8bf2aabeac627c67c7a412b7356a1ece28a8c262
[cacert-infradocs.git] / docs / systems / emailout.rst
.. index::
   single: Systems; Emailout

========
Emailout
========

Purpose
=======

This system is used as the outgoing mail relay for other infrastructure
services.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_jselzer`

Contact
-------

* emailout-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.
31
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.239`
:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
:IP Internal: :ip:v4:`10.0.0.32`
:MAC address: :mac:`00:ff:12:01:65:02` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Emailout

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
emailout.cacert.org.       IN A     213.154.225.239
emailout.cacert.org.       IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
emailout.cacert.org.       IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
emailout.cacert.org.       IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
emailout.cacert.org.       IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
emailout.cacert.org.       IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
emailout.cacert.org.       IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
emailout.intra.cacert.org. IN A     172.16.2.32
========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

The following packages were installed after the container setup::

   apt-get install vim-nox screen aptitude git etckeeper postfix \
      postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
      heirloom-mailx netcat-openbsd swaks
93
Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | intranet  | mail delivery from intranet MTAs        |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: OpenDKIM
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| OpenDKIM           | DKIM signing       | init script                            |
|                    | daemon             | :file:`/etc/init.d/opendkim`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, and    |                                        |
|                    | mail relay for     |                                        |
|                    | infrastructure     |                                        |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* SMTP (25/tcp) from other infrastructure systems

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* ftp.nl.debian.org as Debian mirror
* security.debian.org for Debian security updates
* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
162
Security
========

.. sshkeys::
   :RSA: 56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
   :DSA: 6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
   :ECDSA: cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4

.. todo:: setup ED25519 ssh host key

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments on critical packages
-------------------------------------

Postfix has a very good security reputation. The system is patched regularly.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. todo:: setup a proper certificate for incoming STARTTLS

.. use the sslcert directive to have certificates added to the certificate list
   automatically

.. .. sslcert:: template.cacert.org
      :altnames:
      :certfile:
      :keyfile:
      :serial:
      :expiration:
      :sha1fp:
      :issuer:

.. * `/etc/apache2/ssl/cacert-certs.pem` CAcert.org Class 1 and Class 3 CA
     certificates (allowed CA certificates for client certificates)
   * `/etc/apache2/ssl/cacert-chain.pem` CAcert.org Class 1 certificate
     (certificate chain for server certificate)

.. index::
   pair: DKIM; Private Key
   see: DKIM; OpenDKIM

* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
  :term:`DKIM` signing by OpenDKIM.

.. index::
   pair: DKIM; DNS
   see: DNS; OpenDKIM

* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
  the public component of the DKIM signing key.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Postfix; configuration

Postfix configuration
---------------------

Postfix has been configured as outgoing email relay with very few changes to
the default configuration.

The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.

The Postfix configuration files :file:`/etc/postfix/main.cf` and
:file:`/etc/postfix/dynamic_maps.cf` have been modified to:

* set infrastructure related host and network parameters
* allow regular expressions in maps
* activate opportunistic TLS
* prepare for DKIM support
* disable local delivery

.. literalinclude:: ../configdiff/emailout/postfix.diff
   :language: diff

Emails sent to specific intranet hostnames are rewritten to their respective
admin addresses in :file:`/etc/postfix/canonical_maps`:

.. literalinclude:: ../configdiff/emailout/canonical_maps
   :language: text

Emails sent to specific cacert.org hostnames are forwarded via
:file:`/etc/postfix/transport`:

.. literalinclude:: ../configdiff/emailout/transport
   :language: text

:file:`/etc/postfix/transport` has to be rehashed if it is changed because
Postfix uses a binary representation in :file:`/etc/postfix/transport.db`. To
perform the rehashing and restart Postfix use::

   postmap hash:/etc/postfix/transport
   service postfix restart
266
.. index::
   pair: OpenDKIM; configuration

OpenDKIM configuration
----------------------

.. todo::
   enable OpenDKIM in Postfix configuration when the DNS record is in place and
   :doc:`email` is ready for DKIM too or is configured to send mail via
   emailout.

The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
following lines have been added:

.. code:: diff

   --- wheezy-chroot/etc/opendkim.conf	2013-01-09 04:10:46.000000000 +0100
   +++ vm-emailout/rootfs/etc/opendkim.conf	2015-02-02 15:47:58.161884259 +0100
   @@ -13,6 +13,12 @@
    #Domain example.com
    #KeyFile /etc/mail/dkim.key
    #Selector 2007
   +Domain cacert.org
   +KeyFile /etc/dkim/2015.private
   +Selector 2015
   +
   +Socket /var/spool/postfix/opendkim/opendkim.sock
   +InternalHosts /etc/dkim/internalhosts
    
    # Commonly-used options; the commented-out versions show the defaults.
    #Canonicalization simple
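
Review bot: ``+Socket /var/spool/postfix/opendkim/opendkim.sock`` places the milter socket inside the Postfix spool, which is what a chrooted smtpd needs to reach it, but the hunk adds no ``UMask`` or ``UserID`` line and the page nowhere records how :file:`/var/spool/postfix/opendkim` is created and owned, so whether the ``postfix`` user can connect to the socket is left to package defaults; add those two settings (or the directory ownership) next to the diff, and consider the ``local:`` prefix on the socket specification so the socket type is explicit rather than implied by the bare path.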
298
The key has been generated with::

   mkdir /etc/dkim
   cd /etc/dkim
   opendkim-genkey -d cacert.org -s 2015

Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::

   127.0.0.1
   10.0.0.0/24
   172.16.2.0/24
310
311
312 Tasks
313 =====
314
315 Planned
316 -------
317
318 .. todo:: update the system to Debian Jessie
319 .. todo:: setup IPv6
320
321 Changes
322 =======
323
324 System Future
325 -------------
326
327 * No plans
328
329 Additional documentation
330 ========================
331
332 .. seealso::
333
334 * :wiki:`PostfixConfiguration`
335
336 References
337 ----------
338
339 Postfix documentation
340 http://www.postfix.org/documentation.html
341 Postfix Debian wiki page
342 https://wiki.debian.org/Postfix
343 OpenDKIM documentation
344 http://www.opendkim.org/docs.html