-rw-r--r--  docs/downloads/template_new_community_mailaddress.rfc822  19
-rw-r--r--  docs/systems/arbitration.rst                                22
-rw-r--r--  docs/systems/blog.rst                                       14
-rw-r--r--  docs/systems/board.rst                                      16
-rw-r--r--  docs/systems/email.rst                                     231
-rw-r--r--  docs/systems/emailout.rst                                    9
-rw-r--r--  docs/systems/infra02.rst                                    14
-rw-r--r--  docs/systems/webmail.rst                                    10
8 files changed, 273 insertions, 62 deletions
diff --git a/docs/downloads/template_new_community_mailaddress.rfc822 b/docs/downloads/template_new_community_mailaddress.rfc822
new file mode 100644
index 0000000..3dd8118
--- /dev/null
+++ b/docs/downloads/template_new_community_mailaddress.rfc822
@@ -0,0 +1,19 @@
+Subject: Your new cacert.org address
+Reply-To: email-admin@cacert.org
+
+Hello,
+
+your new address <firstname.lastname>@cacert.org has just been setup in the
+cacert email system.
+
+The initial password is <password>.
+
+Please get a client certificate for this address and reset your password via
+[1] as documented in the wiki [2].
+
+[1] https://community.cacert.org/password.php as documented in
+[2] https://wiki.cacert.org/Technology/TechnicalSupport/EndUserSupport/CommunityE-Mail
+
+
+Best regards
+<mail admin name>
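Review bot: the reference line `[1] https://community.cacert.org/password.php as documented in` carries a stray tail that repeats the sentence above it; it should end after the URL, with `[2]` following on its own line. Two wording points in the same template: `has just been setup` should read `has just been set up`, and since the body carries the initial password in clear text, the sending instructions in email.rst (encrypt to a known public key of the recipient) are the only thing protecting it; consider a short admin-facing line in the template, above the headers or as a comment in the download link text, so that requirement travels with the file.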
diff --git a/docs/systems/arbitration.rst b/docs/systems/arbitration.rst
index 04aea5c..d2166f6 100644
--- a/docs/systems/arbitration.rst
+++ b/docs/systems/arbitration.rst
@@ -217,10 +217,6 @@ Non-distribution packages and modifications
* some experimental nmp/nodejs/etherpad things in :file:`/home/magu` not
running yet
-..
- or
- * List of non-distribution packages and modifications
-
Risk assessments on critical packages
-------------------------------------
@@ -235,15 +231,21 @@ Keys and X.509 certificates
* No keys or certificates setup yet
..
- * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid until <datetime>)
- * :file:`/etc/apache2/ssl/<path to server key>` server key
- * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
- * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate (certificate chain for server certificate)
+ * :file:`/etc/apache2/ssl/<path to certificate>` server certificate (valid
+ until <datetime>)
+ * :file:`/etc/apache2/ssl/<path to server key>` server key
+ * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
+ certificates (allowed CA certificates for client certificates)
+ * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
+ (certificate chain for server certificate)
.. seealso::
* :wiki:`SystemAdministration/CertificateList`
+.. index::
+ pair: Nginx; configuration
+
Nginx configuration
-------------------
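Review bot: the four reflowed certificate entries mix the `:file:` role (first two) with plain backtick literals (`/etc/apache2/ssl/cacert-certs.pem`, `/etc/apache2/ssl/cacert-chain.pem`); since these lines are rewritten anyway, make all four `:file:` so the template is consistent when it is copied into a system that does have certificates. They sit under the `..` comment marker, so they do not render, which is correct while the section says no keys or certificates are set up yet.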
@@ -279,5 +281,5 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Arbitration`
+nginx Documentation
+ http://nginx.org/en/docs/
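Review bot: the `Wiki page for this system` entry is deleted and replaced by the nginx documentation link rather than kept next to it; the same replacement is made in blog.rst, board.rst and infra02.rst in this patch, while email.rst moves its wiki link into the `seealso` block with a stated reason. Unless the per-system wiki pages are being retired, keep the wiki entry in the References list (or move it to `seealso` as email.rst does) so the pointer to the older documentation is not lost.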
diff --git a/docs/systems/blog.rst b/docs/systems/blog.rst
index 3a11d39..bb64d77 100644
--- a/docs/systems/blog.rst
+++ b/docs/systems/blog.rst
@@ -284,8 +284,11 @@ Keys and X.509 certificates
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
* :file:`/etc/apache2/cacert/blog.inc.conf`
@@ -312,6 +315,9 @@ The following RewriteRule is used to redirect old blog URLs::
RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+.. index::
+ pair: Wordpress; configuration
+
Wordpress configuration
-----------------------
@@ -348,5 +354,5 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Blog`
+Wordpress website
+ https://wordpress.org/
diff --git a/docs/systems/board.rst b/docs/systems/board.rst
index 3e97217..3f0b810 100644
--- a/docs/systems/board.rst
+++ b/docs/systems/board.rst
@@ -294,7 +294,10 @@ Keys and X.509 certificates
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration files
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
--------------------------
* :file:`/etc/apache2/conf.d/openerp-httpd.conf`
@@ -313,11 +316,18 @@ Apache configuration files
Defines the authorized users based on the DN in their client certificate
+.. index::
+ single: cron; CRL
+ single: CRL
+
CRL update job
--------------
:file:`/etc/cron.hourly/update-crls`
+.. index::
+ pair: OpenERP; configuration
+
OpenERP configuration
---------------------
@@ -356,5 +366,5 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Board`
+OpenERP 7.0 documentation
+ https://doc.odoo.com/
diff --git a/docs/systems/email.rst b/docs/systems/email.rst
index d0b5eb1..b62779e 100644
--- a/docs/systems/email.rst
+++ b/docs/systems/email.rst
@@ -99,37 +99,54 @@ Services
Listening services
------------------
-+----------+---------+----------------+-----------------------------------------------+
-| Port | Service | Origin | Purpose |
-+==========+=========+================+===============================================+
-| 22/tcp | ssh | ANY | admin console access |
-+----------+---------+----------------+-----------------------------------------------+
-| 25/tcp | smtp | ANY | mail receiver for cacert.org |
-+----------+---------+----------------+-----------------------------------------------+
-| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 143/tcp | imap | ANY | IMAP access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 587/tcp | smtp | ANY | mail submission for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 2000/tcp | sieve | ANY | Sieve access for cacert.org mail addresses |
-+----------+---------+----------------+-----------------------------------------------+
-| 2001/tcp | sieve | :doc:`webmail` | Sieve access for cacert.org mail |
-| | | | addresses without TLS, accessible from |
-| | | | ``172.16.2.20`` only |
-+----------+---------+----------------+-----------------------------------------------+
-| 3306/tcp | mysql | local | MySQL database server |
-+----------+---------+----------------+-----------------------------------------------+
-| 4433/tcp | http | internal | Apache httpd with phpmyadmin |
-+----------+---------+----------------+-----------------------------------------------+
-| 5666/tcp | nrpe | monitor | remote monitoring service |
-+----------+---------+----------------+-----------------------------------------------+
++----------+---------+----------------+----------------------------------------+
+| Port | Service | Origin | Purpose |
++==========+=========+================+========================================+
+| 22/tcp | ssh | ANY | admin console access |
++----------+---------+----------------+----------------------------------------+
+| 25/tcp | smtp | ANY | mail receiver for cacert.org |
++----------+---------+----------------+----------------------------------------+
+| 110/tcp | pop3 | ANY | POP3 access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 143/tcp | imap | ANY | IMAP access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 465/tcp | smtps | ANY | SMTPS for cacert.org mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 587/tcp | smtp | ANY | mail submission for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 993/tcp | imaps | ANY | IMAPS access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 995/tcp | pop3s | ANY | POP3S access for cacert.org mail |
+| | | | addresses |
++----------+---------+----------------+----------------------------------------+
+| 2000/tcp | sieve | ANY | Manage sieve access for cacert.org |
+| | | | mail addresses |
++----------+---------+----------------+----------------------------------------+
+| 2001/tcp | sieve | :doc:`webmail` | Manage sieve access for cacert.org |
+| | | | mail addresses without TLS, accessible |
+| | | | from ``172.16.2.20`` only |
++----------+---------+----------------+----------------------------------------+
+| 3306/tcp | mysql | local | MySQL database server |
++----------+---------+----------------+----------------------------------------+
+| 4433/tcp | http | internal | Apache httpd with phpmyadmin |
++----------+---------+----------------+----------------------------------------+
+| 5666/tcp | nrpe | monitor | remote monitoring service |
++----------+---------+----------------+----------------------------------------+
+
+.. topic:: PHPMyAdmin access
+
+ Administrators can use ssh to forward the Apache httpd HTTPS port to their
+ own machine:
+
+ .. code-block:: bash
+
+ ssh -L 4433:localhost:4433 -l username email.cacert.org
+
+ and access PHPMyAdmin at https://localhost:4443/phpmyadmin
Running services
----------------
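Review bot: the ssh forward in the `PHPMyAdmin access` topic binds local port 4433 (`ssh -L 4433:localhost:4433 -l username email.cacert.org`) but the closing sentence sends the reader to `https://localhost:4443/phpmyadmin`; one of the two is a typo and should be 4433 to match the table row `4433/tcp | http | internal | Apache httpd with phpmyadmin`. That table row also labels the service `http` while the topic calls it the HTTPS port and the Apache section says the adminssl VirtualHost authenticates with client certificates; if the port serves TLS, `https` is the accurate service name. Finally, ports 2000/2001 are renamed to `Manage sieve access` here while the new Connected Systems bullet writes `manage sieve`; pick one spelling (the protocol is usually written ManageSieve) and use it in both places.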
@@ -201,6 +218,8 @@ Connected Systems
* :doc:`monitor`
* :doc:`webmail`
+* all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP
+ (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve
Outbound network connections
----------------------------
@@ -273,12 +292,24 @@ Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
Diffie-Hellman parameter files for Postfix
+.. note::
+
+ Postfix uses the email.cacert.org certificate for client authentication if
+ requested by a target server.
+
+ .. todo::
+ check whether it makes sense to use a separate certificate for that
+ purpose
+
.. seealso::
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
allows dedicated users to access a PHPMyAdmin instance. The allowed users are
@@ -304,11 +335,20 @@ authenticated by client certificates and are authorized by an entry in
<https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
directive in the mod_ssl reference documentation.
+.. index::
+ pair: MySQL; configuration
+
MySQL configuration
-------------------
MySQL configuration is stored in the :file:`/etc/mysql/` directory.
+.. index::
+ pair: MySQL; NSS
+ single: libnss-mysql
+
+.. _nss:
+
NSS configuration
-----------------
@@ -317,11 +357,17 @@ group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
is configured in :file:`/etc/libnss-mysql-root.cfg`.
+.. index::
+ pair: PHPMyAdmin; configuration
+
PHPMyAdmin configuration
------------------------
PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.
+.. index::
+ pair: dovecot; configuration
+
Dovecot configuration
---------------------
@@ -329,6 +375,24 @@ Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
database settings are stored in
:file:`dovecot-sql-masterpassword-webmail.conf`.
+.. index::
+ pair: dovecot; authentication
+
+.. topic:: Dovecot authentication
+
+ :file:`/etc/dovecot/dovecot.conf` refers to PAM mail. PAM mail is defined
+ :file:`/etc/pam.d/mail`. System users are defined by NSS which is a
+ combination of :file:`/etc/passwd` (for root and non-imap/pop users) and
+ :file:`/etc/libnss-mysql*` (see `nss`_).
+
+ There is a special master password so that webmail can do the authentication
+ for dovecot using certificates. This is defined in
+ :file:`/etc/dovecot/dovecot-sql-masterpassword-webmail.conf`. This special
+ password is restricted to the IP address of Community.
+
+.. index::
+ pair: Postfix; configuration
+
Postfix configuration
---------------------
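Review bot: in the `Dovecot authentication` topic, `PAM mail is defined :file:`/etc/pam.d/mail`` is missing `in`, and `(see `nss`_)` is a plain reST hyperlink to the `.. _nss:` label; that resolves within this file, but `:ref:`nss`` is the Sphinx form and also works from other documents such as webmail.rst. The last sentence, `restricted to the IP address of Community`, should name the host (the webmail system) and the address the restriction is keyed on: the listening-services table already identifies `172.16.2.20` as the webmail origin for port 2001, so state whether the master-password configuration uses the same address, otherwise nobody can verify the restriction when the webmail host is renumbered.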
@@ -361,12 +425,18 @@ following files are special for this setup:
.. todo:: remove unused transports from :file:`master.cf`
+.. index::
+ pair: pysieved; configuration
+
PySieved configuration
----------------------
-:file:`/usr/local/etc/pysieved.ini` and
-:file:`/usr/local/etc/pysieved-notls.ini`. Pysieved uses dovecot for
-authentication.
+:file:`/usr/local/etc/pysieved.ini` for regular manage sieve access and
+:file:`/usr/local/etc/pysieved-notls.ini` for use with Roundcube webmail.
+Pysieved uses dovecot for authentication.
+
+.. index::
+ pair: rsyslog; configuration
Rsyslog configuration
---------------------
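Review bot: the added `.. index::` / `pair: rsyslog; configuration` block at the end of the hunk is not followed by a blank line before the `Rsyslog configuration` heading, unlike every other index block in this patch; docutils terminates the directive at the unindented heading and emits an "Explicit markup ends without a blank line; unexpected unindent" warning. Add the blank `+` line after `pair: rsyslog; configuration`.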
@@ -380,6 +450,9 @@ non-existant remote syslog server.
.. todo:: setup remote logging when a central logging container is available
+.. index::
+ pair: xinetd; configuration
+
Xinetd configuration
--------------------
@@ -387,9 +460,74 @@ Xinetd listens on tcp ports 2000 and 2001 and spawn pysieved. Configuration for
these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
:file:`/etc/xinetd.d/pysieved-notls`.
+Email storage
+-------------
+
+Mail for :samp:`{user}` is stored in :samp:`/home/{user}/Maildir`.
+
+.. todo::
+ move mail storage to a separate data volume to allow easier backup and OS
+ upgrades
+
Tasks
=====
+.. index::
+ single: add email users
+
+Adding email users
+------------------
+
+1. create user in the database table ``cacertusers.user``:
+
+ .. code-block:: bash
+
+ mysql -p cacertusers
+
+ .. code-block:: sql
+
+ INSERT INTO user (username, fullnamealias, realname, password)
+ VALUES ('user', 'user.name', 'User Name', '$1$salt$passwordhash')
+
+2. create the user's home directory and Maildir:
+
+ :samp:`install -o {user} -g {user} -m 0755 -d /home/{user}/Maildir`
+
+.. note::
+
+ * a valid password hash for the password ``secret`` is
+ ``$1$caea3837$gPafod/Do/8Jj5M9HehhM.``
+ * users can reset their password via
+ https://community.cacert.org/password.php on :doc:`webmail`
+ * use the :download:`mail template
+ <../downloads/template_new_community_mailaddress.rfc822>` to send out to a
+ user's non-cacert.org mail account and make sure to encrypt the mail to a
+ known public key of that user
+
+.. todo::
+ implement tooling to automate password salt generation and user creation
+
+Setting up mail aliases
+-----------------------
+
+There are two types of aliases.
+
+1. The first type are those that are never sent from. e.g.
+ postmaster@cacert.org. All these aliases are defined in
+ :file:`/etc/aliases`. Don't forget to run
+
+ .. code-block:: bash
+
+ postalias /etc/aliases
+
+ after any changes. Aliases for issue tracking are installed here as
+ :samp:`{issuetrackingaddress} : {issuetrackingaddress}@issue.cacert.org`.
+
+2. The second type are those aliases that are used to send email too, e.g
+ pr@cacert.org. These aliases are recorded in the aliases table on the
+ cacertusers database. The reason for this implementation is to only allow
+ the designated person to send email from this email address.
+
Planned
-------
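Review bot: step 2 of `Adding email users` creates the Maildir with `install -o user -g user -m 0755 -d /home/user/Maildir`, which makes each mailbox directory readable and listable by every account on the host, including the other mail users resolved through libnss-mysql; the Maildir should be `0700`, and only the home directory itself needs to stay traversable. Second, the documented password format is MD5-crypt (`$1$salt$passwordhash`) and the note ships a ready hash for the password `secret`; MD5-crypt is fast and uses only an 8-character salt, so if PAM and libnss-mysql on this host accept SHA-512 crypt (`$6$`), document that as the format and have the planned salt/user tooling generate it. Smaller points: the `INSERT INTO user ...` statement lacks a terminating `;`, so pasting it into the `mysql` client does nothing until one is typed; the `install` command is rendered with `:samp:` while step 1 uses `code-block`; and in `Setting up mail aliases`, `used to send email too` should be `to` and `e.g` is missing its second dot.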
@@ -397,6 +535,15 @@ Planned
.. todo:: setup IPv6
+.. todo::
+ throttle brute force attack attempts using fail2ban or similar mechanism
+
+.. todo::
+ consider to use LDAP to consolidate user, password and email information
+
+* there were plans for X.509 certificate authentication for mail services, but
+ there is no progress so far
+
Changes
=======
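Review bot: the new fail2ban todo names no services or log sources; the listening-services table shows ssh, POP3/IMAP (plain and TLS), SMTP submission/SMTPS and manage sieve all accepting passwords from `ANY`, each logging through a different daemon (openssh, dovecot, postfix, pysieved), so the todo should list which logs the throttling is expected to watch. The `there were plans for X.509 certificate authentication` bullet would read better as a third `.. todo::` or a `.. note::`, since it is the only bare list item between directives in this section.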
@@ -413,9 +560,17 @@ Additional documentation
.. seealso::
* :wiki:`PostfixConfiguration`
+ * :wiki:`SystemAdministration/Systems/Email` for some discussion on legal
+ implications related to mail archiving
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Email`
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+Dovecot 1.x wiki
+ http://wiki1.dovecot.org/FrontPage
+Postfix documentation
+ http://www.postfix.org/documentation.html
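Review bot: `Postfix documentation` / `http://www.postfix.org/documentation.html` appears twice in the new References list (first and last entries); drop the second copy. The `Dovecot 1.x wiki` entry is the right pointer only if the host still runs Dovecot 1.x, and the Dovecot configuration section does not state the version, so record it there to justify the link.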
diff --git a/docs/systems/emailout.rst b/docs/systems/emailout.rst
index ea2eec4..4053955 100644
--- a/docs/systems/emailout.rst
+++ b/docs/systems/emailout.rst
@@ -116,6 +116,7 @@ Running services
single: cron
single: nrpe
single: openssh
+ single: rsyslog
+--------------------+--------------------+----------------------------------------+
| Service | Usage | Start mechanism |
@@ -335,5 +336,9 @@ Additional documentation
References
----------
-* http://www.postfix.org/documentation.html
-* http://www.opendkim.org/docs.html
+Postfix documentation
+ http://www.postfix.org/documentation.html
+Postfix Debian wiki page
+ https://wiki.debian.org/Postfix
+OpenDKIM documentation
+ http://www.opendkim.org/docs.html
diff --git a/docs/systems/infra02.rst b/docs/systems/infra02.rst
index 6306528..cd93c2f 100644
--- a/docs/systems/infra02.rst
+++ b/docs/systems/infra02.rst
@@ -252,7 +252,8 @@ System Future
Critical Configuration items
============================
-.. index:: Ferm
+.. index::
+ pair: Ferm; configuration
Ferm firewall configuration
---------------------------
@@ -260,6 +261,9 @@ Ferm firewall configuration
The `Ferm`_ based firewall setup is located in :file:`/etc/ferm` and its
subdirectories.
+.. index::
+ pair: LXC; configuration
+
Container configuration
-----------------------
@@ -279,5 +283,9 @@ Additional documentation
References
----------
-Wiki page for this system
- :wiki:`SystemAdministration/Systems/Infra02`
+Ferm documentation
+ http://ferm.foo-projects.org/download/2.3/ferm.html
+Ferm Debian Wiki page
+ https://wiki.debian.org/ferm
+LXC Debian Wiki page
+ https://wiki.debian.org/LXC
diff --git a/docs/systems/webmail.rst b/docs/systems/webmail.rst
index 5eab801..6a4851e 100644
--- a/docs/systems/webmail.rst
+++ b/docs/systems/webmail.rst
@@ -266,8 +266,11 @@ Keys and X.509 certificates
* :wiki:`SystemAdministration/CertificateList`
-Apache configuration
---------------------
+.. index::
+ pair: Apache httpd; configuration
+
+Apache httpd configuration
+--------------------------
The Apache httpd configuration is stored in
:file:`/etc/apache2/sites-available/webmail`.
@@ -278,6 +281,9 @@ The Apache httpd configuration is stored in
Defines some aliases for :doc:`email` that are used by Roundcube, the password
reset script and the staff list script.
+.. index::
+ pair: Roundcube; configuration
+
Roundcube configuration
-----------------------