+#!perl -w
+# Copyright (C) all contributors <meta@public-inbox.org>
+# License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>
+use v5.12;
+use Socket qw(IPPROTO_TCP SOL_SOCKET);
+use PublicInbox::TestCommon;
+# IO::Poll and Net::NNTP are part of the standard library, but
+# distros may split them off...
+require_mods(qw(-imapd IO::Socket::SSL Mail::IMAPClient IO::Poll Net::NNTP));
+my $imap_client = 'Mail::IMAPClient';
+$imap_client->can('starttls') or
+ plan skip_all => 'Mail::IMAPClient does not support TLS';
+Net::NNTP->can('starttls') or
+ plan skip_all => 'Net::NNTP does not support TLS';
+my $cert = 'certs/server-cert.pem';
+my $key = 'certs/server-key.pem';
+unless (-r $key && -r $cert) {
+ plan skip_all =>
+ "certs/ missing for $0, run $^X ./create-certs.perl in certs/";
+}
+use_ok 'PublicInbox::TLS';
+use_ok 'IO::Socket::SSL';
+require_git('2.6');
+
+my ($tmpdir, $for_destroy) = tmpdir();
+my $err = "$tmpdir/stderr.log";
+my $out = "$tmpdir/stdout.log";
+my $pi_config;
+my $group = 'test-netd';
+my $addr = $group . '@example.com';
+
+# ensure we have free, low-numbered contiguous FDs from 3.. FD inheritance
+my @pad_pipes;
+for (1..3) {
+ pipe(my ($r, $w)) or xbail "pipe: $!";
+ push @pad_pipes, $r, $w;
+};
+my %srv = map { $_ => tcp_server() } qw(imap nntp imaps nntps);
+my $ibx = create_inbox 'netd', version => 2,
+ -primary_address => $addr, indexlevel => 'basic', sub {
+ my ($im, $ibx) = @_;
+ $im->add(eml_load('t/data/0001.patch')) or BAIL_OUT '->add';
+ $pi_config = "$ibx->{inboxdir}/pi_config";
+ open my $fh, '>', $pi_config or BAIL_OUT "open: $!";
+ print $fh <<EOF or BAIL_OUT "print: $!";
+[publicinbox "netd"]
+ inboxdir = $ibx->{inboxdir}
+ address = $addr
+ indexlevel = basic
+ newsgroup = $group
+EOF
+ close $fh or BAIL_OUT "close: $!\n";
+};
+$pi_config //= "$ibx->{inboxdir}/pi_config";
+my @args = ("--cert=$cert", "--key=$key");
+my $rdr = {};
+my $fd = 3;
+while (my ($k, $v) = each %srv) {
+ push @args, "-l$k://".tcp_host_port($v);
+ $rdr->{$fd++} = $v;
+}
+my $cmd = [ '-netd', '-W0', @args, "--stdout=$out", "--stderr=$err" ];
+my $env = { PI_CONFIG => $pi_config };
+my $td = start_script($cmd, $env, $rdr);
+@pad_pipes = ();
+undef $rdr;
+my %o = (
+ SSL_hostname => 'server.local',
+ SSL_verifycn_name => 'server.local',
+ SSL_verify_mode => SSL_VERIFY_PEER(),
+ SSL_ca_file => 'certs/test-ca.pem',
+);
+{
+ my $c = tcp_connect($srv{imap});
+ my $msg = <$c>;
+ like($msg, qr/IMAP4rev1/, 'connected to IMAP');
+}
+{
+ my $c = tcp_connect($srv{nntp});
+ my $msg = <$c>;
+ like($msg, qr/^201 .*? ready - post via email/, 'connected to NNTP');
+}
+
+# TODO: more tests
+done_testing;