From 2b50f4e4d59df3d3117303d4eb8c8519ca8e8598 Mon Sep 17 00:00:00 2001
From: Matt McHenry
Date: Sat, 6 Sep 2025 11:22:42 -0400
Subject: [PATCH] nixos/tests/postfix: add sasl authentication tests this was tricky to get set up correctly. hopefully having it documented in the tests will be helpful to future users (and help ensure it keeps working for me).
---
 nixos/tests/postfix.nix | 61 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/nixos/tests/postfix.nix b/nixos/tests/postfix.nix
index 8bd4afe1ba8b..4a20a99b28f6 100644
--- a/nixos/tests/postfix.nix
+++ b/nixos/tests/postfix.nix
@@ -19,6 +19,19 @@ import ./make-test-python.nix {
 certs.${domain}.key
 certs.${domain}.cert
 ];
+ smtpd_sasl_auth_enable = "yes";
+ cyrus_sasl_config_path =
+ let
+ smtpdConf = pkgs.writeTextFile {
+ name = "smtpd.conf";
+ destination = "/etc/sasl2/smtpd.conf";
+ text = ''
+ pwcheck_method: saslauthd
+ mech_list: PLAIN LOGIN
+ '';
+ };
+ in
+ "${smtpdConf}/etc/sasl2";
 };
 submissionsOptions = {
 smtpd_sasl_auth_enable = "yes";
@@ -26,10 +39,17 @@ import ./make-test-python.nix {
 milter_macro_daemon_name = "ORIGINATING";
 };
 };
+ services.saslauthd.enable = true;
 security.pki.certificateFiles = [
 certs.ca.cert
 ];
+ security.pam.services = {
+ # note: no 'd' on the end!
+ smtp = {
+ name = "smtp";
+ };
+ };
 networking.extraHosts = ''
 127.0.0.1 ${domain}
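Review bot: Turning on `smtpd_sasl_auth_enable` in the main settings with `mech_list: PLAIN LOGIN` lets clients send passwords on port 25 before any TLS is negotiated, unless `smtpd_tls_auth_only` is set, and no such setting is visible in this hunk. The `auth` script added in the third hunk and `machine.succeed("auth")` in the last hunk then assert that a cleartext login works, which is a risky thing to document for readers who copy this configuration. Consider adding `smtpd_tls_auth_only = "yes";` beside the new setting and changing the plain check to `machine.fail("auth")`. The enclosing settings set starts above the hunk, so a setting outside this view could already cover it.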
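Review bot: The comment `# note: no 'd' on the end!` on the new `security.pam.services` entry records the pitfall but not the reason, so a later reader cannot tell which name has to match which. A fuller comment would help, for example `# PAM service name that saslauthd is asked to check for Postfix logins; it is "smtp", not "smtpd" like the Cyrus config file smtpd.conf`. It would also be worth a short comment saying where the `alice` account used by the login scripts is defined, since that definition is not part of this diff.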
@@ -72,11 +92,49 @@ import ./make-test-python.nix {
 'Subject: Test SMTPS\n\nTest data.')
 smtp.quit()
 '';
+
+ auth = pkgs.writers.writePython3Bin "auth" { } ''
+ import smtplib
+
+ with smtplib.SMTP('${domain}') as smtp:
+ smtp.ehlo()
+ smtp.login("alice", "foobar")
+ smtp.quit()
+ '';
+
+ authStarttls = pkgs.writers.writePython3Bin "authStarttls" { } ''
+ import smtplib
+ import ssl
+
+ ctx = ssl.create_default_context()
+
+ with smtplib.SMTP('${domain}') as smtp:
+ smtp.ehlo()
+ smtp.starttls(context=ctx)
+ smtp.ehlo()
+ smtp.login("alice", "foobar")
+ smtp.quit()
+ '';
+
+ authSmtps = pkgs.writers.writePython3Bin "authSmtps" { } ''
+ import smtplib
+ import ssl
+
+ ctx = ssl.create_default_context()
+
+ with smtplib.SMTP_SSL('${domain}', context=ctx) as smtp:
+ smtp.ehlo()
+ smtp.login("alice", "foobar")
+ smtp.quit()
+ '';
 in
 [
 sendTestMail
 sendTestMailStarttls
 sendTestMailSmtps
+ auth
+ authStarttls
+ authSmtps
 ];
 };
@@ -85,5 +143,8 @@ import ./make-test-python.nix {
 machine.succeed("send-testmail")
 machine.succeed("send-testmail-starttls")
 machine.succeed("send-testmail-smtps")
+ machine.succeed("auth")
+ machine.succeed("authStarttls")
+ machine.succeed("authSmtps")
 '';
 }
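Review bot: All three new scripts (`auth`, `authStarttls`, `authSmtps`) only check that the correct password is accepted, so the test would still pass if the saslauthd/PAM chain accepted every credential. Adding one negative case that expects `smtplib.SMTPAuthenticationError` for a wrong password closes that gap. It needs an entry in the package list and a `machine.succeed("authWrongPassword")` line in the test script of the last hunk. The `let` block and the test script both extend beyond these hunks.

```nix
# … unchanged: auth, authStarttls, authSmtps …

authWrongPassword = pkgs.writers.writePython3Bin "authWrongPassword" { } ''
  import smtplib
  import ssl

  ctx = ssl.create_default_context()

  with smtplib.SMTP_SSL('${domain}', context=ctx) as smtp:
      smtp.ehlo()
      try:
          smtp.login("alice", "not-the-password")
      except smtplib.SMTPAuthenticationError:
          pass
      else:
          raise SystemExit("wrong password was accepted")
'';
```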