diff --git a/Makefile b/Makefile index e1aece17..749a99eb 100644 --- a/Makefile +++ b/Makefile @@ -5,11 +5,10 @@ all-fast: build backup generate-accounts run generate-accounts-after-run fixture no-build: backup generate-accounts run generate-accounts-after-run fixtures tests clean build-no-cache: - cd test/docker-openldap/ && docker build -f Dockerfile -t ldap --no-cache . + export DOCKER_MAIL_DOCKER_BUILD_NO_CACHE=--no-cache docker build --no-cache -t $(NAME) . build: - cd test/docker-openldap/ && docker build -f Dockerfile -t ldap . docker build -t $(NAME) . backup: @@ -49,41 +48,6 @@ run: -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) sleep 15 - docker run --rm -d --name mail_privacy \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e ENABLE_CLAMAV=1 \ - -e ENABLE_SPAMASSASSIN=1 \ - -e SA_TAG=-5.0 \ - -e SA_TAG2=2.0 \ - -e SA_KILL=3.0 \ - -e SA_SPAM_SUBJECT="SPAM: " \ - -e VIRUSMAILS_DELETE_DELAY=7 \ - -e SASL_PASSWD="external-domain.com username:password" \ - -e ENABLE_MANAGESIEVE=1 \ - --cap-add=SYS_PTRACE \ - -e PERMIT_DOCKER=host \ - -e DMS_DEBUG=0 \ - -h mail.my-domain.com -t $(NAME) - sleep 15 - docker run --rm -d --name mail_pop3 \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -v "`pwd`/test/config/letsencrypt":/etc/letsencrypt/live \ - -e ENABLE_POP3=1 \ - -e DMS_DEBUG=0 \ - -e SSL_TYPE=letsencrypt \ - -h mail.my-domain.com -t $(NAME) - sleep 15 - docker run --rm -d --name mail_smtponly \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e SMTP_ONLY=1 \ - -e PERMIT_DOCKER=network \ - -e DMS_DEBUG=0 \ - -e OVERRIDE_HOSTNAME=mail.my-domain.com \ - -t $(NAME) - sleep 15 docker run --rm -d --name mail_smtponly_without_config \ -e SMTP_ONLY=1 \ -e ENABLE_LDAP=1 \ @@ -122,22 +86,6 @@ run: -h unknown.domain.tld \ -t $(NAME) sleep 15 - docker run --rm -d --name mail_fail2ban \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e ENABLE_FAIL2BAN=1 \ - -e POSTSCREEN_ACTION=ignore \ - --cap-add=NET_ADMIN \ - -h mail.my-domain.com -t $(NAME) - sleep 15 - docker run --rm -d --name mail_fetchmail \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e ENABLE_FETCHMAIL=1 \ - --cap-add=NET_ADMIN \ - -e DMS_DEBUG=0 \ - -h mail.my-domain.com -t $(NAME) - sleep 15 docker run --rm -d --name mail_disabled_clamav_spamassassin \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ @@ -146,48 +94,6 @@ run: -e DMS_DEBUG=0 \ -h mail.my-domain.com -t $(NAME) sleep 15 - docker run --rm -d --name mail_manual_ssl \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e SSL_TYPE=manual \ - -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ - -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ - -e DMS_DEBUG=0 \ - -h mail.my-domain.com -t $(NAME) - sleep 15 - docker run --rm -d --name ldap_for_mail \ - -e LDAP_DOMAIN="localhost.localdomain" \ - -h ldap.my-domain.com -t ldap - sleep 15 - docker run --rm -d --name mail_with_ldap \ - -v "`pwd`/test/config":/tmp/docker-mailserver \ - -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -e ENABLE_LDAP=1 \ - -e LDAP_SERVER_HOST=ldap \ - -e LDAP_START_TLS=no \ - -e SPOOF_PROTECTION=1 \ - -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ - -e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ - -e LDAP_BIND_PW=admin \ - -e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \ - -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \ - -e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \ - -e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \ - -e DOVECOT_TLS=no \ - -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ - -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ - -e REPORT_RECIPIENT=1 \ - -e ENABLE_SASLAUTHD=1 \ - -e SASLAUTHD_MECHANISMS=ldap \ - -e SASLAUTHD_LDAP_SERVER=ldap \ - -e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ - -e SASLAUTHD_LDAP_PASSWORD=admin \ - -e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ - -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ - -e DMS_DEBUG=0 \ - --link ldap_for_mail:ldap \ - -h mail.my-domain.com -t $(NAME) - sleep 15 generate-accounts-after-run: docker run --rm -e MAIL_USER=added@localhost.localdomain -e MAIL_PASS=mypassword -t $(NAME) /bin/sh -c 'echo "$$MAIL_USER|$$(doveadm pw -s SHA512-CRYPT -u $$MAIL_USER -p $$MAIL_PASS)"' >> test/config/postfix-accounts.cf @@ -220,7 +126,6 @@ fixtures: docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt" docker exec mail /bin/sh -c "sendmail root < /tmp/docker-mailserver-test/email-templates/root-email.txt" # postfix virtual transport lmtp - docker exec mail_privacy /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/email-templates/send-privacy-email.txt" docker exec mail_override_hostname /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt" # Wait for mails to be analyzed sleep 80 diff --git a/test/mail_fail2ban.bats b/test/mail_fail2ban.bats new file mode 100644 index 00000000..7b213c24 --- /dev/null +++ b/test/mail_fail2ban.bats @@ -0,0 +1,149 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run --rm -d --name mail_fail2ban \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_FAIL2BAN=1 \ + -e POSTSCREEN_ACTION=ignore \ + --cap-add=NET_ADMIN \ + -h mail.my-domain.com -t ${NAME} + + # Create a container which will send wrong authentications and should get banned + docker run --name fail-auth-mailer \ + -e MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban) \ + -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test \ + -d ${NAME} \ + tail -f /var/log/faillog + + wait_for_finished_setup_in_container mail_fail2ban + +} + +function teardown_file() { + docker rm -f mail_fail2ban fail-auth-mailer +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +# +# processes +# + +@test "checking process: fail2ban (fail2ban server enabled)" { + run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'" + assert_success +} + +# +# fail2ban +# + +@test "checking fail2ban: localhost is not banned because ignored" { + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'" + assert_failure + run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf" + assert_success +} + +@test "checking fail2ban: fail2ban-fail2ban.cf overrides" { + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG" + assert_success +} + +@test "checking fail2ban: fail2ban-jail.cf overrides" { + FILTERS=(sshd postfix dovecot postfix-sasl) + + for FILTER in "${FILTERS[@]}"; do + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime" + assert_output 1234 + + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime" + assert_output 321 + + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry" + assert_output 2 + done +} + +@test "checking fail2ban: ban ip on multiple failed login" { + # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn): + for i in {1,2}; do + docker exec fail-auth-mailer /bin/bash -c \ + 'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \ + while IFS= read -r cmd; do \ + head -1 <&3; \ + [[ "$cmd" == "EHLO"* ]] && sleep 6; \ + echo $cmd >&3; \ + done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"' + done + + sleep 5 + + FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) + # Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'" + assert_success + + # Checking that FAIL_AUTH_MAILER_IP is banned by iptables + run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" + assert_success +} + +@test "checking fail2ban: unban ip works" { + + FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) + docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP + + sleep 5 + + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'" + assert_failure + + # Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables + run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" + assert_failure +} + +# +# debug +# + +@test "checking setup.sh: setup.sh debug fail2ban" { + + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4" + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5" + sleep 10 + run ./setup.sh -c mail_fail2ban debug fail2ban + assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*" + run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4 + assert_output --partial "unbanned IP from dovecot: 192.0.66.4" + run ./setup.sh -c mail_fail2ban debug fail2ban + assert_output --regexp "^Banned in dovecot: 192.0.66.5.*" + run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 + run ./setup.sh -c mail_fail2ban debug fail2ban unban + assert_output --partial "You need to specify an IP address. Run" +} + +# +# supervisor +# + +@test "checking restart of process: fail2ban (fail2ban server enabled)" { + run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_fetchmail.bats b/test/mail_fetchmail.bats new file mode 100644 index 00000000..bb6d4d8b --- /dev/null +++ b/test/mail_fetchmail.bats @@ -0,0 +1,64 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_fetchmail \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_FETCHMAIL=1 \ + --cap-add=NET_ADMIN \ + -e DMS_DEBUG=0 \ + -h mail.my-domain.com -t ${NAME} + wait_for_finished_setup_in_container mail_fetchmail +} + +function teardown_file() { + docker rm -f mail_fetchmail +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +# +# processes +# + +@test "checking process: fetchmail (fetchmail server enabled)" { + run docker exec mail_fetchmail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'" + assert_success +} + +# +# fetchmail +# + +@test "checking fetchmail: gerneral options in fetchmailrc are loaded" { + run docker exec mail_fetchmail grep 'set syslog' /etc/fetchmailrc + assert_success +} + +@test "checking fetchmail: fetchmail.cf is loaded" { + run docker exec mail_fetchmail grep 'pop3.example.com' /etc/fetchmailrc + assert_success +} + +# +# supervisor +# + +@test "checking restart of process: fetchmail" { + run docker exec mail_fetchmail /bin/bash -c "pkill fetchmail && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_manual_ssl.bats b/test/mail_manual_ssl.bats new file mode 100644 index 00000000..00465ebd --- /dev/null +++ b/test/mail_manual_ssl.bats @@ -0,0 +1,60 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_manual_ssl \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e SSL_TYPE=manual \ + -e SSL_CERT_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem \ + -e SSL_KEY_PATH=/tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem \ + -e DMS_DEBUG=0 \ + -h mail.my-domain.com -t ${NAME} + wait_for_finished_setup_in_container mail_manual_ssl +} + +function teardown_file() { + docker rm -f mail_manual_ssl +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +@test "checking ssl: manual configuration is correct" { + run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/postfix/main.cf | wc -l' + assert_success + assert_output 1 + run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/dovecot/conf.d/10-ssl.conf | wc -l' + assert_success + assert_output 1 + run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/postfix/main.cf | wc -l' + assert_success + assert_output 1 + run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/dovecot/conf.d/10-ssl.conf | wc -l' + assert_success + assert_output 1 +} + +@test "checking ssl: manual configuration copied files correctly " { + run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/cert /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem' + assert_success + run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/key /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem' + assert_success +} + +@test "checking ssl: manual cert works correctly" { + run docker exec mail_manual_ssl /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_pop3.bats b/test/mail_pop3.bats new file mode 100644 index 00000000..45bbea27 --- /dev/null +++ b/test/mail_pop3.bats @@ -0,0 +1,115 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_pop3 \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -v "`pwd`/test/config/letsencrypt":/etc/letsencrypt/live \ + -e ENABLE_POP3=1 \ + -e DMS_DEBUG=0 \ + -e SSL_TYPE=letsencrypt \ + -h mail.my-domain.com -t ${NAME} + + wait_for_finished_setup_in_container mail_pop3 + +} + +function teardown_file() { + docker rm -f mail_pop3 +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +# +# pop +# + +@test "checking pop: server is ready" { + run docker exec mail_pop3 /bin/bash -c "nc -w 1 0.0.0.0 110 | grep '+OK'" + assert_success +} + +@test "checking pop: authentication works" { + run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/pop3-auth.txt" + assert_success +} + +@test "checking pop: added user authentication works" { + run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/added-pop3-auth.txt" + assert_success +} + +# +# spamassassin +# + +@test "checking spamassassin: docker env variables are set correctly (default)" { + run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'" + assert_success + run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'" + assert_success + run docker exec mail_pop3 /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'" + assert_success + run docker exec mail_pop3 /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= .\*\*\*SPAM\*\*\* .'" + assert_success +} + +# +# ssl +# + +@test "checking ssl: letsencrypt configuration is correct" { + run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/postfix/main.cf | wc -l' + assert_success + assert_output 2 + run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/dovecot/conf.d/10-ssl.conf | wc -l' + assert_success + assert_output 2 +} + +@test "checking ssl: letsencrypt cert works correctly" { + run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'" + assert_success +} + +# +# system +# + +@test "checking system: /var/log/mail/mail.log is error free" { + run docker exec mail_pop3 grep 'non-null host address bits in' /var/log/mail/mail.log + assert_failure + run docker exec mail_pop3 grep ': error:' /var/log/mail/mail.log + assert_failure +} + +# +# sieve +# + +@test "checking manage sieve: disabled per default" { + run docker exec mail_pop3 /bin/bash -c "nc -z 0.0.0.0 4190" + assert_failure +} + +# +# PERMIT_DOCKER mynetworks +# +@test "checking PERMIT_DOCKER: my network value" { + run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_privacy.bats b/test/mail_privacy.bats new file mode 100644 index 00000000..2169a6fb --- /dev/null +++ b/test/mail_privacy.bats @@ -0,0 +1,62 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run -d --name mail_privacy \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_CLAMAV=1 \ + -e ENABLE_SPAMASSASSIN=1 \ + -e SA_TAG=-5.0 \ + -e SA_TAG2=2.0 \ + -e SA_KILL=3.0 \ + -e SA_SPAM_SUBJECT="SPAM: " \ + -e VIRUSMAILS_DELETE_DELAY=7 \ + -e SASL_PASSWD="external-domain.com username:password" \ + -e ENABLE_MANAGESIEVE=1 \ + --cap-add=SYS_PTRACE \ + -e PERMIT_DOCKER=host \ + -e DMS_DEBUG=0 \ + -h mail.my-domain.com -t ${NAME} + + wait_for_amavis_port_in_container mail_privacy + wait_for_smtp_port_in_container mail_privacy +} + +function teardown_file() { + docker rm -f mail_privacy +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +# +# LDAP +# + +# postfix + +@test "checking postfix: remove privacy details of the sender" { + docker exec mail_privacy /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/email-templates/send-privacy-email.txt" + repeat_until_success_or_timeout 120 docker exec mail_privacy /bin/sh -c '[ $(ls /var/mail/localhost.localdomain/user1/new | wc -l) -eq 1 ]' + docker logs mail_privacy + run docker exec mail_privacy /bin/sh -c "ls /var/mail/localhost.localdomain/user1/new | wc -l" + assert_success + assert_output 1 + run docker exec mail_privacy /bin/sh -c "grep -rE "^User-Agent:" /var/mail/localhost.localdomain/user1/new | wc -l" + assert_success + assert_output 0 +} + + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_smtponly.bats b/test/mail_smtponly.bats new file mode 100644 index 00000000..fbbca9ee --- /dev/null +++ b/test/mail_smtponly.bats @@ -0,0 +1,78 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + docker run --rm -d --name mail_smtponly \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e SMTP_ONLY=1 \ + -e PERMIT_DOCKER=network \ + -e DMS_DEBUG=0 \ + -e OVERRIDE_HOSTNAME=mail.my-domain.com \ + -t ${NAME} + + wait_for_finished_setup_in_container mail_smtponly +} + +function teardown_file() { + docker rm -f mail_smtponly +} + +@test "first" { + skip 'this test must come first to reliably identify when to run setup_file' +} + +# +# configuration checks +# + +@test "checking configuration: hostname/domainname override" { + run docker exec mail_smtponly /bin/bash -c "cat /etc/mailname | grep my-domain.com" + assert_success +} + +# +# imap +# + +@test "checking process: dovecot imaplogin (disabled using SMTP_ONLY)" { + run docker exec mail_smtponly /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'" + assert_failure +} + +# +# smtp +# + +@test "checking smtp_only: mail send should work" { + run docker exec mail_smtponly /bin/sh -c "postconf -e smtp_host_lookup=no" + assert_success + run docker exec mail_smtponly /bin/sh -c "/etc/init.d/postfix reload" + assert_success + run docker exec mail_smtponly /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/smtp-only.txt" + assert_success + run docker exec mail_smtponly /bin/sh -c 'grep -cE "to=.*status\=sent" /var/log/mail/mail.log' + [ "$status" -ge 0 ] +} + +# +# PERMIT_DOCKER=network +# + +@test "checking PERMIT_DOCKER=network: opendmarc/opendkim config" { + run docker exec mail_smtponly /bin/sh -c "cat /etc/opendmarc/ignore.hosts | grep '172.16.0.0/12'" + assert_success + run docker exec mail_smtponly /bin/sh -c "cat /etc/opendkim/TrustedHosts | grep '172.16.0.0/12'" + assert_success +} + +@test "last" { + skip 'this test is only there to reliably mark the end for the teardown_file' +} \ No newline at end of file diff --git a/test/mail_with_ldap.bats b/test/mail_with_ldap.bats new file mode 100644 index 00000000..2525f11a --- /dev/null +++ b/test/mail_with_ldap.bats @@ -0,0 +1,222 @@ +load 'test_helper/common' + +function setup() { + run_setup_file_if_necessary +} + +function teardown() { + run_teardown_file_if_necessary +} + +function setup_file() { + pushd test/docker-openldap/ + docker build -f Dockerfile -t ldap $DOCKER_MAIL_DOCKER_BUILD_NO_CACHE . + popd + + docker run -d --name ldap_for_mail \ + -e LDAP_DOMAIN="localhost.localdomain" \ + -h ldap.my-domain.com -t ldap + + docker run -d --name mail_with_ldap \ + -v "`pwd`/test/config":/tmp/docker-mailserver \ + -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ + -e ENABLE_LDAP=1 \ + -e LDAP_SERVER_HOST=ldap \ + -e LDAP_START_TLS=no \ + -e SPOOF_PROTECTION=1 \ + -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ + -e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ + -e LDAP_BIND_PW=admin \ + -e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \ + -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \ + -e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \ + -e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \ + -e DOVECOT_TLS=no \ + -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ + -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \ + -e REPORT_RECIPIENT=1 \ + -e ENABLE_SASLAUTHD=1 \ + -e SASLAUTHD_MECHANISMS=ldap \ + -e SASLAUTHD_LDAP_SERVER=ldap \ + -e SASLAUTHD_LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \ + -e SASLAUTHD_LDAP_PASSWORD=admin \ + -e SASLAUTHD_LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \ + -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \ + -e DMS_DEBUG=0 \ + --link ldap_for_mail:ldap \ + -h mail.my-domain.com -t ${NAME} + wait_for_smtp_port_in_container mail_with_ldap +} + +function teardown_file() { + docker rm -f ldap_for_mail mail_with_ldap +} + +@test "first" { + # this test must come first to reliably identify when to run setup_file +} + +# processes + +@test "checking process: saslauthd (saslauthd server enabled)" { + run docker exec mail_with_ldap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" + assert_success +} + +# postfix +@test "checking postfix: ldap lookup works correctly" { + run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@localhost.localdomain ldap:/etc/postfix/ldap-users.cf" + assert_success + assert_output "some.user@localhost.localdomain" + run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.localdomain ldap:/etc/postfix/ldap-aliases.cf" + assert_success + assert_output "some.user@localhost.localdomain" + run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.localdomain ldap:/etc/postfix/ldap-groups.cf" + assert_success + assert_output "some.user@localhost.localdomain" + + # Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap + run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@localhost.localdomain ldap:/etc/postfix/ldap-users.cf" + assert_success + assert_output "some.user.email@localhost.localdomain" + + # Test email receiving from a other domain then the primary domain of the mailserver + run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@localhost.otherdomain ldap:/etc/postfix/ldap-users.cf" + assert_success + assert_output "some.other.user@localhost.otherdomain" + run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.otherdomain ldap:/etc/postfix/ldap-aliases.cf" + assert_success + assert_output "some.other.user@localhost.otherdomain" + run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.otherdomain ldap:/etc/postfix/ldap-groups.cf" + assert_success + assert_output "some.other.user@localhost.otherdomain" +} + +@test "checking postfix: ldap custom config files copied" { + run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf" + assert_success +} + +@test "checking postfix: ldap config overwrites success" { + run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" + assert_success + + run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" + assert_success + + run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" + assert_success +} + +# dovecot +@test "checking dovecot: ldap imap connection and authentication works" { + run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt" + assert_success +} + +@test "checking dovecot: ldap mail delivery works" { + run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt" + sleep 10 + run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l" + assert_success + assert_output 1 +} + +@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" { + run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@localhost.otherdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt" + sleep 10 + run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.other.user/new | wc -l" + assert_success + assert_output 1 +} + +@test "checking dovecot: ldap config overwrites success" { + run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" + assert_success + run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" + assert_success +} + +@test "checking dovecot: postmaster address" { + run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@localhost.localdomain' /etc/dovecot/conf.d/15-lda.conf" + assert_success +} + +@test "checking spoofing: rejects sender forging" { + run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'" + assert_success +} + +# ATTENTION: this test must come after "checking dovecot: ldap mail delivery works" since it will deliver an email which skews the count in said test, leading to failure +@test "checking spoofing: accepts sending as alias" { + run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'" + assert_success +} + +# saslauthd +@test "checking saslauthd: sasl ldap authentication works" { + run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret" + assert_success +} + +@test "checking saslauthd: ldap smtp authentication" { + run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" + assert_success + run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" + assert_success + run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" + assert_success +} + +# +# Pflogsumm delivery check +# + +@test "checking pflogsum delivery" { + # checking default sender is correctly set when env variable not defined + run docker exec mail_with_ldap grep "mailserver-report@mail.my-domain.com" /etc/logrotate.d/maillog + assert_success + + # checking default logrotation setup + run docker exec mail_with_ldap grep "daily" /etc/logrotate.d/maillog + assert_success +} + +# +# supervisor +# + +@test "checking restart of process: saslauthd (saslauthd server enabled)" { + run docker exec mail_with_ldap /bin/bash -c "pkill saslauthd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" + assert_success +} + +@test "last" { + # this test is only there to reliably mark the end for the teardown_file +} \ No newline at end of file diff --git a/test/test-files/auth/ldap-smtp-auth-spoofed-alias.txt b/test/test-files/auth/ldap-smtp-auth-spoofed-alias.txt index 663abb53..007b0f99 100644 --- a/test/test-files/auth/ldap-smtp-auth-spoofed-alias.txt +++ b/test/test-files/auth/ldap-smtp-auth-spoofed-alias.txt @@ -9,7 +9,7 @@ From: alias_address To: Existing Local User Date: Sat, 22 May 2010 07:43:25 -0400 Subject: Test Message -This is a test mail. +This is a test mail from ldap-smtp-auth-spoofed-alias.txt . QUIT diff --git a/test/test_helper/common.bash b/test/test_helper/common.bash index 00d1635f..eeb27a13 100644 --- a/test/test_helper/common.bash +++ b/test/test_helper/common.bash @@ -25,9 +25,20 @@ function repeat_until_success_or_timeout { done } +# @param $1 port +# @param $2 container name +function wait_for_tcp_port_in_container() { + repeat_until_success_or_timeout $TEST_TIMEOUT_IN_SECONDS docker exec $2 /bin/sh -c "nc -z 0.0.0.0 $1" +} + # @param $1 name of the postfix container function wait_for_smtp_port_in_container() { - repeat_until_success_or_timeout $TEST_TIMEOUT_IN_SECONDS docker exec $1 /bin/sh -c "nc -z 0.0.0.0 25" + wait_for_tcp_port_in_container 25 $1 +} + +# @param $1 name of the postfix container +function wait_for_amavis_port_in_container() { + wait_for_tcp_port_in_container 10024 $1 } # @param $1 name of the postfix container diff --git a/test/tests.bats b/test/tests.bats index 54ee1acb..c130c46f 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -32,11 +32,6 @@ function count_processed_changes() { assert_success } -@test "checking configuration: hostname/domainname override" { - run docker exec mail_smtponly /bin/bash -c "cat /etc/mailname | grep my-domain.com" - assert_success -} - @test "checking configuration: hostname/domainname override: check container hostname is applied correctly" { run docker exec mail_override_hostname /bin/bash -c "hostname | grep unknown.domain.tld" assert_success @@ -109,31 +104,16 @@ function count_processed_changes() { assert_failure } -@test "checking process: fail2ban (fail2ban server enabled)" { - run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'" - assert_success -} - @test "checking process: fetchmail (disabled in default configuration)" { run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'" assert_failure } -@test "checking process: fetchmail (fetchmail server enabled)" { - run docker exec mail_fetchmail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'" - assert_success -} - @test "checking process: clamav (clamav disabled by ENABLED_CLAMAV=0)" { run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" assert_failure } -@test "checking process: saslauthd (saslauthd server enabled)" { - run docker exec mail_with_ldap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" - assert_success -} - # # imap # @@ -143,11 +123,6 @@ function count_processed_changes() { assert_success } -@test "checking process: dovecot imaplogin (disabled using SMTP_ONLY)" { - run docker exec mail_smtponly /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'" - assert_failure -} - @test "checking imap: server is ready with STARTTLS" { run docker exec mail /bin/bash -c "nc -w 2 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'" assert_success @@ -163,25 +138,6 @@ function count_processed_changes() { assert_success } -# -# pop -# - -@test "checking pop: server is ready" { - run docker exec mail_pop3 /bin/bash -c "nc -w 1 0.0.0.0 110 | grep '+OK'" - assert_success -} - -@test "checking pop: authentication works" { - run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/pop3-auth.txt" - assert_success -} - -@test "checking pop: added user authentication works" { - run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/added-pop3-auth.txt" - assert_success -} - # # sasl # @@ -318,17 +274,6 @@ function count_processed_changes() { assert_output 1 } -@test "checking smtp_only: mail send should work" { - run docker exec mail_smtponly /bin/sh -c "postconf -e smtp_host_lookup=no" - assert_success - run docker exec mail_smtponly /bin/sh -c "/etc/init.d/postfix reload" - assert_success - run docker exec mail_smtponly /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/smtp-only.txt" - assert_success - run docker exec mail_smtponly /bin/sh -c 'grep -cE "to=.*status\=sent" /var/log/mail/mail.log' - [ "$status" -ge 0 ] -} - @test "checking smtp: not advertising smtputf8" { # Dovecot does not support SMTPUTF8, so while we can send we cannot receive # Better disable SMTPUTF8 support entirely if we can't handle it correctly @@ -422,17 +367,6 @@ function count_processed_changes() { assert_success } -@test "checking spamassassin: docker env variables are set correctly (default)" { - run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'" - assert_success - run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'" - assert_success - run docker exec mail_pop3 /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'" - assert_success - run docker exec mail_pop3 /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= .\*\*\*SPAM\*\*\* .'" - assert_success -} - @test "checking spamassassin: all registered domains should see spam headers" { run docker exec mail /bin/sh -c "grep -ir 'X-Spam-' /var/mail/localhost.localdomain/user1/new" assert_success @@ -711,47 +645,6 @@ function count_processed_changes() { assert_success } -@test "checking ssl: letsencrypt configuration is correct" { - run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/postfix/main.cf | wc -l' - assert_success - assert_output 2 - run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/dovecot/conf.d/10-ssl.conf | wc -l' - assert_success - assert_output 2 -} - -@test "checking ssl: letsencrypt cert works correctly" { - run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'" - assert_success -} - -@test "checking ssl: manual configuration is correct" { - run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/postfix/main.cf | wc -l' - assert_success - assert_output 1 - run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/cert" /etc/dovecot/conf.d/10-ssl.conf | wc -l' - assert_success - assert_output 1 - run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/postfix/main.cf | wc -l' - assert_success - assert_output 1 - run docker exec mail_manual_ssl /bin/sh -c 'grep -ir "/etc/postfix/ssl/key" /etc/dovecot/conf.d/10-ssl.conf | wc -l' - assert_success - assert_output 1 -} - -@test "checking ssl: manual configuration copied files correctly " { - run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/cert /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/fullchain.pem' - assert_success - run docker exec mail_manual_ssl /bin/sh -c 'cmp -s /etc/postfix/ssl/key /tmp/docker-mailserver/letsencrypt/mail.my-domain.com/privkey.pem' - assert_success -} - -@test "checking ssl: manual cert works correctly" { - run docker exec mail_manual_ssl /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 10 (certificate has expired)'" - assert_success -} - # # postsrsd # @@ -791,101 +684,6 @@ function count_processed_changes() { assert_success } -# -# fail2ban -# - -@test "checking fail2ban: localhost is not banned because ignored" { - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'" - assert_failure - run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf" - assert_success -} - -@test "checking fail2ban: fail2ban-fail2ban.cf overrides" { - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG" - assert_success -} - -@test "checking fail2ban: fail2ban-jail.cf overrides" { - FILTERS=(sshd postfix dovecot postfix-sasl) - - for FILTER in "${FILTERS[@]}"; do - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER bantime" - assert_output 1234 - - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER findtime" - assert_output 321 - - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get $FILTER maxretry" - assert_output 2 - done -} - -@test "checking fail2ban: ban