test: Add SPF integration test

This patch adds a new integration test to cover SPF checks. The main
goal is not to cover the SPF parsing, since that's handled by the
library already, but the higher level aspects: that the mails are indeed
rejected, that the DSN looks reasonable, etc.

.gitignore

@@ -19,6 +19,7 @@ cmd/smtp-check/smtp-check
 cmd/spf-check/spf-check
 cmd/mda-lmtp/mda-lmtp
 cmd/dovecot-auth-cli/dovecot-auth-cli
+test/util/minidns
 
 # Test binary, generated during coverage tests.
 chasquid.test

test/t-14-tls_tracking/run.sh

@@ -11,7 +11,7 @@ init
 export GOTAGS="dnsoverride"
 
 # Launch minidns in the background using our configuration.
-minidns --addr=":9053" -zones=zones >> .minidns.log 2>&1 &
+minidns_bg --addr=":9053" -zones=zones >> .minidns.log 2>&1
 
 
 # Two chasquid servers:

test/t-16-spf/A/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-A"
+mail_log_path: "../.logs-A/mail_log"

test/t-16-spf/B/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":2025"
+submission_address: ":2587"
+submission_over_tls_address: ":2465"
+monitoring_address: ":2099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data-B"
+mail_log_path: "../.logs-B/mail_log"

test/t-16-spf/config/chasquid.conf

@@ -0,0 +1,10 @@
+smtp_address: ":1025"
+submission_address: ":1587"
+submission_over_tls_address: ":1465"
+monitoring_address: ":1099"
+
+mail_delivery_agent_bin: "test-mda"
+mail_delivery_agent_args: "%to%"
+
+data_dir: "../.data"
+mail_log_path: "../.logs/mail_log"

test/t-16-spf/content

@@ -0,0 +1,4 @@
+Subject: Prueba desde el test
+
+Crece desde el test el futuro
+Crece desde el test

test/t-16-spf/expected_dsn

@@ -0,0 +1,65 @@
+From usera@srv-a
+From: Mail Delivery System <postmaster-dsn@srv-a>
+To: <userA@srv-a>
+Subject: Mail delivery failed: returning message to sender
+Message-ID: <chasquid-dsn-*
+Date: *
+In-Reply-To: 
+References: 
+X-Failed-Recipients: userB@srv-b, 
+Auto-Submitted: auto-replied
+MIME-Version: 1.0
+Content-Type: multipart/report; report-type=delivery-status;
+    boundary="???????????"
+
+
+--???????????
+Content-Type: text/plain; charset="utf-8"
+Content-Disposition: inline
+Content-Description: Notification
+Content-Transfer-Encoding: 8bit
+
+Delivery of your message to the following recipient(s) failed permanently:
+
+  - userB@srv-b
+
+
+Technical details:
+- "userB@srv-b" (EMAIL) failed permanently with error:
+    MAIL+RCPT 550 5.7.23 SPF check failed: matched 'all'
+
+
+--???????????
+Content-Type: message/global-delivery-status
+Content-Description: Delivery Report
+Content-Transfer-Encoding: 8bit
+
+Reporting-MTA: dns; srv-a
+
+Original-Recipient: utf-8; userB@srv-b
+Final-Recipient: utf-8; userB@srv-b
+Action: failed
+Status: 5.0.0
+Diagnostic-Code: smtp; MAIL+RCPT 550 5.7.23 SPF check failed: matched 'all'
+
+
+
+--???????????
+Content-Type: message/rfc822
+Content-Description: Undelivered Message
+Content-Transfer-Encoding: 8bit
+
+Received: from localhost
+	by srv-A (chasquid) with ESMTPSA
+	tls *
+	(over *
+	; *
+From: userA@srv-A
+Date: *
+Subject: Prueba desde el test
+
+Crece desde el test el futuro
+Crece desde el test
+
+
+--???????????--

test/t-16-spf/hosts

@@ -0,0 +1,2 @@
+srv-A localhost
+srv-B localhost

test/t-16-spf/msmtprc

@@ -0,0 +1,14 @@
+account default
+
+host srv-A
+port 1587
+
+tls on
+tls_trust_file A/certs/srv-A/fullchain.pem
+
+from userA@srv-A
+
+auth on
+user userA@srv-A
+password userA
+

test/t-16-spf/run.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Test SPF resolution, which requires overriding DNS server.
+# Note this aims at providing some general end to end coverage, as well as the
+# main gaps.
+
+set -e
+. $(dirname ${0})/../util/lib.sh
+
+init
+
+# Build with the DNS override, so we can fake DNS records.
+export GOTAGS="dnsoverride"
+
+# Two chasquid servers:
+# A - listens on :1025, hosts srv-A
+# B - listens on :2025, hosts srv-B
+
+CONFDIR=A generate_certs_for srv-A
+CONFDIR=A add_user userA@srv-A userA
+
+CONFDIR=B generate_certs_for srv-B
+CONFDIR=B add_user userB@srv-B userB
+
+rm -rf .data-A .data-B .mail .certs
+mkdir -p .logs-A .logs-B .mail .certs
+
+# Put public certs in .certs, and use it as our trusted cert dir.
+cp A/certs/srv-A/fullchain.pem .certs/srv-a.pem
+cp B/certs/srv-B/fullchain.pem .certs/srv-b.pem
+export SSL_CERT_DIR=$PWD/.certs/
+
+chasquid -v=2 --logfile=.logs-A/chasquid.log --config_dir=A \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__max_received_headers=5 \
+	--testing__outgoing_smtp_port=2025 &
+chasquid -v=2 --logfile=.logs-B/chasquid.log --config_dir=B \
+	--testing__dns_addr=127.0.0.1:9053 \
+	--testing__outgoing_smtp_port=1025 &
+
+wait_until_ready 1025
+wait_until_ready 2025
+
+function launch_minidns() {
+	if [ "$MINIDNS" != "" ]; then
+		kill $MINIDNS
+		wait $MINIDNS || true
+	fi
+	cp $1 .zones
+	minidns_bg --addr=":9053" -zones=.zones >> .minidns.log 2>&1
+	wait_until_ready 9053
+}
+
+# T0: Successful.
+launch_minidns zones.t0
+run_msmtp userB@srv-B < content
+wait_for_file .mail/userb@srv-b
+mail_diff content .mail/userb@srv-b
+
+# T1: A is not permitted to send to B.
+# Check that userA got a DSN about it.
+rm .mail/*
+launch_minidns zones.t1
+run_msmtp userB@srv-B < content
+wait_for_file .mail/usera@srv-a
+mail_diff expected_dsn .mail/usera@srv-a
+
+success

test/t-16-spf/zones.t0

@@ -0,0 +1,11 @@
+# srv-a zone
+srv-a A    127.0.0.1
+srv-a AAAA ::1
+srv-a MX   srv-a
+srv-a TXT  v=spf1 a
+
+# srv-b zone
+srv-b A    127.0.0.1
+srv-b AAAA ::1
+srv-b MX   srv-b
+srv-b TXT  v=spf1 a

test/t-16-spf/zones.t1

@@ -0,0 +1,13 @@
+# srv-a is forbidden from sending mail.
+
+# srv-a zone
+srv-a A    127.0.0.1
+srv-a AAAA ::1
+srv-a MX   srv-a
+srv-a TXT  v=spf1 -all
+
+# srv-b zone
+srv-b A    127.0.0.1
+srv-b AAAA ::1
+srv-b MX   srv-b
+srv-b TXT  v=spf1 a

test/util/lib.sh

@@ -112,8 +112,10 @@ function conngen() {
 	go run ${UTILDIR}/conngen.go "$@"
 }
 
-function minidns() {
+function minidns_bg() {
-	go run ${UTILDIR}/minidns.go "$@"
+	( cd ${UTILDIR}; go build minidns.go )
+	${UTILDIR}/minidns "$@" &
+	MINIDNS=$!
 }
 
 function success() {