Tests

target/scripts/helpers/aliases.sh

@@ -57,5 +57,6 @@ function _handle_postfix_aliases_config() {
 function _create_aliases() {
   _handle_postfix_virtual_config
   _handle_postfix_regexp_config
+  _handle_postfix_regexp_send_only_config
   _handle_postfix_aliases_config
 }

test/config/postfix-regexp-send-only.cf

@@ -0,0 +1 @@
+/^user3@localhost.localdomain/ user1@localhost.localdomain

test/files/emails/auth/added-smtp-auth-spoofed-from-test123.txt

@@ -1,4 +1,4 @@
-From: Not_My_Business <user2@localhost.localdomain>
+From: test123_alias <test123@localhost.localdomain>
 To: Existing Local User <user1@localhost.localdomain>
 Date: Sat, 22 May 2010 07:43:25 -0400
 Subject: Test Message

test/files/emails/auth/added-smtp-auth-spoofed-from-user1.txt

@@ -0,0 +1,5 @@
+From: User 1 <user1@localhost.localdomain>
+To: Existing Local User <user1@localhost.localdomain>
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message
+This is a test mail.

test/files/emails/auth/added-smtp-auth-spoofed-from-user3.txt

@@ -0,0 +1,5 @@
+From: User 3 <user3@localhost.localdomain>
+To: Existing Local User <user3@localhost.localdomain>
+Date: Sat, 22 May 2010 07:43:25 -0400
+Subject: Test Message
+This is a test mail.

test/tests/parallel/set2/auth/spoofing.bats

@@ -0,0 +1,103 @@
+load "${REPOSITORY_ROOT}/test/helper/common"
+load "${REPOSITORY_ROOT}/test/helper/setup"
+
+BATS_TEST_NAME_PREFIX='[Postfix] (sender spoofing) '
+CONTAINER_NAME='dms-test_postfix-spoofing'
+
+function setup_file() {
+  _init_with_defaults
+
+  local CUSTOM_SETUP_ARGUMENTS=(
+    --env SPOOF_PROTECTION=1
+    --env LOG_LEVEL=trace
+    --env SSL_TYPE='snakeoil'
+  )
+
+  _common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
+
+  _wait_for_service postfix
+  _wait_for_smtp_port_in_container_to_respond
+}
+
+function teardown_file() { _default_teardown ; }
+
+# These tests ensure spoofing protection works, and that exceptions are available for aliases.
+# user1 has aliases configured for the following accounts:
+# - test\d* via /etc/postfix/regexp
+# - alias1@localhost via /etc/postfix/virtual
+# - user3@localhost via /etc/postfix/regexp-send-only
+
+@test "allows forging as send-only alias" {
+  # An authenticated account should be able to send mail from a send-only alias,
+  # Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/regexp-send-only
+  _send_email \
+    --port 587 -tls --auth PLAIN \
+    --auth-user user1@localhost.localdomain \
+    --auth-password mypassword \
+    --ehlo mail \
+    --from user3@localhost.localdomain \
+    --data 'auth/added-smtp-auth-spoofed-from-user3.txt'
+  assert_success
+  assert_output --partial 'End data with'
+}
+
+@test "allows forging as regular alias" {
+  # An authenticated account should be able to send mail from an alias,
+  # Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/virtual
+  _send_email \
+    --port 587 -tls --auth PLAIN \
+    --auth-user user1@localhost.localdomain \
+    --auth-password mypassword \
+    --ehlo mail \
+    --from alias1@localhost.localdomain \
+    --data 'auth/added-smtp-auth-spoofed-from-alias1.txt'
+  assert_success
+  assert_output --partial 'End data with'
+}
+
+@test "allows forging as regular (regex) alias" {
+  # An authenticated account should be able to send mail from an alias,
+  # Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/regexp
+  _send_email \
+    --port 587 -tls --auth PLAIN \
+    --auth-user user1@localhost.localdomain \
+    --auth-password mypassword \
+    --ehlo mail \
+    --from test123@localhost.localdomain \
+    --data 'auth/added-smtp-auth-spoofed-from-test123.txt'
+  assert_success
+  assert_output --partial 'End data with'
+}
+
+@test "rejects sender forging" {
+  # An authenticated user cannot use an envelope sender (MAIL FROM)
+  # address they do not own according to `main.cf:smtpd_sender_login_maps` lookup
+  _send_email --expect-rejection \
+    --port 587 -tls --auth PLAIN \
+    --auth-user user3@localhost.localdomain \
+    --auth-password mypassword \
+    --ehlo mail \
+    --from user1@localhost.localdomain \
+    --data 'auth/added-smtp-auth-spoofed-from-user1.txt'
+  assert_output --partial 'Sender address rejected: not owned by user'
+}
+
+@test "send-only alias does not affect incoming mail" {
+  _send_email \
+    --port 587 -tls --auth PLAIN \
+    --auth-user user1@localhost.localdomain \
+    --auth-password mypassword \
+    --ehlo mail \
+    --from user1@localhost.localdomain \
+    --to user3@localhost.localdomain \
+    --data 'test-email.txt'
+  assert_success
+  assert_output --partial 'End data with'
+
+  _wait_for_empty_mail_queue_in_container
+
+  # would have an orig_to if it got forwarded
+  _service_log_should_contain_string 'mail' ': to=<user3@localhost.localdomain>'
+  assert_output --partial 'status=sent'
+  _should_output_number_of_lines 1
+}

test/tests/serial/tests.bats

@@ -281,39 +281,6 @@ EOF
   assert_success
 }
 
-@test "spoofing: rejects sender forging" {
-  # rejection of spoofed sender
-  _wait_for_smtp_port_in_container_to_respond
-
-  # An authenticated user cannot use an envelope sender (MAIL FROM)
-  # address they do not own according to `main.cf:smtpd_sender_login_maps` lookup
-  _send_email --expect-rejection \
-    --port 465 -tlsc --auth PLAIN \
-    --auth-user added@localhost.localdomain \
-    --auth-password mypassword \
-    --ehlo mail \
-    --from user2@localhost.localdomain \
-    --data 'auth/added-smtp-auth-spoofed.txt'
-  assert_output --partial 'Sender address rejected: not owned by user'
-}
-
-@test "spoofing: accepts sending as alias" {
-  # An authenticated account should be able to send mail from an alias,
-  # Verifies `main.cf:smtpd_sender_login_maps` includes /etc/postfix/virtual
-  # The envelope sender address (MAIL FROM) is the lookup key
-  # to each table. Address is authorized when a result that maps to
-  # the DMS account is returned.
-  _send_email \
-    --port 465 -tlsc --auth PLAIN \
-    --auth-user user1@localhost.localdomain \
-    --auth-password mypassword \
-    --ehlo mail \
-    --from alias1@localhost.localdomain \
-    --data 'auth/added-smtp-auth-spoofed-alias.txt'
-  assert_success
-  assert_output --partial 'End data with'
-}
-
 #
 # Pflogsumm delivery check
 #