From 2a61498fa440b2eef26849c2b0bc2dadf27b2dee Mon Sep 17 00:00:00 2001 From: Felipe Zipitria Date: Sat, 23 May 2020 19:04:07 -0300 Subject: [PATCH] test(default): add inspec for base and maps Signed-off-by: Felipe Zipitria --- .../default/controls/postfix_maps_spec.rb | 20 +++ .../default/controls/postfix_mysql.rb | 9 + .../default/controls/postfix_spec.rb | 73 ++++++++ test/salt/pillar/default.sls | 159 +++++++++++++++++ test/salt/pillar/postgrey.sls | 164 ++++++++++++++++++ 5 files changed, 425 insertions(+) create mode 100644 test/integration/default/controls/postfix_maps_spec.rb create mode 100644 test/integration/default/controls/postfix_mysql.rb create mode 100644 test/integration/default/controls/postfix_spec.rb create mode 100644 test/salt/pillar/postgrey.sls diff --git a/test/integration/default/controls/postfix_maps_spec.rb b/test/integration/default/controls/postfix_maps_spec.rb new file mode 100644 index 0000000..a03105e --- /dev/null +++ b/test/integration/default/controls/postfix_maps_spec.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +control 'Postfix maps' do + title 'maps have been generated properly' + + describe command('postmap -q example.com /etc/postfix/transport') do + its('stdout') { should eq "10.1.1.1\n" } + its('exit_status') { should eq 0 } + end + + describe command('postmap -q example.com /etc/postfix/tls_policy') do + its('stdout') { should eq "encrypt\n" } + its('exit_status') { should eq 0 } + end + + describe command('postmap -q .example.com /etc/postfix/tls_policy') do + its('stdout') { should eq "encrypt\n" } + its('exit_status') { should eq 0 } + end +end diff --git a/test/integration/default/controls/postfix_mysql.rb b/test/integration/default/controls/postfix_mysql.rb new file mode 100644 index 0000000..6ded085 --- /dev/null +++ b/test/integration/default/controls/postfix_mysql.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +control 'Postfix mysql' do + title 'should be installed' + + describe port(25) do + it { should be_listening } + end +end diff --git a/test/integration/default/controls/postfix_spec.rb b/test/integration/default/controls/postfix_spec.rb new file mode 100644 index 0000000..1e45a18 --- /dev/null +++ b/test/integration/default/controls/postfix_spec.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +control 'Postfix config' do + title 'config is generated correctly' + + describe postfix_conf do + its('biff') { should cmp 'no' } + its('compatibility_level') { should cmp '2' } + its('append_dot_mydomain') { should cmp 'no' } + its('readme_directory') { should cmp 'no' } + its('smtpd_sasl_auth_enable') { should cmp 'yes' } + its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' } + its('smtpd_sasl_type') { should cmp 'dovecot' } + its('smtpd_sasl_security_options') { should cmp 'noanonymous' } + its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' } + its('smtpd_tls_auth_only') { should cmp 'yes' } + its('smtpd_use_tls') { should cmp 'yes' } + its('smtpd_tls_loglevel') { should cmp '1' } + its('smtpd_tls_security_level') { should cmp 'may' } + its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' } + its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' } + its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' } + its('smtpd_tls_session_cache_database') do + should cmp 'btree:${data_directory}/smtpd_scache' + end + its('smtpd_tls_mandatory_ciphers') { should cmp 'high' } + its('tls_preempt_cipherlist') { should cmp 'yes' } + its('smtp_tls_loglevel') { should cmp '1' } + its('smtp_tls_security_level') { should cmp 'may' } + its('smtp_tls_session_cache_database') do + should cmp 'btree:${data_directory}/smtp_scache' + end + its('myhostname') { should cmp 'localhost' } + its('alias_maps') { should cmp 'hash:/etc/aliases' } + its('alias_database') { should cmp 'hash:/etc/aliases' } + its('mydestination') { should cmp 'localhost, localhost.localdomain' } + its('relayhost') { should cmp '' } + its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' } + its('mailbox_size_limit') { should cmp '0' } + its('recipient_delimiter') { should cmp '+' } + its('inet_interfaces') { should cmp 'all' } + its('inet_protocols') { should cmp 'all' } + its('message_size_limit') { should cmp '41943040' } + its('smtpd_recipient_restrictions') do + should cmp 'permit_mynetworks,'\ + ' permit_sasl_authenticated,'\ + ' reject_unauth_destination' + end + its('transport_maps') { should cmp 'hash:/etc/postfix/transport' } + its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' } + its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' } + its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' } + its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' } + its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' } + its('local_transport') { should cmp 