Files @ a48e04e52b25
Branch filter:

Location: majic-ansible-roles/roles/mail_server/molecule/default/tests/test_mandatory.py

a48e04e52b25 6.0 KiB text/x-python Show Annotation Show as Raw Download as Raw
branko
MAR-192: Added support for Debian 12 Bookworm to mail_server role:

- Allow use of older versions of TLS on Bookworm for testing of
related optional parameters.
- Install the IMAP CLI testing tool under its own virtual environment
in order to avoid warnings and errors when trying to install it
globally under Debian 12 Bookworm.
- Update the lists of expected TLS protocols and ciphers.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
import os

import defusedxml.ElementTree as ElementTree

import pytest

import testinfra.utils.ansible_runner


testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-mandatory')


def test_mailname_file_content(host):
    """
    Tests the system mail name file content.
    """

    mailname = host.file('/etc/mailname')
    hostname = host.run('hostname').stdout.strip()

    assert mailname.content_string == hostname


def test_postfix_main_cf_file_content(host):
    """
    Tests if the Postfix main configuration file content is correct.
    """

    hostname = host.run('hostname').stdout.strip()

    config = host.file('/etc/postfix/main.cf')
    config_lines = config.content_string.split("\n")

    assert "myhostname = %s" % hostname in config_lines
    assert "mydestination = %s, %s, localhost.localdomain, localhost" % (hostname, hostname) in config_lines
    assert "mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128" in config_lines
    assert "smtpd_tls_cert_file = /etc/ssl/certs/%s_smtp.pem" % hostname in config_lines
    assert "smtpd_tls_key_file = /etc/ssl/private/%s_smtp.key" % hostname in config_lines
    assert "reject_rbl" not in config_lines
    assert "smtp_host_lookup = dns, native" in config_lines


def test_dovecot_mailbox_directories(host):
    """
    Tests if mailbox directories are created correctly.
    """

    # Deliver two mails in order to make sure the directory structure is
    # created.
    send = host.run('swaks --suppress-data --to john.doe@domain1 --server localhost')
    assert send.rc == 0
    send = host.run('swaks --suppress-data --to jane.doe@domain2 --server localhost')
    assert send.rc == 0

    with host.sudo():

        for directory_path in ["/var/vmail/domain1",
                               "/var/vmail/domain1/john.doe",
                               "/var/vmail/domain1/john.doe/Maildir",
                               "/var/vmail/domain2",
                               "/var/vmail/domain2/jane.doe",
                               "/var/vmail/domain2/jane.doe/Maildir"]:

            directory = host.file(directory_path)

            assert directory.is_directory
            assert directory.user == "vmail"
            assert directory.group == "vmail"
            assert directory.mode == 0o700


def test_mail_owner(host):
    """
    Tests creation of mail owner group and user.
    """

    group = host.group("vmail")
    assert group.exists
    assert group.gid == 1003

    user = host.user("vmail")
    assert user.exists
    assert user.uid == 1003
    assert user.home == "/var/vmail"
    assert user.group == "vmail"
    assert user.groups == ["vmail"]


@pytest.mark.parametrize("port", [
    143,
    993,
    587,
])
def test_imap_and_smtp_submission_tls_version_and_ciphers(host, port):
    """
    Tests if the correct TLS version and ciphers have been enabled for
    IMAP and SMTP submission.
    """

    distribution_release = host.ansible("setup")["ansible_facts"]["ansible_distribution_release"]

    if distribution_release == "bullseye":
        expected_tls_versions = ["TLSv1.2"]
        expected_tls_ciphers = [
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        ]

    else:
        expected_tls_versions = ["TLSv1.2", "TLSv1.3"]
        expected_tls_ciphers = [
            "TLS_AKE_WITH_AES_128_GCM_SHA256",
            "TLS_AKE_WITH_AES_256_GCM_SHA384",
            "TLS_AKE_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        ]

    # Run the nmap scanner against the server, and fetch the results.
    nmap = host.run("nmap -sV --script ssl-enum-ciphers -p %s localhost -oX /tmp/report.xml", str(port))
    assert nmap.rc == 0
    report_content = host.file('/tmp/report.xml').content_string

    report_root = ElementTree.fromstring(report_content)

    tls_versions = []
    tls_ciphers = set()

    for child in report_root.findall("./host/ports/port/script/table"):
        tls_versions.append(child.attrib['key'])

    for child in report_root.findall(".//table[@key='ciphers']/table/elem[@key='name']"):
        tls_ciphers.add(child.text)

    tls_versions.sort()
    tls_ciphers = sorted(list(tls_ciphers))

    assert tls_versions == expected_tls_versions
    assert tls_ciphers == expected_tls_ciphers


def test_dovecot_postmaster(host):
    """
    Tests if Dovecot postmaster has been correctly configured.
    """

    with host.sudo():

        config = host.run("doveadm config")
        assert config.rc == 0
        assert "  postmaster_address = postmaster@" in config.stdout


def test_imap_max_user_connections_per_ip(host):
    """
    Tests if Dovecot per-user connection limit has been set-up correctly.
    """

    with host.sudo():

        config = host.run("doveadm config")

        assert config.rc == 0
        assert "  mail_max_userip_connections = 10" in config.stdout


def test_sieve_tls_configuration(host):
    """
    Tests TLS configuration for SIEVE in Dovecot
    """

    # @TODO: Currently not possible to test since nmap and openssl
    # s_client do not support STARTTLS for Sieve.
    pass


def test_mail_message_size_limit(host):
    """
    Tests if the mail message size limit advertised by the SMTP server
    is correct.
    """

    capabilities = host.run("(echo 'ehlo localhost' && sleep 2) | telnet localhost 25")
    begin = capabilities.stdout.find("250-SIZE")
    end = capabilities.stdout.find("\n", begin)
    mail_message_size_limit = capabilities.stdout[begin:end]

    assert mail_message_size_limit == "250-SIZE 10240000"
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.