update FUNDING.yml

This reverts commit 89398c4726.

.github/FUNDING.yml

@@ -1 +1,2 @@
+github: mailcow
 custom: ["https://www.servercow.de/mailcow?lang=en#sal"]

.github/ISSUE_TEMPLATE/Bug_report.yml

@@ -62,6 +62,16 @@ body:
         - nightly
     validations:
       required: true
+  - type: dropdown
+    attributes:
+      label: "Which architecture are you using?"
+      description: "#### `uname -m`"
+      multiple: false
+      options:
+        - x86
+        - ARM64 (aarch64)
+    validations:
+      required: true
   - type: input
     attributes:
       label: "Operating System:"

.github/ISSUE_TEMPLATE/pr_to_nighty_template.yml

@@ -1,13 +1,3 @@
-## :memo:  Brief description
-<!-- Diff summary - START -->
-<!-- Diff summary - END -->
-
-
-## :computer:  Commits
-<!-- Diff commits - START -->
-<!-- Diff commits - END -->
-
-
 ## :file_folder:  Modified files
 <!-- Diff files - START -->
-<!-- Diff files - END -->
+<!-- Diff files - END -->

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,38 @@
+<!-- _Please make sure to review and check all of these items, otherwise we might refuse your PR:_ -->
+
+## Contribution Guidelines
+
+* [ ] I've read the [contribution guidelines](https://github.com/mailcow/mailcow-dockerized/blob/master/CONTRIBUTING.md) and wholeheartedly agree them
+
+<!-- _NOTE: this tickbox is needed to fullfil on order to get your PR reviewed._ -->
+
+## What does this PR include?
+
+### Short Description
+
+<!-- Please write a short description, what your PR does here. -->
+
+###  Affected Containers
+
+<!-- Please list all affected Docker containers here, which you commited changes to -->
+
+<!--
+
+Please list them like this:
+
+- container1
+- container2
+- container3
+etc.
+
+-->
+
+## Did you run tests?
+
+### What did you tested?
+
+<!-- Please write shortly, what you've tested (which components etc.). -->
+
+### What were the final results? (Awaited, got)
+
+<!-- Please write shortly, what your final tests results were. What did you awaited? Was the outcome the awaited one? -->

.github/workflows/check_if_support_labeled.yml

@@ -0,0 +1,37 @@
+name: Check if labeled support, if so send message and close issue
+on:
+  issues:
+    types:
+      - labeled
+jobs:
+  add-comment:
+    if: github.event.label.name == 'support'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - name: Add comment
+        run: gh issue comment "$NUMBER" --body "$BODY"
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+          BODY: |
+              **THIS IS A AUTOMATED MESSAGE!**
+
+              It seems your issue is not a bug.
+              Therefore we highly advise you to get support!
+              
+              You can get support either by:
+              - ordering a paid [support contract at Servercow](https://www.servercow.de/mailcow?lang=en#support/) (Directly from the developers) or
+              - using the [community forum](https://community.mailcow.email) (**Based on volunteers! NO guaranteed answer**) or
+              - using the [Telegram support channel](https://t.me/mailcow) (**Based on volunteers! NO guaranteed answer**)
+
+              This issue will be closed. If you think your reported issue is not a support case feel free to comment above and if so the issue will reopened.
+
+      - name: Close issue
+        env:
+          GH_TOKEN: ${{ secrets.SUPPORTISSUES_ACTION_PAT }}
+          GH_REPO: ${{ github.repository }}
+          NUMBER: ${{ github.event.issue.number }}
+        run: gh issue close "$NUMBER" -r "not planned"

.github/workflows/check_prs_if_on_staging.yml

@@ -10,7 +10,7 @@ jobs:
     if: github.event.pull_request.base.ref != 'staging' #check if the target branch is not staging
     steps:
       - name: Send message
-        uses: thollander/actions-comment-pull-request@v2.4.3
+        uses: thollander/actions-comment-pull-request@v2.5.0
         with:
           GITHUB_TOKEN: ${{ secrets.CHECKIFPRISSTAGING_ACTION_PAT }}
           message: |

.github/workflows/rebuild_backup_image.yml

@@ -26,7 +26,7 @@ jobs:
           password: ${{ secrets.BACKUPIMAGEBUILD_ACTION_DOCKERHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64

.github/workflows/update_postscreen_access_list.yml

@@ -22,7 +22,7 @@ jobs:
           bash helper-scripts/update_postscreen_whitelist.sh
 
     - name: Create Pull Request
-      uses: peter-evans/create-pull-request@v5
+      uses: peter-evans/create-pull-request@v6
       with:
         token: ${{ secrets.mailcow_action_Update_postscreen_access_cidr_pat }}
         commit-message: update postscreen_access.cidr

.gitignore

@@ -13,6 +13,7 @@ data/conf/dovecot/acl_anyone
 data/conf/dovecot/dovecot-master.passwd
 data/conf/dovecot/dovecot-master.userdb
 data/conf/dovecot/extra.conf
+data/conf/dovecot/mail_replica.conf
 data/conf/dovecot/global_sieve_*
 data/conf/dovecot/last_login
 data/conf/dovecot/lua

CONTRIBUTING.md

@@ -1,33 +1,52 @@
-# Contribution Guidelines (Last modified on 18th December 2023)
+# Contribution Guidelines
+**_Last modified on 15th August 2024_**
 
 First of all, thank you for wanting to provide a bugfix or a new feature for the mailcow community, it's because of your help that the project can continue to grow!
 
-## Pull Requests (Last modified on 18th December 2023)
+As we want to keep mailcow's development structured we setup these Guidelines which helps you to create your issue/pull request accordingly.
+
+**PLEASE NOTE, THAT WE MIGHT CLOSE ISSUES/PULL REQUESTS IF THEY DON'T FULLFIL OUR WRITTEN GUIDELINES WRITTEN INSIDE THIS DOCUMENT**. So please check this guidelines before you propose a Issue/Pull Request.
+
+## Topics
+
+- [Pull Requests](#pull-requests)
+- [Issue Reporting](#issue-reporting)
+    - [Guidelines](#issue-reporting-guidelines)
+    - [Issue Report Guide](#issue-report-guide)
+
+## Pull Requests
+**_Last modified on 15th August 2024_**
 
 However, please note the following regarding pull requests:
 
 1. **ALWAYS** create your PR using the staging branch of your locally cloned mailcow instance, as the pull request will end up in said staging branch of mailcow once approved. Ideally, you should simply create a new branch for your pull request that is named after the type of your PR (e.g. `feat/` for function updates or `fix/` for bug fixes) and the actual content (e.g. `sogo-6.0.0` for an update from SOGo to version 6 or `html-escape` for a fix that includes escaping HTML in mailcow).
-2. Please **keep** this pull request branch **clean** and free of commits that have nothing to do with the changes you have made (e.g. commits from other users from other branches). *If you make changes to the `update.sh` script or other scripts that trigger a commit, there is usually a developer mode for clean working in this case.
-3. **Test your changes before you commit them as a pull request.** <ins>If possible</ins>, write a small **test log** or demonstrate the functionality with a **screenshot or GIF**. *We will of course also test your pull request ourselves, but proof from you will save us the question of whether you have tested your own changes yourself.*
-4. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
-5. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
-6. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
+2. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+3. Please **keep** this pull request branch **clean** and free of commits that have nothing to do with the changes you have made (e.g. commits from other users from other branches). *If you make changes to the `update.sh` script or other scripts that trigger a commit, there is usually a developer mode for clean working in this case.*
+4. **Test your changes before you commit them as a pull request.** <ins>If possible</ins>, write a small **test log** or demonstrate the functionality with a **screenshot or GIF**. *We will of course also test your pull request ourselves, but proof from you will save us the question of whether you have tested your own changes yourself.*
+5. **Please use** the pull request template we provide once creating a pull request. *HINT: During editing you encounter comments which looks like: `<!-- CONTENT -->`. These can be removed or kept, as they will not rendered later on GitHub! Please only create actual content without the said comments.* 
+6. Please **ALWAYS** create the actual pull request against the staging branch and **NEVER** directly against the master branch. *If you forget to do this, our moobot will remind you to switch the branch to staging.*
+7. Wait for a merge commit: It may happen that we do not accept your pull request immediately or sometimes not at all for various reasons. Please do not be disappointed if this is the case. We always endeavor to incorporate any meaningful changes from the community into the mailcow project.
+8. If you are planning larger and therefore more complex pull requests, it would be advisable to first announce this in a separate issue and then start implementing it after the idea has been accepted in order to avoid unnecessary frustration and effort!
 
 ---
 
-## Issue Reporting (Last modified on 18th December 2023)
+## Issue Reporting
+**_Last modified on 15th August 2024_**
 
 If you plan to report a issue within mailcow please read and understand the following rules:
 
+### Issue Reporting Guidelines
+
 1. **ONLY** use the issue tracker for bug reports or improvement requests and NOT for support questions. For support questions you can either contact the [mailcow community on Telegram](https://docs.mailcow.email/#community-support-and-chat) or the mailcow team directly in exchange for a [support fee](https://docs.mailcow.email/#commercial-support).
 2. **ONLY** report an error if you have the **necessary know-how (at least the basics)** for the administration of an e-mail server and the usage of Docker. mailcow is a complex and fully-fledged e-mail server including groupware components on a Docker basement and it requires a bit of technical know-how for debugging and operating.
-3. **ONLY** report bugs that are contained in the latest mailcow release series. *The definition of the latest release series includes the last major patch (e.g. 2023-12) and all minor patches (revisions) below it (e.g. 2023-12a, b, c etc.).* New issue reports published starting from January 1, 2024 must meet this criterion, as versions below the latest releases are no longer supported by us.
-4. When reporting a problem, please be as detailed as possible and include even the smallest changes to your mailcow installation. Simply fill out the corresponding bug report form in detail and accurately to minimize possible questions.
-5. **Before you open an issue/feature request**, please first check whether a similar request already exists in the mailcow tracker on GitHub. If so, please include yourself in this request.
-6. When you create a issue/feature request: Please note that the creation does <ins>**not guarantee an instant implementation or fix by the mailcow team or the community**</ins>.
-7. Please **ALWAYS** anonymize any sensitive information in your bug report or feature request before submitting it.
+3. **ALWAYS** report/request issues/features in the english language, even though mailcow is a german based company. This is done to allow other GitHub users to reply to your issues/requests too which did not speak german or other languages besides english.
+4. **ONLY** report bugs that are contained in the latest mailcow release series. *The definition of the latest release series includes the last major patch (e.g. 2023-12) and all minor patches (revisions) below it (e.g. 2023-12a, b, c etc.).* New issue reports published starting from January 1, 2024 must meet this criterion, as versions below the latest releases are no longer supported by us.
+5. When reporting a problem, please be as detailed as possible and include even the smallest changes to your mailcow installation. Simply fill out the corresponding bug report form in detail and accurately to minimize possible questions.
+6. **Before you open an issue/feature request**, please first check whether a similar request already exists in the mailcow tracker on GitHub. If so, please include yourself in this request.
+7. When you create a issue/feature request: Please note that the creation does <ins>**not guarantee an instant implementation or fix by the mailcow team or the community**</ins>.
+8. Please **ALWAYS** anonymize any sensitive information in your bug report or feature request before submitting it.
 
-### Quick guide to reporting problems:
+### Issue Report Guide
 1. Read your logs; follow them to see what the reason for your problem is.
 2. Follow the leads given to you in your logfiles and start investigating.
 3. Restarting the troubled service or the whole stack to see if the problem persists.
@@ -36,4 +55,4 @@ If you plan to report a issue within mailcow please read and understand the foll
 6. [Create an issue](https://github.com/mailcow/mailcow-dockerized/issues/new/choose) over at our GitHub repository if you think your problem might be a bug or a missing feature you badly need. But please make sure, that you include **all the logs** and a full description to your problem.
 7. Ask your questions in our community-driven [support channels](https://docs.mailcow.email/#community-support-and-chat).
 
-## When creating an issue/feature request or a pull request, you will be asked to confirm these guidelines.
+## When creating an issue/feature request or a pull request, you will be asked to confirm these guidelines.

data/Dockerfiles/acme/Dockerfile

@@ -1,8 +1,8 @@
-FROM alpine:3.19
+FROM alpine:3.20
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
 
-ARG PIP_BREAK_SYSTEM_PACKAGES=1
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \
   bash \
@@ -15,9 +15,7 @@ RUN apk upgrade --no-cache \
   tini \
   tzdata \
   python3 \
-  py3-pip \
-  && pip3 install --upgrade pip \
-  && pip3 install acme-tiny
+  acme-tiny --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community/
 
 COPY acme.sh /srv/acme.sh
 COPY functions.sh /srv/functions.sh

data/Dockerfiles/acme/acme.sh

@@ -33,6 +33,10 @@ if [[ "${ONLY_MAILCOW_HOSTNAME}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   ONLY_MAILCOW_HOSTNAME=y
 fi
 
+if [[ "${AUTODISCOVER_SAN}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  AUTODISCOVER_SAN=y
+fi
+
 # Request individual certificate for every domain
 if [[ "${ENABLE_SSL_SNI}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   ENABLE_SSL_SNI=y
@@ -113,13 +117,13 @@ fi
 chmod 600 ${ACME_BASE}/key.pem
 
 log_f "Waiting for database..."
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
+while ! /usr/bin/mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent > /dev/null; do
   sleep 2
 done
 log_f "Database OK"
 
 log_f "Waiting for Nginx..."
-until $(curl --output /dev/null --silent --head --fail http://nginx:8081); do
+until $(curl --output /dev/null --silent --head --fail http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network:8081); do
   sleep 2
 done
 log_f "Nginx OK"
@@ -133,7 +137,7 @@ log_f "Resolver OK"
 # Waiting for domain table
 log_f "Waiting for domain table..."
 while [[ -z ${DOMAIN_TABLE} ]]; do
-  curl --silent http://nginx/ >/dev/null 2>&1
+  curl --silent http://nginx.${COMPOSE_PROJECT_NAME}_mailcow-network/ >/dev/null 2>&1
   DOMAIN_TABLE=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SHOW TABLES LIKE 'domain'" -Bs)
   [[ -z ${DOMAIN_TABLE} ]] && sleep 10
 done
@@ -211,7 +215,11 @@ while true; do
       ADDITIONAL_SAN_ARR+=($i)
     fi
   done
+
+  if [[ ${AUTODISCOVER_SAN} == "y" ]]; then
+  # Fetch certs for autoconfig and autodiscover subdomains
   ADDITIONAL_WC_ARR+=('autodiscover' 'autoconfig')
+  fi
 
   if [[ ${SKIP_IP_CHECK} != "y" ]]; then
   # Start IP detection

data/Dockerfiles/acme/reload-configurations.sh

@@ -2,32 +2,32 @@
 
 # Reading container IDs
 # Wrapping as array to ensure trimmed content when calling $NGINX etc.
-NGINX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-DOVECOT=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
-POSTFIX=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+NGINX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"nginx-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+DOVECOT=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"dovecot-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
+POSTFIX=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" | tr "\n" " "))
 
 reload_nginx(){
   echo "Reloading Nginx..."
-  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  NGINX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${NGINX}/exec -d '{"cmd":"reload", "task":"nginx"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${NGINX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Nginx, restarting container..."; restart_container ${NGINX} ; }
 }
 
 reload_dovecot(){
   echo "Reloading Dovecot..."
-  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  DOVECOT_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${DOVECOT}/exec -d '{"cmd":"reload", "task":"dovecot"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${DOVECOT_RELOAD_RET} != 'success' ]] && { echo "Could not reload Dovecot, restarting container..."; restart_container ${DOVECOT} ; }
 }
 
 reload_postfix(){
   echo "Reloading Postfix..."
-  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
+  POSTFIX_RELOAD_RET=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/exec -d '{"cmd":"reload", "task":"postfix"}' --silent -H 'Content-type: application/json' | jq -r .type)
   [[ ${POSTFIX_RELOAD_RET} != 'success' ]] && { echo "Could not reload Postfix, restarting container..."; restart_container ${POSTFIX} ; }
 }
 
 restart_container(){
   for container in $*; do
     echo "Restarting ${container}..."
-    C_REST_OUT=$(curl -X POST --insecure https://dockerapi/containers/${container}/restart --silent | jq -r '.msg')
+    C_REST_OUT=$(curl -X POST --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${container}/restart --silent | jq -r '.msg')
     echo "${C_REST_OUT}"
   done
 }

data/Dockerfiles/backup/Dockerfile

@@ -1,3 +1,3 @@
-FROM debian:bullseye-slim
+FROM debian:bookworm-slim
 
 RUN apt update && apt install pigz

data/Dockerfiles/clamd/Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.19
+FROM alpine:3.20
 
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk upgrade --no-cache \
   && apk add --update --no-cache \

data/Dockerfiles/dockerapi/Dockerfile

@@ -1,6 +1,6 @@
-FROM alpine:3.19
+FROM alpine:3.20
 
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app
@@ -24,4 +24,4 @@ COPY main.py /app/main.py
 COPY modules/ /app/modules/
 
 ENTRYPOINT ["/bin/sh", "/app/docker-entrypoint.sh"]
-CMD exec python main.py
+CMD ["python", "main.py"]

data/Dockerfiles/dockerapi/modules/DockerApi.py

@@ -358,8 +358,8 @@ class DockerApi:
         for line in cmd_response.split("\n"):
           if '$2$' in line:
             hash = line.strip()
-            hash_out = re.search('\$2\$.+$', hash).group(0)
-            rspamd_passphrase_hash = re.sub('[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
+            hash_out = re.search(r'\$2\$.+$', hash).group(0)
+            rspamd_passphrase_hash = re.sub(r'[^0-9a-zA-Z\$]+', '', hash_out.rstrip())
             rspamd_password_filename = "/etc/rspamd/override.d/worker-controller-password.inc"
             cmd = '''/bin/echo 'enable_password = "%s";' > %s && cat %s''' % (rspamd_passphrase_hash, rspamd_password_filename, rspamd_password_filename)
             cmd_response = self.exec_cmd_container(container, cmd, user="_rspamd")

data/Dockerfiles/dovecot/Dockerfile

@@ -1,11 +1,12 @@
-FROM alpine:3.19
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+FROM alpine:3.20
+
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.16
 
-ENV LANG C.UTF-8
-ENV LC_ALL C.UTF-8
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
 
 # Add groups and users before installing Dovecot to not break compatibility
 RUN addgroup -g 5000 vmail \
@@ -24,6 +25,7 @@ RUN addgroup -g 5000 vmail \
   envsubst \
   ca-certificates \
   curl \
+  coreutils \
   jq \
   lua \
   lua-cjson \
@@ -62,7 +64,7 @@ RUN addgroup -g 5000 vmail \
   perl-package-stash-xs \
   perl-par-packer \
   perl-parse-recdescent \
-  perl-lockfile-simple --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community/ \
+  perl-lockfile-simple \
   libproc \
   perl-readonly \
   perl-regexp-common \
@@ -104,13 +106,12 @@ RUN addgroup -g 5000 vmail \
   dovecot-pigeonhole-plugin \
   dovecot-pop3d \
   dovecot-fts-solr \
+  dovecot-fts-flatcurve \
   && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
   && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$arch" \
   && chmod +x /usr/local/bin/gosu \
   && gosu nobody true
 
-# RUN cpan LockFile::Simple
-
 COPY trim_logs.sh /usr/local/bin/trim_logs.sh
 COPY clean_q_aged.sh /usr/local/bin/clean_q_aged.sh
 COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
@@ -129,6 +130,7 @@ COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
 COPY quarantine_notify.py /usr/local/bin/quarantine_notify.py
 COPY quota_notify.py /usr/local/bin/quota_notify.py
 COPY repl_health.sh /usr/local/bin/repl_health.sh
+COPY optimize-fts.sh /usr/local/bin/optimize-fts.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/dovecot/docker-entrypoint.sh

@@ -2,7 +2,7 @@
 set -e
 
 # Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
   echo "Waiting for database to come up..."
   sleep 2
 done
@@ -29,6 +29,7 @@ ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
 # Create missing directories
 [[ ! -d /etc/dovecot/sql/ ]] && mkdir -p /etc/dovecot/sql/
 [[ ! -d /etc/dovecot/lua/ ]] && mkdir -p /etc/dovecot/lua/
+[[ ! -d /etc/dovecot/conf.d/ ]] && mkdir -p /etc/dovecot/conf.d/
 [[ ! -d /var/vmail/_garbage ]] && mkdir -p /var/vmail/_garbage
 [[ ! -d /var/vmail/sieve ]] && mkdir -p /var/vmail/sieve
 [[ ! -d /etc/sogo ]] && mkdir -p /etc/sogo
@@ -109,7 +110,14 @@ EOF
 
 echo -n ${ACL_ANYONE} > /etc/dovecot/acl_anyone
 
-if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY]) ]]; then
+echo -e "\e[33mActivating Flatcurve as FTS Backend...\e[0m"
+echo -e "\e[33mDepending on your previous setup a full reindex might be needed... \e[0m"
+echo -e "\e[34mVisit https://docs.mailcow.email/manual-guides/Dovecot/u_e-dovecot-fts/#fts-related-dovecot-commands to learn how to reindex\e[0m"
+echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins
+echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify mail_log fts fts_flatcurve listescape replication' > /etc/dovecot/mail_plugins_imap
+echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl fts fts_flatcurve notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
+elif [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
 echo -n 'quota acl zlib mail_crypt mail_crypt_acl mail_log notify listescape replication' > /etc/dovecot/mail_plugins
 echo -n 'quota imap_quota imap_acl acl zlib imap_zlib imap_sieve mail_crypt mail_crypt_acl notify listescape replication mail_log' > /etc/dovecot/mail_plugins_imap
 echo -n 'quota sieve acl zlib mail_crypt mail_crypt_acl notify listescape replication' > /etc/dovecot/mail_plugins_lmtp
@@ -239,6 +247,51 @@ function script_deinit()
 end
 EOF
 
+# Temporarily set FTS depending on user choice inside mailcow.conf. Will be removed as soon as Solr is dropped
+if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+cat <<EOF > /etc/dovecot/conf.d/fts.conf
+# Autogenerated by mailcow
+plugin {
+    fts_autoindex = yes
+    fts_autoindex_exclude = \Junk
+    fts_autoindex_exclude2 = \Trash
+    fts = flatcurve
+
+    # Maximum term length can be set via the 'maxlen' argument (maxlen is
+    # specified in bytes, not number of UTF-8 characters)
+    fts_tokenizer_email_address = maxlen=100
+    fts_tokenizer_generic = algorithm=simple maxlen=30
+
+    # These are not flatcurve settings, but required for Dovecot FTS. See
+    # Dovecot FTS Configuration link above for further information.
+    fts_languages = en es de
+    fts_tokenizers = generic email-address
+
+    # OPTIONAL: Recommended default FTS core configuration
+    fts_filters = normalizer-icu snowball stopwords
+    fts_filters_en = lowercase snowball english-possessive stopwords
+}
+EOF
+elif [[ ! "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+cat <<EOF > /etc/dovecot/conf.d/fts.conf
+# Autogenerated by mailcow
+plugin {
+  fts = solr
+  fts_autoindex = yes
+  fts_autoindex_exclude = \Junk
+  fts_autoindex_exclude2 = \Trash
+  fts_solr = url=http://solr:8983/solr/dovecot-fts/
+
+  fts_tokenizers = generic email-address
+  fts_tokenizer_generic = algorithm=simple
+
+  fts_filters = normalizer-icu snowball stopwords
+  fts_filters_en = lowercase snowball english-possessive stopwords
+}
+EOF
+fi
+
+
 # Replace patterns in app-passdb.lua
 sed -i "s/__DBUSER__/${DBUSER}/g" /etc/dovecot/lua/passwd-verify.lua
 sed -i "s/__DBPASS__/${DBPASS}/g" /etc/dovecot/lua/passwd-verify.lua
@@ -335,6 +388,14 @@ sys.exit()
 EOF
 fi
 
+# Set mail_replica for HA setups
+if [[ -n ${MAILCOW_REPLICA_IP} && -n ${DOVEADM_REPLICA_PORT} ]]; then
+  cat <<EOF > /etc/dovecot/mail_replica.conf
+# Autogenerated by mailcow
+mail_replica = tcp:${MAILCOW_REPLICA_IP}:${DOVEADM_REPLICA_PORT}
+EOF
+fi
+
 # 401 is user dovecot
 if [[ ! -s /mail_crypt/ecprivkey.pem || ! -s /mail_crypt/ecpubkey.pem ]]; then
 	openssl ecparam -name prime256v1 -genkey | openssl pkey -out /mail_crypt/ecprivkey.pem
@@ -350,14 +411,6 @@ sievec /var/vmail/sieve/global_sieve_after.sieve
 sievec /usr/lib/dovecot/sieve/report-spam.sieve
 sievec /usr/lib/dovecot/sieve/report-ham.sieve
 
-for file in /var/vmail/*/*/sieve/*.sieve ; do
-  if [[ "$file" == "/var/vmail/*/*/sieve/*.sieve" ]]; then
-    continue
-  fi
-  sievec "$file" "$(dirname "$file")/../.dovecot.svbin"
-  chown vmail:vmail "$(dirname "$file")/../.dovecot.svbin"
-done
-
 # Fix permissions
 chown root:root /etc/dovecot/sql/*.conf
 chown root:dovecot /etc/dovecot/sql/dovecot-dict-sql-sieve* /etc/dovecot/sql/dovecot-dict-sql-quota* /etc/dovecot/lua/passwd-verify.lua
@@ -378,7 +431,8 @@ chmod +x /usr/lib/dovecot/sieve/rspamd-pipe-ham \
   /usr/local/bin/maildir_gc.sh \
   /usr/local/sbin/stop-supervisor.sh \
   /usr/local/bin/quota_notify.py \
-  /usr/local/bin/repl_health.sh
+  /usr/local/bin/repl_health.sh \
+  /usr/local/bin/optimize-fts.sh
 
 # Prepare environment file for cronjobs
 printenv | sed 's/^\(.*\)$/export \1/g' > /source_env.sh

data/Dockerfiles/dovecot/optimize-fts.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ && ! "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+    exit 0
+else
+    doveadm fts optimize -A
+fi

data/Dockerfiles/dovecot/repl_health.sh

@@ -11,7 +11,7 @@ fi
 
 # Is replication active?
 # grep on file is less expensive than doveconf
-if ! grep -qi mail_replica /etc/dovecot/dovecot.conf; then
+if [ -n ${MAILCOW_REPLICA_IP} ]; then
   ${REDIS_CMDLINE} SET DOVECOT_REPL_HEALTH 1 > /dev/null
   exit
 fi

data/Dockerfiles/dovecot/rspamd-pipe-ham

@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
 
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnham
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnham
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
 
 exit 0

data/Dockerfiles/dovecot/rspamd-pipe-spam

@@ -3,8 +3,8 @@ FILE=/tmp/mail$$
 cat > $FILE
 trap "/bin/rm -f $FILE" 0 1 2 3 13 15
 
-cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzydel
-cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/learnspam
-cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/fuzzyadd
+cat ${FILE} | /usr/bin/curl -H "Flag: 13" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzydel
+cat ${FILE} | /usr/bin/curl -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/learnspam
+cat ${FILE} | /usr/bin/curl -H "Flag: 11" -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/fuzzyadd
 
 exit 0

data/Dockerfiles/dovecot/sa-rules.sh

@@ -11,21 +11,25 @@ else
 fi
 
 # Deploy
-curl --connect-timeout 15 --retry 10 --max-time 30 http://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz
-if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
-  tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
-  cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+if curl --connect-timeout 15 --retry 10 --max-time 30 https://www.spamassassin.heinlein-support.de/$(dig txt 1.4.3.spamassassin.heinlein-support.de +short | tr -d '"' | tr -dc '0-9').tar.gz --output /tmp/sa-rules-heinlein.tar.gz; then
+  if gzip -t /tmp/sa-rules-heinlein.tar.gz; then
+    tar xfvz /tmp/sa-rules-heinlein.tar.gz -C /tmp/sa-rules-heinlein
+    cat /tmp/sa-rules-heinlein/*cf > /etc/rspamd/custom/sa-rules
+  fi
+else
+  echo "Failed to download SA rules. Exiting."
+  exit 0 # Must be 0 otherwise dovecot would not start at all
 fi
 
 sed -i -e 's/\([^\\]\)\$\([^\/]\)/\1\\$\2/g' /etc/rspamd/custom/sa-rules
 
 if [[ "$(cat /etc/rspamd/custom/sa-rules | md5sum | cut -d' ' -f1)" != "${HASH_SA_RULES}" ]]; then
   CONTAINER_NAME=rspamd-mailcow
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | \
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | \
     jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | \
     jq -rc "select( .name | tostring | contains(\"${CONTAINER_NAME}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
   if [[ ! -z ${CONTAINER_ID} ]]; then
-    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi/containers/${CONTAINER_ID}/restart
+    curl --silent --insecure -XPOST --connect-timeout 15 --max-time 120 https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
   fi
 fi
 

data/Dockerfiles/dovecot/syslog-ng-redis_slave.conf

@@ -7,6 +7,7 @@ options {
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
   stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
 source s_dgram {

data/Dockerfiles/dovecot/syslog-ng.conf

@@ -7,6 +7,7 @@ options {
   use_fqdn(no);
   owner("root"); group("adm"); perm(0640);
   stats(freq(0));
+  keep_timestamp(no);
   bad_hostname("^gconfd$");
 };
 source s_dgram {

data/Dockerfiles/netfilter/Dockerfile

@@ -1,5 +1,6 @@
-FROM alpine:3.19
-LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+FROM alpine:3.20
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 WORKDIR /app
 

data/Dockerfiles/netfilter/main.py

@@ -21,28 +21,6 @@ from modules.IPTables import IPTables
 from modules.NFTables import NFTables
 
 
-# connect to redis
-while True:
-  try:
-    redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
-    redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
-    if "".__eq__(redis_slaveof_ip):
-      r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
-    else:
-      r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
-    r.ping()
-  except Exception as ex:
-    print('%s - trying again in 3 seconds'  % (ex))
-    time.sleep(3)
-  else:
-    break
-pubsub = r.pubsub()
-
-# rename fail2ban to netfilter
-if r.exists('F2B_LOG'):
-  r.rename('F2B_LOG', 'NETFILTER_LOG')
-
-
 # globals
 WHITELIST = []
 BLACKLIST= []
@@ -50,18 +28,10 @@ bans = {}
 quit_now = False
 exit_code = 0
 lock = Lock()
-
-
-# init Logger
-logger = Logger(r)
-# init backend
-backend = sys.argv[1]
-if backend == "nftables":
-  logger.logInfo('Using NFTables backend')
-  tables = NFTables("MAILCOW", logger)
-else:
-  logger.logInfo('Using IPTables backend')
-  tables = IPTables("MAILCOW", logger)
+chain_name = "MAILCOW"
+r = None
+pubsub = None
+clear_before_quit = False
 
 
 def refreshF2boptions():
@@ -110,16 +80,16 @@ def refreshF2bregex():
   global exit_code
   if not r.get('F2B_REGEX'):
     f2bregex = {}
-    f2bregex[1] = 'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
-    f2bregex[2] = 'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
-    f2bregex[3] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
-    f2bregex[4] = 'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
-    f2bregex[5] = 'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
-    f2bregex[6] = '-login: Disconnected.+ \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
-    f2bregex[7] = '-login: Aborted login.+ \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[8] = '-login: Aborted login.+ \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
-    f2bregex[9] = 'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
-    f2bregex[10] = '([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
+    f2bregex[1] = r'mailcow UI: Invalid password for .+ by ([0-9a-f\.:]+)'
+    f2bregex[2] = r'Rspamd UI: Invalid password by ([0-9a-f\.:]+)'
+    f2bregex[3] = r'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed: (?!.*Connection lost to authentication server).+'
+    f2bregex[4] = r'warning: non-SMTP command from .*\[([0-9a-f\.:]+)]:.+'
+    f2bregex[5] = r'NOQUEUE: reject: RCPT from \[([0-9a-f\.:]+)].+Protocol error.+'
+    f2bregex[6] = r'-login: Disconnected.+ \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
+    f2bregex[7] = r'-login: Aborted login.+ \(auth failed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
+    f2bregex[8] = r'-login: Aborted login.+ \(tried to use disallowed .+\): user=.+, rip=([0-9a-f\.:]+), lip.+'
+    f2bregex[9] = r'SOGo.+ Login from \'([0-9a-f\.:]+)\' for user .+ might not have worked'
+    f2bregex[10] = r'([0-9a-f\.:]+) \"GET \/SOGo\/.* HTTP.+\" 403 .+'
     r.set('F2B_REGEX', json.dumps(f2bregex, ensure_ascii=False))
   else:
     try:
@@ -144,8 +114,6 @@ def ban(address):
   global lock
 
   refreshF2boptions()
-  BAN_TIME = int(f2boptions['ban_time'])
-  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
   MAX_ATTEMPTS = int(f2boptions['max_attempts'])
   RETRY_WINDOW = int(f2boptions['retry_window'])
   NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])
@@ -180,7 +148,7 @@ def ban(address):
 
   if bans[net]['attempts'] >= MAX_ATTEMPTS:
     cur_time = int(round(time.time()))
-    NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
+    NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
     logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))
     if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:
       with lock:
@@ -250,17 +218,21 @@ def clear():
   with lock:
     tables.clearIPv4Table()
     tables.clearIPv6Table()
-    r.delete('F2B_ACTIVE_BANS')
-    r.delete('F2B_PERM_BANS')
-    pubsub.unsubscribe()
+    try:
+      if r is not None:
+        r.delete('F2B_ACTIVE_BANS')
+        r.delete('F2B_PERM_BANS')
+    except Exception as ex:
+      logger.logWarn('Error clearing redis keys F2B_ACTIVE_BANS and F2B_PERM_BANS: %s' % ex)
 
 def watch():
-  logger.logInfo('Watching Redis channel F2B_CHANNEL')
-  pubsub.subscribe('F2B_CHANNEL')
-
+  global pubsub
   global quit_now
   global exit_code
 
+  logger.logInfo('Watching Redis channel F2B_CHANNEL')
+  pubsub.subscribe('F2B_CHANNEL')
+
   while not quit_now:
     try:
       for item in pubsub.listen():
@@ -280,6 +252,7 @@ def watch():
               ban(addr)
     except Exception as ex:
       logger.logWarn('Error reading log line from pubsub: %s' % ex)
+      pubsub = None
       quit_now = True
       exit_code = 2
 
@@ -302,12 +275,11 @@ def snat6(snat_target):
       tables.snat6(snat_target, os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64'))
 
 def autopurge():
+  global f2boptions
+
   while not quit_now:
     time.sleep(10)
     refreshF2boptions()
-    BAN_TIME = int(f2boptions['ban_time'])
-    MAX_BAN_TIME = int(f2boptions['max_ban_time'])
-    BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
     MAX_ATTEMPTS = int(f2boptions['max_attempts'])
     QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')
     if QUEUE_UNBAN:
@@ -315,9 +287,9 @@ def autopurge():
         unban(str(net))
     for net in bans.copy():
       if bans[net]['attempts'] >= MAX_ATTEMPTS:
-        NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']
+        NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])
         TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']
-        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME or TIME_SINCE_LAST_ATTEMPT > MAX_BAN_TIME:
+        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME:
           unban(net)
 
 def mailcowChainOrder():
@@ -331,6 +303,16 @@ def mailcowChainOrder():
       if quit_now: return
       quit_now, exit_code = tables.checkIPv6ChainOrder()
 
+def calcNetBanTime(ban_counter):
+  global f2boptions
+
+  BAN_TIME = int(f2boptions['ban_time'])
+  MAX_BAN_TIME = int(f2boptions['max_ban_time'])
+  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])
+  NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** ban_counter
+  NET_BAN_TIME = max([BAN_TIME, min([NET_BAN_TIME, MAX_BAN_TIME])])
+  return NET_BAN_TIME
+
 def isIpNetwork(address):
   try:
     ipaddress.ip_network(address, False)
@@ -403,21 +385,76 @@ def blacklistUpdate():
           permBan(net=net, unban=True)
     time.sleep(60.0 - ((time.time() - start_time) % 60.0))
 
-def quit(signum, frame):
-  global quit_now
-  quit_now = True
+def sigterm_quit(signum, frame):
+  global clear_before_quit
+  clear_before_quit = True
+  sys.exit(exit_code)
+
+def berfore_quit():
+  if clear_before_quit:
+    clear()
+  if pubsub is not None:
+    pubsub.unsubscribe()
 
 
 if __name__ == '__main__':
-  refreshF2boptions()
+  atexit.register(berfore_quit)
+  signal.signal(signal.SIGTERM, sigterm_quit)
+
+  # init Logger
+  logger = Logger()
+
+  # init backend
+  backend = sys.argv[1]
+  if backend == "nftables":
+    logger.logInfo('Using NFTables backend')
+    tables = NFTables(chain_name, logger)
+  else:
+    logger.logInfo('Using IPTables backend')
+    tables = IPTables(chain_name, logger)
+
   # In case a previous session was killed without cleanup
   clear()
+
   # Reinit MAILCOW chain
   # Is called before threads start, no locking
   logger.logInfo("Initializing mailcow netfilter chain")
   tables.initChainIPv4()
   tables.initChainIPv6()
 
+  if os.getenv("DISABLE_NETFILTER_ISOLATION_RULE").lower() in ("y", "yes"):
+    logger.logInfo(f"Skipping {chain_name} isolation")
+  else:
+    logger.logInfo(f"Setting {chain_name} isolation")
+    tables.create_mailcow_isolation_rule("br-mailcow", [3306, 6379, 8983, 12345], os.getenv("MAILCOW_REPLICA_IP"))
+
+  # connect to redis
+  while True:
+    try:
+      redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
+      redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
+      if "".__eq__(redis_slaveof_ip):
+        r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
+      else:
+        r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
+      r.ping()
+      pubsub = r.pubsub()
+    except Exception as ex:
+      print('%s - trying again in 3 seconds'  % (ex))
+      time.sleep(3)
+    else:
+      break
+  logger.set_redis(r)
+
+  # rename fail2ban to netfilter
+  if r.exists('F2B_LOG'):
+    r.rename('F2B_LOG', 'NETFILTER_LOG')
+  # clear bans in redis
+  r.delete('F2B_ACTIVE_BANS')
+  r.delete('F2B_PERM_BANS')
+  
+  refreshF2boptions()
+
   watch_thread = Thread(target=watch)
   watch_thread.daemon = True
   watch_thread.start()
@@ -460,9 +497,6 @@ if __name__ == '__main__':
   whitelistupdate_thread.daemon = True
   whitelistupdate_thread.start()
 
-  signal.signal(signal.SIGTERM, quit)
-  atexit.register(clear)
-
   while not quit_now:
     time.sleep(0.5)
 

data/Dockerfiles/netfilter/modules/IPTables.py

@@ -1,5 +1,6 @@
 import iptc
 import time
+import os
 
 class IPTables:
   def __init__(self, chain_name, logger):
@@ -211,3 +212,41 @@ class IPTables:
     target = rule.create_target("SNAT")
     target.to_source = snat_target
     return rule
+
+  def create_mailcow_isolation_rule(self, _interface:str, _dports:list, _allow:str = ""):
+    try:
+      chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), self.chain_name)
+
+      # insert mailcow isolation rule
+      rule = iptc.Rule()
+      rule.in_interface = f'!{_interface}'
+      rule.out_interface = _interface
+      rule.protocol = 'tcp'
+      rule.create_target("DROP")
+      match = rule.create_match("multiport")
+      match.dports = ','.join(map(str, _dports))
+
+      if rule in chain.rules:
+        chain.delete_rule(rule)
+      chain.insert_rule(rule, position=0)
+
+      # insert mailcow isolation exception rule
+      if _allow != "":
+        rule = iptc.Rule()
+        rule.src = _allow
+        rule.in_interface = f'!{_interface}'
+        rule.out_interface = _interface
+        rule.protocol = 'tcp'
+        rule.create_target("ACCEPT")
+        match = rule.create_match("multiport")
+        match.dports = ','.join(map(str, _dports))
+
+        if rule in chain.rules:
+          chain.delete_rule(rule)
+        chain.insert_rule(rule, position=0)
+
+
+      return True
+    except Exception as e:
+      self.logger.logCrit(f"Error adding {self.chain_name} isolation: {e}")
+      return False

data/Dockerfiles/netfilter/modules/Logger.py

@@ -2,7 +2,10 @@ import time
 import json
 
 class Logger:
-  def __init__(self, redis):
+  def __init__(self):
+    self.r = None
+
+  def set_redis(self, redis):
     self.r = redis
 
   def log(self, priority, message):
@@ -10,8 +13,12 @@ class Logger:
     tolog['time'] = int(round(time.time()))
     tolog['priority'] = priority
     tolog['message'] = message
-    self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
     print(message)
+    if self.r is not None:
+      try:
+        self.r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
+      except Exception as ex:
+        print('Failed logging to redis: %s'  % (ex))
 
   def logWarn(self, message):
     self.log('warn', message)

data/Dockerfiles/netfilter/modules/NFTables.py

@@ -1,5 +1,6 @@
 import nftables
 import ipaddress
+import os
 
 class NFTables:
   def __init__(self, chain_name, logger):
@@ -40,6 +41,7 @@ class NFTables:
         exit_code = 2
 
       if chain_position > 0:
+        chain_position += 1
         self.logger.logCrit(f'MAILCOW target is in position {chain_position} in the {filter_table} {chain} table, restarting container to fix it...')
         err = True
         exit_code = 2
@@ -266,6 +268,17 @@ class NFTables:
 
     return self.nft_exec_dict(delete_command)
 
+  def delete_filter_rule(self, _family:str, _chain: str, _handle:str):
+    delete_command = self.get_base_dict()
+    _rule_opts = {'family': _family,
+                  'table': 'filter',
+                  'chain': _chain,
+                  'handle': _handle  }
+    _delete = {'delete': {'rule': _rule_opts} }
+    delete_command["nftables"].append(_delete)
+
+    return self.nft_exec_dict(delete_command)
+
   def snat_rule(self, _family: str, snat_target: str, source_address: str):
     chain_name = self.nft_chain_names[_family]['nat']['postrouting']
 
@@ -297,8 +310,8 @@ class NFTables:
       rule_handle = rule["handle"]
       break
 
-    dest_net = ipaddress.ip_network(source_address)
-    target_net = ipaddress.ip_network(snat_target)
+    dest_net = ipaddress.ip_network(source_address, strict=False)
+    target_net = ipaddress.ip_network(snat_target, strict=False)
 
     if rule_found:
       saddr_ip = rule["expr"][0]["match"]["right"]["prefix"]["addr"]
@@ -309,9 +322,9 @@ class NFTables:
 
       target_ip = rule["expr"][3]["snat"]["addr"]
 
-      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len))
-      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len))
-      current_target_net = ipaddress.ip_network(target_ip)
+      saddr_net = ipaddress.ip_network(saddr_ip + '/' + str(saddr_len), strict=False)
+      daddr_net = ipaddress.ip_network(daddr_ip + '/' + str(daddr_len), strict=False)
+      current_target_net = ipaddress.ip_network(target_ip, strict=False)
 
       match = all((
                 dest_net == saddr_net,
@@ -381,7 +394,7 @@ class NFTables:
           break
     return chain_handle
 
-  def get_rules_handle(self, _family: str, _table: str, chain_name: str):
+  def get_rules_handle(self, _family: str, _table: str, chain_name: str, _comment_filter = "mailcow"):
     rule_handle = []
     # Command: 'nft list chain {family} {table} {chain_name}'
     _chain_opts = {'family': _family, 'table': _table, 'name': chain_name}
@@ -397,7 +410,7 @@ class NFTables:
 
         rule = _object["rule"]
         if rule["family"] == _family and rule["table"] == _table and rule["chain"] == chain_name:
-          if rule.get("comment") and rule["comment"] == "mailcow":
+          if rule.get("comment") and rule["comment"] == _comment_filter:
             rule_handle.append(rule["handle"])
     return rule_handle
 
@@ -405,7 +418,7 @@ class NFTables:
     json_command = self.get_base_dict()
 
     expr_opt = []
-    ipaddr_net = ipaddress.ip_network(ipaddr)
+    ipaddr_net = ipaddress.ip_network(ipaddr, strict=False)
     right_dict = {'prefix': {'addr': str(ipaddr_net.network_address), 'len': int(ipaddr_net.prefixlen) } }
 
     left_dict = {'payload': {'protocol': _family, 'field': 'saddr'} }
@@ -439,6 +452,8 @@ class NFTables:
           continue
 
         rule = _object["rule"]["expr"][0]["match"]
+        if not "payload" in rule["left"]:
+          continue
         left_opt = rule["left"]["payload"]
         if not left_opt["protocol"] == _family:
           continue
@@ -454,7 +469,7 @@ class NFTables:
         current_rule_net = ipaddress.ip_network(current_rule_ip)
 
         # ip to ban
-        candidate_net = ipaddress.ip_network(ipaddr)
+        candidate_net = ipaddress.ip_network(ipaddr, strict=False)
 
         if current_rule_net == candidate_net:
           rule_handle = _object["rule"]["handle"]
@@ -493,3 +508,152 @@ class NFTables:
         position+=1
 
     return position if rule_found else False
+
+  def create_mailcow_isolation_rule(self, _interface:str, _dports:list, _allow:str = ""):
+    family = "ip"
+    table = "filter"
+    comment_filter_drop = "mailcow isolation"
+    comment_filter_allow = "mailcow isolation allow"
+    json_command = self.get_base_dict()
+
+    # Delete old mailcow isolation rules
+    handles = self.get_rules_handle(family, table, self.chain_name, comment_filter_drop)
+    for handle in handles:
+      self.delete_filter_rule(family, self.chain_name, handle)
+    handles = self.get_rules_handle(family, table, self.chain_name, comment_filter_allow)
+    for handle in handles:
+      self.delete_filter_rule(family, self.chain_name, handle)
+
+    # insert mailcow isolation rule
+    _match_dict_drop = [
+      {
+        "match": {
+          "op": "!=",
+          "left": {
+            "meta": {
+              "key": "iifname"
+            }
+          },
+          "right": _interface
+        }
+      },
+      {
+        "match": {
+          "op": "==",
+          "left": {
+            "meta": {
+              "key": "oifname"
+            }
+          },
+          "right": _interface
+        }
+      },
+      {
+        "match": {
+          "op": "==",
+          "left": {
+            "payload": {
+              "protocol": "tcp",
+              "field": "dport"
+            }
+          },
+          "right": {
+            "set": _dports
+          }
+        }
+      },
+      {
+        "counter": {
+          "packets": 0,
+          "bytes": 0
+        }
+      },
+      {
+        "drop": None
+      }
+    ]
+    rule_drop = { "insert": { "rule": {
+      "family": family,
+      "table": table,
+      "chain": self.chain_name,
+      "comment": comment_filter_drop,
+      "expr": _match_dict_drop
+    }}}
+    json_command["nftables"].append(rule_drop)
+
+    # insert mailcow isolation allow rule
+    if _allow != "":
+      _match_dict_allow = [
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "payload": {
+                "protocol": "ip",
+                "field": "saddr"
+              }
+            },
+            "right": _allow
+          }
+        },
+        {
+          "match": {
+            "op": "!=",
+            "left": {
+              "meta": {
+                "key": "iifname"
+              }
+            },
+            "right": _interface
+          }
+        },
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "meta": {
+                "key": "oifname"
+              }
+            },
+            "right": _interface
+          }
+        },
+        {
+          "match": {
+            "op": "==",
+            "left": {
+              "payload": {
+                "protocol": "tcp",
+                "field": "dport"
+              }
+            },
+            "right": {
+              "set": _dports
+            }
+          }
+        },
+        {
+          "counter": {
+            "packets": 0,
+            "bytes": 0
+          }
+        },
+        {
+          "accept": None
+        }
+      ]
+      rule_allow = { "insert": { "rule": {
+        "family": family,
+        "table": table,
+        "chain": self.chain_name,
+        "comment": comment_filter_allow,
+        "expr": _match_dict_allow
+      }}}
+      json_command["nftables"].append(rule_allow)
+
+    success = self.nft_exec_dict(json_command)
+    if success == False:
+      self.logger.logCrit(f"Error adding {self.chain_name} isolation")
+      return False
+
+    return True

data/Dockerfiles/olefy/Dockerfile

@@ -1,5 +1,6 @@
-FROM alpine:3.19
-LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+FROM alpine:3.20
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG PIP_BREAK_SYSTEM_PACKAGES=1
 WORKDIR /app

data/Dockerfiles/phpfpm/Dockerfile

@@ -1,5 +1,6 @@
-FROM php:8.2-fpm-alpine3.19
-LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+FROM php:8.2-fpm-alpine3.18
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 # renovate: datasource=github-tags depName=krakjoe/apcu versioning=semver-coerced extractVersion=^v(?<version>.*)$
 ARG APCU_PECL_VERSION=5.1.23

data/Dockerfiles/phpfpm/docker-entrypoint.sh

@@ -3,7 +3,7 @@
 function array_by_comma { local IFS=","; echo "$*"; }
 
 # Wait for containers
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
   echo "Waiting for SQL..."
   sleep 2
 done
@@ -23,7 +23,8 @@ done
 # Check mysql_upgrade (master and slave)
 CONTAINER_ID=
 until [[ ! -z "${CONTAINER_ID}" ]] && [[ "${CONTAINER_ID}" =~ ^[[:alnum:]]*$ ]]; do
-  CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"mysql-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  echo "Could not get mysql-mailcow container id... trying again"
   sleep 2
 done
 echo "MySQL @ ${CONTAINER_ID}"
@@ -34,7 +35,7 @@ until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
     echo "Tried to upgrade MySQL and failed, giving up after ${SQL_LOOP_C} retries and starting container (oops, not good)"
     break
   fi
-  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
+  SQL_FULL_UPGRADE_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_upgrade"}' --silent -H 'Content-type: application/json')
   SQL_UPGRADE_STATUS=$(echo ${SQL_FULL_UPGRADE_RETURN} | jq -r .type)
   SQL_LOOP_C=$((SQL_LOOP_C+1))
   echo "SQL upgrade iteration #${SQL_LOOP_C}"
@@ -43,7 +44,7 @@ until [[ ${SQL_UPGRADE_STATUS} == 'success' ]]; do
     echo "MySQL applied an upgrade, debug output:"
     echo ${SQL_FULL_UPGRADE_RETURN}
     sleep 3
-    while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+    while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
       echo "Waiting for SQL to return, please wait"
       sleep 2
     done
@@ -59,12 +60,12 @@ done
 
 # doing post-installation stuff, if SQL was upgraded (master and slave)
 if [ ${SQL_CHANGED} -eq 1 ]; then
-  POSTFIX=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
+  POSTFIX=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" 2> /dev/null | jq -rc "select( .name | tostring | contains(\"postfix-mailcow\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id" 2> /dev/null)
   if [[ -z "${POSTFIX}" ]] || ! [[ "${POSTFIX}" =~ ^[[:alnum:]]*$ ]]; then
     echo "Could not determine Postfix container ID, skipping Postfix restart."
   else
     echo "Restarting Postfix"
-    curl -X POST --silent --insecure https://dockerapi/containers/${POSTFIX}/restart | jq -r '.msg'
+    curl -X POST --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${POSTFIX}/restart | jq -r '.msg'
     echo "Sleeping 5 seconds..."
     sleep 5
   fi
@@ -73,7 +74,7 @@ fi
 # Check mysql tz import (master and slave)
 TZ_CHECK=$(mysql --socket=/var/run/mysqld/mysqld.sock -u ${DBUSER} -p${DBPASS} ${DBNAME} -e "SELECT CONVERT_TZ('2019-11-02 23:33:00','Europe/Berlin','UTC') AS time;" -BN 2> /dev/null)
 if [[ -z ${TZ_CHECK} ]] || [[ "${TZ_CHECK}" == "NULL" ]]; then
-  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
+  SQL_FULL_TZINFO_IMPORT_RETURN=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/exec -d '{"cmd":"system", "task":"mysql_tzinfo_to_sql"}' --silent -H 'Content-type: application/json')
   echo "MySQL mysql_tzinfo_to_sql - debug output:"
   echo ${SQL_FULL_TZINFO_IMPORT_RETURN}
 fi

data/Dockerfiles/postfix/Dockerfile

@@ -1,5 +1,6 @@
-FROM debian:bullseye-slim
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+FROM debian:bookworm-slim
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
 ENV LC_ALL C
@@ -59,4 +60,4 @@ EXPOSE 588
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/postfix/postfix.sh

@@ -5,7 +5,7 @@ trap "postfix stop" EXIT
 [[ ! -d /opt/postfix/conf/sql/ ]] && mkdir -p /opt/postfix/conf/sql/
 
 # Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
   echo "Waiting for database to come up..."
   sleep 2
 done
@@ -415,12 +415,6 @@ postscreen_dnsbl_sites = wl.mailspike.net=127.0.0.[18;19;20]*-2
   b.barracudacentral.org=127.0.0.2*7
   bl.mailspike.net=127.0.0.2*5
   bl.mailspike.net=127.0.0.[10;11;12]*4
-  dnsbl.sorbs.net=127.0.0.10*8
-  dnsbl.sorbs.net=127.0.0.5*6
-  dnsbl.sorbs.net=127.0.0.7*3
-  dnsbl.sorbs.net=127.0.0.8*2
-  dnsbl.sorbs.net=127.0.0.6*2
-  dnsbl.sorbs.net=127.0.0.9*2
 EOF
 fi
 DNSBL_CONFIG=$(grep -v '^#' /opt/postfix/conf/dns_blocklists.cf | grep '\S')

data/Dockerfiles/postfix/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/postfix/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/rspamd/Dockerfile

@@ -1,9 +1,10 @@
-FROM debian:bullseye-slim
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+FROM debian:bookworm-slim
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG CODENAME=bullseye
-ENV LC_ALL C
+ARG RSPAMD_VER=rspamd_3.9.1-1~82f43560f
+ARG CODENAME=bookworm
+ENV LC_ALL=C
 
 RUN apt-get update && apt-get install -y \
   tzdata \
@@ -11,12 +12,16 @@ RUN apt-get update && apt-get install -y \
   gnupg2 \
   apt-transport-https \
   dnsutils \
-  netcat \
-  && apt-key adv --fetch-keys https://rspamd.com/apt-stable/gpg.key \
-  && echo "deb https://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list \
-  && apt-get update \
-  && apt-get --no-install-recommends -y install rspamd redis-tools procps nano \
-  && rm -rf /var/lib/apt/lists/* \
+  netcat-traditional \
+  wget \
+  redis-tools \ 
+  procps \ 
+  nano \
+  lua-cjson \
+  && arch=$(arch | sed s/aarch64/arm64/ | sed s/x86_64/amd64/) \
+  && wget -P /tmp https://rspamd.com/apt-stable/pool/main/r/rspamd/${RSPAMD_VER}~${CODENAME}_${arch}.deb\
+  && apt install -y /tmp/${RSPAMD_VER}~${CODENAME}_${arch}.deb \
+  && rm -rf /var/lib/apt/lists/* /tmp/*\
   && apt-get autoremove --purge \
   && apt-get clean \
   && mkdir -p /run/rspamd \
@@ -25,7 +30,6 @@ RUN apt-get update && apt-get install -y \
   && sed -i 's/#analysis_keyword_table > 0/analysis_cat_table.macro_exist == "M"/g' /usr/share/rspamd/lualib/lua_scanners/oletools.lua
 
 COPY settings.conf /etc/rspamd/settings.conf
-COPY metadata_exporter.lua /usr/share/rspamd/plugins/metadata_exporter.lua
 COPY set_worker_password.sh /set_worker_password.sh
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 

data/Dockerfiles/rspamd/docker-entrypoint.sh

@@ -124,4 +124,190 @@ for file in /hooks/*; do
   fi
 done
 
+# If DQS KEY is set in mailcow.conf add Spamhaus DQS RBLs
+if [[ ! -z ${SPAMHAUS_DQS_KEY} ]]; then
+    cat <<EOF > /etc/rspamd/custom/dqs-rbl.conf
+  # Autogenerated by mailcow. DO NOT TOUCH!
+    spamhaus {
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        from = false;
+    }
+    spamhaus_from {
+        from = true;
+        received = false;
+        rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+        returncodes {
+          SPAMHAUS_ZEN = [ "127.0.0.2", "127.0.0.3", "127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7", "127.0.0.9", "127.0.0.10", "127.0.0.11" ];
+        }
+    }
+    spamhaus_authbl_received {
+        # Check if the sender client is listed in AuthBL (AuthBL is *not* part of ZEN)
+        rbl = "${SPAMHAUS_DQS_KEY}.authbl.dq.spamhaus.net";
+        from = false;
+        received = true;
+        ipv6 = true;
+        returncodes {
+          SH_AUTHBL_RECEIVED = "127.0.0.20"
+        }
+    }
+    spamhaus_dbl {
+        # Add checks on the HELO string
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_DBL_SPAM = "127.0.1.2";
+            RBL_DBL_PHISH = "127.0.1.4";
+            RBL_DBL_MALWARE = "127.0.1.5";
+            RBL_DBL_BOTNET = "127.0.1.6";
+            RBL_DBL_ABUSED_SPAM = "127.0.1.102";
+            RBL_DBL_ABUSED_PHISH = "127.0.1.104";
+            RBL_DBL_ABUSED_MALWARE = "127.0.1.105";
+            RBL_DBL_ABUSED_BOTNET = "127.0.1.106";
+            RBL_DBL_DONT_QUERY_IPS = "127.0.1.255";
+        }
+    }
+    spamhaus_dbl_fullurls {
+        ignore_defaults = true;
+        no_ip = true;
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        selector = 'urls:get_host'
+        disable_monitoring = true;
+        returncodes {
+            DBLABUSED_SPAM_FULLURLS = "127.0.1.102";
+            DBLABUSED_PHISH_FULLURLS = "127.0.1.104";
+            DBLABUSED_MALWARE_FULLURLS = "127.0.1.105";
+            DBLABUSED_BOTNET_FULLURLS = "127.0.1.106";
+        }
+    }
+    spamhaus_zrd {
+        # Add checks on the HELO string also for DQS
+        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+        helo = true;
+        rdns = true;
+        dkim = true;
+        disable_monitoring = true;
+        returncodes {
+            RBL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+            RBL_ZRD_FRESH_DOMAIN = [
+              "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+            ];
+            RBL_ZRD_DONT_QUERY_IPS = "127.0.2.255";
+        }
+    }
+    "SPAMHAUS_ZEN_URIBL" {
+      enabled = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zen.dq.spamhaus.net";
+      resolve_ip = true;
+      checks = ['urls'];
+      replyto = true;
+      emails = true;
+      ipv4 = true;
+      ipv6 = true;
+      emails_domainonly = true;
+      returncodes {
+        URIBL_SBL = "127.0.0.2";
+        URIBL_SBL_CSS = "127.0.0.3";
+        URIBL_XBL = ["127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"];
+        URIBL_PBL = ["127.0.0.10", "127.0.0.11"];
+        URIBL_DROP = "127.0.0.9";
+      }
+    }
+    SH_EMAIL_DBL {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+      returncodes = {
+        SH_EMAIL_DBL = [
+          "127.0.1.2",
+          "127.0.1.4",
+          "127.0.1.5",
+          "127.0.1.6"
+        ];
+        SH_EMAIL_DBL_ABUSED = [
+          "127.0.1.102",
+          "127.0.1.104",
+          "127.0.1.105",
+          "127.0.1.106"
+        ];
+        SH_EMAIL_DBL_DONT_QUERY_IPS = [ "127.0.1.255" ];
+      }
+    }
+    SH_EMAIL_ZRD {
+      ignore_defaults = true;
+      replyto = true;
+      emails_domainonly = true;
+      disable_monitoring = true;
+      rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+      returncodes = {
+        SH_EMAIL_ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+        SH_EMAIL_ZRD_FRESH_DOMAIN = [
+          "127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"
+        ];
+        SH_EMAIL_ZRD_DONT_QUERY_IPS = [ "127.0.2.255" ];
+      }
+    }
+    "DBL" {
+        # override the defaults for DBL defined in modules.d/rbl.conf
+        rbl = "${SPAMHAUS_DQS_KEY}.dbl.dq.spamhaus.net";
+        disable_monitoring = true;
+    }
+    "ZRD" {
+        ignore_defaults = true;
+        rbl = "${SPAMHAUS_DQS_KEY}.zrd.dq.spamhaus.net";
+        no_ip = true;
+        dkim = true;
+        emails = true;
+        emails_domainonly = true;
+        urls = true;
+        returncodes = {
+            ZRD_VERY_FRESH_DOMAIN = ["127.0.2.2", "127.0.2.3", "127.0.2.4"];
+            ZRD_FRESH_DOMAIN = ["127.0.2.5", "127.0.2.6", "127.0.2.7", "127.0.2.8", "127.0.2.9", "127.0.2.10", "127.0.2.11", "127.0.2.12", "127.0.2.13", "127.0.2.14", "127.0.2.15", "127.0.2.16", "127.0.2.17", "127.0.2.18", "127.0.2.19", "127.0.2.20", "127.0.2.21", "127.0.2.22", "127.0.2.23", "127.0.2.24"];
+        }
+    }
+    spamhaus_sbl_url {
+        ignore_defaults = true
+        rbl = "${SPAMHAUS_DQS_KEY}.sbl.dq.spamhaus.net";
+        checks = ['urls'];
+        disable_monitoring = true;
+        returncodes {
+            SPAMHAUS_SBL_URL = "127.0.0.2";
+        }
+    }
+
+    SH_HBL_EMAIL {
+      ignore_defaults = true;
+      rbl = "_email.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net";
+      emails_domainonly = false;
+      selector = "from('smtp').lower;from('mime').lower";
+      ignore_whitelist = true;
+      checks = ['emails', 'replyto'];
+      hash = "sha1";
+      returncodes = {
+        SH_HBL_EMAIL = [
+          "127.0.3.2"
+        ];
+      }
+    }
+
+    spamhaus_dqs_hbl {
+      symbol = "HBL_FILE_UNKNOWN";
+      rbl = "_file.${SPAMHAUS_DQS_KEY}.hbl.dq.spamhaus.net.";
+      selector = "attachments('rbase32', 'sha256')";
+      ignore_whitelist = true;
+      ignore_defaults = true;
+      returncodes {
+        SH_HBL_FILE_MALICIOUS = "127.0.3.10";
+        SH_HBL_FILE_SUSPICIOUS = "127.0.3.15";
+      }
+    }
+EOF
+else
+  rm -rf /etc/rspamd/custom/dqs-rbl.conf
+fi
+
 exec "$@"

data/Dockerfiles/rspamd/metadata_exporter.lua

@@ -1,632 +0,0 @@
---[[
-Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>
-Copyright (c) 2016, Vsevolod Stakhov <vsevolod@highsecure.ru>
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-]]--
-
-if confighelp then
-  return
-end
-
--- A plugin that pushes metadata (or whole messages) to external services
-
-local redis_params
-local lua_util = require "lua_util"
-local rspamd_http = require "rspamd_http"
-local rspamd_util = require "rspamd_util"
-local rspamd_logger = require "rspamd_logger"
-local ucl = require "ucl"
-local E = {}
-local N = 'metadata_exporter'
-
-local settings = {
-  pusher_enabled = {},
-  pusher_format = {},
-  pusher_select = {},
-  mime_type = 'text/plain',
-  defer = false,
-  mail_from = '',
-  mail_to = 'postmaster@localhost',
-  helo = 'rspamd',
-  email_template = [[From: "Rspamd" <$mail_from>
-To: $mail_to
-Subject: Spam alert
-Date: $date
-MIME-Version: 1.0
-Message-ID: <$our_message_id>
-Content-type: text/plain; charset=utf-8
-Content-Transfer-Encoding: 8bit
-
-Authenticated username: $user
-IP: $ip
-Queue ID: $qid
-SMTP FROM: $from
-SMTP RCPT: $rcpt
-MIME From: $header_from
-MIME To: $header_to
-MIME Date: $header_date
-Subject: $header_subject
-Message-ID: $message_id
-Action: $action
-Score: $score
-Symbols: $symbols]],
-}
-
-local function get_general_metadata(task, flatten, no_content)
-  local r = {}
-  local ip = task:get_from_ip()
-  if ip and ip:is_valid() then
-    r.ip = tostring(ip)
-  else
-    r.ip = 'unknown'
-  end
-  r.user = task:get_user() or 'unknown'
-  r.qid = task:get_queue_id() or 'unknown'
-  r.subject = task:get_subject() or 'unknown'
-  r.action = task:get_metric_action('default')
-
-  local s = task:get_metric_score('default')[1]
-  r.score = flatten and string.format('%.2f', s) or s
-
-  local fuzzy = task:get_mempool():get_variable("fuzzy_hashes", "fstrings")
-  if fuzzy and #fuzzy > 0 then
-    local fz = {}
-    for _,h in ipairs(fuzzy) do
-      table.insert(fz, h)
-    end
-    if not flatten then
-      r.fuzzy = fz
-    else
-      r.fuzzy = table.concat(fz, ', ')
-    end
-  else
-    r.fuzzy = 'unknown'
-  end
-
-  local rcpt = task:get_recipients('smtp')
-  if rcpt then
-    local l = {}
-    for _, a in ipairs(rcpt) do
-      table.insert(l, a['addr'])
-    end
-    if not flatten then
-      r.rcpt = l
-    else
-      r.rcpt = table.concat(l, ', ')
-    end
-  else
-    r.rcpt = 'unknown'
-  end
-  local from = task:get_from('smtp')
-  if ((from or E)[1] or E).addr then
-    r.from = from[1].addr
-  else
-    r.from = 'unknown'
-  end
-  local syminf = task:get_symbols_all()
-  if flatten then
-    local l = {}
-    for _, sym in ipairs(syminf) do
-      local txt
-      if sym.options then
-        local topt = table.concat(sym.options, ', ')
-        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')' .. ' [' .. topt .. ']'
-      else
-        txt = sym.name .. '(' .. string.format('%.2f', sym.score) .. ')'
-      end
-      table.insert(l, txt)
-    end
-    r.symbols = table.concat(l, '\n\t')
-  else
-    r.symbols = syminf
-  end
-  local function process_header(name)
-    local hdr = task:get_header_full(name)
-    if hdr then
-      local l = {}
-      for _, h in ipairs(hdr) do
-        table.insert(l, h.decoded)
-      end
-      if not flatten then
-        return l
-      else
-        return table.concat(l, '\n')
-      end
-    else
-      return 'unknown'
-    end
-  end
-  if not no_content then
-    r.header_from = process_header('from')
-    r.header_to = process_header('to')
-    r.header_subject = process_header('subject')
-    r.header_date = process_header('date')
-    r.message_id = task:get_message_id()
-  end
-  return r
-end
-
-local formatters = {
-  default = function(task)
-    return task:get_content(), {}
-  end,
-  email_alert = function(task, rule, extra)
-    local meta = get_general_metadata(task, true)
-    local display_emails = {}
-    local mail_targets = {}
-    meta.mail_from = rule.mail_from or settings.mail_from
-    local mail_rcpt = rule.mail_to or settings.mail_to
-    if type(mail_rcpt) ~= 'table' then
-      table.insert(display_emails, string.format('<%s>', mail_rcpt))
-      table.insert(mail_targets, mail_rcpt)
-    else
-      for _, e in ipairs(mail_rcpt) do
-        table.insert(display_emails, string.format('<%s>', e))
-        table.insert(mail_targets, mail_rcpt)
-      end
-    end
-    if rule.email_alert_sender then
-      local x = task:get_from('smtp')
-      if x and string.len(x[1].addr) > 0 then
-        table.insert(mail_targets, x)
-        table.insert(display_emails, string.format('<%s>', x[1].addr))
-      end
-    end
-    if rule.email_alert_user then
-      local x = task:get_user()
-      if x then
-        table.insert(mail_targets, x)
-        table.insert(display_emails, string.format('<%s>', x))
-      end
-    end
-    if rule.email_alert_recipients then
-      local x = task:get_recipients('smtp')
-      if x then
-        for _, e in ipairs(x) do
-          if string.len(e.addr) > 0 then
-            table.insert(mail_targets, e.addr)
-            table.insert(display_emails, string.format('<%s>', e.addr))
-          end
-        end
-      end
-    end
-    meta.mail_to = table.concat(display_emails, ', ')
-    meta.our_message_id = rspamd_util.random_hex(12) .. '@rspamd'
-    meta.date = rspamd_util.time_to_string(rspamd_util.get_time())
-    return lua_util.template(rule.email_template or settings.email_template, meta), { mail_targets = mail_targets}
-  end,
-  json = function(task)
-    return ucl.to_format(get_general_metadata(task), 'json-compact')
-  end
-}
-
-local function is_spam(action)
-  return (action == 'reject' or action == 'add header' or action == 'rewrite subject')
-end
-
-local selectors = {
-  default = function(task)
-    return true
-  end,
-  is_spam = function(task)
-    local action = task:get_metric_action('default')
-    return is_spam(action)
-  end,
-  is_spam_authed = function(task)
-    if not task:get_user() then
-      return false
-    end
-    local action = task:get_metric_action('default')
-    return is_spam(action)
-  end,
-  is_reject = function(task)
-    local action = task:get_metric_action('default')
-    return (action == 'reject')
-  end,
-  is_reject_authed = function(task)
-    if not task:get_user() then
-      return false
-    end
-    local action = task:get_metric_action('default')
-    return (action == 'reject')
-  end,
-}
-
-local function maybe_defer(task, rule)
-  if rule.defer then
-    rspamd_logger.warnx(task, 'deferring message')
-    task:set_pre_result('soft reject', 'deferred', N)
-  end
-end
-
-local pushers = {
-  redis_pubsub = function(task, formatted, rule)
-    local _,ret,upstream
-    local function redis_pub_cb(err)
-      if err then
-        rspamd_logger.errx(task, 'got error %s when publishing on server %s',
-            err, upstream:get_addr())
-        return maybe_defer(task, rule)
-      end
-      return true
-    end
-    ret,_,upstream = rspamd_redis_make_request(task,
-      redis_params, -- connect params
-      nil, -- hash key
-      true, -- is write
-      redis_pub_cb, --callback
-      'PUBLISH', -- command
-      {rule.channel, formatted} -- arguments
-    )
-    if not ret then
-      rspamd_logger.errx(task, 'error connecting to redis')
-      maybe_defer(task, rule)
-    end
-  end,
-  http = function(task, formatted, rule)
-    local function http_callback(err, code)
-      if err then
-        rspamd_logger.errx(task, 'got error %s in http callback', err)
-        return maybe_defer(task, rule)
-      end
-      if code ~= 200 then
-        rspamd_logger.errx(task, 'got unexpected http status: %s', code)
-        return maybe_defer(task, rule)
-      end
-      return true
-    end
-    local hdrs = {}
-    if rule.meta_headers then
-      local gm = get_general_metadata(task, false, true)
-      local pfx = rule.meta_header_prefix or 'X-Rspamd-'
-      for k, v in pairs(gm) do
-        if type(v) == 'table' then
-          hdrs[pfx .. k] = ucl.to_format(v, 'json-compact')
-        else
-          hdrs[pfx .. k] = v
-        end
-      end
-    end
-    rspamd_http.request({
-      task=task,
-      url=rule.url,
-      body=formatted,
-      callback=http_callback,
-      mime_type=rule.mime_type or settings.mime_type,
-      headers=hdrs,
-    })
-  end,
-  send_mail = function(task, formatted, rule, extra)
-    local lua_smtp = require "lua_smtp"
-    local function sendmail_cb(ret, err)
-      if not ret then
-        rspamd_logger.errx(task, 'SMTP export error: %s', err)
-        maybe_defer(task, rule)
-      end
-    end
-
-    lua_smtp.sendmail({
-      task = task,
-      host = rule.smtp,
-      port = rule.smtp_port or settings.smtp_port or 25,
-      from = rule.mail_from or settings.mail_from,
-      recipients = extra.mail_targets or rule.mail_to or settings.mail_to,
-      helo = rule.helo or settings.helo,
-      timeout = rule.timeout or settings.timeout,
-    }, formatted, sendmail_cb)
-  end,
-}
-
-local opts = rspamd_config:get_all_opt(N)
-if not opts then return end
-local process_settings = {
-  select = function(val)
-    selectors.custom = assert(load(val))()
-  end,
-  format = function(val)
-    formatters.custom = assert(load(val))()
-  end,
-  push = function(val)
-    pushers.custom = assert(load(val))()
-  end,
-  custom_push = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        pushers[k] = assert(load(v))()
-      end
-    end
-  end,
-  custom_select = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        selectors[k] = assert(load(v))()
-      end
-    end
-  end,
-  custom_format = function(val)
-    if type(val) == 'table' then
-      for k, v in pairs(val) do
-        formatters[k] = assert(load(v))()
-      end
-    end
-  end,
-  pusher_enabled = function(val)
-    if type(val) == 'string' then
-      if pushers[val] then
-        settings.pusher_enabled[val] = true
-      else
-        rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
-      end
-    elseif type(val) == 'table' then
-      for _, v in ipairs(val) do
-        if pushers[v] then
-          settings.pusher_enabled[v] = true
-        else
-          rspamd_logger.errx(rspamd_config, 'Pusher type: %s is invalid', val)
-        end
-      end
-    end
-  end,
-}
-for k, v in pairs(opts) do
-  local f = process_settings[k]
-  if f then
-    f(opts[k])
-  else
-    settings[k] = v
-  end
-end
-if type(settings.rules) ~= 'table' then
-  -- Legacy config
-  settings.rules = {}
-  if not next(settings.pusher_enabled) then
-    if pushers.custom then
-      rspamd_logger.infox(rspamd_config, 'Custom pusher implicitly enabled')
-      settings.pusher_enabled.custom = true
-    else
-      -- Check legacy options
-      if settings.url then
-        rspamd_logger.warnx(rspamd_config, 'HTTP pusher implicitly enabled')
-        settings.pusher_enabled.http = true
-      end
-      if settings.channel then
-        rspamd_logger.warnx(rspamd_config, 'Redis Pubsub pusher implicitly enabled')
-        settings.pusher_enabled.redis_pubsub = true
-      end
-      if settings.smtp and settings.mail_to then
-        rspamd_logger.warnx(rspamd_config, 'SMTP pusher implicitly enabled')
-        settings.pusher_enabled.send_mail = true
-      end
-    end
-  end
-  if not next(settings.pusher_enabled) then
-    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
-    return
-  end
-  if settings.formatter then
-    settings.format = formatters[settings.formatter]
-    if not settings.format then
-      rspamd_logger.errx(rspamd_config, 'No such formatter: %s', settings.formatter)
-      return
-    end
-  end
-  if settings.selector then
-    settings.select = selectors[settings.selector]
-    if not settings.select then
-      rspamd_logger.errx(rspamd_config, 'No such selector: %s', settings.selector)
-      return
-    end
-  end
-  for k in pairs(settings.pusher_enabled) do
-    local formatter = settings.pusher_format[k]
-    local selector = settings.pusher_select[k]
-    if not formatter then
-      settings.pusher_format[k] = settings.formatter or 'default'
-      rspamd_logger.infox(rspamd_config, 'Using default formatter for %s pusher', k)
-    else
-      if not formatters[formatter] then
-        rspamd_logger.errx(rspamd_config, 'No such formatter: %s - disabling %s', formatter, k)
-        settings.pusher_enabled.k = nil
-      end
-    end
-    if not selector then
-      settings.pusher_select[k] = settings.selector or 'default'
-      rspamd_logger.infox(rspamd_config, 'Using default selector for %s pusher', k)
-    else
-      if not selectors[selector] then
-        rspamd_logger.errx(rspamd_config, 'No such selector: %s - disabling %s', selector, k)
-        settings.pusher_enabled.k = nil
-      end
-    end
-  end
-  if settings.pusher_enabled.redis_pubsub then
-    redis_params = rspamd_parse_redis_server(N)
-    if not redis_params then
-      rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
-      settings.pusher_enabled.redis_pubsub = nil
-    else
-      local r = {}
-      r.backend = 'redis_pubsub'
-      r.channel = settings.channel
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.redis_pubsub
-      r.formatter = settings.pusher_format.redis_pubsub
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if settings.pusher_enabled.http then
-    if not settings.url then
-      rspamd_logger.errx(rspamd_config, 'No URL is specified')
-      settings.pusher_enabled.http = nil
-    else
-      local r = {}
-      r.backend = 'http'
-      r.url = settings.url
-      r.mime_type = settings.mime_type
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.http
-      r.formatter = settings.pusher_format.http
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if settings.pusher_enabled.send_mail then
-    if not (settings.mail_to and settings.smtp) then
-      rspamd_logger.errx(rspamd_config, 'No mail_to and/or smtp setting is specified')
-      settings.pusher_enabled.send_mail = nil
-    else
-      local r = {}
-      r.backend = 'send_mail'
-      r.mail_to = settings.mail_to
-      r.mail_from = settings.mail_from
-      r.helo = settings.hello
-      r.smtp = settings.smtp
-      r.smtp_port = settings.smtp_port
-      r.email_template = settings.email_template
-      r.defer = settings.defer
-      r.selector = settings.pusher_select.send_mail
-      r.formatter = settings.pusher_format.send_mail
-      settings.rules[r.backend:upper()] = r
-    end
-  end
-  if not next(settings.pusher_enabled) then
-    rspamd_logger.errx(rspamd_config, 'No push backend enabled')
-    return
-  end
-elseif not next(settings.rules) then
-  lua_util.debugm(N, rspamd_config, 'No rules enabled')
-  return
-end
-if not settings.rules or not next(settings.rules) then
-  rspamd_logger.errx(rspamd_config, 'No rules enabled')
-  return
-end
-local backend_required_elements = {
-  http = {
-    'url',
-  },
-  smtp = {
-    'mail_to',
-    'smtp',
-  },
-  redis_pubsub = {
-    'channel',
-  },
-}
-local check_element = {
-  selector = function(k, v)
-    if not selectors[v] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid selector %s', k, v)
-      return false
-    else
-      return true
-    end
-  end,
-  formatter = function(k, v)
-    if not formatters[v] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid formatter %s', k, v)
-      return false
-    else
-      return true
-    end
-  end,
-}
-local backend_check = {
-  default = function(k, rule)
-    local reqset = backend_required_elements[rule.backend]
-    if reqset then
-      for _, e in ipairs(reqset) do
-        if not rule[e] then
-          rspamd_logger.errx(rspamd_config, 'Rule %s misses required setting %s', k, e)
-          settings.rules[k] = nil
-        end
-      end
-    end
-    for sett, v in pairs(rule) do
-      local f = check_element[sett]
-      if f then
-        if not f(sett, v) then
-          settings.rules[k] = nil
-        end
-      end
-    end
-  end,
-}
-backend_check.redis_pubsub = function(k, rule)
-  if not redis_params then
-    redis_params = rspamd_parse_redis_server(N)
-  end
-  if not redis_params then
-    rspamd_logger.errx(rspamd_config, 'No redis servers are specified')
-    settings.rules[k] = nil
-  else
-    backend_check.default(k, rule)
-  end
-end
-setmetatable(backend_check, {
-  __index = function()
-    return backend_check.default
-  end,
-})
-for k, v in pairs(settings.rules) do
-  if type(v) == 'table' then
-    local backend = v.backend
-    if not backend then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has no backend', k)
-      settings.rules[k] = nil
-    elseif not pushers[backend] then
-      rspamd_logger.errx(rspamd_config, 'Rule %s has invalid backend %s', k, backend)
-      settings.rules[k] = nil
-    else
-      local f = backend_check[backend]
-      f(k, v)
-    end
-  else
-    rspamd_logger.errx(rspamd_config, 'Rule %s has bad type: %s', k, type(v))
-    settings.rules[k] = nil
-  end
-end
-
-local function gen_exporter(rule)
-  return function (task)
-    if task:has_flag('skip') then return end
-    local selector = rule.selector or 'default'
-    local selected = selectors[selector](task)
-    if selected then
-      lua_util.debugm(N, task, 'Message selected for processing')
-      local formatter = rule.formatter or 'default'
-      local formatted, extra = formatters[formatter](task, rule)
-      if formatted then
-        pushers[rule.backend](task, formatted, rule, extra)
-      else
-        lua_util.debugm(N, task, 'Formatter [%s] returned non-truthy value [%s]', formatter, formatted)
-      end
-    else
-      lua_util.debugm(N, task, 'Selector [%s] returned non-truthy value [%s]', selector, selected)
-    end
-  end
-end
-
-if not next(settings.rules) then
-  rspamd_logger.errx(rspamd_config, 'No rules enabled')
-  lua_util.disable_module(N, "config")
-end
-for k, r in pairs(settings.rules) do
-  rspamd_config:register_symbol({
-    name = 'EXPORT_METADATA_' .. k,
-    type = 'idempotent',
-    callback = gen_exporter(r),
-    priority = 10,
-    flags = 'empty,explicit_disable,ignore_passthrough',
-  })
-end

data/Dockerfiles/sogo/Dockerfile

@@ -1,11 +1,13 @@
-FROM debian:bullseye-slim
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+FROM debian:bookworm-slim
+
+LABEL maintainer="The Infrastructure Company GmbH <info@servercow.de>"
 
 ARG DEBIAN_FRONTEND=noninteractive
+ARG DEBIAN_VERSION=bookworm
 ARG SOGO_DEBIAN_REPOSITORY=http://www.axis.cz/linux/debian
 # renovate: datasource=github-releases depName=tianon/gosu versioning=semver-coerced extractVersion=^(?<version>.*)$
 ARG GOSU_VERSION=1.17
-ENV LC_ALL C
+ENV LC_ALL=C
 
 # Prerequisites
 RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
@@ -21,7 +23,7 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
   syslog-ng-core \
   syslog-ng-mod-redis \
   dirmngr \
-  netcat \
+  netcat-traditional \
   psmisc \
   wget \
   patch \
@@ -32,7 +34,7 @@ RUN echo "Building from repository $SOGO_DEBIAN_REPOSITORY" \
   && mkdir /usr/share/doc/sogo \
   && touch /usr/share/doc/sogo/empty.sh \
   && apt-key adv --keyserver keys.openpgp.org --recv-key 74FFC6D72B925A34B5D356BDF8A27B36A6E2EAE9 \
-  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} bullseye sogo-v5" > /etc/apt/sources.list.d/sogo.list \
+  && echo "deb [trusted=yes] ${SOGO_DEBIAN_REPOSITORY} ${DEBIAN_VERSION} sogo-v5" > /etc/apt/sources.list.d/sogo.list \
   && apt-get update && apt-get install -y --no-install-recommends \
     sogo \
     sogo-activesync \
@@ -53,4 +55,4 @@ RUN chmod +x /bootstrap-sogo.sh \
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD exec /usr/bin/supervisord -c /etc/supervisor/supervisord.conf
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/sogo/bootstrap-sogo.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 # Wait for MySQL to warm-up
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
   echo "Waiting for database to come up..."
   sleep 2
 done
@@ -150,6 +150,8 @@ cat <<EOF > /var/lib/sogo/GNUstep/Defaults/sogod.plist
     <string>YES</string>
     <key>SOGoEncryptionKey</key>
     <string>${RAND_PASS}</string>
+    <key>OCSAdminURL</key>
+    <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_admin</string>
     <key>OCSCacheFolderURL</key>
     <string>mysql://${DBUSER}:${DBPASS}@%2Fvar%2Frun%2Fmysqld%2Fmysqld.sock/${DBNAME}/sogo_cache_folder</string>
     <key>OCSEMailAlarmsFolderURL</key>

data/Dockerfiles/sogo/syslog-ng-redis_slave.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/sogo/syslog-ng.conf

@@ -1,4 +1,4 @@
-@version: 3.28
+@version: 3.38
 @include "scl.conf"
 options {
   chain_hostnames(off);

data/Dockerfiles/solr/solr.sh

@@ -1,7 +1,15 @@
 #!/bin/bash
 
-if [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+if [[ "${FLATCURVE_EXPERIMENTAL}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
+  echo "FLATCURVE_EXPERIMENTAL=y, skipping Solr but enabling Flatcurve as FTS for Dovecot!"
+  echo "Solr will be removed in the future!"
+  sleep 365d
+  exit 0
+elif [[ "${SKIP_SOLR}" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
   echo "SKIP_SOLR=y, skipping Solr..."
+  echo "HINT: You could try the newer FTS Backend Flatcurve, which is currently in experimental state..."
+  echo "Simply set FLATCURVE_EXPERIMENTAL=y inside your mailcow.conf and restart the stack afterwards!"
+  echo "Solr will be removed in the future!"
   sleep 365d
   exit 0
 fi
@@ -57,5 +65,11 @@ if [[ "${1}" == "--bootstrap" ]]; then
   exit 0
 fi
 
+echo "Starting up Solr..."
+echo -e "\e[31mSolr is deprecated! You can try the new FTS System now by enabling FLATCURVE_EXPERIMENTAL=y inside mailcow.conf and restarting the stack\e[0m"
+echo -e "\e[31mSolr will be removed completely soon!\e[0m"
+
+sleep 15
+
 exec gosu solr solr-foreground
 

data/Dockerfiles/unbound/Dockerfile

@@ -1,30 +1,36 @@
-FROM alpine:3.19
+FROM alpine:3.20
 
-LABEL maintainer "The Infrastructure Company GmbH GmbH <info@servercow.de>"
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 RUN apk add --update --no-cache \
 	curl \
 	bind-tools \
-	netcat-openbsd \
+	coreutils \
 	unbound \
 	bash \
 	openssl \
 	drill \
 	tzdata \
+	syslog-ng \
+	supervisor \
 	&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
 	&& chown root:unbound /etc/unbound \
-  && adduser unbound tty \
+    && adduser unbound tty \
 	&& chmod 775 /etc/unbound
 
 EXPOSE 53/udp 53/tcp
 
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 
-# healthcheck (nslookup)
+# healthcheck (dig, ping)
 COPY healthcheck.sh /healthcheck.sh
+COPY syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
+COPY supervisord.conf /etc/supervisor/supervisord.conf
+COPY stop-supervisor.sh /usr/local/sbin/stop-supervisor.sh
+
 RUN chmod +x /healthcheck.sh
-HEALTHCHECK --interval=5s --timeout=10s CMD [ "/healthcheck.sh" ]
+HEALTHCHECK --interval=30s --timeout=10s \
+  CMD sh -c '[ -f /tmp/healthcheck_status ] && [ "$(cat /tmp/healthcheck_status)" -eq 0 ] || exit 1'
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
-
-CMD ["/usr/sbin/unbound"]
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

data/Dockerfiles/unbound/healthcheck.sh

@@ -1,89 +1,102 @@
 #!/bin/bash
 
-# Declare log function for logfile inside container
-function log_to_file() {
-    echo "$(date +"%Y-%m-%d %H:%M:%S"): $1" > /var/log/healthcheck.log
+STATUS_FILE="/tmp/healthcheck_status"
+RUNS=0
+
+# Declare log function for logfile to stdout
+function log_to_stdout() {
+echo "$(date +"%Y-%m-%d %H:%M:%S"): $1"
 }
 
 # General Ping function to check general pingability
 function check_ping() {
-    declare -a ipstoping=("1.1.1.1" "8.8.8.8" "9.9.9.9")
+declare -a ipstoping=("1.1.1.1" "8.8.8.8" "9.9.9.9")
+local fail_tolerance=1
+local failures=0
 
-    for ip in "${ipstoping[@]}" ; do
-            ping -q -c 3 -w 5 "$ip"
-            if [ $? -ne 0 ]; then
-                log_to_file "Healthcheck: Couldn't ping $ip for 5 seconds... Gave up!"
-                log_to_file "Please check your internet connection or firewall rules to fix this error, because a simple ping test should always go through from the unbound container!"
-                return 1
-            fi
+for ip in "${ipstoping[@]}" ; do
+    success=false
+    for ((i=1; i<=3; i++)); do
+        ping -q -c 3 -w 5 "$ip" > /dev/null
+        if [ $? -eq 0 ]; then
+            success=true
+            break
+        else
+            log_to_stdout "Healthcheck: Failed to ping $ip on attempt $i. Trying again..."
+        fi
     done
+    
+    if [ "$success" = false ]; then
+        log_to_stdout "Healthcheck: Couldn't ping $ip after 3 attempts. Marking this IP as failed."
+        ((failures++))
+    fi
+done
+
+if [ $failures -gt $fail_tolerance ]; then
+    log_to_stdout "Healthcheck: Too many ping failures ($fail_tolerance failures allowed, you got $failures failures), marking Healthcheck as unhealthy..."
+    return 1
+fi
+
+return 0
 
-    log_to_file "Healthcheck: Ping Checks WORKING properly!"
-    return 0
 }
 
 # General DNS Resolve Check against Unbound Resolver himself
 function check_dns() {
-    declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
+declare -a domains=("fuzzy.mailcow.email" "github.com" "hub.docker.com")
+local fail_tolerance=1
+local failures=0
 
-    for domain in "${domains[@]}" ; do
-        for ((i=1; i<=3; i++)); do
-            dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1 > /dev/null
-        if [ $? -ne 0 ]; then
-            log_to_file "Healthcheck: DNS Resolution Failed on $i attempt! Trying again..."
-            if [ $i -eq 3 ]; then
-                log_to_file "Healthcheck: DNS Resolution not possible after $i attempts... Gave up!"
-                log_to_file "Maybe check your outbound firewall, as it needs to resolve DNS over TCP AND UDP!"
-                return 1
-            fi
+for domain in "${domains[@]}" ; do
+    success=false
+    for ((i=1; i<=3; i++)); do
+        dig_output=$(dig +short +timeout=2 +tries=1 "$domain" @127.0.0.1 2>/dev/null)
+        dig_rc=$?
+
+        if [ $dig_rc -ne 0 ] || [ -z "$dig_output" ]; then
+            log_to_stdout "Healthcheck: DNS Resolution Failed on attempt $i for $domain! Trying again..."
+        else
+            success=true
+            break
         fi
-        done
     done
-
-    log_to_file "Healthcheck: DNS Resolver WORKING properly!"
-    return 0
     
+    if [ "$success" = false ]; then
+        log_to_stdout "Healthcheck: DNS Resolution not possible after 3 attempts for $domain... Gave up!"
+        ((failures++))
+    fi
+done
+
+if [ $failures -gt $fail_tolerance ]; then
+    log_to_stdout "Healthcheck: Too many DNS failures ($fail_tolerance failures allowed, you got $failures failures), marking Healthcheck as unhealthy..."
+    return 1
+fi
+
+return 0
 }
 
-# Simple Netcat Check to connect to common webports
-function check_netcat() {
-    declare -a domains=("mailcow.email" "github.com" "hub.docker.com")
-    declare -a ports=("80" "443")
+while true; do
 
-    for domain in "${domains[@]}" ; do
-        for port in "${ports[@]}" ; do
-            nc -z -w 2 $domain $port
-            if [ $? -ne 0 ]; then
-                log_to_file "Healthcheck: Could not reach $domain on Port $port... Gave up!"
-                log_to_file "Please check your internet connection or firewall rules to fix this error."
-                return 1
-            fi
-        done
-    done
+    if [[ ${SKIP_UNBOUND_HEALTHCHECK} == "y" ]]; then
+    log_to_stdout "Healthcheck: ALL CHECKS WERE SKIPPED! Unbound is healthy!"
+    echo "0" > $STATUS_FILE
+    sleep 365d
+    fi
 
-    log_to_file "Healthcheck: Netcat Checks WORKING properly!"
-    return 0
+    # run checks, if check is not returning 0 (return value if check is ok), healthcheck will exit with 1 (marked in docker as unhealthy)
+    check_ping
+    PING_STATUS=$?
 
-}
+    check_dns
+    DNS_STATUS=$?
 
-# run checks, if check is not returning 0 (return value if check is ok), healthcheck will exit with 1 (marked in docker as unhealthy)
-check_ping
+    if [ $PING_STATUS -ne 0 ] || [ $DNS_STATUS -ne 0 ]; then
+        echo "1" > $STATUS_FILE
 
-if [ $? -ne 0 ]; then
-    exit 1
-fi
+    else
+        echo "0" > $STATUS_FILE
+    fi
 
-check_dns
+    sleep 30
 
-if [ $? -ne 0 ]; then
-    exit 1
-fi
-
-check_netcat
-
-if [ $? -ne 0 ]; then
-    exit 1
-fi
-
-log_to_file "Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!"
-exit 0
+done

data/Dockerfiles/unbound/stop-supervisor.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+printf "READY\n";
+
+while read line; do
+  echo "Processing Event: $line" >&2;
+  kill -3 $(cat "/var/run/supervisord.pid")
+done < /dev/stdin
+
+rm -rf /tmp/healthcheck_status

data/Dockerfiles/unbound/supervisord.conf

@@ -0,0 +1,32 @@
+[supervisord]
+nodaemon=true
+user=root
+pidfile=/var/run/supervisord.pid
+
+[program:syslog-ng]
+command=/usr/sbin/syslog-ng --foreground --no-caps
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=true
+
+[program:unbound]
+command=/usr/sbin/unbound
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[program:unbound-healthcheck]
+command=/bin/bash /healthcheck.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[eventlistener:processes]
+command=/usr/local/sbin/stop-supervisor.sh
+events=PROCESS_STATE_STOPPED, PROCESS_STATE_EXITED, PROCESS_STATE_FATAL

data/Dockerfiles/unbound/syslog-ng.conf

@@ -0,0 +1,21 @@
+@version: 4.5
+@include "scl.conf"
+options {
+  chain_hostnames(off);
+  flush_lines(0);
+  use_dns(no);
+  use_fqdn(no);
+  owner("root"); group("adm"); perm(0640);
+  stats(freq(0));
+  keep_timestamp(no);
+  bad_hostname("^gconfd$");
+};
+source s_dgram {
+  unix-dgram("/dev/log");
+  internal();
+};
+destination d_stdout { pipe("/dev/stdout"); };
+log {
+  source(s_dgram);
+  destination(d_stdout);
+};

data/Dockerfiles/watchdog/Dockerfile

@@ -1,5 +1,6 @@
-FROM alpine:3.19
-LABEL maintainer "The Infrastructure Company GmbH <info@servercow.de>"
+FROM alpine:3.20
+
+LABEL maintainer = "The Infrastructure Company GmbH <info@servercow.de>"
 
 # Installation
 RUN apk add --update \
@@ -36,4 +37,4 @@ RUN apk add --update \
 COPY watchdog.sh /watchdog.sh
 COPY check_mysql_slavestatus.sh /usr/lib/nagios/plugins/check_mysql_slavestatus.sh
 
-CMD /watchdog.sh
+CMD ["/watchdog.sh"]

data/Dockerfiles/watchdog/watchdog.sh

@@ -33,7 +33,7 @@ if [[ ! -p /tmp/com_pipe ]]; then
 fi
 
 # Wait for containers
-while ! mysqladmin status --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
+while ! mariadb-admin status --ssl=false --socket=/var/run/mysqld/mysqld.sock -u${DBUSER} -p${DBPASS} --silent; do
   echo "Waiting for SQL..."
   sleep 2
 done
@@ -169,9 +169,13 @@ function notify_error() {
       return 1
     fi
 
+    # Escape subject and body (https://stackoverflow.com/a/2705678)
+    ESCAPED_SUBJECT=$(echo ${SUBJECT} | sed -e 's/[\/&]/\\&/g')
+    ESCAPED_BODY=$(echo ${BODY} | sed -e 's/[\/&]/\\&/g')
+
     # Replace subject and body placeholders
-    WEBHOOK_BODY=$(echo ${WATCHDOG_NOTIFY_WEBHOOK_BODY} | sed "s|\$SUBJECT\|\${SUBJECT}|$SUBJECT|g" | sed "s|\$BODY\|\${BODY}|$BODY|")
-    
+    WEBHOOK_BODY=$(echo ${WATCHDOG_NOTIFY_WEBHOOK_BODY} | sed -e "s/\$SUBJECT\|\${SUBJECT}/$ESCAPED_SUBJECT/g" -e "s/\$BODY\|\${BODY}/$ESCAPED_BODY/g")
+
     # POST to webhook
     curl -X POST -H "Content-Type: application/json" ${CURL_VERBOSE} -d "${WEBHOOK_BODY}" ${WATCHDOG_NOTIFY_WEBHOOK}
 
@@ -191,12 +195,12 @@ get_container_ip() {
     else
       sleep 0.5
       # get long container id for exact match
-      CONTAINER_ID=($(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring == \"${1}\") | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id"))
+      CONTAINER_ID=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring == \"${1}\") | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id"))
       # returned id can have multiple elements (if scaled), shuffle for random test
       CONTAINER_ID=($(printf "%s\n" "${CONTAINER_ID[@]}" | shuf))
       if [[ ! -z ${CONTAINER_ID} ]]; then
         for matched_container in "${CONTAINER_ID[@]}"; do
-          CONTAINER_IPS=($(curl --silent --insecure https://dockerapi/containers/${matched_container}/json | jq -r '.NetworkSettings.Networks[].IPAddress'))
+          CONTAINER_IPS=($(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${matched_container}/json | jq -r '.NetworkSettings.Networks[].IPAddress'))
           for ip_match in "${CONTAINER_IPS[@]}"; do
             # grep will do nothing if one of these vars is empty
             [[ -z ${ip_match} ]] && continue
@@ -716,7 +720,7 @@ rspamd_checks() {
 From: watchdog@localhost
 
 Empty
-' | usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd/scan | jq -rc .default.required_score | sed 's/\..*//' )
+' | usr/bin/curl --max-time 10 -s --data-binary @- --unix-socket /var/lib/rspamd/rspamd.sock http://rspamd.${COMPOSE_PROJECT_NAME}_mailcow-network/scan | jq -rc .default.required_score | sed 's/\..*//' )
     if [[ ${SCORE} -ne 9999 ]]; then
       echo "Rspamd settings check failed, score returned: ${SCORE}" 2>> /tmp/rspamd-mailcow 1>&2
       err_count=$(( ${err_count} + 1))
@@ -1095,12 +1099,12 @@ while true; do
   elif [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
     kill -STOP ${BACKGROUND_TASKS[*]}
     sleep 10
-    CONTAINER_ID=$(curl --silent --insecure https://dockerapi/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
+    CONTAINER_ID=$(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/json | jq -r ".[] | {name: .Config.Labels[\"com.docker.compose.service\"], project: .Config.Labels[\"com.docker.compose.project\"], id: .Id}" | jq -rc "select( .name | tostring | contains(\"${com_pipe_answer}\")) | select( .project | tostring | contains(\"${COMPOSE_PROJECT_NAME,,}\")) | .id")
     if [[ ! -z ${CONTAINER_ID} ]]; then
       if [[ "${com_pipe_answer}" == "php-fpm-mailcow" ]]; then
-        HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/top | jq '.msg.Processes[] | contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' | grep true)
+        HAS_INITDB=$(curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/top | jq '.msg.Processes[] | contains(["php -c /usr/local/etc/php -f /web/inc/init_db.inc.php"])' | grep true)
       fi
-      S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi/containers/${CONTAINER_ID}/json | jq .State.StartedAt | xargs -n1 date +%s -d)))
+      S_RUNNING=$(($(date +%s) - $(curl --silent --insecure https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/json | jq .State.StartedAt | xargs -n1 date +%s -d)))
       if [ ${S_RUNNING} -lt 360 ]; then
         log_msg "Container is running for less than 360 seconds, skipping action..."
       elif [[ ! -z ${HAS_INITDB} ]]; then
@@ -1108,7 +1112,7 @@ while true; do
         sleep 60
       else
         log_msg "Sending restart command to ${CONTAINER_ID}..."
-        curl --silent --insecure -XPOST https://dockerapi/containers/${CONTAINER_ID}/restart
+        curl --silent --insecure -XPOST https://dockerapi.${COMPOSE_PROJECT_NAME}_mailcow-network/containers/${CONTAINER_ID}/restart
         notify_error "${com_pipe_answer}"
         log_msg "Wait for restarted container to settle and continue watching..."
         sleep 35

data/assets/templates/pw_reset_html.tpl

@@ -0,0 +1,29 @@
+<html>
+  <head>
+  <meta name="x-apple-disable-message-reformatting" />
+  <style>
+  body {
+    font-family: Helvetica, Arial, Sans-Serif;
+  }
+  /* mobile devices */
+  @media all and (max-width: 480px) {
+    .mob {
+      display: none;
+    }    
+  }
+  </style>
+  </head>
+  <body>
+Hello {{username2}},<br><br>
+
+Somebody requested a new password for the {{hostname}} account associated with {{username}}.<br>
+<small>Date of the password reset request: {{date}}</small><br><br>
+
+You can reset your password by clicking the link below:<br>
+<a href="{{link}}">{{link}}</a><br><br>
+
+The link will be valid for the next {{token_lifetime}} minutes.<br><br>
+
+If you did not request a new password, please ignore this email.<br>
+  </body>
+</html>

data/assets/templates/pw_reset_text.tpl

@@ -0,0 +1,11 @@
+Hello {{username2}},
+
+Somebody requested a new password for the {{hostname}} account associated with {{username}}.
+Date of the password reset request: {{date}}
+
+You can reset your password by clicking the link below:
+{{link}}
+
+The link will be valid for the next {{token_lifetime}} minutes.
+
+If you did not request a new password, please ignore this email.

data/conf/dovecot/dovecot.conf

@@ -10,6 +10,7 @@
 auth_mechanisms = plain login
 #mail_debug = yes
 #auth_debug = yes
+#log_debug = category=fts-flatcurve # Activate Logging for Flatcurve FTS Searchings
 log_path = syslog
 disable_plaintext_auth = yes
 # Uncomment on NFS share
@@ -194,9 +195,6 @@ plugin {
   acl_shared_dict = file:/var/vmail/shared-mailboxes.db
   acl = vfile
   acl_user = %u
-  fts = solr
-  fts_autoindex = yes
-  fts_solr = url=http://solr:8983/solr/dovecot-fts/
   quota = dict:Userquota::proxy::sqlquota
   quota_rule2 = Trash:storage=+100%%
   sieve = /var/vmail/sieve/%u.sieve
@@ -247,6 +245,9 @@ plugin {
   mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
   mail_log_fields = uid box msgid size
   mail_log_cached_only = yes
+
+  # Try set mail_replica
+  !include_try /etc/dovecot/mail_replica.conf
 }
 service quota-warning {
   executable = script /usr/local/bin/quota_notify.py
@@ -302,6 +303,7 @@ replication_dsync_parameters = -d -l 30 -U -n INBOX
 !include_try /etc/dovecot/extra.conf
 !include_try /etc/dovecot/sogo-sso.conf
 !include_try /etc/dovecot/shared_namespace.conf
+!include_try /etc/dovecot/conf.d/fts.conf
 # </Includes>
 default_client_limit = 10400
 default_vsz_limit = 1024 M

data/conf/dovecot/dovecot.folders.conf

@@ -289,5 +289,20 @@ namespace inbox {
   mailbox "Kladde" {
     special_use = \Drafts
   }
+  mailbox "Πρόχειρα" {
+    special_use = \Drafts
+  }
+  mailbox "Απεσταλμένα" {
+    special_use = \Sent
+  }
+  mailbox "Κάδος απορριμάτων" {
+    special_use = \Trash
+  }
+  mailbox "Ανεπιθύμητα" {
+    special_use = \Junk
+  }
+  mailbox "Αρχειοθετημένα" {
+    special_use = \Archive
+  }
   prefix =
-}
+}

data/conf/postfix/anonymize_headers.pcre

@@ -1,6 +1,6 @@
 if /^\s*Received:.*Authenticated sender.*\(Postcow\)/
 #/^Received: from .*? \([\w-.]* \[.*?\]\)\s+\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (E?SMTPS?A?) id ([A-F0-9]+).+;.*?/
-/^Received: from .*? \([\w-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (.*)/
+/^Received: from .*? \([\w\-.]* \[.*?\]\)(.*|\n.*)\(Authenticated sender: (.+)\)\s+by.+\(Postcow\) with (.*)/
   REPLACE Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with $3
 endif
 if /^\s*Received: from.* \(.*dovecot-mailcow.*mailcow-network.*\).*\(Postcow\)/

data/conf/postfix/main.cf

@@ -114,14 +114,14 @@ smtpd_tls_loglevel = 1
 
 # Mandatory protocols and ciphers are used when a connections is enforced to use TLS
 # Does _not_ apply to enforced incoming TLS settings per mailbox
-smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+smtp_tls_mandatory_protocols = >=TLSv1.2
+lmtp_tls_mandatory_protocols = >=TLSv1.2
+smtpd_tls_mandatory_protocols = >=TLSv1.2
 smtpd_tls_mandatory_ciphers = high
 
-smtp_tls_protocols = !SSLv2, !SSLv3
-lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtpd_tls_protocols = !SSLv2, !SSLv3
+smtp_tls_protocols = >=TLSv1.2
+lmtp_tls_protocols = >=TLSv1.2
+smtpd_tls_protocols = >=TLSv1.2
 
 smtpd_tls_security_level = may
 tls_preempt_cipherlist = yes
@@ -163,12 +163,12 @@ transport_maps = pcre:/opt/postfix/conf/custom_transport.pcre,
   proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf
 smtp_sasl_auth_soft_bounce = no
 postscreen_discard_ehlo_keywords = silent-discard, dsn, chunking
-smtpd_discard_ehlo_keywords = chunking
-compatibility_level = 2
+smtpd_discard_ehlo_keywords = chunking, silent-discard
+compatibility_level = 3.7
 smtputf8_enable = no
 # Define protocols for SMTPS and submission service
-submission_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
-smtps_smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+submission_smtpd_tls_mandatory_protocols = >=TLSv1.2
+smtps_smtpd_tls_mandatory_protocols = >=TLSv1.2
 parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,qmqpd_authorized_clients
 
 # DO NOT EDIT ANYTHING BELOW #

data/conf/postfix/master.cf

@@ -4,7 +4,6 @@ smtp       inet  n       -       n       -       1       postscreen
   -o postscreen_upstream_proxy_protocol=haproxy
   -o syslog_name=haproxy
 smtpd      pass  -       -       n       -       -       smtpd
-  -o smtpd_helo_restrictions=permit_mynetworks,reject_non_fqdn_helo_hostname
   -o smtpd_sasl_auth_enable=no
   -o smtpd_sender_restrictions=permit_mynetworks,reject_unlisted_sender,reject_unknown_sender_domain
 

data/conf/postfix/postscreen_access.cidr

@@ -1,9 +1,10 @@
-# Whitelist generated by Postwhite v3.4 on Mon Jan  1 00:15:22 UTC 2024
+# Whitelist generated by Postwhite v3.4 on Thu Aug  1 00:16:45 UTC 2024
 # https://github.com/stevejenkins/postwhite/
-# 2052 total rules
+# 1954 total rules
 2a00:1450:4000::/36	permit
 2a01:111:f400::/48	permit
 2a01:111:f403:8000::/50	permit
+2a01:111:f403:8000::/51	permit
 2a01:111:f403::/49	permit
 2a01:111:f403:c000::/51	permit
 2a01:111:f403:f000::/52	permit
@@ -12,40 +13,39 @@
 2.207.151.53	permit
 3.70.123.177	permit
 3.93.157.0/24	permit
+3.94.40.108	permit
 3.129.120.190	permit
-3.137.16.58	permit
 3.210.190.0/24	permit
 8.20.114.31	permit
 8.25.194.0/23	permit
 8.25.196.0/23	permit
-8.39.54.0/23	permit
-8.40.222.0/23	permit
+10.162.0.0/16	permit
 12.130.86.238	permit
-13.70.32.43	permit
-13.72.50.45	permit
-13.74.143.28	permit
-13.78.233.182	permit
-13.92.31.129	permit
 13.110.208.0/21	permit
 13.110.209.0/24	permit
 13.110.216.0/22	permit
 13.110.224.0/20	permit
 13.111.0.0/16	permit
+13.111.191.0/24	permit
 15.200.21.50	permit
 15.200.44.248	permit
 15.200.201.185	permit
+17.41.0.0/16	permit
 17.57.155.0/24	permit
 17.57.156.0/24	permit
 17.58.0.0/16	permit
+17.142.0.0/15	permit
 18.156.89.250	permit
 18.157.243.190	permit
 18.194.95.56	permit
 18.198.96.88	permit
 18.208.124.128/25	permit
 18.216.232.154	permit
-18.234.1.244	permit
+18.235.27.253	permit
 18.236.40.242	permit
+18.236.56.161	permit
 20.51.6.32/30	permit
+20.51.98.61	permit
 20.52.52.2	permit
 20.52.128.133	permit
 20.59.80.4/30	permit
@@ -63,10 +63,8 @@
 20.107.239.64/30	permit
 20.112.250.133	permit
 20.118.139.208/30	permit
-20.185.213.160/27	permit
-20.185.213.224/27	permit
+20.141.10.196	permit
 20.185.214.0/27	permit
-20.185.214.2	permit
 20.185.214.32/27	permit
 20.185.214.64/27	permit
 20.231.239.246	permit
@@ -90,39 +88,37 @@
 27.123.204.172	permit
 27.123.204.188/30	permit
 27.123.204.192	permit
-27.123.206.0/24	permit
 27.123.206.50/31	permit
 27.123.206.56/29	permit
 27.123.206.76/30	permit
 27.123.206.80/28	permit
 31.25.48.222	permit
 34.195.217.107	permit
-34.202.239.6	permit
 34.212.163.75	permit
 34.215.104.144	permit
+34.218.116.3	permit
 34.225.212.172	permit
-34.247.168.44	permit
 35.161.32.253	permit
 35.167.93.243	permit
 35.176.132.251	permit
 35.190.247.0/24	permit
 35.191.0.0/16	permit
+35.205.92.9	permit
+35.242.169.159	permit
 37.218.248.47	permit
 37.218.249.47	permit
 37.218.251.62	permit
 39.156.163.64/29	permit
-40.71.187.0/24	permit
 40.92.0.0/15	permit
 40.92.0.0/16	permit
 40.107.0.0/16	permit
 40.112.65.63	permit
-40.117.80.0/24	permit
 43.228.184.0/22	permit
 44.206.138.57	permit
-44.209.42.157	permit
+44.217.45.156	permit
 44.236.56.93	permit
 44.238.220.251	permit
-46.19.168.0/23	permit
+46.19.170.16	permit
 46.226.48.0/21	permit
 46.228.36.37	permit
 46.228.36.38/31	permit
@@ -162,7 +158,6 @@
 46.228.38.144/29	permit
 46.228.38.152/31	permit
 46.228.38.154	permit
-46.228.39.0/24	permit
 46.228.39.64/27	permit
 46.228.39.96/30	permit
 46.228.39.100/30	permit
@@ -183,31 +178,28 @@
 50.18.125.237	permit
 50.18.126.162	permit
 50.31.32.0/19	permit
-50.56.130.220	permit
-50.56.130.221	permit
-51.137.58.21	permit
-51.140.75.55	permit
-51.144.100.179	permit
+50.31.36.205	permit
+50.56.130.220/30	permit
+52.1.14.157	permit
 52.5.230.59	permit
 52.27.5.72	permit
 52.27.28.47	permit
 52.28.63.81	permit
 52.36.138.31	permit
 52.37.142.146	permit
+52.50.24.208	permit
 52.58.216.183	permit
 52.59.143.3	permit
 52.60.41.5	permit
 52.60.115.116	permit
 52.61.91.9	permit
 52.71.0.205	permit
-52.82.172.0/22	permit
 52.94.124.0/28	permit
 52.95.48.152/29	permit
 52.95.49.88/29	permit
 52.96.91.34	permit
 52.96.111.82	permit
 52.96.172.98	permit
-52.96.214.50	permit
 52.96.222.194	permit
 52.96.222.226	permit
 52.96.223.2	permit
@@ -216,8 +208,6 @@
 52.100.0.0/14	permit
 52.103.0.0/17	permit
 52.119.213.144/28	permit
-52.160.39.140	permit
-52.165.175.144	permit
 52.185.106.240/28	permit
 52.200.59.0/24	permit
 52.205.61.79	permit
@@ -228,37 +218,29 @@
 52.222.75.85	permit
 52.222.89.228	permit
 52.234.172.96/28	permit
+52.235.253.128	permit
 52.236.28.240/28	permit
-52.244.206.214	permit
-52.247.53.144	permit
-52.250.107.196	permit
-52.250.126.174	permit
 54.90.148.255	permit
+54.165.19.38	permit
 54.172.97.247	permit
 54.174.52.0/24	permit
-54.174.53.128/30	permit
 54.174.57.0/24	permit
 54.174.59.0/24	permit
 54.174.60.0/23	permit
 54.174.63.0/24	permit
 54.186.193.102	permit
 54.191.223.56	permit
-54.194.61.95	permit
-54.195.113.45	permit
 54.213.20.246	permit
 54.214.39.184	permit
-54.216.77.168	permit
-54.221.227.204	permit
 54.240.0.0/18	permit
 54.240.64.0/19	permit
 54.240.96.0/19	permit
 54.241.16.209	permit
 54.244.54.130	permit
 54.244.242.0/24	permit
-54.246.232.180	permit
 54.255.61.23	permit
 62.13.128.0/24	permit
-62.13.128.150	permit
+62.13.128.196	permit
 62.13.129.128/25	permit
 62.13.136.0/22	permit
 62.13.140.0/22	permit
@@ -266,14 +248,13 @@
 62.13.148.0/23	permit
 62.13.150.0/23	permit
 62.13.152.0/23	permit
+62.13.159.196	permit
 62.17.146.128/26	permit
 62.179.121.0/24	permit
 62.201.172.0/27	permit
 62.201.172.32/27	permit
 62.253.227.114	permit
-63.32.13.159	permit
 63.80.14.0/23	permit
-63.111.28.137	permit
 63.128.21.0/24	permit
 63.143.57.128/25	permit
 63.143.59.128/25	permit
@@ -286,24 +267,9 @@
 64.79.155.193	permit
 64.79.155.205	permit
 64.79.155.206	permit
-64.89.44.85	permit
-64.89.45.80	permit
-64.89.45.194	permit
-64.89.45.196	permit
 64.127.115.252	permit
 64.132.88.0/23	permit
 64.132.92.0/24	permit
-64.147.123.17	permit
-64.147.123.18	permit
-64.147.123.19	permit
-64.147.123.20	permit
-64.147.123.21	permit
-64.147.123.24	permit
-64.147.123.25	permit
-64.147.123.26	permit
-64.147.123.27	permit
-64.147.123.28	permit
-64.147.123.29	permit
 64.147.123.128/27	permit
 64.207.219.7	permit
 64.207.219.8	permit
@@ -358,26 +324,10 @@
 65.110.161.77	permit
 65.123.29.213	permit
 65.123.29.220	permit
-65.154.166.0/24	permit
 65.212.180.36	permit
 66.102.0.0/20	permit
-66.111.4.25	permit
-66.111.4.26	permit
-66.111.4.27	permit
-66.111.4.28	permit
-66.111.4.29	permit
-66.111.4.221	permit
-66.111.4.222	permit
-66.111.4.224	permit
-66.111.4.225	permit
-66.111.4.229	permit
-66.111.4.230	permit
 66.119.150.192/26	permit
-66.135.202.0/27	permit
-66.135.215.0/24	permit
-66.135.222.1	permit
 66.162.193.226/31	permit
-66.163.184.0/21	permit
 66.163.184.0/24	permit
 66.163.185.0/24	permit
 66.163.186.0/24	permit
@@ -390,7 +340,6 @@
 66.196.80.112/28	permit
 66.196.80.144/29	permit
 66.196.80.193	permit
-66.196.81.0/24	permit
 66.196.81.104/29	permit
 66.196.81.112/29	permit
 66.196.81.120	permit
@@ -405,7 +354,6 @@
 66.196.81.228/30	permit
 66.196.81.232/31	permit
 66.196.81.234	permit
-66.211.168.230/31	permit
 66.211.170.88/29	permit
 66.211.184.0/23	permit
 66.218.74.64/30	permit
@@ -434,12 +382,10 @@
 66.249.80.0/20	permit
 67.23.31.6	permit
 67.72.99.26	permit
-67.195.22.0/24	permit
 67.195.22.113	permit
 67.195.22.116/30	permit
 67.195.23.144/30	permit
 67.195.23.148	permit
-67.195.60.0/24	permit
 67.195.60.45	permit
 67.195.60.46/31	permit
 67.195.60.48/31	permit
@@ -447,7 +393,6 @@
 67.195.60.146	permit
 67.195.60.155	permit
 67.195.60.156	permit
-67.195.87.0/24	permit
 67.195.87.64	permit
 67.195.87.81	permit
 67.195.87.82/31	permit
@@ -472,7 +417,6 @@
 67.228.37.4/30	permit
 67.231.145.42	permit
 67.231.153.30	permit
-68.142.230.0/24	permit
 68.142.230.64/31	permit
 68.142.230.69	permit
 68.142.230.70/31	permit
@@ -498,9 +442,7 @@
 69.171.232.0/24	permit
 69.171.244.0/23	permit
 70.37.151.128/25	permit
-70.42.149.0/24	permit
 70.42.149.35	permit
-72.3.237.64/28	permit
 72.14.192.0/18	permit
 72.21.192.0/19	permit
 72.21.217.142	permit
@@ -531,7 +473,6 @@
 72.30.237.180/30	permit
 72.30.237.184/31	permit
 72.30.237.204/30	permit
-72.30.238.0/23	permit
 72.30.238.116/30	permit
 72.30.238.120/31	permit
 72.30.238.128	permit
@@ -562,12 +503,7 @@
 72.30.239.228/31	permit
 72.30.239.244/30	permit
 72.30.239.248/31	permit
-72.34.168.76	permit
-72.34.168.80	permit
-72.34.168.85	permit
-72.34.168.86	permit
 72.52.72.32/28	permit
-74.6.128.0/21	permit
 74.6.128.0/24	permit
 74.6.129.0/24	permit
 74.6.130.0/24	permit
@@ -594,14 +530,14 @@
 74.112.67.243	permit
 74.125.0.0/16	permit
 74.202.227.40	permit
-74.208.4.192/26	permit
-74.208.5.64/26	permit
-74.208.122.0/26	permit
+74.208.4.200	permit
+74.208.4.201	permit
+74.208.4.220	permit
+74.208.4.221	permit
 74.209.250.0/24	permit
 75.2.70.75	permit
 76.223.128.0/19	permit
 76.223.176.0/20	permit
-77.238.176.0/22	permit
 77.238.176.0/24	permit
 77.238.177.0/24	permit
 77.238.178.0/24	permit
@@ -622,21 +558,26 @@
 77.238.189.142	permit
 77.238.189.146/31	permit
 77.238.189.148/30	permit
-81.7.169.128/25	permit
 81.223.46.0/27	permit
-82.165.159.0/24	permit
-82.165.159.0/26	permit
-82.165.229.31	permit
-82.165.229.130	permit
-82.165.230.21	permit
-82.165.230.22	permit
+82.165.159.2	permit
+82.165.159.3	permit
+82.165.159.4	permit
+82.165.159.12	permit
+82.165.159.13	permit
+82.165.159.14	permit
+82.165.159.34	permit
+82.165.159.35	permit
+82.165.159.40	permit
+82.165.159.41	permit
+82.165.159.42	permit
+82.165.159.45	permit
+82.165.159.130	permit
+82.165.159.131	permit
 84.116.6.0/23	permit
 84.116.36.0/24	permit
 84.116.50.0/23	permit
 85.158.136.0/21	permit
 86.61.88.25	permit
-87.198.219.130	permit
-87.198.219.153	permit
 87.238.80.0/21	permit
 87.248.103.12	permit
 87.248.103.21	permit
@@ -676,6 +617,7 @@
 87.253.232.0/21	permit
 89.22.108.0/24	permit
 91.211.240.0/22	permit
+94.169.2.0/23	permit
 94.245.112.0/27	permit
 94.245.112.10/31	permit
 95.131.104.0/21	permit
@@ -689,7 +631,6 @@
 98.136.44.181	permit
 98.136.44.182/31	permit
 98.136.44.184	permit
-98.136.164.0/24	permit
 98.136.164.36/31	permit
 98.136.164.64/29	permit
 98.136.164.72/30	permit
@@ -697,7 +638,6 @@
 98.136.164.78	permit
 98.136.172.32/30	permit
 98.136.172.36/31	permit
-98.136.185.0/24	permit
 98.136.185.29	permit
 98.136.185.42/31	permit
 98.136.185.46	permit
@@ -732,7 +672,6 @@
 98.136.215.184	permit
 98.136.215.208/30	permit
 98.136.215.212/31	permit
-98.136.217.0/24	permit
 98.136.217.1	permit
 98.136.217.2	permit
 98.136.217.3	permit
@@ -742,14 +681,12 @@
 98.136.217.12/30	permit
 98.136.217.16/30	permit
 98.136.217.20/30	permit
-98.136.218.0/24	permit
 98.136.218.39	permit
 98.136.218.40/29	permit
 98.136.218.48/28	permit
 98.136.218.67	permit
 98.136.218.68/30	permit
 98.136.218.72/30	permit
-98.137.12.0/24	permit
 98.137.12.48/30	permit
 98.137.12.52/31	permit
 98.137.12.54	permit
@@ -787,7 +724,6 @@
 98.137.13.132	permit
 98.137.13.137	permit
 98.137.13.138	permit
-98.137.64.0/21	permit
 98.137.64.0/24	permit
 98.137.65.0/24	permit
 98.137.66.0/24	permit
@@ -811,7 +747,6 @@
 98.138.83.176/31	permit
 98.138.83.179	permit
 98.138.83.180/31	permit
-98.138.84.0/22	permit
 98.138.84.37	permit
 98.138.84.38/31	permit
 98.138.84.40/29	permit
@@ -852,7 +787,6 @@
 98.138.87.148/31	permit
 98.138.87.192/30	permit
 98.138.87.196/31	permit
-98.138.88.0/22	permit
 98.138.88.105	permit
 98.138.88.106	permit
 98.138.88.128/30	permit
@@ -892,7 +826,6 @@
 98.138.91.2/31	permit
 98.138.91.4/31	permit
 98.138.91.6	permit
-98.138.100.0/23	permit
 98.138.100.220/30	permit
 98.138.100.224/30	permit
 98.138.100.228/31	permit
@@ -902,7 +835,6 @@
 98.138.104.100	permit
 98.138.104.112/30	permit
 98.138.104.116	permit
-98.138.120.0/24	permit
 98.138.120.36/30	permit
 98.138.120.48/28	permit
 98.138.197.46/31	permit
@@ -995,12 +927,10 @@
 98.138.213.238/31	permit
 98.138.213.240/31	permit
 98.138.213.242	permit
-98.138.215.0/24	permit
 98.138.215.12/30	permit
 98.138.215.16/28	permit
 98.138.217.216/30	permit
 98.138.217.220/31	permit
-98.138.226.0/24	permit
 98.138.226.30/31	permit
 98.138.226.56/29	permit
 98.138.226.64/30	permit
@@ -1026,21 +956,18 @@
 98.138.227.108/31	permit
 98.138.227.128/30	permit
 98.138.227.132/31	permit
-98.138.229.0/24	permit
 98.138.229.24/29	permit
 98.138.229.32/31	permit
 98.138.229.122/31	permit
 98.138.229.138/31	permit
 98.138.229.154/31	permit
 98.138.229.170/31	permit
-98.139.164.0/24	permit
 98.139.164.96/30	permit
 98.139.164.100/30	permit
 98.139.164.104/29	permit
 98.139.164.112/30	permit
 98.139.172.112/30	permit
 98.139.172.116/31	permit
-98.139.175.0/24	permit
 98.139.175.65	permit
 98.139.175.66/31	permit
 98.139.175.68/30	permit
@@ -1065,10 +992,8 @@
 98.139.210.196/31	permit
 98.139.210.202/31	permit
 98.139.210.204/30	permit
-98.139.211.0/24	permit
 98.139.211.160/30	permit
 98.139.211.192/28	permit
-98.139.212.0/23	permit
 98.139.212.160/28	permit
 98.139.212.176/29	permit
 98.139.212.184/30	permit
@@ -1083,7 +1008,6 @@
 98.139.214.155	permit
 98.139.214.156/30	permit
 98.139.214.221	permit
-98.139.215.0/24	permit
 98.139.215.228/31	permit
 98.139.215.230	permit
 98.139.215.248/30	permit
@@ -1142,14 +1066,12 @@
 98.139.220.243	permit
 98.139.220.245	permit
 98.139.220.253	permit
-98.139.221.0/24	permit
 98.139.221.43	permit
 98.139.221.60/30	permit
 98.139.221.156/30	permit
 98.139.221.232/30	permit
 98.139.221.236/31	permit
 98.139.221.250	permit
-98.139.244.0/24	permit
 98.139.244.47	permit
 98.139.244.49	permit
 98.139.244.50/31	permit
@@ -1204,7 +1126,6 @@
 104.47.108.0/23	permit
 104.130.96.0/28	permit
 104.130.122.0/23	permit
-104.214.25.77	permit
 106.10.144.64/27	permit
 106.10.144.100/31	permit
 106.10.144.103	permit
@@ -1230,7 +1151,6 @@
 106.10.146.52/31	permit
 106.10.146.224/30	permit
 106.10.146.228/31	permit
-106.10.148.0/24	permit
 106.10.148.48/30	permit
 106.10.148.52/31	permit
 106.10.148.68/30	permit
@@ -1243,7 +1163,6 @@
 106.10.149.30	permit
 106.10.149.160/30	permit
 106.10.149.164/31	permit
-106.10.150.0/23	permit
 106.10.150.23	permit
 106.10.150.24/30	permit
 106.10.150.28/31	permit
@@ -1282,7 +1201,6 @@
 106.10.151.250/31	permit
 106.10.151.252/31	permit
 106.10.151.254	permit
-106.10.167.0/24	permit
 106.10.167.72	permit
 106.10.167.128/27	permit
 106.10.167.160/28	permit
@@ -1304,7 +1222,6 @@
 106.10.174.120/30	permit
 106.10.174.154/31	permit
 106.10.174.156/30	permit
-106.10.176.0/24	permit
 106.10.176.32/29	permit
 106.10.176.48	permit
 106.10.176.112	permit
@@ -1323,7 +1240,6 @@
 106.10.196.43	permit
 106.10.196.44/30	permit
 106.10.196.48	permit
-106.10.240.0/22	permit
 106.10.240.0/24	permit
 106.10.241.0/24	permit
 106.10.242.0/24	permit
@@ -1331,6 +1247,8 @@
 106.10.244.0/24	permit
 106.39.212.64/29	permit
 106.50.16.0/28	permit
+107.20.18.111	permit
+107.20.210.250	permit
 108.174.0.0/24	permit
 108.174.0.215	permit
 108.174.3.0/24	permit
@@ -1341,6 +1259,7 @@
 108.175.30.45	permit
 108.177.8.0/21	permit
 108.177.96.0/19	permit
+108.179.144.0/20	permit
 109.237.142.0/24	permit
 111.221.23.128/25	permit
 111.221.26.0/27	permit
@@ -1349,7 +1268,6 @@
 111.221.112.0/21	permit
 112.19.199.64/29	permit
 112.19.242.64/29	permit
-116.214.12.0/24	permit
 116.214.12.47	permit
 116.214.12.48/31	permit
 116.214.12.56/31	permit
@@ -1365,10 +1283,7 @@
 117.120.16.0/21	permit
 119.42.242.52/31	permit
 119.42.242.156	permit
-121.244.91.48	permit
-122.15.156.182	permit
 123.126.78.64/29	permit
-124.108.96.0/24	permit
 124.108.96.24/31	permit
 124.108.96.28/31	permit
 124.108.96.70/31	permit
@@ -1423,24 +1338,14 @@
 134.170.141.64/26	permit
 134.170.143.0/24	permit
 134.170.174.0/24	permit
-135.84.80.0/24	permit
-135.84.81.0/24	permit
-135.84.82.0/24	permit
-135.84.83.0/24	permit
 135.84.216.0/22	permit
-136.143.160.0/24	permit
-136.143.161.0/24	permit
-136.143.182.0/23	permit
-136.143.184.0/24	permit
-136.143.188.0/24	permit
-136.143.190.0/23	permit
 136.147.128.0/20	permit
 136.147.135.0/24	permit
 136.147.176.0/20	permit
 136.147.176.0/24	permit
 136.147.182.0/24	permit
+136.147.224.0/20	permit
 136.179.50.206	permit
-138.91.172.26	permit
 139.60.152.0/22	permit
 139.138.35.44	permit
 139.138.46.121	permit
@@ -1451,6 +1356,12 @@
 139.180.17.0/24	permit
 141.148.159.229	permit
 141.193.32.0/23	permit
+141.193.184.32/27	permit
+141.193.184.64/26	permit
+141.193.184.128/25	permit
+141.193.185.32/27	permit
+141.193.185.64/26	permit
+141.193.185.128/25	permit
 143.55.224.0/21	permit
 143.55.232.0/22	permit
 143.55.236.0/22	permit
@@ -1464,8 +1375,7 @@
 144.178.38.0/24	permit
 145.253.228.160/29	permit
 145.253.239.128/29	permit
-146.20.14.105	permit
-146.20.14.107	permit
+146.20.14.104/30	permit
 146.20.112.0/26	permit
 146.20.113.0/24	permit
 146.20.191.0/24	permit
@@ -1480,11 +1390,13 @@
 148.105.0.0/16	permit
 148.105.8.0/21	permit
 149.72.0.0/16	permit
+149.72.223.204	permit
 149.72.248.236	permit
 149.97.173.180	permit
 150.230.98.160	permit
 152.67.105.195	permit
 152.69.200.236	permit
+152.70.155.126	permit
 155.248.208.51	permit
 157.55.0.192/26	permit
 157.55.1.128/26	permit
@@ -1495,7 +1407,6 @@
 157.55.61.0/24	permit
 157.55.157.128/25	permit
 157.55.225.0/25	permit
-157.55.254.216	permit
 157.56.24.0/25	permit
 157.56.120.128/26	permit
 157.56.232.0/21	permit
@@ -1537,14 +1448,11 @@
 161.71.64.0/20	permit
 162.247.216.0/22	permit
 163.47.180.0/22	permit
-163.47.180.0/23	permit
 163.114.130.16	permit
 163.114.132.120	permit
-164.177.132.168	permit
-164.177.132.169	permit
-164.177.132.170	permit
-164.177.132.171	permit
-165.173.128.0/24	permit
+163.114.134.16	permit
+163.114.135.16	permit
+164.177.132.168/30	permit
 166.78.68.0/22	permit
 166.78.68.221	permit
 166.78.69.169	permit
@@ -1553,6 +1461,7 @@
 167.89.0.0/17	permit
 167.89.46.159	permit
 167.89.54.103	permit
+167.89.60.95	permit
 167.89.64.9	permit
 167.89.65.0	permit
 167.89.65.53	permit
@@ -1564,8 +1473,6 @@
 167.89.75.164	permit
 167.89.101.2	permit
 167.89.101.192/28	permit
-167.216.129.210	permit
-167.216.131.180	permit
 167.220.67.232/29	permit
 168.138.5.36	permit
 168.138.73.51	permit
@@ -1573,10 +1480,6 @@
 168.245.12.252	permit
 168.245.46.9	permit
 168.245.127.231	permit
-169.148.129.0/24	permit
-169.148.131.0/24	permit
-169.148.142.10	permit
-169.148.144.0/25	permit
 170.10.68.0/22	permit
 170.10.128.0/24	permit
 170.10.129.0/24	permit
@@ -1614,14 +1517,14 @@
 182.50.76.0/22	permit
 182.50.78.64/28	permit
 183.240.219.64/29	permit
-185.4.120.0/23	permit
-185.4.122.0/24	permit
+185.4.120.0/22	permit
 185.12.80.0/22	permit
 185.58.84.93	permit
 185.80.93.204	permit
 185.80.93.227	permit
 185.80.95.31	permit
 185.90.20.0/22	permit
+185.138.56.128/25	permit
 185.189.236.0/22	permit
 185.211.120.0/22	permit
 185.250.236.0/22	permit
@@ -1638,7 +1541,6 @@
 188.125.68.184	permit
 188.125.68.186	permit
 188.125.68.192	permit
-188.125.69.0/24	permit
 188.125.69.105	permit
 188.125.69.110	permit
 188.125.69.112	permit
@@ -1681,9 +1583,6 @@
 192.0.64.0/18	permit
 192.18.139.154	permit
 192.30.252.0/22	permit
-192.64.236.0/24	permit
-192.64.237.0/24	permit
-192.64.238.0/24	permit
 192.161.144.0/20	permit
 192.162.87.0/24	permit
 192.237.158.0/23	permit
@@ -1699,7 +1598,6 @@
 193.122.128.100	permit
 193.123.56.63	permit
 194.19.134.0/25	permit
-194.64.234.128/27	permit
 194.64.234.129	permit
 194.106.220.0/23	permit
 194.113.24.0/22	permit
@@ -1725,6 +1623,9 @@
 198.61.254.231	permit
 198.178.234.57	permit
 198.244.48.0/20	permit
+198.244.59.30	permit
+198.244.59.33	permit
+198.244.59.35	permit
 198.244.60.0/22	permit
 198.245.80.0/20	permit
 198.245.81.0/24	permit
@@ -1733,13 +1634,7 @@
 199.16.156.0/22	permit
 199.33.145.1	permit
 199.33.145.32	permit
-199.34.22.36	permit
 199.59.148.0/22	permit
-199.67.80.2	permit
-199.67.82.2	permit
-199.67.84.0/24	permit
-199.67.86.0/24	permit
-199.67.88.0/24	permit
 199.101.161.130	permit
 199.101.162.0/25	permit
 199.122.120.0/21	permit
@@ -1764,7 +1659,6 @@
 203.188.194.251	permit
 203.188.195.240/30	permit
 203.188.195.244/31	permit
-203.188.197.0/24	permit
 203.188.197.193	permit
 203.188.197.194/31	permit
 203.188.197.196/30	permit
@@ -1774,7 +1668,6 @@
 203.188.197.216/29	permit
 203.188.197.232/29	permit
 203.188.197.240/29	permit
-203.188.200.0/24	permit
 203.188.200.56/31	permit
 203.188.200.58	permit
 203.188.200.60/30	permit
@@ -1790,19 +1683,14 @@
 203.209.230.76/31	permit
 204.11.168.0/21	permit
 204.13.11.48/29	permit
-204.13.11.48/30	permit
 204.14.232.0/21	permit
 204.14.232.64/28	permit
 204.14.234.64/28	permit
-204.29.186.0/23	permit
 204.75.142.0/24	permit
 204.79.197.212	permit
 204.92.114.187	permit
 204.92.114.203	permit
 204.92.114.204/31	permit
-204.132.224.66	permit
-204.141.32.0/23	permit
-204.141.42.0/23	permit
 204.220.160.0/20	permit
 204.232.168.0/24	permit
 205.139.110.0/24	permit
@@ -1821,6 +1709,7 @@
 205.251.233.36	permit
 206.25.247.143	permit
 206.25.247.155	permit
+206.55.144.0/20	permit
 206.165.246.80/29	permit
 206.191.224.0/19	permit
 206.246.157.1	permit
@@ -1838,14 +1727,12 @@
 207.46.132.128/27	permit
 207.46.198.0/25	permit
 207.46.200.0/27	permit
-207.46.225.107	permit
 207.58.147.64/28	permit
 207.67.38.0/24	permit
 207.67.98.192/27	permit
 207.68.176.0/26	permit
 207.68.176.96/27	permit
-207.97.204.96	permit
-207.97.204.97	permit
+207.97.204.96/29	permit
 207.126.144.0/20	permit
 207.171.160.0/19	permit
 207.211.30.64/26	permit
@@ -1859,11 +1746,7 @@
 208.43.21.28/30	permit
 208.43.21.64/29	permit
 208.43.21.72/30	permit
-208.46.212.80	permit
-208.46.212.208/31	permit
-208.46.212.210	permit
 208.64.132.0/22	permit
-208.71.40.0/24	permit
 208.71.40.63	permit
 208.71.40.64/31	permit
 208.71.40.174/31	permit
@@ -1882,18 +1765,15 @@
 208.71.41.172/31	permit
 208.71.41.188/30	permit
 208.71.41.192/31	permit
-208.71.42.0/24	permit
 208.71.42.190/31	permit
 208.71.42.192/28	permit
 208.71.42.208/30	permit
 208.71.42.212/31	permit
 208.71.42.214	permit
 208.72.249.240/29	permit
-208.74.204.0/22	permit
+208.74.204.5	permit
 208.74.204.9	permit
 208.75.120.0/22	permit
-208.75.121.246	permit
-208.75.122.246	permit
 208.82.237.96/29	permit
 208.82.237.104/31	permit
 208.82.238.96/29	permit
@@ -1912,10 +1792,8 @@
 209.67.98.46	permit
 209.67.98.59	permit
 209.85.128.0/17	permit
-212.82.96.0/24	permit
 212.82.96.32/27	permit
 212.82.96.64/29	permit
-212.82.98.0/24	permit
 212.82.98.32/29	permit
 212.82.98.64/27	permit
 212.82.98.96/30	permit
@@ -1952,12 +1830,41 @@
 212.82.111.228/31	permit
 212.82.111.230	permit
 212.123.28.40	permit
-212.227.15.0/24	permit
-212.227.15.0/25	permit
-212.227.17.0/27	permit
-212.227.126.128/25	permit
+212.227.15.3	permit
+212.227.15.4	permit
+212.227.15.5	permit
+212.227.15.6	permit
+212.227.15.14	permit
+212.227.15.15	permit
+212.227.15.18	permit
+212.227.15.19	permit
+212.227.15.25	permit
+212.227.15.26	permit
+212.227.15.29	permit
+212.227.15.44	permit
+212.227.15.45	permit
+212.227.15.46	permit
+212.227.15.47	permit
+212.227.15.50	permit
+212.227.15.52	permit
+212.227.15.53	permit
+212.227.15.54	permit
+212.227.15.55	permit
+212.227.17.11	permit
+212.227.17.12	permit
+212.227.17.18	permit
+212.227.17.19	permit
+212.227.17.20	permit
+212.227.17.21	permit
+212.227.17.22	permit
+212.227.17.26	permit
+212.227.17.28	permit
+212.227.17.29	permit
+212.227.126.224	permit
+212.227.126.225	permit
+212.227.126.226	permit
+212.227.126.227	permit
 213.46.255.0/24	permit
-213.165.64.0/23	permit
 213.199.128.139	permit
 213.199.128.145	permit
 213.199.138.181	permit
@@ -1968,7 +1875,6 @@
 216.17.150.251	permit
 216.22.15.224/27	permit
 216.24.224.0/20	permit
-216.39.60.0/23	permit
 216.39.60.154/31	permit
 216.39.60.156/30	permit
 216.39.60.160/30	permit
@@ -1986,14 +1892,12 @@
 216.39.61.170	permit
 216.39.61.175	permit
 216.39.61.238/31	permit
-216.39.62.0/24	permit
 216.39.62.32/28	permit
 216.39.62.48/29	permit
 216.39.62.56/30	permit
 216.39.62.60/31	permit
 216.39.62.136/29	permit
 216.39.62.144/31	permit
-216.46.168.0/24	permit
 216.58.192.0/19	permit
 216.66.217.240/29	permit
 216.71.138.33	permit
@@ -2006,12 +1910,8 @@
 216.98.158.0/24	permit
 216.99.5.67	permit
 216.99.5.68	permit
-216.109.114.0/24	permit
 216.109.114.32/27	permit
 216.109.114.64/29	permit
-216.113.160.0/24	permit
-216.113.172.0/25	permit
-216.113.175.0/24	permit
 216.128.126.97	permit
 216.136.162.65	permit
 216.136.162.120/29	permit
@@ -2021,10 +1921,10 @@
 216.203.30.55	permit
 216.203.33.178/31	permit
 216.205.24.0/24	permit
+216.221.160.0/19	permit
 216.239.32.0/19	permit
-217.72.192.64/26	permit
-217.72.192.248/29	permit
-217.72.207.0/27	permit
+217.72.192.77	permit
+217.72.192.78	permit
 217.77.141.52	permit
 217.77.141.59	permit
 217.175.194.0/24	permit
@@ -2050,6 +1950,8 @@
 2620:109:c00d:104::/64	permit
 2620:10d:c090:400::8:1	permit
 2620:10d:c091:400::8:1	permit
+2620:10d:c09b:400::8:1	permit
+2620:10d:c09c:400::8:1	permit
 2620:119:50c0:207::/64	permit
 2620:119:50c0:207::215	permit
 2800:3f0:4000::/36	permit

data/conf/rspamd/dynmaps/footer.php

@@ -56,21 +56,42 @@ $empty_footer = json_encode(array(
 error_log("FOOTER: checking for domain " . $domain . ", user " . $username . " and address " . $from . PHP_EOL);
 
 try {
-  $stmt = $pdo->prepare("SELECT `plain`, `html`, `mbox_exclude`, `skip_replies` FROM `domain_wide_footer` 
+  // try get $target_domain if $domain is an alias_domain
+  $stmt = $pdo->prepare("SELECT `target_domain` FROM `alias_domain` 
+    WHERE `alias_domain` = :alias_domain");
+  $stmt->execute(array(
+    ':alias_domain' => $domain
+  ));
+  $alias_domain = $stmt->fetch(PDO::FETCH_ASSOC);
+  if (!$alias_domain) {
+    $target_domain = $domain;
+  } else {
+    $target_domain = $alias_domain['target_domain'];
+  }
+
+  // get footer associated with the domain
+  $stmt = $pdo->prepare("SELECT `plain`, `html`, `mbox_exclude`, `alias_domain_exclude`, `skip_replies` FROM `domain_wide_footer` 
     WHERE `domain` = :domain");
   $stmt->execute(array(
-    ':domain' => $domain
+    ':domain' => $target_domain
   ));
   $footer = $stmt->fetch(PDO::FETCH_ASSOC);
+
+  // check if the sender is excluded
   if (in_array($from, json_decode($footer['mbox_exclude']))){
     $footer = false;
   }
+  if (in_array($domain, json_decode($footer['alias_domain_exclude']))){
+    $footer = false;
+  }
   if (empty($footer)){
     echo $empty_footer;
     exit;
   }
   error_log("FOOTER: " . json_encode($footer) . PHP_EOL);
 
+  // footer will be applied
+  // get custom mailbox attributes to insert into the footer
   $stmt = $pdo->prepare("SELECT `custom_attributes` FROM `mailbox` WHERE `username` = :username");
   $stmt->execute(array(
     ':username' => $username

data/conf/rspamd/local.d/composites.conf

@@ -21,6 +21,10 @@ FREEMAIL_TO_UNDISC_RCPT {
 SOGO_CONTACT_EXCLUDE {
   expression = "(-WHITELISTED_FWD_HOST | -g+:policies) & ^SOGO_CONTACT & !DMARC_POLICY_ALLOW";
 }
+# Remove MAILCOW_WHITE symbol for senders with broken policy recieved not from fwd hosts
+MAILCOW_WHITE_EXCLUDE {
+  expression = "^MAILCOW_WHITE & (-DMARC_POLICY_REJECT | -DMARC_POLICY_QUARANTINE | -R_SPF_PERMFAIL) & !WHITELISTED_FWD_HOST";
+}
 # Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
 SPOOFED_UNAUTH {
   expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
@@ -103,4 +107,4 @@ CLAMD_JS_MALWARE {
   expression = "CLAM_SECI_JS & !MAILCOW_WHITE";
   description = "JS malware found, Securite JS malware Flag set through ClamAV";
   score = 8;
-}
+}

data/conf/rspamd/local.d/options.inc

@@ -6,3 +6,4 @@ disable_monitoring = true;
 # In case a task times out (like DNS lookup), soft reject the message
 # instead of silently accepting the message without further processing.
 soft_reject_on_timeout = true;
+local_addrs = /etc/rspamd/custom/mailcow_networks.map;

data/conf/rspamd/local.d/rbl.conf

@@ -1,23 +1,8 @@
 rbls {
-  sorbs { 
-    symbol = "RBL_SORBS"; 
-    rbl = "dnsbl.sorbs.net";  
-    returncodes { 
-      # http:// www.sorbs.net/general/using.shtml 
-      RBL_SORBS_HTTP = "127.0.0.2"; 
-      RBL_SORBS_SOCKS = "127.0.0.3";  
-      RBL_SORBS_MISC = "127.0.0.4"; 
-      RBL_SORBS_SMTP = "127.0.0.5"; 
-      RBL_SORBS_RECENT = "127.0.0.6"; 
-      RBL_SORBS_WEB = "127.0.0.7";  
-      RBL_SORBS_DUL = "127.0.0.10"; 
-      RBL_SORBS_BLOCK = "127.0.0.8";  
-      RBL_SORBS_ZOMBIE = "127.0.0.9"; 
-    } 
-  }
   interserver_ip {
     symbol = "RBL_INTERSERVER_IP";
     rbl = "rbl.interserver.net";
+    from = true;
     ipv6 = false;
     returncodes {
       RBL_INTERSERVER_BAD_IP = "127.0.0.2";
@@ -35,4 +20,7 @@ rbls {
       RBL_INTERSERVER_BAD_URI = "127.0.0.2";
     }
   }
-}
+
+.include(try=true,override=true,priority=5) "$LOCAL_CONFDIR/custom/dqs-rbl.conf"  
+
+}

data/conf/rspamd/local.d/rbl_group.conf

@@ -5,46 +5,6 @@ symbols = {
   "RBL_UCEPROTECT_LEVEL2" {
     score = 1.5;
   }
-  "RBL_SORBS" { 
-    score = 0.0;  
-    description = "Unrecognised result from SORBS RBL"; 
-  } 
-  "RBL_SORBS_HTTP" {  
-    score = 2.5;  
-    description = "List of Open HTTP Proxy Servers."; 
-  } 
-  "RBL_SORBS_SOCKS" { 
-    score = 2.5;  
-    description = "List of Open SOCKS Proxy Servers.";  
-  } 
-  "RBL_SORBS_MISC" {  
-    score = 1.0;  
-    description = "List of open Proxy Servers not listed in the SOCKS or HTTP lists.";  
-  } 
-  "RBL_SORBS_SMTP" {  
-    score = 4.0;  
-    description = "List of Open SMTP relay servers."; 
-  } 
-  "RBL_SORBS_RECENT" {  
-    score = 2.0;  
-    description = "List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS within the last 28 days (includes new.spam.dnsbl.sorbs.net)."; 
-  } 
-  "RBL_SORBS_WEB" { 
-    score = 2.0;  
-    description = "List of web (WWW) servers which have spammer abusable vulnerabilities (e.g. FormMail scripts)";  
-  } 
-  "RBL_SORBS_DUL" { 
-    score = 2.0;  
-    description = "Dynamic IP Address ranges (NOT a Dial Up list!)";  
-  } 
-  "RBL_SORBS_BLOCK" { 
-    score = 0.5;  
-    description = "List of hosts demanding that they never be tested by SORBS.";  
-  } 
-  "RBL_SORBS_ZOMBIE" {  
-    score = 2.0;  
-    description = "List of networks hijacked from their original owners, some of which have already used for spamming.";  
-  }
   "RECEIVED_SPAMHAUS_XBL" {
     weight = 0.0;
     description = "Received address is listed in ZEN XBL";
@@ -57,4 +17,261 @@ symbols = {
     score = 4.0;
     description = "Listed on Interserver RBL";
   }
+
+  "SPAMHAUS_ZEN" {
+      weight = 7.0;
+      }
+  "SH_AUTHBL_RECEIVED" {
+      weight = 4.0;
+      }
+  "RBL_DBL_SPAM" {
+      weight = 7.0;
+      }
+  "RBL_DBL_PHISH" {
+      weight = 7.0;
+      }
+  "RBL_DBL_MALWARE" {
+      weight = 7.0;
+      }
+  "RBL_DBL_BOTNET" {
+      weight = 7.0;
+      }
+  "RBL_DBL_ABUSED_SPAM" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_PHISH" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_MALWARE" {
+      weight = 3.0;
+      }
+  "RBL_DBL_ABUSED_BOTNET" {
+      weight = 3.0;
+      }
+  "RBL_ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "RBL_ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "SH_EMAIL_DBL" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_DBL_ABUSED" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_ZRD_VERY_FRESH_DOMAIN" {
+      weight = 7.0;
+      }
+  "SH_EMAIL_ZRD_FRESH_DOMAIN" {
+      weight = 4.0;
+      }
+  "RBL_DBL_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "RBL_ZRD_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "SH_EMAIL_ZRD_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "SH_EMAIL_DBL_DONT_QUERY_IPS" {
+      weight = 0.0;
+      }
+  "DBL" {
+      weight = 0.0;
+      description = "DBL unknown result";
+      groups = ["spamhaus"];
+  }
+  "DBL_SPAM" {
+      weight = 7;
+      description = "DBL uribl spam";
+      groups = ["spamhaus"];
+  }
+  "DBL_PHISH" {
+      weight = 7;
+      description = "DBL uribl phishing";
+      groups = ["spamhaus"];
+  }
+  "DBL_MALWARE" {
+      weight = 7;
+      description = "DBL uribl malware";
+      groups = ["spamhaus"];
+  }
+  "DBL_BOTNET" {
+      weight = 7;
+      description = "DBL uribl botnet C&C domain";
+      groups = ["spamhaus"];
+  }
+
+
+  "DBLABUSED_SPAM_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit spam";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_PHISH_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit phish";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_MALWARE_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit malware";
+      groups = ["spamhaus"];
+  }
+  "DBLABUSED_BOTNET_FULLURLS" {
+      weight = 5.5;
+      description = "DBL uribl abused legit botnet";
+      groups = ["spamhaus"];
+  }
+  
+  "DBL_ABUSE" {
+      weight = 5.5;
+      description = "DBL uribl abused legit spam";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_REDIR" {
+      weight = 1.5;
+      description = "DBL uribl abused spammed redirector domain";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_PHISH" {
+      weight = 5.5;
+      description = "DBL uribl abused legit phish";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_MALWARE" {
+      weight = 5.5;
+      description = "DBL uribl abused legit malware";
+      groups = ["spamhaus"];
+  }
+  "DBL_ABUSE_BOTNET" {
+      weight = 5.5;
+      description = "DBL uribl abused legit botnet C&C";
+      groups = ["spamhaus"];
+  }
+  "DBL_PROHIBIT" {
+      weight = 0.0;
+      description = "DBL uribl IP queries prohibited!";
+      groups = ["spamhaus"];
+  }
+  "DBL_BLOCKED_OPENRESOLVER" {
+    weight = 0.0;
+    description = "You are querying Spamhaus from an open resolver, please see https://www.spamhaus.org/returnc/pub/";
+    groups = ["spamhaus"];
+  }
+  "DBL_BLOCKED" {
+    weight = 0.0;
+    description = "You are exceeding the query limit, please see https://www.spamhaus.org/returnc/vol/";
+    groups = ["spamhaus"];
+  }
+  "SPAMHAUS_ZEN_URIBL" {
+      weight = 0.0;
+      description = "Spamhaus ZEN URIBL: Filtered result";
+      groups = ["spamhaus"];
+  }
+  "URIBL_SBL" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_SBL_CSS" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus SBL CSS";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_PBL" {
+      weight = 0.01;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus PBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_DROP" {
+      weight = 6.5;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus DROP";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "URIBL_XBL" {
+      weight = 5.0;
+      description = "A domain in the message body resolves to an IP listed in Spamhaus XBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+  "SPAMHAUS_SBL_URL" {
+      weight = 6.5;
+      description = "A numeric URL in the message body is listed in Spamhaus SBL";
+      one_shot = true;
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_EMAIL" {
+      weight = 7;
+      description = "Email listed in HBL";
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_FILE_MALICIOUS" {
+      weight = 7;
+      description = "An attachment hash is listed in Spamhaus HBL as malicious";
+      groups = ["spamhaus"];
+  }
+
+  "SH_HBL_FILE_SUSPICIOUS" {
+      weight = 5;
+      description = "An attachment hash is listed in Spamhaus HBL as suspicious";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_BTC" {
+      score = 7;
+      description = "Bitcoin found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_ETH" {
+      score = 7;
+      description = "Ethereum found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_BCH" {
+      score = 7;
+      description = "Bitcoinhash found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_XMR" {
+      score = 7;
+      description = "Monero found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_LTC" {
+      score = 7;
+      description = "Litecoin found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_CW_XRP" {
+      score = 7;
+      description = "Ripple found in Spamhaus cryptowallet list";
+      groups = ["spamhaus"];
+  }
+
+  "RBL_SPAMHAUS_HBL_URL" {
+      score = 7;
+      description = "URL found in spamhaus HBL blocklist";
+      groups = ["spamhaus"];
+  }
+
 }

data/conf/rspamd/local.d/statistic.conf

@@ -1,12 +1,14 @@
 classifier "bayes" {
+    # name = "custom";  # 'name' parameter must be set if multiple classifiers are defined
+    learn_condition = 'return require("lua_bayes_learn").can_learn';
+    new_schema = true;
     tokenizer {
       name = "osb";
     }
     backend = "redis";
     min_tokens = 11;
     min_learns = 5;
-    new_schema = true;
-    expire = 2592000;
+    expire = 7776000;
     statfile {
       symbol = "BAYES_HAM";
       spam = false;

data/conf/rspamd/lua/rspamd.local.lua

@@ -621,10 +621,24 @@ rspamd_config:register_symbol({
                   local nct = string.format('%s: %s/%s; charset=utf-8',
                       'Content-Type', rewrite.new_ct.type, rewrite.new_ct.subtype)
                   out[#out + 1] = nct
+                  -- update Content-Type header
+                  task:set_milter_reply({
+                    remove_headers = {['Content-Type'] = 0},
+                  })
+                  task:set_milter_reply({
+                    add_headers = {['Content-Type'] = string.format('%s/%s; charset=utf-8', rewrite.new_ct.type, rewrite.new_ct.subtype)}
+                  })
                   return
                 elseif name:lower() == 'content-transfer-encoding' then
                   out[#out + 1] = string.format('%s: %s',
                       'Content-Transfer-Encoding', 'quoted-printable')
+                  -- update Content-Transfer-Encoding header
+                  task:set_milter_reply({
+                    remove_headers = {['Content-Transfer-Encoding'] = 0},
+                  })
+                  task:set_milter_reply({
+                    add_headers = {['Content-Transfer-Encoding'] = 'quoted-printable'}
+                  })
                   seen_cte = true
                   return
                 end

data/conf/rspamd/meta_exporter/pipe.php

@@ -52,7 +52,7 @@ $headers = getallheaders();
 
 $qid      = $headers['X-Rspamd-Qid'];
 $fuzzy    = $headers['X-Rspamd-Fuzzy'];
-$subject  = $headers['X-Rspamd-Subject'];
+$subject  = iconv_mime_decode($headers['X-Rspamd-Subject']);
 $score    = $headers['X-Rspamd-Score'];
 $rcpts    = $headers['X-Rspamd-Rcpt'];
 $user     = $headers['X-Rspamd-User'];

data/conf/rspamd/meta_exporter/pushover.php

@@ -53,7 +53,7 @@ $qid      = $headers['X-Rspamd-Qid'];
 $rcpts    = $headers['X-Rspamd-Rcpt'];
 $sender   = $headers['X-Rspamd-From'];
 $ip       = $headers['X-Rspamd-Ip'];
-$subject  = $headers['X-Rspamd-Subject'];
+$subject  = iconv_mime_decode($headers['X-Rspamd-Subject']);
 $messageid= $json_body->message_id;
 $priority = 0;
 

data/conf/sogo/sogo.conf

@@ -16,6 +16,9 @@
     SOGoFoldersSendEMailNotifications = YES;
     SOGoForwardEnabled = YES;
 
+    // Option to set Users as admin to globally manage calendar permissions etc. Disabled by default
+    // SOGoSuperUsernames = ("moo@example.com");
+
     SOGoUIAdditionalJSFiles = (
       js/theme.js,
       js/custom-sogo.js
@@ -38,6 +41,7 @@
 
     SOGoLanguage = English;
     SOGoMailAuxiliaryUserAccountsEnabled = YES;
+    // SOGoCreateIdentitiesDisabled = NO;
     SOGoMailCustomFromEnabled = YES;
     SOGoMailingMechanism = smtp;
     SOGoSMTPAuthenticationType = plain;

data/web/admin.php

@@ -107,6 +107,7 @@ $template_data = [
   'f2b_banlist_url' => getBaseUrl() . "/api/v1/get/fail2ban/banlist/" . $f2b_data['banlist_id'],
   'q_data' => quarantine('settings'),
   'qn_data' => quota_notification('get'),
+  'pw_reset_data' => reset_password('get_notification'),
   'rsettings_map' => file_get_contents('http://nginx:8081/settings.php'),
   'rsettings' => $rsettings,
   'rspamd_regex_maps' => $rspamd_regex_maps,

data/web/debug.php

@@ -39,9 +39,13 @@ foreach ($containers as $container => $container_info) {
       $StartedAt['month'],
       $StartedAt['day'],
       $StartedAt['year']));
-    $user_tz = new DateTimeZone(getenv('TZ'));
-    $date->setTimezone($user_tz);
-    $started = $date->format('r');
+    try {
+      $user_tz = new DateTimeZone(getenv('TZ'));
+      $date->setTimezone($user_tz);
+      $started = $date->format('r');
+    } catch(Exception $e) {
+      $started = '?';
+    }
   }
   else {
     $started = '?';

data/web/edit.php

@@ -59,7 +59,8 @@ if (isset($_SESSION['mailcow_cc_role'])) {
             'domain_details' => $result,
             'domain_footer' => $domain_footer,
             'mailboxes' => mailbox('get', 'mailboxes', $_GET["domain"]),
-            'aliases' => mailbox('get', 'aliases', $_GET["domain"], 'address')
+            'aliases' => mailbox('get', 'aliases', $_GET["domain"], 'address'),
+            'alias_domains' => mailbox('get', 'alias_domains', $_GET["domain"])
           ];
       }
     }

data/web/inc/ajax/container_ctrl.php

@@ -1,4 +1,11 @@
 <?php
+
+// Block requests by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+  header('HTTP/1.1 403 Forbidden');
+  exit;
+}
+
 require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';
 if (!isset($_SESSION['mailcow_cc_role']) || $_SESSION['mailcow_cc_role'] != 'admin') {
 	exit();

data/web/inc/footer.inc.php

@@ -12,7 +12,8 @@ $alertbox_log_parser = alertbox_log_parser($_SESSION);
 $alerts = [];
 if (is_array($alertbox_log_parser)) {
   foreach ($alertbox_log_parser as $log) {
-    $message = strtr($log['msg'], ["\n" => '', "\r" => '', "\t" => '<br>']);
+    $message = htmlspecialchars($log['msg'], ENT_QUOTES);
+    $message = strtr($message, ["\n" => '', "\r" => '', "\t" => '<br>']);
     $alerts[trim($log['type'], '"')][] = trim($message, '"');
   }
   $alert = array_filter(array_unique($alerts));

data/web/inc/functions.inc.php

@@ -284,17 +284,17 @@ function last_login($action, $username, $sasl_limit_days = 7, $ui_offset = 1) {
             }
             if (!$sasl[$k]['location']) {
               $curl = curl_init();
-              curl_setopt($curl, CURLOPT_URL,"https://dfdata.bella.network/lookup/" . $sasl[$k]['real_rip']);
+              curl_setopt($curl, CURLOPT_URL,"https://dfdata.bella.network/country/" . $sasl[$k]['real_rip']);
               curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
               curl_setopt($curl, CURLOPT_USERAGENT, 'Moocow');
               curl_setopt($curl, CURLOPT_TIMEOUT, 5);
               $ip_data = curl_exec($curl);
               if (!curl_errno($curl)) {
                 $ip_data_array = json_decode($ip_data, true);
-                if ($ip_data_array !== false and !empty($ip_data_array['location']['shortcountry'])) {
-                  $sasl[$k]['location'] = $ip_data_array['location']['shortcountry'];
+                if ($ip_data_array !== false and !empty($ip_data_array['shortcountry'])) {
+                  $sasl[$k]['location'] = $ip_data_array['shortcountry'];
                     try {
-                      $redis->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['location']['shortcountry']);
+                      $redis->hSet('IP_SHORTCOUNTRY', $sasl[$k]['real_rip'], $ip_data_array['shortcountry']);
                     }
                     catch (RedisException $e) {
                       $_SESSION['return'][] = array(
@@ -1073,13 +1073,17 @@ function update_sogo_static_view($mailbox = null) {
 function edit_user_account($_data) {
   global $lang;
   global $pdo;
+
   $_data_log = $_data;
   !isset($_data_log['user_new_pass']) ?: $_data_log['user_new_pass'] = '*';
   !isset($_data_log['user_new_pass2']) ?: $_data_log['user_new_pass2'] = '*';
   !isset($_data_log['user_old_pass']) ?: $_data_log['user_old_pass'] = '*';
+
   $username = $_SESSION['mailcow_cc_username'];
   $role = $_SESSION['mailcow_cc_role'];
   $password_old = $_data['user_old_pass'];
+  $pw_recovery_email = $_data['pw_recovery_email'];
+
   if (filter_var($username, FILTER_VALIDATE_EMAIL === false) || $role != 'user') {
     $_SESSION['return'][] =  array(
       'type' => 'danger',
@@ -1088,20 +1092,24 @@ function edit_user_account($_data) {
     );
     return false;
   }
-  $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
-      WHERE `kind` NOT REGEXP 'location|thing|group'
-        AND `username` = :user");
-  $stmt->execute(array(':user' => $username));
-  $row = $stmt->fetch(PDO::FETCH_ASSOC);
-  if (!verify_hash($row['password'], $password_old)) {
-    $_SESSION['return'][] =  array(
-      'type' => 'danger',
-      'log' => array(__FUNCTION__, $_data_log),
-      'msg' => 'access_denied'
-    );
-    return false;
-  }
-  if (!empty($_data['user_new_pass']) && !empty($_data['user_new_pass2'])) {
+
+  // edit password
+  if (!empty($password_old) && !empty($_data['user_new_pass']) && !empty($_data['user_new_pass2'])) {
+    $stmt = $pdo->prepare("SELECT `password` FROM `mailbox`
+        WHERE `kind` NOT REGEXP 'location|thing|group'
+          AND `username` = :user");
+    $stmt->execute(array(':user' => $username));
+    $row = $stmt->fetch(PDO::FETCH_ASSOC);
+  
+    if (!verify_hash($row['password'], $password_old)) {
+      $_SESSION['return'][] =  array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $_data_log),
+        'msg' => 'access_denied'
+      );
+      return false;
+    }
+  
     $password_new = $_data['user_new_pass'];
     $password_new2  = $_data['user_new_pass2'];
     if (password_check($password_new, $password_new2) !== true) {
@@ -1116,8 +1124,29 @@ function edit_user_account($_data) {
       ':password_hashed' => $password_hashed,
       ':username' => $username
     ));
+  
+    update_sogo_static_view();
   }
-  update_sogo_static_view();
+  // edit password recovery email
+  elseif (isset($pw_recovery_email)) {
+    if (!isset($_SESSION['acl']['pw_reset']) || $_SESSION['acl']['pw_reset'] != "1" ) {
+      $_SESSION['return'][] = array(
+        'type' => 'danger',
+        'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+        'msg' => 'access_denied'
+      );
+      return false;
+    }
+
+    $pw_recovery_email = (!filter_var($pw_recovery_email, FILTER_VALIDATE_EMAIL)) ? '' : $pw_recovery_email;
+    $stmt = $pdo->prepare("UPDATE `mailbox` SET `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
+      WHERE `username` = :username");
+    $stmt->execute(array(
+      ':recovery_email' => $pw_recovery_email,
+      ':username' => $username
+    ));
+  }
+
   $_SESSION['return'][] =  array(
     'type' => 'success',
     'log' => array(__FUNCTION__, $_data_log),
@@ -1560,7 +1589,7 @@ function unset_tfa_key($_data) {
 }
 function get_tfa($username = null, $id = null) {
   global $pdo;
-  if (isset($_SESSION['mailcow_cc_username'])) {
+  if (empty($username) && isset($_SESSION['mailcow_cc_username'])) {
     $username = $_SESSION['mailcow_cc_username'];
   }
   elseif (empty($username)) {
@@ -2261,6 +2290,386 @@ function uuid4() {
 
   return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
 }
+function reset_password($action, $data = null) {
+  global $pdo;
+  global $redis;
+  global $mailcow_hostname;
+  global $PW_RESET_TOKEN_LIMIT;
+  global $PW_RESET_TOKEN_LIFETIME;
+
+	$_data_log = $data;
+  if (isset($_data_log['new_password'])) $_data_log['new_password'] = '*';
+  if (isset($_data_log['new_password2'])) $_data_log['new_password2'] = '*';
+
+  switch ($action) {
+    case 'check':
+      $token = $data;
+
+      $stmt = $pdo->prepare("SELECT `t1`.`username` FROM `reset_password` AS `t1` JOIN `mailbox` AS `t2` ON `t1`.`username` = `t2`.`username` WHERE `t1`.`token` = :token AND `t1`.`created` > DATE_SUB(NOW(), INTERVAL :lifetime MINUTE) AND `t2`.`active` = 1;");
+      $stmt->execute(array(
+        ':token' => preg_replace('/[^a-zA-Z0-9-]/', '', $token),
+        ':lifetime' => $PW_RESET_TOKEN_LIFETIME
+      ));
+      $return = $stmt->fetch(PDO::FETCH_ASSOC);
+      return empty($return['username']) ? false : $return['username'];
+    break;
+    case 'issue':
+      $username = $data;
+      
+      // perform cleanup
+      $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE created < DATE_SUB(NOW(), INTERVAL :lifetime MINUTE);");
+      $stmt->execute(array(':lifetime' => $PW_RESET_TOKEN_LIFETIME));
+
+      if (filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'access_denied'
+        );
+        return false;
+      }
+
+      $pw_reset_notification = reset_password('get_notification', 'raw');
+      if (!$pw_reset_notification) return false;
+      if (empty($pw_reset_notification['from']) || empty($pw_reset_notification['subject'])) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'password_reset_na'
+        );
+        return false;
+      }
+
+      $stmt = $pdo->prepare("SELECT * FROM `mailbox`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $mailbox_data = $stmt->fetch(PDO::FETCH_ASSOC);
+
+      if (empty($mailbox_data)) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'password_reset_invalid_user'
+        );
+        return false;
+      }
+
+      $mailbox_attr = json_decode($mailbox_data['attributes'], true);
+      if (empty($mailbox_attr['recovery_email']) || filter_var($mailbox_attr['recovery_email'], FILTER_VALIDATE_EMAIL) === false) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => "password_reset_invalid_user"
+        );
+        return false;
+      }
+
+      $stmt = $pdo->prepare("SELECT * FROM `reset_password`
+        WHERE `username` = :username");
+      $stmt->execute(array(':username' => $username));
+      $generated_token_count = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+      if ($generated_token_count >= $PW_RESET_TOKEN_LIMIT) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => "reset_token_limit_exceeded"
+        );
+        return false;
+      }
+
+      $token = implode('-', array(
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3))),
+        strtoupper(bin2hex(random_bytes(3)))
+      ));
+
+      $stmt = $pdo->prepare("INSERT INTO `reset_password` (`username`, `token`)
+        VALUES (:username, :token)");
+      $stmt->execute(array(
+        ':username' => $username,
+        ':token' => $token
+      ));
+
+      $reset_link = getBaseURL() . "/reset-password?token=" . $token;
+
+      $request_date = new DateTime();
+      $locale_date = locale_get_default();
+      $date_formatter = new IntlDateFormatter(
+        $locale_date, 
+        IntlDateFormatter::FULL, 
+        IntlDateFormatter::FULL
+      );
+      $formatted_request_date = $date_formatter->format($request_date);
+
+      // set template vars
+      // subject
+      $pw_reset_notification['subject'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['subject']);
+      $pw_reset_notification['subject'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['subject']);
+      $pw_reset_notification['subject'] = str_replace('{{username}}', $username, $pw_reset_notification['subject']);
+      $pw_reset_notification['subject'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['subject']);
+      $pw_reset_notification['subject'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['subject']);
+      $pw_reset_notification['subject'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['subject']);
+      // text
+      $pw_reset_notification['text_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['text_tmpl']);
+      $pw_reset_notification['text_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['text_tmpl']);
+      $pw_reset_notification['text_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['text_tmpl']);
+      $pw_reset_notification['text_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['text_tmpl']);
+      $pw_reset_notification['text_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['text_tmpl']);
+      $pw_reset_notification['text_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['text_tmpl']);
+      // html
+      $pw_reset_notification['html_tmpl'] = str_replace('{{hostname}}', $mailcow_hostname, $pw_reset_notification['html_tmpl']);
+      $pw_reset_notification['html_tmpl'] = str_replace('{{link}}', $reset_link, $pw_reset_notification['html_tmpl']);
+      $pw_reset_notification['html_tmpl'] = str_replace('{{username}}', $username, $pw_reset_notification['html_tmpl']);
+      $pw_reset_notification['html_tmpl'] = str_replace('{{username2}}', $mailbox_attr['recovery_email'], $pw_reset_notification['html_tmpl']);
+      $pw_reset_notification['html_tmpl'] = str_replace('{{date}}', $formatted_request_date, $pw_reset_notification['html_tmpl']);
+      $pw_reset_notification['html_tmpl'] = str_replace('{{token_lifetime}}', $PW_RESET_TOKEN_LIFETIME, $pw_reset_notification['html_tmpl']);
+
+
+      $email_sent = reset_password('send_mail', array(
+        "from" => $pw_reset_notification['from'],
+        "to" => $mailbox_attr['recovery_email'],
+        "subject" => $pw_reset_notification['subject'],
+        "text" => $pw_reset_notification['text_tmpl'],
+        "html" => $pw_reset_notification['html_tmpl']
+      ));
+
+      if (!$email_sent){
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => "recovery_email_failed"
+        );
+        return false;
+      }
+
+      list($localPart, $domainPart) = explode('@', $mailbox_attr['recovery_email']);
+      if (strlen($localPart) > 1) {
+        $maskedLocalPart = $localPart[0] . str_repeat('*', strlen($localPart) - 1);
+      } else {
+        $maskedLocalPart = "*";
+      }
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $action, $_data_log),
+        'msg' => array("recovery_email_sent", $maskedLocalPart . '@' . $domainPart)
+      );
+      return array(
+        "username" => $username,
+        "issue" => "success"
+      );
+    break;
+    case 'reset':
+      $token = $data['token'];
+      $new_password = $data['new_password'];
+      $new_password2 = $data['new_password2'];
+      $username = $data['username'];
+      $check_tfa = $data['check_tfa'];
+
+      if (!$username || !$token) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'invalid_reset_token'
+        );
+        return false;
+      }
+
+      # check new password
+      if (!password_check($new_password, $new_password2)) {
+        return false;
+      }
+
+      if ($check_tfa){
+        // check for tfa authenticators
+        $authenticators = get_tfa($username);
+        if (isset($authenticators['additional']) && is_array($authenticators['additional']) && count($authenticators['additional']) > 0) {
+          $_SESSION['pending_mailcow_cc_username'] = $username;
+          $_SESSION['pending_pw_reset_token'] = $token;
+          $_SESSION['pending_pw_new_password'] = $new_password;
+          $_SESSION['pending_tfa_methods'] = $authenticators['additional'];
+          $_SESSION['return'][] =  array(
+            'type' => 'info',
+            'log' => array(__FUNCTION__, $user, '*'),
+            'msg' => 'awaiting_tfa_confirmation'
+          );
+          return false;
+        }
+      }
+
+      # set new password
+      $password_hashed = hash_password($new_password);
+      $stmt = $pdo->prepare("UPDATE `mailbox` SET
+        `password` = :password_hashed,
+        `attributes` = JSON_SET(`attributes`, '$.passwd_update', NOW())
+        WHERE `username` = :username");
+      $stmt->execute(array(
+        ':password_hashed' => $password_hashed,
+        ':username' => $username
+      ));
+
+      // perform cleanup
+      $stmt = $pdo->prepare("DELETE FROM `reset_password` WHERE `username` = :username;");
+      $stmt->execute(array(
+        ':username' => $username
+      ));
+   
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $action, $_data_log),
+        'msg' => 'password_changed_success'
+      );
+      return true;
+    break;
+    case 'get_notification':
+      $type = $data;
+
+      try {
+        $settings['from'] = $redis->Get('PW_RESET_FROM');
+        $settings['subject'] = $redis->Get('PW_RESET_SUBJ');
+        $settings['html_tmpl'] = $redis->Get('PW_RESET_HTML');
+        $settings['text_tmpl'] = $redis->Get('PW_RESET_TEXT');
+        if (empty($settings['html_tmpl']) && empty($settings['text_tmpl'])) {
+          $settings['html_tmpl'] = file_get_contents("/tpls/pw_reset_html.tpl");
+          $settings['text_tmpl'] = file_get_contents("/tpls/pw_reset_text.tpl");
+        }
+
+        if ($type != "raw") {
+          $settings['html_tmpl'] = htmlspecialchars($settings['html_tmpl']);
+          $settings['text_tmpl'] = htmlspecialchars($settings['text_tmpl']);
+        }
+      }
+      catch (RedisException $e) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => array('redis_error', $e)
+        );
+        return false;
+      }
+
+      return $settings;
+    break;
+    case 'send_mail':
+      $from = $data['from'];
+      $to = $data['to'];
+      $text = $data['text'];
+      $html = $data['html'];
+      $subject = $data['subject'];
+    
+      if (!filter_var($from, FILTER_VALIDATE_EMAIL)) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'from_invalid'
+        );
+        return false;
+      }
+      if (!filter_var($to, FILTER_VALIDATE_EMAIL)) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'to_invalid'
+        );
+        return false;
+      }
+      if (empty($subject)) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'subject_empty'
+        );
+        return false;
+      }
+      if (empty($text)) {
+        $_SESSION['return'][] =  array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => 'text_empty'
+        );
+        return false;
+      }
+    
+      ini_set('max_execution_time', 0);
+      ini_set('max_input_time', 0);
+      $mail = new PHPMailer;
+      $mail->Timeout = 10;
+      $mail->SMTPOptions = array(
+        'ssl' => array(
+          'verify_peer' => false,
+          'verify_peer_name' => false,
+          'allow_self_signed' => true
+        )
+      );
+      $mail->isSMTP();
+      $mail->Host = 'postfix-mailcow';
+      $mail->SMTPAuth = false;
+      $mail->Port = 25;
+      $mail->setFrom($from);
+      $mail->Subject = $subject;
+      $mail->CharSet ="UTF-8";
+      if (!empty($html)) {
+        $mail->Body = $html;
+        $mail->AltBody = $text;
+      }
+      else {
+        $mail->Body = $text;
+      }
+      $mail->XMailer = 'MooMail';
+      $mail->AddAddress($to);
+      if (!$mail->send()) {
+        return false;
+      }
+      $mail->ClearAllRecipients();
+    
+      return true;
+    break;
+  }
+
+  if ($_SESSION['mailcow_cc_role'] != "admin") {
+    $_SESSION['return'][] = array(
+      'type' => 'danger',
+      'log' => array(__FUNCTION__, $action, $_data_log),
+      'msg' => 'access_denied'
+    );
+    return false;
+  }
+
+  switch ($action) {
+    case 'edit_notification':
+      $subject = $data['subject'];
+      $from = preg_replace('/[\x00-\x1F\x80-\xFF]/', '', $data['from']);
+
+      $from = (!filter_var($from, FILTER_VALIDATE_EMAIL)) ? "" : $from;
+      $subject = (empty($subject)) ? "" : $subject;
+      $text = (empty($data['text_tmpl'])) ? "" : $data['text_tmpl'];
+      $html = (empty($data['html_tmpl'])) ? "" : $data['html_tmpl'];
+
+      try {
+        $redis->Set('PW_RESET_FROM', $from);
+        $redis->Set('PW_RESET_SUBJ', $subject);
+        $redis->Set('PW_RESET_HTML', $html);
+        $redis->Set('PW_RESET_TEXT', $text);
+      }
+      catch (RedisException $e) {
+        $_SESSION['return'][] = array(
+          'type' => 'danger',
+          'log' => array(__FUNCTION__, $action, $_data_log),
+          'msg' => array('redis_error', $e)
+        );
+        return false;
+      }
+
+      $_SESSION['return'][] = array(
+        'type' => 'success',
+        'log' => array(__FUNCTION__, $action, $_data_log),
+        'msg' => 'saved_settings'
+      );
+    break;
+  }
+}
+
 
 function get_logs($application, $lines = false) {
   if ($lines === false) {

data/web/inc/functions.mailbox.inc.php

@@ -184,6 +184,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             'msg' => 'global_filter_written'
           );
           return true;
+        break;
         case 'filter':
           $sieve = new Sieve\SieveParser();
           if (!isset($_SESSION['acl']['filters']) || $_SESSION['acl']['filters'] != "1" ) {
@@ -1249,6 +1250,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
             $_data['quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
             $_data['app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
+            $_data['pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
           } else {
             $_data['spam_alias'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_spam_alias']);
             $_data['tls_policy'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_tls_policy']);
@@ -1264,14 +1266,15 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $_data['quarantine_notification'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_notification']);
             $_data['quarantine_category'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_quarantine_category']);
             $_data['app_passwds'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_app_passwds']);     
+            $_data['pw_reset'] = intval($MAILBOX_DEFAULT_ATTRIBUTES['acl_pw_reset']);     
           }
 
