target/smtp_downstream: Add tests

2025-04-06 22:47:37 +03:00 · 2019-11-18 22:06:06 +03:00 · 2019-11-18 22:06:06 +03:00 · 652bbf5d38
commit 652bbf5d38
parent 749906e73f
6 changed files with 513 additions and 56 deletions
--- a/target/smtp_downstream/sasl.go
+++ b/target/smtp_downstream/sasl.go
@ -6,13 +6,13 @@ import (
 	"github.com/foxcpp/maddy/exterrors"
 )

-type saslClientFactory func(downstreamUser, downstreamPass string) (sasl.Client, error)
+type saslClientFactory = func(downstreamUser, downstreamPass string) (sasl.Client, error)

 // saslAuthDirective returns saslClientFactory function used to create sasl.Client.
 // for use in outbound connections.
 //
 // Authentication information of the current client should be passed in arguments.
-func (u *Downstream) saslAuthDirective(m *config.Map, node *config.Node) (interface{}, error) {
+func saslAuthDirective(m *config.Map, node *config.Node) (interface{}, error) {
 	if len(node.Children) != 0 {
 		return nil, m.MatchErr("can't declare a block here")
 	}
@ -28,7 +28,6 @@ func (u *Downstream) saslAuthDirective(m *config.Map, node *config.Node) (interf
 		}
 		return func(downstreamUser, downstreamPass string) (sasl.Client, error) {
 			if downstreamUser == "" || downstreamPass == "" {
-				u.log.Printf("client is not authenticated, can't forward credentials")
 				return nil, &exterrors.SMTPError{
 					Code:         530,
 					EnhancedCode: exterrors.EnhancedCode{5, 7, 0},
--- a/target/smtp_downstream/sasl_test.go
+++ b/target/smtp_downstream/sasl_test.go
@ -0,0 +1,134 @@
+package smtp_downstream
+
+import (
+	"testing"
+
+	"github.com/emersion/go-smtp"
+	"github.com/foxcpp/maddy/config"
+	"github.com/foxcpp/maddy/module"
+	"github.com/foxcpp/maddy/testutils"
+)
+
+func testSaslFactory(t *testing.T, args ...string) saslClientFactory {
+	factory, err := saslAuthDirective(&config.Map{}, &config.Node{
+		Name: "auth",
+		Args: args,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	return factory.(saslClientFactory)
+}
+
+func TestSASL_Plain(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		saslFactory: testSaslFactory(t, "plain", "test", "testpass"),
+		log:         testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if be.Messages[0].AuthUser != "test" {
+		t.Errorf("Wrong AuthUser: %v", be.Messages[0].AuthUser)
+	}
+	if be.Messages[0].AuthPass != "testpass" {
+		t.Errorf("Wrong AuthPass: %v", be.Messages[0].AuthPass)
+	}
+}
+
+func TestSASL_Plain_AuthFail(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	be.AuthErr = &smtp.SMTPError{
+		Code:         550,
+		EnhancedCode: smtp.EnhancedCode{5, 1, 2},
+		Message:      "Hey",
+	}
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		saslFactory: testSaslFactory(t, "plain", "test", "testpass"),
+		log:         testutils.Logger(t, "smtp_downstream"),
+	}
+
+	_, err := testutils.DoTestDeliveryErr(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if err == nil {
+		t.Error("Expected an error, got none")
+	}
+}
+
+func TestSASL_Forward(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		saslFactory: testSaslFactory(t, "forward"),
+		log:         testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDeliveryMeta(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"}, &module.MsgMetadata{
+		AuthUser:     "test",
+		AuthPassword: "testpass",
+	})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if be.Messages[0].AuthUser != "test" {
+		t.Errorf("Wrong AuthUser: %v", be.Messages[0].AuthUser)
+	}
+	if be.Messages[0].AuthPass != "testpass" {
+		t.Errorf("Wrong AuthPass: %v", be.Messages[0].AuthPass)
+	}
+}
+
+func TestSASL_Forward_NoCreds(t *testing.T) {
+	_, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		saslFactory: testSaslFactory(t, "forward"),
+		log:         testutils.Logger(t, "smtp_downstream"),
+	}
+
+	_, err := testutils.DoTestDeliveryErr(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if err == nil {
+		t.Error("Expected an error, got none")
+	}
+}
--- a/target/smtp_downstream/smtp_downstream.go
+++ b/target/smtp_downstream/smtp_downstream.go
@ -59,7 +59,7 @@ func (u *Downstream) Init(cfg *config.Map) error {
 	//   Pick next server from list each time.
 	cfg.Custom("auth", false, false, func() (interface{}, error) {
 		return nil, nil
-	}, u.saslAuthDirective, &u.saslFactory)
+	}, saslAuthDirective, &u.saslFactory)
 	cfg.Custom("tls_client", true, false, func() (interface{}, error) {
 		return tls.Config{}, nil
 	}, config.TLSClientBlock, &u.tlsConfig)
--- a/target/smtp_downstream/smtp_downstream_test.go
+++ b/target/smtp_downstream/smtp_downstream_test.go
@ -0,0 +1,239 @@
+package smtp_downstream
+
+import (
+	"flag"
+	"math/rand"
+	"os"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/emersion/go-smtp"
+	"github.com/foxcpp/maddy/config"
+	"github.com/foxcpp/maddy/exterrors"
+	"github.com/foxcpp/maddy/testutils"
+)
+
+var testPort string
+
+func TestDownstreamDelivery(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	tarpit := testutils.FailOnConn(t, "127.0.0.2:"+testPort)
+	defer tarpit.Close()
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.2",
+				Port:   testPort,
+			},
+		},
+		log: testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+}
+
+func TestDownstreamDelivery_Fallback(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.2:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.2",
+				Port:   testPort,
+			},
+		},
+		log: testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+}
+
+func TestDownstreamDelivery_MAILErr(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	be.MailErr = &smtp.SMTPError{
+		Code:         550,
+		EnhancedCode: smtp.EnhancedCode{5, 1, 2},
+		Message:      "Hey",
+	}
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		log: testutils.Logger(t, "smtp_downstream"),
+	}
+
+	_, err := testutils.DoTestDeliveryErr(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	testutils.CheckSMTPErr(t, err, 550, exterrors.EnhancedCode{5, 1, 2}, "Hey")
+}
+
+func TestDownstreamDelivery_AttemptTLS(t *testing.T) {
+	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		tlsConfig:       *clientCfg.Clone(),
+		attemptStartTLS: true,
+		log:             testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if !be.Messages[0].State.TLS.HandshakeComplete {
+		t.Error("Expected TLS to be used, but it was not")
+	}
+}
+
+func TestDownstreamDelivery_AttemptTLS_Fallback(t *testing.T) {
+	be, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		attemptStartTLS: true,
+		log:             testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+}
+
+func TestDownstreamDelivery_RequireTLS(t *testing.T) {
+	clientCfg, be, srv := testutils.SMTPServerSTARTTLS(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		tlsConfig:       *clientCfg.Clone(),
+		attemptStartTLS: true,
+		requireTLS:      true,
+		log:             testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if !be.Messages[0].State.TLS.HandshakeComplete {
+		t.Error("Expected TLS to be used, but it was not")
+	}
+}
+
+func TestDownstreamDelivery_RequireTLS_Implicit(t *testing.T) {
+	clientCfg, be, srv := testutils.SMTPServerTLS(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tls",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		tlsConfig:       *clientCfg.Clone(),
+		attemptStartTLS: true,
+		requireTLS:      true,
+		log:             testutils.Logger(t, "smtp_downstream"),
+	}
+
+	testutils.DoTestDelivery(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	be.CheckMsg(t, 0, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if !be.Messages[0].State.TLS.HandshakeComplete {
+		t.Error("Expected TLS to be used, but it was not")
+	}
+}
+
+func TestDownstreamDelivery_RequireTLS_Fail(t *testing.T) {
+	_, srv := testutils.SMTPServer(t, "127.0.0.1:"+testPort)
+	defer srv.Close()
+	defer testutils.CheckSMTPConnLeak(t, srv)
+
+	mod := &Downstream{
+		hostname: "mx.example.invalid",
+		endpoints: []config.Endpoint{
+			{
+				Scheme: "tcp",
+				Host:   "127.0.0.1",
+				Port:   testPort,
+			},
+		},
+		attemptStartTLS: true,
+		requireTLS:      true,
+		log:             testutils.Logger(t, "smtp_downstream"),
+	}
+
+	_, err := testutils.DoTestDeliveryErr(t, mod, "test@example.invalid", []string{"rcpt@example.invalid"})
+	if err == nil {
+		t.Error("Expected an error, got none")
+	}
+}
+
+func TestMain(m *testing.M) {
+	remoteSmtpPort := flag.String("test.smtpport", "random", "(maddy) SMTP port to use for connections in tests")
+	flag.Parse()
+
+	if *remoteSmtpPort == "random" {
+		rand.Seed(time.Now().UnixNano())
+		*remoteSmtpPort = strconv.Itoa(rand.Intn(65536-10000) + 10000)
+	}
+
+	testPort = *remoteSmtpPort
+	os.Exit(m.Run())
+}
--- a/testutils/smtp_server.go
+++ b/testutils/smtp_server.go
@ -16,28 +16,38 @@ import (
 	"github.com/foxcpp/maddy/exterrors"
 )

-// Test server runner, based on emersion/go-smtp tests.
-
 type SMTPMessage struct {
-	From string
-	To   []string
-	Data []byte
+	From     string
+	To       []string
+	Data     []byte
+	State    *smtp.ConnectionState
+	AuthUser string
+	AuthPass string
 }

 type SMTPBackend struct {
 	Messages []*SMTPMessage

+	AuthErr error
 	MailErr error
 	RcptErr map[string]error
 	DataErr error
 }

-func (be *SMTPBackend) Login(_ *smtp.ConnectionState, username, password string) (smtp.Session, error) {
-	return &session{backend: be}, nil
+func (be *SMTPBackend) Login(state *smtp.ConnectionState, username, password string) (smtp.Session, error) {
+	if be.AuthErr != nil {
+		return nil, be.AuthErr
+	}
+	return &session{
+		backend:  be,
+		user:     username,
+		password: password,
+		state:    state,
+	}, nil
 }

-func (be *SMTPBackend) AnonymousLogin(_ *smtp.ConnectionState) (smtp.Session, error) {
-	return &session{backend: be, anonymous: true}, nil
+func (be *SMTPBackend) AnonymousLogin(state *smtp.ConnectionState) (smtp.Session, error) {
+	return &session{backend: be, state: state}, nil
 }

 func (be *SMTPBackend) CheckMsg(t *testing.T, indx int, from string, rcptTo []string) {
@ -63,10 +73,11 @@ func (be *SMTPBackend) CheckMsg(t *testing.T, indx int, from string, rcptTo []st
 }

 type session struct {
-	backend   *SMTPBackend
-	anonymous bool
-
-	msg *SMTPMessage
+	backend  *SMTPBackend
+	user     string
+	password string
+	state    *smtp.ConnectionState
+	msg      *SMTPMessage
 }

 func (s *session) Reset() {
@ -106,6 +117,9 @@ func (s *session) Data(r io.Reader) error {
 		return err
 	}
 	s.msg.Data = b
+	s.msg.State = s.state
+	s.msg.AuthUser = s.user
+	s.msg.AuthPass = s.password
 	s.backend.Messages = append(s.backend.Messages, s.msg)
 	return nil
 }
@ -157,41 +171,42 @@ func SMTPServer(t *testing.T, addr string, fn ...SMTPServerConfigureFunc) (*SMTP
 	return be, s
 }

-// RSA 1024, valid for *.example.invalid
-// until Nov 13 16:59:41 2029 GMT.
+// RSA 1024, valid for *.example.invalid, 127.0.0.1, 127.0.0.2,, 127.0.0.3
+// until Nov 18 17:13:45 2029 GMT.
 const testServerCert = `-----BEGIN CERTIFICATE-----
-MIIB/TCCAWagAwIBAgIRAJPNJW5c73AaVF29mMs6UjowDQYJKoZIhvcNAQELBQAw
-EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xOTExMTYxNjU5NDFaFw0yOTExMTMxNjU5
-NDFaMBIxEDAOBgNVBAoTB0FjbWUgQ28wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
-AoGBAMbIZsgWGfbSzolrL+pfG7JejKzTUpJRZ1y5mr0tqo3RIdEVz56SacfjXVUb
-33u2+wbJr6GgGlt910sdwHh/exl0WpBpXC/4Wcz3eK5VC+HcaiMRnlchG7hOazFH
-wsxUEcQtVXhFreotoUQrjrKB4n6qMhGif7Iy45oWJLkbNI1rAgMBAAGjUzBRMA4G
+MIICDzCCAXigAwIBAgIRAJ1x+qCW7L+Hs6sRU8BHmWkwDQYJKoZIhvcNAQELBQAw
+EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0xOTExMTgxNzEzNDVaFw0yOTExMTUxNzEz
+NDVaMBIxEDAOBgNVBAoTB0FjbWUgQ28wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
+AoGBAPINKMyuu3AvzndLDS2/BroA+DRUcAhWPBxMxG1b1BkkHisAZWteKajKmwdO
+O13N8HHBRPPOD56AAPLZGNxYLHn6nel7AiH8k40/xC5tDOthqA82+00fwJHDFCnW
+oDLOLcO17HulPvfCSWfefc+uee4kajPa+47hutqZH2bGMTXhAgMBAAGjZTBjMA4G
 A1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAA
-MBwGA1UdEQQVMBOCESouZXhhbXBsZS5pbnZhbGlkMA0GCSqGSIb3DQEBCwUAA4GB
-AMMVhLupUgeewIQ1UFDtMIj3GaKFdb6WVnptLLS55ZWtUPNuJH5BzPaFHTqcHW8p
-h0awjmghQoQY0ECBvbEmjlnyRL64FUTpibMvv/K6QKz1XuRWN4S9RQX3++X5I0vR
-R2+SAXHyOiKIa0M9jdP+6DscciM2lk32xCcr6WhNcD2q
+MC4GA1UdEQQnMCWCESouZXhhbXBsZS5pbnZhbGlkhwR/AAABhwR/AAAChwR/AAAD
+MA0GCSqGSIb3DQEBCwUAA4GBAGRn3C2NbwR4cyQmTRm5jcaqi1kAYyEu6U8Q9PJW
+Q15BXMKUTx2lw//QScK9MH2JpKxDuzWDSvaxZMnTxgri2uiplqpe8ydsWj6Wl0q9
+2XMGJ9LIxTZk5+cyZP2uOolvmSP/q8VFTyk9Udl6KUZPQyoiiDq4rBFUIxUyb+bX
+pHkR
 -----END CERTIFICATE-----`

