#+TITLE: TODO for Fripost (internal administration use only)

* Current projects
** TODO Create an administration interface
   :LOGBOOK:
   - State "TODO" from "" [2012-10-08 Mon 19:00]
   :END:
*** TODO Test that interface
*** TODO How to implement limits? How to add domains?
** TODO Research further solutions (e.g. Gnutiken's) for online calendars
   :LOGBOOK:
   - State "TODO" from "" [2012-10-08 Mon 18:58]
   :END:
*** DONE We need to choose a machine to host a DAViCal server.
    CLOSED: [2012-11-19 Mon 18:54]
    :LOGBOOK:
    - State "DONE" from "" [2012-11-19 Mon 18:54]
    :END:
    - database: mistral
    - frontend: harvey
*** TODO Install RoundCube plugin
    :LOGBOOK:
    - State "TODO" from "" [2012-11-19 Mon 18:54]
    :END:
*** TODO Open a port to let advanced users connect using their favorite client on harvey
    :LOGBOOK:
    - State "TODO" from "" [2012-11-19 Mon 18:55]
    :END:
** TODO Set up a redundant SMTP server, using documented configurations
   :LOGBOOK:
   - State "TODO" from "" [2012-10-08 Mon 18:56]
   :END:
*** Round Robin DNS vs. a script that changes ddclient's configuration if the mail SMTP server times out?
** TODO Get Fripost's email configuration data into Thunderbird's database
   :LOGBOOK:
   - State "TODO" from "" [2012-10-08 Mon 18:55]
   :END:
*** TODO Add Stian's file to Fripost's website
** DONE Make sure our size limit on all hosts for incoming email is ~50 MB to beat Hotmail and Gmail
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:22]
   :END:
   : message size 46731757 exceeds size limit 35882577 of server gmail-smtp-in.l.google.com[173.194.71.26]
   : message size 46731904 exceeds size limit 36909875 of server mx1.hotmail.com[65.55.92.184]
   [2012-09-17 Mon 00:42]
** TODO Bacula [1/2]
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:22]
   :END:
*** DONE Make sure that the data is actually replicated with rsync according to the current solution
    CLOSED: [2012-11-19 Mon 18:59]
    :LOGBOOK:
    - State "DONE" from "TODO" [2012-11-19 Mon 18:59]
    :END:
*** TODO Install the storage daemon on benjamin
** TODO Convert ikiwiki to use the org-mode backend
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:22]
   :END:
*** Once this is done, use the wiki to document the administrative part.
** TODO Document installation of OSSEC
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:22]
   :END:
*** We will use the standalone rather than the client-server solution
** DEFERRED Document how to enable encrypted swap                    :DEFERRED:
   CLOSED: [2012-11-19 Mon 19:06]
   :LOGBOOK:
   - State "DEFERRED" from "TODO" [2012-11-19 Mon 19:06] \\
     Deferred until we have a lab system installed with our configuration. /Board meeting
   :END:
   How does this work on a VPS?
** DONE Implement firewall rules on the systems
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:17]
   :END:
** DONE Register on http://www.dnswl.org
** TODO Support for mailing lists
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:17]
   :END:
*** DONE Install mailman on gnu
** TODO LDAP Schema Changes
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:17]
   :END:
*** Keep track of accounting:
**** fripostJoined: 2011-01-01
**** fripostHasPaidYearlyFees: 2011
     fripostHasPaidYearlyFees: 2012
*** Solve how to not add overhead.
** TODO Publish our SSL certificates to the MonkeySphere
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:17]
   :END:
*** http://web.monkeysphere.info/
** TODO Make proper certificates on the smarthosts too?
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:17]
   :END:
*** A CAcert-signed certificate would be good enough.
** TODO lists.fripost.org should perhaps be added to the SAN list for fripost.org's SSL certificate
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'.
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
** DEFERRED When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP
*** Convert the mailboxes from maildir to Dovecot's high-performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox
** TODO Do not deliver any content via HTTP (redirect everything to https://).
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
*** Ideally, but sadly X.509 certificates are not cheap.
** TODO Should we log every single change made to the LDAP directory?
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
*** http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
*** For 3 days only
** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP servers.
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
** TODO Shouldn't we obfuscate our logs (e.g., successful IMAP/SASL authentication)?
   :LOGBOOK:
   - State "TODO" from "TODO" [2012-11-19 Mon 19:18]
   :END:
** TODO Replace the SSH tunnels with VPNs.

* New propositions, waiting for approval

* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
*** TODO Give one configuration example so we can decide on what we need to activate
    ljo already uses Munin, so we could look at his configuration.
** User-level filtering of emails
   - We will use sieve, perhaps managesieve? Dovecot v2.x has nice improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve . Wait for the next Debian stable (wheezy)?
** DONE Spamassassin (opt-in)
*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering)
*** Create a MySQL database to store the (per-recipient) bayes tokens and white list
*** Add an auxiliary ObjectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema
*** Offer full SpamAssassin configuration through the web panel
*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs SpamAssassin (or not) based on the user's configuration
*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (A global SPAM/HAM folder may make sa-learn too busy.)
** DONE DKIM
*** Should be done on the outgoing SMTP side, but then it's hard to know who the sender is.
*** Solution: sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org?
    (We need the private key anyway.)
** SPF
*** Not much to do:
    : dig fripost.org +short TXT
    : "v=spf1 redirect:smtp.fripost.org"
    : dig smtp.fripost.org +short TXT
    : "v=spf1 A -all"
*** Tell our users to add a similar first TXT record:
    : dig example.org +short TXT
    : "v=spf1 redirect:smtp.fripost.org"
** Central log server using rsyslogd
*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory).
*** Hardware is needed.
** Distributed storage for backups
   - Tahoe-LAFS seems very promising, but isn't ready yet for production.
   - Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre.
** DONE Implement quotas
   - Can probably wait until December 23, 2012.
   - The new LDAP schema supports quotas; all that's needed is a Dovecot plugin to make them active.
** Write a policy for our PGP keys [[http://www.haven-project.org/][Haven Project]]
*** We should also sign each other's keys and sign our servers (densifying the WoT would make MonkeySphere validation happy), and why not end activity days with a mini-keysigning party.
** Write a tutorial on how to generate a good password / how to use a keychain
*** Good master password: http://world.std.com/~reinhold/diceware.html
*** Keychain: http://git.zx2c4.com/password-store with GPG-agent
** Evaluate CFEngine vs. Chef vs. Puppet vs. Ansible
*** https://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
** DONE fripost-adduser should not allow a user to be added if there is an alias by that name
   CLOSED: [2012-06-14 Thu 19:56]
   - State "DONE" from "" [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts
*** Should the smarthosts synchronise their database? Use SQL? Otherwise, a UNIX socket would be faster.
** SELinux [Was Discarded]
   Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems, etc.
   [Guilhem, 2012-11-14 00:42:55: Did anyone try? Looks awesome to me. AppArmor could be an alternative, also.]
** Use a patched kernel? (grsecurity/PaX)

* Maybe
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH tunnels vs. VPN
** Evaluate changing Apache to nginx

* Discarded ideas
** Improve logcheck rules (increase signal-to-noise ratio)
   Reason for discarding: not very concrete
** Apache's mod_security
   Reason for discarding: Does only a subset of what OSSEC already does.
** fail2ban
   Reason for discarding: Does only a subset of what OSSEC already does.

* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone