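# -*- indent-tabs-mode: t; tab-width: 4; -*-
#
# Inbound mail-filtering tests: greylisting (postgrey), relay refusal
# and SPF enforcement. Every test sends mail through $PYMAIL and checks
# the refusal reported by the client or the headers of the delivered
# message. The helpers called here (record, die, test_start, ...) are
# not defined in this listing.
#

_test_greylisting_x() {
	# Helper: send one message anonymously and check that it was
	# greylisted. Two outcomes count as greylisted:
	#   - the send fails and assert_python_failure matches
	#     "SMTPRecipientsRefused" / "Greylisted", or
	#   - the send succeeds and the captured message carries an
	#     "X-Greylist: delayed" header.
	#
	# Arguments: $1 - recipient address
	#            $2 - envelope sender address
	# Globals:   PYMAIL, PRIVATE_IP (read)
	local email_to="$1"
	local email_from="$2"

	start_log_capture
	start_mail_capture "$email_to"
	record "[Send mail anonymously TO $email_to FROM $email_from]"

	# $PYMAIL stays unquoted: it presumably holds a command plus its
	# leading arguments and relies on word splitting -- confirm where it
	# is set. Everything else is quoted so each value stays one argument.
	local output
	# shellcheck disable=SC2086
	output="$($PYMAIL -no-delete -f "$email_from" -to "$email_to" '' "$PRIVATE_IP" '' '' 2>&1)"
	local code=$?

	if [ "$code" -eq 0 ]; then
		wait_mail
		# Only the first captured file is inspected.
		local -a file
		# shellcheck disable=SC2207
		file=( $(get_captured_mail_files) )
		record "[Check captured mail for X-Greylist header]"
		if ! grep -q "X-Greylist: delayed" <"${file[0]}"; then
			record "not found"
			test_failure "message not greylisted - X-Greylist header missing"
			record_captured_mail
		else
			record "found"
		fi
	else
		assert_python_failure "$code" "$output" "SMTPRecipientsRefused" "Greylisted"
	fi

	check_logs
}


postgrey_reset() {
	# when postgrey receives a message for processing that is suspect,
	# it will:
	#   1. initially reject it
	#   2. after a delay, permit delivery (end entity must resend),
	#      but with an X-Greylist header
	#   3. subsequent deliveries will succeed with no header
	#      modifications
	#
	# because of #3, reset postgrey to establish a "clean" greylisting
	# testing scenario
	#
	# Side effects: stops postgrey, deletes every file directly inside
	# /var/lib/postgrey, then starts postgrey again.
	# Globals:      TEST_OF (command output is appended to this file)
	local db_dir="/var/lib/postgrey"

	record "[Reset postgrey]"
	if [ ! -d "$db_dir" ]; then
		die "Postgrey database directory /var/lib/postgrey does not exist!"
	fi

	systemctl stop postgrey >>"$TEST_OF" 2>&1 || die "unble to stop postgrey"

	# ${db_dir:?} aborts rather than expanding to "/*" should the
	# variable ever end up empty.
	if ! rm -f -- "${db_dir:?}"/* >>"$TEST_OF" 2>&1; then
		# bring the service back up before giving up
		systemctl start postgrey >>"$TEST_OF" 2>&1
		die "unable to remove the postgrey database files"
	fi

	systemctl start postgrey >>"$TEST_OF" 2>&1 || die "unble to start postgrey"
}


test_greylisting() {
	# test that mail is delayed by greylisting
	test_start "greylisting"

	# reset postgrey's database to start the cycle over
	postgrey_reset

	# create standard user alice
	local alice="alice@somedomain.com"
	create_user "$alice" "alice"

	# IMPORTANT: bob's domain must be from one that has no SPF record
	# in DNS. At the time of creation of this script, yahoo.com did
	# not...
	# NOTE(review): the result therefore depends on live DNS data for a
	# third-party domain. If that domain publishes an SPF record, the
	# refusal presumably comes from the SPF check instead of postgrey --
	# re-verify the domain before trusting a failure of this test.
	local bob="bob@yahoo.com"

	# send to alice anonymously from bob
	_test_greylisting_x "$alice" "$bob"

	delete_user "$alice"
	test_end
}


test_relay_prohibited() {
	# test that the server does not relay: neither the sender nor the
	# recipient below is an account created by this suite, so the only
	# passing outcome is a refusal with "Relay access denied"
	test_start "relay-prohibited"

	start_log_capture
	record "[Attempt relaying mail anonymously]"
	local output
	# shellcheck disable=SC2086
	output="$($PYMAIL -no-delete -f joe@badguy.com -to naive@gmail.com '' "$PRIVATE_IP" '' '' 2>&1)"
	# $? is still the exit status of the command substitution above
	assert_python_failure $? "$output" "SMTPRecipientsRefused" "Relay access denied"
	check_logs

	test_end
}


test_spf() {
	# test mail rejection due to SPF policy of FROM address
	test_start "spf"

	# create standard user alice
	local alice="alice@somedomain.com"
	create_user "$alice" "alice"

	# who we will impersonate
	local from="test@google.com"
	# domain part of the address; parameter expansion, so no subprocess
	# whose exit status "local" could mask
	local domain="${from#*@}"

	# send to alice anonymously from imposter
	start_log_capture
	start_mail_capture "$alice"
	record "[Test SPF for $domain FROM $from TO $alice]"
	local output
	# shellcheck disable=SC2086
	output="$($PYMAIL -no-delete -f "$from" -to "$alice" '' "$PRIVATE_IP" '' '' 2>&1)"
	local code=$?
	if ! assert_python_failure "$code" "$output" "SMTPRecipientsRefused" "SPF" && [ "$code" -eq 0 ]
	then
		# the spoofed message was accepted: wait for the delivery and
		# record the captured mail for diagnosis
		wait_mail
		record_captured_mail
	fi
	check_logs

	delete_user "$alice"
	test_end
}


# test_mailbox_pipe() is cut off in this listing: the text ends inside
# the function, and the here-document on the "cat" line was lost. The
# fragment is kept exactly as found, commented out so that the complete
# functions above still parse.
# NOTE(review), on the visible lines only:
#   - /tmp/pipedrop.$$.sh and /tmp/pipedrop.$$.out are predictable names
#     in a world-writable directory; mktemp would avoid that.
#   - -w "$LDAP_ADMIN_PASSWORD" puts the admin password on the command
#     line, where it is visible in the process list; ldapmodify can read
#     it from a file with -y instead.
#
#test_mailbox_pipe() {
#	# postfix allows piped commands in aliases for local processing,
#	# which is a serious security issue. test that pipes are not
#	# permitted or don't work
#	test_start "mailbox-pipe"
#
#	# create standard user alice
#	local alice="alice@somedomain.com"
#	create_user "$alice" "alice"
#	local alice_dn="$ATTR_DN"
#
#	# create the program to handle piped mail
#	local cmd="/tmp/pipedrop.$$.sh"
#	local outfile="/tmp/pipedrop.$$.out"
#	cat 2>>$TEST_OF >$cmd < $outfile EOF
#	chmod 755 $cmd
#	rm -f $outfile
#
#	# add a piped maildrop
#	record "[Add pipe command as alice's maildrop]"
#	ldapmodify -H $LDAP_URL -x -D "$LDAP_ADMIN_DN" -w "$LDAP_ADMIN_PASSWORD" >>$TEST_OF 2>&1 <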