Request for Verification and Support: Incoming Mail Setup on NethServer 8 with Maileroo Webhook

Support
,
1

Hello everyone,

Due to severe limitations from the ISP where I work – they have little understanding of PTR records and refuse to open any incoming ports – I was forced to implement a provisional solution to receive email on my NethServer 8. Outgoing mail works fine using Maileroo as a smarthost, but inbound delivery required a workaround.

I would really appreciate the community’s validation of my approach, both for correctness and security.

Background (personal note)

I have been ill for some time and have kept working to be able to afford medicine and food. This project is part of my effort to keep my job and income. I plan to release the final solution on GitHub and, if possible, package it as an app for NethServer 8 (using the NS8 module SDK). Any advice or review from the community would mean a lot to me.

Current environment

  • Version: NethServer 8 (latest stable)

  • Mail module: mail1 installed and running with local users

  • Domain: mydomain.com

  • DNS: MX records point to Maileroo (mx1.maileroo.com, mx2.maileroo.com)

Intended mail flow

  1. External email arrives at user@mydomain.com.

  2. Maileroo receives it and, via Inbound Routing, sends a POST request to a webhook hosted on my NethServer.

  3. The webhook processes the JSON payload and delivers the email to the corresponding local mailbox using ns8-sendmail.

Detailed configuration (to be reviewed)

1. Smarthost configuration (required by ns8-sendmail)

bash

redis-cli hset cluster/smarthost enabled true
redis-cli hset cluster/smarthost host "smtp.maileroo.com"
redis-cli hset cluster/smarthost port 587
redis-cli hset cluster/smarthost username "YOUR_SMTP_USERNAME"
redis-cli hset cluster/smarthost password "YOUR_SMTP_PASSWORD"
redis-cli hset cluster/smarthost encrypt_smtp "starttls"
redis-cli hset cluster/smarthost tls_verify true

2. Restricted sudo access for runagent

I created an unprivileged user mail-distributor and allowed it to run only runagent:

bash

echo "mail-distributor ALL=(root) NOPASSWD: /usr/local/bin/runagent" | sudo tee /etc/sudoers.d/mail-distributor

In the Python script, I use sudo to execute runagent:

python

cmd = [
    'sudo', '/usr/local/bin/runagent', '-m', 'mail1',
    'ns8-sendmail',
    recipient
]

3. Webhook script (simplified)

python

@app.route('/webhook', methods=['POST'])
def handle_webhook():
    if WEBHOOK_TOKEN:
        token = request.headers.get('X-Webhook-Token')
        if not token or token != WEBHOOK_TOKEN:
            return jsonify({"status": "error", "message": "Unauthorized"}), 401
    # ... reconstruct MIME message, pipe to ns8-sendmail ...

Full script will be published on GitHub.

4. systemd service

ini

[Unit]
Description=Mail Distributor Webhook for Maileroo
After=network.target

[Service]
Type=simple
User=mail-distributor
Group=mail-distributor
EnvironmentFile=/etc/mail-distributor/env
ExecStart=/usr/bin/python3 /opt/mail-distributor/webhook_server.py
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Firewall port 8080 is open, and the service runs without root.

Specific questions to the community

  1. Is this provisional solution viable for production given the ISP restrictions (no PTR, blocked inbound ports)? Could it cause hidden issues (e.g., mail loops, spam classification)?

  2. What security vulnerabilities do you see? I’m especially concerned about the sudo + runagent approach and the exposure of port 8080.

  3. Would you recommend a different architecture (e.g., using fetchmail, or a lightweight MTA like smtpd inside a separate container)?

  4. Has anyone successfully packaged a similar solution as an NS8 module? Any pointers on where to start?

  5. Any advice on making the webhook more robust (rate limiting, queueing, logging)?

Future plans

  • Publish the complete code on GitHub (MIT/GPL).

  • Investigate how to turn it into an official NethServer 8 app (so other users with ISP restrictions can simply install it from the software center).

  • Add HTTPS support via Let’s Encrypt (reverse proxy) to secure the webhook endpoint.

I am aware that this is not a traditional mail setup, but it is the only way I can receive email with my current ISP. Any help, review, or encouragement would be deeply appreciated.

Thank you for your understanding and support.

Feel free to ask for logs or more details. I will respond as quickly as I can.

Files .md

1 Like
2

You could use Imapsync with the INBOX only option as explained in the docs. In this case spam checking doesn’t work but maybe it could be done by maileroo.

Alternatively you could use fetchmail.

This way you won’t need an open port or another user/script.

1 Like