my-domain.com | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-02-24 23:17:01 +00:00
}
@test "checking smtp: rejects virus" {
2018-02-06 07:11:57 +00:00
run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep external.tld=virus@my-domain.com | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-02-24 23:17:01 +00:00
}
2017-04-26 12:56:33 +00:00
@test "checking smtp_only: mail send should work" {
run docker exec mail_smtponly /bin/sh -c "postconf -e smtp_host_lookup=no"
assert_success
run docker exec mail_smtponly /bin/sh -c "/etc/init.d/postfix reload"
assert_success
run docker exec mail_smtponly /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/smtp-only.txt"
assert_success
run docker exec mail_smtponly /bin/sh -c 'grep -cE "to=<user2\@external.tld>.*status\=sent" /var/log/mail/mail.log'
[ "$status" -ge 0 ]
}
2017-07-03 11:16:16 +00:00
2016-02-24 23:17:01 +00:00
#
# accounts
#
@test "checking accounts: user accounts" {
2016-04-17 10:01:05 +00:00
run docker exec mail doveadm user '*'
2017-01-10 13:15:41 +00:00
assert_success
2016-04-17 10:01:05 +00:00
[ "${lines[0]}" = "user1@localhost.localdomain" ]
[ "${lines[1]}" = "user2@otherdomain.tld" ]
2017-10-10 06:15:18 +00:00
[ "${lines[2]}" = "added@localhost.localdomain" ]
2016-02-24 23:17:01 +00:00
}
@test "checking accounts: user mail folders for user1" {
2016-04-17 18:10:09 +00:00
run docker exec mail /bin/bash -c "ls -A /var/mail/localhost.localdomain/user1 | grep -E '.Drafts|.Sent|.Trash|cur|new|subscriptions|tmp' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 7
2016-02-24 23:17:01 +00:00
}
@test "checking accounts: user mail folders for user2" {
2016-04-17 18:10:09 +00:00
run docker exec mail /bin/bash -c "ls -A /var/mail/otherdomain.tld/user2 | grep -E '.Drafts|.Sent|.Trash|cur|new|subscriptions|tmp' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 7
2016-02-24 23:17:01 +00:00
}
2017-10-10 06:15:18 +00:00
@test "checking accounts: user mail folders for added user" {
run docker exec mail /bin/bash -c "ls -A /var/mail/localhost.localdomain/added | grep -E '.Drafts|.Sent|.Trash|cur|new|subscriptions|tmp' | wc -l"
assert_success
assert_output 7
}
2017-03-28 08:59:02 +00:00
@test "checking accounts: comments are not parsed" {
run docker exec mail /bin/bash -c "ls /var/mail | grep 'comment'"
assert_failure
}
2016-02-24 23:17:01 +00:00
#
# postfix
#
@test "checking postfix: vhost file is correct" {
run docker exec mail cat /etc/postfix/vhost
2017-01-10 13:15:41 +00:00
assert_success
2016-07-23 21:42:18 +00:00
[ "${lines[0]}" = "localdomain2.com" ]
[ "${lines[1]}" = "localhost.localdomain" ]
[ "${lines[2]}" = "otherdomain.tld" ]
2016-02-24 23:17:01 +00:00
}
2016-03-18 19:07:58 +00:00
@test "checking postfix: main.cf overrides" {
2016-04-17 10:01:05 +00:00
run docker exec mail grep -q 'max_idle = 600s' /tmp/docker-mailserver/postfix-main.cf
2017-01-10 13:15:41 +00:00
assert_success
2016-04-17 10:01:05 +00:00
run docker exec mail grep -q 'readme_directory = /tmp' /tmp/docker-mailserver/postfix-main.cf
2017-01-10 13:15:41 +00:00
assert_success
2016-03-18 19:07:58 +00:00
}
2017-06-13 11:20:25 +00:00
@test "checking postfix: master.cf overrides" {
run docker exec mail grep -q 'submission/inet/smtpd_sasl_security_options=noanonymous' /tmp/docker-mailserver/postfix-master.cf
assert_success
}
2016-05-29 20:36:06 +00:00
#
# dovecot
#
@test "checking dovecot: config additions" {
run docker exec mail grep -q 'mail_max_userip_connections = 69' /tmp/docker-mailserver/dovecot.cf
2017-01-10 13:15:41 +00:00
assert_success
2016-05-29 20:36:06 +00:00
run docker exec mail /bin/sh -c "doveconf | grep 'mail_max_userip_connections = 69'"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 'mail_max_userip_connections = 69'
2016-05-29 20:36:06 +00:00
}
2016-02-24 23:17:01 +00:00
#
# spamassassin
#
2016-12-25 21:54:37 +00:00
@test "checking spamassassin: should be listed in amavis when enabled" {
run docker exec mail /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-12-25 21:54:37 +00:00
}
@test "checking spamassassin: should not be listed in amavis when disabled" {
run docker exec mail_disabled_clamav_spamassassin /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'"
2017-01-10 13:15:41 +00:00
assert_success
2016-12-25 21:54:37 +00:00
}
2016-02-24 23:17:01 +00:00
@test "checking spamassassin: docker env variables are set correctly (default)" {
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'"
2017-01-10 13:15:41 +00:00
assert_success
2017-06-23 19:50:01 +00:00
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= .\*\*\*SPAM\*\*\* .'"
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking spamassassin: docker env variables are set correctly (custom)" {
2017-04-18 12:18:42 +00:00
run docker exec mail /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= -5.0'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
run docker exec mail /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
run docker exec mail /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 3.0'"
2017-01-10 13:15:41 +00:00
assert_success
2017-06-23 19:50:01 +00:00
run docker exec mail /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= .SPAM: .'"
assert_success
2018-03-02 21:38:57 +00:00
run docker exec mail_undef_spam_subject /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= undef'"
assert_success
2016-02-24 23:17:01 +00:00
}
2017-04-18 12:18:42 +00:00
@test "checking spamassassin: all registered domains should see spam headers" {
run docker exec mail /bin/sh -c "grep -ir 'X-Spam-' /var/mail/localhost.localdomain/user1/new"
assert_success
run docker exec mail /bin/sh -c "grep -ir 'X-Spam-' /var/mail/otherdomain.tld/user2/new"
assert_success
}
2016-12-25 14:41:02 +00:00
#
# clamav
#
@test "checking clamav: should be listed in amavis when enabled" {
run docker exec mail grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_success
2016-12-25 14:41:02 +00:00
}
@test "checking clamav: should not be listed in amavis when disabled" {
2016-12-25 21:54:37 +00:00
run docker exec mail_disabled_clamav_spamassassin grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-12-25 14:41:02 +00:00
}
@test "checking clamav: should not be called when disabled" {
2016-12-25 21:54:37 +00:00
run docker exec mail_disabled_clamav_spamassassin grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-12-25 14:41:02 +00:00
}
2016-02-24 23:17:01 +00:00
#
# opendkim
#
@test "checking opendkim: /etc/opendkim/KeyTable should contain 2 entries" {
run docker exec mail /bin/sh -c "cat /etc/opendkim/KeyTable | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-02-24 23:17:01 +00:00
}
2017-06-07 13:35:42 +00:00
@test "checking opendkim: /etc/opendkim/KeyTable dummy file generated without keys provided" {
run docker exec mail_smtponly_without_config /bin/bash -c "cat /etc/opendkim/KeyTable"
assert_success
}
2016-02-24 23:17:01 +00:00
@test "checking opendkim: /etc/opendkim/keys/ should contain 2 entries" {
run docker exec mail /bin/sh -c "ls -l /etc/opendkim/keys/ | grep '^d' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-02-24 23:17:01 +00:00
}
2018-03-03 08:20:23 +00:00
# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
# Instead it tests the file-size (here 511) - which may differ with a different domain names
# This test may be re-used as a global test to provide better test coverage.
@test "checking opendkim: generator creates default keys size" {
# Prepare default key size 2048
rm -rf "$(pwd)/test/config/keyDefault" && mkdir -p "$(pwd)/test/config/keyDefault"
run docker run --rm \
-v "$(pwd)/test/config/keyDefault/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
assert_success
assert_output 6
run docker run --rm \
-v "$(pwd)/test/config/keyDefault/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` \
/bin/sh -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
assert_success
assert_output 511
}
# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
# Instead it tests the file-size (here 511) - which may differ with a different domain names
# This test may be re-used as a global test to provide better test coverage.
@test "checking opendkim: generator creates key size 2048" {
# Prepare set key size 2048
rm -rf "$(pwd)/test/config/key2048" && mkdir -p "$(pwd)/test/config/key2048"
run docker run --rm \
-v "$(pwd)/test/config/key2048/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config 2048 | wc -l'
assert_success
assert_output 6
run docker run --rm \
-v "$(pwd)/test/config/key2048/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` \
/bin/sh -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
assert_success
assert_output 511
}
# this set of tests is of low quality. It does not test the RSA-Key size properly via openssl or similar
# Instead it tests the file-size (here 329) - which may differ with a different domain names
# This test may be re-used as a global test to provide better test coverage.
@test "checking opendkim: generator creates key size 1024" {
# Prepare set key size 1024
rm -rf "$(pwd)/test/config/key1024" && mkdir -p "$(pwd)/test/config/key1024"
run docker run --rm \
-v "$(pwd)/test/config/key1024/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config 1024 | wc -l'
assert_success
assert_output 6
run docker run --rm \
-v "$(pwd)/test/config/key1024/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` \
/bin/sh -c 'stat -c%s /etc/opendkim/keys/localhost.localdomain/mail.txt'
assert_success
assert_output 329
}
2016-04-20 23:08:14 +00:00
@test "checking opendkim: generator creates keys, tables and TrustedHosts" {
2016-04-21 09:42:41 +00:00
rm -rf "$(pwd)/test/config/empty" && mkdir -p "$(pwd)/test/config/empty"
2016-04-20 21:01:32 +00:00
run docker run --rm \
2016-04-21 09:42:41 +00:00
-v "$(pwd)/test/config/empty/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
2016-05-29 20:36:06 +00:00
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 6
2016-04-21 09:42:41 +00:00
# Check keys for localhost.localdomain
run docker run --rm \
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
2016-05-29 20:36:06 +00:00
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-04-21 09:42:41 +00:00
# Check keys for otherdomain.tld
run docker run --rm \
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
2016-05-29 20:36:06 +00:00
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-04-21 09:42:41 +00:00
# Check presence of tables and TrustedHosts
run docker run --rm \
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
2016-05-29 20:36:06 +00:00
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c "ls -1 etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 4
2016-04-20 21:01:32 +00:00
}
2016-08-24 08:06:59 +00:00
@test "checking opendkim: generator creates keys, tables and TrustedHosts without postfix-accounts.cf" {
rm -rf "$(pwd)/test/config/without-accounts" && mkdir -p "$(pwd)/test/config/without-accounts"
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 5
2016-08-24 08:06:59 +00:00
# Check keys for localhost.localdomain
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-08-24 08:06:59 +00:00
# Check keys for otherdomain.tld
# run docker run --rm \
# -v "$(pwd)/test/config/without-accounts/opendkim":/etc/opendkim \
# `docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
2017-01-10 13:15:41 +00:00
# assert_success
2016-08-24 08:06:59 +00:00
# [ "$output" -eq 0 ]
# Check presence of tables and TrustedHosts
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c "ls -1 etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 4
2016-08-24 08:06:59 +00:00
}
@test "checking opendkim: generator creates keys, tables and TrustedHosts without postfix-virtual.cf" {
rm -rf "$(pwd)/test/config/without-virtual" && mkdir -p "$(pwd)/test/config/without-virtual"
run docker run --rm \
-v "$(pwd)/test/config/without-virtual/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 5
2016-08-24 08:06:59 +00:00
# Check keys for localhost.localdomain
run docker run --rm \
-v "$(pwd)/test/config/without-virtual/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-08-24 08:06:59 +00:00
# Check keys for otherdomain.tld
run docker run --rm \
-v "$(pwd)/test/config/without-virtual/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-08-24 08:06:59 +00:00
# Check presence of tables and TrustedHosts
run docker run --rm \
-v "$(pwd)/test/config/without-virtual/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c "ls -1 etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 4
2016-08-24 08:06:59 +00:00
}
2017-12-07 18:27:31 +00:00
@test "checking opendkim: generator creates keys, tables and TrustedHosts using domain name" {
2017-08-12 16:09:11 +00:00
rm -rf "$(pwd)/test/config/with-domain" && mkdir -p "$(pwd)/test/config/with-domain"
run docker run --rm \
-v "$(pwd)/test/config/with-domain/":/tmp/docker-mailserver/ \
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
assert_success
assert_output 6
# Generate key using domain name
run docker run --rm \
-v "$(pwd)/test/config/with-domain/":/tmp/docker-mailserver/ \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-domain testdomain.tld | wc -l'
assert_success
assert_output 1
# Check keys for localhost.localdomain
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
assert_success
assert_output 2
# Check keys for otherdomain.tld
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
assert_success
assert_output 2
# Check keys for testdomain.tld
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/testdomain.tld | wc -l'
assert_success
assert_output 2
# Check presence of tables and TrustedHosts
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c "ls -1 /etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys' | wc -l"
assert_success
assert_output 4
# Check valid entries actually present in KeyTable
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c \
"egrep 'localhost.localdomain|otherdomain.tld|localdomain2.com|testdomain.tld' /etc/opendkim/KeyTable | wc -l"
assert_success
assert_output 4
# Check valid entries actually present in SigningTable
run docker run --rm \
-v "$(pwd)/test/config/with-domain/opendkim":/etc/opendkim \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c \
"egrep 'localhost.localdomain|otherdomain.tld|localdomain2.com|testdomain.tld' /etc/opendkim/SigningTable | wc -l"
assert_success
assert_output 4
}
2016-02-24 23:17:01 +00:00
#
2016-04-26 17:39:08 +00:00
# ssl
2016-02-24 23:17:01 +00:00
#
2016-04-26 17:39:08 +00:00
@test "checking ssl: generated default cert works correctly" {
run docker exec mail /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
2017-01-10 13:15:41 +00:00
assert_success
2016-04-26 17:39:08 +00:00
}
2016-12-23 22:56:39 +00:00
@test "checking ssl: lets-encrypt-x3-cross-signed.pem is installed" {
run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-04-26 17:39:08 +00:00
@test "checking ssl: letsencrypt configuration is correct" {
run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/postfix/main.cf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-04-26 17:39:08 +00:00
run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 2
2016-04-26 17:39:08 +00:00
}
2016-02-24 23:17:01 +00:00
2016-04-26 17:39:08 +00:00
@test "checking ssl: letsencrypt cert works correctly" {
2016-07-23 16:20:19 +00:00
run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-08-31 13:15:39 +00:00
@test "checking ssl: manual configuration is correct" {
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/postfix/main.cf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-08-31 13:15:39 +00:00
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-08-31 13:15:39 +00:00
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/postfix/main.cf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-08-31 13:15:39 +00:00
run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-08-31 13:15:39 +00:00
}
@test "checking ssl: manual configuration copied files correctly " {
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/cert /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem'
2017-01-10 13:15:41 +00:00
assert_success
2016-08-31 13:15:39 +00:00
run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/key /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem'
2017-01-10 13:15:41 +00:00
assert_success
2016-08-31 13:15:39 +00:00
}
@test "checking ssl: manual cert works correctly" {
run docker exec mail_manual_ssl /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-31 13:15:39 +00:00
}
2018-03-18 19:15:06 +00:00
#
# postsrsd
#
@test "checking SRS: main.cf entries" {
run docker exec mail grep "sender_canonical_maps = tcp:localhost:10001" /etc/postfix/main.cf
assert_success
run docker exec mail grep "sender_canonical_classes = envelope_sender" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_maps = tcp:localhost:10002" /etc/postfix/main.cf
assert_success
run docker exec mail grep "recipient_canonical_classes = envelope_recipient,header_recipient" /etc/postfix/main.cf
assert_success
}
@test "checking SRS: postsrsd running" {
run docker exec mail /bin/sh -c "ps aux | grep ^postsrsd"
assert_success
}
2016-02-24 23:17:01 +00:00
#
# fail2ban
#
2016-04-17 20:59:35 +00:00
@test "checking fail2ban: localhost is not banned because ignored" {
2016-04-23 10:09:28 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-04-17 20:59:35 +00:00
run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2017-12-07 18:27:31 +00:00
@test "checking fail2ban: fail2ban-fail2ban.cf overrides" {
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG"
assert_success
}
2016-06-02 23:22:16 +00:00
@test "checking fail2ban: fail2ban-jail.cf overrides" {
2016-06-04 00:46:33 +00:00
FILTERS=(sshd postfix dovecot postfix-sasl)
2016-06-04 01:12:18 +00:00
for FILTER in "${FILTERS[@]}"; do
2016-06-04 00:46:33 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime"
2017-01-10 13:15:41 +00:00
assert_output 1234
2016-06-04 00:46:33 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime"
2017-01-10 13:15:41 +00:00
assert_output 321
2016-06-04 00:46:33 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry"
2017-01-10 13:15:41 +00:00
assert_output 2
2016-06-04 00:46:33 +00:00
done
2016-06-02 23:22:16 +00:00
}
2016-02-24 23:17:01 +00:00
@test "checking fail2ban: ban ip on multiple failed login" {
2016-04-17 20:59:35 +00:00
# Getting mail_fail2ban container IP
MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)
2016-06-04 00:53:44 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
# Create a container which will send wrong authentications and should get banned
2016-06-04 00:53:44 +00:00
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
# can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
2018-02-13 07:31:12 +00:00
for i in {1,2}; do
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
docker exec fail-auth-mailer /bin/bash -c \
'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \
while IFS= read -r cmd; do \
head -1 <&3; \
[[ "$cmd" == "EHLO"* ]] && sleep 6; \
echo $cmd >&3; \
done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"'
done
2016-06-04 00:53:44 +00:00
2016-04-17 21:16:13 +00:00
sleep 5
2016-06-04 00:53:44 +00:00
2016-04-17 20:59:35 +00:00
# Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
2016-04-17 21:16:13 +00:00
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
2016-06-04 00:53:44 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
2017-01-10 13:15:41 +00:00
assert_success
2016-06-04 00:53:44 +00:00
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
@test "checking fail2ban: unban ip works" {
2016-04-17 21:44:41 +00:00
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
2016-06-04 00:53:44 +00:00
2016-04-23 10:09:28 +00:00
docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP
2016-06-04 00:53:44 +00:00
2016-02-24 23:17:01 +00:00
sleep 5
2016-06-04 00:53:44 +00:00
2016-04-23 10:09:28 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-06-04 00:53:44 +00:00
# Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'"
2017-01-10 13:15:41 +00:00
assert_failure
2016-02-24 23:17:01 +00:00
}
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
#
# postscreen
#
@test "checking postscreen" {
# Getting mail container IP
MAIL_POSTSCREEN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_postscreen)
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
# talk too fast:
docker exec fail-auth-mailer /bin/sh -c "nc $MAIL_POSTSCREEN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt"
sleep 5
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
run docker exec mail_postscreen grep 'COMMAND PIPELINING' /var/log/mail/mail.log
assert_success
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
# positive test. (respecting postscreen_greet_wait time and talking in turn):
2018-02-13 07:31:12 +00:00
for i in {1,2}; do
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
docker exec fail-auth-mailer /bin/bash -c \
'exec 3<>/dev/tcp/'$MAIL_POSTSCREEN_IP'/25 && \
while IFS= read -r cmd; do \
head -1 <&3; \
[[ "$cmd" == "EHLO"* ]] && sleep 6; \
echo $cmd >&3; \
done < "/tmp/docker-mailserver-test/auth/smtp-auth-login.txt"'
done
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
sleep 5
2018-02-13 07:31:12 +00:00
Introducing Postscreen (#799)
* Introduced Postscreen
cheaper, earlier and simpler blocking of zombies/spambots.
From http://postfix.cs.utah.edu/POSTSCREEN_README.html :
As a first layer, postscreen(8) blocks connections from zombies and other spambots that are responsible for about 90% of all spam. It is implemented as a single process to make this defense as cheap as possible.
Things we need to consider:
- Do we need a whitelist/backlist file? (http://postfix.cs.utah.edu/postconf.5.html#postscreen_access_list)
- Via introducing an optional config/postfix-access.cidr
- The only permanent whitelisting I could imagine are monitoring services(which might (still?) behave weird/hastely) or blacklisting backup servers(since no traffic should be coming from them anyway)
- Do we need deep inspections? They are desireable, but these tests are expensive: a good client must disconnect after it passes the test, before it can talk to a real Postfix SMTP server. Considered tests are:
- postscreen_bare_newline_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_bare_newline_action)
- postscreen_non_smtp_command_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_non_smtp_command_action)
- postscreen_pipelining_enable (http://postfix.cs.utah.edu/postconf.5.html#postscreen_pipelining_action)
- Do we need to make the blacklisting via dnsblocking configurable? It's currently set and weighted as follows, where a score of 3 results in blocking, a score of -1 results in whitelisting:
(*: adds the specified weight to the SMTP client's DNSBL score. Specify a negative number for whitelisting.)
