tests: Refactor LDAP tests to current conventions (#3483)

* tests: Switch to setup helper and conventions

* tests: Adapt run command to new conventions

- We have two helper methods with implicit `CONTAINER_NAME` reference, which is a bit more DRY and improves readability.
- `wc -l` + `assert_output 1` converted to use helper `_should_output_number_of_lines 1`
- `DOMAIN` var changed from `my-domain.com` to local testing domain `example.test`.

* tests: Refactor `setup_file()`

- Test wide ENV defined at the top
- OpenLDAP build and run logic grouped together. Added notes, network alias and tty not required.
- Extracted out special LDAP Postfix/Dovecot ENV into separate array. LDAP specific provisioning / auth ENV also included, with comments + linebreak to better group related ENV.
- Likewise additional ENV to support test cases has been extracted to a separate array with additional comments for context.
- Those two arrays are expanded back into the main `CUSTOM_SETUP_ARGUMENTS` that configure hostname and network for the DMS container.

* tests: Refactor the LDAP account table query testcase

- Covers 3 accounts to test from LDAP.
  - 2 are the same query against users/aliases/groups tables in Postfix, only differing by account queried (and expected as returned result).
  - 1 separate test to ensure a difference in config is supported correctly.
- Extracted repeated test logic into a helper method.
- Added additional context in comments about the creation source of these LDAP accounts and their related Postfix config / interaction. Direct reference to special case PR (since `git blame` will be less useful).

* tests: Use iteration for `grep` setting checks

More DRY approach. With a bit more helpful failure context via `assert_output` (_and only grepping the key_). Simpler to grok what's being covered.

* tests: DRY test email delivery

A bit more verbose with the new helper method. `test-email.txt` template is only used by the LDAP test, as is the `sendmail` command.

Helper will take two args to support the testcases, but at a later date should be refactored to be consistent with the `_send_email()` helper (_which presently uses `nc` that is required for plain-text mail/auth, otherwise we'd have used `openssl`, bigger refactor required_).

* tests: Slight revisions and relocating testcases

- Dovecot quota plugin testcase revised to check files exist instead of rely on `ls` failure.
- Moved Postfix quota plugin testcase into prior dovecot testcase for quota plugin check. Better error output by only querying the `smtpd_recipient_restrictions` setting (_which should be the only one configured for the service_).
- Moved the saslauthd and pflogsumm testcases (_no changes beyond revised comments_) above the `ATTENTION` comment, and one testcase below the comment that belonged to that group.

* tests: Simplify openldap `docker build` command

- `--no-cache` was creating a new image on the Docker host each time the test is run. Shouldn't be any need to build without cache.
- No need to use `pushd` + `popd`, can just provide the path context directly, and the `./Dockerfile` is an implicit default thus `-f` not required either.

Additionally removed the old `checking` prefix from testcase names.

* tests: Move LDAP specific config into `test/config/ldap/`

- No changes to any of these config files, just better isolation as not relevant to any other tests.
- Section heading in `setup_file()` added to distinguish the remainder of the function is dedicated to the DMS container setup.
- Comment providing some context about the `mv` to maintainers, this should be done after defaults are initialized but before starting up the container.

* chore: Appease the lint gods

* Apply suggestions from code review
This commit is contained in:
Brennan Kinney 2023-08-17 14:33:34 +12:00 committed by GitHub
parent 8f97171336
commit 5bada0a83b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 247 additions and 179 deletions

