test dhparams ONE_DIR both cases
This commit is contained in:
parent
03b8f87ffc
commit
4d031f73e3
2
Makefile
2
Makefile
|
@ -155,4 +155,4 @@ clean:
|
||||||
sudo rm -rf test/config ;\
|
sudo rm -rf test/config ;\
|
||||||
mv testconfig.bak test/config ;\
|
mv testconfig.bak test/config ;\
|
||||||
fi
|
fi
|
||||||
-sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf
|
-sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf test/config/dhparams.pem
|
||||||
|
|
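--- a/test/mail_dhparams_default.bats
+++ b/test/mail_dhparams_default.bats
@@ -0,0 +1,67 @@
+load 'test_helper/common'
+
+function setup() {
+run_setup_file_if_necessary
+}
+
+function teardown() {
+run_teardown_file_if_necessary
+}
+
+function setup_file() {
+docker run -d --name mail_default_dhparams_one_dir \
+-v "`pwd`/test/config":/tmp/docker-mailserver \
+-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+-e DMS_DEBUG=0 \
+-e ONE_DIR=1 \
+-h mail.my-domain.com -t ${NAME}
+
+docker run -d --name mail_default_dhparams_not_one_dir \
+-v "`pwd`/test/config":/tmp/docker-mailserver \
+-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+-e DMS_DEBUG=0 \
+-e ONE_DIR=0 \
+-h mail.my-domain.com -t ${NAME}
+
+wait_for_finished_setup_in_container mail_default_dhparams_one_dir
+wait_for_finished_setup_in_container mail_default_dhparams_not_one_dir
+}
+
+function teardown_file() {
+docker rm -f mail_default_dhparams_one_dir
+docker rm -f mail_default_dhparams_not_one_dir
+}
+
+@test "first" {
+skip 'this test must come first to reliably identify when to run setup_file'
+}
+
+@test "checking ssl: checking dhe params are sufficient" {
+# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
+
+# check ffdhe params are inchanged
+repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
+mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
+assert_equal "$repo_checksum" "$mozilla_checksum"
+run echo "$repo_checksum"
+refute_output '' # checksum must not be empty
+
+# by default, ffdhe4096 should be used
+
+# ONE_DIR=1
+docker_dovecot_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+docker_postfix_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+assert_equal "$docker_dovecot_checksum_one_dir" "$repo_checksum"
+assert_equal "$docker_postfix_checksum_one_dir" "$repo_checksum"
+
+# ONE_DIR=0
+docker_dovecot_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+docker_postfix_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+assert_equal "$docker_dovecot_checksum_not_one_dir" "$repo_checksum"
+assert_equal "$docker_postfix_checksum_not_one_dir" "$repo_checksum"
+}
+
+
+@test "last" {
+skip 'this test is only there to reliably mark the end for the teardown_file'
+}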
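Review bot: The `mozilla_checksum=` line in the dhe-params test hides a failed download: `curl -s` reports nothing on a network or HTTP error, `sha512sum` then hashes empty input and `assert_equal` fails as an unexplained hash mismatch instead of a transfer error. Use `mozilla_checksum=$(curl -sSf https://ssl-config.mozilla.org/ffdhe4096.txt | sha512sum | awk '{print $1}')` so the error is at least printed to stderr next to the failing assertion, and consider recording the expected sha512 of the upstream file as a literal (value to be taken from the upstream file) so the integrity check of target/shared/ffdhe4096.pem does not depend on network access at test time. The comment `# check ffdhe params are inchanged` should read `# check ffdhe params are unchanged`. The `docker run` lines use backtick `pwd` substitutions while the test body uses `$(pwd)`; the same mix appears in test/mail_dhparams_manual_not_one_dir.bats, and `$(pwd)` throughout would be the consistent form.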
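--- a/test/mail_dhparams_manual_not_one_dir.bats
+++ b/test/mail_dhparams_manual_not_one_dir.bats
@@ -0,0 +1,53 @@
+load 'test_helper/common'
+
+function setup() {
+run_setup_file_if_necessary
+}
+
+function teardown() {
+run_teardown_file_if_necessary
+}
+
+function setup_file() {
+# copy the custom DHE params in local config
+cp `pwd`/test/test-files/ssl/ffdhe2048.pem `pwd`/test/config/dhparams.pem
+
+docker run -d --name mail_manual_dhparams_not_one_dir \
+-v "`pwd`/test/config":/tmp/docker-mailserver \
+-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+-e DMS_DEBUG=0 \
+-e ONE_DIR=0 \
+-h mail.my-domain.com -t ${NAME}
+
+wait_for_finished_setup_in_container mail_manual_dhparams_not_one_dir
+}
+
+function teardown_file() {
+# remove custom dhe file
+rm `pwd`/test/config/dhparams.pem
+docker rm -f mail_manual_dhparams_not_one_dir
+}
+
+@test "first" {
+skip 'this test must come first to reliably identify when to run setup_file'
+}
+
+@test "checking dhparams: ONE_DIR=0 check manual dhparams is used" {
+test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
+run echo "$test_checksum"
+refute_output '' # checksum must not be empty
+
+docker_dovecot_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+docker_postfix_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+assert_equal "$docker_dovecot_checksum" "$test_checksum"
+assert_equal "$docker_postfix_checksum" "$test_checksum"
+}
+
+@test "checking dhparams: ONE_DIR=0 check warning output when using manual dhparams" {
+run sh -c "docker logs mail_manual_dhparams_not_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
+assert_success
+}
+
+@test "last" {
+skip 'this test is only there to reliably mark the end for the teardown_file'
+}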
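Review bot: The `cp` line in setup_file and the `rm` line in teardown_file expand the backtick `pwd` substitutions unquoted, so a checkout path containing whitespace splits into extra arguments; quote them in the `$(pwd)` form the test bodies already use, `cp "$(pwd)/test/test-files/ssl/ffdhe2048.pem" "$(pwd)/test/config/dhparams.pem"` and `rm -f -- "$(pwd)/test/config/dhparams.pem"`. The `-f` also keeps teardown_file from failing when the copy in setup_file never happened. The copied dhparams.pem lands in the same test/config directory that test/mail_dhparams_default.bats bind-mounts into its own containers, so that file's default-params assertions presumably depend on running before this setup_file or after this teardown_file; a comment next to the `cp` stating that ordering assumption, e.g. `# shared test/config: must not be present while mail_dhparams_default.bats containers start`, would make it explicit. The Makefile `clean` target in this commit also removes the file, which covers an aborted run where teardown_file does not execute.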
@ -9,38 +9,38 @@ function teardown() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function setup_file() {
|
function setup_file() {
|
||||||
docker run -d --name mail_manual_dhparams \
|
docker run -d --name mail_manual_dhparams_one_dir \
|
||||||
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||||
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||||
-v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
|
-v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
|
||||||
-e DMS_DEBUG=0 \
|
-e DMS_DEBUG=0 \
|
||||||
-e ONE_DIR=1 \
|
-e ONE_DIR=1 \
|
||||||
-h mail.my-domain.com -t ${NAME}
|
-h mail.my-domain.com -t ${NAME}
|
||||||
wait_for_finished_setup_in_container mail_manual_dhparams
|
|
||||||
|
wait_for_finished_setup_in_container mail_manual_dhparams_one_dir
|
||||||
}
|
}
|
||||||
|
|
||||||
function teardown_file() {
|
function teardown_file() {
|
||||||
skip
|
docker rm -f mail_manual_dhparams_one_dir
|
||||||
docker rm -f mail_manual_dhparams
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "first" {
|
@test "first" {
|
||||||
skip 'this test must come first to reliably identify when to run setup_file'
|
skip 'this test must come first to reliably identify when to run setup_file'
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "checking dhparams: check manual dhparams is used" {
|
@test "checking dhparams: ONE_DIR=1 check manual dhparams is used" {
|
||||||
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
|
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
|
||||||
run echo "$test_checksum"
|
run echo "$test_checksum"
|
||||||
refute_output '' # checksum must not be empty
|
refute_output '' # checksum must not be empty
|
||||||
|
|
||||||
docker_dovecot_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
docker_dovecot_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
||||||
docker_postfix_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
docker_postfix_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
||||||
assert_equal "$docker_dovecot_checksum" "$test_checksum"
|
assert_equal "$docker_dovecot_checksum" "$test_checksum"
|
||||||
assert_equal "$docker_postfix_checksum" "$test_checksum"
|
assert_equal "$docker_postfix_checksum" "$test_checksum"
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "checking dhparams: check warning output when using manual dhparams" {
|
@test "checking dhparams: ONE_DIR=1 check warning output when using manual dhparams" {
|
||||||
run sh -c "docker logs mail_manual_dhparams | grep 'Using self-generated dhparams is considered as insecure'"
|
run sh -c "docker logs mail_manual_dhparams_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
|
||||||
assert_success
|
assert_success
|
||||||
}
|
}
|
||||||
|
|
|
@ -667,23 +667,6 @@ EOF
|
||||||
assert_success
|
assert_success
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "checking ssl: checking dhe params are sufficient" {
|
|
||||||
# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
|
|
||||||
|
|
||||||
# check ffdhe params are inchanged
|
|
||||||
repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
|
|
||||||
mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
|
|
||||||
assert_equal "$repo_checksum" "$mozilla_checksum"
|
|
||||||
run echo "$repo_checksum"
|
|
||||||
refute_output '' # checksum must not be empty
|
|
||||||
|
|
||||||
# by default, ffdhe4096 should be used
|
|
||||||
docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
|
||||||
docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
|
||||||
assert_equal "$docker_dovecot_checksum" "$repo_checksum"
|
|
||||||
assert_equal "$docker_postfix_checksum" "$repo_checksum"
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# postsrsd
|
# postsrsd
|
||||||
#
|
#
|
||||||
|
|