Email

Purpose

This system handles email for @cacert.org addresses. It also provides users of @cacert.org with IMAPS and POP3S access to their accounts. The system also provides the API part of the CAcert community self service system.

Administration

System Administration

Application Administration

Application       Administrator(s)
----------------  ----------------
self service API  Jan Dittberner

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:

213.154.225.228

IP Intranet:

172.16.2.19

IP Internal:

10.0.0.19

IPv6:

2001:7b8:616:162:2::228

MAC address:

00:ff:8f:e0:4a:90 (eth0)

See also

See Network

Monitoring

internal checks:

Monitoring checks for email.infra.cacert.org

DNS

Name                     Type      Content
-----------------------  --------  ----------------------------------------------------------------
email.cacert.org.        IN A      213.154.225.228
email.cacert.org.        IN AAAA   2001:7b8:616:162:2::228
email.cacert.org.        IN SSHFP  1 1 bf391fd72656a275524d1d25a624c6045b44ae90
email.cacert.org.        IN SSHFP  1 2 c8b68f3eb9a83902391b78686b4885a317fac0f74b0490a78b32ecbbee921df1
email.cacert.org.        IN SSHFP  3 1 5ffbc51c37cdff52db9c488c08b89af9ffee06a0
email.cacert.org.        IN SSHFP  3 2 a114de78fc26bd0dc6fa2206d7c04519ec875023cf203e446d4bbbbc4e24da19
email.cacert.org.        IN SSHFP  4 1 18418515e94817f0624bf0a192331addf878ff66
email.cacert.org.        IN SSHFP  4 2 d4fe3165206ba69baf4643253138561789918688375ed8ab89bcfc4411535221
email.intra.cacert.org.  IN A      172.16.2.19
email.infra.cacert.org.  IN A      10.0.0.19

A DKIM record for cacert.org is set up, but no DKIM signing is active currently.

Todo

setup DKIM properly, see #696 for an older discussion

Operating System

  • Debian GNU/Linux 11 Bullseye

Services

Listening services

Port      Service  Origin     Purpose
--------  -------  ---------  --------------------------------------------------
22/tcp    ssh      ANY        admin console access
25/tcp    smtp     ANY        mail receiver for cacert.org
80/tcp    http     ANY        redirect to https
110/tcp   pop3     ANY        POP3 access for cacert.org mail addresses
143/tcp   imap     ANY        IMAP access for cacert.org mail addresses
443/tcp   https    ANY        Webserver for community.cacert.org
465/tcp   smtps    ANY        SMTPS for cacert.org mail addresses
587/tcp   smtp     ANY        mail submission for cacert.org mail addresses
993/tcp   imaps    ANY        IMAPS access for cacert.org mail addresses
995/tcp   pop3s    ANY        POP3S access for cacert.org mail addresses
4190/tcp  sieve    ANY        Manage sieve access for cacert.org mail addresses
3306/tcp  mysql    local      MariaDB database server
5665/tcp  icinga2  monitor    remote monitoring service
9443/tcp  https    community  self service API

Running services

Service                 Usage                                       Start mechanism
----------------------  ------------------------------------------  -------------------------------------------
cacert-selfservice-api  CAcert community self service API           systemd unit cacert-selfservice-api.service
cron                    job scheduler                               systemd unit cron.service
dbus-daemon             System message bus daemon                   systemd unit dbus.service
dovecot                 IMAP(s), POP3(s) and sieve filter daemon    systemd unit dovecot.service
fail2ban                Fail2Ban service                            systemd unit fail2ban.service
icinga2                 Icinga2 monitoring agent                    systemd unit icinga2.service
MariaDB                 MariaDB database server for email services  systemd unit mariadb.service
nginx                   Web server for community.cacert.org         systemd unit nginx.service
openssh server          ssh daemon for remote administration        systemd unit ssh.service
Postfix                 SMTP server for cacert.org                  systemd unit postfix.service
Puppet agent            configuration management agent              systemd unit puppet.service
rsyslog                 syslog daemon                               systemd unit rsyslog.service

Databases

RDBMS    Name         Used for
-------  -----------  --------------------------------
MariaDB  cacertusers  database for dovecot and postfix

Connected Systems

  • Monitor

  • Community

  • all @cacert.org address owners have access to POP3 (STARTTLS and POP3S), IMAP (STARTTLS and IMAPS), SMTPS, SMTP submission (STARTTLS) and manage sieve

Outbound network connections

  • DNS (53) resolver at 10.0.0.1 (Infra02)

  • Issue for OTRS mail

  • Lists for mailing lists

  • Proxyout as HTTP proxy for APT

  • Puppet (tcp/8140) as Puppet master

  • Webstatic as backend for the community.cacert.org web content

  • arbitrary Internet SMTP servers for outgoing mail

Security

SSH host keys

Algorithm  Fingerprints
---------  ---------------------------------------------------------------------------------------------------
RSA        SHA256:yLaPPrmoOQI5G3hoa0iFoxf6wPdLBJCnizLsu+6SHfE, MD5:a1:d2:17:53:6b:0f:b6:a4:14:13:46:f7:04:ef:4a:23
DSA        -
ECDSA      SHA256:oRTeePwmvQ3G+iIG18BFGeyHUCPPID5EbUu7vE4k2hk, MD5:16:95:af:c9:71:f4:d8:f7:91:7f:f7:2f:25:b3:f1:63
ED25519    SHA256:1P4xZSBrppuvRkMlMThWF4mRhog3Xtiribz8RBFTUiE, MD5:db:1e:68:3f:dd:b0:bb:68:c8:8b:cb:39:85:7d:f7:40
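The SSHFP records in the DNS section and the fingerprints in this table describe the same keys in two encodings: an SSHFP type-2 record carries the raw SHA-256 digest of the host key as hex, while OpenSSH prints the same digest as SHA256: followed by unpadded base64. The following script is an added example (not code from the CAcert infrastructure repositories) that parses the SSHFP records as listed above, converts each SHA-256 record to OpenSSH form and reports whether it agrees with the published fingerprint for the same algorithm. The zone excerpt and fingerprint table inside the script are copied from this page; the SHA-1 (type 1) records are parsed and validated for length but cannot be compared, because the table above lists SHA256 and MD5 only. Clients only act on these records with VerifyHostKeyDNS enabled, and only trust them when the resolver validates DNSSEC; ssh-keygen -r email.cacert.org regenerates the records from the host's public keys after a key rotation.

```python
"""Cross-check SSHFP DNS records against OpenSSH host-key fingerprints.

Added example for this page, not part of the CAcert infrastructure code.
The records and fingerprints below are copied from the tables on this page;
the check itself is generic and works for any host.
"""
import base64
import re
from typing import Dict, List, Tuple

# SSHFP algorithm and fingerprint-type codes (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
SSHFP_FP_TYPES = {1: ("SHA1", 40), 2: ("SHA256", 64)}  # name, hex length

# Input taken from the DNS table above (constructed zone-file layout).
SSHFP_ZONE = """
email.cacert.org.  IN SSHFP 1 1 bf391fd72656a275524d1d25a624c6045b44ae90
email.cacert.org.  IN SSHFP 1 2 c8b68f3eb9a83902391b78686b4885a317fac0f74b0490a78b32ecbbee921df1
email.cacert.org.  IN SSHFP 3 1 5ffbc51c37cdff52db9c488c08b89af9ffee06a0
email.cacert.org.  IN SSHFP 3 2 a114de78fc26bd0dc6fa2206d7c04519ec875023cf203e446d4bbbbc4e24da19
email.cacert.org.  IN SSHFP 4 1 18418515e94817f0624bf0a192331addf878ff66
email.cacert.org.  IN SSHFP 4 2 d4fe3165206ba69baf4643253138561789918688375ed8ab89bcfc4411535221
"""

# SHA256 fingerprints from the "SSH host keys" table, in OpenSSH display form.
HOST_KEY_FINGERPRINTS = {
    "RSA": "SHA256:yLaPPrmoOQI5G3hoa0iFoxf6wPdLBJCnizLsu+6SHfE",
    "ECDSA": "SHA256:oRTeePwmvQ3G+iIG18BFGeyHUCPPID5EbUu7vE4k2hk",
    "ED25519": "SHA256:1P4xZSBrppuvRkMlMThWF4mRhog3Xtiribz8RBFTUiE",
}

# owner [ttl] IN SSHFP <alg> <fptype> <hex digest>
_SSHFP_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SSHFP\s+(?P<alg>\d+)\s+(?P<fptype>\d+)"
    r"\s+(?P<hexfp>[0-9a-fA-F]+)\s*$"
)


def sshfp_to_openssh(hex_digest: str) -> str:
    """Convert an SSHFP type-2 (SHA-256) hex digest to the 'SHA256:<base64>'
    form printed by ssh-keygen -l -E sha256 (base64 without '=' padding)."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes, got %d" % len(raw))
    return "SHA256:" + base64.b64encode(raw).decode("ascii").rstrip("=")


def parse_sshfp_zone(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse SSHFP records into (owner, algorithm, digest type, hex digest).
    Malformed lines and digests of the wrong length raise instead of being
    skipped: a truncated record would otherwise silently never match."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        m = _SSHFP_RE.match(line.strip())
        if not m:
            raise ValueError("not an SSHFP record: %r" % line)
        alg, fptype = int(m.group("alg")), int(m.group("fptype"))
        hexfp = m.group("hexfp").lower()
        if alg not in SSHFP_ALGORITHMS or fptype not in SSHFP_FP_TYPES:
            raise ValueError("unknown algorithm or digest type in %r" % line)
        fpname, expected_len = SSHFP_FP_TYPES[fptype]
        if len(hexfp) != expected_len:
            raise ValueError("bad digest length in %r" % line)
        records.append((m.group("name"), SSHFP_ALGORITHMS[alg], fpname, hexfp))
    return records


def check_sshfp_against_host_keys(zone_text: str,
                                  fingerprints: Dict[str, str]) -> Dict[str, bool]:
    """For every SHA-256 SSHFP record, report whether it equals the published
    OpenSSH SHA256 fingerprint of the same key algorithm. SHA-1 records are
    parsed (and so validated) but not compared."""
    result: Dict[str, bool] = {}
    for _owner, alg, fpname, hexfp in parse_sshfp_zone(zone_text):
        if fpname != "SHA256":
            continue
        result[alg] = fingerprints.get(alg) == sshfp_to_openssh(hexfp)
    return result


if __name__ == "__main__":
    for alg, ok in check_sshfp_against_host_keys(SSHFP_ZONE, HOST_KEY_FINGERPRINTS).items():
        print("%-8s %s" % (alg, "matches" if ok else "MISMATCH"))
```

Run against live data by replacing SSHFP_ZONE with the output of dig +dnssec SSHFP email.cacert.org and HOST_KEY_FINGERPRINTS with what ssh-keygen -l -E sha256 -f /etc/ssh/ssh_host_*_key.pub prints on the host; a MISMATCH after a key rotation means the DNS records were not updated and VerifyHostKeyDNS clients will refuse the new key.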

Non-distribution packages and modifications

  • CAcert community self service system API

    The system runs the CAcert community self service system API developed in the CAcert Git repository cacert-selfservice-api.

    The software is installed from a Debian package that is hosted on Webstatic.

    The software is built on Jenkins via the cacert-selfservice-api Job when there are changes in Git. The Debian package can be built using gbp.

    The software is installed and configured via Puppet.

Building the cacert-selfservice-api Debian package

The cacert-selfservice-api git repository contains a debian branch that can be used to build the package.

The Debian package can be built using gbp. For a clean build environment using sbuild/schroot is recommended.

# create the clean buster build chroot once (as root)
sudo sbuild-createchroot --arch=amd64 --chroot-prefix=buster-cacert \
  --extra-repository="deb http://deb.debian.org/debian buster-backports main" \
  buster /srv/chroot/buster-cacert-amd64 http://deb.debian.org/debian
# build the package from the debian branch inside that chroot
gbp buildpackage --git-builder="sbuild --build-dep-resolver=aptitude \
  -d buster-cacert"

Uploads can be done via sftp with the debarchive user on Webstatic. You need an ssh public key in the user’s ~/.ssh/authorized_keys file. Packages are only accepted if they are signed with a GPG key whose public key is stored in the keyring of the reprepro installation on Webstatic.

Risk assessments on critical packages

Postfix and Dovecot have very good security reputation. The system is patched regularly.

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

The CAcert community self service API software is developed using Go which handles a lot of common programming errors at compile time and has a quite good security track record.

The CAcert community self service API runs as a separate user cacert-selfservice-api and is built as a small self-contained static binary. Access is restricted to HTTPS and authenticated with elliptic curve public key cryptography.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

All keys and certificates are managed in the file hieradata/nodes/email.yaml in the CAcert Git repository cacert-puppet.

Server certificate for SMTP communication from the Internet.

  • Certificate for CN email.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/email.cacert.org.chain.pem

    • private key in file /etc/ssl/private/email.cacert.org.key.pem

Server certificate for community email services (SMTPS, SMTP submission in Postfix and IMAP with STARTTLS, IMAPS, POP3 with STARTTLS, POP3S and pysieved)

  • Certificate for CN community.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/community.cacert.org.chain.pem

    • private key in file /etc/ssl/private/community.cacert.org.key.pem

The server certificate for the CAcert community self service API

  • Certificate for CN email.infra.cacert.org, see details in the certificate list

    • certificate in file /etc/cacert-selfservice-api/certs/server.crt.pem

    • private key in file /etc/cacert-selfservice-api/private/server.key.pem

Note

Postfix uses the email.cacert.org certificate for client authentication if requested by a target server.

cacert-selfservice-api configuration

The service configuration is contained in /etc/cacert-selfservice-api/config.yaml and is managed by the Puppet manifest profiles::cacert_selfservice_api.

Dovecot configuration

Dovecot configuration is stored in the /etc/dovecot/ directory. The database settings are stored in dovecot-sql.conf.ext.

MariaDB configuration

MariaDB configuration is stored in the /etc/mysql/ directory.

Postfix configuration

Postfix configuration is stored in the /etc/postfix/ directory. The following files are special for this setup:

File            Used for
--------------  --------------------------------------------------------------------------------------------------------------------
arbitration     rewrite recipients matching specific regular expressions to support+deletedaccounts@cacert.org and support@issue.cacert.org
cacert-inc-bcc  used as recipient_bcc_maps for specific functional mail addresses
main.cf         the main configuration file
master.cf       adds configuration for the community SMTPS and SMTP submission transports
mysql-*.cf      configuration of several MySQL queries for alias mapping; Postfix operates on views of the user table
transport       forward email for lists.cacert.org to Lists and for issue.cacert.org to Issue

Todo

consider to send all outgoing mail via emailout

Email storage

Mail for the account user is stored in /home/mailboxes/user/Maildir.

Todo

move mail storage to a separate data volume to allow easier backup and OS upgrades

Tasks

Adding email users

Email admins can create new email user accounts via https://selfservice.cacert.org/create-email-account. The contact email address entered in the web form will receive an email that contains a link to allow setting an initial password. Setting the initial password only works if the user authenticates with a valid client certificate for the contact email address.

Setting up mail aliases

There are two types of aliases.

  1. The first type are those that are never sent from, e.g. postmaster@cacert.org. All these aliases are defined in /etc/aliases. Don’t forget to run

    postalias /etc/aliases
    

    after any changes. Aliases for issue tracking are installed here as issuetrackingaddress : issuetrackingaddress@issue.cacert.org.

  2. The second type are those aliases that are also used to send email from, e.g. pr@cacert.org. These aliases are recorded in the aliases table of the cacertusers database. The reason for this implementation is to only allow the designated person to send email from such an address.
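The security point of the split is on the outbound side: a receive-only alias in /etc/aliases is never a valid envelope sender for any authenticated user, while a database alias is a valid sender only for the one mailbox that owns it. The following Python model is an added example, not the project's own code, and does not reproduce the real aliases table schema or the mysql-*.cf queries; it assumes the standard Postfix mechanism for such a check (smtpd_sender_login_maps consulted by reject_sender_login_mismatch, with the map backed by the aliases table), which the page implies but does not spell out. It parses a constructed /etc/aliases excerpt (including continuation lines and loop detection), resolves inbound recipients for both alias types, and answers the outbound question "may this login send as this address?".

```python
"""Model of the two alias types described above.

Added example for this page, not the CAcert project's own code: the alias
data and logins below are constructed, and the real schema of the aliases
table and the Postfix mysql-*.cf queries are not reproduced here.
"""
import sqlite3
from typing import Dict, List, Optional, Set

DOMAIN = "cacert.org"

# Constructed excerpt in aliases(5) syntax; '#' starts a comment and a line
# beginning with whitespace continues the previous entry.
ETC_ALIASES = """
# Type 1: receive-only aliases, never sent from
postmaster: root
root: hostmaster
hostmaster: admin1@example.org,
    admin2@example.org
issuetrackingaddress: issuetrackingaddress@issue.cacert.org
"""


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """Parse aliases(5) text into {name: [targets]}, lower-casing names."""
    logical: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()   # continuation line
        else:
            logical.append(line.strip())
    aliases: Dict[str, List[str]] = {}
    for entry in logical:
        name, sep, targets = entry.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed alias entry: %r" % entry)
        aliases[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return aliases


def expand_alias(aliases: Dict[str, List[str]], name: str,
                 seen: Optional[Set[str]] = None) -> List[str]:
    """Expand a local name recursively until only final addresses remain.
    Anything containing '@' is handed to the transport unchanged; a cycle
    (a: b, b: a) raises instead of recursing forever."""
    seen = set() if seen is None else seen
    key = name.lower()
    if "@" in key or key not in aliases:
        return [name]
    if key in seen:
        raise RuntimeError("alias loop at %r" % name)
    seen.add(key)
    out: List[str] = []
    for target in aliases[key]:
        out.extend(expand_alias(aliases, target, seen))
    return out


def build_alias_db() -> sqlite3.Connection:
    """Constructed stand-in for the 'aliases' table of the cacertusers
    database (Type 2): each alias address belongs to exactly one mailbox."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aliases (alias TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    db.executemany("INSERT INTO aliases VALUES (?, ?)", [
        ("pr@cacert.org", "alice"),
        ("press@cacert.org", "alice"),
        ("treasurer@cacert.org", "bob"),
    ])
    return db


def resolve_recipient(db: sqlite3.Connection, aliases: Dict[str, List[str]],
                      rcpt: str) -> List[str]:
    """Inbound side: a Type 2 alias delivers to its owner's mailbox; anything
    else for our domain goes through the /etc/aliases expansion."""
    local, _, domain = rcpt.lower().partition("@")
    if domain != DOMAIN:
        return [rcpt]
    row = db.execute("SELECT owner FROM aliases WHERE alias = ?", (rcpt.lower(),)).fetchone()
    if row is not None:
        return ["%s@%s" % (row[0], DOMAIN)]
    return expand_alias(aliases, local)


def may_send_as(db: sqlite3.Connection, login: str, mail_from: str) -> bool:
    """Outbound side, the check reject_sender_login_mismatch makes against
    smtpd_sender_login_maps (assumed to be backed by the aliases table): a
    SASL login may use its own address or an alias assigned to it. Type 1
    aliases never appear in the table, so no login can submit mail as
    postmaster@ even though mail to it is delivered."""
    addr = mail_from.lower()
    local, _, domain = addr.partition("@")
    if domain != DOMAIN:
        return False
    if local == login.lower():
        return True
    row = db.execute("SELECT owner FROM aliases WHERE alias = ?", (addr,)).fetchone()
    return row is not None and row[0] == login.lower()
```

Note that the inbound path for a Type 1 alias expands to its final targets, while the outbound path rejects it outright; that asymmetry is exactly what keeps a compromised ordinary mailbox from impersonating postmaster@ or pr@.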

Client certificate authentication

There were plans for X.509 certificate authentication for mail services, but there is no progress so far.

Changes

Planned

Todo

implement CRL checking

System Future

  • No plans

Additional documentation

See also

References

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix

Dovecot 2.x wiki

http://wiki2.dovecot.org/FrontPage