diff --git a/roles/mail_forwarder/molecule/default/prepare.yml b/roles/mail_forwarder/molecule/default/prepare.yml index 55241e8a781ee8705af81f74bdca332cbccff801..eec9c578e7b0d39e181ded29cdedd0754f33fe48 100644 --- a/roles/mail_forwarder/molecule/default/prepare.yml +++ b/roles/mail_forwarder/molecule/default/prepare.yml @@ -38,6 +38,11 @@ 10.31.127.31: "parameters-optional-stretch64" 10.31.127.32: "parameters-no-incoming-stretch64" + - name: Install tools for testing + apt: + name: gnutls-bin + state: present + - hosts: clients become: true tasks: diff --git a/roles/mail_forwarder/molecule/default/tests/test_default.py b/roles/mail_forwarder/molecule/default/tests/test_default.py index b3d162bce9047d3d391d68243ee5cf74bed3da21..2356291fa18eea98986a0b62395cbca621a98ea2 100644 --- a/roles/mail_forwarder/molecule/default/tests/test_default.py +++ b/roles/mail_forwarder/molecule/default/tests/test_default.py 
@@ -84,3 +84,44 @@ def test_firewall_configuration_file(host):
     assert config.user == 'root'
     assert config.group == 'root'
     assert config.mode == 0o640
+
+
+def test_smtp_server_dh_parameter_file(host):
+    """
+    Tests if the Diffie-Helman parameter file has been generated
+    correctly.
+    """
+
+    hostname = host.run('hostname').stdout.strip()
+    dhparam_file_path = '/etc/ssl/private/%s_smtp.dh.pem' % hostname
+
+    with host.sudo():
+        dhparam_file = host.file(dhparam_file_path)
+        assert dhparam_file.is_file
+        assert dhparam_file.user == 'root'
+        assert dhparam_file.group == 'root'
+        assert dhparam_file.mode == 0o640
+
+        dhparam_info = host.run("openssl dhparam -noout -text -in %s", dhparam_file_path)
+
+        assert "DH Parameters: (2048 bit)" in dhparam_info.stdout
+
+
+def test_smtp_server_uses_correct_dh_parameters(host):
+    """
+    Tests if the SMTP server uses the generated Diffie-Helman parameter.
+    """
+
+    hostname = host.run('hostname').stdout.strip()
+
+    with host.sudo():
+        expected_dhparam = host.file('/etc/ssl/private/%s_smtp.dh.pem' % hostname).content_string.rstrip()
+
+        connection = host.run("gnutls-cli --no-ca-verification --starttls-proto=smtp --port 25 --priority 'NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA384:+DHE-RSA:+SHA384:+AEAD:+AES-256-GCM' --verbose localhost")
+
+        output = connection.stdout
+        begin_marker = "-----BEGIN DH PARAMETERS-----"
+        end_marker = "-----END DH PARAMETERS-----"
+        used_dhparam = output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]
+
+        assert used_dhparam == expected_dhparam
diff --git a/roles/mail_forwarder/tasks/main.yml b/roles/mail_forwarder/tasks/main.yml
index 3d8362ce49cdd13558151b5f6ea3e0231d5f9a7f..a6bde5bb0f30e2da8d432fae9c84f13e8b80f467 100644
--- a/roles/mail_forwarder/tasks/main.yml
+++ b/roles/mail_forwarder/tasks/main.yml
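Review bot: In `test_smtp_server_uses_correct_dh_parameters` the slice `output[output.find(begin_marker):output.find(end_marker) + len(end_marker)]` degrades silently when gnutls-cli fails or prints no PEM block: `find` returns -1, the slice becomes an arbitrary (usually empty) substring, and the only symptom is an unhelpful string comparison failure. Add `assert connection.rc == 0, connection.stderr` after the `host.run` call and `assert begin_marker in output and end_marker in output` before the slice, so a failed STARTTLS handshake or a server that never sends a DH group is reported as such. A one-line comment on the priority string would also help the next reader, e.g. `# Force a DHE-RSA suite so the server must send its DH group; --no-ca-verification is acceptable because the snakeoil certificate is self-signed`. Both docstrings spell "Diffie-Helman"; the name is Diffie-Hellman. Whether gnutls-cli exits cleanly once testinfra closes its stdin is something I cannot confirm from here.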
@@ -24,6 +24,16 @@ group: root mode: 0644 +- name: Generate the SMTP server Diffie-Helman parameter + openssl_dhparam: + owner: root + group: root + mode: 0640 + path: "/etc/ssl/private/{{ ansible_fqdn }}_smtp.dh.pem" + size: 2048 + notify: + - Restart Postfix + - name: Configure visible mail name of the system copy: content: "{{ inventory_hostname }}" diff --git a/roles/mail_forwarder/templates/main.cf.j2 b/roles/mail_forwarder/templates/main.cf.j2 index 3d8464d1455b98479df6ef75aee3f7708c8f61e5..35f1f0a704341ed634f26121c5bb78c1aa626a96 100644 --- a/roles/mail_forwarder/templates/main.cf.j2 +++ b/roles/mail_forwarder/templates/main.cf.j2 @@ -20,6 +20,8 @@ readme_directory = no # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_tls_dh1024_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem +smtpd_tls_dh512_param_file = /etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
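Review bot: The generated file is named from `{{ ansible_fqdn }}`, while the main.cf.j2 hunk in this commit references `/etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem` and test_default.py derives the name from the `hostname` command; on any host where the FQDN, the inventory name and the kernel hostname differ, Postfix is pointed at a file that does not exist. As far as I recall Postfix then only logs a warning and falls back to its compiled-in DH parameters, so the role's 2048-bit group would be silently unused and the new test passes only where the three names happen to coincide. Pick one spelling for all three places — `path: "/etc/ssl/private/{{ inventory_hostname }}_smtp.dh.pem"` here matches the template — or better, put the path in a role variable that the task, the template and the test all read. `notify: - Restart Postfix` relies on a handler defined outside this hunk that I cannot see.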
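Review bot: The second added line, `smtpd_tls_dh512_param_file`, sets the group Postfix uses only for export-grade EDH ciphers, which current Postfix/OpenSSL builds no longer offer, so it is effectively inert; pointing it at the 2048-bit file is harmless but reads as if a 512-bit group were in play. Either drop the line or add `# the 512-bit slot is only consulted for export ciphers; reuse the strong group so no weak parameters exist on disk` above it. Both settings only take effect if Postfix can open the file at startup, so the path here should be kept in lock-step with the generation task's path.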