'virtual' } + its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' } + its('smtpd_relay_restrictions') do + should cmp 'permit_mynetworks, '\ + 'permit_sasl_authenticated, '\ + 'reject_unauth_destination' + end + its('smtpd_sasl_local_domain') { should cmp '$mydomain' } + its('smtpd_tls_session_cache_timeout') { should cmp '3600s' } + its('relay_domains') { should cmp '$mydestination' } + its('smtp_use_tls') { should cmp 'yes' } + its('smtp_tls_cert_file') do + should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt' + end + its('smtp_tls_key_file') do + should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key' + end + end +end diff --git a/test/salt/pillar/default.sls b/test/salt/pillar/default.sls index e69de29..8fd852e 100644 --- a/test/salt/pillar/default.sls +++ b/test/salt/pillar/default.sls @@ -0,0 +1,159 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +postfix: + manage_master_config: true + master_config: + # Preferred way of managing services/processes. This allows for finegrained + # control over each service. See postfix/services.yaml for defaults that can + # be overridden. + services: + smtp: + # Limit to no more than 10 smtp processes + maxproc: 10 + # Enable oldstyle TLS wrapped SMTP + smtps: + enable: true + # Enable submission service on port 587/tcp with custom options + submission: + enable: true + args: + - "-o smtpd_tls_security_level=encrypt" + - "-o smtpd_sasl_auth_enable=yes" + - "-o smtpd_client_restrictions: permit_sasl_authenticated,reject" + tlsproxy: + enable: true + chroot: true + + # Backwards compatible definition of dovecot delivery in master.cf + enable_dovecot: false + # Backwards compatible definition of submission listener in master.cf + enable_submission: false + + enable_service: true + reload_service: true + + config: + smtpd_banner: $myhostname ESMTP $mail_name + smtp_tls_CApath: /etc/ssl/certs + biff: 'no' + append_dot_mydomain: 'no' + readme_directory: 'no' + myhostname: localhost + mydestination: localhost, localhost.localdomain + relayhost: '' + mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 + mailbox_size_limit: 0 + recipient_delimiter: + + inet_interfaces: all + inet_protocols: all + + # Alias + alias_maps: hash:/etc/aliases + # This is the list of files for the newaliases + # cmd to process (see postconf(5) for details). + # Only local hash/btree/dbm files: + alias_database: hash:/etc/aliases + + local_transport: virtual + local_recipient_maps: $virtual_mailbox_maps + transport_maps: hash:/etc/postfix/transport + + # SMTP server + smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache + smtpd_use_tls: 'yes' + smtpd_sasl_auth_enable: 'yes' + smtpd_sasl_type: dovecot + smtpd_sasl_path: /var/run/dovecot/auth-client + smtpd_recipient_restrictions: >- + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + smtpd_relay_restrictions: >- + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + smtpd_sasl_security_options: noanonymous + smtpd_sasl_tls_security_options: $smtpd_sasl_security_options + smtpd_tls_auth_only: 'yes' + smtpd_sasl_local_domain: $mydomain + smtpd_tls_loglevel: 1 + smtpd_tls_session_cache_timeout: 3600s + + relay_domains: '$mydestination' + + # SMTP server certificate and key (from pillar data) + smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt + smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key + + # SMTP client + smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache + smtp_use_tls: 'yes' + smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt + smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key + smtp_tls_policy_maps: hash:/etc/postfix/tls_policy + + smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd + sender_canonical_maps: hash:/etc/postfix/sender_canonical + relay_recipient_maps: hash:/etc/postfix/relay_domains + virtual_alias_maps: hash:/etc/postfix/virtual + + aliases: + # manage single aliases + # this uses the aliases file defined in the minion config, /etc/aliases by default + use_file: false + present: + root: info@example.com + absent: + - root + + certificates: + server-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your intermediate certificate: example-ca.