diff --git a/roles/mail_server/molecule.yml b/roles/mail_server/molecule.yml
index 84b66db36fe54dec199f899f2f77eb95c4496131..9e44b9c9e8ec016f2af6181f5b83dd2a6caca04f 100644
--- a/roles/mail_server/molecule.yml
+++ b/roles/mail_server/molecule.yml
@@ -15,7 +15,7 @@ vagrant: - name: virtualbox type: virtualbox options:
- memory: 512
+ memory: 768
 cpus: 1 instances:
diff --git a/roles/mail_server/playbook.yml b/roles/mail_server/playbook.yml
index 4cfb91819de537602d7b34c947f734cca4269768..52b78cd54881b58153cf7a8c212fb52192b94114 100644
--- a/roles/mail_server/playbook.yml
+++ b/roles/mail_server/playbook.yml
@@ -21,12 +21,12 @@ parameters-mandatory: 10.31.127.30 parameters-optional: 10.31.127.31
-- hosts: client
+- hosts: client1,client2
 tasks: - name: Install SWAKS for testing SMTP capability apt:
- name: swak
+ name: swaks
 state: installed - hosts: ldap-server
@@ -93,7 +93,7 @@ - name: postfix password: postfixpassword - name: dovecot
- password: dovecotpoassword
+ password: dovecotpassword
 state: present ldap_server_domain: "local"
@@ -153,8 +153,7 @@ imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_imap.cert.pem') }}" imap_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_imap.key.pem') }}" local_mail_aliases:
- root:
- - john.doe@parameters-optional.local
+ root: "john.doe@domain1"
 smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.cert.pem') }}" smtp_tls_key: "{{ lookup('file', 'tests/data/x509/parameters-optional_smtp.key.pem') }}" imap_folder_separator: "."
diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml
index 1ee9645cbfdfedd1e16a141ae5a3a3a652a913b2..c94c58edf38a500121c08b41a66c13e49632bb2d 100644
--- a/roles/mail_server/tasks/main.yml
+++ b/roles/mail_server/tasks/main.yml
@@ -27,26 +27,42 @@ user: name=dovecot append=yes groups=ssl-cert - name: Deploy SMTP TLS private key
- copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_smtp.key" content="{{ smtp_tls_key }}"
- mode=0640 owner=root group=root
+ copy:
+ dest: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.key"
+ content: "{{ smtp_tls_key }}"
+ mode: 0640
+ owner: root
+ group: root
 notify: - Restart Postfix - name: Deploy SMTP TLS certificate
- copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem" content="{{ smtp_tls_certificate }}"
- mode=0644 owner=root group=root
+ copy:
+ dest: "/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem"
+ content: "{{ smtp_tls_certificate }}"
+ mode: 0644
+ owner: root
+ group: root
 notify: - Restart Postfix - name: Deploy IMAP TLS private key
- copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_imap.key" content="{{ imap_tls_key }}"
- mode=0640 owner=root group=root
+ copy:
+ dest: "/etc/ssl/private/{{ ansible_fqdn }}_imap.key"
+ content: "{{ imap_tls_key }}"
+ mode: 0640
+ owner: root
+ group: root
 notify: - Restart Dovecot - name: Deploy IMAP TLS certificate
- copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem" content="{{ imap_tls_certificate }}"
- mode=0644 owner=root group=root
+ copy:
+ dest: "/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem"
+ content: "{{ imap_tls_certificate }}"
+ mode: 0644
+ owner: root
+ group: root
 notify: - Restart Dovecot
@@ -106,7 +122,12 @@ - Restart Postfix - name: Deploy Postfix main configuration
- template: src="main.cf.j2" dest="/etc/postfix/main.cf"
+ template:
+ src: "main.cf.j2"
+ dest: "/etc/postfix/main.cf"
+ owner: root
+ group: root
+ mode: 0644
 notify: - Restart Postfix
diff --git a/roles/mail_server/templates/master.cf.j2 b/roles/mail_server/templates/master.cf.j2
index 1dae98c7339f0b23be5da0a85cc197d7ec3a2e93..445a5b8eb1f46e3f102e16d182f4535f50b827bb 100644
--- a/roles/mail_server/templates/master.cf.j2
+++ b/roles/mail_server/templates/master.cf.j2
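Review bot: The two private-key tasks (`Deploy SMTP TLS private key`, `Deploy IMAP TLS private key`) pass the key through `content: "{{ smtp_tls_key }}"` / `content: "{{ imap_tls_key }}"` with no `no_log`, so a verbose or `--diff` run prints the PEM body into the Ansible output and whatever CI log captures it; add `no_log: true` to both (the certificate tasks carry public material and do not need it). The rewrite keeps the previous `0640` root:root permissions, which means the postfix and dovecot service users cannot read the keys directly and the setup relies on both daemons loading their keys before dropping privileges — true for stock Postfix and Dovecot but inferred, not visible in the hunk; the `ssl-cert` membership on the context line above only covers traversal of the key directory, as the test added in test_default.py also documents. As a point of style, the unquoted `mode: 0640` / `mode: 0644` values are the form ansible-lint flags as risky octal; `mode: "0640"` is unambiguous and is what the later hunk (`@@ -106,7 +122,12 @@`) could use as well.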
@@ -76,7 +76,7 @@ scache unix - - - - 1 scache # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+ flags=DRhu user={{ mail_user }} argv=/usr/bin/maildrop -d ${recipient}
 # # ==================================================================== #
@@ -124,7 +124,7 @@ mailman unix - n n - - pipe # Delivery via Dovecot. dovecot unix - n n - - pipe
- flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
+ flags=DRhu user={{ mail_user }}:{{ mail_user }} argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}
 # Submission port with hardened TLS configuration. submission inet n - - - - smtpd
diff --git a/roles/mail_server/tests/test_client1.py b/roles/mail_server/tests/test_client1.py
new file mode 100644
index 0000000000000000000000000000000000000000..f6aafc89bd8245ad7d150a7ff5c58f64cde66b27
--- /dev/null
+++ b/roles/mail_server/tests/test_client1.py
@@ -0,0 +1,26 @@
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+ '.molecule/ansible_inventory').get_hosts('client1')
+
+
+def test_open_relay(Command):
+ """
+ Tests if mail server behaves as open relay.
+ """
+
+ no_recipients_accepted = 24
+
+ send = Command('swaks --suppress-data --to root@client1 --server parameters-mandatory')
+ assert send.rc == no_recipients_accepted
+ assert "Relay access denied" in send.stdout
+
+
+def test_allowed_relay(Command):
+ """
+ Tests if mail server allows relaying from configured IPs/networks.
+ """
+
+ send = Command('swaks --suppress-data --to root@client1 --server parameters-optional')
+ assert send.rc == 0
+ assert "Ok: queued as" in send.stdout
diff --git a/roles/mail_server/tests/test_client2.py b/roles/mail_server/tests/test_client2.py
new file mode 100644
index 0000000000000000000000000000000000000000..765732a95df4fd2ad2fac69d9506f4bdf4b7954f
--- /dev/null
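Review bot: The docstring of `test_open_relay` in test_client1.py states the opposite of what the body asserts: the test expects exit code 24 and `Relay access denied`, i.e. it verifies the server is not an open relay, and `test_client2.py` (`@@ -0,0 +1,136 @@`) carries the same docstring on its own `test_open_relay`. Suggest `Tests that the mail server refuses to relay for an unauthenticated client that is not in its mynetworks.`, and for `test_allowed_relay` `Tests that the mail server relays for a client listed in its mynetworks.`, so the intent of a failing run is clear. The local `no_recipients_accepted = 24` is a good name for the exit code; since test_client2.py repeats the same value in two functions, a module-level constant both files import would keep the meaning in one place.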
+++ b/roles/mail_server/tests/test_client2.py 
@@ -0,0 +1,136 @@ +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '.molecule/ansible_inventory').get_hosts('client2') + + +def test_open_relay(Command): + """ + Tests if mail server behaves as open relay. + """ + + no_recipients_accepted = 24 + + send = Command('swaks --suppress-data --to root@client1 --server parameters-mandatory') + assert send.rc == no_recipients_accepted + assert "Relay access denied" in send.stdout + + send = Command('swaks --suppress-data --to root@client1 --server parameters-optional') + assert send.rc == no_recipients_accepted + assert "Relay access denied" in send.stdout + + +def test_mail_delivery(Command): + """ + Tests if mails can be delivered to valid accounts. Has to be run on client + with no unauthenticated relay permissions. + """ + + no_recipients_accepted = 24 + + # Valid accounts. + send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-mandatory') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-optional') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to jane.doe@domain2 --server parameters-mandatory') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to jane.doe@domain2 --server parameters-optional') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + # Invalid accounts. 
+ send = Command('swaks --suppress-data --to john.doe@domain2 --server parameters-mandatory') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to john.doe@domain2 --server parameters-optional') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to jane.doe@domain1 --server parameters-mandatory') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to jane.doe@domain1 --server parameters-optional') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + # Valid aliases. + send = Command('swaks --suppress-data --to postmaster@domain1 --server parameters-mandatory') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to postmaster@domain1 --server parameters-optional') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to webmaster@domain2 --server parameters-mandatory') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + send = Command('swaks --suppress-data --to webmaster@domain2 --server parameters-optional') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + # Invalid aliases. 
+ send = Command('swaks --suppress-data --to postmaster@domain2 --server parameters-mandatory') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to postmaster@domain2 --server parameters-optional') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to webmaster@domain1 --server parameters-mandatory') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + send = Command('swaks --suppress-data --to webmaster@domain1 --server parameters-optional') + assert send.rc == no_recipients_accepted + assert "Recipient address rejected: User unknown in virtual mailbox table" in send.stdout + + +def test_smtp_authentication(Command): + """ + Tests if SMTP authentication works via TLS and allows sending mails to + anywhere. + """ + + send = Command('swaks -tls --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional') + assert send.rc == 0 + assert "Ok: queued as" in send.stdout + + +def test_smtp_authentication_requires_tls(Command): + """ + Tests if SMTP authentication requires TLS. + """ + + auth_error = 28 + + send = Command('swaks --port 587 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional') + assert send.rc == auth_error + assert "Host did not advertise authentication" in send.stdout + + +def test_smtp_authentication_requires_submission_port(Command): + """ + Tests if SMTP authentication cannot be done on regular SMTP port. 
+ """
+
+ auth_error = 28
+
+ send = Command('swaks --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+ assert send.rc == auth_error
+ assert "Host did not advertise authentication" in send.stdout
+
+ send = Command('swaks -tls --port 25 --auth-user john.doe@domain1 --auth-password johnpassword --to root@client1 --server parameters-optional')
+ assert send.rc == auth_error
+ assert "Host did not advertise authentication" in send.stdout
diff --git a/roles/mail_server/tests/test_default.py b/roles/mail_server/tests/test_default.py
index ef04a32b8c6dc6cc2738e21edb2cf11d1c0c55c9..99320380e31e37353023abcaf90330ca84bd8ea1 100644
--- a/roles/mail_server/tests/test_default.py
+++ b/roles/mail_server/tests/test_default.py
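Review bot: `test_mail_delivery` repeats the same send/assert triple sixteen times with only the recipient and server changing, and `test_open_relay` twice more, so the rejection text and the exit code live in many copies that can drift when a case is added. Folding the cases into `pytest.mark.parametrize` (needs `import pytest` at the top of the module) leaves one assertion per expected outcome and reports each recipient/server pair under its own test id; the exit code `24` and the `User unknown in virtual mailbox table` text then belong in module-level constants that `test_client1.py` could share. The sketch below covers the rejected accounts and aliases; the accepted cases take the same shape with `rc == 0` and `Ok: queued as`.
```python
NO_RECIPIENTS_ACCEPTED = 24
USER_UNKNOWN = "Recipient address rejected: User unknown in virtual mailbox table"
SERVERS = ["parameters-mandatory", "parameters-optional"]

# … unchanged: testinfra_hosts, test_open_relay …


@pytest.mark.parametrize("server", SERVERS)
@pytest.mark.parametrize("recipient", [
    "john.doe@domain2", "jane.doe@domain1",     # accounts addressed in the wrong domain
    "postmaster@domain2", "webmaster@domain1",  # aliases addressed in the wrong domain
])
def test_unknown_recipient_rejected(Command, recipient, server):
    """
    Tests that accounts and aliases that do not exist in the addressed domain
    are rejected by both servers.
    """
    send = Command("swaks --suppress-data --to %s --server %s" % (recipient, server))
    assert send.rc == NO_RECIPIENTS_ACCEPTED
    assert USER_UNKNOWN in send.stdout
```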
@@ -1,12 +1,236 @@ +import re + import testinfra.utils.ansible_runner + testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - '.molecule/ansible_inventory').get_hosts('all') + '.molecule/ansible_inventory').get_hosts(['parameters-mandatory', 'parameters-optiona']) + + +def test_installed_packages(Package): + """ + Tests if the necessary packages have been installed. + """ + + assert Package('rsync').is_installed + assert Package('dovecot-imapd').is_installed + assert Package('dovecot-ldap').is_installed + assert Package('dovecot-sieve').is_installed + assert Package('dovecot-managesieved').is_installed + assert Package('postfix').is_installed + assert Package('postfix-ldap').is_installed + assert Package('swaks').is_installed + assert Package('clamav-milter').is_installed + + +def test_removed_packages(Package): + """ + Tests if certain packages have been removed from the system. + """ + assert not Package('exim4').is_installed + + +def test_postfix_user(User): + """ + Tests if Postfix user has been added to correct group for traversing the TLS + private key directory. + """ + + assert "ssl-cert" in User('postfix').groups + + +def test_dovecot_user(User): + """ + Tests if Dovecot user has been added to correct group for traversing the TLS + private key directory. + """ + + assert "ssl-cert" in User('dovecot').groups + + +def test_clamav_milter_configuration(File): + """ + Tests if ClamAV Milter configuration has been deployed correctly. + """ + + config = File('/etc/clamav/clamav-milter.conf') + + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + + +def test_clamav_milter(Command): + """ + Tests if ClamAV milter is blocking viruses. 
+ """ + + server_did_not_accept_mail = 26 + + eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' + + send_mail = Command("swaks --to john.doe@domain1 --server localhost --attach '%s'" % eicar) + + assert send_mail.rc == server_did_not_accept_mail + assert 'Your message has been rejected due to a possible virus' in send_mail.stdout + + +def test_postfix_chroot_directories(File): + """ + Tests if Postfix chroot directories have been set-up with correct + permissions. + """ + + directory = File('/var/spool/postfix/var') + assert directory.is_directory + assert directory.user == 'root' + assert directory.group == 'root' + assert directory.mode == 0o755 + + directory = File('/var/spool/postfix/var/run') + assert directory.is_directory + assert directory.user == 'root' + assert directory.group == 'root' + assert directory.mode == 0o755 + + directory = File('/var/spool/postfix/var/run/clamav') + assert directory.is_directory + assert directory.user == 'clamav' + assert directory.group == 'clamav' + assert directory.mode == 0o755 + + +def test_ldap_tls_truststore_file(File): + """ + Tests if the LDAP TLS truststore file has been deployed correctly. + """ + + tls_file = File('/etc/ssl/certs/mail_ldap_tls_truststore.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/ca.cert.pem", "r").read().rstrip() + + tls_file = File('/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/ca.cert.pem", "r").read().rstrip() + + +def test_mailname_file(File): + """ + Tests the system mail name file permissions. 
+ """ + + mailname = File('/etc/mailname') + + assert mailname.is_file + assert mailname.user == 'root' + assert mailname.group == 'root' + assert mailname.mode == 0o644 + + +def test_postfix_ldap_configuration_files(File): + """ + Tests if Postfix LDAP configuration files have been deployed correctly. + """ + + for config_file_path in ['/etc/postfix/ldap-virtual-alias-maps.cf', + '/etc/postfix/ldap-virtual-mailbox-domains.cf', + '/etc/postfix/ldap-virtual-mailbox-maps.cf']: + + config = File(config_file_path) + assert config.is_file + assert config.user == 'root' + assert config.group == 'postfix' + assert config.mode == 0o640 + + +def test_postfix_ldap_configuration(Command, Sudo): + """ + Tests if LDAP configuration can be used to fetch correct query results. + """ + + with Sudo(): + + # Test for valid domains. + command = Command("postmap -q domain1 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf") + assert command.rc == 0 + assert command.stdout == "domain1" + + command = Command("postmap -q domain2 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf") + assert command.rc == 0 + assert command.stdout == "domain2" + + # Test for invalid domains. + command = Command("postmap -q domain3 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf") + assert command.rc == 1 + assert command.stdout == "" + + # Test for valid mail addresses. + command = Command("postmap -q 'john.doe@domain1' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf") + assert command.rc == 0 + assert command.stdout == 'john.doe@domain1' + + command = Command("postmap -q 'jane.doe@domain2' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf") + assert command.rc == 0 + assert command.stdout == 'jane.doe@domain2' + + # Test for invalid mail addresses. 
+ command = Command("postmap -q 'jane.doe@domain1' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf") + assert command.rc == 1 + assert command.stdout == '' + + command = Command("postmap -q 'john.doe@domain2' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf") + assert command.rc == 1 + assert command.stdout == '' + + # Test for valid mail aliases. + command = Command("postmap -q postmaster@domain1 ldap:/etc/postfix/ldap-virtual-alias-maps.cf") + assert command.rc == 0 + assert command.stdout == "john.doe@domain1" + + command = Command("postmap -q webmaster@domain2 ldap:/etc/postfix/ldap-virtual-alias-maps.cf") + assert command.rc == 0 + assert command.stdout == "jane.doe@domain2" + + # Test for invalid mail aliases. + command = Command("postmap -q postmaster@domain2 ldap:/etc/postfix/ldap-virtual-alias-maps.cf") + assert command.rc == 1 + assert command.stdout == "" + + command = Command("postmap -q webmaster@domain1 ldap:/etc/postfix/ldap-virtual-alias-maps.cf") + assert command.rc == 1 + assert command.stdout == "" + + +def test_postfix_main_cf_file(File): + """ + Tests Postfix main configuration file permissions. + """ + + config = File('/etc/postfix/main.cf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + +def test_postfix_delivery_to_dovecot(Command, File, Sudo): + """ + Tests if mail received by Postfix is properly delivered to Dovecot. + """ -def test_hosts_file(File): - f = File('/etc/hosts') + # Virtual account. + send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-mandatory') + assert send.rc == 0 + message_id = re.search('Ok: queued as (.*)', send.stdout).group(1) - assert f.exists - assert f.user == 'root' - assert f.group == 'root' + with Sudo(): + mail_log = File('/var/log/mail.log') + pattern = "dovecot: lda\(john.doe@domain1\): msgid=<[^.]*.%s@[^>]*>: saved mail to INBOX" % message_id + assert re.search(pattern, mail_log.content) is not None 
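Review bot: The new host selector reads `get_hosts(['parameters-mandatory', 'parameters-optiona'])` — `parameters-optiona` is missing its final `l`, so this module's tests either never run against the parameters-optional instance or the runner errors on the unknown pattern, depending on how AnsibleRunner resolves it; fix to `'parameters-optional'`. In `test_postfix_delivery_to_dovecot` the log pattern is built in a plain string with `\(` escapes (an invalid escape sequence that newer Pythons warn about) and the queue id is interpolated unescaped; use `pattern = r"dovecot: lda\(john\.doe@domain1\): msgid=<[^.]*\.%s@[^>]*>: saved mail to INBOX" % re.escape(message_id)` — the same line appears in `test_local_aliases` in test_optional.py. `test_ldap_tls_truststore_file` reads the CA fixture with a bare `open(...).read()` that is never closed; `with open("tests/data/x509/ca.cert.pem") as fixture:` is the idiom, and the same pattern recurs in `test_smtp_tls_files` in test_mandatory.py and test_optional.py. Whether a Postfix queue id can contain regex metacharacters is inferred rather than visible here, but escaping costs nothing.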
diff --git a/roles/mail_server/tests/test_mandatory.py b/roles/mail_server/tests/test_mandatory.py
new file mode 100644
index 0000000000000000000000000000000000000000..847cbbfd95c648500d821f6681bfde1663bd784e
--- /dev/null
+++ b/roles/mail_server/tests/test_mandatory.py
@@ -0,0 +1,87 @@ +import testinfra.utils.ansible_runner + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '.molecule/ansible_inventory').get_hosts('parameters-mandatory') + + +def test_smtp_tls_files(File, Sudo): + """ + Tests if SMTP TLS private key has been deployed correctly. + """ + + with Sudo(): + + tls_file = File('/etc/ssl/private/parameters-mandatory_smtp.key') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o640 + assert tls_file.content == open("tests/data/x509/parameters-mandatory_smtp.key", "r").read().rstrip() + + tls_file = File('/etc/ssl/certs/parameters-mandatory_smtp.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/parameters-mandatory_smtp.pem", "r").read().rstrip() + + tls_file = File('/etc/ssl/private/parameters-mandatory_imap.key') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o640 + assert tls_file.content == open("tests/data/x509/parameters-mandatory_imap.key", "r").read().rstrip() + + tls_file = File('/etc/ssl/certs/parameters-mandatory_imap.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/parameters-mandatory_imap.pem", "r").read().rstrip() + + +def test_certificate_validity_check_configuration(File): + """ + Tests if certificate validity check configuration file has been deployed + correctly. 
+ """ + + config = File('/etc/check_certificate/parameters-mandatory_smtp.conf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + assert config.content == "/etc/ssl/certs/parameters-mandatory_smtp.pem" + + config = File('/etc/check_certificate/parameters-mandatory_imap.conf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + assert config.content == "/etc/ssl/certs/parameters-mandatory_imap.pem" + + +def test_mailname_file_content(File): + """ + Tests the system mail name file content. + """ + + mailname = File('/etc/mailname') + + assert mailname.content == "parameters-mandatory" + + +def test_postfix_main_cf_file_content(File): + """ + Tests if the Postfix main configuration file content is correct. + """ + + config = File('/etc/postfix/main.cf') + config_lines = config.content.split("\n") + + assert "myhostname = parameters-mandatory" in config_lines + assert "mydestination = parameters-mandatory, parameters-mandatory, localhost.localdomain, localhost" in config_lines + assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128" in config_lines + assert "smtpd_tls_cert_file = /etc/ssl/certs/parameters-mandatory_smtp.pem" in config_lines + assert "smtpd_tls_key_file = /etc/ssl/private/parameters-mandatory_smtp.key" in config_lines + assert "reject_rbl" not in config_lines diff --git a/roles/mail_server/tests/test_optional.py b/roles/mail_server/tests/test_optional.py new file mode 100644 index 0000000000000000000000000000000000000000..a74b2007b7232263706c974c3a0467f55ccdd5b7 --- /dev/null +++ b/roles/mail_server/tests/test_optional.py 
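Review bot: `assert "reject_rbl" not in config_lines` in `test_postfix_main_cf_file_content` is vacuous: `config_lines` is a list of whole lines, so the membership test only checks that no line equals exactly `reject_rbl`, and it passes even when the RBL restrictions are present (test_optional.py shows they render as ` reject_rbl bl.spamcop.net`). Use `assert not any("reject_rbl" in line for line in config_lines)` or `assert "reject_rbl" not in config.content`. The fixture paths in `test_smtp_tls_files` (`parameters-mandatory_smtp.key`, `parameters-mandatory_smtp.pem`, and the `_imap` pair) differ in suffix from the `.key.pem`/`.cert.pem` names used for parameters-optional in playbook.yml and test_optional.py; if the mandatory fixtures follow the same naming, these `open()` calls fail with FileNotFoundError, which cannot be confirmed from this diff. The docstring of `test_smtp_tls_files` mentions only the SMTP private key while the body checks the SMTP and IMAP keys and certificates, here and in test_optional.py; suggest `Tests if the SMTP and IMAP TLS private keys and certificates have been deployed correctly.`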
@@ -0,0 +1,106 @@ +import re + +import testinfra.utils.ansible_runner + + +testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( + '.molecule/ansible_inventory').get_hosts('parameters-optional') + + +def test_smtp_tls_files(File, Sudo): + """ + Tests if SMTP TLS private key has been deployed correctly. + """ + + with Sudo(): + + tls_file = File('/etc/ssl/private/parameters-optional_smtp.key') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o640 + assert tls_file.content == open("tests/data/x509/parameters-optional_smtp.key.pem", "r").read().rstrip() + + tls_file = File('/etc/ssl/certs/parameters-optional_smtp.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/parameters-optional_smtp.cert.pem", "r").read().rstrip() + + tls_file = File('/etc/ssl/private/parameters-optional_imap.key') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o640 + assert tls_file.content == open("tests/data/x509/parameters-optional_imap.key.pem", "r").read().rstrip() + + tls_file = File('/etc/ssl/certs/parameters-optional_imap.pem') + assert tls_file.is_file + assert tls_file.user == 'root' + assert tls_file.group == 'root' + assert tls_file.mode == 0o644 + assert tls_file.content == open("tests/data/x509/parameters-optional_imap.cert.pem", "r").read().rstrip() + + +def test_certificate_validity_check_configuration(File): + """ + Tests if certificate validity check configuration file has been deployed + correctly. 
+ """ + + config = File('/etc/check_certificate/parameters-optional_smtp.conf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + assert config.content == "/etc/ssl/certs/parameters-optional_smtp.pem" + + config = File('/etc/check_certificate/parameters-optional_imap.conf') + assert config.is_file + assert config.user == 'root' + assert config.group == 'root' + assert config.mode == 0o644 + assert config.content == "/etc/ssl/certs/parameters-optional_imap.pem" + + +def test_mailname_file_content(File): + """ + Tests the system mail name file content. + """ + + mailname = File('/etc/mailname') + + assert mailname.content == "parameters-optional" + + +def test_postfix_main_cf_file_content(File): + """ + Tests if the Postfix main configuration file content is correct. + """ + + config = File('/etc/postfix/main.cf') + config_lines = config.content.split("\n") + + assert "myhostname = parameters-optional" in config_lines + assert "mydestination = parameters-optional, parameters-optional, localhost.localdomain, localhost" in config_lines + assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.31.127.20" in config_lines + assert "smtpd_tls_cert_file = /etc/ssl/certs/parameters-optional_smtp.pem" in config_lines + assert "smtpd_tls_key_file = /etc/ssl/private/parameters-optional_smtp.key" in config_lines + assert " reject_rbl bl.spamcop.net" in config_lines + assert " reject_rbl zen.spamhaus.org" in config_lines + + +def test_local_aliases(Command, File, Sudo): + """ + Tests if local aliases are configured correctly. + """ + + send = Command('swaks --suppress-data --to root@localhost') + assert send.rc == 0 + message_id = re.search('Ok: queued as (.*)', send.stdout).group(1) + + with Sudo(): + mail_log = File('/var/log/mail.log') + pattern = "dovecot: lda\(john.doe@domain1\): msgid=<[^.]*.%s@[^>]*>: saved mail to INBOX" % message_id + assert re.search(pattern, mail_log.content) is not None
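Review bot: `test_local_aliases` runs `swaks --suppress-data --to root@localhost` with no `--server`, leaving swaks to choose the destination from the recipient domain, whereas every other swaks invocation in this change passes `--server` explicitly (`test_clamav_milter` in test_default.py uses `--server localhost`); add `--server localhost` so the test cannot quietly target a different host. The RBL assertions `" reject_rbl bl.spamcop.net" in config_lines` and `" reject_rbl zen.spamhaus.org" in config_lines` depend on the exact leading whitespace emitted by main.cf.j2, so a purely cosmetic re-indent of the template breaks them; comparing stripped lines, `config_lines = [line.strip() for line in config.content.split("\n")]`, keeps the check about content only (the other `in config_lines` assertions start at column 0 and are unaffected). Whether swaks' default destination resolution ever differs from localhost in this molecule setup is inferred, not visible here.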