Updated the app icons on all apps running in my Cloudron instance for fun

Well, I gave myself a fun little short project (took maybe 30 minutes) today where I replaced every app icon in the Dashboard of Cloudron. Here's what it looks like:

I used FlatIcon's website, filtering to Free icons and for Linear Colour as the style. I was surprised at how many fairly accurate icons I could find, even one for my email 'autoconfig' app which I had doubted I'd be able to find a good icon replacement for. Even found separate ones for the two websites which aren't really websites at all but just redirect visitors to another externally hosted website on a different domain (two clients are realtors who just wanted their own short marketing domain name for email and then having the web address forward to their actual realtor's webpage for their own listings), so they're literally just the LAMP app with a single html file which does an immediate redirect.

I may make further changes, or heck I may even revert back to the default app icons in the future, but I thought this was a nice little distraction to change the overall look of the Dashboard by replacing all the app icons with new ones, and ensuring a bit of consistency where possible between them all too so that none of them stood out from others. I think it went fairly well. Just wanted to share to maybe inspire others if they think they'd benefit from some extra bit of flair in their Dashboard.

As Radicale isn't the most RFC-compliant (they even state that's not their goal), it'd be nice to have a more compliant CardDAV and CalDAV server to use as an alternative to Radicale, SOGo, and Nextcloud.

A good one I have seen recommended often is "sabre/dav". It's also updated more often than Radicale too from what I can tell. I think this would be a great addition for those people who want a more pure CalDAV and CardDAV server.

https://sabre.io/dav/
https://github.com/sabre-io/dav

@jdaviescoates Great idea! I'd definitely love to be a part of something like that.

What I do:
I do freelance web & tech services as a side business, and that includes hosting a bunch of things for customers which I do on Cloudron. Specifically WordPress websites for roughly 15 clients, and recently even some SFTP servers for one client too. Also a nodeBB forum for a client, Bitwarden password manager, email hosting of course, webmail apps, all that jazz. WordPress and email is the vast majority of what I host for my clients, but I get to dabble in other areas too which I like. Oh and web analytics too of course as that's bundled with my web hosting plan I sell to them, and to my surprise many of them actually really like seeing the emailed report from Matomo where they see all the results from each city, country, dates and times of busy traffic, etc. When I started offering it I honestly didn't think too many people would care, but most of them really like that part. I guess it sort of helps justify to them why they have a website in the first place so they can see how many people they're effectively reaching and such too in one area.

I don't necessarily market my services as a Saas-Cloudron or anything like that, just to be clear in case that's kind of what you were asking earlier, but I am very open in spreading the word of Cloudron (sounds like I'm in a cult, lol) to any of my clients that want to learn more about how I manage things, and even link to Cloudron from my website, so generally the customers that actually care to know that stuff all know I'm using Cloudron as the platform for everything.

Quick side story about the SFTP server I recently setup, just because I think it's really cool, haha:
Using Surfer, I setup an SFTP server to bridge a medical clinic (client of mine) administering COVID-19 tests and the lab they hired to actually process the tests. Before, they were emailing constantly between clinic and lab and it was a hassle for them to keep track of everything... and we later found out that the lab they contracted actually had a script which they use for their larger clients I guess - it polls the SFTP server every 5 minutes for a CSV file which the clinic fills it out and saves to the SFTP server for each patient, each patient being it's own row on the CSV. It's streamlined their entire process now - just that one thing alone - to the point where they get their results much faster now from the lab and can then forward that to the patients much quicker than before as it's way less overhead in communications between the lab and clinic. Once I heard about this and set it up for them and learned how much better it made things for them, honestly I was humbled in a way, I consider myself fortunate to have been a very very very tiny part of that process to ensure people can get their COVID-19 test results sooner. It really wasn't much work on my part at all, Cloudron made it easy to implement! It was still cool to be a part of an improvement to this essential service in my region none-the-less.

Sorry I'm rambling on now, lol, the answer to your original question is "Yes, I offer services to my clients that I host using Cloudron". haha.

I've been spending a long time lately on spam improvements on the Cloudron mail server. I've made a ton of improvements and while still not perfect (it never will be) it's a giant leap over how it was a few weeks ago.

I already made some updates in the other post on DNSBLs, for anyone who hasn't seen that already.

I've also improved the spam classifications for anything that gets past the DNSBLs. It was already pretty decent at classifying spam that was spam with no false-positives, however there was still a good amount getting to the inbox for some users in particular. I've trained them to use the spam folder and archive folder accordingly to train the filter for their account, but I also made a whole bunch of tweaks in the custom rules to overwrite scoring server-wide.

Tip: You can easily override the default SpamAssassin scores or even create your own rules using the Custom Spam Filtering Rules feature in Cloudron.

I thought I'd share what I have currently which adds in a few new providers as well as increasing the scores from their defaults. Here is what I've got currently and it seems to be working very well for me and my users with no false-positives that I can find and much more in the spam box where they should be. Feel free to adapt of course for your own servers.

The main highlights of the changes I made was the following:

• Increasing the scores for various DNSBLs where appropriate from their defaults
• Increasing the scores for SPF failures but keeping them still reasonable as not ever mail server has setup SPF correctly even if legitimate
• Modifying the scores for the BAYES_ learning ones, scoring them according to their confidence levels (and a bit above the default in most cases)
• Added three new DNSBLs for SpamAssassin (seen at the bottom of the list) which when combined with the overall scoring changes for DNSBLs built-in has provided a noticeable improvement in spam recognition

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_GBUDB 4.0
score RCVD_IN_JMF_BL 3.0
score RCVD_IN_MSPIKE_H3 -2.0
score RCVD_IN_MSPIKE_H4 -3.0
score RCVD_IN_MSPIKE_H5 -3.5
score RCVD_IN_MSPIKE_L3 2.0
score RCVD_IN_MSPIKE_L4 3.0
score RCVD_IN_MSPIKE_L5 3.5
score RCVD_IN_MSPIKE_WL 0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SORBS_BLOCK 2.0
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_HTTP 2.0
score RCVD_IN_SORBS_MISC 2.0
score RCVD_IN_SORBS_SMTP 2.0
score RCVD_IN_SORBS_SOCKS 2.0
score RCVD_IN_SORBS_SPAM 2.0
score RCVD_IN_SORBS_WEB 2.0
score RCVD_IN_SORBS_ZOMBIE 2.0
score RCVD_IN_SPAMRATS 4.0
score RCVD_IN_XBL 3.5
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.5
score RCVD_IN_ZEN_BLOCKED 0.5

# scoring URIBLs
score URIBL_ABUSE_SURBL 3.0
score URIBL_BLACK 3.0
score URIBL_CR_SURBL 3.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 2.0
score URIBL_DBL_ABUSE_MALW  2.0
score URIBL_DBL_ABUSE_PHISH 2.0
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 2.0
score URIBL_DBL_BLOCKED 2.0
score URIBL_DBL_BLOCKED_OPENDNS 2.0
score URIBL_DBL_BOTNETCC 2.0
score URIBL_DBL_ERROR 2.0
score URIBL_DBL_MALWARE 2.0
score URIBL_DBL_PHISH 2.0
score URIBL_DBL_SPAM 2.0
score URIBL_GREY 1.5
score URIBL_MW_SURBL 2.0
score URIBL_PH_SURBL 2.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_WS_SURBL 2.0
score URIBL_ZEN_BLOCKED 2.0
score URIBL_ZEN_BLOCKED_OPENDNS 2.0

# scoring SPF & DKIM
score DKIM_INVALID 1.0
score DKIM_SIGNED -0.5
score DKIM_VALID -0.5
score DKIM_VALID_AU -0.5
score DKIM_VALID_EF -0.5
score DKIM_VERIFIED -1.0
score SPF_FAIL 2.0
score SPF_HELO_FAIL 2.0
score SPF_HELO_NEUTRAL 0.5
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS -0.5
score SPF_HELO_SOFTFAIL 1.0
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS -0.5
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -1.5
score BAYES_05  -1.0
score BAYES_20  -0.5
score BAYES_40  0.5
score BAYES_50  1.0
score BAYES_60  1.5
score BAYES_80  2.0
score BAYES_95  3.0
score BAYES_99  4.5
score BAYES_999 5.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score FREEMAIL_FROM 0.5
score HEADER_FROM_DIFFERENT_DOMAINS 3.5
score HTML_FONT_LOW_CONTRAST 2.0
score HTML_MESSAE 0.5
score LOTS_OF_MONEY 1.5
score MISSING_HEADERS 1.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

@imc67 I definitely agree, lots of areas for improvements.

