Homebox features

System features

Runs on Debian

Runs on a standard Debian Bookworm, using only packages from the main section, with no third-party packages or binary files. A single optional feature can be installed from a third-party repository, and it still receives security updates.

Strong TLS encryption

All certificates are generated automatically using Let's Encrypt with the DNS challenge (DNS-01), which is safer because it does not require exposing a validation endpoint over HTTP. The sites are configured to reach grade A+, with HSTS enabled so that browsers refuse to fall back to plain HTTP, which defeats SSL-stripping man-in-the-middle attacks.

💡 More details here

Modern DNS server

The DNS server is configured with current security features. With DNSSEC, every record is signed, so validating resolvers can detect forged answers. CAA records restrict certificate issuance to Let's Encrypt: publicly trusted CAs must check CAA before issuing, so no other CA will issue certificates for your domain.

SSH fingerprint records

To prevent man-in-the-middle attacks on SSH connections, fingerprints of the host public keys are published in DNS as SSHFP records. Because the zone is signed with DNSSEC, an SSH client using a validating resolver and the VerifyHostKeyDNS option can check the server's host key against these records, so you no longer need to manage known_hosts entries by hand.
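As an added illustration of the two DNS mechanisms above (this is example code, not Homebox's own), the block below builds SSHFP records from an OpenSSH public key line and performs the client-side match, then evaluates CAA issuance rules the way a CA must. The host key bytes are constructed, not a real key, and the record syntax follows RFC 4255 (SSHFP) and RFC 8659 (CAA).

```python
"""Added example, not Homebox's own code: build and check SSHFP records
(RFC 4255, Ed25519 number from RFC 7479) and evaluate CAA issuance rules
(RFC 8659). The key material below is constructed, not a real host key."""
import base64
import hashlib
import struct

# SSHFP algorithm numbers, keyed by the OpenSSH key type string.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_SHA1, SSHFP_SHA256 = 1, 2  # fingerprint types; prefer SHA-256


def _fingerprint(pubkey_line, fp_type):
    """Hash the raw (base64-decoded) key blob, which is what SSHFP covers."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob) if fp_type == SSHFP_SHA256 else hashlib.sha1(blob)
    return SSHFP_ALGORITHMS[key_type], digest.hexdigest()


def sshfp_record(hostname, pubkey_line, fp_type=SSHFP_SHA256):
    """Zone-file SSHFP record for one line of /etc/ssh/ssh_host_*_key.pub."""
    algorithm, fp = _fingerprint(pubkey_line, fp_type)
    return f"{hostname}. IN SSHFP {algorithm} {fp_type} {fp}"


def sshfp_matches(record, pubkey_line):
    """Client-side check: does the host key offered by the server match the
    published record? Works on zone lines and on dig output (last 3 fields)."""
    fields = record.split()
    algorithm, fp_type, published = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    key_type = pubkey_line.split()[0]
    if SSHFP_ALGORITHMS.get(key_type) != algorithm or fp_type not in (SSHFP_SHA1, SSHFP_SHA256):
        return False
    return _fingerprint(pubkey_line, fp_type)[1] == published


def make_ed25519_pubkey_line(raw32):
    """Wrap 32 bytes in OpenSSH's 'ssh-ed25519 AAAA...' wire format.
    Only used here to build sample input; the bytes are not a real key."""
    kt = b"ssh-ed25519"
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def caa_allows_issuance(records, ca_domain, wildcard=False):
    """Decide, as a CA must, whether ca_domain may issue for a name whose
    relevant CAA RRset is `records` (a list of (flags, tag, value) tuples).
    - no records, or no issue/issuewild property: issuance is not restricted
    - issuewild overrides issue for wildcard names
    - an empty issuer (value ";") forbids every CA
    - an unknown tag with the critical flag (128) set forces refusal"""
    for flags, tag, _ in records:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True
    for value in applicable:
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    key = make_ed25519_pubkey_line(bytes(range(32)))
    print(sshfp_record("mail.example.com", key))
    zone = [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")]
    print(caa_allows_issuance(zone, "letsencrypt.org"),
          caa_allows_issuance(zone, "letsencrypt.org", wildcard=True))
```

Note that SSHFP only helps when the client actually validates DNSSEC: OpenSSH trusts the record only if the resolver returns it with the AD flag set, so a stub resolver that does not validate makes VerifyHostKeyDNS fall back to the usual known_hosts prompt.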

Single authentication source

Users are authenticated against a single source: the well-established OpenLDAP directory. Initial passwords are generated automatically, and password policies and a maximum password age are enforced. Finally, users can change their password through a simple web interface.

Integrated backup

The system comes with Borg backup, configured to back up emails, as well as calendars and contacts, for all users. Multiple backup destinations can be specified, each with its own frequency. A target can be a locally attached disk mounted in a directory, or a remote system reached over Samba or SFTP.

Security features

AppArmor enforcing

All services run under dedicated AppArmor profiles in enforce mode. Each profile confines its service to the files, network access and capabilities it needs, so an exploited flaw, whether already known or not, is limited in what it can reach on the system.

Automatic updates

Both standard and security updates are installed automatically using the standard Debian mechanism. Services are restarted when required, minimising maintenance and keeping the system patched. The system can also be configured to reboot automatically when an update requires it.

Strong Firewall

Both inbound and outbound connections are filtered. For outbound connections, only the necessary traffic is allowed, and a proxy whitelist restricts web access to the hosts that are strictly needed. Finally, IP addresses with repeated authentication failures are automatically banned.
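The automatic banning works by correlating authentication failures per source address inside a time window. The block below is an added example of that logic, not Homebox's code or fail2ban's: the regexes, the thresholds (5 failures in 10 minutes, 1 hour ban) and the log lines are constructed to mirror what sshd, Postfix and Dovecot typically log on such a host.

```python
"""Added example, not Homebox's own code: the ban logic behind "authentication
failures automatically ban IP addresses", run over constructed log lines.
Patterns, thresholds and sample log are assumptions modelled on typical fail2ban filters."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One regex per exposed service; each must capture the client address as `ip`.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+)"),
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed"),
    re.compile(r"dovecot: (?:imap|pop3)-login: Disconnected .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
]


class BanTracker:
    def __init__(self, maxretry=5, findtime=600, bantime=3600,
                 ignore=("127.0.0.0/8", "::1/128")):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n) for n in ignore]  # never ban these
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside findtime
        self.banned_until = {}              # ip -> ban expiry

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]  # ban expired
            return False
        return True

    def feed(self, line):
        """Process one log line 'YYYY-MM-DDTHH:MM:SS host message...'.
        Returns the IP if this line triggered a new ban, else None."""
        stamp, _, rest = line.partition(" ")
        now = datetime.fromisoformat(stamp)
        for pattern in FAILURE_PATTERNS:
            match = pattern.search(rest)
            if match:
                break
        else:
            return None
        ip = match.group("ip")
        if self._ignored(ip) or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            window.clear()
            return ip
        return None

    def nft_commands(self, set_name="banned"):
        """nftables commands to enforce current bans; the table/set names are assumed."""
        return [f"nft add element inet filter {set_name} {{ {ip} }}"
                for ip in sorted(self.banned_until)]


# Constructed sample log (TEST-NET addresses), ISO timestamps as in `journalctl -o short-iso`.
SAMPLE_LOG = """\
2024-03-03T10:15:01 mail sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-03T10:15:03 mail sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
2024-03-03T10:15:09 mail postfix/smtpd[2150]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
2024-03-03T10:15:12 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.10
2024-03-03T10:15:20 mail sshd[2109]: Failed password for root from 203.0.113.7 port 51044 ssh2
2024-03-03T10:16:00 mail sshd[2120]: Failed password for root from 198.51.100.4 port 40100 ssh2
2024-03-03T10:16:01 mail sshd[2121]: Failed password for bob from 127.0.0.1 port 40101 ssh2
2024-03-03T10:30:00 mail sshd[2200]: Failed password for root from 198.51.100.4 port 40102 ssh2
"""


def run(log=SAMPLE_LOG):
    """Feed the log through a tracker; returns (tracker, list of newly banned IPs)."""
    tracker = BanTracker()
    newly = [ip for ip in (tracker.feed(l) for l in log.splitlines() if l.strip()) if ip]
    return tracker, newly


if __name__ == "__main__":
    tracker, newly = run()
    print("banned:", newly)
    print("\n".join(tracker.nft_commands()))
```

The failures are counted across services, so an attacker rotating between SSH, SMTP AUTH and IMAP from one address is banned just as fast as one hammering a single port. The allowlist is what keeps a misconfigured local client from banning the host's own loopback address.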

Communication and personal information management

Calendar and contacts

You can access your emails, calendars and contacts from a computer, a mobile phone, or a web browser thanks to the responsive web interface implemented by SOGo. For additional security, an optional second authentication factor can be enabled, based on the TOTP standard.

💡 More details here
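To make the TOTP second factor concrete, here is an added example (not SOGo's or Homebox's code) of the algorithm a server runs when it checks the six-digit code: HOTP (RFC 4226) over a time counter (RFC 6238), with a drift window and a constant-time comparison. It uses the RFC 6238 test secret, so the values can be checked against the RFC's own table.

```python
"""Added example, not SOGo's or Homebox's code: the TOTP algorithm (RFC 6238 on
top of HOTP, RFC 4226) that a second-factor login checks. Uses the RFC 6238
SHA-1 test secret "12345678901234567890" so results match the RFC's vectors."""
import base64
import hashlib
import hmac
import struct

RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of the RFC's ASCII secret
SECRET = base64.b32decode(RFC6238_SECRET_B32)


def hotp(secret, counter, digits=6):
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP is HOTP with the counter set to floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret_b32, code, unix_time, window=1, step=30, digits=6):
    """Accept the code for the current step and `window` steps either side to
    tolerate clock drift, comparing in constant time. Returns the counter that
    matched (so the caller can refuse a second login with the same counter,
    which blocks replay inside the window), or None on failure."""
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = int(unix_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), str(code)):
            return counter + delta
    return None


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(SECRET, t))
    print(verify_totp(RFC6238_SECRET_B32, "287082", 89))
```

Two practical points follow from the code: the secret must be stored server-side as carefully as a password hash cannot be, because it is the raw key, and the window should stay small (one step either side) since every extra step doubles the number of codes an attacker can guess against.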

Email settings detection

Special DNS records and web settings are generated so that any modern email client can detect the settings. This works with desktop clients such as Thunderbird, Evolution and Outlook, and with mobile clients such as K-9 Mail or FairEmail.

💡 More details here

Modern antispam

The antispam chosen is rspamd, which is both powerful and simple to use. Emails recognised as junk are placed in the Junk folder on reception. If a spam email is missed, moving it into the Junk folder automatically trains the filter. Conversely, moving an email out of the Junk folder marks it as valid, aka ham.

💡 More details here

Optional antivirus

You can use the ClamAV antivirus to scan incoming emails as well as those sent by your users. Incoming emails carrying a virus can be silently dropped or rejected, while outgoing ones are bounced back to the sender.

Advanced mail features

The server comes with advanced features, some included by default and some optional. Included by default are quotas, server-side filters, privacy controls and automatic copying to the Sent folder. Optional features include virtual folders, full-text search, a master user, and more.

💡 More details here

Jabber server

You can also install a Jabber (XMPP) server, which lets you exchange messages with anyone using Jabber, on the same server or on other domains. The server supports audio and video calls from mobile phones. Messages can be end-to-end encrypted with OMEMO or GPG as well, if your client supports it.

💡 More details here

Other features

Personal file storage

Users can store and back up their personal files from a computer or a phone. The protocol used is WebDAV, and authentication relies on the same LDAP server.

💡 More details here

Full IPv6 support

Fully supports IPv4 alone, IPv6 alone, or a mix of both. The system creates and maintains all the DNS records automatically.

Default site

Generates a default site skeleton for your domain. This lets you focus on your site content without having to handle certificate management or nginx configuration.

Monitoring and alerting

Optional monitoring using Prometheus, with pre-configured Grafana dashboards for each major service. Alerts are sent by email to an external address and over Jabber as well.

💡 More details here: Monitoring / Alerting

GPG Web keys directory

If you use GPG, Homebox can automatically publish your public key through a Web Key Directory (WKD). Your contacts' mail clients can then find and import your public key automatically, making it easier to send you encrypted emails.

💡 More details here.
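How does a contact's client find the key? As an added example (not Homebox's code), the block below derives the Web Key Directory lookup URLs the way the WKD draft (draft-koch-openpgp-webkey-service) specifies: SHA-1 of the lower-cased local part, z-base-32 encoded, under `.well-known/openpgpkey`. The address `Joe.Doe@Example.ORG` is the draft's own example; the web root used for the publish path is an assumption.

```python
"""Added example, not Homebox's own code: how a client derives the Web Key
Directory (WKD) URL for an address, per draft-koch-openpgp-webkey-service.
Shows both the direct and the advanced method."""
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data):
    """z-base-32: 5-bit groups, most significant bits first, no padding characters."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(ZBASE32[(value >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(address):
    """SHA-1 of the lower-cased local part, z-base-32 encoded: always 32 characters."""
    local = address.rsplit("@", 1)[0].lower()
    return zbase32_encode(hashlib.sha1(local.encode("utf-8")).digest())


def wkd_urls(address):
    """Return (advanced, direct) lookup URLs. Clients try the advanced method
    (openpgpkey.<domain> subdomain) first and fall back to the direct one.
    The l= parameter carries the local part as written, not lower-cased."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(address)
    l = quote(local, safe="")
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}"
    return advanced, direct


def wkd_publish_path(address, webroot="/var/www/html"):
    """Where the server must place the binary (not ASCII-armoured) public key
    for the direct method. The webroot is an assumption for this example."""
    return f"{webroot}/.well-known/openpgpkey/hu/{wkd_hash(address)}"


if __name__ == "__main__":
    print(wkd_hash("Joe.Doe@Example.ORG"))
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
    print(wkd_publish_path("Joe.Doe@Example.ORG"))
```

Because the lookup is over HTTPS, the trust in a key fetched this way rests on the site's certificate, which is exactly why the Let's Encrypt automation and CAA records described earlier matter for WKD as well.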

Dual storage support

The solution supports two different storage locations. The first is dedicated to day-to-day emails, calendars and contacts, typically on fast storage. The second is dedicated to email archives and shared files. This helps you minimise storage costs.

Development features

Modules on-demand

Most features can be independently installed and uninstalled without breaking the system. For instance, the antivirus can be installed for testing, then uninstalled.

Developer friendly

One dedicated role deploys useful tools for diagnostic and development purposes. Each role supports development and debug flags that generate specific, or simply more verbose, logging configuration.

Code quality

To ensure code quality, each role is checked with ansible-lint before every push, using git hooks. Any shell script deployed on the server is checked with shellcheck as well, to ensure it contains no errors.