Systems - Lists

Basics

Purpose

The purpose of the list server is to send and manage email lists (@lists.cacert.org). This is the sysadmin page; user information is located at EmailListsOverview.

Physical Location

This system is located on a Debian Etch vserver on physical machine infra01.

Logical location

Applicable Documentation

  1. EmailListsOverview

Administration

Services

Listening services

DNS

Connected Systems

Outbound network connections

Security

Privileged remote access: Mario, Philipp (?)

Privileged list management access (Sympa): UlrichSchroeter, Mario

Non-distribution packages

Risk assessments on critical packages

Ugly Hacks

After applying patches, make sure that wwsympa.fcgi is sympa:sympa go+s.

Customisations

Stuff we've added through files / scripts

Scenarios

key person's list

Monthly job to send key person's list to emergency management team.

sudo crontab -l -u sympa
Password:
# m h  dom mon dow   command
1   0  1   *   1     ......

Common Tasks

Adding a list

  1. Log in to Sympa at https://lists.cacert.org/wws using the listmaster@lists.cacert.org account (password stored in /root/sympa-listmanagerpassword.txt).

  2. Use the GUI to create the list. Set the list so that support@cacert.org can send email to the list without confirmation.

  3. Using the CAcert main web interface, log in and validate the list address.
  4. Issue a WoT certificate for the list user.
  5. Export/back up the WoT certificate out of your browser.
  6. Copy the exported p12 certificate to the list server.
  7. Use openssl pkcs12 -in cacert-listname\@lists.cacert.org.p12 -nodes to export the certificate without a password.

  8. Copy the certificate and private key to the location described below and set ownership to sympa:sympa. The private key should have permissions go-rwx.

  9. Add subscribers and other owners.

Sympa logs

Critical Configuration items

/etc/sympa/aliases

Describes which Sympa lists are valid. This is referred to in /etc/postfix/main.cf as a hash alias. /etc/aliases.db had to have the sympa group and write permissions so that running newaliases as the sympa user created both aliases.db files (/etc/aliases.db and /etc/sympa/aliases.db) (upstream bug 5917).

/etc/sympa/sympa.conf

S/MIME configuration items must be set even if they appear to be the default values.

supported_lang must be a subset of /etc/locale.gen (run /usr/sbin/locale-gen after changing this), otherwise users cannot change their locale in Sympa.

/etc/sympa/wwsympa.conf

The configuration for the web interface of Sympa.

/var/lib/sympa/expl/{listname}/{cert.pem,private_key}

This is the X.509 certificate and private key for the list. This determines what is signed and how S/MIME-encrypted emails for the list are decrypted.
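
One way to verify the result of step 8 of "Adding a list" for the files in this location (an added example, not part of the original page or of Sympa). It assumes GNU stat as shipped with Debian and that every list directory is expected to hold both files; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): audit per-list S/MIME files.
# Assumptions: GNU stat as on Debian; function and variable names are hypothetical.
EXPL_DIR="${EXPL_DIR:-/var/lib/sympa/expl}"      # per-list directories, from the page
EXPECTED_OWNER="${EXPECTED_OWNER:-sympa:sympa}"  # ownership required by step 8

# audit_list_dir DIR: print one line per problem; return 0 if clean, 1 otherwise.
audit_list_dir() {
    ald_dir=$1
    ald_bad=0
    for ald_name in cert.pem private_key; do
        ald_path="$ald_dir/$ald_name"
        if [ ! -f "$ald_path" ]; then
            echo "MISSING $ald_path"
            ald_bad=1
            continue
        fi
        ald_owner=$(stat -c '%U:%G' "$ald_path")
        if [ "$ald_owner" != "$EXPECTED_OWNER" ]; then
            echo "OWNER $ald_path is $ald_owner, expected $EXPECTED_OWNER"
            ald_bad=1
        fi
    done
    if [ -f "$ald_dir/private_key" ]; then
        ald_mode=$(stat -c '%a' "$ald_dir/private_key")
        # go-rwx means no group/other bits: mask the octal mode with 077.
        if [ $((0$ald_mode & 077)) -ne 0 ]; then
            echo "MODE $ald_dir/private_key is $ald_mode, expected go-rwx"
            ald_bad=1
        fi
    fi
    return "$ald_bad"
}

# audit_all: check every list directory under EXPL_DIR; return 1 if any fails.
audit_all() {
    aa_bad=0
    for aa_dir in "$EXPL_DIR"/*/; do
        [ -d "$aa_dir" ] || continue
        audit_list_dir "${aa_dir%/}" || aa_bad=1
    done
    return "$aa_bad"
}

# Run the audit only when asked, e.g.: sh audit-list-keys.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_all
fi
```

Run it as root or as the sympa user so that the private keys can be examined; a non-zero exit status means at least one list directory needs attention.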

/etc/apache2/sites-available/

/var/lib/sympa/x509-user-certs/{emailaddress}

/etc/sympa/data_sources

Changes

Planned

Multiple Email Certificate Extraction bug

OCSP support

https://bugs.cacert.org/view.php?id=732

/usr/lib/cgi-bin/sympa/wwsympa-test.fcgi

https://lists.cacert.org/test / ocsp code - /usr/lib/sympa/bin/tools.pl

Safari and optional certificate authentication

Is yucky and needs proper Apache configuration.

OpenID authentication/access

Friendly to quick subscription by OpenID users. Upstream bug 2974.

Reduce SMTP chain at front end

We end up bouncing stuff that we could be rejecting.

Dynamic list generation based on other databases

Automatic lists for assurers in area XYZ. Needs to be asked for. There are suggestions that the webdb is for this purpose.

PGP support

So the PGP folks feel loved. Allow PGP support for support list. Upstream bug 4295: http://listes.cru.fr/sympa/arc/sympa-dev/2008-06/msg00017.html


CategorySystems

SystemAdministration/Systems/Lists (last edited 2012-04-21 12:13:56 by UlrichSchroeter)