RE: Sharing custom SpamAssassin Rules

Latest round of SpamAssassin rules I'm using, if anyone is interested.

The highlights here are just a couple of things:

• A few new sources which come with new rules
• Slight scoring tweaks on just a few rules

Of course, as they say... YMMV.

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_GBUDB 4.5
score RCVD_IN_IADB_DK -0.5
score RCVD_IN_IADB_DOPTIN_GT50 -0.5
score RCVD_IN_IADB_DOPTIN_LT50 -0.5
score RCVD_IN_IADB_EDDB -0.5
score RCVD_IN_IADB_EPIA -0.5
score RCVD_IN_IADB_GOODMAIL -0.5
score RCVD_IN_IADB_LISTED -0.5
score RCVD_IN_IADB_LOOSE -0.5
score RCVD_IN_IADB_MI_CPEAR 0
score RCVD_IN_IADB_MI_CPR_30 0
score RCVD_IN_IADB_MI_CPR_MAT 0.0
score RCVD_IN_IADB_NOCONTROL -0.5
score RCVD_IN_IADB_OOO -0.5
score RCVD_IN_IADB_OPTIN -0.5
score RCVD_IN_IADB_OPTIN_GT50 -0.5
score RCVD_IN_IADB_OPTIN_LT50 -0.5
score RCVD_IN_IADB_OPTOUTONLY -0.5
score RCVD_IN_IADB_RDNS -0.5
score RCVD_IN_IADB_SENDERID -0.5
score RCVD_IN_IADB_SPF -0.5
score RCVD_IN_IADB_UNVERIFIED_1 -0.5
score RCVD_IN_IADB_UNVERIFIED_2 -0.5
score RCVD_IN_IADB_UT_CPEAR 0
score RCVD_IN_IADB_UT_CPR_30 0
score RCVD_IN_IADB_UT_CPR_MAT 0
score RCVD_IN_JMF_BL 2.5
score RCVD_IN_MSPIKE_BL 0.0
score RCVD_IN_MSPIKE_H2 0.0
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -2.0
score RCVD_IN_MSPIKE_H5 -3.0
score RCVD_IN_MSPIKE_L2 1.5
score RCVD_IN_MSPIKE_L3 3.5
score RCVD_IN_MSPIKE_L4 4.5
score RCVD_IN_MSPIKE_L5 5.0
score RCVD_IN_MSPIKE_WL 0.0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_SEM_BACKSCATTER 1.5
score RCVD_IN_SEM_BLACK 3.5
score RCVD_IN_SEM_NET_BLACK 2.5
score RCVD_IN_SORBS_BLOCK 2.5
score RCVD_IN_SORBS_DUL 2.5
score RCVD_IN_SORBS_HTTP 2.5
score RCVD_IN_SORBS_MISC 2.5
score RCVD_IN_SORBS_SMTP 2.5
score RCVD_IN_SORBS_SOCKS 2.5
score RCVD_IN_SORBS_SPAM 2.5
score RCVD_IN_SORBS_WEB 2.5
score RCVD_IN_SORBS_ZOMBIE 2.5
score RCVD_IN_SPAMRATS 2.5
score RCVD_IN_XBL 3.5
score RCVD_IN_ZEN_BLOCKED 0.0
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.0

# scoring URIBLs
score URIBL_ABUSE_SURBL 4.0
score URIBL_BLACK 4.5
score URIBL_CR_SURBL 4.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 3.5
score URIBL_DBL_ABUSE_MALW  3.5
score URIBL_DBL_ABUSE_PHISH 3.5
score URIBL_DBL_ABUSE_REDIR 3.5
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_BLOCKED 0.0
score URIBL_DBL_BLOCKED_OPENDNS 0.0
score URIBL_DBL_BOTNETCC 3.5
score URIBL_DBL_ERROR 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_SPAM 3.5
score URIBL_GREY 1.0
score URIBL_MW_SURBL 4.0
score URIBL_PH_SURBL 4.0
score URIBL_RED 1.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_SEM 3.0
score URIBL_SEM_FRESH30 1.5
score URIBL_WS_SURBL 3.0
score URIBL_ZEN_BLOCKED 0.0
score URIBL_ZEN_BLOCKED_OPENDNS 0.0

