Changeset - a48e04e52b25
[Not reviewed]
0 9 0
Branko Majic (branko) - 2 months ago 2024-03-01 00:29:54
branko@majic.rs
MAR-192: Added support for Debian 12 Bookworm to mail_server role:

- Allow use of older versions of TLS on Bookworm for testing of
related optional parameters.
- Install the IMAP CLI testing tool under its own virtual environment
in order to avoid warnings and errors when trying to install it
globally under Debian 12 Bookworm.
- Update the lists of expected TLS protocols and ciphers.
9 files changed with 291 insertions and 41 deletions:
docs/rolereference.rst
 
@@ -1248,12 +1248,13 @@ Parameters
 
Distribution compatibility
 
~~~~~~~~~~~~~~~~~~~~~~~~~~
 

	
 
Role is compatible with the following distributions:
 

	
 
- Debian 11 (Bullseye)
 
- Debian 12 (Bookworm)
 

	
 

	
 
Examples
 
~~~~~~~~
 

	
 
Here is an example configuration for setting-up XMPP server using Prosody:
roles/mail_server/meta/main.yml
 
@@ -14,6 +14,7 @@ galaxy_info:
 
  license: BSD
 
  min_ansible_version: 2.9
 
  platforms:
 
    - name: Debian
 
      versions:
 
        - 11
 
        - 12
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -32,12 +32,13 @@ mail_server_smtp_additional_configuration: |
 
  mail_name = MySMTP
 
  smtp_skip_5xx_greeting = no
 

	
 
# Variables dependant on distribution release.
 
release_based_smtp_allow_relay_from:
 
  bullseye: "192.168.56.41"
 
  bookworm: "192.168.56.21"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client
roles/mail_server/molecule/default/host_vars/ldap-server.yml
 
@@ -43,6 +43,10 @@ backup_host_ssh_private_keys:
 
  ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
backup_clients:
 

	
 
  - server: param-optional-bullseye
 
    ip: 192.168.56.52
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
  - server: param-optional-bookworm
 
    ip: 192.168.56.32
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
roles/mail_server/molecule/default/molecule.yml
 
@@ -21,13 +21,13 @@ platforms:
 

	
 

	
 
  # Helpers
 
  # =======
 

	
 
  - name: clamav-database
 
    box: debian/bullseye64
 
    box: debian/bookworm64
 
    memory: 512
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
@@ -35,13 +35,13 @@ platforms:
 
        network_name: private_network
 
        type: static
 
    config_options:
 
      synced_folder: true
 

	
 
  - name: ldap-server
 
    box: debian/bullseye64
 
    box: debian/bookworm64
 
    memory: 256
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
@@ -115,12 +115,80 @@ platforms:
 
      - auto_config: true
 
        ip: 192.168.56.52
 
        network_name: private_network
 
        type: static
 

	
 

	
 
  # Debian 11 Bookworm
 
  # ==================
 

	
 
  - name: client1-bookworm
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - bookworm
 
      - smtp-server-requiring-tls
 
    box: debian/bookworm64
 
    memory: 256
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.21
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client2-bookworm
 
    groups:
 
      - client
 
      - client-relay-forbidden
 
      - bookworm
 
      - smtp-server-refusing-tls
 
    box: debian/bookworm64
 
    memory: 256
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.22
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-bookworm
 
    groups:
 
      - parameters-mandatory
 
      - bookworm
 
    box: debian/bookworm64
 
    memory: 2048
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.31
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-bookworm
 
    groups:
 
      - parameters-optional
 
      - bookworm
 
    box: debian/bookworm64
 
    memory: 2048
 
    cpus: 1
 
    provider_raw_config_args:
 
      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.32
 
        network_name: private_network
 
        type: static
 

	
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
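Review bot: The section header added above `client1-bookworm` reads `# Debian 11 Bookworm`, but Bookworm is Debian 12, as the commit message and docs/rolereference.rst in this same changeset state. It should read `# Debian 12 Bookworm`; the `# ==================` underline already has the right length. The header appears to have been copied from the Bullseye group of platforms, which lies outside the visible hunk.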
roles/mail_server/molecule/default/prepare.yml
 
@@ -35,12 +35,21 @@
 
          fqdn: parameters-mandatory-bullseye
 
        - name: parameters-optional-bullseye_imap
 
          fqdn: parameters-optional-bullseye
 
        - name: parameters-optional-bullseye_smtp
 
          fqdn: parameters-optional-bullseye
 

	
 
        - name: parameters-mandatory-bookworm_imap
 
          fqdn: parameters-mandatory-bookworm
 
        - name: parameters-mandatory-bookworm_smtp
 
          fqdn: parameters-mandatory-bookworm
 
        - name: parameters-optional-bookworm_imap
 
          fqdn: parameters-optional-bookworm
 
        - name: parameters-optional-bookworm_smtp
 
          fqdn: parameters-optional-bookworm
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 

	
 
@@ -192,30 +201,101 @@
 
        192.168.56.12: "ldap-server backup-server"
 
        192.168.56.41: "client1 smtp-server-requiring-tls"
 
        192.168.56.42: "client2 smtp-server-refusing-tls"
 
        192.168.56.51: "parameters-mandatory parameters-mandatory-bullseye"
 
        192.168.56.52: "parameters-optional parameters-optional-bullseye"
 

	
 
- hosts: bookworm
 
  become: true
 
  tasks:
 

	
 
    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter
 
      blockinfile:
 
        path: "/etc/ssl/openssl.cnf"
 
        block: |
 
          [openssl_init]
 
          ssl_conf = ssl_sect
 

	
 
          [ssl_sect]
 
          system_default = system_default_sect
 

	
 
          [system_default_sect]
 
          MinProtocol = TLSv1.1
 
          CipherString = DEFAULT@SECLEVEL=0
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 

	
 
    - name: Set-up the hosts file
 
      lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        # Force mail servers to use local ClamAV database mirror.
 
        192.168.56.11: "db.local.clamav.net database.clamav.net"
 
        192.168.56.12: "ldap-server backup-server"
 
        192.168.56.21: "client1 smtp-server-requiring-tls"
 
        192.168.56.22: "client2 smtp-server-refusing-tls"
 
        192.168.56.31: "parameters-mandatory parameters-mandatory-bookworm"
 
        192.168.56.32: "parameters-optional parameters-optional-bookworm"
 

	
 
- hosts: client
 
  become: true
 
  tasks:
 

	
 
    - name: Install SWAKS for testing SMTP capability
 
    - name: Install tool for testing SMTP capability
 
      apt:
 
        name: swaks
 
        state: present
 

	
 
    - name: Install pip
 
      apt:
 
        name: python3-pip
 
        state: present
 
    - name: Install tool for testing IMAP
 
      block:
 

	
 
    - name: Install IMAP CLI tool
 
      pip:
 
        name: Imap-CLI==0.7
 
        state: present
 
        - name: Install required system packages
 
          apt:
 
            name: python3-venv
 
            state: present
 

	
 
        - name: Set-up dedicated Python virtual environment for running the tool
 
          command: "python3 -m venv /opt/imap-cli"
 
          args:
 
            creates: /opt/imap-cli/bin/python
 

	
 
        - name: Install IMAP CLI
 
          pip:
 
            name:
 
              - Imap-CLI==0.7
 
              - six
 
            state: present
 
            virtualenv: /opt/imap-cli
 

	
 
        - name: Set-up symlinks for running the tool
 
          file:
 
            src: "/opt/imap-cli/bin/{{ item }}"
 
            dest: "/usr/local/bin/{{ item }}"
 
            owner: root
 
            group: root
 
            state: link
 
          with_items:
 
            - imapcli
 
            - imap-cli-flag
 
            - imap-cli-delete
 
            - imap-cli-copy
 
            - imap-api
 
            - imap-shell
 
            - imap-notify
 
            - imap-cli-status
 
            - imap-cli-search
 
            - imap-cli-read
 
            - imap-cli-list
 

	
 
    - name: Install tool for testing SIEVE
 
      apt:
 
        name: sieve-connect
 
        state: present
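Review bot: The name of the OpenSSL override task in the new `hosts: bookworm` play does not match what its block does: it says "TLSv1.0+" and refers to `web_server_tls_protocols`, while the block sets `MinProtocol = TLSv1.1` and this scenario belongs to the mail_server role, so the name looks copied from another role. Because the block also sets `CipherString = DEFAULT@SECLEVEL=0` for every OpenSSL consumer on the machine through `/etc/ssl/openssl.cnf`, I would rename the task to something like `Lower OpenSSL MinProtocol and security level on test machines to allow testing of optional TLS parameters` and put `# Test-only: weakens system-wide OpenSSL defaults, do not reuse outside Molecule.` above it. The `mode: 0644` values in the two new tasks are safer written as `mode: "0644"`, so the YAML parser cannot read them as an octal integer.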
 

	
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -629,16 +629,17 @@ def test_certificate_validity_check_configuration(host):
 
def test_smtp_default_port_tls_version_and_ciphers(host):
 
    """
 
    Tests TLS configuration for SMTP default port (needs to be less
 
    restrictive for interoperability purposes).
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    expected_tls_ciphers = {
 
        "bullseye": [
 
    if distribution_release == "bullseye":
 
        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]
 
        expected_tls_ciphers = [
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
@@ -693,15 +694,75 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_RSA_WITH_SEED_CBC_SHA',
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 
    else:
 
        expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
        expected_tls_ciphers = [
 
            'TLS_AKE_WITH_AES_128_GCM_SHA256',
 
            'TLS_AKE_WITH_AES_256_GCM_SHA384',
 
            'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_128_CCM',
 
            'TLS_RSA_WITH_AES_128_CCM_8',
 
            'TLS_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_256_CCM',
 
            'TLS_RSA_WITH_AES_256_CCM_8',
 
            'TLS_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
        ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p 25 localhost -oX /tmp/report.xml")
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 

	
 
@@ -717,13 +778,13 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 
        tls_ciphers.add(child.text)
 

	
 
    tls_versions.sort()
 
    tls_ciphers = sorted(list(tls_ciphers))
 

	
 
    assert tls_versions == expected_tls_versions
 
    assert tls_ciphers == expected_tls_ciphers[distribution_release]
 
    assert tls_ciphers == expected_tls_ciphers
 

	
 

	
 
def test_dovecot_warnings(host):
 
    """
 
    Tests if Dovecot is reporting any warnings.
 
    """
roles/mail_server/molecule/default/tests/test_mandatory.py
 
@@ -95,22 +95,38 @@ def test_mail_owner(host):
 
def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled for
 
    IMAP and SMTP submission.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
    ]
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    if distribution_release == "bullseye":
 
        expected_tls_versions = ["TLSv1.2"]
 
        expected_tls_ciphers = [
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        ]
 

	
 
    else:
 
        expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
 
        expected_tls_ciphers = [
 
            "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
            "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
 
        ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
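Review bot: The bare `else:` that now selects the Bookworm expectations in `test_imap_and_smtp_submission_tls_version_and_ciphers` treats every release other than Bullseye as Bookworm, so a run on a later release would be compared against the wrong TLS baseline and fail with a misleading cipher diff. The same pattern is in `test_smtp_default_port_tls_version_and_ciphers` in test_default.py and in the matching function in test_optional.py. I would make the branch explicit with `elif distribution_release == "bookworm":` and end the chain with `else: raise ValueError("Unsupported distribution release: %s" % distribution_release)`. The function body continues past the end of the hunk.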
 

	
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -120,25 +120,43 @@ def test_mail_owner(host):
 
def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
 
    """
 
    Tests if the correct TLS version and ciphers have been enabled for
 
    IMAP and SMTP submission.
 
    """
 

	
 
    expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 

	
 
    expected_tls_ciphers = [
 
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
    ]
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    if distribution_release == "bullseye":
 
        expected_tls_versions = ["TLSv1.1", "TLSv1.2"]
 
        expected_tls_ciphers = [
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        ]
 
    else:
 
        expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]
 
        expected_tls_ciphers = [
 
            "TLS_AKE_WITH_AES_128_GCM_SHA256",
 
            "TLS_AKE_WITH_AES_256_GCM_SHA384",
 
            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
 
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
 
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
 
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
 
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
 
        ]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
 
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
 
    assert nmap.rc == 0
 
    report_content = host.file('/tmp/report.xml').content_string
 

	