From b1d025a9e5595e75ae0012cb695ef02b0126a5da 2025-01-22 13:46:13
From: Branko Majic
Date: 2025-01-22 13:46:13
Subject: [PATCH] MAR-233: Add IPv6 connectivity tests for the mail_server role:
- Include an example of IPv6 address in documentation for the smtp_allow_relay_from role parameter (has to have square brackets to make it usable with Postfix configuratin).
- Expand the tests and test parameters to ensure IPv6 is properly covered.
- Reorder the names in /etc/hosts slightly to ensure the ansible_fqdn and inventory_hostname match-up. Code should be revisited to probably drop the use of inventory_hostname from both roles and tests, and instead rely on ansible_fqdn and ansible_hostname.
- Correct the Dovecot SSL DH parameter specification to use ansible_fqdn for consistency purposes.
---
diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index eee6a68a2d2d1c9112443ec53e3c2316d521491d..4633788116a0b7a2246f3b86081564a2e33eefb0 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -1277,7 +1277,8 @@ Parameters
 List of networks from which mail relaying is allowed even without authentication. Each item in the list is a string defining a network. The format must be compatible with Postfix ``mynetworks`` setting (for example:
- ``192.168.1.0/24``, ``myhost.example.com`` etc).
+ ``192.168.1.0/24``, ``myhost.example.com``, ``[fd00::192:168:56:21]/128``
+ etc).
 Distribution compatibility
diff --git a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
index 3005395f48a769e03aca749797662f76d9cf3082..b6e86e8276f97e1e5e24e3a96994cfe5c68bd612 100644
--- a/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
+++ b/roles/mail_server/molecule/default/group_vars/parameters-optional.yml
@@ -31,8 +31,7 @@ smtp_rbl:
 - zen.spamhaus.org
 mail_postmaster: "webmaster@parameters-optional"
-smtp_allow_relay_from:
- - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
+smtp_allow_relay_from: "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 mail_message_size_limit: 20480001
 mail_server_smtp_additional_configuration: |
 mail_name = MySMTP
@@ -40,7 +39,9 @@ mail_server_smtp_additional_configuration: |
 # Variables dependant on distribution release.
 release_based_smtp_allow_relay_from:
- bookworm: "192.168.56.21"
+ bookworm:
+ - 192.168.56.21
+ - "[fd00::192:168:56:21]/128"
 # common
 ca_certificates:
diff --git a/roles/mail_server/molecule/default/molecule.yml b/roles/mail_server/molecule/default/molecule.yml
index 83a08eca835aa6844fcb5f33534da3c440bae4d9..f5ed5a3924caf053bb86785eba78605b48ced287 100644
--- a/roles/mail_server/molecule/default/molecule.yml
+++ b/roles/mail_server/molecule/default/molecule.yml
@@ -60,6 +60,11 @@ platforms:
 ip: 192.168.56.21 network_name: private_network type: static + - auto_config: true ip: fd00::192:168:56:21 network_name: private_network netmask: 116 type: static - name: client2-bookworm groups:
@@ -75,6 +80,11 @@ platforms:
 ip: 192.168.56.22 network_name: private_network type: static + - auto_config: true ip: fd00::192:168:56:22 network_name: private_network netmask: 116 type: static - name: parameters-mandatory-bookworm groups:
@@ -88,6 +98,11 @@ platforms:
 ip: 192.168.56.31 network_name: private_network type: static + - auto_config: true ip: fd00::192:168:56:31 network_name: private_network netmask: 116 type: static - name: parameters-optional-bookworm groups:
@@ -101,6 +116,11 @@ platforms:
 ip: 192.168.56.32 network_name: private_network type: static + - auto_config: true ip: fd00::192:168:56:32 network_name: private_network netmask: 116 type: static provisioner:
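Review bot: The IPv4 entry `192.168.56.21` under `release_based_smtp_allow_relay_from.bookworm` carries no prefix length while its new IPv6 sibling is written as `[fd00::192:168:56:21]/128`; Postfix accepts a bare address in `mynetworks`, but `192.168.56.21/32` would keep the two entries parallel and make the single-host intent explicit. The list is presumably what `test_optional.py` joins with spaces into the expected `mynetworks` line, so any such change must be mirrored there as well; the value is test data only and nothing else in the hunk depends on its exact form.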
diff --git a/roles/mail_server/molecule/default/prepare.yml b/roles/mail_server/molecule/default/prepare.yml
index 37e2dd82d0eebface544561bca3f23952e64d450..b4fda6d382aadc595d31e889f5d6d65ed45feab2 100644
--- a/roles/mail_server/molecule/default/prepare.yml
+++ b/roles/mail_server/molecule/default/prepare.yml
@@ -197,8 +197,12 @@
 192.168.56.12: "ldap-server backup-server"
 192.168.56.21: "client1 smtp-server-requiring-tls"
 192.168.56.22: "client2 smtp-server-refusing-tls"
- 192.168.56.31: "parameters-mandatory parameters-mandatory-bookworm"
- 192.168.56.32: "parameters-optional parameters-optional-bookworm"
+ 192.168.56.31: "parameters-mandatory-bookworm parameters-mandatory"
+ 192.168.56.32: "parameters-optional-bookworm parameters-optional"
+ fd00::192:168:56:21: "client1 smtp-server-requiring-tls"
+ fd00::192:168:56:22: "client2 smtp-server-refusing-tls"
+ fd00::192:168:56:31: "parameters-mandatory-bookworm parameters-mandatory"
+ fd00::192:168:56:32: "parameters-optional-bookworm parameters-optional"
 - name: Prepare, helpers
 hosts: client
diff --git a/roles/mail_server/molecule/default/tests/test_client2.py b/roles/mail_server/molecule/default/tests/test_client2.py
index 2a2cd32906bfdf432d3979775150ab2fd3932953..4c1759ee3f378b88a1fa0144dae975d7a654e10d 100644
--- a/roles/mail_server/molecule/default/tests/test_client2.py
+++ b/roles/mail_server/molecule/default/tests/test_client2.py
@@ -288,13 +288,14 @@ def test_sieve_authentication_requires_tls(host):
 993, 4190 ])
-def test_connectivity(host, server, port):
+@pytest.mark.parametrize('ip_protocol', [4, 6])
+def test_connectivity(host, server, port, ip_protocol):
 """ Tests connectivity to the mail server (ports that should be reachable). """
 with host.sudo():
- scan = host.run('nmap -4 -p %s -oG - %s', str(port), server)
+ scan = host.run('nmap -%s -p %s -oG - %s', str(ip_protocol), str(port), server)
 assert scan.rc == 0
 assert "Ports: %d/open/tcp//" % port in scan.stdout
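Review bot: Only the `192.168.56.31`/`.32` entries are reordered to put the `-bookworm` instance name first; the `client1`/`client2` lines, both the existing IPv4 ones and the new `fd00::` ones, still lead with the short name, while `molecule.yml` names those instances `client2-bookworm` (and presumably `client1-bookworm`). If the ansible_fqdn/inventory_hostname match-up described in the commit message matters for the client hosts too, those four entries want the same reordering; if it does not, a one-line comment above the mapping such as `# First name per address is what ansible_fqdn reports on that host.` would spare the next reader from guessing why only two addresses were touched. The `ldap-server backup-server` host at `192.168.56.12` gets no IPv6 entry, so any traffic the mail server sends to it stays IPv4-only — fine if intended, but worth stating in the same comment so the boundary of the IPv6 coverage is visible.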
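Review bot: The new `ip_protocol` parameter is reflected neither in the docstring nor in the test ids, so a failure shows up as `test_connectivity[...-6]` with no hint that the trailing value is an address family; passing `ids=['ipv4', 'ipv6']` to the added `parametrize` and extending the docstring to say the scan runs once per IP version and relies on `server` resolving to both the IPv4 and the `fd00::` address from `/etc/hosts` (set up in prepare.yml) would make that explicit. This test only asserts that the expected ports are open over each family; if a sibling test asserts that the remaining ports are closed, it should take the same `ip_protocol` parametrization, since a packet filter that only covers IPv4 would pass this positive check while still exposing the service over IPv6. The `server`/`port` parametrize lists and the rest of the module lie outside the hunk.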
diff --git a/roles/mail_server/molecule/default/tests/test_optional.py b/roles/mail_server/molecule/default/tests/test_optional.py
index 56059f9056bf582bcc1a339ed81c7a110c71b208..d430d184313a926f101d1209927199b6a2643882 100644
--- a/roles/mail_server/molecule/default/tests/test_optional.py
+++ b/roles/mail_server/molecule/default/tests/test_optional.py
@@ -41,7 +41,7 @@ def test_postfix_main_cf_file_content(host):
 assert "myhostname = %s" % hostname in config_lines
 assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines
- assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
+ assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % " ".join(allow_relay_from_ip) in config_lines
 assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
 assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
 assert " reject_rbl_client bl.spamcop.net" in config_lines
diff --git a/roles/mail_server/templates/99-local.conf.j2 b/roles/mail_server/templates/99-local.conf.j2
index e5178291718081b59771dbcc7acb132fa204936a..9fb92985ebb9e8d70efa536f7872e97836bdbe89 100644
--- a/roles/mail_server/templates/99-local.conf.j2
+++ b/roles/mail_server/templates/99-local.conf.j2
@@ -31,7 +31,7 @@ service auth {
 # TLS configuration. ssl_cert =
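Review bot: `allow_relay_from_ip` is now passed through `" ".join(...)`, so it is a list of networks rather than a single address, but the name still says otherwise; renaming it (for example `allow_relay_from_networks`) both where it is assigned earlier in `test_postfix_main_cf_file_content` — outside this hunk — and at this use would keep the assertion readable. The expected line also pins the role to emitting the networks in list order, space-separated, after the loopback defaults; a comment such as `# Role renders smtp_allow_relay_from verbatim and in order after the loopback networks.` above the assert would record that this ordering is intentional rather than incidental. The enclosing function starts before the hunk.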