# scoring DKIM & SPF
score DKIM_INVALID 1.5
score DKIM_SIGNED 0.0
score DKIM_VALID 0.0
score DKIM_VALID_AU 0.0
score DKIM_VALID_EF 0.0
score DKIM_VERIFIED 0.0
score DKIMWL_BL 3.0
score DKIMWL_WL_HIGH -3.5
score DKIMWL_WL_MED -1.5
score DKIMWL_WL_MEDHI -2.5
score FORGED_SPF_HELO 3.0
score SPF_FAIL 1.5
score SPF_HELO_FAIL 1.5
score SPF_HELO_NEUTRAL 1.0
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS 0.0
score SPF_HELO_SOFTFAIL 1.5
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS 0.0
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -3.0
score BAYES_05  -1.5
score BAYES_20  0.5
score BAYES_40  1.5
score BAYES_50  2.0
score BAYES_60  3.0
score BAYES_80  4.0
score BAYES_95  4.5
score BAYES_99  5.0
score BAYES_999 1.5

# scoring HTML
score HTML_FONT_LOW_CONTRAST 0.5
score HTML_IMAGE_ONLY_04 1.5
score HTML_IMAGE_ONLY_08 2.0
score HTML_IMAGE_ONLY_12 2.0
score HTML_IMAGE_ONLY_16 2.0
score HTML_IMAGE_ONLY_20 2.0
score HTML_IMAGE_ONLY_24 2.5
score HTML_IMAGE_ONLY_28 2.5
score HTML_IMAGE_ONLY_32 3.0
score HTML_IMAGE_RATIO_02 0.0
score HTML_IMAGE_RATIO_04 0.0
score HTML_IMAGE_RATIO_06 0.0
score HTML_IMAGE_RATIO_08 0.0
score HTML_MESSAGE 0.0

# scoring HEADER & MISSING
score HEADER_FROM_DIFFERENT_DOMAINS 0.5
score HEADER_SPAM 2.5
score MISSING_DATE 3.0
score MISSING_FROM 1.5
score MISSING_HB_SEP 0.0
score MISSING_HEADERS 1.5
score MISSING_MID 1.0
score MISSING_MIMEOLE 2.0
score MISSING_SUBJECT 2.0

# scoring FREEMAIL
score FORGED_GMAIL_RCVD 2.5
score FORGED_YAHOO_RCVD 2.5
score FREEMAIL_ENVFROM_END_DIGIT 0.5
score FREEMAIL_FORGED_REPLYTO 1.5
score FREEMAIL_FROM 0
score FREEMAIL_REPLY 1.0
score FREEMAIL_REPLYTO 1.0
score FREEMAIL_REPLYTO_END_DIGIT 0.5
score MALFORMED_FREEMAIL 4.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score BODY_URI_ONLY 1.5
score EMPTY_MESSAGE 1.5
score HELO_DYNAMIC_SPLIT_IP 2.0
score HK_RANDOM_ENVFROM 0.5
score HK_RANDOM_FROM 0.5
score LOTS_OF_MONEY 0.5
score MPART_ALT_DIFF 1.0
score MPART_ALT_DIFF_COUNT 1.5
score NO_DNS_FOR_FROM 0.5
score PDS_TONAME_EQ_TOLOCAL 0.5
score PDS_TONAME_EQ_TOLOCAL_VSHORT 0.5
score RDNS_NONE 1.5
score REPLYTO_WITHOUT_TO_CC 2.5
score UNPARSEABLE_RELAY 0.5
score URI_DQ_UNSUB 2.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmf', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

# add SpamEatingMonkey backscatter DNSBL
header RCVD_IN_SEM_BACKSCATTER eval:check_rbl('sem', 'backscatter.spameatingmonkey.net')
tflags RCVD_IN_SEM_BACKSCATTER net
describe RCVD_IN_SEM_BACKSCATTER Received from an IP listed by SEM-BACKSCATTER

# add SpamEatingMonkey network blacklist DNSBL
header RCVD_IN_SEM_NET_BLACK eval:check_rbl('sem', 'netbl.spameatingmonkey.net')
tflags RCVD_IN_SEM_NET_BLACK net
describe RCVD_IN_SEM_NET_BLACK Received from an IP listed by SpamEatingMonkeys

# add SpamEatingMonkey blacklist DNSBL
header RCVD_IN_SEM_BLACK eval:check_rbl('sem', 'bl.spameatingmonkey.net')
tflags RCVD_IN_SEM_BLACK net
describe RCVD_IN_SEM_BLACK Received from an IP listed by SpamEatingMonkeys

# add SpamEatingMonkey URIBL
urirhssub URIBL_SEM uribl.spameatingmonkey.net. A 2
body URIBL_SEM eval:check_uridnsbl('URIBL_SEM')
describe URIBL_SEM Contains a URI listed by SpamEatingMonkeys
tflags URIBL_SEM net

# add SpamEatingMonkey fresh domain URIBL
urirhssub URIBL_SEM_FRESH30 fresh30.spameatingmonkey.net. A 2
body URIBL_SEM_FRESH30 eval:check_uridnsbl('URIBL_SEM_FRESH30')
describe URIBL_SEM_FRESH30 From a domain registered less than 30 days ago
tflags URIBL_SEM_FRESH30 net

It's been quite a long time since 7.3.2 came out and it seems there are a number of important fixes in 7.3.3 that many are waiting for but I still don't see that out even as a beta release. Is there any ETA for when that will arrive by any chance?

I don't mean to sound like a broken record on it nor do I mean to rush it, I'm just eager to see 7.3.3 as it contains some important fixes and just surprised it hasn't been released yet.

Personally I'm really looking forward to this section of the changelog (though there's plenty of other changes in the list too):

* remove external df module
* Show remaining disk space in usage graph
* Make users and groups available for the new app link dialog
* Show swaps in disk graphs
* disk usage: run once a day
* mail: fix 100% cpu use with unreachable servers
* security: do not password reset mail to cloudron owned mail domain
* logrotate: only keep 14 days of logs
* mail: fix dnsbl count when all servers are removed
* applink: make users and groups available for the new app link dialog

A side note: It may just be me here, but for what it's worth I'm wondering if a bit more frequent release cycle with smaller releases may be helpful here so bug fixes & quality-of-life improvements can get out quicker to users. New features can of course be held back / reserved for more 'major' releases as they'd require more thorough testing. Just something to ponder if you may have been considering that already as I see more and more apps go to that sort of development cycle so that upgrades are less risky for admins while everyone benefits from more frequent bug fixes.

I've been spending a long time lately on spam improvements on the Cloudron mail server. I've made a ton of improvements and while still not perfect (it never will be) it's a giant leap over how it was a few weeks ago.

I already made some updates in the other post on DNSBLs, for anyone who hasn't seen that already.

I've also improved the spam classifications for anything that gets past the DNSBLs. It was already pretty decent at classifying spam that was spam with no false-positives, however there was still a good amount getting to the inbox for some users in particular. I've trained them to use the spam folder and archive folder accordingly to train the filter for their account, but I also made a whole bunch of tweaks in the custom rules to overwrite scoring server-wide.

Tip: You can easily override the default SpamAssassin scores or even create your own rules using the Custom Spam Filtering Rules feature in Cloudron.

I thought I'd share what I have currently which adds in a few new providers as well as increasing the scores from their defaults. Here is what I've got currently and it seems to be working very well for me and my users with no false-positives that I can find and much more in the spam box where they should be. Feel free to adapt of course for your own servers.

