Cloudron 9.0 (beta) bug reports

@nebulon are these the logs you are looking for?

[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:27 +0000] "GET /login?redirect=/ HTTP/2.0" 200 292170 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:27 +0000] "GET /api/v1/apps/[REDACTED]/icon?1762765767843 HTTP/2.0" 200 14575 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:27 +0000] "GET /api/v1/apps/[REDACTED]/icon HTTP/2.0" 304 0 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:29 +0000] "GET /openid/auth?client_id=[REDACTED]-proxyauth&scope=openid%20profile%20email&response_type=code&redirect_uri=https://[REDACTED]/callback HTTP/2.0" 303 79 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:29 +0000] "GET /openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk HTTP/2.0" 200 2325 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:29 +0000] "GET /api/v1/cloudron/avatar HTTP/2.0" 304 0 "https://my.[REDACTED].de/openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:29 +0000] "GET /api/v1/apps/[REDACTED]/icon?1762765769473 HTTP/2.0" 200 14575 "https://my.[REDACTED].de/openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:31 +0000] "GET /openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk/abort HTTP/2.0" 303 0 "https://my.[REDACTED].de/openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:31 +0000] "GET /openid/auth/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk HTTP/2.0" 303 169 "https://my.[REDACTED].de/openid/interaction/36heYBCBJOx4nnREDACTED3Cde1Ylinxnsxk" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:31 +0000] "GET /callback?error=access_denied&error_description=End-User+aborted+interaction&iss=https%3A%2F%2Fmy.[REDACTED].de%2Fopenid HTTP/2.0" 400 68 "https://my.[REDACTED].de/" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"
[no timestamp]  [REDACTED] - - [10/Nov/2025:09:09:33 +0000] "GET /callback?error=access_denied&error_description=End-User+aborted+interaction&iss=https%3A%2F%2Fmy.[REDACTED].de%2Fopenid HTTP/2.0" 400 68 "https://my.[REDACTED].de/" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_7 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.1 Mobile/15E148 Safari/604.1"

I think there is something wrong with OID and Safari on iOS since upgrade to Cloudron 9. I cannot login to gitea instance or App Proxy with login requirement. I get error message: "You do not have access" - of course I do.

Error Message in Browser:
{"status":"Bad Request","message":"missing query argument "code""}

When I login on a macos computer there are no issues.

After upgrading to Cloudron 9 I cannot send e-mails with Masquerading-Feature. It got disabled for all Domains, but even after enabling it again, my e-mail client (Apple Mail) still fails to send with another e-mailaddress.

Logfile of email service:

Nov 08 20:45:33 [NOTICE] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [core] connect ip=****** port=51653 local_ip=***** local_port=2587
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [dns-list] pass:******.combined.mail.abusix.zone
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [helo.checks] helo_host: smtpclient.apple, pass:bare_ip, dynamic, valid_hostname, host_mismatch, literal_mismatch, fail:rdns_match
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [spf] identity=helo ip=***** domain="smtpclient.apple" mfrom=<postmaster@smtpclient.apple> result=None
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [spf] scope: helo, result: None, domain: smtpclient.apple
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [tls] secured: cipher=ECDHE-ECDSA-AES128-GCM-SHA256 version=TLSv1.2 verified=false
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [core] hook=unrecognized_command plugin=tls function=upgrade_connection params=STARTTLS retval=OK msg=""
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [helo.checks] helo_host: smtpclient.apple, pass:bare_ip, dynamic, valid_hostname, host_mismatch, literal_mismatch, fail:rdns_match
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [cloudron] Authenticated as MYUSER@SOMEDOMAIN.COM
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D] [core] hook=unrecognized_command plugin=cloudron function=hook_unrecognized_command params=AUTH retval=OK msg=""
Nov 08 20:45:34 [INFO] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D.1] [core] hook=mail plugin=cloudron function=authorize_mail_from params=<MASKED@SOMEDOMAIN.COM> retval=DENY msg="Authenticated user MYUSER@SOMEDOMAIN.COM cannot send mail as MASKED@SOMEDOMAIN.COM"
Nov 08 20:45:34 [NOTICE] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D.1] [core] sender <MASKED@SOMEDOMAIN.COM> code=DENY msg="Authenticated user MYUSER@SOMEDOMAIN.COM cannot send mail as MASKED@SOMEDOMAIN.COM"
Nov 08 20:45:34 [NOTICE] [1BC2F871-D6E6-46D3-888B-3E7A2D3C716D.1] [core] disconnect ip=***** rdns=****.t-ipconnect.de helo=smtpclient.apple relay=Y early=N esmtp=Y tls=Y pipe=N errors=0 txns=1 rcpts=0/0/0 msgs=0/0/0 bytes=0 lr="550 Authenticated user MYUSER@SOMEDOMAIN.COM cannot send mail as MASKED@SOMEDOMAIN.COM" time=1.764

I just did the update to Cloudron 9 successfully. Everything went smoothly. Only thing I would have wished would be some more visible progress during the upgrade.

