github-com-docker-mailserver/docker-mailserver
1
0
Fork 0
mirror of https://github.com/docker-mailserver/docker-mailserver.git synced 2024-01-19 02:48:50 +00:00
Code Issues Projects Releases Wiki Activity
docker-mailserver/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats
Brennan Kinney fb82082cf1
tests(refactor): mail_fetchmail.bats + co-locate test cases for processes (#3010) 
* chore: Co-locate process checking and process restart verification

Extract the test cases for checking a process is running and properly restarts from various test files into a single one:

Core (always running):
opendkim, opendmarc, master (postfix)

ENV dependent:
amavi (amavisd-new), clamd, dovecot, fail2ban-server (fail2ban), fetchmail, postgrey, postsrsd, saslauthd

These now run off a single container with the required ENV and call a common function (the revised version in parallel test cases).

* fix(saslauthd): Quote wrap supervisor config vars

`saslauth.conf` calls `-O` option for most commands defined with an ENV that may be empty/null. This would cause the process to silently fail / die.

This doesn't happen if quote wrapping the ENV, which calls `-O` with an empty string.

Not necessary, but since one of `postgrey` ENV were quote wrapped in `supervisor-app.conf`, I've also done the same there.

* fix(postsrsd): Change supervisor `autorestart` policy to `true`

The PR that introduced the config switched from `true` to `unexpected` without any context. That prevents restart working when the process is killed. Setting to `true` instead will correctly restart the service.

* chore: Remove disabled postgrey test file

`mail_with_postgrey_disabled_by_default.bats` only checked the migrated test cases, removed as no longer serving a purpose.

* tests(refactor): Make `_should_restart_when_killed()` more reliable

The previous version did not ensure that the last checks process was actually restarted, only that it was running.

It turns out that `pkill` is only sending the signal, there can be some delay before the original process is actually killed and restarted.

This can be identified with `pgrep --older <seconds>`. First ensure the process is at a specified age, then after killing check that the process is not running that is at least that old, finally check that there is a younger process actually running.. (_could fail if a process doesn't restart, or there is a delay such as imposed by `sleep` in wrapper scripts for postfix and fail2ban_)

The helper method is not used anywhere else now, move it into this test instead. It has been refactored to accomodate the needs for `--older`, and `--list-full` provides some output that can be matched (similar for `pkill --echo`).

* test(docs): Add inline notes about processes

* chore: Compress test cases into single case with loop

Moves the list of processes into array vars to iterate through instead.

If a failure occurs, the process name is visible along with line number in `_should_restart_when_killed()` to identify what went wrong.

* chore: Handle `FETCHMAIL_PARALLEL=1` process checks as well

* tests: Add test case for disabled ENV

Additional coverage to match what other test files were doing before, ensuring that these ENV can prevent their respective service from running.

* chore: Move `clamd` enabled check to it's own test case

Not sure about this.

It reduces the time of CPU activity (sustained full load on a thread) and increase in memory usage (1GB+ loading signatures database), but as a separate test case it also adds 10 seconds without reducing the time of the test case it was extracted from.

* chore: Make `disabled` variant the 1st test case

* fix: Adjust test cases to pass when using slower wrapper scripts

* tests(refactor): `mail_fetchmail.bats` updated to new format

Additionally merges in the parallel test file.

* chore: Move `config/fetchmail.cf` into separate sub-directory

Keep out of the default base config for tests.

* chore: Change `fetchmail.cf` FQDNs to `.test` TLD

Changed the first configs remote and local user values to more clearly document what their values should represent (_and that they don't need to be a full mail address, that's just what our Dovecot is configured with for login_).

Shifted the `here` to the end of the `is` line. It's optional syntax, only intended to contrast with the remote `there` for readability.

Additionally configured imap protocol. Not tested or verified if that's correct configuration for usage with imap protocol instead. The fetchmail feature tests are currently lacking.

Added an inline doc into the fetchmail test to reference a PR about the importance of the trailing `.` in the config. Updated the partial matching to ensure it matches for that in the value as well.

* chore: Finalize `process-check-restart.bats`

Few minor adjustments. The other ENV for clamd doesn't seem to provide any benefit, trim out the noise. Added a note about why it's been split out.

Fetchmail parallel configs are matching the config file path in the process command that is returned. The `.rc` suffix is just to add further clarity to that.
2023-01-18 14:42:55 +13:00

138 lines
5.3 KiB
Bash
Raw Blame History

load "${REPOSITORY_ROOT}/test/helper/setup"
load "${REPOSITORY_ROOT}/test/helper/common"
BATS_TEST_NAME_PREFIX='[Postgrey] (enabled) '
CONTAINER_NAME='dms-test_postgrey_enabled'
function setup_file() {
local CUSTOM_SETUP_ARGUMENTS=(
--env ENABLE_DNSBL=1
--env ENABLE_POSTGREY=1
--env PERMIT_DOCKER=container
--env POSTGREY_AUTO_WHITELIST_CLIENTS=5
--env POSTGREY_DELAY=3
--env POSTGREY_MAX_AGE=35
--env POSTGREY_TEXT="Delayed by Postgrey"
)
init_with_defaults
common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
# Postfix needs to be ready on port 25 for nc usage below:
wait_for_smtp_port_in_container "${CONTAINER_NAME}"
}
function teardown_file() { _default_teardown ; }
@test "should have added Postgrey to 'main.cf:check_policy_service'" {
_run_in_container grep -F 'check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf
assert_success
_should_output_number_of_lines 1
}
@test "should have configured /etc/default/postgrey with default values and ENV overrides" {
_run_in_container grep -F 'POSTGREY_OPTS="--inet=127.0.0.1:10023 --delay=3 --max-age=35 --auto-whitelist-clients=5"' /etc/default/postgrey
assert_success
_should_output_number_of_lines 1
_run_in_container grep -F 'POSTGREY_TEXT="Delayed by Postgrey"' /etc/default/postgrey
assert_success
_should_output_number_of_lines 1
}
@test "should initially reject (greylist) mail from 'user@external.tld'" {
# Modify the postfix config in order to ensure that postgrey handles the test e-mail.
# The other spam checks in `main.cf:smtpd_recipient_restrictions` would interfere with testing postgrey.
_run_in_container sed -i \
-e 's/permit_sasl_authenticated.*policyd-spf,$//g' \
-e 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' \
-e 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' \
-e 's/smtpd_recipient_restrictions =/smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' \
/etc/postfix/main.cf
_reload_postfix
# Send test mail (it should fail to deliver):
_send_test_mail '/tmp/docker-mailserver-test/email-templates/postgrey.txt' '25'
# Confirm mail was greylisted:
_should_have_log_entry \
'action=greylist' \
'reason=new' \
'client_address=127.0.0.1/32, sender=user@external.tld, recipient=user1@localhost.localdomain'
repeat_until_success_or_timeout 10 _run_in_container grep \
'Recipient address rejected: Delayed by Postgrey' \
/var/log/mail/mail.log
}
# NOTE: This test case depends on the previous one
@test "should accept mail from 'user@external.tld' after POSTGREY_DELAY duration" {
# Wait until `$POSTGREY_DELAY` seconds pass before trying again:
sleep 3
# Retry delivering test mail (it should be trusted this time):
_send_test_mail '/tmp/docker-mailserver-test/email-templates/postgrey.txt' '25'
# Confirm postgrey permitted delivery (triplet is now trusted):
_should_have_log_entry \
'action=pass' \
'reason=triplet found' \
'client_address=127.0.0.1/32, sender=user@external.tld, recipient=user1@localhost.localdomain'
}
# NOTE: These two whitelist tests use `test-files/nc_templates/` instead of `test-files/email-templates`.
# - This allows to bypass the SMTP protocol on port 25, and send data directly to Postgrey instead.
# - Appears to be a workaround due to `client_name=localhost` when sent from Postfix.
# - Could send over port 25 if whitelisting `localhost`,
# - However this does not help verify that the actual client HELO address is properly whitelisted?
# - It'd also cause the earlier greylist test to fail.
# - TODO: Actually confirm whitelist feature works correctly as these test cases are using a workaround:
@test "should whitelist sender 'user@whitelist.tld'" {
_send_test_mail '/tmp/docker-mailserver-test/nc_templates/postgrey_whitelist.txt' '10023'
_should_have_log_entry \
'action=pass' \
'reason=client whitelist' \
'client_address=127.0.0.1/32, sender=test@whitelist.tld, recipient=user1@localhost.localdomain'
}
@test "should whitelist recipient 'user2@otherdomain.tld'" {
_send_test_mail '/tmp/docker-mailserver-test/nc_templates/postgrey_whitelist_recipients.txt' '10023'
_should_have_log_entry \
'action=pass' \
'reason=recipient whitelist' \
'client_address=127.0.0.1/32, sender=test@nonwhitelist.tld, recipient=user2@otherdomain.tld'
}
function _send_test_mail() {
local MAIL_TEMPLATE=$1
local PORT=${2:-25}
# `-w 0` terminates the connection after sending the template, it does not wait for a response.
# This is required for port 10023, otherwise the connection never drops.
# It could increase the number of seconds to wait for port 25 to allow for asserting a response,
# but that would enforce the delay in tests for port 10023.
_run_in_container bash -c "nc -w 0 0.0.0.0 ${PORT} < ${MAIL_TEMPLATE}"
}
function _should_have_log_entry() {
local ACTION=$1
local REASON=$2
local TRIPLET=$3
# Allow some extra time for logs to update to avoids a false-positive failure:
run_until_success_or_timeout 10 docker exec "${CONTAINER_NAME}" grep \
"${ACTION}, ${REASON}," \
/var/log/mail/mail.log
# Log entry matched should be for the expected triplet:
assert_output --partial "${TRIPLET}"
_should_output_number_of_lines 1
}
# `lines` is a special BATS variable updated via `run`:
function _should_output_number_of_lines() {
assert_equal "${#lines[@]}" $1
}
Reference in a new issue View git blame Copy permalink