(→Certs) |
(→Certs) |
||
(5 intermediate revisions by the same user not shown) | |||
Line 39: | Line 39: | ||
== Special DNS entries == | == Special DNS entries == | ||
For CAA: | |||
{| class="wikitable" | |||
!Type !! Name !! Flag !! Tag !! Value | |||
|- | |||
|CAA || @ || 0 || issue || letsencrypt.org | |||
|- | |||
|CAA || @ || 0 || iodef || admin@feministwiki.org | |||
|} | |||
For email: | |||
{| class="wikitable" | {| class="wikitable" | ||
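Review bot: the `iodef` row's value `admin@feministwiki.org` is not a valid iodef property value; RFC 8659 requires a URL, so it should read `mailto:admin@feministwiki.org` (the DMARC row further down this page already uses the `mailto:` form). Consider also documenting an `issuewild` row: with only an `issue` tag present, that tag governs wildcard issuance as well, and an explicit `issuewild ";"` states that no wildcards are expected if that is the intent.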
Line 51: | Line 61: | ||
|- | |- | ||
|TXT || _dmarc || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC | |TXT || _dmarc || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC | ||
|} | |||
For XMPP: | |||
{| class="wikitable" | |||
!Type !! Service !! Protocol !! Name !! Destination !! Port | |||
|- | |||
|SRV || _xmpp-client || _tcp || @ || xmpp.feministwiki.org || 5222 | |||
|- | |- | ||
| | |SRV || _xmpp-server || _tcp || @ || xmpp.feministwiki.org || 5269 | ||
|} | |} | ||
Google Site Verification: | |||
{| class="wikitable" | {| class="wikitable" | ||
! | !Type !! Host !! Data | ||
|- | |- | ||
| | |TXT || @ || google-site-verification=<key> | ||
|- | |||
|} | |} | ||
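Review bot: the SRV table omits the Priority and Weight fields that every SRV record carries (RFC 2782 form is `_service._proto.name TTL IN SRV priority weight port target`), so a reader cannot reproduce the two `_xmpp-client` / `_xmpp-server` records from this page alone; add two columns with the values actually in the zone. The `<key>` placeholder in the Google site verification row is fine for documentation, but note next to it that the record can be removed once verification is complete so it does not linger in the zone.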
Line 79: | Line 95: | ||
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication. | ||
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following | To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first): | ||
# Use $() to eliminate the terminating newline, if any. | |||
domains=$(cat /root/etc/domains) | |||
domains=$(printf '%s' "$domains" | tr '\n' ',') | |||
letsencrypt certonly --authenticator standalone -d "$domains" | |||
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file: | ||
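Review bot: the recipe only produces the `/etc/letsencrypt/live/feministwiki.org` lineage named in the text if `feministwiki.org` is the first line of `/root/etc/domains`, because the lineage is named after the first `-d` domain; state that ordering requirement where the file is described (newer certbot releases also accept `--cert-name feministwiki.org` to pin the name). Blank lines in the file become empty entries in the comma-separated list and make the command fail, so filtering them (e.g. `grep -v '^$'`) would make this more robust. Minor: `cat` is unnecessary here, `domains=$(tr '\n' ',' < /root/etc/domains)` does the same in one step, and the `$()` comment remains accurate since command substitution strips trailing newlines.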
Line 198: | Line 219: | ||
Host: smtp.feministwiki.org <br/> | Host: smtp.feministwiki.org <br/> | ||
Software: Postfix | Software: Postfix, OpenDKIM | ||
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests. | |||
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes. | |||
=== XMPP === | === XMPP === |
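Review bot: the Software line now lists OpenDKIM, but the section never says which DKIM selector is in use or that the matching `<selector>._domainkey` TXT record must exist alongside the DMARC row shown in the DNS table above; add that so the "Show original" check described here is reproducible by another admin. The sentence "various tools on the web ... which you can find via Google" is too vague for an operations page; name the checkers actually relied on or drop the sentence.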