51 files changed, 146 insertions, 90 deletions

diff --git a/tests/auth-login/t b/tests/auth-login/t
index 7fd83d5..38e2028 100644
--- a/tests/auth-login/t
+++ b/tests/auth-login/t
@@ -9,4 +9,4 @@ grep -Fx "remote: C: xxx LOGIN [REDACTED]" <"$STDERR" || error
 
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/auth-logindisabled/t b/tests/auth-logindisabled/t
index 0bcd0d6..402355f 100644
--- a/tests/auth-logindisabled/t
+++ b/tests/auth-logindisabled/t
@@ -13,4 +13,4 @@ grep -Fx "LOGINDISABLED" <"$TMPDIR/capabilities" || error
 grep -Fx "remote: ERROR: Logins are disabled."   <"$STDERR" || error
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/auth-noplaintext/t b/tests/auth-noplaintext/t
index 11d7d4d..862bc8d 100644
--- a/tests/auth-noplaintext/t
+++ b/tests/auth-noplaintext/t
@@ -12,4 +12,4 @@ tr " " "\\n" <"$TMPDIR/capability" >"$TMPDIR/capabilities"
 grep -Fx "remote: ERROR: Server did not advertise STARTTLS capability." <"$STDERR" || error
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) "                        <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/auth-sasl-plain-no-ir/t b/tests/auth-sasl-plain-no-ir/t
index 17aa9e6..f236ac7 100644
--- a/tests/auth-sasl-plain-no-ir/t
+++ b/tests/auth-sasl-plain-no-ir/t
@@ -23,4 +23,4 @@ xcgrep "$n" -E "^remote(\(INBOX\))?: C: [0-9]+ APPEND INBOX .* \{[0-9]+\}$" <"$S
 
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/auth-sasl-plain/t b/tests/auth-sasl-plain/t
index 68f71a9..c5cb024 100644
--- a/tests/auth-sasl-plain/t
+++ b/tests/auth-sasl-plain/t
@@ -9,4 +9,4 @@ grep -Fx "remote: C: xxx AUTHENTICATE PLAIN [REDACTED]" <"$STDERR" || error
 
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/certs/generate b/tests/certs/generate
index de379a0..f449764 100755
--- a/tests/certs/generate
+++ b/tests/certs/generate
@@ -8,13 +8,26 @@ BASEDIR="$(dirname -- "$0")"
 OU="InterIMAP test suite"
 cd "$BASEDIR"
 
+OPENSSL_CONF="./openssl.cnf"
+export OPENSSL_CONF
+
 cadir="$(mktemp --tmpdir --directory)"
 trap 'rm -rf -- "$cadir"' EXIT INT TERM
+genpkey() {
+    local key="$1"
+    shift
+    openssl genpkey -out "$key" "$@" 2>&1
+}
 
 # generate CA (we intentionally throw away the private key and serial
 # file to avoid reuse)
-openssl genpkey -algorithm RSA -out "$cadir/ca.key"
-openssl req -new -x509 -rand /dev/urandom -subj "/OU=$OU/CN=Fake Root CA" -key "$cadir/ca.key" -out ./ca.crt
+genpkey "$cadir/ca.key" -algorithm RSA
+openssl req -new -x509 -rand /dev/urandom \
+    -subj "/OU=$OU/CN=Fake Root CA" \
+    -addext subjectKeyIdentifier="hash" \
+    -addext authorityKeyIdentifier="keyid:always,issuer" \
+    -addext basicConstraints="critical,CA:TRUE" \
+    -key "$cadir/ca.key" -out ./ca.crt
 
 SERIAL=1
 new() {
@@ -31,14 +44,14 @@ new() {
         printf "subjectAltName = %s\\n" "$3" >>"$cadir/new-ext.cnf"
     fi
     openssl x509 -req -in "$cadir/new.csr" -CA ./ca.crt -CAkey "$cadir/ca.key" \
-        -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf"
+        -CAserial "$cadir/ca.srl" -CAcreateserial -extfile "$cadir/new-ext.cnf" 2>&1
 }
 
