Emailout¶
Purpose¶
This system is the outgoing mail relay for the other infrastructure services.
Administration¶
System Administration¶
Primary: Jan Dittberner
Secondary: None
Contact¶
Additional People¶
No additional people have sudo access on that machine.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet: 172.16.2.10 (outbound SNAT) and 172.16.2.32
- IP Internal:
- IPv6:
- MAC address: 00:ff:12:01:65:02 (eth0)
See also: Network
Monitoring¶
- internal checks:
DNS¶
Name | Type | Content
---|---|---
emailout.cacert.org. | IN A | 213.154.225.239
emailout.cacert.org. | IN AAAA | 2001:7b8:616:162:2::239
emailout.cacert.org. | IN SSHFP | 1 1 1ba1ab632911e8a68a69521130120695086d858c
emailout.cacert.org. | IN SSHFP | 1 2 6e50d5b2034006b69eb7ba19d3f3fd2c48015bea2bb3d5e2a0f8cf25ff030055
emailout.cacert.org. | IN SSHFP | 3 1 527004f2091d2cef2c28b5f8241fc0e76307b2ba
emailout.cacert.org. | IN SSHFP | 3 2 9094dcf8860523a83542ec4cc46fbcfed396f5525bc202cfecf42d1a7044136d
emailout.cacert.org. | IN SSHFP | 4 1 63f40df8536052d33d2d515eceb111ccb7983619
emailout.cacert.org. | IN SSHFP | 4 2 4ceb488ad17ea7c8db161fdf3357e273d2ea1fe5be183794aacd7c4bfdfaa8a5
emailout.intra.cacert.org. | IN A | 172.16.2.32
emailout.infra.cacert.org. | IN A | 10.0.0.32
The SSHFP records carry the host key algorithm (1 = RSA, 3 = ECDSA, 4 = Ed25519) and the fingerprint type (1 = SHA-1, 2 = SHA-256). After a host key change they are regenerated with ssh-keygen -r emailout.cacert.org -f /etc/ssh/ssh_host_ed25519_key.pub (one run per key file). ssh clients consult them only with VerifyHostKeyDNS set, and accept them without a prompt only when the DNS answer is DNSSEC-validated; otherwise the fingerprint from DNS is displayed and the user is still asked to confirm.
See also
Operating System¶
Debian GNU/Linux 11 Bullseye
Applicable Documentation¶
The following packages were installed after the container setup:
apt-get install vim-nox screen git etckeeper postfix postfix-pcre opendkim \
opendkim-tools man-db rsyslog logrotate \
heirloom-mailx netcat-openbsd swaks
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | intranet | mail delivery from intranet MTAs
5665/tcp | icinga2 | monitor | remote monitoring service
Running services¶
Service | Usage | Start mechanism
---|---|---
cron | job scheduler | systemd unit
dbus-daemon | System message bus daemon | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
OpenDKIM | DKIM signing daemon | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Postfix | SMTP server for local mail submission, and mail relay for infrastructure systems | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
Connected Systems¶
SMTP (25/tcp) from other infrastructure systems
Outbound network connections¶
SMTP (25/tcp) to the intranet MTAs named in /etc/postfix/transport (lists.intra.cacert.org, issue.intra.cacert.org, email.intra.cacert.org) and, for every other recipient domain, to the MX hosts of that domain, since the main.cf shown below sets no relayhost
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
See also
Non-distribution packages and modifications¶
None
Risk assessments on critical packages¶
Postfix has a very good security reputation. The system is patched regularly.
The Puppet agent package and a few dependencies are installed from the official Puppet APT repository because the versions in Debian are too old to use modern Puppet features.
Critical Configuration items¶
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Keys and X.509 certificates¶
All keys and certificates are managed in the file hieradata/nodes/emailout.yaml in the CAcert Git repository cacert-puppet.
- Server certificate for STARTTLS connection encryption: certificate for CN emailout.cacert.org (see details in the certificate list), certificate in file /etc/ssl/public/emailout.cacert.org.chain.pem, private key in file /etc/ssl/private/emailout.cacert.org.key.pem
- /etc/dkim/2015.private contains the RSA private key used for DKIM signing by OpenDKIM.
- /etc/dkim/2015.txt contains the DNS TXT record representation of the public component of the DKIM signing key.
Postfix configuration¶
Postfix has been configured as an outgoing email relay with very few changes to the default configuration.
The mailname has been set to cacert.org in /etc/mailname.
The Postfix configuration files /etc/postfix/main.cf and /etc/postfix/dynamic_maps.cf have been modified to:
- set infrastructure related host and network parameters
- allow regular expressions in maps
- activate opportunistic TLS
- prepare for DKIM support
- disable local delivery
Relay permission is granted by source network alone (mynetworks, through the default smtpd_relay_restrictions); there is no SMTP authentication, so 25/tcp must stay reachable from the intranet only. Two things to be aware of in the main.cf shown below: smtpd_tls_cert_file and smtpd_tls_key_file still point at Debian's self-signed snakeoil certificate rather than the emailout.cacert.org certificate and key listed under Keys and X.509 certificates, and only smtpd_tls_security_level (inbound, from the intranet MTAs) is set. No smtp_tls_security_level appears in the excerpt, so the relay's own outbound connections are not shown to use TLS; postconf -n on the host shows whether it is set elsewhere.
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
compatibility_level = 2
mydomain = emailout.intra.cacert.org
myorigin = /etc/mailname
mydestination = emailout.cacert.org, emailout, localhost.localdomain, localhost
myhostname = emailout.intra.cacert.org
mynetworks = 172.16.2.0/24 10.0.0.0/24 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
smtp_helo_name = infrastructure.cacert.org
# TLS parameters
#
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level=may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# map internal host names to their corresponding admin addresses
canonical_maps = pcre:/etc/postfix/canonical_maps
mailbox_size_limit = 0
recipient_delimiter = +
# DKIM milter
# http://www.postfix.org/MILTER_README.html
# TODO: enable DKIM once the DNS record is in place
#smtpd_milters = unix:/opendkim/opendkim.sock
#non_smtpd_milters = $smtpd_milters
# what to do if the dkim filter fails
#milter_default_action = accept
#milter_command_timeout = 5s
#milter_connect_timeout = $milter_command_timeout
#milter_content_timeout = 45s
transport_maps = hash:/etc/postfix/transport
local_transport = error:local delivery is disabled
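Because smtpd_tls_security_level = may also accepts plaintext, whether the intranet MTAs actually encrypt can only be seen in the mail log. The following script is an added example, not part of the CAcert configuration or the cacert-puppet repository: it walks Postfix smtpd log lines, tracks STARTTLS per session and lists the clients that delivered a message in plaintext. It assumes smtpd_tls_loglevel = 1 on the relay (with the default 0 Postfix logs no TLS handshake line, and the main.cf above does not set it) and uses constructed log lines in Postfix's syslog format in place of /var/log/mail.log.

```shell
#!/bin/sh
# Added example (not a CAcert script): which clients of the relay negotiate
# STARTTLS?  smtpd_tls_security_level=may accepts plaintext as well, so the
# mail log is the only evidence.  Postfix writes the "TLS connection
# established" line only when smtpd_tls_loglevel is 1 or higher (assumption:
# set on the relay; the default is 0).  The log lines below are constructed
# in Postfix's syslog format; on the host read /var/log/mail.log instead.

LOG='Mar  1 10:00:00 emailout postfix/smtpd[2001]: connect from wiki.intra.cacert.org[172.16.2.20]
Mar  1 10:00:00 emailout postfix/smtpd[2001]: Anonymous TLS connection established from wiki.intra.cacert.org[172.16.2.20]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  1 10:00:01 emailout postfix/smtpd[2001]: 4A1B2C3D4E: client=wiki.intra.cacert.org[172.16.2.20]
Mar  1 10:00:01 emailout postfix/smtpd[2001]: disconnect from wiki.intra.cacert.org[172.16.2.20] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar  1 10:00:05 emailout postfix/smtpd[2002]: connect from puppet.infra.cacert.org[10.0.0.5]
Mar  1 10:00:05 emailout postfix/smtpd[2002]: 5B2C3D4E5F: client=puppet.infra.cacert.org[10.0.0.5]
Mar  1 10:00:05 emailout postfix/smtpd[2002]: disconnect from puppet.infra.cacert.org[10.0.0.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Mar  1 10:00:09 emailout postfix/smtpd[2001]: connect from issue.intra.cacert.org[172.16.2.21]
Mar  1 10:00:09 emailout postfix/smtpd[2001]: 6C3D4E5F60: client=issue.intra.cacert.org[172.16.2.21]
Mar  1 10:00:10 emailout postfix/smtpd[2001]: disconnect from issue.intra.cacert.org[172.16.2.21] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5'

# Reads a mail log on stdin and prints one line per accepted message:
# "<queue-id> <client> tls|plain".  State is kept per smtpd process id and
# reset on every "connect from", because one smtpd process serves many
# clients in turn (pid 2001 above handles a TLS session and then a
# plaintext one, which must not inherit the flag).
tls_per_message() {
  awk '
    match($0, /postfix\/smtpd\[[0-9]+\]/) {
      pid = substr($0, RSTART, RLENGTH)
      if ($0 ~ /\]: connect from /)          tls[pid] = 0
      if ($0 ~ /TLS connection established/) tls[pid] = 1
      if (match($0, /\]: [0-9A-Za-z]+: client=/)) {
        qid = substr($0, RSTART + 3, RLENGTH - 12)
        client = $0; sub(/.*client=/, "", client)
        print qid, client, (tls[pid] ? "tls" : "plain")
      }
      if ($0 ~ /\]: disconnect from /)       delete tls[pid]
    }'
}

# Distinct clients that delivered at least one message without TLS.
plaintext_clients() {
  tls_per_message | awk '$3 == "plain" { print $2 }' | sort -u
}

printf '%s\n' "$LOG" | tls_per_message
echo "clients delivering in plaintext:"
printf '%s\n' "$LOG" | plaintext_clients
```

On the relay, run it as tls_per_message < /var/log/mail.log. Once every intranet MTA shows up as tls, smtpd_tls_security_level can be raised from may to encrypt so that plaintext submissions are refused; as long as the snakeoil certificate is in place, the clients can only do unauthenticated opportunistic TLS anyway.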
Emails sent to specific intranet hostnames are rewritten to their respective admin addresses in /etc/postfix/canonical_maps:
/@(.*).intra.cacert.org$/ $1-admin@cacert.org
/@(.*).infra.cacert.org$/ $1-admin@cacert.org
Note that canonical_maps are applied to envelope and header sender addresses as well as to recipients (the default canonical_classes), so mail originating on an intranet host also has its sender rewritten to the admin address; use recipient_canonical_maps instead if only recipients are meant. The dots before intra, infra, cacert and org are unescaped in these patterns and therefore match any character; writing them as \. makes the match exact.
Emails sent to specific cacert.org hostnames are forwarded via /etc/postfix/transport:
lists.cacert.org smtp:[lists.intra.cacert.org]
issue.cacert.org smtp:[issue.intra.cacert.org]
cacert.org smtp:[email.intra.cacert.org]
These entries match the listed domains exactly; other subdomains of cacert.org are not covered unless a .cacert.org entry is added (transport_maps is not part of parent_domain_matches_subdomains by default) and are delivered through their own MX records. The square brackets around the next hop suppress the MX lookup for it, so Postfix connects to the address record of the intranet host directly.
/etc/postfix/transport has to be rehashed if it is changed because Postfix uses a binary representation in /etc/postfix/transport.db. To perform the rehashing and restart Postfix use:
postmap hash:/etc/postfix/transport
service postfix restart
A postfix reload is enough to pick up the rebuilt map; the full restart is not required. The pcre canonical map needs no postmap step, it is read as text.
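To predict what the two maps do to an address without touching the running relay, the following shell script emulates the pcre canonical rewriting and the transport(5) lookup order, including the subdomain case that the bare cacert.org entry does not cover. It is an added example, not a CAcert script: the map contents are copied from this page, the addresses fed in are constructed.

```shell
#!/bin/sh
# Added example (not a CAcert script): emulate the address handling of this
# relay so the effect of a map change can be reasoned about in advance.
# Map contents are copied from the page; the input addresses are constructed.
# On the host itself the authoritative single-key checks are
#   postmap -q 'root@wiki.intra.cacert.org' pcre:/etc/postfix/canonical_maps
#   postmap -q 'lists.cacert.org' hash:/etc/postfix/transport

# /etc/postfix/canonical_maps: the first matching pattern wins and its result
# replaces the whole address.  Both pcre patterns are expressed as one sed -E
# expression with the same (.*) capture group.
canonical_rewrite() {
  case "$1" in
    *@*.intra.cacert.org|*@*.infra.cacert.org)
      printf '%s\n' "$1" |
        sed -E 's/^.*@(.*)\.(intra|infra)\.cacert\.org$/\1-admin@cacert.org/' ;;
    *)
      printf '%s\n' "$1" ;;
  esac
}

# /etc/postfix/transport as "key transport:nexthop" lines.
TRANSPORT='lists.cacert.org smtp:[lists.intra.cacert.org]
issue.cacert.org smtp:[issue.intra.cacert.org]
cacert.org smtp:[email.intra.cacert.org]'

# Exact key lookup; returns non-zero when the key is absent.
transport_key() {
  printf '%s\n' "$TRANSPORT" |
    awk -v k="$1" '$1 == k { print $2; found = 1; exit } END { if (!found) exit 1 }'
}

# transport(5) lookup order for user@domain: the full address, then the bare
# domain, then ".parent" for every parent domain.  A bare "cacert.org" entry
# therefore does not catch wiki.cacert.org, because transport_maps is not in
# parent_domain_matches_subdomains by default.
transport_lookup() {
  addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  domain=${addr#*@}
  r=$(transport_key "$addr") && { printf '%s\n' "$r"; return 0; }
  r=$(transport_key "$domain") && { printf '%s\n' "$r"; return 0; }
  p=$domain
  while [ "${p#*.}" != "$p" ]; do
    p=${p#*.}
    r=$(transport_key ".$p") && { printf '%s\n' "$r"; return 0; }
  done
  printf 'default transport (DNS MX lookup for %s)\n' "$domain"
}

# cleanup(8) applies canonical_maps before trivial-rewrite(8) resolves the
# transport, so the transport lookup sees the rewritten address.
route() {
  rcpt=$(canonical_rewrite "$1")
  printf '%s -> %s via %s\n' "$1" "$rcpt" "$(transport_lookup "$rcpt")"
}

route root@wiki.intra.cacert.org
route root@puppet.infra.cacert.org
route support@issue.cacert.org
route someone@wiki.cacert.org
route someone@example.org
```

Because canonical_maps apply to sender addresses too, canonical_rewrite also describes what happens to the From: of mail submitted by an intranet host. postmap -q against the real files remains the authoritative answer for one key; the emulation is for reasoning about the lookup order.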
OpenDKIM configuration¶
Todo
Enable OpenDKIM in the Postfix configuration once the DNS record is in place and the email host is either ready for DKIM itself or configured to send its mail via emailout.
The OpenDKIM configuration is stored in /etc/opendkim.conf. The following lines have been added (diff against the packaged default):
--- opendkim.conf.dpkg-dist 2017-09-04 00:17:50.000000000 +0000
+++ opendkim.conf 2018-02-16 13:38:55.545110292 +0000
@@ -13,6 +13,11 @@
#Domain example.com
#KeyFile /etc/dkimkeys/dkim.key
#Selector 2007
+Domain cacert.org
+KeyFile /etc/dkim/2015.private
+Selector 2015
+
+InternalHosts /etc/dkim/internalhosts
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
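Review bot: KeyFile /etc/dkim/2015.private has to be owned by the opendkim user and unreadable by anyone else (mode 0600), and nothing in this hunk or in the key generation steps on this page sets or documents those permissions; add a chown opendkim:opendkim and chmod 0600 step beside the opendkim-genkey call. Second, with Domain cacert.org and no SubDomains line, a message whose From: still reads root@wiki.intra.cacert.org when the milter inspects it is not selected for signing, so after enabling, confirm with a test message that the From: address has already been rewritten to cacert.org at that point, or add SubDomains yes.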
@@ -31,7 +36,7 @@
# ## local:/path/to/socket to listen on a UNIX domain socket
#
#Socket inet:8892@localhost
-Socket local:/var/run/opendkim/opendkim.sock
+Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
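Review bot: the new Socket path under /var/spool/postfix is what the chrooted smtpd needs (the commented smtpd_milters = unix:/opendkim/opendkim.sock in main.cf is resolved relative to the Postfix queue directory), but the directory /var/spool/postfix/opendkim has to exist before OpenDKIM starts and the postfix user must be allowed to connect to the socket; neither is in the diff. Add the creation of that directory (owned by opendkim, group-accessible to postfix, for example adduser postfix opendkim together with UMask 007 in opendkim.conf) to the documented steps.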
The key has been generated with:
mkdir /etc/dkim
cd /etc/dkim
opendkim-genkey -d cacert.org -s 2015
opendkim-genkey writes 2015.private and 2015.txt into the current directory. No -b option was given, so the script's default key size applies; check it with openssl rsa -in /etc/dkim/2015.private -noout -text | head -n 1 and regenerate with -b 2048 if it is shorter, since RFC 8301 sets 1024 bits as the minimum and 2048-bit keys are the usual choice.
Internal networks have been defined in /etc/dkim/internalhosts
as:
127.0.0.1
10.0.0.0/24
172.16.2.0/24
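The TXT record opendkim-genkey writes to /etc/dkim/2015.txt is in BIND syntax with the key split into several quoted strings, which is neither what most DNS management interfaces accept nor directly comparable with dig output. The following script is an added example, not a CAcert script: it joins the strings, derives the record name from Domain and Selector, and checks a dig +short answer against the file. Its key file content and dig output are constructed in the layout of opendkim-genkey and dig, with a shortened dummy public key in place of the real one.

```shell
#!/bin/sh
# Added example (not a CAcert script): derive the DNS record name and the
# single-string TXT value from the BIND-style file opendkim-genkey writes,
# and compare it with what DNS currently returns.  KEYFILE_TXT and
# DIG_OUTPUT are constructed with a shortened dummy p= value; on the host use
#   /etc/dkim/2015.txt   and   dig +short TXT 2015._domainkey.cacert.org

KEYFILE_TXT='2015._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
          "p=MIIBIjANBgDUMMYKEYPART1"
          "DUMMYKEYPART2IDAQAB" )  ; ----- DKIM key 2015 for cacert.org'

DIG_OUTPUT='"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgDUMMYKEYPART1" "DUMMYKEYPART2IDAQAB"'

# Concatenate all double-quoted strings on stdin, across lines.  Both
# opendkim-genkey and dig split a long TXT record into strings of at most
# 255 bytes; the DNS meaning of the record is their concatenation.
txt_join() {
  awk '{ while (match($0, /"[^"]*"/)) {
           out = out substr($0, RSTART + 1, RLENGTH - 2)
           $0 = substr($0, RSTART + RLENGTH) } }
       END { print out }'
}

# The record name is <selector>._domainkey.<domain>; it must agree with the
# Selector and Domain lines in /etc/opendkim.conf.
dkim_record_name() { printf '%s._domainkey.%s\n' "$2" "$1"; }

# The value to paste into a DNS interface that takes one string.
dkim_txt_value() { printf '%s\n' "$KEYFILE_TXT" | txt_join; }

# Compares a dig answer (argument) with the key file; fails on a mismatch,
# for example when an older key is still published under the selector.
dns_matches_keyfile() {
  [ "$(printf '%s\n' "$1" | txt_join)" = "$(dkim_txt_value)" ]
}

dkim_record_name cacert.org 2015
dkim_txt_value
if dns_matches_keyfile "$DIG_OUTPUT"; then
  echo "published record matches /etc/dkim/2015.txt"
else
  echo "published record differs from /etc/dkim/2015.txt"
fi
```

After the record is published, the end-to-end check on the host is opendkim-testkey -d cacert.org -s 2015 -vvv, which also confirms that the published key belongs to /etc/dkim/2015.private.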
Tasks¶
Changes¶
Planned¶
System Future¶
No plans
Additional documentation¶
See also
References¶
- Postfix documentation
- Postfix Debian wiki page
- OpenDKIM documentation