Cloudron Forum

@nebulon here's what an AI found: Tarball Permissions The tarball contains files with ownership/permissions the process can’t replicate (e.g., root-owned files). Example: Extraction fails when tar.extract preserves original ownership. SELinux/AppArmor Security policies block filesystem operations despite correct permissions. Tar Library Behavior: The tar library (likely tar-fs) might try to preserve file permissions from the tarball. If the tarball contains files owned by root and the app runs as yellowtent, extraction fails unless permissions are ignored. Fix: Modify the code to ignore permissions: javascript const tarStream = tar.extract({ cwd: destinationPath, ignore: () => true }); Debugging Steps Check Permissions: javascript console.log('Source:', fs.statSync(sourcePath).mode.toString(8)); console.log('Dest:', fs.statSync(destinationPath).mode.toString(8)); Ensure Directory Exists: javascript if (!fs.existsSync(destinationPath)) fs.mkdirSync(destinationPath, { recursive: true }); fs.accessSync(destinationPath, fs.constants.W_OK); Add Error Logging: javascript const readStream = fs.createReadStream(sourcePath).on('error', (err) => console.error('Read:', err)); const unzipStream = zlib.createGunzip().on('error', (err) => console.error('Gunzip:', err)); const tarStream = tar.extract({ cwd: destinationPath }).on('error', (err) => console.error('Tar:', err)); Potential Fixes Ignore Tar Permissions: javascript const tarStream = tar.extract({ cwd: destinationPath, ignore: () => true }); Test with Logging: Run the modified code with error handlers. async function tarExtract(sourcePath, destinationPath) { ensureSafePath(sourcePath); ensureSafePath(destinationPath); console.log('Source:', sourcePath, fs.statSync(sourcePath)); console.log('Dest:', destinationPath, fs.existsSync(destinationPath) ? fs.statSync(destinationPath) : 'does not exist'); const readStream = fs.createReadStream(sourcePath) .on('error', (err) => console.error('Read error:', err)); const unzipStream = zlib.createGunzip() .on('error', (err) => console.error('Gunzip error:', err)); const tarStream = tar.extract({ cwd: destinationPath }) .on('error', (err) => console.error('Tar error:', err)); readStream.pipe(unzipStream).pipe(tarStream); await streamPromise(tarStream); } Conclusion The error is likely a mismatch between the Cloudron app’s user permissions and the filesystem.

@David-0 said in Use Cloudron Mailserver but have different Webhosting?: Would it be possible to use Cloudron as a mail server for mail@new.com while the domain new.com (or even subdomain.new.com) is hosted somewhere else? yes, the DNS records for a mail server (MX record) and webhosting (A records) are entirely different. It's totally normal and safe to host web and mail of the same domain on totally different systems.

It worked! Thanks!

For anyone wondering on the same question as I did: Dovecot seems to be a standard IMAP server for now, which seems to be used on majority of servers. It claims to be written with security in mind, which doesn't seem to help to avoid privileges escalations, buffer overflow, crashes (on the same page - below). Given the dominance of that mail server on the internet, it seems to be a go-to solution for many, just like Ubuntu, referred here above, is; so I wouldn't expect it to be replaced on Cloudron anytime soon. Given the self-confidence of the authors, that claims that running from root is not a big deal and not providing any easily ready to use solution, I doubt that many will go extra mile to implement that on they own; given Cloudron limited resources and luck of advertising and hence focus to be security first platform, dovecot processes will remain to be running as root. From the positive side, root owned processes are not opening any network port, so direct exploitation would be problematic. Hope that would be of help.

@Klaus Which email provider are you testing with? We can try to implement it.

This doesn't affect Cloudron as such but the upcoming mail addon update contains the fix.

The only message was only related to PTR. And there was no other message. Maybe it was a special case or a problem with the request and the question was whether from my server or on the provider's side. After I clicked sync DNS, I left it for another 24 hours just to be sure, because the proprogation could have been prolonged. After 24 hours there was still a problem , then I did a record analysis and noticed as I wrote above one record A was not updated. In general, the situation embraced. You can close the topic only waiting for the improvement of the results from PTR. Generally I have changed but FCrDNS has not been updated.

Looks like that was the fix, now it doesn't change the A and AAAA records of the email server, and Cloudron can still use my External SMTP connection while having the Mail Server Location set to "cloudron.blockbluemedia.com".

Hello, correct, it is the subdomain. This all seems to have been solved by restarting the app

@timbo I have practically zero spam with the rules mentioned in my post and abusix DSNBL (https://abusix.com/) - the free tier is sufficient. Do you have catch-all enabled?

Ah the Cloudron is on version 7.5.2 which had a bug here. This is fixed with v8.0 already

Hello @iamthefij Did this ever get resolved? Did you get access to the mail-addon repo? Is assistance still required?

@nebulon , thanks for reply. in the first post, I copied a undeliverable testmail from spamhoaus to cloudron, b/c it was denieing the reception. here a little oversight: [image: 1720004240958-2024-07-03_12-50_cldrn_mail_deliv-fail.png] and they all look similar… [image: 1720004260697-2024-07-03_12-52_cldrn_mail-deniedy.png] all these hosts are N.O.T. blacklisted. I checked. also, false positives…

Please see https://docs.cloudron.io/email/#server-status . Specifically https://docs.cloudron.io/email/#ptr-record and https://docs.cloudron.io/email/#outbound-smtp

@girish That's very nice! I already have the paid version, so no problem for me, was just wondering

@girish said in Dynamic DNS and Mail Server Location: @gerard that's quite brave to run a mail server with dynamic IP @girish Yeah it's silly and unreliable But not meant for any serious usage. Thank you for fixing it.

@james I can't presently reproduce the issue I had previously so I guess this is solved.

Thanks - that sounds interesting. Didn't know that - but this is a reason to rethink my approach.

Hi and thanks. This is how I did it - as mentioned above doing that in Cloudron mail settings would be great.

@JOduMonT an email server (without email relays) requires a public IP. There is no way around this. Even if you add a second IP, the second IP will be exposed and one can always access your Cloudron dashboard via that IP address. Just have to put an entry in /etc/hosts on my laptop and point that floating IP to my.domain.com and that's it. I guess you are looking for a way to "sandbox" mail server to a specific IP somehow. We don't have a way to do this in Cloudron. I can move this to Feature Requests. But also, it might be easier to just create another VM and run mail on the other VM? Security wise , this is the easiest and cleanest instead of writing a lot of code to make sure mail server and dashboard despite being on the same server don't step on each other (networking wise).