Systems - Community (Webmail)

Basics

Purpose

The purpose of the community server is to provide webmail for people with @cacert.org addresses. It gets its name from the domain community.cacert.org.

This machine also supports the board's voting system and a staff list.

Physical Location

This system is located on a Debian Etch vserver on physical machine sun2.

Logical location

IP: 172.16.2.20

Applicable Documentation

  1. CommunityEmail

  2. PolicyDrafts/EmailHandling

  3. EmailAccountPolicy

  4. Communication Policy

Administration

Primary: Markus Warg (former - resigned - probably still has access)

Secondary: Philipp Gühring

Services

Listening services

DNS

Connected Systems

Outbound network connections

Security

Privileged Access: Philipp / Markus Warg

Other Access: All @cacert.org users have HTTPS access

Non-distribution packages

  1. roundcubemail (http://www.roundcubemail.net) - installed from the raw tarball in /var/www
  2. managesieve for roundcube - patch over the top of roundcubemail (and as of 0.3+ an official plugin)
  3. voting software - installed in /var/www/board{,-test}

Risk assessments on critical packages

Common Tasks

Updating the roundcubemail version (TODO: review - don't 100% trust this - try an install and check file permissions)

  1. unpack it in /var/www
  2. if there are no database changes (see SQL/mysql.update.sql), skip the next three steps
  3. clone the current database: create database roundcubemail-0_2beta2, then on the command line: mysqldump --opt -p roundcubemail | mysql -p roundcubemail-0_2beta2
  4. GRANT SELECT , INSERT , UPDATE , DELETE ON `roundcubemail-0_2beta2` . * TO 'roundcube'@'%';
  5. run the database upgrade instructions in SQL/mysql.update.sql
  6. cd /var/www/roundcubemail-{newversion}
  7. copy the config from the previous installation: cp /var/www/roundcubemail/config/*p config/
  8. change the database name in config/db.inc.php if using a new database
  9. compare new features with the current config. New features are in config/*dist; merge where appropriate
  10. chown -R root:safe .
  11. chown -R www-data logs temp
  12. symlink: ln -s roundcubemail-{newversion} roundcubemail-test
  13. test that basic login works
  14. apply the svn diff from roundcubemail-svn, which is the X509 patch
  15. find . -name \*php -group root -exec chgrp safe {} \;
  16. perform testing on this site, including sending one email with an attachment
  17. point the /var/www/roundcube symlink at /var/www/roundcubemail-{version} to complete the transition
  18. if this was a critical security update, remove the older /var/www/roundcubemail versions

Critical Configuration items

/etc/hosts

172.16.2.20 community.cacert.org localhost webmail webmail.cacert.org

# used by webmail configuration
# /var/www/roundcube*/config/*

172.16.2.19 dbserver
172.16.2.19 imapserver
172.16.2.19 smtpserver

Roundcubemail

/var/www/roundcube*/config/*

Changes

Planned

Logging

Need to centralise this.

Protection

Fail2ban to mitigate brute force attempts

Postfix taking full advantage of Dovecot auth

Dovecot can do IP-based authentication for a trusted roundcubemail password; this is installed as an additional password authentication mechanism:

/etc/dovecot/dovecot.conf

  passdb sql {
    args = /etc/dovecot/dovecot-sql-masterpassword-webmail.conf
  }

and the SQL is in /etc/dovecot/dovecot-sql-masterpassword-webmail.conf

Dovecot currently says "password rejected" when the non-global password is used, because it checks against PAM before SQL. Still need to tidy the logs up.

Unfortunately Postfix doesn't pass the remote IP to Dovecot authentication, so there is a global password accessible on all services. Luckily it is huge and should never be guessed or brute-forced. This was reported to Wietse; the response was "make a generic patch covering all authentication things for consideration".

SMIME / PGP support

Plugin work underway - http://sourceforge.net/projects/roundcube-crypt


CategorySystems