The main highlights of the changes I made was the following:

• Increasing the scores for various DNSBLs where appropriate from their defaults
• Increasing the scores for SPF failures but keeping them still reasonable as not ever mail server has setup SPF correctly even if legitimate
• Modifying the scores for the BAYES_ learning ones, scoring them according to their confidence levels (and a bit above the default in most cases)
• Added three new DNSBLs for SpamAssassin (seen at the bottom of the list) which when combined with the overall scoring changes for DNSBLs built-in has provided a noticeable improvement in spam recognition

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_GBUDB 4.0
score RCVD_IN_JMF_BL 3.0
score RCVD_IN_MSPIKE_H3 -2.0
score RCVD_IN_MSPIKE_H4 -3.0
score RCVD_IN_MSPIKE_H5 -3.5
score RCVD_IN_MSPIKE_L3 2.0
score RCVD_IN_MSPIKE_L4 3.0
score RCVD_IN_MSPIKE_L5 3.5
score RCVD_IN_MSPIKE_WL 0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SORBS_BLOCK 2.0
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_HTTP 2.0
score RCVD_IN_SORBS_MISC 2.0
score RCVD_IN_SORBS_SMTP 2.0
score RCVD_IN_SORBS_SOCKS 2.0
score RCVD_IN_SORBS_SPAM 2.0
score RCVD_IN_SORBS_WEB 2.0
score RCVD_IN_SORBS_ZOMBIE 2.0
score RCVD_IN_SPAMRATS 4.0
score RCVD_IN_XBL 3.5
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.5
score RCVD_IN_ZEN_BLOCKED 0.5

# scoring URIBLs
score URIBL_ABUSE_SURBL 3.0
score URIBL_BLACK 3.0
score URIBL_CR_SURBL 3.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 2.0
score URIBL_DBL_ABUSE_MALW  2.0
score URIBL_DBL_ABUSE_PHISH 2.0
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 2.0
score URIBL_DBL_BLOCKED 2.0
score URIBL_DBL_BLOCKED_OPENDNS 2.0
score URIBL_DBL_BOTNETCC 2.0
score URIBL_DBL_ERROR 2.0
score URIBL_DBL_MALWARE 2.0
score URIBL_DBL_PHISH 2.0
score URIBL_DBL_SPAM 2.0
score URIBL_GREY 1.5
score URIBL_MW_SURBL 2.0
score URIBL_PH_SURBL 2.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_WS_SURBL 2.0
score URIBL_ZEN_BLOCKED 2.0
score URIBL_ZEN_BLOCKED_OPENDNS 2.0

# scoring SPF & DKIM
score DKIM_INVALID 1.0
score DKIM_SIGNED -0.5
score DKIM_VALID -0.5
score DKIM_VALID_AU -0.5
score DKIM_VALID_EF -0.5
score DKIM_VERIFIED -1.0
score SPF_FAIL 2.0
score SPF_HELO_FAIL 2.0
score SPF_HELO_NEUTRAL 0.5
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS -0.5
score SPF_HELO_SOFTFAIL 1.0
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS -0.5
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -1.5
score BAYES_05  -1.0
score BAYES_20  -0.5
score BAYES_40  0.5
score BAYES_50  1.0
score BAYES_60  1.5
score BAYES_80  2.0
score BAYES_95  3.0
score BAYES_99  4.5
score BAYES_999 5.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score FREEMAIL_FROM 0.5
score HEADER_FROM_DIFFERENT_DOMAINS 3.5
score HTML_FONT_LOW_CONTRAST 2.0
score HTML_MESSAE 0.5
score LOTS_OF_MONEY 1.5
score MISSING_HEADERS 1.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

I think it'd be great if we could have users connect to mail.<theirDomain> instead of mail.<mainCloudronDomain>. Right now, they need to connect to something like mail.<mainCloudronDomain> instead of their own, which can create confusion and isn't as nice as it could be.

Setting up a CNAME alone isn't doable because the certificate shown by Cloudron mail.<mainCloudronDomain> needs to include the hostnames (via SNI I believe?) that matches the one they'd use in their mail clients such as mail.<theirDomain>.