(http://postfix.cs.utah.edu/postconf.5.html#postscreen_dnsbl_sites)
- zen.spamhaus.org*3
- bl.mailspike.net
- b.barracudacentral.org*2
- bl.spameatingmonkey.net
- bl.spamcop.net
- dnsbl.sorbs.net
- psbl.surriel.com
- list.dnswl.org=127.0.[0..255].0*-2
- list.dnswl.org=127.0.[0..255].1*-3
- list.dnswl.org=127.0.[0..255].[2..3]*-4
- What to do when blacklisting? I currently set it to drop. We could
- ignore: Ignore the failure of this test. Allow other tests to complete. Repeat this test the next time the client connects. This option is useful for testing and collecting statistics without blocking mail.
- enforce: Allow other tests to complete. Reject attempts to deliver mail with a 550 SMTP reply, and log the helo/sender/recipient information. Repeat this test the next time the client connects.
- drop: Drop the connection immediately with a 521 SMTP reply. Repeat this test the next time the client connects.
In the end I think we could drop postgrey support. Postscreen replaces postgrey in its entirety, while being more selective and not delaying mail. Especially if we consider using the deep inspection options of postscreen.
Hope that wasn't too much to read! ;)
* main.cf got misformatted..
Don't know how, should be ok now.
* fixed malformatted main.cf & repaired master.cf
* reenabled rbl stuff.. It's cached, therefore doesn't hurt
* fixed tests
* added tests, repaired tests, added info, introduced new Variable POSTSCREEN_ACTION, fixes
2018-02-04 20:31:08 +00:00
run docker exec mail_postscreen grep 'PASS NEW ' /var/log/mail/mail.log
assert_success
}
2016-08-21 20:13:13 +00:00
#
# fetchmail
#
@test "checking fetchmail: gerneral options in fetchmailrc are loaded" {
run docker exec mail_fetchmail grep 'set syslog' /etc/fetchmailrc
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:13:13 +00:00
}
@test "checking fetchmail: fetchmail.cf is loaded" {
run docker exec mail_fetchmail grep 'pop3.example.com' /etc/fetchmailrc
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:13:13 +00:00
}
2016-02-24 23:17:01 +00:00
#
# system
#
@test "checking system: freshclam cron is enabled" {
2017-07-23 19:31:41 +00:00
run docker exec mail bash -c "grep '/usr/bin/freshclam' -r /etc/cron.d"
2017-01-10 13:15:41 +00:00
assert_success
2016-10-08 17:02:47 +00:00
}
@test "checking amavis: virusmail wiper cron exists" {
2017-01-11 09:52:39 +00:00
run docker exec mail bash -c "crontab -l | grep '/usr/local/bin/virus-wiper'"
2017-01-10 13:15:41 +00:00
assert_success
2016-10-08 17:02:47 +00:00
}
@test "checking amavis: VIRUSMAILS_DELETE_DELAY override works as expected" {
2016-12-30 19:06:44 +00:00
run docker run -ti --rm -e VIRUSMAILS_DELETE_DELAY=2 `docker inspect --format '{{ .Config.Image }}' mail` /bin/bash -c 'echo $VIRUSMAILS_DELETE_DELAY | grep 2'
2017-01-10 13:15:41 +00:00
assert_success
2016-10-08 17:02:47 +00:00
}
@test "checking amavis: old virusmail is wipped by cron" {
docker exec mail bash -c 'touch -d "`date --date=2000-01-01`" /var/lib/amavis/virusmails/should-be-deleted'
2017-01-11 09:52:39 +00:00
run docker exec -ti mail bash -c '/usr/local/bin/virus-wiper'
2017-01-10 13:15:41 +00:00
assert_success
2016-10-08 17:02:47 +00:00
run docker exec mail bash -c 'ls -la /var/lib/amavis/virusmails/ | grep should-be-deleted'
2017-01-10 13:15:41 +00:00
assert_failure
2016-10-08 17:02:47 +00:00
}
@test "checking amavis: recent virusmail is not wipped by cron" {
docker exec mail bash -c 'touch -d "`date`" /var/lib/amavis/virusmails/should-not-be-deleted'
2017-01-11 09:52:39 +00:00
run docker exec -ti mail bash -c '/usr/local/bin/virus-wiper'
2017-01-10 13:15:41 +00:00
assert_success
2016-10-08 17:02:47 +00:00
run docker exec mail bash -c 'ls -la /var/lib/amavis/virusmails/ | grep should-not-be-deleted'
2017-01-10 13:15:41 +00:00
assert_success
2016-02-24 23:17:01 +00:00
}
2016-04-01 15:18:13 +00:00
@test "checking system: /var/log/mail/mail.log is error free" {
run docker exec mail grep 'non-null host address bits in' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-07-23 19:01:01 +00:00
run docker exec mail grep 'mail system configuration error' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-04-01 15:18:13 +00:00
run docker exec mail grep ': error:' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-09-11 12:26:04 +00:00
run docker exec mail grep -i 'is not writable' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-09-11 12:26:04 +00:00
run docker exec mail grep -i 'permission denied' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-12-23 22:56:39 +00:00
run docker exec mail grep -i '(!)connect' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2017-05-22 07:28:32 +00:00
run docker exec mail grep -i 'backwards-compatible default setting chroot=y' /var/log/mail/mail.log
assert_failure
run docker exec mail grep -i 'connect to 127.0.0.1:10023: Connection refused' /var/log/mail/mail.log
assert_failure
2016-04-01 15:18:13 +00:00
run docker exec mail_pop3 grep 'non-null host address bits in' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-04-01 15:18:13 +00:00
run docker exec mail_pop3 grep ': error:' /var/log/mail/mail.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-02-24 23:17:01 +00:00
}
2016-12-17 20:53:09 +00:00
@test "checking system: /var/log/auth.log is error free" {
run docker exec mail grep 'Unable to open env file: /etc/default/locale' /var/log/auth.log
2017-01-10 13:15:41 +00:00
assert_failure
2016-12-17 20:53:09 +00:00
}
2016-02-24 23:17:01 +00:00
@test "checking system: sets the server fqdn" {
run docker exec mail hostname
2017-01-10 13:15:41 +00:00
assert_success
assert_output "mail.my-domain.com"
2016-02-24 23:17:01 +00:00
}
@test "checking system: sets the server domain name in /etc/mailname" {
run docker exec mail cat /etc/mailname
2017-01-10 13:15:41 +00:00
assert_success
assert_output "my-domain.com"
2016-02-24 23:17:01 +00:00
}
2016-04-28 06:57:50 +00:00
2016-09-23 06:22:57 +00:00
@test "checking system: postfix should not log to syslog" {
run docker exec mail grep 'postfix' /var/log/syslog
2017-01-10 13:15:41 +00:00
assert_failure
2016-09-23 06:22:57 +00:00
}
2017-08-07 15:37:16 +00:00
@test "checking system: amavis decoders installed and available" {
run docker exec mail /bin/sh -c "grep -E '.*(Internal decoder|Found decoder) for\s+\.(mail|Z|gz|bz2|xz|lzma|lrz|lzo|lz4|rpm|cpio|tar|deb|rar|arj|arc|zoo|doc|cab|tnef|zip|kmz|7z|jar|swf|lha|iso|exe).*' /var/log/mail/mail.log|wc -l"
assert_success
assert_output 28
}
2016-04-28 06:57:50 +00:00
#
# sieve
#
2016-04-28 08:25:11 +00:00
@test "checking sieve: user1 should have received 1 email in folder INBOX.spam" {
2016-04-28 06:57:50 +00:00
run docker exec mail /bin/sh -c "ls -A /var/mail/localhost.localdomain/user1/.INBOX.spam/new | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-04-28 06:57:50 +00:00
}
2016-04-29 13:24:10 +00:00
2016-04-29 15:09:48 +00:00
@test "checking manage sieve: server is ready when ENABLE_MANAGESIEVE has been set" {
2016-04-29 13:24:10 +00:00
run docker exec mail /bin/bash -c "nc -z 0.0.0.0 4190"
2017-01-10 13:15:41 +00:00
assert_success
2016-04-29 13:24:10 +00:00
}
@test "checking manage sieve: disabled per default" {
run docker exec mail_pop3 /bin/bash -c "nc -z 0.0.0.0 4190"
2017-01-10 13:15:41 +00:00
assert_failure
2016-04-29 13:24:10 +00:00
}
2016-06-14 14:17:06 +00:00
2017-05-10 07:54:02 +00:00
@test "checking sieve: user2 should have piped 1 email to /tmp/" {
run docker exec mail /bin/sh -c "ls -A /tmp/pipe-test.out | wc -l"
assert_success
assert_output 1
}
2016-06-14 14:17:06 +00:00
#
# accounts
#
@test "checking accounts: user3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" {
docker exec mail /bin/sh -c "addmailuser user3@domain.tld mypassword"
2016-12-30 19:06:44 +00:00
run docker exec mail /bin/sh -c "grep '^user3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf"
2017-01-10 13:15:41 +00:00
assert_success
2016-06-14 14:17:06 +00:00
[ ! -z "$output" ]
}
2016-12-30 19:06:44 +00:00
@test "checking accounts: auser3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" {
docker exec mail /bin/sh -c "addmailuser auser3@domain.tld mypassword"
run docker exec mail /bin/sh -c "grep '^auser3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf"
2017-01-10 13:15:41 +00:00
assert_success
2016-12-30 19:06:44 +00:00
[ ! -z "$output" ]
}
@test "checking accounts: a.ser3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf" {
docker exec mail /bin/sh -c "addmailuser a.ser3@domain.tld mypassword"
run docker exec mail /bin/sh -c "grep '^a\.ser3@domain\.tld|' -i /tmp/docker-mailserver/postfix-accounts.cf"
2017-01-10 13:15:41 +00:00
assert_success
2016-12-30 19:06:44 +00:00
[ ! -z "$output" ]
}
@test "checking accounts: user3 should have been removed from /tmp/docker-mailserver/postfix-accounts.cf but not auser3" {
2018-03-14 19:00:38 +00:00
docker exec mail /bin/sh -c "delmailuser -y user3@domain.tld"
2016-06-14 14:17:06 +00:00
2016-12-30 19:06:44 +00:00
run docker exec mail /bin/sh -c "grep '^user3@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf"
2017-01-10 13:15:41 +00:00
assert_failure
2016-06-14 14:17:06 +00:00
[ -z "$output" ]
2016-12-30 19:06:44 +00:00
run docker exec mail /bin/sh -c "grep '^auser3@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf"
2017-01-10 13:15:41 +00:00
assert_success
2016-12-30 19:06:44 +00:00
[ ! -z "$output" ]
2016-06-14 14:17:06 +00:00
}
2016-08-21 20:10:13 +00:00
2016-12-21 19:12:05 +00:00
@test "checking user updating password for user in /tmp/docker-mailserver/postfix-accounts.cf" {
2016-12-30 19:06:44 +00:00
docker exec mail /bin/sh -c "addmailuser user4@domain.tld mypassword"
2016-12-21 19:12:05 +00:00
2016-12-30 19:06:44 +00:00
initialpass=$(run docker exec mail /bin/sh -c "grep '^user4@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf")
2016-12-21 19:12:05 +00:00
sleep 2
2016-12-30 19:06:44 +00:00
docker exec mail /bin/sh -c "updatemailuser user4@domain.tld mynewpassword"
2016-12-21 19:12:05 +00:00
sleep 2
2016-12-30 19:06:44 +00:00
changepass=$(run docker exec mail /bin/sh -c "grep '^user4@domain\.tld' -i /tmp/docker-mailserver/postfix-accounts.cf")
2016-12-21 19:12:05 +00:00
if [ initialpass != changepass ]; then
status="0"
else
status="1"
fi
2018-03-14 19:00:38 +00:00
docker exec mail /bin/sh -c "delmailuser -y auser3@domain.tld"
2016-12-21 19:12:05 +00:00
2017-01-10 13:15:41 +00:00
assert_success
2016-12-21 19:12:05 +00:00
}
2016-08-29 11:44:36 +00:00
@test "checking accounts: listmailuser" {
run docker exec mail /bin/sh -c "listmailuser | head -n 1"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 'user1@localhost.localdomain'
2016-08-29 11:44:36 +00:00
}
2016-08-24 08:06:59 +00:00
@test "checking accounts: no error is generated when deleting a user if /tmp/docker-mailserver/postfix-accounts.cf is missing" {
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \
2018-03-14 19:00:38 +00:00
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'delmailuser -y user3@domain.tld'
2017-01-10 13:15:41 +00:00
assert_success
2016-08-24 08:06:59 +00:00
[ -z "$output" ]
}
@test "checking accounts: user3 should have been added to /tmp/docker-mailserver/postfix-accounts.cf even when that file does not exist" {
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'addmailuser user3@domain.tld mypassword'
2017-01-10 13:15:41 +00:00
assert_success
2016-08-24 08:06:59 +00:00
run docker run --rm \
-v "$(pwd)/test/config/without-accounts/":/tmp/docker-mailserver/ \
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'grep user3@domain.tld -i /tmp/docker-mailserver/postfix-accounts.cf'
2017-01-10 13:15:41 +00:00
assert_success
2016-08-24 08:06:59 +00:00
[ ! -z "$output" ]
}
2016-08-21 20:10:13 +00:00
#
# PERMIT_DOCKER mynetworks
#
2016-08-24 08:06:59 +00:00
2016-08-21 20:10:13 +00:00
@test "checking PERMIT_DOCKER: can get container ip" {
run docker exec mail /bin/sh -c "ip addr show eth0 | grep 'inet ' | sed 's/[^0-9\.\/]*//g' | cut -d '/' -f 1 | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:10:13 +00:00
}
@test "checking PERMIT_DOCKER: opendmarc/opendkim config" {
run docker exec mail_smtponly /bin/sh -c "cat /etc/opendmarc/ignore.hosts | grep '172.16.0.0/12'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:10:13 +00:00
run docker exec mail_smtponly /bin/sh -c "cat /etc/opendkim/TrustedHosts | grep '172.16.0.0/12'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:10:13 +00:00
}
@test "checking PERMIT_DOCKER: my network value" {
run docker exec mail /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.0\.0/16'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:10:13 +00:00
run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'"
2017-01-10 13:15:41 +00:00
assert_success
2016-08-21 20:10:13 +00:00
}
2016-09-01 10:10:23 +00:00
2016-09-02 07:08:41 +00:00
#
# amavis
#
@test "checking amavis: config overrides" {
run docker exec mail /bin/sh -c "grep 'Test Verification' /etc/amavis/conf.d/50-user | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2016-09-02 07:08:41 +00:00
}
2016-09-01 10:10:23 +00:00
#
# setup.sh
#
# CLI interface
@test "checking setup.sh: Without arguments: status 1, show help text" {
2016-09-02 07:08:41 +00:00
run ./setup.sh
2017-01-10 13:15:41 +00:00
assert_failure
2016-09-01 10:10:23 +00:00
[ "${lines[0]}" = "Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] <subcommand> <subcommand> [args]" ]
}
@test "checking setup.sh: Wrong arguments" {
run ./setup.sh lol troll
2017-01-10 13:15:41 +00:00
assert_failure
2016-09-01 10:10:23 +00:00
[ "${lines[0]}" = "Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] <subcommand> <subcommand> [args]" ]
}
# email
@test "checking setup.sh: setup.sh email add " {
run ./setup.sh -c mail email add lorem@impsum.org dolorsit
2017-01-10 13:15:41 +00:00
assert_success
2016-09-01 10:10:23 +00:00
value=$(cat ./config/postfix-accounts.cf | grep lorem@impsum.org | awk -F '|' '{print $1}')
[ "$value" = "lorem@impsum.org" ]
