[Cc-webedit] Server work done today
Jon Leighton
j at jonathanleighton.com
Sat Oct 10 12:29:22 BST 2009
I think these are quite valid concerns on the whole, but I'd really like
to see whether they will agree to implement SSL first. Neil, do you have
an update on that?

I'm not against us getting more control over the domain. Presumably we
have a DNS server at tachanka we could use? I'm currently not aware who
is even paying for the domain, but I think it would be useful for us to
get direct access to the registrar. Any objections to pursuing this?

I think we can trust the nologic admin(s) in the same way as we trust
tachanka admins - and we have a track record with nologic going back
years. But their infrastructure is clearly lacking something and we do
need to address this.

Cheers

On Fri, 2009-10-09 at 10:10 -0700, theinnercityhippy at riseup.net wrote:
> that's brilliant thanks. I'll get on with the certificates as soon as
> possible.
>
> I think it worries me that we are putting an extraordinary amount of trust
> in nologic, particularly with the two most sensitive parts of the site,
> namely the mx and the dns zone file. I am also concerned at having to
> request a change rather than being able to edit the zone file directly.
> Don't forget that we are a direct action organisation.
>
> I think that the alarm bells have gone off for me with the lack of ssl for
> webmail, I dread to think who may already have access to the passwords and
> with them all of the sensitive mail to the site.
>
> Mx opinion is that the extra hassle in terms of running an mta is worth it
> for the additional security, and that we could handle dos ourselves
> without having to send what is I'm guessing an unencrypted mail to make a
> change?
>
> I'm of course only one opinion though, it would be good to hear what
> others think.
>
> Jd
>
> > Yo,
> >
> > scponly and ssh port proposals are fine by me.
> >
> > On Fri, 2009-10-09 at 17:08 +0100, Jim Dog wrote:
> >> Ok so the second thing I have been doing today is to try and sort out
> >> the ssl certificate for the server, but I have reached an impasse as I
> >> can't receive root mail for the domain www.climatecamp.org.uk
> >>
> >> There are several ways around this, but all would require my details
> >> being added to the MX records for whoever does the mail relaying now
> >> (nologic still?) so that I receive mail for one of the following
> >> addresses, then someone needs to let me know which asap
> >>
> >> root
> >> hostmaster
> >> postmaster
> >> admin
> >> webmaster
> >
> > I have set up hostmaster, postmaster, admin and webmaster to forward to
> > root. I have then set up root to forward to you and I, as we are the two
> > who currently administrate the server. Hope that's okay.
> >
> >> I would suggest that it is a good idea to get someone other than nologic
> >> to receive the mail for all of these addresses anyhow if this has not
> >> already been done. Ideally, I think we ought to run our own MX or at
> >> least use someone who will make it easier to do stuff like this in a
> >> hurry. Who has the logins for the DNS etc? It would make my life a lot
> >> easier if I could deal with this directly if the group can get consensus
> >> that this is necessary. Therefore I propose that I be given access to
> >> the DNS and MX records held with NoLogic as I can't generate a server
> >> certificate with CACERT without being able to do this.
> >
> > Note that it is pretty quick for us to create new email addresses and
> > forwards. Neil and I currently have the password for this. I think it's
> > good having nologic worry about administrating the mail server for now,
> > as that's one less thing for us to have to maintain. However, as we
> > discussed at the gathering, there is clearly something to be desired
> > with respect to spam filtering and SSL for the webmail. I'd like to hear
> > the outcome of Neil's investigations before considering moving our mail
> > provider.
> >
> > The domain and DNS is currently administered by nologic and records can
> > be changed on request. Currently *.climatecamp.org.uk points to the
> > tachanka server, with specific exceptions (mail.climatecamp.org.uk and
> > old.climatecamp.org.uk IIRC). I think this is alright, but if there was
> > a strong feeling we should have more direct control over it I wouldn't
> > stand in the way.
> >
> >> The other thing related to certificates is that I need an up to date list
> >> of subdomains that are being used at the moment ie
> >> photo.climatecamp.org.uk or foo.clim.... etc
> >
> > Looking at the Apache config I've got:
> >
> > bugs.climatecamp.org.uk (redmine)
> > code.climatecamp.org.uk (gitweb)
> > news.climatecamp.org.uk (unused, we should probably delete)
> > photo.climatecamp.org.uk (though I don't think we need SSL for this)
> > stats.climatecamp.org.uk
> >
> > However, I have had in the back of my mind to change "bugs" to "dev" and
> > remove "code" as redmine has a perfectly adequate repository browser. So
> > it would be good to add "dev" to this certificate.
> >
> > There's also cms.climatecamp.org.uk for the cms.
> >
> >> Deeeeeeep breath
> >>
> >> Hope that makes sense to someone, let me know if anything is too
> >> baffling
> >
> > Thanks for your work on this, it made sense :)
> >
> > Jon
> >
> >
> > _______________________________________________
> > Cc-webedit mailing list
> > Cc-webedit at lists.aktivix.org
> > https://lists.aktivix.org/mailman/listinfo/cc-webedit
> >