mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
ab55343d8e
* outsourcing env variable setup This commit contains major parts of the work of refactoring the setup and usage of environment variables. It outsources the setup into its own script and provides dedicated functions to be executed at a later point in time. A **new** env variable was added: `USER_PROVISIONG` which provides a better way of defining which method / protocol to use when it comes to setting up users. This way, the `ENABLE_LDAP` variable is deprecated, but all of this is backwards compatible due to a "compatibility layer", a function provided by the new variables script. This is not a breaking change. It mostly refators internal scripts. The only change facing the user-side is the deprecation of `ENABLE_LDAP`. We can prolong the period of deprecation for this variable as long as we want, because the new function that ensures backwards compatibility provides a clean interface for the future. Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Co-authored-by: Casper <casperklein@users.noreply.github.com>
259 lines
12 KiB
Bash
259 lines
12 KiB
Bash
load 'test_helper/common'
|
|
|
|
function setup_file() {
|
|
pushd test/docker-openldap/ || return 1
|
|
docker build -f Dockerfile -t ldap --no-cache .
|
|
popd || return 1
|
|
|
|
export DOMAIN='my-domain.com'
|
|
export FQDN_MAIL="mail.${DOMAIN}"
|
|
export FQDN_LDAP="ldap.${DOMAIN}"
|
|
export FQDN_LOCALHOST_A='localhost.localdomain'
|
|
export FQDN_LOCALHOST_B='localhost.otherdomain'
|
|
export DMS_TEST_NETWORK='test-network-ldap'
|
|
|
|
# NOTE: If the network already exists, test will fail to start.
|
|
docker network create "${DMS_TEST_NETWORK}"
|
|
|
|
docker run -d --name ldap_for_mail \
|
|
--env LDAP_DOMAIN="${FQDN_LOCALHOST_A}" \
|
|
--network "${DMS_TEST_NETWORK}" \
|
|
--network-alias 'ldap' \
|
|
--hostname "${FQDN_LDAP}" \
|
|
--tty \
|
|
ldap # Image name
|
|
|
|
# _setup_ldap uses configomat with .ext files and ENV vars like DOVECOT_TLS with a prefix (eg DOVECOT_ or LDAP_)
|
|
local PRIVATE_CONFIG
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container .)
|
|
docker run -d --name mail_with_ldap \
|
|
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
|
|
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
|
|
-e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
|
-e DOVECOT_TLS=no \
|
|
-e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
|
|
-e ACCOUNT_PROVISIONER=LDAP \
|
|
-e PFLOGSUMM_TRIGGER=logrotate \
|
|
-e ENABLE_SASLAUTHD=1 \
|
|
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
|
-e LDAP_BIND_PW=admin \
|
|
-e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
|
|
-e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
|
|
-e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
|
|
-e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
|
|
-e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
|
|
-e LDAP_START_TLS=no \
|
|
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
|
-e LDAP_SERVER_HOST=ldap \
|
|
-e PERMIT_DOCKER=container \
|
|
-e POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" \
|
|
-e REPORT_RECIPIENT=1 \
|
|
-e SASLAUTHD_MECHANISMS=ldap \
|
|
-e SPOOF_PROTECTION=1 \
|
|
-e SSL_TYPE='snakeoil' \
|
|
--network "${DMS_TEST_NETWORK}" \
|
|
--hostname "${FQDN_MAIL}" \
|
|
--tty \
|
|
"${NAME}" # Image name
|
|
|
|
wait_for_smtp_port_in_container mail_with_ldap
|
|
}
|
|
|
|
function teardown_file() {
|
|
docker rm -f ldap_for_mail mail_with_ldap
|
|
docker network rm "${DMS_TEST_NETWORK}"
|
|
}
|
|
|
|
# processes
|
|
|
|
@test "checking process: saslauthd (saslauthd server enabled)" {
|
|
run docker exec mail_with_ldap /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'"
|
|
assert_success
|
|
}
|
|
|
|
# postfix
|
|
@test "checking postfix: ldap lookup works correctly" {
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
assert_output "some.user@${FQDN_LOCALHOST_A}"
|
|
|
|
# Test of the user part of the domain is not the same as the uniqueIdentifier part in the ldap
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.user.email@${FQDN_LOCALHOST_A} ldap:/etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
assert_output "some.user.email@${FQDN_LOCALHOST_A}"
|
|
|
|
# Test email receiving from a other domain then the primary domain of the mailserver
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q some.other.user@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q postmaster@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
|
run docker exec mail_with_ldap /bin/sh -c "postmap -q employees@${FQDN_LOCALHOST_B} ldap:/etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
assert_output "some.other.user@${FQDN_LOCALHOST_B}"
|
|
}
|
|
|
|
@test "checking postfix: ldap custom config files copied" {
|
|
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep '# Testconfig for ldap integration' /etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
}
|
|
|
|
