[Cc-webedit] Server work done today

theinnercityhippy at riseup.net theinnercityhippy at riseup.net
Fri Oct 9 18:10:28 BST 2009


That's brilliant, thanks. I'll get on with the certificates as soon as
possible.

I think it worries me that we are putting an extraordinary amount of trust
in nologic, particularly with the two most sensitive parts of the site,
namely the mx and the dns zone file. I am also concerned at having to
request a change rather than being able to edit the zone file directly.
Don't forget that we are a direct action organisation.

I think that the alarm bells have gone off for me with the lack of SSL for
webmail. I dread to think who may already have access to the passwords and
with them all of the sensitive mail to the site.

My opinion is that the extra hassle in terms of running an MTA is worth it
for the additional security, and that we could handle dos ourselves
without having to send what is, I'm guessing, an unencrypted mail to make a
change?

I'm of course only one opinion though, it would be good to hear what
others think.

Jd

> Yo,
>
> scponly and ssh port proposals are fine by me.
>
> On Fri, 2009-10-09 at 17:08 +0100, Jim Dog wrote:
>> Ok so the second thing I have been doing today is to try and sort out
>> the ssl certificate for the server, but I have reached an impasse as I
>> can't receive root mail for the domain www.climatecamp.org.uk
>>
>> There are several ways around this, but all would require my details
>> being added to the MX records for whoever does the mail relaying now
>> (nologic still?) so that I receive mail for one of the following
>> addresses, then someone needs to let me know which asap
>>
>> root
>> hostmaster
>> postmaster
>> admin
>> webmaster
>
> I have set up hostmaster, postmaster, admin and webmaster to forward to
> root. I have then set up root to forward to you and me, as we are the two
> who currently administrate the server. Hope that's okay.
>
>> I would suggest that it is a good idea to get someone other than nologic
>> to receive the mail for all of these addresses anyhow if this has not
>> already been done. Ideally, I think we ought to run our own MX or at
>> least use someone who will make it easier to do stuff like this in a
>> hurry. Who has the logins for the DNS etc? It would make my life a lot
>> easier if I could deal with this directly if the group can get consensus
>> that this is necessary. Therefore I propose that I be given access to
>> the DNS and MX records held with NoLogic as I can't generate a server
>> certificate with CACERT without being able to do this.
>
> Note that it is pretty quick for us to create new email addresses and
> forwards. Neil and I currently have the password for this. I think it's
> good having nologic worry about administrating the mail server for now,
> as that's one less thing for us to have to maintain. However, as we
> discussed at the gathering, there is clearly something to be desired
> with respect to spam filtering and SSL for the webmail. I'd like to hear
> the outcome of Neil's investigations before considering moving our mail
> provider.
>
> The domain and DNS are currently administered by nologic and records can
> be changed on request. Currently *.climatecamp.org.uk points to the
> tachanka server, with specific exceptions (mail.climatecamp.org.uk and
> old.climatecamp.org.uk IIRC). I think this is alright, but if there was
> a strong feeling we should have more direct control over it I wouldn't
> stand in the way.
>
>> The other thing related to certificates is that I need an up to date list
>> of subdomains that are being used at the moment ie
>> photo.climatecamp.org.uk or foo.clim.... etc
>
> Looking at the Apache config I've got:
>
> bugs.climatecamp.org.uk (redmine)
> code.climatecamp.org.uk (gitweb)
> news.climatecamp.org.uk (unused, we should probably delete)
> photo.climatecamp.org.uk (though I don't think we need SSL for this)
> stats.climatecamp.org.uk
>
> However, I have had in the back of my mind to change "bugs" to "dev" and
> remove "code" as redmine has a perfectly adequate repository browser. So
> it would be good to add "dev" to this certificate.
>
> There's also cms.climatecamp.org.uk for the cms.
>
>> Deeeeeeep breath
>>
>> Hope that makes sense to someone, let me know if anything is too
>> baffling
>
> Thanks for your work on this, it made sense :)
>
> Jon