[09:57:48]
<ben> Hello all, have a lovely Sunday. Anyone got any information or know where I can find information about the mail setup, for example the spam detection setup? It is kind of bad, it flags lots of email that are legitimate as spam and most real spam goes through. Where can I find information? How can I setup that is adds more than the "X-Spam: Yes" to the header?
[10:04:26]
<ben> rspamd is the thing that learns mails as ham that aren't, so I wonder how that happens.
[10:32:16]
<ben> And there is no really any information [here](https://yunohost.org/en/email).
[11:02:03]
<@err404:matrix.numericore.com> You can use scanmy.email to test and understand what is wrong or no in your config
[11:20:32]
<ben> > You can use scanmy.email to test and understand what is wrong or no in your config
that is not my problem, my problem is more that the setup of Yunohost is not clear, is rspamd just installed with standard setup and I as an admin should set it up as I want?
Then that is easy to do, but it should also be mentioned in the above linked information about the mailstack I think.
[11:23:23]
<ben> > You can use scanmy.email to test and understand what is wrong or no in your config
Also can not ask people using that service to tell me what I need to change on my server to solve the problem. I think the ham detection is just not very well, it would also be useful if the learning would be adjusted if messages are marked not being spam, which also moves them from Junk to Inbox usually.
[11:23:31]
<@err404:matrix.numericore.com> Sorry, I am really beginner about email config
[11:23:42]
<ben> > Sorry, I am really beginner about email config
ah ok, no problem
[11:27:10]
<ben> > Sorry, I am really beginner about email config
besides that services like this are good start to find out what is wrong with an email that is send from the yunohost server.
[15:51:48]
<Tony> does a default YNH install have any safeguards for brute-force login attempts?
[15:51:59]
<Aleks (he/him/il/lui)> yes, it's called fail2ban
[15:52:44]
<Tony> perfect, thanks
[16:00:29]
<Tony> hm, IIUC, fail2ban only bans for 10 minutes - so wouldn't an intelligent attack succeed over time? seems like there isn't a default permanent ban?
[16:03:16]
<Tony> per the docs
> If this address fails several times, it might get banned for a week.
which I guess would help some, but the IP could still try again, IIUC
[16:07:43]
<Aleks (he/him/il/lui)> this is called the "recidive" jail in fail2ban and is configured by default on yunohost as well ...
[16:09:50]
<Tony> yeah, trying to search the docs to understand the setting and whether it's an accelerated ban time increase...
[16:15:46]
<Tony> recidive.conf doesn't seem to make this obvious...
[16:22:50]
<Aleks (he/him/il/lui)> ... what is your actual issue ...
[16:25:11]
<Tony> I'm trying to understand how secure my YNH instance is against brute-force admin password attacks and what the fail2ban configuration is, in particular whether it is configured with an accelerated ban time by default, such that an attacker doesn't just have to set a wait period for e.g. 10 minutes so they can go back, do 10 more attempts, try again in 10 minutes, etc, forever, until they eventually get in
[16:25:39]
<Tony> unfortunately that information is not yet obvious to me through ynh docs, fail2ban docs, or the ynh configs
[16:25:49]
<Tony> I'm sure I'm just missing something
[16:26:27]
<Salamandar> tl;dr anyways fail2ban doesn't really work for ipv6 (and actually there's no real solution. And it's not an issue related to yunohost)
[16:27:30]
<Aleks (he/him/il/lui)> and tl;dr you don't really have to be scared about bruteforce attacks if you picked a secure password, a bot bruteforcing ain't gonna waste literally 3 millions years bruteforcing your specific server
[16:28:18]
<Salamandar> yeah, on the other hand the best security you can have is NOT using your yunohost admin password for another service (that might have its database leaked)
[16:29:12]
<Salamandar> > <@Salamandar:matrix.org> tl;dr anyways fail2ban doesn't really work for ipv6 (and actually there's no real solution. And it's not an issue related to yunohost)
(that is what I mean : https://www.reddit.com/r/ipv6/comments/1bgh67j/comment/kvaxeg0/)
[16:32:03]
<Salamandar> Even when banning huge /56 ipv6 ranges, you get 16 MILLIONS times the total number of existing ipv4 to ban…
[16:32:16]
<Tony> > <@Alekswag:matrix.org> and tl;dr you don't really have to be scared about bruteforce attacks if you picked a secure password, a bot bruteforcing ain't gonna waste literally 3 millions years bruteforcing your specific server
oh, good point - I guess I was concerned about increasing my password complexity but then went the route of trying to understand the brute-force protections, which I guess would still be effective if there isn't an accelerating ban policy
[16:33:20]
<Salamandar> > <@tony:opensourceit.org> oh, good point - I guess I was concerned about increasing my password complexity but then went the route of trying to understand the brute-force protections, which I guess would still be effective if there isn't an accelerating ban policy
Yeah, having a longer password is also the rule n°1 : longer password (+ symbols, if possible) means longer (and practically undoable) brute force
[16:35:15]
<Tony> got it, thanks for the tips Salamandar and Aleks (he/him/il/lui)
[17:26:54]
<Tony> is this an okay channel to ask about issues with common YNH apps, or is there a better place for that? for example, I'm looking at the YNH Synapse Github and YNH forums, I'm not quite sure if anybody has gotten Synapse working with sliding sync for Element X support yet - would be nice to know if somebody has and what they had to do
[17:28:54]
<Tony> I found [this issue tracker](https://github.com/YunoHost-Apps/synapse_ynh/pull/439) but thought maybe you could simply enable it manually
[18:09:50]
<Tony> huh, upgrading to latest ynh_synapse seems to get it to work - shows errors about "no push distributors", but still seem to be sending and receiving messages, so we'll see
[18:25:17]
<Tony> Ah, no push notifications. Not sure if that's related to the sliding sync issue. Will follow up on that issue tracker, I guess