Basics
Purpose
The email server receives email for @cacert.org and @lists.cacert.org addresses. It also gives @cacert.org users IMAPS and POP3S access to their mailboxes.
Physical Location
This system is located on a Debian Etch vserver on physical machine X.
Logical location
IP: 172.16.2.19
POP3/IMAP: via Tunix port forwarding associated with community.cacert.org
Applicable Documentation
Administration
- Primary: Daniel Black
- Secondary: Philipp Gühring
- Limited: Guillaume Romagny can reset passwords of users
Services
Listening services
port          | service               | access origin         | purpose
25            | SMTP                  | Tunix gateway         | Entry point for external email
110 (future)  | POP3                  | all                   | POP3 access over TLS (STARTTLS) for authenticated @cacert.org users
143 (future)  | IMAP                  | all                   | IMAP access for authenticated @cacert.org users
465           | SMTP-SSL              | all                   | For authenticated @cacert.org users to send email
465           | SMTP-SSL              | community webmail     | For sending email via webmail
587           | SMTP (authenticated)  | all                   | For authenticated @cacert.org users to send email (STARTTLS only)
993           | IMAPS                 | all                   | IMAP access over SSL for authenticated @cacert.org users
993           | IMAPS                 | community webmail     | IMAP access over SSL for webmail
995           | POP3S                 | all                   | POP3 access over SSL for authenticated @cacert.org users
not public    | SSH                   | sysadmin IP addresses | SSH access for remote administration
3306          | MySQL                 | community webmail     | Database access for the webmail cache information
4433          | https                 | localhost             | Serves phpMyAdmin for database management ease (mainly adding users/aliases)
5434          | amavis                | localhost             | Allows flexible spam filtering on the email server (currently disabled)
10031         | postfix policy filter | localhost             | Allows flexible black/whitelisting on the email server (currently disabled)
DNS
- MX - goes through Tunix server
DKIM - All email is digitally signed - the public key is mail._domainkey.cacert.org and comes from /etc/mail/
Connected Systems
lists.cacert.org Email for lists@cacert.org is directly relayed
Community Webmail Webmail uses the imap service to show email. It also uses the database to cache some information.
Outbound network connections
- DNS (53) resolving nameserver 172.28.50.1
- SMTP (25) to any mailserver
- SMTP (25) to lists (internal IP)
- HTTP (80) package updates from http://ftp.nl.debian.org/, http://www.backports.org and http://security.debian.org/
Security
- Privileged Access: Daniel/Philipp
- Other Access: All @cacert.org users have POP3S/IMAPS/SMTP-TLS/SMTP-SSL access
Non-distribution packages
dkim-milter - installed from deb-src - copied from lists.cacert.org
Risk assessments on critical packages
- postfix - good reputation - low number of vulnerabilities
- dkim-milter - higher risk - its input is largely filtered by postfix's milter API
- dovecot - good reputation - low number of vulnerabilities
Common Tasks
Adding Users
- Create the user in the database cacertusers, table users
- Manually create the mail directory: mkdir -p /home/user/Maildir
- chown -R user:user /home/user
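The manual steps above, as an added example script (not the server's own tooling). It assumes the home directories live under /home with the Maildir layout dovecot's deliver uses, and that the cacertusers.users row is created separately (the table's columns are not documented here, so no SQL is generated). The points worth having in a script rather than typing by hand: the username is validated before it becomes part of a mkdir path, the Maildir gets its cur/new/tmp subdirectories and 0700 mode up front, and chown is only attempted when NSS (libnss-mysql) can already resolve the user, i.e. after the database row exists.

```shell
#!/bin/sh
# add_mail_user <username> [mail_home]
# Added example, not the cacert.org mail server's own script.
# Creates the Maildir for a new @cacert.org mailbox. mail_home defaults
# to /home (an assumption); pass a temporary directory to try it out
# as a non-root user.

add_mail_user() {
    user="$1"
    home="${2:-/home}"

    # Only a plain lowercase POSIX-style username is accepted. Anything
    # else (empty, spaces, slashes, "..", a leading dot or dash) must not
    # reach mkdir/chown, which would otherwise happily act on ../root.
    case "$user" in
        ''|*[!a-z0-9._-]*|.*|-*)
            echo "add_mail_user: refusing invalid username '$user'" >&2
            return 1 ;;
    esac

    maildir="$home/$user/Maildir"
    if [ -e "$maildir" ]; then
        echo "add_mail_user: $maildir already exists, not touching it" >&2
        return 2
    fi

    # Maildir needs cur/new/tmp; creating them now avoids the first
    # delivery racing with the first IMAP/POP login.
    mkdir -p "$maildir/cur" "$maildir/new" "$maildir/tmp" || return 3

    # Mail is private to its owner; do not rely on the caller's umask.
    chmod 700 "$home/$user" "$maildir" || return 3

    # chown needs root, and it needs NSS to know the user already, which
    # on this server means the cacertusers.users row has been added.
    if [ "$(id -u)" -eq 0 ]; then
        if id "$user" >/dev/null 2>&1; then
            chown -R "$user:$user" "$home/$user" || return 3
        else
            echo "add_mail_user: $user unknown to NSS (database row missing?);" \
                 "$maildir is still owned by root" >&2
            return 4
        fi
    fi
    return 0
}
```

Run it as root after the database row exists (add_mail_user newuser); exit status 4 means the directories were created but are still root-owned and the chown has to be repeated once the user resolves.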
Aliases
There are two types of aliases.
The first type is aliases that are never sent from, e.g. postmaster@cacert.org. All of these are in /etc/aliases. Don't forget to run postalias /etc/aliases after any change.
The second type is aliases that email is sent from, e.g. pr@cacert.org. These are recorded in the aliases table of the cacertusers database, so that the designated person, and only the designated person, can send email under that role.
Critical Configuration items
/etc/dovecot/dovecot.conf
Main dovecot configuration, defining the authentication for IMAP/POP3 and for authenticated SMTP (SMTP-SSL/submission)
Dovecot authentication
/etc/dovecot/dovecot.conf refers to the PAM service "mail", which is defined in /etc/pam.d/mail. System users come from NSS, which combines /etc/passwd (for root and non-IMAP/POP users) with /etc/libnss-mysql* (for the mail users held in the cacertusers database).
There is a special master password so that webmail can authenticate to dovecot on a user's behalf after authenticating the user with a certificate (still in progress 20080713). It is defined in /etc/dovecot/dovecot-sql-masterpassword-webmail.conf, and its use is restricted to the IP address of community.
/etc/postfix/*
Postfix configuration
/etc/mysql/*cnf
Mysql passwords
/home/{username}/Maildir
Where email is stored.
Changes
Planned
main.cf is a mess
Probably because it was deployed against the design rather than to it. Needs a cleanup.
Blocking @cacert.org emails that come through the front door
This is needed because some people do not use the authenticated SMTP submission path, so @cacert.org senders arriving on port 25 from outside cannot be trusted. A return path of returns@cacert.org will still be allowed, to match the other system-generated email services (sender_restrictions).
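One way to express the planned rule in Postfix, as an added example and not the server's current main.cf (which the page says still needs a cleanup): an access map keyed on the envelope sender, consulted on the port-25 smtpd. The map file name and the rejection text are assumptions; the parameters themselves are standard Postfix ones.

```ini
# /etc/postfix/main.cf fragment (added example, not the live configuration)
# Port 25 only sees mail relayed by the Tunix gateway, i.e. from the
# outside. A @cacert.org envelope sender there is forged, except for the
# bounce address used by system-generated mail. Authenticated users on
# 465/587 are let through first so the same list is safe if it is ever
# shared with the submission services.
smtpd_sender_restrictions =
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    permit

# /etc/postfix/sender_access (run "postmap /etc/postfix/sender_access" after editing)
# Postfix looks up the full address before the bare domain, so the
# returns@ entry wins over the domain-wide REJECT.
returns@cacert.org      OK
cacert.org              REJECT @cacert.org senders must use authenticated submission (587/465)
```

Two caveats before switching this on. The Tunix gateway must not be listed in mynetworks with a permit_mynetworks ahead of the check, or the REJECT never fires. And community and lists currently send other @cacert.org system messages through this path, which is exactly what the "Certificate based relay for community and lists" item below is meant to solve; until that exists, those messages would be rejected too.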
password brute force attempts
Something like fail2ban on the primary host.
Logging
Need to centralise this and put something like mailgraph on it
X509 Authentication
Daniel is working on dovecot patches.
postfix also needs work - certificate authentication there is oriented towards server-to-server relaying rather than user submission (unstarted; hope to reuse the dovecot work).
Certificate based relay for community and lists
So that system messages aren't lost. Community user emails are sent via authenticated 465, so those are not affected.
Direct internet
Ready the system for a direct internet connection without Tunix. It is only half done because of a rushed install without a clear final plan.
DKIM
Signing and verifying
Two instances are running, so /usr/local/ needs a cleanout.
SPF
- Deploy an authoritative SPF "-all" record
- Need to document all @cacert.org senders notably the www servers
MANAGESIEVE
This isn't a standard Debian package and requires hacks to work.
Changelog
2008-08-17 - Changed to use dovecot local delivery: mailbox_command = /usr/lib/dovecot/deliver in postfix's main.cf