Cloudron keeps saying that my IP is in their database, but Spamhaus says it 'has no issues'.
The issue was noticed like a week ago and is still there.
Cloudron - both 8.2.3 and 8.2.4
How can I troubleshoot / collect more information?
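One way to collect more information on a listing like this, as an added example (not part of the original post and not Cloudron's code): query the blocklist directly and separate real listings from refusal codes. It assumes the list is Spamhaus ZEN (`zen.spamhaus.org`), which the post does not state; the function names are hypothetical.

```python
import ipaddress
import socket

# Assumption: the list in question is Spamhaus ZEN; the post does not name the zone.
ZONE = "zen.spamhaus.org"

def dnsbl_name(ip, zone=ZONE):
    """Query name = reversed octets (IPv4) or nibbles (IPv6) + '.' + zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{rev}.{zone}"

def classify(answer):
    """Interpret the A record a Spamhaus zone returned (None = NXDOMAIN)."""
    if answer is None:
        return "not-listed"
    octets = answer.split(".")
    if octets[:3] == ["127", "255", "255"]:
        # Spamhaus error codes, e.g. .254 = query came through a public/open
        # resolver, .255 = too many queries. These are NOT listings.
        return "query-refused"
    if octets[:3] == ["127", "0", "0"]:
        return "listed"
    return "unexpected"

def check(ip, resolve=socket.gethostbyname, zone=ZONE):
    """Look up one IP; `resolve` is injectable so the logic can be tested offline."""
    name = dnsbl_name(ip, zone)
    try:
        answer = resolve(name)
    except socket.gaierror:
        answer = None  # NXDOMAIN: the IP is not in the zone
    return {"query": name, "answer": answer, "verdict": classify(answer)}

if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(check(ip))
```

A `query-refused` verdict means Spamhaus rejected the resolver used for the lookup, so it says nothing about the IP itself.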
@girish could you please, also add e-mail configuration issue? That helps in the cases, when your server's IP ends up in Spam list, for some reason.
Fixed by removing IPv6 IP address from Hetzner completely and cleaning up old AAA entries from DNS - they seem to have confused Outlook servers.
Got the same issue again, with Outlook servers again. IPv6 is disabled on Cloudron settings and on OS level.
@necrevistonnezr my installation is quite old - that's correct. Thanks for checking in!
@girish , thank you for the doc's reference! Guess it might make sense to stress that during the installation, as well as an offer to increase KDF up to 2 mln (as per Bitwarden docs as well).
@scooke I have an idea, that people who will use Cloudron (and god forbid - understand how it works) and people who just need business services - it's a different set of people, buying different things.
It's one of the engineering's curses, I believe: you don't just buy shiny cool smartphone with AI on it, that you hope will make your life better - you buy A20 chip with 32Gb, Llama 3.1 and cool new OS shell with an API that was finally made available.
Cloudron's whitelabeling is for the latter (engineers) who sell it to the former (business users).
@scooke which means you won't be a customer. And since you are on that forum - it's just another confirmation.
Unless I'm stating I've built something on my own and instead, I just rewrapped Cloudron - it's bad, yes.
As long as I'm selling platform services, for example: "Potemkin & Co Services" - I'm perfectly fine.
And usually resellers pay a bit more for that: not too much, as the platform keeper holds the licenses and benefits from higher licenses use, but certainly higher than to the end users, as I'm selling something, that eases my work.
And yeah, when you access gmail, you are not accessing Linux+Kubernetes+Go/C/Python Engine with JS+Chrome/Firefox - you are just accessing / using e-mail.
@girish it's a pity.
When speaking about 'many' I guess, you would need to separate end users and VAS/resellers and few resellers are much more impactful than a few end-users, I think.
While Cloudron believes everything is Ok
I'm getting the following error when trying to send mail to Outlook:
Failure Reason: Error: Too many failures (Upstream error: 450 4.7.25 Service unavailable, sending IPv6 address [$MyIPv6Address] must have reverse DNS record (S820). [DU2PEPF00028CFF.eurprd03.prod.outlook.com 2025-01-14T10:52:08.920Z 08DD32C9AA1BC14F])
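The reverse DNS requirement in the error above can be checked before mail is sent. This is an added example, not part of the original post or of Cloudron: it goes one step beyond the error text by also confirming that the PTR name resolves back to the same address (forward-confirmed reverse DNS). The function names and the sample address are hypothetical.

```python
import ipaddress
import socket

def ptr_name(ip):
    """Name of the PTR record a receiving server looks up (ip6.arpa / in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns(ip, reverse=socket.gethostbyaddr, forward=socket.getaddrinfo):
    """Check that `ip` has a PTR record and that the PTR host resolves back to it.

    `reverse` and `forward` are injectable so the logic can be tested offline.
    """
    addr = ipaddress.ip_address(ip)
    result = {"ip": str(addr), "ptr_name": ptr_name(ip), "ptr": None, "verdict": "no-ptr"}
    try:
        host = reverse(str(addr))[0]
    except (socket.herror, socket.gaierror):
        return result  # this is the state the 450 4.7.25 (S820) error reports
    result["ptr"] = host
    try:
        infos = forward(host, None)
    except socket.gaierror:
        infos = []
    # sockaddr[0] is the address string; drop any IPv6 zone suffix (%eth0)
    resolved = {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}
    result["verdict"] = "ok" if addr in resolved else "ptr-mismatch"
    return result

if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        print(fcrdns(ip))
```

Run it against every address the mail server can send from, including any IPv6 address still assigned to the host.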
Any chance to remove Cloudron in the parts where it won't be whitelabeled?
For anyone following that in the future - that is the post.
@girish , thanks, got it! Hope that will be a smooth update!
here is an official doc, just in case: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
One more thing:
You are using a plain text ADMIN_TOKEN which is insecure.
Please generate a secure Argon2 PHC string by using vaultwarden hash or argon2.
Admin token - which enables full access - is indeed stored plain text and accessible for cloudron admin.
@jdaviescoates it was not in case of my server setup, and I didn't touch a thing since it was installed!
Vaultwarden is installed by default with non-secure kdf iterations settings - would you please, set it up to 600.000 as a minimum please? Ideally - have it set up till 2.000.000
There is currently no way to figure out an exact timestamp of the event - only a date.
Would you please, add / show time as well?
@potemkin_ai said in Dump user's password to try to crack them:
@nebulon Thank you! Would you mind helping with selecting proper resulting encryption, please?
It's something on that page: https://hashcat.net/wiki/doku.php?id=example_hashes and I thought it shall be 7300, but it isn't...
P.S. Yeah, forcing some password complexity would be nice!
@nebulon , @girish , (or anyone else, actually) I offload the task from my radars for now, but as soon as you want me to run a brute-force attack of the algorithms you've chosen using modern GPU HW, please, let me know the function from hashcat to run.
For my or any other reference, here are the steps to do:
mysql -uroot -ppassword box -e "select username,password,salt from users;" > users.list # note salt field - it's a must
Use hashcat -m $mode $password:$salt then to try if it will be accepted.
$mode to be taken from example hashes table above, better also verify it with hashcat -m $mode --example-hash - the latter will show the hash structure expected by hashcat.
Once appropriate mode found (hashcat starts checking the hashes) - this could be offloaded to GPU for a much faster checks and verification against various dictionaries, etc.
I had to do some other password recovery task now and I was unpleasantly surprised with the speed of the brute force efficiency (with john just on modern CPU).
Shall my time permit, I will return here some time in the future; otherwise would be glad to pick up this task once Cloudron's resulting hash will be matched with hashcat's one (or a new mode created).
Length > Complexity. Always.
Yeah, that helps for the password to appear on monitors as a 3M sticks