38 changed files with 150 additions and 533 deletions
--- a/.github/workflows/close_old_issues_and_prs.yml
+++ b/.github/workflows/close_old_issues_and_prs.yml
@ -25,11 +25,10 @@ jobs:
          stale-pr-message: >
            This pull request has been automatically marked as stale because it has not had
            recent activity. It will be closed if no further activity occurs.
-          exempt-issue-labels: "pinned,security,enhancement,investigating,neverstale"
+          exempt-issue-labels: "pinned,security,enhancement,investigating"
-          exempt-pr-labels: "pinned,security,enhancement,investigating,neverstale"
+          exempt-pr-labels: "pinned,security,enhancement,investigating"
          stale-issue-label: "stale"
          stale-pr-label: "stale"
          exempt-draft-pr: "true"
          operations-per-run: "250"
          ascending: "true"
          #DRY-RUN
--- a/.gitignore
+++ b/.gitignore
@ -56,7 +56,6 @@ data/web/templates/cache/*
 data/web/.well-known/acme-challenge
 data/web/css/build/0081-custom-mailcow.css
 data/web/inc/vars.local.inc.php
 data/web/inc/app_info.inc.php
 data/web/nextcloud*/
 data/web/rc*/
 docker-compose.override.yml
--- a/README.md
+++ b/README.md
@ -1,6 +1,5 @@
 # mailcow: dockerized - 🐮 + 🐋 = 💕
 [![master build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/master?label=master%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![staging build status](https://img.shields.io/drone/build/mailcow/mailcow-dockerized/staging?label=staging%20build&server=https%3A%2F%2Fdrone.mailcow.email)](https://drone.mailcow.email/mailcow/mailcow-dockerized) [![Translation status](https://translate.mailcow.email/widgets/mailcow-dockerized/-/translation/svg-badge.svg)](https://translate.mailcow.email/engage/mailcow-dockerized/)
 [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/mailcow_email.svg?style=social&label=Follow%20%40mailcow_email)](https://twitter.com/mailcow_email)
 ## Want to support mailcow?
@ -24,8 +23,6 @@ Please see [the official documentation](https://mailcow.github.io/mailcow-docker
 [Telegram mailcow Off-Topic channel](https://t.me/mailcowOfftopic)
 [Official Twitter Account](https://twitter.com/mailcow_email)
 Telegram desktop clients are available for [multiple platforms](https://desktop.telegram.org). You can search the groups history for keywords.
 ## Misc
--- a/data/Dockerfiles/acme/Dockerfile
+++ b/data/Dockerfiles/acme/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
--- a/data/Dockerfiles/acme/obtain-certificate.sh
+++ b/data/Dockerfiles/acme/obtain-certificate.sh
@ -80,7 +80,7 @@ fi
 printf "[SAN]\nsubjectAltName=" > /tmp/_SAN
 printf "DNS:%s," "${CERT_DOMAINS[@]}" >> /tmp/_SAN
 sed -i '$s/,$//' /tmp/_SAN
-openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat "$(openssl version -d | sed 's/.*"\(.*\)"/\1/g')/openssl.cnf" /tmp/_SAN) > ${CSR}
+openssl req -new -sha256 -key ${KEY} -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf /tmp/_SAN) > ${CSR}
 # acme-tiny writes info to stderr and ceritifcate to stdout
 # The redirects will do the following:
--- a/data/Dockerfiles/clamd/Dockerfile
+++ b/data/Dockerfiles/clamd/Dockerfile
@ -1,8 +1,8 @@
-FROM debian:bullseye-slim
+FROM debian:buster-slim
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
-ARG CLAMAV=0.103.5
+ARG CLAMAV=0.103.4
 RUN apt-get update && apt-get install -y --no-install-recommends \
  ca-certificates \
  zlib1g-dev \
@ -23,7 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
  dos2unix \
  netcat \
  && rm -rf /var/lib/apt/lists/* \
-  && wget -O - https://www.clamav.net/downloads/production/clamav-${CLAMAV}.tar.gz | tar xfvz - \
+  && wget -O - https://fossies.org/linux/misc/clamav-${CLAMAV}.tar.gz | tar xfvz - \
  && cd clamav-${CLAMAV} \
  && ./configure \
  --prefix=/usr \
--- a/data/Dockerfiles/dockerapi/Dockerfile
+++ b/data/Dockerfiles/dockerapi/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
--- a/data/Dockerfiles/dovecot/Dockerfile
+++ b/data/Dockerfiles/dovecot/Dockerfile
@ -2,7 +2,7 @@ FROM debian:buster-slim
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 ARG DEBIAN_FRONTEND=noninteractive
-ARG DOVECOT=2.3.17.1
+ARG DOVECOT=2.3.17
 ENV LC_ALL C
 ENV GOSU_VERSION 1.12
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 ENV XTABLES_LIBDIR /usr/lib/xtables
@ -13,11 +13,10 @@ RUN apk add --virtual .build-deps \
 && apk add -U python3 \
  iptables \
  ip6tables \
  xtables-addons \
  tzdata \
  py3-pip \
  musl-dev \
-&& pip3 install --ignore-installed --upgrade pip \
+&& pip3 install --upgrade pip \
  python-iptables \
  redis \
  ipaddress \
--- a/data/Dockerfiles/olefy/Dockerfile
+++ b/data/Dockerfiles/olefy/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
 WORKDIR /app
@ -12,7 +12,7 @@ RUN apk add --virtual .build-deps gcc musl-dev python3-dev libffi-dev openssl-de
  && apk del .build-deps
 #  && sed -i 's/decompress_stream(bytearray(compressed_code))/bytes2str(decompress_stream(bytearray(compressed_code)))/g' /usr/lib/python3.8/site-packages/oletools/olevba.py
-ADD olefy.py /app/
+ADD https://raw.githubusercontent.com/HeinleinSupport/olefy/master/olefy.py /app/
 RUN chown -R nobody:nobody /app /tmp
--- a/data/Dockerfiles/olefy/olefy.py
+++ b/data/Dockerfiles/olefy/olefy.py
@ -1,220 +0,0 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # Copyright (c) 2020, Dennis Kalbhen <d.kalbhen@heinlein-support.de>
 # Copyright (c) 2020, Carsten Rosenberg <c.rosenberg@heinlein-support.de>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 ###
 #
 #  olefy is a little helper socket to use oletools with rspamd. (https://rspamd.com)
 #  Please find updates and issues here: https://github.com/HeinleinSupport/olefy
 #
 ###
 from subprocess import Popen, PIPE
 import sys
 import os
 import logging
 import asyncio
 import time
 import magic
 import re
 # merge variables from /etc/olefy.conf and the defaults
 olefy_listen_addr_string = os.getenv('OLEFY_BINDADDRESS', '127.0.0.1,::1')
 olefy_listen_port = int(os.getenv('OLEFY_BINDPORT', '10050'))
 olefy_tmp_dir = os.getenv('OLEFY_TMPDIR', '/tmp')
 olefy_python_path = os.getenv('OLEFY_PYTHON_PATH', '/usr/bin/python3')
 olefy_olevba_path = os.getenv('OLEFY_OLEVBA_PATH', '/usr/local/bin/olevba3')
 # 10:DEBUG, 20:INFO, 30:WARNING, 40:ERROR, 50:CRITICAL
 olefy_loglvl = int(os.getenv('OLEFY_LOGLVL', 20))
 olefy_min_length = int(os.getenv('OLEFY_MINLENGTH', 500))
 olefy_del_tmp = int(os.getenv('OLEFY_DEL_TMP', 1))
 olefy_del_tmp_failed = int(os.getenv('OLEFY_DEL_TMP_FAILED', 1))
 # internal used variables
 request_time = '0000000000.000000'
 olefy_protocol = 'OLEFY'
 olefy_ping = 'PING'
 olefy_protocol_sep = '\n\n'
 olefy_headers = {}
 # init logging
 logger = logging.getLogger('olefy')
 logging.basicConfig(stream=sys.stdout, level=olefy_loglvl, format='olefy %(levelname)s %(funcName)s %(message)s')
 logger.debug('olefy listen address string: {} (type {})'.format(olefy_listen_addr_string, type(olefy_listen_addr_string)))
 if not olefy_listen_addr_string:
    olefy_listen_addr = ""
 else:
    addr_re = re.compile('[\[" \]]')
    olefy_listen_addr = addr_re.sub('', olefy_listen_addr_string.replace("'", "")).split(',')
 # log runtime variables
 logger.info('olefy listen address: {} (type: {})'.format(olefy_listen_addr, type(olefy_listen_addr)))
 logger.info('olefy listen port: {}'.format(olefy_listen_port))
 logger.info('olefy tmp dir: {}'.format(olefy_tmp_dir))
 logger.info('olefy python path: {}'.format(olefy_python_path))
 logger.info('olefy olvba path: {}'.format(olefy_olevba_path))
 logger.info('olefy log level: {}'.format(olefy_loglvl))
 logger.info('olefy min file length: {}'.format(olefy_min_length))
 logger.info('olefy delete tmp file: {}'.format(olefy_del_tmp))
 logger.info('olefy delete tmp file when failed: {}'.format(olefy_del_tmp_failed))
 if not os.path.isfile(olefy_python_path):
    logger.critical('python path not found: {}'.format(olefy_python_path))
    exit(1)
 if not os.path.isfile(olefy_olevba_path):
    logger.critical('olevba path not found: {}'.format(olefy_olevba_path))
    exit(1)
 # olefy protocol function
 def protocol_split( olefy_line ):
    header_lines = olefy_line.split('\n')
    for line in header_lines:
        if line == 'OLEFY/1.0':
            olefy_headers['olefy'] = line
        elif line != '':
            kv = line.split(': ')
            if kv[0] != '' and kv[1] != '':
                olefy_headers[kv[0]] = kv[1]
    logger.debug('olefy_headers: {}'.format(olefy_headers))
 # calling oletools
 def oletools( stream, tmp_file_name, lid ):
    if olefy_min_length > stream.__len__():
        logger.error('{} {} bytes (Not Scanning! File smaller than {!r})'.format(lid, stream.__len__(), olefy_min_length))
        out = b'[ { "error": "File too small" } ]'
    else:
        tmp_file = open(tmp_file_name, 'wb')
        tmp_file.write(stream)
        tmp_file.close()
        file_magic = magic.Magic(mime=True, uncompress=True)
