tests(chore): Move some serial tests into parallel sets

Additionally with the `tls.bash` helper for the `letsencrypt` tests.
2025-08-04 01:55:29 +02:00 · 2022-12-24 21:15:23 +13:00 · 2022-12-24 21:15:23 +13:00 · a81de22819
commit a81de22819
parent 26ac48f34a
13 changed files with 0 additions and 0 deletions
--- a/test/tests/parallel/set1/spam_virus/clamav.bats
+++ b/test/tests/parallel/set1/spam_virus/clamav.bats
--- a/test/tests/parallel/set1/spam_virus/disabled_clamav_spamassassin.bats
+++ b/test/tests/parallel/set1/spam_virus/disabled_clamav_spamassassin.bats
@ -0,0 +1,48 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+setup_file() {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+
+  docker run --rm -d --name mail_disabled_clamav_spamassassin \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_CLAMAV=0 \
+    -e ENABLE_SPAMASSASSIN=0 \
+    -e AMAVIS_LOGLEVEL=2 \
+    -h mail.my-domain.com -t "${NAME}"
+
+    # TODO: find a better way to know when we have waited long enough
+    #       for ClamAV to should have come up, if it were enabled
+    wait_for_smtp_port_in_container mail_disabled_clamav_spamassassin
+    docker exec mail_disabled_clamav_spamassassin /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/existing-user1.txt"
+}
+
+teardown_file() {
+    docker rm -f mail_disabled_clamav_spamassassin
+}
+
+@test "checking process: ClamAV (ClamAV disabled by ENABLED_CLAMAV=0)" {
+  run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
+  assert_failure
+}
+
+@test "checking spamassassin: should not be listed in amavis when disabled" {
+  run docker exec mail_disabled_clamav_spamassassin /bin/sh -c "grep -i 'ANTI-SPAM-SA code' /var/log/mail/mail.log | grep 'NOT loaded'"
+  assert_success
+}
+
+@test "checking ClamAV: should not be listed in amavis when disabled" {
+  run docker exec mail_disabled_clamav_spamassassin grep -i 'Found secondary av scanner ClamAV-clamscan' /var/log/mail/mail.log
+  assert_failure
+}
+
+@test "checking ClamAV: should not be called when disabled" {
+  run docker exec mail_disabled_clamav_spamassassin grep -i 'connect to /var/run/clamav/clamd.ctl failed' /var/log/mail/mail.log
+  assert_failure
+}
+
+@test "checking restart of process: ClamAV (ClamAV disabled by ENABLED_CLAMAV=0)" {
+  run docker exec mail_disabled_clamav_spamassassin /bin/bash -c "pkill -f clamd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'"
+  assert_failure
+}
--- a/test/tests/parallel/set1/spam_virus/dnsbl.bats
+++ b/test/tests/parallel/set1/spam_virus/dnsbl.bats
@ -0,0 +1,61 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+CONTAINER="mail_dnsbl_enabled"
+CONTAINER2="mail_dnsbl_disabled"
+
+function setup_file() {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container . "${CONTAINER}")
+
+  docker run --rm -d --name "${CONTAINER}" \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -e ENABLE_DNSBL=1 \
+    -h mail.my-domain.com \
+    -t "${NAME}"
+
+  docker run --rm -d --name "${CONTAINER2}" \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -e ENABLE_DNSBL=0 \
+    -h mail.my-domain.com \
+    -t "${NAME}"
+
+  wait_for_smtp_port_in_container "${CONTAINER}"
+  wait_for_smtp_port_in_container "${CONTAINER2}"
+}
+
+# ENABLE_DNSBL=1
+@test "checking enabled postfix DNS block list zen.spamhaus.org" {
+  run docker exec "${CONTAINER}" postconf smtpd_recipient_restrictions
+  assert_output --partial 'reject_rbl_client zen.spamhaus.org'
+}
+
+@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_action" {
+  run docker exec "${CONTAINER}" postconf postscreen_dnsbl_action
+  assert_output 'postscreen_dnsbl_action = enforce'
+}
+
+@test "checking enabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
+  run docker exec "${CONTAINER}" postconf postscreen_dnsbl_sites
+  assert_output 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 bl.mailspike.net=127.0.0.[2;14;13;12;11;10] b.barracudacentral.org*2 bl.spameatingmonkey.net=127.0.0.2 dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4'
+}
+
+# ENABLE_DNSBL=0
+@test "checking disabled postfix DNS block list zen.spamhaus.org" {
+  run docker exec "${CONTAINER2}" postconf smtpd_recipient_restrictions
+  refute_output --partial 'reject_rbl_client zen.spamhaus.org'
+}
+
+@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_action" {
+  run docker exec "${CONTAINER2}" postconf postscreen_dnsbl_action
+  assert_output 'postscreen_dnsbl_action = ignore'
+}
+
+@test "checking disabled postscreen DNS block lists --> postscreen_dnsbl_sites" {
+  run docker exec "${CONTAINER2}" postconf postscreen_dnsbl_sites
+  assert_output 'postscreen_dnsbl_sites ='
+}
+
+# cleanup
+function teardown_file() {
+    docker rm -f "${CONTAINER}" "${CONTAINER2}"
+}
--- a/test/tests/parallel/set1/spam_virus/fail2ban.bats
+++ b/test/tests/parallel/set1/spam_virus/fail2ban.bats
@ -0,0 +1,200 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+function setup_file() {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+  docker run --rm -d --name mail_fail2ban \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_FAIL2BAN=1 \
+    -e POSTSCREEN_ACTION=ignore \
+    --cap-add=NET_ADMIN \
+    --hostname mail.my-domain.com \
+    --tty \
+    --ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
+    "${NAME}"
+
+  # Create a container which will send wrong authentications and should get banned
+  docker run --name fail-auth-mailer \
+    -e MAIL_FAIL2BAN_IP="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)" \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test \
+    -d "${NAME}" \
+    tail -f /var/log/faillog
+
+  wait_for_finished_setup_in_container mail_fail2ban
+}
+
+function teardown_file() {
+  docker rm -f mail_fail2ban fail-auth-mailer
+}
+
+#
+# processes
+#
+
+@test "checking process: fail2ban (fail2ban server enabled)" {
+  run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
+  assert_success
+}
+
+#
+# fail2ban
+#
+
+@test "checking fail2ban: localhost is not banned because ignored" {
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'"
+  assert_failure
+  run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf"
+  assert_success
+}
+
+@test "checking fail2ban: fail2ban-fail2ban.cf overrides" {
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG"
+  assert_success
+}
+
+@test "checking fail2ban: fail2ban-jail.cf overrides" {
+  FILTERS=(dovecot postfix postfix-sasl)
+
+  for FILTER in "${FILTERS[@]}"; do
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} bantime"
+    assert_output 1234
+
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} findtime"
+    assert_output 321
+
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
+    assert_output 2
+
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'dovecot', 'addaction', 'nftables-multiport']"
+
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'postfix', 'addaction', 'nftables-multiport']"
+
+    run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'nftables-multiport']\""
+    assert_output "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
+  done
+}
+
+@test "checking fail2ban: ban ip on multiple failed login" {
+  # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
+  # shellcheck disable=SC1004
+  for _ in {1,2}
+  do
+    docker exec fail-auth-mailer /bin/bash -c \
+    'exec 3<>/dev/tcp/${MAIL_FAIL2BAN_IP}/25 && \
+    while IFS= read -r cmd; do \
+      head -1 <&3; \
+      [[ ${cmd} == "EHLO"* ]] && sleep 6; \
+      echo ${cmd} >&3; \
+    done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"'
+  done
+
+  sleep 5
+
+  FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
+  # Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'"
+  assert_success
+
+  # Checking that FAIL_AUTH_MAILER_IP is banned by nftables
+  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl"
+  assert_output --partial "elements = { ${FAIL_AUTH_MAILER_IP} }"
+}
+
+@test "checking fail2ban: unban ip works" {
+  FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
+  docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip "${FAIL_AUTH_MAILER_IP}"
+
+  sleep 5
+
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'"
+  assert_failure
+
+  # Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables
+  run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl"
+  refute_output --partial "${FAIL_AUTH_MAILER_IP}"
+}
+
+@test "checking fail2ban ban" {
+  # Ban single IP address
+  run docker exec mail_fail2ban fail2ban ban 192.0.66.7
+  assert_success
+  assert_output "Banned custom IP: 1"
+
+  run docker exec mail_fail2ban fail2ban
+  assert_success
+  assert_output --regexp "Banned in custom:.*192\.0\.66\.7"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  assert_success
+  assert_output --partial "elements = { 192.0.66.7 }"
+
+  run docker exec mail_fail2ban fail2ban unban 192.0.66.7
+  assert_success
+  assert_output --partial "Unbanned IP from custom: 1"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  refute_output --partial "192.0.66.7"
+
+  # Ban IP network
+  run docker exec mail_fail2ban fail2ban ban 192.0.66.0/24
+  assert_success
+  assert_output "Banned custom IP: 1"
+
+  run docker exec mail_fail2ban fail2ban
+  assert_success
+  assert_output --regexp "Banned in custom:.*192\.0\.66\.0/24"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  assert_success
+  assert_output --partial "elements = { 192.0.66.0/24 }"
+
+  run docker exec mail_fail2ban fail2ban unban 192.0.66.0/24
+  assert_success
+  assert_output --partial "Unbanned IP from custom: 1"
+
+  run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+  refute_output --partial "192.0.66.0/24"
+}
+
+@test "checking FAIL2BAN_BLOCKTYPE is really set to drop" {
+  run docker exec mail_fail2ban bash -c 'nft list table inet f2b-table'
+  assert_success
+  assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
+  assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
+  assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
+}
+
+@test "checking setup.sh: setup.sh fail2ban" {
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
+  run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
+
+  sleep 10
+
+  run ./setup.sh -c mail_fail2ban fail2ban
+  assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.4'
+  assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.5'
+
+  run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.4
+  assert_output --partial "Unbanned IP from dovecot: 1"
+
+  run ./setup.sh -c mail_fail2ban fail2ban
+  assert_output --regexp "^Banned in dovecot:.*192\.0\.66\.5"
+
+  run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.5
+  assert_output --partial "Unbanned IP from dovecot: 1"
+
+  run ./setup.sh -c mail_fail2ban fail2ban unban
+  assert_output --partial "You need to specify an IP address: Run"
+}
+
+#
+# supervisor
+#
+
+@test "checking restart of process: fail2ban (fail2ban server enabled)" {
+  run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
+  assert_success
+}
--- a/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats
+++ b/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats
@ -0,0 +1,92 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+function setup_file() {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+
+  docker run -d --name mail_with_postgrey \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_DNSBL=1 \
+    -e ENABLE_POSTGREY=1 \
+    -e PERMIT_DOCKER=container \
+    -e POSTGREY_AUTO_WHITELIST_CLIENTS=5 \
+    -e POSTGREY_DELAY=15 \
+    -e POSTGREY_MAX_AGE=35 \
+    -e POSTGREY_TEXT="Delayed by Postgrey" \
+    -h mail.my-domain.com -t "${NAME}"
+
+  # using postfix availability as start indicator, this might be insufficient for postgrey
+  wait_for_smtp_port_in_container mail_with_postgrey
+}
+
+function teardown_file() {
+  docker rm -f mail_with_postgrey
+}
+
+@test "checking postgrey: /etc/postfix/main.cf correctly edited" {
+  run docker exec mail_with_postgrey /bin/bash -c "grep -F 'zen.spamhaus.org=127.0.0.[2..11], check_policy_service inet:127.0.0.1:10023' /etc/postfix/main.cf | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking postgrey: /etc/default/postgrey correctly edited and has the default values" {
+  run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_OPTS=\"--inet=127.0.0.1:10023 --delay=15 --max-age=35 --auto-whitelist-clients=5\"$' /etc/default/postgrey | wc -l"
+  assert_success
+  assert_output 1
+
+  run docker exec mail_with_postgrey /bin/bash -c "grep '^POSTGREY_TEXT=\"Delayed by Postgrey\"$' /etc/default/postgrey | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking process: postgrey (postgrey server enabled)" {
+  run docker exec mail_with_postgrey /bin/bash -c "ps aux --forest | grep -v grep | grep 'postgrey'"
+  assert_success
+}
+
+@test "checking postgrey: there should be a log entry about a new greylisted e-mail user@external.tld in /var/log/mail/mail.log" {
+  #editing the postfix config in order to ensure that postgrey handles the test e-mail. The other spam checks at smtpd_recipient_restrictions would interfere with it.
+  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/permit_sasl_authenticated.*policyd-spf,$//g' /etc/postfix/main.cf"
+  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_unauth_pipelining.*reject_unknown_recipient_domain,$//g' /etc/postfix/main.cf"
+  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/reject_rbl_client.*inet:127\.0\.0\.1:10023$//g' /etc/postfix/main.cf"
+  run docker exec mail_with_postgrey /bin/sh -c "sed -ie 's/smtpd_recipient_restrictions =/smtpd_recipient_restrictions = check_policy_service inet:127.0.0.1:10023/g' /etc/postfix/main.cf"
+
+  run docker exec mail_with_postgrey /bin/sh -c "/etc/init.d/postfix reload"
+  run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
+  sleep 5 #ensure that the information has been written into the log
+  run docker exec mail_with_postgrey /bin/bash -c "grep -i 'action=greylist.*user@external\.tld' /var/log/mail/mail.log | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking postgrey: there should be a log entry about the retried and passed e-mail user@external.tld in /var/log/mail/mail.log" {
+  sleep 20 #wait 20 seconds so that postgrey would accept the message
+  run docker exec mail_with_postgrey /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/postgrey.txt"
+  sleep 8
+
+  run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=triplet found.*user@external\.tld' /var/log/mail/mail.log | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking postgrey: there should be a log entry about the whitelisted and passed e-mail user@whitelist.tld in /var/log/mail/mail.log" {
+  run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist.txt"
+  run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=client whitelist' /var/log/mail/mail.log | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking postgrey: there should be a log entry about the whitelisted local and passed e-mail user@whitelistlocal.tld in /var/log/mail/mail.log" {
+  run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist_local.txt"
+  run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=client whitelist' /var/log/mail/mail.log | wc -l"
+  assert_success
+  assert_output 1
+}
+
+@test "checking postgrey: there should be a log entry about the whitelisted recipient user2@otherdomain.tld in /var/log/mail/mail.log" {
+  run docker exec mail_with_postgrey /bin/sh -c "nc -w 8 0.0.0.0 10023 < /tmp/docker-mailserver-test/nc_templates/postgrey_whitelist_recipients.txt"
+  run docker exec mail_with_postgrey /bin/sh -c "grep -i 'action=pass, reason=recipient whitelist' /var/log/mail/mail.log | wc -l"
+  assert_success
+  assert_output 1
+}
--- a/test/tests/parallel/set1/spam_virus/postscreen.bats
+++ b/test/tests/parallel/set1/spam_virus/postscreen.bats
@ -0,0 +1,52 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+setup() {
+  # Getting mail container IP
+  MAIL_POSTSCREEN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_postscreen)
+}
+
+setup_file() {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+
+  docker run -d --name mail_postscreen \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e POSTSCREEN_ACTION=enforce \
+    --cap-add=NET_ADMIN \
+    -h mail.my-domain.com -t "${NAME}"
+
+  docker run --name mail_postscreen_sender \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -d "${NAME}" \
+    tail -f /var/log/faillog
+
+  wait_for_smtp_port_in_container mail_postscreen
+}
+
+teardown_file() {
+  docker rm -f mail_postscreen mail_postscreen_sender
+}
+
+@test "checking postscreen: talk too fast" {
+  docker exec mail_postscreen_sender /bin/sh -c "nc ${MAIL_POSTSCREEN_IP} 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt"
+
+  repeat_until_success_or_timeout 10 run docker exec mail_postscreen grep 'COMMAND PIPELINING' /var/log/mail/mail.log
+  assert_success
+}
+
+@test "checking postscreen: positive test (respecting postscreen_greet_wait time and talking in turn)" {
+  for _ in {1,2}; do
+    # shellcheck disable=SC1004
+    docker exec mail_postscreen_sender /bin/bash -c \
+    'exec 3<>/dev/tcp/'"${MAIL_POSTSCREEN_IP}"'/25 && \
+    while IFS= read -r cmd; do \
+      head -1 <&3; \
+      [[ ${cmd} == "EHLO"* ]] && sleep 6; \
+      echo ${cmd} >&3; \
+    done < "/tmp/docker-mailserver-test/auth/smtp-auth-login.txt"'
+  done
+
+  repeat_until_success_or_timeout 10 run docker exec mail_postscreen grep 'PASS NEW ' /var/log/mail/mail.log
+  assert_success
+}
--- a/test/tests/parallel/set1/spam_virus/spam_bounced.bats
+++ b/test/tests/parallel/set1/spam_virus/spam_bounced.bats
@ -0,0 +1,36 @@
+load "${REPOSITORY_ROOT}/test/helper/setup"
+load "${REPOSITORY_ROOT}/test/helper/common"
+
+TEST_NAME_PREFIX='spam (Amavis):'
+CONTAINER_NAME='dms-test-spam_bounced'
+
+function setup_file() {
+  init_with_defaults
+
+  local CUSTOM_SETUP_ARGUMENTS=(
+    --env ENABLE_AMAVIS=1
+    --env ENABLE_SPAMASSASSIN=1
+    --env PERMIT_DOCKER=container
+    --env SPAMASSASSIN_SPAM_TO_INBOX=0
+  )
+
+  common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
+  wait_for_smtp_port_in_container_to_respond "${CONTAINER_NAME}"
+}
+
+function teardown_file() { _default_teardown ; }
+
+# Test case
+# ---------
+# When SPAMASSASSIN_SPAM_TO_INBOX=0, spam messages must be bounced (rejected).
+# SPAMASSASSIN_SPAM_TO_INBOX=1 is covered in `mail_spam_junk_folder.bats`.
+# Original test PR: https://github.com/docker-mailserver/docker-mailserver/pull/1485
+@test "${TEST_NAME_PREFIX} spam message is bounced (rejected)" {
+  # send a spam message
+  _run_in_container /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt"
+  assert_success
+
+  # message will be added to a queue with varying delay until amavis receives it
+  run repeat_until_success_or_timeout 60 sh -c "docker logs ${CONTAINER_NAME} | grep 'Blocked SPAM {NoBounceInbound,Quarantined}'"
+  assert_success
+}
--- a/test/tests/parallel/set1/spam_virus/spam_junk_folder.bats
+++ b/test/tests/parallel/set1/spam_virus/spam_junk_folder.bats
@ -0,0 +1,67 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+# Test case
+# ---------
+# When SPAMASSASSIN_SPAM_TO_INBOX=1, spam messages must be delivered and eventually (MOVE_SPAM_TO_JUNK=1) moved to the Junk folder.
+
+@test "checking amavis: spam message is delivered and moved to the Junk folder (MOVE_SPAM_TO_JUNK=1)" {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_spam_moved_junk)
+
+  docker run -d --name mail_spam_moved_junk \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_SPAMASSASSIN=1 \
+    -e MOVE_SPAM_TO_JUNK=1 \
+    -e PERMIT_DOCKER=container \
+    -e SA_SPAM_SUBJECT="SPAM: " \
+    -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
+    -h mail.my-domain.com -t "${NAME}"
+
+  teardown() { docker rm -f mail_spam_moved_junk; }
+
+  wait_for_smtp_port_in_container mail_spam_moved_junk
+
+  # send a spam message
+  run docker exec mail_spam_moved_junk /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt"
+  assert_success
+
+  # message will be added to a queue with varying delay until amavis receives it
+  run repeat_until_success_or_timeout 60 sh -c "docker logs mail_spam_moved_junk | grep 'Passed SPAM {RelayedTaggedInbound,Quarantined}'"
+  assert_success
+
+  # spam moved to Junk folder
+  run repeat_until_success_or_timeout 20 sh -c "docker exec mail_spam_moved_junk sh -c 'grep \"Subject: SPAM: \" /var/mail/localhost.localdomain/user1/.Junk/new/ -R'"
