Port 25 inbound connection timeout and missing email

Ok @james. I’ll do more accurate research

@james Thanks a lot for your question.

IOPS it seems to be good...

Block Size | 4k            (IOPS) | 64k           (IOPS)
  ------   | ---            ----  | ----           ---- 
Read       | 510.82 MB/s (127.7k) | 870.43 MB/s  (13.6k)
Write      | 512.17 MB/s (128.0k) | 875.01 MB/s  (13.6k)
Total      | 1.02 GB/s   (255.7k) | 1.74 GB/s    (27.2k)
           |                      |                     
Block Size | 512k          (IOPS) | 1m            (IOPS)
  ------   | ---            ----  | ----           ---- 
Read       | 595.93 MB/s   (1.1k) | 1.49 GB/s     (1.4k)
Write      | 627.60 MB/s   (1.2k) | 1.59 GB/s     (1.5k)
Total      | 1.22 GB/s     (2.3k) | 3.09 GB/s     (3.0k)

Hi @james I’m still managing this problem. There is a way to manage Haraka timeout to avoid this Connection timed out issue, eg. making longer timeout?

@girish Thanks a lot, this is a great great news!

@crazybrad Yes, plugin isolation is one of the most powerful things ... actually plugins access to all core functions of WP...

I didn’t see yet the Playground, but I would like to see if platform is lighter than WP.

@robi It seems that some parts are required, eg. Cloudflare Workers.

@crazybrad with pleasure. Let see if this can be self-hosted and implemented in Cloudron... but I don’t think so...

@james Yes, interesting concept of isolation but I think this is somethings that have to depend from Cloudflare services... cannot be, eg, self-hosted... or not?

EmDash is a full-stack TypeScript CMS based on Astro; the spiritual successor to WordPress

A full-stack TypeScript CMS built on Astro and Cloudflare. EmDash takes the ideas that made WordPress dominant -- extensibility, admin UX, a plugin ecosystem -- and rebuilds them on serverless, type-safe foundations. Plugins run in sandboxed Worker isolates, solving the fundamental security problem with WordPress's plugin architecture.

• https://blog.cloudflare.com/emdash-wordpress/
• https://github.com/emdash-cms/emdash

@robi Amazing!!!

Something like a “bridge” that every day take from the source and update Cloudron block list...

@robi Thanks a lot.

I found and applied specific rules in Wordpress .htaccess:

• 8G Firewall
• Ultimate Block List to Stop AI Bots

I think is a good start.

Both filters it seems working fine. Of course, it would better to manage and deploy centrally.

Thanks again for your advices Robi.

@riankellyit thanks a lot for your advices, I’ll go to try to better understand, but actually problem seems to be resolved, so as @nebulon, problem seems to be S3 side. Thanks again for your patience and efforts.

@robi Thanks for advice.

I don’t know where and if Wordfence has a public list, but I think that blocklists has a lot of data that can be huge to handle from CPU.

@jdaviescoates Thanks, it seems that they don’t block AI bots...

Hi all,

I’m on Cloudron 9.1.5, Ubuntu 24.04.4 LTS Linux 6.8.0-106-generic

Last day Exo scale service had problems.

Now service seems to work again, but I still have this error:

Backup endpoint is not active: Error listing objects. code: undefined message: HTTP: undefined

This is part of the log:

Apr 01 10:50:51 efined message: HTTP: undefined","reason":"External Error"},"percent":100}
Apr 01 10:50:51 tasks: updating task 17741 with: {"completed":true,"result":null,"error":{"message":"Backup endpoint is not active: Error listing objects. code: undefined message: HTTP: undefined","reason":"External Error"},"percent":100}

I rebooted Cloudron instance, I restarted box, I cleaned up backups (and it worked), but problem still there.

Last run date and time is updated, but backup it was not done.

I saw that @girish fixed a similar bug on 9.0 beta, maybe something similar need to be fixed?

Thanks a lot

@jdaviescoates @joseph Thanks, I wouldn't want to rely on outside services.

@fbartels Yes, Robots.txt, .htaccess, all good... but it could be great to manage rules in a central (and simple) way, special on Cloudron instances with multiple apps installed.

It seems to be little bit complicated for my skills. I had a look on this post.

Are you using Crowdsec?

@timconsidine Great, I’m glad that I’m not alone. I also saw your posts in this discussion related to specific problem of DDOS attacks.

I started to approach to this problem examining how VPS resources are “wasted” on daily bases when migrated from bare metal to VPS... In some peaks, I had a connection timeout on incoming 25 port, and then slowly I saw what was going on... most of accesses on that time they weren’t “human”...

Only recently I realized that about 20% of my Cloudron instances’ resources are being “given away” to various parties.

Once upon a time, only search engines accessed sitemaps, but now web-facing instances – like WordPress – are constantly bombarded.

At this point, I took action to block these requests, and where possible, I worked at the .htaccess level (again, WordPress).

Nevertheless, I realized that it might be better to take a centralized approach and have a single point of control.

I don’t want to be forced to use external applications (like Cloudflare).

How could this aspect be improved on Cloudron?

This consideration might also be useful for adding one or more feature requests to Cloudron, given how the web is evolving, to improve existing blocking features.

In the meantime, I had thought of using Fail2Ban and setting rules to read the various logs of specific installed apps, and from there, setting limitations.

I’ve already read about all limitations about Fail2Ban on Cloudron, but, for example, in WordPress, I would block all 404 requests originating from requests like xyz.php pages. Or I would block access from very aggressive bots like AhrefsBot, Semrush, MJ12bot, Sentibot.

I’d be interested in understanding how you block anomalous requests centrally (not on individual apps).

Thanks a lot for your patience.

@james Thanks a lot, I didn’t have any crash of Mail service and also RAM is ok. I’ll take a proper look to IOPS. Thanks for your advices.

Can heavy CPU usage during peak load times cause problems with email reception, to the point where emails are “not handled” because port 25 is unreachable from outside the network, bringing to “25: Connection timed out” and to Undelivered Mail Returned to Sender.

I'm asking this question because I've had a similar problem and I'd like to know how to mitigate it.

I've already limited maximum CPU usage to 80% of every single app hosted on Cloudron, but I'd like to understand how the overall load is being managed, to the point where 25 port stops responding.

No any log on Cloudron (Server, Mail) about ”not handled” email.

Edit: allocated Ram show that every app and service has enough Ram. My question also is: there is a way to assign maximum CPU usage to each service, to “keep alive” essential one?

Edit2: Peak was caused from an high number of web pages served and a lot of incoming email received in very short time, like a time frame of 10-15 minutes.

Thanks a lot