diff options
| -rw-r--r-- | docs/client/bundle-testing.md | 101 | ||||
| -rw-r--r-- | docs/client/en.md | 20 | ||||
| -rw-r--r-- | docs/client/known-issues.md | 30 | ||||
| -rw-r--r-- | docs/client/user-install.md | 28 | ||||
| -rw-r--r-- | docs/design/soledad.md | 2 | ||||
| -rw-r--r-- | docs/get-involved/communication.haml | 17 | ||||
| -rw-r--r-- | docs/get-involved/source.haml | 19 | ||||
| -rw-r--r-- | docs/platform/development.md | 7 | ||||
| -rw-r--r-- | docs/platform/guide.md | 42 | ||||
| -rw-r--r-- | docs/platform/known-issues.md | 11 | ||||
| -rw-r--r-- | docs/platform/quick-start.md | 35 | ||||
| -rw-r--r-- | docs/platform/troubleshooting.md | 79 | ||||
| -rw-r--r-- | docs/tech/hard-problems/en.md | 14 | ||||
| -rw-r--r-- | menu.txt | 2 |
14 files changed, 336 insertions, 71 deletions
diff --git a/docs/client/bundle-testing.md b/docs/client/bundle-testing.md new file mode 100644 index 0000000..69e01b9 --- /dev/null +++ b/docs/client/bundle-testing.md @@ -0,0 +1,101 @@ +@nav_title = "Bundle QA" +@title = "Guidelines for bundle QA" + +Recommended setup +----------------- + +VirtualBox (or similar) with virtual machines installed for supported OSs + +For each system that you are going to test, you should do: + +- Install the VM +- Restart the VM and check that the process is finished. +- Turn it off and make a snapshot named 'fresh install' or similar. + +The OS should be installed with the default settings and no extra packages. However, you can choose your language, username, timezone, etc + + +Test process +------------ + +- roll back the virtual machine to its *fresh install* state, to make sure that you're testing against a reproducible environment. +- download the bundle, verify signature (if apply), extract and run the app +- test the application (see next section) + + +Tests to do +----------- + +- **check if the version number is the same as the current bundle version** + - 'Help->About Bitmask' + - `./bitmask --version` +- **correct installation of files to 'better protect privacy'** + - `/etc/leap/resolv-update` + - `/usr/share/polkit-1/actions/net.openvpn.gui.leap.policy` + + You should check that they get copied when the user says 'yes' and they don't get copied if the user says 'no'. +- **installation of tun/tap in Windows and MAC** + TODO: explain more here + +- **account creation** + + Recommended username template: test_bundleversion_os_arch, that way you avoid conflicts between test iterations. + e.g.: 'test_036_debian7_64', 'test_036_win7_32', etc + + If you need to create extra users in order to test a bug or whatever, you can use 'test_036_ubuntu1204_32a', 'test_036_ubuntu1204_32b', etc + + In case of being a lot of users testing a version you may want to use your username instead of test, e.g.: 'johndoe_036_ubuntu1204_32'. +- **eip connection** + + You can check if the vpn is working entering to the site: http://wtfismyip.com + + or using the console: + `shell> wget -qO- wtfismyip.com/json` +- **Soledad key generation** +- **Thunderbird configuration manually and using add-on** +- **Send and receive mail** + + You need to test communication between inside and outside users, e.g.: someuser@bitmask.net and otheruser@gmail.com + + A good thing to do is to subscribe to a mailing list that have a lot of activity. + +- **Check if the account data is correctly synced.** + + After the account creation, have everything working and the app closed: + - remove the configuration files created by the app (`~/.config/leap` in linux) + - log in with your recently created credentials and check that everything is working and your mails are there too. + + +Problems report +--------------- + +You should to create an issue with the followinw information: + +- OS, version, architecture, desktop environment (if relevant). +- bitmask.log file located in the root folder of the uncompressed bundle +- steps to reproduce + +If you find a problem, try to reproduce and take note of the steps needed to get the same error. + +Also, in some cases, a failure appears but if you run again is not there anymore (e.g.: some initialization issue), please report that too. + +For more details look at [Reporting bugs](client/testers-howto) section. + + +Utils +----- + +Download, extract and run helper script for linux: + + shell> ./download-extract-run-bitmask.sh + +Script contents: + + #!/bin/bash + HOST="https://downloads.leap.se/client/linux/" + VERSION="0.3.7" + # FOLDER="Bitmask-linux32-${VERSION}" + FOLDER="Bitmask-linux64-${VERSION}" + FILE="${FOLDER}.tar.bz2" + + wget ${HOST}${FILE} && tar xjf ${FILE} && cd ${FOLDER} && ./bitmask diff --git a/docs/client/en.md b/docs/client/en.md index 3bfe3f1..0436ec2 100644 --- a/docs/client/en.md +++ b/docs/client/en.md @@ -19,7 +19,7 @@ User Guide ---------- * [Installing Bitmask](client/user-install) * [Running Bitmask](client/user-running) - + Tester Guide ------------ @@ -27,7 +27,7 @@ This part of the documentation details how to fetch the last development version and how to report bugs. * [Howto for testers](client/testers-howto) - + Hackers Guide ------------- @@ -35,9 +35,23 @@ If you want to contribute to the project, we wrote this for you. * [Setting up a development environment](client/dev-environment) - + <!-- * [Running latest code](client/bleeding-edge) * [Getting started with development](client/dev-guide) * [Configuration](client/configuration) * [Client API](client/client-api) --> + + +Supported OSs +------------- + +Currently supported OSs (32 and 64 bits) are: + +* Debian 7 (32bits lxde and 64 bits gnome3) +* Ubuntu 12.04 (LTS, unity) +* Ubuntu 13.10 (latest, unity) +* Mac OSX >= 10.8 +* Windows 7 (32 bits only) +* Windows 8 (planned) + diff --git a/docs/client/known-issues.md b/docs/client/known-issues.md new file mode 100644 index 0000000..04b8070 --- /dev/null +++ b/docs/client/known-issues.md @@ -0,0 +1,30 @@ +@title = 'Bitmask known issues' +@nav_title = 'Known issues' +@summary = 'Known issues in Bitmask.' +@toc = true + +Here you can find documentation about known issues and potential work-arounds in the current Leap Platform release. + +0.5 +=== + +In this release the following issues are known, work-arounds are noted when available. + +General Issues +-------------- + +- If you have received a big ammount of mails (tested with more than 400), you may experience that Thunderbird won't respond. + +That problem does not happen if you have the client open and Thunderbird loading mails while are reaching your inbox. + +- You may get the error: "Unable to connect: Problem with provider" in situations when the problem is the network instead of the provider. (see: https://leap.se/code/issues/4023) + +- Opening the same account from more than one box at the same time will possibly break your account. + +- Managing a huge ammount of mails (e.g.: moving mails to a folder) will block the UI (see https://leap.se/code/issues/4837) + +Special Environments +-------------------- + +- You may experience problems related to an Unavailable polkit agent in gnome3. (see https://leap.se/code/issues/4144) + diff --git a/docs/client/user-install.md b/docs/client/user-install.md index 77e9b1a..e29d63e 100644 --- a/docs/client/user-install.md +++ b/docs/client/user-install.md @@ -47,15 +47,8 @@ For the signature verification you can use : Asuming that you downloaded the linux 64 bits bundle. -Debian package --------------- - -> **warning** -> -> The debian package that you can currently find in the leap -> repositories is from the stable, 0.2.0 release, which is now outdated. -> You are encouraged to install the development version or the -> standalone bundles while we upload the newest packages. +Debian / Ubuntu packages +------------------------ First, you need to bootstrap your apt-key: @@ -64,9 +57,11 @@ First, you need to bootstrap your apt-key: # gpg --list-sigs 0x485B12FA218E81EB # gpg -a --export 0x1E34A1828E207901 | sudo apt-key add - -Add the archive to your sources.list: +Add the archive to your sources.list, replace <suite> below with your Debian or +Ubuntu suite, which you can find by typing 'lsb_release -c' in a terminal. +Currently the following are available: sid, jessie, trusty, saucy, raring, quantal - # echo "deb http://deb.leap.se/debian unstable main" >> /etc/apt/sources.list + # echo "deb http://deb.leap.se/debian <suite> main" >> /etc/apt/sources.list # apt-get update # apt-get install leap-keyring @@ -105,10 +100,15 @@ Or from the github mirror : $ git clone https://github.com/leapcode/bitmask_client.git Once you have grabbed a copy of the sources, and installed all the base -dependencies, you can install it into your site-packages easily : +dependencies, the recommended way to proceed is to install things in a virtualenv. + + $ virtualenv bitmask && source bitmask/bin/activate + $ make # compile the resources + $ python2 setup.py install + +Or you can install it into your global site-packages easily : $ make # compile the resources $ sudo python2 setup.py install -Although, like always, it is a better idea to install things in a -virtualenv. +WARNING: installing a package in the global site-packages can be harmful because the dependency installation can overwrite some of the existing packages. diff --git a/docs/design/soledad.md b/docs/design/soledad.md index f119020..1e83541 100644 --- a/docs/design/soledad.md +++ b/docs/design/soledad.md @@ -60,6 +60,8 @@ Related software [U1DB](http://pythonhosted.org/u1db/) - Similar API as Soledad, without encryption. +[Firefox Sync](https://wiki.mozilla.org/Services/Sync) - A client-encrypted data sync from Mozilla, designed to securely synchronize bookmarks and other browser settings. + Soledad protocol =================================== diff --git a/docs/get-involved/communication.haml b/docs/get-involved/communication.haml index 9af874b..b2e0ac7 100644 --- a/docs/get-involved/communication.haml +++ b/docs/get-involved/communication.haml @@ -8,7 +8,15 @@ %p Probably the fastest and most reliable way to contact anyone involved with LEAP. Don't despair if you don't get a reply right away, we are all in different time zones and we all are able to read the scrollback history, so someone will reply eventually. .well - \#leap-dev on irc.freenode.net + %p + %code #leap on irc.freednode.net + %br/ + General discussion and anything related to LEAP. + + %p + %code #leap-dev on irc.freenode.net + %br/ + Topics related to coding, bugs, and development issues. %h3 Mailing lists @@ -18,3 +26,10 @@ %ul %li To subscribe, send mail to <code>discuss-subscribe@leap.se</code> %li To unsubscribe, send mail to <code>discuss-unsubscribe@leap.se</code> + +%h3 Email + +To contact someone from LEAP, you can send an email to: + +.well + info@leap.se diff --git a/docs/get-involved/source.haml b/docs/get-involved/source.haml index 66b9dbe..fa4e39d 100644 --- a/docs/get-involved/source.haml +++ b/docs/get-involved/source.haml @@ -14,12 +14,13 @@ %td bitmask_client %td The Bitmask desktop client application, supporting encrypted internet proxy, secure email, and secure chat (coming soon). The client is written in Python, runs on Linux, Mac, and Windows, and is licensed under the GPLv3. %td - =# link 'https://leap.se/git/bitmask_client' + = link 'https://leap.se/git/bitmask_client.git' = link 'https://github.com/leapcode/bitmask_client' %tr %td bitmask_android %td Android version of the Bitmask client, supporting encrypted internet proxy. Future development will include support for secure email. Licensed under the GPLv3. %td + = link 'https://leap.se/git/bitmask_android.git' = link 'https://github.com/leapcode/bitmask_android' %h3 Service provider platform @@ -29,27 +30,28 @@ %td leap_platform %td Server automation recipes for running secure communication services via the LEAP Platform. Written mostly using puppet, and licensed under the GPLv3. %td - = link 'https://leap.se/git/leap_platform' + = link 'https://leap.se/git/leap_platform.git' = link 'https://github.com/leapcode/leap_platform' %tr %td leap_cli %td Command line interface for managing a service provider running the LEAP platform. Written in Ruby and released under the GPLv3. %td - = link 'https://leap.se/git/leap_cli' + = link 'https://leap.se/git/leap_cli.git' = link 'https://github.com/leapcode/leap_cli' %tr %td soledad %td Soledad (Synchronization of Locally Encrypted Data Among Devices) provides a synchronized, client-encrypted document database. Written in Python. %td + = link 'https://leap.se/git/soledad.git' = link 'https://github.com/leapcode/soledad' %tr %td nickserver %td Nickserver is a daemon supporting nicknym, a protocol to map user nicknames to public keys. Written in Ruby, released under the GPLv3. %td - = link 'https://leap.se/git/nickserver' + = link 'https://leap.se/git/nickserver.git' = link 'https://github.com/leapcode/nickserver' @@ -60,25 +62,26 @@ %td leap_web %td Web application for the LEAP platform, providing user management, tickets, billing, and REST API. %td - = link 'https://leap.se/git/leap_web' + = link 'https://leap.se/git/leap_web.git' = link 'https://github.com/leapcode/leap_web' %tr %td leap_website %td This website %td - = link 'https://leap.se/git/leap_website' + = link 'https://leap.se/git/leap_website.git' %tr %td leap_doc %td LEAP Documentation (everything under leap.se/docs including this page) - %td= link 'https://leap.se/git/leap_doc' + %td= link 'https://leap.se/git/leap_doc.git' %tr %td srp_js %td Secure Remote Password (SRP) library for Javascript. %td - = link 'https://leap.se/git/srp_js' + = link 'https://leap.se/git/srp_js.git' = link 'https://github.com/leapcode/srp_js' %tr %td ruby_srp %td Secure Remote Password (SRP) library for Ruby. %td + = link 'https://leap.se/git/ruby_srp.git' = link 'https://github.com/leapcode/ruby_srp'
\ No newline at end of file diff --git a/docs/platform/development.md b/docs/platform/development.md index 264c647..386b703 100644 --- a/docs/platform/development.md +++ b/docs/platform/development.md @@ -154,10 +154,11 @@ You can connect to your local nodes just like you do with normal LEAP nodes, by However, if you cannot connect to your local node, because the networking is not setup properly, or you have deployed a firewall that locks you out, you may need to access the graphical console. -In order to do that, you will need to configure Vagrant to launch a graphical console and then you can login as root there to diagnose the networking problem. To do this, add the following to you -$HOME/.leaprc: +In order to do that, you will need to configure Vagrant to launch a graphical console and then you can login as root there to diagnose the networking problem. To do this, add the following to your $HOME/.leaprc: - @custom_vagrant_vm_line = 'config.vm.boot_mode = :gui' + @custom_vagrant_vm_line = 'config.vm.provider "virtualbox" do |v| + v.gui = true + end' and then start, or restart, your local Vagrant node. You should get a VirtualBox graphical interface presented to you showing you the bootup and eventually the login. diff --git a/docs/platform/guide.md b/docs/platform/guide.md index 52c3b2f..99147a8 100644 --- a/docs/platform/guide.md +++ b/docs/platform/guide.md @@ -1,7 +1,7 @@ @title = "LEAP Platform Guide" @nav_title = "Guide" -Services +Node types ================================ Every node has one or more services that determines the node's function within your provider's infrastructure. @@ -24,6 +24,27 @@ Brief overview of the services: * **tor**: Sets up a tor exit node, unconnected to any other service. * **dns**: Not yet implemented. +webapp +----------------------------------- + +The webapp node is responsible for both the user face web application and the API that the client interacts with. + +Some users can be "admins" with special powers to answer tickets and close accounts. To make an account into an administrator, you need to configure the `webapp.admins` property with an array of user names. + +For example, to make users `alice` and `bob` into admins, create a file `services/webapp.json` with the following content: + + { + "webapp": { + "admins": ["bob", "alice"] + } + } + +And then redeploy to all webapp nodes: + + leap deploy webapp + +By putting this in `services/webapp.json`, you will ensure that all webapp nodes inherit the value for `webapp.admins`. + Locations ================================ @@ -264,3 +285,22 @@ There are a few cases when we must gather internal data from a node before we ca Run `leap help facts update` for more information. The file `facts.json` should be committed to source control. You might not have a `facts.json` if one is not required for your provider. + +Disabling Nodes +===================================== + +There are two ways to temporarily disable a node: + +**Option 1: enabled == false** + +If a node has a property `enabled` set to false, then the `leap` command will skip over the node and pretend that it does not exist. For example: + + { + "ip_address": "1.1.1.1", + "services": ["openvpn"], + "enabled": false + } + +**Options 2: no-deploy** + +If the file `/etc/leap/no-deploy` exists on a node, then when you run the commmand `leap deploy` it will halt and prevent a deploy from going through (if the node was going to be included in the deploy). diff --git a/docs/platform/known-issues.md b/docs/platform/known-issues.md index 90515e3..46a77de 100644 --- a/docs/platform/known-issues.md +++ b/docs/platform/known-issues.md @@ -5,6 +5,15 @@ Here you can find documentation about known issues and potential work-arounds in the current Leap Platform release. +0.5.0rc1 +======== + +Service separation +------------------ + +. You can't deploy all services to one single node. You need at least to seperate the mx and the webapp node. The reason is because they both use haproxy to query the couch db, and haproxy still doesn't have a way to split up its config files in a .d directory (see: https://leap.se/code/issues/3839) + + 0.2.2 ===== @@ -56,8 +65,6 @@ Deploying . When running a deploy at a verbosity level of 2 and above, you will notice puppet deprecation warnings, these are known and we are working on fixing them -. Currently, the Webapp node needs to be deployed *after* the couchdb node (see https://leap.se/code/issues/3599) - Special Environments -------------------- diff --git a/docs/platform/quick-start.md b/docs/platform/quick-start.md index 3b5f33c..3171674 100644 --- a/docs/platform/quick-start.md +++ b/docs/platform/quick-start.md @@ -74,9 +74,9 @@ NOTE: leap_cli should work with ruby1.8, but has only been tested using ruby1.9. Install the LEAP command-line utility ---------------------- +------------------------------------------------- -<!--Install the `leap` command as a gem: +Install the `leap` command from rubygems.org: $ sudo gem install leap_cli @@ -85,38 +85,27 @@ Alternately, you can install `leap` from source: $ git clone https://leap.se/git/leap_cli $ cd leap_cli $ rake build ---> - -Install `leap` command from source: - - $ git clone https://leap.se/git/leap_cli - $ cd leap_cli - $ rake build - -Then, install as root user (recommended): - $ sudo rake install -Or, install as unprivileged user: +You can also install from source as an unprivileged user, if you want. For example, instead of `sudo rake install` you can do something like this: $ rake install # watch out for the directory leap is installed to, then i.e. $ sudo ln -s ~/.gem/ruby/1.9.1/bin/leap /usr/local/bin/leap -With both methods, you can use now /usr/local/bin/leap, which in most cases will be in your $PATH. +With either `rake install` or `sudo rake install`, you can use now /usr/local/bin/leap, which in most cases will be in your $PATH. -If you have successfully installed the LEAP cli, then you should be able to do the following: +If you have successfully installed the `leap` command, then you should be able to do the following: $ leap --help -and be presented with the command-line help options. If you receive an error when doing this, please read through the README.md in the LEAP cli source to try and resolve any problems before going forwards. - +This will list the command-line help options. If you receive an error when doing this, please read through the README.md in the `leap_cli` source to try and resolve any problems before going forwards. Check out the platform ----------------------- +-------------------------- The LEAP Platform is a series of puppet recipes and modules that will be used to configure your provider. You will need a local copy of the platform that will be used to setup your nodes and manage your services. To begin with, you will not need to modify the LEAP Platform. -Until we have a up to date stable release we recommend using the `develop` branch of the platform for all features of LEAP. +Until we have a up to date stable release we recommend using the `develop` branch of the platform for all features of LEAP. First we'll create a directory for LEAP things, and then we'll check out the platform code and initalize the modules: @@ -138,12 +127,12 @@ A provider instance is a directory tree, usually stored in git, that contains ev Bootstrap the provider ----------------------- -Now, we will initialize this directory to make it a provider instance. Your provider instance will need to know where it can find the local copy of the git repository leap_platform, which we setup in the previous step. +Now, we will initialize this directory to make it a provider instance. Your provider instance will need to know where it can find the local copy of the git repository leap_platform, which we setup in the previous step. $ cd ~/leap/example $ leap new . -NOTES: +NOTES: . make sure you include that trailing dot! The `leap new` command will ask you for several required values: @@ -288,7 +277,7 @@ Note that currently, nodes must be deployed in a certain order. The underlying c $ leap deploy couch1 -Watch the output for any errors (in red), if everything worked fine, you should now have your first running node. If you do have errors, try doing the deploy again. +Watch the output for any errors (in red), if everything worked fine, you should now have your first running node. If you do have errors, try doing the deploy again. However, to deploy our three-node openvpn setup, we need the database and LEAP web application requires a database to run, so let's deploy to the couchdb and openvpn nodes: @@ -319,7 +308,7 @@ You can run `leap -v2 deploy` to see exactly what commands are being executed. Test that things worked correctly ================================= -You should now have three machines with the LEAP platform deployed to them, one for the web application, one for the database and one for the OpenVPN gateway. +You should now have three machines with the LEAP platform deployed to them, one for the web application, one for the database and one for the OpenVPN gateway. Access the web application diff --git a/docs/platform/troubleshooting.md b/docs/platform/troubleshooting.md index 61149a0..1d1234b 100644 --- a/docs/platform/troubleshooting.md +++ b/docs/platform/troubleshooting.md @@ -8,8 +8,8 @@ General * Please increase verbosity when debugging / filing issues in our issue tracker. You can do this with adding i.e. `-v 5` after the `leap` cmd, i.e. `leap -v 2 deploy`. -Webapp node -=========== +Webapp +====== Places to look for errors ------------------------- @@ -27,12 +27,17 @@ Is haproxy ok ? Is couchdb accessible through stunnel ? --------------------------------------- +* Depending on how many couch nodes you have, increase the port for every test + (see /etc/haproxy/haproxy.cfg for the server/port mapping): + curl -s -X GET "http://127.0.0.1:4000" + curl -s -X GET "http://127.0.0.1:4001" + ... -Check couchdb acl ------------------ +Check couchdb acl as admin +-------------------------- mkdir /etc/couchdb cat /srv/leap/webapp/config/couchdb.yml.admin # see username and password @@ -41,6 +46,17 @@ Check couchdb acl curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096" curl -s --netrc-file /etc/couchdb/couchdb-admin.netrc -X GET "http://127.0.0.1:4096/_all_dbs" + +Check couchdb acl as unpriviledged user +--------------------------------------- + + cat /srv/leap/webapp/config/couchdb.yml # see username and password + echo "machine 127.0.0.1 login webapp password <PASSWORD>" > /etc/couchdb/couchdb-webapp.netrc + chmod 600 /etc/couchdb/couchdb-webapp.netrc + + curl -s --netrc-file /etc/couchdb/couchdb-webapp.netrc -X GET "http://127.0.0.1:4096" + curl -s --netrc-file /etc/couchdb/couchdb-webapp.netrc -X GET "http://127.0.0.1:4096/_all_dbs" + Check client config files ------------------------- @@ -51,8 +67,14 @@ Check client config files https://example.net/1/config/eip-service.json -Couchdb node -============ +Soledad +======= + + /var/log/soledad.log + + +Couchdb +======= Places to look for errors ------------------------- @@ -67,14 +89,17 @@ Bigcouch membership * All nodes configured for the provider should appear here: - +<pre> curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET 'http://127.0.0.1:5986/nodes/_all_docs' +</pre> * All configured nodes should show up under "cluster_nodes", and the ones online and communicating with each other should appear under "all_nodes". This example output shows the configured cluster nodes `couch1.bitmask.net` and `couch2.bitmask.net`, but `couch2.bitmask.net` is currently not accessible from `couch1.bitmask.net` +<pre> curl -s --netrc-file /etc/couchdb/couchdb.netrc 'http://127.0.0.1:5984/_membership' {"all_nodes":["bigcouch@couch1.bitmask.net"],"cluster_nodes":["bigcouch@couch1.bitmask.net","bigcouch@couch2.bitmask.net"]} +</pre> * Sometimes a `/etc/init.d/bigcouch restart` on all nodes is needed, to register new nodes @@ -83,9 +108,11 @@ Databases * Following output shows all neccessary DBs that should be present. Note that the `user-0123456....` DBs are the data stores for a particular user. - +<pre> curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET 'http://127.0.0.1:5984/_all_dbs' ["customers","identities","sessions","shared","tickets","tokens","user-0","user-9d34680b01074c75c2ec58c7321f540c","user-9d34680b01074c75c2ec58c7325fb7ff","users"] +</pre> + @@ -95,12 +122,14 @@ Design Documents * Is User `_design doc` available ? +<pre> curl -s --netrc-file /etc/couchdb/couchdb.netrc -X GET "http://127.0.0.1:5984/users/_design/User" +</pre> -MX node -======= +MX +== Places to look for errors ------------------------- @@ -116,15 +145,18 @@ Query leap-mx * for useraccount +<pre> postmap -v -q "joe@dev.bitmask.net" tcp:localhost:2244 ... postmap: dict_tcp_lookup: send: get jow@dev.bitmask.net postmap: dict_tcp_lookup: recv: 200 ... +</pre> * for mailalias +<pre> postmap -v -q "joe@dev.bitmask.net" tcp:localhost:4242 ... postmap: dict_tcp_lookup: send: get joe@dev.bitmask.net @@ -132,7 +164,23 @@ Query leap-mx postmap: dict_tcp_lookup: found: f01bc1c70de7d7d80bc1ad77d987e73a f01bc1c70de7d7d80bc1ad77d987e73a ... +</pre> + + +Check couchdb acl as unpriviledged user +--------------------------------------- + + + cat /etc/leap/mx.conf # see username and password + echo "machine 127.0.0.1 login leap_mx password <PASSWORD>" > /etc/couchdb/couchdb-leap_mx.netrc + chmod 600 /etc/couchdb/couchdb-leap_mx.netrc + + curl -s --netrc-file /etc/couchdb/couchdb-leap_mx.netrc -X GET "http://127.0.0.1:4096/_all_dbs" # pick one "user-<hash>" db + curl -s --netrc-file /etc/couchdb/couchdb-leap_mx.netrc -X GET "http://127.0.0.1:4096/user-de9c77a3d7efbc779c6c20da88e8fb9c" + + +* you may check multiple times, cause 127.0.0.1:4096 is haproxy load-balancing the different couchdb nodes Mailspool @@ -142,13 +190,16 @@ Mailspool +<pre> ls -la /var/mail/vmail/Maildir/cur/ +</pre> * Any mails in postfix mailspool longer than a few seconds ? - - +<pre> mailq +</pre> + Testing mail delivery @@ -159,8 +210,8 @@ Testing mail delivery swaks -f alice@example.org -t bob@example.net -s mx1.example.net --port 587 --tls -VPN node -======== +VPN +=== Places to look for errors ------------------------- diff --git a/docs/tech/hard-problems/en.md b/docs/tech/hard-problems/en.md index d8a748e..635ae16 100644 --- a/docs/tech/hard-problems/en.md +++ b/docs/tech/hard-problems/en.md @@ -30,6 +30,8 @@ The problem: If proper key validation is a precondition for secure communication, but it is too difficult for most users, what hope do we have? We have developed a unique federated system called [Nicknym](/nicknym) that automatically discovers and validates public keys allowing the user to take advantage of public key cryptography without knowing anything about keys or signatures. +The standard protocol that exists today to solve this problem is [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities). DANE might be the better option in the long run, but currently DANE is complex to set up, complex for clients to consume, leaks association information to a network observer, and relies on trusting the DNS root zone and TLD zones. + ### Meta-data problem The problem: @@ -66,7 +68,7 @@ In the short term, we are layering forward secret transport for email and chat r This approach is potentially effective against external network observers, but does not achieve forward secrecy from the service providers themselves. -In the long term, we plan to work with other groups to create new encryption protocol standards that can be both asynchronous and forward secret. : +In the long term, we plan to work with other groups to create new encryption protocol standards that can be both asynchronous and forward secret: * [Forward Secrecy Extensions for OpenPGP](http://tools.ietf.org/html/draft-brown-pgp-pfs-03) * [Triple elliptical curve Diffie-Hellman handshake](https://whispersystems.org/blog/simplifying-otr-deniability/) @@ -81,6 +83,8 @@ We have a lot of ideas, but we don't have any solutions yet to fix this. Essenti Most of the interesting work in this area has been done by companies working on secure file backup/sync/sharing, such as Wuala and Spideroak. Unfortunately, there are not yet any good open protocols or free software packages that can handle group cryptography. +At the moment, probably the best approach is the simple approach: a protocol where the client encrypts each message to each recipient individually, and has some mechanism to verify the transcript to ensure that all parties received the same messages. + There is some free software work on some of interesting building blocks that could be useful in building group cryptography. For example: * [Proxy re-encryption](https://en.wikipedia.org/wiki/Proxy_re-encryption): This allows the server to re-encrypt to new recipients without gaining access to the cleartext. The [SELS mailing list manager](http://sels.ncsa.illinois.edu/) uses OpenPGP to implement a [clever scheme for proxy re-encryption](http://spar.isi.jhu.edu/~mgreen/proxy.pdf). @@ -104,10 +108,16 @@ The problem: > People want to smoothly switch devices, and restore their data if they lose a device, but this very difficult to do securely. -Users today demand the ability to access their data on multiple devices and to have piece of mind that there data will not be lost forever if they lose a device. In the free software world, only Firefox has addressed this problem adequately and in a secure way (with Firefox Sync). +Users today demand the ability to access their data on multiple devices and to have piece of mind that their data will not be lost forever if they lose a device. In the free software world, only Firefox has addressed this problem adequately and in a secure way (with Firefox Sync). At LEAP, we have worked to solve the availability problem with a system we call [Soledad](/soledad) (for Synchronization of Locally Encrypted Documents Among Devices). Soledad gives the client application an encrypted, synchronized, searchable document database. All data is client encrypted, both when it is stored on the local device and synced with the cloud. As far as we know, there is nothing else like it, either in the free software or commercial world. +Soledad tries to solve the problem of general data availability, but other initiatives have tried to tackle the more narrow problem of availability of private keys and discovered public keys. These initiatives include: + +* Ben Laurie's [proposed protocol for storing secrets in the cloud](http://www.links.org/files/nigori/nigori-protocol-01.html) +* Experimental [code for similar cloud storage of keys](https://github.com/mettle/nilcat) +* Phillip Hallam-Baker's [thoughts along similar lines](http://tools.ietf.org/html/draft-hallambaker-prismproof-key-00) + ### Update problem The problem: @@ -27,4 +27,6 @@ docs user-install user-running testers-howto + bundle-testing dev-environment + known-issues |