From fb41f1a199d17b81dae652450eaee574d1e28aaa Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 14 Nov 2012 01:26:32 +0100 Subject: Suggestions. --- todo.org | 82 +++++++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 50 insertions(+), 32 deletions(-) diff --git a/todo.org b/todo.org index 559cb4f..7850c9e 100644 --- a/todo.org +++ b/todo.org @@ -9,14 +9,19 @@ :LOGBOOK: - State "TODO" from "" [2012-10-08 Mon 19:01] :END: +*** [Guilhem, 2012-11-14 01:03:03] What's that? ** TODO Research further solutions (e.g. Gnutiken's) for on line calendars :LOGBOOK: - State "TODO" from "" [2012-10-08 Mon 18:58] :END: +*** We need to choose a machine to host a DAVICal server. +*** A simple client could be offered through a RoundCube plugin. +*** Open a port to let advanced users connect using their favorite client. ** TODO Set up a redundant SMTP-server, using documented configurations :LOGBOOK: - State "TODO" from "" [2012-10-08 Mon 18:56] :END: +*** Round Robin DNS vs. a script that changes ddclient's configuration if mail SMTP server timesout? ** TODO Get Fripost's email configuration data into Thunderbird's database :LOGBOOK: - State "TODO" from "" [2012-10-08 Mon 18:55] @@ -30,9 +35,9 @@ ** TODO Bacula [0/3] *** TODO Make sure that the data is actually replicated with rsync according to the current solution *** TODO Install the storage daemon on benjamin -** TODO Upgrade Roundcube to the version in squeeze-backports -*** TODO Install and try it on zetkin -*** TODO Install it on harvey +** DONE Upgrade Roundcube to the version in squeeze-backports +*** DONE Install and try it on zetkin +*** DONE Install it on harvey ** DONE Fix so that new passwords are hashed with SHA1 CLOSED: [2012-06-14 Thu 19:44] - State "DONE" from "TODO" [2012-06-14 Thu 19:44] 
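Review bot: the sub-item added under "Set up a redundant SMTP-server" (round-robin DNS versus a script that rewrites ddclient's configuration on timeout) overlooks the failover mechanism SMTP already has: publish a second MX record for the domain with a higher preference value, and sending servers fall back to it when the primary does not answer (RFC 5321, section 5.1). Neither round-robin A records nor a script that edits ddclient on timeout is needed, and the script adds a moving part that can itself fail; suggest rewording the line to "Second MX record with a higher preference pointing at the standby server?". Minor: "timesout" should be "times out". In the DAViCal sub-items, "Open a port to let advanced users connect" should say that this is the HTTPS port only (CalDAV runs over HTTP, so no separate protocol port is involved; the point is not to expose a plain-HTTP listener).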
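Review bot: the three Roundcube items flipped from TODO to DONE in the second hunk carry no "CLOSED: [...]" timestamp and no State line, while every other DONE entry in the file has one (and the file sets #+STARTUP: logdone, so org-mode would have written it had the state been changed from Emacs rather than by hand). Either add the closing timestamp under each, e.g. "CLOSED: [2012-11-14 Wed]", or change the state with C-c C-t so the logbook stays consistent; as written, the file cannot answer when the squeeze-backports upgrade happened on zetkin and harvey.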
@@ -43,6 +48,7 @@ CLOSED: [2012-06-14 Thu 19:44] - CLOSING NOTE [2012-06-14 Thu 19:44] \\ This is not good. ** TODO Convert ikiwiki to use org-mode backend +*** Once this is done, use the wiki to document the admininstrative part. ** TODO Document installation of OSSEC - We will use the standalone rather than client-server solution ** TODO Document how to enable encrypted swap @@ -53,7 +59,8 @@ CLOSED: [2012-06-14 Thu 19:44] ** TODO Fix mounting of raid device on benjamin in accordance with Debian 6.0 Information on this can be found in admin log-file ** TODO Fix so that we can use better value for RC imap auth type (GSSAPI?) -Currently, we have $rcmail_config['imap_auth_type'] = 'plain'; +*** Currently, we have $rcmail_config['imap_auth_type'] = 'plain'; +*** If possible, Kerberos would be preferable. ** CANCELED Determine how we should handle RC identities e.g. $rcmail_config['identities_level'] = 0; is not ideal there should be some sort of verification before emailing, such that a user e.g. cannot email from our webmail using admin@fripost.org 
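Review bot: typo in the line added under "Convert ikiwiki to use org-mode backend": "admininstrative" should be "administrative". It would also help to say what "the administrative part" covers (presumably the installation notes that the OSSEC, encrypted-swap and RAID items just below ask to have documented), since this sub-item is the only place the term appears.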
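Review bot: the reworked imap_auth_type item now records a preference for Kerberos but still omits the fact that decides whether 'plain' is a problem at all: whether Roundcube's IMAP connection goes to localhost or over TLS. PLAIN on a loopback or TLS-protected connection exposes the password only to the IMAP server, which sees it anyway; over an unprotected link it exposes it to everyone on the path. Suggest noting the current IMAP host/port/TLS setting next to the $rcmail_config['imap_auth_type'] = 'plain'; line. The item also overlaps with "Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server" further down in the same file; one should reference the other, or the Roundcube half should be folded into it, so the same work is not tracked twice.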
@@ -61,32 +68,29 @@ there should be some sort of verification before emailing, such that a user e.g. ** DONE Add link from mail.fripost.org to https://fripost.org CLOSED: [2012-08-22 Wed 20:25] ** TODO Support for mailing lists -*** TODO Install mailman on zetkin -** TODO LDAP Schema Changes -*** DONE Allow for domain aliases -CLOSED: [2012-08-20 Mon 01:25] +*** TODO Install mailman on gnu +** TODO LDAP Schema Changes ** TODO SMTP server - We'll use gnu.friprogramvarusyndikatet.se for this - Should be given priority since users have requested this - Experiment header forging to masquerade the sender's IP. -** TODO How to publish our SSL certificates? MonkeySphere? http://web.monkeysphere.info/ +** TODO Publish our SSL certificates to the MonkeySphere +*** http://web.monkeysphere.info/ ** TODO Make proper certificates on the smarthosts too? +*** CAcert-signed certificate would be good enough. ** TODO lists.fripost.org, www.fripost.org and git.fripost.org should be added to the SN list for fripost.org's SSL certificate. -** DONE Add a CNAME `ldap.fripost.org' -> `mistral.fripost.org'. +** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'. ** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy): -replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP . -** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy): -convert the maiboxes from maildir to Dovecot's high performance mdbox format -http://wiki2.dovecot.org/MailboxFormat/dbox . +*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP . +*** Convert the maiboxes from maildir to Dovecot's high performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox ** TODO Do not deliver any content via HTTP (redirect everything to https://). +*** Ideally, but sadly X.509 certificates are not cheap. ** TODO Should we log every single change made to the LDAP directory? 
-http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging -for 3 days -** Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server. - +*** http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging +*** For 3 days only +** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server. * New propositions, waiting for approval ** Shouldn't we obfuscate our logs (e.g., successuful IMAP/SASL authentication)? - * Deferred projects ** Move the wiki to fripost.org/wiki ** Monitoring - Munin 
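Review bot: the audit-logging item ("Should we log every single change made to the LDAP directory?", now qualified with "For 3 days only") needs a handling caveat: slapo-auditlog writes each modification to its log file as LDIF, new attribute values included, so every userPassword change lands in that file as the (hashed) password value. The log must therefore be readable by root only, and the 3-day retention has to be enforced externally (logrotate or a cron job), because the overlay only ever appends. Two further points in this hunk: (1) the "DONE Allow for domain aliases" entry and its "CLOSED: [2012-08-20 Mon 01:25]" timestamp are deleted, leaving "LDAP Schema Changes" with no children; if the alias work is finished, keep the DONE line so the completion date survives in the file, and if it is not, say what remains. (2) "TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'" reopens a DONE item without saying why the CNAME is being replaced; A and AAAA records carry addresses, not names, so the line should read "with mistral.fripost.org's addresses" and give the reason (for instance that a CNAME must be the only record at its name, which blocks publishing anything else under ldap.fripost.org). Minor: "maiboxes" should be "mailboxes", and "CAcert-signed certificate would be good enough" should mention that the CAcert root is absent from the browser trust stores (Mozilla never included it), so such a certificate only satisfies peers that have imported the root themselves.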
@@ -97,41 +101,55 @@ ljo already uses Munin, so we could look at his configuration improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve . Wait for the next Debian stable (wheezy)? ** Spamassassin (opt-in) -- one idea for handling the opt-in feature is: have people opt-in by creating a - spamfolder. make it clear that if they create a spam folder, they are opting - in automatically. check ljos text at sac.se/it +*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering) +*** Create a MySQL database to store the (per-recipient) bayes tokens and white list +*** Add an auxiliary ObjectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema +*** Offer full SpamAssassin configuration through the web-panel +*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs Spamassassin (or not) based on the user configuration +*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (Global SPAM/HAM folder may make sa-learn too busy.) +** DKIM +*** Should be done on the outgoing SMTP side, but then it's hard to know who is the sender. +*** Solution, sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org? (We need the private key anyway.) +** SPF +*** Not much to do: +dig fripost.org +short TXT "v=spf1 redirect:smtp.fripost.org" +dig smtp.fripost.org +short TXT "v=spf1 A -all" +*** Tell our users to add a similar first TXT record: +dig example.org +short TXT "v=spf1 redirect:smtp.fripost.org" ** Central log server using rsyslogd +*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory). *** Hardware is needed ** Distributed storage for backups -- Tahoe FS/LAFS. 
+- Tahoe FS/LAFS seems very promising, but isn't ready yet for production. +- Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre. ** DONE Implement quotas -Can probably wait until December 23, 2012. +- Can probably wait until December 23, 2012. +- The new LDAP schema supports quotas, there's only need to use a Dovecot plugin to make them active. ** Write a policy for our PGP-keys [[http://www.haven-project.org/][Haven Project]] - +*** We should also sign each other and sign our servers (densify the WoT would make MonkeySphere validation happy), and why not end activity days with a mini-keysigning party. ** Evaluate cfengine vs. chef vs. puppet ** DONE fripost-adduser should not allow user to be added if there is an alias by that name CLOSED: [2012-06-14 Thu 19:56] - State "DONE" from "" [2012-06-14 Thu 19:56] ** Add greylisting to all receiving smarthosts - +*** Should the smarthosts syncronise their database? Use SQL? Otherwise, a UNIX socket would be faster. +** SELinux [Was Discarded] +Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc. +[Guilhem, 2012-11-14 00:42:55 Did anyone tried: looks awesome to me. AppArmor could be an alternative, also.] +** Use a patched kernel? (grsecurity/PaX) * Maybe ** Create a mail gateway to change settings ** Set up an Asterisk server (VoIP) - ** Evaluate SSH-tunnels vs VPN -** Evaluating changing Apache to nginx - +** Evaluating changing Apache to nginx * Discarded ideas ** Improve logcheck rules (increase signal to noise ratio) Reason for discarding: not very concrete -** SELinux -Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc. ** Apaches mod_security Reason for discarding: Does only a subset of what OSSEC already does. ** fail2ban Reason for discarding: Does only a subset of what OSSEC already does. 
- * Org-mode settings #+STARTUP: indent #+STARTUP: logdone -- cgit v1.2.3
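Review bot: the SPF records in the new "SPF" section are syntactically wrong: redirect is a modifier, written with "=" rather than ":" (RFC 4408, section 6.1), so "v=spf1 redirect:smtp.fripost.org" yields PermError at every receiver instead of delegating to smtp.fripost.org's policy. The two lines also mix a dig command with the record it is meant to return (dig does not take the record text as an argument). Suggest writing the intended data as records, fripost.org TXT "v=spf1 redirect=smtp.fripost.org" and smtp.fripost.org TXT "v=spf1 a -all", and verifying with "dig +short TXT fripost.org". For the user guidance, note that "redirect=" means example.org may send only through smtp.fripost.org (anything else hard-fails); users with other outbound paths need "include:smtp.fripost.org" alongside their own mechanisms. On the DKIM sub-item, the "hard to know who is the sender" concern does not arise: the d= signing domain is independent of the From header (RFC 6376), so the outgoing host can sign everything with a fripost.org key and selector, and the per-sender question only returns if From/d= alignment is ever required. "DONE Implement quotas" is marked done while its notes say it "can probably wait until December 23, 2012" and that a Dovecot plugin still has to be enabled, which reads as not done; mark it TODO or state what was completed. Minor: the greylisting note "a UNIX socket would be faster" cannot apply across smarthosts on different machines, since UNIX sockets are host-local; "syncronise" should be "synchronise", and "Did anyone tried" should be "Did anyone try".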