Add sslcert directive for email certificate
[cacert-infradocs.git] / docs / systems / email.rst
.. index::
   single: Systems; Email

=====
Email
=====

Purpose
=======

This system handles email for @cacert.org addresses. It also provides users of
@cacert.org with IMAPs and POP3s access to their accounts.

The database on this container is used by :doc:`webmail` too.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jselzer`
* Secondary: :ref:`people_jandd`

Contact
-------

* email-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.228`
:IP Intranet: :ip:v4:`172.16.2.19`
:IP Internal: :ip:v4:`10.0.0.19`
:MAC address: :mac:`00:ff:8f:e0:4a:90` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Email

======================= ======== ============================================
Name                    Type     Content
======================= ======== ============================================
email.cacert.org.       IN A     213.154.225.228
email.cacert.org.       IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90
email.cacert.org.       IN SSHFP 2 1 73B0D8ACB492A7187016DD3C5FC1519B309A550F
email.intra.cacert.org. IN A     172.16.2.19
======================= ======== ============================================
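
The SSHFP records in the table above let an SSH client verify the host key
through DNS instead of trusting it on first connection. The following added
example (not part of the CAcert infradocs) computes the record for an OpenSSH
public key in the form published above (algorithm 1 = RSA, 2 = DSA; fingerprint
type 1 = SHA-1) and compares it with the DNS content, so a host key that the
zone no longer matches is caught during a review. The function names, the
constructed public key and the use of GNU ``base64``/``sha1sum`` are assumptions
of this example; on the host itself ``ssh-keygen -r email.cacert.org -f
/etc/ssh/ssh_host_rsa_key.pub`` (the default OpenSSH host key path) prints the
same record.

```shell
#!/bin/sh
# Added example, not from the CAcert infradocs: derive an SSHFP record from an
# OpenSSH public key line and check it against the record published in DNS.
# Assumes GNU coreutils (base64 -d, sha1sum); the key below is constructed.

# Map the OpenSSH key type to the SSHFP algorithm number
# (RFC 4255: 1 = RSA, 2 = DSA; RFC 6594: 3 = ECDSA; RFC 7479: 4 = Ed25519).
sshfp_alg() {
    case "$1" in
        ssh-rsa)      echo 1 ;;
        ssh-dss)      echo 2 ;;
        ecdsa-sha2-*) echo 3 ;;
        ssh-ed25519)  echo 4 ;;
        *)            echo 0 ;;
    esac
}

# Print "<alg> 1 <SHA1-HEX>" for a public key line "type base64-blob [comment]".
# Fingerprint type 1 is the SHA-1 of the raw (decoded) key blob, upper-cased
# as in the DNS table. Returns 1 for key types without an SSHFP algorithm.
sshfp_record() {
    set -- $1                      # split the key line into type, blob, comment
    _alg="$(sshfp_alg "$1")"
    [ "$_alg" -ne 0 ] || return 1
    _fp="$(printf '%s' "$2" | base64 -d | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F')"
    printf '%s 1 %s\n' "$_alg" "$_fp"
}

# Compare a computed record with the "IN SSHFP <alg> <type> <fp>" content of a
# zone entry; succeeds only when algorithm, type and fingerprint all agree.
sshfp_matches() {
    [ "$1" = "$(printf '%s\n' "$2" | sed 's/^IN SSHFP //')" ]
}

# Constructed RSA key (not a real host key) to show the flow:
#   rec="$(sshfp_record 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwEAAQ== test')"
#   sshfp_matches "$rec" "IN SSHFP 1 1 BF391FD72656A275524D1D25A624C6045B44AE90"
# On the mail container the first argument would come from
#   sshfp_record "$(cat /etc/ssh/ssh_host_rsa_key.pub)"
# and the second from the zone (dig +short SSHFP email.cacert.org).
```

Because the table publishes SHA-1 fingerprints only, a client using
``VerifyHostKeyDNS`` will accept either record; once the host is replaced the
zone should also carry type 2 (SHA-256) records, which newer ``ssh-keygen -r``
prints alongside type 1.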

A DKIM record for cacert.org is set up, but DKIM signing is currently not
active.

.. todo:: set up DKIM properly, see :bug:`696` for an older discussion

.. todo:: set up SPF records when the system is ready, see :bug:`492` for an
   older discussion

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Lenny
   single: Debian GNU/Linux; 5.0.10

* Debian GNU/Linux 5.0.10

Applicable Documentation
------------------------

This is it :-)

Services
========

Listening services
------------------

+----------+---------+----------------+-----------------------------------------------+
| Port     | Service | Origin         | Purpose                                       |
+==========+=========+================+===============================================+
| 22/tcp   | ssh     | ANY            | admin console access                          |
+----------+---------+----------------+-----------------------------------------------+
| 25/tcp   | smtp    | ANY            | mail receiver for cacert.org                  |
+----------+---------+----------------+-----------------------------------------------+
| 110/tcp  | pop3    | ANY            | POP3 access for cacert.org mail addresses     |
+----------+---------+----------------+-----------------------------------------------+
| 143/tcp  | imap    | ANY            | IMAP access for cacert.org mail addresses     |
+----------+---------+----------------+-----------------------------------------------+
| 465/tcp  | smtps   | ANY            | SMTPS for cacert.org mail addresses           |
+----------+---------+----------------+-----------------------------------------------+
| 587/tcp  | smtp    | ANY            | mail submission for cacert.org mail addresses |
+----------+---------+----------------+-----------------------------------------------+
| 993/tcp  | imaps   | ANY            | IMAPS access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 995/tcp  | pop3s   | ANY            | POP3S access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 2000/tcp | sieve   | ANY            | Sieve access for cacert.org mail addresses    |
+----------+---------+----------------+-----------------------------------------------+
| 2001/tcp | sieve   | :doc:`webmail` | Sieve access for cacert.org mail              |
|          |         |                | addresses without TLS, accessible from        |
|          |         |                | ``172.16.2.20`` only                          |
+----------+---------+----------------+-----------------------------------------------+
| 3306/tcp | mysql   | local          | MySQL database server                         |
+----------+---------+----------------+-----------------------------------------------+
| 4433/tcp | http    | internal       | Apache httpd with phpmyadmin                  |
+----------+---------+----------------+-----------------------------------------------+
| 5666/tcp | nrpe    | monitor        | remote monitoring service                     |
+----------+---------+----------------+-----------------------------------------------+
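
The table above is the documented attack surface of the host, and what a
reviewer wants is a quick way to confirm that the live listener set still
matches it. The added example below (not from the CAcert infradocs) does that in
plain sh: it takes ``netstat -tln`` style output, extracts the listening TCP
ports, and reports ports that are open but undocumented, documented ports that
are not listening, and ports the table restricts to ``local`` or the intranet
that are nevertheless bound to a wildcard address. The netstat lines are
constructed sample input, the function names are this example's own, and the
``DOCUMENTED_PORTS`` list is transcribed from the table.

```shell
#!/bin/sh
# Added example, not part of the CAcert infradocs: reconcile the documented
# listening services with what a host actually exposes.

# TCP ports documented in the "Listening services" table.
DOCUMENTED_PORTS='22 25 110 143 465 587 993 995 2000 2001 3306 4433 5666'

# Ports the table documents as "local" (3306) or intranet-only (2001); these
# must never be bound to 0.0.0.0 / :: .
LOCAL_ONLY_PORTS='2001 3306'

# Constructed sample of "netstat -tln" output (not captured from the real
# system): 2001 correctly bound to the intranet address, 3306 wrongly bound to
# all interfaces, and an undocumented listener on 8080.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 172.16.2.19:2001        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN'

# Read netstat output on stdin, print "port local-address" for LISTEN sockets.
# The port is the text after the last colon, which also works for ":::22".
listen_entries() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n], $4 }'
}

# Open ports that do not appear in the documented list.
undocumented_ports() {
    printf '%s\n' "$1" | listen_entries | sort -un | while read -r port addr; do
        case " $DOCUMENTED_PORTS " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Documented ports that are not listening (service down, or the table is stale).
missing_ports() {
    _open=" $(printf '%s\n' "$1" | listen_entries | cut -d' ' -f1 | tr '\n' ' ')"
    for port in $DOCUMENTED_PORTS; do
        case "$_open" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Restricted ports bound to a wildcard address instead of a specific one.
wildcard_bound_local_ports() {
    printf '%s\n' "$1" | listen_entries | while read -r port addr; do
        case " $LOCAL_ONLY_PORTS " in
            *" $port "*)
                case "$addr" in
                    0.0.0.0:*|:::*|\*:*) printf '%s\n' "$port" ;;
                esac ;;
        esac
    done
}

# On the host: undocumented_ports "$(netstat -tln)" etc. With the sample above
# the three checks report 8080, the nine documented-but-closed ports, and 3306.
```

Port-level checks only tell you that a socket exists; the ``Origin`` column is
enforced by the bound address (as checked for 2001 and 3306 here) and by the
xinetd and firewall rules, so a complete review also reads those.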

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: cron
   single: dovecot
   single: nrpe
   single: openssh
   single: pysieved
   single: rsyslog
   single: xinetd

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| Apache httpd       | Webserver for       | init script                            |
|                    | phpmyadmin          | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| dovecot            | IMAP(s) and POP3(s) | init script                            |
|                    | daemon              | :file:`/etc/init.d/dovecot`            |
+--------------------+---------------------+----------------------------------------+
| MySQL              | MySQL database      | init script                            |
|                    | server for email    | :file:`/etc/init.d/mysql`              |
|                    | services            |                                        |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | cacert.org          | :file:`/etc/init.d/postfix`            |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+
| xinetd             | socket listener     | init script                            |
|                    | for pysieved        | :file:`/etc/init.d/xinetd`             |
+--------------------+---------------------+----------------------------------------+

Databases
---------

+-------+----------------+----------------------------------+
| RDBMS | Name           | Used for                         |
+=======+================+==================================+
| MySQL | cacertusers    | database for dovecot and postfix |
+-------+----------------+----------------------------------+
| MySQL | postfixpolicyd | empty database                   |
+-------+----------------+----------------------------------+
| MySQL | roundcubemail  | roundcube on :doc:`webmail`      |
+-------+----------------+----------------------------------+

.. todo:: check whether the empty postfixpolicyd database is required

.. todo:: consider moving the databases to a new central MySQL service

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`webmail`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* archive.debian.org as Debian mirror
* :doc:`issue` for OTRS mail
* :doc:`lists` for mailing lists
* arbitrary internet smtp servers for outgoing mail

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23`` |
+-----------+-----------------------------------------------------+
| DSA       | ``f4:eb:0a:36:40:1c:55:6b:75:a2:26:34:ea:18:7e:91`` |
+-----------+-----------------------------------------------------+
| ECDSA     | \-                                                  |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. warning::

   The system is too old to support ECDSA or ED25519 keys.

.. seealso::

   See :doc:`../sshkeys`

Non-distribution packages and modifications
-------------------------------------------

Tlslite in :file:`/usr/local/lib/tlslite-0.3.8/` has been patched to handle
GeneratorExit exceptions. The original tlslite 0.3.8 is stored in
:file:`/usr/local/lib/tlslite-0.3.8-orig/`.

Pysieved in :file:`/usr/local/lib/pysieved.neale/` seems to be a git clone from
2009 originating from http://woozle.org/~neale/repos/pysieved at commit
``d9b67036387a9a7aca954a17ff6fec44a8d309e0`` with no local modifications.

:file:`/usr/local/lib/pysieved` is a symbolic link to
:file:`/usr/local/lib/pysieved.neale/`.

.. todo:: use pysieved, python-tlslite and dovecot-sieve from distribution
   packages after OS upgrade

Risk assessments on critical packages
-------------------------------------

The whole system is outdated; it needs to be replaced as soon as possible.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Server certificate for SMTP communication from the Internet and PHPMyAdmin:

.. sslcert:: email.cacert.org
   :certfile: /etc/ssl/certs/ssl-cert-email-cacert.pem
   :keyfile: /etc/ssl/private/ssl-cert-email-cacert.key
   :serial: 11e84a
   :expiration: Mar 31 19:50:03 2018 GMT
   :sha1fp: 49:5E:55:35:F4:D5:69:B1:BD:92:14:94:38:CD:40:6D:97:A7:2A:0A
   :issuer: CAcert.org Class 1 Root CA

Server certificate for community email services (SMTPS, SMTP submission in
Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved):

* :file:`/etc/ssl/certs/ssl-cert-community-cacert.pem` server certificate
* :file:`/etc/ssl/private/ssl-cert-community-cacert.key` server key

* :file:`/etc/postfix/dh_1024.pem` and :file:`/etc/postfix/dh_512.pem`
  Diffie-Hellman parameter files for Postfix

.. seealso::

   * :doc:`../certlist`
   * :wiki:`SystemAdministration/CertificateList`

Apache configuration
--------------------

:file:`/etc/apache2/sites-available/adminssl` configures a VirtualHost that
allows dedicated users to access a PHPMyAdmin instance. The allowed users are
authenticated by client certificates and are authorized by an entry in
:file:`/etc/apache2/phpmyadmin.passwd`.

.. note::

   To authorize a user you need the subject distinguished name of the user's
   client certificate, which can be extracted with::

      openssl x509 -noout -subject -in certificate.crt

   A line with the subject distinguished name and the fake password
   ``xxj31ZMTZzkVA``, separated by a colon, has to be added to
   :file:`/etc/apache2/phpmyadmin.passwd`::

      /CN=Example User/emailAddress=example@cacert.org:xxj31ZMTZzkVA

.. seealso::

   FakeBasicAuth option of the `SSLOptions
   <https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions>`_
   directive in the mod_ssl reference documentation.
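
The note above describes the FakeBasicAuth authorization step by hand. The
following added example (not part of the CAcert infradocs) wraps it in a small
sh script: it turns the ``subject=`` line that ``openssl x509 -noout -subject``
prints into the ``DN:xxj31ZMTZzkVA`` form the password file expects and appends
it only when that DN is not present yet, so a repeated run cannot produce
duplicate entries. The function names and the file argument are this example's
own; the password string and file path are the ones documented above. The
``subject= /CN=...`` form is what OpenSSL 0.9.8 on Lenny prints; newer OpenSSL
releases print the DN comma-separated by default, and the slash-separated form
that mod_ssl 2.2 matches against can be requested with ``-nameopt compat``.

```shell
#!/bin/sh
# Added example, not from the CAcert infradocs: build and idempotently add a
# mod_ssl FakeBasicAuth entry for a client certificate subject.

# Fixed FakeBasicAuth password as documented for phpmyadmin.passwd.
FAKE_PASSWORD='xxj31ZMTZzkVA'

# Reduce "subject= /CN=..." (OpenSSL 0.9.8) or "subject=/CN=..." to the bare
# one-line DN that mod_ssl presents as the fake user name.
subject_to_dn() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//'
}

# Complete passwd line for a given "subject=..." line.
fakebasic_line() {
    printf '%s:%s\n' "$(subject_to_dn "$1")" "$FAKE_PASSWORD"
}

# Add the DN to the passwd file unless it is already authorised.
# Prints "added" or "exists" so the caller (or a test) can check the outcome.
# Usage: authorize_dn /etc/apache2/phpmyadmin.passwd "$(openssl x509 -noout -subject -in certificate.crt)"
authorize_dn() {
    _file="$1"
    _line="$(fakebasic_line "$2")"
    _dn="$(subject_to_dn "$2")"
    [ -e "$_file" ] || : > "$_file"
    # Match on the DN prefix (fixed string, anchored) so a stale line with a
    # different password is still recognised as an existing authorisation.
    if grep -Fq "$_dn:" "$_file" && grep -F "$_dn:" "$_file" | grep -q "^$(printf '%s' "$_dn" | sed 's/[][\.*^$/]/\\&/g'):"; then
        echo exists
    else
        printf '%s\n' "$_line" >> "$_file"
        echo added
    fi
}
```

Removing access is the reverse operation on the same file; since Apache reads
the file on each request, no reload is needed for either change. Because the
user name is the full DN, a certificate renewed with the same subject keeps
working, while any change to the subject (a new email address, for instance)
requires a new line.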

MySQL configuration
-------------------

MySQL configuration is stored in the :file:`/etc/mysql/` directory.

NSS configuration
-----------------

The libc name service switch is configured to use MySQL lookups for passwd,
group and shadow via :file:`/etc/nsswitch.conf`. The queries are configured in
:file:`/etc/libnss-mysql.cfg` and the root user for reading shadow information
is configured in :file:`/etc/libnss-mysql-root.cfg`.

PHPMyAdmin configuration
------------------------

PHPMyAdmin configuration is stored in the :file:`/etc/phpmyadmin/` directory.

Dovecot configuration
---------------------

Dovecot configuration is stored in the :file:`/etc/dovecot/` directory. The
database settings are stored in
:file:`dovecot-sql-masterpassword-webmail.conf`.

Postfix configuration
---------------------

Postfix configuration is stored in the :file:`/etc/postfix/` directory. The
following files are specific to this setup:

+----------------+-------------------------------------------------------------+
| File           | Used for                                                    |
+================+=============================================================+
| arbitration    | rewrite recipients matching specific regular expressions to |
|                | support+deletedaccounts@cacert.org and                      |
|                | support@issue.cacert.org                                    |
+----------------+-------------------------------------------------------------+
| cacert-inc-bcc | used as recipient_bcc_maps for specific functional mail     |
|                | addresses                                                   |
+----------------+-------------------------------------------------------------+
| main.cf        | the main configuration file                                 |
+----------------+-------------------------------------------------------------+
| master.cf      | adds configuration for the community SMTPS and SMTP         |
|                | submission transports                                       |
+----------------+-------------------------------------------------------------+
| mysql-\*.cf    | configuration of several MySQL queries for alias mapping,   |
|                | Postfix operates on views for the user table                |
+----------------+-------------------------------------------------------------+
| transport      | forward email for lists.cacert.org to :doc:`lists` and for  |
|                | issue.cacert.org to :doc:`issue`                            |
+----------------+-------------------------------------------------------------+

.. todo:: consider sending all outgoing mail via :doc:`emailout`

.. todo:: remove unused transports from :file:`master.cf`

PySieved configuration
----------------------

PySieved is configured in :file:`/usr/local/etc/pysieved.ini` and
:file:`/usr/local/etc/pysieved-notls.ini`. Pysieved uses dovecot for
authentication.

Rsyslog configuration
---------------------

Rsyslog is configured in :file:`/etc/rsyslog.conf`, which includes files in
:file:`/etc/rsyslog.d/`. Consumption of kernel log messages and network input
is disabled. :file:`/etc/rsyslog.d/postfix.conf` configures a separate Unix
socket to receive log messages from Postfix, and
:file:`/etc/rsyslog.d/remotelog.conf` contains commented-out settings for a
non-existent remote syslog server.

.. todo:: set up remote logging when a central logging container is available

Xinetd configuration
--------------------

Xinetd listens on TCP ports 2000 and 2001 and spawns pysieved. Configuration for
these listeners is stored in :file:`/etc/xinetd.d/pysieved` and
:file:`/etc/xinetd.d/pysieved-notls`.

Tasks
=====

Planned
-------

.. todo:: implement CRL checking

.. todo:: set up IPv6

Changes
=======

System Future
-------------

.. todo::
   The system has to be replaced with a new system using a current operating
   system version.

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wiki page for this system
   :wiki:`SystemAdministration/Systems/Email`