Jan(moo)uary Update 2022 - Revision A (2022-01a) (#4445)

* [API] Fix minor issue in api docs

* [GH-Actions][stale] Add neverstale label to exempt list

* [Web] add github version tag

* [Web] add github version tag error handling

* Passwordless SOGo auth: support for calendar invitations and calendar/contacts subscriptions

Inviting someone to a calendar event triggers a request to /SOGo/so/otheruser@example.com/freebusy.ifb/ajaxRead. Subscribing to someone's calendar/contacts triggers a request to /SOGo/so/otheruser@example.com/foldersSearch. The email address in the URL is different from the logged-in user, which needs to be handled appropriately by sogo-auth.php.

* [Web] add github version tag - adjust css

* [Compose] Update SOGo Autoreply Schedule to 5m

Based on the advice of inverse (SOGo developer). Thanks to https://github.com/jmber

Closes: https://github.com/mailcow/mailcow-dockerized/issues/4436

* [Web] add github version tag - move twig globals

* [Web] add github version tag - missing </div>

* Passwordless SOGo auth: improvements for when accessing other users

* [WebAuthn] fido2 passwordless auth - fix (#4440)

* [WebAuthn] fido2 revert

* [WebAuthn] set UV flags to 'discouraged'

* [WebAuthn] revert - set UV flags to 'discouraged'

Co-authored-by: ntimo <git@nowitzki.me>
Co-authored-by: Peter <magic@kthx.at>
Co-authored-by: FreddleSpl0it <patschul@posteo.de>
Co-authored-by: FreddleSpl0it <75116288+FreddleSpl0it@users.noreply.github.com>
Co-authored-by: Michael Kuron <mkuron@users.noreply.github.com>

.github/workflows/close_old_issues_and_prs.yml

@@ -25,10 +25,11 @@ jobs:
           stale-pr-message: >
             This pull request has been automatically marked as stale because it has not had
             recent activity. It will be closed if no further activity occurs.
-          exempt-issue-labels: "pinned,security,enhancement,investigating"
-          exempt-pr-labels: "pinned,security,enhancement,investigating"
+          exempt-issue-labels: "pinned,security,enhancement,investigating,neverstale"
+          exempt-pr-labels: "pinned,security,enhancement,investigating,neverstale"
           stale-issue-label: "stale"
           stale-pr-label: "stale"
+          exempt-draft-pr: "true"
           operations-per-run: "250"
           ascending: "true"
           #DRY-RUN

.gitignore

@@ -56,6 +56,7 @@ data/web/templates/cache/*
 data/web/.well-known/acme-challenge
 data/web/css/build/0081-custom-mailcow.css
 data/web/inc/vars.local.inc.php
+data/web/inc/app_info.inc.php
 data/web/nextcloud*/
 data/web/rc*/
 docker-compose.override.yml

README.md

@@ -1,5 +1,6 @@
 # mailcow: dockerized - 🐮 + 🐋 = 💕
 [![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
+[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email)
 
 ## Want to support mailcow?
 
@@ -23,6 +24,8 @@ Please see [the official documentation](https://mailcow.github.io/mailcow-docker
 
 [Telegram mailcow Off-Topic channel](https://t.me/mailcowOfftopic)
 
+[Official Twitter Account](https://twitter.com/mailcow_email)
+
 Telegram desktop clients are available for [multiple platforms](https://desktop.telegram.org). You can search the groups history for keywords.
 
 ## Misc

data/Dockerfiles/acme/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 

data/Dockerfiles/acme/obtain-certificate.sh

@@ -80,7 +80,7 @@ fi
 printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
 printf "DNS:%s," "${CERT_DOMAINS[@]}" >> /tmp/_SAN
 sed -i '$s/,$//' /tmp/_SAN
-openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf /tmp/_SAN) > ${CSR}
+openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat "$(openssl version -d | sed 's/.*"\(.*\)"/\1/g')/openssl.cnf" /tmp/_SAN) > ${CSR}
 
 # acme-tiny writes info to stderr and ceritifcate to stdout
 # The redirects will do the following:

data/Dockerfiles/clamd/Dockerfile

@@ -1,8 +1,8 @@
-FROM debian:buster-slim
+FROM debian:bullseye-slim
 
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
 
-ARG CLAMAV=0.103.4
+ARG CLAMAV=0.103.5
 RUN apt-get update && apt-get install -y --no-install-recommends \
   ca-certificates \
   zlib1g-dev \
@@ -23,7 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
   dos2unix \
   netcat \
   && rm -rf /var/lib/apt/lists/* \
-  && wget -O - https://fossies.org/linux/misc/clamav-${CLAMAV}.tar.gz | tar xfvz - \
+  && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \
   && cd clamav-${CLAMAV} \
   && ./configure \
   --prefix=/usr \

data/Dockerfiles/dockerapi/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 

data/Dockerfiles/dovecot/Dockerfile

@@ -2,7 +2,7 @@ FROM debian:buster-slim
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DOVECOT=2.3.17
+ARG DOVECOT=2.3.17.1
 ENV LC_ALL C
 ENV GOSU_VERSION 1.12
 

data/Dockerfiles/netfilter/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
 ENV XTABLES_LIBDIR /usr/lib/xtables
@@ -13,10 +13,11 @@ RUN apk add --virtual .build-deps \
 && apk add -U python3 \
   iptables \
   ip6tables \
+  xtables-addons \
   tzdata \
   py3-pip \
   musl-dev \
-&& pip3 install --upgrade pip \
+&& pip3 install --ignore-installed --upgrade pip \
   python-iptables \
   redis \
   ipaddress \

data/Dockerfiles/olefy/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 
 WORKDIR /app
@@ -12,7 +12,7 @@ RUN apk add --virtual .build-deps gcc musl-dev python3-dev libffi-dev openssl-de
   && apk del .build-deps
 #  && sed -i 's/decompress_stream(bytearray(compressed_code))/bytes2str(decompress_stream(bytearray(compressed_code)))/g' /usr/lib/python3.8/site-packages/oletools/olevba.py
 
-ADD https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py /app/
+ADD olefy.py /app/
 
 RUN chown -R nobody:nobody /app /tmp
 

data/Dockerfiles/olefy/olefy.py

@@ -0,0 +1,220 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# Copyright (c) 2020, Dennis Kalbhen <d.kalbhen@heinlein-support.de>
+# Copyright (c) 2020, Carsten Rosenberg <c.rosenberg@heinlein-support.de>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+###
+#
+#  olefy is a little helper socket to use oletools with rspamd. (https://rspamd.com)
+#  Please find updates and issues here: https://github.com/HeinleinSupport/olefy
+#
+###
+
+from subprocess import Popen, PIPE
+import sys
+import os
+import logging
+import asyncio
+import time
+import magic
+import re
+
+# merge variables from /etc/olefy.conf and the defaults
+olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
+olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
+olefy_tmp_dir = os.getenv('OLEFY_TMPDIR', '/tmp')
+olefy_python_path = os.getenv('OLEFY_PYTHON_PATH', '/usr/bin/python3')
+olefy_olevba_path = os.getenv('OLEFY_OLEVBA_PATH', '/usr/local/bin/olevba3')
+# 10:DEBUG, 20:INFO, 30:WARNING, 40:ERROR, 50:CRITICAL
+olefy_loglvl = int(os.getenv('OLEFY_LOGLVL', 20))
+olefy_min_length = int(os.getenv('OLEFY_MINLENGTH', 500))
+olefy_del_tmp = int(os.getenv('OLEFY_DEL_TMP', 1))
+olefy_del_tmp_failed = int(os.getenv('OLEFY_DEL_TMP_FAILED', 1))
+
+# internal used variables
+request_time = '0000000000.000000'
+olefy_protocol = 'OLEFY'
+olefy_ping = 'PING'
+olefy_protocol_sep = '\n\n'
+olefy_headers = {}
+
+# init logging
+logger = logging.getLogger('olefy')
+logging.basicConfig(stream=sys.stdout, level=olefy_loglvl, format='olefy %(levelname)s %(funcName)s %(message)s')
+
+logger.debug('olefy listen address string: {} (type {})'.format(olefy_listen_addr_string, type(olefy_listen_addr_string)))
+
+if not olefy_listen_addr_string:
+    olefy_listen_addr = ""
+else:
+    addr_re = re.compile('[\[" \]]')
+    olefy_listen_addr = addr_re.sub('', olefy_listen_addr_string.replace("'", "")).split(',')
+
+# log runtime variables
+logger.info('olefy listen address: {} (type: {})'.format(olefy_listen_addr, type(olefy_listen_addr)))
+logger.info('olefy listen port: {}'.format(olefy_listen_port))
+logger.info('olefy tmp dir: {}'.format(olefy_tmp_dir))
+logger.info('olefy python path: {}'.format(olefy_python_path))
+logger.info('olefy olvba path: {}'.format(olefy_olevba_path))
+logger.info('olefy log level: {}'.format(olefy_loglvl))
+logger.info('olefy min file length: {}'.format(olefy_min_length))
+logger.info('olefy delete tmp file: {}'.format(olefy_del_tmp))
+logger.info('olefy delete tmp file when failed: {}'.format(olefy_del_tmp_failed))
+
+if not os.path.isfile(olefy_python_path):
+    logger.critical('python path not found: {}'.format(olefy_python_path))
+    exit(1)
+if not os.path.isfile(olefy_olevba_path):
+    logger.critical('olevba path not found: {}'.format(olefy_olevba_path))
+    exit(1)
+
+# olefy protocol function
+def protocol_split( olefy_line ):
+    header_lines = olefy_line.split('\n')
+    for line in header_lines:
+        if line == 'OLEFY/1.0':
+            olefy_headers['olefy'] = line
+        elif line != '':
+            kv = line.split(': ')
+            if kv[0] != '' and kv[1] != '':
+                olefy_headers[kv[0]] = kv[1]
+    logger.debug('olefy_headers: {}'.format(olefy_headers))
+
+# calling oletools
+def oletools( stream, tmp_file_name, lid ):
+    if olefy_min_length > stream.__len__():
+        logger.error('{} {} bytes (Not Scanning! File smaller than {!r})'.format(lid, stream.__len__(), olefy_min_length))
+        out = b'[ { "error": "File too small" } ]'
+    else:
+        tmp_file = open(tmp_file_name, 'wb')
+        tmp_file.write(stream)
+        tmp_file.close()
+
+        file_magic = magic.Magic(mime=True, uncompress=True)
+        file_mime = file_magic.from_file(tmp_file_name)
+        logger.info('{} {} (libmagic output)'.format(lid, file_mime))
+
+        # do the olefy
+        cmd_tmp = Popen([olefy_python_path, olefy_olevba_path, '-a', '-j' , '-l', 'error', tmp_file_name], stdout=PIPE, stderr=PIPE)
+        out, err = cmd_tmp.communicate()
+        out = bytes(out.decode('utf-8', 'ignore').replace('  ', ' ').replace('\t', '').replace('\n', '').replace('XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)', ''), encoding="utf-8")
+        failed = False
+        if out.__len__() < 30:
+            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode, 
+                out.decode('utf-8', 'ignore'), err.decode('utf-8', 'ignore')))
+            out = b'[ { "error": "Unhandled error - too short olevba response" } ]'
+            failed = True
+        elif err.__len__() > 10 and cmd_tmp.returncode == 9:
+            logger.error("{} olevba stderr >10 chars - rc: {!r}, response: {!r}".format(lid, cmd_tmp.returncode, err.decode("utf-8", "ignore")))
+            out = b'[ { "error": "Decrypt failed" } ]'
+            failed = True
+        elif err.__len__() > 10 and cmd_tmp.returncode > 9:
+            logger.error('{} olevba stderr >10 chars - rc: {!r}, response: {!r}'.format(lid, cmd_tmp.returncode, err.decode('utf-8', 'ignore')))
+            out = b'[ { "error": "Unhandled oletools error" } ]'
+            failed = True
+        elif cmd_tmp.returncode != 0:
+            logger.error('{} olevba exited with code {!r}; err: {!r}'.format(lid, cmd_tmp.returncode, err.decode('utf-8', 'ignore')))
+            failed = True
+
+        if failed and olefy_del_tmp_failed == 0:
+            logger.debug('{} {} FAILED: not deleting tmp file'.format(lid, tmp_file_name))
+        elif olefy_del_tmp == 1:
+            logger.debug('{} {} deleting tmp file'.format(lid, tmp_file_name))
+            os.remove(tmp_file_name)
+
+    logger.debug('{} response: {}'.format(lid, out.decode('utf-8', 'ignore')))
+    return out + b'\t\n\n\t'
+
+# Asyncio data handling, default AIO-Functions
+class AIO(asyncio.Protocol):
+    def __init__(self):
+        self.extra = bytearray()
+
+    def connection_made(self, transport):
+        global request_time
+        peer = transport.get_extra_info('peername')
+        logger.debug('{} new connection was made'.format(peer))
+        self.transport = transport
+        request_time = str(time.time())
+
+    def data_received(self, request, msgid=1):
+        peer = self.transport.get_extra_info('peername')
+        logger.debug('{} data received from new connection'.format(peer))
+        self.extra.extend(request)
+
+    def eof_received(self):
+        peer = self.transport.get_extra_info('peername')
+        olefy_protocol_err = False
+        proto_ck = self.extra[0:2000].decode('utf-8', 'ignore')
+
+        headers = proto_ck[0:proto_ck.find(olefy_protocol_sep)]
+
+        if olefy_protocol == headers[0:5]:
+            self.extra = bytearray(self.extra[len(headers)+2:len(self.extra)])
+            protocol_split(headers)
+        else:
+            olefy_protocol_err = True
+
+        if olefy_ping == headers[0:4]:
+            is_ping = True
+        else:
+            is_ping = False
+            rspamd_id = olefy_headers['Rspamd-ID'][:6] or ''
+            lid = 'Rspamd-ID' in olefy_headers and '<'+rspamd_id+'>'
+            tmp_file_name = olefy_tmp_dir+'/'+request_time+'.'+str(peer[1])+'.'+rspamd_id
+            logger.debug('{} {} choosen as tmp filename'.format(lid, tmp_file_name))
+
+        if not is_ping or olefy_loglvl == 10:
+            logger.info('{} {} bytes (stream size)'.format(lid, self.extra.__len__()))
+
+        if olefy_ping == headers[0:4]:
+            logger.debug('{} PING request'.format(peer))
+            out = b'PONG'
+        elif olefy_protocol_err == True or olefy_headers['olefy'] != 'OLEFY/1.0':
+            logger.error('{} Protocol ERROR: no OLEFY/1.0 found'.format(lid))
+            out = b'[ { "error": "Protocol error" } ]'
+        elif 'Method' in olefy_headers:
+            if olefy_headers['Method'] == 'oletools':
+                out = oletools(self.extra, tmp_file_name, lid)
+        else:
+            logger.error('Protocol ERROR: Method header not found')
+            out = b'[ { "error": "Protocol error: Method header not found" } ]'
+
+        self.transport.write(out)
+        if not is_ping or olefy_loglvl == 10:
+            logger.info('{} {} response send: {!r}'.format(lid, peer, out))
+        self.transport.close()
+
+
+# start the listeners
+loop = asyncio.get_event_loop()
+# each client connection will create a new protocol instance
+coro = loop.create_server(AIO, olefy_listen_addr, olefy_listen_port)
+server = loop.run_until_complete(coro)
+for sockets in server.sockets:
+    logger.info('serving on {}'.format(sockets.getsockname()))
+
+# XXX serve requests until KeyboardInterrupt, not needed for production
+try:
+    loop.run_forever()
+except KeyboardInterrupt:
+    pass
+
+# graceful shutdown/reload
+server.close()
+loop.run_until_complete(server.wait_closed())
+loop.close()
+logger.info('stopped serving')

data/Dockerfiles/sogo/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.19
+@version: 3.28
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/sogo/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.19
+@version: 3.28
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/solr/Dockerfile

@@ -16,10 +16,15 @@ RUN dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
   tzdata \
   curl \
   bash \
+  zip \
   && apt-get autoclean \
   && rm -rf /var/lib/apt/lists/* \
   && chmod +x /solr.sh \
   && sync \
   && bash /solr.sh --bootstrap
   
+RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
+
+RUN apt remove zip -y  
+
 CMD ["/solr.sh"]

data/Dockerfiles/unbound/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 

data/Dockerfiles/watchdog/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
 
 # Installation

data/web/_status.502.html

@@ -16,8 +16,9 @@
     <pre>docker-compose logs --tail=200 php-fpm-mailcow nginx-mailcow</pre>
     <p>Make sure your SQL credentials in mailcow.conf (a link to .env) do fit your initialized SQL volume. If you see an access denied, you might have the wrong mailcow.conf:</p>
     <pre>source mailcow.conf ; docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}</pre>
-    <p>In case of a previous failed installation, remove all volumes and start over (<b>NEVER</b> do this with a production system, it will remove <b>ALL</b> data):</p>
-    <pre>docker-compose down -v ; docker-compose up -d</pre>
+    <p>In case of a previous failed installation, create a backup of your existing data, followed by removing all volumes and starting over (<b>NEVER</b> do this with a production system, it will remove <b>ALL</b> data):</p>
+    <pre>BACKUP_LOCATION=/tmp/ ./helper-scripts/backup_and_restore.sh backup all</pre>
+    <pre>docker-compose down --volumes ; docker-compose up -d</pre>
     <p>Make sure your timezone is correct. Use "America/New_York" for example, do not use spaces. Check <a href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">here</a> for a list.</p>
     <br>Click to learn more about <a style="color:red;text-decoration:none;" href="https://mailcow.github.io/mailcow-dockerized-docs/#get-support" target="_blank">getting support.</a>
   </body>

data/web/api/openapi.yaml

@@ -4805,7 +4805,7 @@ paths:
             schema:
               example:
                 attr:
-                  rl_vlaue: "10"
+                  rl_value: "10"
                   rl_frame: "h"
                 items:
                   - info@domain.tld
@@ -4815,7 +4815,7 @@ paths:
                     rl_frame:
                       description: contains the frame for the ratelimit h,s,m
                       type: string
-                    rl_vlaue:
+                    rl_value:
                       description: contains the rate for the ratelimit 10,20,50,1
                       type: number
                   type: object
@@ -4876,7 +4876,7 @@ paths:
             schema:
               example:
                 attr:
-                  rl_vlaue: "10"
+                  rl_value: "10"
                   rl_frame: "h"
                 items:
                   - domain.tld
@@ -4886,7 +4886,7 @@ paths:
                     rl_frame:
                       description: contains the frame for the ratelimit h,s,m
                       type: string
-                    rl_vlaue:
+                    rl_value:
                       description: contains the rate for the ratelimit 10,20,50,1
                       type: number
                   type: object

data/web/css/build/008-mailcow.css

@@ -202,6 +202,11 @@ legend {
   margin-top: 27px;
   margin-bottom: 20px;
   color: #959595;
+  display: flex;
+  flex-direction: column;
+}
+.footer .version {
+    margin-left: auto;
 }
 .slave-info {
   padding: 15px 0px 15px 15px;

data/web/inc/footer.inc.php

@@ -23,7 +23,12 @@ if (is_array($alertbox_log_parser)) {
   unset($_SESSION['return']);
 }
 
+// globals
 $globalVariables = [
+  'mailcow_info' => array(
+    'version_tag' => $GLOBALS['MAILCOW_GIT_VERSION'],
+    'git_project_url' => $GLOBALS['MAILCOW_GIT_URL']
+  ),
   'js_path' => '/cache/'.basename($JSPath),
   'pending_tfa_method' => @$_SESSION['pending_tfa_method'],
   'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'],

data/web/inc/prerequisites.inc.php

@@ -10,11 +10,17 @@ $DEV_MODE = (getenv('DEV_MODE') == 'y');
 }*/
 
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
+
 $default_autodiscover_config = $autodiscover_config;
 
 if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php')) {
   include_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php';
 }
+
+// auto-generated by generate-config.sh and update.sh
+if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/inc/app_info.inc.php')) {
+    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/app_info.inc.php';
+}
 unset($https_port);
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
 
@@ -63,7 +69,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
-if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
+if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
 
 // Redis
 $redis = new Redis();

data/web/inc/vars.inc.php

@@ -175,6 +175,9 @@ $MAILBOX_DEFAULT_ATTRIBUTES['pop3_access'] = true;
 // Mailbox has SMTP access by default
 $MAILBOX_DEFAULT_ATTRIBUTES['smtp_access'] = true;
 
+// Mailbox has sieve access by default
+$MAILBOX_DEFAULT_ATTRIBUTES['sieve_access'] = true;
+
 // Mailbox receives notifications about...
 // "add_header" - mail that was put into the Junk folder
 // "reject" - mail that was rejected

data/web/json_api.php

@@ -409,16 +409,14 @@ if (isset($_GET['query'])) {
         break;
         case "fido2-get-args":
           header('Content-Type: application/json');
-          // fetch allowed credentialIds
-          $cids = fido2(array("action" => "get_all_cids"));
-          if (count($cids) == 0) {  
-            print(json_encode(array(
-                'type' => 'error',
-                'msg' => 'Cannot find matching credentialIds'
-            )));
-          }
+          // Login without username, no ids!
+          // $ids = fido2(array("action" => "get_all_cids"));
+          // if (count($ids) == 0) {
+            // return;
+          // }
+          $ids = NULL;
 
-          $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
+          $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
           print(json_encode($getArgs));
           $_SESSION['challenge'] = $WebAuthn->getChallenge();
           return;

data/web/lang/lang.cs.json

@@ -467,7 +467,7 @@
         "chart_this_server": "Graf (tento server)",
         "containers_info": "Informace o kontejnerech",
         "disk_usage": "Využití disku",
-        "docs": "Dokumentace",
+        "docs": "Dokumentů",
         "external_logs": "Externí logy",
         "history_all_servers": "Záznam (všechny servery)",
         "in_memory_logs": "Logy v paměti",

data/web/lang/lang.de.json

@@ -86,7 +86,7 @@
         "public_comment": "Öffentlicher Kommentar",
         "quota_mb": "Speicherplatz (MiB)",
         "relay_all": "Alle Empfänger-Adressen relayen",
-        "relay_all_info": "↪ Wenn <b>nicht</b> alle Empfänger-Adressen relayt werden sollen, müssen \"blinde\" Mailboxen für jede Adresse, die relayt werden soll, erstellen werden.",
+        "relay_all_info": "↪ Wenn <b>nicht</b> alle Empfänger-Adressen relayt werden sollen, müssen \"blinde\" Mailboxen für jede Adresse, die relayt werden soll, erstellt werden.",
         "relay_domain": "Diese Domain relayen",
         "relay_transport_info": "<div class=\"label label-info\">Info</div> Transport-Maps können erstellt werden, um individuelle Ziele für eine Relay-Domain zu definieren.",
         "relay_unknown_only": "Nur nicht-lokale Mailboxen relayen. Existente Mailboxen werden weiterhin lokal zugestellt.",

data/web/lang/lang.fr.json

@@ -259,7 +259,7 @@
         "recipients": "Destinataires",
         "refresh": "Rafraîchir",
         "regen_api_key": "Regénérer la clé API",
-        "regex_maps": "Cartes Regex (Regex = expression régulière)",
+        "regex_maps": "Cartes Regex (expression régulière)",
         "relay_from": "\"De:\" adresse",
         "relay_run": "Lancer le test",
         "relayhosts": "Transports  de l’expéditeur",
@@ -699,7 +699,7 @@
         "private_comment": "Commentaire privé",
         "public_comment": "Commentaire public",
         "q_add_header": "Courriers indésirables",
-        "q_all": "Toutes les catégories",
+        "q_all": " quand déplacé dans le dossier spam ou rejeté",
         "q_reject": "Rejecté",
         "quarantine_notification": "Avis de quarantaine",
         "quarantine_category": "Catégorie de la notification de quarantaine",
@@ -729,7 +729,7 @@
         "sogo_visible": "Alias visible dans SOGo",
         "sogo_visible_n": "Masquer alias dans SOGo",
         "sogo_visible_y": "Afficher alias dans SOGo",
-        "spam_aliases": "Alias temp.",
+        "spam_aliases": "Alias temporaire",
         "stats": "Statistiques",
         "status": "Statut",
         "sync_jobs": "Tâches de synchronisation",
@@ -1070,7 +1070,7 @@
     "warning": {
         "cannot_delete_self": "Impossible de supprimer l’utilisateur connecté",
         "domain_added_sogo_failed": "Ajout d’un domaine mais échec du redémarrage de Sogo, veuillez vérifier les journaux de votre serveur.",
-        "dovecot_restart_failed": "Dovecot n’a pas pu redémarrer, veuillez vérifier les journaux de votre serveur.",
+        "dovecot_restart_failed": "Dovecot n’a pas pu redémarrer, veuillez vérifier les journaux",
         "fuzzy_learn_error": "Erreur d’apprentissage du hachage flou: %s",
         "hash_not_found": "Hachage non trouvé ou déjà supprimé",
         "ip_invalid": "IP non valide ignorée: %s",

data/web/lang/lang.it.json

@@ -18,8 +18,8 @@
         "quarantine_attachments": "Allegati in quarantena",
         "quarantine_category": "Modifica la categoria delle notifiche di quarantena",
         "quarantine_notification": "Modifica notifiche quarantena",
-        "ratelimit": "Rate limit",
-        "recipient_maps": "Recipient maps",
+        "ratelimit": "Limite di invio",
+        "recipient_maps": "Mappe dei destinatari",
         "smtp_ip_access": "Modifica gli host consentiti per SMTP",
         "sogo_access": "Consenti la gestione dell'accesso SOGo",
         "sogo_profile_reset": "Ripristina profilo SOGo",
@@ -27,7 +27,7 @@
         "spam_policy": "Blacklist/Whitelist",
         "spam_score": "Punteggio SPAM",
         "syncjobs": "Processi di sync",
-        "tls_policy": "TLS policy",
+        "tls_policy": "Politica TLS",
         "unlimited_quota": "Spazio illimitato per le caselle di posta"
     },
     "add": {
@@ -102,10 +102,11 @@
         "target_domain": "Dominio di destinazione",
         "timeout1": "Timeout per la connessione all'host remoto",
         "timeout2": "Timeout per la connessione all'host locale",
-        "username": "Username",
+        "username": "Nome utente",
         "validate": "Convalida",
         "validation_success": "Convalidato con successo",
-        "bcc_dest_format": "Il destinatario in copia nascosta, dev'essere un solo indirizzo email.<br>Se devi spedire una copia del messaggio a più destinatari, crea un alias ed utilizzalo per questa opzione."
+        "bcc_dest_format": "Il destinatario in copia nascosta deve essere un singolo indirizzo email.<br>Se si vuole spedire una copia del messaggio a più destinatari, bisogna creare un alias ed utilizzarlo per questa opzione.",
+        "app_passwd_protocols": "Protocolli consentiti per la password dell'app"
     },
     "admin": {
         "access": "Accedi",
@@ -133,18 +134,18 @@
         "advanced_settings": "Impostazioni avanzate",
         "api_allow_from": "Allow API access from these IPs/CIDR network notations",
         "api_info": "The API is a work in progress. The documentation can be found at <a href=\"/api\">/api</a>",
-        "api_key": "API key",
-        "api_skip_ip_check": "Skip IP check for API",
+        "api_key": "Chiave API",
+        "api_skip_ip_check": "Salta il controllo dell'IP per l'API",
         "app_links": "App links",
-        "app_name": "App name",
-        "apps_name": "\"mailcow Apps\" name",
-        "arrival_time": "Arrival time (server time)",
+        "app_name": "Nome dell'app",
+        "apps_name": "Nome \"mailcow Apps\"",
+        "arrival_time": "Ora di arrivo (ora del server)",
         "authed_user": "Auth. user",
         "ays": "Sei sicuro di voler procedere?",
         "ban_list_info": "See a list of banned IPs below: <b>network (remaining ban time) - [actions]</b>.<br />IPs queued to be unbanned will be removed from the active ban list within a few seconds.<br />Red labels indicate active permanent bans by blacklisting.",
         "change_logo": "Cambia logo",
         "configuration": "Configurazione",
-        "convert_html_to_text": "Convert HTML to plain text",
+        "convert_html_to_text": "Converti HTML in testo semplice",
         "credentials_transport_warning": "<b>Warning</b>: Adding a new transport map entry will update the credentials for all entries with a matching next hop column.",
         "customer_id": "ID cliente",
         "customize": "Personalizzare",
@@ -190,7 +191,7 @@
         "forwarding_hosts_add_hint": "È possibile specificare indirizzi IPv4 / IPv6, reti nella notazione CIDR, nomi host (che verranno risolti in indirizzi IP) o nomi di dominio (che verranno risolti agli indirizzi IP richiamando i record SPF o, in assenza, i record MX) .",
         "forwarding_hosts_hint": "I messaggi in entrata sono accettati in maniera incondizionata da tutti gli host qui elencati. Questi host sono quindi non controllati tramite DNSBL o sottoposti a greylisting. Lo spam ricevuto da questi host non viene mai rifiutato, ma potrebbe essere archiviato nella cartella Posta indesiderata. L'utilizzo più comune è quello di specificare i server di posta elettronica su cui è stata impostata una regola che inoltra le email in arrivo al server mailcow.",
         "from": "Da",
-        "generate": "generate",
+        "generate": "generare",
         "guid": "GUID - ID istanza univoco",
         "guid_and_license": "GUID & Licenza",
         "hash_remove_info": "Removing a ratelimit hash (if still existing) will reset its counter completely.<br>\r\n  Each hash is indicated by an individual color.",
@@ -205,7 +206,7 @@
         "include_exclude_info": "Di default - se nessuna voce viene selezionata - <b>tutte le caselle di posta</b> risultano attivate",
         "includes": "Includi questi destinatari",
         "is_mx_based": "Basato sul record MX",
-        "last_applied": "Last applied",
+        "last_applied": "Ultima applicazione",
         "license_info": "Non è necessario essere in possesso di una licenza ma aiuta gli sviluppatori a far crescere il prodotto.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Registra qui il tuo GUID </a> oppure <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Support order\">acquista il supporto per la tua installazione di mailcow.</a>",
         "link": "Link",
         "loading": "Caricamento in corso...",
@@ -230,7 +231,7 @@
         "optional": "facoltativo",
         "password": "Password",
         "password_length": "Lunghezza password",
-        "password_policy": "Password policy",
+        "password_policy": "Criteri della password",
         "password_policy_chars": "Deve contenere almeno un carattere alfabetico",
         "password_policy_length": "La lunghezza minima della password è %d caratteri",
         "password_policy_lowerupper": "Deve contenere caratteri minuscoli e maiuscoli",
@@ -282,7 +283,7 @@
         "remove": "Rimuovi",
         "remove_row": "Elimina riga",
         "reset_default": "Riporta alle condizioni di default",
-        "reset_limit": "Remove hash",
+        "reset_limit": "Rimuovi hash",
         "routing": "Routing",
         "rsetting_add_rule": "Aggiungi regola",
         "rsetting_content": "Contenuto della regola",
@@ -334,10 +335,15 @@
         "unban_pending": "unban pending",
         "unchanged_if_empty": "Se immutato lasciare vuoto",
         "upload": "Upload",
-        "username": "Username",
+        "username": "Nome utente",
         "validate_license_now": "Validate GUID against license server",
         "verify": "Verifica",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "api_read_only": "Accesso in sola lettura",
+        "api_read_write": "Accesso in lettura-scrittura",
+        "oauth2_apps": "App OAuth2",
+        "oauth2_add_client": "Aggiungere il client OAuth2",
+        "rsettings_preset_4": "Disattivare Rspamd per un dominio"
     },
     "danger": {
         "access_denied": "Accesso negato o form di login non corretto",
@@ -456,7 +462,7 @@
         "username_invalid": "Username %s non può essere utilizzato",
         "validity_missing": "Assegnare un periodo di validità",
         "value_missing": "Si prega di fornire tutti i valori",
-        "yotp_verification_failed": "Verifica Yubico OTP fallita: %s"
+        "yotp_verification_failed": "Verifica OTP Yubico fallita: %s"
     },
     "debug": {
         "chart_this_server": "Grafico (questo server)",
@@ -601,7 +607,13 @@
         "title": "Modifica oggetto",
         "unchanged_if_empty": "Se immutato lasciare vuoto",
         "username": "Username",
-        "validate_save": "Convalida e salva"
+        "validate_save": "Convalida e salva",
+        "pushover": "Pushover",
+        "sogo_access_info": "Il single-sign-on dall'interno dell'interfaccia di posta rimane funzionante. Questa impostazione non influisce sull'accesso a tutti gli altri servizi né cancella o modifica il profilo SOGo esistente dell'utente.",
+        "none_inherit": "Nessuno / Eredita",
+        "sogo_access": "Concedere l'accesso diretto a SOGo",
+        "acl": "ACL (autorizzazione)",
+        "app_passwd_protocols": "Protocolli consentiti per la password dell'app"
     },
     "fido2": {
         "confirm": "Confirm",
@@ -615,7 +627,8 @@
         "rename": "Rename",
         "set_fido2": "Register FIDO2 device",
         "set_fn": "Set friendly name",
-        "start_fido2_validation": "Start FIDO2 validation"
+        "start_fido2_validation": "Start FIDO2 validation",
+        "set_fido2_touchid": "Registrare il Touch ID su Apple M1"
     },
     "footer": {
         "cancel": "Annulla",
@@ -629,7 +642,8 @@
         "restart_container_info": "<b>Importante:</b> Il completamento di un normale riavvio potrebbe richiedere diversi minuti, ti consigliamo di attendere.",
         "restart_now": "Riavvia adesso",
         "restarting_container": "Riavvia il container, potrebbe richiedere diversi minuti",
-        "hibp_check": "Verifica con haveibeenpwned.com"
+        "hibp_check": "Verifica con haveibeenpwned.com",
+        "nothing_selected": "Niente di selezionato"
     },
     "header": {
         "administration": "Amministrazione",
@@ -694,7 +708,7 @@
         "bcc_to_rcpt": "Switch to recipient map type",
         "bcc_to_sender": "Switch to sender map type",
         "bcc_type": "BCC type",
-        "booking_null": "Always show as free",
+        "booking_null": "Mostra sempre come libero",
         "booking_0_short": "Always free",
         "booking_custom": "Hard-limit to a custom amount of bookings",
         "booking_custom_short": "Hard limit",
@@ -802,7 +816,17 @@
         "goto_spam": "Apprendi come <b>spam</b>",
         "open_logs": "Apri i log",
         "syncjob_check_log": "Controlla il log",
-        "syncjob_last_run_result": "Risultato dell'ultima esecuzione"
+        "syncjob_last_run_result": "Risultato dell'ultima esecuzione",
+        "syncjob_EXIT_TLS_FAILURE": "Problema con la connessione criptata",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problema di autenticazione",
+        "syncjob_EXIT_OVERQUOTA": "La casella di posta del destinatario ha superato la quota",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossibile connettersi al server remoto",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problema di connessione",
+        "catch_all": "Catch-All",
+        "sender": "Mittente",
+        "all_domains": "Tutti i domini",
+        "recipient": "Destinatario",
+        "syncjob_EX_OK": "Successo"
     },
     "oauth2": {
         "access_denied": "Effettua il login alla casella di posta per garantire l'accesso tramite OAuth2.",
@@ -1123,7 +1147,18 @@
         "change_password_hint_app_passwords": "Il tuo account ha {{number_of_app_passwords}} password delle app che non verranno modificate. Per gestirle, vai alla scheda App passwords.",
         "syncjob_check_log": "Controlla i log",
         "syncjob_last_run_result": "Risultato dell'ultima esecuzione",
-        "open_logs": "Apri i log"
+        "open_logs": "Apri i log",
+        "apple_connection_profile_with_app_password": "Una nuova password dell'app è stata generata ed aggiunta al profilo così che non sia più necessario inserire alcuna password quando si imposta il dispositivo. Si prega di non condividere il file in quanto concede l'accesso completo alla tua casella di posta elettronica.",
+        "allowed_protocols": "Protocolli consentiti",
+        "syncjob_EX_OK": "Successo",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problema di connessione",
+        "syncjob_EXIT_TLS_FAILURE": "Problema con la connessione criptata",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problema di autenticazione",
+        "syncjob_EXIT_OVERQUOTA": "La casella di posta del destinatario ha superato la quota",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossibile connettersi al server remoto",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nome utente o password errati",
+        "with_app_password": "con password dell'app",
+        "direct_protocol_access": "Questo utente della mailbox ha <b>accesso diretto ed esterno</b> ai seguenti protocolli e applicazioni. Questa impostazione è controllata dal tuo amministratore. Le password delle applicazioni possono essere create per garantire l'accesso ai singoli protocolli e applicazioni.<br>Il pulsante \"Accedi alla webmail\" fornisce un singolo accesso a SOGo ed è sempre disponibile."
     },
     "warning": {
         "cannot_delete_self": "Cannot delete logged in user",
@@ -1141,6 +1176,8 @@
     "ratelimit": {
         "minute": "messaggi / minuto",
         "disabled": "Disabilitato",
-        "second": "messaggi / secondo"
+        "second": "messaggi / secondo",
+        "hour": "messaggi / ora",
+        "day": "messaggi / giorno"
     }
 }

data/web/lang/lang.ro.json

@@ -42,8 +42,10 @@
         "alias_domain_info": "<small>Doar nume de domenii valide (separate prin virgulă).</small>",
         "app_name": "Nume aplicație",
         "app_password": "Adaugă parolă aplicație",
+        "app_passwd_protocols": "Protocoale permise pentru parola aplicației",
         "automap": "Încearcă maparea automată a folderelor (\"Obiecte trimise\", \"Trimise\" => \"Trimise\" etc.)",
         "backup_mx_options": "Opțiuni backup MX",
+        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.",
         "comment_info": "Un comentariu privat nu este vizibil pentru utilizator, în timp ce un comentariu public este afișat ca un tooltip când se trece peste el într-o privire de ansamblu asupra utilizatorilor",
         "custom_params": "Parametri personalizați",
         "custom_params_hint": "Corect: --param=xy, greşit: --param xy",
@@ -133,6 +135,8 @@
         "api_allow_from": "Permite accesul API de la aceste adrese IP/CIDR",
         "api_info": "API-ul este în dezvoltare. Documentația se găsește la adresa: <a href=\"/api\">/api</a>",
         "api_key": "Cheie API",
+        "api_read_only": "Acces doar pentru citire",
+        "api_read_write": "Acces pentru citire și scriere",
         "api_skip_ip_check": "Săriți verificarea IP pentru API",
         "app_links": "Linkuri aplicație",
         "app_name": "Nume aplicație",
@@ -220,6 +224,8 @@
         "no_active_bans": "Nu există interdicții active",
         "no_new_rows": "Nu există alte rânduri disponibile",
         "no_record": "Nici o înregistrare",
+        "oauth2_apps": "Aplicații OAuth2",
+        "oauth2_add_client": "Adaugă client OAuth2",
         "oauth2_client_id": "ID client",
         "oauth2_client_secret": "Secret client",
         "oauth2_info": "Implementarea OAuth2 suportă tipul de acces \"Cod de autorizare\" și emite jetoane de actualizare.<br>\r\nServerul emite automat noi jetoane de actualizare, după ce a fost folosit un jeton de actualizare.<br><br>\r\n→ Scopul implicit este <i>profil</i>. Doar utilizatorii căsuței poștale pot fi autentificați cu OAuth2. Dacă parametrul scop este omis, acesta revine la <i>profil</i>.<br>\r\n→ Parametrul <i>stare</i> trebuie să fie trimis de client ca parte a cererii de autorizare.<br><br>\r\nCăile pentru cereri către API-ul OAuth2:<br>\r\n<ul>\r\n  <li>Calea de autorizare: <code>/oauth/autorize</code ></li>\r\n  <li>Calea jetonului: <code>/oauth/token</code></li>\r\n  <li>Calea pentru resursă: <code>/oauth/profile</code></li>\r\n</ul>\r\nRegenerarea secretului clientului nu va expira codurile de autorizare existente, dar vor eșua să-și reînnoiască jetonul.<br><br>\r\nRevocarea jetoanelor clientului va cauza încheierea imediată a tuturor sesiunilor active. Toți clienții trebuie să se autentifice din nou.",
@@ -497,6 +503,7 @@
         "optional": "Această înregistrare este opțională."
     },
     "edit": {
+        "acl": "ACL (Permisiune)",
         "active": "Activ",
         "admin": "Editează administrator",
         "advanced_settings": "Setări avansate",
@@ -506,9 +513,10 @@
         "allowed_protocols": "Protocoale permise",
         "app_name": "Nume aplicație",
         "app_passwd": "Parolă apicație",
+        "app_passwd_protocols": "Protocoale permise pentru parola aplicației",
         "automap": "Încearcă maparea automată a folderelor (\"Obiecte trimise\", \"Trimise\" => \"Trimise\" etc.)",
         "backup_mx_options": "Opțiuni backup MX",
-        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.",
+        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.<br>Dacă trebuie să trimiteți o copie la mai multe adrese, creați un alias și utilizați-l aici.",
         "client_id": "ID Client",
         "client_secret": "Secret client",
         "comment_info": "Un comentariu privat nu este vizibil pentru utilizator, în timp ce un comentariu public este afișat ca un tooltip când se trece peste el într-o privire de ansamblu asupra utilizatorilor",
@@ -550,12 +558,14 @@
         "mbox_rl_info": "Această limitare de rată se aplică pe numele de conectare SASL, se potrivește cu orice adresă „de la” folosită de către utilizatorul autentificat. O limitare a ratei căsuței poștale înlocuiește limitarea ratei la nivel de domeniu.",
         "mins_interval": "Interval (min)",
         "multiple_bookings": "Rezervări multiple",
+        "none_inherit": "Nici una / Moștenește",
         "nexthop": "Următorul hop",
         "password": "Parolă",
         "password_repeat": "Confirmă parolă (repetă)",
         "previous": "Pagina precedentă",
         "private_comment": "Comentariu privat",
         "public_comment": "Comentariu public",
+        "pushover": "Pushover",
         "pushover_evaluate_x_prio": "Escalează e-mailurile cu prioritate înaltă [<code>X-Priority: 1</code>]",
         "pushover_info": "Setările de notificare push se vor aplica tuturor e-mailurilor curate (non-spam) livrate la <b>% s </b> inclusiv aliasuri (partajate, care nu sunt partajate, etichetate).",
         "pushover_only_x_prio": "Luați în considerare doar e-mailurile cu prioritate înaltă [<code>X-Priority: 1</code>]",
@@ -586,6 +596,8 @@
         "sieve_desc": "Descriere scurtă",
         "sieve_type": "Tip filtru",
         "skipcrossduplicates": "Sari peste mesajele duplicate din toate folderele (primul venit, primul servit)",
+        "sogo_access": "Acordați acces direct de conectare la SOGo",
+        "sogo_access_info": "Conectarea unică din interfața de administrare a e-mailului continuă să funcționeze. Această setare nu afectează accesul la toate celelalte servicii și nici nu șterge sau modifică profilul SOGo existent al unui utilizator.",
         "sogo_visible": "Aliasul este vizibil în SOGo",
         "sogo_visible_info": "Această opțiune afectează doar obiecte, care pot fi afișate în SOGo (adrese alias partajate sau ne-partajate cu cel puțin o căsuță poștală locală). Dacă este ascuns, un alias nu va apărea ca expeditor selectabil în SOGo.",
         "spam_alias": "Crează sau modifică adrese alias limitate în funcție de timp",
@@ -603,6 +615,21 @@
         "username": "Nume de utilizator",
         "validate_save": "Validează și salvează"
     },
+    "fido2": {
+        "set_fn": "Setați un nume prietenos",
+        "fn": "Nume prietenos",
+        "rename": "redenumiți",
+        "confirm": "Confirmați",
+        "register_status": "Starea înregistrării",
+        "known_ids": "ID-uri cunoscute",
+        "none": "Dezactivat",
+        "set_fido2": "Înregistrați dispozitivul FIDO2",
+        "set_fido2_touchid": "Înregistrați Touch ID pe Apple M1",
+        "start_fido2_validation": "Începeți validarea FIDO2",
+        "fido2_auth": "Conectați-vă cu FIDO2",
+        "fido2_success": "Dispozitivul a fost înregistrat cu succes",
+        "fido2_validation_failed": "Validarea a eșuat"
+    },
     "footer": {
         "cancel": "Anulează",
         "confirm_delete": "Confirmă ștergerea",
@@ -664,6 +691,7 @@
         "alias_domain_alias_hint": "Aliasurile <b>nu</b> sunt aplicate automat pe domeniile alias. O adresă alias <code>aliasul-meu@domeniu</code> <b>nu</b> acoperă adresa <code>aliasul-meu@domeniu-alias</code> (unde \"domeniu-alias\" este un domeniu alias imaginar pentru \"domeniu\").<br>Vă rugăm să utilizați un filtru sită pentru a redirecționa poșta către o căsuță poștală externă (consultați zona \"Filtre\" sau utilizați SOGo -> Redirecționare).",
         "alias_domain_backupmx": "Alias domeniu inactiv pentru domeniu releu",
         "aliases": "Aliasuri",
+        "all_domains": "Toate Domeniile",
         "allow_from_smtp": "Permiteți acestor adrese IP să utilizeze numai <b>SMTP</b>",
         "allow_from_smtp_info": "Lăsați gol pentru a permite tuturor expeditorilor.<br>Adrese și rețele IPv4/IPv6.",
         "allowed_protocols": "Protocoale permise",
@@ -687,6 +715,7 @@
         "booking_custom_short": "Limită maximă",
         "booking_ltnull": "Nelimitat, dar arată ca ocupat atunci când este rezervat",
         "booking_lt0_short": "Limită redusă",
+        "catch_all": "Prinde-Tot",
         "daily": "Zilnic",
         "deactivate": "Deactivează",
         "description": "Descriere",
@@ -704,6 +733,8 @@
         "filter_table": "Tabel filtre",
         "filters": "Filtre",
         "fname": "Nume complet",
+        "goto_ham": "Învață ca <b>ham</b>",
+        "goto_spam": "Învață ca <b>spam</b>",
         "hourly": "Din oră în oră",
         "in_use": "În uz (%)",
         "inactive": "Inactiv",
@@ -736,6 +767,7 @@
         "quarantine_notification": "Notificări de carantină",
         "quarantine_category": "Categoria notificărilor despre carantină",
         "quick_actions": "Acţiuni",
+        "recipient": "Destinatar",
         "recipient_map": "Hartă destinatar",
         "recipient_map_info": "Hărțile destinatarilor sunt folosite pentru a înlocui adresa de destinație a unui mesaj înainte de a fi livrat.",
         "recipient_map_new": "Destinatar nou",
@@ -746,6 +778,7 @@
         "remove": "Elimină",
         "resources": "Resurse",
         "running": "Rulare",
+        "sender": "Expeditor",
         "set_postfilter": "Marchează ca postfiltru",
         "set_prefilter": "Marchează ca prefiltru",
         "sieve_info": "Poți stoca mai multe filtre pentru fiecare utilizator, dar numai un singur prefiltru și un singur postfiltru pot fi active în același timp.<br>\nFiecare filtru va fi procesat în ordinea descrisă. Nici un script eșuat, nici un \"keep;\" emis nu va opri procesarea altor scripturi.Modificările aduse scripturilor sită globale vor declanșa o repornire a Dovecot.<br>\nPrefilter → User scripts → Postfilter → <a href=\"https://github.com/mailcow/mailcow-dockerized/blob/master/data/conf/dovecot/sieve_after\" target=\"_blank\">global sieve postfilter</a>",
@@ -765,6 +798,15 @@
         "stats": "Statistici",
         "status": "Stare",
         "sync_jobs": "Lucrări de sincronizare",
+        "syncjob_check_log": "Verificați jurnalul",
+        "syncjob_last_run_result": "Rezultatul ultimei rulări",
+        "syncjob_EX_OK": "Succes",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problemă de conectare",
+        "syncjob_EXIT_TLS_FAILURE": "Problemă cu conexiunea criptată",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problemă de autentificare",
+        "syncjob_EXIT_OVERQUOTA": "Cutia poștală țintă depășește cota maximă",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nu se poate conecta la server",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nume de utilizator sau parolă greșite",
         "table_size": "Mărime tabel",
         "table_size_show_n": "Arată %s articole",
         "target_address": "Adresă goto",
@@ -848,6 +890,13 @@
         "text_plain_content": "Conținut (text/simplu)",
         "toggle_all": "Comută toate"
     },
+    "ratelimit": {
+        "disabled": "Dezactivat",
+        "second": "mesaje / sec",
+        "minute": "mesaje / min",
+        "hour": "mesaje / ora",
+        "day": "mesaje / zi"
+    },
     "start": {
         "help": "Afișează/Ascunde panoul de ajutor",
         "imap_smtp_server_auth_info": "Utilizează adresa completă de email și mecanismul de autentificare SIMPLU.<br>\nDatele tale de conectare vor fi criptate prin criptarea obligatorie de la server.",
@@ -957,20 +1006,6 @@
         "waiting_usb_register": "<i>În așteptarea dispozitivului USB...</i><br><br>Introdu parola ta mai sus și confirmă înregistrarea ta WebAuthn atingând butonul de pe dispozitivul tău USB WebAuthn.",
         "yubi_otp": "Autentificare Yubico OTP"
     },
-    "fido2": {
-        "set_fn": "Setați un nume prietenos",
-        "fn": "Nume prietenos",
-        "rename": "redenumiți",
-        "confirm": "Confirmați",
-        "register_status": "Starea înregistrării",
-        "known_ids": "ID-uri cunoscute",
-        "none": "Dezactivat",
-        "set_fido2": "Înregistrați dispozitivul FIDO2",
-        "start_fido2_validation": "Începeți validarea FIDO2",
-        "fido2_auth": "Conectați-vă cu FIDO2",
-        "fido2_success": "Dispozitivul a fost înregistrat cu succes",
-        "fido2_validation_failed": "Validarea a esuat"
-    },
     "user": {
         "action": "Acțiune",
         "active": "Activ",
@@ -987,12 +1022,15 @@
         "aliases_also_send_as": "De asemenea, este permis să trimită ca utilizator",
         "aliases_send_as_all": "Nu se verifică accesul expeditorului pentru următorul(arele) domeniu(i) și domeniile sale alias",
         "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea IMAP, SMTP, CalDAV, CardDAV și EAS. Numele de utilizator rămâne neschimbat.<br>SOGo nu este disponibil prin parolele aplicației.",
+        "allowed_protocols": "Protocoale permise",
         "app_name": "Nume aplicație",
         "app_passwds": "Parole aplicație",
         "apple_connection_profile": "Profil de conexiune Apple",
         "apple_connection_profile_complete": "Acest profil de conexiune include parametrii IMAP și SMTP, precum și calDAV (calendar) și carduri CardDAV (contacte) pentru dispozitivele Apple.",
         "apple_connection_profile_mailonly": "Acest profil de conexiune include parametrii de configurare IMAP și SMTP pentru dispozitivele Apple.",
+        "apple_connection_profile_with_app_password": "O nouă parolă pentru aplicație este generată și adăugată la profil, astfel încât să nu fie necesară introducerea unei parole la configurarea dispozitivului. Vă rugăm să nu partajați fișierul, deoarece oferă acces deplin la căsuța dvs. poștală.",
         "change_password": "Schimbă parola",
+        "change_password_hint_app_passwords": "Contul dvs. are {{number_of_app_passwords}} parole de aplicație care nu vor fi modificate. Pentru a le gestiona, accesați secțiunea Parole aplicație.",
         "clear_recent_successful_connections": "Ștergeți conexiunile reușite văzute",
         "client_configuration": "Afișează ghidurile de configurare pentru clienții de email și smartphone-uri",
         "create_app_passwd": "Crează parola aplicației",
@@ -1003,6 +1041,7 @@
         "delete_ays": "Vă rugăm să confirmați stergerea.",
         "direct_aliases": "Adrese alias directe",
         "direct_aliases_desc": "Adresele alias directe sunt afectate de setările filtrului de spam și ale politicii TLS.",
+        "direct_protocol_access": "Acest utilizator are <b>acces direct, extern</b> la următoarele protocoale și aplicații. Această setare este controlată de administratorul dvs. Parolele pentru aplicații pot fi create pentru a acorda acces la protocoale și aplicații individuale.<br>Butonul \"Conectați-vă la webmail\" oferă conectare unică la SOGo și este întotdeauna disponibil.",
         "eas_reset": "Resetează memoria cache a dispozitivului ActiveSync",
         "eas_reset_help": "În multe cazuri, resetarea cache-ului dispozitivului va ajuta la recuperarea unui profil ActiveSync defect.<br><b>Atenţie:</b> Toate elementele vor fi descărcate din nou!",
         "eas_reset_now": "Resetează acum",
@@ -1096,6 +1135,15 @@
         "spamfilter_yellow": "Galben: acest mesaj poate fi spam, va fi etichetat ca spam și va fi mutat în dosarul de junk",
         "status": "Stare",
         "sync_jobs": "Lucrări de sincronizare",
+        "syncjob_check_log": "Verificați jurnalul",
+        "syncjob_last_run_result": "Rezultatul ultimei rulări",
+        "syncjob_EX_OK": "Succes",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problemă de conectare",
+        "syncjob_EXIT_TLS_FAILURE": "Problemă cu conexiunea criptată",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problemă de autentificare",
+        "syncjob_EXIT_OVERQUOTA": "Cutia poștală țintă depășește cota maximă",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nu se poate conecta la server",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nume de utilizator sau parolă greșite",
         "tag_handling": "Setează manevrarea pentru mailurile etichetate",
         "tag_help_example": "Exemplu pentru o adresă de email etichetată: me<b>+Facebook</b>@example.org",
         "tag_help_explain": "În subfolder: un nou subfolder numit după etichetă va fi creat sub INBOX (\"INBOX/Facebook\").<br>\nÎn subiect: numele etichetelor va fi prefixat la subiectul mailurilor, de exemplu: \"[Facebook] My News\".",
@@ -1115,6 +1163,7 @@
         "week": "săptămână",
         "weekly": "Săptămânal",
         "weeks": "săptămâni",
+        "with_app_password": "cu parola aplicație",
         "year": "an",
         "years": "ani"
     },

data/web/lang/lang.sk.json

@@ -80,7 +80,7 @@
         "password": "Heslo",
         "password_repeat": "Potvrdzovacie heslo (zopakovať)",
         "port": "Port",
-        "post_domain_add": "SOGo kontajner, \"sogo-mailcow\", musí byť reštartovaný po pridaní novej domény!<br>",
+        "post_domain_add": "SOGo kontajner, \"sogo-mailcow\", musí byť reštartovaný po pridaní novej domény!<br><br>Okrem toho by sa mala skontrolovať konfigurácia DNS domény. Ak je konfigurácia v poriadku, reštartujte \"acme-mailcow\", aby sa automaticky vygenerovali certifikáty pre vašu novú doménu (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Tento krok je voliteľný a bude sa opakovať každých 24 hodín.",
         "private_comment": "Súkromný komentár",
         "public_comment": "Verejný komentár",
         "quota_mb": "Kvóta (MiB)",
@@ -323,7 +323,7 @@
         "to_top": "Naspať navrch",
         "transport_dest_format": "Regulárny výraz alebo syntax: example.org, .example.org, *, box@example.org (viacero hodnôt môžu byť oddelené čiarkou)",
         "transport_maps": "Transportné Mapy",
-        "transport_test_rcpt_info": "&#8226; Na otestovanie odchádzajúcej pošty je možné použiť null@hosted.mailcow.de ako adresáta",
+        "transport_test_rcpt_info": "&#8226; Na otestovanie odchádzajúcej pošty je možné použiť null@hosted.mailcow.de ako adresáta.",
         "transports_hint": "&#8226; Záznam v transportnej mape <b>prevažuje</b> nad transportnou mapou pre odosielanie</b>.<br>\r\n&#8226; Prenos na základe MX je preferovaná voľba.<br>\r\n&#8226; Nastavenie TLS pre používateľa je ignorované a môže byť vynútené TLS mapovaním.<br>\r\n&#8226; Transportná služba je definovaná vždy \"smtp:\" a použije TLS ak to bude umožnené. Wrapped TLS (SMTPS) nie je podporované.<br>\r\n&#8226; Adresy ktoré sa rovnajú hodnote \"/localhost$/\" budú vždy transportované cez \"local:\" a nebudú použité pre cieľový záznam \"*\".<br>\r\n&#8226; Po zadaní prihlasovacích údajov pre ďalší skok \"[host]:25\", Postfix <b>vždy</b> hľadá \"host\" a následne \"[host]:25\". Táto vlastnosť znemožňuje používať \"host\" a \"[host]:25\" naraz.",
         "ui_footer": "Pätička (HTML povolené)",
         "ui_header_announcement": "Oznámenie",
@@ -394,9 +394,9 @@
         "invalid_recipient_map_old": "Neplatná pôvodná mapa príjemcu: %s",
         "ip_list_empty": "Zoznam povolených IP nemôže byť prázdny",
         "is_alias": "%s je už používané ako alias adresa",
-        "is_alias_or_mailbox": "%s je už používaná ako adresa aliasu, mailovej schránky alebo aliasu odvodeného z aliasu domény",
+        "is_alias_or_mailbox": "%s je už používaná ako adresa aliasu, mailovej schránky alebo aliasu odvodeného z aliasu domény.",
         "is_spam_alias": "%s je už používaná ako adresa dočasného aliasu (spam alias adresa)",
-        "last_key": "Posledný kľúč nemôže byť vymazaný, deaktivujte najprv TFA",
+        "last_key": "Posledný kľúč nemôže byť vymazaný, deaktivujte najprv TFA.",
         "login_failed": "Prihlásenie zlyhalo",
         "mailbox_defquota_exceeds_mailbox_maxquota": "Predvolená kvóta presahuje max. kvótu mailovej schránky",
         "mailbox_invalid": "Meno mailovej schránky je neplatné",
@@ -638,7 +638,7 @@
         "restart_container": "Reštartovať kontajner",
         "restart_container_info": "<b>Dôležité:</b> Reštartovanie môže trvať dlhšie, čakajte prosím ...",
         "restart_now": "Reštartuj teraz",
-        "restarting_container": "Prebieha reštartovanie kontajnera, čakajte prosím ..."
+        "restarting_container": "Prebieha reštartovanie kontajnera, čakajte prosím"
     },
     "header": {
         "administration": "Konfigurácia & Detaily",
@@ -741,7 +741,7 @@
         "last_run_reset": "Znovu naplánovať",
         "mailbox": "Mailová schránka",
         "mailbox_defaults": "Predvolené nastavenia",
-        "mailbox_defaults_info": "Definuje predvolené nastavenia pre nové schránky",
+        "mailbox_defaults_info": "Definuje predvolené nastavenia pre nové schránky.",
         "mailbox_defquota": "Predvolená veľkosť schránky",
         "mailbox_quota": "Max. veľkosť schránky",
         "mailboxes": "Mailové schránky",
@@ -815,7 +815,7 @@
         "tls_map_policy": "Podmienky",
         "tls_policy_maps": "Mapy TLS pravidiel",
         "tls_policy_maps_enforced_tls": "Tieto politiky prepisujú používateľské nastavenia pre mailové schránky ktoré majú vynútene odchodzie TLS pripojenie. Ak nižšie nie sú uvedené žiadne pravidlá, budú použité ako východzie pravidlá <code>smtp_tls_mandatory_protocols</code> a <code>smtp_tls_mandatory_ciphers</code>.",
-        "tls_policy_maps_info": "Táto mapa prevažuje nad TLS pravidlami nezávisle od TLS pravidiel jednotlivých používateľov.<br>\r\n  Viac informácií navštívte <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\"> info k \"smtp_tls_policy_maps\" </a>",
+        "tls_policy_maps_info": "Táto mapa prevažuje nad TLS pravidlami nezávisle od TLS pravidiel jednotlivých používateľov.<br>\nPre viac informácií navštívte <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\"> postfix \"smtp_tls_policy_maps\"</a>.",
         "tls_policy_maps_long": "Prepisovanie TLS pravidiel pre odosielanie",
         "toggle_all": "Označiť všetky",
         "username": "Používateľské meno",
@@ -1069,8 +1069,8 @@
         "never": "Nikdy",
         "new_password": "Nové heslo",
         "new_password_repeat": "Potvrdiť heslo (opakovať)",
-        "no_active_filter": "Nie je dostupný žiadny aktívny filter.",
-        "no_last_login": "Žiadne informácie o UI prihlásení.",
+        "no_active_filter": "Nie je dostupný žiadny aktívny filter",
+        "no_last_login": "Žiadny záznam o prihlásení cez web",
         "no_record": "Žiaden záznam",
         "open_logs": "Otvoriť záznam",
         "open_webmail_sso": "Prihláste sa do webmailu",

data/web/sogo-auth.php

@@ -75,7 +75,12 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
   session_start();
   // extract email address from "/SOGo/so/user@domain/xy"
   $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);
-  $email = $url_parts[3];
+  $email_list = array(
+      $url_parts[3],                                // Requested mailbox
+      ($_SESSION['mailcow_cc_username'] ?? ''),     // Current user
+      ($_SESSION["dual-login"]["username"] ?? ''),  // Dual login user
+  );
+  foreach($email_list as $email) {
     // check if this email is in session allowed list
     if (
         !empty($email) &&
@@ -90,6 +95,7 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
       header("X-Auth-Type: Basic");
       exit;
     }
+  }
 }
 
 // if username is empty, SOGo will use the normal login methods / login form

data/web/templates/admin.twig

@@ -38,6 +38,7 @@
 
 <div class="row">
   <div class="col-md-12">
+    <div class="tab-content" style="padding-top:20px">
       {% include 'admin/tab-config-admins.twig' %}
       {% include 'admin/tab-ldap.twig' %}
       {% include 'admin/tab-config-oauth2.twig' %}
@@ -54,6 +55,7 @@
       {% include 'admin/tab-sys-mails.twig' %}
       {% include 'admin/tab-mailq.twig' %}
       {% include 'admin/tab-globalfilter-regex.twig' %}
+    </div>
   </div> <!-- /col-md-12 -->
 </div> <!-- /row -->
   

data/web/templates/admin/tab-config-admins.twig

@@ -1,5 +1,4 @@
-<div class="tab-content" style="padding-top:20px">
-  <div role="tabpanel" class="tab-pane active" id="tab-config-admins">
+<div role="tabpanel" class="tab-pane active" id="tab-config-admins">
     <div class="panel panel-danger">
       <div class="panel-heading xs-show">{{ lang.admin.admin_details }}</div>
       <div class="panel-body">
@@ -63,6 +62,7 @@
                 {% include 'fido2.twig' %}
               </table>
             </div>
+          </div>
           <br>
         </div>
       </div>
@@ -221,8 +221,6 @@
         </div>
       </div>
     </div>
-  </div>
-
   <div class="panel panel-default">
     <div class="panel-heading xs-show">{{ lang.admin.domain_admins }}</div>
     <div class="panel-body">
@@ -248,3 +246,4 @@
     </div>
   </div>
 </div>
+

data/web/templates/base.twig

@@ -423,6 +423,14 @@ function recursiveBase64StrToArrayBuffer(obj) {
   {% if ui_texts.ui_footer %}
   <hr><span class="rot-enc">{{ ui_texts.ui_footer|rot13|raw }}</span>
   {% endif %}
+  {% if mailcow_cc_username and mailcow_info.version_tag|default %}
+  <span class="version">
+    🐮 + 🐋 = 💕
+    <a href="{{ mailcow_info.git_project_url }}/releases/tag/{{ mailcow_info.version_tag }}" target="_blank">
+        Version: {{ mailcow_info.version_tag }}
+    </a>
+  </span>
+  {% endif %}
 </div>
 </body>
 </html>

data/web/templates/user/Pushover.twig

@@ -39,7 +39,7 @@
             <div class="col-sm-12">
               <div class="form-group">
                 <label for="text">{{ lang.user.pushover_sender_array|raw }}</label>
-                <input type="text" class="form-control" name="senders" value="{{ pushover_data.token }}" placeholder="sender1@example.com, sender2@example.com">
+                <input type="text" class="form-control" name="senders" value="{{ pushover_data.senders }}" placeholder="sender1@example.com, sender2@example.com">
               </div>
             </div>
             <div class="col-sm-12">

docker-compose.yml

@@ -2,7 +2,7 @@ version: '2.1'
 services:
 
     unbound-mailcow:
-      image: mailcow/unbound:1.14
+      image: mailcow/unbound:1.15
       environment:
         - TZ=${TZ}
       volumes:
@@ -58,7 +58,7 @@ services:
             - redis
 
     clamd-mailcow:
-      image: mailcow/clamd:1.42
+      image: mailcow/clamd:1.43
       restart: always
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
@@ -157,7 +157,7 @@ services:
         - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
         - MASTER=${MASTER:-y}
         - DEV_MODE=${DEV_MODE:-n}
-        - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
+        - WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
       restart: always
       networks:
         mailcow-network:
@@ -165,7 +165,7 @@ services:
             - phpfpm
 
     sogo-mailcow:
-      image: mailcow/sogo:1.104
+      image: mailcow/sogo:1.106
       environment:
         - DBNAME=${DBNAME}
         - DBUSER=${DBUSER}
@@ -200,7 +200,7 @@ services:
         ofelia.job-exec.sogo_sessions.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool expire-sessions $${SOGO_EXPIRE_SESSION} || exit 0\""
         ofelia.job-exec.sogo_ealarms.schedule: "@every 1m"
         ofelia.job-exec.sogo_ealarms.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-ealarms-notify -p /etc/sogo/sieve.creds || exit 0\""
-        ofelia.job-exec.sogo_eautoreply.schedule: "@every 24h"
+        ofelia.job-exec.sogo_eautoreply.schedule: "@every 5m"
         ofelia.job-exec.sogo_eautoreply.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool update-autoreply -p /etc/sogo/sieve.creds || exit 0\""
         ofelia.job-exec.sogo_backup.schedule: "@every 24h"
         ofelia.job-exec.sogo_backup.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool backup /sogo_backup ALL || exit 0\""
@@ -212,7 +212,7 @@ services:
             - sogo
 
     dovecot-mailcow:
-      image: mailcow/dovecot:1.158
+      image: mailcow/dovecot:1.159
       depends_on:
         - mysql-mailcow
       dns:
@@ -385,7 +385,7 @@ services:
     acme-mailcow:
       depends_on:
         - nginx-mailcow
-      image: mailcow/acme:1.80
+      image: mailcow/acme:1.81
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       environment:
@@ -421,7 +421,7 @@ services:
             - acme
 
     netfilter-mailcow:
-      image: mailcow/netfilter:1.45
+      image: mailcow/netfilter:1.46
       stop_grace_period: 30s
       depends_on:
         - dovecot-mailcow
@@ -444,7 +444,7 @@ services:
         - /lib/modules:/lib/modules:ro
 
     watchdog-mailcow:
-      image: mailcow/watchdog:1.95
+      image: mailcow/watchdog:1.96
       dns:
         - ${IPV4_NETWORK:-172.22.1}.254
       tmpfs:
@@ -506,7 +506,7 @@ services:
             - watchdog
 
     dockerapi-mailcow:
-      image: mailcow/dockerapi:1.40
+      image: mailcow/dockerapi:1.41
       security_opt:
         - label=disable
       restart: always
@@ -524,7 +524,7 @@ services:
             - dockerapi
 
     solr-mailcow:
-      image: mailcow/solr:1.8
+      image: mailcow/solr:1.8.1
       restart: always
       volumes:
         - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
@@ -540,7 +540,7 @@ services:
             - solr
 
     olefy-mailcow:
-      image: mailcow/olefy:1.8
+      image: mailcow/olefy:1.8.1
       restart: always
       environment:
         - TZ=${TZ}
@@ -561,6 +561,7 @@ services:
       image: mcuadros/ofelia:latest
       restart: always
       command: daemon --docker
+      environment:
         - TZ=${TZ}
       depends_on:
         - sogo-mailcow

generate_config.sh

@@ -344,10 +344,10 @@ DOVECOT_MASTER_PASS=
 # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
 ACME_CONTACT=
 
-# Enable webauthn device manufacturer verification
-# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
+# WebAuthn device manufacturer verification
+# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
 # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
-WEBAUTHN_RESPECT_ROOTCA=n
+WEBAUTHN_ONLY_TRUSTED_VENDORS=n
 
 EOF
 
@@ -361,3 +361,19 @@ echo "Generating snake-oil certificate..."
 openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes
 echo "Copying snake-oil certificate..."
 cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/
+
+# Set app_info.inc.php
+mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`)
+if [ $? -eq 0 ]; then
+  mailcow_git_url=$(git config --get remote.origin.url)
+  echo '<?php' > data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_URL="'$mailcow_git_url'";' >> data/web/inc/app_info.inc.php
+  echo '?>' >> data/web/inc/app_info.inc.php
+else
+  echo '<?php' > data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php
+  echo '?>' >> data/web/inc/app_info.inc.php
+  echo -e "\e[33mCannot determine current git repository version...\e[0m"
+fi

update.sh

@@ -307,7 +307,7 @@ CONFIG_ARRAY=(
   "ADDITIONAL_SERVER_NAMES"
   "ACME_CONTACT"
   "WATCHDOG_VERBOSE"
-  "WEBAUTHN_RESPECT_ROOTCA"
+  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
 )
 
 sed -i --follow-symlinks '$a\' mailcow.conf
@@ -515,12 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
       echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
       echo 'ACME_CONTACT=' >> mailcow.conf
   fi
-  elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
+  elif [[ ${option} == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
     if ! grep -q ${option} mailcow.conf; then
-      echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
-      echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+      echo "# WebAuthn device manufacturer verification" >> mailcow.conf
+      echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
       echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
-      echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
+      echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
     fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
     if ! grep -q ${option} mailcow.conf; then
@@ -719,6 +719,22 @@ if [ -f "data/conf/rspamd/local.d/metrics.conf" ]; then
   mv data/conf/rspamd/local.d/metrics.conf data/conf/rspamd/local.d/metrics.conf_deprecated
 fi
 
+# Set app_info.inc.php
+mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`)
+if [ $? -eq 0 ]; then
+  mailcow_git_url=$(git config --get remote.origin.url)
+  echo '<?php' > data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_URL="'$mailcow_git_url'";' >> data/web/inc/app_info.inc.php
+  echo '?>' >> data/web/inc/app_info.inc.php
+else
+  echo '<?php' > data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php
+  echo '  $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php
+  echo '?>' >> data/web/inc/app_info.inc.php
+  echo -e "\e[33mCannot determine current git repository version...\e[0m"
+fi
+
 if [[ ${SKIP_START} == "y" ]]; then
   echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m"
 else