 const testServerKey = `-----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAMbIZsgWGfbSzolr
-L+pfG7JejKzTUpJRZ1y5mr0tqo3RIdEVz56SacfjXVUb33u2+wbJr6GgGlt910sd
-wHh/exl0WpBpXC/4Wcz3eK5VC+HcaiMRnlchG7hOazFHwsxUEcQtVXhFreotoUQr
-jrKB4n6qMhGif7Iy45oWJLkbNI1rAgMBAAECgYEAsuT/uupJC5zES1+vi5l0b54v
-tAmqsguYnhZbcA19BIxFhsm+Q9M4Z6/y+vlOsyQF3iH8cdSIY/Zony1zXf48ZSCt
-ujIWpJnpEicQkMDKkP6eCcxEDU4OfykGYW8MAcmu3DCKVV4goJZoB3wzUTGwnGBb
-n/euDGe8c9fp/qssHaECQQDPy+pBoNON6O/bsET+xMzhD4jbwMlsjYr9V3f7CPFl
-9FgTMw3DNg7oA6yKi4u6K44f/0z/2mxQNOy3PB7trd3nAkEA9OUz3PffZBRF2g58
-DBOCddiCK/Gd8mG1R3giR8n7Dz0MIOl2BL4bp1wlvAPf56KZlnA6P09U5Uzc0amI
-bdJ73QJAAhbn1R8b4XptJwVfvDwYX077rlIC9H973U5K25BcdQz+8bp6sfLSNY0L
-6By9G/MiK7oyeQQmQKw3kSQen383EwJBAN6isK+mONSHCanfmS5xXh08o7rHgcwk
-v+UldiTFnxSPb0NMexp8qi9QOo3fB+NRk0eM56c+u/NqGSYSdhFBVZECQH4A14fb
-DDiDLYv/gUliRlSs9Ua3Ez7kmvZ710TclMgbMRhq5mqZTvC2J4OGp9wehQd5yeAk
-jcHIGpj/jkvmxck=
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAPINKMyuu3AvzndL
+DS2/BroA+DRUcAhWPBxMxG1b1BkkHisAZWteKajKmwdOO13N8HHBRPPOD56AAPLZ
+GNxYLHn6nel7AiH8k40/xC5tDOthqA82+00fwJHDFCnWoDLOLcO17HulPvfCSWfe
+fc+uee4kajPa+47hutqZH2bGMTXhAgMBAAECgYEAgPjSDH3uEdDnSlkLJJzskJ+D
+oR58s3R/gvTElSCg2uSLzo3ffF4oBHAwOqxMpabdvz8j5mSdne7Gkp9qx72TtEG2
+wt6uX1tZhm2UTAkInH8IQDthj98P8vAWQsS6HHEIMErsrW2CyUrAt/+o1BRg/hWW
+zixA3CLTthhZTJkaUCECQQD5EM16UcTAKfhr3IZppgq+ZsAOMkeCl3XVV9gHo32i
+DL6UFAb27BAYyjfcZB1fPou4RszX0Ryu9yU0P5qm6N47AkEA+MpdAPkaPziY0ok4
+e9Tcee6P0mIR+/AHk9GliVX2P74DDoOHyMXOSRBwdb+z2tYjrdjkNEL1Txe+sHny
+k/EukwJBAOBqlmqPwNNRPeiaRHZvSSD0XjqsbSirJl48D4gadPoNt66fOQNGAt8D
+Xj/z6U9HgQdiq/IOFmVEhT5FzSh1jL8CQQD3Myth8iGQO84tM0c6U3CWfuHMqsEv
+0XnV+HNAmHdLMqOa4joi1dh4ZKs5dDdi828UJ/PnsbhI1FEWzLSpJvWdAkAkVWqf
+AC/TvWvEZLA6Z5CllyNzZJ7XvtIaNOosxHDolyZ1HMWMlfEb2K2ZXWLy5foKPeoY
+Xi3olS9rB0J+Rvjz
 -----END PRIVATE KEY-----`

-// SMTPServerSTARTTLS starts a server listening on the specified addr with STARTTLS
-// extension supported.
+// SMTPServerSTARTTLS starts a server listening on the specified addr with the
+// STARTTLS extension supported.
 //
 // Returned *tls.Config is for the client and is set to trust the server
 // certificate.
@ -225,7 +240,65 @@ func SMTPServerSTARTTLS(t *testing.T, addr string, fn ...SMTPServerConfigureFunc
 	clientCfg := &tls.Config{
 		ServerName: "127.0.0.1",
 		Time: func() time.Time {
-			return time.Date(2019, time.November, 16, 16, 59, 41, 0, time.UTC)
+			return time.Date(2019, time.November, 18, 17, 59, 41, 0, time.UTC)
+		},
+		RootCAs: pool,
+	}
+
+	go func() {
+		if err := s.Serve(l); err != nil {
+			if strings.Contains(err.Error(), "use of closed network connection") {
+				return
+			}
+			t.Error(err)
+		}
+	}()
+
+	// Dial it once it make sure Server completes its initialization before
+	// we try to use it. Notably, if test fails before connecting to the server,
+	// it will call Server.Close which will call Server.listener.Close with a
+	// nil Server.listener (Serve sets it to a non-nil value, so it is racy and
+	// happens only sometimes).
+	testConn, err := net.Dial("tcp", addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testConn.Close()
+
+	return clientCfg, be, s
+}
+
+// SMTPServerTLS starts a SMTP server listening on the specified addr with
+// Implicit TLS.
+func SMTPServerTLS(t *testing.T, addr string, fn ...SMTPServerConfigureFunc) (*tls.Config, *SMTPBackend, *smtp.Server) {
+	t.Helper()
+
+	cert, err := tls.X509KeyPair([]byte(testServerCert), []byte(testServerKey))
+	if err != nil {
+		panic(err)
+	}
+
+	l, err := tls.Listen("tcp", addr, &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	be := new(SMTPBackend)
+	s := smtp.NewServer(be)
+	s.Domain = "localhost"
+	for _, f := range fn {
+		f(s)
+	}
+
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM([]byte(testServerCert))
+
+	clientCfg := &tls.Config{
+		ServerName: "127.0.0.1",
+		Time: func() time.Time {
+			return time.Date(2019, time.November, 18, 17, 59, 41, 0, time.UTC)
 		},
 		RootCAs: pool,
 	}
@ -254,6 +327,8 @@ func SMTPServerSTARTTLS(t *testing.T, addr string, fn ...SMTPServerConfigureFunc
 }

