diff --git a/.flake8 b/.flake8
index 02142048..80899e90 100644
--- a/.flake8
+++ b/.flake8
@@ -1,2 +1,3 @@
 [flake8]
 extend-ignore = E501, W504, W503, E126
+exclude = lib*, bin
diff --git a/.gitignore b/.gitignore
index 876720ae..da4f8123 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,8 @@
-/test
 cert*
 .*.sw*
 /docs
 /repos
+bin/
+lib*/
+pyvenv.cfg
+CACHEDIR.TAG
diff --git a/.pytest.ini b/.pytest.ini
new file mode 100644
index 00000000..049e247a
--- /dev/null
+++ b/.pytest.ini
@@ -0,0 +1,3 @@
+[pytest]
+testpaths =
+    test
diff --git a/README.md b/README.md
index 80ac9608..c0e7b06b 100644
--- a/README.md
+++ b/README.md
@@ -29,14 +29,17 @@ Section 3: Testing and basic functionality
 
  - In order to verify that singularity is behaving correctly, you should run the test suite.
 
- - You will need to install some host packages needed by the testing script: flake8, shellcheck, jq, and curl.
-On Fedora these packages can be obtained by running `sudo dnf install -y python3-flake8 shellcheck jq curl`.
+ - You will need to install some host packages needed by the tests: shellcheck and jq
 
- - Now you can run `./test.sh`. If you followed the directions, the tests should pass.
+ On Fedora these packages can be obtained by running `sudo dnf install -y ShellCheck jq`
 
- - Note that recent versions of Fedora ship with `curl-minimal` rather than `curl`, and that the former does not support pop3s.
-If, when running the tests, you encounter an error like `"pop3s: protocol not supported"` you can first try `dnf swap libcurl-minimal libcurl`--
-failing that, you may need to run `dnf download libcurl.$(uname -m) && sudo dnf install --allowerasing ./libcurl*.rpm && rm libcurl*.rpm`.
+ - You will need to install some python packages needed by the tests
+
+ - Use a python virtual environment to obtain the correct versions: `virtualenv . && pip install -r requirements.txt`, assuming you have both `virtualenv` and `pip` installed
+
+On Fedora the packages needed to run those last two commands can be obtained by running `sudo dnf install -y python-virtualenv python-pip`
+
+ - Now you can run `pytest`. If you followed the directions, the tests should pass.
 
  - You will not be able to access the services using a normal web browser or email client without one more step as the
 services listening on unix sockets instead of TCP ports.
diff --git a/extenginx/Containerfile b/extenginx/Containerfile
index 82bb2a0f..e4ea34ab 100644
--- a/extenginx/Containerfile
+++ b/extenginx/Containerfile
@@ -5,6 +5,9 @@ RUN apk update && apk upgrade && apk add \
     openssl \
     ;
 
+
+ARG NGINX_HOSTNAME=localhost
+
 RUN mkdir /etc/ssl/nginx && \
 	cd /etc/ssl/nginx && \
 	openssl \
@@ -12,23 +15,25 @@ RUN mkdir /etc/ssl/nginx && \
 		-genparam \
 		-algorithm DH \
 		-pkeyopt dh_paramgen_prime_len:2048 \
-		-out ssl-dhparams.pem \
+		-out ssl-dhparams.pem && \
+	 printf "[req]\n \
+distinguished_name=req\n \
+[ v3_ext ]\n \
+subjectAltName=DNS:${NGINX_HOSTNAME},IP:127.0.0.1\n" > openssl.cnf \
 	&& \
 	:
 
-ARG NGINX_HOSTNAME=localhost
-
 RUN cd /etc/ssl/nginx && \
-	openssl \
-		req \
-		-sha256 \
-		-newkey rsa:4096 \
+	openssl req \
 		-x509 \
+		-nodes \
 		-days 133337 \
-		-subj "/CN=${NGINX_HOSTNAME}" \
-		-noenc \
+		-newkey rsa:2048 \
 		-keyout privkey.pem \
 		-out fullchain.pem \
+		-subj "/CN=${NGINX_HOSTNAME}" \
+		-extensions v3_ext \
+		-config openssl.cnf \
 	&& \
 	:
 
diff --git a/git/admin.sh b/git/admin.sh
index f3a9e46e..bbd5189a 100755
--- a/git/admin.sh
+++ b/git/admin.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 set -e
 
-DOCKER_COMPOSE=${DOCKER_COMPOSE:-podman-compose}
+PODMAN_COMPOSE=${PODMAN_COMPOSE:-podman-compose}
 
-$DOCKER_COMPOSE exec git ./create-repo.sh "$@"
+$PODMAN_COMPOSE exec git ./create-repo.sh "$@"
diff --git a/orbit/warpdrive.sh b/orbit/warpdrive.sh
index 8d92572d..c78e8158 100755
--- a/orbit/warpdrive.sh
+++ b/orbit/warpdrive.sh
@@ -4,6 +4,6 @@
 
 set -e
 
-DOCKER_COMPOSE=${DOCKER_COMPOSE:-podman-compose}
+PODMAN_COMPOSE=${PODMAN_COMPOSE:-podman-compose}
 
-$DOCKER_COMPOSE exec orbit ./hyperspace.py "$@"
+$PODMAN_COMPOSE exec orbit ./hyperspace.py "$@"
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 00000000..6b7ac8b6
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,14 @@
+certifi==2025.1.31
+charset-normalizer==3.4.1
+flake8==7.1.2
+idna==3.10
+iniconfig==2.0.0
+mccabe==0.7.0
+packaging==24.2
+pluggy==1.5.0
+pycodestyle==2.12.1
+pyflakes==3.2.0
+pytest==8.3.4
+requests==2.31.0
+requests-unixsocket==0.3.0
+urllib3==2.3.0
diff --git a/script-lint.sh b/script-lint.sh
index 10cf94fa..ebcec035 100755
--- a/script-lint.sh
+++ b/script-lint.sh
@@ -6,7 +6,6 @@ require shellcheck
 set -ex
 
 shellcheck script-lint.sh
-shellcheck test.sh
 shellcheck orbit/warpdrive.sh
 shellcheck denis/configure.sh
 shellcheck mailman/inspector.sh
diff --git a/test.sh b/test.sh
deleted file mode 100755
index 7e13f23f..00000000
--- a/test.sh
+++ /dev/null
@@ -1,217 +0,0 @@
-#!/usr/bin/env bash
-
-# Testing script for singularity and orbit
-
-# This line:
-# - aborts the script after any pipeline returns nonzero (e)
-# - shows all commands as they are run (x)
-# - sets any dereference of an unset variable to trigger an error (u)
-# - causes the return value of a pipeline to be the nonzero return value
-#   of the furthest right failing command or zero if no command failed (o pipefail)
-set -exuo pipefail
-
-DOCKER=${DOCKER:-podman}
-DOCKER_COMPOSE=${DOCKER_COMPOSE:-podman-compose}
-
-require() { command -v "$1" > /dev/null || { echo "error: $1 command required yet absent" ; exit 1 ; } ; }
-require curl
-require jq
-require flake8
-require "${DOCKER}"
-require "${DOCKER_COMPOSE}"
-
-# Check for shell script style compliance with shellcheck
-./script-lint.sh
-
-# Check python style compliance
-flake8
-
-# Create test dir if it does not exist yet
-mkdir -p test
-
-# Reset the test directory
-rm -f test/*
-
-HOSTNAME_FROM_DOTENV="$(sh -c '
-set -o allexport
-. ./.env
-exec jq -r -n "env.SINGULARITY_HOSTNAME"
-')"
-
-SINGULARITY_HOSTNAME=${SINGULARITY_HOSTNAME:-"${HOSTNAME_FROM_DOTENV}"}
-
-${DOCKER} cp singularity_nginx_1:/etc/ssl/nginx/fullchain.pem test/ca_cert.pem
-
-CURL_OPTS=( \
---verbose \
---cacert test/ca_cert.pem \
---fail \
---no-progress-meter \
-)
-
-# Check that registration fails before user creation
-curl --url "https://$SINGULARITY_HOSTNAME/register" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "student_id=1234" \
-  | tee test/register_fail_no_user \
-  | grep "msg = no such student"
-
-# Check that login fails before user creation
-curl --url "https://$SINGULARITY_HOSTNAME/login" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "username=user&password=pass" \
-  | tee test/login_fail_no_user \
-  | grep "msg = authentication failure"
-
-# Check that we can create a user
-orbit/warpdrive.sh -u user -i 1234 -n
-
-# Check that registration fails with incorrect student id
-curl --url "https://$SINGULARITY_HOSTNAME/register" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "student_id=123" \
-  | tee test/register_fail_wrong \
-  | grep "msg = no such student"
-
-# Check that registration succeeds with correct student id
-curl --url "https://$SINGULARITY_HOSTNAME/register" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "student_id=1234" \
-  | tee test/register_success \
-  | grep "msg = welcome to the classroom"
-
-REGISTER_PASS="$(sed -nr 's/.*Password: ([^<]*).*/\1/p' < test/register_success | tr -d '\n')"
-
-# Check that registration fails when student id is used for a second time
-curl --url "https://$SINGULARITY_HOSTNAME/register" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "student_id=1234" \
-  | tee test/register_fail_duplicate \
-  | grep "msg = no such student"
-
-# Check that login fails when credentials are invalid
-curl --url "https://$SINGULARITY_HOSTNAME/login" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "username=user&password=invalid" \
-  | tee test/login_fail_invalid \
-  | grep "msg = authentication failure"
-
-# Check that login succeeds when credentials are valid
-curl --url "https://$SINGULARITY_HOSTNAME/login" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --data "username=user&password=${REGISTER_PASS}" \
-  | tee test/login_success \
-  | grep "msg = user authenticated by password"
-
-# Check that the user can get the empty list of email on the server
-curl --url "pop3s://$SINGULARITY_HOSTNAME" \
-  --unix-socket ./socks/pop3s.sock \
-  "${CURL_OPTS[@]}" \
-  --user "user:${REGISTER_PASS}" \
-  | tee test/pop_get_empty \
-  | diff <(printf '\r\n') /dev/stdin
-
-CR=$(printf "\r")
-# Check that the user can send a message to the server
-(
-curl --url "smtps://$SINGULARITY_HOSTNAME" \
-  --unix-socket ./socks/smtps.sock \
-  "${CURL_OPTS[@]}" \
-  --mail-from "user@$SINGULARITY_HOSTNAME" \
-  --mail-rcpt "other@$SINGULARITY_HOSTNAME" \
-  --upload-file - \
-  --user "user:${REGISTER_PASS}" <<EOF
-Subject: Message Subject$CR
-$CR
-To whom it may concern,$CR
-$CR
-Bottom text$CR
-EOF
-) | tee test/smtp_send_email \
-  | diff <(printf "") /dev/stdin
-
-
-# Verify that no email shows up without the journal being updated
-curl --url "pop3s://$SINGULARITY_HOSTNAME" \
-  --unix-socket ./socks/pop3s.sock \
-  "${CURL_OPTS[@]}" \
-  --user "user:${REGISTER_PASS}" \
-  | tee test/pop_get_empty_no_update \
-  | diff <(printf '\r\n') /dev/stdin
-
-# create a user that will have limited access to the inbox
-orbit/warpdrive.sh -u resu -p ssap -n
-
-# Limit `resu`'s access to the empty inbox
-${DOCKER_COMPOSE} exec denis /usr/local/bin/restrict_access /var/lib/email/journal/journal -d resu
-
-# Update list of email to include new message
-${DOCKER_COMPOSE} exec denis /usr/local/bin/init_journal /var/lib/email/journal/journal /var/lib/email/journal/temp /var/lib/email/mail
-
-# Check that the user can get the most recent message sent to the server
-curl --url "pop3s://$SINGULARITY_HOSTNAME/1" \
-  --unix-socket ./socks/pop3s.sock \
-  "${CURL_OPTS[@]}" \
-  --user "user:${REGISTER_PASS}" \
-  | tee test/pop_get_message \
-  | grep "Bottom text"
-
-# Verify that no email shows up for `resu`
-curl --url "pop3s://$SINGULARITY_HOSTNAME" \
-  --unix-socket ./socks/pop3s.sock \
-  "${CURL_OPTS[@]}" \
-  --user "resu:ssap" \
-  | tee test/pop_get_empty_restricted \
-  | diff <(printf '\r\n') /dev/stdin
-
-
-# Remove limit on `resu`'s access to the inbox
-${DOCKER_COMPOSE} exec denis /usr/local/bin/restrict_access /var/lib/email/journal/journal -a resu
-
-# Check that `resu` can now get the most recent message sent to the server
-curl --url "pop3s://$SINGULARITY_HOSTNAME/1" \
-  --unix-socket ./socks/pop3s.sock \
-  "${CURL_OPTS[@]}" \
-  --user "resu:ssap" \
-  | tee test/pop_unrestricted_get_message \
-  | grep "Bottom text"
-
-# If you get a 429 error from one of the matrix tests, restart the server and try again
-# Synapse has rate-limiting behavior for login requests indicated by this 429 HTTP code
-
-# Check that the user can login to matrix with their orbit ID
-curl --url "https://$SINGULARITY_HOSTNAME/_matrix/client/r0/login" \
-  --unix-socket ./socks/https.sock \
-  "${CURL_OPTS[@]}" \
-  --header "Content-Type: application/json" \
-  --data "{
-        \"type\": \"m.login.password\",
-        \"user\": \"@user:$SINGULARITY_HOSTNAME\",
-        \"password\": \"${REGISTER_PASS}\"
-      }" \
-  | tee test/matrix_login_success \
-  | grep "access_token"
-
-# Check that the user cannot login to matrix with an invalid orbit ID
-curl --url "https://$SINGULARITY_HOSTNAME/_matrix/client/r0/login" \
-  --unix-socket ./socks/https.sock \
-  --verbose \
-  --cacert test/ca_cert.pem \
-  --no-progress-meter \
-  --header "Content-Type: application/json" \
-  --data "{
-        \"type\": \"m.login.password\",
-        \"user\": \"@user:$SINGULARITY_HOSTNAME\",
-        \"password\": \"ssap\"
-      }" \
-  | tee test/matrix_login_invalid \
-  | grep '{"errcode":"M_FORBIDDEN","error":"Invalid username or password"}'
-
-echo "ALL TESTS PASS"
diff --git a/test/diameter.py b/test/diameter.py
new file mode 100644
index 00000000..eb03f38b
--- /dev/null
+++ b/test/diameter.py
@@ -0,0 +1,175 @@
+import subprocess
+import pytest
+import socket
+import smtplib
+import base64
+import os
+import ssl
+import poplib
+import urllib.parse
+import requests_unixsocket
+from requests.adapters import HTTPAdapter
+from pathlib import Path
+from urllib3.connection import HTTPConnection
+from urllib3.connectionpool import HTTPConnectionPool
+from urllib3.util.ssl_ import create_urllib3_context
+
+CERT_PATH = "test/artifacts/ca_cert.pem"
+CREW_OPTS = {
+    "verify": CERT_PATH,
+    "timeout": 10
+}
+HTTPS_SOCKET_PATH = "socks/https.sock"
+POP3S_SOCKET_PATH = "socks/pop3s.sock"
+SMTPS_SOCKET_PATH = "socks/smtps.sock"
+REGISTER_PASS = ""
+
+
+class SSLUnixSocketConnection(HTTPConnection):
+    """Custom HTTPConnection that wraps a Unix socket with SSL."""
+
+    def __init__(self, unix_socket_path, **kwargs):
+        super().__init__("localhost", **kwargs)  # Dummy host (not used)
+        self.unix_socket_path = unix_socket_path
+        self.ssl_context = create_urllib3_context()
+        self.ssl_context.load_verify_locations(CERT_PATH)
+
+    def _new_conn(self):
+        """Create a new wrapped SSL connection over a Unix domain socket."""
+        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        sock.connect(self.unix_socket_path)
+        return self.ssl_context.wrap_socket(sock, server_hostname="localhost.localdomain")
+
+
+class SSLUnixSocketConnectionPool(HTTPConnectionPool):
+    """Custom ConnectionPool for Unix socket wrapped with SSL."""
+
+    def __init__(self, socket_path, **kwargs):
+        super().__init__("localhost", **kwargs)  # Dummy host (not used)
+        self.socket_path = socket_path
+
+    def _new_conn(self):
+        return SSLUnixSocketConnection(self.socket_path)
+
+
+class SSLUnixSocketAdapter(HTTPAdapter):
+    """Transport adapter to route requests over a Unix socket with SSL."""
+
+    def __init__(self, socket_path, **kwargs):
+        self.socket_path = socket_path
+        super().__init__(**kwargs)
+
+    def get_connection(self, url, proxies=None):
+        return SSLUnixSocketConnectionPool(self.socket_path)
+
+
+class UnixSocketInstaller():
+    def __init__(self, socket_path, certfile, timeout=30):
+        self.timeout = timeout
+        # Create SSL context and load certificate
+        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+        ssl_context.load_verify_locations(certfile)
+
+        # Create and connect Unix domain socket
+        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+        sock.connect(socket_path)
+        # Wrap with SSL
+        self.sock = ssl_context.wrap_socket(sock, server_hostname='localhost.localdomain')
+        self.file = self.sock.makefile('rb')
+
+
+class UnixSMTP(UnixSocketInstaller, smtplib.SMTP):
+    def __init__(self, user, pass_):
+        super().__init__(SMTPS_SOCKET_PATH, CERT_PATH)
+        smtplib.SMTP.__init__(self)
+
+        self.ehlo('localhost.localdomain')
+        self.docmd('AUTH', 'PLAIN ' + base64.b64encode(('\x00' + user + '\x00' + pass_).encode('utf-8')).decode('ascii'))
+        self.getreply()
+
+
+class UnixPOP3(UnixSocketInstaller, poplib.POP3):
+    def __init__(self, user, pass_, timeout=30):
+        super().__init__(POP3S_SOCKET_PATH, CERT_PATH, timeout=timeout)
+        self._debugging = 0
+        self.user(user)
+        self.pass_(pass_)
+
+    def __len__(self):
+        lst = self.list()[1]
+        print(lst)
+        msg_count = len(lst[1:])
+        return msg_count
+
+
+def require(command):
+    """Ensure a required command is available."""
+    if subprocess.call(["which", command], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) != 0:
+        pytest.exit(f"error: {command} command required yet absent")
+
+
+REQUIRED_COMMANDS = ["jq", "flake8", "podman", "podman-compose"]
+for cmd in REQUIRED_COMMANDS:
+    require(cmd)
+
+
+def run_shell_command(cmd, check=True):
+    """Run a shell command and return its output."""
+    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
+    if check and result.returncode != 0:
+        pytest.fail(f"Command failed: {cmd}\n---stdout---\n{result.stdout}\n---stderr---\n{result.stderr}")
+    return result.stdout.strip()
+
+
+def get_hostname():
+    """Retrieve SINGULARITY_HOSTNAME from the .env file."""
+    cmd = "set -o allexport; source ./.env; jq -r -n \"env.SINGULARITY_HOSTNAME\""
+    return run_shell_command(cmd)
+
+
+SINGULARITY_HOSTNAME = os.getenv("SINGULARITY_HOSTNAME", get_hostname())
+PODMAN = os.getenv("PODMAN", "podman")
+PODMAN_COMPOSE = os.getenv("PODMAN_COMPOSE", "podman-compose")
+
+
+class RocketCrew():
+    def __init__(self):
+        """Setup before any tests run."""
+        run_shell_command("flake8")
+        run_shell_command("./script-lint.sh")
+
+        self.list = {}
+        self.session = requests_unixsocket.Session()
+        self.session.mount("http+unix://", SSLUnixSocketAdapter(HTTPS_SOCKET_PATH))
+
+        os.makedirs("test/artifacts", exist_ok=True)
+        for file in Path("test/artifacts").glob("*"):
+            file.unlink()
+        run_shell_command(f'{PODMAN} cp singularity_nginx_1:/etc/ssl/nginx/fullchain.pem {CERT_PATH}')
+
+    def post(self, destination, data=None, json=None):
+        """Make a post request to $destnation with optional data cargo (dict)"""
+        url = f"http+unix://{urllib.parse.quote_plus(HTTPS_SOCKET_PATH)}{destination}"
+        return self.session.post(url, data=data, json=json, **CREW_OPTS)
+
+    def mkpop(self, user, pass_=None):
+        return UnixPOP3(user, pass_ if pass_ is not None else self.list.get(user, ''))
+
+    def mksmtp(self, user, pass_=None):
+        return UnixSMTP(user, pass_ if pass_ is not None else self.list.get(user, ''))
+
+    def create_user(self, user, pass_=None, id=None):
+        assert user is not None
+
+        append = f' -u {user}'
+        if pass_ is not None:
+            append += f' -p {pass_}'
+            self.list[user] = pass_
+        if id is not None:
+            append += f' -i {id}'
+
+        run_shell_command(f'orbit/warpdrive.sh -n{append}')
+
+
+def execute_denis(command):
+    run_shell_command(f'{PODMAN_COMPOSE} exec denis sh -c "{command}"')
diff --git a/test/general_test.py b/test/general_test.py
new file mode 100644
index 00000000..d62d36a9
--- /dev/null
+++ b/test/general_test.py
@@ -0,0 +1,93 @@
+from email.message import EmailMessage
+from diameter import RocketCrew, execute_denis, SINGULARITY_HOSTNAME
+
+
+def setup_module():
+    # The RocketCrew pilots the rocket into orbit
+    global crew
+    crew = RocketCrew()
+
+
+def test_registration_fails_before_user_creation():
+    assert "msg = no such student" in crew.post('/register', data={"student_id": "1234"}).text
+
+
+def test_login_fails_before_user_creation():
+    assert "msg = authentication failure" in crew.post('/login', data={"username": "user", "password": "pass"}).text
+
+
+def test_create_user():
+    crew.create_user('user', id='1234')
+
+
+def test_registration_fails_with_wrong_id():
+    assert "msg = no such student" in crew.post('/register', data={"student_id": "123"}).text
+
+
+def test_registration_succeeds():
+    response = crew.post('/register', data={"student_id": "1234"})
+    assert "msg = welcome to the classroom" in response.text
+    crew.list['user'] = response.text.split("Password: ")[1].split("<")[0].strip()
+
+
+def test_registration_fails_when_id_used_again():
+    assert "msg = no such student" in crew.post('/register', data={"student_id": "1234"}).text
+
+
+def test_login_fails_when_credentials_invalid():
+    assert "msg = authentication failure" in crew.post('/login', data={"username": "user", "invalid": crew.list['user']}).text
+
+
+def test_login_succeeds():
+    assert "msg = user authenticated by password" in crew.post('/login', data={"username": "user", "password": crew.list['user']}).text
+
+
+def test_email_empty_list():
+    assert len(crew.mkpop('user')) == 0
+
+
+def test_send_email():
+    smtp = crew.mksmtp('user')
+
+    msg = EmailMessage()
+    msg.set_content("To whom it may concern,\n\nBottom text")
+    msg["Subject"] = "Message Subject"
+    msg["From"] = f"user@{SINGULARITY_HOSTNAME}"
+    msg["To"] = f"other@{SINGULARITY_HOSTNAME}"
+
+    smtp.send_message(msg)
+    smtp.quit()
+
+
+def test_email_empty_list_before_journal_update():
+    assert len(crew.mkpop('user')) == 0
+
+
+def test_restricted_user_cannot_access_messages():
+    crew.create_user('resu', pass_='ssap')
+    execute_denis('/usr/local/bin/restrict_access /var/lib/email/journal/journal -d resu')
+    execute_denis('cat /var/lib/email/patchsets/* | append_journal /var/lib/email/journal/journal')
+
+    assert len(crew.mkpop('resu')) == 0
+
+
+def test_email_retrieval():
+    pop = crew.mkpop('user')
+    assert len(pop) > 0
+    # Check the last line of the first message, whici will be returned in the second entry of an array from POP3.retr()
+    assert "Bottom text" in str(pop.retr(1)[1][-1])
+
+
+def test_freshly_unrestricted_user_obtains_access_to_messages():
+    execute_denis('/usr/local/bin/restrict_access /var/lib/email/journal/journal -a resu')
+    assert len(crew.mkpop('resu')) == 1
+
+
+def test_matrix_login_success():
+    response = crew.post('/_matrix/client/r0/login', json={"type": "m.login.password", "user": f"@user:{SINGULARITY_HOSTNAME}", "password": crew.list['user']})
+    assert "access_token" in response.text
+
+
+def test_matrix_login_invalid():
+    response = crew.post('/_matrix/client/r0/login', json={"type": "m.login.password", "user": f"@user:{SINGULARITY_HOSTNAME}", "password": "wrongpass"})
+    assert "errcode" in response.text and "M_FORBIDDEN" in response.text