.. index::
   single: Systems; Emailout

========
Emailout
========

Purpose
=======

This system is used as the outgoing mail relay for other infrastructure services.

Administration
==============

System Administration
---------------------

* Primary: :ref:`people_jandd`
* Secondary: :ref:`people_jselzer`

Contact
-------

* emailout-admin@cacert.org

Additional People
-----------------

:ref:`people_mario` has :program:`sudo` access on that machine too.
31
Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.239`
:IP Intranet: :ip:v4:`172.16.2.10` (outbound SNAT) and :ip:v4:`172.16.2.32`
:IP Internal: :ip:v4:`10.0.0.32`
:MAC address: :mac:`00:ff:12:01:65:02` (eth0)

.. seealso::

   See :doc:`../network`
52
DNS
---

.. index::
   single: DNS records; Emailout

========================== ======== ====================================================================
Name                       Type     Content
========================== ======== ====================================================================
emailout.cacert.org.       IN A     213.154.225.239
emailout.cacert.org.       IN SSHFP 1 1 1ba1ab632911e8a68a69521130120695086d858c
emailout.cacert.org.       IN SSHFP 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
emailout.cacert.org.       IN SSHFP 2 1 0e8888352604dbd1cc4d201bc1e985d80b9cf752
emailout.cacert.org.       IN SSHFP 2 2 a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c
emailout.cacert.org.       IN SSHFP 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
emailout.cacert.org.       IN SSHFP 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
emailout.intra.cacert.org. IN A     172.16.2.32
========================== ======== ====================================================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`
75
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Stretch
   single: Debian GNU/Linux; 9.3

* Debian GNU/Linux 9.3

Applicable Documentation
------------------------

The following packages were installed after the container setup::

   apt-get install vim-nox screen aptitude git etckeeper postfix \
   postfix-pcre opendkim opendkim-tools man-db rsyslog logrotate \
   heirloom-mailx netcat-openbsd swaks
93
Services
========

Listening services
------------------

+----------+-----------+-----------+-----------------------------------------+
| Port     | Service   | Origin    | Purpose                                 |
+==========+===========+===========+=========================================+
| 22/tcp   | ssh       | ANY       | admin console access                    |
+----------+-----------+-----------+-----------------------------------------+
| 25/tcp   | smtp      | intranet  | mail delivery from intranet MTAs        |
+----------+-----------+-----------+-----------------------------------------+
| 5666/tcp | nrpe      | monitor   | remote monitoring service               |
+----------+-----------+-----------+-----------------------------------------+

Running services
----------------

.. index::
   single: OpenDKIM
   single: Postfix
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| rsyslog            | syslog daemon      | init script                            |
|                    |                    | :file:`/etc/init.d/syslog`             |
+--------------------+--------------------+----------------------------------------+
| OpenDKIM           | DKIM signing       | init script                            |
|                    | daemon             | :file:`/etc/init.d/opendkim`           |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission, and    |                                        |
|                    | mail relay for     |                                        |
|                    | infrastructure     |                                        |
|                    | systems            |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* SMTP (25/tcp) from other infrastructure systems

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* :doc:`proxyout` as HTTP proxy for APT
* SMTP (25/tcp) to :doc:`email`, :doc:`issue` and :doc:`lists`
161
Security
========

.. sshkeys::
   :RSA: SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2
   :DSA: SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw MD5:6c:8d:31:c4:92:de:f0:a8:95:eb:fe:20:83:91:ca:07
   :ECDSA: SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20 MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4
   :ED25519: SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92
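The SSHFP records in the DNS table above and the host-key fingerprints listed here describe the same keys and can be cross-checked: an SSHFP type-2 digest is the SHA-256 of the host's public-key blob in hex, and the ``SHA256:`` fingerprint printed by ``ssh-keygen`` is that same digest in unpadded base64. The check below is an added example and not part of cacert-infradocs; the fingerprints and SSHFP data are copied from this page, and the function and constant names are the example's own.

```python
import base64

# SSHFP algorithm numbers (RFC 4255 / RFC 6594 / RFC 7479) and the type-2
# (SHA-256) fingerprint type from RFC 6594.
SSHFP_ALGORITHM = {"RSA": 1, "DSA": 2, "ECDSA": 3, "ED25519": 4}
SSHFP_SHA256 = 2

# Host-key fingerprints copied from the ``.. sshkeys::`` block above.
HOST_KEYS = {
    "RSA": "SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU",
    "DSA": "SHA256:p0AvAUtHuAVmPJBNq7yVkNt9jQ81DOptn2PhK8J7rAw",
    "ECDSA": "SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20",
    "ED25519": "SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU",
}

# SSHFP rdata copied from the DNS table: (algorithm, fingerprint type, digest).
DNS_SSHFP = [
    (1, 1, "1ba1ab632911e8a68a69521130120695086d858c"),
    (1, 2, "6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055"),
    (2, 1, "0e8888352604dbd1cc4d201bc1e985d80b9cf752"),
    (2, 2, "a7402f014b47b805663c904dabbc9590db7d8d0f350cea6d9f63e12bc27bac0c"),
    (3, 1, "527004f2091d2cef2c28b5f8241fc0e76307b2ba"),
    (3, 2, "9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d"),
]


def sha256_fingerprint_to_sshfp(fingerprint):
    """Convert an ssh-keygen ``SHA256:<base64>`` fingerprint to SSHFP hex."""
    label, _, b64 = fingerprint.partition(":")
    if label != "SHA256":
        raise ValueError("expected a SHA256: fingerprint, got %r" % fingerprint)
    # ssh-keygen strips the base64 padding; restore it before decoding.
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) != 32:
        raise ValueError("fingerprint does not decode to a 32-byte digest")
    return raw.hex()


def check_sshfp(host_keys, dns_records):
    """Return {key type: 'match' | 'MISMATCH' | 'not published'}."""
    published = {(alg, ftype): hexd.lower() for alg, ftype, hexd in dns_records}
    result = {}
    for key_type, fingerprint in host_keys.items():
        record = (SSHFP_ALGORITHM[key_type], SSHFP_SHA256)
        expected = sha256_fingerprint_to_sshfp(fingerprint)
        if record not in published:
            result[key_type] = "not published"   # no SSHFP for this algorithm
        elif published[record] == expected:
            result[key_type] = "match"
        else:
            result[key_type] = "MISMATCH"        # zone and host disagree
    return result
```

With the values from this page ``check_sshfp(HOST_KEYS, DNS_SSHFP)`` reports ``match`` for RSA, DSA and ECDSA and ``not published`` for ED25519, because the zone carries no algorithm-4 record; a client using ``VerifyHostKeyDNS`` therefore cannot validate the Ed25519 host key from DNS.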
170
Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments on critical packages
-------------------------------------

Postfix has a very good security reputation. The system is patched regularly.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. todo:: set up a proper certificate for incoming STARTTLS

.. index::
   pair: DKIM; Private Key
   see: DKIM; OpenDKIM

* :file:`/etc/dkim/2015.private` contains the RSA private key to be used for
  :term:`DKIM` signing by OpenDKIM.

.. index::
   pair: DKIM; DNS
   see: DNS; OpenDKIM

* :file:`/etc/dkim/2015.txt` contains a textual DNS record representation of
  the public component of the DKIM signing key.

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

.. index::
   pair: Postfix; configuration

Postfix configuration
---------------------

Postfix has been configured as an outgoing email relay with very few changes
to the default configuration.

The mailname has been set to ``cacert.org`` in :file:`/etc/mailname`.

The Postfix configuration files :file:`/etc/postfix/main.cf` and
:file:`/etc/postfix/dynamic_maps.cf` have been modified to:

* set infrastructure related host and network parameters
* allow regular expressions in maps
* activate opportunistic TLS
* prepare for DKIM support
* disable local delivery

.. literalinclude:: ../configdiff/emailout/postfix-main.cf
   :language: text

Emails sent to specific intranet hostnames are rewritten to their respective
admin addresses in :file:`/etc/postfix/canonical_maps`:

.. literalinclude:: ../configdiff/emailout/canonical_maps
   :language: text

Emails sent to specific cacert.org hostnames are forwarded via
:file:`/etc/postfix/transport`:

.. literalinclude:: ../configdiff/emailout/transport
   :language: text

:file:`/etc/postfix/transport` has to be rehashed whenever it is changed,
because Postfix reads the binary representation in
:file:`/etc/postfix/transport.db`. To rehash the map and restart Postfix, use::

   postmap hash:/etc/postfix/transport
   service postfix restart

.. index::
   pair: OpenDKIM; configuration

OpenDKIM configuration
----------------------

.. todo::
   enable OpenDKIM in Postfix configuration when the DNS record is in place and
   :doc:`email` is ready for DKIM too or is configured to send mail via
   emailout.

The OpenDKIM configuration is stored in :file:`/etc/opendkim.conf`. The
following changes have been made, shown as a diff against the packaged
default:
261
.. code:: diff

   --- opendkim.conf.dpkg-dist 2017-09-04 00:17:50.000000000 +0000
   +++ opendkim.conf 2018-02-16 13:38:55.545110292 +0000
   @@ -13,6 +13,11 @@
    #Domain example.com
    #KeyFile /etc/dkimkeys/dkim.key
    #Selector 2007
   +Domain cacert.org
   +KeyFile /etc/dkim/2015.private
   +Selector 2015
   +
   +InternalHosts /etc/dkim/internalhosts
    
    # Commonly-used options; the commented-out versions show the defaults.
    #Canonicalization simple
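Review bot: the selector pinned by ``+Selector 2015`` and the path in ``+KeyFile /etc/dkim/2015.private`` commit to two preconditions that this hunk does not show: the record generated next to the key in :file:`/etc/dkim/2015.txt` must be published as ``2015._domainkey.cacert.org`` before the milter is enabled in Postfix, and the private key file must be readable by the user OpenDKIM runs as and by nobody else. A comment line above ``+Domain cacert.org`` naming the DNS change procedure and the expected file ownership would make that dependency explicit for whoever completes the todo above.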
.. code:: diff

   @@ -31,7 +36,7 @@
    # ## local:/path/to/socket to listen on a UNIX domain socket
    #
    #Socket inet:8892@localhost
   -Socket local:/var/run/opendkim/opendkim.sock
   +Socket local:/var/spool/postfix/opendkim/opendkim.sock
    
    ## PidFile filename
    ### default (none)
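Review bot: the socket path ``local:/var/spool/postfix/opendkim/opendkim.sock`` is only reachable once an ``opendkim`` directory exists inside the Postfix spool with ownership that lets the postfix user connect, and the matching Postfix side (``smtpd_milters`` and ``non_smtpd_milters`` pointing at ``unix:/opendkim/opendkim.sock``, a path a chrooted Postfix interprets relative to its queue directory) is not part of this change, consistent with the todo above. Record the directory creation and its ownership next to this line; otherwise Postfix will fail to reach the milter when it is finally switched on.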
287
The key has been generated with::

   mkdir /etc/dkim
   cd /etc/dkim
   opendkim-genkey -d cacert.org -s 2015

Internal networks have been defined in :file:`/etc/dkim/internalhosts` as::

   127.0.0.1
   10.0.0.0/24
   172.16.2.0/24


Tasks
=====

Planned
-------

.. todo:: set up IPv6

Changes
=======

System Future
-------------

* No plans

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Postfix documentation
   http://www.postfix.org/documentation.html
Postfix Debian wiki page
   https://wiki.debian.org/Postfix
OpenDKIM documentation
   http://www.opendkim.org/docs.html
331 OpenDKIM documentation
332 http://www.opendkim.org/docs.html