We need the Matrix Authentication Service (MAS)

I did some digging, this is what I think is needed:

The current package uses:

• Synapse v1.144.0 (which is compatible - MAS requires v1.136.0+)
• Cloudron OIDC for SSO (traditional OIDC provider approach)
• PostgreSQL as the database
• Standard Matrix authentication endpoints

What MAS Integration Requires
MAS is fundamentally different from traditional OIDC - it's not just another identity provider, but a complete replacement for Synapse's internal authentication system per MSC3861. It needs:

1. MAS Service Deployment

• MAS needs to run as a separate service (not just a config change)
• It requires its own separate PostgreSQL database
• It needs its own domain/subdomain (e.g., auth.matrix.example.com)
• Docker image: ghcr.io/element-hq/matrix-authentication-service:latest

2. MAS Configuration Requirements

• Encryption secrets and signing keys (RSA minimum)
• Connection to Synapse via shared secret
• Database configuration for its own PostgreSQL database
• HTTP listener configuration
• Email configuration for password recovery
• Policy configuration (WASM file)

3. Synapse Configuration Changes
Replace traditional OIDC with matrix_authentication_service section:

matrix_authentication_service:
  enabled: true
  endpoint: http://mas-internal:8080/
  secret: "SharedSecretWithMAS"

4. Reverse Proxy Changes
These Matrix endpoints must be routed to MAS (not Synapse):

• /_matrix/client/*/login
• /_matrix/client/*/logout
• /_matrix/client/*/refresh

5. User Migration (For Existing Deployments)
MAS includes syn2mas tool to migrate:

• Existing password hashes (bcrypt → argon2id)
• Sessions and devices
• Access tokens
• Upstream IdP mappings

I packaged the Matrix Signal Bridge

Repo: https://git.due.ren/andreas/mautrix-signal-cloudron
Image: andreasdueren/mautrix-signal:1.0.2

@Eliahou I packaged the signal bridge and now wanted to see how I can make encryption work.

Root Cause: Synapse 1.141+ explicitly blocks appservice users from using /sync. The mautrix bridges were configured to poll /sync for encryption data, which caused HTTP 500 errors.
Solution: Enabled appservice mode for end-to-bridge encryption, which uses MSC3202/MSC2409 to receive encryption data via appservice transactions instead of /sync.

In specific this means:

Changes Made

1. Synapse:
   • Added experimental features to homeserver.yaml:

           experimental_features:
                 msc3202_transaction_extensions: true
                 msc2409_to_device_messages_enabled: true

• Added org.matrix.msc3202: true to both bridge registration files

2. Signal Bridge:
   • Updated start.sh to set encryption.appservice = true
   • Built and deployed andreasdueren/mautrix-signal:1.0.2
3. WhatsApp Bridge:
   • Updated start.sh to set encryption.appservice = true
   • Built and deployed andreasdueren/mautrix-whatsapp:2.0.2

Does anyone know if Bitwarden Lite includes the secrets manager? That would be an argument.

@Grienauer You need to put it into recovery mode, execure the script, take it out of it again

@james this won’t fix the issue of logging everyone out though I assume?

Edit: just saw the newest update.

Should be trivial to package. But what would be the benefits over vaultwarden?

I packaged this so I could test it:

https://git.due.ren/andreas/blinko-cloudron
andreasdueren/blinko-cloudron:20251230-014843-727262a70

Looks like it's a larger upgrade with various issues

• Main Page: https://www.notifuse.com/
• Git: https://github.com/Notifuse/notifuse
• Licence: GNU Affero General Public License v3.0
• Dockerfile: Yes
• Demo: https://demo.notifuse.com/console/signin?email=demo@notifuse.com

---

• Summary: Notifuse is a modern, self-hosted emailing platform that allows you to send newsletters and transactional emails at a fraction of the cost.

---

• Notes: modern go/react implementation of a newsletter software, similar feature set as listmonk but better UI

---

• Alternative to: Mailchimp, Brevo, Mailjet, Listmonk, Mailerlite, Klaviyo...
• Screenshots:

Key Features

Email Marketing

• Visual Email Builder: Drag-and-drop editor with MJML components and real-time preview
• Campaign Management: Create, schedule, and send targeted email campaigns
• A/B Testing: Optimize campaigns with built-in testing for subject lines, content, and send times
• List Management: Advanced subscriber segmentation and list organization
• Contact Profiles: Rich contact management with custom fields and detailed profiles

Developer-Friendly

• Easy Setup: Interactive setup wizard for quick deployment and configuration
• Transactional API: Powerful REST API for automated email delivery
• Webhook Integration: Real-time event notifications and integrations
• Liquid Templating: Dynamic content with variables like {{ contact.first_name }}
• Multi-Provider Support: Connect with Amazon SES, Mailgun, Postmark, Mailjet, SparkPost, and SMTP

Analytics & Insights

• Open & Click Tracking: Detailed engagement metrics and campaign performance
• Real-time Analytics: Monitor delivery rates, opens, clicks, and conversions
• Campaign Reports: Comprehensive reporting and analytics dashboard

Advanced Features

• S3 File Manager: Integrated file management with CDN delivery
• Notification Center: Centralized notification system for your applications
• Responsive Templates: Mobile-optimized email templates
• Custom Fields: Flexible contact data management
• Workspace Management: Multi-tenant support for teams and agencies

️ Architecture

Notifuse follows clean architecture principles with clear separation of concerns:

Backend (Go)

• Domain Layer: Core business logic and entities (internal/domain/)
• Service Layer: Business logic implementation (internal/service/)
• Repository Layer: Data access and storage (internal/repository/)
• HTTP Layer: API handlers and middleware (internal/http/)

Frontend (React)

• Console: Admin interface built with React, Ant Design, and TypeScript (console/)
• Notification Center: Embeddable widget for customer notifications (notification_center/)

It's really a matter of taste. I have also SOGo installed, mainly because it enables active-sync.

@robi didn’t find any when I tried to investigate. But since it’s pretty much stored in plain text on the other side I decided I may as well store it plain text on mine. Encryption and bridges/bots are just not a good fit

@Eliahou unfortunately I can’t really help you with this because I’m running it unencrypted on my side. But yes when I used it a while ago with encryption I had similar errors.

@sponch Is everything working?

@sponch No problem!

@sponch You have to tap the onboarding screen 7 times and then enter your ente server

@girish I think I'm running into the same issue here. Now on 9.0.15 and a few days ago my turn monitor stopped working. I hadn't had time to check why that was but I also noticed another application doesn't process cron based jobs anymore.

Updated Ente Package to use latest upstream images: andreasdueren/ente-cloudron:0.5.9

Still haven't been able to get Ente Locker working but the documentation is basically non-existant.

Updated bridge to v25.12

andreasdueren/mautrix-whatsapp-cloudron:1.2.4

Update to 0.25.7. Image at andreasdueren/affine-cloudron --tag 0.25.7-1