Rel4tion-Wiki/maint/admin/citadel.mdwn

Citadel FAQ, see admin section: <http://citadel.org/doku.php?id=faq:start>.
Especially this item is important: <http://citadel.org/doku.php/faq:installation:apacheproxy#how.can.i.install.webcit.so.it.runs.alongside.apache.nginx.lighthttpd.on.port.80.443>

Various guides for installing Citadel, try to follow them in parallel. Maybe
start by making a summary containing all the points, to make it easier to follow
and help me write my own guide.

Also note times - more recent is probably more reliable.

- <http://www.linuxjournal.com/article/9357>
- <http://www.ducky-pond.com/posts/2012/Jul/installing-citadel-on-rpi/>
- <https://library.linode.com/email/citadel/debian-6-squeeze>
- <http://linuxaria.com/howto/how-to-install-citadel-collaboration-suite-on-debian-7>
- <http://www.citadel.org/doku.php/installation:debian>

Also, lighttpd seems to mostly use a forum rather than mailing list, but maybe
if I register to the Redmine I can make e-mail updates work.

<http://redmine.lighttpd.net/projects/lighttpd/boards/2>

Translate WebCit to Hebrew: <http://citadel.org/doku.php/documentation:customize_webcit#wordingtranslating>

# My Steps

I currently have exim4-light installed, because some packages require an SMTP
server and exim is the default. I think Debian's reportbug does. Maybe something
else too. Anyway, installing Citadel uninstalls Exim.

In addition to IMAP and SMTP I'm going to need a way to insert all the mail from
the various providers into my server. I'm going to use a lightweight Fetchmail
alternative for this.

Let's start.

## 1 WebCit access in lighttpd

Before I start, I'm going to assume WebCit, the web interface for Citadel users,
will run *locally* on port 8081 and lighttpd will be a proxy for it. This allows
it to be access on port 80 through lighttpd.

However, lighttpd's mod_proxy cannot connect to SSL ports, which means that
WebCit has to run on the same server lighttpd runs, or there will be no
encryption. For now I run them on the same machine anyway, but WebCit will have
its own subdomain. For now let's assume it's *mail*. Here's the example from the
lighttpd section in the FAQ linked above:

[[!format perl """
$HTTP["host"] =~ "(^|\.)subdomain\.domain\.tld$" { # domain name regex for vhost
  # Use $HTTP["host"] == "subdomain.domain.tld" { if you don't want to use a regex.
  proxy.server = ( "" => ( ( # the "" means to forward all file extensions, it's kind of weird.
    # If you for some reason have multiple webcit hosts or local webcit processes, you can make more ( "host" => "", "port" => "" ) entries in here.
    "host" => "127.0.0.1", # citadel is likely running locally, note that mod_proxy forces an IP here and you cannot use a hostname.
    "port" => "8081" # port webcit is running on
    # Note that you must put the plain HTTP version of webcit here, mod_proxy cannot connect to ssl ports.
    # If your server has SSL engine enabled, you'll be able to connect over ssl, but the proxy will not be connecting over ssl.
    # If webcit is running on another server (and not on the same LAN), 
    # this defeats the purpose of connecting over ssl as it wouldn't be encrypted past lighttpd.
  ) ) )
}
"""]]

See lighttpd.conf for my final setup (includes requiring SSL and mod_proxy
enabled using `lighty-enable-mod`, i.e. linked in `conf.d`.).

Basically it works like this:

[[!format perl """
$HTTP["host"] =~ "^(mail\.partager\.null|mail\.partager\.i2p)$" {
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8081" ) ) )
}
"""]]

Now an I2P server tunnel can be created.

Now an SSL cert for the new domain is needed.

I think we're ready for installation. I'm choosing a tutorial to follow.

# Hostname

I have no idea whether this is needed or why. But I wrote 'partager.null' in
/etc/hostname and ran `service hostname.sh start`. Don't ask me what it does.
I also edited /etc/hosts but I'm not sure it's needed since regular DNS can be
used for this. Anyway, the tutorial says. Maybe Citadel uses it, who knows.

Installation: The tutorial's command installs spam assassin and amavisd but:

1. I need to read about spam fighting first
2. I don't need an anti virus, or at least I hope so

I'm starting with `apt-get install citadel-suite citadel-doc`.

It will ask questions. My answers:

- Listen address – 0.0.0.0
- Authentication method – Internal
- Citadel administrator username – Not admin, for security use an alternate username (I used janitor)
- Citadel Administrator Password – Something safe, usual rule to generate a safe password should be used
- Integration with Apache webservers – Internal, since we'll use Lighttpd
- Webcit HTTP port – 80 if you are not running another web server, 8080 otherwise (I use 8081)
- Webcit HTTPS port – 443 if you are not running another web server, 4343 otherwise (I use 4343)
- Limit Webcit’s login language selection  – User Defined (or just choose a language if your users are all from a specific language) (I made it user-defined, but there's no Hebrew - maybe I should help translate)

You may see erros if you already have a Jabber server, because Citadel will want
to use port 5222 which is already taken. In my case I have Prosody, so I'm going
to disable Citadel's Jabber server (at least for now). It can be done in WebCit
under "Admin->System Preferences->Network".

Now edit `/etc/default/webcit` and update the port numbers - for some reason
they aren't picked up from the debian configurator.

Edit /etc/mailname to contain the fqdn (mine is partager.null, but again I still
don't know when it is required - perhaps for auto-generated SSL cert or
something).

Now we need to take care of SSL. Rename the /etc/ssl/citadel folder into
citadel-orig or something, and we'll make new cert and key with TinyCA. Looks
like they need to be placed where the original ones were. Maybe there's a config
for that but we'll see later. We need a key file and a cer file.

Note that the CN needs to be the fqdn, partager.null. It means yet another one
with this CN which is very confusing, so I'll use some pseudo-comment in one of
the fields to make it clear this one is for citadel.

Now let's customize the login banner in `/etc/citadel/messages/hello`. Original
content is:

	Welcome to ^humannode!
	
	This logon banner resides in ^bbsdir/hello -- please customize it for your site.

Maybe those ^ things are some way to insert variables, e.g. humannode is the
human readable name of the Citadel node. Just guessing though. Anyway I'm
leaving the first line as is, just removing the second line.

Okay, time to restart Citadel to apply all the config we did:

	service citadel restart
	service webcit restart

Again the first one brings error because of Prosody running. But now I should be
able to go to WebCit and disable the Jabber component.

Now go to the WebCit webpage and login. You can either use localhost:8081
(or 4343) or the I2P tunnel. Using the clearnet with SSL is possible too of
course, and is probably the best to do here, but I'm not sure about the
subdomain name so the certificate validation will be broken. Let's try anyway,
to make sure it's the only thing that doesn't work. Oh wait, I can't because I
also need a DNS record for the subdomain... forget it, I'll use I2P for now. Of
course JS is still needed.

Problem: Both Midori and Epiphany fail to execute the login button JS. Trying
Iceweasel too... oh, there it is. My first screenshot was incorrect. A popup
is supposed to show up, like in the Linuxaria tutorial. I'm adding a task below
to disable the login that uses OpenID, google, yahoo and aol. Disgusting. Maybe
OpenID a bit less, but still centralized. I prefer to edit hardcoded HTML than
let that stuff be there!

Strange, I can't log in. It can't find user 'janitor'. Same error for 'admin'.
Did debconf read *any* settings I gave it, at all?

But wait. Before I re-run the configuration, let's turn off Prosody and see if
it helps.

Good news, another tutorial mentions the issue and explains how to solve.

Great, problem solved with the Rpi tutorial. I managed to log in with WebCit.

Now disabling the Jabber. Hmmm can't find it. Strange. How am I supposed to
disable it then?

Oops, I missed it somehow. Here it is.

The full list of ports:
<http://citadel.org/doku.php/faq:favoriteclient:general_configuring>. Right now
I choose to open just these in the router:

- Port 25 for local delivery of mail from outside to my users
- Port 587 for users to send mail via StartTLS
- Port 995 for POP via SSL
- Port 143 for IMAP either unencrypted or StartTLS

There's an issue with the mailing lists: It looks like new users get their fresh
email address instead of just subscribing to "rooms". If there's no way to
change that, the only solution is to turn off Citadel's mailing and make it just
a BBS. Then I'll need Exim and Dovecot. I need to decide how useful those rooms
really are - while they do provide a forum-like UI, can't the same be done with
other software with more configurable UI and features?

Anyway, adding MX record. Also looks like I need PTR to bypass spam filters, but
reg.for.free doesn't offer it so I'm adding just to my own DNS. MX goes to both.
Okay, done with that.

I checked the BBS again, looks like it could be nicer to have a hackable
solution that integrates with mailing lists. But wait a second, it actually
seems now that I just missed some features. Look:

<http://citadel.org/doku.php/faq:everydayuse:what_if_someone_wants_to_make_a_room_into_a_mailing_list_can_we_do_that#how.do.i.create.a.mailing.list.or.distribution.list>

If this is fully functional mailing lists, it's okay. But I still want to try
the following:

1. Use Syndie forums, try them again - because it's distributed
2. See if I can make ikiwiki easy for users to use as a forum with mail
   notifications support and mail replies (e.g. write scripts to implement that)
3. Read about forum and BBS software and mailing lists - e.g. looks like Sympa
   has integrated web view of the mailing list

By the way, WebCit also relies on JS which I don't like. And the only other way
is a console client most people won't handle.

Now, last step - I need to feed my IMAP server with input from my existing mail
accounts. A lightweight fetchmail alternative.

I chose and installed mpop when I found this, which is integrated into Citadel:
<http://www.citadel.org/doku.php/faq:favoriteclient:how_do_i_retrieve>. It means
Citadel can download mail with POP3 from other mailboxes and insert it into any
room I choose - in particular the Mail room. Let's try with fr33domlover at
inventati.

I also added an RSS feed there - nice bonus since then I get the feeds remotely
from anywhere.

POTENTIAL PROBLEM: I can't find an option to control use of SSL/TLS for this
thing. mpop can handle it, but what does Citadel do? Guess the port? I don't
like this. __TODO__. If I don't find a solution, I'll ask. If no good answer,
I'll use mpop instead (but can still use the RSS feature, it's nice).

One more thing, I want to ask a question on Citadel's own BBS - why not connect
to them with my own Citadel? See how it's done exactly and safely. I want to
avoid making a new account and using my own local user+pass to post there.

Another issue, how do filtering rules work now? Can't share them between
clients. On the other hand I'd depend on WebCit's JS for this... but fine.
Another way is to keep them on single client (home). Just make sure it can
properly edit the folder contents, and later other clients (work, mobile) get
updated content. Procmail can't be a global solution, at least not from
commandline, unless mail users get SSH access to the server for editing their
procmail config. Actually, there it is - WebCit lets you configure server side
mail filtering. But if it can be done from Claws, it's better.

# Alias

[[DONE|TODO/CLOSED]] consider whether akrasner should be alias of fr33domlover or a
separate account. If I use filtering into IMAP folders, I'll either need to make
is an alias or configure fr33domlover's folders to be shared with akrasner - see
if possible. __DECISION__: I'll try to make them aliases. One account will
receive the email and the other will be just for sending, i.e. configured with
same password and with SMTP but without POP/IMAP at all (I can e.g. use POP and
just leave the server empty and remove it from GetMail so it's never used).

-------------------------

I don't have any answers yet but I managed to connect with POP to mail new
mailbox and the RSS aggregation works too. Unfortunately it's very
unconfigurable, e.g. I can't choose how many messages to prefetch. But maybe it
won't matter. For now it just works.

In the mailing list config the URL for subscription is wrong in my case. The
real one is <http://mail.partager.i2p/listsub> or the clearnet counterpart. This
is what I should publish on the wiki.

__TODO__:

- Make the POP aggregation work with StartTLS or SSL by using mpop
- Make the mail alias work, i.e. SMTP with akrasner - check again if works now
- OUTGOING PORT 25 MAY BE FAILING - check it and maybe contact ISP to solve this