@test "checking postfix: ldap config overwrites success" {
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-users.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-groups.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'server_host = ldap' /etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'start_tls = no' /etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'search_base = ou=people,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'bind_dn = cn=admin,dc=localhost,dc=localdomain' /etc/postfix/ldap-aliases.cf"
|
|
assert_success
|
|
}
|
|
|
|
# dovecot
|
|
@test "checking dovecot: ldap imap connection and authentication works" {
|
|
run docker exec mail_with_ldap /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt"
|
|
assert_success
|
|
}
|
|
|
|
@test "checking dovecot: ldap mail delivery works" {
|
|
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.user@${FQDN_LOCALHOST_A} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
|
|
sleep 10
|
|
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/${FQDN_LOCALHOST_A}/some.user/new | wc -l"
|
|
assert_success
|
|
assert_output 1
|
|
}
|
|
|
|
@test "checking dovecot: ldap mail delivery works for a different domain then the mailserver" {
|
|
run docker exec mail_with_ldap /bin/sh -c "sendmail -f user@external.tld some.other.user@${FQDN_LOCALHOST_B} < /tmp/docker-mailserver-test/email-templates/test-email.txt"
|
|
sleep 10
|
|
run docker exec mail_with_ldap /bin/sh -c "ls -A /var/mail/${FQDN_LOCALHOST_A}/some.other.user/new | wc -l"
|
|
assert_success
|
|
assert_output 1
|
|
}
|
|
|
|
@test "checking dovecot: ldap config overwrites success" {
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'uris = ldap://ldap' /etc/dovecot/dovecot-ldap.conf.ext"
|
|
assert_success
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'tls = no' /etc/dovecot/dovecot-ldap.conf.ext"
|
|
assert_success
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'base = ou=people,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
|
|
assert_success
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'dn = cn=admin,dc=localhost,dc=localdomain' /etc/dovecot/dovecot-ldap.conf.ext"
|
|
assert_success
|
|
}
|
|
|
|
@test "checking dovecot: postmaster address" {
|
|
run docker exec mail_with_ldap /bin/sh -c "grep 'postmaster_address = postmaster@${FQDN_LOCALHOST_A}' /etc/dovecot/conf.d/15-lda.conf"
|
|
assert_success
|
|
}
|
|
|
|
@test "checking dovecot: quota plugin is disabled" {
|
|
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins quota' /etc/dovecot/conf.d/10-mail.conf"
|
|
assert_failure
|
|
run docker exec mail_with_ldap /bin/sh -c "grep '\$mail_plugins imap_quota' /etc/dovecot/conf.d/20-imap.conf"
|
|
assert_failure
|
|
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf
|
|
assert_failure
|
|
run docker exec mail_with_ldap ls /etc/dovecot/conf.d/90-quota.conf.disab
|
|
assert_success
|
|
}
|
|
|
|
@test "checking postfix: dovecot quota absent in postconf" {
|
|
run docker exec mail_with_ldap /bin/bash -c "postconf | grep 'check_policy_service inet:localhost:65265'"
|
|
assert_failure
|
|
}
|
|
|
|
@test "checking spoofing (with LDAP): rejects sender forging" {
|
|
wait_for_smtp_port_in_container_to_respond mail_with_ldap
|
|
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
|
|
assert_success
|
|
}
|
|
|
|
# ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
|
|
@test "checking spoofing: accepts sending as alias (with LDAP)" {
|
|
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
|
assert_success
|
|
}
|
|
@test "checking spoofing: uses senders filter" {
|
|
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt | grep 'End data with'"
|
|
assert_success
|
|
}
|
|
|
|
# saslauthd
|
|
@test "checking saslauthd: sasl ldap authentication works" {
|
|
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
|
|
assert_success
|
|
}
|
|
|
|
@test "checking saslauthd: ldap smtp authentication" {
|
|
run docker exec mail_with_ldap /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
|
|
assert_success
|
|
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
|
|
assert_success
|
|
run docker exec mail_with_ldap /bin/sh -c "openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt | grep 'Authentication successful'"
|
|
assert_success
|
|
}
|
|
|
|
#
|
|
# Pflogsumm delivery check
|
|
#
|
|
|
|
@test "checking pflogsum delivery" {
|
|
# checking default sender is correctly set when env variable not defined
|
|
run docker exec mail_with_ldap grep "mailserver-report@${FQDN_MAIL}" /etc/logrotate.d/maillog
|
|
assert_success
|
|
|
|
# checking default logrotation setup
|
|
run docker exec mail_with_ldap grep "weekly" /etc/logrotate.d/maillog
|
|
assert_success
|
|
}
|
|
|
|
#
|
|
# supervisor
|
|
#
|
|
|
|
@test "checking restart of process: saslauthd (saslauthd server enabled)" {
|
|
run docker exec mail_with_ldap /bin/bash -c "pkill saslauthd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'"
|
|
assert_success
|
|
}
|