path: root/todo.org
blob: 559cb4f601d628c96b03e00da7688610ccab317d (plain)
#+TITLE: TODO for Fripost (internal administration use only)

* Current projects
** TODO Create an administration interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:00]
:END:
*** TODO Test that interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:01]
:END:
** TODO Research further solutions (e.g. Gnutiken's) for online calendars
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:58]
:END:
** TODO Set up a redundant SMTP-server, using documented configurations
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:56]
:END:
** TODO Get Fripost's email configuration data into Thunderbird's database
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:55]
:END:
** TODO Make sure our size limit for incoming email is ~50 MB to beat hotmail and gmail
<xxxx>: message size 46731757 exceeds size limit 35882577 of
    server gmail-smtp-in.l.google.com[173.194.71.26]
<xxxx>: message size 46731904 exceeds size limit 36909875 of
    server mx1.hotmail.com[65.55.92.184]
[2012-09-17 Mon 00:42]
** TODO Bacula [0/3]
*** TODO Make sure that the data is actually replicated with rsync according to the current solution
*** TODO Install the storage daemon on benjamin
** TODO Upgrade Roundcube to the version in squeeze-backports
*** TODO Install and try it on zetkin
*** TODO Install it on harvey
** DONE Fix so that new passwords are hashed with SHA1
CLOSED: [2012-06-14 Thu 19:44]
- State "DONE"       from "TODO"       [2012-06-14 Thu 19:44]
** TODO Add this module to fripost-tools
http://www.vboxadm.net/files/lib/VBoxAdm/DovecotPW.ipm
** CANCELED Install PGP module in RoundCube
CLOSED: [2012-06-14 Thu 19:44]
- CLOSING NOTE [2012-06-14 Thu 19:44] \\
  This is not good.
** TODO Convert ikiwiki to use org-mode backend
** TODO Document installation of OSSEC
- We will use the standalone rather than client-server solution
** TODO Document how to enable encrypted swap
- How does this work on a VPS?
** TODO Implement firewall rules on the systems
** TODO Register on http://www.dnswl.org/
- This is done, only the reverse DNS (v6) is missing for smtp.fripost.org
** TODO Fix mounting of raid device on benjamin in accordance with Debian 6.0
Information on this can be found in the admin log file
** TODO Fix so that we can use a better value for RC imap auth type (GSSAPI?)
Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
** CANCELED Determine how we should handle RC identities
E.g. $rcmail_config['identities_level'] = 0; is not ideal.
There should be some sort of verification before emailing, so that a user cannot, e.g., send email from our webmail using admin@fripost.org.
- Look into the details of how RoundCube handles identities
** DONE Add link from mail.fripost.org to https://fripost.org
CLOSED: [2012-08-22 Wed 20:25]
** TODO Support for mailing lists
*** TODO Install mailman on zetkin
** TODO LDAP Schema Changes
*** DONE Allow for domain aliases
CLOSED: [2012-08-20 Mon 01:25]
** TODO SMTP server
- We'll use gnu.friprogramvarusyndikatet.se for this
- Should be given priority since users have requested this
- Experiment with header forging to masquerade the sender's IP.
** TODO How to publish our SSL certificates? MonkeySphere? http://web.monkeysphere.info/
** TODO Make proper certificates on the smarthosts too?
** TODO lists.fripost.org, www.fripost.org and git.fripost.org should be added to the SN list for fripost.org's SSL certificate.
** DONE Add a CNAME `ldap.fripost.org' -> `mistral.fripost.org'.
** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
convert the mailboxes from maildir to Dovecot's high-performance mdbox format
http://wiki2.dovecot.org/MailboxFormat/dbox .
** TODO Do not deliver any content via HTTP (redirect everything to https://).
** TODO Should we log every single change made to the LDAP directory?
http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
for 3 days
** Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server.

* New propositions, waiting for approval
** Shouldn't we obfuscate our logs (e.g., successful IMAP/SASL authentication)?

* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
*** TODO Give one configuration example so we could decide on what we need to activate
ljo already uses Munin, so we could look at his configuration
** User level filtering of emails
- We will use sieve, perhaps managesieve? Dovecot v2.x has nice
improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve .
Wait for the next Debian stable (wheezy)?
** Spamassassin (opt-in)
- One idea for handling the opt-in feature: have people opt in by creating a
  spam folder. Make it clear that if they create a spam folder, they are opting
  in automatically. Check ljo's text at sac.se/it
** Central log server using rsyslogd
*** Hardware is needed
** Distributed storage for backups
- Tahoe FS/LAFS.
** DONE Implement quotas
Can probably wait until December 23, 2012.
** Write a policy for our PGP-keys
[[http://www.haven-project.org/][Haven Project]]

** Evaluate cfengine vs. chef vs. puppet
** DONE fripost-adduser should not allow user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE"       from ""           [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts

* Maybe
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)

** Evaluate SSH-tunnels vs VPN
** Evaluate changing Apache to nginx
 
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete
** SELinux
Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
** Apache's mod_security
Reason for discarding: Does only a subset of what OSSEC already does.
** fail2ban
Reason for discarding: Does only a subset of what OSSEC already does.

* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone