Basics
Purpose
The purpose of the community server is to provide webmail for persons with @cacert.org addresses.
Physical Location
This system is located on a Debian Etch vserver on physical machine X.
Logical location
IP: 172.16.2.20
Applicable Documentation
Administration
Primary: Daniel Black
Secondary: Philipp Gühring
Services
Listening services
port       | service | access origin         | purpose
not public | SSH     | sysadmin IP addresses | SSH access for remote administration
443        | https   | all                   | Provides HTTPS access to webmail.
DNS
- community.cacert.org needs to exist as an A record. Port forwarding by Tunix handles forwarding to the right internal IP
Connected Systems
Email IMAPS - the Email system is used as an IMAPS (993) server to provide mail access and show email.
Email MySQL database - the webmail software uses the database to cache some information. Password resets also interact directly with the database.
Outbound network connections
- SMTP (25) to Email for system messages and password reset messages.
- DNS (53) resolving nameserver 172.28.50.1
- IMAPS (993) to (imapserver as per /etc/hosts)
- SMTPS (465) to (smtpserver as per /etc/hosts)
- Database (3306) to (dbserver as per /etc/hosts)
- package updates from http://ftp.nl.debian.org/ and http://security.debian.org/
Security
Privileged Access: Daniel/Philipp
Other Access: All @cacert.org users have HTTPS access
Non-distribution packages
http://www.roundcubemail.net roundcubemail - installed raw tarball in /var/www
Risk assessments on critical packages
- apache - good reputation - low number of vulnerabilities
- php - not a great record, more in the application domain, which is why this is a separate VM with limited access
- roundcubemail - higher risk - new application. Configured with tight php restrictions on it.
Common Tasks
Updating roundcubemail version.
- unpack it outside of /var/www in e.g. /root/roundcubemail
- copy config off previous installation /var/www/roundcubemail/config/*p
- compare new features with current config. New features are in config/*dist. Merge where appropriate
- chown -R root:safe /root/roundcubemail
- chown -R www-data /root/roundcubemail/{logs,temp}
- make the following code change, as the installed version of the PHP MIME module appears to be too old:
program/steps/mail/sendmail.inc 2008-04-05 12:49:21.000000000 +0000 @@ -365,7 +365,11 @@ // append message to sent box if ($store_folder) - $saved = $IMAP->save_message($CONFIG[$store_target], $MAIL_MIME->getMessage()); + { + $header_str = $MAIL_MIME->txtHeaders($headers); + $msg_body = $header_str."\r\n".$MAIL_MIME->get($message_param); + $saved = $IMAP->save_message($CONFIG[$store_target], $msg_body); + }
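Review bot: the added body uses `$headers` and `$message_param` without defining them, so it relies on both already being in scope at this point in sendmail.inc; check that they still exist in each new release before reapplying the hunk, since the procedure above reapplies it on every update. Also confirm that `txtHeaders()` in the installed PHP MIME module terminates the last header with a line ending: the hunk joins headers and body with a single `"\r\n"`, and without that trailing line ending the saved copy would have no blank line separating headers from body. Because the hunk only re-implements what `getMessage()` does, it should be dropped once the module is upgraded.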
- copy this to /var/www/roundcubemail-{version}
- perform testing on this site including sending one email
- repoint the /var/www/roundcube symlink at /var/www/roundcubemail-{version} to complete the transition
- if this was a security update remove older /var/www/roundcubemail versions
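As an added example that is not part of this wiki page, the following shell helpers carry out the config comparison, symlink switch and old-version cleanup steps of the procedure above. The document root parameter, the `$rcmail_config['...']` key pattern and GNU coreutils `mv -T` (as on Debian) are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: helpers for the last steps of the roundcubemail
# update procedure. The document root is a parameter so the functions can be tried
# in a scratch directory before being run against /var/www. Assumes GNU coreutils
# (Debian) for mv -T and roundcube's $rcmail_config['...'] config key style.
set -eu

# Print config options that the new release's config/*.dist files define but the
# current install's config/* files do not: the "new features" to merge by hand.
new_config_keys() { # new_config_keys <unpacked_new_release> <current_install>
  _new=$1 _cur=$2 _tmp=$(mktemp -d)
  for _dist in "$_new"/config/*.dist; do
    _base=${_dist##*/}; _base=${_base%.dist}
    grep -o "rcmail_config\['[^']*'\]" "$_dist" | sort -u > "$_tmp/new"
    if [ -f "$_cur/config/$_base" ]; then
      grep -o "rcmail_config\['[^']*'\]" "$_cur/config/$_base" | sort -u
    fi > "$_tmp/cur"
    comm -23 "$_tmp/new" "$_tmp/cur" | sed "s/^/$_base: /"
  done
  rm -rf "$_tmp"
}

# Repoint the roundcube symlink at roundcubemail-<version>. The new link is made
# under a temporary name and renamed over the old one, so the document root is
# never missing during the switch.
switch_version() { # switch_version <docroot> <version>
  _doc=$1 _target="roundcubemail-$2"
  if [ ! -d "$_doc/$_target" ]; then
    echo "no such install: $_doc/$_target" >&2
    return 1
  fi
  ln -s "$_target" "$_doc/roundcube.tmp.$$"
  mv -T "$_doc/roundcube.tmp.$$" "$_doc/roundcube"
}

# After a security update, list the roundcubemail-* directories the symlink no
# longer points at: the old, vulnerable copies that the procedure says to remove.
stale_versions() { # stale_versions <docroot>
  _doc=$1
  _live=$(readlink "$_doc/roundcube"); _live=${_live##*/}
  for _d in "$_doc"/roundcubemail-*; do
    [ -d "$_d" ] || continue
    [ "${_d##*/}" = "$_live" ] || echo "$_d"
  done
}
```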
Critical Configuration items
/etc/hosts
172.16.2.20 community.cacert.org localhost webmail webmail.cacert.org
# used by webmail configuration
# /var/www/roundcube*/config/*
172.16.2.19 dbserver
172.16.2.19 imapserver
172.16.2.19 smtpserver
Roundcubemail
/var/www/roundcube*/config/*
Changes
Planned
Logging
Need to centralise this.
Protection
Fail2ban to mitigate brute force attempts
Spelling
Next release will have pspell support.
X509 Authentication
Roundcubemail patch has been done. Waiting for upstream to assess it a bit more.
Dovecot can do IP-based authentication for a trusted roundcubemail password, and this is installed as an additional password authentication mechanism:
/etc/dovecot/dovecot.conf
passdb sql {
args = /etc/dovecot/dovecot-sql-masterpassword-webmail.conf
}
and the SQL is in /etc/dovecot/dovecot-sql-masterpassword-webmail.conf
Dovecot is currently saying "password rejected" when the non-global password is used, as it checks against PAM before SQL. Still need to tidy the logs up.
Unfortunately Postfix doesn't pass the remote IP to Dovecot authentication, so there is a global password accessible on all services. Luckily it is huge and should never be guessed or brute-forced.
SMIME / PGP support
- allow users to send and receive S/MIME & GPG signed/encrypted messages
- interface for looking up S/MIME, GPG keys for recipients
Last logged in
- "Last logged in from (HTTPS,POPs,IMAPs)" display -- TODO search/make a feature request
S/KEY
- for those who use dodgy internet kiosks -- TODO search/make a feature request