More power to Mail-in-a-box (fork showcase)

I have come across Mail-in-a-Box for a while now, since I have got ahold of two domain names (I don’t want to stick to my @gmail.com forever, plus it’s very awkward to spell davness to a bank clerk or anything similar).

But as a developer, I don’t want to just host mail. Sure, other solutions exist, but MIAB is by far the easiest to get going.

Of course, though, as someone who wants the most power per buck (or we can say, the most bang per VM as per the Clown Computing Initiative), I want to host a website, and a private link shortener, too.

MIAB in its vanilla form doesn’t allow me such a thing, so I have decided to fork and tune the Mail-in-a-Box project to my needs… yielding very positive results so far.

Here’s what I could do until now:

It supports Ubuntu LTS 20.04 and Debian 10

Why? Because I’m a madman. If I am going to work on this, then it’s not a bad idea to use up-to-date software. So I made it work with Ubuntu 20.04, too.

And because I am a madman, Debian gets support too. Because why not?

Support for Ubuntu 18.04 LTS was dropped.

Some love to the admin panel

Not that I actually meant to do a facelift to the admin panel, but it’s never a bad idea to update Bootstrap and jQuery (they were a major version behind) that it used. jQuery was fortunately a drop-in replacement. Bootstrap, not so much - it required some work to restore some of the functionalities.

However, after some polishing, I can argue that the admin panel now looks gorgeous :heart_eyes:

Pictures (hidden to reduce bloat)


Port 25 blocked? No problem (I guess)

As you know, there are providers that block port 25 outbound (for example, Microsoft Azure and recently, Digital Ocean). If you happen to get across one of those, don’t think about switching cloud providers just yet!

There are third-party services like Sendgrid that you can use to actually deliver your mail. You could already do this on vanilla MIAB using a manual configuration, but I guess I’d make the process slightly easier by creating a menu for it in the admin panel:

Hidden to reduce bloat

Under the hood, it roughly just adjusts the postfix settings so that all mail is sent via the relay. I’m not entirely sure it works 100% correctly!

Dot-nginx.conf files

To the people who want to run their PHP-based websites (or anything more complicated, really), they’ll find out that Mail-in-a-Box will outright refuse to cooperate: Even if you change the local.conf nginx file, it’s just a matter of time until the MiaB daemon reverses these changes. Here’s a solution for this issue:

On the non-default web folders (/home/user-data/www/some.domain.tld), there will be an .nginx.conf file, that you can change freely (This doesn’t apply to domains under default). When the daemon updates, it uses that file to build the final local.conf file.

If you wish to revert the file to its “original” status, delete it and do a web-update on the admin panel: It will be regenerated.

Use cases for this feature? Infinite!

Disclaimer: /home/user-data/www/default ignores this feature.

Other goodies (and planned ideas)

  • Nextcloud has been updated to the latest available/stable version (19.0.0)

Ideas on the table

  • Making it easier to implement TSIG AXFR transfers;
  • Encrypt backups with a public PGP key provided by you;
  • Expand DNS customization (more record types, etc.);
  • Further webmail customization on the admin panel (Quotas, attachment limits, etc.)

Can I use it?

It’s free software, so yes! :smiley: I am using it on my own box (currently testing stability, and it’s going great). However, if you prefer the maximum stability/support possible, maybe it’s best to stick to the vanilla Mail-in-a-Box (because there is more support and fewer things to break). Though, if it breaks, you get to keep the pieces! :stuck_out_tongue:

If you have any other weird ideas that you think are kind of out-of-scope of the mainline MiaB project, hit me up!

10 Likes

Just for hosting a website with scripts, there is a possibility to include a nginx.conf file for every domain.

I’ve a few (2) WordPress sites running.

1 Like

I am very new to miab and am happy with it so far.

Congrats on some interesting changes and definitely some that are of great interest to me.

Some of the things like upgrades to existing libraries etc, can’t help but feel that would be better incorporated into this project, to stay up with security patches etc?

NC 19 and allowing the roundcube 2FA plugin would be great, but I was rather hoping 2FA would get incorporated in miab at some stage.

Giving it a try in a local vm at the moment…thanks

3 Likes

This is an interesting fork, @davness - thanks. Particularly since you’ve built it around the latest release of NextCloud - something my wife and I have grown particularly fond and reliant on. We have a lot of NextCloud apps installed & use NextCloud to backup photos/videos on our phone, rather than some 3rd party provider. I also make heavy use of OnlyOffice (and draw.io) now and have canceled my Microsoft Office subscriptions shortly after setting that all up a couple of years ago. But it’s always bugged me that MiaB runs so far behind the latest NextCloud releases. For us, if we’re going to host our own Email and DNS - why not host everything one can? And we’ve been living that philosophy for many years now.

After the last major upgrade to Ubuntu 18, I took the decision to migrate my data files to a separate vDisk to make future OS migrations “easier”. I host my own XCP-NG clown-computing stack (hehe) on a NUC and use backup & snapshot facilities included in XCP-NG, so using MiaB’s backup feature has no use for me (so it’s disabled). The data vDisk mounts at /home/user-data, so it facilitates easy OS upgrades without having to copy or backup massive data-sets inside the OS.

Currently, our MiAB OS vDisk is pretty bog-standard except for some fine tuning performance tweaks I had to make, but our Data vDisk is about 250GB. My wife’s and my email files are around 28 GB in total. (I’ve been running my own email servers from home since about 1997.)

Which leads me to my next question… have you changed anything that would affect / negatively impact the ability to migrate back and forth between MiaB and PowerMiaB, if I wanted to take it for a test drive?

Kudos on the move to support Debian 10; most of the other VM’s on my box are Debian already.

As for weird ideas that I’d be interested in seeing: I’ve always wondered why Josh didn’t just use one of the NextCloud email client apps or make his own NextCloud MiaB Mail client App instead? If one looks at the description on NextCloud of the “Mail” app, they seem to give him a very nice shout-out " We don’t have to reimplement this as you could set up Mail-in-a-Box!" - so I naturally wondered about mutual cooperation between both projects to facilitate this? (I also admit, there’s more to this than I currently know, I’m sure.)

For the sake of security, I think there’s no need to expose the Admin login page to anyone who doesn’t need it. After every upgrade, I find myself having to check to see if my restrictions to the admin panel in Nginx have been changed. During the install process, I’ve always thought it would be nice to have the installer ask if this should be restricted to an IP range, and what are those ranges? If not provided, then it defaults to being reachable by all. Even for those who host at DO or somewhere else, they could restrict admin access to say just their home, work and GSM IP ranges, and reduce potential attack surface a bit. (I’m the guy that reported a PHP vulnerability last year to Josh which resulted in him shutting down access to upgrades for a few days while he rushed to fix it, and suggested to others, to restrict web access if they could, until an update could be rolled out.)

Also from a security perspective, I think it still offers some value to reduce / eliminate product and version banners and indicators. Once someone’s logged in, fine, show all the branding you want. It would be nice if (Power)MiaB didn’t overwrite someone’s custom postfix greeting banner and the same on the login pages. It would be even more convenient if people were given a “stealth mode” option that would even enable this feature, and give them an option to define what they want (i.e.- “IBM AS/400 Sendmail”, “Welcome to PowerMail on Plan-9 OS”, “WebStar v3 HTTP/S on Macintosh System 7.5”, etc. - or - “I’m sorry Davness, I can not do that.”)

I’ll be following your fork closely, and look forward to seeing it develop.
\o/ Yay OpenSource! :slight_smile:

1 Like

Hello everyone, I have been somewhat busy lately so it took a while to come back here and compose an answer. Anyway :smiley:

*Takes a second look at the web_update.py*

Ah crap, guess I kinda committed some kind of effort duplication. But apparently those customizations offered in the vanilla MiaB cannot override some of the default settings applied (for example, the /mail endpoint - sometimes there’s a legitimate interest in hiding those pages on some domains hosted on your box) - please correct me if I’m wrong!

There’s already a PR for NC18 for more than 6 months and it was kind of put off. It wasn’t actually my intention to actually update them in the first place, but NC17 didn’t work with PHP 7.4 (packaged in Ubuntu LTS 20.04), so I had to update.

About introducing 2FA, I’m still not dead-set on going forward - this is because the most widely used plugin for 2FA on Roundcube, alexandregz/twofactor_gauthenticator, seems to be completely unaware of versioning, so that we’re forced to use master, and it doesn’t look to integrate very well with Roundcube’s default theme - see this issue.

Thanks for using it! Then tell me how it went! :smiley:

So for like at least 4 years before I was born. Guess I’m a youngling in this community :sweat_smile:

MiaB and PowerMiaB support different distros (MiaB supports Ubuntu 18.04, PowerMiaB supports Ubuntu 20.04 + Debian 10), so if you wanted to switch you would at least need to reinstall the operating system/deploy another VM/whatever fits best for you. I don’t think I have pulled anything out of the /home/user-data folder, but I don’t have the resources to test a MiaB → PowerMiaB migration (it’s definitely harder than a simple MiaB upgrade) - so I am curious to know, too. Of course, standard disclaimer to do backups!

Glad it was of use! ^-^

From what I can see, the “Mail” app is basically an IMAP app, so you can choose either to use it, use something else (like Outlook) or not use it at all (stick with Roundcube) ¯\_(ツ)_/¯

Sounds like a cool idea - I’m also not very fond of the admin page potentially being accessed by everyone by just typing /admin in front of the domain. However, I prefer this setting to be done on the admin panel itself - It becomes easier to adjust these settings if, for example, you move out to another city, etc. How does that sound?

I guess this is doable. Again, something that the admin panel could handle. I was thinking of more horrendous names like “Fear me, I mix spaces and tabs”, though :joy:

1 Like
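The IP restriction for the admin panel discussed in the posts above, sketched as an added example; it is not code from Mail-in-a-Box or from the fork. All function names are hypothetical, the address ranges are constructed documentation ranges, and it assumes the panel sits behind a local reverse proxy that appends the client address to X-Forwarded-For.

```python
import ipaddress

def parse_ranges(entries):
    """Parse CIDR strings. A bad entry (typo, host bits set) raises ValueError
    instead of being skipped, so a mistake cannot silently change who gets in."""
    return [ipaddress.ip_network(e.strip()) for e in entries if e.strip()]

def normalise(addr):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4,
    so a dual-stack listener cannot be used to sidestep an IPv4 range."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def in_any(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

def effective_client(peer_addr, forwarded_for, trusted_proxies):
    """Choose the address to test. X-Forwarded-For is believed only when the
    TCP peer is a trusted proxy, and then only its right-most entry (the one
    that proxy appended); anything to the left is client-supplied."""
    peer = normalise(peer_addr)
    if forwarded_for and in_any(peer, trusted_proxies):
        return normalise(forwarded_for.split(",")[-1])
    return peer

def admin_allowed(peer_addr, forwarded_for, allowlist, trusted_proxies):
    """Empty allowlist: reachable by all (the default suggested in the thread).
    Otherwise fail closed: an unparsable address is denied."""
    if not allowlist:
        return True
    try:
        client = effective_client(peer_addr, forwarded_for, trusted_proxies)
    except ValueError:
        return False
    return in_any(client, allowlist)

# Constructed sample configuration (documentation address ranges).
ALLOW = parse_ranges(["198.51.100.0/24", "2001:db8:1::/48"])
PROXIES = parse_ranges(["127.0.0.1/32", "::1/128"])

if __name__ == "__main__":
    # (peer, X-Forwarded-For) pairs, constructed for the demo.
    for peer, xff in [("127.0.0.1", "198.51.100.23"),
                      ("203.0.113.9", "198.51.100.23"),
                      ("127.0.0.1", "198.51.100.23, 203.0.113.9")]:
        print(peer, xff, admin_allowed(peer, xff, ALLOW, PROXIES))
```

The second sample pair is the case that matters most: a direct connection carrying a forged header is judged by its real peer address and denied.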

Update Notice

In the very-remote case anyone is using this (according to Shodan/Censys, at least one person besides me), and also following this thread: I have pushed a somewhat critical update, please update as soon as you can.

v0.46.POWER.4

  • Process pools at status_checks.py will now be properly terminated. Up to this point, they were not. The symptoms included that daily_tasks.sh wouldn’t actually finish because the kernel would wait until all the child processes were terminated. Another, much more serious side effect was that those processes would pile up over the days, causing a memory leak. The same patch has been submitted to the mainline MIAB.
  • I have done some code cleanup - now we no longer change files within the mailinabox bootstrap folder, which could cause issues with future updates;
  • I have added a feature that allows you to forcefully initiate backups from the admin panel (if they are enabled). This was already ready in the development branch before the other issues were noticed and as such was included in this update.

Update instructions

It’s a good idea to reboot the machine after the update, to clean up said unclean processes that may eventually have piled up.

# Discard all changes made on setup
sudo su
# If you manually cloned the repository, use that instead
cd /root/mailinabox && git reset --hard
exit

# Do the update normally
curl -L "https://dvn.pt/powermiab" | sudo bash
# Just to clean dirty, unfinished cron jobs, reboot.
sudo reboot

4 Likes
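The process-pool problem described in the v0.46.POWER.4 notes, reproduced as an added example; this is not the code of status_checks.py or the submitted patch. The check function, domain names and helper names are constructed, and it assumes a POSIX host and repeated runs inside one long-lived process.

```python
import multiprocessing

# Assumption: POSIX host (the fork targets Ubuntu/Debian), so the "fork"
# start method is available and the demo needs no __main__ guard to import.
CTX = multiprocessing.get_context("fork")

# Constructed sample input; real status checks probe DNS, TLS and services.
DOMAINS = ["box.example.com", "www.example.com", "mail.example.net"]

def check_domain(domain):
    """Hypothetical stand-in for one status check."""
    return (domain, "ok")

def live_workers():
    """Number of child processes of this process that are still alive."""
    return len(multiprocessing.active_children())

def run_checks_leaky(domains):
    """'Before' shape: the pool is used but never closed or terminated.
    The pool is returned only so this demo can reap it afterwards."""
    pool = CTX.Pool(processes=2)
    return pool.map(check_domain, domains), pool

def run_checks_clean(domains):
    """'After' shape: leaving the with-block calls pool.terminate(), and
    join() waits until the worker processes have really exited."""
    with CTX.Pool(processes=2) as pool:
        results = pool.map(check_domain, domains)
    pool.join()
    return results

def workers_left_after(runs, leaky):
    """Simulate `runs` scheduled status checks and report how many worker
    processes are still alive once the last one has returned."""
    held = []
    for _ in range(runs):
        if leaky:
            held.append(run_checks_leaky(DOMAINS)[1])
        else:
            run_checks_clean(DOMAINS)
    left = live_workers()
    for pool in held:  # clean up the demo's own leak
        pool.terminate()
        pool.join()
    return left

if __name__ == "__main__":
    print("leaky, 3 runs:", workers_left_after(3, leaky=True))
    print("clean, 3 runs:", workers_left_after(3, leaky=False))
```

Each leaky run leaves its two idle workers behind, so the count grows with every run, while the clean variant returns to zero each time.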

I’m not using it but I do appreciate the fact that when you identified an error you updated it and came back to post it in this thread!

1 Like

Hello everyone, another small but still important update. (Not as critical as the other one, but fixes some important stuff)

v0.46.POWER.5

  • Setup script will now work on Ubuntu point releases (for example, Ubuntu 20.04.1 LTS);
  • Because dnspython released a new major version, we were now using a deprecated function resolver.query(). This produced some unnecessary warnings, and as such this release also updates the deprecated function with the new alternative (resolver.resolve())

Release Notes

That’s all - if anything is broken, please tell me ASAP. Thank you!

1 Like

Hello everyone, it’s been a while since the latest version has been out (Imported security fixes from v0.47) - and here’s what’s in the roadmap for now:

  • Currently, backups are encrypted with a symmetric key that is in the machine itself (aka, the key to encrypt and the key to decrypt are the same). The plan is to give you guys the option to provide your public PGP key and use that key to encrypt the backups.
    • There might be more uses for PGP keys and so uploading them will be done in a separate page on the admin panel.
  • User self-service page and 2FA: This one is slightly trickier as apparently IMAP doesn’t support 2FA :pensive: - anyway. This self-service page is a minimal version of the admin panel where you can:
    • Change your password; manage 2FA;
    • View aliases;
    • Manage IMAP “authorization” passwords (more on this later);
    • Other stuff that might pop up later;
  • System-wide privacy settings, in particular:
    • SMTP banners
    • IP restrictions for the admin panel (only these IPs will be able to access the page)

If any of you have any suggestions, concerns or anything else, hit me up or file an issue on GitHub’s issue tracker. Thank you!

Edit: Here’s an in-progress mockup of the PGP Keyring management panel:

3 Likes

I think MIB should also support Debian 10 natively and some options while installing like what not to install -Nextcloud, custom login page for admin and webmail.

I got you covered on this one, it’s in big bold letters:

I can’t say the same about mainline MIAB, though - and I doubt that Debian will have support from them anytime soon.

I want to do this but I’m holding a little bit back here because a pull request exactly for that is open at the moment (#1646), and I’m not very fond of doing something only to some time later a PR this big appears into master (and I somehow have to merge it into my fork) so uh… @JoshData what can we expect about this?

I can look into this but not a priority.

Also, so that we’re on the same page - these changes do not carry to the vanilla Mail-in-a-Box (because for many, they’re not that needed). They only apply to my fork :eyes:

1 Like

By custom login page I meant custom url for login and webmail. To reduce brute force attempts.

I wondered if it was possible to allow only one email address to send via your new smtp proxy config?

I’d like one address to send via sendmail and the rest via miab-power directly?

cheers

I’m not sure I understand what you mean:

The SMTP relay configuration is meant for when for some reason you cannot use the box directly (either because port 25 is blocked or you were unlucky enough to be on Spamhaus).

These settings are applied to Postfix directly - I don’t think we can make the box deliver mail differently according to what email you’re sending from. Or at least I imagine it’d be hard to configure Postfix’s behavior with such granularity.

But I’m still curious - what’s your use case for that?

I would love to see setting custom login for admin and webmail
Admin Example: domain.com/vcgvm9cm684n14x98mzqgtub099tfiym

I can look at that, though I have a similar feature in the backlog to restrict admin access to certain IP’s.

I was reading this blog post -> https://www.linuxbabe.com/mail-server/microsoft-outlook-ip-blacklist and realised that being able to configure which address used which SMTP Relay could be a really useful feature and one that might not mean many changes here, as I would imagine you are already modifying the postfix configs already?

OH, I see. You mean "we’ll use this third party relay service if and only if we’re sending to emails ending in @some.domain.com". Seems like a good idea if you want to keep the service usage as low as possible.

I’ll take a look and eventually place it on the roadmap. However, feel free to send a PR if you feel like it, as I’m also busy with other features :eyes:

1 Like

I don’t have a mail server yet but I’ll definitely go with your solution. Default mib is not customizable, kinda like apple, controlled software. Cannot choose what not to install (NextCloud / ActiveSync), don’t need both of these. No way to define custom admin and webmail directory for security purposes.

1 Like

Since the MIAB is running on more and more instances (according to this post Someone here using this service to spam scam victims!), would it make sense to incorporate either this one: Honeypot as a Service (HaaS) https://haas.nic.cz/ or similar project into the PowerMIAB?