Systems - Lists
Basics
Purpose
The list server sends and manages the CAcert email lists (@lists.cacert.org). This is the sysadmin page; user information is located at EmailListsOverview.
Physical Location
This system is located on a Debian Etch vserver on physical machine infra01.
Logical location
- IP: 172.16.2.17
- IP External (Tunix Managed): lists.cacert.org has address 213.154.225.231
Applicable Documentation
Administration
- Primary: Mario
- Secondary: Philipp Gühring (?)
- Listmaster (listmaster access through the web interface only)
  - Primary: UlrichSchroeter
  - Secondary: Mario
Services
Listening services
port   service   access origin   purpose
22     ssh                       SSH access for remote administration
25     smtp      tunix/Email     receiving email to be distributed to the lists
80     http      all             redirects clients to https
443    https     all             provides https access to the list software for users and admins
4433   https     localhost       provides phpMyAdmin to administer the local database
5000   milter    localhost       dkim-milter signs outgoing messages and verifies incoming messages
DNS
- lists.cacert.org needs to exist as an A record. Port forwarding by Tunix handles forwarding to the right internal IP.
- lists.cacert.org needs an MX record. Mail goes through Tunix and Email before arriving here.
- lists.cacert.org has a TXT SPF record saying where email with an @lists.cacert.org return path will come from: "v=spf1 ip4:213.154.225.228 -all"
- lists.cacert.org has a TXT DKIM key. The selector (list) is set in /etc/dkim-filter.conf, hence the public key lives in the DNS at lists._domainkey.cacert.org.
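The SPF record above is a hard-fail record with a single permitted address. The following is an added example (not code from this page or from Sympa) that evaluates a sender IP against such a record the way a receiving MTA would, for records built only from ip4/ip6/all mechanisms; it is useful for checking that whichever address the list server's outbound mail actually leaves from (the Tunix gateway, not necessarily the 213.154.225.231 address that lists.cacert.org resolves to) is the one the record names. Mechanisms that need DNS lookups are deliberately rejected rather than guessed.

```python
import ipaddress

# SPF record published for lists.cacert.org, as documented on this page.
LISTS_SPF = "v=spf1 ip4:213.154.225.228 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result (pass/fail/softfail/neutral) for sender_ip.

    Only the ip4, ip6 and all mechanisms are implemented; anything that needs
    a DNS lookup (a, mx, include, exists, redirect=) raises ValueError so the
    caller sees the gap instead of a silently wrong verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise ValueError(f"mechanism {name!r} needs DNS and is not supported here")
    return "neutral"  # no mechanism matched and there is no "all" term


def lists_server_may_send(sender_ip):
    """True only if mail from sender_ip passes the lists.cacert.org record."""
    return evaluate_spf(LISTS_SPF, sender_ip) == "pass"
```

With the record as documented, only 213.154.225.228 passes; both the internal address 172.16.2.17 and the published external address 213.154.225.231 evaluate to fail, which is what a strict receiver would act on if mail ever left from one of them directly.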
Connected Systems
- None
Outbound network connections
- DNS (53) to the resolving nameserver 172.28.50.1
- SMTP (25) to everywhere to deliver email
- SMTP (25) to Email so that @cacert.org addresses receive email quickly without being filtered twice by going through Tunix
- HTTP (80) for package updates from http://ftp.nl.debian.org/, http://www.backports.org and http://security.debian.org/
- milter (to localhost:5000) for DKIM signing of email
Security
- Privileged remote access: Mario, Philipp (?)
- Privileged list management access (Sympa): UlrichSchroeter, Mario
Non-distribution packages
- dkim-milter - installed from deb-src (testing)
- sympa - is a backported package from deb-src (testing)
Risk assessments on critical packages
- apache2 - good reputation - low number of vulnerabilities
- sympa - good security record
Ugly Hacks
- commented out $hdr->add('X-no-archive', 'yes'); in /usr/lib/sympa/bin/List.pm (sympa) so that archiving happens (upstream bug 1949)
- upstream bug 3937 - different signing/encryption keys
- upstream bug 5930 - load_cert browser hints
- upstream bug 5929 - etags, compress, expire
- after applying patches make sure wwsympa.fcgi is still owned by sympa:sympa and has its set-id bit set (chmod go+s), otherwise the web interface cannot act as the sympa user
Customisations
Stuff we've added through files / scripts
Scenarios
- /usr/share/sympa/scenari/send.private_encrypt created to enforce that email to certain lists is S/MIME encrypted
- /usr/share/sympa/mail_tt2/authorization_reject.tt2 -> added a needs_encryption reason at the bottom
- /usr/share/sympa/scenari/send.public_nobcc -> equal([is_bcc],1) smtp,smime,md5 -> reject,quiet (quietly reject spam that only has the list in Bcc)
- /usr/share/sympa/scenari/send.privateorpublickey -> added Bcc rejection: equal([is_bcc],1) smtp,md5 -> reject
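The two checks these scenarios make (is the list address present in To: or Cc:, and is the message S/MIME encrypted) are shown below as a stand-alone Python re-implementation. This is an added example, not Sympa's scenario engine or code from this wiki; the list address, the sample messages and the returned decision strings are constructed for illustration and mirror the reject,quiet / reject(needs_encryption) / do_it outcomes described above.

```python
from email import message_from_string
from email.utils import getaddresses

LIST_ADDRESS = "cacert-board@lists.cacert.org"  # assumed list for the examples


def list_is_bcc(msg, list_address=LIST_ADDRESS):
    """Sympa's [is_bcc] condition: the list appears in neither To: nor Cc:.

    A message whose only route to the list was the SMTP envelope (Bcc, or a
    spam run with 'undisclosed-recipients') therefore counts as Bcc'd."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return not any(addr.lower() == list_address.lower() for _, addr in pairs)


def is_smime_encrypted(msg):
    """True when the top-level body is S/MIME enveloped-data (RFC 8551 3.3).

    A pkcs7-mime body without an explicit smime-type is treated as NOT
    encrypted, so the encryption requirement fails closed."""
    if msg.get_content_type() not in ("application/pkcs7-mime",
                                      "application/x-pkcs7-mime"):
        return False
    return msg.get_param("smime-type") == "enveloped-data"


def send_decision(msg, list_address=LIST_ADDRESS, require_encryption=False):
    """Decide like the send scenarios above: Bcc'd mail is quietly rejected,
    and a private_encrypt list additionally rejects unencrypted mail."""
    if list_is_bcc(msg, list_address):
        return "reject,quiet"              # send.public_nobcc / send.privateorpublickey
    if require_encryption and not is_smime_encrypted(msg):
        return "reject(needs_encryption)"  # send.private_encrypt -> authorization_reject.tt2
    return "do_it"


# Constructed sample messages (not real list traffic).
PLAIN_TO_LIST = """From: alice@example.org
To: cacert-board@lists.cacert.org
Subject: agenda
Content-Type: text/plain

Agenda for the next meeting.
"""

BCC_TO_LIST = """From: spammer@example.net
To: undisclosed-recipients:;
Subject: great offer
Content-Type: text/plain

The list address was only in the envelope, not in To: or Cc:.
"""

# The base64 body is a placeholder and is never decoded here.
CC_TO_LIST_ENCRYPTED = """From: alice@example.org
To: bob@example.org
Cc: CAcert Board <cacert-board@lists.cacert.org>
Subject: confidential
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBogYJKoZIhvcNAQcDoIIBkzCCAY8CAQAx
"""
```

The encryption test looks at the outer Content-Type only; a message that is merely signed (smime-type=signed-data or multipart/signed) is not encrypted and is rejected on a private_encrypt list, which is the behaviour the needs_encryption reject reason exists for.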
key person's list
Monthly job to send the key person's list to the emergency management team. It runs from the sympa user's crontab:

  sudo crontab -l -u sympa
  # m h dom mon dow command
  1 0 1 * 1 ......

Note that both the day-of-month field (1) and the day-of-week field (1) are restricted here. cron runs the command when either field matches, so this job fires on the 1st of every month and also every Monday. For a strictly monthly run the dow field should be *.
Common Tasks
Adding a list
- Log in to Sympa at https://lists.cacert.org/wws as listmaster@lists.cacert.org (password stored in /root/sympa-listmanagerpassword.txt)
- Use the GUI to create the list. Set the list so that support@cacert.org can send email to the list without confirmation.
- Using the CAcert main web interface, log in and validate the list address.
- Issue a WoT certificate for the list user.
- Export/back up the WoT certificate out of your browser.
- Copy the exported .p12 file to the list server.
- Use openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes to export the certificate and private key without a password.
- Copy the certificate and private key to the location described under Critical Configuration items (/var/lib/sympa/expl/{listname}/{cert.pem,private_key}) and make them owned by sympa:sympa. The private key must be go-rwx.
- Add subscribers / other owners.
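Both the list certificate step above and the wwsympa.fcgi note under Ugly Hacks come down to getting file ownership and mode right, and getting them wrong is silent until a list stops decrypting mail or the web interface stops working. The following is an added helper (not part of this page or of Sympa) that splits a browser-exported PKCS#12 into the cert.pem and private_key files Sympa expects and then verifies owner, group and mode for both files and for wwsympa.fcgi. It assumes the openssl command line tool is on PATH, that the list user and group are both named sympa, and that wwsympa.fcgi lives at the /usr/lib/cgi-bin/sympa/ path mentioned under Planned changes; install_list_cert must run as root.

```python
import grp
import os
import pwd
import stat
import subprocess

SYMPA_EXPL = "/var/lib/sympa/expl"
# Assumed path of the production binary (the page only names a test build here).
WWSYMPA_FCGI = "/usr/lib/cgi-bin/sympa/wwsympa.fcgi"


def owner_of(path):
    """(user, group) names of path; numeric ids if a name is unknown."""
    st = os.stat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group


def check_file(path, owner, group, required=0, forbidden=0):
    """Return a list of problems with path's owner/group/mode (empty = OK).

    required: permission bits that must all be set;
    forbidden: permission bits that must all be clear.
    A missing file is reported as a problem rather than raising."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    got = ":".join(owner_of(path))
    if got != f"{owner}:{group}":
        problems.append(f"{path}: owned by {got}, want {owner}:{group}")
    mode = stat.S_IMODE(st.st_mode)
    if (mode & required) != required:
        problems.append(f"{path}: mode {mode:04o} lacks required bits {required:04o}")
    if mode & forbidden:
        problems.append(f"{path}: mode {mode:04o} has forbidden bits {mode & forbidden:04o}")
    return problems


def check_list_key(listname, expl=SYMPA_EXPL):
    """private_key must be sympa:sympa and go-rwx; cert.pem sympa:sympa."""
    d = os.path.join(expl, listname)
    return (check_file(os.path.join(d, "private_key"), "sympa", "sympa", forbidden=0o077)
            + check_file(os.path.join(d, "cert.pem"), "sympa", "sympa"))


def check_wwsympa(path=WWSYMPA_FCGI):
    """After patching: still sympa:sympa with the set-gid bit from 'chmod go+s'."""
    return check_file(path, "sympa", "sympa", required=stat.S_ISGID)


def install_list_cert(p12_path, listname, expl=SYMPA_EXPL):
    """Split a browser-exported PKCS#12 into cert.pem and private_key for Sympa.

    Runs the openssl CLI (it prompts for the .p12 import password on each
    call) and writes both files under a restrictive umask before fixing
    ownership, so the key is never world-readable even briefly."""
    d = os.path.join(expl, listname)
    os.makedirs(d, exist_ok=True)
    cert = os.path.join(d, "cert.pem")
    key = os.path.join(d, "private_key")
    old_umask = os.umask(0o077)
    try:
        # -clcerts -nokeys: only the list's own certificate, no CA chain, no key.
        subprocess.run(["openssl", "pkcs12", "-in", p12_path, "-clcerts", "-nokeys",
                        "-out", cert], check=True)
        # -nocerts -nodes: the private key, unencrypted, as Sympa reads it.
        subprocess.run(["openssl", "pkcs12", "-in", p12_path, "-nocerts", "-nodes",
                        "-out", key], check=True)
    finally:
        os.umask(old_umask)
    uid, gid = pwd.getpwnam("sympa").pw_uid, grp.getgrnam("sympa").gr_gid
    for p in (cert, key):
        os.chown(p, uid, gid)
    os.chmod(cert, 0o644)
    os.chmod(key, 0o600)
    return check_list_key(listname, expl)
```

Run check_list_key(listname) after copying the files by hand, and check_wwsympa() after every patch round; an empty list means the file is as this page requires, anything else is the exact owner or mode bit to fix.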
Sympa logs
- Sympa logs are in /var/log/sympa.log*
Critical Configuration items
/etc/sympa/aliases
Describes which sympa lists are valid. It is referred to in /etc/postfix/main.cf as a hash alias map. /etc/aliases.db had to be given the sympa group and group write permission so that running newaliases as the sympa user creates both alias databases (/etc/aliases.db and /etc/sympa/aliases.db) (upstream bug 5917).
/etc/sympa/sympa.conf
S/MIME configuration items must be set even if they appear to be the default values.
supported_lang must be a subset of /etc/locale.gen (run /usr/sbin/locale-gen after changing this), otherwise users cannot change their locale in sympa.
/etc/sympa/wwsympa.conf
The configuration for the webinterface of sympa
/var/lib/sympa/expl/{listname}/{cert.pem,private_key}
These are the private key and X.509 certificate for the list. They determine what is signed and how S/MIME encrypted email to the list is decrypted.
/etc/apache2/sites-available/
- httpredirect - redirects 80 to 443
- phpmyadminssl - port 4433 access to database
- sympassl - mailman and sympa configuration
/var/lib/sympa/x509-user-certs/{emailaddress}
- X509 certificates used by sympa are here
/etc/sympa/data_sources
- Data sources shared across lists (things we didn't want to define more than once)
- the board data source is defined here as the editors of the cacert-board list (see the Sympa manual)
Changes
Planned
Multiple Email Certificate Extraction bug
(upstream bug) S/MIME validation error when second or subsequent email address of a certificate used
OCSP support
https://bugs.cacert.org/view.php?id=732
Test build: /usr/lib/cgi-bin/sympa/wwsympa-test.fcgi (https://lists.cacert.org/test); OCSP code in /usr/lib/sympa/bin/tools.pl
Safari and optional certificate authentication
Is yucky and needs proper Apache configuration.
OpenID authentication/access
Friendly to quick subscription by OpenID users. upstream bug 2974
Reduce SMTP chain at front end
We end up bouncing stuff that we could be rejecting.
Dynamic list generation based on other databases
Automatic lists for assurers in area XYZ. Needs to be asked for. suggestions that the webdb is for this purpose.
PGP support
So the PGP folks feel loved. Allow PGP support for support list upstream bug 4295 http://listes.cru.fr/sympa/arc/sympa-dev/2008-06/msg00017.html