I had to restart Gitea to get it working with OpenID Login again.

@robi No, I can't see it anywhere there. In Cloudron 8 it is close to the app search, but in Cloudron 9 I can't find it there and not in the list of apps.

@girish has App Proxy been removed from 9.0 generally, or is the functionality somewhere else now?

@josephcosta I agree with you and I don't like ASP.NET because I am not familiar with it. But however, if the developer knows his stuff, I am okay with it.

@necrevistonnezr I agree with you, index and search for attachments would be great. Maybe it will be added sometime later? I also think the fuzzy search in Openarchiver is something I miss in Mailarchiver.

Maybe to add, that my experience with oepnarchiver was that it took much longer to archive new emails, because the crawling through all emails was slow. This is much faster with mailarchiver for me.

@joseph mailarchiver is using IMAP

Hi everyone,

I’ve been running Cloudron for almost 3 years now, and I just wanted to take a moment to say thank you to the Cloudron team.

In all this time I have not had a single outage or disruption. Cloudron not only runs very reliably, it also has all sorts of useful features that I keep discovering along the way.

A recent example: I wanted to use Immich with my 250 GB photo library. My vServer running Cloudron is somewhat limited in terms of storage and performance, so I set up another server with Docker to run Immich there. With a firewall in place, only my Cloudron server is allowed to talk to the Immich server. On the Immich server I used Traefik to provide HTTPS, and then on Cloudron I could simply expose this via the App Proxy.

And the best part: thanks to OpenID, I can even allow my Cloudron users to access Immich without having to manage a separate user base. Everything just works flawlessly. Immich has already processed and analyzed all 250 GB of photos in less than 12 hours.

Once again: thank you Cloudron team for this great product and all the incredibly useful features!
Looking forward to discovering even more features in the years to come!

@necrevistonnezr I like the Search in OpenArchiver, but overall I like Mail-Archiver a bit more. However, thanks for adding to the thread.

@timconsidine No, but I did deploy on my server at home via docker compose.

Hi everyone,

Since there are frequent questions here about email archiving solutions, I’d like to share a small but very practical open-source project that I’ve been using for about a week now:

Project: Mail-Archiver on GitHub

I’ve been running Mail-Archiver locally and I’m extremely satisfied so far.
The setup was straightforward, the interface is clean, and the archiving works reliably and efficiently. For me, this tool fills exactly the gap I’ve been looking to solve, without adding unnecessary complexity.

Maybe this will be interesting for some of you as well.
If anyone has questions about the setup or integration, I’m happy to help.

Best,
Michael

@Jorradezk The approach you described leaves a security gap. If IP filtering is only applied on “Server A” in front of the Cloudron Proxy App, an attacker could potentially bypass it by connecting directly to the Cloudron server’s public IP or any other exposed port.

Just a quick update, since I am using this since March.

I didn't had any issues with that kind of storage usage for the Docker during normal operations.

As I didn't have an situation with restore or bare metal recovery, I still don't have any experience for these use cases.

So far, I am pretty happy to offload the Docker Images to the Hetzner Volume.

@james I would love to have this enhancement. This would be a game changer for custom (unsupported) Apps

@d19dotca Thanks for sharing your solution — it’s a solid and pragmatic setup! Just two key points to consider:

1. Docker Subnet Might Change in Future

Your script currently hardcodes 172.18.0.0/16 as the Docker subnet. While this is the default for Cloudron, it’s technically subject to change — either through manual config changes or future Cloudron updates. To make your script more robust, you could dynamically retrieve the subnet like this:

CLOUDRON_SUBNET=$(docker network inspect cloudron --format '{{ (index .IPAM.Config 0).Subnet }}')

This ensures your SNAT rule always uses the correct range.

2. Host-Level Traffic Still Uses Default IP

Your setup correctly SNATs all container traffic, but be aware that outbound connections from the Cloudron host itself (e.g. system updates, wget, DNS lookups) will still use the primary server IP unless you apply a similar SNAT rule for host traffic. If consistency across all outbound traffic matters (e.g. for whitelisting or compliance), you might want to extend the approach accordingly.

@timconsidine Sounds very interesting as I am looking for something pretty lightweight - without any maps or so. I did send you a private message.

Thanks for your efforts with PinMe!

Chatmail can already be used on Cloudron — since Cloudron provides a full-featured mail server out of the box, you can easily connect it to a Chatmail-compatible client like Delta Chat using your existing Cloudron e-mail account.

There’s no need for a separate Chatmail-specific app on Cloudron — the infrastructure is already there. Just point Delta Chat (or another compatible client) to your Cloudron mail server credentials, and you’re good to go with end-to-end encrypted messaging.