I do have one item of your post I wanted to share my two cents on though...

Wordfence imho needs to be installed by default in Wordpress

This is just my personal view so take it with a grain of salt of course, I don't think there's really any right or wrong way to it. My two cents...

I have the belief that we should aim to keep all apps (WordPress included) about as close to default as the developer intended for the app, leaving Cloudron to just handle the default user and mail config for the app, etc. I think it's a bit of a slippery slope to add in all these extras regardless of how important they may be for certain use-cases, because the line needs to be drawn somewhere of course and deciding where that line is isn't particularly clear. In such a case, I'd ere on the side of "keep it as close to default as possible as intended by the developer" to stay free of any tightrope walking so-to-speak. haha.

For WordPress in particular, there's practically hundreds of thousands of plugins available, some of which are "default installs" in my environments where I have a template setup with the ones I use all the time for example, but I would never want to force my defaults on others because what works for me or the plugins I prefer to use may not work or be preferred by other users. Security plugins are one area where there's a ton of them, and there was a similar discussion not too long ago I had regarding a suggestion for including a caching plugin by default too.

And that's kind of the slippery slope I am referring too... what is the criteria for when a "default plugin suggestion" gets approved, and when would one get denied?

I just really want to see apps be as close to default as possible. But of course that's just my two cents. I'm sure many might disagree with me. haha.

I totally agree with the rest of your suggestions though, I would love to see the improvements for additional security in the Cloudron server itself. I completely forgot about the GEO-blocking request for countries, that'd be pretty great to have!

Just thought I'd check-in on the status of 6.3.0.

It'd be great to have the ability to add comments to backups, particularly app backups.

My example use-case: I have a WordPress app running, which I am working on some performance-projects. I'm making backups after each different plugin change for example to be able to easily restore back to baseline and after certain plugin changes. After making so many app backups, it can be difficult to later remember which one was the baseline, which one was for any particular plugin change, etc.

Having the ability to add notes to app backups would be a great way to handle that type of use-case.

I picture the UI with a small icon next to each backup to easily add notes. Then to view them, it'd be great to have it either pop-up when hovering over a backup or to perhaps have a short accordion effect to expand the notes applied to the backup. The latter would be more mobile-friendly as mobile devices don't really have the ability to "hover" over items.

These apps serve different purposes, so I don't think one can really answer the question without knowing the use-case.

My suggestion is if you only care about webmail, then Rainloop wins. It's quicker, nicer interface (IMO), intuitive, etc. If you however also want to manage a calendar and contacts, then SOGo is likely the better one as Rainloop does mail and contacts only, no calendar or anything like that. And even for contacts, it's differently managed - Rainloop simply stores them, but SOGo "hosts" them so they're also accessible via CardDAV protocols into apps like Contacts on macOS or iOS, Calendar on macOS, etc.

Basically, Rainloop is a webmail client whereas SOGo is what's called "groupware" as it will sync contacts, calendars, tasks, etc. in addition to the mail client role.

If you elaborate on your use-case, then people can probably give you a more accurate answer. Hopefully the above helps in the meantime.

Wooo! Finally the big mail-focused release I (and many others) have been waiting for! Looking forward to it. Any way I can help, just let me know.

I think it'd be really useful to have an alternative LAMP app using the LEMP stack instead (basically just replacing Apache with Nginx). If this is possible, it'd be great to see this in the Cloudron App Store alongside the LAMP app.

For context... this thread is what made me want to suggest this idea more formally: https://forum.cloudron.io/topic/5784/apache-vulnerabilities/

In some cases, Nginx can be much more performant than Apache too particularly under heavier loads, so it'd be good to have Nginx as an option instead of only Apache for those who want to really eek out a bit more performance of their web servers.

