Webmail (Community)

Purpose

This container hosts the webmail system available at https://community.cacert.org/ that provides web based mail access to users with a @cacert.org email address.

The system also hosts the board voting system, staff list and email password reset.

Todo

move board voting system to a separate container

Todo

move staff list to a separate container or integrate it into some new self service system

Administration

System Administration

  • Primary: None

  • Secondary: None

Todo

find admins for webmail

Application Administration

Application           Administrators
Webmail               Ulrich Schröter, Jochim Selzer
Board voting system   Jan Dittberner
Staff list            None
Password reset        None

Additional People

Jan Dittberner, Mario Lipinski and Jochim Selzer have sudo access on that machine.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet   213.154.225.228
IP Intranet   172.16.2.20
IP Internal   10.0.0.120
MAC address   00:ff:9a:a7:64:78 (eth0)
See also      See Network

DNS

Name                    Type       Content
community.cacert.org.   IN CNAME   email.cacert.org

Operating System

  • Debian GNU/Linux 4.0

Applicable Documentation

This is it :-)

Services

Listening services

Port       Service   Origin    Purpose
22/tcp     ssh       ANY       admin console access
443/tcp    https     ANY       Web server
5666/tcp   nrpe      monitor   remote monitoring service

Note

The ssh port is reachable via NAT on email.cacert.org:12022

Running services

Service              Usage                                          Start mechanism
openssh server       ssh daemon for remote administration           init script /etc/init.d/ssh
Apache httpd         Webserver for Applications                     init script /etc/init.d/apache2
cron                 job scheduler                                  init script /etc/init.d/cron
Postfix              SMTP server for local mail submission          init script /etc/init.d/postfix
Nagios NRPE server   remote monitoring service queried by Monitor   init script /etc/init.d/nagios-nrpe-server

Connected Systems

Outbound network connections

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • archive.debian.org as Debian mirror

  • Email for MySQL (3306/tcp) for webmail, password reset and staff list

  • Email IMAP (110/tcp), IMAPS (993/tcp), Manage Sieve (2001/tcp), SMTPS (465/tcp) and SMTP Submission (587/tcp) for the webmail system

Security

SSH host keys

Algorithm   Fingerprints
RSA         MD5:82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48
DSA         MD5:6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd
ECDSA       -
ED25519     -

Warning

The system is too old to support ECDSA or ED25519 keys.
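A check worth running before the first admin login over the NAT port noted above, added here as an example (it is not part of this page or of CAcert's own tooling): it compares an ssh-keyscan listing against the documented MD5 fingerprints and also flags key types the table does not list, which on a host documented as too old for ECDSA/ED25519 would itself be a sign that something changed. The scan text and key blob are constructed, not captured from the system.

```python
import base64
import hashlib

# MD5 fingerprints documented for this system (from the SSH host keys table).
# Key types use the ssh-keyscan names: "ssh-rsa" for RSA, "ssh-dss" for DSA.
DOCUMENTED_FINGERPRINTS = {
    "ssh-rsa": "82:91:22:22:10:75:ab:0e:55:05:9a:f9:98:cb:94:48",
    "ssh-dss": "6b:6e:59:37:41:83:a5:89:2a:18:04:23:51:53:5d:cd",
}


def md5_fingerprint(key_blob_b64: str) -> str:
    """MD5 fingerprint (colon-separated hex, as `ssh-keygen -E md5` prints it) of a base64 key blob."""
    digest = hashlib.md5(base64.b64decode(key_blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_keyscan(output: str) -> dict:
    """Parse ssh-keyscan lines ("host keytype blob") into {keytype: blob}; comment lines are skipped."""
    keys = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            keys[parts[1]] = parts[2]
    return keys


def verify_host_keys(keyscan_output: str, documented: dict = DOCUMENTED_FINGERPRINTS) -> dict:
    """Return {keytype: "ok" | "MISMATCH" | "undocumented" | "missing"}.

    "undocumented": the scan returned a key type the table does not list.
    "missing": a documented key type was not returned by the scan.
    """
    result = {}
    for keytype, blob in parse_keyscan(keyscan_output).items():
        expected = documented.get(keytype)
        if expected is None:
            result[keytype] = "undocumented"
        else:
            result[keytype] = "ok" if md5_fingerprint(blob) == expected.lower() else "MISMATCH"
    for keytype in documented:
        result.setdefault(keytype, "missing")
    return result


# Constructed sample (NOT a real key): roughly what `ssh-keyscan -p 12022 email.cacert.org`
# would print, with a fake RSA blob, so the check can be exercised offline.
SAMPLE_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa constructed sample, not a real key").decode()
SAMPLE_KEYSCAN = f"# email.cacert.org:12022 SSH-2.0-OpenSSH\n[email.cacert.org]:12022 ssh-rsa {SAMPLE_BLOB}\n"
```

Against the constructed sample the RSA key reports MISMATCH and DSA reports missing; on the real host both should report ok and nothing else should appear.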

Non-distribution packages and modifications

/var/www/roundcubemail contains a Roundcube 0.2.1 installation, probably with patches.

Todo

Research whether Roundcube has been patched or not

/var/www/staff.php is a custom built PHP script to show a list of people with cacert.org email addresses.

/var/www/password.php is a custom built PHP script to allow users to reset their email password.

/var/www/board contains the board voting system.

Risk assessments on critical packages

The whole system is outdated: the PHP version is ancient and Roundcube is old. It needs to be replaced as soon as possible.

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN community.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/certs/ssl-cert-community-cacert.crt

    • private key in file /etc/ssl/private/ssl-cert-community-cacert.key

  • /usr/share/ca-certificates/cacert.org/ directory containing the CAcert.org Class 1 and Class 3 CA certificates (allowed CA certificates for client authentication and certificate chain for server certificate) with symbolic links with the openssl hashed certificate names

Apache httpd configuration

The Apache httpd configuration is stored in /etc/apache2/sites-available/webmail.

/etc/hosts

Defines some aliases for Email that are used by Roundcube, the password reset script and the staff list script.

Roundcube configuration

The Roundcube configuration is stored in files in the /var/www/roundcubemail/config/ directory.

Staff list script

The staff list contains its configuration in /var/www/staff.php itself.

Todo

Put the staff list script in a git repository

Password reset script

The password reset script contains its configuration in /var/www/password.php itself.

Todo

Put the password reset script in a git repository

Board voting system configuration

The board voting system uses a SQLite database in /var/www/board/database.sqlite.

Warning

The board voting system software seems to be checked out from a Subversion repository at https://svn.cacert.cl/Software/Voting/vote that does not exist anymore.

Todo

Put the current version of the board voting system in a git repository

Tasks

Changes

Planned

Todo

implement CRL checking

System Future

Todo

The system has to be replaced with a new system using a current operating system version

Additional documentation

References

Wiki page for this system

Wiki SystemAdministration/Systems/Community