workparty2010q3

Differences

This shows you the differences between two versions of the page.

workparty2010q3 [2015/06/09 15:23] (current)
Line 1: Line 1:
 +====== Work Party 2010 Q3 (focus on e-mail subsystem) ======
 +
 +===== Goals: =====
 +
 +==== Offload spamassassin functionality ====
 +  * <del> Get Board approval </​del>​
 +  * <del> Sign OCLUG up with Roaring Penguin for Hosted CanIt </​del>​ Dave O'​Neill
 +
 +Other steps:
 +
 +  * Let Dave O'​Neill know what he should configure as the email address for this account (right now, it's him).  An alias for the tech people responsible for managing OCLUG'​s email would be preferable to a single address.
 +  * Someone responsible for email contacts Dave and he'll pass along the admin password for OCLUG'​s Hosted CanIt realm.
 +  * That person plays around with [[https://​antispam.roaringpenguin.com/​canit/​|the interface]] for a bit to see if they'​re comfortable with it.  (More info here on [[http://​www.roaringpenguin.com/​preparing-for-hosted-canit|how to set up our domain with Hosted CanIt]].)
 +  * Disable spam filtering and greylisting on Tux for email relayed via Hosted CanIt'​s MX machines.
 +  * Change MX records for oclug.on.ca and lists.oclug.on.ca to Hosted CanIt'​s server:\\
 +       ​oclug.on.ca. ​ 1d  IN  MX  10 oclug.on.ca.mf.canit.ca.\\
 +       ​oclug.on.ca. ​ 1d  IN  MX  20 oclug.on.ca.mg.canit.ca.\\\
 +\\\
 +       You should avoid publishing MX records that point directly to your back-end mail server; such records will permit spammers ​        to bypass Hosted CanIt completely.
 +  * Firewall off port 25 from the rest of the world.
 +  * Turn off SpamAssassin on Tux, and disable postgrey and other spam-filtering features.
 +
 +==== Optimize mailing lists ====
 +
 +  * Gather and **document** all mailing lists and e-mail addresses, such as Board, SysAdmins, etc.
 +  * Eliminate any unneeded lists
 +
 +==== Postgres ====
 +
 +  * close port on outside interface
 +     * It seems trac is using that interface. ​ I'm going to try to configure trac to use the localhost interface, then close the the outside interface for postgres. ​ --bjb  2010/08/06
 +     * Although postgres opens a port on the outside interface, it is configured to refuse every authentication via that interface. ​ Clearly trac isn't using the outside interface. ​ But why does trac access to the database fail when postgres is configured to stop listening on the outside interface? ​ --bjb 2010/08/06
 +     * DONE.  I turned off postgres listening to any network interface. ​ It does all its work by unix sockets. ​ dump.sh still works, trac still works, django still works. ​ Let me know if anything else is broken. ​ --bjb 2010/08/06
 +     * ah, probably broke sqledger ... I will ask mcr if it is so  --bjb 2010/08/06
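Review bot: The "Firewall off port 25 from the rest of the world" step in the "Other steps" list states no exception for Hosted CanIt's servers, although the earlier step expects Tux to keep accepting "email relayed via Hosted CanIt's MX machines"; taken literally it would also cut off delivery of the filtered mail. Suggest wording it as allowing port 25 on Tux only from Hosted CanIt's servers and dropping everything else, which is also what enforces the quoted warning about spammers bypassing Hosted CanIt. The MX step names both oclug.on.ca and lists.oclug.on.ca, but the records shown cover only oclug.on.ca, so the lists.oclug.on.ca records should be written out as well. In the Postgres section the last item ("probably broke sqledger") is left open beneath an entry marked DONE; record the outcome once it is confirmed.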
  
workparty2010q3.txt · Last modified: 2015/06/09 15:23 (external edit)