Using Cloudron Email with external mail gateway

I am trialling the use of an external mail gateway in front of my Cloudron mail server to gain some benefits I feel I am lacking when comparing it with the "big ones" (M$ etc):

• Advanced spam filtering
• Malware and phishing prevention
• Mail archiving (because compliance)
• Backup in case of server issues

I found EuropeanMX, who are based in Germany and offer transparent pricing and a free 30 day trial. What's your experience with them or other mailgateway's?

I will amend my Cloudron's email server to stop messing up the DNS by turning off domain management by setting it to manual. That's on the mail server only, not the other Cloudrons.

Before I embark on that journey, let me ask what's the "right way" of doing this?

"Good news everyone!"

I am in the unfortunate position to have two powerful, dedicated cloudrons that are only slowly filling up with customer websites, so I have to sell app space at a ridiculously low price to breakeven for now

The servers are EX44s with Hetzner in the FSN1 data center and have IPv4 and 6 connected, with dedicated IPs available for a small surcharge.

If you are looking to host apps - drop me a DM with your requirements and I'll give you a Cloudron Forum Member special price (with invoice, BACS/SEPA/card).

Questions? Fire away, I'll be happy to answer them.

PS: I didn't read the rulez and this is definelty not an ad but, if I shall have summoned the wrath of the mods, please allow me to humbly apologise and offer 5 apps FREE to atone.

Thank you. I am using Option 1 for now, which should stop anyone from abusing the system, right? :-s

Thanks guys

Sorry James, that template is a little unwieldly for a realtively simple issuee that's not a bug or defect.

My version is v8.3.2 (Ubuntu 24.04.3 LTS).

Thanks James!

X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-13) on 65fd54c98676
X-Spam-Status: No, score=-1.5 required=5.0 tests=RCVD_IN_MSPIKE_H4,
	SPF_HELO_NONE autolearn=ham autolearn_force=no version=4.0.0

Just got another junk mail and checked the headers... how is this able to get through?

Why does Spamassasin think it's HAM?!

My Mail ACL:

af32dc754d25b4724678102fd983c597.combined.mail.abusix.zone
zen.spamhaus.org
bl.mailspike.net
noptr.spamrats.com
bl.0spam.org
dnsbl.sorbs.net
black.junkemailfilter.com
all.spamrats.com

My custom spamassassin rules:

# Allow emails from mural.co and muralapp.co domains
# Using whitelist_from_rcvd for secure validation (checks both sender and relay)
whitelist_from_rcvd *@mural.co mural.co
whitelist_from_rcvd *@mural.co *.mural.co
whitelist_from_rcvd *@muralapp.co muralapp.co
whitelist_from_rcvd *@muralapp.co *.muralapp.co

# Fallback header-based rule (if relay validation fails)
header LOCAL_ALLOW_MURAL_FROM From =~ /\@(mural|muralapp)\.co$/i
score LOCAL_ALLOW_MURAL_FROM -5.0
describe LOCAL_ALLOW_MURAL_FROM Email from trusted mural.co or muralapp.co domains

# scoring BAYES
score BAYES_00 -5.0
score BAYES_05 -4.0
score BAYES_20 1.0
score BAYES_40 2.0
score BAYES_50 2.5
score BAYES_60 3.0
score BAYES_80 3.5
score BAYES_95 4.0
score BAYES_99 4.5
score BAYES_999 2.0

# scoring DNSBLs & DNSWLs
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_BLOCKED 0
score RCVD_IN_DNSWL_HI -6.0
score RCVD_IN_DNSWL_LOW -2.0
score RCVD_IN_DNSWL_MED -4.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_HOSTKARMA_BL 2.0
score RCVD_IN_HOSTKARMA_BR 0.5
score RCVD_IN_HOSTKARMA_W -5.0
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 -0.5
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L3 0.5
score RCVD_IN_MSPIKE_L4 2.0
score RCVD_IN_MSPIKE_L5 3.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 2.0
score RCVD_IN_PBL 3.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SBL_CSS 3.0
score RCVD_IN_SPAMRATS_DYNA 2.0
score RCVD_IN_SPAMRATS_NOPTR 2.0
score RCVD_IN_SPAMRATS_SPAM 3.0
score RCVD_IN_XBL 3.0
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.5
score URIBL_BLACK 4.5
score URIBL_CR_SURBL 3.5
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_MALW 3.0
score URIBL_DBL_ABUSE_PHISH 3.0
score URIBL_DBL_ABUSE_REDIR 1.0
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_ERROR 0.0
score URIBL_DBL_MALWARE 3.0
score URIBL_DBL_PHISH 3.0
score URIBL_DBL_SPAM 3.0
score URIBL_GREY 1.0
score URIBL_MW_SURBL 3.5
score URIBL_PH_SURBL 3.5
score URIBL_RED 0.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 3.0
score URIBL_SBL_A 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0

# scoring DKIM & SPF
score DKIM_INVALID 1.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score DKIMWL_BL 3.0
score DKIMWL_WL_HIGH -3.5
score DKIMWL_WL_MED -2.5
score DKIMWL_WL_MEDHI -3.0
score FORGED_SPF_HELO 3.0
score SPF_FAIL 1.5
score SPF_HELO_FAIL 1.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS 0.0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS 0.0
score SPF_SOFTFAIL 1.5
score USER_IN_DEF_DKIM_WL -5.0

# scoring HTML
score HTML_FONT_LOW_CONTRAST 0.5
score HTML_IMAGE_ONLY_04 1.0
score HTML_IMAGE_ONLY_08 1.0
score HTML_IMAGE_ONLY_12 1.0
score HTML_IMAGE_ONLY_16 1.5
score HTML_IMAGE_ONLY_20 1.5
score HTML_IMAGE_ONLY_24 2.0
score HTML_IMAGE_ONLY_28 2.5
score HTML_IMAGE_ONLY_32 3.0
score HTML_IMAGE_RATIO_02 0.0
score HTML_IMAGE_RATIO_04 0.0
score HTML_IMAGE_RATIO_06 0.0
score HTML_IMAGE_RATIO_08 0.0
score HTML_MESSAGE 0.0
score HTML_MIME_NO_HTML_TAG 0.5
score HTML_SHORT_LINK_IMG_1 2.5
score HTML_SHORT_LINK_IMG_2 1.5
score HTML_SHORT_LINK_IMG_3 0.5

# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 0.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HEADERS 2.0
score MISSING_SUBJECT 1.0

# scoring FREEMAIL
score FREEMAIL_ENVFROM_END_DIGIT 0.5
score FREEMAIL_FORGED_REPLYTO 1.0
score FREEMAIL_FROM 0
score FREEMAIL_REPLY 0.5
score FREEMAIL_REPLYTO 0.5
score FREEMAIL_REPLYTO_END_DIGIT 0.5

# additional scoring tweaks
score HELO_DYNAMIC_SPLIT_IP 3.0
score LOTS_OF_MONEY 0.5
score MPART_ALT_DIFF 0.5
score MPART_ALT_DIFF_COUNT 0.5
score RDNS_NONE 0.5
score T_FILL_THIS_FORM_SHORT 0.5
score UNPARSEABLE_RELAY 0.5

# add JunkEmailFilter HostKarma DNSBL & DNSWL
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal','127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net

# add Spamrats DNSBL
header __RCVD_IN_SPAMRATS eval:check_rbl('spamrats-lastexternal','all.spamrats.com.')
describe __RCVD_IN_SPAMRATS SPAMRATS: sender is listed in SpamRats
tflags __RCVD_IN_SPAMRATS net
reuse __RCVD_IN_SPAMRATS
header RCVD_IN_SPAMRATS_DYNA eval:check_rbl_sub('spamrats-lastexternal','127.0.0.36')
describe RCVD_IN_SPAMRATS_DYNA RATS-Dyna: sent directly from dynamic IP address
tflags RCVD_IN_SPAMRATS_DYNA net
reuse RCVD_IN_SPAMRATS_DYNA
header RCVD_IN_SPAMRATS_NOPTR eval:check_rbl_sub('spamrats-lastexternal','127.0.0.37')
describe RCVD_IN_SPAMRATS_NOPTR RATS-NoPtr: sender has no reverse DNS
tflags RCVD_IN_SPAMRATS_NOPTR net
reuse RCVD_IN_SPAMRATS_NOPTR
header RCVD_IN_SPAMRATS_SPAM eval:check_rbl_sub('spamrats-lastexternal','127.0.0.38')
describe RCVD_IN_SPAMRATS_SPAM RATS-Spam: sender is a spam source
tflags RCVD_IN_SPAMRATS_SPAM net
reuse RCVD_IN_SPAMRATS_SPAM

Ref. https://docs.cloudron.io/packages/adguard-home/#security

I'm struggling with this and like to only permit VPN clients to connect to adguard. Somehow I am messing this up.

Can somebody (you?) share their examples, please.

My current config is port 53 is open, no blocking of anything in adguard.

I can see one client connecting, which is the internal vpn server IP, and I cannot identify individual clients. I have two clients on the vpn for now.

I want to be able to identify these clients and permit them. I also want to be able to use the private dns option on android although that's not strictly required since I will be on the vpn or at home or office.

My concern is that since 53 is open, people may abuse the service.

I have tried setting the server's IP and the two VPN subnets to the allow list but I was unable to connect to the adguard for resolving dns queries from the vpn clients.

Yes, that did it! Thanks Nebulon.

Platform Version: v8.3.2 (Ubuntu 24.04.3 LTS)

Tried different browsers and clearing cookies. It's the same issue in every app.

What could it be?

Thank you, @joseph. I appreciate that and happy to play guineapig if it helps

Thanks for attaching my license. How can we let the old annual license expire now?

Ha! Yes, and no. Let me explain:

The one plugin to use, which is entirely free(!), is Litespeed caching for WordPress. It works regardless of you running OLS too, bar the direct tie-in to the caching service.

With that and Cloudflare caching, I get to nearly 100% on pagespeed.web.dev, even for crappy sites with terrible themes.

With OLS as a stack, I can probably get a lot more websites onto the same server without impacting on performance. Probably around 40% more according to some research I did.

Interestingly, plain WordPress, with its stock themes and without Redis and Cloudflare get's nearly 100% on pagespeed.web.dev. At least in my testing, it suggests that the quality of the theme and plugins in use play a critical role. If only customers paid attention to that and spent money wisely with decent web devs instead of buying dodgy themes and plugins ;D

What's your experience? Why do you want OLS?

@joseph said in Hot take on upgrading and licensing:

@3246 did I get this right? you set up a subscription first at cloudron.io with name A. But later, you installed a new server with name B. Now, if you had set up the new server with the same name A, there is logic to attach any license automatically. But since the new server name is different, it is just put on the free plan.

Sorry, what? My brain just tied itself in a knot

I created a new server A, logged in and upgraded from free to paid business license.

Then I set up a new server, installed Cloudron, logged in to .io and have no idea how to add the license I have to that new server. The business license covers three servers, so I want to attach it to two more servers.

What I did afterwards, was to reinstall the server and run cloudron-setup --setup-token <token>. However, it reinstalled Cloudron with the free license.

What's the correct way to provision a new, additional server and attach it to the business license?

Thanks @joseph, the domains are different: <servername>.bebraver.net if that makes sense?

Fun fact, it just set up a free license again o.O

I can't see an option to add this new cloudron to my existing license. Why is this so hard!

Not one for reviving dead corpses, I beg your patience and hearing me out in this new post about #OpenLiteSpeed #WordPress and such.

Are you not interested in at least an LAMP stack app variant with OpenLiteSpeed? (please cast your votes below)

I have just finished a docker stack serving as a container for housing WordPress and could apply this to a custom Cloudron app. I have a little experience now after cobbling together a couple earlier this year, and happy to try my hand at turning my docker compose into a Cloudron app.

Hi @girish et al,

I have belatedly signed up for the Business License and getting confused setting up my servers.

I normally install base Ubuntu and run ./cloudron-setup, however when I login to my Cloudron.io account it appears that the 'upgrade' button for its license wants me to sign up to yet another Business License.

Perhaps my neurodiverse brain is too diverse to comprehend this but I expected to just assign my existing license.

I am reinstalling my bare metal server, and will run the suggested ./cloudron-setup --setup-token <licensekey>. Hopefully, this will result in the server being added to the existing license.

Should I have logged-in first and then pressed the blue button in the top right instead?

Hey @scooke are you restoring from backup by any chance? If so, just give it time

If not, you can check the https://docs.cloudron.io/apps/#troubleshooting or https://docs.cloudron.io/troubleshooting/#troubleshooting-tool

Mystery solved! https://forum.cloudron.io/post/35426