View file

@ -1,245 +1,313 @@
load "${REPOSITORY_ROOT}/test/test_helper/common"
load "${REPOSITORY_ROOT}/test/helper/setup"
load "${REPOSITORY_ROOT}/test/helper/common"
BATS_TEST_NAME_PREFIX='[LDAP] '
CONTAINER1_NAME='dms-test_ldap'
CONTAINER2_NAME='dms-test_ldap_provider'
function setup_file() {
pushd test/docker-openldap/ || return 1
docker build -f Dockerfile -t ldap --no-cache .
popd || return 1
export DOMAIN='my-domain.com'
export DMS_TEST_NETWORK='test-network-ldap'
export DOMAIN='example.test'
export FQDN_MAIL="mail.${DOMAIN}"
export FQDN_LDAP="ldap.${DOMAIN}"
# LDAP is provisioned with two domains (via `.ldif` files) unrelated to the FQDN of DMS:
export FQDN_LOCALHOST_A='localhost.localdomain'
export FQDN_LOCALHOST_B='localhost.otherdomain'
export DMS_TEST_NETWORK='test-network-ldap'
# Link the test containers to separate network:
# NOTE: If the network already exists, test will fail to start.
docker network create "${DMS_TEST_NETWORK}"
docker run -d --name ldap_for_mail \
# Setup local openldap service:
# NOTE: Building via Dockerfile is required? Image won't accept read-only if it needs to adjust permissions for bootstrap files.
# TODO: Upstream image is no longer maintained, may want to migrate?
docker build -t dms-openldap test/config/ldap/docker-openldap/
docker run -d --name "${CONTAINER2_NAME}" \
--env LDAP_DOMAIN="${FQDN_LOCALHOST_A}" \
--network "${DMS_TEST_NETWORK}" \
--network-alias 'ldap' \
--hostname "${FQDN_LDAP}" \
--tty \
ldap # Image name
# _setup_ldap uses _replace_by_env_in_file with ENV vars like DOVECOT_TLS with a prefix (eg. DOVECOT_ or LDAP_)
local PRIVATE_CONFIG
PRIVATE_CONFIG=$(duplicate_config_for_container .)
docker run -d --name mail_with_ldap \
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e DOVECOT_TLS=no \
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-e ACCOUNT_PROVISIONER=LDAP \
-e PFLOGSUMM_TRIGGER=logrotate \
-e ENABLE_SASLAUTHD=1 \
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
-e LDAP_BIND_PW=admin \
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
-e LDAP_START_TLS=no \
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
-e LDAP_SERVER_HOST=ldap \
-e PERMIT_DOCKER=container \
-e POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" \
-e REPORT_RECIPIENT=1 \
-e SASLAUTHD_MECHANISMS=ldap \
-e SPOOF_PROTECTION=1 \
-e SSL_TYPE='snakeoil' \
--network "${DMS_TEST_NETWORK}" \
--hostname "${FQDN_MAIL}" \
--tty \
"${NAME}" # Image name
dms-openldap
wait_for_smtp_port_in_container mail_with_ldap
#
# Setup DMS container
#
local ENV_LDAP_CONFIG=(
# Configure for LDAP account provisioner and alternative to Dovecot SASL:
--env ACCOUNT_PROVISIONER=LDAP
--env ENABLE_SASLAUTHD=1
--env SASLAUTHD_MECHANISMS=ldap
# ENV to configure LDAP configs for Dovecot + Postfix:
# NOTE: `scripts/startup/setup.d/ldap.sh:_setup_ldap()` uses `_replace_by_env_in_file()` to configure settings (stripping `DOVECOT_` / `LDAP_` prefixes):
# Dovecot:
--env DOVECOT_PASS_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
--env DOVECOT_TLS=no
--env DOVECOT_USER_FILTER='(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))'
# Postfix:
--env LDAP_BIND_DN='cn=admin,dc=localhost,dc=localdomain'
--env LDAP_BIND_PW='admin'
--env LDAP_QUERY_FILTER_ALIAS='(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))'
--env LDAP_QUERY_FILTER_DOMAIN='(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))'
--env LDAP_QUERY_FILTER_GROUP='(&(mailGroupMember=%s)(mailEnabled=TRUE))'
--env LDAP_QUERY_FILTER_SENDERS='(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))'
--env LDAP_QUERY_FILTER_USER='(&(mail=%s)(mailEnabled=TRUE))'
--env LDAP_SEARCH_BASE='ou=people,dc=localhost,dc=localdomain'
--env LDAP_SERVER_HOST="${FQDN_LDAP}"
--env LDAP_START_TLS=no
)
# Extra ENV needed to support specific testcases:
local ENV_SUPPORT=(
--env PERMIT_DOCKER=container # Required for attempting SMTP auth on port 25 via nc
# Required for openssl commands to be successul:
# NOTE: snakeoil cert is created (for `docker-mailserver.invalid`) via Debian post-install script for Postfix package.
# TODO: Use proper TLS cert
--env SSL_TYPE='snakeoil'
# TODO; All below are questionable value to LDAP tests?
--env POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" # TODO: Only required because LDAP accounts use unrelated domain part. FQDN_LOCALHOST_A / ldif files can be adjusted to FQDN_MAIL
--env PFLOGSUMM_TRIGGER=logrotate
--env REPORT_RECIPIENT=1 # TODO: Invalid value, should be a recipient address (if not default postmaster), remove?
--env SPOOF_PROTECTION=1
)
local CUSTOM_SETUP_ARGUMENTS=(
--hostname "${FQDN_MAIL}"
--network "${DMS_TEST_NETWORK}"
"${ENV_LDAP_CONFIG[@]}"
"${ENV_SUPPORT[@]}"
)
# Set default implicit container fallback for helpers:
export CONTAINER_NAME=${CONTAINER1_NAME}
_init_with_defaults
# NOTE: `test/config/` has now been duplicated, can move test specific files to host-side `/tmp/docker-mailserver`:
mv "${TEST_TMP_CONFIG}/ldap/overrides/"*.cf "${TEST_TMP_CONFIG}/"
_common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
_wait_for_smtp_port_in_container
}
function teardown_file() {
docker rm -f ldap_for_mail mail_with_ldap
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
docker network rm "${DMS_TEST_NETWORK}"
}
# postfix
@test "checking postfix: ldap lookup works correctly" {
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
assert_success
assert_output "some.user@${FQDN_LOCALHOST_A}"
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-aliases.cf"
assert_success
assert_output "some.user@${FQDN_LOCALHOST_A}"
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-groups.cf"
assert_success
assert_output "some.user@${FQDN_LOCALHOST_A}"
# Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
assert_success
assert_output "some.user.email@${FQDN_LOCALHOST_A}"
# NOTE: Each of the 3 user accounts tested below are defined in separate LDIF config files,
# Those are bundled into the locally built OpenLDAP Dockerfile.
@test "postfix: ldap lookup works correctly" {
_should_exist_in_ldap_tables "some.user@${FQDN_LOCALHOST_A}"
# Test email receiving from a other domain then the primary domain of the mailserver
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-users.cf"
_should_exist_in_ldap_tables "some.other.user@${FQDN_LOCALHOST_B}"
# Should not require `uniqueIdentifier` to match the local part of `mail` (`.ldif` defined settings):
# REF: https://github.com/docker-mailserver/docker-mailserver/pull/642#issuecomment-313916384
# NOTE: This account has no `mailAlias` or `mailGroupMember` defined in it's `.ldif`.
local MAIL_ACCOUNT="some.user.email@${FQDN_LOCALHOST_A}"
_run_in_container postmap -q "${MAIL_ACCOUNT}" ldap:/etc/postfix/ldap-users.cf
assert_success
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-aliases.cf"
assert_success
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-groups.cf"
assert_success
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
assert_output "${MAIL_ACCOUNT}"
}
@test "checking postfix: ldap custom config files copied" {
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf"
assert_success
# Custom LDAP config files support:
# TODO: Compare to provided configs and if they're just including a test comment,
# could just copy the config and append without carrying a separate test config?
@test "postfix: ldap custom config files copied" {
local LDAP_CONFIGS_POSTFIX=(
/etc/postfix/ldap-users.cf
/etc/postfix/ldap-groups.cf
/etc/postfix/ldap-aliases.cf
)
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf"
for LDAP_CONFIG in "${LDAP_CONFIGS_POSTFIX[@]}"; do
_run_in_container grep '# Testconfig for ldap integration' "${LDAP_CONFIG}"
assert_success
done
}
@test "checking postfix: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
@test "postfix: ldap config overwrites success" {
local LDAP_SETTINGS_POSTFIX=(
"server_host = ${FQDN_LDAP}"
'start_tls = no'
'search_base = ou=people,dc=localhost,dc=localdomain'
'bind_dn = cn=admin,dc=localhost,dc=localdomain'
)
for LDAP_SETTING in "${LDAP_SETTINGS_POSTFIX[@]}"; do
# "${LDAP_SETTING%=*}" is to match only the key portion of the var (helpful for assert_output error messages)
# NOTE: `start_tls = no` is a default setting, but the white-space differs when ENV `LDAP_START_TLS` is not set explicitly.
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-users.cf
assert_output "${LDAP_SETTING}"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-groups.cf
assert_output "${LDAP_SETTING}"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
_run_in_container grep "${LDAP_SETTING%=*}" /etc/postfix/ldap-aliases.cf
assert_output "${LDAP_SETTING}"
assert_success
done
}
# dovecot
@test "checking dovecot: ldap imap connection and authentication works" {
run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt"
@test "dovecot: ldap imap connection and authentication works" {
_run_in_container_bash 'nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt'
assert_success
}
@test "checking dovecot: ldap mail delivery works" {
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@${FQDN_LOCALHOST_A} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
sleep 10
run docker exec mail_with_ldap /bin/sh -c "grep -R 'This is a test mail.' /var/mail/${FQDN_LOCALHOST_A}/some.user/new/ | wc -l"
assert_success
assert_output 1
@test "dovecot: ldap mail delivery works" {
_should_successfully_deliver_mail_to "some.user@${FQDN_LOCALHOST_A}" "/var/mail/${FQDN_LOCALHOST_A}/some.user/new/"
# Should support delivering to a local recipient with a different domain (and disjoint mail location):
# NOTE: Mail is delivered to location defined in `.ldif` (an account config setting, either `mailHomeDirectory` or `mailStorageDirectory`).
# `some.other.user` has been configured to use a mailbox domain different from it's address domain part, hence the difference here:
_should_successfully_deliver_mail_to "some.other.user@${FQDN_LOCALHOST_B}" "/var/mail/${FQDN_LOCALHOST_A}/some.other.user/new/"
}
@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" {
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@${FQDN_LOCALHOST_B} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
sleep 10
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/${FQDN_LOCALHOST_A}/some.other.user/new | wc -l"
@test "dovecot: ldap config overwrites success" {
local LDAP_SETTINGS_DOVECOT=(
"uris = ldap://${FQDN_LDAP}"
'tls = no'
'base = ou=people,dc=localhost,dc=localdomain'
'dn = cn=admin,dc=localhost,dc=localdomain'
)
for LDAP_SETTING in "${LDAP_SETTINGS_DOVECOT[@]}"; do
_run_in_container grep "${LDAP_SETTING%=*}" /etc/dovecot/dovecot-ldap.conf.ext
assert_output "${LDAP_SETTING}"
assert_success
assert_output 1
done
}
@test "checking dovecot: ldap config overwrites success" {
run docker exec mail_with_ldap /bin/sh -c "grep 'uris = ldap://ldap' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
assert_success
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
# Requires ENV `POSTMASTER_ADDRESS`
# NOTE: Not important to LDAP feature tests?
@test "dovecot: postmaster address" {
_run_in_container grep "postmaster_address = postmaster@${FQDN_LOCALHOST_A}" /etc/dovecot/conf.d/15-lda.conf
assert_success
}
@test "checking dovecot: postmaster address" {
run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@${FQDN_LOCALHOST_A}' /etc/dovecot/conf.d/15-lda.conf"
assert_success
}
@test "checking dovecot: quota plugin is disabled" {
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins quota' /etc/dovecot/conf.d/10-mail.conf"
# NOTE: `target/scripts/startup/setup.d/dovecot.sh` should prevent enabling the quotas feature when using LDAP:
@test "dovecot: quota plugin is disabled" {
# Dovecot configs have not enabled the quota plugins:
_run_in_container grep "\$mail_plugins quota" /etc/dovecot/conf.d/10-mail.conf
assert_failure
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins imap_quota' /etc/dovecot/conf.d/20-imap.conf"
_run_in_container grep "\$mail_plugins imap_quota" /etc/dovecot/conf.d/20-imap.conf
assert_failure
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf
# Dovecot Quota config only present with disabled extension:
_run_in_container_bash '[[ -f /etc/dovecot/conf.d/90-quota.conf ]]'
assert_failure
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf.disab
_run_in_container_bash '[[ -f /etc/dovecot/conf.d/90-quota.conf.disab ]]'
assert_success
# Postfix quotas policy service not configured in `main.cf`:
_run_in_container postconf smtpd_recipient_restrictions
refute_output --partial 'check_policy_service inet:localhost:65265'
}
@test "saslauthd: sasl ldap authentication works" {
_run_in_container testsaslauthd -u some.user -p secret
assert_success
}
@test "checking postfix: dovecot quota absent in postconf" {
run docker exec mail_with_ldap /bin/bash -c "postconf | grep 'check_policy_service inet:localhost:65265'"
assert_failure
}
# Requires ENV `PFLOGSUMM_TRIGGER=logrotate`
@test "pflogsumm delivery" {
# Verify default sender is `mailserver-report` when ENV `PFLOGSUMM_SENDER` + `REPORT_SENDER` are unset:
# NOTE: Mail is sent from Postfix (configured hostname used as domain part)
_run_in_container grep "mailserver-report@${FQDN_MAIL}" /etc/logrotate.d/maillog
assert_success
@test "checking spoofing (with LDAP): rejects sender forging" {
wait_for_smtp_port_in_container_to_respond mail_with_ldap
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
# When `LOGROTATE_INTERVAL` is unset, the default should be configured as `weekly`:
_run_in_container grep 'weekly' /etc/logrotate.d/maillog
assert_success
}
# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
@test "checking spoofing: accepts sending as alias (with LDAP)" {
