mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
3b4f44e837
* tests(fix): Increase some timeouts Running tests locally via a VM these tests would fail sometimes due to the time from being queued and Amavis actually processing being roughly around 30 seconds. There should be no harm in raising this to 60 seconds, other than delaying a failure case which will ripple through other time sensitive tests. It's better to pass when functionality is actually correct but just needs a bit longer to complete. * tests(fix): Don't setup an invalid hostname During container startup `helpers/dns.sh` would panic with `hostname -f` failing. Dropping `--domainname` for this container is fine and does not affect the point of its test. --- It's unclear why this does not occur in CI. Possibly changes within the docker daemon since as CI runs docker on Ubuntu 20.04? (2020). For clarity, this may be equivalent to setting a hostname of `domain.com.domain.com`, or `--hostname` value truncated the NIS domain (`--domainname`) of the same value. IIRC, it would still fail with both options using different values if `--hostname` was multi-label. I believe I've documented how non-deterministic these options can be across different environments. `--hostname` should be preferred. There doesn't seem to be any reason to actually need `--domainname` (which is NIS domain name, unrelated to the DNS domain name). We still need to properly investigate reworking our ENV support that `dns.sh` manages. --- Containers were also not removing themselves after failures either (missing teardown). Which would cause problems when running tests again. * chore: Normalize white-space Sets a consistent indent size of 2 spaces. Previously this varied a fair bit, sometimes with tabs or mixed tabs and spaces. Some formatting with blank lines. Easier to review with white-space in diff ignored. Some minor edits besides blank lines, but no change in functionality.
* fix: `setup.sh` target container under test Some of the `setup.sh` commands did not specify the container which was problematic if another `docker-mailserver` container was running, causing test failures. This probably doesn't help with `test/no_container.bats`, but at least prevents `test/tests.bats` failing at this point.
load 'test_helper/common'
function setup_file() {
  # Starts the two containers shared by every test in this file:
  #   mail_fail2ban    - the mail server under test, with fail2ban enabled
  #   fail-auth-mailer - a client container used to send failing SMTP logins
  local PRIVATE_CONFIG
  PRIVATE_CONFIG=$(duplicate_config_for_container .)

  local TEST_FILES="${PWD}/test/test-files"

  # NET_ADMIN is the only extra capability granted to the server container;
  # presumably fail2ban needs it to manage the nftables sets that the ban
  # tests later read with `nft` - confirm before widening or dropping it.
  docker run \
    --rm \
    --detach \
    --name mail_fail2ban \
    --volume "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
    --volume "${TEST_FILES}":/tmp/docker-mailserver-test:ro \
    --env ENABLE_FAIL2BAN=1 \
    --env POSTSCREEN_ACTION=ignore \
    --cap-add=NET_ADMIN \
    --hostname mail.my-domain.com \
    --tty \
    "${NAME}"

  # Create a container which will send wrong authentications and should get banned.
  # It learns the server address through MAIL_FAIL2BAN_IP, resolved here from the
  # running mail_fail2ban container. It is started without --rm; teardown_file
  # removes it.
  docker run \
    --name fail-auth-mailer \
    --env MAIL_FAIL2BAN_IP="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)" \
    --volume "${TEST_FILES}":/tmp/docker-mailserver-test \
    --detach \
    "${NAME}" \
    tail -f /var/log/faillog

  wait_for_finished_setup_in_container mail_fail2ban
}
function teardown_file() {
  # Force-remove both containers started by setup_file so that a failed run
  # does not leave them behind for the next one.
  local -a CONTAINERS=(mail_fail2ban fail-auth-mailer)

  docker rm --force "${CONTAINERS[@]}"
}
#
# processes
#

@test "checking process: fail2ban (fail2ban server enabled)" {
  # The fail2ban server must show up in the container's process list.
  # `grep -v grep` drops every line mentioning grep, so the grep processes
  # (and the shell running this pipeline) cannot satisfy the match themselves.
  local -r SERVER_CMDLINE='/usr/bin/python3 /usr/bin/fail2ban-server'

  run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '${SERVER_CMDLINE}'"
  assert_success
}
#
# fail2ban
#

@test "checking fail2ban: localhost is not banned because ignored" {
  local -r LOOPBACK='127.0.0.1'

  # The loopback address must not appear in the postfix-sasl ban list.
  # NOTE(review): the pipeline's status is grep's, so this also "passes" when
  # fail2ban-client prints nothing at all; the jail.conf check below is what
  # ties the result to the ignoreip setting.
  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${LOOPBACK}'"
  assert_failure

  # The loopback range is listed in ignoreip in jail.conf.
  run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = ${LOOPBACK}/8' /etc/fail2ban/jail.conf"
  assert_success
}
@test "checking fail2ban: fail2ban-fail2ban.cf overrides" {
  # The running server must report the log level this test expects from the
  # fail2ban-fail2ban.cf override.
  local -r EXPECTED_LOGLEVEL='DEBUG'

  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep ${EXPECTED_LOGLEVEL}"
  assert_success
}
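@test "checking fail2ban: fail2ban-jail.cf overrides" {
  # For every jail, the values reported by the running server must match the
  # ones this test expects from the fail2ban-jail.cf override, and the jail
  # must use the nftables-multiport action.
  local -a FILTERS=(dovecot postfix postfix-sasl)
  local FILTER ACTION_LINE

  for FILTER in "${FILTERS[@]}"; do
    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} bantime"
    assert_output 1234

    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} findtime"
    assert_output 321

    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
    assert_output 2

    # Check the action of the jail being iterated. Previously all three jails
    # were hard-coded here and re-checked on every pass of the loop.
    # The closing quote after the jail name keeps 'postfix' from matching the
    # 'postfix-sasl' line; `grep -F` treats the brackets literally.
    ACTION_LINE="['set', '${FILTER}', 'addaction', 'nftables-multiport']"
    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"${ACTION_LINE}\""
    assert_output "${ACTION_LINE}"
  done
}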
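@test "checking fail2ban: ban ip on multiple failed login" {
  # Runs two failed-login SMTP sessions from fail-auth-mailer, then verifies
  # that its address is banned both in the postfix-sasl jail and in nftables.
  # (The jail overrides test in this file expects maxretry=2, which presumably
  # is why two sessions are enough.)
  #
  # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
  # one reply line is read before each command is sent, with an extra pause
  # before EHLO.
  # The script is single-quoted on purpose: ${MAIL_FAIL2BAN_IP} and ${cmd} are
  # expanded by bash inside fail-auth-mailer, not by the test runner.
  # shellcheck disable=SC1004
  for _ in {1,2}; do
    docker exec fail-auth-mailer /bin/bash -c \
      'exec 3<>/dev/tcp/${MAIL_FAIL2BAN_IP}/25 && \
      while IFS= read -r cmd; do \
        head -1 <&3; \
        [[ ${cmd} == "EHLO"* ]] && sleep 6; \
        echo "${cmd}" >&3; \
      done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"'
  done

  # Fixed grace period for fail2ban to pick up the failures and apply the ban.
  sleep 5

  local FAIL_AUTH_MAILER_IP
  FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
  # An empty address would turn the greps below into match-anything patterns
  # and let the test pass without any ban, so fail early instead.
  [ -n "${FAIL_AUTH_MAILER_IP}" ]

  # Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
  # (-F: match the address literally, its dots are not regex wildcards)
  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep -F '${FAIL_AUTH_MAILER_IP}'"
  assert_success

  # Checking that FAIL_AUTH_MAILER_IP is present in the nftables set used for
  # the postfix-sasl jail. Only set membership is asserted here; the blocktype
  # (DROP) is not inspected by this test.
  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null"
  assert_output --partial "${FAIL_AUTH_MAILER_IP}"
}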
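@test "checking fail2ban: unban ip works" {
  # Unbans the fail-auth-mailer address and verifies it is gone from both the
  # postfix-sasl jail and the nftables set.
  local FAIL_AUTH_MAILER_IP
  FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
  # Fail early on an empty address rather than running the checks against ''.
  [ -n "${FAIL_AUTH_MAILER_IP}" ]

  docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip "${FAIL_AUTH_MAILER_IP}"

  # Fixed grace period for the unban to be applied.
  sleep 5

  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'"
  assert_failure

  # Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables.
  # --partial is required: without it refute_output only fails when the whole
  # output equals the address, which the `nft list set` listing never does,
  # so the check could not detect an address still present in the set.
  # NOTE(review): stderr is discarded, so an nft error yields empty output and
  # also satisfies this check.
  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl 2>/dev/null"
  refute_output --partial "${FAIL_AUTH_MAILER_IP}"
}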
@test "checking fail2ban ban" {
  # Round trip through the in-container `fail2ban` helper: ban an address,
  # see it listed under the custom jail, then unban it again.
  local -r CONTAINER='mail_fail2ban'
  local -r TEST_IP='192.0.66.7'

  run docker exec "${CONTAINER}" fail2ban ban "${TEST_IP}"
  assert_success
  assert_output "Banned custom IP: 1"

  # Without arguments the helper prints the current bans.
  run docker exec "${CONTAINER}" fail2ban
  assert_success
  assert_output --regexp "Banned in custom:.*192\.0\.66\.7"

  run docker exec "${CONTAINER}" fail2ban unban "${TEST_IP}"
  assert_success
  assert_output --partial "Unbanned IP from custom: 1"
}
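@test "checking setup.sh: setup.sh fail2ban" {
  # Bans two addresses in the dovecot jail directly, then drives listing and
  # unbanning through `setup.sh`. Every setup.sh call names the container
  # (-c mail_fail2ban) so another running docker-mailserver container cannot
  # be picked up by mistake.
  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
  # Fail here if the ban could not be issued, instead of 10 seconds later
  # with a less specific output mismatch.
  assert_success
  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
  assert_success

  # Fixed grace period for the bans to be applied.
  sleep 10

  run ./setup.sh -c mail_fail2ban fail2ban
  assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.4'
  assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.5'

  run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.4
  assert_output --partial "Unbanned IP from dovecot: 1"

  # The second address must still be listed after the first was unbanned.
  run ./setup.sh -c mail_fail2ban fail2ban
  assert_output --regexp "^Banned in dovecot:.*192\.0\.66\.5"

  run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.5
  assert_output --partial "Unbanned IP from dovecot: 1"

  # `unban` without an address must print the usage hint.
  run ./setup.sh -c mail_fail2ban fail2ban unban
  assert_output --partial "You need to specify an IP address: Run"
}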
#
# supervisor
#

@test "checking restart of process: fail2ban (fail2ban server enabled)" {
  # Kill fail2ban inside the container, wait 10 seconds, then require the
  # server to be back in the process list (see the "supervisor" section
  # header for what is expected to restart it).
  local -r SERVER_CMDLINE='/usr/bin/python3 /usr/bin/fail2ban-server'

  run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '${SERVER_CMDLINE}'"
  assert_success
}