appyl PR feedback

2023-12-31 13:00:34 +01:00 · 2023-12-31 13:00:34 +01:00 · 394eace02b
parent 9e29a54a5a
commit 394eace02b
13 changed files with 74 additions and 62 deletions
--- a/docs/content/config/security/ssl.md
+++ b/docs/content/config/security/ssl.md
@ -880,7 +880,7 @@ Despite this, if you must use non-standard DH parameters or you would like to sw
 [docs-faq-baredomain]: ../../faq.md#can-i-use-a-nakedbare-domain-ie-no-hostname

 [github-file-compose]: https://github.com/docker-mailserver/docker-mailserver/blob/master/compose.yaml
-[github-file::tls-readme]: https://github.com/docker-mailserver/docker-mailserver/blob/3b8059f2daca80d967635e04d8d81e9abb755a4d/test/files/ssl/example.test/README.md
+[github-file::tls-readme]: https://github.com/docker-mailserver/docker-mailserver/blob/3b8059f2daca80d967635e04d8d81e9abb755a4d/test/test-files/ssl/example.test/README.md
 [hanscees-renewcerts]: https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-renew-certs

 [traefik::github]: https://github.com/containous/traefik
--- a/test/files/nc/postgrey_whitelist.txt
+++ b/test/files/nc/postgrey_whitelist.txt
@ -6,3 +6,4 @@ client_name=whitelist.tld
 helo_name=whitelist.tld
 sender=test@whitelist.tld
 recipient=user1@localhost.localdomain
+
--- a/test/helper/common.bash
+++ b/test/helper/common.bash
@ -480,7 +480,7 @@ function _nc_wrapper() {

  [[ -v CONTAINER_NAME ]] || return 1

-  _run_in_container_bash "nc ${NC_PARAMETERS} < ${FILE}"
+  _run_in_container_bash "nc ${NC_PARAMETERS} < /tmp/docker-mailserver-test/${FILE}"
 }

 # ? << Miscellaneous helper functions
--- a/test/helper/sending.bash
+++ b/test/helper/sending.bash
@ -12,10 +12,7 @@
 # and provide `<TEST FILE>` as an argument to this function.
 #
 # @param ${1} = template file (path) name without .txt suffix
-#               and without path prefix before the emails directory
-# @param ${2} = config file path name without .cfg suffix
-#               and without path prefix before the emails directory
-#               [OPTIONAL] (default: ${1})
+# @param ...  = options that `swaks` accepts
 #
 # ## Attention
 #
@ -29,7 +26,7 @@ function _send_email() {
  [[ -v CONTAINER_NAME ]] || return 1

  local HELO='mail.external.tld'
-  local FROM='example-user@example.test'
+  local FROM='user@external.tld'
  local TO='user1@localhost.localdomain'
  local SERVER='0.0.0.0'
  local PORT=25
--- a/test/tests/parallel/set1/dovecot/special_use_folders.bats
+++ b/test/tests/parallel/set1/dovecot/special_use_folders.bats
@ -27,7 +27,7 @@ function teardown_file() { _default_teardown ; }
 }

@test "(IMAP) special-use folders should be created when necessary" {
-  _nc_wrapper '/tmp/docker-mailserver-test/nc/imap_special_use_folders.txt' '-w 8 0.0.0.0 143'
+  _nc_wrapper 'nc/imap_special_use_folders.txt' '-w 8 0.0.0.0 143'
  assert_output --partial 'Drafts'
  assert_output --partial 'Junk'
  assert_output --partial 'Trash'
--- a/test/tests/parallel/set1/spam_virus/fail2ban.bats
+++ b/test/tests/parallel/set1/spam_virus/fail2ban.bats
@ -73,8 +73,8 @@ function teardown_file() {
@test "ban ip on multiple failed login" {
  CONTAINER1_IP=$(_get_container_ip "${CONTAINER1_NAME}")
  # Trigger a ban by failing to login twice:
-  CONTAINER_NAME=${CONTAINER2_NAME} _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' "${CONTAINER1_IP} 465"
-  CONTAINER_NAME=${CONTAINER2_NAME} _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' "${CONTAINER1_IP} 465"
+  CONTAINER_NAME=${CONTAINER2_NAME} _nc_wrapper 'auth/smtp-auth-login-wrong.txt' "${CONTAINER1_IP} 465"
+  CONTAINER_NAME=${CONTAINER2_NAME} _nc_wrapper 'auth/smtp-auth-login-wrong.txt' "${CONTAINER1_IP} 465"