2018-04-02 14:55:54 +00:00
# don't know why, but the test suite needs to delete the (non existant) user prior succeeding in adding him again.
# when executed directly against the container this workaround is not neccessary.
run docker exec mail delmailuser -y pass@localhorst.localdomain
assert_success
docker exec mail addmailuser pass@localhost.localdomain 'may be \a `p^a.*ssword'
sleep 30
docker exec mail doveadm auth test -x service=smtp pass@localhost.localdomain 'may be \a `p^a.*ssword' | grep 'auth succeeded'
assert_success
2016-09-01 10:10:23 +00:00
}
2018-04-02 14:55:54 +00:00
2016-09-01 10:10:23 +00:00
@test "checking setup.sh: setup.sh email list" {
run ./setup.sh -c mail email list
2017-01-10 13:15:41 +00:00
assert_success
2016-09-01 10:10:23 +00:00
}
2018-04-02 14:55:54 +00:00
2016-12-21 19:12:05 +00:00
@test "checking setup.sh: setup.sh email update" {
2017-01-09 22:53:09 +00:00
initialpass=$(cat ./config/postfix-accounts.cf | grep lorem@impsum.org | awk -F '|' '{print $2}')
run ./setup.sh -c mail email update lorem@impsum.org consectetur
updatepass=$(cat ./config/postfix-accounts.cf | grep lorem@impsum.org | awk -F '|' '{print $2}')
2018-03-14 19:00:38 +00:00
[ "$initialpass" != "$changepass" ]
2018-04-02 14:55:54 +00:00
docker exec mail /bin/sh -c "updatemailuser pass@localhost.localdomain 'my other password'"
sleep 30
docker exec mail /bin/sh -c "doveadm auth test -x service=smtp pass@localhost.localdomain 'my other password' | grep 'auth succeeded'"
assert_success
2016-12-21 19:12:05 +00:00
}
2018-04-02 14:55:54 +00:00
2016-09-01 10:10:23 +00:00
@test "checking setup.sh: setup.sh email del" {
2018-03-14 19:00:38 +00:00
run ./setup.sh -c mail email del -y lorem@impsum.org
2017-01-10 13:15:41 +00:00
assert_success
2018-03-14 19:00:38 +00:00
run docker exec mail ls /var/mail/impsum.org/lorem
assert_failure
run grep lorem@impsum.org ./config/postfix-accounts.cf
assert_failure
2016-09-01 10:10:23 +00:00
}
2018-02-07 20:33:07 +00:00
@test "checking setup.sh: setup.sh email restrict" {
2018-02-13 07:31:12 +00:00
run ./setup.sh -c mail email restrict
2018-02-07 20:33:07 +00:00
assert_failure
run ./setup.sh -c mail email restrict add
assert_failure
./setup.sh -c mail email restrict add send lorem@impsum.org
run ./setup.sh -c mail email restrict list send
assert_output --regexp "^lorem@impsum.org.*REJECT"
run ./setup.sh -c mail email restrict del send lorem@impsum.org
assert_success
run ./setup.sh -c mail email restrict list send
assert_output --partial "Everyone is allowed"
2018-02-13 07:31:12 +00:00
2018-02-07 20:33:07 +00:00
./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
run ./setup.sh -c mail email restrict list receive
assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
run ./setup.sh -c mail email restrict del receive rec_lorem@impsum.org
assert_success
}
2017-04-17 16:27:28 +00:00
# alias
@test "checking setup.sh: setup.sh alias list" {
echo "test@example.org test@forward.com" > ./config/postfix-virtual.cf
run ./setup.sh -c mail alias list
assert_success
}
@test "checking setup.sh: setup.sh alias add" {
echo "" > ./config/postfix-virtual.cf
./setup.sh -c mail alias add test1@example.org test1@forward.com
./setup.sh -c mail alias add test1@example.org test2@forward.com
2018-03-14 19:00:38 +00:00
run /bin/sh -c 'cat ./config/postfix-virtual.cf | grep "test1@example.org test1@forward.com,test2@forward.com" | wc -l | grep 1'
2017-04-17 16:27:28 +00:00
assert_success
}
@test "checking setup.sh: setup.sh alias del" {
2018-03-19 19:26:10 +00:00
echo -e 'test1@example.org test1@forward.com,test2@forward.com\ntest2@example.org test1@forward.com' > ./config/postfix-virtual.cf
2017-04-17 16:27:28 +00:00
./setup.sh -c mail alias del test1@example.org test1@forward.com
2018-03-19 19:26:10 +00:00
run grep "test1@forward.com" ./config/postfix-virtual.cf
assert_output --regexp "^test2@example.org +test1@forward.com$"
run grep "test2@forward.com" ./config/postfix-virtual.cf
assert_output --regexp "^test1@example.org +test2@forward.com$"
2017-04-17 16:27:28 +00:00
./setup.sh -c mail alias del test1@example.org test2@forward.com
2018-03-19 19:26:10 +00:00
run grep "test1@example.org" ./config/postfix-virtual.cf
assert_failure
run grep "test2@example.org" ./config/postfix-virtual.cf
2017-04-17 16:27:28 +00:00
assert_success
2018-03-19 19:26:10 +00:00
./setup.sh -c mail alias del test2@example.org test1@forward.com
run grep "test2@example.org" ./config/postfix-virtual.cf
assert_failure
2017-04-17 16:27:28 +00:00
}
2016-09-01 10:10:23 +00:00
# config
@test "checking setup.sh: setup.sh config dkim" {
run ./setup.sh -c mail config dkim
2017-01-10 13:15:41 +00:00
assert_success
2016-09-01 10:10:23 +00:00
}
# TODO: To create a test generate-ssl-certificate must be non interactive
#@test "checking setup.sh: setup.sh config ssl" {
# run ./setup.sh -c mail_ssl config ssl
2017-01-10 13:15:41 +00:00
# assert_success
2016-09-01 10:10:23 +00:00
#}
# debug
@test "checking setup.sh: setup.sh debug fetchmail" {
run ./setup.sh -c mail debug fetchmail
[ "$status" -eq 5 ]
# TODO: Fix output check
# [ "$output" = "fetchmail: no mailservers have been specified." ]
}
@test "checking setup.sh: setup.sh debug inspect" {
run ./setup.sh -c mail debug inspect
2017-01-10 13:15:41 +00:00
assert_success
2016-09-01 10:10:23 +00:00
[ "${lines[0]}" = "Image: tvial/docker-mailserver:testing" ]
[ "${lines[1]}" = "Container: mail" ]
}
@test "checking setup.sh: setup.sh debug login ls" {
run ./setup.sh -c mail debug login ls
2017-01-10 13:15:41 +00:00
assert_success
2016-09-01 10:10:23 +00:00
}
2018-01-31 21:25:29 +00:00
@test "checking setup.sh: setup.sh debug fail2ban" {
2018-02-13 07:31:12 +00:00
2018-01-31 21:25:29 +00:00
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
sleep 10
run ./setup.sh -c mail_fail2ban debug fail2ban
2018-02-13 07:31:12 +00:00
assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*"
2018-01-31 21:25:29 +00:00
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4
assert_output --partial "unbanned IP from dovecot: 192.0.66.4"
run ./setup.sh -c mail_fail2ban debug fail2ban
2018-02-13 07:31:12 +00:00
assert_output --regexp "^Banned in dovecot: 192.0.66.5.*"
2018-01-31 21:25:29 +00:00
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
run ./setup.sh -c mail_fail2ban debug fail2ban unban
assert_output --partial "You need to specify an IP address. Run"
}
2016-10-30 13:11:36 +00:00
2018-04-02 08:45:58 +00:00
@test "checking setup.sh: setup.sh relay add-domain" {
echo -n > ./config/postfix-relaymap.cf
./setup.sh -c mail relay add-domain example1.org smtp.relay1.com 2525
./setup.sh -c mail relay add-domain example2.org smtp.relay2.com
./setup.sh -c mail relay add-domain example3.org smtp.relay3.com 2525
./setup.sh -c mail relay add-domain example3.org smtp.relay.com 587
# check adding
run /bin/sh -c 'cat ./config/postfix-relaymap.cf | grep -e "^@example1.org\s\+\[smtp.relay1.com\]:2525" | wc -l | grep 1'
assert_success
# test default port
run /bin/sh -c 'cat ./config/postfix-relaymap.cf | grep -e "^@example2.org\s\+\[smtp.relay2.com\]:25" | wc -l | grep 1'
assert_success
# test modifying
run /bin/sh -c 'cat ./config/postfix-relaymap.cf | grep -e "^@example3.org\s\+\[smtp.relay.com\]:587" | wc -l | grep 1'
assert_success
}
@test "checking setup.sh: setup.sh relay add-auth" {
echo -n > ./config/postfix-sasl-password.cf
./setup.sh -c mail relay add-auth example.org smtp_user smtp_pass
./setup.sh -c mail relay add-auth example2.org smtp_user2 smtp_pass2
./setup.sh -c mail relay add-auth example2.org smtp_user2 smtp_pass_new
# test adding
run /bin/sh -c 'cat ./config/postfix-sasl-password.cf | grep -e "^@example.org\s\+smtp_user:smtp_pass" | wc -l | grep 1'
assert_success
# test updating
run /bin/sh -c 'cat ./config/postfix-sasl-password.cf | grep -e "^@example2.org\s\+smtp_user2:smtp_pass_new" | wc -l | grep 1'
assert_success
}
@test "checking setup.sh: setup.sh relay exclude-domain" {
echo -n > ./config/postfix-relaymap.cf
./setup.sh -c mail relay exclude-domain example.org
run /bin/sh -c 'cat ./config/postfix-relaymap.cf | grep -e "^@example.org\s*$" | wc -l | grep 1'
assert_success
}
2016-10-30 13:11:36 +00:00
#
# LDAP
#
# postfix
@test "checking postfix: ldap lookup works correctly" {
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@localhost.localdomain ldap:/etc/postfix/ldap-users.cf"
2017-01-10 13:15:41 +00:00
assert_success
assert_output "some.user@localhost.localdomain"
2016-10-30 13:11:36 +00:00
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.localdomain ldap:/etc/postfix/ldap-aliases.cf"
2017-01-10 13:15:41 +00:00
assert_success
assert_output "some.user@localhost.localdomain"
2016-10-30 13:11:36 +00:00
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.localdomain ldap:/etc/postfix/ldap-groups.cf"
2017-01-10 13:15:41 +00:00
assert_success
assert_output "some.user@localhost.localdomain"
2017-08-19 08:32:00 +00:00
# Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@localhost.localdomain ldap:/etc/postfix/ldap-users.cf"
assert_success
assert_output "some.user.email@localhost.localdomain"
# Test email receiving from a other domain then the primary domain of the mailserver
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@localhost.otherdomain ldap:/etc/postfix/ldap-users.cf"
assert_success
assert_output "some.other.user@localhost.otherdomain"
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.otherdomain ldap:/etc/postfix/ldap-aliases.cf"
assert_success
assert_output "some.other.user@localhost.otherdomain"
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.otherdomain ldap:/etc/postfix/ldap-groups.cf"
assert_success
assert_output "some.other.user@localhost.otherdomain"
2016-10-30 13:11:36 +00:00
}
2017-04-26 12:56:09 +00:00
@test "checking postfix: ldap custom config files copied" {
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf"
2017-04-26 12:56:09 +00:00
assert_success
}
@test "checking postfix: ldap config overwrites success" {
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
2017-04-26 12:56:09 +00:00
assert_success
2018-01-25 21:38:41 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
2017-04-26 12:56:09 +00:00
assert_success
2018-01-25 21:38:41 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
2017-04-26 12:56:09 +00:00
assert_success
2018-01-25 21:38:41 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
2017-04-26 12:56:09 +00:00
assert_success
2017-08-09 21:19:00 +00:00
}
@test "checking postfix: remove privacy details of the sender" {
2017-12-31 11:33:48 +00:00
run docker exec mail_privacy /bin/sh -c "ls /var/mail/localhost.localdomain/user1/new | wc -l"
2017-08-09 21:19:00 +00:00
assert_success
2017-12-31 11:33:48 +00:00
assert_output 1
run docker exec mail_privacy /bin/sh -c "grep -rE "^User-Agent:" /var/mail/localhost.localdomain/user1/new | wc -l"
2017-08-09 21:19:00 +00:00
assert_success
assert_output 0
2017-04-26 12:56:09 +00:00
}
2016-10-30 13:11:36 +00:00
# dovecot
@test "checking dovecot: ldap imap connection and authentication works" {
run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt"
2017-01-10 13:15:41 +00:00
assert_success
2016-10-30 13:11:36 +00:00
}
2017-07-03 11:16:16 +00:00
@test "checking dovecot: ldap mail delivery works" {
2016-10-30 13:11:36 +00:00
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt"
sleep 10
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2017-08-19 08:32:00 +00:00
}
@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" {
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@localhost.otherdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt"
sleep 10
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.other.user/new | wc -l"
assert_success
assert_output 1
2016-10-30 13:11:36 +00:00
}
2017-07-03 11:16:16 +00:00
@test "checking dovecot: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
2018-01-25 21:38:41 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
2017-07-03 11:16:16 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
}
2018-02-27 19:44:45 +00:00
@test "checking dovecot: postmaster address" {
run docker exec mail /bin/sh -c "grep 'postmaster_address = postmaster@domain.com' /etc/dovecot/conf.d/15-lda.conf"
assert_success
2018-03-07 18:33:43 +00:00
2018-02-27 19:44:45 +00:00
run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@localhost.localdomain' /etc/dovecot/conf.d/15-lda.conf"
assert_success
}
2018-03-07 18:33:43 +00:00
@test "checking spoofing: rejects sender forging" {
# checking rejection of spoofed sender
run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
assert_success
# checking ldap
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
assert_success
}
@test "checking spoofing: accepts sending as alias" {
run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed-alias.txt | grep 'End data with'"
assert_success
# checking ldap alias
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
assert_success
}
2016-10-30 13:11:36 +00:00
# saslauthd
@test "checking saslauthd: sasl ldap authentication works" {
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
2017-01-10 13:15:41 +00:00
assert_success
2016-10-30 13:11:36 +00:00
}
@test "checking saslauthd: ldap smtp authentication" {
run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
2017-01-10 13:15:41 +00:00
assert_success
2017-09-07 16:08:25 +00:00
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
assert_success
2017-08-19 08:32:47 +00:00
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
assert_success
2016-10-30 13:11:36 +00:00
}
2017-01-03 09:55:03 +00:00
2017-04-26 12:56:09 +00:00
2017-01-03 09:55:03 +00:00
#
# RIMAP
#
# dovecot
@test "checking dovecot: ldap rimap connection and authentication works" {
run docker exec mail_with_imap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-auth.txt"
2017-01-10 13:15:41 +00:00
assert_success
2017-01-03 09:55:03 +00:00
}
# saslauthd
@test "checking saslauthd: sasl rimap authentication works" {
run docker exec mail_with_imap bash -c "testsaslauthd -u user1@localhost.localdomain -p mypassword"
2017-01-10 13:15:41 +00:00
assert_success
2017-01-03 09:55:03 +00:00
}
@test "checking saslauthd: rimap smtp authentication" {
run docker exec mail_with_imap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt | grep 'Authentication successful'"
2017-01-10 13:15:41 +00:00
assert_success
2017-01-03 09:55:03 +00:00
}
2017-01-09 22:52:36 +00:00
#
# Postfix VIRTUAL_TRANSPORT
#
@test "checking postfix-lmtp: virtual_transport config is set" {
2017-01-25 13:10:40 +00:00
run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
assert_success
2017-01-09 22:52:36 +00:00
}
@test "checking postfix-lmtp: delivers mail to existing account" {
run docker exec mail_lmtp_ip /bin/sh -c "grep 'postfix/lmtp' /var/log/mail/mail.log | grep 'status=sent' | grep ' Saved)' | wc -l"
2017-01-10 13:15:41 +00:00
assert_success
assert_output 1
2017-01-09 22:52:36 +00:00
}
2017-01-25 13:10:40 +00:00
2018-03-18 18:52:28 +00:00
#
# Pflogsumm delivery check
#
@test "checking pflogsum delivery" {
# checking logrotation working and report being sent
docker exec mail logrotate --force /etc/logrotate.d/maillog
sleep 10
run docker exec mail grep "Subject: Postfix Summary for " /var/mail/localhost.localdomain/user1/new/ -R
assert_success
# checking default logrotation setup
run docker exec mail_with_ldap grep "daily" /etc/logrotate.d/maillog
assert_success
}
2017-01-25 13:10:40 +00:00
#
# PCI compliance
#
# dovecot
@test "checking dovecot: only A grade TLS ciphers are used" {
run docker run --rm -i --link mail:dovecot \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
assert_success
}
@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
run docker run --rm -i --link mail:dovecot \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
assert_success
assert_output 0
}
2017-09-07 16:08:25 +00:00
# postfix submission TLS
@test "checking postfix submission: only A grade TLS ciphers are used" {
2017-01-25 13:10:40 +00:00
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
assert_success
}
2017-09-07 16:08:25 +00:00
@test "checking postfix submission: nmap produces no warnings on TLS ciphers verifying" {
2017-01-25 13:10:40 +00:00
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
assert_success
assert_output 0
}
2017-08-07 15:39:40 +00:00
2017-09-07 16:08:25 +00:00
# postfix smtps SSL
@test "checking postfix smtps: only A grade TLS ciphers are used" {
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 465 postfix | grep "least strength: A"'
assert_success
}
@test "checking postfix smtps: nmap produces no warnings on TLS ciphers verifying" {
run docker run --rm -i --link mail:postfix \
--entrypoint sh instrumentisto/nmap -c \
'nmap --script ssl-enum-ciphers -p 465 postfix | grep "warnings" | wc -l'
assert_success
assert_output 0
}
2017-08-07 15:39:40 +00:00
#
# supervisor
#
@test "checking restart of process: postfix" {
run docker exec mail /bin/bash -c "pkill master && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/lib/postfix/sbin/master'"
assert_success
}
@test "checking restart of process: clamd" {
run docker exec mail /bin/bash -c "pkill clamd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
assert_success
}
@test "checking restart of process: amavisd-new" {
2017-10-10 06:15:18 +00:00
run docker exec mail /bin/bash -c "pkill amavi && sleep 12 && ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new (master)'"
2017-08-07 15:39:40 +00:00
assert_success
}
@test "checking restart of process: opendkim" {
run docker exec mail /bin/bash -c "pkill opendkim && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'"
assert_success
}
@test "checking restart of process: opendmarc" {
run docker exec mail /bin/bash -c "pkill opendmarc && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'"
assert_success
}
@test "checking restart of process: fail2ban (fail2ban server enabled)" {
run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
assert_success
}
@test "checking restart of process: fetchmail" {
run docker exec mail_fetchmail /bin/bash -c "pkill fetchmail && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'"
assert_success
}
@test "checking restart of process: clamav (clamav disabled by ENABLED_CLAMAV=0)" {
run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "pkill -f clamd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
assert_failure
}
@test "checking restart of process: saslauthd (saslauthd server enabled)" {
run docker exec mail_with_ldap /bin/bash -c "pkill saslauthd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'"
assert_success
}
2018-04-02 08:45:58 +00:00
#
# relay hosts
#
@test "checking relay hosts: default mapping is added from env vars" {
run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/relayhost_map | grep -e "^@domainone.tld\s\+\[default.relay.com\]:2525" | wc -l | grep 1'
assert_success
}
@test "checking relay hosts: custom mapping is added from file" {
run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/relayhost_map | grep -e "^@domaintwo.tld\s\+\[other.relay.com\]:587" | wc -l | grep 1'
assert_success
}
@test "checking relay hosts: ignored domain is not added" {
run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/relayhost_map | grep -e "^@domainthree.tld\s\+\[any.relay.com\]:25" | wc -l | grep 0'
assert_success
}
@test "checking relay hosts: auth entry is added" {
run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/sasl_passwd | grep -e "^@domaintwo.tld\s\+smtp_user_2:smtp_password_2" | wc -l | grep 1'
assert_success
}
@test "checking relay hosts: default auth entry is added" {
run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/sasl_passwd | grep -e "^\[default.relay.com\]:2525\s\+smtp_user:smtp_password" | wc -l | grep 1'
assert_success
}