test(default): add inspec for base and maps

Signed-off-by: Felipe Zipitria <[email protected]>

test/integration/default/controls/postfix_maps_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+control 'Postfix maps' do
+  title 'maps have been generated properly'
+
+  describe command('postmap -q example.com /etc/postfix/transport') do
+    its('stdout') { should eq "10.1.1.1\n" }
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command('postmap -q example.com /etc/postfix/tls_policy') do
+    its('stdout') { should eq "encrypt\n" }
+    its('exit_status') { should eq 0 }
+  end
+
+  describe command('postmap -q .example.com /etc/postfix/tls_policy') do
+    its('stdout') { should eq "encrypt\n" }
+    its('exit_status') { should eq 0 }
+  end
+end

test/integration/default/controls/postfix_mysql.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+control 'Postfix mysql' do
+  title 'should be installed'
+
+  describe port(25) do
+    it { should be_listening }
+  end
+end

test/integration/default/controls/postfix_spec.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+control 'Postfix config' do
+  title 'config is generated correctly'
+
+  describe postfix_conf do
+    its('biff') { should cmp 'no' }
+    its('compatibility_level') { should cmp '2' }
+    its('append_dot_mydomain') { should cmp 'no' }
+    its('readme_directory') { should cmp 'no' }
+    its('smtpd_sasl_auth_enable') { should cmp 'yes' }
+    its('smtpd_sasl_path') { should cmp '/var/run/dovecot/auth-client' }
+    its('smtpd_sasl_type') { should cmp 'dovecot' }
+    its('smtpd_sasl_security_options') { should cmp 'noanonymous' }
+    its('smtpd_sasl_tls_security_options') { should cmp '$smtpd_sasl_security_options' }
+    its('smtpd_tls_auth_only') { should cmp 'yes' }
+    its('smtpd_use_tls') { should cmp 'yes' }
+    its('smtpd_tls_loglevel') { should cmp '1' }
+    its('smtpd_tls_security_level') { should cmp 'may' }
+    its('smtp_tls_CApath') { should cmp '/etc/ssl/certs' }
+    its('smtpd_tls_cert_file') { should cmp '/etc/postfix/ssl/server-cert.crt' }
+    its('smtpd_tls_key_file') { should cmp '/etc/postfix/ssl/server-cert.key' }
+    its('smtpd_tls_session_cache_database') do
+      should cmp 'btree:${data_directory}/smtpd_scache'
+    end
+    its('smtpd_tls_mandatory_ciphers') { should cmp 'high' }
+    its('tls_preempt_cipherlist') { should cmp 'yes' }
+    its('smtp_tls_loglevel') { should cmp '1' }
+    its('smtp_tls_security_level') { should cmp 'may' }
+    its('smtp_tls_session_cache_database') do
+      should cmp 'btree:${data_directory}/smtp_scache'
+    end
+    its('myhostname') { should cmp 'localhost' }
+    its('alias_maps') { should cmp 'hash:/etc/aliases' }
+    its('alias_database') { should cmp 'hash:/etc/aliases' }
+    its('mydestination') { should cmp 'localhost, localhost.localdomain' }
+    its('relayhost') { should cmp '' }
+    its('mynetworks') { should cmp '127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128' }
+    its('mailbox_size_limit') { should cmp '0' }
+    its('recipient_delimiter') { should cmp '+' }
+    its('inet_interfaces') { should cmp 'all' }
+    its('inet_protocols') { should cmp 'all' }
+    its('message_size_limit') { should cmp '41943040' }
+    its('smtpd_recipient_restrictions') do
+      should cmp 'permit_mynetworks,'\
+                 ' permit_sasl_authenticated,'\
+                 ' reject_unauth_destination'
+    end
+    its('transport_maps') { should cmp 'hash:/etc/postfix/transport' }
+    its('smtp_tls_policy_maps') { should cmp 'hash:/etc/postfix/tls_policy' }
+    its('smtp_sasl_password_maps') { should cmp 'hash:/etc/postfix/sasl_passwd' }
+    its('sender_canonical_maps') { should cmp 'hash:/etc/postfix/sender_canonical' }
+    its('relay_recipient_maps') { should cmp 'hash:/etc/postfix/relay_domains' }
+    its('virtual_alias_maps') { should cmp 'hash:/etc/postfix/virtual' }
+    its('local_transport') { should cmp 'virtual' }
+    its('local_recipient_maps') { should cmp '$virtual_mailbox_maps' }
+    its('smtpd_relay_restrictions') do
+      should cmp 'permit_mynetworks, '\
+                 'permit_sasl_authenticated, '\
+                 'reject_unauth_destination'
+    end
+    its('smtpd_sasl_local_domain') { should cmp '$mydomain' }
+    its('smtpd_tls_session_cache_timeout') { should cmp '3600s' }
+    its('relay_domains') { should cmp '$mydestination' }
+    its('smtp_use_tls') { should cmp 'yes' }
+    its('smtp_tls_cert_file') do
+      should cmp '/etc/postfix/ssl/example.com-relay-client-cert.crt'
+    end
+    its('smtp_tls_key_file') do
+      should cmp '/etc/postfix/ssl/example.com-relay-client-cert.key'
+    end
+  end
+end

test/salt/pillar/default.sls

@@ -0,0 +1,159 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+postfix:
+  manage_master_config: true
+  master_config:
+    # Preferred way of managing services/processes. This allows for finegrained
+    # control over each service. See postfix/services.yaml for defaults that can
+    # be overridden.
+    services:
+      smtp:
+        # Limit to no more than 10 smtp processes
+        maxproc: 10
+      # Enable oldstyle TLS wrapped SMTP
+      smtps:
+        enable: true
+      # Enable submission service on port 587/tcp with custom options
+      submission:
+        enable: true
+        args:
+          - "-o smtpd_tls_security_level=encrypt"
+          - "-o smtpd_sasl_auth_enable=yes"
+          - "-o smtpd_client_restrictions: permit_sasl_authenticated,reject"
+      tlsproxy:
+        enable: true
+        chroot: true
+
+    # Backwards compatible definition of dovecot delivery in master.cf
+    enable_dovecot: false
+    # Backwards compatible definition of submission listener in master.cf
+    enable_submission: false
+
+  enable_service: true
+  reload_service: true
+
+  config:
+    smtpd_banner: $myhostname ESMTP $mail_name
+    smtp_tls_CApath: /etc/ssl/certs
+    biff: 'no'
+    append_dot_mydomain: 'no'
+    readme_directory: 'no'
+    myhostname: localhost
+    mydestination: localhost, localhost.localdomain
+    relayhost: ''
+    mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+    mailbox_size_limit: 0
+    recipient_delimiter: +
+    inet_interfaces: all
+    inet_protocols: all
+
+    # Alias
+    alias_maps: hash:/etc/aliases
+    # This is the list of files for the newaliases
+    # cmd to process (see postconf(5) for details).
+    # Only local hash/btree/dbm files:
+    alias_database: hash:/etc/aliases
+
+    local_transport: virtual
+    local_recipient_maps: $virtual_mailbox_maps
+    transport_maps: hash:/etc/postfix/transport
+
+    # SMTP server
+    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+    smtpd_use_tls: 'yes'
+    smtpd_sasl_auth_enable: 'yes'
+    smtpd_sasl_type: dovecot
+    smtpd_sasl_path: /var/run/dovecot/auth-client
+    smtpd_recipient_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_relay_restrictions: >-
+      permit_mynetworks,
+      permit_sasl_authenticated,
+      reject_unauth_destination
+    smtpd_sasl_security_options: noanonymous
+    smtpd_sasl_tls_security_options: $smtpd_sasl_security_options
+    smtpd_tls_auth_only: 'yes'
+    smtpd_sasl_local_domain: $mydomain
+    smtpd_tls_loglevel: 1
+    smtpd_tls_session_cache_timeout: 3600s
+
+    relay_domains: '$mydestination'
+
+    # SMTP server certificate and key (from pillar data)
+    smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
+    smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
+
+    # SMTP client
+    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+    smtp_use_tls: 'yes'
+    smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
+    smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
+    smtp_tls_policy_maps: hash:/etc/postfix/tls_policy
+
+    smtp_sasl_password_maps: hash:/etc/postfix/sasl_passwd
+    sender_canonical_maps: hash:/etc/postfix/sender_canonical
+    relay_recipient_maps: hash:/etc/postfix/relay_domains
+    virtual_alias_maps: hash:/etc/postfix/virtual
+
+  aliases:
+    # manage single aliases
+    # this uses the aliases file defined in the minion config, /etc/aliases by default
+    use_file: false
+    present:
+      root: [email protected]
+    absent:
+      - root
+
+  certificates:
+    server-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your intermediate certificate: example-ca.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your root certificate: trusted-root.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
+
+    example.com-relay-client-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
+
+  mapping:
+    transport_maps:
+      - example.com: '10.1.1.1'
+
+    smtp_tls_policy_maps:
+      - example.com: encrypt
+      - .example.com: encrypt
+
+    smtp_sasl_password_maps:
+      - smtp.example.com: myaccount:somepassword
+
+    sender_canonical_maps:
+      - root: [email protected]
+      - nagios: [email protected]
+
+    relay_recipient_maps:
+      - example.com: OK
+
+    virtual_alias_maps:
+      - groupaliasexample:
+          - [email protected]
+          - [email protected]
+      - singlealiasexample: [email protected]