Would love to see that functionality added to Cloudron along with setting up the CNAME records in all domains which aren't the primary domain so that each user on exampleA.com can connect to mail.exampleA.com instead of mail.<mainCloudronDomain>.

@girish said in What's coming in 7.3:

Updated the changelog if anyone is interested - https://git.cloudron.io/cloudron/box/-/blob/master/CHANGES#L2511

This may be minor, but may I suggest the changelogs be sorted alphabetically so that we can see related changes easier per function (i.e. mail)?

If we did that, not only would it make it easier for admins to read and parse, but the development team could detect duplicate entries in the changelog easier

Note that there are two duplicate entries such as the following:

• mail: fix issue where signature was appended to text attachments
• mail: catch all address can be any domain

Sorted alphabetically:

* Applinks - app bookmarks in dashboard
* IPv6: initial support for ipv6 only server
* Proxied apps
* Randomize certificate generation cronjob to lighten load on Let's Encrypt servers
* UI: fix issue where mailbox display name was not init correctly
* User directory: Cloudron connector uses 2FA auth
* acme: Randomize certificate renewal check over a whole day
* backups: Fix precondition check which was not erroring if mount is missing
* backups: allow space in label name
* backups: optional encryption of backup file names
* eventlog: add event for impersonated user login
* filemanager: add split view
* graphs: cgroup v2 support
* graphs: show app disk usage graphs
* ldap & user directory: Remove virtual user and admin groups
* ldap: remove virtual user and admin groups to ldap user records
* mail: accept only STARTTLS servers for relay
* mail: add queue management API and UI
* mail: add storage quota support
* mail: allow aliases to have wildcard
* mail: catch all address can be any domain
* mail: catch all address can be any domain
* mail: fix crash when solr is enabled on Ubuntu 22 (cgroup v2 detection fix)
* mail: fix issue where certificate renewal did not restart the mail container properly
* mail: fix issue where signature was appended to text attachments
* mail: fix issue where signature was appended to text attachments
* nginx: fix zero length certs when out of disk space
* notification: Fix crash when backupId is null
* port bindings: add read only flag
* proxyAuth: add supportsBearerAuth flag
* redis: restart button will now rebuild if the container is missing
* wasabi: add singapore and sydney regions

Well, I gave myself a fun little short project (took maybe 30 minutes) today where I replaced every app icon in the Dashboard of Cloudron. Here's what it looks like:

I used FlatIcon's website, filtering to Free icons and for Linear Colour as the style. I was surprised at how many fairly accurate icons I could find, even one for my email 'autoconfig' app which I had doubted I'd be able to find a good icon replacement for. Even found separate ones for the two websites which aren't really websites at all but just redirect visitors to another externally hosted website on a different domain (two clients are realtors who just wanted their own short marketing domain name for email and then having the web address forward to their actual realtor's webpage for their own listings), so they're literally just the LAMP app with a single html file which does an immediate redirect.

I may make further changes, or heck I may even revert back to the default app icons in the future, but I thought this was a nice little distraction to change the overall look of the Dashboard by replacing all the app icons with new ones, and ensuring a bit of consistency where possible between them all too so that none of them stood out from others. I think it went fairly well. Just wanted to share to maybe inspire others if they think they'd benefit from some extra bit of flair in their Dashboard.

I think it'd be really useful to have an alternative LAMP app using the LEMP stack instead (basically just replacing Apache with Nginx). If this is possible, it'd be great to see this in the Cloudron App Store alongside the LAMP app.

For context... this thread is what made me want to suggest this idea more formally: https://forum.cloudron.io/topic/5784/apache-vulnerabilities/

In some cases, Nginx can be much more performant than Apache too particularly under heavier loads, so it'd be good to have Nginx as an option instead of only Apache for those who want to really eek out a bit more performance of their web servers.

Some external references supporting this idea of Nginx being a better performer than Apache:

https://hackr.io/blog/nginx-vs-apache - "NGINX performs 2.5 times faster than Apache according to a benchmark test performed by running up to 1,000 simultaneous connections. Another benchmark running with 512 simultaneous connections, showed that NGINX is about twice as fast and consumed less memory. Undoubtedly, NGINX has an advantage over Apache with static content. So if you need to serve concurrent static content, NGINX is a preferred choice."

https://kinsta.com/blog/nginx-vs-apache/ - "In short, Apache uses processes for every connection (and with worker mpm it uses threads). As traffic rises, it quickly becomes too expensive. [...] Event mpm goes a bit further in terms of optimization, but some tests show that it can’t outrun Nginx. Especially when we talk about static files, where Nginx serves as much as double the requests that Apache does. Nginx ideally has one worker process per CPU/core. The difference of Nginx worker processes is that each one can handle hundreds of thousands of incoming network connections per worker. There is no need to create new threads or processes for each connection. This is the reason why major Content Delivery Networks, like Cloudflare, MaxCDN, and our partner KeyCDN — or websites like Netflix — find Nginx crucial for their content delivery.

There is a channel I subscribe to on YouTube and just over an hour ago they uploaded one with running FreeScout on Cloudron. Thought that was pretty neat! Hopefully more and more people publicize the Cloudron product.

Youtube Video

I haven’t seen too many of his videos (and I confess I didn’t watch this whole video either because I am not yet interested in FreeScout), but stumbled across a few videos of his for another software tool I was using for WordPress. Not trying to promote him at all here haha, but just trying to say he has a decent bit of clout at 17.9k subscribers, which I think that just makes it all the more awesome for Cloudron that he did one involving the Cloudron platform. The work here is being noticed beyond just us old frequently seen Cloudron users. Haha.

As Radicale isn't the most RFC-compliant (they even state that's not their goal), it'd be nice to have a more compliant CardDAV and CalDAV server to use as an alternative to Radicale, SOGo, and Nextcloud.

A good one I have seen recommended often is "sabre/dav". It's also updated more often than Radicale too from what I can tell. I think this would be a great addition for those people who want a more pure CalDAV and CardDAV server.

https://sabre.io/dav/
https://github.com/sabre-io/dav

@imc67 I definitely agree, lots of areas for improvements.

I do have one item of your post I wanted to share my two cents on though...

Wordfence imho needs to be installed by default in Wordpress

This is just my personal view so take it with a grain of salt of course, I don't think there's really any right or wrong way to it. My two cents...

I have the belief that we should aim to keep all apps (WordPress included) about as close to default as the developer intended for the app, leaving Cloudron to just handle the default user and mail config for the app, etc. I think it's a bit of a slippery slope to add in all these extras regardless of how important they may be for certain use-cases, because the line needs to be drawn somewhere of course and deciding where that line is isn't particularly clear. In such a case, I'd ere on the side of "keep it as close to default as possible as intended by the developer" to stay free of any tightrope walking so-to-speak. haha.

For WordPress in particular, there's practically hundreds of thousands of plugins available, some of which are "default installs" in my environments where I have a template setup with the ones I use all the time for example, but I would never want to force my defaults on others because what works for me or the plugins I prefer to use may not work or be preferred by other users. Security plugins are one area where there's a ton of them, and there was a similar discussion not too long ago I had regarding a suggestion for including a caching plugin by default too.

And that's kind of the slippery slope I am referring too... what is the criteria for when a "default plugin suggestion" gets approved, and when would one get denied?

I just really want to see apps be as close to default as possible. But of course that's just my two cents. I'm sure many might disagree with me. haha.

I totally agree with the rest of your suggestions though, I would love to see the improvements for additional security in the Cloudron server itself. I completely forgot about the GEO-blocking request for countries, that'd be pretty great to have!

@girish said in Cloudron not removing expired backups from deleted apps:

Note that if an app was updated and then later deleted, the quirk of the backup system is that the backups that got created during the app backup are still retained for 3 weeks. Could this be the case?

I don't think it'd have been that because the backups went as far back as November 2022, well over the 3 weeks.

@girish said in Cloudron not removing expired backups from deleted apps:

If you run the 'Cleanup backups' manually, can you check the logs why those specific backups are getting retained ?

This may be difficult as I had run through and manually removed them when I reported the issue (sorry about that). I did it now though and don't see ay errors, but may be because I already removed a lot of the outdated ones earlier.

I'm not sure if this is intentional or not, but it seems "wrong" to me so wanted to raise this. I noticed in reviewing my backups recently that it still had many from way past the retention period and the commonality in them all were they were apps that had been removed (i.e. running for a week or so to test things then deleted from Cloudron), so it seems like Cloudron is not deleting backups after the retention policy expires for previously deleted applications.

@xarp ah so what I provided earlier was to be added in a filter in Roundcube for example. The interface for server-side rules with regards to filters is done via webmail. What you did was try the code in the SpamAssassin rules but that isn’t the right spot.

You can do this in SpamAssassin too but it doesn’t reject it, it simply guarantees that it is thrown into the junk folder. The filter method from earlier would be the way to do it in a way that it doesn’t even get to junk mail folder either.

With SpamAssassin method though to always throw a message from someone into the junk folder in a way that is essentially guaranteed would look like this:

blacklist_from userIDontWantEmailFrom@example.com

@nebulon oh it’s definitely not concerning to me at all. It’s just an area where I think it can be improved. To me 20% of a single core is very different than 20% of the system CPU.

Seeing most of the apps at basically 0% except for the odd spike of above 20% of a single core on an 8-core system just seems like noise to me.

I’d have thought it’d just be ideal if it was graphed as 20% of the system CPU instead of a single core CPU for which apps make the cut into the graph.

Maybe I’m all alone on that view though

I'm curious... I have 8 CPU cores on my dedicated server at OVH and my graphs commonly look like the image below.

I'm thinking that the graph would be much more helpful if it was the arbitrary 20% of full system CPU rather than just 20% of one CPU core. Because 20% of just one CPU core in an 8-core system (or even a 4-core system) is hardly anything to be concerned about, generally speaking of course.

Would anyone else like to see this perhaps be 20% of full system CPU instead of just 20% of a single core?

I recently had a customer want to administrate their own mailboxes across their domain. In testing, I realized giving anyone the Mail Manager role means they have access to the full system's mail capabilities not just their own domain. I realized that users aren't really coped to domain though, so it'd be nice if we somehow could have a way in the future to allow a user to manage emails but limited/scoped to specific domains which the admin would set first.

I too have noticed this. Strangely I feel this wasn't an issue before but suddenly became an issue in recent versions (7.3?). I've noticed this with regards to the SpamAssassin rule loading and such as well if it's still loading and I hit the edit icon it loads a blank pop-up.

@marcusquinn I haven’t noticed that myself but been using tgz the whole time and it’s been quite fast overall so far.

@girish okay I’ll try that, thanks for looking into it Girish! It’s definitely odd and I’m surprised I only recently discovered this concern. Some of them definitely existed before Cloudron days and came over as part of the “all in one migration” plugin which I have a feeling overwrite the database to match the original source, so likely is part of the reason there. Some newer ones also have it though but thinking further I think it’s because it was an issue in the template one I spun up new site builds from.

I’ll try converting and hopefully that’ll help with some stuff. Will report back on whether it’s successful or not

Hello. I noticed in looking at the databases of various websites (trying to cleanup some old plugin data) that I have a mixture of MyISAM and InnoDB table types. Some are MyISAM type and some are InnoDB type.

I assume they should all be InnoDB as I tried deploying a fresh instance of WordPress and used PHPMyAdmin to verify that they are all InnoDB by default, so I am presuming I should be converting the MyISAM to InnoDB.

Any thoughts on how to fix this all to InnoDB? Is this something I should just ignore? My concern is this may be an issue down the road and so if I can be proactive then I'd rather be proactive.

Screenshots below...

Older install (notice the mix of InnoDB and MyISAM types):

Fresh install (notice the InnoDB is the type used for all tables):