author | Jan Dittberner <jandd@cacert.org> | 2016-05-08 01:53:10 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2016-05-08 01:53:10 +0200 |
commit | 90cacc99121ff4c77d1b117e0da3e7034d09dff3 (patch) | |
tree | bcb5ab3cf219f4b43e4f837658a0b9f6f367c74f | |
parent | bc7d3ddbd1da9c12c776330c0d93e2c8fe207e4e (diff) | |
Document the emailout container
This commit adds documentation for emailout. The documentation is taken
from
https://wiki.cacert.org/SystemAdministration/Systems/Emailout?action=recall&rev=3
and data gathered from the actual system and a reference Debian Wheezy
chroot on infra02.
docs/configdiff/emailout/canonical_maps | 2
docs/configdiff/emailout/postfix.diff | 61
docs/configdiff/emailout/transport | 3
docs/systems/emailout.rst | 333
4 files changed, 399 insertions, 0 deletions
diff --git a/docs/configdiff/emailout/canonical_maps b/docs/configdiff/emailout/canonical_maps new file mode 100644 index 0000000..4b8c021 --- /dev/null +++ b/docs/configdiff/emailout/canonical_maps @@ -0,0 +1,2 @@ +/@(.*).intra.cacert.org$/ $1-admin@cacert.org +/@(.*).infra.cacert.org$/ $1-admin@cacert.org diff --git a/docs/configdiff/emailout/postfix.diff b/docs/configdiff/emailout/postfix.diff new file mode 100644 index 0000000..1e1d759 --- /dev/null +++ b/docs/configdiff/emailout/postfix.diff 
@@ -0,0 +1,61 @@ +diff -urwN wheezy-chroot/etc/postfix/dynamicmaps.cf vm-emailout/rootfs/etc/postfix/dynamicmaps.cf +--- wheezy-chroot/etc/postfix/dynamicmaps.cf 2016-05-08 00:51:54.738716333 +0200 ++++ vm-emailout/rootfs/etc/postfix/dynamicmaps.cf 2015-02-02 13:58:10.151038663 +0100 +@@ -4,3 +4,4 @@ + #==== ================================ ============= ============ + tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open + sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open ++pcre /usr/lib/postfix/dict_pcre.so dict_pcre_open +diff -urwN wheezy-chroot/etc/postfix/main.cf vm-emailout/rootfs/etc/postfix/main.cf +--- wheezy-chroot/etc/postfix/main.cf 2016-05-08 00:51:55.514721219 +0200 ++++ vm-emailout/rootfs/etc/postfix/main.cf 2015-02-02 19:13:43.370652677 +0100 +@@ -5,6 +5,8 @@ + # line of that file to be used as the name. The Debian default + # is /etc/mailname. + #myorigin = /etc/mailname ++mydomain = emailout.intra.cacert.org ++smtp_helo_name = infrastructure.cacert.org + + smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) + biff = no +@@ -24,16 +26,37 @@ + smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + ++smtp_tls_security_level = may ++ ++# map internal host names to their corresponding admin addresses ++canonical_maps = pcre:/etc/postfix/canonical_maps ++ + # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for + # information on enabling SSL in the smtp client. 
+ +-myhostname = infra02.intra.cacert.org ++myhostname = emailout.intra.cacert.org + alias_maps = hash:/etc/aliases + alias_database = hash:/etc/aliases + myorigin = /etc/mailname +-mydestination = infra02.intra.cacert.org, localhost.intra.cacert.org, , localhost ++mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost + relayhost = +-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 ++mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 + mailbox_size_limit = 0 + recipient_delimiter = + + inet_interfaces = all ++inet_protocols = all ++ ++# DKIM milter ++# http://www.postfix.org/MILTER_README.html ++# TODO: enable DKIM once the DNS record is in place ++#smtpd_milters = unix:/opendkim/opendkim.sock ++#non_smtpd_milters = $smtpd_milters ++ ++# what to do if the dkim filter fails ++#milter_default_action = accept ++#milter_command_timeout = 5s ++#milter_connect_timeout = $milter_command_timeout ++#milter_content_timeout = 45s ++ ++transport_maps = hash:/etc/postfix/transport ++local_transport = error:local delivery is disabled diff --git a/docs/configdiff/emailout/transport b/docs/configdiff/emailout/transport new file mode 100644 index 0000000..8c4f3d1 --- /dev/null +++ b/docs/configdiff/emailout/transport @@ -0,0 +1,3 @@ +lists.cacert.org smtp:[lists.intra.cacert.org] +issue.cacert.org smtp:[issue.intra.cacert.org] +cacert.org smtp:[email.intra.cacert.org] diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst index a6fb000..ec84e50 100644 --- a/docs/systems/emailout.rst +++ b/docs/systems/emailout.rst 
@@ -3,3 +3,336 @@ Emailout ======== + +Purpose +======= + +This system is used as outgoing mail relay for other infrastructure services. + +Administration +============== + +System Administration +--------------------- + +* Primary: :ref:`people_jandd` +* Secondary: :ref:`people_jselzer` + +Contact +------- + +* emailout-admin@cacert.org + +Additional People +----------------- + +:ref:`people_mario` has :program:`sudo` access on that machine too. + +Basics +====== + +Physical Location +----------------- + +This system is located in an :term:`LXC` container on physical machine +:doc:`infra02`. + +Logical Location +---------------- + +:IP Internet: :ip:v4:`213.154.225.239` +:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32` +:IP Internal: :ip:v4:`10.0.0.32` +:MAC address: :mac:`00:ff:12:01:65:02` (eth0) + +.. seealso:: + + See :doc:`../network` + +DNS +--- + +.. index:: + single: DNS records; Emailout + +========================== ======== ==================================================================== +Name Type Content +========================== ======== ==================================================================== +emailout.cacert.org. IN A 213.154.225.239 +emailout.cacert.org. IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c +emailout.cacert.org. IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055 +emailout.cacert.org. IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752 +emailout.cacert.org. IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c +emailout.cacert.org. IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba +emailout.cacert.org. IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d +emailout.intra.cacert.org. IN A 172.16.2.32 +========================== ======== ==================================================================== + +.. 
seealso:: + + See :wiki:`SystemAdministration/Procedures/DNSChanges` + +Operating System +---------------- + +.. index:: + single: Debian GNU/Linux; Wheezy + single: Debian GNU/Linux; 7.10 + +* Debian GNU/Linux 7.10 + +Applicable Documentation +------------------------ + +The following packages where installed after the container setup:: + + apt-get install vim-nox screen aptitude git etckeeper postfix \ + postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \ + heirloom-mailx netcat-openbsd swaks + +Services +======== + +Listening services +------------------ + ++----------+-----------+-----------+-----------------------------------------+ +| Port | Service | Origin | Purpose | ++==========+===========+===========+=========================================+ +| 22/tcp | ssh | ANY | admin console access | ++----------+-----------+-----------+-----------------------------------------+ +| 25/tcp | smtp | intranet | mail delivery from intranet MTAs | ++----------+-----------+-----------+-----------------------------------------+ +| 5666/tcp | nrpe | monitor | remote monitoring service | ++----------+-----------+-----------+-----------------------------------------+ + +Running services +---------------- + +.. 
index:: + single: OpenDKIM + single: Postfix + single: cron + single: nrpe + single: openssh + ++--------------------+--------------------+----------------------------------------+ +| Service | Usage | Start mechanism | ++====================+====================+========================================+ +| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` | +| | remote | | +| | administration | | ++--------------------+--------------------+----------------------------------------+ +| cron | job scheduler | init script :file:`/etc/init.d/cron` | ++--------------------+--------------------+----------------------------------------+ +| rsyslog | syslog daemon | init script | +| | | :file:`/etc/init.d/syslog` | ++--------------------+--------------------+----------------------------------------+ +| OpenDKIM | DKIM signing | init script | +| | daemon | :file:`/etc/init.d/opendkim` | ++--------------------+--------------------+----------------------------------------+ +| Postfix | SMTP server for | init script | +| | local mail | :file:`/etc/init.d/postfix` | +| | submission, and | | +| | mail relay for | | +| | infrastructure | | +| | systems | | ++--------------------+--------------------+----------------------------------------+ +| Nagios NRPE server | remote monitoring | init script | +| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` | +| | :doc:`monitor` | | ++--------------------+--------------------+----------------------------------------+ + +Connected Systems +----------------- + +* :doc:`monitor` +* SMTP (25/tcp) from other infrastructure systems + +Outbound network connections +---------------------------- + +* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3 +* :doc:`emailout` as SMTP relay +* ftp.nl.debian.org as Debian mirror +* security.debian.org for Debian security updates +* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists` + +Security +======== + +.. 
sshkeys:: + :RSA: 56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2 + :DSA: 6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07 + :ECDSA: cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4 + +.. todo:: setup ED25519 ssh host key + +Non-distribution packages and modifications +------------------------------------------- + +* None + +Risk assessments on critical packages +------------------------------------- + +Postfix has a very good security reputation. The system is patched regularly. + +Critical Configuration items +============================ + +Keys and X.509 certificates +--------------------------- + +.. todo:: setup a proper certificate for incoming STARTTLS + +.. use the sslcert directive to have certificates added to the certificate list + automatically + +.. .. sslcert:: template.cacert.org + :altnames: + :certfile: + :keyfile: + :serial: + :expiration: + :sha1fp: + :issuer: + +.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA + certificates (allowed CA certificates for client certificates) + * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate + (certificate chain for server certificate) + +.. index:: + pair: DKIM; Private Key + see: DKIM; OpenDKIM + +* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for + :term:`DKIM` signing by OpenDKIM. + +.. index:: + pair: DKIM; DNS + see: DNS; OpenDKIM + +* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for + the public component of the DKIM signing key + +.. seealso:: + + * :wiki:`SystemAdministration/CertificateList` + +.. index:: + pair: Postfix; configuration + +Postfix configuration +--------------------- + +Postfix has been configured as outgoing email relay with very little changes to +the default configuration. + +The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`. 
+ +Postfix configuration file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamic_maps.cf` have been modified to: + +* set infrastructure related host and network parameters +* allow regular expressions in maps +* activate oportunistic TLS +* prepare for DKIM support +* disable local delivery + +.. literalinclude:: ../configdiff/emailout/postfix.diff + :language: diff + +Emails sent to specific intranet hostnames are rewritten to their respective +admin addresses in :file:`/etc/postfix/canonical_maps`: + +.. literalinclude:: ../configdiff/emailout/canonical_maps + :language: text + +Emails sent to specific cacert.org hostnames are forwarded via +:file:`/etc/postfix/transport`: + +.. literalinclude:: ../configdiff/emailout/transport + :language: text + +:file:`/etc/postfix/transport` has to be rehashed if it is changed because +Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To +perform the rehashing and restart Postfix use:: + + postmap hash:/etc/postfix/transport + service postfix restart + +.. index:: + pair: OpenDKIM; configuration + +OpenDKIM configuration +---------------------- + +.. todo:: + enable OpenDKIM in Postfix configuration when the DNS record is in place and + :doc:`email` is ready for DKIM too or is configured to send mail via + emailout. + +The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The +following lines have been added: + +.. code:: diff + + --- wheezy-chroot/etc/opendkim.conf 2013-01-09 04:10:46.000000000 +0100 + +++ vm-emailout/rootfs/etc/opendkim.conf 2015-02-02 15:47:58.161884259 +0100 + 
@@ -13,6 +13,12 @@ + #Domain example.com + #KeyFile /etc/mail/dkim.key + #Selector 2007 + +Domain cacert.org + +KeyFile /etc/dkim/2015.private + +Selector 2015 + + + +Socket /var/spool/postfix/opendkim/opendkim.sock + +InternalHosts /etc/dkim/internalhosts + + # Commonly-used options; the commented-out versions show the defaults. + #Canonicalization simple + +The key has been generated with:: + + mkdir /etc/dkim + cd /etc/dkim + opendkim-genkey -d cacert.org -s 2015 + +Internal networks have been defined in :file:`/etc/dkim/internalhosts` as:: + + 127.0.0.1 + 10.0.0.0/24 + 172.16.2.0/24 + + +Tasks +===== + +Planned +------- + +.. todo:: update the system to Debian Jessie +.. todo:: setup IPv6 + +Changes +======= + +System Future +------------- + +* No plans + +Additional documentation +======================== + +.. seealso:: + + * :wiki:`PostfixConfiguration` + +References +---------- + +* http://www.postfix.org/documentation.html +* http://www.opendkim.org/docs.html |
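Review bot: in the new file docs/configdiff/emailout/canonical_maps the dots in `.intra.cacert.org` and `.infra.cacert.org` are unescaped and the capture group `(.*)` is greedy, so `/@(.*).intra.cacert.org$/` also matches a domain like `fooXintra.cacert.org` and, for `root@a.b.intra.cacert.org`, captures `a.b` and yields `a.b-admin@cacert.org`. If only the first label of the host name is meant to select the admin address, tighten both patterns to `/@([^.]+)\.intra\.cacert\.org$/ $1-admin@cacert.org` and `/@([^.]+)\.infra\.cacert\.org$/ $1-admin@cacert.org`; the rewritten addresses can be checked with `postmap -q root@host.intra.cacert.org pcre:/etc/postfix/canonical_maps` before the map goes live.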
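Review bot: the `+pcre /usr/lib/postfix/dict_pcre.so dict_pcre_open` line in the dynamicmaps.cf hunk is written by the maintainer scripts of the postfix-pcre package (which the documentation lists among the installed packages), not by hand; the timestamps in the hunk header also show the container copy predates the reference chroot copy. The documentation should say the entry comes from installing postfix-pcre rather than presenting it as a manual modification, and it should name the file `dynamicmaps.cf` (the .rst calls it `dynamic_maps.cf`).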
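Review bot: in the first main.cf hunk `+smtp_helo_name = infrastructure.cacert.org` differs from the name the documentation publishes for the outbound address 213.154.225.239 (`emailout.cacert.org. IN A 213.154.225.239`). Receivers that check HELO/PTR consistency expect the HELO name to resolve to the connecting IP and to match its PTR, so either document that infrastructure.cacert.org resolves to that address and is its reverse name, or use emailout.cacert.org. Also `+mydomain = emailout.intra.cacert.org` sets mydomain to the full host name instead of the parent domain intra.cacert.org; it is harmless here because `myorigin = /etc/mailname` overrides the default derived from it, but a comment saying so would avoid confusion.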
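Review bot: in the second main.cf hunk `+local_transport = error:local delivery is disabled` combined with `+mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost` means mail for those four names is accepted in the SMTP dialogue and then bounced by the error transport; set `mydestination =` (empty) so that `reject_unauth_destination` refuses such mail up front, and note that `alias_maps`/`alias_database` are inert without local delivery. Two things worth a comment in the same hunk: `$myhostname` (emailout.intra.cacert.org) is no longer in mydestination, which only works because the canonical map rewrites `@emailout.intra.cacert.org` to emailout-admin@cacert.org; and `+canonical_maps = pcre:/etc/postfix/canonical_maps` rewrites sender as well as recipient addresses (the default `canonical_classes`), which is probably intended so bounces reach the host admins, but the documentation says only "emails sent to" intranet host names are rewritten. Finally, `+smtp_tls_security_level = may` only covers the outbound client side; nothing in the hunk sets `smtpd_tls_security_level` for the connections the intranet MTAs open to this host, which matches the open todo on incoming STARTTLS.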
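Review bot: in docs/configdiff/emailout/transport the entry `cacert.org smtp:[email.intra.cacert.org]` matches only that exact domain: transport_maps is not in the default `parent_domain_matches_subdomains`, so mail for any cacert.org subdomain other than lists.cacert.org and issue.cacert.org falls through to the default transport and an Internet MX lookup. If that is deliberate, say so in the documentation; if all cacert.org subdomains should reach the internal mail host, add `.cacert.org smtp:[email.intra.cacert.org]`. Since the bracketed hosts skip MX lookups and the client side runs with `smtp_tls_security_level = may`, these three internal hops are only opportunistically encrypted; a `smtp_tls_policy_maps` entry with `encrypt` for them would keep them from silently falling back to plaintext.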
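Review bot: in docs/systems/emailout.rst the "Outbound network connections" list contains `:doc:`emailout` as SMTP relay`, i.e. this system as its own relay, apparently left over from the page template; drop it, since relaying is what this system does, and the outbound SMTP targets are already listed in the next item. Smaller fixes in the same hunk: `Postfix configuration file:`/etc/postfix/main.cf`` is missing the role colon (`:file:`), `dynamic_maps.cf` should read `dynamicmaps.cf`, "oportunistic" should be "opportunistic", "where installed" should be "were installed", and the rsyslog init script on Debian is `/etc/init.d/rsyslog`, not `/etc/init.d/syslog`. The OpenDKIM section shows `Socket /var/spool/postfix/opendkim/opendkim.sock`, which matches the commented `unix:/opendkim/opendkim.sock` in main.cf (relative to the chrooted queue directory); when the milter is enabled, document that the socket directory under /var/spool/postfix must exist and be accessible to the postfix user, and that `milter_default_action = accept` lets mail leave unsigned if OpenDKIM fails. The `see: DNS; OpenDKIM` index entry redirects the general DNS index to OpenDKIM, which is probably not intended.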