 func CheckSMTPConnLeak(t *testing.T, srv *smtp.Server) {
+	t.Helper()
+
 	// Connection closure is handled asynchronously, so before failing
 	// wait a bit for handleQuit in go-smtp to do its work.
 	for i := 0; i < 10; i++ {
@ -272,11 +347,15 @@ func CheckSMTPConnLeak(t *testing.T, srv *smtp.Server) {
 // FailOnConn fails the test if attempt is made to connect the
 // specified endpoint.
 func FailOnConn(t *testing.T, addr string) net.Listener {
+	t.Helper()
+
 	tarpit, err := net.Listen("tcp", addr)
 	if err != nil {
 		t.Fatal(err)
 	}
 	go func() {
+		t.Helper()
+
 		_, err := tarpit.Accept()
 		if err == nil {
 			t.Error("No connection expected")
@ -286,6 +365,8 @@ func FailOnConn(t *testing.T, addr string) net.Listener {
 }

 func CheckSMTPErr(t *testing.T, err error, code int, enchCode exterrors.EnhancedCode, msg string) {
+	t.Helper()
+
 	if err == nil {
 		t.Error("Expected an error, got none")
 		return
--- a/testutils/target.go
+++ b/testutils/target.go
@ -162,18 +162,20 @@ func (dtd *testTargetDelivery) Commit() error {
 }

 func DoTestDelivery(t *testing.T, tgt module.DeliveryTarget, from string, to []string) string {
+	return DoTestDeliveryMeta(t, tgt, from, to, &module.MsgMetadata{})
+}
+
+func DoTestDeliveryMeta(t *testing.T, tgt module.DeliveryTarget, from string, to []string, msgMeta *module.MsgMetadata) string {
 	t.Helper()

 	IDRaw := sha1.Sum([]byte(t.Name()))
 	encodedID := hex.EncodeToString(IDRaw[:])

 	body := buffer.MemoryBuffer{Slice: []byte("foobar\r\n")}
-	ctx := module.MsgMetadata{
-		DontTraceSender: true,
-		ID:              encodedID,
-	}
+	msgMeta.DontTraceSender = true
+	msgMeta.ID = encodedID
 	t.Log("-- tgt.Start", from)
-	delivery, err := tgt.Start(&ctx, from)
+	delivery, err := tgt.Start(msgMeta, from)
 	if err != nil {
 		t.Fatalf("unexpected Start err: %v %+v", err, exterrors.Fields(err))
 	}
@ -239,18 +241,20 @@ const DeliveryData = "A: 1\n" +
 	"foobar\n"

 func DoTestDeliveryErr(t *testing.T, tgt module.DeliveryTarget, from string, to []string) (string, error) {
+	return DoTestDeliveryErrMeta(t, tgt, from, to, &module.MsgMetadata{})
+}
+
+func DoTestDeliveryErrMeta(t *testing.T, tgt module.DeliveryTarget, from string, to []string, msgMeta *module.MsgMetadata) (string, error) {
 	t.Helper()

 	IDRaw := sha1.Sum([]byte(t.Name()))
 	encodedID := hex.EncodeToString(IDRaw[:])

 	body := buffer.MemoryBuffer{Slice: []byte("foobar\r\n")}
-	ctx := module.MsgMetadata{
-		DontTraceSender: true,
-		ID:              encodedID,
-	}
+	msgMeta.DontTraceSender = true
+	msgMeta.ID = encodedID
 	t.Log("-- tgt.Start", from)
-	delivery, err := tgt.Start(&ctx, from)
+	delivery, err := tgt.Start(msgMeta, from)
 	if err != nil {
 		return encodedID, err
 	}