path: root/todo.org
blob: e337170ecb03d6a5a4bb3640345126c167dcf747 (plain)
#+TITLE: TODO for Fripost (internal administration use only)

* Current projects
** TODO Bacula [0/3]
*** TODO Make sure that the data is actually replicated with rsync according to the current solution
*** TODO Install the storage daemon on benjamin
** TODO Upgrade Roundcube to the version in squeeze-backports
*** TODO Install and try it on zetkin
*** TODO Install it on harvey
** DONE Fix so that new passwords are hashed with SHA1
CLOSED: [2012-06-14 Thu 19:44]
- State "DONE"       from "TODO"       [2012-06-14 Thu 19:44]
** TODO Add this module to fripost-tools
http://www.vboxadm.net/files/lib/VBoxAdm/DovecotPW.ipm
** CANCELED Install PGP module in RoundCube
CLOSED: [2012-06-14 Thu 19:44]
- CLOSING NOTE [2012-06-14 Thu 19:44] \\
  This is not good.
** TODO Convert ikiwiki to use org-mode backend
** TODO Document installation of OSSEC
- We will use the standalone rather than client-server solution
** TODO Document how to enable encrypted swap
- How does this work on a VPS?
** TODO Implement firewall rules on the systems
** TODO Register on http://www.dnswl.org/
- This is done, only the reverse DNS (v6) is missing for smtp.fripost.org
** TODO Fix mounting of raid device on benjamin in accordance with Debian 6.0
Information on this can be found in admin log-file
** TODO Fix so that we can use a better value for RC imap auth type
Currently, we have $rcmail_config['imap_auth_type'] = 'plain';
** TODO Determine how we should handle RC identities
e.g. $rcmail_config['identities_level'] = 0; is not ideal.
There should be some sort of verification before emailing, so that a user cannot, e.g., email from our webmail using admin@fripost.org
- Look into the details of how RoundCube handles identities
** DONE Add link from mail.fripost.org to https://fripost.org
CLOSED: [2012-08-22 Wed 20:25]
** TODO Support for mailing lists
*** TODO Install mailman on zetkin
** TODO LDAP Schema Changes
*** DONE Allow for domain aliases
CLOSED: [2012-08-20 Mon 01:25]
** TODO SMTP server
- We'll use gnu.friprogramvarusyndikatet.se for this
- Should be given priority since users have requested this
- Experiment with header forging to masquerade the sender's IP.

* New propositions, to be submitted for approval
** When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
replace the LDA by the new LMTP service. http://wiki2.dovecot.org/LMTP .
** When upgrading to Dovecot v2.x (wait for the next Debian stable - wheezy):
convert the mailboxes from maildir to Dovecot's high performance mdbox format
http://wiki2.dovecot.org/MailboxFormat/dbox .
** Do not deliver any content via HTTP (redirect everything to https://).
** lists.fripost.org and www.fripost.org should be added to the SN list for fripost.org's SSL certificate.
** Set up an Asterisk server?
** Add a CNAME `ldap.fripost.org' -> `mistral.fripost.org'.
** How to publish our SSL certificates? MonkeySphere? http://web.monkeysphere.info/
** Should we log every single change made to the LDAP directory?
http://www.openldap.org/doc/admin24/overlays.html#Audit%20Logging
** Shouldn't we obfuscate our logs (e.g., successful IMAP/SASL authentication)?
** Make proper certificates on the smarthosts too?

* Deferred projects
** Move the wiki to fripost.org/wiki
** Monitoring - Munin
*** TODO Give one configuration example so we could decide on what we need to activate
ljo already uses Munin, so we could look at his configuration
** User level filtering of emails
- We will use sieve, perhaps managesieve? Dovecot v2.x has nice
improvements over v1.x, see http://wiki2.dovecot.org/Pigeonhole/Sieve .
Wait for the next Debian stable (wheezy)?
** Spamassassin (opt-in)
- One idea for handling the opt-in feature: have people opt in by creating a
  spam folder. Make it clear that if they create a spam folder, they are opting
  in automatically. Check ljo's text at sac.se/it
** Central log server using rsyslogd
*** Hardware is needed
** Distributed storage for backups
- Tahoe FS/LAFS.
** Implement quotas
Can probably wait until December 23, 2012.
** Write a policy for our PGP-keys
[[http://www.haven-project.org/][Haven Project]]

** Evaluate cfengine
** DONE fripost-adduser should not allow user to be added if there is an alias by that name
CLOSED: [2012-06-14 Thu 19:56]
- State "DONE"       from ""           [2012-06-14 Thu 19:56]
** Add greylisting to all receiving smarthosts

* Maybe
** Create a mail gateway to change settings

** Evaluate SSH-tunnels vs VPN
** Evaluate changing Apache to nginx
 
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete
** SELinux
Reason for discarding: Not feasible at this point, too much overhead, not always obvious what causes problems etc.
** Apache's mod_security
Reason for discarding: Does only a subset of what OSSEC already does.
** fail2ban
Reason for discarding: Does only a subset of what OSSEC already does.

* Org-mode settings
#+STARTUP: indent
#+STARTUP: logdone
#+STARTUP: lognotedone