mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
tests: Refactor LDAP tests to current conventions (#3483)
* tests: Switch to setup helper and conventions * tests: Adapt run command to new conventions - We have two helper methods with implicit `CONTAINER_NAME` reference, which is a bit more DRY and improves readability. - `wc -l` + `assert_output 1` converted to use helper `_should_output_number_of_lines 1` - `DOMAIN` var changed from `my-domain.com` to local testing domain `example.test`. * tests: Refactor `setup_file()` - Test wide ENV defined at the top - OpenLDAP build and run logic grouped together. Added notes, network alias and tty not required. - Extracted out special LDAP Postfix/Dovecot ENV into separate array. LDAP specific provisioning / auth ENV also included, with comments + linebreak to better group related ENV. - Likewise additional ENV to support test cases has been extracted to a separate array with additional comments for context. - Those two arrays are expanded back into the main `CUSTOM_SETUP_ARGUMENTS` that configure hostname and network for the DMS container. * tests: Refactor the LDAP account table query testcase - Covers 3 accounts to test from LDAP. - 2 are the same query against users/aliases/groups tables in Postfix, only differing by account queried (and expected as returned result). - 1 separate test to ensure a difference in config is supported correctly. - Extracted repeated test logic into a helper method. - Added additional context in comments about the creation source of these LDAP accounts and their related Postfix config / interaction. Direct reference to special case PR (since `git blame` will be less useful). * tests: Use iteration for `grep` setting checks More DRY approach. With a bit more helpful failure context via `assert_output` (_and only grepping the key_). Simpler to grok what's being covered. * tests: DRY test email delivery A bit more verbose with the new helper method. `test-email.txt` template is only used by the LDAP test, as is the `sendmail` command. Helper will take two args to support the testcases, but at a later date should be refactored to be consistent with the `_send_email()` helper (_which presently uses `nc` that is required for plain-text mail/auth, otherwise we'd have used `openssl`, bigger refactor required_). * tests: Slight revisions and relocating testcases - Dovecot quota plugin testcase revised to check files exist instead of rely on `ls` failure. - Moved Postfix quota plugin testcase into prior dovecot testcase for quota plugin check. Better error output by only querying the `smtpd_recipient_restrictions` setting (_which should be the only one configured for the service_). - Moved the saslauthd and pflogsumm testcases (_no changes beyond revised comments_) above the `ATTENTION` comment, and one testcase below the comment that belonged to that group. * tests: Simplify openldap `docker build` command - `--no-cache` was creating a new image on the Docker host each time the test is run. Shouldn't be any need to build without cache. - No need to use `pushd` + `popd`, can just provide the path context directly, and the `./Dockerfile` is an implicit default thus `-f` not required either. Additionally removed the old `checking` prefix from testcase names. * tests: Move LDAP specific config into `test/config/ldap/` - No changes to any of these config files, just better isolation as not relevant to any other tests. - Section heading in `setup_file()` added to distinguish the remainder of the function is dedicated to the DMS container setup. - Comment providing some context about the `mv` to maintainers, this should be done after defaults are initialized but before starting up the container. * chore: Appease the lint gods * Apply suggestions from code review
This commit is contained in:
parent
8f97171336
commit
5bada0a83b
|
@ -1,245 +1,313 @@
|
|||
load "${REPOSITORY_ROOT}/test/test_helper/common"
|
||||
load "${REPOSITORY_ROOT}/test/helper/setup"
|
||||
load "${REPOSITORY_ROOT}/test/helper/common"
|
||||
|
||||
BATS_TEST_NAME_PREFIX='[LDAP] '
|
||||
CONTAINER1_NAME='dms-test_ldap'
|
||||
CONTAINER2_NAME='dms-test_ldap_provider'
|
||||
|
||||
function setup_file() {
|
||||
pushd test/docker-openldap/ || return 1
|
||||
docker build -f Dockerfile -t ldap --no-cache .
|
||||
popd || return 1
|
||||
|
||||
export DOMAIN='my-domain.com'
|
||||
export DMS_TEST_NETWORK='test-network-ldap'
|
||||
export DOMAIN='example.test'
|
||||
export FQDN_MAIL="mail.${DOMAIN}"
|
||||
export FQDN_LDAP="ldap.${DOMAIN}"
|
||||
# LDAP is provisioned with two domains (via `.ldif` files) unrelated to the FQDN of DMS:
|
||||
export FQDN_LOCALHOST_A='localhost.localdomain'
|
||||
export FQDN_LOCALHOST_B='localhost.otherdomain'
|
||||
export DMS_TEST_NETWORK='test-network-ldap'
|
||||
|
||||
# Link the test containers to separate network:
|
||||
# NOTE: If the network already exists, test will fail to start.
|
||||
docker network create "${DMS_TEST_NETWORK}"
|
||||
|
||||
docker run -d --name ldap_for_mail \
|
||||
# Setup local openldap service:
|
||||
# NOTE: Building via Dockerfile is required? Image won't accept read-only if it needs to adjust permissions for bootstrap files.
|
||||
# TODO: Upstream image is no longer maintained, may want to migrate?
|
||||
docker build -t dms-openldap test/config/ldap/docker-openldap/
|
||||
|
||||
docker run -d --name "${CONTAINER2_NAME}" \
|
||||
--env LDAP_DOMAIN="${FQDN_LOCALHOST_A}" \
|
||||
--network "${DMS_TEST_NETWORK}" \
|
||||
--network-alias 'ldap' \
|
||||
--hostname "${FQDN_LDAP}" \
|
||||
--tty \
|
||||
ldap # Image name
|
||||
|
||||
# _setup_ldap uses _replace_by_env_in_file with ENV vars like DOVECOT_TLS with a prefix (eg. DOVECOT_ or LDAP_)
|
||||
local PRIVATE_CONFIG
|
||||
PRIVATE_CONFIG=$(duplicate_config_for_container .)
|
||||
docker run -d --name mail_with_ldap \
|
||||
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
|
||||
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
|
||||
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e DOVECOT_TLS=no \
|
||||
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
||||
-e ACCOUNT_PROVISIONER=LDAP \
|
||||
-e PFLOGSUMM_TRIGGER=logrotate \
|
||||
-e ENABLE_SASLAUTHD=1 \
|
||||
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
||||
-e LDAP_BIND_PW=admin \
|
||||
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
|
||||
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
|
||||
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
|
||||
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
|
||||
-e LDAP_START_TLS=no \
|
||||
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
||||
-e LDAP_SERVER_HOST=ldap \
|
||||
-e PERMIT_DOCKER=container \
|
||||
-e POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" \
|
||||
-e REPORT_RECIPIENT=1 \
|
||||
-e SASLAUTHD_MECHANISMS=ldap \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e SSL_TYPE='snakeoil' \
|
||||
--network "${DMS_TEST_NETWORK}" \
|
||||
--hostname "${FQDN_MAIL}" \
|
||||
--tty \
|
||||
"${NAME}" # Image name
|
||||
dms-openldap
|
||||
|
||||
wait_for_smtp_port_in_container mail_with_ldap
|
||||
#
|
||||
# Setup DMS container
|
||||
#
|
||||
|
||||
local ENV_LDAP_CONFIG=(
|
||||
# Configure for LDAP account provisioner and alternative to Dovecot SASL:
|
||||
--env ACCOUNT_PROVISIONER=LDAP
|
||||
--env ENABLE_SASLAUTHD=1
|
||||
--env SASLAUTHD_MECHANISMS=ldap
|
||||
|
||||
# ENV to configure LDAP configs for Dovecot + Postfix:
|
||||
# NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes):
|
||||
# Dovecot:
|
||||
--env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
|
||||
--env DOVECOT_TLS=no
|
||||
--env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
|
||||
# Postfix:
|
||||
--env LDAP_BIND_DN='cn=admin,dc=localhost,dc=localdomain'
|
||||
--env LDAP_BIND_PW='admin'
|
||||
--env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))'
|
||||
--env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
|
||||
--env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))'
|
||||
--env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))'
|
||||
--env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))'
|
||||
--env LDAP_SEARCH_BASE='ou=people,dc=localhost,dc=localdomain'
|
||||
--env LDAP_SERVER_HOST="${FQDN_LDAP}"
|
||||
--env LDAP_START_TLS=no
|
||||
)
|
||||
|
||||
# Extra ENV needed to support specific testcases:
|
||||
local ENV_SUPPORT=(
|
||||
--env PERMIT_DOCKER=container # Required for attempting SMTP auth on port 25 via nc
|
||||
# Required for openssl commands to be successul:
|
||||
# NOTE: snakeoil cert is created (for `docker-mailserver.invalid`) via Debian post-install script for Postfix package.
|
||||
# TODO: Use proper TLS cert
|
||||
--env SSL_TYPE='snakeoil'
|
||||
|
||||
# TODO; All below are questionable value to LDAP tests?
|
||||
--env POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" # TODO: Only required because LDAP accounts use unrelated domain part. FQDN_LOCALHOST_A / ldif files can be adjusted to FQDN_MAIL
|
||||
--env PFLOGSUMM_TRIGGER=logrotate
|
||||
--env REPORT_RECIPIENT=1 # TODO: Invalid value, should be a recipient address (if not default postmaster), remove?
|
||||
--env SPOOF_PROTECTION=1
|
||||
)
|
||||
|
||||
local CUSTOM_SETUP_ARGUMENTS=(
|
||||
--hostname "${FQDN_MAIL}"
|
||||
--network "${DMS_TEST_NETWORK}"
|
||||
|
||||
"${ENV_LDAP_CONFIG[@]}"
|
||||
"${ENV_SUPPORT[@]}"
|
||||
)
|
||||
|
||||
# Set default implicit container fallback for helpers:
|
||||
export CONTAINER_NAME=${CONTAINER1_NAME}
|
||||
|
||||
_init_with_defaults
|
||||
# NOTE: `test/config/` has now been duplicated, can move test specific files to host-side `/tmp/docker-mailserver`:
|
||||
mv "${TEST_TMP_CONFIG}/ldap/overrides/"*.cf "${TEST_TMP_CONFIG}/"
|
||||
_common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
|
||||
_wait_for_smtp_port_in_container
|
||||
}
|
||||
|
||||
function teardown_file() {
|
||||
docker rm -f ldap_for_mail mail_with_ldap
|
||||
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
|
||||
docker network rm "${DMS_TEST_NETWORK}"
|
||||
}
|
||||
|
||||
# postfix
|
||||
@test "checking postfix: ldap lookup works correctly" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
|
||||
assert_success
|
||||
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-aliases.cf"
|
||||
assert_success
|
||||
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
||||
|
||||
# Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
|
||||
assert_success
|
||||
assert_output "some.user.email@${FQDN_LOCALHOST_A}"
|
||||
# NOTE: Each of the 3 user accounts tested below are defined in separate LDIF config files,
|
||||
# Those are bundled into the locally built OpenLDAP Dockerfile.
|
||||
@test "postfix: ldap lookup works correctly" {
|
||||
_should_exist_in_ldap_tables "some.user@${FQDN_LOCALHOST_A}"
|
||||
|
||||
# Test email receiving from a other domain then the primary domain of the mailserver
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-users.cf"
|
||||
_should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}"
|
||||
|
||||
# Should not require `uniqueIdentifier` to match the local part of `mail` (`.ldif` defined settings):
|
||||
# REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384
|
||||
# NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`.
|
||||
local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}"
|
||||
_run_in_container postmap -q "${MAIL_ACCOUNT}" ldap:/etc/postfix/ldap-users.cf
|
||||
assert_success
|
||||
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-aliases.cf"
|
||||
assert_success
|
||||
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
||||
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
||||
assert_output "${MAIL_ACCOUNT}"
|
||||
}
|
||||
|
||||
@test "checking postfix: ldap custom config files copied" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf"
|
||||
assert_success
|
||||
# Custom LDAP config files support:
|
||||
# TODO: Compare to provided configs and if they're just including a test comment,
|
||||
# could just copy the config and append without carrying a separate test config?
|
||||
@test "postfix: ldap custom config files copied" {
|
||||
local LDAP_CONFIGS_POSTFIX=(
|
||||
/etc/postfix/ldap-users.cf
|
||||
/etc/postfix/ldap-groups.cf
|
||||
/etc/postfix/ldap-aliases.cf
|
||||
)
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf"
|
||||
for LDAP_CONFIG in "${LDAP_CONFIGS_POSTFIX[@]}"; do
|
||||
_run_in_container grep '# Testconfig for ldap integration' "${LDAP_CONFIG}"
|
||||
assert_success
|
||||
done
|
||||
}
|
||||
|
||||
@test "checking postfix: ldap config overwrites success" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
|
||||
@test "postfix: ldap config overwrites success" {
|
||||
local LDAP_SETTINGS_POSTFIX=(
|
||||
"server_host = ${FQDN_LDAP}"
|
||||
'start_tls = no'
|
||||
'search_base = ou=people,dc=localhost,dc=localdomain'
|
||||
'bind_dn = cn=admin,dc=localhost,dc=localdomain'
|
||||
)
|
||||
|
||||
for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do
|
||||
# "${LDAP_SETTING%=*}" is to match only the key portion of the var (helpful for assert_output error messages)
|
||||
# NOTE: `start_tls = no` is a default setting, but the white-space differs when ENV `LDAP_START_TLS` is not set explicitly.
|
||||
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-users.cf
|
||||
assert_output "${LDAP_SETTING}"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
|
||||
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-groups.cf
|
||||
assert_output "${LDAP_SETTING}"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
|
||||
assert_success
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
|
||||
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-aliases.cf
|
||||
assert_output "${LDAP_SETTING}"
|
||||
assert_success
|
||||
done
|
||||
}
|
||||
|
||||
# dovecot
|
||||
@test "checking dovecot: ldap imap connection and authentication works" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt"
|
||||
@test "dovecot: ldap imap connection and authentication works" {
|
||||
_run_in_container_bash 'nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt'
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking dovecot: ldap mail delivery works" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@${FQDN_LOCALHOST_A} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
|
||||
sleep 10
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep -R 'This is a test mail.' /var/mail/${FQDN_LOCALHOST_A}/some.user/new/ | wc -l"
|
||||
assert_success
|
||||
assert_output 1
|
||||
@test "dovecot: ldap mail delivery works" {
|
||||
_should_successfully_deliver_mail_to "some.user@${FQDN_LOCALHOST_A}" "/var/mail/${FQDN_LOCALHOST_A}/some.user/new/"
|
||||
|
||||
# Should support delivering to a local recipient with a different domain (and disjoint mail location):
|
||||
# NOTE: Mail is delivered to location defined in `.ldif` (an account config setting, either `mailHomeDirectory` or `mailStorageDirectory`).
|
||||
# `some.other.user` has been configured to use a mailbox domain different from it's address domain part, hence the difference here:
|
||||
_should_successfully_deliver_mail_to "some.other.user@${FQDN_LOCALHOST_B}" "/var/mail/${FQDN_LOCALHOST_A}/some.other.user/new/"
|
||||
}
|
||||
|
||||
@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@${FQDN_LOCALHOST_B} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
|
||||
sleep 10
|
||||
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/${FQDN_LOCALHOST_A}/some.other.user/new | wc -l"
|
||||
@test "dovecot: ldap config overwrites success" {
|
||||
local LDAP_SETTINGS_DOVECOT=(
|
||||
"uris = ldap://${FQDN_LDAP}"
|
||||
'tls = no'
|
||||
'base = ou=people,dc=localhost,dc=localdomain'
|
||||
'dn = cn=admin,dc=localhost,dc=localdomain'
|
||||
)
|
||||
|
||||
for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do
|
||||
_run_in_container grep "${LDAP_SETTING%=*}" /etc/dovecot/dovecot-ldap.conf.ext
|
||||
assert_output "${LDAP_SETTING}"
|
||||
assert_success
|
||||
assert_output 1
|
||||
done
|
||||
}
|
||||
|
||||
@test "checking dovecot: ldap config overwrites success" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'uris = ldap://ldap' /etc/dovecot/dovecot-ldap.conf.ext"
|
||||
assert_success
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
|
||||
assert_success
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
|
||||
assert_success
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
|
||||
# Requires ENV `POSTMASTER_ADDRESS`
|
||||
# NOTE: Not important to LDAP feature tests?
|
||||
@test "dovecot: postmaster address" {
|
||||
_run_in_container grep "postmaster_address = postmaster@${FQDN_LOCALHOST_A}" /etc/dovecot/conf.d/15-lda.conf
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking dovecot: postmaster address" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@${FQDN_LOCALHOST_A}' /etc/dovecot/conf.d/15-lda.conf"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking dovecot: quota plugin is disabled" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins quota' /etc/dovecot/conf.d/10-mail.conf"
|
||||
# NOTE: `target/scripts/startup/setup.d/dovecot.sh` should prevent enabling the quotas feature when using LDAP:
|
||||
@test "dovecot: quota plugin is disabled" {
|
||||
# Dovecot configs have not enabled the quota plugins:
|
||||
_run_in_container grep "\$mail_plugins quota" /etc/dovecot/conf.d/10-mail.conf
|
||||
assert_failure
|
||||
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins imap_quota' /etc/dovecot/conf.d/20-imap.conf"
|
||||
_run_in_container grep "\$mail_plugins imap_quota" /etc/dovecot/conf.d/20-imap.conf
|
||||
assert_failure
|
||||
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf
|
||||
|
||||
# Dovecot Quota config only present with disabled extension:
|
||||
_run_in_container_bash '[[ -f /etc/dovecot/conf.d/90-quota.conf ]]'
|
||||
assert_failure
|
||||
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf.disab
|
||||
_run_in_container_bash '[[ -f /etc/dovecot/conf.d/90-quota.conf.disab ]]'
|
||||
assert_success
|
||||
|
||||
# Postfix quotas policy service not configured in `main.cf`:
|
||||
_run_in_container postconf smtpd_recipient_restrictions
|
||||
refute_output --partial 'check_policy_service inet:localhost:65265'
|
||||
}
|
||||
|
||||
@test "saslauthd: sasl ldap authentication works" {
|
||||
_run_in_container testsaslauthd -u some.user -p secret
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking postfix: dovecot quota absent in postconf" {
|
||||
run docker exec mail_with_ldap /bin/bash -c "postconf | grep 'check_policy_service inet:localhost:65265'"
|
||||
assert_failure
|
||||
}
|
||||
# Requires ENV `PFLOGSUMM_TRIGGER=logrotate`
|
||||
@test "pflogsumm delivery" {
|
||||
# Verify default sender is `mailserver-report` when ENV `PFLOGSUMM_SENDER` + `REPORT_SENDER` are unset:
|
||||
# NOTE: Mail is sent from Postfix (configured hostname used as domain part)
|
||||
_run_in_container grep "mailserver-report@${FQDN_MAIL}" /etc/logrotate.d/maillog
|
||||
assert_success
|
||||
|
||||
@test "checking spoofing (with LDAP): rejects sender forging" {
|
||||
wait_for_smtp_port_in_container_to_respond mail_with_ldap
|
||||
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
|
||||
# When `LOGROTATE_INTERVAL` is unset, the default should be configured as `weekly`:
|
||||
_run_in_container grep 'weekly' /etc/logrotate.d/maillog
|
||||
assert_success
|
||||
}
|
||||
|
||||
# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
|
||||
@test "checking spoofing: accepts sending as alias (with LDAP)" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
||||
assert_success
|
||||
# ATTENTION: Remaining tests must come after "dovecot: ldap mail delivery works" since the below tests would affect the expected count (by delivering extra mail),
|
||||
# Thus not friendly for running testcases in this file in parallel
|
||||
|
||||
# Requires ENV `SPOOF_PROTECTION=1` for the expected assert_output
|
||||
@test "spoofing (with LDAP): rejects sender forging" {
|
||||
_wait_for_smtp_port_in_container_to_respond dms-test_ldap
|
||||
|
||||
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt'
|
||||
assert_output --partial 'Sender address rejected: not owned by user'
|
||||
}
|
||||
@test "checking spoofing: uses senders filter" {
|
||||
|
||||
@test "spoofing (with LDAP): accepts sending as alias" {
|
||||
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt'
|
||||
assert_output --partial 'End data with'
|
||||
}
|
||||
|
||||
@test "spoofing (with LDAP): uses senders filter" {
|
||||
# skip introduced with #3006, changing port 25 to 465
|
||||
# Template used has invalid AUTH: https://github.com/docker-mailserver/docker-mailserver/pull/3006#discussion_r1073321432
|
||||
skip 'TODO: This test seems to have been broken from the start (?)'
|
||||
|
||||
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'Sender address rejected: not owned by user'"
|
||||
assert_success
|
||||
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt'
|
||||
assert_output --partial 'Sender address rejected: not owned by user'
|
||||
}
|
||||
|
||||
# saslauthd
|
||||
@test "checking saslauthd: sasl ldap authentication works" {
|
||||
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
|
||||
assert_success
|
||||
}
|
||||
@test "saslauthd: ldap smtp authentication" {
|
||||
# Requires ENV `PERMIT_DOCKER=container`
|
||||
_send_email 'auth/sasl-ldap-smtp-auth' '-w 5 0.0.0.0 25'
|
||||
assert_output --partial 'Error: authentication not enabled'
|
||||
|
||||
@test "checking saslauthd: ldap smtp authentication" {
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Error: authentication not enabled'"
|
||||
assert_success
|
||||
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
|
||||
assert_success
|
||||
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
|
||||
assert_success
|
||||
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
|
||||
assert_output --partial 'Authentication successful'
|
||||
|
||||
_run_in_container_bash 'openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
|
||||
assert_output --partial 'Authentication successful'
|
||||
}
|
||||
|
||||
#
|
||||
# Pflogsumm delivery check
|
||||
# Test helper methods:
|
||||
#
|
||||
|
||||
@test "checking pflogsum delivery" {
|
||||
# checking default sender is correctly set when env variable not defined
|
||||
run docker exec mail_with_ldap grep "mailserver-report@${FQDN_MAIL}" /etc/logrotate.d/maillog
|
||||
assert_success
|
||||
function _should_exist_in_ldap_tables() {
|
||||
local MAIL_ACCOUNT=${1:?Mail account is required}
|
||||
local DOMAIN_PART="${MAIL_ACCOUNT#*@}"
|
||||
|
||||
# checking default logrotation setup
|
||||
run docker exec mail_with_ldap grep "weekly" /etc/logrotate.d/maillog
|
||||
# Each LDAP config file sets `query_filter` to lookup a key in LDAP (values defined in `.ldif` test files)
|
||||
# `mail` (ldap-users), `mailAlias` (ldap-aliases), `mailGroupMember` (ldap-groups)
|
||||
# `postmap` is queried with the mail account address, and the LDAP service should respond with
|
||||
# `result_attribute` which is the LDAP `mail` value (should match what we'r'e quering `postmap` with)
|
||||
|
||||
_run_in_container postmap -q "${MAIL_ACCOUNT}" ldap:/etc/postfix/ldap-users.cf
|
||||
assert_success
|
||||
assert_output "${MAIL_ACCOUNT}"
|
||||
|
||||
# Check which account has the `postmaster` virtual alias:
|
||||
_run_in_container postmap -q "postmaster@${DOMAIN_PART}" ldap:/etc/postfix/ldap-aliases.cf
|
||||
assert_success
|
||||
assert_output "${MAIL_ACCOUNT}"
|
||||
|
||||
_run_in_container postmap -q "employees@${DOMAIN_PART}" ldap:/etc/postfix/ldap-groups.cf
|
||||
assert_success
|
||||
assert_output "${MAIL_ACCOUNT}"
|
||||
}
|
||||
|
||||
# NOTE: `test-email.txt` is only used for these two LDAP tests with `sendmail` command.
|
||||
# The file excludes sender/recipient addresses, thus not usable with `_send_email()` helper (`nc` command)?
|
||||
# TODO: Could probably adapt?
|
||||
function _should_successfully_deliver_mail_to() {
|
||||
local SENDER_ADDRESS='user@external.tld'
|
||||
local RECIPIENT_ADDRESS=${1:?Recipient address is required}
|
||||
local MAIL_STORAGE_RECIPIENT=${2:?Recipient storage location is required}
|
||||
local MAIL_TEMPLATE='/tmp/docker-mailserver-test/email-templates/test-email.txt'
|
||||
|
||||
_run_in_container_bash "sendmail -f ${SENDER_ADDRESS} ${RECIPIENT_ADDRESS} < ${MAIL_TEMPLATE}"
|
||||
_wait_for_empty_mail_queue_in_container
|
||||
|
||||
_run_in_container grep -R 'This is a test mail.' "${MAIL_STORAGE_RECIPIENT}"
|
||||
assert_success
|
||||
_should_output_number_of_lines 1
|
||||
|
||||
# NOTE: Prevents compatibility for running testcases in parallel (for same container) when the count could become racey:
|
||||
_count_files_in_directory_in_container "${MAIL_STORAGE_RECIPIENT}" 1
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue