author    Jan Dittberner <jandd@cacert.org>  2020-06-06 23:23:47 +0200
committer Jan Dittberner <jandd@cacert.org>  2020-06-07 00:15:56 +0200
commit    37480b609f9439b55b66372b2a558ab9681490f5
tree      d7cbddcbabac295c7a40cec70af66f6110cf23a3
parent    717777ec9aa733a4e8b31aaf59a10ad394534e08
Update documentation for email systems

- document move of webmail service to community
- remove retired webmail system documentation and references to it
- update email account creation documentation
- update OS version information on community, email and emailout
- remove todo items that have been resolved
- document nginx for community.cacert.org running on email
- document how to build the Debian packages for cacert-selfservice and cacert-selfservice API
- move the primary location of the community.cacert.org certificate to the email system documentation
-rw-r--r-- docs/systems.rst             1
-rw-r--r-- docs/systems/community.rst  76
-rw-r--r-- docs/systems/email.rst      87
-rw-r--r-- docs/systems/emailout.rst   52
-rw-r--r-- docs/systems/motion.rst      2
-rw-r--r-- docs/systems/webmail.rst   356
6 files changed, 136 insertions, 438 deletions
diff --git a/docs/systems.rst b/docs/systems.rst
index 06001b5..41a3f16 100644
--- a/docs/systems.rst
+++ b/docs/systems.rst
@@ -34,7 +34,6 @@ administrator team.
systems/testmgr
systems/translations
systems/web
- systems/webmail
systems/webstatic
systems/wiki
diff --git a/docs/systems/community.rst b/docs/systems/community.rst
index ca49866..9f38456 100644
--- a/docs/systems/community.rst
+++ b/docs/systems/community.rst
@@ -8,14 +8,17 @@ Community
Purpose
=======
-This system provides the community self service system and will replace the
-:doc:`webmail` system in the future.
+This system provides the community self service system and the webmail
+interface for the community email service.
Application Links
-----------------
- Community self service
- https://selfservice.cacert.org/
+Community self service
+ https://selfservice.cacert.org/
+
+Webmail
+ https://webmail.cacert.org/
Administration
@@ -99,9 +102,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Buster
- single: Debian GNU/Linux; 10.3
+ single: Debian GNU/Linux; 10.4
-* Debian GNU/Linux 10.3
+* Debian GNU/Linux 10.4
Services
========
@@ -183,7 +186,9 @@ Outbound network connections
----------------------------
* DNS (53) resolver at 10.0.0.1 (:doc:`infra02`)
-* :doc:`email` for self service API access
+* :doc:`email` for self service API access as well as IMAP (110/tcp), IMAPS
+ (993/tcp), Manage Sieve (2001/tcp), SMTPS (465/tcp) and SMTP Submission
+ (587/tcp) for the webmail system
* :doc:`emailout` as SMTP relay
* :doc:`puppet` (tcp/8140) as Puppet master
* :doc:`proxyout` as HTTP proxy for APT and Puppet
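Review bot: the port given for IMAP in the new outbound-connections bullet is wrong: `IMAP (110/tcp)` should be `IMAP (143/tcp)`. 110/tcp is POP3, as the listening-services table added to email.rst in this same commit shows (`110/tcp | pop3`, `143/tcp | imap`). The line was carried over verbatim from the deleted webmail.rst, where it had the same mistake, so please correct it here instead of propagating it to the new page.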
@@ -212,13 +217,33 @@ Non-distribution packages and modifications
The software is installed from a Debian package that is hosted on :doc:`webstatic`.
The software is built on :doc:`jenkins` via the `cacert-selfservice Job`_
- when there are changes in Git. The Debian package can be built using
- :program:`gbp`.
+ when there are changes in Git.
The software is installed and configured via Puppet.
.. _cacert-selfservice Job: https://jenkins.cacert.org/job/cacert-selfservice/
- .. todo:: describe build and deployment of Debian package for self-service
+
+Building the cacert-selfservice Debian package
+----------------------------------------------
+
+The cacert-selfservice git repository contains a debian branch that can be used
+to build the package.
+
+The Debian package can be built using :program:`gbp`. For a clean build
+environment using sbuild/schroot is recommended.
+
+.. code-block:: bash
+
+ sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \
+ --extra-repository="deb http://deb.debian.org/debian buster-backports main" \
+ buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian
+ gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \
+ -d buster-cacert
+
+Uploads can be done via sftp with the debarchive user on :doc:`webstatic`. You
+need an ssh public key in the user's :file:`~/.ssh/authorized_keys` file.
+Packages are only accepted if they are signed with a GPG key whose public key
+is stored in the keyring of the reprepro installation on :doc:`webstatic`.
Risk assessments on critical packages
-------------------------------------
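Review bot: the `gbp buildpackage` command in the new code block never closes the `--git-builder=` string: the first line opens it with `--git-builder="sbuild --build-dep-resolver=aptitude \` and the continuation line `-d buster-cacert` has no closing quote, so a pasted shell session would just wait for more input. It should end with `-d buster-cacert"`. The identical section (with the same defect) is added to email.rst in this commit; keeping it once in a shared snippet pulled in with `.. include::` would stop the two copies from drifting apart. The sentence about uploads is the supply-chain control of this procedure (signed packages, key in the reprepro keyring); it would be worth naming where the accepted signing keys and the debarchive authorized_keys are managed so that adding or revoking an uploader has a documented path.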
@@ -244,6 +269,15 @@ configuration items outside of the :cacertgit:`cacert-puppet`.
Keys and X.509 certificates
---------------------------
+.. sslcert:: webmail.cacert.org
+ :altnames: DNS:community.cacert.org, DNS:webmail.cacert.org
+ :certfile: /etc/ssl/public/webmail.cacert.org.crt.pem
+ :keyfile: /etc/ssl/private/webmail.cacert.org.key.pem
+ :serial: 02E37C
+ :expiration: Jun 06 11:10:41 2022 GMT
+ :sha1fp: 70:EF:DA:32:E7:F9:86:F4:0C:85:54:71:A7:90:E8:68:0A:9F:8D:FD
+ :issuer: CAcert Class 3 Root
+
.. sslcert:: selfservice.cacert.org
:altnames: DNS:selfservice.cacert.org
:certfile: /etc/cacert-selfservice/certs/server.crt.pem
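Review bot: the new webmail.cacert.org certificate lists `DNS:community.cacert.org` among its SANs, while email.rst in this commit documents a different certificate (serial 147CB0) as the one served for community.cacert.org by nginx on :doc:`email`. A one-line remark stating that this system only serves webmail.cacert.org with this certificate, and why community.cacert.org is included in it, would avoid confusion when either certificate is renewed or when monitoring checks expiry per hostname.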
@@ -258,6 +292,8 @@ Keys and X.509 certificates
* :file:`/etc/cacert-selfservice/certs/client_cas.pem` contains the CAcert.org
Class 1 and Class 3 CA certificates that are used to validate client
certificates for the CAcert community self service system
+* :file:`/etc/ssl/public/webmail.cacert.org.chain.pem` contains the certificate
+ for ``webmail.cacert.org`` concatenated with the CA chain.
The certificates are rolled out by Puppet. All changes to the certificates need
to be made to the file :file:`hieradata/nodes/community.yaml` in the
@@ -267,6 +303,21 @@ to be made to the file :file:`hieradata/nodes/community.yaml` in the
* :wiki:`SystemAdministration/CertificateList`
+:file:`/etc/hosts`
+------------------
+
+Defines an alias for :doc:`email` that is required by the Roundcube
+installation to reach the email system via its internal IP address with the
+correct hostname.
+
+.. index::
+ pair: Roundcube; configuration
+
+Roundcube configuration
+-----------------------
+
+Roundcube configuration is managed by Puppet.
+
.. index::
pair: cacert-selfservice; configuration
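Review bot: the new :file:`/etc/hosts` section says an alias for :doc:`email` is defined but not which hostname it is; please name it, because Roundcube's IMAP/SMTP TLS verification only succeeds if that hostname matches one of the SANs of the certificate :doc:`email` presents (community.cacert.org / email.cacert.org per the sslcert directive in email.rst), and the alternative, disabling verification in the Roundcube config, is exactly what this alias is meant to avoid. "Roundcube configuration is managed by Puppet." would likewise benefit from the hieradata or module path, the way the certificate section names :file:`hieradata/nodes/community.yaml`.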
@@ -287,14 +338,9 @@ Changes
Planned
-------
-.. todo:: finish the roundcube setup on :doc:`community` to allow
- decommisioning of :doc:`webmail`.
-
System Future
-------------
-* Become the replacement for :doc:`webmail`
-
Additional documentation
========================
diff --git a/docs/systems/email.rst b/docs/systems/email.rst
index 47249b6..df527b0 100644
--- a/docs/systems/email.rst
+++ b/docs/systems/email.rst
@@ -12,8 +12,6 @@ This system handles email for @cacert.org addresses. It also provides users of
@cacert.org with IMAPs and POP3s access to their accounts. The system provides
the API part of the CAcert community self service system.
-The database on this container is used by :doc:`webmail` too.
-
Administration
==============
@@ -118,9 +116,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Buster
- single: Debian GNU/Linux; 10.3
+ single: Debian GNU/Linux; 10.4
-* Debian GNU/Linux 10.3
+* Debian GNU/Linux 10.4
Services
========
@@ -135,12 +133,16 @@ Listening services
+----------+---------+-----------+-------------------------------------+
| 25/tcp | smtp | ANY | mail receiver for cacert.org |
+----------+---------+-----------+-------------------------------------+
+| 80/tcp | http | ANY | redirect to https |
++----------+---------+-----------+-------------------------------------+
| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail |
| | | | addresses |
+----------+---------+-----------+-------------------------------------+
| 143/tcp | imap | ANY | IMAP access for cacert.org mail |
| | | | addresses |
+----------+---------+-----------+-------------------------------------+
+| 443/tcp | https | ANY | Webserver for community.cacert.org |
++----------+---------+-----------+-------------------------------------+
| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
+----------+---------+-----------+-------------------------------------+
| 587/tcp | smtp | ANY | mail submission for cacert.org mail |
@@ -172,6 +174,7 @@ Running services
single: dovecot
single: icinga2
single: mariadb
+ single: nginx
single: openssh
single: postfix
single: puppet
@@ -192,6 +195,8 @@ Running services
+------------------------+--------------------------------------------+--------------------------------------------------+
| MariaDB | MariaDB database server for email services | systemd unit ``mariadb.service`` |
+------------------------+--------------------------------------------+--------------------------------------------------+
+| nginx | Web server for community.cacert.org | systemd unit ``nginx.service`` |
++------------------------+--------------------------------------------+--------------------------------------------------+
| openssh server | ssh daemon for remote administration | systemd unit ``ssh.service`` |
+------------------------+--------------------------------------------+--------------------------------------------------+
| Postfix | SMTP server for cacert.org | systemd unit ``postfix.service`` |
@@ -209,14 +214,11 @@ Databases
+=========+===============+==================================+
| MariaDB | cacertusers | database for dovecot and postfix |
+---------+---------------+----------------------------------+
-| MariaDB | roundcubemail | roundcube on :doc:`webmail` |
-+---------+---------------+----------------------------------+
Connected Systems
-----------------
* :doc:`monitor`
-* :doc:`webmail`
* :doc:`community`
* all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP
(STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve
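Review bot: deleting the `roundcubemail` row from the databases table says nothing about the database itself or the MariaDB account the retired webmail host used to reach it over 3306/tcp. If the database and its grants still exist they are an unused credential path that should be dropped, and the page should say where the new Roundcube instance on :doc:`community` keeps its database; if they were already removed, a line in the Changes section would record that.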
@@ -229,6 +231,8 @@ Outbound network connections
* :doc:`lists` for mailing lists
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`puppet` (tcp/8140) as Puppet master
+* :doc:`webstatic` as backend for the community.cacert.org web content
+
* arbitrary Internet SMTP servers for outgoing mail
Security
@@ -256,7 +260,28 @@ Non-distribution packages and modifications
The software is installed and configured via Puppet.
.. _cacert-selfservice-api Job: https://jenkins.cacert.org/job/cacert-selfservice-api/
- .. todo:: describe build and deployment of Debian package for self-service-api
+
+Building the cacert-selfservice-api Debian package
+--------------------------------------------------
+
+The cacert-selfservice-api git repository contains a debian branch that can be
+used to build the package.
+
+The Debian package can be built using :program:`gbp`. For a clean build
+environment using sbuild/schroot is recommended.
+
+.. code-block:: bash
+
+ sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \
+ --extra-repository="deb http://deb.debian.org/debian buster-backports main" \
+ buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian
+ gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \
+ -d buster-cacert
+
+Uploads can be done via sftp with the debarchive user on :doc:`webstatic`. You
+need an ssh public key in the user's :file:`~/.ssh/authorized_keys` file.
+Packages are only accepted if they are signed with a GPG key whose public key
+is stored in the keyring of the reprepro installation on :doc:`webstatic`.
Risk assessments on critical packages
-------------------------------------
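Review bot: same defect as the copy of this section in community.rst: the `--git-builder="sbuild --build-dep-resolver=aptitude \` argument is never closed, so the continuation line must read `-d buster-cacert"`. As the two sections are verbatim copies, one shared file included from both pages would keep them in sync.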
@@ -303,12 +328,21 @@ Server certificate for community email services (SMTPS, SMTP submission in
Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
.. sslcert:: community.cacert.org
- :certfile: /etc/ssl/certs/ssl-cert-community-cacert.pem
- :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :altnames: DNS:cert.community.cacert.org, DNS:cert.email.cacert.org, DNS:community.cacert.org, DNS:email.cacert.org, DNS:nocert.community.cacert.org, DNS:nocert.email.cacert.org
+ :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt
+ :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
+ :serial: 147CB0
+ :expiration: Feb 18 11:39:53 2022 GMT
+ :sha1fp: B2:90:DE:4D:8D:D9:3A:FE:22:3A:67:95:E2:CD:F7:30:55:4B:38:AC
+ :issuer: CA Cert Signing Authority
+
+.. sslcert:: community.cacert.org
+ :certfile: /etc/ssl/public/community.cacert.org.crt.pem
+ :keyfile: /etc/ssl/private/community.cacert.org.key.pem
:serial: 147CB0
:secondary:
-Server certificate for the CAcert community self service API
+The server certificate for the CAcert community self service API
.. sslcert:: email.infra.cacert.org
:altnames: DNS:email.infra.cacert.org
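Review bot: community.cacert.org is now documented twice with the same serial 147CB0 but different file paths (/etc/ssl/certs/ssl-cert-community-cacert.crt and /etc/ssl/public/community.cacert.org.crt.pem). If these are two copies of one certificate, say so and state which services read which path (the Postfix/Dovecot/pysieved set named in the introduction versus the new nginx vhost on 443/tcp), so that a renewal replaces both copies; the Puppet hieradata that rolls out the second copy should be named as well. The `.crt` change in the primary `:certfile:` (previously `.pem`) should be mentioned in the Changes section if the file on disk was actually renamed.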
@@ -420,34 +454,17 @@ Tasks
Adding email users
------------------
-1. create user in the database table ``cacertusers.user``:
-
- .. code-block:: bash
-
- mysql -p cacertusers
-
- .. code-block:: sql
-
- INSERT INTO user (username, fullnamealias, realname, password)
- VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash')
-
-2. create the user's home directory and Maildir:
-
- :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`
+Email admins can create new email user accounts via
+https://selfservice.cacert.org/create-email-account. The contact email address
+entered in the web form will receive an email that contains a link to allow
+setting an initial password. Setting the initial password only works if the
+user authenticates with a valid client certificate for the contact email
+address.
.. note::
- * a valid password hash for the password ``secret`` is
- ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.``
* users can reset their password via
- https://community.cacert.org/password.php on :doc:`webmail`
- * use the :download:`mail template
- <../downloads/template_new_community_mailaddress.rfc822>` to send out to a
- user's non-cacert.org mail account and make sure to encrypt the mail to a
- known public key of that user
-
-.. todo::
- implement tooling to automate password salt generation and user creation
+ https://selfservice.cacert.org/password-reset
Setting up mail aliases
-----------------------
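Review bot: the removed manual procedure included creating the home directory and Maildir (`install -o user -g user -m 0755 -d /home/user/Maildir`); the new text only describes the web form and the password-setting email. Please state whether the self service API now creates the mailbox directory or whether that step is still done by hand on :doc:`email`. Removing the example password hash from the note is the right call, since a documented hash is a credential in the wrong place; the remaining `.. note::` now holds a single-item bullet list, which reads better as a plain sentence.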
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
index 92eede4..495b87e 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -98,9 +98,9 @@ Operating System
.. index::
single: Debian GNU/Linux; Buster
- single: Debian GNU/Linux; 10.0
+ single: Debian GNU/Linux; 10.4
-* Debian GNU/Linux 10.0
+* Debian GNU/Linux 10.4
Applicable Documentation
------------------------
@@ -140,31 +140,26 @@ Running services
single: puppet agent
single: rsyslog
-+----------------+--------------------------+-----------------------------------+
-| Service | Usage | Start mechanism |
-+================+==========================+===================================+
-| cron | job scheduler | systemd unit ``cron.service`` |
-+----------------+--------------------------+-----------------------------------+
-| dbus-daemon | System message bus | systemd unit ``dbus.service`` |
-| | daemon | |
-+----------------+--------------------------+-----------------------------------+
-| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
-+----------------+--------------------------+-----------------------------------+
-| OpenDKIM | DKIM signing daemon | systemd unit ``opendkim.service`` |
-+----------------+--------------------------+-----------------------------------+
-| openssh server | ssh daemon for remote | systemd unit ``ssh.service`` |
-| | administration | |
-+----------------+--------------------------+-----------------------------------+
-| Postfix | SMTP server for | systemd unit ``postfix.service`` |
-| | local mail submission, | |
-| | and mail relay for | |
-| | infrastructure systems | |
-+----------------+--------------------------+-----------------------------------+
-| Puppet agent | configuration | systemd unit ``puppet.service`` |
-| | management agent | |
-+----------------+--------------------------+-----------------------------------+
-| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
-+----------------+--------------------------+-----------------------------------+
++----------------+-------------------------------------------+-----------------------------------+
+| Service | Usage | Start mechanism |
++================+===========================================+===================================+
+| cron | job scheduler | systemd unit ``cron.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| dbus-daemon | System message bus daemon | systemd unit ``dbus.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| OpenDKIM | DKIM signing daemon | systemd unit ``opendkim.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| openssh server | ssh daemon for remote administration | systemd unit ``ssh.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| Postfix | SMTP server for local mail submission, | systemd unit ``postfix.service`` |
+| | and mail relay for infrastructure systems | |
++----------------+-------------------------------------------+-----------------------------------+
+| Puppet agent | configuration management agent | systemd unit ``puppet.service`` |
++----------------+-------------------------------------------+-----------------------------------+
+| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` |
++----------------+-------------------------------------------+-----------------------------------+
Connected Systems
-----------------
@@ -176,7 +171,6 @@ Outbound network connections
----------------------------
* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`puppet` (tcp/8140) as Puppet master
* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
@@ -344,8 +338,6 @@ Changes
Planned
-------
-.. todo:: upgrade to Debian 10 (when Puppet is available)
-
System Future
-------------
diff --git a/docs/systems/motion.rst b/docs/systems/motion.rst
index c6a0cc4..6be9617 100644
--- a/docs/systems/motion.rst
+++ b/docs/systems/motion.rst
@@ -9,7 +9,7 @@ Purpose
=======
This system provides the CAcert board motion system. The system replaced the
-board voting system that had been provided on :doc:`webmail` at
+board voting system that had been provided on the old `webmail` system at
https://community.cacert.org/board/.
Application Links
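Review bot: single backticks around `webmail` make it interpreted text in reStructuredText (rendered as a title reference, in italics), not a literal. Since the page it used to link to is deleted, plain text ("the old webmail system") or a literal ``webmail`` is what is meant here.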
diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst
deleted file mode 100644
index a984273..0000000
--- a/docs/systems/webmail.rst
+++ /dev/null
@@ -1,356 +0,0 @@
-.. index::
- single: Systems; Webmail
-
-===================
-Webmail (Community)
-===================
-
-Purpose
-=======
-
-This container hosts the webmail system available at
-https://community.cacert.org/ that provides web based mail access to users with
-a @cacert.org email address.
-
-The system also hosts the `board voting system`_, `staff list`_ and `email
-password reset`_.
-
-.. todo:: move `board voting system`_ to a separate container
-
-.. todo::
- move `staff list`_ to a separate container or integrate it into some
- new self service system
-
-.. _board voting system: https://community.cacert.org/board
-.. _staff list: https://community.cacert.org/staff.php
-.. _email password reset: https://community.cacert.org/password.php
-
-Application Links
------------------
-
-Webmail URL
- https://community.cacert.org/ (redirects to
- https://community.cacert.org/roundcubemail/)
-
-Board Voting System URL
- https://community.cacert.org/board/
-
-Password reset
- https://community.cacert.org/password.php
-
-Staff list
- https://community.cacert.org/staff.php
-
-
-Administration
-==============
-
-System Administration
----------------------
-
-* Primary: None
-* Secondary: None
-
-.. todo:: find admins for webmail
-
-Application Administration
---------------------------
-
-+---------------------+-----------------------+
-| Application | Administrators |
-+=====================+=======================+
-| Webmail | :ref:`people_ulrich`, |
-| | :ref:`people_jselzer` |
-+---------------------+-----------------------+
-| Board voting system | :ref:`people_jandd` |
-+---------------------+-----------------------+
-| Staff list | None |
-+---------------------+-----------------------+
-| Password reset | None |
-+---------------------+-----------------------+
-
-Contact
--------
-
-* webmail-admin@cacert.org
-
-Additional People
------------------
-
-:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have
-:program:`sudo` access on that machine.
-
-Basics
-======
-
-Physical Location
------------------
-
-This system is located in an :term:`LXC` container on physical machine
-:doc:`infra02`.
-
-Logical Location
-----------------
-
-:IP Internet: :ip:v4:`213.154.225.228`
-:IP Intranet: :ip:v4:`172.16.2.20`
-:IP Internal: :ip:v4:`10.0.0.120`
-:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0)
-
-.. seealso::
-
- See :doc:`../network`
-
-DNS
----
-
-.. index::
- single: DNS records; Webmail
- single: DNS records; Community
-
-===================== ======== ================
-Name Type Content
-===================== ======== ================
-community.cacert.org. IN CNAME email.cacert.org
-===================== ======== ================
-
-.. seealso::
-
- See :wiki:`SystemAdministration/Procedures/DNSChanges`
-
-Operating System
-----------------
-
-.. index::
- single: Debian GNU/Linux; Etch
- single: Debian GNU/Linux; 4.0
-
-* Debian GNU/Linux 4.0
-
-Applicable Documentation
-------------------------
-
-This is it :-)
-
-.. seealso::
-
- * :wiki:`CommunityEmail`
- * :wiki:`EmailAccountPolicy`
-
-Services
-========
-
-Listening services
-------------------
-
-+----------+---------+---------+---------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+=========+===========================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+---------+---------------------------+
-| 443/tcp | https | ANY | Web server |
-+----------+---------+---------+---------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+---------+---------------------------+
-
-.. note::
-
- The ssh port is reachable via NAT on email.cacert.org:12022
-
-Running services
-----------------
-
-.. index::
- single: openssh
- single: Apache
- single: cron
- single: Postfix
- single: nrpe
-
-+--------------------+--------------------+----------------------------------------+
-| Service | Usage | Start mechanism |
-+====================+====================+========================================+
-| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
-| | remote | |
-| | administration | |
-+--------------------+--------------------+----------------------------------------+
-| Apache httpd | Webserver for | init script |
-| | Applications | :file:`/etc/init.d/apache2` |
-+--------------------+--------------------+----------------------------------------+
-| cron | job scheduler | init script :file:`/etc/init.d/cron` |
-+--------------------+--------------------+----------------------------------------+
-| Postfix | SMTP server for | init script |
-| | local mail | :file:`/etc/init.d/postfix` |
-| | submission | |
-+--------------------+--------------------+----------------------------------------+
-| Nagios NRPE server | remote monitoring | init script |
-| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
-| | :doc:`monitor` | |
-+--------------------+--------------------+----------------------------------------+
-
-Connected Systems
------------------
-
-* :doc:`monitor`
-
-Outbound network connections
-----------------------------
-
-* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
-* :doc:`emailout` as SMTP relay
-* archive.debian.org as Debian mirror
-* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list
-* :doc:`email` IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS
- (465/tcp) and SMTP Submission (587/tcp) for the webmail system
-
-Security
-========
-
-.. sshkeys::
- :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
- :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd
-
-.. warning::
-
- The system is too old to support ECDSA or ED25519 keys.
-
-Non-distribution packages and modifications
--------------------------------------------
-
-:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation,
-probably with patches.
-
-.. todo::
-
- Research wether Roundcube has been patched or not
-
-:file:`/var/www/staff.php` is a custom built PHP script to show a list of
-people with cacert.org email addresses.
-
-:file:`/var/www/password.php` is a custom build PHP script to allow users to
-reset their email password.
-
-:file:`/var/www/board` contains the board voting system.
-
-.. _Roundcube: https://roundcube.net/
-
-Risk assessments on critical packages
--------------------------------------
-
-The whole system is outdated, the PHP version is ancient, Roundcube is old.
-Needs to be replaced as soon as possible.
-
-Critical Configuration items
-============================
-
-Keys and X.509 certificates
----------------------------
-
-.. sslcert:: community.cacert.org
- :altnames: DNS:cert.community.cacert.org, DNS:cert.email.cacert.org, DNS:community.cacert.org, DNS:email.cacert.org, DNS:nocert.community.cacert.org, DNS:nocert.email.cacert.org
- :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt
- :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
- :serial: 147CB0
- :expiration: Feb 18 11:39:53 2022 GMT
- :sha1fp: B2:90:DE:4D:8D:D9:3A:FE:22:3A:67:95:E2:CD:F7:30:55:4B:38:AC
- :issuer: CA Cert Signing Authority
-
-* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the
- CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
- client authentication and certificate chain for server certificate) with
- symbolic links with the :command:`openssl` hashed certificate names
-
-.. seealso::
-
- * :wiki:`SystemAdministration/CertificateList`
-
-.. index::
- pair: Apache httpd; configuration
-
-Apache httpd configuration
---------------------------
-
-The Apache httpd configuration is stored in
-:file:`/etc/apache2/sites-available/webmail`.
-
-:file:`/etc/hosts`
-------------------
-
-Defines some aliases for :doc:`email` that are used by Roundcube, the password
-reset script and the staff list script.
-
-.. index::
- pair: Roundcube; configuration
-
-Roundcube configuration
------------------------
-
-The Roundcube configuration is stored in files in the
-:file:`/var/www/roundcubemail/config/` directory.
-
-
-Staff list script
------------------
-
-The staff list contains its configuration in :file:`/var/www/staff.php` itself.
-
-.. todo::
-
- Put the staff list script in a git repository
-
-Password reset script
----------------------
-
-The password reset script contains it configuration in
-:file:`/var/www/password.php` itself.
-
-.. todo::
-
- Put the password reset script in a git repository
-
-Board voting system configuration
----------------------------------
-
-The board voting system uses a SQLite database in
-:file:`/var/www/board/database.sqlite`.
-
-.. warning::
-
- The board voting system software seems to be checked out from a Subversion
- repository at https://svn.cacert.cl/Software/Voting/vote that does not exist
- anymore
-
-.. todo::
-
- Put the current version of the board voting system in a git repository
-
-Tasks
-=====
-
-Changes
-=======
-
-Planned
--------
-
-.. todo:: implement CRL checking
-
-System Future
--------------
-
-.. todo::
- The system has to be replaced with a new system using a current operating
- system version
-
-Additional documentation
-========================
-
-.. seealso::
-
- * :wiki:`PostfixConfiguration`
-
-References
-----------
-
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Community`
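Review bot: deleting this page drops information that no replacement page in this commit takes over: the DNS row `community.cacert.org. IN CNAME email.cacert.org` (still relevant, now for the nginx vhost on :doc:`email`), the staff list at staff.php, the old password.php reset script, and the "implement CRL checking" todo. Please state in email.rst or community.rst where the DNS record is documented, whether staff.php and password.php were retired together with the container (email.rst now points users to the selfservice password reset), and carry the CRL-checking todo over if client-certificate authentication on the self service system still has no revocation check. Since the deleted page also recorded that the Debian 4.0 container was reachable via NAT on email.cacert.org:12022 and at 213.154.225.228, a line in the Changes section confirming that the container is stopped and those forwardings removed would close the decommissioning trail.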