
FeministWiki:Technical documentation: Difference between revisions

(10 intermediate revisions by the same user not shown)
Line 3: Line 3:
== Hosts ==
== Hosts ==


The following table documents the DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another.
The following table documents the basic DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another.


{| class="wikitable"
{| class="wikitable"
Line 36: Line 36:


(As you can see, all services are on the same server for now.)
(As you can see, all services are on the same server for now.)
== Special DNS entries ==
For CAA:
{| class="wikitable"
!Type !! Name !! Flag !! Tag  !! Value         
|-
|CAA  || @    || 0    || issue || letsencrypt.org
|-
|CAA  || @    || 0    || iodef || admin@feministwiki.org
|}
For email:
{| class="wikitable"
!Type !! Host            !! Data                                                                  !! Purpose
|-
|MX  || @              || smtp.feministwiki.org                                                  || Mail server
|-
|TXT  || @              || v=spf1 mx -all                                                        || SPF
|-
|TXT  || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey>                                            || DKIM
|-
|TXT  || _dmarc          || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
For XMPP:
{| class="wikitable"
!Type !! Service      !! Protocol !! Name !! Destination          !! Port
|-
|SRV  || _xmpp-client || _tcp    || @    || xmpp.feministwiki.org || 5222
|-
|SRV  || _xmpp-server || _tcp    || @    || xmpp.feministwiki.org || 5269
|}
Google Site Verification:
{| class="wikitable"
!Type !! Host            !! Data
|-
|TXT  || @              || google-site-verification=<key>
|}


== SSH access ==
== SSH access ==
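Review bot: In the CAA table, the iodef row gives its value as a bare address (admin@feministwiki.org), but the iodef property takes a URL, so the value should be mailto:admin@feministwiki.org, wrapped in <nowiki> the same way the DMARC rua value is. In the XMPP table, the SRV rows list only the destination and port; SRV records also carry priority and weight fields, so add those two columns with the values actually configured. It is also worth a sentence noting that the CAA issue entry limits issuance to letsencrypt.org, so it has to be changed before any switch to another certificate authority.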
Line 51: Line 95:
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.


To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following command while TCP port 80 is free (e.g. stop Apache first):
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line.  Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):


letsencrypt certonly --authenticator standalone -d "$(tr '\n' ',' < /root/etc/domains)"
  # Use $() to eliminate the terminating newline, if any.
  domains=$(cat /root/etc/domains)
 
  domains=$(printf '%s' "$domains" | tr '\n' ',')
 
  letsencrypt certonly --authenticator standalone -d "$domains"


Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
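Review bot: The new commands join every line of /root/etc/domains with commas but never check the lines, so a blank line or stray whitespace in the file ends up as an empty or malformed entry in the -d list. Filtering before joining avoids that and removes the two-step cat/printf workaround, for example domains=$(grep -v '^[[:space:]]*$' /root/etc/domains | paste -sd, -). The comment about $() explains only the first assignment; a second comment saying that the tr step turns the remaining newlines into commas would make the intent of both lines clear.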
Line 69: Line 118:


Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer.  Make sure to run it from within a proper terminal emulator.
=== Readability of the key files ===
To ensure that processes running under unprivileged users can read key files, ensure that the users they run under are members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>.


== Services ==
== Services ==
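Review bot: The new "Readability of the key files" section says the ssl-cert group "should have read access" but gives no command for granting or verifying it, and it names only the files, not the directories on the path to them, which the group must also be able to traverse. Suggest documenting the exact chgrp/chmod steps used on this server and a check such as running ls -lL on /etc/letsencrypt/live/feministwiki.org as one of the service users. Since membership in ssl-cert exposes the private key to every member account, the section should also list which service users are expected to be in the group.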
Line 166: Line 219:


Host: smtp.feministwiki.org <br/>
Host: smtp.feministwiki.org <br/>
Software: Postfix
Software: Postfix, OpenDKIM
 
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM.  Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.


FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot and LDAP-based virtual mail boxes under <code>/home/vmail</code>.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.


=== XMPP ===
=== XMPP ===
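Review bot: The added paragraph names OpenDKIM for signing but does not say which selector it signs with; the DNS table in this revision publishes the key at mail._domainkey, so state that the OpenDKIM selector must be mail and record where its configuration and private key live. The verification step depends on a manual Gmail "Show original" check, and "which you can find via Google" names no concrete tool; listing the specific checks used would make the procedure repeatable. The old Postfix paragraph now sits below the new one as a separate line in the diff, so confirm it was removed rather than left as a duplicate.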