6a4851ea4e082bd95cbc6fb7570d8712938f13db
[cacert-infradocs.git] / docs / systems / webmail.rst
.. index::
   single: Systems; Webmail

===================
Webmail (Community)
===================

Purpose
=======

This container hosts the webmail system available at
https://community.cacert.org/ that provides web-based mail access to users with
a @cacert.org email address.

The system also hosts the `board voting system`_, `staff list`_ and `email
password reset`_.

.. todo:: move `board voting system`_ to a separate container

.. todo::
   move `staff list`_ to a separate container or integrate it into some
   new self-service system

.. _board voting system: https://community.cacert.org/board
.. _staff list: https://community.cacert.org/staff.php
.. _email password reset: https://community.cacert.org/password.php

Application Links
-----------------

Webmail URL
   https://community.cacert.org/ (redirects to
   https://community.cacert.org/roundcubemail/)

Board Voting System URL
   https://community.cacert.org/board/

Password reset
   https://community.cacert.org/password.php

Staff list
   https://community.cacert.org/staff.php


Administration
==============

System Administration
---------------------

* Primary: None
* Secondary: None

.. todo:: find admins for webmail

Application Administration
--------------------------

+---------------------+-----------------------+
| Application         | Administrators        |
+=====================+=======================+
| Webmail             | :ref:`people_ulrich`, |
|                     | :ref:`people_jselzer` |
+---------------------+-----------------------+
| Board voting system | :ref:`people_jandd`   |
+---------------------+-----------------------+
| Staff list          | None                  |
+---------------------+-----------------------+
| Password reset      | None                  |
+---------------------+-----------------------+

Contact
-------

* webmail-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have
:program:`sudo` access on that machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.228`
:IP Intranet: :ip:v4:`172.16.2.20`
:IP Internal: :ip:v4:`10.0.0.120`
:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webmail
   single: DNS records; Community

===================== ======== ================
Name                  Type     Content
===================== ======== ================
community.cacert.org. IN CNAME email.cacert.org
===================== ======== ================

.. seealso::

   See :wiki:`SystemAdministration/Procedures/DNSChanges`

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Etch
   single: Debian GNU/Linux; 4.0

* Debian GNU/Linux 4.0

Applicable Documentation
------------------------

This is it :-)

.. seealso::

   * :wiki:`CommunityEmail`
   * :wiki:`EmailAccountPolicy`

Services
========

Listening services
------------------

+----------+---------+---------+---------------------------+
| Port     | Service | Origin  | Purpose                   |
+==========+=========+=========+===========================+
| 22/tcp   | ssh     | ANY     | admin console access      |
+----------+---------+---------+---------------------------+
| 443/tcp  | https   | ANY     | Web server                |
+----------+---------+---------+---------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service |
+----------+---------+---------+---------------------------+

.. note::

   The ssh port is reachable via NAT on email.cacert.org:12022

Running services
----------------

.. index::
   single: openssh
   single: Apache
   single: cron
   single: Postfix
   single: nrpe

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | Applications       | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* archive.debian.org as Debian mirror
* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list
* :doc:`email` IMAP (documented as 110/tcp, which is the registered POP3 port;
  IMAP is normally 143/tcp, so verify which port is actually used), IMAPS
  (993/tcp), Manage Sieve (2001/tcp), SMTPS (465/tcp) and SMTP Submission
  (587/tcp) for the webmail system

Security
========

.. sshkeys::
   :RSA: 82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
   :DSA: 6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd

.. warning::

   The system is too old to support ECDSA or ED25519 host keys. Note that
   OpenSSH clients from 7.0 on no longer accept the DSA host key by default,
   and clients from 8.8 on reject SHA-1 signatures with the RSA host key by
   default, so connecting may require ``-oHostKeyAlgorithms=+ssh-rsa``.

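Checking the host key a client is actually offered against the fingerprints
listed above, as an added example in Python (not part of the CAcert infradocs
or its tooling): it recomputes MD5 fingerprints from ``ssh-keyscan`` output in
the colon-separated form the ``sshkeys`` directive uses, and reports a
mismatch, an undocumented key type, or a documented key the host did not
offer. The NAT host and port come from the note above; the ``ssh-keyscan``
call is the only part that needs network access, and the sample line in the
test is constructed.

```python
"""Verify the host keys offered by the webmail container against the MD5
fingerprints documented on this page.

Added example, not CAcert tooling.  OpenSSH's MD5 fingerprint is the MD5 of
the raw public key blob (the base64 field of a ``ssh-keyscan`` line), printed
as colon-separated hex pairs; that is the form older ``ssh-keygen -l`` printed
and the form listed above.
"""
import base64
import hashlib
import subprocess

# Fingerprints as documented on this page (key type -> MD5 fingerprint).
DOCUMENTED = {
    "ssh-rsa": "82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48",
    "ssh-dss": "6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd",
}


def md5_fingerprint(key_b64: str) -> str:
    """MD5 fingerprint of a base64-encoded OpenSSH public key blob."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keyscan(output: str) -> dict:
    """Map key type -> base64 blob from ``ssh-keyscan`` output.

    Lines look like ``host ssh-rsa AAAAB3...`` (``[host]:port`` when a
    non-default port is used); comment lines start with ``#``.
    """
    keys = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        _host, key_type, blob = parts[:3]
        keys[key_type] = blob
    return keys


def check_host_keys(keyscan_output: str, documented: dict = DOCUMENTED) -> dict:
    """Return {key_type: 'ok' | 'MISMATCH' | 'undocumented'} for every key the
    host offered, plus 'missing' for documented types it did not offer."""
    offered = parse_keyscan(keyscan_output)
    result = {}
    for key_type, blob in offered.items():
        if key_type not in documented:
            result[key_type] = "undocumented"
        elif md5_fingerprint(blob) == documented[key_type].lower():
            result[key_type] = "ok"
        else:
            result[key_type] = "MISMATCH"
    for key_type in documented:
        result.setdefault(key_type, "missing")
    return result


def scan_live_host(host: str = "email.cacert.org", port: int = 12022) -> str:
    """Run ssh-keyscan against the NAT address from the note above (needs
    network).  ssh-dss is disabled in OpenSSH 7.0+ clients, so the key types
    the old server can offer are requested explicitly."""
    cmd = ["ssh-keyscan", "-t", "rsa,dsa", "-p", str(port), host]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for key_type, status in sorted(check_host_keys(scan_live_host()).items()):
        print(f"{key_type:8s} {status}")
```

A ``MISMATCH`` after a planned reinstall means this page needs updating; a
``MISMATCH`` without one is the signal to stop and investigate before
accepting the key.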
Non-distribution packages and modifications
-------------------------------------------

:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation,
probably with local patches.

.. todo::

   Research whether Roundcube has been patched or not

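One way to answer the todo above: hash every file in the installed tree and
in an unpacked upstream 0.2.1 release, then list what differs. This is an
added example in Python, not part of the CAcert infradocs or of Roundcube;
the upstream directory ``/tmp/roundcubemail-0.2.1`` is an assumed location,
and ``config/``, ``temp/`` and ``logs/`` are skipped because they are
site-specific rather than patches.

```python
"""Compare the installed Roundcube tree with an unpacked upstream release to
find local patches.

Added example, not CAcert tooling.  Files are compared by SHA-256 of their
content; directories that are expected to differ per site are skipped.
"""
import hashlib
import os
from pathlib import Path

# Site-specific directories, not evidence of patching (assumed set).
SKIP_DIRS = {"config", "temp", "logs"}


def hash_tree(root: Path, skip=SKIP_DIRS) -> dict:
    """Map relative file path -> SHA-256 hex digest for every regular file."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk does not descend.
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(installed: Path, upstream: Path) -> dict:
    """Classify files as modified (differing content), added (only in the
    installed tree) or removed (only in the upstream tree)."""
    inst, up = hash_tree(installed), hash_tree(upstream)
    return {
        "modified": sorted(p for p in inst.keys() & up.keys() if inst[p] != up[p]),
        "added": sorted(inst.keys() - up.keys()),
        "removed": sorted(up.keys() - inst.keys()),
    }


if __name__ == "__main__":
    # The installed tree named on this page and an assumed location for the
    # unpacked upstream roundcubemail-0.2.1 release.
    report = compare_trees(Path("/var/www/roundcubemail"),
                           Path("/tmp/roundcubemail-0.2.1"))
    for kind, paths in report.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Anything reported as modified under ``program/`` is a candidate local patch
that has to be carried forward (or re-evaluated) when the system is replaced.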
:file:`/var/www/staff.php` is a custom-built PHP script to show a list of
people with cacert.org email addresses.

:file:`/var/www/password.php` is a custom-built PHP script to allow users to
reset their email password.

:file:`/var/www/board` contains the board voting system.

.. _Roundcube: https://roundcube.net/

Risk assessments on critical packages
-------------------------------------

The whole system is outdated: Debian GNU/Linux 4.0 (Etch) has received no
security updates since 2010, the PHP version is ancient and Roundcube 0.2.1
is many releases behind upstream. The system needs to be replaced as soon as
possible.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

.. sslcert:: community.cacert.org
   :certfile: /etc/ssl/certs/ssl-cert-community-cacert.crt
   :keyfile: /etc/ssl/private/ssl-cert-community-cacert.key
   :serial: 11e846
   :expiration: Mar 31 18:50:26 2018 GMT
   :sha1fp: F1:BC:77:BD:12:EA:69:CF:5E:5F:74:C2:6B:AD:3E:43:94:9A:7F:B4
   :altnames: DNS:community.cacert.org, DNS:nocert.community.cacert.org,
              DNS:cert.community.cacert.org, DNS:email.cacert.org,
              DNS:nocert.email.cacert.org, DNS:cert.email.cacert.org
   :issuer: CAcert.org Class 1 Root CA

* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the
  CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
  client authentication and certificate chain for server certificate) with
  symbolic links with the :command:`openssl` hashed certificate names

.. seealso::

   * :wiki:`SystemAdministration/CertificateList`

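A check of the served certificate against the values documented above, as an
added example in Python (not CAcert tooling): it recomputes the SHA-1
fingerprint from the DER encoding the way ``openssl x509 -fingerprint -sha1``
does, and computes the days left before the documented ``notAfter`` date with
a 30-day renewal lead (an assumed threshold). The network fetch is isolated in
``fetch_pem``; CAcert roots are not in most system trust stores, so no chain
validation is attempted there, and the PEM used in the test is a constructed
stand-in, not a real certificate.

```python
"""Check the certificate on community.cacert.org against the fingerprint and
expiry documented on this page.

Added example, not CAcert tooling.  The SHA-1 fingerprint is the digest of the
DER encoding (the base64 body of the PEM); the expiry string is in the
``notAfter`` format that ``openssl x509 -enddate`` prints and the page lists.
"""
import base64
import hashlib
import ssl
from datetime import datetime, timezone

# Values as documented on this page.
DOC_SHA1 = "F1:BC:77:BD:12:EA:69:CF:5E:5F:74:C2:6B:AD:3E:43:94:9A:7F:B4"
DOC_EXPIRY = "Mar 31 18:50:26 2018 GMT"
RENEWAL_LEAD_DAYS = 30  # assumed renewal lead time


def pem_to_der(pem: str) -> bytes:
    """Decode the first certificate in a PEM string to DER bytes."""
    inside, body = False, []
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode("".join(body))


def sha1_fingerprint(pem: str) -> str:
    """Colon-separated upper-case SHA-1 fingerprint, as openssl prints it."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_not_after(text: str) -> datetime:
    """Parse 'Mar 31 18:50:26 2018 GMT' into an aware UTC datetime."""
    naive = datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(not_after) - now).days


def assess(pem: str, not_after: str, now: datetime) -> dict:
    """Combine the fingerprint comparison and the expiry check."""
    left = days_remaining(not_after, now)
    return {
        "fingerprint_matches_docs": sha1_fingerprint(pem) == DOC_SHA1,
        "days_remaining": left,
        "expired": left < 0,
        "renew_now": left < RENEWAL_LEAD_DAYS,
    }


def fetch_pem(host: str = "community.cacert.org", port: int = 443) -> str:
    """Fetch the served leaf certificate (needs network).  No chain
    validation: the CAcert roots are not in most system trust stores."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    pem = fetch_pem()
    print("served fingerprint:", sha1_fingerprint(pem))
    print(assess(pem, DOC_EXPIRY, datetime.now(timezone.utc)))
```

A fingerprint that no longer matches means the certificate was renewed
without this page being updated; with the documented expiry already in the
past, ``renew_now`` and ``expired`` will both be set until the entry above is
refreshed.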
.. index::
   pair: Apache httpd; configuration

Apache httpd configuration
--------------------------

The Apache httpd configuration is stored in
:file:`/etc/apache2/sites-available/webmail`.

:file:`/etc/hosts`
------------------

Defines some aliases for :doc:`email` that are used by Roundcube, the password
reset script and the staff list script.

.. index::
   pair: Roundcube; configuration

Roundcube configuration
-----------------------

The Roundcube configuration is stored in files in the
:file:`/var/www/roundcubemail/config/` directory.

Staff list script
-----------------

The staff list script contains its configuration in :file:`/var/www/staff.php`
itself.

.. todo::

   Put the staff list script in a git repository

Password reset script
---------------------

The password reset script contains its configuration in
:file:`/var/www/password.php` itself.

.. todo::

   Put the password reset script in a git repository

Board voting system configuration
---------------------------------

The board voting system uses a SQLite database in
:file:`/var/www/board/database.sqlite`.

.. warning::

   The board voting system software seems to be checked out from a Subversion
   repository at https://svn.cacert.cl/Software/Voting/vote that does not exist
   anymore

.. todo::

   Put the current version of the board voting system in a git repository

Tasks
=====

Planned
-------

.. todo:: implement CRL checking

Changes
=======

System Future
-------------

.. todo::
   The system has to be replaced with a new system using a current operating
   system version

Additional documentation
========================

.. seealso::

   * :wiki:`PostfixConfiguration`

References
----------

Wiki page for this system
   :wiki:`SystemAdministration/Systems/Community`