#+TITLE: TODO for Fripost (internal administration use only)

* Current projects

** TODO Create an administration interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:00]
:END:
*** TODO Test that interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:01]
:END:
*** [Guilhem, 2012-11-14 01:03:03] What's that?

** TODO Research further solutions (e.g. Gnutiken's) for online calendars
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:58]
:END:
*** We need to choose a machine to host a DAViCal server.
*** A simple client could be offered through a RoundCube plugin.
*** Open a port to let advanced users connect using their favourite client.

** TODO Set up a redundant SMTP server, using documented configurations
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:56]
:END:
*** Round-robin DNS vs. a script that changes ddclient's configuration if the mail SMTP server times out?
*** For incoming mail the usual answer is several MX records with different preferences: a sending MTA that cannot reach the preferred host tries the next one, which plain round-robin A records do not guarantee.

** TODO Get Fripost's email configuration data into Thunderbird's ISP database (autoconfiguration)
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:55]
:END:

** TODO Make sure our size limit for incoming email is ~50 MB to beat Hotmail and Gmail
: message size 46731757 exceeds size limit 35882577 of server gmail-smtp-in.l.google.com[173.194.71.26]
: message size 46731904 exceeds size limit 36909875 of server mx1.hotmail.com[65.55.92.184]
[2012-09-17 Mon 00:42]
*** In Postfix this is message_size_limit (default 10 MB). It applies to the message as transmitted, i.e. after base64 encoding of attachments, so a 50 MB limit allows roughly 37 MB of attachment data.

** TODO Bacula [0/3]
*** TODO Make sure that the data is actually replicated with rsync according to the current solution
*** TODO Install the storage daemon on benjamin

** DONE Upgrade Roundcube to the version in squeeze-backports
*** DONE Install and try it on zetkin
*** DONE Install it on harvey

** DONE Fix so that new passwords are hashed with SHA1
CLOSED: [2012-06-14 Thu 19:44]
- State "DONE"       from "TODO"       [2012-06-14 Thu 19:44]

** TODO Add this module to fripost-tools
http://www.vboxadm.net/files/lib/VBoxAdm/DovecotPW.ipm

** CANCELED Install PGP module in RoundCube
CLOSED: [2012-06-14 Thu 19:44]
- CLOSING NOTE [2012-06-14 Thu 19:44] \\
  This is not good.

** TODO Convert ikiwiki to use the org-mode backend
*** Once this is done, use the wiki to document the administrative part.

** TODO Document installation of OSSEC
- We will use the standalone rather than the client-server solution

** TODO Document how to enable encrypted swap
- How does this work on a VPS?

** TODO Implement firewall rules on the systems

** TODO Register on http://www.dnswl.org/
- This is done; only the reverse DNS (v6) is missing for smtp.fripost.org

** TODO Fix mounting of the RAID device on benjamin in accordance with Debian 6.0
Information on this can be found in the admin log file.

** TODO Fix so that we can use a better value for the RC IMAP auth type (GSSAPI?)
*** Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
*** If possible, Kerberos would be preferable.

** CANCELED Determine how we should handle RC identities
e.g. $rcmail_config['identities_level'] = 0; is not ideal: it lets a user define identities with any address, so there should be some sort of verification before emailing, such that a user cannot, for example, send from our webmail as admin@fripost.org.
- Look into the details of how RoundCube handles identities

** DONE Add link from mail.fripost.org to https://fripost.org
CLOSED: [2012-08-22 Wed 20:25]

** TODO Support for mailing lists
*** TODO Install mailman on gnu

** TODO LDAP schema changes

** TODO SMTP server
- We'll use gnu.friprogramvarusyndikatet.se for this
- Should be given priority since users have requested this
- Experiment with rewriting headers so that the sender's IP address is not disclosed (the Received: header records the submitting client's address).

** TODO Publish our SSL certificates to the MonkeySphere
*** http://web.monkeysphere.info/

** TODO Make proper certificates on the smarthosts too?
*** A CAcert-signed certificate would be good enough.

** TODO lists.fripost.org, www.fripost.org and git.fripost.org should be added to the SAN (subjectAltName) list of fripost.org's SSL certificate.

** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'.
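** Note: Dovecot password schemes, {SHA1} versus {SSHA}
The items above about hashing new passwords with SHA1 and about the DovecotPW module are the context for this added example; it is neither fripost-tools nor DovecotPW code. It produces and verifies Dovecot-style {SHA1} (unsalted) and {SSHA} (salted; the salt is appended after the 20-byte digest) hashes in Python with only the standard library. The caveat a practitioner wants: {SHA1} yields identical hashes for identical passwords and is fast to brute-force, so a salted scheme such as {SSHA}, which Dovecot also accepts, is the better choice for new passwords. The password "secret" and the fixed salts are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example, not Fripost's or DovecotPW's code.  Dovecot's on-disk forms:
#   {SHA1}  base64( sha1(password) )                   unsalted
#   {SSHA}  base64( sha1(password || salt) || salt )   salt appended; Dovecot
#           treats everything after the 20-byte digest as the salt.
SHA1_LEN = 20


def hash_password(password, scheme="SSHA", salt=None):
    """Return a Dovecot-style "{SCHEME}base64" string for SHA1 or SSHA."""
    pw = password.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SHA1":
        return "{SHA1}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")
    if scheme == "SSHA":
        if salt is None:
            salt = os.urandom(4)          # 4 random bytes; any length is accepted
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme: " + scheme)


def verify_password(password, stored):
    """Check a password against a stored {SHA1} or {SSHA} hash.

    Returns False for any other scheme or for malformed data rather than
    raising, so a bad directory entry cannot turn into an accepted login.
    """
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return False
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA1":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        if len(raw) <= SHA1_LEN:          # digest only, no salt: Dovecot rejects it
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    return False


if __name__ == "__main__":
    # Two SSHA hashes of the same password differ (random salt); SHA1 ones do not.
    for scheme in ("SHA1", "SHA1", "SSHA", "SSHA"):
        print(scheme, hash_password("secret", scheme))
```

Stored values look like =userPassword: {SSHA}...= in LDAP; the verifier returns False instead of raising on unknown schemes or bad base64, which is the failure mode you want when the directory contains a damaged entry.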
** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable, wheezy):
*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP
*** Convert the mailboxes from maildir to Dovecot's high-performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox

** TODO Do not deliver any content via HTTP (redirect everything to https://).
*** Ideally, but sadly X.509 certificates are not cheap.

** TODO Should we log every single change made to the LDAP directory?
*** http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
*** For 3 days only

** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP servers.

* New propositions, waiting for approval

** Shouldn't we obfuscate our logs (e.g., successful IMAP/SASL authentications)?

* Deferred projects

** Move the wiki to fripost.org/wiki

** Monitoring - Munin
*** TODO Give one configuration example so we can decide on what we need to activate
ljo already uses Munin, so we could look at his configuration.

** User-level filtering of emails
- We will use Sieve, perhaps with ManageSieve? Dovecot v2.x has nice improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve . Wait for the next Debian stable (wheezy)?

** SpamAssassin (opt-in)
*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering)
*** Create a MySQL database to store the (per-recipient) Bayes tokens and whitelist
*** Add an auxiliary objectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema
*** Offer full SpamAssassin configuration through the web panel
*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs SpamAssassin (or not) based on the user's configuration
*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (A global SPAM/HAM folder may make sa-learn too busy.)

** DKIM
*** Should be done on the outgoing SMTP side, but then it's hard to know who the sender is.
*** Solution: sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org? (We need the private key anyway.)

** SPF
*** Not much to do:
: dig fripost.org +short TXT
: "v=spf1 redirect=smtp.fripost.org"
: dig smtp.fripost.org +short TXT
: "v=spf1 A -all"
*** Note the spelling: redirect is a modifier and takes "=", not ":" (RFC 4408). A record reading "redirect:smtp.fripost.org" does not parse, evaluates to permerror and therefore protects nothing.
*** Tell our users to add a similar first TXT record:
: dig example.org +short TXT
: "v=spf1 redirect=smtp.fripost.org"
*** Since the redirected record ends with -all, this only suits users who send all mail for their domain through smtp.fripost.org.

** Central log server using rsyslogd
*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory).
*** Hardware is needed

** Distributed storage for backups
- Tahoe-LAFS seems very promising, but isn't ready yet for production.
- Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre.

** DONE Implement quotas
- Can probably wait until December 23, 2012.
- The new LDAP schema supports quotas; there's only need to use a Dovecot plugin to make them active.

** Write a policy for our PGP keys [[http://www.haven-project.org/][Haven Project]]
*** We should also sign each other's keys and sign our servers' keys (densifying the WoT would make MonkeySphere validation happy), and why not end activity days with a mini keysigning party.

** Evaluate cfengine vs. chef vs. puppet

** DONE fripost-adduser should not allow a user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE"       from ""           [2012-06-14 Thu 19:56]

** Add greylisting to all receiving smarthosts
*** Should the smarthosts synchronise their database? Use SQL? Otherwise, a UNIX socket would be faster.

** SELinux [Was Discarded]
Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
[Guilhem, 2012-11-14 00:42:55] Did anyone try: looks awesome to me. AppArmor could be an alternative, also.

** Use a patched kernel? (grsecurity/PaX)

* Maybe

** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH tunnels vs. VPN
** Evaluate changing Apache to nginx

* Discarded ideas

** Improve logcheck rules (increase signal-to-noise ratio)
Reason for discarding: not very concrete

** Apache's mod_security
Reason for discarding: Does only a subset of what OSSEC already does.

** fail2ban
Reason for discarding: Does only a subset of what OSSEC already does.

* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone
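* Worked example: evaluating the SPF records under "Deferred projects"
The records in the SPF item chain fripost.org -> smtp.fripost.org through a redirect, and a user's domain is meant to do the same. The Python below is an added example, not Fripost's code: a minimal RFC 4408 check_host() run over constructed zone data, where the TXT records are the ones from that item and the address 192.0.2.25 and the names typo.example and nospf.example are assumptions. It shows what the chain answers for an authorised and an unauthorised IP, and why the modifier must be written redirect= rather than redirect: (the colon form parses as an unknown mechanism, the whole record becomes permerror, and the policy protects nothing).

```python
import ipaddress
import re

# Constructed stand-in for DNS, so the example runs offline.  The TXT records
# are the ones from the SPF item (with "redirect=" spelled as RFC 4408 requires);
# the address 192.0.2.25 and the names typo.example / nospf.example are
# assumptions made for this example.
ZONE = {
    "fripost.org":      {"TXT": ["v=spf1 redirect=smtp.fripost.org"]},
    "smtp.fripost.org": {"TXT": ["v=spf1 A -all"], "A": ["192.0.2.25"]},
    "example.org":      {"TXT": ["v=spf1 redirect=smtp.fripost.org"]},  # a user's domain
    "typo.example":     {"TXT": ["v=spf1 redirect:smtp.fripost.org"]},  # colon instead of '='
    "nospf.example":    {"TXT": ["some unrelated text"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# [qualifier] name [":" argument] ["/" cidr]
MECHANISM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?::([^/]+))?(?:/(\d{1,3}))?$")


def lookup(name, rtype):
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single v=spf1 TXT record of a domain, or None (none, or several)."""
    found = [t for t in lookup(domain, "TXT") if re.match(r"v=spf1(\s|$)", t, re.I)]
    return found[0] if len(found) == 1 else None


def check_host(ip, domain, depth=0):
    """Simplified RFC 4408 check_host(): a, ip4, ip6, include, all and the
    redirect= modifier.  Returns none, pass, fail, softfail, neutral or permerror."""
    if depth > 10:                                  # RFC 4408 10.1 lookup limit
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:                 # skip the "v=spf1" token
        if "=" in term:                             # modifier: name=value
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                                # unknown modifiers are ignored
        m = MECHANISM.match(term)
        if not m:
            return "permerror"
        qual, name, arg, cidr = m.groups()
        name, result = name.lower(), QUALIFIERS[qual or "+"]
        if name == "all":
            return result
        if name == "a":
            rtype = "AAAA" if addr.version == 6 else "A"
            for a in lookup(arg or domain, rtype):
                net = ipaddress.ip_network(f"{a}/{cidr or addr.max_prefixlen}", strict=False)
                if addr in net:
                    return result
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
            except ValueError:                      # missing or malformed address
                return "permerror"
            if addr in net:
                return result
        elif name == "include":
            sub = check_host(str(addr), arg or "", depth + 1)
            if sub == "pass":
                return result
            if sub in ("none", "permerror"):
                return "permerror"
        else:                                       # "redirect:..." lands here: unknown mechanism
            return "permerror"
    if redirect:                                    # consulted only when nothing matched
        sub = check_host(str(addr), redirect, depth + 1)
        return "permerror" if sub == "none" else sub
    return "neutral"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "fripost.org"), ("198.51.100.7", "fripost.org"),
                       ("192.0.2.25", "example.org"), ("192.0.2.25", "typo.example")]:
        print(f"{ip:14} {domain:18} -> {check_host(ip, domain)}")
```

Against live DNS, replace lookup() with real TXT/A/AAAA queries; the rest of the evaluator is unchanged. The typo.example case is the one to remember: a receiver seeing permerror treats the domain as if it had no usable policy, so the "-all" at the end of the chain is never reached.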