Changeset - e0dc1c1cfaa8
[Not reviewed]
0 7 0
Branko Majic (branko) - 2 years ago 2023-12-07 22:13:06
branko@majic.rs
MAR-189: Added support for Debian 11 Bullseye to mail_server role:

- Shorten the backup client username so it would be under 32
characters.
- Switch all helper VMs to using the Debian 11 Bullseye as well.
- Drop the architecture suffix from hostnames.
- Update the hostname for client VMs.
- Fix the incorrect format for the message ID used in various mail
delivery tests.
7 files changed with 190 insertions and 23 deletions:
roles/mail_server/molecule/default/group_vars/parameters-optional.yml
 
@@ -34,20 +34,21 @@ mail_server_smtp_additional_configuration: |
 
  smtpd_banner = $myhostname ESMTP My SMTP Server
 
  smtp_skip_5xx_greeting = no
 

	
 
# Variables dependant on distribution release.
 
release_based_smtp_allow_relay_from:
 
  buster: "192.168.56.21"
 
  bullseye: "192.168.56.41"
 

	
 
# common
 
ca_certificates:
 
  testca: "{{ lookup('file', 'tests/data/x509/ca/level1.cert.pem') }}"
 

	
 
# backup_client (backup username should end in -b64 for Buster).
 
# backup_client
 
enable_backup: true
 
backup_client_username: "bak-parameters-optional-{{ ansible_distribution_release[0] }}64"
 
backup_client_username: "bak-param-optional-{{ ansible_distribution_release }}"
 
backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}"
 
backup_server: ldap-server
 
backup_server_host_ssh_public_keys:
 
  - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}"
 
  - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}"
 
  - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}"
roles/mail_server/molecule/default/host_vars/ldap-server.yml
 
@@ -40,9 +40,13 @@ ldap_client_config:
 
backup_host_ssh_private_keys:
 
  rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}"
 
  ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}"
 
  ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}"
 
backup_clients:
 

	
 
  - server: parameters-optional-b64
 
  - server: param-optional-buster
 
    ip: 192.168.56.32
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
 

	
 
  - server: param-optional-bullseye
 
    ip: 192.168.56.52
 
    public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}"
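Review bot: The new `server: param-optional-buster` and `server: param-optional-bullseye` entries have to agree with `backup_client_username` in group_vars/parameters-optional.yml, which now renders as `bak-param-optional-{{ ansible_distribution_release }}`; how the `bak-` prefix is reconciled with these `server:` values is not visible here, so a reader cannot tell whether the two files are consistent. A comment above `backup_clients:` such as `# server must match backup_client_username of the client (minus any prefix the role adds); see group_vars/parameters-optional.yml` would record the dependency. Both entries also share `tests/data/ssh/parameters-optional.pub`, which is fine for a test fixture but worth stating inline so it is not mistaken for a copy-paste slip.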
roles/mail_server/molecule/default/molecule.yml
 
@@ -16,34 +16,42 @@ lint:
 
  name: yamllint
 
  options:
 
    config-file: ../../.yamllint.yml
 

	
 
platforms:
 

	
 

	
 
  # Helpers
 
  # =======
 

	
 
  - name: clamav-database
 
    box: debian/contrib-buster64
 
    box: debian/bullseye64
 
    memory: 512
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.11
 
        network_name: private_network
 
        type: static
 
    config_options:
 
      synced_folder: true
 

	
 
  - name: ldap-server
 
    box: debian/contrib-buster64
 
    box: debian/bullseye64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.12
 
        network_name: private_network
 
        type: static
 

	
 

	
 
  # Debian 10 Buster
 
  # ================
 

	
 
  - name: client1-buster
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - buster
 
      - smtp-server-requiring-tls
 
@@ -68,38 +76,99 @@ platforms:
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.22
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-buster64
 
  - name: parameters-mandatory-buster
 
    groups:
 
      - parameters-mandatory
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 2048
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.31
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-buster64
 
  - name: parameters-optional-buster
 
    groups:
 
      - parameters-optional
 
      - buster
 
    box: debian/contrib-buster64
 
    memory: 2048
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.32
 
        network_name: private_network
 
        type: static
 

	
 

	
 
  # Debian 11 Bullseye
 
  # ================
 

	
 
  - name: client1-bullseye
 
    groups:
 
      - client
 
      - client-relay-allowed
 
      - bullseye
 
      - smtp-server-requiring-tls
 
    box: debian/bullseye64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.41
 
        network_name: private_network
 
        type: static
 

	
 
  - name: client2-bullseye
 
    groups:
 
      - client
 
      - client-relay-forbidden
 
      - bullseye
 
      - smtp-server-refusing-tls
 
    box: debian/bullseye64
 
    memory: 256
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.42
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-mandatory-bullseye
 
    groups:
 
      - parameters-mandatory
 
      - bullseye
 
    box: debian/bullseye64
 
    memory: 2048
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.51
 
        network_name: private_network
 
        type: static
 

	
 
  - name: parameters-optional-bullseye
 
    groups:
 
      - parameters-optional
 
      - bullseye
 
    box: debian/bullseye64
 
    memory: 2048
 
    cpus: 1
 
    interfaces:
 
      - auto_config: true
 
        ip: 192.168.56.52
 
        network_name: private_network
 
        type: static
 

	
 

	
 
provisioner:
 
  name: ansible
 
  playbooks:
 
    cleanup: cleanup.yml
 
  config_options:
 
    defaults:
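Review bot: `clamav-database` keeps `synced_folder: true` while its box moves from `debian/contrib-buster64` to `debian/bullseye64`; the `contrib-` Debian boxes shipped VirtualBox guest additions, which the plain box may not, so confirm the synced folder still mounts and record the sync mechanism with a comment beside `synced_folder: true`. None of the new `box: debian/bullseye64` platforms pin a box version, so the helper and target images float with whatever Vagrant Cloud serves; if the vagrant driver in use supports `box_version`, pinning it (or noting in a comment why it is left floating) makes the scenario reproducible. A minor style point: the new `# Debian 11 Bullseye` heading is underlined with `# ================`, two characters short of the title, while the Buster heading's underline matches; `# ==================` keeps the two sections consistent.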
roles/mail_server/molecule/default/prepare.yml
 
@@ -25,20 +25,30 @@
 
          - "{{ item.fqdn[:item.fqdn.rfind('-')] }}"
 
      with_items:
 
        - name: clamav-database_https
 
          fqdn: database.clamav.net
 
        - name: ldap-server_ldap
 
          fqdn: ldap-server
 
        - name: parameters-mandatory-buster64_imap
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-mandatory-buster64_smtp
 
          fqdn: parameters-mandatory-buster64
 
        - name: parameters-optional-buster64_imap
 
          fqdn: parameters-optional-buster64
 
        - name: parameters-optional-buster64_smtp
 
          fqdn: parameters-optional-buster64
 

	
 
        - name: parameters-mandatory-buster_imap
 
          fqdn: parameters-mandatory-buster
 
        - name: parameters-mandatory-buster_smtp
 
          fqdn: parameters-mandatory-buster
 
        - name: parameters-optional-buster_imap
 
          fqdn: parameters-optional-buster
 
        - name: parameters-optional-buster_smtp
 
          fqdn: parameters-optional-buster
 

	
 
        - name: parameters-mandatory-bullseye_imap
 
          fqdn: parameters-mandatory-bullseye
 
        - name: parameters-mandatory-bullseye_smtp
 
          fqdn: parameters-mandatory-bullseye
 
        - name: parameters-optional-bullseye_imap
 
          fqdn: parameters-optional-bullseye
 
        - name: parameters-optional-bullseye_smtp
 
          fqdn: parameters-optional-bullseye
 

	
 
    - name: Set-up link to generated X.509 material
 
      file:
 
        src: ".gimmecert"
 
        dest: "tests/data/x509"
 
        state: link
 
@@ -188,14 +198,36 @@
 
      with_dict:
 
        # Force mail servers to use local ClamAV database mirror.
 
        192.168.56.11: "db.local.clamav.net database.clamav.net"
 
        192.168.56.12: "ldap-server backup-server"
 
        192.168.56.21: "client1 smtp-server-requiring-tls"
 
        192.168.56.22: "client2 smtp-server-refusing-tls"
 
        192.168.56.31: "parameters-mandatory parameters-mandatory-buster64"
 
        192.168.56.32: "parameters-optional parameters-optional-buster64"
 
        192.168.56.31: "parameters-mandatory parameters-mandatory-buster"
 
        192.168.56.32: "parameters-optional parameters-optional-buster"
 

	
 
- hosts: bullseye
 
  become: true
 
  tasks:
 

	
 
    - name: Set-up the hosts file
 
      lineinfile:
 
        path: /etc/hosts
 
        regexp: "^{{ item.key }}"
 
        line: "{{ item.key }} {{ item.value }}"
 
        owner: root
 
        group: root
 
        mode: 0644
 
        state: present
 
      with_dict:
 
        # Force mail servers to use local ClamAV database mirror.
 
        192.168.56.11: "db.local.clamav.net database.clamav.net"
 
        192.168.56.12: "ldap-server backup-server"
 
        192.168.56.41: "client1 smtp-server-requiring-tls"
 
        192.168.56.42: "client2 smtp-server-refusing-tls"
 
        192.168.56.51: "parameters-mandatory parameters-mandatory-bullseye"
 
        192.168.56.52: "parameters-optional parameters-optional-bullseye"
 

	
 
- hosts: client
 
  become: true
 
  tasks:
 

	
 
    - name: Install SWAKS for testing SMTP capability
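Review bot: In the new `- hosts: bullseye` play, `regexp: "^{{ item.key }}"` uses the dotted address verbatim, so each `.` matches any character and the pattern has no right-hand boundary; `regexp: '^{{ item.key | regex_escape }}\s'` anchors the whole address and stops a key such as `192.168.56.1` from matching a longer one in the future. The added `mode: 0644` relies on the YAML octal reading; `mode: "0644"` is the form ansible-lint and yamllint expect and cannot be misread if the leading zero is ever dropped. The play is otherwise a copy of the Buster hosts-file play with only the address table changed, so a single play over both groups selecting the table by `ansible_distribution_release` would avoid the two tables drifting apart. The following `- hosts: client` play continues past the end of this hunk.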
roles/mail_server/molecule/default/templates/helper_smtp_main.cf.j2
 
@@ -32,13 +32,13 @@ smtpd_tls_security_level = {{ smtpd_tls_security_level }}
 
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 

	
 
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
 
# information on enabling SSL in the smtp client.
 

	
 
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
 
myhostname = contrib-buster.localdomain
 
myhostname = client.localdomain
 
alias_maps = hash:/etc/aliases
 
alias_database = hash:/etc/aliases
 
myorigin = /etc/mailname
 
mydestination = $myhostname, localhost.localdomain, localhost, {{ extra_mydestination }}
 
relayhost = 
 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
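Review bot: `myhostname = client.localdomain` is now shared by every helper SMTP VM that renders this template, so the HELO/EHLO name and the `Received:` headers no longer distinguish client1 from client2; any test that greps mail.log for the helper's hostname would need to key on the address instead. If that is the intent, a Jinja comment above the line, `{# Release-independent hostname shared by all helper SMTP VMs; per-VM identity comes from extra_mydestination and the IP #}`, records it for the next maintainer. The `relayhost = ` line still carries a trailing space in the template output; harmless to Postfix, but worth trimming while the file is being touched.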
roles/mail_server/molecule/default/tests/test_default.py
 
@@ -233,13 +233,13 @@ def test_postfix_delivery_to_dovecot(host):
 
    """
 
    Tests if mail received by Postfix is properly delivered to Dovecot.
 
    """
 

	
 
    hostname = host.run('hostname').stdout.strip()
 

	
 
    message_id = str(uuid.uuid4())
 
    message_id = "%s@localhost" % str(uuid.uuid4())
 

	
 
    # Virtual account.
 
    send = host.run('swaks --header %s --suppress-data --to john.doe@domain1 --server %s', "Message-Id: <%s>" % message_id, hostname)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
@@ -510,13 +510,13 @@ def test_smtp_tls_connectivity(host):
 
def test_postfix_local_delivery(host):
 
    """
 
    Tests if mail received by Postfix is properly delivered to local
 
    account's mail spool.
 
    """
 

	
 
    message_id = str(uuid.uuid4())
 
    message_id = "%s@localhost" % str(uuid.uuid4())
 

	
 
    send = host.run('swaks --header %s --suppress-data --to localuser@localhost --server localhost', "Message-Id: <%s>" % message_id)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 
@@ -539,13 +539,13 @@ def test_postfix_sends_mails_without_tls_when_unavailable(host):
 

	
 
    # Verify that the remote host refuses to accept mails over TLS first.
 
    send = host.run('swaks --tls --suppress-data --to root@smtp-server-refusing-tls --server smtp-server-refusing-tls')
 
    assert send.rc == 29
 
    assert "Host did not advertise STARTTLS" in send.stderr
 

	
 
    message_id = str(uuid.uuid4())
 
    message_id = "%s@localhost" % str(uuid.uuid4())
 
    send = host.run('swaks --header %s --suppress-data --to root@smtp-server-refusing-tls --server localhost', "Message-Id: <%s>" % message_id)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 

	
 
@@ -567,13 +567,13 @@ def test_postfix_sends_mails_over_tls_when_available(host):
 

	
 
    # Verify that the remote host refuses to accept mails without TLS first.
 
    send = host.run('swaks --suppress-data --to root@smtp-server-requiring-tls --server smtp-server-requiring-tls')
 
    assert send.rc == 23
 
    assert "Must issue a STARTTLS command first" in send.stdout
 

	
 
    message_id = str(uuid.uuid4())
 
    message_id = "%s@localhost" % str(uuid.uuid4())
 
    send = host.run('swaks --tls --header %s --suppress-data --to root@smtp-server-requiring-tls --server localhost', "Message-Id: <%s>" % message_id)
 
    assert send.rc == 0
 

	
 
    with host.sudo():
 
        mail_log = host.file('/var/log/mail.log')
 

	
 
@@ -676,12 +676,73 @@ def test_smtp_default_port_tls_version_and_ciphers(host):
 
            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_RSA_WITH_SEED_CBC_SHA',
 
        ],
 
        "bullseye": [
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM',
 
            'TLS_DHE_RSA_WITH_AES_128_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM',
 
            'TLS_DHE_RSA_WITH_AES_256_CCM_8',
 
            'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_DHE_RSA_WITH_SEED_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_128_GCM_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_AES_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_AES_256_GCM_SHA384',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_DH_anon_WITH_SEED_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384',
 
            'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
 
            'TLS_ECDH_anon_WITH_AES_128_CBC_SHA',
 
            'TLS_ECDH_anon_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA',
 
            'TLS_RSA_WITH_AES_128_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_128_CCM',
 
            'TLS_RSA_WITH_AES_128_CCM_8',
 
            'TLS_RSA_WITH_AES_128_GCM_SHA256',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA',
 
            'TLS_RSA_WITH_AES_256_CBC_SHA256',
 
            'TLS_RSA_WITH_AES_256_CCM',
 
            'TLS_RSA_WITH_AES_256_CCM_8',
 
            'TLS_RSA_WITH_AES_256_GCM_SHA384',
 
            'TLS_RSA_WITH_ARIA_128_GCM_SHA256',
 
            'TLS_RSA_WITH_ARIA_256_GCM_SHA384',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA',
 
            'TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256',
 
            'TLS_RSA_WITH_SEED_CBC_SHA',
 
        ]
 
    }
 

	
 
    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]
 

	
 
    # Run the nmap scanner against the server, and fetch the results.
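Review bot: The new `"bullseye"` expectation list codifies that port 25 advertises anonymous suites (`TLS_DH_anon_*`, `TLS_ECDH_anon_*`) alongside SEED, ARIA and CAMELLIA CBC suites, but nothing in the dict says whether that is the accepted opportunistic-TLS posture or a baseline someone should tighten. If the role intentionally leaves aNULL enabled on port 25, a comment above the dict such as `# Per-release suites expected on port 25 (opportunistic TLS); anonymous suites are expected here, tighten only if the role changes smtpd_tls_* defaults` keeps a later reader from either "fixing" the server or loosening the test to make a scan pass. In the four message_id hunks in this file and the one in test_optional.py, `"%s@localhost" % str(uuid.uuid4())` wraps the value in `str()` that `%s` already performs; `"%s@localhost" % uuid.uuid4()` is equivalent. The dict closes at the end of this hunk but `test_smtp_default_port_tls_version_and_ciphers` and its assertions continue past it.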
roles/mail_server/molecule/default/tests/test_optional.py
 
@@ -51,13 +51,13 @@ def test_postfix_main_cf_file_content(host):
 

	
 
def test_local_aliases(host):
 
    """
 
    Tests if local aliases are configured correctly.
 
    """
 

	
 
    message_id = str(uuid.uuid4())
 
    message_id = "%s@localhost" % str(uuid.uuid4())
 

	
 
    send = host.run('swaks --header %s --suppress-data --to root@localhost', "Message-Id: <%s>" % message_id)
 
    time.sleep(1)
 
    assert send.rc == 0
 

	
 
    with host.sudo():