mail_user_uid: 5000

mail_user_gid: 5000

imap_max_user_connections_per_ip: 2

imap_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.cert.pem') }}"

imap_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_imap.key.pem') }}"

local_mail_aliases:

  root: "john.doe@domain1"

smtp_tls_certificate: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.cert.pem') }}"

smtp_tls_key: "{{ lookup('file', 'tests/data/x509/server/{{ inventory_hostname }}_smtp.key.pem') }}"

imap_folder_separator: "."

smtp_rbl:

  - bl.spamcop.net

  - zen.spamhaus.org

mail_postmaster: "webmaster@parameters-optional"

smtp_allow_relay_from:

  - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"

mail_message_size_limit: 20480001

mail_server_smtp_additional_configuration: |

  mail_name = MySMTP

  smtp_skip_5xx_greeting = no

# Variables dependant on distribution release.

release_based_smtp_allow_relay_from:

  bookworm: "192.168.56.21"

# common

ca_certificates:

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# backup_client

enable_backup: true

backup_client_username: "bak-param-optional-{{ ansible_distribution_release }}"

backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"

backup_server: ldap-server

backup_server_host_ssh_public_keys:

  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"

  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"

backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}"

  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"

# ldap_client

ldap_client_config:

  - comment: CA truststore

    option: TLS_CACERT

    value: /etc/ssl/certs/testca.cert.pem

  - comment: Ensure TLS is enforced

    option: TLS_REQCERT

    value: demand

  - comment: Base DN

    option: BASE

    value: dc=local

  - comment: URI

    option: URI

    value: ldapi:///

# backup_server role

backup_host_ssh_private_keys:

  rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"

  ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"

  ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"

backup_clients:

  - server: param-optional-bookworm

    ip: 192.168.56.32

    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.11

        network_name: private_network

        type: static

    config_options:

      synced_folder: true

  - name: ldap-server

    box: debian/bookworm64

    memory: 384

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.12

        network_name: private_network

        type: static

  # Debian 11 Bookworm

  # ==================

  - name: client1-bookworm

    groups:

      - client

      - client-relay-allowed

      - bookworm

      - smtp-server-requiring-tls

    box: debian/bookworm64

    memory: 256

    cpus: 1

    provider_raw_config_args:

      - "customize ['modifyvm', :id, '--paravirtprovider', 'minimal']"

    interfaces:

      - auto_config: true

        ip: 192.168.56.21

        network_name: private_network

        type: static

  - name: client2-bookworm

    groups:

      - client

      - client-relay-forbidden

    - name: Initialise CA hierarchy

      command: "gimmecert init"

      args:

        creates: ".gimmecert/ca/level1.cert.pem"

        chdir: "tests/data/"

    - name: Generate server private keys and certificates

      command:

      args:

        chdir: "tests/data/"

        creates: ".gimmecert/server/{{ item.name }}.cert.pem"

        argv:

          - "gimmecert"

          - "server"

          - "{{ item.name }}"

          - "{{ item.fqdn }}"

          - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"

      with_items:

        - name: clamav-database_https

          fqdn: database.clamav.net

        - name: ldap-server_ldap

          fqdn: ldap-server

        - name: parameters-mandatory-bookworm_imap

          fqdn: parameters-mandatory-bookworm

        - name: parameters-mandatory-bookworm_smtp

          fqdn: parameters-mandatory-bookworm

        - name: parameters-optional-bookworm_imap

          fqdn: parameters-optional-bookworm

        - name: parameters-optional-bookworm_smtp

          fqdn: parameters-optional-bookworm

    - name: Set-up link to generated X.509 material

      file:

        src: ".gimmecert"

        dest: "tests/data/x509"

        state: link

- name: Prepare

  hosts: all

  gather_facts: false

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)

      become: true

      changed_when: false

        content: "{{ clamav_database_http_server_tls_certificate }}"

        mode: 0644

        owner: root

        group: root

      notify:

        - Restart nginx

    - name: Deploy nginx configuration for serving the ClamAV database files

      copy:

        src: clamav-database-nginx.conf

        dest: /etc/nginx/sites-available/default

        owner: root

        group: root

        mode: 0644

      notify:

        - Restart nginx

  handlers:

    - name: Restart nginx

      service:

        name: nginx

        state: restarted

- hosts: bookworm

  become: true

  tasks:

    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the web_server_tls_protocols parameter

      blockinfile:

        path: "/etc/ssl/openssl.cnf"

        block: |

          [openssl_init]

          ssl_conf = ssl_sect

          [ssl_sect]

          system_default = system_default_sect

          [system_default_sect]

          MinProtocol = TLSv1.1

          CipherString = DEFAULT@SECLEVEL=0

        owner: root

        group: root

        mode: 0644

        state: present

    - name: Set-up the hosts file

      lineinfile:

    hostname = host.run('hostname').stdout.strip()

    config = host.file('/etc/check_certificate/%s_smtp.conf' % hostname)

    assert config.is_file

    assert config.user == 'root'

    assert config.group == 'root'

    assert config.mode == 0o644

    assert config.content_string == "/etc/ssl/certs/%s_smtp.pem" % hostname

    config = host.file('/etc/check_certificate/%s_imap.conf' % hostname)

    assert config.is_file

    assert config.user == 'root'

    assert config.group == 'root'

    assert config.mode == 0o644

    assert config.content_string == "/etc/ssl/certs/%s_imap.pem" % hostname

def test_smtp_default_port_tls_version_and_ciphers(host):

    """

    Tests TLS configuration for SMTP default port (needs to be less

    restrictive for interoperability purposes).

    """

    expected_tls_versions = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

    expected_tls_ciphers = [

        'TLS_AKE_WITH_AES_128_GCM_SHA256',

        'TLS_AKE_WITH_AES_256_GCM_SHA384',

        'TLS_AKE_WITH_CHACHA20_POLY1305_SHA256',

        'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',

        'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',

        'TLS_DHE_RSA_WITH_AES_128_CCM',

        'TLS_DHE_RSA_WITH_AES_128_CCM_8',

        'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',

        'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',

        'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',

        'TLS_DHE_RSA_WITH_AES_256_CCM',

        'TLS_DHE_RSA_WITH_AES_256_CCM_8',

        'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',

        'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',

        'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',

        'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',

        'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',

        'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',

        'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',

        'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',

        'TLS_DH_anon_WITH_AES_128_CBC_SHA',

        'TLS_DH_anon_WITH_AES_128_CBC_SHA256',

    group = host.group("vmail")

    assert group.exists

    assert group.gid == 1003

    user = host.user("vmail")

    assert user.exists

    assert user.uid == 1003

    assert user.home == "/var/vmail"

    assert user.group == "vmail"

    assert user.groups == ["vmail"]

@pytest.mark.parametrize("port", [

    143,

    993,

    587,

])

def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):

    """

    Tests if the correct TLS version and ciphers have been enabled for

    IMAP and SMTP submission.

    """

    expected_tls_versions = ["TLSv1.2", "TLSv1.3"]

    expected_tls_ciphers = [

        "TLS_AKE_WITH_AES_128_GCM_SHA256",

        "TLS_AKE_WITH_AES_256_GCM_SHA384",

        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

    ]

    # Run the nmap scanner against the server, and fetch the results.

    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))

    assert nmap.rc == 0

    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []

    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script/table"):

    group = host.group("virtmail")

    assert group.exists

    assert group.gid == 5000

    user = host.user("virtmail")

    assert user.exists

    assert user.uid == 5000

    assert user.home == "/var/virtmail"

    assert user.group == "virtmail"

    assert user.groups == ["virtmail"]

@pytest.mark.parametrize("port", [

    143,

    993,

    587,

])

def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):

    """

    Tests if the correct TLS version and ciphers have been enabled for

    IMAP and SMTP submission.

    """

    expected_tls_versions = ["TLSv1.1", "TLSv1.2", "TLSv1.3"]

    expected_tls_ciphers = [

        "TLS_AKE_WITH_AES_128_GCM_SHA256",

        "TLS_AKE_WITH_AES_256_GCM_SHA384",

        "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",

        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",

        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",

        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",

        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",

        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",

    ]

    # Run the nmap scanner against the server, and fetch the results.

    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))

    assert nmap.rc == 0

    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []

# Text shown to connecting clients as part of SMTP greeting.

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

# Listen on all network interfaces and all protocols.

inet_interfaces = all

inet_protocols = all

# Fall-back to using native lookups (/etc/hosts etc) if DNS lookup

# fails. Useful for local overrides of mail servers.

smtp_host_lookup = dns, native

# Recipient delimeter for separating user name from its extension.

recipient_delimiter = +

# Deliver undeliverable bounces to domain's postmaster. Helps with application

# misconfigurations.

notify_classes = resource, software, 2bounce

# Explicitly set maximum allowed mail size that should be accepted.

message_size_limit = {{ mail_message_size_limit }}

# Disable output of Postfix README file paths when invoking postconf.

readme_directory = no

# Use whitelist/blacklist instead of allowlist/denylist in log

# entries.

respectful_logging = no

# Compatibility level for default values. For more details, see:

#     https://www.postfix.org/COMPATIBILITY_README.html

compatibility_level = 3.6

# Local mailbox delivery

# ======================

# List of domains for local transport deliveries.

mydestination = {{ inventory_hostname }}, {{ inventory_hostname_short }}, localhost.localdomain, localhost

# Alias maps for local deliveries (to system accounts).

alias_maps = hash:/etc/aliases

# Alias database that gets updated when invoking "newaliases" command.

alias_database = hash:/etc/aliases

# Disable size limits for local user mailboxes.

mailbox_size_limit = 0

# Disable use of biff service for new mail notifications to local

# users (improves performance).

biff = no