Categories
Small Organisation Server

Small Organisation Server – the Target

The end goal of the Small Organisation Server project is a system which can provide everything needed for a small organisation, such as the Ambridge Garden Club, to have a presence on the Internet, with transparent accounting for how it is funded. The organisation should be able to own its data and systems. Although it will have to pay for hosting, as it should – there is no such thing as a free lunch – that hosting should be on a standard platform which does not lock the organisation into any particular vendor.

Simplicity of Administration

Small organisations should not need to have more than a minimal knowledge of computer administration.

Automatic updates

The software should update with the minimum attention needed from the administrator, who should not need to deal with a different update system for each component.

Modular

Not every small organisation will want every facility, for example a choir might want some form of music repository, and a garden club might not have a use for that.

Simple to use

Single identity and password

Federation and other organisations

Many people have multiple interests, and the system should not try to be the only one they use.

Stability

There is a clash between a desire to have the latest and greatest, and having a system which focuses on continuity. Although the organisation will be interested in keeping up to date with what it is interested in, e.g. gardening, that does not mean that it should need the very latest software.

Non-goals

All designs involve compromises, trade-offs between, for example, complexity and power. These are the choices I believe to be appropriate for the target types of Small Organisation.

Extreme privacy and security.

Hosting on a base you do not own, such as a hosted virtual computer (or even a real computer in a data centre) requires a level of trust in your host. There is a theoretical possibility, for example, that your hosting provider can read all of your data. The same applies to government level agencies, well funded criminal gangs etc. However such operations are expensive, and if that is a concern then you are in a different category of organisation.

Scaling to enormous sizes

Some software or systems do not scale to support thousands, or millions, of people on the same platform. This causes them to be dismissed by people who want to be able to run huge systems. If you are expecting to grow to those sorts of sizes you should be planning for some paid, dedicated IT staff.

Applications – what can it do?

The purpose of a Server is to serve, to serve the needs of the people who own it (Also true for the servers which belong to Facebook, Twitter, Google, Amazon etc). Here I put some of the things which might be useful to a Small Organisation on the Internet.

Mail

One of the key building blocks of the internet, and also now often used as a proxy for identity. It should be possible for members of the organisation to contact each other through email, and, at their choice, either have their emails forwarded to another system or read and write emails on the server. This should be compliant with technical standards for mail authentication, such as DMARC, without the administrators needing to understand the technicalities. Ideally it should support filtering via Sieve, and reading and writing mail either through a web interface or standard email client programs.

Mailing lists

Sending emails to large numbers of recipients is a specialist area, particularly if there are doubts about whether they want the emails or not, and if the small organisation wants to do that type of thing they should pay a specialist. However for cases like contacting committee members, or possibly, for example a small charity to update previous donors (who are willing to be contacted) a mailing list manager can be useful.

Web pages

These are the public face of the organisation, and it should be relatively easy for those members of the organisation who represent it to update them. This will probably not be every member, and it should be clear, at least internally, who said what. Some form of content management system, such as WordPress or Drupal, integrated with the rest of the user administration should be possible.

Surveys

Some form of Survey software may prove useful, but it does not have to be Google Forms, Microsoft Forms or SurveyMonkey – it may well be that LimeSurvey will do the job.

Videos

If the organisation creates video content they should be able to decide whether to pay to host it, and allow others to view it without advertising, or to have someone else host it for ‘free’ paid for by advertising, which may not align with their ideals.

Note that, probably, this is not as large a risk as it might seem. Although a Temperance Society might in theory find its videos interrupted by advertisements for alcoholic beverages, this would not be an effective use of the advertiser’s spend.

It is still an area where groups should have more choice about whether to host their own video content, and being able to run Peertube on their own server would allow this. It also allows them to publish content only available to members, should they want, and to live stream meetings.

Chat/Instant messaging

There are a number of options for this, depending on requirements. Some of them keep a permanent record of everything which has been said, such as Matrix, which might be wanted for important decisions, but is overkill for general chat. The established standard in this area is XMPP, a federated chat protocol which was the basis for Facebook Messenger and Google Talk before they decided to only allow it to be used within their own communities. It can, but does not have to, keep a record of chats on the server.

Social media (microblogs)

Some organisations may want to produce small snippets of information, similar to Tweets, intended for public consumption. They may also want their members to be able to do this, but may want to distinguish between an official view and members’ opinions. Software based around the ActivityPub standard works for this.

Social networking

Some groups may want members to be able to create small amounts of content primarily for sharing with friends, for which something like Diaspora may be more appropriate.

Calendars and events

People will probably want to know when the next meeting is, and have similar needs. Organisations can host their own calendars and do not need Google or Microsoft to host them, which means that they do not have to require their members to have Google or Microsoft accounts.

These calendars can be added to smartphones or integrated into calendar programs on a PC, such as Thunderbird or Outlook, which saves members from having to add them manually.

Video conferencing/virtual meetings

Organisations should be able, if they wish, to run meetings and conferencing on systems they own and operate themselves, using a system such as Jitsi, or BigBlueButton (more suitable for a larger organisation).

Status

At present all of the components exist, and someone with an interest in computers can put forward such a system, as has been done at least in part for Debian and Wikipedia, but there is a scarcity of information making it simple for someone without computer skills to put such a system together.

Systems like FreedomBox have a similar aim, but are targeted towards individuals hosting on their own hardware. Yunohost is also based on Debian, and is the closest I can find to a Small Organisation Server. The aspect I don’t know about is its stability across Debian upgrades. Its installation instructions are still based on Debian version 10, whereas Debian’s stable release is now version 11, and I know the upgrade was fairly painless. Their Use Cases for NGOs is quite similar to this post.


It is good to be a tree

Some small social organisations exist naturally in a tree, even if they largely operate independently. For example scout troops, guide companies, Phab clubs, some churches and so on. In these cases the clubs share the activity the organisation is known for, such as bringing people of all abilities together on equal terms, in the case of Phab clubs.

Oxford Phab club is one of about 140 clubs in England and Wales which are affiliated to the national Phab organisation, which has a Domain Name of phab.org.uk, whereas Oxford Phab has registered a Domain Name of oxfordphab.org.uk, and those other Phab clubs which do have a presence on the internet all have individually registered Domain Names, some of which contain the word phab.

Large companies have no excuse, but in many, many cases the parent organisation is actually small, often fewer than a dozen people, and does not have the kind of systems administrator needed at present to deal with such matters. Making DNS delegation simpler to manage, while retaining flexibility, is a valuable goal. For example, when a Phab club affiliates to the national body it should be possible for that club to be offered a delegated DNS zone for its use, so that the club could use, for example, oxford.phab.org.uk for its web site, email, social media etc.

On the wider internet this explosion of names is not good for anybody. Companies spend huge amounts on building trust in their brand, and then dilute it by registering random domain names which happen to have their name somewhere in them, and then disclaim any responsibility when their customers are scammed by going to bigcorpticket.example.com, when the ‘official’ site was bigcorptickets.example.com. No scammer can register tickets.bigcorp.example.com (I have used the reserved example domain because nobody can register under that, and any other short domain name is probably registered). Phishing attacks could be hugely reduced if more people understood the hierarchical nature of the DNS. See the Equifax section below for a real life example.

Domain delegation, being your own primary delegated domain and being a secondary for another small organisation are technical goals for a small organisation server, even if they will never be used by, for example the Ambridge Garden Club.

Trees and Trust – some examples

The UK National Health service is generally good at using nhs.uk as a top level domain, and web sites for real NHS facilities tend to end in .nhs.uk – for example https://ouh.nhs.uk/ is the Oxford University Hospitals NHS Foundation Trust, which works closely with Oxford University for research aspects. Genuine web sites about such research almost always have a form like https://www.ndm.ox.ac.uk/ – again Oxford University, and the UK academic community in general, understands the domain system.

This consistency is slightly diluted by some use of nhs.net, so some emails may end in @nhs.net, as well as those which end in @nhs.uk or @somedepartment.nhs.uk.

NHS services are being outsourced, and diluting the brand, so some patient letters now come from @drdoctor.co.uk – an NHS private provider, but the patient letters are reached by clicking on a link from https://nhs.my (where the .my ending would suggest the services were being provided from Malaysia – possibly by the Ministry of Health Malaysia). As DrDoctor is being trusted with patient appointment information, they should have access to an nhs subdomain – only to be used for purposes under that contract, and if a URL shortening service really is needed, then, for example u.nhs.net is as short as tinyurl.com.

The 2017 Equifax data breach – not using the DNS tree

Equifax, a company whose sole purpose is to be a holder of a large quantity of personal financial information, had a data breach in 2017, due to their failure to follow good practice in managing their computer systems. This was the 2017 Equifax data breach. Their reaction to the problem was made worse by their failure to understand the potential benefits of being a tree. They set up a new web site – www.equifaxsecurity2017.com – so consumers could find out if their data was at risk. To prove their identity to the web site, consumers had to provide some private information, their last name and the last six digits of their social security number. Knowledge of this was supposed to be enough for Equifax to tell which consumer you were.

The problem with this approach is that Equifax knew that they had set up this name, and so felt consumers should trust it with their personal information because it had Equifax in the name. A security researcher, Nick Sweeting, demonstrated the risks of this by creating a domain www.securityequifax2017.com – as a parody of the official Equifax one. Due to confusion between the site names the Equifax help desk was sending people to the parody site rather than their real one. As he, and anyone else who understands the internet, will try to explain, this could not happen if their web site had been called security2017.equifax.com – or any other name which ends in .equifax.com.

There is more on the problems of proving identity on the internet at The Proof of Identity Problem.

Being your own tree

Even for a small organisation there are advantages to being aware of the tree-like structure of the DNS. Suppose, for example, that Ambridge Garden Club ran an email newsletter as a mailing list which club members, or any interested people, could join. Creating a subdomain newsletter.ambridge-garden-club.org.uk would keep the email for the newsletter distinct from the email for club members themselves. For a medium sized organisation this could be outsourced to a bulk mail specialist, and this is more easily done if it has its own subdomain. For a small organisation, such as the Ambridge Garden Club, it could be handled on their server by specialist list management software such as Sympa or Mailman.

Preparing for parenting

For a small organisation, setting out on the Internet for the first time, the thought that there may be child organisations which would benefit from a degree of independence may seem far away, but the decision about where you buy your DNS from may affect your ability to have children (in a DNS sense).

Quite a few popular DNS registrars (vendors) do not have a facility, through their web control panel, to facilitate delegating a subdomain.

When a tree based name might not be appropriate.

There can be a good reason for not using a subdomain. You might have a product or service which you hope will flourish and could become an independent entity. Sitting ‘under’ your main organisation name will make that harder.

Embedded brand names are usually a mistake.

If you see a domain name like equifaxsecurity2017.com which contains a name of a brand or company this is a strong indicator of trouble for that brand.

  1. The name is owned by the company, and they do not understand how the internet works.
  2. The name has been registered by criminals pretending to be that company, who want to dupe that company’s customers (or by security researchers wanting to make a point).
  3. The name was registered by a group of lawyers who are starting a class action against the company
  4. The name was registered by an advocacy or consumer group who want to complain about you – a domain called yourbrandname-sucks is, unless you manufacture vacuum cleaners, unlikely to be complimentary.
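The checks the Equifax example and the list above describe, as an added example (not code from this post): a hostname is trusted only when it sits inside the organisation’s own DNS tree, matched label by label so that neither evilequifax.com nor equifax.com.evil.example passes, and a brand string appearing in a name outside that tree is flagged as the embedded-brand warning sign. It does not consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def hostname_of(url):
    """Extract the lower-cased hostname from a URL or a bare hostname."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def in_dns_tree(hostname, org_domain):
    """True only if hostname is org_domain itself or a descendant of it.

    Comparison is on whole labels from the right, so a substring match
    such as 'evilequifax.com' or 'equifax.com.evil.example' is rejected.
    """
    h = hostname.rstrip(".").lower().split(".")
    o = org_domain.rstrip(".").lower().split(".")
    return len(h) >= len(o) and h[-len(o):] == o


def classify(url, brand, org_domains):
    """Sort a link by where it sits in the DNS tree.

    'organisation'   - under one of the domains the organisation controls
    'embedded-brand' - outside those trees but carrying the brand name,
                       the pattern the post lists as a warning sign
    'unrelated'      - anything else
    """
    host = hostname_of(url)
    if any(in_dns_tree(host, d) for d in org_domains):
        return "organisation"
    # Hyphens and underscores are dropped so 'big-corp-tickets' still matches.
    squashed = host.replace("-", "").replace("_", "")
    if brand.lower().replace("-", "") in squashed:
        return "embedded-brand"
    return "unrelated"


if __name__ == "__main__":
    # Names taken from the post; equifax.com.evil.example is a constructed lookalike.
    for link in ("https://security2017.equifax.com",
                 "https://www.equifaxsecurity2017.com",
                 "https://www.securityequifax2017.com",
                 "https://equifax.com.evil.example"):
        print(f"{link:45} {classify(link, 'equifax', ['equifax.com'])}")
```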

Ambridge Garden Club – email

Electronic mail was the first Federated service carried over the Internet, and in some ways it pre-dated the IP based system we think of as the Internet today, as it was possible to send emails for example from systems connected via UUCP to others using DECmail a long time (in internet terms) before the creation of the Web.

Ambridge Garden Club members want to be able to communicate with each other over email, using, if they wish email addresses like lynda_snell@ambridge-garden-club.org.uk, and these should be, at the choice of the member, accessible using the club mail system as a store and messaging system – using the “Internet Mail Access Protocol”, or a web interface to that; or they should be forwarded on to another email system of their choice. They will want email addresses for key roles such as treasurer@ambridge-garden-club.org.uk, and for groups of people such as committee@ambridge-garden-club.org.uk.

Unwanted emails (spam) should be rejected, as far as possible, while ensuring that wanted email reception and delivery are reliable.

Setting up email – an overview

Actually setting up the email for Ambridge Garden Club was more convoluted than ordering the domain or purchasing the server, so there is no step by step guide. The components used are capable of scaling up to deal with many thousands of users, so have many options for configuring them, and there were other possibilities for the components as well. The ones below should be suitable for a small organisation and they should be amenable to automated installation and configuration for future purposes.

User Database – LDAP

Information about the members of the Garden Club is stored in a Lightweight Directory Access Protocol (LDAP) database. This holds their names, and other information, such as their email address. There are many tools available for manipulating the database through web interfaces, and many of the services our club members will want to use – email, instant messaging, web page publishing and so on – can use LDAP as a store of information.

Mail Transport Agent – Postfix

Postfix handles mail receiving and sending to any address which ends in @ambridge-garden-club.org.uk. Some members want their mail to be forwarded to another mail system, and this is handled by a combination of postfix-ldap to find their addresses in LDAP and postsrsd, which ensures that the email forwarding is Sender Rewriting Scheme friendly.

Other options would be Exim or Sendmail.
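A model of the forwarding path described above, as an added example (not postsrsd’s, postfix-ldap’s or Postfix’s own code): a constructed dict stands in for the club’s LDAP entries, role addresses and groups are expanded, and when mail is forwarded off-site the envelope sender is rewritten to the SRS0 form so that the forwarder’s own SPF record covers it, with bounces reversed back to the original sender only if the signature and timestamp check out. The secret, directory contents and 21-day window are constructed values.

```python
import base64
import hashlib
import hmac
import time

LOCAL_DOMAIN = "ambridge-garden-club.org.uk"
SRS_SECRET = b"constructed-example-secret"   # a real deployment uses a random secret
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21                             # bounces older than this are refused

# Constructed stand-in for the LDAP entries: login -> mail attributes.
DIRECTORY = {
    "lynda_snell": {},                                          # local mailbox
    "eddie_grundy": {"forward": "eddie@example.net"},           # forwarded elsewhere
    "treasurer": {"alias": "lynda_snell"},                      # role address
    "committee": {"members": ["lynda_snell", "eddie_grundy"]},  # group address
}


def resolve(local_part, _seen=None):
    """Expand a local part to final targets: ('local', user) or ('forward', address)."""
    seen = _seen or set()
    if local_part in seen:                     # guard against alias loops
        raise ValueError(f"alias loop at {local_part}")
    seen.add(local_part)
    entry = DIRECTORY.get(local_part)
    if entry is None:
        raise LookupError(f"no such user: {local_part}")
    if "alias" in entry:
        return resolve(entry["alias"], seen)
    if "members" in entry:
        targets = []
        for member in entry["members"]:
            targets.extend(resolve(member, set(seen)))
        return targets
    if entry.get("forward"):
        return [("forward", entry["forward"])]
    return [("local", local_part)]


def _timestamp(days):
    d = days % 1024                            # SRS keeps the day count in two base32 chars
    return BASE32[(d >> 5) & 31] + BASE32[d & 31]


def _decode_timestamp(ts):
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def _hash(ts, domain, local):
    msg = f"{ts}{domain}{local}".lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()  # short tag, as libsrs2 does


def srs_forward(sender, days=None):
    """Rewrite an envelope sender for forwarding out of LOCAL_DOMAIN."""
    if sender == "":
        return sender                          # null sender (bounces) is never rewritten
    local, domain = sender.rsplit("@", 1)
    if local.upper().startswith("SRS0="):
        return sender                          # already rewritten; SRS1 chaining omitted
    ts = _timestamp(int(time.time() // 86400) if days is None else days)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{LOCAL_DOMAIN}"


def srs_reverse(address, today=None):
    """Recover the original sender from an SRS0 address, refusing forged or stale ones."""
    local, forwarder = address.rsplit("@", 1)
    if forwarder.lower() != LOCAL_DOMAIN or not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address for this domain")
    _, tag, ts, domain, orig_local = local.split("=", 4)  # maxsplit keeps '=' in orig_local
    if not hmac.compare_digest(tag, _hash(ts, domain, orig_local)):
        raise ValueError("bad SRS hash")
    now = (int(time.time() // 86400) if today is None else today) % 1024
    if (now - _decode_timestamp(ts)) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


def route(envelope_sender, rcpt_local, days=None):
    """Deliveries as (kind, target, envelope sender); forwards carry the SRS sender."""
    out = []
    for kind, target in resolve(rcpt_local):
        sender = srs_forward(envelope_sender, days) if kind == "forward" else envelope_sender
        out.append((kind, target, sender))
    return out


if __name__ == "__main__":
    for hop in route("bounce@example.org", "committee"):
        print(hop)
```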

Mail Server – Dovecot

The mail which is not forwarded is delivered into Dovecot. This will allow members to access their mail via their choice of email clients, such as Thunderbird, or K9mail, or the Roundcube web front end.

Other options would be Courier.

Mail Filtering – Sieve

Sieve allows mail to be sorted into folders as it is delivered, or unwanted messages to be rejected, under the control of the person using the mail account.

Web Frontend – Roundcube

Roundcube provides a fairly simple web interface to an IMAP server. The implementation at Ambridge Garden Club is configured to only access its local server, and to use the sieve plugin to manage mail.

Other options would be SOGo.


Ambridge Garden Club – initial server purchase

Following on from registering the ambridge-garden-club.org.uk domain, the Ambridge Garden Club needs a server to provide the services it will need.

Ordering the Server – Step by step

I am using Mythic Beasts, but as described in registering the domain, there are many alternatives, and by providing an alternative to Facebook and the advertising supported model for small organisations, I hope this can boost the independent Internet Hosting provider market.

The Garden Club treasurer should log in to their account at https://www.mythic-beasts.com/ and click on the Servers dropdown at the top, and then select ‘Virtual servers’, and they will see a screen like this.

If they select ‘Pay yearly’ and ‘Order now’ they will see a screen like this. Pay yearly was chosen as cheaper, and for many small clubs keeping the administrative work down is important.

The lowest specification server was chosen, and HDD (hard disks) rather than SSD (Solid State disks) to get more disk space for the money, and I do not, initially at least, expect disk performance to be an issue. IPv4 was left selected. This is the old type of internet address, as at present it is quite likely that there will still be Ambridge Garden Club members who do not have the new IPv6.

The annual cost is £82.80.

On accepting the order a confirmation screen is displayed:

Here you have options to say where your virtual computer should be, and what its ‘Service name’ should be. This name should be between 3 and 10 characters long, and will show up as the name of your computer in the Mythic Beasts control panel, and in the actual name of your computer on the internet. The Ambridge Garden Club decided to have their computer in London, and that the Service name should be agc. The actual computer on the internet is called ‘agc.vs.mythic-beasts.com’. At a subsequent stage I will arrange for it to be seen as ‘ambridge-garden-club.org.uk’. Once you confirm your options you will see a confirmation screen similar to the following:

This shows what is about to be purchased in a different format. Press Pay to continue, to another payment screen, for filling in the usual details, and once they have been entered you should see a screen like:

You now have a computer (albeit a virtual one) out on the Internet, but before it can do anything useful you will need to install an ‘Operating system’ and some software. This will be covered in the next post.


Ambridge Garden Club – registering the domain

At the heart of the Internet is the Domain Name System, or DNS. The first thing the Ambridge Garden Club needed to do was to register a domain name. There are many sites on the Internet which provide Domain Registration, but I went with a company which also provides ‘Internet hosting’, that is the ability to rent a computer, or a virtual computer, from the same company to simplify billing.

Choice of supplier

There are companies from which you can buy combinations of a domain name and Web Hosting, often with some specific interface to make it easy to build web sites. Some will also forward email, or even host email, but for an example Small Organisation Server I wanted some flexibility and to be able to select ‘best of breed’ components, hence the generic decision to go down the Hosting Provider route, with a company which provides the kind of system on which the rest of the services the Ambridge Garden Club needs can be built.

There is quite a large choice in such systems, and at this stage it is worth doing some research, but I chose ‘Mythic Beasts’ – an Internet Service Provider I have dealt with before, and their service and support have been prompt and knowledgeable. Their pricing is also open and transparent. There are many places where you can register a domain on the internet very cheaply for the first year, but have to pay much more for subsequent years, or find you are automatically paying for ‘options’ such as security certificates from them that you did not necessarily want (or at least not from them).

The cost to register ‘ambridge-garden-club.org.uk’ was £7.20 for the first year, and the same for subsequent years, including VAT.

Step by step

First the Ambridge Garden Club Treasurer should go to https://www.mythic-beasts.com/ and sign up as a customer. They will need an email address, a real postal address etc., and can set up a separate billing address.

They should log in to their account and click on Domains, and then on ‘New Registration’ where they will see a screen like this

If you know the domain you want to use you can register it directly, or you can search for domains and see some options. Different types of domains have different costs, so a domain that ends .london for example, is more expensive than one that ends .org.uk

The system will check if the domain you want is available, and if so you will see how much it will cost.

Here you enter the details of the person, and organisation who is registering the domain.

You are unlikely to see the ‘held for manual review’ section, in red – my personal setup is much more complicated than most, but you will see the requirement to comply with the terms and conditions.

Having entered, or confirmed some billing details – you can pay by credit card, or direct debit, you should see a screen similar to the above.

Congratulations, your organisation is now the proud owner of a domain and you have started your journey towards an Internet presence.

Other options

I will not go into these in detail, but might expand on them, or add more at a later date.

Contabo

Another hosting provider worth checking out.

Amazon Web Services Lightsail

Amazon has a bewildering choice of Web services, and even this, their simplest option, requires an unfeasible amount of computer understanding for a garden club to manage. Other big cloud service providers also tend to be aimed at buyers with an IT department, or whose interests tend more towards computing than gardening (or knitting, model railways, croquet, local archaeology or whatever).

Linode

A venerable hosting provider, note that they do not provide a Domain Registration Service, so you would have to shop for that separately.

An umbrella organisation

Some small organisations are part of a larger organisation, for example Scout troops and Guide companies in the UK come under the umbrella of the Scout Association or Girlguiding UK respectively. Similarly Phab Clubs, such as Oxford Phab, are affiliated to National Phab. Although Oxford Phab has a registered DNS name of oxfordphab.org.uk, if the phab.org.uk domain were administered to allow it, it would be possible to delegate oxford.phab.org.uk to a system controlled by the club. See the post ‘It is good to be a Tree’ for more on this.


The Ambridge Garden Club

The Ambridge Garden Club does not exist, but I am presenting it as a Small Organisation Server example of how a hypothetical small organisation, a group of a couple of dozen to a couple of hundred people with similar interests, can set up an Internet presence which meets their needs, without resorting to the alternative ‘Big Social Media’ model of advertising. I will demonstrate how the services it uses are paid for, and show how it was set up. It is also ‘federated’, so that it should work well with similar organisations.

The village of Ambridge does not exist; it is a fictional village in the long running radio soap opera The Archers. My parents listened every day, though I am no longer in touch with what is going on, but its characters provide a range of non-technical people, who might well come to see the value of doing some things on the Internet, but as a tool, not as the central thing in their lives.

I am providing this as an example for several audiences: small organisations such as gardening clubs, software developers, and Internet hosting providers.

For Small Organisations

These could be

  • Garden clubs
  • Model Railway societies
  • Parish councils

I hope to provide a step by step model of what I actually did to set up the Ambridge Garden Club system, from some of the options for renting the computers needed, to exactly what needs to be done for each step. I also hope the end site will provide an example of what can be achieved.

For their treasurer I want to show how much it cost. Everything has a cost, even the things which are apparently free. By providing options where the costs are explicit I hope to increase people’s choices, even if they decide the advertising supported route is better for them.

For Software Developers

I hope to give a model of how a small organisation, as described above, might want to bring together the various diverse pieces of software they use, with the things which could be improved to make it simpler for a non technical user base.

To get an idea of the target user base, ideally it should be possible to set up, administrate, and use the system on an iPad or similar, without the need to know about console logins or the command line at all. I know this is not possible at present, but there is no fundamental reason why this should not be a goal. It should be possible to understand how all the components work, but it should not be necessary.

For Internet Hosting Providers

I hope to show the types of services which might be useful for a group of people as described above, to enable them to target their offerings and provide transparent, easily understandable pricing (not every garden club treasurer knows how many cores a server should have).

Feedback and community

The first version of this is likely to be more complex and technical than I would like, but having an open model allows the parts to be improved.


Why Sharing Federated Social Media Systems is Important

If you are a non-technical person – or more importantly a group of people, as being social on your own is not much fun – and you are looking for a place on the Internet to get together, your choices are pretty limited. Everybody in your group is probably on WhatsApp and Facebook, and it is easy to set up free Zoom accounts, and then you only need somebody, or a couple of people, to have a paid account and you are all set.

If you want to avoid that route your choices are much more limited. In fact if you are not technical they are pretty much non-existent.

If you are purchasing a large piece of commercial software they often have an example user to show how things can be set up. For example OracleTutorial.com have the example of “a global fictitious company that sells computer hardware including storage, motherboard, RAM, video card, and CPU.” This gives you an idea of their target market.

I will use the example of a small (say 20-50 members) Gardening Club. Suppose they want to chat, but some of their members do not have a smartphone, or for some other reason they do not want to use WhatsApp (this is a Gardening Club – software freedom, privacy and such like are less important to them than effective defences against carrot fly, or whether to over-winter dahlias in the shed). There is a protocol called Jabber or XMPP, which has been around for well over a decade, which does everything which is needed, but it has never really taken off in the ‘real’ world. One reason for that is that there is not much reward for running an XMPP server for public use. There have been several attempts at mass-XMPP – Google Talk used to be proper federated XMPP, Duck Duck Go had a free XMPP service, and there are numerous free XMPP services which are not accepting new accounts.

There is a cost to running a service – somebody has to pay for the hosting, network use etc – and running one, free, as a business does not make sense, and generously offering the service to strangers will exhaust anybody’s resources. Our Gardening Club could – if they knew about it – go to https://account.conversations.im/domain/ and pay to have their XMPP hosted there, but if they also wanted to have a web site, for example using WordPress, they would have to go somewhere else.

If federated social media systems are to take off then our Gardening Club needs a simple recipe for what they can do, preferably go to a provider, pay a small, understandable fee (paid for out of their membership subscriptions, the same way they are now paying for their Zoom accounts) follow a simple set up process and get communicating.

The nearest to this route at the moment is probably hosting a FreedomBox on a virtual, or hosted real, system on the internet, although their attention is more towards onion routing than onion sets. There is a community around FreedomBox, as there is around many of the other federated social media projects, but it is a technically oriented community.

If the barriers to entry for Federated Social Media systems are such that only people who are capable of, and have the inclination to, install their own system from scratch can participate then the main topic of the Fediverse will be itself, which is not a healthy state.

Our hypothetical Gardening Club, knitting group, model railway society, dentists association, primary school, needs tools built around their interests, which can federate and accommodate the keen gardener, communicating with her fellow dentists professionally, knitting and working on her model railway when the weather is not suitable for gardening, and making jam for her children’s primary school summer fair.