Homebox features
System features
Runs on Debian
Runs on a standard Debian Bookworm using packages from the main section only, without any third-party packages or binary files. Only one optional feature can be installed from a third-party repository, and it still receives security updates.
Strong TLS encryption
All the certificates are automatically generated using Let's Encrypt and the safer DNS challenge. The sites automatically achieve an A+ grade, with HSTS implemented to prevent man-in-the-middle traffic interception.
Modern DNS server
A DNS server is implemented with state-of-the-art features. Thanks to DNSSEC, each record is signed using a public key infrastructure. CAA records certify the origin of your certificates, preventing any organisation other than Let's Encrypt from creating certificates.
SSH fingerprint records
To prevent man-in-the-middle attacks on SSH connections, the public keys are published on the DNS server using SSHFP records, also known as SSH fingerprints. This also allows you to establish SSH connections without having to manage a known_hosts file.
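As an added illustration (not Homebox's own code), this Python sketch derives the SSHFP record for an OpenSSH public key line and checks it against the published records. The hostname and the sample key are constructed for the example.

```python
import base64
import hashlib
import struct

# Key-type name -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SHA256_FP_TYPE = 2  # SSHFP fingerprint type 2 = SHA-256


def sshfp_record(hostname, pubkey_line):
    """Build the SSHFP record for one line of an OpenSSH .pub file."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line is corrupt or was edited by hand.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    digest = hashlib.sha256(blob).hexdigest()
    return f"{hostname}. IN SSHFP {SSHFP_ALGORITHMS[key_type]} {SHA256_FP_TYPE} {digest}"


def matches_published(hostname, pubkey_line, published_records):
    """True if the key offered by the host has a matching published record."""
    expected = sshfp_record(hostname, pubkey_line).lower().split()
    return any(r.lower().split() == expected for r in published_records)


def constructed_ed25519_line(raw_key):
    """Constructed sample only: wrap 32 raw bytes in the ssh-ed25519 wire format."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw_key)) + raw_key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = constructed_ed25519_line(bytes(range(32)))  # constructed key material
    record = sshfp_record("homebox.example", line)     # hypothetical hostname
    print(record)
    print(matches_published("homebox.example", line, [record]))
```

OpenSSH clients consult such records when the VerifyHostKeyDNS option is enabled. The answer is only trustworthy when it has been DNSSEC-validated.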
Single authentication source
Users are authenticated using the good and reliable OpenLDAP directory as a single source. The initial passwords are automatically generated, and password policies and maximum age are enforced. Finally, users are able to easily change their password using the very simple web interface.
Integrated backup
The system comes with Borg backup, configured to back up emails, as well as calendars and contacts, for all the users. Multiple backup destinations can be specified, with multiple frequencies as well. The targets can be a physically attached disk mounted in a directory, or a remote system, using Samba or SFTP.
Security features
AppArmor enforcing
All services run under dedicated AppArmor enforced profiles. This proactively protects the operating system and applications from external or internal threats, even zero-day attacks. It enforces good behaviour and prevents both known and unknown application flaws from being exploited.
Automatic updates
Both standard and security updates are automatically installed using the standard Debian method. The services are automatically restarted when required, minimising maintenance and increasing security. The system can also be configured to reboot automatically.
Strong Firewall
Both inbound and outbound connections are filtered. For outbound connections, only the necessary traffic is allowed, and a proxy whitelist restricts the traffic to what is strictly necessary. Finally, authentication failures automatically ban IP addresses.
Wireguard VPN
You can install a WireGuard VPN server that automatically creates multiple configurations for each user. The VPN can be used for all the traffic, or restricted to access to the server.
Communication and personal information management
Calendar and contacts
You can access your emails, calendars and contacts using a computer, a mobile phone, or a web browser, thanks to the nice and responsive web interface implemented by SOGo. For additional security, an optional second-factor authentication can be added, using the TOTP standard.
Email settings detection
Special DNS records and web settings are generated, allowing any modern email client to detect settings. This works with desktop clients like Thunderbird, Evolution, Outlook, etc., and mobile clients like K-9 Mail or FairEmail.
Modern antispam
The antispam chosen is rspamd, which is both powerful and extremely simple to use. Emails recognised as junk are automatically placed into the Junk folder upon reception. For missed spam emails, moving them into the Junk folder automatically trains the system. Conversely, moving an email out of the Junk folder marks the email as valid, aka ham.
Optional antivirus
You can use the excellent ClamAV antivirus to scan incoming emails, as well as the ones sent by the users. Incoming emails with viruses can be silently dropped or rejected, while outgoing emails with viruses are bounced.
Advanced mail features
The server comes with advanced features, some of them included by default, some of them optional. Included by default are quotas, server-side filters, privacy controls and automatic copy to the sent folder. The optional ones are, for instance, virtual folders, full text search, master user, etc.
Jabber server
You can also install a Jabber server, which allows you to send messages to anyone using Jabber, on the same server or on other domains. The server supports audio and video calls from mobile phones. Messages can be encrypted using OMEMO or GPG as well, if your client supports it.
Other features
Personal file storage
The users are allowed to store and backup their personal files, from a computer or from a phone. The protocol used is WebDAV, and the authentication relies on the standard LDAP server.
Full IPv6 support
Fully supports IPv4 alone, IPv6 alone, or even a mix of both. The system creates and maintains all the DNS records automatically.
Default site
Generates a default site skeleton for your domain. This lets you focus on your site content without having to handle certificate management or nginx configuration.
Monitoring and alerting
Optional monitoring using Prometheus and pre-configured Grafana dashboards for each major service. Alerts are sent both by email to an external email address and by Jabber.
More details here: Monitoring / Alerting
GPG Web keys directory
If you are using GPG, Homebox can automatically publish your public key using a web key directory. Your contacts will be able to find and import your public key automatically, and send you encrypted emails more easily.
Personal git server
Users can install a personal git server, with a dedicated space to store personal projects or dotfiles. The server is secure and minimalist: it is only accessible via SSH, with no web frontend.
Dual storage support
The solution supports two different locations. The first one is dedicated to day-to-day emails, calendars and contacts, perhaps a fast storage. The second one is dedicated to email archives, and the shared files. This helps you to minimise the storage costs.
Development features
Modules on-demand
Most features can be independently installed and uninstalled, without breaking the system. For instance, the antivirus can be installed for testing, and then uninstalled.
Developer friendly
One dedicated role deploys useful tools for diagnostic and development purposes. Each role supports development and debug flags, which generate a specific or just more verbose logging configuration.
Code quality
To ensure code quality, each role is checked through ansible-lint before each push, using git hooks. Any shell script deployed on the server is checked using shellcheck as well, to ensure it contains no errors.