ContactAddress » History » Version 20

Denis 'GNUtoo' Carikli, 04/20/2020 04:28 PM

h1. ContactAddress

h2. Design

This system was designed to be as simple as possible.

It was designed in a way that enables it to receive mail, but it does not need to send any mail:

* There is no need for reverse DNS for the IP address.
* We don't need to use DKIM.
* It's easier to get the setup right and secure. We don't even need any authentication to receive the mail.
* We don't need to make sure that the system cannot be abused by anyone to send arbitrary mail to arbitrary addresses, as it's not supposed to send any mail in the first place.

If we wanted to send mail we would need to implement all of that:

* We would need to see with the FSF whether they could hand us control of the reverse DNS for the IP address we use.
* For DKIM, we would need to check whether Trisquel 8 has DKIM implementations (like dkimproxy) that are easy to integrate with OpenSMTPD.
* We would need to make sure that the server configuration cannot be abused by anyone else to send mail to arbitrary addresses, otherwise the server would end up blacklisted by companies and projects trying to fight spam.

We could also whitelist, through SPF, the servers used by the people receiving mail through this system, if we want people to be able to send mail from the same address they received it at (which is probably not very important).

The DNS zones are configured to set the MX to the Replicant vm at the FSF.
For more details on how the DNS is hosted, see [[DNS]].

For now this uses OpenSMTPD just because the person who initially implemented this system (GNUtoo) already used OpenSMTPD at home, so it was faster: the configurations could be partially reused and the setups compared.

For consulting the mail we will use dovecot, as the person willing to implement it (GNUtoo) already uses that at home too.

This will still need some authentication, but as it is a separate part it also limits the risk that a misconfiguration makes it possible to abuse the system to send mail.

h2. Maintenance

h3. Adding new people

h4. HOWTO

First start by making sure that you have all the required information:

* Make sure that the person knows that she will be publicly listed as a person that receives that contact email address.
* Ask the person which *lowercase* username they wish to use.
* Ask the person to run the following command, which prints the password hash: *@doveadm pw -u <username> -s SHA512-CRYPT@*

To enable the person to receive mail you will need to:

* Add the person to the list of people receiving the address on the "Infrastructure":https://redmine.replicant.us/projects/replicant/wiki/Infrastructure wiki page in the main Replicant wiki.
* Create an account inside the vm for the new person. This can be done with the following command:

<pre>
useradd -m <lowercase_username>
</pre>

* Add the lowercase username to /etc/smtpd/aliases
* Run @smtpctl update table aliases@

Then, to enable the person to retrieve the mail that is being received, you need to edit the /etc/dovecot/conf.d/secrets/server.passwd file and add a line in this format:

<pre>
<user>:<password_hash>:<uid>:<gid>::<home>::userdb_mail=maildir:<Maildir_path>
</pre>

Then it's up to the person to configure her mail client with the following information:

*Username*: The lowercase username
*Password*: The secret password that was used to generate the password hash.
*Hostname*: imap.replicant.us
*Port*: 143
*Protocol*: TLSv1.3, imaps
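The steps above (checking the requested username and the doveadm hash, adding the member to the alias, composing the server.passwd line) as a small POSIX shell helper. This is an added example, not a script from the Replicant vm: the function names are invented, the aliases file path is a parameter so the functions can be exercised on a copy, and the privileged commands (useradd, gpasswd, smtpctl) are only printed, never run. The "alias: member, member" layout of /etc/smtpd/aliases shown in the Example section is assumed.

```shell
#!/bin/sh
# Added example for the "Adding new people" HOWTO; not part of the Replicant
# vm's tooling. File paths are parameters so everything can be tried on copies.
set -eu

# The username becomes a Unix account, an alias member and a dovecot login,
# so insist on lowercase ASCII, as the wiki asks for.
is_valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9_-]*$'
}

# Accept only what `doveadm pw -s SHA512-CRYPT` prints: the scheme prefix,
# a crypt(3) "$6$" salt and an 86-character hash. A plain password pasted
# by mistake, or a hash of another scheme, is rejected before it can land
# in server.passwd.
is_valid_hash() {
    printf '%s' "$1" \
      | grep -Eq '^[{]SHA512-CRYPT[}][$]6[$][A-Za-z0-9./]+[$][A-Za-z0-9./]{86}$'
}

# Add user $3 to the members of alias $2 in aliases file $1, where a line
# looks like "contact: gnutoo, putti". Idempotent: an existing member is
# not duplicated. Other lines are copied unchanged.
add_alias_member() {
    file=$1 alias=$2 user=$3
    tmp=$(mktemp)
    awk -v a="$alias" -v u="$user" '
        BEGIN { key = a ":" }
        $1 == key {
            # members are everything after "alias:", split on commas/spaces
            n = split(substr($0, length(key) + 1), m, /[ ,]+/)
            found = 0; count = 0
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                count++
                if (m[i] == u) found = 1
            }
            if (!found) $0 = (count ? $0 ", " u : key " " u)
        }
        { print }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Build the server.passwd line in the format documented in the HOWTO:
# <user>:<hash>:<uid>:<gid>::<home>::userdb_mail=maildir:<home>/Maildir
passwd_line() {
    user=$1 hash=$2 uid=$3 gid=$4 home=$5
    is_valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    is_valid_hash "$hash" || { echo "bad hash for $user" >&2; return 1; }
    printf '%s:%s:%s:%s::%s::userdb_mail=maildir:%s/Maildir\n' \
        "$user" "$hash" "$uid" "$gid" "$home" "$home"
}

# The commands an operator still runs as root on the vm, in the order the
# wiki's Example section uses them (printed here, not executed).
print_system_steps() {
    user=$1
    printf 'useradd -m %s\n' "$user"
    printf 'gpasswd -a %s mail\n' "$user"
    printf 'smtpctl update table aliases\n'
}

# Intended use from a root shell on the vm, after the person sent the hash:
#   print_system_steps yokotsuno
#   add_alias_member /etc/smtpd/aliases contact yokotsuno
#   passwd_line yokotsuno "$hash" "$(id -u yokotsuno)" "$(id -g yokotsuno)" \
#       /home/yokotsuno >> /etc/dovecot/conf.d/secrets/server.passwd
```

The uid and gid are taken from `id` after useradd rather than typed by hand, which avoids the server.passwd line pointing at another account's uid.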

h4. Example

Let's take a potentially fictional person named Yoko Tsuno who started contributing a lot to Replicant and who for some reason needs to receive mail from the Replicant contact address (for instance to apply to some NLnet grants).

First we make sure that the person agrees to be listed on the Infrastructure wiki page, as explained before.

Then the person comes up with a lowercase username (yokotsuno) and gives us the following information:

* Username: yokotsuno
* Password hash:

<pre>
{SHA512-CRYPT}$6$v.YlRHeVQpNmheHv$yaqUhQ5xnyFzV2SNbfdYWmeQT3Gg4fZ/7AC.rixBHpUaqT9XsXSU2CSQKLyyghHovDo.p1hnveki4DnoE1GJL/
</pre>

We start by enabling Yoko Tsuno to receive mail:

<pre>
# useradd -m yokotsuno
# vim /etc/smtpd/aliases
</pre>

If we had something like this in /etc/smtpd/aliases:

<pre>
contact: gnutoo, putti
</pre>

then we make it become something like this:

<pre>
contact: gnutoo, putti, yokotsuno
</pre>

Then we update the aliases table:

<pre>
# smtpctl update table aliases
</pre>

Then we enable Yoko Tsuno to actually retrieve the mail:

<pre>
# gpasswd -a yokotsuno mail
# id yokotsuno
uid=1010(yokotsuno) gid=1010(yokotsuno) groups=8(mail),1010(yokotsuno)
# vim /etc/dovecot/conf.d/secrets/server.passwd
</pre>

and add the following line:

<pre>
yokotsuno:{SHA512-CRYPT}$6$v.YlRHeVQpNmheHv$yaqUhQ5xnyFzV2SNbfdYWmeQT3Gg4fZ/7AC.rixBHpUaqT9XsXSU2CSQKLyyghHovDo.p1hnveki4DnoE1GJL/:1010:1010::/home/yokotsuno::userdb_mail=maildir:/home/yokotsuno/Maildir
</pre>

Then Yoko Tsuno needs to set up a mail client to retrieve the mail with the following details:

*Username*: yokotsuno
*Password*: The secret password that was used to generate the password hash.
*Hostname*: imap.replicant.us
*Port*: 143
*Protocol*: TLSv1.3, imaps

Example for the fdm mail fetch program:

.fdm.conf:
<pre>
account "imap.replicant.us" imaps server "imap.replicant.us" port 143
set lock-file "%h/.local/.fdm.imap.replicant.us.lock"
action "user-maildir" maildir "%h/.local/Maildir"
match all action "user-maildir"
set proxy "socks5://127.0.0.1:9050/" # Use Tor
set verify-certificates
</pre>

.netrc:
<pre>
machine imap.replicant.us login yokotsuno password theultrasecretpassphrase
</pre>

h4. Notes

* The Maildir directory is created automatically when receiving the first mail
* There is no need to set up a password for the account
* I didn't look how much we can lock down the accounts and still make OpenSMTPD work.

h3. Switching to more recent OpenSMTPD

The configuration format changed in newer OpenSMTPD.

We will probably have to migrate the configuration when switching to Trisquel 9.

TODO: Document the format change.
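An smtpd.conf fragment illustrating two things at once: the receive-only design from the Design section (there is no relay rule at all, so the daemon can only deliver locally for our domain and there is nothing an outsider could use to send mail through it) and the format change this section leaves as a TODO, written once in the old and once in the new syntax. This is an added illustration, not the vm's actual configuration, which the page does not reproduce: the interface name, the domain, the certificate paths and the assumption that Trisquel 8 ships the 6.0 syntax and Trisquel 9 the 6.4+ syntax are all placeholders.

```conf
# Receive-only smtpd.conf, added illustration (not the Replicant vm's real
# configuration). Placeholders: interface eth0, domain replicant.us, cert paths.

# --- OpenSMTPD 6.0 syntax (assumed to be what Trisquel 8 ships) ---
pki mail.replicant.us certificate "/etc/ssl/certs/mail.replicant.us.crt"
pki mail.replicant.us key "/etc/ssl/private/mail.replicant.us.key"
table aliases file:/etc/smtpd/aliases
listen on eth0 port 25 tls pki mail.replicant.us
# Local delivery for our domain only. There is deliberately no
# "accept from local for any relay" rule, so nothing gets relayed.
accept from any for domain "replicant.us" alias <aliases> deliver to maildir

# --- OpenSMTPD 6.4+ syntax (assumed to be what Trisquel 9 ships) ---
# The single "accept" rule is split into an action (what to do) and a
# match rule (when to do it); "certificate" became "cert". Again no
# relay action is defined, which keeps the receive-only property.
pki mail.replicant.us cert "/etc/ssl/certs/mail.replicant.us.crt"
pki mail.replicant.us key "/etc/ssl/private/mail.replicant.us.key"
table aliases file:/etc/smtpd/aliases
listen on eth0 port 25 tls pki mail.replicant.us
action "local_mail" maildir alias <aliases>
match from any for domain "replicant.us" action "local_mail"
```

After an upgrade, `smtpd -n` checks the configuration file for validity without starting the daemon, which catches a leftover old-syntax rule before mail is lost; the aliases table and `smtpctl update table aliases` are unchanged between the two formats.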