. '''To [[SystemAdministration/Systems|Systems Overview]]'''
----
= Systems - Community (Webmail) =

= Basics =

== Purpose ==
The purpose of the community server is to provide webmail for persons with @cacert.org addresses. It gets its name from the domain community.cacert.org. This machine also supports the [[https://community.cacert.org/board|board's voting system]] and a [[https://community.cacert.org/staff.php|staff list]].

== Physical Location ==
This system is located on a Debian Etch vserver on the physical machine sun2.

== Logical location ==
IP: 172.16.2.20

== Applicable Documentation ==
 1. CommunityEmail
 1. PolicyDrafts/EmailHandling
 1. EmailAccountPolicy
 1. [[http://svn.cacert.org/CAcert/Policies/CAcertCommunicationPolicy.html|Communication Policy]]

== Administration ==
Primary: Markus Warg (was - resigned - probably still has access)

Secondary: Philipp Gühring

= Services =

== Listening services ==
|| port || service || access origin || purpose ||
|| 22 || SSH || [[SystemAdministration/Systems/Hopper|hopper]] || SSH access for remote administration ||
|| 443 || https || all || Provides https access to webmail. ||

== DNS ==
 * community.cacert.org needs to exist as an A record. Port forwarding by Tunix handles forwarding to the right internal IP.

== Connected Systems ==
 * [[SystemAdministration/Systems/Email|Email]] IMAPS - Email is used as an IMAPS (993) server to provide mail access and show email.
 * [[SystemAdministration/Systems/Email|Email]] MySQL database - The webmail software uses the database to cache some information. [[https://community.cacert.org/password.php|Password]] resets also directly interact with the database.

=== Outbound network connections ===
 * SMTP (25) to [[SystemAdministration/Systems/Email|Email]] for system messages and password reset messages.
 * DNS (53) to the resolving nameserver 172.28.50.1
 * IMAP (110) to (imapserver as per /etc/hosts) (eventually)
 * IMAPS (993) to (imapserver as per /etc/hosts)
 * Manage Sieve (2001) to (smtpserver as per /etc/hosts)
 * SMTPS (465) to (smtpserver as per /etc/hosts)
 * SMTP-TLS (587) to (smtpserver as per /etc/hosts)
 * Database (3306) to (dbserver as per /etc/hosts)
 * package updates from http://ftp.nl.debian.org/ and http://security.debian.org/
 * svn access to https://svn.roundcube.net
 * svn access to https://dev.cacert.org (certificate authentication plugin)
 * svn access to https://svn.cacert.cl (board voting system)

= Security =
Privileged Access: Philipp / Markus Warg

Other Access: All @cacert.org users have HTTPS access

== Non-distribution packages ==
 * [[http://www.roundcubemail.net|roundcubemail]] - installed from the raw tarball in /var/www
 * [[http://alec.pl/roundcube/managesieve/|manage sieve for roundcube]] - patch over the top of roundcubemail (and as of 0.3+ an official plugin)
 * [[https://svn.cacert.cl/Software/Voting/vote/|voting software]] - installed in /var/www/board{,-test}

== Risk assessments on critical packages ==
 * apache - good reputation - low number of vulnerabilities
 * php - not a great record, more in the application domain, which is why this is a separate VM with limited access
 * roundcubemail - higher risk - new application. Configured with tight php restrictions on it.

= Common Tasks =
Updating the roundcubemail version (TODO - review - don't 100% trust this - try an install and check file permissions):
 1. unpack it in /var/www
 1. if there are no database changes (SQL/mysql.update.sql), skip the next three steps
 1. clone the current database - create the database roundcubemail-0_2beta2, then on the command line: {{{mysqldump --opt -p roundcubemail | mysql -p roundcubemail-0_2beta2}}}
 1. {{{GRANT SELECT , INSERT , UPDATE , DELETE ON `roundcubemail-0\_2beta2` . * TO 'roundcube'@'%';}}}
 1. run the database upgrade instructions in SQL/mysql.update.sql
 1. {{{cd /var/www/roundcubemail-{newversion}}}}
 1. copy the config off the previous installation: {{{cp /var/www/roundcubemail/config/*p config/}}}
 1. change the database name in config/db.inc.php if using a new database
 1. compare new features with the current config. New features are in config/*dist. Merge where appropriate
 1. {{{chown -R root:safe .}}}
 1. {{{chown -R www-data logs temp}}}
 1. symlink: {{{ln -s roundcubemail-{newversion} roundcubemail-test}}}
 1. test that basic login works
 1. and svn diff from roundcubemail-svn, which is the X509 patch
 1. {{{find . -name \*php -group root -exec chgrp safe {} \;}}}
 1. perform testing on this site, including sending one email with an attachment
 1. move the /var/www/roundcube symlink to /var/www/roundcubemail-{version} to complete the transition
 1. if this was a critical security update, remove older /var/www/roundcubemail versions

== Critical Configuration items ==

=== /etc/hosts ===
{{{
172.16.2.20 community.cacert.org localhost webmail webmail.cacert.org
# used by webmail configuration
# /var/www/roundcube*/config/*
172.16.2.19 dbserver
172.16.2.19 imapserver
172.16.2.19 smtpserver
}}}

=== Roundcubemail ===
/var/www/roundcube*/config/*

= Changes =

== Planned ==

=== Logging ===
Need to centralise this.

=== Protection ===
Fail2ban to mitigate brute force attempts.

=== Postfix taking full advantage of dovecot auth ===
Dovecot can do IP based authentication for a trusted roundcubemail password, and this is installed as an additional password authentication mechanism in /etc/dovecot/dovecot.conf:
{{{
passdb sql {
  args = /etc/dovecot/dovecot-sql-masterpassword-webmail.conf
}
}}}
and the SQL is in {{{/etc/dovecot/dovecot-sql-masterpassword-webmail.conf}}}.

Dovecot is currently saying password rejected when the non-global password is used, as it checks against PAM before SQL. Still need to tidy the logs up.

Unfortunately postfix doesn't pass the remote IP to dovecot authentication, so there is a global password accessible on all services. Luckily it's huge and should never be guessed or brute forced.
This was reported to Wietse - the response was "make a generic patch covering all authentication things for consideration".

=== SMIME / PGP support ===
Plugin work underway - http://sourceforge.net/projects/roundcube-crypt
 * users to send and receive [[http://trac.roundcube.net/ticket/1484725|S/MIME]] & [[http://trac.roundcube.net/ticket/1440396|GPG]] signed/encrypted messages
 * interface for looking up S/MIME and GPG keys for recipients
----
CategorySystems
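An added example (not from this wiki page or from Roundcube) that covers the "check file permissions" TODO in the roundcubemail update procedure under Common Tasks: a POSIX shell audit of an unpacked roundcubemail tree for the ownership the chown/chgrp steps are meant to leave behind. It assumes the install directory, the restricted group (safe on this page) and the web server user (www-data) are passed as arguments, and that GNU or busybox stat is available.

```shell
#!/bin/sh
# Added example, not from the CAcert wiki page or from Roundcube: audit a
# roundcubemail install tree for the ownership the update steps leave behind.
# Assumed parameters: install dir, restricted group (page: safe) and web
# server user (page: www-data). Needs GNU/busybox stat.

# Count regular *.php files whose group is not $2 (the chgrp step fixes these).
php_wrong_group_count() {
    find "$1" -type f -name '*.php' -exec stat -c '%G' {} + |
        awk -v g="$2" '$1 != g { n++ } END { print n + 0 }'
}

# Count entries under logs/ and temp/ (directories included) not owned by $2,
# i.e. what "chown -R www-data logs temp" should have covered.
web_dirs_wrong_owner_count() {
    for sub in logs temp; do
        [ -d "$1/$sub" ] && find "$1/$sub" -exec stat -c '%U' {} +
    done | awk -v u="$2" '$1 != u { n++ } END { print n + 0 }'
}

# Count world-writable regular files anywhere in the tree; a tarball unpacked
# with a sloppy umask can leave these behind.
world_writable_count() {
    find "$1" -type f -perm -002 | awk 'END { print NR }'
}

# Print the three counts and succeed only if all of them are zero.
audit_roundcube_tree() {
    a=$(php_wrong_group_count "$1" "$2")
    b=$(web_dirs_wrong_owner_count "$1" "$3")
    c=$(world_writable_count "$1")
    echo "php files not in group $2: $a"
    echo "logs/temp entries not owned by $3: $b"
    echo "world-writable files: $c"
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && [ "$c" -eq 0 ]
}

# Usage (run as root before moving the symlink):
#   audit_roundcube_tree /var/www/roundcubemail-test safe www-data
```

Run it against the roundcubemail-test tree before the symlink is moved; a non-zero exit means one of the ownership steps was skipped or only partly applied.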