authorJan Dittberner <jandd@cacert.org>2016-05-08 01:53:10 +0200
committerJan Dittberner <jandd@cacert.org>2016-05-08 01:53:10 +0200
commit90cacc99121ff4c77d1b117e0da3e7034d09dff3 (patch)
treebcb5ab3cf219f4b43e4f837658a0b9f6f367c74f /docs
parentbc7d3ddbd1da9c12c776330c0d93e2c8fe207e4e (diff)
Document the emailout container
This commit adds documentation for emailout. The documentation is taken from https://wiki.cacert.org/SystemAdministration/Systems/Emailout?action=recall&rev=3 and data gathered from the actual system and a reference Debian Wheezy chroot on infra02.
Diffstat (limited to 'docs')
-rw-r--r--docs/configdiff/emailout/canonical_maps2
-rw-r--r--docs/configdiff/emailout/postfix.diff61
-rw-r--r--docs/configdiff/emailout/transport3
-rw-r--r--docs/systems/emailout.rst333
4 files changed, 399 insertions, 0 deletions
diff --git a/docs/configdiff/emailout/canonical_maps b/docs/configdiff/emailout/canonical_maps
new file mode 100644
index 0000000..4b8c021
--- /dev/null
+++ b/docs/configdiff/emailout/canonical_maps
@@ -0,0 +1,2 @@
+/@(.*).intra.cacert.org$/ $1-admin@cacert.org
+/@(.*).infra.cacert.org$/ $1-admin@cacert.org
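Review bot: The dots in both PCRE keys are unescaped, so `.` matches any character and a sender such as `user@fooXintraXcacertXorg` would also be rewritten; anchor the domain literally with `/@(.*)\.intra\.cacert\.org$/ $1-admin@cacert.org` and `/@(.*)\.infra\.cacert\.org$/ $1-admin@cacert.org`. Because `(.*)` is greedy, a multi-label host such as `a.b.intra.cacert.org` becomes `a.b-admin@cacert.org`, which is presumably fine but worth stating in the comment. Note also that `canonical_maps` rewrites header and envelope senders as well as recipients by default, so these rules change the From: of system mail from every intranet host, not only mail addressed to them; a one-line comment in the map saying that this is intended would save the next admin a surprise.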
diff --git a/docs/configdiff/emailout/postfix.diff b/docs/configdiff/emailout/postfix.diff
new file mode 100644
index 0000000..1e1d759
--- /dev/null
+++ b/docs/configdiff/emailout/postfix.diff
@@ -0,0 +1,61 @@
+diff -urwN wheezy-chroot/etc/postfix/dynamicmaps.cf vm-emailout/rootfs/etc/postfix/dynamicmaps.cf
+--- wheezy-chroot/etc/postfix/dynamicmaps.cf 2016-05-08 00:51:54.738716333 +0200
++++ vm-emailout/rootfs/etc/postfix/dynamicmaps.cf 2015-02-02 13:58:10.151038663 +0100
+@@ -4,3 +4,4 @@
+ #==== ================================ ============= ============
+ tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
+ sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
++pcre /usr/lib/postfix/dict_pcre.so dict_pcre_open
+diff -urwN wheezy-chroot/etc/postfix/main.cf vm-emailout/rootfs/etc/postfix/main.cf
+--- wheezy-chroot/etc/postfix/main.cf 2016-05-08 00:51:55.514721219 +0200
++++ vm-emailout/rootfs/etc/postfix/main.cf 2015-02-02 19:13:43.370652677 +0100
+@@ -5,6 +5,8 @@
+ # line of that file to be used as the name. The Debian default
+ # is /etc/mailname.
+ #myorigin = /etc/mailname
++mydomain = emailout.intra.cacert.org
++smtp_helo_name = infrastructure.cacert.org
+
+ smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+ biff = no
+@@ -24,16 +26,37 @@
+ smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
++smtp_tls_security_level = may
++
++# map internal host names to their corresponding admin addresses
++canonical_maps = pcre:/etc/postfix/canonical_maps
++
+ # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+ # information on enabling SSL in the smtp client.
+
+-myhostname = infra02.intra.cacert.org
++myhostname = emailout.intra.cacert.org
+ alias_maps = hash:/etc/aliases
+ alias_database = hash:/etc/aliases
+ myorigin = /etc/mailname
+-mydestination = infra02.intra.cacert.org, localhost.intra.cacert.org, , localhost
++mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
+ relayhost =
+-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
++mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+ mailbox_size_limit = 0
+ recipient_delimiter = +
+ inet_interfaces = all
++inet_protocols = all
++
++# DKIM milter
++# http://www.postfix.org/MILTER_README.html
++# TODO: enable DKIM once the DNS record is in place
++#smtpd_milters = unix:/opendkim/opendkim.sock
++#non_smtpd_milters = $smtpd_milters
++
++# what to do if the dkim filter fails
++#milter_default_action = accept
++#milter_command_timeout = 5s
++#milter_connect_timeout = $milter_command_timeout
++#milter_content_timeout = 45s
++
++transport_maps = hash:/etc/postfix/transport
++local_transport = error:local delivery is disabled
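Review bot: `inet_interfaces = all` (context line) combined with the new `mynetworks = 172.16.2.0/24 10.0.0.0/24 ...` means the relay decision rests on `smtpd_recipient_restrictions`, which is not in this diff and therefore at its compiled default; the container also carries a public address, so the "intranet only" claim for 25/tcp holds only if a firewall enforces it. I would either bind explicitly, `inet_interfaces = 127.0.0.1, 172.16.2.32`, or add a comment next to `mynetworks` naming the firewall rule that keeps port 25 off the public interface. `smtp_helo_name = infrastructure.cacert.org` differs from `myhostname` and from the documented `emailout.cacert.org` A record; if that name has no matching forward/reverse DNS for 213.154.225.239, remote MTAs may score outbound mail down, so a comment on why this HELO name was chosen would help. The commented `milter_default_action = accept` is fine for a not-yet-enabled DKIM milter, but once enabled it means a dead OpenDKIM socket silently yields unsigned mail; a `# fail-open on purpose` comment makes that trade-off explicit.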
diff --git a/docs/configdiff/emailout/transport b/docs/configdiff/emailout/transport
new file mode 100644
index 0000000..8c4f3d1
--- /dev/null
+++ b/docs/configdiff/emailout/transport
@@ -0,0 +1,3 @@
+lists.cacert.org smtp:[lists.intra.cacert.org]
+issue.cacert.org smtp:[issue.intra.cacert.org]
+cacert.org smtp:[email.intra.cacert.org]
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
index a6fb000..ec84e50 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -3,3 +3,336 @@
Emailout
========
+
+Purpose
+=======
+
+This system is used as outgoing mail relay for other infrastructure services.
+
+Administration
+==============
+
+System Administration
+---------------------
+
+* Primary: :ref:`people_jandd`
+* Secondary: :ref:`people_jselzer`
+
+Contact
+-------
+
+* emailout-admin@cacert.org
+
+Additional People
+-----------------
+
+:ref:`people_mario` has :program:`sudo` access on that machine too.
+
+Basics
+======
+
+Physical Location
+-----------------
+
+This system is located in an :term:`LXC` container on physical machine
+:doc:`infra02`.
+
+Logical Location
+----------------
+
+:IP Internet: :ip:v4:`213.154.225.239`
+:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
+:IP Internal: :ip:v4:`10.0.0.32`
+:MAC address: :mac:`00:ff:12:01:65:02` (eth0)
+
+.. seealso::
+
+ See :doc:`../network`
+
+DNS
+---
+
+.. index::
+ single: DNS records; Emailout
+
+========================== ======== ====================================================================
+Name Type Content
+========================== ======== ====================================================================
+emailout.cacert.org. IN A 213.154.225.239
+emailout.cacert.org. IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
+emailout.cacert.org. IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
+emailout.cacert.org. IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
+emailout.cacert.org. IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
+emailout.cacert.org. IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
+emailout.cacert.org. IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
+emailout.intra.cacert.org. IN A 172.16.2.32
+========================== ======== ====================================================================
+
+.. seealso::
+
+ See :wiki:`SystemAdministration/Procedures/DNSChanges`
+
+Operating System
+----------------
+
+.. index::
+ single: Debian GNU/Linux; Wheezy
+ single: Debian GNU/Linux; 7.10
+
+* Debian GNU/Linux 7.10
+
+Applicable Documentation
+------------------------
+
+The following packages where installed after the container setup::
+
+ apt-get install vim-nox screen aptitude git etckeeper postfix \
+ postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
+ heirloom-mailx netcat-openbsd swaks
+
+Services
+========
+
+Listening services
+------------------
+
++----------+-----------+-----------+-----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+===========+===========+=========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+-----------+-----------+-----------------------------------------+
+| 25/tcp | smtp | intranet | mail delivery from intranet MTAs |
++----------+-----------+-----------+-----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+-----------+-----------+-----------------------------------------+
+
+Running services
+----------------
+
+.. index::
+ single: OpenDKIM
+ single: Postfix
+ single: cron
+ single: nrpe
+ single: openssh
+
++--------------------+--------------------+----------------------------------------+
+| Service | Usage | Start mechanism |
++====================+====================+========================================+
+| openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
+| | remote | |
+| | administration | |
++--------------------+--------------------+----------------------------------------+
+| cron | job scheduler | init script :file:`/etc/init.d/cron` |
++--------------------+--------------------+----------------------------------------+
+| rsyslog | syslog daemon | init script |
+| | | :file:`/etc/init.d/syslog` |
++--------------------+--------------------+----------------------------------------+
+| OpenDKIM | DKIM signing | init script |
+| | daemon | :file:`/etc/init.d/opendkim` |
++--------------------+--------------------+----------------------------------------+
+| Postfix | SMTP server for | init script |
+| | local mail | :file:`/etc/init.d/postfix` |
+| | submission, and | |
+| | mail relay for | |
+| | infrastructure | |
+| | systems | |
++--------------------+--------------------+----------------------------------------+
+| Nagios NRPE server | remote monitoring | init script |
+| | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
+| | :doc:`monitor` | |
++--------------------+--------------------+----------------------------------------+
+
+Connected Systems
+-----------------
+
+* :doc:`monitor`
+* SMTP (25/tcp) from other infrastructure systems
+
+Outbound network connections
+----------------------------
+
+* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
+* :doc:`emailout` as SMTP relay
+* ftp.nl.debian.org as Debian mirror
+* security.debian.org for Debian security updates
+* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
+
+Security
+========
+
+.. sshkeys::
+ :RSA: 56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
+ :DSA: 6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
+ :ECDSA: cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
+
+.. todo:: setup ED25519 ssh host key
+
+Non-distribution packages and modifications
+-------------------------------------------
+
+* None
+
+Risk assessments on critical packages
+-------------------------------------
+
+Postfix has a very good security reputation. The system is patched regularly.
+
+Critical Configuration items
+============================
+
+Keys and X.509 certificates
+---------------------------
+
+.. todo:: setup a proper certificate for incoming STARTTLS
+
+.. use the sslcert directive to have certificates added to the certificate list
+ automatically
+
+.. .. sslcert:: template.cacert.org
+ :altnames:
+ :certfile:
+ :keyfile:
+ :serial:
+ :expiration:
+ :sha1fp:
+ :issuer:
+
+.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
+
+.. index::
+ pair: DKIM; Private Key
+ see: DKIM; OpenDKIM
+
+* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
+ :term:`DKIM` signing by OpenDKIM.
+
+.. index::
+ pair: DKIM; DNS
+ see: DNS; OpenDKIM
+
+* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
+ the public component of the DKIM signing key
+
+.. seealso::
+
+ * :wiki:`SystemAdministration/CertificateList`
+
+.. index::
+ pair: Postfix; configuration
+
+Postfix configuration
+---------------------
+
+Postfix has been configured as outgoing email relay with very little changes to
+the default configuration.
+
+The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.
+
+Postfix configuration file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamic_maps.cf` have been modified to:
+
+* set infrastructure related host and network parameters
+* allow regular expressions in maps
+* activate oportunistic TLS
+* prepare for DKIM support
+* disable local delivery
+
+.. literalinclude:: ../configdiff/emailout/postfix.diff
+ :language: diff
+
+Emails sent to specific intranet hostnames are rewritten to their respective
+admin addresses in :file:`/etc/postfix/canonical_maps`:
+
+.. literalinclude:: ../configdiff/emailout/canonical_maps
+ :language: text
+
+Emails sent to specific cacert.org hostnames are forwarded via
+:file:`/etc/postfix/transport`:
+
+.. literalinclude:: ../configdiff/emailout/transport
+ :language: text
+
+:file:`/etc/postfix/transport` has to be rehashed if it is changed because
+Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To
+perform the rehashing and restart Postfix use::
+
+ postmap hash:/etc/postfix/transport
+ service postfix restart
+
+.. index::
+ pair: OpenDKIM; configuration
+
+OpenDKIM configuration
+----------------------
+
+.. todo::
+ enable OpenDKIM in Postfix configuration when the DNS record is in place and
+ :doc:`email` is ready for DKIM too or is configured to send mail via
+ emailout.
+
+The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
+following lines have been added:
+
+.. code:: diff
+
+ --- wheezy-chroot/etc/opendkim.conf 2013-01-09 04:10:46.000000000 +0100
+ +++ vm-emailout/rootfs/etc/opendkim.conf 2015-02-02 15:47:58.161884259 +0100
+ @@ -13,6 +13,12 @@
+ #Domain example.com
+ #KeyFile /etc/mail/dkim.key
+ #Selector 2007
+ +Domain cacert.org
+ +KeyFile /etc/dkim/2015.private
+ +Selector 2015
+ +
+ +Socket /var/spool/postfix/opendkim/opendkim.sock
+ +InternalHosts /etc/dkim/internalhosts
+
+ # Commonly-used options; the commented-out versions show the defaults.
+ #Canonicalization simple
+
+The key has been generated with::
+
+ mkdir /etc/dkim
+ cd /etc/dkim
+ opendkim-genkey -d cacert.org -s 2015
+
+Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::
+
+ 127.0.0.1
+ 10.0.0.0/24
+ 172.16.2.0/24
+
+
+Tasks
+=====
+
+Planned
+-------
+
+.. todo:: update the system to Debian Jessie
+.. todo:: setup IPv6
+
+Changes
+=======
+
+System Future
+-------------
+
+* No plans
+
+Additional documentation
+========================
+
+.. seealso::
+
+ * :wiki:`PostfixConfiguration`
+
+References
+----------
+
+* http://www.postfix.org/documentation.html
+* http://www.opendkim.org/docs.html
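Review bot: Under "Outbound network connections" the entry ``* :doc:`emailout` as SMTP relay`` refers to this very system and looks like a leftover from the page template; emailout has no relayhost (``relayhost =`` in the diff) and its real outbound SMTP targets are already listed in the next bullet, so the line should be dropped. In the Postfix section the role is missing its leading colon (``Postfix configuration file:`/etc/postfix/main.cf```) and the second file is named ``dynamic_maps.cf`` while the included diff patches ``dynamicmaps.cf``; suggested line: ``Postfix configuration files :file:`/etc/postfix/main.cf` and :file:`/etc/postfix/dynamicmaps.cf` have been modified to:``. The listening-services table states 25/tcp is reachable from the intranet only, but main.cf has ``inet_interfaces = all`` and the system owns a public address, so the page should name what enforces that restriction (firewall rule or binding) rather than leaving the reader to infer it. Minor typos: "where installed" → "were installed", "oportunistic" → "opportunistic".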