           try {
             $stmt = $pdo->prepare("INSERT INTO `user_acl` 
               (`username`, `spam_alias`, `tls_policy`, `spam_score`, `spam_policy`, `delimiter_action`, `syncjobs`, `eas_reset`, `sogo_profile_reset`,
-                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`) 
+                `pushover`, `quarantine`, `quarantine_attachments`, `quarantine_notification`, `quarantine_category`, `app_passwds`, `pw_reset`) 
               VALUES (:username, :spam_alias, :tls_policy, :spam_score, :spam_policy, :delimiter_action, :syncjobs, :eas_reset, :sogo_profile_reset,
-                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds) ");
+                :pushover, :quarantine, :quarantine_attachments, :quarantine_notification, :quarantine_category, :app_passwds, :pw_reset) ");
             $stmt->execute(array(
               ':username' => $username,
               ':spam_alias' => $_data['spam_alias'],
@@ -1287,7 +1290,8 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               ':quarantine_attachments' => $_data['quarantine_attachments'],
               ':quarantine_notification' => $_data['quarantine_notification'],
               ':quarantine_category' => $_data['quarantine_category'],
-              ':app_passwds' => $_data['app_passwds']
+              ':app_passwds' => $_data['app_passwds'],
+              ':pw_reset' => $_data['pw_reset']
             ));
           }
           catch (PDOException $e) {
@@ -1576,6 +1580,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
             $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
             $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
+            $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
           } else {
             $_data['acl'] = (array)$_data['acl'];
             $attr['acl_spam_alias'] = 0;
@@ -2865,21 +2870,22 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $_data['sieve_access'] = (in_array('sieve', $_data['protocol_access'])) ? 1 : 0;
             }
             if (!empty($is_now)) {
-              $active     = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
+              $active               = (isset($_data['active'])) ? intval($_data['active']) : $is_now['active'];
               (int)$force_pw_update = (isset($_data['force_pw_update'])) ? intval($_data['force_pw_update']) : intval($is_now['attributes']['force_pw_update']);
-              (int)$sogo_access = (isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
-              (int)$imap_access = (isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
-              (int)$pop3_access = (isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
-              (int)$smtp_access = (isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
-              (int)$sieve_access = (isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
-              (int)$relayhost = (isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
-              (int)$quota_m = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
-              $name       = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
-              $domain     = $is_now['domain'];
-              $quota_b    = $quota_m * 1048576;
-              $password   = (!empty($_data['password'])) ? $_data['password'] : null;
-              $password2  = (!empty($_data['password2'])) ? $_data['password2'] : null;
-              $tags       = (is_array($_data['tags']) ? $_data['tags'] : array());
+              (int)$sogo_access     = (isset($_data['sogo_access']) && isset($_SESSION['acl']['sogo_access']) && $_SESSION['acl']['sogo_access'] == "1") ? intval($_data['sogo_access']) : intval($is_now['attributes']['sogo_access']);
+              (int)$imap_access     = (isset($_data['imap_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['imap_access']) : intval($is_now['attributes']['imap_access']);
+              (int)$pop3_access     = (isset($_data['pop3_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['pop3_access']) : intval($is_now['attributes']['pop3_access']);
+              (int)$smtp_access     = (isset($_data['smtp_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['smtp_access']) : intval($is_now['attributes']['smtp_access']);
+              (int)$sieve_access    = (isset($_data['sieve_access']) && isset($_SESSION['acl']['protocol_access']) && $_SESSION['acl']['protocol_access'] == "1") ? intval($_data['sieve_access']) : intval($is_now['attributes']['sieve_access']);
+              (int)$relayhost       = (isset($_data['relayhost']) && isset($_SESSION['acl']['mailbox_relayhost']) && $_SESSION['acl']['mailbox_relayhost'] == "1") ? intval($_data['relayhost']) : intval($is_now['attributes']['relayhost']);
+              (int)$quota_m         = (isset_has_content($_data['quota'])) ? intval($_data['quota']) : ($is_now['quota'] / 1048576);
+              $name                 = (!empty($_data['name'])) ? ltrim(rtrim($_data['name'], '>'), '<') : $is_now['name'];
+              $domain               = $is_now['domain'];
+              $quota_b              = $quota_m * 1048576;
+              $password             = (!empty($_data['password'])) ? $_data['password'] : null;
+              $password2            = (!empty($_data['password2'])) ? $_data['password2'] : null;
+              $pw_recovery_email     = (isset($_data['pw_recovery_email'])) ? $_data['pw_recovery_email'] : $is_now['attributes']['recovery_email'];
+              $tags                 = (is_array($_data['tags']) ? $_data['tags'] : array());
             }
             else {
               $_SESSION['return'][] = array(
@@ -3132,31 +3138,43 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               ':address' => $username,
               ':active' => $active
             ));
-            $stmt = $pdo->prepare("UPDATE `mailbox` SET
-                `active` = :active,
-                `name`= :name,
-                `quota` = :quota_b,
-                `attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
-                `attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
-                `attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
-                `attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
-                `attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
-                `attributes` = JSON_SET(`attributes`, '$.relayhost', :relayhost),
-                `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access)
-                  WHERE `username` = :username");
-            $stmt->execute(array(
-              ':active' => $active,
-              ':name' => $name,
-              ':quota_b' => $quota_b,
-              ':force_pw_update' => $force_pw_update,
-              ':sogo_access' => $sogo_access,
-              ':imap_access' => $imap_access,
-              ':pop3_access' => $pop3_access,
-              ':sieve_access' => $sieve_access,
-              ':smtp_access' => $smtp_access,
-              ':relayhost' => $relayhost,
-              ':username' => $username
-            ));
+            try {
+              $stmt = $pdo->prepare("UPDATE `mailbox` SET
+                  `active` = :active,
+                  `name`= :name,
+                  `quota` = :quota_b,
+                  `attributes` = JSON_SET(`attributes`, '$.force_pw_update', :force_pw_update),
+                  `attributes` = JSON_SET(`attributes`, '$.sogo_access', :sogo_access),
+                  `attributes` = JSON_SET(`attributes`, '$.imap_access', :imap_access),
+                  `attributes` = JSON_SET(`attributes`, '$.sieve_access', :sieve_access),
+                  `attributes` = JSON_SET(`attributes`, '$.pop3_access', :pop3_access),
+                  `attributes` = JSON_SET(`attributes`, '$.relayhost', :relayhost),
+                  `attributes` = JSON_SET(`attributes`, '$.smtp_access', :smtp_access),
+                  `attributes` = JSON_SET(`attributes`, '$.recovery_email', :recovery_email)
+                    WHERE `username` = :username");
+                $stmt->execute(array(
+                  ':active' => $active,
+                  ':name' => $name,
+                  ':quota_b' => $quota_b,
+                  ':force_pw_update' => $force_pw_update,
+                  ':sogo_access' => $sogo_access,
+                  ':imap_access' => $imap_access,
+                  ':pop3_access' => $pop3_access,
+                  ':sieve_access' => $sieve_access,
+                  ':smtp_access' => $smtp_access,
+                  ':recovery_email' => $pw_recovery_email,
+                  ':relayhost' => $relayhost,
+                  ':username' => $username
+                ));
+            }
+            catch (PDOException $e) {
+              $_SESSION['return'][] = array(
+                'type' => 'danger',
+                'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                'msg' => $e->getMessage()
+              );
+              return false;
+            }
             // save tags
             foreach($tags as $index => $tag){
               if (empty($tag)) continue;
@@ -3263,6 +3281,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
               $attr['acl_quarantine_notification'] = (in_array('quarantine_notification', $_data['acl'])) ? 1 : 0;
               $attr['acl_quarantine_category'] = (in_array('quarantine_category', $_data['acl'])) ? 1 : 0;
               $attr['acl_app_passwds'] = (in_array('app_passwds', $_data['acl'])) ? 1 : 0;
+              $attr['acl_pw_reset'] = (in_array('pw_reset', $_data['acl'])) ? 1 : 0;
             } else {    
               foreach ($is_now as $key => $value){
                 $attr[$key] = $is_now[$key];
@@ -3438,30 +3457,54 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $footers['plain'] = isset($_data['plain']) ? $_data['plain'] : '';
           $footers['skip_replies'] = isset($_data['skip_replies']) ? (int)$_data['skip_replies'] : 0;
           $footers['mbox_exclude'] = array();
-          if (isset($_data["mbox_exclude"])){
-            if (!is_array($_data["mbox_exclude"])) {
-              $_data["mbox_exclude"] = array($_data["mbox_exclude"]);
+          $footers['alias_domain_exclude'] = array();
+          if (isset($_data["exclude"])){
+            if (!is_array($_data["exclude"])) {
+              $_data["exclude"] = array($_data["exclude"]);
             }
-            foreach ($_data["mbox_exclude"] as $mailbox) {
-              if (!filter_var($mailbox, FILTER_VALIDATE_EMAIL)) {
+            foreach ($_data["exclude"] as $exclude) {
+              if (filter_var($exclude, FILTER_VALIDATE_EMAIL)) {
+                $stmt = $pdo->prepare("SELECT `address` FROM `alias` WHERE `address` = :address
+                  UNION
+                  SELECT `username` FROM `mailbox` WHERE `username` = :username");
+                $stmt->execute(array(
+                  ':address' => $exclude,
+                  ':username' => $exclude,
+                ));
+                $row = $stmt->fetch(PDO::FETCH_ASSOC);
+                if(!$row){
+                  $_SESSION['return'][] = array(
+                    'type' => 'danger',
+                    'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                    'msg' => array('username_invalid', $exclude)
+                  );
+                  continue;
+                }
+                array_push($footers['mbox_exclude'], $exclude);
+              }
+              elseif (is_valid_domain_name($exclude)) {
+                $stmt = $pdo->prepare("SELECT `alias_domain` FROM `alias_domain` WHERE `alias_domain` = :alias_domain");
+                $stmt->execute(array(
+                  ':alias_domain' => $exclude,
+                ));
+                $row = $stmt->fetch(PDO::FETCH_ASSOC);
+                if(!$row){
+                  $_SESSION['return'][] = array(
+                    'type' => 'danger',
+                    'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
+                    'msg' => array('username_invalid', $exclude)
+                  );
+                  continue;
+                }
+                array_push($footers['alias_domain_exclude'], $exclude);
+              }
+              else {
                 $_SESSION['return'][] = array(
                   'type' => 'danger',
                   'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => array('username_invalid', $mailbox)
+                  'msg' => array('username_invalid', $exclude)
                 );
-                continue;
               }
-              $is_now = mailbox('get', 'mailbox_details', $mailbox);            
-              if(empty($is_now)){
-                $_SESSION['return'][] = array(
-                  'type' => 'danger',
-                  'log' => array(__FUNCTION__, $_action, $_type, $_data_log, $_attr),
-                  'msg' => array('username_invalid', $mailbox)
-                );
-                continue;
-              }
-              
-              array_push($footers['mbox_exclude'], $mailbox);
             }
           }
           foreach ($domains as $domain) {
@@ -3486,12 +3529,13 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
             try {
               $stmt = $pdo->prepare("DELETE FROM `domain_wide_footer` WHERE `domain`= :domain");
               $stmt->execute(array(':domain' => $domain));
-              $stmt = $pdo->prepare("INSERT INTO `domain_wide_footer` (`domain`, `html`, `plain`, `mbox_exclude`, `skip_replies`) VALUES (:domain, :html, :plain, :mbox_exclude, :skip_replies)");
+              $stmt = $pdo->prepare("INSERT INTO `domain_wide_footer` (`domain`, `html`, `plain`, `mbox_exclude`, `alias_domain_exclude`, `skip_replies`) VALUES (:domain, :html, :plain, :mbox_exclude, :alias_domain_exclude, :skip_replies)");
               $stmt->execute(array(
                 ':domain' => $domain,
                 ':html' => $footers['html'],
                 ':plain' => $footers['plain'],
                 ':mbox_exclude' => json_encode($footers['mbox_exclude']),
+                ':alias_domain_exclude' => json_encode($footers['alias_domain_exclude']),
                 ':skip_replies' => $footers['skip_replies'],
               ));
             }
@@ -4316,6 +4360,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           $domaindata['mboxes_in_domain'] = $MailboxDataDomain['count'];
           $domaindata['mboxes_left'] = $row['mailboxes']  - $MailboxDataDomain['count'];
           $domaindata['domain_name'] = $row['domain'];
+          $domaindata['domain_h_name'] = idn_to_utf8($row['domain']);
           $domaindata['description'] = $row['description'];
           $domaindata['max_num_aliases_for_domain'] = $row['aliases'];
           $domaindata['max_num_mboxes_for_domain'] = $row['mailboxes'];
@@ -4648,7 +4693,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
           }
 
           try {
-            $stmt = $pdo->prepare("SELECT `html`, `plain`, `mbox_exclude`, `skip_replies` FROM `domain_wide_footer`
+            $stmt = $pdo->prepare("SELECT `html`, `plain`, `mbox_exclude`, `alias_domain_exclude`, `skip_replies` FROM `domain_wide_footer`
               WHERE `domain` = :domain");
             $stmt->execute(array(
               ':domain' => $domain
@@ -5186,7 +5231,7 @@ function mailbox($_action, $_type, $_data = null, $_extra = null) {
                 'msg' => 'Could not move maildir to garbage collector: variables local_part and/or domain empty'
               );
             }
-            if (strtolower(getenv('SKIP_SOLR')) == 'n') {
+            if (strtolower(getenv('SKIP_SOLR')) == 'n' && strtolower(getenv('FLATCURVE_EXPERIMENTAL')) != 'y') {
               $curl = curl_init();
               curl_setopt($curl, CURLOPT_URL, 'http://solr:8983/solr/dovecot-fts/update?commit=true');
               curl_setopt($curl, CURLOPT_HTTPHEADER,array('Content-Type: text/xml'));

data/web/inc/functions.rspamd.inc.php

@@ -143,17 +143,26 @@ function rspamd_maps($_action, $_data = null) {
         return false;
       }
       $maps = (array)$_data['map'];
+      $valid_maps = array();
       foreach ($maps as $map) {
+        $is_valid = false;
         foreach ($RSPAMD_MAPS as $rspamd_map_type) {
-          if (!in_array($map, $rspamd_map_type)) {
-            $_SESSION['return'][] = array(
-              'type' => 'danger',
-              'log' => array(__FUNCTION__, $_action, '-'),
-              'msg' => array('global_map_invalid', $map)
-            );
-            continue;
+          if (in_array($map, $rspamd_map_type)) {
+            $is_valid = true;
+            break;
           }
         }
+        if ($is_valid) {
+          array_push($valid_maps, $map);
+        } else {
+          $_SESSION['return'][] = array(
+            'type' => 'danger',
+            'log' => array(__FUNCTION__, $_action, '-'),
+            'msg' => array('global_map_invalid', $map)
+          );
+        }
+      }
+      foreach ($valid_maps as $map) {
         try {
           if (file_exists('/rspamd_custom_maps/' . $map)) {
             $map_content = trim($_data['rspamd_map_data']);

data/web/inc/header.inc.php

@@ -49,7 +49,6 @@ $globalVariables = [
   'app_links' => customize('get', 'app_links'),
   'is_root_uri' => (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) == '/'),
   'uri' => $_SERVER['REQUEST_URI'],
-  'last_login' => last_login('get', $_SESSION['mailcow_cc_username'], 7, 0)['ui']['time']
 ];
 
 foreach ($globalVariables as $globalVariableName => $globalVariableValue) {

data/web/inc/init_db.inc.php

@@ -3,7 +3,7 @@ function init_db_schema() {
   try {
     global $pdo;
 
-    $db_version = "08012024_1442";
+    $db_version = "29072024_1000";
 
     $stmt = $pdo->query("SHOW TABLES LIKE 'versions'");
     $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -273,6 +273,7 @@ function init_db_schema() {
           "html" => "LONGTEXT",
           "plain" => "LONGTEXT",
           "mbox_exclude" => "JSON NOT NULL DEFAULT ('[]')",
+          "alias_domain_exclude" => "JSON NOT NULL DEFAULT ('[]')",
           "skip_replies" => "TINYINT(1) NOT NULL DEFAULT '0'"
         ),
         "keys" => array(
@@ -482,6 +483,7 @@ function init_db_schema() {
           "quarantine_notification" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "quarantine_category" => "TINYINT(1) NOT NULL DEFAULT '1'",
           "app_passwds" => "TINYINT(1) NOT NULL DEFAULT '1'",
+          "pw_reset" => "TINYINT(1) NOT NULL DEFAULT '1'",
           ),
         "keys" => array(
           "primary" => array(
@@ -693,6 +695,19 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "reset_password" => array(
+        "cols" => array(
+          "username" => "VARCHAR(255) NOT NULL",
+          "token" => "VARCHAR(255) NOT NULL",
+          "created" => "DATETIME(0) NOT NULL DEFAULT NOW(0)",
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("token", "created")
+          ),
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),
       "imapsync" => array(
         "cols" => array(
           "id" => "INT NOT NULL AUTO_INCREMENT",
@@ -978,6 +993,18 @@ function init_db_schema() {
         ),
         "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
       ),
+      "sogo_admin" => array(
+        "cols" => array(
+          "c_key" => "VARCHAR(255) NOT NULL DEFAULT ''",
+          "c_content"  => "mediumtext NOT NULL",
+        ),
+        "keys" => array(
+          "primary" => array(
+            "" => array("c_key")
+          )
+        ),
+        "attr" => "ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC"
+      ),      
       "pushover" => array(
         "cols" => array(
           "username" => "VARCHAR(255) NOT NULL",

data/web/inc/lib/sieve/extensions/enotify.xml

@@ -0,0 +1,33 @@
+<?xml version='1.0' standalone='yes'?>
+
+<extension name="enotify">
+    <command name="notify">
+        <parameter type="tag" name="from" occurrence="optional">
+            <parameter type="string" name="from-address" />
+        </parameter>
+
+        <parameter type="tag" name="importance" regex="(1|2|3)" occurrence="optional" />
+
+        <parameter type="tag" name="options" occurrence="optional">
+            <parameter type="stringlist" name="option-strings" />
+        </parameter>
+
+        <parameter type="tag" name="message" occurrence="optional">
+            <parameter type="string" name="message-text" />
+        </parameter>
+
+        <parameter type="string" name="method" />
+    </command>
+
+    <test name="valid_notify_method">
+        <parameter type="stringlist" name="notification-uris" />
+    </test>
+
+    <test name="notify_method_capability">
+        <parameter type="string" name="notification-uri" />
+        <parameter type="string" name="notification-capability" />
+        <parameter type="stringlist" name="key-list" />
+    </test>
+
+    <modifier name="encodeurl" />
+</extension>

data/web/inc/lib/sieve/extensions/mime.xml

@@ -0,0 +1,58 @@
+<?xml version='1.0' standalone='yes'?>
+
+<extension name="mime">
+    <command name="foreverypart">
+        <parameter type="string" name="name" occurrence="optional" />
+        <block />
+    </command>
+
+    <command name="break">
+        <parameter type="string" name="name" occurrence="optional" />
+    </command>
+
+    <tagged-argument extends="(header|address|exists)">
+        <parameter type="tag" name="mime" regex="mime" occurrence="optional" />
+    </tagged-argument>
+    <tagged-argument extends="(header|address|exists)">
+        <parameter type="tag" name="anychild" regex="anychild" occurrence="optional" />
+    </tagged-argument>
+    <tagged-argument extends="(header)">
+        <parameter type="tag" name="type" occurrence="optional" />
+    </tagged-argument>
+    <tagged-argument extends="(header)">
+        <parameter type="tag" name="subtype" occurrence="optional" />
+    </tagged-argument>
+    <tagged-argument extends="(header)">
+        <parameter type="tag" name="contenttype" occurrence="optional" />
+    </tagged-argument>
+    <tagged-argument extends="(header)">
+        <parameter type="tag" name="param" regex="param" occurrence="optional">
+            <parameter type="stringlist" name="param-list" />
+        </parameter>
+    </tagged-argument>
+    <tagged-argument extends="(header|address|exists)">
+        <parameter type="stringlist" name="header-names" />
+    </tagged-argument>
+    <tagged-argument extends="(header)">
+        <parameter type="stringlist" name="key-list" />
+    </tagged-argument>
+
+    <action name="replace">
+        <parameter type="tag" name="mime" regex="mime" occurrence="optional" />
+        <parameter type="string" name="subject" occurrence="optional" />
+        <parameter type="string" name="from" occurrence="optional" />
+        <parameter type="string" name="replacement" />
+    </action>
+
+    <action name="enclose">
+        <parameter type="string" name="subject" occurrence="optional" />
+        <parameter type="stringlist" name="headers" occurrence="optional" />
+        <parameter type="string" name="text" />
+    </action>
+
+    <action name="extracttext">
+        <parameter type="tag" name="first" regex="first" occurrence="optional" />
+        <parameter type="number" name="number" occurrence="optional" />
+        <parameter type="string" name="varname" />
+    </action>
+</extension>

data/web/inc/presets/sieve/sieve_1.yml

@@ -1,7 +1,7 @@
 headline: lang.sieve_preset_1
 content: |
   require ["reject","body","regex"];
-  if anyof (body :raw :regex ["filename=.*\.doc","filename=.*\.exe","filename=.*\.moo"]) {
+  if anyof (body :raw :regex ["filename=\".*\\.(doc|exe|moo)\""]) {
     reject text:
   doc, exe and moo are dangerous file extensions.
   Why would you do that? I am a sad cow.

data/web/inc/triggers.inc.php

@@ -10,16 +10,54 @@ if (!empty($_GET['sso_token'])) {
   }
 }
 
+if (isset($_POST["pw_reset_request"]) && !empty($_POST['username'])) {
+  reset_password("issue", $_POST['username']);
+  header("Location: /");
+  exit;
+}
+if (isset($_POST["pw_reset"])) {
+  $username = reset_password("check", $_POST['token']);
+  $reset_result = reset_password("reset", array(
+    'new_password' => $_POST['new_password'], 
+    'new_password2' => $_POST['new_password2'],
+    'token' => $_POST['token'],
+    'username' => $username,
+    'check_tfa' => True
+  ));
+
+  if ($reset_result){
+    header("Location: /");
+    exit;
+  }
+}
 if (isset($_POST["verify_tfa_login"])) {
   if (verify_tfa_login($_SESSION['pending_mailcow_cc_username'], $_POST)) {
-    $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
-    $_SESSION['mailcow_cc_role'] = $_SESSION['pending_mailcow_cc_role'];
-    unset($_SESSION['pending_mailcow_cc_username']);
-    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+    if (isset($_SESSION['pending_mailcow_cc_username']) && isset($_SESSION['pending_pw_reset_token']) && isset($_SESSION['pending_pw_new_password'])) {
+      reset_password("reset", array(
+        'new_password' => $_SESSION['pending_pw_new_password'],
+        'new_password2' => $_SESSION['pending_pw_new_password'],
+        'token' => $_SESSION['pending_pw_reset_token'],
+        'username' => $_SESSION['pending_mailcow_cc_username']
+      ));
+      unset($_SESSION['pending_pw_reset_token']);
+      unset($_SESSION['pending_pw_new_password']);
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_tfa_methods']);
 
-    header("Location: /user");
+      header("Location: /");
+      exit;
+    } else {
+      $_SESSION['mailcow_cc_username'] = $_SESSION['pending_mailcow_cc_username'];
+      $_SESSION['mailcow_cc_role'] = $_SESSION['pending_mailcow_cc_role'];
+      unset($_SESSION['pending_mailcow_cc_username']);
+      unset($_SESSION['pending_mailcow_cc_role']);
+      unset($_SESSION['pending_tfa_methods']);
+  
+      header("Location: /user");
+    }
   } else {
+    unset($_SESSION['pending_pw_reset_token']);
+    unset($_SESSION['pending_pw_new_password']);
     unset($_SESSION['pending_mailcow_cc_username']);
     unset($_SESSION['pending_mailcow_cc_role']);
     unset($_SESSION['pending_tfa_methods']);
@@ -27,11 +65,13 @@ if (isset($_POST["verify_tfa_login"])) {
 }
 
 if (isset($_GET["cancel_tfa_login"])) {
-    unset($_SESSION['pending_mailcow_cc_username']);
-    unset($_SESSION['pending_mailcow_cc_role']);
-    unset($_SESSION['pending_tfa_methods']);
+  unset($_SESSION['pending_pw_reset_token']);
+  unset($_SESSION['pending_pw_new_password']);
+  unset($_SESSION['pending_mailcow_cc_username']);
+  unset($_SESSION['pending_mailcow_cc_role']);
+  unset($_SESSION['pending_tfa_methods']);
 
-    header("Location: /");
+  header("Location: /");
 }
 
 if (isset($_POST["quick_release"])) {

data/web/inc/vars.inc.php

@@ -95,6 +95,8 @@ $AVAILABLE_LANGUAGES = array(
   'it-it' => 'Italiano (Italian)',
   'ko-kr' => '한국어 (Korean)',
   'lv-lv' => 'latviešu (Latvian)',
+  'lt-lt' => 'Lietuvių (Lithuanian)',
+  'nb-no' => 'Norsk (Norwegian)',
   'nl-nl' => 'Nederlands (Dutch)',
   'pl-pl' => 'Język Polski (Polish)',
   'pt-br' => 'Português brasileiro (Brazilian Portuguese)',
@@ -208,6 +210,12 @@ $MAILBOX_DEFAULT_ATTRIBUTES['mailbox_format'] = 'maildir:';
 // Show last IMAP and POP3 logins
 $SHOW_LAST_LOGIN = true;
 
+// Maximum number of password reset tokens that can be generated at once per user
+$PW_RESET_TOKEN_LIMIT = 3;
+
+// Maximum time in minutes a password reset token is valid
+$PW_RESET_TOKEN_LIFETIME = 15;
+
 // UV flag handling in FIDO2/WebAuthn - defaults to false to allow iOS logins
 // true = required
 // false = preferred

data/web/js/site/admin.js

@@ -397,7 +397,10 @@ jQuery(function($){
         {
           title: lang.host,
           data: 'hostname',
-          defaultContent: ''
+          defaultContent: '',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: lang.username,

data/web/js/site/debug.js

@@ -325,7 +325,10 @@ jQuery(function($){
           title: 'URI',
           data: 'uri',
           defaultContent: '',
-          className: 'dtr-col-md dtr-break-all'
+          className: 'dtr-col-md dtr-break-all',
+          render: function (data, type) {
+            return escapeHtml(data);
+          }
         },
         {
           title: 'Method',
@@ -1294,13 +1297,7 @@ function update_stats(timeout=5){
       $("#host_cpu_usage").text(parseInt(data.cpu.usage).toString() + "%");
       $("#host_memory_total").text((data.memory.total / (1024 ** 3)).toFixed(2).toString() + "GB");
       $("#host_memory_usage").text(parseInt(data.memory.usage).toString() + "%");
-      if (data.architecture == "aarch64"){
-        $("#host_architecture").html('<span data-bs-toggle="tooltip" data-bs-placement="top" title="' + lang_debug.wip +'">' + data.architecture + ' ⚠️</span>');
-      }
-      else {
-        $("#host_architecture").html(data.architecture);
-      }
-
+      $("#host_architecture").html(data.architecture);
       // update cpu and mem chart
       var cpu_chart = Chart.getChart("host_cpu_chart");
       var mem_chart = Chart.getChart("host_mem_chart");

data/web/js/site/mailbox.js

@@ -380,6 +380,9 @@ $(document).ready(function() {
     if (template.acl_app_passwds == 1){
       acl.push("app_passwds");
     }
+    if (template.acl_pw_reset == 1){
+      acl.push("pw_reset");
+    }
     $('#user_acl').selectpicker('val', acl);
 
     $('#rl_value').val(template.rl_value);
@@ -451,6 +454,10 @@ jQuery(function($){
         dataSrc: function(json){
           $.each(json.data, function(i, item) {
             item.domain_name = escapeHtml(item.domain_name);
+            item.domain_h_name = escapeHtml(item.domain_h_name);
+            if (item.domain_name != item.domain_h_name){
+              item.domain_h_name = item.domain_h_name + '<small class="d-block">' + item.domain_name + '</small>';
+            }
 
             item.aliases = item.aliases_in_domain + " / " + item.max_num_aliases_for_domain;
             item.mailboxes = item.mboxes_in_domain + " / " + item.max_num_mboxes_for_domain;
@@ -489,11 +496,11 @@ jQuery(function($){
 
             if (item.backupmx == 1) {
               if (item.relay_unknown_only == 1) {
-                item.domain_name = '<div class="badge fs-6 bg-info">Relay Non-Local</div> ' + item.domain_name;
+                item.domain_h_name = '<div class="badge fs-7 bg-info">Relay Non-Local</div> ' + item.domain_h_name;
               } else if (item.relay_all_recipients == 1) {
-                item.domain_name = '<div class="badge fs-6 bg-info">Relay All</div> ' + item.domain_name;
+                item.domain_h_name = '<div class="badge fs-7 bg-info">Relay All</div> ' + item.domain_h_name;
               } else {
-                item.domain_name = '<div class="badge fs-6 bg-info">Relay</div> ' + item.domain_name;
+                item.domain_h_name = '<div class="badge fs-7 bg-info">Relay</div> ' + item.domain_h_name;
               }
             }
           });
@@ -521,7 +528,7 @@ jQuery(function($){
         },
         {
           title: lang.domain,
-          data: 'domain_name',
+          data: 'domain_h_name',
           responsivePriority: 3,
           defaultContent: ''
         },

data/web/js/site/user.js

@@ -676,5 +676,5 @@ jQuery(function($){
   onVisible("[id^=wl_policy_mailbox_table]", () => draw_wl_policy_mailbox_table());
   onVisible("[id^=sync_job_table]", () => draw_sync_job_table());
   onVisible("[id^=app_passwd_table]", () => draw_app_passwd_table());
-  last_logins('get');
+  onVisible("[id^=recent-logins]", () => last_logins('get'));
 });

data/web/json_api.php

@@ -47,6 +47,12 @@ function api_log($_data) {
   }
 }
 
+// Block requests not intended for direct API use by checking the 'Sec-Fetch-Dest' header.
+if (isset($_SERVER['HTTP_SEC_FETCH_DEST']) && $_SERVER['HTTP_SEC_FETCH_DEST'] !== 'empty') {
+  header('HTTP/1.1 403 Forbidden');
+  exit;
+}
+
 if (isset($_GET['query'])) {
 
   $query = explode('/', $_GET['query']);
@@ -1967,7 +1973,6 @@ if (isset($_GET['query'])) {
         case "quota_notification_bcc":
           process_edit_return(quota_notification_bcc('edit', $attr));
         break;
-        break;
         case "mailq":
           process_edit_return(mailq('edit', array_merge(array('qid' => $items), $attr)));
         break;
@@ -2063,6 +2068,9 @@ if (isset($_GET['query'])) {
         case "cors":
           process_edit_return(cors('edit', $attr));
         break;
+        case "reset-password-notification":
+          process_edit_return(reset_password('edit_notification', $attr));
+        break;
         // return no route found if no case is matched
         default:
           http_response_code(404);

data/web/lang/lang.cs-cz.json

@@ -547,7 +547,7 @@
         "dns_records": "DNS záznamy",
         "dns_records_24hours": "Upozornění: Změnám v systému DNS může trvat až 24 hodin, než se zde správně zobrazí jejich aktuální stav. Můžete zde snadno zjistit, jak nastavit DNS záznamy a zda jsou všechny záznamy správně uloženy.",
         "dns_records_data": "Správný záznam",
-        "dns_records_docs": "Přečtěte si prosím <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">dokumentaci</a>.",
+        "dns_records_docs": "Přečtěte si prosím <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">dokumentaci</a>.",
         "dns_records_name": "Název",
         "dns_records_status": "Současný stav",
         "dns_records_type": "Typ",

data/web/lang/lang.da-dk.json

@@ -459,7 +459,7 @@
         "cname_from_a": "Værdi afledt af A / AAAA-post. Dette understøttes, så længe posten peger på den korrekte ressource.",
         "dns_records": "DNS-poster",
         "dns_records_24hours": "Bemærk, at ændringer, der foretages i DNS, kan tage op til 24 timer for at få deres aktuelle status korrekt reflekteret på denne side. Det er beregnet som en måde for dig let at se, hvordan du konfigurerer dine DNS-poster og kontrollere, om alle dine poster er korrekt gemt i DNS.",
-        "dns_records_docs": "Se også <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">dokumentationen</a>.",
+        "dns_records_docs": "Se også <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">dokumentationen</a>.",
         "dns_records_data": "Korrekte data",
         "dns_records_name": "Navn",
         "dns_records_status": "Nuværende tilstand",

data/web/lang/lang.de-de.json

@@ -14,6 +14,7 @@
         "prohibited": "Untersagt durch Richtlinie",
         "protocol_access": "Ändern der erlaubten Protokolle",
         "pushover": "Pushover",
+        "pw_reset": "Verwalten der E-Mail zur Passwortwiederherstellung erlauben",
         "quarantine": "Quarantäne-Aktionen",
         "quarantine_attachments": "Anhänge aus Quarantäne",
         "quarantine_category": "Ändern der Quarantäne-Benachrichtigungskategorie",
@@ -248,6 +249,11 @@
         "password_policy_numbers": "Muss eine Ziffer enthalten",
         "password_policy_special_chars": "Muss Sonderzeichen enthalten",
         "password_repeat": "Passwort wiederholen",
+        "password_reset_info": "Wenn keine E-Mail zur Passwortwiederherstellung hinterlegt ist, kann diese Funktion nicht genutzt werden.",
+        "password_reset_settings": "Einstellungen zur Passwortwiederherstellung",
+        "password_reset_tmpl_html": "HTML Vorlage",
+        "password_reset_tmpl_text": "Text Vorlage",
+        "password_settings": "Passwort Einstellungen",
         "priority": "Gewichtung",
         "private_key": "Private Key",
         "quarantine": "Quarantäne",
@@ -287,6 +293,8 @@
         "remove_row": "Entfernen",
         "reset_default": "Zurücksetzen auf Standard",
         "reset_limit": "Hash entfernen",
+        "reset_password_vars": "<code>{{link}}</code> Der generierte Passwort-Reset-Link<br><code>{{username}}</code> Die E-Mail-Adresse des Benutzers, der die Passwortzurücksetzung angefordert hat<br><code>{{username2}}</code> Die E-Mail-Adresse zur Wiederherstellung<br><code>{{date}}</code> Das Datum, an dem die Passwort-Reset-Anfrage gestellt wurde<br><code>{{token_lifetime}}</code> Die Gültigkeitsdauer des Tokens in Minuten<br><code>{{hostname}}</code> Der mailcow Hostname",
+        "restore_template": "Leer lassen, um Standard-Template wiederherzustellen.",
         "routing": "Routing",
         "rsetting_add_rule": "Regel hinzufügen",
         "rsetting_content": "Regelinhalt",
@@ -407,6 +415,7 @@
         "invalid_nexthop_authenticated": "Dieser Next Hop existiert bereits mit abweichenden Authentifizierungsdaten. Die bestehenden Authentifizierungsdaten dieses \"Next Hops\" müssen vorab angepasst werden.",
         "invalid_recipient_map_new": "Neuer Empfänger \"%s\" ist ungültig",
         "invalid_recipient_map_old": "Originaler Empfänger \"%s\" ist ungültig",
+        "invalid_reset_token": "Ungültiger Rücksetz-Token",
         "ip_list_empty": "Liste erlaubter IPs darf nicht leer sein",
         "is_alias": "%s lautet bereits eine Alias-Adresse",
         "is_alias_or_mailbox": "Eine Mailbox, ein Alias oder eine sich aus einer Alias-Domain ergebende Adresse mit dem Namen %s ist bereits vorhanden",
@@ -436,6 +445,8 @@
         "password_complexity": "Passwort entspricht nicht den Richtlinien",
         "password_empty": "Passwort darf nicht leer sein",
         "password_mismatch": "Passwort-Wiederholung stimmt nicht überein",
+        "password_reset_invalid_user": "Benutzer nicht gefunden oder keine E-Mail-Adresse zur Wiederherstellung eingerichtet",
+        "password_reset_na": "Die Passwortwiederherstellung ist momentan nicht verfügbar. Bitte wenden Sie sich an Ihren Administrator.",
         "policy_list_from_exists": "Ein Eintrag mit diesem Wert existiert bereits",
         "policy_list_from_invalid": "Eintrag hat ein ungültiges Format",
         "private_key_error": "Schlüsselfehler: %s",
@@ -444,10 +455,12 @@
         "pushover_token": "Pushover Token hat das falsche Format",
         "quota_not_0_not_numeric": "Speicherplatz muss numerisch und >= 0 sein",
         "recipient_map_entry_exists": "Eine Empfängerumschreibung für Objekt \"%s\" existiert bereits",
+        "recovery_email_failed": "E-Mail zur Wiederherstellung konnte nicht gesendet werden. Bitte wenden Sie sich an Ihren Administrator.",
         "redis_error": "Redis Fehler: %s",
         "relayhost_invalid": "Map-Eintrag %s ist ungültig",
         "release_send_failed": "Die Nachricht konnte nicht versendet werden: %s",
         "reset_f2b_regex": "Regex-Filter konnten nicht in vorgegebener Zeit zurückgesetzt werden, bitte erneut versuchen oder die Webseite neu laden.",
+        "reset_token_limit_exceeded": "Das Limit für Rücksetz-Tokens wurde überschritten. Bitte versuchen Sie es später erneut.",
         "resource_invalid": "Ressourcenname %s ist ungültig",
         "rl_timeframe": "Ratelimit-Zeitraum ist inkorrekt",
         "rspamd_ui_pw_length": "Rspamd UI-Passwort muss mindestens 6 Zeichen lang sein",
@@ -467,6 +480,7 @@
         "tls_policy_map_dest_invalid": "Ziel ist ungültig",
         "tls_policy_map_entry_exists": "Eine TLS-Richtlinie \"%s\" existiert bereits",
         "tls_policy_map_parameter_invalid": "Parameter ist ungültig",
+        "to_invalid": "Empfänger darf nicht leer sein",
         "totp_verification_failed": "TOTP-Verifizierung fehlgeschlagen",
         "transport_dest_exists": "Transport-Maps-Ziel \"%s\" existiert bereits",
         "webauthn_verification_failed": "WebAuthn-Verifizierung fehlgeschlagen: %s",
@@ -556,7 +570,7 @@
         "dns_records": "DNS-Einträge",
         "dns_records_24hours": "Bitte beachten Sie, dass es bis zu 24 Stunden dauern kann, bis Änderungen an Ihren DNS-Einträgen als aktueller Status auf dieser Seite dargestellt werden. Diese Seite ist nur als Hilfsmittel gedacht, um die korrekten Werte für DNS-Einträge anzuzeigen und zu überprüfen, ob die Daten im DNS hinterlegt sind.",
         "dns_records_data": "Korrekte Daten",
-        "dns_records_docs": "Die <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">Online-Dokumentation</a> enthält weitere Informationen zur DNS-Konfiguration.",
+        "dns_records_docs": "Die <a target=\"_blank\" href=\"https://docs.mailcow.email/de/getstarted/prerequisite-dns\">Online-Dokumentation</a> enthält weitere Informationen zur DNS-Konfiguration.",
         "dns_records_name": "Name",
         "dns_records_status": "Aktueller Status",
         "dns_records_type": "Typ",
@@ -613,6 +627,7 @@
         "extended_sender_acl_info": "Der DKIM-Domainkey der externen Absenderdomain sollte in diesen Server importiert werden, falls vorhanden.<br>\r\n  Wird SPF verwendet, muss diesem Server der Versand gestattet werden.<br>\r\n  Wird eine Domain oder Alias-Domain zu diesem Server hinzugefügt, die sich mit der externen Absenderadresse überschneidet, wird der externe Absender hier entfernt.<br>\r\n  Ein Eintrag @domain.tld erlaubt den Versand als *@domain.tld",
         "force_pw_update": "Erzwinge Passwortänderung bei nächstem Login",
         "force_pw_update_info": "Dem Benutzer wird lediglich der Zugang zur %s ermöglicht, App Passwörter funktionieren weiterhin.",
+        "footer_exclude": "von Fußzeile ausschließen",
         "full_name": "Voller Name",
         "gal": "Globales Adressbuch",
         "gal_info": "Das globale Adressbuch enthält alle Objekte einer Domain und kann durch keinen Benutzer geändert werden. Die Verfügbarkeitsinformation in SOGo ist nur bei eingeschaltetem globalen Adressbuch ersichtlich <b>Zum Anwenden einer Änderung muss SOGo neugestartet werden.</b>",
@@ -631,13 +646,13 @@
         "max_quota": "Max. Größe per Mailbox (MiB)",
         "maxage": "Maximales Alter in Tagen einer Nachricht, die kopiert werden soll<br><small>(0 = alle Nachrichten kopieren)</small>",
         "maxbytespersecond": "Max. Übertragungsrate in Bytes/s (0 für unlimitiert)",
-        "mbox_exclude": "Mailboxen ausschließen",
         "mbox_rl_info": "Dieses Limit wird auf den SASL Loginnamen angewendet und betrifft daher alle Absenderadressen, die der eingeloggte Benutzer verwendet. Bei Mailbox Ratelimit überwiegt ein Domain-weites Ratelimit.",
         "mins_interval": "Intervall (min)",
         "multiple_bookings": "Mehrfaches Buchen",
         "nexthop": "Next Hop",
         "none_inherit": "Keine Auswahl / Erben",
         "password": "Passwort",
+        "password_recovery_email": "E-Mail zur Passwortwiederherstellung",
         "password_repeat": "Passwort wiederholen",
         "previous": "Vorherige Seite",
         "private_comment": "Privater Kommentar",
@@ -741,12 +756,19 @@
         "session_expires": "Die Sitzung wird in etwa 15 Sekunden beendet."
     },
     "login": {
+        "back_to_mailcow": "Zurück zu mailcow",
         "delayed": "Login wurde zur Sicherheit um %s Sekunde/n verzögert.",
         "fido2_webauthn": "FIDO2/WebAuthn Login",
+        "forgot_password": "> Passwort vergessen?",
+        "invalid_pass_reset_token": "Der Rücksetz-Token für das Passwort ist ungültig oder abgelaufen.<br>Bitte fordern Sie einen neuen Link zur Passwortwiederherstellung an.",
         "login": "Anmelden",
         "mobileconfig_info": "Bitte als Mailbox-Benutzer einloggen, um das Verbindungsprofil herunterzuladen.",
+        "new_password": "Neues Passwort",
+        "new_password_confirm": "Neues Passwort bestätigen",        
         "other_logins": "Key Login",
         "password": "Passwort",
+        "reset_password": "Passwort zurücksetzen",
+        "request_reset_password": "Passwortänderung anfordern",
         "username": "Benutzername"
     },
     "mailbox": {
@@ -1065,11 +1087,13 @@
         "nginx_reloaded": "Nginx wurde neu geladen",
         "object_modified": "Änderungen an Objekt %s wurden gespeichert",
         "password_policy_saved": "Passwortrichtlinie wurde erfolgreich gespeichert",
+        "password_changed_success": "Das Passwort wurde erfolgreich geändert",
         "pushover_settings_edited": "Pushover-Konfiguration gespeichert, bitte den Zugang im Anschluss verifizieren.",
         "qlearn_spam": "Nachricht-ID %s wurde als Spam gelernt und gelöscht",
         "queue_command_success": "Queue-Aufgabe erfolgreich ausgeführt",
         "recipient_map_entry_deleted": "Empfängerumschreibung mit der ID %s wurde gelöscht",
         "recipient_map_entry_saved": "Empfängerumschreibung für Objekt \"%s\" wurde gespeichert",
+        "recovery_email_sent": "Wiederherstellungs-E-Mail an %s gesendet",
         "relayhost_added": "Map-Eintrag %s wurde hinzugefügt",
         "relayhost_removed": "Map-Eintrag %s wurde entfernt",
         "reset_main_logo": "Standardgrafik wurde wiederhergestellt",
@@ -1202,6 +1226,7 @@
         "password": "Passwort",
         "password_now": "Aktuelles Passwort (Änderungen bestätigen)",
         "password_repeat": "Passwort (Wiederholung)",
+        "password_reset_info": "Wenn keine E-Mail zur Passwortwiederherstellung hinterlegt ist, kann diese Funktion nicht genutzt werden.",
         "pushover_evaluate_x_prio": "Hohe Priorität eskalieren [<code>X-Priority: 1</code>]",
         "pushover_info": "Push-Benachrichtungen werden angewendet auf alle nicht-Spam Nachrichten zugestellt an <b>%s</b>, einschließlich Alias-Adressen (shared, non-shared, tagged).",
         "pushover_only_x_prio": "Nur Mail mit hoher Priorität berücksichtigen [<code>X-Priority: 1</code>]",
@@ -1211,6 +1236,7 @@
         "pushover_title": "Notification Titel",
         "pushover_vars": "Wenn kein Sender-Filter definiert ist, werden alle E-Mails berücksichtigt.<br>Die direkte Absenderprüfung und reguläre Ausdrücke werden unabhängig voneinander geprüft, sie <b>hängen nicht voneinander ab</b> und werden der Reihe nach ausgeführt. <br>Verwendbare Variablen für Titel und Text (Datenschutzrichtlinien beachten)",
         "pushover_verify": "Verbindung verifizieren",
+        "pw_recovery_email": "E-Mail zur Passwortwiederherstellung",
         "q_add_header": "Junk-Ordner",
         "q_all": "Alle Kategorien",
         "q_reject": "Abgelehnt",

data/web/lang/lang.en-gb.json

@@ -14,6 +14,7 @@
         "prohibited": "Prohibited by ACL",
         "protocol_access": "Change protocol access",
         "pushover": "Pushover",
+        "pw_reset": "Allow to reset mailcow user password",
         "quarantine": "Quarantine actions",
         "quarantine_attachments": "Quarantine attachments",
         "quarantine_category": "Change quarantine notification category",
@@ -256,6 +257,11 @@
         "password_policy_numbers": "Must contain at least one number",
         "password_policy_special_chars": "Must contain special characters",
         "password_repeat": "Confirmation password (repeat)",
+        "password_reset_info": "If no recovery email is provided, this function cannot be used.",
+        "password_reset_settings": "Password Recovery Settings",
+        "password_reset_tmpl_html": "HTML Template",
+        "password_reset_tmpl_text": "Text Template",
+        "password_settings": "Password Settings",
         "priority": "Priority",
         "private_key": "Private key",
         "quarantine": "Quarantine",
@@ -296,6 +302,8 @@
         "remove_row": "Remove row",
         "reset_default": "Reset to default",
         "reset_limit": "Remove hash",
+        "reset_password_vars": "<code>{{link}}</code> The generated password reset link<br><code>{{username}}</code> The mailbox name of the user who requested the password reset<br><code>{{username2}}</code> The recovery mailbox name<br><code>{{date}}</code> The date the password reset request was made<br><code>{{token_lifetime}}</code> The token lifetime in minutes<br><code>{{hostname}}</code> The mailcow hostname",
+        "restore_template": "Leave empty to restore default template.",
         "routing": "Routing",
         "rsetting_add_rule": "Add rule",
         "rsetting_content": "Rule content",
@@ -407,6 +415,7 @@
         "invalid_nexthop_authenticated": "Next hop exists with different credentials, please update the existing credentials for this next hop first.",
         "invalid_recipient_map_new": "Invalid new recipient specified: %s",
         "invalid_recipient_map_old": "Invalid original recipient specified: %s",
+        "invalid_reset_token": "Invalid reset token",
         "ip_list_empty": "List of allowed IPs cannot be empty",
         "is_alias": "%s is already known as an alias address",
         "is_alias_or_mailbox": "%s is already known as an alias, a mailbox or an alias address expanded from an alias domain.",
@@ -436,6 +445,8 @@
         "password_complexity": "Password does not meet the policy",
         "password_empty": "Password must not be empty",
         "password_mismatch": "Confirmation password does not match",
+        "password_reset_invalid_user": "Mailbox not found or no recovery email is set",
+        "password_reset_na": "The password recovery is currently unavailable. Please contact your administrator.",
         "policy_list_from_exists": "A record with given name exists",
         "policy_list_from_invalid": "Record has invalid format",
         "private_key_error": "Private key error: %s",
@@ -444,10 +455,12 @@
         "pushover_token": "Pushover token has a wrong format",
         "quota_not_0_not_numeric": "Quota must be numeric and >= 0",
         "recipient_map_entry_exists": "A Recipient map entry \"%s\" exists",
+        "recovery_email_failed": "Could not send a recovery email. Please contact your administrator.",
         "redis_error": "Redis error: %s",
         "relayhost_invalid": "Map entry %s is invalid",
         "release_send_failed": "Message could not be released: %s",
         "reset_f2b_regex": "Regex filter could not be reset in time, please try again or wait a few more seconds and reload the website.",
+        "reset_token_limit_exceeded": "Reset token limit has been exceeded. Please try again later.",
         "resource_invalid": "Resource name %s is invalid",
         "rl_timeframe": "Rate limit time frame is incorrect",
         "rspamd_ui_pw_length": "Rspamd UI password should be at least 6 chars long",
@@ -470,6 +483,7 @@
         "tls_policy_map_dest_invalid": "Policy destination is invalid",
         "tls_policy_map_entry_exists": "A TLS policy map entry \"%s\" exists",
         "tls_policy_map_parameter_invalid": "Policy parameter is invalid",
+        "to_invalid": "Recipient must not be empty",
         "totp_verification_failed": "TOTP verification failed",
         "transport_dest_exists": "Transport destination \"%s\" exists",
         "webauthn_verification_failed": "WebAuthn verification failed: %s",
@@ -556,7 +570,7 @@
         "dns_records": "DNS Records",
         "dns_records_24hours": "Please note that changes made to DNS may take up to 24 hours to correctly have their current state reflected on this page. It is intended as a way for you to easily see how to configure your DNS records and to check whether all your records are correctly stored in DNS.",
         "dns_records_data": "Correct Data",
-        "dns_records_docs": "Please also consult <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">the documentation</a>.",
+        "dns_records_docs": "Please also consult <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">the documentation</a>.",
         "dns_records_name": "Name",
         "dns_records_status": "Current State",
         "dns_records_type": "Type",
@@ -613,6 +627,7 @@
         "extended_sender_acl_info": "A DKIM domain key should be imported, if available.<br>\r\n  Remember to add this server to the corresponding SPF TXT record.<br>\r\n  Whenever a domain or alias domain is added to this server, that overlaps with an external address, the external address is removed.<br>\r\n  Use @domain.tld to allow to send as *@domain.tld.",
         "force_pw_update": "Force password update at next login",
         "force_pw_update_info": "This user will only be able to login to %s. App passwords remain useable.",
+        "footer_exclude": "Exclude from footer",
         "full_name": "Full name",
         "gal": "Global Address List",
         "gal_info": "The GAL contains all objects of a domain and cannot be edited by any user. Free/busy information in SOGo is missing, if disabled! <b>Restart SOGo to apply changes.</b>",
@@ -631,13 +646,13 @@
         "max_quota": "Max. quota per mailbox (MiB)",
         "maxage": "Maximum age of messages in days that will be polled from remote<br><small>(0 = ignore age)</small>",
         "maxbytespersecond": "Max. bytes per second <br><small>(0 = unlimited)</small>",
-        "mbox_exclude": "Exclude mailboxes",
         "mbox_rl_info": "This rate limit is applied on the SASL login name, it matches any \"from\" address used by the logged-in user. A mailbox rate limit overrides a domain-wide rate limit.",
         "mins_interval": "Interval (min)",
         "multiple_bookings": "Multiple bookings",
         "none_inherit": "None / Inherit",
         "nexthop": "Next hop",
         "password": "Password",
+        "password_recovery_email": "Password recovery email",
         "password_repeat": "Confirmation password (repeat)",
         "previous": "Previous page",
         "private_comment": "Private comment",
@@ -741,12 +756,19 @@
         "session_expires": "Your session will expire in about 15 seconds"
     },
     "login": {
+        "back_to_mailcow": "Back to mailcow",
         "delayed": "Login was delayed by %s seconds.",
         "fido2_webauthn": "FIDO2/WebAuthn Login",
+        "forgot_password": "> Forgot Password?",
+        "invalid_pass_reset_token": "The reset password token is invalid or has expired.<br>Please request a new password reset link.",
         "login": "Login",
         "mobileconfig_info": "Please login as mailbox user to download the requested Apple connection profile.",
+        "new_password": "New Password",
+        "new_password_confirm": "Confirm new password",
         "other_logins": "Key login",
         "password": "Password",
+        "reset_password": "Reset Password",
+        "request_reset_password": "Request password change",
         "username": "Username"
     },
     "mailbox": {
@@ -1072,11 +1094,13 @@
         "nginx_reloaded": "Nginx was reloaded",
         "object_modified": "Changes to object %s have been saved",
         "password_policy_saved": "Password policy was saved successfully",
+        "password_changed_success": "Password was successfully changed",
         "pushover_settings_edited": "Pushover settings successfully set, please verify credentials.",
         "qlearn_spam": "Message ID %s was learned as spam and deleted",
         "queue_command_success": "Queue command completed successfully",
         "recipient_map_entry_deleted": "Recipient map ID %s has been deleted",
         "recipient_map_entry_saved": "Recipient map entry \"%s\" has been saved",
+        "recovery_email_sent": "Recovery email sent to %s",
         "relayhost_added": "Map entry %s has been added",
         "relayhost_removed": "Map entry %s has been removed",
         "reset_main_logo": "Reset to default logo",
@@ -1210,6 +1234,7 @@
         "password": "Password",
         "password_now": "Current password (confirm changes)",
         "password_repeat": "Password (repeat)",
+        "password_reset_info": "If no email for password recovery is provided, this function cannot be used.",
         "pushover_evaluate_x_prio": "Escalate high priority mail [<code>X-Priority: 1</code>]",
         "pushover_info": "Push notification settings will apply to all clean (non-spam) mail delivered to <b>%s</b> including aliases (shared, non-shared, tagged).",
         "pushover_only_x_prio": "Only consider high priority mail [<code>X-Priority: 1</code>]",
@@ -1220,6 +1245,7 @@
         "pushover_sound": "Sound",
         "pushover_vars": "When no sender filter is defined, all mails will be considered.<br>Regex filters as well as exact sender checks can be defined individually and will be considered sequentially. They do not depend on each other.<br>Useable variables for text and title (please take note of data protection policies)",
         "pushover_verify": "Verify credentials",
+        "pw_recovery_email": "Password recovery email",
         "q_add_header": "Junk folder",
         "q_all": "All categories",
         "q_reject": "Rejected",

data/web/lang/lang.es-es.json

@@ -22,7 +22,9 @@
         "app_passwds": "Gestionar las contraseñas de aplicaciones",
         "domain_desc": "Cambiar descripción del dominio",
         "protocol_access": "Cambiar protocolo de acceso",
-        "quarantine_category": "Cambiar categoría de las notificaciones de cuarentena"
+        "quarantine_category": "Cambiar categoría de las notificaciones de cuarentena",
+        "domain_relayhost": "Cambiar relayhost por un dominio",
+        "extend_sender_acl": "Permitir extender la ACL del remitente por direcciones externas"
     },
     "add": {
         "activate_filter_warn": "Todos los demás filtros se desactivarán cuando este filtro se active.",

data/web/lang/lang.fr-fr.json

@@ -25,7 +25,7 @@
         "spam_score": "Score SPAM",
         "syncjobs": "Tâches de synchronisation",
         "tls_policy": "Politique TLS",
-        "unlimited_quota": "Quota illimité pour les boites de courriel",
+        "unlimited_quota": "Quota illimité pour les boîtes de réception",
         "domain_desc": "Modifier la description du domaine",
         "domain_relayhost": "Changer le relais pour un domaine",
         "mailbox_relayhost": "Changer le relais d’une boîte de réception"
@@ -52,7 +52,7 @@
         "delete2duplicates": "Supprimer les doubles à destination",
         "description": "Description",
         "destination": "Destination",
-        "disable_login": "Désactiver l'authentification (les mails entrants resteront acceptés)",
+        "disable_login": "Désactiver l'authentification (les courriels entrants resteront acceptés)",
         "domain": "domaine",
         "domain_matches_hostname": "Le domaine %s correspond à la machine (hostname)",
         "domain_quota_m": "Quota total du domaine (Mo)",
@@ -68,11 +68,11 @@
         "hostname": "Nom d'hôte",
         "inactive": "Inactif",
         "kind": "Type",
-        "mailbox_quota_def": "Quota boîte mail par défaut",
-        "mailbox_quota_m": "Quota max par boîte (Mo)",
+        "mailbox_quota_def": "Quota boîte de réception par défaut",
+        "mailbox_quota_m": "Quota max par boîte de réception (Mo)",
         "mailbox_username": "Identifiant (partie gauche d'une adresse de courriel)",
         "max_aliases": "Nombre maximal d'alias",
-        "max_mailboxes": "Nombre maximal de boîtes",
+        "max_mailboxes": "Nombre maximal de boîtes de réception",
         "mins_interval": "Période de relève (minutes)",
         "multiple_bookings": "Inscriptions multiples",
         "nexthop": "Suivant",
@@ -84,10 +84,10 @@
         "public_comment": "Commentaire public",
         "quota_mb": "Quota (Mo)",
         "relay_all": "Relayer tous les destinataires",
-        "relay_all_info": "↪ Si vous choissisez <b>de ne pas</b> relayer tous les destinataires, vous devez ajouter une boîte (\"aveugle\") pour chaque destinataire simple qui doit être relayé.",
+        "relay_all_info": "↪ Si vous choissisez <b>de ne pas</b> relayer tous les destinataires, vous devez ajouter une boîte de réception (\"aveugle\") pour chaque destinataire simple qui doit être relayé.",
         "relay_domain": "Relayer ce domaine",
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Info</div> Vous pouvez définir des cartes de transport vers une destination personnalisée pour ce domaine. sinon, une recherche MX sera effectuée.",
-        "relay_unknown_only": "Relayer uniquement les boîtes inexistantes. Les boîtes existantes seront livrées localement.",
+        "relay_unknown_only": "Relayer uniquement les boîtes de réception inexistantes. Les boîtes de réception existantes seront livrées localement.",
         "relayhost_wrapped_tls_info": "Veuillez <b>ne pas</b> utiliser des ports TLS wrappés (généralement utilisés sur le port 465).<br>\r\nUtilisez n'importe quel port non encapsulé et lancez STARTTLS. Une politique TLS pour appliquer TLS peut être créée dans \"Cartes de politique TLS\".",
         "select": "Veuillez sélectionner…",
         "select_domain": "Sélectionner d'abord un domaine",
@@ -96,7 +96,7 @@
         "skipcrossduplicates": "Ignorer les messages en double dans les dossiers (premier arrivé, premier servi)",
         "subscribeall": "S'abonner à tous les dossiers",
         "syncjob": "Ajouter une tâche de synchronisation",
-        "syncjob_hint": "Sachez que les mots de passe seront sauvegardés en clair !",
+        "syncjob_hint": "Sachez que les mots de passe seront enregistrés en clair !",
         "target_address": "Aller à l'adresse",
         "target_address_info": "<small>Adresse(s) de courriel complète(s) (séparées par des virgules).</small>",
         "target_domain": "Domaine cible",
@@ -105,9 +105,10 @@
         "username": "Nom d'utilisateur",
         "validate": "Valider",
         "validation_success": "Validation réussie",
-        "bcc_dest_format": "La destination Cci doit être une seule adresse e-mail valide.<br>Si vous avez besoin d'envoyer une copie à plusieurs adresses, créez un alias et utilisez-le ici.",
+        "bcc_dest_format": "La destination Cci doit être une seule adresse de courriel valide.<br>Si vous avez besoin d'envoyer une copie à plusieurs adresses, créez un alias et utilisez-le ici.",
         "tags": "Etiquettes",
-        "app_passwd_protocols": "Protocoles autorisés pour le mot de passe de l'application"
+        "app_passwd_protocols": "Protocoles autorisés pour le mot de passe de l'application",
+        "dry": "Simuler la synchronisation"
     },
     "admin": {
         "access": "Accès",
@@ -169,7 +170,7 @@
         "domain_s": "Domaine(s)",
         "duplicate": "Dupliquer",
         "duplicate_dkim": "Dupliquer l'enregistrement DKIM",
-        "edit": "Editer",
+        "edit": "Éditer",
         "empty": "Aucun résultat",
         "excludes": "Exclure ces destinataires",
         "f2b_ban_time": "Durée du bannissement (s)",
@@ -193,7 +194,7 @@
         "generate": "générer",
         "guid": "GUID - Identifiant de l'instance",
         "guid_and_license": "GUID & Licence",
-        "hash_remove_info": "La suppression d'un hachage ratelimit (s'il existe toujours) réinitialisera complètement son compteur.<br>\r\n  Chaque hachage est indiqué par une couleur individuelle.",
+        "hash_remove_info": "La suppression d'un hachage limite d'envoi (s'il existe toujours) réinitialisera complètement son compteur.<br>\n  Chaque hachage est indiqué par une couleur individuelle.",
         "help_text": "Remplacer le texte d'aide sous le masque de connexion (HTML autorisé)",
         "host": "Hôte",
         "html": "HTML",
@@ -202,14 +203,14 @@
         "in_use_by": "Utilisé par",
         "inactive": "Inactif",
         "include_exclude": "Inclure/Exclure",
-        "include_exclude_info": "Par défaut - sans sélection - <b>toutes les boîtes</b> sont adressées",
+        "include_exclude_info": "Par défaut - sans sélection - <b>toutes les boîte de réception</b> sont adressées",
         "includes": "Inclure ces destinataires",
         "last_applied": "Dernière application",
         "license_info": "Une licence n’est pas requise, mais contribue au développement.<br><a href=\"https://www.servercow.de/mailcow?lang=en#sal\" target=\"_blank\" alt=\"SAL order\">Enregistrer votre GUID ici</a> or <a href=\"https://www.servercow.de/mailcow?lang=en#support\" target=\"_blank\" alt=\"Support order\">acheter le support pour votre intallation Mailcow.</a>",
         "link": "Lien",
         "loading": "Veuillez patienter…",
         "logo_info": "Votre image sera redimensionnée à une hauteur de 40 pixels pour la barre de navigation du haut et à un maximum de 250 pixels en largeur pour la page d'accueil. Un graphique extensible est fortement recommandé.",
-        "lookup_mx": "Faire correspondre la destination à MX (.outlook.com pour acheminer tous les messages ciblés vers un MX * .outlook.com sur ce tronçon)",
+        "lookup_mx": "Faire correspondre la destination à MX (<code>.*\\.google\\.com</code> pour acheminer tous les messages ciblés vers un MX se terminant par google.com sur ce tronçon)",
         "main_name": "\"mailcow UI\" nom",
         "merged_vars_hint": "Les lignes grisées ont été importées depuis <code>vars.(local.)inc.php</code> et ne peuvent pas être modifiées.",
         "message": "Message",
@@ -221,7 +222,7 @@
         "no_record": "Aucun enregistrement",
         "oauth2_client_id": "Client ID",
         "oauth2_client_secret": "Secret client",
-        "oauth2_info": "L'implémentation OAuth2 prend en charge le type d'autorisation \"Authorization Code\" et émet des jetons d'actualisation.<br>\nLe serveur émet également automatiquement de nouveaux jetons d'actualisation, après qu'un jeton d'actualisation a été utilisé.<br><br>\n→ La portée par défaut est <i>profile</i>. Seuls les utilisateurs d'une boîte peuvent être authentifiés par rapport à OAuth2. Si le paramètre scope est omis, il revient au <i>profile</i>.<br>\n→ Le paramètre <i>state</i> doit être envoyé par le client dans le cadre de la demande d'autorisation.<br><br>\nChemins d'accès aux requêtes vers l'API OAuth <br>\n<ul>\n  <li>Point de terminaison d'autorisation : <code>/oauth/authorize</code></li>\n  <li>Point de terminaison du jeton : <code>/oauth/token</code></li>\n  <li>Page de ressource : <code>/oauth/profile</code></li>\n</ul>\nLa régénération du secret client ne fera pas expirer les codes d'autorisation existants, mais ils ne pourront pas renouveler leur jeton.<br><br>\nLa révocation des jetons clients entraînera la fin immédiate de toutes les sessions actives. Tous les clients doivent se ré-authentifier.",
+        "oauth2_info": "L'implémentation OAuth2 prend en charge le type d'autorisation \"Authorization Code\" et émet des jetons d'actualisation.<br>\nLe serveur émet également automatiquement de nouveaux jetons d'actualisation, après qu'un jeton d'actualisation a été utilisé.<br><br>\n→ La portée par défaut est <i>profile</i>. Seuls les utilisateurs d'une boîte de réception peuvent être authentifiés par rapport à OAuth2. Si le paramètre scope est omis, il revient au <i>profile</i>.<br>\n→ Le paramètre <i>state</i> doit être envoyé par le client dans le cadre de la demande d'autorisation.<br><br>\nChemins d'accès aux requêtes vers l'API OAuth <br>\n<ul>\n  <li>Point de terminaison d'autorisation : <code>/oauth/authorize</code></li>\n  <li>Point de terminaison du jeton : <code>/oauth/token</code></li>\n  <li>Page de ressource : <code>/oauth/profile</code></li>\n</ul>\nLa régénération du secret client ne fera pas expirer les codes d'autorisation existants, mais ils ne pourront pas renouveler leur jeton.<br><br>\nLa révocation des jetons clients entraînera la fin immédiate de toutes les sessions actives. Tous les clients doivent se ré-authentifier.",
         "oauth2_redirect_uri": "URI de redirection",
         "oauth2_renew_secret": "Générer un nouveau secret client",
         "oauth2_revoke_tokens": "Révoquer tous les jetons",
@@ -236,24 +237,24 @@
         "quarantine_max_age": "Âge maximun en jour(s)<br><small>La valeur doit être égale ou supérieure à 1 jour.</small>",
         "quarantine_max_size": "Taille maximum en Mo (les éléments plus grands sont mis au rebut):<br><small>0 ne signifie <b>pas</b> illimité.</small>",
         "quarantine_max_score": "Ignorer la notification si le score de spam est au dessus de cette valeur :<br><small>Par défaut : 9999.0</small>",
-        "quarantine_notification_html": "Modèle de courriel de notification:<br><small>Laisser vide pour restaurer le modèle par défaut.</small>",
-        "quarantine_notification_sender": "Notification par e-mail de l’expéditeur",
+        "quarantine_notification_html": "Modèle de courriel de notification :<br><small>Laisser vide pour restaurer le modèle par défaut.</small>",
+        "quarantine_notification_sender": "Notification par courriel de l’expéditeur",
         "quarantine_notification_subject": "Objet du courriel de notification",
         "quarantine_redirect": "<b>Rediriger toutes les notifications</b> vers ce destinataire:<br><small>Laisser vide pour désactiver. <b>Courrier non signé et non coché. Doit être livré en interne seulement.</b></small>",
         "quarantine_release_format": "Format des éléments diffusés",
         "quarantine_release_format_att": "En pièce jointe",
         "quarantine_release_format_raw": "Original non modifié",
-        "quarantine_retention_size": "Rétentions par boîte:<br><small>0 indique <b>inactive</b>.</small>",
-        "quota_notification_html": "Modèle de courriel de notification:<br><small>Laisser vide pour restaurer le modèle par défaut.</small>",
-        "quota_notification_sender": "Notification par e-mail de l’expéditeur",
+        "quarantine_retention_size": "Rétentions par boîte de réception:<br><small>0 indique <b>inactive</b>.</small>",
+        "quota_notification_html": "Modèle de courriel de notification :<br><small>Laisser vide pour restaurer le modèle par défaut.</small>",
+        "quota_notification_sender": "Notification par courriel de l’expéditeur",
         "quota_notification_subject": "Objet du courriel de notification",
         "quota_notifications": "Notifications de quotas",
         "quota_notifications_info": "Les notications de quota sont envoyées aux utilisateurs une fois lors du passage à 80 % et une fois lors du passage à 95 % d’utilisation.",
-        "quota_notifications_vars": "{{percent}} égale le quota actuel de l’utilisateur<br>{{username}} est le nom de la boîte",
+        "quota_notifications_vars": "{{percent}} égale le quota actuel de l’utilisateur<br>{{username}} est le nom de la boîte de réception",
         "r_active": "Restrictions actives",
         "r_inactive": "Restrictions inactives",
         "r_info": "Les éléments grisés/désactivés sur la liste des restrictions actives ne sont pas considérés comme des restrictions valides pour Mailcow et ne peuvent pas être déplacés. Des restrictions inconnues seront établies par ordre d’apparition de toute façon. <br>Vous pouvez ajouter de nouveaux éléments dans le code <code>inc/vars.local.inc.php</code> pour pouvoir les basculer.",
-        "rate_name": "Nom du taux",
+        "rate_name": "Nom de la limite",
         "recipients": "Destinataires",
         "refresh": "Rafraîchir",
         "regen_api_key": "Regénérer la clé API",
@@ -273,9 +274,9 @@
         "rsetting_no_selection": "Veuillez sélectionner une règle",
         "rsetting_none": "Pas de règles disponibles",
         "rsettings_insert_preset": "Insérer un exemple de préréglage \"%s\"",
-        "rsettings_preset_1": "Désactiver tout sauf DKIM et la limite tarifaire pour les utilisateurs authentifiés",
+        "rsettings_preset_1": "Désactiver tout sauf DKIM et la limite d'envoi pour les utilisateurs authentifiés",
         "rsettings_preset_2": "Les postmasters veulent du spam",
-        "rsettings_preset_3": "Autoriser uniquement des expéditeurs particuliers pour une boîte (c.-à-d. utilisation comme boîte interne seulement)",
+        "rsettings_preset_3": "Autoriser uniquement des expéditeurs particuliers pour une boîte de réception (c.-à-d. utilisation comme boîte de réception interne seulement)",
         "rspamd_com_settings": "Un nom de paramètre sera généré automatiquement, voir l’exemple de préréglages ci-dessous. Pour plus de détails voir : <a href=\"https://rspamd.com/doc/configuration/settings.html#settings-structure\" target=\"_blank\">Docs Rspamd</a>",
         "rspamd_global_filters": "Cartes des filtres globaux",
         "rspamd_global_filters_agree": "Je serai prudent !",
@@ -311,7 +312,7 @@
         "ui_header_announcement_type_warning": "Important",
         "ui_header_announcement_type_danger": "Très important",
         "ui_texts": "Textes et étiquettes de l'interface utilisateur",
-        "unban_pending": "unban en attente",
+        "unban_pending": "Débanissement en attente",
         "unchanged_if_empty": "Si non modifié, laisser en blanc",
         "upload": "Charger",
         "username": "Nom d'utilisateur",
@@ -330,7 +331,19 @@
         "logo_normal_label": "Normal",
         "logo_dark_label": "Inversé pour le mode sombre",
         "allowed_methods": "Access-Control-Allow-Methods",
-        "allowed_origins": "Access-Control-Allow-Origin"
+        "allowed_origins": "Access-Control-Allow-Origin",
+        "copy_to_clipboard": "Texte copié dans le presse-papier !",
+        "password_policy_special_chars": "Doit contenir des caractères spéciaux",
+        "rsettings_preset_4": "Désactiver Rspamd pour un domaine",
+        "oauth2_apps": "Applications OAuth2",
+        "password_length": "Longueur des mots de passe",
+        "password_policy_chars": "Doit contenir au moins une lettre",
+        "password_policy_length": "La longueur minimale du mot de passe est de %d",
+        "f2b_manage_external_info": "Fail2ban maintiendra la liste de bannissement, mais ne définira pas activement de règles pour bloquer le trafic. Utilisez la liste de bannissement générée ci-dessous pour bloquer le trafic de manière externe.",
+        "f2b_manage_external": "Gérer Fail2Ban en externe",
+        "transport_test_rcpt_info": "&#8226 ; Utilisez null@hosted.mailcow.de pour tester le relais vers une destination étrangère.",
+        "relay_rcpt": "Adresse \"À :\"",
+        "is_mx_based": "Basé sur MX"
     },
     "danger": {
         "access_denied": "Accès refusé ou données de formulaire non valides",
@@ -344,9 +357,9 @@
         "app_passwd_id_invalid": "Le mot de passe ID %s de l'application est non valide",
         "bcc_empty": "La destination BCC destination ne peut pas être vide",
         "bcc_exists": "Une carte de transport BCC %s existe pour le type %s",
-        "bcc_must_be_email": "Le destination BCC %s n'est pas une adresse mail valide",
+        "bcc_must_be_email": "La destination BCC %s n'est pas une adresse de courriel valide",
         "comment_too_long": "Le commentaire est trop long, 160 caractère max sont permis",
-        "defquota_empty": "Le quota par défaut par boîte ne doit pas être 0.",
+        "defquota_empty": "Le quota par défaut par boîte de réception doit pas être 0.",
         "description_invalid": "La description des ressources pour %s est non valide",
         "dkim_domain_or_sel_exists": "Une clé DKIM pour \"%s\" existe et ne sera pas écrasée",
         "dkim_domain_or_sel_invalid": "Domaine ou sélection DKIM non valide : %s",
@@ -381,22 +394,22 @@
         "invalid_recipient_map_old": "Destinataire original spécifié non valide : %s",
         "ip_list_empty": "La liste des adresses IP autorisées ne peut pas être vide",
         "is_alias": "%s est déjà connu comme une adresse alias",
-        "is_alias_or_mailbox": "%s est déjà connu comme un alias, une boîte ou une adresse alias développée à partir d’un domaine alias.",
+        "is_alias_or_mailbox": "%s est déjà connu comme un alias, une boîte de réception ou une adresse alias développée à partir d’un domaine alias.",
         "is_spam_alias": "%s est déjà connu comme une adresse alias temporaire (alias d'adresse spam)",
         "last_key": "La dernière clé ne peut pas être supprimée, veuillez désactiver TFA à la place.",
         "login_failed": "La connexion a échoué",
         "mailbox_defquota_exceeds_mailbox_maxquota": "Le quota par défaut dépasse la limite maximale du quota",
-        "mailbox_invalid": "Le nom de la boîte n'est pas valide",
+        "mailbox_invalid": "Le nom de la boîte de réception n'est pas valide",
         "mailbox_quota_exceeded": "Le quota dépasse la limite du domaine (max. %d Mo)",
-        "mailbox_quota_exceeds_domain_quota": "Le quota maximum dépasse la limite du quota de domaine",
+        "mailbox_quota_exceeds_domain_quota": "Le quota maximal dépasse la limite du quota de domaine",
         "mailbox_quota_left_exceeded": "Espace libre insuffisant (espace libre : %d Mio)",
-        "mailboxes_in_use": "Le max. des boîtes doit être supérieur ou égal à %d",
+        "mailboxes_in_use": "Le max. des boîtes de réception doit être supérieur ou égal à %d",
         "malformed_username": "Nom d’utilisateur malformé",
         "map_content_empty": "Le contenu de la carte ne peut pas être vide",
         "max_alias_exceeded": "Le nombre max. d'aliases est dépassé",
-        "max_mailbox_exceeded": "Le nombre max. de boîte est dépassé (%d of %d)",
-        "max_quota_in_use": "Le quota de la boîte doit être supérieur ou égal à %d Mo",
-        "maxquota_empty": "Le quota maximum par boîte ne doit pas être de 0.",
+        "max_mailbox_exceeded": "Le nombre max. de boîte de réception est dépassé (%d of %d)",
+        "max_quota_in_use": "Le quota de la boîte de réception doit être supérieur ou égal à %d Mo",
+        "maxquota_empty": "Le quota maximum par boîte de réception ne doit pas être de 0.",
         "mysql_error": "Erreur MySQL : %s",
         "nginx_reload_failed": "Le rechargement de Nginx a échoué : %s",
         "network_host_invalid": "Réseau ou hôte non valide : %s",
@@ -421,15 +434,15 @@
         "release_send_failed": "Le message n’a pas pu être diffusé : %s",
         "reset_f2b_regex": "Le filtre regex n'a pas pu être réinitialisé à temps, veuillez réessayer ou attendre quelques secondes de plus et recharger le site web.",
         "resource_invalid": "Le nom de la resource %s n'est pas valide",
-        "rl_timeframe": "Le délai limite du taux est incorrect",
-        "rspamd_ui_pw_length": "Le mot de passe de l'interface Rspamd doit être de 6 caratères au minimum",
+        "rl_timeframe": "Le délai de la limite d'envoi est incorrect",
+        "rspamd_ui_pw_length": "Le mot de passe de l'interface Rspamd doit être de 6 caractères au minimum",
         "script_empty": "Le script ne peut pas être vide",
         "sender_acl_invalid": "La valeur ACL de l’expéditeur %s est invalide",
-        "set_acl_failed": "Impossible de définir ACL",
+        "set_acl_failed": "Impossible de définir l'ACL",
         "settings_map_invalid": "La carte des paramètres %s est invalide",
         "sieve_error": "Erreur d'analyse syntaxique Sieve : %s",
         "spam_learn_error": "Erreur d'apprentissage du spam : %s",
-        "subject_empty": "Le sujet ne peut^pas être vide",
+        "subject_empty": "Le sujet ne peut pas être vide",
         "target_domain_invalid": "Le domaine cible %s n'est pas valide",
         "targetd_not_found": "Le domaine cible %s est introuvable",
         "targetd_relay_domain": "Le domaine cible %s est un domaine de relais",
@@ -441,7 +454,7 @@
         "tls_policy_map_parameter_invalid": "Le paramètre Policy est invalide",
         "totp_verification_failed": "Echec de la vérification TOTP",
         "transport_dest_exists": "La destination de transport \"%s\" existe",
-        "webauthn_verification_failed": "Echec de la vérification WebAuthn : %s",
+        "webauthn_verification_failed": "Échec de la vérification WebAuthn : %s",
         "fido2_verification_failed": "La vérification FIDO2 a échoué : %s",
         "unknown": "Une erreur inconnue est survenue",
         "unknown_tfa_method": "Methode TFA inconnue",
@@ -450,11 +463,18 @@
         "validity_missing": "Veuillez attribuer une période de validité",
         "value_missing": "Veuillez fournir toutes les valeurs",
         "yotp_verification_failed": "La vérification Yubico OTP a échoué : %s",
-        "webauthn_authenticator_failed": "L'authentificateur selectionné est introuvable",
+        "webauthn_authenticator_failed": "L'authentificateur sélectionné est introuvable",
         "demo_mode_enabled": "Le mode de démonstration est activé",
-        "template_exists": "La template %s existe déja",
-        "template_id_invalid": "Le numéro de template %s est invalide",
-        "template_name_invalid": "Le nom de la template est invalide"
+        "template_exists": "Le modèle %s existe déjà",
+        "template_id_invalid": "Le numéro de modèle %s est invalide",
+        "template_name_invalid": "Le nom du modèle est invalide",
+        "img_dimensions_exceeded": "L'image dépasse les dimensions maximales",
+        "img_size_exceeded": "L'image dépasse la taille maximale de fichier",
+        "webauthn_publickey_failed": "Aucune clé publique n'a été stockée pour l'authentificateur sélectionné.",
+        "cors_invalid_method": "Allow-Method specifiée invalide",
+        "cors_invalid_origin": "Allow-Origin spécifiée invalide",
+        "extended_sender_acl_denied": "ACL manquante pour définir les adresses des expéditeurs externes",
+        "webauthn_username_failed": "L'authentificateur sélectionné appartient à un autre compte"
     },
     "debug": {
         "chart_this_server": "Graphique (ce serveur)",
@@ -464,7 +484,7 @@
         "history_all_servers": "Historique (tous les serveurs)",
         "in_memory_logs": "Logs En-mémoire",
         "jvm_memory_solr": "Utilisation mémoire JVM",
-        "log_info": "<p>Les logs <b>En-mémoire</b> Mailcow sont collectés dans des listes Redis et découpées en LOG_LINES (%d) chaque minute pour réduire la charge.\r\n  <br>Les logs En-mémoire ne sont pas destinés à être persistants. Toutes les applications qui se connectent en mémoire, se connectent également au démon Docker et donc au pilote de journalisation par défaut.\r\n  <br>Le type de journal en mémoire doit être utilisé pour déboguer les problèmes mineurs avec les conteneurs.</p>\r\n  <p><b>Les logs externes</b> sont collectés via l'API de l'application concernée.</p>\r\n  <p>Les journaux <b>statiques</b> sont principalement des journaux d’activité, qui ne sont pas enregistrés dans Dockerd, mais qui doivent toujours être persistants (sauf pour les logs API).</p>",
+        "log_info": "<p>Les logs <b>En-mémoire</b> Mailcow sont collectés dans des listes Redis et découpées en LOG_LINES (%d) chaque minute pour réduire la charge.\n  <br>Les logs En-mémoire ne sont pas destinés à être persistants. Toutes les applications qui se connectent en mémoire, se connectent également au démon Docker, et donc au pilote de journalisation par défaut.\n  <br>Le type de journal en mémoire doit être utilisé pour déboguer les problèmes mineurs avec les conteneurs.</p>\n  <p><b>Les logs externes</b> sont collectés via l'API de l'application concernée.</p>\n  <p>Les journaux <b>statiques</b> sont principalement des journaux d’activité, qui ne sont pas enregistrés dans Dockerd, mais qui doivent toujours être persistants (sauf pour les logs API).</p>",
         "logs": "Logs",
         "restart_container": "Redémarrer",
         "solr_dead": "Solr est en cours de démarrage, désactivé ou mort.",
@@ -477,23 +497,29 @@
         "uptime": "Disponibilité",
         "started_on": "Démarré à",
         "static_logs": "Logs statiques",
-        "system_containers": "Système & Conteneurs"
+        "system_containers": "Système & Conteneurs",
+        "timezone": "Fuseau horaire",
+        "username": "Nom d'utilisateur",
+        "wip": "En cours de réalisation",
+        "architecture": "Architecture",
+        "cores": "Cœurs",
+        "current_time": "Heure du système"
     },
     "diagnostics": {
         "cname_from_a": "Valeur dérivée de l’enregistrement A/AAAA. Ceci est supporté tant que l’enregistrement indique la bonne ressource.",
         "dns_records": "Enregistrements DNS",
         "dns_records_24hours": "Veuillez noter que les modifications apportées au DNS peuvent prendre jusqu’à 24 heures pour que leurs états actuels soient correctement reflétés sur cette page. Il est conçu comme un moyen pour vous de voir facilement comment configurer vos enregistrements DNS et de vérifier si tous vos enregistrements sont correctement stockés dans les DNS.",
-        "dns_records_docs": "Veuillez également consulter <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">la documentation</a>.",
+        "dns_records_docs": "Veuillez également consulter <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">la documentation</a>.",
         "dns_records_data": "Données correcte",
         "dns_records_name": "Nom",
-        "dns_records_status": "Etat courant",
+        "dns_records_status": "État courant",
         "dns_records_type": "Type",
         "optional": "Cet enregistrement est optionel."
     },
     "edit": {
         "active": "Actif",
         "advanced_settings": "Réglages avancés",
-        "alias": "Editer les alias",
+        "alias": "Éditer les alias",
         "allow_from_smtp": "Restreindre l'utilisation de <b>SMTP</b> à ces adresses IP",
         "allow_from_smtp_info": "Laissez vide pour autoriser tous les expéditeurs.<br>Adresses IPv4/IPv6 et réseaux.",
         "allowed_protocols": "Protocoles autorisés",
@@ -501,7 +527,7 @@
         "app_passwd": "Mot de passe de l'application",
         "automap": "Essayer d’automatiser les dossiers (\"Sent items\", \"Sent\" => \"Sent\" etc.)",
         "backup_mx_options": "Options Backup MX",
-        "bcc_dest_format": "La destination BCC doit être une seule adresse e-mail valide.",
+        "bcc_dest_format": "La destination BCC doit être une seule adresse de courriel valide.",
         "client_id": "ID client",
         "client_secret": "Secret client",
         "comment_info": "Un commentaire privé n’est pas visible pour l’utilisateur, tandis qu’un commentaire public est affiché comme infobulle lorsque vous le placez dans un aperçu des utilisateurs",
@@ -511,13 +537,13 @@
         "delete_ays": "Veuillez confirmer le processus de suppression.",
         "description": "Description",
         "disable_login": "Refuser l’ouverture de session (le courrier entrant est toujours accepté)",
-        "domain": "Edition du domaine",
-        "domain_admin": "Edition de l'administrateur du domaine",
+        "domain": "Édition du domaine",
+        "domain_admin": "Édition de l'administrateur du domaine",
         "domain_quota": "Quota du domaine",
         "domains": "Domaines",
         "dont_check_sender_acl": "Désactiver la vérification de l’expéditeur pour le domaine %s (+ alias de domaines)",
-        "edit_alias_domain": "Edition des alias de domaine",
-        "encryption": "Cryptage",
+        "edit_alias_domain": "Édition des alias de domaine",
+        "encryption": "Chiffrement",
         "exclude": "Exclure des objets (regex)",
         "extended_sender_acl": "Adresses de l’expéditeur externe",
         "extended_sender_acl_info": "Une clé de domaine DKIM doit être importée, si disponible.<br>\r\n  N’oubliez pas d’ajouter ce serveur à l’enregistrement TXT SPF correspondant.<br>\r\n  Chaque fois qu’un domaine ou un alias de domaine est ajouté à ce serveur, et qui chevauche une adresse externe, l’adresse externe est supprimée.<br>\r\n  Utiliser @domain.tld pour permettre l'envoi comme *@domain.tld.",
@@ -532,14 +558,14 @@
         "inactive": "Inactif",
         "kind": "Type",
         "last_modified": "Dernière modification",
-        "mailbox": "Edition de la boîte mail",
-        "mailbox_quota_def": "Quota par défaut de la boîte",
+        "mailbox": "Édition de la boîte de réception",
+        "mailbox_quota_def": "Quota par défaut de la boîte de réception",
         "max_aliases": "Nombre max. d'alias",
-        "max_mailboxes": "Nombre max. de boîtes possibles",
-        "max_quota": "Quota max. par boîte mail (Mo)",
+        "max_mailboxes": "Nombre max. de boîte de réception possibles",
+        "max_quota": "Quota max. par boîte de réception (Mo)",
         "maxage": "Âge maximal en jours des messages qui seront consultés à distance<br><small>(0 = ignorer la durée)</small>",
         "maxbytespersecond": "Octets max. par seconde <br><small>(0 = pas de limite)</small>",
-        "mbox_rl_info": "Cette limite de taux est appliquée au nom de connexion SASL, elle correspond à toute adresse \"from\" utilisée par l’utilisateur connecté. Une limite tarifaire pour les boîtes remplace une limite tarifaire pour l’ensemble du domaine.",
+        "mbox_rl_info": "Cette limite d'envoi est appliquée au nom de connexion SASL, elle correspond à toute adresse \"from\" utilisée par l’utilisateur connecté. Une limite d'envoi pour les boîtes de réception remplace une limite d'envoi pour l’ensemble du domaine.",
         "mins_interval": "Intervalle (min)",
         "multiple_bookings": "Réservations multiples",
         "nexthop": "Saut suivant",
@@ -549,22 +575,22 @@
         "private_comment": "Commentaire privé",
         "public_comment": "Commentaire public",
         "pushover_evaluate_x_prio": "Acheminement du courrier hautement prioritaire [<code>X-Priority: 1</code>]",
-        "pushover_info": "Les paramètres de notification push s’appliqueront à tout le courrier propre (non spam) livré à <b>%s</b> y compris les alias (partagés, non partagés, étiquetés).",
+        "pushover_info": "Les paramètres de notification push s’appliqueront à tout le courrier propre (non-spam) livré à <b>%s</b> y compris les alias (partagés, non partagés, étiquetés).",
         "pushover_only_x_prio": "Ne tenir compte que du courrier hautement prioritaire [<code>X-Priority: 1</code>]",
-        "pushover_sender_array": "Ne tenir compte que des adresses électroniques suivantes de l’expéditeur : <small>(séparées par des virgules)</small>",
+        "pushover_sender_array": "Ne tenir compte que des adresses de courriel suivantes de l’expéditeur : <small>(séparées par des virgules)</small>",
         "pushover_sender_regex": "Tenir compte de l’expéditeur regex suivant",
         "pushover_text": "Texte de la notification",
         "pushover_title": "Titre de la notification",
         "pushover_vars": "Lorsque aucun filtre d’expéditeur n’est défini, tous les messages seront considérés.<br>Les filtres Regex ainsi que les vérifications exactes de l’expéditeur peuvent être définis individuellement et seront considérés de façon séquentielle. Ils ne dépendent pas les uns des autres.<br>Variables utilisables pour le texte et le titre (veuillez prendre note des politiques de protection des données)",
-        "pushover_verify": "Vérifier les justificatifs",
+        "pushover_verify": "Vérifier les informations d'identification",
         "quota_mb": "Quota (Mo)",
-        "ratelimit": "Limite de taux",
-        "redirect_uri": "Redirection/rappel URL",
+        "ratelimit": "Limite d'envoi",
+        "redirect_uri": "URL de redirection/callback",
         "relay_all": "Relayer tous les destinataires",
-        "relay_all_info": "↪ Si vous <b>ne choissisez pas</b> de relayer tous les destinataires, vous devrez ajouter une boîte (\"aveugle\") pour chaque destinataire qui devrait être relayé.",
+        "relay_all_info": "↪ Si vous <b>ne choisissez pas</b> de relayer tous les destinataires, vous devrez ajouter une boîte de réception (\"aveugle\") pour chaque destinataire qui devrait être relayé.",
         "relay_domain": "Relayer ce domaine",
         "relay_transport_info": "<div class=\"badge fs-6 bg-info\">Info</div> Vous pouvez définir des cartes de transport vers une destination personnalisée pour ce domaine. Si elle n’est pas configurée, une recherche MX sera effectuée.",
-        "relay_unknown_only": "Relais des boîtes non existantes seulement. Les boîtes existantes seront livrées localement..",
+        "relay_unknown_only": "Relais des boîtes de réception non existantes seulement. Les boîtes de réception existantes seront livrées localement.",
         "relayhost": "Transports dépendant de l’expéditeur",
         "remove": "Enlever",
         "resource": "Ressource",
@@ -572,12 +598,12 @@
         "scope": "Portée",
         "sender_acl": "Permettre d’envoyer comme",
         "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Le contrôle de l’expéditeur est désactivé</span>",
-        "sender_acl_info": "Si l’utilisateur de la boîte A est autorisé à envoyer en tant qu’utilisateur de la boîte B, l’adresse de l’expéditeur n’est pas automatiquement affichée comme sélectionnable du champ \"from\" dans SOGo.<br>\r\n  L’utilisateur B de la boîte doit créer une délégation dans Sogo pour permettre à l’utilisateur A de la boîte de sélectionner son adresse comme expéditeur. Pour déléguer une boîte dans Sogo, utilisez le menu (trois points) à droite du nom de votre boîte dans le coin supérieur gauche dans la vue de courrier. Ce comportement ne s’applique pas aux adresses alias.",
+        "sender_acl_info": "Si l’utilisateur de la boîte de réception A est autorisé à envoyer en tant qu’utilisateur de la boîte de réception B, l’adresse de l’expéditeur n’est pas automatiquement affichée comme sélectionnable du champ \"de\" dans SOGo.<br>\n  L’utilisateur B de la boîte de réception doit créer une délégation dans Sogo pour permettre à l’utilisateur A de la boîte de réception de sélectionner son adresse comme expéditeur. Pour déléguer une boîte de réception dans Sogo, utilisez le menu (trois points) à droite du nom de votre boîte dans le coin supérieur gauche dans la vue de courrier. Ce comportement ne s’applique pas aux adresses alias.",
         "sieve_desc": "Description courte",
         "sieve_type": "Type de filtre",
         "skipcrossduplicates": "Ignorer les messages en double dans les dossiers (premier arrivé, premier servi)",
         "sogo_visible": "Alias visible dans SOGo",
-        "sogo_visible_info": "Cette option affecte uniquement les objets qui peuvent être affichés dans SOGo (adresses alias partagées ou non partagées pointant vers au moins une boîte mail locale). Si caché, un alias n’apparaîtra pas comme expéditeur sélectionnable dans SOGo.",
+        "sogo_visible_info": "Cette option affecte uniquement les objets qui peuvent être affichés dans SOGo (adresses alias partagées ou non partagées pointant vers au moins une boîte de réception locale). Si caché, un alias n’apparaîtra pas comme expéditeur sélectionnable dans SOGo.",
         "spam_alias": "Créer ou modifier des adresses alias limitées dans le temps",
         "spam_filter": "Filtre spam",
         "spam_policy": "Ajouter ou supprimer des éléments à la liste blanche/noire",
@@ -588,12 +614,35 @@
         "target_domain": "Domaine cible",
         "timeout1": "Délai de connexion à l’hôte distant",
         "timeout2": "Délai de connexion à l’hôte local",
-        "title": "Editer l'objet",
+        "title": "Éditer l'objet",
         "unchanged_if_empty": "Si non modifié, laisser en blanc",
         "username": "Nom d'utilisateur",
-        "validate_save": "Valider et sauver",
+        "validate_save": "Valider et enregistrer",
         "lookup_mx": "La destination est une expression régulière qui doit correspondre avec le nom du MX (<code>.*\\.google\\.com</code> pour acheminer tout le courrier destiné à un MX se terminant par google.com via ce saut)",
-        "mailbox_relayhost_info": "S'applique uniquement à la boîte aux lettres et aux alias directs, remplace le relayhost du domaine."
+        "mailbox_relayhost_info": "S'applique uniquement à la boîte de réception et aux alias directs, remplace le relayhost du domaine.",
+        "acl": "ACL (Permission)",
+        "footer_exclude": "Exclure du pied de page",
+        "custom_attributes": "Attributs personnalisés",
+        "domain_footer_info_vars": {
+            "from_addr": "{= from_addr =} - Partie de l'enveloppe relative à l'adresse de provenance",
+            "from_domain": "{= from_domain =} - Partie de l'enveloppe provenant du domaine",
+            "custom": "{= foo =} - Si la boîte de réception possède l'attribut personnalisé \"foo\" avec la valeur \"bar\", elle renvoie \"bar\"",
+            "auth_user": "{= auth_user =}    - Nom d'utilisateur authentifié spécifié par un MTA",
+            "from_user": "{= from_user =}   -La partie utilisateur de l'enveloppe, par exemple, pour \"moo@mailcow.tld\", renvoie \"moo\"",
+            "from_name": "{= from_name =} - À partir du nom de l'enveloppe, par exemple, pour \"Mailcow &lt;moo@mailcow.tld&gt ;\" on obtient \"Mailcow\""
+        },
+        "domain_footer_skip_replies": "Ignorer le pied de page des courriels de réponse",
+        "domain_footer": "Pied de page du domaine",
+        "domain_footer_html": "Pied de page HTML",
+        "domain_footer_info": "Les pieds de page du domaine sont ajoutés à tous les courriels sortants associés à une adresse au sein de ce domaine. <br> Les variables suivantes peuvent être utilisées pour le pied de page :",
+        "domain_footer_plain": "Pied de page",
+        "app_passwd_protocols": "Protocoles autorisés pour le mot de passe d'application",
+        "created_on": "Créé le",
+        "none_inherit": "Aucun / Héritage",
+        "quota_warning_bcc": "Avertissement sur les quotas BCC",
+        "quota_warning_bcc_info": "Les avertissements seront envoyés en copies séparées aux destinataires suivants. Le sujet sera précédé du nom d'utilisateur correspondant entre parenthèses, par exemple : <code>Avertissement sur les quotas (user@example.com)</code>.",
+        "sogo_access_info": "L'authentification unique à partir de l'interface de messagerie reste opérationnelle. Ce paramètre n'affecte pas l'accès à tous les autres services et ne supprime ni ne modifie le profil SOGo existant d'un utilisateur.",
+        "admin": "Modifier l'administrateur"
     },
     "footer": {
         "cancel": "Annuler",
@@ -604,15 +653,16 @@
         "hibp_ok": "Aucune correspondance trouvée.",
         "loading": "Veuillez patienter…",
         "restart_container": "Redémarrer le conteneur",
-        "restart_container_info": "<b>Important:</b> Un redémarrage en douceur peut prendre un certain temps, veuillez attendre qu’il soit terminé.",
+        "restart_container_info": "<b>Important :</b> Un redémarrage en douceur peut prendre un certain temps, veuillez attendre qu’il soit terminé.",
         "restart_now": "Redémarrer maintenant",
-        "restarting_container": "Redémarrage du conteneur, cela peut prendre un certain temps"
+        "restarting_container": "Redémarrage du conteneur, cela peut prendre un certain temps",
+        "nothing_selected": "Rien n'est sélectionné"
     },
     "header": {
         "administration": "Configuration & détails",
         "apps": "Applications",
         "debug": "Information Système",
-        "email": "E-Mail",
+        "email": "Courriel",
         "mailcow_config": "Configuration",
         "quarantine": "Quarantaine",
         "restart_netfilter": "Redémarrer Netfilter",
@@ -628,7 +678,7 @@
         "delayed": "La connexion a été retardée de %s secondes.",
         "fido2_webauthn": "FIDO2/WebAuthn Login",
         "login": "Connexion",
-        "mobileconfig_info": "Veuillez vous connecter en tant qu’utilisateur de la boîte pour télécharger le profil de connexion Apple demandé.",
+        "mobileconfig_info": "Veuillez vous connecter en tant qu’utilisateur de la boîte de réception pour télécharger le profil de connexion Apple demandé.",
         "other_logins": "Clé d'authentification",
         "password": "Mot de passe",
         "username": "Nom d'utilisateur"
@@ -636,7 +686,7 @@
     "mailbox": {
         "action": "Action",
         "activate": "Activer",
-        "active": "Active",
+        "active": "Actif",
         "add": "Ajouter",
         "add_alias": "Ajouter un alias",
         "add_bcc_entry": "Ajouter une carte BCC",
@@ -644,19 +694,19 @@
         "add_domain_alias": "Ajouter un alias de domaine",
         "add_domain_record_first": "Veuillez d’abord ajouter un domaine",
         "add_filter": "Ajouter un filtre",
-        "add_mailbox": "Ajouter une boîte",
+        "add_mailbox": "Ajouter une boîte de réception",
         "add_recipient_map_entry": "Ajouter la carte du destinataire",
         "add_resource": "Ajouter une ressource",
         "add_tls_policy_map": "Ajouter la carte de la politique des TLS",
         "address_rewriting": "Réécriture de l’adresse",
         "alias": "Alias",
-        "alias_domain_alias_hint": "Les alias <b>ne sont pas</b> appliqués automatiquement sur les alias de domaine. Un alias d'adresse <code>my-alias@domain</code> <b>ne couvre pas</b> l'adresse <code>my-alias@alias-domain</code> (où \"alias-domain\" est un alias imaginaire pour \"domain\").<br>Veuillez utiliser un filtre à tamis pour rediriger le courrier vers une boîte externe (voir l'onglet \"Filtres\" ou utilisez SOGo -> Forwarder).",
+        "alias_domain_alias_hint": "Les alias <b>ne sont pas</b> appliqués automatiquement sur les alias de domaine. Un alias d'adresse <code>my-alias@domain</code> <b>ne couvre pas</b> l'adresse <code>my-alias@alias-domain</code> (où \"alias-domain\" est un alias imaginaire pour \"domain\").<br>Veuillez utiliser un filtre à tamis pour rediriger le courrier vers une boîte de réception externe (voir l'onglet « Filtres » ou utilisez SOGo → Transférer).",
         "alias_domain_backupmx": "Alias de domaine inactif pour le domaine relais",
         "aliases": "Aliases",
         "allow_from_smtp": "Restreindre l'utilisation de <b>SMTP</b> à ces adresses IP",
         "allow_from_smtp_info": "Laissez vide pour autoriser tous les expéditeurs.<br>Adresses IPv4/IPv6 et réseaux.",
         "allowed_protocols": "Protocoles autorisés",
-        "backup_mx": "Sauvegarde MX",
+        "backup_mx": "Domaine de relais",
         "bcc": "BCC",
         "bcc_destination": "Destination BCC",
         "bcc_destinations": "Destinations BCC",
@@ -672,9 +722,9 @@
         "bcc_type": "Type de BCC",
         "booking_null": "Toujours montrer comme libre",
         "booking_0_short": "Toujours libre",
-        "booking_custom": "Limite rigide à un nombre de réservations personnalisé",
-        "booking_custom_short": "Limite rigide",
-        "booking_ltnull": "Illimité, mais afficher aussi occupé lorsque réservé",
+        "booking_custom": "Limitation stricte à un nombre personnalisé de réservations",
+        "booking_custom_short": "Limite stricte",
+        "booking_ltnull": "Illimité, mais indiqué comme occupé lors de la réservation",
         "booking_lt0_short": "Limite souple",
         "daily": "Quotidiennement",
         "deactivate": "Désactiver",
@@ -689,33 +739,33 @@
         "domain_quota": "Quota",
         "domain_quota_total": "Quota total du domaine",
         "domains": "Domaines",
-        "edit": "Editer",
-        "empty": "Pas de résulats",
+        "edit": "Éditer",
+        "empty": "Pas de résultats",
         "enable_x": "Activer",
-        "excludes": "Exclut",
-        "filter_table": "Table de filtre",
+        "excludes": "Exclus",
+        "filter_table": "Table de filtrage",
         "filters": "Filtres",
         "fname": "Nom complet",
         "force_pw_update": "Forcer la mise à jour du mot de passe à la prochaine ouverture de session",
         "gal": "Carnet d'Adresses Global (GAL)",
-        "hourly": "Horaire",
+        "hourly": "Toutes les heures",
         "in_use": "Utilisé (%)",
         "inactive": "Inactif",
         "insert_preset": "Insérer un exemple de préréglage \"%s\"",
         "kind": "Type",
         "last_mail_login": "Dernière connexion mail",
         "last_modified": "Dernière modification",
-        "last_run": "Dernière éxécution",
+        "last_run": "Dernière exécution",
         "last_run_reset": "Calendrier suivant",
-        "mailbox": "Mailbox",
-        "mailbox_defquota": "Taille de boîte par défaut",
-        "mailbox_quota": "Taille max. d’une boîte",
-        "mailboxes": "Boîtes mail",
+        "mailbox": "Boîte de réception",
+        "mailbox_defquota": "Taille de boîte de réception par défaut",
+        "mailbox_quota": "Taille max. d’une boîte de réception",
+        "mailboxes": "Boîtes de réception",
         "mailbox_defaults": "Paramètres par défaut",
-        "mailbox_defaults_info": "Définir les paramètres par défaut pour les nouvelles boîtes aux lettres.",
+        "mailbox_defaults_info": "Définir les paramètres par défaut pour les nouvelles boîtes de réception.",
         "max_aliases": "Nombre maximal d'alias",
-        "max_mailboxes": "Nombre maximal de boîtes",
-        "max_quota": "Quota max. par boîte mail",
+        "max_mailboxes": "Nombre maximal de boîte de réception",
+        "max_quota": "Quota max. par boîte de réception",
         "mins_interval": "Intervalle (min)",
         "msg_num": "Message #",
         "multiple_bookings": "Réservations multiples",
@@ -726,18 +776,18 @@
         "owner": "Propriétaire",
         "private_comment": "Commentaire privé",
         "public_comment": "Commentaire public",
-        "q_add_header": "Courriers indésirables",
-        "q_all": " quand déplacé dans le dossier spam ou rejeté",
-        "q_reject": "Rejecté",
+        "q_add_header": "lorsqu'il est déplacé dans le dossier Indésirables",
+        "q_all": " quand déplacé dans le dossier indésirables ou rejeté",
+        "q_reject": "en cas de refus",
         "quarantine_notification": "Avis de quarantaine",
         "quarantine_category": "Catégorie de la notification de quarantaine",
         "quick_actions": "Actions",
         "recipient_map": "Carte du destinataire",
         "recipient_map_info": "Les cartes des destinataires sont utilisées pour remplacer l’adresse de destination d’un message avant sa livraison.",
         "recipient_map_new": "Nouveau destinataire",
-        "recipient_map_new_info": "La destination de la carte du destinataire doit être une adresse électronique valide.",
+        "recipient_map_new_info": "La destination de la carte du destinataire doit être une adresse de courriel valide.",
         "recipient_map_old": "Destinataire original",
-        "recipient_map_old_info": "Une carte de destination originale doit être une adresse e-mail valide ou un nom de domaine.",
+        "recipient_map_old_info": "Une carte de destination originale doit être une adresse de courriel valide ou un nom de domaine.",
         "recipient_maps": "Cartes des bénéficiaires",
         "relay_all": "Relayer tous les destinataires",
         "remove": "Supprimer",
@@ -745,16 +795,16 @@
         "running": "En fonctionnement",
         "set_postfilter": "Marquer comme postfiltre",
         "set_prefilter": "Marquer comme préfiltre",
-        "sieve_info": "Vous pouvez stocker plusieurs filtres par utilisateur, mais un seul préfiltre et un seul postfiltre peuvent être actifs en même temps.<br>\r\nChaque filtre sera traité dans l’ordre décrit. Ni un script \"rejeter\" ni un \"garder\" n’arrêtera le traitement des autres scripts. Les modifications apportées aux scripts de tamis globaux déclencheront un redémarrage de Dovecot.<br><br>Préfiltre de tamis global → Préfiltre → Scripts utilisateur → Postfiltre → Postfiltre du tamis global",
+        "sieve_info": "Vous pouvez stocker plusieurs filtres par utilisateur, mais un seul préfiltre et un seul postfiltre peuvent être actifs simultanément.<br>\nChaque filtre sera traité dans l’ordre décrit. Ni un script « rejeter » ni un « garder » n’arrêtera le traitement des autres scripts. Les modifications apportées aux scripts de tamis globaux déclencheront un redémarrage de Dovecot.<br><br>Préfiltre de tamis global → Préfiltre → Scripts utilisateur → Postfiltre → Postfiltre du tamis global",
         "sieve_preset_1": "Jeter le courrier avec les types de fichiers dangereux probables",
-        "sieve_preset_2": "Toujours marquer l’e-mail d’un expéditeur spécifique comme vu",
-        "sieve_preset_3": "Jeter en silence, arrêter tout traitement supplémentaire du tamis",
-        "sieve_preset_4": "Fichier dans INBOX, éviter le traitement ultérieur par filtres à tamis",
+        "sieve_preset_2": "Toujours marquer l'adresse de courriel d’un expéditeur spécifique comme vu",
+        "sieve_preset_3": "Jeter en silence, arrêter tout traitement supplémentaire par filtre sieve",
+        "sieve_preset_4": "Fichier dans INBOX, éviter le traitement ultérieur par filtres sieve",
         "sieve_preset_5": "Répondeur auto (vacances)",
         "sieve_preset_6": "Rejeter le courrier avec réponse",
         "sieve_preset_7": "Rediriger et garder/déposer",
-        "sieve_preset_8": "Supprimer le message envoyé à une adresse alias dont fait partie l’expéditeur",
-        "sieve_preset_header": "Voir les exemples de préréglages ci-dessous. Pour plus de détails voir <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipedia</a>.",
+        "sieve_preset_8": "Rediriger les courriels d'un expéditeur spécifique, les marquer comme lus et les classer dans des sous-dossiers.",
+        "sieve_preset_header": "Voir les exemples de préréglages ci-dessous. Pour plus de détails, voir <a href=\"https://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)\" target=\"_blank\">Wikipédia</a>.",
         "sogo_visible": "Alias visible dans SOGo",
         "sogo_visible_n": "Masquer alias dans SOGo",
         "sogo_visible_y": "Afficher alias dans SOGo",
@@ -775,19 +825,29 @@
         "tls_map_policy": "Politique",
         "tls_policy_maps": "Cartes des politiques des TLS",
         "tls_policy_maps_info": "Cette carte de politique remplace les règles de transport TLS sortantes indépendamment des paramètres de politique TLS des utilisateurs.<br>\r\n  Veuillez vérifier <a href=\"http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps\" target=\"_blank\">la doc \"smtp_tls_policy_maps\" </a> pour plus d'informations.",
-        "tls_policy_maps_enforced_tls": "Ces politiques remplaceront également le comportement des utilisateurs de boîtes qui appliquent les connexions TLS sortantes. Si aucune politique n’existe ci-dessous, ces utilisateurs appliqueront les valeurs par défaut spécifiées comme <code>smtp_tls_mandatory_protocols</code> et <code>smtp_tls_mandatory_ciphers</code>.",
+        "tls_policy_maps_enforced_tls": "Ces politiques remplaceront également le comportement des utilisateurs de boîtes de réception qui appliquent les connexions TLS sortantes. Si aucune politique n’existe ci-dessous, ces utilisateurs appliqueront les valeurs par défaut spécifiées comme <code>smtp_tls_mandatory_protocols</code> et <code>smtp_tls_mandatory_ciphers</code>.",
         "tls_policy_maps_long": "Contournement de la carte de politique TLS sortante",
         "toggle_all": "Tout basculer",
         "username": "Nom d'utilisateur",
         "waiting": "En attente",
         "weekly": "Hebdomadaire",
-        "yes": "&#10003;"
+        "yes": "&#10003;",
+        "add_alias_expand": "Étendre l'alias aux alias de domaine",
+        "catch_all": "Catch-All",
+        "created_on": "Créé le",
+        "goto_ham": "Apprendre comme <b>ham</b>",
+        "goto_spam": "Apprendre comme <b>pourriel</b>",
+        "last_pw_change": "Dernier changement de mot de passe",
+        "mailbox_templates": "Modèle de boîte de réception",
+        "relay_unknown": "Relayer les boîtes de réception inconnues",
+        "all_domains": "Tous les domaines",
+        "syncjob_EXIT_OVERQUOTA": "Quota dépassé de la boîte de réception cible"
     },
     "oauth2": {
-        "access_denied": "Veuillez vous connecter en tant que propriétaire de la boîte pour accorder l’accès via Oauth2.",
+        "access_denied": "Veuillez vous connecter en tant que propriétaire de la boîte de réception pour accorder l’accès via Oauth2.",
         "authorize_app": "Autoriser l'application",
         "deny": "Refuser",
-        "permit": "Autorise l'application",
+        "permit": "Autoriser l'application",
         "profile": "Profil",
         "profile_desc": "Afficher les informations personnelles : nom d’utilisateur, nom complet, créé, modifié, actif",
         "scope_ask_permission": "Une application demande les permissions suivantes"
@@ -800,8 +860,8 @@
         "confirm_delete": "Confirmer la suppression de cet élément.",
         "danger": "Danger",
         "deliver_inbox": "Envoyer dans la boîte de reception",
-        "disabled_by_config": "La configuration actuelle du système désactive la fonctionnalité de quarantaine. Veuillez définir \"retentions par boîte\" et une \"taille maximum\" pour les éléments en quarantaine.",
-        "settings_info": "Quantité maximum d'éléments à mettre en quarantaine : %s<br>Taille maximale des e-mails : %s MiB",
+        "disabled_by_config": "La configuration actuelle du système désactive la fonctionnalité de quarantaine. Veuillez définir « retentions par boîte » et une « taille maximale » pour les éléments en quarantaine.",
+        "settings_info": "Quantité maximale d'éléments à mettre en quarantaine : %s<br>Taille maximale des courriels : %s MiB",
         "download_eml": "Télécharger (.eml)",
         "empty": "Pas de résultat",
         "high_danger": "Haut",
@@ -814,7 +874,7 @@
         "notified": "Notifié",
         "qhandler_success": "Demande envoyée avec succès au système. Vous pouvez maintenant fermer la fenêtre.",
         "qid": "Rspamd QID",
-        "qinfo": "Le système de quarantaine enregistrera le courrier rejeté dans la base de données (l'expéditeur n'aura <em> pas </em> l'impression d'un courrier remis) ainsi que le courrier, qui est remis sous forme de copie dans le dossier indésirable d'une boîte aux lettres.\r\n  <br>\"Apprendre comme spam et supprimer\" apprendra un message comme spam via le théorème Bayesianet calculera également des hachages flous pour refuser des messages similaires à l'avenir.\r\n  <br>Veuillez noter que l'apprentissage de plusieurs messages peut prendre du temps, selon votre système. <br> Les éléments figurant sur la liste noire sont exclus de la quarantaine.",
+        "qinfo": "Le système de quarantaine enregistrera le courrier rejeté dans la base de données (l'expéditeur n'aura <em> pas </em> l'impression d'un courrier remis) ainsi que le courrier, remis sous forme de copie dans le dossier indésirable d'une boîte de réception.\n  <br>« Apprendre comme spam et supprimer » apprendra un message comme spam via le théorème Bayésien calculera également des hachages flous pour refuser des messages similaires à l'avenir.\n  <br>Veuillez noter que l'apprentissage de plusieurs messages peut prendre du temps, selon votre système. <br> Les éléments figurant sur la liste noire sont exclus de la quarantaine.",
         "qitem": "Élément de quarantaine",
         "quarantine": "Quarantaine",
         "quick_actions": "Actions",
@@ -846,26 +906,34 @@
         "toggle_all": "Tout basculer"
     },
     "queue": {
-        "queue_manager": "Gestion de la file d'attente"
+        "queue_manager": "Gestion de la file d'attente",
+        "hold_mail": "Garder",
+        "legend": "Fonctions d'action de la file d'attente du courrier :",
+        "info": "La file d'attente contient tous les courriels en attente de livraison. Si un courriel reste longtemps dans la file d'attente, il est automatiquement supprimé par le système.<br>Le message d'erreur du courriel concerné indique pourquoi le courriel n'a pas pu être distribué.",
+        "deliver_mail_legend": "Tentatives de réexpédition des courriers sélectionnés.",
+        "hold_mail_legend": "Met en attente les courriers sélectionnés. (Empêche les tentatives de distribution ultérieures)",
+        "unban": "file d'attente d'unban",
+        "unhold_mail": "Libérer",
+        "unhold_mail_legend": "Libère les courriers sélectionnés pour la distribution. (Nécessite une mise en attente préalable)"
     },
     "start": {
         "help": "Afficher/masquer le panneau d’aide",
-        "imap_smtp_server_auth_info": "Veuillez utiliser votre adresse e-mail complète et le mécanisme d’authentification PLAIN.<br>\r\nVos données de connexion seront cryptées par le cryptage obligatoire côté serveur.",
-        "mailcow_apps_detail": "Utiliser une application mailcow pour accéder à vos messages, calendrier, contacts et plus.",
-        "mailcow_panel_detail": "<b>Les administrateurs de domaines</b> peuvent créer, modifier or supprimer des boîtes et alias, changer de domaines et lire de plus amples renseignements sur les domaines qui leurs sont attribués.<br>\r\n<b>Les utilisateurs de boîtes</b> sont en mesure de créer des alias limités dans le temps (alias spam), de modifier leurs mots de passe et les paramètres du filtre anti-spam."
+        "imap_smtp_server_auth_info": "Veuillez utiliser votre adresse courriel complète et le mécanisme d’authentification PLAIN.<br>\nVos données de connexion seront cryptées par le cryptage obligatoire côté serveur.",
+        "mailcow_apps_detail": "Utiliser une application mailcow pour accéder à vos messages, vos calendriers, vos contacts et plus.",
+        "mailcow_panel_detail": "<b>Les administrateurs de domaines</b> peuvent créer, modifier, ou supprimer des boîtes de réception et alias, changer de domaines et lire de plus amples renseignements sur les domaines qui leur sont attribués.<br>\n<b>Les utilisateurs de boîtes de réception</b> sont en mesure de créer des alias limités dans le temps (alias spam), de modifier leurs mots de passe et les paramètres du filtre anti-spam."
     },
     "success": {
-        "acl_saved": "ACL (Access Control List) pour l'objet %s sauvé",
-        "admin_added": "Administrateur %s a été ajoutées",
+        "acl_saved": "ACL (Access Control List) pour l'objet %s enregistré",
+        "admin_added": "Administrateur %s a été ajouté",
         "admin_api_modified": "Les modifications apportées à l’API ont été enregistrées",
         "admin_modified": "Les modifications apportées à l’administrateur ont été enregistrées",
         "admin_removed": "Administrateur %s a été effacé",
         "alias_added": "L'adresse alias %s (%d) a été ajoutée",
         "alias_domain_removed": "L'alias de domaine %s a été effacé",
-        "alias_modified": "Le changement de l'adresse alias %s a été sauvegardée",
+        "alias_modified": "Le changement de l'adresse alias %s a été enregistré",
         "alias_removed": "L'alias %s a été effacé",
         "aliasd_added": "Alias de domaine %s ajouté",
-        "aliasd_modified": "Les changements de l'alias de domaine %s ont été sauvegardés",
+        "aliasd_modified": "Les changements de l'alias de domaine %s ont été enregistrés",
         "app_links": "Modifications enregistrées dans les liens d’application",
         "app_passwd_added": "Ajout d’un nouveau mot de passe d’application",
         "app_passwd_removed": "Suppression de l’identifiant du mot de passe de l’application %s",
@@ -877,14 +945,14 @@
         "delete_filters": "Filtres supprimés : %s",
         "deleted_syncjob": "ID du travail de synchronisation supprimé : %s",
         "deleted_syncjobs": "Travail de synchronisation supprimé : %s",
-        "dkim_added": "La clé DKIM %s a été sauvegardée",
-        "dkim_duplicated": "La clé DKIM pour e domaine %s a été copiée vers %s",
+        "dkim_added": "La clé DKIM %s a été enregistrée",
+        "dkim_duplicated": "La clé DKIM pour le domaine %s a été copiée vers %s",
         "dkim_removed": "La clé DKIM %s a été supprimée",
         "domain_added": "Domaine ajouté %s",
         "domain_admin_added": "L'administrateur de domaine %s a été ajouté",
-        "domain_admin_modified": "Les modifications de l'administrateur de domaine %s ont été sauvées",
+        "domain_admin_modified": "Les modifications de l'administrateur de domaine %s ont été enregistrées",
         "domain_admin_removed": "L'administrateur de domaine %s a été supprimé",
-        "domain_modified": "Les modification du domaine %s ont été sauvées",
+        "domain_modified": "Les modifications du domaine %s ont été enregistrées",
         "domain_removed": "Le domaine %s a été supprimé",
         "dovecot_restart_success": "Dovecot a été relancé avec succès",
         "eas_reset": "Les périphériques Activesync pour l’utilisateur %s ont été réinitialisés",
@@ -900,40 +968,47 @@
         "learned_ham": "ID %s acquis avec succès comme ham",
         "license_modified": "Les modifications apportées à la licence ont été enregistrées",
         "logged_in_as": "Connecté en tant que %s",
-        "mailbox_added": "La boîte mail %s a été ajoutée",
-        "mailbox_modified": "Les modifications de la boîte %s ont été sauvées",
-        "mailbox_removed": "La boîte %s a été supprimée",
+        "mailbox_added": "La boîte de réception %s a été ajoutée",
+        "mailbox_modified": "Les modifications de la boîte de réception %s ont été enregistrées",
+        "mailbox_removed": "La boîte de réception %s a été supprimée",
         "nginx_reloaded": "Nginx a été rechargé",
-        "object_modified": "Les changements de %s ont été sauvés",
+        "object_modified": "Les changements de %s ont été enregistrés",
         "pushover_settings_edited": "Paramètres Pushover réglés avec succès, veuillez vérifier les informations d’identification.",
         "qlearn_spam": "Le message ID %s a été appris comme spam et supprimé",
         "queue_command_success": "Queue de commande terminée avec succès",
         "recipient_map_entry_deleted": "La carte du destinataire ID %s a été effacée",
-        "recipient_map_entry_saved": "L'entrée de la carte du bénéficiaire \"%s\" a été sauvée",
+        "recipient_map_entry_saved": "L'entrée de la carte du bénéficiaire \"%s\" a été enregistrée",
         "relayhost_added": "L'entrée de la carte %s a été ajoutée",
         "relayhost_removed": "L'entrée de la carte %s a été supprimée",
         "reset_main_logo": "Réinitialisation du logo par défaut",
         "resource_added": "La ressource %s a été ajoutée",
-        "resource_modified": "Les modifications apportées à la boîte %s ont été enregistrées",
+        "resource_modified": "Les modifications apportées à la boîte de réception %s ont été enregistrées",
         "resource_removed": "La ressource %s a été supprimée",
-        "rl_saved": "Limite de taux pour l’objet %s enregistrée",
+        "rl_saved": "Limite d'envoi pour l’objet %s enregistrée",
         "rspamd_ui_pw_set": "Mot de passe de l'interface Rspamd sauvegardé avec succès",
         "saved_settings": "Paramètres enregistrés",
         "settings_map_added": "Ajout de l’entrée de la carte des paramètres",
         "settings_map_removed": "Suppression de la carte des paramètres ID %s",
         "sogo_profile_reset": "Le profil SOGo profile pour l'utilisateur %s est remis à zéro",
-        "tls_policy_map_entry_deleted": "La carte de stratégie TLS ID %s a été supprimé",
-        "tls_policy_map_entry_saved": "La carte de stratégie TLS ID \"%s\" a été sauvée",
+        "tls_policy_map_entry_deleted": "La carte de stratégie TLS ID %s a été supprimée",
+        "tls_policy_map_entry_saved": "La carte de stratégie TLS ID \"%s\" a été enregistrée",
         "ui_texts": "Enregistrement des modifications apportées aux textes de l’interface utilisateur",
         "upload_success": "Fichier téléchargé avec succès",
         "verified_totp_login": "Authentification TOTP vérifiée",
         "verified_webauthn_login": "Authentification WebAuthn vérifiée",
         "verified_fido2_login": "Authentification FIDO2 vérifiée",
-        "verified_yotp_login": "Authentification Yubico OTP vérifiée"
+        "verified_yotp_login": "Authentification Yubico OTP vérifiée",
+        "cors_headers_edited": "Les paramètres CORS ont été enregistrés",
+        "domain_footer_modified": "Les modifications apportées au pied de page du domaine %s ont été enregistrées",
+        "f2b_banlist_refreshed": "L'ID de la liste de ban a été actualisé avec succès.",
+        "template_added": "Modèles ajoutés %s",
+        "template_removed": "Le modèle ayant l'ID %s a été supprimé",
+        "domain_add_dkim_available": "A DKIM key did already exist",
+        "ip_check_opt_in_modified": "Le contrôle de l'IP a été enregistré avec succès"
     },
     "tfa": {
-        "api_register": "%s utilise l'API Yubico Cloud. Veuillez obtenir une clé API pour votre clé <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">here</a>",
-        "confirm": "confirmer",
+        "api_register": "%s utilise l'API Yubico Cloud. Veuillez obtenir une clé API pour votre clé <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">ici</a>",
+        "confirm": "Confirmer",
         "confirm_totp_token": "Veuillez confirmer vos modifications en saisissant le jeton généré",
         "delete_tfa": "Désactiver TFA",
         "disable_tfa": "Désactiver TFA jusqu’à la prochaine ouverture de session réussie",
@@ -954,21 +1029,25 @@
         "webauthn": "Authentification WebAuthn",
         "waiting_usb_auth": "<i>En attente d’un périphérique USB…</i><br><br>S’il vous plaît appuyez maintenant sur le bouton de votre périphérique USB WebAuthn.",
         "waiting_usb_register": "<i>En attente d’un périphérique USB…</i><br><br>Veuillez entrer votre mot de passe ci-dessus et confirmer votre inscription WebAuthn en appuyant sur le bouton de votre périphérique USB WebAuthn.",
-        "yubi_otp": "Authentification OTP Yubico"
+        "yubi_otp": "Authentification OTP Yubico",
+        "authenticators": "Authentificateurs",
+        "u2f_deprecated_important": "Veuillez enregistrer votre clé dans le panneau d'administration avec la nouvelle méthode WebAuthn.",
+        "u2f_deprecated": "Il semble que votre clé ait été enregistrée à l'aide de la méthode U2F obsolète. Nous allons désactiver l'authentification à deux facteurs pour vous et supprimer votre clé."
     },
     "fido2": {
         "set_fn": "Définir un nom",
         "fn": "Nom",
-        "rename": "renommer",
+        "rename": "Renommer",
         "confirm": "Confirmer",
-        "register_status": "Etat de l'enregistrement",
+        "register_status": "État de l'enregistrement",
         "known_ids": "Identifiant(s) connu(s)",
         "none": "Désactivé",
         "set_fido2": "Enregistrer un nouvel appareil FIDO2",
         "start_fido2_validation": "Tester la validation FIDO2",
         "fido2_auth": "Se connecter avec FIDO2",
         "fido2_success": "L'appareil est enregistré avec succès",
-        "fido2_validation_failed": "La validation a échoué"
+        "fido2_validation_failed": "La validation a échoué",
+        "set_fido2_touchid": "Enregistrer Touch ID sur Apple M1"
     },
     "user": {
         "action": "Action",
@@ -985,9 +1064,9 @@
         "alias_valid_until": "Valide jusque",
         "aliases_also_send_as": "Aussi autorisé à envoyer en tant qu’utilisateur",
         "aliases_send_as_all": "Ne pas vérifier l’accès de l’expéditeur pour les domaines suivants et leurs alias",
-        "app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP, SMTP, Caldav, Carddav et EAS. Le nom d’utilisateur reste inchangé.<br>SOGo n'est pas disponible au travers de mots de passe.",
+        "app_hint": "Les mots de passe d’application sont des mots de passe alternatifs pour votre connexion IMAP, SMTP, Caldav, Carddav et EAS. Le nom d’utilisateur reste inchangé.<br>SOGo n'est pas disponible au travers des mots de passe d'application.",
         "app_name": "Nom d'application",
-        "app_passwds": "Mots de passe de l'application",
+        "app_passwds": "Mots de passe d'applications",
         "apple_connection_profile": "Profil de connexion Apple",
         "apple_connection_profile_complete": "Ce profil de connexion inclut les paramètres IMAP et SMTP ainsi que les chemins Caldav (calendriers) et Carddav (contacts) pour un appareil Apple.",
         "apple_connection_profile_mailonly": "Ce profil de connexion inclut les paramètres de configuration IMAP et SMTP pour un périphérique Apple.",
@@ -1000,14 +1079,14 @@
         "delete_ays": "Veuillez confirmer le processus de suppression.",
         "direct_aliases": "Adresses alias directes",
         "direct_aliases_desc": "Les adresses d’alias directes sont affectées par le filtre anti-spam et les paramètres de politique TLS.",
-        "eas_reset": "Réinitialiser le cache de l’appareil Activesync",
-        "eas_reset_help": "Dans de nombreux cas, une réinitialisation du cache de l’appareil aidera à récupérer un profil Activesync cassé.<br><b>Attention :</b> Tous les éléments seront à nouveau téléchargés !",
+        "eas_reset": "Réinitialiser le cache de l’appareil ActiveSync",
+        "eas_reset_help": "Dans de nombreux cas, une réinitialisation du cache de l’appareil aidera à récupérer un profil ActiveSync cassé.<br><b>Attention :</b> Tous les éléments seront de nouveau téléchargés !",
         "eas_reset_now": "Réinitialiser maintenant",
         "edit": "Éditer",
-        "email": "E-mail",
-        "email_and_dav": "E-mail, calendriers et contacts",
-        "encryption": "Cryptage",
-        "excludes": "Exclut",
+        "email": "Courriel",
+        "email_and_dav": "Courriel, calendriers et contacts",
+        "encryption": "Chiffrement",
+        "excludes": "Exclus",
         "expire_in": "Expire dans",
         "force_pw_update": "Vous <b>devez</b> définir un nouveau mot de passe pour pouvoir accéder aux services liés aux logiciels de groupe.",
         "generate": "générer",
@@ -1020,7 +1099,7 @@
         "last_mail_login": "Dernière connexion mail",
         "last_run": "Dernière exécution",
         "loading": "Chargement…",
-        "mailbox_details": "Détails de la boîte",
+        "mailbox_details": "Détails",
         "messages": "messages",
         "never": "jamais",
         "new_password": "Nouveau mot de passe",
@@ -1034,27 +1113,27 @@
         "pushover_evaluate_x_prio": "Acheminement du courrier hautement prioritaire [<code>X-Priority: 1</code>]",
         "pushover_info": "Les paramètres de notification push s’appliqueront à tout le courrier propre (non spam) livré à <b>%s</b> y compris les alias (partagés, non partagés, étiquetés).",
         "pushover_only_x_prio": "Ne tenir compte que du courrier hautement prioritaire [<code>X-Priority: 1</code>]",
-        "pushover_sender_array": "Tenez compte des adresses courriel suivantes de l’expéditeur : <small>(comma-separated)</small>",
+        "pushover_sender_array": "Tenir compte des adresses de courriel suivantes de l’expéditeur : <small>(comma-separated)</small>",
         "pushover_sender_regex": "Apparier les expéditeurs par le regex suivant",
         "pushover_text": "Texte de notification",
         "pushover_title": "Titre de la notification",
-        "pushover_vars": "Lorsqu’aucun filtre d’expéditeur n’est défini, tous les messages seront considérés.<br>Les filtres Regex ainsi que les vérifications exactes de l’expéditeur peuvent être définis individuellement et seront considérés de façon séquentielle. Ils ne dépendent pas les uns des autres.<br>Variables utilisables pour le texte et le titre (veuillez prendre note des politiques de protection des données)",
-        "pushover_verify": "Vérifier les justificatifs",
+        "pushover_vars": "Lorsque aucun filtre d’expéditeur n’est défini, tous les messages seront considérés.<br>Les filtres Regex ainsi que les vérifications exactes de l’expéditeur peuvent être définis individuellement et seront considérés de façon séquentielle. Ils ne dépendent pas les uns des autres.<br>Variables utilisables pour le texte et le titre (veuillez prendre note des politiques de protection des données)",
+        "pushover_verify": "Vérifier les identifiants",
         "q_add_header": "Courrier indésirable",
         "q_all": "Toutes les catégories",
         "q_reject": "Rejeté",
         "quarantine_notification": "Avis de quarantaine",
         "quarantine_category": "Catégorie de la notification de quarantaine",
-        "quarantine_notification_info": "Une fois qu’un avis a été envoyé, les articles seront marqués comme \"notified\" et aucune autre notification ne sera envoyée pour ce point particulier.",
-        "quarantine_category_info": "La catégorie de notification \"Rejeté\" inclut le courrier qui a été rejeté, tandis que \"Dossier indésirable\" informera un utilisateur des e-mails qui ont été placés dans le dossier indésirable.",
+        "quarantine_notification_info": "Une fois qu’un avis a été envoyé, les articles seront marqués comme « notifiés » et aucune autre notification ne sera envoyée pour ce point particulier.",
+        "quarantine_category_info": "La catégorie de notification « Rejeté » inclut le courrier rejeté, tandis que « Dossier indésirable » informera un utilisateur des courriels placés dans le dossier indésirable.",
         "remove": "Enlever",
-        "running": "En fonction",
-        "save": "Sauvegarder les changements",
-        "save_changes": "Sauvegarder les changements",
+        "running": "En fonctionnement",
+        "save": "Enregistrer les changements",
+        "save_changes": "Enregistrer les changements",
         "sender_acl_disabled": "<span class=\"badge fs-6 bg-danger\">Le contrôle de l’expéditeur est désactivé</span>",
         "shared_aliases": "Adresses alias partagées",
         "shared_aliases_desc": "Les alias partagés ne sont pas affectés par les paramètres spécifiques à l’utilisateur tels que le filtre anti-spam ou la politique de chiffrement. Les filtres anti-spam correspondants ne peuvent être effectués que par un administrateur en tant que politique de domaine.",
-        "show_sieve_filters": "Afficher le filtre de tamis actif de l’utilisateur",
+        "show_sieve_filters": "Afficher le filtre sieve actif de l’utilisateur",
         "sogo_profile_reset": "Remise à zéro du profil SOGo",
         "sogo_profile_reset_help": "Ceci détruira un profil Sogo des utilisateurs et <b>supprimera toutes les données de contact et de calendrier irrécupérables</b>.",
         "sogo_profile_reset_now": "Remise à zéro du profil maintenant",
@@ -1063,10 +1142,10 @@
         "spamfilter": "Filtre de spam",
         "spamfilter_behavior": "Note",
         "spamfilter_bl": "Liste noire (BlackList)",
-        "spamfilter_bl_desc": "Les adresses de courriel sur la liste noire de <b>always (toujours)</b> peuvent être classées comme des pourriels et rejetées. Des caractères génériques peuvent être utilisés. Un filtre n’est appliqué qu’aux alias directs (alias avec une seule boîte cible), à l’exclusion des alias tous azimuts et d’une boîte elle-même.",
+        "spamfilter_bl_desc": "Les adresses de courriel sur la liste noire de <b>toujours</b> peuvent être classées comme des pourriels et rejetées. Des caractères génériques peuvent être utilisés. Un filtre n’est appliqué qu’aux alias directs (alias avec une seule boîte de réception cible), à l’exclusion des alias tous azimuts et d’une boîte de réception elle-même.",
         "spamfilter_default_score": "Valeurs par défaut",
         "spamfilter_green": "Vert : ce message n'est pas un spam",
-        "spamfilter_hint": "La première valeur indique un \"faible score de spam\", la seconde représente un \"haut score de spam\".",
+        "spamfilter_hint": "La première valeur indique un « faible score de spam », la seconde représente un « haut score de spam ».",
         "spamfilter_red": "Rouge : Ce message est un spam et sera rejeté par le serveur",
         "spamfilter_table_action": "Action",
         "spamfilter_table_add": "Ajouter un élément",
@@ -1075,13 +1154,13 @@
         "spamfilter_table_remove": "supprimer",
         "spamfilter_table_rule": "Règle",
         "spamfilter_wl": "Liste blanche (WhiteList)",
-        "spamfilter_wl_desc": "La liste blanche est programmé pour <b> ne jamais</b> classer comme spam les adresses e-mail qu'elle contient. Des caractères génériques peuvent être utilisés. Un filtre n’est appliqué qu’aux alias directs (alias avec une seule boîte cible), à l’exclusion des alias catch-all et d’une boîte mail.",
+        "spamfilter_wl_desc": "La liste blanche est programmée pour <b> ne jamais</b> classer comme spam les adresses de courriel qu'elle contient. Des caractères génériques peuvent être utilisés. Un filtre n’est appliqué qu’aux alias directs (alias avec une seule boîte de réception cible), à l’exclusion des alias catch-all et d’une boîte de réception.",
         "spamfilter_yellow": "Jaune : ce message est peut être un spam, il sera étiqueté comme spam et déplacé vers votre dossier Pourriel",
         "status": "Statut",
         "sync_jobs": "Jobs de synchronisation",
         "tag_handling": "Régler la manipulation du courrier étiqueté",
-        "tag_help_example": "Exemple pour une adresse e-mail étiquetée : me<b>+Facebook</b>@example.org",
-        "tag_help_explain": "Dans un sous-dossier : un nouveau sous-dossier nommé selon l'étiquette sera créé sous INBOX (\"INBOX/Facebook\").<br>\nDans le sujet : le nom des balises sera ajouté au début du sujet du mail, exemple : \"[Facebook] My News\".",
+        "tag_help_example": "Exemple pour une adresse de courriel étiquetée : me<b>+Facebook</b>@example.org",
+        "tag_help_explain": "Dans un sous-dossier : un nouveau sous-dossier nommé selon l'étiquette sera créé sous INBOX (\"INBOX/Facebook\").<br>\nDans le sujet : le nom des balises sera ajouté au début du sujet de l'e-mail, exemple : \"[Facebook] My News\".",
         "tag_in_none": "Ne rien faire",
         "tag_in_subfolder": "Dans un sous dossier",
         "tag_in_subject": "Dans le sujet",
@@ -1090,7 +1169,7 @@
         "tls_enforce_in": "Appliquer le TLS entrant",
         "tls_enforce_out": "Appliquer le TLS sortant",
         "tls_policy": "Politique de chiffrement",
-        "tls_policy_warning": "<strong>Attention:</strong> Si vous décidez d’appliquer le transfert de courrier chiffré, vous risquez de perdre des courriels.<br>Les messages qui ne satisfont pas à la politique seront renvoyés avec une erreur grave par le système de messagerie.<br>Cette option s’applique à votre adresse courriel principale (login name), toutes les adresses dérivées de domaines alias ainsi que les adresses alias <b>avec cette seule boîte</b> comme cible.",
+        "tls_policy_warning": "<strong>Attention :</strong> Si vous décidez d’appliquer le transfert de courrier chiffré, vous risquez de perdre des courriels.<br>Les messages qui ne satisfont pas à la politique seront renvoyés avec une erreur grave par le système de messagerie.<br>Cette option s’applique à votre adresse courriel principale (login name), toutes les adresses dérivées de domaines alias ainsi que les adresses alias <b>avec cette seule boîte de réception</b> comme cible.",
         "user_settings": "Paramètres utilisateur",
         "username": "Nom d'utilisateur",
         "verify": "Vérification",
@@ -1101,7 +1180,29 @@
         "months": "mois",
         "year": "année",
         "years": "années",
-        "with_app_password": "avec le mot de passe de l'application"
+        "with_app_password": "avec le mot de passe de l'application",
+        "apple_connection_profile_with_app_password": "Un nouveau mot de passe est généré et ajouté au profil, de sorte qu'aucun mot de passe ne doit être saisi lors de la configuration de votre appareil. Ne partagez pas le fichier car il vous donne un accès complet à votre boîte de réception.",
+        "attribute": "Attribut",
+        "direct_protocol_access": "Cet utilisateur de la boîte aux lettres dispose d'un <b>accès externe direct</b> aux protocoles et applications suivants. Votre administrateur contrôle ce paramètre. Il est possible de créer des mots de passe d'application pour accorder l'accès à des protocoles et des applications individuels.<br>Le bouton « Connexion au webmail » permet une connexion unique à SOGo et est toujours disponible.",
+        "open_webmail_sso": "Connexion au webmail",
+        "recent_successful_connections": "Voir les connexions réussies",
+        "syncjob_EXIT_TLS_FAILURE": "Problème de connexion chiffrée",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE": "Problème d'authentification",
+        "syncjob_EXIT_OVERQUOTA": "La boîte de réception cible a dépassé le quota",
+        "login_history": "Historique des connexions",
+        "change_password_hint_app_passwords": "Votre compte a %d mots de passe d'application qui ne seront pas modifiés. Pour les gérer, allez dans l'onglet Mots de passe de l'application.",
+        "clear_recent_successful_connections": "Vider l'historique des connexions réussies",
+        "created_on": "Créé le",
+        "last_ui_login": "Dernière connexion sur l'interface",
+        "syncjob_check_log": "Vérifier le journal",
+        "syncjob_last_run_result": "Résultat du dernier lancement",
+        "syncjob_EX_OK": "Succès",
+        "syncjob_EXIT_CONNECTION_FAILURE": "Problème de connexion",
+        "syncjob_EXIT_CONNECTION_FAILURE_HOST1": "Impossible de se connecter au serveur distant",
+        "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nom d'utilisateur ou mot de passe incorrect",
+        "value": "Valeur",
+        "allowed_protocols": "Protocoles autorisés",
+        "mailbox": "Boîte de réception"
     },
     "warning": {
         "cannot_delete_self": "Impossible de supprimer l’utilisateur connecté",
@@ -1110,9 +1211,32 @@
         "fuzzy_learn_error": "Erreur d’apprentissage du hachage flou: %s",
         "hash_not_found": "Hachage non trouvé ou déjà supprimé",
         "ip_invalid": "IP non valide ignorée : %s",
-        "no_active_admin": "Impossible de désactiver le dernier administrateur active",
-        "quota_exceeded_scope": "Dépassement du quota de domaine : Seules des boîtes illimitées peuvent être créées dans ce domaine.",
+        "no_active_admin": "Impossible de désactiver le dernier administrateur actif",
+        "quota_exceeded_scope": "Dépassement du quota de domaine : Seules des boîtes de réception illimitées peuvent être créées dans ce domaine.",
         "session_token": "Jeton de formulaire invalide : Jeton différent",
-        "session_ua": "Jeton de formulaire invalide : erreur de validation User-Agent"
+        "session_ua": "Jeton de formulaire invalide : erreur de validation User-Agent",
+        "is_not_primary_alias": "Alias non primaire ignoré %s"
+    },
+    "datatables": {
+        "decimal": ".",
+        "expand_all": "Tout déplier",
+        "thousands": ",",
+        "paginate": {
+            "first": "Premier",
+            "last": "Dernier"
+        },
+        "aria": {
+            "sortAscending": ": activer pour trier les colonnes en ordre croissant",
+            "sortDescending": ": activer pour trier les colonnes en ordre décroissant"
+        },
+        "infoEmpty": "Affichage de 0 à 0 de 0 entrées",
+        "infoFiltered": "(filtré à partir de _MAX_ entrées totales)",
+        "lengthMenu": "Afficher les entrées _MENU_",
+        "loadingRecords": "Chargement…",
+        "processing": "Veuillez patienter…",
+        "collapse_all": "Tout réduire"
+    },
+    "ratelimit": {
+        "disabled": "Désactivé"
     }
 }

