author | Jan Dittberner <jandd@cacert.org> | 2020-06-06 23:23:47 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2020-06-07 00:15:56 +0200 |
commit | 37480b609f9439b55b66372b2a558ab9681490f5 (patch) | |
tree | d7cbddcbabac295c7a40cec70af66f6110cf23a3 | |
parent | 717777ec9aa733a4e8b31aaf59a10ad394534e08 (diff) | |
download | cacert-infradocs-37480b609f9439b55b66372b2a558ab9681490f5.tar.gz cacert-infradocs-37480b609f9439b55b66372b2a558ab9681490f5.tar.xz cacert-infradocs-37480b609f9439b55b66372b2a558ab9681490f5.zip |
Update documentation for email systems
- document move of webmail service to community
- remove retired webmail system documentation and references to it
- update email account creation documentation
- update OS version information on community, email and emailout
- remove todo items that have been resolved
- document nginx for community.cacert.org running on email
- document how to build the Debian packages for cacert-selfservice and
cacert-selfservice API
- move the primary location of the community.cacert.org certificate to
the email system documentation
-rw-r--r-- | docs/systems.rst | 1 | ||||
-rw-r--r-- | docs/systems/community.rst | 76 | ||||
-rw-r--r-- | docs/systems/email.rst | 87 | ||||
-rw-r--r-- | docs/systems/emailout.rst | 52 | ||||
-rw-r--r-- | docs/systems/motion.rst | 2 | ||||
-rw-r--r-- | docs/systems/webmail.rst | 356 |
6 files changed, 136 insertions, 438 deletions
diff --git a/docs/systems.rst b/docs/systems.rst index 06001b5..41a3f16 100644 --- a/docs/systems.rst +++ b/docs/systems.rst @@ -34,7 +34,6 @@ administrator team. systems/testmgr systems/translations systems/web - systems/webmail systems/webstatic systems/wiki diff --git a/docs/systems/community.rst b/docs/systems/community.rst index ca49866..9f38456 100644 --- a/docs/systems/community.rst +++ b/docs/systems/community.rst @@ -8,14 +8,17 @@ Community Purpose ======= -This system provides the community self service system and will replace the -:doc:`webmail` system in the future. +This system provides the community self service system and the webmail +interface for the community email service. Application Links ----------------- - Community self service - https://selfservice.cacert.org/ +Community self service + https://selfservice.cacert.org/ + +Webmail + https://webmail.cacert.org/ Administration @@ -99,9 +102,9 @@ Operating System .. index:: single: Debian GNU/Linux; Buster - single: Debian GNU/Linux; 10.3 + single: Debian GNU/Linux; 10.4 -* Debian GNU/Linux 10.3 +* Debian GNU/Linux 10.4 Services ======== @@ -183,7 +186,9 @@ Outbound network connections ---------------------------- * DNS (53) resolver at 10.0.0.1 (:doc:`infra02`) -* :doc:`email` for self service API access +* :doc:`email` for self service API access as well as IMAP (110/tcp), IMAPS + (993/tcp), Manage Sieve (2001/tcp), SMTPS (465/tcp) and SMTP Submission + (587/tcp) for the webmail system * :doc:`emailout` as SMTP relay * :doc:`puppet` (tcp/8140) as Puppet master * :doc:`proxyout` as HTTP proxy for APT and Puppet 
@@ -212,13 +217,33 @@ Non-distribution packages and modifications The software is installed from a Debian package that is hosted on :doc:`webstatic`. The software is built on :doc:`jenkins` via the `cacert-selfservice Job`_ - when there are changes in Git. The Debian package can be built using - :program:`gbp`. + when there are changes in Git. The software is installed and configured via Puppet. .. _cacert-selfservice Job: https://jenkins.cacert.org/job/cacert-selfservice/ - .. todo:: describe build and deployment of Debian package for self-service + +Building the cacert-selfservice Debian package +---------------------------------------------- + +The cacert-selfservice git repository contains a debian branch that can be used +to build the package. + +The Debian package can be built using :program:`gbp`. For a clean build +environment using sbuild/schroot is recommended. + +.. code-block:: bash + + sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \ + --extra-repository="deb http://deb.debian.org/debian buster-backports main" \ + buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian + gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \ + -d buster-cacert + +Uploads can be done via sftp with the debarchive user on :doc:`webstatic`. You +need an ssh public key in the user's :file:`~/.ssh/authorized_keys` file. +Packages are only accepted if they are signed with a GPG key whose public key +is stored in the keyring of the reprepro installation on :doc:`webstatic`. Risk assessments on critical packages ------------------------------------- 
@@ -244,6 +269,15 @@ configuration items outside of the :cacertgit:`cacert-puppet`. Keys and X.509 certificates --------------------------- +.. sslcert:: webmail.cacert.org + :altnames: DNS:community.cacert.org, DNS:webmail.cacert.org + :certfile: /etc/ssl/public/webmail.cacert.org.crt.pem + :keyfile: /etc/ssl/private/webmail.cacert.org.key.pem + :serial: 02E37C + :expiration: Jun 06 11:10:41 2022 GMT + :sha1fp: 70:EF:DA:32:E7:F9:86:F4:0C:85:54:71:A7:90:E8:68:0A:9F:8D:FD + :issuer: CAcert Class 3 Root + .. sslcert:: selfservice.cacert.org :altnames: DNS:selfservice.cacert.org :certfile: /etc/cacert-selfservice/certs/server.crt.pem @@ -258,6 +292,8 @@ Keys and X.509 certificates * :file:`/etc/cacert-selfservice/certs/client_cas.pem` contains the CAcert.org Class 1 and Class 3 CA certificates that are used to validate client certificates for the CAcert community self service system +* :file:`/etc/ssl/public/webmail.cacert.org.chain.pem` contains the certificate + for ``webmail.cacert.org`` concatenated with the CA chain. The certificates are rolled out by Puppet. All changes to the certificates need to be made to the file :file:`hieradata/nodes/community.yaml` in the @@ -267,6 +303,21 @@ to be made to the file :file:`hieradata/nodes/community.yaml` in the * :wiki:`SystemAdministration/CertificateList` +:file:`/etc/hosts` +------------------ + +Defines an alias for :doc:`email` that is required by the Roundcube +installation to reach the email system via its internal IP address with the +correct hostname. + +.. index:: + pair: Roundcube; configuration + +Roundcube configuration +----------------------- + +Roundcube configuration is managed by Puppet. + .. index:: pair: cacert-selfservice; configuration 
@@ -287,14 +338,9 @@ Changes Planned ------- -.. todo:: finish the roundcube setup on :doc:`community` to allow - decommisioning of :doc:`webmail`. - System Future ------------- -* Become the replacement for :doc:`webmail` - Additional documentation ======================== diff --git a/docs/systems/email.rst b/docs/systems/email.rst index 47249b6..df527b0 100644 --- a/docs/systems/email.rst +++ b/docs/systems/email.rst @@ -12,8 +12,6 @@ This system handles email for @cacert.org addresses. It also provides users of @cacert.org with IMAPs and POP3s access to their accounts. The system provides the API part of the CAcert community self service system. -The database on this container is used by :doc:`webmail` too. - Administration ============== @@ -118,9 +116,9 @@ Operating System .. index:: single: Debian GNU/Linux; Buster - single: Debian GNU/Linux; 10.3 + single: Debian GNU/Linux; 10.4 -* Debian GNU/Linux 10.3 +* Debian GNU/Linux 10.4 Services ======== @@ -135,12 +133,16 @@ Listening services +----------+---------+-----------+-------------------------------------+ | 25/tcp | smtp | ANY | mail receiver for cacert.org | +----------+---------+-----------+-------------------------------------+ +| 80/tcp | http | ANY | redirect to https | ++----------+---------+-----------+-------------------------------------+ | 110/tcp | pop3 | ANY | POP3 access for cacert.org mail | | | | | addresses | +----------+---------+-----------+-------------------------------------+ | 143/tcp | imap | ANY | IMAP access for cacert.org mail | | | | | addresses | +----------+---------+-----------+-------------------------------------+ +| 443/tcp | https | ANY | Webserver for community.cacert.org | ++----------+---------+-----------+-------------------------------------+ | 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses | +----------+---------+-----------+-------------------------------------+ | 587/tcp | smtp | ANY | mail submission for cacert.org mail | 
@@ -172,6 +174,7 @@ Running services single: dovecot single: icinga2 single: mariadb + single: nginx single: openssh single: postfix single: puppet @@ -192,6 +195,8 @@ Running services +------------------------+--------------------------------------------+--------------------------------------------------+ | MariaDB | MariaDB database server for email services | systemd unit ``mariadb.service`` | +------------------------+--------------------------------------------+--------------------------------------------------+ +| nginx | Web server for community.cacert.org | systemd unit ``nginx.service`` | ++------------------------+--------------------------------------------+--------------------------------------------------+ | openssh server | ssh daemon for remote administration | systemd unit ``ssh.service`` | +------------------------+--------------------------------------------+--------------------------------------------------+ | Postfix | SMTP server for cacert.org | systemd unit ``postfix.service`` | @@ -209,14 +214,11 @@ Databases +=========+===============+==================================+ | MariaDB | cacertusers | database for dovecot and postfix | +---------+---------------+----------------------------------+ -| MariaDB | roundcubemail | roundcube on :doc:`webmail` | -+---------+---------------+----------------------------------+ Connected Systems ----------------- * :doc:`monitor` -* :doc:`webmail` * :doc:`community` * all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve @@ -229,6 +231,8 @@ Outbound network connections * :doc:`lists` for mailing lists * :doc:`proxyout` as HTTP proxy for APT * :doc:`puppet` (tcp/8140) as Puppet master +* :doc:`webstatic` as backend for the community.cacert.org web content + * arbitrary Internet SMTP servers for outgoing mail Security 
@@ -256,7 +260,28 @@ Non-distribution packages and modifications The software is installed and configured via Puppet. .. _cacert-selfservice-api Job: https://jenkins.cacert.org/job/cacert-selfservice-api/ - .. todo:: describe build and deployment of Debian package for self-service-api + +Building the cacert-selfservice-api Debian package +-------------------------------------------------- + +The cacert-selfservice-api git repository contains a debian branch that can be +used to build the package. + +The Debian package can be built using :program:`gbp`. For a clean build +environment using sbuild/schroot is recommended. + +.. code-block:: bash + + sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \ + --extra-repository="deb http://deb.debian.org/debian buster-backports main" \ + buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian + gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \ + -d buster-cacert + +Uploads can be done via sftp with the debarchive user on :doc:`webstatic`. You +need an ssh public key in the user's :file:`~/.ssh/authorized_keys` file. +Packages are only accepted if they are signed with a GPG key whose public key +is stored in the keyring of the reprepro installation on :doc:`webstatic`. Risk assessments on critical packages ------------------------------------- 
@@ -303,12 +328,21 @@ Server certificate for community email services (SMTPS, SMTP submission in Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved) .. sslcert:: community.cacert.org - :certfile: /etc/ssl/certs/ssl-cert-community-cacert.pem - :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key + :altnames: DNS:cert.community.cacert.org, DNS:cert.email.cacert.org, DNS:community.cacert.org, DNS:email.cacert.org, DNS:nocert.community.cacert.org, DNS:nocert.email.cacert.org + :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt + :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key + :serial: 147CB0 + :expiration: Feb 18 11:39:53 2022 GMT + :sha1fp: B2:90:DE:4D:8D:D9:3A:FE:22:3A:67:95:E2:CD:F7:30:55:4B:38:AC + :issuer: CA Cert Signing Authority + +.. sslcert:: community.cacert.org + :certfile: /etc/ssl/public/community.cacert.org.crt.pem + :keyfile: /etc/ssl/private/community.cacert.org.key.pem :serial: 147CB0 :secondary: -Server certificate for the CAcert community self service API +The server certificate for the CAcert community self service API .. sslcert:: email.infra.cacert.org :altnames: DNS:email.infra.cacert.org 
@@ -420,34 +454,17 @@ Tasks Adding email users ------------------ -1. create user in the database table ``cacertusers.user``: - - .. code-block:: bash - - mysql -p cacertusers - - .. code-block:: sql - - INSERT INTO user (username, fullnamealias, realname, password) - VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash') - -2. create the user's home directory and Maildir: - - :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir` +Email admins can create new email user accounts via +https://selfservice.cacert.org/create-email-account. The contact email address +entered in the web form will receive an email that contains a link to allow +setting an initial password. Setting the initial password only works if the +user authenticates with a valid client certificate for the contact email +address. .. note:: - * a valid password hash for the password ``secret`` is - ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.`` * users can reset their password via - https://community.cacert.org/password.php on :doc:`webmail` - * use the :download:`mail template - <../downloads/template_new_community_mailaddress.rfc822>` to send out to a - user's non-cacert.org mail account and make sure to encrypt the mail to a - known public key of that user - -.. todo:: - implement tooling to automate password salt generation and user creation + https://selfservice.cacert.org/password-reset Setting up mail aliases ----------------------- diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst index 92eede4..495b87e 100644 --- a/docs/systems/emailout.rst +++ b/docs/systems/emailout.rst @@ -98,9 +98,9 @@ Operating System .. index:: single: Debian GNU/Linux; Buster - single: Debian GNU/Linux; 10.0 + single: Debian GNU/Linux; 10.4 -* Debian GNU/Linux 10.0 +* Debian GNU/Linux 10.4 Applicable Documentation ------------------------ 
@@ -140,31 +140,26 @@ Running services single: puppet agent single: rsyslog -+----------------+--------------------------+-----------------------------------+ -| Service | Usage | Start mechanism | -+================+==========================+===================================+ -| cron | job scheduler | systemd unit ``cron.service`` | -+----------------+--------------------------+-----------------------------------+ -| dbus-daemon | System message bus | systemd unit ``dbus.service`` | -| | daemon | | -+----------------+--------------------------+-----------------------------------+ -| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` | -+----------------+--------------------------+-----------------------------------+ -| OpenDKIM | DKIM signing daemon | systemd unit ``opendkim.service`` | -+----------------+--------------------------+-----------------------------------+ -| openssh server | ssh daemon for remote | systemd unit ``ssh.service`` | -| | administration | | -+----------------+--------------------------+-----------------------------------+ -| Postfix | SMTP server for | systemd unit ``postfix.service`` | -| | local mail submission, | | -| | and mail relay for | | -| | infrastructure systems | | -+----------------+--------------------------+-----------------------------------+ -| Puppet agent | configuration | systemd unit ``puppet.service`` | -| | management agent | | -+----------------+--------------------------+-----------------------------------+ -| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` | -+----------------+--------------------------+-----------------------------------+ ++----------------+-------------------------------------------+-----------------------------------+ +| Service | Usage | Start mechanism | ++================+===========================================+===================================+ +| cron | job scheduler | systemd unit ``cron.service`` | 
++----------------+-------------------------------------------+-----------------------------------+ +| dbus-daemon | System message bus daemon | systemd unit ``dbus.service`` | ++----------------+-------------------------------------------+-----------------------------------+ +| icinga2 | Icinga2 monitoring agent | systemd unit ``icinga2.service`` | ++----------------+-------------------------------------------+-----------------------------------+ +| OpenDKIM | DKIM signing daemon | systemd unit ``opendkim.service`` | ++----------------+-------------------------------------------+-----------------------------------+ +| openssh server | ssh daemon for remote administration | systemd unit ``ssh.service`` | ++----------------+-------------------------------------------+-----------------------------------+ +| Postfix | SMTP server for local mail submission, | systemd unit ``postfix.service`` | +| | and mail relay for infrastructure systems | | ++----------------+-------------------------------------------+-----------------------------------+ +| Puppet agent | configuration management agent | systemd unit ``puppet.service`` | ++----------------+-------------------------------------------+-----------------------------------+ +| rsyslog | syslog daemon | systemd unit ``rsyslog.service`` | ++----------------+-------------------------------------------+-----------------------------------+ Connected Systems ----------------- @@ -176,7 +171,6 @@ Outbound network connections ---------------------------- * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 -* :doc:`emailout` as SMTP relay * :doc:`proxyout` as HTTP proxy for APT * :doc:`puppet` (tcp/8140) as Puppet master * SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists` @@ -344,8 +338,6 @@ Changes Planned ------- -.. todo:: upgrade to Debian 10 (when Puppet is available) - System Future ------------- diff --git a/docs/systems/motion.rst b/docs/systems/motion.rst index c6a0cc4..6be9617 100644 
--- a/docs/systems/motion.rst +++ b/docs/systems/motion.rst @@ -9,7 +9,7 @@ Purpose ======= This system provides the CAcert board motion system. The system replaced the -board voting system that had been provided on :doc:`webmail` at +board voting system that had been provided on the old `webmail` system at https://community.cacert.org/board/. Application Links diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst deleted file mode 100644 index a984273..0000000 --- a/docs/systems/webmail.rst +++ /dev/null 
@@ -1,356 +0,0 @@ -.. index:: - single: Systems; Webmail - -=================== -Webmail (Community) -=================== - -Purpose -======= - -This container hosts the webmail system available at -https://community.cacert.org/ that provides web based mail access to users with -a @cacert.org email address. - -The system also hosts the `board voting system`_, `staff list`_ and `email -password reset`_. - -.. todo:: move `board voting system`_ to a separate container - -.. todo:: - move `staff list`_ to a separate container or integrate it into some - new self service system - -.. _board voting system: https://community.cacert.org/board -.. _staff list: https://community.cacert.org/staff.php -.. _email password reset: https://community.cacert.org/password.php - -Application Links ------------------ - -Webmail URL - https://community.cacert.org/ (redirects to - https://community.cacert.org/roundcubemail/) - -Board Voting System URL - https://community.cacert.org/board/ - -Password reset - https://community.cacert.org/password.php - -Staff list - https://community.cacert.org/staff.php - - -Administration -============== - -System Administration ---------------------- - -* Primary: None -* Secondary: None - -.. 
todo:: find admins for webmail - -Application Administration --------------------------- - -+---------------------+-----------------------+ -| Application | Administrators | -+=====================+=======================+ -| Webmail | :ref:`people_ulrich`, | -| | :ref:`people_jselzer` | -+---------------------+-----------------------+ -| Board voting system | :ref:`people_jandd` | -+---------------------+-----------------------+ -| Staff list | None | -+---------------------+-----------------------+ -| Password reset | None | -+---------------------+-----------------------+ - -Contact -------- - -* webmail-admin@cacert.org - -Additional People ------------------ - -:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have -:program:`sudo` access on that machine. - -Basics -====== - -Physical Location ------------------ - -This system is located in an :term:`LXC` container on physical machine -:doc:`infra02`. - -Logical Location ----------------- - -:IP Internet: :ip:v4:`213.154.225.228` -:IP Intranet: :ip:v4:`172.16.2.20` -:IP Internal: :ip:v4:`10.0.0.120` -:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0) - -.. seealso:: - - See :doc:`../network` - -DNS ---- - -.. index:: - single: DNS records; Webmail - single: DNS records; Community - -===================== ======== ================ -Name Type Content -===================== ======== ================ -community.cacert.org. IN CNAME email.cacert.org -===================== ======== ================ - -.. seealso:: - - See :wiki:`SystemAdministration/Procedures/DNSChanges` - -Operating System ----------------- - -.. index:: - single: Debian GNU/Linux; Etch - single: Debian GNU/Linux; 4.0 - -* Debian GNU/Linux 4.0 - -Applicable Documentation ------------------------- - -This is it :-) - -.. 
seealso:: - - * :wiki:`CommunityEmail` - * :wiki:`EmailAccountPolicy` - -Services -======== - -Listening services ------------------- - -+----------+---------+---------+---------------------------+ -| Port | Service | Origin | Purpose | -+==========+=========+=========+===========================+ -| 22/tcp | ssh | ANY | admin console access | -+----------+---------+---------+---------------------------+ -| 443/tcp | https | ANY | Web server | -+----------+---------+---------+---------------------------+ -| 5666/tcp | nrpe | monitor | remote monitoring service | -+----------+---------+---------+---------------------------+ - -.. note:: - - The ssh port is reachable via NAT on email.cacert.org:12022 - -Running services ----------------- - -.. index:: - single: openssh - single: Apache - single: cron - single: Postfix - single: nrpe - -+--------------------+--------------------+----------------------------------------+ -| Service | Usage | Start mechanism | -+====================+====================+========================================+ -| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | -| | remote | | -| | administration | | -+--------------------+--------------------+----------------------------------------+ -| Apache httpd | Webserver for | init script | -| | Applications | :file:`/etc/init.d/apache2` | -+--------------------+--------------------+----------------------------------------+ -| cron | job scheduler | init script :file:`/etc/init.d/cron` | -+--------------------+--------------------+----------------------------------------+ -| Postfix | SMTP server for | init script | -| | local mail | :file:`/etc/init.d/postfix` | -| | submission | | -+--------------------+--------------------+----------------------------------------+ -| Nagios NRPE server | remote monitoring | init script | -| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | -| | :doc:`monitor` | | 
-+--------------------+--------------------+----------------------------------------+ - -Connected Systems ------------------ - -* :doc:`monitor` - -Outbound network connections ----------------------------- - -* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 -* :doc:`emailout` as SMTP relay -* archive.debian.org as Debian mirror -* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list -* :doc:`email` IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS - (465/tcp) and SMTP Submission (587/tcp) for the webmail system - -Security -======== - -.. sshkeys:: - :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48 - :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd - -.. warning:: - - The system is too old to support ECDSA or ED25519 keys. - -Non-distribution packages and modifications -------------------------------------------- - -:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation, -probably with patches. - -.. todo:: - - Research wether Roundcube has been patched or not - -:file:`/var/www/staff.php` is a custom built PHP script to show a list of -people with cacert.org email addresses. - -:file:`/var/www/password.php` is a custom build PHP script to allow users to -reset their email password. - -:file:`/var/www/board` contains the board voting system. - -.. _Roundcube: https://roundcube.net/ - -Risk assessments on critical packages -------------------------------------- - -The whole system is outdated, the PHP version is ancient, Roundcube is old. -Needs to be replaced as soon as possible. - -Critical Configuration items -============================ - -Keys and X.509 certificates ---------------------------- - -.. 
sslcert:: community.cacert.org - :altnames: DNS:cert.community.cacert.org, DNS:cert.email.cacert.org, DNS:community.cacert.org, DNS:email.cacert.org, DNS:nocert.community.cacert.org, DNS:nocert.email.cacert.org - :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt - :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key - :serial: 147CB0 - :expiration: Feb 18 11:39:53 2022 GMT - :sha1fp: B2:90:DE:4D:8D:D9:3A:FE:22:3A:67:95:E2:CD:F7:30:55:4B:38:AC - :issuer: CA Cert Signing Authority - -* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the - CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for - client authentication and certificate chain for server certificate) with - symbolic links with the :command:`openssl` hashed certificate names - -.. seealso:: - - * :wiki:`SystemAdministration/CertificateList` - -.. index:: - pair: Apache httpd; configuration - -Apache httpd configuration --------------------------- - -The Apache httpd configuration is stored in -:file:`/etc/apache2/sites-available/webmail`. - -:file:`/etc/hosts` ------------------- - -Defines some aliases for :doc:`email` that are used by Roundcube, the password -reset script and the staff list script. - -.. index:: - pair: Roundcube; configuration - -Roundcube configuration ------------------------ - -The Roundcube configuration is stored in files in the -:file:`/var/www/roundcubemail/config/` directory. - - -Staff list script ------------------ - -The staff list contains its configuration in :file:`/var/www/staff.php` itself. - -.. todo:: - - Put the staff list script in a git repository - -Password reset script ---------------------- - -The password reset script contains it configuration in -:file:`/var/www/password.php` itself. - -.. 
todo:: - - Put the password reset script in a git repository - -Board voting system configuration ---------------------------------- - -The board voting system uses a SQLite database in -:file:`/var/www/board/database.sqlite`. - -.. warning:: - - The board voting system software seems to be checked out from a Subversion - repository at https://svn.cacert.cl/Software/Voting/vote that does not exist - anymore - -.. todo:: - - Put the current version of the board voting system in a git repository - -Tasks -===== - -Changes -======= - -Planned -------- - -.. todo:: implement CRL checking - -System Future -------------- - -.. todo:: - The system has to be replaced with a new system using a current operating - system version - -Additional documentation -======================== - -.. seealso:: - - * :wiki:`PostfixConfiguration` - -References ----------- - -Wiki page for this system - :wiki:`SystemAdministration/Systems/Community` |
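Review bot: In docs/systems/community.rst, the added outbound-connections bullet lists "IMAP (110/tcp)", but the listening-services table of docs/systems/email.rst shown in this same patch has 110/tcp as pop3 and 143/tcp as imap. The wording was carried over unchanged from the deleted webmail.rst. Please correct the port (or the protocol name) to match what the webmail system on community actually connects to, so that firewall rules derived from this page match the service.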
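Review bot: In the new "Building the cacert-selfservice Debian package" section of docs/systems/community.rst, the second command in the code block opens a double quote at `--git-builder="sbuild --build-dep-resolver=aptitude \` and never closes it, so a reader who pastes the block is left at a continuation prompt. Close the quote after `-d buster-cacert`.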
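Review bot: The "Building the cacert-selfservice-api Debian package" section added to docs/systems/email.rst repeats the community.rst section word for word apart from the package name, including the unclosed quote in `--git-builder="sbuild ...`. Consider keeping the sbuild/gbp procedure and the sftp upload and GPG signing requirements on one page and linking to it from both system pages, so a later change to the chroot setup or to the reprepro keyring rule does not leave two diverging copies.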
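Review bot: In the "Outbound network connections" hunk of docs/systems/email.rst, the new bullet ":doc:`webstatic` as backend for the community.cacert.org web content" gives no protocol or port, while the neighbouring entries do (for example "(tcp/8140)" for Puppet). Please state the protocol and port nginx uses to reach webstatic, and whether that connection is TLS-protected, so the list can be used to review egress rules for the email container.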
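Review bot: In the "Keys and X.509 certificates" hunk of docs/systems/email.rst there are now two `.. sslcert:: community.cacert.org` entries with the same serial 147CB0 but different paths (`/etc/ssl/certs/ssl-cert-community-cacert.crt` with its key under `/etc/ssl/private/ssl-cert-community-cacert.key`, and `/etc/ssl/public/community.cacert.org.crt.pem` with `/etc/ssl/private/community.cacert.org.key.pem`), and nothing says which service reads which pair. Since this means the same private key is kept in two files on the host, please add a sentence naming the consumers (the mail services listed above the first entry, and presumably nginx for the second) so that both copies are replaced on renewal.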
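Review bot: In the "Adding email users" hunk of docs/systems/email.rst, the removed procedure had a second step that created the home directory and Maildir (`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`), and the replacement text does not say whether account creation via the self service form covers that step. Please state it explicitly. The hunk also drops the only visible reference to `../downloads/template_new_community_mailaddress.rfc822`, while the diffstat shows no change under downloads, so that template is probably left orphaned and could be removed in the same commit.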
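Review bot: In docs/systems/motion.rst, the replacement "the old `webmail` system" uses single backticks, which reStructuredText treats as interpreted text with the default role rather than as a literal or plain word. Write it as plain text (the old webmail system) or with double backticks if a literal is intended.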
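Review bot: The deletion of docs/systems/webmail.rst removes the documentation for the staff list (`/var/www/staff.php`, https://community.cacert.org/staff.php) without any other hunk naming a replacement, unlike the password reset (now https://selfservice.cacert.org/password-reset) and the board voting system (covered by motion.rst). Please note in the commit message or on the community page whether the staff list was retired or moved, and whether `/var/www/board/database.sqlite` from the old container was archived, since this page was the only record of both.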