git » chasquid » smarthost » tree

[smarthost] / test / t-19-dkimpy / run.sh 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
#!/bin/bash
#
# Test integration with dkimpy.

set -e
. $(dirname ${0})/../util/lib.sh

init
check_hostaliases

# Check if dkimpy tools are installed in /usr/bin, and driusan/dkim is
# installed somewhere else in $PATH.
#
# Unfortunately we need both because dkimpy's dkimverify lacks the features
# needed to use it in integration testing.
#
# We need to run them and check the help because there are other binaries with
# the same name.
# This is really hacky but the most practical way to handle it, since they
# both have the same binary names.
if ! /usr/bin/dkimsign --help 2>&1 | grep -q -- --identity; then
	skip "/usr/bin/dkimsign is not dkimpy's"
fi
if ! dkimverify --help 2>&1 < /dev/null | grep -q -- "-txt string"; then
	skip "dkimverify is not driusan/dkim's"
fi

generate_certs_for testserver
( mkdir -p .dkimcerts; cd .dkimcerts; dknewkey private > log 2>&1 )

# Some dkimpy versions have a bug where it can't parse the keys generated by
# its own key generator. Detect if that's the case, and if so, skip the test.
# See https://bugs.launchpad.net/dkimpy/+bug/1978835.
if ! /usr/bin/dkimsign \
	testselector1 testserver .dkimcerts/private.key \
	< content 2>&1 | grep -q "DKIM-Signature:"
then
	skip "buggy dkimpy version"
fi

add_user user@testserver secretpassword
add_user someone@testserver secretpassword

mkdir -p .logs
chasquid -v=2 --logfile=.logs/chasquid.log --config_dir=config &
wait_until_ready 1025

# Authenticated: user@testserver -> someone@testserver
# Should be signed.
run_msmtp someone@testserver < content
wait_for_file .mail/someone@testserver
mail_diff content .mail/someone@testserver
if ! grep -q "DKIM-Signature:" .mail/someone@testserver; then
	fail "mail not signed, DKIM-Signature header missing"
fi

# Verify the signature manually, just in case.
# NOTE: This is using driusan/dkim instead of dkimpy, because dkimpy can't be
# overriden to get the DNS information from anywhere else (text file or custom
# DNS server).
dkimverify -txt .dkimcerts/private.dns < .mail/someone@testserver

# Save the signed mail so we can verify it later.
# Drop the first line ("From blah") so it can be used as email contents.
tail -n +2 .mail/someone@testserver > .signed_content

# Not authenticated: someone@testserver -> someone@testserver
smtpc.py --server=localhost:1025 < .signed_content

# Check that the signature fails on modified content.
echo "Added content, invalid and not signed" >> .signed_content
if smtpc.py --server=localhost:1025 < .signed_content 2> /dev/null; then
	fail "DKIM verification succeeded on modified content"
fi

success