More power to Mail-in-a-box (fork showcase)

Working well on Debian 10, but after having updated to Debian 11 I am getting a python module error that I have failed to resolve after a few hours googling :-/

Wondered if you had any possible reasons for the failure?

Thanks

FAILED: /usr/local/lib/mailinabox/env/bin/pip install --upgrade pip

Fatal Python error: initfsencoding: Unable to get the locale encoding
ModuleNotFoundError: No module named 'encodings'

I’ve released a patch for that bug, see Python error and issue after updating to Bullseye · Issue #42 · ddavness/power-mailinabox · GitHub and Release v56.1 · ddavness/power-mailinabox · GitHub

2 Likes

Nice! It has some features that I’m dying for… I already have a MIAB instance running. Can I use the same one or is this for brand-new installation only?

I think someone was able to create a backup, move it to a new box where Power Mail-in-a-Box is supported (Debian 10, Debian 11 or Ubuntu 20.04), unpack said backup and run the Power MIAB installation script there (makes sense given most of this fork should be forward-compatible with MIAB). This said, it’s not something that I can personally guarantee to work.

However it’s something I can look into when MIAB finally moves to 22.04, so that folks wanting to cross over can perform an in-place “sideways upgrade”.

Hi David,

Firstly thanks for the fork, I have been looking for a solution to configure MIAB to relay outbound emails via 3rd party service due to port 25 being blocked on pretty much all major cloud service providers.

Now, I have installed your Power-MIAB on a vm on GCP and attempting to configure email relay via Sendinblue. There are some issues I came across that prevented me from completing the relay configuration, I wonder if you could shed some light on them.

  1. Sendinblue requires setting DKIM record mail._domainkey.example.com to the value they specified. I cannot however do it because MIAB has already set up this specific record. When I attempted to set the mail._domainkey.example.com in “SMTP relays” page, I got an error message that “mail._domainkey.example.com” already exists and cannot be modified.

  2. Sendinblue requires setting DMARC record _dmarc.example.domain to a specific value. Your “SMTP relays” web page doesn’t provide any means to configure it. And again MIAB has already configured its own DMARC record which I suspect again won’t let me change.

In short, Sendinblue requires configuring DKIM, SPF, DMARC and one additional TXT records as per “Customise your DKIM signature”. Your “SMTP relays” web page only allows configuring SPF and DKIM, missing the DMARC. Plus it appears that user cannot change what MIAB has already configured, specifically the DKIM record mail._domainkey.example.com and DMARC record _dmarc.example.com.

Any thoughts?

Update after I changed 3rd party SMTP relay service from Sendinblue to Mailjet

I signed up with Mailjet for testing purpose, also because they allow 200 emails per day on free plan, same amount as Sendinblue.

Funny enough, Mailjet only requires two DNS records to be set, the SPF TXT record and DKIM record. More importantly Mailjet don’t insist on creating the mail._domainkey.example.com DKIM record, instead they require mailjet._domainkey.example.com DKIM record, which doesn’t clash with what MIAB has already put in place. Therefore I was able to configure the DKIM record correctly.

Configuring the SPF record however wasn’t as smooth. David, your “SMTP relays” web page doesn’t allow me to manipulate the SPF TXT record myself, rather it asks me what sender’s domain should be included, then I guess you have a script behind the scenes to configure the SPF record based on the input. This didn’t work well for me. Specifically I needed the SPF record to be:

v=spf1 include:spf.mailjet.com mx a:spf.mailjet.com -all

What I could do on the “SMTP relays” web page was to enter “spf.mailjet.com” into the section named “Add your SPF configuration/authorized servers here”, then your script will set up the SPF record as:

v=spf1 mx a:spf.mailjet.com -all

I tried many times and could never get it to put the “include:spf.mailjet.com” part into the SPF record.

At the end I had to create a custom DNS record that matches what was required by Mailjet, and it has started working since.

end of update

Regards.
Johnmen

1 Like
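
The mismatch described in the post above can be checked mechanically by comparing the provider's required SPF record with the one actually published. This is an added example, not part of the original thread and not Power Mail-in-a-Box code; the function names are hypothetical and the two records are the ones quoted in the post.

```python
import re

# SPF mechanisms from RFC 7208, each with an optional ":arg" or "/cidr" suffix.
_MECHANISM = re.compile(
    r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists)((?::|/).*)?$", re.I)

# Records quoted in the post above.
REQUIRED = "v=spf1 include:spf.mailjet.com mx a:spf.mailjet.com -all"
GENERATED = "v=spf1 mx a:spf.mailjet.com -all"


def parse_spf(record):
    """Split an SPF TXT value into (qualifier, name, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        match = _MECHANISM.match(term)
        if match:
            qualifier, name, arg = match.groups()
            # An omitted qualifier means "+" (pass).
            parsed.append((qualifier or "+", name.lower(), (arg or "").lower()))
        elif "=" in term:
            # Modifiers such as redirect= are compared as whole strings.
            parsed.append(("", "modifier", term.lower()))
        else:
            raise ValueError("unknown SPF term: %r" % term)
    return parsed


def format_term(term):
    """Render a parsed term back into SPF syntax."""
    qualifier, name, arg = term
    if name == "modifier":
        return arg
    return ("" if qualifier == "+" else qualifier) + name + arg


def missing_terms(required, published):
    """Terms of the provider's record that the published record lacks."""
    have = set(parse_spf(published))
    return [format_term(t) for t in parse_spf(required) if t not in have]


if __name__ == "__main__":
    print(missing_terms(REQUIRED, GENERATED))
```
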

Hi - there’s a way to actually change the mail DKIM selector to something else, as I figured out something like that would happen. Unfortunately, I didn’t document it as I wanted to include such setting in the admin panel in some shape or form. For now though, that hasn’t materialized yet.

However, the most user-friendly way to do this is to make MIAB “get out of the way” and change its own DKIM selector should a conflict happen. Since it causes issues, I’ll treat this as a bug and will be working on a release fix.

For DMARC, most providers will accept whatever you have there as long as it’s reasonable (which in the case of MIAB, it is) - that’s why I didn’t put a configuration part on the form; but should you need to add the record manually, you can just use the Custom DNS page for it - MIAB will actually honor your custom DMARC record and “overwrite” the old one.

For SPF, I modified the syntax to make it a bit easier for non-technical folks to understand (and do the conversion server-side to the actual syntax).
Buuuuuuuuut you’re right that the form should also understand when the actual record is just pasted in and take it at face value. Same thing, I’ll take that as a bug and work on the respective fix.

Thanks for giving a shot!

v56.2 (Full Release Notes)

Some patches, some bug-fixing, not really much new to the table.

Notably, I’ve made some changes to the SMTP Relays feature to improve UX in relation to the feedback of the latest comment:

  • The form now allows you to paste an entire SPF record if the provider gave you one, and the box will not change it;
  • You can now use mail as a DKIM selector, the box will just change its own DKIM selector to something else - I’ve picked mailorigin as the fallback selector. If you stop using the relay or no longer use the mail selector, the box will take it back.

Other goodies:

  • Some setup fixes;
  • I’ve updated the TLS configuration for Postfix, it should be slightly more secure now;
  • Nextcloud plugins have been updated;

With any luck, you’ll feel the improvement, so go ahead and give it a try!
And you know who to complain to if stuff breaks - totally not me!!!

1 Like

Hi all - wanted to give you an update on how things are sailing so far.

Some research, and wanted to know your opinion

Lastly, I am planning to do some major architectural changes to the architecture of Power Mail-in-a-Box. Essentially, I’m looking at the possibility of splitting the components into plugins, in practice making them optional to install. You can read more about it here. Feel free to comment what you think about it there.

Big updates incoming

Currently I’m doing some epic housekeeping on the admin panel - Bootstrap (the CSS library powering the admin panel) has released its newest major version (v5.x.x) a couple of months ago, and I’ve migrated the entire frontend to that new library version.

Among a lot of goodies, I’ve reimplemented dark mode from scratch. I reckon the navigation within the admin panel should be more friendly, both on desktop but especially on mobile devices. Admin panel refactoring by ddavness · Pull Request #41 · ddavness/power-mailinabox · GitHub

Currently I am working on doing a deeper refactoring on the admin panel itself so that both the API interface, the front-end code and the backend code are consistent across the entire codebase. Think about this as laying foundations to make future work on the project easier. Admin panel refactoring: Electric Boogaloo by ddavness · Pull Request #43 · ddavness/power-mailinabox · GitHub

Heads-up: There will be breaking changes on the API interface. This should only affect you if you’ve written scripts that interface with the API itself. I’ll document these later.

I foresee these updates to arrive within a month or two.

2 Likes

Also commented on Github, but I love the idea of a core and then a set of core-maintained extensions, so that unused components are not installed/running

1 Like

v56.3 (Full Release Notes)

As the release of Ubuntu 22.04 creeps in, this release brings some stuff I’ve been working on for a while. Not much in quantity, but a lot of effort, love and care.

A new dawn for the control panel

Reviewed and taken care of from top to bottom. The new control panel feels different. Different, but still familiar.

A consistent look

Everything feels less crammed, and there’s more space to breathe.

Eye Candy

Dark mode is back, better than ever

No more burning the eyes! :fire:

Designed from the ground up, everything has been reviewed so that it’s just as nice to use. You also get the ability to switch from light theme to dark, and vice-versa, to your heart’s content!

More eye Candy

Up to date!

Of course, some plugins and software were updated, but the highlight here goes to NextCloud, as we jump from version 20.0.14 (in fact, NC 20 is actually no longer supported!) all the way to the latest version - 23.0.3!

Going out with a bang! :boom:

This is (probably) the last release that will be supporting Debian 10 (buster). This is because:

  • Ubuntu 22.04 ships with PHP 8.1.
  • There are no releases of NextCloud supporting PHP 8.1 yet…
  • But NextCloud 24 (to be released at the end of April) will support PHP 8.1
  • But it will require at least PHP 7.4 - and Debian 10 comes with PHP 7.3.

As the first release supporting Ubuntu 22.04 will need to ship with NextCloud 24, it cannot support Debian 10.

If your Power Mail-in-a-Box is running Debian 10 (buster), you can perform an in-place upgrade to Debian 11 (bullseye):

  1. Make a backup and make sure you have access to it outside the box - just in case something goes wrong in the process;
  2. Edit /etc/apt/sources.list with your favorite editor (You’ll need to use sudo):
    2.1. There should be multiple lines looking like this. Where you find buster, replace with bullseye:

        # /etc/apt/sources.list (old)
        deb https://example.com/debian buster main
        deb https://example.com/debian buster-updates main

        # /etc/apt/sources.list (new)
        deb https://example.com/debian bullseye main
        deb https://example.com/debian bullseye-updates main

  3. Update the packages list. It will probably tell you that there are a lot of packages needing upgrading:

        sudo apt update

  4. Perform the upgrade, then reboot:

        sudo apt upgrade --without-new-pkgs # Optional, but Debian maintainers recommend it
        sudo apt full-upgrade
        sudo reboot

  5. Re-run the setup:

        curl -L https://power-mailinabox.net/setup.sh | sudo bash

2 Likes
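
Step 2 of the upgrade above, as an added dry-run helper that works on the file's text before anything is written (not part of the original post or of the fork's code; the function names are hypothetical and the sample file is constructed). It goes beyond the two lines shown in the post by also handling the security suite, which Debian 11 renamed from buster/updates to bullseye-security, so a plain find-and-replace would leave an invalid entry.

```python
import re

# One-line APT entry: type, optional [options], URI, suite, components.
_ENTRY = re.compile(r"^(\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?\S+\s+)(\S+)(.*)$")

# Constructed sample; example.com stands in for the real mirrors.
SAMPLE = """\
# /etc/apt/sources.list (constructed sample)
deb https://example.com/debian buster main
deb https://example.com/debian buster-updates main
deb https://example.com/debian-security buster/updates main
# deb https://example.com/debian buster-backports main
"""


def to_bullseye(sources_text):
    """Return (new_text, changed_line_numbers) for a buster sources.list."""
    out, changed = [], []
    for number, line in enumerate(sources_text.splitlines(), start=1):
        entry = _ENTRY.match(line)  # commented-out lines never match
        if entry:
            suite = entry.group(2)
            if suite == "buster/updates":
                # Debian 11 renamed the security suite.
                new_suite = "bullseye-security"
            elif suite == "buster" or suite.startswith("buster-"):
                new_suite = "bullseye" + suite[len("buster"):]
            else:
                new_suite = suite
            if new_suite != suite:
                line = entry.group(1) + new_suite + entry.group(3)
                changed.append(number)
        out.append(line)
    return "\n".join(out) + "\n", changed


def leftover_buster(sources_text):
    """Active entries whose suite still names buster."""
    found = []
    for line in sources_text.splitlines():
        entry = _ENTRY.match(line)
        if entry and entry.group(2).startswith("buster"):
            found.append(line)
    return found


if __name__ == "__main__":
    new_text, changed = to_bullseye(SAMPLE)
    print(new_text, changed, leftover_buster(new_text))
```
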

Just trying this out. Wanted to say thanks for all the efforts!

However I tried it on a Debian 11 container and it rapidly became apparent that it’s not currently suited for it. There are things attempted that require server access:
swap space, ntpd and haveged I noticed in the system setup script.
The specific error I ran into was it couldn’t start the named systemd resolver daemon seemingly because it didn’t have permission to do an ntpd time sync

@davness If I were to spend some time trying to get it to work, do you want to support an ‘install to unprivileged container’ option? There is a chance it will be taken up by TurnKey Linux as an appliance. Then it really will be mail in a box (container)!

It is tough because Mail-in-a-Box was not exactly made with containerization in mind (and neither is the fork). The main weakness here is that the MiaB setup scripts have business to do in the kernel-space so that they can ensure the box runs properly:

  • Swap allocation only happens if you have ~1.855GB of RAM or less; therefore allocating at least 2GB to the container will skip this step entirely;
  • NTP is important because the box wants to ensure that the clock is synchronized properly - otherwise TLS certificates may break unexpectedly;
  • haveged used to be a tool used to make sure the RNG (/dev/urandom) on the machine is “random” enough to make cryptographic keys secure enough; this is important because some virtualized environments may not have enough entropy. However later versions of the Linux kernel already do this, and therefore it’s no longer needed - this tool will be removed starting the first version supported by Ubuntu 22.04.

Therefore - swap can solve itself if you allocate enough memory to it; haveged will be removed soon, but we still have ntp to deal with.

I’ve already started a new branch which separates these things off and asks for the platform type. Seems to work but needs more testing. I’ll submit a PR once I’m done.

1 Like

v56.5 (Full Release Notes)

Ok, in the end I guess I lied about v56.3 being the last release supporting Debian 10. This is mostly a maintenance release - a couple bug fixes and some software updates:

  • Fixed the tools/owncloud-unlockadmin.sh script so that it… actually works;
  • Fixed some stuff on the setup process so that Nextcloud doesn’t complain about not being able to write files - also you’ll be able to install this fork on a machine without a SSH server (who needs remote access anyway?);
  • Updated Nextcloud to version 23.0.5;

That’s all for now - Ubuntu 22.04 support is relying right now on Roundcube 1.6 being released and a Z-Push version to be out (both codebases are being updated to be able to run on PHP 8.1).

That’s all for now :slight_smile:

3 Likes

So I’m almost there, but I’m getting this error because of HSTS and the initial self-signed certificate.
Is there a way to kick off letsencrypt to issue the MIAB certificate as part of start.sh?

Should be fixed by clearing the browser cache for the domain/IP address.

The letsencrypt certificate has not been requested yet. I think this is done automatically on the first request, but Chrome won’t even go there once. Really it should be done in the setup script though. Working on it. Seems to need a management/ssl_certificates.py run but not working either.

The setup registers the ACME account with LE but doesn’t actually request a certificate right away - honestly I’m not even sure whether this is by design or not as I haven’t actually modified that behavior.

To get around this, you can use the IP address instead: https://0.0.0.0/admin, since there isn’t an HSTS policy for IP addresses.

I think it’s by design. I think I found that the certificates are checked and issued every night by the cron job, but probably only if they have already been issued once manually through the admin interface. I guess they want the Let’s Encrypt T&Cs to be accepted before any certs are requested.

My LXC PR adds a line at the end of the setup to ensure the MIAB hostname has a Let’s Encrypt certificate.

v60.0 (Full Release Notes)

And oh boy was it a whale of an update!

Guess that at this point that everybody knows the news: Mail-in-a-Box moved to Ubuntu 22.04!
And guess who also moved to 22.04?.. rhetorical question I guess :sweat_smile:

So after a bit of catching up to the latest version and fighting a bit too many merge conflicts, along with squashing a few bugs that I let stack up on the issue tracker (oops…), here are the highlights for this release:

Goodbye Buster; Hello Jammy

In the dance of distribution support, because of issues that I’ve already mentioned… regarding PHP, that is, I’ve had to drop support for Debian 10 (buster).

There’s a guide on how to move to Debian 11 (bullseye) - under this fork in-place upgrades ARE supported (you do not need to make a backup, install Debian 11 from scratch, restore the backup and run the setup). Read more here: https://power-mailinabox.net/buster-eol

On the other hand, Ubuntu 22.04 (Jammy Jellyfish) is now supported! If you’re on Ubuntu 20.04 (Focal Fossa), you can either upgrade or not. That’s up to you, the fork will remain supported for the time being. Likewise, you can also upgrade in-place.

Nextcloud twenty-four

Or 24 to be exact. Since we’re still locking you to Contacts + Calendar by default, unless you like messing with that, then there’s not much to explore here. But everything’s up to date now!

Executing Bugs :bug:

Those pesky bugs! I’ve been working on squashing a few of these - some deeper than others.


That took longer than expected to get out - but it’s finally out! I’ve had a lot on my plate, hence why I could not get this out sooner.

You know who to complain to if a bug pops up. I’ll be hiding somewhere!

2 Likes