.. index::
   single: Systems; Emailout

========
Emailout
========

Purpose
=======

This system is used as the outgoing mail relay for other infrastructure services.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_jselzer`

Contact
-------

* emailout-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.239`
:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
:IP Internal: :ip:v4:`10.0.0.32`
:MAC address: :mac:`00:ff:12:01:65:02` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Emailout

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
emailout.cacert.org.       IN A     213.154.225.239
emailout.cacert.org.       IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
emailout.cacert.org.       IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
emailout.cacert.org.       IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
emailout.cacert.org.       IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
emailout.cacert.org.       IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
emailout.cacert.org.       IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
emailout.intra.cacert.org. IN A     172.16.2.32
========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.4

* Debian GNU/Linux 9.4

Applicable Documentation
------------------------

The following packages were installed after the container setup::

   apt-get install vim-nox screen aptitude git etckeeper postfix \
       postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
       heirloom-mailx netcat-openbsd swaks

Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | intranet  | mail delivery from intranet MTAs        |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: OpenDKIM
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: puppet agent
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/rsyslog`            |
+--------------------+--------------------+----------------------------------------+
| OpenDKIM           | DKIM signing       | init script                            |
|                    | daemon             | :file:`/etc/init.d/opendkim`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, and    |                                        |
|                    | mail relay for     |                                        |
|                    | infrastructure     |                                        |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+
| Puppet agent       | configuration      | init script :file:`/etc/init.d/puppet` |
|                    | management agent   |                                        |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* SMTP (25/tcp) from other infrastructure systems

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`proxyout` as HTTP proxy for APT
* :doc:`puppet` (tcp/8140) as Puppet master
* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`

Security
========

.. sshkeys::
   :RSA: SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
   :DSA: SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
   :ECDSA: SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
   :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92

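The SSHFP records in the DNS table and the fingerprints listed above are two encodings of the same hashes over the host's public key blobs. The following Python script, added here as an example and not part of the cacert-infradocs repository or the emailout host, computes both from a ``ssh-keyscan`` or ``ssh_host_*_key.pub`` line so the records can be checked before a DNS change (``ssh-keygen -r emailout.cacert.org`` prints the same SSHFP lines). It also handles algorithm 4 (Ed25519), for which the table currently has no record although the host has such a key. The key line embedded in the script is constructed and does not belong to the real host.

```python
"""Derive SSHFP records and ssh-keygen -l fingerprints from a host key line.

Added example, not part of the cacert-infradocs page or the emailout host.
Both the SSHFP RDATA (RFC 4255) and the SHA256:/MD5: fingerprints printed
by ssh-keygen -l are hashes over the base64-decoded public key blob
(RFC 4253 wire format).  The key used below is constructed.
"""
import base64
import hashlib
import struct

# IANA SSHFP algorithm numbers; the page's table uses 1-3 and has no
# record for the host's Ed25519 key (algorithm 4).
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length prefix."""
    return struct.pack(">I", len(data)) + data


def key_blob(pubkey_line):
    """Decode 'host keytype base64 [comment]' or 'keytype base64 [comment]'."""
    fields = pubkey_line.split()
    # ssh-keyscan output carries a leading hostname, *.pub files do not
    idx = next(i for i, f in enumerate(fields) if f in SSHFP_ALGORITHM)
    keytype, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64)
    # the blob starts with its own key-type string; both must agree
    inner_len = struct.unpack(">I", blob[:4])[0]
    inner_type = blob[4:4 + inner_len].decode()
    if inner_type != keytype:
        raise ValueError("key type mismatch: %s vs %s" % (keytype, inner_type))
    return keytype, blob


def sshfp_records(pubkey_line):
    """SSHFP RDATA strings 'algorithm fptype hexdigest' (SHA-1 and SHA-256)."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHM[keytype]
    return [
        "%d %d %s" % (alg, SSHFP_FPTYPE["sha1"], hashlib.sha1(blob).hexdigest()),
        "%d %d %s" % (alg, SSHFP_FPTYPE["sha256"], hashlib.sha256(blob).hexdigest()),
    ]


def openssh_fingerprints(pubkey_line):
    """Fingerprints as ssh-keygen -l prints them: SHA256:<base64, no padding>
    and MD5:<colon separated hex>."""
    _, blob = key_blob(pubkey_line)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {
        "SHA256": "SHA256:" + sha,
        "MD5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
    }


def fingerprint_to_hex(fingerprint):
    """Turn a SHA256:/MD5: fingerprint into the hex digest form SSHFP uses."""
    kind, value = fingerprint.split(":", 1)
    if kind == "SHA256":
        return base64.b64decode(value + "=" * (-len(value) % 4)).hex()
    if kind == "MD5":
        return value.replace(":", "")
    raise ValueError("unknown fingerprint type " + kind)


def matches_dns(pubkey_line, published_rdata):
    """True if one of the published SSHFP RDATA strings belongs to this key."""
    mine = [r.lower() for r in sshfp_records(pubkey_line)]
    return any(p.strip().lower() in mine for p in published_rdata)


# Constructed Ed25519 key line (not the host's real key): an Ed25519 blob is
# the type string followed by the 32 raw public key bytes.
CONSTRUCTED_KEY_LINE = "emailout.cacert.org ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode()

if __name__ == "__main__":
    for rdata in sshfp_records(CONSTRUCTED_KEY_LINE):
        print("emailout.cacert.org. IN SSHFP", rdata)
    print(openssh_fingerprints(CONSTRUCTED_KEY_LINE))
```

Feed it the output of ``ssh-keyscan emailout.cacert.org`` (one line per key type) and compare each result with the DNS table; a type 2 (SHA-256) record is the one worth publishing for every key, the type 1 (SHA-1) record is kept only for older resolvers.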
Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments on critical packages
-------------------------------------

Postfix has a very good security reputation: its daemons are privilege
separated and, with Debian's default :file:`master.cf`, mostly run chrooted
under an unprivileged account. The system is patched regularly.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. todo:: setup a proper certificate for incoming STARTTLS

.. index::
   pair: DKIM; Private Key
   see: DKIM; OpenDKIM

* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
  :term:`DKIM` signing by OpenDKIM; it must stay readable only by root and the
  account OpenDKIM runs as.

.. index::
   pair: DKIM; DNS
   see: DNS; OpenDKIM

* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation for
  the public component of the DKIM signing key

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Postfix; configuration

Postfix configuration
---------------------

Postfix has been configured as an outgoing email relay with very few changes to
the default configuration.

The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.

The Postfix configuration files :file:`/etc/postfix/main.cf` and
:file:`/etc/postfix/dynamic_maps.cf` have been modified to:

* set infrastructure related host and network parameters
* allow regular expressions in maps
* activate opportunistic TLS
* prepare for DKIM support
* disable local delivery

.. literalinclude:: ../configdiff/emailout/postfix-main.cf
   :language: text
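The list above describes the relay-only posture in words. The following Python script, added here as an example and not taken from the cacert-infradocs repository or the emailout host, parses a :file:`main.cf` in Postfix's own syntax and flags the settings that would turn an intranet relay into an open relay (a public range in ``mynetworks``, an ``smtpd_relay_restrictions`` without ``reject_unauth_destination``), re-enable local delivery, or switch off TLS. The embedded sample configuration is constructed for the example and is not the file included above.

```python
"""Check a Postfix main.cf for the relay-only settings this page describes.

Added example, not part of the cacert-infradocs page or the emailout host.
Parses main.cf syntax (``name = value``, continuation lines start with
whitespace, ``#`` comments at column 0) and reports settings that would turn
an intranet relay into an open relay, re-enable local delivery or disable
opportunistic TLS.  The sample below is constructed for the example.
"""
import ipaddress
import re
import sys

# Constructed sample roughly matching the modifications listed on the page.
SAMPLE_MAIN_CF = """\
# constructed sample, not the real /etc/postfix/main.cf of emailout
myhostname = emailout.cacert.org
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128
    10.0.0.0/24 172.16.2.0/24
inet_interfaces = all
local_transport = error:local delivery is disabled
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
"""

# Ranges an intranet relay may legitimately trust in mynetworks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

# Postfix's built-in default, used when mydestination is absent from main.cf.
DEFAULT_MYDESTINATION = "$myhostname, localhost.$mydomain, localhost"


def parse_main_cf(text):
    """Return {parameter: value}; a later definition overrides an earlier one."""
    params = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            # continuation line: Postfix appends it to the previous parameter
            params[current] = (params[current] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a 'name = value' line: %r" % line)
        current = name.strip()
        params[current] = value.strip()
    return params


def mynetworks(params):
    """mynetworks entries as ip_network objects ('[::1]/128' bracket form too)."""
    nets = []
    for tok in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if tok:
            nets.append(ipaddress.ip_network(
                tok.replace("[", "").replace("]", ""), strict=False))
    return nets


def check_relay(params):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for net in mynetworks(params):
        if not any(net.version == p.version and net.subnet_of(p)
                   for p in PRIVATE_RANGES):
            findings.append("mynetworks grants relaying to non-private %s" % net)
    # Postfix's built-in default already contains defer_unauth_destination;
    # only an explicit override in main.cf can drop that protection.
    relay = params.get("smtpd_relay_restrictions")
    if relay is not None and not re.search(
            r"\b(reject|defer)_unauth_destination\b", relay):
        findings.append("smtpd_relay_restrictions no longer rejects "
                        "unauthorised destinations: open relay")
    mydest = params.get("mydestination", DEFAULT_MYDESTINATION).strip()
    if mydest and not params.get("local_transport", "").startswith("error:"):
        findings.append("local delivery still enabled for: %s" % mydest)
    for p in ("smtpd_tls_security_level", "smtp_tls_security_level"):
        if params.get(p, "none") == "none":
            findings.append("%s is 'none': no opportunistic TLS" % p)
    return findings


if __name__ == "__main__":
    # usage: check_main_cf.py [/etc/postfix/main.cf]   (defaults to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAIN_CF
    problems = check_relay(parse_main_cf(source))
    print("\n".join(problems) if problems else "relay-only checks passed")
    sys.exit(1 if problems else 0)
```

``postconf -n`` prints the same ``name = value`` syntax, so ``postconf -n > /tmp/effective.cf`` followed by running the script on that file checks the effective non-default settings rather than only what is written in the file.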

Emails sent to specific intranet hostnames are rewritten to their respective
admin addresses in :file:`/etc/postfix/canonical_maps`:

.. literalinclude:: ../configdiff/emailout/canonical_maps
   :language: text

Emails sent to specific cacert.org hostnames are forwarded via
:file:`/etc/postfix/transport`:

.. literalinclude:: ../configdiff/emailout/transport
   :language: text

Postfix does not read :file:`/etc/postfix/transport` directly but its compiled
form :file:`/etc/postfix/transport.db`, so the table has to be rebuilt with
:program:`postmap` whenever the text file changes (the same holds for every
other ``hash:`` table). Afterwards a reload is sufficient; a full restart is
not needed::

   postmap hash:/etc/postfix/transport
   service postfix reload

.. index::
   pair: OpenDKIM; configuration

OpenDKIM configuration
----------------------

.. todo::
   enable OpenDKIM in Postfix configuration when the DNS record is in place and
   :doc:`email` is ready for DKIM too or is configured to send mail via
   emailout.

The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
following lines have been added:

.. code:: diff

   --- opendkim.conf.dpkg-dist 2017-09-04 00:17:50.000000000 +0000
   +++ opendkim.conf 2018-02-16 13:38:55.545110292 +0000
   @@ -13,6 +13,11 @@
    #Domain example.com
    #KeyFile /etc/dkimkeys/dkim.key
    #Selector 2007
   +Domain cacert.org
   +KeyFile /etc/dkim/2015.private
   +Selector 2015
   +
   +InternalHosts /etc/dkim/internalhosts

    # Commonly-used options; the commented-out versions show the defaults.
    #Canonicalization simple
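
   Review bot: the KeyFile added in this hunk, /etc/dkim/2015.private, has to be readable by the unprivileged account the filter drops to (opendkim under Debian's packaging), but the key generation step later on this page runs opendkim-genkey as root in /etc/dkim and documents no ownership or mode; add "chown opendkim:opendkim /etc/dkim/2015.private" and "chmod 0600 /etc/dkim/2015.private" to the procedure, otherwise signing fails because the key cannot be read. A second point on "+Domain cacert.org": Domain matches that name exactly, so mail whose From: address is under a subdomain such as emailout.intra.cacert.org is relayed unsigned unless "SubDomains yes" is also set.
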
   @@ -31,7 +36,7 @@
    # ## local:/path/to/socket to listen on a UNIX domain socket
    #
    #Socket inet:8892@localhost
   -Socket local:/var/run/opendkim/opendkim.sock
   +Socket local:/var/spool/postfix/opendkim/opendkim.sock

    ## PidFile filename
    ### default (none)
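
Review bot: moving the socket under /var/spool/postfix/ is the right choice for Debian's chrooted Postfix, but the hunk leaves out who creates the directory and how Postfix gets at the socket: /var/spool/postfix/opendkim has to exist and be writable by the opendkim user, and the ``postfix`` user needs access to the socket, typically by adding it to the opendkim group (``adduser postfix opendkim``) and checking that the ``UMask`` setting in this file leaves the socket group-accessible. When the todo above is done, the Postfix side is ``smtpd_milters = unix:/opendkim/opendkim.sock`` (path relative to the chroot) plus ``non_smtpd_milters`` for locally submitted mail.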

The key has been generated with::

   mkdir /etc/dkim
   cd /etc/dkim
   opendkim-genkey -d cacert.org -s 2015

Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::

   127.0.0.1
   10.0.0.0/24
   172.16.2.0/24
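
Before the milter is switched on, two things are worth checking: that the record in :file:`2015.txt` really carries selector ``2015`` and a usable key, and which clients the InternalHosts list makes OpenDKIM sign rather than verify. The Python script below does both and is added here as an example; it is not part of the cacert-infradocs repository or the emailout host, and its embedded record file and address list are constructed (the ``p=`` value is a placeholder, not the real cacert.org key).

```python
"""Check the OpenDKIM pieces described above before enabling the milter.

Added example, not part of the cacert-infradocs page or the emailout host.
(1) parses the DNS record file opendkim-genkey writes (2015.txt) into its
DKIM tags and checks it against the Selector in opendkim.conf; (2) evaluates
the InternalHosts list to tell whether OpenDKIM would sign (internal client)
or only verify (external client).  All embedded data is constructed.
"""
import ipaddress
import re

# Constructed stand-in for /etc/dkim/2015.txt in opendkim-genkey's layout;
# the p= value is a placeholder, not a real key.
SAMPLE_RECORD_FILE = (
    '2015._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
    '\t  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDplaceholder" )'
    '  ; ----- DKIM key 2015 for cacert.org\n'
)

# Constructed copy of the InternalHosts list shown on the page.
SAMPLE_INTERNALHOSTS = """\
127.0.0.1
10.0.0.0/24
172.16.2.0/24
"""


def parse_genkey_record(text):
    """Return (owner label, {tag: value}) from an opendkim-genkey .txt file.

    The TXT value is split into several quoted strings because one DNS
    character-string is limited to 255 bytes; they are concatenated first.
    """
    label = text.split(None, 1)[0]
    joined = "".join(re.findall(r'"([^"]*)"', text))
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return label, tags


def check_dkim_record(text, selector):
    """Findings for the record file against the configured Selector."""
    label, tags = parse_genkey_record(text)
    findings = []
    expected = "%s._domainkey" % selector
    owner = label.rstrip(".")
    if not (owner == expected or owner.startswith(expected + ".")):
        findings.append("record owner %s does not match selector %s"
                        % (label, selector))
    if tags.get("v") != "DKIM1":
        findings.append("v= must be DKIM1, got %r" % tags.get("v"))
    if tags.get("k", "rsa") != "rsa":
        findings.append("k=%s does not match the RSA key in /etc/dkim"
                        % tags["k"])
    if not tags.get("p"):
        # RFC 6376: an empty p= means the key has been revoked
        findings.append("empty p= tag: key counts as revoked, nothing verifies")
    return findings


def parse_internalhosts(text):
    """InternalHosts entries as ip_network objects; comments and blanks skipped."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # OpenDKIM also accepts hostnames here; name matching is not
            # modelled in this example
            continue
    return nets


def is_internal(client_ip, nets):
    """True if OpenDKIM would treat the client as internal and sign its mail."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net for net in nets)


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD_FILE, "2015")
          or "record matches selector 2015")
    nets = parse_internalhosts(SAMPLE_INTERNALHOSTS)
    for host in ("172.16.2.10", "10.0.0.32", "213.154.225.1"):
        print(host, "signed" if is_internal(host, nets) else "verified only")
```

Run it on the real files with the selector from :file:`/etc/opendkim.conf`; once the record is published, ``opendkim-testkey -d cacert.org -s 2015 -vvv`` confirms that the DNS copy matches the private key.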


Tasks
=====

Planned
-------

.. todo:: setup IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Postfix documentation
   http://www.postfix.org/documentation.html
Postfix Debian wiki page
   https://wiki.debian.org/Postfix
OpenDKIM documentation
   http://www.opendkim.org/docs.html
336 OpenDKIM documentation
337 http://www.opendkim.org/docs.html