From 7181ee4658926aea4b746d815627e54ce228534f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9?= <andre.peters@servercow.de>
Date: Thu, 26 Apr 2018 13:51:55 +0200
Subject: [PATCH] [Rspamd] Apply ratelimit against authenticated user instead
 of envelope from [PHP-FPM] Create PHP-FPM listeners 9001 (system) and 9002
 (web), drop 9000 [Rspamd] Parse quarantine messages as utf8 [Rspamd] Use new
 schema for Rspamd bayes hashes and expire them in Redis [SOGo] Change default
 logo [SOGo] Use different keyserver by default in Dockerfile [Rspamd] Add bad
 ASN list (disabled by default) [Watchdog] Change the way we check PHP-FPM,
 change SOGo check [Nginx] Change ports according to new PHP-FPM listeners
 [Update] Fix PHP-FPM ports for existing non-mailcow Nginx sites

---
 data/Dockerfiles/phpfpm/Dockerfile          | 122 ++++++++--------
 data/Dockerfiles/sogo/Dockerfile            |   2 +-
 data/Dockerfiles/sogo/sogo-full.svg         | 154 +++-----------------
 data/Dockerfiles/sogo/theme-blue.js         |  24 +--
 data/Dockerfiles/watchdog/watchdog.sh       |   6 +-
 data/assets/nextcloud/nextcloud.conf        |   7 +-
 data/assets/nextcloud/site.nextcloud.custom |   7 +-
 data/conf/nginx/meta_exporter.conf          |   2 +-
 data/conf/nginx/site.conf                   |  22 ++-
 data/conf/phpfpm/php-fpm.d/pools.conf       |  25 ++++
 data/conf/rspamd/custom/bad_asn.map         |  27 ++++
 data/conf/rspamd/local.d/multimap.conf      |   8 +
 data/conf/rspamd/local.d/statistic.conf     |   2 +
 data/conf/rspamd/lua/rspamd.local.lua       |  12 +-
 data/conf/rspamd/meta_exporter/pipe.php     |   3 +-
 15 files changed, 193 insertions(+), 230 deletions(-)
 create mode 100644 data/conf/phpfpm/php-fpm.d/pools.conf
 create mode 100644 data/conf/rspamd/custom/bad_asn.map

diff --git a/data/Dockerfiles/phpfpm/Dockerfile b/data/Dockerfiles/phpfpm/Dockerfile
index 00681ec2..e1f121a9 100644
--- a/data/Dockerfiles/phpfpm/Dockerfile
+++ b/data/Dockerfiles/phpfpm/Dockerfile
@@ -1,84 +1,78 @@
-FROM php:7.1-fpm-alpine
+FROM php:7.2-fpm-alpine3.7
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
-ENV REDIS_PECL 3.1.6
-ENV MEMCACHED_PECL 3.0.4
-ENV APCU_PECL 5.1.9
+ENV APCU_PECL 5.1.10
 ENV IMAGICK_PECL 3.4.3
 ENV MAILPARSE_PECL 3.0.2
+ENV MEMCACHED_PECL 3.0.4
+ENV REDIS_PECL 3.1.6
 
-RUN apk add -U --no-cache libxml2-dev \
-	icu-dev \
-	imap-dev \
-	libmemcached-dev \
-	cyrus-sasl-dev \
-	pcre-dev \
-	icu-libs \
-	redis \
-	mysql-client \
-	bash \
-	autoconf \
-	g++ \
-	make \
-	openssl \
-	openssl-dev \
-	samba-client \
-	libpng \
-	libpng-dev \
-	libjpeg-turbo-dev \
-	libwebp-dev \
-	zlib-dev \
-	libxpm-dev \
-	c-client \
-  imagemagick-dev \
-  imagemagick \
-  libtool \
+RUN apk add -U --no-cache autoconf \
+  bash \
+  c-client \
+  cyrus-sasl-dev \
   freetype \
-  libpng \
-  libjpeg-turbo \
   freetype-dev \
-  libpng-dev \
-  libjpeg-turbo-dev\
+  g++ \
   gettext-dev \
-  openldap-dev \
+  icu-dev \
+  icu-libs \
+  imagemagick \
+  imagemagick-dev \
+  imap-dev \
+  libjpeg-turbo \
+  libjpeg-turbo-dev \
+  libmemcached-dev \
+  libpng \
+  libpng-dev \
+  libressl \
+  libressl-dev \
   librsvg \
+  libtool \
+  libwebp-dev \
+  libxml2-dev \
+  libxpm-dev \
+  make \
+  mysql-client \
+  openldap-dev \
+  pcre-dev \
+  redis \
+  samba-client \
+  zlib-dev \
   && pear install channel://pear.php.net/Net_IDNA2-0.2.0 \
     channel://pear.php.net/Auth_SASL-1.1.0 \
     Net_IMAP \
     Net_Sieve \
     NET_SMTP \
     Mail_mime \
-	&& pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} imagick-${IMAGICK_PECL} mailparse-${MAILPARSE_PECL} \
-	&& docker-php-ext-enable redis apcu memcached imagick mailparse \
-	&& pecl clear-cache \
-	&& docker-php-ext-configure intl \
+  && pecl install redis-${REDIS_PECL} memcached-${MEMCACHED_PECL} APCu-${APCU_PECL} imagick-${IMAGICK_PECL} mailparse-${MAILPARSE_PECL} \
+  && docker-php-ext-enable apcu imagick mailparse memcached redis \
+  && pecl clear-cache \
+  && docker-php-ext-configure intl \
   && docker-php-ext-configure gd \
-      --with-gd \
-      --enable-gd-native-ttf \
-      --with-freetype-dir=/usr/include/ \
-      --with-png-dir=/usr/include/ \
-      --with-jpeg-dir=/usr/include/ \
-  && docker-php-ext-install -j 4 intl gettext ldap sockets soap pdo pdo_mysql xmlrpc gd zip pcntl opcache \
+    --with-gd \
+    --enable-gd-native-ttf \
+    --with-freetype-dir=/usr/include/ \
+    --with-png-dir=/usr/include/ \
+    --with-jpeg-dir=/usr/include/ \
+  && docker-php-ext-install -j 4 gd gettext intl ldap opcache pcntl pdo pdo_mysql soap sockets xmlrpc zip \
   && docker-php-ext-configure imap --with-imap --with-imap-ssl \
-	&& docker-php-ext-install -j 4 imap \
-	&& apk del --purge autoconf \
-  g++ \
-  make \
-  libxml2-dev \
-  icu-dev \
-  imap-dev \
-  openssl-dev \
-  cyrus-sasl-dev \
-  pcre-dev \
-  libpng-dev \
-  libpng-dev \
-  libjpeg-turbo-dev \
-  libwebp-dev \
-  zlib-dev \
-  imagemagick-dev \
-  freetype-dev \
-  libpng-dev \
-  libjpeg-turbo-dev
+  && docker-php-ext-install -j 4 imap \
+  && apk del --purge autoconf \
+    cyrus-sasl-dev \
+    freetype-dev \
+    g++ \
+    icu-dev \
+    imagemagick-dev \
+    imap-dev \
+    libjpeg-turbo-dev \
+    libpng-dev \
+    libressl-dev \
+    libwebp-dev \
+    libxml2-dev \
+    make \
+    pcre-dev \
+    zlib-dev
 