+  assert_success
+}
+
+@test "checking amavis: spam message is delivered to INBOX (MOVE_SPAM_TO_JUNK=0)" {
+  local PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container . mail_spam_moved_new)
+
+  docker run -d --name mail_spam_moved_new \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_SPAMASSASSIN=1 \
+    -e MOVE_SPAM_TO_JUNK=0 \
+    -e PERMIT_DOCKER=container \
+    -e SA_SPAM_SUBJECT="SPAM: " \
+    -e SPAMASSASSIN_SPAM_TO_INBOX=1 \
+    -h mail.my-domain.com -t "${NAME}"
+
+  teardown() { docker rm -f mail_spam_moved_new; }
+
+  wait_for_smtp_port_in_container mail_spam_moved_new
+
+  # send a spam message
+  run docker exec mail_spam_moved_new /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt"
+  assert_success
+
+  # message will be added to a queue with varying delay until amavis receives it
+  run repeat_until_success_or_timeout 60 sh -c "docker logs mail_spam_moved_new | grep 'Passed SPAM {RelayedTaggedInbound,Quarantined}'"
+  assert_success
+
+  # spam moved to INBOX
+  run repeat_until_success_or_timeout 20 sh -c "docker exec mail_spam_moved_new sh -c 'grep \"Subject: SPAM: \" /var/mail/localhost.localdomain/user1/new/ -R'"
+  assert_success
+}
--- a/test/tests/parallel/set1/spam_virus/undef_spam_subject.bats
+++ b/test/tests/parallel/set1/spam_virus/undef_spam_subject.bats
@ -0,0 +1,64 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+function setup() {
+  local PRIVATE_CONFIG
+
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+  docker run -d --name mail_undef_spam_subject \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -e ENABLE_SPAMASSASSIN=1 \
+    -e SA_SPAM_SUBJECT="undef" \
+    --hostname mail.my-domain.com \
+    --tty \
+    "${NAME}"
+
+  CONTAINER='mail_undef_spam_subject_2'
+  PRIVATE_CONFIG=$(duplicate_config_for_container . "${CONTAINER}")
+  docker run -d \
+    -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
+    -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
+    -v "$(pwd)/test/onedir":/var/mail-state \
+    -e ENABLE_CLAMAV=1 \
+    -e SPOOF_PROTECTION=1 \
+    -e ENABLE_SPAMASSASSIN=1 \
+    -e REPORT_RECIPIENT=user1@localhost.localdomain \
+    -e REPORT_SENDER=report1@mail.my-domain.com \
+    -e SA_TAG=-5.0 \
+    -e SA_TAG2=2.0 \
+    -e SA_KILL=3.0 \
+    -e SA_SPAM_SUBJECT="SPAM: " \
+    -e VIRUSMAILS_DELETE_DELAY=7 \
+    -e ENABLE_SRS=1 \
+    -e ENABLE_MANAGESIEVE=1 \
+    -e PERMIT_DOCKER=host \
+    --name "${CONTAINER}" \
+    --hostname mail.my-domain.com \
+    --tty \
+    --ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
+    "${NAME}"
+
+  wait_for_finished_setup_in_container mail_undef_spam_subject
+  wait_for_finished_setup_in_container "${CONTAINER}"
+}
+
+function teardown() {
+  docker rm -f mail_undef_spam_subject "${CONTAINER}"
+}
+
+@test "checking spamassassin: docker env variables are set correctly (custom)" {
+  run docker exec "${CONTAINER}" /bin/sh -c "grep '\$sa_tag_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= -5.0'"
+  assert_success
+
+  run docker exec "${CONTAINER}" /bin/sh -c "grep '\$sa_tag2_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 2.0'"
+  assert_success
+
+  run docker exec "${CONTAINER}" /bin/sh -c "grep '\$sa_kill_level_deflt' /etc/amavis/conf.d/20-debian_defaults | grep '= 3.0'"
+  assert_success
+
+  run docker exec "${CONTAINER}" /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= .SPAM: .'"
+  assert_success
+
+  run docker exec mail_undef_spam_subject /bin/sh -c "grep '\$sa_spam_subject_tag' /etc/amavis/conf.d/20-debian_defaults | grep '= undef'"
+  assert_success
+}