Generated configuration was this:

      - "/mailu/certs:/certs"

Though I think this is more appropriate since Mailu is not supposed to generate certificates in this case on its own, thus read-only access should suffice:

      - "/mailu/certs:/certs:ro"

Hi guys. You didn't hear from me in some years now, but unfortunately I have some bad and urgent news. I've received notice that the demo server has somehow became victim of a botnet. I once donated this small VM to the community years ago and I am still renting it. Access was granted (and used) by a number of contributors in the ./ssh directory, but I haven't actively maintained the server in terms of updates.

I'm also not sure if the host is compromised or if the mail server is used to send spam mail. The latter shouldn't be possible because I remember we were sure to break the outgoing network capabilities of the smtp container. But then again, I don't know what changed over the years.

Dear Mr Tim Mohlmann,

We have received an abuse report from [[email protected]](mailto:[email protected]).

We are automatically forwarding this complaint on to you, for your information. You do not need to respond, but we do expect you to check the report and to resolve any (potential) issues.

Information:

-----
Good morning/afternoon

Recently, Qakbot botnet infrastructure was taken down[1]. Spamhaus is
working with various law enforcement agencies to help remediate
compromised email accounts[2]. We are contacting you because we believe
that Qakbot may have compromised email accounts located on
hetzner.com's network.

What action do you need to take?

- A list of email accounts that we think are affected on
hetzner.com's network is available below.
- The only action required is to change the passwords for all the affected
accounts.
- This is urgent - please do this as quickly as possible. These breached
accounts may have been shared with other criminals for use with
different active botnets for malicious purposes.

See also:
https://www.spamhaus.org/qakbot/


How has this data been compiled?

- The law enforcement agencies have made available the compromised email
account/addresses to Spamhaus.
- Using this data, we have obtained the primary MX record for the
compromised account's domain and the network responsible for the MX's
IP. We hope this network can directly or indirectly assist in these
remediation efforts.


Thank you for your time and willingness to help!


[1] https://www.fbi.gov/news/stories/fbi-partners-dismantle-qakbot-infrastructure-in-multinational-cyber-takedown
[2] https://www.spamhaus.org/news/article/819/qakbot-the-takedown-and-the-remediation


ip, hostname, email

78.47.92.244,test.mailu.io,[[email protected]](mailto:[email protected])

-----

Please note again that this is a notification only, you do not need to respond.

Kind regards

Abuse Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 505-0
Fax: +49 9831 505-3
[[email protected]](mailto:[email protected])
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some
of your personal data. For information on our data privacy
policy, please see: www.hetzner.com/datenschutzhinweis

As immediate action, I have docker-compose down on the demo server in /opt/infra/demo and disable all cron jobs in /etc/crontab to prevent it from coming up again.

If there is someone around that can investigate further and post back here that would be great.

Downloading the generated files via IPv6 doesn't work. The download times out after two minutes and wget reverts to IPv4.

root@localhost:~# wget https://setup.mailu.io/1.8/file/94e9b53e-f43f-4837-bc4c-e841c53cfa31/docker-compose.yml
--2021-08-23 19:03:10--  https://setup.mailu.io/1.8/file/94e9b53e-f43f-4837-bc4c-e841c53cfa31/docker-compose.yml
Resolving setup.mailu.io (setup.mailu.io)... 2a01:4f8:c2c:f707::1, 78.47.92.244
Connecting to setup.mailu.io (setup.mailu.io)|2a01:4f8:c2c:f707::1|:443... failed: Connection timed out.
Connecting to setup.mailu.io (setup.mailu.io)|78.47.92.244|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2316 (2.3K) [application/text]
Saving to: ‘docker-compose.yml’

docker-compose.yml.2  100%[=========================>]   2.26K  --.-KB/s    in 0s      

2021-08-23 19:05:20 (54.0 MB/s) - ‘docker-compose.yml’ saved [2316/2316]

The server responds to ping on IPv6 so the problem is probably related to the web server configuration.

root@localhost:~# ping setup.mailu.io
PING setup.mailu.io(test.mailu.io (2a01:4f8:c2c:f707::1)) 56 data bytes
64 bytes from test.mailu.io (2a01:4f8:c2c:f707::1): icmp_seq=1 ttl=56 time=4.19 ms

The above commands were run on a standard Linode Ubuntu server.

Mailu master/1.9 now requires a DNSSEC capable resolver.
We must enable unbound on the infra server

Generally restart: unless-stopped is a better default since some may want to stop container temporarily for whatever reason and having it restarting automatically is inconvenient.

Here we shall collect project managers public keys for accessing the docs and setup machine(s).

Please use a specific ssh keypair so that any any attack on the key you publish here can lead to anything else than Mailu being compromised.

Please use rsa (>= 2048), ecds (>=256) or ed25519.

I tried to spin up the setup docker-compose up -d but and the only container that did not start was stable 1.7

so i run it docker-compose up stable and get some python error

File "/usr/local/lib/python3.9/site-packages/flask/blueprints.py", line 195, in init
stable_1 | raise ValueError("'name' may not contain a dot '.' character.")
stable_1 | ValueError: 'name' may not contain a dot '.' character.

the other containers , 'development' and 'testing' are working

I played around with the .env file and putting STABLE=1_7 and fixing the docker-compose.yml to pull the correct image will at least boot. I think the issue is in the python scripts.

  stable:
    image: mailu/setup:1.7

I had /abc/x.y.z/mailu specified as path in setup, but setup refused to accept it. I had to use /mailu and edit it afterwards manually. Would be more convenient if it supported the original path though.