 COPY ./docker-entrypoint.sh /
 
diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index 5cc94b9b..fd49dd8b 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 RUN mkdir /usr/share/doc/sogo \
 	&& touch /usr/share/doc/sogo/empty.sh \
-	&& apt-key adv --keyserver keys.gnupg.net --recv-key 0x810273C4 \
+	&& apt-key adv --keyserver keyserver.ubuntu.com --recv-key 0x810273C4 \
 	&& echo "deb http://packages.inverse.ca/SOGo/nightly/4/debian/ stretch stretch" > /etc/apt/sources.list.d/sogo.list \
 	&& apt-get update && apt-get install -y --force-yes \
 		sogo \
diff --git a/data/Dockerfiles/sogo/sogo-full.svg b/data/Dockerfiles/sogo/sogo-full.svg
index 72c17214..c22e3010 100644
--- a/data/Dockerfiles/sogo/sogo-full.svg
+++ b/data/Dockerfiles/sogo/sogo-full.svg
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Generator: Adobe Illustrator 17.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<!-- Generator: Adobe Illustrator 16.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
@@ -13,17 +13,17 @@
    id="Layer_1"
    x="0px"
    y="0px"
-   width="392.82242"
-   height="201.049"
-   viewBox="0 0 392.82241 201.049"
-   enable-background="new 0 0 1600 1200"
+   width="640px"
+   height="350px"
+   viewBox="78.712 58.488 640 350"
+   style="enable-background:new 78.712 58.488 640 350;"
    xml:space="preserve"
    inkscape:version="0.91 r13725"
    sodipodi:docname="sogo-full.svg"><metadata
-     id="metadata144"><rdf:RDF><cc:Work
+     id="metadata9"><rdf:RDF><cc:Work
          rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><defs
-     id="defs142" /><sodipodi:namedview
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" /></cc:Work></rdf:RDF></metadata><defs
+     id="defs7" /><sodipodi:namedview
      pagecolor="#ffffff"
      bordercolor="#666666"
      borderopacity="1"
@@ -32,129 +32,17 @@
      guidetolerance="10"
      inkscape:pageopacity="0"
      inkscape:pageshadow="2"
-     inkscape:window-width="1097"
-     inkscape:window-height="1138"
-     id="namedview140"
+     inkscape:window-width="1721"
+     inkscape:window-height="1177"
+     id="namedview5"
      showgrid="false"
-     inkscape:zoom="1.1125147"
-     inkscape:cx="206.04418"
-     inkscape:cy="194.82483"
-     inkscape:window-x="814"
-     inkscape:window-y="0"
-     inkscape:window-maximized="0"
-     inkscape:current-layer="Layer_1"
-     fit-margin-top="0"
-     fit-margin-left="0"
-     fit-margin-right="0"
-     fit-margin-bottom="0"
-     borderlayer="true" /><g
-     id="g3"
-     transform="translate(-630.29057,-557.81)"
-     style="opacity:0.108"><g
-       id="g5"
-       style=""><g
-         id="g7"
-         style=""><g
-           id="email"
-           style=""><path
-             d="m 890.306,557.81 29.26,11.373 0,172.027 c 0,9.753 -7.895,17.649 -17.638,17.649 l -235.998,0 c -9.743,0 -17.638,-7.896 -17.638,-17.649 l 0,-172.026 29.259,-8.937"
-             id="path10"
-             inkscape:connector-curvature="0"
-             style="fill:#4d4d4d" /><path
-             d="M 758.871,656.221 649.49,747.45 c 2.507,6.648 8.901,11.409 16.44,11.409 l 235.998,0 c 7.536,0 13.933,-4.761 16.444,-11.409 l -107.402,-91.229 -52.099,0 z"
-             id="path12"
-             inkscape:connector-curvature="0"
-             style="fill:#999999;fill-opacity:0.89499996" /><g
-             id="g14"
-             style=""><path
-               d="m 810.391,656.686 107.981,90.764 c -0.331,0.881 -0.744,1.726 -1.205,2.536 l 0.028,0.035 c 1.501,-2.596 2.371,-5.594 2.371,-8.81 l 0,-172.004 -109.175,87.479 z"
-               id="path16"
-               inkscape:connector-curvature="0"
-               style="fill:#b3b3b3;fill-opacity:1" /><path
-               d="m 649.49,747.45 108.864,-90.764 -110.061,-87.479 0,172.003 c 0,3.216 0.876,6.214 2.367,8.81 l 0.039,-0.035 c -0.466,-0.809 -0.877,-1.654 -1.209,-2.535 z"
-               id="path18"
-               inkscape:connector-curvature="0"
-               style="fill:#b3b3b3;fill-opacity:1" /></g></g><path
-           d="m 961.81,681.214 c 0,0 -15.232,16.783 -42.244,14.73 l 0,28.14 c 13.328,-5.185 47.061,-20.036 56.854,-40.809 l -14.61,-2.061 z"
-           id="path20"
-           inkscape:connector-curvature="0"
-           style="fill:#666666" /><path
-           d="m 984.594,658.413 c 3.59,-9.156 7.701,-11 9.346,-11.346 -49.276,4.542 -32.99,38.693 -32.99,38.693 0,0 6.229,14.728 26.532,13.892 27.063,0.461 35.631,-50.166 35.631,-50.166 -6.654,11.655 -26.404,9.876 -38.519,8.927 z"
-           id="path22"
-           inkscape:connector-curvature="0"
-           style="fill:#666666" /><path
-           d="m 663.708,566.47 c -57.88068,154.362 -28.94034,77.181 0,0 z"
-           id="path26"
-           inkscape:connector-curvature="0"
-           style="opacity:0.1;fill:#3d5263"
-           sodipodi:nodetypes="cc" /><g
-           id="g28"
-           style=""><g
-             id="g30"
-             style=""><g
-               id="g34"
-               style=""><g
-                 id="g36"
-                 style=""><g
-                   id="g40"
-                   style="" /></g><g
-                 id="g52"
-                 style=""><g
-                   id="g54"
-                   style="" /></g><g
-                 id="g58"
-                 style=""><g
-                   id="g60"
-                   style=""><g
-                     id="g62"
-                     style="" /></g><g
-                   id="g66"
-                   style=""><g
-                     id="g68"
-                     style="" /></g></g><g
-                 id="g72"
-                 style=""><path
-                   d="m 867.815,563.83 c -193.95201,156.122 -96.97601,78.061 0,0 z"
-                   id="path74"
-                   inkscape:connector-curvature="0"
-                   style="fill:#87654a"
-                   sodipodi:nodetypes="cc" /></g><g
-                 id="g76"
-                 style=""><g
-                   id="g78"
-                   style=""><g
-                     id="g80"
-                     style=""><g
-                       id="g82"
-                       style="" /></g></g><g
-                   id="g86"
-                   style=""><g
-                     id="g88"
-                     style=""><g
-                       id="g90"
-                       style="" /></g></g><g
-                   id="g94"
-                   style=""><g
-                     id="g96"
-                     style="" /></g><g
-                   id="g100"
-                   style=""><g
-                     id="g102"
-                     style="" /></g></g></g><path
-               d="m 786.264,672.409 c -139.58468,83.736 -69.79234,41.868 0,0 z"
-               id="path110"
-               inkscape:connector-curvature="0"
-               style="fill:#f1f2f2"
-               sodipodi:nodetypes="cc" /></g><g
-             id="g112"
-             style="" /></g><path
-           d="m 919.566,695.944 c 0,0 7.562,0.712 13.317,-0.502 l 13.013,16.12 c 0,0 -17.639,9.525 -26.33,12.523 l 0,-28.141 z"
-           id="path116"
-           inkscape:connector-curvature="0"
-           style="opacity:0.1;fill:#3d5263" /></g><path
-         d="m 648.292,659.614 0,81.645 c 0,9.72 7.88,17.6 17.6,17.6 l 236.073,0 c 9.72,0 17.6,-7.88 17.6,-17.6 l 0,-24.902 c 10e-4,0 -175.814,35.524 -271.273,-56.743 z"
-         id="path124"
-         inkscape:connector-curvature="0"
-         style="opacity:0.1;fill:#666666" /></g><g
-       id="g126"
-       style="" /></g></svg>
\ No newline at end of file
+     inkscape:zoom="0.59375"
+     inkscape:cx="320"
+     inkscape:cy="175"
+     inkscape:window-x="-8"
+     inkscape:window-y="-8"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="Layer_1" /><path
+     style="fill:#1976d2;fill-opacity:0.71428573"
+     d="M648.541,145.679c-9.947,0-17.009-7.278-17.009-17.048c0-9.777,7.062-17.057,17.009-17.057  c10.024,0,17.086,7.279,17.086,17.057C665.627,138.401,658.565,145.679,648.541,145.679z M648.511,94.893  c-19.693,0-33.679,14.4-33.679,33.738c0,19.33,13.985,33.729,33.679,33.729c19.822,0,33.808-14.4,33.808-33.729  C682.318,109.293,668.333,94.893,648.511,94.893z M648.482,179.843c-29.889,0-51.123-21.868-51.123-51.212  c0-29.353,21.234-51.209,51.123-51.209c30.082,0,51.307,21.856,51.307,51.209C699.789,157.975,678.564,179.843,648.482,179.843z   M648.442,58.488c-40.929,0-69.995,29.946-69.995,70.143c0,40.189,29.066,70.125,69.995,70.125c41.194,0,70.27-29.937,70.27-70.125  C718.712,88.434,689.637,58.488,648.442,58.488z M158.166,183.902l-21.018-5.008c-19.131-4.396-28.849-9.413-28.849-23.21  c0-15.684,15.99-21.965,30.419-21.965c14.667,0,25.382,7.329,31.693,18.737c0.02,0.048,0.051,0.097,0.09,0.157  c0.127,0.247,0.276,0.484,0.403,0.731l0.03-0.02c1.985,3.002,5.323,5.008,8.919,5.008c6.122,0,10.558-4.425,10.558-10.547  c0-2.341-0.504-4.82-1.601-6.688c-10.764-18.302-28.513-26.192-48.838-26.192c-27.594,0-54.262,13.797-54.262,44.218  c0,27.921,27.605,36.079,37.64,38.578l20.069,4.71c15.368,3.763,27.912,8.791,27.912,23.517c0,16.938-17.561,23.943-34.499,23.943  c-17.245,0-30.015-9.37-38.814-22.37h-0.01c-1.956-3-4.988-4.328-8.702-4.328c-5.984,0-10.805,5.185-10.587,11.162  c0.098,2.438,0.909,4.637,2.153,6.405c13.787,20.633,33.728,28.41,55.96,28.41c28.543,0,57.085-13.143,57.085-45.132  C193.918,203.325,178.551,188.613,158.166,183.902z M298.479,250.312c-33.866,0-55.199-25.403-55.199-58.331  c0-32.939,21.333-58.343,55.199-58.343c34.192,0,55.516,25.403,55.516,58.343C353.996,224.91,332.672,250.312,298.479,250.312z   M298.479,114.823c-45.471,0-77.777,32.93-77.777,77.158c0,44.217,32.306,77.146,77.777,77.146  c45.786,0,78.093-32.929,78.093-77.146C376.572,147.753,344.266,114.823,298.479,114.823z M518.715,234.312  c-0.771,0.74-1.549,1.472-2.399,2.175c-1.106,1.014-2.391,2.112-3.854,3.208c-8.829,6.391-19.979,10.094-33.017,10.094  c-33.876,0-55.198-25.402-55.198-58.332c0-32.939,21.322-58.342,55.198-58.342c34.183,0,55.506,25.403,55.506,58.342  C534.951,208.653,529.135,223.774,518.715,234.312z M468.097,317.938c2.528,0,5.146-0.168,7.863-0.504  c5.018-0.631,9.588-0.909,13.729-0.909c19.24,0.109,29.036,5.7,34.943,12.158c5.895,6.499,8.168,15.311,8.158,22.796  c0.01,3.586-0.555,6.795-1.177,8.721c-2.944,8.93-8.888,15.002-17.996,19.576c-9.035,4.484-21.095,6.777-33.707,6.757  c-4.514,0-9.105-0.288-13.639-0.831c-8.573-0.987-19.911-4.671-28.13-11.093c-4.138-3.199-6.458-6.991-8.858-11.485  c-2.379-4.514-2.783-9.748-2.783-16.442v-0.742c0-12.346,4.84-20.544,11.051-26.5c3.07-2.904,5.69-5.064,7.99-6.438  c0.366-0.218,0.438-0.416,0.755-0.593C452.39,316.014,459.684,317.968,468.097,317.938z M479.445,114.301  c-45.471,0-77.786,32.929-77.786,77.157c0,29.887,14.765,54.598,38.378,67.489c-0.314,0.314-0.621,0.641-0.916,0.966  c-6.104,6.687-9.226,15.25-9.236,23.913c-0.008,3.821,0.624,7.741,1.977,11.494c-3.062,1.956-6.717,4.634-10.46,8.147  c-9.026,8.408-18.734,22.541-19.021,42.097c-0.01,0.454-0.01,0.829-0.01,1.118c-0.01,10.071,2.379,19.157,6.459,26.774  c6.133,11.466,15.683,19.445,25.539,24.77c9.917,5.334,20.257,8.166,29.273,9.274c5.373,0.643,10.826,0.988,16.268,0.988  c15.151-0.02,30.261-2.578,43.409-9.019c13.085-6.34,24.333-17.253,29.192-32.562c1.443-4.553,2.212-9.719,2.231-15.428  c-0.02-11.595-3.349-25.759-13.767-37.452c-10.421-11.734-27.654-19.566-51.288-19.459c-5.138,0-10.606,0.356-16.426,1.078  c-1.877,0.227-3.596,0.334-5.166,0.334c-7.239-0.048-10.872-2.053-13.036-4.098c-2.133-2.084-3.2-4.839-3.229-8.058  c-0.01-3.28,1.284-6.727,3.467-9.078c2.231-2.332,5.008-3.91,9.846-3.97c0.436,0,0.9,0.01,1.374,0.05  c3.101,0.216,6.112,0.325,9.037,0.325c24.188,0.047,42.38-7.448,54.756-17.759c12.415-10.312,18.971-22.854,22.071-32.76l-0.04-0.01  c3.37-8.899,5.197-18.715,5.197-29.166C557.539,147.229,525.234,114.301,479.445,114.301z"
+     id="path3" /></svg>
\ No newline at end of file
diff --git a/data/Dockerfiles/sogo/theme-blue.js b/data/Dockerfiles/sogo/theme-blue.js
index 4efbf824..8992bba2 100644
--- a/data/Dockerfiles/sogo/theme-blue.js
+++ b/data/Dockerfiles/sogo/theme-blue.js
@@ -16,16 +16,16 @@
      * Define the Alternative theme
      */
     $mdThemingProvider.theme('mailcow')
-      .primaryPalette('indigo', {
+      .primaryPalette('blue', {
         'default': '700',  // top toolbar
-        'hue-1': '400',
-        'hue-2': '600',    // sidebar toolbar
+        'hue-1': '500',
+        'hue-2': '700',    // sidebar toolbar
         'hue-3': 'A700'
       })
-      .accentPalette('indigo', {
-        'default': '500',  // fab buttons
+      .accentPalette('blue', {
+        'default': '700',  // fab buttons
         'hue-1': '50',     // center list toolbar
-        'hue-2': '400',
+        'hue-2': '600',
         'hue-3': 'A700'
       })
       .backgroundPalette('grey', {
@@ -35,16 +35,16 @@
         'hue-3': '300'
       });
     $mdThemingProvider.theme('default')
-      .primaryPalette('indigo', {
+      .primaryPalette('blue', {
         'default': '700',  // top toolbar
-        'hue-1': '400',
-        'hue-2': '600',    // sidebar toolbar
+        'hue-1': '500',
+        'hue-2': '700',    // sidebar toolbar
         'hue-3': 'A700'
       })
-      .accentPalette('indigo', {
-        'default': '500',  // fab buttons
+      .accentPalette('blue', {
+        'default': '700',  // fab buttons
         'hue-1': '50',     // center list toolbar
-        'hue-2': '400',
+        'hue-2': '600',
         'hue-3': 'A700'
       })
       .backgroundPalette('grey', {
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 39760ec0..c5a274e9 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
@@ -128,7 +128,7 @@ sogo_checks() {
     host_ip=$(get_container_ip sogo-mailcow)
     err_c_cur=${err_count}
     /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /WebServerResources/css/theme-default.css -p 9192 -R md-default-theme 1>&2; err_count=$(( ${err_count} + $? ))
-    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 -R "SOGo\sGroupware" 1>&2; err_count=$(( ${err_count} + $? ))
+    /usr/lib/nagios/plugins/check_http -4 -H ${host_ip} -u /SOGo.index/ -p 20000 -R "SOGo\.MainUI" 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
     progress "SOGo" ${THRESHOLD} $(( ${THRESHOLD} - ${err_count} )) ${diff_c}
@@ -190,8 +190,8 @@ phpfpm_checks() {
   while [ ${err_count} -lt ${THRESHOLD} ]; do
     host_ip=$(get_container_ip php-fpm-mailcow)
     err_c_cur=${err_count}
-    cgi-fcgi -bind -connect ${host_ip}:9000 | grep "Content-type" 1>&2; err_count=$(( ${err_count} + ($? * 2)))
-    cgi-fcgi -bind -connect ${host_ip}:9001 | grep "Content-type" 1>&2; err_count=$(( ${err_count} + ($? * 2)))
+    nc -z ${host_ip} 9001 ; err_count=$(( ${err_count} + ($? * 2)))
+    nc -z ${host_ip} 9002 ; err_count=$(( ${err_count} + ($? * 2)))
     /usr/lib/nagios/plugins/check_ping -4 -H ${host_ip} -w 2000,10% -c 4000,100% -p2 1>&2; err_count=$(( ${err_count} + $? ))
     [ ${err_c_cur} -eq ${err_count} ] && [ ! $((${err_count} - 1)) -lt 0 ] && err_count=$((${err_count} - 1)) diff_c=1
     [ ${err_c_cur} -ne ${err_count} ] && diff_c=$(( ${err_c_cur} - ${err_count} ))
diff --git a/data/assets/nextcloud/nextcloud.conf b/data/assets/nextcloud/nextcloud.conf
index 4759bff2..74ea6a0c 100644
--- a/data/assets/nextcloud/nextcloud.conf
+++ b/data/assets/nextcloud/nextcloud.conf
@@ -82,10 +82,13 @@ server {
     #Avoid sending the security headers twice
     fastcgi_param modHeadersAvailable true;
     fastcgi_param front_controller_active true;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9002;
     fastcgi_intercept_errors on;
     fastcgi_request_buffering off;
-    client_max_body_size 10G;
+    client_max_body_size 0;
+    fastcgi_param PHP_VALUE "max_execution_time = 1200
+                             max_input_time = 1200";
+    fastcgi_read_timeout 1200;
   }
 