  # Checking that CONTAINER2_IP is banned in "${CONTAINER1_NAME}"
  CONTAINER2_IP=$(_get_container_ip "${CONTAINER2_NAME}")
--- a/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats
+++ b/test/tests/parallel/set1/spam_virus/postgrey_enabled.bats
@ -85,7 +85,7 @@ function teardown_file() { _default_teardown ; }
 #   - It'd also cause the earlier greylist test to fail.
 # - TODO: Actually confirm whitelist feature works correctly as these test cases are using a workaround:
@test "should whitelist sender 'user@whitelist.tld'" {
-  _nc_wrapper '/tmp/docker-mailserver-test/nc/postgrey_whitelist.txt' '-w 0 0.0.0.0 10023'
+  _nc_wrapper 'nc/postgrey_whitelist.txt' '-w 0 0.0.0.0 10023'

  _should_have_log_entry \
    'action=pass' \
@ -94,7 +94,7 @@ function teardown_file() { _default_teardown ; }
 }

@test "should whitelist recipient 'user2@otherdomain.tld'" {
-  _nc_wrapper '/tmp/docker-mailserver-test/nc/postgrey_whitelist_recipients.txt' '-w 0 0.0.0.0 10023'
+  _nc_wrapper 'nc/postgrey_whitelist_recipients.txt' '-w 0 0.0.0.0 10023'

  _should_have_log_entry \
    'action=pass' \
--- a/test/tests/parallel/set1/spam_virus/postscreen.bats
+++ b/test/tests/parallel/set1/spam_virus/postscreen.bats
@ -13,37 +13,51 @@ function setup_file() {
  export CONTAINER_NAME

  CONTAINER_NAME=${CONTAINER1_NAME}
-  local CUSTOM_SETUP_ARGUMENTS=(--env POSTSCREEN_ACTION=enforce)
+  local CUSTOM_SETUP_ARGUMENTS=(
+    --env POSTSCREEN_ACTION=enforce
+  )
  _init_with_defaults
  _common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
  _wait_for_smtp_port_in_container

+  # A standard DMS instance to send mail from:
+  # NOTE: None of DMS is actually used for this (just bash + nc).
  CONTAINER_NAME=${CONTAINER2_NAME}
  _init_with_defaults
-  local CUSTOM_SETUP_ARGUMENTS=(--env PERMIT_DOCKER=host)
-  _common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
-  _wait_for_smtp_port_in_container
+  # No need to wait for DMS to be ready for this container:
+  _common_container_create
+  run docker start "${CONTAINER_NAME}"
+  assert_success
+
+  # Set default implicit container fallback for helpers:
+  CONTAINER_NAME=${CONTAINER_NAME}
 }

 function teardown_file() {
  docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
 }

-# Sending mail here is done in a dirty way intentionally.
+# `POSTSCREEN_ACTION=enforce` (DMS default) should reject delivery with a 550 SMTP reply
+# A legitimate mail client should speak SMTP by waiting it's turn,
+# Use `nc` to send all SMTP commands at once instead (misbehaving client that should be rejected)
@test 'should fail send when talking out of turn' {
-  CONTAINER_NAME=${CONTAINER1_NAME}
-  _run_in_container_bash "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/emails/nc_raw/postscreen.txt"
+  CONTAINER_NAME=${CONTAINER2_NAME} _nc_wrapper 'emails/nc_raw/postscreen.txt' "${CONTAINER1_IP} 25"
+  # Expected postscreen log entry:
  assert_output --partial 'Protocol error'

