Merge pull request #108 from Perceptyx/add-inspec-tests
test(default): add inspec for base and maps
This commit is contained in:
commit
466c120462
@ -53,7 +53,7 @@ Installs and starts postfix SMTP server
|
||||
``postfix.config``
|
||||
^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Manages postfix main.cf and optionally the master.cf configuration file
|
||||
Manages postfix main.cf and optionally the master.cf configuration file. Generates mappings.
|
||||
|
||||
``postfix.policyd-spf``
|
||||
^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
@ -101,3 +101,49 @@ postfix_{{ domain }}_ssl_key:
|
||||
- service: postfix
|
||||
|
||||
{% endfor %}
|
||||
|
||||
# manage various mappings
|
||||
{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
|
||||
{%- set need_postmap = False %}
|
||||
{%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
|
||||
{%- if file_path.startswith('proxy:') %}
|
||||
{#- Discard the proxy:-prefix #}
|
||||
{%- set _, file_type, file_path = file_path.split(':') %}
|
||||
{%- elif ':' in file_path %}
|
||||
{%- set file_type, file_path = file_path.split(':') %}
|
||||
{%- else %}
|
||||
{%- set file_type = default_database_type %}
|
||||
{%- endif %}
|
||||
{%- if not file_path.startswith('/') %}
|
||||
{%- set file_path = postfix.config_path ~ '/' ~ file_path %}
|
||||
{%- endif %}
|
||||
{%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
|
||||
{%- set need_postmap = True %}
|
||||
{%- endif %}
|
||||
postfix_{{ mapping }}:
|
||||
file.managed:
|
||||
- name: {{ file_path }}
|
||||
- source: salt://postfix/files/mapping.j2
|
||||
- user: root
|
||||
- group: {{ postfix.root_grp }}
|
||||
{%- if mapping.endswith('_sasl_password_maps') %}
|
||||
- mode: 600
|
||||
{%- else %}
|
||||
- mode: 644
|
||||
{%- endif %}
|
||||
- template: jinja
|
||||
- context:
|
||||
data: {{ data|json() }}
|
||||
- require:
|
||||
- pkg: postfix
|
||||
- file: {{ postfix.config_path }}/main.cf
|
||||
{%- if need_postmap %}
|
||||
cmd.wait:
|
||||
- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
|
||||
- cwd: /
|
||||
- watch:
|
||||
- file: {{ file_path }}
|
||||
- watch_in:
|
||||
- service: postfix
|
||||
{%- endif %}
|
||||
{% endfor %}
|
||||
|
@ -94,48 +94,3 @@ postfix_alias_absent_{{ user }}:
|
||||
{%- endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
# manage various mappings
|
||||
{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
|
||||
{%- set need_postmap = False %}
|
||||
{%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
|
||||
{%- if file_path.startswith('proxy:') %}
|
||||
{#- Discard the proxy:-prefix #}
|
||||
{%- set _, file_type, file_path = file_path.split(':') %}
|
||||
{%- elif ':' in file_path %}
|
||||
{%- set file_type, file_path = file_path.split(':') %}
|
||||
{%- else %}
|
||||
{%- set file_type = default_database_type %}
|
||||
{%- endif %}
|
||||
{%- if not file_path.startswith('/') %}
|
||||
{%- set file_path = postfix.config_path ~ '/' ~ file_path %}
|
||||
{%- endif %}
|
||||
{%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
|
||||
{%- set need_postmap = True %}
|
||||
{%- endif %}
|
||||
postfix_{{ mapping }}:
|
||||
file.managed:
|
||||
- name: {{ file_path }}
|
||||
- source: salt://postfix/files/mapping.j2
|
||||
- user: root
|
||||
- group: {{ postfix.root_grp }}
|
||||
{%- if mapping.endswith('_sasl_password_maps') %}
|
||||
- mode: 600
|
||||
{%- else %}
|
||||
- mode: 644
|
||||
{%- endif %}
|
||||
- template: jinja
|
||||
- context:
|
||||
data: {{ data|json() }}
|
||||
- require:
|
||||
- pkg: postfix
|
||||
{%- if need_postmap %}
|
||||
cmd.wait:
|
||||
- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
|
||||
- cwd: /
|
||||
- watch:
|
||||
- file: {{ file_path }}
|
||||
- watch_in:
|
||||
- service: postfix
|
||||
{%- endif %}
|
||||
{% endfor %}
|
||||
|
20
test/integration/default/controls/postfix_maps_spec.rb
Normal file
20
test/integration/default/controls/postfix_maps_spec.rb
Normal file
@ -0,0 +1,20 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
control 'Postfix maps' do
|
||||
title 'maps have been generated properly'
|
||||
|
||||
describe command('postmap -q example.com /etc/postfix/transport') do
|
||||
its('stdout') { should eq "10.1.1.1\n" }
|
||||
its('exit_status') { should eq 0 }
|
||||
end
|
||||
|
||||
describe command('postmap -q example.com /etc/postfix/tls_policy') do
|
||||
its('stdout') { should eq "encrypt\n" }
|
||||
its('exit_status') { should eq 0 }
|
||||
end
|
||||
|
||||
describe command('postmap -q .example.com /etc/postfix/tls_policy') do
|
||||
its('stdout') { should eq "encrypt\n" }
|
||||
its('exit_status') { should eq 0 }
|
||||
end
|
||||
end
|
73
test/integration/default/controls/postfix_spec.rb
Normal file
73
test/integration/default/controls/postfix_spec.rb
Normal file
@ -0,0 +1,73 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
control 'Postfix config' do
|
||||
title 'config is generated correctly'
|
||||
|
||||
describe postfix_conf do
|
||||
its('biff') { should cmp 'no' }
|
||||
its('compatibility_level') { should cmp '2' }
|
||||
its('append_dot_mydomain') { should cmp 'no' }
|
||||
its('readme_directory') { should cmp 'no' }
|
||||
its('smtpd_sasl_auth_enable') { should cmp 'yes' }
|
||||
its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' }
|
||||
its('smtpd_sasl_type') { should cmp 'dovecot' }
|
||||
its('smtpd_sasl_security_options') { should cmp 'noanonymous' }
|
||||
its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' }
|
||||
its('smtpd_tls_auth_only') { should cmp 'yes' }
|
||||
its('smtpd_use_tls') { should cmp 'yes' }
|
||||
its('smtpd_tls_loglevel') { should cmp '1' }
|
||||
its('smtpd_tls_security_level') { should cmp 'may' }
|
||||
its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
|
||||
its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
|
||||
its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
|
||||
its('smtpd_tls_session_cache_database') do
|
||||
should cmp 'btree:${data_directory}/smtpd_scache'
|
||||
end
|
||||
its('smtpd_tls_mandatory_ciphers') { should cmp 'high' }
|
||||
its('tls_preempt_cipherlist') { should cmp 'yes' }
|
||||
its('smtp_tls_loglevel') { should cmp '1' }
|
||||
its('smtp_tls_security_level') { should cmp 'may' }
|
||||
its('smtp_tls_session_cache_database') do
|
||||
should cmp 'btree:${data_directory}/smtp_scache'
|
||||
end
|
||||
its('myhostname') { should cmp 'localhost' }
|
||||
its('alias_maps') { should cmp 'hash:/etc/aliases' }
|
||||
its('alias_database') { should cmp 'hash:/etc/aliases' }
|
||||
its('mydestination') { should cmp 'localhost, localhost.localdomain' }
|
||||
its('relayhost') { should cmp '' }
|
||||
its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }
|
||||
its('mailbox_size_limit') { should cmp '0' }
|
||||
its('recipient_delimiter') { should cmp '+' }
|
||||
its('inet_interfaces') { should cmp '127.0.0.1' }
|
||||
its('inet_protocols') { should cmp 'all' }
|
||||
its('message_size_limit') { should cmp '41943040' }
|
||||
its('smtpd_recipient_restrictions') do
|
||||
should cmp 'permit_mynetworks,'\
|
||||
' permit_sasl_authenticated,'\
|
||||
' reject_unauth_destination'
|
||||
end
|
||||
its('transport_maps') { should cmp 'hash:/etc/postfix/transport' }
|
||||
its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' }
|
||||
its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' }
|
||||
its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' }
|
||||
its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' }
|
||||
its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' }
|
||||
its('local_transport') { should cmp 'virtual' }
|
||||
its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' }
|
||||
its('smtpd_relay_restrictions') do
|
||||
should cmp 'permit_mynetworks, '\
|
||||
'permit_sasl_authenticated, '\
|
||||
'reject_unauth_destination'
|
||||
end
|
||||
its('smtpd_sasl_local_domain') { should cmp '$mydomain' }
|
||||
its('smtpd_tls_session_cache_timeout') { should cmp '3600s' }
|
||||
its('relay_domains') { should cmp '$mydestination' }
|
||||
its('smtp_use_tls') { should cmp 'yes' }
|
||||
its('smtp_tls_cert_file') do
|
||||
should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt'
|
||||
end
|
||||
its('smtp_tls_key_file') do
|
||||
should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key'
|
||||
end
|
||||
end
|
||||
end
|
@ -0,0 +1,160 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
# vim: ft=yaml
|
||||
---
|
||||
postfix:
|
||||
manage_master_config: true
|
||||
master_config:
|
||||
# Preferred way of managing services/processes. This allows for finegrained
|
||||
# control over each service. See postfix/services.yaml for defaults that can
|
||||
# be overridden.
|
||||
services:
|
||||
smtp:
|
||||
# Limit to no more than 10 smtp processes
|
||||
maxproc: 10
|
||||
# Disable oldstyle TLS wrapped SMTP
|
||||
smtps:
|
||||
enable: false
|
||||
# Enable submission service on port 587/tcp with custom options
|
||||
submission:
|
||||
enable: true
|
||||
args:
|
||||
- "-o smtpd_tls_security_level=encrypt"
|
||||
- "-o smtpd_sasl_auth_enable=yes"
|
||||
- "-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
|
||||
tlsproxy:
|
||||
enable: true
|
||||
chroot: true
|
||||
|
||||
# Backwards compatible definition of dovecot delivery in master.cf
|
||||
enable_dovecot: false
|
||||
# Backwards compatible definition of submission listener in master.cf
|
||||
enable_submission: false
|
||||
|
||||
enable_service: true
|
||||
reload_service: true
|
||||
|
||||
config:
|
||||
smtpd_banner: $myhostname ESMTP $mail_name
|
||||
smtp_tls_CApath: /etc/ssl/certs
|
||||
biff: 'no'
|
||||
append_dot_mydomain: 'no'
|
||||
readme_directory: 'no'
|
||||
myhostname: localhost
|
||||
mydestination: localhost, localhost.localdomain
|
||||
relayhost: ''
|
||||
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||
mailbox_size_limit: 0
|
||||
recipient_delimiter: +
|
||||
# using all has problems in centos with ipv6
|
||||
inet_interfaces: 127.0.0.1
|
||||
inet_protocols: all
|
||||
|
||||
# Alias
|
||||
alias_maps: hash:/etc/aliases
|
||||
# This is the list of files for the newaliases
|
||||
# cmd to process (see postconf(5) for details).
|
||||
# Only local hash/btree/dbm files:
|
||||
alias_database: hash:/etc/aliases
|
||||
|
||||
local_transport: virtual
|
||||
local_recipient_maps: $virtual_mailbox_maps
|
||||
transport_maps: hash:/etc/postfix/transport
|
||||
|
||||
# SMTP server
|
||||
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
|
||||
smtpd_use_tls: 'yes'
|
||||
smtpd_sasl_auth_enable: 'yes'
|
||||
smtpd_sasl_type: dovecot
|
||||
smtpd_sasl_path: /var/run/dovecot/auth-client
|
||||
smtpd_recipient_restrictions: >-
|
||||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
reject_unauth_destination
|
||||
smtpd_relay_restrictions: >-
|
||||
permit_mynetworks,
|
||||
permit_sasl_authenticated,
|
||||
reject_unauth_destination
|
||||
smtpd_sasl_security_options: noanonymous
|
||||
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
|
||||
smtpd_tls_auth_only: 'yes'
|
||||
smtpd_sasl_local_domain: $mydomain
|
||||
smtpd_tls_loglevel: 1
|
||||
smtpd_tls_session_cache_timeout: 3600s
|
||||
|
||||
relay_domains: '$mydestination'
|
||||
|
||||
# SMTP server certificate and key (from pillar data)
|
||||
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
|
||||
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
|
||||
|
||||
# SMTP client
|
||||
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
|
||||
smtp_use_tls: 'yes'
|
||||
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
|
||||
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
|
||||
smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
|
||||
|
||||
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
|
||||
sender_canonical_maps: hash:/etc/postfix/sender_canonical
|
||||
relay_recipient_maps: hash:/etc/postfix/relay_domains
|
||||
virtual_alias_maps: hash:/etc/postfix/virtual
|
||||
|
||||
aliases:
|
||||
# manage single aliases
|
||||
# this uses the aliases file defined in the minion config, /etc/aliases by default
|
||||
use_file: false
|
||||
present:
|
||||
root: info@example.com
|
||||
absent:
|
||||
- root
|
||||
|
||||
certificates:
|
||||
server-cert:
|
||||
public_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your primary SSL certificate: smtp.example.com.crt)
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your intermediate certificate: example-ca.crt)
|
||||
-----END CERTIFICATE-----
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your root certificate: trusted-root.crt)
|
||||
-----END CERTIFICATE-----
|
||||
private_key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
(Your Private key)
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
example.com-relay-client-cert:
|
||||
public_cert: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
(Your primary SSL certificate: smtp.example.com.crt)
|
||||
-----END CERTIFICATE-----
|
||||
private_key: |
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
(Your Private key)
|
||||
-----END RSA PRIVATE KEY-----
|
||||
|
||||
mapping:
|
||||
transport_maps:
|
||||
- example.com: '10.1.1.1'
|
||||
|
||||
smtp_tls_policy_maps:
|
||||
- example.com: encrypt
|
||||
- .example.com: encrypt
|
||||
|
||||
smtp_sasl_password_maps:
|
||||
- smtp.example.com: myaccount:somepassword
|
||||
|
||||
sender_canonical_maps:
|
||||
- root: servers@example.com
|
||||
- nagios: alerts@example.com
|
||||
|
||||
relay_recipient_maps:
|
||||
- example.com: OK
|
||||
|
||||
virtual_alias_maps:
|
||||
- groupaliasexample:
|
||||
- someuser_1@example.com
|
||||
- someuser_2@example.com
|
||||
- singlealiasexample: someuser_3@example.com
|
Loading…
Reference in New Issue
Block a user