ip on multiple failed login" { - # Getting mail_fail2ban container IP - MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban) - - # Create a container which will send wrong authentications and should get banned - docker run --name fail-auth-mailer \ - -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP \ - -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test \ - -d $(docker inspect --format '{{ .Config.Image }}' mail) \ - tail -f /var/log/faillog - - # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn): - for i in {1,2}; do - docker exec fail-auth-mailer /bin/bash -c \ - 'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \ - while IFS= read -r cmd; do \ - head -1 <&3; \ - [[ "$cmd" == "EHLO"* ]] && sleep 6; \ - echo $cmd >&3; \ - done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"' - done - - sleep 5 - - # Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban - FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) - - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'" - assert_success - - # Checking that FAIL_AUTH_MAILER_IP is banned by iptables - run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" - assert_success -} - -@test "checking fail2ban: unban ip works" { - FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer) - - docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP - - sleep 5 - - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'" - assert_failure - - # Checking that FAIL_AUTH_MAILER_IP is unbanned by iptables - run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '$FAIL_AUTH_MAILER_IP'" - assert_failure -} - -# -# fetchmail -# - -@test "checking fetchmail: gerneral options in fetchmailrc are loaded" { - run docker exec mail_fetchmail grep 'set syslog' /etc/fetchmailrc - assert_success -} - -@test "checking fetchmail: fetchmail.cf is loaded" { - run docker exec mail_fetchmail grep 'pop3.example.com' /etc/fetchmailrc - assert_success -} - # # system # @@ -938,10 +736,6 @@ function count_processed_changes() { assert_failure run docker exec mail grep -i 'connect to 127.0.0.1:10023: Connection refused' /var/log/mail/mail.log assert_failure - run docker exec mail_pop3 grep 'non-null host address bits in' /var/log/mail/mail.log - assert_failure - run docker exec mail_pop3 grep ': error:' /var/log/mail/mail.log - assert_failure } @test "checking system: /var/log/auth.log is error free" { @@ -988,11 +782,6 @@ function count_processed_changes() { assert_success } -@test "checking manage sieve: disabled per default" { - run docker exec mail_pop3 /bin/bash -c "nc -z 0.0.0.0 4190" - assert_failure -} - @test "checking sieve: user2 should have piped 1 email to /tmp/" { run docker exec mail /bin/sh -c "ls -A /tmp/pipe-test.out | wc -l" assert_success @@ -1104,18 +893,9 @@ function count_processed_changes() { assert_success } -@test "checking PERMIT_DOCKER: opendmarc/opendkim config" { - run docker exec mail_smtponly /bin/sh -c "cat /etc/opendmarc/ignore.hosts | grep '172.16.0.0/12'" - assert_success - run docker exec mail_smtponly /bin/sh -c "cat /etc/opendkim/TrustedHosts | grep '172.16.0.0/12'" - assert_success -} - @test "checking PERMIT_DOCKER: my network value" { run docker exec mail /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.0\.0/16'" assert_success - run docker exec mail_pop3 /bin/sh -c "postconf | grep '^mynetworks =' | egrep '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}/32'" - assert_success } # @@ -1317,21 +1097,6 @@ function count_processed_changes() { run ./setup.sh -c mail debug login ls assert_success } -@test "checking setup.sh: setup.sh debug fail2ban" { - - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4" - run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5" - sleep 10 - run ./setup.sh -c mail_fail2ban debug fail2ban - assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*" - run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4 - assert_output --partial "unbanned IP from dovecot: 192.0.66.4" - run ./setup.sh -c mail_fail2ban debug fail2ban - assert_output --regexp "^Banned in dovecot: 192.0.66.5.*" - run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 - run ./setup.sh -c mail_fail2ban debug fail2ban unban - assert_output --partial "You need to specify an IP address. Run" -} @test "checking setup.sh: setup.sh relay add-domain" { mkdir -p ./test/relay/config && echo -n > ./test/relay/config/postfix-relaymap.cf @@ -1378,121 +1143,11 @@ function count_processed_changes() { # # postfix -@test "checking postfix: ldap lookup works correctly" { - run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@localhost.localdomain ldap:/etc/postfix/ldap-users.cf" - assert_success - assert_output "some.user@localhost.localdomain" - run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.localdomain ldap:/etc/postfix/ldap-aliases.cf" - assert_success - assert_output "some.user@localhost.localdomain" - run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.localdomain ldap:/etc/postfix/ldap-groups.cf" - assert_success - assert_output "some.user@localhost.localdomain" - - # Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap - run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@localhost.localdomain ldap:/etc/postfix/ldap-users.cf" - assert_success - assert_output "some.user.email@localhost.localdomain" - - # Test email receiving from a other domain then the primary domain of the mailserver - run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@localhost.otherdomain ldap:/etc/postfix/ldap-users.cf" - assert_success - assert_output "some.other.user@localhost.otherdomain" - run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@localhost.otherdomain ldap:/etc/postfix/ldap-aliases.cf" - assert_success - assert_output "some.other.user@localhost.otherdomain" - run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@localhost.otherdomain ldap:/etc/postfix/ldap-groups.cf" - assert_success - assert_output "some.other.user@localhost.otherdomain" -} - -@test "checking postfix: ldap custom config files copied" { - run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf" - assert_success -} - -@test "checking postfix: ldap config overwrites success" { - run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf" - assert_success - - run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf" - assert_success - - run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf" - assert_success -} - -@test "checking postfix: remove privacy details of the sender" { - run docker exec mail_privacy /bin/sh -c "ls /var/mail/localhost.localdomain/user1/new | wc -l" - assert_success - assert_output 1 - run docker exec mail_privacy /bin/sh -c "grep -rE "^User-Agent:" /var/mail/localhost.localdomain/user1/new | wc -l" - assert_success - assert_output 0 -} - -# dovecot -@test "checking dovecot: ldap imap connection and authentication works" { - run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt" - assert_success -} - -@test "checking dovecot: ldap mail delivery works" { - run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@localhost.localdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt" - sleep 10 - run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.user/new | wc -l" - assert_success - assert_output 1 -} - -@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" { - run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@localhost.otherdomain < /tmp/docker-mailserver-test/email-templates/test-email.txt" - sleep 10 - run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/localhost.localdomain/some.other.user/new | wc -l" - assert_success - assert_output 1 -} - -@test "checking dovecot: ldap config overwrites success" { - run docker exec mail_with_ldap /bin/sh -c "grep 'hosts = ldap' /etc/dovecot/dovecot-ldap.conf.ext" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" - assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext" - assert_success -} @test "checking dovecot: postmaster address" { run docker exec mail /bin/sh -c "grep 'postmaster_address = postmaster@my-domain.com' /etc/dovecot/conf.d/15-lda.conf" assert_success - run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@localhost.localdomain' /etc/dovecot/conf.d/15-lda.conf" - assert_success - run docker exec mail_override_hostname /bin/sh -c "grep 'postmaster_address = postmaster@my-domain.com' /etc/dovecot/conf.d/15-lda.conf" assert_success } @@ -1501,33 +1156,12 @@ function count_processed_changes() { # checking rejection of spoofed sender run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'" assert_success - # checking ldap - run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'" - assert_success } @test "checking spoofing: accepts sending as alias" { run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed-alias.txt | grep 'End data with'" assert_success - # checking ldap alias - run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'" - assert_success -} - -# saslauthd -@test "checking saslauthd: sasl ldap authentication works" { - run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret" - assert_success -} - -@test "checking saslauthd: ldap smtp authentication" { - run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" - assert_success - run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" - assert_success - run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'" - assert_success } # @@ -1546,13 +1180,6 @@ function count_processed_changes() { # check sender is not the default one. run docker exec mail grep "From: mailserver-report@mail.my-domain.com" /var/mail/localhost.localdomain/user1/new/ -R assert_failure - - # checking default sender is correctly set when env variable not defined - run docker exec mail_with_ldap grep "mailserver-report@mail.my-domain.com" /etc/logrotate.d/maillog - assert_success - # checking default logrotation setup - run docker exec mail_with_ldap grep "daily" /etc/logrotate.d/maillog - assert_success } @@ -1638,26 +1265,11 @@ function count_processed_changes() { assert_success } -@test "checking restart of process: fail2ban (fail2ban server enabled)" { - run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'" - assert_success -} - -@test "checking restart of process: fetchmail" { - run docker exec mail_fetchmail /bin/bash -c "pkill fetchmail && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/fetchmail'" - assert_success -} - @test "checking restart of process: clamav (clamav disabled by ENABLED_CLAMAV=0)" { run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "pkill -f clamd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" assert_failure } -@test "checking restart of process: saslauthd (saslauthd server enabled)" { - run docker exec mail_with_ldap /bin/bash -c "pkill saslauthd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" - assert_success -} - # # root mail delivery #