== Hosts ==
The following table documents the basic DNS configuration, and can be used as part of the <code>/etc/hosts</code> file on each server to obviate the need for DNS lookups when connecting to one another.
{| class="wikitable"
(As you can see, all services are on the same server for now.)
== Special DNS entries ==
For CAA:
{| class="wikitable"
!Type !! Name !! Flag !! Tag !! Value
|-
|CAA || @ || 0 || issue || letsencrypt.org
|-
|CAA || @ || 0 || iodef || <nowiki>mailto:admin</nowiki>@feministwiki.org
|}
The <code>iodef</code> value has to be a URL (<code>mailto:</code> or <code>https:</code>, per RFC 8659); a bare e-mail address is not a valid value for this tag.
For email:
{| class="wikitable"
!Type !! Host !! Data !! Purpose
|-
|MX || @ || smtp.feministwiki.org || Mail server
|-
|TXT || @ || v=spf1 mx -all || SPF
|-
|TXT || mail._domainkey || v=DKIM1; k=rsa; p=<pubkey> || DKIM
|-
|TXT || _dmarc || v=DMARC1; p=reject; rua=<nowiki>mailto:admin</nowiki>@feministwiki.org || DMARC
|}
For XMPP:
{| class="wikitable"
!Type !! Service !! Protocol !! Name !! Destination !! Port
|-
|SRV || _xmpp-client || _tcp || @ || xmpp.feministwiki.org || 5222
|-
|SRV || _xmpp-server || _tcp || @ || xmpp.feministwiki.org || 5269
|}
Google Site Verification:
{| class="wikitable"
!Type !! Host !! Data
|-
|TXT || @ || google-site-verification=<key>
|}
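The following script is an added example and not part of the FeministWiki page or its tooling. It performs offline sanity checks on the SPF, DMARC and CAA values documented above: each check takes the record data as an argument, so it can be run on a value pasted from the zone editor or on the output of <code>dig +short</code>. The <code>check_zone</code> function at the end assumes <code>dig</code> is installed and takes the zone name as a (hypothetical) argument.

```shell
#!/bin/sh
# Added example, not part of the FeministWiki page: offline sanity checks for
# the SPF, DMARC and CAA values documented above.  Each check takes the record
# data as an argument, so it works on a value pasted from the zone editor as
# well as on `dig +short` output (dig quotes TXT data; the quotes are dropped).
# The live check at the bottom assumes `dig` is installed.

strip_quotes() { printf '%s' "$1" | tr -d '"'; }

# Print the value of tag $2 ("p", "rua", ...) from a "tag=value; tag=value"
# record; prints nothing if the tag is absent.
record_tag() {
    strip_quotes "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//' |
        awk -F= -v t="$2" '$1 == t { sub(/^[^=]*=/, ""); print; exit }'
}

# SPF must be version 1 and must end in an explicit "all" mechanism, so that
# hosts other than the MX are rejected ("-all") or at least soft-failed.
check_spf() {
    v=$(strip_quotes "$1")
    case "$v" in
        "v=spf1 "*"-all"|"v=spf1 "*"~all") return 0 ;;
        *) echo "SPF has no terminal all mechanism: $v" >&2; return 1 ;;
    esac
}

# DMARC must start with the version tag and carry a policy of
# none, quarantine or reject; "p=reject" is what the record above uses.
check_dmarc() {
    case "$(strip_quotes "$1")" in
        "v=DMARC1;"*) ;;
        *) echo "DMARC record must begin with v=DMARC1" >&2; return 1 ;;
    esac
    case "$(record_tag "$1" p)" in
        none|quarantine|reject) return 0 ;;
        *) echo "DMARC policy tag missing or invalid" >&2; return 1 ;;
    esac
}

# The CAA iodef value is a URL (RFC 8659); a bare e-mail address is not a
# valid value, so the address must be written with a mailto: prefix.
check_caa_iodef() {
    v=$(strip_quotes "$1")
    case "$v" in
        mailto:?*@?*|https://?*|http://?*) return 0 ;;
        *) echo "CAA iodef must be a mailto: or http(s): URL, got: $v" >&2; return 1 ;;
    esac
}

# Live check of a zone (hypothetical usage: check_zone feministwiki.org).
check_zone() {
    d=$1
    check_spf "$(dig +short TXT "$d" | grep '^"v=spf1')" &&
    check_dmarc "$(dig +short TXT "_dmarc.$d")" &&
    check_caa_iodef "$(dig +short CAA "$d" | awk '$2 == "iodef" { print $3 }')"
}
```

Running <code>check_caa_iodef 'admin@feministwiki.org'</code> fails, while the <code>mailto:</code> form passes; the same functions can be wired into a cron job that alerts when someone edits the zone by hand.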
== SSH access ==
The FeministWiki uses LetsEncrypt to acquire digital certificates for encrypted communication.
To ease use of the letsencrypt command, the file <code>/root/etc/domains</code> contains all the FQDNs used by the FeministWiki, one per line. Given that, the preferred way to populate the <code>/etc/letsencrypt/live/feministwiki.org</code> directory with fresh certs is to run the following commands while TCP port 80 is free (e.g. stop Apache first):
 # Use $() to eliminate the terminating newline, if any.
 domains=$(cat /root/etc/domains)
 domains=$(printf '%s' "$domains" | tr '\n' ',')
 letsencrypt certonly --authenticator standalone -d "$domains"
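A more defensive version of the same procedure, added here as an example (it is not the script used on the FeministWiki server): blank lines and <code>#</code> comments in the domains file are ignored, a line containing anything that is not valid in a hostname aborts the run instead of being handed to letsencrypt, and Apache is started again whether or not letsencrypt succeeded. The file path, the service name <code>apache2</code> and the <code>letsencrypt</code> command are assumptions taken from this page.

```shell
#!/bin/sh
# Added example, not part of the FeministWiki page: a more defensive form of
# the procedure above.  Blank lines and '#' comments in the domains file are
# ignored, any name with characters not allowed in a hostname aborts the run
# (so a stray line cannot become an argument to letsencrypt), and Apache is
# started again even when letsencrypt fails.
# Assumptions: the domains file path, the service name "apache2", and the
# `letsencrypt` CLI as named on this page.

# Print the FQDNs in file $1, one per line; fail on an empty list or on a
# name containing anything other than letters, digits, '.' and '-'.
list_domains() {
    names=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1") || return 1
    [ -n "$names" ] || { echo "no domains listed in $1" >&2; return 1; }
    if bad=$(printf '%s\n' "$names" | grep -v '^[A-Za-z0-9.-]\{1,\}$'); then
        echo "invalid hostname(s) in $1: $bad" >&2; return 1
    fi
    printf '%s\n' "$names"
}

# The same list joined with commas, which is the form -d accepts.  paste
# adds no trailing comma, so no trailing-newline trick is needed.
domain_list() {
    names=$(list_domains "$1") || return 1
    printf '%s\n' "$names" | paste -sd, -
}

# Stop Apache so the standalone authenticator can bind port 80, run
# letsencrypt, then start Apache again regardless of the outcome and
# return letsencrypt's exit status.
issue_certs() {
    domains=$(domain_list "${1:-/root/etc/domains}") || return 1
    systemctl stop apache2 || return 1
    letsencrypt certonly --authenticator standalone -d "$domains"
    status=$?
    systemctl start apache2
    return $status
}

# Runs only when invoked as: sh issue_certs.sh --run [domains-file]
if [ "${1:-}" = "--run" ]; then
    issue_certs "$2"
fi
```

Because the domain list is validated before any service is stopped, a typo in the file leaves Apache running; run it from a real terminal for the reason given below.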
Additionally, for programs that require a cert file and its private key in a single combined <code>.pem</code> file, run the following commands to generate such a file:
Note that the letsencrypt command doesn't work well on a "dumb" terminal such as an Emacs shell buffer. Make sure to run it from within a proper terminal emulator.
=== Readability of the key files ===
To ensure that processes running under unprivileged users can read the key files, make the users they run under members of the <code>ssl-cert</code> group, which should have read access to the files in <code>/etc/letsencrypt/live/feministwiki.org</code>. Note that the files in that directory are symlinks into <code>/etc/letsencrypt/archive/feministwiki.org</code>, and letsencrypt creates both directory trees with root-only permissions by default, so the group needs traverse permission on the directories and read permission on the archived files themselves, in particular the current <code>privkey</code>. Grant that to the group only; the private key must never be world-readable.
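The following is an added example, not a script from the FeministWiki server, of applying and verifying those permissions. It assumes the <code>live/&lt;name&gt;</code> and <code>archive/&lt;name&gt;</code> layout that letsencrypt uses under <code>/etc/letsencrypt</code>, the group name <code>ssl-cert</code>, and GNU coreutils (<code>stat -c</code>, <code>readlink -f</code>); the root directory is a parameter so the functions can be exercised on a scratch copy first.

```shell
#!/bin/sh
# Added example, not part of the FeministWiki page: give the ssl-cert group
# read access to the certificate and key files without making the private
# key world-readable.  The files under live/ are symlinks into archive/, and
# letsencrypt keeps both trees root-only by default, so the directories and
# the archive files are what actually need the group permission.
# Assumptions: layout <root>/live/<name> and <root>/archive/<name> as used
# by /etc/letsencrypt; GNU coreutils (`stat -c`, `readlink -f`).

# usage: grant_key_access <letsencrypt-root> <cert-name> [group]
grant_key_access() {
    root=$1 name=$2 group=${3:-ssl-cert}
    for d in "$root/live" "$root/archive" "$root/live/$name" "$root/archive/$name"; do
        chgrp "$group" "$d" && chmod 0750 "$d" || return 1   # group may traverse
    done
    for f in "$root/archive/$name"/*.pem; do
        chgrp "$group" "$f" || return 1
        case "$f" in
            */privkey*.pem) chmod 0640 "$f" ;;   # key: owner + group only
            *)              chmod 0644 "$f" ;;   # certificates are public data
        esac || return 1
    done
}

# usage: verify_key_access <letsencrypt-root> <cert-name> [group]
# Succeeds only if every file behind live/<name>/*.pem belongs to the group,
# the private key is exactly 0640, and no file is tighter than the group needs.
verify_key_access() {
    root=$1 name=$2 group=${3:-ssl-cert}
    for f in "$root/live/$name"/*.pem; do
        t=$(readlink -f "$f") || return 1
        [ "$(stat -c '%G' "$t")" = "$group" ] || { echo "$t: wrong group" >&2; return 1; }
        mode=$(stat -c '%a' "$t")
        case "$t" in
            */privkey*.pem) [ "$mode" = 640 ] || { echo "$t: mode $mode, want 640" >&2; return 1; } ;;
            *) [ "$mode" = 644 ] || [ "$mode" = 640 ] || { echo "$t: mode $mode" >&2; return 1; } ;;
        esac
    done
}
```

Every renewal writes a new numbered <code>privkeyN.pem</code> into <code>archive/</code>, so run <code>grant_key_access</code> again after each renewal (for example from a renewal hook) and let <code>verify_key_access</code> fail the job if a key came out world-readable or unreadable to the group.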
== Services ==
Host: smtp.feministwiki.org <br/>
Software: Postfix, OpenDKIM
FeministMail uses the [http://www.postfix.org/ Postfix] SMTP server, using SASL authentication through Dovecot, LDAP-based virtual mail boxes under <code>/home/vmail</code>, and DKIM signing via OpenDKIM. Send a mail to a Gmail account and use the "Show original" feature of Gmail to see if the mail passes SPF, DKIM, and DMARC tests.
There are also various tools on the web to automatically test the DNS settings for correctness, to check if the domain/IP is on blacklists, etc., which you can find via Google. All in all, FeministMail is probably the most complicated service of the FeministWiki, as far as technical background goes.
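A <code>dkim=fail</code> in Gmail's "Show original" usually means the <code>p=</code> value published under <code>mail._domainkey</code> no longer matches the key OpenDKIM signs with. The script below is an added example, not part of the FeministWiki page, that derives the expected <code>p=</code> value from the private key and compares it with the DNS record; the key path, the selector <code>mail</code> and the availability of <code>openssl</code> (and <code>dig</code> for the live check) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FeministWiki page: check that the DKIM public
# key published in DNS (the p= value of mail._domainkey) is the one that
# belongs to the private key OpenDKIM signs with.  A mismatch is the usual
# reason Gmail's "Show original" reports dkim=fail after a key rotation.
# Assumptions: the private key path and the selector "mail"; `openssl` is
# installed, and `dig` for the live check only.

# The p= value is the base64 SubjectPublicKeyInfo of the RSA key (RFC 6376),
# which is exactly what `openssl rsa -pubout -outform DER` produces.
dkim_p_from_key() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Extract p= from a TXT record as shown by the zone editor or by `dig`;
# dig prints long records as several quoted strings, so quotes and spaces
# are dropped before splitting on ';'.
dkim_p_from_txt() {
    printf '%s' "$1" | tr -d '" ' | tr ';' '\n' | sed -n 's/^p=//p'
}

# 0 if record $2 publishes the public half of key file $1, 1 otherwise.
dkim_record_matches() {
    key=$1 txt=$2
    published=$(dkim_p_from_txt "$txt")
    [ -n "$published" ] || { echo "no p= tag in DKIM record" >&2; return 1; }
    expected=$(dkim_p_from_key "$key")
    [ -n "$expected" ] || { echo "cannot read RSA key $key" >&2; return 1; }
    [ "$published" = "$expected" ] || { echo "DNS p= does not match $key" >&2; return 1; }
}

# Live check: compare the key file against what the resolver returns.
# hypothetical usage: dkim_check_live /etc/opendkim/keys/mail.private mail feministwiki.org
dkim_check_live() {
    dkim_record_matches "$1" "$(dig +short TXT "$2._domainkey.$3")"
}
```

Run <code>dkim_check_live</code> from the mail host after every key rotation, before the old key is removed from DNS; it also catches the case where the zone editor silently truncated a long <code>p=</code> value.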
=== XMPP ===