Lists

Purpose

The system provides mailing list services under the lists.cacert.org hostname.

Application Links

• Mailing list management and archives

  https://lists.cacert.org/

Administration

System Administration

• Primary: Mario Lipinski

• Secondary: Jan Dittberner

Application Administration

Application	Administrator(s)
Sympa	Jan Dittberner, Mario Lipinski, Philipp Gühring

Contact

• email-admin@cacert.org

Additional People

Jochim Selzer has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:

213.154.225.231

IP Intranet:

172.16.2.17

IP Internal:

10.0.0.17

MAC address:

00:ff:d0:13:9a:22 (eth0)

See also

See Network

DNS

Name	Type	Content
lists.cacert.org.	IN A	213.154.225.231
lists.cacert.org.	IN MX	10 email.cacert.org.
lists.cacert.org.	IN SSHFP	1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
lists.cacert.org.	IN SSHFP	2 1 8D79E68E731ED72667F3D286C477245DF653083B
lists.cacert.org.	IN TXT	“v=spf1 ip4:213.154.225.231 -all”
cert.lists.cacert.org.	IN CNAME	lists.cacert.org.
nocert.lists.cacert.org.	IN CNAME	lists.cacert.org.
lists.intra.cacert.org.	IN A	172.16.2.17
17.2.16.172.in-addr.arpa	IN PTR	lists.intra.cacert.org.
231.225.154.213.in-addr.arpa	IN CNAME	231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa	IN PTR	lists.cacert.org.

See also

See Wiki page SystemAdministration/Procedures/DNSChanges

Operating System

• Debian GNU/Linux 7.11

Applicable Documentation

This is the administration documentation.

See also

Wiki page EmailListOverview for user documentation

Services

Listening services

Port	Service	Origin | Purpose
22/tcp	ssh	ANY | admin console access
25/tcp	smtp	monitor, email	mail delivery to local MTA/sympa
80/tcp	http	ANY	redirect to https
443/tcp	https	ANY	Sympa mailing list manager and archive
4433/tcp	https	LOCAL	phpmyadmin access via ssh port forwarding
5666/tcp	nrpe	monitor	remote monitoring service
3306/tcp	mysql	local	MySQL database for Sympa

PHPMyAdmin access

Administrators can use ssh to forward the Apache httpd port 4433 to their own machine:

ssh -L 4433:localhost:4433 -l username lists.cacert.org

and access PHPMyAdmin at https://localhost:4433/phpmyadmin

Running services

Service	Usage	Start mechanism
openssh server	ssh daemon for remote administration	init script /etc/init.d/ssh
Apache httpd	Webserver for Sympa	init script /etc/init.d/apache2
cron	job scheduler	init script /etc/init.d/cron
rsyslog	syslog daemon	init script /etc/init.d/syslog
MySQL	MySQL database server for Sympa	init script /etc/init.d/mysql
Postfix	SMTP server for local mail submission and incoming list mail	init script /etc/init.d/postfix
Nagios NRPE server	remote monitoring service queried by Monitor	init script /etc/init.d/nagios-nrpe-server
Sympa mailing list services	mail list handling	init script /etc/init.d/sympa

Databases

RDBMS	Name	Used for
MySQL	sympa	Sympa mailing list management

Connected Systems

• Monitor

• Email

Outbound network connections

• DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

• Proxyout as HTTP proxy for APT

• arbitrary Internet SMTP servers for delivery of list mails

Security

SSH host keys

Algorithm	Fingerprints
RSA	MD5:9a:64:3d:ab:38:91:90:88:2b:73:cb:05:8c:56:f9:c9
DSA	MD5:dd:ab:a6:c2:29:91:e9:81:fa:29:3c:f7:88:76:1f:f6
ECDSA	MD5:3c:8d:f2:a7:e8:75:1c:9a:11:13:11:2a:58:aa:9b:d1
ED25519	-

See also

SSH host key list

Todo

setup ED25519 host key (needs update to Jessie)

Non-distribution packages and modifications

• None

Risk assessments on critical packages

Apache httpd, Postfix and Sympa have a good security track record. Apache httpd is configured with the minimum of required modules. PHPMyAdmin is only reachable via ssh port forwarding.

Critical Configuration items

Keys and X.509 certificates

Server certificate for Apache httpd for Sympa and phpmyadmin and Postfix:

• Certificate for CN lists.cacert.org, see details in the certificate list

• certificate in file /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem

• private key in file /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem

• /usr/share/ca-certificates/cacert.org/cacert.org.crt CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

See also

• Wiki page SystemAdministration/CertificateList

Apache httpd configuration

• /etc/apache2/sites-available/000-default.conf

  default HTTP VirtualHost configuration that redirects to https://lists.cacert.org/

• /etc/apache2/sites-available/sympa-include.conf

  common configuration for the three Sympa VirtualHost definitions

• /etc/apache2/sites-available/lists.cacert.org.conf

  HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports optional client certificate authentication

• /etc/apache2/sites-available/cert.lists.cacert.org.conf

  HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that requires client certificate authentication

• /etc/apache2/sites-available/nocert.lists.cacert.org.conf

  HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that does not support client certificates

• /etc/apache2/sites-available/localhost_4433_phpmyadmin.conf

  HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin

Sympa configuration

Sympa configuration is stored in /etc/sympa/.

• /etc/sympa/aliases

  generated by Sympa and included in Postfix’s /etc/postfix/main.cf. The file contains alias definitions that pipe list emails into Sympa processes.

• /etc/sympa/data_sources/

  data sources shared accross lists (things we didn’t want to define more than once). The board data source is defined in /etc/sympa/data_sources/board.incl

  See also

  Sympa manual

• /etc/sympa/sympa.conf

  main Sympa configuration file. S/MIME configuration items must be set even if they appear to be the default values. Supported_lang must be a subset of the supported system locales (see /usr/lib/sympa/locale/) otherwise user’s cannot change their locale in Sympa.

• /etc/sympa/wwsympa.conf

  configuration for the Sympa web interface

• /var/lib/sympa/expl/listname/cert.pem,private_key

  list private key and certificate for listname

• /var/lib/sympa/x509-user-certs/emailaddress

  user X.509 certificates used by Sympa

Postfix configuration

Postfix configuration is stored in /etc/postfix/

Note

The file /etc/aliases.db must be writable by the sympa group to allow running newaliases when defining new lists.

Tasks

Adding a list

1. Login to Sympa https://lists.cacert.org/wws using the listmaster@lists.cacert.org (password stored in /root/sympa-listmanagerpassword.txt)

2. Use the GUI to create the list. Set the list so that support@cacert.org can send email to the list without confirmation using the cacert main web interface, login and validate the list address issue a WoT certificate for the list user export/backup the WoT certificate out of your browser copy the p12 exported certificate to the list server.

3. use:

   openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes
   

   to export the certificate without a password.

4. copy the certificate and private key to the location described below and setup permissions:

   chown sympa:sympa /var/lib/sympa/expl/<list>/cert.pem
   chown sympa:sympa /var/lib/sympa/expl/<list>/private_key
   chmod 0600 /var/lib/sympa/expl/<list>/private_key
   chmod 0644 /var/lib/sympa/expl/<list>/cert.pem
   

5. add subscribers/ other owners

Changes

Planned

Todo

upgrade the lists system OS to Debian 9 (Stretch)

Todo

manage the lists system using Puppet

System Future

• No plans

Additional documentation

See also

• Wiki page PostfixConfiguration

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Sympa manual

http://www.sympa.org/manual/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix