|author||Guilhem Moulin <firstname.lastname@example.org>||2012-11-14 01:26:32 +0100|
|committer||Guilhem Moulin <email@example.com>||2012-11-14 01:26:32 +0100|
1 files changed, 50 insertions, 32 deletions
@@ -9,14 +9,19 @@
- State "TODO" from "" [2012-10-08 Mon 19:01]
+*** [Guilhem, 2012-11-14 01:03:03] What's that?
** TODO Research further solutions (e.g. Gnutiken's) for on line calendars
- State "TODO" from "" [2012-10-08 Mon 18:58]
+*** We need to choose a machine to host a DAVICal server.
+*** A simple client could be offered through a RoundCube plugin.
+*** Open a port to let advanced users connect using their favorite client.
** TODO Set up a redundant SMTP-server, using documented configurations
- State "TODO" from "" [2012-10-08 Mon 18:56]
+*** Round Robin DNS vs. a script that changes ddclient's configuration if mail SMTP server timesout?
** TODO Get Fripost's email configuration data into Thunderbird's database
- State "TODO" from "" [2012-10-08 Mon 18:55]
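Review bot: the redundant-SMTP sub-item on the `Round Robin DNS vs. a script that changes ddclient's configuration` line skips the standard mechanism. Inbound SMTP failover is expressed with several MX records at different priorities, so sending MTAs retry the secondary on their own without round-robin DNS or a script rewriting ddclient's configuration; the secondary then needs the same recipient validation and anti-spam policy as the primary, otherwise it becomes the path of least resistance. The new line `Open a port to let advanced users connect using their favorite client` should also record that the exposed CalDAV port is TLS-only and authenticated, since those clients carry the same account credentials as webmail.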
@@ -30,9 +35,9 @@
** TODO Bacula [0/3]
*** TODO Make sure that the data is actually replicated with rsync according to the current solution
*** TODO Install the storage daemon on benjamin
-** TODO Upgrade Roundcube to the version in squeeze-backports
-*** TODO Install and try it on zetkin
-*** TODO Install it on harvey
+** DONE Upgrade Roundcube to the version in squeeze-backports
+*** DONE Install and try it on zetkin
+*** DONE Install it on harvey
** DONE Fix so that new passwords are hashed with SHA1
CLOSED: [2012-06-14 Thu 19:44]
- State "DONE" from "TODO" [2012-06-14 Thu 19:44]
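Review bot: the three items flipped to DONE (`** DONE Upgrade Roundcube to the version in squeeze-backports` and its two sub-items) carry no `CLOSED:` timestamp and no `- State "DONE" from "TODO"` line, unlike the `** DONE Fix so that new passwords are hashed with SHA1` entry directly below them. Add them so the log shows when the backported Roundcube went live on zetkin and harvey; that date is what you need when correlating later behaviour changes or incidents with the upgrade.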
@@ -43,6 +48,7 @@ CLOSED: [2012-06-14 Thu 19:44]
- CLOSING NOTE [2012-06-14 Thu 19:44] \\
This is not good.
** TODO Convert ikiwiki to use org-mode backend
+*** Once this is done, use the wiki to document the admininstrative part.
** TODO Document installation of OSSEC
- We will use the standalone rather than client-server solution
** TODO Document how to enable encrypted swap
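Review bot: typo in the added line, `admininstrative` should be `administrative`. It is also worth saying which wiki is meant: the parent item is about converting ikiwiki to the org-mode backend, while the deferred section of this same file has a separate `Move the wiki to fripost.org/wiki` item, so a reader cannot tell whether the admin documentation waits on one of these or both.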
@@ -53,7 +59,8 @@ CLOSED: [2012-06-14 Thu 19:44]
** TODO Fix mounting of raid device on benjamin in accordance with Debian 6.0
Information on this can be found in admin log-file
** TODO Fix so that we can use better value for RC imap auth type (GSSAPI?)
-Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
+*** Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
+*** If possible, Kerberos would be preferable.
** CANCELED Determine how we should handle RC identities
e.g. $rcmail_config['identities_level'] = 0; is not ideal
there should be some sort of verification before emailing, such that a user e.g. cannot email from our webmail using firstname.lastname@example.org
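Review bot: the added `*** If possible, Kerberos would be preferable.` line leaves the interim risk undocumented. With `$rcmail_config['imap_auth_type'] = 'plain';` the user's password is handed to the IMAP server in the clear on every login, which is acceptable only if the Roundcube-to-IMAP hop is loopback or wrapped in TLS; record which of the two applies here so the item can be prioritised. Since the heading already asks about GSSAPI, also note whether the deployed Roundcube offers a GSSAPI auth type at all before planning on Kerberos.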
@@ -61,32 +68,29 @@ there should be some sort of verification before emailing, such that a user e.g.
** DONE Add link from mail.fripost.org to https://fripost.org
CLOSED: [2012-08-22 Wed 20:25]
** TODO Support for mailing lists
-*** TODO Install mailman on zetkin
-** TODO LDAP Schema Changes
-*** DONE Allow for domain aliases
-CLOSED: [2012-08-20 Mon 01:25]
+*** TODO Install mailman on gnu
+** TODO LDAP Schema Changes
** TODO SMTP server
- We'll use gnu.friprogramvarusyndikatet.se for this
- Should be given priority since users have requested this
- Experiment header forging to masquerade the sender's IP.
-** TODO How to publish our SSL certificates? MonkeySphere? http://web.monkeysphere.info/
+** TODO Publish our SSL certificates to the MonkeySphere
** TODO Make proper certificates on the smarthosts too?
+*** CAcert-signed certificate would be good enough.
** TODO lists.fripost.org, www.fripost.org and git.fripost.org should be added to the SN list for fripost.org's SSL certificate.
-** DONE Add a CNAME `ldap.fripost.org' -> `mistral.fripost.org'.
+** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'.
** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
-replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
-** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
-convert the maiboxes from maildir to Dovecot's high performance mdbox format
+*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
+*** Convert the maiboxes from maildir to Dovecot's high performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox
** TODO Do not deliver any content via HTTP (redirect everything to https://).
+*** Ideally, but sadly X.509 certificates are not cheap.
** TODO Should we log every single change made to the LDAP directory?
-for 3 days
-** Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server.
+*** For 3 days only
+** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server.
* New propositions, waiting for approval
** Shouldn't we obfuscate our logs (e.g., successuful IMAP/SASL authentication)?
* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
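Review bot: the added `*** CAcert-signed certificate would be good enough.` line under the smarthost item needs a caveat. The CAcert root is not shipped in the mainstream browser and OS trust stores, so users submitting mail to the smarthosts over STARTTLS will still see untrusted-certificate warnings unless they install that root themselves, and training users to click through warnings undermines the protection the certificate is meant to provide; peer MTAs mostly do not validate certificates, so CAcert is adequate for the server-to-server leg only. Separately, `** TODO Add A/AAAA records` reopens an item that was DONE (the CNAME) without recording why the CNAME was dropped; a one-line reason would save the next person re-deriving it.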
@@ -97,41 +101,55 @@ ljo already uses Munin, so we could look at his configuration
improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve .
Wait for the next Debian stable (wheezy)?
** Spamassassin (opt-in)
-- one idea for handling the opt-in feature is: have people opt-in by creating a
- spamfolder. make it clear that if they create a spam folder, they are opting
- in automatically. check ljos text at sac.se/it
+*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering)
+*** Create a MySQL database to store the (per-recipient) bayes tokens and white list
+*** Add an auxiliary ObjectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema
+*** Offer full SpamAssassin configuration through the web-panel
+*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs Spamassassin (or not) based on the user configuration
+*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (Global SPAM/HAM folder may make sa-learn too busy.)
+*** Should be done on the outgoing SMTP side, but then it's hard to know who is the sender.
+*** Solution, sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org? (We need the private key anyway.)
+*** Not much to do:
+dig fripost.org +short TXT "v=spf1 redirect:smtp.fripost.org"
+dig smtp.fripost.org +short TXT "v=spf1 A -all"
+*** Tell our users to add a similar first TXT record:
+dig example.org +short TXT "v=spf1 redirect:smtp.fripost.org"
** Central log server using rsyslogd
+*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory).
*** Hardware is needed
** Distributed storage for backups
-- Tahoe FS/LAFS.
+- Tahoe FS/LAFS seems very promising, but isn't ready yet for production.
+- Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre.
** DONE Implement quotas
-Can probably wait until December 23, 2012.
+- Can probably wait until December 23, 2012.
+- The new LDAP schema supports quotas, there's only need to use a Dovecot plugin to make them active.
** Write a policy for our PGP-keys
+*** We should also sign each other and sign our servers (densify the WoT would make MonkeySphere validation happy), and why not end activity days with a mini-keysigning party.
** Evaluate cfengine vs. chef vs. puppet
** DONE fripost-adduser should not allow user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE" from "" [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts
+*** Should the smarthosts syncronise their database? Use SQL? Otherwise, a UNIX socket would be faster.
+** SELinux [Was Discarded]
+Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
+[Guilhem, 2012-11-14 00:42:55 Did anyone tried: looks awesome to me. AppArmor could be an alternative, also.]
+** Use a patched kernel? (grsecurity/PaX)
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH-tunnels vs VPN
-** Evaluating changing Apache to nginx
+** Evaluating changing Apache to nginx
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete
-Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
** Apaches mod_security
Reason for discarding: Does only a subset of what OSSEC already does.
Reason for discarding: Does only a subset of what OSSEC already does.
* Org-mode settings
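Review bot: the SPF records on the `dig fripost.org +short TXT "v=spf1 redirect:smtp.fripost.org"` and `dig example.org +short TXT ...` lines use the wrong separator. `redirect` is an SPF modifier, not a mechanism, and its syntax is `redirect=smtp.fripost.org`; `redirect:smtp.fripost.org` is parsed as an unknown mechanism and yields a PermError, so receivers never reach the intended `v=spf1 A -all` policy and the domain gets no protection. Those lines also run the `dig` query and its expected answer together; put the record on its own line so nobody pastes the whole thing into a zone file. The `*** Should be done on the outgoing SMTP side` and `*** Solution, sign every single outgoing e-mail?` lines read like a DKIM item that has lost its heading and now sits under `** Spamassassin (opt-in)`. Finally, `** DONE Implement quotas` is contradicted by its own new sub-items (a deadline in December and a Dovecot plugin still to be enabled), and the duplicated `Reason for discarding:` line under `** Apaches mod_security` could have been dropped along with the one removed from the logcheck item.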