author    Guilhem Moulin <guilhem.moulin@ens-lyon.org>  2012-11-13 21:45:33 +0100
committer Guilhem Moulin <guilhem.moulin@ens-lyon.org>  2012-11-13 21:45:33 +0100
commit    91a22fb1b6463523d990faeab61c2bd2b3e82000 (patch)
tree      933ec59b50bc700aeae290769d87fc3370e75761
parent    f503454e89f3f3b8a21589906b4d43cd0f73e420 (diff)
wibble
-rw-r--r--  fripost-docs.org  111
1 files changed, 54 insertions, 57 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index d73b83f..6ecc47c 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -443,8 +443,8 @@ threads to 8. (The default, 16, is fine for 4- and 8-core systems.)
2. It may be a good idea to modify DB_CONFIG, depending on the output
-of
-
+of
+
db4.8_stat -m -h /var/lib/ldap/ | head -16
(For optimal performance, the Requested pages found in the cache
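Review bot: this hunk, like most of the patch, only strips trailing whitespace, yet the same commit also rewrites the MSA section and changes ACCEPTABLE_LISTNAME_CHARACTERS further down, all under the commit message "wibble". Split the whitespace cleanup from the content changes and give the content commit a message that says what changed in the Postfix and Mailman documentation; otherwise the behavioural edits are easy to miss in a 54/57-line diff that is mostly blank-line churn.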
@@ -529,8 +529,8 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
| isActive: TRUE
|
`- mailTarget=user1-alias@fripost.org
-
-
+
+
:: /etc/ldap/fripost/fripost.ldif
@@ -1142,7 +1142,7 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
sudo mkdir -p /home/mail/virtual/fripost.org/
:: ldapadd -xWD cn=admin,dc=fripost,dc=org
-
+
dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
isActive: TRUE
@@ -1342,44 +1342,41 @@ TODO: add the necessary configuration files
sudo aptitude install postfix postfix-ldap
-*** Configuring the Mail Submission Agent (MSA)
-
-We offer a SMTP relay for authenticated users (via SASL). Currently the MSA and
-MTA are hosted on the same machine (gnu).
-
-Firewall: The MSA needs 587/TCP in, and the MTA 25/TCP both in and out.
-
-**** Install packages
+:: /etc/postfix/main.cf
-sudo apt-get install sasl2-bin libsasl2-modules
+smtp_bind_address = 88.80.16.139
+smtp_bind_address6 = 2A00:16B0:242:13F::1
+[...]
+smtp_tls_security_level = may
+smtp_tls_note_starttls_offer = yes
-(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
-test our installation.)
+(Note: Ideally, the IPv4 and IPv6 address above should resolve to our
+hostname, namely `smtp.fripost.org' here.)
-In the rest of this section, we assume there is a tunnel from the master
-LDAP server to the machine that hosts SASLauthd (i.e., ldap://127.0.0.1:3890 on
-this machine actually speaks to the master).
+We don't want to force the SMTP client to use encrypted connection
+regardless, as some servers may not support it :-/
-**** Relay emails from trusted hosts.
+**** Relay emails from trusted hosts
:: /etc/postfix/main.cf
relay_clientcerts = hash:$config_directory/relay_clientcerts
[...]
smtpd_tls_fingerprint_digest = sha1
+ [...]
smtpd_recipient_restrictions =
[...]
permit_mynetworks
permit_tls_clientcerts
[...]
-/etc/postfix/relay_clientcerts lists (SHA1) fingerprints and hostnames
+/etc/postfix/relay_clientcerts lists (SHA-1) fingerprints and hostnames
of our trusted hosts. Fingerprints can be obtained with
openssl x509 -fingerprint -sha1 -noout -in /path/to/pubkey.pem
:: /etc/postfix/relay_clientcerts
- E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg.fripost.org
+ E0:3C:E7:05:2D:2E:99:7B:EF:A1:D0:5A:A7:79:2C:6D:0B:66:FD:17 luxemburg
[...]
Do not forget do update this file if the you change the hostname or certificate of the
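Review bot: the removed "*** Configuring the Mail Submission Agent (MSA)" block takes with it the firewall requirements (587/TCP in for the MSA, 25/TCP in and out for the MTA), the sasl2-bin/libsasl2-modules install step and the assumption that ldap://127.0.0.1:3890 tunnels to the master LDAP server, and nothing in this hunk replaces them; if that material moved to another section, say so in the commit message, otherwise the SASL-dependent parts of the document (the AUTH PLAIN test transcript later on, for instance) now lack their setup. The added `smtp_tls_security_level = may` and `smtp_tls_note_starttls_offer = yes` lines give opportunistic TLS only, as the new note admits; it is worth stating next to them that smtp_tls_note_starttls_offer merely logs servers that offer STARTTLS and enforces nothing, so trust in relaying hosts still rests entirely on permit_mynetworks and the relay_clientcerts fingerprint check below. In the relay_clientcerts entry the hostname was shortened from luxemburg.fripost.org to luxemburg while the prose still says the file lists "hostnames"; either keep the FQDN or say that the second column is only a label. The context line "Do not forget do update this file if the you change the hostname" should read "Do not forget to update this file if you change the hostname".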
@@ -1394,7 +1391,7 @@ the mailhub. For instance on mx1.fripost.org,
:: /etc/postfix/main.cf
[...]
smtp_tls_security_level = may
- smtp_tls_policy_maps = hash:$config_directory/tls_policy
+ smtp_tls_policy_maps = hash:$config_directory/tls_policy
smtp_tls_cert_file = /path/to/pubkey.pem
smtp_tls_key_file = /path/to/privkey.key
[...]
@@ -1510,16 +1507,16 @@ What the user type is here emphasized and prefixed with a `*'
:: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
[...]
Verify return code: 0 (ok)
- ---
+ ---
250 DSN
* EHLO localhost.localdomain
[...]
- 250-ETRN
+ 250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
- 250-8BITMIME
- 250 DSN
+ 250-8BITMIME
+ 250 DSN
* AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
235 2.7.0 Authentication successful
* mail from:<user@fripost.org>
@@ -1528,11 +1525,11 @@ What the user type is here emphasized and prefixed with a `*'
250 2.1.5 Ok
* DATA
354 End data with <CR><LF>.<CR><LF>
- * Subject: test
+ * Subject: test
* \o/
- * .
+ * .
250 2.0.0 Ok: queued as 3D7767B4BD
-
+
Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's,
credentials, in our case login "user@fripost.org" and password "user", which
can be obtained by the command
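Review bot: the context line "is a base-64 encoding of the user's, credentials" carries a stray comma and should read "is a base-64 encoding of the user's credentials".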
@@ -1540,7 +1537,7 @@ can be obtained by the command
echo -ne '\000user@fripost.org\000user' | openssl base64
or slightly better (does not write password in your ~/.bash_history)
-
+
read U PW; echo -ne "\000$U\000$PW" | openssl base64
**** Anonymize the senders
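Review bot: the "slightly better" alternative `read U PW; echo -ne "\000$U\000$PW" | openssl base64` keeps the password out of ~/.bash_history but still echoes it on the terminal as it is typed and leaves it in $PW for the rest of the shell session; since the document already assumes bash, `read U; read -s PW` avoids the on-screen echo as well, and an `unset PW` afterwards clears the variable.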
@@ -1773,7 +1770,7 @@ in
:: /usr/share/roundcube/skins/default/templates/login.html
make
-
+
<roundcube:object name="logo" src="/images/roundcube_logo.png" id="logo" border="0" style="margin:0 11px" />
into an anchor element:
@@ -2027,36 +2024,36 @@ Reference: http://www.postfix.org/MULTI_INSTANCE_README.html
master_service_disable =
queue_directory = /var/spool/postfix-lists
mail_owner = postfix
- multi_instance_group = mta
+ multi_instance_group = mta
multi_instance_name = postfix-lists
- multi_instance_enable = yes
-
+ multi_instance_enable = yes
+
readme_directory = no
data_directory = /var/lib/postfix-lists
-
+
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
- myorigin = /etc/mailname
+ myorigin = /etc/mailname
myhostname = lists.fripost.org
-
+
mydestination = $myhostname
mynetworks = 127.0.0.0/8 [::FFFF:127.0.0.0]/104 [::1]/128
inet_interfaces = loopback-only
inet_protocols = all
-
+
default_database_type = cdb
-
- recipient_delimiter = +
- alias_database =
- alias_maps =
+
+ recipient_delimiter = +
+ alias_database =
+ alias_maps =
local_recipient_maps = $transport_maps
-
+
virtual_mailbox_domains = pcre:$config_directory/virtual_domains.pcre
virtual_alias_maps = pcre:$config_directory/virtual_aliases.pcre
- virtual_mailbox_maps =
-
+ virtual_mailbox_maps =
+
virtual_transport = error:5.1.1 Virtual transport unavailable
default_transport = smtp:[127.0.0.1]
-
+
relay_domains = $myhostname
transport_maps = cdb:$config_directory/transport_mailman
cdb:$config_directory/transport_schleuder
@@ -2102,7 +2099,7 @@ instance, for instance:
test-mailman-request#fripost.org@lists.fripost.org mailman:
test-mailman-subscribe#fripost.org@lists.fripost.org mailman:
test-mailman-unsubscribe#fripost.org@lists.fripost.org mailman:
-
+
:: /etc/postfix-lists/transport_schleuder
test-schleuder#fripost.org@lists.fripost.org schleuder:
test-schleuder-bounces#fripost.org@lists.fripost.org schleuder:
@@ -2159,7 +2156,7 @@ References:
- http://mail.python.org/pipermail/mailman-users/2010-January/068571.html
- for Mailman 3: http://wiki.list.org/display/DEV/Mailman+3.0
-
+
cd $HOME && wget http://www.msapiro.net/mm/2.1.13-1_vhost.patch
cd /var/lib/mailman
sudo patch -p1 < $HOME/2.1.13-1_vhost.patch
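Review bot: the steps `wget http://www.msapiro.net/mm/2.1.13-1_vhost.patch` followed by `sudo patch -p1` fetch a third-party patch over plain HTTP and apply it to /var/lib/mailman as root with no integrity check; since the document later pins mailman precisely to keep this patch in place, suggest committing the patch file to this repository (or at least recording its checksum and verifying it before `patch`), so the installed code does not depend on whatever the remote host happens to serve at install time.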
@@ -2201,11 +2198,11 @@ We now need to pin mailman to avoid our patches being overwritten by an apt-get
DEFAULT_URL_HOST = 'smtp.fripost.org' # TODO: change that to lists.fripost.org once the A record is changed
MTA = None
DEB_LISTMASTER = 'listmaster@lists.fripost.org'
- ACCEPTABLE_LISTNAME_CHARACTERS = '[-+_.=a-z0-9@]'
+ ACCEPTABLE_LISTNAME_CHARACTERS = '[-_.=a-z0-9@]'
PUBLIC_ARCHIVE_URL = 'http://%(hostname)s/pipermail/%(listname)s/'
DEFAULT_MSG_FOOTER = """_______________________________________________
%(real_name)s mailing list
- %(real_name)s@%(host_name)s
+ %(real_name)s@%(host_name)s
%(web_page_url)slistinfo%(cgiext)s/%(real_name)s@%(host_name)s"""
DEFAULT_CHARSET = 'UTF-8'
add_language('en', 'English', 'utf-8')
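Review bot: dropping '+' from ACCEPTABLE_LISTNAME_CHARACTERS ('[-+_.=a-z0-9@]' to '[-_.=a-z0-9@]') is a functional change, not whitespace, and its reason is not stated; presumably it is because the postfix-lists instance sets `recipient_delimiter = +` earlier in this diff, so a '+' inside a list name would be parsed as an address extension rather than as part of the name. Say so in a comment beside the setting or in the commit message, as the rest of this commit is cosmetic.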
@@ -2255,7 +2252,7 @@ dirty fix is to use a RewriteRule:
location = / {
rewrite ^ /mailman/listinfo permanent;
}
-
+
# Mailman
location ^~ /mailman/ {
location ^~ /mailman/create { return 403; }
@@ -2265,10 +2262,10 @@ dirty fix is to use a RewriteRule:
include fastcgi/params;
# include fastcgi/ssl; #TODO
fastcgi_pass unix:/var/run/fcgiwrap.socket;
- }
+ }
location ^~ /images/mailman/ {
alias /var/lib/mailman/icons/;
- }
+ }
location ^~ /pipermail/ {
rewrite ^/pipermail/([^@/]+)@([^@/]+)/?(.*)$ /pipermail/$2/$1/$3 last;
index index.html;
@@ -2316,7 +2313,7 @@ We now need to pin schleuder to avoid our patches being overwritten by an update
Explanation: We applied custom patches to /usr/bin/schleuder, /usr/bin/schleuder-newlist,
Explanation: and /usr/lib/ruby/1.8/schleuder/list.rb
Package: schleuder
- Pin: version *
+ Pin: version *
Pin-Priority: -30000
**** Configuration
@@ -2394,14 +2391,14 @@ A test server (for testing/debugging/development purposes only) can be started w
sudo chown 'schleuder:schleuder' /var/run/webschleuder/
:: /etc/thin/webschleuder.yml
- ---
+ ---
rackup: config.ru
pid: /var/run/webschleuder/pid
timeout: 30
log: /var/log/schleuder/webschleuder.log
max_conns: 1024
require: []
-
+
max_persistent_conns: 512
environment: production
user: schleuder