-  _run_in_container cat /var/log/mail/mail.log
-  assert_output --partial 'COMMAND PIPELINING'
-  assert_output --partial 'DATA without valid RCPT'
+  _service_log_should_contain_string 'mail' 'COMMAND PIPELINING'
+  _service_log_should_contain_string 'mail' 'DATA without valid RCPT'
 }

@test "should successfully pass postscreen and get postfix greeting message (respecting postscreen_greet_wait time)" {
-  CONTAINER_NAME=${CONTAINER2_NAME}
-  local MAIL_ID=$(_send_email_and_get_id 'postscreen')
+  # Send from mail client container (CONTAINER2_NAME) to DMS server container (CONTAINER1_NAME):
+  CONTAINER_NAME=${CONTAINER2_NAME} _send_email --server "${CONTAINER1_IP}" 'postscreen'
+  assert_success

-  _print_mail_log_for_id "${MAIL_ID}"
-  assert_output --partial "stored mail into mailbox 'INBOX'"
+    # TODO: Implement support for separate client and server containers:
+  # local MAIL_ID=$(_send_email_and_get_id 'postscreen')
+  # _print_mail_log_for_id "${MAIL_ID}"
+  # assert_output --partial "stored mail into mailbox 'INBOX'"
+
+  _service_log_should_contain_string 'mail' 'PASS NEW'
 }
--- a/test/tests/parallel/set1/spam_virus/rspamd_full.bats
+++ b/test/tests/parallel/set1/spam_virus/rspamd_full.bats
@ -256,7 +256,7 @@ function teardown_file() { _default_teardown ; }

  # Move an email to the "Junk" folder from "INBOX"; the first email we
  # sent should pass fine, hence we can now move it.
-  _nc_wrapper '/tmp/docker-mailserver-test/nc/rspamd_imap_move_to_junk.txt' '0.0.0.0 143'
+  _nc_wrapper 'nc/rspamd_imap_move_to_junk.txt' '0.0.0.0 143'
  sleep 1 # wait for the transaction to finish

  _run_in_container cat /var/log/mail/mail.log
@ -270,7 +270,7 @@ function teardown_file() { _default_teardown ; }
  # Move an email to the "INBOX" folder from "Junk"; there should be two mails
  # in the "Junk" folder, since the second email we sent during setup should
  # have landed in the Junk folder already.
-  _nc_wrapper '/tmp/docker-mailserver-test/nc/rspamd_imap_move_to_inbox.txt' '0.0.0.0 143'
+  _nc_wrapper 'nc/rspamd_imap_move_to_inbox.txt' '0.0.0.0 143'
  sleep 1 # wait for the transaction to finish

  _run_in_container cat /var/log/mail/mail.log
--- a/test/tests/parallel/set3/mta/dsn.bats
+++ b/test/tests/parallel/set3/mta/dsn.bats
@ -47,9 +47,9 @@ function teardown_file() {
@test "should always send a DSN when requested" {
  export CONTAINER_NAME=${CONTAINER1_NAME}

-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/unauthenticated.txt'
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
+  _nc_wrapper 'emails/nc_raw/dsn/unauthenticated.txt'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
  _wait_for_empty_mail_queue_in_container

  _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log
@ -60,7 +60,7 @@ function teardown_file() {
@test "should only send a DSN when requested from ports 465/587" {
  export CONTAINER_NAME=${CONTAINER2_NAME}

-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/unauthenticated.txt'
+  _nc_wrapper 'emails/nc_raw/dsn/unauthenticated.txt'
  _wait_for_empty_mail_queue_in_container

  # DSN requests can now only be made on ports 465 and 587,
@ -72,8 +72,8 @@ function teardown_file() {
  assert_failure

  # These ports are excluded via master.cf.
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
  _wait_for_empty_mail_queue_in_container

  _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log
@ -83,9 +83,9 @@ function teardown_file() {
@test "should never send a DSN" {
  export CONTAINER_NAME=${CONTAINER3_NAME}

-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/unauthenticated.txt'
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
-  _nc_wrapper '/tmp/docker-mailserver-test/emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
+  _nc_wrapper 'emails/nc_raw/dsn/unauthenticated.txt'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 465'
+  _nc_wrapper 'emails/nc_raw/dsn/authenticated.txt' '0.0.0.0 587'
  _wait_for_empty_mail_queue_in_container

  # DSN requests are rejected regardless of origin.
--- a/test/tests/parallel/set3/mta/smtp_delivery.bats
+++ b/test/tests/parallel/set3/mta/smtp_delivery.bats
@ -66,30 +66,30 @@ function setup_file() {
  # _send_email 'amavis-virus'

  # Required for 'delivers mail to existing alias':
-  _send_email --from user@external.tld --to alias1@localhost.localdomain 'existing/alias-external'
+  _send_email --to alias1@localhost.localdomain 'existing/alias-external'
  # Required for 'delivers mail to existing alias with recipient delimiter':
-  _send_email --from user@external.tld --to alias1~test@localhost.localdomain 'existing/alias-recipient-delimiter'
+  _send_email --to alias1~test@localhost.localdomain 'existing/alias-recipient-delimiter'
  # Required for 'delivers mail to existing catchall':
-  _send_email --from user@external.tld --to wildcard@localdomain2.com 'existing/catchall-local'
+  _send_email --to wildcard@localdomain2.com 'existing/catchall-local'
  # Required for 'delivers mail to regexp alias':
-  _send_email --from user@external.tld --to test123@localhost.localdomain 'existing/regexp-alias-local'
+  _send_email --to test123@localhost.localdomain 'existing/regexp-alias-local'

  # Required for 'rejects mail to unknown user':
-  _send_email --from user@external.tld --to nouser@localhost.localdomain 'non-existing-user'
+  _send_email --to nouser@localhost.localdomain 'non-existing-user'
  # Required for 'redirects mail to external aliases':
-  _send_email --from user@external.tld --to bounce-always@localhost.localdomain 'existing/regexp-alias-external'
-  _send_email --from user@external.tld --to alias2@localhost.localdomain 'existing/alias-local'
+  _send_email --to bounce-always@localhost.localdomain 'existing/regexp-alias-external'
+  _send_email --to alias2@localhost.localdomain 'existing/alias-local'
  # Required for 'rejects spam':
  _send_email 'amavis/spam'

  # Required for 'delivers mail to existing account':
  _send_email 'existing/user1'
-  _send_email --from user@external.tld --to user2@otherdomain.tld 'existing/user2'
-  _send_email --from user@external.tld --to user3@localhost.localdomain 'existing/user3'
-  _send_email --from user@external.tld --to added@localhost.localdomain 'existing/added'
-  _send_email --from user@external.tld --to user1@localhost.localdomain 'existing/user-and-cc-local-alias'
-  _send_email --from user@external.tld 'sieve/spam-folder'
-  _send_email --from user@external.tld --to user2@otherdomain.tld 'sieve/pipe'
+  _send_email --to user2@otherdomain.tld 'existing/user2'
+  _send_email --to user3@localhost.localdomain 'existing/user3'
+  _send_email --to added@localhost.localdomain 'existing/added'
+  _send_email --to user1@localhost.localdomain 'existing/user-and-cc-local-alias'
+  _send_email 'sieve/spam-folder'
+  _send_email --to user2@otherdomain.tld 'sieve/pipe'
  _run_in_container_bash 'sendmail root < /tmp/docker-mailserver-test/emails/sendmail/root-email.txt'
 }

@ -103,43 +103,43 @@ function setup_file() {
 }

@test "should successfully authenticate with good password (plain)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-plain.txt' '-w 5 0.0.0.0 465'
+  _nc_wrapper 'auth/smtp-auth-plain.txt' '-w 5 0.0.0.0 465'
  assert_output --partial 'Authentication successful'
 }

@test "should fail to authenticate with wrong password (plain)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-plain-wrong.txt' '-w 20 0.0.0.0 465'
+  _nc_wrapper 'auth/smtp-auth-plain-wrong.txt' '-w 20 0.0.0.0 465'
  assert_output --partial 'authentication failed'
 }

@test "should successfully authenticate with good password (login)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login.txt' '-w 5 0.0.0.0 465'
+  _nc_wrapper 'auth/smtp-auth-login.txt' '-w 5 0.0.0.0 465'
  assert_output --partial 'Authentication successful'
 }

@test "should fail to authenticate with wrong password (login)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt' '-w 20 0.0.0.0 465'
+  _nc_wrapper 'auth/smtp-auth-login-wrong.txt' '-w 20 0.0.0.0 465'
  assert_output --partial 'authentication failed'
 }

@test "[user: 'added'] should successfully authenticate with good password (plain)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/added-smtp-auth-plain.txt' '-w 5 0.0.0.0 465'
+  _nc_wrapper 'auth/added-smtp-auth-plain.txt' '-w 5 0.0.0.0 465'
  assert_output --partial 'Authentication successful'
 }

@test "[user: 'added'] should fail to authenticate with wrong password (plain)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/added-smtp-auth-plain-wrong.txt' '-w 20 0.0.0.0 465'
+  _nc_wrapper 'auth/added-smtp-auth-plain-wrong.txt' '-w 20 0.0.0.0 465'
  assert_output --partial 'authentication failed'
 }

@test "[user: 'added'] should successfully authenticate with good password (login)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/added-smtp-auth-login.txt' '-w 5 0.0.0.0 465'
+  _nc_wrapper 'auth/added-smtp-auth-login.txt' '-w 5 0.0.0.0 465'
  assert_success
  assert_output --partial 'Authentication successful'
 }

@test "[user: 'added'] should fail to authenticate with wrong password (login)" {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/added-smtp-auth-login-wrong.txt' '-w 20 0.0.0.0 465'
+  _nc_wrapper 'auth/added-smtp-auth-login-wrong.txt' '-w 20 0.0.0.0 465'
  assert_output --partial 'authentication failed'
 }

--- a/test/tests/serial/mail_with_imap.bats
+++ b/test/tests/serial/mail_with_imap.bats
@ -30,13 +30,13 @@ function teardown_file() { _default_teardown ; }
 }

@test '(SASLauthd) RIMAP SMTP authentication works' {
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login.txt' '-w 5 0.0.0.0 25'
+  _nc_wrapper 'auth/smtp-auth-login.txt' '-w 5 0.0.0.0 25'
  assert_output --partial 'Error: authentication not enabled'

-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login.txt' '-w 5 0.0.0.0 465'
+  _nc_wrapper 'auth/smtp-auth-login.txt' '-w 5 0.0.0.0 465'
  assert_output --partial 'Authentication successful'

-  _nc_wrapper '/tmp/docker-mailserver-test/auth/smtp-auth-login.txt' '-w 5 0.0.0.0 587'
+  _nc_wrapper 'auth/smtp-auth-login.txt' '-w 5 0.0.0.0 587'
  assert_output --partial 'Authentication successful'
 }

--- a/test/tests/serial/mail_with_ldap.bats
+++ b/test/tests/serial/mail_with_ldap.bats
@ -348,7 +348,7 @@ function teardown() {
@test "saslauthd: ldap smtp authentication" {
  # do not use _send_email here
  # Requires ENV `PERMIT_DOCKER=container`
-  _nc_wrapper '/tmp/docker-mailserver-test/auth/sasl-ldap-smtp-auth.txt' '-w 5 0.0.0.0 25'
+  _nc_wrapper 'auth/sasl-ldap-smtp-auth.txt' '-w 5 0.0.0.0 25'
  assert_output --partial 'Error: authentication not enabled'

  # do not use _send_email here