-
-
Notifications
You must be signed in to change notification settings - Fork 2k
feat: Postfix permit DSN (Delivery Status Notification) only on authenticated ports (465 + 587) #3572
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
feat: Postfix permit DSN (Delivery Status Notification) only on authenticated ports (465 + 587) #3572
Changes from all commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
d5bd0e9
add POSTFIX_DSN
e55571e
add tests for POSTFIX_DSN
07bd667
Revert "add POSTFIX_DSN"
c3fff7f
discard DSN requests on unauthenticated ports
5cda279
make tests work with overrides instead of ENV
f791503
Apply suggestions from code review
polarathene f73a0b7
Merge branch 'master' into master
polarathene 4eb59cf
fix test inconsistencies
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| smtpd_discard_ehlo_keywords = |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| submission/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn | ||
| submissions/inet/smtpd_discard_ehlo_keywords=silent-discard,dsn |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| EHLO mail | ||
| AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu | ||
| bXlwYXNzd29yZA== | ||
| MAIL FROM: [email protected] | ||
| RCPT TO: [email protected] NOTIFY=success,failure | ||
| DATA | ||
| From: Existing Local User <[email protected]> | ||
| To: Existing Local User <[email protected]> | ||
| Date: Sat, 22 May 2010 07:43:25 -0400 | ||
| Subject: Test Message | ||
| This is a test mail. | ||
|
|
||
| . | ||
| QUIT | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| HELO mail.external.tld | ||
| MAIL FROM: [email protected] | ||
| RCPT TO: [email protected] NOTIFY=success,failure | ||
| DATA | ||
| From: Docker Mail Server <[email protected]> | ||
| To: Existing Local User <[email protected]> | ||
| Date: Sat, 22 May 2010 07:43:25 -0400 | ||
| Subject: Test Message | ||
| This is a test mail. | ||
|
|
||
| . | ||
| QUIT |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| load "${REPOSITORY_ROOT}/test/helper/setup" | ||
| load "${REPOSITORY_ROOT}/test/helper/common" | ||
|
|
||
| BATS_TEST_NAME_PREFIX='[DSN] ' | ||
| CONTAINER1_NAME='dms-test_dsn_send_always' | ||
| CONTAINER2_NAME='dms-test_dsn_send_auth' | ||
| CONTAINER3_NAME='dms-test_dsn_send_none' | ||
| # A similar line is added to the log when a DSN (Delivery Status Notification) is sent: | ||
| # | ||
| # postfix/bounce[1023]: C943BA6B46: sender delivery status notification: DBF86A6B4CO | ||
| # | ||
| LOG_DSN='delivery status notification' | ||
|
|
||
| function setup_file() { | ||
| local CUSTOM_SETUP_ARGUMENTS=( | ||
| # Required only for delivery via nc (_send_email) | ||
| --env PERMIT_DOCKER=container | ||
| ) | ||
|
|
||
| export CONTAINER_NAME=${CONTAINER1_NAME} | ||
| _init_with_defaults | ||
| # Unset `smtpd_discard_ehlo_keywords` to allow DSNs by default on any `smtpd` service: | ||
| cp "${TEST_TMP_CONFIG}/dsn/postfix-main.cf" "${TEST_TMP_CONFIG}/postfix-main.cf" | ||
| _common_container_setup 'CUSTOM_SETUP_ARGUMENTS' | ||
| _wait_for_service postfix | ||
| _wait_for_smtp_port_in_container | ||
|
georglauterbach marked this conversation as resolved.
|
||
|
|
||
| export CONTAINER_NAME=${CONTAINER2_NAME} | ||
| _init_with_defaults | ||
| _common_container_setup 'CUSTOM_SETUP_ARGUMENTS' | ||
| _wait_for_service postfix | ||
| _wait_for_smtp_port_in_container | ||
|
|
||
| export CONTAINER_NAME=${CONTAINER3_NAME} | ||
| _init_with_defaults | ||
| # Mirror default main.cf (disable DSN on ports 465 + 587 too): | ||
| cp "${TEST_TMP_CONFIG}/dsn/postfix-master.cf" "${TEST_TMP_CONFIG}/postfix-master.cf" | ||
| _common_container_setup 'CUSTOM_SETUP_ARGUMENTS' | ||
| _wait_for_service postfix | ||
| _wait_for_smtp_port_in_container | ||
| } | ||
|
|
||
| function teardown_file() { | ||
| docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}" "${CONTAINER3_NAME}" | ||
| } | ||
|
|
||
| @test "should always send a DSN when requested" { | ||
| export CONTAINER_NAME=${CONTAINER1_NAME} | ||
|
|
||
|
allddd marked this conversation as resolved.
|
||
| _send_email 'email-templates/dsn-unauthenticated' | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 465' | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 587' | ||
| _wait_for_empty_mail_queue_in_container | ||
|
allddd marked this conversation as resolved.
|
||
|
|
||
| _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log | ||
| _should_output_number_of_lines 3 | ||
| } | ||
|
|
||
| # Defaults test case | ||
| @test "should only send a DSN when requested from ports 465/587" { | ||
|
polarathene marked this conversation as resolved.
|
||
| export CONTAINER_NAME=${CONTAINER2_NAME} | ||
|
|
||
| _send_email 'email-templates/dsn-unauthenticated' | ||
| _wait_for_empty_mail_queue_in_container | ||
|
|
||
| # DSN requests can now only be made on ports 465 and 587, | ||
| # so grep should not find anything. | ||
| # | ||
| # Although external requests are discarded, anyone who has requested a DSN | ||
| # will still receive it, but it will come from the sending mail server, not this one. | ||
| _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log | ||
| assert_failure | ||
|
|
||
| # These ports are excluded via master.cf. | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 465' | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 587' | ||
| _wait_for_empty_mail_queue_in_container | ||
|
|
||
| _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log | ||
| _should_output_number_of_lines 2 | ||
| } | ||
|
|
||
| @test "should never send a DSN" { | ||
| export CONTAINER_NAME=${CONTAINER3_NAME} | ||
|
|
||
| _send_email 'email-templates/dsn-unauthenticated' | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 465' | ||
| _send_email 'email-templates/dsn-authenticated' '0.0.0.0 587' | ||
| _wait_for_empty_mail_queue_in_container | ||
|
|
||
| # DSN requests are rejected regardless of origin. | ||
| # This is usually a bad idea, as you won't get them either. | ||
| _run_in_container grep "${LOG_DSN}" /var/log/mail/mail.log | ||
| assert_failure | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Am I right to understand the difference from regular authenticated / unauthenticated templates is effectively only the
NOTIFY=success,failureaddition?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes,
NOTIFY=...should be the only difference here.