Fresh snap install is sending notification emails from a third-party provider

So, I made a fresh, official installation of nextcloud 17.0.3 via snap, then opened an http port, ran installation wizard, enabled https and voila. It’s working.

But as soon as I made a new user, I received an email from a third-party provider, telling me that my account has been created, and for all other similar matters, like changing passwords etc. I allowed for the possibility that my installation got hacked, and re-installed the service, only to face the same confusion. This only happens when https is enabled. I checked the logs, and nothing at all important comes up.

Is this my security issue or a nextcloud installation feature? Any advice would be warmly appreciated.

that sounds a bit too theoretical…

a few questions for you: where did you get your “official” snap from?
how did you install it exactly?
what exactly does this email tell you? who exactly was sending it?

as soon as https comes into play you’d need certificates… even a self-signed one or - better - an official one (say by letsencrypt)

toots

$ apt install snapd
$ snap install nextcloud
$ snap list

Name          Version      Rev    Tracking  Publisher       Notes
nextcloud     17.0.3snap1  19299  stable    nextcloud✓      -

$ snap set nextcloud ports.http=8080 ports.https=8443

Then I changed datadirectory in autoconfig, ran installation wizard at :8080 and used nextcloud.enable-https letsencrypt to generate an ssl certificate. A haproxy :443 frontend entry is made to match the domain by SNI and send tcp packets to another machine at port :8443.

The email was sent from dsc935@physicsfoundation.org and the contents of the letter are plain HTML:

https://pastebin.com/QL4MGauT

If you can trigger a password reset on your system and you get the password reset email from this other system, I think it’s safe to assume there must be some connection and not a hack.

For the record, this would not be considered normal behavior for the snap or any other installation.

Do you know this domain it’s coming from? Check the email header and see if you can verify whether your system sent it. Do you have your NC configured to send email through another system that could be overwriting the sender domain?
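The header check suggested above, as an added example that is not part of the original thread: it walks the Received chain of a saved message, oldest hop first, and reports whether the originating host is one of your own. The sample message and every host name and address in it are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all hosts, addresses and ids are placeholders.
SAMPLE = """\
Return-Path: <notify@thirdparty.example>
Received: from relay.thirdparty.example (relay.thirdparty.example [203.0.113.7])
\tby mx.mailbox.example with ESMTPS id abc123; Tue, 07 Jan 2020 10:00:03 +0000
Received: from cloud.example.net (cloud.example.net [198.51.100.20])
\tby relay.thirdparty.example with ESMTPSA id def456; Tue, 07 Jan 2020 10:00:01 +0000
From: Nextcloud <notify@thirdparty.example>
To: admin@example.net
Subject: Your account was created
Message-ID: <20200107100001.1@cloud.example.net>

Welcome.
"""

# "from <host> ... by <host>" inside one (possibly folded) Received header.
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(msg):
    """Return (from_host, by_host) per hop, oldest hop first.
    Each relay prepends its header, so the last header is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    return hops

def trace_origin(raw, own_hosts):
    """Summarise where a message entered the mail system.
    Hops older than the first relay you trust can be forged by the sender."""
    msg = message_from_string(raw)
    hops = received_chain(msg)
    origin = hops[0][0] if hops else None
    return {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
        "origin_host": origin,
        "first_relay": hops[0][1] if hops else None,
        "sent_by_own_host": origin in own_hosts,
        "hops": hops,
    }

if __name__ == "__main__":
    for key, value in trace_origin(SAMPLE, {"cloud.example.net"}).items():
        print(f"{key}: {value}")
```

A result where `sent_by_own_host` is true but `from_domain` and `first_relay` belong to someone else means the server is handing its mail to that relay, which points at the mail configuration rather than at an outside sender.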

Yes, password reset does work. And as much as I can read email headers, it originates from my nextcloud service. I am not familiar with this domain (physicsfoundation), though.

My NC isn’t configured at all, though it works behind a load balancer that is on another machine.

Edit: issue at nextcloud/nextcloud-snap