        file_mime = file_magic.from_file(tmp_file_name)
        logger.info('{} {} (libmagic output)'.format(lid, file_mime))
        # do the olefy
        cmd_tmp = Popen([olefy_python_path, olefy_olevba_path, '-a', '-j' , '-l', 'error', tmp_file_name], stdout=PIPE, stderr=PIPE)
        out, err = cmd_tmp.communicate()
        out = bytes(out.decode('utf-8', 'ignore').replace('  ', ' ').replace('\t', '').replace('\n', '').replace('XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)', ''), encoding="utf-8")
        failed = False
        if out.__len__() < 30:
            logger.error('{} olevba returned <30 chars - rc: {!r}, response: {!r}, error: {!r}'.format(lid,cmd_tmp.returncode, 
                out.decode('utf-8', 'ignore'), err.decode('utf-8', 'ignore')))
            out = b'[ { "error": "Unhandled error - too short olevba response" } ]'
            failed = True
        elif err.__len__() > 10 and cmd_tmp.returncode == 9:
            logger.error("{} olevba stderr >10 chars - rc: {!r}, response: {!r}".format(lid, cmd_tmp.returncode, err.decode("utf-8", "ignore")))
            out = b'[ { "error": "Decrypt failed" } ]'
            failed = True
        elif err.__len__() > 10 and cmd_tmp.returncode > 9:
            logger.error('{} olevba stderr >10 chars - rc: {!r}, response: {!r}'.format(lid, cmd_tmp.returncode, err.decode('utf-8', 'ignore')))
            out = b'[ { "error": "Unhandled oletools error" } ]'
            failed = True
        elif cmd_tmp.returncode != 0:
            logger.error('{} olevba exited with code {!r}; err: {!r}'.format(lid, cmd_tmp.returncode, err.decode('utf-8', 'ignore')))
            failed = True
        if failed and olefy_del_tmp_failed == 0:
            logger.debug('{} {} FAILED: not deleting tmp file'.format(lid, tmp_file_name))
        elif olefy_del_tmp == 1:
            logger.debug('{} {} deleting tmp file'.format(lid, tmp_file_name))
            os.remove(tmp_file_name)
    logger.debug('{} response: {}'.format(lid, out.decode('utf-8', 'ignore')))
    return out + b'\t\n\n\t'
 # Asyncio data handling, default AIO-Functions
 class AIO(asyncio.Protocol):
    def __init__(self):
        self.extra = bytearray()
    def connection_made(self, transport):
        global request_time
        peer = transport.get_extra_info('peername')
        logger.debug('{} new connection was made'.format(peer))
        self.transport = transport
        request_time = str(time.time())
    def data_received(self, request, msgid=1):
        peer = self.transport.get_extra_info('peername')
        logger.debug('{} data received from new connection'.format(peer))
        self.extra.extend(request)
    def eof_received(self):
        peer = self.transport.get_extra_info('peername')
        olefy_protocol_err = False
        proto_ck = self.extra[0:2000].decode('utf-8', 'ignore')
        headers = proto_ck[0:proto_ck.find(olefy_protocol_sep)]
        if olefy_protocol == headers[0:5]:
            self.extra = bytearray(self.extra[len(headers)+2:len(self.extra)])
            protocol_split(headers)
        else:
            olefy_protocol_err = True
        if olefy_ping == headers[0:4]:
            is_ping = True
        else:
            is_ping = False
            rspamd_id = olefy_headers['Rspamd-ID'][:6] or ''
            lid = 'Rspamd-ID' in olefy_headers and '<'+rspamd_id+'>'
            tmp_file_name = olefy_tmp_dir+'/'+request_time+'.'+str(peer[1])+'.'+rspamd_id
            logger.debug('{} {} choosen as tmp filename'.format(lid, tmp_file_name))
        if not is_ping or olefy_loglvl == 10:
            logger.info('{} {} bytes (stream size)'.format(lid, self.extra.__len__()))
        if olefy_ping == headers[0:4]:
            logger.debug('{} PING request'.format(peer))
            out = b'PONG'
        elif olefy_protocol_err == True or olefy_headers['olefy'] != 'OLEFY/1.0':
            logger.error('{} Protocol ERROR: no OLEFY/1.0 found'.format(lid))
            out = b'[ { "error": "Protocol error" } ]'
        elif 'Method' in olefy_headers:
            if olefy_headers['Method'] == 'oletools':
                out = oletools(self.extra, tmp_file_name, lid)
        else:
            logger.error('Protocol ERROR: Method header not found')
            out = b'[ { "error": "Protocol error: Method header not found" } ]'
        self.transport.write(out)
        if not is_ping or olefy_loglvl == 10:
            logger.info('{} {} response send: {!r}'.format(lid, peer, out))
        self.transport.close()
 # start the listeners
 loop = asyncio.get_event_loop()
 # each client connection will create a new protocol instance
 coro = loop.create_server(AIO, olefy_listen_addr, olefy_listen_port)
 server = loop.run_until_complete(coro)
 for sockets in server.sockets:
    logger.info('serving on {}'.format(sockets.getsockname()))
 # XXX serve requests until KeyboardInterrupt, not needed for production
 try:
    loop.run_forever()
 except KeyboardInterrupt:
    pass
 # graceful shutdown/reload
 server.close()
 loop.run_until_complete(server.wait_closed())
 loop.close()
 logger.info('stopped serving')
--- a/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
+++ b/data/Dockerfiles/sogo/syslog-ng-redis_slave.conf
@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.19
@include "scl.conf"
 options {
  chain_hostnames(off);
--- a/data/Dockerfiles/sogo/syslog-ng.conf
+++ b/data/Dockerfiles/sogo/syslog-ng.conf
@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.19
@include "scl.conf"
 options {
  chain_hostnames(off);
--- a/data/Dockerfiles/solr/Dockerfile
+++ b/data/Dockerfiles/solr/Dockerfile
@ -16,15 +16,10 @@ RUN dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
  tzdata \
  curl \
  bash \
  zip \
  && apt-get autoclean \
  && rm -rf /var/lib/apt/lists/* \
  && chmod +x /solr.sh \
  && sync \
  && bash /solr.sh --bootstrap
 RUN zip -q -d /opt/solr/server/lib/ext/log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
 RUN apt remove zip -y  
 CMD ["/solr.sh"]
--- a/data/Dockerfiles/unbound/Dockerfile
+++ b/data/Dockerfiles/unbound/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
--- a/data/Dockerfiles/watchdog/Dockerfile
+++ b/data/Dockerfiles/watchdog/Dockerfile
@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.14
 LABEL maintainer "André Peters <andre.peters@servercow.de>"
 # Installation
--- a/data/web/_status.502.html
+++ b/data/web/_status.502.html
@ -16,9 +16,8 @@
    <pre>docker-compose logs --tail=200 php-fpm-mailcow nginx-mailcow</pre>
    <p>Make sure your SQL credentials in mailcow.conf (a link to .env) do fit your initialized SQL volume. If you see an access denied, you might have the wrong mailcow.conf:</p>
    <pre>source mailcow.conf ; docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}</pre>
-    <p>In case of a previous failed installation, create a backup of your existing data, followed by removing all volumes and starting over (<b>NEVER</b> do this with a production system, it will remove <b>ALL</b> data):</p>
+    <p>In case of a previous failed installation, remove all volumes and start over (<b>NEVER</b> do this with a production system, it will remove <b>ALL</b> data):</p>
-    <pre>BACKUP_LOCATION=/tmp/ ./helper-scripts/backup_and_restore.sh backup all</pre>
+    <pre>docker-compose down -v ; docker-compose up -d</pre>
    <pre>docker-compose down --volumes ; docker-compose up -d</pre>
    <p>Make sure your timezone is correct. Use "America/New_York" for example, do not use spaces. Check <a href="https://en.wikipedia.org/wiki/List_of_tz_database_time_zones">here</a> for a list.</p>
    <br>Click to learn more about <a style="color:red;text-decoration:none;" href="https://mailcow.github.io/mailcow-dockerized-docs/#get-support" target="_blank">getting support.</a>
  </body>
--- a/data/web/api/openapi.yaml
+++ b/data/web/api/openapi.yaml
@ -4805,7 +4805,7 @@ paths:
            schema:
              example:
                attr:
-                  rl_value: "10"
+                  rl_vlaue: "10"
                  rl_frame: "h"
                items:
                  - info@domain.tld
@ -4815,7 +4815,7 @@ paths:
                    rl_frame:
                      description: contains the frame for the ratelimit h,s,m
                      type: string
-                    rl_value:
+                    rl_vlaue:
                      description: contains the rate for the ratelimit 10,20,50,1
                      type: number
                  type: object
@ -4876,7 +4876,7 @@ paths:
            schema:
              example:
                attr:
-                  rl_value: "10"
+                  rl_vlaue: "10"
                  rl_frame: "h"
                items:
                  - domain.tld
@ -4886,7 +4886,7 @@ paths:
                    rl_frame:
                      description: contains the frame for the ratelimit h,s,m
                      type: string
-                    rl_value:
+                    rl_vlaue:
                      description: contains the rate for the ratelimit 10,20,50,1
                      type: number
                  type: object
--- a/data/web/css/build/008-mailcow.css
+++ b/data/web/css/build/008-mailcow.css
@ -202,11 +202,6 @@ legend {
  margin-top: 27px;
  margin-bottom: 20px;
  color: #959595;
  display: flex;
  flex-direction: column;
 }
 .footer .version {
    margin-left: auto;
 }
 .slave-info {
  padding: 15px 0px 15px 15px;
--- a/data/web/inc/footer.inc.php
+++ b/data/web/inc/footer.inc.php
@ -23,12 +23,7 @@ if (is_array($alertbox_log_parser)) {
  unset($_SESSION['return']);
 }
 // globals
 $globalVariables = [
  'mailcow_info' => array(
    'version_tag' => $GLOBALS['MAILCOW_GIT_VERSION'],
    'git_project_url' => $GLOBALS['MAILCOW_GIT_URL']
  ),
  'js_path' => '/cache/'.basename($JSPath),
  'pending_tfa_method' => @$_SESSION['pending_tfa_method'],
  'pending_mailcow_cc_username' => @$_SESSION['pending_mailcow_cc_username'],
--- a/data/web/inc/prerequisites.inc.php
+++ b/data/web/inc/prerequisites.inc.php
@ -10,17 +10,11 @@ $DEV_MODE = (getenv('DEV_MODE') == 'y');
 }*/
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.inc.php';
 $default_autodiscover_config = $autodiscover_config;
 if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php')) {
  include_once $_SERVER['DOCUMENT_ROOT'] . '/inc/vars.local.inc.php';
 }
 // auto-generated by generate-config.sh and update.sh
 if (file_exists($_SERVER['DOCUMENT_ROOT'] . '/inc/app_info.inc.php')) {
    require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/app_info.inc.php';
 }
 unset($https_port);
 $autodiscover_config = array_merge($default_autodiscover_config, $autodiscover_config);
@ -69,7 +63,7 @@ $tfa = new RobThree\Auth\TwoFactorAuth($OTP_LABEL, 6, 30, 'sha1', $qrprovider);
 $formats = $GLOBALS['FIDO2_FORMATS'];
 $WebAuthn = new lbuchs\WebAuthn\WebAuthn('WebAuthn Library', $_SERVER['HTTP_HOST'], $formats);
 // only include root ca's when needed
-if (getenv('WEBAUTHN_ONLY_TRUSTED_VENDORS') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
+if (getenv('WEBAUTHN_RESPECT_ROOTCA') == 'y') $WebAuthn->addRootCertificates($_SERVER['DOCUMENT_ROOT'] . '/inc/lib/WebAuthn/rootCertificates');
 // Redis
 $redis = new Redis();
--- a/data/web/inc/vars.inc.php
+++ b/data/web/inc/vars.inc.php
@ -175,9 +175,6 @@ $MAILBOX_DEFAULT_ATTRIBUTES['pop3_access'] = true;
 // Mailbox has SMTP access by default
 $MAILBOX_DEFAULT_ATTRIBUTES['smtp_access'] = true;
 // Mailbox has sieve access by default
 $MAILBOX_DEFAULT_ATTRIBUTES['sieve_access'] = true;
 // Mailbox receives notifications about...
 // "add_header" - mail that was put into the Junk folder
 // "reject" - mail that was rejected
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@ -409,14 +409,16 @@ if (isset($_GET['query'])) {
        break;
        case "fido2-get-args":
          header('Content-Type: application/json');
-          // Login without username, no ids!
+          // fetch allowed credentialIds
-          // $ids = fido2(array("action" => "get_all_cids"));
+          $cids = fido2(array("action" => "get_all_cids"));
-          // if (count($ids) == 0) {
+          if (count($cids) == 0) {  
-            // return;
+            print(json_encode(array(
-          // }
+                'type' => 'error',
-          $ids = NULL;
+                'msg' => 'Cannot find matching credentialIds'
            )));
          }
-          $getArgs = $WebAuthn->getGetArgs($ids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
+          $getArgs = $WebAuthn->getGetArgs($cids, 30, true, true, true, true, $GLOBALS['FIDO2_UV_FLAG_LOGIN']);
          print(json_encode($getArgs));
          $_SESSION['challenge'] = $WebAuthn->getChallenge();
          return;
--- a/data/web/lang/lang.cs.json
+++ b/data/web/lang/lang.cs.json
@ -467,7 +467,7 @@
        "chart_this_server": "Graf (tento server)",
        "containers_info": "Informace o kontejnerech",
        "disk_usage": "Využití disku",
-        "docs": "Dokumentů",
+        "docs": "Dokumentace",
        "external_logs": "Externí logy",
        "history_all_servers": "Záznam (všechny servery)",
        "in_memory_logs": "Logy v paměti",
--- a/data/web/lang/lang.de.json
+++ b/data/web/lang/lang.de.json
@ -86,7 +86,7 @@
        "public_comment": "Öffentlicher Kommentar",
        "quota_mb": "Speicherplatz (MiB)",
        "relay_all": "Alle Empfänger-Adressen relayen",
-        "relay_all_info": "↪ Wenn <b>nicht</b> alle Empfänger-Adressen relayt werden sollen, müssen \"blinde\" Mailboxen für jede Adresse, die relayt werden soll, erstellt werden.",
+        "relay_all_info": "↪ Wenn <b>nicht</b> alle Empfänger-Adressen relayt werden sollen, müssen \"blinde\" Mailboxen für jede Adresse, die relayt werden soll, erstellen werden.",
        "relay_domain": "Diese Domain relayen",
        "relay_transport_info": "<div class=\"label label-info\">Info</div> Transport-Maps können erstellt werden, um individuelle Ziele für eine Relay-Domain zu definieren.",
        "relay_unknown_only": "Nur nicht-lokale Mailboxen relayen. Existente Mailboxen werden weiterhin lokal zugestellt.",
--- a/data/web/lang/lang.fr.json
+++ b/data/web/lang/lang.fr.json
@ -259,7 +259,7 @@
        "recipients": "Destinataires",
        "refresh": "Rafraîchir",
        "regen_api_key": "Regénérer la clé API",
-        "regex_maps": "Cartes Regex (expression régulière)",
+        "regex_maps": "Cartes Regex (Regex = expression régulière)",
        "relay_from": "\"De:\" adresse",
        "relay_run": "Lancer le test",
        "relayhosts": "Transports  de l’expéditeur",
@ -699,7 +699,7 @@
        "private_comment": "Commentaire privé",
        "public_comment": "Commentaire public",
        "q_add_header": "Courriers indésirables",
-        "q_all": " quand déplacé dans le dossier spam ou rejeté",
+        "q_all": "Toutes les catégories",
        "q_reject": "Rejecté",
        "quarantine_notification": "Avis de quarantaine",
        "quarantine_category": "Catégorie de la notification de quarantaine",
@ -729,7 +729,7 @@
        "sogo_visible": "Alias visible dans SOGo",
        "sogo_visible_n": "Masquer alias dans SOGo",
        "sogo_visible_y": "Afficher alias dans SOGo",
-        "spam_aliases": "Alias temporaire",
+        "spam_aliases": "Alias temp.",
        "stats": "Statistiques",
        "status": "Statut",
        "sync_jobs": "Tâches de synchronisation",
@ -1070,7 +1070,7 @@
    "warning": {
        "cannot_delete_self": "Impossible de supprimer l’utilisateur connecté",
        "domain_added_sogo_failed": "Ajout d’un domaine mais échec du redémarrage de Sogo, veuillez vérifier les journaux de votre serveur.",
-        "dovecot_restart_failed": "Dovecot n’a pas pu redémarrer, veuillez vérifier les journaux",
+        "dovecot_restart_failed": "Dovecot n’a pas pu redémarrer, veuillez vérifier les journaux de votre serveur.",
        "fuzzy_learn_error": "Erreur d’apprentissage du hachage flou: %s",
        "hash_not_found": "Hachage non trouvé ou déjà supprimé",
        "ip_invalid": "IP non valide ignorée: %s",
--- a/data/web/lang/lang.it.json
+++ b/data/web/lang/lang.it.json
@ -18,8 +18,8 @@
        "quarantine_attachments": "Allegati in quarantena",
        "quarantine_category": "Modifica la categoria delle notifiche di quarantena",
        "quarantine_notification": "Modifica notifiche quarantena",
-        "ratelimit": "Limite di invio",
+        "ratelimit": "Rate limit",
-        "recipient_maps": "Mappe dei destinatari",
+        "recipient_maps": "Recipient maps",
        "smtp_ip_access": "Modifica gli host consentiti per SMTP",
        "sogo_access": "Consenti la gestione dell'accesso SOGo",
        "sogo_profile_reset": "Ripristina profilo SOGo",
@ -27,7 +27,7 @@
        "spam_policy": "Blacklist/Whitelist",
        "spam_score": "Punteggio SPAM",
        "syncjobs": "Processi di sync",
-        "tls_policy": "Politica TLS",
+        "tls_policy": "TLS policy",
        "unlimited_quota": "Spazio illimitato per le caselle di posta"
    },
    "add": {
@ -102,11 +102,10 @@
        "target_domain": "Dominio di destinazione",
        "timeout1": "Timeout per la connessione all'host remoto",
        "timeout2": "Timeout per la connessione all'host locale",
-        "username": "Nome utente",
+        "username": "Username",
        "validate": "Convalida",
        "validation_success": "Convalidato con successo",
-        "bcc_dest_format": "Il destinatario in copia nascosta deve essere un singolo indirizzo email.<br>Se si vuole spedire una copia del messaggio a più destinatari, bisogna creare un alias ed utilizzarlo per questa opzione.",
+        "bcc_dest_format": "Il destinatario in copia nascosta, dev'essere un solo indirizzo email.<br>Se devi spedire una copia del messaggio a più destinatari, crea un alias ed utilizzalo per questa opzione."
