From f60de0c66e3a9a847d5643f45607e032fa7f9ecc Mon Sep 17 00:00:00 2001 From: youtous Date: Wed, 22 Apr 2020 00:28:57 +0200 Subject: [PATCH 01/10] init tests cases ffdhe4096 --- target/shared/ffdhe4096.pem | 13 +++++++++++++ target/shared/ffdhe4096.pem.sha512sum | 1 + test/tests.bats | 10 ++++++++++ 3 files changed, 24 insertions(+) create mode 100644 target/shared/ffdhe4096.pem create mode 100644 target/shared/ffdhe4096.pem.sha512sum diff --git a/target/shared/ffdhe4096.pem b/target/shared/ffdhe4096.pem new file mode 100644 index 00000000..3cf0fcbc --- /dev/null +++ b/target/shared/ffdhe4096.pem @@ -0,0 +1,13 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3 +7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32 +nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e +8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx +iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K +zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI= +-----END DH PARAMETERS----- diff --git a/target/shared/ffdhe4096.pem.sha512sum b/target/shared/ffdhe4096.pem.sha512sum new file mode 100644 index 00000000..0b9412b7 --- /dev/null +++ b/target/shared/ffdhe4096.pem.sha512sum @@ -0,0 +1 @@ +716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25 ffdhe4096.pem diff --git a/test/tests.bats b/test/tests.bats index 986a2271..d48fb168 100644 --- a/test/tests.bats +++ b/test/tests.bats 
@@ -667,6 +667,16 @@ EOF assert_success } +@test "checking ssl: checking dhe params are sufficient" { + # reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls + skip 'todo : check checksum same as mozilla' + # todo : + # - test case mail uses ffdhe by default + # - test case mail uses custom dhe ==> SET WARNING IN LOGS + + # todo : remove dhe generation +} + # # postsrsd # From 47fac2706f4228c135bdc60cd1d20752f7032adc Mon Sep 17 00:00:00 2001 From: youtous Date: Wed, 22 Apr 2020 11:06:03 +0200 Subject: [PATCH 02/10] use ffdhe4096 for DHE params use by default ffdhe4096 for DHE params use by default ffdhe4096 for DHE params --- Dockerfile | 3 ++ target/dovecot/10-ssl.conf | 5 ++- target/start-mailserver.sh | 48 ++++++++++++++++----------- test/config/dhparams.pem | 8 ----- test/config/dovecot-lmtp/dh.pem | 8 ----- test/config/relay-hosts/dhparams.pem | 8 ----- test/mail_manual_dhparams.bats | 49 ++++++++++++++++++++++++++++ test/test-files/ssl/ffdhe2048.pem | 8 +++++ test/tests.bats | 17 +++++++--- 9 files changed, 103 insertions(+), 51 deletions(-) delete mode 100644 test/config/dhparams.pem delete mode 100644 test/config/dovecot-lmtp/dh.pem delete mode 100644 test/config/relay-hosts/dhparams.pem create mode 100644 test/mail_manual_dhparams.bats create mode 100644 test/test-files/ssl/ffdhe2048.pem diff --git a/Dockerfile b/Dockerfile index af6c4151..bbb90ea3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -163,6 +163,9 @@ RUN chmod 755 /etc/init.d/postgrey && \ # Copy PostSRSd Config COPY target/postsrsd/postsrsd /etc/default/postsrsd +# Copy shared ffdhe params +COPY target/shared/ffdhe4096.pem /etc/postfix/shared/ffdhe4096.pem + # Enables Amavis COPY target/amavis/conf.d/* /etc/amavis/conf.d/ RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \ 
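Review bot: `COPY target/shared/ffdhe4096.pem /etc/postfix/shared/ffdhe4096.pem` ships the group parameters into the image without ever checking them against the `target/shared/ffdhe4096.pem.sha512sum` pin that this same series adds; the only integrity check visible in the series is the bats test that fetches Mozilla's copy over the network, so a tampered or truncated file in a build context that is never run through the test suite goes straight into every deployment's TLS configuration. Verifying the pin at build time costs one layer and makes the build itself fail on a mismatch: `COPY target/shared/ffdhe4096.pem target/shared/ffdhe4096.pem.sha512sum /etc/postfix/shared/` followed by `RUN cd /etc/postfix/shared && sha512sum -c ffdhe4096.pem.sha512sum && rm ffdhe4096.pem.sha512sum`. This presumes the hash recorded in the pin file is itself correct, which the diff does not let me confirm. A comment above the COPY naming the source, `# RFC 7919 ffdhe4096 group as published by Mozilla's ssl-config generator; pinned by the adjacent .sha512sum, do not regenerate`, would also tell the next maintainer why this file must not be replaced by an `openssl dhparam` output.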
diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf index 25213a90..7b4c4ec7 100644 --- a/target/dovecot/10-ssl.conf +++ b/target/dovecot/10-ssl.conf @@ -43,9 +43,8 @@ ssl_key = SET WARNING IN LOGS - # todo : remove dhe generation + # check ffdhe params are inchanged + repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}') + mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}') + assert_equal "$repo_checksum" "$mozilla_checksum" + run echo "$repo_checksum" + refute_output '' # checksum must not be empty + + # by default, ffdhe4096 should be used + docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}') + docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}') + assert_equal "$docker_dovecot_checksum" "$repo_checksum" + assert_equal "$docker_postfix_checksum" "$repo_checksum" } # From 03b8f87ffcd174b8318330f3a269810d255307c9 Mon Sep 17 00:00:00 2001 From: youtous Date: Sun, 26 Apr 2020 21:34:11 +0200 Subject: [PATCH 03/10] update dovecot conf comment --- target/dovecot/10-ssl.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/target/dovecot/10-ssl.conf b/target/dovecot/10-ssl.conf index 7b4c4ec7..8652ef19 100644 --- a/target/dovecot/10-ssl.conf +++ b/target/dovecot/10-ssl.conf @@ -43,8 +43,8 @@ ssl_key = Date: Sun, 26 Apr 2020 21:36:03 +0200 Subject: [PATCH 04/10] test dhparams ONE_DIR both cases --- Makefile | 2 +- test/mail_dhparams_default.bats | 67 +++++++++++++++++++ test/mail_dhparams_manual_not_one_dir.bats | 53 +++++++++++++++ ...bats => mail_dhparams_manual_one_dir.bats} | 18 ++--- test/tests.bats | 17 ----- 5 files changed, 130 insertions(+), 27 deletions(-) create mode 100644 test/mail_dhparams_default.bats create mode 100644 test/mail_dhparams_manual_not_one_dir.bats rename test/{mail_manual_dhparams.bats => mail_dhparams_manual_one_dir.bats} (58%) 
diff --git a/Makefile b/Makefile index 77fbb165..dcd0e122 100644 --- a/Makefile +++ b/Makefile @@ -155,4 +155,4 @@ clean: sudo rm -rf test/config ;\ mv testconfig.bak test/config ;\ fi - -sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf + -sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf test/config/dhparams.pem diff --git a/test/mail_dhparams_default.bats b/test/mail_dhparams_default.bats new file mode 100644 index 00000000..bfc18db2 --- /dev/null +++ b/test/mail_dhparams_default.bats 
@@ -0,0 +1,67 @@
+load 'test_helper/common'
+
+function setup() {
+ run_setup_file_if_necessary
+}
+
+function teardown() {
+ run_teardown_file_if_necessary
+}
+
+function setup_file() {
+ docker run -d --name mail_default_dhparams_one_dir \
+ -v "`pwd`/test/config":/tmp/docker-mailserver \
+ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+ -e DMS_DEBUG=0 \
+ -e ONE_DIR=1 \
+ -h mail.my-domain.com -t ${NAME}
+
+ docker run -d --name mail_default_dhparams_not_one_dir \
+ -v "`pwd`/test/config":/tmp/docker-mailserver \
+ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+ -e DMS_DEBUG=0 \
+ -e ONE_DIR=0 \
+ -h mail.my-domain.com -t ${NAME}
+
+ wait_for_finished_setup_in_container mail_default_dhparams_one_dir
+ wait_for_finished_setup_in_container mail_default_dhparams_not_one_dir
+}
+
+function teardown_file() {
+ docker rm -f mail_default_dhparams_one_dir
+ docker rm -f mail_default_dhparams_not_one_dir
+}
+
+@test "first" {
+ skip 'this test must come first to reliably identify when to run setup_file'
+}
+
+@test "checking ssl: checking dhe params are sufficient" {
+ # reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
+
+ # check ffdhe params are inchanged
+ repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
+ mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
+ assert_equal "$repo_checksum" "$mozilla_checksum"
+ run echo "$repo_checksum"
+ refute_output '' # checksum must not be empty
+
+ # by default, ffdhe4096 should be used
+
+ # ONE_DIR=1
+ docker_dovecot_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+ docker_postfix_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+ assert_equal "$docker_dovecot_checksum_one_dir" "$repo_checksum"
+ assert_equal "$docker_postfix_checksum_one_dir" "$repo_checksum"
+
+ # ONE_DIR=0
+ docker_dovecot_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+ docker_postfix_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+ assert_equal "$docker_dovecot_checksum_not_one_dir" "$repo_checksum"
+ assert_equal "$docker_postfix_checksum_not_one_dir" "$repo_checksum"
+}
+
+
+@test "last" {
+ skip 'this test is only there to reliably mark the end for the teardown_file'
+}
diff --git a/test/mail_dhparams_manual_not_one_dir.bats b/test/mail_dhparams_manual_not_one_dir.bats
new file mode 100644
index 00000000..620bec0a
--- /dev/null
+++ b/test/mail_dhparams_manual_not_one_dir.bats
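Review bot: `mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')` has neither `--fail` nor `-S`, so an HTTP error page or an offline runner is silently hashed and the test dies on an opaque checksum mismatch rather than a visible download failure, and the integrity check cannot run at all without network access. Use `curl -sSf https://ssl-config.mozilla.org/ffdhe4096.txt` so transport problems surface as such, and first check the repository copy against the pin this same series ships but never uses, `run sh -c "cd target/shared && sha512sum -c ffdhe4096.pem.sha512sum"` followed by `assert_success`, which gives an offline baseline with the Mozilla fetch as the secondary check that the pinned file is still the published one (this assumes the pinned hash is itself right, which I cannot verify from the diff). The assertions below only prove the file landed at `/etc/dovecot/dh.pem` and `/etc/postfix/dhparams.pem`; that the daemons actually read those paths is set in the dovecot and postfix configuration hunks, which are not legible in this series, so an assertion on `postconf -h smtpd_tls_dh1024_param_file` and on dovecot's `ssl_dh` setting would close that gap.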
@@ -0,0 +1,53 @@
+load 'test_helper/common'
+
+function setup() {
+ run_setup_file_if_necessary
+}
+
+function teardown() {
+ run_teardown_file_if_necessary
+}
+
+function setup_file() {
+ # copy the custom DHE params in local config
+ cp `pwd`/test/test-files/ssl/ffdhe2048.pem `pwd`/test/config/dhparams.pem
+
+ docker run -d --name mail_manual_dhparams_not_one_dir \
+ -v "`pwd`/test/config":/tmp/docker-mailserver \
+ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
+ -e DMS_DEBUG=0 \
+ -e ONE_DIR=0 \
+ -h mail.my-domain.com -t ${NAME}
+
+ wait_for_finished_setup_in_container mail_manual_dhparams_not_one_dir
+}
+
+function teardown_file() {
+ # remove custom dhe file
+ rm `pwd`/test/config/dhparams.pem
+ docker rm -f mail_manual_dhparams_not_one_dir
+}
+
+@test "first" {
+ skip 'this test must come first to reliably identify when to run setup_file'
+}
+
+@test "checking dhparams: ONE_DIR=0 check manual dhparams is used" {
+ test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}')
+ run echo "$test_checksum"
+ refute_output '' # checksum must not be empty
+
+ docker_dovecot_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
+ docker_postfix_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
+ assert_equal "$docker_dovecot_checksum" "$test_checksum"
+ assert_equal "$docker_postfix_checksum" "$test_checksum"
+}
+
+@test "checking dhparams: ONE_DIR=0 check warning output when using manual dhparams" {
+ run sh -c "docker logs mail_manual_dhparams_not_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
+ assert_success
+}
+
+@test "last" {
+ skip 'this test is only there to reliably mark the end for the teardown_file'
+}
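Review bot: The `cp` in setup_file drops the custom parameters into `test/config`, the same directory that mail_dhparams_default.bats bind-mounts for its two containers on the assumption that no `dhparams.pem` is present; if the suites run concurrently, or this one aborts before teardown_file, the default suite boots with the custom file and its ffdhe4096 assertions fail for reasons unrelated to the code under test (the `clean` target now deleting `test/config/dhparams.pem` suggests such leftovers already occur). Stage a per-suite copy instead, `cp -r "$(pwd)/test/config" "$(pwd)/test/config-dhparams"` in setup_file, mount it with `-v "$(pwd)/test/config-dhparams":/tmp/docker-mailserver \`, and `rm -rf` it in teardown_file; using `rm -f` for the cleanup also keeps a missing file from failing the teardown before `docker rm -f` runs. Separately, the fixture used here is the RFC 7919 ffdhe2048 group rather than anything self-generated, so the asserted log text `Using self-generated dhparams is considered as insecure` (emitted by start-mailserver.sh, whose hunk is not legible in this series) is inaccurate for user-supplied standard groups and is worth rewording at its source, with this grep updated to match.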
diff --git a/test/mail_manual_dhparams.bats b/test/mail_dhparams_manual_one_dir.bats similarity index 58% rename from test/mail_manual_dhparams.bats rename to test/mail_dhparams_manual_one_dir.bats index bd068f98..1496172d 100644 --- a/test/mail_manual_dhparams.bats +++ b/test/mail_dhparams_manual_one_dir.bats 
@@ -9,38 +9,38 @@ function teardown() { } function setup_file() { - docker run -d --name mail_manual_dhparams \ + docker run -d --name mail_manual_dhparams_one_dir \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ -v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \ -e DMS_DEBUG=0 \ -e ONE_DIR=1 \ -h mail.my-domain.com -t ${NAME} - wait_for_finished_setup_in_container mail_manual_dhparams + + wait_for_finished_setup_in_container mail_manual_dhparams_one_dir } function teardown_file() { - skip - docker rm -f mail_manual_dhparams + docker rm -f mail_manual_dhparams_one_dir } @test "first" { skip 'this test must come first to reliably identify when to run setup_file' } -@test "checking dhparams: check manual dhparams is used" { +@test "checking dhparams: ONE_DIR=1 check manual dhparams is used" { test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}') run echo "$test_checksum" refute_output '' # checksum must not be empty - docker_dovecot_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/dovecot/dh.pem | awk '{print $1}') - docker_postfix_checksum=$(docker exec mail_manual_dhparams sha512sum /etc/postfix/dhparams.pem | awk '{print $1}') + docker_dovecot_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}') + docker_postfix_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}') assert_equal "$docker_dovecot_checksum" "$test_checksum" assert_equal "$docker_postfix_checksum" "$test_checksum" } -@test "checking dhparams: check warning output when using manual dhparams" { - run sh -c "docker logs mail_manual_dhparams | grep 'Using self-generated dhparams is considered as insecure'" +@test "checking dhparams: ONE_DIR=1 check warning output when using manual dhparams" { + run sh -c "docker logs mail_manual_dhparams_one_dir | grep 'Using 
self-generated dhparams is considered as insecure'" assert_success } diff --git a/test/tests.bats b/test/tests.bats index 3e57c69d..986a2271 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -667,23 +667,6 @@ EOF assert_success } -@test "checking ssl: checking dhe params are sufficient" { - # reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls - - # check ffdhe params are inchanged - repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}') - mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}') - assert_equal "$repo_checksum" "$mozilla_checksum" - run echo "$repo_checksum" - refute_output '' # checksum must not be empty - - # by default, ffdhe4096 should be used - docker_dovecot_checksum=$(docker exec mail sha512sum /etc/dovecot/dh.pem | awk '{print $1}') - docker_postfix_checksum=$(docker exec mail sha512sum /etc/postfix/dhparams.pem | awk '{print $1}') - assert_equal "$docker_dovecot_checksum" "$repo_checksum" - assert_equal "$docker_postfix_checksum" "$repo_checksum" -} - # # postsrsd # From dff7355fa9c03111cdf841bf0662e1a026f43fd5 Mon Sep 17 00:00:00 2001 From: youtous Date: Sun, 26 Apr 2020 23:07:34 +0200 Subject: [PATCH 05/10] fix #1459 --- test/tests.bats | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/tests.bats b/test/tests.bats index 986a2271..05900c64 100644 --- a/test/tests.bats +++ b/test/tests.bats @@ -1243,6 +1243,8 @@ EOF # Dovecot has been restarted, but this test often fails so presumably it may not be ready # Add a short sleep to see if that helps to make the test more stable # Alternatively we could login with a known good user to make sure that the service is up + wait_for_service mail postfix + wait_for_service mail dovecot sleep 5 run docker exec mail /bin/bash -c "doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' | grep 'passdb'" 
From 149a10272c0e2ea8f030e74b98c5b821fdf8d54a Mon Sep 17 00:00:00 2001 From: youtous Date: Mon, 27 Apr 2020 09:57:36 +0200 Subject: [PATCH 06/10] improve dhe tests documentation --- test/mail_dhparams_default.bats | 12 ++++++++++++ test/mail_dhparams_manual_not_one_dir.bats | 17 +++++++++++++++-- test/mail_dhparams_manual_one_dir.bats | 16 ++++++++++++++-- .../{ffdhe2048.pem => custom-dhe-params.pem} | 0 4 files changed, 41 insertions(+), 4 deletions(-) rename test/test-files/ssl/{ffdhe2048.pem => custom-dhe-params.pem} (100%) diff --git a/test/mail_dhparams_default.bats b/test/mail_dhparams_default.bats index bfc18db2..97c081f0 100644 --- a/test/mail_dhparams_default.bats +++ b/test/mail_dhparams_default.bats @@ -1,5 +1,17 @@ load 'test_helper/common' +# Test case +# --------- +# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) +# +# This test suite cover the described situation for ONE_DIR=1 and for ONE_DIR=0. +# +# Description: +# - when using a default DHE parameters: +# ~ repo FFDHE4096 file is unchanged. +# ~ ffdhe4096 params file is copied in postfix and dovecot configuration. + + function setup() { run_setup_file_if_necessary } diff --git a/test/mail_dhparams_manual_not_one_dir.bats b/test/mail_dhparams_manual_not_one_dir.bats index 620bec0a..eb713dfe 100644 --- a/test/mail_dhparams_manual_not_one_dir.bats +++ b/test/mail_dhparams_manual_not_one_dir.bats 
@@ -1,5 +1,18 @@ load 'test_helper/common' +# Test case +# --------- +# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) +# However, an advanced user could want to supply custom DHE parameters. +# +# This test suite cover the described situation when ONE_DIR=0 is set. +# +# Description: +# - when using a CUSTOM DHE parameters: +# ~ custom dhe params file is copied in postfix and dovecot configuration. +# ~ a warning is raised about usage of insecure parameters. + + function setup() { run_setup_file_if_necessary } @@ -10,7 +23,7 @@ function teardown() { function setup_file() { # copy the custom DHE params in local config - cp `pwd`/test/test-files/ssl/ffdhe2048.pem `pwd`/test/config/dhparams.pem + cp `pwd`/test/test-files/ssl/custom-dhe-params.pem `pwd`/test/config/dhparams.pem docker run -d --name mail_manual_dhparams_not_one_dir \ -v "`pwd`/test/config":/tmp/docker-mailserver \ @@ -33,7 +46,7 @@ function teardown_file() { } @test "checking dhparams: ONE_DIR=0 check manual dhparams is used" { - test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}') + test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/custom-dhe-params.pem" | awk '{print $1}') run echo "$test_checksum" refute_output '' # checksum must not be empty diff --git a/test/mail_dhparams_manual_one_dir.bats b/test/mail_dhparams_manual_one_dir.bats index 1496172d..d9ce6d64 100644 --- a/test/mail_dhparams_manual_one_dir.bats +++ b/test/mail_dhparams_manual_one_dir.bats 
@@ -1,5 +1,17 @@ load 'test_helper/common' +# Test case +# --------- +# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) +# However, an advanced user could want to supply custom DHE parameters. +# +# This test suite cover the described situation when ONE_DIR=1 is set. +# +# Description: +# - when using a CUSTOM DHE parameters: +# ~ custom dhe params file is copied in postfix and dovecot configuration. +# ~ a warning is raised about usage of insecure parameters. + function setup() { run_setup_file_if_necessary } @@ -12,7 +24,7 @@ function setup_file() { docker run -d --name mail_manual_dhparams_one_dir \ -v "`pwd`/test/config":/tmp/docker-mailserver \ -v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \ - -v "`pwd`/test/test-files/ssl/ffdhe2048.pem":/var/mail-state/lib-shared/dhparams.pem:ro \ + -v "`pwd`/test/test-files/ssl/custom-dhe-params.pem":/var/mail-state/lib-shared/dhparams.pem:ro \ -e DMS_DEBUG=0 \ -e ONE_DIR=1 \ -h mail.my-domain.com -t ${NAME} @@ -29,7 +41,7 @@ function teardown_file() { } @test "checking dhparams: ONE_DIR=1 check manual dhparams is used" { - test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/ffdhe2048.pem" | awk '{print $1}') + test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/custom-dhe-params.pem" | awk '{print $1}') run echo "$test_checksum" refute_output '' # checksum must not be empty diff --git a/test/test-files/ssl/ffdhe2048.pem b/test/test-files/ssl/custom-dhe-params.pem similarity index 100% rename from test/test-files/ssl/ffdhe2048.pem rename to test/test-files/ssl/custom-dhe-params.pem From e680c349b1698a580ab8406df09fb82f8f48e23d Mon Sep 17 00:00:00 2001 From: youtous Date: Mon, 27 Apr 2020 10:28:05 +0200 Subject: [PATCH 07/10] test wait setup for // containers --- test/mail_dhparams_default.bats | 3 +-- test/mail_dhparams_manual_not_one_dir.bats | 1 - test/mail_dhparams_manual_one_dir.bats | 1 - 3 files changed, 1 insertion(+), 4 deletions(-) 
diff --git a/test/mail_dhparams_default.bats b/test/mail_dhparams_default.bats index 97c081f0..5d571b9e 100644 --- a/test/mail_dhparams_default.bats +++ b/test/mail_dhparams_default.bats @@ -27,6 +27,7 @@ function setup_file() { -e DMS_DEBUG=0 \ -e ONE_DIR=1 \ -h mail.my-domain.com -t ${NAME} + wait_for_finished_setup_in_container mail_default_dhparams_one_dir docker run -d --name mail_default_dhparams_not_one_dir \ -v "`pwd`/test/config":/tmp/docker-mailserver \ @@ -34,8 +35,6 @@ function setup_file() { -e DMS_DEBUG=0 \ -e ONE_DIR=0 \ -h mail.my-domain.com -t ${NAME} - - wait_for_finished_setup_in_container mail_default_dhparams_one_dir wait_for_finished_setup_in_container mail_default_dhparams_not_one_dir } diff --git a/test/mail_dhparams_manual_not_one_dir.bats b/test/mail_dhparams_manual_not_one_dir.bats index eb713dfe..e2604c73 100644 --- a/test/mail_dhparams_manual_not_one_dir.bats +++ b/test/mail_dhparams_manual_not_one_dir.bats @@ -31,7 +31,6 @@ function setup_file() { -e DMS_DEBUG=0 \ -e ONE_DIR=0 \ -h mail.my-domain.com -t ${NAME} - wait_for_finished_setup_in_container mail_manual_dhparams_not_one_dir } diff --git a/test/mail_dhparams_manual_one_dir.bats b/test/mail_dhparams_manual_one_dir.bats index d9ce6d64..a144ffc3 100644 --- a/test/mail_dhparams_manual_one_dir.bats +++ b/test/mail_dhparams_manual_one_dir.bats @@ -28,7 +28,6 @@ function setup_file() { -e DMS_DEBUG=0 \ -e ONE_DIR=1 \ -h mail.my-domain.com -t ${NAME} - wait_for_finished_setup_in_container mail_manual_dhparams_one_dir } From 27cbdeeb6a2efed72c8e2016c40d248cf7f2ee8a Mon Sep 17 00:00:00 2001 From: youtous Date: Mon, 27 Apr 2020 10:42:24 +0200 Subject: [PATCH 08/10] Update test/mail_dhparams_default.bats Co-Authored-By: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- test/mail_dhparams_default.bats | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/mail_dhparams_default.bats b/test/mail_dhparams_default.bats index 5d571b9e..9fae1b16 100644 
--- a/test/mail_dhparams_default.bats +++ b/test/mail_dhparams_default.bats @@ -4,12 +4,12 @@ load 'test_helper/common' # --------- # By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) # -# This test suite cover the described situation for ONE_DIR=1 and for ONE_DIR=0. +# This test case covers the described case against both boolean states for `ONE_DIR`. # # Description: -# - when using a default DHE parameters: -# ~ repo FFDHE4096 file is unchanged. -# ~ ffdhe4096 params file is copied in postfix and dovecot configuration. +# - When no DHE parameters are supplied by the user: +# ~ The file `ffdhe4096.pem` has not been modified (checksum verification). +# ~ `ffdhe4096.pem` is copied to the configuration directories for postfix and dovecot. function setup() { From 3e3f5d557b9fa7df966acfcd1c251b51bf0c6602 Mon Sep 17 00:00:00 2001 From: youtous Date: Mon, 27 Apr 2020 10:42:39 +0200 Subject: [PATCH 09/10] Update test/mail_dhparams_manual_one_dir.bats Co-Authored-By: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- test/mail_dhparams_manual_one_dir.bats | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/test/mail_dhparams_manual_one_dir.bats b/test/mail_dhparams_manual_one_dir.bats index a144ffc3..1ce23adc 100644 --- a/test/mail_dhparams_manual_one_dir.bats +++ b/test/mail_dhparams_manual_one_dir.bats 
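Review bot: The header line `# By default, this image is using audited FFDHE groups` does not tell a reader which group this is or where it comes from, which is exactly what someone deciding whether to override it needs; the bundled PEM and the Mozilla file the test compares it to carry the RFC 7919 ffdhe4096 prefix, so naming the standard is both more precise and more useful: `# By default this image ships the 4096-bit finite-field DH group ffdhe4096 from RFC 7919 (the same file Mozilla's ssl-config generator publishes), see PR #1463.` The `checksum verification` bullet should likewise say what the checksum is compared against, e.g. `# ~ ffdhe4096.pem still matches Mozilla's published copy (fetched over the network) and has not been regenerated locally.` The enclosing comment block continues past the end of this hunk.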
@@ -3,14 +3,13 @@ load 'test_helper/common' # Test case # --------- # By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) -# However, an advanced user could want to supply custom DHE parameters. # -# This test suite cover the described situation when ONE_DIR=1 is set. +# This test case covers the described case when `ONE_DIR=1`. # # Description: -# - when using a CUSTOM DHE parameters: -# ~ custom dhe params file is copied in postfix and dovecot configuration. -# ~ a warning is raised about usage of insecure parameters. +# - When custom DHE parameters are supplied by the user: +# ~ User supplied DHE parameters are copied to the configuration directories for postfix and dovecot. +# ~ A warning is raised about usage of insecure parameters. function setup() { run_setup_file_if_necessary From 80bd3a8c857c110f7ac4f1c335def697cce6901c Mon Sep 17 00:00:00 2001 From: youtous Date: Mon, 27 Apr 2020 10:42:47 +0200 Subject: [PATCH 10/10] Update test/mail_dhparams_manual_not_one_dir.bats Co-Authored-By: Brennan Kinney <5098581+polarathene@users.noreply.github.com> --- test/mail_dhparams_manual_not_one_dir.bats | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/test/mail_dhparams_manual_not_one_dir.bats b/test/mail_dhparams_manual_not_one_dir.bats index e2604c73..ae98ccff 100644 --- a/test/mail_dhparams_manual_not_one_dir.bats +++ b/test/mail_dhparams_manual_not_one_dir.bats 
@@ -3,14 +3,13 @@ load 'test_helper/common' # Test case # --------- # By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463) -# However, an advanced user could want to supply custom DHE parameters. # -# This test suite cover the described situation when ONE_DIR=0 is set. +# This test case covers the described case when `ONE_DIR=0`. # # Description: -# - when using a CUSTOM DHE parameters: -# ~ custom dhe params file is copied in postfix and dovecot configuration. -# ~ a warning is raised about usage of insecure parameters. +# - When custom DHE parameters are supplied by the user: +# ~ User supplied DHE parameters are copied to the configuration directories for postfix and dovecot. +# ~ A warning is raised about usage of insecure parameters. function setup() {