Hardening TLS ciphers (#492)

* Hardening Dovecot TLS ciphers
* Mitigate Logjam vulnerability on Dovecot
* Mitigate Logjam vulnerability on Postfix
* Add Nmap tests of PCI compliance for Postfix and Dovecot
* Increase sleep duration on Makefile steps to avoid races

test/tests.bats

@@ -919,8 +919,8 @@ load 'test_helper/bats-assert/load'
 # Postfix VIRTUAL_TRANSPORT
 #
 @test "checking postfix-lmtp: virtual_transport config is set" {
-    run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
-    assert_success
+  run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
+  assert_success
 }
 
 @test "checking postfix-lmtp: delivers mail to existing account" {
@@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
   assert_success
   assert_output 1
 }
+
+#
+# PCI compliance
+#
+
+# dovecot
+@test "checking dovecot: only A grade TLS ciphers are used" {
+  run docker run --rm -i --link mail:dovecot \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
+  assert_success
+}
+
+@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
+  run docker run --rm -i --link mail:dovecot \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
+  assert_success
+  assert_output 0
+}
+
+# postfix
+@test "checking postfix: only A grade TLS ciphers are used" {
+  run docker run --rm -i --link mail:postfix \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
+  assert_success
+}
+
+@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
+  run docker run --rm -i --link mail:postfix \
+    --entrypoint sh instrumentisto/nmap -c \
+      'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
+  assert_success
+  assert_output 0
+}