        "app_passwd_protocols": "Protocolli consentiti per la password dell'app"
    },
    "admin": {
        "access": "Accedi",
@ -134,18 +133,18 @@
        "advanced_settings": "Impostazioni avanzate",
        "api_allow_from": "Allow API access from these IPs/CIDR network notations",
        "api_info": "The API is a work in progress. The documentation can be found at <a href=\"/api\">/api</a>",
-        "api_key": "Chiave API",
+        "api_key": "API key",
-        "api_skip_ip_check": "Salta il controllo dell'IP per l'API",
+        "api_skip_ip_check": "Skip IP check for API",
        "app_links": "App links",
-        "app_name": "Nome dell'app",
+        "app_name": "App name",
-        "apps_name": "Nome \"mailcow Apps\"",
+        "apps_name": "\"mailcow Apps\" name",
-        "arrival_time": "Ora di arrivo (ora del server)",
+        "arrival_time": "Arrival time (server time)",
        "authed_user": "Auth. user",
        "ays": "Sei sicuro di voler procedere?",
        "ban_list_info": "See a list of banned IPs below: <b>network (remaining ban time) - [actions]</b>.<br />IPs queued to be unbanned will be removed from the active ban list within a few seconds.<br />Red labels indicate active permanent bans by blacklisting.",
        "change_logo": "Cambia logo",
        "configuration": "Configurazione",
-        "convert_html_to_text": "Converti HTML in testo semplice",
+        "convert_html_to_text": "Convert HTML to plain text",
        "credentials_transport_warning": "<b>Warning</b>: Adding a new transport map entry will update the credentials for all entries with a matching next hop column.",
        "customer_id": "ID cliente",
        "customize": "Personalizzare",
@ -191,7 +190,7 @@
        "forwarding_hosts_add_hint": "È possibile specificare indirizzi IPv4 / IPv6, reti nella notazione CIDR, nomi host (che verranno risolti in indirizzi IP) o nomi di dominio (che verranno risolti agli indirizzi IP richiamando i record SPF o, in assenza, i record MX) .",
        "forwarding_hosts_hint": "I messaggi in entrata sono accettati in maniera incondizionata da tutti gli host qui elencati. Questi host sono quindi non controllati tramite DNSBL o sottoposti a greylisting. Lo spam ricevuto da questi host non viene mai rifiutato, ma potrebbe essere archiviato nella cartella Posta indesiderata. L'utilizzo più comune è quello di specificare i server di posta elettronica su cui è stata impostata una regola che inoltra le email in arrivo al server mailcow.",
        "from": "Da",
-        "generate": "generare",
+        "generate": "generate",
        "guid": "GUID - ID istanza univoco",
        "guid_and_license": "GUID & Licenza",
        "hash_remove_info": "Removing a ratelimit hash (if still existing) will reset its counter completely.<br>\r\n  Each hash is indicated by an individual color.",
@ -206,7 +205,7 @@
        "include_exclude_info": "Di default - se nessuna voce viene selezionata - <b>tutte le caselle di posta</b> risultano attivate",
        "includes": "Includi questi destinatari",
        "is_mx_based": "Basato sul record MX",
-        "last_applied": "Ultima applicazione",
+        "last_applied": "Last applied",
        "license_info": "Non è necessario essere in possesso di una licenza ma aiuta gli sviluppatori a far crescere il prodotto.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Registra qui il tuo GUID </a> oppure <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Support order\">acquista il supporto per la tua installazione di mailcow.</a>",
        "link": "Link",
        "loading": "Caricamento in corso...",
@ -231,7 +230,7 @@
        "optional": "facoltativo",
        "password": "Password",
        "password_length": "Lunghezza password",
-        "password_policy": "Criteri della password",
+        "password_policy": "Password policy",
        "password_policy_chars": "Deve contenere almeno un carattere alfabetico",
        "password_policy_length": "La lunghezza minima della password è %d caratteri",
        "password_policy_lowerupper": "Deve contenere caratteri minuscoli e maiuscoli",
@ -283,7 +282,7 @@
        "remove": "Rimuovi",
        "remove_row": "Elimina riga",
        "reset_default": "Riporta alle condizioni di default",
-        "reset_limit": "Rimuovi hash",
+        "reset_limit": "Remove hash",
        "routing": "Routing",
        "rsetting_add_rule": "Aggiungi regola",
        "rsetting_content": "Contenuto della regola",
@ -335,15 +334,10 @@
        "unban_pending": "unban pending",
        "unchanged_if_empty": "Se immutato lasciare vuoto",
        "upload": "Upload",
-        "username": "Nome utente",
+        "username": "Username",
        "validate_license_now": "Validate GUID against license server",
        "verify": "Verifica",
-        "yes": "&#10003;",
+        "yes": "&#10003;"
        "api_read_only": "Accesso in sola lettura",
        "api_read_write": "Accesso in lettura-scrittura",
        "oauth2_apps": "App OAuth2",
        "oauth2_add_client": "Aggiungere il client OAuth2",
        "rsettings_preset_4": "Disattivare Rspamd per un dominio"
    },
    "danger": {
        "access_denied": "Accesso negato o form di login non corretto",
@ -462,7 +456,7 @@
        "username_invalid": "Username %s non può essere utilizzato",
        "validity_missing": "Assegnare un periodo di validità",
        "value_missing": "Si prega di fornire tutti i valori",
-        "yotp_verification_failed": "Verifica OTP Yubico fallita: %s"
+        "yotp_verification_failed": "Verifica Yubico OTP fallita: %s"
    },
    "debug": {
        "chart_this_server": "Grafico (questo server)",
@ -607,13 +601,7 @@
        "title": "Modifica oggetto",
        "unchanged_if_empty": "Se immutato lasciare vuoto",
        "username": "Username",
-        "validate_save": "Convalida e salva",
+        "validate_save": "Convalida e salva"
        "pushover": "Pushover",
        "sogo_access_info": "Il single-sign-on dall'interno dell'interfaccia di posta rimane funzionante. Questa impostazione non influisce sull'accesso a tutti gli altri servizi né cancella o modifica il profilo SOGo esistente dell'utente.",
        "none_inherit": "Nessuno / Eredita",
        "sogo_access": "Concedere l'accesso diretto a SOGo",
        "acl": "ACL (autorizzazione)",
        "app_passwd_protocols": "Protocolli consentiti per la password dell'app"
    },
    "fido2": {
        "confirm": "Confirm",
@ -627,8 +615,7 @@
        "rename": "Rename",
        "set_fido2": "Register FIDO2 device",
        "set_fn": "Set friendly name",
-        "start_fido2_validation": "Start FIDO2 validation",
+        "start_fido2_validation": "Start FIDO2 validation"
        "set_fido2_touchid": "Registrare il Touch ID su Apple M1"
    },
    "footer": {
        "cancel": "Annulla",
@ -642,8 +629,7 @@
        "restart_container_info": "<b>Importante:</b> Il completamento di un normale riavvio potrebbe richiedere diversi minuti, ti consigliamo di attendere.",
        "restart_now": "Riavvia adesso",
        "restarting_container": "Riavvia il container, potrebbe richiedere diversi minuti",
-        "hibp_check": "Verifica con haveibeenpwned.com",
+        "hibp_check": "Verifica con haveibeenpwned.com"
        "nothing_selected": "Niente di selezionato"
    },
    "header": {
        "administration": "Amministrazione",
@ -708,7 +694,7 @@
        "bcc_to_rcpt": "Switch to recipient map type",
        "bcc_to_sender": "Switch to sender map type",
        "bcc_type": "BCC type",
-        "booking_null": "Mostra sempre come libero",
+        "booking_null": "Always show as free",
        "booking_0_short": "Always free",
        "booking_custom": "Hard-limit to a custom amount of bookings",
        "booking_custom_short": "Hard limit",
@ -816,17 +802,7 @@
        "goto_spam": "Apprendi come <b>spam</b>",
        "open_logs": "Apri i log",
        "syncjob_check_log": "Controlla il log",
-        "syncjob_last_run_result": "Risultato dell'ultima esecuzione",
+        "syncjob_last_run_result": "Risultato dell'ultima esecuzione"
        "syncjob_EXIT_TLS_FAILURE": "Problema con la connessione criptata",
        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problema di autenticazione",
        "syncjob_EXIT_OVERQUOTA": "La casella di posta del destinatario ha superato la quota",
        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossibile connettersi al server remoto",
        "syncjob_EXIT_CONNECTION_FAILURE": "Problema di connessione",
        "catch_all": "Catch-All",
        "sender": "Mittente",
        "all_domains": "Tutti i domini",
        "recipient": "Destinatario",
        "syncjob_EX_OK": "Successo"
    },
    "oauth2": {
        "access_denied": "Effettua il login alla casella di posta per garantire l'accesso tramite OAuth2.",
@ -1147,18 +1123,7 @@
        "change_password_hint_app_passwords": "Il tuo account ha {{number_of_app_passwords}} password delle app che non verranno modificate. Per gestirle, vai alla scheda App passwords.",
        "syncjob_check_log": "Controlla i log",
        "syncjob_last_run_result": "Risultato dell'ultima esecuzione",
-        "open_logs": "Apri i log",
+        "open_logs": "Apri i log"
        "apple_connection_profile_with_app_password": "Una nuova password dell'app è stata generata ed aggiunta al profilo così che non sia più necessario inserire alcuna password quando si imposta il dispositivo. Si prega di non condividere il file in quanto concede l'accesso completo alla tua casella di posta elettronica.",
        "allowed_protocols": "Protocolli consentiti",
        "syncjob_EX_OK": "Successo",
        "syncjob_EXIT_CONNECTION_FAILURE": "Problema di connessione",
        "syncjob_EXIT_TLS_FAILURE": "Problema con la connessione criptata",
        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problema di autenticazione",
        "syncjob_EXIT_OVERQUOTA": "La casella di posta del destinatario ha superato la quota",
        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossibile connettersi al server remoto",
        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nome utente o password errati",
        "with_app_password": "con password dell'app",
        "direct_protocol_access": "Questo utente della mailbox ha <b>accesso diretto ed esterno</b> ai seguenti protocolli e applicazioni. Questa impostazione è controllata dal tuo amministratore. Le password delle applicazioni possono essere create per garantire l'accesso ai singoli protocolli e applicazioni.<br>Il pulsante \"Accedi alla webmail\" fornisce un singolo accesso a SOGo ed è sempre disponibile."
    },
    "warning": {
        "cannot_delete_self": "Cannot delete logged in user",
@ -1176,8 +1141,6 @@
    "ratelimit": {
        "minute": "messaggi / minuto",
        "disabled": "Disabilitato",
-        "second": "messaggi / secondo",
+        "second": "messaggi / secondo"
        "hour": "messaggi / ora",
        "day": "messaggi / giorno"
    }
 }
--- a/data/web/lang/lang.ro.json
+++ b/data/web/lang/lang.ro.json
@ -42,10 +42,8 @@
        "alias_domain_info": "<small>Doar nume de domenii valide (separate prin virgulă).</small>",
        "app_name": "Nume aplicație",
        "app_password": "Adaugă parolă aplicație",
        "app_passwd_protocols": "Protocoale permise pentru parola aplicației",
        "automap": "Încearcă maparea automată a folderelor (\"Obiecte trimise\", \"Trimise\" => \"Trimise\" etc.)",
        "backup_mx_options": "Opțiuni backup MX",
        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.",
        "comment_info": "Un comentariu privat nu este vizibil pentru utilizator, în timp ce un comentariu public este afișat ca un tooltip când se trece peste el într-o privire de ansamblu asupra utilizatorilor",
        "custom_params": "Parametri personalizați",
        "custom_params_hint": "Corect: --param=xy, greşit: --param xy",
@ -135,8 +133,6 @@
        "api_allow_from": "Permite accesul API de la aceste adrese IP/CIDR",
        "api_info": "API-ul este în dezvoltare. Documentația se găsește la adresa: <a href=\"/api\">/api</a>",
        "api_key": "Cheie API",
        "api_read_only": "Acces doar pentru citire",
        "api_read_write": "Acces pentru citire și scriere",
        "api_skip_ip_check": "Săriți verificarea IP pentru API",
        "app_links": "Linkuri aplicație",
        "app_name": "Nume aplicație",
@ -224,8 +220,6 @@
        "no_active_bans": "Nu există interdicții active",
        "no_new_rows": "Nu există alte rânduri disponibile",
        "no_record": "Nici o înregistrare",
        "oauth2_apps": "Aplicații OAuth2",
        "oauth2_add_client": "Adaugă client OAuth2",
        "oauth2_client_id": "ID client",
        "oauth2_client_secret": "Secret client",
        "oauth2_info": "Implementarea OAuth2 suportă tipul de acces \"Cod de autorizare\" și emite jetoane de actualizare.<br>\r\nServerul emite automat noi jetoane de actualizare, după ce a fost folosit un jeton de actualizare.<br><br>\r\n→ Scopul implicit este <i>profil</i>. Doar utilizatorii căsuței poștale pot fi autentificați cu OAuth2. Dacă parametrul scop este omis, acesta revine la <i>profil</i>.<br>\r\n→ Parametrul <i>stare</i> trebuie să fie trimis de client ca parte a cererii de autorizare.<br><br>\r\nCăile pentru cereri către API-ul OAuth2:<br>\r\n<ul>\r\n  <li>Calea de autorizare: <code>/oauth/autorize</code ></li>\r\n  <li>Calea jetonului: <code>/oauth/token</code></li>\r\n  <li>Calea pentru resursă: <code>/oauth/profile</code></li>\r\n</ul>\r\nRegenerarea secretului clientului nu va expira codurile de autorizare existente, dar vor eșua să-și reînnoiască jetonul.<br><br>\r\nRevocarea jetoanelor clientului va cauza încheierea imediată a tuturor sesiunilor active. Toți clienții trebuie să se autentifice din nou.",
@ -503,7 +497,6 @@
        "optional": "Această înregistrare este opțională."
    },
    "edit": {
        "acl": "ACL (Permisiune)",
        "active": "Activ",
        "admin": "Editează administrator",
        "advanced_settings": "Setări avansate",
@ -513,10 +506,9 @@
        "allowed_protocols": "Protocoale permise",
        "app_name": "Nume aplicație",
        "app_passwd": "Parolă apicație",
        "app_passwd_protocols": "Protocoale permise pentru parola aplicației",
        "automap": "Încearcă maparea automată a folderelor (\"Obiecte trimise\", \"Trimise\" => \"Trimise\" etc.)",
        "backup_mx_options": "Opțiuni backup MX",
-        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.<br>Dacă trebuie să trimiteți o copie la mai multe adrese, creați un alias și utilizați-l aici.",
+        "bcc_dest_format": "Destinația BCC trebuie să fie o singură adresă de email validă.",
        "client_id": "ID Client",
        "client_secret": "Secret client",
        "comment_info": "Un comentariu privat nu este vizibil pentru utilizator, în timp ce un comentariu public este afișat ca un tooltip când se trece peste el într-o privire de ansamblu asupra utilizatorilor",
@ -558,14 +550,12 @@
        "mbox_rl_info": "Această limitare de rată se aplică pe numele de conectare SASL, se potrivește cu orice adresă „de la” folosită de către utilizatorul autentificat. O limitare a ratei căsuței poștale înlocuiește limitarea ratei la nivel de domeniu.",
        "mins_interval": "Interval (min)",
        "multiple_bookings": "Rezervări multiple",
        "none_inherit": "Nici una / Moștenește",
        "nexthop": "Următorul hop",
        "password": "Parolă",
        "password_repeat": "Confirmă parolă (repetă)",
        "previous": "Pagina precedentă",
        "private_comment": "Comentariu privat",
        "public_comment": "Comentariu public",
        "pushover": "Pushover",
        "pushover_evaluate_x_prio": "Escalează e-mailurile cu prioritate înaltă [<code>X-Priority: 1</code>]",
        "pushover_info": "Setările de notificare push se vor aplica tuturor e-mailurilor curate (non-spam) livrate la <b>% s </b> inclusiv aliasuri (partajate, care nu sunt partajate, etichetate).",
        "pushover_only_x_prio": "Luați în considerare doar e-mailurile cu prioritate înaltă [<code>X-Priority: 1</code>]",
@ -596,8 +586,6 @@
        "sieve_desc": "Descriere scurtă",
        "sieve_type": "Tip filtru",
        "skipcrossduplicates": "Sari peste mesajele duplicate din toate folderele (primul venit, primul servit)",
        "sogo_access": "Acordați acces direct de conectare la SOGo",
        "sogo_access_info": "Conectarea unică din interfața de administrare a e-mailului continuă să funcționeze. Această setare nu afectează accesul la toate celelalte servicii și nici nu șterge sau modifică profilul SOGo existent al unui utilizator.",
        "sogo_visible": "Aliasul este vizibil în SOGo",
        "sogo_visible_info": "Această opțiune afectează doar obiecte, care pot fi afișate în SOGo (adrese alias partajate sau ne-partajate cu cel puțin o căsuță poștală locală). Dacă este ascuns, un alias nu va apărea ca expeditor selectabil în SOGo.",
        "spam_alias": "Crează sau modifică adrese alias limitate în funcție de timp",
@ -615,21 +603,6 @@
        "username": "Nume de utilizator",
        "validate_save": "Validează și salvează"
    },
    "fido2": {
        "set_fn": "Setați un nume prietenos",
        "fn": "Nume prietenos",
        "rename": "redenumiți",
        "confirm": "Confirmați",
        "register_status": "Starea înregistrării",
        "known_ids": "ID-uri cunoscute",
        "none": "Dezactivat",
        "set_fido2": "Înregistrați dispozitivul FIDO2",
        "set_fido2_touchid": "Înregistrați Touch ID pe Apple M1",
        "start_fido2_validation": "Începeți validarea FIDO2",
        "fido2_auth": "Conectați-vă cu FIDO2",
        "fido2_success": "Dispozitivul a fost înregistrat cu succes",
        "fido2_validation_failed": "Validarea a eșuat"
    },
    "footer": {
        "cancel": "Anulează",
        "confirm_delete": "Confirmă ștergerea",
@ -691,7 +664,6 @@
        "alias_domain_alias_hint": "Aliasurile <b>nu</b> sunt aplicate automat pe domeniile alias. O adresă alias <code>aliasul-meu@domeniu</code> <b>nu</b> acoperă adresa <code>aliasul-meu@domeniu-alias</code> (unde \"domeniu-alias\" este un domeniu alias imaginar pentru \"domeniu\").<br>Vă rugăm să utilizați un filtru sită pentru a redirecționa poșta către o căsuță poștală externă (consultați zona \"Filtre\" sau utilizați SOGo -> Redirecționare).",
        "alias_domain_backupmx": "Alias domeniu inactiv pentru domeniu releu",
        "aliases": "Aliasuri",
        "all_domains": "Toate Domeniile",
        "allow_from_smtp": "Permiteți acestor adrese IP să utilizeze numai <b>SMTP</b>",
        "allow_from_smtp_info": "Lăsați gol pentru a permite tuturor expeditorilor.<br>Adrese și rețele IPv4/IPv6.",
        "allowed_protocols": "Protocoale permise",
@ -715,7 +687,6 @@
        "booking_custom_short": "Limită maximă",
        "booking_ltnull": "Nelimitat, dar arată ca ocupat atunci când este rezervat",
        "booking_lt0_short": "Limită redusă",
        "catch_all": "Prinde-Tot",
