tests: add rate limit tests

deploy-chatmail/src/deploy_chatmail/postfix/main.cf.j2

@@ -29,9 +29,6 @@ myhostname = {{ config.domain_name }}
 alias_maps = hash:/etc/aliases
 alias_database = hash:/etc/aliases
 
-# hard limit, also on internal messages
-smtpd_client_message_rate_limit = 80
-
 # Postfix does not deliver mail for any domain by itself.
 # Primary domain is listed in `virtual_mailbox_domains` instead
 # and handed over to Dovecot.

online-tests/test_0_login.py

@@ -1,6 +1,7 @@
-import pytest
 import smtplib
 
+import pytest
+
 
 def test_login_basic_functioning(imap_or_smtp, gencreds, lp):
     """Test a) that an initial login creates a user automatically
@@ -37,11 +38,128 @@ def test_login_same_password(imap_or_smtp, gencreds):
     imap_or_smtp.login(user2, password1)
 
 
-@pytest.mark.xfail(reason="Only rate limit is internal as well now")
+@pytest.mark.parametrize(
+    ("authenticated", "existing_from", "outside_to", "log_msg"),
+    [
+        (False, False, False, "Sending message with forged FROM of chatmail user to chatmail user"),
+        (False, True, False, "Sending message with forged FROM of outside user to chatmail user"),
+        (False, False, True, "Sending message with forged FROM of chatmail user to outside user"),
+        (False, True, True, "Sending message with forged FROM of outside user to outside user"),
+        (True, False, False, "Sending authenticated message with forged FROM of chatmail user to chatmail user"),
+        (True, True, False, "Sending authenticated message with forged FROM of outside user to chatmail user"),
+        (True, False, True, "Sending authenticated message with forged FROM of chatmail user to outside user"),
+        (True, True, True, "Sending authenticated message with forged FROM of outside user to outside user"),
+    ]
+)
+def test_send_with_forged_from(smtp, gencreds, lp, authenticated, existing_from, outside_to, log_msg):
+    """Test that users can't impersonate each other."""
+    if outside_to:
+        to_addr = "recipient@example.org"
+    else:
+        to_addr, password = gencreds()
+        smtp.connect()
+        smtp.login(to_addr, password)
+        smtp.conn.close()
+
+    if existing_from:
+        from_addr, password = gencreds()
+        smtp.connect()
+        smtp.login(from_addr, password)
+        smtp.conn.close()
+    else:
+        from_addr = f"9d8znohcoimafiilvsjfovaniufsmdj@{smtp.host}"
+
+    smtp.connect()
+    if authenticated:
+        attacker_addr, password = gencreds()
+        smtp.login(attacker_addr, password)
+
+    mail = "\r\n".join([
+        "Subject: ...",
+        f"From: <{from_addr}>",
+        f"To: <{to_addr}>",
+        "Date: Sun, 15 Oct 2023 16:43:21 +0000",
+        "Message-ID: <Mr.UVyJWZmkCKM.hGzNc6glBE_@c2.testrun.org>",
+        "In-Reply-To: <Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
+        "References: <Mr.3gckbNy5bch.uK3Hd2Ws6-w@c2.testrun.org>",
+        "\t<Mr.MvmCz-GQbi_.6FGRkhDf05c@c2.testrun.org>",
+        "Chat-Version: 1.0",
+        f"Autocrypt: addr={from_addr}; prefer-encrypt=mutual;",
+        "\tkeydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH",
+        "\trNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID",
+        "\tFgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW",
+        "\tXQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK",
+        "\tKwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ",
+        "\tJlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP",
+        "\tIXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO",
+        "MIME-Version: 1.0",
+        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
+        '\tboundary="YFrteb74qSXmggbOxZL9dRnhymywAi"',
+        "",
+        "",
+        "--YFrteb74qSXmggbOxZL9dRnhymywAi",
+        "Content-Description: PGP/MIME version identification",
+        "Content-Type: application/pgp-encrypted",
+        "",
+        "Version: 1",
+        "",
+        "",
+        "--YFrteb74qSXmggbOxZL9dRnhymywAi",
+        "Content-Description: OpenPGP encrypted message",
+        'Content-Disposition: inline; filename="encrypted.asc";',
+        'Content-Type: application/octet-stream; name="encrypted.asc"',
+        "",
+        "-----BEGIN PGP MESSAGE-----",
+        "",
+        "wU4DhW3gBZ/VvCYSAQdA8bMs2spwbKdGjVsL1ByPkNrqD7frpB73maeL6I6SzDYg",
+        "O5G53tv339RdKq3WRcCtEEvxjHlUx2XNwXzC04BpmfvBTgNfPUyLDzjXnxIBB0Ae",
+        "8ymwGvXMCCimHXN0Dg8Ui62KOi03h0UgheoHWovJSCDF4CKre/xtFr3nL7lq/PKI",
+        "JsjVNz7/RK9FSXF6WwfONtLCyQGEuVAsB/KXfCBEyfKhaMwGHvhujRidGW5uV1no",
+        "lMGl3ODmo29Lgeu2uSE7EpJRZoe6hU6ddmBkqxax61ZtkaFlGFFpdo2K8balNNdz",
+        "ZsJ/9mmI9x3oOJ4/l1nhQbUO9ADbs7gJhFdV5Qkp30b5fCI7bU+aoe1ccBbLe/WM",
+        "YUty1PqcuQT7XjA+XmYuL261tvW8pBetT+i33/E2d8PzzYt2IuK9qeevyS+yxdwA",
+        "kfwejFWzzsUlJaDxs1x4XOxkMgSj+jo+g12dFOb7fyClsAnq23iDb8AuaT/BScAI",
+        "+lO+gher69+6LmM7VGHLG5k762J1jTaQCaKt1s8TAWV99Eo4491vL6fyvk3l/Cfg",
+        "RXSwiWFgj19Pn0Rq7CD9v22UE2vdUMBTcV4aw79mClk1YQ23jbF0y5DCjPdJ62Zo",
+        "tskBgFt3NoWV80jZ76zIBLrrjLwCCll8JjJtFwSkt2GX5RFBsVa4A8IDht9RtEk7",
+        "rrHgbSZQfkauEi/mH3/6CDZoLqSHudUZ7d4MaJwun1TkFYGe2ORwGJd4OBj3oGJp",
+        "H8YBwCpk///L/fKjX0Gg3M8nrpM4wrRFhPKidAgO/kcm25X4+ZHlVkWBTCt5RWKI",
+        "fHh6oLDZCqCfcgMkE1KKmwfIHaUkhq5BPRigwy6i5dh1DM4+1UCLh3dxzVbqE9b9",
+        "61NB19nXdRtDA2sOUnj9ve6m/wEPyCb6/zBQZqvCBYb1/AjdXpUrFT+DbpfyxaXN",
+        "XfhDVb5mNqNM/IVj0V5fvTc6vOfYbzQtPm10H+FdWWfb+rJRfyC3MA2w2IqstFe3",
+        "w3bu2iE6CQvSqRvge+ZqLKt/NqYwOURiUmpuklbl3kPJ97+mfKWoiqk8Iz1VY+bb",
+        "NMUC7aoGv+jcoj+WS6PYO8N6BeRVUUB3ZJSf8nzjgxm1/BcM+UD3BPrlhT11ODRs",
+        "baifGbprMWwt3dhb8cQgRT8GPdpO1OsDkzL6iikMjLHWWiA99GV6ruiHsIPw6boW",
+        "A6/uSOskbDHOROotKmddGTBd0iiHXAoQsJFt1ZjUkt6EHrgWs+GAvrvKpXs1mrz8",
+        "uj3GwEFrHS+Xuf2UDgpszYT3hI2cL/kUtGakVR7m7vVMZqXBUbZdGAEb1PZNPwsI",
+        "E4aMK02+EVB+tSN4Fzj99N2YD0inVYt+oPjr2tHhUS6aSGBNS/48Ki47DOg4Sxkn",
+        "lkOWnEbCD+XTnbDd",
+        "=agR5",
+        "-----END PGP MESSAGE-----",
+        "",
+        "",
+        "--YFrteb74qSXmggbOxZL9dRnhymywAi--",
+        "",
+        "",
+    ]).encode()
+
+    if not authenticated:
+        smtperror = smtplib.SMTPRecipientsRefused
+    else:
+        smtperror = smtplib.SMTPException
+
+    lp.sec(log_msg)
+    with pytest.raises(smtperror):
+        smtp.conn.sendmail(from_addr, to_addr, mail)
+
+
 def test_no_internal_rate_limit(smtp, gencreds):
     """Test that there is no rate limit between accounts on the same chatmail server."""
+    to_addr, password = gencreds()
+    smtp.connect()
+    smtp.login(to_addr, password)
+
     user, password = gencreds()
-    to_addr, = gencreds()
     smtp.connect()
     smtp.login(user, password)
 
@@ -120,6 +238,7 @@ def test_no_internal_rate_limit(smtp, gencreds):
         smtp.conn.sendmail(user, to_addr, mail)
 
 
+@pytest.mark.xfail(reason="No rate limit at the moment")
 def test_exceed_rate_limit(smtp, gencreds):
     """Test that the outbound rate limit is exceeded if we send a lot of messages at once."""
     user, password = gencreds()