majic-ansible-roles Changeset

Changeset - b1d025a9e559

Parent rev.

Child rev.

[Not reviewed]

0 7 0

Branko Majic (branko) - 2 months ago 2025-01-22 13:46:13
branko@majic.rs

MAR-233: Add IPv6 connectivity tests for the mail_server role:

- Include an example of IPv6 address in documentation for the
smtp_allow_relay_from role parameter (has to have square brackets to
make it usable with Postfix configuratin).
- Expand the tests and test parameters to ensure IPv6 is properly
covered.
- Reorder the names in /etc/hosts slightly to ensure the ansible_fqdn
and inventory_hostname match-up. Code should be revisited to
probably drop the use of inventory_hostname from both roles and
tests, and instead rely on ansible_fqdn and ansible_hostname.
- Correct the Dovecot SSL DH parameter specification to use
ansible_fqdn for consistency purposes.

7 files changed with 37 insertions and 10 deletions:

docs/rolereference.rst

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

roles/mail_server/molecule/default/molecule.yml

roles/mail_server/molecule/default/prepare.yml

roles/mail_server/molecule/default/tests/test_client2.py

roles/mail_server/molecule/default/tests/test_optional.py

roles/mail_server/templates/99-local.conf.j2

0 comments (0 inline, 0 general) First comment

docs/rolereference.rst

➞

Show inline comments

@@ @@ -1277,7 +1277,8 @@ Parameters @@
   List of networks from which mail relaying is allowed even without
   authentication. Each item in the list is a string defining a network. The
   format must be compatible with Postfix ``mynetworks`` setting (for example:
   ``192.168.1.0/24``, ``myhost.example.com`` etc).
   ``192.168.1.0/24``, ``myhost.example.com``, ``[fd00::192:168:56:21]/128``
   etc).
 Distribution compatibility

roles/mail_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ @@ -31,8 +31,7 @@ smtp_rbl: @@
   - zen.spamhaus.org
 mail_postmaster: "webmaster@parameters-optional"
 smtp_allow_relay_from:
   - "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 smtp_allow_relay_from: "{{ release_based_smtp_allow_relay_from[ansible_distribution_release] }}"
 mail_message_size_limit: 20480001
 mail_server_smtp_additional_configuration: |
   mail_name = MySMTP
@@ @@ -40,7 +39,9 @@ mail_server_smtp_additional_configuration: | @@
 # Variables dependant on distribution release.
 release_based_smtp_allow_relay_from:
   bookworm: "192.168.56.21"
   bookworm:
     - 192.168.56.21
     - "[fd00::192:168:56:21]/128"
 # common
 ca_certificates:

roles/mail_server/molecule/default/molecule.yml

➞

Show inline comments

@@ @@ -60,6 +60,11 @@ platforms: @@
         ip: 192.168.56.21
         network_name: private_network
         type: static
       - auto_config: true
         ip: fd00::192:168:56:21
         network_name: private_network
         netmask: 116
         type: static
   - name: client2-bookworm
     groups:
@@ @@ -75,6 +80,11 @@ platforms: @@
         ip: 192.168.56.22
         network_name: private_network
         type: static
       - auto_config: true
         ip: fd00::192:168:56:22
         network_name: private_network
         netmask: 116
         type: static
   - name: parameters-mandatory-bookworm
     groups:
@@ @@ -88,6 +98,11 @@ platforms: @@
         ip: 192.168.56.31
         network_name: private_network
         type: static
       - auto_config: true
         ip: fd00::192:168:56:31
         network_name: private_network
         netmask: 116
         type: static
   - name: parameters-optional-bookworm
     groups:
@@ @@ -101,6 +116,11 @@ platforms: @@
         ip: 192.168.56.32
         network_name: private_network
         type: static
       - auto_config: true
         ip: fd00::192:168:56:32
         network_name: private_network
         netmask: 116
         type: static
 provisioner:

roles/mail_server/molecule/default/prepare.yml

➞

Show inline comments

@@ @@ -197,8 +197,12 @@ @@
 .168.56.12: "ldap-server backup-server"
 .168.56.21: "client1 smtp-server-requiring-tls"
 .168.56.22: "client2 smtp-server-refusing-tls"
 .168.56.31: "parameters-mandatory parameters-mandatory-bookworm"
 .168.56.32: "parameters-optional parameters-optional-bookworm"
 .168.56.31: "parameters-mandatory-bookworm parameters-mandatory"
 .168.56.32: "parameters-optional-bookworm parameters-optional"
         fd00::192:168:56:21: "client1 smtp-server-requiring-tls"
         fd00::192:168:56:22: "client2 smtp-server-refusing-tls"
         fd00::192:168:56:31: "parameters-mandatory-bookworm parameters-mandatory"
         fd00::192:168:56:32: "parameters-optional-bookworm parameters-optional"
 - name: Prepare, helpers
   hosts: client

roles/mail_server/molecule/default/tests/test_client2.py

➞

Show inline comments

@@ @@ -288,13 +288,14 @@ def test_sieve_authentication_requires_tls(host): @@
 ,
 ])
 def test_connectivity(host, server, port):
 @pytest.mark.parametrize('ip_protocol', [4, 6])
 def test_connectivity(host, server, port, ip_protocol):
     """
     Tests connectivity to the mail server (ports that should be reachable).
     """
     with host.sudo():
-        scan = host.run('nmap -4 -p %s -oG - %s', str(port), server)
+        scan = host.run('nmap -%s -p %s -oG - %s', str(ip_protocol), str(port), server)
         assert scan.rc == 0
         assert "Ports: %d/open/tcp//" % port in scan.stdout

roles/mail_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -41,7 +41,7 @@ def test_postfix_main_cf_file_content(host): @@
     assert "myhostname = %s" % hostname in config_lines
     assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines
     assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % allow_relay_from_ip in config_lines
+    assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 %s" % " ".join(allow_relay_from_ip) in config_lines
     assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
     assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
     assert "  reject_rbl_client bl.spamcop.net" in config_lines

roles/mail_server/templates/99-local.conf.j2

➞

Show inline comments

@@ @@ -31,7 +31,7 @@ service auth { @@
 # TLS configuration.
 ssl_cert = </etc/ssl/certs/{{ ansible_fqdn }}_imap.pem
 ssl_key = </etc/ssl/private/{{ ansible_fqdn }}_imap.key
-ssl_dh=</etc/ssl/private/{{ inventory_hostname }}_imap.dh.pem
+ssl_dh=</etc/ssl/private/{{ ansible_fqdn }}_imap.dh.pem
 ssl_min_protocol = {{ mail_server_minimum_tls_protocol }}
 ssl_cipher_list = {{ mail_server_tls_ciphers }}
 ssl = required

0 comments (0 inline, 0 general) First comment