-openssl genpkey -algorithm RSA -out ./dovecot.rsa.key
+genpkey ./dovecot.rsa.key -algorithm RSA
 new ./dovecot.rsa.key "localhost" "DNS:localhost,DNS:ip6-localhost,IP:127.0.0.1,IP:::1" >./dovecot.rsa.crt
 
-openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -out ./dovecot.ecdsa.key
+genpkey ./dovecot.ecdsa.key -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
 new ./dovecot.ecdsa.key "localhost" >./dovecot.ecdsa.crt
 
-openssl genpkey -algorithm RSA -out ./dovecot.rsa2.key
+genpkey ./dovecot.rsa2.key -algorithm RSA
 new ./dovecot.rsa2.key "imap.example.net" "DNS:imap.example.net,DNS:localhost" >./dovecot.rsa2.crt
diff --git a/tests/certs/openssl.cnf b/tests/certs/openssl.cnf
new file mode 100644
index 0000000..b1af7b8
--- /dev/null
+++ b/tests/certs/openssl.cnf
@@ -0,0 +1,4 @@
+[ req ]
+distinguished_name = req_distinguished_name
+
+[ req_distinguished_name ]
diff --git a/tests/compress/t b/tests/compress/t
index 5625761..0a04a73 100644
--- a/tests/compress/t
+++ b/tests/compress/t
@@ -16,4 +16,4 @@ echo "compress = no" >>"$XDG_CONFIG_HOME/interimap/config"
 interimap --debug || error
 ! grep -E "^remote: C: [^[:blank:]]+ COMPRESS DEFLATE$" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/condstore/t b/tests/condstore/t
index 1963b2b..b30ca36 100644
--- a/tests/condstore/t
+++ b/tests/condstore/t
@@ -47,4 +47,4 @@ for f in "${FLAGS[@]}"; do
         error "UID list differs for keyword '$f'"
 done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/config/dovecot/ssl.conf b/tests/config/dovecot/ssl.conf
index 3fd99d5..1f3a698 100644
--- a/tests/config/dovecot/ssl.conf
+++ b/tests/config/dovecot/ssl.conf
@@ -2,4 +2,5 @@ ssl = required
 ssl_cert = <dovecot.rsa.crt
 ssl_key = <dovecot.rsa.key
 ssl_dh = <dhparams.pem
-ssl_min_protocol = TLSv1
+ssl_min_protocol = TLSv1.2
+ssl_cipher_list = DEFAULT@SECLEVEL=2
diff --git a/tests/db-exclusive-lock/t b/tests/db-exclusive-lock/t
index c2df4b5..0d0badb 100644
--- a/tests/db-exclusive-lock/t
+++ b/tests/db-exclusive-lock/t
@@ -10,7 +10,7 @@ sleep .5
 # subsequent runs fail as we can't acquire the exclusive lock
 ! interimap || error
 
-grep -Fx "DBD::SQLite::db do failed: database is locked at ./interimap line 176." <"$STDERR" \
-    || error "Is \$DBH->do(\"PRAGMA locking_mode = EXCLUSIVE\"); at line 176?"
+grep -Ex "DBD::SQLite::db do failed: database is locked at (\S+/)?interimap line 181\." <"$STDERR" \
+    || error "Is \$DBH->do(\"PRAGMA locking_mode = EXCLUSIVE\"); at line 181?"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/db-migration-0-1-foreign-key-violation/t b/tests/db-migration-0-1-foreign-key-violation/t
index 35e5be5..fa4afb4 100644
--- a/tests/db-migration-0-1-foreign-key-violation/t
+++ b/tests/db-migration-0-1-foreign-key-violation/t
@@ -18,4 +18,4 @@ EOF
 grep -Fx "Upgrading database version from 0" <"$STDERR" || error "DB upgrade not attempted"
 grep -Fx "database: ERROR: Broken referential integrity! Refusing to commit changes." <"$STDERR" || error "DB upgrade successful despite broken refint"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/db-no-create--watch/t b/tests/db-no-create--watch/t
index a8ea07e..3097558 100644
--- a/tests/db-no-create--watch/t
+++ b/tests/db-no-create--watch/t
@@ -1,6 +1,6 @@
 ! interimap --watch=60 || error
 
-grep -Ex "DBI connect\(.*\) failed: unable to open database file at \./interimap line 172\." <"$STDERR" || error
+grep -Ex "DBI connect\(.*\) failed: unable to open database file at (\S+/)?interimap line 177\." <"$STDERR" || error
 test \! -e "$XDG_DATA_HOME/interimap/remote.db" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/db-upgrade-0-1-delim-mismatch/t b/tests/db-upgrade-0-1-delim-mismatch/t
index d133437..c15927c 100644
--- a/tests/db-upgrade-0-1-delim-mismatch/t
+++ b/tests/db-upgrade-0-1-delim-mismatch/t
@@ -4,4 +4,4 @@ sqlite3 "$XDG_DATA_HOME/interimap/remote.db" <"$TESTDIR/before.sql" || error "Co
 
 grep -Fx 'ERROR: Local and remote hierachy delimiters differ (local "\"", remote "^"), refusing to update table `mailboxes`.' <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/db-upgrade-0-1/t b/tests/db-upgrade-0-1/t
index 088008e..2baafe6 100644
--- a/tests/db-upgrade-0-1/t
+++ b/tests/db-upgrade-0-1/t
@@ -31,4 +31,4 @@ diff -u --label="a/dump.sql" --label="b/dump.sql" \
     "$TMPDIR/dump-expected.sql" "$TMPDIR/dump.sql" \
     || error "DB dumps differ"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/delete/t b/tests/delete/t
index c38d4d3..84fc55f 100644
--- a/tests/delete/t
+++ b/tests/delete/t
@@ -92,4 +92,4 @@ check_mailbox_list
 check_mailboxes_status "INBOX"
 step_done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/delimiter-change/t b/tests/delimiter-change/t
index 3f96953..c49dd66 100644
--- a/tests/delimiter-change/t
+++ b/tests/delimiter-change/t
@@ -34,4 +34,4 @@ run "." "."
 n="$(doveadm -u "local" search all | wc -l)"
 [ "$n" -eq 64 ] || error "$n != 64"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/ignore-mailbox/t b/tests/ignore-mailbox/t
index f90227c..0b8d553 100644
--- a/tests/ignore-mailbox/t
+++ b/tests/ignore-mailbox/t
@@ -59,4 +59,4 @@ EOF
 
 check_mailboxes_status "virtual" "virtual.bar" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/list b/tests/interimap.list
index d1058ba..559daed 100644
--- a/tests/list
+++ b/tests/interimap.list
@@ -61,6 +61,3 @@ split-set   Split large sets to avoid extra-long command lines
     sync-live-crippled   local/remote simulation (crippled remote)
     sync-live-tls        local/remote simulation (TLS remote)
     sync-live-multi      local/remote1+remote2+remote3 simulation (3 local namespaces)
-
-. pullimap
-    ... pullimap
diff --git a/tests/largeint/t b/tests/largeint/t
index b0877d5..c3f349e 100644
--- a/tests/largeint/t
+++ b/tests/largeint/t
@@ -36,4 +36,4 @@ doveadm -u "remote" mailbox update --min-next-uid 2147483648 --min-highest-modse
 
 run
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/list-mailbox/t b/tests/list-mailbox/t
index e905537..a1168a6 100644
--- a/tests/list-mailbox/t
+++ b/tests/list-mailbox/t
@@ -54,4 +54,4 @@ for v in '""' '"f o o""bar"' '"f o o" "bar" "baz\" x'; do
     grep -xF "Invalid value for list-mailbox: $v" <"$STDERR"
 done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/list-reference/t b/tests/list-reference/t
index a2cc9c7..12e112b 100644
--- a/tests/list-reference/t
+++ b/tests/list-reference/t
@@ -44,4 +44,4 @@ verify
 ! doveadm -u "local"  mailbox status uidvalidity "foobaz" || error
 ! doveadm -u "remote" mailbox status uidvalidity "foobar" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/list-select-opts/t b/tests/list-select-opts/t
index 98acb43..30c3fe9 100644
--- a/tests/list-select-opts/t
+++ b/tests/list-select-opts/t
@@ -53,4 +53,4 @@ grep -Fx "remote: Created mailbox foo"   <"$STDERR" || error
 check_mailbox_list
 check_mailboxes_status "INBOX" "foo" "foo.bar" "bar" "baz"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/preauth-plaintext/t b/tests/preauth-plaintext/t
index bc287dd..2f3071f 100644
--- a/tests/preauth-plaintext/t
+++ b/tests/preauth-plaintext/t
@@ -16,4 +16,4 @@ interimap --debug || true
 
 grep -Fx "remote: S: * STATUS INBOX (UIDNEXT 1 UIDVALIDITY 1 HIGHESTMODSEQ 1)" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/pullimap.list b/tests/pullimap.list
new file mode 100644
index 0000000..f4304b9
--- /dev/null
+++ b/tests/pullimap.list
@@ -0,0 +1,2 @@
+. pullimap
+    ... pullimap
diff --git a/tests/pullimap/t b/tests/pullimap/t
index 0dfe634..e508784 100644
--- a/tests/pullimap/t
+++ b/tests/pullimap/t
@@ -6,6 +6,24 @@ step_start "\`pullimap --idle\` refuses to create the state file"
 ! pullimap --idle "remote" || error
 step_done
 
+step_start "\`pullimap\` creates statefile with mode 0600"
+pullimap "remote" || error
+if ! st="$(stat -c"%#a" -- "$XDG_DATA_HOME/pullimap/remote")" || [ "$st" != "0600" ]; then
+    error "$XDG_DATA_HOME/pullimap/remote has mode $st != 0600"
+fi
+step_done
+
+step_start "\`pullimap\` locks its statefile"
+pullimap --idle "remote" & PID=$!
+trap "ptree_abort $PID" EXIT INT TERM
+# wait a short while so we have time to lock the database (ugly and racy...)
+sleep .5
+! pullimap "remote" || error
+grep -F "Can't lock $XDG_DATA_HOME/pullimap/remote: Resource temporarily unavailable at " <"$STDERR" || error
+ptree_abort $PID
+trap - EXIT INT TERM
+step_done
+
 # compare mailboxes (can't compare the RFC 3501 TEXT as the LMTPd inconditionally
 # adds a Return-Path: header -- and also Delivered-To: and Received: to by default)
 list_mails_sha256() {
@@ -104,29 +122,31 @@ doveadm -u "remote" search mailbox "$MAILBOX" unseen >"$TMPDIR/unseen"
 step_done
 
 
-step_start "--idle (${TIMEOUT}s)"
+if [ $TIMEOUT -gt 0 ]; then
+    step_start "--idle (${TIMEOUT}s)"
 
-pullimap --idle "remote" & PID=$!
-trap "ptree_abort $PID" EXIT INT TERM
+    pullimap --idle "remote" & PID=$!
+    trap "ptree_abort $PID" EXIT INT TERM
+
+    timer=$(( $(date +%s) + TIMEOUT ))
+    while [ $(date +%s) -le $timer ]; do
+        n="$(shuf -n1 -i1-5)"
+        for (( i=0; i < n; i++)); do
+            sample_message | deliver -u "remote"  -- -m "$MAILBOX"
+        done
 
-timer=$(( $(date +%s) + TIMEOUT ))
-while [ $(date +%s) -le $timer ]; do
-    n="$(shuf -n1 -i1-5)"
-    for (( i=0; i < n; i++)); do
-        sample_message | deliver -u "remote"  -- -m "$MAILBOX"
+        s=$(shuf -n1 -i1-1500)
+        [ $s -ge 1000 ] && s="$(printf "1.%03d" $((s-1000)))" || s="$(printf "0.%03d" $s)"
+        sleep "$s"
     done
 
-    s=$(shuf -n1 -i1-1500)
-    [ $s -ge 1000 ] && s="$(printf "1.%03d" $((s-1000)))" || s="$(printf "0.%03d" $s)"
-    sleep "$s"
-done
+    sleep 5
+    ptree_abort $PID
+    trap - EXIT INT TERM
 
-sleep 5
-ptree_abort $PID
-trap - EXIT INT TERM
-
-check
-step_done
+    check
+    step_done
+fi
 
 
 step_start "Purging"
@@ -140,4 +160,4 @@ doveadm -u "remote" search mailbox "$MAILBOX" all >"$TMPDIR/messages"
 [ ! -s "$TMPDIR/messages" ] || error "messages left"
 step_done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/rename-exists-db/t b/tests/rename-exists-db/t
index cb6cfcd..63d7ba0 100644
--- a/tests/rename-exists-db/t
+++ b/tests/rename-exists-db/t
@@ -11,4 +11,4 @@ doveadm -u "remote" mailbox delete "t\\o"
 ! interimap --rename "root.from" "t.o" || error
 grep -Fx 'database: ERROR: Mailbox t.o exists. Run `interimap --target=database --delete t.o` to delete.' <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/rename-exists-local/t b/tests/rename-exists-local/t
index 190f49a..33c7da7 100644
--- a/tests/rename-exists-local/t
+++ b/tests/rename-exists-local/t
@@ -10,4 +10,4 @@ doveadm -u "remote" mailbox delete "t\\o"
 ! interimap --rename "root.from" "t.o" || error
 grep -Fx 'local: ERROR: Mailbox t.o exists. Run `interimap --target=local --delete t.o` to delete.' <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/rename-exists-remote/t b/tests/rename-exists-remote/t
index be16a12..2e87053 100644
--- a/tests/rename-exists-remote/t
+++ b/tests/rename-exists-remote/t
@@ -10,4 +10,4 @@ doveadm -u "local" mailbox delete "t.o"
 ! interimap --rename "root.from" "t.o" || error
 grep -Fx 'remote: ERROR: Mailbox t\o exists. Run `interimap --target=remote --delete t.o` to delete.' <"$STDERR" || remote
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/rename-inferiors/t b/tests/rename-inferiors/t
index 9267e6f..9166230 100644
--- a/tests/rename-inferiors/t
+++ b/tests/rename-inferiors/t
@@ -97,4 +97,4 @@ check_mailbox_list
 check_mailboxes_status "from.root" "from.root.child" "from.root.child2" "from.root.child.grandchild" \
     "newroot.sibbling" "newroot.sibbling.grandchild" "root2" "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/rename-simple/t b/tests/rename-simple/t
index 6ebee9a..df9d84c 100644
--- a/tests/rename-simple/t
+++ b/tests/rename-simple/t
@@ -58,4 +58,4 @@ grep -Fx "database: Created mailbox INBOX" <"$STDERR"
 check_mailbox_list
 check_mailboxes_status "INBOX" "bar" "baz"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/repair/t b/tests/repair/t
index 6b205ea..10fab0d 100644
--- a/tests/repair/t
+++ b/tests/repair/t
@@ -104,4 +104,4 @@ check_mailboxes_status "baz" "foo.bar"
 interimap || error
 check_mailboxes_status "baz" "foo.bar" "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/resume/t b/tests/resume/t
index a281ef3..d7b9b53 100644
--- a/tests/resume/t
+++ b/tests/resume/t
@@ -95,4 +95,4 @@ diff -u --label="a/count" --label="b/count" "$TMPDIR/count" - <<-EOF
 	9
 EOF
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/run b/tests/run
index 1eaad54..eed77df 100755
--- a/tests/run
+++ b/tests/run
@@ -38,6 +38,12 @@ fi
 # cleanup environment
 unset OPENSSL_CONF SSL_CERT_FILE SSL_CERT_DIR
 
+if [ -z "${INTERIMAP_PATH+x}" ]; then
+    INTERIMAP_PATH="./"
+elif [ -n "$INTERIMAP_PATH" ]; then
+    INTERIMAP_PATH="${INTERIMAP_PATH%/}/"
+fi
+
 ROOTDIR="$(mktemp --tmpdir="${TMPDIR:-/dev/shm}" --directory "$1.XXXXXXXXXX")"
 declare -a DOVECOT_SERVER=()
 trap cleanup EXIT INT TERM
@@ -206,26 +212,32 @@ prepare
 interimap() { _interimap_cmd "interimap" "$@"; }
 pullimap()  { _interimap_cmd "pullimap"  "$@"; }
 _interimap_cmd() {
-    declare -a ENVIRON=()
+    declare -a ENVIRON=() args=()
     local script="$1" rv=0
     shift
     environ_set "local"
     [ -z "${OPENSSL_CONF+x}" ]  || ENVIRON+=( OPENSSL_CONF="$OPENSSL_CONF" )
     [ -z "${SSL_CERT_FILE+x}" ] || ENVIRON+=( SSL_CERT_FILE="$SSL_CERT_FILE" )
     [ -z "${SSL_CERT_DIR+x}" ]  || ENVIRON+=( SSL_CERT_DIR="$SSL_CERT_DIR" )
-    env -i "${ENVIRON[@]}" perl -I./lib -T "./$script" "$@" 2>"$STDERR" || rv=$?
+    [ -z "${INTERIMAP_I:+x}" ] || args+=( perl -I"$INTERIMAP_I" -T )
+    args+=( "$INTERIMAP_PATH$script" "$@" )
+    #printf "I: Running \`%s\`\\n" "${args[*]}" >&3
+    env -i "${ENVIRON[@]}" "${args[@]}" 2>"$STDERR" || rv=$?
     cat <"$STDERR" >&2
     return $rv
 }
 interimap_init() {
     local u="${1-remote}"
-    local db="$XDG_DATA_HOME/interimap/$u.db"
+    local db="$XDG_DATA_HOME/interimap/$u.db" st
     local cfg="config${u#remote}"
 
     test \! -e "$db"          || error "Database already exists" 1
     interimap --config "$cfg" || error "Couldn't initialize interimap" 1
     test -f "$db"             || error "Database is still missing" 1
     grep -Fx "Creating new schema in database file $db" <"$STDERR" || error "DB wasn't created" 1
+    if ! st="$(stat -c"%#a" -- "$db")" || [ "$st" != "0600" ]; then
+        error "$db has mode $st != 0600" 1
+    fi
 }
 doveadm() {
     if [ $# -le 2 ] || [ "$1" != "-u" ]; then
@@ -449,7 +461,7 @@ passed() {
 # Run test in a sub-shell
 declare -a ENVIRON=()
 environ_set "local"
-export TMPDIR TESTDIR STDERR "${ENVIRON[@]}"
+export TMPDIR TESTDIR INTERIMAP_PATH INTERIMAP_I STDERR "${ENVIRON[@]}"
 export -f environ_set doveadm interimap interimap_init pullimap _interimap_cmd
 export -f sqlite3 sample_message deliver ptree_abort step_start step_done passed
 export -f check_mailbox_status check_mailbox_status_values check_mailbox_status2
diff --git a/tests/run-all b/tests/run-all
index d13f689..79e62d1 100755
--- a/tests/run-all
+++ b/tests/run-all
@@ -24,6 +24,7 @@ export PATH
 
 BASEDIR="$(dirname -- "$0")"
 RUN="$BASEDIR/run"
+list="$1"
 
 failed=0
 
@@ -54,7 +55,7 @@ while IFS="" read -r x; do
     fi
 
     INDENT="$indent" "$RUN" "$t" ${desc+"$desc"} || failed=$(( failed+1 ))
-done <"$BASEDIR/list"
+done <"$BASEDIR/$list"
 
 if [ $failed -eq 0 ]; then
     printf "All tests passed.\\n"
diff --git a/tests/split-set/t b/tests/split-set/t
index 5e8ea52..d8cf948 100644
--- a/tests/split-set/t
+++ b/tests/split-set/t
@@ -40,4 +40,4 @@ done
 interimap || error
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/starttls-injection/t b/tests/starttls-injection/t
index d57aa7a..023baff 100644
--- a/tests/starttls-injection/t
+++ b/tests/starttls-injection/t
@@ -13,4 +13,4 @@ grep -Fx 'remote: WARNING: Truncating non-empty output buffer (unauthenticated r
 ! grep -Fx 'remote: ERROR: Logins are disabled.' <"$STDERR" || error "injected capability wasn't ignored"
 grep -Fx 'remote: ERROR: Server did not advertise ENABLE (RFC 5161) capability.' <"$STDERR" || error "injected capability wasn't ignored"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/starttls-logindisabled/t b/tests/starttls-logindisabled/t
index 0ac7465..b2bf87b 100644
--- a/tests/starttls-logindisabled/t
+++ b/tests/starttls-logindisabled/t
@@ -16,4 +16,4 @@ grep -Fx "remote: C: 000001 CAPABILITY" <"$STDERR" || error
 # can't go further as the capability string still has the manually
 # enforced 'LOGINDISABLED'
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/starttls/t b/tests/starttls/t
index 62b2151..7b76469 100644
--- a/tests/starttls/t
+++ b/tests/starttls/t
@@ -1,5 +1,5 @@
 X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -noout -fingerprint -sha256 \
+    | openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
 
 for ((i = 0; i < 32; i++)); do
@@ -27,4 +27,4 @@ grep "^remote: SSL cipher: " <"$STDERR" || error
 
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/sync-live-multi/t b/tests/sync-live-multi/t
index ba7f326..b91cedc 100644
--- a/tests/sync-live-multi/t
+++ b/tests/sync-live-multi/t
@@ -124,4 +124,4 @@ for m in "${MAILBOXES[@]}"; do
     check_mailbox_status2 "$blob" "$m" "$u" "$mr"
 done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/sync-live/t b/tests/sync-live/t
index 5f5b291..1d50b00 100644
--- a/tests/sync-live/t
+++ b/tests/sync-live/t
@@ -73,4 +73,4 @@ trap - EXIT INT TERM
 check_mailbox_list
 check_mailboxes_status "${MAILBOXES[@]}"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/sync-mailbox-list/t b/tests/sync-mailbox-list/t
index ea80fbf..d1567fb 100644
--- a/tests/sync-mailbox-list/t
+++ b/tests/sync-mailbox-list/t
@@ -90,4 +90,4 @@ EOF
 [ $(< "$TMPDIR/count") -eq 0 ] || error
 step_done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-ciphers/t b/tests/tls-ciphers/t
index 0dfc771..ca0e610 100644
--- a/tests/tls-ciphers/t
+++ b/tests/tls-ciphers/t
@@ -28,4 +28,4 @@ EOF
 interimap --debug || error
 grep -Fx "remote: SSL cipher: TLS_CHACHA20_POLY1305_SHA256 (256 bits)" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-pin-fingerprint/t b/tests/tls-pin-fingerprint/t
index 883a887..6c045a1 100644
--- a/tests/tls-pin-fingerprint/t
+++ b/tests/tls-pin-fingerprint/t
@@ -1,5 +1,6 @@
 PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl x509 -in /dev/stdin -pubkey \
+    | openssl pkey -in /dev/stdin -pubin -outform DER \
     | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
 INVALID_FPR="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
 INVALID_FPR2="sha256\$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbee2"
@@ -74,4 +75,4 @@ EOF
 interimap --debug || error
 grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_SHA256" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-protocols/openssl.cnf b/tests/tls-protocols/openssl.cnf
index 980097d..3d9769d 100644
--- a/tests/tls-protocols/openssl.cnf
+++ b/tests/tls-protocols/openssl.cnf
@@ -11,4 +11,4 @@ system_default = system_default_sect
 
 [system_default_sect]
 MinProtocol = None
-CipherString = DEFAULT
+CipherString = DEFAULT@SECLEVEL=0
diff --git a/tests/tls-protocols/remote.conf b/tests/tls-protocols/remote.conf
index 6029749..96b3713 120000..100644
--- a/tests/tls-protocols/remote.conf
+++ b/tests/tls-protocols/remote.conf
@@ -1 +1,4 @@
-../tls/remote.conf
\ No newline at end of file
+!include conf.d/imapd.conf
+!include conf.d/ssl.conf
+ssl_min_protocol = TLSv1
+ssl_cipher_list = DEFAULT@SECLEVEL=0
diff --git a/tests/tls-protocols/t b/tests/tls-protocols/t
index 72f7db2..b78dd69 100644
--- a/tests/tls-protocols/t
+++ b/tests/tls-protocols/t
@@ -96,4 +96,4 @@ grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error
 ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error
 grep -Fx "remote: IMAP traffic (bytes): recv 0 sent 0" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-rsa+ecdsa/t b/tests/tls-rsa+ecdsa/t
index c9f5b96..16ec9d9 100644
--- a/tests/tls-rsa+ecdsa/t
+++ b/tests/tls-rsa+ecdsa/t
@@ -2,11 +2,12 @@ doveconf_remote() {
     doveconf -c "$HOME_remote/.dovecot/config" -hx "$1"
 }
 pkey_sha256() {
-    openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    openssl x509 -in /dev/stdin -pubkey \
+    | openssl pkey -in /dev/stdin -pubin -outform DER \
     | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}"
 }
 x509_sha256() {
-    openssl x509 -noout -fingerprint -sha256 \
+    openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]"
 }
 
@@ -28,7 +29,7 @@ interimap_init
 check_mailbox_status "INBOX"
 
 interimap --debug || error
-# which peer certificate is used is up to libssl 
+# which peer certificate is used is up to libssl
 grep -Fx -e "remote: Peer certificate fingerprint: sha256\$$X509_SHA256" \
          -e "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" \
          <"$STDERR" || error
@@ -53,4 +54,4 @@ interimap --debug || error
 grep -Fx "remote: Peer certificate fingerprint: sha256\$$X509_ALT_SHA256" <"$STDERR" || error
 grep -Fx "remote: Peer certificate matches pinned SPKI digest sha256\$$PKEY_ALT_SHA256" <"$STDERR" || error
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-sni/t b/tests/tls-sni/t
index f18b8b0..0565e49 100644
--- a/tests/tls-sni/t
+++ b/tests/tls-sni/t
@@ -1,9 +1,9 @@
 SERVERNAME="imap.example.net" # cf local_name{} section in the dovecot config
 X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -noout -fingerprint -sha256 \
+    | openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
 X509_2_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -f lname="$SERVERNAME" -hx ssl_cert \
-    | openssl x509 -noout -fingerprint -sha256 \
+    | openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
 
 # check that empty SSL_hostname disables SNI
@@ -63,4 +63,4 @@ echo "SSL_CAfile = $HOME/.dovecot/conf.d/ca.crt" >>"$XDG_CONFIG_HOME/interimap/c
 interimap --debug || error
 sni_ok
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls-verify-peer/t b/tests/tls-verify-peer/t
index 8326521..ee4cd88 100644
--- a/tests/tls-verify-peer/t
+++ b/tests/tls-verify-peer/t
@@ -1,8 +1,9 @@
 X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -noout -fingerprint -sha256 \
+    | openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
 PKEY_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -pubkey | openssl pkey -pubin -outform DER \
+    | openssl x509 -in /dev/stdin -pubkey \
+    | openssl pkey -in /dev/stdin -pubin -outform DER \
     | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")"
 
 unverified_peer() {
@@ -146,4 +147,4 @@ done
 
 step_done
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :
diff --git a/tests/tls/t b/tests/tls/t
index a674b28..aee0678 100644
--- a/tests/tls/t
+++ b/tests/tls/t
@@ -1,5 +1,5 @@
 X509_SHA256="$(doveconf -c "$HOME_remote/.dovecot/config" -hx ssl_cert \
-    | openssl x509 -noout -fingerprint -sha256 \
+    | openssl x509 -in /dev/stdin -noout -fingerprint -sha256 \
     | sed -rn "/^.*=\\s*/ {s///p;q}" | tr -d : | tr "[A-Z]" "[a-z]")"
 
 for ((i = 0; i < 32; i++)); do
@@ -14,4 +14,4 @@ grep "^remote: SSL cipher: " <"$STDERR" || error
 
 check_mailbox_status "INBOX"
 
-# vim: set filetype=sh :
+# vim: set filetype=bash :