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your root certificate: trusted-root.crt) + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + (Your Private key) + -----END RSA PRIVATE KEY----- + + example.com-relay-client-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + (Your Private key) + -----END RSA PRIVATE KEY----- + + mapping: + transport_maps: + - example.com: '10.1.1.1' + + smtp_tls_policy_maps: + - example.com: encrypt + - .example.com: encrypt + + smtp_sasl_password_maps: + - smtp.example.com: myaccount:somepassword + + sender_canonical_maps: + - root: servers@example.com + - nagios: alerts@example.com + + relay_recipient_maps: + - example.com: OK + + virtual_alias_maps: + - groupaliasexample: + - someuser_1@example.com + - someuser_2@example.com + - singlealiasexample: someuser_3@example.com diff --git a/test/salt/pillar/postgrey.sls b/test/salt/pillar/postgrey.sls new file mode 100644 index 0000000..f127c79 --- /dev/null +++ b/test/salt/pillar/postgrey.sls @@ -0,0 +1,164 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +postfix: + manage_master_config: true + master_config: + # Preferred way of managing services/processes. This allows for finegrained + # control over each service. See postfix/services.yaml for defaults that can + # be overridden. + services: + smtp: + # Limit to no more than 10 smtp processes + maxproc: 10 + # Enable oldstyle TLS wrapped SMTP + smtps: + enable: true + # Enable submission service on port 587/tcp with custom options + submission: + enable: true + args: + - "-o smtpd_tls_security_level=encrypt" + - "-o smtpd_sasl_auth_enable=yes" + - "-o smtpd_client_restrictions: permit_sasl_authenticated,reject" + tlsproxy: + enable: true + chroot: true + + # Backwards compatible definition of dovecot delivery in master.cf + enable_dovecot: false + # Backwards compatible definition of submission listener in master.cf + enable_submission: false + + enable_service: true + reload_service: true + + postgrey: + enabled: true + enable_service: true + location: inet:127.0.0.1:10030 + + config: + smtpd_banner: $myhostname ESMTP $mail_name + smtp_tls_CApath: /etc/ssl/certs + biff: 'no' + append_dot_mydomain: 'no' + readme_directory: 'no' + myhostname: localhost + mydestination: localhost, localhost.localdomain + relayhost: '' + mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 + mailbox_size_limit: 0 + recipient_delimiter: + + inet_interfaces: all + inet_protocols: all + + # Alias + alias_maps: hash:/etc/aliases + # This is the list of files for the newaliases + # cmd to process (see postconf(5) for details). + # Only local hash/btree/dbm files: + alias_database: hash:/etc/aliases + + local_transport: virtual + local_recipient_maps: $virtual_mailbox_maps + transport_maps: hash:/etc/postfix/transport + + # SMTP server + smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache + smtpd_use_tls: 'yes' + smtpd_sasl_auth_enable: 'yes' + smtpd_sasl_type: dovecot + smtpd_sasl_path: /var/run/dovecot/auth-client + smtpd_recipient_restrictions: >- + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + smtpd_relay_restrictions: >- + permit_mynetworks, + permit_sasl_authenticated, + reject_unauth_destination + smtpd_sasl_security_options: noanonymous + smtpd_sasl_tls_security_options: $smtpd_sasl_security_options + smtpd_tls_auth_only: 'yes' + smtpd_sasl_local_domain: $mydomain + smtpd_tls_loglevel: 1 + smtpd_tls_session_cache_timeout: 3600s + + relay_domains: '$mydestination' + + # SMTP server certificate and key (from pillar data) + smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt + smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key + + # SMTP client + smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache + smtp_use_tls: 'yes' + smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt + smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key + smtp_tls_policy_maps: hash:/etc/postfix/tls_policy + + smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd + sender_canonical_maps: hash:/etc/postfix/sender_canonical + relay_recipient_maps: hash:/etc/postfix/relay_domains + virtual_alias_maps: hash:/etc/postfix/virtual + + aliases: + # manage single aliases + # this uses the aliases file defined in the minion config, /etc/aliases by default + use_file: false + present: + root: info@example.com + absent: + - root + + certificates: + server-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your intermediate certificate: example-ca.crt) + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + (Your root certificate: trusted-root.crt) + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + (Your Private key) + -----END RSA PRIVATE KEY----- + + example.com-relay-client-cert: + public_cert: | + -----BEGIN CERTIFICATE----- + (Your primary SSL certificate: smtp.example.com.crt) + -----END CERTIFICATE----- + private_key: | + -----BEGIN RSA PRIVATE KEY----- + (Your Private key) + -----END RSA PRIVATE KEY----- + + mapping: + transport_maps: + - example.com: '10.1.1.1' + + smtp_tls_policy_maps: + - example.com: encrypt + - .example.com: encrypt + + smtp_sasl_password_maps: + - smtp.example.com: myaccount:somepassword + + sender_canonical_maps: + - root: servers@example.com + - nagios: alerts@example.com + + relay_recipient_maps: + - example.com: OK + + virtual_alias_maps: + - groupaliasexample: + - someuser_1@example.com + - someuser_2@example.com + - singlealiasexample: someuser_3@example.com