Fix minor issues in system template
[cacert-infradocs.git] / docs / systems / webmail.rst
.. index::
   single: Systems; Webmail

===================
Webmail (Community)
===================

Purpose
=======

This container hosts the webmail system available at
https://community.cacert.org/ that provides web based mail access to users with
a @cacert.org email address.

The system also hosts the `board voting system`_, `staff list`_ and `email
password reset`_.

.. todo:: move `board voting system`_ to a separate container

.. todo::
   move `staff list`_ to a separate container or integrate it into some
   new self service system

.. _board voting system: https://community.cacert.org/board
.. _staff list: https://community.cacert.org/staff.php
.. _email password reset: https://community.cacert.org/password.php

Administration
==============

System Administration
---------------------

* Primary: None
* Secondary: None

.. todo:: find admins for webmail

Application Administration
--------------------------

+---------------------+-----------------------+
| Application         | Administrators        |
+=====================+=======================+
| Webmail             | :ref:`people_ulrich`, |
|                     | :ref:`people_jselzer` |
+---------------------+-----------------------+
| Board voting system | :ref:`people_jandd`   |
+---------------------+-----------------------+
| Staff list          | None                  |
+---------------------+-----------------------+
| Password reset      | None                  |
+---------------------+-----------------------+

Contact
-------

* webmail-admin@cacert.org

Additional People
-----------------

:ref:`people_jandd`, :ref:`people_mario` and :ref:`people_jselzer` have
:program:`sudo` access on that machine.

Basics
======

Physical Location
-----------------

This system is located in an :term:`LXC` container on physical machine
:doc:`infra02`.

Logical Location
----------------

:IP Internet: :ip:v4:`213.154.225.228`
:IP Intranet: :ip:v4:`172.16.2.20`
:IP Internal: :ip:v4:`10.0.0.120`
:MAC address: :mac:`00:ff:9a:a7:64:78` (eth0)

.. seealso::

   See :doc:`../network`

DNS
---

.. index::
   single: DNS records; Webmail
   single: DNS records; Community

===================== ======== ================
Name                  Type     Content
===================== ======== ================
community.cacert.org. IN CNAME email.cacert.org
===================== ======== ================

.. seealso::

   See https://wiki.cacert.org/SystemAdministration/Procedures/DNSChanges

Operating System
----------------

.. index::
   single: Debian GNU/Linux; Etch
   single: Debian GNU/Linux; 4.0

* Debian GNU/Linux 4.0

Applicable Documentation
------------------------

This is it :-)

.. seealso::

   * `Community Email Wiki Page <https://wiki.cacert.org/CommunityEmail>`_
   * `Email Account Policy <https://wiki.cacert.org/EmailAccountPolicy>`_

Services
========

Listening services
------------------

.. use the values from this table or add new lines if applicable

+----------+---------+---------+---------------------------+
| Port     | Service | Origin  | Purpose                   |
+==========+=========+=========+===========================+
| 22/tcp   | ssh     | ANY     | admin console access      |
+----------+---------+---------+---------------------------+
| 443/tcp  | https   | ANY     | Web server                |
+----------+---------+---------+---------------------------+
| 5666/tcp | nrpe    | monitor | remote monitoring service |
+----------+---------+---------+---------------------------+

.. note::

   The ssh port is reachable via NAT on email.cacert.org:12022

Running services
----------------

+--------------------+--------------------+----------------------------------------+
| Service            | Usage              | Start mechanism                        |
+====================+====================+========================================+
| openssh server     | ssh daemon for     | init script :file:`/etc/init.d/ssh`    |
|                    | remote             |                                        |
|                    | administration     |                                        |
+--------------------+--------------------+----------------------------------------+
| Apache httpd       | Webserver for      | init script                            |
|                    | Applications       | :file:`/etc/init.d/apache2`            |
+--------------------+--------------------+----------------------------------------+
| cron               | job scheduler      | init script :file:`/etc/init.d/cron`   |
+--------------------+--------------------+----------------------------------------+
| Postfix            | SMTP server for    | init script                            |
|                    | local mail         | :file:`/etc/init.d/postfix`            |
|                    | submission         |                                        |
+--------------------+--------------------+----------------------------------------+
| Nagios NRPE server | remote monitoring  | init script                            |
|                    | service queried by | :file:`/etc/init.d/nagios-nrpe-server` |
|                    | :doc:`monitor`     |                                        |
+--------------------+--------------------+----------------------------------------+

Connected Systems
-----------------

* :doc:`monitor`

Outbound network connections
----------------------------

* DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3
* :doc:`emailout` as SMTP relay
* archive.debian.org as Debian mirror
* :doc:`email` for MySQL (3306/tcp) for webmail, password reset and staff list
* :doc:`email` IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS
  (465/tcp) and SMTP Submission (587/tcp) for the webmail system

Security
========

SSH host keys
-------------

+-----------+-----------------------------------------------------+
| Algorithm | Fingerprint                                         |
+===========+=====================================================+
| RSA       | ``82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48`` |
+-----------+-----------------------------------------------------+
| DSA       | ``6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd`` |
+-----------+-----------------------------------------------------+
| ECDSA     | \-                                                  |
+-----------+-----------------------------------------------------+
| ED25519   | \-                                                  |
+-----------+-----------------------------------------------------+

.. warning::

   The system is too old to support ECDSA or ED25519 keys.

.. seealso::

   See :doc:`../sshkeys`
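
The fingerprints in the table above are the old colon-separated MD5 form, so a
current :command:`ssh-keygen` only prints comparable values with ``-l -E md5``.
The following added example (not part of this infradocs page) checks a line as
printed by ``ssh-keyscan -p 12022 email.cacert.org`` against the documented
fingerprints and refuses any key type the table does not list; the
``ssh-rsa`` key it builds in ``toy_rsa_key_line`` is a constructed dummy, not
the host's real key, so it deliberately does not match the table.

```python
import base64
import hashlib
import struct

# Fingerprints from the table above.  The colon-separated form is an MD5
# digest of the raw key blob; a current ssh-keygen prints it with "-l -E md5".
DOCUMENTED_FINGERPRINTS = {
    "ssh-rsa": "82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48",
    "ssh-dss": "6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd",
}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256", "ssh-ed25519")


def parse_key_line(line: str) -> tuple[str, bytes]:
    """Accept an ssh-keyscan/known_hosts line ("host type base64") or a plain
    public key line ("type base64 [comment]") and return (type, blob).
    The type named inside the wire-format blob must agree with the label."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1], validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
            inner = blob[4:4 + name_len].decode("ascii", "replace")
            if inner != tok:
                raise ValueError(f"key labelled {tok} but blob says {inner}")
            return tok, blob
    raise ValueError("no OpenSSH public key found in line")


def md5_fingerprint(blob: bytes) -> str:
    digest = hashlib.md5(blob).hexdigest()  # colon form used in the table
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(line: str, documented: dict[str, str]) -> bool:
    """True only if the type is documented and the fingerprint matches."""
    key_type, blob = parse_key_line(line)
    expected = documented.get(key_type)
    return expected is not None and md5_fingerprint(blob) == expected.lower()


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # 0x00 pad if high bit set
    return struct.pack(">I", len(raw)) + raw


def toy_rsa_key_line(host: str = "email.cacert.org") -> str:
    """Constructed ssh-rsa key in ssh-keyscan output format.  The modulus is a
    made-up number, not a real key, so it cannot match the documented table."""
    name = b"ssh-rsa"
    modulus = int.from_bytes(b"constructed, not a real RSA modulus", "big")
    blob = struct.pack(">I", len(name)) + name + _mpint(65537) + _mpint(modulus)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"
```

Undocumented types (ECDSA and ED25519 on this host) are rejected rather than
accepted on first use, which is the behaviour a known_hosts check should have.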
209
Non-distribution packages and modifications
-------------------------------------------

:file:`/var/www/roundcubemail` contains a `Roundcube`_ 0.2.1 installation,
probably with patches.

.. todo::

   Research whether Roundcube has been patched or not

:file:`/var/www/staff.php` is a custom-built PHP script to show a list of
people with cacert.org email addresses.

:file:`/var/www/password.php` is a custom-built PHP script to allow users to
reset their email password.

:file:`/var/www/board` contains the board voting system.

.. _Roundcube: https://roundcube.net/

Risk assessments on critical packages
-------------------------------------

The whole system is outdated, the PHP version is ancient, Roundcube is old.
Needs to be replaced as soon as possible.

Critical Configuration items
============================

Keys and X.509 certificates
---------------------------

* :file:`/etc/ssl/certs/ssl-cert-community-cacert.crt` server certificate
* :file:`/etc/ssl/private/ssl-cert-community-cacert.key` server key
* :file:`/usr/share/ca-certificates/cacert.org/` directory containing the
  CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for
  client authentication and certificate chain for server certificate) with
  symbolic links with the :command:`openssl` hashed certificate names

.. seealso::

   * :doc:`../certlist`
   * https://wiki.cacert.org/SystemAdministration/CertificateList

Apache configuration
--------------------

The Apache httpd configuration is stored in
:file:`/etc/apache2/sites-available/webmail`.

:file:`/etc/hosts`
------------------

Defines some aliases for :doc:`email` that are used by Roundcube, the password
reset script and the staff list script.

Roundcube configuration
-----------------------

The Roundcube configuration is stored in files in the
:file:`/var/www/roundcubemail/config/` directory.

Staff list script
-----------------

The staff list contains its configuration in :file:`/var/www/staff.php` itself.

.. todo::

   Put the staff list script in a git repository

Password reset script
---------------------

The password reset script contains its configuration in
:file:`/var/www/password.php` itself.

.. todo::

   Put the password reset script in a git repository

Board voting system configuration
---------------------------------

The board voting system uses a SQLite database in
:file:`/var/www/board/database.sqlite`.

.. warning::

   The board voting system software seems to be checked out from a Subversion
   repository at https://svn.cacert.cl/Software/Voting/vote that does not exist
   anymore.

.. todo::

   Put the current version of the board voting system in a git repository

Tasks
=====

Planned
-------

.. todo:: implement CRL checking

Changes
=======

System Future
-------------

.. todo::
   The system has to be replaced with a new system using a current operating
   system version

Additional documentation
========================

.. seealso::

   * https://wiki.cacert.org/PostfixConfiguration

References
----------

Webmail URL
   https://community.cacert.org/ (redirects to
   https://community.cacert.org/roundcubemail/)

Board Voting System URL
   https://community.cacert.org/board/

Password reset
   https://community.cacert.org/password.php

Staff list
   https://community.cacert.org/staff.php

Wiki page for this system
   https://wiki.cacert.org/SystemAdministration/Systems/Community