github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity
docker-mailserver/test/mail_tls_dhparams.bats
Brennan Kinney 08cd4d3371
fix: Enable DH parameters (ffdhe4096) by default (#2192) 
This feature was originally introduced by the PR: https://github.com/docker-mailserver/docker-mailserver/pull/1463

- Assign default DH params to use via Dockerfile build instead of copy and update at runtime.
- Parameterized service names and paths.
- Refactor postfix and dovecot dh methods to wrap shared dh logic
- I don't see any value in checking the alternative service for dh params file to copy over, so that's now dropped too.
- Another conditional check is dropped and the default fallback message for existing DH params file is no longer relevant.
- Improved the remaining `_notify` messages. Collapsing the warning into a single logged message also seemed relevant.
- There is no apparent need for special handling with `ONE_DIR=1`. Dropped it.

- Refactor DH params  tests
- Combine custom and default DH param tests into single test file
- docs: Add instructions to use custom DH params

There is no official documented support for custom DH parameters. As no guarantee is provided, this is considered an internal change, not a breaking one.
2021-09-15 20:28:04 +12:00

143 lines
4.8 KiB
Bash
Raw Blame History

load 'test_helper/common'
# Test case
# ---------
# By default, this image is using audited FFDHE groups (https://github.com/docker-mailserver/docker-mailserver/pull/1463)
#
# This test case covers the described case against both boolean states for `ONE_DIR`.
#
# Description:
# 1. Verify that the file `ffdhe4096.pem` has not been modified (checksum verification).
# 2. Verify Postfix and Dovecot are using the default `ffdhe4096.pem` from Dockerfile build.
# 3. When custom DHE parameters are supplied by the user as `/tmp/docker-mailserver/dhparams.pem`:
# - Verify Postfix and Dovecot use the custom `custom-dhe-params.pem` (contents is actually `ffdhe2048.pem`).
# - A warning is raised about usage of potentially insecure parameters.
function setup() {
run_setup_file_if_necessary
}
function teardown() {
docker rm -f mail_dhparams
run_teardown_file_if_necessary
}
function setup_file() {
# Delegated container setup to common_container_setup
# DRY - Explicit config changes between tests are more apparent this way.
# Global scope
# Copies all of `./test/config/` to specific directory for testing
# `${PRIVATE_CONFIG}` becomes `$(pwd)/test/duplicate_configs/<bats test filename>`
export PRIVATE_CONFIG
export DMS_ONE_DIR=1 # default
local DH_DEFAULT_PARAMS
export DH_DEFAULT_CHECKSUM
export DH_CUSTOM_PARAMS
export DH_CUSTOM_CHECKSUM
DH_DEFAULT_PARAMS="$(pwd)/target/shared/ffdhe4096.pem"
DH_DEFAULT_CHECKSUM="$(sha512sum "${DH_DEFAULT_PARAMS}" | awk '{print $1}')"
DH_CUSTOM_PARAMS="$(pwd)/test/test-files/ssl/custom-dhe-params.pem"
DH_CUSTOM_CHECKSUM="$(sha512sum "${DH_CUSTOM_PARAMS}" | awk '{print $1}')"
}
# Not used
# function teardown_file() {
# }
@test "first" {
skip 'this test must come first to reliably identify when to run setup_file'
}
@test "testing tls: DH Parameters - Verify integrity of Default (ffdhe4096)" {
# Reference used (22/04/2020):
# https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
run echo "${DH_DEFAULT_CHECKSUM}"
refute_output '' # checksum must not be empty
# Verify the FFDHE params file has not been modified (equivalent to `target/shared/ffdhe4096.pem.sha512sum`):
local DH_MOZILLA_CHECKSUM
DH_MOZILLA_CHECKSUM="$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')"
assert_equal "${DH_DEFAULT_CHECKSUM}" "${DH_MOZILLA_CHECKSUM}"
}
@test "testing tls: DH Parameters - Default [ONE_DIR=0]" {
PRIVATE_CONFIG="$(duplicate_config_for_container . mail_dhparams_default_0)"
DMS_ONE_DIR=0
common_container_setup
should_have_valid_checksum "${DH_DEFAULT_CHECKSUM}"
}
@test "testing tls: DH Parameters - Default [ONE_DIR=1]" {
PRIVATE_CONFIG="$(duplicate_config_for_container . mail_dhparams_default_1)"
common_container_setup
should_have_valid_checksum "${DH_DEFAULT_CHECKSUM}"
}
@test "testing tls: DH Parameters - Custom [ONE_DIR=0]" {
PRIVATE_CONFIG="$(duplicate_config_for_container . mail_dhparams_custom_0)"
# shellcheck disable=SC2030
DMS_ONE_DIR=0
cp "${DH_CUSTOM_PARAMS}" "${PRIVATE_CONFIG}/dhparams.pem"
common_container_setup
should_have_valid_checksum "${DH_CUSTOM_CHECKSUM}"
should_emit_warning
}
@test "testing tls: DH Parameters - Custom [ONE_DIR=1]" {
# shellcheck disable=SC2030
PRIVATE_CONFIG="$(duplicate_config_for_container . mail_dhparams_custom_1)"
cp "${DH_CUSTOM_PARAMS}" "${PRIVATE_CONFIG}/dhparams.pem"
common_container_setup
should_have_valid_checksum "${DH_CUSTOM_CHECKSUM}"
should_emit_warning
}
@test "last" {
skip 'this test is only there to reliably mark the end for the teardown_file'
}
function common_container_setup() {
# shellcheck disable=SC2031
docker run -d --name mail_dhparams \
-v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
-v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
-e DMS_DEBUG=0 \
-e ONE_DIR="${DMS_ONE_DIR}" \
-h mail.my-domain.com \
--tty \
"${NAME}"
wait_for_finished_setup_in_container mail_dhparams
}
# Ensures the docker image services (Postfix and Dovecot) have the intended DH files
function should_have_valid_checksum() {
local DH_CHECKSUM=$1
local DH_CHECKSUM_DOVECOT
DH_CHECKSUM_DOVECOT=$(docker exec mail_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
assert_equal "${DH_CHECKSUM_DOVECOT}" "${DH_CHECKSUM}"
local DH_CHECKSUM_POSTFIX
DH_CHECKSUM_POSTFIX=$(docker exec mail_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
assert_equal "${DH_CHECKSUM_POSTFIX}" "${DH_CHECKSUM}"
}
function should_emit_warning() {
run sh -c "docker logs mail_dhparams | grep 'Using self-generated dhparams is considered insecure.'"
assert_success
}
Reference in a new issue View git blame Copy permalink