path: root/TODO.org
blob: 7e08d2fa5e109f562812c76562aea6afb134b4c4 (plain)
* DONE Email::Valid does not accept UTF-8 email addresses (e.g., peace@☮.net).
LDAP doesn't allow UTF-8 in the DNs anyway, so maybe convert the
domains/emails to Punycode internally?

* DONE Better check for existing lists (commands).
- When adding a new alias/mailbox 'test', check for existing alias/mailbox 'test', and list 'test'.
- When adding a new alias/mailbox 'test-request', check for existing alias/mailbox 'test-request', list 'test-request' *and* list 'test'. (The same for other list commands.)
- When adding a new list 'test', check for existing alias/mailbox/list 'test', 'test-request',...
- (Lists of the form 'test-request' are forbidden);
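The collision rules above, written out as an added Python sketch (not the project's Perl code): the set of existing entries to look up before creating an alias, mailbox or list. The full set of list command suffixes is assumed to be Mailman's; the page only names '-request'.

```python
# Assumed Mailman-style command suffixes; the TODO only names '-request'.
LIST_SUFFIXES = ("request", "admin", "bounces", "confirm", "join",
                 "leave", "owner", "subscribe", "unsubscribe")
KINDS = ("alias", "mailbox", "list")


def strip_suffix(name):
    """Return (base, suffix) if name ends in '-<command>', else (name, None)."""
    base, sep, tail = name.rpartition("-")
    if sep and base and tail in LIST_SUFFIXES:
        return base, tail
    return name, None


def names_to_check(kind, name):
    """Entries that must not already exist before creating `kind` `name`.

    Returns a sorted list of (kind, local_part) pairs to look up, or raises
    ValueError when the requested name is forbidden outright. Names are
    lowercased first, as the TODO asks for local parts.
    """
    if kind not in KINDS:
        raise ValueError("unknown kind %r" % (kind,))
    name = name.lower()
    base, suffix = strip_suffix(name)
    if kind == "list":
        if suffix is not None:
            raise ValueError("list name %r ends in a command suffix" % (name,))
        # A list 'test' also owns every 'test-<command>' address, so none of
        # them may exist as an alias or mailbox; 'test' itself may not be a list.
        reserved = [name] + ["%s-%s" % (name, s) for s in LIST_SUFFIXES]
        checks = {("list", name)}
        checks.update((k, n) for n in reserved for k in ("alias", "mailbox"))
        return sorted(checks)
    # Alias/mailbox 'test' collides with alias, mailbox or list 'test' ...
    checks = {(k, name) for k in KINDS}
    if suffix is not None:
        # ... and alias/mailbox 'test-request' also with list 'test'.
        checks.add(("list", base))
    return sorted(checks)
```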

* CANCELED Check for cycles when creating new aliases?
CLOSED: [2012-09-29 Thu 16:12]
- CLOSING NOTE [2012-09-29 Thu 16:12] \\
1/ It is impossible to do it properly since the authenticated user may not have full read access on the graph.
2/ Cycles may also be created by catch-alls or mailbox forwarding, or even externally with another server.
3/ Postfix warns the administrator with a
"unreasonable virtual_alias_maps map nesting for test-loop1@fripost.org"
in the logs if there's a loop in the alias resolution.

* DONE Write a script to check every runmode against the W3 validator.
(Cf. cgiapp_postrun);

* DONE Use FastCGI. References
- http://www.cgi-app.org/index.cgi?FastCGI
- http://stackoverflow.com/questions/11771564/nginx-fastcgi-configuration-for-cgiapplication-app

* TODO Use HTML::Template::Pro. Not sure it's really worth it, though.

* DONE Escape reserved characters in URLs:
http://mark.stosberg.com/blog/2010/12/percent-encoding-uris-in-perl.html

* CANCELED How should we encode the URL for internationalized domain names? Punycode vs. Unicode vs. HTML entities?
CLOSED: [2012-09-27 Thu 00:03]
- CLOSING NOTE [2012-09-27 Thu 00:03] \\
It's up to the browser (Firefox supports unicode in URLs).

* CANCELED Forbid UTF-8 in the domain part of lists? (Test if the list
managers support it at least.)
CLOSED: [2012-09-27 Thu 03:38]
- CLOSING NOTE [2012-09-27 Thu 03:38] \\
Mailman and Schleuder do not support IDNs, but we convert the list name
into Punycode first.

* DONE Give the right for domain postmasters to grant the right
to create aliases and lists.

* TODO Give the right to appoint co-owners (for lists and aliases).

* TODO Make every service use Kerberos, and remove the passphrase on
their GPG private keys.

* DONE Check list names against mailman's and schleuder's regexps?

* DONE What to do when a list creation fails? Set up a new service
to clean out the pending lists and domains if they have not been fixed
within 24h (daemon).
- CLOSING NOTE [2013-01-22 Thu 01:53] \\

* TODO Automatically generated passwords.

* TODO check if amavis{WhiteBlack}listSender supports catchall @example.org

* TODO Improve the CSS. Examples
    http://www.qubesys.com/25-css-form-templates-and-input-styles/
    https://github.com/pmcelhaney/semantic-form.css/blob/master/semantic-form.css
    http://designshack.net/articles/10-css-form-examples/
    http://www.codeproject.com/Tips/170049/Pure-HTML-5-CSS-3-Modal-Dialog-Box-no-JavaScript
    http://www.examiner.com/article/html5-best-practices-table-formatting-via-css3
    http://coding.smashingmagazine.com/2011/09/19/css3-flexible-box-layout-explained/
    http://demo.webtuts.info/popup/
    http://cssbutton.com/forms/
    http://www.urcss.com/design-css-form-submit-button/
    http://css-tricks.com/snippets/css/rounded-corners/
    http://files.christophzillgens.com/form-test.html

  <label>Username</label>
  <input type="text" tabindex="1" class="input" placeholder="Webtuts" required><br><br>
  <label>Password</label>
  <input type="password" class="input" tabindex="2" required><br><br>
  <input type="checkbox" tabindex="3">Keep me logged in
  <input type="submit" id="submitbtn" value="Login" tabindex="4">

  Nicer buttons:
    (darker on hover, depth effect on click)

* TODO Maximum pending entries per user (10).

* TODO Limit what a user can create. Examples
  fripostQuota: what limit [group [address]]
  fripostQuota: list 3 normal @fripost.org    -> users with canCreateList can create at most 3 lists under that domain.
  fripostQuota: alias 15 owner owner@fripost.org    -> this owner can create at most 15 aliases under that domain
  fripostQuota: mailbox 30 postmaster -> the postmaster(s) can create at most 30 mailboxes

* TODO Find a way to grant alias creation to a whole domain except a few
users. (Add new attributes fripostCannotAdd{Domain,Aliases,List}).

* TODO https://en.wikipedia.org/wiki/Tld#Reserved_domains

* TODO Use captions to explain active/pending status and anti-spam
  options.
  http://www.webdesignerdepot.com/2012/10/creating-a-modal-window-with-html5-and-css3/
  http://sixrevisions.com/css/css-only-tooltips/

* TODO Add a button to allow domain/alias deletion.

* TODO Redocument the library.

* TODO We need a test-suite for the web application as well. And
  ideally, for the whole library.
  http://search.cpan.org/~hartzell/Test-WWW-Mechanize-CGIApp-0.05/lib/Test/WWW/Mechanize/CGIApp.pm
  http://search.cpan.org/~petdance/Test-WWW-Mechanize-1.44/Mechanize.pm

* TODO Alternative to set user passwords:
  http://search.cpan.org/~marschap/perl-ldap-0.52/lib/Net/LDAP/FAQ.pod#..._in_most_LDAP_servers?
  http://search.cpan.org/~esskar/Crypt-SaltedHash-0.06/lib/Crypt/SaltedHash.pm
  http://search.cpan.org/~zefram/Authen-Passphrase-0.008/lib/Authen/Passphrase.pm
  http://www.openldap.org/faq/data/cache/347.html

  http://www.zytrax.com/books/ldap/ch6/ppolicy.html

* TODO "A DN containing "[" "]" does not expand correctly.", quote from
  http://www.openldap.org/faq/data/cache/1133.html
  Try with an example (e.g., canAddAlias)

* TODO Wildcards (adapt the search method):
   *    => *@*
   xy*  => xy*@*
   *xy  => *@*xy
   x*y  => x*@*y
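The table above as an added Python sketch (not the project's code): the pattern is split into local-part and domain sub-patterns, then turned into an LDAP filter in which the user's '*' stays a substring wildcard while every other filter metacharacter is escaped per RFC 4515, so the injection concern noted further down for unusual addresses does not apply to searches. The attribute names fvl/fvd are taken from the ldapmodify note below; treating a pattern with neither '*' nor '@' as an exact local part under any domain is an assumption.

```python
# RFC 4515 escapes for the characters that are special in an LDAP filter.
_ESCAPES = {"\\": r"\5c", "(": r"\28", ")": r"\29", "\0": r"\00"}


def expand_wildcard(pattern):
    """Split a search pattern into (local_part, domain) sub-patterns.

    Without '@' the TODO's table applies: 'a*b' -> ('a*', '*b'), hence
    '*' -> ('*', '*'), 'xy*' -> ('xy*', '*'), '*xy' -> ('*', '*xy').
    With '@' the split is at the LAST '@', since a quoted local part may
    itself contain one. No '*' and no '@' means an exact local part under
    any domain (an assumption, the table does not cover that case).
    """
    if "@" in pattern:
        local, domain = pattern.rsplit("@", 1)
        return local, domain
    head, star, tail = pattern.partition("*")
    if not star:
        return pattern, "*"
    return head + "*", "*" + tail


def ldap_escape(value, keep_wildcard=False):
    """Escape an assertion value; '*' stays a wildcard only if asked for."""
    out = []
    for ch in value:
        if ch == "*":
            out.append("*" if keep_wildcard else r"\2a")
        else:
            out.append(_ESCAPES.get(ch, ch))
    return "".join(out)


def search_filter(pattern, local_attr="fvl", domain_attr="fvd"):
    """Build the LDAP filter for a pattern; attribute names are assumed.

    The pattern is lowercased (local and domain parts are stored lowercase)
    and every special character other than the user's wildcards is escaped,
    so a pattern such as '*)(objectClass=*' cannot widen the search.
    """
    local, domain = expand_wildcard(pattern.lower())
    return "(&(%s=%s)(%s=%s))" % (local_attr, ldap_escape(local, True),
                                  domain_attr, ldap_escape(domain, True))
```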

* TODO Ensure that the domain and local parts are always lowercase.
  (we're doing a naive DN check)

* TODO check the list commands with recipient_delimiter (-bounces+*,
-confirm+*), cf https://www.gnu.org/software/mailman/mailman-install.txt

* TODO add options -destination/-forward/-catchall to the search methods
to filter on these values as well.

* TODO bug: new user "very.(),:;<>[]\".VERY.\"very@\\ * \"very\".unusual"@☮.net, upon error
   - check every unusual mail (maildrop, canAdd{list,alias}, alias, user).
   - check injection of code: in forms, upon login (escape forms).

* TODO Close the connection upon error at login and rest. (Maybe with cgiapp_postrun)

* TODO Explore untaint
  http://search.cpan.org/~wonko/HTML-Template-2.94/lib/HTML/Template.pm#Error_Detection_Options
  http://gunther.web66.com/FAQS/taintmode.html
  http://perldoc.perl.org/perlsec.html

* TODO Try to factorize the templates. Maybe with cgiapp_postrun (output_ref)

* TODO Add -welcome options to all add methods, to send welcome mails.

* TODO Hide the SpamAssassin form
  http://dev.opera.com/articles/view/css3-show-and-hide/
  http://www.webdeveloper.com/forum/showthread.php?168061-Hide-Show-div-on-mouseclick-with-CSS-(no-JS)
  http://stackoverflow.com/questions/5593500/html5-and-css3-show-form-hints-on-element-focus

* TODO check selfread access for canAdd{List,Alias} permission
  https://www.rfc-editor.org/rfc/rfc3876.txt

* TODO unlock accounts:
  ldapmodify -Y EXTERNAL -H ldapi:///
    dn: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
    changetype: modify
    delete: pwdAccountLockedTime

* TODO template filters
  http://www.perl.com/pub/2006/11/30/html-template-filters.html
  http://comments.gmane.org/gmane.comp.lang.perl.modules.html-template/2004

* TODO domain validation...
  https://en.wikipedia.org/wiki/Certificate_authority