Cloudron Forum

@nebulon said in Why running dovecot as root?:

@necrevistonnezr this may be more of a case of slightly different priorities and taste, servers running software (and exposed to the internet) are never 100% secure, so hardening is always a bit of an ongoing process which can be as detailed as one wants. We try to strike some balance on Cloudron side, to keep things maintainable and updatable also.

Thanks again - that makes perfect sense.
If I may ask - did you consider other alternatives? If so - what did you rejected and why? Would you choose Dovecot again now?

Feel free to ignore my questions - that's definitely outside of the scope of the platform, would appreciate if you could share some piece of wisdom thought!

@Klaus Which email provider are you testing with? We can try to implement it.

This doesn't affect Cloudron as such but the upcoming mail addon update contains the fix.

The only message was only related to PTR. And there was no other message. Maybe it was a special case or a problem with the request and the question was whether from my server or on the provider's side.

After I clicked sync DNS, I left it for another 24 hours just to be sure, because the proprogation could have been prolonged. After 24 hours there was still a problem , then I did a record analysis and noticed as I wrote above one record A was not updated.

In general, the situation embraced. You can close the topic 😄 only waiting for the improvement of the results from PTR. Generally I have changed but FCrDNS has not been updated.

Looks like that was the fix, now it doesn't change the A and AAAA records of the email server, and Cloudron can still use my External SMTP connection while having the Mail Server Location set to "cloudron.blockbluemedia.com".

Hello, correct, it is the subdomain.

This all seems to have been solved by restarting the app

@timbo I have practically zero spam with the rules mentioned in my post and abusix DSNBL (https://abusix.com/) - the free tier is sufficient.
Do you have catch-all enabled?

Ah the Cloudron is on version 7.5.2 which had a bug here. This is fixed with v8.0 already

@girish must be private. I can't view that with my account.

@nebulon , thanks for reply.
in the first post, I copied a undeliverable testmail from spamhoaus to cloudron, b/c it was denieing the reception.

here a little oversight:
2024-07-03_12-50_CLDRN_mail_deliv-Fail.png

and they all look similar…

2024-07-03_12-52_CLDRN_mail-deniedy.png

all these hosts are N.O.T. blacklisted. I checked.
also, false positives…

Please see https://docs.cloudron.io/email/#server-status . Specifically https://docs.cloudron.io/email/#ptr-record and https://docs.cloudron.io/email/#outbound-smtp

@girish That's very nice! I already have the paid version, so no problem for me, was just wondering 🙂

@girish said in Dynamic DNS and Mail Server Location:

@gerard that's quite brave to run a mail server with dynamic IP

@girish Yeah it's silly and unreliable 😉 But not meant for any serious usage.

Thank you for fixing it.

The fix is for solr showing the incorrect status. Let's re-test once the update is out.

Thanks - that sounds interesting. Didn't know that - but this is a reason to rethink my approach.

@JOduMonT an email server (without email relays) requires a public IP. There is no way around this. Even if you add a second IP, the second IP will be exposed and one can always access your Cloudron dashboard via that IP address. Just have to put an entry in /etc/hosts on my laptop and point that floating IP to my.domain.com and that's it.

I guess you are looking for a way to "sandbox" mail server to a specific IP somehow. We don't have a way to do this in Cloudron. I can move this to Feature Requests.

But also, it might be easier to just create another VM and run mail on the other VM? Security wise , this is the easiest and cleanest instead of writing a lot of code to make sure mail server and dashboard despite being on the same server don't step on each other (networking wise).

This was a regression in Cloudron 7.7. Thanks for reporting @AartJansen

Fixed in https://git.cloudron.io/cloudron/box/-/commit/1afa2e87ec93881ebcd1f79d83d4477467b40770

@AartJansen '+' is the default qualifier. So, it is redundant in +a:my.friendwholesale.co.nz . You can remove it.

Worthwhile reads - ``Reply-To'' Munging Considered Harmful and Reply-to-List, or Reply-to-All?