Tests
This commit is contained in:
Noah Overcash
parent
a479b2015d
commit
33f82343cc
|
|
@ -57,5 +57,6 @@ function _handle_postfix_aliases_config() {
|
||||||
function _create_aliases() {
|
function _create_aliases() {
|
||||||
_handle_postfix_virtual_config
|
_handle_postfix_virtual_config
|
||||||
_handle_postfix_regexp_config
|
_handle_postfix_regexp_config
|
||||||
|
_handle_postfix_regexp_send_only_config
|
||||||
_handle_postfix_aliases_config
|
_handle_postfix_aliases_config
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1 @@
|
||||||
|
/^user3@localhost.localdomain/ user1@localhost.localdomain
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
From: Not_My_Business <user2@localhost.localdomain>
|
From: test123_alias <test123@localhost.localdomain>
|
||||||
To: Existing Local User <user1@localhost.localdomain>
|
To: Existing Local User <user1@localhost.localdomain>
|
||||||
Date: Sat, 22 May 2010 07:43:25 -0400
|
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||||
Subject: Test Message
|
Subject: Test Message
|
||||||
|
|
@ -0,0 +1,5 @@
|
||||||
|
From: User 1 <user1@localhost.localdomain>
|
||||||
|
To: Existing Local User <user1@localhost.localdomain>
|
||||||
|
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||||
|
Subject: Test Message
|
||||||
|
This is a test mail.
|
||||||
|
|
@ -0,0 +1,5 @@
|
||||||
|
From: User 3 <user3@localhost.localdomain>
|
||||||
|
To: Existing Local User <user3@localhost.localdomain>
|
||||||
|
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||||
|
Subject: Test Message
|
||||||
|
This is a test mail.
|
||||||
|
|
@ -0,0 +1,103 @@
|
||||||
|
load "${REPOSITORY_ROOT}/test/helper/common"
|
||||||
|
load "${REPOSITORY_ROOT}/test/helper/setup"
|
||||||
|
|
||||||
|
BATS_TEST_NAME_PREFIX='[Postfix] (sender spoofing) '
|
||||||
|
CONTAINER_NAME='dms-test_postfix-spoofing'
|
||||||
|
|
||||||
|
function setup_file() {
|
||||||
|
_init_with_defaults
|
||||||
|
|
||||||
|
local CUSTOM_SETUP_ARGUMENTS=(
|
||||||
|
--env SPOOF_PROTECTION=1
|
||||||
|
--env LOG_LEVEL=trace
|
||||||
|
--env SSL_TYPE='snakeoil'
|
||||||
|
)
|
||||||
|
|
||||||
|
_common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
|
||||||
|
|
||||||
|
_wait_for_service postfix
|
||||||
|
_wait_for_smtp_port_in_container_to_respond
|
||||||
|
}
|
||||||
|
|
||||||
|
function teardown_file() { _default_teardown ; }
|
||||||
|
|
||||||
|
# These tests ensure spoofing protection works, and that exceptions are available for aliases.
|
||||||
|
# user1 has aliases configured for the following accounts:
|
||||||
|
# - test\d* via /etc/postfix/regexp
|
||||||
|
# - alias1@localhost via /etc/postfix/virtual
|
||||||
|
# - user3@localhost via /etc/postfix/regexp-send-only
|
||||||
|
|
||||||
|
@test "allows forging as send-only alias" {
|
||||||
|
# An authenticated account should be able to send mail from a send-only alias,
|
||||||
|
# Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/regexp-send-only
|
||||||
|
_send_email \
|
||||||
|
--port 587 -tls --auth PLAIN \
|
||||||
|
--auth-user user1@localhost.localdomain \
|
||||||
|
--auth-password mypassword \
|
||||||
|
--ehlo mail \
|
||||||
|
--from user3@localhost.localdomain \
|
||||||
|
--data 'auth/added-smtp-auth-spoofed-from-user3.txt'
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'End data with'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "allows forging as regular alias" {
|
||||||
|
# An authenticated account should be able to send mail from an alias,
|
||||||
|
# Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/virtual
|
||||||
|
_send_email \
|
||||||
|
--port 587 -tls --auth PLAIN \
|
||||||
|
--auth-user user1@localhost.localdomain \
|
||||||
|
--auth-password mypassword \
|
||||||
|
--ehlo mail \
|
||||||
|
--from alias1@localhost.localdomain \
|
||||||
|
--data 'auth/added-smtp-auth-spoofed-from-alias1.txt'
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'End data with'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "allows forging as regular (regex) alias" {
|
||||||
|
# An authenticated account should be able to send mail from an alias,
|
||||||
|
# Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/regexp
|
||||||
|
_send_email \
|
||||||
|
--port 587 -tls --auth PLAIN \
|
||||||
|
--auth-user user1@localhost.localdomain \
|
||||||
|
--auth-password mypassword \
|
||||||
|
--ehlo mail \
|
||||||
|
--from test123@localhost.localdomain \
|
||||||
|
--data 'auth/added-smtp-auth-spoofed-from-test123.txt'
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'End data with'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "rejects sender forging" {
|
||||||
|
# An authenticated user cannot use an envelope sender (MAIL FROM)
|
||||||
|
# address they do not own according to `main.cf:smtpd_sender_login_maps` lookup
|
||||||
|
_send_email --expect-rejection \
|
||||||
|
--port 587 -tls --auth PLAIN \
|
||||||
|
--auth-user user3@localhost.localdomain \
|
||||||
|
--auth-password mypassword \
|
||||||
|
--ehlo mail \
|
||||||
|
--from user1@localhost.localdomain \
|
||||||
|
--data 'auth/added-smtp-auth-spoofed-from-user1.txt'
|
||||||
|
assert_output --partial 'Sender address rejected: not owned by user'
|
||||||
|
}
|
||||||
|
|
||||||
|
@test "send-only alias does not affect incoming mail" {
|
||||||
|
_send_email \
|
||||||
|
--port 587 -tls --auth PLAIN \
|
||||||
|
--auth-user user1@localhost.localdomain \
|
||||||
|
--auth-password mypassword \
|
||||||
|
--ehlo mail \
|
||||||
|
--from user1@localhost.localdomain \
|
||||||
|
--to user3@localhost.localdomain \
|
||||||
|
--data 'test-email.txt'
|
||||||
|
assert_success
|
||||||
|
assert_output --partial 'End data with'
|
||||||
|
|
||||||
|
_wait_for_empty_mail_queue_in_container
|
||||||
|
|
||||||
|
# would have an orig_to if it got forwarded
|
||||||
|
_service_log_should_contain_string 'mail' ': to=<user3@localhost.localdomain>'
|
||||||
|
assert_output --partial 'status=sent'
|
||||||
|
_should_output_number_of_lines 1
|
||||||
|
}
|
||||||
|
|
@ -281,39 +281,6 @@ EOF
|
||||||
assert_success
|
assert_success
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "spoofing: rejects sender forging" {
|
|
||||||
# rejection of spoofed sender
|
|
||||||
_wait_for_smtp_port_in_container_to_respond
|
|
||||||
|
|
||||||
# An authenticated user cannot use an envelope sender (MAIL FROM)
|
|
||||||
# address they do not own according to `main.cf:smtpd_sender_login_maps` lookup
|
|
||||||
_send_email --expect-rejection \
|
|
||||||
--port 465 -tlsc --auth PLAIN \
|
|
||||||
--auth-user added@localhost.localdomain \
|
|
||||||
--auth-password mypassword \
|
|
||||||
--ehlo mail \
|
|
||||||
--from user2@localhost.localdomain \
|
|
||||||
--data 'auth/added-smtp-auth-spoofed.txt'
|
|
||||||
assert_output --partial 'Sender address rejected: not owned by user'
|
|
||||||
}
|
|
||||||
|
|
||||||
@test "spoofing: accepts sending as alias" {
|
|
||||||
# An authenticated account should be able to send mail from an alias,
|
|
||||||
# Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/virtual
|
|
||||||
# The envelope sender address (MAIL FROM) is the lookup key
|
|
||||||
# to each table. Address is authorized when a result that maps to
|
|
||||||
# the DMS account is returned.
|
|
||||||
_send_email \
|
|
||||||
--port 465 -tlsc --auth PLAIN \
|
|
||||||
--auth-user user1@localhost.localdomain \
|
|
||||||
--auth-password mypassword \
|
|
||||||
--ehlo mail \
|
|
||||||
--from alias1@localhost.localdomain \
|
|
||||||
--data 'auth/added-smtp-auth-spoofed-alias.txt'
|
|
||||||
assert_success
|
|
||||||
assert_output --partial 'End data with'
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Pflogsumm delivery check
|
# Pflogsumm delivery check
|
||||||
#
|
#
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue