From 96ed94dedde26cf914f6a665ac0b74cce6248e14 Mon Sep 17 00:00:00 2001
From: Michael Kuron <mkuron@users.noreply.github.com>
Date: Sun, 2 Jul 2017 13:44:05 +0200
Subject: [PATCH 01/26] Client configuration guides

- iOS mobileconfig generator
- non-443 HTTPS ports in autoconfig etc.
- disabling POP service via SRV record
- fix display name in Outlook IMAP autodiscover
- allow multiple calls to TLSA generator and support Sieve STARTTLS
---
 data/Dockerfiles/sogo/Dockerfile              |   1 +
 data/web/autoconfig.php                       |  47 +++--
 data/web/autodiscover.php                     |  54 ++---
 data/web/clientconfig.php                     | 185 ++++++++++++++++++
 data/web/inc/functions.inc.php                |  24 ++-
 data/web/inc/vars.inc.php                     |  27 ++-
 data/web/lang/lang.de.php                     |   1 +
 data/web/lang/lang.en.php                     |   1 +
 data/web/mobileconfig.php                     | 167 ++++++++++++++++
 data/web/thunderbird-plugins/build-plugins.sh |   6 +-
 data/web/user.php                             |   1 +
 docker-compose.yml                            |   2 +-
 12 files changed, 460 insertions(+), 56 deletions(-)
 create mode 100644 data/web/clientconfig.php
 create mode 100644 data/web/mobileconfig.php

diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index a3a1308d..b9db3c1c 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -8,6 +8,7 @@ ENV GOSU_VERSION 1.9
 # Prerequisites
 RUN apt-get update && apt-get install -y --no-install-recommends \
 		apt-transport-https \
+		bind9-host \
 		ca-certificates \
 		cron \
 		gnupg \
diff --git a/data/web/autoconfig.php b/data/web/autoconfig.php
index d01bc724..523d6183 100644
--- a/data/web/autoconfig.php
+++ b/data/web/autoconfig.php
@@ -5,6 +5,16 @@ if (empty($mailcow_hostname)) {
   exit();
 }
 
+$domain_dot = strpos($_SERVER['HTTP_HOST'], '.');
+$domain_port = strpos($_SERVER['HTTP_HOST'], ':');
+if ($domain_port === FALSE) {
+  $domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1);
+  $port = 443;
+} else {
+  $domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1, $domain_port-$domain_dot-1);
+  $port = substr($_SERVER['HTTP_HOST'], $domain_port+1);
+}
+
 header('Content-Type: application/xml');
 ?>
 <?= '<?xml version="1.0"?>'; ?>
@@ -15,52 +25,59 @@ header('Content-Type: application/xml');
       <displayShortName>mail server</displayShortName>
 
       <incomingServer type="imap">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>993</port>
+         <hostname><?= $autodiscover_config['imap']['server']; ?></hostname>
+         <port><?= $autodiscover_config['imap']['port']; ?></port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
       <incomingServer type="imap">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>143</port>
+         <hostname><?= $autodiscover_config['imap']['server']; ?></hostname>
+         <port><?= $autodiscover_config['imap']['tlsport']; ?></port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
 
+<?php
+$records = dns_get_record('_pop3s._tcp.' . $domain, DNS_SRV); // check if POP3 is announced as "not provided" via SRV record
+if (count($records) == 0 || $records[0]['target'] != '') { ?>
       <incomingServer type="pop3">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>995</port>
+         <hostname><?= $autodiscover_config['pop3']['server']; ?></hostname>
+         <port><?= $autodiscover_config['pop3']['port']; ?></port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
+<?php } ?>
+<?php
+$records = dns_get_record('_pop3._tcp.' . $domain, DNS_SRV); // check if POP3 is announced as "not provided" via SRV record
+if (count($records) == 0 || $records[0]['target'] != '') { ?>
       <incomingServer type="pop3">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>110</port>
+         <hostname><?= $autodiscover_config['pop3']['server']; ?></hostname>
+         <port><?= $autodiscover_config['pop3']['tlsport']; ?></port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
+<?php } ?>
 
       <outgoingServer type="smtp">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>465</port>
+         <hostname><?= $autodiscover_config['smtp']['server']; ?></hostname>
+         <port><?= $autodiscover_config['smtp']['port']; ?></port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </outgoingServer>
-
       <outgoingServer type="smtp">
-         <hostname><?= $mailcow_hostname; ?></hostname>
-         <port>587</port>
+         <hostname><?= $autodiscover_config['smtp']['server']; ?></hostname>
+         <port><?= $autodiscover_config['smtp']['tlsport']; ?></port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </outgoingServer>
 
-      <enable visiturl="https://<?= $mailcow_hostname; ?>/admin.php">
+      <enable visiturl="https://<?= $mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/admin.php">
          <instruction>If you didn't change the password given to you by the administrator or if you didn't change it in a long time, please consider doing that now.</instruction>
          <instruction lang="de">Sollten Sie das Ihnen durch den Administrator vergebene Passwort noch nicht geändert haben, empfehlen wir dies nun zu tun. Auch ein altes Passwort sollte aus Sicherheitsgründen geändert werden.</instruction>
       </enable>
@@ -68,6 +85,6 @@ header('Content-Type: application/xml');
     </emailProvider>
 
     <webMail>
-      <loginPage url="https://<?= $mailcow_hostname; ?>/SOGo/" />
+      <loginPage url="https://<?= $mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/SOGo/" />
     </webMail>
 </clientConfig>
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index fd8cd641..7f6081ae 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -12,13 +12,14 @@ error_reporting(0);
 $data = trim(file_get_contents("php://input"));
 
 // Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
-if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client
+if (strpos($data, 'autodiscover/outlook/responseschema') !== false) { // desktop client
   $configuration['autodiscoverType'] = 'imap';
   if ($configuration['useEASforOutlook'] == 'yes' &&
-  // Office for macOS does not support EAS
-  strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
-  // Outlook 2013 (version 15) or higher
-  preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) {
+    // Office for macOS does not support EAS
+    strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
+    // Outlook 2013 (version 15) or higher
+    preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])
+  ) {
     $configuration['autodiscoverType'] = 'activesync';
   }
 }
@@ -60,8 +61,28 @@ else {
 <?php
         exit(0);
       }
-      $discover = new SimpleXMLElement($data);
-      $email = $discover->Request->EMailAddress;
+      try {
+        $discover = new SimpleXMLElement($data);
+        $email = $discover->Request->EMailAddress;
+      } catch (Exception $e) {
+        $email = $_SERVER['PHP_AUTH_USER'];
+      }
+
+      $username = trim($email);
+      try {
+        $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
+        $stmt->execute(array(':username' => $username));
+        $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
+      }
+      catch(PDOException $e) {
+        die("Failed to determine name from SQL");
+      }
+      if (!empty($MailboxData['name'])) {
+        $displayname = utf8_encode($MailboxData['name']);
+      }
+      else {
+        $displayname = $email;
+      }
 
       if ($configuration['autodiscoverType'] == 'imap') {
 ?>
@@ -96,13 +117,13 @@ else {
       </Protocol>
       <Protocol>
         <Type>CalDAV</Type>
-        <Server><?=$configuration['caldav']['server'];?>/SOGo/dav/<?=$email;?>/Calendar</Server>
+        <Server>https://<?=$configuration['caldav']['server'];?><?php if ($configuration['caldav']['port'] != 443) echo ':'.$configuration['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/Calendar</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
       <Protocol>
         <Type>CardDAV</Type>
-        <Server><?=$configuration['carddav']['server'];?>/SOGo/dav/<?=$email;?>/Contacts</Server>
+        <Server>https://<?=$configuration['carddav']['server'];?><?php if ($configuration['caldav']['port'] != 443) echo ':'.$configuration['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/Contacts</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
@@ -111,21 +132,6 @@ else {
 <?php
       }
       else if ($configuration['autodiscoverType'] == 'activesync') {
-        $username = trim($email);
-        try {
-          $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
-          $stmt->execute(array(':username' => $username));
-          $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
-        }
-        catch(PDOException $e) {
-          die("Failed to determine name from SQL");
-        }
-        if (!empty($MailboxData['name'])) {
-          $displayname = utf8_encode($MailboxData['name']);
-        }
-        else {
-          $displayname = $email;
-        }
 ?>
   <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
     <Culture>en:en</Culture>
diff --git a/data/web/clientconfig.php b/data/web/clientconfig.php
new file mode 100644
index 00000000..68722a89
--- /dev/null
+++ b/data/web/clientconfig.php
@@ -0,0 +1,185 @@
+<?php
+require_once 'inc/prerequisites.inc.php';
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "user") {
+require_once("inc/header.inc.php");
+
+if (file_exists('thunderbird-plugins/version.csv'))
+{
+  $fh = fopen('thunderbird-plugins/version.csv', 'r');
+  if ($fh)
+  {
+    while (($row = fgetcsv($fh, 1000, ';')) !== FALSE)
+    {
+      if ($row[0] == 'sogo-integrator@inverse.ca') {
+        $integrator_file = $row[2];
+      }
+    }
+    fclose($fh);
+  }
+}
+
+$email = $_SESSION['mailcow_cc_username'];
+$domain = explode('@', $_SESSION['mailcow_cc_username'])[1];
+
+$username = trim($email);
+try {
+  $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
+  $stmt->execute(array(':username' => $username));
+  $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
+}
+catch(PDOException $e) {
+  die("Failed to determine name from SQL");
+}
+if (!empty($MailboxData['name'])) {
+  $displayname = utf8_encode($MailboxData['name']);
+}
+else {
+  $displayname = $email;
+}
+?>
+<div class="container">
+  <h2>Client Configuration Guide</h2>
+  <p>Select your email client or operating system below to view a step-by-step guide to setting up your email account.</p>
+  
+  <h3><a href="#" onclick="document.getElementById('client_apple').style.display = 'block'">Apple macOS / iOS</a></h3>
+  <div  id="client_apple" style="display: none">
+    <ol>
+      <li>Download and open <a href="mobileconfig.php">Mailcow.mobileconfig</a>.</li>
+      <li>Enter the unlock code (iPhone) or computer password (Mac).</li>
+      <li>Enter your email password three times when prompted.</li>
+    </ol>
+    <p>On iOS, Exchange is also supported as an alternative to the procedure above. It has the advantage of supporting push email (i.e. you are immediately notified of incoming messages), but has some limitations, e.g. it does not support more than three email addresses per contact in your address book. Follow the steps below if you decide to use Exchange instead.</p>
+    <ol>
+      <li>Open the <em>Settings</em> app, tap <em>Mail</em>, tap <em>Accounts</em>, tap <em>Add Acccount</em>, select <em>Exchange</em>.</li>
+      <li>Enter your email address (<code><?php echo $email; ?></code>) and tap <em>Next</em>.</li>
+      <li>Enter your password, tap <em>Next</em> again.</li>
+      <li>Finally, tap <em>Save</em>.</li>
+    </ol>
+  </div>
+  
+  <h3><a href="#" onclick="document.getElementById('client_android').style.display = 'block'">Android</a></h3>
+  <ol id="client_android" style="display: none">
+    <li>Open the <em>Email</em> app.</li>
+    <li>If this is your first email account, tap <em>Add Account</em>; if not, tap <em>More</em> and <em>Settings</em> and then <em>Add account</em>.</li>
+    <li>Select <em>Microsoft Exchange ActiveSync</em>.</li>
+    <li>Enter your email address (<code><?php echo $email; ?></code>) and password.</li>
+    <li>Tap <em>Sign in</em>.</li>
+  </ol>
+  
+  <h3><a href="#" onclick="document.getElementById('client_emclient').style.display = 'block'">eM Client</a></h3>
+  <ol id="client_emclient" style="display: none">
+    <li>Launch eM Client.</li>
+    <li>If this is the first time you launched eM Client, it asks you to set up your account. Proceed to step 4.</li>
+    <li>Go to <em>Menu</em> at the top, select <em>Tools</em> and <em>Accounts</em>.</li>
+    <li>Enter your email address (<code><?php echo $email; ?></code>) and click <em>Start Now</em>.</li>
+    <li>Enter your password and click <em>Continue</em>.</li>
+    <li>Enter your name (<code><?php echo $displayname; ?></code>) and click <em>Next</em>.</li>
+    <li>Click <em>Finish</em>.</li>
+  </ol>
+  
+  <h3><a href="#" onclick="document.getElementById('client_kontact').style.display = 'block'">KDE Kontact</a></h3>
+  <div id="client_kontact" style="display: none">
+    <ol>
+      <li>Launch Kontact.</li>
+      <li>If this is the first time you launched Kontact or KMail, it asks you to set up your account. Proceed to step 4.</li>
+      <li>Go to <em>Mail</em> in the sidebar. Go to the <em>Tools</em> menu and select <em>Account Wizard</em>.</li>
+      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
+      <li>Click <em>Create Account</em>. If prompted, re-enter your password and click <em>OK</em>.</li>
+      <li>Close the window by clicking <em>Finish</em>.</li>
+      <li>Go to <em>Calendar</em> in the sidebar.</li>
+      <li>Go to the <em>Settings</em> menu and select <em>Configure KOrganizer</em>.</li>
+      <li>Go to the <em>Calendars</em> tab and click the <em>Add</em> button.</li>
+      <li>Choose <em>DAV groupware resource</em> and click <em>OK</em>.</li>
+      <li>Enter your email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
+      <li>Select <em>ScalableOGo</em> from the dropdown menu and click <em>Next</em>.</li>
+      <li>Enter <code><?= $autodiscover_config['caldav']['server']; ?></code> into the <em>Host</em> field and click <em>Next</em>.</li>
+      <li>Click <em>Test Connection</em> and then <em>Finish</em>. Finally, click <em>OK</em> twice.</li>
+    </ol>
+    <p>Once you have set up Kontact, you can also use KMail, KOrganizer and KAddressBook individually.</p>
+  </div>
+  
+  <h3><a href="#" onclick="document.getElementById('client_outlook').style.display = 'block'">Microsoft Outlook</a></h3>
+  <div id="client_outlook" style="display: none">
+<?php if ($autodiscover_config['useEASforOutlook'] == 'yes') { ?>
+    <h4>Outlook 2013 or higher on Windows</h4>
+    <ol>
+      <li>Launch Outlook.</li>
+      <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 4.</li>
+      <li>Go to the <em>File</em> menu and click <em>Add Account</em>.</li>
+      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
+      <li>When prompted, enter your password again, check <em>Remember my credentials</em> and click <em>OK</em>.</li>
+      <li>Click the <em>Allow</em> button.</li>
+      <li>Click <em>Finish</em>.</li>
+    </ol>
+    <h4>Outlook 2007 or 2010 on Windows</h4>
+<?php } else { ?>
+    <h4>Outlook 2007 or higher on Windows</h4>
+<?php } ?>
+    <ol>
+      <li>Download and install <a href="https://caldavsynchronizer.org" target="_blank">Outlook CalDav Synchronizer</a>.</li>
+      <li>Launch Outlook.</li>
+      <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 5.</li>
+      <li>Go to the <em>File</em> menu and click <em>Add Account</em>.</li>
+      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
+      <li>Click <em>Finish</em>.</li>
+      <li>Go to the <em>CalDav Synchronizer</em> ribbon, click <em>Synchronization Profiles</em>.</li>
+      <li>Click the second button at top (<em>Add multiple profiles</em>), select <em>Sogo</em>, click <em>Ok</em>.</li>
+      <li>Click the <em>Get IMAP/POP3 account settings</em> button.</li>
+      <li>Click <em>Discover resources and assign to Outlook folders</em>.</li>
+      <li>In the <em>Select Resource</em> window that pops up, select your main calendar (usually <em>Personal Calendar</em>), click the <em>...</em> button, assign it to <em>Calendar</em>, and click <em>OK</em>. Go to the <em>Address Books</em> and <em>Tasks</em> tabs and repeat repeat the process accordingly. Do not assign multiple calendars, address books or task lists!</li>
+      <li>Close all windows with the <em>OK</em> buttons.</li>
+    </ol>
+    <h4>Outlook 2011 or higher on macOS</h4>
+    <p>The Mac version of Outlook does not synchronize calendars and contacts and therefore is not supported.</p>
+  </div>
+  
+  <h3><a href="#" onclick="document.getElementById('client_thunderbird').style.display = 'block'">Mozilla Thunderbird</a></h3>
+  <div id="client_thunderbird" style="display: none">
+    <ol>
+      <li>Launch Thunderbird.</li>
+      <li>If this is the first time you launched Thunderbird, it asks you whether you would like a new email address. Click <em>Skip this and use my existing email</em> and proceed to step 4.</li>
+      <li>Go to the <em>Tools</em> menu and select <em>Account Settings</em>.</li>
+      <li>Click the <em>Account Actions</em> dropdown menu at the bottom left and select <em>Add Mail Account</em>.</li>
+      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Make sure the <em>Remember password</em> checkbox is selected and click <em>Continue</em>.</li>
+      <li>Once the configuration has been automatically detected, click <em>Done</em>.</li>
+      <li>If you already had other accounts configured in Thunderbird, select the new one (<?php echo $email; ?>) on the left, click the <em>Account Actions</em> dropdown and select <em>Set as Default</em>.</li>
+      <li>Close the account settings window with the <em>OK</em> button.</li>
+      <li>In your web browser, download <a href="thunderbird-plugins/<?php echo str_replace('__DOMAIN__', $domain, $integrator_file); ?>">SOGo Integrator</a>.</li>
+      <li>Back in Thunderbird, go to the <em>Tools</em> menu and select <em>Add-ons</em>.</li>
+      <li>Click <em>Extensions</em> on the left, click the little gear icon at the top and select <em>Install Add-on From File</em>. Select the file you downloaded in step 9, click <em>Open</em> and, after waiting for a few seconds, <em>Install Now</em>.</li>
+      <li>Click the <em>Restart Now</em> button at the top that appears.</li>
+      <li>Thunderbird briefly shows a message that it is updating extensions, then restarts automatically once more.</li>
+      <li>When you are prompted to authenticate for <?= $autodiscover_config['caldav']['server']; ?>, enter your email address and password, check <em>Use Password Manager</em> and click <em>OK</em>.</li>
+    </ol>
+  </div>
+  
+  <h3><a href="#" onclick="document.getElementById('client_windows').style.display = 'block'">Windows</a></h3>
+  <div id="client_windows" style="display: none">
+    <ol>
+    <li>Open the <em>Mail</em> app.</li>
+    <li>If you have not previously used Mail, you can click <em>Add Account</em> in the main window. Proceed to step 4.</li>
+    <li>Click <em>Accounts</em> in the sidebar on the left, then click <em>Add Account</em> on the far right.</li>
+    <li>Select <em>Exchange</em>.</li>
+    <li>Enter your email address (<code><?php echo $email; ?></code>) and click Next.</li>
+    <li>Enter your password and click <em>Log in</em>.</li>
+    </ol>
+    <p>Once you have set up the Mail app, you can also use the People and Calendar apps.</p>
+  </div>
+  
+  <h3><a href="#" onclick="document.getElementById('client_windowsphone').style.display = 'block'">Windows Phone</a></h3>
+  <ol id="client_windowsphone" style="display: none">
+    <li>Open the <em>Settings</em> app. Select <em>email + accounts</em> and tap <em>add an account</em>.</li>
+    <li>Tap Exchange.</li>
+    <li>Enter your email address (<code><?php echo $email; ?></code>) and your password. Tap <em>Sign in</em>.</li>
+    <li>Tap <em>done</em>.</li>
+  </ol>
+</div>
+
+<?php
+require_once("inc/footer.inc.php");
+} else {
+  header('Location: index.php');
+  exit();
+}
+?>
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 8e7b7cfd..ffca2bea 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -62,17 +62,17 @@ function hasMailboxObjectAccess($username, $role, $object) {
 	}
 	return false;
 }
+function pem_to_der($pem_key) {
+  // Need to remove BEGIN/END PUBLIC KEY
+  $lines = explode("\n", trim($pem_key));
+  unset($lines[count($lines)-1]);
+  unset($lines[0]);
+  return base64_decode(implode('', $lines));
+}
 function generate_tlsa_digest($hostname, $port, $starttls = null) {
   if (!is_valid_domain_name($hostname)) {
     return "Not a valid hostname";
   }
-  function pem_to_der($pem_key) {
-    // Need to remove BEGIN/END PUBLIC KEY
-    $lines = explode("\n", trim($pem_key));
-    unset($lines[count($lines)-1]);
-    unset($lines[0]);
-    return base64_decode(implode('', $lines));
-  }
 
   if (empty($starttls)) {
     $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'allow_self_signed' => true)));
@@ -88,20 +88,24 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
       return $error_nr . ': ' . $error_msg;
     }
     $banner = fread($stream, 512 );
-    if (preg_match("/^220/i", $banner)) {
+    if (preg_match("/^220/i", $banner)) { // SMTP
       fwrite($stream,"HELO tlsa.generator.local\r\n");
       fread($stream, 512);
       fwrite($stream,"STARTTLS\r\n");
       fread($stream, 512);
     }
-    elseif (preg_match("/imap.+starttls/i", $banner)) {
+    elseif (preg_match("/imap.+starttls/i", $banner)) { // IMAP
       fwrite($stream,"A1 STARTTLS\r\n");
       fread($stream, 512);
     }
-    elseif (preg_match("/^\+OK/", $banner)) {
+    elseif (preg_match("/^\+OK/", $banner)) { // POP3
       fwrite($stream,"STLS\r\n");
       fread($stream, 512);
     }
+    elseif (preg_match("/^OK/m", $banner)) { // Sieve
+      fwrite($stream,"STARTTLS\r\n");
+      fread($stream, 512);
+    }
     else {
       return 'Unknown banner: "' . htmlspecialchars(trim($banner)) . '"';
     }
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index a52442db..05ef25dd 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -18,31 +18,48 @@ $database_name = getenv('DBNAME');
 $mailcow_hostname = getenv('MAILCOW_HOSTNAME');
 
 // Autodiscover settings
+$https_port = strpos($_SERVER['HTTP_HOST'], ':');
+if ($https_port === FALSE) {
+  $https_port = 443;
+} else {
+  $https_port = substr($_SERVER['HTTP_HOST'], $https_port+1);
+}
 $autodiscover_config = array(
   // Enable the autodiscover service for Outlook desktop clients
   'useEASforOutlook' => 'yes',
   // General autodiscover service type: "activesync" or "imap"
   'autodiscoverType' => 'activesync',
-  // Please don't use STARTTLS-enabled service ports here.
+  // Please don't use STARTTLS-enabled service ports in the "port" variable.
   // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
+  // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.
   'imap' => array(
     'server' => $mailcow_hostname,
     'port' => getenv('IMAPS_PORT'),
+    'tlsport' => getenv('IMAP_PORT'),
+  ),
+  'pop3' => array(
+    'server' => $mailcow_hostname,
+    'port' => getenv('POPS_PORT'),
+    'tlsport' => getenv('POP_PORT'),
   ),
   'smtp' => array(
     'server' => $mailcow_hostname,
     'port' => getenv('SMTPS_PORT'),
+    'tlsport' => getenv('SUBMISSION_PORT'),
   ),
   'activesync' => array(
-    'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync'
+    'url' => 'https://'.$mailcow_hostname.($https_port == 443 ? '' : ':'.$https_port).'/Microsoft-Server-ActiveSync',
   ),
   'caldav' => array(
-    'url' => 'https://'.$mailcow_hostname
+    'server' => $mailcow_hostname,
+    'port' => $https_port,
   ),
   'carddav' => array(
-    'url' => 'https://'.$mailcow_hostname
-  )
+    'server' => $mailcow_hostname,
+    'port' => $https_port,
+  ),
 );
+unset($https_port);
 
 // Where to go after adding and editing objects
 // Can be "form" or "previous"
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index eef13b3f..8706e4ba 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -108,6 +108,7 @@ $lang['user']['user_settings'] = 'Benutzereinstellungen';
 $lang['user']['mailbox_settings'] = 'Mailbox-Einstellungen';
 $lang['user']['mailbox_details'] = 'Mailbox-Details';
 $lang['user']['change_password'] = 'Passwort ändern';
+$lang['user']['client_configuration'] = 'Konfigurationsanleitungen für E-Mail-Programme und Smartphones anzeigen';
 $lang['user']['new_password'] = 'Neues Passwort';
 $lang['user']['save_changes'] = 'Änderungen speichern';
 $lang['user']['password_now'] = 'Aktuelles Passwort (Änderungen bestätigen)';
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index 3be72fec..fceef80f 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -110,6 +110,7 @@ $lang['user']['user_settings'] = 'User settings';
 $lang['user']['mailbox_settings'] = 'Mailbox settings';
 $lang['user']['mailbox_details'] = 'Mailbox details';
 $lang['user']['change_password'] = 'Change password';
+$lang['user']['client_configuration'] = 'Show configuration guides for email clients and smartphones';
 $lang['user']['new_password'] = 'New password';
 $lang['user']['save_changes'] = 'Save changes';
 $lang['user']['password_now'] = 'Current password (confirm changes)';
diff --git a/data/web/mobileconfig.php b/data/web/mobileconfig.php
new file mode 100644
index 00000000..198fa4d7
--- /dev/null
+++ b/data/web/mobileconfig.php
@@ -0,0 +1,167 @@
+<?php
+require_once 'inc/prerequisites.inc.php';
+
+if (empty($mailcow_hostname)) {
+  exit();
+}
+if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != 'user') {
+  header("Location: index.php");
+  die("This page is only available to logged-in users, not admins.");
+}
+
+header('Content-Type: application/x-apple-aspen-config');
+header('Content-Disposition: attachment; filename="Mailcow.mobileconfig"');
+
+$email = $_SESSION['mailcow_cc_username'];
+$domain = explode('@', $_SESSION['mailcow_cc_username'])[1];
+$identifier = implode('.', array_reverse(explode('.', $domain))) . '.iphoneprofile.mailcow';
+
+try {
+  $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
+  $stmt->execute(array(':username' => $email));
+  $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
+}
+catch(PDOException $e) {
+  die("Failed to determine name from SQL");
+}
+if (!empty($MailboxData['name'])) {
+  $displayname = utf8_encode($MailboxData['name']);
+}
+else {
+  $displayname = $email;
+}
+
+echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
+?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>PayloadContent</key>
+	<array>
+		<dict>
+			<key>CalDAVAccountDescription</key>
+			<string><?php echo $domain; ?></string>
+			<key>CalDAVHostName</key>
+			<string><?php echo $autodiscover_config['caldav']['server']; ?></string>
+			<key>CalDAVPort</key>
+			<real><?php echo $autodiscover_config['caldav']['port']; ?></real>
+			<key>CalDAVPrincipalURL</key>
+			<string>/SOGo/dav/<?php echo $email; ?></string>
+			<key>CalDAVUseSSL</key>
+			<true/>
+			<key>CalDAVUsername</key>
+			<string><?php echo $email; ?></string>
+			<key>PayloadDescription</key>
+			<string>Configures CalDAV account.</string>
+			<key>PayloadDisplayName</key>
+			<string>CalDAV (<?php echo $domain; ?>)</string>
+			<key>PayloadIdentifier</key>
+			<string><?php echo $identifier; ?>.CalDAV</string>
+			<key>PayloadOrganization</key>
+			<string></string>
+			<key>PayloadType</key>
+			<string>com.apple.caldav.account</string>
+			<key>PayloadUUID</key>
+			<string>FC898573-EBA8-48AF-93BD-BFA0C9778FA7</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+		<dict>
+			<key>EmailAccountDescription</key>
+			<string><?php echo $domain; ?></string>
+			<key>EmailAccountType</key>
+			<string>EmailTypeIMAP</string>
+			<key>EmailAccountName</key>
+			<string><?php echo $displayname; ?></string>
+			<key>EmailAddress</key>
+			<string><?php echo $email; ?></string>
+			<key>IncomingMailServerAuthentication</key>
+			<string>EmailAuthPassword</string>
+			<key>IncomingMailServerHostName</key>
+			<string><?php echo $autodiscover_config['imap']['server']; ?></string>
+			<key>IncomingMailServerPortNumber</key>
+			<integer><?php echo $autodiscover_config['imap']['port']; ?></integer>
+			<key>IncomingMailServerUseSSL</key>
+			<true/>
+			<key>IncomingMailServerUsername</key>
+			<string><?php echo $email; ?></string>
+			<key>OutgoingMailServerAuthentication</key>
+			<string>EmailAuthPassword</string>
+			<key>OutgoingMailServerHostName</key>
+			<string><?php echo $autodiscover_config['smtp']['server']; ?></string>
+			<key>OutgoingMailServerPortNumber</key>
+			<integer><?php echo $autodiscover_config['smtp']['port']; ?></integer>
+			<key>OutgoingMailServerUseSSL</key>
+			<true/>
+			<key>OutgoingMailServerUsername</key>
+			<string><?php echo $email; ?></string>
+			<key>OutgoingPasswordSameAsIncomingPassword</key>
+			<true/>
+			<key>PayloadDescription</key>
+			<string>Configures email account.</string>
+			<key>PayloadDisplayName</key>
+			<string>IMAP Account (<?php echo $domain; ?>)</string>
+			<key>PayloadIdentifier</key>
+			<string><?php echo $identifier; ?>.email</string>
+			<key>PayloadOrganization</key>
+			<string></string>
+			<key>PayloadType</key>
+			<string>com.apple.mail.managed</string>
+			<key>PayloadUUID</key>
+			<string>00294FBB-1016-413E-87B9-652D856D6875</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+			<key>PreventAppSheet</key>
+			<false/>
+			<key>PreventMove</key>
+			<false/>
+			<key>SMIMEEnabled</key>
+			<false/>
+		</dict>
+		<dict>
+			<key>CardDAVAccountDescription</key>
+			<string><?php echo $domain; ?></string>
+			<key>CardDAVHostName</key>
+			<string><?php echo $autodiscover_config['carddav']['server']; ?></string>
+			<key>CardDAVPort</key>
+			<integer><?php echo $autodiscover_config['carddav']['port']; ?></integer>
+			<key>CardDAVPrincipalURL</key>
+			<string>/SOGo/dav/<?php echo $email; ?></string>
+			<key>CardDAVUseSSL</key>
+			<true/>
+			<key>CardDAVUsername</key>
+			<string><?php echo $email; ?></string>
+			<key>PayloadDescription</key>
+			<string>Configures CardDAV accounts</string>
+			<key>PayloadDisplayName</key>
+			<string>CardDAV (<?php echo $domain; ?>)</string>
+			<key>PayloadIdentifier</key>
+			<string><?php echo $identifier; ?>.carddav</string>
+			<key>PayloadOrganization</key>
+			<string></string>
+			<key>PayloadType</key>
+			<string>com.apple.carddav.account</string>
+			<key>PayloadUUID</key>
+			<string>0797EF2B-B1F1-4BC7-ABCD-4580862252B4</string>
+			<key>PayloadVersion</key>
+			<integer>1</integer>
+		</dict>
+	</array>
+	<key>PayloadDescription</key>
+	<string>IMAP, CalDAV, CardDAV</string>
+	<key>PayloadDisplayName</key>
+	<string><?php echo $domain; ?> Mailcow</string>
+	<key>PayloadIdentifier</key>
+	<string><?php echo $identifier; ?></string>
+	<key>PayloadOrganization</key>
+	<string></string>
+	<key>PayloadRemovalDisallowed</key>
+	<false/>
+	<key>PayloadType</key>
+	<string>Configuration</string>
+	<key>PayloadUUID</key>
+	<string>5EE248C5-ACCB-42D8-9199-8F8ED08D5624</string>
+	<key>PayloadVersion</key>
+	<integer>1</integer>
+</dict>
+</plist>
diff --git a/data/web/thunderbird-plugins/build-plugins.sh b/data/web/thunderbird-plugins/build-plugins.sh
index 03986b78..53199e61 100755
--- a/data/web/thunderbird-plugins/build-plugins.sh
+++ b/data/web/thunderbird-plugins/build-plugins.sh
@@ -16,11 +16,15 @@ tar --strip-components=1 -C connector -xf connector.tar.gz
 # build custom integrator
 while read DOMAIN; do
 	echo "Building SOGo Integrator for $DOMAIN hosted on $MAILHOST"
+	PORT_NUM=$(dig -t srv  _autodiscover._tcp.$DOMAIN +short | tail -n 1 | awk '{print $3}')
+	if [[ -z ${PORT_NUM} ]]; then
+		PORT_NUM=443
+	fi
 	cd integrator
 	echo > defaults/preferences/site.js
 	mkdir -p custom/${DOMAIN}
 	cp -r custom/sogo-demo/* custom/${DOMAIN}/
-	sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/extensions.rdf
+	sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}:${PORT_NUM}/g" custom/${DOMAIN}/chrome/content/extensions.rdf
 	sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&amp;/g" custom/${DOMAIN}/chrome/content/extensions.rdf
 	echo 'pref("sogo-integrator.autocomplete.server.urlid", "'${DOMAIN}'");' > custom/${DOMAIN}/defaults/preferences/site.js
 	echo 'pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/defaults/preferences/site.js
diff --git a/data/web/user.php b/data/web/user.php
index 77ccc62d..ba7678e2 100644
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -74,6 +74,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   <div class="row">
     <div class="col-sm-offset-3 col-sm-9">
       <p><a href="#pwChangeModal" data-toggle="modal">[<?=$lang['user']['change_password'];?>]</a></p>
+      <p><a href="clientconfig.php">[<?=$lang['user']['client_configuration'];?>]</a></p>
     </div>
   </div>
   <hr>
diff --git a/docker-compose.yml b/docker-compose.yml
index 853dbc36..e8a7e0c4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -143,7 +143,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.0
+      image: mailcow/sogo:1.1
       build: ./data/Dockerfiles/sogo
       depends_on:
         unbound-mailcow:

From b88190988e3b154b2b93e875f6266e8f6a4d131f Mon Sep 17 00:00:00 2001
From: Michael Kuron <mkuron@users.noreply.github.com>
Date: Tue, 4 Jul 2017 19:58:30 +0200
Subject: [PATCH 02/26] Autodiscover: Strip bind addresses off of port
 environment variables

---
 data/web/inc/vars.inc.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 05ef25dd..775af1e1 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -34,18 +34,18 @@ $autodiscover_config = array(
   // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.
   'imap' => array(
     'server' => $mailcow_hostname,
-    'port' => getenv('IMAPS_PORT'),
-    'tlsport' => getenv('IMAP_PORT'),
+    'port' => array_pop(explode(':', getenv('IMAPS_PORT'))),
+    'tlsport' => array_pop(explode(':', getenv('IMAP_PORT'))),
   ),
   'pop3' => array(
     'server' => $mailcow_hostname,
-    'port' => getenv('POPS_PORT'),
-    'tlsport' => getenv('POP_PORT'),
+    'port' => array_pop(explode(':', getenv('POPS_PORT'))),
+    'tlsport' => array_pop(explode(':', getenv('POP_PORT'))),
   ),
   'smtp' => array(
     'server' => $mailcow_hostname,
-    'port' => getenv('SMTPS_PORT'),
-    'tlsport' => getenv('SUBMISSION_PORT'),
+    'port' => array_pop(explode(':', getenv('SMTPS_PORT'))),
+    'tlsport' => array_pop(explode(':', getenv('SUBMISSION_PORT'))),
   ),
   'activesync' => array(
     'url' => 'https://'.$mailcow_hostname.($https_port == 443 ? '' : ':'.$https_port).'/Microsoft-Server-ActiveSync',

From 8946d692742bdf37814ad953c96ba5c3b4f41cde Mon Sep 17 00:00:00 2001
From: Michael Kuron <mkuron@users.noreply.github.com>
Date: Wed, 5 Jul 2017 20:11:07 +0200
Subject: [PATCH 03/26] Fix merge conflict

---
 data/Dockerfiles/sogo/Dockerfile              | 1 -
 data/web/thunderbird-plugins/build-plugins.sh | 6 +-----
 docker-compose.yml                            | 2 +-
 3 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/data/Dockerfiles/sogo/Dockerfile b/data/Dockerfiles/sogo/Dockerfile
index b9db3c1c..a3a1308d 100644
--- a/data/Dockerfiles/sogo/Dockerfile
+++ b/data/Dockerfiles/sogo/Dockerfile
@@ -8,7 +8,6 @@ ENV GOSU_VERSION 1.9
 # Prerequisites
 RUN apt-get update && apt-get install -y --no-install-recommends \
 		apt-transport-https \
-		bind9-host \
 		ca-certificates \
 		cron \
 		gnupg \
diff --git a/data/web/thunderbird-plugins/build-plugins.sh b/data/web/thunderbird-plugins/build-plugins.sh
index 53199e61..03986b78 100755
--- a/data/web/thunderbird-plugins/build-plugins.sh
+++ b/data/web/thunderbird-plugins/build-plugins.sh
@@ -16,15 +16,11 @@ tar --strip-components=1 -C connector -xf connector.tar.gz
 # build custom integrator
 while read DOMAIN; do
 	echo "Building SOGo Integrator for $DOMAIN hosted on $MAILHOST"
-	PORT_NUM=$(dig -t srv  _autodiscover._tcp.$DOMAIN +short | tail -n 1 | awk '{print $3}')
-	if [[ -z ${PORT_NUM} ]]; then
-		PORT_NUM=443
-	fi
 	cd integrator
 	echo > defaults/preferences/site.js
 	mkdir -p custom/${DOMAIN}
 	cp -r custom/sogo-demo/* custom/${DOMAIN}/
-	sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}:${PORT_NUM}/g" custom/${DOMAIN}/chrome/content/extensions.rdf
+	sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/extensions.rdf
 	sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&amp;/g" custom/${DOMAIN}/chrome/content/extensions.rdf
 	echo 'pref("sogo-integrator.autocomplete.server.urlid", "'${DOMAIN}'");' > custom/${DOMAIN}/defaults/preferences/site.js
 	echo 'pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/defaults/preferences/site.js
diff --git a/docker-compose.yml b/docker-compose.yml
index e8a7e0c4..853dbc36 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -143,7 +143,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.1
+      image: mailcow/sogo:1.0
       build: ./data/Dockerfiles/sogo
       depends_on:
         unbound-mailcow:

From c1a1f98ee52a1c8bb8f19cbabd8dfd8635ca3ce7 Mon Sep 17 00:00:00 2001
From: Michael Kuron <m.kuron@gmx.de>
Date: Sun, 9 Jul 2017 10:01:27 +0200
Subject: [PATCH 04/26] DNS diagnostics page

---
 data/web/inc/header.inc.php |   5 +
 data/web/lang/lang.de.php   |   7 +
 data/web/lang/lang.en.php   |   7 +
 diagnostics.php             | 272 ++++++++++++++++++++++++++++++++++++
 4 files changed, 291 insertions(+)
 create mode 100644 diagnostics.php

diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index 533711de..8e5b6d07 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -77,6 +77,11 @@
                 <li<?= (preg_match("/mailbox/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/mailbox.php"><?= $lang['header']['mailboxes']; ?></a></li>
               <?php
               }
+              if ($_SESSION['mailcow_cc_role'] == 'admin') {
+              ?>
+                <li<?= (preg_match("/diagnostics/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/diagnostics.php"><?= $lang['header']['diagnostics']; ?></a></li>
+              <?php
+              }
               if ($_SESSION['mailcow_cc_role'] != 'admin') {
               ?>
                 <li<?= (preg_match("/user/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/user.php"><?= $lang['header']['user_settings']; ?></a></li>
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index eef13b3f..732171cc 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -214,6 +214,7 @@ $lang['header']['mailcow_settings'] = 'Konfiguration';
 $lang['header']['administration'] = 'Administration';
 $lang['header']['mailboxes'] = 'Mailboxen';
 $lang['header']['user_settings'] = 'Benutzereinstellungen';
+$lang['header']['diagnostics'] = 'Diagnose';
 $lang['header']['login'] = 'Anmeldung';
 $lang['header']['logged_in_as_logout'] = 'Eingeloggt als <b>%s</b> (abmelden)';
 $lang['header']['logged_in_as_logout_dual'] = 'Eingeloggt als <b>%s <span class="text-info">[%s]</span></b>';
@@ -495,3 +496,9 @@ $lang['admin']['add_forwarding_host'] = 'Weiterleitungs-Host hinzufügen';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warnung:</b> Sie entfernen den Weiterleitungs-Host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Weiterleitungs-Host %s wurde entfernt";
 $lang['success']['forwarding_host_added'] = "Weiterleitungs-Host %s wurde hinzugefügt";
+$lang['diagnostics']['dns_records'] = 'DNS-Einträge';
+$lang['diagnostics']['dns_records_24hours'] = 'Bitte beachten Sie, dass es bis zu 24 Stunden dauern kann, bis Änderungen an Ihren DNS-Einträgen als aktueller Status auf dieser Seite dargestellt werden. Diese Seite ist nur als Hilfsmittel gedacht, um die korrekten Werte für DNS-Einträge zu anzuzeigen und zu überprüfen, ob die Daten im DNS hinterlegt sind.';
+$lang['diagnostics']['dns_records_name'] = 'Name';
+$lang['diagnostics']['dns_records_type'] = 'Typ';
+$lang['diagnostics']['dns_records_data'] = 'Korrekte Daten';
+$lang['diagnostics']['dns_records_status'] = 'Aktueller Status';
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index 3be72fec..391c7d01 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -216,6 +216,7 @@ $lang['header']['mailcow_settings'] = 'Configuration';
 $lang['header']['administration'] = 'Administration';
 $lang['header']['mailboxes'] = 'Mailboxes';
 $lang['header']['user_settings'] = 'User settings';
+$lang['header']['diagnostics'] = 'Diagnostics';
 $lang['header']['login'] = 'Login';
 $lang['header']['logged_in_as_logout'] = 'Logged in as <b>%s</b> (logout)';
 $lang['header']['logged_in_as_logout_dual'] = 'Logged in as <b>%s <span class="text-info">[%s]</span></b>';
@@ -508,3 +509,9 @@ $lang['admin']['add_forwarding_host'] = 'Add Forwarding Host';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warning:</b> You are about to remove the forwarding host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Forwarding host %s has been removed";
 $lang['success']['forwarding_host_added'] = "Forwarding host %s has been added";
+$lang['diagnostics']['dns_records'] = 'DNS Records';
+$lang['diagnostics']['dns_records_24hours'] = 'Please note that changes made to DNS may take up to 24 hours to correctly have their current state reflected on this page. It is intended as a way for you to easily see how to configure your DNS records and to check whether all your records are correctly stored in DNS.';
+$lang['diagnostics']['dns_records_name'] = 'Name';
+$lang['diagnostics']['dns_records_type'] = 'Type';
+$lang['diagnostics']['dns_records_data'] = 'Correct Data';
+$lang['diagnostics']['dns_records_status'] = 'Current State';
diff --git a/diagnostics.php b/diagnostics.php
new file mode 100644
index 00000000..4de0082e
--- /dev/null
+++ b/diagnostics.php
@@ -0,0 +1,272 @@
+<?php
+require_once 'inc/prerequisites.inc.php';
+require_once 'inc/spf.inc.php';
+
+function in_net($addr, $net) {
+  $net = explode('/', $net);
+  if (count($net) > 1) {
+    $mask = $net[1];
+  }
+  $net = inet_pton($net[0]);
+  $addr = inet_pton($addr);
+  $length = strlen($net); // 4 for IPv4, 16 for IPv6
+  if (strlen($net) != strlen($addr)) {
+    return false;
+  }
+  if (!isset($mask)) {
+    $mask = $length * 8;
+  }
+  $addr_bin = '';
+  $net_bin = '';
+  for ($i = 0; $i < $length; ++$i) {
+    $addr_bin .= str_pad(decbin(ord(substr($addr, $i, $i+1))), 8, '0', STR_PAD_LEFT);
+    $net_bin .= str_pad(decbin(ord(substr($net, $i, $i+1))), 8, '0', STR_PAD_LEFT);
+  }
+  return substr($addr_bin, 0, $mask) == substr($net_bin, 0, $mask);
+}
+
+if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
+require_once("inc/header.inc.php");
+
+$ch = curl_init('http://ipv4.mailcow.email');
+curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
+curl_setopt($ch, CURLOPT_VERBOSE, false);
+curl_setopt($ch, CURLOPT_HEADER, false);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3);
+$ip = curl_exec($ch);
+curl_close($ch);
+
+$ch = curl_init('http://ipv6.mailcow.email');
+curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
+curl_setopt($ch, CURLOPT_VERBOSE, false);
+curl_setopt($ch, CURLOPT_HEADER, false);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3);
+$ip6 = curl_exec($ch);
+curl_close($ch);
+
+$ptr = implode('.', array_reverse(explode('.', $ip))) . '.in-addr.arpa';
+if (!empty($ip6)) {
+  $ip6_full = str_replace('::', str_repeat(':', 9-substr_count($ip6, ':')), $ip6);
+  $ip6_full = str_replace('::', ':0:', $ip6_full);
+  $ip6_full = str_replace('::', ':0:', $ip6_full);
+  $ptr6 = '';
+  foreach (explode(':', $ip6_full) as $part) {
+    $ptr6 .= str_pad($part, 4, '0', STR_PAD_LEFT);
+  }
+  $ptr6 = implode('.', array_reverse(str_split($ptr6, 1))) . '.ip6.arpa';
+}
+
+$https_port = strpos($_SERVER['HTTP_HOST'], ':');
+if ($https_port === FALSE) {
+  $https_port = 443;
+} else {
+  $https_port = substr($_SERVER['HTTP_HOST'], $https_port+1);
+}
+
+$records = array();
+$records[] = array($mailcow_hostname, 'A', $ip);
+$records[] = array($ptr, 'PTR', $mailcow_hostname);
+if (!empty($ip6)) {
+  $records[] = array($mailcow_hostname, 'AAAA', $ip6);
+  $records[] = array($ptr6, 'PTR', $mailcow_hostname);
+}
+$domains = mailbox('get', 'domains');
+foreach(mailbox('get', 'domains') as $domain) {
+  $domains = array_merge($domains, mailbox('get', 'alias_domains', $domain));
+}
+
+if (!isset($autodiscover_config['sieve'])) {
+  $autodiscover_config['sieve'] = array('server' => $mailcow_hostname, 'port' => array_pop(explode(':', getenv('SIEVE_PORT'))));
+}
+
+$records[] = array('_25._tcp.'                                              . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], 25, 1));
+$records[] = array('_' . $https_port    . '._tcp.' . $mailcow_hostname, 'TLSA', generate_tlsa_digest($mailcow_hostname, $https_port));
+$records[] = array('_' . $autodiscover_config['pop3']['tlsport'] . '._tcp.' . $autodiscover_config['pop3']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['pop3']['server'], $autodiscover_config['pop3']['tlsport'], 1));
+$records[] = array('_' . $autodiscover_config['imap']['tlsport'] . '._tcp.' . $autodiscover_config['imap']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['imap']['server'], $autodiscover_config['imap']['tlsport'], 1));
+$records[] = array('_' . $autodiscover_config['smtp']['port']    . '._tcp.' . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], $autodiscover_config['smtp']['port']));
+$records[] = array('_' . $autodiscover_config['smtp']['tlsport'] . '._tcp.' . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], $autodiscover_config['smtp']['tlsport'], 1));
+$records[] = array('_' . $autodiscover_config['imap']['port']    . '._tcp.' . $autodiscover_config['imap']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['imap']['server'], $autodiscover_config['imap']['port']));
+$records[] = array('_' . $autodiscover_config['pop3']['port']    . '._tcp.' . $autodiscover_config['pop3']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['pop3']['server'], $autodiscover_config['pop3']['port']));
+$records[] = array('_' . $autodiscover_config['sieve']['port']   . '._tcp.' . $autodiscover_config['sieve']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['sieve']['server'], $autodiscover_config['sieve']['port'], 1));
+
+foreach ($domains as $domain) {
+  $records[] = array($domain, 'MX', $mailcow_hostname);
+  $records[] = array('autodiscover.' . $domain, 'CNAME', $mailcow_hostname);
+  $records[] = array('_autodiscover._tcp.' . $domain, 'SRV', $mailcow_hostname . ' ' . $https_port);
+  $records[] = array('autoconfig.' . $domain, 'CNAME', $mailcow_hostname);
+  $records[] = array($domain, 'TXT', 'v=spf1 mx -all');
+  $records[] = array('_dmarc.' . $domain, 'TXT', 'v=DMARC1; p=reject', 'v=DMARC1; p=');
+  
+  if (!empty($dkim = dkim('details', $domain))) {
+    $records[] = array($dkim['dkim_selector'] . '._domainkey.' . $domain, 'TXT', $dkim['dkim_txt']);
+  }
+
+  $current_records = dns_get_record('_pop3._tcp.' . $domain, DNS_SRV);
+  if (count($current_records) == 0 || $current_records[0]['target'] != '') {
+    if ($autodiscover_config['pop3']['tlsport'] != '110')  {
+      $records[] = array('_pop3._tcp.' . $domain, 'SRV', $autodiscover_config['pop3']['server'] . ' ' . $autodiscover_config['pop3']['tlsport']);
+    }
+  } else {
+      $records[] = array('_pop3._tcp.' . $domain, 'SRV', '. 0');
+  }
+  $current_records = dns_get_record('_pop3s._tcp.' . $domain, DNS_SRV);
+  if (count($current_records) == 0 || $current_records[0]['target'] != '') {
+    if ($autodiscover_config['pop3']['port'] != '995')  {
+      $records[] = array('_pop3s._tcp.' . $domain, 'SRV', $autodiscover_config['pop3']['server'] . ' ' . $autodiscover_config['pop3']['port']);
+    }
+  } else {
+      $records[] = array('_pop3s._tcp.' . $domain, 'SRV', '. 0');
+  }
+  if ($autodiscover_config['imap']['tlsport'] != '143')  {
+    $records[] = array('_imap._tcp.' . $domain, 'SRV', $autodiscover_config['imap']['server'] . ' ' . $autodiscover_config['imap']['tlsport']);
+  }
+  if ($autodiscover_config['imap']['port'] != '993')  {
+    $records[] = array('_imaps._tcp.' . $domain, 'SRV', $autodiscover_config['imap']['server'] . ' ' . $autodiscover_config['imap']['port']);
+  }
+  if ($autodiscover_config['smtp']['tlsport'] != '587')  {
+    $records[] = array('_submission._tcp.' . $domain, 'SRV', $autodiscover_config['smtp']['server'] . ' ' . $autodiscover_config['smtp']['tlsport']);
+  }
+  if ($autodiscover_config['smtp']['port'] != '465')  {
+    $records[] = array('_smtps._tcp.' . $domain, 'SRV', $autodiscover_config['smtp']['server'] . ' ' . $autodiscover_config['smtp']['port']);
+  }
+  if ($autodiscover_config['sieve']['port'] != '4190')  {
+    $records[] = array('_sieve._tcp.' . $domain, 'SRV', $autodiscover_config['sieve']['server'] . ' ' . $autodiscover_config['sieve']['port']);
+  }
+}
+
+define('state_good',  "&#10003;");
+define('state_missing',   "&#x2717;");
+define('state_nomatch', "?");
+
+$record_types = array(
+  'A' => DNS_A,
+  'AAAA' => DNS_AAAA,
+  'CNAME' => DNS_CNAME,
+  'MX' => DNS_MX,
+  'PTR' => DNS_PTR,
+  'SRV' => DNS_SRV,
+  'TXT' => DNS_TXT,
+);
+$data_field = array(
+  'A' => 'ip',
+  'AAAA' => 'ipv6',
+  'CNAME' => 'target',
+  'MX' => 'target',
+  'PTR' => 'target',
+  'SRV' => 'data',
+  'TLSA' => 'data',
+  'TXT' => 'txt',
+);
+?>
+<div class="container">
+  <h3><?=$lang['diagnostics']['dns_records'];?></h3>
+  <p><?=$lang['diagnostics']['dns_records_24hours'];?></p>
+  <div class="table-responsive" id="dnstable">
+    <table class="table table-striped">
+      <tr> <th><?=$lang['diagnostics']['dns_records_name'];?></th> <th><?=$lang['diagnostics']['dns_records_type'];?></th> <th><?=$lang['diagnostics']['dns_records_data'];?></th ><th><?=$lang['diagnostics']['dns_records_status'];?></th> </tr>
+<?php
+foreach ($records as $record)
+{
+  $record[1] = strtoupper($record[1]);
+  $state = state_missing;
+  if ($record[1] == 'TLSA') {
+    $currents = dns_get_record($record[0], 52, $_, $_, TRUE);
+    foreach ($currents as &$current) {
+      $current['type'] = 'TLSA';
+      $current['cert_usage'] = hexdec(bin2hex($current['data']{0}));
+      $current['selector'] = hexdec(bin2hex($current['data']{1}));
+      $current['match_type'] = hexdec(bin2hex($current['data']{2}));
+      $current['cert_data'] = bin2hex(substr($current['data'], 3));
+      $current['data'] = $current['cert_usage'] . ' ' . $current['selector'] . ' ' . $current['match_type'] . ' ' . $current['cert_data'];
+    }
+    unset($current);
+  }
+  else {
+    $currents = dns_get_record($record[0], $record_types[$record[1]]);
+    if ($record[1] == 'SRV') {
+      foreach ($currents as &$current) {
+        if ($current['target'] == '') {
+          $current['target'] = '.';
+          $current['port'] = '0';
+        }
+        $current['data'] = $current['target'] . ' ' . $current['port'];
+      }
+      unset($current);
+    }
+  }
+  
+  if ($record[1] == 'CNAME' && count($currents) == 0) {
+    // A and AAAA are also valid instead of CNAME
+    $a = dns_get_record($record[0], DNS_A);
+    $cname = dns_get_record($record[2], DNS_A);
+    if (count($a) > 0 && count($cname) > 0) {
+      if ($a[0]['ip'] == $cname[0]['ip']) {
+        $currents = array(array('host' => $record[0], 'class' => 'IN', 'type' => 'CNAME', 'target' => $record[2]));
+      
+        $aaaa = dns_get_record($record[0], DNS_AAAA);
+        $cname = dns_get_record($record[2], DNS_AAAA);
+        if (count($aaaa) == 0 || count($cname) == 0 || $aaaa[0]['ipv6'] != $cname[0]['ipv6']) {
+          $currents[0]['target'] = $aaaa[0]['ipv6'];
+        }
+      } else {
+        $currents = array(array('host' => $record[0], 'class' => 'IN', 'type' => 'CNAME', 'target' => $a[0]['ip']));
+      }
+    }
+  }
+  
+  foreach ($currents as $current) {
+    $current['type'] == strtoupper($current['type']);
+    if ($current['type'] != $record[1])
+    {
+      continue;
+    }
+    
+    elseif ($current['type'] == 'TXT' && strpos($record[0], '_dmarc.') === 0) {
+      $state = state_nomatch;
+      if (strpos($current[$data_field[$current['type']]], $record[3]) === 0)
+        $state = state_good . ' (' . current[$data_field[$current['type']]] . ')';
+    }
+    else if ($current['type'] == 'TXT' && strpos($current['txt'], 'v=spf1') === 0) {
+      $allowed = get_spf_allowed_hosts($record[0]);
+      $spf_ok = FALSE;
+      $spf_ok6 = FALSE;
+      foreach ($allowed as $net)
+      {
+        if (in_net($ip, $net))
+          $spf_ok = TRUE;
+        if (in_net($ip6, $net))
+          $spf_ok6 = TRUE;
+      }
+      if ($spf_ok && (empty($ip6) || $spf_ok6))
+        $state = state_good . ' (' . $current[$data_field[$current['type']]] . ')';
+    }
+    else if ($current['type'] != 'TXT' && isset($data_field[$current['type']]) && $state != state_good) {
+      $state = state_nomatch;
+      if ($current[$data_field[$current['type']]] == $record[2])
+        $state = state_good;
+    }
+  }
+  
+  if ($state == state_nomatch) {
+    $state = array();
+    foreach ($currents as $current) {
+      $state[] = $current[$data_field[$current['type']]];
+    }
+    $state = implode('<br />', $state);
+  }
+  
+  echo sprintf('<tr><td>%s</td><td>%s</td><td style="max-width: 300px; word-break: break-all">%s</td><td style="max-width: 150px; word-break: break-all">%s</td></tr>', $record[0], $record[1], $record[2], $state);
+}
+?>
+    </table>
+	</div>
+</div>
+<?php
+require_once("inc/footer.inc.php");
+} else {
+  header('Location: index.php');
+  exit();
+}
+?>

From 4c1537c1c2d8f99a98b7db09066f65ae66c938ab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Peters?= <andryyy@users.noreply.github.com>
Date: Mon, 10 Jul 2017 08:45:59 +0200
Subject: [PATCH 05/26] Revert "DNS diagnostics page"

---
 data/web/inc/header.inc.php |   5 -
 data/web/lang/lang.de.php   |   7 -
 data/web/lang/lang.en.php   |   7 -
 diagnostics.php             | 272 ------------------------------------
 4 files changed, 291 deletions(-)
 delete mode 100644 diagnostics.php

diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index 8e5b6d07..533711de 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -77,11 +77,6 @@
                 <li<?= (preg_match("/mailbox/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/mailbox.php"><?= $lang['header']['mailboxes']; ?></a></li>
               <?php
               }
-              if ($_SESSION['mailcow_cc_role'] == 'admin') {
-              ?>
-                <li<?= (preg_match("/diagnostics/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/diagnostics.php"><?= $lang['header']['diagnostics']; ?></a></li>
-              <?php
-              }
               if ($_SESSION['mailcow_cc_role'] != 'admin') {
               ?>
                 <li<?= (preg_match("/user/i", $_SERVER['REQUEST_URI'])) ? ' class="active"' : ''; ?>><a href="/user.php"><?= $lang['header']['user_settings']; ?></a></li>
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index 54a497ab..8706e4ba 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -215,7 +215,6 @@ $lang['header']['mailcow_settings'] = 'Konfiguration';
 $lang['header']['administration'] = 'Administration';
 $lang['header']['mailboxes'] = 'Mailboxen';
 $lang['header']['user_settings'] = 'Benutzereinstellungen';
-$lang['header']['diagnostics'] = 'Diagnose';
 $lang['header']['login'] = 'Anmeldung';
 $lang['header']['logged_in_as_logout'] = 'Eingeloggt als <b>%s</b> (abmelden)';
 $lang['header']['logged_in_as_logout_dual'] = 'Eingeloggt als <b>%s <span class="text-info">[%s]</span></b>';
@@ -497,9 +496,3 @@ $lang['admin']['add_forwarding_host'] = 'Weiterleitungs-Host hinzufügen';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warnung:</b> Sie entfernen den Weiterleitungs-Host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Weiterleitungs-Host %s wurde entfernt";
 $lang['success']['forwarding_host_added'] = "Weiterleitungs-Host %s wurde hinzugefügt";
-$lang['diagnostics']['dns_records'] = 'DNS-Einträge';
-$lang['diagnostics']['dns_records_24hours'] = 'Bitte beachten Sie, dass es bis zu 24 Stunden dauern kann, bis Änderungen an Ihren DNS-Einträgen als aktueller Status auf dieser Seite dargestellt werden. Diese Seite ist nur als Hilfsmittel gedacht, um die korrekten Werte für DNS-Einträge zu anzuzeigen und zu überprüfen, ob die Daten im DNS hinterlegt sind.';
-$lang['diagnostics']['dns_records_name'] = 'Name';
-$lang['diagnostics']['dns_records_type'] = 'Typ';
-$lang['diagnostics']['dns_records_data'] = 'Korrekte Daten';
-$lang['diagnostics']['dns_records_status'] = 'Aktueller Status';
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index f0608821..fceef80f 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -217,7 +217,6 @@ $lang['header']['mailcow_settings'] = 'Configuration';
 $lang['header']['administration'] = 'Administration';
 $lang['header']['mailboxes'] = 'Mailboxes';
 $lang['header']['user_settings'] = 'User settings';
-$lang['header']['diagnostics'] = 'Diagnostics';
 $lang['header']['login'] = 'Login';
 $lang['header']['logged_in_as_logout'] = 'Logged in as <b>%s</b> (logout)';
 $lang['header']['logged_in_as_logout_dual'] = 'Logged in as <b>%s <span class="text-info">[%s]</span></b>';
@@ -510,9 +509,3 @@ $lang['admin']['add_forwarding_host'] = 'Add Forwarding Host';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warning:</b> You are about to remove the forwarding host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Forwarding host %s has been removed";
 $lang['success']['forwarding_host_added'] = "Forwarding host %s has been added";
-$lang['diagnostics']['dns_records'] = 'DNS Records';
-$lang['diagnostics']['dns_records_24hours'] = 'Please note that changes made to DNS may take up to 24 hours to correctly have their current state reflected on this page. It is intended as a way for you to easily see how to configure your DNS records and to check whether all your records are correctly stored in DNS.';
-$lang['diagnostics']['dns_records_name'] = 'Name';
-$lang['diagnostics']['dns_records_type'] = 'Type';
-$lang['diagnostics']['dns_records_data'] = 'Correct Data';
-$lang['diagnostics']['dns_records_status'] = 'Current State';
diff --git a/diagnostics.php b/diagnostics.php
deleted file mode 100644
index 4de0082e..00000000
--- a/diagnostics.php
+++ /dev/null
@@ -1,272 +0,0 @@
-<?php
-require_once 'inc/prerequisites.inc.php';
-require_once 'inc/spf.inc.php';
-
-function in_net($addr, $net) {
-  $net = explode('/', $net);
-  if (count($net) > 1) {
-    $mask = $net[1];
-  }
-  $net = inet_pton($net[0]);
-  $addr = inet_pton($addr);
-  $length = strlen($net); // 4 for IPv4, 16 for IPv6
-  if (strlen($net) != strlen($addr)) {
-    return false;
-  }
-  if (!isset($mask)) {
-    $mask = $length * 8;
-  }
-  $addr_bin = '';
-  $net_bin = '';
-  for ($i = 0; $i < $length; ++$i) {
-    $addr_bin .= str_pad(decbin(ord(substr($addr, $i, $i+1))), 8, '0', STR_PAD_LEFT);
-    $net_bin .= str_pad(decbin(ord(substr($net, $i, $i+1))), 8, '0', STR_PAD_LEFT);
-  }
-  return substr($addr_bin, 0, $mask) == substr($net_bin, 0, $mask);
-}
-
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admin") {
-require_once("inc/header.inc.php");
-
-$ch = curl_init('http://ipv4.mailcow.email');
-curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
-curl_setopt($ch, CURLOPT_VERBOSE, false);
-curl_setopt($ch, CURLOPT_HEADER, false);
-curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3);
-$ip = curl_exec($ch);
-curl_close($ch);
-
-$ch = curl_init('http://ipv6.mailcow.email');
-curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V6);
-curl_setopt($ch, CURLOPT_VERBOSE, false);
-curl_setopt($ch, CURLOPT_HEADER, false);
-curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
-curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 3);
-$ip6 = curl_exec($ch);
-curl_close($ch);
-
-$ptr = implode('.', array_reverse(explode('.', $ip))) . '.in-addr.arpa';
-if (!empty($ip6)) {
-  $ip6_full = str_replace('::', str_repeat(':', 9-substr_count($ip6, ':')), $ip6);
-  $ip6_full = str_replace('::', ':0:', $ip6_full);
-  $ip6_full = str_replace('::', ':0:', $ip6_full);
-  $ptr6 = '';
-  foreach (explode(':', $ip6_full) as $part) {
-    $ptr6 .= str_pad($part, 4, '0', STR_PAD_LEFT);
-  }
-  $ptr6 = implode('.', array_reverse(str_split($ptr6, 1))) . '.ip6.arpa';
-}
-
-$https_port = strpos($_SERVER['HTTP_HOST'], ':');
-if ($https_port === FALSE) {
-  $https_port = 443;
-} else {
-  $https_port = substr($_SERVER['HTTP_HOST'], $https_port+1);
-}
-
-$records = array();
-$records[] = array($mailcow_hostname, 'A', $ip);
-$records[] = array($ptr, 'PTR', $mailcow_hostname);
-if (!empty($ip6)) {
-  $records[] = array($mailcow_hostname, 'AAAA', $ip6);
-  $records[] = array($ptr6, 'PTR', $mailcow_hostname);
-}
-$domains = mailbox('get', 'domains');
-foreach(mailbox('get', 'domains') as $domain) {
-  $domains = array_merge($domains, mailbox('get', 'alias_domains', $domain));
-}
-
-if (!isset($autodiscover_config['sieve'])) {
-  $autodiscover_config['sieve'] = array('server' => $mailcow_hostname, 'port' => array_pop(explode(':', getenv('SIEVE_PORT'))));
-}
-
-$records[] = array('_25._tcp.'                                              . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], 25, 1));
-$records[] = array('_' . $https_port    . '._tcp.' . $mailcow_hostname, 'TLSA', generate_tlsa_digest($mailcow_hostname, $https_port));
-$records[] = array('_' . $autodiscover_config['pop3']['tlsport'] . '._tcp.' . $autodiscover_config['pop3']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['pop3']['server'], $autodiscover_config['pop3']['tlsport'], 1));
-$records[] = array('_' . $autodiscover_config['imap']['tlsport'] . '._tcp.' . $autodiscover_config['imap']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['imap']['server'], $autodiscover_config['imap']['tlsport'], 1));
-$records[] = array('_' . $autodiscover_config['smtp']['port']    . '._tcp.' . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], $autodiscover_config['smtp']['port']));
-$records[] = array('_' . $autodiscover_config['smtp']['tlsport'] . '._tcp.' . $autodiscover_config['smtp']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['smtp']['server'], $autodiscover_config['smtp']['tlsport'], 1));
-$records[] = array('_' . $autodiscover_config['imap']['port']    . '._tcp.' . $autodiscover_config['imap']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['imap']['server'], $autodiscover_config['imap']['port']));
-$records[] = array('_' . $autodiscover_config['pop3']['port']    . '._tcp.' . $autodiscover_config['pop3']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['pop3']['server'], $autodiscover_config['pop3']['port']));
-$records[] = array('_' . $autodiscover_config['sieve']['port']   . '._tcp.' . $autodiscover_config['sieve']['server'], 'TLSA', generate_tlsa_digest($autodiscover_config['sieve']['server'], $autodiscover_config['sieve']['port'], 1));
-
-foreach ($domains as $domain) {
-  $records[] = array($domain, 'MX', $mailcow_hostname);
-  $records[] = array('autodiscover.' . $domain, 'CNAME', $mailcow_hostname);
-  $records[] = array('_autodiscover._tcp.' . $domain, 'SRV', $mailcow_hostname . ' ' . $https_port);
-  $records[] = array('autoconfig.' . $domain, 'CNAME', $mailcow_hostname);
-  $records[] = array($domain, 'TXT', 'v=spf1 mx -all');
-  $records[] = array('_dmarc.' . $domain, 'TXT', 'v=DMARC1; p=reject', 'v=DMARC1; p=');
-  
-  if (!empty($dkim = dkim('details', $domain))) {
-    $records[] = array($dkim['dkim_selector'] . '._domainkey.' . $domain, 'TXT', $dkim['dkim_txt']);
-  }
-
-  $current_records = dns_get_record('_pop3._tcp.' . $domain, DNS_SRV);
-  if (count($current_records) == 0 || $current_records[0]['target'] != '') {
-    if ($autodiscover_config['pop3']['tlsport'] != '110')  {
-      $records[] = array('_pop3._tcp.' . $domain, 'SRV', $autodiscover_config['pop3']['server'] . ' ' . $autodiscover_config['pop3']['tlsport']);
-    }
-  } else {
-      $records[] = array('_pop3._tcp.' . $domain, 'SRV', '. 0');
-  }
-  $current_records = dns_get_record('_pop3s._tcp.' . $domain, DNS_SRV);
-  if (count($current_records) == 0 || $current_records[0]['target'] != '') {
-    if ($autodiscover_config['pop3']['port'] != '995')  {
-      $records[] = array('_pop3s._tcp.' . $domain, 'SRV', $autodiscover_config['pop3']['server'] . ' ' . $autodiscover_config['pop3']['port']);
-    }
-  } else {
-      $records[] = array('_pop3s._tcp.' . $domain, 'SRV', '. 0');
-  }
-  if ($autodiscover_config['imap']['tlsport'] != '143')  {
-    $records[] = array('_imap._tcp.' . $domain, 'SRV', $autodiscover_config['imap']['server'] . ' ' . $autodiscover_config['imap']['tlsport']);
-  }
-  if ($autodiscover_config['imap']['port'] != '993')  {
-    $records[] = array('_imaps._tcp.' . $domain, 'SRV', $autodiscover_config['imap']['server'] . ' ' . $autodiscover_config['imap']['port']);
-  }
-  if ($autodiscover_config['smtp']['tlsport'] != '587')  {
-    $records[] = array('_submission._tcp.' . $domain, 'SRV', $autodiscover_config['smtp']['server'] . ' ' . $autodiscover_config['smtp']['tlsport']);
-  }
-  if ($autodiscover_config['smtp']['port'] != '465')  {
-    $records[] = array('_smtps._tcp.' . $domain, 'SRV', $autodiscover_config['smtp']['server'] . ' ' . $autodiscover_config['smtp']['port']);
-  }
-  if ($autodiscover_config['sieve']['port'] != '4190')  {
-    $records[] = array('_sieve._tcp.' . $domain, 'SRV', $autodiscover_config['sieve']['server'] . ' ' . $autodiscover_config['sieve']['port']);
-  }
-}
-
-define('state_good',  "&#10003;");
-define('state_missing',   "&#x2717;");
-define('state_nomatch', "?");
-
-$record_types = array(
-  'A' => DNS_A,
-  'AAAA' => DNS_AAAA,
-  'CNAME' => DNS_CNAME,
-  'MX' => DNS_MX,
-  'PTR' => DNS_PTR,
-  'SRV' => DNS_SRV,
-  'TXT' => DNS_TXT,
-);
-$data_field = array(
-  'A' => 'ip',
-  'AAAA' => 'ipv6',
-  'CNAME' => 'target',
-  'MX' => 'target',
-  'PTR' => 'target',
-  'SRV' => 'data',
-  'TLSA' => 'data',
-  'TXT' => 'txt',
-);
-?>
-<div class="container">
-  <h3><?=$lang['diagnostics']['dns_records'];?></h3>
-  <p><?=$lang['diagnostics']['dns_records_24hours'];?></p>
-  <div class="table-responsive" id="dnstable">
-    <table class="table table-striped">
-      <tr> <th><?=$lang['diagnostics']['dns_records_name'];?></th> <th><?=$lang['diagnostics']['dns_records_type'];?></th> <th><?=$lang['diagnostics']['dns_records_data'];?></th ><th><?=$lang['diagnostics']['dns_records_status'];?></th> </tr>
-<?php
-foreach ($records as $record)
-{
-  $record[1] = strtoupper($record[1]);
-  $state = state_missing;
-  if ($record[1] == 'TLSA') {
-    $currents = dns_get_record($record[0], 52, $_, $_, TRUE);
-    foreach ($currents as &$current) {
-      $current['type'] = 'TLSA';
-      $current['cert_usage'] = hexdec(bin2hex($current['data']{0}));
-      $current['selector'] = hexdec(bin2hex($current['data']{1}));
-      $current['match_type'] = hexdec(bin2hex($current['data']{2}));
-      $current['cert_data'] = bin2hex(substr($current['data'], 3));
-      $current['data'] = $current['cert_usage'] . ' ' . $current['selector'] . ' ' . $current['match_type'] . ' ' . $current['cert_data'];
-    }
-    unset($current);
-  }
-  else {
-    $currents = dns_get_record($record[0], $record_types[$record[1]]);
-    if ($record[1] == 'SRV') {
-      foreach ($currents as &$current) {
-        if ($current['target'] == '') {
-          $current['target'] = '.';
-          $current['port'] = '0';
-        }
-        $current['data'] = $current['target'] . ' ' . $current['port'];
-      }
-      unset($current);
-    }
-  }
-  
-  if ($record[1] == 'CNAME' && count($currents) == 0) {
-    // A and AAAA are also valid instead of CNAME
-    $a = dns_get_record($record[0], DNS_A);
-    $cname = dns_get_record($record[2], DNS_A);
-    if (count($a) > 0 && count($cname) > 0) {
-      if ($a[0]['ip'] == $cname[0]['ip']) {
-        $currents = array(array('host' => $record[0], 'class' => 'IN', 'type' => 'CNAME', 'target' => $record[2]));
-      
-        $aaaa = dns_get_record($record[0], DNS_AAAA);
-        $cname = dns_get_record($record[2], DNS_AAAA);
-        if (count($aaaa) == 0 || count($cname) == 0 || $aaaa[0]['ipv6'] != $cname[0]['ipv6']) {
-          $currents[0]['target'] = $aaaa[0]['ipv6'];
-        }
-      } else {
-        $currents = array(array('host' => $record[0], 'class' => 'IN', 'type' => 'CNAME', 'target' => $a[0]['ip']));
-      }
-    }
-  }
-  
-  foreach ($currents as $current) {
-    $current['type'] == strtoupper($current['type']);
-    if ($current['type'] != $record[1])
-    {
-      continue;
-    }
-    
-    elseif ($current['type'] == 'TXT' && strpos($record[0], '_dmarc.') === 0) {
-      $state = state_nomatch;
-      if (strpos($current[$data_field[$current['type']]], $record[3]) === 0)
-        $state = state_good . ' (' . current[$data_field[$current['type']]] . ')';
-    }
-    else if ($current['type'] == 'TXT' && strpos($current['txt'], 'v=spf1') === 0) {
-      $allowed = get_spf_allowed_hosts($record[0]);
-      $spf_ok = FALSE;
-      $spf_ok6 = FALSE;
-      foreach ($allowed as $net)
-      {
-        if (in_net($ip, $net))
-          $spf_ok = TRUE;
-        if (in_net($ip6, $net))
-          $spf_ok6 = TRUE;
-      }
-      if ($spf_ok && (empty($ip6) || $spf_ok6))
-        $state = state_good . ' (' . $current[$data_field[$current['type']]] . ')';
-    }
-    else if ($current['type'] != 'TXT' && isset($data_field[$current['type']]) && $state != state_good) {
-      $state = state_nomatch;
-      if ($current[$data_field[$current['type']]] == $record[2])
-        $state = state_good;
-    }
-  }
-  
-  if ($state == state_nomatch) {
-    $state = array();
-    foreach ($currents as $current) {
-      $state[] = $current[$data_field[$current['type']]];
-    }
-    $state = implode('<br />', $state);
-  }
-  
-  echo sprintf('<tr><td>%s</td><td>%s</td><td style="max-width: 300px; word-break: break-all">%s</td><td style="max-width: 150px; word-break: break-all">%s</td></tr>', $record[0], $record[1], $record[2], $state);
-}
-?>
-    </table>
-	</div>
-</div>
-<?php
-require_once("inc/footer.inc.php");
-} else {
-  header('Location: index.php');
-  exit();
-}
-?>

From beec3d47f70f3403f855a8b2a732bbeed0ed007f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Peters?= <andryyy@users.noreply.github.com>
Date: Mon, 10 Jul 2017 08:46:20 +0200
Subject: [PATCH 06/26] Revert "Client configuration guides"

---
 data/web/autoconfig.php        |  47 +++------
 data/web/autodiscover.php      |  54 +++++-----
 data/web/clientconfig.php      | 185 ---------------------------------
 data/web/inc/functions.inc.php |  24 ++---
 data/web/inc/vars.inc.php      |  31 ++----
 data/web/lang/lang.de.php      |   1 -
 data/web/lang/lang.en.php      |   1 -
 data/web/mobileconfig.php      | 167 -----------------------------
 data/web/user.php              |   1 -
 9 files changed, 56 insertions(+), 455 deletions(-)
 delete mode 100644 data/web/clientconfig.php
 delete mode 100644 data/web/mobileconfig.php

diff --git a/data/web/autoconfig.php b/data/web/autoconfig.php
index 523d6183..d01bc724 100644
--- a/data/web/autoconfig.php
+++ b/data/web/autoconfig.php
@@ -5,16 +5,6 @@ if (empty($mailcow_hostname)) {
   exit();
 }
 
-$domain_dot = strpos($_SERVER['HTTP_HOST'], '.');
-$domain_port = strpos($_SERVER['HTTP_HOST'], ':');
-if ($domain_port === FALSE) {
-  $domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1);
-  $port = 443;
-} else {
-  $domain = substr($_SERVER['HTTP_HOST'], $domain_dot+1, $domain_port-$domain_dot-1);
-  $port = substr($_SERVER['HTTP_HOST'], $domain_port+1);
-}
-
 header('Content-Type: application/xml');
 ?>
 <?= '<?xml version="1.0"?>'; ?>
@@ -25,59 +15,52 @@ header('Content-Type: application/xml');
       <displayShortName>mail server</displayShortName>
 
       <incomingServer type="imap">
-         <hostname><?= $autodiscover_config['imap']['server']; ?></hostname>
-         <port><?= $autodiscover_config['imap']['port']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>993</port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
       <incomingServer type="imap">
-         <hostname><?= $autodiscover_config['imap']['server']; ?></hostname>
-         <port><?= $autodiscover_config['imap']['tlsport']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>143</port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
 
-<?php
-$records = dns_get_record('_pop3s._tcp.' . $domain, DNS_SRV); // check if POP3 is announced as "not provided" via SRV record
-if (count($records) == 0 || $records[0]['target'] != '') { ?>
       <incomingServer type="pop3">
-         <hostname><?= $autodiscover_config['pop3']['server']; ?></hostname>
-         <port><?= $autodiscover_config['pop3']['port']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>995</port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
-<?php } ?>
-<?php
-$records = dns_get_record('_pop3._tcp.' . $domain, DNS_SRV); // check if POP3 is announced as "not provided" via SRV record
-if (count($records) == 0 || $records[0]['target'] != '') { ?>
       <incomingServer type="pop3">
-         <hostname><?= $autodiscover_config['pop3']['server']; ?></hostname>
-         <port><?= $autodiscover_config['pop3']['tlsport']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>110</port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </incomingServer>
-<?php } ?>
 
       <outgoingServer type="smtp">
-         <hostname><?= $autodiscover_config['smtp']['server']; ?></hostname>
-         <port><?= $autodiscover_config['smtp']['port']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>465</port>
          <socketType>SSL</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </outgoingServer>
+
       <outgoingServer type="smtp">
-         <hostname><?= $autodiscover_config['smtp']['server']; ?></hostname>
-         <port><?= $autodiscover_config['smtp']['tlsport']; ?></port>
+         <hostname><?= $mailcow_hostname; ?></hostname>
+         <port>587</port>
          <socketType>STARTTLS</socketType>
          <username>%EMAILADDRESS%</username>
          <authentication>password-cleartext</authentication>
       </outgoingServer>
 
-      <enable visiturl="https://<?= $mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/admin.php">
+      <enable visiturl="https://<?= $mailcow_hostname; ?>/admin.php">
          <instruction>If you didn't change the password given to you by the administrator or if you didn't change it in a long time, please consider doing that now.</instruction>
          <instruction lang="de">Sollten Sie das Ihnen durch den Administrator vergebene Passwort noch nicht geändert haben, empfehlen wir dies nun zu tun. Auch ein altes Passwort sollte aus Sicherheitsgründen geändert werden.</instruction>
       </enable>
@@ -85,6 +68,6 @@ if (count($records) == 0 || $records[0]['target'] != '') { ?>
     </emailProvider>
 
     <webMail>
-      <loginPage url="https://<?= $mailcow_hostname; ?><?php if ($port != 443) echo ':'.$port; ?>/SOGo/" />
+      <loginPage url="https://<?= $mailcow_hostname; ?>/SOGo/" />
     </webMail>
 </clientConfig>
diff --git a/data/web/autodiscover.php b/data/web/autodiscover.php
index 7f6081ae..fd8cd641 100644
--- a/data/web/autodiscover.php
+++ b/data/web/autodiscover.php
@@ -12,14 +12,13 @@ error_reporting(0);
 $data = trim(file_get_contents("php://input"));
 
 // Desktop client needs IMAP, unless it's Outlook 2013 or higher on Windows
-if (strpos($data, 'autodiscover/outlook/responseschema') !== false) { // desktop client
+if (strpos($data, 'autodiscover/outlook/responseschema')) { // desktop client
   $configuration['autodiscoverType'] = 'imap';
   if ($configuration['useEASforOutlook'] == 'yes' &&
-    // Office for macOS does not support EAS
-    strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
-    // Outlook 2013 (version 15) or higher
-    preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])
-  ) {
+  // Office for macOS does not support EAS
+  strpos($_SERVER['HTTP_USER_AGENT'], 'Mac') === false &&
+  // Outlook 2013 (version 15) or higher
+  preg_match('/(Outlook|Office).+1[5-9]\./', $_SERVER['HTTP_USER_AGENT'])) {
     $configuration['autodiscoverType'] = 'activesync';
   }
 }
@@ -61,28 +60,8 @@ else {
 <?php
         exit(0);
       }
-      try {
-        $discover = new SimpleXMLElement($data);
-        $email = $discover->Request->EMailAddress;
-      } catch (Exception $e) {
-        $email = $_SERVER['PHP_AUTH_USER'];
-      }
-
-      $username = trim($email);
-      try {
-        $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
-        $stmt->execute(array(':username' => $username));
-        $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
-      }
-      catch(PDOException $e) {
-        die("Failed to determine name from SQL");
-      }
-      if (!empty($MailboxData['name'])) {
-        $displayname = utf8_encode($MailboxData['name']);
-      }
-      else {
-        $displayname = $email;
-      }
+      $discover = new SimpleXMLElement($data);
+      $email = $discover->Request->EMailAddress;
 
       if ($configuration['autodiscoverType'] == 'imap') {
 ?>
@@ -117,13 +96,13 @@ else {
       </Protocol>
       <Protocol>
         <Type>CalDAV</Type>
-        <Server>https://<?=$configuration['caldav']['server'];?><?php if ($configuration['caldav']['port'] != 443) echo ':'.$configuration['caldav']['port']; ?>/SOGo/dav/<?=$email;?>/Calendar</Server>
+        <Server><?=$configuration['caldav']['server'];?>/SOGo/dav/<?=$email;?>/Calendar</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
       <Protocol>
         <Type>CardDAV</Type>
-        <Server>https://<?=$configuration['carddav']['server'];?><?php if ($configuration['caldav']['port'] != 443) echo ':'.$configuration['carddav']['port']; ?>/SOGo/dav/<?=$email;?>/Contacts</Server>
+        <Server><?=$configuration['carddav']['server'];?>/SOGo/dav/<?=$email;?>/Contacts</Server>
         <DomainRequired>off</DomainRequired>
         <LoginName><?=$email;?></LoginName>
       </Protocol>
@@ -132,6 +111,21 @@ else {
 <?php
       }
       else if ($configuration['autodiscoverType'] == 'activesync') {
+        $username = trim($email);
+        try {
+          $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
+          $stmt->execute(array(':username' => $username));
+          $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
+        }
+        catch(PDOException $e) {
+          die("Failed to determine name from SQL");
+        }
+        if (!empty($MailboxData['name'])) {
+          $displayname = utf8_encode($MailboxData['name']);
+        }
+        else {
+          $displayname = $email;
+        }
 ?>
   <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
     <Culture>en:en</Culture>
diff --git a/data/web/clientconfig.php b/data/web/clientconfig.php
deleted file mode 100644
index 68722a89..00000000
--- a/data/web/clientconfig.php
+++ /dev/null
@@ -1,185 +0,0 @@
-<?php
-require_once 'inc/prerequisites.inc.php';
-
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "user") {
-require_once("inc/header.inc.php");
-
-if (file_exists('thunderbird-plugins/version.csv'))
-{
-  $fh = fopen('thunderbird-plugins/version.csv', 'r');
-  if ($fh)
-  {
-    while (($row = fgetcsv($fh, 1000, ';')) !== FALSE)
-    {
-      if ($row[0] == 'sogo-integrator@inverse.ca') {
-        $integrator_file = $row[2];
-      }
-    }
-    fclose($fh);
-  }
-}
-
-$email = $_SESSION['mailcow_cc_username'];
-$domain = explode('@', $_SESSION['mailcow_cc_username'])[1];
-
-$username = trim($email);
-try {
-  $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
-  $stmt->execute(array(':username' => $username));
-  $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
-}
-catch(PDOException $e) {
-  die("Failed to determine name from SQL");
-}
-if (!empty($MailboxData['name'])) {
-  $displayname = utf8_encode($MailboxData['name']);
-}
-else {
-  $displayname = $email;
-}
-?>
-<div class="container">
-  <h2>Client Configuration Guide</h2>
-  <p>Select your email client or operating system below to view a step-by-step guide to setting up your email account.</p>
-  
-  <h3><a href="#" onclick="document.getElementById('client_apple').style.display = 'block'">Apple macOS / iOS</a></h3>
-  <div  id="client_apple" style="display: none">
-    <ol>
-      <li>Download and open <a href="mobileconfig.php">Mailcow.mobileconfig</a>.</li>
-      <li>Enter the unlock code (iPhone) or computer password (Mac).</li>
-      <li>Enter your email password three times when prompted.</li>
-    </ol>
-    <p>On iOS, Exchange is also supported as an alternative to the procedure above. It has the advantage of supporting push email (i.e. you are immediately notified of incoming messages), but has some limitations, e.g. it does not support more than three email addresses per contact in your address book. Follow the steps below if you decide to use Exchange instead.</p>
-    <ol>
-      <li>Open the <em>Settings</em> app, tap <em>Mail</em>, tap <em>Accounts</em>, tap <em>Add Acccount</em>, select <em>Exchange</em>.</li>
-      <li>Enter your email address (<code><?php echo $email; ?></code>) and tap <em>Next</em>.</li>
-      <li>Enter your password, tap <em>Next</em> again.</li>
-      <li>Finally, tap <em>Save</em>.</li>
-    </ol>
-  </div>
-  
-  <h3><a href="#" onclick="document.getElementById('client_android').style.display = 'block'">Android</a></h3>
-  <ol id="client_android" style="display: none">
-    <li>Open the <em>Email</em> app.</li>
-    <li>If this is your first email account, tap <em>Add Account</em>; if not, tap <em>More</em> and <em>Settings</em> and then <em>Add account</em>.</li>
-    <li>Select <em>Microsoft Exchange ActiveSync</em>.</li>
-    <li>Enter your email address (<code><?php echo $email; ?></code>) and password.</li>
-    <li>Tap <em>Sign in</em>.</li>
-  </ol>
-  
-  <h3><a href="#" onclick="document.getElementById('client_emclient').style.display = 'block'">eM Client</a></h3>
-  <ol id="client_emclient" style="display: none">
-    <li>Launch eM Client.</li>
-    <li>If this is the first time you launched eM Client, it asks you to set up your account. Proceed to step 4.</li>
-    <li>Go to <em>Menu</em> at the top, select <em>Tools</em> and <em>Accounts</em>.</li>
-    <li>Enter your email address (<code><?php echo $email; ?></code>) and click <em>Start Now</em>.</li>
-    <li>Enter your password and click <em>Continue</em>.</li>
-    <li>Enter your name (<code><?php echo $displayname; ?></code>) and click <em>Next</em>.</li>
-    <li>Click <em>Finish</em>.</li>
-  </ol>
-  
-  <h3><a href="#" onclick="document.getElementById('client_kontact').style.display = 'block'">KDE Kontact</a></h3>
-  <div id="client_kontact" style="display: none">
-    <ol>
-      <li>Launch Kontact.</li>
-      <li>If this is the first time you launched Kontact or KMail, it asks you to set up your account. Proceed to step 4.</li>
-      <li>Go to <em>Mail</em> in the sidebar. Go to the <em>Tools</em> menu and select <em>Account Wizard</em>.</li>
-      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
-      <li>Click <em>Create Account</em>. If prompted, re-enter your password and click <em>OK</em>.</li>
-      <li>Close the window by clicking <em>Finish</em>.</li>
-      <li>Go to <em>Calendar</em> in the sidebar.</li>
-      <li>Go to the <em>Settings</em> menu and select <em>Configure KOrganizer</em>.</li>
-      <li>Go to the <em>Calendars</em> tab and click the <em>Add</em> button.</li>
-      <li>Choose <em>DAV groupware resource</em> and click <em>OK</em>.</li>
-      <li>Enter your email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
-      <li>Select <em>ScalableOGo</em> from the dropdown menu and click <em>Next</em>.</li>
-      <li>Enter <code><?= $autodiscover_config['caldav']['server']; ?></code> into the <em>Host</em> field and click <em>Next</em>.</li>
-      <li>Click <em>Test Connection</em> and then <em>Finish</em>. Finally, click <em>OK</em> twice.</li>
-    </ol>
-    <p>Once you have set up Kontact, you can also use KMail, KOrganizer and KAddressBook individually.</p>
-  </div>
-  
-  <h3><a href="#" onclick="document.getElementById('client_outlook').style.display = 'block'">Microsoft Outlook</a></h3>
-  <div id="client_outlook" style="display: none">
-<?php if ($autodiscover_config['useEASforOutlook'] == 'yes') { ?>
-    <h4>Outlook 2013 or higher on Windows</h4>
-    <ol>
-      <li>Launch Outlook.</li>
-      <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 4.</li>
-      <li>Go to the <em>File</em> menu and click <em>Add Account</em>.</li>
-      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
-      <li>When prompted, enter your password again, check <em>Remember my credentials</em> and click <em>OK</em>.</li>
-      <li>Click the <em>Allow</em> button.</li>
-      <li>Click <em>Finish</em>.</li>
-    </ol>
-    <h4>Outlook 2007 or 2010 on Windows</h4>
-<?php } else { ?>
-    <h4>Outlook 2007 or higher on Windows</h4>
-<?php } ?>
-    <ol>
-      <li>Download and install <a href="https://caldavsynchronizer.org" target="_blank">Outlook CalDav Synchronizer</a>.</li>
-      <li>Launch Outlook.</li>
-      <li>If this is the first time you launched Outlook, it asks you to set up your account. Proceed to step 5.</li>
-      <li>Go to the <em>File</em> menu and click <em>Add Account</em>.</li>
-      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Click <em>Next</em>.</li>
-      <li>Click <em>Finish</em>.</li>
-      <li>Go to the <em>CalDav Synchronizer</em> ribbon, click <em>Synchronization Profiles</em>.</li>
-      <li>Click the second button at top (<em>Add multiple profiles</em>), select <em>Sogo</em>, click <em>Ok</em>.</li>
-      <li>Click the <em>Get IMAP/POP3 account settings</em> button.</li>
-      <li>Click <em>Discover resources and assign to Outlook folders</em>.</li>
-      <li>In the <em>Select Resource</em> window that pops up, select your main calendar (usually <em>Personal Calendar</em>), click the <em>...</em> button, assign it to <em>Calendar</em>, and click <em>OK</em>. Go to the <em>Address Books</em> and <em>Tasks</em> tabs and repeat repeat the process accordingly. Do not assign multiple calendars, address books or task lists!</li>
-      <li>Close all windows with the <em>OK</em> buttons.</li>
-    </ol>
-    <h4>Outlook 2011 or higher on macOS</h4>
-    <p>The Mac version of Outlook does not synchronize calendars and contacts and therefore is not supported.</p>
-  </div>
-  
-  <h3><a href="#" onclick="document.getElementById('client_thunderbird').style.display = 'block'">Mozilla Thunderbird</a></h3>
-  <div id="client_thunderbird" style="display: none">
-    <ol>
-      <li>Launch Thunderbird.</li>
-      <li>If this is the first time you launched Thunderbird, it asks you whether you would like a new email address. Click <em>Skip this and use my existing email</em> and proceed to step 4.</li>
-      <li>Go to the <em>Tools</em> menu and select <em>Account Settings</em>.</li>
-      <li>Click the <em>Account Actions</em> dropdown menu at the bottom left and select <em>Add Mail Account</em>.</li>
-      <li>Enter your name (<code><?php echo $displayname; ?></code>), email address (<code><?php echo $email; ?></code>) and your password. Make sure the <em>Remember password</em> checkbox is selected and click <em>Continue</em>.</li>
-      <li>Once the configuration has been automatically detected, click <em>Done</em>.</li>
-      <li>If you already had other accounts configured in Thunderbird, select the new one (<?php echo $email; ?>) on the left, click the <em>Account Actions</em> dropdown and select <em>Set as Default</em>.</li>
-      <li>Close the account settings window with the <em>OK</em> button.</li>
-      <li>In your web browser, download <a href="thunderbird-plugins/<?php echo str_replace('__DOMAIN__', $domain, $integrator_file); ?>">SOGo Integrator</a>.</li>
-      <li>Back in Thunderbird, go to the <em>Tools</em> menu and select <em>Add-ons</em>.</li>
-      <li>Click <em>Extensions</em> on the left, click the little gear icon at the top and select <em>Install Add-on From File</em>. Select the file you downloaded in step 9, click <em>Open</em> and, after waiting for a few seconds, <em>Install Now</em>.</li>
-      <li>Click the <em>Restart Now</em> button at the top that appears.</li>
-      <li>Thunderbird briefly shows a message that it is updating extensions, then restarts automatically once more.</li>
-      <li>When you are prompted to authenticate for <?= $autodiscover_config['caldav']['server']; ?>, enter your email address and password, check <em>Use Password Manager</em> and click <em>OK</em>.</li>
-    </ol>
-  </div>
-  
-  <h3><a href="#" onclick="document.getElementById('client_windows').style.display = 'block'">Windows</a></h3>
-  <div id="client_windows" style="display: none">
-    <ol>
-    <li>Open the <em>Mail</em> app.</li>
-    <li>If you have not previously used Mail, you can click <em>Add Account</em> in the main window. Proceed to step 4.</li>
-    <li>Click <em>Accounts</em> in the sidebar on the left, then click <em>Add Account</em> on the far right.</li>
-    <li>Select <em>Exchange</em>.</li>
-    <li>Enter your email address (<code><?php echo $email; ?></code>) and click Next.</li>
-    <li>Enter your password and click <em>Log in</em>.</li>
-    </ol>
-    <p>Once you have set up the Mail app, you can also use the People and Calendar apps.</p>
-  </div>
-  
-  <h3><a href="#" onclick="document.getElementById('client_windowsphone').style.display = 'block'">Windows Phone</a></h3>
-  <ol id="client_windowsphone" style="display: none">
-    <li>Open the <em>Settings</em> app. Select <em>email + accounts</em> and tap <em>add an account</em>.</li>
-    <li>Tap Exchange.</li>
-    <li>Enter your email address (<code><?php echo $email; ?></code>) and your password. Tap <em>Sign in</em>.</li>
-    <li>Tap <em>done</em>.</li>
-  </ol>
-</div>
-
-<?php
-require_once("inc/footer.inc.php");
-} else {
-  header('Location: index.php');
-  exit();
-}
-?>
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index af93794b..b3420530 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -62,17 +62,17 @@ function hasMailboxObjectAccess($username, $role, $object) {
 	}
 	return false;
 }
-function pem_to_der($pem_key) {
-  // Need to remove BEGIN/END PUBLIC KEY
-  $lines = explode("\n", trim($pem_key));
-  unset($lines[count($lines)-1]);
-  unset($lines[0]);
-  return base64_decode(implode('', $lines));
-}
 function generate_tlsa_digest($hostname, $port, $starttls = null) {
   if (!is_valid_domain_name($hostname)) {
     return "Not a valid hostname";
   }
+  function pem_to_der($pem_key) {
+    // Need to remove BEGIN/END PUBLIC KEY
+    $lines = explode("\n", trim($pem_key));
+    unset($lines[count($lines)-1]);
+    unset($lines[0]);
+    return base64_decode(implode('', $lines));
+  }
 
   if (empty($starttls)) {
     $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'allow_self_signed' => true)));
@@ -88,24 +88,20 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
       return $error_nr . ': ' . $error_msg;
     }
     $banner = fread($stream, 512 );
-    if (preg_match("/^220/i", $banner)) { // SMTP
+    if (preg_match("/^220/i", $banner)) {
       fwrite($stream,"HELO tlsa.generator.local\r\n");
       fread($stream, 512);
       fwrite($stream,"STARTTLS\r\n");
       fread($stream, 512);
     }
-    elseif (preg_match("/imap.+starttls/i", $banner)) { // IMAP
+    elseif (preg_match("/imap.+starttls/i", $banner)) {
       fwrite($stream,"A1 STARTTLS\r\n");
       fread($stream, 512);
     }
-    elseif (preg_match("/^\+OK/", $banner)) { // POP3
+    elseif (preg_match("/^\+OK/", $banner)) {
       fwrite($stream,"STLS\r\n");
       fread($stream, 512);
     }
-    elseif (preg_match("/^OK/m", $banner)) { // Sieve
-      fwrite($stream,"STARTTLS\r\n");
-      fread($stream, 512);
-    }
     else {
       return 'Unknown banner: "' . htmlspecialchars(trim($banner)) . '"';
     }
diff --git a/data/web/inc/vars.inc.php b/data/web/inc/vars.inc.php
index 775af1e1..a52442db 100644
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@@ -18,48 +18,31 @@ $database_name = getenv('DBNAME');
 $mailcow_hostname = getenv('MAILCOW_HOSTNAME');
 
 // Autodiscover settings
-$https_port = strpos($_SERVER['HTTP_HOST'], ':');
-if ($https_port === FALSE) {
-  $https_port = 443;
-} else {
-  $https_port = substr($_SERVER['HTTP_HOST'], $https_port+1);
-}
 $autodiscover_config = array(
   // Enable the autodiscover service for Outlook desktop clients
   'useEASforOutlook' => 'yes',
   // General autodiscover service type: "activesync" or "imap"
   'autodiscoverType' => 'activesync',
-  // Please don't use STARTTLS-enabled service ports in the "port" variable.
+  // Please don't use STARTTLS-enabled service ports here.
   // The autodiscover service will always point to SMTPS and IMAPS (TLS-wrapped services).
-  // The autoconfig service will additionally announce the STARTTLS-enabled ports, specified in the "tlsport" variable.
   'imap' => array(
     'server' => $mailcow_hostname,
-    'port' => array_pop(explode(':', getenv('IMAPS_PORT'))),
-    'tlsport' => array_pop(explode(':', getenv('IMAP_PORT'))),
-  ),
-  'pop3' => array(
-    'server' => $mailcow_hostname,
-    'port' => array_pop(explode(':', getenv('POPS_PORT'))),
-    'tlsport' => array_pop(explode(':', getenv('POP_PORT'))),
+    'port' => getenv('IMAPS_PORT'),
   ),
   'smtp' => array(
     'server' => $mailcow_hostname,
-    'port' => array_pop(explode(':', getenv('SMTPS_PORT'))),
-    'tlsport' => array_pop(explode(':', getenv('SUBMISSION_PORT'))),
+    'port' => getenv('SMTPS_PORT'),
   ),
   'activesync' => array(
-    'url' => 'https://'.$mailcow_hostname.($https_port == 443 ? '' : ':'.$https_port).'/Microsoft-Server-ActiveSync',
+    'url' => 'https://'.$mailcow_hostname.'/Microsoft-Server-ActiveSync'
   ),
   'caldav' => array(
-    'server' => $mailcow_hostname,
-    'port' => $https_port,
+    'url' => 'https://'.$mailcow_hostname
   ),
   'carddav' => array(
-    'server' => $mailcow_hostname,
-    'port' => $https_port,
-  ),
+    'url' => 'https://'.$mailcow_hostname
+  )
 );
-unset($https_port);
 
 // Where to go after adding and editing objects
 // Can be "form" or "previous"
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index 54a497ab..732171cc 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -108,7 +108,6 @@ $lang['user']['user_settings'] = 'Benutzereinstellungen';
 $lang['user']['mailbox_settings'] = 'Mailbox-Einstellungen';
 $lang['user']['mailbox_details'] = 'Mailbox-Details';
 $lang['user']['change_password'] = 'Passwort ändern';
-$lang['user']['client_configuration'] = 'Konfigurationsanleitungen für E-Mail-Programme und Smartphones anzeigen';
 $lang['user']['new_password'] = 'Neues Passwort';
 $lang['user']['save_changes'] = 'Änderungen speichern';
 $lang['user']['password_now'] = 'Aktuelles Passwort (Änderungen bestätigen)';
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index f0608821..391c7d01 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -110,7 +110,6 @@ $lang['user']['user_settings'] = 'User settings';
 $lang['user']['mailbox_settings'] = 'Mailbox settings';
 $lang['user']['mailbox_details'] = 'Mailbox details';
 $lang['user']['change_password'] = 'Change password';
-$lang['user']['client_configuration'] = 'Show configuration guides for email clients and smartphones';
 $lang['user']['new_password'] = 'New password';
 $lang['user']['save_changes'] = 'Save changes';
 $lang['user']['password_now'] = 'Current password (confirm changes)';
diff --git a/data/web/mobileconfig.php b/data/web/mobileconfig.php
deleted file mode 100644
index 198fa4d7..00000000
--- a/data/web/mobileconfig.php
+++ /dev/null
@@ -1,167 +0,0 @@
-<?php
-require_once 'inc/prerequisites.inc.php';
-
-if (empty($mailcow_hostname)) {
-  exit();
-}
-if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != 'user') {
-  header("Location: index.php");
-  die("This page is only available to logged-in users, not admins.");
-}
-
-header('Content-Type: application/x-apple-aspen-config');
-header('Content-Disposition: attachment; filename="Mailcow.mobileconfig"');
-
-$email = $_SESSION['mailcow_cc_username'];
-$domain = explode('@', $_SESSION['mailcow_cc_username'])[1];
-$identifier = implode('.', array_reverse(explode('.', $domain))) . '.iphoneprofile.mailcow';
-
-try {
-  $stmt = $pdo->prepare("SELECT `name` FROM `mailbox` WHERE `username`= :username");
-  $stmt->execute(array(':username' => $email));
-  $MailboxData = $stmt->fetch(PDO::FETCH_ASSOC);
-}
-catch(PDOException $e) {
-  die("Failed to determine name from SQL");
-}
-if (!empty($MailboxData['name'])) {
-  $displayname = utf8_encode($MailboxData['name']);
-}
-else {
-  $displayname = $email;
-}
-
-echo '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
-?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>PayloadContent</key>
-	<array>
-		<dict>
-			<key>CalDAVAccountDescription</key>
-			<string><?php echo $domain; ?></string>
-			<key>CalDAVHostName</key>
-			<string><?php echo $autodiscover_config['caldav']['server']; ?></string>
-			<key>CalDAVPort</key>
-			<real><?php echo $autodiscover_config['caldav']['port']; ?></real>
-			<key>CalDAVPrincipalURL</key>
-			<string>/SOGo/dav/<?php echo $email; ?></string>
-			<key>CalDAVUseSSL</key>
-			<true/>
-			<key>CalDAVUsername</key>
-			<string><?php echo $email; ?></string>
-			<key>PayloadDescription</key>
-			<string>Configures CalDAV account.</string>
-			<key>PayloadDisplayName</key>
-			<string>CalDAV (<?php echo $domain; ?>)</string>
-			<key>PayloadIdentifier</key>
-			<string><?php echo $identifier; ?>.CalDAV</string>
-			<key>PayloadOrganization</key>
-			<string></string>
-			<key>PayloadType</key>
-			<string>com.apple.caldav.account</string>
-			<key>PayloadUUID</key>
-			<string>FC898573-EBA8-48AF-93BD-BFA0C9778FA7</string>
-			<key>PayloadVersion</key>
-			<integer>1</integer>
-		</dict>
-		<dict>
-			<key>EmailAccountDescription</key>
-			<string><?php echo $domain; ?></string>
-			<key>EmailAccountType</key>
-			<string>EmailTypeIMAP</string>
-			<key>EmailAccountName</key>
-			<string><?php echo $displayname; ?></string>
-			<key>EmailAddress</key>
-			<string><?php echo $email; ?></string>
-			<key>IncomingMailServerAuthentication</key>
-			<string>EmailAuthPassword</string>
-			<key>IncomingMailServerHostName</key>
-			<string><?php echo $autodiscover_config['imap']['server']; ?></string>
-			<key>IncomingMailServerPortNumber</key>
-			<integer><?php echo $autodiscover_config['imap']['port']; ?></integer>
-			<key>IncomingMailServerUseSSL</key>
-			<true/>
-			<key>IncomingMailServerUsername</key>
-			<string><?php echo $email; ?></string>
-			<key>OutgoingMailServerAuthentication</key>
-			<string>EmailAuthPassword</string>
-			<key>OutgoingMailServerHostName</key>
-			<string><?php echo $autodiscover_config['smtp']['server']; ?></string>
-			<key>OutgoingMailServerPortNumber</key>
-			<integer><?php echo $autodiscover_config['smtp']['port']; ?></integer>
-			<key>OutgoingMailServerUseSSL</key>
-			<true/>
-			<key>OutgoingMailServerUsername</key>
-			<string><?php echo $email; ?></string>
-			<key>OutgoingPasswordSameAsIncomingPassword</key>
-			<true/>
-			<key>PayloadDescription</key>
-			<string>Configures email account.</string>
-			<key>PayloadDisplayName</key>
-			<string>IMAP Account (<?php echo $domain; ?>)</string>
-			<key>PayloadIdentifier</key>
-			<string><?php echo $identifier; ?>.email</string>
-			<key>PayloadOrganization</key>
-			<string></string>
-			<key>PayloadType</key>
-			<string>com.apple.mail.managed</string>
-			<key>PayloadUUID</key>
-			<string>00294FBB-1016-413E-87B9-652D856D6875</string>
-			<key>PayloadVersion</key>
-			<integer>1</integer>
-			<key>PreventAppSheet</key>
-			<false/>
-			<key>PreventMove</key>
-			<false/>
-			<key>SMIMEEnabled</key>
-			<false/>
-		</dict>
-		<dict>
-			<key>CardDAVAccountDescription</key>
-			<string><?php echo $domain; ?></string>
-			<key>CardDAVHostName</key>
-			<string><?php echo $autodiscover_config['carddav']['server']; ?></string>
-			<key>CardDAVPort</key>
-			<integer><?php echo $autodiscover_config['carddav']['port']; ?></integer>
-			<key>CardDAVPrincipalURL</key>
-			<string>/SOGo/dav/<?php echo $email; ?></string>
-			<key>CardDAVUseSSL</key>
-			<true/>
-			<key>CardDAVUsername</key>
-			<string><?php echo $email; ?></string>
-			<key>PayloadDescription</key>
-			<string>Configures CardDAV accounts</string>
-			<key>PayloadDisplayName</key>
-			<string>CardDAV (<?php echo $domain; ?>)</string>
-			<key>PayloadIdentifier</key>
-			<string><?php echo $identifier; ?>.carddav</string>
-			<key>PayloadOrganization</key>
-			<string></string>
-			<key>PayloadType</key>
-			<string>com.apple.carddav.account</string>
-			<key>PayloadUUID</key>
-			<string>0797EF2B-B1F1-4BC7-ABCD-4580862252B4</string>
-			<key>PayloadVersion</key>
-			<integer>1</integer>
-		</dict>
-	</array>
-	<key>PayloadDescription</key>
-	<string>IMAP, CalDAV, CardDAV</string>
-	<key>PayloadDisplayName</key>
-	<string><?php echo $domain; ?> Mailcow</string>
-	<key>PayloadIdentifier</key>
-	<string><?php echo $identifier; ?></string>
-	<key>PayloadOrganization</key>
-	<string></string>
-	<key>PayloadRemovalDisallowed</key>
-	<false/>
-	<key>PayloadType</key>
-	<string>Configuration</string>
-	<key>PayloadUUID</key>
-	<string>5EE248C5-ACCB-42D8-9199-8F8ED08D5624</string>
-	<key>PayloadVersion</key>
-	<integer>1</integer>
-</dict>
-</plist>
diff --git a/data/web/user.php b/data/web/user.php
index ba7678e2..77ccc62d 100644
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -74,7 +74,6 @@ elseif (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == '
   <div class="row">
     <div class="col-sm-offset-3 col-sm-9">
       <p><a href="#pwChangeModal" data-toggle="modal">[<?=$lang['user']['change_password'];?>]</a></p>
-      <p><a href="clientconfig.php">[<?=$lang['user']['client_configuration'];?>]</a></p>
     </div>
   </div>
   <hr>

From c5d90b821ae2c82507bf5e8973e7ae7a6d256cb1 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 09:19:12 +0200
Subject: [PATCH 07/26] [Dovecot] Add extra.conf include to override Dovecot
 configuration changes

---
 .gitignore                     | 1 +
 data/conf/dovecot/dovecot.conf | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/.gitignore b/.gitignore
index 9ea8b05b..b8558fdb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ data/conf/rspamd/override.d/*
 !data/conf/nginx/dynmaps.conf
 !data/conf/nginx/site.conf
 data/conf/nginx/*.conf
+data/conf/dovecot/extra.conf
diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 2fc271e8..056f31de 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -1,3 +1,6 @@
+# --------------------------------------------------------------------------
+# Please create a file "extra.conf" for persistent overrides to dovecot.conf
+# --------------------------------------------------------------------------
 auth_mechanisms = plain login
 #mail_debug = yes
 log_path = syslog
@@ -256,3 +259,4 @@ service imap-postlogin {
   unix_listener imap-postlogin {
   }
 }
+!include_try /usr/local/etc/dovecot/extra.conf

From e1fc551bd2eabe075c29250a7be0d17be57f4a35 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 21:27:49 +0200
Subject: [PATCH 08/26] [update.sh] Fix compose project name variable, add
 DOVEADM_PORT

---
 update.sh | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/update.sh b/update.sh
index 9da208b4..80aae031 100755
--- a/update.sh
+++ b/update.sh
@@ -7,7 +7,7 @@ if [[ -z $(which git) ]]; then echo "Cannot find git, exiting."; exit 1; fi
 if [[ -z $(which awk) ]]; then echo "Cannot find awk, exiting."; exit 1; fi
 if [[ -z $(which sha1sum) ]]; then echo "Cannot find sha1sum, exiting."; exit 1; fi
 
-CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN")
+CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN", "DOVEADM_PORT")
 echo >> mailcow.conf
 for option in ${CONFIG_ARRAY[@]}; do
 	if [[ ${option} == "ADDITIONAL_SAN" ]]; then
@@ -18,7 +18,12 @@ for option in ${CONFIG_ARRAY[@]}; do
 	elif [[ ${option} == "COMPOSE_PROJECT_NAME" ]]; then
 		if ! grep -q ${option} mailcow.conf; then
 			echo "Adding new option \"${option}\" to mailcow.conf"
-			echo "${COMPOSE_PROJECT_NAME}=mailcow-dockerized" >> mailcow.conf
+			echo "COMPOSE_PROJECT_NAME=mailcow-dockerized" >> mailcow.conf
+		fi
+	elif [[ ${option} == "DOVEADM_PORT" ]]; then
+		if ! grep -q ${option} mailcow.conf; then
+			echo "Adding new option \"${option}\" to mailcow.conf"
+			echo "DOVEADM_PORT=127.0.0.1:19991" >> mailcow.conf
 		fi
 	elif ! grep -q ${option} mailcow.conf; then
 		echo "Adding new option \"${option}\" to mailcow.conf"

From 12e9620a070a9660d4d66995dcdd93a70ec36039 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 21:28:24 +0200
Subject: [PATCH 09/26] [Compose] Add DOVEADM_PORT with default binding
 127.0.0.1:19991

---
 docker-compose.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index d5337721..359b9d4a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -191,6 +191,7 @@ services:
         options:
           max-size: "5m"
       ports:
+        - "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
         - "${IMAP_PORT:-143}:143"
         - "${IMAPS_PORT:-993}:993"
         - "${POP_PORT:-110}:110"

From 54eea38b76d129f19ff586c3b86eb753a3fa15b6 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 21:28:44 +0200
Subject: [PATCH 10/26] Fix README.md bitcoin address

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6befab5f..42b2a3f1 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=JWBSYHF4SMC68)
 
-[![Donate (Bitcoin)](https://img.shields.io/badge/Donate-Bitcoin-blue.svg)](bitcoin:1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx)
+**mailcow Bitcoin donations:** 1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx
 
 Please see [the official documentation](https://mailcow.github.io/mailcow-dockerized-docs/) for instructions.
 

From c80d6056320c6763b5a51848105eafaa4f98a5d7 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 21:29:03 +0200
Subject: [PATCH 11/26] Add DOVEADM_PORT to generate_config.sh

---
 generate_config.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/generate_config.sh b/generate_config.sh
index 62a5ecaf..4ef1515f 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -68,6 +68,7 @@ IMAPS_PORT=993
 POP_PORT=110
 POPS_PORT=995
 SIEVE_PORT=4190
+DOVEADM_PORT=127.0.0.1:19991
 
 # Your timezone
 TZ=${TZ}

From 08b99c8d74f9e0396c31ed4fe88975740fce6991 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 10 Jul 2017 21:30:45 +0200
Subject: [PATCH 12/26] [Dovecot] Add doveadm service

---
 data/conf/dovecot/dovecot.conf | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/data/conf/dovecot/dovecot.conf b/data/conf/dovecot/dovecot.conf
index 056f31de..2d416d21 100644
--- a/data/conf/dovecot/dovecot.conf
+++ b/data/conf/dovecot/dovecot.conf
@@ -34,6 +34,12 @@ passdb {
   args = /usr/local/etc/dovecot/sql/dovecot-mysql.conf
   driver = sql
 }
+# Set doveadm_password=your-secret-password in data/conf/dovecot/extra.conf (create if missing)
+service doveadm {
+  inet_listener {
+    port = 12345
+  }
+}
 namespace inbox {
   inbox = yes
   location =

From 99cd459655f1dfdd5cd619b0ee84e85cd72ac167 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 17:06:36 +0200
Subject: [PATCH 13/26] [Compose] Remove logging restrictions to make it easier
 to implement other drivers; Push new Postfix, SOGo and Dovecot images

---
 docker-compose.yml | 24 +++---------------------
 1 file changed, 3 insertions(+), 21 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 359b9d4a..68ba9d2b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -96,9 +96,6 @@ services:
         - dkim-vol-1:/data/dkim
         - rspamd-vol-1:/var/lib/rspamd
       restart: always
-      logging:
-        options:
-          max-size: "5m"
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -133,9 +130,6 @@ services:
         - SMTPS_PORT=${SMTPS_PORT:-465}
         - SMTP_PORT=${SMTP_PORT:-25}
       restart: always
-      logging:
-        options:
-          max-size: "5m"
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -145,7 +139,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.2
+      image: mailcow/sogo:1.3
       build: ./data/Dockerfiles/sogo
       depends_on:
         unbound-mailcow:
@@ -159,9 +153,6 @@ services:
       volumes:
         - ./data/conf/sogo/:/etc/sogo/
       restart: always
-      logging:
-        options:
-          max-size: "5m"
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -172,7 +163,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:1.3
+      image: mailcow/dovecot:1.4
       build: ./data/Dockerfiles/dovecot
       depends_on:
         unbound-mailcow:
@@ -187,9 +178,6 @@ services:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
         - DBPASS=${DBPASS}
-      logging:
-        options:
-          max-size: "5m"
       ports:
         - "${DOVEADM_PORT:-127.0.0.1:19991}:12345"
         - "${IMAP_PORT:-143}:143"
@@ -208,7 +196,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.1
+      image: mailcow/postfix:1.2
       build: ./data/Dockerfiles/postfix
       depends_on:
         unbound-mailcow:
@@ -227,9 +215,6 @@ services:
         - "${SMTPS_PORT:-465}:465"
         - "${SUBMISSION_PORT:-587}:587"
       restart: always
-      logging:
-        options:
-          max-size: "5m"
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -276,9 +261,6 @@ services:
         - ./data/conf/rspamd/dynmaps:/dynmaps:ro
         - ./data/assets/ssl/:/etc/ssl/mail/:ro
         - ./data/conf/nginx/:/etc/nginx/conf.d/:rw
-      logging:
-        options:
-          max-size: "5m"
       ports:
         - "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
         - "${HTTP_BIND:-0.0.0.0}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"

From a31819fd6c73efc2684eb6c6f725803d39640c72 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 17:08:06 +0200
Subject: [PATCH 14/26] [SOGo] Log to a pipe to not keep logs in a container

---
 data/Dockerfiles/sogo/supervisord.conf | 20 ++++++++++++--------
 data/Dockerfiles/sogo/syslog-ng.conf   | 18 ++++++++----------
 data/conf/sogo/sogo.conf               |  1 +
 3 files changed, 21 insertions(+), 18 deletions(-)

diff --git a/data/Dockerfiles/sogo/supervisord.conf b/data/Dockerfiles/sogo/supervisord.conf
index b76173fe..30392e3b 100644
--- a/data/Dockerfiles/sogo/supervisord.conf
+++ b/data/Dockerfiles/sogo/supervisord.conf
@@ -3,9 +3,11 @@ nodaemon=true
 
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground  --no-caps
-redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autostart=true
-stdout_syslog=true
 priority=1
 
 [program:cron]
@@ -22,22 +24,24 @@ priority=4
 
 [program:reconf-domains]
 command=/reconf-domains.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 priority=3
 autorestart=true
 
 [program:sogo]
 command="/usr/sbin/sogod"
 user=sogo
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart = unexpected
 autostart = false
 priority=5
 
-[program:sogo-syslog]
-command=/usr/bin/tail -f /var/log/combined.log
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0
-priority=6
-
 [inet_http_server]
 port=9191
 
diff --git a/data/Dockerfiles/sogo/syslog-ng.conf b/data/Dockerfiles/sogo/syslog-ng.conf
index 4d17d9b1..264bca44 100644
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@@ -1,4 +1,4 @@
-@version: 3.5
+@version: 3.8
 @include "scl.conf"
 options {
   chain_hostnames(off);
@@ -14,12 +14,10 @@ source s_src {
   internal();
 };
 source s_sogo {
-  file("/var/log/sogo/sogo.log");
+  pipe("/dev/sogo_log" owner(sogo) group(sogo));
 };
-destination d_combined {
-  file("/var/log/combined.log");
-};
-destination d_redis_persistent_log {
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
   redis(
     host("redis-mailcow")
     persist-name("redis1")
@@ -37,11 +35,11 @@ destination d_redis_f2b_channel {
 };
 log {
   source(s_sogo);
-  source(s_src);
-  destination(d_combined);
+  destination(d_redis_ui_log);
+  destination(d_redis_f2b_channel);
 };
 log {
   source(s_sogo);
-  destination(d_redis_persistent_log);
-  destination(d_redis_f2b_channel);
+  source(s_src);
+  destination(d_stdout);
 };
diff --git a/data/conf/sogo/sogo.conf b/data/conf/sogo/sogo.conf
index 32dc1e5e..151f5aa3 100644
--- a/data/conf/sogo/sogo.conf
+++ b/data/conf/sogo/sogo.conf
@@ -78,4 +78,5 @@
   //MySQL4DebugEnabled = YES;
   //SOGoUIxDebugEnabled = YES;
   //WODontZipResponse = YES;
+    WOLogFile = "/dev/sogo_log";
 }

From f8ae5158cba45bf42f34832f2e8793486d540326 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 17:09:20 +0200
Subject: [PATCH 15/26] [Postfix] Do not keep persistent logs in a container

---
 data/Dockerfiles/postfix/Dockerfile       |  5 ++---
 data/Dockerfiles/postfix/supervisord.conf | 11 ++++-------
 data/Dockerfiles/postfix/syslog-ng.conf   |  9 ++++-----
 data/Dockerfiles/postfix/zeyple.conf      |  2 +-
 4 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/data/Dockerfiles/postfix/Dockerfile b/data/Dockerfiles/postfix/Dockerfile
index 283adbe6..2e0e73df 100644
--- a/data/Dockerfiles/postfix/Dockerfile
+++ b/data/Dockerfiles/postfix/Dockerfile
@@ -25,14 +25,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 	syslog-ng \
 	syslog-ng-core \
 	syslog-ng-mod-redis \
-	&& rm -rf /var/lib/apt/lists/*
+	&& rm -rf /var/lib/apt/lists/* \
+	&& touch /etc/default/locale
 
 RUN addgroup --system --gid 600 zeyple
 RUN adduser --system --home /var/lib/zeyple --no-create-home --uid 600 --gid 600 --disabled-login zeyple
 RUN touch /var/log/zeyple.log && chown zeyple: /var/log/zeyple.log
 
-RUN touch /etc/default/locale
-
 COPY zeyple.py /usr/local/bin/zeyple.py
 COPY zeyple.conf /etc/zeyple.conf
 COPY supervisord.conf /etc/supervisor/supervisord.conf
diff --git a/data/Dockerfiles/postfix/supervisord.conf b/data/Dockerfiles/postfix/supervisord.conf
index 0968bb0a..55e76a95 100644
--- a/data/Dockerfiles/postfix/supervisord.conf
+++ b/data/Dockerfiles/postfix/supervisord.conf
@@ -3,19 +3,16 @@ nodaemon=true
 
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground  --no-caps
-redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autostart=true
-stdout_syslog=true
 
 [program:postfix]
 command=/opt/postfix.sh
 autorestart=true
 
-[program:postfix-maillog]
-command=/bin/tail -f /var/log/zeyple.log /var/log/combined.log
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-
 [unix_http_server]
 file=/var/tmp/supervisord.sock  
 chmod=0770  
diff --git a/data/Dockerfiles/postfix/syslog-ng.conf b/data/Dockerfiles/postfix/syslog-ng.conf
index c4bb63ba..808b06b7 100644
--- a/data/Dockerfiles/postfix/syslog-ng.conf
+++ b/data/Dockerfiles/postfix/syslog-ng.conf
@@ -13,9 +13,8 @@ source s_src {
   unix-stream("/dev/log");
   internal();
 };
-
-destination d_combined { file("/var/log/combined.log"); };
-destination d_redis_persistent_log {
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
   redis(
     host("redis-mailcow")
     persist-name("redis1")
@@ -34,8 +33,8 @@ destination d_redis_f2b_channel {
 filter f_mail { facility(mail); };
 log {
   source(s_src);
-  destination(d_combined);
+  destination(d_stdout);
   filter(f_mail);
-  destination(d_redis_persistent_log);
+  destination(d_redis_ui_log);
   destination(d_redis_f2b_channel);
 };
diff --git a/data/Dockerfiles/postfix/zeyple.conf b/data/Dockerfiles/postfix/zeyple.conf
index 7f039582..cc176a0e 100644
--- a/data/Dockerfiles/postfix/zeyple.conf
+++ b/data/Dockerfiles/postfix/zeyple.conf
@@ -1,5 +1,5 @@
 [zeyple]
-log_file = /var/log/zeyple.log
+log_file = /dev/null
 
 [gpg]
 home = /var/lib/zeyple/keys

From 9e92c4a2ade3070445539de957212397dbb9fcf9 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 17:09:31 +0200
Subject: [PATCH 16/26] [Dovecot] Do not keep persistent logs in a container

---
 data/Dockerfiles/dovecot/supervisord.conf | 11 ++++-------
 data/Dockerfiles/dovecot/syslog-ng.conf   |  9 ++++-----
 2 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/data/Dockerfiles/dovecot/supervisord.conf b/data/Dockerfiles/dovecot/supervisord.conf
index e2e02250..33d488b8 100644
--- a/data/Dockerfiles/dovecot/supervisord.conf
+++ b/data/Dockerfiles/dovecot/supervisord.conf
@@ -3,19 +3,16 @@ nodaemon=true
 
 [program:syslog-ng]
 command=/usr/sbin/syslog-ng --foreground --no-caps
-redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autostart=true
-stdout_syslog=true
 
 [program:dovecot]
 command=/usr/local/sbin/dovecot -F
 autorestart=true
 
-[program:logfiles]
-command=/usr/bin/tail -f /var/log/combined.log
-stdout_logfile=/dev/fd/1
-stdout_logfile_maxbytes=0
-
 [program:cron]
 command=/usr/sbin/cron -f
 autorestart=true
diff --git a/data/Dockerfiles/dovecot/syslog-ng.conf b/data/Dockerfiles/dovecot/syslog-ng.conf
index b8cc44fd..0257d6a1 100644
--- a/data/Dockerfiles/dovecot/syslog-ng.conf
+++ b/data/Dockerfiles/dovecot/syslog-ng.conf
@@ -13,9 +13,8 @@ source s_src {
   unix-stream("/dev/log");
   internal();
 };
-
-destination d_combined { file("/var/log/combined.log"); };
-destination d_redis_persistent_log {
+destination d_stdout { pipe("/dev/stdout"); };
+destination d_redis_ui_log {
   redis(
     host("redis-mailcow")
     persist-name("redis1")
@@ -34,8 +33,8 @@ destination d_redis_f2b_channel {
 filter f_mail { facility(mail); };
 log {
   source(s_src);
-  destination(d_combined);
+  destination(d_stdout);
   filter(f_mail);
-  destination(d_redis_persistent_log);
+  destination(d_redis_ui_log);
   destination(d_redis_f2b_channel);
 };

From 52231ac38d63f610829b6999f99793aa83281051 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 21:07:00 +0200
Subject: [PATCH 17/26] [update.sh] Remove ,

---
 update.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/update.sh b/update.sh
index 80aae031..998dc32b 100755
--- a/update.sh
+++ b/update.sh
@@ -7,7 +7,7 @@ if [[ -z $(which git) ]]; then echo "Cannot find git, exiting."; exit 1; fi
 if [[ -z $(which awk) ]]; then echo "Cannot find awk, exiting."; exit 1; fi
 if [[ -z $(which sha1sum) ]]; then echo "Cannot find sha1sum, exiting."; exit 1; fi
 
-CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN", "DOVEADM_PORT")
+CONFIG_ARRAY=("SKIP_LETS_ENCRYPT" "SKIP_CLAMD" "SKIP_IP_CHECK" "SKIP_FAIL2BAN" "ADDITIONAL_SAN" "DOVEADM_PORT")
 echo >> mailcow.conf
 for option in ${CONFIG_ARRAY[@]}; do
 	if [[ ${option} == "ADDITIONAL_SAN" ]]; then

From 48318a499924365e2defba9cc005ccc3e8514280 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Tue, 11 Jul 2017 22:51:48 +0200
Subject: [PATCH 18/26] [Compose] nslookup against google.com

---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 68ba9d2b..e29285ec 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
         mysql-mailcow:
           condition: service_healthy
       healthcheck:
-        test: ["CMD", "nslookup", "mailcow.email", "127.0.0.1"]
+        test: ["CMD", "nslookup", "google.com", "127.0.0.1"]
         interval: 30s
         timeout: 3s
         retries: 10

From e6727b1fd65a3472a4e1894b600d8e4557e6e2fb Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 13 Jul 2017 12:51:52 +0200
Subject: [PATCH 19/26] [ACME] Iterate alias domains, use hostname in subject
 field

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 9 ++++++---
 docker-compose.yml                         | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index b8098a14..f20da206 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -77,9 +77,12 @@ while true; do
 	# Container ids may have changed
 	CONTAINERS_RESTART=($(curl --silent --unix-socket /var/run/docker.sock http/containers/json | jq -rc 'map(select(.Names[] | contains ("nginx-mailcow") or contains ("postfix-mailcow") or contains ("dovecot-mailcow"))) | .[] .Id' | tr "\n" " "))
 
-	while read line; do
-		SQL_DOMAIN_ARR+=("${line}")
+	while read domain; do
+		SQL_DOMAIN_ARR+=("${domain}")
 	done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT domain FROM domain" -Bs)
+    while read alias_domain; do
+        SQL_DOMAIN_ARR+=("${alias_domain}")
+    done < <(mysql -h mysql-mailcow -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT alias_domain FROM alias_domain" -Bs)
 
 	for SQL_DOMAIN in "${SQL_DOMAIN_ARR[@]}"; do
 		A_CONFIG=$(dig A autoconfig.${SQL_DOMAIN} +short | tail -n 1)
@@ -138,7 +141,7 @@ while true; do
 	done
 
   # Unique elements
-	ALL_VALIDATED=($(echo ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${VALIDATED_MAILCOW_HOSTNAME} | xargs -n1 | sort -u | xargs))
+	ALL_VALIDATED=($(echo ${VALIDATED_MAILCOW_HOSTNAME} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} | xargs -n1 | sort -u | xargs))
 	if [[ -z ${ALL_VALIDATED[*]} ]]; then
 		echo "Cannot validate hostnames, skipping Let's Encrypt..."
 		exit 0
diff --git a/docker-compose.yml b/docker-compose.yml
index e29285ec..68ba9d2b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
         mysql-mailcow:
           condition: service_healthy
       healthcheck:
-        test: ["CMD", "nslookup", "google.com", "127.0.0.1"]
+        test: ["CMD", "nslookup", "mailcow.email", "127.0.0.1"]
         interval: 30s
         timeout: 3s
         retries: 10

From 4e148c7026e4e73ba6eaf15f9ce4d6c899c16d84 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 13 Jul 2017 12:54:29 +0200
Subject: [PATCH 20/26] [Compose] Push Rspamd 1.4; Push acme 1.14; Add Dovecot
 ulimits

---
 docker-compose.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 68ba9d2b..04c81a56 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -80,7 +80,7 @@ services:
             - clamd
 
     rspamd-mailcow:
-      image: mailcow/rspamd:1.3
+      image: mailcow/rspamd:1.4
       build: ./data/Dockerfiles/rspamd
       command: > 
         /bin/bash -c "
@@ -186,6 +186,11 @@ services:
         - "${POPS_PORT:-995}:995"
         - "${SIEVE_PORT:-4190}:4190"
       restart: always
+      ulimits:
+        nproc: 65535
+        nofile:
+          soft: 20000
+          hard: 40000
       dns:
         - 172.22.1.254
       dns_search: mailcow-network
@@ -277,7 +282,7 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.12
+      image: mailcow/acme:1.13
       build: ./data/Dockerfiles/acme
       dns:
         - 172.22.1.254

From 5f5872f78b0e4237c4932f58724ecff7fc6bf7cf Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 13 Jul 2017 12:54:53 +0200
Subject: [PATCH 21/26] [Rspamd] Initial custom ratelimit support

---
 data/Dockerfiles/rspamd/Dockerfile    |   1 +
 data/Dockerfiles/rspamd/ratelimit.lua | 717 ++++++++++++++++++++++++++
 2 files changed, 718 insertions(+)
 create mode 100644 data/Dockerfiles/rspamd/ratelimit.lua

diff --git a/data/Dockerfiles/rspamd/Dockerfile b/data/Dockerfiles/rspamd/Dockerfile
index 408a7a1d..cb5c7d40 100644
--- a/data/Dockerfiles/rspamd/Dockerfile
+++ b/data/Dockerfiles/rspamd/Dockerfile
@@ -19,6 +19,7 @@ RUN apt-get update && apt-get install -y \
 	&& chown _rspamd:_rspamd /run/rspamd
 
 COPY settings.conf /etc/rspamd/modules.d/settings.conf
+COPY ratelimit.lua /usr/share/rspamd/lua/ratelimit.lua
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/data/Dockerfiles/rspamd/ratelimit.lua b/data/Dockerfiles/rspamd/ratelimit.lua
new file mode 100644
index 00000000..d9e8f42a
--- /dev/null
+++ b/data/Dockerfiles/rspamd/ratelimit.lua
@@ -0,0 +1,717 @@
+--[[
+Copyright (c) 2011-2015, Vsevolod Stakhov <vsevolod@highsecure.ru>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+]]--
+
+if confighelp then
+  return
+end
+
+-- A plugin that implements ratelimits using redis or kvstorage server
+
+local E = {}
+
+-- Default settings for limits, 1-st member is burst, second is rate and the third is numeric type
+local settings = {
+}
+-- Senders that are considered as bounce
+local bounce_senders = {'postmaster', 'mailer-daemon', '', 'null', 'fetchmail-daemon', 'mdaemon'}
+-- Do not check ratelimits for these recipients
+local whitelisted_rcpts = {'postmaster', 'mailer-daemon'}
+local whitelisted_ip
+local whitelisted_user
+local max_rcpt = 5
+local redis_params
+local ratelimit_symbol
+-- Do not delay mail after 1 day
+local max_delay = 24 * 3600
+local use_ip_score = false
+local rl_prefix = 'rl'
+local ip_score_lower_bound = 10
+local ip_score_ham_multiplier = 1.1
+local ip_score_spam_divisor = 1.1
+
+local message_func = function(_, limit_type)
+  return string.format('Ratelimit "%s" exceeded', limit_type)
+end
+
+local rspamd_logger = require "rspamd_logger"
+local rspamd_util = require "rspamd_util"
+local rspamd_lua_utils = require "lua_util"
+local fun = require "fun"
+
+local user_keywords = {'user'}
+
+local limit_parser
+local function parse_string_limit(lim)
+  local function parse_time_suffix(s)
+    if s == 's' then
+      return 1
+    elseif s == 'm' then
+      return 60
+    elseif s == 'h' then
+      return 3600
+    elseif s == 'd' then
+      return 86400
+    end
+  end
+  local function parse_num_suffix(s)
+    if s == '' then
+      return 1
+    elseif s == 'k' then
+      return 1000
+    elseif s == 'm' then
+      return 1000000
+    elseif s == 'g' then
+      return 1000000000
+    end
+  end
+  local lpeg = require "lpeg"
+
+  if not limit_parser then
+    local digit = lpeg.R("09")
+    limit_parser = {}
+    limit_parser.integer =
+    (lpeg.S("+-") ^ -1) *
+            (digit   ^  1)
+    limit_parser.fractional =
+    (lpeg.P(".")   ) *
+            (digit ^ 1)
+    limit_parser.number =
+    (limit_parser.integer *
+            (limit_parser.fractional ^ -1)) +
+            (lpeg.S("+-") * limit_parser.fractional)
+    limit_parser.time = lpeg.Cf(lpeg.Cc(1) *
+            (limit_parser.number / tonumber) *
+            ((lpeg.S("smhd") / parse_time_suffix) ^ -1),
+      function (acc, val) return acc * val end)
+    limit_parser.suffixed_number = lpeg.Cf(lpeg.Cc(1) *
+            (limit_parser.number / tonumber) *
+            ((lpeg.S("kmg") / parse_num_suffix) ^ -1),
+      function (acc, val) return acc * val end)
+    limit_parser.limit = lpeg.Ct(limit_parser.suffixed_number *
+            (lpeg.S(" ") ^ 0) * lpeg.S("/") * (lpeg.S(" ") ^ 0) *
+            limit_parser.time)
+  end
+  local t = lpeg.match(limit_parser.limit, lim)
+
+  if t and t[1] and t[2] and t[2] ~= 0 then
+    return t[1] / t[2], t[1]
+  end
+
+  rspamd_logger.errx(rspamd_config, 'bad limit: %s', lim)
+
+  return nil
+end
+
+--- Parse atime and bucket of limit
+local function parse_limits(data)
+  local function parse_limit_elt(str)
+    local elts = rspamd_str_split(str, ':')
+    if not elts or #elts < 2 then
+      return {0, 0, 0}
+    else
+      local atime = tonumber(elts[1])
+      local bucket = tonumber(elts[2])
+      local ctime = atime
+
+      if elts[3] then
+        ctime = tonumber(elts[3])
+      end
+
+      if not ctime then
+        ctime = atime
+      end
+
+      return {atime,bucket,ctime}
+    end
+  end
+
+  return fun.iter(data):map(function(e)
+    if type(e) == 'string' then
+      return parse_limit_elt(e)
+    else
+      return {0, 0, 0}
+    end
+  end):totable()
+end
+
+local function resize_element(x_score, x_total, element)
+  local x_ip_score
+  if not x_total then x_total = 0 end
+  if x_total < ip_score_lower_bound or x_total <= 0 then
+    x_score = 1
+  else
+    x_score = x_score / x_total
+  end
+  if x_score > 0 then
+    x_ip_score = x_score / ip_score_spam_divisor
+    element = element * rspamd_util.tanh(2.718281 * x_ip_score)
+  elseif x_score < 0 then
+    x_ip_score = ((1 + (x_score * -1)) * ip_score_ham_multiplier)
+    element = element * x_ip_score
+  end
+  return element
+end
+
+--- Check whether this addr is bounce
+local function check_bounce(from)
+  return fun.any(function(b) return b == from end, bounce_senders)
+end
+
+local custom_keywords = {}
+
+local keywords = {
+  ['ip'] = {
+    ['get_value'] = function(task)
+      local ip = task:get_ip()
+      if ip and ip:is_valid() then return ip end
+      return nil
+    end,
+  },
+  ['rip'] = {
+    ['get_value'] = function(task)
+      local ip = task:get_ip()
+      if ip and ip:is_valid() and not ip:is_local() then return ip end
+      return nil
+    end,
+  },
+  ['from'] = {
+    ['get_value'] = function(task)
+      local from = task:get_from(0)
+      if ((from or E)[1] or E).addr then
+        return from[1]['addr']
+      end
+      return nil
+    end,
+  },
+  ['bounce'] = {
+    ['get_value'] = function(task)
+      local from = task:get_from(0)
+      if not ((from or E)[1] or E).user then
+        return '_'
+      end
+      if check_bounce(from[1]['user']) then return '_' else return nil end
+    end,
+  },
+  ['asn'] = {
+    ['get_value'] = function(task)
+      local asn = task:get_mempool():get_variable('asn')
+      if not asn then
+        return nil
+      else
+        return asn
+      end
+    end,
+  },
+  ['user'] = {
+    ['get_value'] = function(task)
+      local auser = task:get_user()
+      if not auser then
+        return nil
+      else
+        return auser
+      end
+    end,
+  },
+  ['to'] = {
+    ['get_value'] = function()
+      return '%s' -- 'to' is special
+    end,
+  },
+}
+
+local function dynamic_rate_key(task, rtype)
+  local key_t = {rl_prefix, rtype}
+  local key_keywords = rspamd_str_split(rtype, '_')
+  local have_to, have_user = false, false
+  for _, v in ipairs(key_keywords) do
+    if (custom_keywords[v] and type(custom_keywords[v]['condition']) == 'function') then
+      if not custom_keywords[v]['condition']() then return nil end
+    end
+    local ret
+    if custom_keywords[v] and type(custom_keywords[v]['get_value']) == 'function' then
+      ret = custom_keywords[v]['get_value'](task)
+    elseif keywords[v] and type(keywords[v]['get_value']) == 'function' then
+      ret = keywords[v]['get_value'](task)
+    end
+    if not ret then return nil end
+    for _, uk in ipairs(user_keywords) do
+      if v == uk then have_user = true end
+      if have_user then break end
+    end
+    if v == 'to' then have_to = true end
+    if type(ret) ~= 'string' then ret = tostring(ret) end
+    table.insert(key_t, ret)
+  end
+  if (not have_user) and task:get_user() then
+    return nil
+  end
+  if not have_to then
+    return table.concat(key_t, ":")
+  else
+    local rate_keys = {}
+    local rcpts = task:get_recipients(0)
+    if not ((rcpts or E)[1] or E).addr then
+      return nil
+    end
+    local key_s = table.concat(key_t, ":")
+    local total_rcpt = 0
+    for _, r in ipairs(rcpts) do
+      if r['addr'] and total_rcpt < max_rcpt then
+        local key_f = string.format(key_s, r['addr'])
+        table.insert(rate_keys, key_f)
+        total_rcpt = total_rcpt + 1
+      end
+    end
+    return rate_keys
+  end
+end
+
+--- Check specific limit inside redis
+local function check_limits(task, args)
+
+  local key = fun.foldl(function(acc, k) return acc .. k[2] end, '', args)
+  local ret
+  --- Called when value is got from server
+  local function rate_get_cb(err, data)
+    if err then
+      rspamd_logger.infox(task, 'got error while getting limit: %1', err)
+    end
+    if not data then return end
+    local ntime = rspamd_util.get_time()
+    local asn_score,total_asn,
+      country_score,total_country,
+      ipnet_score,total_ipnet,
+      ip_score, total_ip
+    if use_ip_score then
+      asn_score,total_asn,
+        country_score,total_country,
+        ipnet_score,total_ipnet,
+        ip_score, total_ip = task:get_mempool():get_variable('ip_score',
+        'double,double,double,double,double,double,double,double')
+    end
+
+    fun.each(function(elt, limit, rtype)
+      local bucket = elt[2]
+      local rate = limit[2]
+      local threshold = limit[1]
+      local atime = elt[1]
+      local ctime = elt[3]
+
+      if atime == 0 then return end
+
+      if use_ip_score then
+        local key_keywords = rspamd_str_split(rtype, '_')
+        local has_asn, has_ip = false, false
+        for _, v in ipairs(key_keywords) do
+          if v == "asn" then has_asn = true end
+          if v == "ip" then has_ip = true end
+          if has_ip and has_asn then break end
+        end
+        if has_asn and not has_ip then
+          bucket = resize_element(asn_score, total_asn, bucket)
+          rate = resize_element(asn_score, total_asn, rate)
+        elseif has_ip then
+          if total_ip and total_ip > ip_score_lower_bound then
+            bucket = resize_element(ip_score, total_ip, bucket)
+            rate = resize_element(ip_score, total_ip, rate)
+          elseif total_ipnet and total_ipnet > ip_score_lower_bound then
+            bucket = resize_element(ipnet_score, total_ipnet, bucket)
+            rate = resize_element(ipnet_score, total_ipnet, rate)
+          elseif total_asn and total_asn > ip_score_lower_bound then
+            bucket = resize_element(asn_score, total_asn, bucket)
+            rate = resize_element(asn_score, total_asn, rate)
+          elseif total_country and total_country > ip_score_lower_bound then
+            bucket = resize_element(country_score, total_country, bucket)
+            rate = resize_element(country_score, total_country, rate)
+          else
+            bucket = resize_element(ip_score, total_ip, bucket)
+            rate = resize_element(ip_score, total_ip, rate)
+          end
+        end
+      end
+
+      if atime - ctime > max_delay then
+        rspamd_logger.infox(task, 'limit is too old: %1 seconds; ignore it',
+          atime - ctime)
+      else
+        bucket = bucket - rate * (ntime - atime);
+        if bucket > 0 then
+          if ratelimit_symbol then
+            local mult = 2 * rspamd_util.tanh(bucket / (threshold * 2))
+
+            if mult > 0.5 then
+              task:insert_result(ratelimit_symbol, mult,
+                rtype .. ':' .. string.format('%.2f', mult))
+            end
+          else
+            if bucket > threshold then
+              rspamd_logger.infox(task,
+                'ratelimit "%s" exceeded: %s elements with %s limit',
+                rtype, bucket, threshold)
+              task:set_pre_result('soft reject',
+                message_func(task, rtype, bucket, threshold))
+            end
+          end
+        end
+      end
+    end, fun.zip(parse_limits(data), fun.map(function(a) return a[1] end, args),
+      fun.map(function(a) return rspamd_str_split(a[2], ":")[2] end, args)))
+  end
+
+  ret = rspamd_redis_make_request(task,
+    redis_params, -- connect params
+    key, -- hash key
+    false, -- is write
+    rate_get_cb, --callback
+    'mget', -- command
+    fun.totable(fun.map(function(l) return l[2] end, args)) -- arguments
+  )
+  if not ret then
+    rspamd_logger.errx(task, 'got error connecting to redis')
+  end
+end
+
+--- Set specific limit inside redis
+local function set_limits(task, args)
+  local key = fun.foldl(function(acc, k) return acc .. k[2] end, '', args)
+  local ret, upstream
+
+  local function rate_set_cb(err)
+    if err then
+      rspamd_logger.infox(task, 'got error %s when setting ratelimit record on server %s',
+        err, upstream:get_addr())
+    end
+  end
+  local function rate_get_cb(err, data)
+    if err then
+      rspamd_logger.infox(task, 'got error while setting limit: %1', err)
+    end
+    if not data then return end
+    local ntime = rspamd_util.get_time()
+    local values = {}
+    fun.each(function(elt, limit)
+      local bucket = elt[2]
+      local rate = limit[1][2]
+      local atime = elt[1]
+      local ctime = elt[3]
+
+      if atime - ctime > max_delay then
+        rspamd_logger.infox(task, 'limit is too old: %1 seconds; start it over',
+          atime - ctime)
+        bucket = 1
+        ctime = ntime
+      else
+        if bucket > 0 then
+          bucket = bucket - rate * (ntime - atime) + 1;
+          if bucket < 0 then
+            bucket = 1
+          end
+        else
+          bucket = 1
+        end
+      end
+
+      if ctime == 0 then ctime = ntime end
+
+      local lstr = string.format('%.3f:%.3f:%.3f', ntime, bucket, ctime)
+      table.insert(values, {limit[2], max_delay, lstr})
+    end, fun.zip(parse_limits(data), fun.iter(args)))
+
+    if #values > 0 then
+      local conn
+      ret,conn,upstream = rspamd_redis_make_request(task,
+        redis_params, -- connect params
+        key, -- hash key
+        true, -- is write
+        rate_set_cb, --callback
+        'setex', -- command
+        values[1] -- arguments
+      )
+
+      if conn then
+        fun.each(function(v)
+          conn:add_cmd('setex', v)
+        end, fun.drop_n(1, values))
+      else
+        rspamd_logger.errx(task, 'got error while connecting to redis')
+      end
+    end
+  end
+
+  local _
+  ret,_,upstream = rspamd_redis_make_request(task,
+    redis_params, -- connect params
+    key, -- hash key
+    false, -- is write
+    rate_get_cb, --callback
+    'mget', -- command
+    fun.totable(fun.map(function(l) return l[2] end, args)) -- arguments
+  )
+  if not ret then
+    rspamd_logger.errx(task, 'got error connecting to redis')
+  end
+end
+
+--- Check or update ratelimit
+local function rate_test_set(task, func)
+  local args = {}
+  -- Get initial task data
+  local ip = task:get_from_ip()
+  if ip and ip:is_valid() and whitelisted_ip then
+    if whitelisted_ip:get_key(ip) then
+      -- Do not check whitelisted ip
+      rspamd_logger.infox(task, 'skip ratelimit for whitelisted IP')
+      return
+    end
+  end
+  -- Parse all rcpts
+  local rcpts = task:get_recipients()
+  local rcpts_user = {}
+  if rcpts then
+    fun.each(function(r) table.insert(rcpts_user, r['user']) end, rcpts)
+    if fun.any(function(r)
+      fun.any(function(w) return r == w end, whitelisted_rcpts) end,
+      rcpts_user) then
+
+      rspamd_logger.infox(task, 'skip ratelimit for whitelisted recipient')
+      return
+    end
+  end
+  -- Get user (authuser)
+  if whitelisted_user then
+    local auser = task:get_user()
+    if whitelisted_user:get_key(auser) then
+      rspamd_logger.infox(task, 'skip ratelimit for whitelisted user')
+      return
+    end
+  end
+
+  local rate_key
+  for k in pairs(settings) do
+    rate_key = dynamic_rate_key(task, k)
+    if rate_key then
+      if type(rate_key) == 'table' then
+        for _, rk in ipairs(rate_key) do
+          if type(settings[k]) == 'table' then
+            table.insert(args, {settings[k], rk})
+          elseif type(settings[k]) == 'string' and
+              (custom_keywords[settings[k]] and type(custom_keywords[settings[k]]['get_limit']) == 'function') then
+            local res = custom_keywords[settings[k]]['get_limit'](task)
+            if type(res) == 'table' then
+              table.insert(args, {res, rate_key})
+            elseif type(res) == 'string' then
+              local plim, size = parse_string_limit(res)
+              if plim then
+                table.insert(args, {{size, plim, 1}, rate_key})
+              end
+            end
+          end
+        end
+      else
+        if type(settings[k]) == 'table' then
+          table.insert(args, {settings[k], rate_key})
+        elseif type(settings[k]) == 'string' and
+            (custom_keywords[settings[k]] and type(custom_keywords[settings[k]]['get_limit']) == 'function') then
+          local res = custom_keywords[settings[k]]['get_limit'](task)
+          if type(res) == 'table' then
+            table.insert(args, {res, rate_key})
+          elseif type(res) == 'string' then
+            local plim, size = parse_string_limit(res)
+            if plim then
+              table.insert(args, {{size, plim, 1}, rate_key})
+            end
+          end
+        end
+      end
+    end
+  end
+
+  if #args > 0 then
+    func(task, args)
+  end
+end
+
+--- Check limit
+local function rate_test(task)
+  if rspamd_lua_utils.is_rspamc_or_controller(task) then return end
+  rate_test_set(task, check_limits)
+end
+--- Update limit
+local function rate_set(task)
+  local action = task:get_metric_action('default')
+
+  if action ~= 'soft reject' then
+    if rspamd_lua_utils.is_rspamc_or_controller(task) then return end
+    rate_test_set(task, set_limits)
+  end
+end
+
+
+--- Parse a single limit description
+local function parse_limit(str)
+  local params = rspamd_str_split(str, ':')
+
+  local function set_limit(limit, burst, rate)
+    limit[1] = tonumber(burst)
+    limit[2] = tonumber(rate)
+  end
+
+  if #params ~= 3 then
+    rspamd_logger.errx(rspamd_config, 'invalid limit definition: ' .. str)
+    return
+  end
+
+  local key_keywords = rspamd_str_split(params[1], '_')
+  for _, k in ipairs(key_keywords) do
+    if (custom_keywords[k] and type(custom_keywords[k]['get_value']) == 'function') or
+        (keywords[k] and type(keywords[k]['get_value']) == 'function') then
+      set_limit(settings[params[1]], params[2], params[3])
+    else
+      rspamd_logger.errx(rspamd_config, 'invalid limit type: ' .. params[1])
+    end
+  end
+end
+
+local opts = rspamd_config:get_all_opt('ratelimit')
+if opts then
+  local rates = opts['limit']
+  if rates and type(rates) == 'table' then
+    fun.each(parse_limit, rates)
+  elseif rates and type(rates) == 'string' then
+    parse_limit(rates)
+  end
+
+  if opts['rates'] and type(opts['rates']) == 'table' then
+    -- new way of setting limits
+    fun.each(function(t, lim)
+      if type(lim) == 'table' then
+        settings[t] = lim
+      elseif type(lim) == 'string' then
+        local plim, size = parse_string_limit(lim)
+        if plim then
+          settings[t] = {size, plim, 1}
+        end
+      end
+    end, opts['rates'])
+  end
+
+  if opts['dynamic_rates'] and type(opts['dynamic_rates']) == 'table' then
+    fun.each(function(t, lim)
+      if type(lim) == 'string' then
+        settings[t] = lim
+      end
+    end, opts['dynamic_rates'])
+  end
+
+  local enabled_limits = fun.totable(fun.map(function(t)
+    return t
+  end, fun.filter(function(_, lim)
+    return type(lim) == 'string' or
+        (type(lim) == 'table' and type(lim[1]) == 'number' and lim[1] > 0)
+        or (type(lim) == 'table' and (lim[3]))
+  end, settings)))
+  rspamd_logger.infox(rspamd_config, 'enabled rate buckets: [%1]', table.concat(enabled_limits, ','))
+
+  if opts['whitelisted_rcpts'] and type(opts['whitelisted_rcpts']) == 'string' then
+    whitelisted_rcpts = rspamd_str_split(opts['whitelisted_rcpts'], ',')
+  elseif type(opts['whitelisted_rcpts']) == 'table' then
+    whitelisted_rcpts = opts['whitelisted_rcpts']
+  end
+
+  if opts['whitelisted_ip'] then
+    whitelisted_ip = rspamd_map_add('ratelimit', 'whitelisted_ip', 'radix',
+      'Ratelimit whitelist ip map')
+  end
+
+  if opts['whitelisted_user'] then
+    whitelisted_user = rspamd_map_add('ratelimit', 'whitelisted_user', 'set',
+      'Ratelimit whitelist user map')
+  end
+
+  if opts['symbol'] then
+    -- We want symbol instead of pre-result
+    ratelimit_symbol = opts['symbol']
+  end
+
+  if opts['max_rcpt'] then
+    max_rcpt = tonumber(opts['max_rcpt'])
+  end
+
+  if opts['max_delay'] then
+    max_rcpt = tonumber(opts['max_delay'])
+  end
+
+  if opts['use_ip_score'] then
+    use_ip_score = true
+    local ip_score_opts = rspamd_config:get_all_opt('ip_score')
+    if ip_score_opts and ip_score_opts['lower_bound'] then
+      ip_score_lower_bound = ip_score_opts['lower_bound']
+    end
+  end
+
+  if opts['custom_keywords'] then
+    custom_keywords = dofile(opts['custom_keywords'])
+  end
+
+  if opts['user_keywords'] then
+    user_keywords = opts['user_keywords']
+  end
+
+  if opts['message_func'] then
+    message_func = assert(load(opts['message_func']))()
+  end
+
+  redis_params = rspamd_parse_redis_server('ratelimit')
+  if not redis_params then
+    rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')
+  else
+    if not ratelimit_symbol and not use_ip_score then
+      rspamd_config:register_symbol({
+        name = 'RATELIMIT_CHECK',
+        callback = rate_test,
+        type = 'prefilter',
+        priority = 4,
+      })
+    else
+      local symbol
+      if not ratelimit_symbol then
+        symbol = 'RATELIMIT_CHECK'
+      else
+        symbol = ratelimit_symbol
+      end
+      local id = rspamd_config:register_symbol({
+        name = symbol,
+        callback = rate_test,
+      })
+      if use_ip_score then
+        rspamd_config:register_dependency(id, 'IP_SCORE')
+      end
+    end
+    rspamd_config:register_symbol({
+      name = 'RATELIMIT_SET',
+      type = 'postfilter',
+      priority = 5,
+      callback = rate_set,
+    })
+    for _, v in pairs(custom_keywords) do
+      if type(v) == 'table' and type(v['init']) == 'function' then
+        v['init']()
+      end
+    end
+  end
+end
+
+

From 256c9d86ddd6ea1caf2f4dc5dc252bf07bc9de0a Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Thu, 13 Jul 2017 12:55:14 +0200
Subject: [PATCH 22/26] [Rspamd] Initial custom ratelimit support

---
 data/conf/rspamd/local.d/ratelimit.conf | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 data/conf/rspamd/local.d/ratelimit.conf

diff --git a/data/conf/rspamd/local.d/ratelimit.conf b/data/conf/rspamd/local.d/ratelimit.conf
deleted file mode 100644
index eca11a12..00000000
--- a/data/conf/rspamd/local.d/ratelimit.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-rates {
-  # Limit for all mail per recipient (burst 100, rate 2 per minute)
-  to = [100, 0.033333333];
-  # Limit for all mail per one source ip (burst 30, rate 1.5 per minute)
-  to_ip = [30, 0.025];
-  # Limit for all mail per one source ip and from address (burst 20, rate 1 per minute)
-  to_ip_from = [20, 0.01666666667];
-  # Limit for all bounce mail (burst 10, rate 2 per hour)
-  bounce_to = [10, 0.000555556];
-  # Limit for bounce mail per one source ip (burst 5, rate 1 per hour)
-  bounce_to_ip = [5, 0.000277778];
-  # Limit for all mail per authenticated user (burst 20, rate 1 per minute)
-  user = [20, 0.01666666667];
-}
-# If symbol is specified, then it is inserted instead of setting result
-#symbol = "R_RATELIMIT";
-whitelisted_rcpts = "postmaster,mailer-daemon";
-max_rcpt = 5;

From 84ad579437d6e978923b4b82718867fdeb8c9b77 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sun, 16 Jul 2017 11:03:28 +0200
Subject: [PATCH 23/26] [Web] Initial ratelimit support, more API actions

---
 data/web/admin.php                          |   4 +-
 data/web/css/edit.css                       |   3 +
 data/web/edit.php                           |  85 ++-
 data/web/inc/functions.domain_admin.inc.php | 507 +++++++++++++++++
 data/web/inc/functions.inc.php              | 573 +-------------------
 data/web/inc/functions.mailbox.inc.php      | 134 ++++-
 data/web/inc/prerequisites.inc.php          |   1 +
 data/web/inc/sessions.inc.php               |   2 +
 data/web/inc/triggers.inc.php               |  41 --
 data/web/js/api.js                          |  20 +-
 data/web/json_api.php                       | 181 +++++--
 data/web/user.php                           |   4 +-
 12 files changed, 855 insertions(+), 700 deletions(-)
 create mode 100644 data/web/inc/functions.domain_admin.inc.php

diff --git a/data/web/admin.php b/data/web/admin.php
index 0e0003a8..284bf31b 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -56,7 +56,7 @@ $tfa_data = get_tfa();
           </div>
           <div class="form-group">
             <div class="col-sm-offset-3 col-sm-9">
-              <button class="btn btn-default" id="edit_selected" data-id="admin" data-item="null" data-api-url='edit/admin' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
+              <button class="btn btn-default" id="edit_selected" data-id="admin" data-item="null" data-api-url='edit/self' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
             </div>
           </div>
         </form>
@@ -253,7 +253,7 @@ XYZ
         </div>
       </div>
     </div>
-    
+
     <div class="panel panel-default">
       <div class="panel-heading"><?=$lang['admin']['forwarding_hosts'];?></div>
       <div class="panel-body">
diff --git a/data/web/css/edit.css b/data/web/css/edit.css
index fe4d9fff..07d4e745 100644
--- a/data/web/css/edit.css
+++ b/data/web/css/edit.css
@@ -27,3 +27,6 @@ table.footable>tbody>tr.footable-empty>td {
   user-select: none;
   padding:10px 0 10px 0;
 }
+.inputMissingAttr {
+  border-color: #FF4136;
+}
diff --git a/data/web/edit.php b/data/web/edit.php
index d156dba0..1f250535 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -25,9 +25,8 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 				?>
 					<h4><?=$lang['edit']['alias'];?></h4>
 					<br />
-					<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+					<form class="form-horizontal" data-id="editalias" role="form" method="post">
 						<input type="hidden" value="0" name="active">
-						<input type="hidden" name="address" value="<?=htmlspecialchars($alias);?>">
 						<div class="form-group">
 							<label class="control-label col-sm-2" for="goto"><?=$lang['edit']['target_address'];?></label>
 							<div class="col-sm-10">
@@ -43,7 +42,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 						</div>
 						<div class="form-group">
 							<div class="col-sm-offset-2 col-sm-10">
-								<button type="submit" name="mailbox_edit_alias" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+                <button class="btn btn-success" id="edit_selected" data-id="editalias" data-item="<?=$alias;?>" data-api-url='edit/alias' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
 							</div>
 						</div>
 					</form>
@@ -55,20 +54,19 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 				<?php
 				}
 		}
-		elseif (isset($_GET['domainadmin']) && 
-			ctype_alnum(str_replace(array('_', '.', '-'), '', $_GET["domainadmin"])) &&
-			!empty($_GET["domainadmin"]) &&
-			$_GET["domainadmin"] != 'admin' &&
-			$_SESSION['mailcow_cc_role'] == "admin") {
+		elseif (isset($_GET['domainadmin']) &&
+				ctype_alnum(str_replace(array('_', '.', '-'), '', $_GET["domainadmin"])) &&
+				!empty($_GET["domainadmin"]) &&
+				$_GET["domainadmin"] != 'admin' &&
+				$_SESSION['mailcow_cc_role'] == "admin") {
 				$domain_admin = $_GET["domainadmin"];
-        $result = get_domain_admin_details($domain_admin);
+				$result = domain_admin('details', $domain_admin);
 				if (!empty($result)) {
 				?>
 				<h4><?=$lang['edit']['domain_admin'];?></h4>
 				<br />
-				<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+				<form class="form-horizontal" data-id="editdomainadmin" role="form" method="post">
 					<input type="hidden" value="0" name="active">
-					<input type="hidden" name="username" value="<?=htmlspecialchars($domain_admin);?>">
 					<div class="form-group">
 						<label class="control-label col-sm-2" for="username_new"><?=$lang['edit']['username'];?></label>
 						<div class="col-sm-10">
@@ -122,7 +120,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
-							<button type="submit" name="edit_domain_admin" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+              <button class="btn btn-success" id="edit_selected" data-id="editdomainadmin" data-item="<?=$domain_admin;?>" data-api-url='edit/domain-admin' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
 						</div>
 					</div>
 				</form>
@@ -139,14 +137,14 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		!empty($_GET["domain"])) {
 			$domain = $_GET["domain"];
       $result = mailbox('get', 'domain_details', $domain);
+      $rl = mailbox('get', 'domain_ratelimit', $domain);
 			if (!empty($result)) {
 			?>
 				<h4><?=$lang['edit']['domain'];?></h4>
-				<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+				<form data-id="editdomain" class="form-horizontal" role="form" method="post">
 					<input type="hidden" value="0" name="active">
 					<input type="hidden" value="0" name="backupmx">
 					<input type="hidden" value="0" name="relay_all_recipients">
-					<input type="hidden" name="domain" value="<?=htmlspecialchars($domain);?>">
 					<div class="form-group">
 						<label class="control-label col-sm-2" for="description"><?=$lang['edit']['description'];?></label>
 						<div class="col-sm-10">
@@ -203,7 +201,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
-							<button type="submit" name="mailbox_edit_domain" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+              <button class="btn btn-success" id="edit_selected" data-id="editdomain" data-item="<?=$domain;?>" data-api-url='edit/domain' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
 						</div>
 					</div>
 				</form>
@@ -223,6 +221,23 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 				}
         ?>
 		<hr>
+    <form data-id="domratelimit" class="form-inline well" method="post">
+      <div class="form-group">
+        <label class="control-label">Ratelimit</label>
+        <input name="rl_value" id="rl_value" type="number" value="<?=(!empty($rl['value'])) ? $rl['value'] : null;?>" class="form-control" placeholder="disabled">
+      </div>
+      <div class="form-group">
+        <select name="rl_frame" id="rl_frame" class="form-control">
+          <option value="s" <?=(isset($rl['frame']) && $rl['frame'] == 's') ? 'selected' : null;?>>msgs / second</option>
+          <option value="m" <?=(isset($rl['frame']) && $rl['frame'] == 'm') ? 'selected' : null;?>>msgs / minute</option>
+          <option value="h" <?=(isset($rl['frame']) && $rl['frame'] == 'h') ? 'selected' : null;?>>msgs / hour</option>
+        </select>
+      </div>
+      <div class="form-group">
+        <button class="btn btn-default" id="edit_selected" data-id="domratelimit" data-item="<?=$domain;?>" data-api-url='edit/domain-ratelimit' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
+      </div>
+    </form>
+		<hr>
 		<div class="row">
 			<div class="col-sm-6">
 				<h4><?=$lang['user']['spamfilter_wl'];?></h4>
@@ -282,12 +297,12 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 		!empty($_GET["aliasdomain"])) {
 			$alias_domain = $_GET["aliasdomain"];
       $result = mailbox('get', 'alias_domain_details', $alias_domain);
+      $rl = mailbox('get', 'domain_ratelimit', $alias_domain);
       if (!empty($result)) {
 			?>
 				<h4><?=$lang['edit']['edit_alias_domain'];?></h4>
-				<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+				<form class="form-horizontal" data-id="editaliasdomain" role="form" method="post">
 					<input type="hidden" value="0" name="active">
-					<input type="hidden" value="<?=$result['alias_domain'];?>" name="alias_domain">
 					<div class="form-group">
 						<label class="control-label col-sm-2" for="target_domain"><?=$lang['edit']['target_domain'];?></label>
 						<div class="col-sm-10">
@@ -303,10 +318,27 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
-							<button type="submit" name="mailbox_edit_alias_domain" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+              <button class="btn btn-success" id="edit_selected" data-id="editaliasdomain" data-item="<?=$alias_domain;?>" data-api-url='edit/alias-domain' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
 						</div>
 					</div>
 				</form>
+        <hr>
+        <form data-id="domratelimit" class="form-inline well" method="post">
+          <div class="form-group">
+            <label class="control-label">Ratelimit</label>
+            <input name="rl_value" id="rl_value" type="number" value="<?=(!empty($rl['value'])) ? $rl['value'] : null;?>" class="form-control" placeholder="disabled">
+          </div>
+          <div class="form-group">
+            <select name="rl_frame" id="rl_frame" class="form-control">
+              <option value="s" <?=(isset($rl['frame']) && $rl['frame'] == 's') ? 'selected' : null;?>>msgs / second</option>
+              <option value="m" <?=(isset($rl['frame']) && $rl['frame'] == 'm') ? 'selected' : null;?>>msgs / minute</option>
+              <option value="h" <?=(isset($rl['frame']) && $rl['frame'] == 'h') ? 'selected' : null;?>>msgs / hour</option>
+            </select>
+          </div>
+          <div class="form-group">
+            <button class="btn btn-default" id="edit_selected" data-id="domratelimit" data-item="<?=$alias_domain;?>" data-api-url='edit/domain-ratelimit' data-api-attr='{}' href="#"><?=$lang['admin']['save'];?></button>
+          </div>
+        </form>
 				<?php
         if (!empty($dkim = dkim('details', $alias_domain))) {
 				?>
@@ -334,10 +366,9 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
     if (!empty($result)) {
       ?>
       <h4><?=$lang['edit']['mailbox'];?></h4>
-      <form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+      <form class="form-horizontal" data-id="editmailbox" role="form" method="post">
 				<input type="hidden" value="0" name="sender_acl">
 				<input type="hidden" value="0" name="active">
-				<input type="hidden" name="username" value="<?=htmlspecialchars($result['username']);?>">
         <div class="form-group">
           <label class="control-label col-sm-2" for="name"><?=$lang['edit']['full_name'];?>:</label>
           <div class="col-sm-10">
@@ -355,7 +386,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
         <div class="form-group">
           <label class="control-label col-sm-2" for="sender_acl"><?=$lang['edit']['sender_acl'];?>:</label>
           <div class="col-sm-10">
-            <select data-width="100%" style="width:100%" id="sender_acl" name="sender_acl[]" size="10" multiple>
+            <select data-width="100%" style="width:100%" id="sender_acl" name="sender_acl" size="10" multiple>
             <?php
             $sender_acl_handles = mailbox('get', 'sender_acl_handles', $mailbox);
 
@@ -426,7 +457,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
         </div>
         <div class="form-group">
           <div class="col-sm-offset-2 col-sm-10">
-            <button type="submit" name="mailbox_edit_mailbox" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+            <button class="btn btn-success" id="edit_selected" data-id="editmailbox" data-item="<?=htmlspecialchars($result['username']);?>" data-api-url='edit/mailbox' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
           </div>
         </div>
       </form>
@@ -439,10 +470,9 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
       if (!empty($result)) {
         ?>
 				<h4><?=$lang['edit']['resource'];?></h4>
-				<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+				<form class="form-horizontal" role="form" method="post" data-id="editresource">
           <input type="hidden" value="0" name="active">
           <input type="hidden" value="0" name="multiple_bookings">
-          <input type="hidden" name="name" value="<?=htmlspecialchars($result['name']);?>">
 					<div class="form-group">
 						<label class="control-label col-sm-2" for="description"><?=$lang['add']['description'];?></label>
 						<div class="col-sm-10">
@@ -475,7 +505,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
-							<button type="submit" name="mailbox_edit_resource" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+              <button class="btn btn-success" id="edit_selected" data-id="editresource" data-item="<?=htmlspecialchars($result['name']);?>" data-api-url='edit/resource' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
 						</div>
 					</div>
 				</form>
@@ -501,11 +531,10 @@ elseif (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] ==
       if (!empty($result)) {
 			?>
 				<h4><?=$lang['edit']['syncjob'];?></h4>
-				<form class="form-horizontal" role="form" method="post" action="<?=($FORM_ACTION == "previous") ? $_SESSION['return_to'] : null;?>">
+				<form class="form-horizontal" data-id="editsyncjob" role="form" method="post">
           <input type="hidden" value="0" name="delete2duplicates">
           <input type="hidden" value="0" name="delete1">
           <input type="hidden" value="0" name="active">
-          <input type="hidden" name="id" value="<?=htmlspecialchars($result['id']);?>">
 					<div class="form-group">
 						<label class="control-label col-sm-2" for="host1"><?=$lang['edit']['hostname'];?></label>
 						<div class="col-sm-10">
@@ -587,7 +616,7 @@ elseif (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] ==
 					</div>
 					<div class="form-group">
 						<div class="col-sm-offset-2 col-sm-10">
-							<button type="submit" name="edit_syncjob" value="1" class="btn btn-success btn-sm"><?=$lang['edit']['save'];?></button>
+              <button class="btn btn-success" id="edit_selected" data-id="editsyncjob" data-item="<?=htmlspecialchars($result['id']);?>" data-api-url='edit/syncjob' data-api-attr='{}' href="#"><?=$lang['edit']['save'];?></button>
 						</div>
 					</div>
 				</form>
diff --git a/data/web/inc/functions.domain_admin.inc.php b/data/web/inc/functions.domain_admin.inc.php
new file mode 100644
index 00000000..aa434079
--- /dev/null
+++ b/data/web/inc/functions.domain_admin.inc.php
@@ -0,0 +1,507 @@
+<?php
+
+function domain_admin($_action, $_data = null) {
+  global $pdo;
+  global $lang;
+  switch ($_action) {
+    case 'add':
+      $username		= strtolower(trim($_data['username']));
+      $password		= $_data['password'];
+      $password2  = $_data['password2'];
+      $domains    = (array)$_data['domains'];
+      $active     = intval($_data['active']);
+
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      if (empty($domains)) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['domain_invalid'])
+        );
+        return false;
+      }
+      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username)) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['username_invalid'])
+        );
+        return false;
+      }
+      try {
+        $stmt = $pdo->prepare("SELECT `username` FROM `mailbox`
+          WHERE `username` = :username");
+        $stmt->execute(array(':username' => $username));
+        $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+        
+        $stmt = $pdo->prepare("SELECT `username` FROM `admin`
+          WHERE `username` = :username");
+        $stmt->execute(array(':username' => $username));
+        $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+        
+        $stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
+          WHERE `username` = :username");
+        $stmt->execute(array(':username' => $username));
+        $num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+      }
+      catch(PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+        return false;
+      }
+      foreach ($num_results as $num_results_each) {
+        if ($num_results_each != 0) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => sprintf($lang['danger']['object_exists'], htmlspecialchars($username))
+          );
+          return false;
+        }
+      }
+      if (!empty($password) && !empty($password2)) {
+        if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => sprintf($lang['danger']['password_complexity'])
+          );
+          return false;
+        }
+        if ($password != $password2) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => sprintf($lang['danger']['password_mismatch'])
+          );
+          return false;
+        }
+        $password_hashed = hash_password($password);
+        foreach ($domains as $domain) {
+          if (!is_valid_domain_name($domain)) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['domain_invalid'])
+            );
+            return false;
+          }
+          try {
+            $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
+                VALUES (:username, :domain, :created, :active)");
+            $stmt->execute(array(
+              ':username' => $username,
+              ':domain' => $domain,
+              ':created' => date('Y-m-d H:i:s'),
+              ':active' => $active
+            ));
+          }
+          catch (PDOException $e) {
+            domain_admin('delete', $username);
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'MySQL: '.$e
+            );
+            return false;
+          }
+        }
+        try {
+          $stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
+            VALUES (:username, :password_hashed, '0', :active)");
+          $stmt->execute(array(
+            ':username' => $username,
+            ':password_hashed' => $password_hashed,
+            ':active' => $active
+          ));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'MySQL: '.$e
+          );
+          return false;
+        }
+      }
+      else {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['password_empty'])
+        );
+        return false;
+      }
+      $_SESSION['return'] = array(
+        'type' => 'success',
+        'msg' => sprintf($lang['success']['domain_admin_added'], htmlspecialchars($username))
+      );
+    break;
+    case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      // Administrator
+      if ($_SESSION['mailcow_cc_role'] == "admin") {
+        if (!is_array($_data['username'])) {
+          $usernames = array();
+          $usernames[] = $_data['username'];
+        }
+        else {
+          $usernames = $_data['username'];
+        }
+        foreach ($usernames as $username) {
+          $is_now = domain_admin('details', $username);
+          $domains = (isset($_data['domains'])) ? (array)$_data['domains'] : null;
+          if (!empty($is_now)) {
+            $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+            $domains = (!empty($domains)) ? $domains : $is_now['selected_domains'];
+            $username_new = (!empty($_data['username_new'])) ? $_data['username_new'] : $is_now['username'];
+          }
+          else {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['access_denied'])
+            );
+            return false;
+          }
+          $password     = $_data['password'];
+          $password2    = $_data['password2'];
+
+          if (!empty($domains)) {
+            foreach ($domains as $domain) {
+              if (!is_valid_domain_name($domain)) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => sprintf($lang['danger']['domain_invalid'])
+                );
+                return false;
+              }
+            }
+          }
+          if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['username_invalid'])
+            );
+            return false;
+          }
+          if ($username_new != $username) {
+            if (!empty(domain_admin('details', $username_new)['username'])) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => sprintf($lang['danger']['username_invalid'])
+              );
+              return false;
+            }
+          }
+          try {
+            $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
+            $stmt->execute(array(
+              ':username' => $username,
+            ));
+          }
+          catch (PDOException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'MySQL: '.$e
+            );
+            return false;
+          }
+
+          if (!empty($domains)) {
+            foreach ($domains as $domain) {
+              try {
+                $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
+                  VALUES (:username_new, :domain, :created, :active)");
+                $stmt->execute(array(
+                  ':username_new' => $username_new,
+                  ':domain' => $domain,
+                  ':created' => date('Y-m-d H:i:s'),
+                  ':active' => $active
+                ));
+              }
+              catch (PDOException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'MySQL: '.$e
+                );
+                return false;
+              }
+            }
+          }
+
+          if (!empty($password) && !empty($password2)) {
+            if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => sprintf($lang['danger']['password_complexity'])
+              );
+              return false;
+            }
+            if ($password != $password2) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => sprintf($lang['danger']['password_mismatch'])
+              );
+              return false;
+            }
+            $password_hashed = hash_password($password);
+            try {
+              $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
+              $stmt->execute(array(
+                ':password_hashed' => $password_hashed,
+                ':username_new' => $username_new,
+                ':username' => $username,
+                ':active' => $active
+              ));
+              if (isset($_data['disable_tfa'])) {
+                $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
+                $stmt->execute(array(':username' => $username));
+              }
+              else {
+                $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
+                $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
+              }
+            }
+            catch (PDOException $e) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => 'MySQL: '.$e
+              );
+              return false;
+            }
+          }
+          else {
+            try {
+              $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
+              $stmt->execute(array(
+                ':username_new' => $username_new,
+                ':username' => $username,
+                ':active' => $active
+              ));
+              if (isset($_data['disable_tfa'])) {
+                $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
+                $stmt->execute(array(':username' => $username));
+              }
+              else {
+                $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
+                $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
+              }
+            }
+            catch (PDOException $e) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => 'MySQL: '.$e
+              );
+              return false;
+            }
+          }
+        }
+        $_SESSION['return'] = array(
+          'type' => 'success',
+          'msg' => sprintf($lang['success']['domain_admin_modified'], htmlspecialchars(implode(', ', $usernames)))
+        );
+      }
+      // Domain administrator
+      // Can only edit itself
+      elseif ($_SESSION['mailcow_cc_role'] == "domainadmin") {
+        $username = $_SESSION['mailcow_cc_username'];
+        $password_old		= $_data['user_old_pass'];
+        $password_new	= $_data['user_new_pass'];
+        $password_new2	= $_data['user_new_pass2'];
+
+        $stmt = $pdo->prepare("SELECT `password` FROM `admin`
+            WHERE `username` = :user");
+        $stmt->execute(array(':user' => $username));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if (!verify_ssha256($row['password'], $password_old)) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => sprintf($lang['danger']['access_denied'])
+          );
+          return false;
+        }
+
+        if (!empty($password_new2) && !empty($password_new)) {
+          if ($password_new2 != $password_new) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['password_mismatch'])
+            );
+            return false;
+          }
+          if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password_new)) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => sprintf($lang['danger']['password_complexity'])
+            );
+            return false;
+          }
+          $password_hashed = hash_password($password_new);
+          try {
+            $stmt = $pdo->prepare("UPDATE `admin` SET `password` = :password_hashed WHERE `username` = :username");
+            $stmt->execute(array(
+              ':password_hashed' => $password_hashed,
+              ':username' => $username
+            ));
+          }
+          catch (PDOException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'MySQL: '.$e
+            );
+            return false;
+          }
+        }
+        
+        $_SESSION['return'] = array(
+          'type' => 'success',
+          'msg' => sprintf($lang['success']['domain_admin_modified'], htmlspecialchars($username))
+        );
+      }
+    break;
+    case 'delete':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      $usernames = (array)$_data['username'];
+      foreach ($usernames as $username) {
+        if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => sprintf($lang['danger']['username_invalid'])
+          );
+          return false;
+        }
+        try {
+          $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
+          $stmt->execute(array(
+            ':username' => $username,
+          ));
+          $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
+          $stmt->execute(array(
+            ':username' => $username,
+          ));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'MySQL: '.$e
+          );
+          return false;
+        }
+      }
+      $_SESSION['return'] = array(
+        'type' => 'success',
+        'msg' => sprintf($lang['success']['domain_admin_removed'], htmlspecialchars(implode(', ', $usernames)))
+      );
+    break;
+    case 'get':
+      $domainadmins = array();
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      try {
+        $stmt = $pdo->query("SELECT DISTINCT
+          `username`
+            FROM `domain_admins` 
+              WHERE `username` IN (
+                SELECT `username` FROM `admin`
+                  WHERE `superadmin`!='1'
+              )");
+        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+        while ($row = array_shift($rows)) {
+          $domainadmins[] = $row['username'];
+        }
+      }
+      catch(PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+      }
+      return $domainadmins;
+    break;
+    case 'details':
+      $domainadmindata = array();
+
+      if ($_SESSION['mailcow_cc_role'] == "domainadmin" && $_data != $_SESSION['mailcow_cc_username']) {
+        return false;
+      }
+      elseif ($_SESSION['mailcow_cc_role'] != "admin" || !isset($_data)) {
+        return false;
+      }
+
+      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $_data))) {
+        return false;
+      }
+      try {
+        $stmt = $pdo->prepare("SELECT
+          `tfa`.`active` AS `tfa_active_int`,
+          CASE `tfa`.`active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `tfa_active`,
+          `domain_admins`.`username`,
+          `domain_admins`.`created`,
+          `domain_admins`.`active` AS `active_int`,
+          CASE `domain_admins`.`active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
+            FROM `domain_admins`
+            LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`domain_admins`.`username`
+              WHERE `domain_admins`.`username`= :domain_admin");
+        $stmt->execute(array(
+          ':domain_admin' => $_data
+        ));
+        $row = $stmt->fetch(PDO::FETCH_ASSOC);
+        if (empty($row)) { 
+          return false;
+        }
+        $domainadmindata['username'] = $row['username'];
+        $domainadmindata['tfa_active'] = $row['tfa_active'];
+        $domainadmindata['active'] = $row['active'];
+        $domainadmindata['tfa_active_int'] = $row['tfa_active_int'];
+        $domainadmindata['active_int'] = $row['active_int'];
+        $domainadmindata['modified'] = $row['created'];
+        // GET SELECTED
+        $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
+          WHERE `domain` IN (
+            SELECT `domain` FROM `domain_admins`
+              WHERE `username`= :domain_admin)");
+        $stmt->execute(array(':domain_admin' => $_data));
+        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+        while($row = array_shift($rows)) {
+          $domainadmindata['selected_domains'][] = $row['domain'];
+        }
+        // GET UNSELECTED
+        $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
+          WHERE `domain` NOT IN (
+            SELECT `domain` FROM `domain_admins`
+              WHERE `username`= :domain_admin)");
+        $stmt->execute(array(':domain_admin' => $_data));
+        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
+        while($row = array_shift($rows)) {
+          $domainadmindata['unselected_domains'][] = $row['domain'];
+        }
+        if (!isset($domainadmindata['unselected_domains'])) {
+          $domainadmindata['unselected_domains'] = "";
+        }
+      }
+      catch(PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+      }
+      return $domainadmindata;
+    break;
+  }
+}
\ No newline at end of file
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index b3420530..66dad50f 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
@@ -73,7 +73,6 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
     unset($lines[0]);
     return base64_decode(implode('', $lines));
   }
-
   if (empty($starttls)) {
     $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'allow_self_signed' => true)));
     $stream = stream_socket_client('tls://' . $hostname . ':' . $port, $error_nr, $error_msg, 5, STREAM_CLIENT_CONNECT, $context);
@@ -113,7 +112,6 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
     stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_ANY_CLIENT);
     stream_set_blocking($stream, false);
   }
-
   $params = stream_context_get_params($stream);
   if (!empty($params['options']['ssl']['peer_certificate'])) {
     $key_resource = openssl_pkey_get_public($params['options']['ssl']['peer_certificate']);
@@ -142,30 +140,6 @@ function verify_ssha256($hash, $password) {
 		return false;
 	}
 }
-function doveadm_authenticate($hash, $algorithm, $password) {
-	$descr = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
-	$pipes = array();
-	$process = proc_open("/usr/bin/doveadm pw -s ".$algorithm." -t '".$hash."'", $descr, $pipes);
-	if (is_resource($process)) {
-		fputs($pipes[0], $password);
-		fclose($pipes[0]);
-		while ($f = fgets($pipes[1])) {
-			if (preg_match('/(verified)/', $f)) {
-				proc_close($process);
-				return true;
-			}
-			return false;
-		}
-		fclose($pipes[1]);
-		while ($f = fgets($pipes[2])) {
-			proc_close($process);
-			return false;
-		}
-		fclose($pipes[2]);
-		proc_close($process);
-	}
-	return false;
-}
 function check_login($user, $pass) {
 	global $pdo;
 	global $redis;
@@ -272,7 +246,6 @@ function edit_admin_account($postarray) {
 		);
 		return false;
 	}
-
 	if (!empty($password) && !empty($password2)) {
     if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
       $_SESSION['return'] = array(
@@ -348,28 +321,20 @@ function edit_admin_account($postarray) {
 function edit_user_account($postarray) {
 	global $lang;
 	global $pdo;
-  if (isset($postarray['username']) && filter_var($postarray['username'], FILTER_VALIDATE_EMAIL)) {
-    if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $postarray['username'])) {
-      $_SESSION['return'] = array(
-        'type' => 'danger',
-        'msg' => sprintf($lang['danger']['access_denied'])
-      );
-      return false;
-    }
-    else {
-      $username = $postarray['username'];
-    }
+  $username = $_SESSION['mailcow_cc_username'];
+  $role = $_SESSION['mailcow_cc_role'];
+	$password_old = $postarray['user_old_pass'];
+  if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') {
+    $_SESSION['return'] = array(
+      'type' => 'danger',
+      'msg' => sprintf($lang['danger']['access_denied'])
+    );
+    return false;
   }
-  else {
-    $username = $_SESSION['mailcow_cc_username'];
-  }
-	$password_old		= $postarray['user_old_pass'];
-
 	if (isset($postarray['user_new_pass']) && isset($postarray['user_new_pass2'])) {
 		$password_new	= $postarray['user_new_pass'];
 		$password_new2	= $postarray['user_new_pass2'];
 	}
-
 	$stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
 			WHERE `kind` NOT REGEXP 'location|thing|group'
         AND `username` = :user");
@@ -382,7 +347,6 @@ function edit_user_account($postarray) {
     );
     return false;
   }
-
 	if (isset($password_new) && isset($password_new2)) {
 		if (!empty($password_new2) && !empty($password_new)) {
 			if ($password_new2 != $password_new) {
@@ -486,293 +450,12 @@ function is_valid_domain_name($domain_name) {
 		   && preg_match("/^.{1,253}$/", $domain_name)
 		   && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $domain_name));
 }
-function add_domain_admin($postarray) {
-	global $lang;
-	global $pdo;
-	$username		= strtolower(trim($postarray['username']));
-	$password		= $postarray['password'];
-	$password2  = $postarray['password2'];
-	$domains    = (array)$postarray['domains'];
-  $active     = intval($postarray['active']);
-
-	if ($_SESSION['mailcow_cc_role'] != "admin") {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['access_denied'])
-		);
-		return false;
-	}
-	if (empty($domains)) {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['domain_invalid'])
-		);
-		return false;
-	}
-	if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username)) || empty ($username)) {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['username_invalid'])
-		);
-		return false;
-	}
-	try {
-		$stmt = $pdo->prepare("SELECT `username` FROM `mailbox`
-			WHERE `username` = :username");
-		$stmt->execute(array(':username' => $username));
-		$num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-		
-		$stmt = $pdo->prepare("SELECT `username` FROM `admin`
-			WHERE `username` = :username");
-		$stmt->execute(array(':username' => $username));
-		$num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-		
-		$stmt = $pdo->prepare("SELECT `username` FROM `domain_admins`
-			WHERE `username` = :username");
-		$stmt->execute(array(':username' => $username));
-		$num_results[] = count($stmt->fetchAll(PDO::FETCH_ASSOC));
-	}
-	catch(PDOException $e) {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => 'MySQL: '.$e
-		);
-		return false;
-	}
-	foreach ($num_results as $num_results_each) {
-		if ($num_results_each != 0) {
-			$_SESSION['return'] = array(
-				'type' => 'danger',
-				'msg' => sprintf($lang['danger']['object_exists'], htmlspecialchars($username))
-			);
-			return false;
-		}
-	}
-	if (!empty($password) && !empty($password2)) {
-    if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-      $_SESSION['return'] = array(
-        'type' => 'danger',
-        'msg' => sprintf($lang['danger']['password_complexity'])
-      );
-      return false;
-    }
-		if ($password != $password2) {
-			$_SESSION['return'] = array(
-				'type' => 'danger',
-				'msg' => sprintf($lang['danger']['password_mismatch'])
-			);
-			return false;
-		}
-		$password_hashed = hash_password($password);
-		foreach ($domains as $domain) {
-			if (!is_valid_domain_name($domain)) {
-				$_SESSION['return'] = array(
-					'type' => 'danger',
-					'msg' => sprintf($lang['danger']['domain_invalid'])
-				);
-				return false;
-			}
-			try {
-				$stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
-						VALUES (:username, :domain, :created, :active)");
-				$stmt->execute(array(
-					':username' => $username,
-					':domain' => $domain,
-					':created' => date('Y-m-d H:i:s'),
-					':active' => $active
-				));
-			}
-			catch (PDOException $e) {
-        delete_domain_admin(array('username' => $username));
-				$_SESSION['return'] = array(
-					'type' => 'danger',
-					'msg' => 'MySQL: '.$e
-				);
-				return false;
-			}
-		}
-		try {
-			$stmt = $pdo->prepare("INSERT INTO `admin` (`username`, `password`, `superadmin`, `active`)
-				VALUES (:username, :password_hashed, '0', :active)");
-			$stmt->execute(array(
-				':username' => $username,
-				':password_hashed' => $password_hashed,
-				':active' => $active
-			));
-		}
-		catch (PDOException $e) {
-			$_SESSION['return'] = array(
-				'type' => 'danger',
-				'msg' => 'MySQL: '.$e
-			);
-			return false;
-		}
-	}
-	else {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['password_empty'])
-		);
-		return false;
-	}
-	$_SESSION['return'] = array(
-		'type' => 'success',
-		'msg' => sprintf($lang['success']['domain_admin_added'], htmlspecialchars($username))
-	);
-}
-function delete_domain_admin($postarray) {
-	global $pdo;
-	global $lang;
-	if ($_SESSION['mailcow_cc_role'] != "admin") {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['access_denied'])
-		);
-		return false;
-	}
-	$usernames = (array)$postarray['username'];
-  foreach ($usernames as $username) {
-    if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username))) {
-      $_SESSION['return'] = array(
-        'type' => 'danger',
-        'msg' => sprintf($lang['danger']['username_invalid'])
-      );
-      return false;
-    }
-    try {
-      $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
-      $stmt->execute(array(
-        ':username' => $username,
-      ));
-      $stmt = $pdo->prepare("DELETE FROM `admin` WHERE `username` = :username");
-      $stmt->execute(array(
-        ':username' => $username,
-      ));
-    }
-    catch (PDOException $e) {
-      $_SESSION['return'] = array(
-        'type' => 'danger',
-        'msg' => 'MySQL: '.$e
-      );
-      return false;
-    }
-  }
-  $_SESSION['return'] = array(
-    'type' => 'success',
-    'msg' => sprintf($lang['success']['domain_admin_removed'], htmlspecialchars(implode(', ', $usernames)))
-  );
-}
-function get_domain_admins() {
-	global $pdo;
-	global $lang;
-  $domainadmins = array();
-	if ($_SESSION['mailcow_cc_role'] != "admin") {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['access_denied'])
-		);
-		return false;
-	}
-  try {
-    $stmt = $pdo->query("SELECT DISTINCT
-      `username`
-        FROM `domain_admins` 
-          WHERE `username` IN (
-            SELECT `username` FROM `admin`
-              WHERE `superadmin`!='1'
-          )");
-    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    while ($row = array_shift($rows)) {
-      $domainadmins[] = $row['username'];
-    }
-  }
-  catch(PDOException $e) {
-    $_SESSION['return'] = array(
-      'type' => 'danger',
-      'msg' => 'MySQL: '.$e
-    );
-  }
-  return $domainadmins;
-}
-function get_domain_admin_details($domain_admin) {
-	global $pdo;
-
-	global $lang;
-  $domainadmindata = array();
-	if (isset($domain_admin) && $_SESSION['mailcow_cc_role'] != "admin") {
-		return false;
-	}
-  if (!isset($domain_admin) && $_SESSION['mailcow_cc_role'] != "domainadmin") {
-		return false;
-	}
-  (!isset($domain_admin)) ? $domain_admin = $_SESSION['mailcow_cc_username'] : null;
-  
-  if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $domain_admin))) {
-		return false;
-	}
-  try {
-    $stmt = $pdo->prepare("SELECT
-      `tfa`.`active` AS `tfa_active_int`,
-      CASE `tfa`.`active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `tfa_active`,
-      `domain_admins`.`username`,
-      `domain_admins`.`created`,
-      `domain_admins`.`active` AS `active_int`,
-      CASE `domain_admins`.`active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
-        FROM `domain_admins`
-        LEFT OUTER JOIN `tfa` ON `tfa`.`username`=`domain_admins`.`username`
-          WHERE `domain_admins`.`username`= :domain_admin");
-    $stmt->execute(array(
-      ':domain_admin' => $domain_admin
-    ));
-    $row = $stmt->fetch(PDO::FETCH_ASSOC);
-    if (empty($row)) { 
-      return false;
-    }
-    $domainadmindata['username'] = $row['username'];
-    $domainadmindata['tfa_active'] = $row['tfa_active'];
-    $domainadmindata['active'] = $row['active'];
-    $domainadmindata['tfa_active_int'] = $row['tfa_active_int'];
-    $domainadmindata['active_int'] = $row['active_int'];
-    $domainadmindata['modified'] = $row['created'];
-    // GET SELECTED
-    $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
-      WHERE `domain` IN (
-        SELECT `domain` FROM `domain_admins`
-          WHERE `username`= :domain_admin)");
-    $stmt->execute(array(':domain_admin' => $domain_admin));
-    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    while($row = array_shift($rows)) {
-      $domainadmindata['selected_domains'][] = $row['domain'];
-    }
-    // GET UNSELECTED
-    $stmt = $pdo->prepare("SELECT `domain` FROM `domain`
-      WHERE `domain` NOT IN (
-        SELECT `domain` FROM `domain_admins`
-          WHERE `username`= :domain_admin)");
-    $stmt->execute(array(':domain_admin' => $domain_admin));
-    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
-    while($row = array_shift($rows)) {
-      $domainadmindata['unselected_domains'][] = $row['domain'];
-    }
-    if (!isset($domainadmindata['unselected_domains'])) {
-      $domainadmindata['unselected_domains'] = "";
-    }
-  }
-  catch(PDOException $e) {
-    $_SESSION['return'] = array(
-      'type' => 'danger',
-      'msg' => 'MySQL: '.$e
-    );
-  }
-  return $domainadmindata;
-}
 function set_tfa($postarray) {
 	global $lang;
 	global $pdo;
 	global $yubi;
 	global $u2f;
 	global $tfa;
-
   if ($_SESSION['mailcow_cc_role'] != "domainadmin" &&
     $_SESSION['mailcow_cc_role'] != "admin") {
       $_SESSION['return'] = array(
@@ -847,7 +530,6 @@ function set_tfa($postarray) {
 				'msg' => sprintf($lang['success']['object_modified'], htmlspecialchars($username))
 			);
 		break;
-
 		case "u2f":
       $key_id = (!isset($postarray["key_id"])) ? 'unidentified' : $postarray["key_id"];
       try {
@@ -871,7 +553,6 @@ function set_tfa($postarray) {
         return false;
       }
 		break;
-
 		case "totp":
       $key_id = (!isset($postarray["key_id"])) ? 'unidentified' : $postarray["key_id"];
       if ($tfa->verifyCode($_POST['totp_secret'], $_POST['totp_confirm_token']) === true) {
@@ -900,7 +581,6 @@ function set_tfa($postarray) {
         );
       }
 		break;
-
 		case "none":
 			try {
 				$stmt = $pdo->prepare("DELETE FROM `tfa` WHERE `username` = :username");
@@ -977,7 +657,6 @@ function get_tfa($username = null) {
   elseif (empty($username)) {
     return false;
   }
-
   $stmt = $pdo->prepare("SELECT * FROM `tfa`
       WHERE `username` = :username AND `active` = '1'");
   $stmt->execute(array(':username' => $username));
@@ -1041,7 +720,6 @@ function verify_tfa_login($username, $token) {
 	global $yubi;
 	global $u2f;
 	global $tfa;
-
   $stmt = $pdo->prepare("SELECT `authmech` FROM `tfa`
       WHERE `username` = :username AND `active` = '1'");
   $stmt->execute(array(':username' => $username));
@@ -1126,237 +804,6 @@ function verify_tfa_login($username, $token) {
 	}
   return false;
 }
-function edit_domain_admin($postarray) {
-	global $lang;
-	global $pdo;
-
-	if ($_SESSION['mailcow_cc_role'] != "admin" && $_SESSION['mailcow_cc_role'] != "domainadmin") {
-		$_SESSION['return'] = array(
-			'type' => 'danger',
-			'msg' => sprintf($lang['danger']['access_denied'])
-		);
-		return false;
-	}
-	// Administrator
-  if ($_SESSION['mailcow_cc_role'] == "admin") {
-    if (!is_array($postarray['username'])) {
-      $usernames = array();
-      $usernames[] = $postarray['username'];
-    }
-    else {
-      $usernames = $postarray['username'];
-    }
-    foreach ($usernames as $username) {
-      $is_now = get_domain_admin_details($username);
-      $domains = (isset($postarray['domains'])) ? (array)$postarray['domains'] : null;
-      if (!empty($is_now)) {
-        $active = (isset($postarray['active'])) ? $postarray['active'] : $is_now['active_int'];
-        $domains = (!empty($domains)) ? $domains : $is_now['selected_domains'];
-        $username_new = (!empty($postarray['username_new'])) ? $postarray['username_new'] : $is_now['username'];
-      }
-      else {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => sprintf($lang['danger']['access_denied'])
-        );
-        return false;
-      }
-      $password     = $postarray['password'];
-      $password2    = $postarray['password2'];
-
-      if (!empty($domains)) {
-        foreach ($domains as $domain) {
-          if (!is_valid_domain_name($domain)) {
-            $_SESSION['return'] = array(
-              'type' => 'danger',
-              'msg' => sprintf($lang['danger']['domain_invalid'])
-            );
-            return false;
-          }
-        }
-      }
-      if (!ctype_alnum(str_replace(array('_', '.', '-'), '', $username_new))) {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => sprintf($lang['danger']['username_invalid'])
-        );
-        return false;
-      }
-      if ($username_new != $username) {
-        if (!empty(get_domain_admin_details($username_new)['username'])) {
-          $_SESSION['return'] = array(
-            'type' => 'danger',
-            'msg' => sprintf($lang['danger']['username_invalid'])
-          );
-          return false;
-        }
-      }
-      try {
-        $stmt = $pdo->prepare("DELETE FROM `domain_admins` WHERE `username` = :username");
-        $stmt->execute(array(
-          ':username' => $username,
-        ));
-      }
-      catch (PDOException $e) {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => 'MySQL: '.$e
-        );
-        return false;
-      }
-
-      if (!empty($domains)) {
-        foreach ($domains as $domain) {
-          try {
-            $stmt = $pdo->prepare("INSERT INTO `domain_admins` (`username`, `domain`, `created`, `active`)
-              VALUES (:username_new, :domain, :created, :active)");
-            $stmt->execute(array(
-              ':username_new' => $username_new,
-              ':domain' => $domain,
-              ':created' => date('Y-m-d H:i:s'),
-              ':active' => $active
-            ));
-          }
-          catch (PDOException $e) {
-            $_SESSION['return'] = array(
-              'type' => 'danger',
-              'msg' => 'MySQL: '.$e
-            );
-            return false;
-          }
-        }
-      }
-
-      if (!empty($password) && !empty($password2)) {
-        if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password)) {
-          $_SESSION['return'] = array(
-            'type' => 'danger',
-            'msg' => sprintf($lang['danger']['password_complexity'])
-          );
-          return false;
-        }
-        if ($password != $password2) {
-          $_SESSION['return'] = array(
-            'type' => 'danger',
-            'msg' => sprintf($lang['danger']['password_mismatch'])
-          );
-          return false;
-        }
-        $password_hashed = hash_password($password);
-        try {
-          $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active, `password` = :password_hashed WHERE `username` = :username");
-          $stmt->execute(array(
-            ':password_hashed' => $password_hashed,
-            ':username_new' => $username_new,
-            ':username' => $username,
-            ':active' => $active
-          ));
-          if (isset($postarray['disable_tfa'])) {
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
-            $stmt->execute(array(':username' => $username));
-          }
-          else {
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
-            $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
-          }
-        }
-        catch (PDOException $e) {
-          $_SESSION['return'] = array(
-            'type' => 'danger',
-            'msg' => 'MySQL: '.$e
-          );
-          return false;
-        }
-      }
-      else {
-        try {
-          $stmt = $pdo->prepare("UPDATE `admin` SET `username` = :username_new, `active` = :active WHERE `username` = :username");
-          $stmt->execute(array(
-            ':username_new' => $username_new,
-            ':username' => $username,
-            ':active' => $active
-          ));
-          if (isset($postarray['disable_tfa'])) {
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `active` = '0' WHERE `username` = :username");
-            $stmt->execute(array(':username' => $username));
-          }
-          else {
-            $stmt = $pdo->prepare("UPDATE `tfa` SET `username` = :username_new WHERE `username` = :username");
-            $stmt->execute(array(':username_new' => $username_new, ':username' => $username));
-          }
-        }
-        catch (PDOException $e) {
-          $_SESSION['return'] = array(
-            'type' => 'danger',
-            'msg' => 'MySQL: '.$e
-          );
-          return false;
-        }
-      }
-    }
-    $_SESSION['return'] = array(
-      'type' => 'success',
-      'msg' => sprintf($lang['success']['domain_admin_modified'], htmlspecialchars(implode(', ', $usernames)))
-    );
-  }
-  // Domain administrator
-  // Can only edit itself
-  elseif ($_SESSION['mailcow_cc_role'] == "domainadmin") {
-    $username = $_SESSION['mailcow_cc_username'];
-    $password_old		= $postarray['user_old_pass'];
-    $password_new	= $postarray['user_new_pass'];
-    $password_new2	= $postarray['user_new_pass2'];
-
-    $stmt = $pdo->prepare("SELECT `password` FROM `admin`
-        WHERE `username` = :user");
-    $stmt->execute(array(':user' => $username));
-    $row = $stmt->fetch(PDO::FETCH_ASSOC);
-    if (!verify_ssha256($row['password'], $password_old)) {
-      $_SESSION['return'] = array(
-        'type' => 'danger',
-        'msg' => sprintf($lang['danger']['access_denied'])
-      );
-      return false;
-    }
-
-    if (!empty($password_new2) && !empty($password_new)) {
-      if ($password_new2 != $password_new) {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => sprintf($lang['danger']['password_mismatch'])
-        );
-        return false;
-      }
-      if (!preg_match('/' . $GLOBALS['PASSWD_REGEP'] . '/', $password_new)) {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => sprintf($lang['danger']['password_complexity'])
-        );
-        return false;
-      }
-      $password_hashed = hash_password($password_new);
-      try {
-        $stmt = $pdo->prepare("UPDATE `admin` SET `password` = :password_hashed WHERE `username` = :username");
-        $stmt->execute(array(
-          ':password_hashed' => $password_hashed,
-          ':username' => $username
-        ));
-      }
-      catch (PDOException $e) {
-        $_SESSION['return'] = array(
-          'type' => 'danger',
-          'msg' => 'MySQL: '.$e
-        );
-        return false;
-      }
-    }
-    
-    $_SESSION['return'] = array(
-      'type' => 'success',
-      'msg' => sprintf($lang['success']['domain_admin_modified'], htmlspecialchars($username))
-    );
-  }
-}
 function get_admin_details() {
   // No parameter to be given, only one admin should exist
 	global $pdo;
@@ -1438,4 +885,4 @@ function get_logs($container, $lines = 100) {
   }
   return false;
 }
-?>
+?>
\ No newline at end of file
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index 597d9d87..de8bf0ac 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -879,7 +879,7 @@ function mailbox($_action, $_type, $_data = null) {
             $alias_domain = idn_to_ascii(strtolower(trim($alias_domain)));
             $is_now = mailbox('get', 'alias_domain_details', $alias_domain);
             if (!empty($is_now)) {
-              $active         = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
+              $active         = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
               $target_domain  = (!empty($_data['target_domain'])) ? idn_to_ascii(strtolower(trim($_data['target_domain']))) : $is_now['target_domain'];
             }
             else {
@@ -903,7 +903,7 @@ function mailbox($_action, $_type, $_data = null) {
               );
               return false;
             }
-            if (empty(mailbox('get', 'domain_details', $target_domain))) {
+            if (empty(mailbox('get', 'domain_details', $target_domain)) || !empty(mailbox('get', 'alias_domain_details', $target_domain))) {
               $_SESSION['return'] = array(
                 'type' => 'danger',
                 'msg' => sprintf($lang['danger']['target_domain_invalid'])
@@ -950,12 +950,10 @@ function mailbox($_action, $_type, $_data = null) {
               );
               return false;
             }
-            $tls_enforce_out = intval($_data['tls_enforce_out']);
-            $tls_enforce_in = intval($_data['tls_enforce_in']);
             $is_now = mailbox('get', 'tls_policy', $username);
             if (!empty($is_now)) {
-              $tls_enforce_in = (isset($_data['tls_enforce_in'])) ? $_data['tls_enforce_in'] : $is_now['tls_enforce_in'];
-              $tls_enforce_out = (isset($_data['tls_enforce_out'])) ? $_data['tls_enforce_out'] : $is_now['tls_enforce_out'];
+              $tls_enforce_in = (isset($_data['tls_enforce_in'])) ? intval($_data['tls_enforce_in']) : $is_now['tls_enforce_in'];
+              $tls_enforce_out = (isset($_data['tls_enforce_out'])) ? intval($_data['tls_enforce_out']) : $is_now['tls_enforce_out'];
             }
             else {
               $_SESSION['return'] = array(
@@ -1136,6 +1134,63 @@ function mailbox($_action, $_type, $_data = null) {
             'msg' => sprintf($lang['success']['mailbox_modified'], implode(', ', $usernames))
           );
         break;
+        case 'domain_ratelimit':
+          $rl_value = intval($_data['rl_value']);
+          $rl_frame = $_data['rl_frame'];
+          if (!in_array($rl_frame, array('s', 'm', 'h'))) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => 'Ratelimit time frame is incorrect'
+              );
+              return false;
+          }
+          if (!is_array($_data['domain'])) {
+            $domains = array();
+            $domains[] = $_data['domain'];
+          }
+          else {
+            $domains = $_data['domain'];
+          }
+          foreach ($domains as $domain) {
+            if (!is_valid_domain_name($domain) || !hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $domain)) {
+              $_SESSION['return'] = array(
+                'type' => 'danger',
+                'msg' => sprintf($lang['danger']['access_denied'])
+              );
+              return false;
+            }
+            if (empty($rl_value)) {
+              try {
+                $redis->hDel('RL_OBJECT', $domain);
+                $redis->hDel('RL_VALUE', $domain);
+              }
+              catch (RedisException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'Redis: '.$e
+                );
+                return false;
+              }
+            }
+            else {
+              try {
+                $redis->hSet('RL_OBJECT', $domain, '1');
+                $redis->hSet('RL_VALUE', $domain, $rl_value . ' / 1' . $rl_frame);
+              }
+              catch (RedisException $e) {
+                $_SESSION['return'] = array(
+                  'type' => 'danger',
+                  'msg' => 'Redis: '.$e
+                );
+                return false;
+              }
+            }
+          }
+          $_SESSION['return'] = array(
+            'type' => 'success',
+            'msg' => sprintf($lang['success']['domain_modified'], implode(', ', $domains))
+          );
+        break;
         case 'syncjob':
           if (!is_array($_data['id'])) {
             $ids = array();
@@ -1149,9 +1204,9 @@ function mailbox($_action, $_type, $_data = null) {
             if (!empty($is_now)) {
               $username = $is_now['user2'];
               $user1 = (!empty($_data['user1'])) ? $_data['user1'] : $is_now['user1'];
-              $active = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
-              $delete2duplicates = (isset($_data['delete2duplicates'])) ? $_data['delete2duplicates'] : $is_now['delete2duplicates'];
-              $delete1 = (isset($_data['delete1'])) ? $_data['delete1'] : $is_now['delete1'];
+              $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+              $delete2duplicates = (isset($_data['delete2duplicates'])) ? intval($_data['delete2duplicates']) : $is_now['delete2duplicates'];
+              $delete1 = (isset($_data['delete1'])) ? intval($_data['delete1']) : $is_now['delete1'];
               $port1 = (!empty($_data['port1'])) ? $_data['port1'] : $is_now['port1'];
               $password1 = (!empty($_data['password1'])) ? $_data['password1'] : $is_now['password1'];
               $host1 = (!empty($_data['host1'])) ? $_data['host1'] : $is_now['host1'];
@@ -1253,7 +1308,7 @@ function mailbox($_action, $_type, $_data = null) {
           foreach ($addresses as $address) {
             $is_now = mailbox('get', 'alias_details', $address);
             if (!empty($is_now)) {
-              $active = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
+              $active = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
               $goto   = (!empty($_data['goto'])) ? $_data['goto'] : $is_now['goto'];
             }
             else {
@@ -1383,9 +1438,9 @@ function mailbox($_action, $_type, $_data = null) {
             elseif ($_SESSION['mailcow_cc_role'] == "admin") {
               $is_now = mailbox('get', 'domain_details', $domain);
               if (!empty($is_now)) {
-                $active               = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
-                $backupmx             = (isset($_data['backupmx'])) ? $_data['backupmx'] : $is_now['backupmx_int'];
-                $relay_all_recipients = (isset($_data['relay_all_recipients'])) ? $_data['relay_all_recipients'] : $is_now['relay_all_recipients_int'];
+                $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+                $backupmx             = (isset($_data['backupmx'])) ? intval($_data['backupmx']) : $is_now['backupmx_int'];
+                $relay_all_recipients = (isset($_data['relay_all_recipients'])) ? intval($_data['relay_all_recipients']) : $is_now['relay_all_recipients_int'];
                 $aliases              = (!empty($_data['aliases'])) ? $_data['aliases'] : $is_now['max_num_aliases_for_domain'];
                 $mailboxes            = (!empty($_data['mailboxes'])) ? $_data['mailboxes'] : $is_now['max_num_mboxes_for_domain'];
                 $maxquota             = (!empty($_data['maxquota'])) ? $_data['maxquota'] : ($is_now['max_quota_for_mbox'] / 1048576);
@@ -1524,7 +1579,7 @@ function mailbox($_action, $_type, $_data = null) {
             }
             $is_now = mailbox('get', 'mailbox_details', $username);
             if (!empty($is_now)) {
-              $active     = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
+              $active     = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
               $name       = (!empty($_data['name'])) ? $_data['name'] : $is_now['name'];
               $domain     = $is_now['domain'];
               $quota_m    = (!empty($_data['quota'])) ? $_data['quota'] : ($is_now['quota'] / 1048576);
@@ -1588,19 +1643,15 @@ function mailbox($_action, $_type, $_data = null) {
                 mailbox('get', 'sender_acl_handles', $username)['sender_acl_addresses']['ro']
               );
               // Get sender_acl items from POST array
-              $sender_acl_domain_admin = ($_data['sender_acl'] == "0") ? array() : $_data['sender_acl'];
+              $sender_acl_domain_admin = ($_data['sender_acl'] == "0") ? array() : (array)$_data['sender_acl'];
               if (!empty($sender_acl_domain_admin) || !empty($sender_acl_admin)) {
-                // Check items in POST array
-                foreach ($sender_acl_domain_admin as $sender_acl) {
-                  if (!filter_var($sender_acl, FILTER_VALIDATE_EMAIL) && !is_valid_domain_name(ltrim($sender_acl, '@'))) {
-                      $_SESSION['return'] = array(
-                        'type' => 'danger',
-                        'msg' => sprintf($lang['danger']['sender_acl_invalid'])
-                      );
-                      return false;
+                // Check items in POST array and skip invalid
+                foreach ($sender_acl_domain_admin as $key => $val) {
+                  if (!filter_var($val, FILTER_VALIDATE_EMAIL) && !is_valid_domain_name(ltrim($val, '@'))) {
+                    unset($sender_acl_domain_admin[$key]);
                   }
-                  if (is_valid_domain_name(ltrim($sender_acl, '@'))) {
-                    if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], ltrim($sender_acl, '@'))) {
+                  if (is_valid_domain_name(ltrim($val, '@'))) {
+                    if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], ltrim($val, '@'))) {
                       $_SESSION['return'] = array(
                         'type' => 'danger',
                         'msg' => sprintf($lang['danger']['sender_acl_invalid'])
@@ -1608,8 +1659,8 @@ function mailbox($_action, $_type, $_data = null) {
                       return false;
                     }
                   }
-                  if (filter_var($sender_acl, FILTER_VALIDATE_EMAIL)) {
-                    if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $sender_acl)) {
+                  if (filter_var($val, FILTER_VALIDATE_EMAIL)) {
+                    if (!hasMailboxObjectAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $val)) {
                       $_SESSION['return'] = array(
                         'type' => 'danger',
                         'msg' => sprintf($lang['danger']['sender_acl_invalid'])
@@ -1761,8 +1812,8 @@ function mailbox($_action, $_type, $_data = null) {
           foreach ($names as $name) {
             $is_now = mailbox('get', 'resource_details', $name);
             if (!empty($is_now)) {
-              $active             = (isset($_data['active'])) ? $_data['active'] : $is_now['active_int'];
-              $multiple_bookings  = (isset($_data['multiple_bookings'])) ? $_data['multiple_bookings'] : $is_now['multiple_bookings_int'];
+              $active             = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+              $multiple_bookings  = (isset($_data['multiple_bookings'])) ? intval($_data['multiple_bookings']) : $is_now['multiple_bookings_int'];
               $description        = (!empty($_data['description'])) ? $_data['description'] : $is_now['description'];
               $kind               = (!empty($_data['kind'])) ? $_data['kind'] : $is_now['kind'];
             }
@@ -2267,6 +2318,31 @@ function mailbox($_action, $_type, $_data = null) {
           }
           return $aliases;
         break;
+        case 'domain_ratelimit':
+          $aliases = array();
+          if (!hasDomainAccess($_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role'], $_data)) {
+            return false;
+          }
+          try {
+            if (($rl_value = $redis->hGet('RL_VALUE', $_data)) && $redis->hGet('RL_OBJECT', $_data)) {
+              $rl = explode(' / 1', $rl_value);
+              $data['value'] = $rl[0];
+              $data['frame'] = $rl[1];
+              return $data;
+            }
+            else {
+              return false;
+            }
+          }
+          catch (RedisException $e) {
+            $_SESSION['return'] = array(
+              'type' => 'danger',
+              'msg' => 'Redis: '.$e
+            );
+            return false;
+          }
+          return false;
+        break;
         case 'alias_details':
           $aliasdata = array();
           try {
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index e00fd31a..ebc453f8 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -61,6 +61,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/lang/lang.en.php';
 include $_SERVER['DOCUMENT_ROOT'] . '/lang/lang.'.$_SESSION['mailcow_locale'].'.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.mailbox.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.domain_admin.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.policy.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.dkim.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.fwdhost.inc.php';
diff --git a/data/web/inc/sessions.inc.php b/data/web/inc/sessions.inc.php
index e2919f7a..d23d2cba 100644
--- a/data/web/inc/sessions.inc.php
+++ b/data/web/inc/sessions.inc.php
@@ -1,6 +1,8 @@
 <?php
 // Start session
 ini_set("session.cookie_httponly", 1);
+ini_set('session.gc_maxlifetime', $SESSION_LIFETIME);
+
 if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 
   strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") {
   ini_set("session.cookie_secure", 1);
diff --git a/data/web/inc/triggers.inc.php b/data/web/inc/triggers.inc.php
index 4fd207cf..34c1e14f 100644
--- a/data/web/inc/triggers.inc.php
+++ b/data/web/inc/triggers.inc.php
@@ -54,53 +54,12 @@ if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "admi
     }
   }
 }
-if (isset($_SESSION['mailcow_cc_role']) && $_SESSION['mailcow_cc_role'] == "user") {
-	if (isset($_POST["edit_user_account"])) {
-		edit_user_account($_POST);
-	}
-	if (isset($_POST["edit_syncjob"])) {
-		mailbox('edit', 'syncjob', $_POST);
-	}
-}
 if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "admin" || $_SESSION['mailcow_cc_role'] == "domainadmin")) {
-	if (isset($_POST["edit_domain_admin"])) {
-		edit_domain_admin($_POST);
-	}
 	if (isset($_POST["set_tfa"])) {
 		set_tfa($_POST);
 	}
 	if (isset($_POST["unset_tfa_key"])) {
 		unset_tfa_key($_POST);
 	}
-	if (isset($_POST["mailbox_edit_alias"])) {
-		mailbox('edit', 'alias', $_POST);
-	}
-	if (isset($_POST["mailbox_edit_domain"])) {
-		mailbox('edit', 'domain', $_POST);
-	}
-	if (isset($_POST["mailbox_edit_mailbox"])) {
-		mailbox('edit', 'mailbox', $_POST);
-	}
-	if (isset($_POST["mailbox_edit_alias_domain"])) {
-		mailbox('edit', 'alias_domain', $_POST);
-	}
-	if (isset($_POST["mailbox_edit_resource"])) {
-		mailbox('edit', 'resource', $_POST);
-	}
-	if (isset($_POST["mailbox_delete_domain"])) {
-		mailbox('delete', 'domain', $_POST);
-	}
-	if (isset($_POST["mailbox_delete_alias"])) {
-		mailbox('delete', 'delete_alias', $_POST);
-	}
-	if (isset($_POST["mailbox_delete_alias_domain"])) {
-		mailbox('delete', 'alias_domain', $_POST);
-	}
-	if (isset($_POST["mailbox_delete_mailbox"])) {
-		mailbox('delete', 'mailbox', $_POST);
-	}
-	if (isset($_POST["mailbox_delete_resource"])) {
-		mailbox('delete', 'resource', $_POST);
-	}
 }
 ?>
diff --git a/data/web/js/api.js b/data/web/js/api.js
index ec26709a..1fd962fb 100644
--- a/data/web/js/api.js
+++ b/data/web/js/api.js
@@ -64,8 +64,23 @@ $(document).ready(function() {
     // If clicked element #edit_selected is in a form with the same data-id as the button,
     // we merge all input fields by {"name":"value"} into api-attr
     if ($(this).closest("form").data('id') == id) {
-      var attr_to_merge = $(this).closest("form").serializeObject();
-      var api_attr = $.extend(api_attr, attr_to_merge)
+      var req_empty = false;
+      $(this).closest("form").find('select, textarea, input').each(function() {
+        if ($(this).prop('required')) {
+          if (!$(this).val()) {
+            req_empty = true;
+            $(this).addClass('inputMissingAttr');
+          } else {
+            $(this).removeClass('inputMissingAttr');
+          }
+        }
+      });
+      if (!req_empty) {
+        var attr_to_merge = $(this).closest("form").serializeObject();
+        var api_attr = $.extend(api_attr, attr_to_merge)
+      } else {
+        return false;
+      }
     }
     // If clicked element #edit_selected has data-item attribute, it is added to "items"
     if (typeof $(this).data('item') !== 'undefined') {
@@ -77,6 +92,7 @@ $(document).ready(function() {
     }
     if (typeof multi_data[id] == "undefined") return;
     api_items = multi_data[id];
+    // alert(JSON.stringify(api_attr));
     if (Object.keys(api_items).length !== 0) {
       $.ajax({
         type: "POST",
diff --git a/data/web/json_api.php b/data/web/json_api.php
index e4086520..56d4e741 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -426,7 +426,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
           case "domain-admin":
             if (isset($_POST['attr'])) {
               $attr = (array)json_decode($_POST['attr'], true);
-              if (add_domain_admin($attr) === false) {
+              if (domain_admin('add', $attr) === false) {
                 if (isset($_SESSION['return'])) {
                   echo json_encode($_SESSION['return']);
                 }
@@ -826,10 +826,10 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
           case "domain-admin":
             switch ($object) {
               case "all":
-                $domain_admins = get_domain_admins();
+                $domain_admins = domain_admin('get');
                 if (!empty($domain_admins)) {
                   foreach ($domain_admins as $domain_admin) {
-                    if ($details = get_domain_admin_details($domain_admin)) {
+                    if ($details = domain_admin('details', $domain_admin)) {
                       $data[] = $details;
                     }
                     else {
@@ -849,7 +849,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               break;
 
               default:
-                $data = get_domain_admin_details($object);
+                $data = domain_admin('details', $object);
                 if (!isset($data) || empty($data)) {
                   echo '{}';
                 }
@@ -1385,7 +1385,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
             if (isset($_POST['items'])) {
               $items = (array)json_decode($_POST['items'], true);
               if (is_array($items)) {
-                if (delete_domain_admin(array('username' => $items)) === false) {
+                if (domain_admin('delete', array('username' => $items)) === false) {
                   if (isset($_SESSION['return'])) {
                     echo json_encode($_SESSION['return']);
                   }
@@ -1603,6 +1603,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
             }
           break;
           case "mailbox":
+            // sender_acl:0 removes all entries
             if (isset($_POST['items']) && isset($_POST['attr'])) {
               $items = (array)json_decode($_POST['items'], true);
               $attr = (array)json_decode($_POST['attr'], true);
@@ -1778,6 +1779,50 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
+          case "domain-ratelimit":
+            if (isset($_POST['items']) && isset($_POST['attr'])) {
+              $items = (array)json_decode($_POST['items'], true);
+              $attr = (array)json_decode($_POST['attr'], true);
+              $postarray = array_merge(array('domain' => $items), $attr);
+              if (is_array($postarray['domain'])) {
+                if (mailbox('edit', 'domain_ratelimit', $postarray) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
+              }
+            }
+            else {
+              echo json_encode(array(
+                'type' => 'error',
+                'msg' => 'Incomplete post data'
+              ));
+            }
+          break;
           case "alias-domain":
             if (isset($_POST['items']) && isset($_POST['attr'])) {
               $items = (array)json_decode($_POST['items'], true);
@@ -1822,7 +1867,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
-          case "spam_score":
+          case "spam-score":
             if (isset($_POST['items']) && isset($_POST['attr'])) {
               $items = (array)json_decode($_POST['items'], true);
               $attr = (array)json_decode($_POST['attr'], true);
@@ -1872,7 +1917,7 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               $attr = (array)json_decode($_POST['attr'], true);
               $postarray = array_merge(array('username' => $items), $attr);
               if (is_array($postarray['username'])) {
-                if (edit_domain_admin($postarray) === false) {
+                if (domain_admin('edit', $postarray) === false) {
                   if (isset($_SESSION['return'])) {
                     echo json_encode($_SESSION['return']);
                   }
@@ -1989,39 +2034,109 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
-          case "admin":
-            // No items as there is only one admin
-            if (isset($_POST['attr'])) {
-              $attr = (array)json_decode($_POST['attr'], true);
-              if (edit_admin_account($attr) === false) {
-                if (isset($_SESSION['return'])) {
-                  echo json_encode($_SESSION['return']);
+          case "self":
+            // No items, logged-in user, users and domain admins
+            if ($_SESSION['mailcow_cc_role'] == "domainadmin") {
+              if (isset($_POST['attr'])) {
+                $attr = (array)json_decode($_POST['attr'], true);
+                if (domain_admin('edit', $attr) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
                 }
                 else {
-                  echo json_encode(array(
-                    'type' => 'error',
-                    'msg' => 'Edit failed'
-                  ));
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
                 }
-                exit();
               }
               else {
-                if (isset($_SESSION['return'])) {
-                  echo json_encode($_SESSION['return']);
-                }
-                else {
-                  echo json_encode(array(
-                    'type' => 'success',
-                    'msg' => 'Task completed'
-                  ));
-                }
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
               }
             }
-            else {
-              echo json_encode(array(
-                'type' => 'error',
-                'msg' => 'Incomplete post data'
-              ));
+            elseif ($_SESSION['mailcow_cc_role'] == "user") {
+              if (isset($_POST['attr'])) {
+                $attr = (array)json_decode($_POST['attr'], true);
+                if (edit_user_account($attr) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
+              }
+            }
+            elseif ($_SESSION['mailcow_cc_role'] == "admin") {
+              if (isset($_POST['attr'])) {
+                $attr = (array)json_decode($_POST['attr'], true);
+                if (edit_admin_account($attr) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
+              }
             }
           break;
         }
diff --git a/data/web/user.php b/data/web/user.php
index 77ccc62d..b283894c 100644
--- a/data/web/user.php
+++ b/data/web/user.php
@@ -357,7 +357,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "use
   <div class="modal-dialog" role="document">
     <div class="modal-content">
       <div class="modal-body">
-        <form class="form-horizontal" role="form" method="post" autocomplete="off">
+        <form class="form-horizontal" data-id="pwchange" role="form" method="post" autocomplete="off">
           <div class="form-group">
             <label class="control-label col-sm-3" for="user_new_pass"><?=$lang['user']['new_password'];?></label>
             <div class="col-sm-5">
@@ -380,7 +380,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "use
           </div>
           <div class="form-group">
             <div class="col-sm-offset-3 col-sm-9">
-              <button type="submit" name="edit_<?=($_SESSION['mailcow_cc_role'] == "domainadmin") ? "domain_admin" : "user_account";?>" class="btn btn-sm btn-success"><?=$lang['user']['change_password'];?></button>
+              <button class="btn btn-default" id="edit_selected" data-id="pwchange" data-item="null" data-api-url='edit/self' data-api-attr='{}' href="#"><?=$lang['user']['change_password'];?></button>
             </div>
           </div>
         </form>

From f4db3a7a00519eeffc91090cf1864dfa85db5ac2 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Mon, 17 Jul 2017 22:36:34 +0200
Subject: [PATCH 24/26] [Web] Allow multiple sync jobs with same username,
 fixes #464

---
 data/web/inc/functions.mailbox.inc.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index de8bf0ac..c81f3a88 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -135,9 +135,9 @@ function mailbox($_action, $_type, $_data = null) {
             return false;
           }
           try {
-            $stmt = $pdo->prepare("SELECT `user2`, `user1` FROM `imapsync`
-              WHERE `user2` = :user2 AND `user1` = :user1");
-            $stmt->execute(array(':user1' => $user1, ':user2' => $username));
+            $stmt = $pdo->prepare("SELECT '1' FROM `imapsync`
+              WHERE `user2` = :user2 AND `user1` = :user1 AND `host1` = :host1");
+            $stmt->execute(array(':user1' => $user1, ':user2' => $username, ':host1' => $host1));
             $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
           }
           catch(PDOException $e) {

From ed33cb5f57d24f1c46ba4f43039a702961b6ddfb Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Fri, 21 Jul 2017 11:03:35 +0200
Subject: [PATCH 25/26] [Rspamd] ARC: Disallow login/domain mismatch

---
 data/Dockerfiles/acme/docker-entrypoint.sh | 6 +++---
 data/conf/rspamd/local.d/arc.conf          | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/data/Dockerfiles/acme/docker-entrypoint.sh b/data/Dockerfiles/acme/docker-entrypoint.sh
index f20da206..616a6b81 100755
--- a/data/Dockerfiles/acme/docker-entrypoint.sh
+++ b/data/Dockerfiles/acme/docker-entrypoint.sh
@@ -147,14 +147,14 @@ while true; do
 		exit 0
 	fi
 
-	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${VALIDATED_CONFIG_DOMAINS[*]} ${ADDITIONAL_VALIDATED_SAN[*]} ${MAILCOW_HOSTNAME} | tr ' ' '\n' | sort | uniq -u ))
+	ORPHANED_SAN=($(echo ${SAN_ARRAY_NOW[*]} ${ALL_VALIDATED[*]} | tr ' ' '\n' | sort | uniq -u ))
 	if [[ ! -z ${ORPHANED_SAN[*]} ]] && [[ ${ISSUER} != *"mailcow"* ]]; then
 		DATE=$(date +%Y-%m-%d_%H_%M_%S)
 		echo "Found orphaned SAN ${ORPHANED_SAN[*]} in certificate, moving old files to ${ACME_BASE}/acme/private/${DATE}.bak/, keeping key file..."
 		mkdir -p ${ACME_BASE}/acme/private/${DATE}.bak/
 		[[ -f ${ACME_BASE}/acme/private/account.key ]] && mv ${ACME_BASE}/acme/private/account.key ${ACME_BASE}/acme/private/${DATE}.bak/
-		mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
-        mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+		[[ -f ${ACME_BASE}/acme/fullchain.pem ]] && mv ${ACME_BASE}/acme/fullchain.pem ${ACME_BASE}/acme/private/${DATE}.bak/
+		[[ -f ${ACME_BASE}/acme/cert.pem ]] && mv ${ACME_BASE}/acme/cert.pem ${ACME_BASE}/acme/private/${DATE}.bak/
 		cp ${ACME_BASE}/acme/private/privkey.pem ${ACME_BASE}/acme/private/${DATE}.bak/ # Keep key for TLSA 3 1 1 records
 	fi
 
diff --git a/data/conf/rspamd/local.d/arc.conf b/data/conf/rspamd/local.d/arc.conf
index 578056f9..e8d95871 100644
--- a/data/conf/rspamd/local.d/arc.conf
+++ b/data/conf/rspamd/local.d/arc.conf
@@ -5,7 +5,7 @@ allow_hdrfrom_mismatch = false;
 # If true, multiple from headers are allowed (but only first is used)
 allow_hdrfrom_multiple = true;
 # If true, username does not need to contain matching domain
-allow_username_mismatch = true;
+allow_username_mismatch = false;
 # If false, messages from authenticated users are not selected for signing
 auth_only = true;
 # Default path to key, can include '$domain' and '$selector' variables

From 83d485dd94662806551d072f280a3ed46a478f80 Mon Sep 17 00:00:00 2001
From: andryyy <andre.peters@debinux.de>
Date: Sat, 22 Jul 2017 20:39:54 +0200
Subject: [PATCH 26/26] [Web, Postfix, Compose] Allow to add relayhosts per
 domain (+ plain and login authentication)

---
 data/Dockerfiles/postfix/postfix.sh      |  19 ++-
 data/conf/postfix/main.cf                |   9 +-
 data/web/admin.php                       |  56 +++++++
 data/web/css/admin.css                   |  13 +-
 data/web/edit.php                        |  16 ++
 data/web/inc/functions.mailbox.inc.php   |  11 +-
 data/web/inc/functions.relayhost.inc.php | 179 +++++++++++++++++++++++
 data/web/inc/header.inc.php              |   2 +-
 data/web/inc/init_db.inc.php             |  22 ++-
 data/web/inc/prerequisites.inc.php       |   1 +
 data/web/js/admin.js                     |  53 +++++++
 data/web/json_api.php                    | 154 +++++++++++++++++++
 data/web/lang/lang.de.php                |   7 +
 data/web/lang/lang.en.php                |   7 +
 docker-compose.yml                       |   2 +-
 15 files changed, 538 insertions(+), 13 deletions(-)
 create mode 100644 data/web/inc/functions.relayhost.inc.php

diff --git a/data/Dockerfiles/postfix/postfix.sh b/data/Dockerfiles/postfix/postfix.sh
index 640538b0..9837eeef 100755
--- a/data/Dockerfiles/postfix/postfix.sh
+++ b/data/Dockerfiles/postfix/postfix.sh
@@ -20,12 +20,26 @@ dbname = ${DBNAME}
 query = SELECT IF( EXISTS( SELECT 'TLS_ACTIVE' FROM alias LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto WHERE (address='%s' OR address IN (SELECT CONCAT('%u', '@', target_domain) FROM alias_domain WHERE alias_domain='%d')) AND mailbox.tls_enforce_in = '1' AND mailbox.active = '1'), 'reject_plaintext_session', NULL) AS 'tls_enforce_in';
 EOF
 
-cat <<EOF > /opt/postfix/conf/sql/mysql_tls_enforce_out_policy.cf
+cat <<EOF > /opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
 user = ${DBUSER}
 password = ${DBPASS}
 hosts = mysql
 dbname = ${DBNAME}
-query = SELECT IF( EXISTS( SELECT 'TLS_ACTIVE' FROM alias LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto WHERE (address='%s' OR address IN (SELECT CONCAT('%u', '@', target_domain) FROM alias_domain WHERE alias_domain='%d')) AND mailbox.tls_enforce_out = '1' AND mailbox.active = '1'), 'smtp_enforced_tls:', NULL) AS 'tls_enforce_out';
+query = SELECT GROUP_CONCAT(transport SEPARATOR '') AS transport_maps
+  FROM (
+    SELECT IF(EXISTS(SELECT 'smtp_type' FROM alias LEFT OUTER JOIN mailbox ON mailbox.username = alias.goto WHERE (address = '%s' OR address IN (SELECT CONCAT('%u', '@', target_domain) FROM alias_domain WHERE alias_domain = '%d')) AND mailbox.tls_enforce_out = '1' AND mailbox.active = '1'), 'smtp_enforced_tls:', 'smtp:') AS 'transport'
+    UNION ALL
+    SELECT hostname AS transport FROM relayhosts LEFT OUTER JOIN domain ON domain.relayhost = relayhosts.id WHERE relayhosts.active = '1' AND domain = '%d' OR domain IN (SELECT target_domain FROM alias_domain WHERE alias_domain = '%d')
+  )
+  AS transport_view;
+EOF
+
+cat <<EOF > /opt/postfix/conf/sql/mysql_sasl_passwd_maps.cf
+user = ${DBUSER}
+password = ${DBPASS}
+hosts = mysql
+dbname = ${DBNAME}
+query = SELECT CONCAT_WS(':', username, password) AS auth_data FROM relayhosts WHERE id IN (SELECT relayhost FROM domain WHERE CONCAT('@', domain) = '%s');
 EOF
 
 cat <<EOF > /opt/postfix/conf/sql/mysql_virtual_alias_domain_catchall_maps.cf
@@ -110,6 +124,5 @@ if [[ $? != 0 ]]; then
 	exit 1
 else
 	postfix -c /opt/postfix/conf start
-	supervisorctl restart postfix-maillog
 	sleep 126144000
 fi
diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf
index 82bfae85..fe6fd3ab 100644
--- a/data/conf/postfix/main.cf
+++ b/data/conf/postfix/main.cf
@@ -39,11 +39,11 @@ postscreen_greet_ttl = 2d
 postscreen_greet_wait = 3s
 postscreen_non_smtp_command_enable = no
 postscreen_pipelining_enable = no
-proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
+proxy_read_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf, proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps.cf, proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
 queue_run_delay = 300s
 relay_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf
 relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
-sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_out_policy.cf
+sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sender_dependent_default_transport_maps.cf
 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
 smtp_tls_cert_file = /etc/ssl/mail/cert.pem
 smtp_tls_key_file = /etc/ssl/mail/key.pem
@@ -94,3 +94,8 @@ mydestination = localhost.localdomain, localhost
 #content_filter=zeyple
 # Prefere IPv4, useful for v4-only envs
 smtp_address_preference = ipv4
+smtp_sender_dependent_authentication = yes
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps.cf
+smtp_sasl_security_options = 
+smtp_sasl_mechanism_filter = plain, login
diff --git a/data/web/admin.php b/data/web/admin.php
index 284bf31b..bb53e61e 100644
--- a/data/web/admin.php
+++ b/data/web/admin.php
@@ -121,6 +121,18 @@ $tfa_data = get_tfa();
 
 
   <div role="tabpanel" class="tab-pane" id="tab-config">
+    <div class="row">
+    <div class="col-sm-2 hidden-xs">
+      <div id="scrollbox" class="list-group">
+        <a href="#dkim" class="list-group-item"><?=$lang['admin']['dkim_keys'];?></a>
+        <a href="#fwdhosts" class="list-group-item"><?=$lang['admin']['forwarding_hosts'];?></a>
+        <a href="#f2bparams" class="list-group-item"><?=$lang['admin']['f2b_parameters'];?></a>
+        <a href="#relayhosts" class="list-group-item">Relayhosts</a>
+        <a href="#top" class="list-group-item" style="border-top:1px dashed #dadada">↸ <?=$lang['admin']['to_top'];?></a>
+      </div>
+    </div>
+    <div class="col-sm-10">
+    <span class="anchor" id="dkim"></span>
     <div class="panel panel-default">
       <div class="panel-heading"><?=$lang['admin']['dkim_keys'];?></div>
       <div class="panel-body">
@@ -254,6 +266,7 @@ XYZ
       </div>
     </div>
 
+    <span class="anchor" id="fwdhosts"></span>
     <div class="panel panel-default">
       <div class="panel-heading"><?=$lang['admin']['forwarding_hosts'];?></div>
       <div class="panel-body">
@@ -291,6 +304,7 @@ XYZ
       </div>
     </div>
 
+    <span class="anchor" id="f2bparams"></span>
     <div class="panel panel-default">
       <div class="panel-heading"><?=$lang['admin']['f2b_parameters'];?></div>
       <div class="panel-body">
@@ -318,6 +332,48 @@ XYZ
         </form>
       </div>
     </div>
+
+    <span class="anchor" id="relayhosts"></span>
+    <div class="panel panel-default">
+      <div class="panel-heading">Relayhosts</div>
+      <div class="panel-body">
+        <p style="margin-bottom:40px"><?=$lang['admin']['relayhosts_hint'];?></p>
+        <div class="table-responsive">
+          <table class="table table-striped table-condensed" id="relayhoststable"></table>
+        </div>
+        <div class="mass-actions-admin">
+          <div class="btn-group btn-group-sm">
+            <button type="button" id="toggle_multi_select_all" data-id="rlyhosts" class="btn btn-default"><?=$lang['mailbox']['toggle_all'];?></button>
+            <a class="btn btn-sm btn-default dropdown-toggle" data-toggle="dropdown" href="#"><?=$lang['mailbox']['quick_actions'];?> <span class="caret"></span></a>
+            <ul class="dropdown-menu">
+              <li><a id="edit_selected" data-id="rlyhosts" data-api-url='edit/relayhost' data-api-attr='{"active":"1"}' href="#"><?=$lang['mailbox']['activate'];?></a></li>
+              <li><a id="edit_selected" data-id="rlyhosts" data-api-url='edit/relayhost' data-api-attr='{"active":"0"}' href="#"><?=$lang['mailbox']['deactivate'];?></a></li>
+              <li role="separator" class="divider"></li>
+              <li><a id="delete_selected" data-id="rlyhosts" data-api-url='delete/relayhost' href="#"><?=$lang['admin']['remove'];?></a></li>
+            </ul>
+          </div>
+        </div>
+        <legend><?=$lang['admin']['add_relayhost'];?></legend>
+        <p class="help-block"><?=$lang['admin']['add_relayhost_add_hint'];?></p>
+        <form class="form-inline" data-id="rlyhost" role="form" method="post">
+          <div class="form-group">
+            <label for="hostname"><?=$lang['admin']['host'];?></label>
+            <input class="form-control" id="hostname" name="hostname" required>
+          </div>
+          <div class="form-group">
+            <label for="hostname"><?=$lang['admin']['username'];?></label>
+            <input class="form-control" id="username" name="username">
+          </div>
+          <div class="form-group">
+            <label for="hostname"><?=$lang['admin']['password'];?></label>
+            <input class="form-control" id="password" name="password">
+          </div>
+          <button class="btn btn-default" id="add_item" data-id="rlyhost" data-api-url='add/relayhost' data-api-attr='{}' href="#"><span class="glyphicon glyphicon-plus"></span> <?=$lang['admin']['add'];?></button>
+        </form>
+      </div>
+    </div>
+  </div>
+  </div>
   </div>
 
   <div role="tabpanel" class="tab-pane" id="tab-postfix-logs">
diff --git a/data/web/css/admin.css b/data/web/css/admin.css
index 7f8897a0..aa07d7a3 100644
--- a/data/web/css/admin.css
+++ b/data/web/css/admin.css
@@ -41,4 +41,15 @@ body.modal-open {
   -moz-transform:rotateX(180deg);
   -webkit-transform:rotateX(180deg);
   transform:rotateX(180deg);
-}
\ No newline at end of file
+}
+.anchor {
+  display: block;
+  height: 65px;
+  margin-top: -65px;
+  visibility: hidden;
+}
+.scrollboxFixed {
+  position: fixed;
+  top: 65px;
+  z-index: 1;
+}
diff --git a/data/web/edit.php b/data/web/edit.php
index 1f250535..eb0eb375 100644
--- a/data/web/edit.php
+++ b/data/web/edit.php
@@ -138,6 +138,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 			$domain = $_GET["domain"];
       $result = mailbox('get', 'domain_details', $domain);
       $rl = mailbox('get', 'domain_ratelimit', $domain);
+      $rlyhosts = relayhost('get');
 			if (!empty($result)) {
 			?>
 				<h4><?=$lang['edit']['domain'];?></h4>
@@ -178,6 +179,21 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 							<input type="number" class="form-control" name="quota" id="quota" value="<?=intval($result['max_quota_for_domain'] / 1048576);?>">
 						</div>
 					</div>
+					<div class="form-group">
+						<label class="control-label col-sm-2" for="quota">Relayhost</label>
+						<div class="col-sm-10">
+              <select name="relayhost" id="relayhost" class="form-control">
+                <?php
+                foreach ($rlyhosts as $rlyhost) {
+                ?>
+                <option value="<?=$rlyhost['id'];?>" <?=($result['relayhost'] == $rlyhost['id']) ? 'selected' : null;?>>ID <?=$rlyhost['id'];?>: <?=$rlyhost['hostname'];?> (<?=$rlyhost['username'];?>)</option>
+                <?php
+                }
+                ?>
+                <option value="" <?=($result['relayhost'] == "0") ? 'selected' : null;?>>None</option>
+              </select>
+            </div>
+					</div>
 					<div class="form-group">
 						<label class="control-label col-sm-2"><?=$lang['edit']['backup_mx_options'];?></label>
 						<div class="col-sm-10">
diff --git a/data/web/inc/functions.mailbox.inc.php b/data/web/inc/functions.mailbox.inc.php
index c81f3a88..3f302783 100644
--- a/data/web/inc/functions.mailbox.inc.php
+++ b/data/web/inc/functions.mailbox.inc.php
@@ -260,8 +260,8 @@ function mailbox($_action, $_type, $_data = null) {
             return false;
           }
           try {
-            $stmt = $pdo->prepare("INSERT INTO `domain` (`domain`, `description`, `aliases`, `mailboxes`, `maxquota`, `quota`, `transport`, `backupmx`, `active`, `relay_all_recipients`)
-              VALUES (:domain, :description, :aliases, :mailboxes, :maxquota, :quota, 'virtual', :backupmx, :active, :relay_all_recipients)");
+            $stmt = $pdo->prepare("INSERT INTO `domain` (`domain`, `description`, `aliases`, `mailboxes`, `maxquota`, `quota`, `backupmx`, `active`, `relay_all_recipients`)
+              VALUES (:domain, :description, :aliases, :mailboxes, :maxquota, :quota, :backupmx, :active, :relay_all_recipients)");
             $stmt->execute(array(
               ':domain' => $domain,
               ':description' => $description,
@@ -1441,6 +1441,7 @@ function mailbox($_action, $_type, $_data = null) {
                 $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
                 $backupmx             = (isset($_data['backupmx'])) ? intval($_data['backupmx']) : $is_now['backupmx_int'];
                 $relay_all_recipients = (isset($_data['relay_all_recipients'])) ? intval($_data['relay_all_recipients']) : $is_now['relay_all_recipients_int'];
+                $relayhost            = (isset($_data['relayhost'])) ? intval($_data['relayhost']) : $is_now['relayhost'];
                 $aliases              = (!empty($_data['aliases'])) ? $_data['aliases'] : $is_now['max_num_aliases_for_domain'];
                 $mailboxes            = (!empty($_data['mailboxes'])) ? $_data['mailboxes'] : $is_now['max_num_mboxes_for_domain'];
                 $maxquota             = (!empty($_data['maxquota'])) ? $_data['maxquota'] : ($is_now['max_quota_for_mbox'] / 1048576);
@@ -1531,6 +1532,7 @@ function mailbox($_action, $_type, $_data = null) {
                 `active` = :active,
                 `quota` = :quota,
                 `maxquota` = :maxquota,
+                `relayhost` = :relayhost,
                 `mailboxes` = :mailboxes,
                 `aliases` = :aliases,
                 `description` = :description
@@ -1541,6 +1543,7 @@ function mailbox($_action, $_type, $_data = null) {
                   ':active' => $active,
                   ':quota' => $quota,
                   ':maxquota' => $maxquota,
+                  ':relayhost' => $relayhost,
                   ':mailboxes' => $mailboxes,
                   ':aliases' => $aliases,
                   ':description' => $description,
@@ -2470,7 +2473,7 @@ function mailbox($_action, $_type, $_data = null) {
               ':domain' => $_data
             ));
             $row = $stmt->fetch(PDO::FETCH_ASSOC);
-            if (!empty($row)) { 
+            if (!empty($row)) {
               $_data = $row['target_domain'];
             }
             $stmt = $pdo->prepare("SELECT 
@@ -2480,6 +2483,7 @@ function mailbox($_action, $_type, $_data = null) {
                 `mailboxes`, 
                 `maxquota`,
                 `quota`,
+                `relayhost`,
                 `relay_all_recipients` as `relay_all_recipients_int`,
                 `backupmx` as `backupmx_int`,
                 `active` as `active_int`,
@@ -2514,6 +2518,7 @@ function mailbox($_action, $_type, $_data = null) {
             $domaindata['max_num_mboxes_for_domain'] = $row['mailboxes'];
             $domaindata['max_quota_for_mbox'] = $row['maxquota'] * 1048576;
             $domaindata['max_quota_for_domain'] = $row['quota'] * 1048576;
+            $domaindata['relayhost'] = $row['relayhost'];
             $domaindata['backupmx'] = $row['backupmx'];
             $domaindata['backupmx_int'] = $row['backupmx_int'];
             $domaindata['active'] = $row['active'];
diff --git a/data/web/inc/functions.relayhost.inc.php b/data/web/inc/functions.relayhost.inc.php
new file mode 100644
index 00000000..249dacc3
--- /dev/null
+++ b/data/web/inc/functions.relayhost.inc.php
@@ -0,0 +1,179 @@
+<?php
+function relayhost($_action, $_data = null) {
+	global $pdo;
+	global $lang;
+  switch ($_action) {
+    case 'add':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      $hostname = trim($_data['hostname']);
+      $username = str_replace(':', '\:', trim($_data['username']));
+      $password = str_replace(':', '\:', trim($_data['password']));
+      if (empty($hostname)) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'Invalid host specified: '. htmlspecialchars($host)
+        );
+        return false;
+      }
+      try {
+        $stmt = $pdo->prepare("INSERT INTO `relayhosts` (`hostname`, `username` ,`password`, `active`)
+          VALUES (:hostname, :username, :password, :active)");
+        $stmt->execute(array(
+          ':hostname' => $hostname,
+          ':username' => $username,
+          ':password' => $password,
+          ':active' => '1'
+        ));
+      }
+      catch (PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+        return false;
+      }
+      $_SESSION['return'] = array(
+        'type' => 'success',
+        'msg' => sprintf($lang['success']['relayhost_added'], htmlspecialchars(implode(', ', $hosts)))
+      );
+    break;
+    case 'edit':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      $ids = (array)$_data['id'];
+      foreach ($ids as $id) {
+        $is_now = relayhost('details', $id);
+        if (!empty($is_now)) {
+          $hostname = (!empty($_data['hostname'])) ? trim($_data['hostname']) : $is_now['hostname'];
+          $username = (!empty($_data['username'])) ? trim($_data['username']) : $is_now['username'];
+          $password = (!empty($_data['password'])) ? trim($_data['password']) : $is_now['password'];
+          $active   = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active_int'];
+        }
+        else {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'Relayhost invalid'
+          );
+          return false;
+        }
+        try {
+          $stmt = $pdo->prepare("UPDATE `relayhosts` SET
+            `hostname` = :hostname,
+            `username` = :username,
+            `password` = :password,
+            `active` = :active
+              WHERE `id` = :id");
+          $stmt->execute(array(
+            ':id' => $id,
+            ':hostname' => $hostname,
+            ':username' => $username,
+            ':password' => $password,
+            ':active' => $active
+          ));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'MySQL: '.$e
+          );
+          return false;
+        }
+      }
+      $_SESSION['return'] = array(
+        'type' => 'success',
+        'msg' => sprintf($lang['success']['object_modified'], htmlspecialchars(implode(', ', $hostnames)))
+      );
+    break;
+    case 'delete':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => sprintf($lang['danger']['access_denied'])
+        );
+        return false;
+      }
+      $ids = (array)$_data['id'];
+      foreach ($ids as $id) {
+        try {
+          $stmt = $pdo->prepare("DELETE FROM `relayhosts` WHERE `id`= :id");
+          $stmt->execute(array(':id' => $id));
+          $stmt = $pdo->prepare("UPDATE `domain` SET `relayhost` = '0' WHERE `relayhost`= :id");
+          $stmt->execute(array(':id' => $id));
+        }
+        catch (PDOException $e) {
+          $_SESSION['return'] = array(
+            'type' => 'danger',
+            'msg' => 'MySQL: '.$e
+          );
+          return false;
+        }
+      }
+      $_SESSION['return'] = array(
+        'type' => 'success',
+        'msg' => sprintf($lang['success']['relayhost_removed'], htmlspecialchars(implode(', ', $hostnames)))
+      );
+    break;
+    case 'get':
+      if ($_SESSION['mailcow_cc_role'] != "admin") {
+        return false;
+      }
+      $relayhosts = array();
+      try {
+        $stmt = $pdo->query("SELECT `id`, `hostname`, `username` FROM `relayhosts`");
+        $relayhosts = $stmt->fetchAll(PDO::FETCH_ASSOC);
+      }
+      catch(PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+      }
+      return $relayhosts;
+    break;
+    case 'details':
+      if ($_SESSION['mailcow_cc_role'] != "admin" || !isset($_data)) {
+        return false;
+      }
+      $relayhostdata = array();
+      try {
+        $stmt = $pdo->prepare("SELECT `id`,
+          `hostname`,
+          `username`,
+          `password`,
+          `active` AS `active_int`,
+          CONCAT(LEFT(`password`, 3), '...') AS `password_short`,
+          CASE `active` WHEN 1 THEN '".$lang['mailbox']['yes']."' ELSE '".$lang['mailbox']['no']."' END AS `active`
+            FROM `relayhosts`
+              WHERE `id` = :id");
+        $stmt->execute(array(':id' => $_data));
+        $relayhostdata = $stmt->fetch(PDO::FETCH_ASSOC);
+
+        if (!empty($relayhostdata)) {
+          $stmt = $pdo->prepare("SELECT GROUP_CONCAT(`domain` SEPARATOR ', ') AS `used_by_domains` FROM `domain` WHERE `relayhost` = :id");
+          $stmt->execute(array(':id' => $_data));
+          $used_by_domains = $stmt->fetch(PDO::FETCH_ASSOC)['used_by_domains'];
+          $used_by_domains = (empty($used_by_domains)) ? '' : $used_by_domains;
+          $relayhostdata['used_by_domains'] = $used_by_domains;
+        }
+      }
+      catch(PDOException $e) {
+        $_SESSION['return'] = array(
+          'type' => 'danger',
+          'msg' => 'MySQL: '.$e
+        );
+      }
+      return $relayhostdata;
+    break;
+  }
+}
\ No newline at end of file
diff --git a/data/web/inc/header.inc.php b/data/web/inc/header.inc.php
index 533711de..98d42ef1 100644
--- a/data/web/inc/header.inc.php
+++ b/data/web/inc/header.inc.php
@@ -29,7 +29,7 @@
 <link rel="shortcut icon" href="/favicon.png" type="image/png">
 <link rel="icon" href="/favicon.png" type="image/png">
 </head>
-<body style="padding-top: 70px;">
+<body style="padding-top: 70px;" id="top">
 <nav class="navbar navbar-default navbar-fixed-top" role="navigation">
   <div class="container-fluid">
     <div class="navbar-header">
diff --git a/data/web/inc/init_db.inc.php b/data/web/inc/init_db.inc.php
index a429efa8..0940ca18 100644
--- a/data/web/inc/init_db.inc.php
+++ b/data/web/inc/init_db.inc.php
@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "18052017_1017";
+    $db_version = "20072107_1029";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'"); 
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -60,6 +60,24 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "relayhosts" => array(
+        "cols" => array(
+          "id" => "INT NOT NULL AUTO_INCREMENT",
+          "hostname" => "VARCHAR(255) NOT NULL",
+          "username" => "VARCHAR(255) NOT NULL",
+          "password" => "VARCHAR(255) NOT NULL",
+          "active" => "TINYINT(1) NOT NULL DEFAULT '1'"
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("id")
+          ),
+          "key" => array(
+            "hostname" => array("hostname")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "alias" => array(
         "cols" => array(
           "address" => "VARCHAR(255) NOT NULL",
@@ -95,7 +113,7 @@ function init_db_schema() {
           "mailboxes" => "INT(10) NOT NULL DEFAULT '0'",
           "maxquota" => "BIGINT(20) NOT NULL DEFAULT '0'",
           "quota" => "BIGINT(20) NOT NULL DEFAULT '102400'",
-          "transport" => "VARCHAR(255) NOT NULL",
+          "relayhost" => "VARCHAR(255) NOT NULL DEFAULT '0'",
           "backupmx" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "relay_all_recipients" => "TINYINT(1) NOT NULL DEFAULT '0'",
           "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
diff --git a/data/web/inc/prerequisites.inc.php b/data/web/inc/prerequisites.inc.php
index ebc453f8..e92a91fc 100644
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@@ -65,6 +65,7 @@ require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.domain_admin.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.policy.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.dkim.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.fwdhost.inc.php';
+require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.relayhost.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.fail2ban.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/init_db.inc.php';
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/triggers.inc.php';
diff --git a/data/web/js/admin.js b/data/web/js/admin.js
index 371b287f..9676bd5a 100644
--- a/data/web/js/admin.js
+++ b/data/web/js/admin.js
@@ -328,6 +328,44 @@ jQuery(function($){
       }
     });
   }
+  function draw_relayhosts() {
+    ft_forwardinghoststable = FooTable.init('#relayhoststable', {
+      "columns": [
+        {"name":"chkbox","title":"","style":{"maxWidth":"40px","width":"40px"},"filterable": false,"sortable": false,"type":"html"},
+        {"name":"id","type":"text","title":"ID","style":{"width":"50px"}},
+        {"name":"hostname","type":"text","title":lang.host,"style":{"width":"250px"}},
+        {"name":"username","title":lang.username,"breakpoints":"xs sm"},
+        {"name":"used_by_domains","title":lang.in_use_by, "type": "text","breakpoints":"xs sm"},
+        {"name":"active","filterable": false,"style":{"maxWidth":"80px","width":"80px"},"title":lang.active},
+        {"name":"action","filterable": false,"sortable": false,"style":{"text-align":"right","maxWidth":"180px","width":"180px"},"type":"html","title":lang.action,"breakpoints":"xs sm"}
+      ],
+      "rows": $.ajax({
+        dataType: 'json',
+        url: '/api/v1/get/relayhost/all',
+        jsonp: false,
+        error: function () {
+          console.log('Cannot draw forwarding hosts table');
+        },
+        success: function (data) {
+          $.each(data, function (i, item) {
+            item.action = '<div class="btn-group">' +
+              '<a href="#" id="delete_selected" data-id="single-rlshost" data-api-url="delete/relayhost" data-item="' + encodeURI(item.id) + '" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> ' + lang.remove + '</a>' +
+              '</div>';
+            item.chkbox = '<input type="checkbox" data-id="rlyhosts" name="multi_select" value="' + item.id + '" />';
+          });
+        }
+      }),
+      "empty": lang.empty,
+      "paging": {
+        "enabled": true,
+        "limit": 5,
+        "size": log_pagination_size
+      },
+      "sorting": {
+        "enabled": true
+      }
+    });
+  }
   function draw_rspamd_history() {
     ft_postfix_logs = FooTable.init('#rspamd_history', {
       "columns": [{
@@ -504,5 +542,20 @@ jQuery(function($){
   draw_fail2ban_logs();
   draw_domain_admins();
   draw_fwd_hosts();
+  draw_relayhosts();
   draw_rspamd_history();
+});
+
+$(window).load(function(){
+  width = $("#scrollbox").width();
+  $(window).bind('scroll', function() {
+    if ($(window).scrollTop() > 70) {
+      $('#scrollbox').addClass('scrollboxFixed');
+      $("#scrollbox").css("width", width);
+    } else {
+      width = $("#scrollbox").width();
+      $('#scrollbox').removeClass('scrollboxFixed');
+      $("#scrollbox").removeAttr("style");
+    }
+  });
 });
\ No newline at end of file
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 56d4e741..71db6806 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -60,6 +60,39 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
+          case "relayhost":
+            if (isset($_POST['attr'])) {
+              $attr = (array)json_decode($_POST['attr'], true);
+              if (relayhost('add', $attr) === false) {
+                if (isset($_SESSION['return'])) {
+                  echo json_encode($_SESSION['return']);
+                }
+                else {
+                  echo json_encode(array(
+                    'type' => 'error',
+                    'msg' => 'Cannot add item'
+                  ));
+                }
+              }
+              else {
+                if (isset($_SESSION['return'])) {
+                  echo json_encode($_SESSION['return']);
+                }
+                else {
+                  echo json_encode(array(
+                    'type' => 'success',
+                    'msg' => 'Task completed'
+                  ));
+                }
+              }
+            }
+            else {
+              echo json_encode(array(
+                'type' => 'error',
+                'msg' => 'Cannot find attributes in post data'
+              ));
+            }
+          break;
           case "mailbox":
             if (isset($_POST['attr'])) {
               $attr = (array)json_decode($_POST['attr'], true);
@@ -496,6 +529,42 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               break;
             }
           break;
+          case "relayhost":
+            switch ($object) {
+              case "all":
+                $relayhosts = relayhost('get');
+                if (!empty($relayhosts)) {
+                  foreach ($relayhosts as $relayhost) {
+                    if ($details = relayhost('details', $relayhost['id'])) {
+                      $data[] = $details;
+                    }
+                    else {
+                      continue;
+                    }
+                  }
+                  if (!isset($data) || empty($data)) {
+                    echo '{}';
+                  }
+                  else {
+                    echo json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
+                  }
+                }
+                else {
+                  echo '{}';
+                }
+              break;
+
+              default:
+                $data = relayhost('details', $object);
+                if (!isset($data) || empty($data)) {
+                  echo '{}';
+                }
+                else {
+                  echo json_encode($data, JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT);
+                }
+              break;
+            }
+          break;
           case "logs":
             switch ($object) {
               case "dovecot":
@@ -930,6 +999,47 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
+          case "relayhost":
+            if (isset($_POST['items'])) {
+              $items = (array)json_decode($_POST['items'], true);
+              if (is_array($items)) {
+                if (relayhost('delete', array('id' => $items)) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Deletion of items/s failed'
+                    ));
+                  }
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Cannot find id array in post data'
+                ));
+              }
+            }
+            else {
+              echo json_encode(array(
+                'type' => 'error',
+                'msg' => 'Cannot find items in post data'
+              ));
+            }
+          break;
           case "syncjob":
             if (isset($_POST['items'])) {
               $items = (array)json_decode($_POST['items'], true);
@@ -1470,6 +1580,50 @@ if (isset($_SESSION['mailcow_cc_role']) || isset($_SESSION['pending_mailcow_cc_u
               ));
             }
           break;
+          case "relayhost":
+            if (isset($_POST['items']) && isset($_POST['attr'])) {
+              $items = (array)json_decode($_POST['items'], true);
+              $attr = (array)json_decode($_POST['attr'], true);
+              $postarray = array_merge(array('id' => $items), $attr);
+              if (is_array($postarray['id'])) {
+                if (relayhost('edit', $postarray) === false) {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'error',
+                      'msg' => 'Edit failed'
+                    ));
+                  }
+                  exit();
+                }
+                else {
+                  if (isset($_SESSION['return'])) {
+                    echo json_encode($_SESSION['return']);
+                  }
+                  else {
+                    echo json_encode(array(
+                      'type' => 'success',
+                      'msg' => 'Task completed'
+                    ));
+                  }
+                }
+              }
+              else {
+                echo json_encode(array(
+                  'type' => 'error',
+                  'msg' => 'Incomplete post data'
+                ));
+              }
+            }
+            else {
+              echo json_encode(array(
+                'type' => 'error',
+                'msg' => 'Incomplete post data'
+              ));
+            }
+          break;
           case "delimiter_action":
             if (isset($_POST['items']) && isset($_POST['attr'])) {
               $items = (array)json_decode($_POST['items'], true);
diff --git a/data/web/lang/lang.de.php b/data/web/lang/lang.de.php
index eef13b3f..893f3d04 100644
--- a/data/web/lang/lang.de.php
+++ b/data/web/lang/lang.de.php
@@ -485,13 +485,20 @@ $lang['admin']['time'] = 'Zeit';
 $lang['admin']['priority'] = 'Gewichtung';
 $lang['admin']['refresh'] = 'Neu laden';
 $lang['admin']['logs'] = 'Logs';
+$lang['admin']['to_top'] = 'Nach oben';
+$lang['admin']['in_use_by'] = 'Verwendet von';
 $lang['admin']['message'] = 'Nachricht';
 $lang['admin']['forwarding_hosts'] = 'Weiterleitungs-Hosts';
 $lang['admin']['forwarding_hosts_hint'] = 'Eingehende Nachrichten werden von den hier gelisteten Hosts bedingungslos akzeptiert. Diese Hosts werden dann nicht mit DNSBLs abgeglichen oder Greylisting unterworfen. Von ihnen empfangener Spam wird nie abgelehnt, optional kann er aber in den Spam-Ordner einsortiert werden. Die übliche Verwendung für diese Funktion ist, um Mailserver anzugeben, auf denen eine Weiterleitung zu Ihrem mailcow-Server eingerichtet wurde.';
 $lang['admin']['forwarding_hosts_add_hint'] = 'Sie können entweder IPv4/IPv6-Adressen, Netzwerke in CIDR-Notation, Hostnamen (die zu IP-Adressen aufgelöst werden), oder Domainnamen (die zu IP-Adressen aufgelöst werden, indem ihr SPF-Record abgefragt wird oder, in dessen Abwesenheit, ihre MX-Records) angeben.';
+$lang['admin']['relayhosts_hint'] = 'Erstellen Sie Relayhosts, um diese im Einstellungsdialog einer Domain auszuwählen.';
+$lang['admin']['add_relayhost_add_hint'] = 'Bitte beachten Sie, dass Relayhost Anmeldedaten im Klartext gespeichert werden.';
 $lang['admin']['host'] = 'Host';
 $lang['admin']['source'] = 'Quelle';
 $lang['admin']['add_forwarding_host'] = 'Weiterleitungs-Host hinzufügen';
+$lang['admin']['add_relayhost'] = 'Relayhost hinzufügen';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warnung:</b> Sie entfernen den Weiterleitungs-Host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Weiterleitungs-Host %s wurde entfernt";
 $lang['success']['forwarding_host_added'] = "Weiterleitungs-Host %s wurde hinzugefügt";
+$lang['success']['relayhost_removed'] = "Relayhost %s wurde entfernt";
+$lang['success']['relayhost_added'] = "Relayhost %s wurde hinzugefügt";
diff --git a/data/web/lang/lang.en.php b/data/web/lang/lang.en.php
index 3be72fec..f7af1b32 100644
--- a/data/web/lang/lang.en.php
+++ b/data/web/lang/lang.en.php
@@ -498,13 +498,20 @@ $lang['admin']['time'] = 'Time';
 $lang['admin']['priority'] = 'Priority';
 $lang['admin']['message'] = 'Message';
 $lang['admin']['refresh'] = 'Refresh';
+$lang['admin']['to_top'] = 'Back to top';
+$lang['admin']['in_use_by'] = 'In use by';
 $lang['admin']['logs'] = 'Logs';
 $lang['admin']['forwarding_hosts'] = 'Forwarding Hosts';
 $lang['admin']['forwarding_hosts_hint'] = 'Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected, but optionally it can be filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your mailcow server.';
 $lang['admin']['forwarding_hosts_add_hint'] = 'You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).';
+$lang['admin']['relayhosts_hint'] = 'Define relayhosts here to be able to select them in a domains configuration dialog.';
+$lang['admin']['add_relayhost_add_hint'] = 'Please be aware that relayhost authentication data will be stored as plain text.';
 $lang['admin']['host'] = 'Host';
 $lang['admin']['source'] = 'Source';
 $lang['admin']['add_forwarding_host'] = 'Add Forwarding Host';
+$lang['admin']['add_relayhost'] = 'Add Relayhost';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warning:</b> You are about to remove the forwarding host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Forwarding host %s has been removed";
 $lang['success']['forwarding_host_added'] = "Forwarding host %s has been added";
+$lang['success']['relayhost_removed'] = "Relayhost %s has been removed";
+$lang['success']['relayhost_added'] = "Relayhost %s has been added";
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 04c81a56..1a38afbd 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -201,7 +201,7 @@ services:
             - dovecot
 
     postfix-mailcow:
-      image: mailcow/postfix:1.2
+      image: mailcow/postfix:1.3
       build: ./data/Dockerfiles/postfix
       depends_on:
         unbound-mailcow: