Andris Reinman
@andris9
If you are using zonemta with wildduck and everything is upgraded to latest, then you can use the SNI API endpoints to configure TLS certificates. You still need the default certificate as a file, though it could be self-signed, as only the SNI certs must be valid. https://docs.wildduck.email/api/#operation/updateTLSCertificate
2 replies
These SNI certs are valid for WildDuck (IMAP, POP3, HTTP API) and ZoneMTA (SMTP) but not Haraka.
tenninjas
@tenninjas
Ah, OK.
Andris Reinman
@andris9
Tiny product news, probably does not concern many users, but wildduck-audit-manager now has proper support for PGP ECC keys. So far only RSA keys actually worked. Haven't checked WildDuck core yet; it probably has similar issues with ECC keys that audit manager had so far.
tenninjas
@tenninjas
Is there any use to the mongo db declaration for wildduck-webmail? It seems to be unused?
Andris Reinman
@andris9
Yes, I think it is not used at all anymore.
tenninjas
@tenninjas
@louis:laureys.me I have some stuff I'd like to chat with you about re: DuckyPanel when you have a moment; let me know if there's a better place/way for us to do that.
Louis
@louis:laureys.me
[m]
You can send me a private chat on matrix: https://matrix.to/#/@louis:laureys.me
But here, or in a github issue is also fine.
Andris Reinman
@andris9
Product news: first version of ACME managed SNI certificate support is now in the master branch: https://docs.wildduck.email/#/in-depth/acme-certificates
Louis
@louis:laureys.me
[m]
Very cool! I assume Zone is putting the imap server behind completely different load balancers/ip addresses than their webmail?
Andris Reinman
@andris9
Actually there is no load balancer in front of these services. Instead a single A record resolves into multiple IP addresses, each of which is a physical server, e.g.
$ dig +short imap.zone.eu
217.146.64.202
217.146.64.204
217.146.64.205
Louis
@louis:laureys.me
[m]
Ah, dns round robin. Doesn't that fail if one of them goes down?
But, port 80 on those ips isn't used by webmail at least then 😁
Andris Reinman
@andris9
Well, yeah, each of these servers is for a single purpose, e.g. an IMAP server does not serve POP3 etc. The new ACME thing is yet too experimental, so it is not actually used, but in the end each such server is probably going to have an ACME handler running on port 80 indeed.
Louis
@louis:laureys.me
[m]
Makes sense :)
Though I want to be sure of my understanding, that way of load balancing won't give high availability right? Just horizontal load scaling.
Andris Reinman
@andris9
Yes, you're correct. There are plans for HA, but these are not in any way urgent.
Louis
@louis:laureys.me
[m]
Great :)
Andris Reinman
@andris9
So far all major issues have been with the DB and not, for example, an IMAP server burning down or anything, so making application servers more bulletproof has not been a priority.
Louis
@louis:laureys.me
[m]
Interesting, anything that would cause the db servers to be more volatile?
Andris Reinman
@andris9
Well, there's about 50TB of actual data (~70TB+ virtual data) to manage and there aren't any tutorials to follow to do it "properly". Though so far most major issues have been caused by external things like exploding network switches etc.
Louis
@louis:laureys.me
[m]
Ah, yeah the 50TB of data doesn't help hahaha
Andris Reinman
@andris9
If different DB replica servers do not see each other anymore due to some faults in the network, then strange things start to happen.
Louis
@louis:laureys.me
[m]
Can't easily just spin up a new one
Ahh, yeah they go read only if they can't reach a quorum right?
Andris Reinman
@andris9
I'm not sure, but there are at least 6 replica shards, which means 6*3=18 physical servers. In addition there are MongoDB mongos servers and a configuration shard (also 3 servers).
If you have a 3 member replica set then at least 2 of these must be able to communicate with each other, otherwise there would be no primary instance anymore (even if there's nothing wrong with the current primary, it steps down automatically once it does not have enough votes).
Louis
@louis:laureys.me
[m]
Yeah, that sounds hard to manage. Are you doing 3 data bearing nodes or 2 + 1 arbiter?
Seems more cost effective, but with additional risk
Andris Reinman
@andris9
3 data nodes. 2 in one DC and 1 in a 2nd DC. But if the DC with 2 nodes goes offline then the 1 can't process anything anymore, as it does not have enough votes. And the system makes so many write operations that using only a replica member is not possible. At first I tried to design the system in a way where emails would still be readable even if there is no primary member anymore, but each read causes several writes (e.g. marking unseen emails as seen etc.), so it requires an actual primary to be available.
There are also separate disks for different kinds of data. So messages and user information are stored in a DB that is on a fast SSD. Attachments (but not attachment indexes) are stored on a very large but slow HDD. So if that HDD becomes inaccessible then most of the system still works: you can log in and read emails etc., but you can not download any attachments.
So when using IMAP you can only download messages without attachments. It fails requests against messages that do have at least one attachment. In webmail attachments are loaded later, so each message can be read (but attachment requests will fail, so no images etc.).
Louis
@louis:laureys.me
[m]
I like how you separated those databases :)
Makes a lot of sense
Andris Reinman
@andris9
Yeah, it is much cheaper that way. SSD is quite pricey, and you don't even need to access attachments most of the time.
Louis
@louis:laureys.me
[m]
And attachments use the most data as well
People love sending large files over email hahaha
My relatives always complain about the 25 MB limit that's basically everywhere, but I know that I don't want a higher limit.
Daviesmolly
@Daviesmolly
How to integrate text or a simple basic captcha into wildduck-webmail?
Andris Reinman
@andris9
@Daviesmolly wildduck webmail supports reCaptcha but it is disabled by default, https://github.com/nodemailer/wildduck-webmail/blob/3371984a32a7942d7859c3fcde923cf62484e7fa/config/default.toml#L48-L51
Tiny product news. WildDuck Auditing System now generates verification hashes for email downloads (each download is logged and you can later download a verification hash for the downloaded file to verify whether the downloaded file has been changed or not).
Louis
@louis:laureys.me
[m]
Cool! What's the exact use case for this?
Andris Reinman
@andris9
Once an email is downloaded as evidence it must be possible to later validate that the email has not been tampered with and is the same that was on the server.
Not every download is actually signed. Instead the download hash is logged, and once you try to download it the file is put together and signed with the server key.
Louis
@louis:laureys.me
[m]
Ah, that's pretty cool
Andris Reinman
@andris9
Btw, this does not hash actual emails but the container, e.g. the downloaded zip file. Every time you download emails, be it a single email file or a zipped selection, that action is logged and you can later go and download a signed verifying hash for that download. Would prefer to somehow include the hash with the initial download, but the zip files are streamed (can be very large) and there is no way to know the hash of it before it has actually been downloaded.
The audit system does not show email contents, only metadata (including subject and to/from addresses). To actually see the email you have to download it, and that action is logged.