data/web/lang/lang.hu-hu.json

@@ -22,7 +22,114 @@
         "activate_api": "API aktiválása",
         "activate_send": "Küldés gomb aktiválása",
         "add": "Hozzáad",
-        "active": "Aktív"
+        "active": "Aktív",
+        "api_info": "Az API még fejlesztés alatt áll. A dokumentáció megtalálható a <a href=\"/api\">/api</a> alatt",
+        "allowed_methods": "Hozzáférés-Szabályozás-Engedélyezési-Módszerek",
+        "logo_normal_label": "Normál",
+        "logo_dark_label": "Sötét üzemmódhoz invertálva",
+        "f2b_regex_info": "Figyelembe vett naplók: SOGo, Postfix, Dovecot, PHP-FPM.",
+        "f2b_retry_window": "Újrapróbálkozási ablak (s) a maximális próbálkozásokhoz",
+        "f2b_whitelist": "Fehérlistás hálózatok/hostok",
+        "filter_table": "Szűrő táblázat",
+        "forwarding_hosts": "Továbbító hostok",
+        "forwarding_hosts_add_hint": "Megadhat IPv4/IPv6 címeket, hálózatokat CIDR jelölésben, állomásneveket (amelyek IP-címekre lesznek feloldva) vagy tartományneveket (amelyek IP-címekre lesznek feloldva az SPF rekordok vagy ezek hiányában az MX rekordok lekérdezésével).",
+        "from": "A címről",
+        "copy_to_clipboard": "Szöveg másolva a vágólapra!",
+        "f2b_manage_external": "A Fail2Ban külső kezelése",
+        "f2b_manage_external_info": "A Fail2ban továbbra is karbantartja a tiltólistát, de nem állít be aktívan szabályokat a forgalom blokkolására. Használja az alábbi generált tiltólistát a forgalom külső blokkolásához.",
+        "f2b_max_ban_time": "Maximális tiltási idő (s)",
+        "f2b_netban_ipv4": "IPv4 alhálózat mérete, amelyre tilalmat kell alkalmazni (8-32)",
+        "f2b_netban_ipv6": "IPv6 alhálózat mérete, amelyre tilalmat kell alkalmazni (8-128)",
+        "f2b_parameters": "Fail2ban paraméterek",
+        "forwarding_hosts_hint": "A bejövő üzeneteket feltétel nélkül elfogadják az itt felsorolt összes állomásról. Ezeket az állomáshelyeket nem ellenőrzik a DNSBL-ek alapján, és nem vetik alá a szürkelistázásnak. A tőlük érkező spameket a rendszer soha nem utasítja el, de opcionálisan a Junk mappába iktathatja őket. Leggyakrabban olyan levelezőszerverek megadására használjuk, amelyeken olyan szabályt állítottunk be, amely a bejövő e-maileket a mailcow-kiszolgálóra továbbítja.",
+        "guid_and_license": "GUID & Licenc",
+        "help_text": "Súgó szöveg felülírása a bejelentkezési maszk alatt (HTML engedélyezett)",
+        "html": "HTML",
+        "import": "Import",
+        "ip_check": "IP ellenőrzés",
+        "ip_check_disabled": "Az IP-ellenőrzés le van tiltva. Bekapcsolhatja a következő menüpont alatt<br> <strong>Rendszer > Beállítások > Opciók > Személyreszabás</strong>",
+        "is_mx_based": "MX alapú",
+        "last_applied": "Utoljára alkalmazott",
+        "link": "Link",
+        "loading": "Kérjük, várj...",
+        "login_time": "Bejelentkezési idő",
+        "f2b_list_info": "Egy feketelistán szereplő állomás vagy hálózat mindig nagyobb súlyú, mint egy fehérlistás entitás. <b>A lista frissítései néhány másodpercig tartanak.</b>",
+        "f2b_ban_time_increment": "A tiltási idő minden egyes tiltással növekszik",
+        "additional_rows": " - további sorokat adtak hozzá",
+        "admin": "Adminisztrátor",
+        "admin_details": "Rendszergazda adatok szerkesztése",
+        "admin_domains": "Domain hozzárendelések",
+        "f2b_max_attempts": "Max. próbálkozások",
+        "generate": "generálni",
+        "admins": "Adminisztrátorok",
+        "admins_ldap": "LDAP rendszergazdák",
+        "allowed_origins": "Hozzáférés-Szabályozás-Engedélyezési-Származás",
+        "api_allow_from": "API-hozzáférés engedélyezése ezekről az IP/CIDR hálózati jelölésekről",
+        "api_key": "API-kulcs",
+        "api_read_only": "Csak olvasható hozzáférés",
+        "api_read_write": "Olvasás-írás hozzáférés",
+        "api_skip_ip_check": "IP-ellenőrzés kihagyása az API esetében",
+        "cors_settings": "CORS beállítások",
+        "guid": "GUID - egyedi példányazonosító",
+        "dkim_to": "A címre",
+        "dkim_to_title": "Céltartomány(ok) - felülírásra kerül",
+        "domain": "Domain",
+        "domain_admin": "Domain adminisztrátor",
+        "domain_admins": "Domain adminisztrátorok",
+        "domain_s": "Domain(ek)",
+        "duplicate": "Duplikátum",
+        "duplicate_dkim": "Duplikált DKIM bejegyzés",
+        "edit": "Szerkesztés",
+        "empty": "Nincs eredmény",
+        "excludes": "Kizárja ezeket a kedvezményezetteket",
+        "f2b_ban_time": "Tilalmi idő (s)",
+        "f2b_blacklist": "Feketelistás hálózatok/hostok",
+        "f2b_filter": "Regex szűrők",
+        "logo_info": "A képed 40px magasságúra lesz méretezve a felső navigációs sávhoz és max. 250px szélességűre a kezdőlaphoz. A skálázható grafika használata erősen ajánlott.",
+        "dkim_add_key": "ARC/DKIM kulcs hozzáadása",
+        "dkim_domains_selector": "Válogató",
+        "dkim_domains_wo_keys": "A hiányzó kulcsokkal rendelkező tartományok kiválasztása",
+        "dkim_from": "A címről",
+        "dkim_from_title": "Forrás tartomány, ahonnan az adatokat másolni kell",
+        "dkim_key_length": "DKIM kulcs hossza (bit)",
+        "dkim_key_missing": "Kulcs hiányzik",
+        "import_private_key": "Privát kulcs importálása",
+        "in_use_by": "Használja a",
+        "inactive": "Inaktív",
+        "include_exclude": "Beleértve/Kivéve",
+        "include_exclude_info": "Alapértelmezés szerint - kiválasztás nélkül - <b>minden postafiók</b> címzésre kerül.",
+        "includes": "Vegye fel ezeket a címzetteket",
+        "add_row": "Sor hozzáadása",
+        "host": "Host",
+        "active_rspamd_settings_map": "Aktív beállítások térképe",
+        "add_admin": "Adminisztrátor hozzáadása",
+        "add_forwarding_host": "Továbbító állomás hozzáadása",
+        "add_relayhost": "Feladófüggő szállítás hozzáadása",
+        "add_relayhost_hint": "Felhívjuk figyelmed, hogy ha vannak hitelesítési adatok, azok egyszerű szövegként kerülnek tárolásra.",
+        "add_settings_rule": "Beállítási szabály hozzáadása",
+        "add_transport": "Szállítás hozzáadása",
+        "add_transports_hint": "Felhívjuk figyelmed, hogy ha vannak hitelesítési adatok, azok egyszerű szövegként kerülnek tárolásra.",
+        "advanced_settings": "Speciális beállítások",
+        "change_logo": "Logó módosítása",
+        "dkim_key_unused": "Nem használt kulcs",
+        "add_domain_admin": "Tartományi rendszergazda hozzáadása",
+        "dkim_key_valid": "Érvényes kulcs",
+        "dkim_keys": "ARC/DKIM kulcsok",
+        "dkim_overwrite_key": "A meglévő DKIM kulcs felülírása",
+        "dkim_private_key": "Privát kulcs",
+        "app_links": "App linkek",
+        "app_name": "Alkalmazás neve",
+        "arrival_time": "Érkezési idő (szerveridő)",
+        "authed_user": "Azonosított felhasználó",
+        "ays": "Biztos, hogy folytatni akarod?",
+        "ban_list_info": "A tiltott IP-címek listáját lásd alább: <b>hálózat (fennmaradó tiltási idő) - [akciók]</b>.<br />A tiltás feloldására várakozó IP-ket néhány másodpercen belül eltávolítjuk az aktív tiltási listáról.<br />A piros címkék a feketelistán szereplő aktív állandó tiltásokat jelzik.",
+        "configuration": "Konfiguráció",
+        "convert_html_to_text": "HTML átalakítása egyszerű szöveggé",
+        "credentials_transport_warning": "<b>Figyelmeztetés</b>: Egy új közlekedési térképbejegyzés hozzáadása frissíti a hitelesítő adatokat minden olyan bejegyzéshez, amelynek a következő ugrás oszlopa megegyezik.",
+        "customize": "Testreszabás",
+        "destination": "Célállomás",
+        "customer_id": "Ügyfél azonosító",
+        "apps_name": "\"mailcow Apps\" név"
     },
     "edit": {
         "active": "Aktív",
@@ -57,7 +164,7 @@
     "header": {
         "administration": "Beállítások és részletek",
         "apps": "Appok",
-        "debug": "Rendszer információ",
+        "debug": "Információ",
         "email": "E-Mail",
         "mailcow_config": "Beállítások",
         "quarantine": "Karantén",
@@ -399,13 +506,89 @@
         "protocol_access": "Protokoll-hozzáférés módosítása",
         "quarantine_attachments": "Karantén mellékletek",
         "quarantine_category": "Karantén értesítési kategória módosítása",
-        "quarantine_notification": "Karantén értesítések módosítása"
+        "quarantine_notification": "Karantén értesítések módosítása",
+        "eas_reset": "EAS-eszközök alaphelyzetbe állítása",
+        "extend_sender_acl": "Küldő ACL külső címekkel való bővítésének engedélyezése",
+        "mailbox_relayhost": "Relayhost módosítása egy postafiókhoz",
+        "prohibited": "ACL által tiltott",
+        "pushover": "Pushover",
+        "ratelimit": "Mérték határ",
+        "recipient_maps": "Címzett térképek",
+        "smtp_ip_access": "Az SMTP engedélyezett állomásainak módosítása",
+        "sogo_profile_reset": "SOGo profil visszaállítása",
+        "spam_alias": "Ideiglenes álnevek",
+        "spam_policy": "Fekete/Fehér lista",
+        "spam_score": "Spam pontszám",
+        "syncjobs": "Szinkronizálási feladatok",
+        "tls_policy": "TLS szabályzat",
+        "unlimited_quota": "Korlátlan kvóta a postafiókok számára",
+        "sogo_access": "A SOGo-hozzáférés kezelésének lehetővé tétele"
     },
     "diagnostics": {
         "dns_records": "DNS bejegyzések"
     },
     "add": {
         "username": "Felhasználónév",
-        "validation_success": "Sikeres ellenőrzés"
+        "validation_success": "Sikeres ellenőrzés",
+        "mailbox_quota_def": "Alapértelmezett postafiók kvóta",
+        "password_repeat": "Megerősítő jelszó (ismétlés)",
+        "post_domain_add": "A \"sogo-mailcow\" SOGo konténert újra kell indítani egy új tartomány hozzáadása után!<br><br>Kiegészítésképpen a tartományok DNS-konfigurációját is felül kell vizsgálni. A DNS-konfiguráció jóváhagyása után indítsa újra az \"acme-mailcow\"-t, hogy automatikusan generáljon tanúsítványokat az új tartományhoz (autoconfig.&lt;domain&gt;, autodiscover.&lt;domain&gt;).<br>Ez a lépés opcionális, és 24 óránként megismétlődik.",
+        "dry": "Szinkronizálás szimulálása",
+        "inactive": "Inaktív",
+        "kind": "Kedves",
+        "mailbox_quota_m": "Maximális kvóta postafiókonként (MiB)",
+        "mailbox_username": "Felhasználónév (az e-mail cím bal oldali része)",
+        "max_aliases": "Max. lehetséges álnevek",
+        "max_mailboxes": "Max. lehetséges postafiókok",
+        "mins_interval": "A lekérdezési időköz (perc)",
+        "password": "Jelszó",
+        "port": "Port",
+        "public_comment": "Nyilvános megjegyzés",
+        "target_domain": "Céltartomány",
+        "timeout1": "Időtúllépés a távoli állomáshoz való csatlakozáskor",
+        "timeout2": "Időtúllépés a helyi állomáshoz való csatlakozáskor",
+        "validate": "Érvényesítsd",
+        "description": "Leírás",
+        "destination": "Célállomás",
+        "disable_login": "Bejelentkezés letiltása (a bejövő leveleket továbbra is elfogadja)",
+        "domain_matches_hostname": "Domain %s megegyezik a hostnévvel",
+        "domain_quota_m": "Teljes tartományi kvóta (MiB)",
+        "enc_method": "Titkosítási módszer",
+        "exclude": "Objektumok kizárása (regex)",
+        "full_name": "Teljes név",
+        "gal": "Globális címlista",
+        "goto_ham": "Tanulj <span class=\"text-success\"><b>sonkaként</b></span>",
+        "goto_null": "Leveleket csendben eldobni",
+        "goto_spam": "Tanuld <span class=\"text-danger\"><b>spamként</b></span>",
+        "syncjob_hint": "Ne feledje, hogy a jelszavakat egyszerű szöveges formában kell elmenteni!",
+        "target_address": "Továbbítási címek",
+        "target_address_info": "<small>Teljes e-mail cím(ek) (vesszővel elválasztva).</small>",
+        "bcc_dest_format": "A BCC-célpontnak egyetlen érvényes e-mail címnek kell lennie.<br>Ha több címre kell másolatot küldenie, hozzon létre egy aliast, és használja azt.",
+        "comment_info": "A privát megjegyzés nem látható a felhasználó számára, míg a nyilvános megjegyzés tooltip-ként jelenik meg, amikor a felhasználó áttekintésében a megjegyzésre mutat.",
+        "custom_params": "Egyéni paraméterek",
+        "gal_info": "A GAL tartalmazza a tartomány összes objektumát, és egyetlen felhasználó sem szerkesztheti. A SOGo-ban a Szabad/Elfoglalt információ hiányzik, ha ki van kapcsolva! <b>Indítsa újra a SOGo-t a változások alkalmazásához.</b>",
+        "hostname": "Házigazda",
+        "backup_mx_options": "Továbbítási opciók",
+        "custom_params_hint": "Megfelelő: --param=xy, Rossz: --param xy",
+        "delete1": "Törlés a forrásból, ha befejeződött",
+        "delete2": "A forráson kívüli üzenetek törlése a célállomáson",
+        "delete2duplicates": "Duplikáltak törlése a célállomáson",
+        "domain": "Domain",
+        "nexthop": "Következő hop",
+        "tags": "Címkék",
+        "app_password": "Alkalmazás jelszó hozzáadása",
+        "private_comment": "Privát megjegyzés",
+        "alias_address_info": "<small>Teljes e-mail cím(ek) vagy @example.com, egy domainhez tartozó összes üzenetet elfogásához (vesszővel elválasztva). <b>csak mailcow tartományok</b>.</small>",
+        "generate": "generál",
+        "activate_filter_warn": "Az összes többi szűrő deaktiválódik, ha az aktív opció be van jelölve.",
+        "active": "Aktív",
+        "add": "Hozzáad",
+        "add_domain_only": "Csak domain hozzáadása",
+        "add_domain_restart": "Domain hozzáadása és a SOGo újraindítása",
+        "alias_address": "Alias cím(ek)",
+        "alias_domain": "Alias domain",
+        "alias_domain_info": "<small>Csak érvényes tartománynevek (vesszővel elválasztva).</small>",
+        "app_name": "Alkalmazás neve",
+        "app_passwd_protocols": "Engedélyezett protokollok az alkalmazás jelszavához"
     }
 }

data/web/lang/lang.it-it.json

@@ -107,7 +107,8 @@
         "validation_success": "Convalidato con successo",
         "bcc_dest_format": "Il destinatario in copia nascosta deve essere un singolo indirizzo email.<br>Se si vuole spedire una copia del messaggio a più destinatari, bisogna creare un alias ed utilizzarlo per questa opzione.",
         "app_passwd_protocols": "Protocolli consentiti per la password dell'app",
-        "tags": "Tag"
+        "tags": "Tag",
+        "dry": "Simula sincronizzazione"
     },
     "admin": {
         "access": "Accedi",
@@ -339,7 +340,8 @@
         "oauth2_add_client": "Aggiungere il client OAuth2",
         "rsettings_preset_4": "Disattivare Rspamd per un dominio",
         "options": "Opzioni",
-        "cors_settings": "Impostazioni CORS"
+        "cors_settings": "Impostazioni CORS",
+        "copy_to_clipboard": "Testo copiato negli appunti!"
     },
     "danger": {
         "access_denied": "Accesso negato o form di login non corretto",
@@ -462,7 +464,9 @@
         "demo_mode_enabled": "La modalità demo è abilitata",
         "template_name_invalid": "Nome template non valido",
         "template_exists": "Il template %s esiste già",
-        "template_id_invalid": "Il template con ID %s non è valido"
+        "template_id_invalid": "Il template con ID %s non è valido",
+        "img_dimensions_exceeded": "L'immagine supera la dimensione massima consentita",
+        "img_size_exceeded": "L'immagine supera la dimensione massima del file"
     },
     "debug": {
         "chart_this_server": "Grafico (questo server)",
@@ -506,7 +510,7 @@
         "dns_records": "Record DNS",
         "dns_records_24hours": "Tieni presente che le modifiche apportate ai record DNS potrebbero richiedere fino a 24 ore per poter essere visualizzate correttamente in questa pagina. Tutto ciò è da intendersi come un modo per voi di vedere come configurare i record DNS e per controllare se tutti i record DNS sono stati inseriti correttamente.",
         "dns_records_data": "Dati corretti",
-        "dns_records_docs": "Si prega di consultare anche <a target=\"_blank\" href=\"https://docs.mailcow.email/prerequisite/prerequisite-dns/\">la documentazione</a>.",
+        "dns_records_docs": "Si prega di consultare anche <a target=\"_blank\" href=\"https://docs.mailcow.email/getstarted/prerequisite-dns\">la documentazione</a>.",
         "dns_records_name": "Nome",
         "dns_records_status": "Stato attuale",
         "dns_records_type": "Tipo",
@@ -626,7 +630,9 @@
         "acl": "ACL (autorizzazione)",
         "app_passwd_protocols": "Protocolli consentiti per la password dell'app",
         "last_modified": "Ultima modifica",
-        "pushover_sound": "Suono"
+        "pushover_sound": "Suono",
+        "custom_attributes": "Attributi personalizzati",
+        "domain_footer_skip_replies": "Ignora il piè di pagina nelle e-mail di risposta"
     },
     "fido2": {
         "confirm": "Conferma",
@@ -1021,7 +1027,8 @@
         "domain_add_dkim_available": "Esisteva già una chiave DKIM",
         "template_added": "Aggiunto template %s",
         "template_modified": "Le modifiche al template %s sono state salvate",
-        "template_removed": "Il template con ID %s è stato cancellato"
+        "template_removed": "Il template con ID %s è stato cancellato",
+        "f2b_banlist_refreshed": "L'ID della lista blocchi è stato aggiornato con successo."
     },
     "tfa": {
         "api_register": "%s usa le API Yubico Cloud. Richiedi una chiave API <a href=\"https://upgrade.yubico.com/getapikey/\" target=\"_blank\">qui</a>",
@@ -1048,7 +1055,8 @@
         "yubi_otp": "Autenticazione Yubico OTP",
         "tfa_token_invalid": "Token TFA non valido",
         "u2f_deprecated": "Sembra che la tua chiave sia stata registrata utilizzando il metodo U2F deprecato. Disattiveremo Two-Factor-Authenticaiton per te e cancelleremo la tua chiave.",
-        "u2f_deprecated_important": "Registra la tua chiave nel pannello di amministrazione con il nuovo metodo WebAuthn."
+        "u2f_deprecated_important": "Registra la tua chiave nel pannello di amministrazione con il nuovo metodo WebAuthn.",
+        "authenticators": "Autenticatori"
     },
     "user": {
         "action": "Azione",
@@ -1210,7 +1218,9 @@
         "syncjob_EXIT_AUTHENTICATION_FAILURE_USER1": "Nome utente o password errati",
         "with_app_password": "con password dell'app",
         "direct_protocol_access": "Questo utente della mailbox ha <b>accesso diretto ed esterno</b> ai seguenti protocolli e applicazioni. Questa impostazione è controllata dal tuo amministratore. Le password delle applicazioni possono essere create per garantire l'accesso ai singoli protocolli e applicazioni.<br>Il pulsante \"Accedi alla webmail\" fornisce un singolo accesso a SOGo ed è sempre disponibile.",
-        "pushover_sound": "Suono"
+        "pushover_sound": "Suono",
+        "attribute": "Attributo",
+        "value": "Valore"
     },
     "warning": {
         "cannot_delete_self": "Cannot delete logged in user",

data/web/lang/lang.lt-lt.json

@@ -0,0 +1,354 @@
+{
+    "acl": {
+        "app_passwds": "Tvarkyti programėlių slaptažodžius",
+        "bcc_maps": "BCC žemėlapiai",
+        "domain_desc": "Keisti domeno aprašymą",
+        "eas_reset": "Išvalyti EAS įrenginius",
+        "filters": "Filtrai",
+        "login_as": "Prisijungti kaip elektroninio pašto naudotojas",
+        "protocol_access": "Keisti protokolų prieigą",
+        "quarantine": "Karantino valdymas",
+        "quarantine_category": "Keisti karantino pranešimo katrgoriją",
+        "quarantine_notification": "Keisti karantino pranešimus",
+        "ratelimit": "Prieigos limitas",
+        "recipient_maps": "Gavėjų sąsajos",
+        "smtp_ip_access": "Pakeisti prieinamuosius SMTP serverius",
+        "sogo_access": "Leisti SOGo prieigos valdymą",
+        "spam_policy": "Juodasis/Baltasis sąrašas",
+        "spam_score": "Šlamsto balas",
+        "tls_policy": "TLS politika",
+        "unlimited_quota": "Neribota elektroninio pašto dėžudžių kvota",
+        "quarantine_attachments": "Karantino priedai",
+        "sogo_profile_reset": "Nustatyti SOGo profilį iš naujo",
+        "alias_domains": "Pridėti pakaitinius domenus",
+        "delimiter_action": "Delimitatoriaus veiksmas",
+        "domain_relayhost": "Pakeisti peradresavimo serverį domenui",
+        "extend_sender_acl": "Leisti išplėsti siuntėjo ACL išoriniais adresais",
+        "mailbox_relayhost": "Pakeisti siuntimo serverį pašto dėžutei",
+        "prohibited": "Draudžiama pagal ACL",
+        "spam_alias": "Laikini slapyvardžiai",
+        "syncjobs": "Sinchronizuoti darbus"
+    },
+    "add": {
+        "active": "Aktyvus",
+        "add": "Pridėti",
+        "add_domain_only": "Pridėti tik domeną",
+        "add_domain_restart": "Pridėti domeną ir paleisti SOGo iš naujo",
+        "alias_domain_info": "<small>Tik tinkami domenų vardai (išskirta kableliais).</small>",
+        "app_name": "Programėlės pavadinimas",
+        "app_password": "Pridėti programėlės slaptažodį",
+        "app_passwd_protocols": "Prieinamieji programėlės slaptažodžio protokolai",
+        "custom_params": "Pasirinktiniai parametrai",
+        "delete1": "Ištrinti iš šaltinio, kai baigta",
+        "activate_filter_warn": "Visi kiti filtrai bus deaktivuoti, kai „aktyvus“ yra pražymėtas.",
+        "custom_params_hint": "Teisingai: --param=xy, neteisingai: --param xy",
+        "description": "Aprašymas",
+        "destination": "Gavėjas",
+        "domain": "Domenas",
+        "domain_quota_m": "Viso domeno kvota (MiB)",
+        "dry": "Simuliuoti sinchronizaciją",
+        "enc_method": "Šifravimo metodas",
+        "full_name": "Prilnas vardas",
+        "generate": "generuoti",
+        "goto_null": "Tyliai atmesti žinutes",
+        "goto_spam": "Išmokti kaip <span class=\"text-danger\"><b>šlamštas</b></span>",
+        "password": "Slaptažodis",
+        "select": "Pasirinkite...",
+        "select_domain": "Prima, pasirinkite domeną",
+        "sieve_desc": "Trumpas aprašymas",
+        "sieve_type": "Filtro tipas",
+        "mailbox_quota_def": "Numatytoji elelktroninio pašto dėžutės kvota",
+        "password_repeat": "Slaptažodžio patvirtininas (pakartoti)",
+        "disable_login": "Uždrausti prisijungimą (ateinančios žinutės vistiek bus gaunamos)",
+        "inactive": "Neaktyvus",
+        "alias_address": "Pakaitiniai/is adresai/as",
+        "alias_address_info": "<small>Pilnas el. pašto adresas (-ai) arba @example.com, kad gautumėte visus pranešimus iš domeno (atskirtus kableliais). <b>Tik \"mailcow\" domenai</b>.</small>",
+        "alias_domain": "Pakaitinis domenas",
+        "automap": "Stenktis automatiškai susieti aplankus (\"Išsiųsti\", \"Išsiųsti\" => \"išsiųsti\" ir tt.)",
+        "backup_mx_options": "Perdavimo nustatymai",
+        "bcc_dest_format": "BCC gavimo adresas turi būti vienas galiojantis el. pašto adresas.<br>Jei turite siųsti kopiją į kelis adresus, sukurkite slapyvardį ir naudokite jį čia.",
+        "delete2": "Ištrinti žinutes gavimo vietoje, kurios nėra šaltinyje.",
+        "delete2duplicates": "Ištrinti dublikatus gavimo vietoje",
+        "domain_matches_hostname": "Domenas %s atitinka serverio vardą",
+        "exclude": "Išskirti objektus (regex)",
+        "gal": "Visuotinis adresų sąrašas",
+        "gal_info": "GAL (Global Address List) apima visus domeno objektus ir jų negali redaguoti joks vartotojas. SOGo trūksta laisvosios/užimtosios informacijos, jei tai išjungta! <b>Perkraukite SOGo, kad pritaikytumėte pakeitimus.</b>"
+    },
+    "admin": {
+        "access": "Prieiga",
+        "active": "Aktyvus",
+        "add": "Pridėti",
+        "add_admin": "Pridėti administratorių",
+        "add_domain_admin": "Pridėti domeno administratorių",
+        "add_settings_rule": "Pridėti nustatymų taisyklę",
+        "admin": "Administratorius",
+        "admins": "Administratoriai",
+        "admins_ldap": "LDAP administratoriai",
+        "api_key": "API prieigos raktas",
+        "copy_to_clipboard": "Tekstas nukopijuotas!",
+        "cors_settings": "CORS nustatymai",
+        "dkim_from": "Iš",
+        "dkim_key_length": "DKIM rakto ilgis (bitai)",
+        "dkim_key_valid": "Raktas tinkamas",
+        "dkim_keys": "ARC/DKIM raktai",
+        "dkim_private_key": "Slaptasis raktas",
+        "dkim_to": "Į",
+        "domain": "Domenas",
+        "domain_admin": "Domeno administratorius",
+        "domain_admins": "Doneno administratoriai",
+        "domain_s": "Domenas/ai",
+        "duplicate": "Dublikatas",
+        "duplicate_dkim": "Dublikuotas DKIM įrašas",
+        "edit": "Redaguoti",
+        "empty": "Jokių rezultatų",
+        "f2b_filter": "Regex filtrai",
+        "filter_table": "Filtrų lentelė",
+        "from": "Nuo",
+        "generate": "generuoti",
+        "html": "HTML",
+        "import": "Importuoti",
+        "inactive": "Neaktyvus",
+        "message": "Žinutė",
+        "message_size": "Žinutės dydis",
+        "nexthop": "Kitas šuolis",
+        "no": "&#10005;",
+        "no_record": "Nėra įrašo",
+        "oauth2_apps": "OAuth2 Programėlės",
+        "oauth2_add_client": "Pridėti OAuth2 klientą",
+        "oauth2_client_id": "Kliento ID",
+        "optional": "pasirinktinas",
+        "options": "Nustatymai",
+        "password": "Slaptažodis",
+        "password_length": "Slaptažodžio ilgis",
+        "password_policy_chars": "Privalo turėti bent vieną numerį ar skaičių",
+        "password_policy_length": "Mažiausias slaptažodžio ilgis - %d",
+        "password_policy_numbers": "Privalo turėti bent vieną skaičių",
+        "password_policy_special_chars": "Privalo turėti specialiųjų ženklų",
+        "password_repeat": "Slaptažodžio patvirtinimas (pakartoti)",
+        "quarantine": "Karantinas",
+        "quarantine_notification_sender": "Pranešimų e-pašto siuntėjas",
+        "quarantine_release_format_att": "Kaip priedą",
+        "quarantine_release_format_raw": "Nepakeitas originalas",
+        "quota_notifications": "Kvotos pranešimai",
+        "r_active": "Aktyvūs apribojimai",
+        "r_inactive": "Neaktyvus apribojimai",
+        "refresh": "Perkrauti",
+        "regen_api_key": "Regeneruoti API raktą",
+        "relay_rcpt": "„Kam:“ adresas",
+        "relay_run": "Paleisti testą",
+        "remove": "Ištrinti",
+        "rsetting_add_rule": "Pridėti taisyklę",
+        "rsetting_desc": "Trumpas aprašymas",
+        "rspamd_global_filters_agree": "Aš busiu atsargus/i!",
+        "save": "Išsaugoti pakeitimus",
+        "search_domain_da": "Ieškoti domenus",
+        "send": "Siųsti",
+        "sender": "Siuntėjas",
+        "source": "Šaltinis",
+        "spamfilter": "Šlamšto filtras",
+        "text": "Tekstas",
+        "time": "Laikas",
+        "to_top": "Atgal į viršų",
+        "ui_header_announcement_content": "Tekstas (HTML leistina)",
+        "ui_header_announcement_select": "Pasirinkite pranešimo tipą",
+        "ui_header_announcement_type": "Tipas",
+        "ui_header_announcement_type_danger": "Labai svarbus",
+        "ui_header_announcement_type_info": "Info",
+        "upload": "Įkelti",
+        "username": "Naudotojo vardas",
+        "verify": "Patikrinti",
+        "yes": "&#10003;",
+        "customer_id": "Kliento ID",
+        "f2b_parameters": "„Fail2Ban“ parametrai",
+        "import_private_key": "Importuoti slaptąjį raktą",
+        "action": "Veiksmas",
+        "convert_html_to_text": "Konvertuoti HTML į paprastą tekstą",
+        "oauth2_renew_secret": "Geberuoti naują kliento slapuką",
+        "private_key": "Slaptasis raktas",
+        "sal_level": "Moo lygis",
+        "ui_header_announcement_type_warning": "Svarbus",
+        "admin_details": "Redaguoti administratoriaus duomenis",
+        "login_time": "Prisijungino laikas",
+        "ui_header_announcement": "Pranešimai",
+        "dkim_overwrite_key": "Perrašyti egzistuojantį DKIK raktą",
+        "f2b_whitelist": "Tinklai baltajama sąraše",
+        "f2b_blacklist": "Tinklai juodajame saraše",
+        "loading": "Prašau palaukite...",
+        "password_policy_lowerupper": "Privalo turėti mažuosius ir didžiuosius ženklus/raides",
+        "relay_from": "„Nuo:“ adresas"
+    },
+    "danger": {
+        "demo_mode_enabled": "Demo Režimas įjungtas",
+        "description_invalid": "Resurso %s aprašymas yra netinkamas",
+        "domain_exists": "Domenas %s jau egzistuoja",
+        "domain_invalid": "Domeno vardas tuščias arba netinkamas",
+        "domain_not_found": "Domenas %s nerastas",
+        "domain_quota_m_in_use": "Domeno kvota turi būti daygiau arba lygiai %s MiB",
+        "file_open_error": "Failas negali būti atidarytas įrašymui",
+        "filter_type": "Netinkamas filtro tipas",
+        "invalid_mime_type": "Netinkamas MIME tipas",
+        "login_failed": "Prisijungimas nepavyko",
+        "mailbox_defquota_exceeds_mailbox_maxquota": "Numatytoji kvota didesnė nei maksimalus kvotos limitas",
+        "mysql_error": "MySQL problema: %s",
+        "img_invalid": "Negalimas nuotraukos patikrinimas",
+        "mailbox_quota_left_exceeded": "Per mažai vietos diske (liko %d MiB)",
+        "comment_too_long": "Komentaeas per ilgas, maksimalus leistinas simbolių skaičius yra 160",
+        "nginx_reload_failed": "Nginx perkrovimas nepavyko: %s",
+        "invalid_filter_type": "Netinkamas filtro tipas"
+    },
+    "edit": {
+        "validate_save": "Patikrinti ir išsaugoti",
+        "unchanged_if_empty": "Jei nepakeista, palikite tuščią",
+        "username": "Naudotojo vardas"
+    },
+    "fido2": {
+        "confirm": "Patvirtinti",
+        "fido2_success": "Įrenginys sėkmingai užregistruotas",
+        "fido2_validation_failed": "Patikrinimas nepavyko",
+        "fn": "Draugiškasis vardas",
+        "known_ids": "Žinomi ID",
+        "none": "Neįgalintas",
+        "register_status": "Registracijos statusas",
+        "rename": "Pervadyti",
+        "set_fido2_touchid": "Registruokite Touch ID su Apple M1",
+        "set_fn": "Nustatyti draugiškąjį vardą",
+        "start_fido2_validation": "Pradėti FIDO2 patikrinimą",
+        "fido2_auth": "Prisijungti su FIDO2",
+        "set_fido2": "Registruoti FIDO2 įrengenį"
+    },
+    "footer": {
+        "cancel": "Atšaukti",
+        "confirm_delete": "Patvirtinti trynimą",
+        "delete_now": "Ištrinti dabar",
+        "hibp_check": "Patikrinti naudodami haveibeenpwned.com",
+        "hibp_nok": "Atitikta! Tai yra galimai pavojingas slaptažodis!",
+        "hibp_ok": "Nerasta jokių atitikmenų.",
+        "loading": "Prašome palaukti...",
+        "nothing_selected": "Niekas nepasirinkta",
+        "restart_container": "Paleiskite konteinerį iš naujo",
+        "restart_now": "Perkrauti dabar",
+        "restarting_container": "Perkraunamas konteineris, tai gali užtrukti.",
+        "delete_these_items": "Prašome patvirtinti savo pakeitimus šiam objekto ID",
+        "restart_container_info": "<b>Svarbu:</b> Sklandus paleidimas iš naujo gali užtrukti, prašome palaukti, kol jis baigsis."
+    },
+    "header": {
+        "administration": "Konfigūracija ir detalės",
+        "apps": "Programėlės",
+        "debug": "Informacija",
+        "email": "El. paštas",
+        "mailcow_system": "Sistema",
+        "mailcow_config": "Konfiguracija",
+        "quarantine": "Karantinas",
+        "restart_netfilter": "Paleisti „netfilter“ iš naujo",
+        "restart_sogo": "Paleisti SOGo iš naujo",
+        "user_settings": "Naudotojo Nustatymai"
+    },
+    "info": {
+        "no_action": "Nėra taikomų veiksmų",
+        "session_expires": "Jūsų sesija pasibaigs už maždaug 15 sekundžių.",
+        "awaiting_tfa_confirmation": "Laukiama DFA patvirtinimo"
+    },
+    "login": {
+        "fido2_webauthn": "FIDO2/WebAuthn Prisijungimas",
+        "login": "Prisijungti",
+        "other_logins": "Prisijungimas raktu",
+        "password": "Slaptažodis",
+        "username": "Naudotojo vardas",
+        "mobileconfig_info": "Prašome prisijungti kaip pašto dėžutės vartotojui, kad galėtumėte atsisiųsti pageidaujamą „Apple“ ryšio profilį."
+    },
+    "mailbox": {
+        "action": "Veiksmas",
+        "activate": "Aktivuoti",
+        "active": "Aktyvus",
+        "add": "Pridėti",
+        "add_alias": "Pridėti pseudonimą",
+        "add_alias_expand": "Išplėsti pseudonimą per pseudonimų domenus",
+        "add_bcc_entry": "Pridėti BCC žemėlapį",
+        "add_domain": "Pridėti domeną",
+        "add_domain_alias": "Pridėti pakaitinį domeną",
+        "add_domain_record_first": "Prašome pridėti domeną pirmiausia",
+        "add_filter": "Pridėti filtrą",
+        "add_mailbox": "Pridėti pašto dėžutę",
+        "add_recipient_map_entry": "Pridėti gavėjų žemėlapį",
+        "add_resource": "Pridėti resursą",
+        "add_template": "Pridėti Šabloną",
+        "add_tls_policy_map": "Pridėti TLS politikos schemą",
+        "address_rewriting": "Adresų perrašymas",
+        "alias": "Slapyvardis",
+        "alias_domain_backupmx": "Pakaitinis domenas nėra aktyvuotas peradresavimo domenui",
+        "all_domains": "Visi Domenai",
+        "allow_from_smtp_info": "Palikite tuščią, norėdami leisti visiems siuntėjams.<br>IPv4/IPv6 adresai ir tinklai.",
+        "backup_mx": "Peradresavimo domenas",
+        "bcc": "BCC",
+        "bcc_destination": "BCC gavimo vieta",
+        "bcc_destinations": "BCC gavimo vieta",
+        "bcc_local_dest": "Vietinė gavimo vieta",
+        "bcc_map": "BCC žemėlapis",
+        "bcc_map_type": "BCC tipas",
+        "bcc_maps": "BCC žemėlapiai",
+        "bcc_type": "BCC tipas",
+        "booking_null": "Visada rodyti kaip laisvą",
+        "booking_0_short": "Visada laisvas",
+        "booking_custom": "Nekintamasis apribojimas pagal individualią užsakymų sumą",
+        "booking_custom_short": "Nekintamasis ribojimas",
+        "booking_ltnull": "Neribotas, bet rodyti kaip užimtas, kai užrezervuota",
+        "booking_lt0_short": "Kintamasis apribojimas",
+        "catch_all": "Viską sugriebiantis",
+        "daily": "Kasdien",
+        "description": "Aprašymas",
+        "disable_login": "Uždrausti prisijungimą (gaunami el. laiškai vis dar priimami)",
+        "disable_x": "Išjungti",
+        "dkim_key_length": "DKIM rakto ilgis (bitai)",
+        "domain": "Domenas",
+        "domain_aliases": "Pakaitomieji domenai",
+        "domain_templates": "Domenų Šablonai",
+        "domain_quota": "Kvota",
+        "domain_quota_total": "Bendroji domeno kvota",
+        "domains": "Domenai",
+        "edit": "Redaguoti",
+        "filters": "Filtrai",
+        "fname": "Pilnas vardas",
+        "gal": "Visuotinis adresų sąrašas",
+        "goto_spam": "Išmokti kaip <b>šlamštas</b>",
+        "hourly": "Kas valandą",
+        "in_use": "Naudojimas (%)",
+        "inactive": "Neaktyvus",
+        "allowed_protocols": "Leidžiami protokolai tiesioginiam vartotojo prieigai (neturi įtakos programėlių slaptažodžių protokolams)",
+        "goto_ham": "Išmokti kaip <b>ham</b>",
+        "aliases": "Pseudonimai",
+        "allow_from_smtp": "Leiskite tik šiems IP naudotis <b>SMTP</b>",
+        "alias_domain_alias_hint": "Pseudonimai <b>nėra</b> taikomi domeno pseudonimams automatiškai. Pseudonimo adresas <code>my-alias@domain</code> <b>neapima</b> adreso <code>my-alias@alias-domain</code> (kur \"alias-domain\" yra įsivaizduojamas \"domain\" pseudonimas).<br>Prašome naudoti sieve filtrą, kad nukreiptumėte laiškus į išorinę pašto dėžutę (žr. skirtuką \"Filtrai\" arba naudokite SOGo -> Peradresavimas). Naudokite \"Išplėsti pseudonimus per pseudonimų sritis\" kad automatiškai pridėti trūkstamus pseudonimus.",
+        "deactivate": "Deaktivuoti",
+        "domain_admins": "Domeno administratoriai",
+        "enable_x": "Įjungti",
+        "last_run_reset": "Suplanuoti kitą",
+        "mailbox": "Pašto dėžutė",
+        "mailbox_defaults": "Numatytieji nustatymai",
+        "mailbox_defaults_info": "Nustatyti numatytuosius nustatymus naujoms pašto dėžutėms.",
+        "mailbox_defquota": "Numatytasis pašto dėžutės dydis",
+        "mailbox_templates": "Pašto dėžučių šablonai",
+        "mailbox_quota": "Maks. pašto dėžutės dydis",
+        "mailboxes": "Pašto dėžutės",
+        "max_aliases": "Maks. slapyvardžiai",
+        "max_mailboxes": "Maks. galimų pašto dėžučių",
+        "max_quota": "Maks. kvota kiekvienai pašto dėžutei",
+        "mins_interval": "Intervalas (min)",
+        "msg_num": "Žinutė #"
+    },
+    "quarantine": {
+        "atts": "Priedaj",
+        "check_hash": "Ieškoti failo Hash'o @ VT",
+        "confirm": "Patvirtinti",
+        "confirm_delete": "Patvirtinti šio elemento trynimą",
+        "danger": "Pavojus"
+    },
+    "success": {
+        "domain_admin_added": "Pridėtas domeno administractorius %s",
+        "domain_admin_removed": "Domeno administratorius %s ištrintas",
+        "domain_modified": "Domeno %s pakitimai išsaugoti",
+        "domain_removed": "Domenas %s ištrintas",
+        "dovecot_restart_success": "„Doveccot“ perkrautas",
+        "domain_added": "Pridėtas domenas %s",
+        "domain_admin_modified": "Pakeitimai domeno adminustratoriui %s išsaugoti"
+    }
+}