Lists¶
Purpose¶
The system provides mailing list services under the lists.cacert.org hostname.
Application Links¶
Mailing list management and archives
Administration¶
System Administration¶
Primary: Mario Lipinski
Secondary: Jan Dittberner
Application Administration¶
Application | Administrator(s)
---|---
Sympa |
Contact¶
Additional People¶
Jochim Selzer has sudo access on that machine too.
Basics¶
Physical Location¶
This system is located in an LXC container on physical machine Infra02.
Logical Location¶
- IP Internet:
- IP Intranet:
- IP Internal:
- MAC address: 00:ff:d0:13:9a:22 (eth0)

See also: Network
DNS¶
Name | Type | Content
---|---|---
lists.cacert.org. | IN A | 213.154.225.231
lists.cacert.org. | IN MX | 10 email.cacert.org.
lists.cacert.org. | IN SSHFP | 1 1 87F75B9124326B566ED22DCF65A9740EEDE8F0FF
lists.cacert.org. | IN SSHFP | 2 1 8D79E68E731ED72667F3D286C477245DF653083B
lists.cacert.org. | IN TXT | "v=spf1 ip4:213.154.225.231 -all"
cert.lists.cacert.org. | IN CNAME | lists.cacert.org.
nocert.lists.cacert.org. | IN CNAME | lists.cacert.org.
lists.intra.cacert.org. | IN A | 172.16.2.17
17.2.16.172.in-addr.arpa | IN PTR | lists.intra.cacert.org.
231.225.154.213.in-addr.arpa | IN CNAME | 231.224-27.225.154.213.in-addr.arpa.
231.224-27.225.154.213.in-addr.arpa | IN PTR | lists.cacert.org.
Operating System¶
Debian GNU/Linux 7.11
Applicable Documentation¶
This is the administration documentation.
See also: Wiki page EmailListOverview for user documentation
Services¶
Listening services¶
Port | Service | Origin | Purpose
---|---|---|---
22/tcp | ssh | ANY | admin console access
25/tcp | smtp | monitor, email | mail delivery to local MTA/sympa
80/tcp | http | ANY | redirect to https
443/tcp | https | ANY | Sympa mailing list manager and archive
4433/tcp | https | LOCAL | phpmyadmin access via ssh port forwarding
5666/tcp | nrpe | monitor | remote monitoring service
3306/tcp | mysql | local | MySQL database for Sympa
Running services¶
Service | Usage | Start mechanism
---|---|---
openssh server | ssh daemon for remote administration | init script
Apache httpd | Webserver for Sympa | init script
cron | job scheduler | init script
rsyslog | syslog daemon | init script
MySQL | MySQL database server for Sympa | init script
Postfix | SMTP server for local mail submission and incoming list mail | init script
Nagios NRPE server | remote monitoring service queried by Monitor | init script
Sympa mailing list services | mail list handling | init script
Databases¶
RDBMS | Name | Used for
---|---|---
MySQL | sympa | Sympa mailing list management
Connected Systems¶
Outbound network connections¶
- DNS (53): resolving nameservers 172.16.2.2 and 172.16.2.3
- Proxyout as HTTP proxy for APT
- arbitrary Internet SMTP servers for delivery of list mails
Security¶
SSH host keys¶
Algorithm | Fingerprints
---|---
RSA |
DSA |
ECDSA |
ED25519 | -
Todo: setup ED25519 host key (needs update to Jessie)
Non-distribution packages and modifications¶
None
Risk assessments on critical packages¶
Apache httpd, Postfix and Sympa have a good security track record. Apache httpd is configured with the minimum of required modules. PHPMyAdmin is only reachable via ssh port forwarding.
Critical Configuration items¶
Keys and X.509 certificates¶
- Server certificate for Apache httpd (Sympa and phpmyadmin) and Postfix: certificate for CN lists.cacert.org, see details in the certificate list
  - certificate in file /etc/ssl/certs/ssl-cert-lists-cacert-multialtname.pem
  - private key in file /etc/ssl/private/ssl-cert-lists-cacert-multialtname.pem
- /usr/share/ca-certificates/cacert.org/cacert.org.crt: CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client certificates)
Apache httpd configuration¶
- /etc/apache2/sites-available/000-default.conf: default HTTP VirtualHost configuration that redirects to https://lists.cacert.org/
- /etc/apache2/sites-available/sympa-include.conf: common configuration for the three Sympa VirtualHost definitions
- /etc/apache2/sites-available/lists.cacert.org.conf: HTTPS VirtualHost configuration for https://lists.cacert.org/ that supports optional client certificate authentication
- /etc/apache2/sites-available/cert.lists.cacert.org.conf: HTTPS VirtualHost configuration for https://cert.lists.cacert.org/ that requires client certificate authentication
- /etc/apache2/sites-available/nocert.lists.cacert.org.conf: HTTPS VirtualHost configuration for https://nocert.lists.cacert.org/ that does not support client certificates
- /etc/apache2/sites-available/localhost_4433_phpmyadmin.conf: HTTPS VirtualHost configuration for https://localhost:4433/phpmyadmin
Sympa configuration¶
Sympa configuration is stored in /etc/sympa/.

- /etc/sympa/aliases: generated by Sympa and included in Postfix's /etc/postfix/main.cf. The file contains alias definitions that pipe list emails into Sympa processes.
- /etc/sympa/data_sources/: data sources shared across lists (things we didn't want to define more than once). The board data source is defined in /etc/sympa/data_sources/board.incl
- /etc/sympa/sympa.conf: main Sympa configuration file. S/MIME configuration items must be set even if they appear to be the default values. supported_lang must be a subset of the supported system locales (see /usr/lib/sympa/locale/), otherwise users cannot change their locale in Sympa.
- /etc/sympa/wwsympa.conf: configuration for the Sympa web interface
- /var/lib/sympa/expl/listname/cert.pem, private_key: list private key and certificate for listname
- /var/lib/sympa/x509-user-certs/emailaddress: user X.509 certificates used by Sympa
Postfix configuration¶
Postfix configuration is stored in /etc/postfix/

Note: The file /etc/aliases.db must be writable by the sympa group to allow running newaliases when defining new lists.
Tasks¶
Adding a list¶
1. Login to Sympa at https://lists.cacert.org/wws as listmaster@lists.cacert.org (password stored in /root/sympa-listmanagerpassword.txt).
2. Use the GUI to create the list.
3. Set the list so that support@cacert.org can send email to the list without confirmation.
4. Using the CAcert main web interface, login and validate the list address.
5. Issue a WoT certificate for the list user.
6. Export/backup the WoT certificate out of your browser.
7. Copy the exported p12 certificate to the list server.
8. Export the certificate without a password:

   ```
   openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes
   ```

9. Copy the certificate and private key to the location described under Sympa configuration and set up permissions:

   ```
   chown sympa:sympa /var/lib/sympa/expl/<list>/cert.pem
   chown sympa:sympa /var/lib/sympa/expl/<list>/private_key
   chmod 0600 /var/lib/sympa/expl/<list>/private_key
   chmod 0644 /var/lib/sympa/expl/<list>/cert.pem
   ```

10. Add subscribers / other owners.
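As an added example (not part of the CAcert documentation), a helper for the last two steps: it splits the browser-exported PKCS#12 bundle into the cert.pem and private_key files Sympa expects, checks that the key actually belongs to the certificate and that the certificate has not expired before anything is installed, and applies the ownership and modes given above. The function names, the list directory argument and the password handling are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, not CAcert's own tooling: install a list's S/MIME
# certificate and key from a PKCS#12 export into the Sympa list directory
# (normally /var/lib/sympa/expl/<list>/) with the required ownership and modes.
set -eu

# install_list_cert <bundle.p12> <list dir> [owner:group] [p12 password]
install_list_cert() {
    p12=$1; listdir=$2; owner=${3:-sympa:sympa}; pass=${4:-}
    mkdir -p "$listdir"
    # Create both files private from the start (umask is scoped to the subshell),
    # extracting the end-entity certificate only (no CA chain) and the key unencrypted.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
          -out "$listdir/cert.pem"
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
          -out "$listdir/private_key" )
    # Refuse a bundle whose key does not match its certificate ...
    cert_pub=$(openssl x509 -in "$listdir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$listdir/private_key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match cert.pem" >&2; return 1; }
    # ... or whose certificate is already expired.
    openssl x509 -in "$listdir/cert.pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
    # Ownership and modes from the procedure: key readable by sympa only.
    chown "$owner" "$listdir/cert.pem" "$listdir/private_key"
    chmod 0644 "$listdir/cert.pem"
    chmod 0600 "$listdir/private_key"
}

# file_mode <path>: print the octal permission bits (GNU stat, BSD stat fallback)
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }
```

Run it as root on the list server, e.g. `install_list_cert cacert-listname@lists.cacert.org.p12 /var/lib/sympa/expl/listname sympa:sympa 'export password'`.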
Changes¶
Planned¶
Todo: upgrade the lists system OS to Debian 9 (Stretch)

Todo: manage the lists system using Puppet
System Future¶
No plans
Additional documentation¶
References¶
- Apache httpd documentation
- Sympa manual
- Postfix documentation
- Postfix Debian wiki page