Self-hosted /e/ Cloud is quite simple to install, but there are some manual tuning steps to take care of.
So, I propose to write them down here.
Please feel free to add your thoughts!
Please read the installation guide carefully, without missing any step!
- if installation fails at any point (for example, a “network glitch”), please restart from the beginning by resetting your Cloud server instance
- if you just modified DNS records (forward & PTR), please allow them some time to replicate
- about the alternate email: it’s good practice to use a secured, external account (not on the domain you use for your /e/ Cloud). OOTB it is used for:
– sending you an account registration email
– as contact for NextCloud admin account (can be changed)
– as backup contact for drive & welcome email accounts (can be changed)
– as contact for certificates (can be changed, but certificates are to be renewed)
– as login for postfixadmin superadmin (don’t know how complicated it is to change)
- you may need to retrieve the DKIM key; it is stored at `/mnt/repo-base/volumes/mail/dkim/$DOMAIN/mail.public.key`. Please be aware that the file includes an unnecessary field (wipe anything including double-quotes between
- you may also want to add some useful records, for example DMARC, MTA-STS, … A good start is to check your domain with Domain Health Check - Online Domain Tools - Blacklist, Email, Website, DNS - MxToolBox
At the end of installation, you received a registration link at your alternate email address.
A good practice could be to use this link to create an “admin” account, keeping the ncadmin account for technical usages.
Please avoid using something too common, like … admin
Once you have created an admin account, another good practice is to work with email aliases:
- go to https://mail.yourdomain.tld/list-virtual.php?domain=&tab=alias and edit every alias to point to the admin account address
- of course, change the admin password first!
- you may notice that some domains are included to be potentially authorized. You can change that in the `/mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains` directory (either edit the `disabled` file or remove the domain’s file). You can also add some others, of course
The /e/ Team will work on an integrated solution; meanwhile, you can use this: [HOWTO] Properly backup self-hosted /e/ cloud databases
There is much to say on this subject; as a first step:
- conduct the NextCloud test
- use some web scanner like Website Security Test | Security Scan for GDPR and PCI DSS Compliance
- in the first weeks, periodically review the logs (you can use `docker-compose logs -t`)
Personally, I:
- changed the SSH port
- installed ufw
- installed fail2ban
I do not advise changing anything in nginx, as it is a Docker image.
If you set up your email aliases correctly, you may receive some errors from clamav-unofficial-sigs.
The engine in the mailserver2/mailserver Docker image is outdated, and uses curl very poorly.
No need to search for an updated image in Docker Hub, this wasn’t improved in latest …
What I did:
- `docker-compose exec mailserver bash` to get a shell into mailserver
- `apt-get update` to update the apt database
- `apt-get install wget` to install it
- from clamav-unofficial-sigs/INSTALL.md at master · extremeshok/clamav-unofficial-sigs · GitHub, ran “GENERIC INSTALL INSTRUCTIONS” (up to “cron”)
- `chown -R clamav:clamav /var/lib/clamav-unofficial-sigs/`
- `cat /etc/clamav-unofficial-sigs/user.conf` to copy SecuriteInfo signature
- exited the shell, then ran
`docker cp mailserver:/etc/clamav-unofficial-sigs/user.conf .` to get this file onto the host OS
- edited this file with SecuriteInfo’s signature
- `docker cp user.conf mailserver:/etc/clamav-unofficial-sigs/` to put the file back into the container
- waited some hours to check
Note: this won’t survive a container re-creation! Of course, you can create a personal updated Docker image from your modified container, but this will break inheritance from the official source … You’ve been warned!
(more to come)
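
An added example, not part of the original post or of /e/ project code: a POSIX shell check for the DKIM, DMARC and MTA-STS records mentioned above, including a comparison of the published DKIM record with the key file on the server. It assumes the DKIM selector is `mail`, that the key file is a BIND-style TXT record made of quoted chunks, and that `dig` is installed; the helper names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the DKIM selector is
# "mail" (from the file name mail.public.key) and the key file is a BIND-style
# TXT record made of quoted chunks. Helper names are hypothetical.

# Join the quoted chunks of a TXT record (key file or `dig +short`) into one value.
dkim_txt_value() { grep -o '"[^"]*"' | tr -d '"\n'; }

# Print the value of one tag from a "tag=value; tag=value" record.
tag_value() {
    printf '%s' "$1" | tr -d ' \t' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# DKIM: this check requires v=DKIM1 and a non-empty key (an empty p= means revoked).
check_dkim() { [ "$(tag_value "$1" v)" = DKIM1 ] && [ -n "$(tag_value "$1" p)" ]; }

# DMARC: print the policy if the record is well-formed, fail otherwise.
dmarc_policy() {
    [ "$(tag_value "$1" v)" = DMARC1 ] || return 1
    _p=$(tag_value "$1" p)
    case "$_p" in none|quarantine|reject) printf '%s\n' "$_p" ;; *) return 1 ;; esac
}

# MTA-STS: the TXT record needs the version and a policy id.
check_mta_sts() { [ "$(tag_value "$1" v)" = STSv1 ] && [ -n "$(tag_value "$1" id)" ]; }

# Fetch a TXT record and flatten its chunks (assumes one TXT record per name).
txt() { dig +short TXT "$1" | dkim_txt_value; }

# Live audit (needs dig and network): audit_domain <domain> [keyfile]
audit_domain() {
    _key=${2:-/mnt/repo-base/volumes/mail/dkim/$1/mail.public.key}
    _pub=$(txt "mail._domainkey.$1")
    check_dkim "$_pub" && echo "DKIM: ok" || echo "DKIM: missing or invalid"
    if [ -r "$_key" ] && [ "$_pub" != "$(dkim_txt_value < "$_key")" ]; then
        echo "DKIM: published record differs from $_key"
    fi
    _pol=$(dmarc_policy "$(txt "_dmarc.$1")") && echo "DMARC: p=$_pol" \
        || echo "DMARC: missing or invalid"
    check_mta_sts "$(txt "_mta-sts.$1")" && echo "MTA-STS: ok" \
        || echo "MTA-STS: TXT record missing or invalid"
}

if [ $# -ge 1 ]; then audit_domain "$@"; fi
```

Run it on the server as `sh check-mail-dns.sh yourdomain.tld` (the script name is arbitrary); a DMARC result of `p=none` means receivers only report and do not act on failures.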