Cloudron Forum

Marcel C (@imc67), translator
Posts 924 | Topics 165 | Shares 0 | Groups 1 | Followers 3 | Following 0

Posts

  • Urgent Security update for OIDC plugin Wordpress
imc67

    First update app, then update plugin

    WordPress (Developer) wordpress oidc security

  • Urgent Security update for OIDC plugin Wordpress
imc67

    Yes tried manually on 2 sites and it’s working!
    Thanks for the effort and results 🙏

    WordPress (Developer) wordpress oidc security

  • Urgent Security update for OIDC plugin Wordpress
imc67

    https://wordpress.org/plugins/daggerhart-openid-connect-generic/

    Update 3.11.1
    After manual update:

    OpenID Connect Generic - Security Configuration Required

    Your OpenID Connect authentication is using an insecure fallback method. You must configure the JWKS endpoint in plugin settings as soon as possible.
    
    The current insecure fallback will be removed in version 3.12.0. After that update, authentication will fail until the JWKS endpoint is configured.
    
    Common JWKS endpoints:
    • Keycloak: https://your-domain/realms/your-realm/protocol/openid-connect/certs
    • Auth0: https://your-domain.auth0.com/.well-known/jwks.json
    • Okta: https://your-domain.okta.com/oauth2/default/v1/keys
    • Azure AD: https://login.microsoftonline.com/your-tenant/discovery/v2.0/keys
    • Google: https://www.googleapis.com/oauth2/v3/certs
    

    I tried to manually update within the WordPress (Developer) app, but login got broken; I had to restore.

    3.11.0

    SECURITY RELEASE

    Security: Added JWT signature verification using JWKS to prevent token forgery
    Security: Enhanced token claim validation (exp, aud, iss, iat, nonce)
    Security: Replaced weak state generation with cryptographically secure random_bytes()
    Security: Fixed open redirect vulnerability in authentication flow
    Security: Restricted SSL verification bypass to local development environments only
    Security: Added nonce protection to debug mode to prevent information disclosure
    Security: Added SSRF protection by default through use of wp_safe_remote_* functions
    Feature: Added JWKS endpoint configuration setting
    Feature: Added OpenID Connect discovery document support
    Feature: Added customizable login button text setting
    Improvement: Migrated to Composer-managed dependencies
    Fix: Corrected issuer validation to properly extract base URL from endpoints
    Fix: Identity token timestamp tracking

    WordPress (Developer) wordpress oidc security
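The 3.11.0 notes above say the plugin now verifies the ID token's signature against the JWKS endpoint and validates exp, aud, iss, iat and nonce. The following is an added example written for this thread, in Python rather than the plugin's PHP, and is not the plugin's code: it shows what that verification looks like end to end, including the three forgeries it defeats (an unsigned `alg: none` token, a genuine signature glued to an edited payload, and a replayed nonce). The RSA key pair is built from two well-known Mersenne primes purely so the script runs offline; a real IdP publishes its keys at the JWKS URL, and the issuer, client id, kid and nonce values are assumptions.

```python
# Added example for this thread, for illustration only and not the plugin's PHP
# code: what "JWT signature verification using JWKS" plus the exp/aud/iss/iat/
# nonce checks of release 3.11.0 look like. The RSA key pair is built from two
# well-known Mersenne primes (2^521-1, 2^607-1) purely so this runs offline; a
# real IdP serves its keys at the JWKS URL. Issuer, client id, kid and nonce are
# assumed values.
import base64, hashlib, json, time

def b64url(data: bytes) -> str: return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def uint_b64(x: int) -> str: return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))

# --- toy RSA key pair (~1128 bits, demo only) ---
P, Q, E = (1 << 521) - 1, (1 << 607) - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo (RFC 8017)

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes) -> bytes:
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), D, N).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)

# What the IdP would publish at its JWKS endpoint
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "demo-key-1",
                  "n": uint_b64(N), "e": uint_b64(E)}]}

def mint_id_token(claims: dict, alg: str = "RS256", kid: str = "demo-key-1") -> str:
    """IdP side. alg="none" yields the unsigned token an attacker would present."""
    header = b64url(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = rs256_sign(f"{header}.{payload}".encode()) if alg == "RS256" else b""
    return f"{header}.{payload}.{b64url(sig)}"

class TokenError(Exception): pass

def verify_id_token(token, jwks, issuer, client_id, nonce, now=None, leeway=60) -> dict:
    """Relying-party side: signature against the JWKS first, then every claim."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise TokenError("malformed token")
    if header.get("alg") != "RS256":  # fixed allow-list: the header is attacker-controlled
        raise TokenError(f"unsupported alg {header.get('alg')!r}")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), sig, n, e):
        raise TokenError("bad signature")  # nothing in the payload is trusted before this point
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    checks = [
        (claims.get("iss") != issuer, "iss mismatch"),
        (client_id not in aud, "aud mismatch"),
        (not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway, "expired"),
        (not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + leeway, "iat in the future"),
        (claims.get("nonce") != nonce, "nonce mismatch"),  # binds the token to this login attempt
    ]
    for failed, reason in checks:
        if failed:
            raise TokenError(reason)
    return claims

ISSUER, CLIENT, NONCE = "https://idp.example/realms/demo", "wp-site", "n-8f3a"
NOW = 1_700_000_000  # fixed clock so the demo is reproducible
GOOD = {"iss": ISSUER, "aud": CLIENT, "sub": "alice", "iat": NOW - 5, "exp": NOW + 300, "nonce": NONCE}

def demo() -> dict:
    """One honest token and four hostile ones; returns the verdict per case."""
    good = mint_id_token(GOOD)
    h, _, s = good.split(".")
    evil_payload = b64url(json.dumps({**GOOD, "sub": "admin"}).encode())
    cases = {
        "valid": good,
        "alg_none": mint_id_token({**GOOD, "sub": "admin"}, alg="none"),
        "tampered": f"{h}.{evil_payload}.{s}",  # genuine signature, edited payload
        "expired": mint_id_token({**GOOD, "exp": NOW - 600}),
        "wrong_nonce": mint_id_token({**GOOD, "nonce": "replayed"}),
    }
    verdicts = {}
    for name, tok in cases.items():
        try:
            verdicts[name] = "ok:" + verify_id_token(tok, JWKS, ISSUER, CLIENT, NONCE, now=NOW)["sub"]
        except TokenError as ex:
            verdicts[name] = str(ex)
    return verdicts
```

The order inside `verify_id_token` is the point: the `alg` is pinned to a fixed allow-list rather than read from the token, the key is selected by `kid` from the JWKS document, and no claim is looked at until the signature has passed. The "insecure fallback" the plugin warns about is exactly the situation where that signature step is skipped, which is why `demo()` shows the `alg: none` and edited-payload tokens being rejected before any claim check runs.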

  • Are Ubuntu security updates still automatic?
imc67

    We're getting closer; this is part of the scheduled one this morning:

    2026-02-06 06:09:31,611 WARNING Could not figure out development release: Distribution data outdated. Please check for an update for distro-info-data. See /usr/share/doc/distro-info-data/README.Debian for details.
    2026-02-06 06:09:31,612 INFO Starting unattended upgrades script
    2026-02-06 06:09:31,612 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security, o=UbuntuESM,a=jammy-infra-security
    2026-02-06 06:09:31,613 INFO Initial blacklist: 
    2026-02-06 06:09:31,613 INFO Initial whitelist (not strict): 
    2026-02-06 06:09:46,207 INFO Packages that will be upgraded: libc-bin libc-dev-bin libc6 libc6-dev libssl3 linux-generic linux-headers-generic linux-image-generic linux-libc-dev locales mysql-client-8.0 mysql-client-core-8.0 mysql-server-8.0 mysql-server-core-8.0 openssl screen
    2026-02-06 06:09:46,208 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
    2026-02-06 06:09:48,505 ERROR Installing the upgrades failed!
    2026-02-06 06:09:48,505 ERROR error message: installArchives() failed
    2026-02-06 06:09:48,506 ERROR dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
    2026-02-06 06:09:48,952 INFO Package libc-bin is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:48,954 INFO Package libc-dev-bin is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:48,956 INFO Package libc6 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:48,957 INFO Package libc6-dev is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,016 INFO Package libssl3 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,037 INFO Package linux-generic is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,044 INFO Package linux-headers-generic is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,051 INFO Package linux-image-generic is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,058 INFO Package linux-libc-dev is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,165 INFO Package locales is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,172 INFO Package mysql-client-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,174 INFO Package mysql-client-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,175 INFO Package mysql-server-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,177 INFO Package mysql-server-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,189 INFO Package openssl is kept back because a related package is kept back or due to local apt_preferences(5).
    2026-02-06 06:09:49,224 INFO Package screen is kept back because a related package is kept back or due to local apt_preferences(5).
    

    The mentioned /var/log/unattended-upgrades/unattended-upgrades-dpkg.log:

    Log started: 2026-02-06  06:09:46
    Preconfiguring packages ...
    Preconfiguring packages ...
    dpkg: unrecoverable fatal error, aborting:
     unknown system group 'netdata' in statoverride file; the system group got removed
    before the override, which is most probably a packaging bug, to recover you
    can remove the override manually with dpkg-statoverride
    E:Sub-process /usr/bin/dpkg returned an error code (2)
    Log ended: 2026-02-06  06:09:47
    

    This is a leftover of a "total" removal (2 weeks ago) of a netdata installation from years ago (now that we have graphs in Cloudron 9 we don't need it anymore). I did:

    ~# sudo dpkg-statoverride --list | grep netdata
    root netdata 755 /usr/share/netdata/www
    root netdata 755 /var/lib/netdata/www
    ~# sudo dpkg-statoverride --remove /usr/share/netdata/www
    ~# sudo dpkg-statoverride --remove /var/lib/netdata/www
    ~# sudo dpkg-statoverride --list | grep netdata
    

    I'll check tomorrow if the nightly unattended upgrade did work. Thanks @James for pointing me in the right direction!

    Support ubuntu server security
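The failure above is easy to miss: unattended-upgrades reports an ERROR, every package is then "kept back", and the security patches (libssl3, the kernel, glibc) silently stay uninstalled until someone reads the log. The following is an added example for this thread and not Cloudron's or Ubuntu's tooling: `stale_overrides()` finds dpkg statoverride entries whose user or group no longer exists, which is exactly what made dpkg abort here, and `summarize_last_run()` turns the unattended-upgrades log into a pass/fail result with the kept-back list. Both work on plain text, so the constructed samples at the bottom (trimmed from the post's own output) run offline; `audit_live_host()` wires the first check to the real dpkg database on a Debian/Ubuntu host.

```python
# Added example for this thread, not Cloudron's or Ubuntu's tooling: two checks
# for the failure above. stale_overrides() finds dpkg statoverride entries whose
# user or group no longer exists (exactly what made dpkg abort here), and
# summarize_last_run() reports the last unattended-upgrades run from
# /var/log/unattended-upgrades/unattended-upgrades.log. Both work on plain text,
# so the constructed samples at the bottom run offline; audit_live_host() wires
# the first check to the real dpkg database on a Debian/Ubuntu host.
import re

def parse_statoverride(listing: str) -> list:
    """Rows of `dpkg-statoverride --list`: '<user> <group> <mode> <path>'."""
    rows = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(dict(zip(("user", "group", "mode", "path"), parts)))
    return rows

def stale_overrides(rows: list, users: set, groups: set) -> list:
    """Overrides that name a missing user or group; dpkg refuses to run with these."""
    return [r for r in rows if r["user"] not in users or r["group"] not in groups]

def fix_commands(stale: list) -> list:
    """The recovery dpkg's own error message suggests, one command per entry."""
    return [f"dpkg-statoverride --remove {r['path']}" for r in stale]

def audit_live_host() -> list:
    """Same check against this machine (Unix only: needs dpkg, pwd and grp)."""
    import grp, pwd, subprocess
    out = subprocess.run(["dpkg-statoverride", "--list"], capture_output=True, text=True, check=False).stdout
    users = {u.pw_name for u in pwd.getpwall()}
    groups = {g.gr_name for g in grp.getgrall()}
    return fix_commands(stale_overrides(parse_statoverride(out), users, groups))

LOG_RE = re.compile(r"^(\S+ \S+) (INFO|WARNING|ERROR) (.*)$")
KEPT_RE = re.compile(r"^Package (\S+) is kept back")

def summarize_last_run(log: str):
    """Planned packages, ERROR lines and kept-back packages of the newest run."""
    runs = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        if msg.startswith("Starting unattended upgrades script"):
            runs.append({"started": ts, "planned": [], "kept_back": [], "errors": []})
            continue
        if not runs:
            continue
        run, kept = runs[-1], KEPT_RE.match(msg)
        if msg.startswith("Packages that will be upgraded: "):
            run["planned"] = msg.split(": ", 1)[1].split()
        elif level == "ERROR":
            run["errors"].append(msg)
        elif kept:
            run["kept_back"].append(kept.group(1))
    if not runs:
        return None
    run = runs[-1]
    run["ok"] = not run["errors"] and not run["kept_back"]  # kept back after an error = nothing was patched
    return run

# Constructed samples: trimmed versions of the listing and log shown in the post
SAMPLE_OVERRIDES = """\
root netdata 755 /usr/share/netdata/www
root netdata 755 /var/lib/netdata/www
root ssl-cert 710 /etc/ssl/private
"""
SAMPLE_LOG = """\
2026-02-06 06:09:31,612 INFO Starting unattended upgrades script
2026-02-06 06:09:46,207 INFO Packages that will be upgraded: libc6 libssl3 openssl
2026-02-06 06:09:48,505 ERROR Installing the upgrades failed!
2026-02-06 06:09:48,505 ERROR error message: installArchives() failed
2026-02-06 06:09:49,016 INFO Package libssl3 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,189 INFO Package openssl is kept back because a related package is kept back or due to local apt_preferences(5).
"""
SAMPLE_USERS, SAMPLE_GROUPS = {"root"}, {"root", "ssl-cert"}  # the netdata group is gone

if __name__ == "__main__":
    stale = stale_overrides(parse_statoverride(SAMPLE_OVERRIDES), SAMPLE_USERS, SAMPLE_GROUPS)
    print("\n".join(fix_commands(stale)))
    print(summarize_last_run(SAMPLE_LOG))
```

Run on a real host, `audit_live_host()` returns the exact `dpkg-statoverride --remove` commands to execute, and `summarize_last_run()` over the real log is the check to put in monitoring: a run is only "ok" when it has no ERROR lines and nothing kept back, which is the condition the three servers in this thread had silently stopped meeting.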

  • Are Ubuntu security updates still automatic?
imc67

    One example (of 3); I think it includes the very highly ranked issue with OpenSSL?:

    apt list --upgradable | grep "\-security"
    
    WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
    
    libc-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
    libc-dev-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
    libc6-dev/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
    libc6/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
    libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
    linux-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
    linux-headers-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
    linux-image-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
    linux-libc-dev/jammy-updates,jammy-security 5.15.0-168.178 amd64 [upgradable from: 5.15.0-164.174]
    locales/jammy-updates,jammy-security 2.35-0ubuntu3.13 all [upgradable from: 2.35-0ubuntu3.11]
    mysql-client-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
    mysql-client-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
    mysql-server-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
    mysql-server-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
    openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
    screen/jammy-updates,jammy-security 4.9.0-1ubuntu0.1 amd64 [upgradable from: 4.9.0-1]
    
    cat /etc/apt/apt.conf.d/50unattended-upgrades
    
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}";
            "${distro_id}:${distro_codename}-security";
            // Extended Security Maintenance; doesn't necessarily exist for
            // every release and this system may not have it installed, but if
            // available, the policy for updates is such that unattended-upgrades
            // should also install from here by default.
            "${distro_id}ESMApps:${distro_codename}-apps-security";
            "${distro_id}ESM:${distro_codename}-infra-security";
    //      "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };
    
    Unattended-Upgrade::Package-Blacklist {
    
    };
    
    
    unattended-upgrades --dry-run
    Preconfiguring packages ...
    Preconfiguring packages ...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/locales_2.35-0ubuntu3.13_all.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    Preconfiguring packages ...
    Preconfiguring packages ...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libssl3_3.0.2-0ubuntu1.21_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --no-triggers --configure libssl3:amd64 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure --recursive /tmp/apt-dpkg-install-JHk6R5 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/linux-libc-dev_5.15.0-168.178_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    Preconfiguring packages ...
    Preconfiguring packages ...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc6-dev_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc-dev-bin_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc6_2.35-0ubuntu3.13_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --no-triggers --configure libc6:amd64 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    Preconfiguring packages ...
    Preconfiguring packages ...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/screen_4.9.0-1ubuntu0.1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc-bin_2.35-0ubuntu3.13_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --no-triggers --configure libc-bin:amd64 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/openssl_3.0.2-0ubuntu1.21_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    

    The output of unattended-upgrades --dry-run --debug was too much but I "asked" Claude to analyse it and it discovered no issues.

    Support ubuntu server security

  • Are Ubuntu security updates still automatic?
imc67
    systemctl status unattended-upgrades.service
    ● unattended-upgrades.service - Unattended Upgrades Shutdown
         Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
         Active: active (running) since Sun 2025-12-14 06:11:43 UTC; 1 month 23 days ago
           Docs: man:unattended-upgrade(8)
       Main PID: 787 (unattended-upgr)
          Tasks: 2 (limit: 38374)
         Memory: 10.1M
            CPU: 165ms
         CGroup: /system.slice/unattended-upgrades.service
                 └─787 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
    
    Notice: journal has been rotated since unit was started, output may be incomplete.
    
    systemctl status unattended-upgrades.service
    ● unattended-upgrades.service - Unattended Upgrades Shutdown
         Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
         Active: active (running) since Sat 2025-12-13 05:49:30 UTC; 1 month 24 days ago
           Docs: man:unattended-upgrade(8)
       Main PID: 765 (unattended-upgr)
          Tasks: 2 (limit: 38375)
         Memory: 8.3M
            CPU: 91ms
         CGroup: /system.slice/unattended-upgrades.service
                 └─765 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
    
    Notice: journal has been rotated since unit was started, output may be incomplete.
    
    systemctl status unattended-upgrades.service
    ● unattended-upgrades.service - Unattended Upgrades Shutdown
         Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
         Active: active (running) since Sat 2025-12-13 05:57:28 UTC; 1 month 24 days ago
           Docs: man:unattended-upgrade(8)
       Main PID: 875 (unattended-upgr)
          Tasks: 2 (limit: 77023)
         Memory: 11.1M
            CPU: 112ms
         CGroup: /system.slice/unattended-upgrades.service
                 └─875 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
    
    Notice: journal has been rotated since unit was started, output may be incomplete.
    
    Support ubuntu server security

  • Are Ubuntu security updates still automatic?
imc67

    I noticed that my 3 Cloudron Pro servers have already been running for 2 months, while before a reboot was needed every month because of security updates.

    SSH says:
    21 of these updates are standard security updates.
    35 of these updates are standard security updates.
    29 of these updates are standard security updates.

    Is Cloudron doing its job here?

    Support ubuntu server security

  • Is there a way to rate limit connections to a site for certain user agent strings?
imc67

    @luckow over the past 2 days I rented a VPS, installed Bunkerweb and played with it, but it's way too much and way too complicated! I created this https://forum.cloudron.io/topic/14982/feature-request-simple-per-app-waf-with-templates-kiss and hope @girish and @nebulon will have a look at it?

    WordPress (Developer)

  • Feature Request: 🔥 Simple per-App WAF with Templates (KISS) 🏰
imc67

    Feature Request: Simple per-App WAF with Templates (KISS=Keep It Stupid Simple)

    Cloudron is often used to host multiple web applications with very different exposure levels (e.g. public websites, WordPress instances, admin-only tools).
    At the moment, most protection is instance-wide, which makes it hard to apply different security policies per app without external tooling.

    Community Precedent – Cloudron Forum discussions

    Users have repeatedly discussed the need for more granular access control / WAF-like features in Cloudron:

    • In “Is there a way to rate limit connections to a site for certain user agent strings?”, users talk about using Bunkerweb as a workaround for the lack of built-in request filtering and mention that “Cloudron doesn’t have anything like WAF” and the desire to move away from Cloudflare WAF because Cloudron currently lacks native solutions.
      https://forum.cloudron.io/topic/14343/is-there-a-way-to-rate-limit-connections-to-a-site-for-certain-user-agent-strings

    • Users have explicitly asked about limiting web-based access to individual Cloudron apps (e.g., basic auth, IP-based restrictions), indicating demand for app-level access controls.
      https://forum.cloudron.io/topic/8804/limiting-web-based-access-to-cloudron-apps

    • In “What’s coming in Cloudron 6.3”, I suggested features inspired by Wordfence including blocking by IP/location and geo-blocking, and specifically called out the idea of geo-blocking of countries as a desirable security improvement.
      https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4

    • Related support threads show users trying to restrict access to the Cloudron login page by IP while keeping other apps public, again highlighting demand for more granular access controls.
      (See posts by user hiyukoim in support category)

    I would like to propose a simple, KISS-oriented Web Application Firewall (WAF) on app level, tightly integrated into Cloudron.


    Problem

    • Not all apps should be equally reachable from the internet
    • Admins often want basic access control (countries, IPs, paths) without deploying a full external WAF
    • Instance-wide rules are often too coarse

    Goals

    • Per-app access control
    • Very simple and predictable behavior
    • No security expertise required
    • Reusable defaults for admins managing many apps

    Proposed Solution

    1. Per-app WAF

    Each web app can optionally enable its own WAF.

    2. App-level rules

    Within an app WAF, an admin can configure:

    • IP whitelist / blacklist
    • Geo allow / block (noise reduction, not “hard security”)
    • Path-based rules (extra layer), for example:
      • /wp-login.php
      • /wp-admin/*
      • /api/*

    Rules should be path-based only (no complex regex).

    3. Instance-level WAF templates

    At Cloudron instance level, admins can define WAF templates (profiles), such as:

    • Public website
    • WordPress hardened
    • Admin-only app
    • Internal / trusted IPs only

    For each app:

    • Select a template
    • Optionally extend or override it locally

    This avoids repetitive configuration and keeps policies consistent.

    4. Clear precedence (important for predictability)

    Suggested order:

    1. IP whitelist
    2. Geo allow
    3. IP blacklist
    4. Geo block
    5. Path rules

    Whitelist rules always take precedence.


    Optional (still KISS)

    • Per-app blocked requests log (read-only)
      • Timestamp
      • Source IP / country
      • Rule type (IP / Geo / Path)
    • Report-only / dry-run mode for new rules
    • Temporary disable WAF for this app (emergency switch)

    Non-goals (explicitly out of scope)

    • Full ModSecurity / OWASP CRS
    • Regex-heavy rules
    • Deep request inspection (headers, body, users, roles)
    • Replacing a dedicated enterprise WAF

    This feature is intended to cover the 80% use case in a Cloudron-native, admin-friendly way, while keeping configuration minimal and understandable.

    Feature Requests waf security firewall
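The precedence list in the proposal is the part that decides whether the feature is predictable, so here is an added example (not Cloudron code) that implements it as a small reference evaluator: instance-level templates, per-app extension of a template, the five rule types in the proposed order, the read-only blocked-requests log and the report-only switch. Template names follow the post; the rule semantics (geo allow as an override that wins over later rules, path rules meaning "block unless trusted") and every address, country and path in the sample are assumptions, with "ZZ" standing in for a failed GeoIP lookup.

```python
# Added example, not Cloudron code: a reference evaluator for the precedence
# order proposed in this post, so templates, per-app overrides, report-only mode
# and the blocked-requests log can be tried before anything is built. Template
# names follow the post; the rule semantics (geo allow as an override, path rules
# meaning "block unless trusted") and every address, country and path in the
# sample are assumptions, with "ZZ" standing in for a failed GeoIP lookup.
import fnmatch
import ipaddress

LIST_RULES = ("ip_whitelist", "geo_allow", "ip_blacklist", "geo_block", "path_block")

TEMPLATES = {  # instance-level profiles (10.0.0.0/8 is a placeholder LAN range)
    "public-website": {},
    "wordpress-hardened": {"path_block": ["/wp-login.php", "/wp-admin/*", "/xmlrpc.php"]},
    "admin-only": {"path_block": ["/*"]},                              # whitelist only
    "internal-trusted": {"ip_whitelist": ["10.0.0.0/8"], "path_block": ["/*"]},
}

def app_policy(template: str, **override) -> dict:
    """Per-app policy: the template's lists extended locally, flags overridden."""
    pol = {k: list(TEMPLATES[template].get(k, [])) for k in LIST_RULES}
    pol["report_only"] = False
    for key, value in override.items():
        if key in LIST_RULES:
            pol[key].extend(value)
        else:
            pol[key] = value
    return pol

def _ip_in(ip: str, cidrs: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(pol: dict, ip: str, country: str, path: str) -> tuple:
    """(decision, rule_type) in the post's order; allow rules always win."""
    deny = "report" if pol["report_only"] else "block"
    if _ip_in(ip, pol["ip_whitelist"]):
        return "allow", "ip-whitelist"
    if country in pol["geo_allow"]:
        return "allow", "geo-allow"
    if _ip_in(ip, pol["ip_blacklist"]):
        return deny, "ip-blacklist"
    if country in pol["geo_block"]:
        return deny, "geo-block"
    if any(fnmatch.fnmatchcase(path, g) for g in pol["path_block"]):
        return deny, "path"
    return "allow", "default"

def handle(pol: dict, ip: str, country: str, path: str, ts: str, log: list) -> str:
    """Apply the policy; anything that is not a plain allow goes to the app's log."""
    decision, rule = evaluate(pol, ip, country, path)
    if decision != "allow":
        log.append({"ts": ts, "ip": ip, "country": country, "path": path,
                    "rule": rule, "decision": decision})
    return decision

# Constructed sample: a WordPress app on the hardened template, extended with the
# admin's DDNS address, a Dutch geo allow, one noisy network and a block on
# unresolved countries.
WP = app_policy("wordpress-hardened", ip_whitelist=["198.51.100.7"], geo_allow=["NL"],
                ip_blacklist=["192.0.2.0/24"], geo_block=["ZZ"])
WP_DRY = {**WP, "report_only": True}     # same rules, report-only while testing

def demo() -> tuple:
    """Decisions for six requests, plus one request under report-only mode."""
    log = []
    requests = [
        ("198.51.100.7", "ZZ", "/wp-login.php"),      # whitelist beats geo block and path rule
        ("203.0.113.5", "NL", "/wp-login.php"),       # geo allow beats path rule
        ("192.0.2.10", "DE", "/"),                    # blacklisted network
        ("203.0.113.5", "ZZ", "/"),                   # unresolved country
        ("203.0.113.5", "DE", "/wp-admin/edit.php"),  # path rule for everyone else
        ("203.0.113.5", "DE", "/2026/hello-world"),   # ordinary public page
    ]
    decisions = [evaluate(WP, *r) for r in requests]
    for i, r in enumerate(requests):
        handle(WP, *r, ts=f"2026-02-06T10:00:0{i}Z", log=log)
    dry = handle(WP_DRY, "203.0.113.5", "DE", "/wp-admin/edit.php", ts="2026-02-06T10:01:00Z", log=log)
    return decisions, dry, log
```

One consequence of the proposed order is visible in the second sample request: a visitor from a geo-allowed country passes the IP blacklist and every path rule, because both allow rules are evaluated before any deny rule. That is what "whitelist rules always take precedence" means in practice, and the report-only mode is how an admin would notice it in the per-app log before switching a new rule set to enforcing.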

  • Is there a way to rate limit connections to a site for certain user agent strings?
imc67

    @robi said in Is there a way to rate limit connections to a site for certain user agent strings?:

    Curious, why isn't an app level WAF like the ones for WP suitable?

    Then you have to find a specific WAF plugin for each app (not only WP) you want to protect?!

    WordPress (Developer)

  • Is there a way to rate limit connections to a site for certain user agent strings?
imc67

    @luckow thanks for the very detailed experiences up to now! I was searching the web (partly via AI) for Cloudflare WAF alternatives and it's really unbelievable that they are sooo rare!

    As long as Cloudron doesn't have anything like a WAF (on app and URL-part level) and someone from Europe wants to leave Cloudflare, there is not much choice 😫

    WordPress (Developer)

  • Is there a way to rate limit connections to a site for certain user agent strings?
imc67

    @luckow said in Is there a way to rate limit connections to a site for certain user agent strings?:

    Bunkerweb acts as a reverse proxy for a Cloudron app that is ‘behind it’. Currently, we only use it in front of our own website (mainly because we are still learning, e.g. what happens when we block bots? Oh, there is no longer support for previews in rocket.chat). In my next spare moment, I'll try out what happens when a complete Cloudron instance is behind Bunkerweb. It should work. From what I've heard, this is the case with Cloudflare, and Bunkerweb is similar (only self-hosted) 🙂

    Hi @luckow I'm really curious how it went with Bunkerweb in front of Cloudron?

    I am moving domains from Cloudflare to deSEC but can't do them all because I use the Cloudflare WAF for some Cloudron apps (geoblocking and/or IP whitelist with DDNS/API on app level). And because Cloudron doesn't have anything like a WAF, a workaround (what a pity) could be Bunkerweb?

    WordPress (Developer)

  • Immich stopped working since last Cloudron upgrade
imc67

    Same here after auto update!

    https://forum.cloudron.io/topic/14909/side-effects-cloudron-v-9.0.16-app.immich.cloudronapp@1.95.1

    Immich

  • side effects Cloudron v 9.0.16 - app.immich.cloudronapp@1.95.1
imc67

    Same here after auto update of Cloudron!

    Support postgresql

  • Cloudron v9: huge disk I/O is this normal/safe/needed?
imc67

    @joseph said in Cloudron v9: huge disk I/O is this normal/safe/needed?:

    Do you have happen to use nextcloud on the server? I think nextcloud+ldap keeps doing a login request when syncing for each file (which might trigger a login eventlog in mysql)

    No there is no Nextcloud on this server

    Support graphs

  • Cloudron v9: huge disk I/O is this normal/safe/needed?
imc67

    I enabled this and within seconds the log file was enormous. I asked ChatGPT to analyse it and here are its observations (too technical for me):


    Some observations after briefly enabling the MySQL general log (Cloudron v9)

    I enabled the MySQL general log only for a short time because of disk I/O concerns, but even within a few minutes a clear pattern showed up.

    What I’m seeing:

    • A very high number of
      INSERT INTO session (...) and
      INSERT ... ON DUPLICATE KEY UPDATE
    • These happen continuously and come from 172.18.0.1
    • As far as I understand, this IP is the Docker bridge gateway in Cloudron, so it likely represents multiple apps

    I temporarily disabled Matomo to rule that out, but disk I/O and session-related writes did not noticeably decrease, so it does not seem to be the main contributor.

    From the log it looks like:

    • Multiple applications are storing sessions in MySQL
    • Session rows are updated on almost every request
    • This can generate a lot of InnoDB redo log and disk I/O, even with low traffic

    Nothing looks obviously broken, but I’m trying to understand whether this level of session write activity is:

    • expected behavior in Cloudron v9
    • something that can be tuned or configured
    • or if there are recommended best practices (e.g. Redis for sessions)

    Any guidance on how Cloudron expects apps to handle sessions, or how to reduce unnecessary MySQL write I/O, would be much appreciated.

    Thanks for looking into this.

    Support graphs
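The observation that the session writes "come from 172.18.0.1" is the limit of what a quick read of the general log gives you, because every app behind the Docker bridge shows the same source address. The following is an added example for this thread and not Cloudron code: it aggregates a general log by statement shape, but attributes each Query to its connection first (MySQL only names the client on the Connect line) and keys the totals by user@host rather than host alone. Since every Cloudron app gets its own MySQL user, that separates the apps the gateway address hides. The line layout (time, connection id, command, argument) is the MySQL 8 general-log format as I know it; the sample lines are constructed.

```python
# Added example, not Cloudron code: the aggregation behind the kind of numbers
# quoted above. MySQL's general log names the client only on the Connect line,
# so each Query has to be attributed to its connection id first; keying the
# totals by user@host instead of host alone separates the apps that all arrive
# via the Docker gateway 172.18.0.1, because every Cloudron app gets its own
# MySQL user. The line layout (time, connection id, command, argument) is the
# MySQL 8 general-log format as I know it; the sample lines are constructed.
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
CONNECT_RE = re.compile(r"^(\S+?)@(\S+) on ")          # "user@host on db using TCP/IP"
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "REPLACE"}

def statement_shape(sql: str) -> str:
    """Reduce a statement to verb + table, e.g. 'INSERT session (upsert)'."""
    s = " ".join(sql.split())
    verb = s.split(" ", 1)[0].upper()
    table = re.search(r"\b(?:INTO|FROM|UPDATE)\s+`?(\w+)`?", s, re.IGNORECASE)
    shape = f"{verb} {table.group(1)}" if table else verb
    if verb == "INSERT" and re.search(r"ON DUPLICATE KEY UPDATE", s, re.IGNORECASE):
        shape += " (upsert)"
    return shape

def aggregate(log_text: str) -> dict:
    """{user@host: {statement shape: count}} with Connect/Quit tracking."""
    client_of = {}                                   # connection id -> user@host
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, conn_id, command, arg = m.groups()
        if command == "Connect":
            c = CONNECT_RE.match(arg)
            client_of[conn_id] = f"{c.group(1)}@{c.group(2)}" if c else "?"
        elif command == "Query":
            counts[client_of.get(conn_id, "?")][statement_shape(arg)] += 1
        elif command == "Quit":
            client_of.pop(conn_id, None)
    return {client: dict(c) for client, c in counts.items()}

def write_heavy(counts: dict, min_share: float = 0.5) -> dict:
    """Clients whose INSERT/UPDATE/DELETE/REPLACE share of queries is >= min_share."""
    out = {}
    for client, shapes in counts.items():
        total = sum(shapes.values())
        writes = sum(n for shape, n in shapes.items() if shape.split()[0] in WRITE_VERBS)
        if total and writes / total >= min_share:
            out[client] = round(writes / total, 2)
    return out

# Constructed sample in general-log layout (tab-separated, as MySQL writes it)
SAMPLE_LOG = (
    "2026-02-06T10:00:00.000100Z\t   41 Connect\tapp_wp@172.18.0.1 on wp_db using TCP/IP\n"
    "2026-02-06T10:00:00.000200Z\t   42 Connect\tapp_matomo@172.18.0.1 on matomo_db using TCP/IP\n"
    "2026-02-06T10:00:00.001000Z\t   41 Query\tINSERT INTO session (id, data, expires) VALUES ('a1', 'x', 1770000000) ON DUPLICATE KEY UPDATE data = 'x', expires = 1770000000\n"
    "2026-02-06T10:00:00.002000Z\t   41 Query\tINSERT INTO session (id, data, expires) VALUES ('a2', 'y', 1770000000) ON DUPLICATE KEY UPDATE data = 'y', expires = 1770000000\n"
    "2026-02-06T10:00:00.003000Z\t   41 Query\tSELECT data FROM session WHERE id = 'a1'\n"
    "2026-02-06T10:00:00.004000Z\t   42 Query\tSELECT idsite FROM site WHERE idsite = 1\n"
    "2026-02-06T10:00:00.005000Z\t   42 Quit\t\n"
    "2026-02-06T10:00:00.006000Z\t   43 Connect\troot@localhost on  using Socket\n"
    "2026-02-06T10:00:00.007000Z\t   43 Query\tSHOW PROCESSLIST\n"
    "2026-02-06T10:00:00.008000Z\t   41 Query\tUPDATE session SET expires = 1770000300 WHERE id = 'a1'\n"
)

if __name__ == "__main__":
    totals = aggregate(SAMPLE_LOG)
    for client, shapes in totals.items():
        print(client, shapes)
    print("write-heavy:", write_heavy(totals))
```

Feed it the real general log (keep that log enabled only for a minute or two, as the post says, because it captures every statement including data) and `write_heavy()` names the MySQL user, and therefore the app, that is doing the session upserts, rather than just the bridge address.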

  • How to set reversed geocoding?
imc67

    no 😫...

    Dawarich

  • Sharing custom SpamAssassin Rules
imc67

    @d19dotca said in Sharing custom SpamAssassin Rules:

    @imc67 said in Sharing custom SpamAssassin Rules:

    @msbt said in Sharing custom SpamAssassin Rules:

    Thanks a bunch for the list @d19dotca! Quick question about the rest of the setup though: Do you still have entries in the Email ACL DNSBL Zones or is that empty because everything is handled in the custom rules? Like those:

    zen.spamhaus.org
    bl.mailspike.net
    noptr.spamrats.com
    dnsbl.sorbs.net
    

    Or is that empty on your side?

    I think this is still a relevant question, @d19dotca your spam rules are amazing, however you are "calling" ACL DNSBLs that are not default in a Cloudron install (https://docs.cloudron.io/email/#dnsbl), so I guess they are not working until you add them?

    I asked ChatGPT to analyse your latest rules and it advised adding the ones below to the DNSBL Zones ACL (https://my.domain.com/#/email-settings). Is that in your opinion correct to make them all work?

    zen.spamhaus.org
    bl.mailspike.net
    noptr.spamrats.com
    all.spamrats.com
    backscatter.spameatingmonkey.net
    bl.spameatingmonkey.net
    netbl.spameatingmonkey.net
    
    

    So just to clarify… if you add those to the DNSBL list in Cloudron mail settings, it will completely reject mail that has a hit on any of those services. That mail setting in Cloudron is used by Dovecot/Haraka, not SpamAssassin. The reason you don’t want all those DNSBLs there is because not all of them are super accurate (some are too aggressive), which is why they’re in the SpamAssassin rules instead.

    Basically the DNSBL list for Cloudron should only be if you want anything that has a hit to be outright rejected and never arrive in your mailbox (not even the junk folder). I prefer to keep that to just Abusix and SpamHaus myself because they have proven to be very accurate in the sense that they return no false positives, so they’re “safe” in rejecting only the most obvious of spam.

    Then everything else that passes through that part will simply be scanned by SpamAssassin against the other DNSBLs in the custom rules and are therefore not rejected but just categorized as either spam or ham. It’s safer that way.

    But also totally up to you. If you trust the other DNSBLs, then certainly feel free to add them to the Cloudron DNSBL list, but just know that doing so will most likely result in rejected/dropped messages that you’ll never know about until you look at the mail sever logs.

    Ultimately… the DNSBLs in the custom SpamAssassin rule set don't really have anything to do with the DNSBL setting used in Cloudron, as they are different levels of filtering and unrelated to each other.

    Hopefully that makes sense. I’m just waking up while writing this so let me know if I can clarify further as I may not be explaining myself perfectly, lol.

    WOW thank you very very much for this extraordinary clarification! I expected a necessary connection between the two but it isn’t. Thanks for your great work and explanation!

    Discuss mail spam
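The distinction d19dotca draws above is the whole design: a DNSBL zone in Cloudron's mail settings rejects the SMTP session on a hit, so the message never exists in any mailbox, while the same zone referenced from a SpamAssassin rule only adds points to a score. The following is an added example for this thread and not Cloudron's Haraka or SpamAssassin configuration: it builds the reversed-octet DNSBL query name and runs both stages side by side, with a short high-precision list at the SMTP stage and a scored list at the SpamAssassin stage. Zone names come from this thread; the point values, the threshold and the in-memory resolver answers are constructed so the script runs offline, and a real deployment queries DNS instead.

```python
# Added example, not Cloudron's Haraka/SpamAssassin configuration: the two layers
# d19dotca describes, side by side. Stage 1 mirrors the DNSBL zones in Cloudron's
# mail settings: a hit rejects the SMTP session and the message never reaches a
# mailbox. Stage 2 mirrors SpamAssassin rules: a hit only adds points and the
# total decides spam or ham. Zone names come from this thread; the point values,
# the threshold and the in-memory resolver answers are constructed so this runs
# offline, and a real deployment queries DNS instead.
import ipaddress

def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for a DNSBL: octets reversed, zone appended (IPv4 only here)."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone

REJECT_ZONES = ["zen.spamhaus.org"]               # stage 1: short, high-precision list
SCORE_ZONES = {                                    # stage 2: points per hit (assumed values)
    "bl.mailspike.net": 1.5, "noptr.spamrats.com": 1.0, "all.spamrats.com": 2.0,
    "bl.spameatingmonkey.net": 1.2, "backscatter.spameatingmonkey.net": 0.8,
}
SPAM_THRESHOLD = 5.0
LISTED = ipaddress.ip_network("127.0.0.0/8")                 # any A record here = listed
SPAMHAUS_ERRORS = ipaddress.ip_network("127.255.255.0/24")   # "query refused" answers, not listings

FAKE_DNS = {  # constructed resolver: query name -> A record; missing = NXDOMAIN
    dnsbl_name("192.0.2.99", "zen.spamhaus.org"): "127.0.0.2",
    dnsbl_name("198.51.100.7", "bl.mailspike.net"): "127.0.0.2",
    dnsbl_name("198.51.100.7", "all.spamrats.com"): "127.0.0.43",
    dnsbl_name("203.0.113.9", "zen.spamhaus.org"): "127.255.255.254",  # open-resolver error code
}

def is_hit(ip: str, zone: str, resolver: dict = FAKE_DNS) -> bool:
    """A listing is an A record in 127/8; Spamhaus error codes must not count as hits."""
    answer = resolver.get(dnsbl_name(ip, zone))
    if answer is None:
        return False
    a = ipaddress.ip_address(answer)
    return a in LISTED and a not in SPAMHAUS_ERRORS

def smtp_stage(ip: str, resolver: dict = FAKE_DNS) -> tuple:
    """Connection-time check: reject outright on any hit in REJECT_ZONES."""
    for zone in REJECT_ZONES:
        if is_hit(ip, zone, resolver):
            return "reject", f"554 5.7.1 {ip} is listed in {zone}"
    return "accept", None

def spamassassin_stage(ip: str, base_score: float = 0.0, resolver: dict = FAKE_DNS) -> tuple:
    """Content-time check: add points per hit on top of whatever other rules scored."""
    hits = [zone for zone in SCORE_ZONES if is_hit(ip, zone, resolver)]
    score = round(base_score + sum(SCORE_ZONES[z] for z in hits), 1)
    return ("spam" if score >= SPAM_THRESHOLD else "ham"), score, hits

def process(ip: str, base_score: float = 0.0, resolver: dict = FAKE_DNS) -> dict:
    """Run both stages for the connecting IP and report where the message ends up."""
    action, reply = smtp_stage(ip, resolver)
    if action == "reject":
        return {"stage": "smtp", "action": "reject", "reply": reply}
    verdict, score, hits = spamassassin_stage(ip, base_score, resolver)
    return {"stage": "spamassassin", "action": "deliver", "folder": "Junk" if verdict == "spam" else "Inbox",
            "score": score, "hits": hits}

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7", "203.0.113.9"):
        print(ip, process(ip))
    print("198.51.100.7 plus 2.0 points from content rules:", process("198.51.100.7", base_score=2.0))
```

The third sample address shows the caveat a practitioner wants: Spamhaus answers queries it refuses (for example from an open or public resolver) with codes in 127.255.255.0/24, and a naive "any 127.x answer means listed" check would reject every sender on a misconfigured host. The `SPAMHAUS_ERRORS` exclusion is what keeps that failure mode out of the reject path.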

  • Sharing custom SpamAssassin Rules
imc67

    @msbt said in Sharing custom SpamAssassin Rules:

    Thanks a bunch for the list @d19dotca! Quick question about the rest of the setup though: Do you still have entries in the Email ACL DNSBL Zones or is that empty because everything is handled in the custom rules? Like those:

    zen.spamhaus.org
    bl.mailspike.net
    noptr.spamrats.com
    dnsbl.sorbs.net
    

    Or is that empty on your side?

    I think this is still a relevant question, @d19dotca your spam rules are amazing, however you are "calling" ACL DNSBLs that are not default in a Cloudron install (https://docs.cloudron.io/email/#dnsbl), so I guess they are not working until you add them?

    I asked ChatGPT to analyse your latest rules and it advised adding the ones below to the DNSBL Zones ACL (https://my.domain.com/#/email-settings). Is that in your opinion correct to make them all work?

    zen.spamhaus.org
    bl.mailspike.net
    noptr.spamrats.com
    all.spamrats.com
    backscatter.spameatingmonkey.net
    bl.spameatingmonkey.net
    netbl.spameatingmonkey.net
    
    
    Discuss mail spam

  • Cloudron v9: huge disk I/O is this normal/safe/needed?
imc67

    Ok, thanks for your hints!!

    The result was PID 19974

    However:

    ● mysql.service - MySQL Community Server
         Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled)
         Active: active (running) since Sat 2025-12-13 05:57:30 UTC; 1 day 5h ago
        Process: 874 ExecStartPre=/usr/share/mysql/mysql-systemd-start pre (code=exited, status=0/SUCCESS)
       Main PID: 910 (mysqld)
         Status: "Server is operational"
          Tasks: 47 (limit: 77023)
         Memory: 601.7M
            CPU: 59min 14.538s
         CGroup: /system.slice/mysql.service
                 └─910 /usr/sbin/mysqld
    

    And docker top mysql

    UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
    root                9842                8908                0                   Dec13               ?                   00:00:17            /usr/bin/python3 /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Mysql
    message+            19974               9842                6                   Dec13               ?                   01:56:43            /usr/sbin/mysqld
    message+            19976               9842                0                   Dec13               ?                   00:01:31            node /app/code/service.js
    

    So ps uax | grep -i 19974 gives:

    message+   19974  6.6  1.8 4249604 1229136 ?     Sl   Dec13 116:48 /usr/sbin/mysqld
    

    So at least we now know that it's the Docker MySQL

    Support graphs