Nextcloud Talk high-performance back-end

@avatar1024 said in Nextcloud Talk high-performance back-end:

I'm just wondering in light of the Jitsi situation (i.e. hard to update), whether it might be worth reviving this thread starting with the package @doodlemania2 made? Or if any other video call app might be simpler to package and maintain on Cloudron (e.g. @Kubernetes made an initial package for MiroTalk but I've got no clue how it compares with Jitsi or NC talk)

For everyone who wants to host it themselves without too much hassle, I have been successfully using this build on a standalone server for some months now: https://github.com/sunweaver/nextcloud-high-performance-backend-setup

Looks like they have expanded the documentation for self-hosting: https://help.ente.io/self-hosting/

• Main Page: https://stalw.art/
• Git: https://github.com/stalwartlabs/mail-server
• Licence: AGPL v3 & SELv1 for some features
• Docker: Yes
• Documentation: https://stalw.art/docs/install/docker
• Demo: link

---

• Summary: Stalwart Mail Server is an open-source mail server solution with SMTP, JMAP, IMAP4, and POP3 support and a wide range of modern features. It is written in Rust and aims to be secure, fast, robust and scalable.

---

• Notes: Modern Mail server implementation with security features like Encryption at rest with S/MIME or OpenPGP

---

Key features:

• JMAP, IMAP4, POP3 and ManageSieve server:
  • JMAP server with Sieve Scripts, WebSocket, Blob Management and Quotas extensions.
  • IMAP4rev2 and IMAP4rev1 server with support for numerous extensions.
  • POP3 server with extensions, STLS and SASL support.
  • ManageSieve server for managing Sieve scripts.
• SMTP server:
  • Built-in DMARC, DKIM, SPF and ARC support for message authentication.
  • Strong transport security through DANE, MTA-STS and SMTP TLS reporting.
  • Inbound throttling and filtering with granular configuration rules, sieve scripting, MTA hooks and milter integration.
  • Distributed virtual queues with delayed delivery, priority delivery, quotas, routing rules and throttling support.
  • Envelope rewriting and message modification.
• Built-in Spam and Phishing filter:
  • Comprehensive set of filtering rules on par with popular solutions.
  • LLM-driven spam filtering and message analysis.
  • Statistical spam classifier with automatic training capabilities.
  • DNS Blocklists (DNSBLs) checking of IP addresses, domains, and hashes.
  • Collaborative digest-based spam filtering with Pyzor.
  • Phishing protection against homographic URL attacks, sender spoofing and other techniques.
  • Trusted reply tracking to recognize and prioritize genuine e-mail replies.
  • Sender reputation monitoring by IP address, ASN, domain and email address.
  • Greylisting to temporarily defer unknown senders.
  • Spam traps to set up decoy email addresses that catch and analyze spam.
• Flexible and scalable:
  • Pluggable storage backends with RocksDB, FoundationDB, PostgreSQL, mySQL, SQLite, S3-Compatible, Redis and ElasticSearch support.
  • Clustering support with node autodiscovery and partition-tolerant failure detection.
  • Full-text search available in 17 languages.
  • Sieve scripting language with support for all registered extensions.
  • Email aliases, mailing lists, subaddressing and catch-all addresses support.
  • Automatic account configuration and discovery with autoconfig and autodiscover.
  • Multi-tenancy support with domain and tenant isolation.
  • Disk quotas per user and tenant.
• Secure and robust:
  • Encryption at rest with S/MIME or OpenPGP.
  • Automatic TLS certificate provisioning with ACME using TLS-ALPN-01, DNS-01 or HTTP-01 challenges.
  • Automated blocking of IP addresses that attack, abuse or scan the server for exploits.
  • Rate limiting.
  • Security audited (read the report).
  • Memory safe (thanks to Rust).
• Authentication and Authorization:
  • OpenID Connect authentication.
  • OAuth 2.0 authorization with authorization code and device authorization flows.
  • LDAP, OIDC, SQL or built-in authentication backend support.
  • Two-factor authentication with Time-based One-Time Passwords (2FA-TOTP)
  • Application passwords (App Passwords).
  • Roles and permissions.
  • Access Control Lists (ACLs).
• Observability:
  • Logging and tracing with OpenTelemetry, journald, log files and console support.
  • Metrics with OpenTelemetry and Prometheus integration.
  • Webhooks for event-driven automation.
  • Alerts with email and webhook notifications.
  • Live tracing and metrics.
• Web-based administration:
  • Dashboard with real-time statistics and monitoring.
  • Account, domain, group and mailing list management.
  • SMTP queue management for messages and outbound DMARC and TLS reports.
  • Report visualization interface for received DMARC, TLS-RPT and Failure (ARF) reports.
  • Configuration of every aspect of the mail server.
  • Log viewer with search and filtering capabilities.
  • Self-service portal for password reset and encryption-at-rest key management.

---

• Screenshots:

@girish I know we have talked about this before, you said that a lot of these are hardcoded (Like the app offline page). But it would be nice to be able to modify these without having them overwritten on updates.

This is now called Spacebar https://github.com/spacebarchat

I found it to be pretty easy to get my IPs whitelisted after receiving fresh ones from Hetzner. Just write the admins every time an email fails to pass and let them know you just purchased it

I’m using it in Nextcloud with collabora which works well

@girish personally I would enjoy the option to limit the E-Mail manager to the groups they are part of. For example some clients use so little resources like only a website with E-Mail that it doesn’t make sense to give them a dedicated server but instead put a few on the same.

Now it would be nice if they could configure their own emails without being able to see let alone change the configuration of others.

@jadudm Fair and not a problem. I'm just a little bit disappointed by the lack of communication. If it won't get packaged for a while then a short note would have been sufficient instead of letting people like me guessing whats planned next.

@girish said in Improved global E-Mail signatures:

Is the idea to extend our current global signature to use template/variables (from the authenticated user sending the mail)?

Practically, yes that would be amazing! Variables I would like to be able to use:

First Name
Last Name
Email
Company (Could come from the cloudron branding name)
Job Titles (This would require an addition to the user database
Profile Photo or image url for static images like logos etc.

Commenting because we are probably switching from OpenProject to Leantime.

@girish said in Outline - a Notion-like open source app:

@matbrgz I think we are almost there. With 7.4, we introduce OIDC. In theory, outline supports OIDC but we have to check.

OIDC support in Outlook Outline itself - the situation is quite unclear to me, since it's not documented anywhere clearly. Do you know anything about this?

I was able to get OIDC working without any problems with an instance outside of cloudron using their documentation in the env.example:

# To configure generic OIDC auth, you'll need some kind of identity provider.
# See documentation for whichever IdP you use to acquire the following info:
# Redirect URI is https://<URL>/auth/oidc.callback
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_AUTH_URI=
OIDC_TOKEN_URI=
OIDC_USERINFO_URI=

# Specify which claims to derive user information from
# Supports any valid JSON path with the JWT payload
OIDC_USERNAME_CLAIM=preferred_username

# Display name for OIDC authentication
OIDC_DISPLAY_NAME=OpenID Connect

# Space separated auth scopes.
OIDC_SCOPES=openid profile email

What's not working for you?

F*cking finally lol

@timconsidine I'm currently looking more into shlink which ticks a lot of boxes. It looks like this could potentially run in a lamp stack if no one ports it for cloudron it seems

---

Edit: Seems to run well in a lamp stack. Now my only Problem is that there is no public facing UI and user accounts

@nebulon Thats strange since that is not a suggested env and it's properly rendered on the rallly.co website. I opened a github issue.

@girish said in Customizing static Cloudron pages:

@andreasdueren See https://docs.cloudron.io/branding/#custom-pages to keep things persistent.

What about serving these sites via a surfer instance?

@manngobaum I prefer this client over element as well.

@girish said in How to update/change a package.json in /app/code:

Documented here - https://docs.cloudron.io/apps/directus/#custom-modules

I'd like to propose a change in the documentation here:

Add export EXTENSIONS_PATH="/app/data/node_modules" to the .env
then

# cd /app/data
# HOME=/app/data/ npm i directus-extension-here

then reboot directus

This seems to work fairly reliably. Only one extension I was not able to get to run this way.

@jayonrails I've used these:

Endpoint: fsn1.your-objectstorage.com
Bucket: Bucket Name
Region: left empty
Access Key and secret access key: as per Hetzner
Storage Format: rsync
Encryption password: yes
Encrypt filenames: no

Are there plans to bring ERPNext to cloudron soon so I can use those resources or do I have to set up and pay for another virtual machine? Because my Time is kind of running out on this one and I would rather not migrate again.