Potential Bug After Restoring Backup – Mail-in-a-Box Used for Sending Spam

22

So what is your sugestion. And please explain it like to a 5-year old.

EDIT: I confirm sendmail is not installed on the latest version and Calendar invites and notifications don’t work.
So this cron job is useless.

EDIT 2: On my other instance with the unofficial MIAB version with quotas version 0cd8e4db62b237c170f4688b7d07ef2f0cbd03a5. Calendar invites DO work. As well as notifications. In this version the nextcloud admin login is not unlocked and both Calendar invites and notifications are sent to nonlocal and local users via postfix. The mail.log also shows the sent invites.

23

EDIT2 it is :wink:

Many MTAs do maintain at least some level of compatibility with sendmail. Postfix, for example, provides a sendmail compatibility interface. That’s because sendmail has been the de facto standard for mail communication on UNIX operating systems since the 1980s, and was the most widely used mail server for mail communication over the Internet in the 1990s. According to Wikipedia, in 1996 about 80% of publicly accessible mail servers on the Internet were running sendmail.

So, as Nextlcoud has done in this case, software can implement the sendmail command even in 2025, and it will mostly just work with popular MTAs.

Yes you’re right, I hadn’t thought about the usecase of sending calendar inventions to external users, in which case Nextcloud will of course also send emails to external addresses.

2 Likes
24

Can anyone confirm invites and calendar events are sent out with the latest version.
I am not sure weather I broke the setup with the admin unlocking of nextcloud (2 years ago) or any latest version addresses nextcloud vulnerability since it uses root access to send via 127.0.0.1 via the symlinked sendmail? I have seen spammers using calendar events by which they populate your calendar with 1000s of links and other junk and send you reminders and drive you crazy. They do this by manipulating the calendar to do Auto Accept and Remind you. Even Snooze doesn’t work Very nasty. Only remedy is to manually purge the calendar.

25

Hmm, I find it hard to believe that this is possible with the default configuration of Nextcloud or the Mail-in-a-Box configuration of Nextcloud, even if the admin interface is enabled. Or let’s say there were probably some other things going on to make this possible…

  • Users may have publicly shared calendars with write access.

  • Users may have set their calendars to automatically accept inventions. Most likely on a client software/device, as I’m not sure this is even possible to configure in Nextcloud directly.

  • Compromised accounts due to leaked passwords / no 2FA

  • Compromised clients / client software

  • A vulnerability in Nextcloud, but I find this hard to believe because I’m quite active in the Nextcloud forums and never seen anyone report anything like this.

  • Security hole introduced by some third party app

  • Security hole introduced by misconfiguration by the admin :wink:

  • other things I can’t think of right now…

26

It was not because of Nextcloud calender. I will post the whole story now.

27

Hello everyone,

Thank you so much for your helpful replies and ideas! After a lot of testing and troubleshooting, I’ve finally discovered the root cause of my previous issues.

The Problem (Initial Setup - Missed Configuration):

The core problem was that my Mail-in-a-Box server (running inside a KVM on Machine A) was incorrectly configured due to being behind an FRP (Fast Reverse Proxy) connection. Additionally, there was an unexpected open relay on my server, which has now been resolved.

To visualize the initial problematic setup:

Internet <--> Machine B (FRP Server - Public IP 2) <--> Machine A (Host - Public IP 1)
                                                                 |
                                                                 +--> Machine C (Mail-in-a-Box KVM - NAT'ed IP from A)

With this FRP setup, while incoming traffic to Machine B could be forwarded to Machine C, the outgoing traffic from Machine C was incorrectly using the public IP of Machine A. This caused various issues with email deliverability and potentially security.

The Solution (New Architecture - WireGuard Network):

I’ve moved away from the FRP setup and have now implemented a WireGuard private network to connect Machine B and Machine C. This allows for proper IP routing and NAT networking configurations.

Here’s a diagram of the new architecture:

Internet
  |
  |
  +--> Machine A (Main Mail-in-a-Box Server - Public IP 1)
  |     (Runs KVM)
  |
  +--> Machine B (WireGuard Gateway - Public IP 2) --- WireGuard Tunnel ---> Machine C (Mail-in-a-Box KVM - Private IP on WireGuard)
         (Handles In/Out Traffic)                                            (NAT'ed internally on Machine A)

Detailed Explanation of the New Setup:

Let’s break down the components and traffic flow:

  • Machine A (Main Mail-in-a-Box Server):

    • Has its own public IP address (let’s call it Public IP 1).
    • Acts as the host for the KVM.
    • The original Mail-in-a-Box instance runs directly on this machine.

  • Machine B (Digital Ocean Droplet - WireGuard Gateway):

    • Has its own distinct public IP address (let’s call it Public IP 2).
    • Acts as the WireGuard gateway for Machine C.
    • Will be configured with iptables rules to handle both incoming and outgoing traffic for Machine C, making it appear as if the traffic originates from Public IP 2.

  • Machine C (Mail-in-a-Box KVM):

    • Runs inside a KVM on Machine A.
    • Is on a private network managed by KVM/NAT on Machine A.
    • Connects to Machine B via a WireGuard tunnel.
    • All outgoing traffic from Machine C is routed through the WireGuard tunnel to Machine B.
    • Incoming traffic destined for the Mail-in-a-Box on Machine C will be forwarded from Machine B through the WireGuard tunnel.

Traffic Flow:

  • Incoming Traffic to Machine C:

    Internet --> Machine B (Public IP 2) --> WireGuard Tunnel --> Machine C (Private IP)

  • Outgoing Traffic from Machine C:

    Machine C (Private IP) --> WireGuard Tunnel --> Machine B (Public IP 2) --> Internet

Current Challenges:

I’m currently working on configuring fail2ban. My plan is to install and configure fail2ban on Machine B (the WireGuard gateway server). This will allow me to monitor and block malicious attempts targeting the Mail-in-a-Box instance running on Machine C, as all relevant traffic will pass through Machine B.

In Summary:

The move to a WireGuard network with proper IP routing and NAT configuration on Machine B should resolve the issue of outgoing traffic using the wrong public IP. By centralizing the external network interface and security measures (like fail2ban) on Machine B, I aim to have a more stable and correctly configured Mail-in-a-Box instance within the KVM.

Finally: The main issue was “SMTP Open Relay” nothing related to sendmail method :sweat_smile:

28

That bloody NAT. Why are you saving public IPs when you are running 2000 mailboxes on the server? Hardly anyone is running MIAB behind a NAT.

29

I honestly don’t care whether Mail-in-a-Box is running behind NAT or not — the issue I faced was NAT loopback, which is blocked by my ISP as part of their standard setup. That prevents users on the same local network from accessing the mail server using its public IP ( or even the domain name ). I tried every known workaround to bypass this limitation, but nothing reliably fixed it.

So I decided to take a different route: I now use a separate public IP via a WireGuard VPN gateway. This not only resolves the NAT loopback problem, but also helps me isolate the Mail-in-a-Box server from other services running on the same machine. That means I’m free to run whatever I want — without interfering with the mail server’s stability or deliverability.

In the end, I built a clean mesh network using WireGuard + iptables forwarding, and it works flawlessly now :smile: