tests: Use swaks instead of nc for sending mail (#3732)

See associated `CHANGELOG.md` entry for details.

---------

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Georg Lauterbach 2024-01-03 01:17:54 +01:00 committed by GitHub
parent 0889b0ff06
commit 9e81517fe3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
119 changed files with 355 additions and 455 deletions


@ -24,11 +24,13 @@ function teardown_file() { _default_teardown ; }
}
@test 'authentication works' {
_send_email 'auth/pop3-auth' '-w 1 0.0.0.0 110'
_nc_wrapper 'auth/pop3-auth' '-w 1 0.0.0.0 110'
assert_success
}
@test 'added user authentication works' {
_send_email 'auth/added-pop3-auth' '-w 1 0.0.0.0 110'
_nc_wrapper 'auth/added-pop3-auth' '-w 1 0.0.0.0 110'
assert_success
}
@test '/var/log/mail/mail.log is error-free' {
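Review bot: Both POP3 tests check only `assert_success` after `_nc_wrapper`, which (assuming the wrapper simply pipes the template into `nc`) reflects nc's exit status rather than whether the server accepted the login. A rejected login would likely still leave these "authentication works" tests green. Consider following each call with an assertion on the server reply, e.g. `assert_output --partial 'Logged in'` (confirm the exact string Dovecot returns). The same applies to the IMAP `_nc_wrapper` tests in the other files of this commit.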


@ -21,7 +21,8 @@ function setup_file() {
function teardown_file() { _default_teardown ; }
@test '(Dovecot) LDAP RIMAP connection and authentication works' {
_send_email 'auth/imap-auth' '-w 1 0.0.0.0 143'
_nc_wrapper 'auth/imap-auth' '-w 1 0.0.0.0 143'
assert_success
}
@test '(SASLauthd) SASL RIMAP authentication works' {
@ -30,13 +31,30 @@ function teardown_file() { _default_teardown ; }
}
@test '(SASLauthd) RIMAP SMTP authentication works' {
_send_email 'auth/smtp-auth-login' '-w 5 0.0.0.0 25'
assert_output --partial 'Error: authentication not enabled'
_send_email \
--auth LOGIN \
--auth-user user1@localhost.localdomain \
--auth-password mypassword \
--quit-after AUTH
assert_failure
assert_output --partial 'Host did not advertise authentication'
_send_email 'auth/smtp-auth-login' '-w 5 0.0.0.0 465'
_send_email \
--port 465 \
--auth LOGIN \
--auth-user user1@localhost.localdomain \
--auth-password mypassword \
--quit-after AUTH
assert_success
assert_output --partial 'Authentication successful'
_send_email 'auth/smtp-auth-login' '-w 5 0.0.0.0 587'
_send_email \
--port 587 \
--auth LOGIN \
--auth-user user1@localhost.localdomain \
--auth-password mypassword \
--quit-after AUTH
assert_success
assert_output --partial 'Authentication successful'
}
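Review bot: The new `--port 465` and `--port 587` calls use `--auth LOGIN` but pass neither `-tlsc` nor `-tls`, so the test password is sent in cleartext on the submission ports. Presumably this container is deliberately set up without TLS (the replaced `nc` calls were plaintext too), but nothing in the test says so. The LDAP test file in this same commit uses `--port 465 -tlsc` and `--port 587 -tls` for the equivalent checks, which makes the difference look accidental. I would add a comment above the first of these calls, such as `# NOTE: This container has no TLS configured, so AUTH on 465/587 is deliberately exercised over plaintext.`, or add the TLS flags if the setup supports them.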


@ -122,7 +122,6 @@ function setup_file() {
# Extra ENV needed to support specific test-cases:
local ENV_SUPPORT=(
--env PERMIT_DOCKER=container # Required for attempting SMTP auth on port 25 via nc
# Required for openssl commands to be successul:
# NOTE: snakeoil cert is created (for `docker-mailserver.invalid`) via Debian post-install script for Postfix package.
# TODO: Use proper TLS cert
@ -249,7 +248,7 @@ function teardown() {
# dovecot
@test "dovecot: ldap imap connection and authentication works" {
_run_in_container_bash 'nc -w 1 0.0.0.0 143 < /tmp/docker-mailserver-test/auth/imap-ldap-auth.txt'
_nc_wrapper 'auth/imap-ldap-auth' '-w 1 0.0.0.0 143'
assert_success
}
@ -327,12 +326,25 @@ function teardown() {
@test "spoofing (with LDAP): rejects sender forging" {
_wait_for_smtp_port_in_container_to_respond dms-test_ldap
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt'
_send_email \
--port 465 -tlsc --auth LOGIN \
--auth-user some.user@localhost.localdomain \
--auth-password secret \
--ehlo mail \
--from ldap@localhost.localdomain \
--data 'auth/ldap-smtp-auth-spoofed'
assert_output --partial 'Sender address rejected: not owned by user'
}
@test "spoofing (with LDAP): accepts sending as alias" {
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt'
_send_email \
--port 465 -tlsc --auth LOGIN \
--auth-user some.user@localhost.localdomain \
--auth-password secret \
--ehlo mail \
--from postmaster@localhost.localdomain \
--to some.user@localhost.localdomain \
--data 'auth/ldap-smtp-auth-spoofed-alias'
assert_output --partial 'End data with'
}
@ -341,19 +353,42 @@ function teardown() {
# Template used has invalid AUTH: https://github.com/docker-mailserver/docker-mailserver/pull/3006#discussion_r1073321432
skip 'TODO: This test seems to have been broken from the start (?)'
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-sender-with-filter-exception.txt'
_send_email \
--port 465 -tlsc --auth LOGIN \
--auth-user some.user.email@localhost.localdomain \
--auth-password secret \
--ehlo mail \
--from randomspoofedaddress@localhost.localdomain \
--to some.user@localhost.localdomain \
--data 'auth/ldap-smtp-auth-spoofed-sender-with-filter-exception'
assert_output --partial 'Sender address rejected: not owned by user'
}
@test "saslauthd: ldap smtp authentication" {
# Requires ENV `PERMIT_DOCKER=container`
_send_email 'auth/sasl-ldap-smtp-auth' '-w 5 0.0.0.0 25'
assert_output --partial 'Error: authentication not enabled'
_send_email \
--auth LOGIN \
--auth-user some.user@localhost.localdomain \
--auth-password wrongpassword \
--quit-after AUTH
assert_failure
assert_output --partial 'Host did not advertise authentication'
_run_in_container_bash 'openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
_send_email \
--port 465 -tlsc \
--auth LOGIN \
--auth-user some.user@localhost.localdomain \
--auth-password secret \
--quit-after AUTH
assert_success
assert_output --partial 'Authentication successful'
_run_in_container_bash 'openssl s_client -quiet -starttls smtp -connect 0.0.0.0:587 < /tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt'
_send_email \
--port 587 -tls \
--auth LOGIN \
--auth-user some.user@localhost.localdomain \
--auth-password secret \
--quit-after AUTH
assert_success
assert_output --partial 'Authentication successful'
}
@ -391,7 +426,7 @@ function _should_successfully_deliver_mail_to() {
local SENDER_ADDRESS='user@external.tld'
local RECIPIENT_ADDRESS=${1:?Recipient address is required}
local MAIL_STORAGE_RECIPIENT=${2:?Recipient storage location is required}
local MAIL_TEMPLATE='/tmp/docker-mailserver-test/email-templates/test-email.txt'
local MAIL_TEMPLATE='/tmp/docker-mailserver-test/emails/test-email.txt'
_run_in_container_bash "sendmail -f ${SENDER_ADDRESS} ${RECIPIENT_ADDRESS} < ${MAIL_TEMPLATE}"
_wait_for_empty_mail_queue_in_container
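Review bot: In "spoofing (with LDAP): accepts sending as alias" the only check is `assert_output --partial 'End data with'`, so the test passes as soon as the server answers DATA, even if the message is refused afterwards or `_send_email` exits non-zero. The non-LDAP counterpart in this commit pairs that check with `assert_success`; add the same line before the output assertion here. Likewise, the "rejects sender forging" tests (here and in the non-LDAP file) could add `assert_failure` before matching 'Sender address rejected: not owned by user'. That assumes `_send_email` propagates the swaks exit status, as the port 25 checks with `assert_failure` suggest.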


@ -13,7 +13,7 @@ setup_file() {
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_smtponly_second_network)
docker create --name mail_smtponly_second_network \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/files":/tmp/docker-mailserver-test:ro \
-e SMTP_ONLY=1 \
-e PERMIT_DOCKER=connected-networks \
-e OVERRIDE_HOSTNAME=mail.my-domain.com \
@ -26,7 +26,7 @@ setup_file() {
PRIVATE_CONFIG=$(duplicate_config_for_container . mail_smtponly_second_network_sender)
docker run -d --name mail_smtponly_second_network_sender \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/files":/tmp/docker-mailserver-test:ro \
-e SMTP_ONLY=1 \
-e PERMIT_DOCKER=connected-networks \
-e OVERRIDE_HOSTNAME=mail.my-domain.com \
@ -39,7 +39,7 @@ setup_file() {
# create another container that enforces authentication even on local connections
docker run -d --name mail_smtponly_force_authentication \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/files":/tmp/docker-mailserver-test:ro \
-e SMTP_ONLY=1 \
-e PERMIT_DOCKER=none \
-e OVERRIDE_HOSTNAME=mail.my-domain.com \
@ -68,7 +68,7 @@ teardown_file() {
_reload_postfix mail_smtponly_second_network
# we should be able to send from the other container on the second network!
run docker exec mail_smtponly_second_network_sender /bin/sh -c "nc mail_smtponly_second_network 25 < /tmp/docker-mailserver-test/email-templates/smtp-only.txt"
run docker exec mail_smtponly_second_network_sender /bin/sh -c "nc mail_smtponly_second_network 25 < /tmp/docker-mailserver-test/emails/nc_raw/smtp-only.txt"
assert_output --partial "250 2.0.0 Ok: queued as "
repeat_in_container_until_success_or_timeout 60 mail_smtponly_second_network /bin/sh -c 'grep -cE "to=<user2\@external.tld>.*status\=sent" /var/log/mail/mail.log'
}
@ -80,7 +80,7 @@ teardown_file() {
_reload_postfix mail_smtponly_force_authentication
# the mailserver should require authentication and a protocol error should occur when using TLS
run docker exec mail_smtponly_force_authentication /bin/sh -c "nc localhost 25 < /tmp/docker-mailserver-test/email-templates/smtp-only.txt"
run docker exec mail_smtponly_force_authentication /bin/sh -c "nc localhost 25 < /tmp/docker-mailserver-test/emails/nc_raw/smtp-only.txt"
assert_output --partial "550 5.5.1 Protocol error"
[[ ${status} -ge 0 ]]
}


@ -171,7 +171,7 @@ BATS_TEST_NAME_PREFIX='test helper functions:'
# enable ClamAV to make message delivery slower, so we can detect it
CONTAINER_NAME=$(docker run -d --rm \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/files":/tmp/docker-mailserver-test:ro \
-e ENABLE_CLAMAV=1 \
-h mail.my-domain.com \
-t "${NAME}")
@ -186,7 +186,7 @@ BATS_TEST_NAME_PREFIX='test helper functions:'
[[ ${SECONDS} -lt 5 ]]
# fill the queue with a message
docker exec "${CONTAINER_NAME}" /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-virus.txt"
docker exec "${CONTAINER_NAME}" /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/emails/amavis-virus.txt"
# that should still be stuck in the queue
! TEST_TIMEOUT_IN_SECONDS=0 wait_for_empty_mail_queue_in_container "${CONTAINER_NAME}"
@ -203,7 +203,7 @@ BATS_TEST_NAME_PREFIX='test helper functions:'
# enable ClamAV to make message delivery slower, so we can detect it
CONTAINER_NAME=$(docker run -d --rm \
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-v "$(pwd)/test/files":/tmp/docker-mailserver-test:ro \
-e ENABLE_CLAMAV=1 \
-h mail.my-domain.com \
-t "${NAME}")
@ -213,7 +213,7 @@ BATS_TEST_NAME_PREFIX='test helper functions:'
wait_for_smtp_port_in_container "${CONTAINER_NAME}" || docker logs "${CONTAINER_NAME}"
# fill the queue with a message
docker exec "${CONTAINER_NAME}" /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-virus.txt"
docker exec "${CONTAINER_NAME}" /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/emails/amavis-virus.txt"
# give it some time to clear the queue
SECONDS=0


@ -80,11 +80,13 @@ function teardown_file() { _default_teardown ; }
}
@test "imap: authentication works" {
_send_email 'auth/imap-auth' '-w 1 0.0.0.0 143'
_nc_wrapper 'auth/imap-auth' '-w 1 0.0.0.0 143'
assert_success
}
@test "imap: added user authentication works" {
_send_email 'auth/added-imap-auth' '-w 1 0.0.0.0 143'
_nc_wrapper 'auth/added-imap-auth' '-w 1 0.0.0.0 143'
assert_success
}
#
@ -288,13 +290,34 @@ EOF
@test "spoofing: rejects sender forging" {
# rejection of spoofed sender
_wait_for_smtp_port_in_container_to_respond
_run_in_container_bash "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed.txt"
# An authenticated user cannot use an envelope sender (MAIL FROM)
# address they do not own according to `main.cf:smtpd_sender_login_maps` lookup
_send_email \
--port 465 -tlsc --auth LOGIN \
--auth-user added@localhost.localdomain \
--auth-password mypassword \
--ehlo mail \
--from user2@localhost.localdomain \
--data 'auth/added-smtp-auth-spoofed'
assert_output --partial 'Sender address rejected: not owned by user'
}
@test "spoofing: accepts sending as alias" {
_run_in_container_bash "openssl s_client -quiet -connect 0.0.0.0:465 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed-alias.txt | grep 'End data with'"
# An authenticated account should be able to send mail from an alias,
# Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/virtual
# The envelope sender address (MAIL FROM) is the lookup key
# to each table. Address is authorized when a result that maps to
# the DMS account is returned.
_send_email \
--port 465 -tlsc --auth LOGIN \
--auth-user user1@localhost.localdomain \
--auth-password mypassword \
--ehlo mail \
--from alias1@localhost.localdomain \
--data 'auth/added-smtp-auth-spoofed-alias'
assert_success
assert_output --partial 'End data with'
}
#


@ -20,7 +20,7 @@ function setup_file() {
function teardown_file() { _default_teardown ; }
@test 'should successfully deliver mail' {
_send_email 'email-templates/existing-user1'
_send_email --data 'existing/user1'
_wait_for_empty_mail_queue_in_container
# Should be successfully sent (received) by Postfix: