Merge pull request #108 from Perceptyx/add-inspec-tests
test(default): add inspec for base and maps
This commit is contained in:
commit
466c120462
@ -53,7 +53,7 @@ Installs and starts postfix SMTP server
|
|||||||
``postfix.config``
|
``postfix.config``
|
||||||
^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
Manages postfix main.cf and optionally the master.cf configuration file
|
Manages postfix main.cf and optionally the master.cf configuration file. Generates mappings.
|
||||||
|
|
||||||
``postfix.policyd-spf``
|
``postfix.policyd-spf``
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
@ -101,3 +101,49 @@ postfix_{{ domain }}_ssl_key:
|
|||||||
- service: postfix
|
- service: postfix
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
|
# manage various mappings
|
||||||
|
{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
|
||||||
|
{%- set need_postmap = False %}
|
||||||
|
{%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
|
||||||
|
{%- if file_path.startswith('proxy:') %}
|
||||||
|
{#- Discard the proxy:-prefix #}
|
||||||
|
{%- set _, file_type, file_path = file_path.split(':') %}
|
||||||
|
{%- elif ':' in file_path %}
|
||||||
|
{%- set file_type, file_path = file_path.split(':') %}
|
||||||
|
{%- else %}
|
||||||
|
{%- set file_type = default_database_type %}
|
||||||
|
{%- endif %}
|
||||||
|
{%- if not file_path.startswith('/') %}
|
||||||
|
{%- set file_path = postfix.config_path ~ '/' ~ file_path %}
|
||||||
|
{%- endif %}
|
||||||
|
{%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
|
||||||
|
{%- set need_postmap = True %}
|
||||||
|
{%- endif %}
|
||||||
|
postfix_{{ mapping }}:
|
||||||
|
file.managed:
|
||||||
|
- name: {{ file_path }}
|
||||||
|
- source: salt://postfix/files/mapping.j2
|
||||||
|
- user: root
|
||||||
|
- group: {{ postfix.root_grp }}
|
||||||
|
{%- if mapping.endswith('_sasl_password_maps') %}
|
||||||
|
- mode: 600
|
||||||
|
{%- else %}
|
||||||
|
- mode: 644
|
||||||
|
{%- endif %}
|
||||||
|
- template: jinja
|
||||||
|
- context:
|
||||||
|
data: {{ data|json() }}
|
||||||
|
- require:
|
||||||
|
- pkg: postfix
|
||||||
|
- file: {{ postfix.config_path }}/main.cf
|
||||||
|
{%- if need_postmap %}
|
||||||
|
cmd.wait:
|
||||||
|
- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
|
||||||
|
- cwd: /
|
||||||
|
- watch:
|
||||||
|
- file: {{ file_path }}
|
||||||
|
- watch_in:
|
||||||
|
- service: postfix
|
||||||
|
{%- endif %}
|
||||||
|
{% endfor %}
|
||||||
|
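Review bot: The `cmd.wait` at `- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}` throws away the `file_type` this block just parsed out of `postfix:config:<mapping>`, so the database is built with Postfix's `default_database_type` instead of the type main.cf declares; on a host where that default is not `hash`, the `hash:` lookup in main.cf will miss or hit a stale file. The fix is one line: `- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_type }}:{{ file_path }}` (the `proxy:` prefix has already been stripped, so `file_type` is always one of the postmap-capable types checked above). Separately, a `postfix:mapping` key with no matching `postfix:config` entry makes `pillar.get` return `''`, which the `startswith('/')` branch turns into `name: {{ postfix.config_path }}/` — a `file.managed` and a `postmap` run against the config directory — so I would fail loudly there, e.g. `{%- if not file_path %}{{ raise('postfix:mapping:' ~ mapping ~ ' has no postfix:config counterpart') }}{%- endif %}` (assuming the formula's minimum Salt exposes `raise` in Jinja). The `mode: 600` branch covers only mapping names ending in `_sasl_password_maps`; as far as I recall postmap gives the `.db` the source file's permissions, but that is worth confirming in the inspec tests rather than assuming.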
@ -94,48 +94,3 @@ postfix_alias_absent_{{ user }}:
|
|||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# manage various mappings
|
|
||||||
{% for mapping, data in salt['pillar.get']('postfix:mapping', {}).items() %}
|
|
||||||
{%- set need_postmap = False %}
|
|
||||||
{%- set file_path = salt['pillar.get']('postfix:config:' ~ mapping) %}
|
|
||||||
{%- if file_path.startswith('proxy:') %}
|
|
||||||
{#- Discard the proxy:-prefix #}
|
|
||||||
{%- set _, file_type, file_path = file_path.split(':') %}
|
|
||||||
{%- elif ':' in file_path %}
|
|
||||||
{%- set file_type, file_path = file_path.split(':') %}
|
|
||||||
{%- else %}
|
|
||||||
{%- set file_type = default_database_type %}
|
|
||||||
{%- endif %}
|
|
||||||
{%- if not file_path.startswith('/') %}
|
|
||||||
{%- set file_path = postfix.config_path ~ '/' ~ file_path %}
|
|
||||||
{%- endif %}
|
|
||||||
{%- if file_type in ("btree", "cdb", "dbm", "hash", "sdbm") %}
|
|
||||||
{%- set need_postmap = True %}
|
|
||||||
{%- endif %}
|
|
||||||
postfix_{{ mapping }}:
|
|
||||||
file.managed:
|
|
||||||
- name: {{ file_path }}
|
|
||||||
- source: salt://postfix/files/mapping.j2
|
|
||||||
- user: root
|
|
||||||
- group: {{ postfix.root_grp }}
|
|
||||||
{%- if mapping.endswith('_sasl_password_maps') %}
|
|
||||||
- mode: 600
|
|
||||||
{%- else %}
|
|
||||||
- mode: 644
|
|
||||||
{%- endif %}
|
|
||||||
- template: jinja
|
|
||||||
- context:
|
|
||||||
data: {{ data|json() }}
|
|
||||||
- require:
|
|
||||||
- pkg: postfix
|
|
||||||
{%- if need_postmap %}
|
|
||||||
cmd.wait:
|
|
||||||
- name: {{ postfix.xbin_prefix }}/sbin/postmap {{ file_path }}
|
|
||||||
- cwd: /
|
|
||||||
- watch:
|
|
||||||
- file: {{ file_path }}
|
|
||||||
- watch_in:
|
|
||||||
- service: postfix
|
|
||||||
{%- endif %}
|
|
||||||
{% endfor %}
|
|
||||||
|
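--- /dev/null
+++ b/test/integration/default/controls/postfix_maps_spec.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+control 'Postfix maps' do
+title 'maps have been generated properly'
+
+describe command('postmap -q example.com /etc/postfix/transport') do
+its('stdout') { should eq "10.1.1.1\n" }
+its('exit_status') { should eq 0 }
+end
+
+describe command('postmap -q example.com /etc/postfix/tls_policy') do
+its('stdout') { should eq "encrypt\n" }
+its('exit_status') { should eq 0 }
+end
+
+describe command('postmap -q .example.com /etc/postfix/tls_policy') do
+its('stdout') { should eq "encrypt\n" }
+its('exit_status') { should eq 0 }
+end
+end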
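Review bot: The one mapping whose file mode actually matters — `smtp_sasl_password_maps`, which the example pillar renders as `myaccount:somepassword` into `/etc/postfix/sasl_passwd` with `mode: 600` — has no assertion in this control, and `postmap -q` output alone cannot distinguish a 0600 map from a world-readable one. Since the state runs `postmap` on that file, the derived `sasl_passwd.db` also needs to be checked; I recall postmap copies the source file's permissions onto the `.db`, but that is precisely what the test should verify rather than assume. I would add file-permission checks alongside the three lookups, inside the `control 'Postfix maps'` block. The `postmap -q` calls also omit the map type, so they use Postfix's `default_database_type`; writing `hash:/etc/postfix/transport` pins the lookup to the type main.cf declares.
```ruby
  describe file('/etc/postfix/sasl_passwd') do
    its('owner') { should eq 'root' }
    its('mode') { should cmp '0600' }
  end

  describe file('/etc/postfix/sasl_passwd.db') do
    it { should_not be_readable.by('group') }
    it { should_not be_readable.by('others') }
  end
```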
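--- /dev/null
+++ b/test/integration/default/controls/postfix_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+control 'Postfix config' do
+title 'config is generated correctly'
+
+describe postfix_conf do
+its('biff') { should cmp 'no' }
+its('compatibility_level') { should cmp '2' }
+its('append_dot_mydomain') { should cmp 'no' }
+its('readme_directory') { should cmp 'no' }
+its('smtpd_sasl_auth_enable') { should cmp 'yes' }
+its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' }
+its('smtpd_sasl_type') { should cmp 'dovecot' }
+its('smtpd_sasl_security_options') { should cmp 'noanonymous' }
+its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' }
+its('smtpd_tls_auth_only') { should cmp 'yes' }
+its('smtpd_use_tls') { should cmp 'yes' }
+its('smtpd_tls_loglevel') { should cmp '1' }
+its('smtpd_tls_security_level') { should cmp 'may' }
+its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
+its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
+its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
+its('smtpd_tls_session_cache_database') do
+should cmp 'btree:${data_directory}/smtpd_scache'
+end
+its('smtpd_tls_mandatory_ciphers') { should cmp 'high' }
+its('tls_preempt_cipherlist') { should cmp 'yes' }
+its('smtp_tls_loglevel') { should cmp '1' }
+its('smtp_tls_security_level') { should cmp 'may' }
+its('smtp_tls_session_cache_database') do
+should cmp 'btree:${data_directory}/smtp_scache'
+end
+its('myhostname') { should cmp 'localhost' }
+its('alias_maps') { should cmp 'hash:/etc/aliases' }
+its('alias_database') { should cmp 'hash:/etc/aliases' }
+its('mydestination') { should cmp 'localhost, localhost.localdomain' }
+its('relayhost') { should cmp '' }
+its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }
+its('mailbox_size_limit') { should cmp '0' }
+its('recipient_delimiter') { should cmp '+' }
+its('inet_interfaces') { should cmp '127.0.0.1' }
+its('inet_protocols') { should cmp 'all' }
+its('message_size_limit') { should cmp '41943040' }
+its('smtpd_recipient_restrictions') do
+should cmp 'permit_mynetworks,'\
+' permit_sasl_authenticated,'\
+' reject_unauth_destination'
+end
+its('transport_maps') { should cmp 'hash:/etc/postfix/transport' }
+its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' }
+its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' }
+its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' }
+its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' }
+its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' }
+its('local_transport') { should cmp 'virtual' }
+its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' }
+its('smtpd_relay_restrictions') do
+should cmp 'permit_mynetworks, '\
+'permit_sasl_authenticated, '\
+'reject_unauth_destination'
+end
+its('smtpd_sasl_local_domain') { should cmp '$mydomain' }
+its('smtpd_tls_session_cache_timeout') { should cmp '3600s' }
+its('relay_domains') { should cmp '$mydestination' }
+its('smtp_use_tls') { should cmp 'yes' }
+its('smtp_tls_cert_file') do
+should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt'
+end
+its('smtp_tls_key_file') do
+should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key'
+end
+end
+end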
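Review bot: This control only reads main.cf through `postfix_conf` and never looks at master.cf, so the most security-relevant part of the example pillar — the `submission` listener forced to `smtpd_tls_security_level=encrypt` with `smtpd_client_restrictions=permit_sasl_authenticated,reject`, and `smtps` disabled — has no regression test at all. I would add a `file('/etc/postfix/master.cf')` block after the `postfix_conf` block, assuming the formula renders the `services` args into master.cf as `-o key=value` lines the way the pillar describes. A smaller style point: the two multi-line expectations for `smtpd_recipient_restrictions` and `smtpd_relay_restrictions` describe the same value but split the separator differently (`'permit_mynetworks,'\ ' permit_sasl_authenticated,'` versus `'permit_mynetworks, '\ 'permit_sasl_authenticated, '`); pick one form so the next reader does not wonder whether the two parameters really differ.
```ruby
  describe file('/etc/postfix/master.cf') do
    its('content') { should match(/^submission\s+inet\b/) }
    its('content') { should match(/-o smtpd_tls_security_level=encrypt/) }
    its('content') { should match(/-o smtpd_client_restrictions=permit_sasl_authenticated,reject/) }
    its('content') { should_not match(/^smtps\s+inet\b/) }
  end
```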
@ -0,0 +1,160 @@
|
|||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
# vim: ft=yaml
|
||||||
|
---
|
||||||
|
postfix:
|
||||||
|
manage_master_config: true
|
||||||
|
master_config:
|
||||||
|
# Preferred way of managing services/processes. This allows for finegrained
|
||||||
|
# control over each service. See postfix/services.yaml for defaults that can
|
||||||
|
# be overridden.
|
||||||
|
services:
|
||||||
|
smtp:
|
||||||
|
# Limit to no more than 10 smtp processes
|
||||||
|
maxproc: 10
|
||||||
|
# Disable oldstyle TLS wrapped SMTP
|
||||||
|
smtps:
|
||||||
|
enable: false
|
||||||
|
# Enable submission service on port 587/tcp with custom options
|
||||||
|
submission:
|
||||||
|
enable: true
|
||||||
|
args:
|
||||||
|
- "-o smtpd_tls_security_level=encrypt"
|
||||||
|
- "-o smtpd_sasl_auth_enable=yes"
|
||||||
|
- "-o smtpd_client_restrictions=permit_sasl_authenticated,reject"
|
||||||
|
tlsproxy:
|
||||||
|
enable: true
|
||||||
|
chroot: true
|
||||||
|
|
||||||
|
# Backwards compatible definition of dovecot delivery in master.cf
|
||||||
|
enable_dovecot: false
|
||||||
|
# Backwards compatible definition of submission listener in master.cf
|
||||||
|
enable_submission: false
|
||||||
|
|
||||||
|
enable_service: true
|
||||||
|
reload_service: true
|
||||||
|
|
||||||
|
config:
|
||||||
|
smtpd_banner: $myhostname ESMTP $mail_name
|
||||||
|
smtp_tls_CApath: /etc/ssl/certs
|
||||||
|
biff: 'no'
|
||||||
|
append_dot_mydomain: 'no'
|
||||||
|
readme_directory: 'no'
|
||||||
|
myhostname: localhost
|
||||||
|
mydestination: localhost, localhost.localdomain
|
||||||
|
relayhost: ''
|
||||||
|
mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
|
||||||
|
mailbox_size_limit: 0
|
||||||
|
recipient_delimiter: +
|
||||||
|
# using all has problems in centos with ipv6
|
||||||
|
inet_interfaces: 127.0.0.1
|
||||||
|
inet_protocols: all
|
||||||
|
|
||||||
|
# Alias
|
||||||
|
alias_maps: hash:/etc/aliases
|
||||||
|
# This is the list of files for the newaliases
|
||||||
|
# cmd to process (see postconf(5) for details).
|
||||||
|
# Only local hash/btree/dbm files:
|
||||||
|
alias_database: hash:/etc/aliases
|
||||||
|
|
||||||
|
local_transport: virtual
|
||||||
|
local_recipient_maps: $virtual_mailbox_maps
|
||||||
|
transport_maps: hash:/etc/postfix/transport
|
||||||
|
|
||||||
|
# SMTP server
|
||||||
|
smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
|
||||||
|
smtpd_use_tls: 'yes'
|
||||||
|
smtpd_sasl_auth_enable: 'yes'
|
||||||
|
smtpd_sasl_type: dovecot
|
||||||
|
smtpd_sasl_path: /var/run/dovecot/auth-client
|
||||||
|
smtpd_recipient_restrictions: >-
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
reject_unauth_destination
|
||||||
|
smtpd_relay_restrictions: >-
|
||||||
|
permit_mynetworks,
|
||||||
|
permit_sasl_authenticated,
|
||||||
|
reject_unauth_destination
|
||||||
|
smtpd_sasl_security_options: noanonymous
|
||||||
|
smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
|
||||||
|
smtpd_tls_auth_only: 'yes'
|
||||||
|
smtpd_sasl_local_domain: $mydomain
|
||||||
|
smtpd_tls_loglevel: 1
|
||||||
|
smtpd_tls_session_cache_timeout: 3600s
|
||||||
|
|
||||||
|
relay_domains: '$mydestination'
|
||||||
|
|
||||||
|
# SMTP server certificate and key (from pillar data)
|
||||||
|
smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
|
||||||
|
smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
|
||||||
|
|
||||||
|
# SMTP client
|
||||||
|
smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
|
||||||
|
smtp_use_tls: 'yes'
|
||||||
|
smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
|
||||||
|
smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
|
||||||
|
smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
|
||||||
|
|
||||||
|
smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
|
||||||
|
sender_canonical_maps: hash:/etc/postfix/sender_canonical
|
||||||
|
relay_recipient_maps: hash:/etc/postfix/relay_domains
|
||||||
|
virtual_alias_maps: hash:/etc/postfix/virtual
|
||||||
|
|
||||||
|
aliases:
|
||||||
|
# manage single aliases
|
||||||
|
# this uses the aliases file defined in the minion config, /etc/aliases by default
|
||||||
|
use_file: false
|
||||||
|
present:
|
||||||
|
root: info@example.com
|
||||||
|
absent:
|
||||||
|
- root
|
||||||
|
|
||||||
|
certificates:
|
||||||
|
server-cert:
|
||||||
|
public_cert: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
(Your primary SSL certificate: smtp.example.com.crt)
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
(Your intermediate certificate: example-ca.crt)
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
(Your root certificate: trusted-root.crt)
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
private_key: |
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
(Your Private key)
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
|
example.com-relay-client-cert:
|
||||||
|
public_cert: |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
(Your primary SSL certificate: smtp.example.com.crt)
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
private_key: |
|
||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
(Your Private key)
|
||||||
|
-----END RSA PRIVATE KEY-----
|
||||||
|
|
||||||
|
mapping:
|
||||||
|
transport_maps:
|
||||||
|
- example.com: '10.1.1.1'
|
||||||
|
|
||||||
|
smtp_tls_policy_maps:
|
||||||
|
- example.com: encrypt
|
||||||
|
- .example.com: encrypt
|
||||||
|
|
||||||
|
smtp_sasl_password_maps:
|
||||||
|
- smtp.example.com: myaccount:somepassword
|
||||||
|
|
||||||
|
sender_canonical_maps:
|
||||||
|
- root: servers@example.com
|
||||||
|
- nagios: alerts@example.com
|
||||||
|
|
||||||
|
relay_recipient_maps:
|
||||||
|
- example.com: OK
|
||||||
|
|
||||||
|
virtual_alias_maps:
|
||||||
|
- groupaliasexample:
|
||||||
|
- someuser_1@example.com
|
||||||
|
- someuser_2@example.com
|
||||||
|
- singlealiasexample: someuser_3@example.com
|
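Review bot: The example enables TLS through `smtpd_use_tls: 'yes'` and `smtp_use_tls: 'yes'`, which are the legacy pre-2.3 switches that Postfix ignores once `smtpd_tls_security_level`/`smtp_tls_security_level` are set, and the new spec asserts both of those `*_tls_security_level` keys as `may` while this pillar never sets them — so either the formula's defaults supply them outside this diff or the assertions fail. I would set the policy explicitly so the example and the test agree: replace the two `_use_tls` lines with `smtpd_tls_security_level: may` and `smtp_tls_security_level: may` (or `encrypt` for the client side if the relay is known to support it). Since this file is what people copy, a one-line caveat above `smtp_sasl_password_maps` and `certificates` would also help, e.g. `# Real credentials and private keys belong in an encrypted pillar (e.g. the gpg renderer), not in plain pillar files`.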