test(default): add inspec for base and maps

Signed-off-by: Felipe Zipitria <fzipitria@perceptyx.com>
This commit is contained in:
Felipe Zipitria 2020-05-23 19:04:07 -03:00
parent 474a59be65
commit 2a61498fa4
No known key found for this signature in database
GPG Key ID: A5D3A8FAF97BF212
5 changed files with 425 additions and 0 deletions


@ -0,0 +1,20 @@
# frozen_string_literal: true
control 'Postfix maps' do
title 'maps have been generated properly'
describe command('postmap -q example.com /etc/postfix/transport') do
its('stdout') { should eq "10.1.1.1\n" }
its('exit_status') { should eq 0 }
end
describe command('postmap -q example.com /etc/postfix/tls_policy') do
its('stdout') { should eq "encrypt\n" }
its('exit_status') { should eq 0 }
end
describe command('postmap -q .example.com /etc/postfix/tls_policy') do
its('stdout') { should eq "encrypt\n" }
its('exit_status') { should eq 0 }
end
end
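Review bot: The maps control verifies the transport and tls_policy maps with `postmap -q` but says nothing about /etc/postfix/sasl_passwd, which the pillar files in this same commit populate via smtp_sasl_password_maps with a `user:password` entry, and that map is the one whose on-disk permissions matter. A permission check rather than a lookup is the right shape here, since `postmap -q` on that map would echo the credential into the test report; add alongside the existing describes `describe file('/etc/postfix/sasl_passwd') do`, `it { should_not be_readable.by('others') }`, `end`, and the same for the generated sasl_passwd.db. The control also declares no `impact`, unlike what a reader would expect for a check that covers credential-bearing maps; an explicit `impact` line makes the ranking deliberate.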


@ -0,0 +1,9 @@
# frozen_string_literal: true
control 'Postfix mysql' do
title 'should be installed'
describe port(25) do
it { should be_listening }
end
end
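Review bot: The control id 'Postfix mysql' and title 'should be installed' do not describe what the block checks (port 25 listening), and nothing else in this commit concerns mysql, so the name reads as carried over from another profile. Rename it, e.g. `control 'Postfix service' do` with `title 'postfix is installed, enabled and listening'`, and back the title with a `service('postfix')` installed/enabled/running check. The pillars added in this commit also enable the smtps and submission listeners under master_config, so asserting ports 465 and 587 would give master.cf generation some coverage, which no control currently has; whether those ports are bound depends on the formula actually rendering master.cf from the `services` key, which this page does not show.
```ruby
control 'Postfix service' do
  title 'postfix is installed, enabled and listening'
  describe service('postfix') do
    it { should be_installed }
    it { should be_enabled }
    it { should be_running }
  end
  # … unchanged: port(25) check …
  # smtps (465) and submission (587) are enabled in the test pillars' master_config
  [465, 587].each do |listener|
    describe port(listener) do
      it { should be_listening }
    end
  end
end
```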


@ -0,0 +1,73 @@
# frozen_string_literal: true
control 'Postfix config' do
title 'config is generated correctly'
describe postfix_conf do
its('biff') { should cmp 'no' }
its('compatibility_level') { should cmp '2' }
its('append_dot_mydomain') { should cmp 'no' }
its('readme_directory') { should cmp 'no' }
its('smtpd_sasl_auth_enable') { should cmp 'yes' }
its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' }
its('smtpd_sasl_type') { should cmp 'dovecot' }
its('smtpd_sasl_security_options') { should cmp 'noanonymous' }
its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' }
its('smtpd_tls_auth_only') { should cmp 'yes' }
its('smtpd_use_tls') { should cmp 'yes' }
its('smtpd_tls_loglevel') { should cmp '1' }
its('smtpd_tls_security_level') { should cmp 'may' }
its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
its('smtpd_tls_session_cache_database') do
should cmp 'btree:${data_directory}/smtpd_scache'
end
its('smtpd_tls_mandatory_ciphers') { should cmp 'high' }
its('tls_preempt_cipherlist') { should cmp 'yes' }
its('smtp_tls_loglevel') { should cmp '1' }
its('smtp_tls_security_level') { should cmp 'may' }
its('smtp_tls_session_cache_database') do
should cmp 'btree:${data_directory}/smtp_scache'
end
its('myhostname') { should cmp 'localhost' }
its('alias_maps') { should cmp 'hash:/etc/aliases' }
its('alias_database') { should cmp 'hash:/etc/aliases' }
its('mydestination') { should cmp 'localhost, localhost.localdomain' }
its('relayhost') { should cmp '' }
its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }
its('mailbox_size_limit') { should cmp '0' }
its('recipient_delimiter') { should cmp '+' }
its('inet_interfaces') { should cmp 'all' }
its('inet_protocols') { should cmp 'all' }
its('message_size_limit') { should cmp '41943040' }
its('smtpd_recipient_restrictions') do
should cmp 'permit_mynetworks,'\
' permit_sasl_authenticated,'\
' reject_unauth_destination'
end
its('transport_maps') { should cmp 'hash:/etc/postfix/transport' }
its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' }
its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' }
its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' }
its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' }
its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' }
its('local_transport') { should cmp 'virtual' }
its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' }
its('smtpd_relay_restrictions') do
should cmp 'permit_mynetworks, '\
'permit_sasl_authenticated, '\
'reject_unauth_destination'
end
its('smtpd_sasl_local_domain') { should cmp '$mydomain' }
its('smtpd_tls_session_cache_timeout') { should cmp '3600s' }
its('relay_domains') { should cmp '$mydestination' }
its('smtp_use_tls') { should cmp 'yes' }
its('smtp_tls_cert_file') do
should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt'
end
its('smtp_tls_key_file') do
should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key'
end
end
end
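Review bot: The control pins smtpd_tls_key_file and smtp_tls_key_file to paths under /etc/postfix/ssl but never checks that those files exist or that the private keys are not world-readable, which is the property that matters once the formula writes `private_key` from pillar data. A `should_not be_readable.by('others')` alone passes trivially for a missing file, so pair it with `it { should exist }` for each key. A one-line `desc` saying that the expected values mirror the test pillar (e.g. `desc 'Expected values mirror the base test pillar; keep both in sync'`) would also help the next person who edits either file, since the two are kept aligned by hand.
```ruby
control 'Postfix config' do
  title 'config is generated correctly'
  # … unchanged: postfix_conf describe block …
  # private keys written from pillar must not be readable by other users
  %w[server-cert example.com-relay-client-cert].each do |name|
    describe file("/etc/postfix/ssl/#{name}.key") do
      it { should exist }
      it { should_not be_readable.by('others') }
    end
  end
end
```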


@ -0,0 +1,159 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
postfix:
manage_master_config: true
master_config:
# Preferred way of managing services/processes. This allows for finegrained
# control over each service. See postfix/services.yaml for defaults that can
# be overridden.
services:
smtp:
# Limit to no more than 10 smtp processes
maxproc: 10
# Enable oldstyle TLS wrapped SMTP
smtps:
enable: true
# Enable submission service on port 587/tcp with custom options
submission:
enable: true
args:
- "-o smtpd_tls_security_level=encrypt"
- "-o smtpd_sasl_auth_enable=yes"
- "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
tlsproxy:
enable: true
chroot: true
# Backwards compatible definition of dovecot delivery in master.cf
enable_dovecot: false
# Backwards compatible definition of submission listener in master.cf
enable_submission: false
enable_service: true
reload_service: true
config:
smtpd_banner: $myhostname ESMTP $mail_name
smtp_tls_CApath: /etc/ssl/certs
biff: 'no'
append_dot_mydomain: 'no'
readme_directory: 'no'
myhostname: localhost
mydestination: localhost, localhost.localdomain
relayhost: ''
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit: 0
recipient_delimiter: +
inet_interfaces: all
inet_protocols: all
# Alias
alias_maps: hash:/etc/aliases
# This is the list of files for the newaliases
# cmd to process (see postconf(5) for details).
# Only local hash/btree/dbm files:
alias_database: hash:/etc/aliases
local_transport: virtual
local_recipient_maps: $virtual_mailbox_maps
transport_maps: hash:/etc/postfix/transport
# SMTP server
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
smtpd_use_tls: 'yes'
smtpd_sasl_auth_enable: 'yes'
smtpd_sasl_type: dovecot
smtpd_sasl_path: /var/run/dovecot/auth-client
smtpd_recipient_restrictions: >-
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_relay_restrictions: >-
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_security_options: noanonymous
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
smtpd_tls_auth_only: 'yes'
smtpd_sasl_local_domain: $mydomain
smtpd_tls_loglevel: 1
smtpd_tls_session_cache_timeout: 3600s
relay_domains: '$mydestination'
# SMTP server certificate and key (from pillar data)
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
# SMTP client
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
smtp_use_tls: 'yes'
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
sender_canonical_maps: hash:/etc/postfix/sender_canonical
relay_recipient_maps: hash:/etc/postfix/relay_domains
virtual_alias_maps: hash:/etc/postfix/virtual
aliases:
# manage single aliases
# this uses the aliases file defined in the minion config, /etc/aliases by default
use_file: false
present:
root: info@example.com
absent:
- root
certificates:
server-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate: example-ca.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your root certificate: trusted-root.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
example.com-relay-client-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
mapping:
transport_maps:
- example.com: '10.1.1.1'
smtp_tls_policy_maps:
- example.com: encrypt
- .example.com: encrypt
smtp_sasl_password_maps:
- smtp.example.com: myaccount:somepassword
sender_canonical_maps:
- root: servers@example.com
- nagios: alerts@example.com
relay_recipient_maps:
- example.com: OK
virtual_alias_maps:
- groupaliasexample:
- someuser_1@example.com
- someuser_2@example.com
- singlealiasexample: someuser_3@example.com
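Review bot: The submission override `-o smtpd_client_restrictions: permit_sasl_authenticated,reject` uses a colon where master(5) `-o` overrides take `name=value`, so it is unlikely to apply the restriction intended for port 587; the two sibling overrides directly above it use `=`, and the same line appears in the second pillar file of this commit. Change it to `- "-o smtpd_client_restrictions=permit_sasl_authenticated,reject"`. None of the added controls read master.cf, so the inspec suite would not catch this either; a port-587 check or a `postconf -M` based assertion would. Separately, the `myaccount:somepassword` entry and the PEM placeholders are test fixtures, which is worth stating in a comment such as `# test fixture: not a real credential` so the block is not copied into a production pillar unchanged.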


@ -0,0 +1,164 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
postfix:
manage_master_config: true
master_config:
# Preferred way of managing services/processes. This allows for finegrained
# control over each service. See postfix/services.yaml for defaults that can
# be overridden.
services:
smtp:
# Limit to no more than 10 smtp processes
maxproc: 10
# Enable oldstyle TLS wrapped SMTP
smtps:
enable: true
# Enable submission service on port 587/tcp with custom options
submission:
enable: true
args:
- "-o smtpd_tls_security_level=encrypt"
- "-o smtpd_sasl_auth_enable=yes"
- "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
tlsproxy:
enable: true
chroot: true
# Backwards compatible definition of dovecot delivery in master.cf
enable_dovecot: false
# Backwards compatible definition of submission listener in master.cf
enable_submission: false
enable_service: true
reload_service: true
postgrey:
enabled: true
enable_service: true
location: inet:127.0.0.1:10030
config:
smtpd_banner: $myhostname ESMTP $mail_name
smtp_tls_CApath: /etc/ssl/certs
biff: 'no'
append_dot_mydomain: 'no'
readme_directory: 'no'
myhostname: localhost
mydestination: localhost, localhost.localdomain
relayhost: ''
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit: 0
recipient_delimiter: +
inet_interfaces: all
inet_protocols: all
# Alias
alias_maps: hash:/etc/aliases
# This is the list of files for the newaliases
# cmd to process (see postconf(5) for details).
# Only local hash/btree/dbm files:
alias_database: hash:/etc/aliases
local_transport: virtual
local_recipient_maps: $virtual_mailbox_maps
transport_maps: hash:/etc/postfix/transport
# SMTP server
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
smtpd_use_tls: 'yes'
smtpd_sasl_auth_enable: 'yes'
smtpd_sasl_type: dovecot
smtpd_sasl_path: /var/run/dovecot/auth-client
smtpd_recipient_restrictions: >-
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_relay_restrictions: >-
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_security_options: noanonymous
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
smtpd_tls_auth_only: 'yes'
smtpd_sasl_local_domain: $mydomain
smtpd_tls_loglevel: 1
smtpd_tls_session_cache_timeout: 3600s
relay_domains: '$mydestination'
# SMTP server certificate and key (from pillar data)
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
# SMTP client
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
smtp_use_tls: 'yes'
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
sender_canonical_maps: hash:/etc/postfix/sender_canonical
relay_recipient_maps: hash:/etc/postfix/relay_domains
virtual_alias_maps: hash:/etc/postfix/virtual
aliases:
# manage single aliases
# this uses the aliases file defined in the minion config, /etc/aliases by default
use_file: false
present:
root: info@example.com
absent:
- root
certificates:
server-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your intermediate certificate: example-ca.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your root certificate: trusted-root.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
example.com-relay-client-cert:
public_cert: |
-----BEGIN CERTIFICATE-----
(Your primary SSL certificate: smtp.example.com.crt)
-----END CERTIFICATE-----
private_key: |
-----BEGIN RSA PRIVATE KEY-----
(Your Private key)
-----END RSA PRIVATE KEY-----
mapping:
transport_maps:
- example.com: '10.1.1.1'
smtp_tls_policy_maps:
- example.com: encrypt
- .example.com: encrypt
smtp_sasl_password_maps:
- smtp.example.com: myaccount:somepassword
sender_canonical_maps:
- root: servers@example.com
- nagios: alerts@example.com
relay_recipient_maps:
- example.com: OK
virtual_alias_maps:
- groupaliasexample:
- someuser_1@example.com
- someuser_2@example.com
- singlealiasexample: someuser_3@example.com
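Review bot: `postgrey.enabled: true` with `location: inet:127.0.0.1:10030` is added, but `smtpd_recipient_restrictions` in the same file still lists only permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination, so the policy service is not referenced anywhere in this pillar unless the formula injects `check_policy_service` itself. If the formula does not, append `check_policy_service inet:127.0.0.1:10030` to that folded list after reject_unauth_destination; if it does, the 'Postfix config' control's exact-match assertion on smtpd_recipient_restrictions would fail for whichever suite uses this pillar, so one of the two needs adjusting either way. This section ends at the bottom of the page; if the file continues past `singlealiasexample`, those lines were not reviewed.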