[HOWTO] Self-hosted /e/ Cloud quick start guide for admins

Hi!

Self-hosted /e/ Cloud is quite simple to install, but there are some manual tuning steps to take care of.
So I propose to write them down here.

Please feel free to add your thoughts!

Installation

Please read the installation guide carefully, without missing any step!

  • if installation fails at any point (for example, a “network glitch”), please restart from the beginning after resetting your Cloud server instance
  • if you just modified DNS records (forward & PTR), please allow them some time to replicate
  • about the alternate email: it is good practice to use a secured, external account (not one on the domain you use for your /e/ Cloud). Out of the box it is used for:
    – sending you an account registration email
    – the contact address of the NextCloud admin account (can be changed)
    – the backup contact for the drive & welcome email accounts (can be changed)
    – the contact address for certificates (can be changed, but certificates then have to be renewed)
    – the login of the postfixadmin superadmin (I don’t know how complicated it is to change)

DNS

  • you may need to retrieve the DKIM key; it is stored at /mnt/repo-base/volumes/mail/dkim/$DOMAIN/mail.public.key. Please be aware that the file includes an unnecessary field (remove everything, including the double quotes, between k=rsa; and p=)
  • you may also want to add some useful records, for example DMARC, MTA-STS, … A good start can be to check your domain with the MxToolBox Domain Health Check

Admin account

At the end of the installation, you received a registration link at your alternate email address.
A good practice could be to use this link to create an “admin” account, keeping the ncadmin account for technical use.
Please avoid using something too common, like … admin :smiley:

Email aliases

Once you have created an admin account, another good practice is to work with email aliases:

Rainloop admin

  • of course, first change the admin password! :wink:
  • you may notice that some domains are included as potentially authorized. You can change that in the /mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains directory (either edit the disabled file or remove the domain’s file). You can also add others, of course

Backups

The /e/ team will work on an integrated solution; meanwhile you can use this: [HOWTO] Properly backup self-hosted /e/ cloud databases

Security

There is much to say on this subject; as a first step:

Personally, I :

  • changed the SSH port
  • installed ufw
  • installed fail2ban

I do not advise changing anything in nginx, as it is a Docker image.

clamav unofficial

If you set up your email aliases correctly, you may receive some errors from clamav-unofficial-sigs.
The engine in the mailserver2/mailserver Docker image is outdated and uses curl very poorly :frowning:
No need to search for an updated image on Docker Hub; this wasn’t improved in latest …

What I did:

  • ran cd /mnt/repo-base then docker-compose exec mailserver bash to get a shell into mailserver
  • ran apt-get update to update apt database
  • ran apt-get install wget to install it
  • from the clamav-unofficial-sigs INSTALL.md (clamav-unofficial-sigs/INSTALL.md at master · extremeshok/clamav-unofficial-sigs · GitHub), ran the “GENERIC INSTALL INSTRUCTIONS” (up to “cron”)
  • ran chown -R clamav:clamav /var/lib/clamav-unofficial-sigs/
  • ran cat /etc/clamav-unofficial-sigs/user.conf to copy the SecuriteInfo signature
  • exited the shell, then ran docker cp mailserver:/etc/clamav-unofficial-sigs/user.conf . to get this file into the host OS
  • edited this file with SecuriteInfo’s signature
  • ran docker cp user.conf mailserver:/etc/clamav-unofficial-sigs/ to put the file back into the container
  • waited some hours, then checked /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log

Note: this won’t survive a container re-creation! Of course, you can create a personal updated Docker image from your modified container, but this will break inheritance from the official source … You’ve been warned!

…

(more to come)


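The DKIM step in the DNS section above (retrieving mail.public.key and removing the quoted break between k=rsa; and p= before publishing the record), as an added example that is not part of the original post or of the /e/ Cloud installer. This POSIX shell helper flattens a BIND-style DKIM key file into the single TXT value to paste at your DNS provider, extracts the p= key material, and can compare it with what DNS actually serves once the record has replicated. Assumptions: the key file uses the usual `selector._domainkey IN TXT ( "..." "..." )` layout split into several double-quoted chunks; the sample file and its p= value are constructed placeholders, not a real key; the `dig` check is only run when you call it yourself.

```shell
#!/bin/sh
# Added example (not from the original post or the /e/ Cloud installer):
# flatten a DKIM key file into one TXT value and check it against live DNS.
# Assumption: the file is a BIND-style TXT record split into quoted chunks,
# e.g.  mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=MIIB..." "...." )

# Print the record value as one string: keep only the text inside double
# quotes, concatenate the chunks and drop the newlines. This is the
# "remove everything between k=rsa; and p=" cleanup done mechanically,
# so it also handles keys that the generator split into three or more chunks.
dkim_txt_value() {
    sed -n 's/[^"]*"\([^"]*\)"[^"]*/\1/gp' "$1" | tr -d '\n'
}

# Extract the base64 public key (the p= tag) from a flattened record string,
# tolerating quotes and spaces so the same function works on dig output.
# A leading ';' is prepended so ';p=' is always found as a field start;
# base64 never contains ';', so this cannot match inside the key material.
pubkey_of() {
    printf ';%s' "$1" | tr -d ' "' | sed -n 's/.*;p=\([^;]*\).*/\1/p'
}

# p= value of a key file on disk.
dkim_pubkey() {
    pubkey_of "$(dkim_txt_value "$1")"
}

# Compare the published record with the key file.
# Usage: dkim_dns_check example.org mail /mnt/repo-base/volumes/mail/dkim/example.org/mail.public.key
# (needs network and `dig`; not called automatically.)
dkim_dns_check() {
    domain=$1; selector=$2; keyfile=$3
    served=$(dig +short TXT "${selector}._domainkey.${domain}" | tr -d '\n')
    if [ -n "$served" ] && [ "$(pubkey_of "$served")" = "$(dkim_pubkey "$keyfile")" ]; then
        echo "OK: ${selector}._domainkey.${domain} matches ${keyfile}"
        return 0
    fi
    echo "MISMATCH or not yet replicated: ${selector}._domainkey.${domain}" >&2
    return 1
}

# Constructed sample in the layout assumed above; the p= value is a
# placeholder, not real key material.
SAMPLE_KEY_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_KEY_FILE"' EXIT
cat > "$SAMPLE_KEY_FILE" <<'EOF'
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
          "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"
          "key0123456789IDAQAB" ) ; ----- DKIM key mail for example.org
EOF

echo "TXT value to publish for mail._domainkey:"
dkim_txt_value "$SAMPLE_KEY_FILE"; echo
echo "p= (key material only): $(dkim_pubkey "$SAMPLE_KEY_FILE")"
```

Paste the printed value as the content of the `mail._domainkey` TXT record (most providers accept a single long string and split it into 255-byte chunks themselves); after the record has replicated, run `dkim_dns_check yourdomain mail /mnt/repo-base/volumes/mail/dkim/yourdomain/mail.public.key` to confirm the key that is served is the one the mailserver signs with.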

Hi @Manoj!

I’m not allowed to use the “howto” tag anymore :frowning:
Could you please assign a proper tag and make this thread user-editable?
Thanks! :pray:

Hi @smu44, I have made it editable … thanks for the HOWTO.


Update Nov. 9, 2021: added clamav unofficial
