mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
2f9f6b1002
The dovecot-sieve plugin is installed and configured to apply sieve as soon as a .dovecot.sieve file is encountered in the virtual user's home directory (that is /var/mail/${domain}/${username}/.dovecot.sieve). Transport has been changed in the postfix configuration to use Dovecot LDA (see http://wiki.dovecot.org/LDA/Postfix) to actually enable sieve filtering. Tests have been added.
422 lines
15 KiB
Bash
422 lines
15 KiB
Bash
#
|
|
# processes
|
|
#
|
|
|
|
@test "checking process: postfix" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/lib/postfix/master'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: clamd" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: new" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: opendkim" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: opendmarc" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: fail2ban (disabled in default configuration)" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'"
|
|
[ "$status" -eq 1 ]
|
|
}
|
|
|
|
@test "checking process: fail2ban (fail2ban server enabled)" {
|
|
run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# imap
|
|
#
|
|
|
|
@test "checking process: dovecot imaplogin (enabled in default configuration)" {
|
|
run docker exec mail /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking process: dovecot imaplogin (disabled using SMTP_ONLY)" {
|
|
run docker exec mail_smtponly /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/dovecot'"
|
|
[ "$status" -eq 1 ]
|
|
}
|
|
|
|
@test "checking imap: server is ready with STARTTLS" {
|
|
run docker exec mail /bin/bash -c "nc -w 2 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'ready'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking imap: authentication works" {
|
|
run docker exec mail /bin/sh -c "nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-auth.txt"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# pop
|
|
#
|
|
|
|
@test "checking pop: server is ready" {
|
|
run docker exec mail_pop3 /bin/bash -c "nc -w 1 0.0.0.0 110 | grep '+OK'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking pop: authentication works" {
|
|
run docker exec mail_pop3 /bin/sh -c "nc -w 1 0.0.0.0 110 < /tmp/docker-mailserver-test/auth/pop3-auth.txt"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# sasl
|
|
#
|
|
|
|
@test "checking sasl: doveadm auth test works with good password" {
|
|
run docker exec mail /bin/sh -c "doveadm auth test -x service=smtp user2@otherdomain.tld mypassword | grep 'auth succeeded'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking sasl: doveadm auth test fails with bad password" {
|
|
run docker exec mail /bin/sh -c "doveadm auth test -x service=smtp user2@otherdomain.tld BADPASSWORD | grep 'auth failed'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking sasl: sasl_passwd.db exists" {
|
|
run docker exec mail [ -f /etc/postfix/sasl_passwd.db ]
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# logs
|
|
#
|
|
|
|
@test "checking logs: mail related logs should be located in a subdirectory" {
|
|
run docker exec mail /bin/sh -c "ls -1 /var/log/mail/ | grep -E 'clamav|freshclam|mail'|wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 3 ]
|
|
}
|
|
|
|
#
|
|
# smtp
|
|
#
|
|
|
|
@test "checking smtp: authentication works with good password (plain)" {
|
|
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-plain.txt | grep 'Authentication successful'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking smtp: authentication fails with wrong password (plain)" {
|
|
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-plain-wrong.txt | grep 'authentication failed'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking smtp: authentication works with good password (login)" {
|
|
run docker exec mail /bin/sh -c "nc -w 5 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt | grep 'Authentication successful'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking smtp: authentication fails with wrong password (login)" {
|
|
run docker exec mail /bin/sh -c "nc -w 20 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt | grep 'authentication failed'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking smtp: delivers mail to existing account" {
|
|
run docker exec mail /bin/sh -c "grep 'status=sent (delivered via dovecot service)' /var/log/mail/mail.log | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 3 ]
|
|
}
|
|
|
|
@test "checking smtp: delivers mail to existing alias" {
|
|
run docker exec mail /bin/sh -c "grep 'to=<user1@localhost.localdomain>, orig_to=<alias1@localhost.localdomain>' /var/log/mail/mail.log | grep 'status=sent' | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|
|
|
|
@test "checking smtp: user1 should have received 2 mails" {
|
|
run docker exec mail /bin/sh -c "ls -A /var/mail/localhost.localdomain/user1/new | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 2 ]
|
|
}
|
|
|
|
@test "checking smtp: rejects mail to unknown user" {
|
|
run docker exec mail /bin/sh -c "grep '<nouser@localhost.localdomain>: Recipient address rejected: User unknown in virtual mailbox table' /var/log/mail/mail.log | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|
|
|
|
@test "checking smtp: redirects mail to external alias" {
|
|
run docker exec mail /bin/sh -c "grep -- '-> <external1@otherdomain.tld>' /var/log/mail/mail.log | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|
|
|
|
@test "checking smtp: rejects spam" {
|
|
run docker exec mail /bin/sh -c "grep 'Blocked SPAM' /var/log/mail/mail.log | grep spam@external.tld | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|
|
|
|
@test "checking smtp: rejects virus" {
|
|
run docker exec mail /bin/sh -c "grep 'Blocked INFECTED' /var/log/mail/mail.log | grep virus@external.tld | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|
|
|
|
#
|
|
# accounts
|
|
#
|
|
|
|
@test "checking accounts: generated 'postfix-accounts.cf' matches template" {
|
|
run diff test/config/example.postfix-accounts.cf test/config/postfix-accounts.cf
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking accounts: user accounts" {
|
|
run docker exec mail doveadm user '*'
|
|
[ "$status" -eq 0 ]
|
|
[ "${lines[0]}" = "user1@localhost.localdomain" ]
|
|
[ "${lines[1]}" = "user2@otherdomain.tld" ]
|
|
}
|
|
|
|
@test "checking accounts: user mail folders for user1" {
|
|
run docker exec mail /bin/bash -c "ls -A /var/mail/localhost.localdomain/user1 | grep -E '.Drafts|.Sent|.Trash|cur|new|subscriptions|tmp' | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 7 ]
|
|
}
|
|
|
|
@test "checking accounts: user mail folders for user2" {
|
|
run docker exec mail /bin/bash -c "ls -A /var/mail/otherdomain.tld/user2 | grep -E '.Drafts|.Sent|.Trash|cur|new|subscriptions|tmp' | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 7 ]
|
|
}
|
|
|
|
#
|
|
# postfix
|
|
#
|
|
|
|
@test "checking postfix: vhost file is correct" {
|
|
run docker exec mail cat /etc/postfix/vhost
|
|
[ "$status" -eq 0 ]
|
|
[ "${lines[0]}" = "localhost.localdomain" ]
|
|
[ "${lines[1]}" = "otherdomain.tld" ]
|
|
}
|
|
|
|
@test "checking postfix: main.cf overrides" {
|
|
run docker exec mail grep -q 'max_idle = 600s' /tmp/docker-mailserver/postfix-main.cf
|
|
[ "$status" -eq 0 ]
|
|
run docker exec mail grep -q 'readme_directory = /tmp' /tmp/docker-mailserver/postfix-main.cf
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# spamassassin
|
|
#
|
|
|
|
@test "checking spamassassin: docker env variables are set correctly (default)" {
|
|
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
|
|
[ "$status" -eq 0 ]
|
|
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'"
|
|
[ "$status" -eq 0 ]
|
|
run docker exec mail_pop3 /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 6.31'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking spamassassin: docker env variables are set correctly (custom)" {
|
|
run docker exec mail /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 1.0'"
|
|
[ "$status" -eq 0 ]
|
|
run docker exec mail /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
|
|
[ "$status" -eq 0 ]
|
|
run docker exec mail /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 3.0'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# opendkim
|
|
#
|
|
|
|
@test "checking opendkim: /etc/opendkim/KeyTable should contain 2 entries" {
|
|
run docker exec mail /bin/sh -c "cat /etc/opendkim/KeyTable | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
}
|
|
|
|
@test "checking opendkim: /etc/opendkim/keys/ should contain 2 entries" {
|
|
run docker exec mail /bin/sh -c "ls -l /etc/opendkim/keys/ | grep '^d' | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
}
|
|
|
|
@test "checking opendkim: generator creates keys, tables and TrustedHosts" {
|
|
rm -rf "$(pwd)/test/config/empty" && mkdir -p "$(pwd)/test/config/empty"
|
|
run docker run --rm \
|
|
-v "$(pwd)/test/config/empty/":/tmp/docker-mailserver/ \
|
|
-v "$(pwd)/test/config/postfix-accounts.cf":/tmp/docker-mailserver/postfix-accounts.cf \
|
|
-v "$(pwd)/test/config/postfix-virtual.cf":/tmp/docker-mailserver/postfix-virtual.cf \
|
|
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'generate-dkim-config | wc -l'
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 5 ]
|
|
# Check keys for localhost.localdomain
|
|
run docker run --rm \
|
|
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
|
|
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/localhost.localdomain/ | wc -l'
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
# Check keys for otherdomain.tld
|
|
run docker run --rm \
|
|
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
|
|
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c 'ls -1 /etc/opendkim/keys/otherdomain.tld | wc -l'
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
# Check presence of tables and TrustedHosts
|
|
run docker run --rm \
|
|
-v "$(pwd)/test/config/empty/opendkim":/etc/opendkim \
|
|
`docker inspect --format '{{ .Config.Image }}' mail` /bin/sh -c "ls -1 etc/opendkim | grep -E 'KeyTable|SigningTable|TrustedHosts|keys'|wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 4 ]
|
|
}
|
|
|
|
#
|
|
# opendmarc
|
|
#
|
|
|
|
@test "checking opendkim: server fqdn should be added to /etc/opendmarc.conf as AuthservID" {
|
|
run docker exec mail grep ^AuthservID /etc/opendmarc.conf
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "AuthservID mail.my-domain.com" ]
|
|
}
|
|
|
|
@test "checking opendkim: server fqdn should be added to /etc/opendmarc.conf as TrustedAuthservIDs" {
|
|
run docker exec mail grep ^TrustedAuthservID /etc/opendmarc.conf
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "TrustedAuthservIDs mail.my-domain.com" ]
|
|
}
|
|
|
|
#
|
|
# ssl
|
|
#
|
|
|
|
@test "checking ssl: generated default cert works correctly" {
|
|
run docker exec mail /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking ssl: lets-encrypt-x1-cross-signed.pem is installed" {
|
|
run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x1-cross-signed.pem
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking ssl: lets-encrypt-x2-cross-signed.pem is installed" {
|
|
run docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-encrypt-x2-cross-signed.pem
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking ssl: letsencrypt configuration is correct" {
|
|
run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/postfix/main.cf | wc -l'
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
run docker exec mail_pop3 /bin/sh -c 'grep -ir "/etc/letsencrypt/live/mail.my-domain.com/" /etc/dovecot/conf.d/10-ssl.conf | wc -l'
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" -eq 2 ]
|
|
}
|
|
|
|
@test "checking ssl: letsencrypt combined.pem generated correctly" {
|
|
run docker exec mail_pop3 ls -1 /etc/letsencrypt/live/mail.my-domain.com/combined.pem
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking ssl: letsencrypt cert works correctly" {
|
|
run docker exec mail_pop3 /bin/sh -c "timeout 1 openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
#
|
|
# fail2ban
|
|
#
|
|
|
|
@test "checking fail2ban: localhost is not banned because ignored" {
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'"
|
|
[ "$status" -eq 1 ]
|
|
run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking fail2ban: ban ip on multiple failed login" {
|
|
# Getting mail_fail2ban container IP
|
|
MAIL_FAIL2BAN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)
|
|
# Create a container which will send wront authentications and should banned
|
|
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d `docker inspect --format '{{ .Config.Image }}' mail` tail -f /var/log/faillog
|
|
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
|
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
|
docker exec fail-auth-mailer /bin/sh -c 'nc $MAIL_FAIL2BAN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt'
|
|
sleep 5
|
|
# Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
|
|
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && fail2ban-client status postfix-sasl | grep '$FAIL_AUTH_MAILER_IP'"
|
|
[ "$status" -eq 0 ]
|
|
# Checking that FAIL_AUTH_MAILER_IP is banned in /etc/hosts.deny
|
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
|
|
[ "$status" -eq 0 ]
|
|
}
|
|
|
|
@test "checking fail2ban: unban ip works" {
|
|
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
|
docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip $FAIL_AUTH_MAILER_IP
|
|
sleep 5
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*$FAIL_AUTH_MAILER_IP'"
|
|
[ "$status" -eq 1 ]
|
|
# Checking that FAIL_AUTH_MAILER_IP is unbanned in /etc/hosts.deny
|
|
run docker exec mail_fail2ban /bin/sh -c "export FAIL_AUTH_MAILER_IP=$FAIL_AUTH_MAILER_IP && iptables -L | grep 'REJECT all -- $FAIL_AUTH_MAILER_IP'"
|
|
[ "$status" -eq 1 ]
|
|
}
|
|
|
|
#
|
|
# system
|
|
#
|
|
|
|
@test "checking system: freshclam cron is enabled" {
|
|
run docker exec mail crontab -l
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "0 0,6,12,18 * * * /usr/bin/freshclam --quiet" ]
|
|
}
|
|
|
|
@test "checking system: /var/log/mail/mail.log is error free" {
|
|
run docker exec mail grep 'non-null host address bits in' /var/log/mail/mail.log
|
|
[ "$status" -eq 1 ]
|
|
run docker exec mail grep ': error:' /var/log/mail/mail.log
|
|
[ "$status" -eq 1 ]
|
|
run docker exec mail_pop3 grep 'non-null host address bits in' /var/log/mail/mail.log
|
|
[ "$status" -eq 1 ]
|
|
run docker exec mail_pop3 grep ': error:' /var/log/mail/mail.log
|
|
[ "$status" -eq 1 ]
|
|
}
|
|
|
|
@test "checking system: sets the server fqdn" {
|
|
run docker exec mail hostname
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "mail.my-domain.com" ]
|
|
}
|
|
|
|
@test "checking system: sets the server domain name in /etc/mailname" {
|
|
run docker exec mail cat /etc/mailname
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = "my-domain.com" ]
|
|
}
|
|
|
|
#
|
|
# sieve
|
|
#
|
|
|
|
@test "checking sieve: user1 should have received 1 in folder INBOX.spam" {
|
|
run docker exec mail /bin/sh -c "ls -A /var/mail/localhost.localdomain/user1/.INBOX.spam/new | wc -l"
|
|
[ "$status" -eq 0 ]
|
|
[ "$output" = 1 ]
|
|
}
|