Systems - Email
Basics
Purpose
The email server receives email for @cacert.org addresses. It also provides users of @cacert.org with IMAPS and POP3S access to their accounts. It hopefully meets these requirements.
The database on this server is provided as a cache for the webmail.
Physical Location
This system is located on a Debian Etch vserver on physical machine sun2.
Logical location
IP: 172.16.2.19 (email.intra.cacert.org)
POP3/IMAP: via Tunix port forwarding associated with community.cacert.org
Applicable Documentation
Administration
- Primary: Christopher Hoth
- Secondary: Philipp Gühring
- Limited: Mario can reset passwords of users
Services
Listening services
port | service | access origin | purpose
22 | SSH | centralised access server | SSH access for remote administration
25 | SMTP entry | Tunix gateway | Entry point for external email
110 | POP3 | all | POP3 access after TLS for authenticated @cacert.org users
143 | IMAP | all | IMAP access after TLS for authenticated @cacert.org users
465 | SMTP-SSL | all | For authenticated @cacert.org users to send email
465 | SMTP-SSL | | For sending email via webmail
587 | SMTP authenticated | all | For authenticated @cacert.org users to send email (TLS only)
993 | IMAPS | all | IMAP access over SSL for authenticated @cacert.org users
993 | IMAPS | | IMAP access over SSL for delivery via webmail
995 | POP3S | all | POP3 access over SSL for authenticated @cacert.org users
2000 | managesieve | all | Manage Sieve server-side scripts for authenticated @cacert.org users after TLS
2001 | managesieve | webmail | Manage Sieve server-side scripts for authenticated @cacert.org users (no TLS, as roundcube's (specifically PEAR Net-Sieve's) interaction with it over TLS crashes)
3306 | MySQL | | Provide database access for webmail cache information
4433 | https | localhost | Serves phpmyadmin for ease of database management (mainly adding users/aliases)
DNS
- MX - goes through the Tunix server
- no SPF - see https://bugs.cacert.org/view.php?id=492
- DKIM TODO - all email is digitally signed; the public key is mail._domainkey.cacert.org and comes from /etc/mail/
Running Services
Service | Started from
cron | /etc/init.d/cron
syslog | /etc/init.d/syslog
postfix | /etc/init.d/postfix
dovecot-auth | /etc/init.d/dovecot
dovecot-pop3/imap | /etc/init.d/dovecot
mysql | /etc/init.d/mysql
manage-sieve | xinetd
xinetd | /etc/init.d/xinetd
ssh | /etc/init.d/ssh
dkim-filter | /etc/init.d/dkim-filter
apache2 | /etc/init.d/apache2
Connected Systems
- lists.cacert.org: email for lists@cacert.org is sent directly to that server rather than being spam checked by Tunix.
- Community Webmail: webmail uses the IMAP service to show email. It also uses the database to cache some information.
- Issue Tracking: email to the issue tracking address is aliased in /etc/aliases and transported via /etc/postfix/transport directly to the issue virtual server.
Outbound network connections
- DNS (53) resolving nameserver 172.28.50.1
- SMTP (25) to any mailserver
- SMTP (25) to lists (internal IP)
- HTTP (80) for package updates: http://ftp.nl.debian.org/, http://www.backports.org and http://security.debian.org/
Security
Privileged Access: Daniel/Philipp
Other Access: All @cacert.org users have POP3(S|TLS)/IMAP(S|TLS)/SMTP(TLS/SSL)/Managesieve access
Non-distribution packages
- neale's pysieved in /usr/local/lib/pysieve-neale (symlink pysieve), with configuration in /usr/local/etc/pysieve.ini
- tlslite installed in /usr/local/lib/tlslite-{version} and patched with this patch. /usr/local/lib/pysieve* has a tlslite symlink to /usr/local/lib/tlslite-{version}/tlslite
- backup copy of a fork of manage sieve installed in /usr/local/lib/pysieve-philippe
Risk assessments on critical packages
- postfix - good reputation - low number of vulnerabilities
- dkim-milter - higher risk - input is largely filtered by postfix's milter API. Runs at low privileges
- dovecot - good reputation - low number of vulnerabilities
Common Tasks
Adding Users
- Create the user in the database cacertusers, table users.
- Manually create the Maildir: mkdir -p /home/user/Maildir
- chown -R user:user /home/user
Practical Example
mysql> use cacertusers
mysql> insert into users (username,fullnamealias,realname,password) values ('thenewuser','thenew.user','The New User','$1$caea3837$gPafod/Do/8Jj5M9HehhM.');
This sets up a new user with the password 'secret'. Now use https://community.cacert.org/password.php to set the user's password to a better value.
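As an added example, not from this wiki page or the CAcert project, a small Python helper that does what the Practical Example above does by hand: it generates a fresh salt and MD5-crypt hash for a one-time password, builds the INSERT with the values escaped, and emits the Maildir commands shell-quoted. It assumes the users table columns named above and that the password column stores MD5-crypt ($1$) hashes, which is what the format of the example hash indicates.

```python
import hashlib
import secrets
import shlex

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$salt$hash), the scheme of the hash in the INSERT example above (assumed)."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):       # one alternate-sum chunk per 16 password bytes
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:                               # bit-length quirk of the original algorithm
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                  # fixed 1000-round stretching loop
        m = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            m.update(sl)
        if i % 7:
            m.update(pw)
        m.update(final if i & 1 else pw)
        final = m.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):                 # crypt-style base64, least significant bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    out += ITOA64[v & 0x3F] + ITOA64[(v >> 6) & 0x3F]
    return (magic + sl).decode() + "$" + out


def new_user_sql(username, alias, realname, password, salt=None):
    """INSERT for cacertusers.users with a fresh salt; quotes escaped for the mysql client."""
    salt = salt or secrets.token_hex(4)    # 8 hex chars, like 'caea3837' in the example above
    esc = lambda s: s.replace("\\", "\\\\").replace("'", "''")
    return ("insert into users (username,fullnamealias,realname,password) values "
            f"('{esc(username)}','{esc(alias)}','{esc(realname)}','{md5crypt(password, salt)}');")


def maildir_commands(username):
    """The mkdir/chown step, shell-quoted so an unusual username cannot inject into the shell."""
    u = shlex.quote(username)
    return [f"mkdir -p /home/{u}/Maildir", f"chown -R {u}:{u} /home/{u}"]
```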
Aliases
There are two types of aliases.
The first type is aliases that are never sent from, e.g. postmaster@cacert.org. All these aliases are in /etc/aliases. Don't forget to run postalias /etc/aliases after any changes. Aliases for issue tracking are installed here as {issuetrackingaddress}: {issuetrackingaddress}@issue.cacert.org.
For aliases from which email is sent, e.g. pr@cacert.org, the alias is recorded in the aliases table of the cacertusers database. This is so that the designated person, and only the designated person, can send email under this role.
Critical Configuration items
/etc/dovecot/dovecot.conf
Main dovecot configuration defining the authentication for IMAP/POP3 and SMTPS
Dovecot authentication
/etc/dovecot/dovecot.conf refers to the PAM service mail. PAM mail is defined in /etc/pam.d/mail. System users are defined by NSS, which is a combination of /etc/passwd (for root and non-IMAP/POP users) and /etc/libnss-mysql*.
There is a special master password so that webmail can do the authentication for dovecot using certificates. This is defined in /etc/dovecot/dovecot-sql-masterpassword-webmail.conf. This special password is restricted to the IP of Community.
Manage Sieve
Configuration is stored in "/usr/local/etc/pysieve.ini". Started by xinetd: "/etc/xinetd.d/pysieved"
/etc/postfix/*
Postfix configuration
/etc/mysql/*cnf
Mysql passwords
/home/{username}/Maildir
Where email is stored.
Changes
Planned
cacert.net/cacert.org
- configure so that only hostmaster and the other RFC email addresses exist on this.
Archiving Email
Problem
The threat of legal discovery is an emerging disaster in USA litigation, and is also spreading to other Anglo countries. The basic model is to use the courts to force the delivery of all data on an issue, spread over many different events. Each event costs money (a full legal "act" might cost from $5k to $1m).
Considerations
Normally, most people use their own email because business and private matters are hard to separate. Most people keep and store their email on their laptops (which may then become subject to seizure orders for examination by opposition counsel).
Solution
Employing CAcert email addresses and the CAcert server for all official business allows escrow into a black hole (an unreadable store). In the event of a discovery motion, an Arbitrator can compel the opening of the store and the delivery of the documents. See Threats/LegalDiscovery for more.
The policy consideration is that as much CAcert business as possible should go through CAcert email addresses. This means that all roles (or officers) should use the addresses.
Permission & Tracking
As CAcert is then effectively tracking the email of Members, there will need to be permission and clear information / notification as to what is being done. E.g., check this: under the applicable law, the TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) ACT 1979 http://www.austlii.edu.au/au/legis/cth/consol_act/taaa1979410/, inbound email cannot be intercepted until it has completed, see http://www.efa.org.au/Issues/Privacy/tia.html. OK, checked - entirely not applicable (Daniel - 02 May 2009 - section 5(5) - the telecommunication system isn't in Australia)
Tech
Need an address to archive to, archive@cacert.org, with a bcc there on sending/receiving.
password brute force attempts
Something like fail2ban on the primary host.
Logging
Something like mailgraph on the logs (or pflog)
X509 Authentication
Daniel may get around to working on dovecot patches.
postfix also needs work - certificate authentication there is more server-oriented than aimed at user submission (unstarted - hope to reuse the dovecot work).
Direct internet
Ready the system for direct inbound Internet connections without Tunix. It is only half done, due to a rushed install without a clear final plan.
DSPAM Imap folder spam setup
Users control their own spam filtering
Move to Lenny
DKIM
Use opendkim, as dkim-milter is unmaintained.
LDAP
LDAP will be a more useful database of user information than MySQL. May consider exporting this publicly.
Public fold of mailing lists
Put public mailing lists in public folder