        "daily": "Zilnic",
        "deactivate": "Deactivează",
        "description": "Descriere",
@ -733,8 +704,6 @@
        "filter_table": "Tabel filtre",
        "filters": "Filtre",
        "fname": "Nume complet",
        "goto_ham": "Învață ca <b>ham</b>",
        "goto_spam": "Învață ca <b>spam</b>",
        "hourly": "Din oră în oră",
        "in_use": "În uz (%)",
        "inactive": "Inactiv",
@ -767,7 +736,6 @@
        "quarantine_notification": "Notificări de carantină",
        "quarantine_category": "Categoria notificărilor despre carantină",
        "quick_actions": "Acţiuni",
        "recipient": "Destinatar",
        "recipient_map": "Hartă destinatar",
        "recipient_map_info": "Hărțile destinatarilor sunt folosite pentru a înlocui adresa de destinație a unui mesaj înainte de a fi livrat.",
        "recipient_map_new": "Destinatar nou",
@ -778,7 +746,6 @@
        "remove": "Elimină",
        "resources": "Resurse",
        "running": "Rulare",
        "sender": "Expeditor",
        "set_postfilter": "Marchează ca postfiltru",
        "set_prefilter": "Marchează ca prefiltru",
        "sieve_info": "Poți stoca mai multe filtre pentru fiecare utilizator, dar numai un singur prefiltru și un singur postfiltru pot fi active în același timp.<br>\nFiecare filtru va fi procesat în ordinea descrisă. Nici un script eșuat, nici un \"keep;\" emis nu va opri procesarea altor scripturi.Modificările aduse scripturilor sită globale vor declanșa o repornire a Dovecot.<br>\nPrefilter → User scripts → Postfilter → <a href=\"https://github.com/mailcow/mailcow-dockerized/blob/master/data/conf/dovecot/sieve_after\" target=\"_blank\">global sieve postfilter</a>",
@ -798,15 +765,6 @@
        "stats": "Statistici",
        "status": "Stare",
        "sync_jobs": "Lucrări de sincronizare",
        "syncjob_check_log": "Verificați jurnalul",
        "syncjob_last_run_result": "Rezultatul ultimei rulări",
        "syncjob_EX_OK": "Succes",
        "syncjob_EXIT_CONNECTION_FAILURE": "Problemă de conectare",
        "syncjob_EXIT_TLS_FAILURE": "Problemă cu conexiunea criptată",
        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problemă de autentificare",
        "syncjob_EXIT_OVERQUOTA": "Cutia poștală țintă depășește cota maximă",
        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nu se poate conecta la server",
        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nume de utilizator sau parolă greșite",
        "table_size": "Mărime tabel",
        "table_size_show_n": "Arată %s articole",
        "target_address": "Adresă goto",
@ -890,13 +848,6 @@
        "text_plain_content": "Conținut (text/simplu)",
        "toggle_all": "Comută toate"
    },
    "ratelimit": {
        "disabled": "Dezactivat",
        "second": "mesaje / sec",
        "minute": "mesaje / min",
        "hour": "mesaje / ora",
        "day": "mesaje / zi"
    },
    "start": {
        "help": "Afișează/Ascunde panoul de ajutor",
        "imap_smtp_server_auth_info": "Utilizează adresa completă de email și mecanismul de autentificare SIMPLU.<br>\nDatele tale de conectare vor fi criptate prin criptarea obligatorie de la server.",
@ -1006,6 +957,20 @@
        "waiting_usb_register": "<i>În așteptarea dispozitivului USB...</i><br><br>Introdu parola ta mai sus și confirmă înregistrarea ta WebAuthn atingând butonul de pe dispozitivul tău USB WebAuthn.",
        "yubi_otp": "Autentificare Yubico OTP"
    },
    "fido2": {
        "set_fn": "Setați un nume prietenos",
        "fn": "Nume prietenos",
        "rename": "redenumiți",
        "confirm": "Confirmați",
        "register_status": "Starea înregistrării",
        "known_ids": "ID-uri cunoscute",
        "none": "Dezactivat",
        "set_fido2": "Înregistrați dispozitivul FIDO2",
        "start_fido2_validation": "Începeți validarea FIDO2",
        "fido2_auth": "Conectați-vă cu FIDO2",
        "fido2_success": "Dispozitivul a fost înregistrat cu succes",
        "fido2_validation_failed": "Validarea a esuat"
    },
    "user": {
        "action": "Acțiune",
        "active": "Activ",
@ -1022,15 +987,12 @@
        "aliases_also_send_as": "De asemenea, este permis să trimită ca utilizator",
        "aliases_send_as_all": "Nu se verifică accesul expeditorului pentru următorul(arele) domeniu(i) și domeniile sale alias",
        "app_hint": "Parolele aplicației sunt parole alternative pentru autentificarea IMAP, SMTP, CalDAV, CardDAV și EAS. Numele de utilizator rămâne neschimbat.<br>SOGo nu este disponibil prin parolele aplicației.",
        "allowed_protocols": "Protocoale permise",
        "app_name": "Nume aplicație",
        "app_passwds": "Parole aplicație",
        "apple_connection_profile": "Profil de conexiune Apple",
        "apple_connection_profile_complete": "Acest profil de conexiune include parametrii IMAP și SMTP, precum și calDAV (calendar) și carduri CardDAV (contacte) pentru dispozitivele Apple.",
        "apple_connection_profile_mailonly": "Acest profil de conexiune include parametrii de configurare IMAP și SMTP pentru dispozitivele Apple.",
        "apple_connection_profile_with_app_password": "O nouă parolă pentru aplicație este generată și adăugată la profil, astfel încât să nu fie necesară introducerea unei parole la configurarea dispozitivului. Vă rugăm să nu partajați fișierul, deoarece oferă acces deplin la căsuța dvs. poștală.",
        "change_password": "Schimbă parola",
        "change_password_hint_app_passwords": "Contul dvs. are {{number_of_app_passwords}} parole de aplicație care nu vor fi modificate. Pentru a le gestiona, accesați secțiunea Parole aplicație.",
        "clear_recent_successful_connections": "Ștergeți conexiunile reușite văzute",
        "client_configuration": "Afișează ghidurile de configurare pentru clienții de email și smartphone-uri",
        "create_app_passwd": "Crează parola aplicației",
@ -1041,7 +1003,6 @@
        "delete_ays": "Vă rugăm să confirmați stergerea.",
        "direct_aliases": "Adrese alias directe",
        "direct_aliases_desc": "Adresele alias directe sunt afectate de setările filtrului de spam și ale politicii TLS.",
        "direct_protocol_access": "Acest utilizator are <b>acces direct, extern</b> la următoarele protocoale și aplicații. Această setare este controlată de administratorul dvs. Parolele pentru aplicații pot fi create pentru a acorda acces la protocoale și aplicații individuale.<br>Butonul \"Conectați-vă la webmail\" oferă conectare unică la SOGo și este întotdeauna disponibil.",
        "eas_reset": "Resetează memoria cache a dispozitivului ActiveSync",
        "eas_reset_help": "În multe cazuri, resetarea cache-ului dispozitivului va ajuta la recuperarea unui profil ActiveSync defect.<br><b>Atenţie:</b> Toate elementele vor fi descărcate din nou!",
        "eas_reset_now": "Resetează acum",
@ -1135,15 +1096,6 @@
        "spamfilter_yellow": "Galben: acest mesaj poate fi spam, va fi etichetat ca spam și va fi mutat în dosarul de junk",
        "status": "Stare",
        "sync_jobs": "Lucrări de sincronizare",
        "syncjob_check_log": "Verificați jurnalul",
        "syncjob_last_run_result": "Rezultatul ultimei rulări",
        "syncjob_EX_OK": "Succes",
        "syncjob_EXIT_CONNECTION_FAILURE": "Problemă de conectare",
        "syncjob_EXIT_TLS_FAILURE": "Problemă cu conexiunea criptată",
        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problemă de autentificare",
        "syncjob_EXIT_OVERQUOTA": "Cutia poștală țintă depășește cota maximă",
        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Nu se poate conecta la server",
        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nume de utilizator sau parolă greșite",
        "tag_handling": "Setează manevrarea pentru mailurile etichetate",
        "tag_help_example": "Exemplu pentru o adresă de email etichetată: me<b>+Facebook</b>@example.org",
        "tag_help_explain": "În subfolder: un nou subfolder numit după etichetă va fi creat sub INBOX (\"INBOX/Facebook\").<br>\nÎn subiect: numele etichetelor va fi prefixat la subiectul mailurilor, de exemplu: \"[Facebook] My News\".",
@ -1163,7 +1115,6 @@
        "week": "săptămână",
        "weekly": "Săptămânal",
        "weeks": "săptămâni",
        "with_app_password": "cu parola aplicație",
        "year": "an",
        "years": "ani"
    },
--- a/data/web/lang/lang.sk.json
+++ b/data/web/lang/lang.sk.json
@ -80,7 +80,7 @@
        "password": "Heslo",
        "password_repeat": "Potvrdzovacie heslo (zopakovať)",
        "port": "Port",
-        "post_domain_add": "SOGo kontajner, \"sogo-mailcow\", musí byť reštartovaný po pridaní novej domény!<br><br>Okrem toho by sa mala skontrolovať konfigurácia DNS domény. Ak je konfigurácia v poriadku, reštartujte \"acme-mailcow\", aby sa automaticky vygenerovali certifikáty pre vašu novú doménu (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Tento krok je voliteľný a bude sa opakovať každých 24 hodín.",
+        "post_domain_add": "SOGo kontajner, \"sogo-mailcow\", musí byť reštartovaný po pridaní novej domény!<br>",
        "private_comment": "Súkromný komentár",
        "public_comment": "Verejný komentár",
        "quota_mb": "Kvóta (MiB)",
@ -323,7 +323,7 @@
        "to_top": "Naspať navrch",
        "transport_dest_format": "Regulárny výraz alebo syntax: example.org, .example.org, *, box@example.org (viacero hodnôt môžu byť oddelené čiarkou)",
        "transport_maps": "Transportné Mapy",
-        "transport_test_rcpt_info": "&#8226; Na otestovanie odchádzajúcej pošty je možné použiť null@hosted.mailcow.de ako adresáta.",
+        "transport_test_rcpt_info": "&#8226; Na otestovanie odchádzajúcej pošty je možné použiť null@hosted.mailcow.de ako adresáta",
        "transports_hint": "&#8226; Záznam v transportnej mape <b>prevažuje</b> nad transportnou mapou pre odosielanie</b>.<br>\r\n&#8226; Prenos na základe MX je preferovaná voľba.<br>\r\n&#8226; Nastavenie TLS pre používateľa je ignorované a môže byť vynútené TLS mapovaním.<br>\r\n&#8226; Transportná služba je definovaná vždy \"smtp:\" a použije TLS ak to bude umožnené. Wrapped TLS (SMTPS) nie je podporované.<br>\r\n&#8226; Adresy ktoré sa rovnajú hodnote \"/localhost$/\" budú vždy transportované cez \"local:\" a nebudú použité pre cieľový záznam \"*\".<br>\r\n&#8226; Po zadaní prihlasovacích údajov pre ďalší skok \"[host]:25\", Postfix <b>vždy</b> hľadá \"host\" a následne \"[host]:25\". Táto vlastnosť znemožňuje používať \"host\" a \"[host]:25\" naraz.",
        "ui_footer": "Pätička (HTML povolené)",
        "ui_header_announcement": "Oznámenie",
@ -394,9 +394,9 @@
        "invalid_recipient_map_old": "Neplatná pôvodná mapa príjemcu: %s",
        "ip_list_empty": "Zoznam povolených IP nemôže byť prázdny",
        "is_alias": "%s je už používané ako alias adresa",
-        "is_alias_or_mailbox": "%s je už používaná ako adresa aliasu, mailovej schránky alebo aliasu odvodeného z aliasu domény.",
+        "is_alias_or_mailbox": "%s je už používaná ako adresa aliasu, mailovej schránky alebo aliasu odvodeného z aliasu domény",
        "is_spam_alias": "%s je už používaná ako adresa dočasného aliasu (spam alias adresa)",
-        "last_key": "Posledný kľúč nemôže byť vymazaný, deaktivujte najprv TFA.",
+        "last_key": "Posledný kľúč nemôže byť vymazaný, deaktivujte najprv TFA",
        "login_failed": "Prihlásenie zlyhalo",
        "mailbox_defquota_exceeds_mailbox_maxquota": "Predvolená kvóta presahuje max. kvótu mailovej schránky",
        "mailbox_invalid": "Meno mailovej schránky je neplatné",
@ -638,7 +638,7 @@
        "restart_container": "Reštartovať kontajner",
        "restart_container_info": "<b>Dôležité:</b> Reštartovanie môže trvať dlhšie, čakajte prosím ...",
        "restart_now": "Reštartuj teraz",
-        "restarting_container": "Prebieha reštartovanie kontajnera, čakajte prosím"
+        "restarting_container": "Prebieha reštartovanie kontajnera, čakajte prosím ..."
    },
    "header": {
        "administration": "Konfigurácia & Detaily",
@ -741,7 +741,7 @@
        "last_run_reset": "Znovu naplánovať",
        "mailbox": "Mailová schránka",
        "mailbox_defaults": "Predvolené nastavenia",
-        "mailbox_defaults_info": "Definuje predvolené nastavenia pre nové schránky.",
+        "mailbox_defaults_info": "Definuje predvolené nastavenia pre nové schránky",
        "mailbox_defquota": "Predvolená veľkosť schránky",
        "mailbox_quota": "Max. veľkosť schránky",
        "mailboxes": "Mailové schránky",
@ -815,7 +815,7 @@
        "tls_map_policy": "Podmienky",
        "tls_policy_maps": "Mapy TLS pravidiel",
        "tls_policy_maps_enforced_tls": "Tieto politiky prepisujú používateľské nastavenia pre mailové schránky ktoré majú vynútene odchodzie TLS pripojenie. Ak nižšie nie sú uvedené žiadne pravidlá, budú použité ako východzie pravidlá <code>smtp_tls_mandatory_protocols</code> a <code>smtp_tls_mandatory_ciphers</code>.",
-        "tls_policy_maps_info": "Táto mapa prevažuje nad TLS pravidlami nezávisle od TLS pravidiel jednotlivých používateľov.<br>\nPre viac informácií navštívte <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\"> postfix \"smtp_tls_policy_maps\"</a>.",
+        "tls_policy_maps_info": "Táto mapa prevažuje nad TLS pravidlami nezávisle od TLS pravidiel jednotlivých používateľov.<br>\r\n  Viac informácií navštívte <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\"> info k \"smtp_tls_policy_maps\" </a>",
        "tls_policy_maps_long": "Prepisovanie TLS pravidiel pre odosielanie",
        "toggle_all": "Označiť všetky",
        "username": "Používateľské meno",
@ -1069,8 +1069,8 @@
        "never": "Nikdy",
        "new_password": "Nové heslo",
        "new_password_repeat": "Potvrdiť heslo (opakovať)",
-        "no_active_filter": "Nie je dostupný žiadny aktívny filter",
+        "no_active_filter": "Nie je dostupný žiadny aktívny filter.",
-        "no_last_login": "Žiadny záznam o prihlásení cez web",
+        "no_last_login": "Žiadne informácie o UI prihlásení.",
        "no_record": "Žiaden záznam",
        "open_logs": "Otvoriť záznam",
        "open_webmail_sso": "Prihláste sa do webmailu",
--- a/data/web/sogo-auth.php
+++ b/data/web/sogo-auth.php
@ -75,12 +75,7 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
  session_start();
  // extract email address from "/SOGo/so/user@domain/xy"
  $url_parts = explode("/", $_SERVER['HTTP_X_ORIGINAL_URI']);
-  $email_list = array(
+  $email = $url_parts[3];
      $url_parts[3],                                // Requested mailbox
      ($_SESSION['mailcow_cc_username'] ?? ''),     // Current user
      ($_SESSION["dual-login"]["username"] ?? ''),  // Dual login user
  );
  foreach($email_list as $email) {
  // check if this email is in session allowed list
  if (
      !empty($email) &&
@ -95,7 +90,6 @@ elseif (isset($_SERVER['HTTP_X_ORIGINAL_URI']) && strcasecmp(substr($_SERVER['HT
    header("X-Auth-Type: Basic");
    exit;
  }
  }
 }
 // if username is empty, SOGo will use the normal login methods / login form
--- a/data/web/templates/admin.twig
+++ b/data/web/templates/admin.twig
@ -38,7 +38,6 @@
 <div class="row">
  <div class="col-md-12">
    <div class="tab-content" style="padding-top:20px">
    {% include 'admin/tab-config-admins.twig' %}
    {% include 'admin/tab-ldap.twig' %}
    {% include 'admin/tab-config-oauth2.twig' %}
@ -55,7 +54,6 @@
    {% include 'admin/tab-sys-mails.twig' %}
    {% include 'admin/tab-mailq.twig' %}
    {% include 'admin/tab-globalfilter-regex.twig' %}
    </div>
  </div> <!-- /col-md-12 -->
 </div> <!-- /row -->
--- a/data/web/templates/admin/tab-config-admins.twig
+++ b/data/web/templates/admin/tab-config-admins.twig
@ -1,4 +1,5 @@
-<div role="tabpanel" class="tab-pane active" id="tab-config-admins">
+<div class="tab-content" style="padding-top:20px">
  <div role="tabpanel" class="tab-pane active" id="tab-config-admins">
    <div class="panel panel-danger">
      <div class="panel-heading xs-show">{{ lang.admin.admin_details }}</div>
      <div class="panel-body">
@ -62,7 +63,6 @@
                {% include 'fido2.twig' %}
            </table>
          </div>
          </div>
          <br>
        </div>
      </div>
@ -221,6 +221,8 @@
        </div>
      </div>
    </div>
  </div>
  <div class="panel panel-default">
    <div class="panel-heading xs-show">{{ lang.admin.domain_admins }}</div>
    <div class="panel-body">
@ -246,4 +248,3 @@
    </div>
  </div>
 </div>
--- a/data/web/templates/base.twig
+++ b/data/web/templates/base.twig
@ -423,14 +423,6 @@ function recursiveBase64StrToArrayBuffer(obj) {
  {% if ui_texts.ui_footer %}
  <hr><span class="rot-enc">{{ ui_texts.ui_footer|rot13|raw }}</span>
  {% endif %}
  {% if mailcow_cc_username and mailcow_info.version_tag|default %}
  <span class="version">
    🐮 + 🐋 = 💕
    <a href="{{ mailcow_info.git_project_url }}/releases/tag/{{ mailcow_info.version_tag }}" target="_blank">
        Version: {{ mailcow_info.version_tag }}
    </a>
  </span>
  {% endif %}
 </div>
 </body>
 </html>
--- a/data/web/templates/user/Pushover.twig
+++ b/data/web/templates/user/Pushover.twig
@ -39,7 +39,7 @@
            <div class="col-sm-12">
              <div class="form-group">
                <label for="text">{{ lang.user.pushover_sender_array|raw }}</label>
-                <input type="text" class="form-control" name="senders" value="{{ pushover_data.senders }}" placeholder="sender1@example.com, sender2@example.com">
+                <input type="text" class="form-control" name="senders" value="{{ pushover_data.token }}" placeholder="sender1@example.com, sender2@example.com">
              </div>
            </div>
            <div class="col-sm-12">
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,7 +2,7 @@ version: '2.1'
 services:
    unbound-mailcow:
-      image: mailcow/unbound:1.15
+      image: mailcow/unbound:1.14
      environment:
        - TZ=${TZ}
      volumes:
@ -58,7 +58,7 @@ services:
            - redis
    clamd-mailcow:
-      image: mailcow/clamd:1.43
+      image: mailcow/clamd:1.42
      restart: always
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
@ -157,7 +157,7 @@ services:
        - ALLOW_ADMIN_EMAIL_LOGIN=${ALLOW_ADMIN_EMAIL_LOGIN:-n}
        - MASTER=${MASTER:-y}
        - DEV_MODE=${DEV_MODE:-n}
-        - WEBAUTHN_ONLY_TRUSTED_VENDORS=${WEBAUTHN_ONLY_TRUSTED_VENDORS:-n}
+        - WEBAUTHN_RESPECT_ROOTCA=${WEBAUTHN_RESPECT_ROOTCA:-n}
      restart: always
      networks:
        mailcow-network:
@ -165,7 +165,7 @@ services:
            - phpfpm
    sogo-mailcow:
-      image: mailcow/sogo:1.106
+      image: mailcow/sogo:1.104
      environment:
        - DBNAME=${DBNAME}
        - DBUSER=${DBUSER}
@ -200,7 +200,7 @@ services:
        ofelia.job-exec.sogo_sessions.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool expire-sessions $${SOGO_EXPIRE_SESSION} || exit 0\""
        ofelia.job-exec.sogo_ealarms.schedule: "@every 1m"
        ofelia.job-exec.sogo_ealarms.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-ealarms-notify -p /etc/sogo/sieve.creds || exit 0\""
-        ofelia.job-exec.sogo_eautoreply.schedule: "@every 5m"
+        ofelia.job-exec.sogo_eautoreply.schedule: "@every 24h"
        ofelia.job-exec.sogo_eautoreply.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool update-autoreply -p /etc/sogo/sieve.creds || exit 0\""
        ofelia.job-exec.sogo_backup.schedule: "@every 24h"
        ofelia.job-exec.sogo_backup.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/local/bin/gosu sogo /usr/sbin/sogo-tool backup /sogo_backup ALL || exit 0\""
@ -212,7 +212,7 @@ services:
            - sogo
    dovecot-mailcow:
-      image: mailcow/dovecot:1.159
+      image: mailcow/dovecot:1.158
      depends_on:
        - mysql-mailcow
      dns:
@ -385,7 +385,7 @@ services:
    acme-mailcow:
      depends_on:
        - nginx-mailcow
-      image: mailcow/acme:1.81
+      image: mailcow/acme:1.80
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      environment:
@ -421,7 +421,7 @@ services:
            - acme
    netfilter-mailcow:
-      image: mailcow/netfilter:1.46
+      image: mailcow/netfilter:1.45
      stop_grace_period: 30s
      depends_on:
        - dovecot-mailcow
@ -444,7 +444,7 @@ services:
        - /lib/modules:/lib/modules:ro
    watchdog-mailcow:
-      image: mailcow/watchdog:1.96
+      image: mailcow/watchdog:1.95
      dns:
        - ${IPV4_NETWORK:-172.22.1}.254
      tmpfs:
@ -506,7 +506,7 @@ services:
            - watchdog
    dockerapi-mailcow:
-      image: mailcow/dockerapi:1.41
+      image: mailcow/dockerapi:1.40
      security_opt:
        - label=disable
      restart: always
@ -524,7 +524,7 @@ services:
            - dockerapi
    solr-mailcow:
-      image: mailcow/solr:1.8.1
+      image: mailcow/solr:1.8
      restart: always
      volumes:
        - solr-vol-1:/opt/solr/server/solr/dovecot-fts/data:Z
@ -540,7 +540,7 @@ services:
            - solr
    olefy-mailcow:
-      image: mailcow/olefy:1.8.1
+      image: mailcow/olefy:1.8
      restart: always
      environment:
        - TZ=${TZ}
@ -561,7 +561,6 @@ services:
      image: mcuadros/ofelia:latest
      restart: always
      command: daemon --docker
      environment:
        - TZ=${TZ}
      depends_on:
        - sogo-mailcow
--- a/generate_config.sh
+++ b/generate_config.sh
@ -344,10 +344,10 @@ DOVECOT_MASTER_PASS=
 # https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_tls/
 ACME_CONTACT=
-# WebAuthn device manufacturer verification
+# Enable webauthn device manufacturer verification
-# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed
+# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed
 # root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates
-WEBAUTHN_ONLY_TRUSTED_VENDORS=n
+WEBAUTHN_RESPECT_ROOTCA=n
 EOF
@ -361,19 +361,3 @@ echo "Generating snake-oil certificate..."
 openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes
 echo "Copying snake-oil certificate..."
 cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/
 # Set app_info.inc.php
 mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`)
 if [ $? -eq 0 ]; then
  mailcow_git_url=$(git config --get remote.origin.url)
  echo '<?php' > data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_URL="'$mailcow_git_url'";' >> data/web/inc/app_info.inc.php
  echo '?>' >> data/web/inc/app_info.inc.php
 else
  echo '<?php' > data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php
  echo '?>' >> data/web/inc/app_info.inc.php
  echo -e "\e[33mCannot determine current git repository version...\e[0m"
 fi
--- a/update.sh
+++ b/update.sh
@ -307,7 +307,7 @@ CONFIG_ARRAY=(
  "ADDITIONAL_SERVER_NAMES"
  "ACME_CONTACT"
  "WATCHDOG_VERBOSE"
-  "WEBAUTHN_ONLY_TRUSTED_VENDORS"
+  "WEBAUTHN_RESPECT_ROOTCA"
 )
 sed -i --follow-symlinks '$a\' mailcow.conf
@ -515,12 +515,12 @@ for option in ${CONFIG_ARRAY[@]}; do
      echo '# https://mailcow.github.io/mailcow-dockerized-docs/debug-reset-tls/' >> mailcow.conf
      echo 'ACME_CONTACT=' >> mailcow.conf
  fi
-  elif [[ ${option} == "WEBAUTHN_ONLY_TRUSTED_VENDORS" ]]; then
+  elif [[ ${option} == "WEBAUTHN_RESPECT_ROOTCA" ]]; then
    if ! grep -q ${option} mailcow.conf; then
-      echo "# WebAuthn device manufacturer verification" >> mailcow.conf
+      echo "# Enable webauthn device manufacturer verification" >> mailcow.conf
-      echo '# After setting WEBAUTHN_ONLY_TRUSTED_VENDORS=y only devices from trusted manufacturers are allowed' >> mailcow.conf
+      echo '# After setting WEBAUTHN_RESPECT_ROOTCA=y only devices from trusted manufacturers are allowed' >> mailcow.conf
      echo '# root certificates can be placed for validation under mailcow-dockerized/data/web/inc/lib/WebAuthn/rootCertificates' >> mailcow.conf
-      echo 'WEBAUTHN_ONLY_TRUSTED_VENDORS=n' >> mailcow.conf
+      echo 'WEBAUTHN_RESPECT_ROOTCA=n' >> mailcow.conf
    fi
 elif [[ ${option} == "WATCHDOG_VERBOSE" ]]; then
    if ! grep -q ${option} mailcow.conf; then
@ -719,22 +719,6 @@ if [ -f "data/conf/rspamd/local.d/metrics.conf" ]; then
  mv data/conf/rspamd/local.d/metrics.conf data/conf/rspamd/local.d/metrics.conf_deprecated
 fi
 # Set app_info.inc.php
 mailcow_git_version=$(git describe --tags `git rev-list --tags --max-count=1`)
 if [ $? -eq 0 ]; then
  mailcow_git_url=$(git config --get remote.origin.url)
  echo '<?php' > data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_VERSION="'$mailcow_git_version'";' >> data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_URL="'$mailcow_git_url'";' >> data/web/inc/app_info.inc.php
  echo '?>' >> data/web/inc/app_info.inc.php
 else
  echo '<?php' > data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_VERSION="";' >> data/web/inc/app_info.inc.php
  echo '  $MAILCOW_GIT_URL="";' >> data/web/inc/app_info.inc.php
  echo '?>' >> data/web/inc/app_info.inc.php
  echo -e "\e[33mCannot determine current git repository version...\e[0m"
 fi
 if [[ ${SKIP_START} == "y" ]]; then
  echo -e "\e[33mNot starting mailcow, please run \"docker-compose up -d --remove-orphans\" to start mailcow.\e[0m"
 else
`@ -1,4 +1,4 @@`
	`FROM alpine:3.15`	`FROM alpine:3.14`

	`LABEL maintainer "Andre Peters <andre.peters@servercow.de>"`	`LABEL maintainer "Andre Peters <andre.peters@servercow.de>"`