Emailout

Purpose

This system is used as outgoing mail relay for other infrastructure services.

Administration

System Administration

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.239

IP Intranet

172.16.2.10 (outbound SNAT) and 172.16.2.32

IP Internal

10.0.0.32

IPv6

2001:7b8:616:162:2::239

MAC address

00:ff:12:01:65:02 (eth0)

See also

See Network

DNS

Name

Type

Content

emailout.cacert.org.

IN A

213.154.225.239

emailout.cacert.org.

IN AAAA

2001:7b8:616:162:2::239

emailout.cacert.org.

IN SSHFP

1 1 1ba1ab632911e8a68a69521130120695086d858c

emailout.cacert.org.

IN SSHFP

1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055

emailout.cacert.org.

IN SSHFP

3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba

emailout.cacert.org.

IN SSHFP

3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d

emailout.cacert.org.

IN SSHFP

4 1 63f40df8536052d33d2d515eceb111ccb7983619

emailout.cacert.org.

IN SSHFP

4 2 4ceb488ad17ea7c8db161fdf3357e273d2ea1fe5be183794aacd7c4bfdfaa8a5

emailout.intra.cacert.org.

IN A

172.16.2.32

emailout.infra.cacert.org.

IN A

10.0.0.32

Operating System

  • Debian GNU/Linux 10.0

Applicable Documentation

The following packages where installed after the container setup:

apt-get install vim-nox screen git etckeeper postfix postfix-pcre opendkim \
  opendkim-tools man-db rsyslog logrotate \
  heirloom-mailx netcat-openbsd swaks

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

intranet

mail delivery from intranet MTAs

5665/tcp

icinga2

monitor

remote monitoring service

Running services

Service

Usage

Start mechanism

cron

job scheduler

systemd unit cron.service

dbus-daemon

System message bus daemon

systemd unit dbus.service

icinga2

Icinga2 monitoring agent

systemd unit icinga2.service

OpenDKIM

DKIM signing daemon

systemd unit opendkim.service

openssh server

ssh daemon for remote administration

systemd unit ssh.service

Postfix

SMTP server for local mail submission, and mail relay for infrastructure systems

systemd unit postfix.service

Puppet agent

configuration management agent

systemd unit puppet.service

rsyslog

syslog daemon

systemd unit rsyslog.service

Connected Systems

  • Monitor

  • SMTP (25/tcp) from other infrastructure systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • Puppet (tcp/8140) as Puppet master

  • SMTP (25/tcp) to Email, Issue and Lists

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:blDVsgNABraet7oZ0/P9LEgBW+ors9XioPjPJf8DAFU, MD5:56:09:89:92:af:3c:15:e4:a3:06:11:63:0e:be:b6:a2

DSA

-

ECDSA

SHA256:kJTc+IYFI6g1QuxMxG+8/tOW9VJbwgLP7PQtGnBEE20, MD5:cb:3c:69:c5:a1:90:c6:8e:55:40:83:6c:10:3f:09:b4

ED25519

SHA256:TOtIitF+p8jbFh/fM1fic9LqH+W+GDeUqs18S/36qKU, MD5:04:ca:72:d0:21:0a:4a:8b:a5:f7:a2:2f:10:e5:3f:92

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

Postfix has a very good security reputation. The system is patched regularly.

The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Keys and X.509 certificates

Todo

setup a proper certificate for incoming STARTTLS

  • /etc/dkim/2015.private contains the RSA private key to be used for DKIM signing by OpenDKIM.

  • /etc/dkim/2015.txt contains a textual DNS record representation for the public component of the DKIM signing key

Postfix configuration

Postfix has been configured as outgoing email relay with very little changes to the default configuration.

The mailname has been set to cacert.org in /etc/mailname.

Postfix configuration file:/etc/postfix/main.cf and /etc/postfix/dynamic_maps.cf have been modified to:

  • set infrastructure related host and network parameters

  • allow regular expressions in maps

  • activate opportunistic TLS

  • prepare for DKIM support

  • disable local delivery

# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#

compatibility_level = 2

mydomain = emailout.intra.cacert.org
myorigin = /etc/mailname

mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
myhostname = emailout.intra.cacert.org

mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

biff = no

smtp_helo_name = infrastructure.cacert.org

# TLS parameters
#
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# map internal host names to their corresponding admin addresses
canonical_maps = pcre:/etc/postfix/canonical_maps

mailbox_size_limit = 0
recipient_delimiter = +

# DKIM milter
# http://www.postfix.org/MILTER_README.html
# TODO: enable DKIM once the DNS record is in place
#smtpd_milters = unix:/opendkim/opendkim.sock
#non_smtpd_milters = $smtpd_milters

# what to do if the dkim filter fails
#milter_default_action = accept
#milter_command_timeout = 5s
#milter_connect_timeout = $milter_command_timeout
#milter_content_timeout = 45s

transport_maps = hash:/etc/postfix/transport
local_transport = error:local delivery is disabled

Emails sent to specific intranet hostnames are rewritten to their respective admin addresses in /etc/postfix/canonical_maps:

/@(.*).intra.cacert.org$/       $1-admin@cacert.org
/@(.*).infra.cacert.org$/       $1-admin@cacert.org

Emails sent to specific cacert.org hostnames are forwarded via /etc/postfix/transport:

lists.cacert.org    smtp:[lists.intra.cacert.org]
issue.cacert.org    smtp:[issue.intra.cacert.org]
cacert.org          smtp:[email.intra.cacert.org]

/etc/postfix/transport has to be rehashed if it is changed because Postfix uses a binary representation in /etc/postfix/transport.db. To perform the rehashing and restart Postfix use:

postmap hash:/etc/postfix/transport
service postfix restart

OpenDKIM configuration

Todo

enable OpenDKIM in Postfix configuration when the DNS record is in place and Email is ready for DKIM too or is configured to send mail via emailout.

The OpenDKIM configuration is stored in /etc/opendkim.conf. The following lines have been added:

--- opendkim.conf.dpkg-dist     2017-09-04 00:17:50.000000000 +0000
+++ opendkim.conf       2018-02-16 13:38:55.545110292 +0000
@@ -13,6 +13,11 @@
 #Domain                        example.com
 #KeyFile               /etc/dkimkeys/dkim.key
 #Selector              2007
+Domain                  cacert.org
+KeyFile                 /etc/dkim/2015.private
+Selector                2015
+
+InternalHosts           /etc/dkim/internalhosts

 # Commonly-used options; the commented-out versions show the defaults.
 #Canonicalization      simple
@@ -31,7 +36,7 @@
 # ##  local:/path/to/socket       to listen on a UNIX domain socket
 #
 #Socket                  inet:8892@localhost
-Socket                 local:/var/run/opendkim/opendkim.sock
+Socket                  local:/var/spool/postfix/opendkim/opendkim.sock

 ##  PidFile filename
 ###      default (none)

The key has been generated with:

mkdir /etc/dkim
cd /etc/dkim
opendkim-genkey -d cacert.org -s 2015

Internal networks have been defined in /etc/dkim/internalhosts as:

127.0.0.1
10.0.0.0/24
172.16.2.0/24

Tasks

Changes

Planned

Todo

upgrade to Debian 10 (when Puppet is available)

System Future

  • No plans

Additional documentation

References

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix

OpenDKIM documentation

http://www.opendkim.org/docs.html