Improve system documentation
[cacert-infradocs.git] / docs / systems / lists.rst
.. index::
   single: Systems; Lists

=====
Lists
=====

Purpose
=======

The system provides mailing list services under the lists.cacert.org hostname.

Application Links
-----------------

* Mailing list management and archives

  https://lists.cacert.org/


Administration
==============

System Administration
---------------------

* Primary: :ref:`people_mario`
* Secondary: :ref:`people_jandd`

Application Administration
--------------------------

+--------------+---------------------------------------------+
| Application  | Administrator(s)                            |
+==============+=============================================+
| Sympa        | :ref:`people_jandd`, :ref:`people_mario`,   |
|              | :ref:`people_ulrich`, :ref:`people_philipp` |
+--------------+---------------------------------------------+

Contact
-------

* email-admin@cacert.org

Additional People
-----------------

:ref:`people_jselzer` has :program:`sudo` access on that machine too.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.231`
:IP Intranet: :ip:v4:`172.16.2.17`
:IP Internal: :ip:v4:`10.0.0.17`
:MAC address: :mac:`00:ff:d0:13:9a:22` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Lists

=================================== ======== ============================================
Name                                Type     Content
=================================== ======== ============================================
lists.cacert.org.                   IN A     213.154.225.231
lists.cacert.org.                   IN MX    10 email.cacert.org.
lists.cacert.org.                   IN SSHFP 1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
lists.cacert.org.                   IN SSHFP 2 1 8D79E68E731ED72667F3D286C477245DF653083B
lists.cacert.org.                   IN TXT   "v=spf1 ip4:213.154.225.231 -all"
cert.lists.cacert.org.              IN CNAME lists.cacert.org.
nocert.lists.cacert.org.            IN CNAME lists.cacert.org.
lists.intra.cacert.org.             IN A     172.16.2.17
17.2.16.172.in-addr.arpa            IN PTR   lists.intra.cacert.org.
231.225.154.213.in-addr.arpa        IN CNAME 231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa IN PTR   lists.cacert.org.
=================================== ======== ============================================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

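Clients that set ``VerifyHostKeyDNS`` in :program:`ssh` trust the SSHFP records above, so the records are only useful while they still match the keys on the machine. The following check is an added example, not part of the infradocs repository; it compares the published records with fingerprints derived from the local host keys and assumes ``dig``, ``ssh-keygen`` and host keys under :file:`/etc/ssh` (the Debian default).

```shell
#!/bin/sh
# Compare the SSHFP records published in DNS for a host with the fingerprints
# of the host keys installed locally (added example; assumes dig, ssh-keygen
# and host keys under /etc/ssh).

# Canonicalise SSHFP RDATA read from stdin to "alg-type-hexfp" lines, lowercase,
# sorted, de-duplicated. Works for `dig +short` ("1 1 87F7...") and for
# `ssh-keygen -r` ("host IN SSHFP 1 1 87f7...") because the RDATA are the
# last three fields in both formats.
canonical_sshfp_set() {
    awk 'NF >= 3 { print $(NF-2) "-" $(NF-1) "-" tolower($NF) }' | sort -u
}

# Print each record of the DNS set ($1) that has no counterpart in the local
# set ($2). Both are newline-separated canonical sets; empty output means every
# published record is backed by an installed host key.
sshfp_missing_locally() {
    printf '%s\n' "$1" | while read -r rec; do
        [ -n "$rec" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$rec" || printf '%s\n' "$rec"
    done
}

# Returns 0 only if DNS publishes SSHFP records for $1 and every one of them
# matches a local host key. Records left behind after a host key was
# regenerated are listed on stderr.
verify_sshfp() {
    host=$1
    dns=$(dig +short SSHFP "$host" | canonical_sshfp_set)
    [ -n "$dns" ] || { echo "no SSHFP records published for $host" >&2; return 1; }
    local_set=$(for k in /etc/ssh/ssh_host_*_key.pub; do
                    ssh-keygen -r "$host" -f "$k"
                done | canonical_sshfp_set)
    missing=$(sshfp_missing_locally "$dns" "$local_set")
    [ -z "$missing" ] ||
        { printf 'SSHFP records without a local key:\n%s\n' "$missing" >&2; return 1; }
}
```

Current :program:`ssh-keygen` also emits SHA-256 (type 2) records while the table only publishes SHA-1 (type 1) ones, so the check asks whether each published record is backed by a key, not whether every local fingerprint is published.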
Operating System
----------------

.. index::
   single: Debian GNU/Linux; Wheezy
   single: Debian GNU/Linux; 7.11

* Debian GNU/Linux 7.11

Applicable Documentation
------------------------

This is the administration documentation.

.. seealso::

   :wiki:`EmailListOverview` for user documentation

Services
========

Listening services
------------------

+----------+---------+-----------+-------------------------------------------+
| Port     | Service | Origin    | Purpose                                   |
+==========+=========+===========+===========================================+
| 22/tcp   | ssh     | ANY       | admin console access                      |
+----------+---------+-----------+-------------------------------------------+
| 25/tcp   | smtp    | monitor,  | mail delivery to local MTA/sympa          |
|          |         | email     |                                           |
+----------+---------+-----------+-------------------------------------------+
| 80/tcp   | http    | ANY       | redirect to https                         |
+----------+---------+-----------+-------------------------------------------+
| 443/tcp  | https   | ANY       | Sympa mailing list manager and archive    |
+----------+---------+-----------+-------------------------------------------+
| 4433/tcp | https   | LOCAL     | phpmyadmin access via ssh port forwarding |
+----------+---------+-----------+-------------------------------------------+
| 5666/tcp | nrpe    | monitor   | remote monitoring service                 |
+----------+---------+-----------+-------------------------------------------+
| 3306/tcp | mysql   | local     | MySQL database for Sympa                  |
+----------+---------+-----------+-------------------------------------------+

.. topic:: PHPMyAdmin access

   Administrators can use ssh to forward the Apache httpd port 4433 to their
   own machine:

   .. code-block:: bash

      ssh -L 4433:localhost:4433 -l username lists.cacert.org

   and access PHPMyAdmin at https://localhost:4433/phpmyadmin

Running services
----------------

.. index::
   single: Apache
   single: MySQL
   single: Postfix
   single: Sympa
   single: cron
   single: nrpe
   single: openssh
   single: rsyslog

+--------------------+---------------------+----------------------------------------+
| Service            | Usage               | Start mechanism                        |
+====================+=====================+========================================+
| openssh server     | ssh daemon for      | init script :file:`/etc/init.d/ssh`    |
|                    | remote              |                                        |
|                    | administration      |                                        |
+--------------------+---------------------+----------------------------------------+
| Apache httpd       | Webserver for Sympa | init script                            |
|                    |                     | :file:`/etc/init.d/apache2`            |
+--------------------+---------------------+----------------------------------------+
| cron               | job scheduler       | init script :file:`/etc/init.d/cron`   |
+--------------------+---------------------+----------------------------------------+
| rsyslog            | syslog daemon       | init script                            |
|                    |                     | :file:`/etc/init.d/syslog`             |
+--------------------+---------------------+----------------------------------------+
| MySQL              | MySQL database      | init script                            |
|                    | server for Sympa    | :file:`/etc/init.d/mysql`              |
+--------------------+---------------------+----------------------------------------+
| Postfix            | SMTP server for     | init script                            |
|                    | local mail          | :file:`/etc/init.d/postfix`            |
|                    | submission and      |                                        |
|                    | incoming list mail  |                                        |
+--------------------+---------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring   | init script                            |
|                    | service queried by  | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`      |                                        |
+--------------------+---------------------+----------------------------------------+
| Sympa mailing list | mail list handling  | init script                            |
| services           |                     | :file:`/etc/init.d/sympa`              |
+--------------------+---------------------+----------------------------------------+

Databases
---------

+-------------+-------+-------------------------------+
| RDBMS       | Name  | Used for                      |
+=============+=======+===============================+
| MySQL       | sympa | Sympa mailing list management |
+-------------+-------+-------------------------------+

Connected Systems
-----------------

* :doc:`monitor`
* :doc:`email`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`proxyout` as HTTP proxy for APT
* arbitrary Internet SMTP servers for delivery of list mails

Security
========

.. sshkeys::
   :RSA: MD5:9a:64:3d:ab:38:91:90:88:2b:73:cb:05:8c:56:f9:c9
   :DSA: MD5:dd:ab:a6:c2:29:91:e9:81:fa:29:3c:f7:88:76:1f:f6
   :ECDSA: MD5:3c:8d:f2:a7:e8:75:1c:9a:11:13:11:2a:58:aa:9b:d1

.. todo:: setup ED25519 host key (needs update to Jessie)

Non-distribution packages and modifications
-------------------------------------------

* None

Risk assessments on critical packages
-------------------------------------

Apache httpd, Postfix and Sympa have a good security track record. Apache httpd
is configured with the minimum of required modules. PHPMyAdmin is only reachable
via ssh port forwarding.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

Server certificate used by Apache httpd (for Sympa and phpmyadmin) and by
Postfix:

.. sslcert:: lists.cacert.org
   :altnames: DNS:cert.lists.cacert.org, DNS:lists.cacert.org, DNS:nocert.lists.cacert.org
   :certfile: /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
   :keyfile: /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem
   :serial: 1381F2
   :expiration: Mar 16 10:15:10 2020 GMT
   :sha1fp: 53:D8:D7:96:AC:C6:87:B6:2F:D7:58:A7:F3:F4:33:32:A7:25:02:A9
   :issuer: CA Cert Signing Authority

* :file:`/usr/share/ca-certificates/cacert.org/cacert.org.crt`

  CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
  client certificates)

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

Apache httpd configuration
--------------------------

* :file:`/etc/apache2/sites-available/000-default.conf`

  default HTTP VirtualHost configuration that redirects to
  https://lists.cacert.org/

* :file:`/etc/apache2/sites-available/sympa-include.conf`

  common configuration for the three Sympa VirtualHost definitions

* :file:`/etc/apache2/sites-available/lists.cacert.org.conf`

  HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports
  optional client certificate authentication

* :file:`/etc/apache2/sites-available/cert.lists.cacert.org.conf`

  HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that
  requires client certificate authentication

* :file:`/etc/apache2/sites-available/nocert.lists.cacert.org.conf`

  HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that
  does not support client certificates

* :file:`/etc/apache2/sites-available/localhost_4433_phpmyadmin.conf`

  HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin

Sympa configuration
-------------------

Sympa configuration is stored in :file:`/etc/sympa/`.

* :file:`/etc/sympa/aliases`

  generated by Sympa and included in Postfix's :file:`/etc/postfix/main.cf`.
  The file contains alias definitions that pipe list emails into Sympa
  processes.

* :file:`/etc/sympa/data_sources/`

  data sources shared across lists (things we didn't want to define more than
  once). The `board` data source is defined in
  :file:`/etc/sympa/data_sources/board.incl`

  .. seealso::

     `Sympa manual`_

* :file:`/etc/sympa/sympa.conf`

  main Sympa configuration file. S/MIME configuration items must be set even if
  they appear to be the default values. ``supported_lang`` must be a subset of
  the supported system locales (see :file:`/usr/lib/sympa/locale/`), otherwise
  users cannot change their locale in Sympa.

* :file:`/etc/sympa/wwsympa.conf`

  configuration for the Sympa web interface

* :file:`/var/lib/sympa/expl/{listname}/{cert.pem,private_key}`

  list private key and certificate for `listname`

* :file:`/var/lib/sympa/x509-user-certs/{emailaddress}`

  user X.509 certificates used by Sympa


Postfix configuration
---------------------

Postfix configuration is stored in :file:`/etc/postfix/`.

.. note::

   The file :file:`/etc/aliases.db` must be writable by the `sympa` group to
   allow running :program:`newaliases` when defining new lists.

Tasks
=====

Adding a list
-------------

1. Login to Sympa at https://lists.cacert.org/wws as
   listmaster@lists.cacert.org (password stored in
   :file:`/root/sympa-listmanagerpassword.txt`).

2. Use the GUI to create the list. Set the list so that support@cacert.org can
   send email to the list without confirmation. Then, using the CAcert main web
   interface, log in and validate the list address, issue a WoT certificate for
   the list user, export (backup) the WoT certificate out of your browser and
   copy the exported PKCS#12 (p12) certificate to the list server.

3. Use::

      openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes

   to export the certificate and private key without a password.

4. Copy the certificate and private key to the location described in the Sympa
   configuration section and set up permissions::

      chown sympa:sympa /var/lib/sympa/expl/<list>/cert.pem
      chown sympa:sympa /var/lib/sympa/expl/<list>/private_key
      chmod 0600 /var/lib/sympa/expl/<list>/private_key
      chmod 0644 /var/lib/sympa/expl/<list>/cert.pem

5. Add subscribers and other owners.

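Steps 3 and 4 above, carried out as one script. This is an added example, not part of the infradocs repository; it assumes :program:`openssl` is installed and that list data lives under :file:`/var/lib/sympa/expl` as documented in the Sympa configuration section. ``openssl pkcs12 -nodes`` writes the certificate, any CA certificates and the unencrypted key into one stream, so the script separates them, checks that the key belongs to the certificate and applies the ownership and modes from step 4.

```shell
#!/bin/sh
# Install a list's S/MIME certificate and key from the PKCS#12 export into the
# Sympa list directory (added example; assumes openssl and the documented
# /var/lib/sympa/expl layout).

SYMPA_EXPL=${SYMPA_EXPL:-/var/lib/sympa/expl}
SYMPA_OWNER=${SYMPA_OWNER:-sympa:sympa}

# Split the PEM stream on stdin into a certificate file ($1) and a key file ($2).
# "Bag Attributes" lines and anything else outside BEGIN/END blocks are dropped;
# several certificates (list cert plus CA chain) all go to the certificate file.
split_pem_bundle() {
    awk -v cert="$1" -v key="$2" '
        /^-----BEGIN CERTIFICATE-----/            { out = cert }
        /^-----BEGIN (RSA |EC )?PRIVATE KEY-----/ { out = key }
        out != ""                                 { print > out }
        /^-----END /                              { out = "" }
    '
}

# Apply the ownership and modes from step 4; succeeds only if the key ended up
# readable by its owner alone.
secure_list_keys() {
    dir=$1
    chown "$SYMPA_OWNER" "$dir/cert.pem" "$dir/private_key" &&
    chmod 0644 "$dir/cert.pem" &&
    chmod 0600 "$dir/private_key" &&
    [ -n "$(find "$dir/private_key" -perm 0600)" ]
}

# Whole procedure: <p12 file> <list name>. Refuses a bundle whose key does not
# match the certificate, so a wrong export is caught before Sympa uses it.
install_list_cert() {
    p12=$1
    dir="$SYMPA_EXPL/$2"
    [ -d "$dir" ] || { echo "no list directory $dir" >&2; return 1; }
    openssl pkcs12 -in "$p12" -nodes | split_pem_bundle "$dir/cert.pem" "$dir/private_key"
    # compare the public key inside the certificate with the one derived from the key;
    # an empty cert_pub means the export or the split failed
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/private_key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    secure_list_keys "$dir"
}
```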
376 5. add subscribers/ other owners
377
378 Changes
379 =======
380
381 Planned
382 -------
383
384 .. todo:: upgrade the lists system OS to Debian 9 (Stretch)
385 .. todo:: manage the lists system using Puppet
386
387 System Future
388 -------------
389
390 * No plans
391
392 Additional documentation
393 ========================
394
395 .. seealso::
396
397 * :wiki:`PostfixConfiguration`
398
399 References
400 ----------
401
402 Apache httpd documentation
403 http://httpd.apache.org/docs/2.4/
404 Sympa manual
405 http://www.sympa.org/manual/
406 Postfix documentation
407 http://www.postfix.org/documentation.html
408 Postfix Debian wiki page
409 https://wiki.debian.org/Postfix
410
411 .. _Sympa manual: http://www.sympa.org/manual/list-definition#data_inclusion_file