Lists

Purpose

The system provides mailing list services under the lists.cacert.org hostname.

Administration

System Administration

Application Administration

Application

Administrator(s)

Sympa

Jan Dittberner, Mario Lipinski, Ulrich Schröter, Philipp Gühring

Additional People

Jochim Selzer also has sudo access on this machine.

Basics

Physical Location

This system runs in an LXC container on the physical machine Infra02.

Logical Location

IP Internet

213.154.225.231

IP Intranet

172.16.2.17

IP Internal

10.0.0.17

MAC address

00:ff:d0:13:9a:22 (eth0)

See also

See Network

DNS

Name                                  Type      Content
lists.cacert.org.                     IN A      213.154.225.231
lists.cacert.org.                     IN MX     10 email.cacert.org.
lists.cacert.org.                     IN SSHFP  1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
lists.cacert.org.                     IN SSHFP  2 1 8D79E68E731ED72667F3D286C477245DF653083B
lists.cacert.org.                     IN TXT    "v=spf1 ip4:213.154.225.231 -all"
cert.lists.cacert.org.                IN CNAME  lists.cacert.org.
nocert.lists.cacert.org.              IN CNAME  lists.cacert.org.
lists.intra.cacert.org.               IN A      172.16.2.17
17.2.16.172.in-addr.arpa              IN PTR    lists.intra.cacert.org.
231.225.154.213.in-addr.arpa          IN CNAME  231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa   IN PTR    lists.cacert.org.
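The SPF record in the table authorizes exactly one address, 213.154.225.231, and rejects everything else with "-all". List mail leaves this host directly (see the outbound connections below) with an envelope sender in the lists.cacert.org domain, so receivers evaluate this record against the host's Internet address; if outbound mail were ever routed through another relay (for example the MX, email.cacert.org), the record would have to be extended first or list mail would be rejected. The following is an added example, not part of the CAcert documentation or of Sympa: a minimal offline SPF evaluator that implements only the mechanisms present in the record (ip4/ip6 with optional CIDR prefix, all, and the four qualifiers) and refuses mechanisms that would need live DNS, so the record can be reasoned about without a resolver.

```python
"""Offline SPF evaluation for records of the lists.cacert.org shape.

Added example; not the CAcert project's code. Only ip4, ip6 and all are
implemented. include/a/mx/exists/redirect need DNS lookups and are reported
as permerror rather than silently ignored.
"""
import ipaddress

# The TXT record published for lists.cacert.org (from the DNS table above).
LISTS_SPF = "v=spf1 ip4:213.154.225.231 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip: str, record: str) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")  # splits at the first colon only,
        mech = mech.lower()                 # so ip6 literals survive intact
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include/a/mx/exists/redirect would need DNS; refuse offline.
        return "permerror"
    return "neutral"                        # no mechanism matched and no 'all'


if __name__ == "__main__":
    for ip in ("213.154.225.231", "172.16.2.17", "198.51.100.7"):
        print(ip, spf_check(ip, LISTS_SPF))
```

Note that the intranet address 172.16.2.17 is, correctly, not authorized: mail must leave via the Internet interface for SPF to pass at the receiver.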

Operating System

  • Debian GNU/Linux 7.11

Applicable Documentation

This is the administration documentation.

See also

Wiki EmailListOverview for user documentation

Services

Listening services

Port       Service   Origin           Purpose
22/tcp     ssh       ANY              admin console access
25/tcp     smtp      monitor, email   mail delivery to local MTA/Sympa
80/tcp     http      ANY              redirect to https
443/tcp    https     ANY              Sympa mailing list manager and archive
4433/tcp   https     LOCAL            phpMyAdmin access via ssh port forwarding
5666/tcp   nrpe      monitor          remote monitoring service
3306/tcp   mysql     LOCAL            MySQL database for Sympa

PHPMyAdmin access

Administrators can use ssh to forward the loopback-only Apache httpd port 4433 to their own machine:

ssh -L 4433:localhost:4433 -l username lists.cacert.org

and access PHPMyAdmin at https://localhost:4433/phpmyadmin
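The two LOCAL entries in the listening services table (4433 for phpMyAdmin, 3306 for MySQL) are only safe as long as they really are bound to a loopback address; the ssh forwarding above adds nothing if the vhost or mysqld ever ends up on 0.0.0.0. The following is an added example, not part of the CAcert documentation: a check that parses `ss -ltn` output and compares it with the table, flagging a LOCAL port bound to a non-loopback address and any listener the table does not document. The embedded `ss` output is constructed for the example and contains two deliberate problems.

```python
"""Check the host's actual TCP listeners against the services table above.

Added example, not the CAcert project's code. On the host run
`ss -ltn | python3 audit_listeners.py -`; without an argument the
constructed sample below is used.
"""
import sys
from typing import Dict, List, Tuple

# Origin column of the table reduced to the bind policy the host itself can
# enforce. 22/80/443 are open to ANY; 25 and 5666 are restricted to the
# monitor/email hosts by firewalling, not by bind address, so they are
# treated like ANY here; 3306 and 4433 must only ever listen on loopback.
EXPOSURE: Dict[int, str] = {
    22: "ANY", 25: "ANY", 80: "ANY", 443: "ANY", 5666: "ANY",
    4433: "LOCAL",   # phpMyAdmin, reachable only via ssh port forwarding
    3306: "LOCAL",   # MySQL database for Sympa
}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample `ss -ltn` output (not captured from the real host).
# Two deliberate problems: MySQL is bound to 0.0.0.0 and something
# undocumented listens on 8080.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
LISTEN  0      100    0.0.0.0:25           0.0.0.0:*
LISTEN  0      128    0.0.0.0:80           0.0.0.0:*
LISTEN  0      128    0.0.0.0:443          0.0.0.0:*
LISTEN  0      128    127.0.0.1:4433       0.0.0.0:*
LISTEN  0      128    [::1]:4433           [::]:*
LISTEN  0      128    0.0.0.0:5666         0.0.0.0:*
LISTEN  0      80     0.0.0.0:3306         0.0.0.0:*
LISTEN  0      128    127.0.0.1:8080       0.0.0.0:*
"""


def parse_ss(output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for every LISTEN line of `ss -ltn` output."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                               # header or unrelated line
        addr, _, port = fields[3].rpartition(":")  # last colon separates the port
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def audit_listeners(output: str, exposure: Dict[int, str] = EXPOSURE) -> List[str]:
    """Return one finding per listener that violates the table."""
    findings = []
    for addr, port in parse_ss(output):
        if port not in exposure:
            findings.append(f"undocumented listener on {addr}:{port}")
        elif exposure[port] == "LOCAL" and addr not in LOOPBACK:
            findings.append(f"port {port} is LOCAL in the table but bound to {addr}")
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_SS_OUTPUT
    for finding in audit_listeners(data) or ["no findings"]:
        print(finding)
```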

Running services

Service                      Usage                                                          Start mechanism
openssh server               ssh daemon for remote administration                           init script /etc/init.d/ssh
Apache httpd                 webserver for Sympa                                            init script /etc/init.d/apache2
cron                         job scheduler                                                  init script /etc/init.d/cron
rsyslog                      syslog daemon                                                  init script /etc/init.d/rsyslog
MySQL                        MySQL database server for Sympa                                init script /etc/init.d/mysql
Postfix                      SMTP server for local mail submission and incoming list mail   init script /etc/init.d/postfix
Nagios NRPE server           remote monitoring service queried by Monitor                   init script /etc/init.d/nagios-nrpe-server
Sympa mailing list services  mailing list handling                                          init script /etc/init.d/sympa

Databases

RDBMS   Name    Used for
MySQL   sympa   Sympa mailing list management

Connected Systems

Outbound network connections

  • DNS (53/udp, 53/tcp) to the resolving nameservers 172.16.2.2 and 172.16.2.3

  • Proxyout as HTTP proxy for APT

  • arbitrary Internet SMTP servers (25/tcp) for delivery of list mail

Security

SSH host keys

Algorithm   Fingerprint
RSA         MD5:9a:64:3d:ab:38:91:90:88:2b:73:cb:05:8c:56:f9:c9
DSA         MD5:dd:ab:a6:c2:29:91:e9:81:fa:29:3c:f7:88:76:1f:f6
ECDSA       MD5:3c:8d:f2:a7:e8:75:1c:9a:11:13:11:2a:58:aa:9b:d1
ED25519     -

Todo

set up an ED25519 host key (needs an update to Jessie)
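The DNS table publishes SSHFP records only for the RSA and DSA keys, and only with fingerprint type 1 (SHA-1); the ECDSA key has no record, and the ED25519 key does not exist yet. Clients that set VerifyHostKeyDNS therefore get no help for the ECDSA key, and OpenSSH 7.0 and later no longer offer ssh-dss by default, so the DSA record is effectively dead weight. When the ED25519 key is added, an SSHFP record with algorithm 4 and fingerprint type 2 (SHA-256) should be published alongside it, and note that ssh only accepts SSHFP data without a prompt when the answer is DNSSEC-validated. The following is an added example, not part of the CAcert documentation: it computes, from an OpenSSH public key line, the SSHFP rdata (both digest types) and the MD5 and SHA-256 fingerprints, which is what `ssh-keygen -r` and `ssh-keygen -l` print, so the rows above can be checked against the key files in /etc/ssh without trusting the connection being verified. The embedded key is constructed (a well-formed ed25519 wire blob around a fixed 32-byte value), not a real key.

```python
"""Derive SSHFP records and fingerprints from an OpenSSH host public key.

Added example, not the CAcert project's code. All digests are computed
over the raw wire-format key blob, exactly as ssh-keygen does. On the
host, feed in the contents of /etc/ssh/ssh_host_<type>_key.pub.
"""
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (what the DNS table uses), 2 = SHA-256.
SSHFP_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def key_blob(pubkey_line: str) -> Tuple[str, bytes]:
    """Split an OpenSSH public key line into (key type, raw wire-format blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])          # blob begins with the type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in line does not match the encoded blob")
    return keytype, blob


def sshfp_records(owner: str, pubkey_line: str) -> List[str]:
    """SSHFP RRs for the key, SHA-1 (type 1) and SHA-256 (type 2)."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    return [f"{owner} IN SSHFP {alg} {fptype} {digest(blob).hexdigest().upper()}"
            for fptype, digest in SSHFP_DIGESTS.items()]


def md5_fingerprint(pubkey_line: str) -> str:
    """'MD5:xx:xx:...' as in the host key table (ssh-keygen -l -E md5)."""
    _, blob = key_blob(pubkey_line)
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(pubkey_line: str) -> str:
    """'SHA256:<unpadded base64>' as printed by current ssh-keygen -l."""
    _, blob = key_blob(pubkey_line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def matches_dns(pubkey_line: str, rdata_list: List[str]) -> bool:
    """True if one of the published '<alg> <fptype> <hex>' rdata matches the key."""
    keytype, blob = key_blob(pubkey_line)
    alg = SSHFP_ALGORITHMS[keytype]
    for rdata in rdata_list:
        a, fptype, hexfp = rdata.split()
        if int(a) != alg or int(fptype) not in SSHFP_DIGESTS:
            continue                               # other key type / unknown digest
        if SSHFP_DIGESTS[int(fptype)](blob).hexdigest().lower() == hexfp.lower():
            return True
    return False


def demo_key() -> str:
    """Constructed ed25519 public key line (not a real key pair)."""
    keytype = b"ssh-ed25519"
    point = bytes(range(32))                       # stand-in for the 32-byte public point
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    key = demo_key()       # on the host: open('/etc/ssh/ssh_host_ed25519_key.pub').read()
    for rr in sshfp_records("lists.cacert.org.", key):
        print(rr)
    print(md5_fingerprint(key))
    print(sha256_fingerprint(key))
```

To check a live host the same way, compare `dig +dnssec SSHFP lists.cacert.org` with the output of this script run over the key files on the box, over the console rather than over the ssh session whose host key is in question.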

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

Apache httpd, Postfix and Sympa have a good security track record. Apache httpd is configured with only the required modules. phpMyAdmin is bound to localhost on port 4433 and is reachable only via ssh port forwarding.

Critical Configuration items

Keys and X.509 certificates

Server certificate used by Apache httpd (for Sympa and phpMyAdmin) and by Postfix:

  • Certificate for CN lists.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem

    • private key in file /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem

  • /usr/share/ca-certificates/cacert.org/cacert.org.crt CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

Apache httpd configuration

  • /etc/apache2/sites-available/000-default.conf

    default HTTP VirtualHost configuration that redirects to https://lists.cacert.org/

  • /etc/apache2/sites-available/sympa-include.conf

    common configuration for the three Sympa VirtualHost definitions

  • /etc/apache2/sites-available/lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports optional client certificate authentication

  • /etc/apache2/sites-available/cert.lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that requires client certificate authentication

  • /etc/apache2/sites-available/nocert.lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that does not support client certificates

  • /etc/apache2/sites-available/localhost_4433_phpmyadmin.conf

    HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin

Sympa configuration

Sympa configuration is stored in /etc/sympa/.

  • /etc/sympa/aliases

    generated by Sympa and referenced from Postfix's /etc/postfix/main.cf. The file contains the alias definitions that pipe list mail into the Sympa processes.

  • /etc/sympa/data_sources/

    data sources shared across lists (things we did not want to define more than once). The board data source is defined in /etc/sympa/data_sources/board.incl

    See also

    Sympa manual

  • /etc/sympa/sympa.conf

    main Sympa configuration file. S/MIME configuration items must be set explicitly even if they appear to be the default values. supported_lang must be a subset of the locales installed for Sympa (see /usr/lib/sympa/locale/), otherwise users cannot change their locale in Sympa.

  • /etc/sympa/wwsympa.conf

    configuration for the Sympa web interface

  • /var/lib/sympa/expl/listname/cert.pem and /var/lib/sympa/expl/listname/private_key

    list certificate and private key for listname

  • /var/lib/sympa/x509-user-certs/emailaddress

    user X.509 certificates used by Sympa

Postfix configuration

Postfix configuration is stored in /etc/postfix/

Note

The file /etc/aliases.db must be writable by the sympa group so that newaliases can be run when new lists are defined.

Tasks

Adding a list

  1. Log in to Sympa at https://lists.cacert.org/wws as listmaster@lists.cacert.org (the password is stored in /root/sympa-listmanagerpassword.txt).

  2. Use the web interface to create the list. Configure the list so that support@cacert.org can send email to the list without confirmation.

  3. Using the CAcert main web interface, log in, validate the list address and issue a WoT certificate for the list user. Export (back up) the WoT certificate from your browser and copy the exported .p12 file to the list server.

  4. Extract the certificate and the private key from the .p12 file:

    openssl pkcs12 -in cacert-listname@lists.cacert.org.p12 -nodes
    

    openssl prompts for the import password of the .p12 file and prints the certificate and the private key to standard output. -nodes means the private key is written unencrypted, so redirect the output only into a file that other users cannot read, and delete it once the key has been installed.

  5. Copy the certificate and the private key to /var/lib/sympa/expl/<listname>/cert.pem and /var/lib/sympa/expl/<listname>/private_key (see Sympa configuration above) and set ownership and permissions:

    chown sympa:sympa /var/lib/sympa/expl/<listname>/cert.pem
    chown sympa:sympa /var/lib/sympa/expl/<listname>/private_key
    chmod 0600 /var/lib/sympa/expl/<listname>/private_key
    chmod 0644 /var/lib/sympa/expl/<listname>/cert.pem
    
  6. Add subscribers and other owners.
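Two things go wrong with the key-installation step in practice: the private_key file keeps the mode it was created with instead of 0600, or the whole `openssl pkcs12 -nodes` output (certificate plus key) is copied into the world-readable cert.pem. The following is an added example, not part of the CAcert documentation or of Sympa: an audit over /var/lib/sympa/expl that checks every list's cert.pem and private_key for the ownership and modes set above, verifies that each file holds the right kind of PEM block, and flags a private key inside cert.pem. build_demo_tree() writes a constructed tree (hypothetical list names, placeholder PEM bodies) into a temporary directory so the check can be run without a Sympa installation; on the host, run audit_expl() against /var/lib/sympa/expl with the default owner "sympa".

```python
"""Audit per-list S/MIME key material under /var/lib/sympa/expl.

Added example, not the CAcert project's code. Usage on the host:
    python3 audit_list_keys.py            (demo tree in a temp directory)
    python3 audit_list_keys.py /var/lib/sympa/expl
"""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

try:
    import pwd                  # POSIX only; owner names fall back to uids elsewhere
except ImportError:             # pragma: no cover
    pwd = None

EXPECTED_MODE = {"cert.pem": 0o644, "private_key": 0o600}

# Placeholder PEM bodies (constructed, not real key material).
DEMO_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0VSVElGSUNBVEU=\n-----END CERTIFICATE-----\n"
DEMO_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgUFJJVkFURSBLRVk=\n-----END PRIVATE KEY-----\n"


def owner_name(uid: int) -> str:
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def pem_block_types(text: str) -> set:
    """Labels of all '-----BEGIN <label>-----' lines in a PEM file."""
    return {line[len("-----BEGIN "):-len("-----")].strip()
            for line in text.splitlines() if line.startswith("-----BEGIN ")}


def audit_list_dir(list_dir: Path, expected_owner: str) -> List[str]:
    findings = []
    for name, mode in EXPECTED_MODE.items():
        path = list_dir / name
        if not path.exists():
            findings.append(f"{path}: missing")
            continue
        st = path.stat()
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{path}: mode {actual:04o}, expected {mode:04o}")
        if owner_name(st.st_uid) != expected_owner:
            findings.append(f"{path}: owned by {owner_name(st.st_uid)}, expected {expected_owner}")
        types = pem_block_types(path.read_text())
        has_key = any("PRIVATE KEY" in t for t in types)
        if name == "cert.pem" and has_key:
            findings.append(f"{path}: contains a private key in a world-readable file")
        if name == "cert.pem" and "CERTIFICATE" not in types:
            findings.append(f"{path}: no PEM certificate found")
        if name == "private_key" and not has_key:
            findings.append(f"{path}: no PEM private key found")
    return findings


def audit_expl(root: Path, expected_owner: str = "sympa") -> Dict[str, List[str]]:
    """Map list name -> findings for every list directory below root."""
    return {d.name: audit_list_dir(d, expected_owner) for d in sorted(root.iterdir()) if d.is_dir()}


def _write(path: Path, text: str, mode: int) -> None:
    path.write_text(text)
    path.chmod(mode)


def build_demo_tree() -> Path:
    """Constructed tree: one correctly installed list, one with both mistakes."""
    root = Path(tempfile.mkdtemp(prefix="sympa-expl-"))
    good = root / "demo-good"; good.mkdir()
    _write(good / "cert.pem", DEMO_CERT, 0o644)
    _write(good / "private_key", DEMO_KEY, 0o600)
    bad = root / "demo-bad"; bad.mkdir()
    _write(bad / "cert.pem", DEMO_CERT + DEMO_KEY, 0o644)   # whole pkcs12 output copied
    _write(bad / "private_key", DEMO_KEY, 0o644)            # chmod 0600 forgotten
    return root


def demo() -> Dict[str, List[str]]:
    """Run the audit over the demo tree, expecting the current user as owner."""
    return audit_expl(build_demo_tree(), owner_name(os.getuid()))


if __name__ == "__main__":
    results = audit_expl(Path(sys.argv[1])) if sys.argv[1:] else demo()
    for listname, findings in results.items():
        print(listname, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```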

Changes

Planned

Todo

upgrade the lists system OS to Debian 9 (Stretch)

Todo

manage the lists system using Puppet

System Future

  • No plans

Additional documentation

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Sympa manual

http://www.sympa.org/manual/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix