Stalwart Mail Server on Cloudron - Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)

• Main Page: https://stalw.art/
• Git: https://github.com/stalwartlabs/mail-server
• Licence: AGPL v3 & SELv1 for some features
• Docker: Yes
• Documentation: https://stalw.art/docs/install/docker
• Demo: link

---

• Summary: Stalwart Mail Server is an open-source mail server solution with SMTP, JMAP, IMAP4, and POP3 support and a wide range of modern features. It is written in Rust and aims to be secure, fast, robust and scalable.

---

• Notes: Modern Mail server implementation with security features like Encryption at rest with S/MIME or OpenPGP

---

Key features:

• JMAP, IMAP4, POP3 and ManageSieve server:
  • JMAP server with Sieve Scripts, WebSocket, Blob Management and Quotas extensions.
  • IMAP4rev2 and IMAP4rev1 server with support for numerous extensions.
  • POP3 server with extensions, STLS and SASL support.
  • ManageSieve server for managing Sieve scripts.
• SMTP server:
  • Built-in DMARC, DKIM, SPF and ARC support for message authentication.
  • Strong transport security through DANE, MTA-STS and SMTP TLS reporting.
  • Inbound throttling and filtering with granular configuration rules, sieve scripting, MTA hooks and milter integration.
  • Distributed virtual queues with delayed delivery, priority delivery, quotas, routing rules and throttling support.
  • Envelope rewriting and message modification.
• Built-in Spam and Phishing filter:
  • Comprehensive set of filtering rules on par with popular solutions.
  • LLM-driven spam filtering and message analysis.
  • Statistical spam classifier with automatic training capabilities.
  • DNS Blocklists (DNSBLs) checking of IP addresses, domains, and hashes.
  • Collaborative digest-based spam filtering with Pyzor.
  • Phishing protection against homographic URL attacks, sender spoofing and other techniques.
  • Trusted reply tracking to recognize and prioritize genuine e-mail replies.
  • Sender reputation monitoring by IP address, ASN, domain and email address.
  • Greylisting to temporarily defer unknown senders.
  • Spam traps to set up decoy email addresses that catch and analyze spam.
• Flexible and scalable:
  • Pluggable storage backends with RocksDB, FoundationDB, PostgreSQL, mySQL, SQLite, S3-Compatible, Redis and ElasticSearch support.
  • Clustering support with node autodiscovery and partition-tolerant failure detection.
  • Full-text search available in 17 languages.
  • Sieve scripting language with support for all registered extensions.
  • Email aliases, mailing lists, subaddressing and catch-all addresses support.
  • Automatic account configuration and discovery with autoconfig and autodiscover.
  • Multi-tenancy support with domain and tenant isolation.
  • Disk quotas per user and tenant.
• Secure and robust:
  • Encryption at rest with S/MIME or OpenPGP.
  • Automatic TLS certificate provisioning with ACME using TLS-ALPN-01, DNS-01 or HTTP-01 challenges.
  • Automated blocking of IP addresses that attack, abuse or scan the server for exploits.
  • Rate limiting.
  • Security audited (read the report).
  • Memory safe (thanks to Rust).
• Authentication and Authorization:
  • OpenID Connect authentication.
  • OAuth 2.0 authorization with authorization code and device authorization flows.
  • LDAP, OIDC, SQL or built-in authentication backend support.
  • Two-factor authentication with Time-based One-Time Passwords (2FA-TOTP)
  • Application passwords (App Passwords).
  • Roles and permissions.
  • Access Control Lists (ACLs).
• Observability:
  • Logging and tracing with OpenTelemetry, journald, log files and console support.
  • Metrics with OpenTelemetry and Prometheus integration.
  • Webhooks for event-driven automation.
  • Alerts with email and webhook notifications.
  • Live tracing and metrics.
• Web-based administration:
  • Dashboard with real-time statistics and monitoring.
  • Account, domain, group and mailing list management.
  • SMTP queue management for messages and outbound DMARC and TLS reports.
  • Report visualization interface for received DMARC, TLS-RPT and Failure (ARF) reports.
  • Configuration of every aspect of the mail server.
  • Log viewer with search and filtering capabilities.
  • Self-service portal for password reset and encryption-at-rest key management.

---

• Screenshots:

I got photos and auth working. What still needs to be done:

• Make CLI work to increase storage quota
• Set up OTT to be sent via E-Mail
• Implement option to use multiple s3 backends for redundancy
• Check Accounts app

I have a working package of ente for cloudron.

You can use my docker image with andreasdueren/ente-cloudron --tag 0.4.5

Currently these are the limitations/quirks:

• admins need to manually set up Aliases for the following sub domains: family, albums, cast, auth and accounts
• the actual user IP addresses aren't passed into the log by caddy. Right now the Dockerfile installs the Debian-packaged Caddy that ships with cloudron/base:5.0.0, which is why the optional modules aren’t present. If we want http.handlers.realip, we would need to build Caddy ourselves and bundle that binary instead of apt-getting the stock one.
• I have only tested this package with one s3 zone. Replication should be working but I haven't had time to test it.
• In general this application relies heavily on the CLI for user management. This includes increasing storage quota. It should work, but again haven't had much time to test.

@avatar1024 said in Nextcloud Talk high-performance back-end:

I'm just wondering in light of the Jitsi situation (i.e. hard to update), whether it might be worth reviving this thread starting with the package @doodlemania2 made? Or if any other video call app might be simpler to package and maintain on Cloudron (e.g. @Kubernetes made an initial package for MiroTalk but I've got no clue how it compares with Jitsi or NC talk)

For everyone who wants to host it themselves without too much hassle, I have been successfully using this build on a standalone server for some months now: https://github.com/sunweaver/nextcloud-high-performance-backend-setup

I think this is ready for an unstable release: andreasdueren/ente-cloudron:0.5.3

I tested and fixed:

• Upload with the mobile app
• The CLI/increasing storage quota
• httpPorts feature for automatic sub domain setup

Updated Elastic to v9.1.5
https://git.due.ren/andreas/elasticsearch-cloudron/releases/tag/v9.1.5

Looks like they have expanded the documentation for self-hosting: https://help.ente.io/self-hosting/

This is now called Spacebar https://github.com/spacebarchat

I spun up a test instance and it looks really polished and fast. I'm not a developer but seems to be fairly simple with few dependencies. Written in rust, PostgreSQL support.

Absolute extensive feature list, including encryption at rest, E-Mail delivery debugging, telemetry and much more.

Most if not all things can be configured in the GUI after setup. The biggest Problem at that point really is locking down the server against improper use, which is something cloudron already does pretty well. I'd love to see this in the App Store.

Currently attempting to package this. Frontend and backend are loading but not connecting to each other yet. Will have to investigate when I have a little time.

I packaged it and seems to work without issues: https://git.due.ren/andreas/keila-cloudron Happy about testers for feedback.

I could use some help with this packaging attempt (just ignore the messy code). I can not get encryption working for some reason. This may have something to do with my current matrix installation so I'd be interested in someone else's expertise and experience

@girish I know we have talked about this before, you said that a lot of these are hardcoded (Like the app offline page). But it would be nice to be able to modify these without having them overwritten on updates.

• Main Page: https://openobserve.ai
• Git: https://github.com/openobserve/openobserve
• Licence: AGPL-3.0
• Docker: Yes
• Demo

---

Summary: OpenObserve (O2 for short) is a cloud-native observability platform built specifically for logs, metrics, traces, analytics, RUM (Real User Monitoring - Performance, Errors, Session Replay) designed to work at petabyte scale.

---

Notes: Looks like a nice, lightweight logging solution built in rust.

I was able to get a working package going pretty easily (subject to more testing).

---

OpenObserve serves as a seamless replacement for Elasticsearch for users who ingest data using APIs and perform searches. OpenObserve comes with its own user interface, eliminating the need for separate installation.

You can reduce your log storage costs by ~140x compared to Elasticsearch by using OpenObserve. Below, we present the results from pushing logs from our production Kubernetes cluster to both Elasticsearch and OpenObserve using Fluent Bit.

Introduction Video

Features:

• Logs, Metrics, Traces: Comprehensive support for various data types.
• OpenTelemetry Support: Full compatibility with OTLP for logs, metrics, and traces.
• Real User Monitoring (RUM): Includes performance tracking, error logging, and session replay.
• Dashboards, Reports, Alerts: Features over 18 different chart types for comprehensive data visualization for on-the-fly analysis and reporting along with alerting.
• Pipelines: Enrich, redact, reduce, normalize data on the fly. Stream processing for logs to metrics and more.
• Advanced Embedded GUI: Intuitive and user-friendly interface.
• SQL and PromQL Support: Query logs and traces with SQL, and metrics with SQL and PromQL.
• Single Binary or HA Installation: Install using a single binary for small deployments or in HA mode for large deployments.
• Versatile Storage Options: Supports local disk, S3, MinIO, GCS, Azure Blob Storage.
• High Availability and Clustering: Ensures reliable and scalable performance.
• Dynamic Schema: Adapts to your data structure seamlessly.
• Built-in Authentication: Secure and ready to use.
• Ease of Operation: Designed for simplicity and efficiency.
• Seamless Upgrades: Hassle-free updates.
• Multilingual UI: Supports 11 languages, including English, Spanish, German, French, Chinese, and more.

For a full list of features, check the documentation.

Screenshots

Home

Logs

Traces (OpenTelemetry)

Trace details page

Golden metrics based on traces

Visualizations and Dashboards

Front end monitoring

Performance analytics

Session replay

Error tracking

Alerts

Streams

Ingestion

Pipeline

Pipeline

Function

IAM

SSO (Single Sign On)

RBAC (Role Based Access Control)

@scooke said in What's coming in Cloudron 9:

@potemkin_ai For fwiw, I immediately distrust companies passing off other's tech as their own. I'm not sure to what degree you refer to when you ask for whitelabeling. If you sell services someone and they understand you are using Cloudron (who in turn is using other available software), and the whitelabeling you mean refers to them paying to be able to put their Company Name where they need it (because Cloudron licencing and tech has made that possible)... is one thing. But, it's another to present yourself as though whatever-makes-it-run has been made by your own hands and not by the Cloudron team, and customers buy your web service because it's made by your own hands, and they still get to put their own company name on it because you allow them too... that's sneaky. Deceptive. Companies that do this are not trustworthy.

Let me emphasize that I'm using the 3rd person "you", and not specifically you @potemkin_ai, especially since I don't know your approach. I'm just sharing my own personal perspective as consumer.

Adding to what @humptydumpty explained, consider the following scenario as a use case:

You are responsible for IT administration in a small organization, so you set up various services via a cloudron instance. But now you have to explain to people you are onboarding (in addition to all the stuff and how it works) what cloudron is (good luck with that) and what it has to do with the cloud you are using.

Whitelabeling solves this by not adding extra terms to user facing interfaces (i.e. log in with Cloudron).

• Main Page: https://freeradius.org/
• Git: https://github.com/FreeRADIUS/freeradius-server
• Licence: GPL-2.0
• Dockerfile: Yes
• Demo: link

---

• Summary:

The FreeRADIUS Server Project is a high performance and highly configurable multi-protocol policy server, supporting RADIUS, DHCPv4 DHCPv6, DNS, TACACS+ and VMPS. It is available under the terms of the GNU GPLv2. Using RADIUS allows authentication and authorization for a network to be centralized, and minimizes the number of changes that have to be done when adding or deleting new users to a network.

FreeRADIUS can authenticate users on systems such as 802.1x (WiFi), dialup, PPPoE, VPN's, VoIP, and many others. It supports back-end databases such as MySQL, PostgreSQL, Oracle, Microsoft Active Directory, Apache Cassandra, Redis, OpenLDAP, and many more. It is used daily to authenticate the Internet access for hundreds of millions of people, in sites ranging from 10 to 10 million+ users.

---

• Notes: A niche that hasn't been served yet. Could be interesting to bridge between SSO via Cloudron to use RADIUS with LDAP to use the same auth for a business wifi.

---

• Main Page: https://reacher.email/
• Git: https://github.com/reacherhq
• Licence: AGPL-3.0
• Dockerfile: Yes
• Demo: link

---

• Summary: Reacher is an open-source email verification API. You can use Reacher to ensure the deliverability of your emails, clean your email lists, and prevent bounces. The API supports both individual email checks and bulk verification processes.

---

• Notes: good companion app to Listmonk

---

• Alternative to / Libhunt link: e.g. https://selfhosted.libhunt.com/umap-alternatives
• Screenshots: images, brand logo

@ntnsndr You can add 'hide_login_form' => true, to the config file

@osobo Pretty sure that's hardcoded. But you can simply bypass the screen by running occ config:app:set --value=0 user_oidc allow_multiple_user_backends in the terminal

I'm trying to be more intentional about monitoring load on the HPB during calls. I'll update this posts occasionally with some numbers.

Current setup: Hetzner CPX31 VPS.

2 concurrent users with video:
Max CPU Usage: 5.17%
Max Memory Usage: +-0% from idle
Peak Bandwidth: 0.24MB/s sent, 0.27MB/s recieved

4 concurrent users (3 with video):
Max CPU Usage: 8.5%
Max Memory Usage: +-0% from idle
Peak Bandwidth: 0.86MB/s sent, 0.57MB/s recieved