settings.yml missing from web file manager

@james said in settings.yml missing from web file manager:

Hello @user123456
We looked into it.
Someone has disabled the SFTP service on the demo Cloudron Demo Server along with other services.

Request: Passkeys support for the Cloudron login

@humptydumpty said in Best practices for email security?:

I just read that some vulnerability exposed “millions” of Gmail users. I just read the title so please don’t ask for details. But, it got me thinking about our CR mail servers. How can we best protect them?

This „breach“ has nothing to do with Google.

However, as the company explained in a series of posts on Monday, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years.
…
"The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It's not reflective of a new attack aimed at any one person, tool, or platform."

https://www.bleepingcomputer.com/news/security/google-disputes-false-claims-of-massive-gmail-data-breach/

So before you take measures that effectively render mail unusable (POP3), rather enable the usual security measures (Passkey, 2FA, a decent password manager, etc.) and you should be ok as an average person.

@cresdamo109
Hmm, no one who is not authenticated should be able to use the Cloudron mail system to send mails.
Cloudron and the mail system have several security features, see

• https://docs.cloudron.io/email#security
• https://docs.cloudron.io/security

Is that what you're asking?

• Main Page: https://www.aliasvault.net/
• Git: https://github.com/aliasvault/aliasvault
• Licence: AGPL-3.0
• Dockerfile: Yes (Official All-in-One Docker image available)
• Demo: https://www.aliasvault.net/ (Cloud Version)

---

• Summary:
  • AliasVault is a privacy-first, open-source, end-to-end encrypted password and email alias manager. It goes beyond simple credential storage by acting as a complete identity management system. It allows you to create alternative identities, passwords, and email addresses for every website you use.
  • Unlike traditional password managers, AliasVault includes a built-in email server. This means you don't just generate aliases; you have an integrated reception capability to receive emails directly in your vault without exposing your real address.

---

• Key Features:
  • Full Identity Management: Manage credentials, emails, and personas in one place.
  • End-to-End Encryption: Zero-knowledge architecture (Argon2id + AES-256-GCM).
  • Built-in Email Server: Generate random email aliases and receive emails directly.
  • Passkey Support: Secure, passwordless login support.
  • 2FA/TOTP Generator: Integrated authenticator for your accounts.
  • Identity Generation: Create unique personas (name, birthdate, etc.) for anonymous sign-ups.

---

• Available Platforms:
  AliasVault offers native apps and extensions for all major platforms:
  • Mobile: iOS (App Store), Android (Google Play & F-Droid)
  • Browser Extensions: Chrome, Firefox, Edge, Safari, Brave
  • Web: Universal Web App

---

• Migration Options:
  It supports importing credentials from many popular password managers:
  • Bitwarden & Vaultwarden
  • 1Password
  • Proton Pass
  • KeePass & KeePassXC
  • Dashlane
  • Strongbox
  • Dropbox Passwords
  • Chrome & Firefox built-in managers

---

• Notes:
  This looks like a a comprehensive "all-in-one" privacy stack. It combines the functionality of a password manager (like Vaultwarden) with an email aliasing service (like SimpleLogin) into a single self-hosted interface.

---

• Transparency & Roadmap:
  • Fully Open Source: A huge plus for transparency enthusiasts—unlike many other projects, AliasVault is 100% open source. This applies to both the clients and the server-side code.
  • Roadmap: While feature-rich (including Passkeys and 2FA), Password Sharing is not yet available but is officially planned for a future release.
  • The project recently introduced an "All-in-One" Docker image, which should simplify the packaging process for Cloudron significantly.

---

• Data Synchronization:
  Clients can switch between:
  • Self-Hosted Instance: Sync directly to your own server (e.g. on Cloudron) for 100% data sovereignty.
  • Official Cloud: Sync via the official EU-based managed service (GDPR).

---

• Alternative to / Libhunt link: https://selfhosted.libhunt.com/aliasvault-alternatives (Alternative to Bitwarden, Vaultwarden, SimpleLogin, AnonAddy)
• Screenshots:
  

Great!
Please put this in a pastebin or so
It not readable / copyable.

What does cloudron-support --troubleshoot (in a terminal on the server) say, just to be sure?

Thanks for heads up. It’s a switch to „source available“ and technically similar to a BUSL license.

Same applies to e.g Hashicorp Vault, n8n, etc. on Cloudron as mentioned before. Other examples with similar licenses are MongoDB, Kibana, Elasticsearch, Redis…

What is not allowed anymore: If you‘re running Cloudron and let your users use NocoDB (and even let the, pay for such access / use), you‘re making available the software as a service - in direct competition to NocoDB itself, btw, who provide such paid access / use themselves.

Sad to read why it happened here (from your link), partly because AI makes it so easy:

Bad actors take our work and sell it as their own, with no intention of complying with AGPLv3. Our engineers have been consulted innumerable times now to help on what appear to be private forks, where code that should be open remains hidden. The approach itself has been so maligned that they withheld that its a private fork until the last moment. And it is not only small players. Companies with significant resources, backed by reputable investors, have chosen this path too. We have prompted them about the license. It has been of no use. With the advent of coding LLMs, exploitation no longer requires any technical skill for a repo. It requires only bad intention. The burden of proving, fighting, and funding that battle falls entirely upon us.

The local agent sounds pretty cool…
And anything that can provide a meaningful search experience for all mails hosted on Cloudron. Search functionality on all self-hosted webmailer‘s is terrible.

I think you’re on the wrong forum. This is not a general forum on Vultr / Ubuntu / Docker or firewall configuration but on the cloudron.io platform.
I‘d rather ask on a Vultr support forum, e.g. https://community.vultr.com/general

@svtx said in Comm App - Self-Hosted Alternative to Signal, Wire, WhatsApp, Telegram:

Also End-to-End encrption is officially DEAD with the new so-called "AI assistants" that are now running on people's devices. There's just no point in pretending it's not.

?

@james said in Linkding: Disable login, force OIDC:

Hello @necrevistonnezr
Thanks for sharing this.
Do you think we should set this initially when OIDC is selected by the User?
But a soft configuration so a user can override it?

I think that’s a good idea as it avoids confusion in such case

FYI: The latest version, already available on Cloudron, allows to hide the login form.

• The PR: https://github.com/sissbruecker/linkding/pull/1269
• The docs entry: https://linkding.link/options/#ld_disable_login_form

How to on Cloudron:

• Edit env.sh in the file manager
• add export LD_DISABLE_LOGIN_FORM=True
• Restart app

Screenshots:

What a bunch of AI generated slop.

@charlesnw said in CIS Benchmark Compliance:

Do you use hardened Docker base images?

See the discussion here: https://forum.cloudron.io/topic/14762/docker-hardened-images In short: No, for good reasons (maintenance and standards)

Did you ever find out?

@timconsidine Something for your installer?

• Roundcube regularly fixes security issues, see: https://github.com/roundcube/roundcubemail/blob/master/CHANGELOG.md; a new version 1.7 is in the works
• Roundcube has been part of Nextcloud since 2023 (https://roundcube.net/news/2023/11/30/nextcloud-the-new-home-for-roundcube) and is part of their enterprise offering (https://nextcloud.com/roundcube/)
• Snappymail (fork of Rainloop) is the fastest of the bunch but effectively dead: https://github.com/the-djmaze/snappymail/issues/1911

That being said, all webmail clients are terrible IMHO as they usually neglect their search features (e.g. fulltext search is slow, you can’t search across folders; Cloudron‘s „virtuall all mail folder“ could help but throws off iOS mail) or have the plugin disease (essential features like MFA are outsourced to a plugin, see Roundcube).

It‘s a sad state of affairs. For my personal mail, I either rely on desktop software / a mobile device or - if I need to have access to my mail the web when I’m not at home, I use Vivaldi Mail in a local Ubuntu Container to which I connect via Apache Guacamole.

What happened to this app?

@james said in chrome-headless zombie processes:

This might be a known issue: https://github.com/prerender/prerender/issues/539

That’s an issue from 2018?!