   location ~ ^/(?:updater|ocs-provider)(?:$|/) {
diff --git a/data/assets/nextcloud/site.nextcloud.custom b/data/assets/nextcloud/site.nextcloud.custom
index f7d6dae0..41f7348f 100644
--- a/data/assets/nextcloud/site.nextcloud.custom
+++ b/data/assets/nextcloud/site.nextcloud.custom
@@ -16,10 +16,13 @@
       fastcgi_param HTTPS on;
       fastcgi_param modHeadersAvailable true;
       fastcgi_param front_controller_active true;
-      fastcgi_pass phpfpm:9000;
+      fastcgi_pass phpfpm:9002;
       fastcgi_intercept_errors on;
       fastcgi_request_buffering off;
-      client_max_body_size 10G;
+      client_max_body_size 0;
+      fastcgi_param PHP_VALUE "max_execution_time = 1200
+                               max_input_time = 1200";
+      fastcgi_read_timeout 1200;
     }
     location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
diff --git a/data/conf/nginx/meta_exporter.conf b/data/conf/nginx/meta_exporter.conf
index 30369a32..74291b14 100644
--- a/data/conf/nginx/meta_exporter.conf
+++ b/data/conf/nginx/meta_exporter.conf
@@ -10,7 +10,7 @@ server {
     client_max_body_size 10M;
     try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9001;
     fastcgi_index pipe.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 83f913f6..53a48ad6 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -35,7 +35,6 @@ server {
   add_header X-XSS-Protection "1; mode=block";
   add_header X-Robots-Tag none;
   add_header X-Download-Options noopen;
-  add_header X-Frame-Options "SAMEORIGIN";
   add_header X-Permitted-Cross-Domain-Policies none;
 
   index index.php index.html;
@@ -76,7 +75,7 @@ server {
   location ~ \.php$ {
     try_files $uri =404;
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9002;
     fastcgi_index index.php;
     include /etc/nginx/fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
@@ -96,9 +95,22 @@ server {
     expires $expires;
   }
 
+  location /lists/ {
+    proxy_pass       http://mm-web:8000/;
+    proxy_set_header Host      $http_host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_redirect off;
+    expires $expires;
+  }
+
+  location /mm_static {
+    alias /opt/mm_web-data/static;
+  }
+
   location ~* ^/Autodiscover/Autodiscover.xml {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9002;
     include /etc/nginx/fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     try_files /autodiscover.php =404;
@@ -106,7 +118,7 @@ server {
 
   location ~* ^/Autodiscover/Autodiscover.json {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9002;
     include /etc/nginx/fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     try_files /autodiscover-json.php =404;
@@ -114,7 +126,7 @@ server {
 
   location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
     fastcgi_split_path_info ^(.+\.php)(/.+)$;
-    fastcgi_pass phpfpm:9000;
+    fastcgi_pass phpfpm:9002;
     include /etc/nginx/fastcgi_params;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     try_files /autoconfig.php =404;
diff --git a/data/conf/phpfpm/php-fpm.d/pools.conf b/data/conf/phpfpm/php-fpm.d/pools.conf
new file mode 100644
index 00000000..9b7a9646
--- /dev/null
+++ b/data/conf/phpfpm/php-fpm.d/pools.conf
@@ -0,0 +1,25 @@
+[system-worker]
+user = www-data
+group = www-data
+pm = dynamic
+pm.max_children = 15
+pm.start_servers = 2
+pm.min_spare_servers = 2
+pm.max_spare_servers = 4
+listen = [::]:9001
+access.log = /proc/self/fd/2
+clear_env = no
+catch_workers_output = yes
+
+[web-worker]
+user = www-data
+group = www-data
+pm = dynamic
+pm.max_children = 50
+pm.start_servers = 2
+pm.min_spare_servers = 2
+pm.max_spare_servers = 4
+listen = [::]:9002
+access.log = /proc/self/fd/2
+clear_env = no
+catch_workers_output = yes
diff --git a/data/conf/rspamd/custom/bad_asn.map b/data/conf/rspamd/custom/bad_asn.map
new file mode 100644
index 00000000..8b7a4407
--- /dev/null
+++ b/data/conf/rspamd/custom/bad_asn.map
@@ -0,0 +1,27 @@
+# High spam networks, disabled by default
+#201942:5 #Soltia Consulting SL - ipinfo.io
+#16276:5 #OVH
+#12876:5 #ONLINE S.A.S
+#31034:5
+#12874:5
+#30823:5
+#197071:5
+#42831:5 #UK Dedicated Servers Ltd
+#29119:5 #Aire Networks del Mediterraneo S.L.U.
+#13335:5 #Cloudflare
+#28753:5 #Leaseweb
+#61272:5 #Informacines sistemos ir technologijos
+#53755:5 #Input Output Flood LLC
+#29422:5 #FICIX Helsinki
+#62255:4 #Asmunda New Media Ltd
+#14061:4 #Digitalocean
+#55293:4 #A2 Hosting
+#63018:4 #US Dedicated
+#197518:2
+#44493:2
+#46606:2
+#49505:2
+#21100:2
+#197695:2
+#198068:2
+#43146:2
diff --git a/data/conf/rspamd/local.d/multimap.conf b/data/conf/rspamd/local.d/multimap.conf
index 6237f007..d96f6bf8 100644
--- a/data/conf/rspamd/local.d/multimap.conf
+++ b/data/conf/rspamd/local.d/multimap.conf
@@ -27,6 +27,14 @@ KEEP_SPAM {
   action = "accept";
 }
 
+LOCAL_BL_ASN {
+  require_symbols = "!MAILCOW_WHITE";
+  type = "asn";
+  map = "$LOCAL_CONFDIR/custom/bad_asn.map";
+  score = 5;
+  description = "Sender's ASN is on the local blacklist";
+}
+
 #SPOOFED_SENDER {
 #  type = "rcpt";
 #  filter = "email:domain:tld";
diff --git a/data/conf/rspamd/local.d/statistic.conf b/data/conf/rspamd/local.d/statistic.conf
index b66f5018..c8c2cf42 100644
--- a/data/conf/rspamd/local.d/statistic.conf
+++ b/data/conf/rspamd/local.d/statistic.conf
@@ -8,6 +8,8 @@ classifier "bayes" {
     min_tokens = 11;
     min_learns = 20;
     autolearn = [-20, 50];
+    new_schema = true;
+    expiry = 50d;
     per_user = <<EOD
 return function(task)
     local rcpt = task:get_recipients(1)
diff --git a/data/conf/rspamd/lua/rspamd.local.lua b/data/conf/rspamd/lua/rspamd.local.lua
index 5417c3a7..05c5f0b9 100644
--- a/data/conf/rspamd/lua/rspamd.local.lua
+++ b/data/conf/rspamd/lua/rspamd.local.lua
@@ -59,16 +59,16 @@ rspamd_config:register_symbol({
     local redis_params = rspamd_parse_redis_server('dyn_rl')
     local rspamd_logger = require "rspamd_logger"
     local envfrom = task:get_from(1)
-    if not envfrom then
+    local uname = task:get_user():lower()
+    if not envfrom or not uname then
       return false
     end
     local env_from_domain = envfrom[1].domain:lower() -- get smtp from domain in lower case
-    local env_from_addr = envfrom[1].addr:lower() -- get smtp from addr in lower case
 
     local function redis_cb_user(err, data)
 
       if err or type(data) ~= 'string' then
-        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", env_from_addr, data, err)
+        rspamd_logger.infox(rspamd_config, "dynamic ratelimit request for user %s returned invalid or empty data (\"%s\") or error (\"%s\") - trying dynamic ratelimit for domain...", uname, data, err)
 
         local function redis_key_cb_domain(err, data)
           if err or type(data) ~= 'string' then
@@ -91,7 +91,7 @@ rspamd_config:register_symbol({
           rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for domain")
         end
       else
-        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", env_from_addr, data)
+        rspamd_logger.infox(rspamd_config, "found dynamic ratelimit in redis for user %s with value %s", uname, data)
         task:insert_result('DYN_RL', 0.0, data)
       end
 
@@ -99,11 +99,11 @@ rspamd_config:register_symbol({
 
     local redis_ret_user = rspamd_redis_make_request(task,
       redis_params, -- connect params
-      env_from_addr, -- hash key
+      uname, -- hash key
       false, -- is write
       redis_cb_user, --callback
       'HGET', -- command
-      {'RL_VALUE', env_from_addr} -- arguments
+      {'RL_VALUE', uname} -- arguments
     )
     if not redis_ret_user then
       rspamd_logger.infox(rspamd_config, "cannot make request to load ratelimit for user")
diff --git a/data/conf/rspamd/meta_exporter/pipe.php b/data/conf/rspamd/meta_exporter/pipe.php
index 5c9026af..7064b7b8 100644
--- a/data/conf/rspamd/meta_exporter/pipe.php
+++ b/data/conf/rspamd/meta_exporter/pipe.php
@@ -44,7 +44,8 @@ if (!function_exists('getallheaders'))  {
   }
 }
 
-$raw_data = file_get_contents('php://input');
+$raw_data_content = file_get_contents('php://input');
+$raw_data = mb_convert_encoding($raw_data_content, 'HTML-ENTITIES', "UTF-8");
 $headers = getallheaders();
 
 $qid      = $headers['X-Rspamd-Qid'];