tests(chore): Move some serial tests into parallel sets

Additionally with the `tls.bash` helper for the `letsencrypt` tests.
2025-08-04 01:55:29 +02:00 · 2022-12-24 21:15:23 +13:00 · 2022-12-24 21:15:23 +13:00 · a81de22819
commit a81de22819
parent 26ac48f34a
13 changed files with 0 additions and 0 deletions
--- a/test/tests/parallel/set2/spam_bounced.bats
+++ b/test/tests/parallel/set2/spam_bounced.bats
@ -1,36 +0,0 @@
-load "${REPOSITORY_ROOT}/test/helper/setup"
-load "${REPOSITORY_ROOT}/test/helper/common"
-
-TEST_NAME_PREFIX='spam (Amavis):'
-CONTAINER_NAME='dms-test-spam_bounced'
-
-function setup_file() {
-  init_with_defaults
-
-  local CUSTOM_SETUP_ARGUMENTS=(
-    --env ENABLE_AMAVIS=1
-    --env ENABLE_SPAMASSASSIN=1
-    --env PERMIT_DOCKER=container
-    --env SPAMASSASSIN_SPAM_TO_INBOX=0
-  )
-
-  common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
-  wait_for_smtp_port_in_container_to_respond "${CONTAINER_NAME}"
-}
-
-function teardown_file() { _default_teardown ; }
-
-# Test case
-# ---------
-# When SPAMASSASSIN_SPAM_TO_INBOX=0, spam messages must be bounced (rejected).
-# SPAMASSASSIN_SPAM_TO_INBOX=1 is covered in `mail_spam_junk_folder.bats`.
-# Original test PR: https://github.com/docker-mailserver/docker-mailserver/pull/1485
-@test "${TEST_NAME_PREFIX} spam message is bounced (rejected)" {
-  # send a spam message
-  _run_in_container /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/email-templates/amavis-spam.txt"
-  assert_success
-
-  # message will be added to a queue with varying delay until amavis receives it
-  run repeat_until_success_or_timeout 60 sh -c "docker logs ${CONTAINER_NAME} | grep 'Blocked SPAM {NoBounceInbound,Quarantined}'"
-  assert_success
-}
--- a/test/tests/parallel/set2/tls/tls_cipherlists.bats
+++ b/test/tests/parallel/set2/tls/tls_cipherlists.bats
@ -0,0 +1,218 @@
+#!/usr/bin/env bats
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+# Globals ${BATS_TMPDIR} and ${NAME}
+# `${NAME}` defaults to `mailserver-testing:ci`
+
+function teardown() {
+  docker rm -f tls_test_cipherlists
+}
+
+function setup_file() {
+  export DOMAIN="example.test"
+  export NETWORK="test-network"
+
+  # Shared config for TLS testing (read-only)
+  export TLS_CONFIG_VOLUME
+  TLS_CONFIG_VOLUME="$(pwd)/test/test-files/ssl/${DOMAIN}/:/config/ssl/:ro"
+  # `${BATS_TMPDIR}` maps to `/tmp`
+  export TLS_RESULTS_DIR="${BATS_TMPDIR}/results"
+
+  # NOTE: If the network already exists, test will fail to start.
+  docker network create "${NETWORK}"
+
+  # Copies all of `./test/config/` to specific directory for testing
+  # `${PRIVATE_CONFIG}` becomes `$(pwd)/test/duplicate_configs/<bats test filename>`
+  export PRIVATE_CONFIG
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+
+  # Pull `testssl.sh` image in advance to avoid it interfering with the `run` captured output.
+  # Only interferes (potential test failure) with `assert_output` not `assert_success`?
+  docker pull drwetter/testssl.sh:3.1dev
+}
+
+function teardown_file() {
+  docker network rm "${NETWORK}"
+}
+
+@test "checking tls: cipher list - rsa intermediate" {
+  check_ports 'rsa' 'intermediate'
+}
+
+@test "checking tls: cipher list - rsa modern" {
+  check_ports 'rsa' 'modern'
+}
+
+@test "checking tls: cipher list - ecdsa intermediate" {
+  check_ports 'ecdsa' 'intermediate'
+}
+
+@test "checking tls: cipher list - ecdsa modern" {
+  check_ports 'ecdsa' 'modern'
+}
+
+
+# Only ECDSA with RSA fallback is tested.
+# There isn't a situation where RSA with ECDSA fallback would make sense.
+@test "checking tls: cipher list - ecdsa intermediate, with rsa fallback" {
+  check_ports 'ecdsa' 'intermediate' 'rsa'
+}
+
+@test "checking tls: cipher list - ecdsa modern, with rsa fallback" {
+  check_ports 'ecdsa' 'modern' 'rsa'
+}
+
+function check_ports() {
+  local KEY_TYPE=$1
+  local TLS_LEVEL=$2
+  local ALT_KEY_TYPE=$3 # Optional parameter
+
+  local KEY_TYPE_LABEL="${KEY_TYPE}"
+  # This is just to add a `_` delimiter between the two key types for readability
+  if [[ -n ${ALT_KEY_TYPE} ]]
+  then
+    KEY_TYPE_LABEL="${KEY_TYPE}_${ALT_KEY_TYPE}"
+  fi
+  local RESULTS_PATH="${KEY_TYPE_LABEL}/${TLS_LEVEL}"
+
+  collect_cipherlist_data
+
+  # SMTP: Opportunistic STARTTLS Explicit(25)
+  # Needs to test against cipher lists specific to Port 25 ('_p25' parameter)
+  check_cipherlists "${RESULTS_PATH}/port_25.json" '_p25'
+
+  # SMTP Submission: Mandatory STARTTLS Explicit(587) and Implicit(465) TLS
+  check_cipherlists "${RESULTS_PATH}/port_587.json"
+  check_cipherlists "${RESULTS_PATH}/port_465.json"
+
+  # IMAP: Mandatory STARTTLS Explicit(143) and Implicit(993) TLS
+  check_cipherlists "${RESULTS_PATH}/port_143.json"
+  check_cipherlists "${RESULTS_PATH}/port_993.json"
+
+  # POP3: Mandatory STARTTLS Explicit(110) and Implicit(995)
+  check_cipherlists "${RESULTS_PATH}/port_110.json"
+  check_cipherlists "${RESULTS_PATH}/port_995.json"
+}
+
+function collect_cipherlist_data() {
+  local ALT_CERT=()
+  local ALT_KEY=()
+
+  if [[ -n ${ALT_KEY_TYPE} ]]
+  then
+    ALT_CERT=(--env SSL_ALT_CERT_PATH="/config/ssl/cert.${ALT_KEY_TYPE}.pem")
+    ALT_KEY=(--env SSL_ALT_KEY_PATH="/config/ssl/key.${ALT_KEY_TYPE}.pem")
+  fi
+
+  run docker run -d --name tls_test_cipherlists \
+    --volume "${PRIVATE_CONFIG}/:/tmp/docker-mailserver/" \
+    --volume "${TLS_CONFIG_VOLUME}" \
+    --env ENABLE_POP3=1 \
+    --env SSL_TYPE="manual" \
+    --env SSL_CERT_PATH="/config/ssl/cert.${KEY_TYPE}.pem" \
+    --env SSL_KEY_PATH="/config/ssl/key.${KEY_TYPE}.pem" \
+    "${ALT_CERT[@]}" \
+    "${ALT_KEY[@]}" \
+    --env TLS_LEVEL="${TLS_LEVEL}" \
+    --network "${NETWORK}" \
+    --network-alias "${DOMAIN}" \
+    --hostname "mail.${DOMAIN}" \
+    --tty \
+    "${NAME}" # Image name
+
+  assert_success
+
+  wait_for_tcp_port_in_container 25 tls_test_cipherlists
+  # NOTE: An rDNS query for the container IP will resolve to `<container name>.<network name>.`
+
+  # Make directory with test user ownership. Avoids Docker creating with root ownership.
+  # TODO: Can switch to filename prefix for JSON output when this is resolved: https://github.com/drwetter/testssl.sh/issues/1845
+  mkdir -p "${TLS_RESULTS_DIR}/${RESULTS_PATH}"
+
+  # For non-CI test runs, instead of removing prior test files after this test suite completes,
+  # they're retained and overwritten by future test runs instead. Useful for inspection.
+  # `--preference` reduces the test scope to the cipher suites reported as supported by the server. Completes in ~35% of the time.
+  local TESTSSL_CMD=(--quiet --file "/config/ssl/testssl.txt" --mode parallel --overwrite --preference)
+  # NOTE: Batch testing ports via `--file` doesn't properly bubble up failure.
+  # If the failure for a test is misleading consider testing a single port with:
+  # local TESTSSL_CMD=(--quiet --jsonfile-pretty "${RESULTS_PATH}/port_${PORT}.json" --starttls smtp "${DOMAIN}:${PORT}")
+  # TODO: Can use `jq` to check for failure when this is resolved: https://github.com/drwetter/testssl.sh/issues/1844
+
+  # `--user "<uid>:<gid>"` is a workaround: Avoids `permission denied` write errors for json output, uses `id` to match user uid & gid.
+  run docker run --rm \
+    --user "$(id -u):$(id -g)" \
+    --network "${NETWORK}" \
+    --volume "${TLS_CONFIG_VOLUME}" \
+    --volume "${TLS_RESULTS_DIR}/${RESULTS_PATH}/:/output" \
+    --workdir "/output" \
+    drwetter/testssl.sh:3.1dev "${TESTSSL_CMD[@]}"
+
+  assert_success
+}
+
+# Use `jq` to extract a specific cipher list from the target`testssl.sh` results json output file
+function compare_cipherlist() {
+  local TARGET_CIPHERLIST=$1
+  local RESULTS_FILE=$2
+  local EXPECTED_CIPHERLIST=$3
+
+  run jq '.scanResult[0].serverPreferences[] | select(.id=="'"${TARGET_CIPHERLIST}"'") | .finding' "${TLS_RESULTS_DIR}/${RESULTS_FILE}"
+  assert_success
+  assert_output "${EXPECTED_CIPHERLIST}"
+}
+
+# Compares the expected cipher lists against logged test results from `testssl.sh`
+function check_cipherlists() {
+  local RESULTS_FILE=$1
+  local p25=$2 # optional suffix
+
+  compare_cipherlist "cipherorder_TLSv1_2" "${RESULTS_FILE}" "$(get_cipherlist "TLSv1_2${p25}")"
+  compare_cipherlist "cipherorder_TLSv1_3" "${RESULTS_FILE}" "$(get_cipherlist 'TLSv1_3')"
+}
+
+# Expected cipher lists. Should match `TLS_LEVEL` cipher lists set in `scripts/helpers/ssl.sh`.
+# Excluding Port 25 which uses defaults from Postfix after applying `smtpd_tls_exclude_ciphers` rules.
+# NOTE: If a test fails, look at the `check_ports` params, then update the corresponding associative key's value
+# with the `actual` error value (assuming an update needs to be made, and not a valid security issue to look into).
+function get_cipherlist() {
+  local TLS_VERSION=$1
+
+  if [[ ${TLS_VERSION} == "TLSv1_3" ]]
+  then
+    # TLS v1.3 cipher suites are not user defineable and not unique to the available certificate(s).
+    # They do not support server enforced order either.
+    echo '"TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256"'
+  else
+    # Associative array for easy querying of required cipher list
+    declare -A CIPHER_LIST
+
+    CIPHER_LIST["rsa_intermediate_TLSv1_2"]='"ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256"'
+    CIPHER_LIST["rsa_modern_TLSv1_2"]='"ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384"'
+
+    # ECDSA:
+    CIPHER_LIST["ecdsa_intermediate_TLSv1_2"]='"ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384"'
+    CIPHER_LIST["ecdsa_modern_TLSv1_2"]='"ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305"'
+
+    # ECDSA + RSA fallback, dual cert support:
+    CIPHER_LIST["ecdsa_rsa_intermediate_TLSv1_2"]='"ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256"'
+    CIPHER_LIST["ecdsa_rsa_modern_TLSv1_2"]='"ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384"'
+
+
+    # Port 25
+    # TLSv1_2 has different server order and also includes ARIA, CCM, DHE+CHACHA20-POLY1305 cipher suites:
+    CIPHER_LIST["rsa_intermediate_TLSv1_2_p25"]='"ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ARIA256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ARIA128-GCM-SHA256 DHE-RSA-ARIA128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ARIA128-GCM-SHA256"'
+    # Port 25 is unaffected by `TLS_LEVEL` profiles, it has the same TLS v1.2 cipher list under both:
+    CIPHER_LIST["rsa_modern_TLSv1_2_p25"]=${CIPHER_LIST["rsa_intermediate_TLSv1_2_p25"]}
+
+    # ECDSA (Port 25):
+    CIPHER_LIST["ecdsa_intermediate_TLSv1_2_p25"]='"ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256"'
+    CIPHER_LIST["ecdsa_modern_TLSv1_2_p25"]=${CIPHER_LIST["ecdsa_intermediate_TLSv1_2_p25"]}
+
+    # ECDSA + RSA fallback, dual cert support (Port 25):
+    CIPHER_LIST["ecdsa_rsa_intermediate_TLSv1_2_p25"]='"ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ARIA256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-CCM8 ECDHE-ECDSA-AES128-CCM DHE-RSA-AES128-CCM8 DHE-RSA-AES128-CCM ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256 DHE-RSA-ARIA128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ARIA128-GCM-SHA256"'
+    CIPHER_LIST["ecdsa_rsa_modern_TLSv1_2_p25"]=${CIPHER_LIST["ecdsa_rsa_intermediate_TLSv1_2_p25"]}
+
+
+    local TARGET_QUERY="${KEY_TYPE_LABEL}_${TLS_LEVEL}_${TLS_VERSION}"
+    echo "${CIPHER_LIST[${TARGET_QUERY}]}"
+  fi
+}
--- a/test/tests/parallel/set2/tls/tls_letsencrypt.bats
+++ b/test/tests/parallel/set2/tls/tls_letsencrypt.bats
@ -0,0 +1,308 @@
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+load "${REPOSITORY_ROOT}/test/test_helper/tls"
+
+# Globals referenced from `test_helper/common`:
+# TEST_NAME TEST_FQDN TEST_TMP_CONFIG
+
+# Requires maintenance (TODO): Yes
+# Can run tests in parallel?: No
+
+# Not parallelize friendly when TEST_NAME is static,
+# presently name of test file: `mail_ssl_letsencrypt`.
+#
+# Also shares a common TEST_TMP_CONFIG local folder,
+# Instead of individual PRIVATE_CONFIG copies.
+# For this test that is a non-issue, unless run in parallel.
+
+
+# Applies to all tests:
+function setup_file() {
+  init_with_defaults
+
+  # Override default to match the hostname we want to test against instead:
+  export TEST_FQDN='mail.example.test'
+
+  # Prepare certificates in the letsencrypt supported file structure:
+  # Note Certbot uses `privkey.pem`.
+  # `fullchain.pem` is currently what's detected, but we're actually providing the equivalent of `cert.pem` here.
+  # TODO: Verify format/structure is supported for nginx-proxy + acme-companion (uses `acme.sh` to provision).
+
+  # `mail.example.test` (Only this FQDN is supported by this certificate):
+  _copy_to_letsencrypt_storage 'example.test/with_ca/ecdsa/cert.ecdsa.pem' 'mail.example.test/fullchain.pem'
+  _copy_to_letsencrypt_storage 'example.test/with_ca/ecdsa/key.ecdsa.pem' "mail.example.test/privkey.pem"
+
+  # `example.test` (Only this FQDN is supported by this certificate):
+  _copy_to_letsencrypt_storage 'example.test/with_ca/ecdsa/cert.rsa.pem' 'example.test/fullchain.pem'
+  _copy_to_letsencrypt_storage 'example.test/with_ca/ecdsa/key.rsa.pem' 'example.test/privkey.pem'
+}
+
+# Not used
+# function teardown_file() {
+# }
+
+function teardown() {
+  docker rm -f "${TEST_NAME}"
+}
+
+# Should detect and choose the cert for FQDN `mail.example.test` (HOSTNAME):
+@test "ssl(letsencrypt): Should default to HOSTNAME (mail.example.test)" {
+  local TARGET_DOMAIN='mail.example.test'
+
+  local TEST_DOCKER_ARGS=(
+    --volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
+    --env PERMIT_DOCKER='container'
+    --env SSL_TYPE='letsencrypt'
+  )
+
+  common_container_setup 'TEST_DOCKER_ARGS'
+
+  #test hostname has certificate files
+  _should_have_valid_config "${TARGET_DOMAIN}" 'privkey.pem' 'fullchain.pem'
+  _should_succesfully_negotiate_tls "${TARGET_DOMAIN}"
+  _should_not_support_fqdn_in_cert 'example.test'
+}
+
+
+# Should detect and choose cert for FQDN `example.test` (DOMAINNAME),
+# as fallback when no cert for FQDN `mail.example.test` (HOSTNAME) exists:
+@test "ssl(letsencrypt): Should fallback to DOMAINNAME (example.test)" {
+  local TARGET_DOMAIN='example.test'
+
+  local TEST_DOCKER_ARGS=(
+    --volume "${TEST_TMP_CONFIG}/letsencrypt/${TARGET_DOMAIN}/:/etc/letsencrypt/live/${TARGET_DOMAIN}/:ro"
+    --env PERMIT_DOCKER='container'
+    --env SSL_TYPE='letsencrypt'
+  )
+
+  common_container_setup 'TEST_DOCKER_ARGS'
+
+  #test domain has certificate files
+  _should_have_valid_config "${TARGET_DOMAIN}" 'privkey.pem' 'fullchain.pem'
+  _should_succesfully_negotiate_tls "${TARGET_DOMAIN}"
+  _should_not_support_fqdn_in_cert 'mail.example.test'
+}
+
+# When using `acme.json` (Traefik) - a wildcard cert `*.example.test` (SSL_DOMAIN)
+# should be extracted and be chosen over an existing FQDN `mail.example.test` (HOSTNAME):
+#
+# NOTE: Currently all of the `acme.json` configs have the FQDN match a SAN value,
+# all Subject CN (`main` in acme.json) are `Smallstep Leaf` which is not an FQDN.
+# While valid for that field, it does mean there is no test coverage against `main`.
+@test "ssl(letsencrypt): Traefik 'acme.json' (*.example.test)" {
+  # This test group changes to certs signed with an RSA Root CA key,
+  # These certs all support both FQDNs: `mail.example.test` and `example.test`,
+  # Except for the wildcard cert `*.example.test`, which intentionally excluded `example.test` when created.
+  # We want to maintain the same FQDN (mail.example.test) between the _acme_ecdsa and _acme_rsa tests.
+  local LOCAL_BASE_PATH="${PWD}/test/test-files/ssl/example.test/with_ca/rsa"
+
+  # Change default Root CA cert used for verifying chain of trust with openssl:
+  # shellcheck disable=SC2034
+  local TEST_CA_CERT="${TEST_FILES_CONTAINER_PATH}/ssl/example.test/with_ca/rsa/ca-cert.rsa.pem"
+
+  function _prepare() {
+    # Default `acme.json` for _acme_ecdsa test:
+    cp "${LOCAL_BASE_PATH}/ecdsa.acme.json" "${TEST_TMP_CONFIG}/letsencrypt/acme.json"
+
+    # TODO: Provision wildcard certs via Traefik to inspect if `example.test` non-wildcard is also added to the cert.
+    # shellcheck disable=SC2034
+    local TEST_DOCKER_ARGS=(
+      --volume "${TEST_TMP_CONFIG}/letsencrypt/acme.json:/etc/letsencrypt/acme.json:ro"
+      --env LOG_LEVEL='trace'
+      --env PERMIT_DOCKER='container'
+      --env SSL_DOMAIN='*.example.test'
+      --env SSL_TYPE='letsencrypt'
+    )
+
+    common_container_setup 'TEST_DOCKER_ARGS'
+    wait_for_service "${TEST_NAME}" 'changedetector'
+
+    # Wait until the changedetector service startup delay is over:
+    repeat_until_success_or_timeout 20 sh -c "$(_get_service_logs 'changedetector') | grep 'Changedetector is ready'"
+  }
+
+  # Test `acme.json` extraction works at container startup:
+  # It should have already extracted `mail.example.test` from the original mounted `acme.json`.
+  function _acme_ecdsa() {
+    _should_have_succeeded_at_extraction 'mail.example.test'
+
+    # SSL_DOMAIN set as ENV, but startup should not have match in `acme.json`:
+    _should_have_failed_at_extraction '*.example.test' 'mailserver'
+    _should_have_valid_config 'mail.example.test' 'key.pem' 'fullchain.pem'
+
+    local ECDSA_KEY_PATH="${LOCAL_BASE_PATH}/key.ecdsa.pem"
+    local ECDSA_CERT_PATH="${LOCAL_BASE_PATH}/cert.ecdsa.pem"
+    _should_have_expected_files 'mail.example.test' "${ECDSA_KEY_PATH}" "${ECDSA_CERT_PATH}"
+  }
+
+  # Test `acme.json` extraction is triggered via change detection:
+  # The updated `acme.json` roughly emulates a renewal, but changes from an ECDSA cert to an RSA one.
+  # It should replace the cert files in the existing `letsencrypt/live/mail.example.test/` folder.
+  function _acme_rsa() {
+    _should_extract_on_changes 'mail.example.test' "${LOCAL_BASE_PATH}/rsa.acme.json"
+    _should_have_service_reload_count '1'
+
+    local RSA_KEY_PATH="${LOCAL_BASE_PATH}/key.rsa.pem"
+    local RSA_CERT_PATH="${LOCAL_BASE_PATH}/cert.rsa.pem"
+    _should_have_expected_files 'mail.example.test' "${RSA_KEY_PATH}" "${RSA_CERT_PATH}"
+  }
+
+  # Test that `acme.json` also works with wildcard certificates:
+  # Additionally tests that SSL_DOMAIN is prioritized when `letsencrypt/live/` already has a HOSTNAME dir available.
+  # Wildcard `*.example.test` should extract to `example.test/` in `letsencrypt/live/`:
+  function _acme_wildcard() {
+    _should_extract_on_changes 'example.test' "${LOCAL_BASE_PATH}/wildcard/rsa.acme.json"
+    _should_have_service_reload_count '2'
+
+    # As the FQDN has changed since startup, the Postfix + Dovecot configs should be updated:
+    _should_have_valid_config 'example.test' 'key.pem' 'fullchain.pem'
+
+    local WILDCARD_KEY_PATH="${LOCAL_BASE_PATH}/wildcard/key.rsa.pem"
+    local WILDCARD_CERT_PATH="${LOCAL_BASE_PATH}/wildcard/cert.rsa.pem"
+    _should_have_expected_files 'example.test' "${WILDCARD_KEY_PATH}" "${WILDCARD_CERT_PATH}"
+
+    # These two tests will confirm wildcard support is working, the supported SANs changed:
+    # Before (_acme_rsa cert):      `DNS:example.test, DNS:mail.example.test`
+    # After  (_acme_wildcard cert): `DNS:*.example.test`
+    # The difference in support is:
+    # - `example.test` should no longer be valid.
+    # - `mail.example.test` should remain valid, but also allow any other subdomain/hostname.
+    _should_succesfully_negotiate_tls 'mail.example.test'
+    _should_support_fqdn_in_cert 'fake.example.test'
+    _should_not_support_fqdn_in_cert 'example.test'
+  }
+
+  _prepare
+
+  # Unleash the `acme.json` tests!
+  # TODO: Extract methods to separate test cases.
+  _acme_ecdsa
+  _acme_rsa
+  _acme_wildcard
+}
+
+#
+# Test Methods
+#
+
+
+# Check that Dovecot and Postfix are configured to use a cert for the expected FQDN:
+function _should_have_valid_config() {
+  local EXPECTED_FQDN=${1}
+  local LE_KEY_PATH="/etc/letsencrypt/live/${EXPECTED_FQDN}/${2}"
+  local LE_CERT_PATH="/etc/letsencrypt/live/${EXPECTED_FQDN}/${3}"
+
+  _has_matching_line 'postconf' "smtpd_tls_chain_files = ${LE_KEY_PATH} ${LE_CERT_PATH}"
+  _has_matching_line 'doveconf' "ssl_cert = <${LE_CERT_PATH}"
+  # `-P` is required to prevent redacting secrets
+  _has_matching_line 'doveconf -P' "ssl_key = <${LE_KEY_PATH}"
+}
+
+# CMD ${1} run in container with output checked to match value of ${2}:
+function _has_matching_line() {
+  run docker exec "${TEST_NAME}" sh -c "${1} | grep '${2}'"
+  assert_output "${2}"
+}
+
+
+#
+# Traefik `acme.json` specific
+#
+
+
+# It should log success of extraction for the expected domain and restart Postfix.
+function _should_have_succeeded_at_extraction() {
+  local EXPECTED_DOMAIN=${1}
+  local SERVICE=${2}
+
+  run $(_get_service_logs "${SERVICE}")
+  assert_output --partial "_extract_certs_from_acme | Certificate successfully extracted for '${EXPECTED_DOMAIN}'"
+}
+
+function _should_have_failed_at_extraction() {
+  local EXPECTED_DOMAIN=${1}
+  local SERVICE=${2}
+
+  run $(_get_service_logs "${SERVICE}")
+  assert_output --partial "_extract_certs_from_acme | Unable to find key and/or cert for '${EXPECTED_DOMAIN}' in '/etc/letsencrypt/acme.json'"
+}
+
+# Replace the mounted `acme.json` and wait to see if changes were detected.
+function _should_extract_on_changes() {
+  local EXPECTED_DOMAIN=${1}
+  local ACME_JSON=${2}
+
+  cp "${ACME_JSON}" "${TEST_TMP_CONFIG}/letsencrypt/acme.json"
+  # Change detection takes a little over 5 seconds to complete (restart services)
+  sleep 10
+
+  # Expected log lines from the changedetector service:
+  run $(_get_service_logs 'changedetector')
+  assert_output --partial 'Change detected'
+  assert_output --partial "'/etc/letsencrypt/acme.json' has changed - extracting certificates"
+  assert_output --partial "_extract_certs_from_acme | Certificate successfully extracted for '${EXPECTED_DOMAIN}'"
+  assert_output --partial 'Reloading services due to detected changes'
+  assert_output --partial 'Completed handling of detected change'
+}
+
+# Ensure change detection is not mistakenly validating against previous change events:
+function _should_have_service_reload_count() {
+  local NUM_RELOADS=${1}
+
+  # Count how many times processes (like Postfix and Dovecot) have been reloaded by the `changedetector` service:
+  run docker exec "${TEST_NAME}" sh -c "grep -c 'Completed handling of detected change' /var/log/supervisor/changedetector.log"
+  assert_output "${NUM_RELOADS}"
+}
+
+# Extracted cert files from `acme.json` have content matching the expected reference files:
+function _should_have_expected_files() {
+  local LE_BASE_PATH="/etc/letsencrypt/live/${1}"
+  local LE_KEY_PATH="${LE_BASE_PATH}/key.pem"
+  local LE_CERT_PATH="${LE_BASE_PATH}/fullchain.pem"
+  local EXPECTED_KEY_PATH=${2}
+  local EXPECTED_CERT_PATH=${3}
+
+  _should_be_equal_in_content "${LE_KEY_PATH}" "${EXPECTED_KEY_PATH}"
+  _should_be_equal_in_content "${LE_CERT_PATH}" "${EXPECTED_CERT_PATH}"
+}
+
+
+#
+# Misc
+#
+
+
+# Rename test certificate files to match the expected file structure for letsencrypt:
+function _copy_to_letsencrypt_storage() {
+  local SRC=${1}
+  local DEST=${2}
+
+  local FQDN_DIR
+  FQDN_DIR=$(echo "${DEST}" | cut -d '/' -f1)
+  mkdir -p "${TEST_TMP_CONFIG}/letsencrypt/${FQDN_DIR}"
+
+  cp "${PWD}/test/test-files/ssl/${SRC}" "${TEST_TMP_CONFIG}/letsencrypt/${DEST}"
+}
+
+function _should_be_equal_in_content() {
+  local CONTAINER_PATH=${1}
+  local LOCAL_PATH=${2}
+
+  run docker exec "${TEST_NAME}" sh -c "cat ${CONTAINER_PATH}"
+  assert_output "$(cat "${LOCAL_PATH}")"
+  assert_success
+}
+
+function _get_service_logs() {
+  local SERVICE=${1:-'mailserver'}
+
+  local CMD_LOGS=(docker exec "${TEST_NAME}" "supervisorctl tail -2200 ${SERVICE}")
+
+  # As the `mailserver` service logs are not stored in a file but output to stdout/stderr,
+  # The `supervisorctl tail` command won't work; we must instead query via `docker logs`:
+  if [[ ${SERVICE} == 'mailserver' ]]
+  then
+    CMD_LOGS=(docker logs "${TEST_NAME}")
+  fi
+
+  echo "${CMD_LOGS[@]}"
+}
--- a/test/tests/parallel/set2/tls/tls_manual.bats
+++ b/test/tests/parallel/set2/tls/tls_manual.bats
@ -0,0 +1,111 @@
+#!/usr/bin/env bats
+load "${REPOSITORY_ROOT}/test/test_helper/common"
+
+function setup_file() {
+  # Internal copies made by `start-mailserver.sh`:
+  export PRIMARY_KEY='/etc/dms/tls/key'
+  export PRIMARY_CERT='/etc/dms/tls/cert'
+  export FALLBACK_KEY='/etc/dms/tls/fallback_key'
+  export FALLBACK_CERT='/etc/dms/tls/fallback_cert'
+
+  # Volume mounted certs:
+  export SSL_KEY_PATH='/config/ssl/key.ecdsa.pem'
+  export SSL_CERT_PATH='/config/ssl/cert.ecdsa.pem'
+  export SSL_ALT_KEY_PATH='/config/ssl/key.rsa.pem'
+  export SSL_ALT_CERT_PATH='/config/ssl/cert.rsa.pem'
+
+  local PRIVATE_CONFIG
+  export DOMAIN_SSL_MANUAL='example.test'
+  PRIVATE_CONFIG=$(duplicate_config_for_container .)
+
+  docker run -d --name mail_manual_ssl \
+    --volume "${PRIVATE_CONFIG}/:/tmp/docker-mailserver/" \
+    --volume "$(pwd)/test/test-files/ssl/${DOMAIN_SSL_MANUAL}/with_ca/ecdsa/:/config/ssl/:ro" \
+    --env LOG_LEVEL='trace' \
+    --env SSL_TYPE='manual' \
+    --env TLS_LEVEL='modern' \
+    --env SSL_KEY_PATH="${SSL_KEY_PATH}" \
+    --env SSL_CERT_PATH="${SSL_CERT_PATH}" \
+    --env SSL_ALT_KEY_PATH="${SSL_ALT_KEY_PATH}" \
+    --env SSL_ALT_CERT_PATH="${SSL_ALT_CERT_PATH}" \
+    --hostname "mail.${DOMAIN_SSL_MANUAL}" \
+    --tty \
+    "${NAME}" # Image name
+
+  wait_for_finished_setup_in_container mail_manual_ssl
+}
+
+function teardown_file() {
+  docker rm -f mail_manual_ssl
+}
+
+@test "checking ssl: ENV vars provided are valid files" {
+  assert docker exec mail_manual_ssl [ -f "${SSL_CERT_PATH}" ]
+  assert docker exec mail_manual_ssl [ -f "${SSL_KEY_PATH}" ]
+  assert docker exec mail_manual_ssl [ -f "${SSL_ALT_CERT_PATH}" ]
+  assert docker exec mail_manual_ssl [ -f "${SSL_ALT_KEY_PATH}" ]
+}
+
+@test "checking ssl: manual configuration is correct" {
+  local DOVECOT_CONFIG_SSL='/etc/dovecot/conf.d/10-ssl.conf'
+
+  run docker exec mail_manual_ssl grep '^smtpd_tls_chain_files =' '/etc/postfix/main.cf'
+  assert_success
+  assert_output "smtpd_tls_chain_files = ${PRIMARY_KEY} ${PRIMARY_CERT} ${FALLBACK_KEY} ${FALLBACK_CERT}"
+
+  run docker exec mail_manual_ssl grep '^ssl_key =' "${DOVECOT_CONFIG_SSL}"
+  assert_success
+  assert_output "ssl_key = <${PRIMARY_KEY}"
+
+  run docker exec mail_manual_ssl grep '^ssl_cert =' "${DOVECOT_CONFIG_SSL}"
+  assert_success
+  assert_output "ssl_cert = <${PRIMARY_CERT}"
+
+  run docker exec mail_manual_ssl grep '^ssl_alt_key =' "${DOVECOT_CONFIG_SSL}"
+  assert_success
+  assert_output "ssl_alt_key = <${FALLBACK_KEY}"
+
+  run docker exec mail_manual_ssl grep '^ssl_alt_cert =' "${DOVECOT_CONFIG_SSL}"
+  assert_success
+  assert_output "ssl_alt_cert = <${FALLBACK_CERT}"
+}
+
+@test "checking ssl: manual configuration copied files correctly " {
+  run docker exec mail_manual_ssl cmp -s "${PRIMARY_KEY}" "${SSL_KEY_PATH}"
+  assert_success
+  run docker exec mail_manual_ssl cmp -s "${PRIMARY_CERT}" "${SSL_CERT_PATH}"
+  assert_success
+
+  # Fallback cert
+  run docker exec mail_manual_ssl cmp -s "${FALLBACK_KEY}" "${SSL_ALT_KEY_PATH}"
+  assert_success
+  run docker exec mail_manual_ssl cmp -s "${FALLBACK_CERT}" "${SSL_ALT_CERT_PATH}"
+  assert_success
+}
+
+@test "checking ssl: manual cert works correctly" {
+  wait_for_tcp_port_in_container 587 mail_manual_ssl
+
+  local TEST_COMMAND=(timeout 1 openssl s_client -connect mail.example.test:587 -starttls smtp)
+  local RESULT
+
+  # Should fail as a chain of trust is required to verify successfully:
+  RESULT=$(docker exec mail_manual_ssl "${TEST_COMMAND[@]}" | grep 'Verification error:')
+  assert_equal "${RESULT}" 'Verification error: unable to verify the first certificate'
+
+  # Provide the Root CA cert for successful verification:
+  local CA_CERT='/config/ssl/ca-cert.ecdsa.pem'
+  assert docker exec mail_manual_ssl [ -f "${CA_CERT}" ]
+  RESULT=$(docker exec mail_manual_ssl "${TEST_COMMAND[@]}" -CAfile "${CA_CERT}" | grep 'Verification: OK')
+  assert_equal "${RESULT}" 'Verification: OK'
+}
+
+@test "checking ssl: manual cert changes are picked up by check-for-changes" {
+  printf '%s' 'someThingsChangedHere' \
+    >>"$(pwd)/test/test-files/ssl/${DOMAIN_SSL_MANUAL}/with_ca/ecdsa/key.ecdsa.pem"
+
+  run timeout 15 docker exec mail_manual_ssl bash -c "tail -F /var/log/supervisor/changedetector.log | sed '/Manual certificates have changed/ q'"
+  assert_success
+
+  sed -i '/someThingsChangedHere/d' "$(pwd)/test/test-files/ssl/${DOMAIN_SSL_MANUAL}/with_ca/ecdsa/key.ecdsa.pem"
+}