From 78cfad580473d7465d17b48127dea9c951dd926e Mon Sep 17 00:00:00 2001
From: tyranron
Date: Wed, 25 Jan 2017 11:31:04 +0200
Subject: [PATCH] Add Nmap tests of PCI compliance for Postfix and Dovecot
---
 test/tests.bats | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/test/tests.bats b/test/tests.bats
index d69fc253..b602a83e 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -919,8 +919,8 @@ load 'test_helper/bats-assert/load'
 # Postfix VIRTUAL_TRANSPORT
 #
 @test "checking postfix-lmtp: virtual_transport config is set" {
- run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
- assert_success
+ run docker exec mail_lmtp_ip /bin/sh -c "grep 'virtual_transport = lmtp:127.0.0.1:24' /etc/postfix/main.cf"
+ assert_success
 }
 
 @test "checking postfix-lmtp: delivers mail to existing account" {
@@ -928,3 +928,39 @@ load 'test_helper/bats-assert/load'
 assert_success
 assert_output 1
 }
+
+#
+# PCI compliance
+#
+
+# dovecot
+@test "checking dovecot: only A grade TLS ciphers are used" {
+ run docker run --rm -i --link mail:dovecot \
+ --entrypoint sh instrumentisto/nmap -c \
+ 'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "least strength: A"'
+ assert_success
+}
+
+@test "checking dovecot: nmap produces no warnings on TLS ciphers verifying" {
+ run docker run --rm -i --link mail:dovecot \
+ --entrypoint sh instrumentisto/nmap -c \
+ 'nmap --script ssl-enum-ciphers -p 993 dovecot | grep "warnings" | wc -l'
+ assert_success
+ assert_output 0
+}
+
+# postfix
+@test "checking postfix: only A grade TLS ciphers are used" {
+ run docker run --rm -i --link mail:postfix \
+ --entrypoint sh instrumentisto/nmap -c \
+ 'nmap --script ssl-enum-ciphers -p 587 postfix | grep "least strength: A"'
+ assert_success
+}
+
+@test "checking postfix: nmap produces no warnings on TLS ciphers verifying" {
+ run docker run --rm -i --link mail:postfix \
+ --entrypoint sh instrumentisto/nmap -c \
+ 'nmap --script ssl-enum-ciphers -p 587 postfix | grep "warnings" | wc -l'
+ assert_success
+ assert_output 0
+}
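Review bot: The two "nmap produces no warnings" tests (dovecot on 993, postfix on 587) pass vacuously when the scan yields no cipher report at all: the pipeline ends in `wc -l`, so the exit status is always 0 and the count is 0 whether the cipher list is clean or nmap never reached the port or never completed a handshake. Requiring the report before checking for warnings makes each test fail closed, e.g. `'out=$(nmap --script ssl-enum-ciphers -p 993 dovecot); echo "$out" | grep -q "least strength" && ! echo "$out" | grep -q "warnings"'` followed by `assert_success` only. `instrumentisto/nmap` is pulled without a tag, so the grading rules follow whichever nmap release is current; pinning a tag or digest keeps the result reproducible. As far as I know the ssl-enum-ciphers grade does not score protocol version, so "least strength: A" alone probably does not show that early TLS is disabled, and only ports 993 and 587 are probed here; a comment under the `# PCI compliance` heading saying so would keep the heading from overstating the coverage.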