Merge pull request #1463 from youtous/pr-fix-dhe
Fix issue #1461- use a recommended dh group instead of a self-generated one
This commit is contained in:
Erik Wramner
GitHub
commit
4a1cbd705b
|
|
@ -163,6 +163,9 @@ RUN chmod 755 /etc/init.d/postgrey && \
|
|||
# Copy PostSRSd Config
|
||||
COPY target/postsrsd/postsrsd /etc/default/postsrsd
|
||||
|
||||
# Copy shared ffdhe params
|
||||
COPY target/shared/ffdhe4096.pem /etc/postfix/shared/ffdhe4096.pem
|
||||
|
||||
# Enables Amavis
|
||||
COPY target/amavis/conf.d/* /etc/amavis/conf.d/
|
||||
RUN sed -i -r 's/#(@| \\%)bypass/\1bypass/g' /etc/amavis/conf.d/15-content_filter_mode && \
|
||||
|
|
|
|||
2
Makefile
2
Makefile
|
|
@ -155,4 +155,4 @@ clean:
|
|||
sudo rm -rf test/config ;\
|
||||
mv testconfig.bak test/config ;\
|
||||
fi
|
||||
-sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf
|
||||
-sudo rm -rf test/onedir test/alias test/quota test/relay test/config/dovecot-lmtp/userdb test/config/key* test/config/opendkim/keys/domain.tld/ test/config/opendkim/keys/example.com/ test/config/opendkim/keys/localdomain2.com/ test/config/postfix-aliases.cf test/config/postfix-receive-access.cf test/config/postfix-receive-access.cfe test/config/dovecot-quotas.cf test/config/postfix-send-access.cf test/config/postfix-send-access.cfe test/config/relay-hosts/chksum test/config/relay-hosts/postfix-aliases.cf test/config/dhparams.pem
|
||||
|
|
|
|||
|
|
@ -43,9 +43,8 @@ ssl_key = </etc/dovecot/ssl/dovecot.key
|
|||
#ssl_cert_username_field = commonName
|
||||
|
||||
# SSL DH parameters
|
||||
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
|
||||
# Or migrate from old ssl-parameters.dat file with the command dovecot
|
||||
# gives on startup when ssl_dh is unset.
|
||||
# Since v2.3.3+ Diffie-Hellman parameters have been made optional, and you are encouraged to disable non-ECC DH algorithms completely.
|
||||
# `docker-mailserver` is configured to use the recommended pre-defined 4096-bit DHE Group at https://github.com/internetstandards/dhe_groups
|
||||
ssl_dh = </etc/dovecot/dh.pem
|
||||
|
||||
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
|
||||
|
|
|
|||
|
|
@ -0,0 +1,13 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
|
||||
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
|
||||
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
|
||||
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
|
||||
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
|
||||
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
@ -0,0 +1 @@
|
|||
716a462baecb43520fb1ba6f15d288ba8df4d612bf9d450474b4a1c745b64be01806e5ca4fb2151395fd4412a98831b77ea8dfd389fe54a9c768d170b9565a25 ffdhe4096.pem
|
||||
|
|
@ -1364,15 +1364,16 @@ function _setup_postfix_dhparam() {
|
|||
if [ "$ONE_DIR" = 1 ];then
|
||||
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
|
||||
if [ ! -f $DHPARAMS_FILE ]; then
|
||||
notify 'inf' "Generate new shared dhparams (postfix)"
|
||||
mkdir -p $(dirname "$DHPARAMS_FILE")
|
||||
openssl dhparam -out $DHPARAMS_FILE 2048
|
||||
notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
|
||||
rm -f /etc/postfix/dhparams.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
|
||||
else
|
||||
notify 'inf' "Use postfix dhparams that was generated previously"
|
||||
fi
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
|
||||
|
||||
# Copy from the state directory to the working location
|
||||
rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
|
||||
# Copy from the state directory to the working location
|
||||
rm -f /etc/postfix/dhparams.pem && cp $DHPARAMS_FILE /etc/postfix/dhparams.pem
|
||||
fi
|
||||
else
|
||||
if [ ! -f /etc/postfix/dhparams.pem ]; then
|
||||
if [ -f /etc/dovecot/dh.pem ]; then
|
||||
|
|
@ -1380,13 +1381,17 @@ function _setup_postfix_dhparam() {
|
|||
cp /etc/dovecot/dh.pem /etc/postfix/dhparams.pem
|
||||
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
|
||||
notify 'inf' "Copy pre-generated dhparams to postfix"
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
|
||||
cp /tmp/docker-mailserver/dhparams.pem /etc/postfix/dhparams.pem
|
||||
else
|
||||
notify 'inf' "Generate new dhparams for postfix"
|
||||
openssl dhparam -out /etc/postfix/dhparams.pem 2048
|
||||
notify 'inf' "Use ffdhe4096 for dhparams (postfix)"
|
||||
cp /etc/postfix/shared/ffdhe4096.pem /etc/postfix/dhparams.pem
|
||||
fi
|
||||
else
|
||||
notify 'inf' "Use existing postfix dhparams"
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /etc/postfix/dhparams.pem."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
|
@ -1396,15 +1401,16 @@ function _setup_dovecot_dhparam() {
|
|||
if [ "$ONE_DIR" = 1 ];then
|
||||
DHPARAMS_FILE=/var/mail-state/lib-shared/dhparams.pem
|
||||
if [ ! -f $DHPARAMS_FILE ]; then
|
||||
notify 'inf' "Generate new shared dhparams (dovecot)"
|
||||
mkdir -p $(dirname "$DHPARAMS_FILE")
|
||||
openssl dhparam -out $DHPARAMS_FILE 2048
|
||||
notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
|
||||
rm -f /etc/dovecot/dh.pem && cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
|
||||
else
|
||||
notify 'inf' "Use dovecot dhparams that was generated previously"
|
||||
fi
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /var/mail-state/lib-shared/dhparams.pem."
|
||||
|
||||
# Copy from the state directory to the working location
|
||||
rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
|
||||
# Copy from the state directory to the working location
|
||||
rm -f /etc/dovecot/dh.pem && cp $DHPARAMS_FILE /etc/dovecot/dh.pem
|
||||
fi
|
||||
else
|
||||
if [ ! -f /etc/dovecot/dh.pem ]; then
|
||||
if [ -f /etc/postfix/dhparams.pem ]; then
|
||||
|
|
@ -1412,13 +1418,17 @@ function _setup_dovecot_dhparam() {
|
|||
cp /etc/postfix/dhparams.pem /etc/dovecot/dh.pem
|
||||
elif [ -f /tmp/docker-mailserver/dhparams.pem ]; then
|
||||
notify 'inf' "Copy pre-generated dhparams to dovecot"
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /tmp/docker-mailserver/dhparams.pem."
|
||||
cp /tmp/docker-mailserver/dhparams.pem /etc/dovecot/dh.pem
|
||||
else
|
||||
notify 'inf' "Generate new dhparams for dovecot"
|
||||
openssl dhparam -out /etc/dovecot/dh.pem 2048
|
||||
notify 'inf' "Use ffdhe4096 for dhparams (dovecot)"
|
||||
cp /etc/postfix/shared/ffdhe4096.pem /etc/dovecot/dh.pem
|
||||
fi
|
||||
else
|
||||
notify 'inf' "Use existing dovecot dhparams"
|
||||
notify 'warn' "Using self-generated dhparams is considered as insecure."
|
||||
notify 'warn' "Unless you known what you are doing, please remove /etc/dovecot/dh.pem."
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
|
@ -1461,8 +1471,8 @@ function _setup_security_stack() {
|
|||
fi
|
||||
|
||||
test -e /tmp/docker-mailserver/spamassassin-rules.cf && cp /tmp/docker-mailserver/spamassassin-rules.cf /etc/spamassassin/
|
||||
|
||||
|
||||
|
||||
|
||||
if [ "$SPAMASSASSIN_SPAM_TO_INBOX" = "1" ]; then
|
||||
notify 'inf' "Configure Spamassassin/Amavis to put SPAM inbox"
|
||||
bannedbouncecheck=`egrep "final_banned_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults`
|
||||
|
|
@ -1470,7 +1480,7 @@ function _setup_security_stack() {
|
|||
then
|
||||
sed -i "/final_banned_destiny/ s|D_BOUNCE|D_REJECT|" /etc/amavis/conf.d/20-debian_defaults
|
||||
fi
|
||||
|
||||
|
||||
finalbouncecheck=`egrep "final_spam_destiny.*D_BOUNCE" /etc/amavis/conf.d/20-debian_defaults`
|
||||
if [ -n "$finalbouncecheck" ] ;
|
||||
then
|
||||
|
|
|
|||
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
|
||||
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
|
||||
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
|
||||
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
|
||||
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
|
||||
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
|
||||
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
|
||||
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
|
||||
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
|
||||
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
|
||||
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEAlYgX/PXMu60WVkgKXOqnT562wd2F3l1WDwyn7DLWDqb9rCI6SAB8
|
||||
8uDkImAeoRFQycL77fXBqO9KKVk5x569Qjltacbw4/taOhWPAq/+6Wf5bZsUEp5g
|
||||
wD+hLvgYn/0pdGkjiAJ+jlRBxarF9lJac4QPztqw3qJPtVdIKbmo58hoxERIthD2
|
||||
f/ZkGjaZXzOIvD8Ai0NQ+H4k5DK5dLlFI78XbrsH161t4Jcspq+v5VUdUyUMAvti
|
||||
4peK0RgHw47h90kkee+qIf5F+WWSw28tjkbILWx2ld/bN59eZj4itb3UUw/OZRpC
|
||||
Y0pOBOvl1wp5PS+pUJAMsg6PR50yPNYREwIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
@ -0,0 +1,78 @@
|
|||
load 'test_helper/common'
|
||||
|
||||
# Test case
|
||||
# ---------
|
||||
# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463)
|
||||
#
|
||||
# This test case covers the described case against both boolean states for `ONE_DIR`.
|
||||
#
|
||||
# Description:
|
||||
# - When no DHE parameters are supplied by the user:
|
||||
# ~ The file `ffdhe4096.pem` has not been modified (checksum verification).
|
||||
# ~ `ffdhe4096.pem` is copied to the configuration directories for postfix and dovecot.
|
||||
|
||||
|
||||
function setup() {
|
||||
run_setup_file_if_necessary
|
||||
}
|
||||
|
||||
function teardown() {
|
||||
run_teardown_file_if_necessary
|
||||
}
|
||||
|
||||
function setup_file() {
|
||||
docker run -d --name mail_default_dhparams_one_dir \
|
||||
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ONE_DIR=1 \
|
||||
-h mail.my-domain.com -t ${NAME}
|
||||
wait_for_finished_setup_in_container mail_default_dhparams_one_dir
|
||||
|
||||
docker run -d --name mail_default_dhparams_not_one_dir \
|
||||
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ONE_DIR=0 \
|
||||
-h mail.my-domain.com -t ${NAME}
|
||||
wait_for_finished_setup_in_container mail_default_dhparams_not_one_dir
|
||||
}
|
||||
|
||||
function teardown_file() {
|
||||
docker rm -f mail_default_dhparams_one_dir
|
||||
docker rm -f mail_default_dhparams_not_one_dir
|
||||
}
|
||||
|
||||
@test "first" {
|
||||
skip 'this test must come first to reliably identify when to run setup_file'
|
||||
}
|
||||
|
||||
@test "checking ssl: checking dhe params are sufficient" {
|
||||
# reference used: (22/04/2020) https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls
|
||||
|
||||
# check ffdhe params are inchanged
|
||||
repo_checksum=$(sha512sum "$(pwd)/target/shared/ffdhe4096.pem" | awk '{print $1}')
|
||||
mozilla_checksum=$(curl https://ssl-config.mozilla.org/ffdhe4096.txt -s | sha512sum | awk '{print $1}')
|
||||
assert_equal "$repo_checksum" "$mozilla_checksum"
|
||||
run echo "$repo_checksum"
|
||||
refute_output '' # checksum must not be empty
|
||||
|
||||
# by default, ffdhe4096 should be used
|
||||
|
||||
# ONE_DIR=1
|
||||
docker_dovecot_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
||||
docker_postfix_checksum_one_dir=$(docker exec mail_default_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
||||
assert_equal "$docker_dovecot_checksum_one_dir" "$repo_checksum"
|
||||
assert_equal "$docker_postfix_checksum_one_dir" "$repo_checksum"
|
||||
|
||||
# ONE_DIR=0
|
||||
docker_dovecot_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
||||
docker_postfix_checksum_not_one_dir=$(docker exec mail_default_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
||||
assert_equal "$docker_dovecot_checksum_not_one_dir" "$repo_checksum"
|
||||
assert_equal "$docker_postfix_checksum_not_one_dir" "$repo_checksum"
|
||||
}
|
||||
|
||||
|
||||
@test "last" {
|
||||
skip 'this test is only there to reliably mark the end for the teardown_file'
|
||||
}
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
load 'test_helper/common'
|
||||
|
||||
# Test case
|
||||
# ---------
|
||||
# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463)
|
||||
#
|
||||
# This test case covers the described case when `ONE_DIR=0`.
|
||||
#
|
||||
# Description:
|
||||
# - When custom DHE parameters are supplied by the user:
|
||||
# ~ User supplied DHE parameters are copied to the configuration directories for postfix and dovecot.
|
||||
# ~ A warning is raised about usage of insecure parameters.
|
||||
|
||||
|
||||
function setup() {
|
||||
run_setup_file_if_necessary
|
||||
}
|
||||
|
||||
function teardown() {
|
||||
run_teardown_file_if_necessary
|
||||
}
|
||||
|
||||
function setup_file() {
|
||||
# copy the custom DHE params in local config
|
||||
cp `pwd`/test/test-files/ssl/custom-dhe-params.pem `pwd`/test/config/dhparams.pem
|
||||
|
||||
docker run -d --name mail_manual_dhparams_not_one_dir \
|
||||
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ONE_DIR=0 \
|
||||
-h mail.my-domain.com -t ${NAME}
|
||||
wait_for_finished_setup_in_container mail_manual_dhparams_not_one_dir
|
||||
}
|
||||
|
||||
function teardown_file() {
|
||||
# remove custom dhe file
|
||||
rm `pwd`/test/config/dhparams.pem
|
||||
docker rm -f mail_manual_dhparams_not_one_dir
|
||||
}
|
||||
|
||||
@test "first" {
|
||||
skip 'this test must come first to reliably identify when to run setup_file'
|
||||
}
|
||||
|
||||
@test "checking dhparams: ONE_DIR=0 check manual dhparams is used" {
|
||||
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/custom-dhe-params.pem" | awk '{print $1}')
|
||||
run echo "$test_checksum"
|
||||
refute_output '' # checksum must not be empty
|
||||
|
||||
docker_dovecot_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
||||
docker_postfix_checksum=$(docker exec mail_manual_dhparams_not_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
||||
assert_equal "$docker_dovecot_checksum" "$test_checksum"
|
||||
assert_equal "$docker_postfix_checksum" "$test_checksum"
|
||||
}
|
||||
|
||||
@test "checking dhparams: ONE_DIR=0 check warning output when using manual dhparams" {
|
||||
run sh -c "docker logs mail_manual_dhparams_not_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "last" {
|
||||
skip 'this test is only there to reliably mark the end for the teardown_file'
|
||||
}
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
load 'test_helper/common'
|
||||
|
||||
# Test case
|
||||
# ---------
|
||||
# By default, this image is using audited FFDHE groups (https://github.com/tomav/docker-mailserver/pull/1463)
|
||||
#
|
||||
# This test case covers the described case when `ONE_DIR=1`.
|
||||
#
|
||||
# Description:
|
||||
# - When custom DHE parameters are supplied by the user:
|
||||
# ~ User supplied DHE parameters are copied to the configuration directories for postfix and dovecot.
|
||||
# ~ A warning is raised about usage of insecure parameters.
|
||||
|
||||
function setup() {
|
||||
run_setup_file_if_necessary
|
||||
}
|
||||
|
||||
function teardown() {
|
||||
run_teardown_file_if_necessary
|
||||
}
|
||||
|
||||
function setup_file() {
|
||||
docker run -d --name mail_manual_dhparams_one_dir \
|
||||
-v "`pwd`/test/config":/tmp/docker-mailserver \
|
||||
-v "`pwd`/test/test-files":/tmp/docker-mailserver-test:ro \
|
||||
-v "`pwd`/test/test-files/ssl/custom-dhe-params.pem":/var/mail-state/lib-shared/dhparams.pem:ro \
|
||||
-e DMS_DEBUG=0 \
|
||||
-e ONE_DIR=1 \
|
||||
-h mail.my-domain.com -t ${NAME}
|
||||
wait_for_finished_setup_in_container mail_manual_dhparams_one_dir
|
||||
}
|
||||
|
||||
function teardown_file() {
|
||||
docker rm -f mail_manual_dhparams_one_dir
|
||||
}
|
||||
|
||||
@test "first" {
|
||||
skip 'this test must come first to reliably identify when to run setup_file'
|
||||
}
|
||||
|
||||
@test "checking dhparams: ONE_DIR=1 check manual dhparams is used" {
|
||||
test_checksum=$(sha512sum "$(pwd)/test/test-files/ssl/custom-dhe-params.pem" | awk '{print $1}')
|
||||
run echo "$test_checksum"
|
||||
refute_output '' # checksum must not be empty
|
||||
|
||||
docker_dovecot_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/dovecot/dh.pem | awk '{print $1}')
|
||||
docker_postfix_checksum=$(docker exec mail_manual_dhparams_one_dir sha512sum /etc/postfix/dhparams.pem | awk '{print $1}')
|
||||
assert_equal "$docker_dovecot_checksum" "$test_checksum"
|
||||
assert_equal "$docker_postfix_checksum" "$test_checksum"
|
||||
}
|
||||
|
||||
@test "checking dhparams: ONE_DIR=1 check warning output when using manual dhparams" {
|
||||
run sh -c "docker logs mail_manual_dhparams_one_dir | grep 'Using self-generated dhparams is considered as insecure'"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "last" {
|
||||
skip 'this test is only there to reliably mark the end for the teardown_file'
|
||||
}
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
|
||||
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
|
||||
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
|
||||
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
|
||||
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
|
||||
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
|
@ -1243,6 +1243,8 @@ EOF
|
|||
# Dovecot has been restarted, but this test often fails so presumably it may not be ready
|
||||
# Add a short sleep to see if that helps to make the test more stable
|
||||
# Alternatively we could login with a known good user to make sure that the service is up
|
||||
wait_for_service mail postfix
|
||||
wait_for_service mail dovecot
|
||||
sleep 5
|
||||
|
||||
run docker exec mail /bin/bash -c "doveadm auth test -x service=smtp setup_email_add@example.com 'test_password' | grep 'passdb'"
|
||||
|
|
|
|||
Loading…
Reference in New Issue