Systems - Lists
The purpose of the list server is to send and manage email lists (@lists.cacert.org). This is the sysadmin page; user information is located at EmailListsOverview.
This system is a Debian Etch vserver on the physical machine infra01.
- IP: 172.16.2.17
- IP External (Tunix Managed): lists.cacert.org has address 220.127.116.11
- Primary: Mario
- Secondary: Philipp Gühring (?)
- Listmaster (listmaster access through web only)
- Secondary: Mario
- SSH access for remote administration
- for receiving email to be distributed
- http redirects clients to https
- Provides https access to the list software for users and admins
- Provides phpmyadmin to administer the local database
- dkim-milter to sign outgoing messages and verify incoming messages
- lists.cacert.org needs to exist as an A record. Port forwarding by Tunix handles forwarding to the right internal IP.
- lists.cacert.org needs an MX record. Mail goes through Tunix and Email before arriving here.
- lists.cacert.org has a TXT SPF record saying where email with the return path @lists.cacert.org will come from: "v=spf1 ip4:18.104.22.168 -all"
- lists.cacert.org has a TXT DKIM key. The selector is set in /etc/dkim-filter.conf and determines the DNS record name, which is lists._domainkey.cacert.org.
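As an added illustration (not part of this page), a minimal SPF evaluator in Python that checks a sending IP against the record quoted above. It handles only ip4/ip6/all terms, which is all this record uses; include/a/mx mechanisms would need DNS lookups and are not modelled.

```python
import ipaddress

# Constructed copy of the SPF TXT record quoted on this page for lists.cacert.org
SPF_RECORD = "v=spf1 ip4:18.104.22.168 -all"

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                       # RFC 4408: a missing qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def spf_check(record, sender_ip):
    """Result a receiving MTA derives for mail with an @lists.cacert.org return path sent from
    sender_ip. Only ip4/ip6/all are evaluated, so no DNS is needed; other mechanisms raise."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare address == /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        else:
            raise ValueError("mechanism needs DNS, not modelled here: " + mech)
    return "neutral"   # RFC 4408 section 4.7: nothing matched and no "all" term
```

The check only passes for the address Tunix presents to the outside; mail leaving directly from the internal vserver address is not covered by the record and would fail.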
Outbound network connections
- DNS (53) to the resolving nameserver 172.28.50.1
- SMTP (25) to everywhere to deliver email
- SMTP (25) to Email so that @cacert.org addresses receive email quickly, without the double filtering of going through Tunix
- milter (to localhost:5000) for DKIM signing of email
Privileged remote access: Mario, Philipp (?)
Privileged list management access (Sympa): UlrichSchroeter, Mario
- dkim-milter - installed from deb-src (testing)
- sympa - is a backported package from deb-src (testing)
Risk assessments on critical packages
- apache2 - good reputation - low number of vulnerabilities
- sympa - good security record
- commented out $hdr->add('X-no-archive', 'yes'); in /usr/lib/sympa/bin/List.pm (sympa) so that archiving happens (upstream bug 1949)
- bug 3937 - different signing/encryption keys
- bug 5930 - load_cert browser hints
- bug 5929 - etags, compress, expire
After applying patches, make sure wwsympa.fcgi is owned by sympa:sympa and has go+s set.
Stuff we've added through files / scripts
- /usr/share/sympa/scenari/send.private_encrypt - created to enforce that email to some lists is encrypted
- /usr/share/sympa/mail_tt2/authorization_reject.tt2 - added needs_encryption at the bottom
- /usr/share/sympa/scenari/send.public_nobcc - equal([is_bcc],1) smtp,smime,md5 -> reject, quiet (quietly reject bcc'd spam)
- /usr/share/sympa/scenari/send.privateorpublickey - added bcc rejection: equal([is_bcc],1) smtp,md5 -> reject
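To show how Sympa applies scenario rules like the bcc rejection above, here is an added Python model (not Sympa's own code) that parses rule lines of the form condition auth,methods -> action and returns the action of the first rule that matches. The scenario text and the subscriber set are constructed, and the fallback to reject when no rule matches is stated here as an assumption about Sympa's behaviour.

```python
import re

# Constructed scenario, modelled on the send.public_nobcc rule quoted on this page: a bcc'd
# message is quietly rejected whatever the sender's authentication level, anything else is sent.
SCENARIO = """\
title.gettext public list, bcc'd messages quietly rejected
equal([is_bcc],1) smtp,smime,md5 -> reject,quiet
true() smtp,smime,md5 -> do_it
"""

# rule line:  condition(args)  auth,methods  ->  action
RULE_RE = re.compile(r"^(\w+)\((.*?)\)\s+([\w,]+)\s*->\s*(\S+)$")


def parse_scenario(text):
    """Return [(condition, args, {auth methods}, action)] per rule; skip title/comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("title"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable scenario rule: " + line)
        cond, args, auth, action = m.groups()
        arg_list = [a.strip() for a in args.split(",")] if args.strip() else []
        rules.append((cond, arg_list, set(auth.split(",")), action))
    return rules


def resolve(arg, ctx):
    """[name] refers to a scenario variable from the message context; anything else is a literal."""
    if arg.startswith("[") and arg.endswith("]"):
        return str(ctx.get(arg[1:-1], ""))
    return arg


def evaluate(rules, ctx, auth_method):
    """First rule whose condition holds AND whose auth list contains auth_method decides
    (rules are read top to bottom). auth_method is smtp, md5 or smime, as in the files."""
    for cond, args, auths, action in rules:
        vals = [resolve(a, ctx) for a in args]
        if cond == "true":
            hit = True
        elif cond == "equal":
            hit = vals[0] == vals[1]
        elif cond == "is_subscriber":        # stand-in for Sympa's subscriber DB lookup
            hit = vals[1] in ctx.get("subscribers", ())
        else:
            raise ValueError("condition not modelled here: " + cond)
        if hit and auth_method in auths:
            return action
    return "reject"   # assumption: with no matching rule Sympa falls back to reject
```

Because the bcc rule lists all three authentication methods, even an S/MIME-signed message is rejected when the list address is only in Bcc; a rule listing only smtp,md5 (as in send.privateorpublickey) would let smime-authenticated senders through.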
key person's list
Monthly job to send the key person's list to the emergency management team. The sympa user's crontab:
sudo crontab -l -u sympa
Password:
# m h dom mon dow command
1 0 1 * 1 ......
Note that with both day-of-month (1) and day-of-week (1) restricted, cron runs the job when either field matches, i.e. on the 1st of every month and on every Monday.
Adding a list
Use the GUI to create the list. Set the list so that firstname.lastname@example.org can send email to the list without confirmation.
- using the cacert main web interface, log in and validate the list address
- issue a WoT certificate for the list user
- export/backup the WoT certificate out of your browser
- copy the exported p12 certificate to the list server
- use openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes to export the certificate and private key without a password
- copy the certificate and private key to the location described below and make the ownership sympa:sympa. The private key should have permissions go-rwx.
- add subscribers / other owners
- Sympa logs are in /var/log/sympa.log*
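An added Python helper (not part of this page or of Sympa) for the two manual steps after the openssl export: it splits the output of openssl pkcs12 -nodes into certificate and key and writes the key go-rwx from the moment it is created. The file names cert.pem and private_key and the ("sympa", "sympa") owner are assumptions, and the PEM material below is a constructed placeholder, not a real key.

```python
import os
import shutil

# Constructed stand-in for what `openssl pkcs12 -in list.p12 -nodes` prints (certificate and
# unencrypted key, with openssl's "Bag Attributes" noise). Not a real key or certificate.
SAMPLE_PEM = """\
Bag Attributes
    friendlyName: cacert-listname@lists.cacert.org
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURfQ0VSVF9QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURURfS0VZX1BMQUNFSE9MREVS
-----END PRIVATE KEY-----
"""

def split_pem(text):
    """Return (certificate blocks, private key blocks); lines outside BEGIN/END are dropped."""
    certs, keys, block = [], [], None
    for line in text.splitlines():
        if line.startswith("-----BEGIN "):
            block = [line]
        elif line.startswith("-----END ") and block is not None:
            block.append(line)
            (keys if "PRIVATE KEY" in line else certs).append("\n".join(block) + "\n")
            block = None
        elif block is not None:
            block.append(line)
    return certs, keys

def write_with_mode(path, data, mode):
    """Create the file with its final mode (O_EXCL), so a key is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def install_list_material(pem_text, dest_dir, owner=None):
    """Write cert.pem (0644) and private_key (0600) into dest_dir (file names assumed from
    Sympa's list directory layout); owner=("sympa", "sympa") applies chown, which needs root."""
    certs, keys = split_pem(pem_text)
    if len(certs) != 1 or len(keys) != 1:
        raise ValueError("expected exactly one certificate and one private key")
    cert_path = os.path.join(dest_dir, "cert.pem")
    key_path = os.path.join(dest_dir, "private_key")
    write_with_mode(cert_path, certs[0], 0o644)
    write_with_mode(key_path, keys[0], 0o600)   # go-rwx, as required above
    for p in (cert_path, key_path) if owner else ():
        shutil.chown(p, *owner)
    return cert_path, key_path
```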
Critical Configuration items
Describes which sympa lists are valid. This is referred to in /etc/postfix/main.cf as a hash alias map. /etc/aliases.db had to have the sympa group and group write permission so that running newaliases as the sympa user created both alias.db files (/etc/aliases.db and /etc/sympa/aliases.db) (upstream bug 5917).
S/MIME configuration items must be set even if they appear to be the default values.
supported_lang must be a subset of /etc/locale.gen (run /usr/sbin/locale-gen after changing this), otherwise users cannot change their locale in sympa.
The configuration for the web interface of sympa.
This is the private key / X509 key for the list. It determines what is signed and how S/MIME encrypted emails to the list are decrypted.
- httpredirect - redirects 80 to 443
- phpmyadminssl - port 4433 access to database
- sympassl - mailman and sympa configuration
- X509 certificates used by sympa are here
- Data Sources shared across lists (things we didn't want to define more than once)
The board datasource is defined here as the editors of the cacert-board list. Sympa Manual reference
Multiple Email Certificate Extraction bug
(upstream bug) S/MIME validation error when the second or a subsequent email address of a certificate is used
https://lists.cacert.org/test / ocsp code - /usr/lib/sympa/bin/tools.pl
Safari and optional certificate authentication
Is yucky and needs proper Apache configuration.
Friendly to quick subscription by OpenID users (upstream bug 2974)
Reduce SMTP chain at front end
We end up bouncing stuff that we could be rejecting.
Dynamic list generation based on other databases
Automatic lists for assurers in area XYZ. This needs to be asked for; there are suggestions that the webdb is for this purpose.
So the PGP folks feel loved: allow PGP support for the support list (upstream bug 4295, http://listes.cru.fr/sympa/arc/sympa-dev/2008-06/msg00017.html)