From e20f50fafc314174a0c8a18c0756b4c6626ada34 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 17 Sep 2017 14:38:05 +0200
Subject: [PATCH 01/84] [Web] Fix spacing

---
 data/web/admin.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/data/web/admin.php b/data/web/admin.php
index 714a31d2..1a84d410 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -149,10 +149,10 @@ $tfa_data = get_tfa();
             <div class="row">
               <div class="col-xs-1"><input type="checkbox" data-id="dkim" name="multi_select" value="<?=$domain;?>" /></div>
               <div class="col-xs-2">
-                <p>Domain: <strong><?=htmlspecialchars($domain);?></strong><br />
-                  <span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
-                  <span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
-                  <span class="label label-info"><?=$dkim['length'];?> bit</span>
+                <p>Domain: <strong><?=htmlspecialchars($domain);?></strong>
+                  <p><span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span></p>
+                  <p><span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span></p>
+                  <p><span class="label label-info"><?=$dkim['length'];?> bit</span></p>
                 </p>
               </div>
               <div class="col-xs-9">
@@ -179,10 +179,10 @@ $tfa_data = get_tfa();
               <div class="row">
               <div class="col-xs-1"><input type="checkbox" data-id="dkim" name="multi_select" value="<?=$alias_domain;?>" /></div>
                 <div class="col-xs-1 col-xs-offset-1">
-                  <p><small>↳ Alias-Domain: <strong><?=htmlspecialchars($alias_domain);?></strong><br /></small>
-                    <span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span>
-                    <span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
-                    <span class="label label-info"><?=$dkim['length'];?> bit</span>
+                  <p><small>↳ Alias-Domain: <strong><?=htmlspecialchars($alias_domain);?></strong></small>
+                    <p><span class="label label-success"><?=$lang['admin']['dkim_key_valid'];?></span></p>
+                    <p><span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span></p>
+                    <p><span class="label label-info"><?=$dkim['length'];?> bit</span></p>
                 </p>
                 </div>
                 <div class="col-xs-9">
@@ -211,10 +211,10 @@ $tfa_data = get_tfa();
             <div class="row">
               <div class="col-xs-1"><input type="checkbox" data-id="dkim" name="multi_select" value="<?=$blind;?>" /></div>
               <div class="col-xs-2">
-                <p>Domain: <strong><?=htmlspecialchars($blind);?></strong><br />
-                  <span class="label label-warning"><?=$lang['admin']['dkim_key_unused'];?></span>
-                  <span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span>
-                  <span class="label label-info"><?=$dkim['length'];?> bit</span>
+                <p>Domain: <strong><?=htmlspecialchars($blind);?></strong>
+                  <p><span class="label label-warning"><?=$lang['admin']['dkim_key_unused'];?></span></p>
+                  <p><span class="label label-primary">Selector '<?=$dkim['dkim_selector'];?>'</span></p>
+                  <p><span class="label label-info"><?=$dkim['length'];?> bit</span></p>
                 </p>
                 </div>
                 <div class="col-xs-9">

From e07f84d0f0d3fe800b341581322ec619b072e80d Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 17 Sep 2017 14:39:10 +0200
Subject: [PATCH 02/84] [Web] Update phpmailer, always use correct path for
 vars.inc.php

---
 data/web/inc/lib/composer.lock                |  11 +-
 .../inc/lib/vendor/composer/installed.json    |  13 +-
 .../phpmailer/.github/ISSUE_TEMPLATE.md       |   1 +
 .../.github/PULL_REQUEST_TEMPLATE.md          |   1 +
 .../lib/vendor/phpmailer/phpmailer/VERSION    |   2 +-
 .../phpmailer/phpmailer/class.phpmailer.php   |  23 +--
 .../vendor/phpmailer/phpmailer/class.pop3.php |   2 +-
 .../vendor/phpmailer/phpmailer/class.smtp.php |  65 +++++---
 .../vendor/phpmailer/phpmailer/composer.json  |   1 +
 .../phpmailer/examples/code_generator.phps    | 141 +++++++++---------
 .../phpmailer/phpmailer/examples/gmail.phps   |  24 +++
 .../phpmailer/examples/gmail_xoauth.phps      |   4 +-
 .../phpmailer/phpmailer/extras/README.md      |   8 +-
 .../phpmailer/language/phpmailer.lang-ba.php  |  26 ++++
 .../phpmailer/language/phpmailer.lang-nb.php  |  32 ++--
 .../language/phpmailer.lang-pt_br.php         |   3 +-
 ...iler.lang-sr.php => phpmailer.lang-rs.php} |   2 +-
 .../phpmailer/language/phpmailer.lang-tr.php  |   3 +-
 .../language/phpmailer.lang-zh_cn.php         |   7 +-
 data/web/inc/prerequisites.inc.php            |   2 +-
 20 files changed, 232 insertions(+), 139 deletions(-)
 create mode 100644 data/web/inc/lib/vendor/phpmailer/phpmailer/.github/ISSUE_TEMPLATE.md
 create mode 100644 data/web/inc/lib/vendor/phpmailer/phpmailer/.github/PULL_REQUEST_TEMPLATE.md
 create mode 100644 data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-ba.php
 rename data/web/inc/lib/vendor/phpmailer/phpmailer/language/{phpmailer.lang-sr.php => phpmailer.lang-rs.php} (96%)

diff --git a/data/web/inc/lib/composer.lock b/data/web/inc/lib/composer.lock
index b8f2c262..7199acc9 100644
--- a/data/web/inc/lib/composer.lock
+++ b/data/web/inc/lib/composer.lock
@@ -8,19 +8,20 @@
     "packages": [
         {
             "name": "phpmailer/phpmailer",
-            "version": "v5.2.23",
+            "version": "v5.2.25",
             "source": {
                 "type": "git",
                 "url": "https://github.com/PHPMailer/PHPMailer.git",
-                "reference": "7115df4a6f76281109ebe352900c42403b728bb4"
+                "reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/7115df4a6f76281109ebe352900c42403b728bb4",
-                "reference": "7115df4a6f76281109ebe352900c42403b728bb4",
+                "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/2baf20b01690fba8cf720c1ebcf9b988eda50915",
+                "reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915",
                 "shasum": ""
             },
             "require": {
+                "ext-ctype": "*",
                 "php": ">=5.0.0"
             },
             "require-dev": {
@@ -80,7 +81,7 @@
                 }
             ],
             "description": "PHPMailer is a full-featured email creation and transfer class for PHP",
-            "time": "2017-03-15T19:32:56+00:00"
+            "time": "2017-08-28T11:12:07+00:00"
         },
         {
             "name": "robthree/twofactorauth",
diff --git a/data/web/inc/lib/vendor/composer/installed.json b/data/web/inc/lib/vendor/composer/installed.json
index 25c6c914..790d0662 100644
--- a/data/web/inc/lib/vendor/composer/installed.json
+++ b/data/web/inc/lib/vendor/composer/installed.json
@@ -91,20 +91,21 @@
     },
     {
         "name": "phpmailer/phpmailer",
-        "version": "v5.2.23",
-        "version_normalized": "5.2.23.0",
+        "version": "v5.2.25",
+        "version_normalized": "5.2.25.0",
         "source": {
             "type": "git",
             "url": "https://github.com/PHPMailer/PHPMailer.git",
-            "reference": "7115df4a6f76281109ebe352900c42403b728bb4"
+            "reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915"
         },
         "dist": {
             "type": "zip",
-            "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/7115df4a6f76281109ebe352900c42403b728bb4",
-            "reference": "7115df4a6f76281109ebe352900c42403b728bb4",
+            "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/2baf20b01690fba8cf720c1ebcf9b988eda50915",
+            "reference": "2baf20b01690fba8cf720c1ebcf9b988eda50915",
             "shasum": ""
         },
         "require": {
+            "ext-ctype": "*",
             "php": ">=5.0.0"
         },
         "require-dev": {
@@ -130,7 +131,7 @@
         "suggest": {
             "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
         },
-        "time": "2017-03-15T19:32:56+00:00",
+        "time": "2017-08-28T11:12:07+00:00",
         "type": "library",
         "installation-source": "dist",
         "autoload": {
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/ISSUE_TEMPLATE.md b/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/ISSUE_TEMPLATE.md
new file mode 100644
index 00000000..97776f1c
--- /dev/null
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/ISSUE_TEMPLATE.md
@@ -0,0 +1 @@
+Non-security issues and pull requests are no longer being accepted for the legacy PHPMailer 5.2 branch. Migrate to PHPMailer 6.0 (or later) and report your issue there.
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/PULL_REQUEST_TEMPLATE.md b/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/PULL_REQUEST_TEMPLATE.md
new file mode 100644
index 00000000..97776f1c
--- /dev/null
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/.github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1 @@
+Non-security issues and pull requests are no longer being accepted for the legacy PHPMailer 5.2 branch. Migrate to PHPMailer 6.0 (or later) and report your issue there.
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION b/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION
index 3ace8b4b..f23b9706 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-5.2.23
+5.2.25
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.phpmailer.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
index 1b31ec14..8042b384 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
      * The PHPMailer Version number.
      * @var string
      */
-    public $Version = '5.2.23';
+    public $Version = '5.2.25';
 
     /**
      * Email priority.
@@ -440,9 +440,9 @@ class PHPMailer
      *
      * Parameters:
      *   boolean $result        result of the send action
-     *   string  $to            email address of the recipient
-     *   string  $cc            cc email addresses
-     *   string  $bcc           bcc email addresses
+     *   array   $to            email addresses of the recipients
+     *   array   $cc            cc email addresses
+     *   array   $bcc           bcc email addresses
      *   string  $subject       the subject
      *   string  $body          the email body
      *   string  $from          email address of sender
@@ -1622,8 +1622,13 @@ class PHPMailer
 
         foreach ($hosts as $hostentry) {
             $hostinfo = array();
-            if (!preg_match('/^((ssl|tls):\/\/)*([a-zA-Z0-9\.-]*):?([0-9]*)$/', trim($hostentry), $hostinfo)) {
+            if (!preg_match(
+                '/^((ssl|tls):\/\/)*([a-zA-Z0-9\.-]*|\[[a-fA-F0-9:]+\]):?([0-9]*)$/',
+                trim($hostentry),
+                $hostinfo
+            )) {
                 // Not a valid host entry
+                $this->edebug('Ignoring invalid host: ' . $hostentry);
                 continue;
             }
             // $hostinfo[2]: optional ssl or tls prefix
@@ -1742,6 +1747,7 @@ class PHPMailer
             'dk' => 'da',
             'no' => 'nb',
             'se' => 'sv',
+            'sr' => 'rs'
         );
 
         if (isset($renamed_langcodes[$langcode])) {
@@ -2024,10 +2030,7 @@ class PHPMailer
     {
         $result = '';
 
-        if ($this->MessageDate == '') {
-            $this->MessageDate = self::rfcDate();
-        }
-        $result .= $this->headerLine('Date', $this->MessageDate);
+        $result .= $this->headerLine('Date', $this->MessageDate == '' ? self::rfcDate() : $this->MessageDate);
 
         // To be created automatically by mail()
         if ($this->SingleTo) {
@@ -4033,7 +4036,7 @@ class phpmailerException extends Exception
      */
     public function errorMessage()
     {
-        $errorMsg = '<strong>' . $this->getMessage() . "</strong><br />\n";
+        $errorMsg = '<strong>' . htmlspecialchars($this->getMessage()) . "</strong><br />\n";
         return $errorMsg;
     }
 }
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.pop3.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.pop3.php
index c464f90c..f2c4e374 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.pop3.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
      * @var string
      * @access public
      */
-    public $Version = '5.2.23';
+    public $Version = '5.2.25';
 
     /**
      * Default POP3 port number.
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.smtp.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.smtp.php
index 01cee820..d8af427e 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/class.smtp.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
      * The PHPMailer SMTP version number.
      * @var string
      */
-    const VERSION = '5.2.23';
+    const VERSION = '5.2.25';
 
     /**
      * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
      * @deprecated Use the `VERSION` constant instead
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.23';
+    public $Version = '5.2.25';
 
     /**
      * SMTP server port number.
@@ -151,9 +151,8 @@ class SMTP
     public $Timelimit = 300;
 
     /**
-     * @var array patterns to extract smtp transaction id from smtp reply
-     * Only first capture group will be use, use non-capturing group to deal with it
-     * Extend this class to override this property to fulfil your needs.
+     * @var array Patterns to extract an SMTP transaction id from reply to a DATA command.
+     * The first capture group in each regex will be used as the ID.
      */
     protected $smtp_transaction_id_patterns = array(
         'exim' => '/[0-9]{3} OK id=(.*)/',
@@ -161,6 +160,12 @@ class SMTP
         'postfix' => '/[0-9]{3} 2.0.0 Ok: queued as (.*)/'
     );
 
+    /**
+     * @var string The last transaction ID issued in response to a DATA command,
+     * if one was detected
+     */
+    protected $last_smtp_transaction_id;
+
     /**
      * The socket for the server connection.
      * @var resource
@@ -227,7 +232,7 @@ class SMTP
                 break;
             case 'html':
                 //Cleans up output a bit for a better looking, HTML-safe output
-                echo htmlentities(
+                echo gmdate('Y-m-d H:i:s') . ' ' . htmlentities(
                     preg_replace('/[\r\n]+/', '', $str),
                     ENT_QUOTES,
                     'UTF-8'
@@ -709,6 +714,7 @@ class SMTP
         $savetimelimit = $this->Timelimit;
         $this->Timelimit = $this->Timelimit * 2;
         $result = $this->sendCommand('DATA END', '.', 250);
+        $this->recordLastTransactionID();
         //Restore timelimit
         $this->Timelimit = $savetimelimit;
         return $result;
@@ -989,7 +995,10 @@ class SMTP
     public function client_send($data)
     {
         $this->edebug("CLIENT -> SERVER: $data", self::DEBUG_CLIENT);
-        return fwrite($this->smtp_conn, $data);
+        set_error_handler(array($this, 'errorHandler'));
+        $result = fwrite($this->smtp_conn, $data);
+        restore_error_handler();
+        return $result;
     }
 
     /**
@@ -1089,8 +1098,10 @@ class SMTP
             $this->edebug("SMTP -> get_lines(): \$data is \"$data\"", self::DEBUG_LOWLEVEL);
             $this->edebug("SMTP -> get_lines(): \$str is  \"$str\"", self::DEBUG_LOWLEVEL);
             $data .= $str;
-            // If 4th character is a space, we are done reading, break the loop, micro-optimisation over strlen
-            if ((isset($str[3]) and $str[3] == ' ')) {
+            // If response is only 3 chars (not valid, but RFC5321 S4.2 says it must be handled),
+            // or 4th character is a space, we are done reading, break the loop,
+            // string array access is a micro-optimisation over strlen
+            if (!isset($str[3]) or (isset($str[3]) and $str[3] == ' ')) {
                 break;
             }
             // Timed-out? Log and break
@@ -1226,26 +1237,40 @@ class SMTP
     }
 
     /**
-     * Will return the ID of the last smtp transaction based on a list of patterns provided
-     * in SMTP::$smtp_transaction_id_patterns.
+     * Extract and return the ID of the last SMTP transaction based on
+     * a list of patterns provided in SMTP::$smtp_transaction_id_patterns.
+     * Relies on the host providing the ID in response to a DATA command.
      * If no reply has been received yet, it will return null.
-     * If no pattern has been matched, it will return false.
+     * If no pattern was matched, it will return false.
      * @return bool|null|string
      */
-    public function getLastTransactionID()
+    protected function recordLastTransactionID()
     {
         $reply = $this->getLastReply();
 
         if (empty($reply)) {
-            return null;
-        }
-
-        foreach ($this->smtp_transaction_id_patterns as $smtp_transaction_id_pattern) {
-            if (preg_match($smtp_transaction_id_pattern, $reply, $matches)) {
-                return $matches[1];
+            $this->last_smtp_transaction_id = null;
+        } else {
+            $this->last_smtp_transaction_id = false;
+            foreach ($this->smtp_transaction_id_patterns as $smtp_transaction_id_pattern) {
+                if (preg_match($smtp_transaction_id_pattern, $reply, $matches)) {
+                    $this->last_smtp_transaction_id = $matches[1];
+                }
             }
         }
 
-        return false;
+        return $this->last_smtp_transaction_id;
+    }
+
+    /**
+     * Get the queue/transaction ID of the last SMTP transaction
+     * If no reply has been received yet, it will return null.
+     * If no pattern was matched, it will return false.
+     * @return bool|null|string
+     * @see recordLastTransactionID()
+     */
+    public function getLastTransactionID()
+    {
+        return $this->last_smtp_transaction_id;
     }
 }
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json b/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json
index f3611470..a0ac2964 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json
@@ -20,6 +20,7 @@
         }
     ],
     "require": {
+        "ext-ctype": "*",
         "php": ">=5.0.0"
     },
     "require-dev": {
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/code_generator.phps b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/code_generator.phps
index 23458561..2182663d 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/code_generator.phps
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/code_generator.phps
@@ -58,46 +58,53 @@ class phpmailerAppException extends phpmailerException
 $example_code .= "\n\nclass phpmailerAppException extends phpmailerException {}";
 $example_code .= "\n\ntry {";
 
+// Convert a string to its JavaScript representation.
+function JSString($s) {
+  static $from = array("\\", "/", "\n", "\t", "\r", "\b", "\f", '"');
+  static $to = array('\\\\', '\\/', '\\n', '\\t', '\\r', '\\b', '\\f', '\\"');
+  return is_null($s)? 'null': '"' . str_replace($from, $to, "$s") . '"';
+}
+
 try {
     if (isset($_POST["submit"]) && $_POST['submit'] == "Submit") {
-        $to = $_POST['To_Email'];
+        $to = $to_email;
         if (!PHPMailer::validateAddress($to)) {
             throw new phpmailerAppException("Email address " . $to . " is invalid -- aborting!");
         }
 
-        $example_code .= "\n\$to = '{$_POST['To_Email']}';";
+        $example_code .= "\n\$to = '" . addslashes($to_email) . "';";
         $example_code .= "\nif(!PHPMailer::validateAddress(\$to)) {";
         $example_code .= "\n  throw new phpmailerAppException(\"Email address \" . " .
             "\$to . \" is invalid -- aborting!\");";
         $example_code .= "\n}";
 
-        switch ($_POST['test_type']) {
+        switch ($test_type) {
             case 'smtp':
                 $mail->isSMTP(); // telling the class to use SMTP
-                $mail->SMTPDebug = (integer)$_POST['smtp_debug'];
-                $mail->Host = $_POST['smtp_server']; // SMTP server
-                $mail->Port = (integer)$_POST['smtp_port']; // set the SMTP port
-                if ($_POST['smtp_secure']) {
-                    $mail->SMTPSecure = strtolower($_POST['smtp_secure']);
+                $mail->SMTPDebug = (integer)$smtp_debug;
+                $mail->Host = $smtp_server; // SMTP server
+                $mail->Port = (integer)$smtp_port; // set the SMTP port
+                if ($smtp_secure) {
+                    $mail->SMTPSecure = strtolower($smtp_secure);
                 }
                 $mail->SMTPAuth = array_key_exists('smtp_authenticate', $_POST); // enable SMTP authentication?
                 if (array_key_exists('smtp_authenticate', $_POST)) {
-                    $mail->Username = $_POST['authenticate_username']; // SMTP account username
-                    $mail->Password = $_POST['authenticate_password']; // SMTP account password
+                    $mail->Username = $authenticate_username; // SMTP account username
+                    $mail->Password = $authenticate_password; // SMTP account password
                 }
 
                 $example_code .= "\n\$mail->isSMTP();";
-                $example_code .= "\n\$mail->SMTPDebug  = " . $_POST['smtp_debug'] . ";";
-                $example_code .= "\n\$mail->Host       = \"" . $_POST['smtp_server'] . "\";";
-                $example_code .= "\n\$mail->Port       = \"" . $_POST['smtp_port'] . "\";";
-                $example_code .= "\n\$mail->SMTPSecure = \"" . strtolower($_POST['smtp_secure']) . "\";";
+                $example_code .= "\n\$mail->SMTPDebug  = " . (integer) $smtp_debug . ";";
+                $example_code .= "\n\$mail->Host       = \"" . addslashes($smtp_server) . "\";";
+                $example_code .= "\n\$mail->Port       = \"" . addslashes($smtp_port) . "\";";
+                $example_code .= "\n\$mail->SMTPSecure = \"" . addslashes(strtolower($smtp_secure)) . "\";";
                 $example_code .= "\n\$mail->SMTPAuth   = " . (array_key_exists(
                     'smtp_authenticate',
                     $_POST
                 ) ? 'true' : 'false') . ";";
                 if (array_key_exists('smtp_authenticate', $_POST)) {
-                    $example_code .= "\n\$mail->Username   = \"" . $_POST['authenticate_username'] . "\";";
-                    $example_code .= "\n\$mail->Password   = \"" . $_POST['authenticate_password'] . "\";";
+                    $example_code .= "\n\$mail->Username   = \"" . addslashes($authenticate_username) . "\";";
+                    $example_code .= "\n\$mail->Password   = \"" . addslashes($authenticate_password) . "\";";
                 }
                 break;
             case 'mail':
@@ -118,59 +125,59 @@ try {
 
         try {
             if ($_POST['From_Name'] != '') {
-                $mail->addReplyTo($_POST['From_Email'], $_POST['From_Name']);
-                $mail->setFrom($_POST['From_Email'], $_POST['From_Name']);
+                $mail->addReplyTo($from_email, $from_name);
+                $mail->setFrom($from_email, $from_name);
 
                 $example_code .= "\n\$mail->addReplyTo(\"" .
-                    $_POST['From_Email'] . "\", \"" . $_POST['From_Name'] . "\");";
+                    addslashes($from_email) . "\", \"" . addslashes($from_name) . "\");";
                 $example_code .= "\n\$mail->setFrom(\"" .
-                    $_POST['From_Email'] . "\", \"" . $_POST['From_Name'] . "\");";
+                    addslashes($from_email) . "\", \"" . addslashes($from_name) . "\");";
             } else {
-                $mail->addReplyTo($_POST['From_Email']);
-                $mail->setFrom($_POST['From_Email'], $_POST['From_Email']);
+                $mail->addReplyTo($from_email);
+                $mail->setFrom($from_email, $from_email);
 
-                $example_code .= "\n\$mail->addReplyTo(\"" . $_POST['From_Email'] . "\");";
+                $example_code .= "\n\$mail->addReplyTo(\"" . addslashes($from_email) . "\");";
                 $example_code .= "\n\$mail->setFrom(\"" .
-                    $_POST['From_Email'] . "\", \"" . $_POST['From_Email'] . "\");";
+                    addslashes($from_email) . "\", \"" . addslashes($from_email) . "\");";
             }
 
             if ($_POST['To_Name'] != '') {
-                $mail->addAddress($to, $_POST['To_Name']);
-                $example_code .= "\n\$mail->addAddress(\"$to\", \"" . $_POST['To_Name'] . "\");";
+                $mail->addAddress($to, $to_name);
+                $example_code .= "\n\$mail->addAddress(\"$to\", \"" . addslashes($to_name) . "\");";
             } else {
                 $mail->addAddress($to);
                 $example_code .= "\n\$mail->addAddress(\"$to\");";
             }
 
             if ($_POST['bcc_Email'] != '') {
-                $indiBCC = explode(" ", $_POST['bcc_Email']);
+                $indiBCC = explode(" ", $bcc_email);
                 foreach ($indiBCC as $key => $value) {
                     $mail->addBCC($value);
-                    $example_code .= "\n\$mail->addBCC(\"$value\");";
+                    $example_code .= "\n\$mail->addBCC(\"" . addslashes($value) . "\");";
                 }
             }
 
             if ($_POST['cc_Email'] != '') {
-                $indiCC = explode(" ", $_POST['cc_Email']);
+                $indiCC = explode(" ", $cc_Email);
                 foreach ($indiCC as $key => $value) {
                     $mail->addCC($value);
-                    $example_code .= "\n\$mail->addCC(\"$value\");";
+                    $example_code .= "\n\$mail->addCC(\"" . addslashes($value) . "\");";
                 }
             }
         } catch (phpmailerException $e) { //Catch all kinds of bad addressing
             throw new phpmailerAppException($e->getMessage());
         }
-        $mail->Subject = $_POST['Subject'] . ' (PHPMailer test using ' . strtoupper($_POST['test_type']) . ')';
-        $example_code .= "\n\$mail->Subject  = \"" . $_POST['Subject'] .
-            ' (PHPMailer test using ' . strtoupper($_POST['test_type']) . ')";';
+        $mail->Subject = $subject . ' (PHPMailer test using ' . strtoupper($test_type) . ')';
+        $example_code .= "\n\$mail->Subject  = \"" . addslashes($subject) .
+            ' (PHPMailer test using ' . addslashes(strtoupper($test_type)) . ')";';
 
         if ($_POST['Message'] == '') {
             $body = file_get_contents('contents.html');
         } else {
-            $body = $_POST['Message'];
+            $body = $message;
         }
 
-        $example_code .= "\n\$body = <<<'EOT'\n" . htmlentities($body) . "\nEOT;";
+        $example_code .= "\n\$body = <<<'EOT'\n$body\nEOT;";
 
         $mail->WordWrap = 78; // set word wrap to the RFC2822 limit
         $mail->msgHTML($body, dirname(__FILE__), true); //Create message bodies and embed images
@@ -187,7 +194,7 @@ try {
         $example_code .= "\n\ntry {";
         $example_code .= "\n  \$mail->send();";
         $example_code .= "\n  \$results_messages[] = \"Message has been sent using " .
-            strtoupper($_POST['test_type']) . "\";";
+            addslashes(strtoupper($test_type)) . "\";";
         $example_code .= "\n}";
         $example_code .= "\ncatch (phpmailerException \$e) {";
         $example_code .= "\n  throw new phpmailerAppException('Unable to send to: ' . \$to. ': '.\$e->getMessage());";
@@ -195,7 +202,7 @@ try {
 
         try {
             $mail->send();
-            $results_messages[] = "Message has been sent using " . strtoupper($_POST["test_type"]);
+            $results_messages[] = "Message has been sent using " . strtoupper($test_type);
         } catch (phpmailerException $e) {
             throw new phpmailerAppException("Unable to send to: " . $to . ': ' . $e->getMessage());
         }
@@ -309,22 +316,22 @@ $example_code .= "\n}";
 
         function startAgain() {
             var post_params = {
-                "From_Name": "<?php echo $from_name; ?>",
-                "From_Email": "<?php echo $from_email; ?>",
-                "To_Name": "<?php echo $to_name; ?>",
-                "To_Email": "<?php echo $to_email; ?>",
-                "cc_Email": "<?php echo $cc_email; ?>",
-                "bcc_Email": "<?php echo $bcc_email; ?>",
-                "Subject": "<?php echo $subject; ?>",
-                "Message": "<?php echo $message; ?>",
-                "test_type": "<?php echo $test_type; ?>",
-                "smtp_debug": "<?php echo $smtp_debug; ?>",
-                "smtp_server": "<?php echo $smtp_server; ?>",
-                "smtp_port": "<?php echo $smtp_port; ?>",
-                "smtp_secure": "<?php echo $smtp_secure; ?>",
-                "smtp_authenticate": "<?php echo $smtp_authenticate; ?>",
-                "authenticate_username": "<?php echo $authenticate_username; ?>",
-                "authenticate_password": "<?php echo $authenticate_password; ?>"
+                "From_Name": <?php echo JSString($from_name); ?>,
+                "From_Email": <?php echo JSString($from_email); ?>,
+                "To_Name": <?php echo JSString($to_name); ?>,
+                "To_Email": <?php echo JSString($to_email); ?>,
+                "cc_Email": <?php echo JSString($cc_email); ?>,
+                "bcc_Email": <?php echo JSString($bcc_email); ?>,
+                "Subject": <?php echo JSString($subject); ?>,
+                "Message": <?php echo JSString($message); ?>,
+                "test_type": <?php echo JSString($test_type); ?>,
+                "smtp_debug": <?php echo JSString($smtp_debug); ?>,
+                "smtp_server": <?php echo JSString($smtp_server); ?>,
+                "smtp_port": <?php echo JSString($smtp_port); ?>,
+                "smtp_secure": <?php echo JSString($smtp_secure); ?>,
+                "smtp_authenticate": <?php echo JSString($smtp_authenticate); ?>,
+                "authenticate_username": <?php echo JSString($authenticate_username); ?>,
+                "authenticate_password": <?php echo JSString($authenticate_password); ?>
             };
 
             var resetForm = document.createElement("form");
@@ -374,7 +381,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
     echo "<button type=\"submit\" onclick=\"startAgain();\">Start Over</button><br>\n";
     echo "<br><span>Script:</span>\n";
     echo "<pre class=\"brush: php;\">\n";
-    echo $example_code;
+    echo htmlentities($example_code);
     echo "\n</pre>\n";
     echo "\n<hr style=\"margin: 3em;\">\n";
 }
@@ -390,7 +397,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <label for="From_Name"><strong>From</strong> Name</label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="From_Name" name="From_Name" value="<?php echo $from_name; ?>"
+                            <input type="text" id="From_Name" name="From_Name" value="<?php echo htmlentities($from_name); ?>"
                                    style="width:95%;" autofocus placeholder="Your Name">
                         </td>
                     </tr>
@@ -399,7 +406,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <label for="From_Email"><strong>From</strong> Email Address</label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="From_Email" name="From_Email" value="<?php echo $from_email; ?>"
+                            <input type="text" id="From_Email" name="From_Email" value="<?php echo htmlentities($from_email); ?>"
                                    style="width:95%;" required placeholder="Your.Email@example.com">
                         </td>
                     </tr>
@@ -408,7 +415,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <label for="To_Name"><strong>To</strong> Name</label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="To_Name" name="To_Name" value="<?php echo $to_name; ?>"
+                            <input type="text" id="To_Name" name="To_Name" value="<?php echo htmlentities($to_name); ?>"
                                    style="width:95%;" placeholder="Recipient's Name">
                         </td>
                     </tr>
@@ -417,7 +424,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <label for="To_Email"><strong>To</strong> Email Address</label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="To_Email" name="To_Email" value="<?php echo $to_email; ?>"
+                            <input type="text" id="To_Email" name="To_Email" value="<?php echo htmlentities($to_email); ?>"
                                    style="width:95%;" required placeholder="Recipients.Email@example.com">
                         </td>
                     </tr>
@@ -428,7 +435,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             </label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="cc_Email" name="cc_Email" value="<?php echo $cc_email; ?>"
+                            <input type="text" id="cc_Email" name="cc_Email" value="<?php echo htmlentities($cc_email); ?>"
                                    style="width:95%;" placeholder="cc1@example.com, cc2@example.com">
                         </td>
                     </tr>
@@ -439,7 +446,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             </label>
                         </td>
                         <td class="colrite">
-                            <input type="text" id="bcc_Email" name="bcc_Email" value="<?php echo $bcc_email; ?>"
+                            <input type="text" id="bcc_Email" name="bcc_Email" value="<?php echo htmlentities($bcc_email); ?>"
                                    style="width:95%;" placeholder="bcc1@example.com, bcc2@example.com">
                         </td>
                     </tr>
@@ -448,7 +455,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <label for="Subject"><strong>Subject</strong></label>
                         </td>
                         <td class="colrite">
-                            <input type="text" name="Subject" id="Subject" value="<?php echo $subject; ?>"
+                            <input type="text" name="Subject" id="Subject" value="<?php echo htmlentities($subject); ?>"
                                    style="width:95%;" placeholder="Email Subject">
                         </td>
                     </tr>
@@ -460,7 +467,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                         </td>
                         <td class="colrite">
                             <textarea name="Message" id="Message" style="width:95%;height:5em;"
-                                      placeholder="Body of your email"><?php echo $message; ?></textarea>
+                                      placeholder="Body of your email"><?php echo htmlentities($message); ?></textarea>
                         </td>
                     </tr>
                 </table>
@@ -531,7 +538,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <td class="colleft"><label for="smtp_server">SMTP Server</label></td>
                             <td class="colrite">
                                 <input type="text" id="smtp_server" name="smtp_server"
-                                       value="<?php echo $smtp_server; ?>" style="width:95%;"
+                                       value="<?php echo htmlentities($smtp_server); ?>" style="width:95%;"
                                        placeholder="smtp.server.com">
                             </td>
                         </tr>
@@ -539,7 +546,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <td class="colleft" style="width: 5em;"><label for="smtp_port">SMTP Port</label></td>
                             <td class="colrite">
                                 <input type="text" name="smtp_port" id="smtp_port" size="3"
-                                       value="<?php echo $smtp_port; ?>" placeholder="Port">
+                                       value="<?php echo htmlentities($smtp_port); ?>" placeholder="Port">
                             </td>
                         </tr>
                         <tr>
@@ -560,14 +567,14 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
 <?php if ($smtp_authenticate != '') {
     echo "checked";
 } ?>
-                                       value="<?php echo $smtp_authenticate; ?>">
+                                       value="true">
                             </td>
                         </tr>
                         <tr>
                             <td class="colleft"><label for="authenticate_username">Authenticate Username</label></td>
                             <td class="colrite">
                                 <input type="text" id="authenticate_username" name="authenticate_username"
-                                       value="<?php echo $authenticate_username; ?>" style="width:95%;"
+                                       value="<?php echo htmlentities($authenticate_username); ?>" style="width:95%;"
                                        placeholder="SMTP Server Username">
                             </td>
                         </tr>
@@ -575,7 +582,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
                             <td class="colleft"><label for="authenticate_password">Authenticate Password</label></td>
                             <td class="colrite">
                                 <input type="password" name="authenticate_password" id="authenticate_password"
-                                       value="<?php echo $authenticate_password; ?>" style="width:95%;"
+                                       value="<?php echo htmlentities($authenticate_password); ?>" style="width:95%;"
                                        placeholder="SMTP Server Password">
                             </td>
                         </tr>
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail.phps b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail.phps
index b3cc02d5..121ca70a 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail.phps
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail.phps
@@ -1,6 +1,7 @@
 <?php
 /**
  * This example shows settings to use when sending via Google's Gmail servers.
+ * The IMAP section shows how to save this message to the 'Sent Mail' folder using IMAP commands.
  */
 
 //SMTP needs accurate times, and the PHP time zone MUST be set
@@ -72,4 +73,27 @@ if (!$mail->send()) {
     echo "Mailer Error: " . $mail->ErrorInfo;
 } else {
     echo "Message sent!";
+    //Section 2: IMAP
+    //Uncomment these to save your message in the 'Sent Mail' folder.
+    #if (save_mail($mail)) {
+    #    echo "Message saved!";
+    #}
+}
+
+//Section 2: IMAP
+//IMAP commands requires the PHP IMAP Extension, found at: https://php.net/manual/en/imap.setup.php
+//Function to call which uses the PHP imap_*() functions to save messages: https://php.net/manual/en/book.imap.php
+//You can use imap_getmailboxes($imapStream, '/imap/ssl') to get a list of available folders or labels, this can
+//be useful if you are trying to get this working on a non-Gmail IMAP server.
+function save_mail($mail) {
+    //You can change 'Sent Mail' to any other folder or tag
+    $path = "{imap.gmail.com:993/imap/ssl}[Gmail]/Sent Mail";
+
+    //Tell your server to open an IMAP connection using the same username and password as you used for SMTP
+    $imapStream = imap_open($path, $mail->Username, $mail->Password);
+
+    $result = imap_append($imapStream, $path, $mail->getSentMIMEMessage());
+    imap_close($imapStream);
+
+    return $result;
 }
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail_xoauth.phps b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail_xoauth.phps
index d64483a4..2aec1814 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail_xoauth.phps
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/examples/gmail_xoauth.phps
@@ -43,8 +43,8 @@ $mail->SMTPAuth = true;
 //Set AuthType
 $mail->AuthType = 'XOAUTH2';
 
-//User Email to use for SMTP authentication - Use the same Email used in Google Developer Console
-$mail->oauthUserEmail = "someone@gmail.com";
+//User Email to use for SMTP authentication - user who gave consent to our app
+$mail->oauthUserEmail = "from@gmail.com";
 
 //Obtained From Google Developer Console
 $mail->oauthClientId = "RANDOMCHARS-----duv1n2.apps.googleusercontent.com";
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/extras/README.md b/data/web/inc/lib/vendor/phpmailer/phpmailer/extras/README.md
index dac79e05..df8ca092 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/extras/README.md
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/extras/README.md
@@ -1,17 +1,17 @@
-#PHPMailer Extras
+# PHPMailer Extras
 
 These classes provide optional additional functions to PHPMailer.
 
 These are not loaded by the PHPMailer autoloader, so in some cases you may need to `require` them yourself before using them.
 
-##EasyPeasyICS
+## EasyPeasyICS
 
 This class was originally written by Manuel Reinhard and provides a simple means of generating ICS/vCal files that are used in sending calendar events. PHPMailer does not use it directly, but you can use it to generate content appropriate for placing in the `Ical` property of PHPMailer. The PHPMailer project is now its official home as Manuel has given permission for that and is no longer maintaining it himself.
 
-##htmlfilter
+## htmlfilter
 
 This class by Konstantin Riabitsev and Jim Jagielski implements HTML filtering to remove potentially malicious tags, such as `<script>` or `onclick=` attributes that can result in XSS attacks. This is a simple filter and is not as comprehensive as [HTMLawed](http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/) or [HTMLPurifier](http://htmlpurifier.org), but it's easier to use and considerably better than nothing! PHPMailer does not use it directly, but you may want to apply it to user-supplied HTML before using it as a message body.
 
-##NTLM_SASL_client
+## NTLM_SASL_client
 
 This class by Manuel Lemos (bundled with permission) adds the ability to authenticate with Microsoft Windows mail servers that use NTLM-based authentication. It is used by PHPMailer if you send via SMTP and set the `AuthType` property to `NTLM`; you will also need to use the `Realm` and `Workstation` properties. The original source is [here](http://www.phpclasses.org/browse/file/7495.html).
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-ba.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-ba.php
new file mode 100644
index 00000000..095dee3e
--- /dev/null
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-ba.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * Bosnian PHPMailer language file: refer to English translation for definitive list
+ * @package PHPMailer
+ * @author Ermin Islamagić <ermin@islamagic.com>
+ */
+
+$PHPMAILER_LANG['authenticate']         = 'SMTP Greška: Neuspjela prijava.';
+$PHPMAILER_LANG['connect_host']         = 'SMTP Greška: Ne moguće se spojiti sa SMTP serverom.';
+$PHPMAILER_LANG['data_not_accepted']    = 'SMTP Greška: Podatci nisu prihvaćeni.';
+$PHPMAILER_LANG['empty_message']        = 'Sadržaj poruke je prazan.';
+$PHPMAILER_LANG['encoding']             = 'Nepoznata kriptografija: ';
+$PHPMAILER_LANG['execute']              = 'Nije moguće izvršiti naredbu: ';
+$PHPMAILER_LANG['file_access']          = 'Nije moguće pristupiti datoteci: ';
+$PHPMAILER_LANG['file_open']            = 'Nije moguće otvoriti datoteku: ';
+$PHPMAILER_LANG['from_failed']          = 'SMTP Greška: Slanje sa navedenih e-mail adresa nije uspjelo: ';
+$PHPMAILER_LANG['recipients_failed']    = 'SMTP Greška: Slanje na navedene e-mail adrese nije uspjelo: ';
+$PHPMAILER_LANG['instantiate']          = 'Ne mogu pokrenuti mail funkcionalnost.';
+$PHPMAILER_LANG['invalid_address']      = 'E-mail nije poslan. Neispravna e-mail adresa: ';
+$PHPMAILER_LANG['mailer_not_supported'] = ' mailer nije podržan.';
+$PHPMAILER_LANG['provide_address']      = 'Definišite barem jednu adresu primaoca.';
+$PHPMAILER_LANG['signing']              = 'Greška prilikom prijave: ';
+$PHPMAILER_LANG['smtp_connect_failed']  = 'Spajanje na SMTP server nije uspjelo.';
+$PHPMAILER_LANG['smtp_error']           = 'SMTP greška: ';
+$PHPMAILER_LANG['variable_set']         = 'Nije moguće postaviti varijablu ili je vratiti nazad: ';
+$PHPMAILER_LANG['extension_missing']    = 'Nedostaje ekstenzija: ';
\ No newline at end of file
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-nb.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-nb.php
index 383dd516..44610542 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-nb.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-nb.php
@@ -1,25 +1,25 @@
 <?php
 /**
- * Norwegian PHPMailer language file: refer to English translation for definitive list
+ * Norwegian Bokmål PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer
  */
 
 $PHPMAILER_LANG['authenticate']         = 'SMTP Feil: Kunne ikke autentisere.';
 $PHPMAILER_LANG['connect_host']         = 'SMTP Feil: Kunne ikke koble til SMTP tjener.';
-$PHPMAILER_LANG['data_not_accepted']    = 'SMTP Feil: Data ble ikke akseptert.';
-$PHPMAILER_LANG['empty_message']        = 'Meldingsinnholdet er tomt';
-$PHPMAILER_LANG['encoding']             = 'Ukjent tegnkoding: ';
+$PHPMAILER_LANG['data_not_accepted']    = 'SMTP Feil: Datainnhold ikke akseptert.';
+$PHPMAILER_LANG['empty_message']        = 'Melding kropp tomt';
+$PHPMAILER_LANG['encoding']             = 'Ukjent koding: ';
 $PHPMAILER_LANG['execute']              = 'Kunne ikke utføre: ';
 $PHPMAILER_LANG['file_access']          = 'Får ikke tilgang til filen: ';
-$PHPMAILER_LANG['file_open']            = 'Fil feil: Kunne ikke åpne filen: ';
-$PHPMAILER_LANG['from_failed']          = 'Følgende avsenderadresse feilet: ';
-$PHPMAILER_LANG['instantiate']          = 'Kunne ikke initialisere mailfunksjonen.';
-$PHPMAILER_LANG['invalid_address']      = 'Meldingen ble ikke sendt, følgende adresse er ugyldig: ';
-$PHPMAILER_LANG['provide_address']      = 'Du må angi minst en mottakeradresse.';
-$PHPMAILER_LANG['mailer_not_supported'] = ' mailer er ikke supportert.';
-$PHPMAILER_LANG['recipients_failed']    = 'SMTP Feil: Følgende mottagere feilet: ';
-$PHPMAILER_LANG['signing']              = 'Signeringsfeil: ';
-$PHPMAILER_LANG['smtp_connect_failed']  = 'SMTP Connect() feilet.';
-$PHPMAILER_LANG['smtp_error']           = 'SMTP-serverfeil: ';
-$PHPMAILER_LANG['variable_set']         = 'Kan ikke sette eller resette variabelen: ';
-//$PHPMAILER_LANG['extension_missing']    = 'Extension missing: ';
+$PHPMAILER_LANG['file_open']            = 'Fil Feil: Kunne ikke åpne filen: ';
+$PHPMAILER_LANG['from_failed']          = 'Følgende Frå adresse feilet: ';
+$PHPMAILER_LANG['instantiate']          = 'Kunne ikke initialisere post funksjon.';
+$PHPMAILER_LANG['invalid_address']      = 'Ugyldig adresse: ';
+$PHPMAILER_LANG['mailer_not_supported'] = ' sender er ikke støttet.';
+$PHPMAILER_LANG['provide_address']      = 'Du må opppgi minst en mottakeradresse.';
+$PHPMAILER_LANG['recipients_failed']    = 'SMTP Feil: Følgende mottakeradresse feilet: ';
+$PHPMAILER_LANG['signing']              = 'Signering Feil: ';
+$PHPMAILER_LANG['smtp_connect_failed']  = 'SMTP connect() feilet.';
+$PHPMAILER_LANG['smtp_error']           = 'SMTP server feil: ';
+$PHPMAILER_LANG['variable_set']         = 'Kan ikke skrive eller omskrive variabel: ';
+$PHPMAILER_LANG['extension_missing']    = 'Utvidelse mangler: ';
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-pt_br.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-pt_br.php
index fecbbe34..4ec10f77 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-pt_br.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-pt_br.php
@@ -5,6 +5,7 @@
  * @author Paulo Henrique Garcia <paulo@controllerweb.com.br>
  * @author Lucas Guimarães <lucas@lucasguimaraes.com>
  * @author Phelipe Alves <phelipealvesdesouza@gmail.com>
+ * @author Fabio Beneditto <fabiobeneditto@gmail.com>
  */
 
 $PHPMAILER_LANG['authenticate']         = 'Erro de SMTP: Não foi possível autenticar.';
@@ -15,7 +16,7 @@ $PHPMAILER_LANG['encoding']             = 'Codificação desconhecida: ';
 $PHPMAILER_LANG['execute']              = 'Não foi possível executar: ';
 $PHPMAILER_LANG['file_access']          = 'Não foi possível acessar o arquivo: ';
 $PHPMAILER_LANG['file_open']            = 'Erro de Arquivo: Não foi possível abrir o arquivo: ';
-$PHPMAILER_LANG['from_failed']          = 'Os seguintes remententes falharam: ';
+$PHPMAILER_LANG['from_failed']          = 'Os seguintes remetentes falharam: ';
 $PHPMAILER_LANG['instantiate']          = 'Não foi possível instanciar a função mail.';
 $PHPMAILER_LANG['invalid_address']      = 'Endereço de e-mail inválido: ';
 $PHPMAILER_LANG['mailer_not_supported'] = ' mailer não é suportado.';
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-sr.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-rs.php
similarity index 96%
rename from data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-sr.php
rename to data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-rs.php
index ed95ca6e..0502f021 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-sr.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-rs.php
@@ -23,4 +23,4 @@ $PHPMAILER_LANG['signing']              = 'Грешка приликом при
 $PHPMAILER_LANG['smtp_connect_failed']  = 'Повезивање са SMTP сервером није успело.';
 $PHPMAILER_LANG['smtp_error']           = 'Грешка SMTP сервера: ';
 $PHPMAILER_LANG['variable_set']         = 'Није могуће задати променљиву, нити је вратити уназад: ';
-//$PHPMAILER_LANG['extension_missing']    = 'Extension missing: ';
+$PHPMAILER_LANG['extension_missing']    = 'Недостаје проширење: ';
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-tr.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-tr.php
index 323fb4b5..cfe8eaae 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-tr.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-tr.php
@@ -6,6 +6,7 @@
  * @author Can Yılmaz
  * @author Mehmet Benlioğlu
  * @author @yasinaydin
+ * @author Ogün Karakuş
  */
 
 $PHPMAILER_LANG['authenticate']         = 'SMTP Hatası: Oturum açılamadı.';
@@ -26,4 +27,4 @@ $PHPMAILER_LANG['signing']              = 'İmzalama hatası: ';
 $PHPMAILER_LANG['smtp_connect_failed']  = 'SMTP connect() fonksiyonu başarısız.';
 $PHPMAILER_LANG['smtp_error']           = 'SMTP sunucu hatası: ';
 $PHPMAILER_LANG['variable_set']         = 'Değişken ayarlanamadı ya da sıfırlanamadı: ';
-//$PHPMAILER_LANG['extension_missing']    = 'Extension missing: ';
+$PHPMAILER_LANG['extension_missing']    = 'Eklenti bulunamadı: ';
diff --git a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-zh_cn.php b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-zh_cn.php
index d85a0b1a..37537802 100644
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-zh_cn.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-zh_cn.php
@@ -4,13 +4,14 @@
  * @package PHPMailer
  * @author liqwei <liqwei@liqwei.com>
  * @author young <masxy@foxmail.com>
+ * @author Teddysun <i@teddysun.com>
  */
 
 $PHPMAILER_LANG['authenticate']         = 'SMTP 错误：登录失败。';
 $PHPMAILER_LANG['connect_host']         = 'SMTP 错误：无法连接到 SMTP 主机。';
 $PHPMAILER_LANG['data_not_accepted']    = 'SMTP 错误：数据不被接受。';
 $PHPMAILER_LANG['empty_message']        = '邮件正文为空。';
-$PHPMAILER_LANG['encoding']             = '未知编码: ';
+$PHPMAILER_LANG['encoding']             = '未知编码：';
 $PHPMAILER_LANG['execute']              = '无法执行：';
 $PHPMAILER_LANG['file_access']          = '无法访问文件：';
 $PHPMAILER_LANG['file_open']            = '文件错误：无法打开文件：';
@@ -22,6 +23,6 @@ $PHPMAILER_LANG['provide_address']      = '必须提供至少一个收件人地
 $PHPMAILER_LANG['recipients_failed']    = 'SMTP 错误：收件人地址错误：';
 $PHPMAILER_LANG['signing']              = '登录失败：';
 $PHPMAILER_LANG['smtp_connect_failed']  = 'SMTP服务器连接失败。';
-$PHPMAILER_LANG['smtp_error']           = 'SMTP服务器出错: ';
+$PHPMAILER_LANG['smtp_error']           = 'SMTP服务器出错：';
 $PHPMAILER_LANG['variable_set']         = '无法设置或重置变量：';
-//$PHPMAILER_LANG['extension_missing']    = 'Extension missing: ';
+$PHPMAILER_LANG['extension_missing']    = '丢失模块 Extension：';
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 0ba894f7..eef9dbd9 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -1,5 +1,5 @@
 <?php
-require_once 'inc/vars.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
 $default_autodiscover_config = $autodiscover_config;
 if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php')) {
   include_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php';

From 67056dc3d1d98850b1c9639277ef8b5a4414c945 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 18 Sep 2017 08:24:24 +0200
Subject: [PATCH 03/84] [Postfix] Less strict smtpd_tls_mandatory_protocols

---
 data/conf/postfix/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index cbdb2837..62deaa09 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -73,7 +73,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_protocols = !SSLv2, !SSLv3
 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 lmtp_tls_protocols = !SSLv2, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 #, !TLSv1, !TLSv1.1
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_security_level = may

From 719aa1a391b858ed08ce826adcce0eac71d2ed6b Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 18 Sep 2017 10:59:45 +0200
Subject: [PATCH 04/84] [Postfix] Fix protocols

---
 data/conf/postfix/main.cf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 62deaa09..3ee6e59c 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -73,7 +73,7 @@ smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 smtp_tls_protocols = !SSLv2, !SSLv3
 lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
 lmtp_tls_protocols = !SSLv2, !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 #, !TLSv1, !TLSv1.1
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers = high
 smtpd_tls_security_level = may

From a8fb1d3f4fe88a136bc8e4dbc410af64c09a1162 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 10:56:49 +0200
Subject: [PATCH 05/84] Add experimental watchdog

---
 data/Dockerfiles/watchdog/Dockerfile     |  22 ++
 data/Dockerfiles/watchdog/watchdog.sh    | 281 +++++++++++++++++++++++
 data/conf/rspamd/dynmaps/index.html      |   2 +
 data/conf/rspamd/local.d/composites.conf |   4 +
 data/conf/rspamd/local.d/metrics.conf    |  17 ++
 data/conf/rspamd/local.d/mx_check.conf   |   2 +-
 docker-compose.yml                       |  17 ++
 generate_config.sh                       |   3 +
 update.sh                                |   2 +-
 9 files changed, 348 insertions(+), 2 deletions(-)
 create mode 100644 data/Dockerfiles/watchdog/Dockerfile
 create mode 100755 data/Dockerfiles/watchdog/watchdog.sh
 create mode 100644 data/conf/rspamd/dynmaps/index.html
 create mode 100644 data/conf/rspamd/local.d/composites.conf

diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
new file mode 100644
index 00000000..b6d52fe9
--- /dev/null
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -0,0 +1,22 @@
+FROM alpine:3.6
+
+LABEL maintainer "André Peters <andre.peters@servercow.de>"
+
+# Installation
+RUN apk add --update \
+	&& apk add --no-cache nagios-plugins-smtp \
+	nagios-plugins-tcp \
+	nagios-plugins-http \
+	nagios-plugins-ping \
+	curl \
+	bash \
+	jq \
+	fcgi \
+	nagios-plugins-mysql \
+	nagios-plugins-dns \
+	bind-tools
+
+COPY watchdog.sh /watchdog.sh
+
+# Less verbose
+CMD /watchdog.sh 2> /dev/null
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
new file mode 100755
index 00000000..3abd13b8
--- /dev/null
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -0,0 +1,281 @@
+#!/bin/bash
+
+trap "exit" INT TERM
+trap "kill 0" EXIT
+PARENT_PID=$$
+
+# Prepare
+BACKGROUND_TASKS=()
+
+# Skip watchdog?
+if [[ "${USE_WATCHDOG}" =~ ^([nN][oO])+$ ]]; then
+  echo "Skipping watchdog, sleeping..."
+  sleep 365d
+  exit 0
+fi
+
+# Checks pipe their corresponding container name in this pipe
+if [[ ! -p /tmp/com_pipe ]]; then
+  mkfifo /tmp/com_pipe
+fi
+
+# Common functions
+progress() {
+  SERVICE=${1}
+  TOTAL=${2}
+  CURRENT=${3}
+  DIFF=${4}
+  [[ -z ${DIFF} ]] && DIFF=0
+  [[ -z ${TOTAL} || -z ${CURRENT} ]] && return
+  [[ ${CURRENT} -gt ${TOTAL} ]] && return
+  [[ ${CURRENT} -lt 0 ]] && CURRENT=0
+  percent=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
+  completed=$(( ${percent} / 2 ))
+  remaining=$(( 50 - ${completed} ))
+  echo -ne "$(date) Health level: "
+  echo -n "["
+  printf "%0.s>" $(seq ${completed})
+  [[ ${remaining} != 0 ]] && printf "%0.s." $(seq ${remaining})
+  echo -en "] ${percent}% - Service: ${SERVICE}, health trend: "
+  [[ ${DIFF} =~ ^-[1-9] ]] && echo -en "\e[31mnegative \e[0m" || echo -en "\e[32mpositive \e[0m"
+  echo "(${DIFF})"
+}
+
+# Check functions
+nginx_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=16
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_ping -H nginx-mailcow -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u / -p 8081 1>&2; err_count=$(( ${err_count} + $? ))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Nginx" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+mysql_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=12
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_mysql -H mysql-mailcow -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_query -H mysql-mailcow -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 1>&2; err_count=$(( ${err_count} + $? ))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+sogo_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=20
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_http -H sogo-mailcow -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -H sogo-mailcow -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /SOGo/ -p 443 --ssl -R "Bad Gateway" --invert-regex 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /SOGo/ -p 80 -R "Bad Gateway" --invert-regex 1>&2; err_count=$(( ${err_count} + $? ))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+postfix_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=16
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 25 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+dovecot_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=24
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_smtp -H dovecot-mailcow -p 24 -f "watchdog" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -H dovecot-mailcow -p 993 -S -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -H dovecot-mailcow -p 143 -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -H dovecot-mailcow -p 10001 -e "VERSION" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -H dovecot-mailcow -p 4190 -e "Dovecot ready" 1>&2; err_count=$(( ${err_count} + $? ))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Dovecot" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+phpfpm_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=12
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    cgi-fcgi -bind -connect php-fpm-mailcow:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_ping -H php-fpm-mailcow -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /settings.php -p 8081 -r "settings \{" 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "PHP-FPM" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+dns_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=28
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    err_c_cur=${err_count}
+    /usr/lib/nagios/plugins/check_dns -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_dns -s $(dig unbound-mailcow +short A) -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_dns -s $(dig unbound-mailcow +short AAAA) -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    dig +dnssec org. @172.22.1.254 | grep -E 'flags:.+ad' 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Unbound" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+  done
+  return 1
+}
+
+# Create watchdog agents
+(
+while true; do
+  if ! nginx_checks; then
+    echo -e "\e[31m$(date) - Nginx hit error limit\e[0m"
+    echo nginx-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! mysql_checks; then
+    echo -e "\e[31m$(date) - MySQL hit error limit\e[0m"
+    echo mysql-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! phpfpm_checks; then
+    echo -e "\e[31m$(date) - PHP-FPM hit error limit\e[0m"
+    echo php-fpm-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! sogo_checks; then
+    echo -e "\e[31m$(date) - SOGo hit error limit\e[0m"
+    echo sogo-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! postfix_checks; then
+    echo -e "\e[31m$(date) - Postfix hit error limit\e[0m"
+    echo postfix-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! dovecot_checks; then
+    echo -e "\e[31m$(date) - Dovecot hit error limit\e[0m"
+    echo dovecot-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+(
+while true; do
+  if ! dns_checks; then
+    echo -e "\e[31m$(date) - Unbound hit error limit\e[0m"
+    echo unbound-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
+# Monitor watchdog agents, stop script when agents fails and wait for respawn by Docker (restart:always:n)
+(
+while true; do
+  for bg_task in ${BACKGROUND_TASKS[*]}; do
+    if ! kill -0 ${bg_task} 21>&2; then
+      echo "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
+      kill -TERM ${PARENT_PID}
+    fi
+    sleep 1
+  done
+done
+) &
+
+# Restart container when threshold limit reached
+while true; do
+  CONTAINER_ID=
+  read com_pipe_answer </tmp/com_pipe
+  if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
+    kill -STOP ${BACKGROUND_TASKS[*]}
+    sleep 3
+    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
+    if [[ ! -z ${CONTAINER_ID} ]]; then
+      echo "Sending restart command to ${CONTAINER_ID}..."
+      curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
+    fi
+    echo "Wait for restarted container to settle and continue watching..."
+    sleep 30s
+    kill -CONT ${BACKGROUND_TASKS[*]}
+    kill -USR1 ${BACKGROUND_TASKS[*]}
+  fi
+done
diff --git a/data/conf/rspamd/dynmaps/index.html b/data/conf/rspamd/dynmaps/index.html
new file mode 100644
index 00000000..90531a4b
--- /dev/null
+++ b/data/conf/rspamd/dynmaps/index.html
@@ -0,0 +1,2 @@
+<html>
+</html>
diff --git a/data/conf/rspamd/local.d/composites.conf b/data/conf/rspamd/local.d/composites.conf
new file mode 100644
index 00000000..e895fb0f
--- /dev/null
+++ b/data/conf/rspamd/local.d/composites.conf
@@ -0,0 +1,4 @@
+MX_IMPLICIT {
+    expression = "MX_GOOD and MX_MISSING";
+    score = -0.01;
+}
diff --git a/data/conf/rspamd/local.d/metrics.conf b/data/conf/rspamd/local.d/metrics.conf
index 4fd0953c..b3afa78c 100644
--- a/data/conf/rspamd/local.d/metrics.conf
+++ b/data/conf/rspamd/local.d/metrics.conf
@@ -17,3 +17,20 @@ group "bayes" {
 		description = "Message probably ham, probability: ";
 	}
 }
+group "MX" {
+	symbol "MX_INVALID" {
+	  score = 0.5;
+	  description = "No connectable MX";
+	  one_shot = "true";
+	}
+	symbol "MX_MISSING" {
+	  score = 2.0;
+	  description = "No MX record";
+	  one_shot = "true";
+	}
+	symbol "MX_GOOD" {
+	  score = -0.01;
+	  description = "MX was ok";
+	  one_shot = "true";
+	}
+}
diff --git a/data/conf/rspamd/local.d/mx_check.conf b/data/conf/rspamd/local.d/mx_check.conf
index 6a775a21..22fcedf1 100644
--- a/data/conf/rspamd/local.d/mx_check.conf
+++ b/data/conf/rspamd/local.d/mx_check.conf
@@ -1,4 +1,4 @@
-timeout = 1.0;
+timeout = 8.0;
 symbol_bad_mx = "MX_INVALID";
 symbol_no_mx = "MX_MISSING";
 symbol_good_mx = "MX_GOOD";
diff --git a/docker-compose.yml b/docker-compose.yml
index f0cf0e30..2ec2d8ef 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -307,6 +307,23 @@ services:
       volumes:
         - /lib/modules:/lib/modules:ro
 
+    watchdog-mailcow:
+      image: mailcow/watchdog:1.0
+      build: ./data/Dockerfiles/watchdog
+      init: false
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock:ro
+      restart: always
+      environment:
+        - DBNAME=${DBNAME}
+        - DBUSER=${DBUSER}
+        - DBPASS=${DBPASS}
+        - USE_WATCHDOG=${USE_WATCHDOG:-n}
+      networks:
+        mailcow-network:
+          aliases:
+            - watchdog
+
     ipv6nat:
       image: robbertkl/ipv6nat
       restart: always
diff --git a/generate_config.sh b/generate_config.sh
index 2d03891e..a7e52ebe 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -96,6 +96,9 @@ SKIP_FAIL2BAN=n
 # To never run clamd-mailcow
 SKIP_CLAMD=n
 
+# Enable watchdog to restart unhealthy containers (experimental)
+USE_WATCHDOG=n
+
 EOF
 
 mkdir -p data/assets/ssl
diff --git a/update.sh b/update.sh
index 4e9a1a96..f38c47a0 100755
--- a/update.sh
+++ b/update.sh
@@ -4,7 +4,7 @@ for bin in curl docker-compose docker git awk sha1sum; do
 	if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
 done
 
-CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN" "DOVEADM_PORT")
+CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "USE_WATCHDOG" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN" "DOVEADM_PORT")
 echo >> mailcow.conf
 for option in ${CONFIG_ARRAY[@]}; do
 	if [[ ${option} == "ADDITIONAL_SAN" ]]; then

From e70d5b9206542d170b87fde6f74bcda8b37c1922 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 11:05:23 +0200
Subject: [PATCH 06/84] Fix watchdog

---
 data/Dockerfiles/watchdog/watchdog.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 3abd13b8..47f13bd7 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -8,7 +8,7 @@ PARENT_PID=$$
 BACKGROUND_TASKS=()
 
 # Skip watchdog?
-if [[ "${USE_WATCHDOG}" =~ ^([nN][oO])+$ ]]; then
+if [[ "${USE_WATCHDOG}" =~ ^([nN][oO]|[nN])+$ ]]; then
   echo "Skipping watchdog, sleeping..."
   sleep 365d
   exit 0

From df5c79c3f11007f00fa0f3f35bf1a8515de78bdc Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 12:27:24 +0200
Subject: [PATCH 07/84] Fixes for watchdog!

---
 data/Dockerfiles/watchdog/watchdog.sh | 69 +++++++++++++++------------
 1 file changed, 39 insertions(+), 30 deletions(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 47f13bd7..917553ba 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -7,13 +7,6 @@ PARENT_PID=$$
 # Prepare
 BACKGROUND_TASKS=()
 
-# Skip watchdog?
-if [[ "${USE_WATCHDOG}" =~ ^([nN][oO]|[nN])+$ ]]; then
-  echo "Skipping watchdog, sleeping..."
-  sleep 365d
-  exit 0
-fi
-
 # Checks pipe their corresponding container name in this pipe
 if [[ ! -p /tmp/com_pipe ]]; then
   mkfifo /tmp/com_pipe
@@ -41,17 +34,30 @@ progress() {
   echo "(${DIFF})"
 }
 
+get_container_ip() {
+  # ${1} is container
+  CONTAINER_ID=
+  CONTAINER_IP=
+  until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; do
+    sleep 1
+    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
+    CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+  done
+  echo ${CONTAINER_IP}
+}
+
 # Check functions
 nginx_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip nginx-mailcow)
   THRESHOLD=16
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_ping -H nginx-mailcow -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u / -p 8081 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_ping -4 -H ${HOST_IP} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u / -p 8081 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -63,13 +69,14 @@ nginx_checks() {
 mysql_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip mysql-mailcow)
   THRESHOLD=12
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_mysql -H mysql-mailcow -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_mysql_query -H mysql-mailcow -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql -H ${HOST_IP} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_query -H ${HOST_IP} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -81,15 +88,14 @@ mysql_checks() {
 sogo_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip sogo-mailcow)
   THRESHOLD=20
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_http -H sogo-mailcow -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -H sogo-mailcow -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /SOGo/ -p 443 --ssl -R "Bad Gateway" --invert-regex 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /SOGo/ -p 80 -R "Bad Gateway" --invert-regex 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -101,14 +107,15 @@ sogo_checks() {
 postfix_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip postfix-mailcow)
   THRESHOLD=16
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 25 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -H postfix-mailcow -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 25 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -120,16 +127,17 @@ postfix_checks() {
 dovecot_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip dovecot-mailcow)
   THRESHOLD=24
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -H dovecot-mailcow -p 24 -f "watchdog" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_imap -H dovecot-mailcow -p 993 -S -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_imap -H dovecot-mailcow -p 143 -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_tcp -H dovecot-mailcow -p 10001 -e "VERSION" 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_tcp -H dovecot-mailcow -p 4190 -e "Dovecot ready" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 24 -f "watchdog" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${HOST_IP} -p 993 -S -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${HOST_IP} -p 143 -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${HOST_IP} -p 10001 -e "VERSION" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${HOST_IP} -p 4190 -e "Dovecot ready" 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -141,14 +149,14 @@ dovecot_checks() {
 phpfpm_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip php-fpm-mailcow)
   THRESHOLD=12
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
-    cgi-fcgi -bind -connect php-fpm-mailcow:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    /usr/lib/nagios/plugins/check_ping -H php-fpm-mailcow -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -H nginx-mailcow -u /settings.php -p 8081 -r "settings \{" 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    cgi-fcgi -bind -connect ${HOST_IP}:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_ping -4 -H ${HOST_IP} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -160,15 +168,15 @@ phpfpm_checks() {
 dns_checks() {
   err_count=0
   diff_c=0
+  HOST_IP=$(get_container_ip unbound-mailcow)
   THRESHOLD=28
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     err_c_cur=${err_count}
     /usr/lib/nagios/plugins/check_dns -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    /usr/lib/nagios/plugins/check_dns -s $(dig unbound-mailcow +short A) -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    /usr/lib/nagios/plugins/check_dns -s $(dig unbound-mailcow +short AAAA) -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    dig +dnssec org. @172.22.1.254 | grep -E 'flags:.+ad' 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_dns -s ${HOST_IP} -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    dig +dnssec org. @${HOST_IP} | grep -E 'flags:.+ad' 1>&2; err_count=$(( ${err_count} + ($? * 2)))
     sleep $(( ( RANDOM % 30 )  + 10 ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
@@ -242,7 +250,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! dns_checks; then
     echo -e "\e[31m$(date) - Unbound hit error limit\e[0m"
-    echo unbound-mailcow > /tmp/com_pipe
+    #echo unbound-mailcow > /tmp/com_pipe
   fi
 done
 ) &
@@ -279,3 +287,4 @@ while true; do
     kill -USR1 ${BACKGROUND_TASKS[*]}
   fi
 done
+

From b6e84fac3ab6ef7a87c4ad1156b634addfe97eb8 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 12:50:50 +0200
Subject: [PATCH 08/84] Sleep instead of stopping containers to prevent
 restarts

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 2 +-
 data/Dockerfiles/clamd/bootstrap.sh        | 1 +
 data/Dockerfiles/fail2ban/logwatch.py      | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 6715f791..36a31cf3 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -80,7 +80,7 @@ fi
 while true; do
 	if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 		echo "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
-		sleep 3650d
+		sleep 365d
 		exec $(readlink -f "$0")
 	fi
 	if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh
index 21b09788..d815214b 100755
--- a/data/Dockerfiles/clamd/bootstrap.sh
+++ b/data/Dockerfiles/clamd/bootstrap.sh
@@ -4,6 +4,7 @@ chown -R clamav:clamav /var/log/clamav/
 
 if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 	echo "SKIP_CLAMD=y, skipping ClamAV..."
+	sleep 365d
 	exit 0
 fi
 
diff --git a/data/Dockerfiles/fail2ban/logwatch.py b/data/Dockerfiles/fail2ban/logwatch.py
index 9615d53a..6fc852ac 100644
--- a/data/Dockerfiles/fail2ban/logwatch.py
+++ b/data/Dockerfiles/fail2ban/logwatch.py
@@ -15,6 +15,7 @@ import json
 yes_regex = re.compile(r'([yY][eE][sS]|[yY])+$')
 if re.search(yes_regex, os.getenv('SKIP_FAIL2BAN', 0)):
 	print "Skipping Fail2ban container..."
+	time.sleep(31536000)
 	raise SystemExit
 
 r = redis.StrictRedis(host='172.22.1.249', decode_responses=True, port=6379, db=0)

From 3ec18619eee5979a49ecd5034809a1dd4a3262f3 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 12:56:04 +0200
Subject: [PATCH 09/84] [Compose] Push new images

---
 docker-compose.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 2ec2d8ef..6ca310be 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -60,9 +60,9 @@ services:
             - redis
 
     clamd-mailcow:
-      image: mailcow/clamd:1.3
+      image: mailcow/clamd:1.4
       build: ./data/Dockerfiles/clamd
-      restart: on-failure
+      restart: always
       environment:
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
       init: true
@@ -259,7 +259,7 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.17
+      image: mailcow/acme:1.18
       build: ./data/Dockerfiles/acme
       init: true
       dns:
@@ -279,14 +279,14 @@ services:
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
         - /var/run/docker.sock:/var/run/docker.sock:ro
       # do not restart the container too often. Things get worse when we hit let's encrypt's ratelimit.
-      restart: on-failure:1
+      restart: always
       networks:
         mailcow-network:
           aliases:
             - acme
 
     fail2ban-mailcow:
-      image: mailcow/fail2ban:1.6
+      image: mailcow/fail2ban:1.7
       build: ./data/Dockerfiles/fail2ban
       depends_on:
         - dovecot-mailcow

From a411a357b92966e9f785f23ff3f845969deef48e Mon Sep 17 00:00:00 2001
From: Michael Kuron <mkuron@users.noreply.github.com>
Date: Wed, 20 Sep 2017 15:19:43 +0200
Subject: [PATCH 10/84] rspamd: exclude Mail Flow monitoring from logs and
 stats

---
 data/conf/rspamd/lua/rspamd.local.lua | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index 62383707..d44f0feb 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -107,4 +107,16 @@ rspamd_config:register_symbol({
     return true
   end,
   priority = 20
-})
\ No newline at end of file
+})
+
+rspamd_config:register_symbol({
+  name = 'NO_LOG_STAT_MAILFLOW',
+  type = 'postfilter',
+  callback = function(task)
+    local sender = task:get_header('From')
+    if sender == 'monitoring-system@everycloudtech.us' then
+      task:set_flag('no_log')
+      task:set_flag('no_stat')
+    end
+  end
+})

From 38649cca3d1c47090fe1a5c509a5ed5f39abfdff Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 23:22:38 +0200
Subject: [PATCH 11/84] [Compose] Remove dns_search

---
 docker-compose.yml | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6ca310be..74114be2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -38,7 +38,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.250
@@ -52,7 +51,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.249
@@ -68,7 +66,6 @@ services:
       init: true
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -91,7 +88,6 @@ services:
       init: true
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       hostname: rspamd
       networks:
         mailcow-network:
@@ -125,7 +121,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -145,7 +140,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.252
@@ -180,7 +174,6 @@ services:
           hard: 40000
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       hostname: ${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
@@ -206,7 +199,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       hostname: ${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
@@ -218,7 +210,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           aliases:
@@ -249,7 +240,6 @@ services:
       restart: always
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       networks:
         mailcow-network:
           ipv4_address: 172.22.1.251
@@ -264,7 +254,6 @@ services:
       init: true
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       environment:
         - ADDITIONAL_SAN=${ADDITIONAL_SAN}
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
@@ -278,7 +267,6 @@ services:
         - ./data/assets/ssl:/var/lib/acme/:rw
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
         - /var/run/docker.sock:/var/run/docker.sock:ro
-      # do not restart the container too often. Things get worse when we hit let's encrypt's ratelimit.
       restart: always
       networks:
         mailcow-network:
@@ -299,11 +287,10 @@ services:
       init: true
       environment:
         - TZ=${TZ}
-        - SKIP_FAIL2BAN=${SKIP_FAIL2BAN:-no}
+        - SKIP_FAIL2BAN=${SKIP_FAIL2BAN:-n}
       network_mode: "host"
       dns:
         - 172.22.1.254
-      dns_search: mailcow-network
       volumes:
         - /lib/modules:/lib/modules:ro
 
@@ -313,6 +300,7 @@ services:
       init: false
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock:ro
+        - vmail-vol-1:/vmail:ro
       restart: always
       environment:
         - DBNAME=${DBNAME}

From ea5aa261c9ae303a24225f4af96bf5bcdba36f30 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 23:23:11 +0200
Subject: [PATCH 12/84] [Unbound] Define mailcow ip6 as private

---
 data/conf/unbound/unbound.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf
index e32e0f41..a668d0d8 100644
--- a/data/conf/unbound/unbound.conf
+++ b/data/conf/unbound/unbound.conf
@@ -19,6 +19,7 @@ server:
   private-address: 169.254.0.0/16
   private-address: fd00::/8
   private-address: fe80::/10
+  private-address: fd4d:6169:6c63:6f77::/64
   root-hints: "/etc/unbound/root.hints"
   hide-identity: yes
   hide-version: yes

From fd1955edcad2862ff4c1d3a5f3f0cc4d9546ea63 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 23:24:39 +0200
Subject: [PATCH 13/84] [Fail2ban] Add variable name

---
 data/Dockerfiles/fail2ban/logwatch.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/fail2ban/logwatch.py b/data/Dockerfiles/fail2ban/logwatch.py
index 6fc852ac..f1954489 100644
--- a/data/Dockerfiles/fail2ban/logwatch.py
+++ b/data/Dockerfiles/fail2ban/logwatch.py
@@ -14,7 +14,7 @@ import json
 
 yes_regex = re.compile(r'([yY][eE][sS]|[yY])+$')
 if re.search(yes_regex, os.getenv('SKIP_FAIL2BAN', 0)):
-	print "Skipping Fail2ban container..."
+	print "SKIP_FAIL2BAN=y, Skipping Fail2ban container..."
 	time.sleep(31536000)
 	raise SystemExit
 

From f511cb0f6341cb7f402d615fc5645af3c9fb7fa2 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 23:24:56 +0200
Subject: [PATCH 14/84] [Watchdog] More fixes and or changes

---
 data/Dockerfiles/watchdog/Dockerfile  |  1 +
 data/Dockerfiles/watchdog/watchdog.sh | 85 +++++++++++++--------------
 2 files changed, 41 insertions(+), 45 deletions(-)
 mode change 100755 => 100644 data/Dockerfiles/watchdog/watchdog.sh

diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index b6d52fe9..945f3929 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -14,6 +14,7 @@ RUN apk add --update \
 	fcgi \
 	nagios-plugins-mysql \
 	nagios-plugins-dns \
+    nagios-plugins-disk \
 	bind-tools
 
 COPY watchdog.sh /watchdog.sh
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
old mode 100755
new mode 100644
index 917553ba..77ea1a4d
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -22,15 +22,9 @@ progress() {
   [[ -z ${TOTAL} || -z ${CURRENT} ]] && return
   [[ ${CURRENT} -gt ${TOTAL} ]] && return
   [[ ${CURRENT} -lt 0 ]] && CURRENT=0
-  percent=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
-  completed=$(( ${percent} / 2 ))
-  remaining=$(( 50 - ${completed} ))
-  echo -ne "$(date) Health level: "
-  echo -n "["
-  printf "%0.s>" $(seq ${completed})
-  [[ ${remaining} != 0 ]] && printf "%0.s." $(seq ${remaining})
-  echo -en "] ${percent}% - Service: ${SERVICE}, health trend: "
-  [[ ${DIFF} =~ ^-[1-9] ]] && echo -en "\e[31mnegative \e[0m" || echo -en "\e[32mpositive \e[0m"
+  PERCENT=$(( 200 * ${CURRENT} / ${TOTAL} % 2 + 100 * ${CURRENT} / ${TOTAL} ))
+  echo -ne "$(date) - ${SERVICE} health level: \e[7m${PERCENT}%\e[0m (${CURRENT}/${TOTAL}), health trend: "
+  [[ ${DIFF} =~ ^-[1-9] ]] && echo -en '[\e[41m  \e[0m] ' || echo -en '[\e[42m  \e[0m] '
   echo "(${DIFF})"
 }
 
@@ -38,30 +32,32 @@ get_container_ip() {
   # ${1} is container
   CONTAINER_ID=
   CONTAINER_IP=
-  until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; do
+  LOOP_C=1
+  until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
     CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
     CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    LOOP_C=$((LOOP_C + 1))
   done
-  echo ${CONTAINER_IP}
+  [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
 }
 
 # Check functions
 nginx_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip nginx-mailcow)
   THRESHOLD=16
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip nginx-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_ping -4 -H ${HOST_IP} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u / -p 8081 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_ping -4 -H ${host_ip} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u / -p 8081 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Nginx" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -69,18 +65,18 @@ nginx_checks() {
 mysql_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip mysql-mailcow)
   THRESHOLD=12
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip mysql-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_mysql -H ${HOST_IP} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_mysql_query -H ${HOST_IP} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_mysql -H ${host_ip} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_mysql_query -H ${host_ip} -P 3306 -u ${DBUSER} -p ${DBPASS} -d ${DBNAME} -q "SELECT COUNT(*) FROM information_schema.tables" 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -88,18 +84,18 @@ mysql_checks() {
 sogo_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip sogo-mailcow)
   THRESHOLD=20
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip sogo-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -4 -H ${HOST_IP} -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -107,19 +103,19 @@ sogo_checks() {
 postfix_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip postfix-mailcow)
   THRESHOLD=16
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+  host_ip=$(get_container_ip postfix-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 25 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 25 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -127,21 +123,21 @@ postfix_checks() {
 dovecot_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip dovecot-mailcow)
   THRESHOLD=24
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip dovecot-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${HOST_IP} -p 24 -f "watchdog" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_imap -4 -H ${HOST_IP} -p 993 -S -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_imap -4 -H ${HOST_IP} -p 143 -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_tcp -4 -H ${HOST_IP} -p 10001 -e "VERSION" 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_tcp -4 -H ${HOST_IP} -p 4190 -e "Dovecot ready" 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 24 -f "watchdog" -C "RCPT TO:<watchdog@invalid>" -L -R "User doesn't exist" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 993 -S -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_imap -4 -H ${host_ip} -p 143 -e "OK " 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 10001 -e "VERSION" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_tcp -4 -H ${host_ip} -p 4190 -e "Dovecot ready" 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Dovecot" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -149,18 +145,18 @@ dovecot_checks() {
 phpfpm_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip php-fpm-mailcow)
-  THRESHOLD=12
+  THRESHOLD=10
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip php-fpm-mailcow)
     err_c_cur=${err_count}
-    cgi-fcgi -bind -connect ${HOST_IP}:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    /usr/lib/nagios/plugins/check_ping -4 -H ${HOST_IP} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    cgi-fcgi -bind -connect ${host_ip}:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    /usr/lib/nagios/plugins/check_ping -4 -H ${host_ip} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "PHP-FPM" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -168,19 +164,19 @@ phpfpm_checks() {
 dns_checks() {
   err_count=0
   diff_c=0
-  HOST_IP=$(get_container_ip unbound-mailcow)
   THRESHOLD=28
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip unbound-mailcow)
     err_c_cur=${err_count}
     /usr/lib/nagios/plugins/check_dns -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    /usr/lib/nagios/plugins/check_dns -s ${HOST_IP} -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    dig +dnssec org. @${HOST_IP} | grep -E 'flags:.+ad' 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    sleep $(( ( RANDOM % 30 )  + 10 ))
+    /usr/lib/nagios/plugins/check_dns -s ${host_ip} -H google.com 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    dig +dnssec org. @${host_ip} | grep -E 'flags:.+ad' 1>&2; err_count=$(( ${err_count} + ($? * 2)))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Unbound" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
 }
@@ -287,4 +283,3 @@ while true; do
     kill -USR1 ${BACKGROUND_TASKS[*]}
   fi
 done
-

From 41d2a1657176ac75eee6c19df49286a7abf7eb46 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 20 Sep 2017 23:36:04 +0200
Subject: [PATCH 15/84] [Watchdog] Script was not executable

---
 data/Dockerfiles/watchdog/watchdog.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 data/Dockerfiles/watchdog/watchdog.sh

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
old mode 100644
new mode 100755

From ab850dc901eddf26f9a6f2852efb037206c823d8 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 09:46:09 +0200
Subject: [PATCH 16/84] [ACME] Detect and fix invalid registration

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 36 ++++++++++++++--------
 docker-compose.yml                         |  2 +-
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 36a31cf3..2cfe8224 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -1,4 +1,6 @@
 #!/bin/bash
+set -o pipefail
+exec 5>&1
 
 ACME_BASE=/var/lib/acme
 SSL_EXAMPLE=/var/lib/ssl-example
@@ -66,6 +68,7 @@ else
 			echo "Restoring previous acme certificate and restarting script..."
 			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+      # Restarting with env var set to trigger a restart,
 			exec env TRIGGER_RESTART=1 $(readlink -f "$0")
 		fi
 	ISSUER="mailcow"
@@ -183,12 +186,12 @@ while true; do
 		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
 	fi
 
-	acme-client \
-		-v -e -b -N -n \
-		-f ${ACME_BASE}/acme/private/account.key \
-		-k ${ACME_BASE}/acme/private/privkey.pem \
-		-c ${ACME_BASE}/acme \
-		${ALL_VALIDATED[*]}
+  ACME_RESPONSE=$(acme-client \
+    -v -e -b -N -n \
+    -f ${ACME_BASE}/acme/private/account.key \
+    -k ${ACME_BASE}/acme/private/privkey.pem \
+    -c ${ACME_BASE}/acme \
+    ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
 
 	case "$?" in
 		0) # new certs
@@ -205,12 +208,18 @@ while true; do
 			restart_containers ${CONTAINERS_RESTART[*]}
 			;;
 		1) # failure
-			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+      if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
+        echo "Registration keys are invalid, deleting old keys and restarting..."
+        rm ${ACME_BASE}/acme/private/account.key
+        rm ${ACME_BASE}/acme/private/privkey.pem
+        exec $(readlink -f "$0")
+      fi
+      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
 				echo "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
-            elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+      elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
 				echo "Error requesting certificate, restoring from previous acme request and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
@@ -226,20 +235,21 @@ while true; do
 			echo "Retrying in 30 minutes..."
 			sleep 30m
 			exec $(readlink -f "$0")
-            ;;
+      ;;
 		2) # no change
 			if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
 				echo "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				restart_containers ${CONTAINERS_RESTART[*]}
+				TRIGGER_RESTART=1
 			fi
 			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
 				echo "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				restart_containers ${CONTAINERS_RESTART[*]}
+				TRIGGER_RESTART=1
 			fi
+			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
 			;;
 		*) # unspecified
 			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
@@ -260,7 +270,9 @@ while true; do
 				TRIGGER_RESTART=1
 			fi
 			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			sleep 3650d
+			echo "Retrying in 30 minutes..."
+			sleep 30m
+			exec $(readlink -f "$0")
 			;;
 	esac
 
diff --git a/docker-compose.yml b/docker-compose.yml
index 74114be2..62f0af86 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -249,7 +249,7 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.18
+      image: mailcow/acme:1.19
       build: ./data/Dockerfiles/acme
       init: true
       dns:

From 9a58bb16202a8d17a47869615bfb9f37ae37d5df Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 19:23:51 +0200
Subject: [PATCH 17/84] [Compose] New image versions due to watchdog

---
 docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 62f0af86..28c566ef 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,7 +72,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: mailcow/rspamd:1.8
+      image: mailcow/rspamd:1.9
       build: ./data/Dockerfiles/rspamd
       command: "/usr/bin/rspamd -f -u _rspamd -g _rspamd"
       depends_on:
@@ -181,7 +181,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.4
+      image: mailcow/postfix:1.5
       build: ./data/Dockerfiles/postfix
       volumes:
         - ./data/conf/postfix:/opt/postfix/conf
@@ -295,7 +295,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.0
+      image: mailcow/watchdog:1.1
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:

From fd3b2e5f168d2fad2f2109c43441d64e82e75c11 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 19:25:17 +0200
Subject: [PATCH 18/84] [Rspamd] Changes to ignore watchdog checks

---
 data/conf/rspamd/dynmaps/settings.php | 12 ++++++++++++
 data/conf/rspamd/lua/rspamd.local.lua |  6 +++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/data/conf/rspamd/dynmaps/settings.php b/data/conf/rspamd/dynmaps/settings.php
index 552918e1..335c0c66 100644
--- a/data/conf/rspamd/dynmaps/settings.php
+++ b/data/conf/rspamd/dynmaps/settings.php
@@ -97,6 +97,18 @@ function ucl_rcpts($object, $type) {
 }
 ?>
 settings {
+	watchdog {
+		priority = 10;
+		rcpt = "/null@localhost/i";
+		from = "/watchdog@localhost/i";
+		apply "default" {
+			actions {
+				reject = 9999.0;
+				greylist = 9998.0;
+				"add header" = 9997.0;
+			}
+		}
+	}
 <?php
 
 /*
diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index d44f0feb..c1a8f48f 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -110,11 +110,11 @@ rspamd_config:register_symbol({
 })
 
 rspamd_config:register_symbol({
-  name = 'NO_LOG_STAT_MAILFLOW',
+  name = 'NO_LOG_STAT',
   type = 'postfilter',
   callback = function(task)
-    local sender = task:get_header('From')
-    if sender == 'monitoring-system@everycloudtech.us' then
+    local from = task:get_header('From')
+    if from and (from == 'monitoring-system@everycloudtech.us' or from == 'watchdog@localhost') then
       task:set_flag('no_log')
       task:set_flag('no_stat')
     end

From edb2be979bb9dc16c2f3536974abe695c77c66af Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 19:25:43 +0200
Subject: [PATCH 19/84] [Postfix] Changes to ignore watchdog checks

---
 data/conf/postfix/master.cf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index 955728d1..d494637c 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -44,6 +44,8 @@ anvil      unix  -       -       n       -       1       anvil
 scache     unix  -       -       n       -       1       scache
 maildrop   unix  -       n       n       -       -       pipe flags=DRhu
     user=vmail argv=/usr/bin/maildrop -d ${recipient}
+
+# start zeyple
 zeyple    unix  -       n       n       -       -       pipe
   user=zeyple argv=/usr/local/bin/zeyple.py ${recipient}
 127.0.0.1:10026 inet  n       -       n       -       10      smtpd
@@ -55,5 +57,21 @@ zeyple    unix  -       n       n       -       -       pipe
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
+# end zeyple
 
+# start whitelist_fwd
 127.0.0.1:10027 inet n n n - 0 spawn user=nobody argv=/usr/local/bin/whitelist_forwardinghosts.sh
+# end whitelist_fwd
+
+# start watchdog-specific
+589 inet n      -       n       -       -       smtpd
+  -o smtpd_client_restrictions=permit_mynetworks,reject
+  -o syslog_name=watchdog
+  -o smtpd_milters=
+  -o non_smtpd_milters=
+  -o queue_service_name=watchdog_qmgr
+  -o local_transport=discard
+  -o default_transport=discard
+watchdog_qmgr fifo  n       -       n       300     1       qmgr
+  -o syslog_facility=local0
+# end watchdog-specific

From 62524150d280954ba8a214ae89c4a11175dde27e Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 19:30:03 +0200
Subject: [PATCH 20/84] [ACME] Add timestamps, check if acme account key is
 valid [Postfix] Ignore local0 [Watchdog] Add Rspamd checks

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 114 +++++++++++----------
 data/Dockerfiles/postfix/syslog-ng.conf    |   2 +
 data/Dockerfiles/watchdog/watchdog.sh      |  45 +++++++-
 3 files changed, 103 insertions(+), 58 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 2cfe8224..02aae4f6 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -16,14 +16,18 @@ restart_containers(){
 	done
 }
 
+log_f() {
+  echo "$(date) - ${1}"
+}
+
 verify_hash_match(){
 	CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
 	KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
 	if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
-		echo "Certificate and key hashes do not match!"
+		log_f "Certificate and key hashes do not match!"
 		return 1
 	else
-		echo "Verified hashes."
+		log_f "Verified hashes."
 		return 0
 	fi
 }
@@ -33,7 +37,7 @@ get_ipv4(){
   local IPV4_SRCS=
   local TRY=
   IPV4_SRCS[0]="api.ipify.org"
-  IPV4_SRCS[1]="ifconfig.co"
+  IPV4_SRCS[1]="ifconfig.co"-
   IPV4_SRCS[2]="icanhazip.com"
   IPV4_SRCS[3]="v4.ident.me"
   IPV4_SRCS[4]="ipecho.net/plain"
@@ -51,7 +55,7 @@ get_ipv4(){
 if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then
 	ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
 	if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
-		echo "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
+		log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
 		sleep 3650d
 		exec $(readlink -f "$0")
 	else
@@ -59,21 +63,21 @@ if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then
 		SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
 		if [[ ! -z ${SAN_NAMES} ]]; then
 			IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
-			echo "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
+			log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
 		fi
 	fi
 else
 	if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
 		if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
-			echo "Restoring previous acme certificate and restarting script..."
+			log_f "Restoring previous acme certificate and restarting script..."
 			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-      # Restarting with env var set to trigger a restart,
+			# Restarting with env var set to trigger a restart,
 			exec env TRIGGER_RESTART=1 $(readlink -f "$0")
 		fi
 	ISSUER="mailcow"
 	else
-		echo "Restoring mailcow snake-oil certificates and restarting script..."
+		log_f "Restoring mailcow snake-oil certificates and restarting script..."
 		cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
 		cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
 		exec env TRIGGER_RESTART=1 $(readlink -f "$0")
@@ -82,7 +86,7 @@ fi
 
 while true; do
 	if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-		echo "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
+		log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
 		sleep 365d
 		exec $(readlink -f "$0")
 	fi
@@ -110,42 +114,42 @@ while true; do
 	for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
 		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
 		if [[ ! -z ${A_CONFIG} ]]; then
-			echo "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
+			log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
 			if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				echo "Confirmed A record autoconfig.${SQL_DOMAIN}"
+				log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
 				VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
 			else
-				echo "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
+				log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
 			fi
 		else
-			echo "No A record for autoconfig.${SQL_DOMAIN} found"
+			log_f "No A record for autoconfig.${SQL_DOMAIN} found"
 		fi
 
         A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
 		if [[ ! -z ${A_DISCOVER} ]]; then
-			echo "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
+			log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
 			if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				echo "Confirmed A record autodiscover.${SQL_DOMAIN}"
+				log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
 				VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
 			else
-				echo "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
+				log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
 			fi
 		else
-			echo "No A record for autodiscover.${SQL_DOMAIN} found"
+			log_f "No A record for autodiscover.${SQL_DOMAIN} found"
 		fi
 	done
 
 	A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
 	if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
-		echo "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
+		log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
 		if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-			echo "Confirmed A record ${MAILCOW_HOSTNAME}"
+			log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
 			VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 		else
-			echo "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
+			log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
 		fi
 	else
-		echo "No A record for ${MAILCOW_HOSTNAME} found"
+		log_f "No A record for ${MAILCOW_HOSTNAME} found"
 	fi
 
 	for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
@@ -154,23 +158,23 @@ while true; do
 		fi
 		A_SAN=$(dig A ${SAN} +short | tail -n 1)
 		if [[ ! -z ${A_SAN} ]]; then
-			echo "Found A record for ${SAN}: ${A_SAN}"
+			log_f "Found A record for ${SAN}: ${A_SAN}"
 			if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				echo "Confirmed A record ${SAN}"
+				log_f "Confirmed A record ${SAN}"
 				ADDITIONAL_VALIDATED_SAN+=("${SAN}")
 			else
-				echo "Cannot match your IP against hostname ${SAN}"
+				log_f "Cannot match your IP against hostname ${SAN}"
 			fi
 		else
-			echo "No A record for ${SAN} found"
+			log_f "No A record for ${SAN} found"
 		fi
 	done
 
   # Unique elements
 	ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
 	if [[ -z ${ALL_VALIDATED[*]} ]]; then
-		echo "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
-		echo "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
+		log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
+		log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
 		sleep 1h
 		exec $(readlink -f "$0")
 	fi
@@ -178,7 +182,7 @@ while true; do
 	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
 	if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
 		DATE=$(date +%Y-%m-%d_%H_%M_%S)
-		echo "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
+		log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
 		mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
 		[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
 		[[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
@@ -186,12 +190,12 @@ while true; do
 		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
 	fi
 
-  ACME_RESPONSE=$(acme-client \
-    -v -e -b -N -n \
-    -f ${ACME_BASE}/acme/private/account.key \
-    -k ${ACME_BASE}/acme/private/privkey.pem \
-    -c ${ACME_BASE}/acme \
-    ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
+	ACME_RESPONSE=$(acme-client \
+		-v -e -b -N -n \
+		-f ${ACME_BASE}/acme/private/account.key \
+		-k ${ACME_BASE}/acme/private/privkey.pem \
+		-c ${ACME_BASE}/acme \
+		${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
 
 	case "$?" in
 		0) # new certs
@@ -201,50 +205,50 @@ while true; do
 
 			# restart docker containers
 			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				echo "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
+				log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
 				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
 				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
 			fi
 			restart_containers ${CONTAINERS_RESTART[*]}
 			;;
 		1) # failure
-      if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
-        echo "Registration keys are invalid, deleting old keys and restarting..."
-        rm ${ACME_BASE}/acme/private/account.key
-        rm ${ACME_BASE}/acme/private/privkey.pem
-        exec $(readlink -f "$0")
-      fi
-      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				echo "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+			if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
+				log_f "Registration keys are invalid, deleting old keys and restarting..."
+				rm ${ACME_BASE}/acme/private/account.key
+				rm ${ACME_BASE}/acme/private/privkey.pem
+				exec $(readlink -f "$0")
+			fi
+			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
-      elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				echo "Error requesting certificate, restoring from previous acme request and restarting containers..."
+			elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
 			fi
 			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				echo "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
+				log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
 				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
 				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
 			fi
 			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			echo "Retrying in 30 minutes..."
+			log_f "Retrying in 30 minutes..."
 			sleep 30m
 			exec $(readlink -f "$0")
-      ;;
+			;;
 		2) # no change
 			if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
-				echo "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
+				log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
 			fi
 			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				echo "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
+				log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
@@ -253,30 +257,30 @@ while true; do
 			;;
 		*) # unspecified
 			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				echo "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
             elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				echo "Error requesting certificate, restoring from previous acme request and restarting containers..."
+				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
 				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
 				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
 			fi
 			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				echo "Error verifying certificates, restoring mailcow snake-oil..."
+				log_f "Error verifying certificates, restoring mailcow snake-oil..."
 				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
 				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
 				TRIGGER_RESTART=1
 			fi
 			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			echo "Retrying in 30 minutes..."
+			log_f "Retrying in 30 minutes..."
 			sleep 30m
 			exec $(readlink -f "$0")
 			;;
 	esac
 
-	echo "ACME certificate validation done. Sleeping for another day."
+	log_f "ACME certificate validation done. Sleeping for another day."
 	sleep 1d
 
 done
diff --git a/data/Dockerfiles/postfix/syslog-ng.conf b/data/Dockerfiles/postfix/syslog-ng.conf
index cfb76a16..bf5509c0 100644
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -39,8 +39,10 @@ destination d_redis_cleanup {
   );
 };
 filter f_mail { facility(mail); };
+filter f_skip_local { facility (local0, local1, local2, local3, local4, local5, local6, local7); };
 log {
   source(s_src);
+  filter(f_skip_local);
   destination(d_stdout);
   filter(f_mail);
   destination(d_redis_ui_log);
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 77ea1a4d..a1f7a096 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -109,9 +109,8 @@ postfix_checks() {
   while [ ${err_count} -lt ${THRESHOLD} ]; do
   host_ip=$(get_container_ip postfix-mailcow)
     err_c_cur=${err_count}
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 25 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 588 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 587 -S 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -S 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -161,6 +160,36 @@ phpfpm_checks() {
   return 1
 }
 
+rspamd_checks() {
+  err_count=0
+  diff_c=0
+  THRESHOLD=10
+  # Reduce error count by 2 after restarting an unhealthy container
+  trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
+  while [ ${err_count} -lt ${THRESHOLD} ]; do
+    host_ip=$(get_container_ip rspamd-mailcow)
+    err_c_cur=${err_count}
+    SCORE=$(curl --silent ${host_ip}:11333/scan -d '
+To: null@localhost
+From: watchdog@localhost
+
+Empty
+' | jq -rc .required_score)
+    if [[ ${SCORE} != "9999" ]]; then
+      echo "Rspamd settings check failed" 1>&2
+      err_count=$(( ${err_count} + 1))
+    else
+      echo "Rspamd settings check succeeded" 1>&2
+    fi
+    /usr/lib/nagios/plugins/check_ping -4 -H ${host_ip} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
+    [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
+    [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
+    progress "Rspamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    sleep $(( ( RANDOM % 30 )  + 10 ))
+  done
+  return 1
+}
+
 dns_checks() {
   err_count=0
   diff_c=0
@@ -252,6 +281,16 @@ done
 ) &
 BACKGROUND_TASKS+=($!)
 
+(
+while true; do
+  if ! rspamd_checks; then
+    echo -e "\e[31m$(date) - Rspamd hit error limit\e[0m"
+    echo rspamd-mailcow > /tmp/com_pipe
+  fi
+done
+) &
+BACKGROUND_TASKS+=($!)
+
 # Monitor watchdog agents, stop script when agents fails and wait for respawn by Docker (restart:always:n)
 (
 while true; do

From f257ed92f5783079bfd55a2dfd55f686a948e6bf Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 21 Sep 2017 22:21:11 +0200
Subject: [PATCH 21/84] [Rspamd] Add missing ratelimit.conf

---
 data/conf/rspamd/override.d/ratelimit.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 data/conf/rspamd/override.d/ratelimit.conf

diff --git a/data/conf/rspamd/override.d/ratelimit.conf b/data/conf/rspamd/override.d/ratelimit.conf
new file mode 100644
index 00000000..3c0a55c3
--- /dev/null
+++ b/data/conf/rspamd/override.d/ratelimit.conf
@@ -0,0 +1,14 @@
+rates {
+    # Format: "1 / 1h" or "20 / 1m" etc. - global ratelimits are disabled by default
+    to = "100 / 1s";
+    to_ip = "100 / 1s";
+    to_ip_from = "100 / 1s";
+    bounce_to = "100 / 1s";
+    bounce_to_ip = "100 / 1s";
+    user = "100 / 1s";
+}
+whitelisted_rcpts = "postmaster,mailer-daemon";
+max_rcpt = 5;
+custom_keywords = "/etc/rspamd/custom/ratelimit.lua";
+user_keywords = ["user", "customrl"];
+dynamic_rates = { customrl = "customrl"}

From 337c9e350ef96652893f4f6b6f6fd709222479cc Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Fri, 22 Sep 2017 16:40:02 +0200
Subject: [PATCH 22/84] [Watchdog] Reset diff, new image

---
 data/Dockerfiles/watchdog/watchdog.sh | 8 ++++++++
 docker-compose.yml                    | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index a1f7a096..b02e19c8 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -57,6 +57,7 @@ nginx_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Nginx" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -76,6 +77,7 @@ mysql_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "MySQL/MariaDB" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -95,6 +97,7 @@ sogo_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -114,6 +117,7 @@ postfix_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Postfix" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -136,6 +140,7 @@ dovecot_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Dovecot" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -155,6 +160,7 @@ phpfpm_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "PHP-FPM" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -185,6 +191,7 @@ Empty
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Rspamd" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
@@ -205,6 +212,7 @@ dns_checks() {
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "Unbound" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
+    diff_c=0
     sleep $(( ( RANDOM % 30 )  + 10 ))
   done
   return 1
diff --git a/docker-compose.yml b/docker-compose.yml
index 28c566ef..e7c2c43d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -295,7 +295,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.1
+      image: mailcow/watchdog:1.2
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:

From c731a18f661d4c782e09104cecb3744fd023e874 Mon Sep 17 00:00:00 2001
From: Michael Kuron <m.kuron@gmx.de>
Date: Tue, 26 Sep 2017 22:11:01 +0200
Subject: [PATCH 23/84] =?UTF-8?q?Preliminary=20support=20for=20Outlook=202?=
 =?UTF-8?q?016=E2=80=99s=20autodiscover.json?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 data/conf/nginx/site.conf      | 16 ++++++++++++++++
 data/web/autodiscover-json.php | 23 +++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 data/web/autodiscover-json.php

diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 5e47aa8b..1b5a8a3e 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -86,6 +86,14 @@ server {
     try_files /autodiscover.php =404;
   }
 
+  location ~* ^/Autodiscover/Autodiscover.json {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    try_files /autodiscover-json.php =404;
+  }
+
   location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     fastcgi_pass phpfpm:9000;
@@ -233,6 +241,14 @@ server {
     try_files /autodiscover.php =404;
   }
 
+  location ~* ^/Autodiscover/Autodiscover.json {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    try_files /autodiscover-json.php =404;
+  }
+
   location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
     fastcgi_pass phpfpm:9000;
diff --git a/data/web/autodiscover-json.php b/data/web/autodiscover-json.php
new file mode 100644
index 00000000..fea21593
--- /dev/null
+++ b/data/web/autodiscover-json.php
@@ -0,0 +1,23 @@
+<?php
+require_once 'inc/vars.inc.php';
+require_once 'inc/functions.inc.php';
+$default_autodiscover_config = $autodiscover_config;
+if(file_exists('inc/vars.local.inc.php')) {
+  include_once 'inc/vars.local.inc.php';
+}
+$autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
+
+header('Content-type: application/json');
+
+$domain_dot = strpos($_SERVER['HTTP_HOST'], '.');
+$domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1);
+
+if ($_GET['Protocol'] == 'ActiveSync') {
+  echo '{"Protocol":"ActiveSync","Url":"' . $autodiscover_config['activesync']['url'] . '"}';
+} elseif ($_GET['Protocol'] == 'AutodiscoverV1') {
+  echo '{"Protocol":"AutodiscoverV1","Url":"https://autodiscover.' . $domain . '/autodiscover/autodiscover.xml"}';
+} else {
+  http_response_code(400);
+  echo '{"ErrorCode":"InvalidProtocol","ErrorMessage":"The given protocol value \u0027' . $_GET['Protocol'] . '\u0027 is invalid. Supported values are \u0027ActiveSync,AutodiscoverV1\u0027"}';
+}
+?>
\ No newline at end of file

From ae79445ec05a243666ec42232db775560ba665a5 Mon Sep 17 00:00:00 2001
From: Michael Kuron <m.kuron@gmx.de>
Date: Wed, 27 Sep 2017 19:48:25 +0200
Subject: [PATCH 24/84] ACME needs to wait for MySQL to be ready

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 5 +++++
 docker-compose.yml                         | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 2cfe8224..f5830ce0 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -80,6 +80,11 @@ else
 	fi
 fi
 
+while ! mysqladmin ping --host mysql -u${DBUSER} -p${DBPASS} --silent; do
+	echo "Waiting for database to come up..."
+	sleep 2
+done
+
 while true; do
 	if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 		echo "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
diff --git a/docker-compose.yml b/docker-compose.yml
index 62f0af86..28847e8e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -249,7 +249,8 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.19
+        - mysql-mailcow
+      image: mailcow/acme:1.20
       build: ./data/Dockerfiles/acme
       init: true
       dns:

From 7cb3c416cbe6c6cebeb7ea20e0d1b16043ae275f Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 1 Oct 2017 20:34:37 +0200
Subject: [PATCH 25/84] Merge fix for prereq path

---
 data/web/inc/prerequisites.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index eef9dbd9..1f92e1fb 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -74,4 +74,4 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.inc.php';
 init_db_schema();
 if (isset($_SESSION['mailcow_cc_role'])) {
   set_acl();
-}
\ No newline at end of file
+}

From a837c9ab531b20adb9b2e2c7dfbbf7b5904c01d1 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 15:58:55 +0200
Subject: [PATCH 26/84] [Web] Better fkey handling in init_db; set body font
 size to 11pt instead of 14px; Changes to autodiscover functions

---
 data/web/autodiscover.php    | 24 ++++++++++++++----------
 data/web/css/mailcow.css     |  3 +++
 data/web/inc/init_db.inc.php | 18 ++++++++++--------
 data/web/inc/vars.inc.php    |  6 ++++--
 4 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 551cc6dc..e7c5f969 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -15,16 +15,20 @@ error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));
 
-// Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
-if (strpos($data, 'autodiscover/outlook/responseschema') !== false) { // desktop client
-  $autodiscover_config['autodiscoverType'] = 'imap';
-  if ($autodiscover_config['useEASforOutlook'] == 'yes' &&
-    // Office for macOS does not support EAS
-    strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
-    // Outlook 2013 (version 15) or higher
-    preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])
-  ) {
-    $autodiscover_config['autodiscoverType'] = 'activesync';
+if ($autodiscover_config['autodiscoverType'] == 'activesync') {
+  if (preg_match("/Outlook/i", $_SERVER['HTTP_USER_AGENT'])) {
+    if ($autodiscover_config['useEASforOutlook'] == 'yes') {
+      preg_match("/^((?!.*Mac).)*(Outlook|Office).+1[5-9].*/i", $_SERVER['HTTP_USER_AGENT'], $supported_outlook);
+      if (empty($supported_outlook)) {
+        $autodiscover_config['autodiscoverType'] = 'imap';
+      }
+    }
+    else {
+      $autodiscover_config['autodiscoverType'] = 'imap';
+    }
+  }
+  if (preg_match("/emClient/i", $_SERVER['HTTP_USER_AGENT'])) {
+    $autodiscover_config['autodiscoverType'] = 'imap';
   }
 }
 
diff --git a/data/web/css/mailcow.css b/data/web/css/mailcow.css
index eeade3c7..e3356ee7 100644
--- a/data/web/css/mailcow.css
+++ b/data/web/css/mailcow.css
@@ -83,6 +83,9 @@ body.modal-open {
   overflow: inherit;
   padding-right: inherit !important;
 }
+body {
+  font-size:11pt;
+}
 #mailcow-alert {
   position: fixed;
   bottom: 8px;
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index 32418534..e2d18517 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "15092017_0754";
+    $db_version = "02102017_0748";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); 
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -498,6 +498,13 @@ function init_db_schema() {
       $stmt = $pdo->query("SHOW TABLES LIKE '" . $table . "'"); 
       $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
       if ($num_results != 0) {
+        $stmt = $pdo->prepare("SELECT CONCAT('ALTER TABLE ', `table_schema`, '.', `table_name`, ' DROP FOREIGN KEY ', `constraint_name`, ';') AS `FKEY_DROP` FROM `information_schema`.`table_constraints`
+          WHERE `constraint_type` = 'FOREIGN KEY' AND `table_name` = :table;");
+        $stmt->execute(array(':table' => $table));
+        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+        while ($row = array_shift($rows)) {
+          $pdo->query($row['FKEY_DROP']);
+        }
         foreach($properties['cols'] as $column => $type) {
           $stmt = $pdo->query("SHOW COLUMNS FROM `" . $table . "` LIKE '" . $column . "'"); 
           $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -542,7 +549,7 @@ function init_db_schema() {
               $stmt = $pdo->query("SHOW KEYS FROM `" . $table . "` WHERE Key_name = '" . $key_name . "'"); 
               $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
               if ($num_results != 0) {
-                $pdo->query("ALTER TABLE `" . $table . "` DROP FOREIGN KEY `" . $key_name . "`");
+                $pdo->query("ALTER TABLE `" . $table . "` DROP INDEX `" . $key_name . "`");
               }
               @list($table_ref, $field_ref) = explode('.', $key_values['ref']);
               $pdo->query("ALTER TABLE `" . $table . "` ADD FOREIGN KEY `" . $key_name . "` (" . $key_values['col'] . ") REFERENCES `" . $table_ref . "` (`" . $field_ref . "`)
@@ -582,12 +589,7 @@ function init_db_schema() {
         // Step 2: Drop all vanished indexes
         while ($row = array_shift($keys_in_table)) {
           if (!in_array($row['Key_name'], $keys_to_exist)) {
-            try {
-              $pdo->query("ALTER TABLE `" . $table . "` DROP FOREIGN KEY `" . $row['Key_name'] . "`");
-            }
-            finally {
-              $pdo->query("ALTER TABLE `" . $table . "` DROP INDEX `" . $row['Key_name'] . "`");
-            }
+            $pdo->query("ALTER TABLE `" . $table . "` DROP INDEX `" . $row['Key_name'] . "`");
           }
         }
         // Step 3: Drop all vanished primary keys
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index dfb40bea..76448a0d 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -30,10 +30,12 @@ if ($https_port === FALSE) {
 //$https_port = 1234;
 // Other settings =>
 $autodiscover_config = array(
-  // Enable the autodiscover service for Outlook desktop clients
-  'useEASforOutlook' => 'yes',
   // General autodiscover service type: "activesync" or "imap"
+  // emClient uses autodiscover, but does not support ActiveSync. mailcow excludes emClient from ActiveSync.
   'autodiscoverType' => 'activesync',
+  // If autodiscoverType => activesync, also use ActiveSync (EAS) for Outlook desktop clients (>= Outlook 2013 on Windows)
+  // Outlook for Mac does not support ActiveSync
+  'useEASforOutlook' => 'yes',
   // Please don't use STARTTLS-enabled service ports in the "port" variable.
   // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
   // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.

From 64c9691798338bf3930c3a67b6b99ac410f5b9fc Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 19:07:14 +0200
Subject: [PATCH 27/84] [Web] Autodiscover fixes

---
 data/web/autodiscover.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index e7c5f969..2ee6b4bb 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -27,7 +27,7 @@ if ($autodiscover_config['autodiscoverType'] == 'activesync') {
       $autodiscover_config['autodiscoverType'] = 'imap';
     }
   }
-  if (preg_match("/emClient/i", $_SERVER['HTTP_USER_AGENT'])) {
+  if (preg_match("/eM Client/i", $_SERVER['HTTP_USER_AGENT'])) {
     $autodiscover_config['autodiscoverType'] = 'imap';
   }
 }

From 9c37cd76e5d11eb7150d4afbdf39db1bc461a468 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 21:47:31 +0200
Subject: [PATCH 28/84] [Web] Autodiscover logs

---
 data/web/admin.php                            |  19 +++
 data/web/autodiscover.php                     |  60 ++++++++-
 .../inc/functions.autoconfiguration.inc.php   | 119 ++++++++++++++++++
 data/web/inc/functions.inc.php                |   8 ++
 data/web/js/admin.js                          |  51 ++++++++
 data/web/json_api.php                         |  14 +++
 6 files changed, 269 insertions(+), 2 deletions(-)
 create mode 100644 data/web/inc/functions.autoconfiguration.inc.php

diff --git a/data/web/admin.php b/data/web/admin.php
index 1a84d410..6347cd7e 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -24,6 +24,7 @@ $tfa_data = get_tfa();
     <li role="presentation"><a href="#tab-sogo-logs" aria-controls="tab-sogo-logs" role="tab" data-toggle="tab">SOGo</a></li>
     <li role="presentation"><a href="#tab-fail2ban-logs" aria-controls="tab-fail2ban-logs" role="tab" data-toggle="tab">Fail2ban</a></li>
     <li role="presentation"><a href="#tab-rspamd-history" aria-controls="tab-rspamd-history" role="tab" data-toggle="tab">Rspamd</a></li>
+    <li role="presentation"><a href="#tab-autodiscover-logs" aria-controls="tab-autodiscover-logs" role="tab" data-toggle="tab">Autodiscover</a></li>
     </ul>
     </li>
   </ul>
@@ -469,6 +470,24 @@ XYZ
     </div>
   </div>
 
+  <div role="tabpanel" class="tab-pane" id="tab-autodiscover-logs">
+    <div class="panel panel-default">
+      <div class="panel-heading">Autodiscover
+        <div class="btn-group pull-right">
+          <a class="btn btn-xs btn-default dropdown-toggle" data-toggle="dropdown" href="#"><?=$lang['admin']['action'];?> <span class="caret"></span></a>
+          <ul class="dropdown-menu">
+            <li><a href="#" id="refresh_autodiscover_log"><?=$lang['admin']['refresh'];?></a></li>
+          </ul>
+        </div>
+      </div>
+      <div class="panel-body">
+        <div class="table-responsive">
+          <table class="table table-striped table-condensed" id="autodiscover_log"></table>
+        </div>
+      </div>
+    </div>
+  </div>
+
   </div>
 </div> <!-- /container -->
 <?php
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 2ee6b4bb..69324f8b 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -16,7 +16,7 @@ error_reporting(0);
 $data = trim(file_get_contents("php://input"));
 
 if ($autodiscover_config['autodiscoverType'] == 'activesync') {
-  if (preg_match("/Outlook/i", $_SERVER['HTTP_USER_AGENT'])) {
+  if (preg_match("/(Outlook|Office)/i", $_SERVER['HTTP_USER_AGENT'])) {
     if ($autodiscover_config['useEASforOutlook'] == 'yes') {
       preg_match("/^((?!.*Mac).)*(Outlook|Office).+1[5-9].*/i", $_SERVER['HTTP_USER_AGENT'], $supported_outlook);
       if (empty($supported_outlook)) {
@@ -43,6 +43,25 @@ $login_user = strtolower(trim($_SERVER['PHP_AUTH_USER']));
 $login_role = check_login($login_user, $_SERVER['PHP_AUTH_PW']);
 
 if (!isset($_SERVER['PHP_AUTH_USER']) OR $login_role !== "user") {
+  try {
+    $json = json_encode(
+      array(
+        "time" => time(),
+        "ua" => $_SERVER['HTTP_USER_AGENT'],
+        "user" => "none",
+        "service" => "Error: must be authenticated"
+      )
+    );
+    $redis->lPush('AUTODISCOVER_LOG', $json);
+    $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+  }
+  catch (RedisException $e) {
+    $_SESSION['return'] = array(
+      'type' => 'danger',
+      'msg' => 'Redis: '.$e
+    );
+    return false;
+  }
   header('WWW-Authenticate: Basic realm=""');
   header('HTTP/1.0 401 Unauthorized');
   exit(0);
@@ -56,6 +75,25 @@ else {
 <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <?php
       if(!$data) {
+        try {
+          $json = json_encode(
+            array(
+              "time" => time(),
+              "ua" => $_SERVER['HTTP_USER_AGENT'],
+              "user" => $_SERVER['PHP_AUTH_USER'],
+              "service" => "Error: invalid or missing request data"
+            )
+          );
+          $redis->lPush('AUTODISCOVER_LOG', $json);
+          $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+        }
+        catch (RedisException $e) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'Redis: '.$e
+          );
+          return false;
+        }
         list($usec, $sec) = explode(' ', microtime());
 ?>
   <Response>
@@ -91,7 +129,25 @@ else {
       else {
         $displayname = $email;
       }
-
+      try {
+        $json = json_encode(
+          array(
+            "time" => time(),
+            "ua" => $_SERVER['HTTP_USER_AGENT'],
+            "user" => $_SERVER['PHP_AUTH_USER'],
+            "service" => $autodiscover_config['autodiscoverType']
+          )
+        );
+        $redis->lPush('AUTODISCOVER_LOG', $json);
+        $redis->lTrim('AUTODISCOVER_LOG', 0, 100);
+      }
+      catch (RedisException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'Redis: '.$e
+        );
+        return false;
+      }
       if ($autodiscover_config['autodiscoverType'] == 'imap') {
 ?>
   <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
diff --git a/data/web/inc/functions.autoconfiguration.inc.php b/data/web/inc/functions.autoconfiguration.inc.php
new file mode 100644
index 00000000..772475c7
--- /dev/null
+++ b/data/web/inc/functions.autoconfiguration.inc.php
@@ -0,0 +1,119 @@
+<?php
+function autoconfiguration($_action, $_type, $_data = null) {
+	global $pdo;
+	global $lang;
+  switch ($_action) {
+    case 'edit':
+      if (!isset($_SESSION['acl']['eas_autoconfig']) || $_SESSION['acl']['eas_autoconfig'] != "1" ) {
+        $_SESSION['return'] = array(
+        'type' => 'danger',
+        'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      switch ($_type) {
+        case 'autodiscover':
+          $objects = (array)$_data['object'];
+          foreach ($objects as $object) {
+            if (is_valid_domain_name($object) && hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
+              $exclude_regex = (isset($_data['exclude_regex'])) ? $_data['exclude_regex'] : null;
+              $exclude_regex = (isset($_data['exclude_regex'])) ? $_data['exclude_regex'] : null;
+              try {
+                $stmt = $pdo->prepare("SELECT COUNT(`domain`) AS `domain_c` FROM `autodiscover`
+                  WHERE `domain` = :domain");
+                $stmt->execute(array(':domain' => $object));
+                $num_results = $stmt->fetchColumn();
+                if ($num_results > 0) {
+                  $stmt = $pdo->prepare("SELECT COUNT(`domain`) AS `domain_c` FROM `autodiscover`
+                    WHERE `domain` = :domain");
+                }
+              }
+              catch(PDOException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'MySQL: '.$e
+                );
+                return false;
+              }
+            }
+            elseif (filter_var($object, FILTER_VALIDATE_EMAIL) === true && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $object)) {
+
+            }
+          }
+          $_SESSION['return'] = array(
+            'type' => 'success',
+            'msg' => sprintf($lang['success']['domain_modified'], htmlspecialchars(implode(', ', $objects)))
+          );
+        break;
+      }
+    break;
+    case 'get':
+      switch ($_type) {
+        case 'autodiscover':
+          $autodiscover = array();
+            if (is_valid_domain_name($_data) && hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+              try {
+                $stmt = $pdo->prepare("SELECT * FROM `autodiscover`
+                  WHERE `domain` = :domain");
+                $stmt->execute(array(':domain' => $_data));
+                $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+                while($row = array_shift($rows)) {
+                  $autodiscover['mailbox'] = $row['mailbox'];
+                  $autodiscover['domain'] = $row['domain'];
+                  $autodiscover['service'] = $row['service'];
+                  $autodiscover['exclude_regex'] = $row['exclude_regex'];
+                  $autodiscover['created'] = $row['created'];
+                  $autodiscover['modified'] = $row['modified'];
+                }
+              }
+              catch(PDOException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'MySQL: '.$e
+                );
+                return false;
+              }
+            }
+            elseif (filter_var($_data, FILTER_VALIDATE_EMAIL) === true && hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+              try {
+                $stmt = $pdo->prepare("SELECT * FROM `autodiscover`
+                  WHERE `mailbox` = :mailbox");
+                $stmt->execute(array(':mailbox' => $_data));
+                $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+                while($row = array_shift($rows)) {
+                  $autodiscover['mailbox'] = $row['mailbox'];
+                  $autodiscover['domain'] = $row['domain'];
+                  $autodiscover['service'] = $row['service'];
+                  $autodiscover['exclude_regex'] = $row['exclude_regex'];
+                  $autodiscover['created'] = $row['created'];
+                  $autodiscover['modified'] = $row['modified'];
+                }
+              }
+              catch(PDOException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'MySQL: '.$e
+                );
+                return false;
+              }
+            }
+          return $autodiscover;
+        break;
+      }
+    break;
+    case 'reset':
+      switch ($_type) {
+        case 'autodiscover':
+          if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
+            return false;
+          }
+        break;
+      }
+    break;
+  }
+}
+$miau = "Microsoft Office/15.0 (Windows NT 5.1; macOS Outlook 16.0.4734; Pro)";
+preg_match("/^((?!.*Mac|.*emClient).)*(Outlook|Office).+1[5-9].*/i", $miau, $output_array);
+if (empty($output_array)) {
+  echo "imap";
+}
\ No newline at end of file
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 79f3c6dc..817b9c71 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -900,6 +900,14 @@ function get_logs($container, $lines = 100) {
       return $data_array;
     }
   }
+  if ($container == "autodiscover-mailcow") {
+    if ($data = $redis->lRange('AUTODISCOVER_LOG', 0, $lines)) {
+      foreach ($data as $json_line) {
+        $data_array[] = json_decode($json_line, true);
+      }
+      return $data_array;
+    }
+  }
   if ($container == "rspamd-history") {
     $curl = curl_init();
     curl_setopt($curl, CURLOPT_URL,"http://rspamd-mailcow:11334/history");
diff --git a/data/web/js/admin.js b/data/web/js/admin.js
index 7628da82..c6b3b22c 100644
--- a/data/web/js/admin.js
+++ b/data/web/js/admin.js
@@ -124,6 +124,10 @@ jQuery(function($){
     e.preventDefault();
     draw_postfix_logs();
   });
+  $("#refresh_autodiscover_log").on('click', function(e) {
+    e.preventDefault();
+    draw_autodiscover_logs();
+  });
   $("#refresh_dovecot_log").on('click', function(e) {
     e.preventDefault();
     draw_dovecot_logs();
@@ -192,6 +196,52 @@ jQuery(function($){
       }
     });
   }
+  function draw_autodiscover_logs() {
+    ft_autodiscover_logs = FooTable.init('#autodiscover_log', {
+      "columns": [
+        {"name":"time","formatter":function unix_time_format(tm) { var date = new Date(tm ? tm * 1000 : 0); return date.toLocaleString();},"title":lang.time,"style":{"width":"170px"}},
+        {"name":"ua","title":"User-Agent","style":{"min-width":"200px"}},
+        {"name":"user","title":"Username","style":{"min-width":"200px"}},
+        {"name":"service","title":"Service"},
+      ],
+      "rows": $.ajax({
+        dataType: 'json',
+        url: '/api/v1/get/logs/autodiscover/100',
+        jsonp: false,
+        error: function () {
+          console.log('Cannot draw autodiscover log table');
+        },
+        success: function (data) {
+          $.each(data, function (i, item) {
+            item.ua = '<span style="font-size:small">' + item.ua + '</span>';
+            if (item.service == "activesync") {
+              item.service = '<span class="label label-info">ActiveSync</span>';
+            }
+            else if (item.service == "imap") {
+              item.service = '<span class="label label-success">IMAP, SMTP, Cal-/CardDAV</span>';
+            }
+            else {
+              item.service = '<span class="label label-danger">' + item.service + '</span>';
+            }
+          });
+        }
+      }),
+      "empty": lang.empty,
+      "paging": {
+        "enabled": true,
+        "limit": 5,
+        "size": log_pagination_size
+      },
+      "filtering": {
+        "enabled": true,
+        "position": "left",
+        "placeholder": lang.filter_table
+      },
+      "sorting": {
+        "enabled": true
+      }
+    });
+  }
   function draw_fail2ban_logs() {
     ft_fail2ban_logs = FooTable.init('#fail2ban_log', {
       "columns": [
@@ -637,6 +687,7 @@ jQuery(function($){
     });
   }
   draw_postfix_logs();
+  draw_autodiscover_logs();
   draw_dovecot_logs();
   draw_sogo_logs();
   draw_fail2ban_logs();
diff --git a/data/web/json_api.php b/data/web/json_api.php
index ec7899c7..167567b5 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -768,6 +768,20 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                 else {
                   echo '{}';
                 }
+              case "autodiscover":
+                if (isset($extra) && !empty($extra)) {
+                  $extra = intval($extra);
+                  $logs = get_logs('autodiscover-mailcow', $extra);
+                }
+                else {
+                  $logs = get_logs('autodiscover-mailcow', -1);
+                }
+                if (isset($logs) && !empty($logs)) {
+                  echo json_encode($logs, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
+                }
+                else {
+                  echo '{}';
+                }
               break;
               case "sogo":
                 if (isset($extra) && !empty($extra)) {

From 5e69decd7b65ebcc2dbf5c1c61f39a500b746ad4 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 22:19:20 +0200
Subject: [PATCH 29/84] [Web] Temp. workaround for em Client which sends an
 empty user-agent

---
 data/web/autodiscover.php | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 69324f8b..e191aa42 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -15,6 +15,8 @@ error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));
 
+file_put_contents('/tmp/dsa', json_encode($_SERVER), FILE_APPEND);
+
 if ($autodiscover_config['autodiscoverType'] == 'activesync') {
   if (preg_match("/(Outlook|Office)/i", $_SERVER['HTTP_USER_AGENT'])) {
     if ($autodiscover_config['useEASforOutlook'] == 'yes') {
@@ -27,7 +29,7 @@ if ($autodiscover_config['autodiscoverType'] == 'activesync') {
       $autodiscover_config['autodiscoverType'] = 'imap';
     }
   }
-  if (preg_match("/eM Client/i", $_SERVER['HTTP_USER_AGENT'])) {
+  if (preg_match("/eM Client/i", $_SERVER['HTTP_USER_AGENT']) || !isset($_SERVER['HTTP_USER_AGENT'])) {
     $autodiscover_config['autodiscoverType'] = 'imap';
   }
 }
@@ -62,7 +64,7 @@ if (!isset($_SERVER['PHP_AUTH_USER']) OR $login_role !== "user") {
     );
     return false;
   }
-  header('WWW-Authenticate: Basic realm=""');
+  header('WWW-Authenticate: Basic realm="' . $_SERVER['HTTP_HOST'] . '"');
   header('HTTP/1.0 401 Unauthorized');
   exit(0);
 }

From bc33465b41a3f670667e49956b09a1c7f4cf1b3d Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 22:46:55 +0200
Subject: [PATCH 30/84] [Web] Autodiscover fixex (DAV path)

---
 data/web/autodiscover.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index e191aa42..8c240926 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -183,13 +183,13 @@ else {
       </Protocol>
       <Protocol>
         <Type>CalDAV</Type>
-        <Server>https://<?=$autodiscover_config['caldav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/Calendar</Server>
+        <Server>https://<?=$autodiscover_config['caldav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
       <Protocol>
         <Type>CardDAV</Type>
-        <Server>https://<?=$autodiscover_config['carddav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/Contacts</Server>
+        <Server>https://<?=$autodiscover_config['carddav']['server'];?><?php if ($autodiscover_config['caldav']['port'] != 443) echo ':'.$autodiscover_config['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>

From e1ee1e848fd9afc19a0338243e6cff46a434c75e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Peters?= <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 23:22:53 +0200
Subject: [PATCH 31/84] Update autodiscover-json.php

HTTP_HOST is okay.
Syntax for consistency. :-)
---
 data/web/autodiscover-json.php | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/data/web/autodiscover-json.php b/data/web/autodiscover-json.php
index fea21593..decfe3c3 100644
--- a/data/web/autodiscover-json.php
+++ b/data/web/autodiscover-json.php
@@ -8,16 +8,14 @@ if(file_exists('inc/vars.local.inc.php')) {
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
 
 header('Content-type: application/json');
-
-$domain_dot = strpos($_SERVER['HTTP_HOST'], '.');
-$domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1);
-
 if ($_GET['Protocol'] == 'ActiveSync') {
   echo '{"Protocol":"ActiveSync","Url":"' . $autodiscover_config['activesync']['url'] . '"}';
-} elseif ($_GET['Protocol'] == 'AutodiscoverV1') {
-  echo '{"Protocol":"AutodiscoverV1","Url":"https://autodiscover.' . $domain . '/autodiscover/autodiscover.xml"}';
-} else {
+}
+elseif ($_GET['Protocol'] == 'AutodiscoverV1') {
+  echo '{"Protocol":"AutodiscoverV1","Url":"https://' . $_SERVER['HTTP_HOST'] . '/autodiscover/autodiscover.xml"}';
+}
+else {
   http_response_code(400);
   echo '{"ErrorCode":"InvalidProtocol","ErrorMessage":"The given protocol value \u0027' . $_GET['Protocol'] . '\u0027 is invalid. Supported values are \u0027ActiveSync,AutodiscoverV1\u0027"}';
 }
-?>
\ No newline at end of file
+?>

From 8c646f64b5eb6f3e5bdba945fc7738c8a7352f39 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 2 Oct 2017 23:37:57 +0200
Subject: [PATCH 32/84] [Web] Autodiscover: Disable utf8_encode for displayname

---
 data/web/autodiscover.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 8c240926..1e52c4d7 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -126,7 +126,7 @@ else {
         die("Failed to determine name from SQL");
       }
       if (!empty($MailboxData['name'])) {
-        $displayname = utf8_encode($MailboxData['name']);
+        $displayname = $MailboxData['name'];
       }
       else {
         $displayname = $email;

From 68d7fa150432ce23cbf00230a07584e95a543dcd Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 12:05:38 +0200
Subject: [PATCH 33/84] [Watchdog] Skip when use_watchdog=n

---
 data/Dockerfiles/watchdog/watchdog.sh | 6 ++++++
 docker-compose.yml                    | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index b02e19c8..5c486b15 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -7,6 +7,12 @@ PARENT_PID=$$
 # Prepare
 BACKGROUND_TASKS=()
 
+if [[ "${USE_WATCHDOG}" =~ ^([nN][oO]|[nN])+$ ]]; then
+  log_f "USE_WATCHDOG=n, skipping watchdog..."
+  sleep 365d
+  exec $(readlink -f "$0")
+fi
+
 # Checks pipe their corresponding container name in this pipe
 if [[ ! -p /tmp/com_pipe ]]; then
   mkfifo /tmp/com_pipe
diff --git a/docker-compose.yml b/docker-compose.yml
index fb74337d..0be95fca 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -296,7 +296,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.2
+      image: mailcow/watchdog:1.3
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:

From c59d03fcb3d9966cc601198ff9fc612c3180a95c Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 12:07:48 +0200
Subject: [PATCH 34/84] [Watchdog] Skip when use_watchdog=n

---
 data/Dockerfiles/watchdog/watchdog.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 5c486b15..d704672b 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -8,7 +8,7 @@ PARENT_PID=$$
 BACKGROUND_TASKS=()
 
 if [[ "${USE_WATCHDOG}" =~ ^([nN][oO]|[nN])+$ ]]; then
-  log_f "USE_WATCHDOG=n, skipping watchdog..."
+  echo -e "$(date) - USE_WATCHDOG=n, skipping watchdog..."
   sleep 365d
   exec $(readlink -f "$0")
 fi

From 6287a395b53341af01146d506094c5dca34c7289 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 16:48:33 +0200
Subject: [PATCH 35/84] [Web] Revert some autodiscover changes, fix json_api
 for Postfix logs

---
 data/web/autodiscover.php | 23 +++++++++--------------
 data/web/json_api.php     |  1 +
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 1e52c4d7..14036433 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -17,20 +17,15 @@ $data = trim(file_get_contents("php://input"));
 
 file_put_contents('/tmp/dsa', json_encode($_SERVER), FILE_APPEND);
 
-if ($autodiscover_config['autodiscoverType'] == 'activesync') {
-  if (preg_match("/(Outlook|Office)/i", $_SERVER['HTTP_USER_AGENT'])) {
-    if ($autodiscover_config['useEASforOutlook'] == 'yes') {
-      preg_match("/^((?!.*Mac).)*(Outlook|Office).+1[5-9].*/i", $_SERVER['HTTP_USER_AGENT'], $supported_outlook);
-      if (empty($supported_outlook)) {
-        $autodiscover_config['autodiscoverType'] = 'imap';
-      }
-    }
-    else {
-      $autodiscover_config['autodiscoverType'] = 'imap';
-    }
-  }
-  if (preg_match("/eM Client/i", $_SERVER['HTTP_USER_AGENT']) || !isset($_SERVER['HTTP_USER_AGENT'])) {
-    $autodiscover_config['autodiscoverType'] = 'imap';
+if (strpos($data, 'autodiscover/outlook/responseschema') !== false) {
+  $autodiscover_config['autodiscoverType'] = 'imap';
+  if ($autodiscover_config['useEASforOutlook'] == 'yes' &&
+    // Office for macOS does not support EAS
+    strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
+    // Outlook 2013 (version 15) or higher
+    preg_match('/(Outlook|Office).+15\./', $_SERVER['HTTP_USER_AGENT'])
+  ) {
+    $autodiscover_config['autodiscoverType'] = 'activesync';
   }
 }
 
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 167567b5..7673f294 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -768,6 +768,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
                 else {
                   echo '{}';
                 }
+              break;
               case "autodiscover":
                 if (isset($extra) && !empty($extra)) {
                   $extra = intval($extra);

From da987e5b48d4d0d716c891a86b72c7869399a44b Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 16:54:18 +0200
Subject: [PATCH 36/84] [Postfix] Forgot 'not' in filter

---
 data/Dockerfiles/postfix/syslog-ng.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/Dockerfiles/postfix/syslog-ng.conf b/data/Dockerfiles/postfix/syslog-ng.conf
index bf5509c0..9aa45e3a 100644
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -39,7 +39,7 @@ destination d_redis_cleanup {
   );
 };
 filter f_mail { facility(mail); };
-filter f_skip_local { facility (local0, local1, local2, local3, local4, local5, local6, local7); };
+filter f_skip_local { not facility (local0, local1, local2, local3, local4, local5, local6, local7); };
 log {
   source(s_src);
   filter(f_skip_local);

From 24af77f41c4d0bbc3c2865a0d86587c2320e4ec9 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 17:18:04 +0200
Subject: [PATCH 37/84] [Web] Revert some autodiscover changes

---
 data/web/autodiscover.php | 2 --
 1 file changed, 2 deletions(-)

diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 14036433..5e0ccf30 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -15,8 +15,6 @@ error_reporting(0);
 
 $data = trim(file_get_contents("php://input"));
 
-file_put_contents('/tmp/dsa', json_encode($_SERVER), FILE_APPEND);
-
 if (strpos($data, 'autodiscover/outlook/responseschema') !== false) {
   $autodiscover_config['autodiscoverType'] = 'imap';
   if ($autodiscover_config['useEASforOutlook'] == 'yes' &&

From 4915375500754b327457924576dc8c271c5cc6bf Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 3 Oct 2017 22:39:58 +0200
Subject: [PATCH 38/84] [Web] Fix duplicate key as result of race-condition
 when recreating mailbox while authentication in IMAP is cached and a mail
 arrives

---
 data/web/inc/functions.mailbox.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 1e674e44..1e86b3ee 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -755,7 +755,7 @@ function mailbox($_action, $_type, $_data = null) {
               ':active' => $active
             ));
             $stmt = $pdo->prepare("INSERT INTO `quota2` (`username`, `bytes`, `messages`)
-              VALUES (:username, '0', '0')");
+              VALUES (:username, '0', '0') ON DUPLICATE KEY UPDATE `bytes` = '0', `messages` = '0';");
             $stmt->execute(array(':username' => $username));
             $stmt = $pdo->prepare("INSERT INTO `alias` (`address`, `goto`, `domain`, `active`)
               VALUES (:username1, :username2, :domain, :active)");

From 6f91d094e264a71e30b93d463f116fdfe7e7f6f9 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 13:03:25 +0200
Subject: [PATCH 39/84] [Compose] Update SOGo and PHP-FPM

---
 docker-compose.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 0be95fca..f39dbbe4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -96,7 +96,7 @@ services:
             - rspamd
 
     php-fpm-mailcow:
-      image: mailcow/phpfpm:1.1
+      image: mailcow/phpfpm:1.2
       build: ./data/Dockerfiles/phpfpm
       command: "php-fpm -d date.timezone=${TZ}"
       depends_on:
@@ -105,6 +105,7 @@ services:
         - ./data/web:/web:ro
         - ./data/conf/rspamd/dynmaps:/dynmaps:ro
         - dkim-vol-1:/data/dkim
+        - /var/run/docker.sock:/var/run/docker.sock:ro
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -127,7 +128,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.8
+      image: mailcow/sogo:1.9
       build: ./data/Dockerfiles/sogo
       environment:
         - DBNAME=${DBNAME}

From 9b4ed6b21c00b9f96eeadc7d209c2fee5138ca02 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 13:04:15 +0200
Subject: [PATCH 40/84] [PHP-FPM] Include Docker api for better SOGo status
 handling and future changes

---
 data/Dockerfiles/phpfpm/docker-entrypoint.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/data/Dockerfiles/phpfpm/docker-entrypoint.sh b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
index 8c986335..65e33424 100755
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -82,4 +82,16 @@ if [[ ! -z ${DOMAIN_ARRAY} ]]; then
  done
 fi
 
+# Socket access
+DOCKER_SOCKET=/var/run/docker.sock
+DOCKER_GROUP=docker
+REGULAR_USER=www-data
+
+if [ -S ${DOCKER_SOCKET} ]; then
+    DOCKER_GID=$(stat -c '%g' ${DOCKER_SOCKET})
+    delgroup $(stat -c '%G' ${DOCKER_SOCKET})
+    addgroup -g ${DOCKER_GID} ${DOCKER_GROUP}
+    adduser ${REGULAR_USER} ${DOCKER_GROUP}
+fi
+
 exec "$@"

From 82ac5fa063a02747ae042734446ca2ac0279906e Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 13:04:35 +0200
Subject: [PATCH 41/84] [SOGo] Remove supervisord API

---
 data/Dockerfiles/sogo/supervisord.conf | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/data/Dockerfiles/sogo/supervisord.conf b/data/Dockerfiles/sogo/supervisord.conf
index 4c611a39..2a889560 100644
--- a/data/Dockerfiles/sogo/supervisord.conf
+++ b/data/Dockerfiles/sogo/supervisord.conf
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+user=root
 
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground  --no-caps
@@ -32,12 +33,3 @@ priority=3
 startretries=10
 autorestart=true
 stopwaitsecs=120
-
-[inet_http_server]
-port=9191
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
-
-[supervisorctl]
-serverurl=http://localhost:9191

From cc2f2afc6274907b23ff381f757a1f50bfc23f4c Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 13:04:58 +0200
Subject: [PATCH 42/84] [Web] Use Docker API for SOGo restart

---
 data/web/inc/call_sogo_ctrl.php | 143 +++++++++++++++++++++++++-------
 1 file changed, 114 insertions(+), 29 deletions(-)

diff --git a/data/web/inc/call_sogo_ctrl.php b/data/web/inc/call_sogo_ctrl.php
index 990defa2..7ecbd048 100644
--- a/data/web/inc/call_sogo_ctrl.php
+++ b/data/web/inc/call_sogo_ctrl.php
@@ -5,36 +5,121 @@ if (!isset($_SESSION['mailcow_cc_role']) OR !in_array($_SESSION['mailcow_cc_role
 	echo "Not allowed." . PHP_EOL;
 	exit();
 }
-if ($_GET['ACTION'] == "start") {
-	$request = xmlrpc_encode_request("supervisor.startProcess", 'bootstrap-sogo', array('encoding'=>'utf-8'));
-	$context = stream_context_create(array('http' => array(
-	'method' => "POST",
-	'header' => "Content-Length: " . strlen($request),
-	'content' => $request
-	)));
-	$file = @file_get_contents("http://sogo:9191/RPC2", false, $context) or die("Cannot connect to $remote_server:$listener_port");
-	$response = xmlrpc_decode($file);
-	if (isset($response['faultString'])) {
-		echo '<b><span class="pull-right text-warning">' . $response['faultString'] . '</span></b>';
-	}
-  else {
-    echo '<b><span class="pull-right text-success">OK</span></b>';
+
+function docker($service_name, $action, $post_action = null, $post_fields = null) {
+  $curl = curl_init();
+  curl_setopt($curl, CURLOPT_HTTPHEADER,array( 'Content-Type: application/json' ));
+  switch($action) {
+    case 'get_id':
+      curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
+      curl_setopt($curl, CURLOPT_URL, 'http:/v1.26/containers/json?all=1');
+      curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+      curl_setopt($curl, CURLOPT_POST, 0);
+      $response = curl_exec($curl);
+      if ($response === false) {
+        $err = curl_error($curl);
+        curl_close($curl);
+        return $err;
+      }
+      else {
+        curl_close($curl);
+        $containers = json_decode($response, true);
+        if (!empty($containers)) {
+          foreach ($containers as $container) {
+            if ($container['Labels']['com.docker.compose.service'] == $service_name) {
+              return trim($container['Id']);
+            }
+          }
+        }
+      }
+      return false;
+    break;
+    case 'info':
+      curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
+      $container_id = docker($service_name, 'get_id');
+      if (ctype_xdigit($container_id)) {
+        curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
+        curl_setopt($curl, CURLOPT_URL, 'http/containers/' . $container_id . '/json');
+        curl_setopt($curl, CURLOPT_POST, 0);
+        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+        $response = curl_exec($curl);
+        if ($response === false) {
+          $err = curl_error($curl);
+          curl_close($curl);
+          return $err;
+        }
+        else {
+          curl_close($curl);
+          if (empty($response)) {
+            return true;
+          }
+          else {
+            return json_decode($response, true);
+          }
+        }
+      }
+      else {
+        return false;
+      }
+    break;
+    case 'post':
+      if (!empty($post_action)) {
+        $container_id = docker($service_name, 'get_id');
+        if (ctype_xdigit($container_id)) {
+          curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
+          curl_setopt($curl, CURLOPT_URL, 'http/containers/' . $container_id . '/' . $post_action);
+          curl_setopt($curl, CURLOPT_POST, 1);
+          if (!empty($post_fields)) {
+            curl_setopt( $curl, CURLOPT_POSTFIELDS, json_encode($post_fields));
+          }
+          curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+          $response = curl_exec($curl);
+          if ($response === false) {
+            $err = curl_error($curl);
+            curl_close($curl);
+            return $err;
+          }
+          else {
+            curl_close($curl);
+            if (empty($response)) {
+              return true;
+            }
+            else {
+              return $response;
+            }
+          }
+        }
+      }
+    break;
   }
 }
-elseif ($_GET['ACTION'] == "stop") {
-	$request = xmlrpc_encode_request("supervisor.stopProcess", 'bootstrap-sogo', array('encoding'=>'utf-8'));
-	$context = stream_context_create(array('http' => array(
-	'method' => "POST",
-	'header' => "Content-Length: " . strlen($request),
-	'content' => $request
-	)));
-	$file = @file_get_contents("http://sogo:9191/RPC2", false, $context) or die("Cannot connect to $remote_server:$listener_port");
-	$response = xmlrpc_decode($file);
-	if (isset($response['faultString'])) {
-		echo '<b><span class="pull-right text-warning">' . $response['faultString'] . '</span></b>';
-	}
-	else {
-      echo '<b><span class="pull-right text-success">OK</span></b>';
-	}
+
+if ($_GET['ACTION'] == "start") {
+  $retry = 0;
+  while (!docker('sogo-mailcow', 'info')['State']['Running'] && $retry <= 3) {
+    $response = docker('sogo-mailcow', 'post', 'start');
+    $last_response = ($response === true) ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-warning">Error: ' . $response . '</span></b>';
+    if ($response === true) {
+      break;
+    }
+    usleep(1500000);
+    $retry++;
+  }
+  echo $last_response;
 }
+
+if ($_GET['ACTION'] == "stop") {
+  $retry = 0;
+  while (docker('sogo-mailcow', 'info')['State']['Running'] && $retry <= 3) {
+    $response = docker('sogo-mailcow', 'post', 'stop');
+    $last_response = ($response === true) ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-warning">Error: ' . $response . '</span></b>';
+    if ($response === true) {
+      break;
+    }
+    usleep(1500000);
+    $retry++;
+  }
+  echo $last_response;
+}
+
 ?>

From 3de01afce01e49c4937de113b3047c3d792eb07e Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 19:01:46 +0200
Subject: [PATCH 43/84] [Web] Fixes #650

---
 data/web/inc/functions.policy.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.policy.inc.php b/data/web/inc/functions.policy.inc.php
index 2de1c6e2..9609d5e1 100644
--- a/data/web/inc/functions.policy.inc.php
+++ b/data/web/inc/functions.policy.inc.php
@@ -32,7 +32,7 @@ function policy($_action, $_scope, $_data = null) {
             $object_list = "whitelist_from";
           }
           $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($_data['object_from']))), '.'));
-          if (!ctype_alnum(str_replace(array('@', '.', '-', '*'), '', $object_from))) {
+          if (!ctype_alnum(str_replace(array('@', '_', '.', '-', '*'), '', $object_from))) {
             $_SESSION['return'] = array(
               'type' => 'danger',
               'msg' => sprintf($lang['danger']['policy_list_from_invalid'])
@@ -112,7 +112,7 @@ function policy($_action, $_scope, $_data = null) {
             $object_list = "whitelist_from";
           }
           $object_from = preg_replace('/\.+/', '.', rtrim(preg_replace("/\.\*/", "*", trim(strtolower($_data['object_from']))), '.'));
-          if (!ctype_alnum(str_replace(array('@', '.', '-', '*'), '', $object_from))) {
+          if (!ctype_alnum(str_replace(array('@', '_', '.', '-', '*'), '', $object_from))) {
             $_SESSION['return'] = array(
               'type' => 'danger',
               'msg' => sprintf($lang['danger']['policy_list_from_invalid'])

From 2dc8306b6921d24f985d668775c12caf31f47866 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 23:15:26 +0200
Subject: [PATCH 44/84] [Postfix] Remove old socket

---
 data/Dockerfiles/postfix/supervisord.conf | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/data/Dockerfiles/postfix/supervisord.conf b/data/Dockerfiles/postfix/supervisord.conf
index 55e76a95..b5ae6b54 100644
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -1,5 +1,6 @@
 [supervisord]
 nodaemon=true
+user=root
 
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground  --no-caps
@@ -12,14 +13,3 @@ autostart=true
 [program:postfix]
 command=/opt/postfix.sh
 autorestart=true
-
-[unix_http_server]
-file=/var/tmp/supervisord.sock  
-chmod=0770  
-chown=nobody:nogroup
-
-[supervisorctl]
-serverurl=unix:///var/tmp/supervisord.sock
-
-[rpcinterface:supervisor]
-supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

From 405c49fb0ad7a742a9705baf9e2daa4062365ed4 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 23:15:45 +0200
Subject: [PATCH 45/84] [Postfix] Remove old socket

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f39dbbe4..3ce44f90 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -182,7 +182,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.5
+      image: mailcow/postfix:1.6
       build: ./data/Dockerfiles/postfix
       volumes:
         - ./data/conf/postfix:/opt/postfix/conf

From 073c6c6e7352a4fa9a1d4b67429e99a0a61998ca Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 23:16:39 +0200
Subject: [PATCH 46/84] [Postfix/Rspamd] Do not reject unauthenticated sender
 mismatches but rewrite their subject and assign symbol SPOOFED_SENDER with
 score 1.0

---
 data/conf/postfix/main.cf                   |  2 +-
 data/conf/rspamd/local.d/force_actions.conf |  7 ++++++-
 data/conf/rspamd/local.d/metrics.conf       |  4 ++++
 data/conf/rspamd/local.d/multimap.conf      | 17 ++++++++++++-----
 data/conf/rspamd/lua/rspamd.local.lua       |  3 +++
 5 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 3ee6e59c..edf5c6d5 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -62,7 +62,7 @@ smtpd_sasl_authenticated_header = yes
 smtpd_sasl_path = inet:dovecot:10001
 smtpd_sasl_type = dovecot
 smtpd_sender_login_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf
-smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
+smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated, reject_unlisted_sender, reject_unknown_sender_domain
 smtpd_soft_error_limit = 3
 smtpd_tls_auth_only = yes
 smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
diff --git a/data/conf/rspamd/local.d/force_actions.conf b/data/conf/rspamd/local.d/force_actions.conf
index 3373ce15..956402f5 100644
--- a/data/conf/rspamd/local.d/force_actions.conf
+++ b/data/conf/rspamd/local.d/force_actions.conf
@@ -2,7 +2,7 @@ rules {
   DKIM_FAIL {
     action = "add header";
     expression = "R_DKIM_REJECT & !MAILLIST & !MAILCOW_WHITE & !MAILCOW_BLACK";
-    require_action = ["no action", "greylist"];
+    require_action = ["no action", "greylist", "soft reject"];
   }
   VIRUS_FOUND {
     action = "reject";
@@ -19,4 +19,9 @@ rules {
     expression = "WHITELISTED_FWD_HOST";
     require_action = ["greylist", "soft reject"];
   }
+  ADD_UNAUTH_SUBJ {
+    action = "rewrite subject";
+    subject = "[Unauth] %s";
+    expression = "SPOOFED_SENDER";
+  }
 }
diff --git a/data/conf/rspamd/local.d/metrics.conf b/data/conf/rspamd/local.d/metrics.conf
index b3afa78c..d3eb2657 100644
--- a/data/conf/rspamd/local.d/metrics.conf
+++ b/data/conf/rspamd/local.d/metrics.conf
@@ -34,3 +34,7 @@ group "MX" {
 	  one_shot = "true";
 	}
 }
+symbol "SPOOFED_SENDER" {
+	description = "Sender is not authenticated but part of mailcow managed domains";
+	score = 1.0;
+}
diff --git a/data/conf/rspamd/local.d/multimap.conf b/data/conf/rspamd/local.d/multimap.conf
index d524264e..d9dd88ce 100644
--- a/data/conf/rspamd/local.d/multimap.conf
+++ b/data/conf/rspamd/local.d/multimap.conf
@@ -1,22 +1,29 @@
 RCPT_MAILCOW_DOMAIN {
   type = "rcpt";
-  filter = "email:domain"
-  map = "redis://DOMAIN_MAP"
+  filter = "email:domain";
+  map = "redis://DOMAIN_MAP";
 }
 
 RCPT_WANTS_SUBJECT_TAG {
   type = "rcpt";
   filter = "email:addr"
-  map = "redis://RCPT_WANTS_SUBJECT_TAG"
+  map = "redis://RCPT_WANTS_SUBJECT_TAG";
 }
 
 WHITELISTED_FWD_HOST {
   type = "ip";
-  map = "redis://WHITELISTED_FWD_HOST"
+  map = "redis://WHITELISTED_FWD_HOST";
 }
 
 KEEP_SPAM {
   type = "ip";
-  map = "redis://KEEP_SPAM"
+  map = "redis://KEEP_SPAM";
   action = "accept";
 }
+
+SPOOFED_SENDER {
+  type = "rcpt";
+  filter = "email:domain";
+  map = "redis://DOMAIN_MAP";
+  require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";
+}
diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index c1a8f48f..3d515bf0 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -58,6 +58,9 @@ rspamd_config:register_symbol({
     local redis_params = rspamd_parse_redis_server('dyn_rl')
     local rspamd_logger = require "rspamd_logger"
     local envfrom = task:get_from(1)
+    if not envfrom then
+      return false
+    end
     local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
     local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case
 

From 9860d44d0429d1947535edde2abb8cc7eaf16621 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 4 Oct 2017 23:18:51 +0200
Subject: [PATCH 47/84] [Watchdog] Do also log errors to Redis if availble

---
 data/Dockerfiles/watchdog/Dockerfile  |  3 ++-
 data/Dockerfiles/watchdog/watchdog.sh | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index 945f3929..2acc19cb 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -15,7 +15,8 @@ RUN apk add --update \
 	nagios-plugins-mysql \
 	nagios-plugins-dns \
     nagios-plugins-disk \
-	bind-tools
+	bind-tools \
+	redis
 
 COPY watchdog.sh /watchdog.sh
 
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index d704672b..686e875c 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -34,6 +34,10 @@ progress() {
   echo "(${DIFF})"
 }
 
+log_to_redis() {
+	redis-cli -h redis LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}")\"}"
+}
+
 get_container_ip() {
   # ${1} is container
   CONTAINER_ID=
@@ -228,6 +232,7 @@ dns_checks() {
 (
 while true; do
   if ! nginx_checks; then
+    log_to_redis "Nginx hit error limit"
     echo -e "\e[31m$(date) - Nginx hit error limit\e[0m"
     echo nginx-mailcow > /tmp/com_pipe
   fi
@@ -238,6 +243,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! mysql_checks; then
+    log_to_redis "MySQL hit error limit"
     echo -e "\e[31m$(date) - MySQL hit error limit\e[0m"
     echo mysql-mailcow > /tmp/com_pipe
   fi
@@ -248,6 +254,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! phpfpm_checks; then
+    log_to_redis "PHP-FPM hit error limit"
     echo -e "\e[31m$(date) - PHP-FPM hit error limit\e[0m"
     echo php-fpm-mailcow > /tmp/com_pipe
   fi
@@ -258,6 +265,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! sogo_checks; then
+    log_to_redis "SOGo hit error limit"
     echo -e "\e[31m$(date) - SOGo hit error limit\e[0m"
     echo sogo-mailcow > /tmp/com_pipe
   fi
@@ -268,6 +276,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! postfix_checks; then
+    log_to_redis "Postfix hit error limit"
     echo -e "\e[31m$(date) - Postfix hit error limit\e[0m"
     echo postfix-mailcow > /tmp/com_pipe
   fi
@@ -278,6 +287,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! dovecot_checks; then
+    log_to_redis "Dovecot hit error limit"
     echo -e "\e[31m$(date) - Dovecot hit error limit\e[0m"
     echo dovecot-mailcow > /tmp/com_pipe
   fi
@@ -288,6 +298,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! dns_checks; then
+    log_to_redis "Unbound hit error limit"
     echo -e "\e[31m$(date) - Unbound hit error limit\e[0m"
     #echo unbound-mailcow > /tmp/com_pipe
   fi
@@ -298,6 +309,7 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   if ! rspamd_checks; then
+    log_to_redis "Rspamd hit error limit"
     echo -e "\e[31m$(date) - Rspamd hit error limit\e[0m"
     echo rspamd-mailcow > /tmp/com_pipe
   fi
@@ -311,6 +323,7 @@ while true; do
   for bg_task in ${BACKGROUND_TASKS[*]}; do
     if ! kill -0 ${bg_task} 21>&2; then
       echo "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
+      log_to_redis "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
       kill -TERM ${PARENT_PID}
     fi
     sleep 1
@@ -327,6 +340,7 @@ while true; do
     sleep 3
     CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
+      log_to_redis "Sending restart command to ${CONTAINER_ID}..."
       echo "Sending restart command to ${CONTAINER_ID}..."
       curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
     fi

From fc18d153cdc5d93f254b43a572d190d360ca7a01 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 5 Oct 2017 23:38:33 +0200
Subject: [PATCH 48/84] [Compose, DockerAPI, Web, Watchdog] Watchdog may send
 notification mails (todo: docs), DockerAPI via Flesk for limited access

---
 data/Dockerfiles/dockerapi/Dockerfile  |  8 +++++
 data/Dockerfiles/dockerapi/server.py   | 41 ++++++++++++++++++++++++++
 data/Dockerfiles/watchdog/Dockerfile   | 10 ++++++-
 data/Dockerfiles/watchdog/watchdog.sh  | 28 ++++++++++++++++++
 data/conf/rspamd/local.d/multimap.conf |  2 +-
 data/web/api.php                       | 32 ++++++++++++++++++++
 data/web/inc/call_sogo_ctrl.php        | 30 ++++++++-----------
 docker-compose.yml                     | 16 ++++++++--
 update.sh                              |  7 ++++-
 9 files changed, 152 insertions(+), 22 deletions(-)
 create mode 100644 data/Dockerfiles/dockerapi/Dockerfile
 create mode 100644 data/Dockerfiles/dockerapi/server.py
 create mode 100644 data/web/api.php

diff --git a/data/Dockerfiles/dockerapi/Dockerfile b/data/Dockerfiles/dockerapi/Dockerfile
new file mode 100644
index 00000000..a5b3301d
--- /dev/null
+++ b/data/Dockerfiles/dockerapi/Dockerfile
@@ -0,0 +1,8 @@
+FROM python:2-alpine
+LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
+
+RUN apk add -U --no-cache iptables ip6tables
+RUN pip install docker flask flask-restful
+
+COPY server.py /
+CMD ["python2", "-u", "/server.py"]
diff --git a/data/Dockerfiles/dockerapi/server.py b/data/Dockerfiles/dockerapi/server.py
new file mode 100644
index 00000000..b4f7d287
--- /dev/null
+++ b/data/Dockerfiles/dockerapi/server.py
@@ -0,0 +1,41 @@
+from flask import Flask
+from flask_restful import Resource, Api
+from docker import APIClient
+
+dockercli = APIClient(base_url='unix://var/run/docker.sock')
+app = Flask(__name__)
+api = Api(app)
+
+class Containers(Resource):
+    def get(self):
+        return dockercli.containers(all=True)
+
+class ContainerInfo(Resource):
+    def get(self, container_id):
+        return dockercli.containers(all=True, filters={"id": container_id})
+
+class ContainerStart(Resource):
+    def post(self, container_id):
+        try:
+            dockercli.start(container_id);
+        except:
+            return 'Error'
+        else:
+            return 'OK'
+
+class ContainerStop(Resource):
+    def post(self, container_id):
+        try:
+            dockercli.stop(container_id);
+        except: 
+            return 'Error'
+        else:
+            return 'OK'
+
+api.add_resource(Containers, '/info/container/all')
+api.add_resource(ContainerInfo, '/info/container/<string:container_id>')
+api.add_resource(ContainerStop, '/stop/container/<string:container_id>')
+api.add_resource(ContainerStart, '/start/container/<string:container_id>')
+
+if __name__ == '__main__':
+    app.run(debug=False, host='0.0.0.0', port='8080')
diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index 2acc19cb..457169de 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -16,7 +16,15 @@ RUN apk add --update \
 	nagios-plugins-dns \
     nagios-plugins-disk \
 	bind-tools \
-	redis
+	redis \
+	perl \
+	perl-io-socket-ssl \
+	perl-socket \
+	perl-socket6 \
+	perl-mime-lite \
+	perl-term-readkey \
+	&& curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.8/smtp-cli -o /smtp-cli \
+	&& chmod +x smtp-cli
 
 COPY watchdog.sh /watchdog.sh
 
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 686e875c..bad567e2 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -38,6 +38,26 @@ log_to_redis() {
 	redis-cli -h redis LPUSH WATCHDOG_LOG "{\"time\":\"$(date +%s)\",\"message\":\"$(printf '%s' "${1}")\"}"
 }
 
+function mail_error() {
+  [[ -z ${1} ]] && return 1
+  [[ -z ${2} ]] && return 2
+  RCPT_DOMAIN=$(echo ${1} | awk -F @ {'print $NF'})
+  RCPT_MX=$(dig +short ${RCPT_DOMAIN} mx | sort -n | awk '{print $2; exit}')
+  if [[ -z ${RCPT_MX} ]]; then
+    log_to_redis "Cannot determine MX for ${1}, skipping email notification..."
+    echo "Cannot determine MX for ${1}"
+    return 1
+  fi
+  ./smtp-cli --missing-modules-ok \
+    --subject="Watchdog: ${2} service hit the error rate limit" \
+    --body-plain="Service was restarted, please check your mailcow installation." \
+    --to=${1} \
+    --from="watchdog@${MAILCOW_HOSTNAME}" \
+    --server="${RCPT_MX}" \
+    --hello-host=${MAILCOW_HOSTNAME}
+}
+
+
 get_container_ip() {
   # ${1} is container
   CONTAINER_ID=
@@ -233,6 +253,7 @@ dns_checks() {
 while true; do
   if ! nginx_checks; then
     log_to_redis "Nginx hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "nginx-mailcow"
     echo -e "\e[31m$(date) - Nginx hit error limit\e[0m"
     echo nginx-mailcow > /tmp/com_pipe
   fi
@@ -244,6 +265,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! mysql_checks; then
     log_to_redis "MySQL hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "mysql-mailcow"
     echo -e "\e[31m$(date) - MySQL hit error limit\e[0m"
     echo mysql-mailcow > /tmp/com_pipe
   fi
@@ -255,6 +277,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! phpfpm_checks; then
     log_to_redis "PHP-FPM hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "php-fpm-mailcow"
     echo -e "\e[31m$(date) - PHP-FPM hit error limit\e[0m"
     echo php-fpm-mailcow > /tmp/com_pipe
   fi
@@ -266,6 +289,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! sogo_checks; then
     log_to_redis "SOGo hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "sogo-mailcow"
     echo -e "\e[31m$(date) - SOGo hit error limit\e[0m"
     echo sogo-mailcow > /tmp/com_pipe
   fi
@@ -277,6 +301,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! postfix_checks; then
     log_to_redis "Postfix hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "postfix-mailcow"
     echo -e "\e[31m$(date) - Postfix hit error limit\e[0m"
     echo postfix-mailcow > /tmp/com_pipe
   fi
@@ -288,6 +313,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! dovecot_checks; then
     log_to_redis "Dovecot hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "dovecot-mailcow"
     echo -e "\e[31m$(date) - Dovecot hit error limit\e[0m"
     echo dovecot-mailcow > /tmp/com_pipe
   fi
@@ -299,6 +325,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! dns_checks; then
     log_to_redis "Unbound hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "unbound-mailcow"
     echo -e "\e[31m$(date) - Unbound hit error limit\e[0m"
     #echo unbound-mailcow > /tmp/com_pipe
   fi
@@ -310,6 +337,7 @@ BACKGROUND_TASKS+=($!)
 while true; do
   if ! rspamd_checks; then
     log_to_redis "Rspamd hit error limit"
+    [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${WATCHDOG_NOTIFY_EMAIL}" "rspamd-mailcow"
     echo -e "\e[31m$(date) - Rspamd hit error limit\e[0m"
     echo rspamd-mailcow > /tmp/com_pipe
   fi
diff --git a/data/conf/rspamd/local.d/multimap.conf b/data/conf/rspamd/local.d/multimap.conf
index d9dd88ce..fa4163dc 100644
--- a/data/conf/rspamd/local.d/multimap.conf
+++ b/data/conf/rspamd/local.d/multimap.conf
@@ -23,7 +23,7 @@ KEEP_SPAM {
 
 SPOOFED_SENDER {
   type = "rcpt";
-  filter = "email:domain";
+  filter = "email:domain:tld";
   map = "redis://DOMAIN_MAP";
   require_symbols = "AUTH_NA | !RCVD_VIA_SMTP_AUTH";
 }
diff --git a/data/web/api.php b/data/web/api.php
new file mode 100644
index 00000000..d250929d
--- /dev/null
+++ b/data/web/api.php
@@ -0,0 +1,32 @@
+<?php
+set_time_limit (0);
+
+$address = '0.0.0.0';
+
+$port = 7777;
+$con = 1;
+$word = "";
+
+$sock = socket_create(AF_INET, SOCK_STREAM, 0);
+$bind = socket_bind($sock, $address, $port);
+
+socket_listen($sock);
+
+while ($con == 1)
+{
+    $client = socket_accept($sock);
+    $input = socket_read($client, 2024);
+
+    if ($input == 'exit') 
+    {
+        $close = socket_close($sock);
+        $con = 0;
+    }
+
+    if($con == 1)
+    {
+        $word .= $input;
+    }
+}
+
+echo $word;
diff --git a/data/web/inc/call_sogo_ctrl.php b/data/web/inc/call_sogo_ctrl.php
index 7ecbd048..88f50419 100644
--- a/data/web/inc/call_sogo_ctrl.php
+++ b/data/web/inc/call_sogo_ctrl.php
@@ -11,8 +11,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
   curl_setopt($curl, CURLOPT_HTTPHEADER,array( 'Content-Type: application/json' ));
   switch($action) {
     case 'get_id':
-      curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
-      curl_setopt($curl, CURLOPT_URL, 'http:/v1.26/containers/json?all=1');
+      curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/info/container/all');
       curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
       curl_setopt($curl, CURLOPT_POST, 0);
       $response = curl_exec($curl);
@@ -35,13 +34,11 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
       return false;
     break;
     case 'info':
-      curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
       $container_id = docker($service_name, 'get_id');
       if (ctype_xdigit($container_id)) {
-        curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
-        curl_setopt($curl, CURLOPT_URL, 'http/containers/' . $container_id . '/json');
-        curl_setopt($curl, CURLOPT_POST, 0);
+        curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/info/container/' . $container_id);
         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
+        curl_setopt($curl, CURLOPT_POST, 0);
         $response = curl_exec($curl);
         if ($response === false) {
           $err = curl_error($curl);
@@ -65,9 +62,8 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
     case 'post':
       if (!empty($post_action)) {
         $container_id = docker($service_name, 'get_id');
-        if (ctype_xdigit($container_id)) {
-          curl_setopt($curl, CURLOPT_UNIX_SOCKET_PATH, "/var/run/docker.sock");
-          curl_setopt($curl, CURLOPT_URL, 'http/containers/' . $container_id . '/' . $post_action);
+        if (ctype_xdigit($container_id) && ctype_alnum($post_action)) {
+          curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/' . $post_action . '/container/' . $container_id);
           curl_setopt($curl, CURLOPT_POST, 1);
           if (!empty($post_fields)) {
             curl_setopt( $curl, CURLOPT_POSTFIELDS, json_encode($post_fields));
@@ -96,30 +92,30 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
 
 if ($_GET['ACTION'] == "start") {
   $retry = 0;
-  while (!docker('sogo-mailcow', 'info')['State']['Running'] && $retry <= 3) {
+  while (docker('sogo-mailcow', 'info')[0]['State'] != "running" && $retry <= 3) {
     $response = docker('sogo-mailcow', 'post', 'start');
-    $last_response = ($response === true) ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-warning">Error: ' . $response . '</span></b>';
-    if ($response === true) {
+    $last_response = (trim($response) == "\"OK\"") ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-danger">Error: ' . $response . '</span></b>';
+    if (trim($response) == "\"OK\"") {
       break;
     }
     usleep(1500000);
     $retry++;
   }
-  echo $last_response;
+  echo (!isset($last_response)) ? '<b><span class="pull-right text-warning">Not running</span></b>' : $last_response;
 }
 
 if ($_GET['ACTION'] == "stop") {
   $retry = 0;
-  while (docker('sogo-mailcow', 'info')['State']['Running'] && $retry <= 3) {
+  while (docker('sogo-mailcow', 'info')[0]['State'] == "running" && $retry <= 3) {
     $response = docker('sogo-mailcow', 'post', 'stop');
-    $last_response = ($response === true) ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-warning">Error: ' . $response . '</span></b>';
-    if ($response === true) {
+    $last_response = (trim($response) == "\"OK\"") ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-danger">Error: ' . $response . '</span></b>';
+    if (trim($response) == "\"OK\"") {
       break;
     }
     usleep(1500000);
     $retry++;
   }
-  echo $last_response;
+  echo (!isset($last_response)) ? '<b><span class="pull-right text-warning">Not running</span></b>' : $last_response;
 }
 
 ?>
diff --git a/docker-compose.yml b/docker-compose.yml
index 3ce44f90..44875f62 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -105,7 +105,6 @@ services:
         - ./data/web:/web:ro
         - ./data/conf/rspamd/dynmaps:/dynmaps:ro
         - dkim-vol-1:/data/dkim
-        - /var/run/docker.sock:/var/run/docker.sock:ro
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -297,7 +296,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.3
+      image: mailcow/watchdog:1.4
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:
@@ -309,11 +308,24 @@ services:
         - DBUSER=${DBUSER}
         - DBPASS=${DBPASS}
         - USE_WATCHDOG=${USE_WATCHDOG:-n}
+        - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL}
+        - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
           aliases:
             - watchdog
 
+    dockerapi-mailcow:
+      image: mailcow/dockerapi:1.0
+      build: ./data/Dockerfiles/dockerapi
+      init: false
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock:ro
+      networks:
+        mailcow-network:
+          aliases:
+            - dockerapi
+
     ipv6nat:
       image: robbertkl/ipv6nat
       restart: always
diff --git a/update.sh b/update.sh
index f38c47a0..461b2a2a 100755
--- a/update.sh
+++ b/update.sh
@@ -4,7 +4,7 @@ for bin in curl docker-compose docker git awk sha1sum; do
 	if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
 done
 
-CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "USE_WATCHDOG" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN" "DOVEADM_PORT")
+CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "USE_WATCHDOG" "WATCHDOG_NOTIFY_EMAIL" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN" "DOVEADM_PORT")
 echo >> mailcow.conf
 for option in ${CONFIG_ARRAY[@]}; do
 	if [[ ${option} == "ADDITIONAL_SAN" ]]; then
@@ -22,6 +22,11 @@ for option in ${CONFIG_ARRAY[@]}; do
 			echo "Adding new option \"${option}\" to mailcow.conf"
 			echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
 		fi
+	elif [[ ${option} == "WATCHDOG_NOTIFY_EMAIL" ]]; then
+		if ! grep -q ${option} mailcow.conf; then
+			echo "Adding new option \"${option}\" to mailcow.conf"
+			echo "WATCHDOG_NOTIFY_EMAIL=" >> mailcow.conf
+		fi
 	elif ! grep -q ${option} mailcow.conf; then
 		echo "Adding new option \"${option}\" to mailcow.conf"
 		echo "${option}=n" >> mailcow.conf

From 3ae0b16845fb63d277d79456975f78edb538350b Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Fri, 6 Oct 2017 10:20:40 +0200
Subject: [PATCH 49/84] [Web, DockerAPI] Be more like official Docker API

---
 data/Dockerfiles/dockerapi/server.py | 63 +++++++++++++++++-----------
 data/web/inc/call_sogo_ctrl.php      | 14 +++----
 2 files changed, 45 insertions(+), 32 deletions(-)

diff --git a/data/Dockerfiles/dockerapi/server.py b/data/Dockerfiles/dockerapi/server.py
index b4f7d287..22eb8508 100644
--- a/data/Dockerfiles/dockerapi/server.py
+++ b/data/Dockerfiles/dockerapi/server.py
@@ -1,41 +1,54 @@
 from flask import Flask
 from flask_restful import Resource, Api
-from docker import APIClient
+from flask import jsonify
+import docker
 
-dockercli = APIClient(base_url='unix://var/run/docker.sock')
+docker_client = docker.DockerClient(base_url='unix://var/run/docker.sock')
 app = Flask(__name__)
 api = Api(app)
 
-class Containers(Resource):
+class containers_get(Resource):
     def get(self):
-        return dockercli.containers(all=True)
+        containers = {}
+        for container in docker_client.containers.list(all=True):
+            containers.update({container.attrs['Id']: container.attrs})
+        return containers
 
-class ContainerInfo(Resource):
+class container_get(Resource):
     def get(self, container_id):
-        return dockercli.containers(all=True, filters={"id": container_id})
-
-class ContainerStart(Resource):
-    def post(self, container_id):
-        try:
-            dockercli.start(container_id);
-        except:
-            return 'Error'
+        if container_id and container_id.isalnum():
+            for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                return container.attrs            
         else:
-            return 'OK'
+		    return jsonify(message='No or invalid id defined')
 
-class ContainerStop(Resource):
-    def post(self, container_id):
-        try:
-            dockercli.stop(container_id);
-        except: 
-            return 'Error'
+class container_post(Resource):
+    def post(self, container_id, post_action):
+        if container_id and container_id.isalnum() and post_action:
+            if post_action == 'stop':
+                try:
+                    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                        container.stop()
+                except:
+                    return 'Error'
+                else:
+                    return 'OK'
+            elif post_action == 'start':
+                try:
+                    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                        container.start()
+                except:
+                    return 'Error'
+                else:
+                    return 'OK'
+            else:
+                return jsonify(message='Invalid action')
         else:
-            return 'OK'
+            return jsonify(message='Invalid container id or missing action')
 
-api.add_resource(Containers, '/info/container/all')
-api.add_resource(ContainerInfo, '/info/container/<string:container_id>')
-api.add_resource(ContainerStop, '/stop/container/<string:container_id>')
-api.add_resource(ContainerStart, '/start/container/<string:container_id>')
+api.add_resource(containers_get, '/containers/json')
+api.add_resource(container_get, '/containers/<string:container_id>/json')
+api.add_resource(container_post, '/containers/<string:container_id>/<string:post_action>')
 
 if __name__ == '__main__':
     app.run(debug=False, host='0.0.0.0', port='8080')
diff --git a/data/web/inc/call_sogo_ctrl.php b/data/web/inc/call_sogo_ctrl.php
index 88f50419..c54a0a5a 100644
--- a/data/web/inc/call_sogo_ctrl.php
+++ b/data/web/inc/call_sogo_ctrl.php
@@ -11,7 +11,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
   curl_setopt($curl, CURLOPT_HTTPHEADER,array( 'Content-Type: application/json' ));
   switch($action) {
     case 'get_id':
-      curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/info/container/all');
+      curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/containers/json');
       curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
       curl_setopt($curl, CURLOPT_POST, 0);
       $response = curl_exec($curl);
@@ -25,7 +25,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
         $containers = json_decode($response, true);
         if (!empty($containers)) {
           foreach ($containers as $container) {
-            if ($container['Labels']['com.docker.compose.service'] == $service_name) {
+            if ($container['Config']['Labels']['com.docker.compose.service'] == $service_name) {
               return trim($container['Id']);
             }
           }
@@ -36,7 +36,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
     case 'info':
       $container_id = docker($service_name, 'get_id');
       if (ctype_xdigit($container_id)) {
-        curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/info/container/' . $container_id);
+        curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/containers/' . $container_id . '/json');
         curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
         curl_setopt($curl, CURLOPT_POST, 0);
         $response = curl_exec($curl);
@@ -63,7 +63,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
       if (!empty($post_action)) {
         $container_id = docker($service_name, 'get_id');
         if (ctype_xdigit($container_id) && ctype_alnum($post_action)) {
-          curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/' . $post_action . '/container/' . $container_id);
+          curl_setopt($curl, CURLOPT_URL, 'http://dockerapi:8080/containers/' . $container_id . '/' . $post_action);
           curl_setopt($curl, CURLOPT_POST, 1);
           if (!empty($post_fields)) {
             curl_setopt( $curl, CURLOPT_POSTFIELDS, json_encode($post_fields));
@@ -92,7 +92,7 @@ function docker($service_name, $action, $post_action = null, $post_fields = null
 
 if ($_GET['ACTION'] == "start") {
   $retry = 0;
-  while (docker('sogo-mailcow', 'info')[0]['State'] != "running" && $retry <= 3) {
+  while (docker('sogo-mailcow', 'info')['State']['Running'] != 1 && $retry <= 3) {
     $response = docker('sogo-mailcow', 'post', 'start');
     $last_response = (trim($response) == "\"OK\"") ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-danger">Error: ' . $response . '</span></b>';
     if (trim($response) == "\"OK\"") {
@@ -101,12 +101,12 @@ if ($_GET['ACTION'] == "start") {
     usleep(1500000);
     $retry++;
   }
-  echo (!isset($last_response)) ? '<b><span class="pull-right text-warning">Not running</span></b>' : $last_response;
+  echo (!isset($last_response)) ? '<b><span class="pull-right text-warning">Already running</span></b>' : $last_response;
 }
 
 if ($_GET['ACTION'] == "stop") {
   $retry = 0;
-  while (docker('sogo-mailcow', 'info')[0]['State'] == "running" && $retry <= 3) {
+  while (docker('sogo-mailcow', 'info')['State']['Running'] == 1 && $retry <= 3) {
     $response = docker('sogo-mailcow', 'post', 'stop');
     $last_response = (trim($response) == "\"OK\"") ? '<b><span class="pull-right text-success">OK</span></b>' : '<b><span class="pull-right text-danger">Error: ' . $response . '</span></b>';
     if (trim($response) == "\"OK\"") {

From ef9953898c2cf840fdd5fb68d1a6a066ba4a6f28 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Fri, 6 Oct 2017 13:32:49 +0200
Subject: [PATCH 50/84] [ACME, Watchdog, DockerAPI] Use only limited Docker API

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 6 ++----
 data/Dockerfiles/dockerapi/server.py       | 8 ++++++++
 data/Dockerfiles/watchdog/watchdog.sh      | 8 ++++----
 docker-compose.yml                         | 6 ++----
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 618bffe9..25023819 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -10,9 +10,7 @@ mkdir -p ${ACME_BASE}/acme/private
 restart_containers(){
 	for container in $*; do
 		echo "Restarting ${container}..."
-		curl -X POST \
-			--unix-socket /var/run/docker.sock \
-			"http/containers/${container}/restart"
+		curl -X POST http://dockerapi:8080/containers/${container}/restart
 	done
 }
 
@@ -107,7 +105,7 @@ while true; do
 	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
 	IPV4=$(get_ipv4)
 	# Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent --unix-socket /var/run/docker.sock http/containers/json | jq -rc 'map(select(.Names[] | contains ("nginx-mailcow") or contains ("postfix-mailcow") or contains ("dovecot-mailcow"))) | .[] .Id' | tr "\n" " "))
+	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
 
 	while read domain; do
 		SQL_DOMAIN_ARR+=("${domain}")
diff --git a/data/Dockerfiles/dockerapi/server.py b/data/Dockerfiles/dockerapi/server.py
index 22eb8508..a021ab54 100644
--- a/data/Dockerfiles/dockerapi/server.py
+++ b/data/Dockerfiles/dockerapi/server.py
@@ -41,6 +41,14 @@ class container_post(Resource):
                     return 'Error'
                 else:
                     return 'OK'
+            elif post_action == 'restart':
+                try:
+                    for container in docker_client.containers.list(all=True, filters={"id": container_id}):
+                        container.restart()
+                except:
+                    return 'Error'
+                else:
+                    return 'OK'
             else:
                 return jsonify(message='Invalid action')
         else:
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index bad567e2..546fba64 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -65,8 +65,8 @@ get_container_ip() {
   LOOP_C=1
   until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${1}\"))) | .[] .Id")
-    CONTAINER_IP=$(curl --silent --unix-socket /var/run/docker.sock http/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
+    CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
     LOOP_C=$((LOOP_C + 1))
   done
   [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
@@ -366,11 +366,11 @@ while true; do
   if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
     kill -STOP ${BACKGROUND_TASKS[*]}
     sleep 3
-    CONTAINER_ID=$(curl --silent --unix-socket /var/run/docker.sock http/containers/json?all=1 | jq -rc "map(select(.Names[] | contains (\"${com_pipe_answer}\"))) | .[] .Id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${com_pipe_answer}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
       log_to_redis "Sending restart command to ${CONTAINER_ID}..."
       echo "Sending restart command to ${CONTAINER_ID}..."
-      curl --silent --unix-socket /var/run/docker.sock -XPOST http/containers/${CONTAINER_ID}/restart
+      curl --silent -XPOST http://dockerapi:8080/containers/${CONTAINER_ID}/restart
     fi
     echo "Wait for restarted container to settle and continue watching..."
     sleep 30s
diff --git a/docker-compose.yml b/docker-compose.yml
index 44875f62..c351b588 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -250,7 +250,7 @@ services:
       depends_on:
         - nginx-mailcow
         - mysql-mailcow
-      image: mailcow/acme:1.20
+      image: mailcow/acme:1.21
       build: ./data/Dockerfiles/acme
       init: true
       dns:
@@ -267,7 +267,6 @@ services:
         - ./data/web/.well-known/acme-challenge:/var/www/acme:rw
         - ./data/assets/ssl:/var/lib/acme/:rw
         - ./data/assets/ssl-example:/var/lib/ssl-example/:ro
-        - /var/run/docker.sock:/var/run/docker.sock:ro
       restart: always
       networks:
         mailcow-network:
@@ -296,11 +295,10 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.4
+      image: mailcow/watchdog:1.5
       build: ./data/Dockerfiles/watchdog
       init: false
       volumes:
-        - /var/run/docker.sock:/var/run/docker.sock:ro
         - vmail-vol-1:/vmail:ro
       restart: always
       environment:

From 7db587764410771cce9e26d82de23219fc10409b Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sat, 7 Oct 2017 22:08:08 +0200
Subject: [PATCH 51/84] [Web] Fixes #657

---
 data/web/edit.php           |  1 +
 data/web/modals/mailbox.php |  7 ++++
 mailcow-setup-relayhost.sh  | 76 -------------------------------------
 3 files changed, 8 insertions(+), 76 deletions(-)
 delete mode 100755 mailcow-setup-relayhost.sh

diff --git a/data/web/edit.php b/data/web/edit.php
index fbbda18d..fd6682ff 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -614,6 +614,7 @@ if (isset($_SESSION['mailcow_cc_role'])) {
           <form class="form-horizontal" data-id="editsyncjob" role="form" method="post">
             <input type="hidden" value="0" name="delete2duplicates">
             <input type="hidden" value="0" name="delete1">
+            <input type="hidden" value="0" name="delete2">
             <input type="hidden" value="0" name="active">
             <div class="form-group">
               <label class="control-label col-sm-2" for="host1"><?=$lang['edit']['hostname'];?></label>
diff --git a/data/web/modals/mailbox.php b/data/web/modals/mailbox.php
index b726ca6e..c81ffcb8 100644
--- a/data/web/modals/mailbox.php
+++ b/data/web/modals/mailbox.php
@@ -406,6 +406,13 @@ if (!isset($_SESSION['mailcow_cc_role'])) {
 							</div>
 						</div>
 					</div>
+          <div class="form-group">
+						<div class="col-sm-offset-2 col-sm-10">
+							<div class="checkbox">
+							<label><input type="checkbox" value="1" name="delete2"> <?=$lang['add']['delete2'];?></label>
+							</div>
+						</div>
+					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
 							<div class="checkbox">
diff --git a/mailcow-setup-relayhost.sh b/mailcow-setup-relayhost.sh
deleted file mode 100755
index 283590df..00000000
--- a/mailcow-setup-relayhost.sh
+++ /dev/null
@@ -1,76 +0,0 @@
-#/bin/bash
-if [[ ! -f mailcow.conf ]]; then
-        echo "Cannot find mailcow.conf, make sure this script is run from within the mailcow folder."
-        exit 1
-fi
-
-echo -n "Checking Postfix service... "
-docker-compose ps -q postfix-mailcow > /dev/null 2>&1
-
-if [[ $? -ne 0 ]]; then
-        echo "failed"
-        echo "Postfix (postifx-mailcow) is not up and running, exiting..."
-        exit 1
-fi
-
-echo "OK"
-
-if [[ -z ${1} ]]; then
-    echo "Usage:"
-	echo
-	echo "Setup a relayhost:"
-	echo "${0} relayhost port (username) (password)"
-    echo "Username and password are optional parameters."
-	echo
-	echo "Reset to defaults:"
-	echo "${0} reset"
-    exit 1
-fi
-
-if [[ ${1} == "reset" ]]; then
-	# Reset modified values to their defaults
-	sed -i "s/^relayhost\ \=.*/relayhost\ \=/" data/conf/postfix/main.cf
-	sed -i "s/^smtp\_sasl\_password\_maps.*/smtp\_sasl\_password\_maps\ \=/" data/conf/postfix/main.cf
-	sed -i "s/^smtp\_sasl\_security\_options.*/smtp\_sasl\_security\_options\ \=\ noplaintext\,\ noanonymous/" data/conf/postfix/main.cf
-	sed -i "s/^smtp\_sasl\_auth\_enable.*/smtp\_sasl\_auth\_enable\ \=\ no/" data/conf/postfix/main.cf
-	# Also delete the plaintext password file
-	rm -f data/conf/postfix/smarthost_passwd*
-	docker-compose exec postfix-mailcow postfix reload
-	# Exit with dc exit code
-	exit $?
-else
-	# Try a simple connection to host:port but don't recieve any data
-	# Abort after 3 seconds
-	if ! nc -z -v -w3 ${1} ${2} 2>/dev/null; then
-		echo "Connection to relayhost ${1} failed, aborting..."
-		exit 1
-	fi
-	# Use exact hostname as relayhost, don't lookup the MX record of relayhost
-	sed -i "s/relayhost\ \=.*/relayhost\ \=\ \[${1}\]\:${2}/" data/conf/postfix/main.cf
-	if grep -q "smtp_sasl_password_maps" data/conf/postfix/main.cf
-	then
-		sed -i "s/^smtp\_sasl\_password\_maps.*/smtp\_sasl\_password\_maps\ \=\ hash\:\/opt\/postfix\/conf\/smarthost\_passwd/" data/conf/postfix/main.cf
-	else
-		echo "smtp_sasl_password_maps = hash:/opt/postfix/conf/smarthost_passwd" >>  data/conf/postfix/main.cf
-	fi
-	if grep -q "smtp_sasl_auth_enable" data/conf/postfix/main.cf
-	then
-		sed -i "s/^smtp\_sasl\_auth\_enable.*/smtp\_sasl\_auth\_enable\ \=\ yes/" data/conf/postfix/main.cf
-	else
-		echo "smtp_sasl_auth_enable = yes" >>  data/conf/postfix/main.cf
-	fi
-	if grep -q "smtp_sasl_security_options" data/conf/postfix/main.cf
-	then
-		sed -i "s/^smtp\_sasl\_security\_options.*/smtp\_sasl\_security\_options\ \=/" data/conf/postfix/main.cf
-	else
-		echo "smtp_sasl_security_options =" >>  data/conf/postfix/main.cf
-	fi
-	if [[ ! -z ${3} ]]; then
-		echo ${1} ${3}:${4} > data/conf/postfix/smarthost_passwd
-		docker-compose exec postfix-mailcow postmap /opt/postfix/conf/smarthost_passwd
-	fi
-	docker-compose exec postfix-mailcow chown root:postfix /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db
-	docker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd /opt/postfix/conf/smarthost_passwd.db
-	docker-compose exec postfix-mailcow postfix reload
-	exit $?
-fi

From 72995ff98ef199cae3ac118c7058532fde76b91f Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 8 Oct 2017 22:47:52 +0200
Subject: [PATCH 52/84] [PHP-FPM] Include more modules for upcoming features
 and Nextcloud support, drop ro flag; [Watchdog] Some fixes and changes

---
 data/Dockerfiles/phpfpm/Dockerfile           | 38 +++++++++++++++++---
 data/Dockerfiles/phpfpm/docker-entrypoint.sh | 12 -------
 data/Dockerfiles/watchdog/watchdog.sh        |  4 ++-
 docker-compose.yml                           |  7 ++--
 4 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index bd1837ec..c447e727 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -1,8 +1,16 @@
 FROM php:7.1-fpm-alpine
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
+ENV REDIS_PECL 3.1.4
+ENV MEMCACHED_PECL 3.0.3
+ENV APCU_PECL 5.1.8
+
 RUN apk add -U --no-cache libxml2-dev \
 	icu-dev \
+	imap-dev \
+	libmemcached-dev \
+	cyrus-sasl-dev \
+	pcre-dev \
 	icu-libs \
 	redis \
 	mysql-client \
@@ -11,13 +19,33 @@ RUN apk add -U --no-cache libxml2-dev \
 	g++ \
 	make \
 	openssl \
-	&& pecl install redis \
+	openssl-dev \
+	samba-client \
+	libpng \
+	libpng-dev \
+	libjpeg-turbo-dev \
+	libwebp-dev \
+	zlib-dev \
+	libxpm-dev \
+	c-client \
+	&& pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} \
+	&& docker-php-ext-enable redis apcu memcached \
 	&& pecl clear-cache \
 	&& docker-php-ext-configure intl \
-	&& docker-php-ext-install intl pdo pdo_mysql xmlrpc \
-	&& docker-php-ext-enable redis \
-	&& pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL Net_IMAP NET_SMTP Net_IDNA2 Mail_mime \
-	&& apk del autoconf g++ make libxml2-dev icu-dev
+    && docker-php-ext-install intl pdo pdo_mysql xmlrpc gd zip pcntl opcache \
+    && docker-php-ext-configure imap --with-imap --with-imap-ssl \
+	&& docker-php-ext-install imap \
+	&& pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL2 Net_IMAP NET_SMTP Net_IDNA2 Mail_mime \
+	&& apk del autoconf g++ make libxml2-dev icu-dev imap-dev openssl-dev cyrus-sasl-dev pcre-dev libpng-dev libpng-dev libjpeg-turbo-dev libwebp-dev zlib-dev \
+	&& { \
+  echo 'opcache.enable=1'; \
+  echo 'opcache.enable_cli=1'; \
+  echo 'opcache.interned_strings_buffer=8'; \
+  echo 'opcache.max_accelerated_files=10000'; \
+  echo 'opcache.memory_consumption=128'; \
+  echo 'opcache.save_comments=1'; \
+  echo 'opcache.revalidate_freq=1'; \
+} > /usr/local/etc/php/conf.d/opcache-recommended.ini
 
 COPY ./docker-entrypoint.sh /
 
diff --git a/data/Dockerfiles/phpfpm/docker-entrypoint.sh b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
index 65e33424..8c986335 100755
--- a/data/Dockerfiles/phpfpm/docker-entrypoint.sh
+++ b/data/Dockerfiles/phpfpm/docker-entrypoint.sh
@@ -82,16 +82,4 @@ if [[ ! -z ${DOMAIN_ARRAY} ]]; then
  done
 fi
 
-# Socket access
-DOCKER_SOCKET=/var/run/docker.sock
-DOCKER_GROUP=docker
-REGULAR_USER=www-data
-
-if [ -S ${DOCKER_SOCKET} ]; then
-    DOCKER_GID=$(stat -c '%g' ${DOCKER_SOCKET})
-    delgroup $(stat -c '%G' ${DOCKER_SOCKET})
-    addgroup -g ${DOCKER_GID} ${DOCKER_GROUP}
-    adduser ${REGULAR_USER} ${DOCKER_GROUP}
-fi
-
 exec "$@"
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 546fba64..c7692da4 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -66,7 +66,9 @@ get_container_ip() {
   until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
     CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
-    CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+    if [[ ! -z ${CONTAINER_ID} ]]; then
+    	CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
+	fi
     LOOP_C=$((LOOP_C + 1))
   done
   [[ ${LOOP_C} -gt 5 ]] && echo 240.0.0.0 || echo ${CONTAINER_IP}
diff --git a/docker-compose.yml b/docker-compose.yml
index c351b588..78ef16c0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -96,13 +96,13 @@ services:
             - rspamd
 
     php-fpm-mailcow:
-      image: mailcow/phpfpm:1.2
+      image: mailcow/phpfpm:1.3
       build: ./data/Dockerfiles/phpfpm
       command: "php-fpm -d date.timezone=${TZ}"
       depends_on:
         - redis-mailcow
       volumes:
-        - ./data/web:/web:ro
+        - ./data/web:/web:rw
         - ./data/conf/rspamd/dynmaps:/dynmaps:ro
         - dkim-vol-1:/data/dkim
       environment:
@@ -295,8 +295,9 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.5
+      image: mailcow/watchdog:1.6
       build: ./data/Dockerfiles/watchdog
+      command: /watchdog.sh
       init: false
       volumes:
         - vmail-vol-1:/vmail:ro

From aa245cbda52bc0d712e35b8b256f92ede96a1ac3 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 8 Oct 2017 22:48:56 +0200
Subject: [PATCH 53/84] [Config] Add WATCHDOG_NOTIFY_EMAIL to gen_config,
 slightly better parameter descriptions

---
 generate_config.sh | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/generate_config.sh b/generate_config.sh
index a7e52ebe..ecf5723a 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -16,10 +16,10 @@ if [ -z "$MAILCOW_HOSTNAME" ]; then
   read -p "Hostname (FQDN): " -ei "mx.example.org" MAILCOW_HOSTNAME
 fi
 
-if [[ -a /etc/timezone ]]; then 
- TZ=$(cat /etc/timezone) 
+if [[ -a /etc/timezone ]]; then
+  TZ=$(cat /etc/timezone)
 elif  [[ -a /etc/localtime ]]; then
- TZ=$(readlink /etc/localtime|sed -n 's|^.*zoneinfo/||p')
+   TZ=$(readlink /etc/localtime|sed -n 's|^.*zoneinfo/||p')
 fi
 
 if [ -z "$TZ" ]; then
@@ -84,20 +84,22 @@ COMPOSE_PROJECT_NAME=mailcow-dockerized
 # Additional SAN for the certificate
 ADDITIONAL_SAN=
 
-# To never run acme-mailcow for Let's Encrypt, set this to y
-SKIP_LETS_ENCRYPT=n
 
-# Skip IPv4 check in ACME container
+# Skip running ACME (acme-mailcow, Let's Encrypt certs) - y/n
+SKIP_LETS_ENCRYPT=n
+# Skip IPv4 check in ACME container - y/n
 SKIP_IP_CHECK=n
 
-# To never run fail2ban-mailcow
+# Skip Fail2ban implementation (fail2ban-mailcow) - y/n
 SKIP_FAIL2BAN=n
 
-# To never run clamd-mailcow
+# Skip ClamAV (clamd-mailcow) anti-virus (Rspamd will auto-detect a missing ClamAV container) - y/n
 SKIP_CLAMD=n
 
-# Enable watchdog to restart unhealthy containers (experimental)
+# Enable watchdog (watchdog-mailcow) to restart unhealthy containers (experimental)
 USE_WATCHDOG=n
+# Send notifications by mail (no DKIM signature, sent from watchdog@MAILCOW_HOSTNAME)
+#WATCHDOG_NOTIFY_EMAIL=
 
 EOF
 

From 874aac3c5ed799ee4b6c457213b44c78be127a61 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 8 Oct 2017 22:57:34 +0200
Subject: [PATCH 54/84] [Nginx, PHP-FPM] Do not expose PHP version, example for
 nextcloud site, include custom locations to site (add site.something.custom
 to data/conf/nginx)

---
 data/assets/site.nextcloud.custom | 41 +++++++++++++++++++++++++++++++
 data/conf/nginx/site.conf         | 16 ++++++++++--
 docker-compose.yml                |  2 +-
 3 files changed, 56 insertions(+), 3 deletions(-)
 create mode 100644 data/assets/site.nextcloud.custom

diff --git a/data/assets/site.nextcloud.custom b/data/assets/site.nextcloud.custom
new file mode 100644
index 00000000..c28700b0
--- /dev/null
+++ b/data/assets/site.nextcloud.custom
@@ -0,0 +1,41 @@
+  location ^~ /nextcloud {
+    location /nextcloud {
+      rewrite ^ /nextcloud/index.php$uri;
+    }
+    location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+      deny all;
+    }
+    location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
+      deny all;
+    }
+    location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+      fastcgi_split_path_info ^(.+\.php)(/.*)$;
+      include fastcgi_params;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      fastcgi_param PATH_INFO $fastcgi_path_info;
+      fastcgi_param HTTPS on;
+      fastcgi_param modHeadersAvailable true;
+      fastcgi_param front_controller_active true;
+      fastcgi_pass phpfpm:9000;
+      fastcgi_intercept_errors on;
+      fastcgi_request_buffering off;
+    }
+    location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
+      try_files $uri/ =404;
+      index index.php;
+    }
+    location ~ \.(?:css|js|woff|svg|gif)$ {
+      try_files $uri /nextcloud/index.php$uri$is_args$args;
+      add_header Cache-Control "public, max-age=15778463";
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Robots-Tag none;
+      add_header X-Download-Options noopen;
+      add_header X-Permitted-Cross-Domain-Policies none;
+      access_log off;
+    }
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+      try_files $uri /nextcloud/index.php$uri$is_args$args;
+      access_log off;
+    }
+  }
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 1b5a8a3e..71424174 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -22,11 +22,15 @@ server {
   ssl_protocols TLSv1.2;
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;
-  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 1d;
   ssl_session_tickets off;
-  add_header Strict-Transport-Security max-age=15768000;
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
 
   index index.php index.html;
   include /etc/nginx/conf.d/server_name.active;
@@ -177,6 +181,8 @@ server {
     proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
     #alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
   }
+
+  include /etc/nginx/conf.d/site.*.custom;
 }
 server {
   include /etc/nginx/conf.d/listen_plain.active;
@@ -189,6 +195,11 @@ server {
   access_log /var/log/nginx/access.log;
   absolute_redirect off;
   root /web;
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
 
   location ~ ^/api/v1/(.*)$ {
     try_files $uri $uri/ /json_api.php?query=$1;
@@ -333,4 +344,5 @@ server {
     #alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
   }
 
+  include /etc/nginx/conf.d/site.*.custom;
 }
diff --git a/docker-compose.yml b/docker-compose.yml
index 78ef16c0..7a1c5e81 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -98,7 +98,7 @@ services:
     php-fpm-mailcow:
       image: mailcow/phpfpm:1.3
       build: ./data/Dockerfiles/phpfpm
-      command: "php-fpm -d date.timezone=${TZ}"
+      command: "php-fpm -d date.timezone=${TZ} expose_php=0"
       depends_on:
         - redis-mailcow
       volumes:

From d4f395271df43468915f2583827995e8ae61bc1e Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 8 Oct 2017 22:59:04 +0200
Subject: [PATCH 55/84] More ignores for git

---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 9de43f40..cf504b4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,14 +7,17 @@ data/conf/nginx/listen*active
 data/conf/nginx/server_name.active
 data/conf/postfix/sql
 data/conf/dovecot/sql
+data/conf/nextcloud-*.bak
 data/web/inc/vars.local.inc.php
 data/assets/ssl/*
 .vscode/*
 data/web/.well-known/acme-challenge
+data/web/nextcloud/
 data/conf/rspamd/local.d/*
 data/conf/rspamd/override.d/*
 !data/conf/nginx/dynmaps.conf
 !data/conf/nginx/site.conf
 data/conf/nginx/*.conf
+data/conf/nginx/*.custom
 data/conf/dovecot/extra.conf
 data/conf/rspamd/custom/*

From 6110ac386fa78c01a4cf26acf09ea32930649a71 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 9 Oct 2017 15:45:48 +0200
Subject: [PATCH 56/84] [SOGo] Use official nightly; [PHP-FPM] Fix expose=off

---
 data/Dockerfiles/sogo/Dockerfile | 4 ++--
 docker-compose.yml               | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index a9cefc47..1bfca949 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -28,8 +28,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 RUN mkdir /usr/share/doc/sogo \
 	&& touch /usr/share/doc/sogo/empty.sh \
-	&& apt-key adv --keyserver sks.labs.nic.cz --recv-key A04BE668 \
-	&& echo "deb http://www.axis.cz/linux/debian stretch sogo-v3" > /etc/apt/sources.list.d/sogo.list \
+	&& apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 \
+	&& echo "deb http://packages.inverse.ca/SOGo/nightly/3/debian/ stretch stretch" > /etc/apt/sources.list.d/sogo.list \
 	&& apt-get update && apt-get install -y --force-yes \
 		sogo \
 		sogo-activesync \
diff --git a/docker-compose.yml b/docker-compose.yml
index 7a1c5e81..a68649b0 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -98,7 +98,7 @@ services:
     php-fpm-mailcow:
       image: mailcow/phpfpm:1.3
       build: ./data/Dockerfiles/phpfpm
-      command: "php-fpm -d date.timezone=${TZ} expose_php=0"
+      command: "php-fpm -d date.timezone=${TZ} -d expose_php=0"
       depends_on:
         - redis-mailcow
       volumes:
@@ -127,7 +127,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.9
+      image: mailcow/sogo:1.10
       build: ./data/Dockerfiles/sogo
       environment:
         - DBNAME=${DBNAME}

From 2862b43c81b2585c23455b4f50dcb51232a2f8a9 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 9 Oct 2017 15:54:54 +0200
Subject: [PATCH 57/84] [Watchdog] Fix watchdog to fit non-exposed PHP

---
 data/Dockerfiles/watchdog/watchdog.sh | 2 +-
 docker-compose.yml                    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index c7692da4..51528136 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -187,7 +187,7 @@ phpfpm_checks() {
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     host_ip=$(get_container_ip php-fpm-mailcow)
     err_c_cur=${err_count}
-    cgi-fcgi -bind -connect ${host_ip}:9000 | grep PHP 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    cgi-fcgi -bind -connect ${host_ip}:9000 | grep "Content-type" 1>&2; err_count=$(( ${err_count} + ($? * 2)))
     /usr/lib/nagios/plugins/check_ping -4 -H ${host_ip} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
diff --git a/docker-compose.yml b/docker-compose.yml
index a68649b0..1992b892 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -295,7 +295,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.6
+      image: mailcow/watchdog:1.7
       build: ./data/Dockerfiles/watchdog
       command: /watchdog.sh
       init: false

From bf2be8410d24dc8865c4bf96f30e76e9b140c6d5 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 9 Oct 2017 20:30:45 +0200
Subject: [PATCH 58/84] Create helper-scripts directory for future scripts

---
 helper-scripts/mailcow-reset-admin.sh | 36 +++++++++++++++++++++++++++
 mailcow-reset-admin.sh                | 36 ---------------------------
 2 files changed, 36 insertions(+), 36 deletions(-)
 create mode 100755 helper-scripts/mailcow-reset-admin.sh
 delete mode 100755 mailcow-reset-admin.sh

diff --git a/helper-scripts/mailcow-reset-admin.sh b/helper-scripts/mailcow-reset-admin.sh
new file mode 100755
index 00000000..5fa30f68
--- /dev/null
+++ b/helper-scripts/mailcow-reset-admin.sh
@@ -0,0 +1,36 @@
+#/bin/bash
+[[ -f mailcow.conf ]] && source mailcow.conf
+[[ -f ../mailcow.conf ]] && source ../mailcow.conf
+
+if [[ -z ${DBUSER} ]] || [[ -z ${DBPASS} ]] || [[ -z ${DBNAME} ]]; then
+	echo "Cannot find mailcow.conf, make sure this script is run from within the mailcow folder."
+	exit 1
+fi
+
+echo -n "Checking MySQL service... "
+if [[ -z $(docker ps -qf name=mysql-mailcow) ]]; then
+	echo "failed"
+	echo "MySQL (mysql-mailcow) is not up and running, exiting..."
+	exit 1
+fi
+
+echo "OK"
+read -r -p "Are you sure you want to reset the mailcow administrator account? [y/N] " response
+response=${response,,}    # tolower
+if [[ "$response" =~ ^(yes|y)$ ]]; then
+	echo -e "\nWorking, please wait..."
+	docker exec -it $(docker ps -qf name=mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM admin;"
+	docker exec -it $(docker ps -qf name=mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "INSERT INTO admin (username, password, superadmin, created, modified, active) VALUES ('admin', '{SSHA256}K8eVJ6YsZbQCfuJvSUbaQRLr0HPLz5rC9IAp0PAFl0tmNDBkMDc0NDAyOTAxN2Rk', 1, NOW(), NOW(), 1);"
+	docker exec -it $(docker ps -qf name=mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM domain_admins WHERE username='admin';"
+	docker exec -it $(docker ps -qf name=mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "INSERT INTO domain_admins (username, domain, created, active) VALUES ('admin', 'ALL', NOW(), 1);"
+	docker exec -it $(docker ps -qf name=mysql-mailcow) mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM tfa WHERE username='admin';"
+	echo "
+Reset credentials:
+---
+Username: admin
+Password: moohoo
+TFA: none
+"
+else
+	echo "Operation canceled."
+fi
diff --git a/mailcow-reset-admin.sh b/mailcow-reset-admin.sh
deleted file mode 100755
index 7ce1def8..00000000
--- a/mailcow-reset-admin.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#/bin/bash
-if [[ ! -f mailcow.conf ]]; then
-        echo "Cannot find mailcow.conf, make sure this script is run from within the mailcow folder."
-        exit 1
-fi
-
-echo -n "Checking MySQL service... "
-docker-compose ps -q mysql-mailcow > /dev/null 2>&1
-
-if [[ $? -ne 0 ]]; then
-        echo "failed"
-        echo "MySQL (mysql-mailcow) is not up and running, exiting..."
-        exit 1
-fi
-
-echo "OK"
-read -r -p "Are you sure you want to reset the mailcow administrator account? [y/N] " response
-response=${response,,}    # tolower
-if [[ "$response" =~ ^(yes|y)$ ]]; then
-        echo -e "\nWorking, please wait..."
-        source mailcow.conf
-        docker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM admin;"
-        docker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "INSERT INTO admin (username, password, superadmin, created, modified, active) VALUES ('admin', '{SSHA256}K8eVJ6YsZbQCfuJvSUbaQRLr0HPLz5rC9IAp0PAFl0tmNDBkMDc0NDAyOTAxN2Rk', 1, NOW(), NOW(), 1);"
-        docker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM domain_admins WHERE username='admin';"
-        docker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "INSERT INTO domain_admins (username, domain, created, active) VALUES ('admin', 'ALL', NOW(), 1);"
-        docker-compose exec -T mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM tfa WHERE username='admin';"
-        echo "
-Reset credentials:
----
-Username: admin
-Password: moohoo
-TFA: none
-"
-else
-        echo "Operation canceled."
-fi

From 490e1c5001f01e4365141fcb0f8b0ae90baacf77 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 9 Oct 2017 20:31:08 +0200
Subject: [PATCH 59/84] [Web] Escape : in relayhosts

---
 data/web/inc/functions.relayhost.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/data/web/inc/functions.relayhost.inc.php b/data/web/inc/functions.relayhost.inc.php
index 249dacc3..233ca0ad 100644
--- a/data/web/inc/functions.relayhost.inc.php
+++ b/data/web/inc/functions.relayhost.inc.php
@@ -27,7 +27,7 @@ function relayhost($_action, $_data = null) {
         $stmt->execute(array(
           ':hostname' => $hostname,
           ':username' => $username,
-          ':password' => $password,
+          ':password' => str_replace(':', '\:', $password),
           ':active' => '1'
         ));
       }

From 77745e0f79029c310031b253ec608dd1f0f0a78a Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:18:58 +0200
Subject: [PATCH 60/84] [Compose] Add fixed ip for watchdog, remove temp.
 watchdog command, push new Postfix and Dovecot versions

---
 docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1992b892..157c0da8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -147,7 +147,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:1.8
+      image: mailcow/dovecot:1.9
       build: ./data/Dockerfiles/dovecot
       volumes:
         - ./data/conf/dovecot:/usr/local/etc/dovecot
@@ -181,7 +181,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.6
+      image: mailcow/postfix:1.7
       build: ./data/Dockerfiles/postfix
       volumes:
         - ./data/conf/postfix:/opt/postfix/conf
@@ -297,7 +297,6 @@ services:
     watchdog-mailcow:
       image: mailcow/watchdog:1.7
       build: ./data/Dockerfiles/watchdog
-      command: /watchdog.sh
       init: false
       volumes:
         - vmail-vol-1:/vmail:ro
@@ -311,6 +310,7 @@ services:
         - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
       networks:
         mailcow-network:
+          ipv4_address: 172.22.1.248
           aliases:
             - watchdog
 

From ec1e23ca7159d29fba0c3c6115bd134f4ebb9859 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:20:48 +0200
Subject: [PATCH 61/84] [Assets] Move nextcloud files to subfolder nextcloud

---
 data/assets/nextcloud/nextcloud.conf          | 186 ++++++++++++++++++
 data/assets/nextcloud/occ                     |   2 +
 .../{ => nextcloud}/site.nextcloud.custom     |   0
 3 files changed, 188 insertions(+)
 create mode 100644 data/assets/nextcloud/nextcloud.conf
 create mode 100755 data/assets/nextcloud/occ
 rename data/assets/{ => nextcloud}/site.nextcloud.custom (100%)

diff --git a/data/assets/nextcloud/nextcloud.conf b/data/assets/nextcloud/nextcloud.conf
new file mode 100644
index 00000000..49a585d2
--- /dev/null
+++ b/data/assets/nextcloud/nextcloud.conf
@@ -0,0 +1,186 @@
+map $http_x_forwarded_proto $client_req_scheme_nc {
+     default $scheme;
+     https https;
+}
+
+server {
+  include /etc/nginx/conf.d/listen_ssl.active;
+  include /etc/nginx/mime.types;
+  charset utf-8;
+  override_charset on;
+
+  ssl on;
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+  ssl_protocols TLSv1.2;
+  ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+  ssl_prefer_server_ciphers on;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 1d;
+  ssl_session_tickets off;
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
+
+  server_name NC_SERVER_SUB;
+
+  root /web/nextcloud/;
+
+  location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+  }
+
+  location = /.well-known/carddav {
+    return 301 $client_req_scheme_nc://$host/remote.php/dav;
+  }
+  location = /.well-known/caldav {
+    return 301 $client_req_scheme_nc://$host/remote.php/dav;
+  }
+
+  gzip on;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 256;
+  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+  set_real_ip_from 172.22.1.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+
+  location / {
+    rewrite ^ /index.php$uri;
+  }
+
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+    deny all;
+  }
+
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+    deny all;
+  }
+
+  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+    fastcgi_split_path_info ^(.+\.php)(/.*)$;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    #Avoid sending the security headers twice
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+    fastcgi_pass phpfpm:9000;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+  }
+
+  location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+    try_files $uri/ =404;
+    index index.php;
+  }
+
+  location ~ \.(?:css|js|woff|svg|gif)$ {
+    try_files $uri /index.php$uri$is_args$args;
+    add_header Cache-Control "public, max-age=15778463";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Robots-Tag none;
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    access_log off;
+  }
+
+  location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+    try_files $uri /index.php$uri$is_args$args;
+    access_log off;
+  }
+}
+server {
+  include /etc/nginx/conf.d/listen_ssl.active;
+  include /etc/nginx/mime.types;
+  charset utf-8;
+  override_charset on;
+
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
+
+  server_name NC_SERVER_SUB;
+
+  root /web/nextcloud/;
+
+  location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+  }
+
+  location = /.well-known/carddav {
+    return 301 $client_req_scheme_nc://$host/remote.php/dav;
+  }
+  location = /.well-known/caldav {
+    return 301 $client_req_scheme_nc://$host/remote.php/dav;
+  }
+
+  gzip on;
+  gzip_vary on;
+  gzip_comp_level 4;
+  gzip_min_length 256;
+  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+  set_real_ip_from 172.22.1.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+
+  location / {
+    rewrite ^ /index.php$uri;
+  }
+
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+    deny all;
+  }
+
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+    deny all;
+  }
+
+  location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+    fastcgi_split_path_info ^(.+\.php)(/.*)$;
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+    fastcgi_pass phpfpm:9000;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+  }
+
+  location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+    try_files $uri/ =404;
+    index index.php;
+  }
+
+  location ~ \.(?:css|js|woff|svg|gif)$ {
+    try_files $uri /index.php$uri$is_args$args;
+    add_header Cache-Control "public, max-age=15778463";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Robots-Tag none;
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+    access_log off;
+  }
+
+  location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+    try_files $uri /index.php$uri$is_args$args;
+    access_log off;
+  }
+}
diff --git a/data/assets/nextcloud/occ b/data/assets/nextcloud/occ
new file mode 100755
index 00000000..2ae08001
--- /dev/null
+++ b/data/assets/nextcloud/occ
@@ -0,0 +1,2 @@
+#!/bin/bash
+docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) /web/nextcloud/occ ${@}
diff --git a/data/assets/site.nextcloud.custom b/data/assets/nextcloud/site.nextcloud.custom
similarity index 100%
rename from data/assets/site.nextcloud.custom
rename to data/assets/nextcloud/site.nextcloud.custom

From 57484e4a45cee3fdc0e89387dd8e556e629844e7 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:21:41 +0200
Subject: [PATCH 62/84] [Postfix] Log all watchdog activities to local7
 facility

---
 data/conf/postfix/master.cf | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/data/conf/postfix/master.cf b/data/conf/postfix/master.cf
index d494637c..77790d56 100644
--- a/data/conf/postfix/master.cf
+++ b/data/conf/postfix/master.cf
@@ -67,11 +67,24 @@ zeyple    unix  -       n       n       -       -       pipe
 589 inet n      -       n       -       -       smtpd
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o syslog_name=watchdog
+  -o syslog_facility=local7
   -o smtpd_milters=
+  -o cleanup_service_name=watchdog_cleanup
   -o non_smtpd_milters=
+watchdog_cleanup unix  n       -       n       -       0       cleanup
+  -o syslog_name=watchdog
+  -o syslog_facility=local7
   -o queue_service_name=watchdog_qmgr
-  -o local_transport=discard
-  -o default_transport=discard
 watchdog_qmgr fifo  n       -       n       300     1       qmgr
-  -o syslog_facility=local0
+  -o syslog_facility=local7
+  -o syslog_name=watchdog
+  -o rewrite_service_name=watchdog_rewrite
+watchdog_rewrite    unix  -       -       n       -       -       trivial-rewrite
+   -o syslog_facility=local7
+   -o syslog_name=watchdog
+   -o local_transport=watchdog_discard
+watchdog_discard    unix  -       -       n       -       -       discard
+   -o syslog_facility=local7
+   -o syslog_name=watchdog
+
 # end watchdog-specific

From e107cbef5e4d0674df4d4de3836f1c72b84beccc Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:22:48 +0200
Subject: [PATCH 63/84] [Postfix] Fix sending as alias, when alias is in alias
 domains, cleanup

---
 data/Dockerfiles/postfix/postfix.sh | 122 ++++++++++++++++++++++++----
 1 file changed, 105 insertions(+), 17 deletions(-)

diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index 2456f3d9..326a6d18 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -4,8 +4,8 @@ trap "postfix stop" EXIT
 
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
 if [[ -z $(grep null /etc/aliases) ]]; then
-	echo null: /dev/null >> /etc/aliases;
-	newaliases;
+  echo null: /dev/null >> /etc/aliases;
+  newaliases;
 fi
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
@@ -13,7 +13,17 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT DISTINCT CASE WHEN '%d' IN (SELECT domain FROM domain WHERE relay_all_recipients=1 AND domain='%d' AND backupmx=1) THEN '%s' ELSE (SELECT goto FROM alias WHERE address='%s' AND active='1') END AS result;
+query = SELECT DISTINCT
+  CASE WHEN '%d' IN (
+    SELECT domain FROM domain
+      WHERE relay_all_recipients=1
+        AND domain='%d'
+        AND backupmx=1
+  )
+  THEN '%s' ELSE (
+    SELECT goto FROM alias WHERE address='%s' AND active='1'
+  )
+  END AS result;
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf
@@ -21,7 +31,16 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT IF( EXISTS( SELECT 'TLS_ACTIVE' FROM alias LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto WHERE (address='%s' OR address IN (SELECT CONCAT('%u', '@', target_domain) FROM alias_domain WHERE alias_domain='%d')) AND mailbox.tls_enforce_in = '1' AND mailbox.active = '1'), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
+query = SELECT IF(EXISTS(
+  SELECT 'TLS_ACTIVE' FROM alias
+    LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
+      WHERE (address='%s'
+        OR address IN (
+          SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
+            WHERE alias_domain='%d'
+        )
+      ) AND mailbox.tls_enforce_in = '1' AND mailbox.active = '1'
+  ), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
@@ -31,9 +50,26 @@ hosts = mysql
 dbname = ${DBNAME}
 query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
   FROM (
-    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto WHERE (address = '%s' OR address IN (SELECT CONCAT('%u', '@', target_domain) FROM alias_domain WHERE alias_domain = '%d')) AND mailbox.tls_enforce_out = '1' AND mailbox.active = '1'), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
+    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias
+      LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto
+        WHERE (address = '%s'
+          OR address IN (
+            SELECT CONCAT('%u', '@', target_domain) FROM alias_domain
+              WHERE alias_domain = '%d'
+          )
+        )
+        AND mailbox.tls_enforce_out = '1'
+        AND mailbox.active = '1'
+    ), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
     UNION ALL
-    SELECT hostname AS transport FROM relayhosts LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id WHERE relayhosts.active = '1' AND domain = '%d' OR domain IN (SELECT target_domain FROM alias_domain WHERE alias_domain = '%d')
+    SELECT hostname AS transport FROM relayhosts
+      LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id
+        WHERE relayhosts.active = '1'
+          AND domain = '%d'
+          OR domain IN (
+            SELECT target_domain FROM alias_domain
+              WHERE alias_domain = '%d'
+          )
   )
   AS transport_view;
 EOF
@@ -43,7 +79,11 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts WHERE id IN (SELECT relayhost FROM domain WHERE CONCAT('@', domain) = '%s');
+query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts
+  WHERE id IN (
+    SELECT relayhost FROM domain
+      WHERE CONCAT('@', domain) = '%s'
+  );
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_catchall_maps.cf
@@ -51,7 +91,10 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT goto FROM alias,alias_domain WHERE alias_domain.alias_domain = '%d' and alias.address = CONCAT('@', alias_domain.target_domain) AND alias.active = 1 AND alias_domain.active='1'
+query = SELECT goto FROM alias, alias_domain
+  WHERE alias_domain.alias_domain = '%d'
+    AND alias.address = CONCAT('@', alias_domain.target_domain)
+    AND alias.active = 1 AND alias_domain.active='1'
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_maps.cf
@@ -59,7 +102,11 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT username FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' and mailbox.username = CONCAT('%u', '@', alias_domain.target_domain) AND mailbox.active = 1 AND alias_domain.active='1'
+query = SELECT username FROM mailbox, alias_domain
+  WHERE alias_domain.alias_domain = '%d'
+    AND mailbox.username = CONCAT('%u', '@', alias_domain.target_domain)
+    AND mailbox.active = '1'
+    AND alias_domain.active='1'
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_maps.cf
@@ -67,7 +114,9 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT goto FROM alias WHERE address='%s' AND active='1';
+query = SELECT goto FROM alias
+  WHERE address='%s'
+    AND active='1';
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_domains_maps.cf
@@ -75,7 +124,12 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query          = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1' UNION SELECT domain FROM domain WHERE domain='%s' AND active = '1' AND backupmx = '0'
+query = SELECT alias_domain from alias_domain WHERE alias_domain='%s' AND active='1'
+  UNION
+  SELECT domain FROM domain
+    WHERE domain='%s'
+      AND active = '1'
+      AND backupmx = '0'
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf
@@ -99,7 +153,39 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT goto FROM alias WHERE address='%s' AND active='1' AND (domain IN (SELECT domain FROM domain WHERE domain='%d' AND active='1') OR domain in (SELECT target_domain FROM alias_domain WHERE alias_domain='%d' AND active='1')) UNION SELECT logged_in_as FROM sender_acl WHERE send_as='@%d' OR send_as='%s' OR send_as IN ( SELECT CONCAT ('@',target_domain) FROM alias_domain WHERE alias_domain = '%d') OR send_as IN ( SELECT CONCAT ('%u','@',target_domain) FROM alias_domain WHERE alias_domain = '%d' ) AND logged_in_as NOT IN (SELECT goto FROM alias WHERE address='%s') UNION SELECT username FROM mailbox,alias_domain WHERE alias_domain.alias_domain = '%d' AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain) AND mailbox.active ='1' AND alias_domain.active='1'
+# First select queries domain and alias_domain to determine if domains are active.
+query = SELECT goto FROM alias
+  WHERE address='%s'
+    AND active='1'
+    AND (domain IN
+      (SELECT domain FROM domain
+        WHERE domain='%d'
+          AND active='1')
+      OR domain in (
+        SELECT alias_domain FROM alias_domain
+          WHERE alias_domain='%d'
+            AND active='1'
+      )
+    )
+  UNION
+  SELECT logged_in_as FROM sender_acl
+    WHERE send_as='@%d'
+      OR send_as='%s'
+      OR send_as IN (
+        SELECT CONCAT('@',target_domain) FROM alias_domain
+          WHERE alias_domain = '%d')
+      OR send_as IN (
+        SELECT CONCAT('%u','@',target_domain) FROM alias_domain
+          WHERE alias_domain = '%d')
+      AND logged_in_as NOT IN (
+        SELECT goto FROM alias
+          WHERE address='%s')
+  UNION
+  SELECT username FROM mailbox, alias_domain
+    WHERE alias_domain.alias_domain = '%d'
+      AND mailbox.username = CONCAT('%u','@',alias_domain.target_domain)
+      AND mailbox.active ='1'
+      AND alias_domain.active='1'
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_spamalias_maps.cf
@@ -107,7 +193,9 @@ user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT goto FROM spamalias WHERE address='%s' AND validity >= UNIX_TIMESTAMP()
+query = SELECT goto FROM spamalias
+  WHERE address='%s'
+    AND validity >= UNIX_TIMESTAMP()
 EOF
 
 # Reset GPG key permissions
@@ -124,9 +212,9 @@ postfix set-permissions
 postconf -c /opt/postfix/conf
 
 if [[ $? != 0 ]]; then
-	echo "Postfix configuration error, refusing to start."
-	exit 1
+  echo "Postfix configuration error, refusing to start."
+  exit 1
 else
-	postfix -c /opt/postfix/conf start
-	sleep 126144000
+  postfix -c /opt/postfix/conf start
+  sleep 126144000
 fi

From 7c46d6548b471e6f1cc16fda9b2aff808bf92152 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:23:20 +0200
Subject: [PATCH 64/84] [Dovecot] Ignore watchdog IP in logs, filter by
 syslog-ng

---
 data/Dockerfiles/dovecot/syslog-ng.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/data/Dockerfiles/dovecot/syslog-ng.conf b/data/Dockerfiles/dovecot/syslog-ng.conf
index 292efc7d..216111f2 100644
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -39,12 +39,13 @@ destination d_redis_cleanup {
   );
 };
 filter f_mail { facility(mail); };
+filter f_not_watchdog { not message("172\.22\.1\.248"); };
 log {
   source(s_src);
+  filter(f_not_watchdog);
   destination(d_stdout);
   filter(f_mail);
   destination(d_redis_ui_log);
   destination(d_redis_f2b_channel);
   destination(d_redis_cleanup);
-
 };

From c5054ae7eddec34ceb42863c2653504dd1ee6359 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Wed, 11 Oct 2017 11:23:51 +0200
Subject: [PATCH 65/84] [Watchdog] Ignore null name in jq [Nginx] Merge sites
 [Scripts] Nextcloud helper script (testing!)

---
 data/Dockerfiles/watchdog/watchdog.sh |   6 +-
 data/conf/nginx/site.conf             | 171 +-------------------------
 helper-scripts/nextcloud.sh           | 112 +++++++++++++++++
 3 files changed, 120 insertions(+), 169 deletions(-)
 create mode 100755 helper-scripts/nextcloud.sh

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 51528136..03b2b4fb 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -65,7 +65,7 @@ get_container_ip() {
   LOOP_C=1
   until [[ ${CONTAINER_IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] || [[ ${LOOP_C} -gt 5 ]]; do
     sleep 1
-    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${1}\")) | .id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${1}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
     	CONTAINER_IP=$(curl --silent http://dockerapi:8080/containers/${CONTAINER_ID}/json | jq -r '.NetworkSettings.Networks[].IPAddress')
 	fi
@@ -142,7 +142,7 @@ postfix_checks() {
   # Reduce error count by 2 after restarting an unhealthy container
   trap "[ ${err_count} -gt 1 ] && err_count=$(( ${err_count} - 2 ))" USR1
   while [ ${err_count} -lt ${THRESHOLD} ]; do
-  host_ip=$(get_container_ip postfix-mailcow)
+	host_ip=$(get_container_ip postfix-mailcow)
     err_c_cur=${err_count}
     /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -f watchdog -C "RCPT TO:null@localhost" -C DATA -C . -R 250 1>&2; err_count=$(( ${err_count} + $? ))
     /usr/lib/nagios/plugins/check_smtp -4 -H ${host_ip} -p 589 -S 1>&2; err_count=$(( ${err_count} + $? ))
@@ -368,7 +368,7 @@ while true; do
   if [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
     kill -STOP ${BACKGROUND_TASKS[*]}
     sleep 3
-    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | contains(\"${com_pipe_answer}\")) | .id")
+    CONTAINER_ID=$(curl --silent http://dockerapi:8080/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
       log_to_redis "Sending restart command to ${CONTAINER_ID}..."
       echo "Sending restart command to ${CONTAINER_ID}..."
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 71424174..58e4e7f8 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -1,9 +1,6 @@
 server_tokens off;
-
-# includes to http {
 proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
 server_names_hash_bucket_size 64;
-# }
 
 map $http_x_forwarded_proto $client_req_scheme {
      default $scheme;
@@ -11,7 +8,6 @@ map $http_x_forwarded_proto $client_req_scheme {
 }
 
 server {
-  include /etc/nginx/conf.d/listen_ssl.active;
   include /etc/nginx/mime.types;
   charset utf-8;
   override_charset on;
@@ -25,6 +21,7 @@ server {
   ssl_session_cache shared:SSL:50m;
   ssl_session_timeout 1d;
   ssl_session_tickets off;
+
   add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
@@ -33,7 +30,11 @@ server {
   add_header X-Permitted-Cross-Domain-Policies none;
 
   index index.php index.html;
+
+  include /etc/nginx/conf.d/listen_plain.active;
+  include /etc/nginx/conf.d/listen_ssl.active;
   include /etc/nginx/conf.d/server_name.active;
+
   error_log  /var/log/nginx/error.log;
   access_log /var/log/nginx/access.log;
   absolute_redirect off;
@@ -184,165 +185,3 @@ server {
 
   include /etc/nginx/conf.d/site.*.custom;
 }
-server {
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/mime.types;
-  charset utf-8;
-  override_charset on;
-  index index.php index.html;
-  include /etc/nginx/conf.d/server_name.active;
-  error_log  /var/log/nginx/error.log;
-  access_log /var/log/nginx/access.log;
-  absolute_redirect off;
-  root /web;
-  add_header X-Content-Type-Options nosniff;
-  add_header X-XSS-Protection "1; mode=block";
-  add_header X-Robots-Tag none;
-  add_header X-Download-Options noopen;
-  add_header X-Permitted-Cross-Domain-Policies none;
-
-  location ~ ^/api/v1/(.*)$ {
-    try_files $uri $uri/ /json_api.php?query=$1;
-  }
-
-  location ^~ /.well-known/acme-challenge/ {
-    allow all;
-    default_type "text/plain";
-  }
-
-  # If behind reverse proxy, forwards the correct IP
-  set_real_ip_from 172.22.1.1;
-  real_ip_header X-Forwarded-For;
-  real_ip_recursive on;
-
-  rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
-  rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
-
-  location ^~ /principals {
-    return 301 /SOGo/dav;
-  }
-
-  location ~ \.php$ {
-    try_files $uri =404;
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
-    fastcgi_index index.php;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    fastcgi_param PATH_INFO $fastcgi_path_info;
-    fastcgi_param PHP_VALUE "max_execution_time = 1200
-                             max_input_time = 1200
-                             memory_limit = 64M";
-    fastcgi_read_timeout 1200;
-  }
-
-  location /rspamd/ {
-    proxy_pass       http://172.22.1.253:11334/;
-    proxy_set_header Host      $http_host;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_redirect off;
-  }
-
-  location ~* ^/Autodiscover/Autodiscover.xml {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    try_files /autodiscover.php =404;
-  }
-
-  location ~* ^/Autodiscover/Autodiscover.json {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    try_files /autodiscover-json.php =404;
-  }
-
-  location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
-    fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
-    include /etc/nginx/fastcgi_params;
-    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-    try_files /autoconfig.php =404;
-  }
-
-  location ^~ /Microsoft-Server-ActiveSync {
-    proxy_pass http://172.22.1.252:20000/SOGo/Microsoft-Server-ActiveSync;
-    proxy_connect_timeout 1000;
-    proxy_next_upstream timeout error;
-    proxy_send_timeout 1000;
-    proxy_read_timeout 1000;
-    proxy_buffer_size 8k;
-    proxy_buffers 4 32k;
-    proxy_temp_file_write_size 64k;
-    proxy_busy_buffers_size 64k;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $http_host;
-    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
-    proxy_set_header x-webobjects-remote-host $remote_addr;
-    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
-    proxy_set_header x-webobjects-server-port $server_port;
-    client_body_buffer_size 128k;
-    client_max_body_size 0;
-  }
-
-  location ^~ /SOGo {
-    proxy_pass http://172.22.1.252:20000;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host $http_host;
-    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
-    proxy_set_header x-webobjects-remote-host $remote_addr;
-    proxy_set_header x-webobjects-server-name $server_name;
-    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
-    proxy_set_header x-webobjects-server-port $server_port;
-    client_body_buffer_size 128k;
-    client_max_body_size 0;
-    break;
-  }
-
-  location /SOGo.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
-    proxy_set_header Host $http_host;
-    proxy_cache sogo;
-    proxy_cache_valid 200 1d;
-    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
-    allow all;
-  }
-
-  location /.woa/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
-    proxy_set_header Host $http_host;
-    proxy_cache sogo;
-    proxy_cache_valid 200 1d;
-    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
-    allow all;
-  }
-
-  location /SOGo/WebServerResources/ {
-    proxy_pass http://172.22.1.252:9192/WebServerResources/;
-    proxy_set_header Host $http_host;
-    proxy_cache sogo;
-    proxy_cache_valid 200 1d;
-    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
-    allow all;
-  }
-
-  location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$ {
-    proxy_pass http://172.22.1.252:9192/$1.SOGo/Resources/$2;
-    proxy_set_header Host $http_host;
-    proxy_cache sogo;
-    proxy_cache_valid 200 1d;
-    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
-    #alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
-  }
-
-  include /etc/nginx/conf.d/site.*.custom;
-}
diff --git a/helper-scripts/nextcloud.sh b/helper-scripts/nextcloud.sh
new file mode 100755
index 00000000..b3c23e23
--- /dev/null
+++ b/helper-scripts/nextcloud.sh
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+[[ -z ${1} ]] && { echo "No parameters given"; exit 1; }
+
+while [ "$1" != '' ]; do
+  case "${1}" in
+    -p|--purge) NC_PURGE=y && shift;;
+    -i|--install) NC_INSTALL=y && shift;;
+    *) echo "Unknown parameter: ${1}" && shift;;
+  esac
+done
+
+[[ ${NC_PURGE} == "y" ]] && [[ ${NC_INSTALL} == "y" ]] && { echo "Cannot use -p and -i at the same time"; }
+
+source ./mailcow.conf
+
+if [[ ${NC_PURGE} == "y" ]]; then
+
+	docker exec -it $(docker ps -f name=mysql-mailcow -q) mysql -uroot -p${DBROOT} -e \
+	  "$(docker exec -it $(docker ps -f name=mysql-mailcow -q) mysql -uroot -p${DBROOT} -e "SELECT GROUP_CONCAT('DROP TABLE ', TABLE_SCHEMA, '.', TABLE_NAME SEPARATOR ';') FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE 'nc_%' AND TABLE_SCHEMA = '${DBNAME}';" -BN)"
+	docker exec -it $(docker ps -f name=redis-mailcow -q) /bin/sh -c 'redis-cli KEYS "*nextcloud*" | xargs redis-cli DEL'
+	if [ -d ./data/web/nextcloud/config ]; then
+	  mv ./data/web/nextcloud/config/ ./data/conf/nextcloud-config-folder-$(date +%s).bak
+	fi
+	[[ -d ./data/web/nextcloud ]] && rm -rf ./data/web/nextcloud
+
+	[[ -f ./data/conf/nginx/site.nextcloud.custom ]] && mv ./data/conf/nginx/site.nextcloud.custom ./data/conf/nginx/site.nextcloud.custom-$(date +%s).bak
+	[[ -f ./data/conf/nginx/nextcloud.conf ]] && mv ./data/conf/nginx/nextcloud.conf ./data/conf/nginx/nextcloud.conf-$(date +%s).bak
+
+	docker-compose restart nginx-mailcow
+
+elif [[ ${NC_INSTALL} == "y" ]]; then
+
+	NC_TYPE=
+	while [[ ! ${NC_TYPE} =~ ^subfolder$|^subdomain$ ]]; do
+		read -p "Configure as subdomain or subfolder? [subdomain/subfolder] " NC_TYPE
+	done
+
+
+	if [[ ${NC_TYPE} == "subdomain" ]]; then
+		NC_SUBD=
+	    while [[ -z ${NC_SUBD} ]]; do
+    	    read -p "Which subdomain? [format: nextcloud.domain.tld] " NC_SUBD
+    	done
+		if ! ping -q -c2 ${NC_SUBD} > /dev/null 2>&1 ; then
+			read -p "Cannot ping subdomain, continue anyway? [y|N] " NC_CONT_FAIL
+			[[ ! ${NC_CONT_FAIL,,} =~ ^(yes|y)$ ]] && { echo "Ok, exiting..."; exit 1; }
+		fi
+	fi
+
+	ADMIN_NC_PASS=$(</dev/urandom tr -dc A-Za-z0-9 | head -c 28)
+	NEXTCLOUD_VERSION=$(curl -s https://www.servercow.de/nextcloud/latest.php)
+
+	[[ -z ${NEXTCLOUD_VERSION} ]] && { echo "Error, cannot determine nextcloud version, exiting..."; exit 1; }
+
+	curl -L# -o nextcloud.tar.bz2 "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2" \
+	  && curl -L# -o nextcloud.tar.bz2.asc "https://download.nextcloud.com/server/releases/nextcloud-${NEXTCLOUD_VERSION}.tar.bz2.asc" \
+	  && export GNUPGHOME="$(mktemp -d)" \
+	  && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 28806A878AE423A28372792ED75899B9A724937A \
+	  && gpg --batch --verify nextcloud.tar.bz2.asc nextcloud.tar.bz2 \
+	  && rm -r "$GNUPGHOME" nextcloud.tar.bz2.asc \
+	  && tar -xjf nextcloud.tar.bz2 -C ./data/web/ \
+	  && rm nextcloud.tar.bz2 \
+	  && rm -rf ./data/web/nextcloud/updater \
+	  && mkdir -p ./data/web/nextcloud/data \
+	  && mkdir -p ./data/web/nextcloud/custom_apps \
+	  && chmod +x ./data/web/nextcloud/occ
+
+	docker exec -it $(docker ps -f name=php-fpm-mailcow -q) /bin/bash -c "chown -R www-data:www-data /web/nextcloud/data /web/nextcloud/config /web/nextcloud/apps /web/nextcloud/custom_apps"
+	docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) /web/nextcloud/occ maintenance:install \
+	  --database mysql \
+	  --database-host mysql \
+	  --database-name ${DBNAME} \
+	  --database-user ${DBUSER} \
+	  --database-pass ${DBPASS} \
+	  --database-table-prefix nc_ \
+	  --admin-user admin \
+	  --admin-pass ${ADMIN_NC_PASS} \
+      --data-dir /web/nextcloud/data
+
+	docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) bash -c "/web/nextcloud/occ config:system:set redis host --value=redis --type=string; \
+	  /web/nextcloud/occ config:system:set redis port --value=6379 --type=integer; \
+	  /web/nextcloud/occ config:system:set memcache.locking --value='\OC\Memcache\Redis' --type=string; \
+	  /web/nextcloud/occ config:system:set memcache.local --value='\OC\Memcache\Redis' --type=string; \
+	  /web/nextcloud/occ config:system:set trusted_proxies 0 --value=fd4d:6169:6c63:6f77::1; \
+	  /web/nextcloud/occ config:system:set trusted_proxies 1 --value=172.22.1.0/24; \
+	  /web/nextcloud/occ config:system:set overwritewebroot --value=/nextcloud; \
+	  /web/nextcloud/occ config:system:set overwritehost --value=${MAILCOW_HOSTNAME}; \
+	  /web/nextcloud/occ config:system:set mail_smtpmode --value=smtp; \
+	  /web/nextcloud/occ config:system:set mail_smtpauthtype --value=LOGIN; \
+	  /web/nextcloud/occ config:system:set mail_from_address --value=nextcloud; \
+	  /web/nextcloud/occ config:system:set mail_domain --value=${MAILCOW_HOSTNAME}; \
+	  /web/nextcloud/occ config:system:set mail_smtphost --value=postfix; \
+	  /web/nextcloud/occ config:system:set mail_smtpport --value=588
+	  /web/nextcloud/occ app:enable user_external
+	  /web/nextcloud/occ config:system:set user_backends 0 arguments 0 --value={dovecot:143/imap/tls/novalidate-cert}
+	  /web/nextcloud/occ config:system:set user_backends 0 class --value=OC_User_IMAP"
+
+	if [[ ${NC_TYPE} == "subdomain" ]]; then
+		docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) /web/nextcloud/occ config:system:set overwritewebroot --value=/
+		docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) /web/nextcloud/occ config:system:set overwritehost --value=nextcloud.develcow.de
+		cp ./data/assets/nextcloud/nextcloud.conf ./data/conf/nginx/
+		sed sed -i 's/NC_SUBD/${NC_SUBD}/g' ./data/assets/nextcloud/nextcloud.conf
+	elif [[ ${NC_TYPE} == "subfolder" ]]; then
+		cp ./data/assets/nextcloud/site.nextcloud.custom ./data/conf/nginx/
+	fi
+
+	docker-compose restart nginx-mailcow
+
+	echo "Login as admin with password: ${ADMIN_NC_PASS}"
+
+fi

From 27772cfcbcae834f6529ed7c0740eb4c4dd7e946 Mon Sep 17 00:00:00 2001
From: root <root@barn1.mailcow.email>
Date: Thu, 12 Oct 2017 08:36:47 +0200
Subject: [PATCH 66/84] Add gitignore for bak files in nginx conf dir

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index cf504b4b..0d081fc4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,5 +19,6 @@ data/conf/rspamd/override.d/*
 !data/conf/nginx/site.conf
 data/conf/nginx/*.conf
 data/conf/nginx/*.custom
+data/conf/nginx/*.bak
 data/conf/dovecot/extra.conf
 data/conf/rspamd/custom/*

From a3e966696f6bcc8b871a76ed7811cc465171627d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Thu, 12 Oct 2017 08:37:48 +0200
Subject: [PATCH 67/84] [Nginx] Revert to site splitting

---
 data/conf/nginx/site.conf | 169 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 168 insertions(+), 1 deletion(-)

diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 58e4e7f8..89572eff 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -7,6 +7,174 @@ map $http_x_forwarded_proto $client_req_scheme {
      https https;
 }
 
+server {
+  include /etc/nginx/mime.types;
+  charset utf-8;
+  override_charset on;
+
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag none;
+  add_header X-Download-Options noopen;
+  add_header X-Permitted-Cross-Domain-Policies none;
+
+  index index.php index.html;
+
+  include /etc/nginx/conf.d/listen_plain.active;
+  include /etc/nginx/conf.d/server_name.active;
+
+  error_log  /var/log/nginx/error.log;
+  access_log /var/log/nginx/access.log;
+  absolute_redirect off;
+  root /web;
+
+  location ~ ^/api/v1/(.*)$ {
+    try_files $uri $uri/ /json_api.php?query=$1;
+  }
+
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    default_type "text/plain";
+  }
+
+  # If behind reverse proxy, forwards the correct IP
+  set_real_ip_from 172.22.1.1;
+  real_ip_header X-Forwarded-For;
+  real_ip_recursive on;
+
+  rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
+  rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
+
+  location ^~ /principals {
+        return 301 /SOGo/dav;
+  }
+
+  location ~ \.php$ {
+    try_files $uri =404;
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    fastcgi_index index.php;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    fastcgi_param PHP_VALUE "max_execution_time = 1200
+                             max_input_time = 1200
+                             memory_limit = 64M";
+    fastcgi_read_timeout 1200;
+  }
+
+  location /rspamd/ {
+    proxy_pass       http://172.22.1.253:11334/;
+    proxy_set_header Host      $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_redirect off;
+  }
+
+  location ~* ^/Autodiscover/Autodiscover.xml {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    try_files /autodiscover.php =404;
+  }
+
+  location ~* ^/Autodiscover/Autodiscover.json {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    try_files /autodiscover-json.php =404;
+  }
+
+  location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
+    fastcgi_split_path_info ^(.+\.php)(/.+)$;
+    fastcgi_pass phpfpm:9000;
+    include /etc/nginx/fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    try_files /autoconfig.php =404;
+  }
+
+  location ^~ /Microsoft-Server-ActiveSync {
+    proxy_pass http://172.22.1.252:20000/SOGo/Microsoft-Server-ActiveSync;
+    proxy_connect_timeout 1000;
+    proxy_next_upstream timeout error;
+    proxy_send_timeout 1000;
+    proxy_read_timeout 1000;
+    proxy_buffer_size 8k;
+    proxy_buffers 4 32k;
+    proxy_temp_file_write_size 64k;
+    proxy_busy_buffers_size 64k;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+    proxy_set_header x-webobjects-remote-host $remote_addr;
+    proxy_set_header x-webobjects-server-name $server_name;
+    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
+    proxy_set_header x-webobjects-server-port $server_port;
+    client_body_buffer_size 128k;
+    client_max_body_size 0;
+  }
+
+  location ^~ /SOGo {
+    proxy_pass http://172.22.1.252:20000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $http_host;
+    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
+    proxy_set_header x-webobjects-remote-host $remote_addr;
+    proxy_set_header x-webobjects-server-name $server_name;
+    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
+    proxy_set_header x-webobjects-server-port $server_port;
+    client_body_buffer_size 128k;
+    client_max_body_size 0;
+    break;
+  }
+
+  location /SOGo.woa/WebServerResources/ {
+    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_set_header Host $http_host;
+    proxy_cache sogo;
+    proxy_cache_valid 200 1d;
+    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+    allow all;
+  }
+
+  location /.woa/WebServerResources/ {
+    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_set_header Host $http_host;
+    proxy_cache sogo;
+    proxy_cache_valid 200 1d;
+    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+    allow all;
+  }
+
+  location /SOGo/WebServerResources/ {
+    proxy_pass http://172.22.1.252:9192/WebServerResources/;
+    proxy_set_header Host $http_host;
+    proxy_cache sogo;
+    proxy_cache_valid 200 1d;
+    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+    #alias /usr/lib/GNUstep/SOGo/WebServerResources/;
+    allow all;
+  }
+
+  location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$ {
+    proxy_pass http://172.22.1.252:9192/$1.SOGo/Resources/$2;
+    proxy_set_header Host $http_host;
+    proxy_cache sogo;
+    proxy_cache_valid 200 1d;
+    proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+    #alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
+  }
+
+  include /etc/nginx/conf.d/site.*.custom;
+}
+
 server {
   include /etc/nginx/mime.types;
   charset utf-8;
@@ -31,7 +199,6 @@ server {
 
   index index.php index.html;
 
-  include /etc/nginx/conf.d/listen_plain.active;
   include /etc/nginx/conf.d/listen_ssl.active;
   include /etc/nginx/conf.d/server_name.active;
 

From 33b0167bcc82299f21b165d4a33ab1aae532d31c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 14 Oct 2017 08:34:55 +0200
Subject: [PATCH 68/84] [Web] Accept empty values for sync jobs, fixes #663

---
 data/web/inc/functions.mailbox.inc.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 1e86b3ee..9deb6ef0 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1291,10 +1291,10 @@ function mailbox($_action, $_type, $_data = null) {
               $port1 = (!empty($_data['port1'])) ? $_data['port1'] : $is_now['port1'];
               $password1 = (!empty($_data['password1'])) ? $_data['password1'] : $is_now['password1'];
               $host1 = (!empty($_data['host1'])) ? $_data['host1'] : $is_now['host1'];
-              $subfolder2 = (!empty($_data['subfolder2'])) ? $_data['subfolder2'] : $is_now['subfolder2'];
+              $subfolder2 = (!empty($_data['subfolder2'])) ? $_data['subfolder2'] : '';
               $enc1 = (!empty($_data['enc1'])) ? $_data['enc1'] : $is_now['enc1'];
               $mins_interval = (!empty($_data['mins_interval'])) ? $_data['mins_interval'] : $is_now['mins_interval'];
-              $exclude = (!empty($_data['exclude'])) ? $_data['exclude'] : $is_now['exclude'];
+              $exclude = (!empty($_data['exclude'])) ? $_data['exclude'] : '';
               $maxage = (!empty($_data['maxage'])) ? $_data['maxage'] : $is_now['maxage'];
             }
             else {

From 331cedd12f0a8a694e7131147da7befa9b36ffac Mon Sep 17 00:00:00 2001
From: Michael Kuron <m.kuron@gmx.de>
Date: Sat, 14 Oct 2017 13:18:44 +0200
Subject: [PATCH 69/84] Update rspamd

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 157c0da8..870e8288 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -72,7 +72,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: mailcow/rspamd:1.9
+      image: mailcow/rspamd:1.10
       build: ./data/Dockerfiles/rspamd
       command: "/usr/bin/rspamd -f -u _rspamd -g _rspamd"
       depends_on:

From a4ccd780c6be369d5336b77d7d98bfee74e7cbd9 Mon Sep 17 00:00:00 2001
From: Michael Kuron <m.kuron@gmx.de>
Date: Sat, 14 Oct 2017 16:40:44 +0200
Subject: [PATCH 70/84] rspamd: disable greylisting for forwarding hosts

---
 data/conf/rspamd/dynmaps/forwardinghosts.php | 31 +++++++++++++-------
 data/conf/rspamd/local.d/greylist.conf       |  1 +
 2 files changed, 22 insertions(+), 10 deletions(-)
 create mode 100644 data/conf/rspamd/local.d/greylist.conf

diff --git a/data/conf/rspamd/dynmaps/forwardinghosts.php b/data/conf/rspamd/dynmaps/forwardinghosts.php
index cbc82ee7..522a21f9 100644
--- a/data/conf/rspamd/dynmaps/forwardinghosts.php
+++ b/data/conf/rspamd/dynmaps/forwardinghosts.php
@@ -28,17 +28,28 @@ function in_net($addr, $net) {
   return substr($addr_bin, 0, $mask) == substr($net_bin, 0, $mask);
 }
 
-try {
-  foreach ($redis->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
-    if (in_net($_GET['host'], $host)) {
-      echo '200 PERMIT';
-      exit;
+if (isset($_GET['host'])) {
+  try {
+    foreach ($redis->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
+      if (in_net($_GET['host'], $host)) {
+        echo '200 PERMIT';
+        exit;
+      }
+    }
+    echo '200 DUNNO';
+  }
+  catch (RedisException $e) {
+    echo '200 DUNNO';
+    exit;
+  }
+} else {
+  try {
+    foreach ($redis->hGetAll('WHITELISTED_FWD_HOST') as $host => $source) {
+      echo $host . "\n";
     }
   }
-  echo '200 DUNNO';
-}
-catch (RedisException $e) {
-  echo '200 DUNNO';
-  exit;
+  catch (RedisException $e) {
+    exit;
+  }
 }
 ?>
diff --git a/data/conf/rspamd/local.d/greylist.conf b/data/conf/rspamd/local.d/greylist.conf
new file mode 100644
index 00000000..9acf6f28
--- /dev/null
+++ b/data/conf/rspamd/local.d/greylist.conf
@@ -0,0 +1 @@
+whitelisted_ip = "http://172.22.1.251:8081/forwardinghosts.php";

From c5dd30b058961dac520d71d07e5b6eed924a900c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 14 Oct 2017 23:25:29 +0200
Subject: [PATCH 71/84] [ClamAV] Use tini, check if background procs are
 running, use pipe to output to stdout

---
 data/Dockerfiles/clamd/Dockerfile   |  6 +++--
 data/Dockerfiles/clamd/bootstrap.sh | 36 ++++++++++++++++++++++-------
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/data/Dockerfiles/clamd/Dockerfile b/data/Dockerfiles/clamd/Dockerfile
index aa50b807..ec56bf1d 100644
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@@ -7,7 +7,7 @@ COPY dl_files.sh bootstrap.sh ./
 
 # Installation
 RUN apk add --update \
-	&& apk add --no-cache clamav clamav-libunrar curl bash \
+	&& apk add --no-cache clamav clamav-libunrar curl bash tini \
 	&& chmod +x /dl_files.sh \
 	&& set -ex; /bin/bash /dl_files.sh \
 	&& mkdir /run/clamav \
@@ -15,12 +15,14 @@ RUN apk add --update \
 	&& chmod 750 /run/clamav \
 	&& sed -i '/Foreground yes/s/^#//g' /etc/clamav/clamd.conf \
 	&& sed -i '/TCPSocket 3310/s/^#//g' /etc/clamav/clamd.conf \
+  && sed -i 's#LogFile /var/log/clamav/clamd.log#LogFile /tmp/logpipe_clamd#g' /etc/clamav/clamd.conf \
 	&& sed -i 's/#PhishingSignatures yes/PhishingSignatures no/g' /etc/clamav/clamd.conf \
 	&& sed -i 's/#PhishingScanURLs yes/PhishingScanURLs no/g' /etc/clamav/clamd.conf \
+  && sed -i 's#UpdateLogFile /var/log/clamav/freshclam.log#UpdateLogFile /tmp/logpipe_freshclam#g' /etc/clamav/freshclam.conf \
 	&& sed -i '/Foreground yes/s/^#//g' /etc/clamav/freshclam.conf
 
 # Port provision
 EXPOSE 3310
 
 # AV daemon bootstrapping
-CMD ["/bootstrap.sh"]
+CMD ["/sbin/tini", "-g", "--", "/bootstrap.sh"]
diff --git a/data/Dockerfiles/clamd/bootstrap.sh b/data/Dockerfiles/clamd/bootstrap.sh
index d815214b..ffe582c9 100755
--- a/data/Dockerfiles/clamd/bootstrap.sh
+++ b/data/Dockerfiles/clamd/bootstrap.sh
@@ -1,14 +1,34 @@
 #!/bin/bash
-touch /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
-chown -R clamav:clamav /var/log/clamav/
 
 if [[ "${SKIP_CLAMD}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-	echo "SKIP_CLAMD=y, skipping ClamAV..."
-	sleep 365d
-	exit 0
+  echo "SKIP_CLAMD=y, skipping ClamAV..."
+  sleep 365d
+  exit 0
 fi
 
-freshclam -d &
-clamd &
+# Create log pipes
+touch /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
+mkfifo -m 600 /tmp/logpipe_clamd
+mkfifo -m 600 /tmp/logpipe_freshclam
+chown -R clamav:clamav /var/log/clamav/ /tmp/logpipe_*
+cat <> /tmp/logpipe_clamd 1>&2 &
+cat <> /tmp/logpipe_freshclam 1>&2 &
 
-tail -f /var/log/clamav/clamd.log /var/log/clamav/freshclam.log
+# Prepare
+BACKGROUND_TASKS=()
+
+freshclam -d &
+BACKGROUND_TASKS+=($!)
+
+clamd &
+BACKGROUND_TASKS+=($!)
+
+while true; do
+  for bg_task in ${BACKGROUND_TASKS[*]}; do
+    if ! kill -0 ${bg_task} 1>&2; then
+      echo "Worker ${bg_task} died, stopping container waiting for respawn..."
+      kill -TERM 1
+    fi
+    sleep 10
+  done
+done

From ac413058c127fb47332eb8695034aca71d0105a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 14 Oct 2017 23:26:08 +0200
Subject: [PATCH 72/84] [Watchdog] Fix kill -0 check, use tini and send kill
 request to tini instead of parent pid, sleep longer

---
 data/Dockerfiles/watchdog/Dockerfile  |   3 ++-
 data/Dockerfiles/watchdog/tini        | Bin 0 -> 19968 bytes
 data/Dockerfiles/watchdog/watchdog.sh |   7 +++----
 3 files changed, 5 insertions(+), 5 deletions(-)
 create mode 100755 data/Dockerfiles/watchdog/tini

diff --git a/data/Dockerfiles/watchdog/Dockerfile b/data/Dockerfiles/watchdog/Dockerfile
index 457169de..9eb88335 100644
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@@ -1,5 +1,4 @@
 FROM alpine:3.6
-
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
 
 # Installation
@@ -23,10 +22,12 @@ RUN apk add --update \
 	perl-socket6 \
 	perl-mime-lite \
 	perl-term-readkey \
+  tini \
 	&& curl https://raw.githubusercontent.com/mludvig/smtp-cli/v3.8/smtp-cli -o /smtp-cli \
 	&& chmod +x smtp-cli
 
 COPY watchdog.sh /watchdog.sh
 
+ENTRYPOINT ["/sbin/tini", "-g", "--"]
 # Less verbose
 CMD /watchdog.sh 2> /dev/null
diff --git a/data/Dockerfiles/watchdog/tini b/data/Dockerfiles/watchdog/tini
new file mode 100755
index 0000000000000000000000000000000000000000..6556c966f4221a108f2e6d57fd0b16c4e8ac465c
GIT binary patch
literal 19968
zcmeHve|S{Yng2~lAS7WD6l{uEjv63n5)vddqS2Wo6J|6dF`1y2VltVTB%_m=ICCe6
zWi@tybvneRYHhpQZPV7r+SX@Ft!-g!OB5Ar?YF4aFVt>DQF{mcfkKh3)!EN`eoQU{
z+1+RNdA`s04-d?o`~H5<d){;Ix#!%;?e^A|+?*Uum0ax#jYDT!IZAwM+GLC3&@`)7
zug%8ydD=p4CeZo#C_byaQuRrxTGa(o%?#9e_|)eLM18K6U#NPaK*NG4%0sHj-c+&5
zOHprMB|uec8si9(BVS9e;2`Q=exd3w%o6ygWv%4MJ(8=Caurfe)%&Dls#fizw$aBW
z+vm!)0wUN-mDbF^r)uJ*((#7wrR&xe97Jv97plHjpfy!1xoaRte*Sk$sbuVw_NI%=
zQQ1CKOHf-L@b|4+xjf*l3iyN3TdHoUUsbhgWpyM}y@I!!^b_xzwr*}o#gPFbpXcF2
zIY9LF3zzJ?X8pX;<IM;1H#pB5{@00H56lJae0+$PVp=+0%GTy=pII@ZjF6*Rg~ke4
z-fUJ|Fzc-5Tt>X*_$<X|89tTx)Zjzq5_~8v>Ip!(OjM_QUk>P-JLjkNf3*GDr6pT0
zJp97D7RL*9V>jLYPn%af@xfWU#@@3${OENruKHe8?7+>}Eqwas_|p$veP}Xy=<dx=
zzVPMm-#EMJC0G9JwU<uZdc4v8;#<$&`LhF;zMoiFJnyw{y?TH1_m)(wEcxT_4t?vA
zzL(#gv-)dA73XbV_-<K`>V{K%A>ar2oOK#j#N<r)1qk+;@ZM?kTnc`62K~REhM!`0
zCjGBYga67j_z$MRUp)=}x@qvUr)lr6rfFC6G<vG0!FNuBzj7LU(KPr2)8NmV#{aKP
z!~ctE@O2ni47BVL1>#Ko_1HA{?@WV#dK&!ZY4Cm1`18&*{4~Fx$<MFz_*k?Z=Uc&n
zF)ZiNJk)1t7EB-l&%j4zoy3opSvkB};+JtfCEC491)dY}^)m2twNGnSTQ5glohK-H
zoZq5N%(ZgF=cS(cfaYoov<L0I9530mw>f{2Hc?{bc=bhc<mc!@f$x@jz98{OKO^u-
z*)F<2mO_6*>Q{P}Oa2<E$1Vxa0zVfL6S7^(pJP(b{wzK7WPFZZDC{n$$roh@=l`^(
z$v6ls<{8PaEwFM_nIvqMcs5_)zYTdR)V@;0Gu!_$;3*DF>X`v~Dm(C@cuq<`)qQi3
z<R6#qlI)sO+C6xlmBh6|X*YzL`f;VLm*Z6&4k^1*kB?I|?dKA&$@R@e68|vp40^KT
z@Fmd6&xtHQmrH*p&#`h1KY=_ixG#F>Hn>WQ=;4TeAm|Qgp<&%0^lJT~@J$*}!{Lx;
z$Q|L={r*58;?uPOpFZsOYBvESK|K`EJnlds<k5!19vwLUfNyA6-$cAUJ-%=_80rDl
zt@}ek5{3!j`-j8+px)o(8H94(8;a^$|8P|IXu1c2!vo=Ajn}XQ8DDUOxS)*Gdwtvy
z-z`4R$gtMGG3?iUgm-(mjg4+U_YfG}KjiZgOrAnI6ozSPcTYrjhxMKzw?C-$xg)-y
zd&tLIMuz*tKA+<AM4~<Y{-9qQc84Rr9&)6|=~~+ZUwi}pi0%u!);0w~L7&Ur7l4${
z>(<?xqV+_gePN$_*caAXolW+(E_+YF7t}nVV84GL8us<TM}$2hwY$Ru5slpKaR<FU
z=!A{#uvhZHAyO?I2QV-c3d&aWz@>Ivd;P(lXvF7Lw#;on6A*SE`nIR1FA|Yz!oG+e
zGPyy%_S_m8>ht^H6ZH_H<?#h0i0`m_V^Hh4YNV%AHoPg|jzqvG8i=0sd2W(I(TIBh
z!Jt5?P@EDbe<T!e>psZ%172-StFy7GXGQfT)hjdCE2`^|q`C6n)YbGD8h?sPQwCk<
znEss#nJGDE;G{JnNzhy&ivDT;Y+4C^35Ez4T|jWIb{`o=IeBF-uV>;Lvwo(i@t6<H
z<r%D&nV$(yYe7}iJVSVjfhuLzUVcf-el>&%!AyAR3g@dZ;VB-f)R^#U4kB8;2~TZM
z#cIN59yvgCnDA;&B$*Bq9s$af>rD8<3|7;6O?X<Hs4{567b_&{VH19i34e<TUt+?K
zn((SGiF~ICPiuHp#!Yzh{r>AF{Mm{b^@Ise&kCwMXu{JyS(P0o{5cAVdZ!8hDHDFu
zgvYF(DNmd53o=+u+h@X`Yr^k0;b|?S%0UzUJcUGUnDC2C_@gE~GvOVvw+bAI{IxYq
zb8MZ|^9@?KIATu}>=8`qx<-)Fi<|LXvdD@nf(MD1I+#XTyqaK2?bJRFuOOIGIyK4R
ziwK@U@D2`NKrp3nYJ$TH2&Q3^8t3p?1XC)fMmbzaFr{#6n8UdQQ|hLAIsCWffGK5D
z9UOk2U`o}LmBWV#rW8%paQHQXDK%4!!+#{0QZiM_;pYjq5Ug?d8G<P_Q%64rV)5ey
zQ%a@|ayUuwT!Qy;_+f%61yhq8{vpAXdZ`^8{w~3ka;XUp{}aKKYN>G!-%T*3SZb8R
zUm}=ND>cmFFA_}4rBpA6ZzY&gEY-o`Fu{~sDJzF>B$!evRm0)FYNqv%1LnnX$6I%z
zvm9fs<?|e4uJW?I&E-4}sOM3y8lOX~kr~AaARKo*LEL+4Cyg$I80c9$iRs9jj<H9|
zt&}=r_m&?-y=w{3j`#<TxL#i27}Lwyu^&0&|5u`2<uw4uwv<m2*VyKAt0UfA&WvB9
zU$#z0e`MIX_ULzwZ=&ZM3BA0GoGT_)W>EHQoh;cJM0Yq6o6F0LZ6Br6VB&PEQIFmt
zx*K$mfz``PjXv}dVXp=@wi%7oe-~@mj$q8#I2&y%O)Ub!2tbn~(eTC!ro|siK3rkd
zeoYNTgYQQ49Emx<1tm%0=J?%zSZ39X0Zyvh0n%>DJfj6#j{K0uOYPgv_;WWn;;%Vk
zuOIDjIrmP|%G0s;F~+OC^c-L;1^e;-l10s!PrhdF)w&&3<ER|5lNLw(jgfPALMI=d
zb2scJLi!+>w-8d>u!pSlS1b6}MDKRo@eWt;*vB)Vz!5*{c+9xck@J+}xsUbv8Er*M
zTgf8m5%xzL=Aso^bZ$2U4T|uFr}96pWm?WLZfQ5Wf*iY2i{>A>2XYx@?~y=y--gt!
zkeTwQ%aQnO?emWKhr4M?Fn;%8I!&GMRRE4eq@ecs-IV&q8yp`!AGlKBDE*D+B=2_s
ztcUSY)SB^IV9`NdxP%V6A5l~t^xogmf7?M$)Ej@rb&_3VMG8I!?p5GcY|nt?NYq^j
zl<2H)K!j)U`aS*Q#!W(h-s$?kLi#I({;!h$qv(6+Kk_Za!MH@oJ&V~X%dhK6?)cxh
zUmHlyA^b{t5UH-(6SZmM9H0@FJKv!e?t-S;bo?n}5*J%1<9qaw@iT}!;(HQW?Bu6Q
zw#-6G#!k-E`;1=^KGCr5bgPHR(aVgtP$mD3a*YR~3XC!kk5XP6zXTo8m=C;&Mgkh+
z`!n&beL2=Ja52+zM-Ceu!q{&xp`eM+m_k3owaoc3D9IYA6=P!p?KG|y2JQt(7`O;p
zj{J+tSL4Hf=Pe+5R@}~qr149T(VvTPo&1GpMrtMErsT=Ly%)j1l5H(O8xIL}i%<9Q
zdG7t3BJ!~!<Kr;-_<c^QJBrCb__z&PQYSE~$8Fs<moxrRcb7AM+!23~ZkNV`V5i=y
zK?L<+tYHo8=fwAnv>VmJ`uCv-jhSznJzU&G!x$*eL~%I}kS)GHxgYj1xzq^{f*B9;
zpeeoqB)S)`-(dT^O^kH#{syxJX5RTk5qYb~m_J(M?;3aVY>K|(Ok7^x8h`WA+o_|!
z2ZcuPB&E@llt#IFY3$@2o&-B@14Bvkej`NWL_>ja-#oUy3hBf@XvV*wCjY_pS{0fS
zpG@YOS{Vcx*|ZlV5y%E;jPFl<mgWRLzZpfs#{FQ)>hD_e@YxS|f7fwE4Yz>{iJN@i
zlxu~;h9_g=07Q5k_zjp_nVNsPyBzUjj`&Bs<K6|QZD+y7d^990l;e*0D+ueuJT~td
z&wwdeBY1c>3GzLX{3DQoA+H9(BnOkBbMk>C-Ka(O*FwFqR-(%@=p7I;R!KBHK?v^s
zgkB`kv<WECS|!j061_Tuwi5b1?#Y2<Z3aC`=s!yIc^R~mJlVt1e-_>HzzJ%^fg~*>
zgrNcA`L<}=u2BHVolwSUh|PV1z(E_2^{y`y&q?rryphPrMn_!eU%w&M3=4E;O3bfb
zN`3h6!VGPPrRu@1#&0a0Yg^}xpRjd1<1gA=xQYC(EB;|?VoAxCSK(apA(&~6pNPL=
zJP(brlj)Kzb7}T7u8f`h>_(O@f3kNux^pjhk;98{Q>k-a%pmd?BM0NxG(K!M;2xsI
z^1rbJqxHxG@_rJ_Uk3J^Blk%-G5<Euai2egK|STOu?5!m+PRf%ouh<>-Jd{$?8Y%Z
zr(w0i{?BN(NL|S1FnFH0tzcIn6#V*IXz8&BO191h1;fh&HmPM7Wo+_6&{coTgf}AP
zX$?zpj=yqoLp`}%09~=YISx<SICvbIwoW?Zc1^$3;hA3s`mz_CV=G^(eSYi9C3ii=
zmo3FFIpW3p9I?l9E`8zlqYlr@j=g#NsY$hysmH-#Tu*8e4eu{IZN%RGSCAKgj2SwH
zYj8aaE*cvZRa4$x$4PZR0ZF9aQiurm-7tV&nHsM&PIpuO8FwG!-s`hs`P(3wvzs!`
z*etR0lZE8s2}gXdQ2}-F{Kw0goG$l_Pw7kKUj^YVEGp;JzHGj)O^VK?foaTw0)C^t
z*=U9SSp7M;*OqLVB-(m1m}od&aa!x|poU*2Zlhaq4X*zKE^7S_Q|mv+Np(L3Nwj_$
zGzw2JU&k6|!|xd-+ipNd8t=T%)eHz@=GEssu4T?zP?A$4`$-B(ihEeMB4glbXyFet
zv@ZE)p>m~AX`0jJ{htfZnNNDV&|VRh>)^lf6`}WU7{9{tVbZ%3J!Xn8`imYJiXo~Q
z%fS#knWLA}io3XWa`$4w{s36IUnTMvUC8LpvoVbB_!K6LvOVKii5KVS#}fH7Km%9G
zIQ$-uK@4UQ$wO$N%KB2_s~?mk?Yj$KSuK2hgSWD-E#vDGq=hV~b>lrkZLv^mUcBsr
ztl<I~S^O)mr{PVS17Q82sUPnaCVmT&2#1?Q@~^&tX{kzdp18l+*3nFM0y7y_4PAJ;
z+D9R{53IE8{Y<W=?aeDM01iRR%R}uL`+RvGfPx}{ES`nBb<A5{4rJ*}ft;6*`d3n{
zjGpU3Tu3Wt)QnckM~a30#Kn%-p1k-wv<?`TRvm~{>!pXHhn$IXTI27Cm3Y%p;nJfJ
zCLd~QCwHAq*YQ`5Iq+=ug#rh3(-H^kBk(#C>-hZ6m+Pyf@LeE-P)ZX&U$dVl2wNT_
zF$MsGV%Or+hE5AS!yNl<P)zrrYnP!X&*h}LEg*?7|LtAy-th#*F?;51hLJ~!oM>>J
zZsb*%H#UQeetiSi$;Hr*UIq6OaI36Jaxd%7&KQhCgj<qU#p;XSKH%Tg!rto`wMY=t
zcrtDl&3%R_siXzQl!<GFi5;MbHZ36~XKK^9apWD|o-L>Ap9?L<Lm;C)^KqR#fw6)1
zq%P+7fGr3R;_)LPkF?14?>X-IoQps)1^o*6nc9XyE%K);$!xtEmQ1lHMji1tjR4f~
zyKVx?6D!MOAJ5fqiZ!?v(USWgA3*;n=D&`i8-L}4SGGQ1()^+E3?wj+yNnzXt;Yi>
zrqU<LwNl~Q4~YHL(5-@Ncv!g-RkF95x9Ug_U&+N9QlH_b4nYI0hTj^cXA`Vv-$tCo
z6H%W2X6$5<{;Kg~!X+9UryF<?reWaEsFJ0^02paLQhoGO?p$3lP@<2%NXlSNB%PW^
z68WElKN!nfLNsAF2#YUa63CjYJY3(LUxJcc4By3MRS(-ny)gA1kc6pEK@0A-i%8><
zw|E=8LZf+}nkzJ3MH)*p8i&z;#+%%Yy5$*-Pm&fmUpq<BYDVzy5qgVH*SibCcv3LV
z7i~FwKBKHk-T}obIQI$tzXwTp?1MIBLn@86&MEhAKJgvz;tTFlej7;A6tWvlOB=t3
z6q1P&;t?Qm7hv@KHtRgP1ODSCFe2?rac{%}jognw|1aeI|5H#eJraEgTQ$Y;$78SE
zUb2<m8HqLg2K1bfYmA4F@W5RRAK|_E*=s+{mi)Z6d=9$2806$m^nz;IqdYEk$C+x{
zm!OA?l>Gb&TRg8^JiBD}SB#56j@1_;^`ahf{wkQq?YoKEw_LdJAaub6^X<EvTbXkg
zD5k!<kNWN+;Xowgz-(wq9peilkY7H`o23h#=J_TEf@=Md&y_T^fs6WX+|<B7a;NGp
z$>{$9Y0QqZ5fOIY!obe*{Tp1toaaF?`Tl+KJt%bl0wj?aYqNBZ8|MnW_X@q{e714n
zhFghpAi2|&ZcByQ-i+E4DTL%><l6XHW6tF{w?$$N&o7{EzrlDEB=qY_q2Ju?ufj5I
z|Hb}tyI~hzSinW`F--AEa#Gzf3~SMbI5Z}(*@zsA9UisC=ar`}fobC!Vd*d!p~BP?
zVkH&kdglBV<YYOrTMT%HrxRn1FtH<JVhOdUl-gsv7AuB$nzk8Q#}@zj9EQ!iu_~&u
z<8T7cM6Ju-z(6i=JoeEHquoGTx4x}o)TrmD*7#vO9yLQldfuOK>(6mukQ_$$%1r~?
z4YnThdidBL8f4H14qW0)Dpy<IVsqJA8P1UXtYWc$*#@Rgaaq6HAMklsv&9i@eY3r>
zd(A0anNwdgADu#*VLI@IycxCL+1Ap|PEiGhip7y-g<4Z+Xb9)146l9p7#(bff|1pQ
zg&Jd3fz_;QFtiaQez?hq&3B7muP)T=!4ZEr6ddvebvEJ-`{`Jhi@BU_&YrIB#!kDf
z!``WJaGkxgvAxUbx?ZcQ8u8%}9Y@@YBZb;vWMm+qt#@_Wn(U`Ir_N4&UgnN4e*DR%
z&WP7vYwN_oJ0*Pn0eSGAY4*~^k)>0|;3l-6qt%(ci2(i<9)6~W7*3pV<jcC8Yg}l<
zG=%nUt<&f6`A6U=IGY@;%~}VJd;P%yCeEx^Gww%QNVWo+`9ZrGK_|n|gY$2%<l5-h
z2N_-;AZfU3N6evewWJOrCe#f$!qy;1XVYX*hKV1QGkP82)TV)#$`rqB8XH8n27KWx
z?kv9c?rHc=Psw12>G~#C5xR-uNOAW0yvu}j?BA&u7c%z1ABlPfnb$XhJey9giw@Q^
z0peOC5guHoq9uYQ4e{)d$;N7`Ygbj*vMM%!<gM}b_j@n-tmNyaGk6+rY<)Y93)<Vd
zHn5J)_BEZhwXCX&t+#cq0cJC<r7{c+Dt3&rsP1EKYT-cGJ;b6xyzRjBK_8lfR~bh9
zl;<qe50(*k!0%=Ba)F2kJm-TCsxZuyW;xoF)27h|d*B<C4Emry!UlbTVK(H8ko)F=
z3BJf`rUnoVAMT+CoKr)HRfK&vNBwxOfwj`xp6rSShSv&~VPHdkWHnpk3;M!%^?(i0
zAb>}Gp$KM&sE(IUs-b<@=hj(tm^%0p3`F<=QC=XAMD4;W6mkSah>4=Y^K)q=6M=zn
zC_1dfV0ZEV+;1L7lJD~A+?Mdzk2DPUMtlKQ;q~>qqX8Wq?ZupjGBwiqTRFU~KD2fd
z!+a{o61`|52e8)B+0$ir^)xx0t<6*O8$(Y-gYFSb8#DtlbU5#wVZ65iJww&ZhWKp?
zMOl<j3g&2E$>TNUhk6C%3{xJzA8>Y)-<USke36+OnOoPx{yrq866p^5ZW;D@Fj+AE
zW)HHEIwteVk7{2Ny<>v8DS~kby&DI8L5c*uS~E49!G+WGotaaq)$H^-5!B(f#%DfK
zMiIvBmWeI3Y%Sg~l3^Ef8^ioNgucN{!Us5BMbe`*;{8i$GC7@JaEa+piU@#a;LQAU
zx*T~E4c-(CZ45HRG=iJce^Q1QSUL6fPwM|s97@j>@iYF5`0e;F=+ni2Vj8(|iFeVW
z3!^p|(pfkf3{pNK={uawtd`HC{zz~sNb>D13>!X$X01W03qQwS|5B3~Cen>~(~oQI
z^Fg`_FT!DM1aZuMWV4b*LQK3fMp-sYb~lE|)JCk|sta8q*6+WCPhPm8U@jS|#GK*d
zh^mNOm@%X(-uL53ykmFT3XGk)`Xbw^A>4^GwxyD^A`}@89*b)9ZqB(gE*nQZ7a#rK
z(&;~;cD<5L|8j<=J#sLeehBa*ucp)Vj_n^_OQ$PQ>#wKNt*BSNnNEKb^&@{tr|I3+
zKcIdc_3K!Px8{P5CAt^&y?FH4j{1H)P(6a$i!F&t=)WJ^QeM=5z&`AsP&Z>wyF5?)
z&H!e$oLf7!oLfqB&Mlr*FrG83lwR=Q@9V&?i-<uM^{&yW{NlF-#6SM0bb25B(k!Jd
zma?l#iZ&LEYF93}?4nD`FCZ24WYLVzgV4)}&t@r&<>sy_v=lgsayOuADgu_<4xpYu
zJor1bg70gb5BOGmw&TMNrPKV~(nd?^SZ<@GZ2OF63)_}wvsA?Lud>wSh6^nfHVd;^
z%D~ZRDX<r{1Jh!{w2;9{e5gOh5pVu(H0*85g;Z?DRTehGont9;T1sse+QXzmaVUoW
z2j57i%Q!}S(HgQGcmsI;F0b8EdRMO9QZ_cjZeiQWuWk9wmYUei+-rnq@L71)T$Jm~
zLOF^)pM|mW=m`7UVP_n9U?<bfmeO3SrGVmlKk!cj&)=zDL-B=P3hx(D@z#odpghu$
zKm1)`MD13P8;f##Rg6ikj?Zyw5BT`I*zol(it}mhSz{T^o#DtSwA8flh-cc>Qk3ff
z7A;3VWU%%k3P3h*qimkG5_SW~-x}mGf480Y|J9c9oLuApbp*n7Bd%I_%YKZjCTg4u
za`!`y_Ne$f-0*ih_2V|mi&$QZrDmki!kR2)P>6I`Q#4~ed^RI;kswpBNJpNJe}~@j
zm(ywf&ifk6czzI(vI&nVrx#*e9mU3`57!#(ewpHQ7xnvCUZbUAd%nX`vu&osQXiYO
z)?y7?>TNtKji#vZyrOYhhVcq>pOjA`@JR$diNGfj_#^_KMBx8}2<$uC%DvbjYvmFx
zrKqU7Sb&+|z0nKWRMhY6)I0U+_to@*GZnSIRPWZ8UD3<&d@XLG|MlZ^hzMWLwNjP&
z&3DIa0n@=dmC+eiUd!zy?YnYOq1IVy?Mlbu=7J@NDArzHtF_34yrA_j6*}#wLhp_7
zGRMj*g`X%EuxeK?r)v0pyeP^(j*EDEh9y6aqd2VMiDeas-!HOC$^SQ%`W<_=wU<hS
zA8*R~gsf+l3j8^;ULxyNvTl*}I$8J2dPLUSWPP8kACUFWW&M<_Uy}8kvOXc}nRBIm
zSuc_GDp|M4dY!EMWj!M6ZL-d8?{u*0A4Mlv{Z^E4F6>mUb-J)GD$YDA04yskYzhr;
z3i}5Jbyne7##YqS)-l&$2)pd8Jsi5#6JnR^9JGcwSlu7KqOh>T7asECGyuDTe8)EI
z>)XVzS4{f?m5hErN87`mLF_a7D(PX}9o)pQb&M@27V6WnBgS_pm<PrS!O6E4BcXmB
zyK-XF7iSG2j~|<tUgiyXqI4X?e?f@71f0jP3fgzQpi4?zu#6kQ{$8NaPaBmu-cZVD
z^9<X&*e<|N0R8+If|b}R^aP@O`%jSr{vp4#K;k?ikwSQmt%^$SXC=0bz5f19sC~Ry
z!_mHgKQdU!y!aiU*qg*&2qAfZD{0eZIp5a^1Pako{HBhgV)l;nP<#*@*q0&V8_OFJ
z^;38e>B9bKI0%zs^Tmtfg%G!RBep?F3#sl8;kTF@DZKcVp%=$1;?&CplDjW7g5By&
zhhwLR&LwC&UhM5o^{OOA2C+}cu<s)R2D|=XA)!=ruxk_T!v<zh_qzjZI27jgvYT05
zSm<)tSyy|D3nyH5=Io-Ah;`0pdo#Ph)&=;2N_MT&<!JAAF>rL++FaMO_7-MqyPjR`
zY-_G$_Uk%2?Ok20y|d7{wxiW)2hQ2n)Y{$bY+J(`A=lQ9+;$?Vq14sR$e>i^v_r0i
zt+jVHIiT6r=xoK2U1ed5)73^gTiQFBjdj>MUCyTNR$C|Q=<e)j@3O;uGt{=>jIk3|
z>}&09u4-5Xj@j1%U|kMdYb%*5v~|P#PV$d6wRc?K>0IM*F-LoAvmMArJ3O;Bw%Ua$
zG^(l9=3HCJnr&-sYskA!)($P5g~TSjW7j(Dgd%%3{BNQo9BM{WdmEiAx+>AiPFF_s
zT4$HNlG!?)T@;X(&i1vHg%nOmKs%H`uFWpAP^fu;GCcwo3RpK9t$bn4c3UfSp?lg+
z>Avd1HBC*cSw(kWG^j^eUG>W9nyOV%4%Oa<^QfAYIB^kpnow5Ntg5+G)2btb^mAc%
zpH_|EmHO~I+iGN)uNn=m(%l0R8VE+K`=Z#fufi{Xs|muP;GkCR-4u*$8WOc078H4&
zbPCV|TG$tGlYqP$4(MbOzkjX9W%WP^7rO5jeDfdnR)<6UH@nro!Jd8`clmk-y-=bc
zA=={(huxcmgu1@b12&j(5BWXtA*7RfVCV<H)%cCAR_(zFG$t-JBmeJeS|`w)uI~T!
zxmG|^f0stBOE?l=+4qC9fups6l6U1=0ny)i;g!ZjmHE!gT#1YGQJLlSTq`H&Ql9p^
z%q3fXC5U+0IHc^W_0rcR!jQuGvR3O9rSl40Pz;p3T2GD21=2n#Nb4<XyOLMynik-Q
zRmrRMS%+Kzsr49Gc*%}m8?dw%Qu1p3^S)fbZI*J%f5oTj^`O(*O2KM<H7pmXHBvs?
ze~H#^#0AAv$*c9;gp}`<jLLp?`zZ}czESdNa($@D1@VMbO!5@7Z28-OqnN1mtol0=
z6D2^RsCBY{ge`SV^(K7G@{@9%HYw%#UbRVpUQDB+>Mgi7%a6<T(Kv15qbPp`bUHi+
zf>~bu-HZt-|9;lOTiI3m?#Yr@&ky%56&z|Et@yL^{~J<1(|=2?oOMFV|4=;`NCiyR
zs`?Ht$bTiT{?3y6`%CvKMp<Xu|8bW5!4+1{d2odgcqsFrA>izI?gH9^k785LOX}}2
zW%FmlPePWuTFI;DsWKYaDB1kk@N?jy_A7b%`5+bc-;{p|yp+32UOi8!zn7)*Pvy6=
zukzqd$eQh|-}|2w$KBKVuk^f<C9hd~fkCnIZ|$V0GT%y0)dnbL`<ks+@Y+O`$m(z=
z(3$Uda7DUQ`_<niNZ18SeTGw9uq^l(V6tD6g;(-4zncs3QZd)cwxEdb-O~Qw%}A4+
GLjMPAa2l)t

literal 0
HcmV?d00001

diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 03b2b4fb..470025de 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -2,7 +2,6 @@
 
 trap "exit" INT TERM
 trap "kill 0" EXIT
-PARENT_PID=$$
 
 # Prepare
 BACKGROUND_TASKS=()
@@ -351,12 +350,12 @@ BACKGROUND_TASKS+=($!)
 (
 while true; do
   for bg_task in ${BACKGROUND_TASKS[*]}; do
-    if ! kill -0 ${bg_task} 21>&2; then
+    if ! kill -0 ${bg_task} 1>&2; then
       echo "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
       log_to_redis "Worker ${bg_task} died, stopping watchdog and waiting for respawn..."
-      kill -TERM ${PARENT_PID}
+      kill -TERM 1
     fi
-    sleep 1
+    sleep 10
   done
 done
 ) &

From c3e36be576d0890f9e86b7310be7e93d9caa3e7a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 14 Oct 2017 23:26:47 +0200
Subject: [PATCH 73/84] [Compose] Start to replace init

---
 docker-compose.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 870e8288..cc0a13e4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -58,12 +58,11 @@ services:
             - redis
 
     clamd-mailcow:
-      image: mailcow/clamd:1.4
+      image: mailcow/clamd:1.5
       build: ./data/Dockerfiles/clamd
       restart: always
       environment:
         - SKIP_CLAMD=${SKIP_CLAMD:-n}
-      init: true
       dns:
         - 172.22.1.254
       networks:
@@ -295,9 +294,8 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.7
+      image: mailcow/watchdog:1.8
       build: ./data/Dockerfiles/watchdog
-      init: false
       volumes:
         - vmail-vol-1:/vmail:ro
       restart: always

From 6b6470fe54672c478cef79ba175504a22401479a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sun, 15 Oct 2017 09:31:19 +0200
Subject: [PATCH 74/84] [Rspamd] Use tini

---
 data/Dockerfiles/rspamd/Dockerfile           |   3 ++-
 data/Dockerfiles/rspamd/docker-entrypoint.sh |   2 +-
 data/Dockerfiles/rspamd/tini                 | Bin 0 -> 19968 bytes
 3 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100755 data/Dockerfiles/rspamd/tini

diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile
index 2913cefb..eb9238e1 100644
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -22,7 +22,8 @@ COPY settings.conf /etc/rspamd/modules.d/settings.conf
 #COPY ratelimit.lua /usr/share/rspamd/lua/ratelimit.lua
 #COPY lua_util.lua /usr/share/rspamd/lib/lua_util.lua
 COPY docker-entrypoint.sh /docker-entrypoint.sh
+COPY tini /sbin/tini
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD /usr/bin/rspamd -f -u _rspamd -g _rspamd
+CMD ["/usr/bin/rspamd", "-f", "-u", "_rspamd", "-g", "_rspamd"]
diff --git a/data/Dockerfiles/rspamd/docker-entrypoint.sh b/data/Dockerfiles/rspamd/docker-entrypoint.sh
index c6903311..ae216570 100755
--- a/data/Dockerfiles/rspamd/docker-entrypoint.sh
+++ b/data/Dockerfiles/rspamd/docker-entrypoint.sh
@@ -2,4 +2,4 @@
 
 chown -R _rspamd:_rspamd /var/lib/rspamd
 
-exec "$@"
+exec /sbin/tini -- "$@"
diff --git a/data/Dockerfiles/rspamd/tini b/data/Dockerfiles/rspamd/tini
new file mode 100755
index 0000000000000000000000000000000000000000..6556c966f4221a108f2e6d57fd0b16c4e8ac465c
GIT binary patch
literal 19968
zcmeHve|S{Yng2~lAS7WD6l{uEjv63n5)vddqS2Wo6J|6dF`1y2VltVTB%_m=ICCe6
zWi@tybvneRYHhpQZPV7r+SX@Ft!-g!OB5Ar?YF4aFVt>DQF{mcfkKh3)!EN`eoQU{
z+1+RNdA`s04-d?o`~H5<d){;Ix#!%;?e^A|+?*Uum0ax#jYDT!IZAwM+GLC3&@`)7
zug%8ydD=p4CeZo#C_byaQuRrxTGa(o%?#9e_|)eLM18K6U#NPaK*NG4%0sHj-c+&5
zOHprMB|uec8si9(BVS9e;2`Q=exd3w%o6ygWv%4MJ(8=Caurfe)%&Dls#fizw$aBW
z+vm!)0wUN-mDbF^r)uJ*((#7wrR&xe97Jv97plHjpfy!1xoaRte*Sk$sbuVw_NI%=
zQQ1CKOHf-L@b|4+xjf*l3iyN3TdHoUUsbhgWpyM}y@I!!^b_xzwr*}o#gPFbpXcF2
zIY9LF3zzJ?X8pX;<IM;1H#pB5{@00H56lJae0+$PVp=+0%GTy=pII@ZjF6*Rg~ke4
z-fUJ|Fzc-5Tt>X*_$<X|89tTx)Zjzq5_~8v>Ip!(OjM_QUk>P-JLjkNf3*GDr6pT0
zJp97D7RL*9V>jLYPn%af@xfWU#@@3${OENruKHe8?7+>}Eqwas_|p$veP}Xy=<dx=
zzVPMm-#EMJC0G9JwU<uZdc4v8;#<$&`LhF;zMoiFJnyw{y?TH1_m)(wEcxT_4t?vA
zzL(#gv-)dA73XbV_-<K`>V{K%A>ar2oOK#j#N<r)1qk+;@ZM?kTnc`62K~REhM!`0
zCjGBYga67j_z$MRUp)=}x@qvUr)lr6rfFC6G<vG0!FNuBzj7LU(KPr2)8NmV#{aKP
z!~ctE@O2ni47BVL1>#Ko_1HA{?@WV#dK&!ZY4Cm1`18&*{4~Fx$<MFz_*k?Z=Uc&n
zF)ZiNJk)1t7EB-l&%j4zoy3opSvkB};+JtfCEC491)dY}^)m2twNGnSTQ5glohK-H
zoZq5N%(ZgF=cS(cfaYoov<L0I9530mw>f{2Hc?{bc=bhc<mc!@f$x@jz98{OKO^u-
z*)F<2mO_6*>Q{P}Oa2<E$1Vxa0zVfL6S7^(pJP(b{wzK7WPFZZDC{n$$roh@=l`^(
z$v6ls<{8PaEwFM_nIvqMcs5_)zYTdR)V@;0Gu!_$;3*DF>X`v~Dm(C@cuq<`)qQi3
z<R6#qlI)sO+C6xlmBh6|X*YzL`f;VLm*Z6&4k^1*kB?I|?dKA&$@R@e68|vp40^KT
z@Fmd6&xtHQmrH*p&#`h1KY=_ixG#F>Hn>WQ=;4TeAm|Qgp<&%0^lJT~@J$*}!{Lx;
z$Q|L={r*58;?uPOpFZsOYBvESK|K`EJnlds<k5!19vwLUfNyA6-$cAUJ-%=_80rDl
zt@}ek5{3!j`-j8+px)o(8H94(8;a^$|8P|IXu1c2!vo=Ajn}XQ8DDUOxS)*Gdwtvy
z-z`4R$gtMGG3?iUgm-(mjg4+U_YfG}KjiZgOrAnI6ozSPcTYrjhxMKzw?C-$xg)-y
zd&tLIMuz*tKA+<AM4~<Y{-9qQc84Rr9&)6|=~~+ZUwi}pi0%u!);0w~L7&Ur7l4${
z>(<?xqV+_gePN$_*caAXolW+(E_+YF7t}nVV84GL8us<TM}$2hwY$Ru5slpKaR<FU
z=!A{#uvhZHAyO?I2QV-c3d&aWz@>Ivd;P(lXvF7Lw#;on6A*SE`nIR1FA|Yz!oG+e
zGPyy%_S_m8>ht^H6ZH_H<?#h0i0`m_V^Hh4YNV%AHoPg|jzqvG8i=0sd2W(I(TIBh
z!Jt5?P@EDbe<T!e>psZ%172-StFy7GXGQfT)hjdCE2`^|q`C6n)YbGD8h?sPQwCk<
znEss#nJGDE;G{JnNzhy&ivDT;Y+4C^35Ez4T|jWIb{`o=IeBF-uV>;Lvwo(i@t6<H
z<r%D&nV$(yYe7}iJVSVjfhuLzUVcf-el>&%!AyAR3g@dZ;VB-f)R^#U4kB8;2~TZM
z#cIN59yvgCnDA;&B$*Bq9s$af>rD8<3|7;6O?X<Hs4{567b_&{VH19i34e<TUt+?K
zn((SGiF~ICPiuHp#!Yzh{r>AF{Mm{b^@Ise&kCwMXu{JyS(P0o{5cAVdZ!8hDHDFu
zgvYF(DNmd53o=+u+h@X`Yr^k0;b|?S%0UzUJcUGUnDC2C_@gE~GvOVvw+bAI{IxYq
zb8MZ|^9@?KIATu}>=8`qx<-)Fi<|LXvdD@nf(MD1I+#XTyqaK2?bJRFuOOIGIyK4R
ziwK@U@D2`NKrp3nYJ$TH2&Q3^8t3p?1XC)fMmbzaFr{#6n8UdQQ|hLAIsCWffGK5D
z9UOk2U`o}LmBWV#rW8%paQHQXDK%4!!+#{0QZiM_;pYjq5Ug?d8G<P_Q%64rV)5ey
zQ%a@|ayUuwT!Qy;_+f%61yhq8{vpAXdZ`^8{w~3ka;XUp{}aKKYN>G!-%T*3SZb8R
zUm}=ND>cmFFA_}4rBpA6ZzY&gEY-o`Fu{~sDJzF>B$!evRm0)FYNqv%1LnnX$6I%z
zvm9fs<?|e4uJW?I&E-4}sOM3y8lOX~kr~AaARKo*LEL+4Cyg$I80c9$iRs9jj<H9|
zt&}=r_m&?-y=w{3j`#<TxL#i27}Lwyu^&0&|5u`2<uw4uwv<m2*VyKAt0UfA&WvB9
zU$#z0e`MIX_ULzwZ=&ZM3BA0GoGT_)W>EHQoh;cJM0Yq6o6F0LZ6Br6VB&PEQIFmt
zx*K$mfz``PjXv}dVXp=@wi%7oe-~@mj$q8#I2&y%O)Ub!2tbn~(eTC!ro|siK3rkd
zeoYNTgYQQ49Emx<1tm%0=J?%zSZ39X0Zyvh0n%>DJfj6#j{K0uOYPgv_;WWn;;%Vk
zuOIDjIrmP|%G0s;F~+OC^c-L;1^e;-l10s!PrhdF)w&&3<ER|5lNLw(jgfPALMI=d
zb2scJLi!+>w-8d>u!pSlS1b6}MDKRo@eWt;*vB)Vz!5*{c+9xck@J+}xsUbv8Er*M
zTgf8m5%xzL=Aso^bZ$2U4T|uFr}96pWm?WLZfQ5Wf*iY2i{>A>2XYx@?~y=y--gt!
zkeTwQ%aQnO?emWKhr4M?Fn;%8I!&GMRRE4eq@ecs-IV&q8yp`!AGlKBDE*D+B=2_s
ztcUSY)SB^IV9`NdxP%V6A5l~t^xogmf7?M$)Ej@rb&_3VMG8I!?p5GcY|nt?NYq^j
zl<2H)K!j)U`aS*Q#!W(h-s$?kLi#I({;!h$qv(6+Kk_Za!MH@oJ&V~X%dhK6?)cxh
zUmHlyA^b{t5UH-(6SZmM9H0@FJKv!e?t-S;bo?n}5*J%1<9qaw@iT}!;(HQW?Bu6Q
zw#-6G#!k-E`;1=^KGCr5bgPHR(aVgtP$mD3a*YR~3XC!kk5XP6zXTo8m=C;&Mgkh+
z`!n&beL2=Ja52+zM-Ceu!q{&xp`eM+m_k3owaoc3D9IYA6=P!p?KG|y2JQt(7`O;p
zj{J+tSL4Hf=Pe+5R@}~qr149T(VvTPo&1GpMrtMErsT=Ly%)j1l5H(O8xIL}i%<9Q
zdG7t3BJ!~!<Kr;-_<c^QJBrCb__z&PQYSE~$8Fs<moxrRcb7AM+!23~ZkNV`V5i=y
zK?L<+tYHo8=fwAnv>VmJ`uCv-jhSznJzU&G!x$*eL~%I}kS)GHxgYj1xzq^{f*B9;
zpeeoqB)S)`-(dT^O^kH#{syxJX5RTk5qYb~m_J(M?;3aVY>K|(Ok7^x8h`WA+o_|!
z2ZcuPB&E@llt#IFY3$@2o&-B@14Bvkej`NWL_>ja-#oUy3hBf@XvV*wCjY_pS{0fS
zpG@YOS{Vcx*|ZlV5y%E;jPFl<mgWRLzZpfs#{FQ)>hD_e@YxS|f7fwE4Yz>{iJN@i
zlxu~;h9_g=07Q5k_zjp_nVNsPyBzUjj`&Bs<K6|QZD+y7d^990l;e*0D+ueuJT~td
z&wwdeBY1c>3GzLX{3DQoA+H9(BnOkBbMk>C-Ka(O*FwFqR-(%@=p7I;R!KBHK?v^s
zgkB`kv<WECS|!j061_Tuwi5b1?#Y2<Z3aC`=s!yIc^R~mJlVt1e-_>HzzJ%^fg~*>
zgrNcA`L<}=u2BHVolwSUh|PV1z(E_2^{y`y&q?rryphPrMn_!eU%w&M3=4E;O3bfb
zN`3h6!VGPPrRu@1#&0a0Yg^}xpRjd1<1gA=xQYC(EB;|?VoAxCSK(apA(&~6pNPL=
zJP(brlj)Kzb7}T7u8f`h>_(O@f3kNux^pjhk;98{Q>k-a%pmd?BM0NxG(K!M;2xsI
z^1rbJqxHxG@_rJ_Uk3J^Blk%-G5<Euai2egK|STOu?5!m+PRf%ouh<>-Jd{$?8Y%Z
zr(w0i{?BN(NL|S1FnFH0tzcIn6#V*IXz8&BO191h1;fh&HmPM7Wo+_6&{coTgf}AP
zX$?zpj=yqoLp`}%09~=YISx<SICvbIwoW?Zc1^$3;hA3s`mz_CV=G^(eSYi9C3ii=
zmo3FFIpW3p9I?l9E`8zlqYlr@j=g#NsY$hysmH-#Tu*8e4eu{IZN%RGSCAKgj2SwH
zYj8aaE*cvZRa4$x$4PZR0ZF9aQiurm-7tV&nHsM&PIpuO8FwG!-s`hs`P(3wvzs!`
z*etR0lZE8s2}gXdQ2}-F{Kw0goG$l_Pw7kKUj^YVEGp;JzHGj)O^VK?foaTw0)C^t
z*=U9SSp7M;*OqLVB-(m1m}od&aa!x|poU*2Zlhaq4X*zKE^7S_Q|mv+Np(L3Nwj_$
zGzw2JU&k6|!|xd-+ipNd8t=T%)eHz@=GEssu4T?zP?A$4`$-B(ihEeMB4glbXyFet
zv@ZE)p>m~AX`0jJ{htfZnNNDV&|VRh>)^lf6`}WU7{9{tVbZ%3J!Xn8`imYJiXo~Q
z%fS#knWLA}io3XWa`$4w{s36IUnTMvUC8LpvoVbB_!K6LvOVKii5KVS#}fH7Km%9G
zIQ$-uK@4UQ$wO$N%KB2_s~?mk?Yj$KSuK2hgSWD-E#vDGq=hV~b>lrkZLv^mUcBsr
ztl<I~S^O)mr{PVS17Q82sUPnaCVmT&2#1?Q@~^&tX{kzdp18l+*3nFM0y7y_4PAJ;
z+D9R{53IE8{Y<W=?aeDM01iRR%R}uL`+RvGfPx}{ES`nBb<A5{4rJ*}ft;6*`d3n{
zjGpU3Tu3Wt)QnckM~a30#Kn%-p1k-wv<?`TRvm~{>!pXHhn$IXTI27Cm3Y%p;nJfJ
zCLd~QCwHAq*YQ`5Iq+=ug#rh3(-H^kBk(#C>-hZ6m+Pyf@LeE-P)ZX&U$dVl2wNT_
zF$MsGV%Or+hE5AS!yNl<P)zrrYnP!X&*h}LEg*?7|LtAy-th#*F?;51hLJ~!oM>>J
zZsb*%H#UQeetiSi$;Hr*UIq6OaI36Jaxd%7&KQhCgj<qU#p;XSKH%Tg!rto`wMY=t
zcrtDl&3%R_siXzQl!<GFi5;MbHZ36~XKK^9apWD|o-L>Ap9?L<Lm;C)^KqR#fw6)1
zq%P+7fGr3R;_)LPkF?14?>X-IoQps)1^o*6nc9XyE%K);$!xtEmQ1lHMji1tjR4f~
zyKVx?6D!MOAJ5fqiZ!?v(USWgA3*;n=D&`i8-L}4SGGQ1()^+E3?wj+yNnzXt;Yi>
zrqU<LwNl~Q4~YHL(5-@Ncv!g-RkF95x9Ug_U&+N9QlH_b4nYI0hTj^cXA`Vv-$tCo
z6H%W2X6$5<{;Kg~!X+9UryF<?reWaEsFJ0^02paLQhoGO?p$3lP@<2%NXlSNB%PW^
z68WElKN!nfLNsAF2#YUa63CjYJY3(LUxJcc4By3MRS(-ny)gA1kc6pEK@0A-i%8><
zw|E=8LZf+}nkzJ3MH)*p8i&z;#+%%Yy5$*-Pm&fmUpq<BYDVzy5qgVH*SibCcv3LV
z7i~FwKBKHk-T}obIQI$tzXwTp?1MIBLn@86&MEhAKJgvz;tTFlej7;A6tWvlOB=t3
z6q1P&;t?Qm7hv@KHtRgP1ODSCFe2?rac{%}jognw|1aeI|5H#eJraEgTQ$Y;$78SE
zUb2<m8HqLg2K1bfYmA4F@W5RRAK|_E*=s+{mi)Z6d=9$2806$m^nz;IqdYEk$C+x{
zm!OA?l>Gb&TRg8^JiBD}SB#56j@1_;^`ahf{wkQq?YoKEw_LdJAaub6^X<EvTbXkg
zD5k!<kNWN+;Xowgz-(wq9peilkY7H`o23h#=J_TEf@=Md&y_T^fs6WX+|<B7a;NGp
z$>{$9Y0QqZ5fOIY!obe*{Tp1toaaF?`Tl+KJt%bl0wj?aYqNBZ8|MnW_X@q{e714n
zhFghpAi2|&ZcByQ-i+E4DTL%><l6XHW6tF{w?$$N&o7{EzrlDEB=qY_q2Ju?ufj5I
z|Hb}tyI~hzSinW`F--AEa#Gzf3~SMbI5Z}(*@zsA9UisC=ar`}fobC!Vd*d!p~BP?
zVkH&kdglBV<YYOrTMT%HrxRn1FtH<JVhOdUl-gsv7AuB$nzk8Q#}@zj9EQ!iu_~&u
z<8T7cM6Ju-z(6i=JoeEHquoGTx4x}o)TrmD*7#vO9yLQldfuOK>(6mukQ_$$%1r~?
z4YnThdidBL8f4H14qW0)Dpy<IVsqJA8P1UXtYWc$*#@Rgaaq6HAMklsv&9i@eY3r>
zd(A0anNwdgADu#*VLI@IycxCL+1Ap|PEiGhip7y-g<4Z+Xb9)146l9p7#(bff|1pQ
zg&Jd3fz_;QFtiaQez?hq&3B7muP)T=!4ZEr6ddvebvEJ-`{`Jhi@BU_&YrIB#!kDf
z!``WJaGkxgvAxUbx?ZcQ8u8%}9Y@@YBZb;vWMm+qt#@_Wn(U`Ir_N4&UgnN4e*DR%
z&WP7vYwN_oJ0*Pn0eSGAY4*~^k)>0|;3l-6qt%(ci2(i<9)6~W7*3pV<jcC8Yg}l<
zG=%nUt<&f6`A6U=IGY@;%~}VJd;P%yCeEx^Gww%QNVWo+`9ZrGK_|n|gY$2%<l5-h
z2N_-;AZfU3N6evewWJOrCe#f$!qy;1XVYX*hKV1QGkP82)TV)#$`rqB8XH8n27KWx
z?kv9c?rHc=Psw12>G~#C5xR-uNOAW0yvu}j?BA&u7c%z1ABlPfnb$XhJey9giw@Q^
z0peOC5guHoq9uYQ4e{)d$;N7`Ygbj*vMM%!<gM}b_j@n-tmNyaGk6+rY<)Y93)<Vd
zHn5J)_BEZhwXCX&t+#cq0cJC<r7{c+Dt3&rsP1EKYT-cGJ;b6xyzRjBK_8lfR~bh9
zl;<qe50(*k!0%=Ba)F2kJm-TCsxZuyW;xoF)27h|d*B<C4Emry!UlbTVK(H8ko)F=
z3BJf`rUnoVAMT+CoKr)HRfK&vNBwxOfwj`xp6rSShSv&~VPHdkWHnpk3;M!%^?(i0
zAb>}Gp$KM&sE(IUs-b<@=hj(tm^%0p3`F<=QC=XAMD4;W6mkSah>4=Y^K)q=6M=zn
zC_1dfV0ZEV+;1L7lJD~A+?Mdzk2DPUMtlKQ;q~>qqX8Wq?ZupjGBwiqTRFU~KD2fd
z!+a{o61`|52e8)B+0$ir^)xx0t<6*O8$(Y-gYFSb8#DtlbU5#wVZ65iJww&ZhWKp?
zMOl<j3g&2E$>TNUhk6C%3{xJzA8>Y)-<USke36+OnOoPx{yrq866p^5ZW;D@Fj+AE
zW)HHEIwteVk7{2Ny<>v8DS~kby&DI8L5c*uS~E49!G+WGotaaq)$H^-5!B(f#%DfK
zMiIvBmWeI3Y%Sg~l3^Ef8^ioNgucN{!Us5BMbe`*;{8i$GC7@JaEa+piU@#a;LQAU
zx*T~E4c-(CZ45HRG=iJce^Q1QSUL6fPwM|s97@j>@iYF5`0e;F=+ni2Vj8(|iFeVW
z3!^p|(pfkf3{pNK={uawtd`HC{zz~sNb>D13>!X$X01W03qQwS|5B3~Cen>~(~oQI
z^Fg`_FT!DM1aZuMWV4b*LQK3fMp-sYb~lE|)JCk|sta8q*6+WCPhPm8U@jS|#GK*d
zh^mNOm@%X(-uL53ykmFT3XGk)`Xbw^A>4^GwxyD^A`}@89*b)9ZqB(gE*nQZ7a#rK
z(&;~;cD<5L|8j<=J#sLeehBa*ucp)Vj_n^_OQ$PQ>#wKNt*BSNnNEKb^&@{tr|I3+
zKcIdc_3K!Px8{P5CAt^&y?FH4j{1H)P(6a$i!F&t=)WJ^QeM=5z&`AsP&Z>wyF5?)
z&H!e$oLf7!oLfqB&Mlr*FrG83lwR=Q@9V&?i-<uM^{&yW{NlF-#6SM0bb25B(k!Jd
zma?l#iZ&LEYF93}?4nD`FCZ24WYLVzgV4)}&t@r&<>sy_v=lgsayOuADgu_<4xpYu
zJor1bg70gb5BOGmw&TMNrPKV~(nd?^SZ<@GZ2OF63)_}wvsA?Lud>wSh6^nfHVd;^
z%D~ZRDX<r{1Jh!{w2;9{e5gOh5pVu(H0*85g;Z?DRTehGont9;T1sse+QXzmaVUoW
z2j57i%Q!}S(HgQGcmsI;F0b8EdRMO9QZ_cjZeiQWuWk9wmYUei+-rnq@L71)T$Jm~
zLOF^)pM|mW=m`7UVP_n9U?<bfmeO3SrGVmlKk!cj&)=zDL-B=P3hx(D@z#odpghu$
zKm1)`MD13P8;f##Rg6ikj?Zyw5BT`I*zol(it}mhSz{T^o#DtSwA8flh-cc>Qk3ff
z7A;3VWU%%k3P3h*qimkG5_SW~-x}mGf480Y|J9c9oLuApbp*n7Bd%I_%YKZjCTg4u
za`!`y_Ne$f-0*ih_2V|mi&$QZrDmki!kR2)P>6I`Q#4~ed^RI;kswpBNJpNJe}~@j
zm(ywf&ifk6czzI(vI&nVrx#*e9mU3`57!#(ewpHQ7xnvCUZbUAd%nX`vu&osQXiYO
z)?y7?>TNtKji#vZyrOYhhVcq>pOjA`@JR$diNGfj_#^_KMBx8}2<$uC%DvbjYvmFx
zrKqU7Sb&+|z0nKWRMhY6)I0U+_to@*GZnSIRPWZ8UD3<&d@XLG|MlZ^hzMWLwNjP&
z&3DIa0n@=dmC+eiUd!zy?YnYOq1IVy?Mlbu=7J@NDArzHtF_34yrA_j6*}#wLhp_7
zGRMj*g`X%EuxeK?r)v0pyeP^(j*EDEh9y6aqd2VMiDeas-!HOC$^SQ%`W<_=wU<hS
zA8*R~gsf+l3j8^;ULxyNvTl*}I$8J2dPLUSWPP8kACUFWW&M<_Uy}8kvOXc}nRBIm
zSuc_GDp|M4dY!EMWj!M6ZL-d8?{u*0A4Mlv{Z^E4F6>mUb-J)GD$YDA04yskYzhr;
z3i}5Jbyne7##YqS)-l&$2)pd8Jsi5#6JnR^9JGcwSlu7KqOh>T7asECGyuDTe8)EI
z>)XVzS4{f?m5hErN87`mLF_a7D(PX}9o)pQb&M@27V6WnBgS_pm<PrS!O6E4BcXmB
zyK-XF7iSG2j~|<tUgiyXqI4X?e?f@71f0jP3fgzQpi4?zu#6kQ{$8NaPaBmu-cZVD
z^9<X&*e<|N0R8+If|b}R^aP@O`%jSr{vp4#K;k?ikwSQmt%^$SXC=0bz5f19sC~Ry
z!_mHgKQdU!y!aiU*qg*&2qAfZD{0eZIp5a^1Pako{HBhgV)l;nP<#*@*q0&V8_OFJ
z^;38e>B9bKI0%zs^Tmtfg%G!RBep?F3#sl8;kTF@DZKcVp%=$1;?&CplDjW7g5By&
zhhwLR&LwC&UhM5o^{OOA2C+}cu<s)R2D|=XA)!=ruxk_T!v<zh_qzjZI27jgvYT05
zSm<)tSyy|D3nyH5=Io-Ah;`0pdo#Ph)&=;2N_MT&<!JAAF>rL++FaMO_7-MqyPjR`
zY-_G$_Uk%2?Ok20y|d7{wxiW)2hQ2n)Y{$bY+J(`A=lQ9+;$?Vq14sR$e>i^v_r0i
zt+jVHIiT6r=xoK2U1ed5)73^gTiQFBjdj>MUCyTNR$C|Q=<e)j@3O;uGt{=>jIk3|
z>}&09u4-5Xj@j1%U|kMdYb%*5v~|P#PV$d6wRc?K>0IM*F-LoAvmMArJ3O;Bw%Ua$
zG^(l9=3HCJnr&-sYskA!)($P5g~TSjW7j(Dgd%%3{BNQo9BM{WdmEiAx+>AiPFF_s
zT4$HNlG!?)T@;X(&i1vHg%nOmKs%H`uFWpAP^fu;GCcwo3RpK9t$bn4c3UfSp?lg+
z>Avd1HBC*cSw(kWG^j^eUG>W9nyOV%4%Oa<^QfAYIB^kpnow5Ntg5+G)2btb^mAc%
zpH_|EmHO~I+iGN)uNn=m(%l0R8VE+K`=Z#fufi{Xs|muP;GkCR-4u*$8WOc078H4&
zbPCV|TG$tGlYqP$4(MbOzkjX9W%WP^7rO5jeDfdnR)<6UH@nro!Jd8`clmk-y-=bc
zA=={(huxcmgu1@b12&j(5BWXtA*7RfVCV<H)%cCAR_(zFG$t-JBmeJeS|`w)uI~T!
zxmG|^f0stBOE?l=+4qC9fups6l6U1=0ny)i;g!ZjmHE!gT#1YGQJLlSTq`H&Ql9p^
z%q3fXC5U+0IHc^W_0rcR!jQuGvR3O9rSl40Pz;p3T2GD21=2n#Nb4<XyOLMynik-Q
zRmrRMS%+Kzsr49Gc*%}m8?dw%Qu1p3^S)fbZI*J%f5oTj^`O(*O2KM<H7pmXHBvs?
ze~H#^#0AAv$*c9;gp}`<jLLp?`zZ}czESdNa($@D1@VMbO!5@7Z28-OqnN1mtol0=
z6D2^RsCBY{ge`SV^(K7G@{@9%HYw%#UbRVpUQDB+>Mgi7%a6<T(Kv15qbPp`bUHi+
zf>~bu-HZt-|9;lOTiI3m?#Yr@&ky%56&z|Et@yL^{~J<1(|=2?oOMFV|4=;`NCiyR
zs`?Ht$bTiT{?3y6`%CvKMp<Xu|8bW5!4+1{d2odgcqsFrA>izI?gH9^k785LOX}}2
zW%FmlPePWuTFI;DsWKYaDB1kk@N?jy_A7b%`5+bc-;{p|yp+32UOi8!zn7)*Pvy6=
zukzqd$eQh|-}|2w$KBKVuk^f<C9hd~fkCnIZ|$V0GT%y0)dnbL`<ks+@Y+O`$m(z=
z(3$Uda7DUQ`_<niNZ18SeTGw9uq^l(V6tD6g;(-4zncs3QZd)cwxEdb-O~Qw%}A4+
GLjMPAa2l)t

literal 0
HcmV?d00001


From a35bf76154a9f18d3f6353db6aba054312bde568 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sun, 15 Oct 2017 09:42:51 +0200
Subject: [PATCH 75/84] [Compose] Remove init where possible or replace init by
 tini, set grace periods

---
 docker-compose.yml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index cc0a13e4..4f595cde 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,6 @@ services:
       image: mailcow/unbound:1.0
       build: ./data/Dockerfiles/unbound
       command: /usr/sbin/unbound
-      init: true
       depends_on:
         mysql-mailcow:
           condition: service_healthy
@@ -34,7 +33,6 @@ services:
         - MYSQL_DATABASE=${DBNAME}
         - MYSQL_USER=${DBUSER}
         - MYSQL_PASSWORD=${DBPASS}
-      init: true
       restart: always
       dns:
         - 172.22.1.254
@@ -73,7 +71,7 @@ services:
     rspamd-mailcow:
       image: mailcow/rspamd:1.10
       build: ./data/Dockerfiles/rspamd
-      command: "/usr/bin/rspamd -f -u _rspamd -g _rspamd"
+      stop_grace_period: 30s
       depends_on:
         - nginx-mailcow
       volumes:
@@ -84,7 +82,6 @@ services:
         - dkim-vol-1:/data/dkim
         - rspamd-vol-1:/var/lib/rspamd
       restart: always
-      init: true
       dns:
         - 172.22.1.254
       hostname: rspamd
@@ -251,7 +248,6 @@ services:
         - mysql-mailcow
       image: mailcow/acme:1.21
       build: ./data/Dockerfiles/acme
-      init: true
       dns:
         - 172.22.1.254
       environment:
@@ -275,6 +271,7 @@ services:
     fail2ban-mailcow:
       image: mailcow/fail2ban:1.7
       build: ./data/Dockerfiles/fail2ban
+      stop_grace_period: 30s
       depends_on:
         - dovecot-mailcow
         - postfix-mailcow
@@ -283,7 +280,6 @@ services:
         - redis-mailcow
       restart: always
       privileged: true
-      init: true
       environment:
         - TZ=${TZ}
         - SKIP_FAIL2BAN=${SKIP_FAIL2BAN:-n}
@@ -314,8 +310,8 @@ services:
 
     dockerapi-mailcow:
       image: mailcow/dockerapi:1.0
+      stop_grace_period: 3s
       build: ./data/Dockerfiles/dockerapi
-      init: false
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock:ro
       networks:

From 81775765d8c6ea6b4946f03d4ac9666697d854c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 21 Oct 2017 10:07:06 +0200
Subject: [PATCH 76/84] [Web] Customize app menu and logo; Fix #671

---
 data/web/admin.php                       |  81 +++++++++-
 data/web/css/admin.css                   |   4 +
 data/web/css/mailcow.css                 |   9 ++
 data/web/inc/footer.inc.php              |   7 +
 data/web/inc/functions.customize.inc.php | 180 +++++++++++++++++++++++
 data/web/inc/functions.mailbox.inc.php   |   4 +-
 data/web/inc/header.inc.php              |  10 +-
 data/web/inc/prerequisites.inc.php       |   1 +
 data/web/inc/sessions.inc.php            |   1 +
 data/web/inc/triggers.inc.php            |  10 ++
 data/web/index.php                       |  10 +-
 data/web/js/admin.js                     |  20 ++-
 data/web/js/api.js                       |   5 +-
 data/web/js/bootstrap-filestyle.min.js   |  10 ++
 data/web/json_api.php                    |  42 ++++++
 data/web/lang/lang.de.php                |  11 ++
 data/web/lang/lang.en.php                |  12 ++
 17 files changed, 407 insertions(+), 10 deletions(-)
 create mode 100644 data/web/inc/functions.customize.inc.php
 create mode 100644 data/web/js/bootstrap-filestyle.min.js

diff --git a/data/web/admin.php b/data/web/admin.php
index 6347cd7e..a2ec3d94 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -129,6 +129,7 @@ $tfa_data = get_tfa();
         <a href="#fwdhosts" class="list-group-item"><?=$lang['admin']['forwarding_hosts'];?></a>
         <a href="#f2bparams" class="list-group-item"><?=$lang['admin']['f2b_parameters'];?></a>
         <a href="#relayhosts" class="list-group-item">Relayhosts</a>
+        <a href="#customize" class="list-group-item"><?=$lang['admin']['customize'];?></a>
         <a href="#top" class="list-group-item" style="border-top:1px dashed #dadada">↸ <?=$lang['admin']['to_top'];?></a>
       </div>
     </div>
@@ -260,9 +261,7 @@ $tfa_data = get_tfa();
           </div>
           <div class="form-group">
             <label for="private_key_file"><?=$lang['admin']['private_key'];?>:</label>
-            <textarea class="form-control" rows="5" name="private_key_file" id="private_key_file" required placeholder="-----BEGIN RSA PRIVATE KEY-----
-XYZ
------END RSA PRIVATE KEY-----"></textarea>
+            <textarea class="form-control" rows="5" name="private_key_file" id="private_key_file" required placeholder="-----BEGIN RSA KEY-----"></textarea>
           </div>
           <button class="btn btn-default" id="add_item" data-id="dkim_import" data-api-url='add/dkim_import' data-api-attr='{}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['admin']['import'];?></button>
         </form>
@@ -376,6 +375,82 @@ XYZ
         </form>
       </div>
     </div>
+
+    <span class="anchor" id="customize"></span>
+    <div class="panel panel-default">
+      <div class="panel-heading"><?=$lang['admin']['customize'];?></div>
+      <div class="panel-body">
+        <legend><?=$lang['admin']['change_logo'];?></legend>
+        <p class="help-block"><?=$lang['admin']['logo_info'];?></p>
+        <form class="form-inline" role="form" method="post" enctype="multipart/form-data">
+          <p>
+            <input type="file" name="main_logo" class="filestyle" data-buttonName="btn-default" data-buttonText="Select" accept="image/gif, image/jpeg, image/pjpeg, image/x-png, image/png, image/svg+xml">
+            <button name="submit_main_logo" type="submit" class="btn btn-success"><span class="glyphicon glyphicon-cloud-upload"></span> <?=$lang['admin']['upload'];?></button>
+          </p>
+        </form>
+        <?php
+        if ($main_logo = customize('get', 'main_logo')):
+          $specs = customize('get', 'main_logo_specs');
+        ?>
+        <div class="row">
+          <div class="col-sm-3">
+            <div class="thumbnail">
+              <img class="img-thumbnail" src="<?=$main_logo;?>" alt="mailcow logo">
+              <div class="caption">
+                <span class="label label-info"><?=$specs['geometry']['width'];?>x<?=$specs['geometry']['height'];?> px</span>
+                <span class="label label-info"><?=$specs['mimetype'];?></span>
+                <span class="label label-info"><?=$specs['fileSize'];?></span>
+              </div>
+            </div>
+            <hr>
+            <form class="form-inline" role="form" method="post">
+              <p><button name="reset_main_logo" type="submit" class="btn btn-xs btn-default"><?=$lang['admin']['reset_default'];?></button></p>
+            </form>
+          </div>
+        </div>
+        <?php
+        endif;
+        ?>
+        <legend><?=$lang['admin']['app_links'];?></legend>
+        <p class="help-block"><?=$lang['admin']['merged_vars_hint'];?></p>
+        <form class="form-inline" data-id="app_links" role="form" method="post">
+          <table class="table table-condensed" style="width:1%;white-space: nowrap;" id="app_link_table">
+            <tr>
+              <th><?=$lang['admin']['app_name'];?></th>
+              <th><?=$lang['admin']['link'];?></th>
+              <th>&nbsp;</th>
+            </tr>
+            <?php
+            $app_links = customize('get', 'app_links');
+            foreach ($app_links as $row) {
+              foreach ($row as $key => $val):
+            ?>
+            <tr>
+              <td><input class="input-sm form-control" data-id="app_links" type="text" name="app" required value="<?=$key;?>"></td>
+              <td><input class="input-sm form-control" data-id="app_links" type="text" name="href" required value="<?=$val;?>"></td>
+              <td><a href="#" role="button" class="btn btn-xs btn-default" type="button"><?=$lang['admin']['remove_row'];?></a></td>
+            </tr>
+            <?php 
+              endforeach;
+            }
+            foreach ($MAILCOW_APPS as $app):
+            ?>
+            <tr>
+              <td><input class="input-sm form-control" value="<?=htmlspecialchars($app['name']);?>" disabled></td>
+              <td><input class="input-sm form-control" value="<?=htmlspecialchars($app['link']);?>" disabled></td>
+              <td>&nbsp;</td>
+            </tr>
+            <?php
+            endforeach;
+            ?>
+          </table>
+          <div class="btn-group">
+            <button class="btn btn-success" id="edit_selected" data-item="admin" data-id="app_links" data-reload="no" data-api-url='edit/app_links' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
+            <button class="btn btn-default" type="button" id="add_app_link_row"><?=$lang['admin']['add_row'];?></button>
+          </div> 
+        </form>
+      </div>
+    </div>
   </div>
   </div>
   </div>
diff --git a/data/web/css/admin.css b/data/web/css/admin.css
index aa07d7a3..eb6b64f8 100644
--- a/data/web/css/admin.css
+++ b/data/web/css/admin.css
@@ -53,3 +53,7 @@ body.modal-open {
   top: 65px;
   z-index: 1;
 }
+.thumbnail img {
+  min-height:100px;
+  height:100px;
+}
\ No newline at end of file
diff --git a/data/web/css/mailcow.css b/data/web/css/mailcow.css
index e3356ee7..955b05fb 100644
--- a/data/web/css/mailcow.css
+++ b/data/web/css/mailcow.css
@@ -101,4 +101,13 @@ legend {
   -ms-user-select: none
   -o-user-select: none;
   user-select: none;
+}
+.navbar .navbar-brand {
+  padding-top: 5px;
+}
+.navbar .navbar-brand img {
+  height: 40px;
+}
+.mailcow-logo img {
+  max-width: 250px;
 }
\ No newline at end of file
diff --git a/data/web/inc/footer.inc.php b/data/web/inc/footer.inc.php
index 55a8f88d..8740612c 100644
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@@ -6,10 +6,14 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/modals/footer.php';
 <script src="/js/bootstrap-switch.min.js"></script>
 <script src="/js/bootstrap-slider.min.js"></script>
 <script src="/js/bootstrap-select.min.js"></script>
+<script src="/js/bootstrap-filestyle.min.js"></script>
 <script src="/js/notifications.min.js"></script>
 <script src="/js/u2f-api.js"></script>
 <script src="/js/api.js"></script>
 <script>
+$(window).scroll(function() {
+  sessionStorage.scrollTop = $(this).scrollTop();
+});
 // Select language and reopen active URL without POST
 function setLang(sel) {
   $.post( "<?= $_SERVER['REQUEST_URI']; ?>", {lang: sel} );
@@ -192,6 +196,9 @@ $(document).ready(function() {
 
   // CSRF
   $('<input type="hidden" value="<?= $_SESSION['CSRF']['TOKEN']; ?>">').attr('id', 'csrf_token').attr('name', 'csrf_token').appendTo('form');
+  if (sessionStorage.scrollTop != "undefined") {
+    $(window).scrollTop(sessionStorage.scrollTop);
+  }
 });
 </script>
 
diff --git a/data/web/inc/functions.customize.inc.php b/data/web/inc/functions.customize.inc.php
new file mode 100644
index 00000000..231bc898
--- /dev/null
+++ b/data/web/inc/functions.customize.inc.php
@@ -0,0 +1,180 @@
+<?php
+
+function customize($_action, $_item, $_data = null) {
+	global $redis;
+	global $lang;
+  switch ($_action) {
+    case 'add':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      switch ($_item) {
+        case 'main_logo':
+          if (in_array($_data['main_logo']['type'], array('image/gif', 'image/jpeg', 'image/pjpeg', 'image/x-png', 'image/png', 'image/svg+xml'))) {
+            try {
+              if (file_exists($_data['main_logo']['tmp_name']) !== true) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'Cannot validate image file: Temporary file not found'
+                );
+                return false;
+              }
+              $image = new Imagick($_data['main_logo']['tmp_name']);
+              if ($image->valid() !== true) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'Cannot validate image file'
+                );
+                return false;
+              }
+              $image->destroy();
+            }
+            catch (ImagickException $e) {
+              $image->destroy();
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => 'Cannot validate image file'
+              );
+              return false;
+            }
+          }
+          else {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Invalid mime type'
+            );
+            return false;
+          }
+          try {
+            $redis->Set('MAIN_LOGO', 'data:' . $_data['main_logo']['type'] . ';base64,' . base64_encode(file_get_contents($_data['main_logo']['tmp_name'])));
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Redis: '.$e
+            );
+            return false;
+          }
+          $_SESSION['return'] = array(
+            'type' => 'success',
+            'msg' => 'File uploaded successfully'
+          );
+        break;
+      }
+    break;
+    case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      switch ($_item) {
+        case 'app_links':
+          $apps = (array)$_data['app'];
+          $links = (array)$_data['href'];
+          $out = array();
+          if (count($apps) == count($links)) {;
+            for ($i = 0; $i < count($apps); $i++) {
+              $out[] = array($apps[$i] => $links[$i]);
+            }
+            try {
+              $redis->set('APP_LINKS', json_encode($out));
+            }
+            catch (RedisException $e) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => 'Redis: '.$e
+              );
+              return false;
+            }
+          }
+          $_SESSION['return'] = array(
+            'type' => 'success',
+            'msg' => 'Saved changes to app links'
+          );
+        break;
+      }
+    break;
+    case 'delete':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      switch ($_item) {
+        case 'main_logo':
+          try {
+            if ($redis->del('MAIN_LOGO')) {
+              $_SESSION['return'] = array(
+                'type' => 'success',
+                'msg' => 'Reset default logo'
+              );
+              return true;
+            }
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Redis: '.$e
+            );
+            return false;
+          }
+        break;
+      }
+    break;
+    case 'get':
+      switch ($_item) {
+        case 'app_links':
+          try {
+            $app_links = json_decode($redis->get('APP_LINKS'), true);
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Redis: '.$e
+            );
+            return false;
+          }
+          return ($app_links) ? $app_links : false;
+        break;
+        case 'main_logo':
+          try {
+            return $redis->get('MAIN_LOGO');
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Redis: '.$e
+            );
+            return false;
+          }
+        break;
+        case 'main_logo_specs':
+          try {
+            $image = new Imagick();
+            $img_data = explode('base64,', customize('get', 'main_logo'));
+            if ($img_data[1]) {
+              $image->readImageBlob(base64_decode($img_data[1]));
+            }
+            return $image->identifyImage();
+          }
+          catch (ImagickException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Error: Imagick exception while reading image'
+            );
+            return false;
+          }
+        break;
+      }
+    break;
+  }
+}
\ No newline at end of file
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 9deb6ef0..209b4acc 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -1291,11 +1291,11 @@ function mailbox($_action, $_type, $_data = null) {
               $port1 = (!empty($_data['port1'])) ? $_data['port1'] : $is_now['port1'];
               $password1 = (!empty($_data['password1'])) ? $_data['password1'] : $is_now['password1'];
               $host1 = (!empty($_data['host1'])) ? $_data['host1'] : $is_now['host1'];
-              $subfolder2 = (!empty($_data['subfolder2'])) ? $_data['subfolder2'] : '';
+              $subfolder2 = (isset($_data['subfolder2'])) ? $_data['subfolder2'] : $is_now['subfolder2'];
               $enc1 = (!empty($_data['enc1'])) ? $_data['enc1'] : $is_now['enc1'];
               $mins_interval = (!empty($_data['mins_interval'])) ? $_data['mins_interval'] : $is_now['mins_interval'];
               $exclude = (!empty($_data['exclude'])) ? $_data['exclude'] : '';
-              $maxage = (!empty($_data['maxage'])) ? $_data['maxage'] : $is_now['maxage'];
+              $maxage = (isset($_data['maxage']) && $_data['maxage'] != "") ? intval($_data['maxage']) : $is_now['maxage'];
             }
             else {
               $_SESSION['return'] = array(
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index ccccc616..b64bd5a8 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -39,7 +39,7 @@
         <span class="icon-bar"></span>
         <span class="icon-bar"></span>
       </button>
-      <a class="navbar-brand" href="/"><img height="32" alt="mailcow-logo" style="margin-top: -5px;" src="/img/cow_mailcow.svg"></a>
+      <a class="navbar-brand" href="/"><img alt="mailcow-logo" src="<?=($main_logo = customize('get', 'main_logo')) ? $main_logo : '/img/cow_mailcow.svg';?>"></a>
     </div>
     <div id="navbar" class="navbar-collapse collapse">
       <ul class="nav navbar-nav navbar-right">
@@ -102,6 +102,14 @@
             <li title="<?= htmlspecialchars($app['description']); ?>"><a href="<?= htmlspecialchars($app['link']); ?>"><?= htmlspecialchars($app['name']); ?></a></li>
           <?php
           endforeach;
+          $app_links = customize('get', 'app_links');
+          foreach ($app_links as $row) {
+            foreach ($row as $key => $val):
+          ?>
+            <li><a href="<?= htmlspecialchars($val); ?>"><?= htmlspecialchars($key); ?></a></li>
+          <?php 
+            endforeach;
+          }
           ?>
           </ul>
         </li>
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index 1f92e1fb..cdb88804 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -63,6 +63,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/lang/lang.en.php';
 include $_SERVER['DOCUMENT_ROOT'] . '/lang/lang.'.$_SESSION['mailcow_locale'].'.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.mailbox.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.customize.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.domain_admin.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.policy.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.dkim.inc.php';
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index 2dbc8fff..abbef40f 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -53,6 +53,7 @@ if (isset($_SESSION['mailcow_cc_role']) && session_check() === false) {
     'msg' => 'Form token invalid or timed out'
   );
   $_POST = array();
+  $_FILES = array();
 }
 
 // Handle logouts
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index b91acd93..10fbe4cc 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -63,4 +63,14 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		unset_tfa_key($_POST);
 	}
 }
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+	if (isset($_POST["submit_main_logo"])) {
+    if ($_FILES['main_logo']['error'] == 0) {
+      customize('add', 'main_logo', $_FILES);
+    }
+	}
+	if (isset($_POST["reset_main_logo"])) {
+    customize('delete', 'main_logo');
+	}
+}
 ?>
diff --git a/data/web/index.php b/data/web/index.php
index 3202fb5b..6c5ba3c7 100644
--- a/data/web/index.php
+++ b/data/web/index.php
@@ -23,7 +23,7 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
       <div class="panel panel-default">
         <div class="panel-heading"><span class="glyphicon glyphicon-user" aria-hidden="true"></span> <?= $lang['login']['login']; ?></div>
         <div class="panel-body">
-          <div class="text-center"><img style="max-width: 250px;" src="/img/cow_mailcow.svg" alt="mailcow"></div>
+          <div class="text-center mailcow-logo"><img src="<?=($main_logo = customize('get', 'main_logo')) ? $main_logo : '/img/cow_mailcow.svg';?>" alt="mailcow"></div>
           <legend>mailcow UI</legend>
             <form method="post" autofill="off">
             <div class="form-group">
@@ -72,6 +72,14 @@ $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
             <a href="<?= htmlspecialchars($app['link']); ?>" role="button" title="<?= htmlspecialchars($app['description']); ?>" class="btn btn-lg btn-default"><?= htmlspecialchars($app['name']); ?></a>&nbsp;
           <?php
           endforeach;
+          $app_links = customize('get', 'app_links');
+          foreach ($app_links as $row) {
+            foreach ($row as $key => $val):
+          ?>
+            <a href="<?= htmlspecialchars($val); ?>" role="button" class="btn btn-lg btn-default"><?= htmlspecialchars($key); ?></a>&nbsp;
+          <?php 
+            endforeach;
+          }
           ?>
         </div>
       </div>
diff --git a/data/web/js/admin.js b/data/web/js/admin.js
index c6b3b22c..83829ab7 100644
--- a/data/web/js/admin.js
+++ b/data/web/js/admin.js
@@ -90,7 +90,7 @@ var Base64 = {
         return t
     }
 }
-
+  
 jQuery(function($){
   // http://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery
   var entityMap = {
@@ -730,6 +730,24 @@ jQuery(function($){
         }
     });
   })
+
+  function add_table_row(table_id) {
+    var row = $('<tr />');
+    cols = '<td><input class="input-sm form-control" data-id="app_links" type="text" name="app" required></td>';
+    cols += '<td><input class="input-sm form-control" data-id="app_links" type="text" name="href" required></td>';
+    cols += '<td><a href="#" role="button" class="btn btn-xs btn-default" type="button">Remove row</a></td>';
+    row.append(cols);
+    table_id.append(row);
+  }
+
+  $('#app_link_table').on('click', 'tr a', function (e) {
+    e.preventDefault();
+    $(this).parents('tr').remove();
+  });
+
+  $('#add_app_link_row').click(function() {
+      add_table_row($('#app_link_table'));
+  });
 });
 
 $(window).load(function(){
diff --git a/data/web/js/api.js b/data/web/js/api.js
index a64ce04f..8935f856 100644
--- a/data/web/js/api.js
+++ b/data/web/js/api.js
@@ -14,7 +14,7 @@ $(document).ready(function() {
     });
     return o;
   };
-  // Collect values of input fields with name "multi_select" an same data-id to js array multi_data[data-id]
+  // Collect values of input fields with name "multi_select" and same data-id to js array multi_data[data-id]
   var multi_data = [];
   $(document).on('change', 'input[name=multi_select]:checkbox', function() {
     if ($(this).is(':checked') && $(this).data('id')) {
@@ -105,7 +105,8 @@ $(document).ready(function() {
         url: '/api/v1/' + api_url,
         jsonp: false,
         complete: function(data) {
-          // var reponse = (JSON.parse(data.responseText));
+          var response = (data.responseText);
+          // alert(response);
           // console.log(reponse.type);
           // console.log(reponse.msg);
           window.location = window.location.href.split("#")[0];
diff --git a/data/web/js/bootstrap-filestyle.min.js b/data/web/js/bootstrap-filestyle.min.js
new file mode 100644
index 00000000..9aa702c6
--- /dev/null
+++ b/data/web/js/bootstrap-filestyle.min.js
@@ -0,0 +1,10 @@
+/*
+ * bootstrap-filestyle
+ * doc: http://markusslima.github.io/bootstrap-filestyle/
+ * github: https://github.com/markusslima/bootstrap-filestyle
+ *
+ * Copyright (c) 2017 Markus Vinicius da Silva Lima
+ * Version 1.2.3
+ * Licensed under the MIT license.
+ */
+!function(t){"use strict";var e=0,i=function(e,i){this.options=i,this.$elementFilestyle=[],this.$element=t(e)};i.prototype={clear:function(){this.$element.val(""),this.$elementFilestyle.find(":text").val(""),this.$elementFilestyle.find(".badge").remove()},destroy:function(){this.$element.removeAttr("style").removeData("filestyle"),this.$elementFilestyle.remove()},disabled:function(t){if(!0===t)this.options.disabled||(this.$element.attr("disabled","true"),this.$elementFilestyle.find("label").attr("disabled","true"),this.options.disabled=!0);else{if(!1!==t)return this.options.disabled;this.options.disabled&&(this.$element.removeAttr("disabled"),this.$elementFilestyle.find("label").removeAttr("disabled"),this.options.disabled=!1)}},buttonBefore:function(t){if(!0===t)this.options.buttonBefore||(this.options.buttonBefore=!0,this.options.input&&(this.$elementFilestyle.remove(),this.constructor(),this.pushNameFiles()));else{if(!1!==t)return this.options.buttonBefore;this.options.buttonBefore&&(this.options.buttonBefore=!1,this.options.input&&(this.$elementFilestyle.remove(),this.constructor(),this.pushNameFiles()))}},icon:function(t){if(!0===t)this.options.icon||(this.options.icon=!0,this.$elementFilestyle.find("label").prepend(this.htmlIcon()));else{if(!1!==t)return this.options.icon;this.options.icon&&(this.options.icon=!1,this.$elementFilestyle.find(".icon-span-filestyle").remove())}},input:function(t){if(!0===t)this.options.input||(this.options.input=!0,this.options.buttonBefore?this.$elementFilestyle.append(this.htmlInput()):this.$elementFilestyle.prepend(this.htmlInput()),this.$elementFilestyle.find(".badge").remove(),this.pushNameFiles(),this.$elementFilestyle.find(".group-span-filestyle").addClass("input-group-btn"));else{if(!1!==t)return this.options.input;if(this.options.input){this.options.input=!1,this.$elementFilestyle.find(":text").remove();var e=this.pushNameFiles();e.length>0&&this.options.badge&&this.$elementFilestyle.find("label").append(' <span class="badge">'+e.length+"</span>"),this.$elementFilestyle.find(".group-span-filestyle").removeClass("input-group-btn")}}},size:function(t){if(void 0===t)return this.options.size;var e=this.$elementFilestyle.find("label"),i=this.$elementFilestyle.find("input");e.removeClass("btn-lg btn-sm"),i.removeClass("input-lg input-sm"),"nr"!=t&&(e.addClass("btn-"+t),i.addClass("input-"+t))},placeholder:function(t){if(void 0===t)return this.options.placeholder;this.options.placeholder=t,this.$elementFilestyle.find("input").attr("placeholder",t)},buttonText:function(t){if(void 0===t)return this.options.buttonText;this.options.buttonText=t,this.$elementFilestyle.find("label .buttonText").html(this.options.buttonText)},buttonName:function(t){if(void 0===t)return this.options.buttonName;this.options.buttonName=t,this.$elementFilestyle.find("label").attr({class:"btn "+this.options.buttonName})},iconName:function(t){if(void 0===t)return this.options.iconName;this.$elementFilestyle.find(".icon-span-filestyle").attr({class:"icon-span-filestyle "+this.options.iconName})},htmlIcon:function(){return this.options.icon?'<span style="margin-right: 3px;" class="icon-span-filestyle '+this.options.iconName+'"></span> ':""},htmlInput:function(){return this.options.input?'<input type="text" class="form-control '+("nr"==this.options.size?"":"input-"+this.options.size)+'" placeholder="'+this.options.placeholder+'" disabled> ':""},pushNameFiles:function(){var t="",e=[];void 0===this.$element[0].files?e[0]={name:this.$element[0]&&this.$element[0].value}:e=this.$element[0].files;for(var i=0;i<e.length;i++)t+=e[i].name.split("\\").pop()+", ";return""!==t?this.$elementFilestyle.find(":text").val(t.replace(/\, $/g,"")):this.$elementFilestyle.find(":text").val(""),e},constructor:function(){var i=this,n="",s=i.$element.attr("id"),l="";""!==s&&s||(s="filestyle-"+e,i.$element.attr({id:s}),e++),l='<span class="group-span-filestyle '+(i.options.input?"input-group-btn":"")+'"><label for="'+s+'" class="btn '+i.options.buttonName+" "+("nr"==i.options.size?"":"btn-"+i.options.size)+'" '+(i.options.disabled||i.$element.attr("disabled")?'disabled="true"':"")+">"+i.htmlIcon()+'<span class="buttonText">'+i.options.buttonText+"</span></label></span>",n=i.options.buttonBefore?l+i.htmlInput():i.htmlInput()+l,i.$elementFilestyle=t('<div class="bootstrap-filestyle input-group">'+n+"</div>"),i.$elementFilestyle.find(".group-span-filestyle").attr("tabindex","0").keypress(function(t){if(13===t.keyCode||32===t.charCode)return i.$elementFilestyle.find("label").click(),!1}),i.$element.css({position:"absolute",clip:"rect(0px 0px 0px 0px)"}).attr("tabindex","-1").after(i.$elementFilestyle),(i.options.disabled||i.$element.attr("disabled"))&&i.$element.attr("disabled","true"),i.$element.change(function(){var t=i.pushNameFiles();0==i.options.input&&i.options.badge?0==i.$elementFilestyle.find(".badge").length?i.$elementFilestyle.find("label").append(' <span class="badge">'+t.length+"</span>"):0==t.length?i.$elementFilestyle.find(".badge").remove():i.$elementFilestyle.find(".badge").html(t.length):i.$elementFilestyle.find(".badge").remove()}),window.navigator.userAgent.search(/firefox/i)>-1&&i.$elementFilestyle.find("label").click(function(){return i.$element.click(),!1})}};var n=t.fn.filestyle;t.fn.filestyle=function(e,n){var s="",l=this.each(function(){if("file"===t(this).attr("type")){var l=t(this),o=l.data("filestyle"),a=t.extend({},t.fn.filestyle.defaults,e,"object"==typeof e&&e);o||(l.data("filestyle",o=new i(this,a)),o.constructor()),"string"==typeof e&&(s=o[e](n))}});return void 0!==typeof s?s:l},t.fn.filestyle.defaults={buttonText:"Choose file",iconName:"glyphicon glyphicon-folder-open",buttonName:"btn-default",size:"nr",input:!0,badge:!0,icon:!0,buttonBefore:!1,disabled:!1,placeholder:""},t.fn.filestyle.noConflict=function(){return t.fn.filestyle=n,this},t(function(){t(".filestyle").each(function(){var e=t(this),i={input:"false"!==e.attr("data-input"),icon:"false"!==e.attr("data-icon"),buttonBefore:"true"===e.attr("data-buttonBefore"),disabled:"true"===e.attr("data-disabled"),size:e.attr("data-size"),buttonText:e.attr("data-buttonText"),buttonName:e.attr("data-buttonName"),iconName:e.attr("data-iconName"),badge:"false"!==e.attr("data-badge"),placeholder:e.attr("data-placeholder")};e.filestyle(i)})})}(window.jQuery);
\ No newline at end of file
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 7673f294..0e4f9e87 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -1795,6 +1795,48 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
+          case "app_links":
+            if (isset($_POST['attr'])) {
+              $attr = (array)json_decode($_POST['attr'], true);
+              if (is_array($attr)) {
+                if (customize('edit', 'app_links', $attr) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
+              }
+            }
+            else {
+              echo json_encode(array(
+                'type' => 'error',
+                'msg' => 'Incomplete post data'
+              ));
+            }
+          break;
           case "relayhost":
             if (isset($_POST['items']) && isset($_POST['attr'])) {
               $items = (array)json_decode($_POST['items'], true);
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index 733d3782..681dca4e 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -512,3 +512,14 @@ $lang['success']['relayhost_removed'] = "Relayhost %s wurde entfernt";
 $lang['success']['relayhost_added'] = "Relayhost %s wurde hinzugefügt";
 $lang['admin']['relay_from'] = "Absenderadresse";
 $lang['admin']['relay_run'] = "Test durchführen";
+$lang['admin']['customize'] = "Anpassung";
+$lang['admin']['change_logo'] = "Logo ändern";
+$lang['admin']['logo_info'] = "Die hochgeladene Grafik wird für die Navigationsleiste auf eine Höhe von 40px skaliert. Für die Startseite ist eine Skalierung auf eine maximale Breite von 250px programmiert. Eine frei skalierbare Grafik (etwa SVG) wird empfohlen.";
+$lang['admin']['upload'] = "Hochladen";
+$lang['admin']['app_links'] = "App Links";
+$lang['admin']['app_name'] = "App Name";
+$lang['admin']['link'] = "Link";
+$lang['admin']['remove_row'] = "Zeile entfernen";
+$lang['admin']['add_row'] = "Zeile hinzufügen";
+$lang['admin']['reset_default'] = "Auf Standard zurücksetzen";
+$lang['admin']['merged_vars_hint'] = 'Ausgegraute Zeilen wurden aus der Datei <code>vars.inc.(local.)php</code> gelesen und können nicht mittels UI verändert werden.';
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index aa41d1b0..527ded11 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -525,3 +525,15 @@ $lang['success']['relayhost_removed'] = "Relayhost %s has been removed";
 $lang['success']['relayhost_added'] = "Relayhost %s has been added";
 $lang['admin']['relay_from'] = '"From:" address';
 $lang['admin']['relay_run'] = "Run test";
+
+$lang['admin']['customize'] = "Customize";
+$lang['admin']['change_logo'] = "Change logo";
+$lang['admin']['logo_info'] = "Your image will be scaled to a height of 40px for the top navigation bar and a max. width of 250px for the start page. A scalable graphic is highly recommended.";
+$lang['admin']['upload'] = "Upload";
+$lang['admin']['app_links'] = "App links";
+$lang['admin']['app_name'] = "App name";
+$lang['admin']['link'] = "Link";
+$lang['admin']['remove_row'] = "Remove row";
+$lang['admin']['add_row'] = "Add row";
+$lang['admin']['reset_default'] = "Reset to default";
+$lang['admin']['merged_vars_hint'] = 'Greyed out rows were merged from <code>vars.inc.(local.)php</code> and cannot be modified.';

From a110e2ea0f126ac5bed59dad6d30a76b12d29a0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 21 Oct 2017 10:08:14 +0200
Subject: [PATCH 77/84] [ACME] Fix detection of orphaned SANs and add tini

---
 data/Dockerfiles/acme/Dockerfile           |   5 +-
 data/Dockerfiles/acme/docker-entrypoint.sh | 472 +++++++++++----------
 data/Dockerfiles/acme/tini                 | Bin 0 -> 19968 bytes
 3 files changed, 248 insertions(+), 229 deletions(-)
 create mode 100755 data/Dockerfiles/acme/tini

diff --git a/data/Dockerfiles/acme/Dockerfile b/data/Dockerfiles/acme/Dockerfile
index b3fd77fd..1554e6a8 100644
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@@ -9,8 +9,9 @@ RUN apk add --update --no-cache \
 	openssl \
 	bind-tools \
 	jq \
-	mariadb-client
+	mariadb-client \
+  tini
 
 COPY docker-entrypoint.sh /srv/docker-entrypoint.sh
 
-ENTRYPOINT ["/srv/docker-entrypoint.sh"]
+CMD ["/sbin/tini", "-g", "--", "/srv/docker-entrypoint.sh"]
diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index 25023819..6d3d7273 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -8,26 +8,40 @@ SSL_EXAMPLE=/var/lib/ssl-example
 mkdir -p ${ACME_BASE}/acme/private
 
 restart_containers(){
-	for container in $*; do
-		echo "Restarting ${container}..."
-		curl -X POST http://dockerapi:8080/containers/${container}/restart
-	done
+  for container in $*; do
+    echo "Restarting ${container}..."
+    curl -X POST http://dockerapi:8080/containers/${container}/restart
+  done
 }
 
 log_f() {
-  echo "$(date) - ${1}"
+  if [[ ${2} == "no_nl" ]]; then
+    echo -n "$(date) - ${1}"
+  elif [[ ${2} == "no_date" ]]; then
+    echo "${1}"
+  else
+    echo "$(date) - ${1}"
+  fi
+}
+
+array_diff() {
+  # https://stackoverflow.com/questions/2312762, Alex Offshore
+  eval local ARR1=\(\"\${$2[@]}\"\)
+  eval local ARR2=\(\"\${$3[@]}\"\)
+  local IFS=$'\n'
+  mapfile -t $1 < <(comm -23 <(echo "${ARR1[*]}" | sort) <(echo "${ARR2[*]}" | sort))
 }
 
 verify_hash_match(){
-	CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
-	KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
-	if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
-		log_f "Certificate and key hashes do not match!"
-		return 1
-	else
-		log_f "Verified hashes."
-		return 0
-	fi
+  CERT_HASH=$(openssl x509 -noout -modulus -in "${1}" | openssl md5)
+  KEY_HASH=$(openssl rsa -noout -modulus -in "${2}" | openssl md5)
+  if [[ ${CERT_HASH} != ${KEY_HASH} ]]; then
+    log_f "Certificate and key hashes do not match!"
+    return 1
+  else
+    log_f "Verified hashes."
+    return 0
+  fi
 }
 
 get_ipv4(){
@@ -51,239 +65,243 @@ get_ipv4(){
 [[ ! -f ${ACME_BASE}/dhparams.pem ]] && cp ${SSL_EXAMPLE}/dhparams.pem ${ACME_BASE}/dhparams.pem
 
 if [[ -f ${ACME_BASE}/cert.pem ]] && [[ -f ${ACME_BASE}/key.pem ]]; then
-	ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
-	if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
-		log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
-		sleep 3650d
-		exec $(readlink -f "$0")
-	else
-		declare -a SAN_ARRAY_NOW
-		SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
-		if [[ ! -z ${SAN_NAMES} ]]; then
-			IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
-			log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
-		fi
-	fi
+  ISSUER=$(openssl x509 -in ${ACME_BASE}/cert.pem -noout -issuer)
+  if [[ ${ISSUER} != *"Let's Encrypt"* && ${ISSUER} != *"mailcow"* ]]; then
+    log_f "Found certificate with issuer other than mailcow snake-oil CA and Let's Encrypt, skipping ACME client..."
+    sleep 3650d
+    exec $(readlink -f "$0")
+  else
+    declare -a SAN_ARRAY_NOW
+    SAN_NAMES=$(openssl x509 -noout -text -in ${ACME_BASE}/cert.pem | awk '/X509v3 Subject Alternative Name/ {getline;gsub(/ /, "", $0); print}' | tr -d "DNS:")
+    if [[ ! -z ${SAN_NAMES} ]]; then
+      IFS=',' read -a SAN_ARRAY_NOW <<< ${SAN_NAMES}
+      log_f "Found Let's Encrypt or mailcow snake-oil CA issued certificate with SANs: ${SAN_ARRAY_NOW[*]}"
+    fi
+  fi
 else
-	if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-		if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
-			log_f "Restoring previous acme certificate and restarting script..."
-			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-			# Restarting with env var set to trigger a restart,
-			exec env TRIGGER_RESTART=1 $(readlink -f "$0")
-		fi
-	ISSUER="mailcow"
-	else
-		log_f "Restoring mailcow snake-oil certificates and restarting script..."
-		cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-		cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-		exec env TRIGGER_RESTART=1 $(readlink -f "$0")
-	fi
+  if [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+    if verify_hash_match ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/privkey.pem; then
+      log_f "Restoring previous acme certificate and restarting script..."
+      cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+      cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+      # Restarting with env var set to trigger a restart,
+      exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+    fi
+  ISSUER="mailcow"
+  else
+    log_f "Restoring mailcow snake-oil certificates and restarting script..."
+    cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+    cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+    exec env TRIGGER_RESTART=1 $(readlink -f "$0")
+  fi
 fi
 
 while ! mysqladmin ping --host mysql -u${DBUSER} -p${DBPASS} --silent; do
-	echo "Waiting for database to come up..."
-	sleep 2
+  echo "Waiting for database to come up..."
+  sleep 2
 done
 
 while true; do
-	if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-		log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
-		sleep 365d
-		exec $(readlink -f "$0")
-	fi
-	if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
-		SKIP_IP_CHECK=y
-	fi
-	unset SQL_DOMAIN_ARR
-	unset VALIDATED_CONFIG_DOMAINS
-	unset ADDITIONAL_VALIDATED_SAN
-	declare -a SQL_DOMAIN_ARR
-	declare -a VALIDATED_CONFIG_DOMAINS
-	declare -a ADDITIONAL_VALIDATED_SAN
-	IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
-	IPV4=$(get_ipv4)
-	# Container ids may have changed
-	CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
+  if [[ "${SKIP_LETS_ENCRYPT}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    log_f "SKIP_LETS_ENCRYPT=y, skipping Let's Encrypt..."
+    sleep 365d
+    exec $(readlink -f "$0")
+  fi
+  if [[ "${SKIP_IP_CHECK}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    SKIP_IP_CHECK=y
+  fi
+  unset SQL_DOMAIN_ARR
+  unset VALIDATED_CONFIG_DOMAINS
+  unset ADDITIONAL_VALIDATED_SAN
+  declare -a SQL_DOMAIN_ARR
+  declare -a VALIDATED_CONFIG_DOMAINS
+  declare -a ADDITIONAL_VALIDATED_SAN
+  IFS=',' read -r -a ADDITIONAL_SAN_ARR <<< "${ADDITIONAL_SAN}"
+  IPV4=$(get_ipv4)
+  # Container ids may have changed
+  CONTAINERS_RESTART=($(curl --silent http://dockerapi:8080/containers/json | jq -r '.[] | {name: .Config.Labels["com.docker.compose.service"], id: .Id}' | jq -rc 'select( .name | tostring | contains("nginx-mailcow") or contains("postfix-mailcow") or contains("dovecot-mailcow")) | .id' | tr "\n" " "))
 
-	while read domain; do
-		SQL_DOMAIN_ARR+=("${domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0" -Bs)
-	while read alias_domain; do
-		SQL_DOMAIN_ARR+=("${alias_domain}")
-	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
+  log_f "Waiting for domain tables... " no_nl
+  while [[ -z ${DOMAIN_TABLE} ]]; do
+    DOMAIN_TABLE=$(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
+    [[ -z ${DOMAIN_TABLE} ]] && sleep 10
+  done
+  log_f "OK" no_date
 
-	for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
-		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
-		if [[ ! -z ${A_CONFIG} ]]; then
-			log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
-			if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
-				VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
-			else
-				log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
-			fi
-		else
-			log_f "No A record for autoconfig.${SQL_DOMAIN} found"
-		fi
+  while read domains; do
+    SQL_DOMAIN_ARR+=("${domains}")
+  done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain WHERE backupmx=0 UNION SELECT alias_domain FROM alias_domain" -Bs)
+
+  for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
+    A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
+    if [[ ! -z ${A_CONFIG} ]]; then
+      log_f "Found A record for autoconfig.${SQL_DOMAIN}: ${A_CONFIG}"
+      if [[ ${IPV4:-ERR} == ${A_CONFIG} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record autoconfig.${SQL_DOMAIN}"
+        VALIDATED_CONFIG_DOMAINS+=("autoconfig.${SQL_DOMAIN}")
+      else
+        log_f "Cannot match your IP ${IPV4} against hostname autoconfig.${SQL_DOMAIN} (${A_CONFIG})"
+      fi
+    else
+      log_f "No A record for autoconfig.${SQL_DOMAIN} found"
+    fi
 
         A_DISCOVER=$(dig A autodiscover.${SQL_DOMAIN} +short | tail -n 1)
-		if [[ ! -z ${A_DISCOVER} ]]; then
-			log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
-			if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
-				VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
-			else
-				log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
-			fi
-		else
-			log_f "No A record for autodiscover.${SQL_DOMAIN} found"
-		fi
-	done
+    if [[ ! -z ${A_DISCOVER} ]]; then
+      log_f "Found A record for autodiscover.${SQL_DOMAIN}: ${A_DISCOVER}"
+      if [[ ${IPV4:-ERR} == ${A_DISCOVER} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record autodiscover.${SQL_DOMAIN}"
+        VALIDATED_CONFIG_DOMAINS+=("autodiscover.${SQL_DOMAIN}")
+      else
+        log_f "Cannot match your IP ${IPV4} against hostname autodiscover.${SQL_DOMAIN} (${A_DISCOVER})"
+      fi
+    else
+      log_f "No A record for autodiscover.${SQL_DOMAIN} found"
+    fi
+  done
 
-	A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
-	if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
-		log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
-		if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-			log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
-			VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
-		else
-			log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
-		fi
-	else
-		log_f "No A record for ${MAILCOW_HOSTNAME} found"
-	fi
+  A_MAILCOW_HOSTNAME=$(dig A ${MAILCOW_HOSTNAME} +short | tail -n 1)
+  if [[ ! -z ${A_MAILCOW_HOSTNAME} ]]; then
+    log_f "Found A record for ${MAILCOW_HOSTNAME}: ${A_MAILCOW_HOSTNAME}"
+    if [[ ${IPV4:-ERR} == ${A_MAILCOW_HOSTNAME} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+      log_f "Confirmed A record ${MAILCOW_HOSTNAME}"
+      VALIDATED_MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
+    else
+      log_f "Cannot match your IP ${IPV4} against hostname ${MAILCOW_HOSTNAME} (${A_MAILCOW_HOSTNAME}) "
+    fi
+  else
+    log_f "No A record for ${MAILCOW_HOSTNAME} found"
+  fi
 
-	for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
-		if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
-			continue
-		fi
-		A_SAN=$(dig A ${SAN} +short | tail -n 1)
-		if [[ ! -z ${A_SAN} ]]; then
-			log_f "Found A record for ${SAN}: ${A_SAN}"
-			if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
-				log_f "Confirmed A record ${SAN}"
-				ADDITIONAL_VALIDATED_SAN+=("${SAN}")
-			else
-				log_f "Cannot match your IP against hostname ${SAN}"
-			fi
-		else
-			log_f "No A record for ${SAN} found"
-		fi
-	done
+  for SAN in "${ADDITIONAL_SAN_ARR[@]}"; do
+    if [[ ${SAN} == ${MAILCOW_HOSTNAME} ]]; then
+      continue
+    fi
+    A_SAN=$(dig A ${SAN} +short | tail -n 1)
+    if [[ ! -z ${A_SAN} ]]; then
+      log_f "Found A record for ${SAN}: ${A_SAN}"
+      if [[ ${IPV4:-ERR} == ${A_SAN} ]] || [[ ${SKIP_IP_CHECK} == "y" ]]; then
+        log_f "Confirmed A record ${SAN}"
+        ADDITIONAL_VALIDATED_SAN+=("${SAN}")
+      else
+        log_f "Cannot match your IP against hostname ${SAN}"
+      fi
+    else
+      log_f "No A record for ${SAN} found"
+    fi
+  done
 
   # Unique elements
-	ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
-	if [[ -z ${ALL_VALIDATED[*]} ]]; then
-		log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
-		log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
-		sleep 1h
-		exec $(readlink -f "$0")
-	fi
+  ALL_VALIDATED=(${VALIDATED_MAILCOW_HOSTNAME} $(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
+  if [[ -z ${ALL_VALIDATED[*]} ]]; then
+    log_f "Cannot validate hostnames, skipping Let's Encrypt for 1 hour."
+    log_f "Use SKIP_LETS_ENCRYPT=y in mailcow.conf to skip it permanently."
+    sleep 1h
+    exec $(readlink -f "$0")
+  fi
 
-	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
-	if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
-		DATE=$(date +%Y-%m-%d_%H_%M_%S)
-		log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
-		mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
-		[[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
-		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
-	fi
+  array_diff ORPHANED_SAN SAN_ARRAY_NOW ALL_VALIDATED
+  if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
+    DATE=$(date +%Y-%m-%d_%H_%M_%S)
+    log_f "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
+    mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+    [[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+    cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
+  fi
 
-	ACME_RESPONSE=$(acme-client \
-		-v -e -b -N -n \
-		-f ${ACME_BASE}/acme/private/account.key \
-		-k ${ACME_BASE}/acme/private/privkey.pem \
-		-c ${ACME_BASE}/acme \
-		${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
+  ACME_RESPONSE=$(acme-client \
+    -v -e -b -N -n \
+    -f ${ACME_BASE}/acme/private/account.key \
+    -k ${ACME_BASE}/acme/private/privkey.pem \
+    -c ${ACME_BASE}/acme \
+    ${ALL_VALIDATED[*]} 2>&1 | tee /dev/fd/5)
 
-	case "$?" in
-		0) # new certs
-			# cp the new certificates and keys
-			cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-			cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+  case "$?" in
+    0) # new certs
+      # cp the new certificates and keys
+      cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+      cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
 
-			# restart docker containers
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-			fi
-			restart_containers ${CONTAINERS_RESTART[*]}
-			;;
-		1) # failure
-			if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
-				log_f "Registration keys are invalid, deleting old keys and restarting..."
-				rm ${ACME_BASE}/acme/private/account.key
-				rm ${ACME_BASE}/acme/private/privkey.pem
-				exec $(readlink -f "$0")
-			fi
-			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			log_f "Retrying in 30 minutes..."
-			sleep 30m
-			exec $(readlink -f "$0")
-			;;
-		2) # no change
-			if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
-				log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			;;
-		*) # unspecified
-			if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
+      # restart docker containers
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Certificate was successfully requested, but key and certificate have non-matching hashes, restoring mailcow snake-oil and restarting containers..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+      fi
+      restart_containers ${CONTAINERS_RESTART[*]}
+      ;;
+    1) # failure
+      if [[ $ACME_RESPONSE =~ "No registration exists" ]]; then
+        log_f "Registration keys are invalid, deleting old keys and restarting..."
+        rm ${ACME_BASE}/acme/private/account.key
+        rm ${ACME_BASE}/acme/private/privkey.pem
+        exec $(readlink -f "$0")
+      fi
+      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Error verifying certificates, restoring mailcow snake-oil and restarting containers..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      log_f "Retrying in 30 minutes..."
+      sleep 30m
+      exec $(readlink -f "$0")
+      ;;
+    2) # no change
+      if ! diff ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem; then
+        log_f "Certificate was not changed, but active certificate does not match the verified certificate, fixing and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Certificate was not changed, but hashes do not match, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      ;;
+    *) # unspecified
+      if [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ]]; then
+        log_f "Error requesting certificate, restoring previous certificate from backup and restarting containers...."
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/${DATE}.bak/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
             elif [[ -f ${ACME_BASE}/acme/fullchain.pem ]] && [[ -f ${ACME_BASE}/acme/private/privkey.pem ]]; then
-				log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
-				cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
-				cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
-				log_f "Error verifying certificates, restoring mailcow snake-oil..."
-				cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
-				cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
-				TRIGGER_RESTART=1
-			fi
-			[[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
-			log_f "Retrying in 30 minutes..."
-			sleep 30m
-			exec $(readlink -f "$0")
-			;;
-	esac
+        log_f "Error requesting certificate, restoring from previous acme request and restarting containers..."
+        cp ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/cert.pem
+        cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      if ! verify_hash_match ${ACME_BASE}/cert.pem ${ACME_BASE}/key.pem; then
+        log_f "Error verifying certificates, restoring mailcow snake-oil..."
+        cp ${SSL_EXAMPLE}/cert.pem ${ACME_BASE}/cert.pem
+        cp ${SSL_EXAMPLE}/key.pem ${ACME_BASE}/key.pem
+        TRIGGER_RESTART=1
+      fi
+      [[ ${TRIGGER_RESTART} == 1 ]] && restart_containers ${CONTAINERS_RESTART[*]}
+      log_f "Retrying in 30 minutes..."
+      sleep 30m
+      exec $(readlink -f "$0")
+      ;;
+  esac
 
-	log_f "ACME certificate validation done. Sleeping for another day."
-	sleep 1d
+  log_f "ACME certificate validation done. Sleeping for another day."
+  sleep 1d
 
 done
diff --git a/data/Dockerfiles/acme/tini b/data/Dockerfiles/acme/tini
new file mode 100755
index 0000000000000000000000000000000000000000..6556c966f4221a108f2e6d57fd0b16c4e8ac465c
GIT binary patch
literal 19968
zcmeHve|S{Yng2~lAS7WD6l{uEjv63n5)vddqS2Wo6J|6dF`1y2VltVTB%_m=ICCe6
zWi@tybvneRYHhpQZPV7r+SX@Ft!-g!OB5Ar?YF4aFVt>DQF{mcfkKh3)!EN`eoQU{
z+1+RNdA`s04-d?o`~H5<d){;Ix#!%;?e^A|+?*Uum0ax#jYDT!IZAwM+GLC3&@`)7
zug%8ydD=p4CeZo#C_byaQuRrxTGa(o%?#9e_|)eLM18K6U#NPaK*NG4%0sHj-c+&5
zOHprMB|uec8si9(BVS9e;2`Q=exd3w%o6ygWv%4MJ(8=Caurfe)%&Dls#fizw$aBW
z+vm!)0wUN-mDbF^r)uJ*((#7wrR&xe97Jv97plHjpfy!1xoaRte*Sk$sbuVw_NI%=
zQQ1CKOHf-L@b|4+xjf*l3iyN3TdHoUUsbhgWpyM}y@I!!^b_xzwr*}o#gPFbpXcF2
zIY9LF3zzJ?X8pX;<IM;1H#pB5{@00H56lJae0+$PVp=+0%GTy=pII@ZjF6*Rg~ke4
z-fUJ|Fzc-5Tt>X*_$<X|89tTx)Zjzq5_~8v>Ip!(OjM_QUk>P-JLjkNf3*GDr6pT0
zJp97D7RL*9V>jLYPn%af@xfWU#@@3${OENruKHe8?7+>}Eqwas_|p$veP}Xy=<dx=
zzVPMm-#EMJC0G9JwU<uZdc4v8;#<$&`LhF;zMoiFJnyw{y?TH1_m)(wEcxT_4t?vA
zzL(#gv-)dA73XbV_-<K`>V{K%A>ar2oOK#j#N<r)1qk+;@ZM?kTnc`62K~REhM!`0
zCjGBYga67j_z$MRUp)=}x@qvUr)lr6rfFC6G<vG0!FNuBzj7LU(KPr2)8NmV#{aKP
z!~ctE@O2ni47BVL1>#Ko_1HA{?@WV#dK&!ZY4Cm1`18&*{4~Fx$<MFz_*k?Z=Uc&n
zF)ZiNJk)1t7EB-l&%j4zoy3opSvkB};+JtfCEC491)dY}^)m2twNGnSTQ5glohK-H
zoZq5N%(ZgF=cS(cfaYoov<L0I9530mw>f{2Hc?{bc=bhc<mc!@f$x@jz98{OKO^u-
z*)F<2mO_6*>Q{P}Oa2<E$1Vxa0zVfL6S7^(pJP(b{wzK7WPFZZDC{n$$roh@=l`^(
z$v6ls<{8PaEwFM_nIvqMcs5_)zYTdR)V@;0Gu!_$;3*DF>X`v~Dm(C@cuq<`)qQi3
z<R6#qlI)sO+C6xlmBh6|X*YzL`f;VLm*Z6&4k^1*kB?I|?dKA&$@R@e68|vp40^KT
z@Fmd6&xtHQmrH*p&#`h1KY=_ixG#F>Hn>WQ=;4TeAm|Qgp<&%0^lJT~@J$*}!{Lx;
z$Q|L={r*58;?uPOpFZsOYBvESK|K`EJnlds<k5!19vwLUfNyA6-$cAUJ-%=_80rDl
zt@}ek5{3!j`-j8+px)o(8H94(8;a^$|8P|IXu1c2!vo=Ajn}XQ8DDUOxS)*Gdwtvy
z-z`4R$gtMGG3?iUgm-(mjg4+U_YfG}KjiZgOrAnI6ozSPcTYrjhxMKzw?C-$xg)-y
zd&tLIMuz*tKA+<AM4~<Y{-9qQc84Rr9&)6|=~~+ZUwi}pi0%u!);0w~L7&Ur7l4${
z>(<?xqV+_gePN$_*caAXolW+(E_+YF7t}nVV84GL8us<TM}$2hwY$Ru5slpKaR<FU
z=!A{#uvhZHAyO?I2QV-c3d&aWz@>Ivd;P(lXvF7Lw#;on6A*SE`nIR1FA|Yz!oG+e
zGPyy%_S_m8>ht^H6ZH_H<?#h0i0`m_V^Hh4YNV%AHoPg|jzqvG8i=0sd2W(I(TIBh
z!Jt5?P@EDbe<T!e>psZ%172-StFy7GXGQfT)hjdCE2`^|q`C6n)YbGD8h?sPQwCk<
znEss#nJGDE;G{JnNzhy&ivDT;Y+4C^35Ez4T|jWIb{`o=IeBF-uV>;Lvwo(i@t6<H
z<r%D&nV$(yYe7}iJVSVjfhuLzUVcf-el>&%!AyAR3g@dZ;VB-f)R^#U4kB8;2~TZM
z#cIN59yvgCnDA;&B$*Bq9s$af>rD8<3|7;6O?X<Hs4{567b_&{VH19i34e<TUt+?K
zn((SGiF~ICPiuHp#!Yzh{r>AF{Mm{b^@Ise&kCwMXu{JyS(P0o{5cAVdZ!8hDHDFu
zgvYF(DNmd53o=+u+h@X`Yr^k0;b|?S%0UzUJcUGUnDC2C_@gE~GvOVvw+bAI{IxYq
zb8MZ|^9@?KIATu}>=8`qx<-)Fi<|LXvdD@nf(MD1I+#XTyqaK2?bJRFuOOIGIyK4R
ziwK@U@D2`NKrp3nYJ$TH2&Q3^8t3p?1XC)fMmbzaFr{#6n8UdQQ|hLAIsCWffGK5D
z9UOk2U`o}LmBWV#rW8%paQHQXDK%4!!+#{0QZiM_;pYjq5Ug?d8G<P_Q%64rV)5ey
zQ%a@|ayUuwT!Qy;_+f%61yhq8{vpAXdZ`^8{w~3ka;XUp{}aKKYN>G!-%T*3SZb8R
zUm}=ND>cmFFA_}4rBpA6ZzY&gEY-o`Fu{~sDJzF>B$!evRm0)FYNqv%1LnnX$6I%z
zvm9fs<?|e4uJW?I&E-4}sOM3y8lOX~kr~AaARKo*LEL+4Cyg$I80c9$iRs9jj<H9|
zt&}=r_m&?-y=w{3j`#<TxL#i27}Lwyu^&0&|5u`2<uw4uwv<m2*VyKAt0UfA&WvB9
zU$#z0e`MIX_ULzwZ=&ZM3BA0GoGT_)W>EHQoh;cJM0Yq6o6F0LZ6Br6VB&PEQIFmt
zx*K$mfz``PjXv}dVXp=@wi%7oe-~@mj$q8#I2&y%O)Ub!2tbn~(eTC!ro|siK3rkd
zeoYNTgYQQ49Emx<1tm%0=J?%zSZ39X0Zyvh0n%>DJfj6#j{K0uOYPgv_;WWn;;%Vk
zuOIDjIrmP|%G0s;F~+OC^c-L;1^e;-l10s!PrhdF)w&&3<ER|5lNLw(jgfPALMI=d
zb2scJLi!+>w-8d>u!pSlS1b6}MDKRo@eWt;*vB)Vz!5*{c+9xck@J+}xsUbv8Er*M
zTgf8m5%xzL=Aso^bZ$2U4T|uFr}96pWm?WLZfQ5Wf*iY2i{>A>2XYx@?~y=y--gt!
zkeTwQ%aQnO?emWKhr4M?Fn;%8I!&GMRRE4eq@ecs-IV&q8yp`!AGlKBDE*D+B=2_s
ztcUSY)SB^IV9`NdxP%V6A5l~t^xogmf7?M$)Ej@rb&_3VMG8I!?p5GcY|nt?NYq^j
zl<2H)K!j)U`aS*Q#!W(h-s$?kLi#I({;!h$qv(6+Kk_Za!MH@oJ&V~X%dhK6?)cxh
zUmHlyA^b{t5UH-(6SZmM9H0@FJKv!e?t-S;bo?n}5*J%1<9qaw@iT}!;(HQW?Bu6Q
zw#-6G#!k-E`;1=^KGCr5bgPHR(aVgtP$mD3a*YR~3XC!kk5XP6zXTo8m=C;&Mgkh+
z`!n&beL2=Ja52+zM-Ceu!q{&xp`eM+m_k3owaoc3D9IYA6=P!p?KG|y2JQt(7`O;p
zj{J+tSL4Hf=Pe+5R@}~qr149T(VvTPo&1GpMrtMErsT=Ly%)j1l5H(O8xIL}i%<9Q
zdG7t3BJ!~!<Kr;-_<c^QJBrCb__z&PQYSE~$8Fs<moxrRcb7AM+!23~ZkNV`V5i=y
zK?L<+tYHo8=fwAnv>VmJ`uCv-jhSznJzU&G!x$*eL~%I}kS)GHxgYj1xzq^{f*B9;
zpeeoqB)S)`-(dT^O^kH#{syxJX5RTk5qYb~m_J(M?;3aVY>K|(Ok7^x8h`WA+o_|!
z2ZcuPB&E@llt#IFY3$@2o&-B@14Bvkej`NWL_>ja-#oUy3hBf@XvV*wCjY_pS{0fS
zpG@YOS{Vcx*|ZlV5y%E;jPFl<mgWRLzZpfs#{FQ)>hD_e@YxS|f7fwE4Yz>{iJN@i
zlxu~;h9_g=07Q5k_zjp_nVNsPyBzUjj`&Bs<K6|QZD+y7d^990l;e*0D+ueuJT~td
z&wwdeBY1c>3GzLX{3DQoA+H9(BnOkBbMk>C-Ka(O*FwFqR-(%@=p7I;R!KBHK?v^s
zgkB`kv<WECS|!j061_Tuwi5b1?#Y2<Z3aC`=s!yIc^R~mJlVt1e-_>HzzJ%^fg~*>
zgrNcA`L<}=u2BHVolwSUh|PV1z(E_2^{y`y&q?rryphPrMn_!eU%w&M3=4E;O3bfb
zN`3h6!VGPPrRu@1#&0a0Yg^}xpRjd1<1gA=xQYC(EB;|?VoAxCSK(apA(&~6pNPL=
zJP(brlj)Kzb7}T7u8f`h>_(O@f3kNux^pjhk;98{Q>k-a%pmd?BM0NxG(K!M;2xsI
z^1rbJqxHxG@_rJ_Uk3J^Blk%-G5<Euai2egK|STOu?5!m+PRf%ouh<>-Jd{$?8Y%Z
zr(w0i{?BN(NL|S1FnFH0tzcIn6#V*IXz8&BO191h1;fh&HmPM7Wo+_6&{coTgf}AP
zX$?zpj=yqoLp`}%09~=YISx<SICvbIwoW?Zc1^$3;hA3s`mz_CV=G^(eSYi9C3ii=
zmo3FFIpW3p9I?l9E`8zlqYlr@j=g#NsY$hysmH-#Tu*8e4eu{IZN%RGSCAKgj2SwH
zYj8aaE*cvZRa4$x$4PZR0ZF9aQiurm-7tV&nHsM&PIpuO8FwG!-s`hs`P(3wvzs!`
z*etR0lZE8s2}gXdQ2}-F{Kw0goG$l_Pw7kKUj^YVEGp;JzHGj)O^VK?foaTw0)C^t
z*=U9SSp7M;*OqLVB-(m1m}od&aa!x|poU*2Zlhaq4X*zKE^7S_Q|mv+Np(L3Nwj_$
zGzw2JU&k6|!|xd-+ipNd8t=T%)eHz@=GEssu4T?zP?A$4`$-B(ihEeMB4glbXyFet
zv@ZE)p>m~AX`0jJ{htfZnNNDV&|VRh>)^lf6`}WU7{9{tVbZ%3J!Xn8`imYJiXo~Q
z%fS#knWLA}io3XWa`$4w{s36IUnTMvUC8LpvoVbB_!K6LvOVKii5KVS#}fH7Km%9G
zIQ$-uK@4UQ$wO$N%KB2_s~?mk?Yj$KSuK2hgSWD-E#vDGq=hV~b>lrkZLv^mUcBsr
ztl<I~S^O)mr{PVS17Q82sUPnaCVmT&2#1?Q@~^&tX{kzdp18l+*3nFM0y7y_4PAJ;
z+D9R{53IE8{Y<W=?aeDM01iRR%R}uL`+RvGfPx}{ES`nBb<A5{4rJ*}ft;6*`d3n{
zjGpU3Tu3Wt)QnckM~a30#Kn%-p1k-wv<?`TRvm~{>!pXHhn$IXTI27Cm3Y%p;nJfJ
zCLd~QCwHAq*YQ`5Iq+=ug#rh3(-H^kBk(#C>-hZ6m+Pyf@LeE-P)ZX&U$dVl2wNT_
zF$MsGV%Or+hE5AS!yNl<P)zrrYnP!X&*h}LEg*?7|LtAy-th#*F?;51hLJ~!oM>>J
zZsb*%H#UQeetiSi$;Hr*UIq6OaI36Jaxd%7&KQhCgj<qU#p;XSKH%Tg!rto`wMY=t
zcrtDl&3%R_siXzQl!<GFi5;MbHZ36~XKK^9apWD|o-L>Ap9?L<Lm;C)^KqR#fw6)1
zq%P+7fGr3R;_)LPkF?14?>X-IoQps)1^o*6nc9XyE%K);$!xtEmQ1lHMji1tjR4f~
zyKVx?6D!MOAJ5fqiZ!?v(USWgA3*;n=D&`i8-L}4SGGQ1()^+E3?wj+yNnzXt;Yi>
zrqU<LwNl~Q4~YHL(5-@Ncv!g-RkF95x9Ug_U&+N9QlH_b4nYI0hTj^cXA`Vv-$tCo
z6H%W2X6$5<{;Kg~!X+9UryF<?reWaEsFJ0^02paLQhoGO?p$3lP@<2%NXlSNB%PW^
z68WElKN!nfLNsAF2#YUa63CjYJY3(LUxJcc4By3MRS(-ny)gA1kc6pEK@0A-i%8><
zw|E=8LZf+}nkzJ3MH)*p8i&z;#+%%Yy5$*-Pm&fmUpq<BYDVzy5qgVH*SibCcv3LV
z7i~FwKBKHk-T}obIQI$tzXwTp?1MIBLn@86&MEhAKJgvz;tTFlej7;A6tWvlOB=t3
z6q1P&;t?Qm7hv@KHtRgP1ODSCFe2?rac{%}jognw|1aeI|5H#eJraEgTQ$Y;$78SE
zUb2<m8HqLg2K1bfYmA4F@W5RRAK|_E*=s+{mi)Z6d=9$2806$m^nz;IqdYEk$C+x{
zm!OA?l>Gb&TRg8^JiBD}SB#56j@1_;^`ahf{wkQq?YoKEw_LdJAaub6^X<EvTbXkg
zD5k!<kNWN+;Xowgz-(wq9peilkY7H`o23h#=J_TEf@=Md&y_T^fs6WX+|<B7a;NGp
z$>{$9Y0QqZ5fOIY!obe*{Tp1toaaF?`Tl+KJt%bl0wj?aYqNBZ8|MnW_X@q{e714n
zhFghpAi2|&ZcByQ-i+E4DTL%><l6XHW6tF{w?$$N&o7{EzrlDEB=qY_q2Ju?ufj5I
z|Hb}tyI~hzSinW`F--AEa#Gzf3~SMbI5Z}(*@zsA9UisC=ar`}fobC!Vd*d!p~BP?
zVkH&kdglBV<YYOrTMT%HrxRn1FtH<JVhOdUl-gsv7AuB$nzk8Q#}@zj9EQ!iu_~&u
z<8T7cM6Ju-z(6i=JoeEHquoGTx4x}o)TrmD*7#vO9yLQldfuOK>(6mukQ_$$%1r~?
z4YnThdidBL8f4H14qW0)Dpy<IVsqJA8P1UXtYWc$*#@Rgaaq6HAMklsv&9i@eY3r>
zd(A0anNwdgADu#*VLI@IycxCL+1Ap|PEiGhip7y-g<4Z+Xb9)146l9p7#(bff|1pQ
zg&Jd3fz_;QFtiaQez?hq&3B7muP)T=!4ZEr6ddvebvEJ-`{`Jhi@BU_&YrIB#!kDf
z!``WJaGkxgvAxUbx?ZcQ8u8%}9Y@@YBZb;vWMm+qt#@_Wn(U`Ir_N4&UgnN4e*DR%
z&WP7vYwN_oJ0*Pn0eSGAY4*~^k)>0|;3l-6qt%(ci2(i<9)6~W7*3pV<jcC8Yg}l<
zG=%nUt<&f6`A6U=IGY@;%~}VJd;P%yCeEx^Gww%QNVWo+`9ZrGK_|n|gY$2%<l5-h
z2N_-;AZfU3N6evewWJOrCe#f$!qy;1XVYX*hKV1QGkP82)TV)#$`rqB8XH8n27KWx
z?kv9c?rHc=Psw12>G~#C5xR-uNOAW0yvu}j?BA&u7c%z1ABlPfnb$XhJey9giw@Q^
z0peOC5guHoq9uYQ4e{)d$;N7`Ygbj*vMM%!<gM}b_j@n-tmNyaGk6+rY<)Y93)<Vd
zHn5J)_BEZhwXCX&t+#cq0cJC<r7{c+Dt3&rsP1EKYT-cGJ;b6xyzRjBK_8lfR~bh9
zl;<qe50(*k!0%=Ba)F2kJm-TCsxZuyW;xoF)27h|d*B<C4Emry!UlbTVK(H8ko)F=
z3BJf`rUnoVAMT+CoKr)HRfK&vNBwxOfwj`xp6rSShSv&~VPHdkWHnpk3;M!%^?(i0
zAb>}Gp$KM&sE(IUs-b<@=hj(tm^%0p3`F<=QC=XAMD4;W6mkSah>4=Y^K)q=6M=zn
zC_1dfV0ZEV+;1L7lJD~A+?Mdzk2DPUMtlKQ;q~>qqX8Wq?ZupjGBwiqTRFU~KD2fd
z!+a{o61`|52e8)B+0$ir^)xx0t<6*O8$(Y-gYFSb8#DtlbU5#wVZ65iJww&ZhWKp?
zMOl<j3g&2E$>TNUhk6C%3{xJzA8>Y)-<USke36+OnOoPx{yrq866p^5ZW;D@Fj+AE
zW)HHEIwteVk7{2Ny<>v8DS~kby&DI8L5c*uS~E49!G+WGotaaq)$H^-5!B(f#%DfK
zMiIvBmWeI3Y%Sg~l3^Ef8^ioNgucN{!Us5BMbe`*;{8i$GC7@JaEa+piU@#a;LQAU
zx*T~E4c-(CZ45HRG=iJce^Q1QSUL6fPwM|s97@j>@iYF5`0e;F=+ni2Vj8(|iFeVW
z3!^p|(pfkf3{pNK={uawtd`HC{zz~sNb>D13>!X$X01W03qQwS|5B3~Cen>~(~oQI
z^Fg`_FT!DM1aZuMWV4b*LQK3fMp-sYb~lE|)JCk|sta8q*6+WCPhPm8U@jS|#GK*d
zh^mNOm@%X(-uL53ykmFT3XGk)`Xbw^A>4^GwxyD^A`}@89*b)9ZqB(gE*nQZ7a#rK
z(&;~;cD<5L|8j<=J#sLeehBa*ucp)Vj_n^_OQ$PQ>#wKNt*BSNnNEKb^&@{tr|I3+
zKcIdc_3K!Px8{P5CAt^&y?FH4j{1H)P(6a$i!F&t=)WJ^QeM=5z&`AsP&Z>wyF5?)
z&H!e$oLf7!oLfqB&Mlr*FrG83lwR=Q@9V&?i-<uM^{&yW{NlF-#6SM0bb25B(k!Jd
zma?l#iZ&LEYF93}?4nD`FCZ24WYLVzgV4)}&t@r&<>sy_v=lgsayOuADgu_<4xpYu
zJor1bg70gb5BOGmw&TMNrPKV~(nd?^SZ<@GZ2OF63)_}wvsA?Lud>wSh6^nfHVd;^
z%D~ZRDX<r{1Jh!{w2;9{e5gOh5pVu(H0*85g;Z?DRTehGont9;T1sse+QXzmaVUoW
z2j57i%Q!}S(HgQGcmsI;F0b8EdRMO9QZ_cjZeiQWuWk9wmYUei+-rnq@L71)T$Jm~
zLOF^)pM|mW=m`7UVP_n9U?<bfmeO3SrGVmlKk!cj&)=zDL-B=P3hx(D@z#odpghu$
zKm1)`MD13P8;f##Rg6ikj?Zyw5BT`I*zol(it}mhSz{T^o#DtSwA8flh-cc>Qk3ff
z7A;3VWU%%k3P3h*qimkG5_SW~-x}mGf480Y|J9c9oLuApbp*n7Bd%I_%YKZjCTg4u
za`!`y_Ne$f-0*ih_2V|mi&$QZrDmki!kR2)P>6I`Q#4~ed^RI;kswpBNJpNJe}~@j
zm(ywf&ifk6czzI(vI&nVrx#*e9mU3`57!#(ewpHQ7xnvCUZbUAd%nX`vu&osQXiYO
z)?y7?>TNtKji#vZyrOYhhVcq>pOjA`@JR$diNGfj_#^_KMBx8}2<$uC%DvbjYvmFx
zrKqU7Sb&+|z0nKWRMhY6)I0U+_to@*GZnSIRPWZ8UD3<&d@XLG|MlZ^hzMWLwNjP&
z&3DIa0n@=dmC+eiUd!zy?YnYOq1IVy?Mlbu=7J@NDArzHtF_34yrA_j6*}#wLhp_7
zGRMj*g`X%EuxeK?r)v0pyeP^(j*EDEh9y6aqd2VMiDeas-!HOC$^SQ%`W<_=wU<hS
zA8*R~gsf+l3j8^;ULxyNvTl*}I$8J2dPLUSWPP8kACUFWW&M<_Uy}8kvOXc}nRBIm
zSuc_GDp|M4dY!EMWj!M6ZL-d8?{u*0A4Mlv{Z^E4F6>mUb-J)GD$YDA04yskYzhr;
z3i}5Jbyne7##YqS)-l&$2)pd8Jsi5#6JnR^9JGcwSlu7KqOh>T7asECGyuDTe8)EI
z>)XVzS4{f?m5hErN87`mLF_a7D(PX}9o)pQb&M@27V6WnBgS_pm<PrS!O6E4BcXmB
zyK-XF7iSG2j~|<tUgiyXqI4X?e?f@71f0jP3fgzQpi4?zu#6kQ{$8NaPaBmu-cZVD
z^9<X&*e<|N0R8+If|b}R^aP@O`%jSr{vp4#K;k?ikwSQmt%^$SXC=0bz5f19sC~Ry
z!_mHgKQdU!y!aiU*qg*&2qAfZD{0eZIp5a^1Pako{HBhgV)l;nP<#*@*q0&V8_OFJ
z^;38e>B9bKI0%zs^Tmtfg%G!RBep?F3#sl8;kTF@DZKcVp%=$1;?&CplDjW7g5By&
zhhwLR&LwC&UhM5o^{OOA2C+}cu<s)R2D|=XA)!=ruxk_T!v<zh_qzjZI27jgvYT05
zSm<)tSyy|D3nyH5=Io-Ah;`0pdo#Ph)&=;2N_MT&<!JAAF>rL++FaMO_7-MqyPjR`
zY-_G$_Uk%2?Ok20y|d7{wxiW)2hQ2n)Y{$bY+J(`A=lQ9+;$?Vq14sR$e>i^v_r0i
zt+jVHIiT6r=xoK2U1ed5)73^gTiQFBjdj>MUCyTNR$C|Q=<e)j@3O;uGt{=>jIk3|
z>}&09u4-5Xj@j1%U|kMdYb%*5v~|P#PV$d6wRc?K>0IM*F-LoAvmMArJ3O;Bw%Ua$
zG^(l9=3HCJnr&-sYskA!)($P5g~TSjW7j(Dgd%%3{BNQo9BM{WdmEiAx+>AiPFF_s
zT4$HNlG!?)T@;X(&i1vHg%nOmKs%H`uFWpAP^fu;GCcwo3RpK9t$bn4c3UfSp?lg+
z>Avd1HBC*cSw(kWG^j^eUG>W9nyOV%4%Oa<^QfAYIB^kpnow5Ntg5+G)2btb^mAc%
zpH_|EmHO~I+iGN)uNn=m(%l0R8VE+K`=Z#fufi{Xs|muP;GkCR-4u*$8WOc078H4&
zbPCV|TG$tGlYqP$4(MbOzkjX9W%WP^7rO5jeDfdnR)<6UH@nro!Jd8`clmk-y-=bc
zA=={(huxcmgu1@b12&j(5BWXtA*7RfVCV<H)%cCAR_(zFG$t-JBmeJeS|`w)uI~T!
zxmG|^f0stBOE?l=+4qC9fups6l6U1=0ny)i;g!ZjmHE!gT#1YGQJLlSTq`H&Ql9p^
z%q3fXC5U+0IHc^W_0rcR!jQuGvR3O9rSl40Pz;p3T2GD21=2n#Nb4<XyOLMynik-Q
zRmrRMS%+Kzsr49Gc*%}m8?dw%Qu1p3^S)fbZI*J%f5oTj^`O(*O2KM<H7pmXHBvs?
ze~H#^#0AAv$*c9;gp}`<jLLp?`zZ}czESdNa($@D1@VMbO!5@7Z28-OqnN1mtol0=
z6D2^RsCBY{ge`SV^(K7G@{@9%HYw%#UbRVpUQDB+>Mgi7%a6<T(Kv15qbPp`bUHi+
zf>~bu-HZt-|9;lOTiI3m?#Yr@&ky%56&z|Et@yL^{~J<1(|=2?oOMFV|4=;`NCiyR
zs`?Ht$bTiT{?3y6`%CvKMp<Xu|8bW5!4+1{d2odgcqsFrA>izI?gH9^k785LOX}}2
zW%FmlPePWuTFI;DsWKYaDB1kk@N?jy_A7b%`5+bc-;{p|yp+32UOi8!zn7)*Pvy6=
zukzqd$eQh|-}|2w$KBKVuk^f<C9hd~fkCnIZ|$V0GT%y0)dnbL`<ks+@Y+O`$m(z=
z(3$Uda7DUQ`_<niNZ18SeTGw9uq^l(V6tD6g;(-4zncs3QZd)cwxEdb-O~Qw%}A4+
GLjMPAa2l)t

literal 0
HcmV?d00001


From 7054aa316b778d18a19726eb155c2ea2fd4f218b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 21 Oct 2017 10:09:29 +0200
Subject: [PATCH 78/84] [Compose] New Rspamd image version; Syntax check Nginx
 conf before starting container; New ACME image version

---
 docker-compose.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 4f595cde..6b016564 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: mailcow/rspamd:1.10
+      image: mailcow/rspamd:1.11
       build: ./data/Dockerfiles/rspamd
       stop_grace_period: 30s
       depends_on:
@@ -219,6 +219,7 @@ services:
       command: /bin/sh -c "envsubst < /etc/nginx/conf.d/templates/listen_plain.template > /etc/nginx/conf.d/listen_plain.active &&
         envsubst < /etc/nginx/conf.d/templates/listen_ssl.template > /etc/nginx/conf.d/listen_ssl.active &&
         envsubst < /etc/nginx/conf.d/templates/server_name.template > /etc/nginx/conf.d/server_name.active &&
+        nginx -qt &&
         until ping phpfpm -c1 > /dev/null; do sleep 1; done &&
         exec nginx -g 'daemon off;'"
       environment:
@@ -246,7 +247,7 @@ services:
       depends_on:
         - nginx-mailcow
         - mysql-mailcow
-      image: mailcow/acme:1.21
+      image: mailcow/acme:1.22
       build: ./data/Dockerfiles/acme
       dns:
         - 172.22.1.254

From f7cd7cc12323edb1bd72329b17e71014ff1e9736 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 21 Oct 2017 10:09:53 +0200
Subject: [PATCH 79/84] [Rspamd] Redis history is enabled by default

---
 data/conf/rspamd/local.d/rspamd.conf.local | 1 -
 1 file changed, 1 deletion(-)

diff --git a/data/conf/rspamd/local.d/rspamd.conf.local b/data/conf/rspamd/local.d/rspamd.conf.local
index 735ed822..5abebb2a 100644
--- a/data/conf/rspamd/local.d/rspamd.conf.local
+++ b/data/conf/rspamd/local.d/rspamd.conf.local
@@ -1,5 +1,4 @@
 # rspamd.conf.local
-history_redis {}
 worker "log_helper" {
   count = 1;
 }

From 04cb033f0ab431bcf3ea7fc3e2eafd449340e42f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Sat, 21 Oct 2017 10:10:27 +0200
Subject: [PATCH 80/84] [PHP-FPM] Add imagemagic

---
 data/Dockerfiles/phpfpm/Dockerfile | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index c447e727..fc6552fd 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -4,6 +4,7 @@ LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 ENV REDIS_PECL 3.1.4
 ENV MEMCACHED_PECL 3.0.3
 ENV APCU_PECL 5.1.8
+ENV IMAGICK_PECL 3.4.3
 
 RUN apk add -U --no-cache libxml2-dev \
 	icu-dev \
@@ -28,15 +29,23 @@ RUN apk add -U --no-cache libxml2-dev \
 	zlib-dev \
 	libxpm-dev \
 	c-client \
-	&& pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} \
-	&& docker-php-ext-enable redis apcu memcached \
+  imagemagick-dev \
+  imagemagick \
+  libtool \
+  librsvg \
+  && pear install channel://pear.php.net/Net_IDNA2-0.2.0 \
+    channel://pear.php.net/Auth_SASL-1.1.0 \
+    Net_IMAP \
+    NET_SMTP \
+    Mail_mime \
+	&& pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} imagick-${IMAGICK_PECL} \
+	&& docker-php-ext-enable redis apcu memcached imagick \
 	&& pecl clear-cache \
 	&& docker-php-ext-configure intl \
-    && docker-php-ext-install intl pdo pdo_mysql xmlrpc gd zip pcntl opcache \
-    && docker-php-ext-configure imap --with-imap --with-imap-ssl \
-	&& docker-php-ext-install imap \
-	&& pear install channel://pear.php.net/Net_IDNA2-0.1.1 Auth_SASL2 Net_IMAP NET_SMTP Net_IDNA2 Mail_mime \
-	&& apk del autoconf g++ make libxml2-dev icu-dev imap-dev openssl-dev cyrus-sasl-dev pcre-dev libpng-dev libpng-dev libjpeg-turbo-dev libwebp-dev zlib-dev \
+  && docker-php-ext-install -j 4 intl pdo pdo_mysql xmlrpc gd zip pcntl opcache \
+  && docker-php-ext-configure imap --with-imap --with-imap-ssl \
+	&& docker-php-ext-install -j 4 imap \
+	&& apk del --purge autoconf g++ make libxml2-dev icu-dev imap-dev openssl-dev cyrus-sasl-dev pcre-dev libpng-dev libpng-dev libjpeg-turbo-dev libwebp-dev zlib-dev imagemagick-dev \
 	&& { \
   echo 'opcache.enable=1'; \
   echo 'opcache.enable_cli=1'; \
@@ -47,6 +56,7 @@ RUN apk add -U --no-cache libxml2-dev \
   echo 'opcache.revalidate_freq=1'; \
 } > /usr/local/etc/php/conf.d/opcache-recommended.ini
 
+
 COPY ./docker-entrypoint.sh /
 
 EXPOSE 9000

From 4fd5b9afbaf297d2d6110034a893c91b3fce762c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Wed, 25 Oct 2017 08:57:34 +0200
Subject: [PATCH 81/84] [SOGo] Fix for some Outlook 2016 EAS problems

---
 data/conf/sogo/sogo.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index 151f5aa3..86278abc 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -43,8 +43,8 @@
     SOGoInternalSyncInterval = 30;
     SOGoMaximumSyncInterval = 354;
 
-    SOGoMaximumSyncWindowSize = 0;
-    SOGoMaximumSyncResponseSize = 1024;
+    SOGoMaximumSyncWindowSize = 100;
+    SOGoMaximumSyncResponseSize = 5172;
 
     WOWatchDogRequestTimeout = 10;
     WOListenQueueSize = 300;

From 3692fc8f327f6ed4979dd80262af8d476e66b5ba Mon Sep 17 00:00:00 2001
From: Michael Kuron <mkuron@users.noreply.github.com>
Date: Wed, 25 Oct 2017 19:43:44 +0200
Subject: [PATCH 82/84] Update rspamd

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 6b016564..56f8459c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -69,7 +69,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: mailcow/rspamd:1.11
+      image: mailcow/rspamd:1.12
       build: ./data/Dockerfiles/rspamd
       stop_grace_period: 30s
       depends_on:

From 988978b351621bcb2d6f419447d8a1ca2fad80eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Wed, 25 Oct 2017 20:55:11 +0200
Subject: [PATCH 83/84] [Rspamd] Remove log helper and disable fann redis

---
 data/conf/rspamd/local.d/rspamd.conf.local | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/data/conf/rspamd/local.d/rspamd.conf.local b/data/conf/rspamd/local.d/rspamd.conf.local
index 5abebb2a..9f2f8f1d 100644
--- a/data/conf/rspamd/local.d/rspamd.conf.local
+++ b/data/conf/rspamd/local.d/rspamd.conf.local
@@ -1,4 +1 @@
 # rspamd.conf.local
-worker "log_helper" {
-  count = 1;
-}

From db5a3ae47f97ff9bd21e5b0366938131aed80f58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@debinux.de>
Date: Thu, 26 Oct 2017 10:21:12 +0200
Subject: [PATCH 84/84] [Web] Start work on ACL; [Helper] Nextcloud helper
 script

---
 data/web/edit.php              | 17 +++++++++++++++++
 data/web/inc/functions.inc.php | 17 +++++++++++++++++
 data/web/inc/init_db.inc.php   |  3 +--
 data/web/lang/lang.en.php      | 12 ++++++++++--
 data/web/user.php              | 10 ++++------
 helper-scripts/nextcloud.sh    |  4 ++++
 6 files changed, 53 insertions(+), 10 deletions(-)

diff --git a/data/web/edit.php b/data/web/edit.php
index fd6682ff..ea9424e9 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -457,6 +457,23 @@ if (isset($_SESSION['mailcow_cc_role'])) {
               </select>
             </div>
           </div>
+<?php
+$mailbox_acl = get_acl($mailbox);
+?>
+          <div class="form-group">
+            <label class="control-label col-sm-2" for="sender_acl">ACL:</label>
+            <div class="col-sm-10">
+              <select multiple data-width="100%" style="width:100%" >
+                <?php
+                foreach ($mailbox_acl as $key => $val) {
+                ?>
+                <option value="<?=$key;?>" <?=($val == 1) ? 'selected' : null;?>><?=$lang['edit'][$key];?></option>
+                <?php
+                }
+                ?>
+              </select>
+            </div>
+          </div>
           <div class="form-group">
             <label class="control-label col-sm-2" for="password"><?=$lang['edit']['password'];?></label>
             <div class="col-sm-10">
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 817b9c71..79a449eb 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -244,6 +244,23 @@ function set_acl() {
     return false;
   }
 }
+function get_acl($username) {
+	global $pdo;
+	if ($_SESSION['mailcow_cc_role'] != "admin") {
+		return false;
+	}
+  $username = strtolower(trim($username));
+  $stmt = $pdo->prepare("SELECT * FROM `user_acl` WHERE `username` = :username");
+  $stmt->execute(array(':username' => $username));
+  $acl = $stmt->fetch(PDO::FETCH_ASSOC);
+  unset($acl['username']);
+  if (!empty($acl)) {
+    return $acl;
+  }
+  else {
+    return false;
+  }
+}
 function formatBytes($size, $precision = 2) {
 	if(!is_numeric($size)) {
 		return "0";
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index e2d18517..16f3fdf2 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "02102017_0748";
+    $db_version = "25102017_0748";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); 
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -165,7 +165,6 @@ function init_db_schema() {
           "delimiter_action" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "syncjobs" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "eas_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
-          "eas_autoconfig" => "TINYINT(1) NOT NULL DEFAULT '1'"
         ),
         "keys" => array(
           "fkey" => array(
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index 527ded11..c29d8e17 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -141,9 +141,9 @@ $lang['user']['weeks'] = 'Weeks';
 $lang['user']['spamfilter'] = 'Spam filter';
 $lang['admin']['spamfilter'] = 'Spam filter';
 $lang['user']['spamfilter_wl'] = 'Whitelist';
-$lang['user']['spamfilter_wl_desc'] = 'Whitelisted email addresses to <b>never</b> classify as spam. Wildcards maybe used.';
+$lang['user']['spamfilter_wl_desc'] = 'Whitelisted email addresses to <b>never</b> classify as spam. Wildcards may be used.';
 $lang['user']['spamfilter_bl'] = 'Blacklist';
-$lang['user']['spamfilter_bl_desc'] = 'Blacklisted email addresses to <b>always</b> classify as spam and reject. Wildcards maybe used.';
+$lang['user']['spamfilter_bl_desc'] = 'Blacklisted email addresses to <b>always</b> classify as spam and reject. Wildcards may be used.';
 $lang['user']['spamfilter_behavior'] = 'Rating';
 $lang['user']['spamfilter_table_rule'] = 'Rule';
 $lang['user']['spamfilter_table_action'] = 'Action';
@@ -537,3 +537,11 @@ $lang['admin']['remove_row'] = "Remove row";
 $lang['admin']['add_row'] = "Add row";
 $lang['admin']['reset_default'] = "Reset to default";
 $lang['admin']['merged_vars_hint'] = 'Greyed out rows were merged from <code>vars.inc.(local.)php</code> and cannot be modified.';
+
+$lang['edit']['tls_policy'] = "Change TLS policy";
+$lang['edit']['spam_score'] = "Set a custom spam score";
+$lang['edit']['spam_policy'] = "Add or remove items to white-/blacklist";
+$lang['edit']['delimiter_action'] = "Change delimiter action";
+$lang['edit']['syncjobs'] = "Add or change sync jobs";
+$lang['edit']['eas_reset'] = "Reset EAS devices";
+$lang['edit']['spam_alias'] = "Create or change time limited alias addresses";
diff --git a/data/web/user.php b/data/web/user.php
index 0d95790d..50583515 100644
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -268,8 +268,8 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
 		<h4><?=$lang['user']['spamfilter_behavior'];?></h4>
 		<form class="form-horizontal" role="form" data-id="spam_score" method="post">
 			<div class="form-group">
-				<div class="col-sm-12">
-					<input name="spam_score" id="spam_score" type="text" style="width: 100% !important;"
+				<div class="col-lg-6 col-sm-12">
+					<input name="spam_score" id="spam_score" type="text" style="width: 100%;"
 						data-provide="slider"
 						data-slider-min="1"
 						data-slider-max="2000"
@@ -321,14 +321,13 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
           <div class="btn-group">
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_wl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
             <a class="btn btn-sm btn-danger" id="delete_selected" data-id="policy_wl_mailbox" data-api-url='delete/mailbox-policy' href="#"><?=$lang['mailbox']['remove'];?></a></li>
-            </ul>
           </div>
         </div>
         <form class="form-inline" data-id="add_wl_policy_mailbox">
           <div class="input-group">
             <input type="text" class="form-control" name="object_from" id="object_from" placeholder="*@example.org" required>
             <span class="input-group-btn">
-              <button class="btn btn-success" id="add_item" data-id="add_wl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"wl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
+              <button class="btn btn-default" id="add_item" data-id="add_wl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"wl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
             </span>
           </div>
         </form>
@@ -349,7 +348,6 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
           <div class="btn-group">
             <a class="btn btn-sm btn-default" id="toggle_multi_select_all" data-id="policy_bl_mailbox" href="#"><span class="glyphicon glyphicon-check" aria-hidden="true"></span> <?=$lang['mailbox']['toggle_all'];?></a>
             <a class="btn btn-sm btn-danger" id="delete_selected" data-id="policy_bl_mailbox" data-api-url='delete/mailbox-policy' href="#"><?=$lang['mailbox']['remove'];?></a></li>
-            </ul>
           </div>
         </div>
         <form class="form-inline" data-id="add_bl_policy_mailbox">
@@ -358,7 +356,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
             <input type="hidden" name="username" value="<?= $username ;?>">
             <input type="hidden" name="object_list" value="bl">
             <span class="input-group-btn">
-              <button class="btn btn-success" id="add_item" data-id="add_bl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"bl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
+              <button class="btn btn-default" id="add_item" data-id="add_bl_policy_mailbox" data-api-url='add/mailbox-policy' data-api-attr='{"username":"<?= $username; ?>","object_list":"bl"}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['user']['spamfilter_table_add'];?></button>
             </span>
           </div>
         </form>
diff --git a/helper-scripts/nextcloud.sh b/helper-scripts/nextcloud.sh
index b3c23e23..08aa652c 100755
--- a/helper-scripts/nextcloud.sh
+++ b/helper-scripts/nextcloud.sh
@@ -2,6 +2,10 @@
 
 [[ -z ${1} ]] && { echo "No parameters given"; exit 1; }
 
+for bin in curl dirmngr; do
+  if [[ -z $(which ${bin}) ]]; then echo "Cannot find ${bin}, exiting..."; exit 1; fi
+done
+
 while [ "$1" != '' ]; do
   case "${1}" in
     -p|--purge) NC_PURGE=y && shift;;