Skynet/misc_nixos-mailserver
7
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

tests: test for the expected maildir and index dir locations

Browse source 
These are not ideal yet, but we should make them a fixture, so that we
are always aware what they are for the different supported setups.
This commit is contained in:
Martin Weinelt 2025-06-20 04:56:09 +02:00
parent f25495cabf
commit 3c1cff431c
No known key found for this signature in database
GPG key ID: 87C1E9888F856759
2 changed files with 214 additions and 193 deletions
Download patch file Download diff file Expand all files Collapse all files

213
tests/internal.nix
View file

@ -100,117 +100,128 @@ in
vmailGroupName = "vmail"; vmailGroupName = "vmail";
vmailUID = 5000; vmailUID = 5000;
indexDir = "/var/lib/dovecot/indices";
enableImap = false; enableImap = false;
}; };
}; };
}; };
testScript = '' testScript =
machine.start() {
machine.wait_for_unit("multi-user.target") nodes,
...
}:
''
machine.start()
machine.wait_for_unit("multi-user.target")
# Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205 # Regression test for https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/issues/205
with subtest("mail forwarded can are locally kept"): with subtest("mail forwarded can are locally kept"):
# A mail sent to user2@example.com is in the user1@example.com mailbox # A mail sent to user2@example.com is in the user1@example.com mailbox
machine.succeed( machine.succeed(
" ".join( " ".join(
[ [
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--imap-host localhost", "--imap-host localhost",
"--imap-username user1@example.com", "--imap-username user1@example.com",
"--from-addr user1@example.com", "--from-addr user1@example.com",
"--to-addr user2@example.com", "--to-addr user2@example.com",
"--src-password-file ${passwordFile}", "--src-password-file ${passwordFile}",
"--dst-password-file ${passwordFile}", "--dst-password-file ${passwordFile}",
"--ignore-dkim-spf", "--ignore-dkim-spf",
] ]
) )
) )
# A mail sent to user2@example.com is in the user2@example.com mailbox # A mail sent to user2@example.com is in the user2@example.com mailbox
machine.succeed( machine.succeed(
" ".join( " ".join(
[ [
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--imap-host localhost", "--imap-host localhost",
"--imap-username user2@example.com", "--imap-username user2@example.com",
"--from-addr user1@example.com", "--from-addr user1@example.com",
"--to-addr user2@example.com", "--to-addr user2@example.com",
"--src-password-file ${passwordFile}", "--src-password-file ${passwordFile}",
"--dst-password-file ${passwordFile}", "--dst-password-file ${passwordFile}",
"--ignore-dkim-spf", "--ignore-dkim-spf",
] ]
) )
) )
with subtest("regex email alias are received"): with subtest("regex email alias are received"):
# A mail sent to user2-regex-alias@domain.com is in the user2@example.com mailbox # A mail sent to user2-regex-alias@domain.com is in the user2@example.com mailbox
machine.succeed( machine.succeed(
" ".join( " ".join(
[ [
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--imap-host localhost", "--imap-host localhost",
"--imap-username user2@example.com", "--imap-username user2@example.com",
"--from-addr user1@example.com", "--from-addr user1@example.com",
"--to-addr user2-regex-alias@domain.com", "--to-addr user2-regex-alias@domain.com",
"--src-password-file ${passwordFile}", "--src-password-file ${passwordFile}",
"--dst-password-file ${passwordFile}", "--dst-password-file ${passwordFile}",
"--ignore-dkim-spf", "--ignore-dkim-spf",
] ]
) )
) )
with subtest("user can send from regex email alias"): with subtest("user can send from regex email alias"):
# A mail sent from user2-regex-alias@domain.com, using user2@example.com credentials is received # A mail sent from user2-regex-alias@domain.com, using user2@example.com credentials is received
machine.succeed( machine.succeed(
" ".join( " ".join(
[ [
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--imap-host localhost", "--imap-host localhost",
"--smtp-username user2@example.com", "--smtp-username user2@example.com",
"--from-addr user2-regex-alias@domain.com", "--from-addr user2-regex-alias@domain.com",
"--to-addr user1@example.com", "--to-addr user1@example.com",
"--src-password-file ${passwordFile}", "--src-password-file ${passwordFile}",
"--dst-password-file ${passwordFile}", "--dst-password-file ${passwordFile}",
"--ignore-dkim-spf", "--ignore-dkim-spf",
] ]
) )
) )
with subtest("vmail gid is set correctly"): with subtest("vmail gid is set correctly"):
machine.succeed("getent group vmail | grep 5000") machine.succeed("getent group vmail | grep 5000")
with subtest("mail to send only accounts is rejected"): with subtest("Check dovecot maildir and index locations"):
machine.wait_for_open_port(25) # If these paths change we need a migration
# TODO put this blocking into the systemd units machine.succeed("doveadm user -f home user1@example.com | grep ${nodes.machine.config.mailserver.mailDirectory}/example.com/user1")
machine.wait_until_succeeds( machine.succeed("doveadm user -f mail user1@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.config.mailserver.indexDir}/example.com/user1'")
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
)
machine.succeed(
"cat ${sendMail} | nc localhost 25 | grep -q '554 5.5.0 Error'"
)
with subtest("rspamd controller serves web ui"): with subtest("mail to send only accounts is rejected"):
machine.succeed( machine.wait_for_open_port(25)
"set +o pipefail; curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'" # TODO put this blocking into the systemd units
) machine.wait_until_succeeds(
"set +e; timeout 1 nc -U /run/rspamd/rspamd-milter.sock < /dev/null; [ $? -eq 124 ]"
)
machine.succeed(
"cat ${sendMail} | nc localhost 25 | grep -q '554 5.5.0 Error'"
)
with subtest("imap port 143 is closed and imaps is serving SSL"): with subtest("rspamd controller serves web ui"):
machine.wait_for_closed_port(143) machine.succeed(
machine.wait_for_open_port(993) "set +o pipefail; curl --unix-socket /run/rspamd/worker-controller.sock http://localhost/ | grep -q '<body>'"
machine.succeed( )
"echo | openssl s_client -connect localhost:993 | grep 'New, TLS'"
) with subtest("imap port 143 is closed and imaps is serving SSL"):
''; machine.wait_for_closed_port(143)
machine.wait_for_open_port(993)
machine.succeed(
"echo | openssl s_client -connect localhost:993 | grep 'New, TLS'"
)
'';
} }

194
tests/ldap.nix
View file

@ -90,6 +90,7 @@ in
fqdn = "mail.example.com"; fqdn = "mail.example.com";
domains = [ "example.com" ]; domains = [ "example.com" ];
localDnsResolver = false; localDnsResolver = false;
indexDir = "/var/lib/dovecot/indices";
ldap = { ldap = {
enable = true; enable = true;
@ -115,107 +116,116 @@ in
}; };
}; };
}; };
testScript = '' testScript =
import sys {
import re nodes,
...
}:
''
import sys
import re
machine.start() machine.start()
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
# This function retrieves the ldap table file from a postconf # This function retrieves the ldap table file from a postconf
# command. # command.
# A key lookup is achived and the returned value is compared # A key lookup is achived and the returned value is compared
# to the expected value. # to the expected value.
def test_lookup(postconf_cmdline, key, expected): def test_lookup(postconf_cmdline, key, expected):
conf = machine.succeed(postconf_cmdline).rstrip() conf = machine.succeed(postconf_cmdline).rstrip()
ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1) ldap_table_path = re.match('.* =.*ldap:(.*)', conf).group(1)
value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip() value = machine.succeed(f"postmap -q {key} ldap:{ldap_table_path}").rstrip()
try: try:
assert value == expected assert value == expected
except AssertionError: except AssertionError:
print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr) print(f"Expected {conf} lookup for key '{key}' to return '{expected}, but got '{value}'", file=sys.stderr)
raise raise
with subtest("Test postmap lookups"): with subtest("Test postmap lookups"):
test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com") test_lookup("postconf virtual_mailbox_maps", "alice@example.com", "alice@example.com")
test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com") test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "alice@example.com", "alice@example.com")
test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com") test_lookup("postconf virtual_mailbox_maps", "bob@example.com", "bob@example.com")
test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com") test_lookup("postconf -P submission/inet/smtpd_sender_login_maps", "bob@example.com", "bob@example.com")
with subtest("Test doveadm lookups"): with subtest("Test doveadm lookups"):
machine.succeed("doveadm user -u alice@example.com") machine.succeed("doveadm user -u alice@example.com")
machine.succeed("doveadm user -u bob@example.com") machine.succeed("doveadm user -u bob@example.com")
with subtest("Files containing secrets are only readable by root"): with subtest("Files containing secrets are only readable by root"):
machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'") machine.succeed("ls -l /run/postfix/*.cf | grep -e '-rw------- 1 root root'")
machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'") machine.succeed("ls -l /run/dovecot2/dovecot-ldap.conf.ext | grep -e '-rw------- 1 root root'")
with subtest("Test account/mail address binding"): with subtest("Test account/mail address binding"):
machine.fail(" ".join([ machine.fail(" ".join([
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username alice@example.com", "--smtp-username alice@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username bob@example.com", "--imap-username bob@example.com",
"--from-addr bob@example.com", "--from-addr bob@example.com",
"--to-addr aliceb@example.com", "--to-addr aliceb@example.com",
"--src-password-file <(echo '${alicePassword}')", "--src-password-file <(echo '${alicePassword}')",
"--dst-password-file <(echo '${bobPassword}')", "--dst-password-file <(echo '${bobPassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'") machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user alice@example.com'")
with subtest("Test mail delivery"): with subtest("Test mail delivery"):
machine.succeed(" ".join([ machine.succeed(" ".join([
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username alice@example.com", "--smtp-username alice@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username bob@example.com", "--imap-username bob@example.com",
"--from-addr alice@example.com", "--from-addr alice@example.com",
"--to-addr bob@example.com", "--to-addr bob@example.com",
"--src-password-file <(echo '${alicePassword}')", "--src-password-file <(echo '${alicePassword}')",
"--dst-password-file <(echo '${bobPassword}')", "--dst-password-file <(echo '${bobPassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
with subtest("Test mail forwarding works"): with subtest("Test mail forwarding works"):
machine.succeed(" ".join([ machine.succeed(" ".join([
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username alice@example.com", "--smtp-username alice@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username bob@example.com", "--imap-username bob@example.com",
"--from-addr alice@example.com", "--from-addr alice@example.com",
"--to-addr bob_fw@example.com", "--to-addr bob_fw@example.com",
"--src-password-file <(echo '${alicePassword}')", "--src-password-file <(echo '${alicePassword}')",
"--dst-password-file <(echo '${bobPassword}')", "--dst-password-file <(echo '${bobPassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
with subtest("Test cannot send mail from forwarded address"): with subtest("Test cannot send mail from forwarded address"):
machine.fail(" ".join([ machine.fail(" ".join([
"mail-check send-and-read", "mail-check send-and-read",
"--smtp-port 587", "--smtp-port 587",
"--smtp-starttls", "--smtp-starttls",
"--smtp-host localhost", "--smtp-host localhost",
"--smtp-username bob@example.com", "--smtp-username bob@example.com",
"--imap-host localhost", "--imap-host localhost",
"--imap-username alice@example.com", "--imap-username alice@example.com",
"--from-addr bob_fw@example.com", "--from-addr bob_fw@example.com",
"--to-addr alice@example.com", "--to-addr alice@example.com",
"--src-password-file <(echo '${bobPassword}')", "--src-password-file <(echo '${bobPassword}')",
"--dst-password-file <(echo '${alicePassword}')", "--dst-password-file <(echo '${alicePassword}')",
"--ignore-dkim-spf" "--ignore-dkim-spf"
])) ]))
machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'") machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'")
''; with subtest("Check dovecot mail and index locations"):
# If these paths change we need a migration
machine.succeed("doveadm user -f home bob@example.com | grep ${nodes.machine.config.mailserver.mailDirectory}/ldap/bob@example.com")
machine.succeed("doveadm user -f mail bob@example.com | grep 'maildir:~/mail:INDEX=${nodes.machine.config.mailserver.indexDir}/ldap/bob@example.com'")
'';
} }