You can also follow this great guide and set up an automated blocklist update:
https://forum.cloudron.io/topic/3795/firewall-spamassassin-automatic-list-update/41?_=1740739173375
Might mitigate some (few) of these annoying spam attacks.
@joseph said in glauth ldap backend:
@NCKNE were you able to run that command? Trying to see if we can fix the code to simply auto-detect this and disable paging automatically (instead of adding an option). My understanding is that paging is optional for LDAP servers.
That's a great idea! I ran the command but got the following response:
root@ldap-wrapper-r90:~# ldapsearch -x -s base -b "" supportedControl -H ldap://localhost:13389
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedControl
#
# domain.de
dn: dc=domain,dc=de
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Yes, although I am not using glauth for LDAP, the server does not support paging. There seem to be various configurations that do not support paging, so an option to disable it in the Cloudron LDAP sync config would be nice.
Update: Changing all occurrences of
paged: true
to
paged: false
in
/home/yellowtent/box/src/externalldap.js
Makes LDAP Sync work. Maybe adding a GUI option for paging in the LDAP sync configuration settings would be a good idea?
I am encountering the same error ("missing paged control") when connecting to an ldapjs server:
2025-02-25T07:37:57.542Z box:taskworker Starting task 10372. Logs are at /home/yellowtent/platformdata/logs/tasks/10372.log
2025-02-25T07:37:57.566Z box:taskworker Running task of type syncExternalLdap
2025-02-25T07:37:57.566Z box:tasks update 10372: {"percent":10,"message":"Starting ldap user sync"}
2025-02-25T07:37:59.860Z box:taskworker Task took 2.366 seconds
2025-02-25T07:37:59.860Z box:tasks setCompleted - 10372: {"result":null,"error":{"stack":"BoxError: missing paged control\n at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)\n at SearchPager.emit (node:events:519:28)\n at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)","name":"BoxError","reason":"External Error","details":{},"message":"missing paged control","nestedError":{"stack":"PagedError: missing paged control\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:93:17)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)\n at end (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:62:36)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:108:10)\n at Socket.onData (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:875:22)","name":"PagedError","message":"missing paged control"}}}
2025-02-25T07:37:59.861Z box:tasks update 10372: {"percent":100,"result":null,"error":{"stack":"BoxError: missing paged control\n at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)\n at SearchPager.emit (node:events:519:28)\n at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)","name":"BoxError","reason":"External Error","details":{},"message":"missing paged control","nestedError":{"stack":"PagedError: missing paged control\n at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:93:17)\n at EventEmitter.emit (node:events:519:28)\n at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)\n at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)\n at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)\n at Parser.emit (node:events:519:28)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)\n at end (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:62:36)\n at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:108:10)\n at Socket.onData (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:875:22)","name":"PagedError","message":"missing paged control"}}}
BoxError: missing paged control
at SearchPager.<anonymous> (/home/yellowtent/box/src/externalldap.js:162:48)
at SearchPager.emit (node:events:519:28)
at SearchPager.emit (/home/yellowtent/box/node_modules/ldapjs/lib/corked_emitter.js:44:33)
at SearchPager._onEnd (/home/yellowtent/box/node_modules/ldapjs/lib/client/search_pager.js:103:12)
at EventEmitter.emit (node:events:519:28)
at sendResult (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1194:22)
at messageCallback (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:1222:16)
at Parser.onMessage (/home/yellowtent/box/node_modules/ldapjs/lib/client/client.js:888:14)
at Parser.emit (node:events:519:28)
at Parser.write (/home/yellowtent/box/node_modules/ldapjs/lib/messages/parser.js:107:8)
The ldapjs server that is being queried logs the following in debug mode:
DEBUG: 2025-02-25T07:37:59.816Z: %s: sending: %j 1.2.3.4:54938 { status: 0, matchedDN: '', diagnosticMessage: '', referrals: [] }
TRACE: 2025-02-25T07:37:59.883Z: %s shutdown 1.2.3.4:54938
TRACE: 2025-02-25T07:37:59.884Z: %s close; had_err=%j 1.2.3.4:54938 false
Could this be related to paging? Can paging be disabled in Cloudron to test if that is the cause?
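Both posts above (the glauth/wrapper `ldapsearch` probe and the ldapjs "missing paged control" task log) run into the same thing: the client asks for the LDAP paged results control and the server never returns it. The following is an added example, not code from Cloudron's `externalldap.js` or from ldapjs: it parses the LDIF an `ldapsearch -s base -b "" supportedControl` probe prints, checks whether the server advertises the paged results control OID (1.2.840.113556.1.4.319, RFC 2696), and only then sets `paged` in the ldapjs search options. The three LDIF samples are constructed; the second is shaped like the wrapper reply quoted above (a naming-context entry and no `supportedControl` at all), and absence is deliberately treated as "do not page", which is the safe failure mode.

```javascript
// Added example, not Cloudron's externalldap.js or ldapjs code: decide
// whether to request the LDAP paged results control (RFC 2696,
// OID 1.2.840.113556.1.4.319) from what the server advertises in its
// root DSE, instead of hard-coding paged: true. When a server that does not
// implement the control silently ignores it, ldapjs's SearchPager ends the
// search with PagedError "missing paged control", as in the task log above.
const PAGED_RESULTS_OID = '1.2.840.113556.1.4.319';

// ldapsearch prints these trailer lines after the entries; they are not
// attributes and must not be attached to the last entry.
const LDAPSEARCH_TRAILER = new Set(['search', 'result', 'text']);

// Minimal LDIF reader: unfolds continuation lines (leading space), skips
// '#' comments, decodes base64 values ('attr:: value'), lower-cases attribute
// names and returns [{ dn, attrs: { name: [values] } }]. URL values
// ('attr:< url') are not supported and are kept as raw text.
function parseLdif(text) {
  const unfolded = [];
  for (const line of text.split(/\r?\n/)) {
    if (line.startsWith(' ') && unfolded.length > 0) {
      unfolded[unfolded.length - 1] += line.slice(1);
    } else {
      unfolded.push(line);
    }
  }

  const entries = [];
  let current = null;
  for (const line of unfolded) {
    if (line.startsWith('#')) continue;
    if (line.trim() === '') {
      if (current) entries.push(current);
      current = null;
      continue;
    }
    const m = /^([A-Za-z][\w.;-]*)(::?) ?(.*)$/.exec(line);
    if (!m) continue;
    const [, name, sep, raw] = m;
    const key = name.toLowerCase();
    if (LDAPSEARCH_TRAILER.has(key)) continue;
    const value = sep === '::' ? Buffer.from(raw, 'base64').toString('utf8') : raw;
    if (key === 'dn') {
      if (current) entries.push(current);
      current = { dn: value, attrs: {} };
      continue;
    }
    if (!current) continue;
    if (!current.attrs[key]) current.attrs[key] = [];
    current.attrs[key].push(value);
  }
  if (current) entries.push(current);
  return entries;
}

// True only if some returned entry advertises the paged results control.
// Absence is treated as "do not page": safer than the reverse failure.
function pagingSupported(rootDseLdif) {
  const controls = parseLdif(rootDseLdif).flatMap((e) => e.attrs.supportedcontrol || []);
  return controls.includes(PAGED_RESULTS_OID);
}

// ldapjs client.search() options derived from the probe: `paged` is either
// false or the { pageSize, pagePause } object ldapjs accepts.
function searchOptions(rootDseLdif, pageSize = 100) {
  return {
    scope: 'sub',
    filter: '(objectClass=*)',
    paged: pagingSupported(rootDseLdif) ? { pageSize, pagePause: false } : false,
  };
}

// Constructed sample: an OpenLDAP-style root DSE that advertises the control.
const SAMPLE_OPENLDAP = `# extended LDIF
#
# LDAPv3
dn:
supportedControl: 1.3.6.1.1.12
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.1.22

# search result
search: 2
result: 0 Success
`;

// Constructed sample shaped like the wrapper's reply quoted above: a base ""
// query answered with a naming-context entry and no supportedControl at all.
const SAMPLE_WRAPPER = `# extended LDIF
# requesting: supportedControl
#
# domain.de
dn: dc=domain,dc=de
# search result
search: 2
result: 0 Success
`;

// Constructed sample exercising base64 and folded values: the same OID
// base64-encoded, plus a namingContexts value split over two lines.
const SAMPLE_FOLDED = `dn:
supportedControl:: MS4yLjg0MC4xMTM1NTYuMS40LjMxOQ==
namingContexts: dc=exa
 mple,dc=org
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log('openldap paged:', searchOptions(SAMPLE_OPENLDAP).paged);
  console.log('wrapper paged:', searchOptions(SAMPLE_WRAPPER).paged);
}
```

One caveat: a root DSE probe that answers with a real entry instead of the empty DN (as the wrapper does) does not prove the server lacks paging, only that it does not advertise it, so a client following this logic falls back to an unpaged search and should cap the expected result size on its own side.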
@joseph said in EntraID / AzureAD LDAP wrapper:
@NCKNE said in EntraID / AzureAD LDAP wrapper:
Entra ID / Azure AD is not LDAP
TIL
Had no clue, ignore my previous comment then. Just read about it a little more and it seems you need something called Azure AD DS per https://www.reddit.com/r/sysadmin/comments/120e71z/ldaps_with_azure_ad_tenant_bundled_with_office_365/
Yeah, but the Azure AD DS you mentioned is very complex and expensive (licensing costs). I just thought since the topic had come up a few times, native support of Entra ID / Azure AD might be something to consider for the future.
@joseph said in EntraID / AzureAD LDAP wrapper:
AD support seems to be something we should add directly to Cloudron's existing LDAP server, if this is deemed useful. Incidentally, Cloudron's ldap server is also based on ldapjs.
Entra ID / Azure AD is not LDAP… that’s why either a wrapper like above is needed or Cloudron could natively implement Entra ID support (as many other apps do) and connect it to the Cloudron internal directory.
The topic has come up several times in the forum in the past: Is there an easy way to connect the Cloudron user directory to Microsoft Entra ID (formerly Azure AD) for a same sign-in scenario? Microsoft offers Entra ID Domain Services with LDAP, but it involves a very complex and cost-intensive setup.
I have been using the "Azure AD LDAP Wrapper" in the past which uses the Microsoft Graph API and provides an LDAP endpoint for Entra ID:
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/installation/run-ldap-wrapper/
The project is quite simple and easy to install using Docker or Node.js directly. I am currently running it on a separate server with firewall rules to allow only specific IP addresses to access the LDAP port. Now, wouldn't it be great if this could run as a Cloudron app itself? If it was published on the app store, one would only need to provide the Azure App registration data in an env file and could bind the Cloudron directory to a local (private) LDAP port on the same server.
Well, I am new to packaging apps for Cloudron and have no idea how to package an app without a web interface. Health checks would need to check the LDAP port and not HTTP, etc. Is this even a scenario wanted by the @staff?
If so, I could give packaging a try and do some testing, but would need some pointers if this can/should be realized as an app within Cloudron as it would need to expose a custom LDAP port to the internal docker stack.
If SRS is not an option (or not obeyed by Gmail) you can look into some advanced sieve stuff:
https://doc.dovecot.org/2.3/configuration_manual/sieve/configuring_auto_forward_sender_address/
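The linked Dovecot page is about which envelope sender a Sieve `redirect` uses. As an added example (not a fragment of Cloudron's Dovecot config or of the linked page), here is the Pigeonhole setting behind it, with the default that trips SPF next to the value the page describes. Whether this setting is reachable on a Cloudron install is an assumption; Cloudron manages the Dovecot config itself, so treat this as the upstream knob rather than a Cloudron option.

```conf
# Added example, not Cloudron configuration: Pigeonhole Sieve setting in
# conf.d/90-sieve.conf that selects the envelope sender (MAIL FROM) used
# when a Sieve script forwards a message with `redirect`.
plugin {
  # Default: keep the original sender as envelope sender. The receiving MTA
  # (e.g. Gmail) then checks the ORIGINAL sender's SPF record against YOUR
  # server's IP and fails it unless SRS rewrites the address.
  #sieve_redirect_envelope_from = sender

  # Use the forwarding mailbox as envelope sender instead: SPF is now
  # evaluated against your own domain, which does authorise your server.
  # Trade-off: bounces for the forwarded copy land in the forwarding
  # mailbox rather than with the original sender.
  sieve_redirect_envelope_from = recipient
}
```

After changing it, send a message through a forwarding rule and inspect the `Received-SPF` / `Authentication-Results` headers on the receiving side: the checked domain should now be the forwarding domain, not the original sender's.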
@marcusquinn You‘re welcome. We are using openwebui with RAG (our own documents aka knowledge) for the IT support team. We are using it on cloudron together with the private IONOS AI Hub. Great service if you are serving EU customers.
I am pretty happy with this in openwebui:
I am also confused about how this is different from openwebui where you can create a custom model that is enriched with your own knowledge (aka your own documents) and share that model with others to chat with. I am no expert here though and have just used openwebui so far. Works great.
@avatar1024 said in Email delivery issues with double forwarding to external addresses:
Does it work fine with your set-up?
Yes, using an external SMTP relay it works for me. And Google finally accepts incoming mails right away instead of delaying them for hours or even days...
Not sure if this might be due to some SRS (https://en.wikipedia.org/wiki/Sender_Rewriting_Scheme) misinterpretation? I have set up similar scenarios on Cloudron, but switched to an external SMTP relay server - so not comparable per se. If not using SRS, you would run into SPF problems when forwarding the mails aka using a distribution group.
The "Error: bare <LF> received" message might hint at some other cause though, maybe the Haraka mail server used by Cloudron formatted something in a non-conforming way.
I am pretty happy with the MS-01 „workstation“ from MinisForum. It has options for more than one NVME so you can run a software RAID and has solid hardware specs. Pricing is much higher than used mini PC systems off eBay, but if you are looking for powerful, silent, and small hardware this might be an option to consider (if it fits the budget).
https://store.minisforum.com/products/minisforum-ms-01
Thanks guys, that's exactly the use case I was thinking about. The Haraka MTA used by Cloudron seems to be very flexible in regards to the outbound configuration (https://haraka.github.io/core/Outbound). While I am no expert on this subject, it might not be too difficult to implement a fallback using an SMTP relay.
We had some good experiences with self hosted mail servers and using SMTP relays (CSA listed). I just don’t want to send all mail messages through an SMTP relay (costs, logs not on Cloudron, etc.), just the ones that stay in the queue for too long. Shouldn’t be too difficult to implement, but I don’t know if there is a need for it for others. We‘ve had all messages delivered so far (even to Gmail, etc.), but I am annoyed by the delays because of 4xx rejections from the large providers.
Sometimes, mail providers such as Gmail/Yahoo/AOL can be picky when accepting incoming mails from self-hosted mail servers, even if they come from a reputable IP address of a cloud hosting provider. Mails are being temporarily rejected with a 4xx error code and it can take a long time for them to be accepted, if at all.
Would it be possible to have a configuration in Cloudron to use an external SMTP relay service for mails only in case a mail stays in the queue for a (configurable) time, e.g. 30 minutes?
Cloudron could continuously monitor the outgoing mail queue and if a mail is in the main queue for a certain amount of time without being delivered, it could move it to a secondary queue, configured with an external SMTP relay (mailgun, rapidmail, etc.) to ensure delivery of the mail.
Any thoughts on this? Would this be possible?
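As an added example of what the proposal above could look like in Haraka terms (not Cloudron's or Haraka's code, and not an announced feature), the plugin sketch below diverts a message to an authenticated SMTP relay from the `get_mx` hook once it has already failed a direct attempt and has been queued for at least 30 minutes. The hook name and the `hmail` fields used (`num_failures`, `todo.queue_time`) and the mx object shape (`exchange`, `port`, `auth_user`, `auth_pass`) follow Haraka's Outbound plugin documentation as I read it and should be verified against the installed Haraka version; the relay host and credentials are hypothetical placeholders.

```javascript
// Added example, not Cloudron's or Haraka's code: a sketch of the fallback
// described above as a Haraka outbound plugin. The hook name (get_mx), the
// hmail fields used (num_failures, todo.queue_time) and the mx object shape
// (exchange, port, auth_user, auth_pass) follow Haraka's Outbound plugin
// documentation as I read it; verify them against your Haraka version.
// The relay host and credentials are hypothetical.

// Haraka defines OK as a global when it loads plugins; the fallback is the
// value from haraka-constants so this file also runs stand-alone.
const OK = (typeof global !== 'undefined' && typeof global.OK === 'number') ? global.OK : 906;

const FALLBACK_AFTER_MS = 30 * 60 * 1000; // the 30 minutes proposed above

// Hypothetical relay; a real plugin would read this from config/ and keep
// the credentials out of the repository.
const RELAY_MX = Object.freeze({
  priority: 0,
  exchange: 'smtp.relay.example',
  port: 587,
  auth_user: 'relay-user',
  auth_pass: 'relay-secret',
});

// Pure decision so it can be unit-tested: only divert mail that has already
// failed at least one direct attempt (a fresh message always goes direct)
// and has been sitting in the queue for at least the threshold.
function shouldRelay(hmail, nowMs) {
  const queuedAtMs = hmail.todo.queue_time;
  const ageMs = nowMs - queuedAtMs;
  return hmail.num_failures > 0 && ageMs >= FALLBACK_AFTER_MS;
}

// get_mx hook: calling next() with no arguments keeps Haraka's normal DNS MX
// lookup for `domain`; next(OK, mxList) overrides the destination for this
// delivery attempt only, so the message keeps its place in the queue.
function hookGetMx(next, hmail, domain) {
  if (!shouldRelay(hmail, Date.now())) return next();
  return next(OK, [{ ...RELAY_MX }]);
}

// Register with Haraka when loaded as a plugin (CommonJS module scope).
if (typeof exports !== 'undefined') {
  exports.hook_get_mx = hookGetMx;
}
```

Two operational points worth keeping in mind with this shape: the first attempt still goes direct, so the relay only ever sees mail the large providers have already greylisted, which keeps relay cost and off-box logging to that subset; and because the relay is chosen per attempt, DKIM signing and the envelope sender are unchanged, so the relay must be authorised in your SPF record (or rewrite the sender itself) for the fallback copy to pass authentication.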
Most likely related to https://forum.cloudron.io/post/91353. Reported upstream: https://github.com/alextselegidis/easyappointments/issues/1587#issue-2465769537
You may also check this post if you are technically skilled with wireguard and a public VPS.