feat: add pytest tests, GitHub Actions CI, STARTTLS, DKIM/DMARC docs

margbug01-cyber · margbug01-cyber · commit 7f9e20f0368f · 2026-04-05T18:08:36.000+08:00
- Add 25+ pytest test cases covering all API endpoints (accounts,
  token, messages, batch, domains, auth edge cases)
- Add GitHub Actions CI workflow (ruff lint + pytest)
- Add SMTP STARTTLS support with optional TLS cert/key mounting
- Add DKIM/DMARC DNS configuration guide to both READMEs
- Add ruff.toml for consistent linting config
- Add requirements-dev.txt for test dependencies
diff --git a/.env.example b/.env.example
@@ -11,6 +11,10 @@ API_PORT=8080
 SMTP_PORT=25
 MESSAGE_TTL_DAYS=3
 
+# TLS / STARTTLS (optional - mount certs in docker-compose.yml)
+# SMTP_TLS_CERT=/certs/fullchain.pem
+# SMTP_TLS_KEY=/certs/privkey.pem
+
 # ============================================================
 # Mail Viewer (Web UI)
 # ============================================================
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,46 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Lint mail-service
+        run: ruff check mail-service/
+
+      - name: Lint mail-viewer
+        run: ruff check mail-viewer/app.py
+
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: mail-service
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install dependencies
+        run: pip install -r requirements-dev.txt
+
+      - name: Run tests
+        run: pytest tests/ -v --tb=short
diff --git a/README.md b/README.md
@@ -123,10 +123,18 @@ yourdomain.com.       IN  MX   10  mail.yourdomain.com.
 ; A record — points to your server IP
 mail.yourdomain.com.  IN  A        <your-server-ip>
 
-; SPF record (recommended)
+; SPF record — declares which IPs may send for your domain
 yourdomain.com.       IN  TXT      "v=spf1 ip4:<your-server-ip> -all"
+
+; DKIM record — email signature verification (generate key pair first)
+default._domainkey.yourdomain.com.  IN  TXT  "v=DKIM1; k=rsa; p=<your-public-key>"
+
+; DMARC record — policy for failed SPF/DKIM checks
+_dmarc.yourdomain.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
 ```
 
+> **STARTTLS**: ManyMail supports STARTTLS. Mount your TLS certificate and key via `docker-compose.yml` and set `SMTP_TLS_CERT` / `SMTP_TLS_KEY` in `.env`. See `.env.example` for details.
+
 <br>
 
 ## API Reference
diff --git a/README_CN.md b/README_CN.md
@@ -123,10 +123,18 @@ yourdomain.com.       IN  MX   10  mail.yourdomain.com.
 ; A 记录 — 指向你的服务器 IP
 mail.yourdomain.com.  IN  A        <你的服务器IP>
 
-; SPF 记录（推荐，防止伪造发件人）
+; SPF 记录 — 声明哪些 IP 可以代表你的域名发信
 yourdomain.com.       IN  TXT      "v=spf1 ip4:<你的服务器IP> -all"
+
+; DKIM 记录 — 邮件签名验证（需先生成密钥对）
+default._domainkey.yourdomain.com.  IN  TXT  "v=DKIM1; k=rsa; p=<你的公钥>"
+
+; DMARC 记录 — SPF/DKIM 验证失败时的处理策略
+_dmarc.yourdomain.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"
 ```
 
+> **STARTTLS**：ManyMail 支持 STARTTLS 加密传输。在 `docker-compose.yml` 中挂载 TLS 证书，并在 `.env` 中设置 `SMTP_TLS_CERT` / `SMTP_TLS_KEY`。详见 `.env.example`。
+
 <br>
 
 ## API 参考
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -49,6 +49,12 @@ services:
       - SMTP_GREYLIST_ENABLED=0
       - SMTP_GREYLIST_DELAY_SECONDS=60
       - SMTP_GREYLIST_TTL_SECONDS=3600
+      - SMTP_TLS_CERT=${SMTP_TLS_CERT:-}
+      - SMTP_TLS_KEY=${SMTP_TLS_KEY:-}
+    # Uncomment to mount TLS certificates for STARTTLS:
+    # volumes:
+    #   - /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem:/certs/fullchain.pem:ro
+    #   - /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem:/certs/privkey.pem:ro
     depends_on:
       mongodb:
         condition: service_healthy
diff --git a/mail-service/app.py b/mail-service/app.py
@@ -40,6 +40,8 @@
 _SEED_DOMAINS = [d.strip().lower() for d in os.getenv("DOMAINS", "").split(",") if d.strip()]
 API_PORT = int(os.getenv("API_PORT", "8080"))
 SMTP_PORT = int(os.getenv("SMTP_PORT", "25"))
+SMTP_TLS_CERT = os.getenv("SMTP_TLS_CERT", "")  # path to TLS certificate (PEM)
+SMTP_TLS_KEY = os.getenv("SMTP_TLS_KEY", "")    # path to TLS private key (PEM)
 MESSAGE_TTL_DAYS = int(os.getenv("MESSAGE_TTL_DAYS", "3"))
 
 
@@ -910,18 +912,37 @@ async def handle_DATA(self, server, session, envelope):
             return "451 Requested action aborted: error in processing"
 
 
+def _build_tls_context():
+    """Build SSLContext for STARTTLS if cert/key are configured."""
+    if not SMTP_TLS_CERT or not SMTP_TLS_KEY:
+        return None
+    import ssl
+    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+    ctx.load_cert_chain(SMTP_TLS_CERT, SMTP_TLS_KEY)
+    logger.info(f"TLS context loaded: cert={SMTP_TLS_CERT}")
+    return ctx
+
+
 def start_smtp_server():
-    """启动 SMTP 服务器 (后台守护线程)"""
+    """启动 SMTP 服务器 (后台守护线程)，支持 STARTTLS"""
     handler = MailHandler()
-    controller = Controller(
-        handler,
+    tls_ctx = _build_tls_context()
+
+    kwargs = dict(
         hostname="0.0.0.0",
         port=SMTP_PORT,
         server_hostname=SMTP_HOSTNAME,
         data_size_limit=10 * 1024 * 1024,  # 10MB
     )
+    if tls_ctx:
+        kwargs["tls_context"] = tls_ctx
+        kwargs["require_starttls"] = False  # offer but don't require
+
+    controller = Controller(handler, **kwargs)
     controller.start()
-    logger.info(f"SMTP server started on port {SMTP_PORT}")
+    tls_status = "STARTTLS enabled" if tls_ctx else "no TLS"
+    logger.info(f"SMTP server started on port {SMTP_PORT} ({tls_status})")
     logger.info(f"Accepting mail for domains: {get_active_domains()} (dynamic from DB)")
 
 
diff --git a/mail-service/requirements-dev.txt b/mail-service/requirements-dev.txt
@@ -0,0 +1,5 @@
+-r requirements.txt
+pytest>=7.0
+httpx>=0.24.0
+mongomock>=4.1.0
+ruff>=0.4.0
diff --git a/mail-service/tests/__init__.py b/mail-service/tests/__init__.py
diff --git a/mail-service/tests/conftest.py b/mail-service/tests/conftest.py
@@ -0,0 +1,105 @@
+"""
+Shared pytest fixtures for mail-service tests.
+
+Uses mongomock to avoid requiring a real MongoDB instance.
+"""
+
+import os
+
+# Set test environment BEFORE importing app
+os.environ.update({
+    "MONGO_URL": "mongomock://localhost",
+    "DB_NAME": "test_mailserver",
+    "JWT_SECRET": "test-secret-key-for-ci",
+    "API_KEY": "test-api-key",
+    "SMTP_HOSTNAME": "mail.test.local",
+    "DOMAINS": "test.local,example.test",
+    "ENVIRONMENT": "development",
+    "RATE_LIMIT_MAX": "0",  # disable rate limiting in tests
+})
+
+import pytest
+from unittest.mock import patch, MagicMock
+import mongomock
+from fastapi.testclient import TestClient
+
+
+@pytest.fixture(autouse=True)
+def mock_mongo():
+    """Replace pymongo with mongomock for all tests."""
+    mock_client = mongomock.MongoClient()
+    mock_db = mock_client["test_mailserver"]
+
+    with patch("app.mongo_client", mock_client), \
+         patch("app.db", mock_db):
+        # Re-init indexes
+        from app import init_db
+        init_db()
+        yield mock_db
+
+    mock_client.close()
+
+
+@pytest.fixture(autouse=True)
+def mock_smtp():
+    """Prevent SMTP server from actually starting during tests."""
+    with patch("app.start_smtp_server"):
+        yield
+
+
+@pytest.fixture
+def client(mock_mongo, mock_smtp):
+    """FastAPI test client."""
+    from app import app
+    with TestClient(app) as c:
+        yield c
+
+
+@pytest.fixture
+def test_account(client):
+    """Create a test account and return (address, password, token)."""
+    address = "testuser@test.local"
+    password = "testpass123"
+
+    resp = client.post("/accounts", json={"address": address, "password": password})
+    assert resp.status_code == 201
+
+    resp = client.post("/token", json={"address": address, "password": password})
+    assert resp.status_code == 200
+    token = resp.json()["token"]
+
+    return address, password, token
+
+
+@pytest.fixture
+def auth_header(test_account):
+    """Authorization header for authenticated requests."""
+    _, _, token = test_account
+    return {"Authorization": f"Bearer {token}"}
+
+
+@pytest.fixture
+def sample_message(mock_mongo, test_account):
+    """Insert a sample message into the DB and return its ID."""
+    from datetime import datetime, timezone
+    from bson import ObjectId
+
+    address = test_account[0]
+    msg_id = ObjectId()
+    mock_mongo.messages.insert_one({
+        "_id": msg_id,
+        "to_addresses": [address],
+        "from": {"address": "sender@external.com", "name": "Test Sender"},
+        "to": [{"address": address, "name": ""}],
+        "subject": "Test Subject",
+        "intro": "This is a test email preview",
+        "text": "Hello, this is a test email body.",
+        "html": "<p>Hello, this is a <b>test</b> email body.</p>",
+        "has_attachments": False,
+        "seen": False,
+        "is_deleted": False,
+        "size": 256,
+        "created_at": datetime.now(timezone.utc),
+        "updated_at": datetime.now(timezone.utc),
+    })
+    return str(msg_id)
diff --git a/mail-service/tests/test_api.py b/mail-service/tests/test_api.py
diff --git a/ruff.toml b/ruff.toml
