Metalab Services: Unterschied zwischen den Versionen
KKeine Bearbeitungszusammenfassung |
Pepi (Diskussion | Beiträge) KKeine Bearbeitungszusammenfassung |
||
| (12 dazwischenliegende Versionen von 6 Benutzern werden nicht angezeigt) | |||
| Zeile 3: | Zeile 3: | ||
{{Projekt | {{Projekt | ||
|image=Metalab Atomic ASCII.png | |image=Metalab Atomic ASCII.png | ||
|involved= | |involved= | ||
|startdate=2013-11-18 | |startdate=2013-11-18 | ||
|status= | |status=deceased | ||
|wtf=Fixing, Securing and updating Metalab Services | |wtf=Fixing, Securing and updating Metalab Services | ||
|lastupdate=21.01.2013 <!-- if lastupdate is not set manually, the date will be set automatically to the date of the latest wikiapage --> | |lastupdate=21.01.2013 <!-- if lastupdate is not set manually, the date will be set automatically to the date of the latest wikiapage --> | ||
| Zeile 16: | Zeile 16: | ||
* Website: http(80)/https(443) metalab.at (www.metalab.at) | * Website: http(80)/https(443) metalab.at (www.metalab.at) | ||
* Website: http(80)/https(443) lists.metalab.at | * Website: http(80)/https(443) lists.metalab.at | ||
* XMPP/Jabber: xmpp(5222 | * XMPP/Jabber: xmpp(5222, 5269) jabber.metalab.at | ||
* Incoming Email: SMTP(25) mail.metalab.at (MX 10) | * Incoming Email: SMTP(25) mail.metalab.at (MX 10) | ||
* Outgoing Email: SMTP(25) | * Outgoing Email: SMTP(25) | ||
| Zeile 38: | Zeile 38: | ||
** against [[Benutzer:hop]] | ** against [[Benutzer:hop]] | ||
** against [[Benutzer:mzeltner]] - not because of technical reasons, but ones that I'd prefer Metalab not have infrastructure set up in which someone speaks for or as the organisation. | ** against [[Benutzer:mzeltner]] - not because of technical reasons, but ones that I'd prefer Metalab not have infrastructure set up in which someone speaks for or as the organisation. | ||
** [[Benutzer:reox]] icbw but submission should be used for mailservers that hold mailboxes, not for relays. they should use port 25. only use it if pop/imap is implemented | |||
** for [[Benutzer:reckoner]] - Could be just mail forwarding service without storage attached to mailbox. | |||
* POP(110, 995) or IMAP(143, 993) Services? | * POP(110, 995) or IMAP(143, 993) Services? | ||
** against [[Benutzer:hop]] | ** against [[Benutzer:hop]] | ||
** against [[Benutzer:mzeltner]] - adding complexity | ** against [[Benutzer:mzeltner]] - adding complexity | ||
** for [[Benutzer:red667]] - mailserverice for members, so less people use gmail, hotmail, ... - cryptohardening is useless if the data is at a place without control | |||
** for [[Benutzer:reckoner]] - only in the form of super-encrypted paid-only mailboxes for paranoid members with funds going to Metalab support. | |||
* gitweb.cgi | * gitweb.cgi | ||
** for [[Benutzer:mzeltner]] - give people the option to avoid GitHub? Decentralised structure and all… With <code>git http-push</code> (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access. | ** for [[Benutzer:mzeltner]] - give people the option to avoid GitHub? Decentralised structure and all… With <code>git http-push</code> (WebDAV) support that uses the same credentials as the wiki or mos? Because we don't need lots of people with shell access. | ||
** for [[Benutzer:reox]] | |||
** against [[Benutzer:reckoner]] - using [https://github.com/metalab/ Github Metalab org. account] motivates people to participate in projects, provides better visibility. | |||
* [http://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html DKIM] | |||
** for [[Benutzer:mzeltner]] | |||
** for [[Benutzer:reox]] | |||
** for [[Benutzer:reckoner]] - and SPF, and DMARC | |||
* LDAP | |||
** for [[Benutzer:red667]] - i now its a pain in the ass but would be beneficial for a lot of other services | |||
** for [[Benutzer:reckoner]] - definitely | |||
* MediaWiki | |||
** for [[Benutzer:reckoner]] - Use MediaWiki as the only CMS for the website, including front-page, calendar and users. Leave MOS as legacy administration backend only. | |||
Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit§ion=1 add] it! | Anything missing? Please [https://metalab.at/wiki/index.php?title=Metalab_Services&action=edit§ion=1 add] it! | ||
| Zeile 56: | Zeile 71: | ||
** wheezy wheezy wheezy see [http://packages.debian.org/wheezy/apache2 this] and [http://ftp-master.metadata.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13_changelog this] - it's hard enough as it is to keep the machine running (thx thx hop) ---[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ** wheezy wheezy wheezy see [http://packages.debian.org/wheezy/apache2 this] and [http://ftp-master.metadata.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13_changelog this] - it's hard enough as it is to keep the machine running (thx thx hop) ---[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ||
* Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody | * Update to eJabberd 13.10 (current as of 2013-11-19) or switch to prosody | ||
** prosody nightly builds for 0.9 are stable and have reasonable SSL settings --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ** prosody nightly builds for 0.9 are stable and have reasonable SSL settings - ah, but: [http://web.jabber.ccc.de/?p=440 Prosody is still single-threaded, which makes it impossible to use for large server deployments] --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ||
* Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore) | * Check ALL the Certificates for ALL the services. Acquire certificates for services that do not yet have one. (Basically do not host any unencrypted services anymore) | ||
** I don't think *we* do that (hackerspaces.org does) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ** I don't think *we* do that (hackerspaces.org does) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ||
| Zeile 68: | Zeile 83: | ||
* Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery | * Add SRV Records to DNS for Jabber/XMPP Server federation and Clients discovery | ||
* Add SPF/TXT Records to DNS for Email | * Add SPF/TXT Records to DNS for Email | ||
** Keep in mind: some people occasionally send email as core | ** Keep in mind: some people occasionally send email as [[Bild:core.png]] from GMail servers (with regards to my comment from above, yes I don't like that either) --[[Benutzer:Mzeltner|Mzeltner]] ([[Benutzer Diskussion:Mzeltner|Diskussion]]) | ||
* Test all the services, document how to test them | * Test all the services, document how to test them | ||
* Test all the security things, document how to test them | * Test all the security things, document how to test them | ||
* | |||
== Things DONE == | |||
* 2015-07-01: STARTTLS on SMTP supported. Check to see if TLS works on the SMTP service: <code>openssl s_client -starttls smtp -connect mail.metalab.at:25</code> | |||
* Cleaned up most cruft in the DNS - Did [[User:Pepi|I]] break anything? I'm sorry, [[User:Pepi|tell me]] what and why you need it so I can reinstate it! | |||