diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml index 89fdffed8090b6ce448092721f1f3a7ce4d493f0..247bcf7c5b0ebed71808fd75a0ecb8908dc2ec09 100644 --- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml +++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml @@ -37,14 +37,15 @@ mail_server_smtp_additional_configuration: | # Variables dependant on distribution release. release_based_smtp_allow_relay_from: buster: "192.168.56.21" + bullseye: "192.168.56.41" # common ca_certificates: testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}" -# backup_client (backup username should end in -b64 for Buster). +# backup_client enable_backup: true -backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release[0] }}64" +backup_client_username: "bak-param-optional-{{ ansible_distribution_release }}" backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}" backup_server: ldap-server backup_server_host_ssh_public_keys: diff --git a/roles/mail_server/molecule/default/host_vars/ldap-server.yml b/roles/mail_server/molecule/default/host_vars/ldap-server.yml index 58d7e2fa1950907b7d36d7195b64c474654dc39b..61affd87f11d66acc4a88ce9574ccd7f99071709 100644 --- a/roles/mail_server/molecule/default/host_vars/ldap-server.yml +++ b/roles/mail_server/molecule/default/host_vars/ldap-server.yml @@ -43,6 +43,10 @@ backup_host_ssh_private_keys: ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" backup_clients: - - server: parameters-optional-b64 + - server: param-optional-buster ip: 192.168.56.32 public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" + + - server: param-optional-bullseye + ip: 192.168.56.52 + public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" 
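Review bot: The comment above `enable_backup` has been cut down to `# backup_client`, so the coupling the old text hinted at is now undocumented: `backup_client_username` is built from `ansible_distribution_release`, and from what is visible here it appears to have to agree, apart from the `bak-` prefix, with the `server:` names added to `backup_clients` in host_vars/ldap-server.yml (`param-optional-buster`, `param-optional-bullseye`). A comment such as `# backup_client (username is derived from the release name and has to match the backup_clients entry in host_vars/ldap-server.yml)` would keep the next rename from breaking one side only. Whether the `bak-` prefix is added by the backup server role is not visible in this diff and should be confirmed before the comment is worded that way.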
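Review bot: Both `backup_clients` entries now reference the same public key, `tests/data/ssh/parameters-optional.pub`, so the key alone no longer identifies which client is connecting; keeping the two clients apart then rests entirely on the `ip` field (presumably rendered into a `from=` restriction by the backup server role — confirm there). Reusing one key pair is acceptable for a test fixture, but it should be stated so the pattern is not copied into real inventories: `# Both test clients share one key pair; they are told apart by ip only.` above the list.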
diff --git a/roles/mail_server/molecule/default/molecule.yml b/roles/mail_server/molecule/default/molecule.yml index 459f5d17b188dd8cf1ba2d69c70a468f75997f90..c7e1b62fe5c69ee43fb388ad3cef74b5f59bbfe6 100644 --- a/roles/mail_server/molecule/default/molecule.yml +++ b/roles/mail_server/molecule/default/molecule.yml @@ -19,8 +19,12 @@ lint: platforms: + + # Helpers + # ======= + - name: clamav-database - box: debian/contrib-buster64 + box: debian/bullseye64 memory: 512 cpus: 1 interfaces: @@ -32,7 +36,7 @@ platforms: synced_folder: true - name: ldap-server - box: debian/contrib-buster64 + box: debian/bullseye64 memory: 256 cpus: 1 interfaces: @@ -41,6 +45,10 @@ platforms: network_name: private_network type: static + + # Debian 10 Buster + # ================ + - name: client1-buster groups: - client @@ -71,7 +79,7 @@ platforms: network_name: private_network type: static - - name: parameters-mandatory-buster64 + - name: parameters-mandatory-buster groups: - parameters-mandatory - buster @@ -84,7 +92,7 @@ platforms: network_name: private_network type: static - - name: parameters-optional-buster64 + - name: parameters-optional-buster groups: - parameters-optional - buster 
@@ -97,6 +105,67 @@ platforms: network_name: private_network type: static + + # Debian 11 Bullseye + # ================ + + - name: client1-bullseye + groups: + - client + - client-relay-allowed + - bullseye + - smtp-server-requiring-tls + box: debian/bullseye64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.41 + network_name: private_network + type: static + + - name: client2-bullseye + groups: + - client + - client-relay-forbidden + - bullseye + - smtp-server-refusing-tls + box: debian/bullseye64 + memory: 256 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.42 + network_name: private_network + type: static + + - name: parameters-mandatory-bullseye + groups: + - parameters-mandatory + - bullseye + box: debian/bullseye64 + memory: 2048 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.51 + network_name: private_network + type: static + + - name: parameters-optional-bullseye + groups: + - parameters-optional + - bullseye + box: debian/bullseye64 + memory: 2048 + cpus: 1 + interfaces: + - auto_config: true + ip: 192.168.56.52 + network_name: private_network + type: static + + provisioner: name: ansible playbooks: diff --git a/roles/mail_server/molecule/default/prepare.yml b/roles/mail_server/molecule/default/prepare.yml index 80068905ba876a6a7953e530cea802e4206367e7..ca521eaf18d2eeb2c96df3b6dac7ec89155d7c57 100644 --- a/roles/mail_server/molecule/default/prepare.yml +++ b/roles/mail_server/molecule/default/prepare.yml 
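Review bot: The underline beneath `# Debian 11 Bullseye` is two characters shorter than its heading, while the `# Helpers` and `# Debian 10 Buster` headings added in the earlier hunks have underlines matching their titles; `# ==================` would keep the three consistent.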
@@ -28,14 +28,24 @@ fqdn: database.clamav.net - name: ldap-server_ldap fqdn: ldap-server - - name: parameters-mandatory-buster64_imap - fqdn: parameters-mandatory-buster64 - - name: parameters-mandatory-buster64_smtp - fqdn: parameters-mandatory-buster64 - - name: parameters-optional-buster64_imap - fqdn: parameters-optional-buster64 - - name: parameters-optional-buster64_smtp - fqdn: parameters-optional-buster64 + + - name: parameters-mandatory-buster_imap + fqdn: parameters-mandatory-buster + - name: parameters-mandatory-buster_smtp + fqdn: parameters-mandatory-buster + - name: parameters-optional-buster_imap + fqdn: parameters-optional-buster + - name: parameters-optional-buster_smtp + fqdn: parameters-optional-buster + + - name: parameters-mandatory-bullseye_imap + fqdn: parameters-mandatory-bullseye + - name: parameters-mandatory-bullseye_smtp + fqdn: parameters-mandatory-bullseye + - name: parameters-optional-bullseye_imap + fqdn: parameters-optional-bullseye + - name: parameters-optional-bullseye_smtp + fqdn: parameters-optional-bullseye - name: Set-up link to generated X.509 material file: 
@@ -191,8 +201,30 @@ 192.168.56.12: "ldap-server backup-server" 192.168.56.21: "client1 smtp-server-requiring-tls" 192.168.56.22: "client2 smtp-server-refusing-tls" - 192.168.56.31: "parameters-mandatory parameters-mandatory-buster64" - 192.168.56.32: "parameters-optional parameters-optional-buster64" + 192.168.56.31: "parameters-mandatory parameters-mandatory-buster" + 192.168.56.32: "parameters-optional parameters-optional-buster" + +- hosts: bullseye + become: true + tasks: + + - name: Set-up the hosts file + lineinfile: + path: /etc/hosts + regexp: "^{{ item.key }}" + line: "{{ item.key }} {{ item.value }}" + owner: root + group: root + mode: 0644 + state: present + with_dict: + # Force mail servers to use local ClamAV database mirror. + 192.168.56.11: "db.local.clamav.net database.clamav.net" + 192.168.56.12: "ldap-server backup-server" + 192.168.56.41: "client1 smtp-server-requiring-tls" + 192.168.56.42: "client2 smtp-server-refusing-tls" + 192.168.56.51: "parameters-mandatory parameters-mandatory-bullseye" + 192.168.56.52: "parameters-optional parameters-optional-bullseye" - hosts: client become: true diff --git a/roles/mail_server/molecule/default/templates/helper_smtp_main.cf.j2 b/roles/mail_server/molecule/default/templates/helper_smtp_main.cf.j2 index edcfeaa76d07c22915852df263400ffc98d03a2c..079d7634de3963c19c5e1cb3f3839e086b6cd7e5 100644 --- a/roles/mail_server/molecule/default/templates/helper_smtp_main.cf.j2 +++ b/roles/mail_server/molecule/default/templates/helper_smtp_main.cf.j2 @@ -35,7 +35,7 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache # information on enabling SSL in the smtp client. smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination -myhostname = contrib-buster.localdomain +myhostname = client.localdomain alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname 
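Review bot: The new `- hosts: bullseye` play repeats the entire `Set-up the hosts file` task from the `buster` play directly above it, differing only in the six `with_dict` values, so the two copies will drift the next time a mapping changes. A single play over `hosts: buster:bullseye` with `with_dict: "{{ hosts_file_entries }}"` and the per-release dict moved into the `buster` and `bullseye` group vars would remove the duplication. While touching it, `regexp: "^{{ item.key }}"` matches any line that merely starts with the address text and its unescaped dots match any character; `regexp: "^{{ item.key | regex_escape }}\\s"` pins the match to the exact address. The same applies to the pre-existing buster copy, which is context in this hunk.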
diff --git a/roles/mail_server/molecule/default/tests/test_default.py b/roles/mail_server/molecule/default/tests/test_default.py index abd135c20b0aab821fb54f3a2ce824bd71a14f1d..e9cba75f2a1afb978ef69fd8314d6f93cf678f30 100644 --- a/roles/mail_server/molecule/default/tests/test_default.py +++ b/roles/mail_server/molecule/default/tests/test_default.py @@ -236,7 +236,7 @@ def test_postfix_delivery_to_dovecot(host): hostname = host.run('hostname').stdout.strip() - message_id = str(uuid.uuid4()) + message_id = "%s@localhost" % str(uuid.uuid4()) # Virtual account. send = host.run('swaks --header %s --suppress-data --to john.doe@domain1 --server %s', "Message-Id: <%s>" % message_id, hostname) @@ -513,7 +513,7 @@ def test_postfix_local_delivery(host): account's mail spool. """ - message_id = str(uuid.uuid4()) + message_id = "%s@localhost" % str(uuid.uuid4()) send = host.run('swaks --header %s --suppress-data --to localuser@localhost --server localhost', "Message-Id: <%s>" % message_id) assert send.rc == 0 @@ -542,7 +542,7 @@ def test_postfix_sends_mails_without_tls_when_unavailable(host): assert send.rc == 29 assert "Host did not advertise STARTTLS" in send.stderr - message_id = str(uuid.uuid4()) + message_id = "%s@localhost" % str(uuid.uuid4()) send = host.run('swaks --header %s --suppress-data --to root@smtp-server-refusing-tls --server localhost', "Message-Id: <%s>" % message_id) assert send.rc == 0 @@ -570,7 +570,7 @@ def test_postfix_sends_mails_over_tls_when_available(host): assert send.rc == 23 assert "Must issue a STARTTLS command first" in send.stdout - message_id = str(uuid.uuid4()) + message_id = "%s@localhost" % str(uuid.uuid4()) send = host.run('swaks --tls --header %s --suppress-data --to root@smtp-server-requiring-tls --server localhost', "Message-Id: <%s>" % message_id) assert send.rc == 0 
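Review bot: The expression `"%s@localhost" % str(uuid.uuid4())` is now written out in all four hunks of this file (test_postfix_delivery_to_dovecot, test_postfix_local_delivery, test_postfix_sends_mails_without_tls_when_unavailable, test_postfix_sends_mails_over_tls_when_available) and once more in test_optional.py's test_local_aliases; a module-level helper such as `def make_message_id(): return "%s@localhost" % uuid.uuid4()` would keep the format in one place, and the `str()` call is redundant under `%s`. The commit does not record why the domain part became necessary; a one-line comment at the helper (or at the first use) stating the reason would save the next reader from re-deriving it. Each of these functions starts before its hunk and continues after it.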
@@ -679,6 +679,67 @@ def test_smtp_default_port_tls_version_and_ciphers(host): 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256', 'TLS_RSA_WITH_SEED_CBC_SHA', + ], + "bullseye": [ + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_DHE_RSA_WITH_AES_128_CCM', + 'TLS_DHE_RSA_WITH_AES_128_CCM_8', + 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_DHE_RSA_WITH_AES_256_CCM', + 'TLS_DHE_RSA_WITH_AES_256_CCM_8', + 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA', + 'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256', + 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256', + 'TLS_DHE_RSA_WITH_SEED_CBC_SHA', + 'TLS_DH_anon_WITH_AES_128_CBC_SHA', + 'TLS_DH_anon_WITH_AES_128_CBC_SHA256', + 'TLS_DH_anon_WITH_AES_128_GCM_SHA256', + 'TLS_DH_anon_WITH_AES_256_CBC_SHA', + 'TLS_DH_anon_WITH_AES_256_CBC_SHA256', + 'TLS_DH_anon_WITH_AES_256_GCM_SHA384', + 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA', + 'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256', + 'TLS_DH_anon_WITH_SEED_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', + 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384', + 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', + 'TLS_ECDH_anon_WITH_AES_128_CBC_SHA', + 'TLS_ECDH_anon_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_128_CBC_SHA', + 
'TLS_RSA_WITH_AES_128_CBC_SHA256', + 'TLS_RSA_WITH_AES_128_CCM', + 'TLS_RSA_WITH_AES_128_CCM_8', + 'TLS_RSA_WITH_AES_128_GCM_SHA256', + 'TLS_RSA_WITH_AES_256_CBC_SHA', + 'TLS_RSA_WITH_AES_256_CBC_SHA256', + 'TLS_RSA_WITH_AES_256_CCM', + 'TLS_RSA_WITH_AES_256_CCM_8', + 'TLS_RSA_WITH_AES_256_GCM_SHA384', + 'TLS_RSA_WITH_ARIA_128_GCM_SHA256', + 'TLS_RSA_WITH_ARIA_256_GCM_SHA384', + 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA', + 'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256', + 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA', + 'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256', + 'TLS_RSA_WITH_SEED_CBC_SHA', ] } diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py index 268120e1d6a80124963eee0806b16cad3fe188ec..8e893c59feaeb88c0227723ab3c31582ebf06ecd 100644 --- a/roles/mail_server/molecule/default/tests/test_optional.py +++ b/roles/mail_server/molecule/default/tests/test_optional.py @@ -54,7 +54,7 @@ def test_local_aliases(host): Tests if local aliases are configured correctly. """ - message_id = str(uuid.uuid4()) + message_id = "%s@localhost" % str(uuid.uuid4()) send = host.run('swaks --header %s --suppress-data --to root@localhost', "Message-Id: <%s>" % message_id) time.sleep(1)
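Review bot: The new `"bullseye"` expectation in test_smtp_default_port_tls_version_and_ciphers asserts that anonymous suites (`TLS_DH_anon_WITH_*`, `TLS_ECDH_anon_WITH_*`) are offered on the default SMTP port. If that is deliberate — opportunistic TLS on port 25 accepting unauthenticated peers rather than falling back to cleartext — a comment above the list saying so would stop a later maintainer from "fixing" the test by removing them, or from reading the list as a recommended configuration. Only the tail of the preceding list (presumably the buster one) is visible in this hunk, so whether it makes the same assertion cannot be checked here, and the function itself starts before the hunk.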