nixos/tests/postfix: add sasl authentication tests

this was tricky to get set up correctly. hopefully having it documented in the tests will be helpful to future users (and help ensure it keeps working for me).
2025-11-09 16:18:34 +01:00 · 2025-09-06 11:22:42 -04:00 · 2025-09-06 11:22:42 -04:00 · 2b50f4e4d5
parent a771b27d21
commit 2b50f4e4d5
1 changed files with 61 additions and 0 deletions
--- a/nixos/tests/postfix.nix
+++ b/nixos/tests/postfix.nix
@ -19,6 +19,19 @@ import ./make-test-python.nix {
            certs.${domain}.key
            certs.${domain}.cert
          ];
+          smtpd_sasl_auth_enable = "yes";
+          cyrus_sasl_config_path =
+            let
+              smtpdConf = pkgs.writeTextFile {
+                name = "smtpd.conf";
+                destination = "/etc/sasl2/smtpd.conf";
+                text = ''
+                  pwcheck_method: saslauthd
+                  mech_list: PLAIN LOGIN
+                '';
+              };
+            in
+            "${smtpdConf}/etc/sasl2";
        };
        submissionsOptions = {
          smtpd_sasl_auth_enable = "yes";
@ -26,10 +39,17 @@ import ./make-test-python.nix {
          milter_macro_daemon_name = "ORIGINATING";
        };
      };
+      services.saslauthd.enable = true;

      security.pki.certificateFiles = [
        certs.ca.cert
      ];
+      security.pam.services = {
+        # note: no 'd' on the end!
+        smtp = {
+          name = "smtp";
+        };
+      };

      networking.extraHosts = ''
        127.0.0.1 ${domain}
@ -72,11 +92,49 @@ import ./make-test-python.nix {
                              'Subject: Test SMTPS\n\nTest data.')
                smtp.quit()
          '';
+
+          auth = pkgs.writers.writePython3Bin "auth" { } ''
+            import smtplib
+
+            with smtplib.SMTP('${domain}') as smtp:
+                smtp.ehlo()
+                smtp.login("alice", "foobar")
+                smtp.quit()
+          '';
+
+          authStarttls = pkgs.writers.writePython3Bin "authStarttls" { } ''
+            import smtplib
+            import ssl
+
+            ctx = ssl.create_default_context()
+
+            with smtplib.SMTP('${domain}') as smtp:
+                smtp.ehlo()
+                smtp.starttls(context=ctx)
+                smtp.ehlo()
+                smtp.login("alice", "foobar")
+                smtp.quit()
+          '';
+
+          authSmtps = pkgs.writers.writePython3Bin "authSmtps" { } ''
+            import smtplib
+            import ssl
+
+            ctx = ssl.create_default_context()
+
+            with smtplib.SMTP_SSL('${domain}', context=ctx) as smtp:
+                smtp.ehlo()
+                smtp.login("alice", "foobar")
+                smtp.quit()
+          '';
        in
        [
          sendTestMail
          sendTestMailStarttls
          sendTestMailSmtps
+          auth
+          authStarttls
+          authSmtps
        ];
    };

@ -85,5 +143,8 @@ import ./make-test-python.nix {
    machine.succeed("send-testmail")
    machine.succeed("send-testmail-starttls")
    machine.succeed("send-testmail-smtps")
+    machine.succeed("auth")
+    machine.succeed("authStarttls")
+    machine.succeed("authSmtps")
  '';
 }