diff options
-rw-r--r-- | best_practices.mdwn | 40 |
1 files changed, 24 insertions, 16 deletions
diff --git a/best_practices.mdwn b/best_practices.mdwn index ae85b14..6afd701 100644 --- a/best_practices.mdwn +++ b/best_practices.mdwn @@ -6,34 +6,34 @@ Translations: [[Castellano|best practices_es]] Obviously, every security/privacy level requires that you keep your software up to date to the current knowledge of security issues. -## Mail - -### Exim +## Mail with Exim -#### Level 1 +### Level 1 … -#### Level 2 +### Level 2 [StartTLS-exim](http://aland.burngreave.net/archives/2009/12/30/index.html#e2009-12-30T16_26_49.txt) tls is required with other compliant servers’, certs verified with fingerprint -### Postfix +## Mail with Postfix -#### Level 1 +### Level 1 -##### If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. +#### If the server adds the IP address of a user sending a mail through its service anywhere in the email, the user is informed about this. Not a matter of server configuration: you should use your communication channels to pass this information to your existing users (e.g. newsletter, announcement mailing list). New users should be informed as part of the account signup process. You may additionally explain this on your website. -##### The connections between the user and the server are always encrypted. +#### The connections between the user and the server are always encrypted. * Server Side: [Configure Postfix to use X.509 certificate](http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml) retrieved on Apr 3 2013 * Client side: Kindly ask your provider for documentation :) -##### Use (Start)TLS to exchange mails with other servers whenever available +#### Use (Start)TLS to exchange mails with other servers whenever available + +* This is called *opportunistic* encryption. -## The server must have its own X.509 certificate signed by one of a given set of certificate authorities. +#### The server must have its own X.509 certificate signed by one of a given set of certificate authorities. There are many problems with the X.509 ecosystem, partly explained here: http://lair.fifthhorseman.net/~dkg/tls-centralization/ @@ -54,9 +54,11 @@ d. Monkeysphere: You can use openPGP keys (certifications) to authenticate servi * [IPs in headers]( https://we.riseup.net/debian/mail#postfix ) #### TLS is required with other level 2 compliant servers. Certificates are verified with fingerprint. + An equivalent solution is to implement an IPsec link between relevant collectives which makes it unnecessary to use TLS. In order to implement this, you need to know the up-to-date fingerprints of the certificates of the groups that you plan to cooperate with in this way. There are many ways to do this, but it depends too much on social and technical context so we will not detail them here, only state that it is a requirement. Pinning those fingerprints and updating them when changed can be a hassle (unless an automated and secure protocol and implementation for this purpose becomes available). -[Postfix TLS README](http://www.postfix.org/TLS_README.html ) + +* [Postfix TLS README](http://www.postfix.org/TLS_README.html ) ### Level 3 @@ -69,16 +71,22 @@ Client: [torbirdy](https://trac.torproject.org/projects/tor/wiki/torbirdy) is a ### Level 1 * User data that is not publicly accessible is stored encrypted, using a strong passphrase. See best practices documents for details. This includes mails, databases, list archives, restricted websites and others. + In GNU/Linux, cryptsetup: -* How to set up an encrypted filesystem in several easy steps? http://www.debian-administration.org/articles/469 -* Setting up an encrypted Debian system http://madduck.net/docs/cryptdisk/ + +* [How to set up an encrypted filesystem in several easy steps?](http://www.debian-administration.org/articles/469) +* [Setting up an encrypted Debian system](http://madduck.net/docs/cryptdisk/) ### Level 2 -* Swap is stored encrypted. +#### Swap is stored encrypted. + For this you can use said cryptsetup too. -* The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details. + +#### The operating system and its configuration is stored encrypted with a strong passphrase. See best practices documents for details. + Today you can use many OS installers that achieve this: Ubuntu alternative text installer? + Don't rely on hard drives that promote encryption on the disklayer, they are often not properly implemented or come with backdoors for example ### Level 3 |