mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2025-04-04 00:17:06 +00:00
1f0d2ddb92
This commit will: 1. Change the user account database from sqlite to OpenLDAP 2. Add policyd-spf to postfix for SPF validation 3. Add a test runner with some automated test suites Notes: User account password hashes are preserved. There is a new Roundcube contact list called "Directory" that lists the users in LDAP (MiaB users), similar to what Google Suite does. Users can still change their password in Roundcube. OpenLDAP is configured with TLS, but all remote access is blocked by firewall rules. Manual changes are required to open it for remote access (eg. "ufw allow proto tcp from <HOST> to any port ldaps"). The test runner is started by executing tests/runner.sh. Be aware that it will make changes to your system, including adding new users, domains, mailboxes, start/stop services, etc. It is highly unadvised to run it on a production system! The LDAP schema that supports mail delivery with postfix and dovecot is located in conf/postfix.schema. This file is copied verbatim from the LdapAdmin project (GPL, ldapadmin.org). Instead of including the file in git, it could be referenced by URL and downloaded by the setup script if GPL is an issue or apply for a PEN from IANA. Mangement console and other services should not appear or behave any differently than before.
142 lines
4.0 KiB
Bash
142 lines
4.0 KiB
Bash
# -*- indent-tabs-mode: t; tab-width: 4; -*-
|
|
|
|
|
|
test_permitted_sender_fail() {
|
|
# a user may not send MAIL FROM someone else, when not permitted
|
|
test_start "permitted-sender-fail"
|
|
# create standard users alice, bob, and mary
|
|
local alice="alice@somedomain.com"
|
|
local bob="bob@anotherdomain.com"
|
|
local mary="mary@anotherdomain.com"
|
|
create_user "$alice" "alice"
|
|
create_user "$bob" "bob"
|
|
create_user "$mary" "mary"
|
|
|
|
# login as mary, send from bob, to alice
|
|
start_log_capture
|
|
record "[Mailing to alice from bob as mary]"
|
|
local output
|
|
output="$($PYMAIL -f $bob -to $alice alice $PRIVATE_IP $mary mary 2>&1)"
|
|
if ! assert_python_failure $? "$output" SMTPRecipientsRefused
|
|
then
|
|
# additional "color"
|
|
test_failure "user should not be permitted to send as another user"
|
|
fi
|
|
|
|
# expect errors, so don't assert
|
|
check_logs
|
|
|
|
delete_user "$alice"
|
|
delete_user "$bob"
|
|
delete_user "$mary"
|
|
test_end
|
|
}
|
|
|
|
|
|
test_permitted_sender_alias() {
|
|
# a user may send MAIL FROM one of their own aliases
|
|
test_start "permitted-sender-alias"
|
|
# create standard users alice and bob
|
|
local alice="alice@somedomain.com"
|
|
local bob="bob@anotherdomain.com"
|
|
local mary="mary@anotherdomain.com"
|
|
local jane="jane@google.com"
|
|
create_user "$alice" "alice"
|
|
create_user "$bob" "bob"
|
|
local bob_dn="$ATTR_DN"
|
|
|
|
# add mary as one of bob's aliases - to bob's 'mail' attribute
|
|
add_alias $bob_dn $mary user
|
|
|
|
# add jane as one of bob's aliases - to jane's alias group
|
|
create_alias_group $jane $bob_dn
|
|
|
|
# login as bob, send from mary, to alice
|
|
start_log_capture
|
|
record "[Mailing to alice from mary as bob]"
|
|
local output
|
|
output="$($PYMAIL -f $mary -to $alice alice $PRIVATE_IP $bob bob 2>&1)"
|
|
if ! assert_python_success $? "$output"; then
|
|
# additional "color"
|
|
test_failure "bob should be permitted to MAIL FROM $mary, his own alias: $(python_error "$output")"
|
|
fi
|
|
|
|
assert_check_logs
|
|
|
|
# login as bob, send from jane, to alice
|
|
start_log_capture
|
|
record "[Mailing to alice from jane as bob]"
|
|
local output
|
|
output="$($PYMAIL -f $jane -to $alice alice $PRIVATE_IP $bob bob 2>&1)"
|
|
if ! assert_python_success $? "$output"; then
|
|
# additional "color"
|
|
test_failure "bob should be permitted to MAIL FROM $jane, his own alias: $(python_error "$output")"
|
|
fi
|
|
|
|
assert_check_logs
|
|
|
|
delete_user "$alice"
|
|
delete_user "$bob"
|
|
delete_alias_group "$jane"
|
|
test_end
|
|
}
|
|
|
|
|
|
test_permitted_sender_explicit() {
|
|
# a user may send MAIL FROM an address that is explicitly allowed
|
|
# by a permitted-senders group
|
|
# a user may not send MAIL FROM an address that has a permitted
|
|
# senders list which they are not a member, even if they are an
|
|
# alias group member
|
|
test_start "permitted-sender-explicit"
|
|
|
|
# create standard users alice and bob
|
|
local alice="alice@somedomain.com"
|
|
local bob="bob@anotherdomain.com"
|
|
create_user "$alice" "alice"
|
|
local alice_dn="$ATTR_DN"
|
|
create_user "$bob" "bob"
|
|
local bob_dn="$ATTR_DN"
|
|
|
|
# create an alias that forwards to bob and alice
|
|
local alias="mary@anotherdomain.com"
|
|
create_alias_group $alias $bob_dn $alice_dn
|
|
|
|
# create a permitted-senders group with only alice in it
|
|
create_permitted_senders_group $alias $alice_dn
|
|
|
|
# login as alice, send from alias to bob
|
|
start_log_capture
|
|
record "[Mailing to bob from alice as alias/mary]"
|
|
local output
|
|
output="$($PYMAIL -f $alias -to $bob bob $PRIVATE_IP $alice alice 2>&1)"
|
|
if ! assert_python_success $? "$output"; then
|
|
test_failure "user should be allowed to MAIL FROM a user for which they are a permitted sender: $(python_error "$output")"
|
|
fi
|
|
assert_check_logs
|
|
|
|
# login as bob, send from alias to alice
|
|
# expect failure because bob is not a permitted-sender
|
|
start_log_capture
|
|
record "[Mailing to alice from bob as alias/mary]"
|
|
output="$($PYMAIL -f $alias -to $alice alice $PRIVATE_IP $bob bob 2>&1)"
|
|
assert_python_failure $? "$output" "SMTPRecipientsRefused" "not owned by user"
|
|
check_logs
|
|
|
|
delete_user $alice
|
|
delete_user $bob
|
|
delete_permitted_senders_group $alias
|
|
create_alias_group $alias
|
|
test_end
|
|
}
|
|
|
|
|
|
|
|
suite_start "mail-from"
|
|
|
|
test_permitted_sender_fail
|
|
test_permitted_sender_alias
|
|
test_permitted_sender_explicit
|
|
|
|
suite_end
|