From 4d5e01691573bcf0893fd5afef126eab6742a092 Mon Sep 17 00:00:00 2001 From: Jonas Smedegaard Date: Thu, 26 Dec 2002 01:09:05 +0000 Subject: Add new area doc for chunks of more or less structured knowledge related to the scripts and configfiles. --- doc/Certificates.txt | 27 ++++++++++++++++++++ doc/Email.txt | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 doc/Certificates.txt create mode 100644 doc/Email.txt (limited to 'doc') diff --git a/doc/Certificates.txt b/doc/Certificates.txt new file mode 100644 index 0000000..8c7acf7 --- /dev/null +++ b/doc/Certificates.txt @@ -0,0 +1,27 @@ +Certificate Authority +--------------------- +CA Certificate is placed in /etc/ssl/certs/ and name closely to CN of +organisation ( s/ /_/g ) appended "_CA.crt". + +CA Key is located in /etc/ssl/private/ named similarly appended +"_CA.key". + +Certificate is symlinked to "/etc/ssl/certs/cacert.pem" for easy +locating by scripts. + +Hosts +----- +Host certificates are placed in /etc/ssl/certs/ either named by the +service they provide appended ".pem", or symlinked with that name from +hostname.key or whatever makes best sense in the situation, either with +the key embedded or the key at the same place. + +The script /usr/share/local/localmksslcerts can be used to make +self-signed certificates with embedded keys. + +Users +----- +Have a look at this web page: +http://www.cise.ufl.edu/help/secure-access/ssl-mail-setup.shtml + +The script is at /usr/share/local/mycert - adapted to Debian GNU/Linux. diff --git a/doc/Email.txt b/doc/Email.txt new file mode 100644 index 0000000..5adfca6 --- /dev/null +++ b/doc/Email.txt 
@@ -0,0 +1,72 @@ +Mail Transport Agents (MTA) +--------------------------- +Postfix is generally used currently. + +A pool of Mail eXchange servers are registered in the file +/etc/local-COMMON/postfix/permit_mx_backup_networks +(/etc/local-COMMON/postfix/mx_networks is deprecated!). + +The script /etc/local-COMMON/postfix/anti-uce.sh started as an antispam +autoconfig script, but is evolving into a catch-all script for StartTLS, +MX backup pool, (maybe) pop-before-smtp and other tweaks. + +Postfix 2.0.1 has just come out, with improved responses when emails are +blocked by RBLs: http://www.rfc-ignorant.org/how_to_domain.php + +Read this about generally encrypting emails between MTAs whenever +possible: http://www.homeport.org/~adam/starttls.html + +Mail Delivery Agents (MDA) +-------------------------- +Here's a thread on optimally building a flexible auto-responder using +procmail (the post chosen gives the best result, but lacks explanation): +http://www.rosat.mpe-garching.mpg.de/mailing-lists/procmail/1999-09/msg00254.html + +The script /usr/local/sbin/userforward adds (or optionally overwrites) +a .forward and forwards email cruft lying in the incoming spool. + +The script is deliberately kept free from interactive dialogs to support +remote triggering from an email, sms or similar. + +POP/IMAP daemons +---------------- +UW IMAP and POP3 daemons are currently the best/easiest to integrate +with a heterogenous environment. + +dovecot just arrived as Debian package is a promising alternative once +mature - it is ekstremely streamlined and delivers to ~/home by default. + +Recent Debian packages are compiled with cleartext passwords turned off +by default. We are not quite ready yet for this move, so here's what +needs to be done to circumvent it: Create the file /etc/c-client.cf and +add the following lines: + +I accept the risk for IMAP toolkit 4.1. +set disable-plaintext nil + +(Remember the final dot in the first line! 
- even though I think they +have relaxed on that now and don't even need the correct version now). + +hile you are at it, consider adding this one as well (but then make +sure that the ~/mail directory then always exists!): + +set mail-subdirectory mail + +The script /usr/local/sbin/user-init checks (among alot of other stuff) +for the existense of that directory - when enabled in the hint file +/etc/local/users.conf + +Mail User Agents (MUA) +---------------------- +/usr/local/bin/spine and /usr/local/bin/xmutt fires up your favourite +low-tech MUA even in a hi-tech environment :-) + +If debugging StartTLS and SASL avoid using Evolution: It leaves a small +daemon running and not releaing SASL from memory (which might be causing +some of the frustrations about getting SASL to work). Run the command +`lsof | grep sasl` to make sure. + +------------ +Have a look here for an overview of interaction between the above agents +and daemons: +http://lists.samba.org/pipermail/linux/1999-September/003605.html -- cgit v1.2.3
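Review bot: In the Certificates.txt hunk, the "Hosts" section says a host certificate may live in /etc/ssl/certs/ "either with the key embedded or the key at the same place", but it documents no ownership or mode for such files, while the CA key is placed in /etc/ssl/private/. A PEM file that embeds a private key is a secret regardless of which directory it sits in, so the doc should state who may read key-bearing files in /etc/ssl/certs/ (or recommend keeping keys in /etc/ssl/private/ with only the certificate under /etc/ssl/certs/). Also, the two helper scripts are given as /usr/share/local/localmksslcerts and /usr/share/local/mycert, whereas Email.txt places local scripts under /usr/local/sbin/ and /usr/local/bin/; worth checking whether /usr/share/local is the intended path. Minor: "name closely to CN of organisation" should read "named closely after the CN of the organisation".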
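Review bot: In the Email.txt hunk, the /etc/c-client.cf recipe ("I accept the risk for IMAP toolkit 4.1." / "set disable-plaintext nil") re-enables plaintext IMAP/POP passwords globally, but the text does not say whether plaintext logins are then limited to StartTLS sessions, which the MTA section of the same file is working towards; the doc should state that, or at least say that this is a temporary measure and what the condition for removing the file is. Typos in the same hunk: "hile you are at it" should be "While you are at it", "ekstremely" is "extremely", "existense" is "existence", "releaing" is "releasing", "alot" is "a lot", and "heterogenous" is "heterogeneous". The sentence "dovecot just arrived as Debian package is a promising alternative" is missing a verb or relative pronoun ("dovecot, which just arrived as a Debian package, is ...").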