#+TITLE: TODO for Fripost (internal administration use only)
* Current projects
** TODO Create an administration interface
:LOGBOOK:
- State "TODO" from "" [2012-10-08 Mon 19:00]
:END:
*** TODO Test that interface
*** TODO How to implement limits? How to add domains?
** TODO Research further solutions (e.g. Gnutiken's) for online calendars
:LOGBOOK:
- State "TODO" from "" [2012-10-08 Mon 18:58]
:END:
*** DONE We need to choose a machine to host a DAVICal server.
CLOSED: [2012-11-19 Mon 18:54]
:LOGBOOK:
- State "DONE" from "" [2012-11-19 Mon 18:54]
:END:
- database: mistral
- frontend: harvey
*** TODO Install RoundCube plugin
:LOGBOOK:
- State "TODO" from "" [2012-11-19 Mon 18:54]
:END:
*** TODO Open a port to let advanced users connect using their favorite client on harvey
:LOGBOOK:
- State "TODO" from "" [2012-11-19 Mon 18:55]
:END:
** TODO Set up a redundant SMTP-server, using documented configurations
:LOGBOOK:
- State "TODO" from "" [2012-10-08 Mon 18:56]
:END:
*** Round Robin DNS vs. a script that changes ddclient's configuration if the mail SMTP server times out?
** TODO Get Fripost's email configuration data into Thunderbird's database
:LOGBOOK:
- State "TODO" from "" [2012-10-08 Mon 18:55]
:END:
*** TODO Add Stian's file to Fripost's website
** DONE Make sure our size limit on all hosts for incoming email is ~50 MB to beat Hotmail and Gmail
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:22]
:END:
<xxxx>: message size 46731757 exceeds size limit 35882577 of
server gmail-smtp-in.l.google.com[173.194.71.26]
<xxxx>: message size 46731904 exceeds size limit 36909875 of
server mx1.hotmail.com[65.55.92.184]
[2012-09-17 Mon 00:42]
** TODO Bacula [1/2]
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:22]
:END:
*** DONE Make sure that the data is actually replicated with rsync according to the current solution
CLOSED: [2012-11-19 Mon 18:59]
:LOGBOOK:
- State "DONE" from "TODO" [2012-11-19 Mon 18:59]
:END:
*** TODO Install the storage daemon on benjamin
** TODO Convert ikiwiki to use org-mode backend
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:22]
:END:
*** Once this is done, use the wiki to document the administrative part.
** TODO Document installation of OSSEC
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:22]
:END:
*** We will use the standalone rather than client-server solution
** DEFERRED Document how to enable encrypted swap :DEFERRED:
CLOSED: [2012-11-19 Mon 19:06]
:LOGBOOK:
- State "DEFERRED" from "TODO" [2012-11-19 Mon 19:06] \\
Deferred until we have lab system installed with our configuration. /Board meeting
:END:
How does this work on a VPS?
** DONE Implement firewall rules on the systems
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:17]
:END:
** DONE Register on http://www.dnswl.org
** TODO Support for mailing lists
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:17]
:END:
*** DONE Install mailman on gnu
** TODO LDAP Schema Changes
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:17]
:END:
*** Keep track of accounting:
**** fripostJoined: 2011-01-01
**** fripostHasPaidYearlyFees: 2011
fripostHasPaidYearlyFees: 2012
*** Solve how to not add overhead.
** TODO Publish our SSL certificates to the MonkeySphere
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:17]
:END:
*** http://web.monkeysphere.info/
** TODO Make proper certificates on the smarthosts too?
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:17]
:END:
*** CAcert-signed certificate would be good enough.
** TODO lists.fripost.org should perhaps be added to the SN list for fripost.org's SSL certificate
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'.
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
** DEFERRED When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
*** Convert the mailboxes from maildir to Dovecot's high performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox
** TODO Do not deliver any content via HTTP (redirect everything to https://).
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
*** Ideally, but sadly X.509 certificates are not cheap.
** TODO Should we log every single change made to the LDAP directory?
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
*** http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
*** For 3 days only
** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server.
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
** TODO Shouldn't we obfuscate our logs (e.g., successful IMAP/SASL authentication)?
:LOGBOOK:
- State "TODO" from "TODO" [2012-11-19 Mon 19:18]
:END:
** TODO Replace the SSH tunnels with VPNs.
* New propositions, waiting for approval
* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
*** TODO Give one configuration example so we could decide on what we need to activate
ljo already uses Munin, so we could look at his configuration
** User level filtering of emails
- We will use sieve, perhaps managesieve? Dovecot v2.x has nice
improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve .
Wait for the next Debian stable (wheezy)?
** DONE Spamassassin (opt-in)
*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering)
*** Create a MySQL database to store the (per-recipient) bayes tokens and white list
*** Add an auxiliary ObjectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema
*** Offer full SpamAssassin configuration through the web-panel
*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs Spamassassin (or not) based on the user configuration
*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (Global SPAM/HAM folder may make sa-learn too busy.)
** DONE DKIM
*** Should be done on the outgoing SMTP side, but then it's hard to know who the sender is.
*** Solution, sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org? (We need the private key anyway.)
** SPF
*** Not much to do:
dig fripost.org +short TXT "v=spf1 redirect:smtp.fripost.org"
dig smtp.fripost.org +short TXT "v=spf1 A -all"
*** Tell our users to add a similar first TXT record:
dig example.org +short TXT "v=spf1 redirect:smtp.fripost.org"
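Added example (not part of the Fripost TODO file): a minimal SPF evaluator in Python that walks the records above through a constructed DNS table, showing how the redirect from fripost.org, and from a user's example.org, hands the whole decision to smtp.fripost.org's "A -all" record. Note that RFC 7208 spells the modifier `redirect=`; the `redirect:` form used above is accepted as well. The 192.0.2.x addresses are constructed test values.

```python
import ipaddress

# Constructed stand-in for DNS (sample data, not Fripost's real records); 192.0.2.0/24 is TEST-NET-1.
DNS = {
    "fripost.org":      {"TXT": ["v=spf1 redirect=smtp.fripost.org"], "A": ["192.0.2.10"]},
    "smtp.fripost.org": {"TXT": ["v=spf1 A -all"],                    "A": ["192.0.2.25"]},
    "example.org":      {"TXT": ["v=spf1 redirect:smtp.fripost.org"], "A": ["192.0.2.99"]},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Resolve a record type from the constructed table above (no network access)."""
    return DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def check_spf(ip, domain, depth=0):
    """SPF result for sender IP 'ip' using MAIL FROM domain 'domain' (RFC 7208 subset)."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [t for t in lookup(domain, "TXT") if (t.split() or [""])[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                # more than one SPF record is a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        low = term.lower()
        # RFC 7208 spells the modifier 'redirect='; the 'redirect:' form from the notes is accepted too
        if low.startswith(("redirect=", "redirect:")):
            redirect = term[len("redirect="):]
            continue                    # only consulted if no mechanism matches
        qualifier = "+"
        if low[0] in "+-~?":
            qualifier, low = low[0], low[1:]
        mech, _, arg = low.partition(":")
        if mech == "all":
            matched = True
        elif mech == "a":               # A record(s) of the argument, or of the domain itself
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(arg or domain, "A"))
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        else:                           # mx, include, exists, ptr are not modelled here
            return "permerror"
        if matched:
            return RESULT[qualifier]
    if redirect:                        # the target's record replaces this one entirely
        result = check_spf(ip, redirect, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

Note that fripost.org's own A record (192.0.2.10) fails: after a redirect only smtp.fripost.org's record counts, which is exactly what the "v=spf1 A -all" on the smarthost intends.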
** Central log server using rsyslogd
*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory).
*** Hardware is needed
** Distributed storage for backups
- Tahoe FS/LAFS seems very promising, but isn't ready yet for production.
- Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre.
** DONE Implement quotas
- Can probably wait until December 23, 2012.
- The new LDAP schema supports quotas, there's only need to use a Dovecot plugin to make them active.
** Write a policy for our PGP-keys
[[http://www.haven-project.org/][Haven Project]]
*** We should also sign each other and sign our servers (densifying the WoT would make MonkeySphere validation happy), and why not end activity days with a mini-keysigning party.
** Write a tutorial for how to generate a good password / how to use a keychain
*** Good master password: http://world.std.com/~reinhold/diceware.html
*** Keychain: http://git.zx2c4.com/password-store with GPG-agent
** Evaluate CFEngine vs. Chef vs. Puppet vs. Ansible
*** https://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
** DONE fripost-adduser should not allow user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE" from "" [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts
*** Should the smarthosts synchronise their database? Use SQL? Otherwise, a UNIX socket would be faster.
** SELinux [Was Discarded]
Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
[Guilhem, 2012-11-14 00:42:55 Did anyone try it? Looks awesome to me. AppArmor could be an alternative, also.]
** Use a patched kernel? (grsecurity/PaX)
* Maybe
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH-tunnels vs VPN
** Evaluate changing Apache to nginx
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete
** Apache's mod_security
Reason for discarding: Does only a subset of what OSSEC already does.
** fail2ban
Reason for discarding: Does only a subset of what OSSEC already does.
* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone