Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>
citadel.mdwn
Citadel FAQ, see admin section: http://citadel.org/doku.php?id=faq:start. Especially this item is important: http://citadel.org/doku.php/faq:installation:apacheproxy#how.can.i.install.webcit.so.it.runs.alongside.apache.nginx.lighthttpd.on.port.80.443
Various guides for installing Citadel, try to follow them in parallel. Maybe start by making a summary containing all the points, to make it easier to follow and help me write my own guide.
Also note times - more recent is probably more reliable.
- http://www.linuxjournal.com/article/9357
- http://www.ducky-pond.com/posts/2012/Jul/installing-citadel-on-rpi/
- https://library.linode.com/email/citadel/debian-6-squeeze
- http://linuxaria.com/howto/how-to-install-citadel-collaboration-suite-on-debian-7
- http://www.citadel.org/doku.php/installation:debian
Also, lighttpd seems to mostly use a forum rather than mailing list, but maybe if I register to the Redmine I can make e-mail updates work.
http://redmine.lighttpd.net/projects/lighttpd/boards/2
Translate WebCit to Hebrew: http://citadel.org/doku.php/documentation:customize_webcit#wordingtranslating
My Steps
I currently have exim4-light installed, because some packages require an SMTP server and exim is the default. I think Debian’s reportbug does. Maybe something else too. Anyway, installing Citadel uninstalls Exim.
In addition to IMAP and SMTP I’m going to need a way to insert all the mail from the various providers into my server. I’m going to use a lightweight Fetchmail alternative for this.
Let’s start.
1 WebCit access in lighttpd
Before I start, I’m going to assume WebCit, the web interface for Citadel users, will run locally on port 8081 and lighttpd will be a proxy for it. This allows it to be accessed on port 80 through lighttpd.
However, lighttpd’s mod_proxy cannot connect to SSL ports, which means that WebCit has to run on the same server lighttpd runs, or there will be no encryption. For now I run them on the same machine anyway, but WebCit will have its own subdomain. For now let’s assume it’s mail. Here’s the example from the lighttpd section in the FAQ linked above:
[[!format perl """
$HTTP["host"] =~ "(^|\.)subdomain\.domain\.tld$" { # domain name regex for vhost
    # Use $HTTP["host"] == "subdomain.domain.tld" { if you don't want to use a regex.
    proxy.server = ( "" => ( (
        # the "" means to forward all file extensions, it's kind of weird.
        # If you for some reason have multiple webcit hosts or local webcit processes,
        # you can make more ( "host" => "", "port" => "" ) entries in here.
        "host" => "127.0.0.1", # citadel is likely running locally, note that mod_proxy forces an IP here and you cannot use a hostname.
        "port" => "8081" # port webcit is running on
        # Note that you must put the plain HTTP version of webcit here, mod_proxy cannot connect to ssl ports.
        # If your server has SSL engine enabled, you'll be able to connect over ssl, but the proxy will not be connecting over ssl.
        # If webcit is running on another server (and not on the same LAN),
        # this defeats the purpose of connecting over ssl as it wouldn't be encrypted past lighttpd.
    ) ) )
}
"""]]
See lighttpd.conf for my final setup (includes requiring SSL and mod_proxy enabled using `lighty-enable-mod`, i.e. linked in `conf.d`).
Basically it works like this:
[[!format perl """
$HTTP["host"] =~ "^(mail\.partager\.null|mail\.partager\.i2p)$" {
    proxy.server = ( "" => ( (
        "host" => "127.0.0.1",
        "port" => "8081"
    ) ) )
}
"""]]
Now an I2P server tunnel can be created.
Now an SSL cert for the new domain is needed.
I think we’re ready for installation. I’m choosing a tutorial to follow.
Hostname
I have no idea whether this is needed or why. But I wrote ‘partager.null’ in /etc/hostname and ran `service hostname.sh start`. Don’t ask me what it does. I also edited /etc/hosts but I’m not sure it’s needed since regular DNS can be used for this. Anyway, the tutorial says so. Maybe Citadel uses it, who knows.
Installation: The tutorial’s command installs spam assassin and amavisd but:
- I need to read about spam fighting first
- I don’t need an anti virus, or at least I hope so
I’m starting with `apt-get install citadel-suite citadel-doc`.
It will ask questions. My answers:
- Listen address – 0.0.0.0
- Authentication method – Internal
- Citadel administrator username – Not admin, for security use an alternate username (I used janitor)
- Citadel Administrator Password – Something safe, usual rule to generate a safe password should be used
- Integration with Apache webservers – Internal, since we’ll use Lighttpd
- Webcit HTTP port – 80 if you are not running another web server, 8080 otherwise (I use 8081)
- Webcit HTTPS port – 443 if you are not running another web server, 4343 otherwise (I use 4343)
- Limit Webcit’s login language selection – User Defined (or just choose a language if your users are all from a specific language) (I made it user-defined, but there’s no Hebrew - maybe I should help translate)
You may see errors if you already have a Jabber server, because Citadel will want to use port 5222 which is already taken. In my case I have Prosody, so I’m going to disable Citadel’s Jabber server (at least for now). It can be done in WebCit under “Admin->System Preferences->Network”.
Now edit `/etc/default/webcit` and update the port numbers - for some reason they aren’t picked up from the debian configurator.
Edit /etc/mailname to contain the fqdn (mine is partager.null, but again I still don’t know when it is required - perhaps for auto-generated SSL cert or something).
Now we need to take care of SSL. Rename the /etc/ssl/citadel folder into citadel-orig or something, and we’ll make new cert and key with TinyCA. Looks like they need to be placed where the original ones were. Maybe there’s a config for that but we’ll see later. We need a key file and a cer file.
Note that the CN needs to be the fqdn, partager.null. It means yet another one with this CN which is very confusing, so I’ll use some pseudo-comment in one of the fields to make it clear this one is for citadel.
Now let’s customize the login banner in `/etc/citadel/messages/hello`. Original content is:

    Welcome to ^humannode!
    This logon banner resides in ^bbsdir/hello -- please customize it for your site.

Maybe those ^ things are some way to insert variables, e.g. humannode is the human readable name of the Citadel node. Just guessing though. Anyway I’m leaving the first line as is, just removing the second line.
Okay, time to restart Citadel to apply all the config we did:

    service citadel restart
    service webcit restart

Again the first one brings an error because of Prosody running. But now I should be able to go to WebCit and disable the Jabber component.
Now go to the WebCit webpage and login. You can either use localhost:8081 (or 4343) or the I2P tunnel. Using the clearnet with SSL is possible too of course, and is probably the best to do here, but I’m not sure about the subdomain name so the certificate validation will be broken. Let’s try anyway, to make sure it’s the only thing that doesn’t work. Oh wait, I can’t because I also need a DNS record for the subdomain… forget it, I’ll use I2P for now. Of course JS is still needed.
Problem: Both Midori and Epiphany fail to execute the login button JS. Trying Iceweasel too… oh, there it is. My first screenshot was incorrect. A popup is supposed to show up, like in the Linuxaria tutorial. I’m adding a task below to disable the login that uses OpenID, google, yahoo and aol. Disgusting. Maybe OpenID a bit less, but still centralized. I prefer to edit hardcoded HTML than let that stuff be there!
Strange, I can’t log in. It can’t find user ‘janitor’. Same error for ‘admin’. Did debconf read any settings I gave it, at all?
But wait. Before I re-run the configuration, let’s turn off Prosody and see if it helps.
Good news, another tutorial mentions the issue and explains how to solve it.
Great, problem solved with the Rpi tutorial. I managed to log in with WebCit.
Now disabling the Jabber. Hmmm can’t find it. Strange. How am I supposed to disable it then?
Oops, I missed it somehow. Here it is.
The full list of ports: http://citadel.org/doku.php/faq:favoriteclient:general_configuring. Right now I choose to open just these in the router:
- Port 25 for local delivery of mail from outside to my users
- Port 587 for users to send mail via StartTLS
- Port 995 for POP via SSL
- Port 143 for IMAP either unencrypted or StartTLS
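
A check for the port layout in these notes, added here as an example and not part of the original page: it reads `ss -ltn` style output and reports listeners reachable beyond loopback that are either WebCit's own ports (8081 and 4343, which only the local lighttpd proxy needs to reach) or not among the router-forwarded ports. Treating 80/443 as lighttpd's and the WebCit ports as loopback-only is an assumption of the example, as are the names `audit_listeners`, `PUBLIC_PORTS` and `BACKEND_PORTS`; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit listening TCP sockets against the layout in these notes.
# Input: lines in `ss -ltn` format (State Recv-Q Send-Q Local:Port Peer:Port).

# Reachable from outside: 25/587/995/143 are the router-forwarded ports;
# 80/443 belong to lighttpd (assumption: it is the only web front end).
PUBLIC_PORTS="25 80 143 443 587 995"
# WebCit's own HTTP/HTTPS listeners; only the local lighttpd proxy needs them.
BACKEND_PORTS="8081 4343"

audit_listeners() {
    awk -v pub="$PUBLIC_PORTS" -v back="$BACKEND_PORTS" '
    BEGIN {
        n = split(pub, a, " ");  for (i = 1; i <= n; i++) is_pub[a[i]] = 1
        n = split(back, b, " "); for (i = 1; i <= n; i++) is_back[b[i]] = 1
    }
    $1 == "LISTEN" {
        addr = $4
        port = addr; sub(/^.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)   # IPv6 keeps its brackets
        if (host ~ /^127\./ || host == "[::1]") next   # loopback only
        if (port in is_back)        print "BACKEND-EXPOSED " addr
        else if (!(port in is_pub)) print "UNEXPECTED " addr
    }'
}

# Constructed sample, not captured from the author's machine.
SAMPLE='LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:143 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8081 0.0.0.0:*
LISTEN 0 128 127.0.0.1:4343 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*'

printf '%s\n' "$SAMPLE" | audit_listeners
```

On a live host, run `ss -ltn | audit_listeners`; the header line is skipped because its first field is not `LISTEN`. Add a port such as Prosody's 5222 to `PUBLIC_PORTS` if it is meant to be reachable.
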
There’s an issue with the mailing lists: It looks like new users get their fresh email address instead of just subscribing to “rooms”. If there’s no way to change that, the only solution is to turn off Citadel’s mailing and make it just a BBS. Then I’ll need Exim and Dovecot. I need to decide how useful those rooms really are - while they do provide a forum-like UI, can’t the same be done with other software with more configurable UI and features?
Anyway, adding MX record. Also looks like I need PTR to bypass spam filters, but reg.for.free doesn’t offer it so I’m adding just to my own DNS. MX goes to both. Okay, done with that.
I checked the BBS again, looks like it could be nicer to have a hackable solution that integrates with mailing lists. But wait a second, it actually seems now that I just missed some features. Look:
If this is fully functional mailing lists, it’s okay. But I still want to try the following:
- Use Syndie forums, try them again - because it’s distributed
- See if I can make ikiwiki easy for users to use as a forum with mail notifications support and mail replies (e.g. write scripts to implement that)
- Read about forum and BBS software and mailing lists - e.g. looks like Sympa has integrated web view of the mailing list
By the way, WebCit also relies on JS which I don’t like. And the only other way is a console client most people won’t handle.
Now, last step - I need to feed my IMAP server with input from my existing mail accounts. A lightweight fetchmail alternative.
I chose and installed mpop when I found this, which is integrated into Citadel: http://www.citadel.org/doku.php/faq:favoriteclient:how_do_i_retrieve. It means Citadel can download mail with POP3 from other mailboxes and insert it into any room I choose - in particular the Mail room. Let’s try with fr33domlover at inventati.
I also added an RSS feed there - nice bonus since then I get the feeds remotely from anywhere.
POTENTIAL PROBLEM: I can’t find an option to control use of SSL/TLS for this thing. mpop can handle it, but what does Citadel do? Guess the port? I don’t like this. TODO. If I don’t find a solution, I’ll ask. If no good answer, I’ll use mpop instead (but can still use the RSS feature, it’s nice).
One more thing, I want to ask a question on Citadel’s own BBS - why not connect to them with my own Citadel? See how it’s done exactly and safely. I want to avoid making a new account and using my own local user+pass to post there.
Another issue, how do filtering rules work now? Can’t share them between clients. On the other hand I’d depend on WebCit’s JS for this… but fine. Another way is to keep them on single client (home). Just make sure it can properly edit the folder contents, and later other clients (work, mobile) get updated content. Procmail can’t be a global solution, at least not from commandline, unless mail users get SSH access to the server for editing their procmail config. Actually, there it is - WebCit lets you configure server side mail filtering. But if it can be done from Claws, it’s better.
Alias
[[DONE|TODO/CLOSED]] consider whether akrasner should be alias of fr33domlover or a separate account. If I use filtering into IMAP folders, I’ll either need to make it an alias or configure fr33domlover’s folders to be shared with akrasner - see if possible. DECISION: I’ll try to make them aliases. One account will receive the email and the other will be just for sending, i.e. configured with same password and with SMTP but without POP/IMAP at all (I can e.g. use POP and just leave the server empty and remove it from GetMail so it’s never used).
I don’t have any answers yet but I managed to connect with POP to mail new mailbox and the RSS aggregation works too. Unfortunately it’s very unconfigurable, e.g. I can’t choose how many messages to prefetch. But maybe it won’t matter. For now it just works.
In the mailing list config the URL for subscription is wrong in my case. The real one is http://mail.partager.i2p/listsub or the clearnet counterpart. This is what I should publish on the wiki.
TODO:
- Make the POP aggregation work with StartTLS or SSL by using mpop
- Make the mail alias work, i.e. SMTP with akrasner - check again if works now
- OUTGOING PORT 25 MAY BE FAILING - check it and maybe contact ISP to solve this