Lists
Purpose
The system provides mailing list services under the lists.cacert.org hostname.
Application Links
Mailing list management and archives
Administration
System Administration
Primary: None
Secondary: Jan Dittberner
Todo
find a primary administrator for this system
Application Administration
Application | Administrator(s)
---|---
Sympa |
Contact
Additional People
No additional people have sudo access on that machine.
Basics
Physical Location
This system is located in an LXC container on physical machine Infra02.
Logical Location
- IP Internet:
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:0d:b5:f5:b0 (eth0)
See also
See Network
DNS
Name | Type | Content
---|---|---
lists.cacert.org. | IN A | 213.154.225.231
lists.cacert.org. | IN MX | 10 email.cacert.org.
lists.cacert.org. | IN SSHFP | 1 1 6ee1070484dcbc1115c4432426f38abd2ea2d086
lists.cacert.org. | IN SSHFP | 1 2 6ae15dae1e5a7a63fd2ac408cfa59cb803bd2472c037a98218a74db08f0c3327
lists.cacert.org. | IN SSHFP | 3 1 9f52f8ee40399ddff59cee52c119b430fbd9a937
lists.cacert.org. | IN SSHFP | 3 2 c14c588a7d8614a5e5b3ac0cb7603ca17d229ef1c218ad61bd8f8f3be1e60c2f
lists.cacert.org. | IN SSHFP | 4 1 5478bf8fca2e06e8a52c6fde059d2fb7103cffd1
lists.cacert.org. | IN SSHFP | 4 2 3f9e3553911fdb6d71cc018baf71da192d3fbc4bfe89aafb07aea1fe73d773d3
lists.cacert.org. | IN TXT | "v=spf1 ip4:213.154.225.231 -all"
cert.lists.cacert.org. | IN CNAME | lists.cacert.org.
nocert.lists.cacert.org. | IN CNAME | lists.cacert.org.
lists.intra.cacert.org. | IN A | 172.16.2.17
17.2.16.172.in-addr.arpa | IN PTR | lists.intra.cacert.org.
231.225.154.213.in-addr.arpa | IN CNAME | 231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa | IN PTR | lists.cacert.org.
See also
Operating System
Debian GNU/Linux 11 Bullseye
Applicable Documentation
This is the administration documentation.
See also
Wiki page EmailListOverview for user documentation
Services
Listening services
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | monitor, email | mail delivery to local MTA/Sympa
80/tcp | http | ANY | redirect to https
443/tcp | https | ANY | Sympa mailing list manager and archive
5665/tcp | icinga2 | monitor | remote monitoring service
3306/tcp | mariadb | local | MariaDB database for Sympa
Running services
Service | Usage | Start mechanism
---|---|---
Apache httpd | Webserver for the Sympa web interface (WWSympa) | systemd unit
cron | job scheduler | systemd unit
dbus-daemon | System message bus | systemd unit
icinga2 | Icinga2 monitoring agent | systemd unit
MariaDB | MariaDB database server for Sympa | systemd unit
openssh server | ssh daemon for remote administration | systemd unit
Postfix | SMTP server for local mail submission | systemd unit
Puppet agent | configuration management agent | systemd unit
rsyslog | syslog daemon | systemd unit
Sympa mailing list services | mail list handling | systemd unit
WWSympa FCGID | WWSympa FCGI handlers for Sympa web interface | systemd unit
Databases
RDBMS | Name | Used for
---|---|---
MariaDB | sympa | Sympa mailing list management
Connected Systems
Outbound network connections
Security
SSH host keys
Algorithm | Fingerprints
---|---
RSA |
DSA | -
ECDSA |
ED25519 |
See also
Non-distribution packages and modifications
None
Risk assessments on critical packages
Apache httpd, Postfix and Sympa have a good security track record. Apache httpd is configured with the minimum of required modules. phpMyAdmin is only reachable via ssh port forwarding.
Critical Configuration items
The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.
Todo
move configuration of lists to Puppet code
Keys and X.509 certificates
Server certificate for Apache httpd (serving Sympa and phpMyAdmin) and for Postfix:
- Certificate for CN lists.cacert.org, see details in the certificate list
- certificate in file /etc/ssl/public/lists.cacert.org.chain.pem
- private key in file /etc/ssl/private/lists.cacert.org.key.pem
/etc/ssl/public/lists.cacert.org_client_cas.pem
CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
Apache httpd configuration
/etc/apache2/sites-available/000-default.conf
default HTTP VirtualHost configuration that redirects to https://lists.cacert.org/
/etc/apache2/sites-available/sympa-include.conf
common configuration for the three Sympa VirtualHost definitions
/etc/apache2/sites-available/lists.cacert.org.conf
HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports optional client certificate authentication
/etc/apache2/sites-available/cert.lists.cacert.org.conf
HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that requires client certificate authentication
/etc/apache2/sites-available/nocert.lists.cacert.org.conf
HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that does not support client certificates
Sympa configuration
Sympa configuration is stored in /etc/sympa/; the file structure has been adapted to the official Debian paths documented in https://www.sympa.community/manual/layout.html.
/etc/sympa/data_sources/
data sources shared across lists (things we did not want to define more than once). The board data source is defined in /etc/sympa/data_sources/board.incl
See also
Postfix configuration
Postfix configuration is stored in /etc/postfix/
Tasks
Adding a list
- Login to Sympa https://lists.cacert.org/wws as one of the listmasters.
- Use the GUI to create the list. Set the list so that support@cacert.org can send email to the list without confirmation.
- Using the CAcert main web interface, login and validate the list address.
- Issue a WoT certificate for the list user.
- Export/backup the WoT certificate out of your browser.
- Copy the exported p12 certificate to the list server.
- Use
  openssl pkcs12 -in cacert-listname@lists.cacert.org.p12 -nodes
  to export the certificate and private key without a password.
- Copy the certificate and private key to the following locations and set up permissions:
  chown sympa:sympa /var/lib/sympa/list_data/<list>/cert.pem
  chown sympa:sympa /var/lib/sympa/list_data/<list>/private_key
  chmod 0600 /var/lib/sympa/list_data/<list>/private_key
  chmod 0644 /var/lib/sympa/list_data/<list>/cert.pem
- Add subscribers and other owners.
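The last two steps above (extracting the certificate from the PKCS#12 dump and installing it with the documented ownership and modes) as an added shell example; this is not part of the CAcert documentation or the Puppet code. It splits the unencrypted PEM output of `openssl pkcs12 -nodes`, which also contains "Bag Attributes" and "subject=" lines, into the cert.pem and private_key files under /var/lib/sympa/list_data/<list>/ that the page names, and applies the chown/chmod settings listed above. The file layout, the owner sympa:sympa and the modes come from the page; the function names, the optional base-directory and owner parameters (added so the script can be exercised without root), and the check_list_cert helper are assumptions of this example.

```shell
#!/bin/sh
# Install a mailing list's WoT certificate and private key for Sympa.
# Added example, not part of the CAcert documentation.
#
# Usage: install_list_cert <list> <pem-dump> [<base-dir>] [<owner>]
#   <pem-dump>  file written by
#               openssl pkcs12 -in cacert-<list>@lists.cacert.org.p12 -nodes > dump.pem
#   <base-dir>  defaults to /var/lib/sympa/list_data (from the page)
#   <owner>     defaults to sympa:sympa (from the page); both overrides are an
#               assumption of this example so it can run without root.
set -u

# Copy only the PEM block(s) carrying the given label (CERTIFICATE or
# PRIVATE KEY) from a combined openssl dump on stdin to stdout, dropping
# the "Bag Attributes", "subject=" and "issuer=" lines openssl prints.
extract_pem() {
    label=$1
    awk -v label="$label" '
        $0 ~ "^-----BEGIN .*" label "-----$" { inside = 1 }
        inside { print }
        $0 ~ "^-----END .*" label "-----$"   { inside = 0 }
    '
}

install_list_cert() {
    list=$1
    dump=$2
    base=${3:-/var/lib/sympa/list_data}
    owner=${4:-sympa:sympa}
    dir="$base/$list"

    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 1; }
    mkdir -p "$dir" || return 1

    # Create both files under a restrictive umask so the private key is
    # never world-readable, not even between creation and chmod.
    (
        umask 077
        extract_pem 'CERTIFICATE' < "$dump" > "$dir/cert.pem" &&
        extract_pem 'PRIVATE KEY' < "$dump" > "$dir/private_key"
    ) || return 1

    # The dump must contain both blocks; otherwise do not leave
    # half-installed files behind.
    for f in "$dir/cert.pem" "$dir/private_key"; do
        if ! grep -q '^-----BEGIN' "$f"; then
            echo "no PEM block found for $f" >&2
            rm -f "$dir/cert.pem" "$dir/private_key"
            return 1
        fi
    done

    # Ownership and modes exactly as documented for Sympa list data.
    chown "$owner" "$dir/cert.pem" "$dir/private_key" || return 1
    chmod 0600 "$dir/private_key" || return 1
    chmod 0644 "$dir/cert.pem" || return 1
}

# Verify that a list's certificate files are present with the documented
# modes and that the private key did not end up inside cert.pem.
# Usage: check_list_cert <list> [<base-dir>]
check_list_cert() {
    dir="${2:-/var/lib/sympa/list_data}/$1"
    [ -n "$(find "$dir/private_key" -type f -perm 600 2>/dev/null)" ] || return 1
    [ -n "$(find "$dir/cert.pem" -type f -perm 644 2>/dev/null)" ] || return 1
    grep -q '^-----BEGIN CERTIFICATE-----$' "$dir/cert.pem" || return 1
    grep -q 'PRIVATE KEY-----$' "$dir/private_key" || return 1
    ! grep -q 'PRIVATE KEY' "$dir/cert.pem"
}

# When run as a script with arguments, install and then verify.
if [ $# -ge 2 ]; then
    install_list_cert "$@" && check_list_cert "$1" "${3:-/var/lib/sympa/list_data}"
fi
```

The umask subshell matters more than it looks: a plain redirection under the usual umask 022 creates private_key as mode 0644 before the chmod runs, so the key is briefly readable by every local account (including the web server's). check_list_cert is the kind of check worth running after a manual installation, since a private key that was pasted into cert.pem would be served to every client that asks for the certificate chain.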
Changes
Planned
No plans
System Future
No plans
Additional documentation
See also
References
- Apache httpd documentation
- Sympa manual
- Postfix documentation
- Postfix Debian wiki page