aboutsummaryrefslogtreecommitdiffstats
path: root/todo.org
blob: 700ac56a88b28e6c6540eee15f68a013d231bc87 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
#+TITLE: TODO for Fripost (internal administration use only)

* Current projects
** TODO Create an administration interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:00]
:END:
*** TODO Test that interface
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 19:01]
:END:
*** [Guilhem, 2012-11-14 01:03:03] What's that?
*** How to implement limits? How to add domains?
** TODO Research further solutions (e.g. Gnutiken's) for on line calendars
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:58]
:END:
*** We need to choose a machine to host a DAVICal server.
*** A simple client could be offered through a RoundCube plugin.
*** Open a port to let advanced users connect using their favorite client.
** TODO Set up a redundant SMTP-server, using documented configurations
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:56]
:END:
*** Round Robin DNS vs. a script that changes ddclient's configuration if mail SMTP server timesout?
** TODO Get Fripost's email configuration data into Thunderbird's database
:LOGBOOK:
- State "TODO"       from ""           [2012-10-08 Mon 18:55]
:END:
** TODO Make sure our size limit for incoming email is ~50 MB to beat hotmail and gmail
<xxxx>: message size 46731757 exceeds size limit 35882577 of
    server gmail-smtp-in.l.google.com[173.194.71.26]
<xxxx>: message size 46731904 exceeds size limit 36909875 of
    server mx1.hotmail.com[65.55.92.184]
[2012-09-17 Mon 00:42]
** TODO Bacula [0/3]
*** TODO Make sure that the data is actually replicated with rsync according to the current solution
*** TODO Install the storage daemon on benjamin
** DONE Upgrade Roundcube to the version in squeeze-backports
*** DONE Install and try it on zetkin
*** DONE Install it on harvey
** DONE Fix so that new passwords are hashed with SHA1
CLOSED: [2012-06-14 Thu 19:44]
- State "DONE"       from "TODO"       [2012-06-14 Thu 19:44]
** TODO Add this module to fripost-tools
http://www.vboxadm.net/files/lib/VBoxAdm/DovecotPW.ipm
** CANCELED Install PGP module in RoundCube
CLOSED: [2012-06-14 Thu 19:44]
- CLOSING NOTE [2012-06-14 Thu 19:44] \\
  This is not good.
** TODO Convert ikiwiki to use org-mode backend
*** Once this is done, use the wiki to document the admininstrative part.
** TODO Document installation of OSSEC
- We will use the standalone rather than client-server solution
** TODO Document how to enable encrypted swap
- How does this work on a VPS?
** DONE Implement firewall rules on the systems
CLOSED: [2012-11-22 Thu 00:14]
** TODO Register on http://www.dnswl.org/
- This is done, only the reverse DNS (v6) is missing for smtp.fripost.org
** TODO Fix mounting of raid device on benjamin in accordance with Debian 6.0
Information on this can be found in admin log-file
** TODO Fix so that we can use better value for RC imap auth type (GSSAPI?)
*** Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
*** If possible, Kerberos would be preferable.
** CANCELED Determine how we should handle RC identities
e.g. $rcmail_config['identities_level'] = 0; is not ideal
there should be some sort of verification before emailing, such that a user e.g. cannot email from our webmail using admin@fripost.org
- Look into the details of how RoundCube handles identities
** DONE Add link from mail.fripost.org to https://fripost.org
CLOSED: [2012-08-22 Wed 20:25]
** TODO Support for mailing lists
*** TODO Install mailman on gnu
** TODO LDAP Schema Changes
*** Keep trac of accounting:
**** fripostJoined: 2011-01-01
**** fripostHasPaidYearlyFees: 2011
fripostHasPaidYearlyFees: 2012
** TODO SMTP server
- We'll use gnu.friprogramvarusyndikatet.se for this
- Should be given priority since users have requested this
- Experiment header forging to masquerade the sender's IP.
** TODO Publish our SSL certificates to the MonkeySphere
*** http://web.monkeysphere.info/
** TODO Make proper certificates on the smarthosts too?
*** CAcert-signed certificate would be good enough.
** TODO lists.fripost.org, www.fripost.org and git.fripost.org should be added to the SN list for fripost.org's SSL certificate.
** TODO Add A/AAAA records `ldap.fripost.org' -> `mistral.fripost.org'.
** TODO When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
*** Replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
*** Convert the maiboxes from maildir to Dovecot's high performance mdbox format. http://wiki2.dovecot.org/MailboxFormat/dbox
** TODO Do not deliver any content via HTTP (redirect everything to https://).
*** Ideally, but sadly X.509 certificates are not cheap.
** TODO Should we log every single change made to the LDAP directory?
*** http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
*** For 3 days only
** TODO Offer GSSAPI (Kerberos) authentication to our IMAP and SMTP server.
** TODO Shouldn't we obfuscate our logs (e.g., successuful IMAP/SASL authentication)?
* New propositions, waiting for approval
* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
*** TODO Give one configuration example so we could decide on what we need to activate
ljo already uses Munin, so we could look at his configuration
** User level filtering of emails
- We will use sieve, perhaps managesieve? Dovecot v2.x has nice
improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve .
Wait for the next Debian stable (wheezy)?
** Spamassassin (opt-in)
*** Install amavisd-new (backport version) on mistral (we need to know who the final recipient is to have per-user filtering)
*** Create a MySQL database to store the (per-recipient) bayes tokens and white list
*** Add an auxiliary ObjectClass to user entries in the LDAP directory, using http://www.ijs.si/software/amavisd/LDAP.schema
*** Offer full SpamAssassin configuration through the web-panel
*** Every e-mail, just before being handed over to Dovecot by Postfix, goes through amavisd-new, which runs Spamassassin (or not) based on the user configuration
*** Bayes correction (false positives and false negatives) can be made possible with two new attributes in the LDAP entry and an automatic script. (Global SPAM/HAM folder may make sa-learn too busy.)
** DKIM
*** Should be done on the outgoing SMTP side, but then it's hard to know who is the sender.
*** Solution, sign every single outgoing e-mail? Does it make sense to sign it with a key outside fripost.org? (We need the private key anyway.)
** SPF
*** Not much to do:
dig fripost.org +short TXT "v=spf1 redirect:smtp.fripost.org"
dig smtp.fripost.org +short TXT "v=spf1 A -all"
*** Tell our users to add a similar first TXT record:
dig example.org +short TXT "v=spf1 redirect:smtp.fripost.org"
** Central log server using rsyslogd
*** The server needs to be as deep as possible in our network topology (probably along with the LDAP master directory).
*** Hardware is needed
** Distributed storage for backups
- Tahoe FS/LAFS seems very promising, but isn't ready yet for production.
- Ozux suggested Gluster, which is used in the company he's working for. Other possibilities include Ceph and Lustre.
** DONE Implement quotas
- Can probably wait until December 23, 2012.
- The new LDAP schema supports quotas, there's only need to use a Dovecot plugin to make them active.
** Write a policy for our PGP-keys
[[http://www.haven-project.org/][Haven Project]]
*** We should also sign each other and sign our servers (densify the WoT would make MonkeySphere validation happy), and why not end activity days with a mini-keysigning party.
** Write a tutorial for how to generate a good password / how to use a keychain
*** Good master password: http://world.std.com/~reinhold/diceware.html
*** Keychain: http://git.zx2c4.com/password-store with GPG-agent
** Evaluate CFEngine vs. Chef vs. Puppet vs. Ansible
*** https://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software
** DONE fripost-adduser should not allow user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE"       from ""           [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts
*** Should the smarthosts syncronise their database? Use SQL? Otherwise, a UNIX socket would be faster.
** SELinux [Was Discarded]
Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
[Guilhem, 2012-11-14 00:42:55 Did anyone tried: looks awesome to me. AppArmor could be an alternative, also.]
** Use a patched kernel? (grsecurity/PaX)
* Maybe
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH-tunnels vs VPN
** Evaluating changing Apache to nginx 
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete
** Apaches mod_security
Reason for discarding: Does only a subset of what OSSEC already does.
** fail2ban
Reason for discarding: Does only a subset of what OSSEC already does.
* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone