Files
@ 17cf34f73ca6
Branch filter:
Location: majic-ansible-roles/roles/common/templates/00-base.conf.j2 - annotation
17cf34f73ca6
3.3 KiB
text/plain
MAR-28: Implemented additional tests for mail_server role:
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 7df70ebc439c 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 7df70ebc439c 941f4f372672 941f4f372672 941f4f372672 | # IPv4
domain ip {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
}
}
# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
domain ip6 {
table filter {
chain INPUT {
policy DROP;
interface lo ACCEPT;
# Make sure not to allow flooding via ICMP ping packages by sending them
# to flood chain before state module kicks in.
proto icmp icmp-type echo-request jump flood;
mod state state (ESTABLISHED RELATED) ACCEPT;
# For TCP packages we perform floods checks after state module took care
# of established and related connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
# ICMPv6 packets required for proper functioning of IPv6.
proto icmp icmp-type router-advertisement ACCEPT;
proto icmp icmp-type neighbor-solicitation ACCEPT;
proto icmp icmp-type neighbor-advertisement ACCEPT;
# Accept some common incoming connections.
proto icmp icmp-type echo-request ACCEPT;
proto tcp dport 22 ACCEPT;
}
# The flood chain is used for controlling the rate of the incoming connections.
chain flood {
# Rate-limit the ping requests.
proto icmp icmp-type echo-request {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
DROP;
}
# Rate-limit the TCP connections.
proto tcp tcp-flags (FIN SYN RST ACK) SYN {
mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
hashlimit-mode srcip hashlimit-name icmp RETURN;
LOG;
DROP;
}
}
}
}
|