Update email automated test infra to not depend on self-signed certificates
Hi @sysadmin-team,
Here's a request on behalf of FT, after discussing this topic with @boyska.
Since Run our own email (IMAP/POP3/SMTP) server for a... (#12277 - closed), we run a mail server on each isotester, using self-signed certificates. Rationale: we wanted to make the Thunderbird automated tests more robust than the previous setup (connecting to Riseup's production email infra), which was fragile (tails#11890 (closed)).
This setup is used by the automated Thunderbird tests. Since the beginning, we've had hacks to convince Thunderbird to trust the self-signed certificate of the local email server. Unfortunately, these hacks stopped working and our initial attempt to adjust them was not sufficient. As a consequence we had to disable the Thunderbird automated tests a few months ago. We were hoping to find time to come back to this and fix this on the test suite side, but did not manage to, so we figured it would be better if you fixed it on the infra side.
We have 2 ideas:

- Short-term workaround: move back to using a real email server on the Internet
  - This will probably bring back flakiness but at least we'll have some automated testing of Thunderbird.
  - Regarding what account(s) to use:
    - We can't use a Riseup account: tails#16856 (closed)
    - I believe 1 single email account, used by all isotesters, would do the job.
    - This used to be configured in YAML files shipped via the `tails_secrets_jenkins` module. I did not check where Jenkins' custom test suite configuration lives nowadays.
- Longer-term fix: replace the "1 test email server per isotester with self-signed certificate" setup with 1 single test email server on our infra, that uses a valid certificate (as in: Thunderbird will trust it out of the box)
  - Regarding DNS, routing, firewalling:
    - I assume we need an Internet FQDN, not `whatever.lizard`, in order to get a valid cert.
    - I believe Thunderbird (via Chutney) will use the same DNS resolution mechanism of the isotester the Tails-under-test runs on.
But if you have other ideas about how to fix this, we're all ears.
Blocks tails#19193 (closed)
To do

- Install a VM to run a test email server in Iguana
- Route public ports 80, 25, 110, 143, 465, 587, 993, 995 to the new VM
- Restrict access to mail ports to ISO workers
- Create a valid TLS certificate for a public domain
- Configure the valid TLS certificate for all mail services
- Ask @foundations-team to test whether it works as intended
- Consider improvements to the implemented setup (DNAT in workers and code refactoring)
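An added example, not part of the original issue and not Tails' own test-suite or infra code, of the check the second-to-last to-do item asks for: it connects to each of the mail ports listed above with Python's default TLS context, i.e. the system CA store plus hostname verification, which is what an unmodified client such as Thunderbird effectively does, and reports per port whether the certificate is accepted. On the old per-isotester setup the result is `cert-not-trusted` on every port (the self-signed certificate is the whole problem this issue is about); on a server with a certificate from a public CA for its Internet FQDN the result is `ok` on every port. The host name `mail.example.org` is a placeholder, and the STARTTLS-vs-implicit-TLS assignment per port is the conventional one, assumed here rather than taken from the page.

```python
#!/usr/bin/env python3
"""Probe each mail port of a server and report whether its certificate validates
the way a stock mail client (system trust store, hostname check) would validate it."""
import imaplib
import poplib
import smtplib
import socket
import ssl
import sys
from dataclasses import dataclass

# Mail ports from the to-do list, with the TLS mode a client expects on each
# (assumed conventional assignment). "starttls": plaintext greeting first, then an
# upgrade; "tls": TLS from the first byte.
MAIL_PORTS = {
    25: ("smtp", "starttls"),
    587: ("smtp", "starttls"),
    465: ("smtp", "tls"),
    143: ("imap", "starttls"),
    993: ("imap", "tls"),
    110: ("pop3", "starttls"),
    995: ("pop3", "tls"),
}


@dataclass
class Result:
    port: int
    proto: str
    mode: str
    status: str  # "ok", "cert-not-trusted", "hostname-mismatch", "tls-error", "connect-failed"
    detail: str


def classify(exc: Exception) -> str:
    """Map an exception raised during connect/handshake to a short verdict."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # A self-signed or otherwise untrusted chain ends up here, as does a
        # certificate issued for a different name than the one we connected to.
        if "hostname mismatch" in str(exc).lower():
            return "hostname-mismatch"
        return "cert-not-trusted"
    if isinstance(exc, ssl.SSLError):  # checked before OSError: SSLError subclasses it
        return "tls-error"
    if isinstance(exc, (OSError, socket.timeout)):
        return "connect-failed"
    return "tls-error"


def summarize(cert: dict) -> str:
    """One-line summary of a peer certificate as returned by SSLSocket.getpeercert()."""
    issuer = dict(pair[0] for pair in cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return f"issuer={issuer.get('organizationName', '?')} SAN={sans} notAfter={cert.get('notAfter')}"


def check_port(host: str, port: int, timeout: float = 10.0) -> Result:
    """Connect with the system trust store and hostname verification enabled and
    report whether the server's certificate is accepted on this port."""
    proto, mode = MAIL_PORTS[port]
    ctx = ssl.create_default_context()  # system CAs, CERT_REQUIRED, check_hostname=True
    try:
        if proto == "smtp":
            if mode == "tls":
                conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            else:
                conn = smtplib.SMTP(host, port, timeout=timeout)
                conn.starttls(context=ctx)
            cert = conn.sock.getpeercert()
            conn.quit()
        elif proto == "imap":
            if mode == "tls":
                conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
            else:
                conn = imaplib.IMAP4(host, port, timeout=timeout)
                conn.starttls(ssl_context=ctx)
            cert = conn.sock.getpeercert()
            conn.logout()
        else:  # pop3
            if mode == "tls":
                conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
            else:
                conn = poplib.POP3(host, port, timeout=timeout)
                conn.stls(context=ctx)
            cert = conn.sock.getpeercert()
            conn.quit()
    except Exception as exc:
        return Result(port, proto, mode, classify(exc), str(exc))
    return Result(port, proto, mode, "ok", summarize(cert))


def check_all(host: str, ports=tuple(sorted(MAIL_PORTS))) -> list:
    """Probe every listed port; the whole list should be 'ok' before re-enabling the tests."""
    return [check_port(host, p) for p in ports]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder host
    for r in check_all(target):
        print(f"{r.port:>4} {r.proto}/{r.mode:<8} {r.status:<17} {r.detail}")
```

Run it as `python3 mailtls_check.py <fqdn>` from an ISO worker (after the firewall restriction from the to-do list, only the workers can reach the mail ports anyway). A `hostname-mismatch` verdict with an otherwise valid certificate is the case to watch for if the test suite connects to a name other than the one the certificate was issued for; `connect-failed` on every port usually means the DNAT or firewall rules rather than the certificate.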