Hi!
Self-hosted /e/ Cloud is quite simple to install, but there are some manual tuning steps to take care of.
So, I propose to write them down here.
Please feel free to add your thoughts!
Installation
Please read the installation guide carefully without missing any step!
- if installation fails at any point (for example, a “network glitch”), please restart from the beginning and reset your Cloud server instance
- if you just modified DNS records (forward & PTR), please allow them some time to replicate
- about the alternate email: it is good practice to use a secured, external account (not using the domain you use for your /e/ Cloud). Out of the box it is used:
– for sending you an account registration email
– as contact for the NextCloud admin account (can be changed)
– as backup contact for the drive & welcome email accounts (can be changed)
– as contact for certificates (can be changed, but certificates then have to be renewed)
– as login for the postfixadmin superadmin (I don’t know how complicated it is to change)
DNS
- you may need to retrieve the DKIM key; it is stored at /mnt/repo-base/volumes/mail/dkim/$DOMAIN/mail.public.key . Please be aware that the file includes an unnecessary field: wipe everything, double quotes included, between k=rsa; and p= so that the two parts become one contiguous value
- you may also want to add some useful records, for example DMARC, MTA-STS, … A good start is to check your domain against https://mxtoolbox.com/emailhealth/
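The DKIM record assembly described above, as an added example that is not part of the original post: it joins the quoted chunks of a mail.public.key file into the single TXT value to publish, then sanity-checks the result (no stray quotes, valid tags, p= decodes to a DER public key) before you paste it into DNS. The sample file content is constructed and its p= value is a shortened placeholder, not a real key.

```python
import base64
import binascii
import re

# Constructed sample in the BIND-style layout OpenDKIM writes to
# mail.public.key; the p= value is a shortened placeholder, not a real key.
SAMPLE_KEY_FILE = '''mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "
\t  "p=MIIBIjANBgkqhkiG9w0BAQEF"
\t  "AAOCAQ8AMIIBCgKCAQEA" )  ; ----- DKIM key mail for example.org
'''

def dkim_txt_value(key_file_text):
    """Join the quoted chunks into the single value to paste into DNS."""
    # Between chunks sit '" "' runs: the part the post says to wipe by hand.
    chunks = re.findall(r'"([^"]*)"', key_file_text)
    if not chunks:
        raise ValueError("no quoted TXT strings found in key file")
    return "".join(chunks)

def parse_dkim_tags(txt_value):
    """Split a DKIM TXT value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt_value.split(";"))):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag (no '='): %r" % part)
        tags[name.strip()] = value.strip()
    return tags

def check_dkim_record(txt_value):
    """Return a list of problems found in an assembled record (empty = OK)."""
    problems = []
    if '"' in txt_value:
        problems.append("stray double quote left in the record")
    tags = parse_dkim_tags(txt_value)
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is missing or not DKIM1")
    pub = tags.get("p", "")
    if not pub:
        problems.append("p= tag is missing or empty")
    else:
        try:
            der = base64.b64decode(pub, validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (truncated or mangled?)")
        else:
            # A DER SubjectPublicKeyInfo starts with a SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                problems.append("p= does not decode to a DER public key")
    return problems
```

Run check_dkim_record on the value you are about to publish; a non-empty list usually means a character was lost while removing the quotes by hand.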
Admin account
At the end of the installation, you received a registration link at your alternate email address.
A good practice is to use this link to create an “admin” account, keeping the ncadmin account for technical usage.
Please avoid using something too common, like … admin
Email aliases
Once you have created an admin account, another good practice is to work with email aliases:
- go to https://mail.yourdomain.tld/list-virtual.php?domain=&tab=alias and edit every alias so it points to the admin account address
Rainloop admin
- of course, first change the admin password!
- you may notice that some domains are included as potentially authorized. You can change that in the /mnt/repo-base/volumes/nextcloud/data/rainloop-storage/_data_/_default_/domains directory (either edit the disabled file or remove the domain’s file). You can also add other domains there, of course
Backups
The /e/ Team will work on an integrated solution; meanwhile you can use this: [HOWTO] Properly backup self-hosted /e/ cloud databases
Security
There is much to say on this subject; as a first step:
- conduct the NextCloud test
- use a web scanner like https://www.immuniweb.com/websec/
- in the first weeks, periodically review the logs (you can use docker-compose logs -t)
Personally, I :
- changed the SSH port
- installed ufw
- installed fail2ban
I do not advise changing anything in nginx, as it is a Docker image.
clamav unofficial
If you set up your email aliases correctly, you may receive some errors from clamav-unofficial-sigs.
The engine in the mailserver2/mailserver Docker image is outdated, and uses curl very poorly.
No need to search for an updated image on Docker Hub; this wasn’t improved in the latest …
What I did:
- ran cd /mnt/repo-base then docker-compose exec mailserver bash to get a shell into mailserver
- ran apt-get update to update the apt database
- ran apt-get install wget to install it
- from https://github.com/extremeshok/clamav-unofficial-sigs/blob/master/INSTALL.md, ran “GENERIC INSTALL INSTRUCTIONS” (up to “cron”)
- ran chown -R clamav:clamav /var/lib/clamav-unofficial-sigs/
- ran cat /etc/clamav/unofficial-sigs/user.conf to copy the SecuriteInfo signature
- exited the shell, then ran docker cp mailserver:/etc/clamav-unofficial-sigs/user.conf . to get this file into the host OS
- edited this file with SecuriteInfo’s signature
- ran docker cp user.conf mailserver:/etc/clamav-unofficial-sigs/ to put the file back into the container
- waited some hours to check /var/log/clamav-unofficial-sigs/clamav-unofficial-sigs.log
Note: this won’t survive a container re-creation! Of course, you can create a personal updated Docker image from your modified container, but this will break inheritance from the official source … You’ve been warned!
(more to come)