.. index::
   single: Systems; Email

=====
Email
=====

Purpose
=======

This system handles email for @cacert.org addresses. It also provides users of
@cacert.org with IMAPS and POP3S access to their accounts.

The database on this container is used by :doc:`webmail` too.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jselzer`
* Secondary: :ref:`people_jandd`

Contact
-------

* email-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.228`
:IP Intranet: :ip:v4:`172.16.2.19`
:IP Internal: :ip:v4:`10.0.0.19`
:MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Email

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
email.cacert.org.       IN A     213.154.225.228
email.cacert.org.       IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
email.cacert.org.       IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
email.intra.cacert.org. IN A     172.16.2.19
======================= ======== ============================================

The SSHFP records carry SHA-1 fingerprints only (fingerprint type 1); no
SHA-256 (type 2) records are published.

A DKIM record for cacert.org is set up, but DKIM signing is currently not
active.

.. todo:: setup DKIM properly, see :bug:`696` for an older discussion

.. todo:: setup SPF records when the system is ready, see :bug:`492` for an
   older discussion

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Lenny
   single: Debian GNU/Linux; 5.0.10

* Debian GNU/Linux 5.0.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+----------------+-----------------------------------------------+
| Port     | Service | Origin         | Purpose                                       |
+==========+=========+================+===============================================+
| 22/tcp   | ssh     | ANY            | admin console access                          |
+----------+---------+----------------+-----------------------------------------------+
| 25/tcp   | smtp    | ANY            | mail receiver for cacert.org                  |
+----------+---------+----------------+-----------------------------------------------+
| 110/tcp  | pop3    | ANY            | POP3 access for cacert.org mail addresses     |
+----------+---------+----------------+-----------------------------------------------+
| 143/tcp  | imap    | ANY            | IMAP access for cacert.org mail addresses     |
+----------+---------+----------------+-----------------------------------------------+
| 465/tcp  | smtps   | ANY            | SMTPS for cacert.org mail addresses           |
+----------+---------+----------------+-----------------------------------------------+
| 587/tcp  | smtp    | ANY            | mail submission for cacert.org mail addresses |
+----------+---------+----------------+-----------------------------------------------+
| 993/tcp  | imaps   | ANY            | IMAPS access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 995/tcp  | pop3s   | ANY            | POP3S access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 2000/tcp | sieve   | ANY            | Sieve access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 2001/tcp | sieve   | :doc:`webmail` | Sieve access for cacert.org mail              |
|          |         |                | addresses without TLS, accessible from        |
|          |         |                | ``172.16.2.20`` only                          |
+----------+---------+----------------+-----------------------------------------------+
| 3306/tcp | mysql   | local          | MySQL database server                         |
+----------+---------+----------------+-----------------------------------------------+
| 4433/tcp | http    | internal       | Apache httpd with phpmyadmin                  |
+----------+---------+----------------+-----------------------------------------------+
| 5666/tcp | nrpe    | monitor        | remote monitoring service                     |
+----------+---------+----------------+-----------------------------------------------+

135
136 Running services
137 ----------------
138
139 .. index::
140 single: Apache
141 single: MySQL
142 single: Postfix
143 single: cron
144 single: dovecot
145 single: nrpe
146 single: openssh
147 single: pysieved
148 single: rsyslog
149 single: xinetd
150
151 +--------------------+---------------------+----------------------------------------+
152 | Service | Usage | Start mechanism |
153 +====================+=====================+========================================+
154 | Apache httpd | Webserver for | init script |
155 | | phpmyadmin | :file:`/etc/init.d/apache2` |
156 +--------------------+---------------------+----------------------------------------+
157 | cron | job scheduler | init script :file:`/etc/init.d/cron` |
158 +--------------------+---------------------+----------------------------------------+
159 | dovecot | IMAP(s) and POP3(s) | init script |
160 | | daemon | :file:`/etc/init.d/dovecot` |
161 +--------------------+---------------------+----------------------------------------+
162 | MySQL | MySQL database | init script |
163 | | server for email | :file:`/etc/init.d/mysql` |
164 | | services | |
165 +--------------------+---------------------+----------------------------------------+
166 | Nagios NRPE server | remote monitoring | init script |
167 | | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
168 | | :doc:`monitor` | |
169 +--------------------+---------------------+----------------------------------------+
170 | openssh server | ssh daemon for | init script :file:`/etc/init.d/ssh` |
171 | | remote | |
172 | | administration | |
173 +--------------------+---------------------+----------------------------------------+
174 | Postfix | SMTP server for | init script |
175 | | cacert.org | :file:`/etc/init.d/postfix` |
176 +--------------------+---------------------+----------------------------------------+
177 | rsyslog | syslog daemon | init script |
178 | | | :file:`/etc/init.d/syslog` |
179 +--------------------+---------------------+----------------------------------------+
180 | xinetd | socket listener | init script |
181 | | for pysieved | :file:`/etc/init.d/xinetd` |
182 +--------------------+---------------------+----------------------------------------+
183
184 Databases
185 ---------
186
187 +-------+----------------+----------------------------------+
188 | RDBMS | Name | Used for |
189 +=======+================+==================================+
190 | MySQL | cacertusers | database for dovecot and postfix |
191 +-------+----------------+----------------------------------+
192 | MySQL | postfixpolicyd | empty database |
193 +-------+----------------+----------------------------------+
194 | MySQL | roundcubemail | roundcube on :doc:`webmail` |
195 +-------+----------------+----------------------------------+
196
197 .. todo:: check whether the empty postfixpolicyd database is required
198
199 .. todo:: consider moving the databases to a new central MySQL service
200
201 Connected Systems
202 -----------------
203
204 * :doc:`monitor`
205 * :doc:`webmail`
206
207 Outbound network connections
208 ----------------------------
209
210 * DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
211 * archive.debian.org as Debian mirror
212 * :doc:`issue` for OTRS mail
213 * :doc:`lists` for mailing lists
214 * arbitrary internet smtp servers for outgoing mail
215
216 Security
217 ========
218
219 SSH host keys
220 -------------
221
222 +-----------+-----------------------------------------------------+
223 | Algorithm | Fingerprint |
224 +===========+=====================================================+
225 | RSA | ``a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23`` |
226 +-----------+-----------------------------------------------------+
227 | DSA | ``f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91`` |
228 +-----------+-----------------------------------------------------+
229 | ECDSA | \- |
230 +-----------+-----------------------------------------------------+
231 | ED25519 | \- |
232 +-----------+-----------------------------------------------------+
233
234 .. warning::
235
236 The system is too old to support ECDSA or ED25519 keys.
237
238 .. seealso::
239
240 See :doc:`../sshkeys`
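
The MD5 fingerprints in the table above and the SSHFP records in the DNS
section are both digests of the same public key blob. The following added
Python example (not part of the original page and not CAcert tooling)
computes the SSHFP rdata (SHA-1 and SHA-256 fingerprint types), the
colon-separated MD5 fingerprint older ``ssh-keygen -l`` printed, and the
``SHA256:`` fingerprint current ``ssh-keygen -l`` prints from an OpenSSH public
key line, and compares the SSHFP rdata with what DNS serves. The key line in it
is a constructed dummy whose blob is the bytes ``abc``, so the digests can be
checked by hand; on the real host ``ssh-keygen -r email.cacert.org -f
/etc/ssh/ssh_host_rsa_key.pub`` produces the rdata for the actual key.

```python
"""Derive SSHFP rdata and host key fingerprints from an OpenSSH public key line.

Added example for this page, not CAcert tooling. EXAMPLE_KEY is a constructed
dummy whose key blob is b"abc", so the digests are checkable by hand.
"""
import base64
import hashlib

# SSHFP algorithm numbers keyed by OpenSSH key type (RFC 4255, 6594, 7479).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed dummy key line (not a real key): base64("abc") == "YWJj".
EXAMPLE_KEY = "ssh-rsa YWJj root@email.cacert.org"

# SSHFP rdata published for email.cacert.org in the DNS table above.
PUBLISHED = [
    "1 1 BF391FD72656A275524D1D25A624C6045B44AE90",
    "2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F",
]


def parse_pubkey(line):
    """Return (key type, raw key blob) from a 'ssh-rsa AAAA... comment' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in SSHFP_ALGORITHM:
        raise ValueError("not an OpenSSH public key line with a supported type")
    return parts[0], base64.b64decode(parts[1])


def sshfp_records(line):
    """SSHFP rdata strings ('alg fptype HEX'), SHA-1 and SHA-256, for one key."""
    ktype, blob = parse_pubkey(line)
    alg = SSHFP_ALGORITHM[ktype]
    return [f"{alg} {fpt} {digest(blob).hexdigest().upper()}"
            for fpt, digest in FP_TYPES.items()]


def md5_fingerprint(line):
    """Colon-separated MD5 fingerprint, the format used in the table above."""
    _, blob = parse_pubkey(line)
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(line):
    """'SHA256:<unpadded base64>' fingerprint as current ssh-keygen -l prints it."""
    _, blob = parse_pubkey(line)
    raw = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def check_against_dns(line, published):
    """Compare the rdata computed for one key with records served by DNS.

    Only published records with the same algorithm number are considered.
    Returns (matched, stale, missing): rdata present on both sides, published
    rdata this key does not account for (e.g. left over from a key rotation),
    and computed rdata not published (typically the SHA-256 record).
    """
    alg = str(SSHFP_ALGORITHM[parse_pubkey(line)[0]])
    computed = set(sshfp_records(line))
    same_alg = {" ".join(r.split()).upper() for r in published
                if r.split()[0] == alg}
    return computed & same_alg, same_alg - computed, computed - same_alg


if __name__ == "__main__":
    for rdata in sshfp_records(EXAMPLE_KEY):
        print("email.cacert.org. IN SSHFP", rdata)
    print("MD5:", md5_fingerprint(EXAMPLE_KEY))
    print(sha256_fingerprint(EXAMPLE_KEY))
    matched, stale, missing = check_against_dns(EXAMPLE_KEY, PUBLISHED)
    print("matched:", matched, "stale:", stale, "missing:", missing)
```

Run against the zone as published, ``check_against_dns`` always reports the
``1 2`` (SHA-256) record as missing, because only SHA-1 rdata is published;
a ``stale`` entry after a host key change is the signal that the DNS record
was not rotated together with the key.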

Non-distribution packages and modifications
-------------------------------------------

Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
:file:`/usr/local/lib/tlslite-0.3.8-orig/`.

Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
2009 originating from http://woozle.org/~neale/repos/pysieved at commit
``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.

:file:`/usr/local/lib/pysieved` is a symbolic link to
:file:`/usr/local/lib/pysieved.neale/`.

.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
   packages after OS upgrade

Risk assessments on critical packages
-------------------------------------

The whole system is outdated (Debian 5.0 no longer receives security updates;
packages now come from archive.debian.org) and needs to be replaced as soon as
possible.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/ssl/certs/ssl-cert-email-cacert.pem` server certificate for SMTP
  and phpmyadmin
* :file:`/etc/ssl/private/ssl-cert-email-cacert.key` server key

* :file:`/etc/ssl/certs/ssl-cert-community-cacert.pem` server certificate for
  community email services (SMTPS, SMTP submission in Postfix and IMAP with
  STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)
* :file:`/etc/ssl/private/ssl-cert-community-cacert.key` server key

* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
  Diffie-Hellman parameter files for Postfix. The 512-bit parameters only
  serve export-grade cipher suites; discrete logarithms in 512-bit groups are
  within reach of a well-funded attacker, so neither this file nor the export
  suites should be carried over to the replacement system.

.. seealso::

   * :doc:`../certlist`
   * :wiki:`SystemAdministration/CertificateList`

Apache configuration
--------------------

:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
allows dedicated users to access a PHPMyAdmin instance. The allowed users are
authenticated by client certificates and are authorized by an entry in
:file:`/etc/apache2/phpmyadmin.passwd`.

.. note::

   To authorize a user you need the subject distinguished name of the user's
   client certificate, which can be extracted with::

      openssl x509 -noout -subject -in certificate.crt

   A line with the subject distinguished name and the fake password
   ``xxj31ZMTZzkVA`` separated by a colon has to be added to
   :file:`/etc/apache2/phpmyadmin.passwd`::

      /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA

   ``xxj31ZMTZzkVA`` is the crypt(3) hash of the word ``password``, which is
   the password mod_ssl presents on behalf of every client-certificate user
   when FakeBasicAuth is enabled. Because all these users share that
   password, the VirtualHost must keep requiring a verified client
   certificate; a plain Basic-auth login with the password ``password`` must
   never be accepted.

.. seealso::

   FakeBasicAuth option of the `SSLOptions
   <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
   directive in the mod_ssl reference documentation.
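
As an added example (not part of the original page and not CAcert tooling), the
Python script below turns the ``openssl x509 -subject`` output into the
``phpmyadmin.passwd`` line and audits an existing file for entries that can
never work. It assumes the legacy slash-separated subject format that the
OpenSSL shipped with Lenny prints and that Apache 2.2 uses for
``SSL_CLIENT_S_DN``; newer OpenSSL releases print an RFC 2253 comma-separated
subject by default (``-nameopt compat`` restores the slash form), and an Apache
2.4 replacement would need ``SSLOptions +LegacyDNStringFormat`` to keep
matching such entries. The passwd contents in the script are constructed
sample data.

```python
"""Build and audit FakeBasicAuth entries for /etc/apache2/phpmyadmin.passwd.

Added example for this page, not CAcert tooling. SAMPLE_PASSWD is constructed.
"""
import re

# crypt(3) hash of the literal word "password": the password mod_ssl supplies
# for every client-certificate user when FakeBasicAuth is enabled.
FAKE_PASSWORD_HASH = "xxj31ZMTZzkVA"

# Legacy one-line subject form as printed by `openssl x509 -noout -subject`
# on this system ("subject= /CN=.../emailAddress=...").
SUBJECT_RE = re.compile(r"^subject=\s*(/.+)$")

# Constructed sample file: one good entry, one with a real password hash
# (can never log in via FakeBasicAuth) and one duplicated DN.
SAMPLE_PASSWD = """\
# phpmyadmin users authorised by client certificate (constructed sample)
/CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
/CN=Other User/emailAddress=other@cacert.org:$apr1$salt$notthefakehash
/CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA
"""


def subject_from_openssl(output):
    """Extract the slash-form DN from openssl's subject line.

    Rejects the comma-separated RFC 2253 form newer OpenSSL prints by default,
    because Apache 2.2 compares the file against the slash form.
    """
    m = SUBJECT_RE.match(output.strip())
    if not m:
        raise ValueError("expected 'subject= /C=.../CN=...'; try -nameopt compat")
    return m.group(1)


def passwd_entry(subject_dn):
    """Return the line to append to phpmyadmin.passwd for one certificate."""
    if not subject_dn.startswith("/") or ":" in subject_dn:
        raise ValueError("DN must be in slash form and must not contain ':'")
    return f"{subject_dn}:{FAKE_PASSWORD_HASH}"


def audit_passwd(text):
    """Return (line number, problem) pairs for a phpmyadmin.passwd body."""
    problems, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        dn, sep, pw_hash = line.rpartition(":")
        if not sep or not dn.startswith("/"):
            problems.append((lineno, "malformed entry"))
            continue
        if pw_hash != FAKE_PASSWORD_HASH:
            problems.append((lineno, "not the FakeBasicAuth hash"))
        if dn in seen:
            problems.append((lineno, "duplicate DN"))
        seen.add(dn)
    return problems


def is_authorized(subject_dn, text):
    """Mimic Apache: the DN must match an entry exactly, character for character."""
    return any(line.rpartition(":")[0] == subject_dn
               for line in text.splitlines() if not line.startswith("#"))


if __name__ == "__main__":
    dn = subject_from_openssl("subject= /CN=Example User/emailAddress=example@cacert.org")
    print(passwd_entry(dn))
    for lineno, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"phpmyadmin.passwd:{lineno}: {problem}")
```

The exact-match rule in ``is_authorized`` is the usual source of "certificate
accepted but 401" reports: a trailing space, a differently ordered attribute or
a comma-form DN in the file silently never matches.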

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

NSS configuration
-----------------

The libc name service switch is configured to use MySQL lookups for passwd,
group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
is configured in :file:`/etc/libnss-mysql-root.cfg`. The latter file holds the
database credentials that can read password hashes and therefore has to stay
readable by root only.

PHPMyAdmin configuration
------------------------

PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.

Dovecot configuration
---------------------

Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
database settings are stored in
:file:`dovecot-sql-masterpassword-webmail.conf`.

Postfix configuration
---------------------

Postfix configuration is stored in the :file:`/etc/postfix/` directory. The
following files are special for this setup:

+----------------+-------------------------------------------------------------+
| File           | Used for                                                    |
+================+=============================================================+
| arbitration    | rewrite recipients matching specific regular expressions to |
|                | support+deletedaccounts@cacert.org and                      |
|                | support@issue.cacert.org                                    |
+----------------+-------------------------------------------------------------+
| cacert-inc-bcc | used as recipient_bcc_maps for specific functional mail     |
|                | addresses                                                   |
+----------------+-------------------------------------------------------------+
| main.cf        | the main configuration file                                 |
+----------------+-------------------------------------------------------------+
| master.cf      | adds configuration for the community SMTPS and SMTP         |
|                | submission transports                                       |
+----------------+-------------------------------------------------------------+
| mysql-\*.cf    | configuration of several MySQL queries for alias mapping,   |
|                | Postfix operates on views for the user table                |
+----------------+-------------------------------------------------------------+
| transport      | forward email for lists.cacert.org to :doc:`lists` and for  |
|                | issue.cacert.org to :doc:`issue`                            |
+----------------+-------------------------------------------------------------+

.. todo:: consider to send all outgoing mail via :doc:`emailout`

.. todo:: remove unused transports from :file:`master.cf`

PySieved configuration
----------------------

Pysieved is configured in :file:`/usr/local/etc/pysieved.ini` and
:file:`/usr/local/etc/pysieved-notls.ini`, the latter for the listener without
TLS on port 2001 that only :doc:`webmail` may reach. Pysieved uses dovecot for
authentication.

Rsyslog configuration
---------------------

Rsyslog is configured in :file:`/etc/rsyslog.conf` which includes files in
:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate unix
socket to receive log messages from postfix and
:file:`/etc/rsyslog.d/remotelog.conf` contains commented-out settings for a
non-existent remote syslog server.

.. todo:: setup remote logging when a central logging container is available

Xinetd configuration
--------------------

Xinetd listens on tcp ports 2000 and 2001 and spawns pysieved for each
connection. Configuration for these listeners is stored in
:file:`/etc/xinetd.d/pysieved` and :file:`/etc/xinetd.d/pysieved-notls`.

Tasks
=====

Planned
-------

.. todo:: implement CRL checking

.. todo:: setup IPv6

Changes
=======

System Future
-------------

.. todo::
   The system has to be replaced with a new system using a current operating
   system version

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wiki page for this system
   :wiki:`SystemAdministration/Systems/Email`