Files
@ 17cf34f73ca6
Branch filter:
Location: majic-ansible-roles/roles/mail_server/tests/test_default.py
17cf34f73ca6
10.5 KiB
text/x-python
MAR-28: Implemented additional tests for mail_server role:
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
- Deploy a number of tools on clients in order to test SMTP, IMAP, and Sieve
services.
- Added one more user to LDAP directory for testing group restrictions.
- Deploy CA certificate on all testing machines for TLS validation purposes.
- Use different custom-configured cipher for mail server ciphers.
- Fixed invalid postmaster address for parameters-optional host.
- Deploy configuration files for use with Imap-CLI on client test machines.
- Updated testing of SMTP server to include checks for users that do not belong
to mail group.
- Extended some SMTP-related tests to cover both test servers.
- Some small fixes in SMTP-related tests for expected output from commands.
- Implemented tests covering Dovecot (IMAP + Sieve) functionality.
- Implemented tests for running/enabled services.
- Implemented tests for ClamAV.
- Implemented tests for firewall and connectivity.
- Implemented tests for Postfix TLS configuration.
- TODO: Tests for Sieve TLS configuration have not been written yet due to
limitation of available tools.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 | import re
import testinfra.utils.ansible_runner
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
'.molecule/ansible_inventory').get_hosts(['parameters-mandatory', 'parameters-optiona'])
def test_installed_packages(Package):
"""
Tests if the necessary packages have been installed.
"""
assert Package('rsync').is_installed
assert Package('dovecot-imapd').is_installed
assert Package('dovecot-ldap').is_installed
assert Package('dovecot-sieve').is_installed
assert Package('dovecot-managesieved').is_installed
assert Package('postfix').is_installed
assert Package('postfix-ldap').is_installed
assert Package('swaks').is_installed
assert Package('clamav-milter').is_installed
def test_removed_packages(Package):
"""
Tests if certain packages have been removed from the system.
"""
assert not Package('exim4').is_installed
def test_postfix_user(User):
"""
Tests if Postfix user has been added to correct group for traversing the TLS
private key directory.
"""
assert "ssl-cert" in User('postfix').groups
def test_dovecot_user(User):
"""
Tests if Dovecot user has been added to correct group for traversing the TLS
private key directory.
"""
assert "ssl-cert" in User('dovecot').groups
def test_clamav_milter_configuration(File):
"""
Tests if ClamAV Milter configuration has been deployed correctly.
"""
config = File('/etc/clamav/clamav-milter.conf')
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o644
def test_clamav_milter(Command):
"""
Tests if ClamAV milter is blocking viruses.
"""
server_did_not_accept_mail = 26
eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
send_mail = Command("swaks --to john.doe@domain1 --server localhost --attach '%s'" % eicar)
assert send_mail.rc == server_did_not_accept_mail
assert 'Your message has been rejected due to a possible virus' in send_mail.stdout
def test_postfix_chroot_directories(File):
"""
Tests if Postfix chroot directories have been set-up with correct
permissions.
"""
directory = File('/var/spool/postfix/var')
assert directory.is_directory
assert directory.user == 'root'
assert directory.group == 'root'
assert directory.mode == 0o755
directory = File('/var/spool/postfix/var/run')
assert directory.is_directory
assert directory.user == 'root'
assert directory.group == 'root'
assert directory.mode == 0o755
directory = File('/var/spool/postfix/var/run/clamav')
assert directory.is_directory
assert directory.user == 'clamav'
assert directory.group == 'clamav'
assert directory.mode == 0o755
def test_ldap_tls_truststore_file(File):
"""
Tests if the LDAP TLS truststore file has been deployed correctly.
"""
tls_file = File('/etc/ssl/certs/mail_ldap_tls_truststore.pem')
assert tls_file.is_file
assert tls_file.user == 'root'
assert tls_file.group == 'root'
assert tls_file.mode == 0o644
assert tls_file.content == open("tests/data/x509/ca.cert.pem", "r").read().rstrip()
tls_file = File('/var/spool/postfix/etc/ssl/certs/mail_ldap_tls_truststore.pem')
assert tls_file.is_file
assert tls_file.user == 'root'
assert tls_file.group == 'root'
assert tls_file.mode == 0o644
assert tls_file.content == open("tests/data/x509/ca.cert.pem", "r").read().rstrip()
def test_mailname_file(File):
"""
Tests the system mail name file permissions.
"""
mailname = File('/etc/mailname')
assert mailname.is_file
assert mailname.user == 'root'
assert mailname.group == 'root'
assert mailname.mode == 0o644
def test_postfix_ldap_configuration_files(File):
"""
Tests if Postfix LDAP configuration files have been deployed correctly.
"""
for config_file_path in ['/etc/postfix/ldap-virtual-alias-maps.cf',
'/etc/postfix/ldap-virtual-mailbox-domains.cf',
'/etc/postfix/ldap-virtual-mailbox-maps.cf']:
config = File(config_file_path)
assert config.is_file
assert config.user == 'root'
assert config.group == 'postfix'
assert config.mode == 0o640
def test_postfix_ldap_configuration(Command, Sudo):
"""
Tests if LDAP configuration can be used to fetch correct query results.
"""
with Sudo():
# Test for valid domains.
command = Command("postmap -q domain1 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf")
assert command.rc == 0
assert command.stdout == "domain1"
command = Command("postmap -q domain2 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf")
assert command.rc == 0
assert command.stdout == "domain2"
# Test for invalid domains.
command = Command("postmap -q domain3 ldap:/etc/postfix/ldap-virtual-mailbox-domains.cf")
assert command.rc == 1
assert command.stdout == ""
# Test for valid mail addresses.
command = Command("postmap -q 'john.doe@domain1' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf")
assert command.rc == 0
assert command.stdout == 'john.doe@domain1'
command = Command("postmap -q 'jane.doe@domain2' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf")
assert command.rc == 0
assert command.stdout == 'jane.doe@domain2'
# Test for invalid mail addresses.
command = Command("postmap -q 'jane.doe@domain1' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf")
assert command.rc == 1
assert command.stdout == ''
command = Command("postmap -q 'john.doe@domain2' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf")
assert command.rc == 1
assert command.stdout == ''
# Test for valid mail address that's not allowed by LDAP group membership.
command = Command("postmap -q 'nomail@domain1' ldap:/etc/postfix/ldap-virtual-mailbox-maps.cf")
assert command.rc == 1
assert command.stdout == ''
# Test for valid mail aliases.
command = Command("postmap -q postmaster@domain1 ldap:/etc/postfix/ldap-virtual-alias-maps.cf")
assert command.rc == 0
assert command.stdout == "john.doe@domain1"
command = Command("postmap -q webmaster@domain2 ldap:/etc/postfix/ldap-virtual-alias-maps.cf")
assert command.rc == 0
assert command.stdout == "jane.doe@domain2"
# Test for invalid mail aliases.
command = Command("postmap -q postmaster@domain2 ldap:/etc/postfix/ldap-virtual-alias-maps.cf")
assert command.rc == 1
assert command.stdout == ""
command = Command("postmap -q webmaster@domain1 ldap:/etc/postfix/ldap-virtual-alias-maps.cf")
assert command.rc == 1
assert command.stdout == ""
def test_postfix_main_cf_file(File):
"""
Tests Postfix main configuration file permissions.
"""
config = File('/etc/postfix/main.cf')
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o644
def test_postfix_delivery_to_dovecot(Command, File, Sudo):
"""
Tests if mail received by Postfix is properly delivered to Dovecot.
"""
# Virtual account.
send = Command('swaks --suppress-data --to john.doe@domain1 --server parameters-mandatory')
assert send.rc == 0
message_id = re.search('Ok: queued as (.*)', send.stdout).group(1)
with Sudo():
mail_log = File('/var/log/mail.log')
pattern = "dovecot: lda\(john.doe@domain1\): msgid=<[^.]*.%s@[^>]*>: saved mail to INBOX" % message_id
assert re.search(pattern, mail_log.content) is not None
def test_dovecot_system_authentication_is_disabled(File):
"""
Tests if Dovecot system-based authentication has been disabled.
"""
config = File("/etc/dovecot/conf.d/10-auth.conf")
assert "!include auth-system.conf.ext" not in config.content
def test_dovecot_overrides_configuration_file(File):
"""
Tests if Dovecot configuration file with overrides has been deployed and has
correct permissions.
"""
config = File("/etc/dovecot/conf.d/99-local.conf")
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o644
def test_dovecot_imap_ldap_configuration(Command, Sudo):
"""
Tests if Dovecot LDAP configuration is correct.
"""
with Sudo():
user_does_not_exist = 67
# Test for valid mail addresses.
command = Command("doveadm user john.doe@domain1")
assert command.rc == 0
command = Command("doveadm user jane.doe@domain2")
assert command.rc == 0
# Test for invalid mail addresses.
command = Command("doveadm user john.doe@domain2")
assert command.rc == user_does_not_exist
command = Command("doveadm user jane.doe@domain1")
assert command.rc == user_does_not_exist
# Test for mail addresses present in LDAP, but entry not in mail group.
command = Command("doveadm user nomail@domain1")
assert command.rc == user_does_not_exist
def test_postfix_master_file(File):
"""
Tests permissions for Postfix master.cf configuration file.
"""
config = File('/etc/postfix/master.cf')
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o644
def test_services(Service):
"""
Tests if all the mail-related servieces are up and running.
"""
for service_name in ["clamav-daemon",
"clamav-freshclam",
"clamav-milter",
"postfix",
"dovecot"]:
service = Service(service_name)
assert service.is_running
assert service.is_enabled
def test_clamav_database_presence(File):
"""
Tests if ClamAV database is present.
"""
for database_file in ["/var/lib/clamav/bytecode.cvd",
"/var/lib/clamav/daily.cld",
"/var/lib/clamav/main.cvd"]:
database = File(database_file)
assert database.is_file
def test_firewall_configuration_file(File, Sudo):
"""
Tests if firewall configuration file has been deployed correctly.
"""
with Sudo():
config = File('/etc/ferm/conf.d/20-mail.conf')
assert config.is_file
assert config.user == 'root'
assert config.group == 'root'
assert config.mode == 0o640
|