Lists

Purpose

The system provides mailing list services under the lists.cacert.org hostname.

Administration

System Administration

Todo

find a primary administrator for this system

Application Administration

Application   Administrator(s)
Sympa         Jan Dittberner, Mario Lipinski, Philipp Gühring

Contact

Additional People

No additional people have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet:

213.154.225.231

IP Intranet:

172.16.2.17

IP Internal:

10.0.0.17

MAC address:

00:ff:0d:b5:f5:b0 (eth0)

See also

See Network

DNS

Name                                  Type      Content
lists.cacert.org.                     IN A      213.154.225.231
lists.cacert.org.                     IN MX     10 email.cacert.org.
lists.cacert.org.                     IN SSHFP  1 1 6ee1070484dcbc1115c4432426f38abd2ea2d086
lists.cacert.org.                     IN SSHFP  1 2 6ae15dae1e5a7a63fd2ac408cfa59cb803bd2472c037a98218a74db08f0c3327
lists.cacert.org.                     IN SSHFP  3 1 9f52f8ee40399ddff59cee52c119b430fbd9a937
lists.cacert.org.                     IN SSHFP  3 2 c14c588a7d8614a5e5b3ac0cb7603ca17d229ef1c218ad61bd8f8f3be1e60c2f
lists.cacert.org.                     IN SSHFP  4 1 5478bf8fca2e06e8a52c6fde059d2fb7103cffd1
lists.cacert.org.                     IN SSHFP  4 2 3f9e3553911fdb6d71cc018baf71da192d3fbc4bfe89aafb07aea1fe73d773d3
lists.cacert.org.                     IN TXT    "v=spf1 ip4:213.154.225.231 -all"
cert.lists.cacert.org.                IN CNAME  lists.cacert.org.
nocert.lists.cacert.org.              IN CNAME  lists.cacert.org.
lists.intra.cacert.org.               IN A      172.16.2.17
17.2.16.172.in-addr.arpa              IN PTR    lists.intra.cacert.org.
231.225.154.213.in-addr.arpa          IN CNAME  231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa   IN PTR    lists.cacert.org.

Operating System

  • Debian GNU/Linux 11 Bullseye

Applicable Documentation

This is the administration documentation.

See also

Wiki page EmailListOverview for user documentation

Services

Listening services

Port      Service   Origin          Purpose
22/tcp    ssh       ANY             admin console access
25/tcp    smtp      monitor, email  mail delivery to local MTA/sympa
80/tcp    http      ANY             redirect to https
443/tcp   https     ANY             Sympa mailing list manager and archive
5665/tcp  icinga2   monitor         remote monitoring service
3306/tcp  mariadb   local           MariaDB database for Sympa

Running services

Service                       Usage                                         Start mechanism
Apache httpd                  Webserver for blog                            systemd unit apache2.service
cron                          job scheduler                                 systemd unit cron.service
dbus-daemon                   System message bus                            systemd unit dbus.service
icinga2                       Icinga2 monitoring agent                      systemd unit icinga2.service
MariaDB                       MariaDB database server for sympa             systemd unit mariadb.service
openssh server                ssh daemon for remote administration          systemd unit ssh.service
Postfix                       SMTP server for local mail submission         systemd unit postfix.service
Puppet agent                  configuration management agent                systemd unit puppet.service
rsyslog                       syslog daemon                                 systemd unit rsyslog.service
Sympa mailing list services   mail list handling                            systemd unit sympa.service
WWSympa FCGID                 WWSympa FCGI handlers for Sympa web interface  systemd unit wwsympa.service

Databases

RDBMS     Name    Used for
MariaDB   sympa   Sympa mailing list management

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Proxyout as HTTP proxy for APT

  • Puppet (tcp/8140) as Puppet master

  • arbitrary Internet SMTP servers for delivery of list mails

Security

SSH host keys

Algorithm  Fingerprints
RSA        SHA256:auFdrh5aemP9KsQIz6WcuAO9JHLAN6mCGKdNsI8MMyc, MD5:03:be:58:c9:73:2e:ac:7d:1f:e5:bd:f1:59:64:0c:ab
DSA        -
ECDSA      SHA256:wUxYin2GFKXls6wMt2A8oX0invHCGK1hvY+PO+HmDC8, MD5:95:c5:72:f9:bb:6d:74:6c:a5:68:14:06:12:9e:4b:8d
ED25519    SHA256:P541U5Ef221xzAGLr3HaGS0/vEv+iar7B66h/nPXc9M, MD5:5a:59:75:92:4c:e6:65:b9:82:47:58:a3:c6:b9:64:34
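The SSHFP records in the DNS table and the SHA256 fingerprints in the table above describe the same host keys in two encodings: OpenSSH prints the unpadded base64 of the SHA-256 digest of the public key blob, while the SSHFP type-2 record carries that digest as hex. The script below, an added example and not part of the CAcert documentation, cross-checks the two so a DNS change or a host key rotation that leaves one side stale is caught. The function names are assumptions; the fingerprints and hex values are copied from this page.

```shell
#!/bin/sh
# Added example (not from the CAcert documentation): cross-check the SHA-256
# SSHFP records for lists.cacert.org against the SHA256 host key fingerprints.
set -eu

# Convert an OpenSSH "SHA256:<base64>" fingerprint to the lowercase hex form
# used in SSHFP type-2 records. The "SHA256:" prefix is optional.
fp_to_sshfp_hex() {
    b64="${1#SHA256:}"
    # OpenSSH strips the "=" padding; base64(1) needs it back before decoding
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
    printf '%s' "$b64" | base64 -d | od -An -v -tx1 | tr -d ' \n'
}

# check_sshfp <hex digest from DNS> <SHA256 fingerprint>
# Returns 0 when the DNS record matches the published fingerprint, 1 otherwise.
check_sshfp() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(fp_to_sshfp_hex "$2")
    [ "$actual" = "$expected" ]
}

# sshfp_record <owner name> <algorithm number> <SHA256 fingerprint>
# Prints the SSHFP type-2 record a zone should carry for this key.
# Algorithm numbers: 1 = RSA, 3 = ECDSA, 4 = ED25519 (RFC 4255, 6594, 7479).
sshfp_record() {
    printf '%s IN SSHFP %s 2 %s\n' "$1" "$2" "$(fp_to_sshfp_hex "$3")"
}

# Walk the algorithm / DNS digest / published fingerprint triples from this
# page and report any disagreement. Returns 1 if at least one pair mismatches.
verify_lists_cacert_org() {
    rc=0
    for entry in \
        "1 6ae15dae1e5a7a63fd2ac408cfa59cb803bd2472c037a98218a74db08f0c3327 SHA256:auFdrh5aemP9KsQIz6WcuAO9JHLAN6mCGKdNsI8MMyc" \
        "3 c14c588a7d8614a5e5b3ac0cb7603ca17d229ef1c218ad61bd8f8f3be1e60c2f SHA256:wUxYin2GFKXls6wMt2A8oX0invHCGK1hvY+PO+HmDC8" \
        "4 3f9e3553911fdb6d71cc018baf71da192d3fbc4bfe89aafb07aea1fe73d773d3 SHA256:P541U5Ef221xzAGLr3HaGS0/vEv+iar7B66h/nPXc9M"
    do
        set -- $entry
        if check_sshfp "$2" "$3"; then
            echo "OK       algorithm $1: DNS SSHFP matches the published host key fingerprint"
        else
            echo "MISMATCH algorithm $1: zone should carry: $(sshfp_record lists.cacert.org. "$1" "$3")"
            rc=1
        fi
    done
    return $rc
}

verify_lists_cacert_org
```

The same functions can be pointed at live data: feed the output of `ssh-keyscan` through `ssh-keygen -lf -` for the fingerprints and `dig +short SSHFP lists.cacert.org` for the records. The SHA-1 (type-1) records cannot be checked this way because the page does not publish SHA-1 fingerprints.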

Non-distribution packages and modifications

  • None

Risk assessments on critical packages

Apache httpd, Postfix and Sympa have a good security track record. Apache httpd is configured with the minimum of required modules. PHPMyAdmin is only reachable via ssh port forwarding.

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

move configuration of lists to Puppet code

Keys and X.509 certificates

Server certificate used by Apache httpd (for Sympa and phpMyAdmin) and by Postfix:

  • Certificate for CN lists.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/lists.cacert.org.chain.pem

    • private key in file /etc/ssl/private/lists.cacert.org.key.pem

  • /etc/ssl/public/lists.cacert.org_client_cas.pem CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)

Apache httpd configuration

  • /etc/apache2/sites-available/000-default.conf

    default HTTP VirtualHost configuration that redirects to https://lists.cacert.org/

  • /etc/apache2/sites-available/sympa-include.conf

    common configuration for the three Sympa VirtualHost definitions

  • /etc/apache2/sites-available/lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports optional client certificate authentication

  • /etc/apache2/sites-available/cert.lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that requires client certificate authentication

  • /etc/apache2/sites-available/nocert.lists.cacert.org.conf

    HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that does not support client certificates

Sympa configuration

Sympa configuration is stored in /etc/sympa/; the file structure has been adapted to the official Debian paths documented in https://www.sympa.community/manual/layout.html.

  • /etc/sympa/data_sources/

    data sources shared across lists (things we didn’t want to define more than once). The board data source is defined in /etc/sympa/data_sources/board.incl

    See also

    Sympa manual

Postfix configuration

Postfix configuration is stored in /etc/postfix/

Tasks

Adding a list

  1. Log in to Sympa at https://lists.cacert.org/wws as one of the listmasters.

  2. Use the GUI to create the list. Set the list so that support@cacert.org can send email to the list without confirmation.

     Using the CAcert main web interface, log in and validate the list address, issue a WoT certificate for the list user, export/backup the WoT certificate out of your browser and copy the exported p12 certificate to the list server.

  3. Use:

    openssl pkcs12 -in cacert-listname@lists.cacert.org.p12 -nodes
    

    to export the certificate without a password.

  4. Copy the certificate and private key to the locations below and set up the permissions:

    chown sympa:sympa /var/lib/sympa/list_data/<list>/cert.pem
    chown sympa:sympa /var/lib/sympa/list_data/<list>/private_key
    chmod 0600 /var/lib/sympa/list_data/<list>/private_key
    chmod 0644 /var/lib/sympa/list_data/<list>/cert.pem
    
  5. Add subscribers and other owners.
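Steps 3 and 4 above dump certificate and key to the terminal with a single `openssl pkcs12 -nodes` call and then fix ownership and modes by hand. The script below is an added example, not part of the CAcert documentation: it writes the certificate and the private key to separate files, creates the key under a restrictive umask so it is never world-readable even briefly, installs both into the list directory with the owner and modes given on this page, and verifies the result. The paths and the sympa:sympa owner come from the page; the function names and the SYMPA_LIST_DATA and SYMPA_OWNER override variables are assumptions that let the install and check functions be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the CAcert documentation): split an exported WoT
# PKCS#12 file and install it for a Sympa list with the documented permissions.
set -eu

# Overridable for testing; the defaults are the paths/owner from this page.
SYMPA_LIST_DATA="${SYMPA_LIST_DATA:-/var/lib/sympa/list_data}"
SYMPA_OWNER="${SYMPA_OWNER:-sympa:sympa}"

# split_p12 <file.p12> <outdir>: write cert.pem and private_key into outdir.
# openssl asks for the PKCS#12 import password; -nodes leaves the key unencrypted
# on disk, as the page's procedure requires, so the umask must be restrictive.
split_p12() {
    p12="$1"; out="$2"
    ( umask 077
      openssl pkcs12 -in "$p12" -nokeys -clcerts -out "$out/cert.pem"
      openssl pkcs12 -in "$p12" -nocerts -nodes -out "$out/private_key" )
}

# install_list_cert <list> <cert.pem> <private_key>: copy both files into the
# list directory and apply the owner and modes documented on this page.
install_list_cert() {
    list="$1"; cert="$2"; key="$3"
    dest="$SYMPA_LIST_DATA/$list"
    if [ ! -d "$dest" ]; then
        echo "no list directory $dest (create the list in Sympa first)" >&2
        return 1
    fi
    # copy with umask 077 so the key is 0600 from the moment it exists
    ( umask 077; cp "$cert" "$dest/cert.pem"; cp "$key" "$dest/private_key" )
    chown "$SYMPA_OWNER" "$dest/cert.pem" "$dest/private_key"
    chmod 0644 "$dest/cert.pem"
    chmod 0600 "$dest/private_key"
}

# check_list_cert <list>: verify owner and mode of both files; reports every
# problem on stderr and returns 1 if anything is off. Uses GNU stat (Debian).
check_list_cert() {
    dest="$SYMPA_LIST_DATA/$1"
    rc=0
    for spec in "cert.pem 644" "private_key 600"; do
        set -- $spec
        f="$dest/$1"
        if [ ! -f "$f" ]; then echo "missing $f" >&2; rc=1; continue; fi
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        owner_ids=$(stat -c '%u:%g' "$f")
        [ "$mode" = "$2" ] || { echo "$f: mode $mode, expected $2" >&2; rc=1; }
        if [ "$owner" != "$SYMPA_OWNER" ] && [ "$owner_ids" != "$SYMPA_OWNER" ]; then
            echo "$f: owner $owner, expected $SYMPA_OWNER" >&2; rc=1
        fi
    done
    return $rc
}

# Usage: sh install-list-cert.sh <list> <file.p12>
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -eq 2 ]; then
    work=$(mktemp -d)
    split_p12 "$2" "$work"
    install_list_cert "$1" "$work/cert.pem" "$work/private_key"
    rm -rf "$work"
    check_list_cert "$1"
fi
```

Run `check_list_cert <list>` again after any manual change to the list directory; a key that has drifted to 0644 or to the wrong owner is reported before Sympa tries to use it.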

Changes

Planned

  • No plans

System Future

  • No plans

Additional documentation

References

Apache httpd documentation

http://httpd.apache.org/docs/2.4/

Sympa manual

https://www.sympa.community/manual/

Postfix documentation

http://www.postfix.org/documentation.html

Postfix Debian wiki page

https://wiki.debian.org/Postfix