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
assert_success
# ATTENTION: Remaining tests must come after "dovecot: ldap mail delivery works" since the below tests would affect the expected count (by delivering extra mail),
# Thus not friendly for running testcases in this file in parallel
# Requires ENV `SPOOF_PROTECTION=1` for the expected assert_output
@test "spoofing (with LDAP): rejects sender forging" {
_wait_for_smtp_port_in_container_to_respond dms-test_ldap
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt'
assert_output --partial 'Sender address rejected: not owned by user'
}
@test "checking spoofing: uses senders filter" {
@test "spoofing (with LDAP): accepts sending as alias" {
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt'
assert_output --partial 'End data with'
}
@test "spoofing (with LDAP): uses senders filter" {
# skip introduced with #3006, changing port 25 to 465
# Template used has invalid AUTH: https://github.com/docker-mailserver/docker-mailserver/pull/3006#discussion_r1073321432
skip 'TODO: This test seems to have been broken from the start (?)'
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'Sender address rejected: not owned by user'"
assert_success
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt'
assert_output --partial 'Sender address rejected: not owned by user'
}
# saslauthd
@test "checking saslauthd: sasl ldap authentication works" {
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
assert_success
}
@test "saslauthd: ldap smtp authentication" {
# Requires ENV `PERMIT_DOCKER=container`
_send_email 'auth/sasl-ldap-smtp-auth' '-w 5 0.0.0.0 25'
assert_output --partial 'Error: authentication not enabled'
@test "checking saslauthd: ldap smtp authentication" {
run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Error: authentication not enabled'"
assert_success
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
assert_success
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
assert_success
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
assert_output --partial 'Authentication successful'
_run_in_container_bash 'openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
assert_output --partial 'Authentication successful'
}
#
# Pflogsumm delivery check
# Test helper methods:
#
@test "checking pflogsum delivery" {
# checking default sender is correctly set when env variable not defined
run docker exec mail_with_ldap grep "mailserver-report@${FQDN_MAIL}" /etc/logrotate.d/maillog
assert_success
function _should_exist_in_ldap_tables() {
local MAIL_ACCOUNT=${1:?Mail account is required}
local DOMAIN_PART="${MAIL_ACCOUNT#*@}"
# checking default logrotation setup
run docker exec mail_with_ldap grep "weekly" /etc/logrotate.d/maillog
# Each LDAP config file sets `query_filter` to lookup a key in LDAP (values defined in `.ldif` test files)
# `mail` (ldap-users), `mailAlias` (ldap-aliases), `mailGroupMember` (ldap-groups)
# `postmap` is queried with the mail account address, and the LDAP service should respond with
# `result_attribute` which is the LDAP `mail` value (should match what we'r'e quering `postmap` with)
_run_in_container postmap -q "${MAIL_ACCOUNT}" ldap:/etc/postfix/ldap-users.cf
assert_success
assert_output "${MAIL_ACCOUNT}"
# Check which account has the `postmaster` virtual alias:
_run_in_container postmap -q "postmaster@${DOMAIN_PART}" ldap:/etc/postfix/ldap-aliases.cf
assert_success
assert_output "${MAIL_ACCOUNT}"
_run_in_container postmap -q "employees@${DOMAIN_PART}" ldap:/etc/postfix/ldap-groups.cf
assert_success
assert_output "${MAIL_ACCOUNT}"
}
# NOTE: `test-email.txt` is only used for these two LDAP tests with `sendmail` command.
# The file excludes sender/recipient addresses, thus not usable with `_send_email()` helper (`nc` command)?
# TODO: Could probably adapt?
function _should_successfully_deliver_mail_to() {
local SENDER_ADDRESS='user@external.tld'
local RECIPIENT_ADDRESS=${1:?Recipient address is required}
local MAIL_STORAGE_RECIPIENT=${2:?Recipient storage location is required}
local MAIL_TEMPLATE='/tmp/docker-mailserver-test/email-templates/test-email.txt'
_run_in_container_bash "sendmail -f ${SENDER_ADDRESS} ${RECIPIENT_ADDRESS} < ${MAIL_TEMPLATE}"
_wait_for_empty_mail_queue_in_container
_run_in_container grep -R 'This is a test mail.' "${MAIL_STORAGE_RECIPIENT}"
assert_success
_should_output_number_of_lines 1
# NOTE: Prevents compatibility for running testcases in parallel (for same container) when the count could become racey:
_count_files_in_directory_in_container "${MAIL_STORAGE_RECIPIENT}" 1
}