From 0fe86e796be614af511900caa72a800b02499576 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Thu, 7 Sep 2017 18:08:25 +0200 Subject: [PATCH] Listen also on the ssl port 465 for clients (#709) --- Dockerfile | 2 +- target/postfix/master.cf | 13 +++++++++++++ test/tests.bats | 24 +++++++++++++++++++++--- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8fbdecb9..bdd35d51 100644 --- a/Dockerfile +++ b/Dockerfile @@ -193,7 +193,7 @@ RUN chmod +x /usr/local/bin/* # Configure supervisor COPY target/supervisor/* /etc/supervisor/conf.d/ -EXPOSE 25 587 143 993 110 995 4190 +EXPOSE 25 587 143 465 993 110 995 4190 CMD supervisord -c /etc/supervisor/supervisord.conf diff --git a/target/postfix/master.cf b/target/postfix/master.cf index aac77a5b..c5b145f6 100644 --- a/target/postfix/master.cf +++ b/target/postfix/master.cf @@ -22,6 +22,19 @@ submission inet n - n - - smtpd -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING + +smtps inet n - n - - smtpd + -o syslog_name=postfix/smtps + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_reject_unlisted_recipient=no + -o smtpd_sasl_authenticated_header=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_relay_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING + pickup fifo n - y 60 1 pickup -o content_filter= -o receive_override_options=no_header_body_checks diff --git a/test/tests.bats b/test/tests.bats index e0cbb798..2cc16e20 100644 --- a/test/tests.bats +++ b/test/tests.bats 
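Review bot: In the new `smtps` entry in target/postfix/master.cf, `-o smtpd_sasl_authenticated_header=yes` makes Postfix write the SASL login name into the Received header of every message submitted on port 465, so account names are disclosed to outside recipients. Unless that disclosure is wanted, drop the override or set it to `-o smtpd_sasl_authenticated_header=no`. The `submission` entry begins above this hunk, so whether it carries the same option cannot be seen here; if it does, the same applies there. A one-line comment above the entry, such as `# smtps: implicit TLS (wrapper mode) on 465, authenticated clients only`, would also help readers tell it apart from the STARTTLS submission service.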
@@ -1141,6 +1141,8 @@ load 'test_helper/bats-assert/load' @test "checking saslauthd: ldap smtp authentication" { run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" assert_success + run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" + assert_success run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" assert_success } @@ -1201,15 +1203,15 @@ load 'test_helper/bats-assert/load' assert_output 0 } -# postfix -@test "checking postfix: only A grade TLS ciphers are used" { +# postfix submission TLS +@test "checking postfix submission: only A grade TLS ciphers are used" { run docker run --rm -i --link mail:postfix \ --entrypoint sh instrumentisto/nmap -c \ 'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"' assert_success } -@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" { +@test "checking postfix submission: nmap produces no warnings on TLS ciphers verifying" { run docker run --rm -i --link mail:postfix \ --entrypoint sh instrumentisto/nmap -c \ 'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l' 
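Review bot: The added port 465 check in "checking saslauthd: ldap smtp authentication" covers only the successful-login path, so the test would still pass if the new smtps listener accepted mail from a client that never authenticated, which is what `permit_sasl_authenticated,reject` in master.cf is meant to prevent. A companion case that runs the same SMTP dialogue without the AUTH step and asserts that the recipient is refused would pin that behaviour. The s_client call also has no time limit, unlike the `nc -w 5` line above it, so a stalled session would hang the suite. Wrapping it as `timeout 10 openssl s_client -quiet -connect 0.0.0.0:465 ...` is one option, assuming `timeout` is available in the image.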
@@ -1217,6 +1219,22 @@ load 'test_helper/bats-assert/load' assert_output 0 } +# postfix smtps SSL +@test "checking postfix smtps: only A grade TLS ciphers are used" { + run docker run --rm -i --link mail:postfix \ + --entrypoint sh instrumentisto/nmap -c \ + 'nmap --script ssl-enum-ciphers -p 465 postfix | grep "least strength: A"' + assert_success +} + +@test "checking postfix smtps: nmap produces no warnings on TLS ciphers verifying" { + run docker run --rm -i --link mail:postfix \ + --entrypoint sh instrumentisto/nmap -c \ + 'nmap --script ssl-enum-ciphers -p 465 postfix | grep "warnings" | wc -l' + assert_success + assert_output 0 +} + # # supervisor