test: Add TLS tracking integration test

This patch adds a new test, which verifies the TLS tracking.

Because we need to simulate SPF records, and Go does not support fully
intercepting DNS lookups yet, this test relies on dnsmasq to provide a
DNS resolver.

In the future, once Go supports DNS lookup interception, we can get rid
of this additional dependency.

dnsoverride.go

@@ -0,0 +1,36 @@
+// Support for overriding DNS lookups, for testing purposes.
+// This is only used in tests, when the "dnsoverride" tag is active.
+// It requires Go >= 1.8.
+//
+// +build dnsoverride
+
+package main
+
+import (
+	"context"
+	"flag"
+	"net"
+	"time"
+)
+
+var (
+	dnsAddr = flag.String("testing__dns_addr", "127.0.0.1:9053",
+		"DNS server address to use, for testing purposes only")
+)
+
+var dialer = &net.Dialer{
+	// We're going to talk to localhost, so have a short timeout so we fail
+	// fast. Otherwise the callers might hang indefinitely when trying to
+	// dial the DNS server.
+	Timeout: 2 * time.Second,
+}
+
+func dial(ctx context.Context, network, address string) (net.Conn, error) {
+	return dialer.DialContext(ctx, network, *dnsAddr)
+}
+
+func init() {
+	// Override the resolver to talk with our local server for testing.
+	net.DefaultResolver.PreferGo = true
+	net.DefaultResolver.Dial = dial
+}

test/Dockerfile

@@ -29,6 +29,10 @@ RUN apt-get install -y -q gettext-base dovecot-imapd
 RUN apt-get install -y -q exim4-daemon-light
 RUN cd test/t-02-exim && mkdir -p .exim4 && ln -s /usr/sbin/exim4 .exim4/
 
+# Packages for the (optional) TLS tracking test.
+RUN apt-get install -y -q dnsmasq
+
+
 RUN go get -d ./...
 RUN go install ./...
 

test/cover.sh

@@ -42,6 +42,8 @@ go run "${UTILDIR}/gocovcat.go" .coverage/*.out \
 go tool cover -func="$COVER_DIR/all.out" | sort -k 3 -n > "$COVER_DIR/func.txt"
 go tool cover -html="$COVER_DIR/all.out" -o "$COVER_DIR/chasquid.html"
 
+echo
+grep total .coverage/func.txt
 echo
 echo "Coverage report can be found in:"
 echo file://$COVER_DIR/chasquid.html

test/t-14-tls_tracking/A/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"

test/t-14-tls_tracking/B/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+submission_over_tls_address: ":2465"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"

test/t-14-tls_tracking/config/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data"
+mail_log_path: "../.logs/mail_log"

test/t-14-tls_tracking/content

@@ -0,0 +1,4 @@
+Subject: Prueba desde el test
+
+Crece desde el test el futuro
+Crece desde el test

test/t-14-tls_tracking/dnsmasq.conf

@@ -0,0 +1,24 @@
+# Configuration for dnsmasq, for testing purposes.
+
+interface=lo
+port=9053
+no-resolv
+no-poll
+no-hosts
+
+log-queries
+
+# Note we need both ipv4 and ipv6 A record because some test environments may
+# not support one or the other.
+
+# srv-a zone
+address=/srv-a/::1
+address=/srv-a/127.0.0.1
+mx-host=srv-a,srv-a,10
+txt-record=srv-a,"v=spf1 a"
+
+# srv-b zone
+address=/srv-b/::1
+address=/srv-b/127.0.0.1
+mx-host=srv-b,srv-b,10
+txt-record=srv-b,"v=spf1 a"

test/t-14-tls_tracking/hosts

@@ -0,0 +1,2 @@
+srv-A localhost
+srv-B localhost

test/t-14-tls_tracking/msmtprc

@@ -0,0 +1,14 @@
+account default
+
+host srv-A
+port 1587
+
+tls on
+tls_trust_file A/certs/srv-A/fullchain.pem
+
+from userA@srv-A
+
+auth on
+user userA@srv-A
+password userA
+

test/t-14-tls_tracking/run.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+
+# Test TLS tracking features, which require faking SPF.
+
+set -e
+. $(dirname ${0})/../util/lib.sh
+
+init
+
+if ! dnsmasq --version > /dev/null; then
+        skip "dnsmasq binary is not functional"
+        exit 0
+fi
+
+# To fake SPF we need to override the resolver, which is only supported in Go
+# >= 1.8, so this test depends on that version.
+# TODO: remove this once we only support go >= 1.8.
+MAJOR=$(go version | sed 's/.*go\([0-9]\)\..*/\1/')
+MINOR=$(go version | sed 's/.*go[0-9]\.\([0-9]\+\).*/\1/')
+DEVEL=$(go version | sed 's/.* devel .*/devel/g')
+if [ "$DEVEL" != "devel" ] && [ "$MAJOR" -eq 1 ] && [ "$MINOR" -le 7 ]; then
+	skip "go version ($MAJOR.$MINOR) too old to run this test"
+fi
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# Launch dnsmasq in the background using our configuration.
+# We run with -d as it takes care of a lot of options (log file, pid file,
+# etc.) for our use case.
+# It listens on localhost:9053 as  configuration.
+dnsmasq --conf-file=dnsmasq.conf -d >> .dnsmasq.log 2>&1 &
+
+
+# Two chasquid servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2025, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user userA@srv-A userA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user userB@srv-B userB
+
+rm -rf .data-A .data-B .mail .certs
+mkdir -p .logs-A .logs-B .mail .certs
+
+# Put public certs in .certs, and use it as our trusted cert dir.
+cp A/certs/srv-A/fullchain.pem .certs/srv-a.pem
+cp B/certs/srv-B/fullchain.pem .certs/srv-b.pem
+export SSL_CERT_DIR=$PWD/.certs/
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__max_received_headers=5 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+wait_until_ready 9053
+
+run_msmtp userB@srv-B < content
+
+wait_for_file .mail/userb@srv-b
+mail_diff content .mail/userb@srv-b
+
+# A should have a secure outgoing connection to srv-b.
+if ! grep -q "outgoing_sec_level: TLS_SECURE" ".data-A/domaininfo/s:srv-b";
+then
+	fail "A is missing the domaininfo for srv-b"
+fi
+
+# B should have a secure incoming connection from srv-a.
+if ! grep -q "incoming_sec_level: TLS_CLIENT" ".data-B/domaininfo/s:srv-a";
+then
+	fail "B is missing the domaininfo for srv-a"
+fi
+
+success
+

test/util/lib.sh

@@ -11,7 +11,7 @@ function init() {
 	cd ${TBASE}
 
 	if [ "${RACE}" == "1" ]; then
-		RACE="-race"
+		GOFLAGS="$GOFLAGS -race"
 	fi
 
 	# Remove the directory where test-mda will deliver mail, so previous
@@ -30,7 +30,7 @@ function chasquid() {
 		return
 	fi
 
-	( cd ${TBASE}/../../; go build ${RACE} . )
+	( cd ${TBASE}/../../; go build $GOFLAGS -tags="$GOTAGS" . )
 
 	# HOSTALIASES: so we "fake" hostnames.
 	# PATH: so chasquid can call test-mda without path issues.
@@ -45,7 +45,8 @@ function chasquid_cover() {
 	# Build the coverage-enabled binary.
 	# See coverage_test.go for more details.
 	( cd ${TBASE}/../../;
-	  go test -covermode=count -coverpkg=./... -c -tags coveragebin )
+	  go test -covermode=count -coverpkg=./... -c \
+		  -tags="coveragebin $GOTAGS" $GOFLAGS )
 
 	# Run the coverage-enabled binary, named "chasquid.test" for hacky
 	# reasons.  See the chasquid function above for details on the