Some external references supporting this idea of Nginx being a better performer than Apache:

https://hackr.io/blog/nginx-vs-apache - "NGINX performs 2.5 times faster than Apache according to a benchmark test performed by running up to 1,000 simultaneous connections. Another benchmark running with 512 simultaneous connections, showed that NGINX is about twice as fast and consumed less memory. Undoubtedly, NGINX has an advantage over Apache with static content. So if you need to serve concurrent static content, NGINX is a preferred choice."

https://kinsta.com/blog/nginx-vs-apache/ - "In short, Apache uses processes for every connection (and with worker mpm it uses threads). As traffic rises, it quickly becomes too expensive. [...] Event mpm goes a bit further in terms of optimization, but some tests show that it can’t outrun Nginx. Especially when we talk about static files, where Nginx serves as much as double the requests that Apache does. Nginx ideally has one worker process per CPU/core. The difference of Nginx worker processes is that each one can handle hundreds of thousands of incoming network connections per worker. There is no need to create new threads or processes for each connection. This is the reason why major Content Delivery Networks, like Cloudflare, MaxCDN, and our partner KeyCDN — or websites like Netflix — find Nginx crucial for their content delivery.

@molinaire in that case it almost sounds like a hosting side issue.

I think it'd be really useful to have an alternative LAMP app using the LEMP stack instead (basically just replacing Apache with Nginx). If this is possible, it'd be great to see this in the Cloudron App Store alongside the LAMP app.

For context... this thread is what made me want to suggest this idea more formally: https://forum.cloudron.io/topic/5784/apache-vulnerabilities/

In some cases, Nginx can be much more performant than Apache too particularly under heavier loads, so it'd be good to have Nginx as an option instead of only Apache for those who want to really eek out a bit more performance of their web servers.

Some external references supporting this idea of Nginx being a better performer than Apache:

https://hackr.io/blog/nginx-vs-apache - "NGINX performs 2.5 times faster than Apache according to a benchmark test performed by running up to 1,000 simultaneous connections. Another benchmark running with 512 simultaneous connections, showed that NGINX is about twice as fast and consumed less memory. Undoubtedly, NGINX has an advantage over Apache with static content. So if you need to serve concurrent static content, NGINX is a preferred choice."

https://kinsta.com/blog/nginx-vs-apache/ - "In short, Apache uses processes for every connection (and with worker mpm it uses threads). As traffic rises, it quickly becomes too expensive. [...] Event mpm goes a bit further in terms of optimization, but some tests show that it can’t outrun Nginx. Especially when we talk about static files, where Nginx serves as much as double the requests that Apache does. Nginx ideally has one worker process per CPU/core. The difference of Nginx worker processes is that each one can handle hundreds of thousands of incoming network connections per worker. There is no need to create new threads or processes for each connection. This is the reason why major Content Delivery Networks, like Cloudflare, MaxCDN, and our partner KeyCDN — or websites like Netflix — find Nginx crucial for their content delivery.

@girish That'd be awesome, thanks Girish. I'll hope it's ready for this week though for everyone and that should fix it.

@girish out of curiosity, in the event I wanted to try my migration this weekend (I will likely wait for next weekend if 6.4 is out in time), is there a manual way for me to circumvent this issue by regenerating the self-signed certs or something? If it’s far too complicated then no worries, I’m just getting a little anxious having only really two weekends left to make the migration happen excluding this weekend since 6.4 isn’t quite ready yet. Wanted to try and form a backup plan just in case.

Getting excited for 6.4 (especially since it fixes a bug that's currently keeping me locked in-place with my current hosting provider), and all the amazing improvements particularly around email!

Was just wondering if there was an ETA for us. I know I asked about 11 days ago, just really looking forward to it. haha.

Also a slightly selfish reason for asking... it'll save me from having to pay another month of hosting from my current host if I can migrate off before end of this month if that other defect is fixed which is supposed to be fixed with 6.4, not a ton of time left for me to plan it out since it has to be in the middle of the night (i.e. weekends only, 3 weekends left and I'm guessing this weekend will be too soon, so really only 2 weekends left for me to do this migration so I'm getting a bit antsy).

A little unrelated but to the conversation of Apache vs Nginx… it would be a nice idea to have a LEMP stack app too instead of only LAMP.

@timconsidine I voted up both already. But my understanding is that Umami doesn’t yet do reporting which is critical for my customers (they pay for it) so I personally would be required to go with Plausible until Umami picks up some more features like reporting capabilities. If I’ve missed that in Umami though please point me to the right doc.

Definitely another vote for Plausible. Been looking at a possibly more modern Matomo alternative and this seems to fit the bill nicely. That and Umami but Plausible seems more feature-rich especially as it seems to have reporting functionality which is important for my clients.

Just came across this. Looks amazing… upvoted.

@girish thank you so much for looking into this! Will the fix regenerate the self-signed fallback certs or will I need to make some manual changes?