Jump to content

FeministWiki:Technical documentation: Difference between revisions

FeministWiki:Technical documentation (view source)

Revision as of 18:36, 13 October 2018

1,178 bytes added ,  13 October 2018
→‎Certs
(7 intermediate revisions by the same user not shown)
Line 39: Line 39:
== Special DNS entries ==
== Special DNS entries ==


The following entries are used for email:
For CAA:


{| class="wikitable"
{| class="wikitable"
!Type !! Host            !! Data                                                  !! Purpose
!Type !! Name !! Flag !! Tag  !! Value         
|-
|-
|MX  || @               || smtp.feministwiki.org                                 || Mail server
|CAA  || @   || 0    || issue || letsencrypt.org
|-
|-
|TXT || @               || v=spf1 mx -all                                        || SPF
|CAA || @   || 0    || iodef || admin@feministwiki.org
|}
 
For email:
 
{| class="wikitable"
!Type !! Host            !! Data                                                                  !! Purpose
|-
|-
|TXT  || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey>                            || DKIM
|MX  || @              || smtp.feministwiki.org                                                  || Mail server
|-
|-
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=mailto:admin@feministwiki.org || DMARC
|TXT  || @              || v=spf1 mx -all                                                        || SPF
|-
|-
|TXT  || @              || google-site-verification=<key>                       || Google Site Verification
|TXT  || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey>                                            || DKIM
|-
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
|}


And the following SRV records for XMPP:
For XMPP:


{| class="wikitable"
{| class="wikitable"
!Service      !! Protocol !! Name !! Destination          !! Port
!Type !! Service      !! Protocol !! Name !! Destination          !! Port
|-
|-
|_xmpp-client || _tcp    || @    || xmpp.feministwiki.org || 5222
|SRV  || _xmpp-client || _tcp    || @    || xmpp.feministwiki.org || 5222
|-
|-
|_xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|SRV  || _xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|}
 
Google Site Verification:
 
{| class="wikitable"
!Type !! Host            !! Data
|-
|TXT  || @              || google-site-verification=<key>
|}
|}


Line 79: Line 95:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):


letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"
  # Use $() to eliminate the terminating newline, if any.
  domains=$(cat /root/etc/domains)
 
  domains=$(printf '%s' "$domains" | tr '\n' ',')
 
  letsencrypt certonly --authenticator standalone -d "$domains"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Line 97: Line 118:


Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
=== Readability of the key files ===
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


== Services ==
== Services ==
Line 194: Line 219:


Host: smtp.feministwiki.org <br/>
Host: smtp.feministwiki.org <br/>
Software: Postfix
Software: Postfix, OpenDKIM
 
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM.  Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.


FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot and LDAP-based virtual mail boxes under <code>/home/vmail</code>.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.


=== XMPP ===
=== XMPP ===
Retrieved from "https://feministwiki.org/wiki/Special:MobileDiff/105...124"