PERMIT_DOCKER=none as new default value (#2424)

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>

test/mail_lmtp_ip.bats

@@ -5,13 +5,14 @@ setup_file() {
     PRIVATE_CONFIG="$(duplicate_config_for_container .)"
     PRIVATE_ETC="$(duplicate_config_for_container dovecot-lmtp/ mail_lmtp_ip_dovecot-lmtp)"
     docker run -d --name mail_lmtp_ip \
-		-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-		-v "${PRIVATE_ETC}":/etc/dovecot \
-		-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-		-e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
-		-e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
-		-e DMS_DEBUG=0 \
-		-h mail.my-domain.com -t "${NAME}"
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "${PRIVATE_ETC}":/etc/dovecot \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e DMS_DEBUG=0 \
+    -e ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 \
+    -e POSTFIX_DAGENT=lmtp:127.0.0.1:24 \
+    -e PERMIT_DOCKER=container \
+    -h mail.my-domain.com -t "${NAME}"
     wait_for_finished_setup_in_container mail_lmtp_ip
 }
 

test/mail_pop3.bats

@@ -4,11 +4,12 @@ function setup_file() {
     local PRIVATE_CONFIG
     PRIVATE_CONFIG="$(duplicate_config_for_container .)"
     docker run -d --name mail_pop3 \
-		-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-		-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-		-e ENABLE_POP3=1 \
-		-e DMS_DEBUG=0 \
-		-h mail.my-domain.com -t "${NAME}"
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e DMS_DEBUG=0 \
+    -e ENABLE_POP3=1 \
+    -e PERMIT_DOCKER=container \
+    -h mail.my-domain.com -t "${NAME}"
 
     wait_for_finished_setup_in_container mail_pop3
 }

test/mail_spam_bounced.bats

@@ -27,6 +27,7 @@ function setup_file() {
   # shellcheck disable=SC2034
   local TEST_DOCKER_ARGS=(
     --env ENABLE_SPAMASSASSIN=1
+    --env PERMIT_DOCKER=container
     --env SPAMASSASSIN_SPAM_TO_INBOX=0
   )
 

test/mail_spam_junk_folder.bats

@@ -11,9 +11,10 @@ load 'test_helper/common'
               -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
               -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
               -e ENABLE_SPAMASSASSIN=1 \
-              -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
               -e MOVE_SPAM_TO_JUNK=1 \
+              -e PERMIT_DOCKER=container \
               -e SA_SPAM_SUBJECT="SPAM: " \
+              -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
               -h mail.my-domain.com -t "${NAME}"
 
   teardown() { docker rm -f mail_spam_moved_junk; }
@@ -39,9 +40,10 @@ load 'test_helper/common'
             -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
             -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
             -e ENABLE_SPAMASSASSIN=1 \
-            -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
             -e MOVE_SPAM_TO_JUNK=0 \
+            -e PERMIT_DOCKER=container \
             -e SA_SPAM_SUBJECT="SPAM: " \
+            -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
             -h mail.my-domain.com -t "${NAME}"
 
   teardown() { docker rm -f mail_spam_moved_new; }

test/mail_ssl_letsencrypt.bats

@@ -50,6 +50,7 @@ function teardown() {
 
   local TEST_DOCKER_ARGS=(
     --volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
+    --env PERMIT_DOCKER='container'
     --env SSL_TYPE='letsencrypt'
   )
 
@@ -69,6 +70,7 @@ function teardown() {
 
   local TEST_DOCKER_ARGS=(
     --volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
+    --env PERMIT_DOCKER='container'
     --env SSL_TYPE='letsencrypt'
   )
 
@@ -107,9 +109,10 @@ function teardown() {
     # shellcheck disable=SC2034
     local TEST_DOCKER_ARGS=(
       --volume "${TEST_TMP_CONFIG}/letsencrypt/acme.json:/etc/letsencrypt/acme.json:ro"
-      --env SSL_TYPE='letsencrypt'
-      --env SSL_DOMAIN='*.example.test'
       --env DMS_DEBUG=1
+      --env PERMIT_DOCKER='container'
+      --env SSL_DOMAIN='*.example.test'
+      --env SSL_TYPE='letsencrypt'
     )
 
     common_container_setup 'TEST_DOCKER_ARGS'

test/mail_with_imap.bats

@@ -5,14 +5,15 @@ setup_file() {
     local PRIVATE_CONFIG
     PRIVATE_CONFIG="$(duplicate_config_for_container .)"
     docker run -d --name mail_with_imap \
-		-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-		-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-		-e ENABLE_SASLAUTHD=1 \
-		-e SASLAUTHD_MECHANISMS=rimap \
-		-e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \
-		-e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
-		-e DMS_DEBUG=0 \
-		-h mail.my-domain.com -t "${NAME}"
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e DMS_DEBUG=0 \
+    -e ENABLE_SASLAUTHD=1 \
+    -e POSTMASTER_ADDRESS=postmaster@localhost.localdomain \
+    -e SASLAUTHD_MECH_OPTIONS=127.0.0.1 \
+    -e SASLAUTHD_MECHANISMS=rimap \
+    -e PERMIT_DOCKER=container \
+    -h mail.my-domain.com -t "${NAME}"
     wait_for_smtp_port_in_container mail_with_imap
 }
 

test/mail_with_ldap.bats

@@ -28,26 +28,27 @@ function setup_file() {
   docker run -d --name mail_with_ldap \
     -v "${PRIVATE_CONFIG}:/tmp/docker-mailserver" \
     -v "$(pwd)/test/test-files:/tmp/docker-mailserver-test:ro" \
-    -e SPOOF_PROTECTION=1 \
+    -e DMS_DEBUG=0 \
+    -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
+    -e DOVECOT_TLS=no \
+    -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
     -e ENABLE_LDAP=1 \
-    -e LDAP_SERVER_HOST=ldap \
-    -e LDAP_START_TLS=no \
-    -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
+    -e ENABLE_SASLAUTHD=1 \
     -e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
     -e LDAP_BIND_PW=admin \
-    -e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
-    -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
     -e LDAP_QUERY_FILTER_ALIAS="(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))" \
     -e LDAP_QUERY_FILTER_DOMAIN="(|(&(mail=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailGroupMember=*@%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE))(&(mailalias=*@%s)(objectClass=PostfixBookMailForward)))" \
+    -e LDAP_QUERY_FILTER_GROUP="(&(mailGroupMember=%s)(mailEnabled=TRUE))" \
     -e LDAP_QUERY_FILTER_SENDERS="(|(&(mail=%s)(mailEnabled=TRUE))(&(mailGroupMember=%s)(mailEnabled=TRUE))(|(&(mailAlias=%s)(objectClass=PostfixBookMailForward))(&(mailAlias=%s)(objectClass=PostfixBookMailAccount)(mailEnabled=TRUE)))(uniqueIdentifier=some.user.id))" \
-    -e DOVECOT_TLS=no \
-    -e DOVECOT_PASS_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-    -e DOVECOT_USER_FILTER="(&(objectClass=PostfixBookMailAccount)(uniqueIdentifier=%n))" \
-    -e REPORT_RECIPIENT=1 \
-    -e ENABLE_SASLAUTHD=1 \
-    -e SASLAUTHD_MECHANISMS=ldap \
+    -e LDAP_QUERY_FILTER_USER="(&(mail=%s)(mailEnabled=TRUE))" \
+    -e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
+    -e LDAP_SERVER_HOST=ldap \
+    -e LDAP_START_TLS=no \
+    -e PERMIT_DOCKER=container \
     -e POSTMASTER_ADDRESS="postmaster@${FQDN_LOCALHOST_A}" \
-    -e DMS_DEBUG=0 \
+    -e REPORT_RECIPIENT=1 \
+    -e SASLAUTHD_MECHANISMS=ldap \
+    -e SPOOF_PROTECTION=1 \
     -e SSL_TYPE='snakeoil' \
     --network "${DMS_TEST_NETWORK}" \
     --hostname "${FQDN_MAIL}" \
@@ -190,14 +191,14 @@ function teardown_file() {
   assert_failure
 }
 
-@test "checking spoofing: rejects sender forging" {
+@test "checking spoofing (with LDAP): rejects sender forging" {
   wait_for_smtp_port_in_container_to_respond mail_with_ldap
   run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
   assert_success
 }
 
 # ATTENTION: these tests must come after "checking dovecot: ldap mail delivery works" since they will deliver an email which skews the count in said test, leading to failure
-@test "checking spoofing: accepts sending as alias" {
+@test "checking spoofing: accepts sending as alias (with LDAP)" {
   run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
   assert_success
 }

test/mail_with_postgrey.bats

@@ -6,13 +6,14 @@ function setup_file() {
     docker run -d --name mail_with_postgrey \
               -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
               -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+              -e DMS_DEBUG=0 \
+              -e ENABLE_DNSBL=1 \
               -e ENABLE_POSTGREY=1 \
+              -e PERMIT_DOCKER=container \
+              -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
               -e POSTGREY_DELAY=15 \
               -e POSTGREY_MAX_AGE=35 \
-              -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
               -e POSTGREY_TEXT="Delayed by Postgrey" \
-              -e ENABLE_DNSBL=1 \
-              -e DMS_DEBUG=0 \
               -h mail.my-domain.com -t "${NAME}"
     # using postfix availability as start indicator, this might be insufficient for postgrey
     wait_for_smtp_port_in_container mail_with_postgrey

test/tests.bats

@@ -19,9 +19,9 @@ setup_file() {
     -e ENABLE_MANAGESIEVE=1 \
     -e ENABLE_QUOTAS=1 \
     -e ENABLE_SPAMASSASSIN=1 \
-    -e SPAMASSASSIN_SPAM_TO_INBOX=0 \
     -e ENABLE_SRS=1 \
     -e ENABLE_UPDATE_CHECK=0 \
+    -e PERMIT_DOCKER=container \
     -e PERMIT_DOCKER=host \
     -e REPORT_RECIPIENT=user1@localhost.localdomain \
     -e REPORT_SENDER=report1@mail.my-domain.com \
@@ -30,6 +30,7 @@ setup_file() {
     -e SA_TAG=-5.0 \
     -e SA_TAG2=2.0 \
     -e SASL_PASSWD="external-domain.com username:password" \
+    -e SPAMASSASSIN_SPAM_TO_INBOX=0 \
     -e SPOOF_PROTECTION=1 \
     -e SSL_TYPE='snakeoil' \
     -e VIRUSMAILS_DELETE_DELAY=7 \